Earlier Zero-knowledge proof verification systems used to be interactive. The ‘prover’ of information called ‘witness’ and ‘verifier’ had to be simultaneously online in order to successfully execute operations.
This made entire process ambiguous and unscalable. In 1986, Fiat and Shamir invented Fiat-Shamir heuristic and changed interactive zero-knowledge proof to non-interactive zero-knowledge proof.
Fiat–Shamir heuristic is technique for taking an interactive proof of knowledge and creating digital signature based on it. This way ‘witness’ or fact can be verified publicly without prover being online all the time.
Non-Interactive Zero-Knowledge Proof with Discrete Algorithm :
- Sanchita wants to prove to Sachin that she knows value such that y = g^a to base g.
- Sanchita picks random value v from set of values Z, and computes t = g^v.
- Sanchita computes c = H(g, y, t) where H() is hash function.
- Sanchita computes d = v – c*a.
- Sachin or anyone can then check if t = g^d * y^c.
Fiat–Shamir heuristic allows us to replace interactive step 3 with non-interactive random oracle access, but in practice, Hash function is used.
In Interactive ZKP, Sachin would have picked random value c from set Z and sends it to Sanchita.
If the hash value used below does not depend on (public) value of y, security of scheme is weakened, as malicious prover can then select certain value x so that product c*a is known.
Advantages :
-
Scalable –
It does not require prover or verifier to be online all the time. -
Transfarable –
If prover proves proof of witness once, it can be made public and same process is not to be repeated again for different verifier.
Applications :
-
Blockchains –
It can be used to verify transaction in public blockchain even if information of sender, recipient, and transaction remains anonymous. -
Foundation to other protocols –
In 2017 Bulletproofs were released. Zk-SNARK is also followup of Non-Interactive ZKP.