Zero knowledge proof are already used all over the place, for example signature (such as ecdsa) is a zk proof. When you make the signature you are proving that you know the private key for an associated public key.
But how does a proof look like? The Zokrates example at 24:37 leaves more questions than answers. We know that a proof has something to do with an arithmetic circuit, but not how it does so or why.
Wondering why "soundness" is defined as "argument of knowledge". Also, why is bulletproof linear verification time? Also, I thought succinctness means polylog (not log)
the statement to prove for Bulleproofs is of dimension N, where N is such that the message must be between 0 and 2^N -1. Bulletproofs just uses EC crypto,. No Polynomial commitments, no trusted setup. There are 2N such public generators (as opposed to 1 for Schnorr signatures, or 2 for Pedersen committments) and the proof verification in particular needs to multiply all these generators together. In total there are 2N + cste EC multiplications to do. The state of the art is Bulletproofs++ though, which uses a norm argument instead of a inner product argument like in Bulletproofs or Bulletproofs+. making it quite more efficient, although still with a linear verification time.
If Sim produces pi: is it then not possible for any 3rd party to run Sim without knowing w, thereby "proving" knowledge of w without actually knowing w.
![The moment we stopped understanding AI [AlexNet]](/img/n.gif)
Nothing short of GREAT. Succint explanations, yet to see any clearer introduction to zk-SNARKS, just great!!!!
This is a BRILLIANT lecture ( especially for a Computer Engineer like me, whose head starts spinning when studying maths )
Very well explained !
That was really great, simple yet comprehensive explanation of what is going on in the backstage of a zk-snark, thank you
Finally a real life use case of Zero Knowledge Proof. Good to see it being used within blockchains.
Zero knowledge proof are already used all over the place, for example signature (such as ecdsa) is a zk proof. When you make the signature you are proving that you know the private key for an associated public key.
Great and clear video, thanks a lot!
Thank you, great explanation!!!
just got to 3:41 but I'm already liking this awesome explanation
Finally, an actually good lecture on zk-Snarks... :)
what an aawesome simple explaination
Beautiful explanation thank you so much
Amazing 😍👏
Finally this makes sense to me thank you
that was amazing
Nicely explained thanks
thanks for the zk explanation
great
great explanation of the argument system.....I really enjoyed the video although I expected more knowledge about the zk-snarks itself :(
But how does a proof look like? The Zokrates example at 24:37 leaves more questions than answers. We know that a proof has something to do with an arithmetic circuit, but not how it does so or why.
thanks again
where do i find this 32:50 cs251
Have you seen the Midnight network?
zkp = a proof that shows one knows secret.... but anyone who does not know secret can produce the proof of knowing the secret?
Wondering why "soundness" is defined as "argument of knowledge". Also, why is bulletproof linear verification time? Also, I thought succinctness means polylog (not log)
the statement to prove for Bulleproofs is of dimension N, where N is such that the message must be between 0 and 2^N -1. Bulletproofs just uses EC crypto,. No Polynomial commitments, no trusted setup. There are 2N such public generators (as opposed to 1 for Schnorr signatures, or 2 for Pedersen committments) and the proof verification in particular needs to multiply all these generators together. In total there are 2N + cste EC multiplications to do. The state of the art is Bulletproofs++ though, which uses a norm argument instead of a inner product argument like in Bulletproofs or Bulletproofs+. making it quite more efficient, although still with a linear verification time.
If Sim produces pi: is it then not possible for any 3rd party to run Sim without knowing w, thereby "proving" knowledge of w without actually knowing w.
i think it would be a proof π and not the π, but im also interested to hear...
Same question. This seem inherently against security?
ditto! seems to contradict itself. zkp is giving proof that one knows secret.... but anyone who does not know secret can produce the proof???
how did you do it can you share with me , thank you
no such thing as succinct x or remarx or taike or not etc, outx infix any nmw and any s perfect
the video image is too poor, you need to fix it more
23:50, can the witness be anything and it will just yield a proof? or does it need to be specifically chosen so that C(witness) = 0?
how did you do it can you share with me , thank you