[Resource Topic] 2022/1079: The inspection model for zero-knowledge proofs and efficient Zerocash with secp256k1 keys

Welcome to the resource topic for 2022/1079

The inspection model for zero-knowledge proofs and efficient Zerocash with secp256k1 keys

Authors: Huachuang Sun, Haifeng Sun, Kevin Singh, Akhil Sai Peddireddy, Harshad Patil, Jianwei Liu, Weikeng Chen


Proving discrete log equality for groups of the same order is addressed by Chaum and Pedersen’s seminal work. However, there has not been a lot of work in proving discrete log equality for groups of different orders.

This paper presents an efficient solution, which leverages a technique we call delegated Schnorr. The discovery of this technique is guided by a design methodology that we call the inspection model, and we find it useful for protocol designs.

We show two applications of this technique on the Findora blockchain:

Maxwell-Zerocash switching:
There are two privacy-preserving transfer protocols on the Findora blockchain: one follows the Maxwell construction and uses Pedersen commitments over Ristretto, the other follows the Zerocash construction and uses Rescue over BLS12-381. We present an efficient protocol to convert assets between these two constructions while preserving privacy.

Zerocash with secp256k1 keys:
Bitcoin, Ethereum, and many other chains sign on secp256k1. There is a strong need for ZK applications that do not depend on special curves like Jubjub but are compatible with secp256k1. Because secp256k1 is FFT-unfriendly, many proof systems (e.g., Groth16, Plonk, FRI) are infeasible. We present a solution using Bulletproofs over the curve secq256k1 (“q”) and delegated Schnorr, which connects Bulletproofs to TurboPlonk over BLS12-381.
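The abstract builds on Chaum and Pedersen's discrete-log-equality proof for groups of the same order and targets secp256k1 keys. As an added illustration (not code from the paper or from Findora), the block below writes that same-order DLEQ proof over secp256k1 with a Fiat-Shamir challenge; the paper's delegated Schnorr for groups of different orders is not reproduced here. The second base `H`, the transcript encoding and the hash domain tag are assumptions of this demo.

```python
import hashlib
import secrets
# secp256k1 domain parameters (the curve behind Bitcoin and Ethereum keys).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):  # affine addition on y^2 = x^3 + 7; None is the point at infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                  # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P    # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):  # double-and-add; not constant time, demo only
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

# Second base (constructed): deployments hash-to-curve so log_G(H) is unknown; the demo uses a fixed multiple of G.
H = ec_mul(0x1D0C0FFEE, G)

def challenge(*pts):  # Fiat-Shamir over bases, statements and commitments
    enc = b"".join(x.to_bytes(32, "big") + y.to_bytes(32, "big") for x, y in pts)
    return int.from_bytes(hashlib.sha256(b"dleq-v1" + enc).digest(), "big") % N

def dleq_prove(x):  # prove log_G(A) == log_H(B) == x without revealing x
    assert 0 < x < N
    A, B = ec_mul(x, G), ec_mul(x, H)
    r = secrets.randbelow(N - 1) + 1                 # fresh nonce; reuse leaks x
    t1, t2 = ec_mul(r, G), ec_mul(r, H)
    c = challenge(G, H, A, B, t1, t2)
    return {"A": A, "B": B, "t1": t1, "t2": t2, "s": (r + c * x) % N}

def dleq_verify(pr):
    A, B, t1, t2, s = (pr[k] for k in ("A", "B", "t1", "t2", "s"))
    if not 0 <= s < N or any(q is None or (q[1]**2 - q[0]**3 - 7) % P for q in (A, B, t1, t2)):
        return False                                 # off-curve point or bad scalar
    c = challenge(G, H, A, B, t1, t2)
    return (ec_mul(s, G) == ec_add(t1, ec_mul(c, A))
            and ec_mul(s, H) == ec_add(t2, ec_mul(c, B)))
```

The verifier recomputes the challenge from the full transcript, so a proof whose `B` was swapped for a point with a different exponent, or whose response `s` was altered, fails both Schnorr equations.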

We conclude the paper with (im)possibility results about Zerocash with access only to a deterministic ECDSA signing oracle, which is the case when working with MetaMask. This result shows the limitations of the techniques in this paper.

This paper is under a bug bounty program through a grant from Findora Foundation.

ePrint: https://eprint.iacr.org/2022/1079

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.

This is the author. We do not plan to submit this paper for peer review, but instead make it a bug bounty program. We are eager to learn more about this area, and you will get paid.