
In ZKP, suppose a prover P1 possesses a secret number S and generates a proof PRF of possessing it, with the aim of proving this to a verifier V1.

But what prevents V1 from misusing the PRF and presenting itself to others as the one in possession of the secret S (misrepresenting itself as P1)? In fact, since PRF is public, anyone can misuse it. I have heard the "soundness" keyword, but since PRF is public, how is this activity prevented?

Along similar lines, if V1 has received such a PRF from P1, why should V1 not think that P1 might have stolen or copied the PRF from somewhere else?

Please let me know what I am missing here.

user60588

1 Answer


You are not missing anything: if the proof is non-interactive, then it is transferable, as you observed. Hence, such a proof cannot authenticate the proof sender as the owner of the secret information.

However, this does not hold anymore if the proof is interactive: the proof of knowledge of the secret depends on an interaction with the verifier, who is sending some challenges. There, simply storing the transcript of a proof interaction does not help you in successfully completing the interaction if you don't know the secret, because the challenges won't be the same with very high probability (this is a high-level intuition, but it can be made formal and proven).

If you really want non-interactivity, then depending on the scenario there can sometimes be workarounds where you use ZK proofs with a stronger "non-rerandomizability" notion (i.e., given a proof, one cannot generate a different proof of the same statement without knowing the witness) if the entity checking the proof can e.g. remember all proofs it has seen and refuse to accept a proof it has already seen once in the past. There, the honest party could still authenticate by re-generating a fresh new proof every time, but outside observers of the network could not reuse a previous authentication credential of the honest user.

Geoffroy Couteau
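As an added illustration, not part of the answer above, here is a toy Schnorr-style proof of knowledge of a discrete logarithm in Python that shows the three situations the answer describes: an interactive transcript fails on replay because the verifier's challenge changes, the Fiat-Shamir (non-interactive) proof verifies for whoever holds it, and a verifier that remembers proofs rejects a resent one while still accepting a freshly generated one. The parameters p = 1019, q = 509, g = 4 and the fixed nonces are constructed toy values, far too small for real use.

```python
import hashlib
import secrets
# Constructed toy parameters: safe prime p = 2q + 1, g = 4 generates the order-q
# subgroup. Far too small for real use; small only to keep the numbers readable.
P, Q, G = 1019, 509, 4

def commit(r=None):
    """Prover move 1: choose nonce r (random unless fixed for tests), send t = g^r."""
    r = secrets.randbelow(Q) if r is None else r
    return r, pow(G, r, P)

def respond(x, r, c):
    """Prover move 3: s = r + c*x mod q, which requires the secret x."""
    return (r + c * x) % Q

def check(y, t, c, s):
    """Verification equation: g^s == t * y^c mod p."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def interactive_proof(x, y, verifier_challenge):
    """One three-move run; the verifier picks its own fresh challenge in move 2."""
    r, t = commit()
    return t, verifier_challenge, respond(x, r, verifier_challenge)

def replay_transcript(y, transcript, new_challenge):
    """Eavesdropper with (t, c, s) but no x can only resend s; passes only if c repeats."""
    t, _, s = transcript
    return check(y, t, new_challenge, s)

def fiat_shamir_challenge(y, t):
    """Non-interactive variant: the challenge is a hash of the statement and t."""
    h = hashlib.sha256(f"{P}|{G}|{y}|{t}".encode()).digest()
    return int.from_bytes(h, "big") % Q

def nizk_prove(x, y, r=None):
    r, t = commit(r)
    return t, respond(x, r, fiat_shamir_challenge(y, t))

def nizk_verify(y, proof):
    """Anyone can run this, so a valid proof is transferable to third parties."""
    t, s = proof
    return check(y, t, fiat_shamir_challenge(y, t), s)

def accept_once(y, proof, seen):
    """The answer's workaround: a verifier that remembers proofs accepts each only once."""
    if proof in seen or not nizk_verify(y, proof):
        return False
    seen.add(proof)
    return True
```

With q prime and the secret x not a multiple of q, a recorded interactive response is rejected under every challenge other than the one it was produced for, which is why an eavesdropper's success probability is only 1/q per attempt.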