Suppose a prover publishes two perfectly hiding commitments for $s_1,s_2$, i.e. two Pedersen commitments $C_1=g^{s_1}h^{r_1}$ and $C_2=g^{s_2}h^{r_2}$ such that $s_1,s_2,r_1,r_2$ are secret field elements. Suppose that there two public field elements $b_1, b_2$ that satisfy $b_1=s_1*b_2+s_2$. How to create a zero knowledge proof (or argument of knowledge) for such linear relation?
Asked
Active
Viewed 79 times
1 Answers
2
How to create a zero knowledge proof (or argument of knowledge) for such linear relation?
The obvious way is to generate a proof of knowledge that you know $x$ s.t. $h^x = C_1^{b_2}C_2g^{-b_1} = (g^{s_1}h^{r_1})^{b_2}g^{s_2}h^{r_2}g^{-b_1} = g^{s_1b_2 + s_2 - b_1}h^{b_2r_1 + r_2}$
If you know such an $x$, then either $s_1b_2 + s_2 - b_1 = 0$ must hold, or you must know the relationship between $g$ and $h$ (which Pederson assumes you don't).
And, if you know the secrets (and the relationship does hold), then it is easy to generate such a proof.
For such a proof of knowledge, we can use a Schnorr proof.
poncho
- 154,064
- 12
- 239
- 382