Score:3

zerocoin ZKSoK Pedersen commitment process


I am studying the zerocoin paper‡. More precisely I am stuck at page 6, on the Spend function (in paragraph "B. Our construction"). I am not understanding how the ZKSoK is computed. Let's consider the Pedersen commitment as $$C\gets g^Sh^r\bmod p$$

I've found a lot of examples online, but they all refer to a case where the "secret" is $ω$: $x=g^ω$, and $x$ is public. I understand the steps in these cases, but I am not sure about two things in zerocoin:

  1. Does the provider give $S$ ($S$=serial number) to the verifier, in order to be able to do the verification?
  2. What is the condition that says if the proof is valid or not?

‡ Paywalled

Score:2
  1. Yes, the value $S$ is public. From the notation on page 5, "All values not enclosed in ()’s are assumed to be known to the verifier." This makes sense in the scheme, since, once a coin is spent, its serial becomes public and cannot be used again.

  2. You can make efficient ZKPs for a wide range of linear relations about the exponents of some group elements with known bases. Camenisch and Stadler is the usual paper cited here (and in fact, is cited on page 5). Another, perhaps easier to understand, is by Maurer.

riccardo:
I still do not understand how $S$ is involved during the generation of the proof. More precisely, referring to Example 1 of the Camenisch and Stadler paper, I do not understand where to use it.
rozbb:
Example 1 doesn't have the form of a Pedersen commitment. It's $g^x$ rather than $g^x h^y$. Example 4 is closer to what you want. [This other answer](https://crypto.stackexchange.com/questions/81236/question-of-proving-the-opening-of-pedersen-commitment) specifies the Pedersen opening protocol directly.
riccardo:
I've seen the answer and I get it, but what prevents an attacker from properly computing the ZKP and then providing another $S$? How are the proof and $S$ linked together, and how is the correctness of $S$ verified by the verifier?
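
An added illustration of the binding asked about in the last comment (not code from this thread or from the Zerocoin paper): a Schnorr-style signature of knowledge of $r$ for the statement $C g^{-S} = h^r$, where the Fiat-Shamir challenge hashes $S$ and the message, so the same proof checked against another $S$ is rejected. Assumptions: $C$ is treated as public here (in Zerocoin's Spend it is itself hidden behind the accumulator membership proof), and the group parameters and function names are constructed toy values.

```python
import hashlib
import secrets

# Constructed toy group, far too small for real use: P = 2Q + 1 is a safe
# prime and G, H are squares mod P, so both have prime order Q.
P, Q, G, H = 2879, 1439, 4, 9

def commit(S, r):
    """Pedersen commitment C = g^S * h^r mod p."""
    return pow(G, S, P) * pow(H, r, P) % P

def challenge(C, S, t, msg):
    """Fiat-Shamir challenge: the public serial S and the message are hashed in."""
    data = b"|".join(str(v).encode() for v in (P, G, H, C, S, t)) + b"|" + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove(C, S, r, msg):
    """Signature of knowledge on msg of r such that C * g^(-S) = h^r."""
    k = secrets.randbelow(Q)            # one-time nonce
    t = pow(H, k, P)                    # prover's first message
    c = challenge(C, S, t, msg)
    return c, (k + c * r) % Q           # proof (c, z)

def verify(C, S, msg, proof):
    """Accept iff the proof was made for exactly this C, S and msg."""
    c, z = proof
    y = C * pow(G, (-S) % Q, P) % P     # strip the public serial: y = h^r
    t = pow(H, z, P) * pow(y, (-c) % Q, P) % P   # recompute t = h^z * y^(-c)
    return c == challenge(C, S, t, msg)

if __name__ == "__main__":
    S, r, msg = 1234, 777, b"tx-hash"   # constructed sample values
    C = commit(S, r)
    proof = prove(C, S, r, msg)
    print("claimed S     :", verify(C, S, msg, proof))
    print("different S   :", verify(C, S + 1, msg, proof))
    print("different msg :", verify(C, S, b"other", proof))
```

With a group this small a mismatched proof is still accepted with probability about 1/Q, which is one reason real parameters are large.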