Score:0

Is there a SNARK system that will give the same proof bytes for different witnesses?

no flag

Suppose the circuit is a hash function with the input being the pre-image (private) and the output being the digest (public). If one knows of a collision can they create 2 different proofs that are equal bit-for-bit by inputting the 2 different pre-images that give the collision?

It seems such a SNARK does not exist at the moment because when the Fiat-Shamir transform is used there is an opening of a polynomial at a certain point which is a function of the witness, so the final proof is also a function of the witness.

ming alex avatar
in flag
If replacing "the same proof" in your question with "the same **statement**", the answer is yes.
Score:0
cn flag

A necessary condition for non-trivial (details below) zero-knowledge proofs is that they are probabilistic. Producing two proofs for the same witness will lead to different transcripts, so this also holds for two proofs with different transcripts.

Intuitively, if the proof is deterministic, then the verifier can know that two provers proving the same statement used the same witness. This is already a problem. The technical reason is that anything that would be provable this way could be efficiently computed by the verifier without the help of the prover. See section 4.5 of this paper by Goldreich and Oren if you're interested in the details.

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.