undefined | Better HN

0 pointspolitician5y ago0 comments

The explanations for interactive proofs are compelling, but the non-interactive variants are confusing. I don't understand how an infinite series of queries can be replaced by a static construction.

If you've got some resources that you'd be willing to share, I'd appreciate it.

0 comments

2 comments · 2 top-level

rocqua5y ago

non-interactive proofs set an acceptable failure level. Because of this, some people call them "arguments". Generally, the chance of failure is set to something like 1 in 2^256. Which is low enough to be totally trust-worthy.

When talking about this chance of failure, you have to take into account that an attacker can try to repeat as often as he wants. If you presume he has 2^64 attempts (which is unreasonably high) then his chance of finding a correct proof would be 1 in 2^192. Which is still truly negligible.

This wiki page: https://en.wikipedia.org/wiki/Fiat%E2%80%93Shamir_heuristic

Has a nice explanation but I figure you've seen that already.

In short the idea is:

- Set an acceptable chance of failure (like 1 in 2^256)

- Trust the output of a hash function to be random (random oracle model)

- Use the hash function to derive the "challenges" normally made a by an interactive verifier based on the commitment

Because the challenge(s) are chosen according to the random oracle (hash function) they are random. So it is impossible for the attacker to pick his commitment based on the challenge.

tylersmith5y ago

The interactive version works not because the verifier is making the queries, but because the prover is not. The intuition behind making an interactive protocol non-interactive is use unbiasable queries that can be predicted ahead of time used hashes for pseudo-randomness.

https://en.m.wikipedia.org/wiki/Fiat%E2%80%93Shamir_heuristi...

j / k navigate · click thread line to collapse