Panther also utilizes ZK SNARKs, which stands for “Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge.” Thanks to ZK SNARKs, and just like with ZKPs, a prover can prove their possession of information without revealing it. However, the added benefit of ZK SNARKs is that they allow this to happen without both parties interacting. This helps further users’ privacy and anonymity.
ZK SNARKs are:
Succinct: The size of the proof is small compared to the size of the statement being proved.
Non-interactive: ZK SNARKs do not require rounds of interaction between the prover and verifier except for a negligibly small probability.
Argument: A weaker notion of a mathematical proof where we assume the prover has bounded computational resources.
Knowledge: The prover cannot construct a proof without knowing a particular witness for the statement. This would be the equivalent of knowing “what to look for” or “what to decode”.
Specifically, Panther uses a pairing-based SNARK called Groth16.
Groth16 is a well-known and widely-used pairing-based ZK SNARK dating to 2016. Described by Jens Groth in the paper ”On the Size of Pairing-based Noninteractive Arguments,” it is one of the most widely used ZK SNARKs for ensuring privacy and confidentiality
As a ZK SNARK, Groth16 is Zero-Knowledge, which means that the protocol allows a prover to convince a verifier of the truthfulness of a statement without revealing any additional information about the underlying data. This, of course, is in addition to fulfilling the requisites of completeness and soundness.
Another noteworthy aspect of Groth16 is its succinctness. It enables the prover to generate a succinct proof attesting to the validity of a statement, while the verifier can efficiently verify the proof. The proofs generated using Groth16 are short and concise, requiring significantly less space to store and transmit. A proof contains only 3 group elements, and verification consists of checking a single equation's paring product using 3 pairings in total. This property is crucial for applications where proof size is a limiting factor, such as blockchain systems or privacy-preserving protocols.
The protocol is particularly designed for proving the knowledge of a witness about a statement that can be expressed as a polynomial equation over a finite field. The witness is a set of field elements that satisfy the polynomial equation, and the proof is a succinct representation of the witness that can be efficiently verified by the verifier. The witness also consists of algebraic relationships and computations in elliptic curve groups, such as statements about the satisfiability of equations involving pairing-based cryptography. In the latter case, the key idea behind Groth16 is to construct a proof system that leverages the bilinear pairing properties of elliptic curves to enable efficient verification of complex algebraic relations.
The protocol consists of three main steps: setup, proving, and verification.
Setup: In this step, the common parameters of the protocol are generated. This includes selecting an appropriate elliptic curve group, defining the bilinear pairing function, and establishing the necessary public parameters for the proof system.
Proving: The prover aims to demonstrate the truthfulness of a statement. They construct a succinct proof by following a set of computation rules specified by the proof system. The proof is typically generated by performing a series of mathematical transformations and computations on the input data ensuring that it remains valid and does not reveal any additional information.
Verification: The verifier’s role is to check the validity of the proof without learning anything beyond the truthfulness of the statement. The verifier uses the public parameters and the proof provided by the prover to perform a series of mathematical checks and computations. If the proof passes all the verification checks, the verifier accepts the proof and concludes that the statement is valid with a high probability. Like any other cryptographic system, it is not without limitations. One key consideration is the trusted setup phase, where a setup ceremony is required to generate the initial parameters used in the proof generation and verification. This setup process needs to be performed in a secure and trustworthy manner to prevent potential attacks or backdoors. As long as one of the participants in the trusted ceremony is honest, the setup can be considered secure.
Groth16 needs one setup for each circuit. The Groth16 protocol offers two other desirable properties for this kind of system: soundness (if the statement is false, the prover will not be able to convince the verifier) and succinctness (the proof is short and can be verified efficiently).
The Groth16 protocol has found applications in various domains, such as anonymous credentials, privacy-preserving cryptocurrencies, and decentralized finance (DeFi). In all of the latter, preserving privacy and proving correctness are crucial.
Documentation on Panther's cryptographic primitives is currently under construction.\