1 of 10

Loading...

Loading...

Loading...

Loading...

Loading...

Loading...

Loading...

Loading...

Loading...

Zero-Knowledge proofs (ZK-proofs) are cryptographic protocols that allow one party (the prover) to prove the truth of a statement to another party (the verifier) without revealing any additional information beyond the validity of the statement itself. In other words, a Zero-Knowledge proof demonstrates knowledge or possession of certain information without revealing the information itself. The key features of Zero-Knowledge proofs are:

Completeness: If the statement is true, an honest prover can convince an honest verifier of its truth with overwhelming probability.

Soundness: If the statement is false, no prover, even if malicious, can convince a verifier of its truth, except with negligible probability.

Zero-Knowledge: The proof should not reveal any information beyond the statement's validity. Even after interacting with the prover and receiving the proof, the verifier should not gain additional knowledge about the underlying witness or secret information.

Despite being decades old, Zero-Knowledge proofs have only recently become practical for real-world use in finance. The implications of the technology are enormous: ZKPs can maintain blockchains’ accuracy and make scalability possible with ease and precision. Users can also know with complete clarity how their data is utilized, while only needing to share what’s absolutely necessary for a given transaction.

Zero-Knowledge proofs have various applications, including:

Authentication and identification: Zero-Knowledge proofs can allow users to authenticate or identify themselves to a party without revealing any personally identifiable information.

Privacy-Preserving transactions: Zero-Knowledge proofs can be used to prove the correctness of a transaction or computation without revealing the inputs or intermediate values involved.

Secure Multi-Party Computation (MPC): Zero-Knowledge proofs can enable multiple parties to perform joint computations on their private inputs without revealing the inputs to each other.

Blockchain and cryptocurrencies: Zero-Knowledge proofs are widely used in blockchain and cryptocurrency systems to enhance privacy, improve scalability, and verify the correctness of transactions without exposing sensitive information. Zero-Knowledge proofs provide potent tools for cryptographic protocols, allowing for secure and private interactions between parties while maintaining confidentiality and integrity. With ZKPs, users no longer need to re-execute every transaction in a ledger, as they can instead check a succinct proof.

Panther also utilizes *ZK SNARKs*, which stands for “Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge.” Thanks to ZK SNARKs, and just like with ZKPs, a prover can prove their possession of information without revealing it. However, the added benefit of ZK SNARKs is that they allow this to happen without both parties interacting. This helps further users’ privacy and anonymity.

ZK SNARKs are:

**Succinct:**The size of the proof is small compared to the size of the statement being proved.**Non-interactive:**ZK SNARKs do not require rounds of interaction between the prover and verifier except for a negligibly small probability.**Argument:**A weaker notion of a mathematical proof where we assume the prover has bounded computational resources.**Knowledge:**The prover cannot construct a proof without knowing a particular witness for the statement. This would be the equivalent of knowing “what to look for” or “what to decode”.

Specifically, Panther uses a pairing-based SNARK called Groth16.

Groth16 is a well-known and widely-used pairing-based ZK SNARK dating to 2016. Described by Jens Groth in the paper ”On the Size of Pairing-based Noninteractive Arguments,” it is one of the most widely used ZK SNARKs for ensuring privacy and confidentiality

As a ZK SNARK, Groth16 is Zero-Knowledge, which means that the protocol allows a prover to convince a verifier of the truthfulness of a statement without revealing any additional information about the underlying data. This, of course, is in addition to fulfilling the requisites of completeness and soundness.

Another noteworthy aspect of Groth16 is its succinctness. It enables the prover to generate a succinct proof attesting to the validity of a statement, while the verifier can efficiently verify the proof. The proofs generated using Groth16 are short and concise, requiring significantly less space to store and transmit. A proof contains only 3 group elements, and verification consists of checking a single equation's paring product using 3 pairings in total. This property is crucial for applications where proof size is a limiting factor, such as blockchain systems or privacy-preserving protocols.

The protocol is particularly designed for proving the knowledge of a witness about a statement that can be expressed as a polynomial equation over a finite field. The witness is a set of field elements that satisfy the polynomial equation, and the proof is a succinct representation of the witness that can be efficiently verified by the verifier. The witness also consists of algebraic relationships and computations in elliptic curve groups, such as statements about the satisfiability of equations involving pairing-based cryptography. In the latter case, the key idea behind Groth16 is to construct a proof system that leverages the bilinear pairing properties of elliptic curves to enable efficient verification of complex algebraic relations.

The protocol consists of three main steps: setup, proving, and verification.

Setup: In this step, the common parameters of the protocol are generated. This includes selecting an appropriate elliptic curve group, defining the bilinear pairing function, and establishing the necessary public parameters for the proof system.

Proving: The prover aims to demonstrate the truthfulness of a statement. They construct a succinct proof by following a set of computation rules specified by the proof system. The proof is typically generated by performing a series of mathematical transformations and computations on the input data ensuring that it remains valid and does not reveal any additional information.

Verification: The verifier’s role is to check the validity of the proof without learning anything beyond the truthfulness of the statement. The verifier uses the public parameters and the proof provided by the prover to perform a series of mathematical checks and computations. If the proof passes all the verification checks, the verifier accepts the proof and concludes that the statement is valid with a high probability. Like any other cryptographic system, it is not without limitations. One key consideration is the trusted setup phase, where a setup ceremony is required to generate the initial parameters used in the proof generation and verification. This setup process needs to be performed in a secure and trustworthy manner to prevent potential attacks or backdoors. As long as one of the participants in the trusted ceremony is honest, the setup can be considered secure.

Groth16 needs one setup for each circuit. The Groth16 protocol offers two other desirable properties for this kind of system: soundness (if the statement is false, the prover will not be able to convince the verifier) and succinctness (the proof is short and can be verified efficiently).

The Groth16 protocol has found applications in various domains, such as anonymous credentials, privacy-preserving cryptocurrencies, and decentralized finance (DeFi). In all of the latter, preserving privacy and proving correctness are crucial.

**Documentation on Panther's cryptographic primitives is currently under construction.**\

There are two main types of homomorphic encryption: fully homomorphic encryption (FHE) and partially homomorphic encryption (PHE). FHE allows arbitrary computations to be performed on encrypted data, while PHE allows only certain types of computations to be performed, such as addition or multiplication using elliptic curves, with *G* being a generator of an elliptic curve group. The (homomorphic) operations that can be performed are:

Addition: given points

*bG*and*cG*, an expression of form*a = b + c*can be evaluated in encrypted form as*aG = bG + cG.*Scalar multiplication: given

*bG*, an expression of the form,*a = cb*, where*c*is a constant, can be evaluated in encrypted form as*aG = c(bG).*

Homomorphic encryption is a form of encryption that permits computations on encrypted data without the need to decrypt it. The output, when decrypted, is identical to that produced had the operations been performed on the unencrypted data. While there is a lack of practical schemes that deliver fully homomorphic encryption, there do exist practical schemes that exhibit some homomorphic capabilities. One example is RSA. Another is the discrete log-based systems, typically defined either modulo a prime *p*, or using . It is the latter that is the focus here.

A hash function is a mathematical function that maps (or compresses) data of arbitrary size to fixed-size values, with the output sometimes called hash values, digests, or simply hashes. Given any input, it should be easy (or efficient) to compute the output. The number of possible output values is limited by the fixed output size, whereas the number of possible inputs is not restricted in the same way. Consequently, although the output is specific to the input, there will be many different inputs that map to the same output value.

The core properties of cryptographic hash functions are:

Pre-image resistance (one way): Given a hash output, it should be difficult (computationally infeasible) to find any input that hashes to that given output.

Collision resistance: It should be difficult to find two distinct messages

*m1*and*m2*that hash to the same value. That is, where*hash(m1) = hash(m2*) for*m1≠m2*. Such a pair is called a collision. An algorithm-independent upper bound on the difficulty of finding collisions comes from the Birthday paradox, which implies that when searching for collisions by hashing random inputs, the expected number of trials before finding a collision is given by the square root of the number of possible outputs. That is, for collision resistance, the security level in bits is half that of the hash output bit length.Second pre-image resistance: For a given input, it should be difficult to find any second input that hashes to the same output. Note that collision resistance implies second pre-image resistance.

**Documentation on hash functions is currently under construction, and we are actively working on providing users with a comprehensive overview of this technology.**

The main features of the Poseidon hash include:

1. Efficiency: The Poseidon hash is designed to be highly efficient, enabling fast computation of hash values. It achieves this efficiency using a round-based permutation structure that can be parallelized and optimized for hardware implementations.

2. Security: The Poseidon hash is built upon the cryptographic sponge construction, which provides resistance against cryptographic attacks such as preimage attacks, second preimage attacks, and collision attacks. It employs a combination of algebraic and bitwise operations to ensure the security of the hash function.

3. Resistance to certain cryptographic attacks: The Poseidon hash is specifically designed to resist certain types of attacks that exploit algebraic properties of hash functions, such as differential and linear attacks. The round-based structure and carefully chosen operations make it resistant to these attacks.

4. Customizable parameters: Poseidon allows for the customization of its parameters, such as the number of rounds and field size, to adapt to specific security requirements and performance constraints. This flexibility enables the fine-tuning of the hash function for different applications.

5. Application versatility: Poseidon is suitable for a wide range of cryptographic applications, including digital signatures, Zero-Knowledge proofs, and blockchain systems. It provides a robust and efficient hashing primitive that can be utilized in various cryptographic protocols.

However, let's keep in mind that the Poseidon hash is designed for efficient and secure computation, especially in the context of Zero-Knowledge applications aiming to minimize proof generation time, proof size, and verification time (when it is not constant).

It's important to note that the Poseidon hash is just one among many cryptographic hash functions available. While it is true that Poseidon is better than the Pedersen Hash and Rescue for several use cases, the choice of hash function depends on the specific requirements and security considerations of the application at hand.

**Documentation on the Poseidon hash function is currently under construction, and we are actively working on providing users with a comprehensive overview of this technology.**

\

POSEIDON is a cryptographic hash function designed to be efficient when expressed as a circuit over a large prime field $\mathbb{F}$. It was introduced by Dmitry Khovratovich, Alexei Ivanov, and Dmitry Meshkov in 2019. Its use is advantageous in the context of SNARKs as many other hash functions (such as SHA-256) that are widely used in other contexts do not have efficient circuit representations. Panther uses this hash function as it fits the requirements of our platform.

Poseidon is a Snark-friendly cryptographic hashing algorithm based on a sponge function with the $POSEIDON^\pi$ permutation. Poseidon, as a function per se, maps strings over $\mathbb{F}_p$ (for a prime $p \approx 2^n > 2^{31}$) to fixed-length strings over $\mathbb{F}_p$, i.e. POSEIDON: $\mathbb{F}_p^* \longrightarrow \mathbb{F}p^o$ where $o$ is the output length measured in $\mathbb{F}_p$ elements (usually, $o = 1$). Poseidon takes a string of words in $\mathbb{F}_p$ as its input, and gives a single representative element of $\mathbb{F}_p$ as output (although longer outputs are supported).

The primary application of Poseidon is hashing in large prime fields, and so $POSEIDON^\pi$ takes inputs of $t\ge 2$ words in $\mathbb{F}_p$. For curves such as BLS12-381 of BN254, the prime (scalar) fields have a size of around $2^{255}$. Consequently, a security level of 128 bits (that is, Poseidon-128) corresponds to a capacity of 255 bits, which is one field element.

An elliptic curve is, in essence, simply the set of solutions (or points *(x, y*)) to an equation that can be represented in the form *y*^2* = x*^*3 + ax + b*, where *a* and *b*, as well as points (*x, y*) that lie on the curve (that is, are solutions to the equation), belong to a finite field *F_p *defined by a prime *p*. That is, *F_p *is the set *{0, 1, . . . , p − 1}*, with addition and multiplication being *modulo p*.

Elliptic curves are of interest in cryptography because points can be added together, with the result also being a point on the curve. Furthermore, the set of points obtained by taking a point *G* (a generator) and adding it to itself repeatedly until reaching (or returning to) the starting point *G*, forms a group whose order (denoted here as *q*) is the number of points in the set. The relevance of this is that there is a class of asymmetric (or public key) cryptographic protocols known as the discrete log-based systems, and which include DSA and the Diffie-Hellman protocol, which are defined to work in a group. There are many different types of groups, but for cryptographic security, the so-called *discrete log problem* must be a complex problem to solve (for sufficiently large parameters). Two groups for which this problem is considered difficult are the group defined by the set of integers modulo a large prime *p*, and the group of points on an elliptic curve.

When used for cryptographic purposes, the order *q* is typically a large prime number and defines the scalar field of the curve.

Examples of elliptic curve groups include BN254 (the curve currently used by Panther), BLS12-377, and BLS12-381.

Note that in addition to size, the structure of the group of points on an elliptic curve is also important. The factorization of q − 1 defines the subgroups of *Z_q*. The inclusion in this factorization of *2*^*s *for some sufficiently large *s* is required for using *FFTs* (for example, for multiplying polynomials), and is consequently crucial for the speed (or efficiency) of the proving process.

BN254 has 2-adicity 28 (that is, there exists a multiplicative subgroup of size 2^28).

In addition to Zero-Knowledge proofs, Panther uses *differential privacy*, *homomorphic encryption*, *Secure Multi-Party Computation*, and *selective disclosure schemes*. Each of these mathematical and technical building blocks plays different roles in supporting the enablement of privacy, anonymity, and scalability. By drawing upon these technologies, Panther facilitates a shift in trust from regulatory frameworks and organizational practices to trustless mathematical proofs and their interpretation.

Pairings, or bilinear pairings or Weil pairings, are mathematical operations defined on certain types of elliptic curves. Pairings have important applications in modern cryptography and enable various cryptographic protocols and constructions. Generally, a pairing is a bilinear map that takes two points from different groups and maps them to a target group. The bilinearity property means that the pairing operation satisfies specific algebraic properties, such as linearity and distributivity. Pairings are typically defined on elliptic curves with special properties, such as those that are pairing-friendly or provide a suitable algebraic structure for efficient computation of pairings. Pairing-friendly curves are carefully chosen curves that allow for efficient and secure implementation of pairings.

Some key properties and applications of pairings include:

Bilinearity: Pairings exhibit a bilinear property, meaning they preserve the properties of addition and scalar multiplication in the groups involved. This property allows for computations involving pairings to be distributed across different groups and enables the construction of complex cryptographic protocols.

Cryptographic Constructions: Pairings are used in various cryptographic constructions and protocols, including identity-based encryption, attribute-based encryption, cryptographic accumulators, and non-interactive Zero-Knowledge proofs. Pairings provide the necessary mathematical operations to achieve desired security properties in these applications.

Homomorphic Properties: Some pairings, such as those on specific curves like the BLS12-381 curve, exhibit homomorphic properties. Homomorphic pairings enable computation on encrypted or encoded data without decrypting or revealing the underlying values. This property is particularly useful in privacy-preserving computations and protocols.

Efficiency and Security: Pairings can be efficiently computed on pairing-friendly curves, which enables the practical implementation of cryptographic protocols. Pairings are based on hard mathematical problems, such as the decisional Diffie-Hellman problem or the bilinear Diffie-Hellman problem, providing a foundation for cryptographic security. Pairings have revolutionized many areas of modern cryptography by enabling advanced cryptographic primitives and protocols. They provide a versatile and powerful toolset for achieving security, privacy, and efficient computation in various cryptographic applications.

Mathematically speaking, a pairing is a bilinear mapping as follows:

$e : G_1 × G_2 → G_T .$

It is this bilinearity property that makes pairings such a powerful primitive in cryptography. Let $\mathbb{F}_{q^k}$be a finite extension of $\mathbb{F}p$ with $k \geq 1$. The groups $\mathbb{G}_1$ and $\mathbb{G}2$ are defined in $E(\mathbb{F}_{q^k})$ and the target group $\mathbb{G}_T$ is defined in the multiplicative group $\mathbb{F}^*_{q^k}$, so we usually write $\mathbb{G}_1$and $\mathbb{G}_2$ additively, whilst we write $\mathbb{G}_T$ multiplicatively. Thus, for $P, P^{\prime} ;\in \mathbb{G}_1$ and $Q,Q^{\prime} ;\in \mathbb{G}_2$, the bilinearity of $e$ means that

$e(P + P^{\prime},Q) = e(P,Q) · e(P^{\prime},Q),$

$e(P,Q + Q^{\prime}) = e(P,Q) · e(P,Q^{\prime})$