Hi all,
following up on the request for additional information regarding the Schnorr Proof of Knowledge, please find the details below.
Schnorr Proof of Knowledge
The Schnorr Proof of Knowledge (PoK) is a cryptographic protocol used to demonstrate that a prover knows a secret value without revealing the value itself. This technique is part of a family of proofs known as zero-knowledge proofs. The basic idea is proving knowledge of a secret associated with a discrete logarithm problem. Specifically, the Schnorr PoK allows a prover to show that they know the discrete logarithm of a public value (g^x) with respect to a base (g) in a given group, without revealing (x) itself.
Here is an overview of key steps involved:
- Setup: Let (G) be a cyclic group of order (p) and generator (g). The prover has a secret (x), and the public key is (y = g^x).
- Commitment: The prover selects a random natural number (r) and sends (t = g^r) to the verifier.
- Challenge: The verifier sends a random challenge (c) to the prover.
- Response: The prover calculates (s = r + cx mod p) and sends it back.
- Verification: The verifier checks if (g^s = t y^c). If true, it confirms the prover’s knowledge of (x) without revealing (x) itself. (Note that g^s = g^{r+cx} = g^r g^{cx} = t y^c.)
Relevance of Schnorr PoK for this thread
Threshold cryptography, utilized in signature schemes like ECDSA or BLS, allows signing capabilities to be distributed across multiple parties. For instance, both threshold ECDSA (tECDSA) and threshold BLS (tBLS) signatures are supported natively by the ICP protocol. There is also a non-interactive threshold Schnorr signature scheme, which is planned to be added to the ICP protocol.
An interactive Schnorr PoK is not compatible with these threshold signature schemes due to its design: In the threshold signature schemes, the cryptographic challenges are deterministically computed using a hash function, which incorporates the message. On the other hand, in the interactive Schnorr PoK the cryptographic challenge is chosen randomly by the verifier. Consequently, canisters, which rely on tECDSA for signing messages, cannot provide an interactive Schnorr PoK. Similarly, II-controlled neurons that use tBLS are also unable to provide an interactive PoK.
In contrast, a user who manages their neurons via Quill or a Ledger device can provide a Schnorr PoK of their secret neuron controller key.
Schnorr PoK vs Disbursement Key
II-controlled neurons cannot directly participate in a Schnorr PoK scheme due to their reliance on tBLS signatures. To allow these neurons access to enhanced rewards while disincentivizing neuron transfers, one might create a new scheme providing the neuron controller access to a non-modifiable disbursement key.
This key, controlling the disbursement of ICP and possibly neuron maturity, would grant significant power to its holder. Since knowledge of the key is irreversible, this poses a risk to buyers; previous owners might retain access to the neuron’s ICP or voting rewards.
Conceptually, providing a PoK of the newly created disbursement key is similar to providing a PoK of the controller key. In both cases, possession of the key verifies knowledge of a specific secret. However, the disbursement key introduces a new key (which requires a whole new scheme to manage this additional key), whereas a PoK of the existing controller key does not.
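The five protocol steps listed in the post above, as an added Python example that is not part of the original post and is not ICP code. It assumes a constructed toy group (modulus 2039, order p = 1019, g = 4), and the names `Prover`, `verify`, `interactive_proof` and `hashed_challenge` are hypothetical; `hashed_challenge` only illustrates a challenge derived deterministically from a hash that incorporates the message, in contrast to the verifier's random challenge.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use: the order-p
# subgroup of the integers mod Q_MOD = 2p + 1, generated by g.
Q_MOD, P, G = 2039, 1019, 4


class Prover:
    def __init__(self, x):
        self.x = x % P
        self.y = pow(G, self.x, Q_MOD)      # public key y = g^x
        self._r = None

    def commit(self):
        self._r = secrets.randbelow(P)      # fresh secret r for every run
        return pow(G, self._r, Q_MOD)       # commitment t = g^r

    def respond(self, c):
        r, self._r = self._r, None          # an r is used for one challenge only
        if r is None:
            raise RuntimeError("commit() must precede each respond()")
        return (r + c * self.x) % P         # response s = r + cx mod p


def in_group(v):
    """True if v lies in the order-p subgroup generated by g."""
    return 0 < v < Q_MOD and pow(v, P, Q_MOD) == 1


def verify(y, t, c, s):
    """Verifier's check g^s == t * y^c, after validating y and t."""
    if not (in_group(y) and in_group(t)):
        return False
    return pow(G, s, Q_MOD) == (t * pow(y, c, Q_MOD)) % Q_MOD


def interactive_proof(prover):
    """One run in which the verifier picks the challenge at random."""
    t = prover.commit()
    c = secrets.randbelow(P)
    return verify(prover.y, t, c, prover.respond(c))


def hashed_challenge(y, t, message):
    """Challenge derived from a hash over the transcript and a message."""
    data = f"{G}|{y}|{t}|".encode() + message
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P
```

The prover discards r after one response because answering two different challenges for the same commitment would let anyone solve the two response equations for x.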