You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It should also be feasible to extend the statement with a PoK for the statement I know (m, r) s.t for each c_i (the ciphertexts), c_i = E(m, r). This should enable to "attach/bind" the ciphertexts to the rest of the statement, and force the Adversary willing to modify the ciphertexts of a tx, to generate a new proof. However, I guess that representing E as a multiplicative sub-circuit, and evaluating it on each plaintext is way too "constraint-expensive"..
The text was updated successfully, but these errors were encountered:
See Section 4.15.1 of https://github.com/zcash/zips/blob/master/protocol/protocol.pdf
(or Section 4.10 of the same document).
It should also be feasible to extend the statement with a PoK for the statement
I know (m, r) s.t for each c_i (the ciphertexts), c_i = E(m, r)
. This should enable to "attach/bind" the ciphertexts to the rest of the statement, and force the Adversary willing to modify the ciphertexts of a tx, to generate a new proof. However, I guess that representing E as a multiplicative sub-circuit, and evaluating it on each plaintext is way too "constraint-expensive"..The text was updated successfully, but these errors were encountered: