Question: Witness (terminology and implementation) #19

Closed
uvdsl opened this issue Oct 30, 2023 · 3 comments

uvdsl commented Oct 30, 2023

Hi 👋 I am still admiring your work!

I am wondering about the terminology of the witness and its "implementation".

From the docs:

> Witness - Private data that needs to be kept hidden from the verifier. This can be the messages/attributes that are not being disclosed, the signature itself, the accumulator member, accumulator witness. Every witness corresponds to some Statement.

So:

  • Is the witness the actual secret value, or is it some wrapper around it, e.g., a commitment (or rather, the value committed to and opening of said commitment)?

And, for two statements (e.g. for POKS and set membership), the witnesses are distinct objects in code, but "reference" the same value. This equality of the witnesses is what we prove with witnessEquality in the metaStatements.

  • This equality proof is done via Schnorr, as far as I understand, where we prove knowledge of the committed value (the witness?) and the opening for the commitment (also part of the witness then?) that is used in the particular other proofs (POKS, set membership, etc). What is part of the witness here?

I feel that the term witness is used quite heterogeneously on the Web - and, FWIW, Rannenberg, Camenisch and Sabouri don't even mention that term in their work on Attribute-based Credentials for Trust.
I'd appreciate if you could clarify your understanding of the term witness and how it relates to the composite proofs.

Cheers
Christoph

Member

lovesh commented Oct 31, 2023

Hi.

> I am wondering about the terminology of the witness and its "implementation".

The term "witness" is found in zero-knowledge proof literature to refer to the data known to the prover (and not the verifier) and whose knowledge is being proven in the proof; see definitions 19.2 and 19.3 here.

> Is the witness the actual secret value, or is it some wrapper around it, e.g., a commitment (or rather, the value committed to and opening of said commitment)?

It's the actual secret value; the wrapper is just an abstraction. Regarding commitments, they are usually not the witness (unless the proof is about proving knowledge of a commitment and not just its opening); the opening (committed value and any randomness used) is the witness when the proof is for the knowledge of the opening.

> This equality proof is done via Schnorr, as far as I understand, where we prove knowledge of the committed value (the witness?) and the opening for the commitment (also part of the witness then?) that is used in the particular other proofs (POKS, set membership, etc). What is part of the witness here?

The opening of the commitment is/includes the committed value and will be the witness. E.g., in a Pedersen commitment C = g * m + h * r, g and h are public but m and r are the opening (m and r being the committed value and randomness respectively) and known only to the committer. When the committer proves knowledge of the opening of C, it proves that given public C, g, and h, it knows m and r that satisfy C = g * m + h * r.
In the case of POKS, the messages not being revealed and the signature are the "witness".

> I feel that the term witness is used quite heterogeneously on the Web - and, FWIW, Rannenberg, Camenisch and Sabouri don't even mention that term in their work on Attribute-based Credentials for Trust.

Probably to avoid jargon :), and the book is about the application of ZKP. Have only read a small part of it though.

Hope that helps.
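
The Pedersen example from the reply above, carried through as a runnable sketch; this is an added example, not code from the thread or from the project. It goes one step beyond a single commitment and proves that two commitments open to the same m, a standard Schnorr-style way to show equality of witnesses (not necessarily how the library implements it). Assumptions: the toy group (P, Q), the generators and all function names are constructed for illustration, and the group is written multiplicatively, so C = g * m + h * r becomes C = g^m * h^r mod P.

```python
import hashlib
import secrets

# Toy Schnorr group (constructed, NOT secure): P = 2*Q + 1, both prime.
# Squares mod P form the subgroup of prime order Q. The additive
# C = g * m + h * r from the thread is written here as C = g^m * h^r mod P.
P, Q = 2039, 1019
G1, H1 = 4, 9      # public generators for the first commitment
G2, H2 = 25, 49    # different public generators for the second commitment

def commit(g, h, m, r):
    """Pedersen commitment; the opening (m, r) is the witness."""
    return pow(g, m, P) * pow(h, r, P) % P

def challenge(*public):
    """Fiat-Shamir challenge in [1, Q-1], derived from public values only."""
    digest = hashlib.sha256(repr(public).encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)

def prove(c1, c2, m, r1, r2):
    """Prover side: holds the witnesses (m, r1) for c1 and (m, r2) for c2."""
    k_m, k_r1, k_r2 = (secrets.randbelow(Q) for _ in range(3))
    # Equality of witnesses: the SAME blinding k_m covers m in both relations,
    # so one response s_m has to satisfy both verification equations.
    t1, t2 = commit(G1, H1, k_m, k_r1), commit(G2, H2, k_m, k_r2)
    c = challenge(c1, c2, t1, t2)
    s_m = (k_m + c * m) % Q
    s_r1 = (k_r1 + c * r1) % Q
    s_r2 = (k_r2 + c * r2) % Q
    return (t1, t2, s_m, s_r1, s_r2)

def verify(c1, c2, proof):
    """Verifier side: sees c1, c2, the generators and the proof, never m or r."""
    t1, t2, s_m, s_r1, s_r2 = proof
    c = challenge(c1, c2, t1, t2)
    ok1 = commit(G1, H1, s_m, s_r1) == t1 * pow(c1, c, P) % P
    ok2 = commit(G2, H2, s_m, s_r2) == t2 * pow(c2, c, P) % P
    return ok1 and ok2

if __name__ == "__main__":
    m, r1, r2 = 42, 7, 500                      # constructed sample witness
    c1, c2 = commit(G1, H1, m, r1), commit(G2, H2, m, r2)
    print(verify(c1, c2, prove(c1, c2, m, r1, r2)))
```

Only `c1`, `c2`, the generators and the proof tuple cross to the verifier; `m`, `r1` and `r2` stay with the prover, which is what makes them the witness.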

Author

uvdsl commented Nov 7, 2023

Hi, thank you for the explanation!
The terminology is much clearer to me now and the code (abstraction) also makes more sense.
Thanks again!

uvdsl closed this as completed Nov 7, 2023

Member

lovesh commented Nov 7, 2023

You're welcome.
