Zokrates / ZoKrates

A toolbox for zkSNARKs on Ethereum
https://zokrates.github.io
GNU Lesser General Public License v3.0

Proof Properties on Encrypted Data #276

Open 3psil0n opened 5 years ago

3psil0n commented 5 years ago

Hey, I am just wondering if there is someone who has already figured out how to use ZoKrates to prove properties on encrypted data. For example, can one implement an asymmetric or symmetric encryption scheme just using ZoKrates?

For example, given the encryption E(M) of a message M, can we use Zokrates to show that E(M) is the encryption of M and P(M) for some predicate P?

Is there already some implementation (like the sha gadget)?

kunxian-xia commented 5 years ago

jsnark has implemented some of the symmetric encryption scheme gadgets.

3psil0n commented 5 years ago

It is interesting that jsnark has already implemented encryption gadgets. From a practical perspective, the question arises how efficient such encryption gadgets can be. Or put differently: is the implementation of encryption gadgets viable? Clearly, encryption gadgets would make ZoKrates much more attractive to me.

stefandeml commented 5 years ago

Thanks for raising this issue. We currently don't have support for an encryption gadget, but this definitely can be done (like xjsnark has shown). I didn't come across a good use-case for now, which is why we didn't spend time on such a gadget. Hence, I would be very interested in the use-case you have in mind and how this gadget would help you.

HarryR commented 5 years ago

Is a hash function not suitable?

It has the same properties you need: proof that the public input X matches E(M), and the predicate P(M) being true can just be part of the circuit working on the secret input M that the user provides.

3psil0n commented 5 years ago

Unfortunately, I guess not. If you need to ensure that the data meets properties while at the same time transferring the data to another party (for further manipulation), you also need to ensure that the properties hold on the encrypted data.

3psil0n commented 5 years ago

A use case could be: You have a blockchain as some sort of accountable data exchange between different companies. While the data needs to be kept secret, you want to publicly ensure that the data exchange meets some rules. If the public does not trust the companies for the encrypted data exchange itself, the encrypted data could differ from the (hashed) data that satisfies the rules.

Mahsa-Bastankhah commented 5 years ago

I'm trying to implement the same case that you told and I haven't found a zkp library that satisfies me. Did you try jsnark? Does it support checking proofs on chain?

3psil0n commented 5 years ago

For now, I have not come up with a solution yet. However, it should be feasible to implement a zkSNARK gadget for encryption. However, I do not know how efficient that would be. It would probably be advisable to choose a suitable encryption scheme.

However, there is at least progress in implementing a Digital Signature Scheme. ZoKrates should now support checking Edwards-curve Digital Signatures (https://en.wikipedia.org/wiki/EdDSA).

However, I still have a use case where I want to prove things about an encrypted message. The thing is, I not only want to use the blockchain as proof that I have data with certain properties, but also that I sent the data encrypted to another party.

A simple exemplary use case: There are two parties. Party A has the obligation to send data to party B.

The blockchain should ensure that:

  1. the data satisfies some properties
  2. the data remains "secret"
  3. Party B can decrypt (retrieve) the original data

While (1) and (2) can be ensured with hashes, (3) can only be ensured using an "encryption gadget".
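The difference between the hash-based check suggested earlier in the thread and the encryption relation asked for here can be made concrete with a small model of the statement the circuit would have to enforce. The following is an added example, not ZoKrates code and not code from anyone in this thread: it uses a toy Diffie-Hellman group (p = 23, a constructed value far too small for real use), hashed ElGamal as the encryption scheme, and "the value is below a cap" as the predicate P(M); all three are assumptions chosen for illustration. `encryption_relation` is the witness relation an encryption gadget would express in constraints: the public inputs are B's key and the ciphertext, the private witness is the message and the encryption randomness.

```python
"""Model of "C is an encryption of M under pk, and P(M) holds".

Added example (not ZoKrates code). Plain-Python arithmetic over a toy group
stands in for circuit constraints so the relation can be run offline.
"""
import hashlib
from typing import Tuple

# Toy group, constructed for illustration only: p is a safe prime (p = 2q + 1)
# and g generates the subgroup of order q. Real deployments use a large group.
P = 23
Q = 11
G = 4

PAD_BITS = 16  # messages are 16-bit values in this toy


def kdf(shared: int) -> int:
    """Derive a PAD_BITS one-time pad from the shared group element."""
    digest = hashlib.sha256(shared.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << PAD_BITS) - 1)


def keygen(sk: int) -> int:
    """Party B's public key pk = g^sk mod p."""
    return pow(G, sk, P)


def encrypt(pk: int, m: int, r: int) -> Tuple[int, int]:
    """Hashed ElGamal: C = (g^r, M xor KDF(pk^r)). r is the encryption randomness."""
    c1 = pow(G, r, P)
    c2 = m ^ kdf(pow(pk, r, P))
    return c1, c2


def decrypt(sk: int, c: Tuple[int, int]) -> int:
    """Party B recovers M from C with its secret key (property 3 in the thread)."""
    c1, c2 = c
    return c2 ^ kdf(pow(c1, sk, P))


def predicate(m: int) -> bool:
    """P(M): the assumed rule the data must satisfy (property 1 in the thread)."""
    return m < 1000


def hash_only_relation(public_digest: bytes, m: int) -> bool:
    """The hash-based statement: H(M) equals a public digest and P(M) holds.

    This binds the proof to M, but says nothing about what ciphertext, if any,
    reached party B.
    """
    return hashlib.sha256(m.to_bytes(2, "big")).digest() == public_digest and predicate(m)


def encryption_relation(pk: int, c: Tuple[int, int], m: int, r: int) -> bool:
    """The statement an encryption gadget would enforce in-circuit.

    Public inputs: pk, c.  Private witness: m, r.
    Holds only if c really is the encryption of a compliant m under pk.
    """
    return encrypt(pk, m, r) == c and predicate(m)


def cheating_scenario(sk: int = 5, r: int = 7) -> Tuple[bool, bool]:
    """Party A hashes a compliant value but sends B a ciphertext of something else.

    Returns (hash check passes, encryption relation passes).
    """
    pk = keygen(sk)
    committed = 42          # compliant value whose hash A publishes
    actually_sent = 9999    # what A really encrypted to B (constructed)
    digest = hashlib.sha256(committed.to_bytes(2, "big")).digest()
    c = encrypt(pk, actually_sent, r)
    return hash_only_relation(digest, committed), encryption_relation(pk, c, committed, r)


if __name__ == "__main__":
    sk = 5
    pk = keygen(sk)
    c = encrypt(pk, 42, 7)
    print("honest:", encryption_relation(pk, c, 42, 7), "B decrypts", decrypt(sk, c))
    print("cheating (hash passes, encryption relation fails):", cheating_scenario())
```

In the cheating scenario the hash-only statement is satisfied because A does know a compliant M, yet the encryption relation fails because the ciphertext B received is not `encrypt(pk, M, r)` for that M. A real gadget would have to evaluate the key derivation and group arithmetic inside the circuit, which is where the efficiency question raised above comes from.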

Schaeff commented 5 years ago

Why doesn't Party A send the data to Party B using a different channel? Because of data availability?

3psil0n commented 5 years ago

@Schaeff

Parties A and B do not trust each other.

For instance:

  1. B cannot claim that he didn't receive the data
  2. A cannot claim that he sent the data while he has not actually sent the correct data.

stark1092 commented 3 years ago

@3psil0n I am also looking for this gadget, have you solved it? Jsnark provides the gadgets for rsa and sha256, but it cannot be verified by a smart contract, and the parameters are difficult to retrieve from output files.

evmcheb commented 2 years ago

Also think something like this would be very useful. Would be great if you could verify a message was encrypted to some public key correctly.

xhliu commented 2 years ago

Circom has Mimc/Poseidon encryption https://github.com/iden3/circomlib/search?q=encryption&type=issues

Also Elgamal encryption https://github.com/weijiekoh/elgamal-babyjub/tree/master/circom

grzracz commented 1 year ago

Bump. Would open up a LOT of interesting use cases if this could be solved.

gcsfred2 commented 1 month ago

I would like to store encrypted data within a smart contract. My dApp would read it and decrypt it. EdDSA or RSA or similar (kind of irrelevant to the SC). Can ZoKrates help with that?