search

pepper-project / pequin

A system for verifying outsourced computations, and applying SNARKs. Simplified release of the main Pepper codebase.
Other
122 stars 46 forks source link

Prover-knows-hash-preimage example for proving knowledge of sha256 preimage #27

Closed jimouris closed 5 years ago

jimouris commented 5 years ago

Implementation of a realistic use-case proposed in issue #26 by @maxhowald.

Description:

  1. Verifier sets up the P and V keys: ./pepper_compile_and_setup_V.sh prover_knows_hash_preimage prover_knows_hash_preimage.vkey prover_knows_hash_preimage.pkey

  2. Prover claims that she knows the preimage to that hash (located in the exo0 file) ./pepper_compile_and_setup_P.sh prover_knows_hash_preimage

  3. Verifier generates and provides the input_hash (which is a sha256 hash) (located in the prover_knows_hash_preimage.inputs file) bin/pepper_verifier_prover_knows_hash_preimage gen_input prover_knows_hash_preimage.inputs

  4. Prover generates a proof (prover_knows_hash_preimage.proof) that she knows the preimage bin/pepper_prover_prover_knows_hash_preimage prove prover_knows_hash_preimage.pkey prover_knows_hash_preimage.inputs prover_knows_hash_preimage.outputs prover_knows_hash_preimage.proof

  5. Finally, Verifier checks the computation without ever knowing the preimage bin/pepper_verifier_prover_knows_hash_preimage verify prover_knows_hash_preimage.vkey prover_knows_hash_preimage.inputs prover_knows_hash_preimage.outputs prover_knows_hash_preimage.proof

SHA256 implementation https://github.com/cnasikas/data-processing/tree/master/zkp/app/queries/sha256

PS: exo0 file from apps (which is the preimage) should be copied in bin directory and should also have execute permissions.

cnasikas commented 5 years ago

Reference: #13

maxhowald commented 5 years ago

EDIT: My mistake. Please see comment below.

This is a good example. Thanks for submitting this PR! One small issue before merging:

After running (1) - (5), I see the following output:

$ cat prover_verifier_shared/prover_knows_hash_preimage.outputs
0
0

Since the second output is 0, doesn't that mean the prover's hash didn't match? (BTW, the first output of all computations is the return value of the compute function.)

If I add a couple of lines to make the output include the hash calculated in the computation, I see the following:

$ cat prover_verifier_shared/prover_knows_hash_preimage.outputs
0
0
223
63
97
152
4
169
47
219
64
87
25
45
196
61
215
72
234
119
138
220
82
188
73
140
232
5
36
192
20
184
17
25

These look different from the values specified at the top of input_generation/prover_knows_hash_preimage_v_inp_gen.h, so it's not surprising that output->prover_knows_preimage is 0.

Do you have some example code of a (non-verifiable) computation which computes the hash of the example preimage?

Thanks!

maxhowald commented 5 years ago

Actually, nevermind. I simply forgot to copy the right exo0 script in to the pepper/bin directory. Now I see the output is 1, as expected. My bad!

If you have some example code or documentation on how the values in input_generation/prover_knows_hash_preimage_v_inp_gen.h are calculated, that would still be great.

Everything else looks OK.

jimouris commented 5 years ago

Sure, I just made a simple python script to compute the SHA256 of any input and generate the corresponding byte-array from it. Here you go:

#!/usr/bin/env python

import hashlib
import sys

preimage = "abcd"
if len(sys.argv) > 1:
    preimage = sys.argv[1]

h = hashlib.sha256()
h.update(preimage)

hash_bytes = list(bytearray.fromhex(h.hexdigest()))
print hash_bytes