Open edoardopuggioni opened 4 years ago
The problem domain with ZKPs for SNARKs is to create two definitions: 1) the protocol and 2) the circuit. You've described the protocol and it looks good from a high level.
The remaining definition is the circuit. You have the SHA256
function and the Dec
function stated. The SHA256
function is included in libsnark
already (as long as you only need the compression side, and the full hash is not difficult to implement). The Dec
function will require more work to define.
Depending upon things like variable sizes and recursion, the Dec
function might be easy or might be impossible entirely. If you post pseudo-code then it would be easier to comment on.
Thank you so much for your reply.
Let's forget about the Dec
function for now then. Let's say the prover only wants to prove the second part of the statement, in other words that he knows a key k
that has an hash value Hk
. Formally the prover wants to prove that: SHA256(k) == Hk
The prover P
will compute the proof and then send it to the verifier V
along with the hash Hk
.
When V
verifies the proof he can then be sure that P
knows the preimage of the hash, aka the key k
.
So even in this simplified scenario, I just can't understand how to proceed with libsnark
. There is a gadget for SHA256
as you said, but how can I use it in practice to produce the following:
Hk
; the key k
aka the witnessHk
I know this is a very general question, but I can't figure out how to begin. Any suggestion or guideline would be greatly appreciated.
Hello, I would like to implement a zk-SNARKs scenario using
libsnark
but I can't figure out if it is indeed possible and how to approach the implementation in practice.This library seems too technical for me at the moment. I would really appreciate it if there was anyone able to tell me if the following is possible. I would also be very grateful for any suggestions on how to approach the implementation of this problem in practice.
I would like to implement a scenario in which a prover
P
wants to prove the knowledge of the decrypted version of a file to a verifierV
using zk-SNARKs. (The set-up phase to produce the proving and verification keys is done by a trusted third party of course.)In this scenario there is a file
f
and its encrypted version isfE = Enc(f, k)
. HereEnc
is a strong symmetric encryption algorithm such as AES andk
is the key used to encrypt the filef
.The hash of the file
f
isHf = SHA256(f)
In this scenario, I want the prover to be able to prove that:
SHA256(Dec(fE, k)) == Hf AND SHA256(k) == Hk
where obviouslyDec( fE, k )
will produce the original filef
.The prover
P
will send to the verifierV
the following elements, andV
will be then able to verify the proof:P
fE
Hf
Hk
If the verification output is true (the proof is valid) the verifier
V
will be sure of the following:Hf
is the hash of a filef
and the encrypted version of this file isfE
(note thatV
doesn't have/know the original filef
)Hk
is the hash of the keyk
used to encrypt the filef
to obtainfE
Many thanks to anyone who takes the time to read and try give suggestions!