Proof That I Know Something… Proving I Know x for Hash(x)

We live in a digital world that gives too much away. Our systems are often set up to store sensitive information on us, and where we also…

https://www.change.org/p/clemency-for-ross-ulbricht-condemned-to-die-in-prison-for-a-website1024Photo by Austin Distel on Unsplash

Proof That I Know Something… Proving I Know x for Hash(x)

We live in a digital world that gives too much away. Our systems are often set up to store sensitive information on us, and where we also pass this sensitive information through our applications. But, there is another way, and that’s the creation of Non-interactive Zero Knowledge Proofs (NI-ZKP). These magical little functions allow us to prove that we know something secret and give cryptographic proof for it.

So let’s take an example, and where Peggy has a secret value of x, and that Victor has stored a hash value such that:

y=H(x)

If Victor uses a 256-bit hash, there is virtually no chance that we will ever discover the value of x, with just the knowledge of y. x could thus be Peggy’s password, or my National Insurance number. It could even be the proof of a given 256-bit encryption key.

So let’s see if we can prove x with a knowledge of H(x), and run in a smart contract. As the smart contract can expose values, we need to keep the value of x secret. For this, we turn to Zokrates and Solidity.

Zokrates

ZKPs have been around since the mid-1980s, and have often been heavy in terms of their processing requirements. One new family has come along, though, and which provides fast and short proofs. This is zkSnark (zero-knowledge Succinct Non-interactive ARguments of Knowledge). Overall, zkSnarks have been used in applications of privacy-preserving cryptocurrency, but have applications within smart contracts, too. Normally we require a proof to be done using an off-chain method, but the zkSnarks now allows us to prove things on-chain — and in an efficient and low-cost way. As a result, we can create our off-chain applications, and then link them into the Ethereum blockchain for a proof.

One of the quickest ways to produce these proofs is to use Zokrates, and which can plug into Remix:

This code can then be compiled into Solidity code. The code to hash a value is given next:

import "hashes/sha256/512bitPacked" as sha256packed

def main(private field a, private field b, private field c, private field d, field h0, field h1):

field[2] h = sha256packed([a, b, c, d])
assert(h[0] == h0)
assert(h[1] == h1)
return

// Input: 'a' -> 0,0,0,97
// assert(h[0] == 45324487246557938747332883189457400843)
// assert(h[1] == 84478852209878349000735790184433475398)

In Socrates we can only hold 128-bit values, and so our 256-bit hash is split into two parts. In this case h[0] for the lower 128 bits, and h[1] for the upper 128 bits. For the input data, we split into four 128-bit values, and which gives us a data input of up to 512 bits. The values of the input will be a, b, c and d, and where d is the end part of the data buffer. With many other cryptosystems, we use a big-endian format, and where the last byte as the first byte of the data. Thus for a data input of ‘a’, and for 16 bytes (128 bits), we end up with a hex value of:

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61

and where ‘61’ is the hex value for an ‘a’. This is a value of 97 as an integer value.

With this, we have four private fields: a, b, c and d. These will be kept private to the smart contract, and will not be exposed, while h0 and h1 (the hash value) can be revealed:

def main(private field a, private field b, private field c, private field d, field h0, field h1):

We will thus create a zero-knowledge proof for a, b, c and d and which relates to the hash values of h0 and h1. For the next part, we now need to compute a witness within the compiled program and which has the valid values computed. For this, we need to generate the values of h0 and h1 for the hash. So let’s take an into of ‘0x000….a’ and then compute the two input hash values (h0 and h1):

The run of this is:

hx:  22192dc09ba3afbc0d0c5b60675ab40b3f8e08fd3897de4e81a37a4752805f46

45324487246557938747332883189457400843
84478852209878349000735790184433475398

0x22192dc09ba3afbc0d0c5b60675ab40b
0x3f8e08fd3897de4e81a37a4752805f46

And so the two integer values we need for the witness are: h0=45324487246557938747332883189457400843, and h1=84478852209878349000735790184433475398. If we need to enter these values, we can generate the witness:

If we give it the wrong proof for the hash, we will generate an incorrect assertion:

Once computed, we can then generate a verification and a proving key. It can take over a minute, but is a once only compute. For this we get a file named verification_key.json:

The keys are then:

With the verifier and proof keys, and the witness, we can now generate our proof:

We now have a verifier proof (proof.js):

The first part of this file gives us the proof and the second part gives the inputs. We will need these two parts for testing. The bold part is the triplet will use for the proof and the non-bold part is the input of the hash:

[["0x0a3bb1b06802e0bddf2f719a2adadfbda2bf628bcc469f97849f3a2009266ee1","0x1f0e7ef4eafe8acfb8e6f1d608699dc4db47d7553c4a9e6a1630ffe8236be4ee"],                             [["0x2114b641d3de45ac6f59377e5f79ea4e9535276485a0814015c4993cfa367530","0x04bfaabe99401fe960026098f2c994428758132737059ce222b4bf59347e8680"],                             ["0x12af358a294385f705eccef47e01cf89a681b0de94387a35000ff85b8c99b79b","0x032ee889089f107a4214218d08736f31b523799021f700a1c80aab0e9609ed4c"]],                             ["0x293557474f9044afdd3d825609ff22b2659c773cfca55ae9fe51c8b555218a0b","0x19e45a09b7548dac68bebca92325e3e1415b34320e715e7b844fb4417b1110fd"]]

                                                                                       ["0x0000000000000000000000000000000022192dc09ba3afbc0d0c5b60675ab40b","0x000000000000000000000000000000003f8e08fd3897de4e81a37a4752805f46"]

Finally, we will create our Solidity smart contract with an export:

The code is then:

Now let’s test it by using the ganche blockchain:

We then use the Solidity code we generated before, and compile it:

Next we can deploy to our local blockchain:

And the test:

We can see we get a true return. But if we use an incorrect proof, we get a false return:

And so we have proven, that we know x for H(x). We can now deploy our smart contract to the Ethereum test network:

This will then create a new smart contact:

And where we must verify the code:

with:

And where we paste our code:

and then get a successful creation:

We can then test it on the test network [here]:

And testing:

The contract is here:

https://ropsten.etherscan.io/address/0xb3a18b87eabf5abe13cd9dcd9ee7484df2ccaffc

and with the proof of (for 0,0,0,97):

[["0x1538d0c6469863c256046d405e63952ee0d89b273ac3f9602b3581b9523470c8","0x22134f7e8bfbedba329b37b85cbf80435f266b4743ebbaa6dff577b31f99988f"],[["0x0a85811072aa12eae07d1b783717bdf5a02dadc967ad74b341acd446ba458d9f","0x2c7805c9d1ff6db5f42acb31fa88f67a07327a9a5bb2064df06fde63d109310c"],["0x27f25ac8fd5e204b53fd887667ebf3fb77165bedec4ca845bf220e1926f9dcec","0x0c9061c11b315a9d31a6a22135a5a2cbd95a08e3dac0a276809134926b8596dd"]],["0x1f0f16fb33b5627c0fc309e4387ca4982a28bbdb3a6bef57a4a23d406d9921a8","0x072b8f9dc482c7c9a5512382aa8924f18e263789686dd278b90354963ceba89c"]]

And input hash value:

["0x0000000000000000000000000000000022192dc09ba3afbc0d0c5b60675ab40b","0x000000000000000000000000000000003f8e08fd3897de4e81a37a4752805f46"]