[Back] So how do we prove someone's age, without revealing their age? We can do this with a hash chain, and where Peggy (the prover) shows to Victor (the verifier) some information which proves that she is old enough (and where Trent has proven her age):
Zeroknowledge Proof: Proving age with hash chainsOutlineIn this modern world, we give away far too much data, and much of the data that is passed is untrusted (and lacks verification). So how do we prove something, without giving away our data? A typical problem is that Peggy has to prove that she is now 18, and can be served in a bar  let's call the bar "Crypto Nights". So, the bar is very strict on age requirements and Victor guards the door and makes sure that everyone is over 18. So Peggy says that she is over 18, and Victor asks for her age. "Well, I don't want to tell you!", "Well you are not getting in!". So Peggy asks Victor, "Who would you trust to verify that I am old enough?", "Well I trust the Trent to verify!". Now Peggy goes to Trent as tells him the age she has to prove, and Trent sends a random seed to her and generates a signed proof statement that she can give to Victor. Peggy now encrypts her age, and passes this to Victor, and with the two elements, Victor is able to let her in. Victor has no idea how old Peggy is. The basic method is here: For this problem, we will use a hash chain, where we can continually hash values. For example we might start with a seed of "123456", and the first time we create as hash we get Hash("123456"), we can then take the output of this and then hash again. In this way we now have the value of "123456" hashed twice. It will be almost impossible to find the original seed as we are taking a hash of a hash. Let's first look at the code to implement is: import hashlib; import passlib.hash; import sys; age_actual=19 age_to_prove=18 seed=b"12345667" proof = hashlib.md5(seed) encrypted_age = hashlib.md5(seed) for i in range(1,1+age_actualage_to_prove): proof = hashlib.md5(proof.digest()) for i in range(1,age_actual+1): encrypted_age = hashlib.md5(encrypted_age.digest()) verfied_age=proof for i in range(0,age_to_prove): verfied_age = hashlib.md5(verfied_age.digest()) print "Peggy's Age:\t\t",age_actual print "Age to prove:\t\t",age_to_prove print "...." print "Proof:\t\t",proof.hexdigest() print "Encr Age:\t",encrypted_age.hexdigest() print "Verified Age:\t",verfied_age.hexdigest() if (encrypted_age.hexdigest()==verfied_age.hexdigest()): print "You have proven your age ... please come in" else: print "You have not proven you age!" I have used MD5 to keep the output simpler, but we can use SHA1, SHA256 and so on, in order to improve the security of the method. In this case Trent products the value of proof, and Peggy generates encrypted_value. Peggy sends these to Victor, and he takes the proof and performs some hashes, and then compares the result with Peggy's encrypted_age, and if they are the same, she has verified that she is old enough to enter the bar. Now, the proof is calculated by hashing the seed (S) by (1+ActualAgeAgetoProve) times: \(proof = HASH^{1+ActualAgeAgetoProve}[S]\) So if Peggy is 19 years old, and she must prove she is 18, then we will hash the seed two times. Trent will sign the proof with his private key. Now Peggy creates her validation by hashing the seed (which is secret to her and Trent) by (ActualAge+1) \(encryptedage = HASH^{ActualAge+1} [S]\) In this case, she will hash the seed 20 times. Now she passes these two values to Victor (proof and encrypted_age). And now Victor check the signature on the proof, and then hashes this value AgeToProve. \(verify = HASH^{AgeToProve} [proof]\) In this case he will hash 18 times. He then checks the result against Peggy's value, and if they are the same, he lets her in. Overall we need to stop giving away our data, and also start to define whom we trust to verify our information. If your systems still ask and store sensitive information, then think about changing them. We are moving to a citizenfocused world, and our existing methods just don't cope well. Does it work?For Zeroknowledge proof, we need to show:
