Score:2

It is possible to verify the computation of a hash function without actually proving it in zero knowledge?

in flag

Let me first introduce the context: Let's say that we have a hash function evaluation: $$h = H(x, y),$$ where $x$ and $y$ are the public and the private input of the hash function $H$, respectively.

Then, if I want to prove to someone that this computation have been computed properly without actually disclosing $x$, then I have to create a zero-knowledge proof of knowledge $\pi$ (which could be obtained through general purpose ZKPoK such us SNARKS, STARKS, ...) of an $x$ such that $h = H(x, y)$. Until this point, everything is okey.

What if I do want someone else to verify the hash evaluation without revealing the private input $x$, not going through generic purpose ZKPoK; and more importantly: keeping some hash function properties such as determinism, uniformity and universality?

My first idea to solve this question is to find a function $f$ such that:

  1. $f(x)$ can be made public (so that anyone can easily check the computation $H(f(x), y)$).
  2. $f(x)$ also satisfies determinism,uniformity and universality.

In fact, if such a function $f$ exist, then I could just replace $H$ with $f$. Let's say that what I am trying to find is some computation that shares some of the properties that hash functions have but being much more efficiently (i.e., without the need of generic purpose proofs) verificable.

A second idea is to substitute the hashing mechanism by something else (e.g., encryption concatenated with a signature ...) that could be efficiently verifiable while at the same time keeping the mentioned properties.

Ievgeni avatar
cn flag
What is the status of $y$?
Bean Guy avatar
in flag
What do you mean by status?
Ievgeni avatar
cn flag
Is it publicly known? Or is it secret?
Bean Guy avatar
in flag
$x$ is the public input and $y$ is the private input.
Ievgeni avatar
cn flag
If $H$, $f(x)$ is also public, everyone can check $h= H(f(x), y)$, no?
Bean Guy avatar
in flag
Exactly, but I want $f(x)$ to also being a deterministic computation, uniform and universal. In other words, I need $f(x)$ to be a deterministic computation that reveals nothing about the pre-image $x$ and that the risk of collisions is negligible.
Ievgeni avatar
cn flag
"that reveals nothing"=> Be more precise.
Bean Guy avatar
in flag
Is that okey if I say that I want $f(x)$ to be pre-image resistant?
us flag
From your description, it somehow sounds that you are looking for a commitment scheme, e.g. a Pedersen commitment.
Bean Guy avatar
in flag
@RubenDeSmet The problem is that a commitment does not look like a random element. For instance, you can just append some amount of 0s at the end of the commitments ,and then, you easily distinguish a commitment from a random element.
us flag
I don't see how; a standard Pedersen commitment $C = xG + yH$ is perfectly hiding, and afaik undistinguishable from random. On the other hand; that would integrate your $y$ variable into the $f(x)$ function and require it to be uniform random, so it's not strictly what you're after.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.