Score:3

Is there a zero-knowledge proof of a hashed secret?

kp flag

Alice wants to share a secret $S$ with Bob so she encrypts it with Bob's private key.

Bob is not online at the moment so Victor will keep it safe for him in the meantime.

Victor the verifier would like to verify it is indeed the secret $S$ without actually knowing the secret $S$ himself. Victor can reliably know the hash of the secret $S$ (details of how he can rely on the hash are not relevant here). Victor could also have any other kind of commitment, it need not be a hash, provided he can never deduce the secret in plain text.

Alice does this

encryptedSecret = encrypt(secret, bobsPublicKey)

Victor does this

verify(encryptedSecret, hashOfSecret) => true
verify("anything else", hashOfSecret) => false

Does such a verify function exist?

knaccc avatar
es flag
Does it have to be a hash, or could it be a different kind of commitment?
david_adler avatar
kp flag
it could be a different commitment, provided Victor can never get to the secret
knaccc avatar
es flag
Can your question therefore be simplified as: If Victor is aware of a commitment to a secret, how can Alice non-interactively provide that secret to Bob via Victor, including proof to Victor that the secret has been provided without Victor being able to learn the secret? Please also specify who needs to be the one that provides the commitment, as this makes a difference to the answer.
david_adler avatar
kp flag
Alice needs to provide the commitment as Bob is offline
knaccc avatar
es flag
But then how does Victor know that the commitment (whether a hash or otherwise) is a commitment to the correct secret? Alice could provide a commitment to a different secret, and provide proof that the different secret has been given to Bob. Victor would have no idea whether the correct secret has been provided.
david_adler avatar
kp flag
Yeah that's why I've specified, you don't need to be concerned with "details of how he can rely on the hash are not relevant here". It's specific to my application but basically if a bogus secret was distributed between Alice and Bob it doesn't matter. The secret is not active until it has been successfully distributed to at least one other user. The harm is when there is Charlie or others get involved and they start distributing bogus secrets for live secrets.
knaccc avatar
es flag
Can your question be simplified as: How can Alice encrypt a secret such that only Bob can decrypt it, in such a way that if that same secret is re-encrypted and transmitted by Bob to Charlie, Bob can demonstrate to Victor that the same secret originally received from Alice is now being sent to Charlie? Is the secret only ever re-encrypted for transmission to someone else by a person that knows the secret?
david_adler avatar
kp flag
Yes that's a much better way of putting it. You have fully understood, thanks. Not sure how best to reword the question though...
knaccc avatar
es flag
When Alice is transmitting the secret, or when Bob is re-transmitting the secret, does it matter if Alice or Bob mangle the transmission such that it looks fine to Victor but then only the recipient can discover that it's a badly formed transmission that should be rejected? Or does a re-transmission have to prove that the recipient will have definitely be able to successfully decode it?
david_adler avatar
kp flag
"Is the secret only ever re-encrypted for transmission to someone else by a person that knows the secret?" yes
david_adler avatar
kp flag
not sure I understand your last set of questions I think the only way it could works is: if the first transmission between Alice and Bob is corrupted, all future transmissions should also match the corrupted secret.
david_adler avatar
kp flag
Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/132390/discussion-between-david-adler-and-knaccc).
fgrieu avatar
ng flag
[Related question](https://crypto.stackexchange.com/q/1767/555)
Score:0
nl flag

There is a ZK-STARK that proves you know the preimage to a value. "The Rescue-Hash statement proven by the prover given in this code is:

"I know a sequence of n + 1 inputs {w_i} such that H(...H(H(w_0, w_1), w_2) ..., w_n) = p"

where:

H is the Rescue hash function.
Each w_i is a 4-tuple of field elements. These are private inputs, known only to the prover.
p is the public output of the hash (which also consists of 4 field elements).

" https://github.com/starkware-libs/ethSTARK/tree/ziggy

david_adler avatar
kp flag
this sounds very promising but is a little over my head, could you explain to me like I'm 5? I don't get what the "inputs" are and I don't get what P is. In terms of Alice, Bob etc how does this work?
Mark avatar
ng flag
While a little late, the key to a result of this form is that the particular hash being used (Rescue) is "advanced crypto friendly", meaning has "low multiplicative complexity" by some metric, and therefore is suitable for usage with advanced crypto primitives (such as MPC, FHE, or ZKProofs --- all have slightly different cost metrics, but roughly speaking have "cheap addition" and "expensive multiplication"). If the hash itself is expressible as a relatively low (multiplicative) depth circuit, you can hope getting a ZK proof of a hash preimage "directly", e.g. treating it as...
Mark avatar
ng flag
a generic statement that you want to prove, and using off-the-shelf techniques for this. Note that this generic technique will perform much worse on other hash functions that are not "advanced crypto friendly", say SHA variants (or really "most" hash functions not designed for this particular goal).
Score:0
in flag

Private verification of a Sudoku solution, Bowe-Maxwell talk and a bitcoin transaction at Financial Crypto 2016 workshop.

The problem solved with verification was:

  1. buyer is reluctant to sent his coins first, at risk of receiving random bits;
  2. seller is reluctant to send his solution to the puzzle first, at risk of receiving no reward.

A non-interactive proof was introduced and implemented to verify that:

  1. the plaintext is a valid Sudoku solution to the puzzle at hand;
  2. the ciphertext was produced with a key;
  3. the key is a pre-image to the hash value, that was sent to the buyer with the ciphertext.

This hash could be used to create HTLC transaction so that the seller would claim his coins only by publishing the key on the blockchain. Well actually a script was used, but lets stick to HTLC as a simplification.

The short practical answer is: one would verify a hash preimage with a zkSNARK proof. Another (general) answer is, an interactive proof system exists for any NP language.

A shameless ad: an alternative Sudoku solution verification circuit was designed, starting from polynomial set representation and "playing cards" solution of Naor, presented at IEEE ATIT 2019.

https://github.com/vadym-f/Sudoku_solvability_proof/tree/master/IEEE_ATIT_2019

david_adler avatar
kp flag
Hey thank you! Sounds promising but not sure how relevant sudoku is to my problem. Could you spell it out a little more about how zkSNARK can be applied to my problem ie in terms of Alice and Bob thanks
Vadym Fedyukovych avatar
in flag
HTLC transaction and the snark proof of a proper secret hashed seems relevant.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.