I have been trying to follow this paper for zk-SNARKs to create Zero Knowledge Proofs (ZKPs) for verifying computations. Specifically, given a public program $F$, a public input $x$, I would like to create a proof $\pi$ which "proves" that there exists some private input $w$ such that,
$$F(x,w)=z,$$
without revealing what $w$ is. However, as I am new to cryptography, although I have a decent background in math with some recreational programming abilities, much of this paper goes over my head.
My restrictions:
So, I thought it might be easier to restrict myself from a universal construction (which is what that paper describes), to an easier case; namely, the Brainf*ck programming language (which I will denote as BF). Also, I will assume that $x=\emptyset$ (i.e; the program $F$ takes only $w$ as an input). Furthermore, the I/O of BF is quite limited, so I will assume that $w$ is simply a string of bytes to initialize the memory, and that the output $z$ is a boolean $\text{True}$.
How would I begin to create a protocol that creates a ZKP for a given public BF program $F$, to "prove" that there exists some private $w$ such that $F(w)=\text{True}$?
How I see myself continuing depends on what exactly $F(\cdot)$ represents. I see a few options
- $F(w)=\text{True} \iff$ the program outputs a non-zero byte,
- $F(w)=\text{True} \iff$ the program outputs anything at all,
- $F(w)=\text{True} \iff$ the program does not halt,
- $F(w)=\text{True} \iff$ the program ends with the bytes in memory in a certain configuration.
They all seem to have various pros and cons. Option 1 and 2 are "natural", but rely on direct outputs of the program. Option 3 and 4 read no outputs, but 3 runs into the halting problem, and 4 reads the memory. These are all effectively isomorphic in the sense that it is trivial to rewrite a program to reproduce any of these results, but I would like to know your opinion on which of these options (if any) makes ZKPs easier. Maybe I'm over thinking this part.
In any case, after this I'm not confident on how to continue. Theoretically, I need some way of generating some notion of a certificate which could only come from a successful evaluation of $F(w)=\text{True}$ and uniquely corresponds to an input $w$, without revealing what $w$ is.
Any and all advice would be greatly appreciated.
P.S. I've asked a related question over at the MathematicsSE here, in which I'm looking for general reference requests for introductions to ZKPs which are more friendly to those with little cryptography background but decent math backgrounds. I figured that there are probably more people here that'd know the answer, despite it being more of a math-oriented question.
