Proof of \(x\) from \(H(x)\) using zkSnarksWe live in a digital world that gives too much away. Our systems are often set up to store sensitive information on us, and where we also pass this sensitive information through our applications. But, there is another way, and that’s the creation of Non-interactive Zero Knowledge Proofs (NI-ZKP). These magical little functions allow us to prove that we know something secret and give cryptographic proof for it. So let’s take an example, and where Peggy has a secret value of x, and that Victor has stored a hash value such that: \(y=H(x)\) If Victor uses a 256-bit hash, there is virtually no chance that we will ever discover the value of x, with just the knowledge of y. x could thus be Peggy’s password, or my National Insurance number. It could even be the proof of a given 256-bit encryption key. So let’s see if we can prove x with a knowledge of H(x), and run in a smart contract. As the smart contract can expose values, we need to keep the value of x secret. For this, we turn to Zokrates and Solidity. ZokratesZKPs have been around since the mid-1980s, and have often been heavy in terms of their processing requirements. One new family has come along, though, and which provides fast and short proofs. This is zkSnark (zero-knowledge Succinct Non-interactive ARguments of Knowledge). Overall, zkSnarks have been used in applications of privacy-preserving cryptocurrency, but have applications within smart contracts, too. Normally we require a proof to be done using an off-chain method, but the zkSnarks now allows us to prove things on-chain — and in an efficient and low-cost way. As a result, we can create our off-chain applications, and then link them into the Ethereum blockchain for a proof. One of the quickest ways to produce these proofs is to use Zokrates, and which can plug into Remix: This code can then be compiled into Solidity code. The code to hash a value is given next: import "hashes/sha256/512bitPacked" as sha256 packeddef main(private field a, private field b, private field c, private field d, field h0, field h1): field[2] h = sha256packed([a, b, c, d]) assert(h[0] == h0) assert(h[1] == h1) return // Input: 'a' -> 0,0,0,97 // assert(h[0] == 45324487246557938747332883189457400843) // assert(h[1] == 84478852209878349000735790184433475398) The updated syntax is: import "hashes/sha256/512bitPacked" as sha256packed; def main(private field a, private field b, private field c, private field d, field h0, field h1) { field[2] h = sha256packed([a, b, c, d]); assert(h[0] == h0); assert(h[1] == h1); return; } // Input: 'a' -> 0,0,0,97 // assert(h[0] == 45324487246557938747332883189457400843) // assert(h[1] == 84478852209878349000735790184433475398) In Socrates we can only hold 128-bit values, and so our 256-bit hash is split into two parts. In this case h[0] for the lower 128 bits, and h[1] for the upper 128 bits. For the input data, we split into four 128-bit values, and which gives us a data input of up to 1024 bits. The values of the input will be a, b, c and d, and where d is the end part of the data buffer. With many other cryptosystems, we use a big-endian format, and where the last byte as the first byte of the data. Thus for a data input of ‘a’, and for 16 bytes (128 bits), we end up with a hex value of: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 and where ‘61’ is the hex value for an ‘a’. This is a value of 97 as an integer value. With this, we have four private fields: a, b, c and d. These will be kept private to the smart contract, and will not be exposed, while h0 and h1 (the hash value) can be revealed: def main(private field a, private field b, private field c, private field d, field h0, field h1) {} We will thus create a zero-knowledge proof for a, b, c and d and which relates to the hash values of h0 and h1. For the next part, we now need to compute a witness within the compiled program and which has the valid values computed. For this, we need to generate the values of h0 and h1 for the hash. So let’s take an into of ‘0x000….a’ and then compute the two input hash values (h0 and h1): import hashlib x = bytes.fromhex('00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61') hash = hashlib.sha256(x) hx = hash.hexdigest() print('hx: ', hx) hh=bytearray(hash.digest()) i1=hh[:16] i2=hh[16:] val1=int.from_bytes(i1,'big') val2=int.from_bytes(i2,'big') print (val1) print (val2) print () print (hex(val1)) print (hex(val2)) The run of this is: hx: 22192dc09ba3afbc0d0c5b60675ab40b3f8e08fd3897de4e81a37a4752805f46 45324487246557938747332883189457400843 84478852209878349000735790184433475398 0x22192dc09ba3afbc0d0c5b60675ab40b 0x3f8e08fd3897de4e81a37a4752805f46 And so the two integer values we need for the witness are: h0=45324487246557938747332883189457400843, and h1=84478852209878349000735790184433475398. If we need to enter these values, we can generate the witness: If we give it the wrong proof for the hash, we will generate an incorrect assertion: Once computed, we can then generate a verification and a proving key. It can take over a minute, but is a once only compute. For this we get a file named verification_key.json: The keys are then: { "alpha": [ "0x1f4acb288eb126d28ccf5216f575ce282f381e19b322c3a93be96394c3659d48", "0x07a64b045e42a4e0ccd95edbbb072eada253fd76546b9e908ca5bb015458cacc" ], "beta": [ [ "0x29896ca87ac917f4bbda0580d3cfad89b15a6c2b2f40eefd00332eb99183a186", "0x2522995fa7f9a2e354021bcabdb601c32fa80ea869e91237ca8489a531e42eb7" ], [ "0x2bb9455ee51a78e8a8ed2e2c393acdddddb78dded82618aab7be32e95dc01f82", "0x037050b69e248d917620bc0ffa96f0ceab56356bbb00a4916ea189707b5fa87f" ] ], "gamma": [ [ "0x1ae2285207b0875fd049c5f90e5bf38d3e0eec81615e355eb6ae86abc8e228fc", "0x10ceff9a728f6a90db352e53670d2c8f0b8c967713f1fd4f78faab3aaa085e82" ], [ "0x1ae77012927c158d58c0ad5885921f8c85a158d53fab02a47b55e6e34e67cee9", "0x1e8b9e68d31f9179984583e89ecbb3b571cb2975b687e2f1983609d24aa42eef" ] ], "delta": [ [ "0x3044d9d51ad9fc57aa18a5609c3504fb2d81af7c29b13d2a88efd5e39fa81378", "0x19821f62e699a0a2d8b5e58cdb56bd5afed3921c2a1ae4141bf0c2fb6b89458b" ], [ "0x0331f36c041bf4a3370906b3c509ab6f2360172c8166025fef8e85ba61d73435", "0x2ccca119cbcfccc4d6de466dac8dbfeb8c53053f0b0629b73fc444036b531805" ] ], "gamma_abc": [ [ "0x1fb042cd7e2f84f28a68723e5539525f9059c334ae477617548723d8acba6cdd", "0x1809fa116526d57230bd58d42333992f139969b720f3241464cd184110a8248f" ], [ "0x05a2b587d4d1c11c7fe81e9483eaa3c3c3fb7a2d7d9e1c123fa261d1b9dc1f1b", "0x22b9ba436a4db558617989b064a0f8d89420fb5f121b48df7cc8591e11c1ef53" ], [ "0x119a8bb852c8c5cfdb4e125660bcb22b172050148b6f9e9e3ca9280926b1cb03", "0x1fe6063a3a48b833156592adc8b0dde752631db2f3ab9ee5c3819c354831d583" ] ] } With the verifier and proof keys, and the witness, we can now generate our proof: We now have a verifier proof (proof.js): [["0x0a3bb1b06802e0bddf2f719a2adadfbda2bf628bcc469f97849f3a2009266ee1","0x1f0e7ef4eafe8acfb8e6f1d608699dc4db47d7553c4a9e6a1630ffe8236be4ee"], [["0x2114b641d3de45ac6f59377e5f79ea4e9535276485a0814015c4993cfa367530","0x04bfaabe99401fe960026098f2c994428758132737059ce222b4bf59347e8680"], ["0x12af358a294385f705eccef47e01cf89a681b0de94387a35000ff85b8c99b79b","0x032ee889089f107a4214218d08736f31b523799021f700a1c80aab0e9609ed4c"]], ["0x293557474f9044afdd3d825609ff22b2659c773cfca55ae9fe51c8b555218a0b","0x19e45a09b7548dac68bebca92325e3e1415b34320e715e7b844fb4417b1110fd"]], ["0x0000000000000000000000000000000022192dc09ba3afbc0d0c5b60675ab40b","0x000000000000000000000000000000003f8e08fd3897de4e81a37a4752805f46"] The first part of this file gives us the proof and the second part gives the inputs. We will need these two parts for testing. The bold part is the triplet will use for the proof and the non-bold part is the input of the hash: [["0x0a3bb1b06802e0bddf2f719a2adadfbda2bf628bcc469f97849f3a2009266ee1","0x1f0e7ef4eafe8acfb8e6f1d608699dc4db47d7553c4a9e6a1630ffe8236be4ee"], [["0x2114b641d3de45ac6f59377e5f79ea4e9535276485a0814015c4993cfa367530","0x04bfaabe99401fe960026098f2c994428758132737059ce222b4bf59347e8680"], ["0x12af358a294385f705eccef47e01cf89a681b0de94387a35000ff85b8c99b79b","0x032ee889089f107a4214218d08736f31b523799021f700a1c80aab0e9609ed4c"]], ["0x293557474f9044afdd3d825609ff22b2659c773cfca55ae9fe51c8b555218a0b","0x19e45a09b7548dac68bebca92325e3e1415b34320e715e7b844fb4417b1110fd"]] ["0x0000000000000000000000000000000022192dc09ba3afbc0d0c5b60675ab40b","0x000000000000000000000000000000003f8e08fd3897de4e81a37a4752805f46"] Finally, we will create our Solidity smart contract with an export: The code is then: // This file is MIT Licensed. // // Copyright 2017 Christian Reitwiessner // Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: // The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. pragma solidity ^0.8.0; library Pairing { struct G1Point { uint X; uint Y; } // Encoding of field elements is: X[0] * z + X[1] struct G2Point { uint[2] X; uint[2] Y; } /// @return the generator of G1 function P1() pure internal returns (G1Point memory) { return G1Point(1, 2); } /// @return the generator of G2 function P2() pure internal returns (G2Point memory) { return G2Point( [10857046999023057135944570762232829481370756359578518086990519993285655852781, 11559732032986387107991004021392285783925812861821192530917403151452391805634], [8495653923123431417604973247489272438418190587263600148770280649306958101930, 4082367875863433681332203403145435568316851327593401208105741076214120093531] ); } /// @return the negation of p, i.e. p.addition(p.negate()) should be zero. function negate(G1Point memory p) pure internal returns (G1Point memory) { // The prime q in the base field F_q for G1 uint q = 21888242871839275222246405745257275088696311157297823662689037894645226208583; if (p.X == 0 && p.Y == 0) return G1Point(0, 0); return G1Point(p.X, q - (p.Y % q)); } /// @return r the sum of two points of G1 function addition(G1Point memory p1, G1Point memory p2) internal view returns (G1Point memory r) { uint[4] memory input; input[0] = p1.X; input[1] = p1.Y; input[2] = p2.X; input[3] = p2.Y; bool success; assembly { success := staticcall(sub(gas(), 2000), 6, input, 0xc0, r, 0x60) // Use "invalid" to make gas estimation work switch success case 0 { invalid() } } require(success); } /// @return r the product of a point on G1 and a scalar, i.e. /// p == p.scalar_mul(1) and p.addition(p) == p.scalar_mul(2) for all points p. function scalar_mul(G1Point memory p, uint s) internal view returns (G1Point memory r) { uint[3] memory input; input[0] = p.X; input[1] = p.Y; input[2] = s; bool success; assembly { success := staticcall(sub(gas(), 2000), 7, input, 0x80, r, 0x60) // Use "invalid" to make gas estimation work switch success case 0 { invalid() } } require (success); } /// @return the result of computing the pairing check /// e(p1[0], p2[0]) * .... * e(p1[n], p2[n]) == 1 /// For example pairing([P1(), P1().negate()], [P2(), P2()]) should /// return true. function pairing(G1Point[] memory p1, G2Point[] memory p2) internal view returns (bool) { require(p1.length == p2.length); uint elements = p1.length; uint inputSize = elements * 6; uint[] memory input = new uint[](inputSize); for (uint i = 0; i < elements; i++) { input[i * 6 + 0] = p1[i].X; input[i * 6 + 1] = p1[i].Y; input[i * 6 + 2] = p2[i].X[1]; input[i * 6 + 3] = p2[i].X[0]; input[i * 6 + 4] = p2[i].Y[1]; input[i * 6 + 5] = p2[i].Y[0]; } uint[1] memory out; bool success; assembly { success := staticcall(sub(gas(), 2000), 8, add(input, 0x20), mul(inputSize, 0x20), out, 0x20) // Use "invalid" to make gas estimation work switch success case 0 { invalid() } } require(success); return out[0] != 0; } /// Convenience method for a pairing check for two pairs. function pairingProd2(G1Point memory a1, G2Point memory a2, G1Point memory b1, G2Point memory b2) internal view returns (bool) { G1Point[] memory p1 = new G1Point[](2); G2Point[] memory p2 = new G2Point[](2); p1[0] = a1; p1[1] = b1; p2[0] = a2; p2[1] = b2; return pairing(p1, p2); } /// Convenience method for a pairing check for three pairs. function pairingProd3( G1Point memory a1, G2Point memory a2, G1Point memory b1, G2Point memory b2, G1Point memory c1, G2Point memory c2 ) internal view returns (bool) { G1Point[] memory p1 = new G1Point[](3); G2Point[] memory p2 = new G2Point[](3); p1[0] = a1; p1[1] = b1; p1[2] = c1; p2[0] = a2; p2[1] = b2; p2[2] = c2; return pairing(p1, p2); } /// Convenience method for a pairing check for four pairs. function pairingProd4( G1Point memory a1, G2Point memory a2, G1Point memory b1, G2Point memory b2, G1Point memory c1, G2Point memory c2, G1Point memory d1, G2Point memory d2 ) internal view returns (bool) { G1Point[] memory p1 = new G1Point[](4); G2Point[] memory p2 = new G2Point[](4); p1[0] = a1; p1[1] = b1; p1[2] = c1; p1[3] = d1; p2[0] = a2; p2[1] = b2; p2[2] = c2; p2[3] = d2; return pairing(p1, p2); } } contract Verifier { using Pairing for *; struct VerifyingKey { Pairing.G1Point alpha; Pairing.G2Point beta; Pairing.G2Point gamma; Pairing.G2Point delta; Pairing.G1Point[] gamma_abc; } struct Proof { Pairing.G1Point a; Pairing.G2Point b; Pairing.G1Point c; } function verifyingKey() pure internal returns (VerifyingKey memory vk) { vk.alpha = Pairing.G1Point(uint256(0x1f4acb288eb126d28ccf5216f575ce282f381e19b322c3a93be96394c3659d48), uint256(0x07a64b045e42a4e0ccd95edbbb072eada253fd76546b9e908ca5bb015458cacc)); vk.beta = Pairing.G2Point([uint256(0x29896ca87ac917f4bbda0580d3cfad89b15a6c2b2f40eefd00332eb99183a186), uint256(0x2522995fa7f9a2e354021bcabdb601c32fa80ea869e91237ca8489a531e42eb7)], [uint256(0x2bb9455ee51a78e8a8ed2e2c393acdddddb78dded82618aab7be32e95dc01f82), uint256(0x037050b69e248d917620bc0ffa96f0ceab56356bbb00a4916ea189707b5fa87f)]); vk.gamma = Pairing.G2Point([uint256(0x1ae2285207b0875fd049c5f90e5bf38d3e0eec81615e355eb6ae86abc8e228fc), uint256(0x10ceff9a728f6a90db352e53670d2c8f0b8c967713f1fd4f78faab3aaa085e82)], [uint256(0x1ae77012927c158d58c0ad5885921f8c85a158d53fab02a47b55e6e34e67cee9), uint256(0x1e8b9e68d31f9179984583e89ecbb3b571cb2975b687e2f1983609d24aa42eef)]); vk.delta = Pairing.G2Point([uint256(0x3044d9d51ad9fc57aa18a5609c3504fb2d81af7c29b13d2a88efd5e39fa81378), uint256(0x19821f62e699a0a2d8b5e58cdb56bd5afed3921c2a1ae4141bf0c2fb6b89458b)], [uint256(0x0331f36c041bf4a3370906b3c509ab6f2360172c8166025fef8e85ba61d73435), uint256(0x2ccca119cbcfccc4d6de466dac8dbfeb8c53053f0b0629b73fc444036b531805)]); vk.gamma_abc = new Pairing.G1Point[](3); vk.gamma_abc[0] = Pairing.G1Point(uint256(0x1fb042cd7e2f84f28a68723e5539525f9059c334ae477617548723d8acba6cdd), uint256(0x1809fa116526d57230bd58d42333992f139969b720f3241464cd184110a8248f)); vk.gamma_abc[1] = Pairing.G1Point(uint256(0x05a2b587d4d1c11c7fe81e9483eaa3c3c3fb7a2d7d9e1c123fa261d1b9dc1f1b), uint256(0x22b9ba436a4db558617989b064a0f8d89420fb5f121b48df7cc8591e11c1ef53)); vk.gamma_abc[2] = Pairing.G1Point(uint256(0x119a8bb852c8c5cfdb4e125660bcb22b172050148b6f9e9e3ca9280926b1cb03), uint256(0x1fe6063a3a48b833156592adc8b0dde752631db2f3ab9ee5c3819c354831d583)); } function verify(uint[] memory input, Proof memory proof) internal view returns (uint) { uint256 snark_scalar_field = 21888242871839275222246405745257275088548364400416034343698204186575808495617; VerifyingKey memory vk = verifyingKey(); require(input.length + 1 == vk.gamma_abc.length); // Compute the linear combination vk_x Pairing.G1Point memory vk_x = Pairing.G1Point(0, 0); for (uint i = 0; i < input.length; i++) { require(input[i] < snark_scalar_field); vk_x = Pairing.addition(vk_x, Pairing.scalar_mul(vk.gamma_abc[i + 1], input[i])); } vk_x = Pairing.addition(vk_x, vk.gamma_abc[0]); if(!Pairing.pairingProd4( proof.a, proof.b, Pairing.negate(vk_x), vk.gamma, Pairing.negate(proof.c), vk.delta, Pairing.negate(vk.alpha), vk.beta)) return 1; return 0; } function verifyTx( Proof memory proof, uint[2] memory input ) public view returns (bool r) { uint[] memory inputValues = new uint[](2); for(uint i = 0; i < input.length; i++){ inputValues[i] = input[i]; } if (verify(inputValues, proof) == 0) { return true; } else { return false; } } } Now let’s test it by using the ganche blockchain: We then use the Solidity code we generated before, and compile it: Next we can deploy to our local blockchain: And then test: We can see we get a true return. But if we use an incorrect proof, we get a false return: And so we have proven, that we know x for H(x). We can now deploy our smart contract to the Ethereum test network: This will then create a new smart contact: And where we must verify the code: with: And where we paste our code: and then get a successful creation: We can then test it on the test network [here]: And testing: and with the proof of (for 0,0,0,97): [["0x1538d0c6469863c256046d405e63952ee0d89b273ac3f9602b3581b9523470c8","0x22134f7e8bfbedba329b37b85cbf80435f266b4743ebbaa6dff577b31f99988f"], [["0x0a85811072aa12eae07d1b783717bdf5a02dadc967ad74b341acd446ba458d9f","0x2c7805c9d1ff6db5f42acb31fa88f67a07327a9a5bb2064df06fde63d109310c"], ["0x27f25ac8fd5e204b53fd887667ebf3fb77165bedec4ca845bf220e1926f9dcec","0x0c9061c11b315a9d31a6a22135a5a2cbd95a08e3dac0a276809134926b8596dd"]], ["0x1f0f16fb33b5627c0fc309e4387ca4982a28bbdb3a6bef57a4a23d406d9921a8","0x072b8f9dc482c7c9a5512382aa8924f18e263789686dd278b90354963ceba89c"]] And input hash value: ["0x0000000000000000000000000000000022192dc09ba3afbc0d0c5b60675ab40b", "0x000000000000000000000000000000003f8e08fd3897de4e81a37a4752805f46"] The smart contract is here]. Presentation |