
I need to design some protocol where actors will leverage Zero Knowledge Proofs (ZKP) to prove that they know the pre-image of some specific SHA256 hash without revealing the pre-image itself.

Ideally, they should also be able to batch proofs of multiple hashes into a single ZKP.

SHA-256 hashing is not a ZK friendly operation, so (unless I introduce hardware optimization), I should expect long times for generating those ZKPs. Unfortunately, I don't have the option of replacing SHA-256 in favor of some ZK-friendly hash function.

So my questions are:

  1. What ZK scheme is the most adequate for this use case? Would ZK-SNARKs do the job?
  2. Given some average consumer hardware, what is the order of magnitude for the time taken to generate such ZKP (seconds, minutes, hours)? How does that grow in relationship to batch size?
Maarten Bodewes
  • I don't know whether the following would work but have you considered using some IVC scheme like Nova with step function being the compression function of sha256? There'll be some ugliness with padding but maybe this is a starting point? – Marc Ilunga Sep 22 '23 at 22:35
  • But besides that, depending on the actual application you are building, any of the mainstream snarks might actually work. Some benchmarks for SHA256 https://ethresear.ch/t/benchmarking-zkp-development-frameworks-the-pantheon-of-zkp/14943 – Marc Ilunga Sep 22 '23 at 23:17
  • There is a work in progress - a new lookup argument "Lasso" from Justin Thaler which is supposed to help with this. Lookup arguments help speed up non-algebraic operations in hash functions. https://a16zcrypto.com/posts/article/introducing-lasso-and-jolt/ – user93353 Sep 23 '23 at 00:10
  • those benchmarks are quite insightful, thanks! – Bernardo Rodrigues Sep 23 '23 at 03:15
  • should I expect logarithmic scaling in regards to batching multiple preimages into the same ZKP? – Bernardo Rodrigues Sep 23 '23 at 03:19

0 Answers