hey all-
Love zk proofs and their potential. I’ve been seeking a generalizable solution to the following: “I have a document with some secrets on it. I want to prove to the verifier that I have these secrets without revealing them.” – Note the secrets are words. For example, let’s say I want to prove that “a certain title of a person” has signed it or prove “someone with the correct qualifications has legitimately signed it” or “a person with a certain level of tokens in their wallet has signed it”
Or how about this as a start: “someone from this email domain name (xyz-corp.com) has signed this document” – so it proves domain but not specific email. (think whistleblower application)
There has been some work on proving someone knows the pre-image hash of a document. but that seems like a blunt instrument as I’m seeking just a few elements within the document.
In general I’m seeking more applications that can cross the line into the real world use cases – so any other good examples (beyond zcash and proving I know the cube of a number) would be most welcome!
Hi, I unfortunately don’t have any good answers for you here, but I was curious if you could share info related to the pre-image hash proving work that has been done.
Anyway, I’ll try to help connect you with someone who might be able to answer your question. Thanks for bringing it to the board!
However, I’m looking for something more specific and trying hard to bridge the gap to real world use cases.
For the example starts with a secret document, I can share the hash of it and prove I know the document. But sharing the hash of a document doesn’t show others anything except a garbled string. (right, I know zero-knowledge) but I need some credible way of not being spoofed. So I’m thinking through a case where a document has some relevant information, but also some secrets.
A simple example might be an employment letter where the employer and the employee name is known but the salary is a secret. Take the salary out and replace with a hash, but prove I know the hash preimage (of just the salary). but also prove that the document + hashed secret are one complete document. i.e. I didn’t just cut&paste my own hash into the secret part.
Once you have this, we could use the secret to check for limits, like ‘does this person qualify for a mortgage by having a salary above x’ – should be able to implement that easily, once the above is figured out.
And its easy to use the above use-case generically for any document you don’t mind partially-revealing. so “zero-knowledge except for the parties to the document” for example.
Look forward to connecting to anyone / others for ideas here.
As a more visual example: “I know the redacted parts of this document” would be the statement to prove. How would this be made credible? Would the original need to be onchain?
I’m pretty new to zero-knowledge proofs, but it something that I’m really looking into.
One of the projects that seems particularly promising to me is risc0 and I think you could use it in this case to make the proof that you want.
For example, let’s say that the proof we want is, "a user filled out this document with an Email domain of @zeroknowledge.fm".
Risc0 has a very easy-to-understand system:
You write a public program, in this case the program that is supposed to validate that the document has been signed by somebody with a zeroknowledge.fm Email.
This program would take as input:
The un-filled version of the document you are signing
The list of fields that you are filling in on the document, including your email
When you, the signer of the document, rus the program on your document, the program will output the following information to it’s journal:
The hash of the un-signed document
The hash of the list of fields that you filled into the document
A true or false value indicating whether or not your Email was a zeroknowledge.fm Email
Finally, risc0 creates a proof that states “the public program was executed without being modified or manipulated by the user, and these are the journal entries output by the program while it was being executed.”
This proof now represents your verifiable signature of that document, without specifying any details of how you signed it, except for the fact that your Email was or was not a zeroknowledge.fm Email address.
We can go even further, though. Let’s say that one authority needed to know you signed the document and that your Email was @zeroknowledge.fm, but another authority needed to see that you signed it and that your name was “John Doe”.
You could create another public program that is almost the same, but it checks the name field instead of the email domain.
But because the programs output the hash of the fields that you filled in in the program journal, both authorities can know that you submitted the same filled information to each authority, without submitting one version to one authority, and another version to another authority, just by checking that the hash of the filled in information was the same.
So you can choose what you prove to who, while all the while proving to all of them that you haven’t given each of them different versions of the signed document!
Hi Zicklag – thanks for this! Appreciate the detailed implementation thoughts on the email proof within a document.
Looking at risc0 – it looks like this would be a desktop app – do you know if there is a server version? I would like to deploy via web and use onchain data as the “universal / global source of truth” for any zk work i’m doing. A lot of people always explain that it’s not needed but I see it as providing a solid infrastructure of “always-on reference data” to point to. I rely on it being there more than any central db or email server.
If so I will try it out and see if I can get it to work with an email “verification code has been sent your email, please click the link” approach. Thanks! Steve
You should be able to run it on a server just as well as on a desktop.
Eventually, I believe you’ll be able to run the proof in your browser with WASM, so that you could have the web app generate the zero knowledge proofs.
Also, just a warning, risc0 is really work-in-progress and under heavy development, so it might not be ready for actual use.
Looks like it fills in the gap between “redacted document” and onchain proofs by allowing for field-format specifications that are zkproof compatible. Any thoughts on it?
