0

My question has to do with the creation of a PoWorK( Proof of Work or Knowledge) protocol.How we can create a protocol like this ,using Schnorr as the underlying CVZK protocol and using a hash function (lets say sha256) as the puzzle that is being solved?

In other words :

1) How a P can prove to V that he knows witness w (without revealing), by solving the hash256 and afterwords the V can verify the solution.

2) How a P can prove to V that he did a Proof of Work procedure by solving the hash256 afterwords the V can verify the solution.

It is not clear to me how the P computes the outcome and how the V verifies based on the receiving outcome.

gtopal
  • 101
  • 1

1 Answers1

1

Related question here:
Proving knowledge of a preimage of a hash without disclosing it?
Over at theoretical computer science SE:
Zero knowledge proof for value of a hash function

From the general properties of hash functions, we can not derive such a proof of knowledge. The reason for this is, hash functions are intended to destroy all meaningful structure. In most zero knowledge proofs structures with oneway-trapdoor functions and homomorphic properties are used, because then those proofs are short and elegant. Practical hash functions don't have that. On the contrary, a homomorphic property could be used to find collisions, which shouldn't be possible for hash functions.

For specfic ones, like sha 256, there are ways to get a proof of knowledge, and it is explicitly an example of Zero-Knowledge Using Garbled Circuits or How To Prove Non-Algebraic Statements Efficiently, by Jawurek, Kerschbaum and Orandi (2013). There is an experimental evaluation as well. The experiment had a result of over 5s for sha 256.

That should cover your first question, but I am not sure what you mean with the second question. In a proof of work you usually have the following steps: 1. The client requests something, 2. the server gives the client a task, e.g. a partial preimage to a hash, 3. the client sends the solution, 4. the server grants the request.

Now, you can replace the 3. step of sending the solution with a proof of knowledge. But that doesn't really make any sense, because the task should be possible to complete within reasonable time (partial preimage, or preimage in a reduced input space), and the server has to know that it is actually solvable. So if the server actually wants to get the solution, he can just calculate it himself. A proof of knowledge only makes sense if the input has to be kept secret from the server, but if he can't find the solution within reasonable time, then this challenge is useless in a proof of work - the challenge has to be solvable within reasonable time.

edit: I have no idea what you mean with your references to the Schnorr identifiation scheme and commited verifier zero knowledge. Those elegant kind of proofs like the Schnorr signature scheme are unusable for hash functions.

Community
  • 1
tylo
  • 12,864
  • 26
  • 40