2

Let's say I have a message 0123456789abcdefghijklmnopqrstuvwxyz which gives me the SHA-256 hash 74e7e5bb9d22d6db26bf76946d40fff3ea9f0346b884fd0694920fccfad15e33.

I want to prove to someone that I know a part of the message that hashes to this hash, for example xxx34567xxxxxxxxxxxxxxx. Is it possible to do this? Obviously the counterparty should not know what xxxxxxxxx stands for.

Jan Moritz

1 Answer

2

I'm reading the question as:

  • Prover knows a message (thus its SHA-256 hash, and message length), and position+length of a substring (thus the substring).
  • Verifier knows the hash, the substring and its position (thus length), and message length.

Prover should demonstrate knowledge of a message with such SHA-256 hash and length and with such substring at such position, without revealing more information about such message.

This is possible: we define a variant of SHA-256 with fixed message length and fixed substring at fixed position. The problem then reduces to demonstrating knowledge of input of that hash to a verifier knowing the hash, which is covered in this question.

I do not know exactly how much info must be exchanged between prover and verifier.

A concrete implementation is described by Irene Giacomelli, Jesper Madsen, Claudio Orlandi, ZKBoo: Faster Zero-Knowledge for Boolean Circuits, in proceedings of SEC'2016.

fgrieu
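The reduction in the answer above, written out as an added example (not code from the answer or from ZKBoo): the public statement is the hash, message length, offset and revealed substring, and the witness is only the hidden bytes. This checks the relation in the clear; a zero-knowledge proof system would evaluate the same function as a boolean circuit without revealing the witness. All names here (`Statement`, `restricted_sha256`, `relation_holds`, `compression_calls`) are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Statement:
    """Public values known to both prover and verifier."""
    digest: bytes    # SHA-256 of the full message
    length: int      # total message length in bytes (this is leaked)
    offset: int      # position of the revealed substring
    revealed: bytes  # the revealed substring itself

def hidden_positions(st):
    """Indices of message bytes that stay secret."""
    end = st.offset + len(st.revealed)
    return [i for i in range(st.length) if not st.offset <= i < end]

def restricted_sha256(st, witness):
    """SHA-256 with length and substring hard-wired; input is the hidden bytes only."""
    msg = bytearray(st.length)
    msg[st.offset:st.offset + len(st.revealed)] = st.revealed
    for i, b in zip(hidden_positions(st), witness):
        msg[i] = b
    return hashlib.sha256(bytes(msg)).digest()

def relation_holds(st, witness):
    """The statement a proof would attest to: some witness maps to st.digest."""
    if len(witness) != len(hidden_positions(st)):
        return False
    return hmac.compare_digest(restricted_sha256(st, witness), st.digest)

def compression_calls(length):
    """SHA-256 compression-function invocations for a message of `length` bytes
    (padding adds 1 byte 0x80 plus an 8-byte length, rounded up to 64 bytes)."""
    return (length + 1 + 8 + 63) // 64

def make_statement(message, offset, n):
    """Prover side: split a known message into public statement and secret witness."""
    if not (0 <= offset and n > 0 and offset + n <= len(message)):
        raise ValueError("substring out of range")
    st = Statement(hashlib.sha256(message).digest(), len(message),
                   offset, message[offset:offset + n])
    witness = bytes(message[i] for i in hidden_positions(st))
    return st, witness

# Message from the question; the digest is computed here, not copied from the page.
MESSAGE = b"0123456789abcdefghijklmnopqrstuvwxyz"

if __name__ == "__main__":
    st, w = make_statement(MESSAGE, 3, 5)
    print(st.revealed, len(w), relation_holds(st, w), compression_calls(st.length))
```

The number of compression calls gives the size of the circuit the proof has to cover, which drives how much data prover and verifier exchange.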