## Where communities thrive

• Join over 1.5M+ people
• Join over 100K+ communities
• Free without limits
##### Activity
Thibaut Schaeffer
@Schaeff
@Mahdad-Baghani do you mean the hash is hardcoded?
Neo
@creepteks
@Schaeff
Yeah, I think I'm still a little bit confused. Take this for an example: https://blog.decentriq.ch/proving-hash-pre-image-zksnarks-zokrates/
I think I was looking at some elementary examples which kinda gave me the idea that it is only possible to hardcode the hash digest into zokrates and then create the circuit.
I actually wanted to understand zkDAI better: https://medium.com/@atvanguard/zkdai-private-dai-transactions-on-ethereum-using-zk-snarks-9e3ef4676e22
I was inspecting the zk-circut at https://github.com/atvanguard/ethsingapore-zk-dai/blob/master/ethereum/zk-circuit.code, and then I figured that I was probably misguided as this next example shows that you can create a circuit using zokrates to prove/verify knowledge of preimage of arbitrary hashes (with limitations regarding the compile-time determination of size of the hashes, of course). Am I right?
import "LIBSNARK/sha256packed"

// https://zokrates.github.io/sha256example.html#computing-a-hash-using-zokrates
// A field value can only hold 254 bits due to the size of the underlying prime field used by zokrates. Therefore, 256 bit values need to be passed as 2 params of 128 bit values.

// https://zokrates.github.io/concepts/stdlib.html?highlight=sha256#sha256packed
// At the time of writing sha256packed takes 4 field elements as inputs, unpacks each of them to 128 bits (big endian), concatenates them and applies sha256. It then returns two field elements, each representing 128 bits of the result.

// Public inputs
// onh0 + onh1: Hash of the note (secret note)
// nn1h0 + nn1h1: Hash of the new note 1
// nn2h0 + nn1h1: Hash of the new note 2

// Private inputs
// ona + onb: secret key of the sender
// onc + ond: (256 bits) representing the value of the note to be spent

// nn1a + nn1b: public key of the receiver
// nn1c + nn1d: the value of the note to be sent

// nn2c + nn2d: leftover change
def main(field onh0, field onh1, private field ona, private field onb, private field onc, private field ond, field nn1h0, field nn1h1, private field nn1a, private field nn1b, private field nn1c, private field nn1d, field nn2h0, field nn2h1, private field nn2c, private field nn2d) -> (field):
// get public key corresponding to private key
// too complex to implement for the hackathon :p - so sending in the public key instead
field pka = ona
field pkb = onb

// old note
h0, h1 = sha256packed(pka, pkb, onc, ond)
h0 == onh0 // verify with public input (hash of the note)
h1 == onh1

// new note 1 that goes to pkreciever
h0, h1 = sha256packed(nn1a, nn1b, nn1c, nn1d)
h0 == nn1h0
h1 == nn1h1

// new note (left over change) that goes back to sender (pk)
h0, h1 = sha256packed(pka, pkb, nn2c, nn2d)
h0 == nn2h0
h1 == nn2h1

ond == nn1d + nn2d // assuming the values fit in 128 bit nums - hence onc, nn1c, nn2c are 0
return 1
Thibaut Schaeffer
@Schaeff
@Mahdad-Baghani so let me make it clear here: it's absolutely possible to pass the hash as a parameter, typically a public one so that the verifier can see it. The cost for that is a slightly bigger proof and slightly more expensive verification, as is the case with any public input.
Neo
@creepteks
@Schaeff thanks for the clarification
hou
@turfT
Hi, can I use zokrates as a tool for generating circuits for default backend bellman? I wish I could only use Zokrates as a DSL to programming circuit and reuse it in bellman. Any suggestions?
Thibaut Schaeffer
@Schaeff
@turfT Hey, what do you want to do in bellman with the zokrates circuit that you can't do with zokrates itself? Have a zokrates circuit inside a bellman circuit?
hou
@turfT
Transfer a zokrates circuit into bellman circuit. I tried to write some zokrates circuit like a Poseidon hash version payment zk protocol, it works pretty well. So I wonder can I transfer circuits into bellman version, only for learning purposes..
thx for your kind relay @Schaeff
smithsen
@smithsen
Hey everyone. I was wondering if I can take hash of a matrix (I need this to make a circuit) and what would be the right way in case I want to use sha256?
Thibaut Schaeffer
@Schaeff
@smithsen inside the program, you could iterate through the matrix filling an array that you then hash?
@turfT Under the hood, zokrates creates a bellman circuit so that it can then use the bellman backend
here https://github.com/Zokrates/ZoKrates/blob/master/zokrates_core/src/proof_system/bellman/mod.rs#L195 the Computation struct (which can be created from a compiled zokrates program and witness) implements the Circuit trait from bellman, so conceptually it could be used as part of a bigger bellman circuit, if that's what you're intending to do
Tim
@timhc22
Hello, had a chat with the team on twitter (@timhc22) what's the best way to chat?
15 replies
smithsen
@smithsen

@smithsen inside the program, you could iterate through the matrix filling an array that you then hash?

Alright, I will try with that

Tim
@timhc22
Hey, would I be right in thinking that zokratesProvider.compile("def main(private field a) -> (field): return a * a") is compiling down to web assembly?
sorry if thats a pretty basic question, I'm pretty new to this
smithsen
@smithsen
Hi, I am sorry but I was reading an article "https://medium.com/zokrates/building-identity-linked-zksnarks-with-zokrates-a36085cdd40" and I was not very clear with what proofOfOwnership.code does exactly in the second piece of code?
Tim
@timhc22
looks like babyjubjubparams.code is the 'pre image', and proofOfOwnership is just generating a non-repudiated (if that is the correct term) hash (proof), the other two inputs/parameters being Alice's public and private key right?
like I said, I'm pretty new to this, so may be wrong, but thanks for sharing that, it was a super interesting read!
Tim
@timhc22
ah no, babyjubjub is this https://github.com/barryWhiteHat/baby_jubjub_ecc, ignore me
smithsen
@smithsen

looks like babyjubjubparams.code is the 'pre image', and proofOfOwnership is just generating a non-repudiated (if that is the correct term) hash (proof), the other two inputs/parameters being Alice's public and private key right?

Hey, I think the same too but I am essentially generating a matrix in another code and then I want to put it in the hash generation system and then use the proof as such, the only problem is my matrix dimension is like 128 x 128 and converting to an array and then doing hash is kinda scary. I was wondering if there are some direct tools.

Thibaut Schaeffer
@Schaeff
@smithsen proofOfOwnership takes a public key and a private key, and makes sure that the public key is derived from the private key. If you make the private key a private input to the program, you're essentially proving that you know the private key to a given public key.
smithsen
@smithsen
Ok so it is like a preliminary stage checking that yes indeed we have the data. So as given in the example there in https://medium.com/zokrates/building-identity-linked-zksnarks-with-zokrates-a36085cdd40 , the author says that Alice wants to prove her age, if I have to consider the picture of Alice's ID card and then work on that, my idea was converting it in matrix and then putting it as a private key in the code written in the blogpost, it is seems too much. Is there a way in Zokrates that I can take the image in ?
Darko Macesic
@dark64

Hey, would I be right in thinking that zokratesProvider.compile("def main(private field a) -> (field): return a * a") is compiling down to web assembly?

no, zokrates itself is compiled down to web assembly which the javascript library calls to compile your program, this makes it possible for zokrates to be run in browser/node environments

smithsen
@smithsen

Ok so it is like a preliminary stage checking that yes indeed we have the data. So as given in the example there in https://medium.com/zokrates/building-identity-linked-zksnarks-with-zokrates-a36085cdd40 , the author says that Alice wants to prove her age, if I have to consider the picture of Alice's ID card and then work on that, my idea was converting it in matrix and then putting it as a private key in the code written in the blogpost, it is seems too much. Is there a way in Zokrates that I can take the image in ?

Can someone please help me with this one? Or at least if can give the reference as in where to look for that would be great. Thanks

DobPP
@dobpp
Hi
DobPP
@dobpp
I'd like to create zokrates generating serial numbers, is it possible?
Thibaut Schaeffer
@Schaeff
@smithsen how do you make sure that Alice doesn't photoshop the ID?
Thibaut Schaeffer
@Schaeff
@smithsen One approach for these kinds of situations (say, proving that Alice is over 18) is to have a reputable entity sign Alice's birth date and public key and give the signature to Alice, then Alice inputs her birth date and the signature as private inputs, and her public key and the reputable entity's public key as public inputs, basically saying: "I know a signature by this reputable entity which claims that I was born on date d with d more than 18 years ago". Note that the reputable entity signed the birth date and not the statement "Alice is over 18", so that Alice can reuse this signature to prove whatever she needs to
smithsen
@smithsen

@smithsen how do you make sure that Alice doesn't photoshop the ID?

I mean Alice can but possibly a reputable entity can hash the image right, as signature ?

Thibaut Schaeffer
@Schaeff
In theory yes, however doing image processing inside a snark is much much more expensive than verifying a digital signature.
smithsen
@smithsen
I see, ok I wanted to process an image inside the snark
stevewu
@Stevewu1234
Hi, I'm learning zk-snark used in Ethereum. And I'm confused with the authenticity of one data: using groth16 algorithm to generate zk-snark proof and the estimation is 1 tx(200bytes) 50MB. Can I use ZoKrates to prove data authenticity? Or have I made a misunderstanding?
Tim
@timhc22
Hello, for anyone who has worked with the zokrates.js library:
I have managed to get it working with a react app locally, but when I host it (on AWS S3), I'm getting an error with Mime types (HERE: https://web3.unegma.com/page-three and HERE: https://github.com/timhc22/zokrates/blob/main/client/src/pages/PageThree/PageThree.js), I've tried to figure out how to add the mime type on s3, but it isn't specific to one file. Any idea if I will need to make the calculations using zokrates.js on a server, and do an api call from the frontend instead, or is there some kind of workaround? Thanks
Ozdemir86
@Ozdemir86
Hello
I need a help any support who online?
Transaction input data sha256 possible ?
hou
@turfT
hi，everyone .. a little confused about bn128 and alt_bn128, are these two curves are the same curves?
Darko Macesic
@dark64

Hello, for anyone who has worked with the zokrates.js library:
I have managed to get it working with a react app locally, but when I host it (on AWS S3), I'm getting an error with Mime types (HERE: https://web3.unegma.com/page-three and HERE: https://github.com/timhc22/zokrates/blob/main/client/src/pages/PageThree/PageThree.js), I've tried to figure out how to add the mime type on s3, but it isn't specific to one file. Any idea if I will need to make the calculations using zokrates.js on a server, and do an api call from the frontend instead, or is there some kind of workaround? Thanks

your server might not know how to serve wasm files, you can google around a bit how to add 'application/wasm' mime type in your server configuration for wasm files, if you're using nginx you can just add

include mime.types;
types {
application/wasm wasm;
}
Darko Macesic
@dark64

hi，everyone .. a little confused about bn128 and alt_bn128, are these two curves are the same curves?

they should have the same equation, but alt_bn128 has some optimizations specific to the generator point of G2 (don't quote me on this, not completely sure)

hou
@turfT
@dark64 help a lot, thx
Neo
@creepteks
Hi, there; I am having trouble converting the u32 arrays to be used in javascript or python. Imagine this scenario: I have a circut that checks if a u32[16] is the actual preimage for a u32[8] hash. I can feed the arguments properly to Zokrates CLI and it yields the expected result. However, I want to store this hash as a bytes32 inside an Ethereum smart contract, and later on, provide zksnarks proof of knowing the preimage. If I use a circuit, as what is presented in RNG tutorial to produce the hash using zokrates CLI, how I can I later on convert the outputted hash to byte32 or hex string? if I use cryptographic libraries like Crypto-js to compute the hash, how can I convert the preimage and its hash to the in the proper format, u32[16] preimage and u32[8] hash, to be passed to zokrates CLI to compute the witness and generate the proof?
prographo
@prographo
Hi, what is the difference between zokrates and snarkjs/circom ?
prographo
@prographo
I am reading through the documentation, here https://zokrates.github.io/language/types.html
it says "when working with the ALT_BN128 curve supported by Ethereum." although I don't see anything in the generated verifier.sol contract specific to ethereum, there are no special primitives used afaics
Neo
@creepteks
@prographo This is actually a very good observation. I took a look at these EIPs: https://eips.ethereum.org/EIPS/eip-196, https://eips.ethereum.org/EIPS/eip-197 and https://eips.ethereum.org/EIPS/eip-1108. So Ethereum uses precompiled contracts to reduce the gas costs for scalar addition and multiplication and paring check on this specific curve. I expected to see some invocation of some precompiled contract such as ECADD at 0x06 or ECMUL at 0x07 but could not find any. Istanbul fork list EIP1108 as included, but I do not know why it is not there in the verifier.sol. Sorry if I did not answer your question... :-(
Thibaut Schaeffer
@Schaeff
ZoKrates relies on this library for proof verification, where you'll find calls to the precompiles
Neo
@creepteks
@Schaeff would you be so kind to help me with the question I asked a few lines before? I would really appreciate it.
Neo
@creepteks

ZoKrates relies on this library for proof verification, where you'll find calls to the precompiles

Also, I was under the impression that EIPs of numbers 196, 197 and 1108 were referring to precompiled EVM opcodes as primitives for skSNARKs computations, but what you provided us with was a series of pre-written solidity contracts that are exported based on the type of the zkp scheme used via zokrates export-verifier command.

Thibaut Schaeffer
@Schaeff
Yes, depending on the scheme you're using, different on chain libraries are required. The central one is the one I linked to above, and it calls the precompiled contracts introduced by the EIPs you just mentioned. Note that only verification happens on chain, proof generation happens off chain.