Hash functions dont have nice mathematical properties such as h(a+b)=h(a)+h(b).
You can use homomorphic encryption if you need such properties.
Homomorphic encryption would not grant such properties to a hash—not to the hash itself—but that is irrelevant here: Such properties are not needed. The ignoramus who spat out that brilliant observation was making a
non sequitur, like observing that hash functions are not the colour mauve. Well, of course not. So what?
In theory, any operation that can be performed by a computer can have its correct performance proved in zero knowledge.
To illustrate: For publicly known Hash160 image
H of secret preimage
secp256k1_pubkey, you can prove in zero knowledge that you ran a program that outputs
true for the following:
RIPEMD160(SHA256(secp256k1_pubkey)) == H
Verifying the proof does not require any knowledge of
secp256k1_pubkey.
Neat trick, eh? That’s the toy version; it simply proves that you know the unrevealed public key. Building this into a system that permits secure spending of funds would necessarily be more complicated; and since the objective here is post-quantum emergency salvaging of coins, it
may need to use something other than current-generation zk-SNARKs.
*It is not merely theoretical. Zcash has been deployed in production for almost six years, running a financial network where you prove in zero knowledge that you ran a program that validates your own transaction. Consensus nodes then verify your proof, without knowing any information about the transaction’s inputs and outputs. With a nod to Clarke, “Any sufficiently advanced cryptography is indistinguishable from magic.”
I have believed for years that zero-knowledge proofs will take over the world. When time permits, I will open the new thread that I’ve been intending for days about zero-knowledge proofs, and the application thereof in Bitcoin. (A prior impetus for that was
my desire to avoid derailing another thread with discussion of using ZK proofs to build a trustless BTC wrapper/bridge.) It will be self-moderated to cut noise. Meanwhile, those who are curious about the topic can find a research bibliography and a little survey of implementations here:
https://zkp.science/FHE is an entirely different topic—and another hot area of rapidly developing research. I want to learn more about that, and especially about potential applications thereof for solving the problem that we can’t publish secrets on a public blockchain. If you have knowledge and ideas on this subject, that would be interesting!
To put simply if you can reverse the following function and tell me what `a` and `b` were you can also reverse hash functions:
a + b = 10
Exactly. Inside hash functions, there are many things that are irreversible. If you have "uint32=mod(otherUint32+anotherUint32,2^32)", then there is no chance to reverse it, because for any given "uint32", there are 2^32 possible pairs of "(otherUint32,anotherUint32)", that will lead us to the same result. Also, there are binary operations, like AND, OR, XOR, that will mix it further, and make it a complete mess. Also don't forget about rotations, they are making it rock solid, because then tracking dependencies between single bits is getting exponentially harder. I think some explanation of the hash functions, based on reduced number of rounds, should be prepared, I will add it to my TODO list.
I suggest an inductive
reductio ad absurdum: “Hash” some data with
CRC-8, which has no cryptographic security whatsoever. Attempt to retrieve the data. If you succeed, then you have discovered that CRC-8 is a lossless compressor that can compress large amounts of arbitrary data down to a single byte! That’s obviously impossible. Q.E.D.: Hash functions cannot be inverted to retrieve their inputs.
Your thread about hash functions will also be interesting.
* zk-STARKs are PQ crypto; they rely only on the security of a hash function, but I am not sure if they are the best option here. There is some debate about zk-SNARKs and quantum computing attacks; I would need to learn more before opining.