zkEmail circuit #86
Draft: mitschabaude wants to merge 26 commits into feature/zkemail-prep-2 from feature/zk-email-circuit
+903 −188
mitschabaude changed the base branch from feature/zk-email to feature/zkemail-prep-2 (December 5, 2024 12:32)
on top of #87, this adds a first version of the o1js zkEmail implementation.
Motivation
We want to use emails as private credentials, stored in our wallets, and make selective disclosures about them.
The "attributes" of an email credential are the plain text body and header (or specific extracted header fields, like `from` and `subject`), and the "issuer" is the DKIM public key.
API
`ProvableEmail` type:
Details
the full zkemail implementation is self-contained in a single file, `zkemail.ts`.
included in this PR:
not included in this PR:
to overcome circuit size limits, we use recursive zkprograms. header is limited to a configurable length (currently 10 sha2 blocks = 640 bytes), while the body has arbitrary length (by optionally using more proofs).
everything is structured into a linear chain of proofs: the inner ones just deal with hashing, and the outer one converts the sha2 states of body and header hashes to bytes, and verifies the RSA signature
note: this depends on o1-labs/o1js#1931 and its follow-up PRs, and currently uses o1js locally at this branch: https://github.com/o1-labs/o1js/tree/tmp/zkprogram-merged
Results
Test using
For email bodies up to 704 bytes, `verifyEmail()` fits in 3 proofs and takes 1:40 min on my machine. (Longer bodies just work as well, but will take more proofs.)
However, the final proof already uses about 32k constraints and doesn't include any header extraction (e.g., of the body hash) yet. It seems likely that with the header extraction added, hashing has to be pushed deeper down into the inner proof and everything will need 4 proofs minimum by default.
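The linear chain of hashing steps described in the PR, as an added illustration that is not code from `zkemail.ts` or o1js: plain TypeScript (no circuits) in which each step absorbs a few SHA-256 blocks and hands on only the 8-word state, and the end of the chain converts that state to bytes. `hashStep`, `chainedSha256` and `blocksPerStep` are hypothetical names, and the sample inputs in the check are constructed.

```typescript
// Added illustration: SHA-256 evaluated as a chain of steps that pass on only the 8-word state.
// All names are hypothetical; this is not the circuit code from zkemail.ts.
const K = [0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
  0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
  0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
  0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
  0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
  0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
  0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
  0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2];
const IV = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19];
const rotr = (x: number, n: number) => (x >>> n) | (x << (32 - n));
const ascii = (s: string) => new Uint8Array(s.split("").map((c) => c.charCodeAt(0)));

// One "inner" step: absorb whole 64-byte blocks into the running state and return the new state.
function hashStep(state: number[], blocks: Uint8Array): number[] {
  let s = state.slice();
  for (let off = 0; off < blocks.length; off += 64) {
    const view = new DataView(blocks.buffer, blocks.byteOffset + off, 64);
    const w: number[] = [];
    for (let i = 0; i < 16; i++) w[i] = view.getInt32(4 * i); // big-endian message words
    for (let i = 16; i < 64; i++) {
      const x = w[i - 15], y = w[i - 2];
      w[i] = (w[i - 16] + (rotr(x, 7) ^ rotr(x, 18) ^ (x >>> 3)) + w[i - 7] + (rotr(y, 17) ^ rotr(y, 19) ^ (y >>> 10))) | 0;
    }
    let [a, b, c, d, e, f, g, h] = s;
    for (let i = 0; i < 64; i++) {
      const t1 = (h + (rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i]) | 0;
      const t2 = ((rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) | 0;
      h = g; g = f; f = e; e = (d + t1) | 0; d = c; c = b; b = a; a = (t1 + t2) | 0;
    }
    s = [a, b, c, d, e, f, g, h].map((v, i) => (v + s[i]) | 0);
  }
  return s;
}
// SHA-256 padding: 0x80, zeros, then the bit length as a 64-bit big-endian integer.
function pad(msg: Uint8Array): Uint8Array {
  const out = new Uint8Array(Math.ceil((msg.length + 9) / 64) * 64);
  out.set(msg); out[msg.length] = 0x80;
  new DataView(out.buffer).setUint32(out.length - 4, msg.length * 8);
  return out;
}
// Run the chain; only after the last step is the state turned into digest bytes (hex here).
function chainedSha256(msg: Uint8Array, blocksPerStep: number) {
  const padded = pad(msg), size = 64 * blocksPerStep;
  let state = IV, steps = 0;
  for (let off = 0; off < padded.length; off += size, steps++) state = hashStep(state, padded.subarray(off, off + size));
  return { digest: state.map((v) => ("0000000" + (v >>> 0).toString(16)).slice(-8)).join(""), steps };
}
```

The digest does not depend on `blocksPerStep`; only the number of steps does, which is why a longer body costs more steps rather than a larger one.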