I’m reaching out with a specific question regarding ZKP in the context of generating an ECDH secret share using Ethereum keys.
My goal is to determine if it is possible to prove, within a ZKP circuit, that an ECDH secret share is correctly generated using an Ethereum private key and an Ethereum public key.
Here are the potential specific inputs:
1. Public Inputs: Two EVM addresses (keccak256 hash of Ethereum public keys).
2. Private Input: An Ethereum private key.
My questions are as follows:
Is it technically feasible to use these values (private key and public key) within a plonk circuit?
Is it possible to construct a ZKP to prove the correct generation of the ECDH secret share?
Thank you in advance for your assistance and contributions!
Yes, this should be possible. I am not sure what algorithms are required to prove ECDH, but you can generate an Ethereum address from a public key, using something like this library.
Do you want users to input their private keys to the circuit and prove that it corresponds to a specific address? Or is putting in a public key sufficient?
Thank you for your message @joshc and for the help. I will look into the library in detail.
And yes, exactly regarding the private key. The prover should include the private key in the circuit (as a private input) and prove within the same circuit that this private key is indeed the origin of the public key (public input).
I have created a public Git repository for the future result:
Here is the first version of my zero-knowledge proof (ZKP) circuit designed to verify the correct generation of a shared secret key from Ethereum addresses.
The circuit is implemented to:
Verify that the public key derived from a given private key matches the provided Ethereum address.
Ensure that shared secret values are correctly generated from the public key coordinates and the private key.
However, I’ve encountered an issue where the private key does not seem to match the public key. Specifically, when I derive the public key from the private key and convert it to an Ethereum address, the resulting address does not match the expected one.