Hello, I would like to implement a zk-SNARKs scenario using libsnark but I can't figure out if it is indeed possible and how to approach the implementation in practice.

This library seems too technical for me at the moment. I would really appreciate it if there was anyone able to tell me if the following is possible. I would also be very grateful for any suggestions on how to approach the implementation of this problem in practice.

I would like to implement a scenario in which a prover P wants to prove the knowledge of the decrypted version of a file to a verifier V using zk-SNARKs. (The set-up phase to produce the proving and verification keys is done by a trusted third party of course.)

In this scenario there is a file f and its encrypted version is fE = Enc(f, k). Here Enc is a strong symmetric encryption algorithm such as AES and k is the key used to encrypt the file f.

The hash of the file f is Hf = SHA256(f)

In this scenario, I want the prover to be able to prove that:
SHA256(Dec(fE, k)) == Hf AND SHA256(k) == Hk
where obviously Dec( fE, k ) will produce the original file f.

The prover P will send to the verifier V the following elements, and V will be then able to verify the proof:

• the proof itself just produced by P
• the encrypted file fE
• the hash of the file Hf
• the hash of the key Hk

If the verification output is true (the proof is valid) the verifier V will be sure of the following:

• Hf is the hash of a file f and the encrypted version of this file is fE (note that V doesn't have/know the original file f)
• Hk is the hash of the key k used to encrypt the file f to obtain fE

Many thanks to anyone who takes the time to read and try give suggestions!

The problem domain with ZKPs for SNARKs is to create two definitions: 1) the protocol and 2) the circuit. You've described the protocol and it looks good from a high level.
The remaining definition is the circuit. You have the SHA256 function and the Dec function stated. The SHA256 function is included in libsnark already (as long as you only need the compression side, and the full hash is not difficult to implement). The Dec function will require more work to define.
Depending upon things like variable sizes and recursion, the Dec function might be easy or might be impossible entirely. If you post pseudo-code then it would be easier to comment on.

Thank you so much for your reply.

Let's forget about the Dec function for now then. Let's say the prover only wants to prove the second part of the statement, in other words that he knows a key k that has an hash value Hk. Formally the prover wants to prove that: SHA256(k) == Hk

The prover P will compute the proof and then send it to the verifier V along with the hash Hk.

When V verifies the proof he can then be sure that P knows the preimage of the hash, aka the key k.

So even in this simplified scenario, I just can't understand how to proceed with libsnark. There is a gadget for SHA256 as you said, but how can I use it in practice to produce the following:

• Proving and verification keys (trusted set up) in the form of separate files
• Executable usable by any prover to be able to produce a proof (in form of a file) using as inputs: the proving key; the hash value Hk; the key k aka the witness
• Executable usable by any verifier to be able to verify a proof (a file produced by the other executable) using as inputs the proof itself and the hash Hk

I know this is a very general question, but I can't figure out how to begin. Any suggestion or guideline would be greatly appreciated.