I just wanted to say a big thank you for that page. I've read a few explanations of ZKP's, of the
Ali Baba map type and now this map colouring explanation, and I came away none the wiser.
Well, wiser were wiser means "I build another ZKP". The map colouring explanation was actually more confusing than helpful, as anybody who has attempted to colour a map with just three colours knows you often have the entire thing coloured in, except for one problematic vertex which may be one vertex among billions. If you reveal 20 vertexes at random out of a billion, the odds of finding the proof the problem wasn't solved is worse 1 in 10e5, which isn't a proof of anything.
Your page revealed there are lots of ingredients needed to make ZKP's work. Mapping the problem proving some knowledge about a function being the first step, and one you would never guess from the simplistic descriptions. But by far the most surprising one to me is they (or at least ZK-SNARK's) use homomorphic operations. Homomorphic operations are often in the news (most recently a toolkit from Google), but are so slow (from what I can see about 10e9 times slower than doing the same thing without homomorphic operations) I couldn't imagine a real world use case. But here, right under my nose, are homomorphic operations being used in the real world. And no general purpose toolkits were needed.
Another nice resource for understanding zk snarks that I found easily digestible was this paper that was shared on hn a few months ago[0]. https://arxiv.org/abs/1906.07221
I think ZKPs will find most of their use in proving MPC protocols were correctly followed. In these protocols you often need everyone to do certain steps correctly to prevent cheating or deadlock. But sharing the information behind those steps reveals way too much data.
Often ZKP can be used to prove those steps were correctly followed.
A correct Multi-party computation protocol (MPC) by definition is private. MPC from its inception has used zero-knowledge proofs as a building block (i.e. see the GMW compiler from the 1980s) (though other approaches exist).
For many existing MPC protocols, ZKPs are overkill for achieving malicious security, and more efficient approaches exist (eg: information-theoretic MACs)
The page seems a bit too heavily weighted towards SNARKs in particular and cryptocurrency applications in general. There's no mention of ZKPPs, for instance.
Is there a third type of exchange that I am not aware of, other than centralized and decentralized exchanges? How else would people exchange tokens but through a crypto exchange? Are you saying people shouldn’t exchange their crypto?
ZKPs are a really exciting crypto primitive. They're finally getting serious development for the cryptocurrency space, but I think we'll see them used in all sorts of protocols over the next decade.
One possibility I'm excited about is users being able to perform computations locally without sending their data anywhere, and then providing the results to a company, government, etc with a proof that the results are faithful.
It compresses the whole history of the blockchain into a proof of less than 21KB using recursive zero knowledge proofs (each block has a proof that the previous proof is valid).
I’m sad to see that analogy become so popular over the last year. It fails to capture the tremendous amount of work that is required to establish or verify proofs. In the Waldo example verification is O(n).
I’ve worked on other analogies but every simplification is damning in its own way. One I particularly like:
You want to ask Google for directions to an address in your small town but you don’t want Google to know where you are going or where you live. Instead you ask for a list of directions between every address in your small town. It takes a bit longer to return these results but the it satisfies the conditions.
This isn’t of course how ZKP’s work but directionally captures their computational overhead in a way other examples don’t.
For the same reason public-key signatures are worth trusting: if correctly designed and validated, it's computationally intractable to construct one without the information (private key or otherwise) being proved. (You do lose the inability of coparties to prove that you know the thing, but that's not always a problem.)
[+] [-] baby|4 years ago|reply
They’re going to change the world, not just for privacy, but for compression.
[+] [-] rstuart4133|4 years ago|reply
Well, wiser were wiser means "I build another ZKP". The map colouring explanation was actually more confusing than helpful, as anybody who has attempted to colour a map with just three colours knows you often have the entire thing coloured in, except for one problematic vertex which may be one vertex among billions. If you reveal 20 vertexes at random out of a billion, the odds of finding the proof the problem wasn't solved is worse 1 in 10e5, which isn't a proof of anything.
Your page revealed there are lots of ingredients needed to make ZKP's work. Mapping the problem proving some knowledge about a function being the first step, and one you would never guess from the simplistic descriptions. But by far the most surprising one to me is they (or at least ZK-SNARK's) use homomorphic operations. Homomorphic operations are often in the news (most recently a toolkit from Google), but are so slow (from what I can see about 10e9 times slower than doing the same thing without homomorphic operations) I couldn't imagine a real world use case. But here, right under my nose, are homomorphic operations being used in the real world. And no general purpose toolkits were needed.
[+] [-] rocqua|4 years ago|reply
[+] [-] Ar-Curunir|4 years ago|reply
(This is not a slight against the maintainers; the space is moving incredibly quickly, so it's difficult to keep updating regularly.)
[+] [-] eruleman|4 years ago|reply
[+] [-] clashmeifyoucan|4 years ago|reply
[0]: https://news.ycombinator.com/item?id=24815649
[+] [-] toolslive|4 years ago|reply
https://www.researchgate.net/publication/221355016_How_to_Ex...
[+] [-] rocqua|4 years ago|reply
Often ZKP can be used to prove those steps were correctly followed.
[+] [-] knownjorbist|4 years ago|reply
[+] [-] Vervious|4 years ago|reply
[+] [-] Ar-Curunir|4 years ago|reply
[+] [-] throw2500|4 years ago|reply
Not all crypto is "crypto".
[+] [-] tylersmith|4 years ago|reply
That said, this page is implicitly focused on ZK computational proofs for general computations. It's also fairly out of date at this point.
[+] [-] Ar-Curunir|4 years ago|reply
[+] [-] maverick-iceman|4 years ago|reply
Every cryptography gives the cryptographer an immediate asymmetrical advantage, and that's necessary given crypto's adversaries.
Said cryptography advantage cannot be wasted by centralizing the social environment where people exchange the tokens
Crypto exchanges are the singular main point of failure and that is true for both centralized and de-centralized exchanges
[+] [-] legutierr|4 years ago|reply
[+] [-] koheripbal|4 years ago|reply
[+] [-] tylersmith|4 years ago|reply
One possibility I'm excited about is users being able to perform computations locally without sending their data anywhere, and then providing the results to a company, government, etc with a proof that the results are faithful.
[+] [-] SheinhardtWigCo|4 years ago|reply
[+] [-] gjvc|4 years ago|reply
[+] [-] transitory_pce|4 years ago|reply
[+] [-] adamgluck|4 years ago|reply
[+] [-] baby|4 years ago|reply
It compresses the whole history of the blockchain into a proof of less than 21KB using recursive zero knowledge proofs (each block has a proof that the previous proof is valid).
[+] [-] diplodocusaur|4 years ago|reply
[0] https://medium.com/swlh/a-zero-knowledge-proof-for-wheres-wa...
[+] [-] paulgerhardt|4 years ago|reply
I’ve worked on other analogies but every simplification is damning in its own way. One I particularly like:
You want to ask Google for directions to an address in your small town but you don’t want Google to know where you are going or where you live. Instead you ask for a list of directions between every address in your small town. It takes a bit longer to return these results but the it satisfies the conditions.
This isn’t of course how ZKP’s work but directionally captures their computational overhead in a way other examples don’t.
[+] [-] politician|4 years ago|reply
[+] [-] a1369209993|4 years ago|reply
[+] [-] tylersmith|4 years ago|reply
If your concern is trusted setups, those are quickly being phased away by better constructions that are fully transparent.