top | item 40743718

(no title)

ianseyer | 1 year ago

The best analogy of zk-proofs I've heard is to suppose you have found Waldo in "Where's Waldo," and want to prove that you have done this without revealing the location.

You could take a piece of paper (much larger than the picture/book), and cut out a waldo-shaped hole it and position the paper such that he is shown in the hole. Then, when you show it to the challenger, they know that you have found him without you revealing where he is.

discuss

delecti|1 year ago

It took me a minute to fully get this, so I'm adding this so it's a bit more obvious for anyone else: the piece of paper is much larger than the picture/book so that it can hide the book's relative position underneath it.

thaumasiotes|1 year ago

Unfortunately that completely defeats the idea of the proof.

Here's an alternative procedure:

1. Get a very large sheet of paper, and cut a Waldo-shaped hole in it.

2. Get some more paper, and paint a picture of Waldo on it.

3. Paste your image of Waldo on the back of the paper you prepared in step 1.

4. Place this composite over a Where's Waldo book.

5. You've found Waldo!

If you can't tell where the book is, there is no evidence that the image of Waldo is part of the book.

nroets|1 year ago

But it's a simplification: One iteration is enough to detect lying.

In a real ZK proof the probability of the prover lying reduces after each iteration but never reached 0.

pxx|1 year ago

there is a probabilistic interactive component. this protocol allows the prover to fake it by just using a book where they know where Waldo is. in each iteration you choose whether to confirm it's the original book and page under the paper or see Waldo (but not both). a cheating prover has p = .5 of fooling a verifier.

but your concern is invalid to begin with. nothing in the definition of a zkp requires them to be multi-round interactive. there exist non-interactive zkp.

unknown|1 year ago

[deleted]

isaacfung|1 year ago

How do I know if it is the original "Where's Waldo" under the paper?

pxx|1 year ago

in each iteration you choose whether to confirm it's the original book and page under the paper or see waldo

IshKebab|1 year ago

I think that conveys what a zero knowledge proof achieves but it doesn't really correspond to any real zero knowledge proof algorithms. You can't do that over the phone, which is kind of the whole point.

pxx|1 year ago

no, that's not even close to the whole point. the analogy is to introduce the concept of proving something to a verifier without giving the verifier the solution

the paint-mixing analogy of diffie-hellman also can't be done over the phone, but it helps people understand how a shared secret can be established even if all communication is intercepted