zlacker

[return to "Opening up ‘Zero-Knowledge Proof’ technology"]
1. bobbie+yc[view] [source] 2025-07-03 19:02:07
>>doomro+(OP)
Anyone have a good explanation on the intuition of non-interactive zero-knowledge proofs? For example, I thought the "paint-mixing" analogy for Diffie-Hellman key exchange (https://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange#Ge...) really helped me handwave the math into "mixing easy, unmixing hard".

https://blog.cryptographyengineering.com/2014/11/27/zero-kno... was a good intro for interactive ZK proofs but I haven't been able to find something for non-interactive ones.

This blog post comparing ZK-STARKs to erasure coding is in the right flavor but didn't quite stick to my brain either: https://vitalik.eth.limo/general/2017/11/09/starks_part_1.ht...

◧◩
2. tptace+Tg[view] [source] 2025-07-03 19:33:30
>>bobbie+yc
If you're looking for something at the level of paint cans, I think you want Matthew Green's "crayons and hats":

https://blog.cryptographyengineering.com/2014/11/27/zero-kno...

◧◩◪
3. remram+Cz[view] [source] 2025-07-03 22:15:02
>>tptace+Tg
That's only for interactive proofs though. Like GP I have no problem understanding those.
◧◩◪◨
4. _alter+rD[view] [source] 2025-07-03 23:02:30
>>remram+Cz
There is a trick to convert an IP to a non-IP.

Usually in an IP, the prover (Bob) has to answer questions from the verifier (Alice), and Alice chooses her questions by flipping a coin. If the Bob doesn’t really know the answer, he’ll get caught cheating with high probability.

So now the trick: Bob starts generates his initial answer. Then he hashes it (“commits” in the jargon), and uses the hash as “Alice’s first coin flip”. Then he answers the question for that flip, hashes the whole thing for “Alice’s second coin flip”… etc.

Bob does this say, 100 times, and then sends the whole simulated conversation to Alice. Alice can verify that he didn’t cheat by checking the intermediate hashes.

The whole thing depends on the ability to not control the result of the hash function, so it’s vital to use a cryptographically secure one.

◧◩◪◨⬒
5. remram+YN[view] [source] 2025-07-04 01:43:28
>>_alter+rD
It "feels" much easier to generate random non-solutions and check if the random questions happen to pass, though. Is it really all there is to it? You increase the number of questions to compensate and that's the whole scheme? Wouldn't the responses be a ludicrous amount of data?
◧◩◪◨⬒⬓
6. jlokie+7S[view] [source] 2025-07-04 02:48:43
>>remram+YN
The trick is called the Fiat-Shamir transform, and you're right, it does require more questions to get an equivalent security level, precisely because you can try a large number of random non-solutions without anyone catching you doing it.

But the number of questions you need to compensate grows only a little.

For example, interactively if you ask for Merkle tree proof that selected leaf values have a particular property, you only have to ask for about k leaves to get probability 1-(2^-k) that you'd catch a dishonest prover who had committed a Merkle root with less than half the leaves having the property.

Non-interactively, a dishonest prover could secretly grind attempts, say 2^g times, and then you'd have a lower probability of catching them, approximately 1-(2^(g-k)). But g can't be all that large, so you can increase k to compensate without making the proof much larger.

You.can also require certain hashes to have a fixed prefix, like Bitcoin mining, forcing every prover to have to grind 2^p times. This reduces the effective g that a dishonest prover can achieve, allowing k to be smaller for the same security, so allowing the non-interactive proof to be smaller. At the cost of honest provers having to grind.

[go to top]