Zero-knowledge proofs allow mathematicians to prove claims without explaining why they’re true
Thank you for reading this post, don't forget to subscribe!Typically proofs don’t merely show that something is true, but they also show why it is true. If I wanted to demonstrate evolution to you, I would show you the fossil record; if I wanted to convict a murderer, I would exhibit a smoking gun; and if I wanted to prove a theorem to you, I would write down a rigorous mathematical argument that you could verify step by step. In essence, to really prove something, it seems like you must give some kind of explanation, the “why” or the “how.”
Related: Can God Be Proved Mathematically?
But it turns out that might not always be the case. Theoretical computer scientists began to challenge this notion in the 1980s by asking if it is ever possible to prove a claim without revealing any additional information beyond the mere truth of the claim. These are called zero-knowledge proofs, and they sound impossible. In a seminal 1989 paper, researchers demonstrated that they are very real.
Here’s how a zero-knowledge proof can help with my Waldo dilemma: I take an opaque cloth that’s much larger than the book, and I cover the page with it. I shift the book around under the cloth to a random location so you lose track of where it is. Then, I cut a small silhouette of Waldo’s face in the cloth so that you can see him (and only him) peeking through. You’re now convinced that I had indeed found Waldo, but that’s all you’ve learned. You already knew Waldo was somewhere on the page, and you have no clue what part of the book you’re looking at, so you’ve merely learned the truth of my claim—I know where Waldo is hiding.
Our second example will more closely resemble how zero-knowledge proofs typically work in theory and practice. For this scenario, I claim to be a tetrachromat, somebody who can perceive extra colors invisible to most people. You have two identical-looking green balls, and I insist that I can distinguish them. We agree on the following demonstration to prove it. We name the balls A and B. You hide both balls from me behind your back and mix them up, mentally keeping track of which hand is holding A and which is holding B. Then you show me one of the balls, and I have to identify whether it’s A or B. If I get it wrong, then you’ve exposed that I was lying. If I get it right, then maybe it’s because I can really tell them apart, or maybe I just got lucky with a 50/50 guess. To gain confidence, you mix them up again and challenge me a second time. If I were guessing, then I would have only a 25 percent chance of getting two correct answers in a row. We can run the experiment as many times as you want, and each successful trial increases your confidence that I’m not faking.
The colored balls example showcases several features shared by many zero-knowledge proofs:
- They’re interactive. We often think of a mathematical proof as a static object, but expanding the concept to allow successive queries to the prover opens up new possibilities. Interactive proofs still faithfully model the real thing, as mathematicians often prove things to each other through conversation over a white boar.
- They’re probabilistic. In the colored balls scenario, I could be a liar who got a lucky string of successful guesses. With each new challenge though, my chance of bluffing you shrinks. If you ask me to identify the ball 30 times, and I get them all right, there is less than a one-in-a-billion chance that you’re just witnessing a hot streak. If you’re not satisfied with one in a billion, let’s go 10 more rounds and reduce my odds of guessing to one in a trillion.
- You really learn nothing other than the claim I’m trying to prove (that I can distinguish the balls). Zilch. Nada. You don’t learn which ball is “greener” than the other one. You can’t use my proof to go convince somebody else that I can distinguish the balls. Even if you filmed our interaction, a skeptic could accuse us of staging it. You only learn what I want you to learn.
So zero-knowledge proofs seem possible for some toy scenarios, but what about real mathematical problems? If I prove a major theorem with a complicated proof, and I want to tell you I’ve done it, but I’m worried you’ll publish the paper first and steal my glory, could I give you a zero-knowledge proof? What types of math problems allow this level of secrecy? Amazingly, every claim that I can prove to you with a traditional mathematical proof can also be proved in zero knowledge. Take your favorite result in math, and you could in principle prove it to a friend while showing them bupkes about how it works. This is a profound discovery about the nature of proof itself. Certainty does not require understanding.
In practice, you might find proving some things to your friend in zero knowledge prohibitively cumbersome, because the complexity of the interaction grows with more advanced claims. Fortunately, the value in zero-knowledge proofs extends well beyond parlor tricks and protecting paranoid mathematicians. They enjoy many applications in cryptography, such as safer passwords, digital signatures and more secure cryptocurrency. For these digital scenarios, we need digital equivalents of “hiding balls behind your back” or “covering the book with a cloth,” so we use tools from cryptography to simulate the physical obscuring of information.
A particularly neat use case is secure electronic voting, where everybody can personally verify the outcome of an election without revealing whom they voted for, and without the need for trusted authorities such as poll workers. These systems have actually been deployed in local elections in several countries, and zero-knowledge proofs are essential to their operation.
Another surprising proposal addresses a problem in nuclear disarmament. Under the Non-Proliferation Treaty, nuclear powers like the U.S. and Russia have agreed to take steps toward disarming their arsenals. To show they’re upholding their end of the treaty, countries want to prove to each other that they have dismantled their warheads. This could be accomplished by granting open-access inspections of nuclear facilities, but warhead designs are highly confidential and contain valuable technology secrets. Enter a remarkably elegant zero-knowledge proof that allows inspectors to verify the authenticity of nuclear weapons without revealing any sensitive information about their design.
Proof is the bread and butter of mathematics, and stretching its definition has had philosophical implications on the nature of conviction and has opened the door to technologies that once seemed impossible.
This is an opinion and analysis article, and the views expressed by the author or authors are not necessarily those of Scientific American.
ABOUT THE AUTHOR(S)
Jack Murtagh writes about math and puzzles, including a series on mathematical curiosities at Scientific American and a weekly puzzle column at Gizmodo. His original puzzles have appeared in the New York Times, the Wall Street Journal and the Los Angeles Times, among other outlets. He holds a Ph.D. in theoretical computer science from Harvard University. Follow Murtagh on Twitter @JackPMurtagh