Zero-knowledge proof

In cryptography, a zero-knowledge proof is a protocol in which one party can convince another party that some given statement is true, without conveying to the verifier any information beyond the mere fact of that statement's truth. The intuition behind the nontriviality of zero-knowledge proofs is that it is trivial to prove possession of the relevant information simply by revealing it; the hard part is to prove this possession without revealing this information.
In light of the fact that one should be able to generate a proof of some statement only when in possession of certain secret information connected to the statement, the verifier, even after having become convinced of the statement's truth by means of a zero-knowledge proof, should nonetheless remain unable to prove the statement to further third parties.
Zero-knowledge proofs can be interactive, meaning that the prover and verifier exchange messages according to some protocol, or noninteractive, meaning that the verifier is convinced by a single prover message and no other communication is needed. In the standard model, interaction is required, except for trivial proofs of BPP problems. In the common random string and random oracle models, non-interactive zero-knowledge proofs exist. The Fiat–Shamir heuristic can be used to transform certain interactive zero-knowledge proofs into noninteractive ones.

Abstract examples

The red card proof

One example of a math-free zero knowledge proof is if Peggy wants to prove to Victor that she has drawn a red card from a standard deck of 52 playing cards, without revealing which specific red card she holds. Victor observes Peggy draw a card at random from the shuffled deck, but she keeps the card face-down so he cannot see it.
To prove her card is red without revealing its identity, Peggy takes the remaining 51 cards from the deck and systematically shows Victor all 26 black cards one by one, placing them face-up on the table. Since a standard deck contains exactly 26 red cards and 26 black cards, and Peggy has demonstrated that all the black cards remain in the deck, Victor can conclude with certainty that Peggy's hidden card must be red.
This proof is zero-knowledge because Victor learns only that Peggy's card is red, but gains no information about whether it is a heart or diamond, or which specific red card she holds. The proof would be equally convincing whether Peggy held the Ace of Hearts or the Two of Diamonds. Furthermore, even if the interaction were recorded, the recording would not reveal Peggy's specific card to future observers, maintaining the zero-knowledge property.
If Peggy was lying and actually held a black card, she would be unable to produce all 26 black cards from the remaining deck, making deception impossible. This demonstrates the soundness of the proof system. This type of physical zero-knowledge proof using standard playing cards belongs to a broader class of card-based cryptographic protocols that allow participants to perform secure computations using everyday objects.

Where's Wally

Another well-known example of a zero-knowledge proof is the "Where's Wally" example. In this example, the prover wants to prove to the verifier that they know where Wally is on a page in a Where's Wally? book, without revealing his location to the verifier.
The prover starts by taking a large black board with a small hole in it, the size of Wally. The board is twice the size of the book in both directions, so the verifier cannot see where on the page the prover is placing it. The prover then places the board over the page so that Wally is in the hole.
The verifier can now look through the hole and see Wally, but cannot see any other part of the page. Therefore, the prover has proven to the verifier that they know where Wally is, without revealing any other information about his location.
This example is not a perfect zero-knowledge proof, because the prover does reveal some information about Wally's location, such as his body position. However, it is a decent illustration of the basic concept of a zero-knowledge proof.

The Ali Baba cave

There is a well-known story presenting the fundamental ideas of zero-knowledge proofs, first published in 1990 by Jean-Jacques Quisquater and others in their paper "How to Explain Zero-Knowledge Protocols to Your Children". The two parties in the zero-knowledge proof story are Peggy as the prover of the statement, and Victor, the verifier of the statement.
In this story, Peggy has uncovered the secret word used to open a magic door in a cave. The cave is shaped like a ring, with the entrance on one side and the magic door blocking the opposite side. Victor wants to know whether Peggy knows the secret word; but Peggy, being a very private person, does not want to reveal her knowledge to Victor or to reveal the fact of her knowledge to the world in general.
They label the left and right paths from the entrance A and B. First, Victor waits outside the cave as Peggy goes in. Peggy takes either path A or B; Victor is not allowed to see which path she takes. Then, Victor enters the cave and shouts the name of the path he wants her to use to return, either A or B, chosen at random. Providing she really does know the magic word, this is easy: she opens the door, if necessary, and returns along the desired path.
However, suppose she did not know the word. Then, she would only be able to return by the named path if Victor were to give the name of the same path by which she had entered. Since Victor would choose A or B at random, she would have a 50% chance of guessing correctly. If they were to repeat this trick many times, say 20 times in a row, her chance of successfully anticipating all of Victor's requests would be reduced to 1 in 2²⁰, or 9.5410⁻⁷.
Thus, if Peggy repeatedly appears at the exit Victor names, then he can conclude that it is extremely probable that Peggy does, in fact, know the secret word.
One side note with respect to third-party observers: even if Victor is wearing a hidden camera that records the whole transaction, the only thing the camera will record is in one case Victor shouting "A!" and Peggy appearing at A or in the other case Victor shouting "B!" and Peggy appearing at B. A recording of this type would be trivial for any two people to fake. Such a recording will certainly never be convincing to anyone but the original participants. In fact, even a person who was present as an observer at the original experiment should be unconvinced, since Victor and Peggy could have orchestrated the whole "experiment" from start to finish.
Further, if Victor chooses his As and Bs by flipping a coin on-camera, this protocol loses its zero-knowledge property; the on-camera coin flip would probably be convincing to any person watching the recording later. Thus, although this does not reveal the secret word to Victor, it does make it possible for Victor to convince the world in general that Peggy has that knowledge—counter to Peggy's stated wishes. However, digital cryptography generally "flips coins" by relying on a pseudo-random number generator, which is akin to a coin with a fixed pattern of heads and tails known only to the coin's owner. If Victor's coin behaved this way, then again it would be possible for Victor and Peggy to have faked the experiment, so using a pseudo-random number generator would not reveal Peggy's knowledge to the world in the same way that using a flipped coin would.
Peggy could prove to Victor that she knows the magic word, without revealing it to him, in a single trial. If both Victor and Peggy go together to the mouth of the cave, Victor can watch Peggy go in through A and come out through B. This would prove with certainty that Peggy knows the magic word, without revealing the magic word to Victor. However, such a proof could be observed by a third party, or recorded by Victor and such a proof would be convincing to anybody. In other words, Peggy could not refute such proof by claiming she colluded with Victor, and she is therefore no longer in control of who is aware of her knowledge.

Two balls and the color-blind friend

Imagine Victor is red-green color-blind and Peggy has two balls: one red and one green, but otherwise identical. To Victor, the balls seem completely identical. Victor is skeptical that the balls are actually distinguishable. Peggy wants to prove to Victor that the balls are in fact differently colored, but nothing else. In particular, Peggy does not want to reveal which ball is the red one and which is the green.
Here is the proof system: Peggy gives the two balls to Victor and he puts them behind his back. Next, he takes one of the balls and brings it out from behind his back and displays it. He then places it behind his back again and then chooses to reveal just one of the two balls, picking one of the two at random with equal probability. He will ask Peggy, "Did I switch the ball?" This whole procedure is then repeated as often as necessary.
By looking at the balls' colors, Peggy can, of course, say with certainty whether or not he switched them. On the other hand, if the balls were the same color and hence indistinguishable, Peggy's ability to determine whether a switch occurred would be no better than random guessing. Since the probability that Peggy would have randomly succeeded at identifying each switch/non-switch is 50%, the probability of having randomly succeeded at all switch/non-switches approaches zero.
Over multiple trials, the success rate would statistically converge to 50%, and Peggy could not achieve a performance significantly better than chance. If Peggy and Victor repeat this "proof" multiple times, Victor should become convinced that the balls are indeed differently colored.
The above proof is zero-knowledge because Victor never learns which ball is green and which is red; indeed, he gains no knowledge about how to distinguish the balls.