零知识证明，编码数独和马里奥速通，且无语义泄漏

零知识证明，编码数独和马里奥速通，且无语义泄漏
Zero-knowledge proofs, encoding Sudoku and Mario speedruns without semantic leak

原始链接: https://vasekrozhon.wordpress.com/2025/03/17/zero-knowledge-proofs/

我们最近发布了一个关于零知识证明的视频，重点是图着色问题。虽然概念看起来很简单，但其背后的机制却很复杂。视频试图在深度和广度之间取得平衡。为了更深入的理解，建议参考Oded Goldreich的密码学著作。视频中省略了一些主题，包括：将可满足性问题规约到着色问题，解释如何将任何算法转换成电路，以及随后转换成图着色问题。“三角形组件”用于强制每个顶点的颜色与其他顶点不同，“变量组件”用于将真/假值转换成节点上的颜色，“子句组件”用于允许除所有子句都为假的情况以外的所有组合。此外，视频中也省略了无需可信权威即可进行投票和货币交换的讨论，这依赖于Goldreich-Micali-Wigderson定理，该定理证明了以分布式方式模拟任何算法的能力，这对加密货币至关重要。最后，文章解释了如何使用“信标”或实际上是用于生成伪随机位的密码散列函数，将交互式零知识证明转换为非交互式证明。所有最新的主题都汇集在一起了！

Hacker News 最新 | 往期 | 评论 | 提问 | 展示 | 招聘 | 提交登录零知识证明、编码数独和马里奥速通游戏，且无语义泄露 (vasekrozhon.wordpress.com) 8 分，来自 pixelpoet，1 小时前 | 隐藏 | 往期 | 收藏 | 1 评论 pixelpoet 1 小时前 [–] 其 YouTube 视频的补充材料：https://www.youtube.com/watch?v=Otvcbw6k4eo 回复加入我们 6 月 16-17 日在旧金山举办的 AI 初创企业学校！指南 | 常见问题 | 列表 | API | 安全 | 法律 | 申请 YC | 联系我们搜索：

编程零知识证明：从零到英雄 2024-09-03

（评论） 2024-01-16

（评论） 2024-09-03

（评论） 2025-02-25

（评论） 2024-08-01

原文

We published our video on zero-knowledge proofs!

Surprisingly, making this video took a lot of work. Zero-knowledge proofs for coloring are one of those algorithms that, in hindsight, seem beautifully simple and clean. But that’s just an illusion—there’s actually a lot going on behind the scenes. We struggled with deciding how in-depth to go and which applications to discuss. In the end, the video covers a bit of everything, and I hope different viewers will find something that sparks their curiosity. If that’s the case, you should definitely check out some slower, more in-depth sources; zero-knowledge proofs are realistically too difficult to understand them from 20 minutes of a video. For example, the following book on cryptography is a classic: https://www.wisdom.weizmann.ac.il/~oded/foc.html

Here’s a list of topics that did not make it in the video.

1. How to reduce satisfiability to coloring?

We pointed out that almost everything can be reduced to 3-coloring. This is closely connected to our video on NP-completeness—many problems can be formulated as “here is a (polynomial-time) algorithm checking solutions: can you find an input that is accepted by it?” Such an algorithm can be represented as a circuit, and each circuit can be thought of as a collection of constraints on Boolean variables—that is, the satisfiability problem.

Here’s how you can convert a concrete satisfiability problem into graph coloring with three colors. The image below shows a satisfiability problem asking us to set binary variables to some values so that the formula is satisfied. We assume that each constraint in the problem is a disjunction of a few variables or their negations; any satisfiability problem can be converted into this form. ¹ Below the formula is an equivalent graph 3-coloring problem.

And here’s the explanation for the picture:

Explanation of the parts of the graph:

Each part—usually called a gadget—plays a specific role in translating the satisfiability problem into a coloring problem.

Triangle Gadget:

There’s a triangle where each vertex must be colored with one of three colors. In the second picture, I already colored the nodes of the triangle with red, blue, and green. This makes it simpler to talk about the coloring; instead of saying “This node has to have the same color as the top node in the triangle,” we can say “This node has to be green.”

Variable Gadget:

We represent each variable with an edge between two nodes. All these nodes are connected to the green node, which means that in any valid solution, the edge is either colored red-blue or blue-red. This represents whether the variable is true or false.

Clause Gadget:

For a clause like $x_1$ OR $x_2$ OR $x_3$ , we think of it as “the only forbidden combination is $x_1 = \text{FALSE},\; x_2 = \text{FALSE},\; x_3 = \text{FALSE}$ .” Our task is to construct a gadget that eliminates this one forbidden combination while allowing all others. Here’s how: if both $x_1$ and $x_2$ are false (represented as the edge being colored red-blue), the node labeled $x_1$ OR $x_2$ must be blue. Similarly, the node labeled $x_1$ OR $x_2$ OR $x_3$ must be blue. You can verify that any other combination is acceptable.

2. My Favorite Theorem

At the end of the video, we mentioned that zero-knowledge proofs address the question “what can be done without a trusted authority?” By “trusted authority,” we mean someone that everybody trusts to be honest and keep their secrets safe—like a bank, a state, or a software company. Zero-knowledge proofs show that we can achieve certain tasks without any trusted authority.

But zero-knowledge proofs are only about tasks of the type “convince others I can do something”. We can be much more ambitious! For example:

How can we vote without a trusted authority?
In state elections, we trust the state to count votes honestly while maintaining privacy. But here’s a long-shot hope: Could there be a distributed system that does the same without relying on any trusted authority?
How can we keep and exchange money without a bank?
In financial transactions, we trust banks to handle our money honestly while preserving privacy. Again, could a distributed system achieve the same without relying on a bank?

As it turns out, for both questions—and all similar ones—the answer is yes, at least in theory. In the second case, the implementation is, (in)famously, the cryptocurrencies. There are also blockchain protocols that attempt to implement secure private voting.

The fact that all this is possible is supported by one of my favorite theorems from theoretical computer science, proven a few years after the introduction of zero-knowledge proofs. The paper is called How to play ANY mental game, it’s by Goldreich (wrote the book I linked at the beginning), Micali (I had an office pretty close to his when I was at MIT, but sadly never met him there), and Wigderson (Received Turing award recently, his work on cryptography such as this paper was cited as one of the reasons).

Their theorem uses the setup of the Byzantine generals problem (which we covered in an earlier video). In this problem, a group of generals wants to coordinate—in our basic case, each general started with 1 bit of information and they wanted to agree on a common bit. However, the theorem’s setup is more general—each general starts with some information $x_i$ , and together they want to simulate an algorithm $A$ that takes inputs $x_1, x_2, \ldots, x_n$ and outputs some result $y$ . For example, if $A$ is a vote-counting algorithm, each $x_i$ represents who the general numbered $i$ votes for, and $y$ is the elected candidate. We want a distributed simulation of the algorithm $A$ such that:

For example, if there were a trusted authority—say, a universally trusted queen— among the generals, we could have each general send $x_i$ to her, have her simulate $A$ , and then announce $y$ . But the theorem by Goldreich, Micali, Wigderson says that the same can be done without any trusted authority, and for any algorithm $A$ .

It is perhaps not surprising that zero-knowledge proofs are a crucial component of the proof. The rough idea is to split the simulation of $A$ among the generals so that each one performs a computation on data that is meaningless without the context of what the others are doing. For example, a general might be asked to “receive two numbers from generals 8 and 42, sum them, and send the result to general 4.” Using commitment schemes and zero-knowledge proofs, the general can convince others that he performed this computation correctly without revealing the actual numbers. This way, we can keep all the generals to be coordinated in their simulation of $A$ , while each is only doing small piece of the overall computation and can’t really say what’s going on globally.

In practice, implementing cryptocurrencies by simply following this theorem would be incredibly inefficient. Nonetheless, the theorem is a powerful theoretical result demonstrating that many tasks can be accomplished without a trusted authority. Moreover, zero-knowledge proofs are used in blockchain practice. For instance, you could use them to implement private transactions. — on typical blockchains, all transactions are public, but with zero-knowledge proofs, you can prove you have enough funds for a transaction without revealing your balance. There are also methods to use zero-knowledge proofs to speed up blockchains by verifying certain requirements off-chain (as far as I can say people are actually more excited by this second application).

Noninteractive Proofs

Our zero-knowledge proof was interactive—a back-and-forth conversation between the prover and the verifier. This approach is not ideal in practice; for example, what if you want to prove the same fact to many people? It would be better if the prover could simply publish a document that everyone can verify. This is called a noninteractive proof, and it is how we typically think of proofs.

One fact that I believe isn’t as well-known as it should be is that the interactivity of our protocol isn’t inherent and can be removed rather easily. Here’s how:

First, imagine there is what’s sometimes called a beacon—a public source of randomness that everyone can observe. For example, you might imagine that a distant star emits light that we measure here on Earth, and we all agree on how to convert the tiny fluctuations in the strength of the signal into a stream of random bits.

In that case, we can “implement” a verifier as follows: we choose random bits emitted by the beacon at some time $t$ and use these bits to simulate the random challenges issued by the verifier. In the end, our proof is a transcript of the conversation between the prover and the verifier, along with the time $t$ . Any verifier can check that the transcript is valid and that the verifier used the random bits from the beacon at time $t$ .

And that’s it—a noninteractive proof. There are some subtle issues, such as the possibility of us trying to cheat by using some specific time $t$ for which the stream of random bits has some helpful property. However, the probability of successfully cheating in our protocol for a specific time $t$ is extremely low, and we can make it so low that even when considering all possible $t$ , the overall chance of us cheating remains negligible.

In practice, you don’t even need a beacon. Instead, if the protocol has $n$ rounds, you first commit to your graph $n$ times and record all the commits to form a string $s$ . Then, you pass $s$ through a cryptographic hash function to produce a “random” string $r$ , which you use to simulate the verifier. Although the bits in $r$ aren’t truly random, they are unpredictable because cryptographic hash functions are one-way, so this is pretty much equivalent to using the truly random beacon. The right terminology for the bits in the string $r$ is that they are pseudorandom—yet another topic in one of our recent videos. While working on this video, I really felt that all the topics we covered recently are coming together. 🙂