by scrollaway 2904 days ago
What am I missing about the Ali Baba cave proof? Why does Victor ever need to hide which entrance she takes at first? (In fact this is brought up in the last paragraph with no reason as to why it's not the entire proof).

Does Victor knowing the initial path make it non-zero-knowledge? Because if so, the example feels super contrived. I agree your Waldo example is much better.


One quirk about ZKPs is that they must be convincing only to the verifier[1]. If you know which entrance they used, it’s convincing to everyone, not just the verifier.[2]

If you don’t know which entrance they used, then anyone besides the verifier can remain a Doubting Thomas: “okay, cool, your verifier came out B, then B, then A. So? You could just as well have conspired with them to start out at B, then B, then A!”[3]

I elaborated on an earlier HN discussion: https://news.ycombinator.com/item?id=15323790

[1] The verifier, for purposes of this point, is anyone who contributed to the generation of the random bits that decided which random challenge to present.

[2] In some cases, you do want it to be convincing to everyone, but that’s not the “standard” kind of ZKP.

[3] In the jargon, a valid transcript for a ZKP must be efficiently simulable by someone who lacks the relevant knowledge.
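Footnote [3] and the hidden-entrance question, as an added example that is not part of the thread (the function names and the round record of entered, challenge and exited sides are assumptions of this sketch): a simulator with no password forges a verifying transcript by re-shooting failed rounds, and the forgery is only distinguishable from a real run once the entrance is recorded.

```python
import random

SIDES = "AB"

def real_round(rng):
    """Prover who knows the password: enters a random side, exits wherever asked."""
    entered = rng.choice(SIDES)
    challenge = rng.choice(SIDES)
    return entered, challenge, challenge          # (entered, challenge, exited)

def simulated_round(rng):
    """No password: she can only exit where she entered, so failed takes are re-shot."""
    attempts = 0
    while True:
        attempts += 1
        entered = rng.choice(SIDES)               # simulator's guess at the challenge
        challenge = rng.choice(SIDES)
        if entered == challenge:                  # guess was right: keep this take
            return (entered, challenge, entered), attempts

def transcript(rounds, rng, simulate=False, entrance_visible=False):
    """Return (what an onlooker sees, total takes that had to be filmed)."""
    view, takes = [], 0
    for _ in range(rounds):
        if simulate:
            (entered, challenge, exited), n = simulated_round(rng)
        else:
            (entered, challenge, exited), n = real_round(rng), 1
        takes += n
        view.append((entered, challenge, exited) if entrance_visible else (challenge, exited))
    return view, takes

def verifies(view):
    """Every round must end with the prover exiting on the challenged side."""
    return all(row[-1] == row[-2] for row in view)

def crossed_cave(view):
    """Needs visible entrances: did any round require passing the locked door?"""
    return any(entered != exited for entered, _, exited in view)

if __name__ == "__main__":
    rng = random.Random(1)                        # constructed, seeded sample run
    fake, takes = transcript(20, rng, simulate=True)
    print("forged transcript verifies:", verifies(fake), "after", takes, "takes")
    real, _ = transcript(20, rng, entrance_visible=True)
    fake, _ = transcript(20, rng, simulate=True, entrance_visible=True)
    print("real crossed:", crossed_cave(real), "| forged crossed:", crossed_cave(fake))
```

With the entrance hidden, both transcripts are just uniformly random challenges each matched by the exit side, so an onlooker cannot tell a real run from a forged one; with it visible, only the real prover ever exits on the side she did not enter.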

>One quirk about ZKPs is that they must be convincing only to the verifier[1].

I think the parent's question is about what the "zero-knowledge" actually refers to. (scrollaway asked, "Does Victor knowing the initial path make it non-zero-knowledge?") The Wikipedia writing in 2 different places makes it confusing.

For Peggy's secret password X, the "zero knowledge" might mean:

(1) Victor has zero knowledge of what _X_ actually is even after Peggy proves she knows it: the first Wiki paragraph seems to emphasize this with "(the prover Peggy) can prove to another party (the verifier Victor) that she knows a value x, without conveying any information apart from the fact that she knows the value x."

(2) outside world (other than Victor) has zero knowledge that _Peggy_ knows what X is: the later Wiki paragraph is "Further notice that if Victor chooses his A's and B's by flipping a coin on-camera, this protocol loses its zero-knowledge property; the on-camera coin flip would probably be convincing to any person watching the recording later. Thus, although this does not reveal the secret word to Victor, it does make it possible for Victor to convince the world in general that Peggy has that knowledge—counter to Peggy's stated wishes."

Is the "zero knowledge" referring to keeping _X_ a secret, or is it keeping the fact that _Peggy_knows_X_ a secret, or are both secrets together required? The Wikipedia article isn't clear on that so the article probably needs some revision to be more explicit.

(For some, an example of a ZKP would be email address verification for new user accounts: Vimeo(verifier) sends an email with a generated numeric code and Peggy(prover) has to enter that number in the webform to activate the account. This proves that Peggy "knows the secret password of that email account" but Vimeo still has "zero knowledge" of her email password. For this particular example, it doesn't matter that the whole world knows that Peggy knows the password to her peggy@gmail.com so condition (2) is not a strong requirement.)

The definition of ZKP is (1), but that implies (2), as explained in this paragraph from the Wikipedia article:

>For zero-knowledge proofs of knowledge, the protocol must necessarily require interactive input from the verifier, usually in the form of a challenge or challenges such that the responses from the prover will convince the verifier if and only if the statement is true (i.e., if the prover does have the claimed knowledge). This is clearly the case, since otherwise the verifier could record the execution of the protocol and replay it to someone else: if this were accepted by the new party as proof that the replaying party knows the secret information, then the new party's acceptance is either justified—the replayer does know the secret information—which means that the protocol leaks knowledge and is not zero-knowledge, or it is spurious—i.e. leads to a party accepting someone's proof of knowledge who does not actually possess it.

That is, if the proof were convincing to the entire world, then non-possessors of the knowledge could just replay the proof without having the knowledge.

Email is a plaintext protocol, so having a number in an email really just means that you saw the email, not that you know Peggy's password.

Right. It's not irrefutable proof beyond all standards of doubt but it's "enough proof" to Vimeo/verifier that Peggy controls that email account. Whatever arbitrary threshold of proof it is, it's in the eye of the beholder (the verifier). It's up to Vimeo to arbitrarily decide that getting a matching number is "verifying" Peggy's email account.

Instead of the "proof" aspect, the email example is highlighting what the "zero knowledge" refers to. Whether Peggy's account is compromised or wiretapped by man-in-the-middle attacks, Vimeo/verifier still has zero knowledge of her email account's password.

If Peggy has to use the password since receiving the email, Vimeo could put bounds on the password length, at least.