| >One quirk about ZKPs is that they must be convincing only to the verifier[1]. I think the parent's question is about what the "zero-knowledge" actually refers to. (scrollaway asked, "Does Victor knowing the initial path make it non-zero-knowledge?") The Wikipedia writing in 2 different places makes it confusing. For Peggy's secret password X, the "zero knowledge" might mean: (1) Victor has zero knowledge of what _X_ actually is even after Peggy proves she knows it: the first Wiki paragraph seems to emphasize this with "(the prover Peggy) can prove to another party (the verifier Victor) that she knows a value x, without conveying any information apart from the fact that she knows the value x." (2) outside world (other than Victor) has zero knowledge that _Peggy_ knows what X is: the later Wiki paragraph is "Further notice that if Victor chooses his A's and B's by flipping a coin on-camera, this protocol loses its zero-knowledge property; the on-camera coin flip would probably be convincing to any person watching the recording later. Thus, although this does not reveal the secret word to Victor, it does make it possible for Victor to convince the world in general that Peggy has that knowledge—counter to Peggy's stated wishes." Is the "zero knowledge" referring to keeping _X_ a secret , or is it keeping the fact that _Peggy_knows_X_ a secret, or are both secrets together required? The wikipedia article isn't clear on that so the article probably needs some revision to be more explicit. (For some, an example of a ZKP would be email address verification for new user accounts: Vimeo(verifier) sends an email with a generated numeric code and Peggy(prover) has to enter that number in the webform to activate the account. This proves that Peggy "knows the secret password of that email account" but Vimeo still has "zero knowledge" of her email password. For this particular example, it doesn't matter that that the whole world knows that Peggy knows the password to her peggy@gmail.com so condition (2) is not a strong requirement.) |
>For zero-knowledge proofs of knowledge, the protocol must necessarily require interactive input from the verifier, usually in the form of a challenge or challenges such that the responses from the prover will convince the verifier if and only if the statement is true (i.e., if the prover does have the claimed knowledge). This is clearly the case, since otherwise the verifier could record the execution of the protocol and replay it to someone else: if this were accepted by the new party as proof that the replaying party knows the secret information, then the new party's acceptance is either justified—the replayer does know the secret information—which means that the protocol leaks knowledge and is not zero-knowledge, or it is spurious—i.e. leads to a party accepting someone's proof of knowledge who does not actually possess it.
That is, if the proof were convincing to the entire world, then non-possessors of the knowledge could just replay they proof without having the knowledge.