[ruuda]

A toy example: suppose we have some sudoku. You want to show publicly (maybe in a HN comment) that you know the solution, without revealing the solution itself, because then anybody would know it and be able to post that they know it. A zero-knowledge proof enables this. You could also post a hash of the solution, but then you need to know the solution already to verify a submission. (It would also enable others to copy your answers without really knowing the solution, though that can be fixed using a technique that zero-knowledge proofs also use, a blinding factor).

More useful cases include decoupling payment information from users, to preserve their privacy. You can prove that somebody paid for the action you want to perform, without identifying the payer. For example to offer cloud storage without knowing which data belongs to which user, so when there is a data breach or law enforcement order, the answer to "tell me everything you know about user X" is their payment history, but not which data is theirs.

[sshine]

One place I wish there was zero knowledge proofs involved, or even any kind of cryptography, is when you perform credit assessment for loans outside your bank: an external loan provide peeks at your full bank account history to assess whether you’re eligible. They don’t need to know where I buy my socks, or even how much money I have. Only that I have a big enough deposit and a steady enough cashflow.

[foota]

This isnt a cryptographic problem really. The loan checker is already trusting your bank to give them the correct information, it's only a matter of anonymization (e.g., they could return merchant types instead of merchant names etc.,.) but theres no real incentive for this.

[sshine]

> theres no real incentive for this

Correct.

People who need the privacy can set up isolated bank accounts and legal entities.

Less cryptography, your accountant will even understand.

[edf13]

Where you spend can have an impact on a decision… e.g. you may have the income and savings but if you’re regularly spending on gambling that can be a red flag.

[hbbio]

You can prove that too with zk!

[rrr_oh_man]

How could this look like?

[sshine]

If the loan assessment criteria are objective, they can be quantified.

The basic concept here is: ZKP lets you prove arbitrary statements.

Instead of:

  Here is entire bank history, you decide.

You can say:

  Had a fixed income above $X for 12 months.
  Had a surplus of $X after fixed expenses in the last 3 months.
  Did not buy anything irregular above $1000 in the last 3 months.

"Did not gamble" is a moral judgement. Who knows, maybe I'm buying gum at the local casino, is that gambling? Maybe I'm tossing a coin every night after work as to whether I should drive in the opposite lane, is that not gambling? You can only objectively measure financially risky behavior in statistical terms.

Think of a ZK proof as a program that can take both public and private knowledge as input, and produce public and private knowledge as output.

This is what seems magical to me: A program with secret input. You can't run the program to verify that my execution of the program is correct, but you can verify a proof that I ran the program with input you didn't have.

The way private knowledge works is through cryptographic commitments.

For example, the bank may start by giving you a signed, structured document with your transactions.

You can then feed their signature and the document to your program, and produce any derivation.

[hbbio]

You can use the MCCs of each tx, then generating a zk-proof that shows none of the MCCs in your account match restricted categories.

This requires cooperation from the "bank", ideally providing Merkle trees to make sure no tx is missing in the proof like it would be for a blockchain-based solution.

[baby]

this is the example often cited as usecase for zkTLS protocols, which are protocols that use additional trust assumptions to notarize a connection you have with a TLS protected host, and then you can prove the notarization (i.e. a signature over the TLS transcript) in ZK as well as any parsing over request/response data.

[Yizahi]

So if we imagine a very rudimentary social hierarchy with a government on top, then thousands of corporations below, and then millions of people below corporations, this feature protects people in a case when government is malicious, but every single corporation is benevolent. Now if the government is not malicious, but corporations are, even part of them, it will allow them to basically take any payment and refuse service or do any other variants of abuse, costing time or money (think how it is bad today, and make it worse). And there is nothing to be done with it, because payment chain information is broken. Which is very useful for criminals who would want to run some business unaccountable and outside of the law system, and not very "useful" for the regular people.

[worldsayshi]

Should be very useful for e-ID authentication in the age of AI? Prove that you're a human with an electronic id without telling the asker who you are.

[roshankhan28]

can this also be used in a session replay software? as in if someone from other team is trying to debug an app issue while watching a replay of the issue capture via DOM but is stuck because some PII data is not visible then can we implement this from user end ? like an OTP to access the PII but only on users consent?