In this video, we dive deep into the fascinating world of Zero-Knowledge Proofs (ZKPs). From understanding the basic concept through a Sudoku example to exploring the intricate details of SNARKs, we've got you covered!
🔍 What you'll learn:
- Basics of Zero-Knowledge Proofs
- How ZKPs can be applied in real-world scenarios
- An in-depth look at SNARKs (Succinct Non-interactive ARgument of Knowledge)
- The power of polynomial commitments in SNARKs
📚 Resources and Further Reading:
Zero-Knowledge Encyclopedia: www.ingonyama.com/ingopedia/c...
Lookup Protocols: www.ingonyama.com/ingopedia/p...
Modular Arithmetic: • Modular Arithmetic Vis...
Elliptic Curve Cryptography: www.ingonyama.com/ingopedia/e...
🌐 About Ingonyama:
At Ingonyama, we're dedicated to demystifying the world of cryptography. Whether you're just starting out or looking to deepen your understanding, our content is designed to enlighten and educate. Don't forget to subscribe for more insightful videos!
05:00: Spelling mistake "Succinctness"
20:18 : The correct equation is E(Q(s))⊙ E(s - *z*) = E(P(s) - y)⊙ E(1)
👍 If you found this video informative, please give us a thumbs up, share with your friends, and hit that subscribe button for more content!
Shoutout to jerosq on Fiverr for video animation 🔥
#ZeroKnowledgeProofs #SNARKs #Cryptography
This got so complicated... But I have to trust it. The places where I do understand all seem valid. Trust. I'll be returning to this to actually learn something I hope.
So this video is like a probabilistic zero-knowledge proof of the existence of zero knowledge proofs! You’ve walked away convinced of their existence, without gaining any direct knowledge about them
@@colin-alexarobinson3542is it really possible to prove something exists by using this something if we haven’t proved it yet ?
@@colin-alexarobinson3542i feel the same way… i wonder if it was on purpose
@colin-alexarobinson3542 i recognise the memer in u, but the "any" part in "without gaining any direct knowledge" doesnt apply here.
Rumours say that Peggy and Victor had a fight with Alice and Bob last week.
One little mistake I'd like to point out for those who might be confused. It is E(Q(s)) \otimes E(s - *z*) = E(P(s) - y) \otimes E(1) at 20:23. It becomes evident by comparing the unencrypted version of the equations.
i got stuck on that mistake being confused for so long...
love the timing of youtube recommending me this, i just finished 'Proofs, Arguments, and Zero-Knowledge' by Justin Thaler published just this past july and its 300 pages of hefty ZKP stuff. i hope i can pivot from computer science software dev stuff into more applied cryptography stuff because this stuff is just so interesting to implement.
@skeletonboxers7336 A coincidence? or does youtube know that you just finished that book? Spoooky! I also love that i got this video recommended... there are so many cool applications I can think of!
even i m trying to switch from dev stuff towards more cryptography as its just awesome
Superb quality video! Deserves way more views. You have done an amazing job covering in a short video key ideas of a complex subject. The amount of work that went into this video is huge, but the result is worth it.
The sudoku example only works assuming Victor is not interested to know the solution. Because before he shuffles the piles, they contain the solution. I know it's a toy example but I wish it demonstrated how real privacy could be accomplished.
Peggy can watch the piles to assure that Victor shuffles before peeking.
or peggy could have shuffled the piles while victor watched
absolutely, victor also could have deployed 3 camera drones watching peggy at all times so he can find out exactly which cards she put where, such a trivial way he could have found out the solution.
Thank you for this!
The music is very distracting. It is a very interesting concept, and I am sure I would enjoy the video much more if the background music wasn't present, or was barely present.
Wonderful explanation! Very talented.
Great video!
Love the Sudoku solution
More please. I would like a longer video or a series that spends a bit more time on each aspect you showed here because it was a bit much.
great video
Could’ve said “Just trust me bro”
Great video! Please reduce the music volume - it is distracting and makes the voice difficult to understand.
seconding it was immediately confusing. Great video otherwise
I would like to echo this concern. When the background music is too loud, it overshadows the voice of the narrator.
For the sudoku proof, how does Victor know that Peggy isn't messing with those triplet piles between making them and placing them? Maybe she could wrap each pile in a rubber band and shuffle that "triplet deck" of 81.
They make the piles of three together. I had to recheck the same point. 2:43
You could say that the two make the piles together, then place each inside sealed envelopes. Peggy then places those envelopes in their correct places, and when Victor sees the envelopes still sealed, he knows that they have not been altered.
@@mavaction But after the piles of three are made, Victor must look away to let Peggy place the cards down. During that time, Peggy has the opportunity to reshuffle the cards to form a false proof
I think the assumption is that based on the initial conditions (aka the initial numbers and their placement) there is only one solution
@@person8064 P and V are trying cooperate on two objectives... Proving she knows a solution, and not giving V any actual numbers for unknown cells in the sudoku. P and V can agree to keeping each triplet of cards in tact. V can observe this. They could put a rubber band on each three cards and have Peggy treat them as single cards. She is not trying to do sleight of hand.
Im shocked that such a small channel is able to give such a good video on this topic. Loved the video
I don't see the correlation between channel size and video quality.
@@AndreasToth Typically small channels are underfunded and don't release good/well researched content. It is also rare to see a small channel releasing high quality content and be small because good quality content also raising subscriber count.
I am a bit confused by the beginning. What stops Victor from peeking at the face down cards? How are they kept secret in practice?
This is just a toy example. In real problems, cryptography is used to hide the information. Victor would have to break modern cryptography in order to "peek at the cards".
Well he wants to play the sudoku as well so why would he want to cheat?
2 ppl saying bad audio quality for this video ... umh wow to them. only music here was distracting - the voice was loud and clear - maybe not top notch, but not bad.
Why should Victor be satisfied that the set of questions and answers yielded by the Fiat-Shamir transformation are an appropriate and sufficient set of questions? Actually, I'm confused how the Fiat-Shamir transformation lets Victor discern between valid and invalid proofs. Isn't it essentially "With this commitment, you will get this list of questions and answers" - but how does Victor know that the answers are correct?
Thank you all for the feedback and support! 🙏 We're amazed by the number of views and excited to see how many of you are interested in the topic. So, what would you like to see in our next video? We've got some options lined up: 1. History of Zero-Knowledge Proofs (ZKP) 2. Arithmetizations 3. Elliptic Curves & Pairing Functions 4. Lookup Arguments Explained 5. Fully Homomorphic Encryption (FHE) Comment below to let us know 💬
Elliptic Curves and Pairings
FHE
Serious question - are you learning these for the first time while making a video about them? It seems like a common pitfall that leads to tutorial hell on KZhead
No, we have a team of researchers that are professionals on the topic: github.com/ingonyama-zk/papers
Nice video. I'd recommend upgrading your microphone or doing some post processing on the voice audio. the strange echo/airiness to the audio is pretty unpleasant, but overall great video, keep going
Counting the cards, just verification, is like those (parody?) bits that tell you if there is even/odd number of 1's in a data set.
Parity bits 😂 Though parody would be a fun name :)
The ZKP Sudoku solution protocol is really cool, but, I'm not yet convinced that it 100% guarantees that Peggy found a correct solution. It seems that there is a very high likelihood that Peggy found a correct solution given that all the shuffled columns, rows and boxes contain each number from 1 to 9, but is there not the possibility that after shuffling, all the rows, columns and boxes seem correct, yet Peggy gave a bogus solution. Maybe I've not thought about it hard enough, but I don't see why there's not a (really) small chance that Peggy can give an incorrect solution yet after Victor shuffles and checks, the 'solution' appears correct. EDIT: Sorry I seem to have commented too early, at 7.03 you begin to talk about how there is a low probability of accepting a false positive! Nonetheless, my question still remains, is it possible to construct a non-solution which becomes a solution after some random shuffling?
You can be convinced by considering Victor doesn't care about knowing the solution, so the only thing that changes is that he will not mix. Victor can verify now that all rows, columns and boxes are right by judge flipping the tiles directly on the board, and now you're convinced she has a (the) solution. By doing the operation in the video, you DON'T change the content in each row, column and box. So if Victor checks directly on the board, then flips back the tiles, divide them by rows, columns and boxes, mix them and check again, each pile will have the SAME content, just not in the same order. Voilà !
in the sudoku proof victor verifies that all the starting digits are in there correct place (as those cards are flipped over) that every row has all the digits from 1 to 9 exactly once(using the first layer of cards), that every column has every digit from one to 9 exactly once(using the second set of cards), and that every 3*3 block has every digit from 1 to 9 exactly once (using the third set of cards. these are all the restrictions that the game of sudoku places on the player.
One use of this is authentication of nuclear emergency action message codes. The codes are verified in a manner very similar to the one shown. Nobody knows exactly the content means but the syntaxes used for a valid code are known. This allows for exclusion of false codes.
in the video it's stated that we can claim pegi knows the solution because she sent to the verifier E(p(s)), E(q(s)), y, z and we can check that the following equation holds: E(q(s)) E(s - y) = E(p(s) - y) E(1) we can even rewrite it as: E(q(s)) (E(s) - E(y)) = (E(p(s)) - E(y)) E(1) and given that E(s) is known as the second element of the vector [ E(1) , E(s), E(s²), E(s³), … ] we can actually verify the solution it is not explained at all why is that incorrect solutions do not match since this equation was not derived in any way from the correct solution. we assume a vector of "right" coefficient exists for the polynomial p(x) to be the exact solution. BUT it's not apparent how our way of checking if pegi knows the solution or not actually take into a count the solution itself.
I thought your whole explanation was just going to be: trust me it's possible haha
I don’t understand it but it’s very important
hahahaha
How does this translate to the example use cases of proving citizenship of a country, or that I have enough money for a transaction? Do I need a trusted third party like the government or a bank to create this proof for me or can I create it on my own? The amount of money in my bank account isn't exactly a problem and any value might be valid. It would be pretty easy for me to lie if the proof just relied on data that I can make up. I guess a bank could provide me with an encrypted check number tied to my account and current balance which I could then use to create a proof on my own?
You create(utilize) the proof by feeding it into an application that actually does the hard work.
@@yz9551 Of course. If I had to do all this complicated math by hand each time I want to buy something I'd stop buying things 😂. My question is: What is the problem that I provide "proof of knowledge" for? The end goal is not to prove I have solved a problem, but to prove I have enough money. So I suppose I need to wrap the information of how much money I have into a problem that I can't solve unless I have enough money.
In the current system, you're correct that a trusted party, such as a government, is typically required to vouch for claims like citizenship or financial status. These trusted entities hold your data securely in a centralized database. When you need to prove something like your identity or that you have enough money for a transaction, you would request the necessary proof from this centralized database. Once you have this proof, you can present it to the party requesting the information, such as insurance companies, banks, or voting systems. The requesting party would then verify the proof by cross-referencing it with the centralized database. Importantly, this process allows you to maintain a level of privacy, as no other information is revealed to the requesting party beyond what is needed for the specific verification. So, while you do gain some privacy in front of the party asking for the information, the system still relies on having a trusted third party to hold and verify your data. Check out some teams that operate in this space: - Outdid (www.outdid.io/) - Sealance (www.sealance.io/) - Trudenty (trudenty.com/) - Worldcoin (worldcoin.org/) Additionally, it's worth noting that blockchain technology offers an alternative to this traditional centralized model, potentially adding an extra layer of privacy and security by using a decentralized, transparent, and immutable ledger.
Say, you are Peggy, the designer of a system with intelligent Victors inside. Can you prove them that their whole system was created from the outside and is merely a subset of everything without making it obvious to them by causing events inconsistent with the rules you created for the whole system to follow (internal miracle)?
Okay, you don't want me to know any details of any of your proofs, but want me to know you have proved them. Great, you can prove it with a zero knowledge proof. Now, how do knowledge proofs work, again?
really good video! though I lost it when the polynomials kicked in, I'll make sure to come back and rewatch it
I need to prove that I'm innocent, but there might be an evil guesser...
Man this video is so good but the sound quality of the voice recording.....
That escalated quickly lol Thanks for the explanation, but how do we build upon this?
There are many implementations and potential use-cases to ZKPs To learn more about ZKPs, check out our knowledge repository Ingopedia: www.ingonyama.com/ingopedia
There is a much simpler way of doing this - if you know the sudoku solution then hash it and ask someone else to hash their solution and see if the hashes match.
That would require for the other person to have the solution, it would not be very useful. And also it is not really zero knowledge, the other party could (with a lot of time) check all the possible entries to the hash ang get the solution that way
one of the properties of zero knowledge proofs is that they can be checked by someone who does not have the information you are proving. If the proof you were going for was 'I have enough money in my bank to pay for this' then you could not get someone else to independently verify without giving up your banking details
the sudoku analogy was almost really good
For the sudoku, shuffling randomly is impossible, so doesn't victor always have a way to "undo" the shuffle thus finding out the solution?
victor doesn't want to know the solution, so he either doesn't keep track of how he shuffled it to undo it later, or asks a third party to shuffle each set while he closes his eyes to not know their shuffling before checking that set for sudoku rule compliance
@@Hunterdog Thanks for the reply.
How can we talk about 0 knowledge proofs without mentioning Fermat, trust me bro, i just need lil bit more paper margin.
😂
i'm not convinced ... you can easily argue that a giraffe is really just a horse with a long neck but i'm not convinced ... because zero knowledge can't transmit knowledge
zkintro.com/articles/friendly-introduction-to-zero-knowledge
0 knowledge proof means that you can sometimes check whether a solution is correct without actually knowing the solution. some properties of it can be enough and to not get the actual solution, it can be encrypted by someone. in the sudoku example, V managed to test P's solution without knowing what the solution actually is. he just knew that if and only if what P gave to him was a solution, then there had to be 3 properties(the rules of sudoku). P then suffles the card (which encodes information) but doesn't change whether the properties are satisfied or not. This convinces T that P does indeed know of a solution but that encoding step makes it impossible for him to know what it is exactly. so 0 knowledge proofs doesn't transmit the solution itself but it does transmit the fact that a solution has been found. This is obviously extremely useful for a lot of reasons in real life situations.
The music is not helping. Please avoid adding music to these videos
His first example fails. Peggy touches the stacks of cards during the setup. No, not allowed. Then Victor touches the cards before they are shuffled. No, not allowed. An infallible and honest intermediary is required for these tasks, however the idea that a computer is an "honest intermediary" cannot be proven since computers are hacked or infected constantly and no software can be proven to be bug-free.
the sets of 3 cards are placed in tamper evident envelopes and have enough security detailing (provided by victor and verified by Peggy to ensure that all cards of a particular number are the same) to make replacement impossible. Peggy lays out the unopened envelopes in the pattern then invites victor back into the room. She opens the envelopes corresponding to the starting numbers and he verifies they are in the right place. she then does the row column 3*3 block thing with victor watching and shuffles the cards (this part requires victor not to see but a small scannable chip on every card would make it easy to detect if Peggy had a card concealed somewhere to substitute in). It is also important to note that the point of the example at the start was to give an example of how the proof is structured and so it does not have to be completely watertight to do its intended function.
wouldn't it be better said, as, obfuscated conditional proofs, rather than zero knowledge, as you are giving some understanding away but not enough to discern the information your trying to obfuscate.
In the example, If Victor has access to the data to split up and shuffle he can just turn over the data and directly check. There is no reason to split and shuffle. So there has to be some intermediate steps to make sure one can carry out this process without victor actually getting the original solution in the first place. This was not mentioned so the example is misleading. It would also seem that Victor could ask enough questions to reserve engineer the solution, at least in the soduku problems.
The video starts with a simplified example and complicated it as it goes on. The initial premise is that Victor doesn't *want* to be spoiled, but you could also say that Alice is present and preventing Victor from doing so, just like Victor was present when the piles of cards were created. With regards to the questions asked, note that they are not arbitrary questions, they are questions of the form "does this row/column/box follow the rules of a valid solution?" -- aka "does this row/column/box contain a set of numbers from 1 to 9". They get no new information if the answer is yes, because a valid solution already has to follow that constraint. If the answer is no, then they know the solution/proof is incorrect, and might be able to glean information on where exactly the solution is incorrect, but that's fine, I guess.
kitlith is right about the initial premise but here are ways to patch the security holes (for example a pre programmed robot with a shuffling function that includes some randomness with both source code and physical structure checked by both parties could do the handling of the cards.
sum all numbers together, thats your proof although insecure. *I didnt see the solution yet*
Peggy could just wait until Victor has completed the puzzle; it's called delayed gratification.. I don't like Peggy.
This is just a toy problem. There are plenty of situations where Victor isn't supposed to know the answer. Like in the example of verifying citizenship without giving up anonymity. Waiting for Victor to solve the problem would be saying, "Yes I'm totally a citizen. Instead of providing proof I'll just sit here and wait while you try to track down who I am via digital surveillance."
ha ha of course@@PopeGoliath , I was just being an a$$
But you can quite easily construct a fake proof for the sudoku with what you described if you can put non-matching numbers in the same place. Proving that numbers match would require knowledge either inspecting and watching it be placed, or inspecting certain tiles. It is only valid because you can check the other numbers under the known numbers. But that wasn’t made explicit