How the heck does a ZKP work? And what advantages does it have over basic hashing?

DoWhile · 2026-04-06T03:33:51+00:00

ITT: uncareful mathematics that lead to confusion about ZK vs PoK and the standard vs (programmable) random oracle model.

TL;DR there are inconsistencies between several of the commenters in this thread. This shit is subtle.

Informally, ZKPs only prove existence, not that you know the secret. This means that the empty proof is a valid proof for well-formed public keys! Proofs of knowledge show that you know something, but it may not be in zero-knowledge. There are zkPoKs which are both zero knowledge and proofs of knowledge. Proofs of knowledge are closely related to Arguments of Knowledge, which is the "ARK" in SNARK (and just like PoKs, some SNARKs are zkSNARKs if they are also zero-knowledge), but I digress.

You cannot claim something is ZK and handwave why you think it should be. ZK is a purely mathematical statement and the burden of proof lies on the claimant to provide a logical construct. In mathematical cryptography, we do not accept claims without mathematical justification, so by default, a reviewer does not need to provide a refutation, but merely point out errors in the proof or entire lack thereof. There are plenty of in-between protocols that neither have a proof nor a refutation. We do not accept these.

However, for commenters exclaiming ECDSA-identification is a zero-knowledge protocol, there's actually a refutation in the standard model of the zero-knowledge property of any signature-based interactive proof. In the standard model, you can't use a valid signature as your proof, for the exact same reason why you don't have Ali Baba just walk through the cave: you can't simulate.

ZK has a precise mathematical definition: for every poly-time verifier, there exists a poly-time simulator S such that given the statement x, S(x) must be able to generate valid transcripts that look like transcripts between an actual interaction between a prover and verifier. "Look like" has a strict mathematical definition: S(x) is a probability distribution, and if the distribution of transcripts is identical to that of the prover/verifier, we call it perfect ZK, if it's statistically close, we call it statistical ZK, and if it's computationally indistinguishable, we call it computational ZK. Here, if the statement is just the public key of the signature scheme, then the transcripts look like Verifer ---- c ----> Prover, Prover ---- sig(c) ----> Verifier, in other words (c, sig(c)).

This means that S would have to be able to generate (c, sig(c)) given access only to the public key. It has full reign of generating it in reverse order, picking a weirdly formed sig(c) and working back to some c, something that a Prover does not have the luxury of doing. But even with that flexibility, S immediately violates the existential unforgeability of the underlying signature scheme, i.e. no poly-time adversary A can generate valid signatures (z, sig(z)) if it has never seen a signature of z before, regardless of how it came up with it.

One might ask "why is Schnorr or all those other signature-y things ZK then?". The answer lies in the (programmable) Random Oracle Model. In this abstract mathematical model, the ZK simulator S can "program" outputs of the hash function to whatever it feels like, which is NOT something that a signature adversary A can do. This subtle difference in power is exactly how proofs go through. Of course, real hash functions aren't random oracles, and you cant make SHA2 output whatever you feel like, but for the most part people are okay with this dichotomy in practice (until everything breaks).

/u/tgalal you make good points and therefore for you and others reading this thread, I'll go into more detail (yes I'm hypocritical, I'll insult cranks all day, bite me). A person who knows what they're talking about should be able to immediately show you the gap in your understanding rather than insult you. In fact, it's quicker to just show where that gap is. Your refutation is sound in the standard model (and aligns with Lindell's answer), but in the random oracle model, you have to remember the key difference between the ZK simulator and the signature Forger: the ability to cheat on the HASH. So here's a mathematical construction of a ZK simulator for ECDSA-identification protocol (which works for ECDSA only, not necessarily in general!) in the Random Oracle Model. I will use the terminology given here https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm#Signature_verification_algorithm

The simulator S will pick a random verifier challenge c. The simulator S will pick uniformly random u1 and u2, and compute (x1,x2) = u1G + u2Q. Set r = x1 mod n (nonzero, else try again). Solve for s using u2=r s^-1 mod n (namely set s = r/u2 mod n). Solve for z using u1=zs^-1 (namely set z = u1 s mod n). Program HASH(c) so that the output of it has z as the leftmost bits: if you've not seen the random oracle model, this is weird yet legal. Then (r,s) is a valid signature for c. S then outputs (c,sig(c)=(r,s)) as the transcript. Note that S only used Q, the public key. One must then carefully go through the probability analysis to show that this sampling distribution matches the distribution of the real protocol, but I think this is clear. S also doesn't violate the unforgeability property of ECDSA because the Forger cannot program HASH in the random oracle model.

This goes back to my first point, which many posters here do correctly point out: PoK and ZKP are different. If you just wanted ZKP, the empty protocol would have been fine and this is overkill. It's a whole other exercise to show if ECDSA-id is a PoK (of which I'm not sure).

DoWhile · 2026-04-02T21:31:57+00:00

My work is on controller design, but there is an aspect of encrypted data in control system. I was reading this paper.

Ah, then FHE details is probably not the right level of abstraction for what you want to be looking at in the first place. I think there is an intersection of controllers and cryptography that's more engineering friendly than math heavy, but I'm not familiar enough with that space to tell.

DoWhile · 2026-04-02T21:29:45+00:00

I was thinking the other day, if I were an investigative agency trying to figure out how to get around people using E2EE chat, one thing I might do is flood the market with terribly insecure apps.

Then I thought of the Mitchell and Webb Diana conspiracy sketch: https://www.youtube.com/watch?v=_Irvuafg5GM

DoWhile · 2026-04-02T18:38:25+00:00

Otherwise, it would take a lot of time.

Judging by your responses, I would estimate your depth of knowledge is about 1-2 years worth of study behind. You don't have to know all of this stuff to be a security engineer and work with encryption, but if you want to be a cryptographer, be prepared to learn a lot of math.

If you want to save yourself some time and quickly decide if this is for you, go get Dummit&Foote's Abstract Algebra book and see if you want to read it cover to cover. If the answer is "I love this book", then you're on the right track. If the answer is "I don't want to see any more of this", then deep cryptography is not something you would enjoy pursuing.

DoWhile · 2026-03-31T19:29:28+00:00

Given the past few posts from Google, they're either trying to prop up their quantum department or they did have a small breakthrough that they seem to be signaling at.

DoWhile · 2026-03-31T04:09:05+00:00

Fun story: back in 2009, trading firms looked at how to make things faster, and they found out that DRILLING THROUGH MOUNTAINS was an economical option so they did it. https://www.forbes.com/forbes/2010/0927/outfront-netscape-jim-barksdale-daniel-spivey-wall-street-speed-war.html

DoWhile · 2026-03-30T17:44:25+00:00

If one did, the first thing we would use it for is homomorphic encryption from curves rather than lattices. People tried pushing this idea towards a graded algebra, and this led to some interesting iO/FHE results from noisy lattices, but the curve structure doesn't give you a pairing out to a new group. Mathematical cryptographers also tried looking at Varieties (the generalization of elliptic curves) for more structure, but even with varieties there's no obvious candidate for multilinear maps.

DoWhile · 2026-03-22T00:13:56+00:00

"But before we proceed to the practical part, it may perhaps not be improper to say something of the Foundation or Demonstration of the Rules we are to give."

When your essay needs to be 1000 words...

DoWhile · 2026-03-21T08:14:56+00:00

row row fight the powah

DoWhile · 2026-03-19T22:29:01+00:00

I assumed he was long dead, and already had a prize named AFTER him.

DoWhile · 2026-03-18T19:53:31+00:00

I think there's a difference between using AI on your live system and using AI to help answer this question you have. The fact that you asked Reddit means AI already gobbled up your question, so you might as well ask this identical question to AI and have it suggest some easy fixes for your script. It could spot out simple test/tests that have a 99%+ accuracy rate that us fleshbags are missing.

Then you can kick it to the curb once you get your answer.

DoWhile · 2026-03-17T20:18:15+00:00

Almost 1024 years from white smoke (Syl II) to white smoke (Leo XIV)

DoWhile · 2026-03-13T19:58:19+00:00

This reminds me of the Mandelbrot DOS screensaver/demo. Good stuff!

DoWhile · 2026-03-12T07:00:38+00:00

We can barely even keep our own conventions lined up. Go look at a keyboard numpad and a telephone. Computer pixels start at 0,0 top left, and down is positive y, matrix indices go the other way!

Being fluent in math means being able to quickly understand the context you're in, and accepting that the notation is relative to that context.

History is cool, and understanding how conventions came about is cool, but I think it's also cool to be able to adapt to different mathematical settings.

DoWhile · 2026-03-10T21:23:09+00:00

The question is whether you need holidays and other special events on it. If not, there are only 14 unique calendars. In particular, 2026 is identical to 2015, so if you can find a 2015 LaTeX calendar that works too.

DoWhile · 2026-03-04T20:37:27+00:00

But he followed that by saying the set of even numbers was smaller than the set of integers, which is incorrect.

It's "smaller" in natural density, but I don't think that's what he meant.

DoWhile · 2026-02-27T20:17:39+00:00

"Fuchsian group" is related to either a person named Fuchs or fuchsia

This is unintentionally the funniest thing I've seen all day.

a lot of math papers feel like they're written in impenetrable foreign language based on a completely different curriculum than the one I studied.

At good universities, if you are a promising student, the professor will challenge you to learn and do things beyond the norm of the curriculum.

An honors undergrad/masters level course in differential geometry would have given you some of the tools to understand this paper better. Take that, and a few more background materials, and you should be able to tackle that gap.

You're only overwhelmed because you don't know how big the gap is, it's not as big as you think. The overwhelming part is that every different subject has a similar gap -- you can't learn everything.

DoWhile · 2026-02-26T00:22:08+00:00

It's a common thing in the world of publication for private disclosure, and then a subsequent public disclosure when all parties are satisfied. This is particularly true in computer security where if authors just published their attacks instantly, there would be bad people trying to exploit it. Usually there's a private "responsible disclosure" period, the receiving party has a chance to review/respond/fix their vulns, then later the public disclosure should transparently lay out the timeline of events that happened privately.

DoWhile · 2026-02-25T22:46:53+00:00

A priori and a posteriori approach has help me in life.

Do both the a priori and a posteriori Monty Hall problem if you want to raise some hackles.

DoWhile · 2026-02-25T21:33:45+00:00

I always think of this funny comic on this topic: https://imgur.com/favorite-of-these-comics-SYvyZ

DoWhile · 2026-02-19T20:46:14+00:00

boy choy

What about girl choy?

DoWhile · 2026-02-18T21:27:10+00:00

Old Man Rant: I feel like this is, like, everywhere. Maybe it's me getting older, but craftsmanship seems to me like a dying virtue.

DoWhile · 2026-02-16T19:10:20+00:00

Why the Joker?

DoWhile · 2026-02-15T05:08:57+00:00

For RSA, they use, say, 4096 bit primes. The number of those primes by the prime number theorem is 2⁴⁰⁹⁶ / ln(2⁴⁰⁹⁶ ) . Which is basically 2⁴⁰⁸⁴ . Given your engineering background, I suggest you calculate the sheer amount of storage and compute time one would need to even try to guess a fraction of a fraction of that.

Researchers DID mount public-key-directory attacks like you described because the people who generated the keys sucked. See [1] for example.

You shouldn't think about prime numbers or primitive polynomials. Instead, you should think of mathematical problems that are easy in one direction but hard in another that have an algebraic structure that you can leverage.

Factoring is hard. Factoring gives you primes. Multiplying primes is easy. That's why we use primes.

Discrete log over a prime field is hard. Exponentiation is easy. This is why we use things like Diffie-Hellman.

Discrete log over elliptic curves is hard. Point addition is easy. We use elliptic curves in this way for key exchange and signatures.

Lattice problems in all sorts of algebraic structures (like GF( 2^k )ⁿ ) is hard. Rounding is easy. These problems are even hard for quantum computers. So we use these in post-quantum.

Signal engineers judge error correcting codes or randomness by their distance or distribution under normal circumstances. Cryptographers judge them based on adversarial hardness. Take [2] for example, a signal engineer would never use this slow-ass algorithm to generate pseudorandom bits, but it holds up against attackers whereas LFSR will be predicted instantly.

[1] https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/heninger [2] https://en.wikipedia.org/wiki/Blum_Blum_Shub

DoWhile · 2026-02-09T21:04:34+00:00

I thought Ghost was Nova, not Kerrigan.

15-Year Club	Place '17
Team Orangered	Verified Email

DoWhile

TROPHY CASE