This article aims to give you a solid intuitive understanding of what the technical term "zero knowledge" actually means, without going into all the complex mathematics you’d need for the full formal definition. Our goal is to explain the core definition and its rationale in a way that's accessible to everyone, without requiring any mathematical background.
We think understanding the actual meaning of "zero knowledge" is important and being under-emphasized. This term, along with many related terms, is often misused in our industry, leading to unclear communication. Speaking imprecisely about trust and privacy matters can hinder the adoption of these emerging innovative and powerful technologies.
We’ll start with defining proof systems, which are what the term “zero knowledge” applies to.
Proof systems are message exchange protocols with the goal of allowing a prover to convince a verifier of something. A given proof system will be specialized for proving statements of a specific form.
For example, we could have a proof system for proving statements like “The $n$th digit of $\pi$ is $d$”. Here, the prover would provide both $n$ and $d$, and the goal of the protocol is to convince the verifier that the $n$th digit of $\pi$ really is $d$. Ideally, the protocol allows the verifier to be convinced with less effort than it would take them to calculate the digit themselves (otherwise, the protocol is not very useful).
Let's look at a simple but powerful example of a proof system: password verification. When you create a password for a website, you want to be able to prove you know the password later without the website ever storing your actual password. This is done using hash functions - special mathematical functions that convert your password into a unique "fingerprint."
The website stores only this fingerprint (the hash). When you try to log in, you prove you know the password by showing that your input creates the same fingerprint - without ever sending the actual password. This perfectly demonstrates how proof systems can verify knowledge without revealing sensitive information.
The next step towards the term “zero knowledge” is to formalize the sorts of things our proof system is made for proving, which we do with the concept of a relation.
A relation is a set of ordered $(x,y)$ pairs where the $x$ values come from some set $X$, and the $y$ values come from some set $Y$ (and $X$ and $Y$ can be the same). Usually, the relation is defined as a descriptive rule instead of a list of actual pairs.
Let’s look at a couple examples.
Set $X$ and $Y$ to be the integers (i.e: $...,-2,-1,0,1,2,...$). We can define a relation $R_=$ based on the equals sign. In other words, $(x,y)$ is in $R_=$ whenever $x=y$. The list of pairs looks like this:
$$ R_= = \{...,(-2,-2),(-1,-1),(0,0),(1,1),(2,2),...\} $$
Set $X$ and $Y$ to be the integers again. We can define a relation $R_>$ based on the greater than sign. So $(x,y)$ is in $R_>$ whenever $x>y$. Some example pairs would be $(2,1),(2,0),(1,0),(1,-1),(0,-1)$.
Now we’ll revisit our digits of $\pi$ example from above. Set $X$ to be the positive integers and $Y$ to be the digits 0-9. Define $R_\pi$ to contain pairs $(n,d)$ where $d$ is the $n$th digit of $\pi$.
Since $\pi \approx 3.14159...$, the following would be pairs in this relation:
$$ (1,3), (2,1), (3,4), (4,1), (5,5) $$
because the first digit is $3$, then the second digit is $1$, and so on.
When we build a proof system, it’s always for a relation.
For example, we could build a proof system for proving whether a given pair $(n,d)$ is in the relation $R_\pi$ that we discussed above. (Note that, since the verifier can fairly easy check for themselves whether a given value $d$ is in fact the $n$th digit of $\pi$, this isn’t a very useful relation to build a proof system for.)
<aside> <img src="/icons/repeat_blue.svg" alt="/icons/repeat_blue.svg" width="40px" />
This piece is a work in progress. Check back soon for more progress!
</aside>