
Socialist millionaire protocol - petethomas
https://en.wikipedia.org/wiki/Socialist_millionaire
======
BrandonY
I love zero knowledge proofs. My professor in college explained the idea in
what I thought was an especially clear way:

Say that you and a friend are reading a Where's Waldo book, and you want to
prove that you have found Waldo, but you don't want to tell your friend where
Waldo is. This seems impossible. However, you could take a large piece of
cardboard, cut out a Waldo-shaped hole, and place it over the book. Now you
have proven that you can find Waldo.

"But wait!" cries your friend. "How do I know the book is even under there?
Let me see." But you can't do that, since he knows roughly the spot Waldo
would be if you lifted the cardboard.

So, you get a second piece of cardboard and put it on top of the first. Now,
you play a game. You ask your friend whether you should lift one piece of
cardboard (to verify the picture of Waldo) or two pieces (to verify that the
book is beneath the second piece). You can play this game as many times as
required for your partner to gain a reasonable confidence that you're not
cheating.

And that's a zero knowledge proof.

~~~
BinaryIdiot
Correct me if I'm wrong, but that example doesn't seem quite right. If you lift
one piece of cardboard the person now sees roughly where Waldo is, right? Sure,
the cardboard could be HUGE to obscure the size and position of the book, but
then asking to lift both pieces will show you the position and size of the
book, making it immediately obvious where Waldo is.

~~~
skj
The idea is that some of the time, it's _not_ the book, but just a random small
picture of Waldo.

Since you don't know if it's the book under there or not, you don't know if
this example is a "control".

The proportion of times that it is the book has to be the same as the odds
that you could randomly guess where Waldo is, I think.

~~~
edanm
No, that's wrong. The book always has to be under there, otherwise you aren't
proving anything (or at least, the odds are worse).

The idea is that your counterparty cannot ever ask for _both_ the book under
there _and_ to see Waldo, so they never know where the book is. You can spin
the book around under the cardboard to put it in arbitrary locations,
therefore just seeing the Waldo doesn't help.

------
jxm262
Here's another simplistic explanation for this concept -
[http://twistedoakstudios.com/blog/Post3724_explain-it-like-im-five-the-socialist-millionaire-problem-and-secure-multi-party-computation](http://twistedoakstudios.com/blog/Post3724_explain-it-like-im-five-the-socialist-millionaire-problem-and-secure-multi-party-computation)

I've been reading a lot about cryptography (and a lot of bitcoin stuff);
there's a lot of interesting material out there.

~~~
fredsted
Thanks, the Wiki article is complete gibberish to me.

~~~
AMcQuarrie
I find this about basically every Wikipedia article on a math topic. They are
very precise - but basically completely useless for learning anything about
the topic.

~~~
big_youth
While not every wiki page has it enabled, I find that the Simple English version really
helps my understanding. For ex:

[https://en.wikipedia.org/wiki/Probability_theory](https://en.wikipedia.org/wiki/Probability_theory)

[https://simple.wikipedia.org/wiki/Probability_theory](https://simple.wikipedia.org/wiki/Probability_theory)

[https://en.wikipedia.org/wiki/Advanced_Encryption_Standard](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard)

[https://simple.wikipedia.org/wiki/Advanced_Encryption_Standard](https://simple.wikipedia.org/wiki/Advanced_Encryption_Standard)

------
rix0r
Can someone "explain like I'm five" why calculating a hash and comparing those
isn't good enough?

Is it to protect against bruteforcing? What if the hash is made expensive to
compute?

~~~
IshKebab
Yeah, trivial to brute force.

~~~
baby
No reason to downvote you; brute force is indeed one of the reasons using
hashes is not an elegant solution.
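To make the two answers above concrete, here is an added example (not from the article or any commenter): a toy Python run of the Diffie-Hellman-style socialist millionaire exchange described in the linked article, preceded by a small brute-force function showing why the hash comparison rix0r asks about leaks a low-entropy secret no matter how slow the hash is. The prime, generator, candidate range and inputs are constructed for illustration and the prime is far too small for real use.

```python
import hashlib
import secrets
# Toy group, constructed for this example: 2**127 - 1 is prime and 3 is assumed to
# generate a large subgroup. A real deployment uses a large safe prime and a vetted generator.
PRIME = 2**127 - 1
GEN = 3

def digest_of(value):
    return hashlib.sha256(str(value).encode()).digest()

def hash_compare_leaks(digest, candidates):
    # Why "just compare hashes" fails: whoever holds the other side's digest can
    # enumerate a low-entropy secret (a net worth in dollars), however slow the hash.
    for v in candidates:
        if digest_of(v) == digest:
            return v
    return None

class Party:
    def __init__(self, secret):
        self.x = secret
        # a feeds g = h^(ab), alpha feeds gamma = h^(alpha*beta), r blinds Q
        self.a, self.alpha, self.r = (secrets.randbelow(PRIME - 2) + 1 for _ in range(3))

    def round1(self):
        return pow(GEN, self.a, PRIME), pow(GEN, self.alpha, PRIME)

    def round2(self, ha_other, halpha_other):
        self.g = pow(ha_other, self.a, PRIME)
        self.gamma = pow(halpha_other, self.alpha, PRIME)
        p_val = pow(self.gamma, self.r, PRIME)                               # P = gamma^r
        q_val = pow(GEN, self.r, PRIME) * pow(self.g, self.x, PRIME) % PRIME  # Q = h^r * g^x
        return p_val, q_val

    def round3(self, q_a, q_b):
        # R = (Q_a/Q_b)^alpha: the ratio h^(r_a-r_b) * g^(x-y) is raised to a random power
        return pow(q_a * pow(q_b, PRIME - 2, PRIME) % PRIME, self.alpha, PRIME)

    def finish(self, r_other, p_a, p_b):
        # (Q_a/Q_b)^(alpha*beta) == P_a/P_b  <=>  g^((x-y)*alpha*beta) == 1  <=>  x == y
        return pow(r_other, self.alpha, PRIME) == p_a * pow(p_b, PRIME - 2, PRIME) % PRIME

def smp_equal(x, y):
    """Run the exchange between Alice (secret x) and Bob (secret y); return both verdicts."""
    alice, bob = Party(x), Party(y)
    (ha, halpha), (hb, hbeta) = alice.round1(), bob.round1()
    p_a, q_a = alice.round2(hb, hbeta)
    p_b, q_b = bob.round2(ha, halpha)
    r_a, r_b = alice.round3(q_a, q_b), bob.round3(q_a, q_b)
    return alice.finish(r_b, p_a, p_b), bob.finish(r_a, p_a, p_b)
```

Everything that crosses the wire (h^a, h^alpha, P, Q, R) is blinded by a fresh random exponent, so an unequal run reveals only "not equal", while the hash of a net worth can be matched against a short candidate list in one loop.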

------
roymurdock
See Enigma [1] and homomorphic encryption for a related concept:

 _The key new utility Enigma brings to the table is the ability to run
computations on data, without having access to the raw data itself. For
example, a group of people can provide access to their salary, and together
compute the average wage of the group. Each participant learns their relative
position in the group, but learns nothing about other members’ salaries. It
should be made clear that this is only a motivating example. In practice, any
program can be securely evaluated while maintaining the inputs a secret._

[1]
[http://enigma.media.mit.edu/enigma_full.pdf](http://enigma.media.mit.edu/enigma_full.pdf)

~~~
morgante
That's a rather interesting choice of name for an encryption tool.

------
azernik
I find that my interest in algorithms goes up the more outlandish their names
get.

~~~
christianmann
Math works the same way. Have you heard of the Ham Sandwich Theorem[1]?

[1]:
[https://en.wikipedia.org/wiki/Ham_sandwich_theorem](https://en.wikipedia.org/wiki/Ham_sandwich_theorem)

~~~
Rexxar
"Hairy ball theorem" is cool too:
[https://en.wikipedia.org/wiki/Hairy_ball_theorem](https://en.wikipedia.org/wiki/Hairy_ball_theorem)

------
barkingcat
Is this the one where both millionaires pledge to donate 100% of their wealth
to ending world hunger - and in the end seeing who's donated more?

~~~
mathgeek
It works for comparing any arbitrary x and y, so long as equality and
inequality can be determined.

------
et2o
I love encountering a seemingly difficult problem that in fact has an easy
solution like this.

~~~
emiliobumachar
Easy to implement once designed. Who knows how much effort went towards
designing it.

------
baby
Note that this explanation is not fair. If Bob stops the protocol when he gets
the answer (equal or not) then Alice doesn't learn anything.

In cryptography there are ways to make such a protocol "fair". Basically both
learn the answer "bit by bit": if Bob stops early, he only gets one bit of
information more than Alice, and if he can brute-force the rest, so can Alice
(except if Bob is the NSA).

------
tomasien
Is anyone familiar with how this differs from a zero knowledge proof, or is
this a TYPE of ZKP?

~~~
baby
ZKP is Alice proving to Bob something, without telling him what it is. Alice
doesn't learn anything.

In the Millionaire problem both learn the result of the comparison.

~~~
tomasien
Thanks!

------
zkhalique
Are the millionaires able to trust each other's self-reporting?

This sounds a bit like mental poker.

~~~
hissworks
From the article:

"Even if one of the parties is dishonest and deviates from the protocol, that
person cannot learn anything more than if x = y."

------
rwmj
Is the use of a fixed choice of prime vulnerable to the Weak DH / Logjam
attack? ([https://weakdh.org/](https://weakdh.org/))

~~~
fryguy
Logjam works like rainbow tables, but for prime fields. Supposing that there is a
way to reverse the function (a hash in the rainbow table case, discrete logarithm
in prime fields) in time X for a single case, you can instead pre-compute
something in time P, which allows computing a specific instance in time Y. P +
Y is longer than or equal to X, and Y is significantly less than X. To compute n
inversions takes nX for the first case, and P + nY for the second. However,
the single instance case X still needs to be solvable. For a large enough
prime field, X is still incredibly difficult, so P + Y is going to be
incredibly difficult as well.

It's much more significant that Logjam changes the field to something weak,
than all of the servers use the same prime field.

------
rwmurrayVT
OTR messaging is commonly used with Pidgin and is considered a requirement for
DNM conversations.

~~~
p4bl0
I have never seen "DNM" before. According to the urban dictionary, it means
"deep and meaningful". Is that what you meant?

~~~
rwmurrayVT
DarkNetMarket. I apologize for the late reply. I read HN frequently, rarely
log in, and have yet to figure out how I can tell if someone has sub-commented
me.

------
kazinator
> _Alice and Bob have secret values x and y, respectively. Alice and Bob wish
> to learn if x = y without allowing either party to learn anything else about
> the other's secret value._

This is better put as: _without allowing either party, in the event that the
equality is false, to learn even so much as whether x < y or x > y._

Of course if the equality is true, each party knows everything about the
other's value.

~~~
neogodless
Well, it says "anything else", which covers exactly that. You don't need to be
more explicit, because the entire goal is "learn if x = y".

~~~
kazinator
If you learn _that_ x = y, then there isn't any "anything else".

