Two famous examples ("The Ali Baba Cave" and the "Two Balls and the Color Blind Friend") appear in the Wikipedia article on zero knowledge proofs .
My favorite, however, is this paper  on convincing another person you've found Waldo, without revealing his location and therefore ruining the game. It's extraordinarily simple: take a piece of cardboard larger than the Where's Waldo book, make a small, Waldo-sized cutout, and position the cardboard in a way that only Waldo himself is visible. As long as you don't give away the position of the book underneath the cardboard, you can prove you've found Waldo without providing _any_ information as to where he is! It's pretty great.
Would love to know of other real world examples. :-)
Btw, another favorite of mine which I often give as a riddle (not a ZKP, but an interactive proof): Assume I claim to have the superpower of knowing exactly how many leaves are on a tree just by looking at it. How can you verify this without actually having to count an entire tree's worth of leaves?
Vf vg ol erzbivat n pregnva ahzore bs yrnirf naq nfxvat sbe gur gbgny pbhag ntnva, gura fhogenpgvat obgu naq pbzcnevat gur qvssrerapr?
Lbh erzbir n xabja (gb lbh) ahzore bs yrnirf juvyr zl onpx vf ghearq, gura nfx zr ntnva. Gura lbh pna frr vs guvf ahzore vf pbeerpg. Lbh pna ercrng guvf nf znal gvzrf nf lbh yvxr.
Lbh pna "fvzcyvsl" guvf ol whfg pubbfvat rnpu gvzr jurgure gb erzbir n yrns be abg, gura nfxvat zr vs lbh qvq be abg. Gura vg'f rnfl gb frr gung gur cebonoyl bs trggvat guvf evtug a gvzrf vf 1/2^a.
Vs fbzrbar unf guvf novyvgl, gura gurl'er abg whfg rfgvzngvat -- gurl xabj gur rknpg ahzore. Gung zrnaf gurl pna gryy gur qvssrerapr orgjrra n gerr jvgu gubhfnaq yrnirf if. n gubhfnaq naq bar...
...naq gung'f jura vg uvg zr. :-)
It still slightly ruins the game as you know the shape you're looking for now.
This is why one way functions are used instead.
The other person won't know where Waldo is, because the cardboard is much bigger than the book, so Waldo could be anywhere on the page.
Do note, the information we are concealing is where Waldo is, and not how he looks.
I'm not 100% sure I understand your protocol though. You're putting a fake picture that has Waldo in it beneath the cardboard? So that you can always punch a hole to reveal Waldo? How does that prove anything?
I'm not sure what I'm missing here.
Under the protocol I gave, you can’t cheat by using a fake Waldo, because each time there’s a fifty percent chance the prover will ask you to remove the screen, which would reveal you’re not using (only) the original page.
(Keep in mind you do the protocol many times with a new position in each one.)
In your Where's Waldo example, this would be like having a non-playing third participant whose trusted by both players. When one player wishes to prove they've found Waldo without ending the game for the other play, they'd demonstrate this in full transparency to the third party verifier, whose word would then be trusted by the second player.
E; not really
Does Victor knowing the initial path make it non-zero-knowledge? Because if so, the example feels super contrived. I agree your Waldo example is much better.
If you don’t know which entrance they used, than anyone besides the verifier can remain a Doubting Thomas: “okay, cool, your verifier came out B, then B, then A. So? You could just as well have conspired with them to start out at B, then B, then A!”
I elaborated on an earlier HN discussion: https://news.ycombinator.com/item?id=15323790
 The verifier, for purposes of this point, is anyone who contributed to the generation of the random bits that decided which random challenge to present.
 In some cases, you do want it to be convincing to everyone, but that’s not the “standard” kind of ZKP.
 In the jargon, a valid transcript for a ZKP must be efficiently simulable by someone who lacks the relevant knowledge.
I think the parent's question is about what the "zero-knowledge" actually refers to. (scrollaway asked, "Does Victor knowing the initial path make it non-zero-knowledge?") The Wikipedia writing in 2 different places makes it confusing.
For Peggy's secret password X, the "zero knowledge" might mean:
(1) Victor has zero knowledge of what _X_ actually is even after Peggy proves she knows it: the first Wiki paragraph seems to emphasize this with "(the prover Peggy) can prove to another party (the verifier Victor) that she knows a value x, without conveying any information apart from the fact that she knows the value x."
(2) outside world (other than Victor) has zero knowledge that _Peggy_ knows what X is: the later Wiki paragraph is "Further notice that if Victor chooses his A's and B's by flipping a coin on-camera, this protocol loses its zero-knowledge property; the on-camera coin flip would probably be convincing to any person watching the recording later. Thus, although this does not reveal the secret word to Victor, it does make it possible for Victor to convince the world in general that Peggy has that knowledge—counter to Peggy's stated wishes."
Is the "zero knowledge" referring to keeping _X_ a secret , or is it keeping the fact that _Peggy_knows_X_ a secret, or are both secrets together required? The wikipedia article isn't clear on that so the article probably needs some revision to be more explicit.
(For some, an example of a ZKP would be email address verification for new user accounts: Vimeo(verifier) sends an email with a generated numeric code and Peggy(prover) has to enter that number in the webform to activate the account. This proves that Peggy "knows the secret password of that email account" but Vimeo still has "zero knowledge" of her email password. For this particular example, it doesn't matter that that the whole world knows that Peggy knows the password to her email@example.com so condition (2) is not a strong requirement.)
>For zero-knowledge proofs of knowledge, the protocol must necessarily require interactive input from the verifier, usually in the form of a challenge or challenges such that the responses from the prover will convince the verifier if and only if the statement is true (i.e., if the prover does have the claimed knowledge). This is clearly the case, since otherwise the verifier could record the execution of the protocol and replay it to someone else: if this were accepted by the new party as proof that the replaying party knows the secret information, then the new party's acceptance is either justified—the replayer does know the secret information—which means that the protocol leaks knowledge and is not zero-knowledge, or it is spurious—i.e. leads to a party accepting someone's proof of knowledge who does not actually possess it.
That is, if the proof were convincing to the entire world, then non-possessors of the knowledge could just replay they proof without having the knowledge.
Instead of the "proof" aspect, the email example is highlighting what the "zero knowledge" refers to. Whether Peggy's account is compromised or wiretapped by man-in-the-middle attacks, Vimeo/verifier still has zero knowledge of her email account's password.
The link provided is to a relatively new library for doing bullet proofs written in Haskell -- the README might benefit from more disclaimer about the verification steps taken and analysis of side channels for the library (probably not ready for production)
Just slapping some ZKP on top of bitcoin is not enough to make it magically private. It needs deeper integration to the model than that.
It is possible to soft fork confidentiality into Bitcoin, see https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016... for example
I don't know either about others, but to me it looks like hiding balances is a regression. Why would you hide your balance, unless you want to lie about it?
I can't think of a reason hiding balances would be better, but I don't have a degree about economy so I'm open to explanation.
Same argument than personal privacy I guess, but here we are talking about currency, not personal political opinions or personal identifyable information.
> Our name comes from advanced mathematics and represents the numerous ways in which we simplify financial processes and products using blockchain technology.
> Range proofs do not leak any information about the secret value
Could someone explain this? I can't say I followed the proof algorithm (don't have background on blinded Pederson commitments etc.), but to me these sound contradictory. If you're relying on a discrete log assumption then it means you are leaking information, but you hope it's not enough information to reconstruct the secret. It doesn't sound like an algorithm that truly doesn't leak information (like OTP).
One thing I found useful is section 2.2 of https://crypto.stanford.edu/~dabo/papers/RSA-survey.pdf, on blinding in RSA.
A hard fork later this fall is expected to bring Bulletproofs to main net. Right now the code is being vetted by 3 external auditors, hired by the community through fund-raising.
The benefit to Monero, once this is implemented, is transactions that are almost an order of magnitude smaller. This is a huge win, for many reasons, and it doesn't even come at the cost of CPU time.