Thank you for visiting nature.com. You are using a browser version with limited support for CSS. To obtain the best experience, we recommend you use a more up to date browser (or turn off compatibility mode in Internet Explorer). In the meantime, to ensure continued support, we are displaying the site without styles and JavaScript.

# Experimental relativistic zero-knowledge proofs

## Abstract

Protecting secrets is a key challenge in our contemporary information-based era. In common situations, however, revealing secrets appears unavoidable; for instance, when identifying oneself in a bank to retrieve money. In turn, this may have highly undesirable consequences in the unlikely, yet not unrealistic, case where the bank’s security gets compromised. This naturally raises the question of whether disclosing secrets is fundamentally necessary for identifying oneself, or more generally for proving a statement to be correct. Developments in computer science provide an elegant solution via the concept of zero-knowledge proofs: a prover can convince a verifier of the validity of a certain statement without facilitating the elaboration of a proof at all1. In this work, we report the experimental realization of such a zero-knowledge protocol involving two separated verifier–prover pairs2. Security is enforced via the physical principle of special relativity3, and no computational assumption (such as the existence of one-way functions) is required. Our implementation exclusively relies on off-the-shelf equipment and works at both short (60 m) and long distances (≥400 m) in about one second. This demonstrates the practical potential of multi-prover zero-knowledge protocols, promising for identification tasks and blockchain applications such as cryptocurrencies or smart contracts4.

This is a preview of subscription content, access via your institution

## Relevant articles

• ### Practical quantum tokens without quantum memories and experimental tests

npj Quantum Information Open Access 11 March 2022

## Access options

\$39.95

Prices may be subject to local taxes which are calculated during checkout

## Data availability

All data supporting the findings of this article are available from the corresponding authors upon request.

## Code availability

All code supporting the findings of this article are available from the corresponding authors upon request.

## References

1. Goldwasser, S., Micali, S. & Rackoff, C. The knowledge complexity of interactive proof systems. In Proc. Seventeenth Annual ACM Symposium on Theory of Computing 291–304 (ACM, 1985).

2. Ben-Or, M., Goldwasser, S., Kilian, J. & Wigder-son, A. Multi-prover interactive proofs: how to remove intractability assumptions. In Proc. Twentieth Annual ACM Symposium on Theory of Computing 113–131 (ACM, 1988).

3. Kilian, J. Strong separation models of multi prover interactive proofs. In DIMACS Workshop on Cryptography (DIMACS, 1990).

4. Ben-Sasson, E., Bentov, I., Horesh, Y. & Riabzev, M. Scalable, transparent, and post-quantum secure computational integrity. Preprint at https://eprint.iacr.org/2018/046.pdf (2018).

5. Goldwasser, S., Micali, S. & Rackoff, C. The knowledge complexity of interactive proof systems. SIAM J. Comput. 18, 186–208 (1989).

6. Rivest, R. L., Shamir, A. & Adleman, L. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21, 120–126 (1978).

7. Garey, M. R. & Johnson, D. S. Computers and Intractability: A Guide to the Theory of NP-Completeness (W. H. Freeman & Co., 1979).

8. Goldreich, O., Micali, S. & Wigderson, A. Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. J. ACM 38, 690–728 (1991).

9. Fortnow, L. The complexity of perfect zero-knowledge. In Proc. Nineteenth Annual ACM Symposium on Theory of Computing 204–209 (ACM, 1987).

10. Ben Sasson, E. et al. Zerocash: decentralized anonymous payments from Bitcoin. In Proc. IEEE Symp. Security and Privacy 459–474 (IEEE, 2014).

11. Bernstein, D. J. & Lange, T. Post-quantum cryptography. Nature 549, 188–194 (2017).

12. Arute, F. et al. Quantum supremacy using a programmable superconducting processor. Nature 574, 505–510 (2019).

13. Kent, A. Unconditionally secure bit commitment. Phys. Rev. Lett. 83, 1447–1450 (1999).

14. Crépeau, C., Massenet, A., Salvail, L., Stinchcombe, L. & Yang, N. Practical relativistic zero-knowledge for NP. In Proc. 1st Conf. Information-Theoretic Cryptography 4, 1–18 (LIPiCS, 2020).

15. Mizuno, K. & Nishihara, S. Constructive generation of very hard 3-colorability instances. Discret. Appl. Math. 156, 218–229 (2008).

16. Katz, J. & Lindell, Y. Introduction to Modern Cryptography 3rd edn (CRC, 2020).

17. Verbanis, E. et al. 24-hour relativistic bit commitment. Phys. Rev. Lett. 117, 140506 (2016).

18. Li, N., Li, C., Helleseth, T., Ding, C. & Tang, X. Optimal ternary cyclic codes with minimum distance four and five. Finite Fields their Appl. 30, 100–120 (2014).

19. Tassa, T. & Villar, J. L. On proper secrets, (t, k)-bases and linear codes. Des. Codes Cryptogr. 52, 129–154 (2009).

20. Lunghi, T. et al. Practical relativistic bit commitment. Phys. Rev. Lett. 115, 030502 (2015).

21. Bell, J. S. On the Einstein–Podolsky–Rosen paradox. Phys. Phys. Fiz. 1, 195–200 (1964).

22. Kempe, J., Kobayashi, H., Matsumoto, K., Toner, B. & Vidick, T. Entangled games are hard to approximate. SIAM J. Comput. 40, 848–877 (2011).

23. Chailloux, A. & Leverrier, A. Relativistic (or 2-prover 1-round) zero-knowledge protocol for NP secure against quantum adversaries. In Advances in Cryptology – EUROCRYPT 2017 (eds. Coron, J. S. & Nielsen, J.) 369–396 (Springer, 2017).

24. Ji, Z. Binary constraint system games and locally commutative reductions. Preprint at https://arxiv.org/abs/1310.3794 (2013).

25. Groth, J. Non-interactive zero-knowledge arguments for voting. In Applied Cryptography and Network Security (eds. Ioannidis, J., Keromytis, A. & Yung, M.) 467–482 (Springer, 2005).

26. Micali, S. & Rabin, M. O. Cryptography miracles, secure auctions, matching problem verification. Commun. ACM 57, 85–93 (2014).

27. Glaser, A., Barak, B. & Goldston, R. J. A zero-knowledge protocol for nuclear warhead verification. Nature 510, 497–502 (2014).

28. Group of Applied Physics. Google Maps https://goo.gl/maps/qhriiVPu8ktAqfZd9 (2020).

## Acknowledgements

Financial supports by the Swiss National Science Foundation (starting grant DIAQ, NCCR-QSIT) and the European project OpenQKD are gratefully acknowledged by N.B., S.D., R.H., W.X. and H.Z. P.A., C.C. and N.Y. are grateful to Québec’s FRQNT and Canada’s NSERC for making this work financially possible.

## Author information

Authors

### Contributions

P.A. and C.C. generated the graph used. N.B. and H.Z. supervised the research. C.C. and N.Y. came up with the protocol and C.C. was the theoretical leader. S.D. ensured the link between theory and experiment. R.H. was responsible for the experimental implementation, with support by S.D. and H.Z. W.X. contributed at early stage of the project. S.D. and C.C. wrote the initial draft, with the other authors providing editorial comments.

### Corresponding authors

Correspondence to Claude Crépeau or Sébastien Designolle.

## Ethics declarations

### Competing interests

The authors declare no competing interests.

Peer review information Nature thanks Thomas Vidick and the other, anonymous, reviewer(s) for their contribution to the peer review of this work. Peer reviewer reports are available.

Publisher’s note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

## Extended data figures and tables

### Extended Data Fig. 1 Illustration of a round of the protocol.

The colours are consistent with those of Fig. 1a and depict a typical round where the verifiers ask the same edge to the provers, here $$\{1,2\}$$, but where $$b\ne b\text{'}$$ so that they check in the end that $${a}_{0}+a{\text{'}}_{0}$$ $${a}_{1}+a{\text{'}}_{1}({\rm{m}}{\rm{o}}{\rm{d}}\,3)$$. In this example we have $${{\ell }}_{1}^{0}=2,{{\ell }}_{1}^{1}=1,{{\ell }}_{2}^{0}=0,{{\ell }}_{2}^{1}=1$$; note that, despite the adjacency of the vertices 1 and 2, the equality $${{\ell }}_{1}^{1}={{\ell }}_{2}^{1}$$ is legal as the labellings $${{\ell }}_{k}^{b}$$ do not need to be colourings.

### Extended Data Fig. 2 Illustration of the hardware used in our two implementations.

a, b, The GPS version (a) and the triggered version (b). The essential difference is the method used for synchronizing the verifiers’ questions. In a the connection is wireless as it uses communication with satellites at the expense of a higher imprecision thus further verifier–prover pairs. In b the connection is physical and oriented from the first to the second verifier; the former sends a trigger through the fibre and delays their action by the time needed for this signal to reach the latter. With a better accuracy this second method allows for shorter distances between the verifier–prover pairs, here 60 m but arguably improvable.

## Rights and permissions

Reprints and Permissions

Alikhani, P., Brunner, N., Crépeau, C. et al. Experimental relativistic zero-knowledge proofs. Nature 599, 47–50 (2021). https://doi.org/10.1038/s41586-021-03998-y

• Accepted:

• Published:

• Issue Date:

• DOI: https://doi.org/10.1038/s41586-021-03998-y

• ### Practical quantum tokens without quantum memories and experimental tests

• David Lowndes
• John Rarity

npj Quantum Information (2022)