Intuition for Zero-Knowledge Proofs

Last reviewed: 2026-05-11

Zero knowledge? Go get to zclass.

A zero-knowledge proof lets one party (the prover) convince another party (the verifier) that a statement is true, without revealing anything beyond the fact that it’s true.

Said as a sentence, this sounds either obvious or impossible depending on how you parse it. The two analogies in this lesson are the standard way to get the intuition.

Throughout the rest of this module, every zero-knowledge proof system has three properties baked in:

  1. Completeness. If the statement is true and the prover follows the protocol, the verifier will be convinced.
  2. Soundness. If the statement is false, no cheating prover can convince the verifier (except with negligible probability).
  3. Zero-knowledge. The verifier learns nothing beyond “the statement is true.” Anything the verifier could compute after seeing the proof, they could have computed before.

Hold on to those three. They will come back when we look at zk-SNARKs.

The classical introduction, due to Quisquater et al. (1989).

Imagine a circular cave with a single entrance. Inside, the path forks into two passages, A and B, that meet again at a back wall. The wall between them has a magic door that only opens with a secret password.

Peggy (the prover) claims she knows the password. Victor (the verifier) wants to be convinced, without learning the password and without taking Peggy at her word.

The protocol:

  1. Victor waits outside the cave entrance.
  2. Peggy enters and walks down passage A or passage B (her choice). Victor doesn’t see which.
  3. Victor walks to the fork and shouts a request: “Come out side A!” or “Come out side B!”, chosen by a coin flip he just made.
  4. Peggy emerges from the requested side.

If Peggy doesn’t actually know the password, she can only obey if she happened to enter the side Victor asked for, a 50% chance. If she does know the password, she always wins, because she can open the door and walk through to whichever side Victor names.

One round proves nothing: Peggy could be lucky. Twenty rounds reduce the probability of a successful bluff to 1 in 2²⁰ ≈ one in a million. Forty rounds get you to one in a trillion. Soundness through repetition.

What did Victor learn? That Peggy reliably emerges from whichever side he requests. Nothing about the password itself. Zero-knowledge.

Analogy 2: Two balls and a colorblind friend

Due to Konstantinos Chalkias, popularized in cryptography talks. This one is good for showing zero-knowledge in a setting that isn’t about secrets.

You have two billiard balls, one red, one green, that are identical in every way except color. Your friend is fully colorblind and can’t tell them apart. You claim the balls are different colors. How do you convince your friend without revealing which is which?

The protocol:

  1. Your friend holds one ball in each hand and shows them to you.
  2. They put both hands behind their back and either swap the balls or don’t, chosen by a coin flip you can’t see.
  3. They bring their hands forward. You announce “you swapped” or “you didn’t swap.”

If the balls really are different colors, you’ll always be right, because you can just look. If they’re identical (your claim is false), you’ll be right exactly 50% of the time. After 30 successful rounds, your friend is more confident the balls differ than that the sun will rise tomorrow.

But notice what your friend doesn’t learn: which ball is red. They learn the property “these balls are distinguishable to you,” and nothing more. Even after watching all the rounds, they could not tell anyone else which is which. Zero-knowledge.

Both analogies share a structure that real zero-knowledge protocols generalize:

  • Commitment. The prover does something that locks them into an outcome (entering one side of the cave; the friend swapping or not).
  • Challenge. The verifier issues an unpredictable challenge.
  • Response. The prover responds in a way that’s only consistent with the truth of the claim.
  • Repetition. Doing this many times drives the probability of cheating down exponentially.

This three-step structure (commit, challenge, respond) is called a Σ-protocol. Modern zk-SNARKs are not Σ-protocols themselves, but they descend from the same family of ideas.
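The commit, challenge, respond loop can be run with real arithmetic. The following is an added example, not code from this lesson or from Zcash: it goes beyond the analogies to a Schnorr-style identification protocol with a one-bit challenge, so a prover without the secret survives each round with probability 1/2, exactly like Peggy in the cave. The group parameters `P`, `Q`, `G` and all function names are constructed for illustration and are far too small for real use.

```python
import secrets

# Toy Schnorr group (constructed, illustration only):
# P = 2*Q + 1 with P and Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1       # the secret "password", 1..Q-1
    return x, pow(G, x, P)                 # (secret x, public y = G^x)

def commit():
    r = secrets.randbelow(Q)               # fresh randomness every round
    return r, pow(G, r, P)                 # prover keeps r, sends t = G^r

def respond(x, r, c):
    return (r + c * x) % Q                 # answering c == 1 requires x

def verify(y, t, c, s):
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def forge(y, guess):
    """No secret: choose the response first, then back-compute a commitment
    that verifies only if the challenge turns out to equal `guess`."""
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, Q - guess, P)) % P   # y^(Q-guess) == y^(-guess)
    return t, s

def honest_run(x, y, rounds):
    for _ in range(rounds):
        r, t = commit()
        c = secrets.randbelow(2)           # verifier's coin flip
        if not verify(y, t, c, respond(x, r, c)):
            return False
    return True                            # completeness: always reached

def cheating_run(y, rounds):
    for _ in range(rounds):
        t, s = forge(y, secrets.randbelow(2))   # must commit before seeing c
        if not verify(y, t, secrets.randbelow(2), s):
            return False
    return True                            # reached with probability 2^-rounds

if __name__ == "__main__":
    x, y = keygen()
    print("honest prover, 20 rounds:", honest_run(x, y, 20))
    wins = sum(cheating_run(y, 5) for _ in range(20000))
    print("cheater, 5 rounds: %.4f (expect about %.4f)" % (wins / 20000, 2 ** -5))
```

`forge` is also the zero-knowledge argument in miniature: anyone who picks the challenge in advance can produce transcripts `(t, c, s)` that verify without knowing `x`, so a recorded transcript gives the verifier nothing they could not have generated alone.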

In Zcash, the “statement” being proved is something like:

“I own a spendable note worth X ZEC, this transaction conserves value, the nullifier I’m publishing matches the note I’m spending, and I haven’t spent it before.”

The verifier (the network) needs to be convinced of all of that without learning which note, whose note, or how much X is. Zero-knowledge proofs are the only known cryptographic primitive that lets the network do this efficiently and at scale.

The next two lessons turn this intuition into specifics:

  • zk-SNARKs: what the acronym means and how the modern construction is shaped.
  • Trusted setups and Halo: the most important practical-cryptography milestone of Zcash’s history.