Available via license: CC BY 4.0

Content may be subject to copyright.

Experimental relativistic zero-knowledge proofs

Pouriya Alikhani,1Nicolas Brunner,2Claude Cr´epeau,1S´ebastien Designolle,2, ∗

Rapha¨el Houlmann,2Weixu Shi,2, 3 and Hugo Zbinden2

1School of Computer Science, McGill University, Montr´eal, Qu´ebec, Canada

2Department of Applied Physics, University of Geneva, 1211 Gen`eve, Switzerland

3Department of Electronic Science, National University of Defense Technology, 410073 Changsha, China

(Dated: December 22, 2020)

Protecting secrets is a key challenge in our contemporary information-based era. In common sit-

uations, however, revealing secrets appears unavoidable, for instance, when identifying oneself in a

bank to retrieve money. In turn, this may have highly undesirable consequences in the unlikely, yet

not unrealistic, case where the bank’s security gets compromised. This naturally raises the question

of whether disclosing secrets is fundamentally necessary for identifying oneself, or more generally for

proving a statement to be correct. Developments in computer science provide an elegant solution

via the concept of zero-knowledge proofs: a prover can convince a veriﬁer of the validity of a certain

statement without facilitating the elaboration of a proof at all. In this work, we report the exper-

imental realisation of such a zero-knowledge protocol involving two separated veriﬁer-prover pairs.

Security is enforced via the physical principle of special relativity, and no computational assumption

(such as the existence of one-way functions) is required. Our implementation exclusively relies on oﬀ-

the-shelf equipment and works at both short (60 m) and long distances (400 m) in about one second.

This demonstrates the practical potential of multi-prover zero-knowledge protocols, promising for

identiﬁcation tasks and blockchain-based applications such as cryptocurrencies or smart contracts.

Introduction.— In a foreign city where you know abso-

lutely no one, you go to an automatic teller machine to

obtain a handful of local cash. You have never heard of

the bank owning that teller machine, yet when requested

for your Personal Identiﬁcation Number to obtain money

you blindly provide it. No joke, you give away that su-

per unique information to a complete stranger. But why?

Because of the cash you get in return? There is actually

zero solid reason to trust that teller machine. You should

never have to give away this private information to any-

one at all! But how could we prove who we are without

giving away such a secret piece of data?

The idea behind zero-knowledge proofs was born in the

middle of the 1980’s [1] and formalises the possibility to

demonstrate knowledge of a secret information without

divulging it. A natural application is the task of identi-

ﬁcation, where a user can demonstrate their identity via

the knowledge of a secret proof of a mathematical state-

ment they created and published. A well-known example

is the RSA cryptosystem [2] in which the mathematical

secret is the factorisation into two huge prime numbers

of an even larger number. In this work we consider the

problem of three-colouring of graphs: an instance is a

graph (nodes and edges attaching some of them to one

another) and a proof of three-colourability assigns to each

vertex one out of three possible colours in a way that any

two vertices connected by an edge have diﬀerent colours,

see Fig. 1(a). Some graphs are three-colourable, some

are not, and the general problem of deciding whether

a graph is three-colourable has no known eﬃcient solu-

tion. However, given a colouring it is extremely easy

to eﬃciently check whether the end points of every edge

∗sebastien.designolle@unige.ch

are assigned diﬀerent colours. For this reason, three-

colourability is a problem in NP, the class of all problems

that are eﬃciently veriﬁable given a solution. Moreover,

it is also NP-complete because an instance of any prob-

lem in NP can be eﬃciently simulated by an instance of

three-colourability, so that if this latter were in P, the

class of all problems eﬃciently solvable, then we would

have P=NP, an equality which has been the most fa-

mous challenge of theoretical computer science for the

last half century and which remains unsolved.

A zero-knowledge proof for three-colourability has

been introduced in Ref. [3] by assuming the existence

of one-way functions, that is, functions that can be ef-

ﬁciently computed but for which ﬁnding a preimage of

a particular output cannot. The zero-knowledge proof

guarantees that upon participation to such an interac-

tion, a prover would convince a veriﬁer of the validity

of the statement when it is indeed valid (completeness),

would not convince the veriﬁer when it is invalid (sound-

ness), while not allowing the latter to improve their abil-

ity to ﬁnd a three-colouring (zero-knowledge), but this

is under the assumption that one-way functions exist. It

is widely believed that a zero-knowledge proof for any

NP-complete problem such as three-colourability is not

possible without this extra computational assumption. If

not, this would lead to vast implications in the world of

complexity [4]. However, this feature is generally unde-

sirable as it signiﬁcantly weakens the long-term security

of such zero-knowledge protocols, which are used, e.g., in

certain crypto-currencies [5]. This may have important

consequences, as security would be fully compromised

if the speciﬁc one-way function used in the protocol is

(later) found to be eﬃciently invertible. This aspect is

particularly relevant given recent advances on quantum

computing [6,7].

arXiv:2012.10452v1 [cs.CR] 18 Dec 2020

2

(i, j)

b

a1=lb

i

a2=lb

j

l0

k, l1

k

P2

(i0, j0)

b0

a0

1=lb0

i0

a0

2=lb0

j0

l0

k, l1

k

(b)

(a)

(c1)

(c2)

10 m

1

2

3

4

5

6

V1

P1

V2

FIG. 1. Relativistic zero-knowledge protocol for three-colourability on a short distance. Two separated provers try

to convince a veriﬁer that they know a given graph is three-colourable without facilitating the elaboration of a three-colouring.

(a) A three-colourable graph with six vertices and ten edges. The three-colouring depicted here is such that c1=c3= 0 (full

blue), c2=c5= 1 (dashed yellow), c4=c6= 2 (dotted red); vertices linked by an edge are indeed of diﬀerent colours.

(b) Satellite view [8] of the building of the experiment. The distance between the two parties involved is 60m, that is, 200 ns

at the speed of light. This separation makes the communication between the two provers impossible at this time scale due to

special relativity. The veriﬁers simultaneously trigger their questions to their provers by means of an optical ﬁbre (dashed line).

(c) Illustration of a round of the protocol on both veriﬁer-prover pairs. Each veriﬁer sends (downward arrow) an edge and a bit b

to their prover, who should answer (upward arrow) their bth labellings at the end points of the edge: for all vertex kthe provers

have indeed pre-agreed on two labellings l0

k, l1

k∈ {0,1,2}that should sum up to a three-colouring, namely, l0

k+l1

k≡ck(mod 3).

When asking the same edge on both sides and opposite bits, the veriﬁers can check, thanks to the deﬁnition of the labellings,

that the provers know that the graph is three-colourable. To make sure that the provers are not cheating the veriﬁers can also

send the same bit with edges sharing (at least) one vertex; the consistency of the provers’ answers can then be tested. By

repeating this procedure many times the veriﬁers can make the probability for dishonest provers to pass the protocol arbitrarily

small (soundness). However, even with all the provers’ answers at hand, the veriﬁers are not more eﬃcient at elaborating a

three-colouring than initially (zero-knowledge).

Remarkably, it is possible to devise zero-knowledge

protocols without the need of any computational assump-

tion. The key idea, as developed by Ben-Or, Goldwasser,

Kilian and Wigderson [9], is to generalise the interactive

proof model such that several provers are now trying to

convince a veriﬁer of the three-colourability of a graph

in perfect zero-knowledge without the need of any fur-

ther assumption. Intuitively, this approach reﬂects the

strategy used by police investigators when interrogating

suspects in separate rooms in order to discern the truth

more easily: it is harder to collectively lie about the valid-

ity of a statement when interrogated separately. The key

diﬀerence between the multi-prover scenario and the orig-

inal deﬁnition of interactive proof rests in the possibility

to prevent several provers from talking to each other, a

single prover always being able to talk to themself. This

naturally suggests the use of spatial separation to enforce

the impossibility to communicate [10,11], at least for

some short period of time: assuming the principle of spe-

cial relativity (nothing can signal faster than the speed

of light) and sending queries to the diﬀerent provers si-

multaneously, there is a short time window during which

they are physically unable to signal between each other.

So far, these ideas have been mainly of purely theoreti-

cal interest, as known protocols required extremely large

information transfer between the provers and veriﬁers,

which prohibited their implementation.

In this work, we report experimental realisations of

relativistic zero-knowledge proofs for an NP-complete

problem (three-colourability). Speciﬁcally we develop an

eﬃcient implementation of the protocol recently estab-

lished in Ref. [12] for two separated veriﬁer-prover pairs.

In practice, key challenges involve the generation of ad-

equate large three-colourable graphs, as well as an ef-

ﬁcient management of the randomness shared between

the provers, achieved via suitable error-correcting codes.

We report on two experiments: ﬁrst, using Global Posi-

tioning System (GPS) clocks to synchronise the two ver-

iﬁers, we performed the protocol at a distance of 400 m;

second, using a triggering ﬁbre between the two veriﬁers,

we conducted the same test at a shorter distance of 60 m.

In both cases, the full running time was about one sec-

ond. The ﬁrst implementation shows that the protocol

at large distances is rather eﬀortless since the wide rel-

ativistic separation only demands a moderate speed on

the provers’ side; the second one demonstrates a clear

potential for serviceable applications. Importantly, the

security is enforced by relativistic constraints, and does

3

not rely on any computational hypothesis such as the

existence of one-way functions. Note that the afore-

mentioned NP-completeness guarantees that any appli-

cation based on a problem in NP can be (polynomi-

ally) cast into an instance of our protocol. For example,

if you trust the Advanced Encryption Standard (AES)

as a secure cryptographic primitive, you can transform

AES instances into three-colourable graphs. Our imple-

mentation achieves security against classically correlated

provers and we discuss the prospects of extending the se-

curity to the general case of quantum-mechanically cor-

related provers below.

Protocol.— We start by presenting the type of zero-

knowledge proof that we used in the experiment. Let

(V, E ) be a ﬁnite undirected graph, namely, a ﬁnite set V

of vertices and a collection Eof edges, that is, unordered

pairs of (distinct) vertices. We further assume that this

graph is three-colourable, see Fig. 1(a). In the following

we denote the three diﬀerent colours by 0, 1, and 2.

The protocol involves two veriﬁers and two provers lo-

cated in a suitable way discussed below. Initially the two

provers pre-agree on random three-colourings ck(n)∈

{0,1,2}for k∈Vand nidentifying the round. In the fol-

lowing, the dependency in nwill be omitted for concise-

ness. For all vertex kthey also choose two labellings l0

k

and l1

ksuch that the equality l0

k+l1

k≡ck(mod 3) holds.

Note that, contrary to a proper colouring, the labellings

l0and l1do not need to have diﬀerent values on adja-

cent vertices. A round is then illustrated in Fig. 1(c) and

consists in (i) each veriﬁer providing their prover with

an edge (i, j)∈Eand a bit b∈ {0,1}, (ii) each prover

answering lb

iand lb

j, and (iii) the two veriﬁers checking

the provers’ answers as described in the next two para-

graphs. If none of the parties abort the protocol, then

we repeat rounds until a certain security level is reached,

see below. The veriﬁers’ tests follow two diﬀerent paths.

On the one hand, the veriﬁers can check that the

provers do indeed know that the graph is three-

colourable. This test is done when both veriﬁers send

the same random edge e= (i, j)=(i0, j0) = e0∈Eand

when b6=b0. Then the answers (a1, a2) and (a0

1, a0

2) of the

two provers are accepted if and only if a1+a0

16≡ a2+a0

2

(mod 3). Clearly this aims at ensuring that the provers

know that the graph is three-colourable.

On the other hand, the veriﬁers can test the consis-

tency of the provers’ answers. When the edges sent share

at least one vertex (say, i=i0) and when the bits sent

are equal (b=b0), then the veriﬁers accept if and only if

the corresponding answers of the two provers are equal

(a1=a0

1). This test typically prevents the provers from

answering in a way that would ignore the edges asked

but would only aim at passing the previous check.

For honest veriﬁers and honest provers (when the

graph is three-colourable), it is easy to see that following

the protocol will always lead to acceptance. This prop-

erty of the protocol is referred to as completeness.

For honest veriﬁers and dishonest provers (when the

graph is not three-colourable), the soundness refers to

the veriﬁers being able to reveal the cheat with very high

probability when performing many rounds. Intuitively, if

the answers of a prover (say, P2) reach their correspond-

ing veriﬁer (V2) before the question of the other one (V1)

could have, by any means, made its way there, then this

prover (P2) must have answered without knowing what

the other one (P1) has been asked. By separating the

veriﬁer-prover pairs by a suﬃcient distance and by tim-

ing the protocol carefully, we can use special relativity

to create this separation in order to make the protocol

sound against classically correlated provers. We discuss

the case of quantum provers below.

For dishonest veriﬁers (trying to get any knowledge of

a three-colouring) and honest provers, the zero-knowledge

property amounts to the veriﬁers getting no knowledge

whatsoever upon interaction with the provers. The above

protocol satisﬁes this property [12].

From the cases described above, we get the main fea-

tures of a good strategy for the veriﬁers to detect cheating

provers. Typically, asking edges with no vertex in com-

mon is of no interest and the two tests described above

should be somehow balanced. When we ﬁx the strat-

egy adopted by the provers, the probability for cheating

provers to pass one round can be computed and from

there the number of rounds required to reach a given se-

curity level. For the protocol that we implemented, that

is, the one from Ref. [12] (of which the one presented

above is a pedagogical variant), a good strategy is given

in Methods 1together with a reminder of the details of

the protocol. With this strategy, when the number of

rounds is 9|E|k, where |E|is the number of edges in the

graph, classically correlated provers can dishonestly pass

the soundness tests with probability at most e−k.

Graphs.— From a theoretical perspective, the three-

colourability problem is NP-complete. This means that

ﬁnding a solution (a three-colouring) is not known to be

possible in polynomial complexity with respect to the size

of the problem (typically the number of vertices |V|) but

checking a solution can be made in polynomial complex-

ity. Moreover, the fact that this problem is NP-complete,

means that it can simulate in polynomial complexity any

other NP problem.

For the implementation we need a concrete graph to-

gether with a three-colouring of it. Here comes a compli-

cation: though the general problem is “hard”, there exist

algorithms eﬃcient in many cases. In order to overcome

this diﬃculty we use suﬃciently large critical graphs.

A four-critical graph is not three-colourable but is such

that the deletion of any edge gives rise to a valid three-

colouring for the resulting graph. Ref. [13] proposes an

algorithm to build large critical graphs corresponding to

very hard instances of three-colourability, a fact corrob-

orated by extensive experimental evidence. However, no

method for generating a three-colouring on the way is

provided therein, so that we adapted the technique so

that is suits our needs; see Methods 2. The graph used

in the following experiments has |V|= 588 vertices and

|E|= 1097 edges, so that reaching a security parameter

4

of k= 100, widely considered safe [14], takes about one

million rounds.

Implementation.— For the realisation of this zero-

knowledge protocol, we used two veriﬁer-prover pairs and

we implemented the protocol from Ref. [12], recalled in

Methods 1. The critical part dwells on the speed of the

answer on the provers’ side; therefore they were operated

on ﬁeld-programmable gate-arrays (FPGA) to reduce the

communication latency, speed up the computation, and

improve its time reliability. On the veriﬁers’ side, FP-

GAs were also used for communication, together with

standard computers for global monitoring and checking

of the answers; see Methods 3for details of the hard-

ware, which builds upon techniques developed for the

implementation of bit commitment [15].

As the protocol involves a signiﬁcant number of rounds

and requires the provers to share in advance some ran-

domness, this resource must be used sparingly. For in-

stance, it is easy to see that, starting from a shared

three-colouring, storing a single permutation of three el-

ements is enough to draw a random three-colouring in

each round. Regarding the remaining shared random-

ness needed in the protocol, it requires at ﬁrst sight one

random trit per vertex and per round, which is not af-

fordable. On second thought only four (two per prover)

may suﬃce but for this the provers should know which

question their partner was asked, i.e., which trits were

“consumed”, which is not possible. Drawing a connection

with error-correcting codes [16,17] we could nonetheless

overcome this diﬃculty; see Methods 4.

Note that two timescales are involved in the experi-

ment: the speed of the exchange between the veriﬁers and

the provers and the repetition rate of the rounds. The

former ﬁxes the minimum distance required between the

two locations and is limited by the speed of computation

on the provers’ side; the latter determines the time that

the protocol takes to reach a given security parameter.

In the next sections, we explain our implementations

of the protocol in two complementary spatial domains.

Long-distance.— The two veriﬁer-prover pairs are

placed in diﬀerent buildings on the campus at 390 m from

one another, corresponding to a time separation of 1.3µs.

The synchronisation relies on GPS clocks as in Ref. [18].

Both veriﬁers send to their neighbouring prover a stream

of challenges at a frequency of 0.3 MHz. As soon as they

receive a challenge the provers compute their answers

based on their shared data, see Fig. 1(c). Taking into ac-

count the imprecision of the system used, the total time

elapsed between the emission of the veriﬁers’ challenges

and the reception of the provers’ answers is 840 ns, which

is below the 1.3µs time separation between the parties,

thus fulﬁlling the soundness requirement. The whole pro-

tocol with one million rounds runs in about 3 s.

Note that the theoretical minimum distance between

the veriﬁers is ﬁxed by the 840ns in which the provers

respond and is thus about 250 m. Also there is no up-

per bound for this distance since the two veriﬁer-prover

pairs are disconnected in this case. Applications involv-

ing faraway actors may be designed based on this sim-

ple protocol [15]: as the distance between the veriﬁer-

prover pairs increases, the one between the veriﬁer and

the prover within a pair becomes less constrained. Typ-

ically veriﬁer-prover pairs widely separated would allow

the provers to be anywhere in the veriﬁers’ cities.

Short-distance.— The two veriﬁer-prover pairs are

placed on two tables outside of the university building

at 60 m from one another, corresponding to a time sep-

aration of 200 ns, see Fig. 1(b). A trigger signal is ex-

changed between the two veriﬁers. When the trigger is

captured by the second veriﬁer, it sends a challenge to

the prover it is connected to. The ﬁrst veriﬁer delays the

emission of their challenge by the time the trigger will

take to be transferred to the second veriﬁer. So both

veriﬁers send to their neighbouring prover a stream of

challenges. Again, as soon as they receive a challenge

the provers compute their answers based on their shared

data and send them back to the veriﬁers. Altogether a

round is achieved in a maximum 192 ns, thus constrain-

ing the veriﬁer to be at a minimal distance of 57.6 m; see

Methods 3for details. With a repetition rate of 3 MHz

the whole protocol with one million rounds runs in less

than a second. Note that with the hardware used and its

time and memory limitations, it would still be possible

to gain an order of magnitude in the size of the graphs,

namely, |V| ∼ 5000 and |E| ∼ 10000, while keeping the

same security parameter k= 100 and a reasonable total

time (about 3 s).

In our implementation the time needed for an ex-

change between the provers and the veriﬁers is mostly

constrained by the latency of the hardware, primarily the

one of the multi-gigabit transceivers used for the optical

links. The computation of the provers’ answers (memory

look-up and calculation) is done in a single clock cycle

(here 8 ns). A parallel communication with dedicated

input/outputs could reduce the transfer time from and

to the physical pins of the provers’ FPGAs, adding no

more than another clock cycle of delay, hence bringing

the exchange time down to 16ns. Moreover, implement-

ing the scheme on a state-of-the-art application-speciﬁc

integrated circuit (ASIC) technology would further re-

duce the clock cycle, thus the overall delay. Therefore

it seems possible to run a full exchange in only a few

nanoseconds so that the two veriﬁer-prover pairs could

eventually be placed about a meter away from each other.

Quantum provers.— So far we have only considered the

case of classically correlated provers. However, in gen-

eral, it would be desirable to extend the security to the

case of quantum provers. This is because they could es-

tablish stronger correlations compared to classically cor-

related ones, a phenomenon known as quantum nonlo-

cality [19,20]. In principle there exist protocols that

are secure against such quantum provers [21]; they typ-

ically rely on a third veriﬁer-prover pair [22] or on the

extension of the graph under study [23]. Concerning our

protocol, it is at the moment unclear whether it remains

secure in the case of two quantum provers, but the adap-

5

tations just mentioned are out of reach for now. On the

one hand, building on the results from Ref. [22] on the

addition of a third veriﬁer-prover pair, it was shown in

Ref. [12] that the number of rounds for which security

can currently be proven is about (21|E|)4k, completely

unpractical for graphs of reasonable size. On the other

hand, Ref. [23] gives a method to inﬂate the graph into an

only quadratically bigger one for which security against

quantum provers can be demonstrated; however, classical

and quantum security are not linked therein so that the

number of rounds required remains unknown. Therefore,

in all cases, improving theoretical proofs clearly repre-

sents the key challenge.

Conclusion.— We have demonstrated that a relativis-

tic zero-knowledge proof for the NP-complete problem

of three-colourability is possible in practice, even for

small distances. For the example mentioned in the intro-

duction, one could thus conceive a teller machine with

two separate ports; customers may then simply spread

their arms and insert a pair of chips to identify them-

selves by proving they know their (public) graph is three-

colourable. Given the simplicity of the operations on the

provers’ side in our protocol, these chips may further-

more be integrated in (two) cell phones. More generally,

these ideas may ﬁnd applications in a wide range of areas

where the concept of zero-knowledge is relevant, such as

blockchain systems and smart contracts [24], electronic

voting and auctions [25,26], as well as nuclear warhead

veriﬁcation [27].

ACKNOWLEDGMENTS

Financial supports by the Swiss National Science Foun-

dation (Starting grant DIAQ, NCCR-QSIT) and the Eu-

ropean project OpenQKD are gratefully acknowledged.

C. C. is supported in part by Qu´ebec’s FRQNT.

[1] S. Goldwasser, S. Micali, and C. Rackoﬀ. The know ledge

complexity of interactive proof systems. Siam J. Comput.

18(1), 186–208 (1989).

[2] R. L. Rivest, A. Shamir, and L. Adleman. A method for

obtaining digital signatures and public-key cryptosystems.

Commun. ACM 21(2), 120–126 (1978).

[3] O. Goldreich, S. Micali, and A. Wigderson. Proofs that

yield nothing but their validity or all languages in NP

have zero-knowledge proof systems. J. ACM 38(3), 690–

728 (1991).

[4] L. Fortnow. The complexity of perfect zero-knowledge.

Proc. STOC’87 pp. 204–209 (1987).

[5] E. Ben Sasson, A. Chiesa, C. Garman, M. Green,

I. Miers, E. Tromer, and M. Virza. Zerocash: Decen-

tralized anonymous payments from bitcoin. Proc. IEEE

Symp. Secur. Priv. pp. 459–474 (2014).

[6] D. J. Bernstein and T. Lange. Post-quantum cryptogra-

phy. Nature 549(7671), 188–194 (2017).

[7] F. Arute et al. Quantum supremacy using a pro-

grammable superconducting processor. Nature 574(7779),

505–510 (2019).

[8] Google Maps. Group of Applied Physics. Chemin de

Pinchat 22, 1227 Carouge, Switzerland (2020).

[9] M. Ben-Or, S. Goldwasser, J. Kilian, and A. Wigder-

son. Multi-prover interactive proofs: how to remove in-

tractability assumptions. Proc. STOC’88 pp. 113–131

(1988).

[10] J. Kilian. Strong separation models of multi prover in-

teractive proofs. DIMACS Workshop on Cryptography

(1990).

[11] A. Kent. Unconditionally secure bit commitment. Phys.

Rev. Lett. 83, 1447–1450 (1999).

[12] C. Cr´epeau, A. Massenet, L. Salvail, L. Stinchcombe, and

N. Yang. Practical relativistic zero-knowledge for NP.

Proc. Inf.-Theor. Cryptogr. (ITC’20) 4, 1–18 (2020).

[13] K. Mizuno and S. Nishihara. Constructive generation of

very hard 3-colorability instances. Discret. Appl. Math.

156(2), 218–229 (2008).

[14] J. Katz and Y. Lindell. Introduction to Modern Cryptog-

raphy. Chapman & Hall/CRC, 3rd ed. (2020).

[15] E. Verbanis, A. Martin, R. Houlmann, G. Boso,

F. Bussi`eres, and H. Zbinden. 24-Hour relativistic bit

commitment. Phys. Rev. Lett. 117, 140506 (2016).

[16] N. Li, C. Li, T. Helleseth, C. Ding, and X. Tang. Optimal

ternary cyclic codes with minimum distance four and ﬁve.

Finite Fields their Appl. 30, 100–120 (2014).

[17] T. Tassa and J. L. Villar. On proper secrets, (t, k)-bases

and linear codes. Des. Codes, Cryptogr. 52(2), 129–154

(2009).

[18] T. Lunghi, J. Kaniewski, F. Bussi`eres, R. Houlmann,

M. Tomamichel, S. Wehner, and H. Zbinden. Practical

relativistic bit commitment. Phys. Rev. Lett. 115, 030502

(2015).

[19] J. S. Bell. On the Einstein–Podolsky–Rosen paradox.

Physics Physique Fizika 1, 195–200 (1964).

[20] N. Brunner, D. Cavalcanti, S. Pironio, V. Scarani, and

S. Wehner. Bell nonlocality. Rev. Mod. Phys. 86, 419–

478 (2014).

[21] J. Kempe, H. Kobayashi, K. Matsumoto, B. Toner, and

T. Vidick. Entangled games are hard to approximate.

Siam J. Comput. 40(3), 848–877 (2011).

[22] A. Chailloux and A. Leverrier. Relativistic (or 2-prover

1-round) zero-knowledge protocol for NP secure against

quantum adversaries. Adv. Cryptol. — Eurocrypt’17 pp.

369–396 (2017).

[23] Z. Ji. Binary constraint system games and locally com-

mutative reductions. arXiv:1310.3794 (2013).

[24] E. Ben-Sasson, I. Bentov, Y. Horesh, and M. Riabzev.

Scalable, transparent, and post-quantum secure computa-

tional integrity. IACR ePrint Arch. (2018).

[25] J. Groth. Non-interactive zero-knowledge arguments for

voting. Proc. Appl. Cryptogr. Netw. Secur. (ACNS’05)

pp. 467–482 (2005).

[26] S. Micali and M. O. Rabin. Cryptography miracles, secure

auctions, matching problem veriﬁcation. Commun. ACM

57(2), 85–93 (2014).

[27] A. Glaser, B. Barak, and R. J. Goldston. A zero-

knowledge protocol for nuclear warhead veriﬁcation. Na-

ture 510(7506), 497–502 (2014).

6

METHODS

1. Protocol

Let us ﬁrst recall the zero-knowledge proof as pro-

posed in Ref. [12]. The notations are the same as in the

main text. Initially the two provers pre-agree on ran-

dom three-colourings ck(n)∈ {0,1,2}and randomisers

bk(n)∈ {0,1,2}for k∈Vand nlabelling the round. A

round is illustrated in Figs 2and consists in (i) each veri-

ﬁer providing their prover with an edge (i, j) = e∈Eand

two randomisers (r, s)∈ {1,2}, (ii) each prover answer-

ing a1≡bi·r+ci(mod 3) and a2≡bj·s+cj(mod 3),

and (iii) the two veriﬁers checking the provers’ answers

as described in the next two paragraphs. If none of the

parties abort the protocol, then we repeat rounds until

a certain security parameter in reached. As in the main

text, the veriﬁers have two ways of checking the provers’

answers.

On the one hand, the veriﬁers can check that the

provers do indeed know that the graph is three-

colourable. This test is done when both veriﬁers send

the same random edge e= (i, j)=(i0, j0) = e0∈Eand

when (r0, s0)=(−r, −s). Then the answers (a1, a2) and

(a0

1, a0

2) of the two provers are accepted if and only if

a1+a0

16≡ a2+a0

2(mod 3).

P1

(i, j)

(r,s)

a1=bi·r+ci

a2=bj·s+cj

bk

ck

V1

FIG. 2. Illustration of a round of the protocol. The colours

are consistent with those of Fig. 1(a) and depict a typical

round where the veriﬁers ask the same edge to the provers,

checking in the end that a1+a0

16≡ a2+a0

2(mod 3). Note

that the provers both use a shared colouring ckand common

randomisers bk.

P2

(i0, j0)

(r0,s0)

a0

1=bi0·r0+ci0

a0

2=bj0·s0+cj0

bk

ck

V2

On the other hand, the veriﬁers can test the consis-

tency of the provers’ answers. When the edges sent do

share at least one vertex (say, i=i0) and when the cor-

responding randomisers are equal (r=r0), then the ver-

iﬁers accept if and only if the answers of the two provers

are equal (ai=a0

i0). This test typically prevents the

provers from answering in a way that ignores the edges

asked but only aims at passing the previous test.

In Ref. [12] the following strategy for the veriﬁers is

given. First the edge (i, j) and the randomisers (r, s) are

chosen (uniformly) at random. Then with probabilities

1

5,2

5, and 2

5(respectively), one of the three following

options is chosen: (i) the edges are chosen to be equal

and the randomisers opposite, that is, (i0, j 0)=(i, j) and

(r0, s0) = (−r, −s); (ii) the ﬁrst randomiser is the same,

the second one is chosen at random, and so is the second

edge among those containing i, that is, r0=r,i0=i,

and (i0, j0)∈E; (iii) the second randomiser is the same,

the ﬁrst one is chosen at random, and so is the second

edge among those containing j, that is, s0=s,j0=j,

and (i0, j0)∈E.

Note that the amount of data exchanged is very small

compared to previous protocols: in Ref. [22] this quan-

tity is polynomial in the number |V|of vertices while

here it is only logarithmic in |V|. This feature allows for

short distances between the veriﬁer-prover pairs since the

communication time is short, even for large graphs.

2. Graph generation

In this section we describe how we construct large

three-colourable graphs which are hard to colour together

with a three-colouring.

In Ref. [13] the authors give (i) seven small graphs that

are four-critical, that is, not three-colourable but such

that any graph obtained by deleting any edge is three-

colourable, and (ii) a procedure to assemble two four-

critical graphs into a (bigger) four-critical graph. Typ-

ically, the method consists in replacing one edge of the

ﬁrst graph by the second one. Importantly, the small and

assembled graphs do not contain any near-four-clique,

that is, any subgraph with four vertices all connected to

one another except for one pair, e.g., . Such structures

indeed appear as weaknesses exploitable by algorithms

looking for a three-colouring and should thus be avoided.

With their procedure they experimentally demonstrated

using various softwares that the complexity of the result-

ing instances was exponential in the number of vertices.

However, they do not include any algorithm to keep

track of the three-colourings that arise upon removal of

an edge. We developed such a method to build large

graphs that are very hard to three-colour together with

a three-colouring.

7

Verifier 1

Prover 1

FPGA

FPGA

GPS

PC

Optical link 1 m

Verifier 2

Prover 2

FPGA

FPGA

PC

GPS

Optical link 1 m

390 m

(a)

Verifier 1

Prover 1

FPGA

FPGA

PC

Optical link 1 m

Verifier 2

Prover 2

FPGA

FPGA

PC

Optical link 1 m

60 m

Optical link 62 m

(b)

FIG. 3. Illustration of the hardware used in our two implementations: (a) the GPS version and (b) the triggered version.

The essential diﬀerence is the method used for synchronising the veriﬁers’ questions. In (a) the connection is wireless as it uses

communication with satellites at the expense of a higher imprecision thus further veriﬁer-prover pairs. In (b) the connection is

physical and oriented from the ﬁrst to the second veriﬁer; the former sends a trigger through the ﬁbre and delays their action

by the time needed for this signal to reach the latter. With a better accuracy this second method allows for shorter distances

between the veriﬁer-prover pairs, here 60 m but arguably improvable.

3. Hardware

For the implementation, the veriﬁers consist of a stan-

dard computer (Intel core i3 processor with 4 GB of

RAM) and an FPGA development board (Xilinx SP605

evaluation board featuring Spartan-6 XC6SLX45T), the

two being connected together through a PCI-Express

link; the provers consist only of the same FPGA devel-

opment board. Within each veriﬁer-prover pair, FPGA

boards are communicating with each other through a

2.5 Gbit/s small form-factor pluggable (SFP) optical link.

On the provers’ side the main data (graph, colouring) is

stored in memories available in the FPGA (Block RAM

of about 2 Mbit) and the random data on Flash memo-

ries available on the FPGA development board (32 MB),

the latter being slower than the former. This shared ran-

domness was generated by means of the quantum random

number generator (QRNG) Quantis by IDQuantique.

a. GPS version

A schematic view of the setup in this case is depicted

on Fig. 3(a). The veriﬁers’ FPGAs are synchronised to

the Coordinated Universal Time (UTC) by means of a

Global Positioning System (GPS) clock, that is, a GPS

receiver and an Oven-Controlled Quartz-Crystal Oscilla-

tor (OCXO) that creates a sinusoidal wave with a fre-

quency of 10 MHz. This OCXO signal, locked to an elec-

tronic pulse per second (PPS) delivered by the GPS with

a precision of 150 ns, is sent to the veriﬁers’ FPGAs where

its frequency is multiplied to a 125 MHz signal through

a phase-locked loop. Eventually this 125MHz signal is

used as a time reference for the computations performed

on the FPGAs, which also receive the PPS signal to check

the synchronisation with the GPS clock. Speciﬁcally, we

veriﬁed that there were 1.25×106±1 cycles between two

successive PPS signal, ﬁxing the cycle duration to 8 ns.

8

This shows that the inaccuracy added by the generation

of the 125 MHz clock would be below 24 ns. Therefore,

since the PPS signals are also labelled with a universal

time stamp, the veriﬁers are able to synchronise their

questions with an accuracy of 150 + 24 =174 ns.

b. Triggered version

A schematic view of the setup in this case is depicted

on Fig. 3(b). The veriﬁers FPGA’s are connected to one

another with an SFP optical link, this link is used to

synchronise the questions sent to the provers. The FP-

GAs run at a base clock frequency of 125 MHz. The

ﬁrst veriﬁer generates a stream of triggers at a rate of

about 3 MHz. These impulsions are transferred to the

second veriﬁer through a ﬁbre channel of 62m connect-

ing both devices, in order to trigger the challenges sent

to the prover. On the ﬁrst veriﬁer this trigger is delayed

by 440 ns to compensate for the delay in the ﬁbre and

the latency of the electronics. With an oscilloscope we

measured that the imprecision between the delayed trig-

ger and the trigger sent through the optical ﬁbre does not

exceed three cycles, i.e., 24 ns. Moreover the total time of

the exchange in the veriﬁers’ FPGA is inferior to 35 cy-

cles but we determined that the veriﬁers internal latency,

that is, the time when the data is still in the FPGA plus

the time the answer is already back, accounts to at least

14 cycles, thus reducing this time to 21 cycles. Note that

this time arises from the conversion from electronical to

optical signals. When adding the imprecision of the trig-

ger, we get that a round is achieved in a maximum of 24

cycles, that is, 192 ns, thus constraining the veriﬁer to be

at a minimal distance of 57.6 m.

4. Shared randomness

In the protocol presented in Methods 1the two provers

need to use the same random colouring and randomisers

in each round. Given the high number of rounds needed

to reach a satisfying security and the relatively low mem-

ory of the FPGAs, a frugal approach is mandatory. In

this section we give the details of our implementation

with this regard.

For the colouring, it is easy to see that there is a thrifty

option: storing a ﬁxed one and only drawing a random

permutation of the colours. The “randomness cost” of

this part is therefore of one bit and one trit in each round.

For the randomisers, a naive approach would demand

one random trit per vertex each time, thus requiring far

too much memory given the high number of rounds. Not-

ing that only four of them are actually used in each round

(two per prover), we apply a radically more aﬀordable al-

ternative: storing |V|(the number of vertices) ﬁxed trits

and drawing 2m+1 trits, where mis the number of digits

of |V|in base three. The idea is to expand randomness

by assigning in advance a small ternary vector (of 2m+1

trits) to each node; then each randomiser is simply chosen

by computing the scalar product with a common random

ternary vector (of 2m+1 trits). The subtle point to take

care of is the independence of the resulting random vari-

ables, which amounts to the linear independence of the

vectors assigned to the nodes. As only four randomis-

ers are consumed in each round, we want all sets of four

such vectors to be free. The literature luckily oﬀers an

elegant solution to this problem via ternary cyclic linear

codes with minimum Hamming distance of ﬁve [16]. The

parity check matrix of a linear code with minimum Ham-

ming distance dis indeed such that all sets of d−1 of

its columns are linearly independent; see, e.g., Ref. [17,

Lemma 3.5]. Moreover, the cyclicity of the code used al-

lows to store only one trit per node and to use it together

with the ones of the next 2mnodes (in numerical order)

to create its ternary vector.