What is certainty in a real world zero knowledge proof?

Question

This question follows directly on from How do I explain zero knowledge proof to my 7 year old cousin?

Most of the simplistic answers there suggest that proof is obtained iteratively, slowly reducing the probability of Peggy simply randomly going through the cave. Or counting leaves over and over. The Wikipedia page suggests the Peggy should demonstrate her magic skills 20 times. Later on there is mention of repeating the proof 128 times. That's a bit of a statistical difference.

In a real world situation of proving something like the existence of a correct 256 bit AES key, how many times would the proving have to be attempted for certainty?

Answer 1

There is obviously no definite answer to that. The general principle, however, is not at all a problem of cryptography: it is a question with a long history in probability and economics. It is referred to as Cournot's principle in this answer of Bjørn Kjos-Hanssen on cstheory.stackexchange.

As detailed by the document which I linked to, the question has long bothered people, especially when it comes to law. When can magistrates declare moral certainty? If there is a 99.99% chance that a guy is the killer, can we safely condemn him? The general consensus is what is known as Cournot's principle, which connects mathematical probabilities with the empirical "real world":

rare events simply don't happen

Or, as put by Kolmogorov: if $P(E)$ is very small and we make a single trial, we can be practically certain that $E$ will not happen.

Of course, none of this really "answers the question". In reality, finding out which probability you will associate to certainty is essentially a matter of three things:

1. How many trials could a cheater have?
2. How strong is the incentive to cheat?
3. How disastrous would be the rare event?

If the attacker has a single trial, and a mistake would not be the end of the world, go for $1/{2^{20}}$ and you'll be fine. If your life depends on the outcome, or an attacker could repeat trials as often as he wants until he succeeds, you want to take a large margin, and you can go for $1/{2^{128}}$.

Note: items 1 and 3 in my list above are, in fact, closely related. Indeed, extremely rare events appear all the time: take a deck of cards, shuffle it, pick ten cards. What was the probability that you would get exactly those ten cards? It's obviously extremely low. Most things are just not so important, so the situation where an unlikely event happens is in fact very common, as there are virtually many "trials" of "unimportant events". This justifies restricting our attention, not to any event, but to "situations with potentially disastrous outcomes": there are very few such situations, hence we get less trials to get a disastrous event.

Note 2: if you want more "actual numbers" for which some famous guy randomly decided that they indicate that an event is unlikely, look at Borel's choice in page 17 of the same pdf I linked to before: he mentions $10^{-6}$ as "uncertainty on the human scale", $10^{-15}$ as "uncertainty on the terrestrial scale", and $10^{-50}$ as "uncertainty on the cosmic scale". Which is, again, an attempted answer at the following question: how many trials does a human / the earth / the universe gets at producing an event with an important outcome?