Cryptographic and Physical Zero-Knowledge Proof Systems for
Solutions of Sudoku Puzzles
Ronen Gradwohl¤ Moni Naory Benny Pinkasz Guy N. Rothblumx
August 12, 2007
Abstract
We consider cryptographic and physical zero-knowledge proof schemes for Sudoku, a popular
combinatorial puzzle. We discuss methods that allow one party, the prover, to convince another
party, the veri¯er, that the prover has solved a Sudoku puzzle, without revealing the solution
to the veri¯er. The question of interest is how a prover can show: (i) that there is a solution
to the given puzzle, and (ii) that he knows the solution, while not giving away any information
about the solution to the veri¯er.
In this paper we consider several protocols that achieve these goals. Broadly speaking, the
protocols are either cryptographic or physical. By a cryptographic protocol we mean one in the
usual model found in the foundations of cryptography literature. In this model, two machines
exchange messages, and the security of the protocol relies on computational hardness. By a
physical protocol we mean one that is implementable by humans using common objects, and
preferably without the aid of computers. In particular, our physical protocols utilize items such
as scratch-o® cards, similar to those used in lotteries, or even just simple playing cards.
The cryptographic protocols are direct and e±cient, and do not involve a reduction to other
problems. The physical protocols are meant to be understood by \lay-people" and imple-
mentable without the use of computers.
¤Department of Computer Science and Applied Math, The Weizmann Institute of Science, Rehovot 76100, Israel;
email: ronen.gradwohl@weizmann.ac.il. Research supported by US-Israel Binational Science Foundation Grant
2002246.
yIncumbent of the Judith Kleeman Professorial Chair, Department of Computer Science and Applied Math, The
Weizmann Institute of Science, Rehovot 76100, Israel; email: moni.naor@weizmann.ac.il. Research supported in
part by a grant from the Israel Science Foundation.
zDepartment of Computer Science, University of Haifa, Haifa, Israel; email: benny@pinkas.net. Research sup-
ported in part by the Israel Science Foundation (grant number 860/06).
xCSAIL, MIT, Cambridge, MA 02139, USA; email: rothblum@csail.mit.edu. Research supported by NSF grant
CNS-0430450 and NSF grant CFF-0635297.

1 Introduction
Sudoku is a combinatorial puzzle that swept the world in 2005 (especially via newspapers, where
it appears next to crossword puzzles), following the lead of Japan (see the Wikipedia entry [20] or
the American Scientist article [12]). In a Sudoku puzzle the challenge is a 9£9 grid subdivided into
nine 3£3 subgrids. Some of the cells are already set with values in the range 1 through 9 and the
goal is to ¯ll the remaining cells with numbers 1 through 9 so that each number appears exactly
once in each row, column and subgrid. Part of the charm and appeal of Sudoku appears to be the
ease of description of the problems, as compared to the time and e®ort it takes one to solve them.
A natural issue, at least for cryptographers, is how to convince someone else that you have
solved a Sudoku puzzle without revealing the solution. In other words, the question of interest
here is: how can a prover show (i) that there is a solution to the given puzzle, and (ii) that he
knows the solution, while not giving away any information about the solution. In this paper we
consider several types of methods for doing just that. Broadly speaking, the methods are either
cryptographic or physical. By a cryptographic protocol we mean one in the usual model found in
the foundations of cryptography literature. In this model, two machines exchange messages and
the security of the protocol relies on computational hardness (see Goldreich [7] for an accessible
account and [8] for a detailed one). By a physical protocol we mean one that is implementable by
humans using common objects, and preferably without the aid of computers. In particular, our
protocols utilize items such as playing cards scratch-o® cards, similar to those used in lotteries.
This Work: The general problem of Sudoku (on an n£n grid) is in the complexity class NP,
which means that given a solution it is easy to verify that it is correct (In fact, Sudoku is known to
be NP-Complete [21], but we are not going to use this fact, at least not explicitly.). Since there are
cryptographic zero-knowledge proofs for all problems in NP [9], there exists one for Sudoku, via
a reduction to 3-Colorability or some other NP-Complete problem with a known zero-knowledge
proof (see de¯nition in Section 2). In this work, however, we are interested in more than the mere
existence of such a proof, but rather in its e±ciency, understandability, and practicality, which we
now explain.
First, the bene¯ts of a direct zero-knowledge proof (rather than via a reduction) are clear, as the
overhead of the reduction is avoided. Thus, the size of the proof can be smaller, and the computation
time shorter. In addition, we wish our proofs to be easy to understand by \non-experts". This
is related to the practicality of the proof: the goal is to make the interaction implementable in
the real world, perhaps even without the use of a computer. One of the important aspects of
this implementability requirement is that the participants have an intuitive understanding of the
correctness of the proof, and thus are convinced by it, rather than relying blindly \on the computer".
(For another example in which this intuitive understanding is important, see the work of Moran and
Naor [14] on methods for polling people on sensitive issues.) Physical protocols whose security is
intuitively clear are also a great tool for teaching zero-knowledge to non-experts (see [2, 4, 6, 16, 18]
for other explorations of simple cryptographic protocols for education and fun).
The contributions of this paper are e±cient cryptographic protocols for showing knowledge of
a solution of a Sudoku puzzle which do not reveal any other useful information (these are known
as zero-knowledge proofs of knowledge) and several transparent physical protocols that achieve the
same task.
Organization: In Section 2 we outline the de¯nition of a zero-knowledge protocol, and the prop-
erties of the cryptographic and physical protocols. In section 3 we describe two cryptographic
1