Private verification of a Sudoku solution, Bowe-Maxwell talk and a bitcoin transaction at Financial Crypto 2016 workshop.
The problem solved with verification was:
- buyer is reluctant to sent his coins first, at risk of receiving random bits;
- seller is reluctant to send his solution to the puzzle first, at risk of receiving no reward.
A non-interactive proof was introduced and implemented to verify that:
- the plaintext is a valid Sudoku solution to the puzzle at hand;
- the ciphertext was produced with a key;
- the key is a pre-image to the hash value, that was sent to the buyer with the ciphertext.
This hash could be used to create HTLC transaction so that the seller would claim his coins only by publishing the key on the blockchain.
Well actually a script was used, but lets stick to HTLC as a simplification.
The short practical answer is: one would verify a hash preimage with a zkSNARK proof.
Another (general) answer is, an interactive proof system exists for any NP language.
A shameless ad: an alternative Sudoku solution verification circuit was designed, starting from polynomial set representation and "playing cards" solution of Naor, presented at IEEE ATIT 2019.
https://github.com/vadym-f/Sudoku_solvability_proof/tree/master/IEEE_ATIT_2019