Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Zero-Knowledge Proofs: Privacy-Preserving Digital Identity with Clare Nelson


Published on

This talk will introduce Zero-Knowledge Proofs (ZKPs) and explain why they are a key element in a growing number of privacy-preserving, digital-identity platforms. Clare will provide basic illustrations of ZKPs and leave the necessary mathematics foundations to the readers.

After this talk you will understand that there is a variety of ZKPs, it’s still early days, and why ZKP is such a perfect tool for digital identity platforms. This talk includes significant updates from the newly-organized ZKProof Standardization organization plus a signal of maturity: one of the first known ZKP vulnerabilities.

Clare will explain why ZKPs are so powerful, and why they are building blocks for a range of applications including privacy-preserving cryptocurrency such as Zcash, Ethereum, Artificial Intelligence, and older versions of Trusted Platform Modules (TPMs). The presentation includes many backup slides for future learning and researching, including four slides of references.

Published in: Internet
  • Be the first to comment

Zero-Knowledge Proofs: Privacy-Preserving Digital Identity with Clare Nelson

  1. 1. Zero-Knowledge Proofs (ZKP) Privacy-Preserving Digital Identity October 11, 2018 Clare Nelson, CISSP, CIPP/E VP Business Development & Product Strategy, North America Sedicii @Safe_SaaS SSIMeetup.org
  2. 2. Why? Raison d’Être for Zero-Knowledge Proofs SSIMeetup.org
  3. 3. Zero-Knowledge Proofs (ZKPs) Enhance Privacy Personal Privacy Institutional Integrity Graphic:
  4. 4. zk-STARKs Paper Scalable, transparent, and post-quantum secure computational integrity (March 2018) Human dignity demands that personal information, like medical and forensic data, be hidden from the public. But veils of secrecy designed to preserve privacy may also be abused to cover up lies and deceit by institutions entrusted with Data, unjustly harming citizens and eroding trust in central institutions. Zero knowledge (ZK) proof systems are an ingenious cryptographic solution to this tension between the ideals of personal privacy and institutional integrity, enforcing the latter in a way that does not compromise the former. – Eli Ben-Sasson, Iddo Bentov, Yinon Horesh, Michael Riabzev
  5. 5. Scope Digital Identity SSIMeetup.org
  6. 6. • Artificial Intelligence (OpenMined) • Cryptocurrency • Digital Watermarks • Ethereum • E-Voting • Gaming • Genomics • Location • Mimblewimble • Private Messaging • Sealed Auctions • Smart Contracts (Hawk) • Supply Chain Transparency • Trusted Platform Module (TPM) • Zero-Knowledge Blockchain Scope Out of Scope Digital Identity • Identity Proofing • Authentication In Scope
  7. 7. ZKP and Digital Identity What Problems Are We Solving? SSIMeetup.org
  8. 8. Zero-Knowledge Proofs If your per-son-al data is nev-er col-lect-ed, it can-not be sto-len., TED Talk – Maria Dubovitskaya Cryptographer, Research Staff Member, IBM Zurich Research Laboratory, Ph.D. in cryptography and privacy from ETH Zurich Graphic:
  9. 9. Motivations for ZKP and Digital Identity Digital Identity Risks •Loss of privacy, control •Data breaches •Identity theft o Identity fraud, crime ▪ Human, drug trafficking ▪ Terrorist funding •Surveillance, Profiling •Social engineering Graphic: International Council on Global Privacy and Security, by Design • We don’t need to give up personal privacy for public safety. • We don't need to sacrifice privacy for data analytics. • We can have both. We must have both. TUPS
  10. 10. Ideal for Identification ZKPs are the ideal solution to challenges in identification • Users can prove identities o No exchange of sensitive information • Mitigates identity theft – Sultan Almuhammadi – Charles Neuman University of Southern California, Los Angeles (2005) Graphic:
  11. 11. Zero-Knowledge Proofs Definition SSIMeetup.org
  12. 12. Zero-Knowledge Proofs One of the most powerful tools cryptographers have ever devised – Matthew Green Professor at Johns Hopkins University Co-founder of Zcash
  13. 13. Definition of Zero-Knowledge Proof Proof System, not Geometry Proof Proof system, not a geometry proof
  14. 14. Definition of Zero-Knowledge Proof Enable a Prover to convince a Verifier of the validity of a statement • Yields nothing beyond validity of the statement • Incorporates randomness • Is probabilistic o Does not provide absolute certainty Prover Verifier Statement
  15. 15. Interactive Zero-Knowledge Proof Derived from VerifierProver Construct ZKP Verify ZKP Proof Non-Interactive ZKP Transform multiple messages into one message, or string
  16. 16. ZKP Requirements Completeness • If statement is true, verifier will be convinced by prover Soundness • If statement is false, a cheating prover cannot convince verifier it is true o Except with some small probability Zero-Knowledge • Verifier learns nothing beyond the statement’s validity Graphic:
  17. 17. 007 Wants to Read the News Credit to Anna Lysyanskaya for the 007 metaphor Graphic: I can tell you. But then I’ll have to kill you. .uk Today’s news? Today’snews?Who are you? Do you have a subscription?
  18. 18. 007 Uses Subscription My subscription is #4309115 .uk Today’s news? Today’snews?Who are you? Do you have a subscription? 007 Reveals Personal Data: - Zip code when he looks up the weather - Date of birth when he reads his horoscope - More data when he browses the personal ads Credit to Anna Lysyanskaya for the 007 metaphor Graphic:
  19. 19. Completeness: Telegraph Accepts Proof Here is a Zero-Knowledge Proof .uk Today’s news? Today’snews?Who are you? Do you have a subscription? Credit to Anna Lysyanskaya for the 007 metaphor Graphic: Completeness • Verifier is convinced of true statement
  20. 20. Soundness Credit to Anna Lysyanskaya for the 007 metaphor Graphic: It’s Bond. James Bond. .uk Today’s news? Rejected Who are you? Do you have a subscription? (M fails because she can’t prove to Telegraph)
  21. 21. ZKP Illustration Interactive ZKP SSIMeetup.org
  22. 22. Zero-Knowledge Proof Illustration Matthew Green Telecom Company • Cell towers • Vertices • Avoid signal overlap • Use 1 of 3 signals
  23. 23. Zero-Knowledge Proof Illustration Matthew Green 3-Color Graph Problem • Use colors to represent frequency bands • Solve for 1,000 towers • Hire Brain Consulting
  24. 24. Zero-Knowledge Proof Illustration Matthew Green Proof of Solution • Prove have solution without revealing it • Hats hide the solution
  25. 25. Zero-Knowledge Proof Illustration Matthew Green Proof of Solution • Remove any two hats • See vertices are different colors
  26. 26. 6 4 Zero-Knowledge Proof Illustration Matthew Green Repeat this process • Clear previous solution • (Add randomness) • Solve again • Telecom removes two hats Accept or Reject • Complete for preset number of rounds • Telecom accepts or rejects
  27. 27. ZKP Variants Examples SSIMeetup.org
  28. 28. Examples of ZKP Variants, Bulletproofs, trusted setup, live stream of Zcash launch ZKP NIZKP zk-SNARK zk-STARK Designated Verifier Lattice-Based Interactive, multiple messages, need stable communication channel Not interactive, one message Need one-time, trusted setup to generate key at launch No setup, working on memory issues, I or NI, post-quantum secure No setup, 188 bytes, 10 ms in some cases, not post-quantum secure Lattice-based cryptography, post-quantum secure, research Graph Isomorphism zk-STIK Bulletproof Interactive, compare graphs, efficient computation Scalable Transparent Interactive Oracle of Proof (IOP) of Knowledge DVNIZK, not just any entity can be verifier, verifier must know secret Auror a
  29. 29. Trusted Setup Zcash example, trusted setup, live stream of Zcash launch Multi-Party Computation (MPC) Ceremonies Zcash Sprout (2016) Six participants in the ceremony: 1. Andrew Miller 2. Peter Van Valkenburgh 3. John Dobbertin (pseudonym) 4. Zooko Wilcox 5. Derek Hinch 6. Peter Todd Zcash Sapling (2017-2018) • 87 Participants Private transactions in Zcash rely on zk-SNARK public parameters for constructing and verifying zero-knowledge proofs • Generating zk-SNARK public parameters is equivalent to generating a public/private key pair • Keep public key • Destroy private key • If an attacker gets a copy of the private key, could ▪ Create counterfeit Zcash ▪ Not violate anyone else’s privacy ▪ Not steal other people’s Zcash
  30. 30. ZKP Examples Digital Identity SSIMeetup.org
  31. 31. ZKP Flexibility, Variety of Use Cases • Range proofs o Age range: 25-45 years old • Set membership o Citizen of European Union • Comparison o Do identity attributes or secrets match? • Computational integrity Logical combination of any of the above Preserve Privacy
  32. 32. Graph Isomorphism ZKP Paper by Manuel Blum, UC Berkeley, 1986 Prover Verifier (Graph Isomorphism Problem: Given two graphs with 𝑛 vertices each, decide whether they are isomorphic.) 1986: 2006: 2009: 2011: Compare identity attributes without transferring them
  33. 33. Graph Isomorphism ZKP Passport Driver’s License National ID Relying Party Authoritative Sources No personal data leaves mobile phone or authoritative source 1986: 2006: 2009: 2011: Verifier
  34. 34. zk-STARK Example (Ben-Sasson, Bentov, Horesh, Riabzev) National Offender DNA Database Presidential Candidate, Jaffa Prove to public that Jaffa is not in offender database Graphic:, with permission May 25, 2018. No reliance on any external trusted party
  35. 35. Designated Verifier Designated-Verifier Non-Interactive Zero-Knowledge Proof of Knowledge (DVNIZK) • Know verifier in advance • Provides efficient, privacy-preserving authentication Graphic: EUROCRYPT 2018
  36. 36. ZKP Identity-Related Landscape Identity Verification, Authentication
  37. 37. Considerations SSIMeetup.org
  38. 38. ZKP Considerations Depends on Implementation or Use Cases 1. Transparent • Setup with no reliance on any third party • No trapdoors 2. Scalable • Verify proofs exponentially faster than database size 3. Succinct 4. Universal 5. Compliant with upcoming ZKP standards 6. Interactive, non-interactive 7. Support for IoT or cars 8. Security (threat model) • Code bugs, compromise during deployment, side channel attacks, tampering attacks, MiTM • Manual review, proof sketches, re-use gadgets, emerging tools for formal verification, testing • ZKP protocol breach, how detect breach? 9. Third-party audit • Monero audits: Kudelski Security $30K, Benedikt Bünz, QuarksLab 10. Post-quantum secure
  39. 39. 1985 Goldwasser, Micali, Rackoff paper 2018 ZKP Standards Organization 2012 Goldwasser, Micali win Turing Award Timeline It is Still Early Days
  40. 40. ZKP Standards * I think you should be more explicit here in step two • Open initiative • Industry, academia • Framework for a formal standard of Zero-Knowledge Proofs • Working drafts: o Security o Implementation o Applications Cartoonist: Sydney Harris Source: d-be-more-explicit-here-in-step-two-cartoon.htm
  41. 41. ZKP Standards ZKProof Standards Applications Track Proceedings • Identity Framework, Protocol Description, Functionality 1. Third-party anonymous and confidential attribute attestations through credential issuance by the issuer 2. Confidentially proving claims using Zero-Knowledge Proofs through the presentation of proof of credential by the holder 3. Verification of claims through Zero-Knowledge Proof verifications by the verifier 4. Unlinkable credential revocation by the issuer Plus: • Credential transfer • Authority delegation • Trace auditability Graphic:
  42. 42. ZKP Standards * (June 2018) ZKProof Workshop at Zcon0 • Legal questions o If a robber shows a ZKP that they hold my coins, who legally owns them?* • Trust Graphic:
  43. 43. Trust Graphic: Technical people that trust ZKPs because they understand the math Non-technical people who trust the technical people How bridge this gap?
  44. 44. Resources SSIMeetup.org
  45. 45. ZKP Resources • ISO/IEC 9798-5 • Letter to NIST • Code o libSNARK C++ library o libSTARK C++ library o Bulletproofs using Ristretto, Rust library • Succinct Computational Integrity and Privacy Research (SCIPR) Lab • Stanford Applied Cryptography • ZKP Science • ZKP Standards Organization • References: 4 backup slides at end of this presentation A Hands-On Tutorial for Zero-Knowledge Proofs: Part I-III 18/10/a-hands-on-tutorial-for- zero-knowledge.html September-October, 2018
  46. 46. Gratitude ZKP Inventors, Pioneers SSIMeetup.org
  47. 47. We Stand on the Shoulders of Giants Shafi Goldwasser Eli Ben-Sasson Silvio Micali Matthew Green
  48. 48. @Safe_SaaS Questions? Clare_Nelson @ ClearMark . biz SSIMeetup.org
  49. 49. Mathematics SSIMeetup.org
  50. 50. Bulletproof Range Proof Protocol
  51. 51. Backup Slides SSIMeetup.org
  52. 52. Known Vulnerabilities An Example SSIMeetup.org
  53. 53. Zero-Knowledge Range Proof (ZKRP) Validate •Person is 18-65 years old o Without disclosing the age •Person is in Europe o Without disclosing the exact location
  54. 54. ZKRP Vulnerability • Madars Virza • “The publicly computable value y/t is roughly the same magnitude (in expectation) as w^2 * (m-a+1)(b-m+1). However, w^2 has fixed bit length (again, in expectation) and thus for a fixed range, this value leaks the magnitude of the committed value.” • The proof is not zero knowledge • Response: will find alternative ZKP Graphic:
  55. 55. Source: If you have a PC, you may have touched Zero-Knowledge Proof (TPM 1.2) Graphic:
  56. 56. References • Attribute-based Credentials for Trust (ABC4Trust) Project, (2017). • AU2EU Project, Authentication and Authorization for Entrusted Unions, (2017). • Baldimsti, Foteini; Lysanskaya, Anna. Anonymous Credentials Light. (2013). • Ben Sasson, Eli; Chiesa, Alessandro; Garman, Christina, et al. Zerocash: Decentralized Anonymous Payments from Bitcoin, (May 2014). • Bitansky, Nir; Weizman, Zvika Brakerski; Kalai, Yael. 3-Message Zero Knowledge Against Human Ignorance, (September 2016). • Blum, Manauel; De Santos, Alfredo; Micali, Silvio; Persiano, Giuseppe. Non-Interactive Zero-Knowledge and its Applications, (1991). • Brands, Stefan. Rethinking Public Key Infrastructures and Digital Certificates. The MIT Press, (2000). • Bunz, Benedikt; Bootle, Jonathan; Boneh, Dan; et al. Bulletproofs: Short Proofs for Confidential Transactions and More, (2017). • Camenisch, Jan and E. Van Herreweghen, Design and implementation of the IBM Idemix anonymous credential system, in Proceedings of the 9th ACM conference on Computer and communications security. ACM, 2002, pp. 21–30. • Camenisch, Jan; Dubovitskaya, Maria; Enderlein, Robert; et al. Concepts and languages for privacy-preserving attribute-based authentication, (2013).
  57. 57. References • Cutler, Becky. The Feasibility and Application of Using Zero-Knowledge Protocol for Authentication Systems, (2015). • Durcheva, Mariana. Zero Knowledge Proof Protocol Based on Graph Isomorphism Problem, (2016). • Fleischhacker, Nils; Goyal, Vuypil; Jain, Abhishek. On the Existence of Three Round Zero-Knowledge Proofs, (2017). • Ganev, Valentin; Deml, Stefan. Introduction to zk-SNAKRs (Part 1), (2018). • Gebeyehu, Worku; Ambaw, Lubak; Reddy, MA Eswar. Authenticating Grid Using Graph Isomorphism Based Zero Knowledge Proof, (2014). • Geraud, Rémi. Zero-Knowledge: More Secure than Passwords? (July 25, 2017). • Geers, Marjo; Comparing Privacy in eID Schemes, (2017). • Goldreich, Oded. Zero-Knowledge: a tutorial by Oded Goldreich, has extensive reference list (2010). • Goldreich, Oded; Yair, Oren. Definitions and Properties of Zero-Knowledge Proof Systems, (19940. • Goldwasser, Micali, Rackoff, The Knowledge Complexity of Interactive Proof-Systems, ACM 0-89791-151-2/85/005/02911 (1985). • Green, Matthew. Zero Knowledge Proofs: An Illustrated Primer, (November 2014).
  58. 58. References • Groth, Jens. Short Pairing-Based Non-Interactive Zero-Knowledge Arguments, (2010). • Groth, Jens; Lu, Steve. “A Non-Interactive Shuffle with Pairing Based Verifiability,” (2006). • Groth, Jens; Ostrovsky, Rafail; Sahai, Amit. New Techniques for Non-interactive Zero-Knowledge, (2011). • Guillou, Quisqater, “How to Explain Zero-Knowledge Protocols to Your Children,” (1998). • Gupta, Anuj Das; Delight, Ankur. Zero-Knowledge Proof of Balance: A Friendly ZKP Demo, (June 2017). • Hardjono, Thomas; Pentland, Alex “Sandy”; MIT Connection Science & Engineering; Core Identities for Future Transaction Systems, Whitepaper-v08.pdf (October 7, 2016). [TBD: check back, right now it is a DRAFT, do not cite] • ISO/IEC Information technology — Security techniques — Entity authentication — Part 5: Mechanisms using zero-knowledge techniques, (2015). • Johnstone, Mike; Why we need privacy-preserving authentication in the Facebook age, (November 2013). • Kogta, Ronak. ZK-Snarks in English, (July 2017).
  59. 59. References • Lindell, Yehudi. Efficient Zero-Knowledge Proof,, (2015). • Lysyanskaya, Anna. How to Balance Privacy and Key Management in User Authentication, (2012). • Martin-Fernandez, Francisco; Caballero-Gil, Pino; Caballero-Gil, Candido. Authentication Based on Non-Interactive Zero-Knowledge Proofs for the Internet of Things. (January 2016). • Mohr, Austin. A Survey of Zero-Knowledge Proofs with Applications to Cryptography, • Montenegro, Jose.; Fischer, Michael; Lopez, Javier; et al. Secure Sealed-Bid Online Auctions Using Discreet Cryptographic Proof, (June 2013). • Nguyen, Quan; Rudoy, Mikhail; Srinivasan, Arjun. Two Factor Zero Knowledge Proof Authentication System, (2014). • Schukat, M; Flood, P. Zero-knowledge Proofs in M2M Communication, (2014). • Broadbent, Ann; Ji, Zhengfeng; Song, Fang. Zero-knowledge proof systems for QMA, (2016). • Unruh, Dominique. Quantum Proofs of Knowledge, (February 2015). • Wilcox, Zooko. Podcast, Zero Knowledge, The Future of Privacy. (February 21, 2017). • Wu, Huixin; Wang, Feng. A Survey of Noninteractive Zero Knowledge Proof System and its Applications. (May 2014).
  60. 60. Graph Isomorphism G and H are isomorphic graphs
  61. 61. Graph Isomorphism ZKP (GIZKP) Carnegie Mellon University, 2006 How does Prover prove to Verifier that an isomorphism exists? Input: 2 isomorphic graphs G, H on n nodes each. Prover knows isomorphism f. A security parameter k (positive integer). Output: A zero-knowledge protocol that proves P knows f. Prover gives no info to V˜ P˜ can cheat (successfully) with probability ≤ 1/2 n . Protocol: Repeat k times. Prover: Privately take G and randomly permute vertices to get a graph F. Prover: Publicly present F to Verifier (G and H are public from the beginning). Verifier: Toss a coin, and ask Prover to show that G ∼= F if heads, or H ∼= F if tails.
  62. 62. Graph Isomorphism ZKP (GIZKP) Cornell University, 2009 f
  63. 63. EUROCRYPT 2018 Efficient Designated-Verifier Non-Interactive Zero-Knowledge Proofs of Knowledge • Pyrros Chaidos (University of Athens), Geoffroy Couteau (Karlsruhe Institute of Technology) Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs • Dan Boneh (Stanford), Yuval Ishai (Technion and UCLA), Amit Sahai (UCLA), David J. Wu (Stanford) On the Existence of Three Round Zero-Knowledge Proofs • Nils Fleischhacker (Johns Hopkins University and Carnegie Mellon University), Vipul Goyal (Carnegie Mellon University), Abhishek Jain (Johns Hopkins University) An Efficiency-Preserving Transformation from Honest-Verifier Statistical Zero-Knowledge to Statistical Zero-Knowledge • Pavel Hubáček (Charles University in Prague), Alon Rosen (IDC Herzliya), Margarita Vald (Tel-Aviv University) Partially Splitting Rings for Faster Lattice-Based Zero-Knowledge Proofs • Vadim Lyubashevsky (IBM Research - Zurich), Gregor Seiler (IBM Research - Zurich)
  64. 64. The Schnorr NIZK proof is obtained from the interactive Schnorr identification scheme through a Fiat-Shamir transformation • This transformation involves using a secure cryptographic hash function to issue the challenge instead Schnorr NIZK (IETF Draft) Graphic: e-2013-coso-internal-framework
  65. 65. Zero-Knowledge Proof, Formal Definition An interactive proof system (P, V) for a language L is zero-knowledge if for any PPT verifier V∗ there exists an expected PPT simulator S such that ∀ x ∈ L, z ∈ {0, 1} ∗ , ViewV∗ [P(x) ↔ V∗ (x, z)] = S(x, z) As usual, P has unlimited computation power (in practice, P must be a randomized TM). Intuitively, the definition states that an interactive proof system (P, V) is zero-knowledge if for any verifier V∗ there exists an efficient simulator S that can essentially produce a transcript of the conversation that would have taken place between P and V∗ on any given input.
  66. 66. ZKPOK I can’t tell you my secret, but I can prove to you that I know the secret Source: J. Chou, SC700 A2 Internet Information Protocols (2001) Graphic:
  67. 67. You can have security without privacy, but you can’t have privacy without security. — Carolyn Herzog, EVP and General Counsel, ARM
  68. 68. ZKP Variations • GMR defined knowledge as the computational power of a party • Differentiates “knowledge” from “information” • Knowledge is coupled with computational power
  69. 69. • One-Round ZKP • Pairing-Based Non-Interactive Arguments • Perfect ZKPs • Private-coin ZKP • Public-coin ZKP • Scalable Transparent Argument of Knowledge (STARK) • Scalable Transparent IOP of Knowledge (STIK) • Schnorr Non-Interactive Zero-Knowledge Proof • Statistical Zero-Knowledge • Succinct Interactive Proof (SCIP) • Succinct Non-Interactive Argument (SNARG) • Succinct Non-Interactive Argument of Knowledge (SNARK) • Super-Perfect ZKP • Symbolic Zero-Knowledge Proof • Three-Round ZKP • ZK Arguments • ZKP Based on Graph Isomorphism • ZKP of Proximity (ZKPP) Examples: ZKP Variations, Terminology
  70. 70. Non-Interactive Zero-Knowledge Proof zk-SNARK Proof
  71. 71. ISO/IEC 9798-5:2009 Compliance with ISO/IEC 9798-5 may involve the use of the following patents and their counterparts in other countries. Patent Title Inventor Filing Date US 4 995 082 Method for identifying subscribers and for generating and verifying electronic signatures in a data exchange system C.P. Schnorr 1990 US 5 140 634 Method and apparatus for authenticating accreditations and for authenticating and signing messages L.C. Guillou and J-J. Quisquater 1991 EP 0 311 470 Methods and systems to authenticate authorizations and messages with a zero knowledge-proof system and to provide messages with a signature L.C. Guillou and J-J. Quisquater 1998 EP 0 666 664 Method for performing a double-signature secure electronic transaction M. Girault 1995
  72. 72. Attack Resilience (From Academia) Attack Description Mitigation Impersonation A malicious impersonator, for either party Need secret, completeness and soundness Replay Attack Malicious peer or attacker collects previous proofs, and resends these Challenge message required Man in the Middle (MITM) Intruder is able to access and modify messages between prover and verifier (without them knowing) It depends, implementation specific Collaborated Attack Subverted nodes collaborate to enact identity fraud, or co-conspirator It depends, requires reputation auditing design Denial of Service (Dos) Renders networks, hosts, and other systems unusable by consuming bandwidth or deluging with huge number of requests to overload systems Could happen during authentication setup
  73. 73. ZKP Challenges • Requires expertise and experience o PhD mathematics or cryptography o Algebraic cryptography, high-performance computation in finite fields o Applications of modern algebra to algorithms and computer science • Correct usage • Security, threat model • Audited code, formal verification • Known bugs and vulnerabilities Graphic: