The document discusses privacy-preserving authentication through zero-knowledge proofs (ZKPs), emphasizing their potential to secure digital identities by avoiding the transfer of personal data. It explains ZKP's functionality, including interactive and non-interactive variants, and their applications in verifying identity attributes without revealing sensitive information. References to various resources, examples, and the evolving state of ZKP technology are also provided.

1. PRIVACY-PRESERVING
AUTHENTICATION
ANOTHER REASON TO CARE ABOUT
ZERO-KNOWLEDGE PROOFS
clare_nelson@clearmark.biz
@Safe_SaaS

2. The Challenge
Digital Identity

3. If your personal data
is never collected, it
cannot be stolen.
https://www.zurich.ibm .com /identity_m ixer/
https://www.ted.com /talks/m aria_dubovitskaya_take_back_control_of_your_personal_data, TED Talk
– Maria Dubovitskaya
Cryptographer, Research Staff
Member, IBM Zurich Research
Laboratory, Ph.D. in cryptography
and privacy from ETH Zurich
Zero-Knowledge Proofs
G raphic: https://www.youtube.com /watch?v=jp_Q G wXsoXM

4. How Preserve Privacy?
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf
Credential Service
Provider (CSP)
Authenticate
Avoid
• Transfer of
identity
attributes,
secrets
Digital Identity Model

5. Digital Identity Model
How Preserve Privacy?
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf
Credential Service
Provider (CSP)
Authenticate
ZKP
ZKP
Use Zero-
Knowledge
Proofs instead
of transferring
attributes or
secrets

6. Zero-Knowledge Proofs
Definition

7. One of the most powerful
tools cryptographers have
ever devised.
https://z.cash/team .htm l
https://blog.cryptographyengineering.com /2014/11/27/zero-knowledge-proofs-illustrated-prim er/
– Matthew Green
Professor at Johns Hopkins University,
co-founder of Zcash
Zero-Knowledge Proofs

8. Definition of Zero-Knowledge Proof
http://www0.cs.ucl.ac.uk/staff/J.G roth/ShortNIZK.pdf
http://www.austinm ohr.com /work/files/zkp.pdf
Enable a Prover to convince a
Verifier of the validity of a
statement
• Yields nothing beyond validity
of the statement
• Incorporates randomness
• Is probabilistic
o Does not provide absolute
certainty
Prover Verifier
Statement

9. Interactive Zero-Knowledge Proof
Derived from http://blog.stratum n.com /zkp-hash-chains/
VerifierProver
Construct
ZKP
Verify
ZKP
Proof
Non-Interactive ZKP
Collapse, transform
multiple messages into
one message, or string

10. 007 Wants to Read the News
Credit to Anna Lysyanskaya for the 007 m etaphor
G raphic: http://www.007.com /characters/the-bonds/
I can tell you.
But then I’ll have to kill you.
www.telegraph.co.uk
Today’s news?
Today’snews?Who are you?
Do you have a subscription?

11. 007 Uses Subscription
My subscription is
#4309115
www.telegraph.co.uk
Today’s news?
Today’snews?Who are you?
Do you have a subscription?
007 Reveals Personal Data:
- Zip code when he looks up the weather
- Date of birth when he reads his horoscope
- More data when he browses the personal ads
Credit to Anna Lysyanskaya for the 007 m etaphor
G raphic: http://www.007.com /characters/the-bonds/

12. Completeness: Telegraph Accepts Proof
Here is a
Zero-Knowledge Proof
www.telegraph.co.uk
Today’s news?
Today’snews?Who are you?
Do you have a subscription?
Credit to Anna Lysyanskaya for the 007 m etaphor
G raphic: http://www.007.com /characters/the-bonds/
Completeness
• Honest verifier is convinced of true statement

13. Soundness
Credit to Anna Lysyanskaya for the 007 m etaphor
G raphic: https://en.wikipedia.org/wiki/M _(Jam es_Bond)
It’s Bond. James Bond. www.telegraph.co.uk
Today’s news?
Rejected
Who are you?
Do you have a subscription?
(M fails because
she can’t prove to
Telegraph)

14. ZKP Illustration
Interactive ZKP

15. Zero-Knowledge Proof Illustration
Matthew Green
Telecom Company
• Cell towers
• Vertices
• Avoid signal overlap
• Use 1 of 3 signals
https://blog.cryptographyengineering.com /2014/11/27/zero-knowledge-proofs-illustrated-prim er/

16. 3-Color Graph Problem
• Use colors to represent
frequency bands
• Solve for 1,000 towers
• Hire ABC Consulting
Zero-Knowledge Proof Illustration
Matthew Green
https://blog.cryptographyengineering.com /2014/11/27/zero-knowledge-proofs-illustrated-prim er/

17. Proof of Solution
• Prove have solution without
revealing it
• Hats hide the solution
Zero-Knowledge Proof Illustration
Matthew Green
https://blog.cryptographyengineering.com /2014/11/27/zero-knowledge-proofs-illustrated-prim er/

18. Proof of Solution
• Remove any two hats
• See vertices are different
colors
Zero-Knowledge Proof Illustration
Matthew Green
https://blog.cryptographyengineering.com /2014/11/27/zero-knowledge-proofs-illustrated-prim er/

19. 6
4
Repeat this process
• Clear previous solution
• (Add randomness)
• Solve again
• Telecom removes two hats
Accept or Reject
• Complete for preset number of
rounds
• Telecom accepts or rejects
Zero-Knowledge Proof Illustration
Matthew Green
https://blog.cryptographyengineering.com /2014/11/27/zero-knowledge-proofs-illustrated-prim er/

20. ZKP Variants
Examples

21. Examples of ZKP Variants
https://www.slideshare.net/arunta007/elliptic-curve-cryptography-and-zero-knowledge-proof-27914533?next_slideshow=1
https://www.youtube.com/watch?v=CKncw6mIMJQ&list=PLpr-xdpM8wG8DPozMmcbwBjFn15RtC75N
https://www.starkware.co/
http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf
https://eprint.iacr.org/2017/1066.pdf, Bulletproofs
https://thexvid.com/video/O8QA6Nvg8RI/zcash-genesis-block.html, trusted setup, live stream of Zcash launch
ZKP
NIZKP
zk-SNARK
zk-STARK
Designated Verifier
Lattice-Based
Interactive, multiple messages, need stable communication channel
Not interactive, one message
Need one-time, trusted setup to generate key at launch
No setup, working on memory issues, I or NI, post-quantum secure
No setup, 188 bytes, 10 ms in some cases, not post-quantum secure
Lattice-based cryptography, post-quantum secure, research
Graph Isomorphism
zk-STIK
Bulletproof
Interactive, compare graphs, efficient computation
Scalable Transparent Interactive Oracle of Proof (IOP) of Knowledge
DVNIZK, not just any entity can be verifier, verifier must know secret

22. ZKP Examples
Digital Identity

23. ZKP Flexibility, Variety of Use Cases
• Range proofs
o Age range: 25-45 years old
• Set membership
o Citizen of European Union
• Comparison
o Do identity attributes or
secrets match?
• Computational integrity
Logical combination of any
of the above
Preserve
Privacy

24. Graph Isomorphism ZKP
Early Paper: UC Berkeley, 1986
Passport Driver’s License National ID
Relying
Party
Authoritative
Sources
No personal data
leaves mobile phone or
authoritative source
1986: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.469.9048&rep=rep1&type=pdf
2006: https://www.cs.cmu.edu/~ryanw/crypto/lec6.pdf
2009: http://www.cs.cornell.edu/courses/cs6810/2009sp/scribe/lecture18.pdf
2011: http://www.cs.haifa.ac.il/~orrd/IntroToCrypto/Spring11/Lecture9.pdf
https://kriptan.org/white-papers.html
http://gauss.ececs.uc.edu/Courses/c653/lectures/PDF/zero.pdf

25. zk-STARK Example
(Ben-Sasson, Bentov, Horesh, Riabzev)
https://eprint.iacr.org/2018/046.pdf
National Offender DNA Database Presidential Candidate, Jaffa
Prove to public that Jaffa is not in offender database
G raphic: https://www.linkedin.com /in/jaffaedwards/, with perm ission M ay 25, 2018.
No reliance on any external trusted party

26. Designated Verifier
https://eprint.iacr.org/2017/1029.pdf
Designated-Verifier
Non-Interactive
Zero-Knowledge Proof of
Knowledge (DVNIZK)
• Provides efficient, privacy-
preserving authentication
EURO CRYPT 2018
G raphic: http://www.cs.technion.ac.il/im ages/events/2018/3031/fullsize.jpg

27. ZKP Identity-Related Landscape
Identity Verification, Authentication

28. Considerations
Timeline: It is Still Early Days

29. ZKP Considerations
Depends on Implementation or Use Cases
1. Transparent
2. Succinct
3. Universal
4. Scalable
5. Compliant with upcoming
ZKP Standards
6. Interactive, non-interactive
7. Support for IoT or cars
8. Secure (threat model)
9. Third-party audit
10.Post-quantum secure

30. 1985
Goldwasser, Micali,
Rackoff paper
2018
ZKP Standards
Organization
Formal ZKP standard
2012
Goldwasser, Micali
win Turing Award
https://groups.csail.m it.edu/cis/pubs/shafi/1985-stoc.pdf
https://zkproof.org/
Timeline
It is Still Early Days

31. clare_nelson@clearmark.biz
@Safe_SaaS

32. Bulletproof: Example of Exquisite Math
https://blog.chain.com /faster-bulletproofs-with-ristretto-avx2-29450b4490cd
Range Proof Protocol

33. ZKP Resources
• ISO/IEC 9798-5
• Letter to NIST
• Code
o libSNARK C++ library
o libSTARK C++ library
o Bulletproofs using Ristretto, Rust library
• Succinct Computational Integrity and Privacy
Research (SCIPR) Lab
• Stanford Applied Cryptography
• ZKP Science
• ZKP Standards Organization
https://zkp.science/docs/Letter-to-NIST-20160613-Advanced-Crypto.pdf
https://github.com /chain/ristretto-bulletproofs/

34. Gratitude
ZKP Inventors, Pioneers

35. We Stand on the Shoulders of Giants
https://www.csail.mit.edu/user/733
https://people.csail.mit.edu/silvio/
https://cyberweek.tau.ac.il/2017/about/speakers/item/207-eli-ben-sasson
https://z.cash/team.html
Shafi Goldwasser Eli Ben-Sasson
Silvio Micali Matthew Green

36. Graph Isomorphism ZKP
UC Berkeley, 1986
Prover Verifier
(Graph Isomorphism Problem: Given two graphs with !
vertices each, decide whether they are isomorphic.)
1986: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.469.9048&rep=rep1&type=pdf
2006: https://www.cs.cm u.edu/~ryanw/crypto/lec6.pdf
2009: http://www.cs.cornell.edu/courses/cs6810/2009sp/scribe/lecture18.pdf
2011: http://www.cs.haifa.ac.il/~orrd/IntroToCrypto/Spring11/Lecture9.pdf
https://kriptan.org/white-papers.htm l
http://gauss.ececs.uc.edu/Courses/c653/lectures/PDF/zero.pdf
Compare identity attributes
without transferring them

37. Graph Isomorphism ZKP (GIZKP)
Cornell University, 2009
http://www.cs.cornell.edu/courses/cs6810/2009sp/scribe/lecture18.pdf

38. Graph Isomorphism ZKP (GIZKP)
Carnegie Mellon University, 2006
https://www.cs.cm u.edu/~ryanw/crypto/lec6.pdf
How does Prover prove to Verifier that an
isomorphism exists?
Input:
2 isomorphic graphs G, H on n nodes each. Prover knows
isomorphism f. A security parameter k (positive integer).
Output:
A zero-knowledge protocol that proves P knows f. Prover
gives no info to V˜ P˜ can cheat (successfully) with
probability ≤ 1/2 n .
Protocol:
Repeat k times.
Prover: Privately take G and randomly
permute vertices to get a graph F.
Prover: Publicly present F to Verifier (G and
H are public from the beginning).
Verifier: Toss a coin, and ask Prover to
show that G ∼= F if heads, or H ∼= F if tails.

39. Taxonomy
http://www.wisdom .weizm ann.ac.il/~oded/cc-drafts.htm l
Interactive,
Non-Interactive
Proofs
Complexity
Theory
ZKP
Related to Cryptography

40. • Cryptocurrency
• Digital Watermarks
• E-Voting
• Gaming
• Location
• Mimblewimble
• Private Messaging
• Privacy Layer for Ethereum
• Sealed Auctions
• Smart Contracts (Hawk)
• Supply Chain Transparency
• Trusted Platform Module (TPM)
• Zero-Knowledge Blockchain
Scope Out of Scope
Digital Identities
• Identity Proofing
• Authentication
In Scope

41. References
• Attribute-based Credentials for Trust (ABC4Trust) Project, https://abc4trust.eu/ (2017).
• AU2EU Project, Authentication and Authorization for Entrusted Unions, http://www.au2eu.eu/ (2017).
• Baldimsti, Foteini; Lysanskaya, Anna. Anonymous Credentials Light. http://cs.brown.edu/~anna/papers/bl13a.pdf (2013).
• Ben Sasson, Eli; Chiesa, Alessandro; Garman, Christina, et al. Zerocash: Decentralized Anonymous Payments from Bitcoin,
http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf (May 2014).
• Bitansky, Nir; Weizman, Zvika Brakerski; Kalai, Yael. 3-Message Zero Knowledge Against Human Ignorance,
https://eprint.iacr.org/2016/213.pdf (September 2016).
• Blum, Manauel; De Santos, Alfredo; Micali, Silvio; Persiano, Giuseppe. Non-Interactive Zero-Knowledge and its Applications,
https://people.csail.mit.edu/silvio/Selected%20Scientific%20Papers/Zero%20Knowledge/Noninteractive_Zero-Knowkedge.pdf
(1991).
• Brands, Stefan. Rethinking Public Key Infrastructures and Digital Certificates. The MIT Press,
http://www.credentica.com/the_mit_pressbook.html (2000).
• Bunz, Benedikt; Bootle, Jonathan; Boneh, Dan; et al. Bulletproofs: Short Proofs for Confidential Transactions and More,
https://eprint.iacr.org/2017/1066.pdf (2017).
• Camenisch, Jan and E. Van Herreweghen, Design and implementation of the IBM Idemix anonymous credential system, in
Proceedings of the 9th ACM conference on Computer and communications security. ACM, 2002, pp. 21–30.
• Camenisch, Jan; Dubovitskaya, Maria; Enderlein, Robert; et al. Concepts and languages for privacy-preserving attribute-based
authentication, https://pdfs.semanticscholar.org/82e2/4078c9ba9fcaf6177a80b8496779676af114.pdf (2013).

42. References
• Cutler, Becky. The Feasibility and Application of Using Zero-Knowledge Protocol for Authentication Systems,
http://www.cs.tufts.edu/comp/116/archive/fall2015/bcutler.pdf (2015).
• Durcheva, Mariana. Zero Knowledge Proof Protocol Based on Graph Isomorphism Problem, http://www.jmest.org/wp-
content/uploads/JMESTN42351827.pdf (2016).
• Fleischhacker, Nils; Goyal, Vuypil; Jain, Abhishek. On the Existence of Three Round Zero-Knowledge Proofs,
https://eprint.iacr.org/2017/935.pdf (2017).
• Gebeyehu, Worku; Ambaw, Lubak; Reddy, MA Eswar. Authenticating Grid Using Graph Isomorphism Based Zero Knowledge
Proof, https://link.springer.com/chapter/10.1007/978-3-319-03107-1_2 (2014).
• Geraud, Rémi. Zero-Knowledge: More Secure than Passwords? https://blog.ingenico.com/posts/2017/07/zero-knowledge-proof-
more-secure-than-passwords.html (July 25, 2017).
• Geers, Marjo; Comparing Privacy in eID Schemes, http://www.id-world-magazine.com/?p=923 (2017).
• Goldreich, Oded. Zero-Knowledge: a tutorial by Oded Goldreich, http://www.wisdom.weizmann.ac.il/~oded/zk-tut02.html has
extensive reference list (2010).
• Goldreich, Oded; Yair, Oren. Definitions and Properties of Zero-Knowledge Proof Systems,
http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.17.2901 (19940.
• Goldwasser, Micali, Rackoff, The Knowledge Complexity of Interactive Proof-Systems, ACM 0-89791-151-2/85/005/02911
(1985).
• Green, Matthew. Zero Knowledge Proofs: An Illustrated Primer, https://blog.cryptographyengineering.com/2014/11/27/zero-
knowledge-proofs-illustrated-primer/ (November 2014).

43. References
• Groth, Jens. Short Pairing-Based Non-Interactive Zero-Knowledge Arguments,
http://www0.cs.ucl.ac.uk/staff/J.Groth/ShortNIZK.pdf (2010).
• Groth, Jens; Lu, Steve. “A Non-Interactive Shuffle with Pairing Based Verifiability,”
http://www0.cs.ucl.ac.uk/staff/J.Groth/AsiacryptPairingShuffle.pdf (2006).
• Groth, Jens; Ostrovsky, Rafail; Sahai, Amit. New Techniques for Non-interactive Zero-Knowledge,
http://www0.cs.ucl.ac.uk/staff/J.Groth/NIZKJournal.pdf (2011).
• Guillou, Quisqater, “How to Explain Zero-Knowledge Protocols to Your Children,” http://pages.cs.wisc.edu/~mkowalcz/628.pdf
(1998).
• Gupta, Anuj Das; Delight, Ankur. Zero-Knowledge Proof of Balance: A Friendly ZKP Demo, http://blog.stratumn.com/zero-
knowledge-proof-of-balance-demo/ (June 2017).
• Hardjono, Thomas; Pentland, Alex “Sandy”; MIT Connection Science & Engineering; Core Identities for Future Transaction
Systems,
https://static1.squarespace.com/static/55f6b5e0e4b0974cf2b69410/t/57f7a1653e00be2c09eb96e7/1475846503159/Core-
Identity-Whitepaper-v08.pdf (October 7, 2016). [TBD: check back, right now it is a DRAFT, do not cite]
• ISO/IEC Information technology — Security techniques — Entity authentication — Part 5: Mechanisms using zero-knowledge
techniques, https://www.iso.org/standard/50456.html (2015).
• Johnstone, Mike; Why we need privacy-preserving authentication in the Facebook age,
http://www.iaria.org/conferences2015/filesICSNC15/ICSNC_Keynote_v1.1a.pdf (November 2013).
• Kogta, Ronak. ZK-Snarks in English, https://www.slideshare.net/rixor786/zksnarks-in-english?qid=0e3be303-84fc-43d2-be96-
6db2085a28ff&v=&b=&from_search=3 (July 2017).

44. References
• Lindell, Yehudi. Efficient Zero-Knowledge Proof, https://www.youtube.com/watch?v=Vahw28dValA, (2015).
• Lysyanskaya, Anna. How to Balance Privacy and Key Management in User Authentication,
http://csrc.nist.gov/groups/ST/key_mgmt/documents/Sept2012_Presentations/LYSYANSKAYA_nist12.pdf (2012).
• Martin-Fernandez, Francisco; Caballero-Gil, Pino; Caballero-Gil, Candido. Authentication Based on Non-Interactive Zero-
Knowledge Proofs for the Internet of Things. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4732108/ (January 2016).
• Mohr, Austin. A Survey of Zero-Knowledge Proofs with Applications to Cryptography,
http://www.austinmohr.com/work/files/zkp.pdf.
• Montenegro, Jose.; Fischer, Michael; Lopez, Javier; et al. Secure Sealed-Bid Online Auctions Using Discreet Cryptographic
Proof, http://www.sciencedirect.com/science/article/pii/S0895717711004535?via%3Dihub (June 2013).
• Nguyen, Quan; Rudoy, Mikhail; Srinivasan, Arjun. Two Factor Zero Knowledge Proof Authentication System,
https://courses.csail.mit.edu/6.857/2014/files/16-nguyen-rudoy-srinivasan-two-factor-zkp.pdf (2014).
• Schukat, M; Flood, P. Zero-knowledge Proofs in M2M Communication, http://digital-
library.theiet.org/content/conferences/10.1049/cp.2014.0697 (2014).
• Broadbent, Ann; Ji, Zhengfeng; Song, Fang. Zero-knowledge proof systems for QMA, https://arxiv.org/pdf/1604.02804.pdf
(2016).
• Unruh, Dominique. Quantum Proofs of Knowledge, https://eprint.iacr.org/2010/212.pdf (February 2015).
• Wilcox, Zooko. Podcast, Zero Knowledge, The Future of Privacy. https://medium.com/blockchannel/episode-3-zero-knowledge-
the-future-of-privacy-ea18479295f4 (February 21, 2017).
• Wu, Huixin; Wang, Feng. A Survey of Noninteractive Zero Knowledge Proof System and its Applications.
https://www.hindawi.com/journals/tswj/2014/560484/ (May 2014).

45. EUROCRYPT 2018
https://eurocrypt.iacr.org/2018/acceptedpapers.htm l
Efficient Designated-Verifier Non-Interactive
Zero-Knowledge Proofs of Knowledge
• Pyrros Chaidos (University of Athens), Geoffroy
Couteau (Karlsruhe Institute of Technology)
Quasi-Optimal SNARGs via Linear Multi-
Prover Interactive Proofs
• Dan Boneh (Stanford), Yuval Ishai (Technion
and UCLA), Amit Sahai (UCLA), David J. Wu
(Stanford)
On the Existence of Three Round Zero-
Knowledge Proofs
• Nils Fleischhacker (Johns Hopkins University
and Carnegie Mellon University), Vipul Goyal
(Carnegie Mellon University), Abhishek Jain
(Johns Hopkins University)
An Efficiency-Preserving Transformation
from Honest-Verifier Statistical Zero-
Knowledge to Statistical Zero-Knowledge
• Pavel Hubáček (Charles University in Prague),
Alon Rosen (IDC Herzliya), Margarita Vald (Tel-
Aviv University)
Partially Splitting Rings for Faster Lattice-
Based Zero-Knowledge Proofs
• Vadim Lyubashevsky (IBM Research - Zurich),
Gregor Seiler (IBM Research - Zurich)

46. Backup Slides

47. The Schnorr NIZK proof is obtained from
the interactive Schnorr identification
scheme through a Fiat-Shamir
transformation
• This transformation involves using a
secure cryptographic hash function to
issue the challenge instead
https://tools.ietf.org/htm l/draft-hao-schnorr-01
Schnorr NIZK (IETF Draft)
G raphic: https://www.bswllc.com /resources-articles-
preparing-for-the-2013-coso-internal-fram ework

48. Zero-Knowledge Proof, Formal Definition
http://www.cs.cornell.edu/courses/cs6810/2009sp/scribe/lecture18.pdf
An interactive proof system (P, V) for a language L is zero-
knowledge if for any PPT verifier V∗ there exists an expected
PPT simulator S such that
∀ x ∈ L, z ∈ {0, 1} ∗, ViewV∗ [P(x) ↔ V∗ (x, z)] = S(x, z)
As usual, P has unlimited computation power (in practice, P must
be a randomized TM).
Intuitively, the definition states that an interactive proof system (P,
V) is zero-knowledge if for any verifier V∗ there exists an efficient
simulator S that can essentially produce a transcript of the
conversation that would have taken place between P and V∗ on
any given input.

49. ZKPOK
I can’t tell you
my secret,
but I can prove
to you
that I know the
secret
Source: J. Chou, SC700 A2 Internet Inform ation Protocols (2001)
G raphic: http://www.flowm arq.com /single-post/2015/05/18/IDENTITY-Clarifying-M otivations

50. https://www.sym antec.com /connect/blogs/you-can-t-have-privacy-without-security
https://www.m icrosoft.com /en-us/research/research-area/security-privacy-cryptography/
You can have security
without privacy,
but you can’t have privacy
without security.
— Carolyn Herzog, EVP and
General Counsel, ARM

51. ZKP Variations
https://eprint.iacr.org/2010/150.pdf
• GMR defined knowledge as the
computational power of a party
• Differentiates “knowledge” from
“information”
• Knowledge is coupled with
computational power

52. • One-Round ZKP
• Pairing-Based Non-Interactive Arguments
• Perfect ZKPs
• Private-coin ZKP
• Public-coin ZKP
• Scalable Transparent Argument of Knowledge (STARK)
• Scalable Transparent IOP of Knowledge (STIK)
• Schnorr Non-Interactive Zero-Knowledge Proof
• Statistical Zero-Knowledge
• Succinct Interactive Proof (SCIP)
• Succinct Non-Interactive Argument (SNARG)
• Succinct Non-Interactive Argument of Knowledge (SNARK)
• Super-Perfect ZKP
• Symbolic Zero-Knowledge Proof
• Three-Round ZKP
• ZK Arguments
• ZKP Based on Graph Isomorphism
• ZKP of Proximity (ZKPP)
https://ieeexplore.ieee.org/docum ent/1524082/
https://eprint.iacr.org/2018/167.pdf
https://eurocrypt.iacr.org/2018/acceptedpapers.htm l
http://www0.cs.ucl.ac.uk/staff/J.G roth/NIZKJournal.pdf
https://eprint.iacr.org/2017/114.pdf
http://www.jm est.org/wp-content/uploads/JM ESTN42351827.pdf
Examples: ZKP Variations, Terminology
• Approximate Zero-Knowledge Proof
• Bulletproof
• Computationally sound implementations of Symbolic Zero-
Knowledge Proof
• Concurrent ZKP
• Designated-Verifier Non-Interactive Zero-Knowledge Proof
(DVNIZK)
• Double Advance ZKP
• !-zero-knowledge (weaker notion of ZKP)
• Five-Round ZKP
• Honest-Verifier Statistical Zero-Knowledge
• Implicit Zero-Knowledge Arguments
• Lattice-Based ZKPs
• Lepinski’s 3-round ZK proof protocol
• Non-Interactive Zero-Knowledge Arguments
• Non-Interactive Proofs of Kowledge (NI)ZKPoKs

53. ZKP Challenges
https://www.slideshare.net/arunta007/elliptic-curve-cryptography-and-zero-knowledge-proof-27914533?next_slideshow=1
https://www.starkware.co/#jobs
• Requires expertise and experience
o PhD mathematics or cryptography
o Algebraic cryptography requiring high-
performance computation in finite fields
o Applications of modern algebra to
algorithms and computer science
• Correct usage
• Security, threat model
• Audited code, formal verification
• Known bugs and vulnerabilities
Graphic: http://www.digifotopro.nl/content/beklimming-mount-everest-360-graden-vastgelegd

54. ZKP Standards
https://zkproof.org/
I think you should be more
explicit here in step two
Cartoonist: Sydney Harris
Source: https://www.art.com /products/p15063445373-sa-i6847848/sidney-harris-i-think-
you-should-be-m ore-explicit-here-in-step-two-cartoon.htm
ZKProof.org
• Open initiative
• Industry, academia
• First workshop May 2018
• Framework for a formal
standard of Zero-Knowledge
Proofs

55. Non-Interactive Zero-Knowledge Proof
http://slideplayer.com /slide/2891428/
zk-SNARK Proof

56. ISO/IEC 9798-5:2009
Compliance with ISO/IEC 9798-5 may involve the use of the
following patents and their counterparts in other countries.
https://www.iso.org/standard/50456.htm l
Patent Title Inventor Filing
Date
US 4 995 082 Method for identifying subscribers and for
generating and verifying electronic
signatures in a data exchange system
C.P. Schnorr 1990
US 5 140 634 Method and apparatus for authenticating
accreditations and for authenticating and
signing messages
L.C. Guillou
and J-J.
Quisquater
1991
EP 0 311 470 Methods and systems to authenticate
authorizations and messages with a zero
knowledge-proof system and to provide
messages with a signature
L.C. Guillou
and J-J.
Quisquater
1998
EP 0 666 664 Method for performing a double-signature
secure electronic transaction
M. Girault 1995

57. Attack Resilience (From Academia)
http://repository.ust.hk/ir/bitstream /1783.1-6277/1/pseudo.pdf
Attack Description Mitigation
Impersonation A malicious impersonator, for either party Need secret, completeness
and soundness
Replay Attack Malicious peer or attacker collects
previous proofs, and resends these
Challenge message
required
Man in the
Middle (MITM)
Intruder is able to access and modify
messages between prover and verifier
(without them knowing)
It depends, implementation
specific
Collaborated
Attack
Subverted nodes collaborate to enact
identity fraud, or co-conspirator
It depends, requires
reputation auditing design
Denial of
Service (Dos)
Renders networks, hosts, and other
systems unusable by consuming
bandwidth or deluging with huge number
of requests to overload systems
Could happen during
authentication setup

58. Ideal for Identification
ZKPs are the ideal solution to
challenges in identification
• Users can prove identities
• No exchange of sensitive information
• Mitigates identity theft
– Sultan Almuhammadi
– Charles Neuman
University of Southern
California, Los Angeles
(2005)
https://ieeexplore.ieee.org/docum ent/1524082/
Graphic: https://www.equifax.com.au/personal/articles/what-identity-watch

59. Any sufficiently
advanced technology
is indistinguishable
from magic.
– Arthur C. Clarke
Graphic: https://www.shutterstock.com/video/search/loop-ready-file/?ref_context=keyword

60. ZKP Requirements
http://www0.cs.ucl.ac.uk/staff/J.G roth/ShortNIZK.pdf
http://www.austinm ohr.com /work/files/zkp.pdf
http://www.wisdom .weizm ann.ac.il/~oded/zk-tut02.htm l
Completeness
• If statement is true, verifier will be
convinced by prover
Soundness
• If statement is false, a cheating
prover cannot convince verifier it is
true
o Except with some small probability
Zero-Knowledge
• Verifier learns nothing beyond the
statement’s validity
Graphic: http://mentalfloss.com/article/64108/15-things-you-should-know-about-dogs-playing-poker

61. Known Vulnerabilities
An Example

62. Zero-Knowledge Range Proof (ZKRP)
Validate
• Person is 18-65 years old
oWithout disclosing the age
• Person is in Europe
oWithout disclosing the exact location
https://github.com /ing-bank/zkrangeproof

63. ZKRP Vulnerability
• Madars Virza
• “The publicly computable value y/t is roughly
the same magnitude (in expectation) as w^2
* (m-a+1)(b-m+1). However, w^2 has fixed
bit length (again, in expectation) and thus
for a fixed range, this value leaks the
magnitude of the committed value.”
• The proof is not zero knowledge
• Response: will find alternative ZKP
https://github.com /ing-bank/zkrangeproof
Graphic: https://www.pexels.com/photo/milkweed-bug-perching-on-pink-flower-in-close-up-
photography-1085549/