PRIVACY-PRESERVING
AUTHENTICATION
ANOTHER REASON TO CARE ABOUT
ZERO-KNOWLEDGE PROOFS
clare_nelson@clearmark.biz
@Safe_SaaS
The Challenge
Digital Identity
If your personal data
is never collected, it
cannot be stolen.
https://www.zurich.ibm.com/identity_mixer/
https://www.ted.com/talks/maria_dubovitskaya_take_back_control_of_your_personal_data, TED Talk
– Maria Dubovitskaya
Cryptographer, Research Staff
Member, IBM Zurich Research
Laboratory, Ph.D. in cryptography
and privacy from ETH Zurich
Zero-Knowledge Proofs
Graphic: https://www.youtube.com/watch?v=jp_QGwXsoXM
How to Preserve Privacy?
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf
Credential Service
Provider (CSP)
Authenticate
Avoid
• Transfer of
identity
attributes,
secrets
Digital Identity Model
How to Preserve Privacy?
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf
Credential Service
Provider (CSP)
Authenticate
ZKP
ZKP
Use Zero-
Knowledge
Proofs instead
of transferring
attributes or
secrets
Zero-Knowledge Proofs
Definition
One of the most powerful
tools cryptographers have
ever devised.
https://z.cash/team.html
https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/
– Matthew Green
Professor at Johns Hopkins University,
co-founder of Zcash
Zero-Knowledge Proofs
Definition of Zero-Knowledge Proof
http://www0.cs.ucl.ac.uk/staff/J.Groth/ShortNIZK.pdf
http://www.austinmohr.com/work/files/zkp.pdf
Enable a Prover to convince a
Verifier of the validity of a
statement
• Yields nothing beyond validity
of the statement
• Incorporates randomness
• Is probabilistic
o Does not provide absolute
certainty
Prover Verifier
Statement
Interactive Zero-Knowledge Proof
Derived from http://blog.stratumn.com/zkp-hash-chains/
Prover Verifier
Construct
ZKP
Verify
ZKP
Proof
Non-Interactive ZKP
Collapse, transform
multiple messages into
one message, or string
007 Wants to Read the News
Credit to Anna Lysyanskaya for the 007 metaphor
Graphic: http://www.007.com/characters/the-bonds/
I can tell you.
But then I’ll have to kill you.
www.telegraph.co.uk
Today’s news?
Who are you?
Do you have a subscription?
007 Uses Subscription
My subscription is
#4309115
www.telegraph.co.uk
Today’s news?
Who are you?
Do you have a subscription?
007 Reveals Personal Data:
- Zip code when he looks up the weather
- Date of birth when he reads his horoscope
- More data when he browses the personal ads
Credit to Anna Lysyanskaya for the 007 metaphor
Graphic: http://www.007.com/characters/the-bonds/
Completeness: Telegraph Accepts Proof
Here is a
Zero-Knowledge Proof
www.telegraph.co.uk
Today’s news?
Who are you?
Do you have a subscription?
Credit to Anna Lysyanskaya for the 007 metaphor
Graphic: http://www.007.com/characters/the-bonds/
Completeness
• Honest verifier is convinced of true statement
Soundness
Credit to Anna Lysyanskaya for the 007 metaphor
Graphic: https://en.wikipedia.org/wiki/M_(James_Bond)
It’s Bond. James Bond. www.telegraph.co.uk
Today’s news?
Rejected
Who are you?
Do you have a subscription?
(M fails because
she can’t prove to
Telegraph)
ZKP Illustration
Interactive ZKP
Zero-Knowledge Proof Illustration
Matthew Green
Telecom Company
• Cell towers
• Vertices
• Avoid signal overlap
• Use 1 of 3 signals
https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/
3-Color Graph Problem
• Use colors to represent
frequency bands
• Solve for 1,000 towers
• Hire ABC Consulting
Zero-Knowledge Proof Illustration
Matthew Green
https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/
Proof of Solution
• Prove they have a solution without
revealing it
• Hats hide the solution
Zero-Knowledge Proof Illustration
Matthew Green
https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/
Proof of Solution
• Remove any two hats
• See vertices are different
colors
Zero-Knowledge Proof Illustration
Matthew Green
https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/
Repeat this process
• Clear previous solution
• (Add randomness)
• Solve again
• Telecom removes two hats
Accept or Reject
• Complete for preset number of
rounds
• Telecom accepts or rejects
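Worked example, added here and not code from the deck or from Matthew Green's post: the hat protocol of the last few slides in Python. The tower graph, ABC Consulting's coloring and the deliberately bad coloring are constructed sample data. A hat is a SHA-256 commitment to one vertex's color under a random nonce; each round the prover randomly relabels the three bands before putting the hats on (the "add randomness" step), so the two colors the telecom sees are a uniformly random distinct pair that says nothing about the real solution. A prover with even one violated edge survives a round with probability at most 1 - 1/|E|, which is why the protocol runs for a preset number of rounds.

```python
import hashlib
import random
import secrets

COLORS = ("red", "green", "blue")  # the three frequency bands

# Constructed toy "cell tower" graph: vertices are towers, edges join towers
# whose signals would overlap, so adjacent towers need different bands.
TOWER_GRAPH = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (5, 0), (0, 2), (3, 5)]

# ABC Consulting's (constructed) solution: every edge joins two different colors.
SOLUTION = {0: "red", 1: "green", 2: "blue", 3: "red", 4: "green", 5: "blue"}

# Constructed bad "solution": towers 0 and 1 share a band, so edge (0, 1) is violated.
BAD_SOLUTION = {**SOLUTION, 1: "red"}


def is_valid_coloring(edges, coloring):
    """The check a verifier could only run if the whole solution were revealed."""
    return all(coloring[u] != coloring[v] for u, v in edges)


def hat(color, nonce):
    """A 'hat': a hiding and binding commitment to one vertex's color."""
    return hashlib.sha256(nonce + color.encode()).hexdigest()


class Prover:
    """Holds a (claimed) coloring and plays the prover side of each round."""

    def __init__(self, coloring, rng=random):
        self.coloring = coloring
        self.rng = rng

    def put_on_hats(self):
        """Fresh round: randomly relabel the bands, then commit to every vertex."""
        shuffled = list(COLORS)
        self.rng.shuffle(shuffled)
        relabel = dict(zip(COLORS, shuffled))
        self.opened = {v: (relabel[c], secrets.token_bytes(16))
                       for v, c in self.coloring.items()}
        return {v: hat(c, n) for v, (c, n) in self.opened.items()}

    def lift_hats(self, u, v):
        """Open exactly the two hats the telecom asked for."""
        return self.opened[u], self.opened[v]


def run_protocol(edges, prover, rounds, rng=random):
    """Telecom (verifier) side: accept only if every round opens to two different valid bands."""
    for _ in range(rounds):
        hats = prover.put_on_hats()
        u, v = rng.choice(edges)  # verifier picks which two hats come off
        (cu, nu), (cv, nv) = prover.lift_hats(u, v)
        if hat(cu, nu) != hats[u] or hat(cv, nv) != hats[v]:
            return False  # opened value does not match the commitment
        if cu not in COLORS or cv not in COLORS or cu == cv:
            return False  # same band on an overlapping pair
    return True


def cheat_success_bound(edges, rounds):
    """Upper bound on a cheating prover passing: one bad edge is caught with prob. 1/|E| per round."""
    return (1 - 1 / len(edges)) ** rounds


if __name__ == "__main__":
    print("honest prover accepted:", run_protocol(TOWER_GRAPH, Prover(SOLUTION), 50))
    print("cheating prover accepted:", run_protocol(TOWER_GRAPH, Prover(BAD_SOLUTION), 300))
    print("cheat bound after 300 rounds:", cheat_success_bound(TOWER_GRAPH, 300))
```

With eight edges, 300 rounds drive the cheating prover's survival probability below 1e-15, while the honest prover is accepted in every round; the verifier never learns more than two random, different colors per round.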
Zero-Knowledge Proof Illustration
Matthew Green
https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/
ZKP Variants
Examples
Examples of ZKP Variants
https://www.slideshare.net/arunta007/elliptic-curve-cryptography-and-zero-knowledge-proof-27914533?next_slideshow=1
https://www.youtube.com/watch?v=CKncw6mIMJQ&list=PLpr-xdpM8wG8DPozMmcbwBjFn15RtC75N
https://www.starkware.co/
http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf
https://eprint.iacr.org/2017/1066.pdf, Bulletproofs
https://thexvid.com/video/O8QA6Nvg8RI/zcash-genesis-block.html, trusted setup, live stream of Zcash launch
ZKP: Interactive, multiple messages, needs a stable communication channel
NIZKP: Not interactive, one message
zk-SNARK: Needs a one-time, trusted setup to generate the key at launch
zk-STARK: No setup, working on memory issues, interactive or non-interactive, post-quantum secure
Designated Verifier: DVNIZK, not just any entity can be the verifier; the verifier must know a secret
Lattice-Based: Lattice-based cryptography, post-quantum secure, research
Graph Isomorphism: Interactive, compares graphs, efficient computation
zk-STIK: Scalable Transparent Interactive Oracle Proof (IOP) of Knowledge
Bulletproof: No setup, 188 bytes, 10 ms in some cases, not post-quantum secure
ZKP Examples
Digital Identity
ZKP Flexibility, Variety of Use Cases
• Range proofs
o Age range: 25-45 years old
• Set membership
o Citizen of European Union
• Comparison
o Do identity attributes or
secrets match?
• Computational integrity
Logical combination of any
of the above
Preserve
Privacy
Graph Isomorphism ZKP
Early Paper: UC Berkeley, 1986
Passport Driver’s License National ID
Relying
Party
Authoritative
Sources
No personal data
leaves mobile phone or
authoritative source
1986: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.469.9048&rep=rep1&type=pdf
2006: https://www.cs.cmu.edu/~ryanw/crypto/lec6.pdf
2009: http://www.cs.cornell.edu/courses/cs6810/2009sp/scribe/lecture18.pdf
2011: http://www.cs.haifa.ac.il/~orrd/IntroToCrypto/Spring11/Lecture9.pdf
https://kriptan.org/white-papers.html
http://gauss.ececs.uc.edu/Courses/c653/lectures/PDF/zero.pdf
zk-STARK Example
(Ben-Sasson, Bentov, Horesh, Riabzev)
https://eprint.iacr.org/2018/046.pdf
National Offender DNA Database Presidential Candidate, Jaffa
Prove to public that Jaffa is not in offender database
Graphic: https://www.linkedin.com/in/jaffaedwards/, with permission May 25, 2018.
No reliance on any external trusted party
Designated Verifier
https://eprint.iacr.org/2017/1029.pdf
Designated-Verifier
Non-Interactive
Zero-Knowledge Proof of
Knowledge (DVNIZK)
• Provides efficient, privacy-
preserving authentication
EUROCRYPT 2018
Graphic: http://www.cs.technion.ac.il/images/events/2018/3031/fullsize.jpg
ZKP Identity-Related Landscape
Identity Verification, Authentication
Considerations
Timeline: It is Still Early Days
ZKP Considerations
Depends on Implementation or Use Cases
1. Transparent
2. Succinct
3. Universal
4. Scalable
5. Compliant with upcoming
ZKP Standards
6. Interactive, non-interactive
7. Support for IoT or cars
8. Secure (threat model)
9. Third-party audit
10. Post-quantum secure
1985
Goldwasser, Micali,
Rackoff paper
2018
ZKP Standards
Organization
Formal ZKP standard
2012
Goldwasser, Micali
win Turing Award
https://groups.csail.mit.edu/cis/pubs/shafi/1985-stoc.pdf
https://zkproof.org/
Timeline
It is Still Early Days
clare_nelson@clearmark.biz
@Safe_SaaS
Bulletproof: Example of Exquisite Math
https://blog.chain.com/faster-bulletproofs-with-ristretto-avx2-29450b4490cd
Range Proof Protocol
ZKP Resources
• ISO/IEC 9798-5
• Letter to NIST
• Code
o libSNARK C++ library
o libSTARK C++ library
o Bulletproofs using Ristretto, Rust library
• Succinct Computational Integrity and Privacy
Research (SCIPR) Lab
• Stanford Applied Cryptography
• ZKP Science
• ZKP Standards Organization
https://zkp.science/docs/Letter-to-NIST-20160613-Advanced-Crypto.pdf
https://github.com/chain/ristretto-bulletproofs/
Gratitude
ZKP Inventors, Pioneers
We Stand on the Shoulders of Giants
https://www.csail.mit.edu/user/733
https://people.csail.mit.edu/silvio/
https://cyberweek.tau.ac.il/2017/about/speakers/item/207-eli-ben-sasson
https://z.cash/team.html
Shafi Goldwasser Eli Ben-Sasson
Silvio Micali Matthew Green
Graph Isomorphism ZKP
UC Berkeley, 1986
Prover Verifier
(Graph Isomorphism Problem: Given two graphs with n
vertices each, decide whether they are isomorphic.)
1986: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.469.9048&rep=rep1&type=pdf
2006: https://www.cs.cmu.edu/~ryanw/crypto/lec6.pdf
2009: http://www.cs.cornell.edu/courses/cs6810/2009sp/scribe/lecture18.pdf
2011: http://www.cs.haifa.ac.il/~orrd/IntroToCrypto/Spring11/Lecture9.pdf
https://kriptan.org/white-papers.html
http://gauss.ececs.uc.edu/Courses/c653/lectures/PDF/zero.pdf
Compare identity attributes
without transferring them
Graph Isomorphism ZKP (GIZKP)
Cornell University, 2009
http://www.cs.cornell.edu/courses/cs6810/2009sp/scribe/lecture18.pdf
Graph Isomorphism ZKP (GIZKP)
Carnegie Mellon University, 2006
https://www.cs.cmu.edu/~ryanw/crypto/lec6.pdf
How does Prover prove to Verifier that an
isomorphism exists?
Input:
2 isomorphic graphs G, H on n nodes each. Prover knows
isomorphism f. A security parameter k (positive integer).
Output:
A zero-knowledge protocol that proves P knows f. The Prover
gives no information to a cheating verifier Ṽ; a cheating prover P̃
can cheat (successfully) with probability ≤ 1/2^n.
Protocol:
Repeat k times.
Prover: Privately take G and randomly
permute vertices to get a graph F.
Prover: Publicly present F to Verifier (G and
H are public from the beginning).
Verifier: Toss a coin, and ask Prover to
show that G ≅ F if heads, or H ≅ F if tails.
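Added example (not part of the CMU notes or of this deck): the "repeat k times" protocol above in Python, together with a prover that does not know the isomorphism. The graphs G_EDGES and H and the secret bijection F_SECRET are constructed sample data; f maps vertex v of G to vertex f[v] of H. On heads the prover reveals its private permutation pi; on tails it reveals pi composed with f^-1, which maps H onto F without ever exposing f by itself. The cheating prover can only prepare F from one side and so guesses right with probability 1/2 per round, which is the 1/2^k soundness bound.

```python
import random

# Constructed example graphs on n = 6 vertices. H is G with vertices relabelled by
# the secret isomorphism F_SECRET (the "f" of the notes); both graphs are public.
N = 6
G_EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (5, 0), (0, 3)]
F_SECRET = [2, 5, 1, 4, 0, 3]  # vertex v of G becomes vertex F_SECRET[v] of H


def relabel(edges, perm):
    """Apply a vertex permutation to an undirected edge set."""
    return frozenset(frozenset((perm[a], perm[b])) for a, b in edges)


def invert(perm):
    inv = [0] * len(perm)
    for src, dst in enumerate(perm):
        inv[dst] = src
    return inv


def compose(outer, inner):
    """(outer ∘ inner)(v) = outer[inner[v]]"""
    return [outer[v] for v in inner]


def random_perm(n, rng):
    perm = list(range(n))
    rng.shuffle(perm)
    return perm


G = relabel(G_EDGES, list(range(N)))
H = relabel(G_EDGES, F_SECRET)


class Prover:
    """Knows f with H = f(G)."""

    def __init__(self, f, rng=random):
        self.f, self.rng = f, rng

    def commit(self):
        """Privately permute G with a fresh random pi and publish F = pi(G)."""
        self.pi = random_perm(N, self.rng)
        return relabel(G, self.pi)

    def respond(self, coin):
        if coin == 0:  # heads: show G ≅ F by revealing pi
            return self.pi
        return compose(self.pi, invert(self.f))  # tails: show H ≅ F via pi ∘ f^-1


class CheatingProver:
    """Knows no isomorphism: guesses the coin and prepares F from that side only."""

    def __init__(self, rng=random):
        self.rng = rng

    def commit(self):
        self.guess = self.rng.randrange(2)
        self.sigma = random_perm(N, self.rng)
        return relabel(G if self.guess == 0 else H, self.sigma)

    def respond(self, coin):
        return self.sigma  # only convincing when coin == guess


def verify_round(F, coin, sigma):
    """Check that the revealed permutation maps the requested public graph onto F."""
    base = G if coin == 0 else H
    return sorted(sigma) == list(range(N)) and relabel(base, sigma) == F


def run_protocol(prover, k, rng=random):
    """k rounds; a prover without f passes each coin toss with probability 1/2."""
    for _ in range(k):
        F = prover.commit()
        coin = rng.randrange(2)  # the verifier's coin toss
        if not verify_round(F, coin, prover.respond(coin)):
            return False
    return True


if __name__ == "__main__":
    print("honest prover accepted:", run_protocol(Prover(F_SECRET), 40))
    print("cheating prover accepted:", run_protocol(CheatingProver(), 40))
```

Each revealed permutation is uniformly random on its own (pi is fresh per round, and pi ∘ f^-1 is uniform whenever pi is), so a transcript of any one round could have been produced without f; that is the zero-knowledge property in the sense of the formal definition in the backup slides.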
Taxonomy
http://www.wisdom.weizmann.ac.il/~oded/cc-drafts.html
Interactive,
Non-Interactive
Proofs
Complexity
Theory
ZKP
Related to Cryptography
• Cryptocurrency
• Digital Watermarks
• E-Voting
• Gaming
• Location
• Mimblewimble
• Private Messaging
• Privacy Layer for Ethereum
• Sealed Auctions
• Smart Contracts (Hawk)
• Supply Chain Transparency
• Trusted Platform Module (TPM)
• Zero-Knowledge Blockchain
Scope
In scope: Digital Identities (Identity Proofing, Authentication)
Out of scope: the other ZKP applications listed above
References
• Attribute-based Credentials for Trust (ABC4Trust) Project, https://abc4trust.eu/ (2017).
• AU2EU Project, Authentication and Authorization for Entrusted Unions, http://www.au2eu.eu/ (2017).
• Baldimtsi, Foteini; Lysyanskaya, Anna. Anonymous Credentials Light, http://cs.brown.edu/~anna/papers/bl13a.pdf (2013).
• Ben Sasson, Eli; Chiesa, Alessandro; Garman, Christina; et al. Zerocash: Decentralized Anonymous Payments from Bitcoin,
http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf (May 2014).
• Bitansky, Nir; Brakerski, Zvika; Kalai, Yael. 3-Message Zero Knowledge Against Human Ignorance,
https://eprint.iacr.org/2016/213.pdf (September 2016).
• Blum, Manuel; De Santis, Alfredo; Micali, Silvio; Persiano, Giuseppe. Non-Interactive Zero-Knowledge and its Applications,
https://people.csail.mit.edu/silvio/Selected%20Scientific%20Papers/Zero%20Knowledge/Noninteractive_Zero-Knowkedge.pdf
(1991).
• Brands, Stefan. Rethinking Public Key Infrastructures and Digital Certificates. The MIT Press,
http://www.credentica.com/the_mit_pressbook.html (2000).
• Bünz, Benedikt; Bootle, Jonathan; Boneh, Dan; et al. Bulletproofs: Short Proofs for Confidential Transactions and More,
https://eprint.iacr.org/2017/1066.pdf (2017).
• Camenisch, Jan; Van Herreweghen, Els. Design and Implementation of the IBM Idemix Anonymous Credential System, in
Proceedings of the 9th ACM Conference on Computer and Communications Security, ACM, 2002, pp. 21–30.
• Camenisch, Jan; Dubovitskaya, Maria; Enderlein, Robert; et al. Concepts and Languages for Privacy-Preserving Attribute-Based
Authentication, https://pdfs.semanticscholar.org/82e2/4078c9ba9fcaf6177a80b8496779676af114.pdf (2013).
References
• Cutler, Becky. The Feasibility and Application of Using Zero-Knowledge Protocol for Authentication Systems,
http://www.cs.tufts.edu/comp/116/archive/fall2015/bcutler.pdf (2015).
• Durcheva, Mariana. Zero Knowledge Proof Protocol Based on Graph Isomorphism Problem,
http://www.jmest.org/wp-content/uploads/JMESTN42351827.pdf (2016).
• Fleischhacker, Nils; Goyal, Vipul; Jain, Abhishek. On the Existence of Three Round Zero-Knowledge Proofs,
https://eprint.iacr.org/2017/935.pdf (2017).
• Gebeyehu, Worku; Ambaw, Lubak; Reddy, MA Eswar. Authenticating Grid Using Graph Isomorphism Based Zero Knowledge
Proof, https://link.springer.com/chapter/10.1007/978-3-319-03107-1_2 (2014).
• Géraud, Rémi. Zero-Knowledge: More Secure than Passwords?
https://blog.ingenico.com/posts/2017/07/zero-knowledge-proof-more-secure-than-passwords.html (July 25, 2017).
• Geers, Marjo. Comparing Privacy in eID Schemes, http://www.id-world-magazine.com/?p=923 (2017).
• Goldreich, Oded. Zero-Knowledge: A Tutorial by Oded Goldreich, http://www.wisdom.weizmann.ac.il/~oded/zk-tut02.html, has an
extensive reference list (2010).
• Goldreich, Oded; Oren, Yair. Definitions and Properties of Zero-Knowledge Proof Systems,
http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.17.2901 (1994).
• Goldwasser, Shafi; Micali, Silvio; Rackoff, Charles. The Knowledge Complexity of Interactive Proof-Systems, ACM 0-89791-151-2/85/005/02911
(1985).
• Green, Matthew. Zero Knowledge Proofs: An Illustrated Primer,
https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/ (November 2014).
References
• Groth, Jens. Short Pairing-Based Non-Interactive Zero-Knowledge Arguments,
http://www0.cs.ucl.ac.uk/staff/J.Groth/ShortNIZK.pdf (2010).
• Groth, Jens; Lu, Steve. A Non-Interactive Shuffle with Pairing Based Verifiability,
http://www0.cs.ucl.ac.uk/staff/J.Groth/AsiacryptPairingShuffle.pdf (2006).
• Groth, Jens; Ostrovsky, Rafail; Sahai, Amit. New Techniques for Non-interactive Zero-Knowledge,
http://www0.cs.ucl.ac.uk/staff/J.Groth/NIZKJournal.pdf (2011).
• Guillou, Louis; Quisquater, Jean-Jacques. How to Explain Zero-Knowledge Protocols to Your Children, http://pages.cs.wisc.edu/~mkowalcz/628.pdf
(1998).
• Gupta, Anuj Das; Delight, Ankur. Zero-Knowledge Proof of Balance: A Friendly ZKP Demo,
http://blog.stratumn.com/zero-knowledge-proof-of-balance-demo/ (June 2017).
• Hardjono, Thomas; Pentland, Alex “Sandy”; MIT Connection Science & Engineering. Core Identities for Future Transaction
Systems,
https://static1.squarespace.com/static/55f6b5e0e4b0974cf2b69410/t/57f7a1653e00be2c09eb96e7/1475846503159/Core-Identity-Whitepaper-v08.pdf
(October 7, 2016). [TBD: check back, right now it is a DRAFT, do not cite]
• ISO/IEC. Information technology — Security techniques — Entity authentication — Part 5: Mechanisms using zero-knowledge
techniques, https://www.iso.org/standard/50456.html (2015).
• Johnstone, Mike. Why We Need Privacy-Preserving Authentication in the Facebook Age,
http://www.iaria.org/conferences2015/filesICSNC15/ICSNC_Keynote_v1.1a.pdf (November 2013).
• Kogta, Ronak. ZK-Snarks in English,
https://www.slideshare.net/rixor786/zksnarks-in-english?qid=0e3be303-84fc-43d2-be96-6db2085a28ff&v=&b=&from_search=3 (July 2017).
References
• Lindell, Yehuda. Efficient Zero-Knowledge Proof, https://www.youtube.com/watch?v=Vahw28dValA (2015).
• Lysyanskaya, Anna. How to Balance Privacy and Key Management in User Authentication,
http://csrc.nist.gov/groups/ST/key_mgmt/documents/Sept2012_Presentations/LYSYANSKAYA_nist12.pdf (2012).
• Martin-Fernandez, Francisco; Caballero-Gil, Pino; Caballero-Gil, Candido. Authentication Based on Non-Interactive
Zero-Knowledge Proofs for the Internet of Things, https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4732108/ (January 2016).
• Mohr, Austin. A Survey of Zero-Knowledge Proofs with Applications to Cryptography,
http://www.austinmohr.com/work/files/zkp.pdf.
• Montenegro, Jose; Fischer, Michael; Lopez, Javier; et al. Secure Sealed-Bid Online Auctions Using Discreet Cryptographic
Proof, http://www.sciencedirect.com/science/article/pii/S0895717711004535?via%3Dihub (June 2013).
• Nguyen, Quan; Rudoy, Mikhail; Srinivasan, Arjun. Two Factor Zero Knowledge Proof Authentication System,
https://courses.csail.mit.edu/6.857/2014/files/16-nguyen-rudoy-srinivasan-two-factor-zkp.pdf (2014).
• Schukat, M; Flood, P. Zero-knowledge Proofs in M2M Communication,
http://digital-library.theiet.org/content/conferences/10.1049/cp.2014.0697 (2014).
• Broadbent, Anne; Ji, Zhengfeng; Song, Fang. Zero-Knowledge Proof Systems for QMA, https://arxiv.org/pdf/1604.02804.pdf
(2016).
• Unruh, Dominique. Quantum Proofs of Knowledge, https://eprint.iacr.org/2010/212.pdf (February 2015).
• Wilcox, Zooko. Podcast, Zero Knowledge, The Future of Privacy,
https://medium.com/blockchannel/episode-3-zero-knowledge-the-future-of-privacy-ea18479295f4 (February 21, 2017).
• Wu, Huixin; Wang, Feng. A Survey of Noninteractive Zero Knowledge Proof System and Its Applications,
https://www.hindawi.com/journals/tswj/2014/560484/ (May 2014).
EUROCRYPT 2018
https://eurocrypt.iacr.org/2018/acceptedpapers.html
Efficient Designated-Verifier Non-Interactive
Zero-Knowledge Proofs of Knowledge
• Pyrros Chaidos (University of Athens), Geoffroy
Couteau (Karlsruhe Institute of Technology)
Quasi-Optimal SNARGs via Linear Multi-
Prover Interactive Proofs
• Dan Boneh (Stanford), Yuval Ishai (Technion
and UCLA), Amit Sahai (UCLA), David J. Wu
(Stanford)
On the Existence of Three Round Zero-
Knowledge Proofs
• Nils Fleischhacker (Johns Hopkins University
and Carnegie Mellon University), Vipul Goyal
(Carnegie Mellon University), Abhishek Jain
(Johns Hopkins University)
An Efficiency-Preserving Transformation
from Honest-Verifier Statistical Zero-
Knowledge to Statistical Zero-Knowledge
• Pavel Hubáček (Charles University in Prague),
Alon Rosen (IDC Herzliya), Margarita Vald (Tel-
Aviv University)
Partially Splitting Rings for Faster Lattice-
Based Zero-Knowledge Proofs
• Vadim Lyubashevsky (IBM Research - Zurich),
Gregor Seiler (IBM Research - Zurich)
Backup Slides
The Schnorr NIZK proof is obtained from
the interactive Schnorr identification
scheme through a Fiat-Shamir
transformation
• This transformation involves using a
secure cryptographic hash function to
issue the challenge instead
https://tools.ietf.org/html/draft-hao-schnorr-01
Schnorr NIZK (IETF Draft)
Graphic: https://www.bswllc.com/resources-articles-preparing-for-the-2013-coso-internal-framework
Zero-Knowledge Proof, Formal Definition
http://www.cs.cornell.edu/courses/cs6810/2009sp/scribe/lecture18.pdf
An interactive proof system (P, V) for a language L is zero-knowledge
if for any PPT verifier V* there exists an expected PPT simulator S
such that
∀ x ∈ L, z ∈ {0,1}*: View_{V*}[P(x) ↔ V*(x, z)] = S(x, z)
As usual, P has unlimited computation power (in practice, P must
be a randomized TM).
Intuitively, the definition states that an interactive proof system (P,
V) is zero-knowledge if for any verifier V∗ there exists an efficient
simulator S that can essentially produce a transcript of the
conversation that would have taken place between P and V∗ on
any given input.
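Added example, not code from the IETF draft or from this deck: the interactive Schnorr identification scheme, its Fiat-Shamir NIZK form from the backup slide above, and the simulator the formal definition calls for. The group parameters P, Q, G are toy values constructed for the example (a real deployment uses a 2048-bit group or an elliptic curve). The context argument is an assumption of this example: it binds each one-message proof to a verifier-supplied nonce or session id, which is how the "challenge message required" mitigation against replay from the attack table later in the backup slides carries over once the hash replaces the live challenge.

```python
import hashlib
import random

# Toy group parameters, constructed for the example and far too small for real use:
# p = 2q + 1 with p and q prime, and G = 4 generates the subgroup of prime order q.
P, Q, G = 1019, 509, 4

_sysrng = random.SystemRandom()


def keygen(rng=_sysrng):
    """Private key x in [1, q-1], public key y = g^x mod p."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def commit(rng=_sysrng):
    """Prover's first move: random r and commitment R = g^r."""
    r = rng.randrange(Q)
    return r, pow(G, r, P)


def respond(x, r, c):
    """Prover's answer to challenge c: s = r + c*x mod q."""
    return (r + c * x) % Q


def check(y, R, c, s):
    """Verifier's equation g^s == R * y^c, after sanity checks on R and s."""
    if not (0 < R < P and pow(R, Q, P) == 1 and 0 <= s < Q):
        return False
    return pow(G, s, P) == (R * pow(y, c, P)) % P


def interactive_identify(x, y, verifier_challenge):
    """Interactive Schnorr: the verifier issues a fresh challenge only after seeing R."""
    r, R = commit()
    c = verifier_challenge(R) % Q
    return check(y, R, c, respond(x, r, c))


def fiat_shamir_challenge(y, R, context):
    """Fiat-Shamir: a hash of the transcript so far (plus context) replaces the verifier's challenge."""
    data = b"|".join(str(v).encode() for v in (P, Q, G, y, R)) + b"|" + context
    return int.from_bytes(hashlib.sha256(b"schnorr-nizk|" + data).digest(), "big") % Q


def nizk_prove(x, y, context):
    """One-message proof (R, s); context binds it to e.g. a verifier nonce or session id."""
    r, R = commit()
    return R, respond(x, r, fiat_shamir_challenge(y, R, context))


def nizk_verify(y, proof, context):
    R, s = proof
    return check(y, R, fiat_shamir_challenge(y, R, context), s)


def simulate(y, c, rng=_sysrng):
    """Honest-verifier simulator from the formal definition: without the secret, pick s first
    and solve R = g^s * y^(-c), which yields an accepting transcript (R, c, s)."""
    s = rng.randrange(Q)
    R = (pow(G, s, P) * pow(y, (-c) % Q, P)) % P
    return R, s


if __name__ == "__main__":
    x, y = keygen()
    print("interactive:", interactive_identify(x, y, lambda R: _sysrng.randrange(Q)))
    proof = nizk_prove(x, y, b"session-1")
    print("nizk, same session:", nizk_verify(y, proof, b"session-1"))
    print("nizk, replayed into another session:", nizk_verify(y, proof, b"session-2"))
    R, s = simulate(y, 42)
    print("simulated transcript accepted:", check(y, R, 42, s))
```

The simulated (R, c, s) is distributed exactly like a real transcript, so an honest verifier's view reveals nothing about x; that is the formal definition at work. The replay case fails because the challenge is recomputed from the new context and no longer matches the s that was computed for the old one.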
ZKPOK
I can’t tell you
my secret,
but I can prove
to you
that I know the
secret
Source: J. Chou, SC700 A2 Internet Information Protocols (2001)
Graphic: http://www.flowmarq.com/single-post/2015/05/18/IDENTITY-Clarifying-Motivations
https://www.symantec.com/connect/blogs/you-can-t-have-privacy-without-security
https://www.microsoft.com/en-us/research/research-area/security-privacy-cryptography/
You can have security
without privacy,
but you can’t have privacy
without security.
— Carolyn Herzog, EVP and
General Counsel, ARM
ZKP Variations
https://eprint.iacr.org/2010/150.pdf
• GMR defined knowledge as the
computational power of a party
• Differentiates “knowledge” from
“information”
• Knowledge is coupled with
computational power
• One-Round ZKP
• Pairing-Based Non-Interactive Arguments
• Perfect ZKPs
• Private-coin ZKP
• Public-coin ZKP
• Scalable Transparent Argument of Knowledge (STARK)
• Scalable Transparent IOP of Knowledge (STIK)
• Schnorr Non-Interactive Zero-Knowledge Proof
• Statistical Zero-Knowledge
• Succinct Interactive Proof (SCIP)
• Succinct Non-Interactive Argument (SNARG)
• Succinct Non-Interactive Argument of Knowledge (SNARK)
• Super-Perfect ZKP
• Symbolic Zero-Knowledge Proof
• Three-Round ZKP
• ZK Arguments
• ZKP Based on Graph Isomorphism
• ZKP of Proximity (ZKPP)
https://ieeexplore.ieee.org/document/1524082/
https://eprint.iacr.org/2018/167.pdf
https://eurocrypt.iacr.org/2018/acceptedpapers.html
http://www0.cs.ucl.ac.uk/staff/J.Groth/NIZKJournal.pdf
https://eprint.iacr.org/2017/114.pdf
http://www.jmest.org/wp-content/uploads/JMESTN42351827.pdf
Examples: ZKP Variations, Terminology
• Approximate Zero-Knowledge Proof
• Bulletproof
• Computationally sound implementations of Symbolic Zero-
Knowledge Proof
• Concurrent ZKP
• Designated-Verifier Non-Interactive Zero-Knowledge Proof
(DVNIZK)
• Double Advance ZKP
• !-zero-knowledge (weaker notion of ZKP)
• Five-Round ZKP
• Honest-Verifier Statistical Zero-Knowledge
• Implicit Zero-Knowledge Arguments
• Lattice-Based ZKPs
• Lepinski’s 3-round ZK proof protocol
• Non-Interactive Zero-Knowledge Arguments
• Non-Interactive Proofs of Knowledge ((NI)ZKPoKs)
ZKP Challenges
https://www.slideshare.net/arunta007/elliptic-curve-cryptography-and-zero-knowledge-proof-27914533?next_slideshow=1
https://www.starkware.co/#jobs
• Requires expertise and experience
o PhD mathematics or cryptography
o Algebraic cryptography requiring high-
performance computation in finite fields
o Applications of modern algebra to
algorithms and computer science
• Correct usage
• Security, threat model
• Audited code, formal verification
• Known bugs and vulnerabilities
Graphic: http://www.digifotopro.nl/content/beklimming-mount-everest-360-graden-vastgelegd
ZKP Standards
https://zkproof.org/
I think you should be more
explicit here in step two
Cartoonist: Sidney Harris
Source: https://www.art.com/products/p15063445373-sa-i6847848/sidney-harris-i-think-you-should-be-more-explicit-here-in-step-two-cartoon.htm
ZKProof.org
• Open initiative
• Industry, academia
• First workshop May 2018
• Framework for a formal
standard of Zero-Knowledge
Proofs
Non-Interactive Zero-Knowledge Proof
http://slideplayer.com/slide/2891428/
zk-SNARK Proof
ISO/IEC 9798-5:2009
Compliance with ISO/IEC 9798-5 may involve the use of the
following patents and their counterparts in other countries.
https://www.iso.org/standard/50456.html
Patent, Title, Inventor, Filing Date:
US 4 995 082: Method for identifying subscribers and for generating and verifying electronic signatures in a data exchange system; C.P. Schnorr; 1990
US 5 140 634: Method and apparatus for authenticating accreditations and for authenticating and signing messages; L.C. Guillou and J-J. Quisquater; 1991
EP 0 311 470: Methods and systems to authenticate authorizations and messages with a zero knowledge-proof system and to provide messages with a signature; L.C. Guillou and J-J. Quisquater; 1998
EP 0 666 664: Method for performing a double-signature secure electronic transaction; M. Girault; 1995
Attack Resilience (From Academia)
http://repository.ust.hk/ir/bitstream/1783.1-6277/1/pseudo.pdf
Attack, Description, Mitigation:
Impersonation: A malicious impersonator, for either party. Mitigation: need a secret, completeness and soundness.
Replay Attack: Malicious peer or attacker collects previous proofs and resends these. Mitigation: challenge message required.
Man in the Middle (MITM): Intruder is able to access and modify messages between prover and verifier (without them knowing). Mitigation: it depends, implementation specific.
Collaborated Attack: Subverted nodes collaborate to enact identity fraud, or a co-conspirator. Mitigation: it depends, requires a reputation auditing design.
Denial of Service (DoS): Renders networks, hosts, and other systems unusable by consuming bandwidth or deluging with a huge number of requests to overload systems. Mitigation: could happen during authentication setup.
Ideal for Identification
ZKPs are the ideal solution to
challenges in identification
• Users can prove identities
• No exchange of sensitive information
• Mitigates identity theft
– Sultan Almuhammadi
– Charles Neuman
University of Southern
California, Los Angeles
(2005)
https://ieeexplore.ieee.org/document/1524082/
Graphic: https://www.equifax.com.au/personal/articles/what-identity-watch
Any sufficiently
advanced technology
is indistinguishable
from magic.
– Arthur C. Clarke
Graphic: https://www.shutterstock.com/video/search/loop-ready-file/?ref_context=keyword
ZKP Requirements
http://www0.cs.ucl.ac.uk/staff/J.Groth/ShortNIZK.pdf
http://www.austinmohr.com/work/files/zkp.pdf
http://www.wisdom.weizmann.ac.il/~oded/zk-tut02.html
Completeness
• If statement is true, verifier will be
convinced by prover
Soundness
• If statement is false, a cheating
prover cannot convince verifier it is
true
o Except with some small probability
Zero-Knowledge
• Verifier learns nothing beyond the
statement’s validity
Graphic: http://mentalfloss.com/article/64108/15-things-you-should-know-about-dogs-playing-poker
Known Vulnerabilities
An Example
Zero-Knowledge Range Proof (ZKRP)
Validate
• Person is 18-65 years old
o Without disclosing the age
• Person is in Europe
o Without disclosing the exact location
https://github.com/ing-bank/zkrangeproof
ZKRP Vulnerability
• Madars Virza
• “The publicly computable value y/t is roughly
the same magnitude (in expectation) as w^2
* (m-a+1)(b-m+1). However, w^2 has fixed
bit length (again, in expectation) and thus
for a fixed range, this value leaks the
magnitude of the committed value.”
• The proof is not zero knowledge
• Response: will find alternative ZKP
https://github.com/ing-bank/zkrangeproof
Graphic: https://www.pexels.com/photo/milkweed-bug-perching-on-pink-flower-in-close-up-photography-1085549/

 
Keyless Technologies - NOAH19 London
Keyless Technologies - NOAH19 LondonKeyless Technologies - NOAH19 London
Keyless Technologies - NOAH19 LondonNOAH Advisors
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021Adam Shostack
 
NVIS-Pitch Deck version 6 - 2022 MAR.pdf
NVIS-Pitch Deck version 6 - 2022 MAR.pdfNVIS-Pitch Deck version 6 - 2022 MAR.pdf
NVIS-Pitch Deck version 6 - 2022 MAR.pdfPhilSmith165
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofAdrian Sanabria
 
SMi Group's 7th annual European Smart Grid Cyber Security 2017 conference
SMi Group's 7th annual European Smart Grid Cyber Security 2017 conferenceSMi Group's 7th annual European Smart Grid Cyber Security 2017 conference
SMi Group's 7th annual European Smart Grid Cyber Security 2017 conferenceDale Butler
 
Extended Visual Cryptography Using Watermarking
Extended Visual Cryptography Using WatermarkingExtended Visual Cryptography Using Watermarking
Extended Visual Cryptography Using WatermarkingShivam Singh
 
EthCon Korea 28 May 2019
EthCon Korea 28 May 2019EthCon Korea 28 May 2019
EthCon Korea 28 May 2019iExec
 

Similar to Zero-Knowledge Proofs: Identity Proofing and Authentication (20)

CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04
 
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04Cyber Hacking & Security - IEEE - Univ of Houston 2015-04
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04
 
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
 
What I learned from RSAC 2019
What I learned from RSAC 2019What I learned from RSAC 2019
What I learned from RSAC 2019
 
Authentication and Privacy in Cloud
Authentication and Privacy in CloudAuthentication and Privacy in Cloud
Authentication and Privacy in Cloud
 
Cloud Computing and the Culture of Innovation
Cloud Computing and the Culture of Innovation Cloud Computing and the Culture of Innovation
Cloud Computing and the Culture of Innovation
 
Zero Trust: Redefining Security in the Digital Age
Zero Trust: Redefining Security in the Digital AgeZero Trust: Redefining Security in the Digital Age
Zero Trust: Redefining Security in the Digital Age
 
Operationalizing Security Intelligence
Operationalizing Security IntelligenceOperationalizing Security Intelligence
Operationalizing Security Intelligence
 
Improving privacy in blockchain using homomorphic encryption
Improving privacy in blockchain using homomorphic encryption Improving privacy in blockchain using homomorphic encryption
Improving privacy in blockchain using homomorphic encryption
 
Certes webinar securing the frictionless enterprise
Certes webinar   securing the frictionless enterpriseCertes webinar   securing the frictionless enterprise
Certes webinar securing the frictionless enterprise
 
Dissecting the dangers of deepfakes and their impact on reputation Generative...
Dissecting the dangers of deepfakes and their impact on reputation Generative...Dissecting the dangers of deepfakes and their impact on reputation Generative...
Dissecting the dangers of deepfakes and their impact on reputation Generative...
 
Practical risk management for the multi cloud
Practical risk management for the multi cloudPractical risk management for the multi cloud
Practical risk management for the multi cloud
 
Keyless Technologies - NOAH19 London
Keyless Technologies - NOAH19 LondonKeyless Technologies - NOAH19 London
Keyless Technologies - NOAH19 London
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021
 
NVIS-Pitch Deck version 6 - 2022 MAR.pdf
NVIS-Pitch Deck version 6 - 2022 MAR.pdfNVIS-Pitch Deck version 6 - 2022 MAR.pdf
NVIS-Pitch Deck version 6 - 2022 MAR.pdf
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard of
 
Attack Vectors in Biometric Recognition Systems
Attack Vectors in Biometric Recognition SystemsAttack Vectors in Biometric Recognition Systems
Attack Vectors in Biometric Recognition Systems
 
SMi Group's 7th annual European Smart Grid Cyber Security 2017 conference
SMi Group's 7th annual European Smart Grid Cyber Security 2017 conferenceSMi Group's 7th annual European Smart Grid Cyber Security 2017 conference
SMi Group's 7th annual European Smart Grid Cyber Security 2017 conference
 
Extended Visual Cryptography Using Watermarking
Extended Visual Cryptography Using WatermarkingExtended Visual Cryptography Using Watermarking
Extended Visual Cryptography Using Watermarking
 
EthCon Korea 28 May 2019
EthCon Korea 28 May 2019EthCon Korea 28 May 2019
EthCon Korea 28 May 2019
 

More from Clare Nelson, CISSP, CIPP-E

Texas Bitcoin Conference: Are Privacy Coins Private Enough?
Texas Bitcoin Conference: Are Privacy Coins Private Enough?Texas Bitcoin Conference: Are Privacy Coins Private Enough?
Texas Bitcoin Conference: Are Privacy Coins Private Enough?Clare Nelson, CISSP, CIPP-E
 
ISSA Austin Speaker of the Year Award for Clare Nelson, CISSP, CIPP/E
ISSA Austin Speaker of the Year Award for Clare Nelson, CISSP, CIPP/EISSA Austin Speaker of the Year Award for Clare Nelson, CISSP, CIPP/E
ISSA Austin Speaker of the Year Award for Clare Nelson, CISSP, CIPP/EClare Nelson, CISSP, CIPP-E
 
Biometrics and Multi-Factor Authentication, The Unleashed Dragon
Biometrics and Multi-Factor Authentication, The Unleashed DragonBiometrics and Multi-Factor Authentication, The Unleashed Dragon
Biometrics and Multi-Factor Authentication, The Unleashed DragonClare Nelson, CISSP, CIPP-E
 
What Every CISO, Product Strategist, or Consumer Needs to Know About Biometri...
What Every CISO, Product Strategist, or Consumer Needs to Know About Biometri...What Every CISO, Product Strategist, or Consumer Needs to Know About Biometri...
What Every CISO, Product Strategist, or Consumer Needs to Know About Biometri...Clare Nelson, CISSP, CIPP-E
 
Biometric Recognition for Authentication, BSides Austin, May 2017
Biometric Recognition for Authentication, BSides Austin, May 2017Biometric Recognition for Authentication, BSides Austin, May 2017
Biometric Recognition for Authentication, BSides Austin, May 2017Clare Nelson, CISSP, CIPP-E
 
Biometric Authentication, Dragon Unleashed, V1.5
Biometric Authentication, Dragon Unleashed, V1.5Biometric Authentication, Dragon Unleashed, V1.5
Biometric Authentication, Dragon Unleashed, V1.5Clare Nelson, CISSP, CIPP-E
 
HackFormers Talk: Beware Wolves in Sheep's Clothing
HackFormers Talk: Beware Wolves in Sheep's ClothingHackFormers Talk: Beware Wolves in Sheep's Clothing
HackFormers Talk: Beware Wolves in Sheep's ClothingClare Nelson, CISSP, CIPP-E
 

More from Clare Nelson, CISSP, CIPP-E (14)

Texas Bitcoin Conference: Are Privacy Coins Private Enough?
Texas Bitcoin Conference: Are Privacy Coins Private Enough?Texas Bitcoin Conference: Are Privacy Coins Private Enough?
Texas Bitcoin Conference: Are Privacy Coins Private Enough?
 
IoT Security, Mirai Revisited
IoT Security, Mirai RevisitedIoT Security, Mirai Revisited
IoT Security, Mirai Revisited
 
ISSA Austin Speaker of the Year Award for Clare Nelson, CISSP, CIPP/E
ISSA Austin Speaker of the Year Award for Clare Nelson, CISSP, CIPP/EISSA Austin Speaker of the Year Award for Clare Nelson, CISSP, CIPP/E
ISSA Austin Speaker of the Year Award for Clare Nelson, CISSP, CIPP/E
 
Biometrics and Multi-Factor Authentication, The Unleashed Dragon
Biometrics and Multi-Factor Authentication, The Unleashed DragonBiometrics and Multi-Factor Authentication, The Unleashed Dragon
Biometrics and Multi-Factor Authentication, The Unleashed Dragon
 
#BiometAuth Podcast
#BiometAuth Podcast#BiometAuth Podcast
#BiometAuth Podcast
 
What Every CISO, Product Strategist, or Consumer Needs to Know About Biometri...
What Every CISO, Product Strategist, or Consumer Needs to Know About Biometri...What Every CISO, Product Strategist, or Consumer Needs to Know About Biometri...
What Every CISO, Product Strategist, or Consumer Needs to Know About Biometri...
 
Biometric Recognition for Authentication, BSides Austin, May 2017
Biometric Recognition for Authentication, BSides Austin, May 2017Biometric Recognition for Authentication, BSides Austin, May 2017
Biometric Recognition for Authentication, BSides Austin, May 2017
 
Biometric Authentication, Dragon Unleashed, V1.5
Biometric Authentication, Dragon Unleashed, V1.5Biometric Authentication, Dragon Unleashed, V1.5
Biometric Authentication, Dragon Unleashed, V1.5
 
FTC Start with Security: Panel
FTC Start with Security: PanelFTC Start with Security: Panel
FTC Start with Security: Panel
 
Multi factor authentication issa0415-x9
Multi factor authentication issa0415-x9Multi factor authentication issa0415-x9
Multi factor authentication issa0415-x9
 
LASCON 2015
LASCON 2015LASCON 2015
LASCON 2015
 
OWASP AppSec USA 2015, San Francisco
OWASP AppSec USA 2015, San FranciscoOWASP AppSec USA 2015, San Francisco
OWASP AppSec USA 2015, San Francisco
 
Financial services 20150503
Financial services 20150503Financial services 20150503
Financial services 20150503
 
HackFormers Talk: Beware Wolves in Sheep's Clothing
HackFormers Talk: Beware Wolves in Sheep's ClothingHackFormers Talk: Beware Wolves in Sheep's Clothing
HackFormers Talk: Beware Wolves in Sheep's Clothing
 

Recently uploaded

The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncObject Automation
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxYounusS2
 

Recently uploaded (20)

The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation Inc
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptx
 

Zero-Knowledge Proofs: Identity Proofing and Authentication

  • 1. PRIVACY-PRESERVING AUTHENTICATION: ANOTHER REASON TO CARE ABOUT ZERO-KNOWLEDGE PROOFS. clare_nelson@clearmark.biz, @Safe_SaaS
  • 3. Zero-Knowledge Proofs. "If your personal data is never collected, it cannot be stolen." – Maria Dubovitskaya, Cryptographer, Research Staff Member, IBM Zurich Research Laboratory, Ph.D. in cryptography and privacy from ETH Zurich. https://www.zurich.ibm.com/identity_mixer/ ; TED Talk: https://www.ted.com/talks/maria_dubovitskaya_take_back_control_of_your_personal_data ; Graphic: https://www.youtube.com/watch?v=jp_QGwXsoXM
  • 4. How Preserve Privacy? Digital Identity Model (NIST SP 800-63-3, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf): Credential Service Provider (CSP); Authenticate. Avoid the transfer of identity attributes and secrets.
  • 5. How Preserve Privacy? Digital Identity Model (NIST SP 800-63-3, same reference): Credential Service Provider (CSP); Authenticate with a ZKP. Use Zero-Knowledge Proofs instead of transferring attributes or secrets.
  • 7. Zero-Knowledge Proofs. "One of the most powerful tools cryptographers have ever devised." – Matthew Green, Professor at Johns Hopkins University, co-founder of Zcash. https://z.cash/team.html ; https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/
  • 8. Definition of Zero-Knowledge Proof: enable a Prover to convince a Verifier of the validity of a statement.
        • Yields nothing beyond the validity of the statement
        • Incorporates randomness
        • Is probabilistic
          o Does not provide absolute certainty
        References: http://www0.cs.ucl.ac.uk/staff/J.Groth/ShortNIZK.pdf ; http://www.austinmohr.com/work/files/zkp.pdf
  • 9. Interactive Zero-Knowledge Proof: the Prover constructs the ZKP, sends the proof, and the Verifier verifies it (derived from http://blog.stratumn.com/zkp-hash-chains/). Non-Interactive ZKP: collapse or transform the multiple messages into one message or string.
  • 10. 007 Wants to Read the News. 007: "Today's news?" www.telegraph.co.uk: "Who are you? Do you have a subscription?" 007: "I can tell you. But then I'll have to kill you." Credit to Anna Lysyanskaya for the 007 metaphor. Graphic: http://www.007.com/characters/the-bonds/
  • 11. 007 Uses Subscription. 007: "Today's news?" www.telegraph.co.uk: "Who are you? Do you have a subscription?" 007: "My subscription is #4309115." 007 reveals personal data:
        - Zip code when he looks up the weather
        - Date of birth when he reads his horoscope
        - More data when he browses the personal ads
        Credit to Anna Lysyanskaya for the 007 metaphor. Graphic: http://www.007.com/characters/the-bonds/
  • 12. Completeness: Telegraph Accepts Proof. 007: "Today's news?" www.telegraph.co.uk: "Who are you? Do you have a subscription?" 007: "Here is a Zero-Knowledge Proof." Completeness: an honest verifier is convinced of a true statement. Credit to Anna Lysyanskaya for the 007 metaphor. Graphic: http://www.007.com/characters/the-bonds/
  • 13. Soundness. M: "Today's news?" www.telegraph.co.uk: "Who are you? Do you have a subscription?" M: "It's Bond. James Bond." www.telegraph.co.uk: "Rejected." (M fails because she cannot prove to the Telegraph that she holds a subscription.) Soundness: a cheating prover cannot convince an honest verifier of a false statement, except with negligible probability. Credit to Anna Lysyanskaya for the 007 metaphor. Graphic: https://en.wikipedia.org/wiki/M_(James_Bond)
  • 15. Zero-Knowledge Proof Illustration (Matthew Green, https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/). A telecom company: cell towers are the vertices; avoid signal overlap; each tower uses 1 of 3 signals.
  • 16. Zero-Knowledge Proof Illustration (Matthew Green): 3-Color Graph Problem. Use colors to represent the frequency bands; solve for 1,000 towers; hire ABC Consulting.
  • 17. Zero-Knowledge Proof Illustration (Matthew Green): Proof of Solution. Prove you have a solution without revealing it; hats hide the solution.
  • 18. Zero-Knowledge Proof Illustration (Matthew Green): Proof of Solution. Remove the two hats at the ends of any edge the telecom picks; see that the two vertices are different colors.
  • 19. Zero-Knowledge Proof Illustration (Matthew Green): Repeat this process. Clear the previous solution; add randomness (randomly permute the three colors); solve again; the telecom removes two hats. Accept or reject: complete the preset number of rounds; the telecom accepts or rejects.
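The hats-and-edges protocol of slides 15 to 19, written out as an added Python example (not code from the deck or from Green's primer). The five-tower graph, its colouring, the use of a salted SHA-256 hash as the "hat", and the names of the functions are all assumptions made for the example. It runs the honest prover, then a prover whose colouring has one conflicting edge, and shows why the number of rounds matters: the cheater is caught only when the verifier happens to pick the bad edge.

```python
"""Interactive ZKP for graph 3-colouring: commit (hats), challenge (an edge), reveal.
Added example with a constructed instance; not from the deck or Green's primer."""
import hashlib
import random
import secrets

# Constructed instance (assumption): 5 "towers", edges = pairs that would interfere,
# and a valid assignment of the 3 frequency bands 0/1/2 (the consultant's solution).
EDGES = [(0, 1), (1, 2), (0, 2), (2, 3), (3, 4), (2, 4)]
SOLUTION = {0: 0, 1: 1, 2: 2, 3: 0, 4: 1}


def is_valid_colouring(edges, colouring):
    """The statement being proved: no edge joins two vertices of the same colour."""
    return all(colouring[u] != colouring[v] for u, v in edges)


def commit(colour, nonce):
    """A 'hat': a salted hash hides the colour until the nonce is revealed."""
    return hashlib.sha256(nonce + bytes([colour])).hexdigest()


class Prover:
    """Holds a (possibly invalid) colouring and runs the prover side of one round."""

    def __init__(self, colouring):
        self.colouring = colouring
        self.opened = None

    def put_on_hats(self):
        # Randomly relabel the three colours each round: the verifier only ever sees
        # two random-looking distinct colours, so rounds cannot be stitched together.
        relabel = [0, 1, 2]
        random.shuffle(relabel)
        self.opened = {v: (relabel[c], secrets.token_bytes(16))
                       for v, c in self.colouring.items()}
        return {v: commit(c, r) for v, (c, r) in self.opened.items()}

    def lift_hats(self, u, v):
        # Reveal colour and nonce for exactly the two challenged vertices.
        return self.opened[u], self.opened[v]


def verifier_round(edges, hats, prover):
    """Verifier picks a random edge, lifts its two hats, checks openings and colours."""
    u, v = random.choice(edges)
    (cu, ru), (cv, rv) = prover.lift_hats(u, v)
    if commit(cu, ru) != hats[u] or commit(cv, rv) != hats[v]:
        return False  # opening does not match the committed hat
    return cu in (0, 1, 2) and cv in (0, 1, 2) and cu != cv


def run_protocol(edges, prover, rounds):
    """Accept only if every round passes; each round uses fresh hats."""
    for _ in range(rounds):
        hats = prover.put_on_hats()
        if not verifier_round(edges, hats, prover):
            return False
    return True


def cheater_survival_probability(rounds, bad_edges, total_edges):
    """A prover whose colouring has bad_edges conflicts survives a round only when
    the verifier picks a good edge; over k rounds that is (1 - bad/total)^k."""
    return (1 - bad_edges / total_edges) ** rounds


if __name__ == "__main__":
    print("honest prover accepted:", run_protocol(EDGES, Prover(SOLUTION), 60))
    bad = {**SOLUTION, 1: 0}  # tower 1 reuses tower 0's band, so edge (0, 1) conflicts
    print("cheating prover accepted:", run_protocol(EDGES, Prover(bad), 60))
    print("cheater survival bound, 60 rounds:",
          cheater_survival_probability(60, 1, len(EDGES)))
```

With one bad edge out of six, a single round catches the cheater only one time in six; sixty rounds push the survival probability below 2e-5, which is the "preset number of rounds" the slide refers to. The commitment check is what makes the hats binding: a prover who tries to answer with a colour other than the one committed is rejected regardless of the challenge.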
  • 21. Examples of ZKP Variants
        ZKP: interactive, multiple messages, needs a stable communication channel
        NIZKP: not interactive, one message
        zk-SNARK: needs a one-time trusted setup to generate the keys at launch
        zk-STARK: no setup, working on memory issues, interactive or non-interactive, post-quantum secure
        Designated Verifier: DVNIZK; not just any entity can be the verifier, the verifier must know a secret
        Lattice-Based: lattice-based cryptography, post-quantum secure, research
        Graph Isomorphism: interactive, compare graphs, efficient computation
        zk-STIK: Scalable Transparent Interactive Oracle Proof (IOP) of Knowledge
        Bulletproof: no setup, 188 bytes, 10 ms in some cases, not post-quantum secure
        References: https://www.slideshare.net/arunta007/elliptic-curve-cryptography-and-zero-knowledge-proof-27914533?next_slideshow=1 ; https://www.youtube.com/watch?v=CKncw6mIMJQ&list=PLpr-xdpM8wG8DPozMmcbwBjFn15RtC75N ; https://www.starkware.co/ ; http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf ; https://eprint.iacr.org/2017/1066.pdf (Bulletproofs) ; https://thexvid.com/video/O8QA6Nvg8RI/zcash-genesis-block.html (trusted setup, live stream of the Zcash launch)
  • 23. ZKP Flexibility, Variety of Use Cases (preserve privacy)
        • Range proofs
          o Age range: 25-45 years old
        • Set membership
          o Citizen of the European Union
        • Comparison
          o Do identity attributes or secrets match?
        • Computational integrity
        • Logical combination of any of the above
  • 24. Graph Isomorphism ZKP. Early paper: UC Berkeley, 1986. Authoritative sources (passport, driver's license, national ID), mobile phone, Relying Party: no personal data leaves the mobile phone or the authoritative source. References: 1986: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.469.9048&rep=rep1&type=pdf ; 2006: https://www.cs.cmu.edu/~ryanw/crypto/lec6.pdf ; 2009: http://www.cs.cornell.edu/courses/cs6810/2009sp/scribe/lecture18.pdf ; 2011: http://www.cs.haifa.ac.il/~orrd/IntroToCrypto/Spring11/Lecture9.pdf ; https://kriptan.org/white-papers.html ; http://gauss.ececs.uc.edu/Courses/c653/lectures/PDF/zero.pdf
  • 25. zk-STARK Example (Ben-Sasson, Bentov, Horesh, Riabzev, https://eprint.iacr.org/2018/046.pdf). National Offender DNA Database; presidential candidate Jaffa. Prove to the public that Jaffa is not in the offender database, with no reliance on any external trusted party. Graphic: https://www.linkedin.com/in/jaffaedwards/, with permission, May 25, 2018.
  • 26. Designated Verifier. Designated-Verifier Non-Interactive Zero-Knowledge Proof of Knowledge (DVNIZK) provides efficient, privacy-preserving authentication. EUROCRYPT 2018, https://eprint.iacr.org/2017/1029.pdf. Graphic: http://www.cs.technion.ac.il/images/events/2018/3031/fullsize.jpg
  • 27. ZKP Identity-Related Landscape: Identity Verification, Authentication.
  • 28. Considerations. Timeline: It is Still Early Days.
  • 29. ZKP Considerations (depends on the implementation or use case)
        1. Transparent
        2. Succinct
        3. Universal
        4. Scalable
        5. Compliant with upcoming ZKP standards
        6. Interactive or non-interactive
        7. Support for IoT or cars
        8. Secure (threat model)
        9. Third-party audit
        10. Post-quantum secure
  • 30. Timeline: It is Still Early Days. 1985: Goldwasser, Micali, Rackoff paper (https://groups.csail.mit.edu/cis/pubs/shafi/1985-stoc.pdf). 2012: Goldwasser and Micali win the Turing Award. 2018: ZKP Standards Organization, formal ZKP standard (https://zkproof.org/).
  • 32. Bulletproof: Example of Exquisite Math. Range Proof Protocol. https://blog.chain.com/faster-bulletproofs-with-ristretto-avx2-29450b4490cd
  • 33. ZKP Resources
        • ISO/IEC 9798-5
        • Letter to NIST: https://zkp.science/docs/Letter-to-NIST-20160613-Advanced-Crypto.pdf
        • Code
          o libsnark, C++ library
          o libSTARK, C++ library
          o Bulletproofs using Ristretto, Rust library: https://github.com/chain/ristretto-bulletproofs/
        • Succinct Computational Integrity and Privacy Research (SCIPR) Lab
        • Stanford Applied Cryptography
        • ZKP Science
        • ZKP Standards Organization
  • 35. We Stand on the Shoulders of Giants: Shafi Goldwasser (https://www.csail.mit.edu/user/733), Silvio Micali (https://people.csail.mit.edu/silvio/), Eli Ben-Sasson (https://cyberweek.tau.ac.il/2017/about/speakers/item/207-eli-ben-sasson), Matthew Green (https://z.cash/team.html).
  • 36. Graph Isomorphism ZKP, UC Berkeley, 1986. Prover, Verifier. Graph Isomorphism Problem: given two graphs with n vertices each, decide whether they are isomorphic. Compare identity attributes without transferring them. References: 1986: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.469.9048&rep=rep1&type=pdf ; 2006: https://www.cs.cmu.edu/~ryanw/crypto/lec6.pdf ; 2009: http://www.cs.cornell.edu/courses/cs6810/2009sp/scribe/lecture18.pdf ; 2011: http://www.cs.haifa.ac.il/~orrd/IntroToCrypto/Spring11/Lecture9.pdf ; https://kriptan.org/white-papers.html ; http://gauss.ececs.uc.edu/Courses/c653/lectures/PDF/zero.pdf
  • 37. Graph Isomorphism ZKP (GIZKP), Cornell University, 2009. http://www.cs.cornell.edu/courses/cs6810/2009sp/scribe/lecture18.pdf
  • 38. Graph Isomorphism ZKP (GIZKP), Carnegie Mellon University, 2006. https://www.cs.cmu.edu/~ryanw/crypto/lec6.pdf
        How does the Prover prove to the Verifier that an isomorphism exists?
        Input: two isomorphic graphs G, H on n nodes each. The Prover knows the isomorphism f. A security parameter k (a positive integer).
        Output: a zero-knowledge protocol that proves P knows f. The Prover gives no information to Ṽ (a possibly dishonest Verifier); a cheating Prover P̃ can succeed with probability at most 1/2^k (one coin toss per round, k rounds).
        Protocol: repeat k times.
          Prover: privately take G and randomly permute its vertices to get a graph F.
          Prover: publicly present F to the Verifier (G and H are public from the beginning).
          Verifier: toss a coin, and ask the Prover to show that G ≅ F if heads, or H ≅ F if tails.
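The CMU protocol of slide 38 as an added Python example (not code from the deck or from the lecture notes), which also covers the "collapse the messages into one" idea of slide 9. The graphs G and H, the secret isomorphism f, the six-vertex instance and the function names are assumptions made for the example. The honest prover answers heads with σ (which maps G onto F) and tails with σ∘f⁻¹ (which maps H onto F); the cheating prover has no f, so it can only guess the coin in advance, and is caught with probability 1/2 per round. The Fiat-Shamir variant replaces the verifier's coins with bits of a hash over all the commitments, turning k rounds into a single message.

```python
"""Graph-isomorphism ZKP as on the CMU slide: commit F = sigma(G), coin, respond.
Includes a cheating prover and a Fiat-Shamir non-interactive variant.
Added example on a constructed instance; not code from the deck or the lecture notes."""
import hashlib
import json
import random
import secrets

def apply_perm(edges, perm):
    """Relabel vertex v as perm[v]; return the edge set as sorted pairs."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in edges)

def random_perm(n):
    p = list(range(n))
    random.shuffle(p)
    return p

def invert(perm):
    inv = [0] * len(perm)
    for i, p in enumerate(perm):
        inv[p] = i
    return inv

def compose(outer, inner):
    """Permutation outer∘inner: v -> outer[inner[v]]."""
    return [outer[x] for x in inner]

# Constructed instance (assumption): G is a 6-cycle with one chord, F_SECRET is the
# prover's secret relabelling f, H = f(G). H_NOT_ISO has only 6 edges, so no f exists.
N = 6
G = frozenset({(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (0, 5), (0, 3)})
F_SECRET = [3, 5, 1, 4, 0, 2]
H = apply_perm(G, F_SECRET)
H_NOT_ISO = frozenset({(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (0, 5)})

class Prover:
    """Honest prover: knows f with f(G) = H. Pending sigmas are answered in order."""
    def __init__(self, g, h, f):
        self.g, self.h, self.f_inv, self.pending = g, h, invert(f), []

    def commit(self):
        sigma = random_perm(N)            # fresh randomness every round
        self.pending.append(sigma)
        return apply_perm(self.g, sigma)  # F = sigma(G): a random relabelling of G

    def respond(self, coin):
        sigma = self.pending.pop(0)
        # heads (0): sigma maps G -> F; tails (1): sigma∘f⁻¹ maps H -> F
        return sigma if coin == 0 else compose(sigma, self.f_inv)

class CheatingProver:
    """Knows no isomorphism; guesses the coin and relabels G or H accordingly."""
    def __init__(self, g, h):
        self.g, self.h, self.pending = g, h, []

    def commit(self):
        guess, sigma = secrets.randbelow(2), random_perm(N)
        self.pending.append(sigma)
        return apply_perm(self.g if guess == 0 else self.h, sigma)

    def respond(self, coin):
        return self.pending.pop(0)        # only passes when the guess was right

def verify_round(g, h, f_graph, coin, pi):
    """Check that pi maps the challenged graph (G on heads, H on tails) onto F."""
    return apply_perm(g if coin == 0 else h, pi) == f_graph

def run_interactive(g, h, prover, rounds):
    """k rounds of commit / coin / respond; a cheater survives each with prob. 1/2."""
    for _ in range(rounds):
        f_graph = prover.commit()
        coin = secrets.randbelow(2)       # the verifier's coin toss
        if not verify_round(g, h, f_graph, coin, prover.respond(coin)):
            return False
    return True

def fiat_shamir_coins(g, h, commitments):
    """Non-interactive variant: derive the coins by hashing the public transcript
    (G, H and every commitment) instead of asking a verifier. At most 256 rounds."""
    blob = json.dumps([sorted(g), sorted(h), [sorted(c) for c in commitments]]).encode()
    digest = hashlib.sha256(blob).digest()
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(len(commitments))]

def prove_noninteractive(g, h, prover, rounds):
    """One message: all k commitments, then the responses to the hash-derived coins."""
    commitments = [prover.commit() for _ in range(rounds)]
    coins = fiat_shamir_coins(g, h, commitments)
    return [(f, prover.respond(c)) for f, c in zip(commitments, coins)]

def verify_noninteractive(g, h, proof):
    """Recompute the coins from the commitments and check every round."""
    coins = fiat_shamir_coins(g, h, [f for f, _ in proof])
    return all(verify_round(g, h, f, c, pi) for (f, pi), c in zip(proof, coins))
```

Two points a practitioner should take from this: the response on tails is σ∘f⁻¹, a uniformly random permutation just like σ, which is why the verifier learns nothing about f; and the commitments must be fixed before the coins are known, which the interactive version guarantees by ordering and the non-interactive version by hashing all of them at once. A prover who could choose F after seeing the coin would pass every round without knowing f.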
• 39. Taxonomy http://www.wisdom.weizmann.ac.il/~oded/cc-drafts.html Interactive, Non-Interactive Proofs Complexity Theory ZKP Related to Cryptography
• 40. Scope • In Scope: Digital Identities o Identity Proofing o Authentication • Out of Scope: o Cryptocurrency o Digital Watermarks o E-Voting o Gaming o Location o Mimblewimble o Private Messaging o Privacy Layer for Ethereum o Sealed Auctions o Smart Contracts (Hawk) o Supply Chain Transparency o Trusted Platform Module (TPM) o Zero-Knowledge Blockchain
• 41. References • Attribute-based Credentials for Trust (ABC4Trust) Project, https://abc4trust.eu/ (2017). • AU2EU Project, Authentication and Authorization for Entrusted Unions, http://www.au2eu.eu/ (2017). • Baldimtsi, Foteini; Lysyanskaya, Anna. Anonymous Credentials Light, http://cs.brown.edu/~anna/papers/bl13a.pdf (2013). • Ben-Sasson, Eli; Chiesa, Alessandro; Garman, Christina; et al. Zerocash: Decentralized Anonymous Payments from Bitcoin, http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf (May 2014). • Bitansky, Nir; Brakerski, Zvika; Kalai, Yael; et al. 3-Message Zero Knowledge Against Human Ignorance, https://eprint.iacr.org/2016/213.pdf (September 2016). • Blum, Manuel; De Santis, Alfredo; Micali, Silvio; Persiano, Giuseppe. Non-Interactive Zero-Knowledge and its Applications, https://people.csail.mit.edu/silvio/Selected%20Scientific%20Papers/Zero%20Knowledge/Noninteractive_Zero-Knowkedge.pdf (1991). • Brands, Stefan. Rethinking Public Key Infrastructures and Digital Certificates. The MIT Press, http://www.credentica.com/the_mit_pressbook.html (2000). • Bünz, Benedikt; Bootle, Jonathan; Boneh, Dan; et al. Bulletproofs: Short Proofs for Confidential Transactions and More, https://eprint.iacr.org/2017/1066.pdf (2017). • Camenisch, Jan; Van Herreweghen, Els. Design and Implementation of the Idemix Anonymous Credential System, in Proceedings of the 9th ACM Conference on Computer and Communications Security, ACM, pp. 21–30 (2002). • Camenisch, Jan; Dubovitskaya, Maria; Enderlein, Robert; et al. Concepts and Languages for Privacy-Preserving Attribute-Based Authentication, https://pdfs.semanticscholar.org/82e2/4078c9ba9fcaf6177a80b8496779676af114.pdf (2013).
• 42. References • Cutler, Becky. The Feasibility and Application of Using Zero-Knowledge Protocol for Authentication Systems, http://www.cs.tufts.edu/comp/116/archive/fall2015/bcutler.pdf (2015). • Durcheva, Mariana. Zero Knowledge Proof Protocol Based on Graph Isomorphism Problem, http://www.jmest.org/wp-content/uploads/JMESTN42351827.pdf (2016). • Fleischhacker, Nils; Goyal, Vipul; Jain, Abhishek. On the Existence of Three Round Zero-Knowledge Proofs, https://eprint.iacr.org/2017/935.pdf (2017). • Gebeyehu, Worku; Ambaw, Lubak; Reddy, MA Eswar. Authenticating Grid Using Graph Isomorphism Based Zero Knowledge Proof, https://link.springer.com/chapter/10.1007/978-3-319-03107-1_2 (2014). • Geers, Marjo. Comparing Privacy in eID Schemes, http://www.id-world-magazine.com/?p=923 (2017). • Geraud, Rémi. Zero-Knowledge: More Secure than Passwords? https://blog.ingenico.com/posts/2017/07/zero-knowledge-proof-more-secure-than-passwords.html (July 25, 2017). • Goldreich, Oded. Zero-Knowledge: A Tutorial by Oded Goldreich, http://www.wisdom.weizmann.ac.il/~oded/zk-tut02.html (2010); has an extensive reference list. • Goldreich, Oded; Oren, Yair. Definitions and Properties of Zero-Knowledge Proof Systems, http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.17.2901 (1994). • Goldwasser, Shafi; Micali, Silvio; Rackoff, Charles. The Knowledge Complexity of Interactive Proof-Systems, ACM 0-89791-151-2/85/005/02911 (1985). • Green, Matthew. Zero Knowledge Proofs: An Illustrated Primer, https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/ (November 2014).
• 43. References • Groth, Jens. Short Pairing-Based Non-Interactive Zero-Knowledge Arguments, http://www0.cs.ucl.ac.uk/staff/J.Groth/ShortNIZK.pdf (2010). • Groth, Jens; Lu, Steve. A Non-Interactive Shuffle with Pairing Based Verifiability, http://www0.cs.ucl.ac.uk/staff/J.Groth/AsiacryptPairingShuffle.pdf (2006). • Groth, Jens; Ostrovsky, Rafail; Sahai, Amit. New Techniques for Non-interactive Zero-Knowledge, http://www0.cs.ucl.ac.uk/staff/J.Groth/NIZKJournal.pdf (2011). • Guillou, Louis; Quisquater, Jean-Jacques; et al. How to Explain Zero-Knowledge Protocols to Your Children, http://pages.cs.wisc.edu/~mkowalcz/628.pdf (CRYPTO 1989). • Gupta, Anuj Das; Delight, Ankur. Zero-Knowledge Proof of Balance: A Friendly ZKP Demo, http://blog.stratumn.com/zero-knowledge-proof-of-balance-demo/ (June 2017). • Hardjono, Thomas; Pentland, Alex "Sandy"; MIT Connection Science & Engineering. Core Identities for Future Transaction Systems, https://static1.squarespace.com/static/55f6b5e0e4b0974cf2b69410/t/57f7a1653e00be2c09eb96e7/1475846503159/Core-Identity-Whitepaper-v08.pdf (October 7, 2016). [TBD: check back, right now it is a DRAFT, do not cite] • ISO/IEC 9798-5, Information technology — Security techniques — Entity authentication — Part 5: Mechanisms using zero-knowledge techniques, https://www.iso.org/standard/50456.html (2015). • Johnstone, Mike. Why We Need Privacy-Preserving Authentication in the Facebook Age, http://www.iaria.org/conferences2015/filesICSNC15/ICSNC_Keynote_v1.1a.pdf (November 2013). • Kogta, Ronak. ZK-SNARKs in English, https://www.slideshare.net/rixor786/zksnarks-in-english?qid=0e3be303-84fc-43d2-be96-6db2085a28ff&v=&b=&from_search=3 (July 2017).
• 44. References • Lindell, Yehuda. Efficient Zero-Knowledge Proof (video), https://www.youtube.com/watch?v=Vahw28dValA (2015). • Lysyanskaya, Anna. How to Balance Privacy and Key Management in User Authentication, http://csrc.nist.gov/groups/ST/key_mgmt/documents/Sept2012_Presentations/LYSYANSKAYA_nist12.pdf (2012). • Martin-Fernandez, Francisco; Caballero-Gil, Pino; Caballero-Gil, Candido. Authentication Based on Non-Interactive Zero-Knowledge Proofs for the Internet of Things, https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4732108/ (January 2016). • Mohr, Austin. A Survey of Zero-Knowledge Proofs with Applications to Cryptography, http://www.austinmohr.com/work/files/zkp.pdf. • Montenegro, Jose; Fischer, Michael; Lopez, Javier; et al. Secure Sealed-Bid Online Auctions Using Discreet Cryptographic Proof, http://www.sciencedirect.com/science/article/pii/S0895717711004535?via%3Dihub (June 2013). • Nguyen, Quan; Rudoy, Mikhail; Srinivasan, Arjun. Two Factor Zero Knowledge Proof Authentication System, https://courses.csail.mit.edu/6.857/2014/files/16-nguyen-rudoy-srinivasan-two-factor-zkp.pdf (2014). • Schukat, M.; Flood, P. Zero-Knowledge Proofs in M2M Communication, http://digital-library.theiet.org/content/conferences/10.1049/cp.2014.0697 (2014). • Broadbent, Anne; Ji, Zhengfeng; Song, Fang. Zero-Knowledge Proof Systems for QMA, https://arxiv.org/pdf/1604.02804.pdf (2016). • Unruh, Dominique. Quantum Proofs of Knowledge, https://eprint.iacr.org/2010/212.pdf (February 2015). • Wilcox, Zooko. Podcast, Zero Knowledge, The Future of Privacy, https://medium.com/blockchannel/episode-3-zero-knowledge-the-future-of-privacy-ea18479295f4 (February 21, 2017). • Wu, Huixin; Wang, Feng. A Survey of Noninteractive Zero Knowledge Proof System and its Applications, https://www.hindawi.com/journals/tswj/2014/560484/ (May 2014).
• 45. EUROCRYPT 2018 https://eurocrypt.iacr.org/2018/acceptedpapers.html • Efficient Designated-Verifier Non-Interactive Zero-Knowledge Proofs of Knowledge: Pyrros Chaidos (University of Athens), Geoffroy Couteau (Karlsruhe Institute of Technology) • Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs: Dan Boneh (Stanford), Yuval Ishai (Technion and UCLA), Amit Sahai (UCLA), David J. Wu (Stanford) • On the Existence of Three Round Zero-Knowledge Proofs: Nils Fleischhacker (Johns Hopkins University and Carnegie Mellon University), Vipul Goyal (Carnegie Mellon University), Abhishek Jain (Johns Hopkins University) • An Efficiency-Preserving Transformation from Honest-Verifier Statistical Zero-Knowledge to Statistical Zero-Knowledge: Pavel Hubáček (Charles University in Prague), Alon Rosen (IDC Herzliya), Margarita Vald (Tel-Aviv University) • Partially Splitting Rings for Faster Lattice-Based Zero-Knowledge Proofs: Vadim Lyubashevsky (IBM Research - Zurich), Gregor Seiler (IBM Research - Zurich)
• 47. Schnorr NIZK (IETF Draft) https://tools.ietf.org/html/draft-hao-schnorr-01 The Schnorr NIZK proof is obtained from the interactive Schnorr identification scheme through a Fiat-Shamir transformation • This transformation uses a secure cryptographic hash function to issue the challenge instead of the verifier's random coin, so the prover can produce the whole proof in a single message (the draft was later published as RFC 8235) Graphic: https://www.bswllc.com/resources-articles-preparing-for-the-2013-coso-internal-framework
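One interactive Schnorr identification round and its Fiat-Shamir NIZK, as an added Python example that is not part of the deck or of the IETF draft. It uses secp256k1 with hand-written point arithmetic only so that it runs without any library; the curve choice, the domain-separation string and the `context` argument are this example's assumptions, not something the draft prescribes (the draft hashes g, V, A and a UserID). It also shows two practitioner points that the table of attacks later on this deck only names: a proof bound to one context fails to verify under another, which is what a verifier-chosen challenge buys against replay, and reusing the random r across two proofs leaks the private key.

```python
"""Schnorr identification and its Fiat-Shamir NIZK over secp256k1 (added example)."""
import hashlib
import random
import secrets
from typing import Optional, Tuple

# secp256k1: y^2 = x^3 + 7 over F_P, generator G of prime order N. The curve is an assumption
# of this example, chosen only because its arithmetic fits in a few lines of pure Python.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Point = Optional[Tuple[int, int]]     # None is the point at infinity


def on_curve(pt: Point) -> bool:
    if pt is None:
        return True
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - 7) % P == 0


def ec_add(a: Point, b: Point) -> Point:
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2 and (y1 + y2) % P == 0:       # a == -b
        return None
    if a == b:                                 # tangent slope (curve has a = 0)
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:                                      # chord slope
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k: int, pt: Point) -> Point:
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc: Point = None
    k %= N
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def encode(pt: Point) -> bytes:
    x, y = pt
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def demo_rng(seed=None) -> random.Random:
    """Seeded RNG for tests only; a real prover draws x and r from secrets.SystemRandom()."""
    return random.Random(seed) if seed is not None else secrets.SystemRandom()


def keygen(rng) -> Tuple[int, Point]:
    x = rng.randrange(1, N)
    return x, ec_mul(x, G)


def interactive_identify(x: int, X: Point, rng) -> bool:
    """Three-move Schnorr identification: commit, random challenge, respond, check."""
    r = rng.randrange(1, N)
    R = ec_mul(r, G)                  # prover -> verifier: commitment
    c = rng.randrange(N)              # verifier -> prover: fresh random challenge
    s = (r + c * x) % N               # prover -> verifier: response
    return ec_mul(s, G) == ec_add(R, ec_mul(c, X))


def fiat_shamir_challenge(X: Point, R: Point, context: bytes) -> int:
    """The hash replaces the verifier's coin. `context` (assumed here) carries a verifier-chosen
    nonce or session id, the same role the draft's UserID plays, so a proof cannot be replayed."""
    h = hashlib.sha256(b"schnorr-nizk-example" + encode(G) + encode(X) + encode(R) + context)
    return int.from_bytes(h.digest(), "big") % N


def nizk_prove_with_r(x: int, X: Point, context: bytes, r: int) -> Tuple[Point, int]:
    R = ec_mul(r, G)
    c = fiat_shamir_challenge(X, R, context)
    return R, (r + c * x) % N


def nizk_prove(x: int, X: Point, context: bytes, rng) -> Tuple[Point, int]:
    return nizk_prove_with_r(x, X, context, rng.randrange(1, N))


def nizk_verify(X: Point, proof: Tuple[Point, int], context: bytes) -> bool:
    R, s = proof
    if R is None or X is None or not on_curve(R) or not on_curve(X) or not 0 <= s < N:
        return False
    c = fiat_shamir_challenge(X, R, context)
    return ec_mul(s, G) == ec_add(R, ec_mul(c, X))


def recover_key_from_nonce_reuse(X, proof1, ctx1, proof2, ctx2) -> Optional[int]:
    """Correct-usage caveat: one r under two challenges leaks x = (s1 - s2) / (c1 - c2) mod N."""
    (R1, s1), (R2, s2) = proof1, proof2
    c1 = fiat_shamir_challenge(X, R1, ctx1)
    c2 = fiat_shamir_challenge(X, R2, ctx2)
    if R1 != R2 or c1 == c2:
        return None
    return (s1 - s2) * pow((c1 - c2) % N, -1, N) % N
```

The verifier-side checks in `nizk_verify` (R and X on the curve, s in range) are the part most often skipped in hand-rolled code; without them a malformed proof can pass the algebra on a point that is not in the group. The NIZK has no round trip, so freshness has to come from the bytes under the hash: if the verifier does not contribute a nonce or session identifier there, any captured proof stays valid forever.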
• 48. Zero-Knowledge Proof, Formal Definition http://www.cs.cornell.edu/courses/cs6810/2009sp/scribe/lecture18.pdf An interactive proof system (P, V) for a language L is zero-knowledge if for any PPT verifier V* there exists an expected PPT simulator S such that for all x ∈ L and all z ∈ {0,1}*: View_V*[P(x) ↔ V*(x, z)] = S(x, z). Here z is the verifier's auxiliary input and the equality is between probability distributions: identical for perfect zero-knowledge, and relaxed to statistically or computationally indistinguishable for the weaker variants. As usual, P has unlimited computation power (in practice, P must be a randomized TM). Intuitively, the definition states that an interactive proof system (P, V) is zero-knowledge if for any verifier V* there exists an efficient simulator S that can essentially produce a transcript of the conversation that would have taken place between P and V* on any given input.
• 49. ZKPOK (Zero-Knowledge Proof of Knowledge) I can't tell you my secret, but I can prove to you that I know the secret Source: J. Chou, SC700 A2 Internet Information Protocols (2001) Graphic: http://www.flowmarq.com/single-post/2015/05/18/IDENTITY-Clarifying-Motivations
• 50. https://www.symantec.com/connect/blogs/you-can-t-have-privacy-without-security https://www.microsoft.com/en-us/research/research-area/security-privacy-cryptography/ You can have security without privacy, but you can't have privacy without security. — Carolyn Herzog, EVP and General Counsel, ARM
  • 51. ZKP Variations https://eprint.iacr.org/2010/150.pdf • GMR defined knowledge as the computational power of a party • Differentiates “knowledge” from “information” • Knowledge is coupled with computational power
• 52. Examples: ZKP Variations, Terminology • Approximate Zero-Knowledge Proof • Bulletproof • Computationally sound implementations of Symbolic Zero-Knowledge Proof • Concurrent ZKP • Designated-Verifier Non-Interactive Zero-Knowledge Proof (DVNIZK) • Double Advance ZKP • ε-zero-knowledge (weaker notion of ZKP) • Five-Round ZKP • Honest-Verifier Statistical Zero-Knowledge • Implicit Zero-Knowledge Arguments • Lattice-Based ZKPs • Lepinski's 3-round ZK proof protocol • Non-Interactive Zero-Knowledge Arguments • (Non-Interactive) Zero-Knowledge Proofs of Knowledge ((NI)ZKPoKs) • One-Round ZKP • Pairing-Based Non-Interactive Arguments • Perfect ZKPs • Private-coin ZKP • Public-coin ZKP • Scalable Transparent Argument of Knowledge (STARK) • Scalable Transparent IOP of Knowledge (STIK) • Schnorr Non-Interactive Zero-Knowledge Proof • Statistical Zero-Knowledge • Succinct Interactive Proof (SCIP) • Succinct Non-Interactive Argument (SNARG) • Succinct Non-Interactive Argument of Knowledge (SNARK) • Super-Perfect ZKP • Symbolic Zero-Knowledge Proof • Three-Round ZKP • ZK Arguments • ZKP Based on Graph Isomorphism • ZKP of Proximity (ZKPP) https://ieeexplore.ieee.org/document/1524082/ https://eprint.iacr.org/2018/167.pdf https://eurocrypt.iacr.org/2018/acceptedpapers.html http://www0.cs.ucl.ac.uk/staff/J.Groth/NIZKJournal.pdf https://eprint.iacr.org/2017/114.pdf http://www.jmest.org/wp-content/uploads/JMESTN42351827.pdf
  • 53. ZKP Challenges https://www.slideshare.net/arunta007/elliptic-curve-cryptography-and-zero-knowledge-proof-27914533?next_slideshow=1 https://www.starkware.co/#jobs • Requires expertise and experience o PhD mathematics or cryptography o Algebraic cryptography requiring high- performance computation in finite fields o Applications of modern algebra to algorithms and computer science • Correct usage • Security, threat model • Audited code, formal verification • Known bugs and vulnerabilities Graphic: http://www.digifotopro.nl/content/beklimming-mount-everest-360-graden-vastgelegd
• 54. ZKP Standards https://zkproof.org/ ZKProof.org • Open initiative • Industry, academia • First workshop May 2018 • Framework for a formal standard of Zero-Knowledge Proofs Cartoon: "I think you should be more explicit here in step two", Sidney Harris, https://www.art.com/products/p15063445373-sa-i6847848/sidney-harris-i-think-you-should-be-more-explicit-here-in-step-two-cartoon.htm
• 56. ISO/IEC 9798-5:2009 https://www.iso.org/standard/50456.html Compliance with ISO/IEC 9798-5 may involve the use of the following patents and their counterparts in other countries.
Patent | Title | Inventor | Filing Date
US 4 995 082 | Method for identifying subscribers and for generating and verifying electronic signatures in a data exchange system | C.P. Schnorr | 1990
US 5 140 634 | Method and apparatus for authenticating accreditations and for authenticating and signing messages | L.C. Guillou and J-J. Quisquater | 1991
EP 0 311 470 | Methods and systems to authenticate authorizations and messages with a zero knowledge-proof system and to provide messages with a signature | L.C. Guillou and J-J. Quisquater | 1998
EP 0 666 664 | Method for performing a double-signature secure electronic transaction | M. Girault | 1995
• 57. Attack Resilience (From Academia) http://repository.ust.hk/ir/bitstream/1783.1-6277/1/pseudo.pdf
Attack | Description | Mitigation
Impersonation | A malicious impersonator, for either party | Needs the secret; completeness and soundness
Replay Attack | Malicious peer or attacker collects previous proofs and resends them | Fresh challenge message required
Man in the Middle (MITM) | Intruder is able to access and modify messages between prover and verifier (without them knowing) | It depends, implementation specific
Collaborated Attack | Subverted nodes collaborate to enact identity fraud, or co-conspirator | It depends, requires reputation auditing design
Denial of Service (DoS) | Renders networks, hosts and other systems unusable by consuming bandwidth or deluging them with a huge number of requests | Could happen during authentication setup
• 58. Ideal for Identification ZKPs are the ideal solution to challenges in identification • Users can prove identities • No exchange of sensitive information • Mitigates identity theft – Sultan Almuhammadi, Clifford Neuman, University of Southern California, Los Angeles (2005) https://ieeexplore.ieee.org/document/1524082/ Graphic: https://www.equifax.com.au/personal/articles/what-identity-watch
  • 59. Any sufficiently advanced technology is indistinguishable from magic. – Arthur C. Clarke Graphic: https://www.shutterstock.com/video/search/loop-ready-file/?ref_context=keyword
• 60. ZKP Requirements http://www0.cs.ucl.ac.uk/staff/J.Groth/ShortNIZK.pdf http://www.austinmohr.com/work/files/zkp.pdf http://www.wisdom.weizmann.ac.il/~oded/zk-tut02.html Completeness • If the statement is true, an honest prover convinces the verifier Soundness • If the statement is false, no cheating prover can convince the verifier that it is true o Except with some small probability (the soundness error) Zero-Knowledge • The verifier learns nothing beyond the statement's validity Graphic: http://mentalfloss.com/article/64108/15-things-you-should-know-about-dogs-playing-poker
• 62. Zero-Knowledge Range Proof (ZKRP) Validate • Person is 18-65 years old o Without disclosing the age • Person is in Europe o Without disclosing the exact location https://github.com/ing-bank/zkrangeproof
• 63. ZKRP Vulnerability • Madars Virza • "The publicly computable value y/t is roughly the same magnitude (in expectation) as w^2 * (m-a+1)(b-m+1). However, w^2 has fixed bit length (again, in expectation) and thus for a fixed range, this value leaks the magnitude of the committed value." • The proof is not zero knowledge • Response: will find alternative ZKP https://github.com/ing-bank/zkrangeproof Graphic: https://www.pexels.com/photo/milkweed-bug-perching-on-pink-flower-in-close-up-photography-1085549/