Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Zero-Knowledge Proofs: Identity Proofing and Authentication

According to Matthew Green, Zero-Knowledge Proofs are the most powerful tool cryptographers have ever devised. Find out why. Find out how ZKPs apply to identity proofing and authentication.

Zero-Knowledge Proofs: Identity Proofing and Authentication

  1. 1. PRIVACY-PRESERVING AUTHENTICATION ANOTHER REASON TO CARE ABOUT ZERO-KNOWLEDGE PROOFS clare_nelson@clearmark.biz @Safe_SaaS
  2. 2. The Challenge Digital Identity
  3. 3. If your personal data is never collected, it cannot be stolen. https://www.zurich.ibm .com /identity_m ixer/ https://www.ted.com /talks/m aria_dubovitskaya_take_back_control_of_your_personal_data, TED Talk – Maria Dubovitskaya Cryptographer, Research Staff Member, IBM Zurich Research Laboratory, Ph.D. in cryptography and privacy from ETH Zurich Zero-Knowledge Proofs G raphic: https://www.youtube.com /watch?v=jp_Q G wXsoXM
  4. 4. How Preserve Privacy? https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf Credential Service Provider (CSP) Authenticate Avoid • Transfer of identity attributes, secrets Digital Identity Model
  5. 5. Digital Identity Model How Preserve Privacy? https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf Credential Service Provider (CSP) Authenticate ZKP ZKP Use Zero- Knowledge Proofs instead of transferring attributes or secrets
  6. 6. Zero-Knowledge Proofs Definition
  7. 7. One of the most powerful tools cryptographers have ever devised. https://z.cash/team .htm l https://blog.cryptographyengineering.com /2014/11/27/zero-knowledge-proofs-illustrated-prim er/ – Matthew Green Professor at Johns Hopkins University, co-founder of Zcash Zero-Knowledge Proofs
  8. 8. Definition of Zero-Knowledge Proof http://www0.cs.ucl.ac.uk/staff/J.G roth/ShortNIZK.pdf http://www.austinm ohr.com /work/files/zkp.pdf Enable a Prover to convince a Verifier of the validity of a statement • Yields nothing beyond validity of the statement • Incorporates randomness • Is probabilistic o Does not provide absolute certainty Prover Verifier Statement
  9. 9. Interactive Zero-Knowledge Proof Derived from http://blog.stratum n.com /zkp-hash-chains/ VerifierProver Construct ZKP Verify ZKP Proof Non-Interactive ZKP Collapse, transform multiple messages into one message, or string
  10. 10. 007 Wants to Read the News Credit to Anna Lysyanskaya for the 007 m etaphor G raphic: http://www.007.com /characters/the-bonds/ I can tell you. But then I’ll have to kill you. www.telegraph.co.uk Today’s news? Today’snews?Who are you? Do you have a subscription?
  11. 11. 007 Uses Subscription My subscription is #4309115 www.telegraph.co.uk Today’s news? Today’snews?Who are you? Do you have a subscription? 007 Reveals Personal Data: - Zip code when he looks up the weather - Date of birth when he reads his horoscope - More data when he browses the personal ads Credit to Anna Lysyanskaya for the 007 m etaphor G raphic: http://www.007.com /characters/the-bonds/
  12. 12. Completeness: Telegraph Accepts Proof Here is a Zero-Knowledge Proof www.telegraph.co.uk Today’s news? Today’snews?Who are you? Do you have a subscription? Credit to Anna Lysyanskaya for the 007 m etaphor G raphic: http://www.007.com /characters/the-bonds/ Completeness • Honest verifier is convinced of true statement
  13. 13. Soundness Credit to Anna Lysyanskaya for the 007 m etaphor G raphic: https://en.wikipedia.org/wiki/M _(Jam es_Bond) It’s Bond. James Bond. www.telegraph.co.uk Today’s news? Rejected Who are you? Do you have a subscription? (M fails because she can’t prove to Telegraph)
  14. 14. ZKP Illustration Interactive ZKP
  15. 15. Zero-Knowledge Proof Illustration Matthew Green Telecom Company • Cell towers • Vertices • Avoid signal overlap • Use 1 of 3 signals https://blog.cryptographyengineering.com /2014/11/27/zero-knowledge-proofs-illustrated-prim er/
  16. 16. 3-Color Graph Problem • Use colors to represent frequency bands • Solve for 1,000 towers • Hire ABC Consulting Zero-Knowledge Proof Illustration Matthew Green https://blog.cryptographyengineering.com /2014/11/27/zero-knowledge-proofs-illustrated-prim er/
  17. 17. Proof of Solution • Prove have solution without revealing it • Hats hide the solution Zero-Knowledge Proof Illustration Matthew Green https://blog.cryptographyengineering.com /2014/11/27/zero-knowledge-proofs-illustrated-prim er/
  18. 18. Proof of Solution • Remove any two hats • See vertices are different colors Zero-Knowledge Proof Illustration Matthew Green https://blog.cryptographyengineering.com /2014/11/27/zero-knowledge-proofs-illustrated-prim er/
  19. 19. 6 4 Repeat this process • Clear previous solution • (Add randomness) • Solve again • Telecom removes two hats Accept or Reject • Complete for preset number of rounds • Telecom accepts or rejects Zero-Knowledge Proof Illustration Matthew Green https://blog.cryptographyengineering.com /2014/11/27/zero-knowledge-proofs-illustrated-prim er/
  20. 20. ZKP Variants Examples
  21. 21. Examples of ZKP Variants https://www.slideshare.net/arunta007/elliptic-curve-cryptography-and-zero-knowledge-proof-27914533?next_slideshow=1 https://www.youtube.com/watch?v=CKncw6mIMJQ&list=PLpr-xdpM8wG8DPozMmcbwBjFn15RtC75N https://www.starkware.co/ http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf https://eprint.iacr.org/2017/1066.pdf, Bulletproofs https://thexvid.com/video/O8QA6Nvg8RI/zcash-genesis-block.html, trusted setup, live stream of Zcash launch ZKP NIZKP zk-SNARK zk-STARK Designated Verifier Lattice-Based Interactive, multiple messages, need stable communication channel Not interactive, one message Need one-time, trusted setup to generate key at launch No setup, working on memory issues, I or NI, post-quantum secure No setup, 188 bytes, 10 ms in some cases, not post-quantum secure Lattice-based cryptography, post-quantum secure, research Graph Isomorphism zk-STIK Bulletproof Interactive, compare graphs, efficient computation Scalable Transparent Interactive Oracle of Proof (IOP) of Knowledge DVNIZK, not just any entity can be verifier, verifier must know secret
  22. 22. ZKP Examples Digital Identity
  23. 23. ZKP Flexibility, Variety of Use Cases • Range proofs o Age range: 25-45 years old • Set membership o Citizen of European Union • Comparison o Do identity attributes or secrets match? • Computational integrity Logical combination of any of the above Preserve Privacy
  24. 24. Graph Isomorphism ZKP Early Paper: UC Berkeley, 1986 Passport Driver’s License National ID Relying Party Authoritative Sources No personal data leaves mobile phone or authoritative source 1986: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.469.9048&rep=rep1&type=pdf 2006: https://www.cs.cmu.edu/~ryanw/crypto/lec6.pdf 2009: http://www.cs.cornell.edu/courses/cs6810/2009sp/scribe/lecture18.pdf 2011: http://www.cs.haifa.ac.il/~orrd/IntroToCrypto/Spring11/Lecture9.pdf https://kriptan.org/white-papers.html http://gauss.ececs.uc.edu/Courses/c653/lectures/PDF/zero.pdf
  25. 25. zk-STARK Example (Ben-Sasson, Bentov, Horesh, Riabzev) https://eprint.iacr.org/2018/046.pdf National Offender DNA Database Presidential Candidate, Jaffa Prove to public that Jaffa is not in offender database G raphic: https://www.linkedin.com /in/jaffaedwards/, with perm ission M ay 25, 2018. No reliance on any external trusted party
  26. 26. Designated Verifier https://eprint.iacr.org/2017/1029.pdf Designated-Verifier Non-Interactive Zero-Knowledge Proof of Knowledge (DVNIZK) • Provides efficient, privacy- preserving authentication EURO CRYPT 2018 G raphic: http://www.cs.technion.ac.il/im ages/events/2018/3031/fullsize.jpg
  27. 27. ZKP Identity-Related Landscape Identity Verification, Authentication
  28. 28. Considerations Timeline: It is Still Early Days
  29. 29. ZKP Considerations Depends on Implementation or Use Cases 1. Transparent 2. Succinct 3. Universal 4. Scalable 5. Compliant with upcoming ZKP Standards 6. Interactive, non-interactive 7. Support for IoT or cars 8. Secure (threat model) 9. Third-party audit 10.Post-quantum secure
  30. 30. 1985 Goldwasser, Micali, Rackoff paper 2018 ZKP Standards Organization Formal ZKP standard 2012 Goldwasser, Micali win Turing Award https://groups.csail.m it.edu/cis/pubs/shafi/1985-stoc.pdf https://zkproof.org/ Timeline It is Still Early Days
  31. 31. clare_nelson@clearmark.biz @Safe_SaaS
  32. 32. Bulletproof: Example of Exquisite Math https://blog.chain.com /faster-bulletproofs-with-ristretto-avx2-29450b4490cd Range Proof Protocol
  33. 33. ZKP Resources • ISO/IEC 9798-5 • Letter to NIST • Code o libSNARK C++ library o libSTARK C++ library o Bulletproofs using Ristretto, Rust library • Succinct Computational Integrity and Privacy Research (SCIPR) Lab • Stanford Applied Cryptography • ZKP Science • ZKP Standards Organization https://zkp.science/docs/Letter-to-NIST-20160613-Advanced-Crypto.pdf https://github.com /chain/ristretto-bulletproofs/
  34. 34. Gratitude ZKP Inventors, Pioneers
  35. 35. We Stand on the Shoulders of Giants https://www.csail.mit.edu/user/733 https://people.csail.mit.edu/silvio/ https://cyberweek.tau.ac.il/2017/about/speakers/item/207-eli-ben-sasson https://z.cash/team.html Shafi Goldwasser Eli Ben-Sasson Silvio Micali Matthew Green
  36. 36. Graph Isomorphism ZKP UC Berkeley, 1986 Prover Verifier (Graph Isomorphism Problem: Given two graphs with ! vertices each, decide whether they are isomorphic.) 1986: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.469.9048&rep=rep1&type=pdf 2006: https://www.cs.cm u.edu/~ryanw/crypto/lec6.pdf 2009: http://www.cs.cornell.edu/courses/cs6810/2009sp/scribe/lecture18.pdf 2011: http://www.cs.haifa.ac.il/~orrd/IntroToCrypto/Spring11/Lecture9.pdf https://kriptan.org/white-papers.htm l http://gauss.ececs.uc.edu/Courses/c653/lectures/PDF/zero.pdf Compare identity attributes without transferring them
  37. 37. Graph Isomorphism ZKP (GIZKP) Cornell University, 2009 http://www.cs.cornell.edu/courses/cs6810/2009sp/scribe/lecture18.pdf
  38. 38. Graph Isomorphism ZKP (GIZKP) Carnegie Mellon University, 2006 https://www.cs.cm u.edu/~ryanw/crypto/lec6.pdf How does Prover prove to Verifier that an isomorphism exists? Input: 2 isomorphic graphs G, H on n nodes each. Prover knows isomorphism f. A security parameter k (positive integer). Output: A zero-knowledge protocol that proves P knows f. Prover gives no info to V˜ P˜ can cheat (successfully) with probability ≤ 1/2 n . Protocol: Repeat k times. Prover: Privately take G and randomly permute vertices to get a graph F. Prover: Publicly present F to Verifier (G and H are public from the beginning). Verifier: Toss a coin, and ask Prover to show that G ∼= F if heads, or H ∼= F if tails.
  39. 39. Taxonomy http://www.wisdom .weizm ann.ac.il/~oded/cc-drafts.htm l Interactive, Non-Interactive Proofs Complexity Theory ZKP Related to Cryptography
  40. 40. • Cryptocurrency • Digital Watermarks • E-Voting • Gaming • Location • Mimblewimble • Private Messaging • Privacy Layer for Ethereum • Sealed Auctions • Smart Contracts (Hawk) • Supply Chain Transparency • Trusted Platform Module (TPM) • Zero-Knowledge Blockchain Scope Out of Scope Digital Identities • Identity Proofing • Authentication In Scope
  41. 41. References • Attribute-based Credentials for Trust (ABC4Trust) Project, https://abc4trust.eu/ (2017). • AU2EU Project, Authentication and Authorization for Entrusted Unions, http://www.au2eu.eu/ (2017). • Baldimsti, Foteini; Lysanskaya, Anna. Anonymous Credentials Light. http://cs.brown.edu/~anna/papers/bl13a.pdf (2013). • Ben Sasson, Eli; Chiesa, Alessandro; Garman, Christina, et al. Zerocash: Decentralized Anonymous Payments from Bitcoin, http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf (May 2014). • Bitansky, Nir; Weizman, Zvika Brakerski; Kalai, Yael. 3-Message Zero Knowledge Against Human Ignorance, https://eprint.iacr.org/2016/213.pdf (September 2016). • Blum, Manauel; De Santos, Alfredo; Micali, Silvio; Persiano, Giuseppe. Non-Interactive Zero-Knowledge and its Applications, https://people.csail.mit.edu/silvio/Selected%20Scientific%20Papers/Zero%20Knowledge/Noninteractive_Zero-Knowkedge.pdf (1991). • Brands, Stefan. Rethinking Public Key Infrastructures and Digital Certificates. The MIT Press, http://www.credentica.com/the_mit_pressbook.html (2000). • Bunz, Benedikt; Bootle, Jonathan; Boneh, Dan; et al. Bulletproofs: Short Proofs for Confidential Transactions and More, https://eprint.iacr.org/2017/1066.pdf (2017). • Camenisch, Jan and E. Van Herreweghen, Design and implementation of the IBM Idemix anonymous credential system, in Proceedings of the 9th ACM conference on Computer and communications security. ACM, 2002, pp. 21–30. • Camenisch, Jan; Dubovitskaya, Maria; Enderlein, Robert; et al. Concepts and languages for privacy-preserving attribute-based authentication, https://pdfs.semanticscholar.org/82e2/4078c9ba9fcaf6177a80b8496779676af114.pdf (2013).
  42. 42. References • Cutler, Becky. The Feasibility and Application of Using Zero-Knowledge Protocol for Authentication Systems, http://www.cs.tufts.edu/comp/116/archive/fall2015/bcutler.pdf (2015). • Durcheva, Mariana. Zero Knowledge Proof Protocol Based on Graph Isomorphism Problem, http://www.jmest.org/wp- content/uploads/JMESTN42351827.pdf (2016). • Fleischhacker, Nils; Goyal, Vuypil; Jain, Abhishek. On the Existence of Three Round Zero-Knowledge Proofs, https://eprint.iacr.org/2017/935.pdf (2017). • Gebeyehu, Worku; Ambaw, Lubak; Reddy, MA Eswar. Authenticating Grid Using Graph Isomorphism Based Zero Knowledge Proof, https://link.springer.com/chapter/10.1007/978-3-319-03107-1_2 (2014). • Geraud, Rémi. Zero-Knowledge: More Secure than Passwords? https://blog.ingenico.com/posts/2017/07/zero-knowledge-proof- more-secure-than-passwords.html (July 25, 2017). • Geers, Marjo; Comparing Privacy in eID Schemes, http://www.id-world-magazine.com/?p=923 (2017). • Goldreich, Oded. Zero-Knowledge: a tutorial by Oded Goldreich, http://www.wisdom.weizmann.ac.il/~oded/zk-tut02.html has extensive reference list (2010). • Goldreich, Oded; Yair, Oren. Definitions and Properties of Zero-Knowledge Proof Systems, http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.17.2901 (19940. • Goldwasser, Micali, Rackoff, The Knowledge Complexity of Interactive Proof-Systems, ACM 0-89791-151-2/85/005/02911 (1985). • Green, Matthew. Zero Knowledge Proofs: An Illustrated Primer, https://blog.cryptographyengineering.com/2014/11/27/zero- knowledge-proofs-illustrated-primer/ (November 2014).
  43. 43. References • Groth, Jens. Short Pairing-Based Non-Interactive Zero-Knowledge Arguments, http://www0.cs.ucl.ac.uk/staff/J.Groth/ShortNIZK.pdf (2010). • Groth, Jens; Lu, Steve. “A Non-Interactive Shuffle with Pairing Based Verifiability,” http://www0.cs.ucl.ac.uk/staff/J.Groth/AsiacryptPairingShuffle.pdf (2006). • Groth, Jens; Ostrovsky, Rafail; Sahai, Amit. New Techniques for Non-interactive Zero-Knowledge, http://www0.cs.ucl.ac.uk/staff/J.Groth/NIZKJournal.pdf (2011). • Guillou, Quisqater, “How to Explain Zero-Knowledge Protocols to Your Children,” http://pages.cs.wisc.edu/~mkowalcz/628.pdf (1998). • Gupta, Anuj Das; Delight, Ankur. Zero-Knowledge Proof of Balance: A Friendly ZKP Demo, http://blog.stratumn.com/zero- knowledge-proof-of-balance-demo/ (June 2017). • Hardjono, Thomas; Pentland, Alex “Sandy”; MIT Connection Science & Engineering; Core Identities for Future Transaction Systems, https://static1.squarespace.com/static/55f6b5e0e4b0974cf2b69410/t/57f7a1653e00be2c09eb96e7/1475846503159/Core- Identity-Whitepaper-v08.pdf (October 7, 2016). [TBD: check back, right now it is a DRAFT, do not cite] • ISO/IEC Information technology — Security techniques — Entity authentication — Part 5: Mechanisms using zero-knowledge techniques, https://www.iso.org/standard/50456.html (2015). • Johnstone, Mike; Why we need privacy-preserving authentication in the Facebook age, http://www.iaria.org/conferences2015/filesICSNC15/ICSNC_Keynote_v1.1a.pdf (November 2013). • Kogta, Ronak. ZK-Snarks in English, https://www.slideshare.net/rixor786/zksnarks-in-english?qid=0e3be303-84fc-43d2-be96- 6db2085a28ff&v=&b=&from_search=3 (July 2017).
  44. 44. References • Lindell, Yehudi. Efficient Zero-Knowledge Proof, https://www.youtube.com/watch?v=Vahw28dValA, (2015). • Lysyanskaya, Anna. How to Balance Privacy and Key Management in User Authentication, http://csrc.nist.gov/groups/ST/key_mgmt/documents/Sept2012_Presentations/LYSYANSKAYA_nist12.pdf (2012). • Martin-Fernandez, Francisco; Caballero-Gil, Pino; Caballero-Gil, Candido. Authentication Based on Non-Interactive Zero- Knowledge Proofs for the Internet of Things. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4732108/ (January 2016). • Mohr, Austin. A Survey of Zero-Knowledge Proofs with Applications to Cryptography, http://www.austinmohr.com/work/files/zkp.pdf. • Montenegro, Jose.; Fischer, Michael; Lopez, Javier; et al. Secure Sealed-Bid Online Auctions Using Discreet Cryptographic Proof, http://www.sciencedirect.com/science/article/pii/S0895717711004535?via%3Dihub (June 2013). • Nguyen, Quan; Rudoy, Mikhail; Srinivasan, Arjun. Two Factor Zero Knowledge Proof Authentication System, https://courses.csail.mit.edu/6.857/2014/files/16-nguyen-rudoy-srinivasan-two-factor-zkp.pdf (2014). • Schukat, M; Flood, P. Zero-knowledge Proofs in M2M Communication, http://digital- library.theiet.org/content/conferences/10.1049/cp.2014.0697 (2014). • Broadbent, Ann; Ji, Zhengfeng; Song, Fang. Zero-knowledge proof systems for QMA, https://arxiv.org/pdf/1604.02804.pdf (2016). • Unruh, Dominique. Quantum Proofs of Knowledge, https://eprint.iacr.org/2010/212.pdf (February 2015). • Wilcox, Zooko. Podcast, Zero Knowledge, The Future of Privacy. https://medium.com/blockchannel/episode-3-zero-knowledge- the-future-of-privacy-ea18479295f4 (February 21, 2017). • Wu, Huixin; Wang, Feng. A Survey of Noninteractive Zero Knowledge Proof System and its Applications. https://www.hindawi.com/journals/tswj/2014/560484/ (May 2014).
  45. 45. EUROCRYPT 2018 https://eurocrypt.iacr.org/2018/acceptedpapers.htm l Efficient Designated-Verifier Non-Interactive Zero-Knowledge Proofs of Knowledge • Pyrros Chaidos (University of Athens), Geoffroy Couteau (Karlsruhe Institute of Technology) Quasi-Optimal SNARGs via Linear Multi- Prover Interactive Proofs • Dan Boneh (Stanford), Yuval Ishai (Technion and UCLA), Amit Sahai (UCLA), David J. Wu (Stanford) On the Existence of Three Round Zero- Knowledge Proofs • Nils Fleischhacker (Johns Hopkins University and Carnegie Mellon University), Vipul Goyal (Carnegie Mellon University), Abhishek Jain (Johns Hopkins University) An Efficiency-Preserving Transformation from Honest-Verifier Statistical Zero- Knowledge to Statistical Zero-Knowledge • Pavel Hubáček (Charles University in Prague), Alon Rosen (IDC Herzliya), Margarita Vald (Tel- Aviv University) Partially Splitting Rings for Faster Lattice- Based Zero-Knowledge Proofs • Vadim Lyubashevsky (IBM Research - Zurich), Gregor Seiler (IBM Research - Zurich)
  46. 46. Backup Slides
  47. 47. The Schnorr NIZK proof is obtained from the interactive Schnorr identification scheme through a Fiat-Shamir transformation • This transformation involves using a secure cryptographic hash function to issue the challenge instead https://tools.ietf.org/htm l/draft-hao-schnorr-01 Schnorr NIZK (IETF Draft) G raphic: https://www.bswllc.com /resources-articles- preparing-for-the-2013-coso-internal-fram ework
  48. 48. Zero-Knowledge Proof, Formal Definition http://www.cs.cornell.edu/courses/cs6810/2009sp/scribe/lecture18.pdf An interactive proof system (P, V) for a language L is zero- knowledge if for any PPT verifier V∗ there exists an expected PPT simulator S such that ∀ x ∈ L, z ∈ {0, 1} ∗, ViewV∗ [P(x) ↔ V∗ (x, z)] = S(x, z) As usual, P has unlimited computation power (in practice, P must be a randomized TM). Intuitively, the definition states that an interactive proof system (P, V) is zero-knowledge if for any verifier V∗ there exists an efficient simulator S that can essentially produce a transcript of the conversation that would have taken place between P and V∗ on any given input.
  49. 49. ZKPOK I can’t tell you my secret, but I can prove to you that I know the secret Source: J. Chou, SC700 A2 Internet Inform ation Protocols (2001) G raphic: http://www.flowm arq.com /single-post/2015/05/18/IDENTITY-Clarifying-M otivations
  50. 50. https://www.sym antec.com /connect/blogs/you-can-t-have-privacy-without-security https://www.m icrosoft.com /en-us/research/research-area/security-privacy-cryptography/ You can have security without privacy, but you can’t have privacy without security. — Carolyn Herzog, EVP and General Counsel, ARM
  51. 51. ZKP Variations https://eprint.iacr.org/2010/150.pdf • GMR defined knowledge as the computational power of a party • Differentiates “knowledge” from “information” • Knowledge is coupled with computational power
  52. 52. • One-Round ZKP • Pairing-Based Non-Interactive Arguments • Perfect ZKPs • Private-coin ZKP • Public-coin ZKP • Scalable Transparent Argument of Knowledge (STARK) • Scalable Transparent IOP of Knowledge (STIK) • Schnorr Non-Interactive Zero-Knowledge Proof • Statistical Zero-Knowledge • Succinct Interactive Proof (SCIP) • Succinct Non-Interactive Argument (SNARG) • Succinct Non-Interactive Argument of Knowledge (SNARK) • Super-Perfect ZKP • Symbolic Zero-Knowledge Proof • Three-Round ZKP • ZK Arguments • ZKP Based on Graph Isomorphism • ZKP of Proximity (ZKPP) https://ieeexplore.ieee.org/docum ent/1524082/ https://eprint.iacr.org/2018/167.pdf https://eurocrypt.iacr.org/2018/acceptedpapers.htm l http://www0.cs.ucl.ac.uk/staff/J.G roth/NIZKJournal.pdf https://eprint.iacr.org/2017/114.pdf http://www.jm est.org/wp-content/uploads/JM ESTN42351827.pdf Examples: ZKP Variations, Terminology • Approximate Zero-Knowledge Proof • Bulletproof • Computationally sound implementations of Symbolic Zero- Knowledge Proof • Concurrent ZKP • Designated-Verifier Non-Interactive Zero-Knowledge Proof (DVNIZK) • Double Advance ZKP • !-zero-knowledge (weaker notion of ZKP) • Five-Round ZKP • Honest-Verifier Statistical Zero-Knowledge • Implicit Zero-Knowledge Arguments • Lattice-Based ZKPs • Lepinski’s 3-round ZK proof protocol • Non-Interactive Zero-Knowledge Arguments • Non-Interactive Proofs of Kowledge (NI)ZKPoKs
  53. 53. ZKP Challenges https://www.slideshare.net/arunta007/elliptic-curve-cryptography-and-zero-knowledge-proof-27914533?next_slideshow=1 https://www.starkware.co/#jobs • Requires expertise and experience o PhD mathematics or cryptography o Algebraic cryptography requiring high- performance computation in finite fields o Applications of modern algebra to algorithms and computer science • Correct usage • Security, threat model • Audited code, formal verification • Known bugs and vulnerabilities Graphic: http://www.digifotopro.nl/content/beklimming-mount-everest-360-graden-vastgelegd
  54. 54. ZKP Standards https://zkproof.org/ I think you should be more explicit here in step two Cartoonist: Sydney Harris Source: https://www.art.com /products/p15063445373-sa-i6847848/sidney-harris-i-think- you-should-be-m ore-explicit-here-in-step-two-cartoon.htm ZKProof.org • Open initiative • Industry, academia • First workshop May 2018 • Framework for a formal standard of Zero-Knowledge Proofs
  55. 55. Non-Interactive Zero-Knowledge Proof http://slideplayer.com /slide/2891428/ zk-SNARK Proof
  56. 56. ISO/IEC 9798-5:2009 Compliance with ISO/IEC 9798-5 may involve the use of the following patents and their counterparts in other countries. https://www.iso.org/standard/50456.htm l Patent Title Inventor Filing Date US 4 995 082 Method for identifying subscribers and for generating and verifying electronic signatures in a data exchange system C.P. Schnorr 1990 US 5 140 634 Method and apparatus for authenticating accreditations and for authenticating and signing messages L.C. Guillou and J-J. Quisquater 1991 EP 0 311 470 Methods and systems to authenticate authorizations and messages with a zero knowledge-proof system and to provide messages with a signature L.C. Guillou and J-J. Quisquater 1998 EP 0 666 664 Method for performing a double-signature secure electronic transaction M. Girault 1995
  57. 57. Attack Resilience (From Academia) http://repository.ust.hk/ir/bitstream /1783.1-6277/1/pseudo.pdf Attack Description Mitigation Impersonation A malicious impersonator, for either party Need secret, completeness and soundness Replay Attack Malicious peer or attacker collects previous proofs, and resends these Challenge message required Man in the Middle (MITM) Intruder is able to access and modify messages between prover and verifier (without them knowing) It depends, implementation specific Collaborated Attack Subverted nodes collaborate to enact identity fraud, or co-conspirator It depends, requires reputation auditing design Denial of Service (Dos) Renders networks, hosts, and other systems unusable by consuming bandwidth or deluging with huge number of requests to overload systems Could happen during authentication setup
  58. 58. Ideal for Identification ZKPs are the ideal solution to challenges in identification • Users can prove identities • No exchange of sensitive information • Mitigates identity theft – Sultan Almuhammadi – Charles Neuman University of Southern California, Los Angeles (2005) https://ieeexplore.ieee.org/docum ent/1524082/ Graphic: https://www.equifax.com.au/personal/articles/what-identity-watch
  59. 59. Any sufficiently advanced technology is indistinguishable from magic. – Arthur C. Clarke Graphic: https://www.shutterstock.com/video/search/loop-ready-file/?ref_context=keyword
  60. 60. ZKP Requirements http://www0.cs.ucl.ac.uk/staff/J.G roth/ShortNIZK.pdf http://www.austinm ohr.com /work/files/zkp.pdf http://www.wisdom .weizm ann.ac.il/~oded/zk-tut02.htm l Completeness • If statement is true, verifier will be convinced by prover Soundness • If statement is false, a cheating prover cannot convince verifier it is true o Except with some small probability Zero-Knowledge • Verifier learns nothing beyond the statement’s validity Graphic: http://mentalfloss.com/article/64108/15-things-you-should-know-about-dogs-playing-poker
  61. 61. Known Vulnerabilities An Example
  62. 62. Zero-Knowledge Range Proof (ZKRP) Validate • Person is 18-65 years old oWithout disclosing the age • Person is in Europe oWithout disclosing the exact location https://github.com /ing-bank/zkrangeproof
  63. 63. ZKRP Vulnerability • Madars Virza • “The publicly computable value y/t is roughly the same magnitude (in expectation) as w^2 * (m-a+1)(b-m+1). However, w^2 has fixed bit length (again, in expectation) and thus for a fixed range, this value leaks the magnitude of the committed value.” • The proof is not zero knowledge • Response: will find alternative ZKP https://github.com /ing-bank/zkrangeproof Graphic: https://www.pexels.com/photo/milkweed-bug-perching-on-pink-flower-in-close-up- photography-1085549/

×