Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledge Proofs

Privacy-Preserving Authentication: Another
Reason to Care about
Zero-Knowledge Proofs
Clare Nelson, CISSP, CIPP/E
@Safe_SaaS
OWASP Austin
August 29, 2017
clare.nelson@allclearid.com
Posted on SlideShare:
https://www.slideshare.net/eralcnoslen/privacypreserving-
authentication-another-reason-to-care-about-zeroknowledge-proofs

Clare Nelson, @Safe_SaaS
Any sufficiently advanced
technology is indistinguishable
from magic
—Arthur C. Clarke
Graphic: https://www.shutterstock.com/video/search/loop-ready-file/?ref_context=keyword

Source: https://www.usenix.org/legacy/event/hotsec08/tech/full_papers/parno/parno_html/index.html
Graphic: https://www.windowscentral.com/best-dell-laptop
If you have a PC,
you have probably touched
Zero-Knowledge Proof

Scope
In Scope
• Digital User Authentication
Not in Scope
• Other Authentication Use Cases
IoT, Services, Devices
• E-Voting
• Digital Watermarks
• Sealed Auctions
• Cryptocurrency
Zcash
Biometrics
Blockchain, Digital Ledger Technology
Graphic: http://www.itproportal.com/2016/04/07/the-role-of-biometric-authentication-techniques-in-security/

Problem #1, Passwords are Broken
2017
936 Breaches
19,001,935 Records Exposed
Source: http://www.idtheftcenter.org/images/breach/2017Breaches/DataBreachReport_2017.pdf
Graphic: https://www.youtube.com/watch?v=rtMztv0foU4

Data breaches support, enable other crimes
• Human and drug trafficking
• Terrorist activities
• Child exploitation
• Ransom, prove to company breach occurred
• Other illicit activities
Connecting the Dots
Source: https://www.ncfta.net/Home/News
Weak or stolen
passwords
Data
breaches
Crime

Problem #2, Lack of Privacy for Some
Microsoft Privacy Strategy
• Provide customers more
control over collection and use
of their personal information
• Enable people to prove things
about themselves without
revealing their identity
Source: https://privacy.microsoft.com/en-us/privacystatement
Source: https://blogs.technet.microsoft.com/privacyimperative/2008/03/06/microsoft-acquires-credenticas-u-prove-technology/
Graphic: http://www.flowmarq.com/single-post/2015/05/18/IDENTITY-Clarifying-Motivations

007 Wants to Read the News
Source: Credit to Anna Lysyanskaya for the 007 metaphor
Graphic: http://www.007.com/characters/the-bonds/
I can tell you.
But then I’ll have to kill you.
www.telegraph.co.uk
Today’s news?
Today’snews?Who are you?
Do you have a subscription?

007 Reads the News, Uses Subscription and Reveals PII
My subscription is #4309115
www.telegraph.co.uk
Today’s news?
www.telegraph.co.uk knows this is 007, it learns 007’s PII including:
- Zip code when he looks up the weather
- Date of birth when he reads his horoscope
- Gender when he browses the personal ads

007 Reads the News, Remains Anonymous
Here is a Zero-Knowledge Proof
www.telegraph.co.uk
Today’s news?

Zero-Knowledge Proof (ZKP)
Source: J. Chou, SC700 A2 Internet Information Protocols (2001)
I can’t tell you my secret,
but I can prove to you
that I know the secret

Source: J. Chou, SC700 A2 Internet Information Protocols (2001)
Zero-Knowledge Proofs are convincing,
yet they yield nothing beyond the validity
of the assertion being proven
—Alon Rosen, Author of Concurrent Zero-Knowledge,
Associate Professor IDC Herzliya

• Authentication
• Privacy
• Zero-Knowledge Proof

Definitions: Authentication, Privacy
Authentication (User)
• Process of verifying the identity, attributes of a user
• Two or more of something you know, something you have, or
something you are
Privacy (Individual)
• A state in which one is not observed or disturbed by other
people or entities
• European Union: privacy is a fundamental human right (GDPR)
• Ability of individuals to seclude themselves, or information
about themselves, and thereby express themselves selectively
Source: https://niccs.us-cert.gov/glossary
Source: https://en.oxforddictionaries.com/definition/privacy
Source: https://en.wikipedia.org/wiki/Privacy
Source: http://www.madisonaveinsights.com/2014/06/ghostery-assuages-privacy-concerns-through-transparency-and-control/
Source: https://www.thinglink.com/scene/711605013062877186
Know Have Are

Definition of Zero-Knowledge Proof (ZKP), 1 of 2
Proof System
• Proof does not mean math proof, it refers to proof system
Zero-Knowledge Proof
Enables a prover to convince a verifier of the truth of a
statement without leaking any other information
• Zero-knowledge proofs yield nothing beyond the
validity of the assertion
• ZKP supports anonymous, verifiable transaction
identities
• Interactive, requires back and forth, exchange of
messages, between prover and verifier
• Randomness is used
• ZKP is probabilistic, does not provide absolute
certainty
Source: http://www0.cs.ucl.ac.uk/staff/J.Groth/ShortNIZK.pdf
Source: http://www.austinmohr.com/work/files/zkp.pdf
Source: http://www.wisdom.weizmann.ac.il/~oded/zk-tut02.html
Source: https://www.sedicii.com/2015/07/30/zero-knowledge-authentication/
Prover Verifier
Proof of a
statement

Definition of Zero-Knowledge Proof (ZKP), 2 of 2
Source: http://www0.cs.ucl.ac.uk/staff/J.Groth/ShortNIZK.pdf
Source: http://mentalfloss.com/article/64108/15-things-you-should-know-about-dogs-playing-poker
ZKP requirements:
• Zero-Knowledge: Reveal no additional
information beyond the statement’s
validity
• Completeness: If statement is true,
honest verifier (follows the protocol)
will be able to prove statement is true
every time
• Soundness: If the statement is false, a
cheating prover cannot convince the
honest verifier that it is true, except
with very small probability

Soundness
Graphic: https://www.google.com/search?biw=1600&bih=765&tbm=isch&q=daniel+craig+james+bond&sa=X&ved=0ahUKEwiaiLWN9s3VAhXI64MKHY7TDHUQhyYIKw#imgrc=Am84tWm-iK_ayM:
It’s Bond. James Bond.
www.telegraph.co.uk
Today’s news?
(M fails because she can’t prove to Telegraph)

Zero-Knowledge Proof (ZKP) Advantages
Source: https://www.slideshare.net/arunta007/elliptic-curve-cryptography-and-zero-knowledge-proof-27914533?next_slideshow=1
• Privacy-preserving
• Zero knowledge is transferred
between prover and verifier
• Verifier accepts or rejects proof after
multiple challenges and responses
• No degradation of protocol
• Based on problems like discrete
logarithms and integer factorization
• Probabilistic proof protocol
• Computational efficiency, no
encryption

Evolution from Interactive to Non-Interactive ZKP (NIZKP)
Source: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4732108/
• Interactive, multiple
challenge/response messages
• Requires stable, continuous
communication channel
ZKP
• Non-Interactive, one message
• Takes less time
• More efficient
• Optimized for IoT
NIZKP

Disadvantages: Deployment and Correct Usage
Source: https://www.youtube.com/watch?v=CKncw6mIMJQ&list=PLpr-xdpM8wG8DPozMmcbwBjFn15RtC75N
Source: http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf
ZKP
• Limited – Secret must be numerical, translation may be needed
• Lengthy – Many computations, each requires run time
• Stable, continuous connection – Support multiple challenges and
responses between prover and verifier
• Imperfect – An attacker can still intercept the transmission
NIZKP
• More efficient, but in some cases still not succinct
enough
• May not preserve deniability
zk-SNARK
• Still need one-time setup phase
• Tradeoff for having shorter proofs and faster
verification times is stronger assumptions
• zk-SNARK proofs are publicly verifiable, uses Diffie-
Hellman shared secret key variation (too early to
tell disadvantages)

Attack Resilience: Academia, not Real World
Source: http://repository.ust.hk/ir/bitstream/1783.1-6277/1/pseudo.pdf
Attack Description Mitigation
Impersonation A malicious impersonator, for either party Need secret, completeness
and soundness
Replay Attack Malicious peer or attacker collects
previous proofs, and resends these
Challenge message required
Man in the
Middle (MITM)
Intruder is able to access and modify
messages between prover and verifier
(without them knowing)
It depends, implementation
specific
Collaborated
Attack
Subverted nodes collaborate to enact
identity fraud, or co-conspirator
It depends, requires
reputation auditing design
Denial of
Service (Dos)
Renders networks, hosts, and other
systems unusable by consuming
bandwidth or deluging with huge number
of requests to overload systems
Could happen during
authentication setup

Zero-Knowledge Proof for Authentication, Timeline
1985
- Goldwasser,
Micali, Rackoff
paper (MIT
Research)
2008
- Microsoft
acquired
Credentica,
basis for
Microsoft U-
Prove
2014
- Two Factor
Zero-
Knowledge
Proof
Authentication
System
2013
- Sedicci
founded, no
transmission
of private user
data
2015
- IBM Identity
Mixer
announced
2016
- MIRACL
announced
Zero-Factor
Authentication
- Sovrin
founded
Source: https://courses.csail.mit.edu/6.857/2014/files/16-nguyen-rudoy-srinivasan-two-factor-zkp.pdf
Includes variations, some combine classical systems with ZKP systems

Zero-Knowledge Proofs are one of
the most powerful tools
cryptographers have ever devised.
But unfortunately they’re also
relatively poorly understood.
Source: https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/
—Matthew Green, cryptographer and
professor at Johns Hopkins University,
creator of Zcash
∀ x ∈ L, z ∈ {0, 1} ∗, ViewV∗ [P(x) ↔ V∗ (x, z)] = S(x, z)

Zero-Knowledge Proof Illustration
Horizon Telecom Company
• Cell towers
• 11 vertices
• Connected by lines, or edges
• Avoid overlap
• Use 1 of 3 signals

Instance of 3-Color Graph
Problem
• Use colors to represent
frequency bands
• Avoid overlap
• Use 1 of 3 signals
• Easy to solve for 11 vertices
• Hard to solve for larger
numbers, e.g. 900
• Outsource problem, need big
compute

Proof of Solution
• Indoor basketball court
• Spread pieces of paper on floor,
each piece is a vertex
• Pick 3 different-colored crayons
at random
• Color the paper to represent
the solution
• Put hats over the paper to hide
the solution

Source: http://www.automatedtesting.com/Product%20Roadmap.html
Proof of Solution
• Remove two hats
• See vertices are different colors
___________________________
Repeat this process
Lay out new pieces of paper on
floor
Pick 3 crayons at random
Color the paper
Place hats over paper
Invite Verifier
Remove two hats
Prove have solution without
revealing it
Each time the process is repeated,
confidence goes up that a valid solution
was found

Source: Inspired by http://blog.stratumn.com/zkp-hash-chains/
VerifierProver
Construct
ZKP
Verify
ZKP
Proof

Zero-Knowledge Proof (ZKP), Discrete Logarithm Example
Source: http://slideplayer.com/slide/8235130/
b = gx (mod n)
Step Description Prover (P) Verifier (V)
0 Setup g, b, n, x g, b, n
1 Prover generates random r r
2 P sends h = gr mod n to V h h
3 V flips a coin, c = H or T c c
4 If c = H, P sends r to V r, check gr = h
5 If c = T, P sends m = x + r m m, check gm = bh
6 Repeat steps 1-5 until Verifier is convinced that Prover knows x (with
probability 1-2-k, for k iterations)

Real World Demo
Permission granted, Source: https://www.miracl.com/take-a-tour-of-zfa

Permission granted, Source: https://www.miracl.com/take-a-tour-of-zfa
Real World Demo

The Future
Source: https://eprint.iacr.org/2010/212.pdf
Graphic:: https://www.scientificamerican.com/article/quantum-computers-compete-for-supremacy/
With that notation, hP(x, w), V ∗ (Z)i is the same as
com ← P1(x, w), ch ← V ∗ 1 (com, Z), resp ← P2(x, w, ch), V
∗ 2 (resp, Z).
Σ is SHVZK 〚HVZK〛. Hence there is a quantum-
polynomial-time simulator SΣ such that for any 〚quantum-
polynomial-time〛 DΣ: Pr[b = 1 : com ← P1(x, w), ch R ←
Cηx, resp ← P2(x, w, ch), b ← DΣ(|Ψi, com, ch, resp)] − Pr[b
= 1 : (com, ch, resp) ← SΣ(x), b ← DΣ(|Ψi, com, ch, resp)] ≤
εD
where εD = εD(η) is a negligible function depending on DΣ.
Let [ch = ch∗ ] := 1 iff ch = ch∗ .
Then: Pr[succ = 1 ∧ b = 1 : ZE ← |Ψi,hP(x, w), V ∗ (Z)i, b ←
D(Z, E), ch∗ R ← Cηx, succ := [ch = ch∗ ]] (3) = Pr[succ = 1 ∧ b
= 1 : ZE ← |Ψi, com ← P1(x, w), ch ← V ∗ 1 (com, Z), resp ←
P2(x, w, ch), V ∗ 2 (resp, Z), b ← D(Z, E), ch∗ R ← Cηx, succ :=
[ch = ch∗ ]] (∗) = Pr[succ = 1 ∧ b = 1 : com ← P1(x, w), ch∗ R
← Cηx, resp ← P2(x, w, ch∗ ), ZE ← |Ψi, ch ← V ∗ 1 (com, Z),
succ := [ch = ch∗ ], V ∗ 2 (resp, Z), b ← D(Z, E)] ε ≈ Pr[succ = 1
∧ b = 1 : (com, ch∗ , resp) ← SΣ(x), ZE ← |Ψi, ch ← V ∗ 1
(com, Z), succ := [ch = ch∗ ], V ∗ 2 (resp, Z), b ← D(Z, E)] =
Pr[succ = 1 ∧ b = 1 : ZE ← |Ψi, Y, C ← |0i, S1(x, CZY ), succ ←
M(C), b ← D(Z, E)]

Clare Nelson, @Safe_SaaSGraphic: http://www.trustev.com/
Alternative for Privacy-Invasive, Continuous, Risk-Based Authentication

Trusted Platform Module (TPM)
• TPM 1.2 uses ZKP
• TPM 2.0 takes another path
• 2017 Paper from IBM, Intel, Infineon
 Solution, minimal changes to
current TPM 2.0
Source: https://www.cryptomathic.com/news-events/blog/the-trusted-platform-module-explained
Source: http://ieeexplore.ieee.org/document/7958616/
Source: https://eprint.iacr.org/2017/639
Breaking News in the ZKP World
May 2017 conference
YouTube meeting presentation: https://www.youtube.com/watch?v=8tzLOA4YGhc

Source: https://www.youtube.com/watch?v=1fXLJBN-KfI
Source: https://arxiv.org/pdf/1604.02804.pdf
Source: https://simons.berkeley.edu/sites/default/files/docs/1328/slidesunruh.pdf
Graphic: https://www.newscientist.com/article/mg23130894-000-revealed-googles-plan-for-quantum-computer-supremacy/
Zero-Knowledge Proof in a Quantum World?
Station Q
• Worldwide consortium for the advancement of
topological quantum computation
• Zero-knowledge proof systems for QMA
 QMA = Quantum Merlin Arthur (Merlin
Arthur from computational complexity)
Dominique Unruh
• New challenges in quantum case
• Quantum proofs of knowledge
• There are zero-knowledge quantum proofs of
knowledge for all languages in NP (2015)

We Stand on the Shoulders of Giants
Source: https://www.csail.mit.edu/user/733
Source: http://researcher.watson.ibm.com/researcher/view.php?person=zurich-jca
Source: http://www.idtrail.org/content/view/55/43/index.html
Source: https://z.cash/team.html
Shafi Goldwasser
Jan Camenisch
Stefan Brands
Matthew Green

@Safe_SaaS
clare.nelson@allclearid.com
Slides posted on SlideShare:
https://www.slideshare.net/eralcnoslen/pri
vacypreserving-authentication-another-
reason-to-care-about-zeroknowledge-proofs
Questions?
Recommended Reading
1. Data and Goliath, Bruce Schneier (2015)
2. Matthew Green, cryptography blog, Professor Johns Hopkins
3. One TPM to Bind Them All, TPM 2.0 paper by Jan Camenisch,
et al. (2017)

Source: https://www.symantec.com/connect/blogs/you-can-t-have-privacy-without-security
Source: https://www.microsoft.com/en-us/research/research-area/security-privacy-cryptography/
You can have security
without privacy,
but you can’t have privacy
without security.
— Carolyn Herzog, EVP and General Counsel, ARM

Evolution of User Authentication
Genesis (1960s)
- Passwords
- Knowledge-Based
Verification (KBV),
Security questions
- Hardware tokens
- Software tokens
Convenience, Techno Fad
- Biometrics
- Blockchain Digital
Ledger Technology
(DLT)
Privacy-Preserving
- Zero-Knowledge
Proof
- Anonymous or
pseudonymous
techniques

References, 1 of 3
• Attribute-based Credentials for Trust (ABC4Trust) Project, https://abc4trust.eu/ (2017).
• AU2EU Project, Authentication and Authorization for Entrusted Unions, http://www.au2eu.eu/ (2017).
• Baldimsti, Foteini; Lysanskaya, Anna. Anonymous Credentials Light. http://cs.brown.edu/~anna/papers/bl13a.pdf (2013).
• Ben Sasson, Eli; Chiesa, Alessandro; Garman, Christina, et al. Zerocash: Decentralized Anonymous Payments from Bitcoin, http://zerocash-
project.org/media/pdf/zerocash-extended-20140518.pdf (May 2014).
• Bitansky, Nir; Weizman, Zvika Brakerski; Kalai, Yael. 3-Message Zero Knowledge Against Human Ignorance,
https://eprint.iacr.org/2016/213.pdf (September 2016).
• Brands, Stefan. Rethinking Public Key Infrastructures and Digital Certificates. The MIT Press,
http://www.credentica.com/the_mit_pressbook.html (2000).
• Camenisch, Jan and E. Van Herreweghen, Design and implementation of the IBM Idemix anonymous credential system, in Proceedings of the
9th ACM conference on Computer and communications security. ACM, 2002, pp. 21–30.
• Camenisch, Jan; Dubovitskaya, Maria; Enderlein, Robert; et al. Concepts and languages for privacy-preserving attribute-based
authentication, https://pdfs.semanticscholar.org/82e2/4078c9ba9fcaf6177a80b8496779676af114.pdf (2013).
• Cutler, Becky. The Feasibility and Application of Using Zero-Knowledge Protocol for Authentication Systems,
http://www.cs.tufts.edu/comp/116/archive/fall2015/bcutler.pdf (2015).
• Geraud, Rémi. Zero-Knowledge: More Secure than Passwords? https://blog.ingenico.com/posts/2017/07/zero-knowledge-proof-more-
secure-than-passwords.html (July 25, 2017).
• Geers, Marjo; Comparing Privacy in eID Schemes, http://www.id-world-magazine.com/?p=923 (2017).
• Goldreich, Oded. Zero-Knowledge: a tutorial by Oded Goldreich, http://www.wisdom.weizmann.ac.il/~oded/zk-tut02.html has extensive
reference list (2010).

References, 2 of 3
• Goldreich, Oded; Yair, Oren. Definitions and Properties of Zero-Knowledge Proof Systems,
http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.17.2901 (19940.
• Goldwasser, Micali, Rackoff, The Knowledge Complexity of Interactive Proof-Systems, ACM 0-89791-151-2/85/005/02911 (1985).
• Green, Matthew. Zero Knowledge Proofs: An Illustrated Primer, https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-
proofs-illustrated-primer/ (November 2014).
• Groth, Jens; Lu, Steve. “A Non-Interactive Shuffle with Pairing Based Verifiability,”
http://www0.cs.ucl.ac.uk/staff/J.Groth/AsiacryptPairingShuffle.pdf (2006).
• Groth, Jens. Short Pairing-Based Non-Interactive Zero-Knowledge Arguments, http://www0.cs.ucl.ac.uk/staff/J.Groth/ShortNIZK.pdf (2010).
• Guillou, Quisqater, “How to Explain Zero-Knowledge Protocols to Your Children,” http://pages.cs.wisc.edu/~mkowalcz/628.pdf (1998).
• Gupta, Anuj Das; Delight, Ankur. Zero-Knowledge Proof of Balance: A Friendly ZKP Demo, http://blog.stratumn.com/zero-knowledge-proof-
of-balance-demo/ (June 2017).
• Hardjono, Thomas; Pentland, Alex “Sandy”; MIT Connection Science & Engineering; Core Identities for Future Transaction Systems,
https://static1.squarespace.com/static/55f6b5e0e4b0974cf2b69410/t/57f7a1653e00be2c09eb96e7/1475846503159/Core-Identity-
Whitepaper-v08.pdf (October 7, 2016). [TBD: check back, right now it is a DRAFT, do not cite]
• ISO/IEC Information technology — Security techniques — Entity authentication — Part 5: Mechanisms using zero-knowledge techniques,
https://www.iso.org/standard/50456.html (2015).
• Johnstone, Mike; Why we need privacy-preserving authentication in the Facebook age,
http://www.iaria.org/conferences2015/filesICSNC15/ICSNC_Keynote_v1.1a.pdf (November 2013).
• Kogta, Ronak. ZK-Snarks in English, https://www.slideshare.net/rixor786/zksnarks-in-english?qid=0e3be303-84fc-43d2-be96-
6db2085a28ff&v=&b=&from_search=3 (July 2017).

References, 3 of 3
• Lysyanskaya, Anna. How to Balance Privacy and Key Management in User Authentication,
http://csrc.nist.gov/groups/ST/key_mgmt/documents/Sept2012_Presentations/LYSYANSKAYA_nist12.pdf (2012).
• Martin-Fernandez, Francisco; Caballero-Gil, Pino; Caballero-Gil, Candido. Authentication Based on Non-Interactive Zero-Knowledge Proofs
for the Internet of Things. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4732108/ (January 2016).
• Mohr, Austin. A Survey of Zero-Knowledge Proofs with Applications to Cryptography, http://www.austinmohr.com/work/files/zkp.pdf.
• Montenegro, Jose.; Fischer, Michael; Lopez, Javier; et al. Secure Sealed-Bid Online Auctions Using Discreet Cryptographic Proof,
http://www.sciencedirect.com/science/article/pii/S0895717711004535?via%3Dihub (June 2013).
• Nguyen, Quan; Rudoy, Mikhail; Srinivasan, Arjun. Two Factor Zero Knowledge Proof Authentication System,
https://courses.csail.mit.edu/6.857/2014/files/16-nguyen-rudoy-srinivasan-two-factor-zkp.pdf (2014).
• Unruh, Dominique. Quantum Proofs of Knowledge, https://eprint.iacr.org/2010/212.pdf (February 2015).
• Wilcox, Zooko. Podcast, Zero Knowledge, The Future of Privacy. https://medium.com/blockchannel/episode-3-zero-knowledge-the-future-
of-privacy-ea18479295f4 (February 21, 2017).
• Wu, Huixin; Wang, Feng. A Survey of Noninteractive Zero Knowledge Proof System and its Applications.
https://www.hindawi.com/journals/tswj/2014/560484/ (May 2014).

Backup Slides

Clare Nelson, CISSP, CIPP/E
Director, Office of the CTO at AllClear ID
Security, Privacy, and Identity
• Background
o Encrypted TCP/IP variants for NSA
o Product Management at DEC (HP), EMC2
o Director Global Alliances at Dell, Novell
o VP Business Development, TeaLeaf Technology (IBM), Mi3 Security
o CEO ClearMark Consulting, MFA Technology and Architecture
• 2001-2014 CEO ClearMark Consulting
• 2014 Co-founder C1ph3r_Qu33ns
• Publications include:
o 2010 August, ISSA Journal, Security Metrics: An Overview
o 2015 April, ISSA Journal, Multi-Factor Authentication: What to Look For
• Talks/Keynotes: Cloud Identity Summit 2017, InfraGard,
HackFormers; BSides Austin; LASCON; OWASP AppSec USA, ISSA
Austin; clients including Fortune 500 financial services, 2015 FTC
Panel
• B.S. Mathematics
Graphic: http://www.activistpost.com/2015/09/fbi-biometrics-programs-surveillance-database.html

Contents
Privacy-Preserving Authentication and Zero-Knowledge Proof (ZKP)
1. Introduction
2. Problems
3. Definitions
4. Examples
5. Standards
6. The Future
Graphic: http://www.computerhope.com/jargon/h/hacker.htm

Many Types of Zero-Knowledge Proof
Acronym Description Notes
ZKP Interactive Zero-Knowledge Proof First invention, multiple
messages between
prover and verifier
NIZKP Non-Interactive Zero-Knowledge Proof
Common Reference String model
• In 2003, Rafael Pass showed that in the common
reference string model non-interactive zero-
knowledge protocols do not preserve all of the
properties of interactive zero-knowledge
protocols; e.g., they do not preserve deniability
Less interaction
required between
prover and verifier
n/a Fiat-Shamir
zk-SNARK zero-knowledge Succinct Non-interactive ARgument of
Knowledge
Zcash

The views presented herein,
expressed in any form, represent
my personal views, and do not
necessarily reflect the views of
my employer.
Graphic: http://rununcensored.com/wp-content/uploads/2013/06/disclaimer.jpg

Some consumers want control of their
identity
• See where their identity resides
• See what data is collected
• Manage and curate it
• Request deletion
• If the data is old, update or leave as is
Source: https://www.sedicii.com/about-us/
Future of Identity and Privacy

Additional Research
• Libsnark (on GitHub)
 Zero knowledge: the verifier learns nothing from the proof beside the
truth of the statement (i.e., the value qux, in the above examples,
remains secret).
 Succinctness: the proof is short and easy to verify.
 Non-interactivity: the proof is a string (i.e. it does not require back-
and-forth interaction between the prover and the verifier).
 Soundness: the proof is computationally sound (i.e., it is infeasible to
fake a proof of a false NP statement). Such a proof system is also called
an argument.
 Proof of knowledge: the proof attests not just that the NP statement is
true, but also that the prover knows why (e.g., knows a valid qux).
• Pinocchio (Nearly Practical Verifiable Computation
 Microsoft Research and IBM Research
 https://eprint.iacr.org/2013/279.pdf
Source: https://github.com/scipr-lab/libsnark
Source: https://github.com/akosba/jsnark

Schnorr NIZK (IETF Draft)
The Schnorr NIZK proof is obtained from
the interactive Schnorr identification
scheme through a Fiat-Shamir
transformation
• This transformation involves using a
secure cryptographic hash function to
issue the challenge instead.
Source: https://tools.ietf.org/html/draft-hao-schnorr-01
Source: http://www.art.com/products/p15063445373-sa-i6847848/sidney-harris-i-think-you-should-be-more-explicit-here-in-step-two-cartoon.htm

ISO/IEC 9798-5 Zero-Knowledge Techniques (2009)
1. Providing unilateral authentication
Identities
Integer factorization
Discrete logarithms with respect to
numbers that are either prime or
composite
Discrete logarithms on elliptic curves
2. Providing unilateral or mutual
authentication
Asymmetric encryption systems
Source: https://www.iso.org/standard/50456.html
Asymmetric cryptography
• Remove potential threat
• Verifier cannot use Claimant
as an Oracle
• Get information about
private key
Entity authentication using zero-knowledge techniques

ISO/IEC 9798-5:2009
Compliance with ISO/IEC 9798-5 may involve the use of the following
patents and their counterparts in other countries.
Patent Title Inventor Filing
Date
US 4 995 082 Method for identifying subscribers and for
generating and verifying electronic signatures
in a data exchange system
C.P. Schnorr 1990
US 5 140 634 Method and apparatus for authenticating
accreditations and for authenticating and
signing messages
L.C. Guillou
and J-J.
Quisquater
1991
EP 0 311 470 Methods and systems to authenticate
authorizations and messages with a zero
knowledge-proof system and to provide
messages with a signature
L.C. Guillou
and J-J.
Quisquater
1998
EP 0 666 664 Method for performing a double-signature
secure electronic transaction
M. Girault 1995

Source: https://www.wsj.com/articles/hbos-hack-hollywood-is-under-siege-1502443802
Data, data everywhere. Jeremiah
Grossman, chief of security strategy
for cybersecurity company Sentinel
One, tells the WSJ that Hollywood TV
and movie companies are vulnerable
because they work with so many
partners that “their data is all over
the place.”

Evolution of Cryptography
Source: http://zerado.com/en/news/a-perfect-tool-for-secret-payments-from-bitcoin-with-zero-knowledge-proof-the-impact-of-z-cash/

More Authentication Examples
Company(s) Name Description
Gemalto,
Microsoft
U-Prove Gemalto integrated smart card technology with Microsoft U-Prove.
• U-Prove has been instrumental guiding minimal disclosure security.
• With Gemalto smart card technology is continuing to push this form of
online authentication forward (February 2017).
Source: http://www.id-world-magazine.com/?p=923
Source: https://blog.gemalto.com/corporate/2011/02/15/what-you-can-expect-to-see-from-us-at-the-rsa-conference/

Is Identity Theft Getting Worse or Better?
Changing Nature of Identity Theft
• Past: Financial- or credit-related identity theft
• Today: Malicious actors use stolen PII to:
Seek employment
Travel across international borders
Obtain prescription drugs
Receive medical treatment
Claim benefits
File false tax returns
Aid in other criminal activities
Synthetic Identity Theft
Occurs when a malicious actor constructs a new
identity
• Composite of multiple individuals' legitimate
information
• Plus fabricated information
Source: https://iapp.org/media/pdf/resource_center/m-17-12.pdf
2017 OMB Memo
• Preparing for and Responding to a
Breach of Personally Identifiable
Information

Computational Complexity and Cryptography
Source: http://slideplayer.com/slide/4951940/
Complexity Theory
• Study the resources required
to solve computational tasks
 Time
 Space (memory)
• Understand relations
between complexity
phenomena
• Provide new perspective on
various concepts
Cryptography
• Specify security
requirements of systems
• Use the computational
infeasibility of problems to
obtain security
• Almost any cryptographic
task requires using these
ideas
Connected

Concepts and languages for privacy-preserving attribute-based
authentication (2014)
Online Identity Providers
• Use SAML, OpenID, or WS-Federation
• The Identity Provider can impersonate its users, track and monitor
user online behavior
Privacy-preserving authentication solutions aim to prevent that
Source: http://www.sciencedirect.com/science/article/pii/S2214212614000167
Price is $31.50
Published in this journal

The Privacy Conundrum
If authentication concerns what a Relying Party needs to know about
you, then privacy is all about what they don’t need to know.
Privacy amounts to information minimization; security professionals
know this all too well as the “Need to Know” principle.
Source: https://www.secureidnews.com/news-item/abandoning-identity-in-favor-of-attributes/

Source: https://www.miracl.com/take-a-tour-of-zfa
Source: https://www.slideshare.net/bribriinlondon/apache-milagro-presentation-at-apachecon-europe-2016
Real World Solution
Key Setup
• Distributed Trust
Authorities (D-TAs)
• Receive key shares to
create the whole client key
• The whole key only exists
during setup and
authentication
• It is never stored in whole
form

ISO/IEC 9798-5
Compliance may involve the use of the following patents
Patent Title Inventor Filing
Date
US 4 995 082 Method for identifying subscribers and for
generating and verifying electronic signatures in a
data exchange system
C.P. Schnorr 1990
US 5 140 634 Method and apparatus for authenticating
accreditations and for authenticating and signing
messages
L.C. Guillou and
J-J. Quisquater
1991
EP 0 311 470 Methods and systems to authenticate
authorizations and messages with a zero
knowledge-proof system and to provide
messages with a signature
L.C. Guillou and
J-J. Quisquater
1998
EP 0 666 664 Method for performing a double-signature secure
electronic transaction
M. Girault 1995

ZKP Authentication Examples in Real World
Company Product Description GitHub
IBM Identity
Mixer
Cryptographic algorithm which enables transactions to occur
without unwillingly sharing any personal data,
https://github.com/IBM-Bluemix/idemix-
issuer-verifier
Microsoft U-Prove Cryptographic technology that enables the issuance and
presentation of cryptographically protected statements in a
manner that provides what is known as “multi-party security:”
issuing organizations, users, and relying parties can protect
themselves not just against outsider attacks but also against
attacks originating from each other.
https://github.com/credentials/uprove_sdk
Sedicii Sediccii Patented zero-knowledge proof authentication service, use
cases:
- Call center authentication
- Website login
- Credit card authorization
- Identity hub
- Respond to negative social media feedback
None
MIRACL MIRACL
Trust ZFA
Multi-Factor Zero-Knowledge Authentication (ZFA) Protocol, https://github.com/miracl/milagro-mfa-
server/wiki/What-is-M-Pin-Core
Sovrin Self-
Sovereign
Identity
Non-profit, open source, Sovrin Identity Network establishes
trust through transparency, diffusion, and neutrality,
https://github.com/sovrin-foundation/sovrin
Source: https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/U-Prove20Technology20Overview20V1.120Revision202.pdf

Evolution from Interactive to Non-Interactive ZKP (NIZKP)
Source: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4732108/
ZKP defines a method to prove the knowledge of a
certain piece of information without revealing
anything about it
• Typical ZKPs are based on several challenges and
responses, involving a successive exchange of
messages, which implies the need to have a
stable and continuous connection between
nodes
• However, this assumption is impossible in a
volatile environment like IoT, where sometimes,
devices move at a high speed, such as, for
example, smart vehicles
• In these cases, a massive exchange of messages
to run a typical ZKP can be infeasible due to
possible connection failures during the protocol
• In order to deal with this problem, the idea of
non-interactive ZKP (NIZKP) has emerged
In NIZKP, all of the challenges of a typical ZKP are
condensed into a single package sent in a single
message
• Optimizes time necessary for the exchange of
messages
• Single message instead of many messages
• The single message can be sent as a beacon in
broadcast mode
• Research: transform an interactive protocol into a
non-interactive protocol, which can be applied to
turn interactive ZKPs into NIZKPs thanks to the
use of hash function.
• NIZKP for NP whose construction is based on one-
way permutations and certified trapdoor
permutations

Microsoft U-Prove
Cryptographic technology that enables the issuance
and presentation of cryptographically protected
statements in a manner that provides what is known as
“multi-party security”
• Issuing organizations, users, and relying parties can
protect themselves not just against outsider attacks
but also against attacks originating from each other
• Enables any desired degree of privacy (including
authenticated anonymity and pseudonymity)
without contravening multi-party security
• User-centric aspects make the U-Prove technology
suited to create the digital equivalent of paper-
based credentials and the plastic cards in one's
wallet
Source: https://www.microsoft.com/en-us/research/project/u-prove/

This little-known
mathematical concept
could eventually make
passwords and PIN
codes obsolete.
Source: https://blog.ingenico.com/posts/2017/07/zero-knowledge-proof-more-secure-than-passwords.html
Source: https://perezbox.com/category/security/
—Remi Geraud, cryptography and
security expert in the Advanced Research
team of Ingenico’s innovation lab
Promise of Zero-Knowledge Proof

Source: https://www.zurich.ibm.com/identity_mixer/
Graphic: http://www.sandybeachbungalows.com/
—Jan Camenisch, Cryptographer and Co-Inventor of IBM Identity Mixer
The Internet is like the lunar surface—it never
forgets a footprint.
With Identity Mixer, we can turn it into a sandy
beach that regularly washes everything away.

If your personal data is
never collected, it cannot
be stolen.
Source: https://www.zurich.ibm.com/identity_mixer/
Graphic: https://www.va.gov/identitytheft/
Graphic: https://www.quora.com/How-many-online-accounts-does-the-average-American-person-have
—Maria Dubovitskaya, Cryptographer,
Research Staff Member, IBM Zurich
Research Laboratory

Examples of Additional Applications, Beyond Authentication
Category Name Description
Cryptocurrency Zcash Open, permissionless cryptocurrency that can fully protect the privacy of
transactions using zero-knowledge cryptography
• The scientists, advisors and engineers of ZECC developed and launched
the Zcash protocol; this includes all of the authors of the Zerocash
protocol, most of the creators of the Zerocoin protocol, and leading
researchers of zk-SNARKs themselves
zk-SNARKs stands for zero-knowledge Succinct Non-interactive ARgument of
Knowledge, and it is the protocol for Zcash
Watermark Watermark
verification
• Show the presence of watermark without revealing information about it
• Prevents removal of the watermark and reselling duplicate copies
E-Voting Emerging Stay tuned for updates, watching Estonia i-voting system, may be used for
homomorphic tallying.
Auctions Sealed-Bid
Auction
Winning bid is determined without information about the losing bids
leaking to either the auctioneer or other bidders, Secure Multiparty
Computation (SMC).
Cryptocurrency projects are fueling ZKP research and evolution
Source: https://www.nist.gov/publications/secure-sealed-bid-online-auctions-using-discreet-cryptographic-proofs

Is Identity Theft Getting Worse or Better? (Continued)
As the ways in which criminals can exploit PII have evolved, so too have
the ensuing types of harm to potentially affected individuals.
Identity theft can result in:
• Embarrassment
• Inconvenience
• Reputational harm
• Emotional harm
• Financial loss
• Unfairness
• In rare cases, risk to personal safety
Individuals can be:
• Arrested and charged for crimes they did not commit
• Professionals such as pharmacists and doctors can suffer irreparable
reputational harm
• Individuals can have benefits suspended or terminated
Source: https://iapp.org/media/pdf/resource_center/m-17-12.pdf

Open Source
Privacy-Preserving Attribute-Based Credential Engine
(p2abcengine)
• On GitHub:
https://github.com/p2abcengine/p2abcengine?cm_mc_u
id=33935528777214954828808&cm_mc_sid_50200000=
1502323851
• Interoperates with IBM Identity Mixer and Microsoft U-
Prove
• Developers can use Privacy-ABCs without having to
consider the specifics of the underlying cryptographic
algorithms

Open Source: Architecture
Parties of the privacy-preserving
Attribute-Based Credentials
(pABC) system:
• User
• Issuer
• Verifier
• Inspector
• Revocation Authority
Crypto Engines
Source: https://github.com/p2abcengine/p2abcengine/wiki/Architecture
Crypto Engine Crypto Engine

ABC4Trust EU Project
Source: https://www.abc4trust.eu/
EU-funded R&D project
Advancing the federation and interchangeability of
technologies supporting trustworthy, privacy-preserving
Attribute-Based Credentials (Privacy-ABCs)

Zero-Knowledge Proof, Formal Definition
Source: http://www.cs.cornell.edu/courses/cs6810/2009sp/scribe/lecture18.pdf
An interactive proof system (P, V) for a language L is zero-knowledge if
for any PPT verifier V∗ there exists an expected PPT simulator S such
that
∀ x ∈ L, z ∈ {0, 1} ∗, ViewV∗ [P(x) ↔ V∗ (x, z)] = S(x, z)
As usual, P has unlimited computation power (in practice, P must be a
randomized TM).
Intuitively, the definition states that an interactive proof system (P, V)
is zero-knowledge if for any verifier V∗ there exists an efficient
simulator S that can essentially produce a transcript of the
conversation that would have taken place between P and V∗ on any
given input.

Source: https://stratumn.com/proof-of-process.html
Horizon
Telecom
Grif
Computer
Limited
compute resources
Powerful
compute resources

Definition of Zero-Knowledge Proof (ZKP) Authentication Protocol
Zero Knowledge Proof (ZKP) Authentication Protocol
• Two parties involved
1. Prover
2. Verifier
• Enables the prover to show that they have the
credential (e.g., password), without having to give
the verifier the credential details
Source: https://en.wikipedia.org/wiki/Zero-knowledge_proof
No transmission or storage of
password/credential details

Source: https://www.wired.com/story/how-your-phone-number-became-the-only-username-that-matters/
Source: https://www.shutterstock.com/video/clip-4218796-stock-footage-girl-using-mobile-phone-smartphone.html
Identity, More Caution
How your phone number
became the only username
that matters
—David Pierce Gear, Wired
(August 2017)

Source: https://fidoalliance.org/specs/fido-uaf-v1.1-id-20170202/fido-ecdaa-algorithm-v1.1-id-20170202.html
Graphic: https://www.laptopmag.com/articles/tpm-chip-faq
FIDO ECDAA Algorithm
FIDO Basic Attestation scheme alternative
• Direct Anonymous Attestation (DAA) scheme
based on elliptic curves and bilinear pairings
called ECDAA
• Direct Anonymous Attestation is a cryptographic
scheme combining privacy with security
• Basic building blocks for its implementation are
part of TPM 2.0

Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledge Proofs

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledge Proofs

Ähnlich wie Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledge Proofs (20)

Mehr von Clare Nelson, CISSP, CIPP-E

Mehr von Clare Nelson, CISSP, CIPP-E (11)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledge Proofs

Hinweis der Redaktion