June 21st 2020
Dusk Network representative, blockchain & privacy evangelist
There is a lot of enthusiasm for the application of zero-knowledge proof systems. At Dusk Network we’ve developed the open-source PLONK zero-knowledge proof system. It can be used for many things, and what better way to demonstrate its potential than with an example!
Consider that you’re applying to rent a house. Anyone familiar with the process (especially in heated housing markets!) knows that it is quite likely to take multiple solicitations, and for every single one of them you’ll have to send your income statements, copies of your ID and other personal information to verify that your claim of being a suitable candidate fits the housing agency’s parameters and is in fact valid.
On the housing agency side, there is a demand for this solution too – they need to do validity checks on all of the documents provided, which can be erroneous (or faked). It takes up a lot of time and is a costly undertaking.
So how would zero-knowledge proof systems come into play? What it takes is a trusted app that only you can control (e.g. your mobile bank app or a Govt ID app) to produce a committed value. This committed value holds the key information about your income statement (which this agency warrants is true), and you use this value to prove via the zero-knowledge proof system to the verifier (i.e. the housing agency) that you are eligible for the house.
Zero-knowledge proof systems protect privacy. Let’s face it, in today’s world data equals power.
Without diving too deep into the magician’s hat of cryptography, let us explain the conceptual mathematics by means of apartment seeker Peggy and housing agent Victor. For starters, Peggy and Victor agree on a known mathematical model, or zero-knowledge proof system, which has a very special capability.
With Peggy repeatedly selecting random values and proving equations, Victor can confirm that she indeed has knowledge of value x. It works as follows.
Given a random value r selected by Peggy, Victor asks her to prove either equation A or equation B. Peggy knows how to perform both equations, and could easily come up with a random value that makes one of the two equations come out right.
However, without knowledge of value x she cannot derive A from B or B from A, and therefore has only a coin-flip chance of convincing Victor. Not knowing beforehand whether Victor will ask for equation A or B, Peggy would have to be extremely lucky to convince Victor without knowledge of x if the experiment is repeated n times for different values of r: her chance is halved with every round. This basic prover-verifier flow of a zero-knowledge proof system can be found below.
Essentially, zero-knowledge proof systems perform a series of cryptographic operations with the end-result being a mathematical proof that can be checked by the verifier, to verify that you have computed the proof honestly. And luckily, there are no manual calculations involved for Peggy and Victor.
How it works is simple: instead of sharing your data, you create a mathematical proof that guarantees to the receiver (the verifier) that you meet the predefined requirements. In this example, a governmental agency or a bank could issue a committed value in an application that only you can control (e.g. your mobile bank app or Govt ID app). This committed value holds the key information about your income statement, and only you can use this information to send it to the verifier (i.e. the housing agency).
So essentially, these zero-knowledge proof systems work by performing a series of cryptographic operations whose end result is a mathematical proof that the verifier can check, confirming that you have computed the proof honestly.
Think of blockchain-based systems where status updates are shared through the network without any sensitive data being revealed to the public, or imagine proving that you are part of a whitelist without sharing your identifying information, or proving that you are 18 or older without sharing your birth date.
Yes. It’s close to magic.
A short introduction on zero-knowledge proofs
In the literature, zero-knowledge proof systems are described as a “family of cryptographic systems that enable a prover to make claims about a mathematical statement to a verifier, without revealing any additional information other than that statement itself”.
In other words, zero-knowledge proofs allow you to prove that you know a ‘secret’ without actually telling or revealing the secret to another party. This is an extremely powerful tool because you can design systems that express a check as a computational programme and then make statements about its inputs (for example your actual age or password), without actually needing to share any of that data with other parties. And let’s face it, in today’s world data equals power.
Behind the curtains
For every individual case, a proof needs to be generated by the sender (i.e. the prover) and this proof needs to be verified by the receiver (i.e. the verifier), without revealing any additional information about the secret.
In more detail, a zero-knowledge proof must, therefore, satisfy the following three conditions:
- Completeness. If the statement is true, the honest verifier is convinced of this fact by the honest prover.
- Soundness. If the statement is false, no cheater can convince the honest verifier that the statement is true (a guarantee that holds with astronomically high probability!).
- Zero-knowledge. If the statement is true, the verifier does not receive any more information than the fact that the statement is true.
In the case of age verification: 18+ years old, TRUE or FALSE, with the answer visible only to the verifier.
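To make the Peggy/Victor flow above and the three properties concrete, here is an added toy example (not Dusk Network code, and unrelated to PLONK’s internals) of the simplest such protocol: Peggy proves she knows the secret x behind a public value y = g^x, Victor flips a coin each round to ask for “equation A” or “equation B”, an honest Peggy always passes (completeness), a Peggy without x passes a round only half the time (soundness), and a simulator with no x produces transcripts identical in distribution to real ones (zero-knowledge). The group parameters P, Q, G are constructed toy values, far too small for real use.

```python
import random
# Toy group parameters, constructed for illustration: p is a safe prime, q = (p-1)/2, and g generates the order-q subgroup mod p.
P, Q, G = 23, 11, 4

def verify(y, t, b, s):
    # Victor's check: b=0 is "equation A" (g^s == t), b=1 is "equation B" (g^s == t*y)
    return pow(G, s, P) == (t * pow(y, b, P)) % P

class HonestPeggy:
    """Knows the secret x behind y = g^x, so she can answer whichever equation Victor picks."""
    def __init__(self, x):
        self.x = x
    def commit(self, rng):
        self.r = rng.randrange(Q)          # fresh random r for every round
        return pow(G, self.r, P)           # t = g^r
    def respond(self, b):
        return (self.r + b * self.x) % Q   # s = r + b*x

class CheatingPeggy:
    """Has only the public y: prepares an answer for ONE equation and hopes Victor asks for it."""
    def __init__(self, y):
        self.y = y
    def commit(self, rng):
        self.guess, self.s = rng.randrange(2), rng.randrange(Q)
        # guess A: t = g^s;  guess B: t = g^s / y, so that g^s == t*y will hold
        return (pow(G, self.s, P) * pow(self.y, -self.guess, P)) % P
    def respond(self, b):
        return self.s                      # right only when b == self.guess: a coin flip

def run_protocol(prover, y, rounds, seed):
    """Victor accepts only if every one of `rounds` independent challenges checks out."""
    rng = random.Random(seed)
    for _ in range(rounds):
        t = prover.commit(rng)
        b = rng.randrange(2)               # Victor's coin flip: ask for A or B
        if not verify(y, t, b, prover.respond(b)):
            return False
    return True

def cheat_success_rate(rounds, trials):
    """Fraction of trials in which a prover without x fools Victor; about 2**-rounds."""
    y = pow(G, random.Random(0).randrange(1, Q), P)   # x is drawn and immediately forgotten
    return sum(run_protocol(CheatingPeggy(y), y, rounds, seed) for seed in range(trials)) / trials

def simulate_transcript(y, seed):
    """Zero-knowledge: choose b and s first and solve for t; without x this still yields an accepting (t, b, s) distributed exactly like a real run."""
    rng = random.Random(seed)
    b, s = rng.randrange(2), rng.randrange(Q)
    return (pow(G, s, P) * pow(y, -b, P)) % P, b, s
```

Because a simulator that never saw x can produce the same transcripts Victor sees, nothing in those transcripts can have told him what x is.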
Why should we care for zero-knowledge proofs?
With zero-knowledge, we can prove that we are above the age of 18 without actually disclosing our age, and convince the verifier of the soundness of this proof just by relying on the mathematical properties of the proof system in place. It helps us to keep valuable information to ourselves while still enabling us to act on that information. For instance:
We can prove that we are part of a whitelist by making use of a technique called a commitment, which creates values that are binding (they cannot be changed afterwards) and hiding (they reveal nothing about what was committed) and that link a prover to a particular statement – in this case, their membership of a whitelist. With this, a verifier can check that the statement corresponds to the prover’s inclusion in the whitelist, without any of the identities on the whitelist being disclosed.
Or, we can prove that we know the password that belongs to a username, without telling the website what that password is.
Or, we can prove that a public key is ours, without revealing our private key.
And so on.