To begin to understand this concept, we should start by understanding that we live surrounded by companies, applications, and technologies that require us to register or prior access to their product or service, which means that the data we provide are now commercialized, exploited and who knows what else, by these third parties. Making our data no longer ours, or at least we can not guard or protect the circuit through which they pass or for which they are used. Unless, of course, you live outside the network (which is less and less possible).
Even if you don’t live inside the network with the use of apps, as we said, our service providers, such as the network provider, or your phone’s operating system, collect your data without you even realizing it. In this way, in addition to making use of your data, they can also “spy” on us from our microphones, or location. Even access to track our history or cookies to learn more about our tastes and thus ensure that their products or services are according to your tastes. It’s a bit shocking, isn’t it?
Are centralized data server systems something we have to live with?
So, what those of us who develop decentralized identity-linked technology are asking ourselves is how can we give people back control of their data?
While many of these companies really need this data to provide the service. Such is the case of a bank that, in order to grant or give access to a loan, must be able to visualize and analyze the customer’s credit and financial history.
But, and here is the great solution that brings the Self Sovereign Identity, and along with it, the ZK (Zero Knowledge Proof) protocol, what if there was a way to prove that your credit history is good enough, without revealing the actual credit score or all your personal data?
So how does Zero Knowledge Proof work?
Also known as ZK protocol, it is a verification method that takes place between a prover and a verifier.
In a zero knowledge proof system, the prover is able to demonstrate to the verifier that he has knowledge of a particular piece of information (such as the solution to a mathematical equation) without revealing the information itself. These proof systems can be used by modern cryptographers to provide higher levels of privacy and security.
Some historical context
The concept of Zero Knowloedge Proof was first described in a 1985 MIT paper published by Shafi Goldwasser and Silvio Micali.
They were the ones who revealed that it was possible to prove some properties of a number without revealing the number itself, or any additional information about it (as we will see later that happens in Self-Sovereign Identity).
This paper also introduced the mathematically significant finding that interactions between a prover and a verifier could reduce the amount of information needed to prove a given theorem.
Requirements that a ZK proof must fulfill:
First, completeness refers to the ability of the prover to demonstrate knowledge of the relevant information with a high degree of probable accuracy.
This means that, for the proof to be robust, the verifier must be able to reliably determine whether or not the prover is in possession of the information.
Finally, to be truly zero-knowledge, the proof must achieve both completeness and robustness without the information in question ever being communicated between the prover and the verifier.
Zero-knowledge proofs (ZKP) allow data to be verified without disclosure. They therefore have the potential to revolutionize the way data is collected, used and transacted.
Each transaction has a “verifier” and a “prover”. In a transaction using ZKP, the prover attempts to prove something to the verifier without telling the verifier anything else about that thing.
By providing the final result, the prover proves that it is able to compute something without revealing the input or the computation process. Meanwhile, the verifier only knows the result.
ZK proof 3 needed criteria
1. Completeness: it must convince the verifier that the prover knows what he claims to know.
2. Soundness: if the information is false, you cannot convince the verifier that the prover’s information is true.
3. Zero-knowledge-ness: must not reveal anything else to the verifier.
ZK protocol applications
For there to be a need to use a Zero Knowledge system, we must have a field of action where it is necessary to obtain data or verification, but without neglecting the privacy and security of the information.
This can, for example, be applied to authentication systems (logins), where a user can prove that he has access to the application, but without disclosing his password.
Another very prominent case in our area, that of decentralized technologies, is in the universe of DeFI or cryptocurrencies and blockchain technology, where we do not necessarily have to disclose private data for the transaction to become possible.
The model case we are constantly working on from Extrimian, is ZK in Self-Sovereign Identity. Let’s shed some light on how this linkage works.
Self-Sovereign Identity and Zero Knowledge Proof:
As we said in other articles on SSI, this decentralized and Self-Sovereign Identity system, allows individuals to have complete control of their personal information without having to disclose it to others. As the user himself is the owner of the data, the Holder or guardian of his data, we are talking about a decentralized technology, since everything is distributed in unattractive nodes for a hacker, since it is not a “container” of data, but the objective is much simpler.
This is born under the need to protect data, because it happens that in general, personal information is sent to places or apps, where they are stored on servers that may not be adequately protected. This attracts the attention of hackers, which can be risky despite efforts to protect them. This is where SSI’s solution comes in, proposing to leverage the technology provided by ZKP to hide the real information while verifying the identity of individuals.
How does ZKP work in Self-Sovereign Identity?
With Zero Knowledge Proof, we have a prover, which is the individual who needs to certify that they have access or that their data is valid and real, and a verifier, which needs to verify the identity of that individual. In the ZKP system, all the prover needs to show a verifier is the value of X, without showing the actual information. All this requires is a proof of knowledge to verify that the individual is who he claims to be.
Then, the validity of the proof lies in using a cryptographic hash function that proves beyond doubt that the identity is valid.
When you use a hash function on a variable data set, the output can be consistently of a fixed value. Therein lies the verification, because tampering with it is almost improbable and requires extreme computational power.
Lets talk about Self-Sovereign Identity
In this case, people’s personal information may be stored in a private database that may even be centralized by the government (or the issuer that issued such Verifiable Credentials that the user possesses to prove their identity).
But this does not mean that the data is unprotected, because the information is then encrypted and the value is stored in a separate database that is public and uses blockchain technology.
This provides transaparency, immutability, reliability and auditability. This can implement a ZKP protocol that allows holders (individuals) to provide a hash value to verifiers (credit companies, banks, hospitals, etc.) to provide identification. Then, the verifiers will know it is correct without having to see it.
Also, by using a self-sovereign identity system, and owning one’s own data, we have greater interoperability with other systems to verify a person’s identity (we’ll come back to this in other blog post).
Security layers in ZKP
The way this works is that the public database will store the hash value in a distributed decentralized network of nodes, which have validated the information through a consensus mechanism. This is necessary to establish the truth. Then, verifiers will compare the hash value from the tester with the hash value stored in the public blockchain to see if it is valid/correct or not.
On a second level of security, ZKP requires the use of a digital private key that only that individual can possess. This is then required to “unlock” the information to prove to the verifier their identity. The private key is also encrypted along with the personal information, and the output value must always be unique. Individuals will be identified by their “public address”, which is linked to and calculated from a unique private key that no one else has.
Implementing ZKP in KYC and AML
Another use case of Self-Sovereign Identity with Zero Knowledge Proof, is the verification of digital identity for compliance with KYC (Know Your Customer) and AML (Anti Money Laundering) standards, a requirement that many institutions, especially banks, must comply with. These standards require proof of identity. But, if we use ZKP, there is no risk for our personal information, since we do not really deliver it, but we prove that our identity is free of criminal records (for example), or that everything is verified and validated by an Issuer, or official entity, being that all that the verifier needs to know.
Let’s think of a future scenario, where we don’t even need this issuer to have direct access to our information to be the one to prove it, but that this could be automated by computers making it 100% decentralized.
So, of course, all this still requires further development, but the progress in terms of computer data security and digital identity, is increasingly greater and more promising in terms of decentralization and self-sovereignty.