Zero-Knowledge Proof: How Cybersecurity Apps Identify Users Without Personal Details

Open data is undeniably useful in many economic sectors. From healthcare to public transport, it is used to make more accurate predictions and conclusions to optimize performance. Many agree that a personalized service, whether it’s a weight loss app or Netflix content suggestions, provides excellent user convenience.

On the other hand, it poses a significant threat to users’ privacy. All is well until personally identifiable information (PII) is misused by third parties, the interference in the 2016 US presidential election being an example. Another illustrative example is the authoritarian Chinese government collecting global user data through proprietary technology and the United States banning TikTok on politicians’ accounts.

Eliminating the use of PII is nearly impossible as it is used by retail stores, financial, educational and government institutions, and even web browsers. However, there is a way to keep your exposure to a minimum, sometimes providing personalized services without disclosing user-specific data. It is called Zero-Knowledge Proof (ZKP) and is gradually gaining traction in app development.

What is zero-knowledge proof?

ZKP is a cryptographic method for verifying that a specific claim is valid without revealing any information about it. The philosophy behind the method holds that verifying knowledge by revealing possession (e.g. verifying my Covid-19 vaccination by showing a government-issued document with my name, photo and ID number) is trivial and outdated.

Before going further, let us emphasize its importance with practical examples. ZKP is an effective method for retailers to check a user’s bank account balance without knowing exactly how much money the user has. From a purely ethical standpoint, it’s not up to the retailer to check your account balance, but without ZKP there are few ways to verify that you have sufficient funds to make a purchase. Insurers have been known to check users’ Facebook accounts to withhold or reduce payments if they believe something is against the contract. This is often a slippery situation, with the client at a disadvantage at the negotiation table.

ZKP is a way to use various services while exposing as little of your identity as possible. Instead of checking your account balance, the retailer gets enough verification to confirm a purchase and nothing else. When asked to check for a Covid-19 vaccination, border control gets a positive result without details of the vaccine type, date or any other PII related to it. Traveling to Denmark might not be a problem, but it certainly is if you are planning to visit North Korea.

So how does ZKP verify the validity of the claim without revealing anything about the claim itself? The exact cryptographic mathematics is extremely complex, but the idea can be explained in simple terms using the example of Ali Baba’s cave.

Imagine a cave with an entrance, two paths (A and B) and a door where A and B meet, which can only be unlocked with a secret code. A girl named Peggy knows the code and wants to prove it to a boy named Victor without revealing the code itself.

One way to do this is for Peggy to enter the cave and for Victor to ask her to come back by a specific path. One time he asks her to come back via path A, another time via path B, and so on. If Peggy manages to come back by the right path each time, she proves to Victor that she knows the secret code without revealing the code itself.
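The cave rounds correspond to a one-bit challenge-response proof. The following is an added example, not code from the original article: Peggy's secret code is a number x, Victor holds only y = G^x mod P, and a prover without x can prepare an answer for just one of the two paths per round. The group parameters `P` and `G` and all function names are assumptions chosen for the demo.

```python
import secrets

# Demo-sized group (assumption): P is the Mersenne prime 2**127 - 1.
# Far too small for real use. Exponents are reduced mod P - 1.
P = 2**127 - 1
G = 3

def keygen():
    """Peggy's secret code x and the public value y = G^x that Victor holds."""
    while True:
        x = secrets.randbelow(P - 2) + 1
        y = pow(G, x, P)
        if y != 1:                      # reject the degenerate public value
            return x, y

def verify(y, t, challenge, s):
    """Victor's check: G^s == t * y^challenge (mod P)."""
    return pow(G, s, P) == t * pow(y, challenge, P) % P

def honest_round(x, y, challenge):
    """Peggy knows x, so she can answer whichever path (0 or 1) is named."""
    r = secrets.randbelow(P - 1)        # enter the cave: commit to t = G^r
    t = pow(G, r, P)
    s = (r + challenge * x) % (P - 1)   # r is uniform, so s leaks nothing on x
    return verify(y, t, challenge, s)

def cheat_round(y, challenge, guess=None):
    """No x: the commitment must be built for one guessed path in advance."""
    if guess is None:
        guess = secrets.randbelow(2)
    s = secrets.randbelow(P - 1)
    t = pow(G, s, P) * pow(y, -guess, P) % P   # only fits challenge == guess
    return verify(y, t, challenge, s)

def run(rounds, prover):
    """Victor names a fresh random path each round; every round must pass."""
    return all(prover(secrets.randbelow(2)) for _ in range(rounds))

if __name__ == "__main__":
    x, y = keygen()
    print("honest, 40 rounds:", run(40, lambda c: honest_round(x, y, c)))
    print("cheater, 40 rounds:", run(40, lambda c: cheat_round(y, c)))
```

Each round halves a guessing prover's chance of passing, which is why Victor repeats the request many times before he is convinced.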

ZKP and Cybersecurity

This logic is widely adopted in modern cybersecurity systems. Let’s take a password manager as an example, because this software requires the strongest privacy features.

Password managers allow you to store all of your passwords in a place called a vault, which is locked by a single master password. At first, this might seem like a bad idea, because if someone hacks your master password, they’ll be able to access all of your other passwords.

In practice, password managers use ZKP and encryption to ensure that the vault is only accessible to the master password holder and no one else. More importantly, they can grant access to the vault without knowing the master password. Instead (following Ali Baba’s cave logic) they ask for proof that you know the master password.

Different password managers use different verification methods, which Computerphile explains perfectly in this video. To summarize, password managers use advanced encryption algorithms to encrypt the master password before it leaves your device, and ZKP on a cloud server (the best password managers use a cloud-based framework) to authenticate a user without revealing their password.

Advanced encryption and hashing algorithms ensure that the master password is protected against brute force attacks or online surveillance. Meanwhile, ZKP protects against rogue officials and gives users absolute control over the vault. This way, you can entrust your passwords to third parties while maintaining exclusive access privileges.
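The following added example (not from the original article or any specific product) shows one common client-side design, assumed here: the device stretches the master password and sends the server only a login token, so the server can authenticate the user without ever holding the master password or the vault key. `derive_keys`, `Server`, the labels and the iteration count are hypothetical choices for the demo.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed setting)

def derive_keys(master_password: str, salt: bytes):
    """Runs on the user's device. Returns (vault_key, auth_token)."""
    master_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, ITERATIONS)
    # Independent sub-keys: knowing one does not reveal the other.
    vault_key = hmac.new(master_key, b"vault-encryption", "sha256").digest()
    auth_token = hmac.new(master_key, b"server-login", "sha256").digest()
    return vault_key, auth_token

class Server:
    """Hypothetical cloud side: keeps a salt and a hash of the auth token."""
    def __init__(self):
        self.records = {}

    def register(self, user: str, salt: bytes, auth_token: bytes):
        self.records[user] = (salt, hashlib.sha256(auth_token).digest())

    def login(self, user: str, auth_token: bytes) -> bool:
        if user not in self.records:
            return False
        _, stored = self.records[user]
        return hmac.compare_digest(stored, hashlib.sha256(auth_token).digest())

def demo():
    """Constructed sample: register one user, then try a right and wrong password."""
    server, salt = Server(), secrets.token_bytes(16)
    vault_key, token = derive_keys("correct horse battery staple", salt)
    server.register("alice", salt, token)      # vault_key never leaves the device
    _, wrong = derive_keys("guess123", salt)
    return server.login("alice", token), server.login("alice", wrong)

if __name__ == "__main__":
    print(demo())
```

In this design the server still sees the login token at sign-in, which is a weaker property than the interactive proof in the cave story; password-authentication protocols such as SRP or OPAQUE avoid sending even that.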

Conclusion

Services that implement zero-knowledge proof can provide all the benefits of a personalized experience without sacrificing your privacy. With so many people performing financial transactions and uploading personal photos and videos to cloud storage, the use of ZKP is essential to protect this data from malicious third parties and to prevent the misuse of PII.
