Is it possible to show that something is true without revealing the data that proves it? This is what ‘Zero Knowledge Proof’ technology proposes, a technique which employs cryptographic algorithms so that various parties can verify the veracity of an item of information without sharing the data that compose it.
Every day, millions of users browse the internet, accept cookies and share their personal information in exchange for access to services and digital products. Users are gradually becoming more and more exposed to security breaches and illicit use of their data. Furthermore, they often have to forego their privacy in exchange for services that digital platforms offer – such as recommendations, consultations, personalised assistance, etc. – to which they cannot gain access if they use private browsing.
“Thanks to mass data and technologies, such as artificial intelligence, the possibilities at our disposal to make better decisions are growing exponentially. However, at the same time, so do the risks both in terms of security and data privacy”, explains Luis de la Gandara, R&D manager at BBVA New Digital Businesses (NDB).
Asymmetry regarding access to information present in the current digital society is a clear concern for BBVA, which takes the view that privacy and data ownership “are fundamental individual rights which we must help people to preserve”. “At NDB we are tackling this problem through research into new mechanisms, tools and scientific methods that offer a secure way to take advantage of the potential of the data-based economy without losing privacy”, explains De la Gandara, who is leading this line of research.
One of the technologies that is demonstrating the greatest potential to reach this balance is Zero Knowledge Proof’ (ZKP), a set of tools that allow an item of information to be validated without the need to expose the data that demonstrates it. This is possible thanks to a series of cryptographic algorithms through which a “tester” can mathematically demonstrate to a ‘verifier’ that a computational statement is correct without revealing any data.
In this way, it can be demonstrated that certain data are true without sharing them with a third party. For example, a user could show that he is of the appropriate age to access a product or service, without needing to reveal how many years old he is. Or a person could prove that he has a sufficient income to buy a product or service, without having to share the exact amount of money in his possession.
“Thanks to this protocol it is possible to create, for example, identity authentication systems without the risk of information being stolen, as in order to prove a person’s identity it is not necessary to share any personal data”, assures the expert. But, how does it work?
Alice, Bob and the secret code
In the academic sphere a simple example is often used to illustrate the logic maintained by a cryptographic algorithm that makes this technology possible: ‘The cave of Ali Baba’. Let’s imagine that two characters, Alice and Bob, find themselves at the opening of a cave which has two distinct entrances to two separate paths (A and B). Inside the cave there is a door that connects both paths, but can only be opened with a secret code. Bob (the ‘tester’) owns this code and Alice (the ‘verifier’) wants to buy it, but first she wants to be sure that Bob is not lying.
How can Bob show Alice that he has the code without revealing its contents? To achieve this, they do the following: Alice waits outside the cave and Bob enters at random through one of the doors (A or B). Once inside, Alice approaches the entrance, calls Bob and asks him to exit through one of the two paths. As Bob has the secret code, he will always be able to return via the path that Alice asks him to, even though it may not coincide with the path he has chosen in the first place, as in this case he can open the door and exit through the other side.
Alice may think this has been a question of luck: there was a 50% chance that both of them had chosen the same path. Nevertheless, if this exercise is carried out multiple times, the probability that Bob exits through the same path selected by Alice without having the code progressively reduces, until it being practically impossible. Conclusion? If Bob exits a sufficient number of times through this path, he has unequivocally demonstrated to Alice the truth of his statement: he has the secret code. And to this end there was no need to share the actual code.
Identifying opportunities at NDB
What does all this mean for digital services? “At NDB we are already working in various settings where this technology can be applied to create systems that allow users to interact with digital services that they can trust, and which brings them added value and optimal usability, and at the same time respect the security and privacy of their data”, explains Ignacio Sueiro, Head of NDB’s “Beyond Core” pillar.
An example is the real estate sector. Frequently, even before carrying out a visit, estate agents or rental companies can ask their potential tenants to share their latest pay cheques, bank statements or other sensitive personal documentation to guarantee that they have a sufficient income to take on the cost. In this case, a system based on ZKP could provide users with the possibility to demonstrate that they have sufficient funds without the need to share any private data with the estate agent.
Nonetheless, the technology has the potential to improve data privacy and security in a wide range of use-cases, from fraud prevention systems that require a user’s age, to the use of anonymous data to feed into the Internet of Things (IoT). The latter is also an example of the benefit this technology can provide to regulatory constraints such as GDPR, the European data protection regulations.
Another use-case that is being explored by NDB is the use of ZKP technology to add another layer of security and privacy in ‘blockchain’ oracles. These IT tools allow ‘smart contracts’ to update their status, with the incorporation of external information from verified sources in order to trigger scheduled orders or events. For example, make a payment when there is a certain amount of money in an account.
In these cases ZKP could facilitate the implementation of these systems guaranteeing, at the same time, the privacy of external data that should interact with the block chain in permitting a scheduled action to be triggered, without the need to share the data itself. This could be applied both in centralised systems, where the data’s origin is a trusted entity, such as a bank or regulator; or in decentralised systems or DApps, where trust is based solely on mathematical mechanisms.
Challenges to overcome
For now, the technology finds itself at an early adoption stage and the international actors that are making advances with this technology are still few. One of the challenges being faced is the absence of standards, systems and homogeneous languages, which permit distinct actors to interact with services based on this technology, which is what would really make it possible to harness its potential”, explains Carlos Kuchkovsky, Chief of R&D and technology at NDB.
Scalability is also another technical challenge that still needs to be addressed, as well as the high computing capacity that these algorithms currently require.
Kuchkovsky is one of the NDB members who are actively participating in some of the initiatives and international consortia about technology such as ZKProof, an organisation that works to create global standards that facilitate its implementation, and being a speaker at reference events such as the ZKProof event being organised this year at Berkeley (USA).
“We are committed at NDB to actively collaborate with the academic world and ‘open source’ to closely monitor advances in this technology and participate in efforts to accelerate its adoption,” adds Kuchkovsky. “ZKP can be the key to unleashing the true potential of technologies such as artificial intelligence and the internet of things in a decentralised and data-based future, where users can interact with other people, objects or companies in a secure and private way”, concludes the expert.