Zero-Knowledge Proof: How Cybersecurity Apps Identify Users Without Personal Details

Open data is undeniably useful in many economic sectors. From healthcare to public transportation, it is used to draw more accurate predictions and conclusions to optimize performance. Many would agree that personalized service, whether a weight loss app or Netflix content suggestions, provides outstanding user comfort.

On the other hand, it poses a significant threat to user privacy. All is well until personally identifiable data (PII) is misused by third parties, interference in the 2016 US presidential election being an exemplary case. Another illustrative example is the authoritarian Chinese government collecting global user data through proprietary technology and the US banning TiKTok on politicians’ accounts.

Eliminating the use of PII is nearly impossible, as it is used by retail stores, financial, educational, and governmental institutions, and even web browsers. However, there is a way to limit its exposure to the bare minimum, sometimes providing personalized services without revealing specific user data. It’s called Zero-Knowledge Proof (ZKP), and it’s gradually gaining traction in application development.

What Is Zero-Knowledge Proof?

ZKP is a cryptographic method to verify the validity of a specific statement without revealing any information about it. The philosophy behind the method states that verifying certain knowledge through revealed possession (for example, verifying my Covid-19 vaccine because I reveal a government-issued document with my name, photograph, and identification number) is trivial and outdated.

Before elaborating further, let’s outline its importance with practical examples. ZKP is an effective method for retailers to verify the balance of a user’s bank account without knowing exactly how much money the user has. From a purely ethical perspective, it’s not the retailer’s business to check your account balance, but without ZKP, there are few ways of verifying whether you have sufficient funds to make a purchase. Insurance companies are well known for checking users’ Facebook accounts to deny or reduce payouts if they deem something goes against the contract. Often it’s a slippery slope situation with the client having a disadvantage at the negotiation table.

ZKP is a way of using various services without exposing your identity whenever possible. Instead of checking your account balance, the retailer gets sufficient verification to confirm a purchase and nothing more. When asked for your Covid-19 vaccine verification, border control gets a positive verification without the details of vaccine type, date, and any other PII related to it. Traveling in Denmark might not be an issue, but that’s definitely the case if you plan on visiting North Korea.

So how does ZKP verify the statement’s validity without revealing anything about the statement itself? The exact mathematical cryptographic functions are extremely complex, but they are explained using the Ali Baba cave example in Layman’s terms.

Imagine a cave with one entrance, two conjoining paths (A & B), and a door where A & B joins that can only be unlocked with a secret code. A girl named Peggy knows the code and wants to prove it to a boy named Victor without revealing the code itself. 

One way of doing this is for Peggy to enter the cave and for Victor to ask her to return on a specific path. One time he asks for her to return to path A, another time to B, and so forth. If Peggy succeeds at returning on the correct path each time, she proves to Victor she knows the secret code without revealing the code itself.

ZKP and Cybersecurity

This logic is widely approved in modern cybersecurity systems. Let’s take a password manager as an example because this software requires the strongest privacy features.

Password managers allow you to store all your passwords in one place called Vault, which is locked by a single master password. At first, it may sound like a terrible idea because if anyone hacks your master password, they can access all other passwords. 

In practice, password managers use ZKP and encryption to ensure the Vault can be accessed solely by the master password holder and no one else. More importantly, they can grant access to the Vault without knowing what the master password is. Instead (following Ali Baba cave logic), they ask for proof that you know what the master password is.

Different password managers use different proof methods, which Computerpfhile perfectly explains in this video. To summarize, password managers use advanced encryption algorithms to encrypt the master password before it leaves your device and ZKP on a Cloud server (best password managers use a Cloud-based structure) to authenticate a user without revealing its password.

Advanced encryption and hashing algorithms ensure the master password is safe from brute-forcing attacks or online surveillance. Meanwhile, ZKP protects against rogue employees and gives users absolute control of the Vault. This way, you can trust your passwords with a third party while maintaining exclusive access privileges.

Conclusion

Services that implement zero-knowledge proof can provide all the benefits of a personalized experience without sacrificing your privacy. With so many people performing financial operations and uploading personal pictures and videos to online Clouds, using SKP is essential to secure this data from malicious third parties to prevent PII misuse.

Answer Prime

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top