Stratumn.com

Zero-Knowledge Explained: Part 1. Use Cases

With a zero-knowledge protocol, sharing proofs without data and the selective disclosure of information offer possibilities for businesses to work together in an interconnected world

alt=

Innovation: Gradual and Sudden

Whether in the fields of evolutionary biology, personal growth, or technological advancement, change happens both suddenly and gradually. Gradual change in the technology sector can be seen as firms attempt to reduce their production and transaction costs through automation. An innovative technology that provides less expensive solutions for an existing process is an attractive subject for investment, and slowly pulls the entire market along with it.

Yet gradual evolution is not the only way for change to occur. We’re in the midst of a transformation, both technological and philosophical, that questions the appropriateness of property ownership models as well as wealth distribution patterns in the information age.

Publicly-funded research has given us many discoveries, across domains, in recent decades. We're going to focus on the potentially disruptive effects of one of them in the realm of cryptography: zero-knowledge proof (ZKP). We will cover three use cases and give a broader picture of this technology in the context of Stratumn's Proof of Process.

Know Your Customer – Proof of Balance

Imagine that your friend Alice would like to attend an auction as a buyer. In order to do so, she has to prove she has enough funds to make bids. One plausible solution is for Alice to ask her bank to issue a letter that confirms her available balance as of a certain date and time. The bank can do this with physically protected documents (letterheads, stamps and signatures) or their digital equivalents. The digital equivalent would naturally include a digital signature, ensuring the document was actually produced by Alice’s bank and not some elegant forger. When the action house receives the bank’s signed attestation of Alice’s balance, it can check the authenticity of the document by verifying the signature, and then examine the letter to see if Alice, in fact, has the required minimum balance.

While this protocol can be both faster, cheaper, and more secure than its physical version it inherits one particularly undesirable quirk from its ancestor. Alice is required to provide the statement in the form "my balance is equal to X" instead of "my balance is at least Y".

In this approach, Alice exposes unnecessary confidential information to the auction house (her actual bank balance) instead of merely satisfying the auction house’s verification needs.

We could modify the protocol in such a way that it allows Alice to give her bank a specific balance to verify for each letter. In this case, the bank’s letter would say “Alice has at least Y as of date D and Time T” instead of “Alice has X as of date D and Time T”. While this creates a little more work for the bank, it solves Alice’s privacy problem.

Or does it? As the bank is now involved every time Alice wants to prove her balance, it now knows much more about Alice’s desires and behaviour, even before she makes any further transactions.

What Alice needs is a way to construct proofs of her minimum balance without asking her bank to sign custom documents. What Alice needs are zero-knowledge proofs.

With ZKPs, the bank issues a signed statement of Alice’s balance to Alice, which she keeps secret. The statement could be of the form: “Alice has the amount X as of date D and time T”. In the future, Alice can use the bank’s statement to build custom proofs of requested funds as and when required. Just like regular proofs, these ZKPs are valid as long as the verifier trusts the bank and accepts that it is in reference to Alice’s fund as of a certain date and time.

ZKP sequence diagram

These proofs reveal only the data that Alice wants to be revealed: in this case, the minimum balance instead of the actual one. In effect what Alice is proving is that "I, Alice, have the knowledge of my statement of balance (as of a certain date and time) signed by the bank that you, the auction house, have trust in. Using that knowledge, I prove to you that I have at least the amount you are looking for."

Thus, ZKPs allow Alice to satisfy the wishes of a verifier (the auction house) without exposing the details of her private life to neither the verifier nor the mutually trusted source of information (the bank).

Energy Exchange – Smart Grid

The development of US power production in the twentieth century, largely motivated by increasing economies of scale, resulted in highly-centralized modes of production, transmission and distribution of electricity. In past decades the development of efficient small-scale production and storage technologies, the demonopolization of energy markets, and increased attention on energy production’s impact on our shared environment has begun to transform the world of energy production and exchange.

The appearance of local energy producers (prosumers) restructures the traditional hierarchical model of distribution into peer-to-peer networks of energy exchange. Network models with multiple producers require more sophisticated mechanisms of load balancing and optimisation. Such networks are often called smart grids. While the data sent through a smart grid has to be detailed enough to enable the exchange, it should not expose prosumers’ confidential information.

For example, Alice, Bob and Charlie are potential prosumers on the same smart grid. The grid and its power plants are owned by Edith. Edith has installed smart meters, devices capable of measuring net energy exchange at high precision, at each of the prosumers’ houses. The data is sent to Edith’s platform in real time. She uses it to balance the grid, predict consumption and spot-trade available energy chunks.

At the same time Alice decides to personally participate in the campaign against global warming. She installs a photovoltaic system and connects it with Edith’s grid. Her solar panels produce more energy than she needs, and Edith pays her the difference.

The transition from the traditional centralized grid to such a smart grid would be a hybrid of a centralized ownership structure with a network-oriented model. However, direct exchange producers could still (and likely would) be impeded by the owner (Edith). To transform the power dynamics inherited from the centralized model, the accounting system also needs to be decentralized. With such a system, participating prosumers should be able to register peer-to-peer energy exchange transactions without additional fees, except the operational costs of running the system.

As we migrate towards a decentralized model of data exchange, an interesting issue arises: data accessibility. In a centralized model the data is protected by a single authority, and the access is regulated by means of the same authority. In a decentralized model, as there is no such authority, the transaction data is public and accessible to all users.

In our example, each prosumer’s smart meter would regularly publish that user’s consumption and production data. The messages from these meters are digitally signed by meters' hardware security modules, and the authenticity of such messages is verified by the smart grid participants. While this system would work for accurate data tabulation, it would also reveal some details of the private lives of its participants. For example, a peak of consumption may indicate the time a person takes a shower, no consumption may hint that the household is not occupied.

ZKP technology enables the exchange of data without revealing the actual data. Our protocol is modified so that only certain data aggregates are published. A zero knowledge protocol ensures that the aggregates are computed properly with authenticated data.

ZKP proof construction

In this case, Edith’s smart meters would store their signed individual readings in a secure location controlled by each grid participant. Bob would publish his aggregate power consumption on a regular basis (perhaps monthly). To verify the accuracy of his computed aggregates, he constructs and publishes a proof of consumption. The proof contains the total amount of consumed energy for a period of time chosen by Bob. The proof is built upon the original data and ensures its consistency: all measurements are present, they are correctly signed and the declared total equals the sum of individual data points. Once the proof is published on the smart grid network, it can be verified by the network participants.

Alice, a small producer, publishes her produced energy in a similar way. Bob and Alice exchange data through the network and perform transactions. The transactions reflect virtual asset movements and used for accounting purposes. Such a decentralized accounting and peer-to-peer exchange system, coupled together with a privacy preserving zero-knowledge proof protocol, enable the transition to a new kind of autonomous energy systems.

Social Choice – Anonymous Proxy Voting

Mutual decision-making is an important part of primate society. With decision-making strategy, we need to have consensus. Consensus implies that a majority in a group are in agreement about the decision. As groups grow in number and diversity of opinion increases, consensus becomes less likely. Voting is a strategy to reach agreement without consensus, taking into account the preferences of everyone involved in the election. Though the outcome of an election is virtually guaranteed to be unsatisfactory for some of the voters, it is usually universally accepted. This is due to the voters’ trust that:

  • the system is worth preserving in the long-run
  • their votes are accurately counted

Voters tend to trust that their votes have been accurately counted if the counting is done by a trusted and neutral third party, or if it can be verified independently by any participant. Voting by a show of hands is a good example of public verifiability, whereas ballot voting relies on the neutrality of the body organizing the elections.

Another important aspect of modern voting systems is anonymity. Anonymity guarantees the freedom from being judged and persecuted, and prevents voters from being bribed or otherwise coerced to vote in a certain way (as the coercer cannot be sure the voter has voted as desired.) The drawback of anonymity is that it makes public verifiability complicated. If we try to classify voting systems, almost all of them fall in one of two categories: either anonymous but requiring the existence of a trusted neutral party, or publicly verifiable but not anonymous. A natural question arises: is it possible to build a system that is both anonymous and publicly verifiable?

Until recently, such a protocol could not be found. Intuitively, it seems that public verifiability and anonymity are contradictory. The contradiction stems from the similarity between verifiability and reproducibility. Any computation that can be reproduced can also be verified, and therefore trusted. However, we can also develop mechanisms to verify unreproducible computations. A ZKP does exactly that — it allows someone to verify a computation without knowledge of all of the inputs.

With that in mind, we add a step to a standard publicly-verifiably election to guarantee anonymity: shadow generation. In this phase, each voter would randomly generate a shadow personality, and then use a ZKP to make the following guarantees:

  1. the shadow personality was linked to an authorized voter
  2. each authorized voter could only create one shadow personality
  3. nobody but the relevant authorized voter knows the true identity of the shadow personality

The ZKP ensures a link between a voter's public key and his shadow's public key. More specifically, it ensures that there's a number, which can be used to efficiently and deterministically compute two public keys. The first key should be listed in the public set of voters, and the second one should be equal to the shadow's public key.

ZKP proof verification

The proof constructed in this manner can be verified publicly with a zero-knowledge verification algorithm. It confirms that a shadow originates from one of known voters, but gives no hint as to who precisely it is. Once all shadows are verified, they are used to cast votes. The voters have the private counterparts of their shadows, and they use them to cast signed votes. The votes can then be publicly decrypted and tallied.

A Bigger Picture

What makes zero knowledge proofs so special is the ability to share proofs without sharing data. While data is kept privately and remains under the control of its owner, proofs can be publicly shared and verified. This allows users to selectively disclose their sensitive information.

The examples described above focus on the added value of zero knowledge proof protocol, but they are only a few of many possible ways of combining classical with zero knowledge proof systems. Protocols like these are just pieces of a bigger picture, that includes network infrastructure, public key infrastructure, consensus-based state machine replication, and other forms of cryptographic verifications. These pieces come together as part of the Proof of Process technologies. Leveraging Proof of Process, customers, partners and regulators can establish common processes which they can trust.

The technological tools for establishing power through networks, rather than in centralized sources of trust, is finally at hand. At Stratumn, we are committed to making these tools accessible to real-world problem-solvers and decision-makers.