Zero Knowledge Proof – What Peggy Knows About Victor

Shimrit Tzur-David | May 21, 2018

Zero knowledge proof authentication is the basis of modern-age authentication. It allows for the highest level of security, by ensuring passwords, transactions and conversations don’t get compromised when transferred over an unsecured connection.

In this article we will look at zero knowledge proof to understand the need for it, how it works, and where it’s being utilized to verify parties today.


The Need for Zero Knowledge Proof Authentication

With so much data, accounts and critical information online, the need for a secure and private connection is stronger than ever. Without zero-knowledge proof authentication security can be compromised.

For one, you can risk your password getting stolen when logging into a webpage. As you login, you need to prove who you are by submitting your password, which requires you to type it in. This lowers your passwords’ strength and the ability to protect yourself as the password is then out there for hackers. After entering your password, the server either keeps an encoded version of it, or worse, keeps it in plain text. And finally, your security can be compromised when the server matches your input with the saved password/login, and grants you immediate access (even if it’s not “you”). Every action taken online can increase your risk of getting nailed by a security hack, break or scam. Zero knowledge proof authentication is the strongest way of securing your connection and ensuring it’s safe.


How Zero Knowledge Proof Works

A zero-knowledge proof or protocol allows a “prover” to assure a “verifier” that they have knowledge of a secret or statement without having to reveal the actual secret itself.

The zero knowledge property, which says the verifier learns nothing from the proof other than the fact that it is true, means the prover can only convince the verifier if the fact is true. Therefore a zero knowledge proof informs the verifier that the prover knows the correct secret key. The protocol never requires the prover to enter a password, and the verifier never learns the password. When the zero knowledge proof is used, the actual key cannot be compromised, rather just the fact that the prover knows the key.

A common analogy used to describe the principle is with Peggy (the prover) and Victor (the verifier). Peggy needs to prove to Victor that she can get through a magic door in a middle of a ring tunnel without revealing the secret code that opens the door. Once Peggy is in the tunnel, Victor declares a direction, right or left, where Peggy has to go out of the tunnel. If Peggy enters from the same side Victor asks her to go out, then, she doesn’t have to know the secret code. By repeating this test many times, the probability for Peggy to cheat is almost zero, thus Victor can verify that she knows the secret code without her revealing it.   

Zero-knowledge authentication must comply with 3 different criteria:

  1. Completeness: The test can fully convince the other person that you know what you say you know. If Peggy exits the tunnel from the correct side several times, then Victor will be convinced that she knows the right secret code.
  2. Soundness:  A cheating prover cannot convince the verifier that he has the knowledge, except with some small probability. The probability for Peggy to convince Victor that she knows the secret code without knowing it is 0.5^n where n is the number of test repetitions.
  3. Zero-Knowledgeness: The test reveals no other information to the other person. Victor must not learn the secret code of the magic door.


How Zero Knowledge Proof Is Utilized Today

Today, multi-factor authentication utilizes the zero-knowledge protocol to verify different parties without revealing critical information. The combination of multi-factor and zero knowledge makes for an incredibly strong and secure defense.

Good zero-knowledge proof examples include its use within multi-factor authentication, and within blockchain applications. In regular blockchain transactions, the details of the sent asset are visible to everyone. With the zero-knowledge proof, there can be a completely private transfer of assets across a peer-to-peer blockchain network. Where once a transaction took place and all information regarding the transaction was known, in a zero knowledge transaction, outside parties only know that a transaction took place.

Another popular use case of zero knowledge protocol is zero-knowledge password proof where Victor can verify that Peggy’s identity without Peggy sends any secret authentication data to Victor. This can prevent Man in the Middle Attacks (MiMA) attacks, where a hacker intercepts a connection or messages sent between two parties. MiMA attacks are extremely prevalent in a password or key theft.


Safety and Trust Solved

The zero-knowledge protocol is being utilized by cryptographers to achieve privacy of blockchain applications, within top security applications to safeguard private data, by FinTech organizations and many others.

The Secret Double Octopus solution leverages the power of the zero-knowledge protocol to enable zero trust authentication within enterprises and ensure their security by being password-free. Data security is not a privilege, it’s a right.