Universal storage of distributed user-owned credentials
Glossary
Zero-Knowledge Proof (ZKP): A cryptographic method that allows one party (the prover) to prove to another party (the verifier) that a statement is true without revealing any information other than the statement itself.
Zero-Knowledge Proof of Knowledge (ZKPOK): A zero-knowledge proof that the prover knows some information without revealing anything about that information.
Zero-Knowledge Authentication Information (ZKAI): A ZKPOK generated from a user's secret key and stored on a distributed ledger as a public representation of the user's identity without revealing any information about the user's secret key.
User Secret: Reproducible digital information private to a user that is used to generate a ZKAI, such as a password, PIN, private key, biometric information, hardware security module, or algorithm identifier.
Distributed Ledger (DL): A consensus mechanism for replicating, sharing, and synchronizing digital data that is geographically distributed across multiple sites, countries, or institutions.
Blockchain: A distributed ledger data structure consisting of blocks linked together in chronological order, each containing a set of transactions.
Transaction ID: A value that uniquely identifies a DL transaction, such as a block hash or hash pointer in a blockchain.
Proof Data: A ZKPOK generated by a user device from a user key to prove to a verifier that the user has the user key corresponding to the ZKAI.
Any person, organization, or system that an entity requires a user to authenticate to access its products, services, or information.
Authentication Engine: A system or component that performs a verification process to determine whether a user is who they claim to be.
Server Key Value: A key generated by an authentication server to ensure that each proof data is unique and active for a period of time.
Service Provider: A third party that manages ZKAI-related services such as user credential registration, authentication, and data management on behalf of a user or entity.
Short Answer Questions
How is ZKAI different from storing a public key?
ZKAI is not a simple public key, but a zero-knowledge proof of knowledge (ZKPOK) generated from a user key. ZKAI is generated in such a way that an attacker cannot deduce the user key from ZKAI, even if ZKAI is public.
What can a user key be? Give three examples.
A user key can be any reproducible digital information that is private to a user. Examples include passwords, PIN codes, and biometric information (such as fingerprints).
Why is it beneficial to store ZKAI on a distributed ledger?
Storing ZKAI on a distributed ledger provides a tamper-proof, immutable, and publicly accessible version of a user's key, enabling decentralized and trustless authentication.
Explain the role of attestation data in the authentication process.
The user's device generates attestation data using the user's key, which is proof that the user possesses the user's key corresponding to the ZKAI. The verifier compares the attestation data with the ZKAI obtained from the DL to verify the user's identity.
How does the server key value enhance the security of the system?
The server key value ensures that each piece of attestation data is unique and valid only for a limited period of time, thereby preventing replay attacks and providing fine-grained control over authentication attempts.
Describe two different multi-factor authentication methods.
A user can register multiple user keys, each corresponding to a separate transaction ID, and provide attestation data corresponding to all keys at authentication time.
A user can consolidate multiple user keys into a single user key and generate a single piece of attestation data containing all key information at authentication time.
Why is it more secure to store user keys on the user's device rather than on the server?
Storing user keys on the user's device avoids the risk of key leakage when the server is compromised because the keys are not stored on any server.
Briefly explain how the user key is verified in Approach #1.
The user generates proof data (R, s) using the user key and sends it to the verifier. The verifier uses the public parameters and the proof data to perform a calculation, and if the calculation result is consistent with the ZKAI, the verification passes.
What additional parameters are used in Approach #2 to enhance security? What are their functions?
Approach #2 uses a server key value (b) and two random numbers (r1, r2) to enhance security. The server key value ensures that each piece of proof data is unique and valid only for a limited time. The random numbers (r1, r2) are added to the calculation as "salt" to increase the difficulty of cracking.
Explain the purpose of the distributed ledger mapping structure in Figure 9.
The distributed ledger mapping structure is used to manage transaction ID pointers of ZKAI stored in different types of data storage systems, including different types of blockchain and non-blockchain storage. It allows flexible user authentication across different platforms.