Minimal Disclosure of Identity with Zero-Knowledge Proof and CL-Signature

If you happen to look young and want to buy a drink from a bar, you will often be asked to show your ID card to prove you are above the legal drinking age, e.g. 20 years old. However, is it really necessary for you to reveal all your personal information to simply get a drink? Does your bartender really need to know your name, surname, home address, national ID number and even your date of birth? By revealing your personal information carelessly, you expose yourself to the risks of identity thefts and scams.

Now imagine that you have a super power to prove to the bartender that you are indeed older than 20 years old without revealing anything else about yourself — not even your birth year. This super power can, in fact, be achieved using zero-knowledge proof and CL-signature protocols. These protocols could give everyone the ability to minimally disclose their personal information and take full control of their own identity.

Zero-Knowledge Proof

Zero-knowledge proof cryptography is a family of cryptographic protocols which allows one party (user or prover) to prove to another party (verifier) that something is true without revealing its underlying information. For example, one zero-knowledge proof protocol, called Sigma protocol, proves that a prover knows a number without revealing what that number is, i.e. a proof of knowledge. Another protocol, called hash chains, can be used to prove that a prover is older than the legal drinking age without revealing how old the prover actually is.

Here, we give a simple demonstration of how a zero-knowledge proof works using a Rubik’s cube. Suppose that a prover, named Alice, would like to prove to a verifier, named Bob, that she knows how to solve a Rubik’s cube. However, she doesn’t want to show him how she solves it. Bob then gives Alice an unsolved Rubik’s cube. Alice then turns around and solves the Rubik’s cube without letting Bob see how she solves it. Finally, Alice turns back and returns the solved Rubik’s cube to Bob. Assume that Bob remembers his Rubik’s cube so well it is impossible for Alice to cheat by preparing another solved Rubik’s cube in advance. Bob can be (almost) 100% certain that Alice knows how to solve the Rubik’s cube even though Bob learns nothing (i.e. zero-knowledge) about how she solves it. Note that he can never be 100% certain since there is always a small chance that Alice twists the Rubik’s cube randomly and accidentally solves it. However, such a random incident is highly unlikely. If Bob still doesn’t trust Alice, he could repeat the process several times until he is satisfied.

A zero-knowledge proof protocol constructs a mathematical proof that is similar to solving a Rubik’s cube. In the modern blockchain ecosystems, zero-knowledge proofs have been growing in popularity. Examples include Zcash which implements zero-knowledge proofs on cryptocurrency transactions and Ernst & Young’s Nightfall on Ethereum start contracts.

A simple demonstration of a zero-knowledge proof. The user proves to the verifier that she knows how to solve a Rubik’s cube without revealing how she does it.

CL-Signature

CL-signature is an efficient signature scheme, which is invented by Jan Camenisch and Anna Lysyanskaya in a series of papers [1, 2, 3]. This protocol enables an attribute-based credential system where users can control how each piece (attribute) of their personal information is presented digitally. Given a credential schema (or template), a user can flexibly choose to reveal or hide the credential attributes in any combination. CL-signature can also be used together with zero-knowledge proofs to enhance privacy.

For example, a user called John applies for a digital national ID card from the government (issuer). The government defines the ID cards’ schema with attributes: Name, Nickname, Address, Date of Birth and ID Number. The attribute Nickname is, in fact, optional and does not need to be presented during the application. With CL-signature, John has the choice to bind his nickname to his ID card without revealing it to his government. Although the government does not know his nickname, the nickname is digitally signed together with the whole credential. John could then apply for a membership at an age-restricted board game cafe (verifier) that asks for new members’ nicknames. John uses CL-signature to hide all his information in his ID card except for his nickname and creates a zero-knowledge proof showing that he is indeed above 20 years old.

In the case of decentralized digital identity, for example, the ID card’s cryptographic hash could be immutably stored in the identity blockchain, which prevents any modification on the issued ID card. As a result, John cannot change any attribute in his ID card, including his nickname, unless he applies for a new card. The ID card can also be presented multiple times to different verifiers with any combination of revealed and hidden attributes.

A demonstration of CL-signature with a zero-knowledge proof of age. Here, a credential contains name, nickname, address, date of birth and ID number. The user binds his nickname to the credential without revealing it to the issuer. The user then presents his credential to the verifier, showing only his nickname and a zero-knowledge proof that he is above 20 years old.

Use Cases

Here, we present a few example use cases:

Health records: a hospital could issue a user a digital health record. The user could then use the health record to apply for a VISA to the UK. Using CL-signature, the user could show the UK embassy that she is negative for a tuberculosis test without revealing other information in the health record. The user can then use the same health record to show to an airline that she is allergic to peanuts, again without revealing anything else.

Streaming media: In the near future, streaming services like Netflix and Disney+ would be able to accurately check their customers’ age for their age-restricted contents. Their users do not need to compromise their personal information by using a zero-knowledge proof showing that they are above the restricted age.

Job applications: Suppose that you have recently graduated from your country’s top university and are applying for a backend developer position in a blockchain startup. Of course, your prospective employer wants to know how well you did in computing-related courses. However, they do not need to know whether you have an F in your classic literature exam. With CL-signature, you could hide the grades of some subjects and construct a zero-knowledge proof showing that your total GPA is above the threshold that the company requires.

Applying zero-knowledge proof and CL-signature on decentralized digital identity allows for an efficient attribute-based digital identity system where users have the ability to minimally disclose their personal information. Such an ability is essential in the current digital world where identity thefts are commonplace.

We are striving towards a better world. The world where privacy not a privilege but a basic human right that belongs to all individuals.