Zero knowledge proofs convince someone of something without revealing its details. For example, a hacker might claim to have tapped your network. A non-zero knowledge proof would involve the hacker pointing to the tap, showing how it works and where it has been installed. A zero-knowledge proof might involve the hacker just demonstrating that random messages sent over the network can be reproduced. This proves existence of the tap without exposing its details.
As you’d guess, cryptographers love these sorts of puzzles, and zero knowledge protocols are taught each year to computer science students. Schnorr’s method, for example, is a typical back-and-forth procedure that proves a condition without leaking additional information. One particularly powerful application of zero knowledge proofs is authentication, because if done properly, it can remove the need for passwords. If this sounds good to you, then read on.
I spent some time with Ethan Landau, who heads up Strategy and Operations for NuID. With team members located on both coasts, NuID provides a so-called Modern Login Box, which supports trustless authentication for trusted identities. As you might expect from my introductory remarks, the trustless aspect of the NuID solution is implemented via zero knowledge proofs. Let me share with you what I learned from Landau.
“We leverage the use of decentralized digital IDs to support trustless authentication,” Landau explained. “Our zero knowledge cryptography and use of blockchain removes the need to store passwords and other authentication credentials. We expect that strong authentication using our protocol can reduce the incidence of mass credential breaches because we remove the stored credentials that hackers and criminals target.”
The advantage of NuID is improved security, because its protocol happens to simplify the requisite underlying public and private key management infrastructure. The challenge, however, as I discussed with Landau during our review, involves selling end-users on a solution whose main benefits might be largely invisible. (And yes – one could point to this issue as the most basic challenge for every cyber security vendor.)
Landau explained NuID’s sensible approach to this issue: “First of all, end users will see no degradation in their experience. We support passwords, biometrics, and other proof factors – albeit with much more secure decentralized control. Our greatest benefit, however, comes from our support for the developer community through a simple, frictionless development portal with all the tools to implement our scheme in a variety of settings.” (Landau shared that the portal is close to ready – the waitlist is here.)
We also discussed the challenge of a small company approaching such as Big Idea as decentralized authentication and Landau had a similarly reasonable answer: “Because we were created on the experiences of our founders at large organizations such as Microsoft and the Gates Foundation, we have unique insights into the needs of bigger customers, including how to scale a decentralized, trustless authentication scheme for trusted identities.”
As a TAG Cyber analyst, I talk with small companies every day – and I will admit to some bias against their success odds. But when I see a founding team with relevant experience working in an area with clear need, offering solutions rooted in meaningful technology – well, I guess my bias flips and I find myself rooting for them to succeed. That sums up my view of NuID: I think they are on the right track, and if they can be both nimble and also aware of scale issues for larger customers, they can succeed.
I think it would be worth your while to reach out to the NuID team. Their integration of blockchain, private key management, and zero knowledge proofs will at minimum teach you something about modern cryptographic application design. Please make sure to let us all know what you learn after your discussion. I look forward to hearing from you.