Zero-Knowledge Proof: More secure than passwords?

This little-known mathematical concept could eventually make passwords and PIN codes obsolete. But what exactly is zero-knowledge?

Zero-knowledge proofs (ZKPs), first defined in 1985 by Shafi Goldwasser, Silvio Micali and Charles Rackoff, are a subtle concept. In relatively simple terms, a ZKP lets one party (the prover) convince a second party (the verifier) that a statement is true, for example that it knows a particular secret, without revealing anything beyond the truth of that statement, either to the verifier or to anyone listening in.
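To make the idea concrete, here is an added worked example (written for this page, not code from the article or from Ingenico): the Schnorr identification protocol in Python, an interactive zero-knowledge proof that the prover knows the discrete logarithm x of a registered public value y = g^x mod p. It stands in for a password login: the server stores only y, the wire carries only the three messages (t, c, s), and x is never transmitted. The group parameters are generated by the script itself at demo sizes (256-bit q, 512-bit p) and are an assumption of the example, not parameters from any deployed system; it needs Python 3.8 or later for modular inverses via pow(..., -1, q). Besides the honest exchange it shows the simulator that makes the zero-knowledge property tangible, a replay attempt that fails because the verifier's challenge is fresh, and the nonce-reuse failure mode that leaks x.

```python
# Schnorr identification: an interactive zero-knowledge proof of knowledge of a
# discrete logarithm, used as a password-free login (added example; demo sizes).
# Prover holds secret x and has registered y = g^x mod p with the verifier.
#   P->V: t = g^r mod p   V->P: c   P->V: s = r + c*x mod q   V: g^s == t*y^c ?
import random
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases; fine for generating public parameters."""
    if n < 4:
        return n > 1
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(qbits=256, pbits=512, seed=2017):
    """Schnorr group p = k*q + 1 with p, q prime and g of order q.  Seeded so
    the public parameters are identical on every run (assumed demo sizes)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        k = rng.getrandbits(pbits - qbits) & ~1
        p = k * q + 1
        if p.bit_length() == pbits and is_probable_prime(p):
            break
    while True:
        g = pow(rng.randrange(2, p - 1), k, p)   # order divides q, so q if g != 1
        if g != 1:
            return p, q, g

def verify(group, y, t, c, s):
    """Verifier's check, with the subgroup test on t that implementations forget."""
    p, q, g = group
    if not (0 < t < p and pow(t, q, p) == 1 and 0 <= s < q):
        return False
    return pow(g, s, p) == t * pow(y, c, p) % p

class Prover:
    def __init__(self, group, x):
        self.p, self.q, self.g = group
        self.x = x                        # the secret never leaves this object
        self.y = pow(self.g, x, self.p)   # public key registered with the verifier

    def commit(self):
        self.r = secrets.randbelow(self.q - 1) + 1   # fresh nonce for every login
        return pow(self.g, self.r, self.p)

    def respond(self, c):
        return (self.r + c * self.x) % self.q

class Verifier:
    def __init__(self, group, y):
        self.group, self.y = group, y

    def challenge(self):
        self.c = secrets.randbelow(self.group[1])    # fresh and unpredictable
        return self.c

    def check(self, t, s):
        return verify(self.group, self.y, t, self.c, s)

def run_login(prover, verifier):
    """One honest session: returns the decision and what an eavesdropper saw."""
    t = prover.commit()
    c = verifier.challenge()
    s = prover.respond(c)
    return verifier.check(t, s), (t, c, s)

def simulate_transcript(group, y):
    """Zero-knowledge made concrete: pick c and s first and solve for t.  The
    result accepts and looks like a real transcript, yet needed no x."""
    p, q, g = group
    c, s = secrets.randbelow(q), secrets.randbelow(q)
    return pow(g, s, p) * pow(y, -c, p) % p, c, s

def replay_attack(group, y, recorded):
    """Replay a recorded (t, s): the fresh challenge differs with probability 1 - 1/q."""
    t, _, s = recorded
    v = Verifier(group, y)
    v.challenge()
    return v.check(t, s)

def extract_secret(q, c1, s1, c2, s2):
    """Caveat: answering two different challenges with the same r leaks x."""
    return (s1 - s2) * pow(c1 - c2, -1, q) % q
```

Running run_login with a Prover and a Verifier built over make_group() accepts; feeding the recorded transcript to replay_attack is rejected, because the verifier chose a new challenge; verify accepts the output of simulate_transcript even though no secret was used to build it, which is exactly why a transcript convinces nobody except the live verifier who picked c. The last function is the practitioner's caveat: a prover that reuses the nonce r across two challenges hands its secret to anyone who saw both sessions, so the randomness behind commit() matters as much as the mathematics.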

ZKP is a very powerful cryptographic tool. Following on from Yahoo’s announcement last year that more than 1 billion user accounts had been compromised, is zero-knowledge a more secure solution?

Rémi Géraud, Research Engineer within the Ingenico Labs advanced research team, is our resident zero-knowledge expert. We asked him to explain exactly how it works and what it means for the payment industry.

Why the buzz around zero-knowledge proof?

The public is only just now starting to learn about ZKP and its use in products.

It’s important because it solves the problem of how to communicate information and knowledge without it being intercepted. It’s particularly useful for communications over the internet, mobile networks, IoT, etc. It’s a very efficient and elegant kind of solution.

In what sectors and products are we seeing ZKP being applied?

The most obvious kind of application is identification. Using zero-knowledge, you can easily identify objects or people without the risk of their private identifiers being stolen, or leaked onto the internet, for example. That's the main reason it was invented and is still its primary use today. But in fact we can prove just about anything using ZKPs.

For instance, when you use contactless payments, you should be using a zero-knowledge protocol. This prevents interception during that process.

But, of course, ZKP lends itself to many more applications: e-voting, digital cash, or auctioning, for example.

So will zero-knowledge remove the need for passwords for authentication purposes?

Passwords are already being left behind; eventually we will transition to better solutions. Entering a password is something anyone can do, while employing zero-knowledge protocols is somewhat harder.

It's a cryptographic protocol – devices can very easily work between one another, however it’s not quite clear yet how humans would play that role in the equation. Today a device must be playing that protocol for you.

What is going to change over the next three years in terms of zero-knowledge adoption?

There are two things. Firstly, the public has only just become aware of its existence – but the simple fact that people are becoming aware means there will be a stronger uptake in the technology. Secondly, there is a strong need for zero-knowledge. When you pay over the internet, you need something like zero-knowledge for protection.

Currently, can you pay over the internet using zero-knowledge-based technology?

You can, but not using traditional payment methods just yet. Some cryptocurrencies use a zero-knowledge mechanism to perform payments, however it is still very marginal.

Will we soon be able to do these kinds of zero-knowledge payments using bank accounts or credit cards over the internet?

It’s very probable that with PSD2 (the Second Payment Services Directive) entering into operation, banks will have to share a lot of information with other people, such as application makers, for example.

That means they will need a way to securely exchange this kind of information. Beyond payment, the whole financial system is probably going to transition to this kind of technology.

Will ZKP give financial institutions or merchants a competitive advantage in terms of being able to promise the latest security if they adopt it before their rivals?

It depends how they use it. It’s not the technology itself but rather what you do with it and how you market it. There are a few things that will be possible with ZKP that are otherwise impossible. For instance, imagine a scenario where I have a solution to your problem: I can use ZKP and prove that I have it, and then we can negotiate based on the fact you know I have it. But I haven’t told you anything more than that. Using zero-knowledge allows one to leverage these interesting kinds of marketing schemes.

Where does Ingenico come into this?

Ingenico Group is a big player in the payment industry so we must be knowledgeable about what kinds of technologies could be useful. We want to be experts in terms of the cryptographic backbones of financial institutions. And we want this technology to facilitate and streamline secure transactions.

Payment is an evolving field. For instance, cryptocurrencies have developed over the past decade or so, and even though those technologies haven’t yet permeated through to the mainstream, they ask interesting questions about how we pay, and how we exchange information and data and money.

As a general rule, we are very interested in designing technology that enables new social usages in a seamless, secure and reliable way.

Do you have any products based on zero-knowledge proof?

With ZKP, we can, for example, check that payment terminals haven’t been tampered with. But the customer isn’t aware of it; it’s an invisible security layer. Some of our server infrastructure also uses it – again you don’t see what it does, just that it works. It makes sense to leverage ZKP in many scenarios where it improves performance and security, even if behind the curtain.

Is it expensive or difficult to develop zero-knowledge proof-based systems?

The main return on investment is that it gives you better security, and resistance against eavesdroppers and manufacturers that might be in on it.

It’s a very active research area to design such protocols. However, in terms of how hard it is to implement, it’s not hard at all. The only reason why it's not mainstream yet is because it’s still little known outside of the crypto community, and in part because it requires internet connectivity.

How much of a transformative effect do you think it will have on the card payment industry?

It’s quite hard to forecast. The effect on the card payment ecosystem itself might be very limited depending on whether we seek big changes or not.

What will make a change is the use of new devices to pay, so phones, tablets, IoTs, etc. There will be no alternative but for these devices to use some form of zero-knowledge.

Rémi Géraud / a cryptography and security expert

Rémi Géraud has been a cryptography and security expert in the Advanced Research team of Ingenico’s innovation lab since its creation in 2015. Our team focuses on bleeding-edge research and fundamental building blocks for current and next-generation products, in order to keep ahead in terms of technology and security.