CyberSecurity FAQ - What is a Zero-Knowledge Proof (ZKP)? What is Zero-Knowledge Privacy?

Alternative FAQ Phrasings: What is Zero-Based Proof (ZBP)? | What is a Zero-Based Proof? | What is Zero-Based Privacy?

Zero-Based Privacy cybersecurity techniques for cybersecurity are based on Zero-Knowledge Proofs (a.k.a. ZK Proofs, or ZKP for short), which are among the most powerful tools cryptographers have ever devised. Zero-Knowledge Proofs are defined as follows:

Definition: Zero-Based Proof (ZK Proof, ZKP; a.k.a. ZBP) is a cryptographic method by which one party (the Prover, P) can prove to another party (the Verifier, V) that P knows information X, without conveying any information to V other than P knows a value X. The insight to understanding Zero-Knowledge Proofs is that while it is trivial to prove that one possesses knowledge of value by simply revealing it, it is relatively challenging to prove possession of such knowledge without revealing either a) the information itself; or b) additional information.

For an intuitive introduction to Zero-Knowledge Proofs without substantial mathematics, see Zero Knowledge Proofs: An illustrated primer.

As a practical application of Zero-Knowledge Proofs, Zero-Knowledge Privacy is defined as follows:

Definition: Zero-Based Privacy is the practical application of Zero-Based Proofs to improve the security of computer servers that store and transmit sensitive/confidential client data (messages, files, database entries, authentication information, cryptographic keys, file metadata). As a general principle, a Zero-Knowledge Privacy server must never be allowed to read or write client data as plaintext (i.e., unencrypted; compare ciphertext or encrypted), including authentication information, cryptographic keys, and file metadata. Consequently, for most practical purposes the confidentiality of the client data on the server cannot be compromised via internal mismanagement (including internal prying eyes) or external agents (e.g., cyber hackers).

While many vendors of data storage claim end-to-end encryption, many fall short of zero knowledge privacy standards because they either read or write client data and authentication information as plaintext sometime during the end-to-end data transmission or storage processes, typically for client convenience. For example, consider the case of a File Synchronization & Sharing Tool user who uploads a local file on her desktop computer to her cloud-based storage server using a web-based interface. While the web-based interface may be convenient to the user, when she enters her authentication information directly into the web-based interface as plaintext, she is compromising the confidentiality of the file she is uploaded, since the cloud-based server can read the unencrypted file along with the associated metadata and authentication information prior to encryption. Consequently, if the cloud-based server is compromised by either an external or internal cyber threat, any encrypted stored data is also potentially compromised.

Compare this with a bona fide Zero-Knowledge Privacy approach, where the user utilizes a dedicated secure app to fully encrypt the file prior to uploading it to the cloud-based server using the SSL (Secure Socket Layer) protocol during transmission, and the secure app provides neither metadata nor unencrypted password information to the cloud-based server.

See Review: Secure Enterprise File Sync & Sharing (EFSS) Services for a comparison of the cybersecurity features of popular file synchronization and sharing tools, some of which provide Zero-Knowledge Privacy.

If you have constructive recommendations to correct, clarify, or otherwise improve this or any other Cybersecurity FAQ, please contact us.


CYBERSECURITY & DESIGN HANDS-ON WORKSHOP TRAINING OPTIONS
If you seek professional cybersecurity architecture hands-on training that emphasizes robust architecture modeling languages (UML2, SysML, CyberML), strong cyptographic techniques, popular architecture modeling tools (Sparx EA, MagicDraw/Cameo, Rhapsody), and numerous practice exercises, check out PivotPoint's Essential Cybersecurity Architecture & Design Applied hands-on training workshops.

CYBERSECURITY FORUM and CyberSecurityForum.com are trademarks of PivotPoint Technology Corporation. All other product and service names mentioned are the trademarks of their respective companies.