Zero-Knowledge Proofs and Self Sovereign Identity - Jordi Baylina, Iden3

00:03

well hello I'm Jordan Malina and from

00:05

mine and free when I talk a little bit

00:07

about identity and how zero knowledge

00:10

can be used in identity my presentation

00:13

is gonna have three parts first I'm

00:16

going to do a short introduction of what

00:19

we do in item 3 then I'm gonna talk a

00:21

little bit of the roadmap of how what we

00:25

want to build what are the main blocks

00:26

that we see at least in this stage of

00:29

the development and finally I'm gonna

00:31

finally I'm gonna give some ideas of how

00:35

zero knowledge can be used in the

00:37

identity context okay so let's start a

00:40

19-3 what we want to build we want to

00:43

create a sovereign identity system they

00:46

there is we are working in a very low

00:48

layer apart so and while we will if we

00:54

are trying to define a kind of protocol

00:57

a kind of system that's working we want

01:00

we are doing that in an open-source

01:02

manner we want an open protocol and we

01:04

are trying to build a reference

01:06

implementation protocol we are also

01:10

building some of the some tools for you

01:13

know for bringing what this you don't

01:14

know much technology because we saw we

01:16

see this technology absolutely key in

01:18

the sovereign entity field and of course

01:21

we want to focus in the in the

01:23

standardization but as somebody said

01:24

before you know since we want to have

01:27

good standards so we first need to

01:29

understand how this technology works how

01:32

the system works and I tell you that

01:33

when we are working on this every day we

01:35

learn a lot of whole many things how

01:38

important is this technology about well

01:42

before starting with identity I just

01:44

want to say that we are developing some

01:47

of the biggest sukhasana rocks

01:50

tools want to mention here briefly first

01:53

circumcircle is a is a dsl language for

01:58

writing circuits we have sizing some

02:01

nice properties like it's aromatic

02:04

parametric templates and while it works

02:08

quite well for that specifically design

02:10

it we have circum lip which mainly is a

02:13

set of components or gadgets if you want

02:18

for circum here we have the from baby

02:21

jar PBS a would have some some hash

02:24

functions we also have all the sparse

02:27

marquetry very fires inserts deletes and

02:30

all that stuff implemented there so it

02:32

has been very good it has been a good

02:34

example of to prove that circum is a

02:37

good language for writing for writing

02:40

circuits and that we have as large a gas

02:43

which is an independent implementation

02:46

of ellipse narks protocol and today we

02:50

just launched it something that's

02:51

purchased with 20 today it's well it's a

02:55

Zika it's a Zika snark proof generator

02:57

but from the browser right up in web

02:59

assembly by hand and well it's quite

03:02

fast so bright now creating proofs from

03:06

the browser

03:06

well it's you can just as numbers more

03:10

or less 5k constraint silk which takes

03:14

last less than 10 seconds you know in a

03:16

browser but well it just really said

03:18

today so if anybody wants to test it

03:19

that's good okay so let's talk a little

03:21

bit about their entity very briefly I

03:24

think that here most of you have heared

03:25

about surfs or any entity what it means

03:28

the song identity means that everybody

03:30

should be able to create their own

03:32

identity that entity can be understood

03:34

as a if you wanna say an address or a

03:37

fact set of address to control that

03:38

identity okay

03:41

those identity is mainly what way they

03:44

do is they do claims you can an identity

03:47

is giving claims mean that it's like

03:49

state transitions you start with some

03:51

claims and you create more claims so you

03:54

mean that you are creating a new annual

03:56

state and a new state for that for that

03:59

claims and all that is because you want

04:01

to prove those claims a third party now

04:03

we know University is making a claim

04:05

about somebody is giving a title and

04:07

this person was to go to a company and

04:09

what sue proof that the university

04:11

already makes a claim because resist

04:12

rosiness relationship between the

04:14

company and the university you can prove

04:16

all that stuff and of course this proof

04:17

can be a normal proof but can be also it

04:20

makes a lot of interest to be a zero

04:21

knowledge a zero knowledge proof okay so

04:24

how we do that how we work we are

04:28

generating that who we

04:30

creating that from from ID and three

04:32

well there is that how do we create an

04:35

identity you get to start with a normal

04:38

key and that's that could represent an

04:39

identity but what we do is we just put

04:43

all the other data that defines an

04:46

identity we can say that a self claim

04:48

for example all the keys that can

04:50

controls that controls that identity you

04:52

can say for example what's the what's

04:55

the notary or the blockchain or the

04:57

smartphone track where all the claims

04:59

that you are doing is at that maybe we

05:02

can have some metadata so it's a set of

05:05

self claims okay all those claims can be

05:08

understood as a key value pairs and we

05:11

can put all those key value pairs in a

05:13

miracle tree okay and the root of this

05:15

Merkle tree is the identifier of the

05:19

identity that's where we are star if you

05:22

want is the first the Genesis a state of

05:24

the claims okay so this is the initial

05:27

and end video of course you don't need

05:29

to do anything on chain really nearly

05:31

nothing you just define that create that

05:33

and this definition uniquely will give

05:37

you this this this hash this root that

05:41

we we understand that as a claim okay so

05:44

when when we are doing more claims time

05:46

what we what we are we're changing is

05:48

mainly is we are changing this this this

05:50

root we are creating a new root because

05:52

we are adding more and more claims this

05:54

this model scales quite well imagine

05:57

that we put this claim in a smart

05:58

contract in a blockchain this for

06:00

example for a government was very good

06:02

they are having like thousands or

06:05

hundreds of claims every day so they can

06:08

aggregate all the changes all the new

06:11

claims that this government is doing and

06:14

maybe once per hour once per app per ten

06:16

minutes is doing a transaction and

06:17

putting this new root in the in the in

06:20

the blockchain

06:21

this is good but this if we want a

06:25

system where everybody can be a

06:26

certification authority if you want a

06:29

system where you can do 1020 claims

06:31

everybody should be that this does not

06:33

scale goods so the solution to that is

06:36

maybe we can have let's say

06:41

let's start with a central party if you

06:43

won at the beginning that's a trusted

06:45

person to stand notary and then what we

06:47

do is that the route we send this route

06:50

to the dress to the to the to the least

06:54

centralized relay and this row layer

06:58

makes a claim that the user is this one

07:02

here is good but you know the here the

07:05

problem is that this trusted this relay

07:07

must be trusted and this relay can make

07:10

make me say things that are not good

07:13

okay so here what we can do is that what

07:16

happened if this trusted the layer is

07:18

maybe it's a smart contract and in order

07:21

to publish that you need this relay

07:23

needs to verify that the change comes

07:30

from me for example my new route I need

07:32

to sign that route and what I do is I

07:34

send this route and maybe this relay

07:36

aggregates many other transactions

07:38

they've verified with the zero knowledge

07:41

proof and then it's very fun it's just

07:43

publishing the route of the routes you

07:46

know the route of this twisted relay and

07:48

you know for sure that this new route

07:52

follows the rules that you know that

07:54

they need this signature of the neutral

07:56

layer and so on so that means that this

07:58

is what we call it a truce less operator

08:03

and this is very much if you have here's

08:06

about for example about plasma snart's

08:09

or things like that it's a is exactly

08:11

the same it's a kind of a scaling it's

08:13

we are verifying a lot of transactions

08:16

with a single with a single with a

08:18

single zero knowledge okay and with a

08:22

addition that here we don't have the

08:24

data availability problem in that but

08:27

that's the idea of this of this of this

08:30

solution here if you prove something you

08:35

you are sure that this proof is good but

08:40

if the only thing here is that maybe the

08:43

operator just stopped working but in

08:44

this case you will not be able to prove

08:47

you will not prove the opposite so if

08:49

you can generate the proof you can be

08:50

sure that the proof is valid okay of

08:53

course

08:55

this is a good application for zero

08:57

knowledge the other application is the

08:58

obvious one is for just for proving

09:01

anonymously typical example of proving

09:04

that you are 18 years old without

09:06

revealing who you are things like that

09:08

this is a good application for that an

09:12

example of claims just this is just a

09:14

single example but you know the system

09:17

or a system of claims you know

09:18

everything can be understand as a claim

09:20

and one thing is for example who we

09:21

named identities well a name I read it

09:23

is the this case would be the owner of a

09:26

domain name or the owner of a name this

09:28

case the owner of island 3 could make a

09:30

claim saying that Jordy at iron 3 dot IO

09:36

belongs to this identity so you can

09:39

understand even a full maining system as

09:41

a as a you know a sort of claims the

09:45

domain names have owners the owners are

09:47

identities and the identities make

09:49

claims on that owner so we can this is a

09:51

good example but you can extend that do

09:54

everything that's a claim okay and you

09:57

can use the same systems just for making

09:59

the proofs and all that stuff ok so here

10:02

is a little bit the roadmap that we are

10:04

working on ok of course in the lower

10:06

layer we have all the zero knowledge

10:08

technology that's not even clear what's

10:11

gonna be the one that's gonna be that

10:13

will work maybe there are going to be

10:15

many ok on top of that of course we have

10:18

this let's say primitive cryptographic

10:20

primitive here I want to say the

10:23

importance of the of the hind of the

10:26

hash functions inside the inside the

10:29

inside the snarks or inside the zero

10:31

knowledge system this is really

10:33

important on top of that we'll have this

10:35

Mirko trysts partner Catrice we are

10:37

working in a sparse miracle tree sparse

10:40

market trees if you want is our key

10:43

values where the keys are put at some

10:45

some place they used put it in the same

10:48

place and well they work very good

10:53

because you can prove inclusion and you

10:55

can also prove exclusion of those as far

10:57

as Merkle trees they are big because

11:01

they they have many steps and this is

11:03

not very good for a 404 snarks but you

11:05

can do some tricks because the

11:08

definition can

11:09

be without I don't know maybe with 200

11:12

levels but you can have different

11:15

secrets maybe one with ten levels

11:16

another with twenty another with thirty

11:18

all of them are valid for the for the

11:21

structure because the structure does not

11:23

change but you can have different

11:24

circuits for validating different levels

11:27

so this have this advantage on that okay

11:30

and when we have this Merkle tree then

11:31

of course the result the claim format if

11:33

you want the generic claim formats and

11:35

then all the specific claim formats and

11:38

then of course we need to standardize

11:40

also what are the circuits for verifying

11:42

those claims there are some of those

11:44

that are abuse may be for example that

11:46

some what it holds some somebody makes a

11:49

claim that's no abuse maybe this one

11:51

that we talk about the edge with some

11:53

rich range checking on that that could

11:55

be another example but you can have more

11:59

circuits on thaton

12:01

and that's another another place an

12:03

important place okay and more in the

12:06

higher level in their entity and this is

12:08

very much how we see the system to works

12:10

is that we think very much and their

12:14

entities very related to form feeling ok

12:16

when you are for filling in general

12:18

would you you who you have some fields

12:20

general text fields or in much fields if

12:23

you want or you know multiple choice or

12:25

whatever infer that information but

12:26

there are two fields two kind of fields

12:29

that are like for us very important one

12:32

is the signature I think in the normal

12:35

real paper you see it easily that there

12:38

is always a field where you can add a

12:40

signature so I think it would be good to

12:42

have a you know a standard for defining

12:45

a field where you can put a signature

12:48

and the other is a proof maybe you are

12:50

you have a forms means that you are

12:51

asking for a proof and then you are

12:54

filling with a proof that that proof

12:57

what the form is asking you to asking

13:00

you to proof so this is you can

13:03

generalize that very much but if you

13:06

think in there entity you will see

13:07

that's that very much a it works

13:12

you always can think in this I send you

13:15

a form you fill the form I receive the

13:17

form if you think in that way this works

13:19

very good for the standardization

13:22

fortunately for for generalizing the

13:25

communication between that when we are

13:27

talking about communication between our

13:30

entities here and I want which I will

13:32

jump here have a identity discovery

13:35

protocol this is not that zero knowledge

13:37

related but we need to find a way

13:39

right now we have DNS for DNS is quite

13:41

centralized but we have need to find a

13:43

way a decentralized way to find

13:45

foreigner entity when I want to know

13:46

something about an identity I need to

13:50

half of way a decentralized way to find

13:51

for heredity so here we have an identity

13:53

discovery protocol or something like

13:55

that be a peer-to-peer protocol for that

13:57

and once we discover an identity mainly

14:00

what we are asking for is if you want

14:03

service-related identity may be an email

14:05

I wonder how can I send you an email or

14:08

how can I send your message or maybe

14:11

watch your link 18 or watch your

14:12

curriculum page or you can define here

14:15

as many identity services or on top of

14:20

that hey so this is for picture earlier

14:23

in our summarized picture of the work

14:26

that the of the vision of the work that

14:29

we are doing and just to finish the

14:31

presentation I just want to just mention

14:35

some use cases some random use cases of

14:38

the zero knowledge apply it to identity

14:41

one of course is one one is anonymous

14:44

voting so in the presentation but of

14:46

course it's an important important one

14:48

none other is an animal's login would be

14:52

cool for example to log in to run out to

14:56

a web page of this Congress but without

15:01

revealing who you are the only condition

15:02

that you should need is that for example

15:04

that you have buy a ticket or that that

15:06

could be for example a good example of

15:07

anonymous logging of course you have our

15:10

reputation proof sometimes you have a

15:12

score or you have a some kind of

15:14

reputation but you don't want to reveal

15:16

the you don't want to reveal the what

15:20

the reputation comes from so the claims

15:23

that gives you that reputation of course

15:25

here is an important thing that you can

15:27

do on on I read it is another is this is

15:30

this is a little tricky but this is

15:32

interesting I can this week I'll cross

15:35

identity of cross identity proofs so

15:38

here like there is that I can have two

15:43

identities one name is of my real

15:46

identity and the other is my fake

15:47

identity and I don't want them to be

15:49

related one to the other but I can it's

15:53

possible so me here maybe there is some

15:55

service that okay you don't need to you

15:58

don't need you can use a fake identity

16:00

but you need to prove that at least you

16:02

have one real identity

16:03

so here without linking without knowing

16:06

which is your real identity you can even

16:08

you know that you have a figure-eight

16:10

that is fake identity have a real

16:12

identity and only one and here is the

16:15

concept of the nullifier and things like

16:16

that so that you you can only create one

16:19

specific fake identity that it's not

16:21

related you can nobody can relate it but

16:25

but you can only create one so this all

16:28

fall out or for example for civil attack

16:30

protocols that this is one of the a lot

16:33

of this is one of the things that one of

16:36

the one of the excuses to ask for

16:38

identity in a lot of their in lots of

16:41

applications and the last thing that I

16:44

want to mention is just a nice freak

16:47

that used to know what in is

16:48

non-reusable proofs I don't know if you

16:50

heard about but this is a cool idea

16:52

today is that when you are keeping a

16:54

proof machine that I want to prove that

16:58

I'm I'm I'm from a specific religion or

17:02

I'm from a specific political party and

17:04

I want to prove some a specific person

17:06

about that that the church is saying

17:08

that I'm from that religion but what I

17:10

don't want is that this person just take

17:12

that proof and publish to everybody so

17:14

everybody knows that I'm from that

17:16

specific religion of course the

17:19

information I already tell them the

17:21

information but it's not the same so if

17:24

if this proof is not the same that he

17:27

says something that he proves something

17:29

so how the system works here here

17:33

instead of proving to somebody else that

17:35

I'm from a specific religion what I'm

17:37

saying is I'm proving that I'm from that

17:38

specific religion or I hold your your

17:42

private key which is obvious that I

17:44

don't her your private key so because I

17:46

don't hold your private key is sure that

17:49

I'm

17:49

that religion but what happened when you

17:52

just take this proof and you just

17:55

publish to everybody you are probably

17:56

you are proving to everybody that you

17:59

are that I am from that religion or that

18:01

I that I'm holding the private key which

18:03

is obvious that that the person holds

18:05

the private key so you are not proving

18:07

anything and one thing to warranty that

18:10

is for example taking the proof and

18:11

encrypting it with a public key of the

18:14

person that you want to send it to the

18:16

the simple fact of opening of the

18:21

decrypting this proof automatically

18:23

makes this proof unusable so that's a I

18:26

think it's a very cool things here I

18:28

want to give some credits to batalik on

18:30

that but that's that's a cool idea and

18:32

that's very much my presentation just to

18:36

take away to some summary just we are

18:41

building this as so many identity we're

18:42

creating this open source we are you

18:44

know you are we're a non-profit profit

18:47

nonprofit Association we are building

18:50

all these zero knowledge and trying to

18:53

grief to bring this zero knowledge

18:54

technology in the mainstream and of

18:57

course we are we want to push on those

18:59

all those standards and that's it thank

19:02

you very much

19:03

[Applause]

19:13

any any questions yes please hi this is

19:21

a Hitachi so as far as claims is

19:24

concerned are you using any of the

19:28

standards like w3 standards for the

19:31

standard claim definition or DIDS

19:33

is that part of your implementation it

19:37

could be used for but the main

19:39

difficulty of the of this kind of

19:42

standards is that they are very much

19:45

JSON based and you know the you know the

19:49

coding as a shown inside the snark is

19:51

not something very useful on that and

19:53

here we are talking about data

19:57

definition a lot of data definition that

20:00

should be zero knowledge aware and as

20:04

far as I read these kind of standards is

20:07

not very much prepared of course you can

20:09

define a D ID that came that goes in

20:12

that direction we we are planning to do

20:15

that you can maybe use some parts of the

20:18

protocols for that but we are here we

20:20

are talking and defining so sobering

20:23

data structures circuits and structure

20:29

that's different that's another story

20:31

that they are wielding okay they can be

20:34

linked all right because I work with

20:36

Hippolyta Indy and and it uses those

20:39

standards so maybe you know if we have

20:41

those standards adopted then there is a

20:44

interoperability that is possible

20:46

between identity systems yeah they have

20:48

some sort of compatibility so we have to

20:51

work on but you know work or or or work

20:53

is more in this low level zero knowledge

20:57

before going to the standard we need to

20:59

make the work and we need to prove it

21:00

somebody said that before and I like it

21:02

a lot right thanks great okay so it

21:07

looks like we're done with the session

21:08

so thank you very much again let's think

21:10

speak to one more time

21:11

you