NEST® GLOSSARY
“Every day, millions of users browse the internet, accept cookies and share their personal information in exchange for access to services and digital products. Users are gradually becoming more and more exposed to security breaches and illicit use of their data. Furthermore, they often have to forego their privacy in exchange for services that digital platforms offer – such as recommendations, consultations, personalized assistance, etc. – to which they cannot gain access if they use private browsing.
Is it possible to show that something is true without revealing the data that proves it? This is what ‘Zero Knowledge Proof’ technology proposes, a technique which employs cryptographic algorithms so that various parties can verify the veracity of an item of information without sharing the data that compose it.
“Thanks to mass data and technologies, such as artificial intelligence, the possibilities at our disposal to make better decisions are growing exponentially. However, at the same time, so do the risks both in terms of security and data privacy”, explains Luis de la Gándara, R&D manager at BBVA New Digital Businesses (NDB). Asymmetry regarding access to information present in the current digital society is a clear concern for BBVA, which takes the view that privacy and data ownership “are fundamental individual rights which we must help people to preserve”. “At NDB we are tackling this problem through research into new mechanisms, tools and scientific methods that offer a secure way to take advantage of the potential of the data-based economy without losing privacy”, explains De la Gandara, who is leading this line of research.
One of the technologies that is demonstrating the greatest potential to reach this balance is Zero Knowledge Proof (ZKP), a set of tools that allow an item of information to be validated without the need to expose the data that demonstrates it. This is possible thanks to a series of cryptographic algorithms through which a “tester” can mathematically demonstrate to a ‘verifier’ that a computational statement is correct without revealing any data. In this way, it can be demonstrated that certain data are true without sharing them with a third party. For example, a user could show that he is of the appropriate age to access a product or service, without needing to reveal how many years old he is. Or a person could prove that he has a sufficient income to buy a product or service, without having to share the exact amount of money in his possession.
“Thanks to this protocol it is possible to create, for example, identity authentication systems without the risk of information being stolen, as in order to prove a person’s identity it is not necessary to share any personal data”, assures the expert. But, how does it work?
Alice, Bob and the secret code
In the academic sphere a simple example is often used to illustrate the logic maintained by a cryptographic algorithm that makes this technology possible: ‘The cave of Ali Baba’. Let’s imagine that two characters, Alice and Bob, find themselves at the opening of a cave which has two distinct entrances to two separate paths (A and B). Inside the cave there is a door that connects both paths, but can only be opened with a secret code. Bob (the ‘tester’) owns this code and Alice (the ‘verifier’) wants to buy it, but first she wants to be sure that Bob is not lying.
How can Bob show Alice that he has the code without revealing its contents? To achieve this, they do the following: Alice waits outside the cave and Bob enters at random through one of the doors (A or B). Once inside, Alice approaches the entrance, calls Bob and asks him to exit through one of the two paths. As Bob has the secret code, he will always be able to return via the path that Alice asks him to, even though it may not coincide with the path he has chosen in the first place, as in this case he can open the door and exit through the other side.
Alice may think this has been a question of luck: there was a 50% chance that both of them had chosen the same path. Nevertheless, if this exercise is carried out multiple times, the probability that Bob exits through the same path selected by Alice without having the code progressively reduces, until it being practically impossible. Conclusion? If Bob exits a sufficient number of times through this path, he has unequivocally demonstrated to Alice the truth of his statement: he has the secret code. And to this end there was no need to share the actual code.
Identifying opportunities at NDB
What does all this mean for digital services? “At NDB we are already working in various settings where this technology can be applied to create systems that allow users to interact with digital services that they can trust, and which brings them added value and optimal usability, and at the same time respect the security and privacy of their data,” explains Ignacio Sueiro, Head of NDB’s “Beyond Core” pillar.
An example is the real estate sector. Frequently, even before carrying out a visit, estate agents or rental companies can ask their potential tenants to share their latest pay cheques, bank statements or other sensitive personal documentation to guarantee that they have a sufficient income to take on the cost. In this case, a system based on ZKP could provide users with the possibility to demonstrate that they have sufficient funds without the need to share any private data with the estate agent…”