Research Paper Release: FORT Protocol for Self-Sovereign Authentication


Dusk Researcher Xavier Salleras designs protocol that connects NFT and
ZKP technology for privacy-respecting authentication solution
Key takeaways:

-   Dusk researcher Xavier Salleras and two colleagues from the
   Universitat Pompeu Fabra, Barcelona, designed a decentralized system
   to allow customers to prove their rights to use services (either
   online or in-person) without revealing sensitive information.
-   The FORT protocol details 5 steps that guide how the solution uses
   NFTs and ZKPs in a novel way to anonymously prove rights to Service
   Providers while avoiding the need for trusted third parties.
-   The paper also demonstrates how FORT could be easily deployed using
   blockchains, such as Ethereum or Dusk Network, and why integrating
   the latter would lead to a higher level of privacy.
-   The FORT Protocol research paper can be found under Dusk Resources.

Today, many digital and in-person services are provided and paid for
online, all of which require some form of authentication. Think about
your video streaming subscriptions, car-share or vehicle parking apps,
the latest concert tickets you purchased, and many more. All these
service providers issue tokens that are directly related to the
identities of their users after they sign-up for their platform. After
registering, users can authenticate themselves by using the same
credentials over and over again, or they receive a ticket, which proves
their specific right to use that service at a given time and location.
This seems all fun and handy, save for the fact that all these different
platforms use centralized systems that do not ensure customer privacy.

These service providers are in fact trusted third parties, as they all
handle private data about users. The current situation brings
unnecessary risk into the equation, as users are not in control of their
own sensitive information and are susceptible to data leaks and data
misuse. To present an alternative, Dusk researcher Xavier Salleras and
two colleagues from the Department of Information and Communication
Technologies, Universitat Pompeu Fabra, Barcelona, came up with a
decentralized system that allows customers to prove their rights to use
services, either online or in-person, without revealing sensitive
information. How would this work you might ask? It would involve the use
of NFTs on a blockchain like Dusk Network.

To achieve decentralization, Salleras et al. propose a solution where
all of the data are handled by a blockchain. With the help of
non-fungible tokens (NFTs), we are able to describe and uniquely
identify users’ rights for a specific service. Possession of these
rights (i.e. said NFTs) is demonstrated by using zero-knowledge proofs
(ZKPs), which are cryptographic primitives that allow us to guarantee
customers’ privacy. Only by combining NFTs and ZKPs into the blockchain
we create a decentralized solution that ensures customers’ privacy.

Why do we need a blockchain with ZKPs?

Decentralization implies that public data stored in the blockchain can
be accessed by anyone. This leads to some serious privacy concerns. As
blockchains publicly store all network activity, user tracking and/or
profiling become an issue. This problem gets even worse when users of a
blockchain-based service need to interact with real-world services, for
example when proving to event staff that you paid for a ticket; if
anyone connects your blockchain identity, they will instantly learn all
about all your transaction history.

FORT: Right-Proving and Attribute-Blindiwng Self-Sovereign Authentication

Now that we have gained insight into the importance of both NFTs and
ZKPs to create a system of self-sovereign authentication, in which the
users have control over their sensitive information, let’s take a closer
look at the different steps of the FORT protocol.

Figure 3. Shows an overview of the FORT protocol scenario, which is best
explained by a concrete example. Say you want to sign up for a video
streaming subscription. There are 5 steps that guide how FORT works, and
how you can log in to enjoy your new subscription without publicly
storing any sensitive data on the blockchain nor revealing your identity
to the Service Provider.

1.  readOnchainInfo | After paying for the service using a private
   transaction or an anonymous address, the user acquires attributes
   granted by the service provider of the streaming subscription in the
   shape of an NFT stored on the blockchain. In our example, this would
   be the attribute of using the streaming service for a given period
   of time. After the service provider mints the NFT on-chain, it gets
   transferred to the user’s address. Now the user can read these
   attributes from the blockchain.

2.  computeProof | The user computes a certificate (a ZKP) from the
   information that is stored in the NFT on the blockchain, and
   installs the certificate on his/her device, in our case the

3.  sendProof | Now that the user has gained the right to use the
   service and saved this certificate on the smartphone, he/she would
   like to actually use this service. For this, when trying to log in,
   the webpage of the service provider will request the certificate.

4.  verifyOnchainInfo | The service provider automatically reads the
   Merkle tree of the blockchain to verify that the attributes the user
   wants to prove are really on-chain, stored in the NFT. In other
   words, the service provider automatically checks if the user has the
   right to use the service at this very moment.

5.  verifyProof | In the final step the service provider verifies the
   certificate of the user, and grants him/her access to the service,
   without having any idea of who the user is.

Size matters

To have real-world interactions with the FORT protocol on the
blockchain, it is important that all required actions and computations
do not take ages to complete, or are simply too large to run on minimal
requirements. The benchmarks of FORT show that the protocol is efficient
enough to be used in devices with low computing resources, such as
smartphones or smartwatches. This makes FORT a very practical solution.

FORT and Dusk Network

The paper demonstrates how FORT could be easily deployed using
blockchains, such as Ethereum or Dusk Network. As for a Dusk Network
implementation, we have to take into account the private nature of the
execution of the smart contracts, as well as the creation of an NFT
standard. One thing is for sure, integrating FORT into the Dusk Network
blockchain would lead to a higher level of privacy.