Research Paper Release: FORT Protocol for Self-Sovereign Authentication
By Robin Massini

Dusk Researcher Xavier Salleras designs protocol that connects NFT and ZKP technology for privacy-respecting authentication solution

Key takeaways:

• Dusk researcher Xavier Salleras and two colleagues from the Universitat Pompeu Fabra, Barcelona, designed a decentralized system to allow customers to prove their rights to use services (either online or in-person) without revealing sensitive information.
• The FORT protocol details 5 steps that guide how the solution uses NFTs and ZKPs in a novel way to anonymously prove rights to Service Providers while avoiding the need for trusted third parties.
• The paper also demonstrates how FORT could be easily deployed using blockchains, such as Ethereum or Dusk Network, and why integrating the latter would lead to a higher level of privacy.
• The FORT Protocol research paper can be found under Dusk Resources.

Today, many digital and in-person services are provided and paid for online, all of which require some form of authentication. Think about your video streaming subscriptions, car-share or vehicle parking apps, the latest concert tickets you purchased, and many more. All these service providers issue tokens that are directly related to the identities of their users after they sign-up for their platform. After registering, users can authenticate themselves by using the same credentials over and over again, or they receive a ticket, which proves their specific right to use that service at a given time and location. This seems all fun and handy, save for the fact that all these different platforms use centralized systems that do not ensure customer privacy.

These service providers are in fact trusted third parties, as they all handle private data about users. The current situation brings unnecessary risk into the equation, as users are not in control of their own sensitive information and are susceptible to data leaks and data misuse. To present an alternative, Dusk researcher Xavier Salleras and two colleagues from the Department of Information and Communication Technologies, Universitat Pompeu Fabra, Barcelona, came up with a decentralized system that allows customers to prove their rights to use services, either online or in-person, without revealing sensitive information. How would this work you might ask? It would involve the use of NFTs on a blockchain like Dusk Network.

To achieve decentralization, Salleras et al. propose a solution where all of the data are handled by a blockchain. With the help of non-fungible tokens (NFTs), we are able to describe and uniquely identify users’ rights for a specific service. Possession of these rights (i.e. said NFTs) is demonstrated by using zero-knowledge proofs (ZKPs), which are cryptographic primitives that allow us to guarantee customers’ privacy. Only by combining NFTs and ZKPs into the blockchain we create a decentralized solution that ensures customers’ privacy.

Why do we need a blockchain with ZKPs?

Decentralization implies that public data stored in the blockchain can be accessed by anyone. This leads to some serious privacy concerns. As blockchains publicly store all network activity, user tracking and/or profiling become an issue. This problem gets even worse when users of a blockchain-based service need to interact with real-world services, for example when proving to event staff that you paid for a ticket; if anyone connects your blockchain identity, they will instantly learn all about all your transaction history.

FORT: Right-Proving and Attribute-Blinding Self-Sovereign Authentication

Now that we have gained insight into the importance of both NFTs and ZKPs to create a system of self-sovereign authentication, in which the users have control over their sensitive information, let’s take a closer look at the different steps of the FORT protocol.

Figure 3. Shows an overview of the FORT protocol scenario, which is best explained by a concrete example. Say you want to sign up for a video streaming subscription. There are 5 steps that guide how FORT works, and how you can log in to enjoy your new subscription without publicly storing any sensitive data on the blockchain nor revealing your identity to the Service Provider.

1. readOnchainInfo | After paying for the service using a private transaction or an anonymous address, the user acquires attributes granted by the service provider of the streaming subscription in the shape of an NFT stored on the blockchain. In our example, this would be the attribute of using the streaming service for a given period of time. After the service provider mints the NFT on-chain, it gets transferred to the user’s address. Now the user can read these attributes from the blockchain.
   
   
2. computeProof | The user computes a certificate (a ZKP) from the information that is stored in the NFT on the blockchain, and installs the certificate on his/her device, in our case the smartphone.
   
   
3. sendProof | Now that the user has gained the right to use the service and saved this certificate on the smartphone, he/she would like to actually use this service. For this, when trying to log in, the webpage of the service provider will request the certificate.
   
   
4. verifyOnchainInfo | The service provider automatically reads the Merkle tree of the blockchain to verify that the attributes the user wants to prove are really on-chain, stored in the NFT. In other words, the service provider automatically checks if the user has the right to use the service at this very moment.
   
   
5. verifyProof | In the final step the service provider verifies the certificate of the user, and grants him/her access to the service, without having any idea of who the user is.

Size matters

To have real-world interactions with the FORT protocol on the blockchain, it is important that all required actions and computations do not take ages to complete, or are simply too large to run on minimal requirements. The benchmarks of FORT show that the protocol is efficient enough to be used in devices with low computing resources, such as smartphones or smartwatches. This makes FORT a very practical solution.

FORT and Dusk Network

The paper demonstrates how FORT could be easily deployed using blockchains, such as Ethereum or Dusk Network. As for a Dusk Network implementation, we have to take into account the private nature of the execution of the smart contracts, as well as the creation of an NFT standard. One thing is for sure, integrating FORT into the Dusk Network blockchain would lead to a higher level of privacy.