Research Paper Release: FORT Protocol for Self-Sovereign Authentication
Dusk Researcher Xavier Salleras designs protocol that connects NFT and
ZKP technology for privacy-respecting authentication solution
Key takeaways:
- Dusk researcher Xavier Salleras and two colleagues from the
Universitat Pompeu Fabra, Barcelona, designed a decentralized system
to allow customers to prove their rights to use services (either
online or in-person) without revealing sensitive information.
- The FORT protocol details 5 steps that guide how the solution uses
NFTs and ZKPs in a novel way to anonymously prove rights to Service
Providers while avoiding the need for trusted third parties.
- The paper also demonstrates how FORT could be easily deployed using
blockchains, such as Ethereum or Dusk Network, and why integrating
the latter would lead to a higher level of privacy.
- The FORT Protocol research paper can be found under Dusk Resources.
Today, many digital and in-person services are provided and paid for
online, all of which require some form of authentication. Think about
your video streaming subscriptions, car-share or vehicle parking apps,
the latest concert tickets you purchased, and many more. All these
service providers issue tokens that are directly tied to the identities of
their users once they sign up for the platform. After registering, users
either authenticate themselves by using the same credentials over and over
again, or they receive a ticket, which proves their specific right to use
that service at a given time and location.
This all seems fun and handy, save for the fact that these platforms run on
centralized systems that do not guarantee customer privacy. The service
providers are in fact trusted third parties, since each of them handles
private data about its users. This brings unnecessary risk into the
equation: users are not in control of their own sensitive information and
are exposed to data leaks and data misuse. To present an alternative, Dusk
researcher Xavier Salleras and two colleagues from the Department of
Information and Communication Technologies, Universitat Pompeu Fabra,
Barcelona, came up with a decentralized system that allows customers to
prove their rights to use services, either online or in-person, without
revealing sensitive information. How would this work, you might ask? It
involves the use of NFTs on a blockchain like Dusk Network.
To achieve decentralization, Salleras et al. propose a solution where all
of the data are handled by a blockchain. Non-fungible tokens (NFTs)
describe and uniquely identify a user's rights for a specific service.
Possession of these rights (i.e. of said NFTs) is demonstrated with
zero-knowledge proofs (ZKPs), cryptographic primitives that let a user
prove a statement is true without revealing anything beyond that fact,
which is what guarantees customers' privacy. Only by combining NFTs and
ZKPs on the blockchain do we get a solution that is both decentralized and
privacy-preserving.
Why do we need a blockchain with ZKPs?
Decentralization implies that public data stored in the blockchain can be
accessed by anyone, and this raises serious privacy concerns. Because
blockchains publicly store all network activity, user tracking and
profiling become an issue. The problem gets worse when users of a
blockchain-based service need to interact with real-world services, for
example when proving to event staff that you paid for a ticket: if anyone
links your real-world identity to your blockchain address, they instantly
learn your entire transaction history. A ZKP avoids this by letting the
user prove that a valid NFT on the chain grants the right in question,
without revealing the address that holds it.
FORT: Right-Proving and Attribute-Blinding Self-Sovereign Authentication
Now that we have gained insight into the importance of both NFTs and
ZKPs to create a system of self-sovereign authentication, in which the
users have control over their sensitive information, let’s take a closer
look at the different steps of the FORT protocol.
Figure 3 shows an overview of the FORT protocol scenario, which is best
explained with a concrete example. Say you want to sign up for a video
streaming subscription. Five steps guide how FORT works and how you can
log in to enjoy your new subscription without publicly storing any
sensitive data on the blockchain or revealing your identity to the Service
Provider.
1. readOnchainInfo | After paying for the service using a private
   transaction or an anonymous address, the user acquires attributes
   granted by the service provider of the streaming subscription in the
   form of an NFT stored on the blockchain. In our example, the attribute
   is the right to use the streaming service for a given period of time.
   After the service provider mints the NFT on-chain, it is transferred to
   the user's address, and the user can read these attributes from the
   blockchain.
2. computeProof | The user computes a certificate (a ZKP) from the
information that is stored in the NFT on the blockchain, and
installs the certificate on his/her device, in our case the
smartphone.
3. sendProof | Now that the user has gained the right to use the
service and saved this certificate on the smartphone, he/she would
like to actually use this service. For this, when trying to log in,
the webpage of the service provider will request the certificate.
4. verifyOnchainInfo | The service provider automatically reads the
Merkle tree of the blockchain to verify that the attributes the user
wants to prove are really on-chain, stored in the NFT. In other
words, the service provider automatically checks if the user has the
right to use the service at this very moment.
5. verifyProof | In the final step the service provider verifies the
certificate of the user, and grants him/her access to the service,
without having any idea of who the user is.
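To make the five steps concrete, here is an added example in Python that is not code from the paper or from Dusk: a constructed model of the exchange between chain, user and service provider. A list of NFT records under a Merkle root stands in for the chain, and a Schnorr proof of knowledge of the NFT owner's secret key (over secp256k1, with a Fiat-Shamir challenge bound to the NFT, the chain root and a per-login nonce from the provider) stands in for the ZKP. One caveat is deliberate: the paper's ZKP also hides which NFT is being proven, while the Merkle path below reveals the leaf, so only the owner's key and its link to the login stay private. The record fields, the curve, the hashing scheme and the function names are all assumptions of this example.

```python
import hashlib
import secrets

# secp256k1 parameters (real curve constants); using this curve is an assumption
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc


def h(*parts) -> bytes:
    """SHA-256 over length-prefixed parts, so fields cannot run into each other."""
    m = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else repr(part).encode()
        m.update(len(b).to_bytes(4, "big") + b)
    return m.digest()


def leaf(nft: dict) -> bytes:
    """Leaf commitment to the NFT's attributes and the owner's public key."""
    return h(nft["service"], nft["valid_until"], nft["owner_pk"])


def merkle(leaves: list, index: int):
    """Merkle root of all leaves plus the (sibling, sibling_is_left) path for index."""
    path, level = [], list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        sib = index ^ 1
        path.append((level[sib], sib < index))
        level = [h(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], path


def merkle_verify(node: bytes, path: list, root: bytes) -> bool:
    for sib, sib_is_left in path:
        node = h(sib, node) if sib_is_left else h(node, sib)
    return node == root


def keygen():
    sk = secrets.randbelow(N - 1) + 1
    return sk, ec_mul(sk, G)


def compute_proof(sk: int, nft: dict, path: list, root: bytes, nonce: bytes) -> dict:
    """Step 2: Schnorr proof of knowledge of sk behind nft['owner_pk']. The
    Fiat-Shamir challenge binds the NFT, the chain root and the SP's nonce."""
    r = secrets.randbelow(N - 1) + 1
    t = ec_mul(r, G)
    c = int.from_bytes(h(t, leaf(nft), root, nonce), "big") % N
    return {"nft": nft, "path": path, "t": t, "s": (r + c * sk) % N}


def verify_login(chain: list, service: str, nonce: bytes, proof: dict, now: int) -> bool:
    nft, path, t, s = proof["nft"], proof["path"], proof["t"], proof["s"]
    root, _ = merkle([leaf(n) for n in chain], 0)
    # Step 4 (verifyOnchainInfo): right service, not expired, really on-chain.
    if nft["service"] != service or nft["valid_until"] < now:
        return False
    if not merkle_verify(leaf(nft), path, root):
        return False
    # Step 5 (verifyProof): s*G == t + c*pk holds only if the prover knew sk.
    c = int.from_bytes(h(t, leaf(nft), root, nonce), "big") % N
    return ec_mul(s, G) == ec_add(t, ec_mul(c, nft["owner_pk"]))


def demo() -> dict:
    """Constructed scenario: a 30-day streaming NFT, then the checks an SP relies on."""
    now = 1_700_000_000
    sk, pk = keygen()                  # subscriber
    _, other_pk = keygen()             # unrelated user whose NFT shares the tree
    thief_sk, _ = keygen()             # can read the public NFT but lacks sk
    chain = [{"service": "streaming", "valid_until": now + 30 * 86400, "owner_pk": pk},
             {"service": "parking", "valid_until": now + 3600, "owner_pk": other_pk}]
    root, path = merkle([leaf(n) for n in chain], 0)   # step 1: readOnchainInfo
    nonce = secrets.token_bytes(16)                      # SP challenge for step 3
    proof = compute_proof(sk, chain[0], path, root, nonce)
    forged = dict(proof, nft=dict(chain[0], valid_until=now + 10**9))
    return {
        "ok": verify_login(chain, "streaming", nonce, proof, now),
        "replayed": verify_login(chain, "streaming", secrets.token_bytes(16), proof, now),
        "expired": verify_login(chain, "streaming", nonce, proof, now + 31 * 86400),
        "tampered": verify_login(chain, "streaming", nonce, forged, now),
        "not_owner": verify_login(chain, "streaming", nonce,
                                  compute_proof(thief_sk, chain[0], path, root, nonce), now),
    }
```

Calling demo() returns the outcome of a valid login plus four checks a provider relies on: a proof replayed under a fresh nonce, an NFT past its validity period, a record whose attributes were edited (its leaf no longer hashes into the on-chain root), and a proof from someone who read the public NFT but does not hold the owner's key. Only the first should succeed.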
Size matters
For real-world interactions with the FORT protocol on the blockchain, all
required actions and computations must complete quickly and fit within the
resources of a modest device. The benchmarks of FORT show that the protocol
is efficient enough to run on devices with low computing resources, such as
smartphones or smartwatches, which makes it a very practical solution.
FORT and Dusk Network
The paper demonstrates how FORT could be easily deployed using
blockchains, such as Ethereum or Dusk Network. As for a Dusk Network
implementation, we have to take into account the private nature of the
execution of the smart contracts, as well as the creation of an NFT
standard. One thing is for sure, integrating FORT into the Dusk Network
blockchain would lead to a higher level of privacy.