Technical Overview V2.0

Introducing Hybrid mode of zkTLS oracle protocol

This document describes the zkPass oracle protocol from a technical perspective. It presents the underlying cryptographic components and specifies the building blocks used to construct the zkPass protocol.

The zkPass protocol is meticulously designed to serve as a private data oracle, leveraging Vector Oblivious Linear Evaluation (VOLE) to create efficient commitments, commonly referred to as VOLE-Based Zero-Knowledge Proofs (VOLE-ZK). Specifically, beyond the use of SoftSpokenOT for Oblivious Transfer (OT), the security integrity of the zkPass protocol is intimately tied to the robustness of the VOLE-in-the-Head (VOLEitH) technique.

zkPass operates in a Hybrid Mode, which combines Proxy Mode and MPC Mode, allowing the protocol to adapt to various network conditions and server restrictions without compromising performance or security. This design ensures flexibility in data-sharing scenarios, whether a server supports direct client requests or has stricter security policies.

Overview

While Transport Layer Security (TLS) provides secure access to private data, it doesn't allow users to prove to third parties that the data genuinely came from a specific website. Existing solutions either require unwanted trust assumptions or server modifications, effectively locking users' data at its source. The zkPass protocol addresses this issue by extending TLS into a Three-party TLS (3P-TLS) to prevent cheating and protect privacy, enabling secure data sharing without needing assistance or permission from the data holder.

The zkPass protocol involves three entities: the Prover (P), the Verifier (V), and the DataSource (TLS Server as S). Departing from conventional methods, P utilizes their access token to directly pinpoint and extract their data from S. P then generates a Zero-Knowledge Proof (ZKP) for the V's inspection. This procedure ensures that V remains oblivious to the P's personal data.

To actualize this architecture, we integrate 3P-TLS, MPC, and Non-Interactive Zero Knowledge (NIZK) technologies.

We have designed and implemented the zkPass protocol in two modes:

  1. Proxy Mode: In this mode, P communicates with S through V as a proxy.

  2. MPC Mode: In this mode, both P and V act as a client to communicates with S.

These two modes collectively form Hybrid Mode, providing zkPass with the flexibility to operate efficiently across various scenarios. Typically, the zkPass protocol operates efficiently in Proxy Mode. However, a small number of TLS servers do not support this mode, meaning they block the same account's requests originating from different IP addresses. In such cases, our protocol switches to operate in MPC Mode.

Proxy Mode

In Proxy Mode, we propose having V act as a proxy between P and S. In this setup, P communicates with S through V, which allows V to record the traffic for later verification. The modified protocol flow is designed to maintain security while improving efficiency.

Flow and Security Properties

The protocol flow is as follows:

  1. Three-Party Handshake: P, V, and S engage in a 3P-TLS handshake. This handshake establishes cryptographic parameters and ensures mutual authentication among the parties.

  2. Proof Generation: After the session concludes, P proves statements about the recorded session to V.

To verify server identity, during the three-party handshake, V can verify S's identity by checking the server's signature over a fresh nonce, as per standard TLS procedures. Verifier integrity and privacy are maintained because, under the assumption that TLS is secure, a malicious V cannot compromise the integrity and privacy of the TLS session between P and S. Ensuring Prover integrity requires certain network assumptions. V must maintain a reliable connection to S throughout the session and ensure that the P cannot tamper with the messages exchanged between V and S such as those executed through BGP hijacking. Since attacks like BGP are difficult to execute in practice and are already mitigated by ICP and CSP, these network assumptions are generally acceptable and can be considered negligible in practical scenarios.

The Proxy Mode in the zkPass protocol enhances efficiency and performance by simplifying the communication flow and eliminating the need for intensive cryptographic computations after the handshake phase. Since no complex cryptographic operations are required during the rest of the session, the protocol becomes faster and more efficient due to the reduced cryptographic workload. While this approach is more universal, it introduces an additional trust assumption for the proxy and requires not only a ZK solution that’s affordable for the client, but also special magic tricks to bypass the data source’s WAF.

VOLEitH Protocol

VOLEitH is the most suitable and client affordable ZKP Protocol for authorizing TLS. We have implemented the protocol using SoftSpokenOT[ROY22], VOLE-ZK[YSWW21] and Fiat-Shamir transform[FS87].

VOLE

VOLEitH Commitment

VOLEitH Proof System

The VOLE-ZK is an interactive ZKP in the VOLE-hybrid model. It is based on the Line-Point Zero-Knowledge Paradigm[DIO21]. For the zkPass protocol, we use the QuickSilver protocol to prove boolean circuits satisfaction. As QuickSilver is an interactive proof system, it is described here as a protocol executed between two parties: P and V. And we will convert it into the NIZK eventually.

If the equation equal then circuit satisfied.

At this point, we have successfully completed all protocol implementations.

Why VOLEitH

ZK systems like SNARKs are less suitable for authorizing TLS data because they involve intensive cryptographic computations, such as large-scale exponentiations and complex pairing operations. These operations require substantial computational resources and memory, leading to time-consuming proof generation that is often unaffordable for clients. Additionally, SNARKs typically require a trusted setup phase, which introduces potential security risks. While they may be acceptable for very small data sizes, they are inefficient and impractical for the typical data sizes found in TLS communications.

In contrast, VOLE-ZKs are much more efficient. They naturally handle the linear computations, enabling fast and low-overhead, which makes them more suitable for authorizing TLS data. They avoid the need for a trusted setup and do not require large memory or extensive calculations for proof generation, making them affordable for clients. However, VOLE-ZK proofs are interactive, necessitating the verifier's continuous online presence and potentially introducing risks of collusion.

To overcome these challenges, the zkPass protocol employs the VOLEitH technique, transforming the VOLE-ZK protocol into a non-interactive form. This ensures swift and efficient proof generation directly in the browser and device, addressing the limitations of both traditional SNARKs and VOLE-ZKs. By doing so, zkPass combines the efficiency of VOLE-ZK proofs with the convenience of non-interactivity, making it a practical and secure solution for authorizing TLS data.

MPC Mode

In MPC Mode, we have implemented the protocol using a hybrid approach that combines ZKP and MPC technologies for 3P-TLS.

P and V work together as a single client to establish secure communication with S. They achieve this through a series of stages based on the elliptic curve Diffie-Hellman (ECDH) protocol, enhanced with MPC and OT techniques.

Three-Party Handshake

The first stage of the protocol is a three-party handshake between P, V, and S, where they work together to generate the pre-master key. P and V each receive a share of this key using Oblivious Linear Evaluation (OLE) based Multiplicative-to-Additive (MtA) or Additive-to-Multiplicative (AtM) schemes, which support additive homomorphism. The pre-master key is divided, with P and V each getting one half, while S retains the full key.

To ensure authenticity and prevent the client from impersonating fake websites, after the client and server exchange greetings, the server provides its certificate. During the key exchange phase, the server also signs the public key with its private key from the certificate. This allows V, within the client, to verify the certificate and signature, confirming the server's identity and establishing trust in the data source.

The second stage of the protocol is key derivation, where P and V work together using Garbled Circuit (GC) to generate two session keys from the pre-master key: the encryption key (enc_key) for data protection and the message authentication code key (mac_key) for data integrity. Notably, V only holds a share of the mac_key and has no access to the enc_key, ensuring that V cannot view P’s private information. P also holds a share of the mac_key, giving access to identity-related data but without the ability to tamper with it. Any tampering can be detected by verifying the authenticity of messages using the mac_key.

The MPC algorithm in zkPass has been significantly optimized in several areas, including communication time, hash functions for the Garbler and Evaluator, OT operations, and memory copying. These improvements have increased efficiency by more than threefold. A new AES128 proof method has also been introduced, reducing the number of blocks by 300 times and speeding up Garbler/Evaluator execution by tenfold. zkPass uses Silent OT, minimizing offline network communication during OT generation. For GC, zkPass implements Three Halves Make a Whole and Stacked GC, which reduces the size of the Garbled Tables, leading to less communication and faster execution. Overall, these optimizations have greatly reduced the runtime of the entire MPC process, making zkPass much more efficient.

ZKP

In the final stage of the zkPass protocol, the client creates a ZKP for public verification. After the 3P-TLS phase, the prover obtains the complete data and uses the VOLEitH process to generate a proof. Since this step is similar to the process used in proxy mode, we won’t go into the details here.

Why Not Prioritize MPC Mode

The performance overhead of MPC Mode is significant, mainly due to the truth table (TT) in GC. Every block of application data must be encrypted using a TT, which greatly increases both computational and bandwidth requirements. For a single TLS session, there's a fixed cost of 20MB, plus 8MB per 1KB of outgoing data and 32KB per 1KB of incoming data. For a typical 1KB request and 100KB response, the prover would need to upload around 32MB, making this approach impractical for regular use.

Additionally, MPC Mode isn't necessarily more secure than Proxy Mode because it still relies on a "trusted notary", similar to a proxy. A malicious notary could cache session data and collude with a compromised client. Since the server's decrypted key is hidden for privacy, external verification is impossible, meaning collusion or manipulation could go unnoticed. While MPC mode reduces some trust assumptions, it doesn't fully eliminate them, so it isn't inherently more secure.

Given these issues, while MPC Mode provides some cryptographic advantages and may be useful for small requests, its high performance overhead and limited security benefits make it no better than a well-designed and decentralized proxy. Its resource demands and impracticality for everyday use restrict its real-world application. Therefore, we only reserve this mode as a backup for TLS servers that block requests from the same account when coming from different IP addresses.

Summary

The zkPass protocol distinguishes itself by combining advanced cryptographic techniques to achieve secure, efficient, and privacy-preserving data sharing. By extending TLS into a three-party protocol and integrating VOLEitH for Non-Interactive Zero-Knowledge (NIZK) proofs, zkPass effectively addresses both security and performance challenges.

Its Hybrid Mode, which seamlessly switches between Proxy Mode and MPC Mode, allows the protocol to adapt to various network environments and server policies without compromising efficiency or security. Proxy Mode ensures high performance with minimal cryptographic overhead, while MPC Mode takes over when certain servers block requests from multiple IP addresses, maintaining privacy and security. The use of VOLEitH further enhances efficiency by avoiding the heavy computational and memory demands of traditional cryptographic systems like SNARKs.

Optimized cryptographic computations and communication flows make zkPass highly scalable, ensuring that the protocol remains practical for real-world applications without sacrificing security or speed.

Last updated

Feel free to contact us if you have any ideas