Rob Behnke
March 20th, 2024
Zero-knowledge proofs (ZKPs) and zero-trust are both used to enhance cybersecurity and data security. However, despite their similar-sounding names, these two security tools are designed to achieve very different goals.
ZKPs are cryptographic primitives that have the potential to solve some of the hardest problems faced by blockchain technology. Zero trust, on the other hand, works behind the scenes to limit an organization’s potential exposure to cyberattacks and the damage that can be done by a successful attacker. Read on to learn more about the potential benefits and use cases of each within a Web3 project.
A ZKP is a cryptographic algorithm designed to allow someone to prove that something is true without revealing some secret information. For example, someone wanting to prove that they know the secret password to some club could say the password, but this would allow anyone in earshot to know the password as well. Instead, they could generate a ZKP that demonstrates that they know the password and that anyone can verify without revealing the password itself.
ZKPs can be built in a few different ways, but the most commonly used ZKP architectures are zk-STARKs and zk-SNARKs. These are tools that can be used to develop ZKPs for a desired proof.
One important feature of zk-STARKs and zk-SNARKs is that they are non-interactive proofs. Some ZKPs require communication between the prover and the verifier to complete the proof, which limits their potential use cases. With a non-interactive proof, the prover can generate and publish the proof, and the verifier can check its correctness at their leisure. This attribute makes zkSTARKs and zkSNARKs valuable tools for the blockchain, where everything posted on the digital ledger is publicly visible.
Some applications of ZKPs in blockchain include:
Private Transactions: With blockchains like Bitcoin and Ethereum, all transaction data is publicly visible to allow the nodes in the blockchain network to validate transactions before accepting them into the digital ledger. With ZKPs, it’s possible to construct a transaction that is provably valid without revealing the details of the transaction (source, destination, value, etc.).
Scalability: ZK-Rollups like zkSync use ZKPs to enhance the scalability of Layer-1 blockchains. A ZK-Rollup will execute transactions off-chain and bundle them together into a single state update, which describes the effect of executing all of them. This state update will be posted to the Layer-1 blockchain along with a ZKP that proves that the state update accurately reflects the result of running the bundle of off-chain transactions. In this case, the ZKP doesn’t protect the privacy of the off-chain transactions (although it could); instead, it makes the Layer-1 blockchain more efficient by eliminating the need to run those transactions and record their data on the digital ledger.
Cross-Chain Communication: As different Layer-1 blockchains grow increasingly interconnected via cross-chain bridges, one blockchain may need information about the state of another. A ZKP can be used to generate a verifiable proof about some aspect of another blockchain’s current state. Posting this proof to the first blockchain allows smart contracts running on it to validate that state and act upon it in some way.
Zero trust is a security model designed to replace the traditional “castle and moat” approach to access management that many companies use. In general, companies will defend against cyberattacks by deploying various security solutions at their network perimeter. The goal of these solutions is to identify and block attempted cyberattacks entering the network or sensitive data leaving it.
Under this model, the assumption is that everyone outside the network is untrusted, while everyone with internal access is supposed to be there (because otherwise they would have been blocked at the network perimeter). However, this assumption can be invalid for multiple reasons, including malicious insiders, compromised accounts of trusted users, malware that slips past the protected border, and more.
The term “zero trust” was first coined by John Kindervag of Forrester Research in 2010. The zero trust security model gets its name from the fact that it eliminates this inherent trust in anyone inside the network. Instead, every request for access to corporate resources is verified against access controls before it is approved or denied. Accomplishing this requires microsegmentation, which ensures that a firewall can inspect all traffic moving through the corporate network, even if it doesn’t cross the perimeter.
Furthermore, these access controls used by the zero trust model implement the principle of least privilege. This states that users, applications, or devices should only be granted the access and privileges needed to do their jobs. For example, an office worker who only browses the web and uses a text editor doesn’t need administrative access to their computer. Even if a user — such as a system administrator — needs admin access, they should use it only when required for a task and use a non-privileged account for day-to-day tasks.
The goal of the zero trust security model is to provide an organization with greater visibility into and control over the use of corporate data and resources. With the ability to inspect and approve/deny every request for access to corporate resources, a company has a much higher chance of detecting and blocking a cyberattack than with the “castle and moat” model where they can only catch the attack at the network perimeter.
ZKPs and zero trust are powerful tools for enhancing security and privacy. However, they’re designed for very different use cases. ZKPs are cryptographic primitives that eliminate the need to reveal sensitive data while generating important proofs. Zero trust, on the other hand, is a security model designed to reduce an organization’s vulnerability to cyberattacks by reducing or eliminating inherent trust in insiders.
On-chain projects can benefit from both but in different ways. Building ZKPs into blockchain projects can enhance privacy and/or scalability. Zero trust is an important part of privilege management in these projects, helping to protect the project against private key compromises and other common threats to a project’s security and liquidity.
When designing and implementing a blockchain project, it’s important to have the right tools and techniques for securing it. To ensure the security of your protocol design and help protect against a range of potential threats, get in touch with Halborn.