Zero-Knowledge proofs (ZKPs) for vulnerability disclosure
By Vinoth Venkatesan
Few relationships in cybersecurity are more delicate than the one between a security researcher who discovers a vulnerability in a product and the company they notify. The company may not care about the vulnerability or its impact on customers, or may downplay the severity to avoid media attention. Given its potential for harm, the researcher believes that a timelier public disclosure will incentivise the business to develop a quick patch to protect end-users. While the industry has managed some of these difficulties through coordinated vulnerability disclosure policies, there’s still a fair amount of disagreement and mismatched motivations that can breed mistrust between the two parties. One of the trickier problems is ethically disclosing a bug to the broader public and putting pressure on an organisation without revealing technical information that might allow malicious hackers to exploit it before a patch becomes available.
Here come the Zero-Knowledge Proofs (ZKPs) from DARPA. The research and development arm of the Department of Defense has successfully demonstrated the application of zero-knowledge proofs to the software vulnerability disclosure process, using a limited set of use cases. A zero-knowledge proof is a cryptographic protocol that allows one entity to create mathematical evidence to demonstrate to another entity that they can answer a question without disclosing their underlying work. In this case, it would allow a cyber researcher to prove that the vulnerability can be exploited without displaying a proof-of-concept exploit, which might provide a road map to bad actors. This was made possible by the cryptocurrency community’s ongoing work on developing more efficient zero-knowledge proofs. A paper called “Snarks for C” helped to inspire DARPA researchers to explore ideas for similar applications in other fields that aren’t necessarily connected to the blockchain.
36 | Australian Cyber Security Magazine
How does it work?
Imagine a graph with several different points, with lines between them, where each point is assigned a colour: green, red, yellow, etc. The question here is whether you can conclusively prove that each point has a different colour from the adjacent points without displaying them on the graph. The answer is yes. It is possible to translate much of the relevant information about those points, their colours and their connections to each other into numerical values or equations that can be calculated without viewing the original graph. Moreover, this same fundamental model can be expanded and applied to many other situations, usually involving more “points” or relevant variables that interact in predictable ways — like different parts of a software system
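The coloured-graph idea above can be run as the classic interactive commit-and-open protocol for graph colouring. This is an added example, not code from the article or from DARPA's work: the sample graph, the secret colouring, the salted SHA-256 commitments and all function names are assumptions chosen for illustration.

```python
import hashlib
import random
import secrets

# Constructed sample data: a public graph and the prover's secret colouring.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2)]
SECRET = {0: "green", 1: "red", 2: "yellow", 3: "green", 4: "red"}


def commit(colour, salt):
    """Salted SHA-256 commitment: hides the colour, binds the prover to it."""
    return hashlib.sha256(salt + colour.encode()).hexdigest()


def prover_commit(colouring, rng):
    """Shuffle the colour names, then commit to every point separately."""
    palette = sorted(set(colouring.values()))
    shuffled = palette[:]
    rng.shuffle(shuffled)
    relabel = dict(zip(palette, shuffled))
    # Fresh 16-byte salt per point so equal colours give unrelated digests.
    openings = {p: (relabel[c], secrets.token_bytes(16))
                for p, c in colouring.items()}
    commitments = {p: commit(c, s) for p, (c, s) in openings.items()}
    return commitments, openings


def verifier_check(commitments, edge, opened):
    """Accept if both openings match their commitments and the colours differ."""
    u, v = edge
    (cu, su), (cv, sv) = opened
    return (commit(cu, su) == commitments[u]
            and commit(cv, sv) == commitments[v]
            and cu != cv)


def run_protocol(colouring, edges, rounds, seed=None):
    """Return True only if the verifier accepts every round."""
    rng = random.Random(seed)  # demo only; a real verifier needs a CSPRNG
    for _ in range(rounds):
        commitments, openings = prover_commit(colouring, rng)
        u, v = edge = rng.choice(edges)  # verifier's challenge: one line
        if not verifier_check(commitments, edge, (openings[u], openings[v])):
            return False
    return True


if __name__ == "__main__":
    print(run_protocol(SECRET, EDGES, rounds=50))
```

Each round shows the verifier only two shuffled colours that differ, so the full colouring stays hidden. A prover whose colouring breaks at least one line is caught in any given round with probability at least one over the number of lines, which is why the rounds are repeated.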