Every online user now lives with the reality that their information may sit in one of the massive dark-web databases of personally identifiable information (PII) covering more than a billion people. The problem of PII leaks continues to grow at an increasing rate. While much attention goes to how a given leak occurred and how the servers failed to protect the data, one of the main drivers of these leaks is that services collect information without the users' consent in order to monetize it. A growing ecosystem of businesses mines personal data on the internet for large profits.
The current PII flow, in which users are routinely asked to submit various pieces of PII to the server, makes the problem worse. Often much of that PII is not actually needed, yet it accumulates and eventually leaks. In addition, web development still lacks effective engineering methods and tools for mitigating PII leaks. We believe a new way of thinking and a new approach are needed to arrive at a solution that works.
Vision and Opportunity
The vision of OZKi started with the idea of building a highly effective privacy-protecting software component for traditional web services. To this end, we believe that a breakthrough technology called Verifiable Computation, more popularly known as Zero Knowledge Proof (ZKP), can be used to realize that goal. The challenge is that, while ZKP has been used widely in the blockchain world, it has not been widely adopted in the Web2 world. We have not seen any ZKP-based developer tool for building general-purpose privacy-protecting modules for traditional Web2 applications. In addition, most Web2 applications do not use a blockchain, which in general keeps ZKP knowledge and expertise rare among web developers. There is therefore a shortage of good developer tools to combat PII leaks and a lack of ZKP exposure among mainstream developers, and therein lies the opportunity for OZKi.
OZKi (Open Zero Knowledge Integration) is a zk-SNARK-based proving framework designed to help web application developers implement privacy-protecting features with minimal effort. A zk-SNARK is a cryptographic zero-knowledge proof that allows a user (the prover) to prove possession of a certain piece of information without revealing that information.
OZKi has two main components, the OZKi Toolkit and the OZKi Oracle service, which together provide a secure end-to-end proving system. OZKi is based on Zero Knowledge Proof (ZKP), which is used primarily in blockchain and Web3 ecosystems. However, OZKi is specifically designed to help Web2 developers implement privacy-protecting software components with minimal effort and without requiring a blockchain.
In addition to lowering the bar to accessing ZKP technologies, the OZKi framework brings in real-world external data through the oracle, securely protects the input to the proving function, and mitigates proof replay attacks. The OZKi toolkit defines the ProofGenerator and ProofVerifier TypeScript classes, which web application developers can use to generate a zk-SNARK proof on the client (running in a browser or in Node.js) and to verify the proof on the server side.
OZKi enables the concept of an ID-less server design, in which the traditional sign-in process is replaced with proof-based authorization flows so that the server neither uses nor stores any PII on its end. The OZKi BOT demo app shows how to implement proof-based authorization flows such as Proof-of-Payment with PayPal and Proof-of-Login with Google. With the Proof-of-Payment flow, the server can reliably verify whether the user is a paying customer without learning anything about the user. With the Proof-of-Login flow, the server can determine whether the user's login email belongs to a certain domain without learning the email address itself. In both scenarios, the user's PII is never sent to the server and is thus completely protected.
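The server-side half of a proof-based login flow involves more than the zk-SNARK check itself: the verifier must also confirm that the proof's public inputs are the ones it expects and that a captured proof cannot be resubmitted. The following TypeScript is an added illustration of that policy layer and is not OZKi's ProofVerifier or any part of the project's code; the class name, the shape of the public signals and the domain "example.com" are constructed, and the cryptographic verification is injected as an external function rather than implemented here.

```typescript
import { randomBytes } from "crypto";

// Public values the circuit exposes. Real circuits export field elements;
// decoding them into these two fields is circuit-specific and assumed here.
type PublicSignals = { domain: string; nonce: string };
type Proof = { publicSignals: PublicSignals; blob: string }; // blob: opaque proof data

// The cryptographic zk-SNARK check (for example a Groth16 verify call bound to the
// circuit's verification key) is injected so the policy logic can be tested alone.
type SnarkVerifier = (proof: Proof) => boolean;

type Verdict = { ok: boolean; reason: string };

class ProofOfLoginVerifier {
  // Outstanding nonces the server issued, mapped to their expiry time (ms).
  private issued = new Map<string, number>();

  constructor(
    private readonly allowedDomain: string,
    private readonly verifySnark: SnarkVerifier,
    private readonly ttlMs = 60_000,
  ) {}

  // Each login attempt gets a fresh nonce; the prover must include it as a
  // public input so the resulting proof is bound to this single request.
  issueNonce(now: number): string {
    const nonce = randomBytes(16).toString("hex");
    this.issued.set(nonce, now + this.ttlMs);
    return nonce;
  }

  verify(proof: Proof, now: number): Verdict {
    const { domain, nonce } = proof.publicSignals;
    const expiry = this.issued.get(nonce);
    if (expiry === undefined) return { ok: false, reason: "unknown or already used nonce" };
    // Consume the nonce on first sight so a captured proof cannot be replayed,
    // whether or not the remaining checks pass.
    this.issued.delete(nonce);
    if (now > expiry) return { ok: false, reason: "nonce expired" };
    // The proof only shows the hidden email ends in the public domain; the server
    // must still check that this domain is the one it actually accepts.
    if (domain !== this.allowedDomain) return { ok: false, reason: "domain not allowed" };
    if (!this.verifySnark(proof)) return { ok: false, reason: "invalid proof" };
    // No email, name or account id was ever received: the server stays ID-less.
    return { ok: true, reason: "" };
  }
}
```

The nonce is consumed before the proof is checked, so a second submission of the same proof fails on the nonce lookup without ever reaching the expensive cryptographic verification.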
Q: Who are the users of OZKi?
A: Web application developers
Q: What problem does OZKi solve?
A: The PII leak problem. OZKi solves it by enabling a proof-based flow in which the user sends the server a proof rather than the PII itself. The proof conveys only whether the PII meets certain requirements or constraints set by the server.
Q: What are the use cases for OZKi?
A: OZKi can be used to implement a variety of proof-based authorization flows. Because OZKi's proving system is general purpose, developers can use it to implement other proof flows of their own.
The OZKi team would like to earnestly acknowledge the invaluable guidance and feedback given by Dr. Sekhar Sarukai and Ryan Liu. The team would also like to acknowledge and extend our heartfelt thanks to our fellow MICS Students and the MICS Faculty.