ISO/IEC 27565

ISO/IEC 27565 — Information technology, cybersecurity and privacy protection — Guidelines on privacy preservation based on zero knowledge proofs [DRAFT]

 

Abstract

“[ISO/IEC 27565] provides guidelines on using zero knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing the information shared. It will include several ZKP functional requirements relevant to a range of different business use cases, then describes how different ZKP models can be used to meet those functional requirements securely.”
[Source: ISO/IEC JTC 1/SC 27 SD11 July 2024]

 

Introduction

Zero knowledge proofs (ZKPs) are mathematical techniques (families of cryptographic protocols) that allow one party (the prover) to prove to another party (the verifier) that they are in possession of a secret, without actually disclosing the secret to the verifier or to any trusted third party. The secret might be a credential used for authentication (such as a password, a biometric or personally identifiable information), a cryptographic key, digital currency or some other piece of sensitive or valuable information which must remain confidential during the verification process.

The process involves the prover convincing the verifier whether the verifier’s statements or assertions concerning the secret (e.g. “The person is older than 18 years”) are true or false, without revealing any additional information (such as the person’s actual date of birth). At the same time, the process substantially prevents malicious interference such as replay attacks (e.g. re-presenting a previous age-verification exchange that applied to a different person) and collusion between the parties.
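The prover/verifier interaction described above, as an added example that is not part of this page or of the standard: a Schnorr-style sigma protocol for proving knowledge of a discrete logarithm, the simplest textbook ZKP, with deliberately tiny toy group parameters (constructed here; real deployments use standardised groups of roughly 256-bit order). It shows the three-message flow in which the secret x is never transmitted, why a transcript recorded from an earlier session fails against a fresh verifier challenge (the replay point above), and a simulator that produces an accepting transcript without knowing the secret, which is what “zero knowledge” means in practice: the verifier learns nothing it could not have generated itself. The age-over-18 use case in the text additionally needs a range proof over a signed credential, which this example does not implement; all function names are the example’s own.

```python
import secrets

# Toy group parameters, constructed for this example: p = 2q + 1 with p and q prime,
# and g = 4 generates the subgroup of prime order q.  Far too small to be secure;
# they only make the arithmetic readable.
P = 2039
Q = 1019
G = 4
assert pow(G, Q, P) == 1 and G != 1  # sanity check: G really has order Q


def keygen():
    """Prover's secret x and the public value y = g^x mod p it will prove knowledge of."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prover_commit():
    """Round 1: prover picks a fresh one-time nonce r and sends t = g^r mod p."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def verifier_challenge():
    """Round 2: verifier picks a fresh random challenge c (this is the anti-replay step)."""
    return secrets.randbelow(Q)


def prover_respond(x, r, c):
    """Round 3: prover answers s = r + c*x mod q.  x itself is never sent; r masks it."""
    return (r + c * x) % Q


def verify(y, t, c, s):
    """Verifier accepts iff g^s == t * y^c mod p.  Only public values are needed."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def run_protocol(x, y, challenge=None):
    """One full interactive run.  Returns (accepted, transcript)."""
    r, t = prover_commit()
    c = verifier_challenge() if challenge is None else challenge
    s = prover_respond(x, r, c)
    return verify(y, t, c, s), (t, c, s)


def simulate_transcript(y, c=None):
    """Zero-knowledge argument: anyone can build an accepting transcript WITHOUT x by
    choosing s first and solving for t = g^s * y^(-c) mod p.  Because simulated and
    real transcripts have the same distribution, a transcript reveals nothing about x."""
    c = verifier_challenge() if c is None else c
    s = secrets.randbelow(Q)
    y_inv_c = pow(pow(y, c, P), -1, P)  # modular inverse (Python 3.8+)
    t = (pow(G, s, P) * y_inv_c) % P
    return t, c, s


def replay_is_rejected(y, old_transcript, fresh_challenge):
    """Replay check: an eavesdropper re-sends (t, s) captured from an earlier session,
    but the verifier issues a new challenge.  The old s only satisfies the old c, so
    the verifier must reject whenever fresh_challenge != old c."""
    t, old_c, s = old_transcript
    return fresh_challenge != old_c and not verify(y, t, fresh_challenge, s)


if __name__ == "__main__":
    x, y = keygen()
    ok, transcript = run_protocol(x, y)
    print("honest prover accepted:", ok)
    print("simulated transcript accepted:", verify(y, *simulate_transcript(y)))
    print("replayed transcript rejected:", replay_is_rejected(y, transcript, (transcript[1] + 1) % Q))
```

Two design points matter for a reviewer: the verifier’s challenge must be unpredictable and fresh per session (a fixed or guessable challenge lets the simulator’s trick be used by a cheating prover), and the prover’s nonce r must never be reused with a different challenge, since two responses sharing r leak x directly from the two equations for s.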

 

Scope of the standard

This standard principally concerns the use of ZKP for privacy protection (e.g. checking the claimed identity or age of a person known to an authority, without the authority disclosing that personal information), although other use cases are noted (e.g. digital wallets).

 

Content of the standard

Main sections:

  1. Introduction to ZKPs
  2. Use cases of ZKPs
  3. Privacy preservation using ZKPs
  4. Functional use cases
  5. Business use examples

plus 5 appendices.

 

Status

The standard development project commenced in 2021.

Status update (October): the standard is now at Draft International Standard (DIS) stage with an amended title, and looks likely to be published in 2025.

 

Personal comments

Some 32 specialist terms are defined, a clue as to the complexity of ZKP.

ZKP is an evolving technique.

 


Copyright © 2024 IsecT Ltd.