Skip to main content

BSI Standards Under Development

Please be advised that a New Work Item Proposal has been loaded to the BSI Standards Development Portal for comment. We hope this will assist in increasing awareness of the Standards Development Portfolio.

Any comments received will be submitted to IST/033 Information security, cybersecurity and privacy protection, for consideration when deciding the UK response to ISO.

Proposal: ISO/IEC JTC 1/SC 27 N 22084, ISO/IEC NP 27565 Guidelines on privacy preservation based on zero knowledge proofs.

Please visit http://standardsdevelopment.bsigroup.com/projects/9021-06428
Comment period end date: 10/01/2022

Scope

This document provides guidelines on using zero knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing the information shared. It will include several ZKP functional requirements relevant to a range of different business use cases, then describes how different ZKP models can be used to meet those functional requirements securely.

Purpose

There are many standards on authentication. ZKP can be used for authentication but also for many other functions, and ZKP can help other forms of authentication be more effective.

The purpose of this proposal is to provide guidance to organisations and communities on how to use ZKP to reduce or avoid risks associated with many types of information sharing and data validation, by not sharing or exposing personal data at all.

The justification involves the avoidance or prevention of many risks.

Data theft and data manipulation. Most business use cases are required to satisfy regulatory requirements, such as those on anti-money laundering, fraud detection, fraud prevention and counter terrorist financing, which involves the checking of many kinds of data before, during and after transactions. Organisations and users require to prove to each other that they are who they claim to be using digital authentication before they validate claimed data to ensure its accuracy within a given timeframe. Currently, the sharing of personal data to be validated exposes the data to major risks in the communication channel, enabling significant criminal attacks and major financial losses. ZKP avoids most channel risks associated with data validation.

AML (anti-money laundering) and countering terrorist financing rules require the collection, processing and use of personal data as part of Customer due diligence (KYC). Fraud detections require transaction monitoring, behavioural monitoring, internal data sharing (including within a group), external data sharing (including with regulators and other financial institutions), data sharing for outsourced arrangements; and cross-border processing of data (especially for international payments). Using ZKP encourages relying party organisations to validate claimed data against authoritative sources, which significantly reduces the attack surface overall, and reduces the risks and costs of personal data proliferation

This focus on authoritative data leads to an increase in data quality across communities of trust, with a reduction in costs and time, and an improvement in service delivery to customers and relying parties in governments and industries.

This significantly improves trust between organisations, particularly in the handling of sensitive data, which encourages additional organisations to participate, who currently don’t participate.

By tying to authoritative sources which have strong access control and consent management, so persons can be more confident that their personal data is protected and controlled, particularly with regard to the principles of: Lawfulness, fairness and transparency; Purpose limitation; Data minimisation; Accuracy; Storage limitation; Integrity and confidentiality (security); and, Accountability. Using ZKP also reduces that validation of calculated attributes, as in the case of AgeVerification.

There is a global verified market need for risk reduction tools like ZKP. This document is applicable to all kinds of external, collaborative and internal digital and data-centric activities across organisations including government, regulators, non-government institutions, industry users, industry service and product providers in as well as supply chains, cross-border payments, travel, coalition operations and counter-fraud communities.

The initial value would be to make major inroads into the criminal economy, which is currently  the third largest economy in the world after US and China. Using ZKP and related tools could save US$ trillions/year.

If you have any comment or need more information, please contact Sami Ortiz at sami.ortiz@mta.org.uk