What’s Waldo Got To Do With Your Password?
We live in a 1980s viewpoint of our digital world. We must prove that we know our password, so we blindly send it. It is then checked against a scrambled version of it (normally a hashed version), which can be easily reversed if someone manages to get access to that scrambled version.

We must prove we are over 18, so we send our date of birth. Straight away we are giving away something which could be used against us, and we have leaked a bit more of our life to someone who might use it for reasons we have not consented to (such as hacking our bank account!).

But why? Because programmers have created a world where we must show the original value, again and again. Why can't we get some trusted person to prove our age, and why can't we just prove that we still know our password? This is the world of zero-knowledge proofs (ZKPs), and our digital world must move towards it. My ID should be my own: Facebook would not actually know my ID, but could only link me to the ID that it holds.

And so we should all know of the Ali Baba zero-knowledge proof explanation, where Peggy (the Prover) goes into a cave and must show Victor (the Verifier) that she knows the secret password which opens up the passageway. If Victor repeatedly asks Peggy to come out by a certain exit route, she will always be able to do it. Each time she appears from the correct exit, she increasingly proves to Victor that she knows the secret.

But this paper provides another fun analogy [here]:

So let's start the game. Victor has created a Where's Waldo scene, and asks Peggy to show him that she knows where Waldo is, without revealing his location:

First Peggy takes a piece of cardboard which is larger than the Where's Waldo scene. She then cuts a Waldo-sized hole in the cardboard, so that only Waldo will be seen through it. All she then has to do is pass the cardboard cut-out over to Victor. It won't give away where Waldo is in the scene.

So let's say we were searching for the ticket inspector. Peggy would find them, cut out the area around them, and pass it to Victor. For this she cuts out the cardboard with:

This is not quite a zero-knowledge proof, as Victor already knows something (where Waldo is) and Peggy has to prove that she also knows it. This could be used where we hold a login ID for Peggy, and she must prove that she still knows her login ID.

In a pure zero-knowledge proof, Peggy would register a secret without revealing it. Victor will never know what the secret is, but Peggy can still show that she knows it.

The other problem with the Where's Waldo example is that Victor must challenge Peggy each time to prove that she can find Waldo: they interact. A better example would be one where Peggy can send Victor the location of Waldo for any number of pictures, without Victor having to challenge her on each picture. This is non-interactive, and is where Peggy can continually prove she knows something without Victor ever challenging her.
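The cave protocol from earlier, and the point just made about interaction, as an added Python simulation (not code from the original post): an honest Peggy passes every challenge, while a prover who does not know the word can only leave by the path she entered, so she passes each round with probability 1/2 and Victor's confidence grows as 1 - 2^-n. The secret word, the path names and the trial counts are constructed for the example.

```python
import random
import secrets

# Constructed simulation of the Ali Baba cave: a secret word opens the door
# that joins path A and path B at the back of the cave. SECRET_WORD is a
# made-up value for the example; none of this is the original post's code.
SECRET_WORD = "open-sesame"

def door_opens(spoken_word):
    """The cave itself checks the word; Victor never sees it."""
    return secrets.compare_digest(spoken_word, SECRET_WORD)

def honest_peggy(entered, requested):
    # Peggy knows the word, so she can always leave by the exit Victor asks
    # for: either she is already on that path, or she opens the door.
    return entered == requested or door_opens(SECRET_WORD)

def cheating_peggy(entered, requested):
    # Without the word, a prover can only leave by the path she entered.
    return entered == requested or door_opens("wrong-guess")

def run_protocol(prover, rounds, rng):
    """One interactive run: Victor challenges Peggy `rounds` times."""
    for _ in range(rounds):
        entered = rng.choice("AB")    # Peggy picks a path while Victor waits outside
        requested = rng.choice("AB")  # Victor then calls out the exit he wants
        if not prover(entered, requested):
            return False              # Peggy emerged from the wrong exit
    return True

def cheat_success_bound(rounds):
    """Chance a prover without the word passes every round: halves each round."""
    return 0.5 ** rounds

def pass_rate(prover, rounds, trials, seed=1):
    """Fraction of independent runs the prover passes (seeded, so repeatable)."""
    rng = random.Random(seed)
    passed = sum(run_protocol(prover, rounds, rng) for _ in range(trials))
    return passed / trials

if __name__ == "__main__":
    print("honest Peggy, 20 rounds:", pass_rate(honest_peggy, 20, 100))
    print("cheater bound, 20 rounds:", cheat_success_bound(20))
    print("cheater measured, 3 rounds:", pass_rate(cheating_peggy, 3, 4000))
```

Raising `rounds` is the only lever Victor has in the interactive version: every extra round halves what a cheater can get away with, which is exactly the repeated challenge the non-interactive form aims to remove.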

If you are interested, here’s more information on ZKP:

In our world of data breaches, we really need to stop storing passwords on sites.