DEV Community

Cover image for NuID: Trustless Authentication Using Zero-Knowledge Proofs on the Blockchain
Rafik Naccache
Rafik Naccache

Posted on

NuID: Trustless Authentication Using Zero-Knowledge Proofs on the Blockchain

The Cover Image is taken from the NuID Website

A while back, I got contacted by Locke Brown, the CEO of NuID Inc (read: New ID as in new identity management). He explained to me how his startup aspires to revolutionize the way we deal with identity and passwords in the world wild webs (pun intended). The promise of NuID is that they'd free us from the breaches leaking our passwords and the internet super-powers eavesdropping on us, by implementing a "Trustless Identity" solution on the Ethereum Blockchain Technology.

They spotted I once starred an authentication library in Clojure, so they thought I would be interested in giving their API a try. Needless to say, this is a compelling story to a nowhere man like myself, with a refreshing mixture of Clojure, Blockchain, Distributed Shared-Nothing authentication mechanism, so I gave it a very light test drive. I thought you might be interested in my discoveries so here we go!

I wrote this post on my very own initiative, I am not endorsing this company nor any of their products.

The Problem in Central Identity Management

So what's wrong in Centrally Managed Identity? To prove you are who you are pretending to be, online services rely on "Identity and Authentication Providers": These are services that store your identity along with your presumably secret access token. Whenever you log to apps using their credentials, or your handle at Facebook, Google, Github, Whatever... You first authenticate yourself with a central authenticating tier to prove your identity.

The problem lies in the very reliance on this central authority. You are "trusting" some internet being with your secret tokens - but you might be telling this "trustee" how you unlock other private stuff as well...Let's be honest, we pretty much use the same password for the twenty-something websites and email providers we access every day!

And even if this authentication store is no maleficient, it might not be protected against security breaches, and your precious identity can be leaked (check the Firefox Monitor to see if your handles have been leaked).

Zero-knowledge proof: The solution

So NuID suggests keeping your secrets well...secret. With their authentication mechanism, Called the "Zero-Knowledge Proof(ZKP)," No single central authority requires you to trust them with your access tokens. Instead, NuID uses ZKP to cryptographically derive from someone's secret a set of non-sensitive public tokens. It's not possible to tell the original password only knowing these tokens, yet they can be used to prove the knowledge of this very secret.

These public tokens will be immutably stored on the Blockchain (I think I've read Ethereum's Rinkeby somewhere...), so there will be no single central point in the architecture, nor it will be possible to mess around with those tokens. I think this excerpt from the Solution document describes it best:

The NuID protocol immutably stores public reference parameters on a blockchain, so that they can be shared but not tampered with. A blockchain provides a trustless infrastructure with no central point of failure.

Combining these technologies allows users to own and manage their authentication credentials while enabling companies to authenticate without storing and protecting sensitive information.

Developer Relations

The solution evolves mainly around API, and as such, their primary customers will be developers. So how appealing do they look to them?

First of all, I must confess I really appreciated the way they found me and personally reached out to me. I think they care about building their community and are carefully picking up potential testers, which is a positive signal I for one was able to read from them.

They also built a developer portal, which lets you test-drive their platform. It comes with fairly comprehensive documentation, and you should write your first authentication queries with no issues. Here's what's working with NuID tastes like (Using Curl, but you can use any of their client libs)

curl \
  -H 'X-API-Key: my-api-key' \
  https://auth.nuid.io/credential/gtgndTplbGxpcHRpYy5jdXJ2ZS9wb2ludHgsQStZelIvajZqdUxBS0pOWGJGaGw4UXczaXcrQ2ViWVJwa0RsN1hPQ2hETHM\=
Enter fullscreen mode Exit fullscreen mode

And the result is:

{
  "pub": {
    "point": "A+YzR/j6juLAKJNXbFhl8Qw3iw+CebYRpkDl7XOChDLs",
    "curve": {
      "id": "secp256k1"
    }
  },
  "keyfn": {
    "id": "scrypt",
    "normalization-form": "NFKC",
    "salt": "TgbyOFik/5YxUl+TzufPnDoL6XZVgEq0f8cNr6qd9KY=",
    "key-length": 32,
    "n": 8192,
    "r": 8,
    "p": 1
  },
  "addresses": [
    {
      "transaction-id": "0x17da3d71783be5b509abd713e983ddc1fd3698d39bc02feeae782d67ba12772a",
      "network": "rinkeby"
    }
  ]
}
Enter fullscreen mode Exit fullscreen mode

The code of the platform can be found on Github. This is done in Clojure, and in This talk the CTO explains their use of Clojure along with Datomic.

Further Reading

Top comments (0)