David Wu Earns National Science Foundation Grant to Advance Zero-knowledge Proofs that will Build Trust in the Cloud

America has a trust problem. Pew Research reports that 79% of Americans are concerned about how companies use their data, 81% believe that privacy risks outweigh the benefits of cloud-based services, and half have decided to stop using a product or service because of privacy concerns.

The alarm is understandable when account logins are not 100% secure. Although a password is encrypted to prevent the password from being compromised during transmission, the digital key that unscrambles the password can be stored by a remote server, which leaves the account vulnerable to a hack.

What if there was a way to log in and prove ownership of an account without ever typing the password? This would be the ultimate level of privacy and security. And what if that method could be extended to protecting other data online, creating a guarantee that data would not be compromised?

David Wu, Anita Jones Career Enhancement Assistant Professor of Computer Science at the University of Virginia School of Engineering, has earned a prestigious National Science Foundation CAREER Award to advance mathematical models that could make such secure transactions possible.

David Wu, Anita Jones Career Enhancement Assistant Professor of Computer Science at UVA Engineering, earned a CAREER Award from the National Science Foundation.

Through the CAREER Award program, the National Science Foundation recognizes early-career faculty who have the potential to serve as academic role models in research and education and to lead advances in the mission of their departments or organizations.

The National Science Foundation has identified the importance of a secure and trustworthy cyberspace, and Wu is forging frontiers in novel methods that will build trust in the cloud, specifically using probabilistic assessments called zero-knowledge proofs. 

Zero-knowledge proofs were first theorized in the 1980s by researchers who asked if it was possible for a person to convince another person that a statement was true and yet hide everything else about the statement, other than the fact that it was true. Originally it was a purely theoretical question. Decades later it has evolved into a cryptographic technique with profound implications for privacy and security.

Imagine being able to prove you are over 18 without revealing an actual birthdate; or being able to prove you have a valid social security number without revealing the actual number; or being able to prove a sufficient balance to make a bank withdrawal without revealing any account details.

Zero-knowledge proofs make these types of transactions possible in the cloud.

Wu likens the proofs to algorithms, which are mathematical tools performing specific tasks. Zero-knowledge proofs perform the task of first verifying each party is telling the truth in a transaction and then protecting the underlying information by only using limited bits of data to conduct the transaction.

Some cryptocurrencies are in early-stage piloting of zero-knowledge proofs, embracing the power of privacy for transforming their cloud-based business model. Wu, who is focused on the bigger picture, sees the power of privacy for transforming the cloud itself.

“Cryptocurrencies are the tip of the iceberg for applications of zero-knowledge proofs,” he said. “By incorporating zero-knowledge proofs into security protocols, we can obtain much stronger assurances that computations outsourced to the cloud are performed correctly.”

With the National Science Foundation grant, Wu is creating these next-generation security protocols. His proofing system not only verifies trust between parties and protects the data, it provides a guarantee that the transaction itself was completed in a trustworthy manner.

“Right now we can protect the messages you send—the sequences of bits to your bank or email server—but, once the data gets there, the remote host can do whatever it wants with those bits,” Wu said. “Users are essentially having to rely on a service provider’s word that they are doing what we ask them to do. With zero-knowledge proofing systems, we can confirm a user’s data is secure even after being manipulated on a remote server.”

Zero-knowledge proofing systems are a desperately needed advancement in light of massive security failures that have eroded the public’s trust. For example, the Yahoo data breaches of the past decade led to half a billion user accounts being compromised.

Wu’s research contributes to an evolution in cryptography that goes beyond protecting data in transit to protecting data in computations. The paradigm shift was taking shape around 2011, just as Wu entered his graduate studies in computer science at Stanford University.

Cryptographic researchers had introduced a viable solution for conducting computations on encrypted data, something that until that point had been largely theoretical. Called fully homomorphic encryption, it allowed entities to process the ciphers, or algorithms used to encrypt data, rather than the data itself.

The breakthrough was a defining moment for Wu.

“These notions had been a 30-year open cryptology problem many thought impossible to solve. Suddenly it became possible to scramble the structure within data and still be able to compute and get useful insights from that data, all without compromising the security,” Wu said. “It seemed too good to be true.”

For the past decade Wu has been devoted to making the impossible a new standard for security through his cryptographic research. He joined UVA Engineering in 2019, after completing his doctoral research and earning a Ph.D. in computer science from Stanford in 2018.

Wu believes the advances from zero-knowledge proof research combined with academic-industry collaborations for universal standards are creating an inflection point that could lead to zero-knowledge proofs entering the mainstream in the next few years.

He envisions a future when there will be some sort of zero-knowledge proof certification that verifies in real-time that a transaction is being done securely and accurately. Although no one really knows what that will look like, the existing parallel is the now-routine lock symbol and “https” before a URL, indicating that transmitted data is secured by an established encryption protocol.

“Having a single indicator would be a generic way of approaching it,” Wu said. “These novel certifications may also be customized by providers for separate applications, offering checks of security with each step of a transaction.”

Whatever form the future certification takes, zero-knowledge proofs could turn the tide for so many Americans who are concerned about the safety of their data. Users would no longer have to rely on the word of millions of cloud-based service providers. Instead, they would be able to trust in a universal and established security protocol.

“David is pioneering novel cryptographic methods,” said Kevin Skadron, Harry Forsyth Douglas Professor of Computer Science and chair of UVA Engineering’s Department of Computer Science. “By protecting sensitive information with zero-knowledge proofs, his work will provide users with greater confidence and protection as we increasingly rely on the Internet for more and more services.” 

In pioneering modern cryptographic techniques, Wu also worked with companies like Facebook and Microsoft. He credits the industry experience with allowing him to share perspective on the critical role cryptology plays in securing our global, digital economy.

“As a theorist, my goal is to empower my students with a strong foundation in the fundamentals,” Wu said. “We can look to industry challenges to know why we care so much about these advances.”