Efficient KYC without spilling your guts

Are you looking for a quick and reliable way to find new trading partners and assess their reputation? Our platform includes a real-time KYC module to streamline the process, but we also built a fast and objective solution for confirming the reputation of our users before you go into a KYC process. Most e-commerce platforms rely on third-party reviews and we needed a less biased approach. Trading performance is the ideal reference, but these records are closely guarded in commodity trade. So we developed a feature that allows you to verify performance without ever having to share sensitive information. We enable you to start trading with confidence on Vosbor today.

This article gives insight into how the Vosbor track record verification works and how this will not give away any information on the actual volumes traded. More fundamentally we will explore the mechanics of Zero Knowledge Range proofs, based on our commit and proof logic. ​

So what is Zero Knowledge proof? And why do we call it Zero Knowledge?

​ Any Zero knowledge proof must satisfy the following three important properties: Completeness, Soundness, and Zero-knowledge. ​

  1. Completeness; if the statement is true, an honest verifier will be convinced by an honest prover.
  2. Soundness; if the statement is false, no dishonest prover can convince an honest verifier.
  3. Zero-knowledge; if the statement is true, no dishonest verifier learns anything other then the fact that the statement is true.

​ Vosbor has created an implementation of ZKP Range proofs, which is based on the established “Commit & Prove” zero knowledge framework. This zero knowledge framework supports all of the required properties and can scale to support further proof extensions in the future.

As the name suggests we are building range proofs which means that we are proving that some discrete rounded volume v ∈ [a .. n] where, a is the lower bound of the range, a volume that meets v ≥ a. A proof that tells us that some trader on the Vosbor platform is claiming to have done at least a metric tonnes in total, or in some specific product type. The upper boundary n is set to some extreme high value well beyond the maximum allowed claim. All numbers v, a and n are natural numbers.

On the Vosbor platform, traders can request track records from another trader for some discrete volume levels. Namely; 50,000mt, 100,000mt, 500,000mt, 1,000,000mt, 5,000,000mt or 10,000,000mt. Only actually traded volumes on Vosbor can be used in the proof.

Proofs are signed by Vosbor, to attest that they are based on the trade information that Vosbor recognizes.

Traders can make their Vosbor track record requests to other traders, but the trader receiving these requests can choose to accept or ignore. All requests are made against the aggregated volumes of a company, on the Vosbor platform, represented by the trader.

So, already we can see a few important characteristics.

  • The receiver controls the flow and does not need to motivate his/her decision to accept or ignore the inbound request. If a counterparty is fishing you can simply ignore the request and as you can see all track record requests made to your company, you can detect any fishing attempts
  • Only a few distinct volumes can be tested; traders are not served squeezed ranges that could disclose (or come close to) the secret traded volume.
  • A signature from Vosbor on the proof, will attest that the proof was generated on the Vosbor platform where it used real observed traded volumes for the counterparty that was mentioned in the proof.

The “Commit & Prove” zero knowledge framework is based on a cryptographic commitment which is represented by a set of algorithms that, intuitively, permit putting private data inside a protected environment, in order to avoid data leakage. The system is organized in such a way that it is impossible to modify this private data in a later stage.

The commitments produced are based on an algorithm that generates a fixed length secret representation that is further hidden by a random value (blinding factor). This will hide the volume of interest.

Commitments that Vosbor creates also have homomorphic features, which means that we can perform simple arithmetic operations on these commitments without a need to see the real volumes. Aggregation is performed on these encrypted values.

After the commitments have been calculated it is necessary to bind these volume commitments to companies and products for a given day or version within that day. To effectively bind the information Vosbor is generating an unique Merkle tree with all the volumes for all the users on the platform and for all the products traded.

A Merkle tree is a binary tree data structure (Diagram A) where the commitments are stored in the leaflets of the data structure. This is a simple representation of just two companies (x and y) and only four product types (corn, soybeans, wheat and barley).

MerkeTree

Diagram A; example Merkle tree with volume commitments

For all nodes at each level in this structure, other than the leaf-level, the homomorphic sum and a hash value are calculated binding the two child-nodes with their intrinsic information in one unique hash value. This process repeats itself until the mother of all nodes is reached (Merkle tree root) where all the information comes together in one top level hash value.

The unique feature of a Merkle tree is that a slightest change in any of the values will immediately produce a different Merkle tree root (R). We now have linked all the commitments in a single representative but opaque value at the top.

The total volumes for companies x and y are calculated as the homomorphic sums P and Q where P = A + B + C + D and Q = G + H + I + J.

Every day company x or y could add new trades and therefore end up having a higher traded volume for some of the product types and in total. But as the traded volume only grows, even older proofs remain valid.

Each version of the Merkle tree, represented by the Merkle tree root, is stored on an immutable ledger. So now, once the Merkle tree root is stored all the information it represents is really committed and cannot be changed.

With all commitments securely mounted in a Merkle Tree, a zero knowledge range proof can be constructed using the commitment of some hidden value. For instance suppose we want to test that the volume represented by commitment P (the total volume commitment of company x) is at least 100,000mt. The upper range is assumed to be 9,223,372,036,854,775,807mt, if our volume v[P] is somewhere between these values we would be able to formulate a proof.

The algorithm that Vosbor uses to produce a proof is the so-called Bulletproof algorithm. An algorithm that is both secure and non-interactive. A feature made possible through a discrete logarithm problem and the Fiat-Shamir heuristic. A discrete logarithm problem makes the proof secure and is best explained as a kind of one-way computation which makes it totally infeasible to compute an input given only the output. The Fiat-Shamir heuristic produces a digital signature based on an interactive proof. It establishes that the proof becomes non-interactive (you do not need multiple iterations to ‘statistically’ prove a statement).

The details of this mathematical operation are too complex to fit this blog, so we present it as a black-box operation (Diagram B) that gives a way the input and the output.

Proof

Diagram B; simplified blackbox to generate a proof

The volume is given as a commitment P. Which is a mathematically hidden volume v, the total volume commitment for company x. The range is clearly visible and provides the lower bound a (the at-least-traded total volume that we want to proof) and b some extreme high value (theoretical maximum possible traded volume).

After running the “Vosbor Proof generator” with these inputs, it will produce two new commitments and the proof. The two commitments will bind the lower- and upper bounds relative to the volume commitment. The proof itself is given as a binary blob and together with the volume commitment and the two commitments that bind the volume commitment to the range boundaries is enough to verify the proof and learn that it is either valid (TRUE) or invalid (FALSE) as illustrated by the following blackbox verifier (Diagram C).

Verify

Diagram C; simplified blackbox to verify proof

To audit this “Commit & Prove” zero knowledge framework you must prove a few things. The first check is that the homomorphic sum of all commitments for company x (A, B, C, D) is equal to the total volume commitment for company x (P). And that all (A, B, C, D, P) have a path to the Merkle tree root (R) for the version that was used to build the proof. This root can be observed in a smart-contract on an immutable ledger.

And that’s it. In this post I have demonstrated with a few small examples how volumes are hidden and bound in a Merkle tree. Where the root of this Merkle tree is saved in an immutable ledger which prevents that someone (even Vosbor) can claim that there was a different volume stored than the one used in the proof generation. Many mathematical steps are not explained here, but still it should be clear that calculations are done using homomorphic operations, where the values (volumes) remain hidden. Which makes this a Zero Knowledge proof of volumes traded on the Vosbor platform. Bringing an unique alternative to find potentially interesting counterparties on Vosbor, which in turn saves precious time of traders and compliance departments that would otherwise be spent on KYC in vain.

Read more articles