Briefing

The research addresses the fundamental conflict between data utility and user privacy, specifically the challenge of exporting trusted facts from an encrypted Transport-Layer Security (TLS) channel without exposing the underlying data or browsing history. The foundational breakthrough is DiStefano, an efficient, maliciously-secure framework that integrates Two-Party Computation (2PC) directly into the TLS 1.3 handshake to secret-share session keys between the client and a designated verifier. This novel mechanism allows the client to generate private commitments over the encrypted web traffic, which can then be used to construct arbitrary zero-knowledge proofs over the committed data, ensuring data integrity and user privacy simultaneously. The most important implication is the creation of a trustless cryptographic primitive for compliant, privacy-preserving credentialing and data attestation, fundamentally enabling verifiable identity and facts derived from sensitive web interactions to be used on-chain or in regulated environments.

Context

Before this research, exporting trusted information, such as proof of age or accepted purchase details, from an authenticated and encrypted channel secured by TLS was non-trivial and often required compromising user privacy. Prevailing solutions, such as Designated-Commitment TLS (DCTLS) protocols, were often complex, lacked modularity for arbitrary claims, and introduced significant trust assumptions or performance overhead, forcing a difficult trade-off between data utility for third-party verification and the client’s fundamental right to browsing history privacy. This limitation constrained the development of decentralized identity systems that rely on real-world, verified credentials.

Analysis

DiStefano’s core mechanism re-architects the TLS 1.3 handshake into a three-party protocol involving the client, the server, and a designated verifier. The new primitive is a modified TLS handshake where the client and verifier use Two-Party Computation (2PC) to jointly compute and secret-share the cryptographic session keys. This ensures that, until the client has committed to the server’s response, neither the client nor the verifier possesses the complete key material, preserving confidentiality. The client then authenticates the server using a Zero-Knowledge Proof of Valid Signatures (ZKPVS) and commits the encrypted server response to the verifier.

By subsequently receiving the verifier’s key share, the client can decrypt the message and generate a zero-knowledge proof (ZKP) over a specific data point within the message (e.g. proving ‘age > 18’), which the verifier can confirm without ever seeing the full encrypted content or the client’s browsing history. This method fundamentally differs by moving the commitment and proof generation inside the encrypted channel flow, rather than attempting to prove facts after decryption.
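The commit-then-reveal ordering described above, as an added toy model that is not code from the DiStefano paper or its implementation. Assumptions: XOR key shares stand in for the 2PC handshake, a SHA-256 keystream with an HMAC tag stands in for the TLS 1.3 AEAD, the opening is checked in the clear where the protocol uses a zero-knowledge proof, and all names and the sample record are constructed.

```python
import hashlib, hmac, secrets

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def seal(key, data):
    # Toy stand-in for the TLS 1.3 AEAD: SHA-256 counter keystream + HMAC tag.
    blocks = (len(data) + 31) // 32
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in range(blocks))
    ct = xor(data, stream)
    return ct, hmac.new(key, ct, hashlib.sha256).digest()

def commit(client_share, ct, tag):
    # Fixed-length fields first, so the concatenation is unambiguous.
    return hashlib.sha256(client_share + tag + ct).digest()

class Verifier:
    def __init__(self):
        self.share = secrets.token_bytes(32)
        self.commitment = None

    def receive_commitment(self, digest):
        if self.commitment is not None:
            raise RuntimeError("only one commitment per session")
        self.commitment = digest

    def reveal_share(self):
        # The share is released only once the client is bound to the ciphertext.
        if self.commitment is None:
            raise RuntimeError("commit before key-share release")
        return self.share

    def check_opening(self, client_share, ct, tag):
        # Checked in the clear here; the protocol proves this in zero knowledge.
        key = xor(client_share, self.share)
        bound = hmac.compare_digest(commit(client_share, ct, tag), self.commitment)
        authentic = hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag)
        return bound and authentic

def run_session(record=b'{"age": 34}', forged=None):
    verifier, client_share = Verifier(), secrets.token_bytes(32)
    server_key = xor(client_share, verifier.share)    # stand-in for the 2PC handshake output
    ct, tag = seal(server_key, record)                # server response (constructed sample)
    verifier.receive_commitment(commit(client_share, ct, tag))
    key = xor(client_share, verifier.reveal_share())  # client now holds the full key
    plaintext = seal(key, ct)[0]                      # XOR keystream is its own inverse
    if forged is not None:                            # record re-sealed after the reveal
        ct, tag = seal(key, forged)
    return plaintext, verifier.check_opening(client_share, ct, tag)
```

A record sealed after the share is released carries a valid tag under the full key, yet the verifier rejects it because it does not match the commitment made before the release.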

Parameters

  • Online Phase Execution Time → < 1 s (less than one second). This is the time required for the client and verifier to execute the complete online phase of the protocol, demonstrating practicality for real-time web use.
  • Online Phase Communication Overhead → ≤ 80 KiB (kibibytes). This is the maximum data transfer required for the client and verifier to complete the online phase, indicating a low bandwidth cost.
  • Underlying Cryptographic Primitive → Two-Party Computation (2PC). This technique is used to secret-share the TLS session keys between the client and the verifier, ensuring no single party has the complete decryption key.

Outlook

This framework opens a new avenue for decentralized identity and regulatory compliance by providing a mechanism to bridge trusted off-chain data sources with on-chain verifiable computation. Future research will focus on optimizing the generation of the final zero-knowledge proofs over the committed data, potentially enabling non-interactive, succinct proofs of arbitrary data structures like JSON. In the next 3-5 years, this primitive could be integrated into decentralized identity systems and zero-knowledge rollups, allowing users to privately attest to real-world financial or legal status for on-chain interactions, effectively creating a “private oracle” for web data.

Verdict

DiStefano provides the foundational cryptographic primitive required to securely bridge the private web with verifiable decentralized systems, resolving the core conflict between data utility and user privacy.

private commitments, verifiable claims, encrypted data, zero-knowledge proof, TLS 1.3, two-party computation, designated verifier, client privacy, session keys, web traffic, decentralized infrastructure, cryptographic protocol, ring signature, data integrity, secure authentication

Signal Acquired from → ndss-symposium.org