Galois recently completed its work on DARPA’s Securing Information for Encrypted Verification and Evaluation (SIEVE) program, which sought to “advance the state of the art in Zero Knowledge Proofs (ZKPs) to enable complex, DoD-relevant applications.”
Over the course of working on SIEVE, our research pushed ZKP performance forward significantly, making the task—once considered far too slow and unwieldy for practical applications—faster, more efficient, and immediately useful.
“We’ve had orders of magnitude improvements in performance since the beginning of this program,” said Galois Research Engineer James Parker. “As an example, proving vulnerabilities in GRIT in ZK took 17 minutes in October, 2020. By March, 2024, we could do that same task in just 1 minute and 33 seconds.”
Benchmark Changes Over Time
OpenSSL | April 2022: 2 days, 23 hours | March 2024: 7 hours 45 minutes |
FFMPEG | April 2021: 1 hour, 47 minutes | March 2024: 10 minutes 29 seconds |
GRIT | October 2020: 17 minutes | March 2024: 1 minute 33 seconds |
Even as our engineers were making ZKP technologies and methods faster, Galois pioneered several new applications with far reaching impact for proving vulnerabilities while maintaining privacy and security in both software and hardware, as well as in ongoing efforts to protect private data.
“When we started working on SIEVE, Zero Knowledge Proofs were unable to do much that was actually useful,” said Galois Principal Scientist David Archer. “By the end of the project we were using ZKPs to do some very useful things.”
Proving Software Vulnerabilities in Zero Knowledge
Cheesecloth, a cryptographic tool developed by Galois as part of the SIEVE program, provides a groundbreaking method for proving software vulnerabilities without exposing sensitive details. It works by compiling C, C++, and Rust programs into zero-knowledge statements or circuits, verifying the execution of the program and proving that vulnerabilities exist while concealing the exact what and where. This empowers analysts who find software vulnerabilities to pressure companies to patch problems and protect users, without needing to resort to publicly disclosing flaws and thus risking bad actors taking advantage.
Capable of detecting issues ranging from memory errors to potential DOS attacks, Cheesecloth’s practical efficacy has been tested and validated with known bugs like FFmpeg’s out-of-bounds memory error and the Heartbleed bug in OpenSSL. Accomplishing these tasks not only effectively, but efficiently, is made possible only through an innovative use of symbolic execution, condensing program behavior into symbols instead of concrete values to dramatically reduce the time and processing power needed. This tool represents a significant advancement not only for ZK capabilities but in digital security more broadly, allowing for the safe disclosure and remediation of vulnerabilities, and potentially transforming how software threats are managed in critical environments.
Securely Verifying Correctness in Hardware Design
In many industries, keeping proprietary hardware designs secure and secret is extremely important for companies to retain their competitive advantage. Yet proving that a product meets performance, safety, or other requirements without revealing sensitive information often proves difficult.
Collaborating with General Electric (GE), Galois demonstrated a method for using ZKPs to verify specific properties about hardware without revealing details about the design or source code.
In defense and aerospace, this approach could empower companies to verify the reliability of components while protecting national security and proprietary technology. In consumer electronics, it could help companies assure partners and regulatory bodies that products like smartphones or IoT devices meet required standards without exposing unique designs and ceding competitive advantage. Looking ahead, this approach has the potential to set a new standard for verifying hardware reliability while preserving privacy.
Safeguarding Consumer Data Privacy
In 2020, Estonia’s Environmental Investment Centre introduced a public program to encourage the purchase of electric vehicles (EVs). In the scheme, citizens who purchased an EV were eligible for financial subsidy if they drove their EV at least 80,000 kilometers within four years, at least 80 percent of which was within Estonian borders. Proving compliance, however, demanded an insidious choice: surrendering personal travel history data or forsaking the subsidy.
In partnership with Cybernetica, Galois developed a privacy-preserving technology using ZKPs that allows Estonian electric vehicle (EV) drivers to verify their eligibility for government subsidies without disclosing detailed travel data, making sophisticated cryptographic privacy measures accessible via a simple web browser interface.
What is particularly exciting about this last application is that it takes sophisticated ZK technology and makes it accessible and actionable for end users, without requiring them to understand (or even notice) what’s happening behind the curtain. Here, as in the previous examples, Galois has opened the floodgates of possibility across industries and applications.
With ZKP technology elegantly folded into the background of applications, health insurers may soon be able to verify the absence of pre-existing conditions without ogling medical charts. Banking portals could affirm a loan applicant’s financial suitability without an intrusive peep into their transaction history.
In short, the advance in speed and usability of ZKPs over the course of SIEVE has dramatically expanded the scope of possible applications. We’re excited to see, and be a part of, all that comes next.
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited)