a note from our CTO Theo

Zero Knowledge

The term “Zero Knowledge” refers to a system in which the database and the application are architected in such a way that the database does not expose any meaningful information. This implies that even if you have full read access to the database, the information is protected in such a way that only those with access can read it.

In SocialX, our database is public⎯anyone can read it. This will allow it to be decentralized later on, so that it can become a community-governed system, while still maintaining privacy where needed.

There are 3 key methods of encryption that come into play to achieve this; we are going to briefly describe them as follows:

Cyphers

A cypher is a way to protect data with a password. For example, if you want to send a secret message to someone that goes through untrusted mediums you can tell your friend the password:

EncryptedValue = Cypher.Encrypt(SecretMessage, “MySecurePassword”)

Since your friend knows the password, he can decrypt it:

SecretMessage = Cypher.Decrypt(EncryptedValue, “MySecurePassword”)

Hashes

A hash acts like a signature for a specific data⎯they aren’t necessarily a means of transmitting data, but more of validating that the data you provided is correct.

For example:

HashValue = Hash.digest(Data);

HashValue is a string of a fixed length (128 chars, for example) and it’s widely used in websites to ensure you own your password. They will never store the actual password inside the database, only the HashValue of it. So, when you login, the password you send is Hashed, and it gets compared with what the website owners have in their database.

Imagine you wanted to send a Message to your friend, but the medium you send it to could be intercepted and the Message could be modified. Using hashes, you could tell a certain password to your Friend that only you know:

Signature = Hash.digest(“MyMessage” + “MySecurePassword”)

The friend will receive “MyMessage” and the Signature. He can then apply the digest to it to make sure it really came from you and wasn’t modified along the way.

Hashes are not the most secure means of signing data because the cost of finding out what the message really is means an attacker would need to hash all possible values and see if they match the hash. It’s not infallible.

RSA – Public/Private Keys

Each PrivateKey has a matching PublicKey.

If you want to send your friend a message, you can encrypt it with PublicKey and decrypt it with PrivateKey. Example:

EncryptedMessage = RSA.encrypt(PublicKey, “MySecretMessage”)

DecryptedMessage = RSA.decrypt(PrivateKey, EncryptedMessage)

In this case, DecryptedMessage is “MySecretMessage”.

The concept of RSA is used for https:// traffic. You send a PublicKey to the web server. All the information the server gives you, gets encrypted with the PublicKey you’ve given, and only you, the one that has the PrivateKey, can decrypt it.

RSA can also be used for signing your message with your PrivateKey, which then can be verified that it was signed by you with the PublicKey:

Signature = RSA.sign(PrivateKey, “MyMessage”)

The friend knows your PublicKey, and he can verify it:

VerifySignature(PublicKey, “MyMessage”, Signature)

Back to SocialX

Using a combination of the cryptosystems specified above, we can achieve a Zero Knowledge platform that allows you to create completely private groups, have friends, and chat. The database will never expose what friends you have, the groups you’re a part of, or group content.

A public database and the most private social platform in the world. It’s a paradox!

Your identity inside SocialX is verified with your PrivateKey⎯if you own the PrivateKey you own your account. After registration, you are provided a file to download. That file holds your PrivateKey protected by the password you chose which will need it to authenticate in new browsers / computers. Losing your password will result in losing access to your account⎯it cannot be retrieved.

The SocialX servers never receive the actual data; data is encrypted inside your browser before it is sent to the server. Using the mix of Cyphers, Hashes and RSA we ensure absolute security and privacy. This means that whenever you post something in your private group, you encrypt the message client-side with the group key which is privately shared to you when you are invited, and you send the message to the server. The server then stores it in the database and other peers inside your group will retrieve it, decrypt it in their browser and view your message.