International Association
for Cryptologic Research

Recently, the area of Key Transparency (KT) has received a lot of attention, as it allows the service provider to provide auditable and verifiable proofs regarding authenticity of public keys used by various participants. Moreover, it is highly preferable to do it in a privacy-preserving ways, so that users and auditors do not learn anything beyond what is necessary to keep the service provider accountable. Abstractly, the problem of building such systems reduces to constructing so called append-only Zero-Knowledge Sets (aZKS). Unfortunately, none of the previous aZKS constructions adequately addressed the problem of key rotation, which would provide Post-Compromise Security (PCS) in case the server in compromised. In this work we address this concern, and refine an extension of aZKS called Rotatable ZKS (RZKS). In addition to addressing the PCS concern, our notion of RZKS has several other attractive features, such as stronger soundness notion (called extractability), and the ability for a stale communication party to quickly catch up with the current epoch, while ensuring the the server did not erase any of the past data. Of independent interest, we also introduce and build a new primitive called Rotatable Verifiable Random Function (VRF), and show how to build RZKS in a modular fashion from rotatable VRF, ordered accumulators and append-only vector commitment schemes.

Zoom’s platform provides video conferencing services for hundreds of millions of daily meeting participants. They use Zoom to conduct business, learn among classmates scattered by recent events, connect with friends and family, collaborate with colleagues, and in some cases, discuss critical matters of state. Zoom is working hard to improve meeting security for its users. In May 2020, Zoom published an incrementally deployable proposal\footnote{\url{https://github.com/zoom/zoom-e2e-whitepaper}}, describing not only a design for its improved end-to-end encryption (E2EE), but also a plan to build an auditable and persistent notion of identity for all Zoom users, which will provide additional security even against active attacks from a compromised Zoom server. In this talk, I will first describe our improved end-to-end design, report on our progress deploying it, and comment on some lessons we learned along the way. Then, I will look to the future and present our vision for user identity protocols. I will argue why it matters, discuss the issues which make this problem hard, and how we plan to address them.