Zero-Knowledge OTP verification on chain

Overview

zkOTP: Zero-Knowledge OTP verification on chain

Motivation

Inspired by SmartOTP and Modulo's 1wallet, a zkOTP solution can manage access to a smart contract wallet and give new web3 users an authentication method they are already familiar with: Google Authenticator.

Design

The design is based on the list of assumptions on 1wallet's wiki, but is implemented with a Merkle inclusion proof using Circom. See implementation here.

During setup, a secret seed is generated, and from it a list of future timestamps and the corresponding TOTPs (currently 2^7 = 128, about 1 hour). These are hashed together to form the leaves of a 7-layer Merkle tree, and the Merkle root is committed to the blockchain. The secret seed is discarded after the user adds it to their Google Authenticator app. The Merkle tree and the deployed contract address are stored in the browser's local storage.

During authentication, the user inputs the current OTP shown in their app, and the corresponding Merkle path and proof are generated. For demo purposes, a dummy smart contract (rather than a smart contract wallet) is currently called for verification.
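The setup and authentication steps above, as an added Node.js sketch that is not the project's own code. It assumes SHA-256 in place of the circuit's hash, a leaf encoding of H(timestamp | otp), RFC 6238 defaults (HMAC-SHA1, 30-second steps, 6 digits) and hypothetical function names, and it recomputes the root in the clear rather than inside a Circom proof.

```javascript
const crypto = require("crypto");

const STEP = 30;  // TOTP period in seconds (RFC 6238 default, assumed)
const DEPTH = 7;  // 2^7 = 128 leaves, as stated on the page

// RFC 6238 TOTP (HMAC-SHA1, 6 digits) for the step containing unixTime.
function totp(seed, unixTime) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixTime / STEP)));
  const mac = crypto.createHmac("sha1", seed).update(counter).digest();
  const bin = mac.readUInt32BE(mac[19] & 0x0f) & 0x7fffffff; // dynamic truncation
  return String(bin % 1e6).padStart(6, "0");
}

// Stand-in hash (assumption): SHA-256 over the parts joined with "|".
const H = (...parts) => crypto.createHash("sha256").update(parts.join("|")).digest("hex");

// Setup: one leaf per future time step; only `root` would be committed on chain.
function buildTree(seed, startTime) {
  const t0 = Math.floor(startTime / STEP) * STEP;
  let layer = Array.from({ length: 2 ** DEPTH }, (_, i) =>
    H(t0 + i * STEP, totp(seed, t0 + i * STEP)));
  const layers = [layer];
  while (layer.length > 1) {
    const up = [];
    for (let i = 0; i < layer.length; i += 2) up.push(H(layer[i], layer[i + 1]));
    layers.push((layer = up));
  }
  return { t0, layers, root: layer[0] };
}

// Authentication: sibling hashes from the leaf for `now` up to the root.
function merklePath(tree, now) {
  let idx = Math.floor((now - tree.t0) / STEP);
  if (idx < 0 || idx >= 2 ** DEPTH) throw new Error("time outside the committed window");
  const timestamp = tree.t0 + idx * STEP;
  const siblings = tree.layers.slice(0, DEPTH).map((l) => { const s = l[idx ^ 1]; idx >>= 1; return s; });
  return { timestamp, siblings };
}

// Inclusion check: rebuild the root from the user's OTP, the timestamp and the path.
function rootFrom(t0, timestamp, otp, siblings) {
  let idx = (timestamp - t0) / STEP;
  return siblings.reduce((node, sib) => {
    const parent = idx % 2 ? H(sib, node) : H(node, sib);
    idx >>= 1;
    return parent;
  }, H(timestamp, otp));
}
```

Once the seed is discarded, the stored tree only lets the user prove that an OTP typed from the authenticator app matches a committed leaf; a wrong OTP or a timestamp outside the 128 committed steps does not reproduce the root.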

There are two verification methods in the smart contract:

  1. Naive proof: The smart contract (SC) keeps track of the most recent timestamp that was used for verification and checks that the timestamp of the new proof is after it. This behaves more like HOTP than TOTP.
  2. Block timestamp proof: The SC checks that the submitted timestamp is after block.timestamp. A more lenient interval might be needed for busier or slower networks.

Using the app

The verifier and factory contracts are currently deployed on Harmony devnet. Visit https://zk-otp.netlify.app to try it out.

  • "Deploy" tab: Clicking the "DEPLOY" button generates a new OTP contract with a randomly generated seed. After the contract is deployed, the contract address, the seed, and a QR code are displayed on screen. Make sure to import the seed into your Google Authenticator app, otherwise you will have to pay the gas fee to deploy a new contract.

  • "Verify" tab: Using the OTP displayed in your Authenticator app, you can try out both authentication methods mentioned above.

Possible next steps

  • use oracle to get live timestamp from external APIs
  • assess security risks in current design
Comments
  • Bump decode-uri-component from 0.2.0 to 0.2.2 in /ui

    Bumps decode-uri-component from 0.2.0 to 0.2.2.

    Release notes

    Sourced from decode-uri-component's releases.

    v0.2.2

    • Prevent overwriting previously decoded tokens 980e0bf

    https://github.com/SamVerschueren/decode-uri-component/compare/v0.2.1...v0.2.2

    v0.2.1

    • Switch to GitHub workflows 76abc93
    • Fix issue where decode throws - fixes #6 746ca5d
    • Update license (#1) 486d7e2
    • Tidelift tasks a650457
    • Meta tweaks 66e1c28

    https://github.com/SamVerschueren/decode-uri-component/compare/v0.2.0...v0.2.1

    opened by dependabot[bot] 1
Owner
drCathieSo.eth
physics ➡️ computer science ➡️ neuroscience ➡️ data science ➡️ web3