Aw, Rui Ying (2025) Zero Knowledge Based Authentication Using ZK-STARK. Final Year Project (Bachelor), Tunku Abdul Rahman University of Technology and Management.
Abstract
This project focuses on the development of a secure authentication system using zero-knowledge proofs, addressing the increasing concern of password breaches and unauthorized access in conventional authentication methods. The system ensures that users can verify their identity without revealing their actual passwords, thereby enhancing overall security and privacy. Developed using Rust, the backend leverages the Warp web framework to manage API endpoints and Winterfell to generate and verify STARK-based zero-knowledge proofs. User data is simulated using an in-memory HashMap protected by a thread-safe RwLock. Cryptographic techniques such as Argon2 and Blake3 are applied for password hashing and commitment generation. The system includes two main functionalities: user registration and user authentication. During registration, a user’s password is hashed and then converted into a field element that can later be verified using zero-knowledge proof techniques. In the authentication phase, users prove their knowledge of the password through a STARK proof without exposing sensitive information, maintaining confidentiality throughout the process. The development methodology follows an Agile-based iterative approach, emphasizing continuous integration of features and regular testing. Testing strategies involve unit testing of critical components like password hashing and field element generation, integration testing for the registration and login processes, and functional testing to ensure the system operates as specified. Manual testing was employed to validate the workflows and handle various normal and edge case scenarios. The project successfully demonstrates the feasibility of using zero-knowledge proofs for secure password authentication, resulting in a more privacy-preserving system compared to traditional methods. 
Although the prototype is effective for small-scale applications, limitations include the absence of a frontend interface and reliance on in-memory data storage. Overall, the project highlights an innovative and practical approach to strengthening authentication systems, laying a foundation for future enhancements and larger-scale implementations.
| Item Type: | Final Year Project |
|---|---|
| Subjects: | Science > Computer Science > Computer security. Data security |
| Faculties: | Faculty of Computing and Information Technology > Bachelor of Information Technology (Honours) in Information Security |
| Depositing User: | Library Staff |
| Date Deposited: | 18 Dec 2025 07:55 |
| Last Modified: | 18 Dec 2025 07:55 |
| URI: | https://eprints.tarc.edu.my/id/eprint/35415 |