Signed Proof

A signed proof is a proof whose input parameters are digitally signed by the OZKi oracle service or the entity that pulls the PII from the source.

The signed proof is used for scenarios where users need to pull their PII from sources such as PayPal, banks, etc. It is needed in this type of use case because the users may tamper with the PII and supply false or malicious input to the proof function.

Signed proof works in the following steps:

  • The user logs in to the PII provider directly and receives some sort of access token.

  • The user calls the OZKi oracle service REST API with the token. The oracle pulls the PII from the source using the token, timestamps the PII, signs it, and sends back the signed PII to the user.

  • The user calls the proof function with the oracle's signed data as the input parameters.

  • The proof function starts executing by verifying the digitally-signed parameters. The proof function uses the oracle's DSA verification key, which is a public key, to verify the signature. The DSA verification key is statically embedded in the proof function. If the signature verification fails, the proof function will error out, and this will fail the proof generation process.

The signed proof is used to mitigate the following security attack surfaces:

  • Impersonation Attack: An attacker may masquerade as the oracle service via a MITM attack or other means. However, unless the attacker has access to the oracle's DSA signing key, it will not be able to sign the data correctly; therefore, the proof generation will fail.

  • Malicious Input: As explained above, the user will not be able to modify or tamper with the data because the proof function will check the validity of the digital signature of the data.
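The sign-then-verify flow from the steps above, and the tampering case it blocks, as an added Go example that is not OZKi's own code. Ed25519 stands in for the page's unspecified DSA scheme, and `SignedPII`, `OracleSign`, `ProofFunction`, `KeysFromSeed`, the balance field and the threshold statement are hypothetical names with constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// SignedPII is the oracle's response: a PII value, the oracle's timestamp, and a signature over both.
type SignedPII struct {
	Balance, Timestamp uint64 // constructed sample PII field; Unix seconds
	Sig                []byte
}

var ErrBadSignature = errors.New("signature verification failed")

// encode fixes one byte layout so signer and verifier process identical bytes.
func encode(balance, ts uint64) []byte {
	b := binary.BigEndian.AppendUint64(nil, balance)
	return binary.BigEndian.AppendUint64(b, ts)
}

// KeysFromSeed derives a demo key pair from a constructed seed (assumption: demo only).
func KeysFromSeed(s byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	sk := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{s}, ed25519.SeedSize))
	return sk.Public().(ed25519.PublicKey), sk
}

// OracleSign models the oracle: it timestamps the PII it pulled and signs the result.
func OracleSign(sk ed25519.PrivateKey, balance, ts uint64) SignedPII {
	return SignedPII{balance, ts, ed25519.Sign(sk, encode(balance, ts))}
}

// ProofFunction verifies the signed inputs against the embedded key vk before evaluating anything.
func ProofFunction(vk ed25519.PublicKey, in SignedPII, threshold uint64) (bool, error) {
	if !ed25519.Verify(vk, encode(in.Balance, in.Timestamp), in.Sig) {
		return false, ErrBadSignature // proof generation stops here
	}
	return in.Balance >= threshold, nil
}

func main() {
	vk, sk := KeysFromSeed(7)
	in := OracleSign(sk, 1500, 1700000000)
	fmt.Println(ProofFunction(vk, in, 1000)) // oracle-signed input is accepted
	in.Balance = 9000000                     // user edits the PII after signing
	fmt.Println(ProofFunction(vk, in, 1000)) // rejected with ErrBadSignature
}
```

Because the timestamp is part of the signed bytes, changing it invalidates the signature just as changing the PII value does.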
