ISO/IEC 27565

ISO/IEC 27565 — Information technology, cybersecurity and privacy protection — Guidelines on privacy preservation based on zero knowledge proofs

[DRAFT]

Abstract

ISO/IEC 27565 "provides guidelines on using zero-knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing information disclosure. It includes several ZKP functional requirements relevant to a range of different business use cases, then describes how different ZKP models can be used to meet those functional requirements securely."


[Source: ISO/IEC 27565 FDIS]

Introduction

Zero-knowledge proofs (ZKPs) are mathematical techniques (families of cryptographic protocols) that allow someone (the prover) to prove to someone else (the verifier) that they are in possession of a secret, without actually disclosing the secret to the verifier or to some trusted third party. The secret is often a credential used for authentication (such as a password, biometric or personally identifiable information) but could equally be some other piece of sensitive or valuable information that is to remain confidential during the verification process.


The process involves the prover convincing the verifier that the verifier's statements or assertions concerning the secret (e.g. "The person is older than 18 years") are either true or false, without revealing additional information (such as their birthday). At the same time, the process substantially prevents malicious interference such as replay attacks (e.g. repeating a previous age-verification sequence that applied to a different person) and collusion between the parties.
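
To make the prover/verifier exchange and the replay resistance described above concrete, here is an added Python sketch of Schnorr identification, a classic proof of knowledge of a secret exponent. It is not taken from ISO/IEC 27565 or from this page's author; the group parameters P, Q and G, the class and the function names are assumptions constructed for the example, and the toy group is far too small for real use.

```python
"""Schnorr identification: prove knowledge of x where y = G^x mod P, without sending x."""
import secrets

# Toy group constructed for this example: P = 2Q + 1 is a safe prime and G
# generates the subgroup of prime order Q. Far too small for real use.
P, Q, G = 2039, 1019, 4


class Prover:
    def __init__(self, secret_x):
        self.x = secret_x % Q
        self.public_y = pow(G, self.x, P)      # registered with the verifier up front
        self.r = None

    def commit(self):
        self.r = secrets.randbelow(Q - 1) + 1  # fresh one-time nonce in 1..Q-1
        return pow(G, self.r, P)

    def respond(self, challenge):
        r, self.r = self.r, None               # one response per nonce: reuse would leak x
        return (r + challenge * self.x) % Q    # r blinds x, so s alone says nothing about x


def new_challenge():
    """Verifier side: unpredictable challenge, chosen after the commitment arrives."""
    return secrets.randbelow(Q)


def verify(public_y, commitment, challenge, response):
    """Accept iff G^s == t * y^c (mod P), which holds when s = r + c*x (mod Q)."""
    return pow(G, response, P) == (commitment * pow(public_y, challenge, P)) % P


def run_session(prover, challenge=None):
    """One honest run; returns the transcript a verifier or eavesdropper sees."""
    t = prover.commit()
    c = new_challenge() if challenge is None else challenge
    s = prover.respond(c)
    return {"t": t, "c": c, "s": s, "accepted": verify(prover.public_y, t, c, s)}


def replay(public_y, recorded, fresh_challenge):
    """Resend a recorded (t, s) against a challenge the verifier has just chosen."""
    return verify(public_y, recorded["t"], fresh_challenge, recorded["s"])
```

A recorded transcript only verifies against the challenge it was produced for, which is why the verifier must pick a new, unpredictable challenge for every session.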

Scope

This standard principally concerns the use of ZKP for privacy protection (e.g. checking the claimed identity or age of a person known to an authority, without the authority disclosing that personal information), although other use cases are noted (e.g. digital wallets).

Structure

Main sections (in draft):

  • 5: Introduction to ZKPs

  • 6: Considerations of implementing ZKPs for attribute verification

  • 7: Use cases of ZKPs 

  • 8: Privacy preservation using ZKPs

  • 9: Functional use cases

  • 10: Business use examples

  • Annex A: Factors facilitating or hindering ZKP developments

  • Annex B: Subject binding

  • Annex C: Example of a consistency check between two documents

  • Annex D: Example of ZKP for selective disclosure

  • Annex E: Examples of selective disclosure without using ZKP

  • Annex F: Example of secure comparison of two numbers

  • Annex G: Implementing digital credentials with ZKP

Status

The standard development project commenced in 2021.


The standard is at Final Draft International Standard stage, heading for release at the end of 2025 or early 2026. Among other changes, it will have a new clause “Considerations of implementing ZKPs for attribute verification”.

Commentary

Some 32 specialist terms are defined - a clue as to the complexity of ZKP.


ZKP is an evolving, cutting-edge technique.

This page last updated:

4 November 2025

© 2025 IsecT Limited 

 
