What we think about ZKP

@zkorum.com

Zero-Knowledge Proof (ZKP) is a cryptographic technique that enables a prover to convince a verifier that a statement is true without the verifier learning anything beyond the fact that “this statement is true.”

There are a lot of use-cases, but two of the most prominent are:

  • Digital Privacy, e.g., proving you are an adult (> 18 years old) without showing your exact age. This presupposes that the prover holds some sort of private cryptographic certificate in which their age is recorded, and that the verifier trusts that this certificate is legitimate. The technique can be used to gate usage of certain online services on certain attributes of the user’s certificate, without either the service provider or the certificate issuer knowing who exactly accessed the service. ZKP, in combination with blind signing, can be used to generate a unique cryptographic identifier per context and per person within the selected group of attributes. We will show in the section about our background innovation an example of this property within the context of Verifiable Credentials.
  • Scaling blockchains (“ZK rollups”): a by-product of ZKPs is “verifiable computation” (succinct proofs). Validity proofs can be generated so that anyone can verify that the next block was created correctly, and such a proof can be verified on-chain very quickly. The proof is uploaded together with the result of the batch of transactions, without all the details, minimising block size.

The technique itself is not new, but a lot of investment and research have recently been poured into this field because of its applications in the blockchain space, making proofs vastly more performant and the tooling more mature, and this trend is continuing.

Besides scaling blockchains, ZKPs are used within the context of Self-Sovereign Identity for certain flavours of Verifiable Credentials, as well as for various other proof-of-personhood strategies (see the corresponding sections).

Advantages

  • Powerful way to provide proof-of-personhood with complete application-layer anonymity, effectively combating sybil attacks in a privacy-preserving way (unlike full-blown KYC).
  • ZKPs are verifiable: anyone can independently check the unforgeable proofs to verify the claims, whether offline or online, off-chain or on-chain.

Limitations (Privacy use-case)

  • ZKP can provide proof-of-personhood if and only if the right infrastructure is in place, consisting of a network of trusted certificates.
  • ZKPs require end users to handle cryptographic keys themselves in dedicated digital wallets, with all the key-management burden and complexity that comes with it. If users are given full control over their privacy, that also means they can lose access to the private keys that control their content.
  • ZKP alone is not enough to provide herd anonymity. One also needs to make sure that:
    • the infrastructure created to issue the certificates is based on a trust model that protects user privacy from its legitimate threats
    • the user can legitimately trust that the device and software they use to generate the proofs locally are not malicious
    • the attributes that are revealed are not identifying by themselves
    • the proof does not generate any linkable identifier as a by-product (such as a recognisable signature or a permanent public key bound to the user’s certificate)
    • out-of-band context or metadata cannot re-identify the prover (IP address, HTTP request timestamp, behaviour or content directly associated with the proof, etc.)
  • The cryptographic primitives over which ZKPs are implemented are usually less secure than standard cryptographic techniques, because they:
    • are not supported by standard secure hardware, so private keys cannot be generated directly in HSMs (e.g., BBS+)
    • have not been battle-tested over a long period of time (e.g., the Poseidon hash)

The above limitation can be avoided by not using novel signature schemes at all. This requires relying on a client-side general-purpose zkVM (zero-knowledge virtual machine), which can produce ZKPs over standard cryptographic signatures. Examples of such emerging zkVMs are Ligetron and Risc Zero. However, while extremely promising, these general-purpose zkVMs are currently neither performant nor mature enough for the expectations of modern social apps. Researchers expect drastic performance improvements over the next 5 years.
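As an added illustration (example code written for this page, not ZKorum’s own code and not a production scheme), the Python below implements a Schnorr-type sigma protocol over a deliberately tiny group (assumed toy parameters p = 2039, q = 1019, g = 4, which give no real security) and uses it for the per-context identifier idea from the Digital Privacy use-case and the linkability caveat in the limitations list: the same secret yields the same pseudonym within one context but an unrelated one in another, the verifier accepts only if the prover knows the secret, and the simulator function shows why an accepting transcript reveals nothing about that secret. It does not model the issuer’s certificate or blind signing, only the proof-of-knowledge step.

```python
"""Toy Schnorr-type zero-knowledge proof with per-context pseudonyms.

Added educational example, not ZKorum's code and not a production scheme.
Assumed toy parameters: p = 2039 (safe prime, p = 2q + 1), q = 1019, g = 4.
They keep the arithmetic readable and offer no security at all."""
import hashlib
import secrets

P = 2039  # toy safe prime (constructed, insecure)
Q = 1019  # prime order of the quadratic-residue subgroup of Z_p^*
G = 4     # a square mod p, hence a generator of that order-q subgroup


def hash_to_group(context: bytes) -> int:
    """Derive a subgroup base from a context label. Squaring lands in the
    order-q subgroup, and nobody knows the result's discrete log w.r.t. G,
    so pseudonyms from different contexts cannot be related to each other."""
    x = int.from_bytes(hashlib.sha256(b"ctx|" + context).digest(), "big") % P
    h = pow(x, 2, P)
    return h if h > 1 else G  # degenerate outputs 0 or 1 fall back to G


def pseudonym_from_base(secret: int, base: int) -> int:
    return pow(base, secret, P)


def pseudonym(secret: int, context: bytes) -> int:
    """Per-context identifier: same secret + same context -> same value,
    so a service can enforce one human ~= one account without a permanent
    public key that would link the user across services."""
    return pseudonym_from_base(secret, hash_to_group(context))


# Interactive sigma protocol: prove knowledge of `secret` with nym = base^secret.

def prover_commit(base: int):
    r = secrets.randbelow(Q - 1) + 1  # fresh per proof; reuse leaks the secret
    return r, pow(base, r, P)


def verifier_challenge() -> int:
    return secrets.randbelow(Q)


def prover_respond(secret: int, r: int, c: int) -> int:
    return (r + c * secret) % Q


def verifier_check(base: int, nym: int, t: int, c: int, s: int) -> bool:
    """Accept iff base^s == t * nym^c, after checking that nym is a
    non-trivial subgroup element (identity or small-subgroup values are rejected)."""
    well_formed = 1 < nym < P and pow(nym, Q, P) == 1 and 0 < t < P
    return well_formed and pow(base, s, P) == (t * pow(nym, c, P)) % P


def run_protocol(secret: int, context: bytes) -> bool:
    """One honest run: completeness means this always verifies."""
    base = hash_to_group(context)
    nym = pseudonym(secret, context)
    r, t = prover_commit(base)
    c = verifier_challenge()
    s = prover_respond(secret, r, c)
    return verifier_check(base, nym, t, c, s)


def simulate_transcript(base: int, nym: int):
    """Honest-verifier zero-knowledge: build an accepting (t, c, s) WITHOUT
    the secret by choosing c and s first and solving for t. Because anyone
    can fabricate such transcripts, a genuine one carries no information
    about the secret beyond 'the prover knows it'."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    t = (pow(base, s, P) * pow(nym, (-c) % Q, P)) % P  # t = base^s * nym^(-c)
    return t, c, s


if __name__ == "__main__":
    secret = secrets.randbelow(Q - 1) + 1  # the user's long-term private scalar
    for ctx in (b"forum-A", b"forum-B"):  # constructed context labels
        print(ctx.decode(), "pseudonym:", pseudonym(secret, ctx),
              "honest proof accepted:", run_protocol(secret, ctx))
    base = hash_to_group(b"forum-A")
    nym = pseudonym(secret, b"forum-A")
    t, c, s = simulate_transcript(base, nym)
    print("simulated transcript accepted:", verifier_check(base, nym, t, c, s))
```

The two pseudonyms printed for `forum-A` and `forum-B` are what the page calls a unique identifier per context and per person: a service sees a stable value for its own context, but cannot match it against another service’s value, which is exactly the property lost if the proof instead exposed a recognisable signature or a permanent public key. The simulated transcript verifying without the secret is the textbook argument for the “zero knowledge” part.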

Can it be useful for our requirements?

  • ZKP for scaling is irrelevant to our goal.
  • ZKP for privacy is the crucial technology that unlocks the possibility of providing both verifiable and privacy-preserving proof-of-personhood, on top of which an authentication system where one human ~= one account can be built, preventing sybil attacks.
ZKorum (@zkorum.com): 🌐 We rehumanize and depolarize social media. For a more inclusive and democratic world. | https://zkorum.com