Any time I get someone to explain a real world use case they explain the concept of password hashing. Also, the only people who ever talk about "ZKPs" are these obviously non-technical crypto founders - it's possible they think it's a new thing when it's something we deal with every day as developers.
I can't get anyone to explain how it's different from a password hash other than in these elaborate hypothetical scenarios that don't relate to technology.
Instead of asking for your ID, the police officer passes you a circuit. You present your ID to the circuit and pass the results to the officer. The officer then verifies you are not a criminal without ever looking at your documents.
This is the same fundamental thing as the password hash example. I can verify you without ever seeing your password, the policeman can verify you without ever seeing your documents - same exact concept.
My question is then: What is unique to ZKPs? Are the ZKP folks just asking us to start calling these techniques "ZKPs"?
When I use Clear for IDV is that a ZKP? Just like your example, they show the ID to Clear, but I never see the ID.
Hashing is a limited variant of ZKP which can answer one exact question. With ZKP you can also check if a password has a certain length, special characters, etc., without ever seeing the password itself.
Clear is not a ZKP because Clear's servers learn all the data from your documents. With a ZKP, Clear would only know that you hold an ID with details matching the ticket you also hold. This is just 1 bit of information instead of many.
Re: Hashing - The point of one-way encryption is that it can't be decrypted. A plaintext password has 1 job, to be read, not saved - yet you want to encrypt it as if it will be saved, but because it's one-way encrypted now it can't be read. What problem did you solve? You created a problem (that you now need ZKP to solve...)
Anyway, the ZKP concept is not about decrypting hashes at all, but looking at peripheral data to prove something (Alibaba Cave - Victor only knows Peggy knew the password because he had access to some other data - the path she took). "checking length etc." only if those hints are already available to the system in some way. And because of this approach, why would you need the hash? Just don't use passwords at all in the case of ZKP right? Simply rely on the other identifying data that you have access to, that you use anyway. Also - how secure is this loose profiling technique compared to email-backed passwords over HTTPS?
I imagine few product use cases allow for a server to trust all the clients with encryption, while not trusting itself - but there are some use cases like when the server is not the source of truth - file system service, or peer-to-peer stuff like ledgers: If the server's purpose is just to maintain a shared ledger and all the clients in the network are trusted.
But in the case we're talking about, of a service that authenticates clients, you're saying you can't trust the authenticator when that is kinda the point of authentication - they don't trust you, or rather - the server cannot tell for sure that any incoming connection is who they say they are, even if it has "zero knowledge" like their IP address and a face scan (your brother in the same house might pass). The point of a username and password is that you want the server to not trust any connecting clients unless they have this specific data precisely.
The ID would need to have some government digital signature for the ZK circuit to work. The proof would be "this digital ID that has this valid government signature shows XYZ".
The verifier would need the government public key and then can see "This ID that has been signed by the government's private key shows XYZ".
And the next question is: why bother? We have well-established protocols for the ID card: a police scanner creates a nonce and sends it to the card, the card signs it with its private key, and provides a certificate signed by the government.
The police scanner then verifies the signature and checks that the certificate is correctly signed by the government's public key.
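Added example, not code from the thread or from any product mentioned in it: the hash-vs-ZKP comment earlier and the nonce/certificate comment just above describe protocols that fit in one small Schnorr implementation, so here is both in Python over secp256k1, using only the public curve constants. Part 1 is the interactive Schnorr proof of knowledge together with its simulator, which is what makes it "zero knowledge" rather than a hash comparison: an accepting transcript can be produced without the secret, so the transcript proves nothing to anyone except the verifier who chose the challenge live. Part 2 turns the same proof into a signature with Fiat-Shamir. Part 3 is the card protocol from the comment above: scanner nonce, card signature over it, government-signed certificate. Assumptions: Schnorr over secp256k1 stands in for whatever signature scheme a real card uses, all keys and the attribute record are generated or constructed at run time, and the arithmetic is not constant-time.

```python
# Added example (not from the thread): Schnorr proof, Schnorr signature and the chip-card
# nonce/certificate protocol, all over secp256k1 using only the public curve constants.
# Keys and the attribute record are generated/constructed at run time. Not constant-time.
import hashlib
import os
import secrets

# secp256k1: y^2 = x^3 + 7 over F_P; base point G has prime order N.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:            # p2 == -p1
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def keygen():
    sk = secrets.randbelow(N - 1) + 1
    return sk, mul(sk, G)

def encode(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

# 1. Interactive Schnorr proof of knowledge of x with Y = xG: commit R, challenge c, response s.
def prove(x, challenge):
    r = secrets.randbelow(N - 1) + 1
    R = mul(r, G)
    c = challenge(R)                               # verifier picks c only after seeing R
    return R, c, (r + c * x) % N

def verify_proof(Y, R, c, s):
    return mul(s, G) == add(R, mul(c, Y))

def simulate(Y):
    """Accepting transcript built WITHOUT x: choose c and s first, solve for R = sG - cY.
    This is the zero-knowledge property: a transcript on its own convinces nobody."""
    c, s = secrets.randbelow(N), secrets.randbelow(N)
    return add(mul(s, G), mul(N - c, Y)), c, s

# 2. Fiat-Shamir: a hash plays the verifier, so the proof becomes a signature (R, s).
def fs_challenge(R, Y, msg):
    return int.from_bytes(hashlib.sha256(encode(R) + encode(Y) + msg).digest(), "big") % N

def sign(sk, Y, msg):
    R, _, s = prove(sk, lambda R: fs_challenge(R, Y, msg))
    return R, s

def verify_sig(Y, msg, sig):
    R, s = sig
    return verify_proof(Y, R, fs_challenge(R, Y, msg), s)

# 3. The card protocol: scanner nonce -> card signature + government-signed certificate.
def issue_card(gov_sk, gov_pk, attributes):
    """Government personalises a card: fresh card key, certificate over (card_pk, attributes).
    Returns the chip as a callable: nonce in, (certificate, signature over nonce) out."""
    card_sk, card_pk = keygen()
    cert = (card_pk, attributes, sign(gov_sk, gov_pk, encode(card_pk) + attributes))
    return lambda nonce: (cert, sign(card_sk, card_pk, nonce))

def scanner_check(gov_pk, card):
    nonce = os.urandom(32)
    (card_pk, attributes, gov_sig), card_sig = card(nonce)
    if not verify_sig(gov_pk, encode(card_pk) + attributes, gov_sig):
        return None                                # not a government-issued card
    if not verify_sig(card_pk, nonce, card_sig):
        return None                                # replayed or cloned certificate
    return attributes                              # scanner now holds the whole record
```

Note what each verifier ends up holding. In part 1 the verifier learns one bit (the prover knows x) and can forge the transcript itself afterwards. In part 3 the scanner learns the entire attribute record, which is the point made about the chip: it answers no question narrower than "here is everything on the card". Proving a single predicate ("over 18", nothing else) over the government signature is what a ZK circuit would add on top of part 3; that is not implemented here.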
Yeah, the chip gives the information written on the device. It doesn't answer arbitrary questions about the data.
The whole point of ZK proofs is the zero knowledge part. If you don't care about the person being able to see the information of course there's no need for them.
First you described exactly the concept of password hashing, now you're describing something else entirely:
> It doesn't answer arbitrary questions about the data.
Why would you need a "ZKP" to prevent anyone from "asking arbitrary questions"? You simply don't build that functionality.
When I create a web server and allow people to login through an endpoint, they can't ask arbitrary questions about user data either - how would that functionality even exist without me writing it? Typically the server doesn't even know passwords. It simply compares a hash - the hash is computed client-side and the server never sees the real password.
Any peripheral user data you want to return is up to you. Identity is not "built in" to conventional programming languages.
Furthermore, none of the ZKP libraries on npm do anything. Most of them are utility libraries with functions like "generateUUID" and "leftPad". The ones from providers like Cloudflare (their least popular stuff) are just private/public key encryption libraries that they call "ZKP".
I didn't mention hashes anywhere in this thread, you were the one claiming you can prove someone's age just based on a hash of it (and still haven't shown how, other than breaking the hash with a rainbow table).
I posted this earlier (and it's in the article...) but will reiterate again: ZK proofs are used when the prover (server) and verifier (client) don't trust each other and don't want to give each other data on each other. If you trust the server you can just give it a copy of your passport, if the server trusts the client they can just show a checkbox asking if they're old enough.
They are useful from a mathematical point of view. (And explore the relationship between P and NP, for example.) Not sure if that counts as a 'real use' to you. See also https://en.wikipedia.org/wiki/PCP_theorem
At the moment, producing a zero knowledge proof has roughly a million-fold overhead compared to running a program directly. So there aren't many applications where that's acceptable. So I am very grateful that the blockchain people are more than happy to throw money at the math here. Very generous of them.
In principle, you can use ZKP for privacy preserving compliance work in real (ie traditional) finance.
> Eg Goldman Sachs could encode all their compliance rules in a program, and publish a proof that their books pass the check by that program, without revealing anything about their accounting.
> In a banking context, you could in theory also run your know-your-customer (KYC) rules against customer provided data, store the proof, and delete the original data. That way, you still have proof that your customers don't have ties to North Korea or Russia, but you can't be compelled by anyone to reveal the data later (nor accidentally leak that data, etc).
> Of course, for that latter application, you need a sharp lawyer to make sure that storing the proof instead of the original data is enough for your KYC obligations.
> If you want to go further, you could have your customers run the KYC rules locally, so that their data never leaves their premises.
> (For all these applications, you still have to have a mechanism that connects the real world to the inputs of the programs whose execution you are proving.
> So eg Goldman Sachs would still need an auditor that checks that the assets and obligations they have in their balance sheet actually exist, but the auditor does not otherwise need to make judgement calls or apply any rules.)
ZKPs have only become cheap and easy enough to do in the last few years, so of course Goldman Sachs doesn't use them yet. They'll be using them in a decade, for now look at startups. https://github.com/zk-passport/openpassport is one that is working today, worldcoin ID verification is another.
I carefully gave examples of where ZKP can be useful outside of blockchains.
> Like they don't use blockcrap for interbank settlements, asset tracking, notary, etc.
Yes. So far the only way to track real world assets on a blockchain is to have a trusted third party (or third parties) that connect whatever your blockchain says to the real world.
But if you have that trusted third party, you might as well have them run the database that keeps track of who owns what. No need for a blockchain.
ZKP is different in the sense that it's one of only a few things to come out of the 'crypto' world that has at least a _chance_ of being useful in the real world. One day. Perhaps.
(Cryptography in general is enormously useful. Have a look at HTTPS for one example. When I just say 'crypto' I mean specifically everything to do with the blockchain ecosystem. So far the only real applications of crypto / blockchains that I've seen are gambling (generously called 'speculation' or 'investment') and ransomware payments. Cryptocurrencies aren't even good for buying drugs on the black market so far.)
In any case, ZKP is still very immature. But we are very fortunate that the crypto-people are generously funding this area of essentially pure mathematics research.
This must be a mistake or misunderstanding, because "blockcrap" is hardly mentioned in contrast with examples like confirming someone is of age, meets certain insurance requirements or has certain financial status without revealing anything about them. No blockchain is needed in any of these examples.
Part of growing up means realizing that cryptocrap is cryptocrap.
> examples like confirming someone is of age
Where are the companies that do that? Can I replace my Washington driving license with a ZKP that I can show to police officers or to enter a pub?
There are really no practical examples of the actual usages. Just hand-waving. And moreover, all the examples you provided make no sense. They are far better achieved using classic asymmetric systems.
On the contrary, your sentiment reads less like wisdom and more like hardheadedness. I am glad there are plenty of others here who do not share such a narrow-minded sentiment.
The Venn diagram between cryptocurrency and ZKPs is not a circle, or really even close. They're a mathematical concept first and foremost, and thanks to crypto dumping tons of money into the scaling problem, now much more easily worked with in code across any application. So much for all cryptocrap being, well, cryptocrap!
Your example is terribly contrived. No, you won't replace your drivers license with a ZKP. But a service might validate that you're of age, or meet some other criteria, without you (or they) revealing actual information about yourself.
All of the examples I gave (none of which are my own, but from other commenters who are I'm sure happy to discuss further) require the context of established trust. "Classic asymmetric systems" have problems with this.
I think you both 1) didn't read the article 2) went into the comments assuming it's about cryptocurrency and brought your baggage on that subject with you. The article mentions them in an offhand way, ZKPs are independent of anything cryptocurrency related.
The general takeaway is that you can prove you know something without revealing what it is, or how you know!
If you can't think of the possibilities that unlocks beyond the examples others have already discussed (none of which were crypto related), that's a limitation on your end.
And you still have to do that with ZKPs. Otherwise, I can just "borrow" my buddy's license and get into a pub. Unless the ZKP will interface with a biometric authentication system and do something like facial recognition.
And even then, it hand-waves away the issues with revoked licenses. How do you do license revocation with ZKPs?
> I've created a simple demo program to illustrate the concept of a human passport, inspired by World ID. It uses a zero-knowledge virtual machine (zkVM) to verify certain properties of a password without actually seeing the password itself.
I'm not sure what you're referring to specifically.
If you're asking why we need zero-knowledge proofs (ZKP) in a human passport system:
Imagine you have 6 billion to give away, and all lives worldwide should get their fair share. How could you do this? Giving money to authorities like governments and trusting them?
In the context of 'alllivesmatter.world', I propose the DUKI system. Here's how it works:
- Each person has a human passport (they should never have more than one)
- They can directly claim this money on the blockchain using the DUKI system
- This ensures that each unique person gets their share only once at each period
To achieve this and prevent multiple claims per person without considering privacy, we could use national security IDs, but these IDs need to be genuine, assuming that every human gets and only gets one.
However, using these IDs directly would compromise privacy. So instead, we let authorities prove that using ZKP:
- A valid national ID was used in creating the passport
- Each national ID is used only once in the system
This way, we preserve privacy while still ensuring the integrity of the distribution process.
Other services that focus on real people could also utilize this. It's just like how a wallet is currently the entry to the web3 world, with only one key difference: that wallet represents a unique human in the world.
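The "each national ID is used only once per period" rule in the post above is usually built from nullifiers: a value derived from the ID and the period that the ledger can deduplicate but cannot trace back to a person or link across periods. Added example, not the DUKI or World ID code: a trusted issuing authority holding an HMAC key stands in for the ZK proof the post describes, the registry sees only nullifiers, and the IDs and key are constructed. It also shows the caveat a practitioner wants here: a plain unkeyed hash of a low-entropy national ID is not a nullifier, because the registry operator can brute-force it from a candidate list.

```python
# Added example (not from the thread): a nullifier registry for "one claim per human per
# period". An issuing authority holding ISSUER_KEY stands in for the ZK proof the post
# describes; the public registry only ever sees nullifiers. All IDs and keys are constructed.
import hashlib
import hmac
import secrets

ISSUER_KEY = secrets.token_bytes(32)   # known to the issuing authority only

def nullifier(issuer_key, national_id, period):
    """Keyed PRF of (id, period): same id + same period -> same value (catches double
    claims); different period -> unrelated value (claims are unlinkable across periods)."""
    return hmac.new(issuer_key, national_id + b"|" + period.encode(), hashlib.sha256).digest()

def unkeyed_nullifier(national_id, period):
    """The tempting shortcut: a plain hash. Included only to show why it is unsafe."""
    return hashlib.sha256(national_id + b"|" + period.encode()).digest()

class Registry:
    """Ledger side. Stores nullifiers, never IDs; rejects any nullifier it has seen."""
    def __init__(self):
        self.seen = set()

    def claim(self, nf):
        if nf in self.seen:
            return False
        self.seen.add(nf)
        return True

def brute_force(target, period, id_space, key=None):
    """What a registry operator with a list of candidate IDs can do: recompute and compare.
    Succeeds against the unkeyed hash; fails against the keyed nullifier without the key."""
    for cand in id_space:
        nf = unkeyed_nullifier(cand, period) if key is None else nullifier(key, cand, period)
        if nf == target:
            return cand
    return None

def demo():
    reg = Registry()
    alice = b"ID-000-111"                       # constructed national ID
    q1 = nullifier(ISSUER_KEY, alice, "2025-Q1")
    q2 = nullifier(ISSUER_KEY, alice, "2025-Q2")
    return {
        "first_claim": reg.claim(q1),           # accepted
        "double_claim": reg.claim(q1),          # rejected: same person, same period
        "next_period": reg.claim(q2),           # accepted: new period, new nullifier
        "unlinkable": q1 != q2,                 # registry cannot tie the two claims together
    }
```

In a real deployment the HMAC key would be replaced by a proof that the nullifier was derived inside a circuit from a government-signed ID, so that not even the authority has to see the claim; the registry logic and the brute-force caveat stay the same.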
Thank you for highlighting the complexities around multiple passports and identity. Let me clarify the vision for a "human passport" concept:
1. The "human passport" I'm envisioning differs from traditional passports. Perhaps we could reuse the name WorldID that Worldcoin is developing, which uses biometric data like iris codes to ensure uniqueness. This approach is already working to some degree. Ideally, I just wish that it became a standard, with more implementations and also keep the iris-data at the device level, leaving countries with no excuse to refuse adoption. The goal is to have a standardized, cross-verifiable iris data system, rather than relying on a single authority to guarantee against forgery.
2. The varying name spellings on your different passports wouldn't be relevant to this system. Names are too variable to be components of a unique ID for each human. Instead, I imagine using something more like a social security number, which the authorities issuing passports guarantee you never use twice in the same period. The ID thing is just a quick way to locate your public passport. The uniqueness check doesn't depend on this ID. It can be derived using your own private data to access your "human passport" released in public, which is generated using zero-knowledge proofs and preserves privacy.
Its uniqueness relies on authorities, and also on some biometric data, for example one-way features of iris data, etc., so even if you try to trick the system and create multiple IDs, you'd probably get caught.
3. This isn't just a vision - WorldID is already in use with millions of users. I just wish for wider adoption and for countries to have no excuse not to adopt it as a worldwide standard. The human passport vision isn't about pushing crypto tech; it's about considering how to make 'all lives matter worldwide' from another perspective.
Because you can enforce password policies without the password ever leaving the (untrusted) client in clear text. I.e. the server only sees the hash and still knows it's dealing with a strong PW.