Hi there. I've done a bit of work on specifying human-centric identity goals for the internet over the last 10 years. May I suggest you look at Microsoft Vega? https://www.microsoft.com/en-us/research/blog/vega-zero-know... (I have no affiliation).
In brief, I think they aim to solve the most important needs for online identity-gated services in a maximally private way.
For instance, I'd like to see .self offer the following: a single domain to any person in the world with identity blinded. I can imagine two 'tranches': say xxx.v.self for 'verified' and xxx.u.self for 'unverified'.
Both would use a Zero Knowledge proof to confirm they had not already registered a domain; verified would register with you guys or a data broker some PII in case it was needed for verification / checks / etc, while unverified would maintain the promise of one domain = one person, but not allow the TLD or registrars to be able to unblind which person it is.
Use cases like this would be really fantastic. And, obviously could be tested out and tried on a normal domain name while you make your pitch, and put in for the auction / however ICANN is currently managing TLD launches.
Please submit this to us via our contact form, we will need lots of community input! https://hccf.onmy.cloud/get-involved/
It is good that Microsoft Vega is popularizing zero-knowledge identity-based attestations. It's unfortunate that they're doing so in a relatively inflexible way.
I wish the Vega people had oriented their work around general-purpose zkVMs instead of application-specific ZK circuits. The latter is a fleeting efficiency win; the former is a permanent flexibility advantage. ZK-based privacy advocates shouldn't over-index on proof performance on today's systems when zkVM systems have been making multiple-OOM performance improvements over the past couple of years.
IOW, with Nova, the Vega people are trying to do something very clever (just as the BBS+ people are trying to do something very cleaver) that general-purpose compute wins have made unnecessary.
Something like RISC Zero will let you run arbitrary Rust code under zero knowledge in a few hundred milliseconds with little fuss. Nobody appreciates that identity verification is one special case of a vast set of useful applications enabled by widespread adoption of a ZK compute platform.
Disagree with this.
RISC Zero is useful for crypto use-cases: Other people need to verify an exact program was run.
The identity use case is about connecting sources of trust (document issuers) with consumers of that trust ("this is a real person") in ways that don't release more than the minimum information required ("the passport office has signed that this is a real person so we can trust that").
Single purpose circuits make a lot of sense for this - there is just no need to a full ZK RISC-V VM for this use case.
RISC Zero verifies that an exact computation was performed. What would be the point of the system otherwise? If you're starting from this incorrect premise, you're going to arrive at an incorrect conclusion.
> Single purpose circuits make a lot of sense for this
No, they don't. They lock your system into a single set of trade-offs without an advantage to offset it. They're premature optimization. How do you think ZK systems can be made resilient to cloning attacks without hardware locking if your ZK vocabulary is limited to stupid BBS-style selective disclosure and nothing else?
> if your ZK vocabulary is limited to stupid BBS-style selective disclosure and nothing else
I don't understand what "BBS-style" means in this context, but selective disclosure is exactly what the requirement is.
Can you talk more about RISC Zero? Does it require a TEE of some sort? I had trouble finding a quality mid-detail spec of how it works; lots of marketing materials basically.
zkVMs (of which RISC Zero is one example) do not require a TEE. That's the whole point: the privacy properties come out of the math. Basically, nowadays, once you and I can agree on the text of a program, you can run the program on your private inputs and produce a number that proves to me that you actually ran this specific program and not some other.
For example, age verification: I can run a program that takes a signed time-stamp and an officially-signed birth certificate and produces a yes/no "over 18" boolean, then prove to you I actually ran this program, not just "return true", but WITHOUT revealing the birth certificate.
It's a really neat facility that too few people are thinking about. We've had zero knowledge systems for a few decades now, but until now, each one has been a special bespoke mathematical object that would take years to develop. Over the past year or two, we've 1) made the things 1000x faster, and 2) made it possible to write arbitrary code under zero knowledge instead of having to make each ZK system a PHD thesis.
Others say that zkVMs are pointless because they're less efficient than these bespoke mathematical objects. Yes, they are. So what? The flexibility is worth it. Others say that zkVMs came out of Etherium, so they're only good for "crypto" stuff. False. Sure, it's the Etherium people who did a lot of foundational research into efficient zkVMs. We owe them a debt of gratitude, because they made a new kind of CS object that's going to be useful for tons of things not tied to Etherium or web3 in any way.
Anyway, if you want to get a feel for fully programmable ZK systems, check out https://noir-lang.org/, a programming language for ZK programs (not a zkVM, but same UX). Or https://github.com/a16z/jolt, which lets you run normal Rust under zero knowledge.
Today, you can write normal-looking code and have it execute under zero knowledge, and, importantly, efficiently. You literally couldn't do this two years ago, and it changes everything.
What does require a trusted computing platform, however, is ensuring that the same program isn't being executed millions of times per second to send millions of different ZKPs to different parties.
ID verification is not enough, you also need some way to prevent one malicious user from re-selling the same ID to millions of others. Without ZKPs, you know what document the user is trying to sign up with, so you can rate-limit that document. With ZKPs, however, you need those rate limits to exist somewhere else.
Yeah, this goes back to the blind spot we technical people have: Solve people/social issues with technological enforcement.
Please get in touch with us via our contact form, we will need collaborators of all kinds and the human validation problem is going to be the hardest technical challenge to solve. We could use your help! https://hccf.onmy.cloud/get-involved/