zk-SNARKs and digital identity: Balancing under multiple dilemmas

In recent years, the application of zk-SNARKs technology in digital identity systems has become increasingly popular. Various identity projects based on zk-SNARKs are developing user-friendly software packages that allow users to prove their valid identity without revealing identity details. The number of World ID users, who are verified using biometric technology and ensure privacy through zk-SNARKs, has surpassed 10 million. Taiwan, China, and the European Union have also applied zk-SNARKs technology in their digital identity projects.

On the surface, the widespread application of zk-SNARKs technology in the digital identity field seems to be a victory for the development of decentralized technology. It can protect social media, voting systems, and various internet services from witch attacks and bot manipulation without sacrificing privacy. But is the reality that simple? Does identity based on zk-SNARKs still carry risks? This article will clarify the following points:

• zk-SNARKs technology addresses many important issues.
• The identification wrapped by zk-SNARKs still carries risks, which mainly stem from the rigid maintenance of the "one person, one identity" attribute.
• Merely using "wealth proof" to counter witch-hunt attacks is not sufficient in most application scenarios; we need some kind of "identity-like" solution.
• The ideal theoretical state is that the cost of obtaining N identities is N².
• In practice, a multi-identity system is the most realistic solution. This can be explicit (, such as identity based on social graphs ), or it can be implicit (, where multiple types of zk-SNARKs identities coexist ).

The Operation Principle of zk-SNARKs Identification

Imagine that you obtained a World ID by scanning your eyeball or scanned your passport with your phone to get a identity based on zk-SNARKs. On your phone, there is a secret value s stored, and in the global registry, there is a corresponding public hash value H(s). When you log into an application, a user ID specific to that application is generated, namely H(s, app_name), and it is verified through zk-SNARKs: this ID originates from the same secret value s as a public hash value in the registry. Therefore, each public hash value can only generate one ID for each application, but it will never reveal which public hash value corresponds to a specific application exclusive ID.

The actual design may be more complex. For example, the application-specific ID in World ID contains the hash values of the application ID and session ID, allowing different operations within the same application to be de-associated from each other. A similar approach can also be used to construct a passport based on zk-SNARKs.

Before discussing the drawbacks of this type of identification, it is important to recognize the advantages it brings. Outside of zk-SNARKs identity, users often need to disclose their complete legal identity to verify themselves, which severely violates the "principle of least privilege" in computer security. Currently, the best alternative is to use indirect tokens such as phone numbers, credit card numbers, etc., but this separation is extremely fragile. The zk-SNARKs technology largely addresses these issues.

However, some issues remain unresolved and may even become more severe due to the strict limitation of "one person, one identification."

Limitations of zk-SNARKs

cannot achieve true anonymity

Even if the zk-SNARKs identification platform operates entirely as expected and strictly enforces all logic, the actual anonymity achieved by users may be lower than the current level. This is because applications may assign a unique application-specific ID to each user, while the identification system follows the "one person, one identity" rule. In the real world, achieving anonymity often requires multiple accounts: one for the regular identity and others for various anonymous identities. Therefore, even a "one person, one identity" system wrapped in zk-SNARKs may gradually lead us towards a world where all activities must be tied to a single public identity.

cannot prevent coercion

Even if you do not disclose your secret value, no one can see the public connections between your accounts. But what if someone forces you to disclose it? The government may enforce the disclosure of secret values to view all activities. Employers may also set the disclosure of complete public information as a condition for employment. Some applications may even technically require users to disclose their identity in other applications to allow registration for use.

Although coercion risks can be reduced through design optimization, such as using multi-party computation mechanisms to generate application-specific IDs, this cannot completely eliminate the risks and may also bring about other drawbacks.

cannot solve non-privacy-related risks

All forms of identification have edge cases:

• Government-issued identities cannot cover stateless individuals.
• Multiple nationality holders may receive unique privileges.
• Identification issuing authorities may be subject to hacking or exploitation by hostile forces.
• Biometric identification may be completely ineffective for some people.
• Biometric identification may be deceived by imitations.

These edge cases pose the greatest threat in systems attempting to maintain the "one person, one identification" attribute, and are unrelated to privacy. Therefore, zk-SNARKs are powerless against this.

The Necessity of Identification Systems

In some groups, there is a proposal to rely entirely on "proof of wealth" to prevent Sybil attacks, rather than building any form of identification system. By imposing a certain cost on each account, it can prevent someone from easily creating a large number of accounts. However, this scheme is not applicable in certain types of scenarios, especially in "universal basic income-like scenarios" and "governance-like scenarios."

identification needs in the scenario of universal basic income

The "Universal Basic Income-like scenario" refers to situations where a certain amount of assets or services needs to be distributed to a very broad user base, regardless of their payment ability. The main goal of such scenarios is to enable people to obtain a sufficient amount of cryptocurrency to complete some basic on-chain transactions and online purchases, such as acquiring ENS names, publishing hashes on-chain to initialize a digital identity using zk-SNARKs, and paying fees for social media platforms.

Another way to achieve a similar effect is "Universal Basic Services": providing every individual with identification the ability to send a limited number of free transactions within specific applications. This method may align better with incentive mechanisms and have higher capital efficiency, but its universality will decrease.

In addition, "Universal Basic Margin" is also an important category. One of the functions of identification is to provide a subject for accountability without requiring users to pledge funds equivalent to the scale of incentives.

identification needs in governance scenarios

In the voting system, if User A's resources are 10 times that of User B, then their voting power will also be 10 times that of B. However, from an economic perspective, each unit of voting power brings A 10 times the benefit that it brings to B. This leads A to invest significantly more effort in participating in the voting process, and they may even strategically manipulate the algorithm.

The deeper reason is that the governance system should not assign equal weight to "one person controlling $100,000" and "1,000 people jointly holding $100,000". The latter represents 1,000 independent individuals, containing richer and more valuable information, rather than the highly repetitive low-volume information.

This indicates that governance-like systems need to understand the internal coordination level of funding bundles, rather than simply assigning weight based on the scale of funds.

Ideal State: The cost of obtaining N identifications is N²

Based on the above arguments, we hope to obtain multiple identifications as easily as possible under the following constraints: ( to limit the power of large entities in governance-like applications; ) to restrict abusive behavior in applications for universal basic income.

The ideal answer is: if having N identities brings an influence of N², then the cost of obtaining N identities should be N². This answer is applicable to applications related to universal basic income and governance.

Multi-identity System: A Path to Achieving the Ideal State

The multi-dimensional identification system refers to an identification mechanism that does not have a single dominant issuing institution. This can be achieved in two ways:

1. Explicit multi-dimensional identification ( is also known as "social graph-based identification" ): you can verify your identity through the proofs of other people in your community.

2. Implicit Multiple Identities: There are numerous different identity providers, and the application is compatible with various identity authentication methods.

Explicit multiple identities naturally possess anonymity: you can have multiple anonymous identities, each of which can establish a reputation in the community through its own actions. zk-SNARKs will make anonymity easier to achieve, allowing you to use your main identity to initiate an anonymous identity.

The "cost curve" of latent multi-dimensional identity is steeper than a quadratic curve, yet still possesses most of the required characteristics. It provides the necessary deterrent against governance attacks and other abuses while ensuring that coercers cannot demand you to disclose a fixed set of identification.

Any form of a multi-identity system naturally has stronger fault tolerance: individuals with hand or eye disabilities may still hold a passport, and stateless persons may also prove their identification through certain non-governmental channels.

It is important to note that if the market share of a certain form of identification approaches 100% and becomes the only login option, then the aforementioned characteristics will fail. This is the biggest risk that identity systems overly pursuing "universality" may face.

In my opinion, the ideal outcome of the current "one person, one identity" project is to integrate with a social graph-based identity system. The "one person, one identity" system can be used to provide initial support for the social graph, creating millions of "seed users" to develop a globally distributed social graph.