Zero-Knowledge Proof: ZKP

Last updated: 2/9/2026
Reading time: 5 min

Full Name: Zero-Knowledge Proof

Definition

A Zero-Knowledge Proof (ZKP) is a cryptographic protocol that enables one party (the prover) to convince another party (the verifier) that a specific statement is true, without revealing any information beyond the truth of the statement itself. Formally defined by Goldwasser, Micali, and Rackoff in 1985, a zero-knowledge proof must satisfy three properties: completeness (if the statement is true, an honest prover can convince an honest verifier), soundness (if the statement is false, no cheating prover can convince an honest verifier except with negligible probability), and zero-knowledge (the verifier learns nothing beyond the truth of the statement; the proof can be "simulated" without access to the prover's secret information).

In the EUDI Wallet ecosystem, ZKPs represent the theoretical ideal for privacy-preserving credential presentations: they would allow a wallet holder to prove arbitrary statements about their credential attributes (such as "I am over 18", "my nationality is within the EU", or "I hold a valid professional qualification") without revealing any additional information about the underlying attribute values. While the current EUDI Wallet specification uses SD-JWT selective disclosure (which reveals full attribute values for selected claims), ZKP-based credential systems such as BBS+ signatures and SNARK/STARK-based proofs are under active development and standardization, with potential for integration in future EUDI Wallet versions to provide even stronger privacy guarantees.

Zero-Knowledge Proofs: How They Work

To understand zero-knowledge proofs intuitively, consider the classic "Ali Baba cave" analogy. A cave has a circular tunnel with a door in the middle that opens only with a secret password. The prover wants to demonstrate they know the password without revealing it. The verifier waits outside while the prover enters the tunnel and goes either left or right. The verifier then shouts which direction the prover should exit from. If the prover knows the password, they can always exit from the requested side (using the door if necessary). If they do not know the password, they can only succeed 50% of the time. After many rounds, the verifier becomes convinced the prover knows the password, but the verifier never learns the password itself.
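The cave protocol and the three properties from the definition can be run as a one-bit-challenge proof of knowledge of a discrete logarithm. This is an added example, not code from the original page; the group parameters and all function names are assumptions chosen for illustration, and the group is far too small for real use.

```python
import secrets

# Toy group, constructed for illustration and far too small for real use:
# P = 2Q + 1 with P and Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1   # the secret "password", 1 <= x < Q
    return x, pow(G, x, P)             # public statement: y = G^x mod P

def commit():
    r = secrets.randbelow(Q)           # prover picks a tunnel (random nonce)
    return r, pow(G, r, P)             # commitment t = G^r sent to verifier

def respond(x, r, c):
    return (r + c * x) % Q             # the secret is needed only when c == 1

def verify(y, t, c, s):
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def simulate(y, c):
    """Accepting round for a challenge known in advance, built without x."""
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, -c, P)) % P   # solve the check for t
    return t, c, s

def honest_run(x, y, rounds):
    """Completeness: a prover who knows x passes every round."""
    for _ in range(rounds):
        r, t = commit()
        c = secrets.randbelow(2)       # verifier shouts "left" or "right"
        if not verify(y, t, c, respond(x, r, c)):
            return False
    return True

def cheating_run(y, rounds):
    """Soundness: without x the prover must guess c before committing."""
    for _ in range(rounds):
        t, guess, s = simulate(y, secrets.randbelow(2))
        c = secrets.randbelow(2)       # real challenge arrives after t is fixed
        if not verify(y, t, c, s):     # fails whenever c != guess
            return False
    return True                        # happens with probability 2**-rounds

if __name__ == "__main__":
    x, y = keygen()
    print("honest prover, 40 rounds:", honest_run(x, y, 40))
    print("cheating prover, 40 rounds:", cheating_run(y, 40))
    print("simulated round verifies:", verify(y, *simulate(y, 1)))
```

`simulate` produces rounds with the same distribution as honest ones without ever touching `x`, which is why a recorded transcript teaches the verifier nothing; the same trick is the cheating prover's only strategy, and it works only when the challenge is guessed correctly.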

In the digital identity context, the "statement" being proved is a predicate about credential attributes, and the "secret" is the actual attribute values. For example, to prove "age >= 18", the prover (wallet) constructs a mathematical proof that their date of birth (the secret) satisfies the predicate "current date minus date of birth >= 18 years" without including the date of birth in the proof. The proof is a mathematical object that the verifier can check efficiently, and the mathematical properties of the proof system guarantee that the verifier cannot extract the date of birth from the proof.

Modern ZKP systems used in digital identity fall into two main categories. BBS+ signatures (now being standardized through the IETF) enable "signature-based ZKPs" where the credential issuer signs all attributes using a special signature scheme that allows the holder to create derived proofs disclosing only selected attributes or predicates. zk-SNARKs and zk-STARKs (Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge/Scalable Transparent Arguments of Knowledge) enable more general-purpose ZKPs where arbitrary computational statements can be proved, offering greater flexibility but higher computational complexity. Both approaches are being explored for EUDI Wallet integration.

ZKPs vs. SD-JWT: Privacy Trade-offs in the EUDI Wallet

The current EUDI Wallet uses SD-JWT (Selective Disclosure JSON Web Token) for privacy-preserving credential presentations. SD-JWT provides "attribute-level selective disclosure": the wallet chooses which complete attribute values to reveal, and the unrevealed attributes remain hidden. This is a significant privacy improvement over presenting the full credential, but it has limitations. If the verifier needs to know whether the holder is over 18, the holder must reveal their full date of birth (the verifier can then compute the age). SD-JWT cannot prove "age >= 18" without disclosing the date of birth value.
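The sketch below shows the salted-hash disclosure mechanism behind SD-JWT's attribute-level disclosure, and what the verifier ends up holding after an age check. It is an added example, not code from the original page or from any wallet implementation; the issuer signature over the payload and holder key binding are omitted, and the function names and sample credential are assumptions constructed for illustration.

```python
import base64, hashlib, json, secrets
from datetime import date

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_disclosure(name, value):
    """Disclosure = base64url(JSON [salt, claim name, claim value])."""
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value]).encode())

def digest(disclosure):
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def issue(claims):
    """Issuer: return (payload to be signed, disclosures handed to the wallet)."""
    disclosures = {n: make_disclosure(n, v) for n, v in claims.items()}
    payload = {"_sd_alg": "sha-256",
               "_sd": sorted(digest(d) for d in disclosures.values())}
    return payload, disclosures

def verify_presentation(payload, presented):
    """Verifier: accept a disclosure only if its digest is in the signed _sd list."""
    revealed = {}
    for d in presented:
        if digest(d) not in payload["_sd"]:
            raise ValueError("disclosure does not match any issuer digest")
        _salt, name, value = json.loads(base64.urlsafe_b64decode(d + "=" * (-len(d) % 4)))
        revealed[name] = value
    return revealed

def is_over_18(birthdate_iso, today_iso):
    b, t = date.fromisoformat(birthdate_iso), date.fromisoformat(today_iso)
    return t.year - b.year - ((t.month, t.day) < (b.month, b.day)) >= 18

def age_check_demo():
    # Constructed sample credential, not real data.
    claims = {"given_name": "Erika", "birthdate": "1990-05-17", "nationality": "DE"}
    payload, disclosures = issue(claims)
    # The wallet withholds name and nationality and presents only the birthdate.
    revealed = verify_presentation(payload, [disclosures["birthdate"]])
    return revealed, is_over_18(revealed["birthdate"], "2026-02-09")

if __name__ == "__main__":
    revealed, adult = age_check_demo()
    print("verifier now holds:", revealed, "| over 18:", adult)
```

The name and nationality stay hidden behind their salted digests, but the verifier still receives the exact birthdate in order to compute the age.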

Zero-knowledge proofs provide "predicate-level selective disclosure": the wallet proves a statement about attributes without revealing the attribute values. This is strictly more powerful than SD-JWT's attribute-level disclosure. For the age verification example, a ZKP proves "date of birth implies age >= 18" without revealing the date of birth. The verifier learns only that the person is old enough, nothing more. For income verification, a ZKP proves "income >= threshold" without revealing the exact income. For geographic verification, a ZKP proves "postal code is within region X" without revealing the exact postal code.

The trade-off is computational complexity and proof size. SD-JWT operations (hashing, signature verification) are computationally lightweight and well-suited to mobile devices. ZKP operations (elliptic curve pairings for BBS+, polynomial evaluations for SNARKs) are more computationally intensive, with proof generation times measured in hundreds of milliseconds to seconds depending on the proof system and the complexity of the statement being proved. Proof sizes vary: BBS+ proofs are relatively compact (hundreds of bytes), while SNARK proofs can be larger. For QR code-based presentation scenarios with limited data capacity, proof size matters. The EUDI Wallet specification must balance privacy benefits against practical performance and usability constraints.

Future of ZKPs in the EUDI Wallet Ecosystem

Several standardization efforts are working toward making ZKP-based credentials practical for the EUDI Wallet. The IETF is standardizing BBS+ signatures (draft-irtf-cfrg-bbs-signatures) that would enable efficient ZKP-based selective disclosure for verifiable credentials. The W3C Verifiable Credentials Data Model 2.0 includes provisions for zero-knowledge proof-based credentials. The ISO/IEC 18013-5 amendment process is considering ZKP extensions for mobile driving licences. If these standards mature and implementations prove stable and performant on mobile devices, the EUDI Wallet Architecture Reference Framework could add ZKP-based credential formats as a third option alongside SD-JWT and mDoc.

The BBS+ signature scheme is particularly promising for the EUDI Wallet because it builds on the same issuer-holder-verifier model as the current SD-JWT approach. The issuer signs all credential attributes using a BBS+ signature (instead of a standard ECDSA signature). The holder can then create derived proofs that selectively disclose specific attributes or prove predicates about attributes, all while maintaining the issuer's cryptographic guarantee. The transition from SD-JWT to BBS+ would be relatively smooth from a protocol perspective, as the OpenID4VCI and OpenID4VP protocols can accommodate different proof formats.

Beyond BBS+, more advanced ZKP applications are being researched for digital identity. These include anonymous credentials (credentials that can be presented without any correlation between presentations, providing perfect unlinkability), credential composition proofs (proving statements that combine attributes from multiple credentials, such as "my age credential shows I am over 18 AND my residency credential shows I live in Germany"), and range proofs with policy compliance (proving "my income is sufficient for this loan" based on a lender's predefined threshold without revealing the income or the threshold). These advanced applications could transform the EUDI Wallet from a document digitization tool into a truly privacy-first identity infrastructure.

Examples

  • Prove age over 18 without showing birthdate
  • Prove EU residency without revealing the specific country
  • Prove income above a threshold without disclosing the exact amount
  • Prove a professional qualification is valid without revealing qualification details
