Zero Knowledge KYC — Verifying Age and Email Ownership with Zero Knowledge Proofs
There are two common things you might want to verify of a user on an online platform: that they are the owner of an email address, and that they are above an age of 18.
However, sharing your data with centralized platforms leaves your personal information subject to data breaches, where unauthorized parties can have access to your identity. Zero Knowledge proofs and modern KYC platforms provide a solution.
Industry-leading KYC platforms are third party providers of identity authentication. We believe this is a good solution to get Quest started today — but there is still the tradeoff that the identification is centralized and verified by an outside party.
We are building a zero knowledge circuit that can verify that users own a certain email address to offer an alternative. These are the details to how it would work.
The difference between RSA and Zero Knowledge
First thing’s first — I wanted to go over the difference between zero knowledge proofs and encryption methods like RSA.
Zero knowledge proofs are more general than RSA — RSA could only prove things about Twitter DNS records if they were the product of two giant primes (which they are not), and we knew both of the prime numbers.
RSA allows you to encrypt data because you know a secret key that corresponds to some public key (you know prime numbers p and q such that N = pq )— but zero knowledge proofs allow you to prove that y= f(x) while keeping x private for any f.
TLDR: With RSA, you only are verifying that you know p and q, two factors of a large prime. With ZKP, you are verifying that you know a private input, x, such that f(x) = y.
Proof that your age > 18
Next, I wanted to dive deeper into how you can use zero knowledge proofs to prove you own a certificate issued by an authority like the government, your birth certificate or, you own an email address linked to a Twitter account.
For your birth certificate, because birth certificates are issued by an authority like the government, you need a signature from the authority that you are the owner of that birth certificate. Then for proving your age is above 18, you then prove in zero knowledge that what the authority signed was your year of birth and it is more than 18 years ago today.
Public Input: Name and hashed birth certificate, hashed certificate
Publish: Proof that what you are saying is true, signed by the issuing authority
Private: Birth certificate itself
Prove you “own an email”
If you wanted to prove that you own an email address, you could hash an email that states you can change a password for the account and publish the output.
Then, you would keep the contents of the email private, including the email header unique to your email address and generate and publish a proof of the hashed contents of the email as well as the public sender domain, your email address.
f(x) = y
The x is the actual contents of the email.
The y is the published hash of the email.
Public Inputs: Hash output of the email
Private Inputs: Actual contents of the email (Email Header unique to your email address)