Multiple Dilemmas: zk-SNARKs and digital identity systems

The application of zk-SNARKs technology in digital identity systems has gradually become mainstream. Various digital identity projects based on zk-SNARKs are being developed to create user-friendly software, allowing users to prove the validity of their identity without disclosing identity details. The number of World ID users, who adopt biometric technology and protect privacy through zk-SNARKs, has recently surpassed 10 million. Government agencies in regions such as Taiwan, China, and the European Union are also beginning to pay attention to the application of zk-SNARKs in the field of digital identity.

On the surface, the widespread application of zk-SNARKs technology in the digital identity field seems to be a significant victory for decentralized accelerationism (d/acc). It can protect privacy while preventing witch hunts and bot manipulation in social media, voting systems, and more. But is it really that simple? Are there still risks associated with identification based on zk-SNARKs? This article will elaborate on the following points:

• zk-SNARKs technology solves many important problems
• The identity packaged with zk-SNARKs still carries risks, primarily stemming from the strict maintenance of the "one person, one identity" attribute.
• Simply relying on "proof of wealth" to prevent witch attacks is not enough; we need some kind of "identification-like" solution.
• The ideal state is that the cost of obtaining N identifications is N².
• A multi-dimensional identification system is the most realistic solution.

The Operating Mechanism of zk-SNARKs Identification

Assuming you obtained a World ID by scanning your retina, or by scanning your passport with your phone's NFC to get a digital identity based on zk-SNARKs. Your phone will store a secret value s, and there is a corresponding public hash value H(s) in the global blockchain registry. When logging into the app, you will generate a user ID specific to that app, which is H(s, app_name), and verify this ID against a public hash value in the registry using zk-SNARKs to ensure it originates from the same secret value s. This way, each public hash value can only generate one ID for each app, but it will never reveal which public hash value corresponds to a specific app's exclusive ID.

The actual design may be more complex. For example, in World ID, the application-specific ID is a hash value that includes the application ID and session ID, allowing different operations within the same application to be disassociated from each other. The design of passports based on zk-SNARKs can also be constructed in a similar manner.

The zk-SNARKs technology solves many important problems. Beyond the zk-SNARKs identification, users often have to disclose their full legal identity to prove themselves, which seriously violates the "principle of least privilege" in computer security. Currently, the best improvement plan is to use indirect tokens such as phone numbers and credit card numbers, but this separation is extremely fragile, and various types of information may be leaked at any time. The zk-SNARKs technology has largely addressed these issues.

Limitations of zk-SNARKs

cannot achieve anonymity

Assuming a zk-SNARKs identification platform operates completely as expected, strictly reproducing all logic, and has even found a way to protect private information for non-technical users in the long term without relying on centralized institutions. However, at the same time, the application may not actively cooperate with privacy protection, but instead adopt designs that are more favorable to its own political and commercial interests.

In this case, social media applications may assign a unique application-specific ID to each user. Since the identification system follows the "one person, one identity" rule, users can only have one account. In reality, achieving anonymity typically requires multiple accounts: one for the regular identity and others for various anonymous identities. Therefore, in this model, the anonymity that users can actually obtain may be lower than the current level. Even a "one person, one identity" system wrapped in zk-SNARKs may gradually lead us toward a world where all activities must be tied to a single public identity. In an era of increasing risks, depriving people of the choice to protect themselves through anonymity will have serious negative consequences.

cannot withstand coercion

Even if you do not disclose your secret value s, no one can see the public associations between your accounts. But what if someone forces you to disclose it? The government may compel you to reveal your secret value in order to view all your activities. This is not a mere talk: the U.S. government has begun requiring visa applicants to disclose their social media accounts. Furthermore, employers can easily set the disclosure of complete public information as a hiring condition. Additionally, individual applications may also technically require users to disclose their identification from other applications in order to register and use them.

In these cases, the value of the zk-SNARKs attribute is completely lost, but the drawbacks of the "one person, one account" new attribute still exist.

We may be able to reduce coercion risks through design optimization: for example, by adopting a multi-party computation mechanism to generate a dedicated ID for each application, allowing users to participate alongside service providers. This way, if the application operator does not participate, users will not be able to prove their dedicated ID within that application. This will increase the difficulty of forcing others to disclose their complete identification, but it cannot completely eliminate this possibility, and such solutions also have other drawbacks, such as requiring application developers to be active entities in real time, rather than being passive on-chain smart contracts.

cannot resolve non-privacy risks

All forms of identification have edge cases:

• The identification issued by the government cannot cover stateless persons and does not include those who have not yet obtained such documents.
• Government-based identification systems will grant unique privileges to holders of multiple nationalities.
• Passport issuing agencies may be subject to hacking attacks, and intelligence agencies of hostile countries may even forge millions of false identifications.
• For those whose biometric traits are impaired due to injury or illness, biometric identification will be completely ineffective.
• Biometric identification is likely to be deceived by replicas.

These edge cases pose the greatest threat in systems attempting to maintain the "one person one identification" property, and they are completely unrelated to privacy. Therefore, zk-SNARKs are powerless against this.

Limitations of "Proof of Wealth"

In the pure crypto-punk community, a common alternative is to rely entirely on "proof of wealth" to guard against sybil attacks, rather than constructing any form of identification system. By imposing a certain cost on the creation of each account, it can prevent individuals from easily creating a large number of accounts. This practice has precedents on the internet; for example, the Somethingawful forum requires registered accounts to pay a one-time fee of $10, which is non-refundable if the account is banned.

In theory, it is even possible to make payments conditional: when registering an account, you only need to stake a sum of money, which would only be lost in the rare case that the account is banned. Theoretically, this could significantly increase the cost of attacks.

This solution works remarkably well in many scenarios, but it completely fails in certain types of situations. The following focuses on two categories of scenarios: "Universal Basic Income-like scenarios" and "Governance-like scenarios."

The demand for identification in the context of universal basic income scenarios ###.

The "quasi-universal basic income scenario" refers to situations where a certain amount of assets or services is distributed to a very broad user base, regardless of their payment capacity. Worldcoin systematically practices this: anyone with a World ID can regularly receive a small amount of WLD tokens. Many token airdrops also achieve similar goals in a more informal manner, attempting to ensure that at least some tokens reach as many users as possible.

The problem that this type of "small-scale universal basic income" can effectively address is: allowing people to obtain a sufficient amount of cryptocurrency to complete some basic on-chain transactions and online purchases. Specific possibilities may include:

• Acquire ENS name
• Publish a hash on-chain to initialize a digital identity using zk-SNARKs.
• Pay social media platform fees

In addition, there is another way to achieve a similar effect, which is "universal basic services": providing each person with identification the ability to send a limited number of free transactions within specific applications. This method may better align with incentive mechanisms and have higher capital efficiency, as each application benefiting from this adoption can do so without paying for non-users; however, this also comes with certain trade-offs, namely a reduction in universality. Even so, a set of identification solutions is still needed here to prevent the system from suffering from spam attacks while avoiding exclusivity, which arises from requiring users to pay through a certain payment method that may not be accessible to everyone.

The last important category worth emphasizing is "Universal Basic Margin." One of the functions of identification is to provide a subject that can be used for accountability without requiring users to pledge funds equivalent to the scale of incentives. This also helps achieve a goal: reducing the reliance on individual capital amounts for participation.

In governance scenarios, the demand for identification is ###.

In the voting system, if User A's resources are 10 times that of User B, then A's voting power will also be 10 times that of B. However, from an economic perspective, the benefit brought to A by each unit of voting power is 10 times that brought to B. Therefore, overall, the benefit of A's voting to itself is 100 times the benefit of B's voting to itself. This is precisely why we find that A will invest much more effort in participating in voting, researching how to vote to maximize its own goals, and may even strategically manipulate the algorithm. This is also the fundamental reason why "whales" can exert excessive influence in token voting mechanisms.

The more universal and deeper reason is that governance systems should not assign equal weight to "one person controlling 100,000 dollars" and "1,000 people collectively holding 100,000 dollars." The latter represents 1,000 independent individuals, and therefore will contain richer valuable information, rather than a high degree of repetition of small-scale information. The signals from 1,000 people are also often more "moderate," as the opinions of different individuals often offset each other.

This indicates that governance-like systems will not be truly satisfied with the approach of treating "funds of equal scale equally, regardless of their source." The system actually needs to understand the internal coordination levels of these bundles of funds.

It is important to note that if you agree with my framework for describing the two scenarios mentioned above, then from a technical perspective, the need for a clear rule like "one person, one vote" no longer exists.

• For scenarios involving a form of universal basic income, the required identification scheme is: the first identity is free, with a limit on the number of identities that can be obtained. When the cost of obtaining additional identities is high enough to render the act of attacking the system meaningless, the limiting effect is achieved.
• For governance-like scenarios, the core requirement is: to be able to determine through some indirect indicators whether the resource you are dealing with is controlled by a single entity or is part of a "naturally formed", loosely coordinated group.

In these two scenarios, identification is still very useful, but the strict requirement of adhering to rules like "one person, one identity" no longer exists.

Ideal state: The cost of obtaining N identifications is N²

From the above arguments, we can see that there are two pressures from opposite ends limiting the expected difficulty of obtaining multiple identifications in the identity system:

First of all, a clear and visible hard limit cannot be set on the "number of identities that can be easily obtained." If a person can only have one identity, anonymity cannot be discussed, and they may be coerced into revealing their identity. In fact, even a fixed number greater than 1 carries risks: if everyone knows that each person has 5 identities, then you might be coerced.