Once a distant concept, digital identity is now becoming central to how we live, work and interact every day. From boarding a plane to verifying age online, the shift toward digital credentials is accelerating. Governments worldwide are rolling out frameworks like the EU Digital Identity Wallet (EUDI), while companies are experimenting with new ways to verify people without overexposing their personal data.

But with this momentum comes a pressing challenge: How do we build systems that are both trusted and privacy-preserving?

One promising answer lies in zero-knowledge proofs (ZKPs), a cryptographic method that makes it possible to prove something is true without revealing the underlying information. To explore how this concept is moving from research into real-world use, we spoke with two experts at the forefront of this transformation: Matteo Frigo and Abhi Shelat.

Q1: Matteo and Abhi, you both bring decades’ worth of experience in research and cryptography. Can you share how you found yourselves working at the intersection of zero-knowledge proofs and digital identity?

A (Matteo): I have a varied background that includes parallel algorithms, compilers, signal processing, applied mathematics, computer-science theory, and medical devices. In recent years, I was the architect of the Amazon Elastic File System, and one of the early architects of what is now Oracle Cloud Infrastructure. I had heard about zero-knowledge proofs from Silvio Micali in the ‘90s, but I am not really a professional cryptographer. I was kind-of retired when I met Abhi, who was working on ZKP at Google and needed help with the numerical parts of ZKP (e.g. fast Fourier transforms and related algorithms).

A (Abhi): I’ve been working on ZKP since my PhD thesis; a few years ago, Google gave me an opportunity to bring some of the work to practice, and most importantly to work with people like Matteo and Serguei Alleko and others who are incredible engineers. We all believe that the best current application of ZKP protocols is for digital identity, and thus we have thrown ourselves headfirst into that endeavour.

Q2: You’ve said that one of the most promising applications of zero-knowledge proofs today is in digital identity. For readers less familiar with cryptography, how would you describe ZKPs in simple terms? Are there analogies you find especially helpful in making the concept more intuitive?

A (Matteo and Abhi): First, we need to clarify what we mean by ZKP. When we speak of zero-knowledge proofs, we refer to the goal of mathematically proving that a statement about some inputs is true with the explicit goal of hiding the inputs and the reason why the statement is true. More recently, especially in blockchain communities, people have used the term zero-knowledge proof to mean the related notion of succinct proofs, which are designed to support quick verification without necessarily supporting the privacy aspect.

“We use ZKP in its original meaning of information hiding, and I hope that computer scientists and high-quality publications like yours can help to fix this confusion.”

Regarding the analogies: There are several metaphorical attempts on the internet to boil down the essence of ZKP. Some examples include the “knowledge of the path through the cave” story, or the “knowledge of where Waldo is in an image” via the cutout. A friend of ours made a nice video with Wired to explain ZKP, and we recommend readers to check out that video, because it provides several of these folklore vignettes.

What we can add here are a few observations. A mathematical proof consists of a single (often long) message written by a prover and read by a verifier. In contrast, a key idea behind all ZKPs is to allow the verifier to use two extra powers: the power to interrogate (or interact with) the prover by asking questions, and the power of forming random challenges about the statement when interrogating the prover to gain confidence that it is true. These challenges need to be carefully crafted so that they don’t leak any information about why the statement is true.

One of the key gaps between the simple vignettes of ZKP that people hear about, and real-world ZKP is that for any useful statement (such as the ones about your age being over 18), the ZKP scheme typically needs to encode the statement into a mathematical form that allows the verifier to make proper challenges. This step is hard to boil down into a story, but unfortunately a lot of the efficiency of our scheme relates to our ideas on how to do this step.

Q3: Now that we’ve established your focus on zero-knowledge proofs in their original meaning, let’s connect that to your work. In your paper “Anonymous Credentials from ECDSA,” what was the core problem you set out to solve, and how does it move the needle for digital identity frameworks like the EUDI Wallet?

A (Matteo and Abhi): Various governments around the world are planning to deploy verifiable digital identity documents (for example in the EU, US and UK). In addition to giving you a paper passport, the government may give you a document stored in your phone that contains the same information as the passport.

To prevent people from forging passports, the document is cryptographically signed by the government in a way that people cannot forge.

Moreover, to prevent people from copying the document and giving it to somebody else, the document is also cryptographically signed by a “secure area,” a special hardware block in the phone that is designed to be effectively impossible to duplicate. The document can only be used in conjunction with the secure area.

The secure area now becomes a possible risk: If I give a signature from the device element to two parties, then the two parties can detect that the signature came from the same secure area.

Thus, the digital identity schemes about to be deployed suffer from this inherent flaw, that two different presentations of the same document can be linked by sufficiently malicious parties.

The system described in our paper solves this problem. Instead of the phone revealing the document and the signature from the secure area, in our system the phone produces a ZKP that the document has the desired properties (for example, that my name is what I claim it is) and that the signature from the secure area is valid. All this while revealing nothing else about the document or the secure area, and without requiring any changes to all the other parts of the system (e.g., the issuer and their processes).

It has been known for more than 40 years that such a ZKP theoretically exists. Some efforts in the past 10 years have demonstrated systems where such a ZKP could be produced in about one minute, which is too long for the intended use case.

“The essence of our paper is to identify one combination of cryptographic building blocks and implementation techniques that make the generation of the proof possible in about one second on a phone.”

We believe ZKP supports the existing digital ID initiatives of governments globally by providing a technological solution to create both verifiable and privacy-preserving digital IDs. And we’ve already seen positive reception from government bodies, for example the inclusion of this technology in the European Age Verification Solution technical specifications.

Q4: Building on your research, we now see ZKPs moving from theory into practice. Google Wallet recently introduced support for digital IDs with enhanced privacy via ZKPs. How did this initiative come about and why was now the right moment to bring it into a consumer-facing product?

A (Matteo and Abhi): Our goal with this initiative is to make the internet safer and more secure for individuals and businesses. Today we see a gap in scalable, interoperable, and privacy-preserving age and identity verification tools. This absence creates vulnerabilities, creating opportunities for malicious actors. We address this gap by bringing secure, private and interoperable digital identity to people everywhere.

A key step towards this goal is ensuring age and identity verifications can take place without requiring the sharing of any more than the minimum amount of information required. Existing digital credential standards such as ISO 18013-5 build in features like selective disclosure to ensure users can only provide the data elements required for a verification without sharing extraneous elements (e.g. being able to share age above 18 for an online age gate without sharing your full name). However with this approach alone, the digital signature shared with the data elements can potentially be used to track the user.

With zero knowledge proofs, our goal was to close this privacy gap, while also ensuring compatibility with existing issuer implementations of adopted standards and APIs such as ISO 18013-5 (i.e. no re-issuance of credentials required) and the W3C Digital Credentials API. Moreover, we wanted to ensure it would be performant under real-life circumstances, so verifications would work on a wide variety of device hardware while taking only a few seconds to complete.

“The time is also ripe for this technology, with a growing need for anonymous online age verification driven by a shifting regulatory landscape in regions such as the US, UK, and EU. Zero knowledge proofs help us ensure digital credentials can be leveraged for age verification while guaranteeing a high level of privacy.”

Q5: Let’s turn to the user experience. What does the onboarding process look like for someone adding a digital ID to Google Wallet and how do you handle scenarios like lost phones, revocation, or re-issuance of credentials?

A (Matteo and Abhi): Today, users in the US and UK can add digital IDs to Google Wallet and we are working to bring digital IDs to more users across the world. In the US, users in supported states can add their mobile driver's license by completing a verification flow with their issuer in Google Wallet. The verification flow asks users to submit photos of their ID as well as a selfie of their face which are sent to the issuer for verification. Users can also create an ID pass in Google Wallet with their US or UK passport. For ID passes, Google validates the passport directly by asking the user to scan the security chip in their document with their phone and then collects a selfie.

In the event a user loses their phone, the credential can only be accessed with device unlock. Users can also delete their credentials remotely from myaccount.google.com. In the case the device is not connected to the internet, we recommend issuers set a short-lived expiry on the digital security objects on the order of a couple weeks, to ensure the credential cannot be used for an extended period of time without a refresh.

Q6:The progression from research to deployment is always a big leap. Your recent work shows how ZKPs can bridge that gap, with Google Wallet as a great example. Looking ahead now, what are currently still the biggest barriers to widespread adoption of ZKP-based identity systems?

A (Matteo and Abhi): There is a demonstrable need for zero knowledge proof technology used with digital credentials. To encourage adoption, we have already open sourced the technology and are working in relevant standards groups to ensure governments and other industry stakeholders can make effective use.

Beyond this, to grow adoption it’d be valuable to see more uptake from members of the ecosystem such as issuers and relying parties. We are in the early stages of digital credentials which makes this an exciting moment, and if you are an interested party reading this newsletter, we encourage you to learn more and try it out for yourself!

Users in the US and UK can create an ID pass with their passport and then test presenting it with ZKP at our test verifier website. For parties interested in accepting credentials with ZKP visit our developer site for more info.

Turning possibility into reality

The future of digital identity will be shaped by methods like zero-knowledge proofs, stronger global standards and seamless verification solutions.

At Hopae, we help businesses navigate the shift towards digital identity with solutions designed to make digital identity seamless, compliant and user-friendly.

Ready to see what this could look like for your organization?
Request a demo today.

——————————————————————————————————————

About Matteo Frigo and Abhi Shelat

Matteo Frigo received his PhD from the Massachusetts Institute of Technology in 1999. His research interests span parallel algorithms, multi-threaded systems, cache-oblivious algorithms, signal processing, and more recently, zero-knowledge proofs. He has over a decade of experience in the cloud industry, where he designed storage and networking systems for leading cloud platforms. His research has garnered significant accolades, including the Wilkinson Prize for Numerical Software (1999), the ACM Most Influential PLDI Paper Award (2008 and 2009), the SPAA Best Paper Award (2009), and the IEEE FOCS Test of Time Award (2019).

Abhi Shelat received his PhD from the Massachusetts Institute of Technology. His research interests focus on cryptography, including zero-knowledge proofs. He work has been decorated by an NSF CAREER award, a FEST distinguished young investigator award, The Microsoft Research Faculty Fellowship, an SAIC Scholars Award, Awards from Google, Amazon, and Brave, best paper awards at IEEE Oakland S&P (2016) and ACM CCS (2017), and the ACM Student professor of the year award.