Web3 KYC: An in-depth look at zCloak's zk-SBT solution

Preface

In Web3, many issues need to be reconsidered. For example, how to complete KYC in the Web3 environment, how to strike a balance between the requirements for verifying user identity attributes and user privacy protection requirements, and how to truly realize personal data sovereignty? zCloak has been actively exploring solutions to these problems - and we are excited to introduce zk-SBT, a groundbreaking solution that will redefine the Web3 KYC process.

EXISTING ISSUES

There are many problems in the traditional KCY process. For example, Alice wants to participate in a chain game that needs to complete age verification. If the game platform needs to independently verify Alice's age, Alice is required to upload her identity documents, or even biometric data. For game platforms, due to the restrictions of regulations such as the General Data Protection Regulation (GDPR), these operations are very complicated, will incur high costs, and do not conform to the main business of blockchain games. For Alice, the KYC process is also a burden because it needs to be repeated every time she accesses a service that requires some form of authentication, and the risk of identity data leakage increases with the number of authentications Increase.

Therefore, we can't help but wonder if there is a better solution in Web3 that allows Alice to complete the KYC process only once and use it across platforms, so that service providers can also focus more on their core business development without distraction Implementation of authentication solutions and management of user data. Let's explore zCloak Network's solution.

zCloak Network's KYC Solution

User Owns Data: In zCloak Network's zk-SBT solution, Alice's data is not stored in each service provider's database, but on Alice's device - enabling her to own her own Data autonomy. When a service requires authentication, Alice does not need to share her original data, but instead uses her previously authenticated data, certified by a trusted entity and stored as a Verifiable Digital Credential (VC). This approach both ensures Alice's control over her data and satisfies the service provider's authentication needs.

It should be noted that the prerequisite for "users own their own data" is that the data is stored locally on the user. The data stored in the cloud or on the blockchain network is visible and available to everyone, and third parties do not need the consent and approval of the user to use the data, so it is not considered data owned by the user.

"Users own data" is not only the core value of Web3, but also the core difference between zCloak Network's technical solutions and other privacy DID/KYC solutions on the market.

Off-chain VC and on-chain zk-SBT: In order to protect privacy, the VC containing Alice's verification data is stored off-chain - on Alice's device. When Alice needs to prove a certain attribute of her identity, she can generate a zk-SBT through VC. This zk-SBT is stored on-chain and serves as tamper-proof and traceable evidence of KYC results, but does not reveal sensitive data contained in VC. Using the form of VC as the source of data storage can not only ensure the authenticity of the data through digital signatures and timestamps, but also convert it into common token forms on chains such as SBT when necessary, which can simultaneously ensure user privacy and Good interoperability.

User-side ZK calculations for multiple identity checks: The zk-SBT solution allows user-side calculations to meet various identity verification needs, such as age, nationality, income level, credit points, etc. This means that Alice's VC can be reused multiple times for different identity checks, generating a new zk-SBT each time. In this process, Alice's data is "cloaked", and the verifier can verify Alice's attributes without accessing Alice's original data.

For other privacy DID/KYC solutions currently on the market, after the verification conditions of the verifier change, the user needs to go to the official institution to regenerate the certificate. and intent, will leak user privacy, which is a method of using user data that requires permission. The zCloak solution supports one-time issuance of data, which can be adapted to various verification scenarios, and does not require any interaction between users and official institutions. It is a permission-free data usage method to protect privacy. This is also the biggest advantage brought by the combination of local zero-knowledge proof computing technology after users have their own data.

Phase 1: Authenticate KYC, issue VC

In the first phase, we start the KYC process where a trusted entity authenticates the user and issues a verifiable digital certificate (VC). The platform will act as a trusted entity, authenticating Alice's identity using various methods such as document verification, biometric verification, and other authentication techniques.

After successfully completing the KYC authentication, the trusted entity will issue a VC for Alice, which contains Alice's basic identity information, including name, age, nationality, and address. To facilitate the selective disclosure of specific attributes in subsequent computations, VC employs a built-in Merkle tree data structure—a design that allows efficient and secure disclosure of necessary information without compromising the confidentiality of the entire credential.

Second stage: ZKP calculation

In the second stage, Alice's VC will be used as input to the zero-knowledge proof (ZKP) calculation to verify a certain attribute of Alice, such as age. By using the proof logic of the Polygon Miden VM implemented based on WASM, the ZKP calculation is carried out in the zk-STARK VM in the user's wallet. This proves that Alice is old enough to join the gaming platform without revealing her exact age.

Miden VM utilizes advanced cryptographic techniques such as polynomial commitment and evaluation protocols to perform secure computations. These techniques ensure that calculations are performed correctly and securely without revealing any private information. The input data from VC will be used as the private input of ZK calculation, and will be kept secret from the outside world throughout the process. The core of ZKP calculation is zkProgram——define the logic and rules of calculation, and specify the properties that need to be proved. The zkProgram takes input data from the VC and, by applying the necessary calculations and transformations, produces an output representing attributes of the user's data, such as income above $10,000. The output of the ZK calculation will be accompanied by a STARK proof. The verifier uses the output of the computation, the ZK proof, and the ZK program for the final verification process. If everything matches, the validator will generate a "pass" result.

zCloak has currently prepared a "no-code" zkProgram development tool on the web page, which can be used by the verifier to perform various verification calculations on user data according to the laws and regulations of the country where it is located. "No-code" development tools can greatly reduce the development threshold of zkProgram, even people with no programming experience can easily use it, which is really ready for the popularization and promotion of zero-knowledge proof technology.

Phase 3: Create zk-SBT

After successfully completing the ZKP calculation and verification, Alice can then create a zk-SBT on the chain. This involves generating a unique token that links back to the ZKP computation and associates it with Alice's on-chain address. zCloak uses cryptographic techniques including hashing and digital signatures to achieve this association.

zk-SBT itself does not contain any sensitive personal data. Instead, it acts as a reference to the ZKP calculation results, providing verifiable evidence for the proven properties. For example, instead of saying that Alice is 28 years old and from Thailand, zk-SBT would say that she is an adult from Asia. By associating the zk-SBT with Alice's identifier, it becomes a tamper-resistant representation of Alice's verified attributes stored on the blockchain.

zk-SBT stored on the blockchain is transparent and immutable. Other participants in the network can verify the authenticity and correctness of zk-SBT by verifying the relevant ZKP calculation results and Alice's identity. This ensures a trusted and reliable KYC process, as zk-SBT provides a secure, tamper-proof representation of verified properties.

Phase 4: Using zk-SBT

The last stage is Dapp using Alice's zk-SBT. The third-party Dapp can verify the authenticity of Alice's identity attributes and its underlying VC without accessing the original data. Verification takes place on-chain, while relevant VCs are securely stored off-chain.

The zCloak Network team provides an example smart contract using zk-SBT data. Any third-party Dapp can add user identity checking logic to its existing products by reusing these contracts. The idea is to make as few changes to existing smart contracts as possible, that is, Dapps can use user identity data to provide a better user experience with almost no modification.

zk-SBT’s advantages in KYC scenarios

There are several significant advantages of using zk-SBT in the KYC scenario:

1. Privacy Protection: zk-SBT uses ZKP to provide privacy protection. A zk-SBT represents a ZKP, and this ZKP is used to prove the user's assertion based on VC, so there is no need to disclose sensitive data stored on VC. For example, Alice can prove that she is of legal age to use the gaming platform without revealing her exact age. This promotes privacy in blockchain interactions.

2. Decentralization and trustlessness: zk-SBT embodies the principles of decentralization and trustlessness of Web3. Unlike traditional KYC processes in centralized institutions that require trust, zk-SBT transfers trust to mathematical proofs, allowing Alice to maintain control of her data without requiring access to her original data. , confirming the authenticity of the proof by verifying .

3. Performance: Using Miden VM for calculation improves the performance of zk-SBT. This technology enables fast, secure and scalable computation and verification even with large data volumes or user numbers. Elimination of the trusted setup, and simplification of the minting and validating zk-SBT process makes the KYC process more efficient and robust.

4. Reusability: zk-SBT has remarkable reusability. Traditional KYC processes often require repeated verification steps on different platforms. zk-SBT removes this redundancy. The zk-SBT minted by Alice can be reused across platforms and services, adhering to the principle of "do it once, use it everywhere". This reusability saves time and resources and enhances the user experience.

All in all, zk-SBT leverages ZKPs and zk-STARK VMs to maintain privacy, decentralization and trustlessness, and is changing the KYC landscape in the Web3 era. Its unique reusability eliminates redundancy, improving performance and user experience. Currently, zCloak's zk-SBT is in testing and has been deployed on optimismGoerli, baseGoerli, and Linea testnets. We are about to deploy contracts on major Ethereum ecological mainnets in August. For the latest developments, follow our social media channels.