Zero-Knowledge Proofs (ZKPs) are a class of cryptographic techniques that allow one party (the prover) to prove to another party (the verifier) that a statement is true, without revealing any information beyond the validity of the statement itself. In the context of Digital Public Infrastructure (DPI) and digital identity systems, ZKPs are particularly relevant as tools for enhancing privacy, trust and security.
Using DPI systems, relying parties often require individuals to prove something about themselves—their age, citizenship, residence, qualifications, or eligibility for a service. Traditionally, these proofs require the user to reveal more data than necessary. For instance, proving that one is over 18 often involves showing an ID card, which also reveals a name, address, and national ID number.
Zero-Knowledge Proofs change this by allowing users to prove a fact ("I am over 18") without disclosing the underlying personal data (e.g. date of birth). This aligns closely with the principles of data minimisation and selective disclosure, both of which are essential for trustworthy DPI systems.
<aside> 💡
Zero-Knowledge Proofs allow a user to show that they are above 18 years old without revealing their date of birth. Or to prove that they are a resident and social worker without revealing their address or employer.
</aside>
ZKPs enable authentication without identification. A user can demonstrate eligibility for a service without revealing who they are. This reduces the risk of tracking and profiling, especially in digital ID systems.
By using ZKPs, repeated interactions with different services remain unlinkable. A person verifying their student status at different institutions won’t leave a common digital trail.
Since no actual personal data is shared, the attack surface for data breaches is dramatically reduced. ZKPs enforce privacy even in the case of compromised infrastructure. Since no personal information is transmitted, even if the system gets hacked, there simply is no data that can be stolen or misused.
Users maintain control over their information and can choose what to disclose, when, and to whom. This enhances trust in digital identity ecosystems and DPI more broadly.
ZKPs can be computationally intensive, particularly on low-end devices or networks with limited capacity. This poses implementation challenges in Global Majority Countries, where device quality and connectivity vary widely.
Although no individual personal information is transmitted via ZKP, it can still reveal the persons identity by asking an increasing number of questions that allows an attacker to identify the user. When enough questions about someones demographic and characteristics are asked, the person can be revealed. The game Akinator gives a good indication how easy it can be to identify someone with just 5 questions. Even if the person can’t be identified by name, it could be enough to single out and track the user across websites.