Vitalik: Multiple dilemmas under digital identity + ZK technology

2025/07/02 21:00

By: Vitalik Buterin

Compiled by: Saoirse, Foresight News

Today, the use of zero-knowledge proofs to protect privacy in digital identity systems has become mainstream to a certain extent. Various zero-knowledge proof passport projects are developing extremely user-friendly software packages that let users prove they hold a valid ID without revealing any details of their identity. World ID (formerly Worldcoin), which uses biometrics for verification and zero-knowledge proofs to protect privacy, recently exceeded 10 million users. A digital identity government project in Taiwan uses zero-knowledge proofs, and the European Union is also paying more attention to zero-knowledge proofs in its work in the field of digital identity.

On the surface, the widespread adoption of digital identities based on zero-knowledge proof technology would seem to be a big win for d/acc. It can protect our social media, voting systems, and various Internet services from Sybil attacks and bot manipulation without sacrificing privacy. But is it really that simple? Are there still risks with identities based on zero-knowledge proofs? This article will clarify the following points:

  • Zero-knowledge proof wrapping (ZK-wrapping) solves many important problems.
  • There are still risks in identities wrapped in zero-knowledge proofs. These risks seem to have little to do with biometrics or passports. Most of the risks (privacy leakage, susceptibility to coercion, system errors, etc.) mainly come from rigidly maintaining the "one person, one identity" property.
  • The other extreme, using "proof of wealth" to counter Sybil attacks, is not enough in most application scenarios, so we need some kind of "quasi-identity" solution.
  • The theoretical ideal is somewhere in between, where the cost of obtaining N identities is N².
  • This ideal state is difficult to achieve in practice, but appropriate "multiple identities" are close to it and are therefore the most realistic solution. Multiple identities can be explicit (such as identities based on social graphs) or implicit (multiple types of zero-knowledge proof identities coexist, and no one type has a market share close to 100%).

How do zero-knowledge proof wrapped identities work?

Imagine getting a World ID by scanning your eyeball, or getting a zero-knowledge proof passport identity by scanning your passport with your phone’s NFC reader. For the purposes of this article, the core properties of both approaches are the same (with only a few marginal differences, such as multiple citizenship).

On your phone, there is a secret value s. In a global on-chain registry, there is a public hash value H(s). When you log in to an app, you generate a user ID specific to that app, H(s, app_name), and prove with a zero-knowledge proof that this ID and a public hash value in the registry are derived from the same secret value s. Therefore, each public hash value can only generate one ID for each app, but the proof never reveals which public hash value a specific app ID corresponds to.

In fact, the design may be more complicated. In World ID, the application-specific ID is actually a hash value containing the application ID and the session ID, so different operations within the same application can also be decoupled from each other. The design based on zero-knowledge proof passports can also be built in a similar way.

Before we get into the downsides of this type of identity, it’s important to first recognize the benefits it brings. Outside of the niche of zero-knowledge proof identities (ZKIDs), you have to reveal your full legal identity in order to prove yourself to services that require authentication. This is a serious violation of the “principle of least privilege” in computer security: a process should only have the minimum permissions and information it needs to complete its task. These services only need proof that you are not a robot, that you are over 18, or that you are from a specific country, but what they get is a pointer to your full identity.

The best improvement that can be achieved at present is to use indirect tokens such as phone numbers and credit card numbers: in this case, the entity that knows the association between your phone/credit card number and in-app activities is separated from the entity (company or bank) that knows the association between your phone/credit card number and legal identity. But this separation is extremely fragile: phone numbers, like other types of information, can be leaked at any time.

With the help of zero-knowledge proof wrapping (ZK-wrapping, a technique that uses zero-knowledge proofs to protect identity privacy, allowing users to prove their identity without revealing sensitive information), the above problems have been largely solved. But what I want to discuss next is a less mentioned point: there are still some problems that are not only unsolved, but may even be exacerbated by the strict "one person, one identity" limitation of such solutions.

Zero-knowledge proofs alone cannot achieve anonymity

Assume that a zero-knowledge proof identity (ZK-identity) platform operates exactly as expected, strictly reproduces all the above logic, and even finds a way to protect the private information of non-technical users for a long time without relying on centralized institutions. But at the same time, we can make a realistic assumption: applications will not actively cooperate with privacy protection, they will adhere to the principle of "pragmatism", and the design solutions they adopt, although under the banner of "maximizing user convenience", always seem to favor their own political and commercial interests.

In such a scenario, social media applications would not use complex designs such as frequently rotating session keys, but would assign each user a unique application-specific ID, and since the identity system follows the "one person, one identity" rule, users can only have one account (this is in contrast to today's "weak IDs", such as Google accounts, where the average person can easily register about 5). In the real world, anonymity usually requires multiple accounts: one for the "regular identity" and others for various anonymous identities (see "finsta and rinsta"). Therefore, under this model, the actual anonymity that users can obtain is likely to be lower than the current level. In this way, even a "one person, one identity" system wrapped in zero-knowledge proofs may gradually lead us to a world where all activities must be attached to a single public identity. In an era of increasing risks (such as drone surveillance), depriving people of the option to protect themselves through anonymity will have serious negative consequences.

Zero-knowledge proofs alone cannot protect you from coercion

Even if you never disclose your secret value and no one can see the public connections between your accounts, what if someone forces you to disclose it? A government could force you to reveal your secret value so that it can see all your activity. This is not a hypothetical concern: the US government has begun requiring visa applicants to disclose their social media accounts. In addition, employers can easily make the disclosure of full public profiles a condition of employment. Even individual apps may technically require users to reveal their identities on other apps before they are allowed to sign up (this is done by default when logging in with the app).

Similarly, in these cases, the value of the zero-knowledge proof attribute is lost, but the disadvantages of the new attribute of "one person, one account" still exist.
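The derivation described under "How do zero-knowledge proof wrapped identities work?" and the coercion problem above can be seen side by side in a short model. This is an added example, not code from the article or from any identity project: SHA-256 with domain tags stands in for H, the app names and secrets are constructed, and the zero-knowledge proof is replaced by checking its statement in the clear.

```python
import hashlib

def H(*parts: bytes) -> str:
    """SHA-256 over length-prefixed parts; an assumed stand-in for the hash H."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.hexdigest()

def commitment(s: bytes) -> str:
    return H(b"registry", s)                      # public H(s) in the registry

def app_id(s: bytes, app_name: str) -> str:
    return H(b"app", s, app_name.encode())        # H(s, app_name)

def session_id(s: bytes, app_name: str, session: str) -> str:
    # Variant where the hash also covers a session ID, decoupling actions
    # inside one application from each other.
    return H(b"session", s, app_name.encode(), session.encode())

def statement_holds(s: bytes, uid: str, app_name: str, registry: set) -> bool:
    """The relation the zero-knowledge proof attests to, checked in the clear.

    A real system proves this without revealing s or which registry entry
    matched; no proof system is implemented here.
    """
    return commitment(s) in registry and app_id(s, app_name) == uid

class App:
    """Hypothetical application keeping one account per app-specific ID."""
    def __init__(self, name: str):
        self.name = name
        self.accounts = set()

    def signup(self, uid: str, proof_ok: bool) -> bool:
        if not proof_ok or uid in self.accounts:
            return False                          # bad proof or second account
        self.accounts.add(uid)
        return True

def link_accounts(s: bytes, apps) -> dict:
    """Recompute every app ID from a disclosed s and match it to accounts."""
    return {a.name: app_id(s, a.name)
            for a in apps if app_id(s, a.name) in a.accounts}

if __name__ == "__main__":
    # Constructed sample secrets and app names, for illustration only.
    alice, bob = b"\x01" * 32, b"\x02" * 32
    registry = {commitment(alice), commitment(bob)}
    forum, chat = App("forum.example"), App("chat.example")
    for s in (alice, bob):
        for app in (forum, chat):
            uid = app_id(s, app.name)
            app.signup(uid, statement_holds(s, uid, app.name, registry))
    # Without s, the two apps' ID sets share nothing to join on.
    print("shared IDs across apps:", forum.accounts & chat.accounts)
    # A second signup derived from the same s is refused.
    print("second account:", forum.signup(app_id(alice, forum.name), True))
    # Once s is disclosed, all of that person's accounts link up.
    print("linked with s:", link_accounts(alice, [forum, chat]))
```

The same property that blocks a second account per app (the ID is a deterministic function of s) is what makes a disclosed s sufficient to enumerate every account its holder has.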

We may be able to reduce the risk of coercion through design optimization: for example, using a multi-party computation mechanism to generate the unique ID for each application, with both the user and the service provider participating. In this way, without the participation of the application operator, users cannot prove their unique ID in the application. This makes it harder to force someone to reveal their full identity, but it cannot completely eliminate the possibility, and such solutions have other disadvantages, such as requiring application developers to be real-time active entities, rather than passive on-chain smart contracts (which need no continuous intervention).

Zero-knowledge proofs alone cannot solve non-privacy risks

All forms of identity have edge cases:

  • Government-rooted IDs, including passports, do not cover stateless people or those who do not yet have such documents.
  • On the other hand, such government-based identity systems confer unique privileges on multiple citizenship holders.
  • Passport-issuing agencies could be hacked, and intelligence services in hostile countries could even create millions of fake identities (to manipulate elections, for example, if Russian-style “guerrilla elections” become popular).
  • For those whose relevant biometrics are impaired due to injury or illness, biometric identity becomes completely ineffective.
  • Biometric identities are susceptible to being spoofed by counterfeiters. If the value of biometric identities becomes extremely high, we may even see people cultivating human organs just to “mass produce” such identities.

These edge cases are most harmful in systems that try to maintain the "one person, one identity" property, and they have nothing to do with privacy. Therefore, zero-knowledge proofs cannot help with them.

Relying on "proof of wealth" to prevent Sybil attacks is not enough to solve the problem, so we need some form of identity system

In the pure cypherpunk community, a common alternative is to rely entirely on "proof of wealth" to prevent Sybil attacks, rather than building any form of identity system. By imposing a certain cost on each account, it is possible to prevent people from easily creating a large number of accounts. There is long-standing precedent for this on the Internet. For example, the Something Awful forum requires a one-time fee of $10 to register an account. If the account is banned, the fee will not be refunded. However, this is not a true crypto-economic model in practice, because the biggest obstacle to creating a new account is not paying $10 again, but getting a new credit card.

In theory, it is even possible to make payments conditional: when registering an account, you only need to pledge a certain amount of money, and only lose this money in the rare case that the account is banned. In theory, this can greatly increase the cost of an attack.

This approach works well in many scenarios, but it doesn’t work at all in some types of scenarios. I will focus on two types of scenarios, which I will call “UBI-like” and “governance-like”.

The need for identity in a UBI-like scenario

The so-called "UBI-like scenario" refers to a scenario where a certain amount of assets or services need to be distributed to a very wide (ideally all) user group, regardless of their ability to pay. Worldcoin is systematically practicing this: anyone with a World ID can regularly receive a small amount of WLD tokens. Many token airdrops also achieve similar goals in a more informal way, trying to get at least some of the tokens into the hands of as many users as possible.

Personally, I don’t think such tokens will ever be worth enough to sustain a person’s livelihood. In an AI-driven economy with a thousand times more wealth, such tokens might be worth enough to sustain a living, but even then, government-led programs that are at least backed by natural resource wealth will still play a more important role in the economy. However, I think the problem that these “mini-UBIs” can really solve is: getting people enough cryptocurrency to complete some basic on-chain transactions and online purchases. This might include:

  • Getting an ENS name
  • Publishing a hash on-chain to initialize a zero-knowledge proof identity
  • Paying for social media platforms

If cryptocurrencies are widely adopted around the world, this problem will no longer exist. But at the moment when cryptocurrencies are not yet popular, this may be the only way for people to access non-financial applications and related online goods and services on the chain, otherwise they may not be able to access these resources at all.

Another way to achieve a similar effect is through “universal basic services”: giving everyone with an identity the ability to send a limited number of free transactions within a specific app. This approach may be more incentive-aligned and capital-efficient, as every app that benefits from such adoption can do so without having to pay for non-users; however, it comes with the trade-off of reduced universality (users are only guaranteed access to apps that participate in the program). Even so, an identity solution is still needed to protect the system from spam attacks while avoiding exclusivity that comes from requiring users to pay through a payment method that may not be available to everyone.

The last important category worth highlighting is the "universal basic security deposit". One of the functions of identity is to provide a target that can be used for accountability without requiring users to pledge funds commensurate with the scale of the incentive. This also helps achieve a goal: reducing the dependence of the participation threshold on the amount of personal capital (or even requiring no capital at all).

The need for identity in governance-like scenarios

Imagine a voting system (such as likes and reposts on social media platforms): if user A has 10 times the resources of user B, then his voting power will also be 10 times that of B. But from an economic perspective, the benefit brought to A per unit of voting power is 10 times that brought to B (because A is larger, any decision will have a more significant impact on its economic level). Therefore, overall, A's vote is 100 times more beneficial to itself than B's vote. Because of this, we will find that A will invest much more energy in participating in voting, studying how to vote to maximize its own goals, and may even strategically manipulate the algorithm. This is also the fundamental reason why "whales" can have an excessive influence in the token voting mechanism.

A more general and deeper reason is that the governance system should not give the same weight to "one person controlling $100,000" as "1,000 people holding $100,000". The latter represents 1,000 independent individuals, and therefore contains richer valuable information rather than a high degree of repetition of small amounts of information. Signals from 1,000 people also tend to be more "mild" because the opinions of different individuals tend to cancel each other out.

This applies both to formal voting systems and to “informal voting systems,” such as people’s ability to participate in the evolution of culture by speaking out publicly.

This suggests that a governance-like system would not really be satisfied with treating all bundles of resources of equal size the same, regardless of their source. Instead, the system would need to understand the degree of internal coordination among these bundles.

It should be noted that if you agree with my description framework of the above two scenarios (universal basic income-like scenarios and governance-like scenarios), then from a technical perspective, the need for a clear rule such as "one person, one vote" no longer exists.

  • For UBI-like applications, what is really needed is an identity solution that makes the first identity free and limits the number of identities that can be acquired. The limit effect is achieved when the cost of acquiring more identities is high enough to make it meaningless to attack the system.
  • For governance-like applications, the core requirement is to be able to judge through some indirect indicators whether the resources you are exposed to are controlled by a single entity or a "naturally formed" group with a low degree of coordination.

In both scenarios, identities are still very useful, but the requirement for them to follow strict rules such as "one person, one identity" no longer exists.

The theoretical ideal state is: the cost of obtaining N identities is N²

From the above arguments, we can see that there are two pressures from opposite ends that limit the desired difficulty of obtaining multiple identities in the identity system:

First, there cannot be a clear and visible hard limit on the number of easily accessible identities. If a person can only have one identity, there is no anonymity and they can be coerced into revealing their identity. In fact, even a fixed number greater than 1 is risky: if everyone knows that everyone has 5 identities, you can be coerced into revealing all 5.

Another reason to support this is that anonymity itself is fragile, so a sufficiently large safety buffer is needed. With modern AI tools, it is easy to correlate user behavior across platforms. Through public information such as word usage habits, posting time, posting intervals, and discussion topics, only 33 bits of information are needed to pinpoint a person. People may be able to use AI tools for defense (for example, when I posted content anonymously, I wrote it in French and then translated it into English through a large language model running locally), but even so, I don’t want to completely end my anonymity with a single mistake.

Second, identity cannot be completely tied to finance (i.e., the cost of acquiring N identities is N), because this would make it easy for large entities to gain too much influence (and thus cause small entities to lose their voice altogether). Twitter Blue’s new mechanism reflects this: the $8 per month certification fee is too low to effectively limit abuse, and users have now basically ignored this certification mark.

Furthermore, we may not want an entity with N times the amount of resources to be able to engage in N times more inappropriate behavior with impunity.

To summarize the above arguments, we want to make it as easy as possible to obtain multiple identities while satisfying the following constraints: (1) limiting the power of large entities in governance-like applications; and (2) limiting abuse in UBI-like applications.

If we directly apply the mathematical model of the governance-like application described above, we get a clear answer: if having N identities can bring N² influence, then the cost of obtaining N identities should be N². Coincidentally, this answer also applies to the UBI-like application.

 Regular readers of this blog may notice that this is exactly the same as the chart in an earlier blog post on “quadratic funding”, and this is no accident.

Pluralistic identity can achieve this ideal state

The so-called "pluralistic identity system" refers to an identity mechanism that does not have a single dominant issuing agency, whether the agency is an individual, organization or platform. This system can be achieved in two ways:

  • Explicit pluralistic identity (also known as social-graph-based identity). You can verify your identity (or other claims, such as confirmation that you are a member of a community) through the attestation of other people in your community, and the identities of these attestors are verified through the same mechanism. The article "Decentralized Society" has a more detailed description of this type of design, and Circles is a current example.
  • Implicit pluralistic identity. This is the current situation. There are many different identity providers, including Google, Twitter, similar platforms in various countries, and multiple government-issued IDs. Very few applications only accept one type of identity authentication. Most applications are compatible with multiple types because only in this way can they reach potential users.

 A recent snapshot of the Circles identity graph. Circles is one of the largest identity projects based on the social graph.

Explicit pluralistic identity naturally has anonymity: you can have one anonymous identity (or even multiple), each of which can build a reputation in the community through its actions. An ideal explicit pluralistic identity system might not even require the concept of "discrete identities"; instead, you might have a fuzzy set of verifiable past actions, and be able to prove different parts of it in a granular way as needed for each action.

Zero-knowledge proofs will make anonymity much easier to achieve: you can use a master identity to start a pseudonymous identity, and then privately provide the first signal to get the new pseudonymous identity recognized (e.g., proving that you own a certain amount of tokens to post on anon.world, or proving that your Twitter followers have a certain characteristic). There may be more efficient ways to use zero-knowledge proofs.

The "cost curve" for implicit pluralistic identity is steeper than the quadratic curve, but still has most of the desired properties. Most people have some, but not all, of the identities listed here. You can acquire another with some effort, but the more identities you have, the lower the cost-benefit ratio of acquiring the next one. As a result, it provides the necessary deterrents for governance attacks and other abuses, while ensuring that coercers cannot require (and cannot reasonably expect) you to reveal a fixed set of identities.

Any form of pluralistic identity system (whether implicit or explicit) is inherently more tolerant: people with hand or eye disabilities may still hold a passport, and stateless people may still be able to prove their identity through some non-governmental channels.

It is important to note that if a single identity form reaches 100% market share and becomes the only login option, the above features will fail. In my opinion, this is the biggest risk that identity systems that pursue "universality" too much may face: once its market share approaches 100%, it will push the world from a pluralistic identity system to a "one person, one identity" model, which, as described in this article, has many disadvantages.

In my opinion, the ideal outcome for the current "one person, one identity" projects is to merge with identity systems based on the social graph. The biggest problem facing identity projects based on the social graph is that it is difficult to scale to a large number of users. The "one person, one identity" system can be used to provide initial support for the social graph, creating millions of "seed users", and then the number of users will be large enough to safely develop a global distributed social graph from this foundation.

Special thanks to Balvi volunteers, Silviculture members, and World team members for participating in the discussion.