Zero-Knowledge Identity

On-Chain Credentials Without Exposure

By Byiringiro Thierry · 2026-02

1. Abstract

For a decade, the DeFi-vs-regulators debate has been stuck on the same axis: "permissionless" vs "KYC'd." A protocol that doesn't gate access lets bad actors in. A protocol that gates access via traditional KYC sacrifices the privacy and pseudonymity that drew users to DeFi in the first place.

Zero-knowledge proofs collapse this axis. A user can prove they are over 18, a U.S. taxpayer, not on the OFAC sanctions list, or accredited under SEC Rule 501 — without revealing which jurisdiction they live in, what their name is, or what their wallet history looks like. The protocol gates access on the predicate (eligibility), not the attestation (identity).

This has been technically possible since 2018. It became practically possible in 2024-2026. This paper explains the gap and what closed it.

2. Why "ZK identity is five years away" was true for five years

Three blockers, each of which had to clear:

2.1 Proof systems were too slow. Generating a Groth16 proof for an identity attestation in 2020 took 30-60 seconds on a desktop, longer on mobile. Verifier costs were tractable but prover UX was untenable. A user opening a DeFi app and waiting a minute to "prove I'm not sanctioned" was not going to ship.

2.2 Trusted setup ceremonies were a liability. Groth16 requires a per-circuit trusted setup. Every new credential type needed its own multi-party ceremony — Tornado Cash-style. Operationally expensive, politically risky.

2.3 No legal framework for ZK attestations. A "proof of age" generated by a ZK circuit was, from a regulator's perspective, an unsigned cryptographic statement of unclear legal force. The eSignature equivalents (DocuSign, government-issued attestations) had decades of legal precedent. ZK attestations had none.

By 2026, all three have moved:

  • PLONK-family proof systems (PLONKish, Halo2, UltraGroth) brought down per-circuit prover time to 1-5 seconds on mobile.
  • Universal trusted setup (PowersOfTau-shared, KZG commitments) means new circuits don't need new ceremonies.
  • eIDAS 2.0 (EU, in force April 2026) explicitly recognizes ZK-based attestations under the European Digital Identity Wallet framework. US states (Wyoming, California) and the UK are following.

The combination unlocks ZK identity as a deployable primitive rather than a research curiosity.

3. The three-tier architecture

Tier 1: Issuer. A credentialing authority — government, bank, exchange, university — that asserts a fact about a user (e.g., "this user is over 18," "this user passed KYC at Coinbase"). The issuer publishes a commitment to the user's credential on-chain (or off-chain via a verifiable data registry).

The commitment is hash-based. From the on-chain data alone, you can't recover the user's identity. You can only verify that some issuer-signed credential exists in the registry.

Tier 2: Prover (user). The user holds a witness — the cryptographic material that lets them prove they are the subject of a specific commitment. The witness lives in the user's wallet, encrypted with a passphrase. The user runs a local ZK circuit (in the browser, or on mobile) to produce a proof that:

  1. They control the witness behind some commitment from issuer X.
  2. The credential satisfies a predicate (e.g., "age ≥ 18").
  3. They are the rightful owner of a specific wallet address.

The proof is ~256 bytes. It reveals nothing else — not the issuer (in some constructions), not the user's age, not the user's identity.

Tier 3: Verifier (protocol). The DeFi protocol receives the proof in the user's transaction. The protocol verifies the proof on-chain (or off-chain via a relay). If valid, the user gains access. The verifier learns only that the predicate held.

Issuer        Commitment registry           Prover (user)             Verifier (protocol)
  │                  │                          │                            │
  ├──issue cred────► │                          │                            │
  │                  │                          │                            │
  │                  │ ◄─────derive witness─────┤                            │
  │                  │                          │                            │
  │                  │                          ├──ZK proof + tx────────────►│
  │                  │                          │                            │
  │                  │                          │                            ├─verify proof─►
  │                  │                          │                            │  on-chain

4. What's hard in production

4.1 Mobile prover performance. The PLONK-family proof systems are fast on desktop. On mobile, a typical age-attestation proof takes 1-3 seconds on a 2024 iPhone, 4-8 seconds on a 2022 mid-range Android. This is just on the right side of the UX cliff. It is not fast enough for high-frequency interactions (DeFi swaps, social-app actions) where users expect <300ms response.

The path forward: proof caching. A user generates a proof once; the proof is valid for some time window (24 hours, a week). Subsequent transactions reuse the cached proof. This is what Privado ID and Polygon ID have converged on.
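The verifier-side bookkeeping that proof caching implies, as an added example rather than Privado ID or Polygon ID code. The public-input layout, the 24-hour cap, the zk_verify callback and the policy of dropping cached entries when the revocation accumulator changes are assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_WINDOW = 24 * 3600  # longest validity window the protocol accepts (assumed)

@dataclass(frozen=True)
class PublicInputs:       # hypothetical layout of a proof's public inputs
    wallet: str           # address the proof is bound to
    predicates: frozenset # predicates the proof establishes
    expires_at: int       # unix time after which the proof is void
    revocation_root: str  # accumulator value the proof was made against

class CachedGate:
    def __init__(self, zk_verify, current_root):
        self.zk_verify = zk_verify    # stand-in for the real proof verifier
        self.current_root = current_root
        self.cache = {}               # (wallet, predicates) -> (expires_at, root)

    def admit(self, sender, required, now, proof=None, pub=None):
        key = (sender, frozenset(required))
        hit = self.cache.get(key)
        # Fast path: eligibility already proven, not expired, and no
        # revocation has been published since the proof was checked.
        if hit and hit[0] > now and hit[1] == self.current_root:
            return True
        self.cache.pop(key, None)
        if proof is None or pub is None:
            return False
        ok = (pub.wallet == sender                      # no replay from another wallet
              and key[1] <= pub.predicates              # proof covers every predicate
              and now < pub.expires_at <= now + MAX_WINDOW
              and pub.revocation_root == self.current_root
              and self.zk_verify(proof, pub))           # expensive step, run once
        if ok:
            self.cache[key] = (pub.expires_at, pub.revocation_root)
        return ok
```

Without the revocation_root comparison, a cached entry would keep admitting a wallet for the rest of its window after the underlying credential was revoked.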

4.2 Revocation. What if an issuer needs to revoke a credential (user faked their KYC documents; user is now sanctioned)? The naive approach — issuer publishes a revocation — leaks information (revocation reveals that a specific commitment was revoked). The state-of-the-art is cryptographic accumulator-based revocation (RSA accumulators, Verkle trees), where revocation is a single proof-of-non-membership that the prover must produce in addition to the predicate proof.

Performance impact: revocation proofs ~double the prover time. UX impact: significant.
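The non-membership check from 4.2, worked through with an RSA accumulator as an added example (not code from any project named on this page). The modulus, generator, hash-to-prime mapping and credential names are toy values constructed for illustration, and the check runs in the clear here, whereas a deployment would prove it inside the ZK circuit so the verifier never sees the credential.

```python
import hashlib
from math import isqrt, prod

# Toy parameters, constructed for this example: two small safe primes.
# A real accumulator needs a >= 2048-bit modulus of unknown factorisation.
N = 1019 * 1187
G = 3

def is_prime(n: int) -> bool:
    if n < 2 or n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, isqrt(n) + 1, 2))

def to_prime(credential_id: str) -> int:
    """Toy hash-to-prime: every credential gets a prime representative."""
    x = int.from_bytes(hashlib.sha256(credential_id.encode()).digest()[:4], "big") | 1
    while not is_prime(x):
        x += 2
    return x

def accumulate(revoked: list[str]) -> tuple[int, int]:
    """Issuer side: fold the revoked set into one group element G^u."""
    u = prod(to_prime(c) for c in revoked)
    return pow(G, u, N), u

def non_membership_witness(u: int, credential_id: str):
    """Witness (a, d) with a*u - k*x = 1; none exists if x divides u."""
    x = to_prime(credential_id)
    try:
        a = pow(u, -1, x)          # a*u = 1 (mod x), needs gcd(u, x) == 1
    except ValueError:
        return None                # credential is in the revoked set
    k = (a * u - 1) // x           # exact division by construction
    return a, pow(G, k, N)

def verify_non_membership(acc: int, credential_id: str, witness) -> bool:
    """Check acc^a == d^x * G (mod N), i.e. G^(a*u) == G^(k*x + 1)."""
    a, d = witness
    x = to_prime(credential_id)
    return pow(acc, a, N) == (pow(d, x, N) * G) % N
```

A witness verifies only against the accumulator value it was computed for, so holders have to refresh it after each revocation.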

4.3 Issuer trust and key management. The system's security ultimately rests on the issuer being honest. If an issuer signs a fraudulent credential, the user's proofs are still cryptographically valid — they're just attesting to a lie. Mitigation is issuer reputation systems and multi-issuer attestations (predicate requires K of N issuer signatures).

4.4 Sybil resistance. A user can generate many wallets and try to claim "over 18" with each. The credential is bound to a specific human; the proof is bound to a specific wallet. Linking these requires either a Worldcoin-style biometric (one human = one orb-verified identity) or a government-issued passport-style commitment that binds to a single national-ID number.

This is the political crux of ZK identity. Worldcoin's iris-scan approach is privacy-controversial; passport-binding approaches are non-portable across jurisdictions. There is no clean technical answer; the social-coordination problem dominates.

5. Deployment data points (2026)

Polygon ID / Privado ID. Mature SDK; multi-credential schemes; eIDAS-aligned. Strongest position in EU DeFi compliance. ~1M unique wallets verified as of Q1 2026.

Worldcoin / World ID. Biometric-anchored, "proof of personhood." Most controversial; most adopted in emerging markets. Brazil, Argentina, Kenya, Mexico are the biggest user bases. Powers proof-of-humanness for Worldcoin Wallet and a growing list of social apps.

zkPassport / NFC passport projects. Generate ZK proofs from biometric e-passport chips. Lowest user friction (you already have a passport); highest issuer trust (national governments). Limited to ~150 countries with NFC passports.

Off-chain attestation networks (EAS, Verax). Not strictly ZK, but interoperable: the underlying attestation is published off-chain; ZK proofs reference it. Useful for compositional credentials (a "DeFi power user" credential built from N transaction-history attestations).

6. A concrete protocol example

Imagine a DeFi options protocol that wants to gate access to accredited investors (SEC Rule 501) and non-sanctioned U.S. persons. The protocol's gate:

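function trade(uint256 tokenId, bytes calldata proof /* , ... */) external {
  // verifyProof is the protocol's verifier; passing msg.sender ties the
  // proof to the calling wallet.
  require(verifyProof(
    msg.sender,
    "accredited_investor",
    "non_sanctioned",
    "us_taxpayer",
    proof
  ), "ineligible");
  // ... trade logic
}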

The user must hold:

  • An attestation from a registered broker-dealer that they meet the income/net-worth thresholds.
  • An attestation from a sanctions-screening service that they are not on OFAC's SDN list.
  • An attestation from the IRS (or a state DMV-equivalent) that they are a US taxpayer.

The user produces one ZK proof that combines all three. The protocol verifies it on-chain. The user reveals: their wallet address. Nothing else.

This is the architecture that makes regulated-but-permissionless DeFi possible. It is also the architecture that lets a Brazilian developer participate in a US-only securities offering: by simply not being able to produce the "US taxpayer" attestation, they are cleanly gated without anyone needing to know they're Brazilian. Privacy and compliance improve simultaneously here, the rare design space where there is no trade-off.

7. Implications

For DeFi protocols. Compliance is now a user-side feature, not a protocol-side gate. Protocols can support multiple jurisdictions' rules by accepting different ZK-proof bundles per user. The same protocol can serve EU MiCA-compliant users, US accredited investors, and emerging-market retail — each by their own predicate, none by their identity.

For regulators. ZK identity is the architecture that resolves the AML/KYC vs privacy debate. A regulator no longer needs the transaction graph to verify compliance; they need the attestation registry and the predicate logic. This is a fundamentally different supervisory model, and one that the better-equipped regulators (Singapore MAS, UK FCA, Swiss FINMA) are already adapting toward.

For wallets. Wallets become identity wallets, not just token wallets. Holding credentials, generating proofs, managing revocation — these are new wallet primitives. The wallets that ship them first capture the identity-wallet market for a decade.

For privacy. Privacy is now composable. A user can be public on one chain, private on another, and selectively-disclosed on a third — all from the same root identity. The traditional "all your transaction history is one big leak" model of L1 chains becomes a quaint historical artifact.

8. Conclusion

Zero-knowledge identity is no longer a research project. The proof systems are fast enough, the legal frameworks are forming, and the SDK ecosystems are mature. The remaining work is integration — getting wallets, protocols, and issuers to interoperate on shared standards.

The 5-year horizon: by 2030, regulated DeFi runs on ZK identity by default. Plain-text KYC inside DeFi protocols is gone, the way SHA-1 disappeared from TLS. The privacy-vs-compliance axis collapses into a single point: composable predicate proofs.

The bet I would make: the chains and protocols that adopt this primitive in 2026-2027 win institutional flow for the rest of the decade. The ones that wait, lose.

