Web3 KYC: A Deep Dive into ZCloak’s Zk-SBT Solution

Preface
In Web3, many issues need to be reconsidered. For example, how to complete KYC in the Web3 environment, how to balance the need to verify user identity attributes with the need to protect user privacy, and how to truly achieve personal data sovereignty? zCloak has been actively exploring solutions to these problems - we are pleased to launch zk-SBT, a groundbreaking solution that will redefine the Web3 KYC process.
Current issues
There are many problems with the traditional KCY process. For example, Alice wants to participate in a blockchain game that requires age verification. If the game platform needs to independently verify Alice's age, Alice will need to upload her identity documents and even biometric data. For the game platform, these operations are very complicated, costly, and not in line with the main business of blockchain games due to restrictions such as the General Data Protection Regulation (GDPR). For Alice, the KYC process is also a burden because she needs to repeat this process every time she accesses a service that requires some form of identity verification, and the risk of identity data leakage increases with the number of identity verifications.
Therefore, we can't help but ask, is there a better solution in Web3 that allows Alice to complete the KYC process only once and use it across platforms, so that service providers can focus more on their core business without being distracted by the implementation of identity verification solutions and the management of user data. Let's explore zCloak Network's solution.
zCloak Network’s KYC Solution
User-Owned Data: In zCloak Network’s zk-SBT solution, Alice’s data is not stored in the database of each service provider, but on Alice’s device – enabling her to have sovereignty over her own data. When a service requires identity verification, Alice does not need to share her original data, but instead uses her previously verified data, which is authenticated by a trusted entity and stored in the form of a verifiable digital credential (VC). This approach ensures Alice’s control over her data while meeting the verification needs of service providers.
It should be noted that the prerequisite for "users owning their own data" is that the data is stored locally. Data stored in the cloud or on the blockchain network is visible and available to everyone. Third parties do not need the user's consent and approval to use this data, so it is not considered data owned by the user.
"Users own data" is not only the core value of Web3, but also the core difference between zCloak Network's technical solutions and other privacy DID/KYC solutions on the market.
Off-chain VC and on-chain zk-SBT: To protect privacy, the VC containing Alice's verification data is stored off-chain - on Alice's device. When Alice needs to prove a certain attribute of her identity, she can generate a zk-SBT through VC. This zk-SBT is stored on the chain and can be used as tamper-proof and traceable evidence of KYC results, but it will not leak sensitive data contained in VC. Using VC as the source of data storage can not only ensure the authenticity of the data through digital signatures and timestamps, but also convert it into common token forms on the chain such as SBT when necessary, which can simultaneously ensure user privacy and good interoperability.
User-side ZK computation for multiple identity checks: The zk-SBT solution allows user-side computation to meet various identity verification needs, such as age, nationality, income level, credit score, etc. This means that Alice's VC can be repeatedly used for different identity checks many times, generating a new zk-SBT each time. In this process, Alice's data is "cloaked" and the verifier can verify her attributes without accessing Alice's original data.
Other privacy DID/KYC solutions currently on the market require users to go to official agencies to regenerate proofs when the verification conditions of the verifier change. This is not only time-consuming and troublesome, but also exposes the scenarios and intentions of users using their own data to official agencies, which will leak user privacy and is a method of using user data that requires permission. The zCloak solution supports one-time issuance of data, which can be adapted to various verification scenarios without the need for users to interact with official agencies. It is a method of using data without permission to protect privacy. This is also the biggest advantage of users owning their own data combined with local zero-knowledge proof computing technology.
Phase 1: KYC certification and issuance of VC
In the first phase, we start the KYC process, where a trusted entity authenticates the user’s identity and issues a verifiable digital credential (VC). The platform will act as a trusted entity to authenticate Alice’s identity using various methods such as document verification, biometric verification, and other identity verification technologies.
After successfully completing the KYC authentication, the trusted entity will issue a VC for Alice, which contains Alice's basic identity information, including name, age, nationality, address, etc. In order to facilitate the selective disclosure of specific attributes in subsequent calculations, VC adopts a built-in Merkle tree data structure - this design allows the necessary information to be disclosed efficiently and securely without compromising the confidentiality of the entire credential.
Phase 2: ZKP Calculation
In the second phase, Alice's VC will be used as input for a zero-knowledge proof (ZKP) calculation to verify a specific attribute of Alice, such as her age. The ZKP calculation is carried out in the zk-STARK VM in the user's wallet using the proof logic of the Polygon Miden VM based on WASM. This proves that Alice is old enough to join the gaming platform without revealing her exact age.
Miden VM utilizes advanced cryptographic techniques such as polynomial commitments and evaluation protocols to perform secure computations. These techniques ensure that computations are performed correctly and securely without leaking any private information. Input data from VC will be used as private input to the ZK computation and will be kept confidential to the outside world throughout the process. The core of ZKP computation is zkProgram - which defines the logic and rules of the computation and specifies the properties that need to be proved. zkProgram takes input data from VC and generates an output that represents the properties of the user data, such as income above $10,000, by applying the necessary calculations and transformations. The output of the ZK computation is accompanied by a STARK proof. The validator uses the computation output, ZK proof, and ZK program for the final verification process. If everything matches, the validator will generate a "pass" result.
zCloak has currently prepared a web-based "code-free" zkProgram development tool, which can be used by the verifier to perform various verification calculations on user data according to the laws and regulations of the country or region where it is located. The "code-free" development tool can greatly reduce the development threshold of zkProgram, and even people without programming experience can use it easily, which is truly prepared for the popularization and promotion of zero-knowledge proof technology.
Phase 3: Creating zk-SBT
After successfully completing the ZKP calculation and verification, Alice can then create a zk-SBT on-chain. This involves generating a unique token that links back to the ZKP calculation result and associates it with Alice's on-chain address. zCloak uses cryptographic techniques including hashing and digital signatures to achieve this association.
The zk-SBT itself does not contain any sensitive personal data. Instead, it acts as a reference to the results of the ZKP computation, providing verifiable evidence for the proven properties. For example, instead of stating that Alice is 28 years old and from Thailand, the zk-SBT would say that she is an adult from Asia. By associating the zk-SBT with Alice's identifier, it becomes a tamper-proof representation of Alice's proven properties stored on the blockchain.
The zk-SBT stored on the blockchain is transparent and immutable. Other participants in the network can verify the authenticity and correctness of the zk-SBT by verifying the relevant ZKP calculation results and Alice's identity. This ensures the trustworthiness and reliability of the KYC process, as zk-SBT provides a secure, tamper-proof representation of verified properties.
Phase 4: Using zk-SBT
The final stage is when Dapp uses Alice’s zk-SBT. Third-party Dapps can verify Alice’s identity attributes and the authenticity of her underlying VC without accessing the original data. Verification is performed on-chain, while the relevant VC is securely stored off-chain.
The zCloak Network team provides examples of smart contracts that use zk-SBT data. Any third-party Dapp can reuse these contracts to add user identity check logic to its existing products. Our idea is to minimize the changes to existing smart contracts as much as possible, that is, Dapps can use user identity data to provide a better user experience with almost no modification.
Advantages of zk-SBT in KYC scenarios
There are several significant advantages to using zk-SBT in KYC scenarios:
1. Privacy protection: zk-SBT uses ZKP to provide privacy protection. A zk-SBT represents a ZKP, which is used to prove the user's assertion based on VC, so there is no need to reveal sensitive data stored on VC. For example, Alice can prove that she has reached the legal age to use the gaming platform without revealing her exact age. This promotes privacy in blockchain interactions.
2. Decentralization and trustlessness: zk-SBT embodies the decentralization and trustlessness principles of Web3. Unlike the traditional KYC process in a centralized institution that requires trust, zk-SBT transfers trust to mathematical proofs, which allows Alice to maintain control of her data while verifying the authenticity of the proof without accessing her original data.
3. Performance: Using Miden VM for computation improves the performance of zk-SBT. This technology supports fast, secure, and scalable computation and verification even with large amounts of data or users. The elimination of trusted setup and the simplification of the process of minting and verifying zk-SBT make the KYC process more efficient and robust.
4. Reusability: zk-SBT has significant reusability. Traditional KYC processes often require repeated verification steps on different platforms. zk-SBT eliminates this redundancy. The zk-SBT minted by Alice can be reused across platforms and services, adhering to the principle of "do it once, use it everywhere". This reusability saves time and resources and improves the user experience.
In summary, zk-SBT is changing the KYC landscape in the Web3 era by leveraging ZKPs and zk-STARK VM to maintain privacy, decentralization, and trustlessness. Its unique reusability eliminates redundancy and improves performance and user experience. Currently, zCloak's zk-SBT is in testing and has been deployed on optimismGoerli, baseGoerli, and Linea testnets. We will deploy the contract on major Ethereum ecosystem mainnets in August. For the latest progress, please follow our social media channels.