Papers
Topics
Authors
Recent
Search
2000 character limit reached

ZK-PoP: Zero-Knowledge Possession Proofs

Updated 5 July 2026
  • ZK-PoP is a design pattern enabling proof of possession of personhood credentials or process evidence without revealing the underlying sensitive data.
  • It leverages advanced cryptographic techniques such as zk-SNARKs, recursive aggregation, and homomorphic encryption to ensure scalability, efficiency, and unlinkability in decentralized systems.
  • The framework underpins applications including Sybil-resistant identity verification, private process attestation for human authorship, and secure password proof-of-possession.

ZK-PoP denotes a family of zero-knowledge constructions in which a prover establishes possession of person-linked or process-linked evidence without disclosing the evidence itself. In the cited literature, the label is used in more than one way: as Zero-Knowledge Proof-of-Personhood, where a prover demonstrates control of a valid unique-human credential for Sybil-resistant admission or consensus, and as Zero-Knowledge Proof of Process Attestation, where a prover demonstrates that a writing session is consistent with human authorship while hiding behavioral biometrics, timing, and intermediate drafts (Lin et al., 18 Feb 2026, Condrey, 26 Feb 2026). Closely related work also uses zero-knowledge as a proof-of-possession mechanism for password authentication over insecure networks, illustrating the broader private-authentication design space around possession proofs (Povsic et al., 2022).

1. Terminological scope

The main strands of the literature differ in what is being proved, what private witness is protected, and what system objective is served. In blockchain and Web 3.0 settings, ZK-PoP is primarily a Sybil-resistance mechanism: the prover shows that a valid identity or personhood credential exists and is bound to exactly one pseudonym or one account. In process-attestation settings, ZK-PoP is a privacy-preserving authorship mechanism: the prover shows that a session satisfies formal constraints on sequential work, human-range behavior, and content evolution. A nearby but distinct line uses quadratic-residuosity proofs to show possession of a password-derived secret without sending the password or its hash on the wire (Sánchez, 2019, Lin et al., 18 Feb 2026, Condrey, 26 Feb 2026, Povsic et al., 2022).

Use in the literature Statement being proved Private witness
Zero-Knowledge Proof-of-Personhood Valid credential, correct derivation of one pseudonym or one account Credential chain, secret key, passphrase, or PHC
Zero-Knowledge Proof of Process Attestation Correct SWF execution, human-range features, incremental editing consistency SWF states, behavioral features, timestamps, content diff
Password proof-of-possession Knowledge of a square-root ww of public x=w2modnx=w^2 \bmod n Password-derived secret root

A recurrent misconception is that ZK-PoP names a single protocol. The cited works instead present a class of constructions sharing a zero-knowledge interface while differing substantially in relation design, cryptographic substrate, and trust anchors.

2. Credentialized proof-of-personhood

A foundational formulation appears in Zero-Knowledge Proof-of-Identity, where the statement proved is: “I hold a valid credential (e.g. an X.509 identity certificate chain or an ePassport), and I know its secret key and passphrase, and from it I derive exactly one blockchain pseudonym for this epoch.” Concretely, the relation requires that CertChain is valid under the public root CA list, SK matches the public key inside CertChain, PP is a passphrase binding, and

uniqueID=getID(CertChain),sigSec=SignSK(“PREFIXED_COMMON_STRING”),pseudonym=H(sigSecBlockchainIDuniqueID“REG”).\text{uniqueID} = \text{getID}(\text{CertChain}), \quad \text{sigSec} = \text{Sign}_{SK}(\text{“PREFIXED\_COMMON\_STRING”}), \quad \text{pseudonym} = H(\text{sigSec} \,\|\, \text{BlockchainID} \,\|\, \text{uniqueID} \,\|\, \text{“REG”}).

The proof π\pi shows knowledge of SK, CertChain, PP, and correct computation of pseudonym without revealing them. By tying this construction to a government-issued credential that is unique per individual, the work states that one enforces “one-person, one-seal,” thereby satisfying Sybil resistance in a permissionless setting while preserving anonymity (Sánchez, 2019).

The same work embeds this identity proof into a consensus architecture based on cryptographic sortition. Each registered miner holds a keypair (pk,sk)(pk,sk) bound to one pseudonym via zk-PoI. In each round or epoch, every node computes VRF_update = VRF_sk(epoch) → (ρ, π_vrf), broadcasts (ρ,πvrf)(\rho,\pi_{\mathrm{vrf}}), and is selected for the committee if H(ρshardID)<thresholdH(\rho \,\|\, \text{shardID}) < \text{threshold}. The paper identifies this as Algorand’s sortition or Dfinity’s BLS threshold beacon. It further develops a game-theoretic layer in which the zk-PoI currency is described as Uniformly-Distributed Capital-Efficient (UDCE), while PoW/PoS systems are described as Power-Law Fee-Concentrated (PLFC), and claims a unique Nash equilibrium, strict domination, ESS, and a Price of Crypto-Anarchy approaching $1$ for the zk-PoI system.

A later Web 3.0 admission framework, ZK-AMS, instantiates proof-of-personhood through a Personhood Credential (PHC) defined as a Verifiable Credential issued by a trusted personhood authority and represented as a JSON-LD VC with three key fields: holder public key pk_holder, issuer public key pk_issuer, and issuer signature sig_issuer over the canonicalized PHC. Its one-person-one-account rule has two layers. At admission time, each PHC may be used exactly once, with the admission smart contract recording the collision-resistant hash

h=Hash(Canon(PHC))h = \text{Hash}(\text{Canon}(\text{PHC}))

on-chain and rejecting duplicates. At provisioning time, each admitted user derives a seed key pair (pkseed,skseed)(pk_{\mathrm{seed}}, sk_{\mathrm{seed}}) and binds a “soul account” by issuing a linkable ring signature whose key image

x=w2modnx=w^2 \bmod n0

is recorded on-chain; any second provisioning with the same x=w2modnx=w^2 \bmod n1 produces the same x=w2modnx=w^2 \bmod n2, which the SoulRegistry contract rejects (Lin et al., 18 Feb 2026).

3. Recursive aggregation and on-chain admission

ZK-AMS realizes proof-of-personhood as a zero-knowledge credential-validation pipeline over a committed relaxed R1CS. The private input is the full PHC structure, including holder public key and issuer signature. The public input is

x=w2modnx=w^2 \bmod n3

where x=w2modnx=w^2 \bmod n4 is a signature under the holder’s key on x=w2modnx=w^2 \bmod n5. The R1CS circuit x=w2modnx=w^2 \bmod n6 checks three conditions: x=w2modnx=w^2 \bmod n7, SigVerify(pk_issuer, h, W.sig_issuer) = 1, and SigVerify(W.pk_holder, h, σ_holder) = 1. To support Nova folding, the system transforms standard R1CS into a relaxed R1CS with slack vector x=w2modnx=w^2 \bmod n8 and scalar x=w2modnx=w^2 \bmod n9, and commits to uniqueID=getID(CertChain),sigSec=SignSK(“PREFIXED_COMMON_STRING”),pseudonym=H(sigSecBlockchainIDuniqueID“REG”).\text{uniqueID} = \text{getID}(\text{CertChain}), \quad \text{sigSec} = \text{Sign}_{SK}(\text{“PREFIXED\_COMMON\_STRING”}), \quad \text{pseudonym} = H(\text{sigSec} \,\|\, \text{BlockchainID} \,\|\, \text{uniqueID} \,\|\, \text{“REG”}).0 and the full witness vector uniqueID=getID(CertChain),sigSec=SignSK(“PREFIXED_COMMON_STRING”),pseudonym=H(sigSecBlockchainIDuniqueID“REG”).\text{uniqueID} = \text{getID}(\text{CertChain}), \quad \text{sigSec} = \text{Sign}_{SK}(\text{“PREFIXED\_COMMON\_STRING”}), \quad \text{pseudonym} = H(\text{sigSec} \,\|\, \text{BlockchainID} \,\|\, \text{uniqueID} \,\|\, \text{“REG”}).1 under an additively-homomorphic linear commitment

uniqueID=getID(CertChain),sigSec=SignSK(“PREFIXED_COMMON_STRING”),pseudonym=H(sigSecBlockchainIDuniqueID“REG”).\text{uniqueID} = \text{getID}(\text{CertChain}), \quad \text{sigSec} = \text{Sign}_{SK}(\text{“PREFIXED\_COMMON\_STRING”}), \quad \text{pseudonym} = H(\text{sigSec} \,\|\, \text{BlockchainID} \,\|\, \text{uniqueID} \,\|\, \text{“REG”}).2

The committed relaxed instance is uniqueID=getID(CertChain),sigSec=SignSK(“PREFIXED_COMMON_STRING”),pseudonym=H(sigSecBlockchainIDuniqueID“REG”).\text{uniqueID} = \text{getID}(\text{CertChain}), \quad \text{sigSec} = \text{Sign}_{SK}(\text{“PREFIXED\_COMMON\_STRING”}), \quad \text{pseudonym} = H(\text{sigSec} \,\|\, \text{BlockchainID} \,\|\, \text{uniqueID} \,\|\, \text{“REG”}).3 and the witness is uniqueID=getID(CertChain),sigSec=SignSK(“PREFIXED_COMMON_STRING”),pseudonym=H(sigSecBlockchainIDuniqueID“REG”).\text{uniqueID} = \text{getID}(\text{CertChain}), \quad \text{sigSec} = \text{Sign}_{SK}(\text{“PREFIXED\_COMMON\_STRING”}), \quad \text{pseudonym} = H(\text{sigSec} \,\|\, \text{BlockchainID} \,\|\, \text{uniqueID} \,\|\, \text{“REG”}).4 (Lin et al., 18 Feb 2026).

The central scalability mechanism is Nova’s Non-Interactive Folding Scheme (NIFS). Rather than verify uniqueID=getID(CertChain),sigSec=SignSK(“PREFIXED_COMMON_STRING”),pseudonym=H(sigSecBlockchainIDuniqueID“REG”).\text{uniqueID} = \text{getID}(\text{CertChain}), \quad \text{sigSec} = \text{Sign}_{SK}(\text{“PREFIXED\_COMMON\_STRING”}), \quad \text{pseudonym} = H(\text{sigSec} \,\|\, \text{BlockchainID} \,\|\, \text{uniqueID} \,\|\, \text{“REG”}).5 independent uniqueID=getID(CertChain),sigSec=SignSK(“PREFIXED_COMMON_STRING”),pseudonym=H(sigSecBlockchainIDuniqueID“REG”).\text{uniqueID} = \text{getID}(\text{CertChain}), \quad \text{sigSec} = \text{Sign}_{SK}(\text{“PREFIXED\_COMMON\_STRING”}), \quad \text{pseudonym} = H(\text{sigSec} \,\|\, \text{BlockchainID} \,\|\, \text{uniqueID} \,\|\, \text{“REG”}).6 proofs on-chain, the system folds them into one accumulator. If uniqueID=getID(CertChain),sigSec=SignSK(“PREFIXED_COMMON_STRING”),pseudonym=H(sigSecBlockchainIDuniqueID“REG”).\text{uniqueID} = \text{getID}(\text{CertChain}), \quad \text{sigSec} = \text{Sign}_{SK}(\text{“PREFIXED\_COMMON\_STRING”}), \quad \text{pseudonym} = H(\text{sigSec} \,\|\, \text{BlockchainID} \,\|\, \text{uniqueID} \,\|\, \text{“REG”}).7 is the current accumulator and uniqueID=getID(CertChain),sigSec=SignSK(“PREFIXED_COMMON_STRING”),pseudonym=H(sigSecBlockchainIDuniqueID“REG”).\text{uniqueID} = \text{getID}(\text{CertChain}), \quad \text{sigSec} = \text{Sign}_{SK}(\text{“PREFIXED\_COMMON\_STRING”}), \quad \text{pseudonym} = H(\text{sigSec} \,\|\, \text{BlockchainID} \,\|\, \text{uniqueID} \,\|\, \text{“REG”}).8 is the uniqueID=getID(CertChain),sigSec=SignSK(“PREFIXED_COMMON_STRING”),pseudonym=H(sigSecBlockchainIDuniqueID“REG”).\text{uniqueID} = \text{getID}(\text{CertChain}), \quad \text{sigSec} = \text{Sign}_{SK}(\text{“PREFIXED\_COMMON\_STRING”}), \quad \text{pseudonym} = H(\text{sigSec} \,\|\, \text{BlockchainID} \,\|\, \text{uniqueID} \,\|\, \text{“REG”}).9-th committed instance, the fold uses the cross-term

π\pi0

a Fiat–Shamir challenge

π\pi1

and fold updates

π\pi2

After π\pi3 users are folded, a finalization fold with a public dummy instance produces π\pi4, and the permissionless batch submitter runs one Groth16 proof on a fixed-size circuit π\pi5 that verifies the last Nova fold, runs π\pi6 on the padded accumulator, and checks the padding instance. Because each fold re-uses the same R1CS circuit and matrices π\pi7, the constraint count of π\pi8 remains constant at 65 605 constraints in the prototype, and the Groth16 proof size remains constant at two group elements. The resulting on-chain verification cost is therefore π\pi9 per batch, regardless of (pk,sk)(pk,sk)0.

Witness privacy during folding is preserved by BGV-style multi-key FHE. Each user encrypts the relevant components of the committed instance and witness; Nova’s linear and cross-term computations are then performed directly on ciphertexts via homomorphic addition, scalar multiplication, matrix multiplication, and entry-wise multiplication. Commitments are likewise evaluated homomorphically so that the ciphertext transcript contains encrypted commitments and never plaintext (pk,sk)(pk,sk)1. Only at batch completion do users publish partial decryption shares, which are combined to recover the final folded plaintext accumulator as a randomized linear combination that hides individual inputs.

The verifier contract then executes UIAsc: it verifies the Groth16 proof, rejects on failure, and for each (pk,sk)(pk,sk)2 in the batch either rejects an already-registered credential hash or stores (pk,sk)(pk,sk)3\approx 435\,150gasfor<code>zkSNARK.Verify</code>intheEthereumprototype,independentofbatchsize.</p><h2class=paperheadingid=processattestationandhumanauthorship>4.Processattestationandhumanauthorship</h2><p>Adistinct2026lineofworkusesthelabelZKPoPfor<strong>ZeroKnowledgeProofofProcessAttestation</strong>.Itsgoalistoallowahumanauthortoconvinceanhonestbutcuriousverifierthatawritingsessionwasexecutedbyaprocessconsistentwithhumanauthorshipnamely,correctsequentialworkfunctionexecution,behavioralfeaturesinhumanranges,andcontentevolutionconsistentwithincrementaleditingwithoutrevealingbiometric,timing,ordraftcontentdatabeyondasingleaccept/rejectbitpercheckpoint(<ahref="/papers/2603.00179"title=""rel="nofollow"dataturbo="false"class="assistantlink"xdataxtooltip.raw="">Condrey,26Feb2026</a>).</p><p>Theformalrelation gas** for <code>zkSNARK.Verify</code> in the Ethereum prototype, independent of batch size.</p> <h2 class='paper-heading' id='process-attestation-and-human-authorship'>4. Process attestation and human authorship</h2> <p>A distinct 2026 line of work uses the label ZK-PoP for <strong>Zero-Knowledge Proof of Process Attestation</strong>. Its goal is to allow a human author to convince an honest-but-curious verifier that a writing session was executed by a process consistent with human authorship—namely, correct sequential work-function execution, behavioral features in human ranges, and content evolution consistent with incremental editing—without revealing biometric, timing, or draft-content data beyond a single accept/reject bit per checkpoint (<a href="/papers/2603.00179" title="" rel="nofollow" data-turbo="false" class="assistant-link" x-data x-tooltip.raw="">Condrey, 26 Feb 2026</a>).</p> <p>The formal relation (pk,sk)$4 is defined over a prime field $(pk,sk)$5 for a checkpoint $(pk,sk)$6. The public input is

$(pk,sk)$7

where $(pk,sk)$8 is a SHA-256 commitment hash, $(pk,sk)$9 is the SHA-256 root of the SWF chain states, $(\rho,\pi_{\mathrm{vrf}})$0 is the claimed duration, and $(\rho,\pi_{\mathrm{vrf}})$1 are population means and standard deviations. The private witness is

$(\rho,\pi_{\mathrm{vrf}})$2

with SWF chain states, behavioral features such as IKI entropy and edit rates, hidden timestamps, a content-diff hash, and Pedersen randomness. The relation holds iff four constraints are satisfied:

  1. SWF-chain correctness on sampled positions: for all sampled $(\rho,\pi_{\mathrm{vrf}})3,<code>sha256(si,j1)?=si,j</code>.</li><li><strong>Behavioralfeaturerange</strong>:forall3, <code>sha256(s_{i,j−1}) ?= s_{i,j}</code>.</li> <li><strong>Behavioral feature range</strong>: for all (\rho,\pi_{\mathrm{vrf}})$4, $(\rho,\pi_{\mathrm{vrf}})$5.
  2. Temporal consistency: $(\rho,\pi_{\mathrm{vrf}})$6 lies between $(\rho,\pi_{\mathrm{vrf}})$7 and $(\rho,\pi_{\mathrm{vrf}})$8.
  3. Content binding:

$(\rho,\pi_{\mathrm{vrf}})$9

where

$H(\rho \,\|\, \text{shardID}) < \text{threshold}$0

The arithmetic circuit $H(\rho \,\|\, \text{shardID}) < \text{threshold}$1 implements these constraints as R1CS. The SWF gadget uses Poseidon Merkle inclusion together with a SHA-256 gadget and costs $H(\rho \,\|\, \text{shardID}) < \text{threshold}$2K constraints for the in-circuit Poseidon tree. The behavioral-range gadget encodes each feature as a fixed-point integer and reports $H(\rho \,\|\, \text{shardID}) < \text{threshold}$3 constraints per range check, for $H(\rho \,\|\, \text{shardID}) < \text{threshold}$4K total when $H(\rho \,\|\, \text{shardID}) < \text{threshold}$5. The temporal-consistency gadget uses Pedersen commitments to timestamps and a range proof on the gap. The content-binding gadget computes the session commitment and a SHA-256 hash to $H(\rho \,\|\, \text{shardID}) < \text{threshold}$6, costing $H(\rho \,\|\, \text{shardID}) < \text{threshold}$7K constraints. The reported total is 77,259 R1CS constraints for the basic circuit with $H(\rho \,\|\, \text{shardID}) < \text{threshold}$8 and $H(\rho \,\|\, \text{shardID}) < \text{threshold}$9.

The proof system combines Groth16, Pedersen commitments, and Bulletproof range proofs. For each feature,

$1$0

and the aggregated session commitment is

$1$1

The Groth16 statement is

$1$2

with proof $13consistingof<strong>3groupelements(approximately192bytes)</strong>.TheverifiercheckstheBulletprooffeaturerangeproofs,theBulletprooftimerangeproof,andthen<code>Groth16.Verify(ppvk,xi,πi)</code>.</p><p>Theworkstatesthreetheorems.UndertheDLassumptionandtheHVZKpropertyofBulletproofs,thereisasimulatorthatproducesproofsindistinguishablefromrealoneswithoutthewitness.UnderGroth16knowledgesoundness,SHA256/Poseidoncollisionresistance,anddiscretelogbindingofPedersencommitments,no<ahref="https://www.emergentmind.com/topics/programbasedposteriortrainingppt"title=""rel="nofollow"dataturbo="false"class="assistantlink"xdataxtooltip.raw="">PPT</a>adversarycan<ahref="https://www.emergentmind.com/topics/forgefcd128faec5a4a85840ffd8ea771133b"title=""rel="nofollow"dataturbo="false"class="assistantlink"xdataxtooltip.raw="">forge</a>aproofforwhich3 consisting of <strong>3 group elements (approximately 192 bytes)</strong>. The verifier checks the Bulletproof feature-range proofs, the Bulletproof time-range proof, and then <code>Groth16.Verify(pp_vk, x_i, π_i)</code>.</p> <p>The work states three theorems. Under the DL assumption and the HVZK property of Bulletproofs, there is a simulator that produces proofs indistinguishable from real ones without the witness. Under Groth16 knowledge soundness, SHA-256/Poseidon collision resistance, and discrete-log binding of Pedersen commitments, no <a href="https://www.emergentmind.com/topics/program-based-posterior-training-ppt" title="" rel="nofollow" data-turbo="false" class="assistant-link" x-data x-tooltip.raw="">PPT</a> adversary can <a href="https://www.emergentmind.com/topics/forge-fcd128fa-ec5a-4a85-840f-fd8ea771133b" title="" rel="nofollow" data-turbo="false" class="assistant-link" x-data x-tooltip.raw="">forge</a> a proof for which 1$4 is false except with negligible probability. By perfect hiding of Pedersen commitments and fresh Fiat–Shamir nonces $1$5, the public inputs across sessions are independent, yielding unlinkability.

5. Security properties and adjacent possession proofs

Across the literature, ZK-PoP inherits the classical zero-knowledge triad of completeness, soundness, and zero-knowledge. The 2019 proof-of-identity formulation explicitly states these properties: an honest prover with a true statement is always accepted; no malicious prover can convince the verifier of a false statement except with negligible probability; and the verifier learns nothing beyond validity (Sánchez, 2019).

In the process-attestation setting, these abstract properties are instantiated with concrete assumptions. Zero-knowledge rests on the DL assumption and the HVZK property of Bulletproofs; soundness rests on Groth16 knowledge soundness, SHA-256/Poseidon collision resistance, and Pedersen binding; unlinkability rests on perfect hiding and fresh Fiat–Shamir nonces (Condrey, 26 Feb 2026). In the Web 3.0 admission setting, privacy is strengthened operationally by executing the recursive folding pipeline over multi-key FHE so that the permissionless batch submitter never sees users’ secret witnesses, while one-person-one-account is enforced by duplicate rejection on the PHC hash and on the provisioning key image (Lin et al., 18 Feb 2026).

A useful adjacent construction is the quadratic-residuosity protocol for password authentication. There, the password is stretched into an integer $1$6 in $1$7, the server stores $1$8 with $1$9, and the prover repeatedly demonstrates knowledge of a square-root $h = \text{Hash}(\text{Canon}(\text{PHC}))$0 of the public residue $h = \text{Hash}(\text{Canon}(\text{PHC}))$1 via a one-bit challenge-response protocol:

$h = \text{Hash}(\text{Canon}(\text{PHC}))$2

Repeating $h = \text{Hash}(\text{Canon}(\text{PHC}))$3 independent rounds drives the cheating probability down to $h = \text{Hash}(\text{Canon}(\text{PHC}))$4. The work’s threat model states that a network adversary may eavesdrop or tamper with packets but cannot learn $h = \text{Hash}(\text{Canon}(\text{PHC}))$5 or the password because only zero-knowledge transcripts appear on the wire; an offline impersonator cannot replay prior transcripts because fresh randomness and unpredictable challenges force fresh computation; and after server compromise, recovering $h = \text{Hash}(\text{Canon}(\text{PHC}))$6 from $h = \text{Hash}(\text{Canon}(\text{PHC}))$7 is stated to be as hard as factoring $h = \text{Hash}(\text{Canon}(\text{PHC}))$8 via the Quadratic-Residuosity Problem (Povsic et al., 2022). This adjacent protocol is not a proof-of-personhood system, but it clarifies the broader possession-proof pattern: the verifier learns only that the prover controls the relevant secret.

6. Performance envelope and trade-offs

The main systems optimize different bottlenecks: ZK-AMS minimizes on-chain verification cost per batch, while process-attestation ZK-PoP minimizes proof size and verifier latency per checkpoint stream. The password-authentication construction, by contrast, exposes the round-complexity and latency costs of repeated challenge-response proofs (Lin et al., 18 Feb 2026, Condrey, 26 Feb 2026, Povsic et al., 2022).

System Reported performance Stated trade-off
ZK-AMS zkSNARK.Verify $h = \text{Hash}(\text{Canon}(\text{PHC}))$9 gas independent of $(pk_{\mathrm{seed}}, sk_{\mathrm{seed}})$0; $(pk_{\mathrm{seed}}, sk_{\mathrm{seed}})$1 gas at ring size $(pk_{\mathrm{seed}}, sk_{\mathrm{seed}})$2; with $(pk_{\mathrm{seed}}, sk_{\mathrm{seed}})$3, $(pk_{\mathrm{seed}}, sk_{\mathrm{seed}})$4 users/s; with $(pk_{\mathrm{seed}}, sk_{\mathrm{seed}})$5, $(pk_{\mathrm{seed}}, sk_{\mathrm{seed}})$6 users/s; as $(pk_{\mathrm{seed}}, sk_{\mathrm{seed}})$7, $(pk_{\mathrm{seed}}, sk_{\mathrm{seed}})$8 users/s Operators choose batch size $(pk_{\mathrm{seed}}, sk_{\mathrm{seed}})$9 to trade amortized cost against end-to-end latency
Process-attestation ZK-PoP 15 min $x=w^2 \bmod n$00 s; 1 h $x=w^2 \bmod n$01 s; 4 h $x=w^2 \bmod n$02 s; proof size 192 bytes; verification 8.2 ms Privacy parameter $x=w^2 \bmod n$03 and circuit dimension trade privacy against accuracy and proving cost
Quadratic-residuosity password proof Typical $x=w^2 \bmod n$04-size 2048 bits; $x=w^2 \bmod n$05–$x=w^2 \bmod n$06 gives cheating probability $x=w^2 \bmod n$07–$x=w^2 \bmod n$08; communication per round $x=w^2 \bmod n$09 bytes for $x=w^2 \bmod n$10 or $x=w^2 \bmod n$11 plus 1 byte for challenge End-to-end latency may dominate if $x=w^2 \bmod n$12 is large

For ZK-AMS, the per-user on-chain cost is

$x=w^2 \bmod n$13

with $x=w^2 \bmod n$14 gas. The paper reports that with $x=w^2 \bmod n15,<code>Cuser1.24Mgas 24users/block 2.0users/s</code>;with15, <code>C_user≈1.24 M gas ⇒ ~24 users/block ⇒ ~2.0 users/s</code>; with x=w^2 \bmod n16,<code>Cuser674950gas 44.5users/block 3.7users/s</code>;andas16, <code>C_user≈674 950 gas ⇒ ~44.5 users/block ⇒ ~3.7 users/s</code>; and as x=w^2 \bmod n$17, throughput approaches 45 users/block (3.75 users/s). The corresponding latency formula is

$x=w^2 \bmod n18</p><p>with<code>Tchain1block=12s</code>;thereportedtotalis<code>1315s</code>for18</p> <p>with <code>T_chain ≈ 1 block = 12 s</code>; the reported total is <code>≈13–15 s</code> for x=w^2 \bmod n$19 and ≈~110 s for $x=w^2 \bmod n$20, where PBS proving dominates.

For process attestation, the privacy-utility frontier is controlled by the differential-privacy parameter on released population statistics: the reported accuracies are 96.8% at $x=w^2 \bmod n$21, 94.2% at $x=w^2 \bmod n$22, and 89.7% at $x=w^2 \bmod n$23. The abstract summarizes this as less than 5% accuracy loss in simulation at practical privacy levels $x=w^2 \bmod n$24 compared to non-private baselines. The deployment discussion adds further engineering trade-offs: Merkle-sample depth $x=w^2 \bmod n$25 trades prover cost against SWF-chain forgery detection; PLONK offers universal setup at the cost of 2× proof size, 3× verify time; and folding systems such as Nova or ProtoGalaxy are identified as future optimizations for $x=w^2 \bmod n$26 proof size per session.

Taken together, these works suggest that ZK-PoP is best understood not as a single protocol but as a design pattern for proving sensitive, person-linked evidence in zero knowledge. In one branch, the witness is an identity or personhood credential and the system objective is Sybil-resistant anonymous admission; in another, the witness is a behavioral and editorial trace and the objective is privacy-preserving human authorship attestation. The cryptographic core varies—zk-SNARKs, recursive folding, multi-key FHE, Pedersen commitments, Bulletproofs, quadratic-residuosity sigma protocols—but the common invariant is that possession is demonstrated while the underlying evidence remains hidden.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to ZK-PoP.