ZK-PoP: Zero-Knowledge Possession Proofs
- ZK-PoP is a design pattern enabling proof of possession of personhood credentials or process evidence without revealing the underlying sensitive data.
- It leverages advanced cryptographic techniques such as zk-SNARKs, recursive aggregation, and homomorphic encryption to ensure scalability, efficiency, and unlinkability in decentralized systems.
- The framework underpins applications including Sybil-resistant identity verification, private process attestation for human authorship, and secure password proof-of-possession.
ZK-PoP denotes a family of zero-knowledge constructions in which a prover establishes possession of person-linked or process-linked evidence without disclosing the evidence itself. In the cited literature, the label is used in more than one way: as Zero-Knowledge Proof-of-Personhood, where a prover demonstrates control of a valid unique-human credential for Sybil-resistant admission or consensus, and as Zero-Knowledge Proof of Process Attestation, where a prover demonstrates that a writing session is consistent with human authorship while hiding behavioral biometrics, timing, and intermediate drafts (Lin et al., 18 Feb 2026, Condrey, 26 Feb 2026). Closely related work also uses zero-knowledge as a proof-of-possession mechanism for password authentication over insecure networks, illustrating the broader private-authentication design space around possession proofs (Povsic et al., 2022).
1. Terminological scope
The main strands of the literature differ in what is being proved, what private witness is protected, and what system objective is served. In blockchain and Web 3.0 settings, ZK-PoP is primarily a Sybil-resistance mechanism: the prover shows that a valid identity or personhood credential exists and is bound to exactly one pseudonym or one account. In process-attestation settings, ZK-PoP is a privacy-preserving authorship mechanism: the prover shows that a session satisfies formal constraints on sequential work, human-range behavior, and content evolution. A nearby but distinct line uses quadratic-residuosity proofs to show possession of a password-derived secret without sending the password or its hash on the wire (Sánchez, 2019, Lin et al., 18 Feb 2026, Condrey, 26 Feb 2026, Povsic et al., 2022).
| Use in the literature | Statement being proved | Private witness |
|---|---|---|
| Zero-Knowledge Proof-of-Personhood | Valid credential, correct derivation of one pseudonym or one account | Credential chain, secret key, passphrase, or PHC |
| Zero-Knowledge Proof of Process Attestation | Correct SWF execution, human-range features, incremental editing consistency | SWF states, behavioral features, timestamps, content diff |
| Password proof-of-possession | Knowledge of a square-root of public | Password-derived secret root |
A recurrent misconception is that ZK-PoP names a single protocol. The cited works instead present a class of constructions sharing a zero-knowledge interface while differing substantially in relation design, cryptographic substrate, and trust anchors.
2. Credentialized proof-of-personhood
A foundational formulation appears in Zero-Knowledge Proof-of-Identity, where the statement proved is: “I hold a valid credential (e.g. an X.509 identity certificate chain or an ePassport), and I know its secret key and passphrase, and from it I derive exactly one blockchain pseudonym for this epoch.” Concretely, the relation requires that CertChain is valid under the public root CA list, SK matches the public key inside CertChain, PP is a passphrase binding, and
The proof shows knowledge of SK, CertChain, PP, and correct computation of pseudonym without revealing them. By tying this construction to a government-issued credential that is unique per individual, the work states that one enforces “one-person, one-seal,” thereby satisfying Sybil resistance in a permissionless setting while preserving anonymity (Sánchez, 2019).
The same work embeds this identity proof into a consensus architecture based on cryptographic sortition. Each registered miner holds a keypair bound to one pseudonym via zk-PoI. In each round or epoch, every node computes VRF_update = VRF_sk(epoch) → (ρ, π_vrf), broadcasts , and is selected for the committee if . The paper identifies this as Algorand’s sortition or Dfinity’s BLS threshold beacon. It further develops a game-theoretic layer in which the zk-PoI currency is described as Uniformly-Distributed Capital-Efficient (UDCE), while PoW/PoS systems are described as Power-Law Fee-Concentrated (PLFC), and claims a unique Nash equilibrium, strict domination, ESS, and a Price of Crypto-Anarchy approaching $1$ for the zk-PoI system.
A later Web 3.0 admission framework, ZK-AMS, instantiates proof-of-personhood through a Personhood Credential (PHC) defined as a Verifiable Credential issued by a trusted personhood authority and represented as a JSON-LD VC with three key fields: holder public key pk_holder, issuer public key pk_issuer, and issuer signature sig_issuer over the canonicalized PHC. Its one-person-one-account rule has two layers. At admission time, each PHC may be used exactly once, with the admission smart contract recording the collision-resistant hash
on-chain and rejecting duplicates. At provisioning time, each admitted user derives a seed key pair and binds a “soul account” by issuing a linkable ring signature whose key image
0
is recorded on-chain; any second provisioning with the same 1 produces the same 2, which the SoulRegistry contract rejects (Lin et al., 18 Feb 2026).
3. Recursive aggregation and on-chain admission
ZK-AMS realizes proof-of-personhood as a zero-knowledge credential-validation pipeline over a committed relaxed R1CS. The private input is the full PHC structure, including holder public key and issuer signature. The public input is
3
where 4 is a signature under the holder’s key on 5. The R1CS circuit 6 checks three conditions: 7, SigVerify(pk_issuer, h, W.sig_issuer) = 1, and SigVerify(W.pk_holder, h, σ_holder) = 1. To support Nova folding, the system transforms standard R1CS into a relaxed R1CS with slack vector 8 and scalar 9, and commits to 0 and the full witness vector 1 under an additively-homomorphic linear commitment
2
The committed relaxed instance is 3 and the witness is 4 (Lin et al., 18 Feb 2026).
The central scalability mechanism is Nova’s Non-Interactive Folding Scheme (NIFS). Rather than verify 5 independent 6 proofs on-chain, the system folds them into one accumulator. If 7 is the current accumulator and 8 is the 9-th committed instance, the fold uses the cross-term
0
a Fiat–Shamir challenge
1
and fold updates
2
After 3 users are folded, a finalization fold with a public dummy instance produces 4, and the permissionless batch submitter runs one Groth16 proof on a fixed-size circuit 5 that verifies the last Nova fold, runs 6 on the padded accumulator, and checks the padding instance. Because each fold re-uses the same R1CS circuit and matrices 7, the constraint count of 8 remains constant at 65 605 constraints in the prototype, and the Groth16 proof size remains constant at two group elements. The resulting on-chain verification cost is therefore 9 per batch, regardless of 0.
Witness privacy during folding is preserved by BGV-style multi-key FHE. Each user encrypts the relevant components of the committed instance and witness; Nova’s linear and cross-term computations are then performed directly on ciphertexts via homomorphic addition, scalar multiplication, matrix multiplication, and entry-wise multiplication. Commitments are likewise evaluated homomorphically so that the ciphertext transcript contains encrypted commitments and never plaintext 1. Only at batch completion do users publish partial decryption shares, which are combined to recover the final folded plaintext accumulator as a randomized linear combination that hides individual inputs.
The verifier contract then executes UIAsc: it verifies the Groth16 proof, rejects on failure, and for each 2 in the batch either rejects an already-registered credential hash or stores 3\approx 435\,150(pk,sk)$4 is defined over a prime field $(pk,sk)$5 for a checkpoint $(pk,sk)$6. The public input is
$(pk,sk)$7
where $(pk,sk)$8 is a SHA-256 commitment hash, $(pk,sk)$9 is the SHA-256 root of the SWF chain states, $(\rho,\pi_{\mathrm{vrf}})$0 is the claimed duration, and $(\rho,\pi_{\mathrm{vrf}})$1 are population means and standard deviations. The private witness is
$(\rho,\pi_{\mathrm{vrf}})$2
with SWF chain states, behavioral features such as IKI entropy and edit rates, hidden timestamps, a content-diff hash, and Pedersen randomness. The relation holds iff four constraints are satisfied:
- SWF-chain correctness on sampled positions: for all sampled $(\rho,\pi_{\mathrm{vrf}})(\rho,\pi_{\mathrm{vrf}})$4, $(\rho,\pi_{\mathrm{vrf}})$5.
- Temporal consistency: $(\rho,\pi_{\mathrm{vrf}})$6 lies between $(\rho,\pi_{\mathrm{vrf}})$7 and $(\rho,\pi_{\mathrm{vrf}})$8.
- Content binding:
$(\rho,\pi_{\mathrm{vrf}})$9
where
$H(\rho \,\|\, \text{shardID}) < \text{threshold}$0
The arithmetic circuit $H(\rho \,\|\, \text{shardID}) < \text{threshold}$1 implements these constraints as R1CS. The SWF gadget uses Poseidon Merkle inclusion together with a SHA-256 gadget and costs $H(\rho \,\|\, \text{shardID}) < \text{threshold}$2K constraints for the in-circuit Poseidon tree. The behavioral-range gadget encodes each feature as a fixed-point integer and reports $H(\rho \,\|\, \text{shardID}) < \text{threshold}$3 constraints per range check, for $H(\rho \,\|\, \text{shardID}) < \text{threshold}$4K total when $H(\rho \,\|\, \text{shardID}) < \text{threshold}$5. The temporal-consistency gadget uses Pedersen commitments to timestamps and a range proof on the gap. The content-binding gadget computes the session commitment and a SHA-256 hash to $H(\rho \,\|\, \text{shardID}) < \text{threshold}$6, costing $H(\rho \,\|\, \text{shardID}) < \text{threshold}$7K constraints. The reported total is 77,259 R1CS constraints for the basic circuit with $H(\rho \,\|\, \text{shardID}) < \text{threshold}$8 and $H(\rho \,\|\, \text{shardID}) < \text{threshold}$9.
The proof system combines Groth16, Pedersen commitments, and Bulletproof range proofs. For each feature,
$1$0
and the aggregated session commitment is
$1$1
The Groth16 statement is
$1$2
with proof $11$4 is false except with negligible probability. By perfect hiding of Pedersen commitments and fresh Fiat–Shamir nonces $1$5, the public inputs across sessions are independent, yielding unlinkability.
5. Security properties and adjacent possession proofs
Across the literature, ZK-PoP inherits the classical zero-knowledge triad of completeness, soundness, and zero-knowledge. The 2019 proof-of-identity formulation explicitly states these properties: an honest prover with a true statement is always accepted; no malicious prover can convince the verifier of a false statement except with negligible probability; and the verifier learns nothing beyond validity (Sánchez, 2019).
In the process-attestation setting, these abstract properties are instantiated with concrete assumptions. Zero-knowledge rests on the DL assumption and the HVZK property of Bulletproofs; soundness rests on Groth16 knowledge soundness, SHA-256/Poseidon collision resistance, and Pedersen binding; unlinkability rests on perfect hiding and fresh Fiat–Shamir nonces (Condrey, 26 Feb 2026). In the Web 3.0 admission setting, privacy is strengthened operationally by executing the recursive folding pipeline over multi-key FHE so that the permissionless batch submitter never sees users’ secret witnesses, while one-person-one-account is enforced by duplicate rejection on the PHC hash and on the provisioning key image (Lin et al., 18 Feb 2026).
A useful adjacent construction is the quadratic-residuosity protocol for password authentication. There, the password is stretched into an integer $1$6 in $1$7, the server stores $1$8 with $1$9, and the prover repeatedly demonstrates knowledge of a square-root $h = \text{Hash}(\text{Canon}(\text{PHC}))$0 of the public residue $h = \text{Hash}(\text{Canon}(\text{PHC}))$1 via a one-bit challenge-response protocol:
$h = \text{Hash}(\text{Canon}(\text{PHC}))$2
Repeating $h = \text{Hash}(\text{Canon}(\text{PHC}))$3 independent rounds drives the cheating probability down to $h = \text{Hash}(\text{Canon}(\text{PHC}))$4. The work’s threat model states that a network adversary may eavesdrop or tamper with packets but cannot learn $h = \text{Hash}(\text{Canon}(\text{PHC}))$5 or the password because only zero-knowledge transcripts appear on the wire; an offline impersonator cannot replay prior transcripts because fresh randomness and unpredictable challenges force fresh computation; and after server compromise, recovering $h = \text{Hash}(\text{Canon}(\text{PHC}))$6 from $h = \text{Hash}(\text{Canon}(\text{PHC}))$7 is stated to be as hard as factoring $h = \text{Hash}(\text{Canon}(\text{PHC}))$8 via the Quadratic-Residuosity Problem (Povsic et al., 2022). This adjacent protocol is not a proof-of-personhood system, but it clarifies the broader possession-proof pattern: the verifier learns only that the prover controls the relevant secret.
6. Performance envelope and trade-offs
The main systems optimize different bottlenecks: ZK-AMS minimizes on-chain verification cost per batch, while process-attestation ZK-PoP minimizes proof size and verifier latency per checkpoint stream. The password-authentication construction, by contrast, exposes the round-complexity and latency costs of repeated challenge-response proofs (Lin et al., 18 Feb 2026, Condrey, 26 Feb 2026, Povsic et al., 2022).
| System | Reported performance | Stated trade-off |
|---|---|---|
| ZK-AMS | zkSNARK.Verify $h = \text{Hash}(\text{Canon}(\text{PHC}))$9 gas independent of $(pk_{\mathrm{seed}}, sk_{\mathrm{seed}})$0; $(pk_{\mathrm{seed}}, sk_{\mathrm{seed}})$1 gas at ring size $(pk_{\mathrm{seed}}, sk_{\mathrm{seed}})$2; with $(pk_{\mathrm{seed}}, sk_{\mathrm{seed}})$3, $(pk_{\mathrm{seed}}, sk_{\mathrm{seed}})$4 users/s; with $(pk_{\mathrm{seed}}, sk_{\mathrm{seed}})$5, $(pk_{\mathrm{seed}}, sk_{\mathrm{seed}})$6 users/s; as $(pk_{\mathrm{seed}}, sk_{\mathrm{seed}})$7, $(pk_{\mathrm{seed}}, sk_{\mathrm{seed}})$8 users/s |
Operators choose batch size $(pk_{\mathrm{seed}}, sk_{\mathrm{seed}})$9 to trade amortized cost against end-to-end latency |
| Process-attestation ZK-PoP | 15 min $x=w^2 \bmod n$00 s; 1 h $x=w^2 \bmod n$01 s; 4 h $x=w^2 \bmod n$02 s; proof size 192 bytes; verification 8.2 ms | Privacy parameter $x=w^2 \bmod n$03 and circuit dimension trade privacy against accuracy and proving cost |
| Quadratic-residuosity password proof | Typical $x=w^2 \bmod n$04-size 2048 bits; $x=w^2 \bmod n$05–$x=w^2 \bmod n$06 gives cheating probability $x=w^2 \bmod n$07–$x=w^2 \bmod n$08; communication per round $x=w^2 \bmod n$09 bytes for $x=w^2 \bmod n$10 or $x=w^2 \bmod n$11 plus 1 byte for challenge | End-to-end latency may dominate if $x=w^2 \bmod n$12 is large |
For ZK-AMS, the per-user on-chain cost is
$x=w^2 \bmod n$13
with $x=w^2 \bmod n$14 gas. The paper reports that with $x=w^2 \bmod nx=w^2 \bmod nx=w^2 \bmod n$17, throughput approaches 45 users/block (3.75 users/s). The corresponding latency formula is
$x=w^2 \bmod nx=w^2 \bmod n$19 and ≈~110 s for $x=w^2 \bmod n$20, where PBS proving dominates.
For process attestation, the privacy-utility frontier is controlled by the differential-privacy parameter on released population statistics: the reported accuracies are 96.8% at $x=w^2 \bmod n$21, 94.2% at $x=w^2 \bmod n$22, and 89.7% at $x=w^2 \bmod n$23. The abstract summarizes this as less than 5% accuracy loss in simulation at practical privacy levels $x=w^2 \bmod n$24 compared to non-private baselines. The deployment discussion adds further engineering trade-offs: Merkle-sample depth $x=w^2 \bmod n$25 trades prover cost against SWF-chain forgery detection; PLONK offers universal setup at the cost of 2× proof size, 3× verify time; and folding systems such as Nova or ProtoGalaxy are identified as future optimizations for $x=w^2 \bmod n$26 proof size per session.
Taken together, these works suggest that ZK-PoP is best understood not as a single protocol but as a design pattern for proving sensitive, person-linked evidence in zero knowledge. In one branch, the witness is an identity or personhood credential and the system objective is Sybil-resistant anonymous admission; in another, the witness is a behavioral and editorial trace and the objective is privacy-preserving human authorship attestation. The cryptographic core varies—zk-SNARKs, recursive folding, multi-key FHE, Pedersen commitments, Bulletproofs, quadratic-residuosity sigma protocols—but the common invariant is that possession is demonstrated while the underlying evidence remains hidden.