Zero-Knowledge Credential Verification Systems

VCs DIDs ZKPs

The Identity Verification Challenge

Organizations struggle with the fundamental tension between verification needs and privacy protection. Traditional systems require users to expose sensitive employment details just to prove they work somewhere, creating unnecessary privacy risks.

Current verification methods force a binary choice: either reveal everything or prove nothing. Cryptographic techniques could enable selective disclosure—proving employment without revealing salary, position details, or other sensitive information.

Design Goals

The system should allow proving employment status while:

  • Keeping sensitive employment details private
  • Avoiding dependence on blockchain infrastructure
  • Giving users control over their credential storage
  • Requiring multiple keys to prevent single points of failure
  • Supporting standard decentralized identity protocols

System Architecture

A multi-key zero-knowledge verification system leverages verifiable credentials stored on decentralized storage without blockchain dependencies.

Core System Components

User Application The user possesses a decentralized identifier (DID) with its corresponding private key in a secure digital wallet. They receive verifiable credentials containing employment data and store encrypted versions or secure references in their personal data store.

Credential Issuer An employment verification service that issues privacy-preserving verifiable credentials by signing them with a trusted issuance key. These credentials encode employment status, position, dates, and metadata in encrypted format.

Employer Verification The employer uses their own key to attest the employment relationship, providing signed attestation that validates the claimant's employment status.

Decentralized Storage AT Protocol Personal Data Stores host encrypted credentials and metadata under user control. This provides RESTful APIs for data retrieval and permissions management while storing secure pointers and hashes for verification proofs.

Zero-Knowledge Proof Module This implements zk-SNARKs or Bulletproofs protocols that allow users to prove statements about their credentials without revealing underlying data. It generates proofs demonstrating credential control via DID private key and valid employment attestation.

Verification Engine The system verifies zero-knowledge proofs without accessing sensitive data in the personal data store. It validates cryptographic evidence linking DID-based credentials and employer attestations to the claimant.

Verification Process Design

A four-phase process separates credential issuance, proof material aggregation, zero-knowledge proof generation, and verification.

Phase A: Credential Issuance and Storage

The credential issuer creates a verifiable credential with employment details and signs it with their issuance key. The user receives and encrypts the credential, storing it in their personal data store along with secure references and hash commitments.

Independently, the employer generates employment attestation using their verifier key, which gets stored alongside the credential reference.

Phase B: Proof Material Aggregation

When verification is needed, the user retrieves secure pointers and cryptographic hashes from their personal data store. They locally aggregate the credential issuance evidence through DID-based signatures and the independent employment attestation signed by the verifier key.

This establishes the link between stored credentials and the multi-key requirements for verification.

Phase C: Zero-Knowledge Proof Generation

The user employs the ZKP module to construct a proof that secretly verifies:

  • Ownership of the private key corresponding to their DID
  • Existence of a valid verifiable credential via encrypted pointer validation
  • Valid employment attestation from the independent verifier

The resulting proof encapsulates all evidence while proving compliance without exposing sensitive data.

Phase D: Proof Verification

The user submits the generated proof with minimal public parameters—DID public key, verifier's public key, and credential reference commitment. The verification engine validates that the claimant possesses the corresponding private key, the credential pointer matches stored data, and the attestation is correctly signed.

Upon successful verification, employment is authenticated through both credentials without retrieving actual credential data.

Data Flow and Processes

Trusted Setup Prover Verifier Generate ZK proof using secret + public parameters Send proof Verify proof using public parameters ✅ Accept - Employment verified ❌ Reject - Verification failed Proof is valid Proof is invalid

Security Principles

Privacy by Design

The system ensures sensitive employment details remain confidential, referenced only via secure pointers in zero-knowledge proofs. Verifiers learn nothing beyond satisfaction of verification conditions.

Multi-Key Requirements

Both DID-based key and independent verifier key must produce evidence, minimizing risk from single key compromise and preventing fraudulent verification.

Decentralized Data Control

Storing credentials on decentralized personal data stores ensures users retain full control over their data, managing access, sharing, and revocation without centralized authorities.

Revocation Support

The design supports revocation through credential issuer or attestor updates to access-control records. The ZKP module can prove non-revocation or validity periods without exposing additional information.

Technology Choices

W3C decentralized identifiers and verifiable credentials standards ensure interoperability. AT Protocol personal data stores provide user-controlled storage with fine-grained access policies.

For cryptographic implementation, zk-SNARKs and Bulletproofs frameworks enable succinct proof construction and verification. Standard digital signature algorithms like EdDSA handle both credential issuance and attestation signing.

System Capabilities

This design creates a privacy-preserving verification system where employment credentials secured through decentralized storage can be proven valid without exposing sensitive data.

The key capabilities include:

  • Decentralized storage and data control ensuring secure, user-controlled credential access
  • Robust two-factor evidence requiring both claimant's DID-based key and independent verifier's key
  • Zero-knowledge proof techniques enabling employment verification while preserving privacy

The result is a secure credential verification system relying on cryptographic attestations and decentralized storage management while removing blockchain dependencies.

Key Insights from This Design

This system demonstrates that privacy and verification aren't mutually exclusive when proper cryptographic techniques are applied. Zero-knowledge proofs enable selective disclosure that solves real-world privacy problems without sacrificing verification integrity.

The multi-key approach provides security benefits beyond single-key systems while decentralized storage ensures users maintain control over their sensitive information. Avoiding blockchain dependencies makes the system more practical for real-world deployment while maintaining strong security properties.