Ask HN: Can zero-knowledge proofs be used to verify a user's identity?
Example:
A startup wants to create a social media site with a community of users who are proven to be actual humans. No one person can create multiple accounts.
Conditions:
1. All profiles must be actual humans
2. All humans must prove they are who they say they are by somehow providing their name and SSN
3. The startup must be able to verify that there exists a record containing the name + SSN combo
4. At no point can the startup have knowledge of the user's SSN
I know this is an overly-simplified scenario with clear drawbacks (not everyone can provide a SSN). The focus of this question is the possibility of user verification without revealing sensitive data so I'd appreciate it if we avoid nitpicking irrelevant details.
Followup Questions:
1. Can this approach be decentralized so no institution acts as the central database for verifying SSNs?
2. Is this even desirable? What are some potential harms to the user?
3. Does something like this already exist?
5 comments
[ 4.3 ms ] story [ 13.2 ms ] threadFor (1), I don't think there's any good way to reduce the property of being an "actual human" to data that can be verified algorithmically.
For (3), if by this you mean that such a record exists in a US government database, I'm not even sure that can be done even without requirement (4).
One possible way it could work is that the government provides a website where a user can enter their name and SSN and receive in return a digitally signed document stating, in effect, that a person of this name has some SSN on file. That document could then be submitted to a company which would only have to validate its signature against a signature published by the government service.
But this still has problems. Presumably you would want to be sure that the person submitting the verification actually is the person with the name and SSN (as opposed to someone who stole or otherwise obtained that name/SSN pair), so the government site has to somehow verify that before generating the verification document.
There's also the issue that many people can have the same name so just having a certificate that says that there is some John Doe who has an SSN doesn't necessarily tell you that the John Doe submitting the application has an SSN, it could be a different John Doe. Though perhaps this problem could be solved by the previous paragraph.