Ask HN: Can zero-knowledge proofs be used to verify a user's identity?

2 points by bvrstvr ↗ HN
Is it possible to use zero-knowledge proofs to verify a user's identity without the user revealing sensitive data?

Example:

A startup wants to create a social media site with a community of users who are proven to be actual humans. No one person can create multiple accounts.

Conditions:

1. All profiles must be actual humans

2. All humans must prove they are who they say they are by somehow providing their name and SSN

3. The startup must be able to verify that there exists a record containing the name + SSN combo

4. At no point can the startup have knowledge of the user's SSN

I know this is an overly-simplified scenario with clear drawbacks (not everyone can provide a SSN). The focus of this question is the possibility of user verification without revealing sensitive data so I'd appreciate it if we avoid nitpicking irrelevant details.

Followup Questions:

1. Can this approach be decentralized so no institution acts as the central database for verifying SSNs?

2. Is this even desirable? What are some potential harms to the user?

3. Does something like this already exist?

5 comments

[ 4.3 ms ] story [ 13.2 ms ] thread
My initial impression is that there are big problems with meeting these requirements.

For (1), I don't think there's any good way to reduce the property of being an "actual human" to data that can be verified algorithmically.

For (3), if by this you mean that such a record exists in a US government database, I'm not even sure that can be done even without requirement (4).

Thanks for sharing your thoughts! I guess the assumption here is that such a database does exist. SSN is the first thing that came to mind because I remember when I lived in South Korea as a child, EVERYTHING you registered for online required your SSN. I had to always provide my SSN when signing up for an account to play a new game, for example. I was wondering if it'd be possible to do something like that without actually revealing your SSN.
So are you asking if the government could create such a database ?
Let's assume we live in a country like South Korea, so such a database must surely already exist (since companies are able to verify a user's SSN). Can we make a verification system that doesn't require the user to provide their SSN but still prove their identity? If possible, is it desirable for a country like the US to also provide the same kinds of databases for the purpose of identity verification?
I think it would be possible but only if the government database itself provides the necessary functionality.

One possible way it could work is that the government provides a website where a user can enter their name and SSN and receive in return a digitally signed document stating, in effect, that a person of this name has some SSN on file. That document could then be submitted to a company which would only have to validate its signature against a signature published by the government service.

But this still has problems. Presumably you would want to be sure that the person submitting the verification actually is the person with the name and SSN (as opposed to someone who stole or otherwise obtained that name/SSN pair), so the government site has to somehow verify that before generating the verification document.

There's also the issue that many people can have the same name so just having a certificate that says that there is some John Doe who has an SSN doesn't necessarily tell you that the John Doe submitting the application has an SSN, it could be a different John Doe. Though perhaps this problem could be solved by the previous paragraph.