GM,
According to data from the on-chain prediction market Polymarket, the odds of U.S. presidential candidate Donald Trump winning have risen to 60%. Many are optimistic that Trump would be more favorable towards the crypto space, with some even pointing out that he has hinted at firing SEC Chairman Gary Gensler if elected, which has driven cryptocurrency prices up. However, I remain somewhat skeptical about his claims.
Reminder: This Saturday at 7 PM, we have a movie screening event. For those who signed up, please remember to keep your schedule open. The event will take place at Fablab Taipei, across from the Expo Dome at Yuanshan Huabo Park. It might take a little effort to find, so I suggest arriving at Yuanshan Huabo 15 minutes early to be safe. We'll have movie essentials like snacks and drinks ready for you. If you're unable to attend last minute, you can go back to the registration page and cancel your reservation, and the system will automatically release the spot for someone else.
Now, let's get to the main topic.
When it comes to personal data protection, some people have already come to terms with the reality—treating their personal data as public information. Even if someone knows all about your background, that doesn’t mean you should fully trust them. But this article wants to give you a bit of hope: there are people working hard to improve this distorted situation, though these technologies are still in development and may take some time to become widespread.
In this article, I’ll discuss a new concept I heard at the OKX conference—zkKYC—which uses zero-knowledge proof technology for identity verification. In simpler terms, it means "you know who I am, but you don’t know who I am." At first glance, it seems contradictory, but this is the essence of zero-knowledge proof. Let's start with the current situation.
Real Name Verification
Anyone who has ever registered for an exchange account is likely familiar with KYC, which stands for Know Your Customer. Governments require service providers to know their customers, essentially to assess risks. As a result, before renting a car, opening a bank account, or checking into a hotel, people are always asked, “Who are you?”
Naturally, we present our ID cards or passports for verification. However, this process gives rise to three key issues:
Duplication
Binding
Accountability
The hotel receptionist politely informs us, “Mr. X, we will scan your ID for record-keeping.”
We nod in agreement, often feeling like we have no other choice—unless we plan to sleep on the street that night. Few people ever question where this scanned personal data ends up, until they see news about data breaches. Just yesterday, there was a report about a significant data leak from OwlTing:
Taiwan-based blockchain hotel booking platform OwlTing improperly configured its cloud storage, leaving the data of around 70,000 customers—including names, email addresses, and other sensitive information—exposed to the public internet. According to Cybernews, 92% of the exposed phone numbers belonged to Taiwanese users, with others coming from Japan, South Korea, Hong Kong, Singapore, Malaysia, Thailand, and a few hundred from Europe.
This highlights the issue of duplication. Once a company obtains user data, it’s like a kite cut loose from its string—the data can be easily copied, and its future destination is unknown.
Additionally, personal IDs often contain more information than necessary. For example, besides your name and birthdate, your ID may also list your spouse’s name, place of birth, or military service status. Why does a hotel need to know if you served in the military? A hotel staff member might helplessly reply, “It’s just printed on the ID.” This is the binding issue.
Even if hotel staff reassure you that your data is being used appropriately, who ensures that they truly follow the regulations? If the government oversees this, who monitors the government? When data leaks occur, will it become a case of finger-pointing? This is the accountability issue.
Faced with these three problems, some argue that zero-knowledge proof technology can provide a solution. This brings us to the main topic of this article—zkKYC.
Zero-Knowledge Proof
What exactly is a Zero-Knowledge Proof (ZKP)?
Ethereum's founder, Vitalik Buterin, once referred to ZKP as "moon math" because it's so advanced that for most people, it might as well be from outer space. However, the basic principle of Zero-Knowledge Proofs is not as complicated as it sounds. My favorite analogy comes from the MIT Digital Currency Initiative's explanation using the example of colorblindness:
Imagine you have two billiard balls, one green and one red. Aside from their color, the two balls are identical. Now, suppose I’m colorblind and cannot tell them apart; to me, both balls appear exactly the same. The challenge is, can you convince me, without mentioning anything about color, that these two balls are indeed different?
It's actually quite simple. You hand both balls to me, the colorblind person, and I take them behind my back, shuffle them randomly, and then bring them out again. You then "guess" whether the ball that was originally in my left hand is now in my right hand.
Since you can easily tell the colors apart, this isn’t guessing at all—you immediately know which ball has switched hands. For me, however, it seems like a miracle. After all, I see both balls as identical, so it looks like you're just lucky. But after repeating this test a few times, I would start to believe that these two balls must be different, even though I can’t see how. Importantly, you never had to reveal any information about the colors.
This interaction demonstrates the essence of Zero-Knowledge Proofs. While no color information (in this case, personal data) is ever shared, the colorblind person is convinced that the two balls (or identities) are indeed different.
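The billiard-ball exchange above, run as a simulation with both sides of each round (an added example, not from the original article or the MIT explanation; the class and function names are made up for illustration). It shows why repetition convinces the colorblind verifier: a prover whose balls are actually identical can only guess, and survives n rounds with probability 2^-n.

```python
import secrets

RED, GREEN = "red", "green"

def coin():
    """One unpredictable bit: the verifier's secret swap decision."""
    return secrets.randbelow(2) == 1

class Prover:
    """Sees colors. Answers 'did you swap?' by comparing with the last view."""
    def __init__(self, first_view):
        self.last = first_view

    def respond(self, view):
        if view[0] != view[1]:
            swapped = view != self.last   # distinct balls: a swap is visible
        else:
            swapped = coin()              # identical balls: nothing to see, guess
        self.last = view
        return swapped

def run_protocol(balls, rounds):
    """Colorblind verifier's side. Returns (accepted, transcript)."""
    hands = list(balls)                   # [left, right]; verifier cannot read these
    prover = Prover(tuple(hands))
    transcript = []
    for _ in range(rounds):
        swapped = coin()
        if swapped:
            hands.reverse()               # done behind the verifier's back
        answer = prover.respond(tuple(hands))
        transcript.append((swapped, answer))
        if answer != swapped:
            return False, transcript      # one wrong answer ends the proof
    return True, transcript

def soundness_error(rounds):
    """Chance that a prover with identical balls survives every round."""
    return 0.5 ** rounds

def cheat_rate(rounds, trials):
    """Empirical acceptance rate when the claim 'the balls differ' is false."""
    wins = sum(run_protocol((RED, RED), rounds)[0] for _ in range(trials))
    return wins / trials

if __name__ == "__main__":
    print(run_protocol((RED, GREEN), 20)[0])        # honest prover is accepted
    print(cheat_rate(3, 4000), soundness_error(3))  # both close to 0.125
```

In the honest run every transcript entry is the verifier's own coin flip echoed back, so the verifier ends up with nothing it could not have written down alone, apart from the conviction that the balls differ.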
Now, let’s apply this to the hotel identity verification scenario. In this case, the colors represent personal data, and the hotel staff are the colorblind party. I need to convince the hotel that I am a certain individual without revealing my personal information. While identity verification is more complex than distinguishing colors, through sufficient computation, the hotel can still confirm who I am.
This brings us back to the key problems: duplication, binding, and accountability.
Zero-Knowledge Proof-based identity verification (zkKYC) doesn’t eliminate identity verification altogether but aims to minimize the amount of information disclosed, allowing individuals to control their data. In other words, zkKYC still requires KYC, but it doesn’t require you to undergo KYC everywhere you go.
For example, when applying for a mobile phone plan, I would have already completed KYC once. If I could obtain a zkKYC certificate issued by the telecom company, I could then use this certificate for identity verification when checking into a hotel or renting a car—just like showing a physical ID card.
Since the hotel has "zero knowledge" of my personal data, there’s no risk of data being duplicated or mismanaged because the original data was never handed over—it stays securely with the telecom company.
zkKYC is distinct from social logins or cross-institution data sharing. When I use my certificate to check into a hotel, the hotel doesn’t need to call the telecom company to verify my information. Instead, the zkKYC certificate, which appears empty to the hotel, actually contains all the necessary information. After some computation, the hotel can confirm my identity. This is the most fascinating aspect of zkKYC.
zkKYC offers many advantages. First, by not spreading original data everywhere, it significantly reduces the risk of data breaches. Second, binding is a flaw in physical documents, but digital data can easily enable selective disclosure. It’s like when an app asks if you want to grant access to your location, photos, or contacts. Unlike physical ID cards, where all information must be shared, digital IDs allow for more control.
In the future, if zkKYC becomes widely adopted in daily life, people might only need to complete KYC with one institution to receive a zkKYC certificate. With fewer entities holding the original data, accountability becomes much simpler in the event of a data breach. But is anyone currently using zkKYC? That’s where the OKX announcement comes into play.
On-Chain Identity
At a recent event, OKX founder Star Xu promised the integration of zkKYC but didn’t provide much detail on how the mechanism would be applied, nor did he offer a specific timeline. My guess is that this is OKX’s strategy for entering decentralized applications, where the exchange would act as the issuer of zkKYC certificates, to be later integrated into on-chain applications.
This is an untapped market. The reason why the on-chain financial world has yet to establish a credit system is that the identity problem remains unsolved. Without unique identities, individuals cannot accumulate credit. As a result, on-chain lending is limited to well-known public figures and has yet to reach the broader population.
OKX, as a centralized exchange, reasonably holds users' KYC data. If it can leverage this data to establish the foundation of an on-chain identity system by issuing zkKYC certificates to users, there could be an opportunity to introduce a credit system into the on-chain financial world. For instance, users could use zkKYC certificates to apply for credit loans through DeFi.
This aligns with the industry positioning of centralized exchanges, which serve as bridges between two worlds. Traditionally, these "two worlds" referred to fiat currencies and cryptocurrencies, but in the future, this bridge could also extend to off-chain identities and on-chain identities. However, the concept of zkKYC is still very new, and it brings with it a host of new challenges. For example, if an exchange collapses, the zkKYC certificates issued by it could also become invalid.
In the past, when an exchange failed, only the money disappeared. In the future, we might face the risk of identities vanishing as well. The most concerned parties in this scenario would be the on-chain creditors, the "on-chain lenders," who loaned money to users. Imagine a situation where all the borrowers disappear overnight—no one could accept that.
Even if zkKYC certificates are successfully issued, it would only be the first step. The system would still need to find service providers willing to recognize and accept these certificates before it can be fully functional.
Previously, I was optimistic and thought zkKYC would be ready in just a few months. But after the lessons of the past few years, I no longer believe OKX will launch zkKYC anytime soon. When it comes to innovations that involve regulatory oversight, even if the technology is fully prepared, there is still a long way to go. While zkKYC may not arrive immediately, I hope that the current bleak state of personal data protection is only temporary, and that solutions are already on the way.
Blocktrend is an independent media platform sustained by reader subscription fees. If you find Blocktrend's articles valuable, we welcome you to share this piece. You can also join discussions on our member-created Discord or collect the Writing NFT to include this article in your Web3 records.