zkPass Protocol: A Technical Overview of Privacy-Preserving Data Verification

The zkPass protocol is a privacy-first oracle solution that enables verifiable, on-chain validation of private internet data. Built on cutting-edge cryptographic technologies like zkTLS, 3P-TLS, and hybrid zero-knowledge (ZK) proofs, zkPass empowers users to securely share sensitive information—such as legal identity, financial records, education credentials, and more—without exposing personal details. This makes it ideal for applications in AI, decentralized identity (DID), DeFi lending, and beyond.

Whether you're verifying income for a loan or proving age eligibility for a digital service, zkPass ensures trust and privacy coexist.

Core Concepts and Definitions

Before diving into the architecture, let’s define key components:

• P: Prover (the user)
• V: Verifier (e.g., a service provider or smart contract)
• S: TLS server (trusted data source like a bank or government site)
• Q: Query initiated by the prover
• R: Response data from the server
• enc_key: Encryption key used in TLS
• mac_key: Message Authentication Code key for integrity
• t: Hash digest

These elements form the foundation of zkPass’s secure, privacy-preserving verification flow.

The Problem with Traditional Verification

In conventional systems, users submit personal data to verifiers who then cross-check with data sources. This creates three major issues:

1. Privacy Risk for Users: Full disclosure of sensitive data.
2. Data Exposure for Verifiers: They become custodians of private information, increasing breach risks.
3. Limited Flexibility for Data Sources: Most can’t offer granular, user-controlled verification.

zkPass flips this model: instead of handing over raw data, users fetch their own data from trusted sources and generate zero-knowledge proofs (ZKPs) locally. These proofs confirm specific claims—like “my income exceeds $50k”—without revealing any underlying details.

👉 Discover how decentralized identity verification is evolving with privacy-first tech

zkPass Architecture: How It Works

Step 1: Three-Party TLS (3P-TLS) + MPC

At its core, zkPass uses 3P-TLS, an extension of standard TLS (the backbone of HTTPS), enhanced with Multi-Party Computation (MPC) and Oblivious Transfer (OT). This allows two parties—the user (P) and a zkPass node (V)—to act as a joint client connecting to a server (S).

Phase 1: Three-Way Handshake

During the handshake:

• P and V collaboratively generate session keys.
• Using Paillier encryption, the pre-master secret is split: P and V each get half; S keeps the full key.
• The server returns its certificate and signs its public key, allowing V to verify authenticity—ensuring no fake websites are involved.

This setup maintains end-to-end trust while preventing either P or V from seeing all secrets.

Phase 2: Key Derivation via MPC

Through secure MPC:

• enc_key (for decrypting data) is derived but only accessible to P.
• mac_key (for message integrity) is shared between P and V—but V only holds part of it.

This means:

• V cannot decrypt user data → privacy preserved
• P cannot alter responses without detection → integrity enforced

Phase 3: Standard TLS & Proof Preparation

After secure communication is established:

• P sends a query (Q) using their access token (e.g., stored in cookies).
• S responds with encrypted data (R’), which P decrypts using enc_key.
• Both P and V exchange parameters needed for the next phase: zero-knowledge proof generation.

Optimizations like silent OT, stacked garbled circuits, and AES128-specific ZK methods reduce computation time by up to 10x and network overhead significantly.

Step 2: Hybrid Zero-Knowledge Proofs

zkPass combines Interactive ZK (IZK) and Non-Interactive ZK (NIZK) in a hybrid approach for efficiency and flexibility.

Interactive ZK (VOLE-ZK23)

zkPass uses a VOLE-based protocol called VOLE-ZK23, where P and V jointly generate vector oblivious linear evaluation instances satisfying m = k + w * delta.

In simple terms:

• P commits to parts of the computation.
• V holds verification parameters.

• Together, they prove that:

  • The request was made with a valid token.
  • The response came from the real server.
  • No tampering occurred.

Five critical constraints are verified:

1. Dec(enc_key, Q') = Q — The encrypted query matches the original.
2. Q = Query(token) — The query uses the user’s actual access token.
3. Dec(enc_key, R') = R — The response is correctly decrypted.
4. Verify(mac_key_pv, MAC, R) = 1 — Response integrity is intact via HMAC-SHA256.
5. b = Assert(R) — The data satisfies predefined conditions (e.g., age > 18).

These ensure both authenticity and selective disclosure.

Optimization Highlights

• SoftSpoken reduces network load by ~50%.
• XOR and INV gates require no commitment due to homomorphic properties.
• Only AND gates need protection—drastically reducing circuit complexity.
• Reusable VOLE parameters enable SIMD-like “multi-data signal input” for repeated operations like AES.

👉 See how zero-knowledge proofs are transforming online privacy

Non-Interactive ZK (NIZK) – For Public Verification

Once IZK completes successfully:

• The zkPass node signs the result.
• The user inserts the result into a Merkle tree.
• The root is updated in an SBT (Selective Blockchain Tree) contract.

To prove something later:

• The user generates a SNARK proof showing their data is a valid leaf in the tree and was signed by a node.
• Anyone can verify this on-chain without knowing the full dataset.

This enables scalable, trustless verification across decentralized apps.

Selective Blockchain Trees (SBT): Structured Privacy

zkPass implements dSBT (data SBT) and tSBT (type SBT) based on ERC998 for composable NFTs.

• tSBT: Categorizes data types—e.g., identity, finance, education.
• dSBT: Stores actual claims derived from secure MPC extractions.

Each dSBT contains:

• A claim tree hashing individual data points (country, age, etc.).
• A root hash secured with babyjubjub signatures and entropy from private keys.
• Zero-knowledge proofs ensuring correct tree construction.

Users can then generate proofs for specific queries:

"Prove I’m over 18" → Show inclusion of age node + value > 18 → Verified without revealing exact age.

All private data remains off-chain and unseen.

Security Model and Threat Mitigation

Potential adversaries include:

• Malicious clients trying to forge proofs
• Rogue nodes attempting to extract user data

Defense Mechanisms:

1. Gateway Layer: Acts like a blockchain RPC endpoint, masking client network patterns.
2. Fishermen System: Random nodes (“fishermen”) send test tasks. Since malicious nodes can’t distinguish real users from fishermen, cheating risks slashing their staked assets.
3. Automated Arbitration: A mediator caches communications and can replay verification using disclosed VOLE parameters to determine fault—fully automated.

This creates strong economic incentives against malice.

Frequently Asked Questions (FAQ)

Q: What makes zkPass different from other ZK oracles?
A: Unlike most oracles that rely on APIs or trust assumptions, zkPass directly verifies HTTPS traffic using zkTLS and 3P-TLS—enabling privacy-preserving access to any website without OAuth.

Q: Can I use zkPass today?
A: Yes. Developers can integrate zkPass into dApps for identity verification, credit scoring, or age checks—all while keeping user data private.

Q: Does zkPass store my personal data?
A: No. All sensitive data stays on your device. Only zero-knowledge proofs are shared.

Q: How does zkPass handle fake websites?
A: During the TLS handshake, servers must provide valid certificates signed by trusted CAs. Both user and node validate these, preventing phishing attacks.

Q: Is the system decentralized?
A: Yes. With fishermen, staking, slashing, and automated arbitration, zkPass operates as a trustless network.

Q: What blockchains support zkPass?
A: zkPass is blockchain-agnostic and integrates with Ethereum, zkSync, Scroll, and others via smart contracts.

Final Thoughts

zkPass redefines how we think about digital identity and data sharing. By combining 3P-TLS, MPC, and hybrid ZK proofs, it delivers a powerful framework where privacy doesn’t come at the cost of verifiability.

From securing AI training data to enabling permissionless lending, zkPass unlocks new possibilities across Web3—and beyond.

👉 Explore the future of private, verifiable data with next-gen protocols