Learn more about the latest security and privacy threats
Back

How Zyphe Uses Zero-Knowledge Proofs in Production KYC

Michelangelo FrigoMichelangelo Frigo(Co-Founder at Zyphe)Published May 21, 2025Updated May 5, 2026
The 3D illustration of a server containing Zero Knowledge KYC.

How Zyphe uses zero-knowledge proofs in production KYC: regulator-grade verification with sub-second performance and no document retention.

Table of contents

Hero / opening

Zero-knowledge proof KYC stopped being a research-paper topic in 2025. The EU Digital Identity Wallet rollout under eIDAS 2 made ZKP-based selective disclosure a regulator-blessed primitive. The AMLA per-decision defensibility test made auditable identity attribute proofs a procurement requirement. And every centralised KYC vendor that survived IDmerit and Sumsub is scrambling to add ZKP veneer to architectures that fundamentally can't deliver it. This piece names what Zyphe actually ships in production, the cryptographic primitives, and the boundaries of what ZKP can and cannot prove for compliance.

What is a zero-knowledge proof, in operational terms?

A zero-knowledge proof lets one party (the prover) convince another (the verifier) that a statement is true without revealing the underlying data. For KYC, the operational shift is that an operator's smart contract or backend can confirm "this customer is over 18, EU-resident, and sanctions-clear" without ever receiving the customer's passport, address, or document image.

The cryptographic primitives in production use today fall into three families:

  1. zk-SNARKs (Succinct Non-Interactive Arguments of Knowledge). The dominant family for compute-heavy predicates. Common implementations include Groth16 (small proofs, trusted setup required) and PLONK (universal trusted setup, more flexible).
  2. zk-STARKs (Scalable Transparent ARguments of Knowledge). No trusted setup, larger proof size, faster verification at scale. Used by some L2s and increasingly in identity contexts.
  3. Bulletproofs and other range-proof primitives. Used for specific predicates like "value is in range" without proving the underlying value.

The detail that matters for compliance: the verifier learns only the predicate truth value. They do not learn the underlying identity, document number, biometric template, or any property of the customer beyond what the proof asserts.

For the broader architectural context, see Decentralized KYC and Decentralized PII Storage.

What does Zyphe's ZK architecture actually look like in production?

Five architectural primitives, each ZKP-relevant.

  1. Off-chain verification produces signed identity attestations. The customer completes the verification flow (government ID with NFC chip read, biometric liveness, sanctions, PEP, address). Zyphe issues a signed attestation: a structured object containing verified attributes, the policy version applied, and the timestamp.
  2. Selective-disclosure ZKP issuance. From the attestation, Zyphe generates ZKP circuits per predicate the operator might need to verify: "over_18", "eu_resident", "sanctions_clear", "kyc_level_3_or_above", "non_pep". Each circuit produces a ZKP that the operator's backend or smart contract can verify in constant time.
  3. User-controlled proof issuance. The customer holds the proving key in a vault they control, typically on-device. When an operator requests a predicate proof, the customer's wallet signs and submits. Zyphe's infrastructure does not act as an oracle that can be coerced or breached into producing proofs without the customer's consent.
  4. On-chain verifier contract. For DeFi or DAO use cases, the predicate verifier deploys as a smart contract. The contract takes the proof as input, runs the verification, returns boolean. Common Solidity verifier patterns are about 1.5 million gas for a Groth16 verification, well within practical bounds for L1 or L2 deployment.
  5. Threshold-encrypted audit trail. Every issued proof, every verification, every revocation is logged in a regulator-accessible audit channel using threshold encryption. The regulator can verify the verification ran, the policy applied, the timestamps, without seeing the underlying customer document.

The architectural detail of which primitive Zyphe uses for which predicate (Groth16 for low-frequency identity attributes, PLONK for higher-throughput cases, range proofs for specific numeric predicates) is bracketed for the editor to confirm with the engineering team before publishing.

What identity predicates can a ZKP actually prove?

Six predicate classes operators commonly need:

The boundary worth flagging: ZKP does not eliminate the need for verification; it eliminates the need for the verifier to receive the underlying data. The off-chain verification step still happens with a regulated identity provider. The ZKP layer is downstream: it takes the verified attestation and produces compact proofs of specific attributes.

For the regulatory framing, see our crypto KYC compliance breakdown and KYC vs AML differences.

How does eIDAS 2 change the ZKP-in-KYC conversation?

The EU Digital Identity Regulation (eIDAS 2), in force since 2024 with national wallet rollouts running through 2026, mandates that EU member states issue digital identity wallets to citizens and that those wallets support selective-disclosure mechanisms based on cryptographic proofs.

The downstream consequence for KYC: regulated operators in the EU will increasingly receive verified credentials from EU citizen wallets that include ZKP-based selective disclosure as a first-class primitive. An EU CASP onboarding an EU citizen can request a ZKP that the citizen is over 18 and EU-resident, satisfy MiCA Article 70's identity verification requirement, and never see the citizen's underlying document.

This is the regulator-blessed path that legitimises ZKP for compliance. Vendor architectures that can integrate with the EU wallet's ZKP primitives are inheriting an institutional trust signal that pre-eIDAS implementations could not.

For the broader regulatory context, see our eIDAS 2 EU Digital Identity Wallet KYC compliance guide and the MiCA framework breakdown.

What does AMLA's per-decision defensibility test mean for ZKP-based KYC?

The EU Anti-Money Laundering Authority, operational since 2025 with the single AML rulebook applying from July 10, 2027, requires firms to demonstrate the rationale for every escalation and every dismissal across the AML stack.

For ZKP-based identity proofs specifically, this raises a question worth answering directly: can a ZKP system be audit-defensible per case? The answer is yes, when the architecture is designed for it.

Three architectural choices that make ZKP audit-defensible:

  1. Per-proof identifier and audit log. Every issued proof has a unique identifier logged with the policy version, the timestamp, the verifying party, and the predicate asserted. The regulator can pull the audit log and verify which proof was issued for which onboarding event.
  2. Policy versioning. The predicate circuit version is part of the audit record. If the regulator asks why a customer was admitted in March under one policy and rejected in April under a different policy, the audit log explains.
  3. Threshold-encrypted reveal mechanism. In the rare case where a regulator needs to inspect the underlying identity (e.g., post-hoc investigation of a suspected fraud), threshold encryption with regulator-plus-customer co-sign reveals the relevant attestation without compromising the broader privacy property.

The ZKP system's audit defensibility is on par with traditional KYC programmes when designed with these primitives, and superior in one respect: the regulator can verify the integrity of the verification programme without exposing customer PII at scale.

For the broader supervisory direction, see our adverse media screening breakdown and compliance enforcement 2026: fintech takeaways.

What are the practical limits of ZKP-based KYC in 2026?

Four honest constraints worth flagging.

  1. Trusted setup considerations for some primitives. Groth16 requires a one-time trusted setup ceremony per circuit. Compromised setup ceremonies have produced flawed proof systems historically. PLONK and zk-STARKs avoid this constraint at the cost of larger proofs or different performance profiles.
  2. Proof generation cost. Generating a Groth16 proof for a complex identity predicate can take seconds on consumer hardware. PLONK and zk-STARKs have different cost profiles. For high-throughput use cases, the architectural choice matters.
  3. Predicate definition is a regulatory question, not just a technical one. "Sanctions_clear" requires deciding which sanctions lists, refreshed how often, with what threshold. The ZKP doesn't define the policy; it certifies the policy was applied.
  4. Custodial risk on the proving key. If the customer loses control of their proving key, they cannot generate new proofs. Zyphe's user-controlled vault includes recovery mechanisms, but the design space is non-trivial.

For the architectural detail underneath the user-controlled vault, see Decentralized PII Storage.

How does ZKP-based KYC compare to centralised vendor "encrypted at rest" claims?

The architectural distinction the IDmerit and Sumsub breaches made obvious.

The marketing claim "encrypted at rest" was the architecture that produced the breaches. ZKP-based selective disclosure is the architecture that prevents them.

For the breach math, see is KYC safe in 2026? and the identity breach epidemic 2026 analysis.

How should an operator evaluate a ZKP-based KYC vendor?

Six diagnostic questions for procurement:

  1. What ZKP primitive do you use, and is the trusted setup verifiable? Groth16 with a documented multi-party ceremony, PLONK with universal setup, or zk-STARKs with no setup are all defensible. Vendors who can't answer this should be eliminated.
  2. Where does the proving key live, and how is recovery handled? User-controlled with a documented recovery mechanism is the gold standard.
  3. What predicates do you support out of the box? A vendor offering only "over_18" is a marketing layer, not a compliance primitive.
  4. How is the audit trail structured, and can a regulator verify it without seeing customer PII? The AMLA defensibility test applies here.
  5. What's the proof generation cost on consumer hardware? Sub-second for common predicates is now achievable; over 5 seconds is a UX problem.
  6. What's your eIDAS 2 wallet integration roadmap? Vendors who can integrate with EU citizen wallets are inheriting institutional trust; those who can't are increasingly stuck.

For the broader vendor-evaluation framework, see our top compliance tools evaluation guide.

The bottom line

Zero-knowledge proof KYC moved from research paper to production primitive in 2025, accelerated by the eIDAS 2 wallet rollout and AMLA's per-decision defensibility test. The architectural distinction that matters is between vendors who treat ZKP as a marketing veneer over centralised storage and vendors whose architecture was designed around the primitive. The procurement question is no longer whether the vendor "supports" ZKP, but whether the architecture lets ZKP do what it's supposed to do.

If the technical conversation belongs in your roadmap, book a 30-minute walkthrough and we'll show the production circuits plus the audit trail your security team will read first.

Related resources

  1. eIDAS 2 context, EU Digital Identity Wallet KYC compliance guide
  2. Architecture, Decentralized KYC
  3. Web3, Blockchain identity verification
Michelangelo FrigoMichelangelo Frigo(Co-Founder at Zyphe)Michelangelo Frigo is a privacy and identity infrastructure expert, founder and CEO of Togggle, and co-founder of Zyphe.

Frequently Asked Questions

A cryptographic proof that lets a verifier confirm a statement about a customer's identity (over 18, EU-resident, sanctions-clear) without receiving the underlying document or PII. The verifier learns only the predicate truth value. For compliance, this means the operator can satisfy regulatory verification requirements without becoming a data-retention liability.

The architecture supports zk-SNARKs (Groth16 for compute-heavy predicates, PLONK for universal-setup flexibility) and zk-STARKs for transparent setup. Range proofs apply for numeric predicates. The specific primitive used per predicate type is bracketed for confirmation by the engineering team before publishing this piece.

No. ZKP eliminates the need for the verifier to receive the underlying identity data. The off-chain verification step still happens with a regulated identity provider; ZKP is downstream of that step, taking the verified attestation and producing compact proofs of specific attributes. The verification quality depends on the upstream KYC.

eIDAS 2, in force since 2024 with national wallet rollouts through 2026, mandates EU citizen wallets that support selective-disclosure mechanisms based on cryptographic proofs. EU CASPs onboarding EU citizens can request ZKP-based attribute proofs via the wallet, satisfying MiCA verification without seeing the underlying document. This is the regulator-blessed path for ZKP in KYC.

Yes, when the architecture is designed for it. Three primitives matter: per-proof unique identifier and audit log; policy versioning per predicate circuit; threshold-encrypted reveal mechanism for post-hoc regulator inspection. The AMLA per-decision defensibility test applies to escalation and dismissal rationale; ZKP audit logs satisfy this without exposing customer PII at scale.

Four constraints: trusted setup considerations for some primitives (Groth16); proof generation cost on consumer hardware (sub-second feasible, multi-second possible); predicate definition is a regulatory question, not just technical; custodial risk on the user-held proving key requires a recovery mechanism. The architecture is mature for production but the design space is non-trivial.

Centralised "encrypted at rest" still stores the customer's documents on the vendor's servers, accessible to staff and exposed in a breach (the IDmerit and Sumsub pattern). ZKP-based selective disclosure means no reconstructable record exists on the vendor's infrastructure; the verifier learns only the predicate. The architectural difference is what makes breaches mathematically irrelevant.

Six questions: what ZKP primitive (Groth16, PLONK, zk-STARK)? Where does the proving key live? What predicates are supported out of the box? How is the audit trail structured for AMLA defensibility? What's the proof generation cost on consumer hardware? What's the eIDAS 2 wallet integration roadmap? Vendors deflecting on three or more should be eliminated.