
arxiv: 2602.16130 · v2 · submitted 2026-02-18 · 💻 cs.NI · cs.CR

ZK-AMS: Credibly Anonymous Admission for Web 3.0 Platforms via Recursive Proof Aggregation

Pith reviewed 2026-05-15 21:44 UTC · model grok-4.3

classification 💻 cs.NI cs.CR
keywords zero-knowledge proofs · recursive proof aggregation · anonymous admission · Web 3.0 · homomorphic encryption · batch verification · personhood credentials · soul accounts

The pith

ZK-AMS admits users to Web 3.0 platforms anonymously by folding zero-knowledge proofs into batches that verify on-chain at constant cost per batch.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces ZK-AMS to solve the problem of scaling anonymous user admission on Web 3.0 platforms without identity disclosure or per-user on-chain verification fees. It composes credential validation, permissionless batch submission, recursive proof aggregation, and anonymous account creation into a single workflow. The central mechanism folds multiple admission instances off-chain using multi-key homomorphic encryption so an untrusted coordinator can aggregate proofs without seeing individual user witnesses. The aggregated batch then settles on-chain with verification cost that stays fixed no matter how many users join in one batch. A sympathetic reader cares because this removes the cost and latency unpredictability that currently limits bursty onboarding on decentralized platforms.

Core claim

ZK-AMS maps Personhood Credentials to anonymous on-chain Soul Accounts by folding admission instances of a common relation off-chain under multi-key homomorphic encryption, allowing an untrusted batch submitter to coordinate recursive proof aggregation without direct access to individual user witnesses; the resulting batch settles on-chain with constant verification cost per batch rather than per admitted user.

What carries the argument

The confidential batching pipeline that folds admission instances under multi-key homomorphic encryption to support recursive proof aggregation without exposing user witnesses.

If this is right

  • On-chain verification gas stays stable across different batch sizes on Ethereum.
  • Amortized cost per admitted user drops substantially compared with non-recursive baselines.
  • End-to-end latency remains practical even under high-concurrency onboarding loads.
  • Platforms no longer face unpredictable gas spikes tied to the number of simultaneous users.
  • The workflow avoids both per-request on-chain verification and reliance on trusted batching entities.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same pipeline could be reused for other scalable anonymous verification tasks such as decentralized voting or credential renewal without redesigning the on-chain layer.
  • If the multi-key encryption properties generalize, coordinators in other domains could aggregate private data without gaining access to it.
  • Parameter choices evaluated in the paper suggest that platforms with known traffic patterns can tune batch size to minimize total user wait time.
  • Extending the approach to cross-chain settlement would require only that the target chain supports the same constant-cost verification primitive.

Load-bearing premise

The confidentiality scope of the batching pipeline under multi-key homomorphic encryption holds as characterized in the security analysis.

What would settle it

An attack that extracts an individual user witness from the encrypted batch pipeline or on-chain measurements showing verification gas scaling linearly with batch size would disprove the constant-cost claim.

Figures

Figures reproduced from arXiv: 2602.16130 by Boris Düdder, Long Shi, Shengli Zhang, Shui Yu, Taotao Wang, Zibin Lin.

Figure 1: ZK-AMS platform architecture and admission workflow: (1) client-side credential processing; (2) confidential off-chain batch
Figure 2: Circuit constraint counts versus admission batch size
Figure 3: PBS proof-generation time versus admission batch size
Figure 5: MLSAGS signing time (client) and on-chain verification gas
Figure 6: Scalability of confidential off-chain folding as the participant count
Original abstract

Web 3.0 platforms need an onboarding mechanism that can admit real users at scale without forcing them to reveal identity documents or pay one on-chain verification cost per user. Existing approaches typically rely on KYC-style disclosure, per-request on-chain verification, or trusted batching, making onboarding cost and latency difficult to predict under bursty demand. We present ZK-AMS, a credibly anonymous admission infrastructure that maps Personhood Credentials to anonymous on-chain Soul Accounts. Rather than introducing a new primitive, ZK-AMS composes zero-knowledge credential validation, permissionless batch submission, recursive proof aggregation, and anonymous post-admission account provisioning into one end-to-end workflow. Its key design feature is a confidential batching pipeline in which admission instances of a common relation are folded off-chain under multi-key homomorphic encryption, allowing an untrusted batch submitter to coordinate aggregation without direct access to individual user witnesses during batching; the confidentiality scope is characterized explicitly in the security analysis. The resulting batch is settled on-chain with constant verification cost per batch rather than per admitted user. We implement ZK-AMS on an Ethereum testbed and evaluate admission throughput, end-to-end latency, gas consumption, and parameter trade-offs. Results show stable batch-verification gas across evaluated batch sizes, substantially lower amortized on-chain cost than the non-recursive baseline, and practical cost-latency trade-offs for high-concurrency onboarding in Web 3.0 platforms.
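The folding of "admission instances of a common relation" into one batch can be seen at the witness level in the sketch below, which is an added example and not code from the paper or from Pith. It assumes a Nova-style relaxed R1CS fold (the page does not name the folding scheme), a toy relation y = w^2 + w + 5 standing in for the credential circuit, and a constructed field modulus and hash-derived challenge; the commitments and the multi-key homomorphic encryption that would wrap these values are omitted.

```python
# Added example: Nova-style folding of relaxed R1CS instances (witness level only).
# Assumptions (not from the page): toy relation y = w^2 + w + 5, modulus P,
# hash-derived challenge. Commitments and encryption are left out.
import hashlib

P = 2**61 - 1  # prime field modulus, constructed for this demo

# Z = [u, y, w, v]: u is the relaxation scalar (1 for a fresh instance),
# y the public output, w the secret witness, v = w*w an intermediate value.
A = [[0, 0, 1, 0], [5, 0, 1, 1]]
B = [[0, 0, 1, 0], [1, 0, 0, 0]]
C = [[0, 0, 0, 1], [0, 1, 0, 0]]

def mat_vec(M, z):
    return [sum(m * x for m, x in zip(row, z)) % P for row in M]

def fresh_instance(w, y=None):
    """Build (Z, E) for secret w; pass a wrong y to model an invalid request."""
    v = w * w % P
    y = (v + w + 5) % P if y is None else y
    return [1, y, w, v], [0] * len(A)

def satisfied(Z, E):
    """Relaxed R1CS check: (A Z) o (B Z) == u * (C Z) + E, with u = Z[0]."""
    az, bz, cz = mat_vec(A, Z), mat_vec(B, Z), mat_vec(C, Z)
    return all((a * b - Z[0] * c - e) % P == 0
               for a, b, c, e in zip(az, bz, cz, E))

def challenge(acc, new):
    """Fiat-Shamir style challenge. Real schemes hash commitments, not raw data."""
    data = repr((acc, new)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P

def fold(acc, new):
    """Fold instance `new` into accumulator `acc` using challenge r."""
    (Z1, E1), (Z2, E2) = acc, new
    r = challenge(acc, new)
    az1, bz1, cz1 = mat_vec(A, Z1), mat_vec(B, Z1), mat_vec(C, Z1)
    az2, bz2, cz2 = mat_vec(A, Z2), mat_vec(B, Z2), mat_vec(C, Z2)
    # Cross term T: the only part that multiplies data from both instances.
    T = [(a1 * b2 + a2 * b1 - Z1[0] * c2 - Z2[0] * c1) % P
         for a1, b1, c1, a2, b2, c2 in zip(az1, bz1, cz1, az2, bz2, cz2)]
    Z = [(x1 + r * x2) % P for x1, x2 in zip(Z1, Z2)]  # linear in Z
    E = [(e1 + r * t + r * r * e2) % P for e1, t, e2 in zip(E1, T, E2)]
    return Z, E

def fold_batch(instances):
    """Fold a whole batch into one accumulator of fixed size."""
    acc = instances[0]
    for inst in instances[1:]:
        acc = fold(acc, inst)
    return acc

def batch_ok(secrets, forged_index=None):
    """Fold one instance per secret and run the single final check."""
    batch = [fresh_instance(w) for w in secrets]
    if forged_index is not None:
        w = secrets[forged_index]
        batch[forged_index] = fresh_instance(w, y=(w + 1) % P)  # wrong output
    return satisfied(*fold_batch(batch))
```

The folded pair (Z, E) has the same length whether 4 or 64 instances went in, so the final check does not grow with the batch, and one forged instance leaves a nonzero residual that makes that check fail.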

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 2 minor

Summary. The paper presents ZK-AMS, a system for credibly anonymous admission to Web 3.0 platforms. It composes zero-knowledge validation of Personhood Credentials, permissionless batch submission, recursive proof aggregation, and multi-key homomorphic encryption to fold admission instances off-chain. This allows an untrusted submitter to coordinate aggregation without learning individual witnesses, settling the batch on-chain with constant verification cost per batch rather than per user. The resulting anonymous Soul Accounts are provisioned post-admission. An Ethereum testbed implementation reports stable batch gas costs, lower amortized on-chain expense than non-recursive baselines, and practical latency-throughput trade-offs.

Significance. If the confidentiality scope of the multi-key homomorphic encryption batching pipeline holds under the stated threat model, ZK-AMS would provide a practical, scalable mechanism for privacy-preserving onboarding that avoids per-user on-chain costs and trusted intermediaries. The composition of existing primitives with explicit security characterization and reproducible testbed measurements on gas and latency constitutes a concrete engineering contribution to Web3 identity infrastructure.

major comments (1)
  1. [Security Analysis] Security Analysis section: the claim that the multi-key homomorphic encryption pipeline preserves confidentiality against an active untrusted batch submitter (who may supply malformed keys or observe intermediate ciphertexts during folding) is load-bearing for the constant-cost anonymous admission guarantee. No formal reduction or proof sketch is provided showing that the ZK relation for Personhood Credentials remains hidden when the circuit is only partially revealed; without this, the headline claim that the on-chain batch remains credibly anonymous cannot be verified.
minor comments (2)
  1. [Evaluation] Evaluation section: the reported stable batch-verification gas across sizes is useful, but the paper should include a table with exact gas figures, batch sizes, and direct comparison to the non-recursive baseline to substantiate the 'substantially lower amortized cost' claim.
  2. [Abstract] The abstract states that the confidentiality scope is 'characterized explicitly,' yet the manuscript should add a dedicated subsection or theorem statement that lists the exact assumptions (e.g., honest-but-curious vs. malicious submitter) under which the scope holds.

Simulated Author's Rebuttal

1 response · 0 unresolved

We thank the referee for their detailed and constructive review of our manuscript. We address the single major comment below and describe the planned revision.

Point-by-point responses
  1. Referee: [Security Analysis] Security Analysis section: the claim that the multi-key homomorphic encryption pipeline preserves confidentiality against an active untrusted batch submitter (who may supply malformed keys or observe intermediate ciphertexts during folding) is load-bearing for the constant-cost anonymous admission guarantee. No formal reduction or proof sketch is provided showing that the ZK relation for Personhood Credentials remains hidden when the circuit is only partially revealed; without this, the headline claim that the on-chain batch remains credibly anonymous cannot be verified.

    Authors: We acknowledge that the current Security Analysis section characterizes the confidentiality scope through the semantic security of the multi-key homomorphic encryption scheme and the zero-knowledge property of the recursive proofs, arguing that an active submitter cannot recover individual witnesses because folding occurs under encryption and malformed keys are rejected by the proofs. However, we agree that the absence of an explicit reduction or proof sketch leaves the argument less rigorous than ideal. In the revised manuscript we will add a dedicated subsection containing a high-level security reduction sketch. The sketch will employ a standard hybrid argument: the first hybrid replaces the real MKHE ciphertexts with simulated ones (indistinguishable by semantic security), the second replaces the partial circuit openings with a zero-knowledge simulator (indistinguishable by the zk-SNARK property), and the final hybrid shows that the submitter's view is independent of the underlying Personhood Credential relations. We will also explicitly address the malformed-key case by noting that any deviation from the prescribed key-generation protocol is detected by the outer verification circuit. This addition will be placed in the Security Analysis section without changing the system architecture or evaluation results.

    revision: yes

Circularity Check

0 steps flagged

No circularity: architectural composition of standard primitives

Full rationale

The paper presents ZK-AMS as an end-to-end workflow that composes existing building blocks (zero-knowledge credential validation, permissionless batch submission, recursive proof aggregation, and anonymous account provisioning) without introducing new primitives or performing any derivations. No equations, fitted parameters, or self-referential reductions appear in the abstract or described workflow. The constant on-chain verification cost follows directly from applying standard recursive aggregation to batched instances; the confidentiality scope is stated as an explicit assumption in the security analysis rather than derived from the paper's own inputs. This is a self-contained architectural description with no load-bearing steps that reduce to their own definitions or prior self-citations.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

The central claim rests on standard cryptographic assumptions for zero-knowledge proofs and homomorphic encryption; no free parameters or new entities are introduced in the abstract description.

axioms (1)
  • domain assumption: Zero-knowledge proofs and recursive aggregation are secure under standard cryptographic assumptions
    The security of the confidential batching and constant-cost verification depends on these properties holding.

pith-pipeline@v0.9.0 · 5582 in / 1187 out tokens · 44016 ms · 2026-05-15T21:44:01.708799+00:00 · methodology


