Name	Name	Last commit message	Last commit date
parent directory ..
.nojekyll	.nojekyll
README.md	README.md
index.html	index.html

ZK Email

ZK Email is an app for you to anonymously verify email signatures yet mask whatever data you would like. Each email can either be verified to be to/from specific domains or subsets of domains, or have some specific text in the body. These can be used for web2 interoperability, decentralized anonymous KYC, or interesting on-chain anonymity sets. For a deeper dive, read our full blog post.

Registering your email identity

If you wish to generate a ZK proof of Twitter badge, you must do these:

Send yourself a password reset email from Twitter in incognito.
In your inbox, find the email from Twitter and download headers (three dots, then download message).
Copy paste the entire contents of the file into the box below. We admit it is an unfortunate flow, but we are still searching for a good Twitter email that anyone can induce that cannot be injected.
Paste in your sending Ethereum address
Click "Generate Proof"

Note that it is completely client side and open source, and you are not trusting us with any private information.

Verifying Signatures

To verify a group signature, simply paste the resulting proof on the right hand side and click the Verify button. We will try to populate some signals.

Advanced Understanding

Because you put your Ethereum address into the proof, it operates as a commitment such that no one else can steal your proof on chain. If you in the future decide to shift your Twitter badge to a new Ethereum address, you can do so by just generating a proof like this again.

Because all web2 data is centralized to some extent, note that the Twitter mailserver or database may know other identifying metadata about you just from your username.

Because we do not currently have a nullifier, email addresses can generate an infinite number of password reset emails and thus Twitter badges corresponding to their username, meaning their credentials are safe if their Ethereum account is hijacked. This also means 'uniqueness' is hard to define, so anonymous voting protocols in some anonymity set based on zk-email verification would not be possible.

The verification is slow due to large zkeys and proving time, things we are both working on and starting new from-scratch implementations to fix.

There are several other theoretical issues like BCC's etc that break the claimed properties, so contact us or join our discord (has limited uses, dm us for a new link) for more discussion.

ZK Proofs

ZK proofs are essentially signatures which require knowledge of a value satisfying a specific function in order to generate correctly (so they prove knowledge of the value); however, they do not reveal these values to any validator (so they are zero-knowledge). Surprisingly, ZK proofs can be constructed for any computable function.

For ZK Email, the function we care about is

DKIM = RSA_verify(sha_hash(header | sha_hash(body)), pk)

A ZK proof of this statement shows that you own your public ssh key and are part of the group, but does not reveal your public ssh key beyond that. The pk is on the DNS record of the mail sending website.

In addition, for any fixed function, we can actually devise a scheme that produces a very short proof: it is the same size irrespective of the size/complexity of the function. Verification time is also constant; this requires a precomputed short "verification key" which cryptographically encodes the particular function. These succinct proofs are called zkSNARKs (Succinct Non-interactive ARguments of Knowledge). zkSNARKs can be verified very quickly, but signing (proving) a message still requires time proportional to the size of the function.

ZK Proof Construction

ZK proof protocols are generally specified as "arithmetic circuits" which enforce particular constraints on the inputs. These circuits allow you to constrain that two hidden "signals" add or multiply to another; signals can correspond to provided inputs or can be computed intermediates.