Vega: Zero-knowledge proofs for digital identity in the age of AI

AI is transforming how people interact with digital, from AI-powered assistants to autonomous agents that act on a user’s behalf. As these capabilities grow, so does the value of strong digital identity: users need reliable ways to establish trust, whether proving they are human or sharing a credential with an AI-mediated service. Government-issued credentials are still the strongest foundation for trust, but today’s verification methods often require people to hand them over. As AI agents begin acting on behalf of humans and interacting with decentralized systems, the need for fast, privacy-preserving ways to prove credentials will only grow.

These needs are already materializing in policy. Governments are moving quickly to formalize digital identity. The EU Digital Identity (EUDI) framework aims to make digital wallets available to all EU citizens, and efforts like the EU’s age-verification blueprint and the UK’s Online Safety Act mandate government ID-based methods for age checks. Application providers face a double bind: they must either use less accurate approaches like AI-based age estimation, or compromise user privacy by requiring ID uploads.

The credential gets uploaded, processed, sometimes stored, and eventually (hopefully) deleted. But high-profile breaches have repeatedly exposed government IDs that users shared for routine verification. These are not edge cases. They are the predictable consequence of a system that asks users to share their most sensitive documents to prove a single bit of information.

This is the question we set out to answer with Vega: Can we make it practical to prove something about a credential without ever revealing the credential itself?

The path to Vega: From idea to practice

Zero-knowledge proofs (ZKPs) are the cryptographic tool that makes this possible. The idea is simple: they allow a user to prove a claim, such as “I am over 21”, without revealing anything else.. In practice, this means a user could prove their age from their driver’s license without the verifier ever seeing the license, whether to a website, an app, or a service mediated by an AI agent.  The proof works directly on the credential as issued, so the issuer does not need to change anything.

so the issuer does not need to change anything. 

This is not a new idea. The challenge has always been practicality. Prior systems either require a trusted setup that had to be repeated whenever the logic changed, or they sacrificed performance to avoid the trusted setup, often producing large proofs in the process. For real-world use, the proof needs to be fast to generate, small enough to transmit quickly, and efficient enough to run on a mobile device.

We have spent several years working toward a practical solution. Privacy-preserving identity has been a motivating application (opens in new tab) throughout, and Vega’s proof system draws on several building blocks from that line of work:

• Spartan (opens in new tab) showed how to efficiently prove R1CS, a standard way to express statements for a general-purpose proof system, with succinct proofs and without a trusted setup.
• Nova (opens in new tab) introduced folding schemes, which let a prover compress many instances of a computation into one. 
• HyperNova (opens in new tab) showed that Nova’s folding also provides a key building block for zero-knowledge: folding a real instance with a random instance hides the underlying secret data, a technique dubbed “NovaBlindFold.”
• NeutronNova (opens in new tab) provided the most efficient folding scheme for handling a batch of instances at once.

Vega puts these building blocks together into a single proof system. A key design goal is simplicity. Spartan, Nova, and NeutronNova are composed in a direct way, and the circuit is built from a small number of standard components, with no exotic multi-field constructions and no trusted setup. On top of this simple foundation, Vega adds the ability to reuse work across multiple proofs of the same credential and a new way to achieve zero-knowledge with minimal overhead. The result is a system that is easy to audit, extend to new credential formats, and deploy.

Performance

Vega generates a zero-knowledge proof of age from a typical mobile driver’s license, about 2 kilobytes (KB), in 92 miliseconds (ms) on a commodity client device. The resulting proof is 108 KB and can be verified in 23 ms. No trusted setup is required. The prover key is 464 KB; it fits comfortably on any phone. For smaller credentials, proving drops to 62 ms, with 83 KB proofs, and 17 ms verification. In practice, a user taps a button to present a credential, and 92 ms later the proof is done. The service learns only the requested fact; the credential never leaves the phone.

Under the hood: Fold, reuse, and lookup

Vega’s speed comes from two ideas: fold-and-reuse proving and lookup-centric circuit design. The figure below shows the proving pipeline end to end.

The hashing problem, and how folding solves it

A credential proof must do two expensive things: hash the credential bytes with SHA-256 and verify the issuer’s digital signature. Signature verification would normally be the bottleneck, but  Vega avoids that cost by working in a field where the signature arithmetic is native. As a result, hashing becomes the dominant cost. SHA-256 works by applying the same compression function to one 64-byte block at a time. A straightforward circuit simply unrolls all of these iterations,so its size grows with the length of the credential. For a typical mobile driver’s license, that is 30 blocks of compression, all captured in a single circuit.

We take a different approach. Instead of unrolling the entire hash, we define one small “step” circuit that proves a single SHA-256 compression step, and we instantiate it once per block. Because these step instances are structurally identical, we can use NeutronNova’s folding scheme to collapse them into a single instance. The prover does work to fold the 30 step instances into one, but this folding cost is modest. Spartan then only needs to prove a single step-sized circuit alongside a separate “core” circuit that handles the rest of the checks, including signature verification and age predicates, rather than a monolithic circuit with 30 unrolled blocks. The proving key only needs to describe one step and one core, so it stays small regardless of credential length.

There is a subtle privacy issue here to arddress. Credentials vary in length, and if the circuit size varied with the credential, that would leak information. To prevent this, all step circuits share a committed table of intermediate digests. The core circuit picks the selects the appropriate digest using a private index. If the prover selects the wrong entry, the issuer’s signature check fails.

Making it zero-knowledge, cheaply

A proof system needs to be zero-knowledge: the verifier should learn nothing beyond the claim being proved. Existing approaches to achieve this are often complex to engineer and can add significant overhead to the prover. We found a simpler way.

A standard first step is to commit to every message the prover sends using hiding cryptographic commitments, so the verifier sees commitments rather than values. The harder question is to prove that those hidden values would have passed the verifier’s checks. We express those checks as a small constraint system, just a few hundred constraints, since the verifier only performs a logarithmic number of operations. We then fold this constraint system iwith a random instance via Nova’s folding scheme. This step hides the underlying data, so the zero-knowledge overhead scales with this small constraint system, not the full secret data.

Proving once, presenting many times

A user who presents their credential to one website will likely present it again to another, and another. In a world where AI agents handle many of these interactions on a user’s behalf, the same credential may need to be presented dozens of times a day. The credential itself does not change between these presentations. What changes is the session nonce, a fresh random value from the verifier, and possibly the date or the predicate threshold.

Vega takes advantage of this structure by by splitting the prover’s secret data into three parts. The shared data (SHA-256 tables) and the precommitted part, such as the issuer signature and field locationsm are computed and committed once when the credential is first loaded. The online part, such as the device signature and  today’s date, is committed fresh each time. Before each proof, the precomputed commitments are refreshed with new randomness, which is cheaper than recomputing them and ensures that two proofs about the same credential cannot be linked.

Avoiding the parser

Another important part of Vega’s efficiency comes from how it handles the credential format. A mobile driver’s license is encoded in Concise Binary Object Representation (CBOR), and building a full CBOR parser as a circuit would be both complex and expensive. But we realized we do not actually need a parser. The credential bytes are signed by a trusted issuer, so we know they are well-formed. We only need to reach in and grab specific fields.

We treat the credential as a byte-addressable lookup table. The prover says, “the device public key starts at byte 847” and supplies the bytes. The circuit checks three things: that the bytes actually match the authenticated credential, that the right CBOR prefix appears at the start of the field so the prover cannot claim the wrong field, and that the addresses are contiguous so the prover cannot splice bytes from unrelated locations. This replaces an entire parser with a handful of lookups.

The same lookup idea powers length-hiding hashing, as described above: the circuit builds a table of all intermediate SHA-256 digests and picks the correct one at the point where the real message ends.

Device binding

A zero-knowledge credential proof is only useful if it is tied to the person holding the credential. Without device binding, someone who obtains a leaked credential could generate valid proofs for any session. This matters even more in a world of AI agents: if an agent can present a proof on behalf of a user, we need cryptographic assurance that the proof originated from the user’s device, not from an attacker or an unauthorized agent.

Vega addresses this by requiring the holder’s device to sign a fresh session nonce with the device private key, which is bound to the phone’s secure element. The circuit extracts the device public key from the credential via lookup and verifies the device signature over the session nonce hash. Because the device private key never leaves the secure hardware, possession of the signed credential alone is not sufficient to produce a valid proof.

Where this leads

Vega is implemented in Rust and will be open sourced soon. The proof system powering Vega is already available as the open-source spartan2 (opens in new tab) project on GitHub. The paper, joint work with Darya Kaviani, will be presented at the upcoming IEEE Symposium on Security and Privacy in San Francisco. 

While we focused on mobile driver’s licenses as a concrete and timely application, especially given emerging frameworks like the EU Digital Identity wallet, the proof system and circuit techniques are general. They apply to any credential format with a stable byte encoding and a digital signature.

We see several directions where the same primitive becomes increasingly important.

Agents carrying identity on behalf of humans. As autonomous AI agents begin acting on behalf of people, whether booking travel, interacting with services, or entering agreements, those agents will need to prove facts about the human they represent. For example, “my principal is over 18” or “my principal is a licensed physician.” The agent should be able to carry these proofs without ever holding the underlying credential. A zero-knowledge proof generated on the human’s device, bound to the agent’s session via device binding, lets the agent present identity signals without holding secrets.

Bridging off-chain identity to on-chain systems. Decentralized systems increasingly need real-world identity signals, such as KYC compliance, accredited investor status, and jurisdiction checks. Today, this is handled by uploading documents to a centralized intermediary, who then issues an on-chain attestation. The user loses privacy twice: once to the intermediary, and again on chain, where the attestation may be linkable across interactions. A ZKP over an off-chain credential could bridge this directly: the user proves a fact from their government-issued credential, and the on-chain verifier receives only the proof. No intermediary sees the credential, and rerandomization ensures repeated proofs are unlinkable.

As digital identity mandates expand and AI reshapes how humans and agents establish trust, the need for privacy-preserving credential verification will only grow. We see Vega as one step in a broader shift: from a world where proving a fact about yourself requires giving up your identity, to one where cryptography lets you keep it.

Opens in a new tab

The post Vega: Zero-knowledge proofs for digital identity in the age of AI appeared first on Microsoft Research.