Where Verification Must Not Require Revelation
These scenarios share a structural requirement: proving facts about identity without disclosing the data behind them. The cryptographic primitives are the same across all of them; what varies is the fact being proved and the consequences of a privacy failure.
Architectural properties
Four decouplings that traditional identity systems cannot achieve. Each one breaks a different link between knowing data and using it.
Verification Without Collection
Zero-knowledge proofs, generated client-side, verify facts about identity data without transmitting the data itself. The verifier learns the answer. The prover keeps the inputs. A compromised server cannot extract what it never received.
Enables: Age gates, sanctions screening, liveness attestation
Computation Without Decryption
Fully homomorphic encryption lets the server re-screen encrypted nationality and date-of-birth values against updated sanctions lists without decrypting. Unlike ZK proofs, FHE handles list updates without any user action.
Enables: Perpetual screening, encrypted re-evaluation, ongoing compliance
Authentication Without Identification
Pairwise identifiers give each service a unique pseudonym for the same user. Service A and Service B cannot determine they deal with the same person, even if they compare records. Cross-service correlation is mathematically impossible.
Enables: Cross-platform SSO, unlinkable logins, anti-surveillance
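One common way to derive pairwise identifiers, following the pairwise subject algorithm in OIDC Core section 8.1 but with a keyed HMAC. This is an added example, not Zentity's code, and the page does not state its actual derivation. The key, account ID and redirect URIs are constructed sample values.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed placeholder key; a real provider would hold this in an HSM/KMS.
PROVIDER_KEY = bytes.fromhex("00" * 32)


def sector_identifier(redirect_uris):
    """Host shared by all of a client's redirect URIs (OIDC Core 8.1)."""
    hosts = set()
    for uri in redirect_uris:
        parts = urlsplit(uri)
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError(f"redirect URI must be absolute https: {uri!r}")
        hosts.add(parts.hostname.lower())
    if len(hosts) != 1:
        # Clients spanning several hosts must register a sector_identifier_uri.
        raise ValueError("redirect URIs span multiple hosts")
    return hosts.pop()


def pairwise_sub(key, local_account_id, redirect_uris):
    """Per-service pseudonym: stable for one service, unrelated across services."""
    sector = sector_identifier(redirect_uris).encode()
    account = local_account_id.encode()
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in (sector, account))
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def linkable(records_a, records_b):
    """What two services comparing records can do: intersect stored subs."""
    return set(records_a) & set(records_b)
```

Without the provider key, the two services' `sub` values for the same account share nothing to join on, so `linkable` returns an empty set.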
Custody Without Exposure
All sensitive data is encrypted with keys derived from the user's own credential: passkey, password, or wallet signature. The server stores encrypted blobs it cannot decrypt. A breach yields ciphertexts that are useless without the user's credential.
Enables: Breach immunity, credential-wrapped storage, user sovereignty
Two integration paths, one set of primitives
The same cryptographic architecture serves applications with no existing verification and applications with established providers. The primitives are identical; the verification source differs.
Full-stack verification
For applications without existing identity verification. Zentity handles document OCR, liveness detection, face matching, proof generation, and credential delivery. The relying party integrates via OAuth 2.1.
Proof layer
The same cryptographic primitives work over externally-verified identity. When a trusted provider verifies identity, Zentity generates zero-knowledge proofs over those signed claims and delivers them via OIDC. The relying party receives proofs instead of raw identity data. The verification provider never learns which service requested the proof.
Where this applies
Each scenario requires a different combination of the same primitives. Scenarios are ordered by adoption signal strength.
Age Verification
A retailer, platform, or regulator needs to know "old enough." A threshold proof answers the question without creating the liability. The verifier learns the answer and nothing else.
Three jurisdictions enforcing simultaneously in 2026
Agent Delegation
AI agents request approval via CIBA push notifications. The human reviews the specific action on their device and unlocks their vault to release identity one time.
88% of orgs report AI agent security incidents
Bot-Proof Platforms
Sybil-resistant nullifiers confirm a unique, live human acted without learning which human. Pairwise pseudonyms prevent cross-platform tracking.
AI-driven fraud up 180%, deepfakes pass live interviews
Zero-Knowledge SSO
Standard OIDC redirect with pairwise pseudonyms and ZK proofs instead of PII in tokens. Each service sees a unique identifier; the identity provider cannot track which services the user visits.
Passkey adoption up 412%, zero phishing on passwordless
Verifiable Credentials
After verification, users receive portable credentials they own. Selective disclosure lets them reveal only the claims each service needs, and holder binding prevents transfer or theft.
OID4VCI self-certification launched Feb 2026, 38 jurisdictions
Step-Up Authentication
Viewing a balance needs basic login; wiring funds needs document-verified identity. One OAuth scope model.
Industry shift from binary auth to continuous trust
Encrypted AML Screening
FHE screens encrypted nationality and DOB against sanctions lists. A breach yields only ciphertexts.
AMLA enforcing directly, Travel Rule fines hitting €12M
Protocol Distribution
A single verification distributes to every connected service through standard OAuth. Any application that supports OIDC can consume attestations without custom integration or cryptography code.
Reusable identity is the dominant market narrative
On-Chain Compliance
fhEVM evaluates rules against encrypted identity attributes on-chain. Failed checks stay private.
MiCA transitions expiring, DeFi facing 'same risk, same rule'
Cross-Platform Reputation
A freelancer demonstrates verified identity and strong track record across platforms without those platforms being able to correlate the presentations.
1.5B decentralized identities projected for 2026
Incremental Verification
Each document is a discrete attestation that coexists with prior ones. A new passport supplements rather than replaces, and services see only what they explicitly request.
Progressive verification now expected as table stakes
Jurisdiction Membership
An exchange needs "eligible jurisdiction." Merkle proofs verify group inclusion (EU, Schengen, EEA) without revealing the specific country. The exchange learns the answer, not which member.
MiCA country-by-country transitions create immediate need
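The Merkle inclusion check behind a group-membership proof, as an added example that is not Zentity's code. It runs in the clear, so this verifier sees the country; in the scheme described above the same check would sit inside a zero-knowledge circuit with the leaf and path as private inputs and only the root public. The country list is a constructed sample, not a complete membership list.

```python
import hashlib

# Constructed sample set for the example.
SAMPLE_GROUP = ["AT", "BE", "DE", "ES", "FR", "IT", "NL"]

# Padding uses its own domain tag so no country code can hash to it.
PAD = hashlib.sha256(b"\x02pad").digest()


def _leaf(code):
    # 0x00 prefix separates leaves from interior nodes.
    return hashlib.sha256(b"\x00" + code.encode()).digest()


def _node(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_levels(codes):
    """All tree levels, leaves first; the root is levels[-1][0]."""
    level = [_leaf(c) for c in sorted(set(codes))]
    while len(level) & (len(level) - 1):  # pad to a power of two
        level.append(PAD)
    levels = [level]
    while len(level) > 1:
        level = [_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def prove(levels, code):
    """Sibling path for a member; raises ValueError for a non-member."""
    index = levels[0].index(_leaf(code))
    path = []
    for level in levels[:-1]:
        path.append((level[index ^ 1], index & 1))
        index >>= 1
    return path


def verify(root, code, path):
    """Recompute the root from the leaf and its siblings."""
    acc = _leaf(code)
    for sibling, is_right in path:
        acc = _node(sibling, acc) if is_right else _node(acc, sibling)
    return acc == root
```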
Identity Without Documents
Biometric verification and NGO-signed attestations establish identity without government documents. FROST threshold key recovery ensures the person retains control even after losing a device.
1 billion people globally lack government-recognized ID
Anonymous Civic Participation
ZK proofs of eligibility with sybil-resistant nullifiers guarantee one vote per person, unlinkable to identity.
Pilots in 5+ countries, 72% satisfaction in Israel trial
Lifecycle and resilience
How the architecture holds up over time and under attack.
| Capability | Traditional Identity | Zentity |
|---|---|---|
| Prove a fact without revealing data | Requires sharing PII to prove anything | ZK proofs verify without disclosure |
| Re-screen without storing data | Must retain PII for ongoing compliance | FHE computes on encrypted data |
| Verify once, use across services | Re-verify per provider, results siloed | Single verification distributed via OAuth |
| Prevent cross-service tracking | Same email or ID used everywhere | Pairwise identifiers per service |
| Prove human presence | CAPTCHAs, increasingly defeated by AI | Passkey signatures require physical hardware |
| Share selectively | All-or-nothing data release | Granular control over each claim |
| Erase completely | Data scattered across many services | Deleting the credential orphans all data |
| Resist quantum attacks | Classical cryptography only | ML-KEM-768, ML-DSA-65 (NIST FIPS 203/204) |
Breach Yields Nothing
Credential-wrapped key custody and FHE ciphertexts mean a server breach exposes no usable data. The server never possesses the decryption keys.
Post-Quantum Durability
Recovery keys use ML-KEM-768. Credential signing uses ML-DSA-65. Identity data has a longer useful lifetime than most encrypted data, making harvest-now-decrypt-later attacks the primary threat.
Erasure by Deletion
Deleting the user's credential orphans all encrypted data. No administrator backdoor — recovery uses FROST threshold guardian signatures (no single key). GDPR right to erasure as an architectural property.
Integrate verification without collection into your stack
Start with the demo to see the full verification flow, then integrate via standard OAuth 2.1.