Ethereum launches OpenAC: digital credentials with total privacy through zero-knowledge proofs

Source: Criptonoticias Original Title: Ethereum launches OpenAC, digital credentials that leave no traces Original Link:

OpenAC: Anonymous Digital Credentials on Ethereum

PSE, the team from the Ethereum Foundation (EF) dedicated to the development of privacy-focused tools, presented OpenAC, an open-source cryptographic design to issue proofs representing anonymous, transparent, and lightweight digital credentials.

The system, publicly shared on November 29, is already operational for developers to implement in their projects.

What is OpenAC?

OpenAC is a proposal for digital documents that certify user conditions or permissions ( such as being of legal age ), but which can be presented through cryptographic proofs that do not reveal personal data. Furthermore, it would achieve this without leaving traces that allow tracking user actions.

The PSE team highlighted that OpenAC describes an identity construction based on zero-knowledge proofs (ZK) designed to work with existing identity stacks and deliberately created to be compatible with the European Digital Identity Framework and Architecture (EUDI ARF). This means that OpenAC is designed to integrate with already implemented identity systems, both public and private.

How OpenAC Works

OpenAC uses zero-knowledge proofs (ZK), a cryptographic method that allows proving that an attribute is valid without revealing the original data that proves it. In the context of digital identity, this allows a user to present a credential without exposing the complete document or allowing a third party to track their usage history.

The operation of OpenAC is organized into three roles:

• Issuer: the entity that creates and signs the credential (company, government agency, university, or other institution with the authority to certify a data ).
• User: stores the credential and produces the ZK proof when requested.
• Verifier: application or entity that needs to confirm that the proof is valid, but without accessing the actual content of the document or obtaining additional information about the user's identity.

Trust and Revocation Assumptions

For this scheme to work, the issuer must securely handle their cryptographic keys and only sign correct attributes. OpenAC is based on that initial trust assumption: if the issuer certifies false information or if their private key is compromised, all credentials they issued become invalid.

OpenAC does not incorporate its own revocation mechanism. Therefore, if an issuer needs to invalidate a credential due to error or expiration, they must rely on external systems. According to PSE, these tools must be cryptographic lists that allow verification of whether a credential is still valid without revealing the identity of the holder or tracking their activities.

Tracking Prevention

In order for a credential not to be linkable across different uses, every time the user presents it a completely different proof must be generated. If two proofs repeat any value, a verifier could realize that both come from the same person.

To avoid that possible linkage, OpenAC requires that the user or the application managing the credential incorporates random seeds in each presentation. This randomization ensures that two tests on the same attribute appear completely different.

Practical Implementation

The generation of OpenAC proofs occurs off-chain (off-chain). This means that all the heavy computation is performed on the user's device or in an external application, and not within Ethereum. By avoiding running that process on the network, costs are reduced and network congestion is avoided.

Verification of the proof can be done both off-chain and within a smart contract. The PSE team reported a verification time of 0.129 seconds, making the system manageable for applications requiring quick responses. However, performance will depend on the hardware. On devices with less capacity or in scenarios with heavy load, times may increase.

Implications for Ethereum

OpenAC would position Ethereum as a platform capable of handling digital identities without sacrificing privacy, although the design requires off-chain components and relies on trusted issuers.

The possibility of issuing digital documents that cannot be tracked and that operate with international standards could open up space for applications such as educational records, administrative permits, professional certifications, or access to services that require validation without exposing identity.

Limitations and Infrastructure Requirements

The design aims to minimize the information that reaches Ethereum, but still OpenAC needs additional components to operate in real-world environments. Emitters that handle keys, wallets that support the format of credentials, and external systems that manage mechanisms such as revocation are required. Without that infrastructure, the scheme cannot be deployed at scale.