Cryptographic Privacy
Vega brings zero-knowledge proofs to identity verification in under 100 ms
Vega enables users to prove facts from government IDs without revealing the credential itself, using ZKPs generated in under 100 ms on commodity hardware. It targets real-world formats like mobile driver's licenses and the EU Digital Identity Wallet, with a fold-and-reuse scheme that reduces proof cost for repeated presentations.

Vega is a zero-knowledge proof system that lets users prove facts from government-issued credentials, such as age, personhood, or professional status, without ever revealing the credential itself. The credential never leaves the device, and the proof is generated in under 100 milliseconds on a commodity client device with no trusted setup.
As AI agents begin acting on behalf of humans and interacting with decentralized systems, the need for fast, privacy-preserving ways to prove credentials will only grow. Vega's designers set out to answer a fundamental question: can we make it practical to prove something about a credential without ever revealing the credential itself?
How it works
Vega uses zero-knowledge proofs (ZKPs) to allow a user to prove a claim, such as "I am over 21," without revealing anything else. The proof works directly on the credential as issued, so the issuer does not need to change anything. The system draws on building blocks from prior research: Spartan for efficient R1CS proving without a trusted setup, Nova for folding schemes, HyperNova for zero-knowledge via NovaBlindFold, and NeutronNova for efficient batch folding.
Vega puts these building blocks together into a single proof system with a simple design. The circuit is built from a small number of standard components, with no exotic multi-field constructions and no trusted setup. On top of this foundation, Vega adds the ability to reuse work across multiple proofs of the same credential and a new way to achieve zero-knowledge with minimal overhead.
Performance benchmarks
Vega generates a zero-knowledge proof of age from a typical mobile driver's license, about 2 kilobytes (KB), in 92 ms on a commodity client device. The resulting proof is 108 KB and can be verified in 23 ms. For smaller credentials, proving drops to 62 ms, with 83 KB proofs and 17 ms verification. The prover key is 464 KB, fitting comfortably on any phone.
Fold-and-reuse proving
Vega's speed comes from two ideas: fold-and-reuse proving and lookup-centric circuit design. Instead of unrolling the entire SHA-256 hash, Vega defines one small "step" circuit that proves a single compression step, instantiated once per block. NeutronNova's folding scheme collapses them into a single instance. Spartan then only needs to prove a single step-sized circuit alongside a separate "core" circuit that handles the rest of the checks, including signature verification and age predicates.
To prevent length-based information leakage from varying credential sizes, all step circuits share a committed table of intermediate digests. The core circuit selects the appropriate digest using a private index.
Zero-knowledge made cheap
Vega achieves zero-knowledge with a simple approach: it commits to every message using hiding cryptographic commitments, then expresses verifier checks as a small constraint system, just a few hundred constraints, and folds it with a random instance via Nova's folding scheme. This hides the underlying data, so the zero-knowledge overhead scales with the small constraint system, not the full secret data.
Device binding and session linking
Without device binding, someone who obtains a leaked credential could generate valid proofs for any session. Vega addresses this by requiring the holder's device to sign a fresh session nonce with the device private key, which is bound to the phone's secure element. The circuit extracts the device public key from the credential via lookup and verifies the device signature over the session nonce hash.
For repeated presentations, Vega splits the prover's secret data into three parts: shared data (SHA-256 tables), precommitted data (issuer signature, field locations), and online data (device signature, date). Before each proof, precomputed commitments are refreshed with new randomness, which is cheaper than recomputing them and ensures two proofs about the same credential cannot be linked.
Avoiding the parser
Vega avoids building a full CBOR parser as a circuit by treating the credential as a byte-addressable lookup table. The circuit checks that the bytes match the authenticated credential, that the right CBOR prefix appears at the start of the field, and that addresses are contiguous. This replaces an entire parser with a handful of lookups.
Implications for identity and AI
Vega has implications beyond mobile driver's licenses. As autonomous AI agents begin acting on behalf of people, those agents will need to prove facts about the human they represent. A zero-knowledge proof generated on the human's device, bound to the agent's session via device binding, lets the agent present identity signals without holding secrets.
In decentralized systems, Vega could bridge off-chain identity to on-chain systems. A ZKP over an off-chain credential could prove a fact from a government-issued credential, and the on-chain verifier receives only the proof. No intermediary sees the credential, and rerandomization ensures repeated proofs are unlinkable.
Vega is implemented in Rust and will be open sourced soon. The proof system powering Vega is already available as the open-source spartan2 project on GitHub. A paper, joint work with Darya Kaviani, will be presented at the upcoming IEEE Symposium on Security and Privacy in San Francisco.