CaptchaLa Blog

Appearance

Privacy-Preserving Proof of Human Authorship via Zero-Knowledge Process Attestation

Source: arXiv:2603.00179 · Published 2026-02-26 · By David Condrey

TL;DR

ZK-PoP is trying to solve a real tension in process attestation: the more behavioral evidence you collect to prove a human wrote something, the more you expose about that person’s identity, cognitive state, health, and habits. The paper’s core move is to move the attestation statement itself into zero knowledge, so a verifier can check that a writing session is human-consistent without seeing raw keystroke timings, intermediate drafts, or feature vectors. The scheme combines Groth16 for the main attestation statement, Pedersen commitments for behavioral features, and Bulletproof range proofs for per-feature bounds.

The result is a privacy-preserving attestation pipeline that the author claims is practical: 256-byte proofs, 8.2 ms verification, and proof generation under 30 seconds for a 1-hour session on an Apple M3. The evaluation also reports modest utility loss at a practical privacy level: at ε = 1.0, balanced accuracy drops from 97.1% for the non-private baseline to 94.2% for ZK-PoP. The paper is strongest as a systems/security construction paper: it gives a concrete circuit, explicit constraint counts, and a privacy/soundness story, while also acknowledging that marginal range checks alone do not fully capture richer behavioral structure.

Key findings

  • The basic ZK-PoP circuit is 77,259 R1CS constraints; the extended version is 154,212 constraints (Table I).
  • For a 1-hour session with 120 checkpoints, proof generation is 23.4 s on Apple M3 hardware and the proof size stays 256 bytes (Table III).
  • Single-proof verification takes 8.2 ms; batch verification takes 24.1 ms for 10 proofs and 187 ms for 100 proofs (Table IV).
  • At ε = 1.0, balanced accuracy is 94.2% versus 97.1% for the non-private baseline, a 2.9 percentage-point drop (Table VII).
  • At ε = ∞ (no DP), ZK-PoP still scores 96.8% balanced accuracy, only 0.3 points below baseline (Table VII).
  • The paper reports 3σ bounds with m = 12 features yield 94.2% accuracy at ε = 1.0; tighter 2σ bounds raise accuracy to 96.1%, while loosening to 4σ lowers it to 91.5% (Table VIII).
  • The authors state the basic Groth16 proving key is 27.4 MB, the verification key 1.1 KB, and peak prover memory 368 MB (Table VI).
  • The minimum leakage bound claims at α = 0.058, 1 - h(α) ≈ 0.68 bits, while a binary accept/reject attestation reveals 1 bit per checkpoint.

Threat model

The adversary is the author/prover controlling the writing environment and attempting to fabricate human-authorship evidence, replay or synthesize keystroke/edit traces, or link sessions. The verifier is honest-but-curious and may try to infer behavioral, temporal, or identity information from proofs. The adversary cannot break the Groth16 proof system, cannot find collisions in SHA-256 or Poseidon, and cannot violate the sequential memory-hardness of the Argon2id-based work function faster than honest sequential execution.

Methodology — deep read

The threat model is trust-inverted attestation: the author/prover is the adversary and fully controls the attesting environment (OS, input stream, timing, and evidence generation). The verifier is honest-but-curious and wants only to decide whether the session is human-consistent; the relying party consumes only accept/reject. The scheme assumes the adversary cannot break Groth16 soundness (q-PKE in the AGM), cannot find SHA-256/Poseidon collisions, and cannot beat the sequential/memory-hard properties of Argon2id-based sequential work functions. The privacy goal is stronger than “hide a few fields”: it explicitly targets behavioral privacy, temporal privacy, content privacy, and unlinkability across sessions.

The “data” here is not a classical labeled ML dataset used to train a model; it is the attestation evidence structure. Each session is broken into checkpoints (example: every 30 seconds), and each checkpoint carries public inputs (checkpoint hash h_i, SWF root R_i, previous hash h_{i-1}, claimed duration d_i, and population parameters μ, σ) plus private witness data (behavioral feature vector f_i, SWF intermediate states s_j, timestamps τ_i, randomness r_i, and a content diff hash δ_i). For privacy calibration and evaluation, the paper cites population distributions from Aalto (N = 168,000) and synthetic traces from ScholaWrite (N = 143); for autocorrelation analysis and adversarial evaluation, it cites KLiCKe with N = 300 writers for the lag-1 correlation estimate and N = 4,992 for stronger adversary classes. The paper does not fully specify train/test splits in the machine-learning sense because the main artifact is a proof system plus simulated attestation classification, not a learned classifier.

Architecturally, the core circuit C_PoP is a Groth16-friendly arithmetic circuit over a prime field with four constraint families. C1 checks SWF chain correctness only at a Fiat-Shamir-selected subset of k Merkle-sampled positions rather than verifying the entire chain in-circuit; the paper explicitly says a full SHA-256-in-circuit chain would be too large, so it uses a Poseidon Merkle tree for in-circuit verification and keeps the original sequential SHA-256/Argon2id chain out of circuit. C2 range-checks each committed behavioral feature against public population-derived bounds μ_j ± 3σ_j using Bulletproofs. C3 enforces monotonic timestamps and minimum inter-checkpoint spacing without exposing exact times, by proving the difference of two Pedersen-committed timestamps lies in a public interval. C4 binds content evolution by hashing h_i = SHA256(h_{i-1} || δ_i || Commit(f_i)), so each checkpoint cryptographically ties together prior state, edit delta, and the private behavioral commitment. One concrete end-to-end example: at a checkpoint, the author computes a Pedersen commitment C_j = g^{f_j} h^{r_j} for each behavioral feature, generates Bulletproof range proofs that each f_j sits within the allowed human band, hashes a sampled subset of SWF states into a Poseidon Merkle tree, proves those sampled transitions match the claimed SHA-256 chain, and finally wraps the whole statement into a single Groth16 proof that reveals only accept/reject.

The training regime is best understood as parameterization and benchmarking rather than model training. The paper says the Groth16 setup is performed once per population parameter set and amortized across users, and it uses BN254 for concrete instantiation (about 100-bit security). It does not report optimization epochs or stochastic training hyperparameters because there is no neural model in the main construction. Where there is a privacy-utility simulation, the paper evaluates at ε = ∞, 1.0, and 0.1, with feature dimensionalities m = 6, 12, 24 and bounds of 2σ, 3σ, and 4σ (Table VIII). The implementation is an arkworks Rust prototype (~4,200 lines) integrated with an open-source process attestation daemon, run on Apple M3 hardware for the headline timings, with a noted slowdown on an Intel i5-8250U.

Evaluation is multi-part: performance, circuit size, privacy utility, and adversarial robustness. Performance is reported as proof generation time versus session length (15 min / 1 h / 4 h), proof size, verification time, setup time, and memory. Privacy utility is measured as balanced accuracy on synthetic traces from ScholaWrite combined with Aalto population distributions, comparing ZK-PoP at different ε values to a non-private baseline. The paper also reports adversarial evaluations for several classes, including naive uniform-in-range sampling, distribution-matched attacks, cross-writer replay, and Markov-chain replay, and claims strong compounded rejection over many checkpoints. The paper is explicit that marginal 3σ feature checks are not enough to capture joint distributional structure; it notes that Mahalanobis-style joint tests could improve discrimination at roughly 2× circuit cost. Reproducibility is relatively good for a cryptographic systems paper: code and evaluation scripts are said to be available on GitHub, and the implementation details include the proving system, curve choice, proof size, and hardware used. However, the full text provided is truncated, so the adversarial-evaluation table and some appendix-level details are not visible here.

Technical innovations

  • A zero-knowledge formulation of process attestation that hides behavioral biometrics, timestamps, and intermediate content while still proving human-consistent authorship.
  • A hybrid proof design that uses Groth16 for the main attestation statement, Pedersen commitments for private feature vectors, and Bulletproof range proofs for bounded behavioral features.
  • A Merkle-sampled SWF verification strategy that avoids placing the full sequential SHA-256 chain inside the circuit while still binding sampled checkpoints to the claimed computation.
  • A temporal privacy gadget that proves minimum inter-checkpoint gaps using homomorphic Pedersen commitments instead of exposing exact timestamps.

Datasets

  • Aalto — 168,000 — public population distribution source cited for behavioral statistics
  • ScholaWrite — 143 — source cited for synthetic trace evaluation
  • KLiCKe — 300 writers (autocorrelation analysis) / 4,992 (adversarial evaluation) — source cited in paper

Baselines vs proposed

  • Non-private baseline: balanced accuracy = 97.1% vs proposed ZK-PoP (ε = ∞) = 96.8%
  • Non-private baseline: balanced accuracy = 97.1% vs proposed ZK-PoP (ε = 1.0) = 94.2%
  • Non-private baseline: balanced accuracy = 97.1% vs proposed ZK-PoP (ε = 0.1) = 89.7%
  • Single-proof Groth16 verification: 8.2 ms vs proposed: 8.2 ms
  • Batch verification (10 proofs): 3b pairing baseline implied by discussion vs proposed: 24.1 ms
  • Batch verification (100 proofs): 187 ms vs proposed: 187 ms

Limitations

  • The strongest privacy claims are per-checkpoint and circuit-level; the paper itself notes that joint distributional properties of behavior are not enforced, so marginal 3σ bounds can miss sophisticated forgeries.
  • The full paper text is truncated here, so some adversarial-evaluation details and any appendix proofs or parameter settings are not visible in the provided source.
  • The scheme relies on a Groth16 trusted setup per population parameter set, which introduces ceremony/maintenance complexity and setup trust assumptions.
  • The paper’s own utility numbers show non-trivial accuracy loss at stronger privacy settings (e.g., 94.2% at ε = 1.0 and 89.7% at ε = 0.1).
  • Content privacy is described as near-full rather than absolute in one place, because some replay/transcription defenses require post-verification edit-statistic disclosure.
  • The security analysis for session-level false acceptance uses a heuristic effective-sample-size correction for autocorrelation and explicitly says a formal justification for the multiplicative compounding remains open.

Open questions / follow-ons

  • Can the marginal range checks be replaced with efficient joint tests over behavioral feature correlations without blowing up the circuit size?
  • Can the scheme be upgraded from per-checkpoint Groth16 proofs to incremental verifiable computation or recursive SNARKs to reduce cumulative proving cost?
  • How does the construction behave under real distribution shift in writing behavior across languages, devices, accessibility tools, or long-term author drift?
  • Can the trust assumptions around per-population Groth16 setup be removed with a universal-setup system without unacceptable proof or verification overhead?

Why it matters for bot defense

For a bot-defense or CAPTCHA practitioner, the paper is interesting less as an anti-bot detector and more as a privacy-preserving evidence layer. It shows how to turn behavioral signals that are normally sensitive—typing cadence, revision structure, temporal regularity—into a verifiable claim without exposing the raw telemetry. That is relevant if you want to attest “this was authored through a human process” while minimizing retention of biometrics or reducing GDPR Article 9 exposure.

Operationally, though, the paper also highlights a familiar trap: proving a coarse human/non-human predicate with privacy does not automatically make the predicate robust. The author’s own evaluation suggests marginal behavioral bounds are vulnerable to more adaptive replay or distribution-matched attacks, and the scheme’s practical cost is on the prover side. A bot-defense team would likely treat this as a specialized attestation primitive to combine with other signals, not as a drop-in replacement for detection or risk scoring.

Cite

bibtex
@article{arxiv2603_00179,
  title={ Privacy-Preserving Proof of Human Authorship via Zero-Knowledge Process Attestation },
  author={ David Condrey },
  journal={arXiv preprint arXiv:2603.00179},
  year={ 2026 },
  url={https://arxiv.org/abs/2603.00179}
}

Read the full paper

Articles are CC BY 4.0 — feel free to quote with attribution

© 2026 CaptchaLa