ZKML: AI that's Verifiable, Private, and Right on Your Phone

Aug 28, 2025 6 Minute Read

Legacy AI processes often require the transfer of sensitive user data to the cloud—centralized servers run by entities promising protection from hackers, advertisers, and governments.

A different approach keeps the user’s data local, bringing the model to the device instead. There, zero-knowledge cryptography seals each AI computation in an envelope of integrity—preventing fraud against the network while protecting user privacy.

This blog post was adapted from a presentation given at the 2025 Berkeley RDI Summit on Decentralization and AI. You can watch the full presentation here.

World exists to keep humans special in the age of AI. This starts with giving individuals the ability to prove they are a unique human online — without revealing anything else about themselves. It’s about proving “what you are,” not “who you are.”

Of course, there are existing ways to demonstrate some measure of humanness; one could easily send their ID and selfies to a third party for cloud verification — as is increasingly popular due to new regulations in the UK, Texas and elsewhere.

Yet this common approach violates core principles at the heart of the World Network:

  • Anonymous: We want a system that can’t learn the identity of the verifying person.
  • ID-independent: Individuals shouldn’t need an ID to join the real human network. They should just need to be human, as some estimate that 50% of the world’s population does not have machine-readable IDs.
  • Globally inclusive: Anyone around the world should be able to access and participate.
  • High-fidelity: We need to be sure — at 1-in-10 billion precision — that someone is a unique person.

And of course, the network must also be maximally secure.

So, how does World manage all these values and constraints, even when they feel mutually exclusive?

Getting from A to B

It all starts with an image.

To verify as a unique human, a person visits a specialized camera called an Orb. The Orb takes photos of a person’s face and iris, which World then uses to determine humanness and uniqueness (using plenty of privacy rocket science). 

This ultimately produces the foundational property of World Network: one human, one verified World ID. It prevents spam and eliminates a kind of abuse commonly known as a Sybil attack.

https://x.com/TIME/status/1927319250517078232

The secure upgrade challenge

The key to this process is an AI model that converts a raw iris image into a unique binary string — what we call the iris code system. (Note that since early 2024, the protocol no longer stores iris codes and instead permanently encrypts them into fragments that appear statistically random. For simplicity, this blog post refers to iris codes and does not describe the steps of permanently anonymizing them.)

To scale this model to billions of humans, World must regularly update the model to stay secure and accurate. So how can we do this while keeping our promises on security and privacy?

There are three possible strategies, each with tradeoffs:

  • Send the user-custodied image from their phone to the cloud. We can’t trust a user device to always do the right thing. A malicious user could exploit their device — for example, by running software to generate false iris images — thereby breaking our one-human, one-account promise. Instead, we could rely on the Network’s own upgrade server. This means that World could upgrade the iris code for users in the cloud servers, as is common in other systems. This approach, however, violates our core privacy tenets: it forces individuals to upload their iris images to the cloud, where they could be copied or stolen.
  • Instead of sending data from the phone to the cloud, World could send the AI transformation from the cloud to the phone. In this case, the upgrade would happen on the person’s personal device, eliminating the need to send raw user data to the cloud. This guarantees privacy and provides a reasonable UX via a background process. Just one problem: There’s still the untrusted phone environment, leaving World open to abuse by malicious users — in short, a non-starter for network security.
  • To maximize privacy for individuals and security for World, we could require people to revisit an Orb to update their iris codes. This would close the loopholes of untrusted devices and cloud risks. But the cost is terrible UX — constant trips to an Orb are inconvenient and impractical at scale.

Sprinkle in cryptography

Luckily, cryptography can help us overcome this dilemma!

A straightforward approach involves homomorphic encryption: encrypt the data on the user’s phone, send it to the cloud, and transform the encrypted data with the upgraded iris code model directly. Unfortunately, this demands an impractical amount of computation — and because both the images and the final upgraded iris code remain encrypted, there’s no way to confirm they’re actual artifacts from the Orb.

Instead, we take the opposite approach: download the upgraded AI process to the user’s device and run the update entirely locally. It’s called zero-knowledge machine learning (ZKML).

We need a hero

Zero-knowledge cryptography is a computational method that proves something is true without revealing any other information about it (a mathematical magic trick!). In this case, we wrap the upgrade model itself in a zero-knowledge proof on the phone. Then, we send the proof back to the servers to demonstrate that the upgrade executed correctly.

Using this method, we get trustless security back from an untrusted environment, while maintaining users’ privacy. People know their data never leaves their phone, while the network is assured it hasn’t been compromised. It’s a perfect example of how bleeding-edge technology can pull the future forward and help World deliver services without compromising its values.

Just one question left to answer: Is it computationally feasible?

ZK on the phone?

While ZK remains a computationally intensive technique, it’s become significantly less so over the years. 

By employing a constellation of clever techniques, including the GKR protocol (which imitates the structure of machine learning layers by operating over layered arithmetic circuits), we see next-generation performance, especially compared to generic zero-knowledge virtual machines. 
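
GKR verifies a layered circuit by running the sum-check protocol once per layer. The Python below is an added example, not code from this post or from World's libraries: it runs sum-check on the multilinear extension of a small table and shows the verifier rejecting a false claim. The field modulus, function names and sample table are assumptions made for illustration.

```python
import secrets

P = 2**61 - 1  # prime field modulus, chosen for this example

def fold(table, r):
    """Fix the first variable of a multilinear table to the field element r."""
    half = len(table) // 2
    return [(table[j] + r * (table[j + half] - table[j])) % P for j in range(half)]

def mle_eval(table, point):
    """Evaluate the multilinear extension of `table` at `point`."""
    for r in point:
        table = fold(table, r)
    return table[0]

def sumcheck(table, claim, cheat=False):
    """Run prover and verifier in one loop; True means the verifier accepts
    the claim that sum(table) == claim (mod P)."""
    original, point = list(table), []
    while len(table) > 1:
        half = len(table) // 2
        # Prover: the round polynomial g is linear, so g(0) and g(1) describe it.
        g0, g1 = sum(table[:half]) % P, sum(table[half:]) % P
        if cheat:
            g0 = (claim - g1) % P  # dishonest prover bends g to fit the claim
        # Verifier: the message must be consistent with the running claim.
        if (g0 + g1) % P != claim % P:
            return False
        r = secrets.randbelow(P)          # verifier's random challenge
        claim = (g0 + r * (g1 - g0)) % P  # new claim: g(r)
        table = fold(table, r)            # prover binds the variable to r
        point.append(r)
    # Final check: one evaluation of the polynomial at the random point.
    # In GKR this evaluation becomes the claim about the next circuit layer.
    return claim == mle_eval(original, point)

# Constructed sample: 8 values standing in for one layer's outputs (2^3 entries).
TABLE = [3, 1, 4, 1, 5, 9, 2, 6]
TRUE_SUM = sum(TABLE) % P  # 31

def demo():
    return (sumcheck(TABLE, TRUE_SUM),                  # honest prover
            sumcheck(TABLE, TRUE_SUM + 1),              # wrong claim, honest messages
            sumcheck(TABLE, TRUE_SUM + 1, cheat=True))  # wrong claim, bent messages

if __name__ == "__main__":
    print(demo())
```

The bent-message case fails only at the final evaluation, which is why the verifier's single query at a random point is what carries the soundness.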

Newer hardware is helping too. Phone performance globally is improving quickly, meaning each day, more and more mobile devices can support computationally intensive processes like ZK proving.

The upshot is that we can update the iris code — in ZK — on the latest iPhones in under one minute as a background process, and within hundreds of megabytes of peak memory consumption. Those are shockingly impressive numbers. 

Of course, not everyone in the world has the latest iPhone or Android device. And a feature that benefits only the most privileged runs counter to our belief that everyone deserves privacy and security. Thankfully, even at today’s performance levels, World can serve over 90% of its existing global user base with the upgrade feature. To support the widest range of mobile environments, we’re taking advantage of:

  • The ability to trade off memory and runtime based on a person’s mobile hardware 
  • Checkpointing the ZK proof of correct execution so it can accumulate in small amounts every time a person opens World App
  • Using a small library so we don't exhaust the person’s data bandwidth

The big picture: moving to the edge

Many are understandably concerned about a future dominated by massive, centralized entities that aggregate our personal data and use it to influence our decisions, control access to services, or monetize our private lives without our consent. This is not the way.

Cryptography offers a different path. It enables systems that protect privacy, prove authenticity, and allow individuals to interact and transact without surrendering control over their personal information.

We are proud to be working on technologies that maximize data protections, and we’re stoked that bringing ZK proving to the edge may be yet another important step in that journey.

We look forward to sharing more about ZK iris code upgrades and our other ZK initiatives at World. In the meantime, please follow along for the open sourcing of our ZK libraries later this year.