OpenAC consists of cryptographic proofs that prove information without revealing sensitive data.
Using zero-knowledge (ZK) proofs, he demonstrated verification times of “0.129 seconds.”
PSE, the Ethereum Foundation (EF) team that develops privacy-focused tools, introduced OpenAC, an open-source cryptographic design for issuing proofs representing “anonymous, transparent and lightweight” digital credentials.
The system, shared on X on November 29, is now operational for developers to implement in their projects.
OpenAC is a proposal for digital documents that they certify conditions or permissions of the user (such as being of legal age), but which can be presented through cryptographic evidence that does not reveal personal data.
Also, I would get that without leaving traces that allow users’ actions to be followed.
The PSE team stood out In the announcement the following about OpenAC:
OpenAC describes a zero-knowledge (ZK) proof-based identity construct designed to work with existing identity stacks and deliberately built to be compatible with the European Digital Identity Architecture and Reference Framework (EUDI ARF).
PSE team in X.
That means OpenAC is designed to integrate with already deployed identity systems, both public and private.
A design designed to integrate with existing identities
His white paper explains that OpenAC uses zero-knowledge proofs (ZK, zero-knowledge proofs), a cryptographic method that allows proving that an attribute is valid without revealing the original data that proves it.
In the context of digital identity, this allows a user displays a credential without exposing the entire document or allow a third party to track your usage history.
The operation of OpenAC is organized into three roles that intervene in the cycle of issuing and using a credential:
- Transmitter: the entity that creates and signs the credential: it can be a company, a state agency, a university or any institution that has the authority to certify data.
- User: saves that credential and produces the ZK test when requested.
- Checker: application or entity that needs to confirm that the test is valid, but without accessing the actual content of the document or obtaining additional information about the user’s identity.
For this scheme to work, the issuer must securely handle its cryptographic keys and sign only correct attributes.
OpenAC part of that initial confidence assumption– If the issuer certifies false information or if its private key is compromised, all credentials it issued become invalid.
The document also clarifies that OpenAC does not incorporate its own revocation mechanism. Therefore, if an issuer needs to invalidate a credential due to error or expiration, must rely on external systems.
This requirement introduces a point of dependency in the model, since the management of the revocation is in the hands of a third party.
According to PSE, those tools must be cryptographic lists that allow verifying whether a credential is still valid without revealing the identity of the holder or tracking their activities.
Possible implications for Ethereum
OpenAC would position Ethereum as a platform suitable for managing digital identities without sacrificing privacy, although the design requires components off-chain and depends on reliable issuers.
The possibility of issuing digital documents that cannot be traced and that work with international standards could open space for applications such as educational records, administrative permits, professional certifications or access to services that require validation without exposing identity.
How does OpenAC prevent a credential from being traced?
So that a credential cannot be linked between different uses, each time the user presents it must generate a completely different test.
If two pieces of evidence repeat some value, a verifier might realize that they both come from the same person, even if they don’t know who it is.
To avoid this possible link, OpenAC forces the user or the application that manages the credential incorporate random seeds into each presentation. This randomization would ensure that two tests on the same attribute look completely different.
Implementation and practical limits for OpenAC
The generation of OpenAC tests happens off-chain (off-chain).
That means all the heavy computing (creating the cryptographic proof that proves an attribute without revealing data) is done on the user’s device or in an external applicationand not within Ethereum.
By avoiding executing this process on the network, the cost is reduced and saturation of the chain is avoided.
The verification of the test, on the other hand, can be done either outside the chain as inside a smart contract. Here’s why PSE describes these credentials as “lightweight”: the team reported a verification time of “0.129 seconds,” making the system manageable for applications that require quick responses.
Anyway, performance will depend on hardware. On devices with less capacity or in highly loaded scenarios, times may increase.
The design seeks to minimize the information that reaches Ethereum, but OpenAC still needs additional components to operate in real environments.
Issuers are required to manage keys, wallets to support the credential format, and external systems to manage mechanisms such as revocation.
Without that infrastructure, the scheme cannot be deployed at scale.