Public blockchains impose an inherent tension between regulatory compliance and user privacy. Existing on-chain identity solutions require centralized KYC attestors, specialized hardware, or Decentralized Identifier (DID) frameworks needing entirely new credential infrastructure. Meanwhile, over four billion active X.509 certificates constitute a globally deployed, government-grade trust infrastructure largely unexploited for decentralized identity. This paper presents zk-X509, a privacy-preserving identity system bridging legacy Public Key Infrastructure (PKI) with public ledgers via a RISC-V zero-knowledge virtual machine (zkVM). Users prove ownership of standard X.509 certificates without revealing private keys or personal identifiers. Crucially, the private key never enters the ZK circuit; ownership is proven via OS keychain signature delegation (e.g., macOS Secure Enclave, Windows TPM). The circuit verifies certificate chain validity, temporal validity, key ownership, trustless CRL revocation, blockchain address binding, and Sybil-resistant nullifier generation. It commits 13 public values, including a Certificate Authority (CA) Merkle root hiding the issuing CA, and four selective disclosure hashes. We formalize eight security properties under a Dolev-Yao adversary with game-based definitions and reductions to sEUF-CMA, SHA-256 collision resistance, and ZK soundness. Evaluated on the SP1 zkVM, the system achieves 11.8M cycles for ECDSA P-256 (17.4M for RSA-2048), with on-chain Groth16 verification costing ~300K gas. By leveraging certificates deployed at scale across jurisdictions, zk-X509 enables adoption without new trust establishment, complementing emerging DID-based systems.
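The abstract lists what the circuit checks (chain validity, validity window, hidden CA-set membership, CRL status, key ownership bound to a blockchain address, a nullifier, selective disclosure hashes) but not how the pieces fit. The following is an added clear-model checker of that statement, written for this page and not taken from the paper or its SP1 guest program: certificates and CRLs are simplified records rather than DER X.509, the ECDSA is a textbook P-256 implementation, and the domain tags, the nullifier derivation, the salted disclosure commitments, the four disclosed subject fields and the subset of public values returned are all assumptions of this example. It runs offline on constructed keys and certificates.

```python
import hashlib

def sha256(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

# --- textbook ECDSA over P-256 (affine arithmetic, not constant-time; illustration only) ---
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def ec_add(p1, p2):
    if p1 is None or p2 is None: return p1 or p2            # None is the point at infinity
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) if p1 == p2 else (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):                                          # double-and-add
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def sign(priv: int, msg: bytes):
    z = int.from_bytes(sha256(msg), "big") % N
    k = int.from_bytes(sha256(priv.to_bytes(32, "big"), msg), "big") % N or 1   # simplified deterministic nonce
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return (r, min(s, N - s))                                # low-s form removes the (r, N-s) malleability

def verify(pub, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < N and 0 < s <= N // 2): return False     # reject high-s: strong unforgeability (sEUF-CMA)
    z = int.from_bytes(sha256(msg), "big") % N
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

# --- simplified certificate, CRL and CA Merkle set (stand-ins for the DER X.509 structures) ---
def tbs(cert) -> bytes:                                     # stand-in for the TBSCertificate bytes
    return repr([cert[f] for f in ("subject", "serial", "not_before", "not_after", "pub", "issuer_pub")]).encode()
def issue(issuer_priv, issuer_pub, subject, serial, not_before, not_after, pub):
    cert = dict(subject=subject, serial=serial, not_before=not_before, not_after=not_after, pub=pub, issuer_pub=issuer_pub)
    return {**cert, "sig": sign(issuer_priv, tbs(cert))}
def make_crl(ca_priv, revoked_serials):
    body = repr(sorted(revoked_serials)).encode()
    return {"revoked": frozenset(revoked_serials), "body": body, "sig": sign(ca_priv, body)}

def merkle_tree(leaves):                                    # list of levels, leaves first, root last
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        lvl = levels[-1] + levels[-1][-1:] * (len(levels[-1]) % 2)   # duplicate the last node on odd levels
        levels.append([sha256(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels
def merkle_proof(levels, idx):
    proof = []
    for lvl in levels[:-1]:
        lvl = lvl + lvl[-1:] * (len(lvl) % 2)
        proof.append((lvl[idx ^ 1], idx & 1))              # (sibling hash, leaf-is-right-child)
        idx //= 2
    return proof
def merkle_verify(leaf, proof, root) -> bool:
    for sib, is_right in proof:
        leaf = sha256(sib, leaf) if is_right else sha256(leaf, sib)
    return leaf == root

def need(ok, why):
    if not ok: raise ValueError(why)

# --- the statement: every check the circuit must pass before it emits its public values ---
def prove_statement(leaf, ca, ca_levels, ca_idx, crl, now, address, challenge_sig, salt):
    need(leaf["issuer_pub"] == ca["pub"] and verify(ca["pub"], tbs(leaf), leaf["sig"]), "leaf not signed by CA")
    need(verify(ca["pub"], tbs(ca), ca["sig"]), "CA certificate not self-signed")
    need(all(c["not_before"] <= now <= c["not_after"] for c in (leaf, ca)), "outside validity window")
    root = ca_levels[-1][0]
    need(merkle_verify(sha256(repr(ca["pub"]).encode()), merkle_proof(ca_levels, ca_idx), root), "CA not in trusted set")
    need(verify(ca["pub"], crl["body"], crl["sig"]) and leaf["serial"] not in crl["revoked"], "revoked, or CRL not from CA")
    need(verify(leaf["pub"], sha256(b"zk-x509-bind", address), challenge_sig), "key ownership / address binding failed")
    return {                                                # public values (a subset of the paper's 13; assumed encoding)
        "ca_merkle_root": root, "timestamp": now, "address": address, "crl_hash": sha256(crl["body"]),
        "nullifier": sha256(b"zk-x509-null", sha256(tbs(leaf))),     # same certificate -> same nullifier
        "disclosures": {k: sha256(b"zk-x509-disc", salt, k.encode(), v.encode()) for k, v in leaf["subject"]},
    }

def demo(revoke=False, clock_skew=0, now=1_700_000_000):
    ca_priv, user_priv = (int.from_bytes(sha256(s), "big") % N for s in (b"demo CA key", b"demo user key"))  # constructed
    ca_pub, user_pub = ec_mul(ca_priv, G), ec_mul(user_priv, G)
    ca = issue(ca_priv, ca_pub, (("CN", "Example Gov Root CA"),), 1, now - 10**8, now + 10**8, ca_pub)
    leaf = issue(ca_priv, ca_pub, (("CN", "Alice"), ("O", "Example Ministry"), ("OU", "Citizens"), ("C", "XX")),
                 4242, now - 10**6, now + 10**6, user_pub)
    trusted = [ec_mul(7, G), ca_pub, ec_mul(11, G)]          # accepted-CA set; ours is index 1 and stays hidden
    levels = merkle_tree([sha256(repr(pk).encode()) for pk in trusted])
    crl = make_crl(ca_priv, {leaf["serial"]} if revoke else {9001})
    address = bytes.fromhex("00" * 12 + "deadbeef" * 2)      # constructed 20-byte address
    challenge_sig = sign(user_priv, sha256(b"zk-x509-bind", address))   # in the paper the OS keychain produces this
    return prove_statement(leaf, ca, levels, 1, crl, now + clock_skew, address, challenge_sig, b"user-chosen-salt")
```

Three details carry over to any real implementation of the statement. The verifier only ever sees the Merkle root, so the issuing CA stays hidden among every CA in the accepted set; the set itself must be public and pinned. The nullifier is derived from the certificate alone, so two proofs from one certificate collide, which is the Sybil resistance the abstract refers to, and the private key is only used outside the checker to sign the address-bound challenge. Low-s enforcement is what makes textbook ECDSA strongly unforgeable, matching the sEUF-CMA reduction the abstract cites; without it, anyone can flip a valid signature into a second valid one. This example omits CRL freshness (thisUpdate/nextUpdate), which a production circuit must also check against the committed timestamp.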