(2025-12) DNS-Anchored zk-SNARK Proofs; A Stateless Alternative to ACME Challenge-Response for Domain Control Validation
2025-12-29
Domain Control Validation (DCV) is the cornerstone of trust on the web, serving as the prerequisite for issuing TLS certificates and asserting identity. The current industry standard, the Automated Certificate Management Environment (ACME) protocol, relies on synchronous, interactive challenge-response mechanisms (e.g., HTTP-01) that necessitate active server infrastructure and open network ports. This architectural requirement imposes significant friction on modern serverless, static, and air-gapped deployments, often forcing the exposure of sensitive infrastructure solely for validation purposes.
This paper presents the Portable Trust eXtensible (PTX) protocol, a novel mechanism for asynchronous, non-interactive DCV. PTX decouples the assertion of control from the delivery mechanism by utilizing Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge (zk-SNARKs). We introduce a circuit design that cryptographically binds a set of ephemeral secrets (a nullifier and secret key) to a scoped metadata payload—containing audience restrictions and expiration parameters—anchored to the public DNS via a lightweight TXT record.
This approach eliminates the need for an active web server during validation. A prover generates a self-contained, portable, and purely stateless proof artifact that can be verified client-side by any relying party, with revocation handled via O(TTL) DNS record deletion. We implement a reference toolchain using the Groth16 proving system and the Poseidon hash function, achieving a circuit complexity of just 1,756 constraints and sub-15ms verification times on consumer hardware. Our security analysis demonstrates that PTX effectively mitigates replay attacks through context-commitment public inputs while offering a privacy-preserving alternative to interactive DCV for identity assertions in decentralized environments.