How to Beat Deep Fakes (Part 1)

Published on: 
Jul 28, 2023

Misinformation and truth-distortion have been a part of humanity since the first Homo sapien gaslit another into swimming in a dangerous waterhole to test for crocodiles.

Realistic Deep Fakes reached a tipping point in 2020, crossing the uncanny valley into dangerous territory. Today’s AI technologies have pushed Deep Fakes over the edge, opening the door to a host of dystopian activities, including but not limited to:

AI-generated manipulation is an increasingly pervasive problem in today’s digital landscape. In addition to verifying provenance, the challenge of digital-content authentication is the ability to distinguish between legitimate and illegitimate editing.

Traditional signature algorithms, while useful for validating the origin and authenticity of multimedia, have limitations due to their dependence on a centralized third party such as editing software. This reliance makes them susceptible to exploitation and inhibits trustless editing, as they require trust in the editing software to confirm the correctness of edits.

A proficient hacker could extract the signing key from the editing software and create a valid signature for any image. AI has made these hacks easier than ever.


The application of Zero-Knowledge Proofs (ZKPs) can address these vulnerabilities and enhance the security and reliability of the editing process.

ZKP does not rely on sending digital signatures between parties. Rather, ZK proof-of-editing is done in a privacy preserving fashion such that edits can be kept private, making it a trustworthy method for updating digital works without casting doubt on their authenticity.

Zero-Knowledge Proofs

ZKP is a method to verify arbitrary computation without giving up the data used in that computation, making it a solution for privacy and trust in digital environments. ZKPs are protocols that allow one party (the Prover) to prove to another party (the Verifier) that a certain statement holds truth over some data, without revealing anything about the data itself.

In the context of deep fakes, the dispute is often whether the content is original or has been derived from malicious editing. In cases where origin can be established, it may be that the original content is sensitive and cannot be revealed publicly. A third possibility is that the original content is substantially large in size, and publicly verifying the authenticity requires significant computational overhead.

The properties of ZKP, namely completeness and soundness (an honest prover will always be able to convince the verifier, whereas a malicious prover has an exceedingly small probability of success) ensures the provenance. The Zero-Knowledge property allows the witness (the original content) to be kept private. Finally, with ZK-SNARKs, a family of ZK protocols the industry is leaning towards, we achieve small proof size and fast verifiability of the proof, making the overall process of verification both user and client-side friendly.

Credit: Roman Palkin

In the context of multimedia, digital signatures can be embedded as tamper-evident markers into images, audio, and video files. Any valid transformations of the image (which need to be defined carefully) must be accompanied by a proof of transformation (a ZKP), which attest to the validity of the applied transformation.

The unedited photo is not available to the public. The viewer only sees the edited photo, its metadata, and the Zero Knowledge proof. The “Zero-Knowledge” property ensures that the original photo is kept secret. This is desirable in cases where the original photo contains sensitive content that needs to be cropped out, or for formatting purposes (resizing, cropping, greyscaling, etc).

This stands in contrast to traditional solutions which protect the integrity of the file, but prevent anyone from making allowed and publicly-known transformations. ZKP adds a useful layer on top of digital signatures that enables authentic editing.

If the proof of transformation does not pass the verifiability test, one can conclude the transformation of the image is malicious. If the proof of transformation passes the verifiable test, one can conclude that the image was modified intentionally, the modifications are in the accepted list of transformations, and that there is no claim that the modified image is the original.

How it works

Here is what the process for creating Verified Media may look like:

  1. The media originator creates a hash of the original file. A hash function takes an input (or “message”) and returns a fixed-size string of bytes. The output (“digest”) is unique to each input. Even a small change to the input will produce such a drastic change in output that the new hash value won’t resemble the old one.
  2. Next, the media originator creates a digital signature over the hash value of the file. This representation includes a public digital signature and the hash value. Anyone can publicly verify the integrity of the digital signature given the hash value.
  3. Suppose a file exists that is under dispute regarding its authenticity, specifically whether it is a deep fake of the original. If the contested file is a legitimate modification (implying that the modifier has knowledge of or access to the private image), the modifier can generate a proof of computational integrity for the alleged modifications. This proof comprises the original digital signature, the altered file, the list of purported modifications, and a Zero-Knowledge Proof (ZKP), which serves as evidence of transformation.
  4. The verification process can be initiated when the Zero-Knowledge Proof (ZKP), or Proof of Transformation, the modified file, and the list of claimed modifications are provided. If the Proof of Transformation successfully passes the verification, it indicates that the contested file is not a deep fake and has been edited using the agreed-upon transformations. Conversely, if the ZKP fails to pass, it suggests that the contested file did not originate from the original source using the agreed transformations.

This process ensures that even if someone intercepts the file, they cannot alter it using “not agreed upon” transformations without the changes being detected.

The Future is Now

The winner of the recent ETH Global Hackathon in Paris was a talented team from the University of Oxford Blockchain Society who built a ZK microphone in just two days. This impressive feat resulted in a microphone that protects authenticity and privacy by ensuring trusted audio.

Using a type of ZKP called SNARK, the ZK microphone can prove that audio was indeed recorded on it and legitimate edits were made, proving authenticity while preserving privacy.

Zk-img is an efficient tool that uses Zero-Knowledge Proofs (ZK-SNARKs) to authenticate image edits while maintaining privacy. It can handle arbitrary transformations on high-definition images and supports the addition of new transformations. Notably, zk-img outperforms previous methods in speed, making it a viable solution against deep fakes.

Further guidelines and methods for using ZKP to fight disinformation have been proposed by leading researchers who suggest using in-camera anti-forgery technology to prove image provenance and freedom from tampering.

Recently, players in the audio/visual industry created C2PA, the Coalition for Content Provenance and Authenticity. This is an organization dedicated to developing industry standards for certifying the source of digital content. Zero-Knowledge Proofs can play an important role in these developments.

Credit: Roman Palkin

An upcoming technical blogpost will describe how one such ZK protocol for proving image transformations was designed and implemented.

Follow Ingonyama





Join us:

Written by

Table of Contents

Want to discuss further?

Ingonyama is commited to developing hardware for a private future using Zero Knowledge Proofs.

Get in touch
Get our RSS feed