Even though this is a zero-knowledge protocol (seems very similar to Schnorr's protocol), there is still a possibility of performing an offline dictionary attack against the ledger.
Given the registration sequence from the whitepaper:
KeyGen (secret) computes x = H(secret) and outputs Pub = g^x
Assuming H() is a hashing function (and the salt for the user is public), and g is a generator of some kind of cyclic group (ECC over a finite field in this case), an offline attack consists of hashing a list of passwords and using the hash of each one and the generator point g to create a new point. If the password matches, then the hash will match, and if the hash matches, then the public point will match, thus verifying that you do indeed have the correct secret which yields that point (public key).
Despite being zero-knowledge, there is still risk of being able to guess and check if a password returns an equivalent point. This is only as much of a risk as the password hash itself is, so the common approach is to use scrypt with a high CPU/memory coefficient to increase the amount of time and resources required to guess and check each hash, but it is not a foolproof method of course, just a deterrent.
Tbh I can't even read Clojure... so I have little to no idea of what's going on at a technical level. I just have concerns over being able to guess and check a credential which is public. Thoughts?
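As an added example (not code from the issue, the whitepaper or the project), a toy model of the KeyGen step above and the offline guess-and-check it enables, with scrypt as the hardened H the issue suggests; the modulus, generator, salt and wordlist are constructed assumptions standing in for the project's ECC group and real inputs.

```python
# Added example, not the project's code: models Pub = g^x with x = H(secret)
# in a toy multiplicative group mod a prime (an assumption in place of the
# ECC group), and shows (a) why a password-derived public key can be checked
# offline by anyone holding Pub and the salt, and (b) how swapping H for a
# memory-hard KDF raises the cost of every single guess.
import hashlib

P = 2**127 - 1   # constructed toy modulus (Mersenne prime), not production-sized
G = 3            # assumed generator of the toy group

def h_fast(salt: bytes, secret: bytes) -> int:
    """Plain hash as H: one cheap SHA-256 per guess."""
    return int.from_bytes(hashlib.sha256(salt + secret).digest(), "big") % (P - 1)

def h_scrypt(salt: bytes, secret: bytes) -> int:
    """scrypt as H: every guess costs 128 * r * n bytes of memory (16 MiB here)
    plus the corresponding time, which is what slows a wordlist down."""
    d = hashlib.scrypt(secret, salt=salt, n=2**14, r=8, p=1, dklen=32)
    return int.from_bytes(d, "big") % (P - 1)

def keygen(secret: bytes, salt: bytes, H=h_fast) -> int:
    """KeyGen(secret) from the whitepaper: x = H(secret), Pub = g^x."""
    return pow(G, H(salt, secret), P)

def guessable_from(pub: int, salt: bytes, wordlist, H=h_fast):
    """Audit helper: return the wordlist entry that reproduces pub, or None.
    This is exactly the offline check the issue describes: the verifier needs
    only the public point and the public salt, never an interaction with the
    ledger. Running it over a small breached-password list against your own
    published keys shows how exposed a weak secret is under a given H."""
    for candidate in wordlist:
        if keygen(candidate, salt, H) == pub:
            return candidate
    return None

if __name__ == "__main__":
    salt = b"public-salt"                      # constructed; salt is public per the issue
    pub = keygen(b"hunter2", salt)             # a weak secret registered with plain H
    print("recovered:", guessable_from(pub, salt, [b"letmein", b"hunter2"]))
    pub_hard = keygen(b"hunter2", salt, h_scrypt)
    print("recovered (scrypt, same tiny list):",
          guessable_from(pub_hard, salt, [b"letmein", b"hunter2"], h_scrypt))
```

The second run still succeeds on a two-word list; the point is that each call to h_scrypt costs far more than h_fast, so a realistic wordlist becomes expensive rather than impossible, which is the "deterrent, not foolproof" distinction the issue draws.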