RFP: zkPassport

[teddyjfpender]

RFC-0001: ZKPassport

• Intent: To establish a standard protocol for generating identity-related attestations from a Mina wallet, enhancing digital identity systems' trust and integrity while safeguarding user privacy.
• Reference RFC: RFC-0010
• Submitted by: @chad11111
• Submitted on: July 9, 2024

Abstract

This proposal introduces ZKPassport, a protocol designed to generate identity-related attestations from a Mina wallet. By enabling users to prove the validity of their identity attributes without disclosing underlying data, ZKPassport enhances the privacy and security of digital interactions. This protocol is applicable across various domains such as finance, healthcare, and online services, providing a robust framework for decentralized identity verification and helping ZKApps defend against sybil attacks.

Introduction

The ZKPassport protocol addresses the challenge of maintaining user privacy while verifying identity attributes. Current digital identity systems often require revealing sensitive information, which can compromise user privacy. ZKPassport leverages zero-knowledge proofs (ZKPs) to allow users to prove the validity of their identity attributes without disclosing the underlying data.

Objectives

• To create a standard protocol for generating identity-related attestations from a Mina wallet.
• To enable users to prove identity attributes without disclosing sensitive data.
• To enable scanning / reading of users documents in a secure way.
• To provide a robust framework for decentralized identity verification.

Motivation and Rationale

Current digital identity systems face several challenges, including:

• Privacy Concerns: Users are often required to disclose sensitive information, compromising their privacy.
• Security Risks: The exposure of personal data increases the risk of identity theft and fraud.
• Compliance: Ensuring compliance with varying local regulations can be complex.

ZKPassport addresses these challenges by enabling zero-knowledge proofs for identity verification, ensuring that users can prove their identity attributes without revealing sensitive information. This approach aligns with the goals of enhancing privacy, security, and compliance within the Mina ecosystem.

Scenarios and Use Cases

Age Verification for Online Services

Aspect	Description
Description	A zkApp requires users to verify their age to access age-restricted content or services.
Requirements	Implementation of zkPassport to verify age without disclosing the date of birth.
Expected Outcome	Users can access age-restricted services by proving they meet the age requirement without revealing their exact age or date of birth.
Impact Analysis	Enhances user privacy while ensuring compliance with age-restriction regulations for online services.

Financial Identity Verification

Aspect	Description
Description	A DEX requires users to verify their identity to comply with KYC (Know Your Customer) regulations.
Requirements	Implementation of zkPassport for KYC verification without disclosing sensitive personal data.
Expected Outcome	Users can comply with KYC requirements by proving their identity without revealing sensitive information.
Impact Analysis	Reduces the risk of identity theft and fraud, enhancing the security of financial transactions while maintaining user privacy.

Open Issues and Discussion Points

• Circuit Implementation: Determining whether to use a single circuit supporting multiple functions or separate circuits for each country.
• Merkle Tree Storage: Ensuring high uptime, free access, and decentralization for the Merkle tree.
• Compliance: Addressing varying local regulations and ensuring the protocol meets compliance requirements.

Appendices

ICAO Specification

For detailed information on the data accessible via Biometric passports, refer to the ICAO specification.

Public Key Directory

For the public keys required to check the validity of passport data, visit the ICAO Public Key Directory.

References

1. ICAO. (n.d.). Machine Readable Travel Documents. Retrieved from ICAO Publications.
2. Mina Protocol. (n.d.). Offchain Storage API. Retrieved from Mina Documentation.

[mahmudsudo]

RFP-0007: zkPassport Implementation Project

Intent: To implement the zkPassport system as outlined in RFC-0007, creating a secure, blockchain-based passport verification application that leverages NFC and zero-knowledge proofs (ZKPs).

Reference RFC: RFC-0007: zkPassport [(https://github.com/MinaFoundation/Core-Grants/pull/11)]

Foundation or Organization Sponsor: Mina Foundation (contact@minafoundation.org)

Submit by: April 21, 2024

Application Form

Contact Information

Team Lead (Main Contact Person):

Name: Mahmud Bello Position/Role: Blockchain Developer / Project Lead Email: blinkztyler@gmail.com GitHub Username: mahmudsudo Telegram/Discord Handle: mahmudsudo Mina Recipient Address (for potential funding): B62qo9KuwZnGW1FvJsX1LTWUJvwTVjgZD61Yx6hoW4JAxp2gZUJnAvX Team Overview: As an experienced blockchain developer with a strong background in cryptography and secure application development, I have spent several years mastering technologies across the blockchain spectrum, including Ethereum and Mina. My technical expertise is complemented by a proven track record in developing and deploying applications that maintain privacy and security through advanced cryptographic methods, such as zero-knowledge proofs.

Proposed Solution Description: The objective is to develop a cross-platform application that utilizes NFC technology to securely scan and store passport information, integrating this data with the Mina blockchain through a zero-knowledge proof protocol designed to ensure data privacy and integrity. The application will be built with a focus on user-friendliness and robust security features to protect sensitive user data against emerging threats.

Execution Plan:

Initial Setup and Research: The project will begin with setting up the development environment and conducting detailed research to refine the NFC data extraction process and the implementation of ZKPs in alignment with Mina Protocol's capabilities.

NFC Implementation: Development of the NFC reading component to capture passport data accurately. This phase will involve rigorous testing with various passport formats to ensure comprehensive compatibility and reliability.

ZKP Implementation: Design and integration of a zero-knowledge proof system that will form the backbone of the passport verification process. This will ensure that users' data can be authenticated without ever exposing actual passport details to the blockchain or other users.

App Development: Building the user interface and underlying functionality to seamlessly integrate NFC and ZKP technologies. The application will be developed for both iOS and Android to ensure wide accessibility.

Testing and Refinement: Extensive testing will be conducted to ensure the application meets all security and usability standards. This will include beta testing with a controlled group of users to gather feedback and make necessary adjustments.

Launch and Monitoring: After thorough testing and final refinements, the application will be launched. Post-launch, the application's performance will be closely monitored to address any issues swiftly and to optimize functionality.

Critical Milestones:

Completion of NFC Module: Successfully implement and test the NFC data extraction module. ZKP Protocol Implementation: Fully functional zero-knowledge proof setup that integrates seamlessly with the Mina blockchain. Public Release: Official launch of the app on both Android and iOS platforms. Additional Support and Funding:

Support Requirements: Would benefit from collaboration with NFC technology experts and additional cryptographic expertise to ensure the robustness of the zero-knowledge proofs.

Grant Funding: A funding request of $50,000 is proposed to cover development tools, external consultancy fees, testing equipment, and operational expenses throughout the project duration.

Breakdown of funding utilization: Development: 2 developers @ $5,000 each = $10,000 1 project manager @ $5,000 = $5,000 Development tools and infrastructure = $5,000 Testing and Debugging: 1 QA engineer @ $5,000 = $5,000 Testing infrastructure and tools = $5,000 Bug bounty program = $5,000 Documentation and Community Engagement: 1 technical writer @ $5,000 = $5,000 Community engagement and marketing expenses = $5,000 Documentation tools and infrastructure = $5,000

Community Engagement: My engagement with the Mina community has been instrumental in refining the project proposal through active discussions and feedback incorporation. This ongoing interaction enhances the project’s alignment with community expectations and its potential for successful implementation.

[mahmudsudo]

Hi, i dropped a proposal for this project a while ago , i would like to know the response on the proposal. Thanks

[chad11111]

Hi, i dropped a proposal for this project a while ago , i would like to know the response on the proposal. Thanks

Hey,

We are waiting for another few proposals and will select soon. Highly appreciate your application!

[EmrePiconbello]

RFP-0007: ## zkPassport with native O1JS on mobile.

Overview The aim of this proposal is setting the standard of creating identity proofs to be used in Mina transactions, and providing tooling for this purpose.

Passports already containing verifiable credentials for the individual, cryptographically signed by the issuing authorities (countries), allows the possibility for a zk layer to depend upon.

We propose building a system such that:

1. User will scan their passports, using their mobile phone with NFC capabilities, using a mobile application.
2. zkApp developers will request an identity proof, satisfying certain conditions, such that being over a certain age or belonging to a certain group of countries, using the provided SDK.
3. Then the zkApp will use the generated proof, in the Mina transactions, to validate those conditions for the user, without exposing users' private data to the chain.

We will provide the necessary tooling to achieve this objective, optimizing for user privacy and ease of use, in the way that is explained below.

Our goal is to provide a solid building block to both zkApps and more comprehensive identity protocols, to set arbitrary requirements or make appropriate tradeoffs, based on the passport information for a given user.

ePassport Primer

ICAO specifies a standard for all ePassports to hold digitally accessible and cryptographically signed information about the owner. We intend to make use of this fact to include passport-backed constrictive identity proof validations in Mina transactions.

For our purposes, communicating with a passport over NFC consists of four main steps:

1. Authentication
   • Sets up a secure communication line between the passport and the scanner.
   • Uses either Basic Access Control (BAC) or Password Authenticated Connection Establishment (PACE)
2. Scanning
3. Passive Authentication (PA)
   • The issuing authorities sign the data the the passport contains, using publicly known key pairs.
   • The information is first hashed using SHA family of hashes, then signed using RSA or ECDSA.
   • Proves that the information contained in the chip is the same that the issuing authority signed.
4. Active Authentication (AA)
   • This proves that the passport's chip is present at the moment of scanning, and the data is not only cloned.
   • Works by sending a challenge to the chip to be signed by its key pair. The public key known for checking the response, is known from scanning and is checked via Passive Authentication already.

ICAO specification allows the following hashing and signing combinations:

• RSA: [SHA-1, SHA-224, SHA-256, SHA-384, SHA-512]
• ECDSA: [SHA-224, SHA-256, SHA-384, SHA-512]

o1js currently supports [RSA, ECDSA, SHA-256, SHA-384, SHA-512], which does not cover SHA-1 and SHA-224. However, according to research of the zkPassport team, SHA-1 usage is not widespread, where SHA-224 is not present. We will support the algorithms o1js implements, which covers the vast majority of current passports and will grow even further for every renewed passport over time.

Architecture

Plan A

There must be a NFC capable device to scan the passport, we plan to support Android and iOS devices via a React Native mobile application, possibly making use of Babel and Metro.

This mobile app will handle all communication with the passport, then it will store the credentials it scanned using encrypted storage feature of the OS, requiring only one scan for proofs to be generated. We will probably make use of the well built NFC scanner module from zkPassport team.

The app will also produce o1js proofs on demand, for the given constrictions the user is required to fulfill, by running o1js on the mobile device for proof generation.

The zkApp will request a proof like "being over 18 years of age and being a citizen of EU" from the mobile app, and will receive a proof to be validated in a recursive manner in a Mina transaction.

The communication line must be secure, preferably peer-to-peer. We are thinking of supporting WebRTC or simple file transfer, we believe it is not critical to the proposal at the moment, as an implementation detail. While off-chain storage is not in scope at the moment, we will decide on this during development.

We are aware of the problems one might face to run o1js on mobile, we will try Babel and Metro first, avoiding the memory limitation of a WebView implementation. However if that fails, we have a plan B as follows.

Plan B

If the mobile device of the user turn out to be unable to generate proofs, we will need to move the computation to user's browser on their PC.

We could build a JS library to be used by the zkApp to generate proofs on its own, but we decided against this in order to avoid sharing personal data with a malicious zkApp which may decide to upload that data to somewhere without permission.

We could build a website that worked via redirects, just like how Google authentication works, but locally between different tabs. We decided against this, to protect the user from phishing attacks since we would share our codebase for anyone to view or host.

Instead, we decided on building an extension similar to familiar web3 wallets. This approach keeps the data on users' own devices, makes use of the computing resources of a comparatively more powerful machine, does not share unnecessary data with parties with unknown intentions, and allows for a really smooth integration with zkApps using a SDK.

Setup:
Usage:

Only downsides for users are:

• Requiring users to install not one but two programs, one to mobile device and one to the browser.
• Extension marketplaces being permissioned and not instant or censorship-free.

Deliverables and Timeline

First two weeks will be spent on scanning the data from passports via the mobile application. We plan a passport scan bounty program that would find edge cases we as individuals absolutely cannot. This program would start from the moment we feel satisfied with the passport scanning capabilities.

As the next step, the mobile application proof generation capabilities will be worked on, we plan to spend two weeks here experimenting.

In parallel, the SDK will start to be developed here to generate and validate proofs with simple conditions. At this point, we would welcome any comments or community audits on the soundness of our approach, proof generation and validation in particular. We would love to have some support from the community on this issue, and would welcome any support from o1labs and Mina Foundation.

If mobile o1js experiment is successful, we would have a working prototype at six weeks, capable of generating and validating proofs with simple conditions, but without all the bells and whistles.

If mobile is unable to support our needs, we will pivot to the extension and the working prototype would be at the end of the ninth week.

After the working prototype, we would work on refining the communication between the different devices, between mobile app and either a zkApp or the extension. We would work on improving the SDK between, including supporting more complex proof requirements. We would also hunt bugs and edge cases. We would also write the documentation at this point.

We will create a bounty program that rewards users who report errors, which will give us the ability that as individuals we cannot possibly have for edge case detection, since everyone only has limited access to different passports. Also we believe this will result in a healthy community engagement and bootstrap adoption.

We plan to finish at 3 and half month in both cases.

Team

Main Contact Person: Emre Akbas

• project manager
• external communication
• Telegram: @E1piconbello
• Discord: e1emre
• Email: emre@piconbello.com

Developer: Mehmet Fatih Görgünoğlu

• passport communication on mobile
• compiling and running o1js on mobile
• possibly developing the extension
• UI/UX for both mobile and possibly extension

Developer: Egemen Göl

• proof generation and validation with o1js
• building the SDK to be used for mobile and zkApp, and possibly extension
• working on the secure communication between devices

Responsibilities and Budget

Maintaining scope includes:

• Maintaining mobile apps on two different platforms
• Possibly maintaining the extension
• Extending the passport compatibility support over time

Developer budget: $7500 per month per developer Legal: $5000
Project Manager: $3000 per month
Bug bounty budget: $3000
Maintaining budget: $1000 per month, for a year after completion

Total budget = $83000

Recipient Mina address: TBD

Possible Next Steps

While our approach proves that the data is not modified and not expired, it does not discriminate against stolen passports.

Our approach could be improved by making live queries against stolen/lost passport databases, using one of the many oracle approaches on Mina.

Participating to a service that uses our passport validation approach, requires the user to have a ePassport that o1js supports. We would like to be a building block to one or more, more comprehensive identity approaches, each making its own tradeoffs to support a more universal user base.

Also, the credentials storage and proof generation, maybe even the passport scan features could be merged into a Mina compatible wallet, keeping users from installing separate software just for passport credentials.

[tmkec]

Our solution attached here too

_Mina Foundation - Proposals for issues 18.pdf