Cointime

Download App
iOS & Android

Zero-knowledge proofs of identity using electronic passports

From ethresearch by turboblitz

Many applications need to verify their user’s identity online, whether it is nationality, age, or simply uniqueness. Today, this is hard. They are stuck between shady heuristics like tracking IP addresses and technologies like Worldcoin that need to deploy their infrastructure widely.

Fortunately, UN countries in association with the International Civil Aviation Organization have built a great tool for us to piggyback on: electronic passports. They are issued by more than 172 countries and include an NFC chip with a signature of the person’s information, including name, date of birth, nationality and gender. Issuing countries make their public keys accessible in online registries, enabling the verification of signatures.

A circuit for passport verification

For someone to prove their identity using a passport, they will have to do two things. First, read the content of their passport’s chip. This can be done easily with any NFC-enabled phone. Then, show a verifier that their passport has been correctly signed. Instead of sending all of their personal data for the verification to happen, they can generate a zero-knowledge proof that redacts some of their inputs.

Our circuit will have to checks two things:

  • The disclosed attributes have been signed correctly
  • The corresponding public key is part of the public key registry of UN countries

A simple circuit compliant with the electronic passport specs would look something like this:

B1_4A2ZxC.png2483×1669 96.6 KB

Here is roughly what happens:

  • Each datagroup stored in the passport contains some of the person’s information. The datagroups we are most interested in are the first one (nationality, age, etc) and the second one (photo). The circuit takes them as inputs along with the signing public key.
  • Datagroups are hashed, concatenated and hashed again.
  • The final result is formatted, hashed and signed by the country authority. We can use the public key to check this signature.

This makes the following attributes disclosable: name, passport number, nationality, issuing state, date of birth, gender, expiry date, photo.Some countries also provide additional data like place of birth, address, phone number, profession and a person to notify. Biometrics like fingerprint and iris are sometimes included but can’t be retrieved, as they require a special access key.

In practice, we want our circuit to have a few other features:

  • Instead of passing the country’s public key directly, we want the user to prove that the public key that signed their passport is part of the registry published by the ICAO. This can be done by passing a merkle proof of inclusion and having only the merkle root as a public input.
  • To allow for selective disclosure of any attribute, we pass a bitmap as a public input that will redact some of the attributes.
  • We want specific modules for age disclosure and nationality list inclusion. A range check can guarantee someone is above a certain age without disclosing the precise age, and an inclusion check can be done over a set of countries to prove someone is or is not a citizen of any country in a list.
  • For applications like minting an SBT or voting, we want to check that the passport is not expired. This can be done by passing the current date and doing a range check over the date in the circuit. We can then check that the current date is correct using the block timestamp in a smart contract or server-side in offchain verification.
  • For applications that need sybil-resistance, we want to store a nullifier that prevents using the same passport twice. The simplest approach involves storing a hash of the government’s signature, though this does not render the individual anonymous from the government’s perspective. There are other approaches, see here 1 for a discussion of the tradeoffs.

A map of a more complete circuit can be found here 3.

One of the challenges is the number of signature algorithms used. Most countries use common ones like RSA with SHA256, but the ICAO specifications are quite permissive and some countries chose to use hash functions like SHA512 or unusual padding formats. We currently support the most common one and we are working on adding support for more.

Applications

Applications roughly fall into three categories: proof of humanity, selective disclosure and authentication.

Proof of humanity can be used in general for sybil resistance. This includes voting, fair airdrops, quadratic funding and helping social media fight bots. If passports can’t be construed as a general solution today, they can be integrated into wider systems like Gitcoin Passport or Zupass.

Selective disclosure has applications like privacy preserving age check. Some countries restrict buying alcohol, drugs or entering casinos for minors, and zk could help bringing better privacy to those controls.

Another example of selective disclosure is proving one is not a citizen of any country in a set of forbidden countries. This could help creating an intermediate level of compliance between KYC-gated traditional finance and fully permissionless DeFi.

Using passport signatures for authentication, one can build a ERC-4337 recovery module that asks for a proof from a specific passport as one of the conditions for recovery. Some passports also support Active Authentication, meaning they have their own private key and the ability to sign data. This would make them suitable for direct transaction signing, either for small transactions or in a multisig setup with other signers.

Limitations

The most obvious limitations of using passport signatures are the following:

  • The passport does not do any kind of biometric check when the chip is read. Therefore there is no straightforward way to know if the passport has not been borrowed or stolen.
  • Most of the world population does not have a passport. Even in the US, only around 50% of the population owns a passport.
  • Issuing authorities can create an arbitrary number of passports and cheat in systems that require passports for sybil resistance.
  • Passports can be lost or revoked. Some countries allow citizen to keep their previous passport when they are issued a new one. Some people have dual citizenship. All those cases are hard to mitigate, as the signatures stay valid.

Those limitations are all quite fundamental to the way passports work today. They can be addressed by aggregating attestations from multiple sources, which will be covered in a future post.

Current state

Proof of Passport is fully open source 12, from mobile app to circuits. If you are interested in contributing, please check open issues 1.

While performance would have been a bottleneck a few years ago, work from teams like Polygon ID, arkworks and mopro have made client-side proving on smartphones quite fast. Generating a proof with the current circuit takes ~4 seconds on a recent iPhone.

We are currently focused on shipping the mobile app for the first integrations. It allows users to mint an Soulbound Token disclosing only specific attributes they chose, or none at all other than the validity of their passport. Contact us to try out the beta release.

Thanks to Rémi 2Andy 1Aayush 1Youssef 2 and Vivek 1 for contributing ideas and helping build this technology!

Comments

All Comments

Recommended for you

  • Web3 Gaming Analytics

    Transforming Gaming: Helika & The Rise of Advanced Analytics

  • Qian Zhimin, the main culprit in the 60,000 Bitcoin money laundering case, was sentenced to 6 years in prison in the first instance

    On May 24th, the Southwark Crown Court in London ruled in the second trial that 42-year-old Chinese national Qian Zhimin was guilty of money laundering and will serve six years and eight months in prison. Previously, Qian Zhimin had attempted to purchase multiple luxury homes in London, including a 23.5 million pound seven-bedroom mansion in Hampstead and a 12.5 million pound mansion with a private cinema and gym, which caught the attention of the police. An investigation found over 61,000 bitcoins worth more than 3 billion pounds in a digital wallet, setting a record for the highest amount of cryptocurrency seized in the UK. Currently, 23,300 bitcoins worth over 1 billion pounds are still in circulation. It is said that these bitcoins came from a 5 billion pound investment fraud case in China between 2014 and 2017, where the funds were transferred overseas and used to purchase cryptocurrency. Qian Zhimin did not directly participate in the fraud, but played a "front desk" role in helping to disguise the source of the laundered funds.

  • Plume Network Raises $10M Seed Funding to Bring Real-World Assets on-Chain

    San Francisco-based Plume Network has secured $10m in seed funding to expand its operations and development efforts. The funding round was led by Haun Ventures, with participation from Galaxy Ventures, Superscrypt, A Capital, SV Angel, Portal Ventures, Reciprocal Ventures and others. Plume provides a modular EVM L2 blockchain for real-world assets, integrating asset tokenisation and compliance providers directly into the chain.

  • A certain address destroyed 11.51 million DOGE 16 minutes ago, worth $1.86 million

    According to on-chain data, an address transferred 11.51 million DOGE, worth $1.86 million, to a black hole address (zero address) 16 minutes ago.

  • Vitalik unlocked 845,205 STRK from the Locked Token Grant contract 50 minutes ago

    According to on-chain analyst Yu Jin's monitoring, V God unlocked and received 845,205 STRK tokens worth $1.07 million from the Starknet Locked Token Grant contract 50 minutes ago.

  • Fidelity FBTC holdings exceed 150,000 Bitcoins, with a market value of over $10 billion

    The net inflow of the Fidelity Bitcoin exchange-traded fund (ETF) FBTC was $19.1224 million yesterday. The total historical net inflow of FBTC has now reached $8.67 billion. According to the latest data from Dune Analytics, FBTC's holdings have exceeded 150,000 Bitcoins, currently reaching 151,797 Bitcoins, and the market value of holdings has also exceeded $10 billion, reaching $10.3 billion. So far, Fidelity is the third-largest holder of spot Bitcoin ETFs, second only to Grayscale (287,701 Bitcoins) and BlackRock (275,756 Bitcoins).

  • xAI to complete new round of financing at a valuation of $24 billion

    According to sources cited by Bloomberg, Elon Musk's artificial intelligence company xAI will complete a round of financing in June, with a valuation of over $24 billion after financing. The company originally planned to raise $6 billion this month. It is said that xAI's goal is to raise as much as $6.5 billion and is expected to achieve this goal in the coming weeks.

  • Bitcoin spot ETFs had a total net inflow of $108 million yesterday, continuing a net inflow for 9 consecutive days

    On May 24th, according to SoSoValue data, the net inflow of Bitcoin spot ETF on May 23rd was $108 million. Yesterday, Grayscale's (Grayscale) GBTC had a net outflow of $13.7209 million, and the historical net outflow of GBTC is currently $17.641 billion. The Bitcoin spot ETF with the highest net inflow in a single day is BlackRock's IBIT, with a net inflow of $88.9516 million in a single day, and the total historical net inflow of IBIT has reached $16.171 billion. The second is Fidelity's FBTC, with a net inflow of $19.1224 million in a single day, and the total historical net inflow of FBTC has reached $8.67 billion.

  • The Hong Kong Privacy Commissioner has issued an enforcement notice to Worldcoin, but the Worldcoin Foundation has not yet disclosed whether it will comply with the ruling.

    The Hong Kong Privacy Commissioner for Personal Data has completed an investigation into the Worldcoin project and emphasized on Thursday that a compulsory enforcement notice has been issued to Worldcoin. However, Worldcoin has not disclosed whether it will comply with the regulatory decision, suspend its biometric data collection activities in Hong Kong, or address the concerns of participants. The Worldcoin Foundation, the supporting organization behind Worldcoin based in the Cayman Islands, expressed disappointment with the views of Hong Kong regulators, stating that its operations are legal and aimed at complying with laws and regulations related to data collection and use in Hong Kong and many other markets. The foundation stated that "unfortunately, Hong Kong overlooked these aspects when evaluating the human verification process."

  • Onchain advertising is here

    How to pay for the new internet