Zero-knowledge proofs of identity using electronic passports

Zero-knowledge proofs of identity using electronic passports

Many applications need to verify their user’s identity online, whether it is nationality, age, or simply uniqueness. Today, this is hard. They are stuck between shady heuristics like tracking IP addresses and technologies like Worldcoin that need to deploy their infrastructure widely.

Fortunately, UN countries in association with the International Civil Aviation Organization have built a great tool for us to piggyback on: electronic passports. They are issued by more than 172 countries and include an NFC chip with a signature of the person’s information, including name, date of birth, nationality and gender. Issuing countries make their public keys accessible in online registries, enabling the verification of signatures.

A circuit for passport verification

For someone to prove their identity using a passport, they will have to do two things. First, read the content of their passport’s chip. This can be done easily with any NFC-enabled phone. Then, show a verifier that their passport has been correctly signed. Instead of sending all of their personal data for the verification to happen, they can generate a zero-knowledge proof that redacts some of their inputs.

Our circuit will have to checks two things:

  • The disclosed attributes have been signed correctly
  • The corresponding public key is part of the public key registry of UN countries

A simple circuit compliant with the electronic passport specs would look something like this:

Here is roughly what happens:

  • Each datagroup stored in the passport contains some of the person’s information. The datagroups we are most interested in are the first one (nationality, age, etc) and the second one (photo). The circuit takes them as inputs along with the signing public key.
  • Datagroups are hashed, concatenated and hashed again.
  • The final result is formatted, hashed and signed by the country authority. We can use the public key to check this signature.

This makes the following attributes disclosable: name, passport number, nationality, issuing state, date of birth, gender, expiry date, photo.
Some countries also provide additional data like place of birth, address, phone number, profession and a person to notify. Biometrics like fingerprint and iris are sometimes included but can’t be retrieved, as they require a special access key.

In practice, we want our circuit to have a few other features:

  • Instead of passing the country’s public key directly, we want the user to prove that the public key that signed their passport is part of the registry published by the ICAO. This can be done by passing a merkle proof of inclusion and having only the merkle root as a public input.
  • To allow for selective disclosure of any attribute, we pass a bitmap as a public input that will redact some of the attributes.
  • We want specific modules for age disclosure and nationality list inclusion. A range check can guarantee someone is above a certain age without disclosing the precise age, and an inclusion check can be done over a set of countries to prove someone is or is not a citizen of any country in a list.
  • For applications like minting an SBT or voting, we want to check that the passport is not expired. This can be done by passing the current date and doing a range check over the date in the circuit. We can then check that the current date is correct using the block timestamp in a smart contract or server-side in offchain verification.
  • For applications that need sybil-resistance, we want to store a nullifier that prevents using the same passport twice. The simplest approach involves storing a hash of the government’s signature, though this does not render the individual anonymous from the government’s perspective. There are other approaches, see here for a discussion of the tradeoffs.

A map of a more complete circuit can be found here.

One of the challenges is the number of signature algorithms used. Most countries use common ones like RSA with SHA256, but the ICAO specifications are quite permissive and some countries chose to use hash functions like SHA512 or unusual padding formats. We currently support the most common one and we are working on adding support for more.

Applications

Applications roughly fall into three categories: proof of humanity, selective disclosure and authentication.

Proof of humanity can be used in general for sybil resistance. This includes voting, fair airdrops, quadratic funding and helping social media fight bots. If passports can’t be construed as a general solution today, they can be integrated into wider systems like Gitcoin Passport or Zupass.

Selective disclosure has applications like privacy preserving age check. Some countries restrict buying alcohol, drugs or entering casinos for minors, and zk could help bringing better privacy to those controls.

Another example of selective disclosure is proving one is not a citizen of any country in a set of forbidden countries. This could help creating an intermediate level of compliance between KYC-gated traditional finance and fully permissionless DeFi.

Using passport signatures for authentication, one can build a ERC-4337 recovery module that asks for a proof from a specific passport as one of the conditions for recovery. Some passports also support Active Authentication, meaning they have their own private key and the ability to sign data. This would make them suitable for direct transaction signing, either for small transactions or in a multisig setup with other signers.

Limitations

The most obvious limitations of using passport signatures are the following:

  • The passport does not do any kind of biometric check when the chip is read. Therefore there is no straightforward way to know if the passport has not been borrowed or stolen.
  • Most of the world population does not have a passport. Even in the US, only around 50% of the population owns a passport.
  • Issuing authorities can create an arbitrary number of passports and cheat in systems that require passports for sybil resistance.
  • Passports can be lost or revoked. Some countries allow citizen to keep their previous passport when they are issued a new one. Some people have dual citizenship. All those cases are hard to mitigate, as the signatures stay valid.

Those limitations are all quite fundamental to the way passports work today. They can be addressed by aggregating attestations from multiple sources, which will be covered in a future post.

Current state

Proof of Passport is fully open source, from mobile app to circuits. If you are interested in contributing, please check open issues.

While performance would have been a bottleneck a few years ago, work from teams like Polygon ID, arkworks and mopro have made client-side proving on smartphones quite fast. Generating a proof with the current circuit takes ~4 seconds on a recent iPhone.

We are currently focused on shipping the mobile app for the first integrations. It allows users to mint an Soulbound Token disclosing only specific attributes they chose, or none at all other than the validity of their passport. Contact us to try out the beta release.

Thanks to Rémi, Andy, Aayush, Youssef and Vivek for contributing ideas and helping build this technology!

17 Likes

Are positive measures “to promote diversity and assist minority nations” discriminatory?
Every body has membership conditions. Knowing exactly what those are leads to more just outcomes.
Belonging criteria is not discriminatory, but mere preconditions for the existence of organizations.

2 Likes

Passports must be stored privately, yet there should be a way to publicly verify their validity. How and where passport information is stored?

1 Like

Good question.

The passport data that is read from the NFC chip is very sensitive information, so I don’t think we want to keep a copy of it in a mobile app. Instead, we can generate a proof of just the information we want, like humanity or nationality and store only this proof. It can still be verified afterwards using the government’s public keys that are accessible online.

1 Like

No, positive measures themselves are not inherently discriminatory. In theory, organizations could apply these measures constructively to foster inclusivity. However, it’s often observed that the nationality listed in passports is used for discriminatory purposes. Ultimately, it’s within an organization’s discretion to either perpetuate discrimination through various classifications and categories, or to uphold the fundamental principles outlined in the Declaration of the United Nations. Article 7 of the Declaration explicitly states that everyone is equal before the law and entitled to equal protection without any discrimination. This includes protection against any discrimination that violates the Declaration and against any incitement to such discrimination. It would be commendable if mechanisms like Ethereum could be utilized to offer anti-discrimination bonuses to minorities, which would be a significant step forward. However, in my opinion, it’s generally better to avoid at all using nationality information in passports

1 Like

Understood. Using the tool likely to come with its values.
The source of worry here being the inherent discriminatory character of national identity. At application level this boils down to KYC and respecting the rules and regulations of the jurisdiction in which you operate. Law, be it international, is historically powerless in its affirmative sense. Appeals to law, since states and not individuals are producers of it, is more efficient at upholding discriminatory practice than not.
This is an application. Ethereum is, like the internet, permissionless and credibly-neutral.

2 Likes

@AndreevPetr tech can be used for good or evil, i don’t think “ignoring” nationality/gender is the way to go

Returning privacy for people to selectively disclose PII is very important

Some positive example use cases:

  • Targeted UBI for at-war countries or high levels of poverty (claimable anonymously if you can prove X)
  • Private refugee applications
  • Anon national forums where civil discussions are taken to improve local or national government
4 Likes

This raises another question: why check people’s passports at all? I think a better idea would be to use ZK technology to encrypt citizens’ passport chips, which would be verified when they pass through customs. Passports, including their chips, are easily forged.

5 Likes

Please stop the overly zealous moderators banning absolutely everything. We are not in Canada.

For my credentials, skills certification:

I have made a 30 minute presentation on zkPassport and SoulBound NFTs at EthBucharest 2024.
Here are the slides: EthBucharest 2024 - Google Slides

Here is an opinion by inverid, most popular mobile app to read Passports.

In practice, only a very few organisations such as national border control, police and local governments receive authorization to read the fingerprints from a passport. Especially in an international context, it is very difficult to arrange. Because of this, EAC-TA seems to be used very little. We have already implemented EAC-TA some years ago, and ReadID can support EAC-TA for customers that have received such authorization. This is however currently not a production feature.

Here is my slide page 11 from the presentation

2 Likes

Further attaching relevant resources on the context perceived discrimination that stem from passports

The Effects of Perceived Discrimination on Immigrant and Refugee Physical and Mental Health

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6553658/

Transgender and Nonbinary People Describe Discrimination, Harassment, and Mistreatment at Aurora Detention Facility in New Civil Rights Complaint

https://www.americanimmigrationcouncil.org/news/transgender-nonbinary-people-abuse-ice-aurora-colorado-detention

Enforcement at the Airport

3 Likes

EAC-TA, which is Terminal authentication, is only meant to be done at airports and requires special access keys. Definitely not something we can or want to do!

4 Likes

Thanks for the nice post!
My lab studies Digital Identity and I have studied the signature algorithm used for Verifiable Credential, so I thought this was a very interesting post.
If you don’t mind, can you elaborate on how Selective Disclosure works?

To allow for selective disclosure of any attribute, we pass a bitmap as a public input that will redact some of the attributes.

Bitmap and circuit diagram are not well connected in my mind. The reason for incorporating that mechanism is to be able to change public input and private input without changing the circuit, right? Can you explain how the flow is different when disclosing only the name and when disclosing only the date of birth?

2 Likes

Hi,

Yes, precisely. By passing a bitmap that selects characters of the MRZ to be revealed, we can have a single circuit for any combination of disclosures, and let users choose what to reveal each time they generate a proof. You can see the code here.

4 Likes

Where can I find a list of oracles for ZK passports? Which industries already have them? Is there a complete list available?

2 Likes

If by oracles you mean the public keys of issuing authorities, there are multiple lists, the main one being compiled by the ICAO. Here is how we parse it.

3 Likes

Hey @turboblitz this is a great use! Have you seen my work on standardizing on chain executions using zk-ID I believe there could be an angle there

Enabling standardized on chain executions through modular smart accounts

3 Likes

ah, this is an interesting use case.

4 Likes

What specific technologies or tools did you use to implement zero-knowledge proofs in your system? Were there any unique challenges you encountered during this process?

5 Likes

How can applications verify on chain? for example, a DeFi app needs to verify if the user is over 18 years old, after the proof is generated, it must be submitted on chain so that the DeFi app can verify?

2 Likes

To enable on-chain verification for applications like DeFi, after generating a zero-knowledge proof (ZKP) from an electronic passport verifying that a user is over 18, the proof must be submitted on-chain. The DeFi app can then verify the proof using the blockchain, which acts as a trustless intermediary. This approach ensures that sensitive user data, such as birth date, is kept private, while the app can confirm the age eligibility based on the verified proof.

These are my guesses.