DIF hackathon 2024
## Inspiration
The Costa Rican government offers an advanced digital identity system (Firma Digital) that allows residents or entities to sign documents with a digital identity validated by the central bank as CA and authenticate themselves on various public or private websites and services. However, there is a significant privacy concern related to sensitive data in Costa Rica. A small amount of identity information, such as a national ID number or car plate number, can lead to extensive data collection. Private companies can use this kind of data to harvest citizen data, for instance, by calling and offering them products or services without any previous request or permission. This fact is exceptionally relevant now that big corporations harvest indiscriminate user data to train AI models. Even worse, criminals are collecting this same data to perform identity theft and fraud, sometimes even making fraudulent calls from the jails.
I also take inspiration from my own experience. My family and I have already received scam calls from people who clearly have access to sensitive information about us. This kind of data comes from companies or institutions that collect too much data for use cases that do not require it. For instance, once, I had to send a complete picture of my passport to a sports streaming app just to prove that I was older than 18 years. Not even KYC was necessary in that case. This kind of indiscriminate data collection finally ends up in the hands of criminals for sale on the "dark web."
In the past, I was a contributor to Tails, the OS used by Snowden to reveal the NSA's massive espionage capabilities, because I feel that a world without privacy is a world without freedom of expression and without democracy.
## What it does
The project aims to address these privacy issues by creating a zero-knowledge proof infrastructure using blockchain technology and ZK circuits. This solution will enable citizens to verify their identity and provide specific information without revealing actual personal details. By minimizing the distribution of sensitive data across various institutions and companies, we can significantly reduce the risk of data theft. Additionally, this system can authenticate users for diverse services, ensuring they are real individuals and not bots, without requiring sensitive information such as email addresses or phone numbers.
The project allows the Costa Rican Firma Digital holder to create off-chain Verifiable Credentials with Zero-Knowledge proofs. The VC can be used to prove that the person is a resident or citizen of the country without revealing any sensitive information. This is useful in many use cases, as we will show later.
Using the Privado ID tools, our PoC also allows users to create non-merklized verifiable credentials in the Polygon network. The user can then use those on-chain VCs to request medical certificates from the "government." The "government" checks for VCs and medical credential requests on-chain in our smart contract, and if they match and come from a real user (resident or citizen), it creates a medical certificate that corresponds to the user. The certificate is then encrypted and uploaded as a private file to Pinata. The app allows the "government" to encrypt the file using AES and then encrypt the AES key using the user's RSA public key. The encrypted key and the IPFS hash, which is also encrypted, are sent to the smart contract so the user can retrieve the file from Pinata. Finally, the used VCs are revoked in the smart contract, and the user can decrypt and view their medical certificate.
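The hybrid encryption step described above, sketched with Node's built-in `crypto` module as an added example (not the project's own code). AES-256-GCM, RSA-OAEP with SHA-256, the `iv | tag | ciphertext` blob layout, all function names and the sample certificate and CID are assumptions; the page only names "AES" and "RSA".

```javascript
const nodeCrypto = require('node:crypto');

// Assumed padding: OAEP with SHA-256 (the page does not name one).
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Wrap a short secret (AES key or IPFS hash) under the user's RSA public key.
function wrapForUser(secret, publicKeyPem) {
  return nodeCrypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, secret);
}
function unwrapAsUser(wrapped, privateKeyPem) {
  return nodeCrypto.privateDecrypt({ key: privateKeyPem, ...OAEP }, wrapped);
}

// "Government" side: encrypt the certificate, return the blob to upload
// and the wrapped AES key destined for the smart contract.
function sealCertificate(certificate, publicKeyPem) {
  const aesKey = nodeCrypto.randomBytes(32); // fresh key per certificate
  const iv = nodeCrypto.randomBytes(12);     // 96-bit GCM nonce
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', aesKey, iv);
  const body = Buffer.concat([cipher.update(certificate), cipher.final()]);
  const fileBlob = Buffer.concat([iv, cipher.getAuthTag(), body]); // iv | tag | ciphertext
  return { fileBlob, encryptedKey: wrapForUser(aesKey, publicKeyPem) };
}

// User side: unwrap the AES key, then authenticate and decrypt the blob.
function openCertificate(fileBlob, encryptedKey, privateKeyPem) {
  const aesKey = unwrapAsUser(encryptedKey, privateKeyPem);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', aesKey, fileBlob.subarray(0, 12));
  decipher.setAuthTag(fileBlob.subarray(12, 28));
  // final() throws if the stored blob was modified
  return Buffer.concat([decipher.update(fileBlob.subarray(28)), decipher.final()]);
}

function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const cert = Buffer.from('CONSTRUCTED SAMPLE: medical certificate');
  const { fileBlob, encryptedKey } = sealCertificate(cert, publicKey);
  const cid = 'EXAMPLE-CID-PLACEHOLDER'; // constructed; a real one comes from the upload
  const encryptedHash = wrapForUser(Buffer.from(cid), publicKey);
  const ok = openCertificate(fileBlob, encryptedKey, privateKey).equals(cert) &&
    unwrapAsUser(encryptedHash, privateKey).toString() === cid;
  return { ok, fileBlob, encryptedKey, privateKey };
}

console.log('round trip ok:', demo().ok);
```

Only `encryptedKey` and `encryptedHash` would go on-chain; because GCM authenticates the blob, a file altered in storage fails to decrypt instead of yielding a modified certificate.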
## How we built it
We took inspiration from the Anon Aadhaar project and ZK Passports. This kind of project permits us to connect the blockchain world to physical identity mechanisms that already work without revealing sensitive information. This is especially useful in public blockchains such as Ethereum or Polygon, where uploaded data is easily visible to anyone.
In our case, we use the Costa Rican Firma Digital, a set of government-signed certificates that allows the user to prove identity and further sign arbitrary documents. This makes it even more powerful than the mentioned projects.
The PoC app is mainly built with Python. Since we use the Circom compiler tools to create Zero-Knowledge proofs, we also use JavaScript. We have also created a Web GUI that allows the user to log in and see current VCs.
We have created smart contracts using the Solidity language for the on-chain Verifiable Credentials and medical certificate requests.
We use Pinata to store the encrypted medical certificates the cardholder requests and the government uploads.
## Challenges we ran into
Since we are using PSE tools such as Anon Aadhaar, which uses zero-knowledge proofs but is not compatible with W3C DID and VCs, it was difficult to integrate both technologies. Also, it was challenging to make sense of the compatibility requirement and how to prove that what we do fulfills W3C standards.
## Accomplishments that we're proud of
This is my first project using Circom and Zero-knowledge proofs in general. Therefore, I am proud to have built a working PoC in such a short time that solves real privacy problems and can already be used in the real world.
Also, it was not my first time using verifiable credential technology, but I could expand my knowledge, allowing me to build better and more private applications in the future and, more importantly, bring ZK Firma Digital to be a solution that millions of people could use.
## What we learned
I have learned about several technologies for the first time, such as Circom and Zero-Knowledge proofs. I have learned to integrate such proofs on-chain and how to create DID and VC on-chain that can be used to solve real-world problems.
I have also used Pinata for the first time, allowing me to create a genuinely Web3 solution.
## What's next for ZK Firma Digital
We want to create products that solve real privacy problems in Costa Rica and beyond. We are confident that ZK Firma Digital will be fundamental to such efforts. There are many use cases where we could apply our technology, such as:
- Anonymous authentication
- Decentralized anonymous voting
- Anonymous proof of humanity
- Health data privacy
- Know Your Customer
- Privacy-Preserving Verification
- Anti-Sybil Mechanisms
- DAO Governance
- Quadratic Funding (QF)
- Wallet Recovery
- And many more