Verification stack: BabyZK
The initial zero-knowledge verification stack we have integrated is named “BabyZK”. This stack employs the subsequent algorithms and parameters:- Curve: BN254. All the following algorithms are using this curve.
- Hash: Poseidon.
- Digest: The digest is derived from the Poseidon hash of
poseidon(header, signature metadata)
andposeidon(body)
. Initially, the header and signature metadata are cohesively hashed, according to the canonical sequence of header fields followed by signature metadata fields. Subsequently, the fields within the body are hashed in the type definition order. Finally we take the Poseidon hash of the two hash values. - Signature: EdDSA Poseidon
- Identity commitment schema: a 2-input poseidon hash of BN254 curve of two fields:
identity secret
andinternal nullifier
, in this specified order. - Circuit language: Circom
- Proof system: Groth16, powered by SnarkJS
- Limits: The total number of public inputs of claims in the body must be less than 256, including intrinsic public inputs. For body types encompassing more than 16 signals—such as 9
uint256
fields or 20bool
—the fields are segmented into groups of 16 and individually hashed. The final step is hashing results from these group hashes. This approach is necessitated by Poseidon’s constraint of 16 signals. Given the further restriction that there can’t exceed 256 fields, this hashing methodology can be implemented through a two-layer hashing structure.
Smart contracts
Smart contracts in the protocol serve two primary functions:- On-chain data storage:
- Context registry
- Issuer registry
- Metadata
- Public key management
- Revocable credential state management
- Type registry
- Primitive type management
- Metadata
- Definition
- Resource URI
- Static proof verifier
- Public input parser
- Trust schema
- On-chain Verification:
- Stateful credential zk verifier contract
- Aggregated on-chain attestation
- Issuers can introduce a new context by submitting a string to the contract. The Context ID is derived from the keccak256 hash of this string, truncated to the lower 160 bits.
- Contexts are designed to be universal, instead of binding to a credential type. While it might seem unconventional to associate a boolean-typed credential with the context “Trading volume,” we entrust this decision to the issuer.
- Issuer Metadata:
- Issuer ID: Crafted to be chain-agnostic and deterministic, the issuer’s EVM address is directly adopted as their Issuer ID. For chains not based on EVM, addresses can still be utilized, albeit truncated to 160 bits.
- Name: Issuer can specify their name.
- Identity Verification (built in separate contracts):
- DNSSEC: Issuers can use DNSSEC records to validate their ownership of web2 domains.
- GAL Staking: Issuers can manifest their commitment by staking GAL tokens.
- ENS/SpaceID & Other Bindings: This facilitates the association of issuers with a web3 identity.
- Issuer State:
- Public Key Manager: This contract caters to various verification stacks and is structured as a mapping from
(issuer_id, key_id)
to the key’s status. The key ID is derived from the hash of the public key, with the hashing algorithm contingent on the selected verification stack. Key statuses are bifurcated into:- Active: Denotes keys currently in use.
- Revoked: Signifies that all credentials signed with these keys are invalidated.
- Signature State Manager: For credentials that can be revoked, this contract provision allows issuers to regulate the revocation status for each combination of credential type and context. This is achieved by uploading the hash root of the sparse merkle tree containing signature IDs of the revoked credentials. Issuers need to publish the whole tree to a permanent storage for holders to access.
- URI to the sparse merkle tree.
- Root hash.
- Public Key Manager: This contract caters to various verification stacks and is structured as a mapping from
- Type Registration
- Allows for the registration of new credential types by users.
- Type metadata storage
- Stores type metadata such as revocability, admin address, name, definition in DSL, description, and a resource URI for proof generation artifacts.
- Type Management
- Functionality to update the verifier and public signal getter for a type and a verification stack, adapting to evolving verification needs.
- Functionality to transfer type ownership.
- Check if a type is fully initialized for a given verification stack, ensuring readiness before deployment.
- Utility Functions
- Check if a type is fully initialized for a given verification stack, ensuring readiness before deployment.
- Calculate the typeID based on the creator’s address and the name of the type
- Do type and context matches verifier’s expectation?
- Can the revealed credential expiration lower bound prove that the credential is not expired? (greater or equal to the current blocktime)
- Is the public key still active for the expected issuer?
- If the credential is revocable, is the proof generated with the current SMT root?
verifyProofFull
, so that verifiers can validate a proof with just one function call. It supports both:
- Static Verification: Checks the validity of proofs without considering the state of the issuer’s public key or revocation lists.
- Full Verification: Extends static verification by also checking the issuer’s public key activity and whether the revocation tree check is up-to-date.
SDK
The protocol provides an open source implementation of SDKs that allows developers to build application on Galxe identity protocol. The SDK provides:- Credential maker function: generate a credential based on its type.
- BabyZK verification stack
- circuit generator: generate circom code based on type definition.
- signer: Sign a credential with private key.
- proof generator: Generate a proof based on the type and conditions.
- proof verifier: Based on the credential type, query verification key from blockchain and return the verification result. Users should always use the SDK’s proof verifiers or on-chain verifiers, when possible to enable type-based security checks.
Hosted service
Galxe BabyZK trust setup MPC node This is a hosted service that can participate in phase 2 trust setups for BabyZK’s Groth16 circuits. The service is not a necessity for protocol, but it can improve the user experience of credential type designer and its users. They do not need to worry about the trust setup when a new type is newly invented. The Galxe’s MPC node will make sure to add secrets into the result, seal and publish the proving and verification keys to decentralized storage and corresponding verifier.Application: Galxe identity vault
At the core of Galxe identity protocol’s philosophy lies a deep commitment to the idea of self-sovereign identity. In pursuit of ultimate sovereignty, we developed the Galxe identity vault, a local storage solution for identity data, with embedded zero-knowledge provers, that gives users- self-evident privacy safeguard: given that data is stored locally, users can ensure that their personal information is kept private. Data does not need to pass through or be stored on any external servers where it could potentially be accessed by unauthorized parties.
- total access control: Local storage gives users full control over their own data. They can decide what to do with it, when to share it, how to share it, and who to share it with. This is in contrast to storing data with centralized authorities or intermediaries, where users must trust those authorities will handle their data appropriately, and hope their services are live when needed. With local storage, users can ensure that their data is stored in their own jurisdiction, avoiding potential legal and regulatory complications.
- no-code ZKP: It allows credential type designer, issuer, verifier, and holder to run all the workflow without any coding.
- all the workflows defined below and
- generating a key pair on Baby Jubjub curve, which will be used for signing.
- sync and fetch credentials from issuers.
- checking on-chain state of revocable credentials.
- issuing credentials to any other identity
Storage add-on(s)
The protocol can work with decentralized permanent storage to improve its user experiences, by storing these information:- Proving keys, which is required for holders to generate zero-knowledge proofs. The size of these keys range from one megabytes to even hundreds of megabytes, depending on the number of constraints of the circuit.
- Sparse merkle tree of revoked credentials. Without the SMT data, holders cannot prove the validity of revocable credentials.