Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 7 additions & 7 deletions src/posts/2026-04-14-resilient-plural-identity.md
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ The standard model for on-chain identity follows a three-step dependency chain:
2. A **holder** presents that credential (or a ZK proof over it) to prove an attribute: age, nationality, sanctions-list status.
3. A **verifier** (smart contract, institution, dApp) checks the credential's validity, often by querying the issuer's revocation registry.

Every step depends on the issuer being live and cooperative. [ZKPassport](https://zkpassport.id/) verifies passport NFC signatures issued by governments. [Anon Aadhaar](https://github.com/anon-aadhaar) verifies Indian national ID signatures from UIDAI. [ZK Email](https://prove.email/) verifies DKIM signatures from email providers. [TLSNotary](https://tlsnotary.org/) verifies TLS session transcripts from web2 services. All of these produce strong cryptographic proofs of identity attributes. None of them answer the question: what happens when the entity behind the original credential disappears?
Every step depends on the issuer being live and cooperative. [ZKPassport](https://zkpassport.id/) verifies passport NFC signatures issued by governments. [Anon Aadhaar](https://github.com/anon-aadhaar) verifies Indian national ID signatures from UIDAI. [ZK Email](https://prove.email/) verifies DKIM signatures from email providers. [TLSNotary](https://tlsnotary.org/) verifies TLS session transcripts from web2 services. These systems produce strong cryptographic proofs, while still relying on the original source or issuer model for some trust assumptions.

The issuer can fail in several ways. It can shut down (bankruptcy, sanctions, corporate dissolution). It can turn adversarial (mass-revoke credentials, publish false revocation lists, forge credentials for non-holders, refuse new issuance). It can simply go offline. In every case, the holder is left with a credential that cannot be independently verified.

Expand Down Expand Up @@ -80,7 +80,7 @@ No issuer endpoint is contacted. No registry is queried. The on-chain root is th

Two proofs from the same holder, one submitted to Verifier A and another to Verifier B, should look unrelated. No on-chain or off-chain observer should be able to tell they came from the same person. This is what separates useful private identity from tokenized surveillance. Most ZK identity systems fall short of it, either because the credential exposes a persistent identifier during presentation (the holder's pubkey, a hash that is deterministic across scopes), or because the issuer accumulates enough metadata during issuance to correlate later verifications back to a person.

This protocol targets unlinkability on two axes. Across verifiers, the scope-bound nullifier makes the same holder look unrelated to different applications. Across issuance and use, the vOPRF sits at the one point where the identity-source credential would otherwise become a correlation handle, so no single party, including any MPC subset below threshold, sees both sides of the mapping. This was the design goal behind [OpenAC](https://eprint.iacr.org/2026/251) and the motivating reason [TACEO](https://core.taceo.io/articles/taceo-oprf/) puts a vOPRF in the identity path. Without it, identity providers can still watch their users on-chain.
This protocol targets unlinkability on two axes. Across verifiers, the scope-bound nullifier makes the same holder look unrelated to different applications. Across issuance and use, the vOPRF sits at the one point where the identity-source credential would otherwise become a correlation handle, so no single party, including any MPC subset below threshold, sees both sides of the mapping. This was the design goal behind [OpenAC](https://eprint.iacr.org/2026/251) and the motivating reason [TACEO](https://core.taceo.io/articles/taceo-oprf/) puts a vOPRF in the identity path. Without this separation, issuer-side metadata can become a correlation surface.

## Sybil resistance

Expand Down Expand Up @@ -161,19 +161,19 @@ This is a proof-of-concept with real limitations.

Several projects tackle private identity on Ethereum from different angles. Here is where this protocol fits.

[Semaphore](https://semaphore.pse.dev/) (PSE) is the most established private membership proof system. Holders commit an identity to a Merkle tree and generate ZK proofs of membership with nullifiers. It provides the core primitive this protocol extends, but does not enforce sybil resistance at the identity layer: nothing prevents one person from inserting multiple commitments.
[Semaphore](https://semaphore.pse.dev/) (PSE) is the most established private membership proof system. Holders commit an identity to a Merkle tree and generate ZK proofs of membership with nullifiers. It provides the core primitive this protocol extends.

[World ID](https://worldcoin.org/world-id) takes the opposite approach: biometric enrollment via iris scan through a specialized device (the Orb) provides the strongest one-person-one-identity guarantee available. The tradeoff is hardware dependency and centralized enrollment infrastructure, which limits deployment to locations with physical Orb access.
[World ID](https://worldcoin.org/world-id) takes the opposite approach: biometric enrollment via iris scan through a specialized device (the Orb) provides the strongest one-person-one-identity guarantee available.

[Self](https://self.xyz/), [ZKPassport](https://zkpassport.id/), and [Human](https://human.tech/) verify identity attributes and generate ZK proofs. Self and ZKPassport focus on passport NFC signatures on mobile. Human aggregates multiple identity signals into a unified score. All three produce strong per-session proofs and serve as viable enrollment sources for this protocol, with the vOPRF layer adding sybil resistance and issuer independence on top.

[zk-creds](https://eprint.iacr.org/2022/878) (Rosenberg et al., 2023) shares the Merkle-tree-as-issuance-list paradigm. Holders insert credentials into a public bulletin board and generate ZK proofs of possession. The approach works with existing identity documents without modification. The key difference is sybil resistance: zk-creds delegates duplicate prevention to the issuance list manager, while this protocol enforces it cryptographically via the vOPRF enrollment nullifier.
[zk-creds](https://eprint.iacr.org/2022/878) (Rosenberg et al., 2023) shares the Merkle-tree-as-issuance-list paradigm. Holders insert credentials into a public bulletin board and generate ZK proofs of possession. The approach works with existing identity documents without modification.

[zk-promises](https://eprint.iacr.org/2024/1260) (Shih et al., 2025) extends anonymous credentials with stateful callbacks: issuers can asynchronously update, suspend, or revoke credentials after issuance, enabling reputation systems and moderation for anonymous users. The design targets interactive platform use cases (downvotes, bans, reputation decay) rather than institutional identity attestation.

[OpenAC](https://eprint.iacr.org/2026/251) (EF/PSE) adds unlinkable presentations over existing verifiable credentials (SD-JWT, mDL) with transparent ZK proofs and no trusted setup, compatible with the EUDI Architecture Reference Framework. It assumes a cooperative issuer for credential issuance, which is the assumption this protocol is designed to remove.
[OpenAC](https://eprint.iacr.org/2026/251) (EF/PSE) adds unlinkable presentations over existing verifiable credentials (SD-JWT, mDL) with transparent ZK proofs and no trusted setup, compatible with the EUDI Architecture Reference Framework.

[PLUME](https://aayushg.com/thesis.pdf) (ERC-7524) generates deterministic nullifiers from existing ECDSA keys, allowing Ethereum address holders to prove membership and prevent double-actions without new key material. It reuses existing keys (no enrollment ceremony) but does not support attribute predicates or identity-layer sybil resistance.
[PLUME](https://aayushg.com/thesis.pdf) (ERC-7524) generates deterministic nullifiers from existing ECDSA keys, allowing Ethereum address holders to prove membership and prevent double-actions without new key material.

[TACEO](https://core.taceo.io/articles/taceo-oprf/) already runs a distributed threshold vOPRF in production using MPC across 13 globally distributed servers. Their roadmap explicitly targets preventing identity issuers from tracing on-chain usage by verified individuals. This is the same problem we are working on from the enrollment side, and their infrastructure is a natural deployment target for the vOPRF network this protocol requires.

Expand Down
14 changes: 7 additions & 7 deletions src/posts/2026-05-14-resilient-disbursement-rails.md
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ The protocol hides the path from funder to off-ramp deposit. At the off-ramp, th

We have run into versions of this in our own work. The [shielded pool](/building-private-transfers-on-ethereum/) and [plasma chain](/private-stablecoins-with-plasma/) we built both treat the depositor and the recipient as the privacy boundary. They make on-chain trace useless to a passive observer. They do not protect a recipient who has to walk to a licensed exchange, hand over a passport, and sell the asset for local currency. Every documented financial-surveillance prosecution pivoted on the KYC'd exchange account, the merchant identifier visible to a domestic bank, or the subpoenaed exchange record. Chain analytics on its own has not deanonymized a specific recipient in any case in the public record.

The constraint set is sharper when recipients live somewhere the authorities are hostile to the funder, the implementing partner, or the recipients themselves. Recipients in Yemen, Afghanistan, Syria, the Rohingya camps, or Russia under the FBK donor crackdown cannot be assumed to have a phone or an internet connection. Implementing partners (NGOs, money transfer operators) get breached, coerced, or inherited by successor regimes. The protocol assumes every party in the path between funder and recipient will eventually be compromised.
The constraint set is sharper when recipients live somewhere the authorities are hostile to the funder, the implementing partner, or the recipients themselves. Recipients cannot be assumed to have a phone or an internet connection. Implementing partners may get breached, coerced, or inherited by successor regimes. The protocol assumes every party in the path between funder and recipient will eventually be compromised.

The implementation is [open source](https://github.com/ethereum/iptf-pocs/tree/master/pocs/private-payment/resilient-disbursement-rails), with a detailed [specification](https://github.com/ethereum/iptf-pocs/blob/master/pocs/private-payment/resilient-disbursement-rails/SPEC.md).

Expand All @@ -35,11 +35,11 @@ The standard model for cross-border humanitarian disbursement is a layered chain

The state that lets the chain function under good conditions is exactly what makes it brittle under bad ones. Three failure modes recur in the public record.

**Implementing-partner databases get inherited.** Beneficiary registries from the [Rohingya enrollment program](https://www.hrw.org/news/2021/06/15/un-shared-rohingya-data-without-informed-consent), [Yemen's WFP SCOPE deployment](https://www.thenewhumanitarian.org/news/2019/06/17/un-yemen-rebels-aid-theft-biometrics), the [2021 Afghanistan transition](https://theintercept.com/2021/08/17/afghanistan-taliban-military-biometrics/), the [December 2024 Syria transition](https://www.hrw.org/news/2025/05/12/syria-new-government-restricts-aid-operations), [occupied territories in Ukraine after 2022](https://www.pbs.org/newshour/world/russia-imposes-its-passport-on-occupied-ukraine-coercing-hundreds-of-thousands-into-citizenship), and [Mosul under ISIS occupation between 2014 and 2017](https://www.nrc.no/news/2022/september/iraq-five-years-on-from-the-end-of-the-conflict-up-to-one-million-iraqis-lack-essential-identity-documents) have either been seized or shared with adversarial governments without consent. Compelled disclosure has driven most of the documented humanitarian-data prosecutions.
**Implementing-partner databases get inherited.** Beneficiary registries have either been seized or shared with adversarial governments without consent. Compelled disclosure has driven most of the documented humanitarian-data prosecutions.

**Off-ramps pivot KYC.** [Russia's FBK donor prosecutions](https://en.zona.media/article/2026/04/21/acf_donations) (more than 200 cases as of April 2026), the [Nobitex 2025 KYC dump](https://www.trmlabs.com/resources/blog/inside-the-nobitex-breach-what-the-leaked-source-code-reveals-about-irans-crypto-infrastructure), the [Israeli NBCTF seizure of 189 Binance accounts](https://www.timesofisrael.com/israel-seizes-189-crypto-accounts-linked-to-terror-groups-since-2021-report/), and the [260+ Chinese crypto enforcement cases](https://www.cnbc.com/2021/06/10/china-arrests-over-1100-suspects-for-crypto-related-money-laundering.html) (2021 MPS sweep) all combined on-chain trace with subpoenaed exchange records to identify specific individuals. Chain analytics on its own was insufficient. The KYC process in the exchange was the crucial input.
**Off-ramps pivot KYC.** Certain investigations combined on-chain trace with subpoenaed exchange records to identify specific individuals. Chain analytics on its own was insufficient. The KYC process in the exchange was the crucial input.

**Rails get frozen and civil identity gets weaponized.** Account freezes used as political instruments ([Nigeria EndSARS 2020](https://www.hrw.org/news/2020/11/13/nigeria-punitive-financial-moves-against-protesters) against named protest organisers, [Belarus 2021 to 2022](https://www.amnesty.org/en/latest/press-release/2021/07/belarus-sweeping-closure-of-dozens-of-ngos-as-the-crackdown-on-civil-society-continues/), [Turkey Bank Asya 2016](https://www.bloomberg.com/news/articles/2016-07-18/turkey-halts-gulen-linked-bank-asya-operations-after-failed-coup)) and rail de-risking ([Somali MTO 2013 to 2015](https://www.newstatesman.com/world/africa/2013/11/barclays-vs-dahabshiil-when-somali-money-transfer-company-takes-banking-giant), [Afghanistan Western Union and MoneyGram 2021](https://www.aljazeera.com/economy/2021/9/2/western-union-to-resume-money-transfer-services-to-afghanistan), [Muslim charity de-banking 2014 to 2022](https://www.middleeasteye.net/news/banking-services-withdrawn-4-10-uk-muslim-charities)) show that traditional rails fail under sustained political pressure. State civil-identity systems ([Xinjiang IJOP](https://www.hrw.org/report/2019/05/01/chinas-algorithms-repression/reverse-engineering-xinjiang-police-mass), [Turkey ByLock](https://www.statewatch.org/publications/reports-and-books/bylock-prosecutions-and-the-right-to-fair-trial-in-turkey-the-ecthr-grand-chamber-s-ruling-in-yuksel-yalcinkaya-v-turkiye/), [Pakistan NADRA](https://www.codastory.com/surveillance-and-control/pakistan-biometric-identification-nadra/)) collapse when the state is the adversary.
**Rails get frozen and civil identity gets weaponized.** Account freezes used as political instruments against named protest organisers, and rail de-risking show that traditional rails fail under sustained political pressure. State civil-identity systems collapse when the state is the adversary.

The recipient constraint set is the hardest part. Recipients hold tamper-resistant smartcards, cannot run zero-knowledge provers on-card, may have intermittent or no internet, and lose devices at meaningful rates.

Expand Down Expand Up @@ -138,15 +138,15 @@ A handful of smaller limitations are answered at the operational layer rather th

This builds on a few existing lines of work.

[Railgun](https://railgun.org/) with Private Proofs of Innocence is a production shielded-pool deployment on Ethereum mainnet, with the most developed answer to the off-ramp compliance question available today. This protocol's `IShieldedPool` interface is satisfiable by any Railgun-class deployment.
[Railgun](https://railgun.org/) with Private Proofs of Innocence is a production shielded-pool deployment on Ethereum mainnet. This protocol's `IShieldedPool` interface is satisfiable by any Railgun-class deployment.

[Privacy Pools](https://privacypools.com/) formalized the association-set model that bounds this PoC's pool-level k-anonymity argument. The reachable anonymity set at the off-ramp is the calling claim contract's sub-tree, which is exactly the association-set framing.

[Hinkal](https://hinkal.pro/) ships a programmable shielded-pool stack focused on access control and selective disclosure. It is complementary to the per-claim-contract sub-tree partition this protocol uses to bound the relay-side proving surface.

The stealth-address standards [ERC-5564](https://eips.ethereum.org/EIPS/eip-5564) (address generation) and [ERC-6538](https://eips.ethereum.org/EIPS/eip-6538) (stealth meta-address registry), with deployments at [Umbra](https://app.umbra.cash/) and [Fluidkey](https://fluidkey.com/), establish the recipient-derived-destination pattern. This protocol's stealth derivation runs on-card via HMAC over the master secret, not off-card from a published meta-address. The decision keeps the secret on the smartcard and trades a published-meta-address ergonomic for a tamper-resistance gain.

[Keycard](https://keycard.tech/) is the open-source secure-element wallet reference, running on EAL6+ chips. The `SIGN_VOUCHER` applet here targets a comparable JCOP-class envelope, with EAL4+ AVA_VAN.5 ([BSI-CC-PP-0084](https://www.bsi.bund.de/SharedDocs/Zertifikate_CC/PP/aktuell/PP_0084.html)) as the production-target floor. The [GridPlus Lattice1](https://gridplus.io/) is a comparable secure-element plus companion architecture, with the difference that the companion in this PoC never sees the master secret and only computes the off-card destination and nullifier.
[Keycard](https://keycard.tech/) is the open-source secure-element wallet reference for this prototype, running on EAL6+ chips. The `SIGN_VOUCHER` applet here targets a comparable JCOP-class envelope, with EAL4+ AVA_VAN.5 ([BSI-CC-PP-0084](https://www.bsi.bund.de/SharedDocs/Zertifikate_CC/PP/aktuell/PP_0084.html)) as the production-target floor. The [GridPlus Lattice1](https://gridplus.io/) is a comparable secure-element plus companion architecture.

[Briar](https://briarproject.org/) (Bluetooth LE plus Tor), [Meshtastic](https://meshtastic.org/) (LoRa), and [Reticulum](https://reticulum.network/) (LoRa, packet radio, and other transports) are the candidate `ISubmission` transports for offline voucher delivery from companion to relay. The PoC's port abstraction makes any conforming mesh transport interoperable.

Expand All @@ -156,7 +156,7 @@ The stealth-address standards [ERC-5564](https://eips.ethereum.org/EIPS/eip-5564

[Zerocash](https://eprint.iacr.org/2014/349) (Ben-Sasson et al., 2014) is the prior-art reference for commitment-nullifier shielded payments. This protocol's pool-withdraw circuit is a direct descendant of the Zerocash spend circuit, restricted to a per-claim-contract sub-tree and bound to a claim circuit via a shared nullifier.

[WFP SCOPE Cards](https://usermanual.scope.wfp.org/scope-cards/content/common_topics/introduction/1_introduction.htm), [WFP Building Blocks](https://innovation.wfp.org/project/building-blocks), and [GiveDirectly](https://www.givedirectly.org/) are the reference points for cash-and-voucher assistance at scale. SCOPE Cards is WFP's smartcard-based beneficiary identification and disbursement platform, backed by a centralized cloud registry; Building Blocks runs on a permissioned EVM-style chain and centralizes beneficiary records; GiveDirectly is the standard comparator for direct cash transfer. All three share the disbursement use case but our prototype targets off-ramp unlinkability & smartcard envelopes for adversarial-jurisdiction recipients.
There also exist multiple large-scale humanitarian cash-and-voucher programs that inspired part of this design.

## What comes next

Expand Down
Loading
Loading