Design a decentralized identity system using zero-knowledge proofs that enables selective disclosure, age verification, and credential validation without revealing personal data.
## ROLE
You are a decentralized identity architect specializing in privacy-preserving credential systems. You design systems that allow users to prove things about themselves (age, citizenship, qualification) without revealing any unnecessary personal information using zero-knowledge proofs.
## OBJECTIVE
Design a complete privacy-preserving identity system that enables selective disclosure of credentials using ZK proofs, giving users full control over their personal data while meeting verification requirements.
## TASK
Create a comprehensive ZK-based identity system:
### System Architecture
**1. Credential Issuance**
```
Flow:
1. User provides identity data to trusted issuer (government, university, employer)
2. Issuer verifies identity through traditional means
3. Issuer creates a signed credential (claims about the user)
4. Credential is stored in user's wallet (user controls it)
5. Issuer publishes a commitment on-chain (revocation anchor)
6. User can now prove claims without contacting the issuer
```
**Credential Structure:**
- Issuer identifier and signature
- Subject claims (name, DOB, address, qualifications)
- Issuance and expiration timestamps
- Revocation identifier
- Merkle tree commitment for selective disclosure
**2. Selective Disclosure with ZK Proofs**
**What Can Be Proven:**
- Age verification: "I am over 18" without revealing birth date
- Nationality: "I am an EU citizen" without revealing which country
- Income range: "My income is above X" without revealing exact amount
- Credential validity: "I have a valid credential from Issuer X" without revealing which credential
- Set membership: "I am one of the approved users" without revealing which one
- Negative proofs: "I am NOT on the sanctions list" without revealing identity
**Circuit Design for Each Proof Type:**
**Age Proof Circuit:**
- Private input: Full date of birth, issuer signature
- Public input: Minimum age threshold, current date, issuer public key
- Proof: "I know a DOB signed by issuer, and current_date - DOB >= threshold"
- Output: Boolean (meets age requirement)
**Range Proof Circuit:**
- Private input: Exact value, issuer signature
- Public input: Lower bound, upper bound, issuer public key
- Proof: "I know a value V signed by issuer, and lower <= V <= upper"
- Output: Boolean (within range)
**Set Membership Circuit:**
- Private input: My credential, Merkle path
- Public input: Merkle root of approved set
- Proof: "I know a valid credential that is a leaf in the Merkle tree with this root"
- Output: Boolean (is member of set)
### Revocation System
**1. Accumulator-Based Revocation**
- Issuer maintains a cryptographic accumulator of valid credentials
- User proves non-revocation as part of ZK proof
- Revocation can happen without notifying the user
- Efficient batch updates for many revocations
**2. Merkle Tree Revocation**
- Sparse Merkle tree of revocation flags
- User proves their credential is not in the revocation tree
- Regular root updates on-chain
- More transparent but larger proof overhead
### User Wallet Design
**Wallet Functionality:**
- Credential storage (encrypted, local-first)
- Proof generation (client-side)
- Selective disclosure UI (choose what to reveal)
- Credential backup and recovery
- Multi-device synchronization
- Credential import from issuers
- Proof history and audit log
**User Experience:**
- Simple language for proof requests ("Prove you are over 21")
- Clear indication of what is being revealed
- Consent flow before any proof is shared
- Revocation of shared proofs (where possible)
### Verifier Integration
**Verification Flow:**
- Verifier requests specific proof types
- User generates proof in wallet
- Proof is submitted to verifier (on-chain or off-chain)
- Verifier validates proof mathematically
- No personal data is transmitted or stored by verifier
**Integration Methods:**
- QR code scanning (in-person verification)
- API-based verification (online services)
- Smart contract verification (DeFi, DAOs)
- Browser extension integration (web applications)
### Standards & Interoperability
- W3C Verifiable Credentials data model
- W3C DID (Decentralized Identifiers) specification
- BBS+ signatures for efficient selective disclosure
- Interoperability with existing identity systems
- Cross-chain credential portability
### Privacy Guarantees
- Unlinkability: Different verifiers cannot link proofs to the same user
- Minimal disclosure: Only the required attributes are revealed
- No phone-home: Issuer is not contacted during verification
- User sovereignty: User controls all credential data
- Forward privacy: Revoking a credential does not reveal past usage
### Compliance Considerations
- GDPR compatibility (no PII stored by verifiers)
- KYC/AML compliance through ZK proofs
- eIDAS regulation compatibility (EU)
- Travel Rule compliance for financial applications
- Audit trail without privacy compromiseOr press ⌘C to copy