This repository implements zero-knowledge proof circuits for the eIDAS (electronic IDentification, Authentication and trust Services), EUDI (European Digital Identity) and other digital identity ecosystems using Gnark, a Go-based zk-SNARKs framework, and Longfellow-ZK.
Why Gnark? We chose Gnark for rapid prototyping due to its developer-friendly API and readable codebase.
Why Longfellow-ZK? We chose Longfellow-ZK for its optimization for the established cryptographic suites and its superior performance for server-side proof generation with HSM-protected keys and for resource-constrained devices using standard cryptographic keys.
All reference implementations demonstrate core ZKP capabilities but are not production-optimized.
All the circuits presented in this repository are framework-agnostic and can be implemented in alternative ZKP systems like zkID/OpenAC and similar.
The main motivations for this work are:
- Complexity of credential management with salt-hash table-based selective disclosure. Achieving even the simplest form of unlinkability requires one-time credentials where batches must be managed by both the issuer and the wallet. This creates high operational complexity and tight coupling between issuers and wallets.
- Demonstrating infrastructure reusability. We aim to show that existing e-signing and e-sealing infrastructure, such as eIDAS (v1), can be reused as-is to introduce an efficient identity wallet framework, requiring only the addition of ZKP circuits.
With ZK circuits we can achieve different levels of linkability/pseudonymity/anonymity as described in PII linkability, pseudonymity, and anonymity.
Start exploring the circuits:
- All the circuits: circuits/
- Basic circuits: circuits/basic-circuits/
- Over18 circuit: circuits/temporal
- EUDI/eIDAS circuits: circuits/eudi-vc/
Command line tool and API services:
- ZKPI: a tool for easy ZKP creation and validation, and for testing revocation capabilities (mini CRL and domain-bound CRL).
Test the circuits built using Longfellow-ZK framework:
Other tools and libraries
- CRL Service: a demo implementation of a CRL service supporting mini CRL and Domain-Bound CRL.
- CAdES: core implementation of the CAdES-BES signer. A CAdES-BES signature is a CMS/PKCS#7 signature that includes the signer's certificate and additional signed attributes and is encoded using DER. It is the minimal profile for an advanced electronic signature under eIDAS.
- ASN.1 preview: a simple Go package for parsing and visualizing DER-encoded ASN.1 data structures with a clean tree-based output.
Technical documents
- Base64 comparison: describes how to perform a membership check without decoding a base64(url)-encoded payload. Useful when performing membership checks on JWS/JWT.
- DER encoding: contains notes on the DER encoding, structures, etc.
- Lexicographical comparison algorithm: defines an algorithm that compares strings lexicographically within a circuit.
- Presentation KB-JWT: profiles the verifiable presentation using the KB-JWT data model.
- Domain-bound CRL: Domain-Bound Certificate Revocation Lists (DB-CRL).
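The membership check on an undecoded base64(url) payload mentioned in the list above can be illustrated outside a circuit in plain Go. This is an added example, not code from this repository or its documents: it shows one general way to do such a check, and the names `lead`, `patterns` and `containsEncoded` as well as the sample claim are assumptions made for illustration.

```go
package main

import (
	"encoding/base64"
	"fmt"
)

// lead[r] is how many leading characters mix in the r bytes before needle;
// it is also the index (mod 4) at which the run for offset r must start.
var lead = [3]int{0, 2, 3}

// patterns returns, per offset r = 0, 1, 2 (mod 3) of needle in the decoded
// payload, the base64url characters that needle alone determines.
func patterns(needle []byte) (pats [3]string) {
	for r := range pats {
		buf := append(make([]byte, r), needle...) // r filler bytes, then needle
		enc := base64.RawURLEncoding.EncodeToString(buf)
		end := len(enc)
		if len(buf)%3 != 0 {
			end-- // last character also depends on the following byte
		}
		pats[r] = enc[lead[r]:end]
	}
	return pats
}

// containsEncoded reports whether needle can occur in the payload encoded as
// b64 (unpadded base64url, as in a JWS) without decoding b64. Boundary bits
// that share a character with neighbouring bytes are not checked.
func containsEncoded(b64 string, needle []byte) bool {
	if len(needle) < 2 {
		return false // too short: some offsets leave no determined character
	}
	for r, p := range patterns(needle) {
		for i := lead[r]; i+len(p) <= len(b64); i += 4 {
			if b64[i:i+len(p)] == p {
				return true
			}
		}
	}
	return false
}

func main() {
	payload := base64.RawURLEncoding.EncodeToString([]byte(`{"sub":"x","age_over_18":true}`)) // constructed sample
	fmt.Println(containsEncoded(payload, []byte(`"age_over_18":true`)))
}
```

Because the first and last bytes of the needle are only partly covered, include the delimiters around a claim (quotes, colon) in the needle so that the claim name and value themselves are fully compared.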
We've developed two fundamental circuit families relevant for verification in the eIDAS/EUDI context:
Location: circuits/verify-jws-cert/
Proves that a signed payload is valid without revealing the signature, public key, or the public key certificate, while proving that the certificate has been signed by a legitimate Certificate Authority.
What it verifies:
- Signature validity against a public key
- Public key belongs to a valid X.509 certificate
- Certificate is signed by a legitimate Certificate Authority (e.g., a Qualified Trust Service Provider)
Note: the circuits are being refactored.
Location: circuits/eudi-vc/
Enables privacy-preserving verification of EUDI Wallet credentials.
What it verifies:
- Credential was issued using a valid eIDAS e-seal
- Holder controls the holder-binding key
- Holder's key is certified by a legitimate CA/QTSP via X.509 certificate
Learn more about what these results enable
These circuits enable:
- Regulatory compliance: Meet eIDAS requirements while maximizing user privacy.
- Building a wallet framework on the existing eIDAS infrastructure with the highest assurance level, e.g., qualified e-seals for Verifiable Credentials and qualified e-signatures for proof of possession and cryptographic holder binding.
- Unlinkability: Prove credential validity across services without creating tracking vectors. It enables issuing one-time credentials and sharing them as many times as needed without the need for batch credential issuance or one-time credential issuance.
- Selective disclosure: Share specific attributes without revealing entire credentials.
- Define the circuit struct in circuits/; the definition must follow the pattern laid out in this simple circuit
- Add circuit info to the CircuitList
- Recompile:
zkpi compile -o ./setup --force
We welcome contributions! Here's how to get involved:
- Report issues: Open an issue for bugs or feature requests
- Submit changes: Create a pull request with your improvements
- Discuss ideas: Start a discussion before major architectural changes
Please ensure code follows existing patterns.
- gnark - Zero-knowledge proof framework
- Longfellow-ZK - Zero-knowledge proof framework
- Cobra - CLI framework
- Chi - HTTP router
The code of this project is licensed under the Apache 2.0 License.
The specification in this repository is licensed under CC BY-SA 4.0.