1 of 11

DVR Client Roles

The DVR follows a robust trust model inspired by the W3C Decentralized Identifiers (DID) standards. Within the zkPass ecosystem, we define three client roles which participate in the zkPass ecosystem.

Depending on the application, the client of DVR can take one of these roles:

Data Issuer The entity responsible for issuing the original data that requires protection.
Data Holder (User) The individual whose confidential data is being protected.
Proof Verifier The service or application that sets the requirements or conditions on the user data. It verifies the zero-knowledge proof, which contains the result of the requirements.

This multi-faceted trust model allows the proper flow of data and communications among the DVR stakeholder clients and ensures that the user’s confidential information remains protected and secure.

Data Issuer

The Data Issuer only needs to follow this step for integration with the zkPass Service:

Providing REST API for user data retrieval

Sample Implementation

Sample codes for the Data Issuer implementation follow. Each step is explained in detail in the subsections. The code is also available on the zkpass-sdk repo, as shown here:

Providing User Data Retrieval API

Providing a REST API to retrieve the user data

The Data Issuer is required to expose a REST API that facilitates secure user data token retrieval. The API should be designed to authenticate the user robustly, ensuring that only the legitimate owner can access the data. The zkPass SDK does not dictate the precise authentication mechanisms, API semantics, or response formats, providing developers the flexibility to implement an approach best suited to their application's architecture.

The Data Issuer needs to make sure the user data is in JSON encoding. The DVR app architecture does not dictate the schema or structure of the user data, however, JSON encoding is required.

By conforming to these guidelines, Data Issuers contribute to the robustness and security of the DVR app infrastructure, ensuring an optimized and secure experience for all users involved.

zkPass-client Integration

Signing the User Data

As the authority provisioning sensitive user data, the Data Issuer plays a critical role in the DVR ecosystem. To ensure the authenticity of the user data, the Data Issuer must sign this sensitive information into a JWS (JSON Web Signature) token. The signing of the user data by the Data Issuer is illustrated by part of the DVR/zkPass call sequence, which is highlighted in red below:

The zkpass-client SDK library provides a specialized utility method for this purpose: sign_data_to_jws_token. How to digitally sign the user data using the zkpass-client SDK library is illustrated by the code snippet below.

//
// Step 1: Instantiate the zkpass_client object
//
let zkpass_client = ZkPassClient::new(
    "",
    ZkPassApiKey {
        api_key: "".to_string(),
        secret_api_key: "".to_string(),
    },
);

//
// Step 2: Call the zkpass_client.sign_data_to_jws_token.
//         This is to digitally-sign the user data.
//
let data_token = zkpass_client
    .sign_data_to_jws_token(ISSUER_PRIVKEY, json!(data), Some(ep))
    .unwrap();

Parameters passed to sign_data_to_jws_token:

ISSUER_PRIVKEY This is the signing private key owned by the Data Issuer.
json!(data) This is the user data in JSON encoding.
Some(ep) This is the Keyset Endpoint for the public key needed to verify the signed user data. If the Data Issuer does not implement the JWKS (JSON Web Key Set) endpoints, a None parameter can be passed here, meaning that the public key is distributed manually.

Data Holder

The Data Holder should follow four steps to integrate with zkPass:

Sample Implementation

Sample codes for the Data Holder implementation follow. Each step is explained in detail in the subsections. The code is also available on the zkpass-sdk repo, as shown here:

1. Retrieving the DVR

Retrieving the Data Verification Request (DVR) from the Proof Verifier

No integration with the zkpass-client SDK library is needed for this step.

The Data Holder first gets the DVR by calling the provided by the Proof Verifier.

Part of the zkPass call sequence diagram, which corresponds to the DVR retrieval step, is illustrated below.

2. Retrieving the User Data

Retrieving the User Data from the Data Issuer

No integration with the zkpass-client SDK library is needed for this step.

The User Data retrieves the user data that is needed by the DVR by calling the provided by the Data Issuer.

3. Generating the Proof

Calling zkPass Service's generate_zkpass_proof REST API to create the ZkPass Proof

To generate the ZkPass Proof, the Data Holder needs to use the zkpass-client SDK library. The following section illustrates how the coding is done.

zkPass-client Integration

The Data Holder generates the proof by using the zkpass-client SDK library, as shown here.

4. Verifying the Proof

Sending the ZkpassProof object to the Proof Verifier for verification

No integration with the zkpass-client SDK library is needed for this step.

Once the Data Holder receives the Zkpass Proof from the zkPass Service, it will pass it along to the Proof Verifier for verification. The Proof Verifier provides a REST API for this purpose.

Proof Verifier

The Proof Verifier should take these two steps for the integration with zkPass:

Sample Implementation

A sample implementation for a proof verifier is provided on the zkpass-sdk repo, as shown here:

1. Providing DVR Retrieval API

Providing a REST API to retrieve the DVR

The Proof Verifier must also define a mechanism through which users can retrieve the DVR token. The retrieval could be accomplished through various means, such as QR code scanning, a RESTful API, or other methods. zkPass SDK provides the flexibility to choose a retrieval mechanism most appropriate to the application's architectural design.

Signing the DVR data

The Proof Verifier is the entity responsible for defining the Data Verification Request (DVR) against which user data is verified. To accurately create DVR queries, the verifier must have an in-depth understanding of the user data format as provided by the Data Issuer. Utilizing zkPass Query Language, the verifier can reference specific fields within the user data using the notion of 'Variable'.

Upon receipt of a Zero-Knowledge Proof (ZKP) from the user, the verifier invokes zkPass.verifyProof function to authenticate the proof. A successful verification indicates that the user's data complies with all conditions stipulated in the DVR query.

The Proof Verifier is responsible for generating tokens for the DVR content. To achieve this, it must manage a public/private key pair specifically for digital signing. Additionally, the Proof Verifier should expose a standard JWKS (JSON Web Key Set) endpoint through a RESTful API for signature verification purposes. This endpoint serves as the source for obtaining the public key required to validate the DVR token's signature.

To facilitate the zkPass flow, the verifier must tokenize the DVR object into a JWT (JSON Web Token). In the inner token’s JWT header, the following parameters will be included by the verifier:

jku The URL where the public verification key can be retrieved.
kid The Key ID, is a unique identifier for the specific verification key in use.

zkpass-client Integration

In the implementation of the DVR retrieval codes, the Proof Verifier needs to digitally sign the DVR. This is done using the zkpass-client SDK library as illustrated here.

2. Providing Proof Verification API

Providing a REST API to verify ZkPass Proof

zkpass-client Integration

In the proof verification API implementation, the Proof Verifier needs to verify the received ZkPass Proof object by using the zkpass-client's verify_zkpass_proof method, as shown here.

Providing User Data Retrieval API

Providing a REST API to retrieve the user data

The Data Issuer needs to make sure the user data is in JSON encoding. The DVR app architecture does not dictate the schema or structure of the user data, however, JSON encoding is required.

By conforming to these guidelines, Data Issuers contribute to the robustness and security of the DVR app infrastructure, ensuring an optimized and secure experience for all users involved.

zkPass-client Integration

Signing the User Data

//
// Step 1: Instantiate the zkpass_client object
//
let zkpass_client = ZkPassClient::new(
    "",
    ZkPassApiKey {
        api_key: "".to_string(),
        secret_api_key: "".to_string(),
    },
);

//
// Step 2: Call the zkpass_client.sign_data_to_jws_token.
//         This is to digitally-sign the user data.
//
let data_token = zkpass_client
    .sign_data_to_jws_token(ISSUER_PRIVKEY, json!(data), Some(ep))
    .unwrap();

Parameters passed to sign_data_to_jws_token:

ISSUER_PRIVKEY This is the signing private key owned by the Data Issuer.
json!(data) This is the user data in JSON encoding.
Some(ep) This is the Keyset Endpoint for the public key needed to verify the signed user data. If the Data Issuer does not implement the JWKS (JSON Web Key Set) endpoints, a None parameter can be passed here, meaning that the public key is distributed manually.

1. Providing DVR Retrieval API

Providing a REST API to retrieve the DVR

Signing the DVR data

To facilitate the zkPass flow, the verifier must tokenize the DVR object into a JWT (JSON Web Token). In the inner token’s JWT header, the following parameters will be included by the verifier:

jku The URL where the public verification key can be retrieved.
kid The Key ID, is a unique identifier for the specific verification key in use.

zkpass-client Integration

In the implementation of the DVR retrieval codes, the Proof Verifier needs to digitally sign the DVR. This is done using the zkpass-client SDK library as illustrated here.

https://github.com/gl-zkPass/zkpass-sdk/blob/main/rust/zkpass-demo/src/data_holder.rs

use crate::constants;
use crate::data_issuer::DataIssuer;
use crate::proof_verifier::ProofVerifier;
use std::collections::HashMap;
use std::time::Instant;
use tracing::info;
use zkpass_client::core::OutputReader;
use zkpass_client::interface::{ZkPassApiKey, ZkPassClient, ZkPassProofGenerator};

pub struct DataHolder;

impl DataHolder {
    pub async fn start(&self, zkvm: &str, data_files: HashMap<String, String>, dvr_file: &str) {
        //
        //  Get the user data from the data issuer
        //
        let data_issuer = DataIssuer;
        let user_data_tokens = data_issuer.get_user_data_tokens(zkvm, data_files);
        let user_data_tags: Vec<&String> = user_data_tokens.keys().collect();

        //
        //  Get the dvr from the verifier
        //
        let proof_verifier = ProofVerifier;
        let dvr_token = proof_verifier.get_dvr_token(zkvm, dvr_file, user_data_tags);

        let zkpass_service_url = constants::ZKPASS_URL; // Use the ZKPASS_URL constant from the constants module
        info!("service_url={}", zkpass_service_url);
        println!("\n#### starting zkpass proof generation...");
        let start = Instant::now();

        //
        //  Data Holder's integration points with the zkpass-client SDK library
        //

        //
        // Step 1: Instantiate the zkpass_client object.
        //
        let api_key = String::from(constants::API_KEY);
        let secret_api_key = String::from(constants::SECRET_API_KEY);
        let zkpass_api_key = ZkPassApiKey {
            api_key,
            secret_api_key,
        };
        let zkpass_client = ZkPassClient::new(&zkpass_service_url, Some(zkpass_api_key), zkvm);

        //
        // Step 2: Call the zkpass_client.generate_zk_pass_proof
        //         to get the zkpass_proof_token.
        //
        let zkpass_proof_token = zkpass_client
            .generate_zkpass_proof(&user_data_tokens, &dvr_token)
            .await
            .unwrap();

        let duration = start.elapsed();
        println!("#### generation completed [time={:?}]", duration);

        //
        //  Step 3: Send the zkpass_proof_token to the Proof Verifier
        //          to get the proof verified and retrieve the query result.
        //
        let query_result = proof_verifier
            .verify_zkpass_proof(zkvm, zkpass_proof_token.as_str())
            .await;

        println!("json-result={}", OutputReader::pretty_print(&query_result));
        let output_reader = OutputReader::from_json(&query_result).unwrap();
        println!(">> output list:");
        for entry in output_reader.enumerate() {
            println!("key={}, value={:?}", entry.key, entry.val);
        }
        println!("<< end of list");

        let val = output_reader.find_bool("result").unwrap();
        println!("the query result is {}", val);
    }
}

https://github.com/gl-zkPass/zkpass-sdk/blob/main/rust/zkpass-demo/src/proof_verifier.rs

use crate::constants::{self, issuer_pubkey, verifier_pubkey, VERIFIER_PRIVKEY};
use lazy_static::lazy_static;
use serde_json::{json, Value};
use std::collections::HashMap;
use std::io::prelude::*;
use std::sync::Mutex;
use std::time::Instant;
use tracing::trace;
use uuid::Uuid;
use zkpass_client::core::{
    DataVerificationRequest, KeysetEndpoint, PublicKey, PublicKeyOption, ZkPassError,
};
use zkpass_client::interface::{
    ZkPassClient, ZkPassProofMetadataValidator, ZkPassProofVerifier, ZkPassUtility,
};
use zkpass_core::interface::UserDataRequest;

//
//  Global table to store the generated DVR values
//  The Verifier needs to keep track of all generated DVRs
//  so that it can verify the proof metadata
//  Note: The hash table entry should have time-expiration
//
lazy_static! {
    static ref DVR_TABLE: Mutex<HashMap<String, DataVerificationRequest>> = {
        let map = HashMap::new();
        Mutex::new(map)
    };
}
struct MyMetadataValidator;

impl MyMetadataValidator {
    fn get_expected_dvr_verifying_key(&self) -> PublicKey {
        let expected_dvr_verifying_key = verifier_pubkey();

        expected_dvr_verifying_key
    }

    fn get_expected_dvr(&self, dvr_id: &str) -> Result<DataVerificationRequest, ZkPassError> {
        //
        //  find the DVR in the table
        //
        let dvr: DataVerificationRequest;
        let mut hash_table = DVR_TABLE.lock().unwrap();
        let removed_item: Option<DataVerificationRequest> = hash_table.remove(dvr_id);
        match removed_item {
            Some(_dvr) => {
                println!("#### found dvr: id={}", _dvr.dvr_id);
                dvr = _dvr;
            }
            None => {
                println!("#### no dvr found for the id");
                return Err(ZkPassError::MismatchedDvrDigest);
            }
        }

        Ok(dvr)
    }
}

impl ZkPassProofMetadataValidator for MyMetadataValidator {
    fn validate(
        &self,
        dvr_id: &str,
    ) -> Result<(DataVerificationRequest, PublicKey, u64), ZkPassError> {
        let expected_ttl: u64 = 600;

        Ok((
            self.get_expected_dvr(dvr_id)?,
            self.get_expected_dvr_verifying_key(),
            expected_ttl,
        ))
    }
}

//
//  Simulating the Proof Verifier
//
pub struct ProofVerifier;

impl ProofVerifier {
    //
    //  Simulating the Proof Verifier's get_dvr_token REST API
    //
    pub fn get_dvr_token(
        &self,
        zkvm: &str,
        dvr_file: &str,
        user_data_tags: Vec<&String>,
    ) -> String {
        let mut query_content = std::fs::File::open(dvr_file).expect("Cannot find the dvr file");
        let mut query = String::new();
        query_content
            .read_to_string(&mut query)
            .expect("Should not have I/O errors");
        trace!("query={}", query);

        let kid = String::from("k-1");
        let jku = String::from(
            "https://raw.githubusercontent.com/gl-zkPass/zkpass-sdk/main/docs/zkpass/sample-jwks/verifier-key.json"
        );
        let _ep = KeysetEndpoint { jku, kid };

        let query: Value = serde_json::from_str(&query).unwrap();
        let user_data_requests = self.get_user_data_requests(user_data_tags);

        //
        //  Proof Verifier's integration points with the zkpass-client SDK library
        //  (for get_dvr_token REST API)
        //

        //
        //  Step 1: Instantiate the zkpass_client object.
        //
        let zkpass_client = ZkPassClient::new("", None, zkvm);

        //
        //  Step 2: Call zkpass_client.get_query_engine_version_info.
        //          The version info is needed for DVR object creation.
        //
        let query_engine_version_info = zkpass_client.get_query_engine_version_info().unwrap();

        //
        // Step 3: Create the DVR object.
        //
        let dvr = DataVerificationRequest {
            zkvm: String::from(zkvm),
            dvr_title: String::from("My DVR"),
            dvr_id: Uuid::new_v4().to_string(),
            query_engine_ver: query_engine_version_info.0,
            query_method_ver: query_engine_version_info.1,
            query: serde_json::to_string(&query).unwrap(),
            user_data_requests: user_data_requests,
            dvr_verifying_key: Some(PublicKeyOption::PublicKey(verifier_pubkey())),
        };

        //
        //  Step 4: Call zkpass_client.sign_data_to_jws_token.
        //          to digitally-sign the dvr data.
        //
        let dvr_token = zkpass_client
            .sign_data_to_jws_token(VERIFIER_PRIVKEY, json!(dvr), None)
            .unwrap();

        // save the dvr to a global hash table
        // this will be needed by the validator to check the proof metadata
        let mut dvr_table = DVR_TABLE.lock().unwrap();
        dvr_table.insert(dvr.dvr_id.clone(), dvr.clone());

        dvr_token
    }

    //
    //  Simulating the Proof Verifier's verify_zkpass_proof REST API
    //
    pub async fn verify_zkpass_proof(&self, zkvm: &str, zkpass_proof_token: &str) -> String {
        println!("\n#### starting zkpass proof verification...");
        let start = Instant::now();

        let proof_metadata_validator =
            Box::new(MyMetadataValidator) as Box<dyn ZkPassProofMetadataValidator>;

        //
        //  Proof Verifier's integration points with the zkpass-client SDK library
        //  (for verify_zkpass_proof REST API)
        //

        //
        // Step 1: Instantiate the zkpass_client object.
        //
        let zkpass_service_url = constants::ZKPASS_URL;
        let zkpass_client = ZkPassClient::new(&zkpass_service_url, None, zkvm);

        //
        // Step 2: Call zkpass_client.verify_zkpass_proof to verify the proof.
        //
        let (result, _zkpass_proof) = zkpass_client
            .verify_zkpass_proof(zkpass_proof_token, &proof_metadata_validator)
            .await
            .unwrap();

        let duration = start.elapsed();
        println!("#### verification completed [time={:?}]", duration);

        result
    }

    fn get_user_data_requests(
        &self,
        user_data_tags: Vec<&String>,
    ) -> HashMap<String, UserDataRequest> {
        let mut user_data_requests: HashMap<String, UserDataRequest> = HashMap::new();
        for tag in user_data_tags {
            let user_data_request = UserDataRequest {
                user_data_url: Some(String::from("https://hostname/api/user_data/")),
                user_data_verifying_key: PublicKeyOption::PublicKey(issuer_pubkey()),
            };
            user_data_requests.insert(tag.clone(), user_data_request);
        }

        user_data_requests
    }
}