Product Requirements Document

Executive Summary

The Hook

Over 17 billion personal records were compromised in 2023 alone. Current identity verification protocols (SAML, OAuth, OpenID Connect) require transmitting full identity attribute sets rather than selective proofs of individual claims. To confirm "Is this person a student?", systems expose names, birthdates, addresses, and more. ZeroVerify attacks the collection requirement itself.

The Problem

Current digital identity verification operates on a structural mismatch between what verifiers need and what protocols deliver. To confirm a single boolean claim, SAML, OAuth, OIDC return a full attribute assertion containing every identity field the institution has on record. No existing system integrates zero-knowledge proofs into standard OAuth 2.0 and OIDC flows such that a verifier can confirm a claim without receiving any personal attributes at all.

The Solution

ZeroVerify is a privacy-preserving identity verification layer that integrates with existing identity infrastructure. In the issuance phase, ZeroVerify federates with an institution's IdP via Keycloak, extracts verified attributes, and produces a BBS+ signed verifiable credential stored in the user's mobile wallet. In the verification phase, the wallet uses the stored credential to generate a zk-SNARK proof confirming a claim without encoding any attribute value. The verifier receives a single result: valid or invalid.

Product Definition

ZeroVerify is a privacy-centered verification platform that lets users confirm eligibility claims, like student status or age requirements, without exposing unnecessary personal information. After authentication through trusted Identity Providers, the platform issues signed credentials for local storage. When verification is requested, users generate mathematical proofs for specific proof types (circuits) and receive Accepted/Rejected results without disclosing full identity data.

Target Audience

Primary: Verifiers (merchants, websites, service providers)

Pain points:

  • Existing methods require collecting full identity attribute sets for simple claims
  • Storing identity data increases breach risk and compliance burden
  • Manual verification is slow and high-friction

Secondary: End users (students/individuals)

Pain points:

  • Forced to share more personal info than necessary
  • Limited control over data retention

Supporting: Institutions/IdPs (universities/enterprises)

Pain points:

  • Don't want to replace or rework existing SAML/OAuth/OIDC setups

Minimum Viable Product (MVP)

For the initial launch, ZeroVerify will support one end-to-end verification flow with at least one proof type (e.g., student status).

  • Issuance via existing IdP: User authenticates through Keycloak, and ZeroVerify issues a signed credential
  • Credential storage in user wallet: Credential delivered to user and stored locally
  • Verifier challenge + proof request: Verifier requests a supported proof type
  • User consent: User reviews request and approves/denies proof generation
  • Proof generation: User generates a proof for the requested proof type
  • Verification result: Verifier receives a clear valid/invalid result
  • Replay protection: Proof is bound to verifier challenge to prevent reuse
  • Revocation checking: Verification includes check against credential revocation status

Functional Requirements

Credential Issuance

  • User logs in using a trusted Identity Provider
  • User receives a digital credential in their wallet
  • User can view their credentials inside their wallet

User Generates ZK Proof

  • User receives a notification about a proof request
  • User views which type of proof the verifier requests
  • User can accept or decline the request
  • User generates a ZK proof that only reveals the requested attributes
  • User sends the proof back to the verifier

Proof Verification

  • Verifier submits the received proof for validation
  • Verifier receives confirmation if the proof is valid
  • Verifier sees if the credential is revoked or still active
  • Verifier decides to approve or deny based on the result

Security and Access Control

  • System protects credentials, proofs, and cryptographic keys in storage and transit
  • System ensures only authorized verifiers can request credentials and verify proofs
  • System detects and rejects tampered, invalid, or malformed proofs
  • System supports key management practices, including key rotation
  • System does not persist raw identity attributes—only a non-reversible cryptographic derivative

Non-Functional Requirements

Privacy

System does not persist raw identity attributes. Supports selective disclosure by revealing only attribute(s) required by the requested proof type.

Performance

ZK proofs generated in 1-5 seconds under normal load. Verifiers validate proofs quickly enough for real-time checkout flows.

Scalability

System supports growth in users, issuers, and verifiers without significant performance degradation.

Usability

Simple verification experience with 3 user actions or fewer and clear consent prompts. Straightforward integration for verifiers with clear documentation.

Reliability

System remains available during verification requests and handles transient failures gracefully. Fails safely when proof generation or verification cannot be completed.

Interoperability

Aligns with W3C verifiable credential standards. Supports common authentication systems (OAuth/SSO) and works across major browsers/devices.