Product Requirements Document

Executive Summary

The Hook

Over 17 billion personal records were compromised in 2023 alone. Current identity verification protocols (SAML, OAuth, OpenID Connect) require transmitting full identity attribute sets rather than selective proofs of individual claims. To confirm "Is this person a student?", systems expose names, birthdates, addresses, and more. ZeroVerify attacks the collection requirement itself.

The Problem

Current digital identity verification operates on a structural mismatch between what verifiers need and what protocols deliver. To confirm a single boolean claim, SAML, OAuth, OIDC return a full attribute assertion containing every identity field the institution has on record. No existing system integrates zero-knowledge proofs into standard OAuth 2.0 and OIDC flows such that a verifier can confirm a claim without receiving any personal attributes at all.

The Solution

ZeroVerify is a privacy-preserving identity verification layer that integrates with existing identity infrastructure. In the issuance phase, ZeroVerify federates with an institution's IdP via Keycloak, extracts verified attributes, and produces a BBS+ signed verifiable credential stored in the user's mobile wallet. In the verification phase, the wallet uses the stored credential to generate a zk-SNARK proof confirming a claim without encoding any attribute value. The verifier receives a single result: valid or invalid.

Product Definition

ZeroVerify is a privacy-centered verification platform that lets users confirm eligibility claims, like student status or age requirements, without exposing unnecessary personal information. After authentication through trusted Identity Providers, the platform issues signed credentials for local storage. When verification is requested, users generate mathematical proofs for specific proof types (circuits) and receive Accepted/Rejected results without disclosing full identity data.

Target Audience

Primary: Verifiers (merchants, websites, service providers)

Pain points:

Existing methods require collecting full identity attribute sets for simple claims
Storing identity data increases breach risk and compliance burden
Manual verification is slow and high-friction

Secondary: End users (students/individuals)

Pain points:

Forced to share more personal info than necessary
Limited control over data retention

Supporting: Institutions/IdPs (universities/enterprises)

Pain points:

Don't want to replace or rework existing SAML/OAuth/OIDC setups

Minimum Viable Product (MVP)

For the initial launch, ZeroVerify will support one end-to-end verification flow with at least one proof type (e.g., student status).

Issuance via existing IdP: User authenticates through Keycloak, and ZeroVerify issues a signed credential
Credential storage in user wallet: Credential delivered to user and stored locally
Verifier challenge + proof request: Verifier requests a supported proof type
User consent: User reviews request and approves/denies proof generation
Proof generation: User generates a proof for the requested proof type
Verification result: Verifier receives a clear valid/invalid result
Replay protection: Proof is bound to verifier challenge to prevent reuse
Revocation checking: Verification includes check against credential revocation status

Functional Requirements

Credential Issuance

User logs in using a trusted Identity Provider
User receives a digital credential in their wallet
User can view their credentials inside their wallet

User Generates ZK Proof

User receives a notification about a proof request
User views which type of proof the verifier requests
User can accept or decline the request
User generates a ZK proof that only reveals the requested attributes
User sends the proof back to the verifier

Proof Verification

Verifier submits the received proof for validation
Verifier receives confirmation if the proof is valid
Verifier sees if the credential is revoked or still active
Verifier decides to approve or deny based on the result

Security and Access Control

System protects credentials, proofs, and cryptographic keys in storage and transit
System ensures only authorized verifiers can request credentials and verify proofs
System detects and rejects tampered, invalid, or malformed proofs
System supports key management practices, including key rotation
System does not persist raw identity attributes—only a non-reversible cryptographic derivative

Non-Functional Requirements

Privacy

System does not persist raw identity attributes. Supports selective disclosure by revealing only attribute(s) required by the requested proof type.

Performance

ZK proofs generated in 1-5 seconds under normal load. Verifiers validate proofs quickly enough for real-time checkout flows.

Scalability

System supports growth in users, issuers, and verifiers without significant performance degradation.

Usability

Simple verification experience with 3 user actions or fewer and clear consent prompts. Straightforward integration for verifiers with clear documentation.

Reliability

System remains available during verification requests and handles transient failures gracefully. Fails safely when proof generation or verification cannot be completed.

Interoperability

Aligns with W3C verifiable credential standards. Supports common authentication systems (OAuth/SSO) and works across major browsers/devices.