Verification & Testing

Testing Strategy

ZeroVerify's testing strategy encompasses both unit and integration testing to ensure the system meets all functional and non-functional requirements. Testing focuses on cryptographic correctness, privacy guarantees, and system reliability.

Unit Tests

Unit tests validate individual components in isolation:

Cryptographic Functions: Validate BBS+ signature generation and verification, zk-SNARK proof generation and verification
Credential Creation: Test credential schema compliance, attribute extraction from OAuth claims, credential signing and serialization
Proof Generation: Validate circuit execution, public/private input handling, proof serialization
Revocation Logic: Test bitstring updates, concurrent revocation handling, revocation status checks

Integration Tests

Integration tests validate end-to-end system flows:

Credential Issuance Flow

User authentication through OAuth/OIDC
Credential generation and BBS+ signing
Credential delivery to browser wallet
Prevention of duplicate credential issuance

Proof Generation and Verification

End-to-end proof generation from stored credential
Proof verification against issuer public key
Validation of selective disclosure (only requested attributes revealed)
Performance validation (proof generation <5s, verification <300ms)

Revocation Flow

Revocation request submission and processing
Bitstring update and propagation
Revoked credential rejection during verification
Concurrent revocation consistency

Replay Attack Prevention

Challenge nonce binding to proof
Nonce reuse detection and rejection
Session expiration handling

Success Metrics

Functional Requirements

100% of authenticated users receive credentials
Proof requests delivered to wallet within ≤2 seconds
Users see only requested attributes in consent screen
Proof generation time ≤3–5 seconds under normal load
Verifiers receive correct valid/invalid results
Revoked credentials are flagged during verification

Security

Credentials, proofs, and keys protected in storage and transit
Only authorized verifiers can request and verify proofs
Tampered, invalid, or malformed proofs are detected and rejected
Secure key management practices enforced (key rotation, least-privilege access)

Privacy

Raw personal identity data not stored centrally
Only requested attributes disclosed during proof generation
Minimal linkability across verification sessions

Performance

Zero-knowledge proofs generated in ≤3–5 seconds
Proof verification completes in ≤1–2 seconds for real-time flows

Usability

Users complete verification in ≤3 actions
Clear, user-friendly error messages displayed
Straightforward integration experience for verifiers

Validation Methods

Credential Issuance

Test with multiple IdPs and users. Inspect wallet contents for correct attributes, signatures, and metadata.

Proof Generation

End-to-end testing with sample credentials. Verify hidden attributes remain concealed. Measure generation time under normal load.

Proof Verification

Test verification with valid, revoked, and tampered proofs. Compare results against expected outcomes.

Security

Conduct penetration tests and security audits. Attempt unauthorized proof requests and tampering. Inspect encryption and key management implementation.

Performance

Load testing with multiple concurrent users. Measure proof generation and verification times under various load conditions.

Scalability

Simulate large-scale usage scenarios. Measure system latency and throughput under high load.

Test Cases

Happy Path

Request → Approve → Proof generated → Verify → Accepted

Failure Cases

Replay attempt: Reused proof rejected
Malformed input: Invalid proof structure detected
Invalid proof: Cryptographic verification fails
Revoked credential: Status check fails verification
Expired session: Challenge nonce expired

Edge Cases

OAuth IdP failure or timeout
Revocation list retrieval failure
Concurrent credential issuance attempts
Circuit breaker activation after repeated failures