CornHub

CornHub is an age-gated website for corn connoisseurs. Age verification via passport scan and the use of zero-knowledge proofs ensures access for adults only without compromising privacy.

The problem CornHub solves

Online identity verification is stuck in an unpleasant status quo of ad hoc ID verifications, spreading this valuable information across a plethora of servers that, while supposedly secure, considerably increase the attack surface and the chances of sensitive information being retrieved. ID data is particularly sensitive: an attacker could use it to impersonate you and act on your behalf, potentially leading to undesirable consequences. This is especially true now that the latest advances in artificial intelligence make it easier to forge documents through AI-generated passports or ID cards.

But there is a better way: leveraging the chip in electronic IDs together with zero-knowledge proofs. On their own, the chips provide a much greater guarantee about the authenticity and validity of the document than verifying a photo or video of it. Present in most passports and some ID cards, they contain static signatures over their data, generated by a private key known only to the issuing State. Verifying them against the State's public key (generally available) gives us the guarantee we need that the document is valid (as long as we trust the issuing State). Because the chip is based on an international standard, it is also easier to build on top of it.

This is a great guarantee, but if you end up just reading these signatures along with the rest of the data on the chip and sending it all to a server to be checked and stored there, then we are back to a similar status quo. This is where zero knowledge comes into the picture, with a simple paradigm: verify these signatures in a ZK circuit against the State's public key to attest to the authenticity and validity of the document while keeping its information unknown to the verifier. Then expose only what you want while still providing a great level of guarantee.

Here with CornHub, the rationale is even clearer: the only information anyone should get on such a website is whether you are at least 18 years old and that's it, nothing more.

Challenges we ran into

Generating the proof on mobile with Noir and its default backend Barretenberg is quite challenging at the moment. The main bottleneck is memory consumption, since a phone has a limited amount of RAM available and generally allocates even less to each app, limiting the size of the circuit we can prove on mobile. As such, for the purpose of this hackathon we have limited our proof to checking strictly for age (based on the MRZ of the ID, available in Data Group 1). Other parts of the circuits we had built before, which verify the (RSA) signatures, the integrity of the data of the ID (by hashing the data and comparing it to the final message signed), and others, were excluded to generate a simple proof able to showcase the use case of CornHub.

Also, as of today, we are only able to generate proofs on mobile with Noir 0.19.4, while the latest version is 0.29. While we may be getting close to making it work with a more recent version of Noir, we couldn't make it for the hackathon. The main issue is that with version 0.19.4 of Noir, the comparison of numbers, used to compare dates, yielded wrong results; this was fixed by Aztec in version 0.22.
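The age check described above (date of birth taken from the MRZ in Data Group 1 and compared as a number), written out in plain Python as an added example; it is not the project's Noir circuit. It assumes the TD3 (passport) MRZ layout, uses the public ICAO 9303 specimen as sample data, and the function names and the century rule for the two-digit year are choices made for this sketch. It checks only the date-of-birth check digit, not the chip's signature.

```python
from datetime import date

WEIGHTS = (7, 3, 1)  # ICAO 9303 check-digit weights, repeated over the field

def char_value(c):
    """Numeric value of an MRZ character: digits as-is, A-Z -> 10..35, '<' -> 0."""
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character {c!r}")

def check_digit(field):
    """Weighted sum of the field's character values, modulo 10."""
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10

def birth_date_int(line2, today):
    """Return the date of birth from a TD3 MRZ line 2 as the integer YYYYMMDD."""
    if len(line2) != 44:
        raise ValueError("TD3 MRZ line 2 must be 44 characters")
    dob, cd = line2[13:19], line2[19]  # YYMMDD and its check digit
    if not dob.isdigit():  # '<' fillers mean an unknown or partial date
        raise ValueError("date of birth is not fully specified")
    if not cd.isdigit() or check_digit(dob) != int(cd):
        raise ValueError("date of birth check digit mismatch")
    today_int = today.year * 10000 + today.month * 100 + today.day
    # The MRZ has a two-digit year: assume the current century unless that
    # would put the birth date in the future (assumption of this sketch).
    candidate = (today.year // 100 * 100 + int(dob[:2])) * 10000 + int(dob[2:])
    return candidate if candidate <= today_int else candidate - 100 * 10000

def is_adult(line2, today, min_age=18):
    """Compare two YYYYMMDD integers: born on or before today minus min_age years."""
    threshold = (today.year - min_age) * 10000 + today.month * 100 + today.day
    return birth_date_int(line2, today) <= threshold

# Line 2 of the ICAO 9303 specimen passport MRZ (public sample data).
SPECIMEN = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
TODAY = date(2024, 6, 1)  # constructed reference date

if __name__ == "__main__":
    print(birth_date_int(SPECIMEN, TODAY), is_adult(SPECIMEN, TODAY))
```

Because the threshold is an integer rather than a calendar date, the comparison stays well defined on 29 February. A holder aged 100 or more is resolved to the current century and rejected, so the century rule fails closed.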

We couldn't deploy the Solidity verifier for our circuit to zkSync Sepolia, whether with Foundry, Hardhat (and the special zkSync plugin) or Remix. More precisely, the compilation with the configurations for zkSync failed, as some operations done in the verifier seem not to be supported by zkSync, which is not exactly 100% EVM compatible. Therefore, we limited our deployment of the smart contract verifier to Ethereum Sepolia.

Note: some tools used in this project had already been built before, such as the iOS mobile app, the circuits to generate the proof, and part of the server. During this hackathon, we built the front-end, completed the server by making it support actual proofs, integrated the circuit in the mobile app and connected it to the server to make the whole user flow work seamlessly.

Tracks Applied (8)

Global Bounty

Our project makes it possible to make privacy preserving identity verification, here more specifically age verification ...

Aleph Zero

Product Path

Our project makes it possible to make privacy preserving identity verification, here more specifically age verification ...

Aleph Zero

Best overall project using Hylé for settlement

We can act as an identity provider to Hylé by providing zero knowledge proofs of identity derived from electronic govern...

Hylé

Best identity provider

We can act as an identity provider to Hylé by providing zero knowledge proofs of identity derived from electronic govern...

Hylé

Best cryptography for society

Our project makes it possible to make privacy preserving identity verification, here more specifically age verification ...

Nethermind Research

Best ZK Application deployed on zkSync

Our project makes it possible to make privacy preserving identity verification, here more specifically age verification ...

zkSync

KYC & Proof of activity transfer

In this project we showcase how to do age verification in a privacy preserving way with a high guarantee from electronic...

zkLighter

Prizes for Finalists, Hackers' Choice & Chewing Glass

Together we can protect our children from overly buttery content while keeping everyone's habits and desires private.
