# Anon Aadhaar nullifier

## Problem

We want to build a nullifier system for the Anon Aadhaar project. Let's think about the traditional solution for a nullifier. We have:

- nullifier = hash(user_sk, app_data)

In Anon Aadhaar, user_sk is the PDF data. However, we face a problem: the PDF data is issued by the government, which means **the government already knows the PDF data**. Since app_data is public, the government can very easily de-anonymize actions/transactions created by users (just check nullifier = hash(pdf, app_data) for each PDF).

## Solutions

### Secret app id and MPC

We denote:

- AppID_sk is secret data; only the app manager/deployer knows it.
- AppID_pk = hash(AppID_sk).
- nullifier = hash(AppID_sk, pdf_data)

MPC helps the app manager and the user compute the nullifier without either learning the other party's secret. More detail in the diagram below:

![](https://hackmd.io/_uploads/ByOEh-aMa.png)

De-anonymizing a nullifier requires 2 pieces of information, from the app manager and from the users. This model also ensures the app manager and the user are honest when computing the nullifier.

NOTES: This solution needs more effort to implement. MPC is not "dev friendly" right now.

### Secret app id and 2 rounds zkp

We define:

- Client: who holds the PDF card.
- Server: who generates the zk proof about the nullifier with the app secret.

The client computes a zkp over the RSA signature on the PDF, as we are doing now. They also compute external data called m = hash(hash(pdf)). The client sends the zkp p and m to the server. The server verifies the zk proof p with public data m. If it is valid, the server computes another zkp q, with nullifier = hash(m, AppID_sk). The zk proof q proves to the client that nullifier = hash(m, AppID_sk) and AppID_pk = hash(AppID_sk).

With this protocol the prover and verifier don't learn each other's secret information. The protocol is also easy to implement.

![](https://hackmd.io/_uploads/ry8QPjAGp.png)

#### version 2.

In the current version we can't link the Anon Aadhaar proof to the nullifier. I propose a new workflow to fix this. It is quite different from the idea above. In our protocol we have 2 parties: client and server.
Let's clarify how the client communicates with the server to create a nullifier. We have 2 rounds of zkp. In the first one, the client generates the aadhaar proof p and m = hash(hash(pdf_hash)). The client sends proof p and m to the server. The server picks a secret value sk. On the server side, we store one Merkle tree, RegisterAadhaar. RegisterAadhaar stores hash(m, sk) in the leaves of this tree. Every time a client requests a new nullifier, we insert the value hash(m, sk) into the RegisterAadhaar Merkle tree and send the sk value back to the client. With sk, the client can create the nullifier by themselves. They should prove they hold pdf_hash and sk:

- AnonAadhaar(pdf_hash) valid.
- hash(m, sk) is a leaf of RegisterAadhaar on the server.
- nullifier = hash(pdf_hash, sk)

Our protocol is still under development and we need to spend more time on research. If you have any questions or a better solution, please comment. Thank you <3!
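
The version 2 flow above, with the three relations of the client's second proof checked in the clear, as an added Python example (not the project's code). Assumptions: SHA-256 stands in for the circuit hash, verification of proof p is elided, the server keeps one sk, and `Server`, `register` and `client_nullifier` are hypothetical names.

```python
import hashlib
import secrets

def H(*parts: bytes) -> bytes:
    # SHA-256 over length-prefixed inputs; stand-in for the circuit hash (assumption)
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def merkle_path(leaves, index):
    """Return (root, sibling path) for leaves[index]; odd levels duplicate the last node."""
    level, path = list(leaves), []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        path.append(level[index ^ 1])
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], path

def verify_path(leaf, index, path, root):
    """Recompute the root from a leaf and its sibling path."""
    node = leaf
    for sibling in path:
        node = H(node, sibling) if index % 2 == 0 else H(sibling, node)
        index //= 2
    return node == root

class Server:
    """Holds sk and the registration tree (one sk per server is an assumption)."""
    def __init__(self):
        self.sk = secrets.token_bytes(32)
        self.leaves = []

    def register(self, m):
        # Round 1 (checking proof p is elided): insert hash(m, sk), hand sk back
        self.leaves.append(H(m, self.sk))
        index = len(self.leaves) - 1
        root, path = merkle_path(self.leaves, index)
        return self.sk, index, path, root

def client_nullifier(pdf_hash, sk, index, path, root):
    """Round 2: the relations the client's proof covers, evaluated without zk."""
    m = H(H(pdf_hash))
    if not verify_path(H(m, sk), index, path, root):
        return None  # hash(m, sk) is not a leaf of the server's tree
    return H(pdf_hash, sk)  # nullifier = hash(pdf_hash, sk)
```

The nullifier depends on sk, so a party that knows every pdf_hash but not sk cannot recompute it by enumeration, which is the property the Problem section asks for.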