This is a submission for the Midnight Network "Privacy First" Challenge - Protect That Data prompt
What I Built
I built ZK-VCR (Verifiable Credential Oracle), a decentralized application that pioneers a new standard for privacy in on-chain transactions. It allows users to prove they meet specific health criteria (like having a low cardiovascular risk score) to a smart contract without ever revealing their underlying personal health information.
The project solves the "Leaky Bucket" problem of modern data privacy, where users are forced to hand over sensitive data to multiple services, risking exposure with every new interaction. ZK-VCR replaces this with an "Airlock" model, built on the philosophy of Privacy for the User, Transparency for the Algorithm, and Governance for the Source. A user's data never leaves their device; instead, a Zero-Knowledge proof is generated locally and sent to the chain for verification.
Demo
The complete source code and detailed documentation are available on GitHub:
Source Code & Complete Documentation
Here is a live recording of the ZK-VCR Command-Line Interface (CLI) in action, demonstrating the complete end-to-end flow from a clinic generating a credential to a user privately verifying it on-chain.
How I Used Midnight's Technology
This project is built from the ground up using Midnight's core technology stack:
Compact Language: The entire on-chain logic, including the smart contract and all ZK circuits, is written in Compact. I used it to define the contract's state (like the owner and the trustedIssuers map) and to implement the complex, privacy-preserving logic inside the submitHealthProof circuit. Key features like persistentHash were used to create a ZK-friendly signature scheme.
MidnightJS SDK: The entire off-chain portion of the DApp (the user CLI, administrator panel, and issuer tool) is built in TypeScript and uses the MidnightJS SDK. This library was essential for all blockchain interactions, including:
- Deploying and finding contracts on the testnet.
- Managing wallets and private state.
- Constructing and submitting transactions to call the contract's circuits.
- Querying the public on-chain state to display it to the user.
Private Witnesses: The core of the DApp's privacy model relies on Compact's witness system. The user's sensitive VerifiableCredential and the administrator's ownerSecretKey are passed as private witnesses, meaning they are used in the ZK proof computation but never revealed on-chain.
Data Protection as a Core Feature
Data protection isn't just a feature of ZK-VCR; it is the central design principle.
The "Airlock" model ensures that the user's personal health information (PHI) never leaves their local machine. When a user wants to prove their eligibility for a service, the submitHealthProof ZK circuit is executed locally. The only artifact that is ever sent to the public blockchain is the anonymous ZK proof itself.
This proof mathematically demonstrates three things without revealing the underlying data:
- The health data came from a trusted source (verified via a cryptographic signature).
- The health data meets the publicly defined criteria (the "AI" model was run on it).
- The proof is fresh and not being replayed (verified via a challenge-nonce).
The smart contract learns only a single binary fact: "An anonymous user has successfully proven they are low-risk." It learns nothing about their cholesterol, their blood pressure, or whether they smoke. This provides powerful, mathematically guaranteed privacy that is fundamentally superior to policy-based promises.
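As an added illustration (not code from the ZK-VCR repository), the three checks above can be written out in the clear as the statement the proof attests to. Ed25519 from Node's crypto module stands in for the project's persistentHash-based signature scheme, and the credential fields, thresholds, issuer id and nonce set are assumptions.

```typescript
import { generateKeyPairSync, sign, verify, randomBytes, KeyObject } from "node:crypto";

// Private witness: stays on the user's machine. Field names are assumed.
interface Credential { cholesterol: number; systolicBP: number; smoker: boolean; }
interface Witness { cred: Credential; issuerId: string; sig: Buffer; }

// Public state. trustedIssuers is named on the page; its shape and the
// nonce set are assumptions of this example.
const trustedIssuers = new Map<string, KeyObject>();
const openNonces = new Set<string>();

const encode = (c: Credential): Buffer =>
  Buffer.from(JSON.stringify([c.cholesterol, c.systolicBP, c.smoker]));

// Assumed stand-in for the publicly defined criteria (constructed thresholds).
const lowRisk = (c: Credential): boolean =>
  c.cholesterol < 200 && c.systolicBP < 130 && !c.smoker;

function issueChallenge(): string {
  const nonce = randomBytes(16).toString("hex");
  openNonces.add(nonce);
  return nonce;
}

// The statement being proven, evaluated in the clear. Only one bit comes out.
function checkStatement(w: Witness, nonce: string): boolean {
  const pk = trustedIssuers.get(w.issuerId);
  if (!pk || !verify(null, encode(w.cred), pk, w.sig)) return false; // 1. trusted source
  if (!lowRisk(w.cred)) return false;                                // 2. criteria met
  return openNonces.delete(nonce);                                   // 3. fresh, single-use nonce
}

// Constructed sample run: tampered credential, honest proof, then a replay.
function demo(): boolean[] {
  const clinic = generateKeyPairSync("ed25519");
  trustedIssuers.set("clinic-1", clinic.publicKey);
  const cred: Credential = { cholesterol: 180, systolicBP: 118, smoker: false };
  const w: Witness = { cred, issuerId: "clinic-1", sig: sign(null, encode(cred), clinic.privateKey) };
  const nonce = issueChallenge();
  const tampered: Witness = { ...w, cred: { ...cred, cholesterol: 170 } };
  return [
    checkStatement(tampered, nonce), // false: signature does not cover the edited value
    checkStatement(w, nonce),        // true: all three checks pass
    checkStatement(w, nonce),        // false: nonce already spent
  ];
}

console.log(demo());
```

In the real DApp the credential and signature are private witnesses and only the proof reaches the chain; here everything is visible so the order and effect of each check can be followed.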
Set Up Instructions / Tutorial
The following is a complete, step-by-step guide to setting up the development environment and running the full ZK-VCR demo.
View the Full Tutorial on GitHub
Submission by: @sarthak_bhardwaj_05aba55d