Prove Your Health Status, Not Your Identity: Building ZK-VCR on Midnight

#devchallenge #midnightchallenge #web3 #blockchain

Midnight Network Challenge: Protect That Data

This is a submission for the Midnight Network "Privacy First" Challenge - Protect That Data prompt

What I Built

I built ZK-VCR (Verifiable Credential Oracle), a decentralized application that pioneers a new standard for privacy in on-chain transactions. It allows users to prove they meet specific health criteria (like having a low cardiovascular risk score) to a smart contract without ever revealing their underlying personal health information.

The project solves the "Leaky Bucket" problem of modern data privacy, where users are forced to hand over sensitive data to multiple services, risking exposure with every new interaction. ZK-VCR replaces this with an "Airlock" model, built on the philosophy of Privacy for the User, Transparency for the Algorithm, and Governance for the Source. A user's data never leaves their device; instead, a Zero-Knowledge proof is generated locally and sent to the chain for verification.

Demo

The complete source code and detailed documentation are available on GitHub:
Source Code & Complete Documentation

Here is a live recording of the ZK-VCR Command-Line Interface (CLI) in action, demonstrating the complete end-to-end flow from a clinic generating a credential to a user privately verifying it on-chain.

Watch the ZK-VCR Demo

How I Used Midnight's Technology

This project is built from the ground up using Midnight's core technology stack:

Compact Language: The entire on-chain logic, including the smart contract and all ZK circuits, is written in Compact. I used it to define the contract's state (like the owner and the trustedIssuers map) and to implement the complex, privacy-preserving logic inside the submitHealthProof circuit. Key features like persistentHash were used to create a ZK-friendly signature scheme.
MidnightJS SDK: The entire off-chain portion of the DApp—the user CLI, administrator panel, and issuer tool—is built in TypeScript and uses the MidnightJS SDK. This library was essential for all blockchain interactions, including:
- Deploying and finding contracts on the testnet.
- Managing wallets and private state.
- Constructing and submitting transactions to call the contract's circuits.
- Querying the public on-chain state to display it to the user.
Private Witnesses: The core of the DApp's privacy model relies on Compact's witness system. The user's sensitive VerifiableCredential and the administrator's ownerSecretKey are passed as private witnesses, meaning they are used in the ZK proof computation but never revealed on-chain.

Data Protection as a Core Feature

Data protection isn't just a feature of ZK-VCR; it is the central design principle.

The "Airlock" model ensures that the user's personal health information (PHI) never leaves their local machine. When a user wants to prove their eligibility for a service, the submitHealthProof ZK circuit is executed locally. The only artifact that is ever sent to the public blockchain is the anonymous ZK proof itself.

This proof mathematically demonstrates three things without revealing the underlying data:

The health data came from a trusted source (verified via a cryptographic signature).
The health data meets the publicly defined criteria (the "AI" model was run on it).
The proof is fresh and not being replayed (verified via a challenge-nonce).

The smart contract learns only a single binary fact: "An anonymous user has successfully proven they are low-risk." It learns nothing about their cholesterol, their blood pressure, or whether they smoke. This provides powerful, mathematically guaranteed privacy that is fundamentally superior to policy-based promises.