Vox
Vox is a private, secure and sybil-resistant petition platform. Citizens can fight the status quo without fear of repercussion. Each signature is sure to come from a unique citizen.
Bounties
- Web3Privacy Now, Best creation of a new Web3Privacy project: Vox is first and foremost a tool for Privacy, Freedom and Anti-Surveillance. Vox is in line with the mission to create privacy as a standard within web3 and the blockchain ecosystem. "vox populi vox Dei" - the voice of the people (is) the voice of God.
- zkPass, Create a Real-World Use Case Schema & Create a New Innovative Schema: Vox is competing for both these tracks, since its use of zkPass is truly differentiated, fitting a great use-case! Users are redirected to https://www.anagrafenazionale.interno.it/ where logins are only possible for verified Italian citizens. Our custom schema serves the dual purpose of -
- Sybil-resistance - each user of Vox is a unique Italian citizen.
- Additionally, user data is passed in the public field (hashed).
- Fhenix, Best use of Fhenix Stack: As a public platform that needs to manage highly sensitive personal data, Fhenix serves as an optimal solution for access control to encrypted, non-custodially stored data. Once the user is verified through zkPass, the zk-proof attestation is passed to our Fhenix contract, keeping the data encrypted and accessible only based on permissions.
- Laser Romae, Whistleblower Identity: Laser Romae made clear that they wanted a method for verifying a citizen's identity that provides provable personal data without storing or even having access to that data, in compliance with Italian law, rather than a whistleblowing app specifically. This is exactly what we developed. We intentionally separated the user verification functionality requested by Laser Romae from the petition creation and signing functionalities, which represent the consumer-facing use case of the app:
- The UI of the verify page is entirely different from the rest of the app.
- We split our onchain logic into two contracts, CoreId.sol and PetitionManager.sol.
- Farcaster: Petitions can be shared through Farcaster frames, redirecting users to Vox.
- Privy, Integration Wizard: The app's user and data journey intertwines many technologies in novel ways. The very first step, as always, is Privy's social login, which is paired to the citizen's identity data and then used from that point on as their identity verifier.
Non-Intrusive Identity Verification:
Let's begin by discussing how identity cards are handled for public online services in Italy. Our ID cards are issued in physical format but can also be paired with the Cied app, provided by the Italian authority. This app serves as a secure login method across various public services such as the registry and tax compliance institutes. Using the NFC chip embedded in the physical card, users can authenticate themselves safely. When accessing an online public service that requires authentication, the Cied app can scan a QR code to provide access. This system ensures secure authentication with multiple factors, minimizing risks in case of card theft.
However, how can we leverage this useful feature of an ID card in Web3? Typically, receiving a government-issued card involves an in-person KYC process. Can we apply this to blockchain technology now? Not directly. But we believe there is a way to retroactively reuse the KYC process performed when the identity card was issued, which allows user identity verification to be performed in a non-intrusive manner and provides an attestation linked to an Ethereum address. This would allow Italian users to selectively approve entities to access necessary information about themselves. These addresses serve a purpose beyond holding assets, focusing instead on producing signatures backed by the ID card for public services or affiliated third parties.
To achieve this, we've developed a schema using zkPass that intercepts the relevant data after a login to the public registry (anagrafe) service. This schema verifies the login method, accepting only logins via the Cied app to exclude simpler methods like username/password or SMS.
Once the login response is intercepted, the zkPass Transgate extension generates the zk proof and returns the information needed to create an attestation. This attestation is stored onchain. For the purposes of the hackathon, our app sponsors the transaction, as a legitimate entity could do. Various fields are returned after interception and are used later to verify that the attestation hasn't been tampered with during processing.
We chose to deploy on Fhenix due to its built-in access control features, which facilitate granting access securely. After minting an attestation, we inject the ciphertext of the necessary fields for verification. From this point on, a user can grant access to information by providing a signature required to access and decrypt the ciphertext. Since the zkPass attestation stores a hash of the public fields, which we hold as ciphertext on Fhenix, decryption allows us to verify the validity of these fields by comparing them with the previously stored hash.
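The hash comparison described above, sketched as an added example that is not Vox's or zkPass's own code. SHA-256, the length-prefixed encoding and the field names are assumptions, since the page does not state the hash algorithm or the schema's fields. It also shows why the encoding must preserve field boundaries.

```python
import hashlib
import hmac

# Assumption: SHA-256 over a length-prefixed encoding stands in for the
# attestation's public-fields hash; the page does not name the real algorithm.


def encode_fields(fields):
    """Encode fields unambiguously: sorted keys, each string length-prefixed."""
    out = bytearray()
    for key in sorted(fields):
        for part in (key, fields[key]):
            raw = part.encode("utf-8")
            out += len(raw).to_bytes(4, "big") + raw
    return bytes(out)


def fields_hash(fields):
    """Commitment recorded with the attestation when it is minted."""
    return hashlib.sha256(encode_fields(fields)).digest()


def naive_hash(fields):
    """Weak variant for comparison: plain concatenation loses field boundaries."""
    joined = "".join(fields[key] for key in sorted(fields))
    return hashlib.sha256(joined.encode("utf-8")).digest()


def verify_decrypted(decrypted, attested_hash):
    """True only if the decrypted fields reproduce the attested commitment."""
    return hmac.compare_digest(fields_hash(decrypted), attested_hash)


# Constructed sample values with hypothetical field names (not the Vox schema).
ORIGINAL = {"given_name": "Maria", "family_name": "Rossi", "login_method": "app"}
# One field changed after the attestation was created.
TAMPERED = dict(ORIGINAL, family_name="Bianchi")
# Same concatenated text as ORIGINAL, but split differently across fields.
SHIFTED = {"given_name": "Mari", "family_name": "Rossi", "login_method": "aapp"}

if __name__ == "__main__":
    attested = fields_hash(ORIGINAL)
    print("original verifies:", verify_decrypted(ORIGINAL, attested))
    print("tampered verifies:", verify_decrypted(TAMPERED, attested))
    print("naive hash collides:", naive_hash(ORIGINAL) == naive_hash(SHIFTED))
    print("shifted verifies:", verify_decrypted(SHIFTED, attested))
```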