Introduction to zkIdentity
zkIdentity is Hadinet Africa's privacy-preserving identity verification platform. It enables individuals to prove their identity to decentralized applications and services without exposing sensitive personal data. By combining zero-knowledge cryptography with trusted execution environments, zkIdentity delivers verifiable KYC compliance while keeping users in full control of their information.
The Problem
Traditional identity verification in Web3 suffers from a fundamental tension. On one hand, regulatory frameworks such as AML and KYC laws require platforms to verify user identities. On the other hand, the ethos of decentralized systems demands user privacy and data sovereignty. Current approaches force users into an uncomfortable choice:
- Centralized KYC providers collect and store sensitive documents (passports, national IDs, selfies) in databases that become high-value targets for breaches.
- On-chain identity tokens risk exposing personal information on a public ledger, permanently associating real-world identities with wallet addresses.
- Repeated verification across platforms means users submit the same documents dozens of times, multiplying the surface area for data leaks.
For users in Africa, these problems are compounded by fragmented identity infrastructure, limited access to internationally recognized documents, and inconsistent coverage across KYC providers.
The Solution
zkIdentity resolves this tension by proving facts about identity without revealing the underlying data. A user can prove "I have been verified by a licensed KYC provider in Nigeria" without anyone -- including Hadinet -- ever seeing their passport photo or national ID number.
The system achieves this through four core components working together:
1. Multi-Provider KYC
zkIdentity integrates with multiple identity verification providers to maximize geographic coverage:
- Smile ID covers 12+ African countries with document and biometric verification.
- Plaid covers the United States, Canada, United Kingdom, and the European Union with financial identity verification.
Users choose the provider appropriate for their jurisdiction. The system is designed to accommodate additional providers as they become available.
2. TEE Attestor
The attestor service runs inside a Trusted Execution Environment (TEE). This is a hardware-isolated enclave where code executes in a tamper-proof context. Even the server operator cannot inspect data inside the TEE. The attestor orchestrates the entire verification flow: it communicates with KYC providers, generates zero-knowledge proofs, encrypts documents, and submits attestations to the blockchain.
3. Zero-Knowledge Proofs
Using Reclaim Protocol's zkFetch, the attestor establishes a TLS tunnel to KYC provider APIs and generates cryptographic proofs of the provider's response. Each verification request produces 14 ZK proofs that collectively prove the user passed KYC without revealing what documents they submitted or what data the provider returned. These proofs are verifiable by anyone but reveal nothing about the underlying personal information.
4. Decentralized Identity (DID)
Each user's identity is anchored to a did:key identifier derived deterministically from their wallet's secp256k1 public key. There is no registration step and no central identity registry. The DID is computed, not assigned, meaning it exists the moment a user connects their wallet.
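The derivation described above can be sketched as follows. This is an added example, not zkIdentity's own code: it assumes the standard did:key encoding (multicodec code 0xe7 for secp256k1-pub, multibase base58btc), which this page does not spell out, and the function names and sample key are constructed for illustration.

```javascript
const B58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
const SECP256K1_PUB = [0xe7, 0x01]; // assumed: multicodec 0xe7 as an unsigned varint

// Constructed sample: the curve generator point (public key of private key 1).
const SAMPLE_X = '79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798';
const SAMPLE_Y = '483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8';
const fromHex = (h) => Uint8Array.from(h.match(/../g), (b) => parseInt(b, 16));

function base58btc(bytes) {
  let n = 0n;
  for (const b of bytes) n = (n << 8n) | BigInt(b);
  let out = '';
  for (; n > 0n; n /= 58n) out = B58[Number(n % 58n)] + out;
  for (const b of bytes) { if (b !== 0) break; out = '1' + out; }
  return out;
}

// Wallets may hand back the 65-byte uncompressed form; normalise to 33 bytes
// so one key always maps to one DID. Curve membership is not checked here.
function compress(pub) {
  if (pub.length === 33 && (pub[0] === 2 || pub[0] === 3)) return pub;
  if (pub.length !== 65 || pub[0] !== 4) throw new Error('bad SEC1 public key');
  const out = new Uint8Array(33);
  out[0] = 2 + (pub[64] & 1); // parity of y selects 0x02 or 0x03
  out.set(pub.subarray(1, 33), 1);
  return out;
}

function didKeyFromPublicKey(pub) {
  const payload = Uint8Array.from([...SECP256K1_PUB, ...compress(pub)]);
  return 'did:key:z' + base58btc(payload); // 'z' = multibase base58btc
}

// Verifier side: recover the key and reject any other key type.
function publicKeyFromDidKey(did) {
  const m = /^did:key:z([1-9A-HJ-NP-Za-km-z]+)$/.exec(did);
  if (!m) throw new Error('not a base58btc did:key');
  let n = 0n;
  for (const c of m[1]) n = n * 58n + BigInt(B58.indexOf(c));
  const hex = n.toString(16);
  const bytes = fromHex(hex.length % 2 ? '0' + hex : hex);
  if (bytes.length !== 35 || bytes[0] !== 0xe7 || bytes[1] !== 0x01) {
    throw new Error('not a secp256k1 did:key');
  }
  return bytes.subarray(2);
}

console.log(didKeyFromPublicKey(fromHex('02' + SAMPLE_X)));
```

Normalising to the compressed encoding before hashing or encoding is what keeps the identifier deterministic: the same wallet key supplied in either SEC1 form yields the same DID.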
How It Works at a High Level
- A user connects their wallet and selects a KYC provider.
- The TEE attestor creates a verification session with the chosen provider.
- The user completes the provider's verification flow (document upload, biometric check, etc.).
- The provider notifies the attestor of the result via webhook.
- The attestor uses zkFetch to cryptographically prove the provider's response, generating 14 ZK proofs.
- Non-PII metadata (verification status, provider name, country, timestamp) is submitted to a Cartesi rollup on Arbitrum.
- Encrypted document references are stored on IPFS via Pinata, accessible only to the user.
- The user's DID is now associated with a verified attestation on-chain.
From the user's perspective, the experience is straightforward: connect wallet, verify with a provider, receive a verified status. The cryptographic machinery operates behind the scenes.
What Gets Stored
zkIdentity is designed around a strict principle: no personally identifiable information (PII) ever touches the blockchain.
| Layer | What is stored | Access |
|---|---|---|
| Cartesi Rollup | Verification status, provider name, country code, timestamp, proof hashes | Public (non-PII only) |
| IPFS (Pinata) | AES-256-GCM encrypted document references | User-only (encryption key derived from wallet) |
| KYC Provider | Original documents and biometric data | Provider's retention policy |
| Blockchain (Arbitrum) | Rollup state commitments | Public |
Key Properties
- Privacy-preserving: Zero-knowledge proofs ensure no PII is leaked during or after verification.
- Self-sovereign: Users own their identity through their wallet. No central authority can revoke or modify it.
- Verifiable: Anyone can verify a user's KYC status by checking the on-chain attestation and validating the ZK proofs.
- Multi-jurisdictional: Provider integrations span Africa, North America, and Europe.
- Deterministic identity: The DID is derived from the wallet key -- no registration, no databases, no single points of failure.
Next Steps
- Architecture Overview -- Understand the full system architecture and data flow.
- Verification Flow -- Walk through the 10-step verification process in detail.
- ZK Proof System -- Deep dive into how zero-knowledge proofs are generated and verified.
- Deployment Prerequisites -- Get started with deploying your own zkIdentity instance.