• add support for issuing different claims
• make the holder select the right claim based on the QR query
• Make the verifier, via different QR codes, be able to prompt for different claim proofs

Hi Kaleido-iden3 team members:
we have several questions when executing the demo in https://github.com/iden3/snarkjs

1. Should the entropy and the hashes be kept during the ceremony contribution part? What are these hashes meaning (contribution response hash/ next challenge hashes)?
2. What's the purpose of applying random beacon?
3. In kaleido-iden3 repo, how is the circuit_final.zkey file generated? which role is responsible for the generation of circuit_final.zkey file?
4. How does the witness.wtns generated based on circom by the prover?
5. How would verifier believe according to the public.json and proof.json generated by prover?

In identity/internal/claim.go, I changed the birthday to not satisfy the challenge of being prior to 2000-01-01: birthDay := big.NewInt(20050704), then went through the normal flow of:

• create the JohnDoe and AliceWonder IDs (make clean identities with PR #11)
• publish JohnDoe's ID state on-chain (deploying State contract first if needed)
• issue the claim (make issue-claim)
• publish it
• receive and respond to the challenge QR code as AliceWonder (make receive-claim respond-to-challenge).
• generate the proof as AliceWonder

For the last step, generating the proof (in holder/wallet with command node index.js --holder AliceWonder --qrcode ~/Downloads/challenge-qr.png), it fails with:

...
After adding signal 0 of timestamp
Assert Failed.
Error in template CredentialAtomicQuerySig_350 line: 216

It's expected that the proof cannot be satisfied, but this is an unexpected error message which suggests a programming error.
Is there any way to distinguish between the proof not being satisfied vs. "the inputs are bad" to provide a clearer error message?

Hello @jimthematrix, @Chengxuan!

You have a following note in the Readme file:

Note that the state published to the smart contract is the hash of the latest Merkle trees: hash(claims_root, revocation_root, roots_root). This means that care should be taken when designing the claim schemas. No PII should be part of the claim because a hash of PII is still considered PII under some regulations such as GDPR (details available here).

In the protocol we have two ways of issuing credentials: using MerkleTree Proofs (MTP) and using Babyjubjub signature (Sig).
Only claims issued using Merkletree proofs are added to Claims Tree and end up in Identity State Hash.
Claim issued using BJJ signature are not added to Claims Tree, and do not change Identity State. So there are no GDPR problems with this way of issuing credentials.

Credentials can (and should) include PII. We want users to be able to prove some statements based on the raw data, like date of birth or passort data. Care should be taken not to add such credentials into Claims Tree.

The AgeCredential schema stores the birthDay in the first index data slot (index value 3 in the Merkle tree):

	birthDay := big.NewInt(19950704)
	claim, _ := core.NewClaim(kycAgeSchema, core.WithIndexID(holderId), core.WithIndexDataInts(birthDay, nil), core.WithRevocationNonce(revNonce))

But doesn't that allow issuing multiple birthday claims instead of just one, since the two claims would have unique index hashes?

With @jimthematrix's latest changes in #12, if I go through the steps from scratch, in final step the holder wallet's callback invocation (new) fails with Error: fromBytes error: checksum error in sendCallback line:
from: Id.fromBigInt(BigInt(holderId)).string(),

I added a console.log of the holderId, seen in output below, so it's reading it OK.

e.g.

node index.js --holder AliceWonder --qrcode ~/Downloads/challenge-qr2.png

→

...
Calculated witness successfully written to file /Users/nedgar/iden3/AliceWonder/witness-079da6b78545c4e08c02.wtns
Successfully generated proof!
holderId: 316342200244053077361837322580837170633470168946294832427234421230335098880
Error: fromBytes error: checksum error
    at Function.fromBytes (/Users/nedgar/src/github.com/kaleido-io/kaleido-iden3-samples/holder/wallet/node_modules/@iden3/js-iden3-core/dist/cjs/id.js:60:19)
    at Function.fromBigInt (/Users/nedgar/src/github.com/kaleido-io/kaleido-iden3-samples/holder/wallet/node_modules/@iden3/js-iden3-core/dist/cjs/id.js:70:19)
    at sendCallback (/Users/nedgar/src/github.com/kaleido-io/kaleido-iden3-samples/holder/wallet/index.js:228:14)
    at generateProof (/Users/nedgar/src/github.com/kaleido-io/kaleido-iden3-samples/holder/wallet/index.js:212:9)

FYI @Chengxuan

published to kaleido-iden3-samples/v2

Steps:

• make clean identities
• deploy contracts
• publish genesis state on-chain
• make issue-claim
• publish new state on-chain

This fails using the latest from main branch.

Hi, this is Chengqing from Weiming's team. We have several questions after reviewing this sample.

1. If we are going to integrate this sample into real product. Are these identity files under the $HOMEDIR/iden3/XXX folder supposed to be saved in user's mobile or server, for instance, Identity Hub?
2. we cannot find the detailed Merkle tree proof algorithm implementation, neither in this sample nor go-merkletree-sql
3. we would like to know why generating claim and verifying claim use different language? Generating part uses Golang while verifying uses Javascript?

Would be great if the message format for issuing claims, presenting challenges and presenting claim proofs follow the DIDComm spec

Hi, this is Ling Zhang from Weiming's team. I'm confused about the opeartor <-- and <== in circom.

For example. If I wrote c <== a * b, the value of c is always be equal to a * b since singals are immutable. In my opinion, add a constraint c === a * b is redundant. So why we should use “<==” ？