Verinode now includes comprehensive privacy and encryption capabilities to protect sensitive proof data while maintaining verifiability on the Stellar blockchain.
- AES-256-GCM encryption for symmetric encryption
- RSA-4096 for asymmetric encryption
- scrypt/PBKDF2 key derivation functions
- End-to-end encryption ensuring data privacy
- Secure key generation and management
- Granular visibility settings (public/private/shared)
- Access control lists for specific viewers
- Action-based permissions (view/verify/share)
- Time-based expiration for access rights
- Consent management system
- Data minimization principles
- Field-level control over data sharing
- Disclosure templates for common use cases
- Purpose-based sharing with recipient tracking
- Privacy-preserving previews before sharing
- Audit trails for disclosure activities
- Secure key storage with master password protection
- Automatic key rotation with configurable intervals
- Key compromise handling with replacement generation
- Encrypted key backup and restoration capabilities
- Role-based key access controls
- Age verification without revealing actual age
- Membership proofs without identity disclosure
- Range proofs for numeric values
- Hash preimage proofs for commitments
- Custom circuit creation framework
- Batch verification capabilities
```mermaid
graph TD
    A[Raw Proof Data] --> B[Client-Side Encryption]
    B --> C[Privacy Controls Applied]
    C --> D[Selective Disclosure Filter]
    D --> E[ZK Proof Generation]
    E --> F[Blockchain Storage]
    G[Master Password] --> H[Key Management]
    H --> I[Encryption Keys]
    I --> B
    J[Access Requests] --> K[Privacy Controls Service]
    K --> L[Consent Management]
    L --> M[Access Decisions]
```
- Public - Anyone can view (basic metadata only)
- Shared - Specific authorized viewers with custom permissions
- Private - Only owner can access with full data minimization
```mermaid
sequenceDiagram
    participant U as User
    participant FE as Frontend
    participant BE as Backend
    participant SC as Smart Contract
    participant BC as Blockchain
    U->>FE: Enter sensitive data
    FE->>FE: Encrypt client-side
    FE->>BE: Send encrypted data
    BE->>SC: Store on chain
    SC->>BC: Commit to blockchain
    Note over FE,BC: All sensitive data remains encrypted
```
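The client-side encryption step in this flow, sketched with the primitives this page lists (scrypt key derivation, AES-256-GCM). This is an added example, not Verinode's own code; the envelope field names, the scrypt cost parameters and the use of `proofId` as additional authenticated data are assumptions.

```javascript
// Added example, not Verinode's code: envelope field names and scrypt
// cost parameters below are assumptions.
const crypto = require('node:crypto');

const SCRYPT = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32, SCRYPT); // 32 bytes = AES-256 key
}

// Encrypts a JSON-serializable object. proofId is bound as AAD so the
// ciphertext cannot be moved to a different proof record undetected.
function encryptProof(proofId, data, password) {
  const salt = crypto.randomBytes(16); // fresh salt per envelope
  const iv = crypto.randomBytes(12);   // 96-bit GCM nonce, never reused per key
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  cipher.setAAD(Buffer.from(proofId, 'utf8'));
  const ct = Buffer.concat([cipher.update(JSON.stringify(data), 'utf8'), cipher.final()]);
  const b64 = (b) => b.toString('base64');
  return { v: 1, proofId, salt: b64(salt), iv: b64(iv), tag: b64(cipher.getAuthTag()), ct: b64(ct) };
}

// Returns the decrypted object, or throws if the password, the proofId or
// any envelope byte is wrong (GCM tag verification fails in final()).
function decryptProof(envelope, password) {
  const buf = (s) => Buffer.from(s, 'base64');
  const key = deriveKey(password, buf(envelope.salt));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, buf(envelope.iv));
  decipher.setAAD(Buffer.from(envelope.proofId, 'utf8'));
  decipher.setAuthTag(buf(envelope.tag));
  const pt = Buffer.concat([decipher.update(buf(envelope.ct)), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Constructed sample input, same shape as the data in the page's encrypt request.
const sample = { userId: '123', salary: 50000, ssn: '123-45-6789' };
const envelope = encryptProof('proof-123', sample, 'strong-master-password-123');
console.log(Object.keys(envelope).join(','), decryptProof(envelope, 'strong-master-password-123').salary);
```

Only the envelope needs to reach the backend; the password and the plaintext stay on the client.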
All security endpoints are available under /api/security/:
- `POST /api/security/encrypt` - Encrypt data
- `POST /api/security/decrypt` - Decrypt data
- `POST /api/security/privacy-controls` - Set privacy settings
- `POST /api/security/consent/request` - Request access
- `POST /api/security/consent/grant` - Grant access permission
- `POST /api/security/selective-disclosure` - Create selective disclosure
- `GET /api/security/disclosure/templates` - Get standard templates
- `POST /api/security/key-management/initialize` - Initialize key system
- `POST /api/security/key-management/generate-keypair` - Generate key pairs
- `POST /api/security/key-management/rotate-key` - Rotate encryption keys
- `POST /api/security/zk-proof/generate` - Generate zero-knowledge proof
- `POST /api/security/zk-proof/verify` - Verify zero-knowledge proof
- `GET /api/security/zk-proof/circuits` - Get available ZK circuits
```bash
# Encrypt data
curl -X POST http://localhost:3001/api/security/encrypt \
  -H "Content-Type: application/json" \
  -d '{
    "data": "{\"userId\":\"123\",\"salary\":50000,\"ssn\":\"123-45-6789\"}",
    "password": "strong-master-password-123"
  }'
```

```bash
# Set privacy settings for a proof
curl -X POST http://localhost:3001/api/security/privacy-controls \
  -H "Content-Type: application/json" \
  -d '{
    "proofId": "proof-123",
    "settings": {
      "visibility": "shared",
      "allowedViewers": ["GABC...1234", "GDEF...5678"],
      "allowedActions": ["view", "verify"],
      "requireConsent": true,
      "dataMinimization": true
    }
  }'
```

```bash
# Create a selective disclosure
curl -X POST http://localhost:3001/api/security/selective-disclosure \
  -H "Content-Type: application/json" \
  -d '{
    "proofData": {"name": "John Doe", "age": 30, "salary": 50000},
    "disclosedFields": ["age"],
    "purpose": "Employment verification",
    "recipient": "HR Department"
  }'
```

```bash
# Generate a zero-knowledge proof
curl -X POST http://localhost:3001/api/security/zk-proof/generate \
  -H "Content-Type: application/json" \
  -d '{
    "circuitId": "age-verification",
    "privateInputs": {"actualAge": 30, "minimumAge": 18},
    "publicInputs": [18]
  }'
```

Provides UI for:
- Encryption algorithm selection
- Key derivation function choice
- Auto-rotation configuration
- Master password setup with strength meter
Enables management of:
- Visibility settings (public/shared/private)
- Allowed actions per viewer
- Consent requirements
- Data minimization preferences
- Access request approval/rejection
Facilitates:
- Field-by-field disclosure selection
- Quick template application
- Purpose and recipient specification
- Disclosure preview before sharing
- Privacy impact visualization
The privacy verification smart contract (privacyVerification.rs) provides:
- `verify_privacy()` - Check access permissions
- `verify_selective_disclosure()` - Validate disclosed data
- `verify_zk_proof()` - Verify zero-knowledge proofs
- `check_consent()` - Validate consent permissions
- `set_privacy_settings()` - Update privacy configurations

- Privacy settings stored per proof
- Consent records with granter/grantee relationships
- Access logs for audit purposes
- Key rotation metadata
- Use strong master passwords (12+ characters, mixed case, numbers, symbols)
- Enable auto-rotation with appropriate intervals
- Backup encryption keys securely
- Monitor key usage and access patterns
- Apply principle of least privilege - share minimum necessary data
- Use time-based expiration for temporary access
- Require explicit consent for sensitive data sharing
- Enable audit logging for compliance purposes
- Encrypt all sensitive data client-side before transmission
- Use data minimization by default
- Implement proper access controls at multiple layers
- Regular security audits of privacy settings
```bash
# Run backend security tests
cd backend
npm test -- --testPathPattern=security

# Run smart contract tests
cd contracts
cargo test privacy
```

```bash
# Test end-to-end encryption flow
npm run test:e2e:encryption

# Test privacy controls workflow
npm run test:e2e:privacy
```

- Data minimization built into selective disclosure
- Right to erasure through key compromise handling
- Consent management for data processing
- Privacy by design in all components
- Encryption at rest and in transit
- Access logging and monitoring
- Role-based access controls
- Regular security assessments
- Homomorphic encryption for computations on encrypted data
- Differential privacy for statistical analysis
- Multi-party computation for collaborative verification
- Advanced ZK proof systems (Bulletproofs, Halo2)
- Hardware security module integration
- Decentralized identity integration
- Batch encryption operations
- Caching layer for frequently accessed data
- Asynchronous key operations
- Compressed proof storage
- Encryption failures
  - Verify master password strength
  - Check key derivation parameters
  - Ensure sufficient entropy
- Privacy control errors
  - Validate Stellar addresses
  - Check permission hierarchies
  - Verify consent expiration dates
- ZK proof verification failures
  - Confirm circuit compatibility
  - Validate input formats
  - Check proof generation parameters

- Privacy dashboard for monitoring access patterns
- Encryption key status viewer
- ZK proof debugger with step-by-step verification
- Audit log analyzer for compliance reporting
For issues or questions regarding privacy features:
- Check the documentation
- Review security guidelines
- Contact the security team via security@verinode.com
- File issues in the GitHub repository
Last updated: February 2026 Version: 1.0.0