zkOTP Wallet

Problem Statement

How it's madeTell us about how you built this project; the nitty-gritty details. What technologies did you use? How are they pieced together? If you used any partner technologies, how did it benefit your project? Did you do anything particuarly hacky that's notable and worth mentioning?For proving TOTP Code on-chain, the prover (which is the zk-TOTP wallet) takes private inputs (secret_raw, secret_bits, otp_code) and public inputs (hashed_secret, time_step, action_hash, tx_nonce) into the circuit.Within the circuit:It first confirms the circuit “Secret” matches the hashed_secretIt then computes the TOTP Code with HMAC-SHA1Then compares to the user’sotp_codeThen binds the proof to action_hash & tx_nonceFinally, the smart contract verifies the proof by circuit is true, ensures nonce is not used to prevent replay attacks, and executes the requested action.We use Self Protocol SDKs to implement the on-chain verification process on Celo, then use Hyperlane to securely transmit the zero-knowledge proof and verification data between Celo chain and HashKey chain. This expands the use of Self Protocol and Hyperlane to enable zero-knowledge proof KYC on Hashkey chain, taking a step closer to the framework of regulatory-compliant data storage and data privacy protection networks.

Solution

How’s it made⚙️ Technologies UsedNoir (via nargo) for writing and compiling the zk circuitNoirJS for browser-based proving (WebAssembly)Solidity for the onchain zk-SNARK verifier on CeloPoseidon Hash for efficient in-circuit commitmentsGoogle Authenticator-compatible TOTP (RFC 6238, HMAC-SHA1)Self Protocol for decentralized identity & recovery commitmentCelo Chain as the execution layer for onchain proof verificationHashKey Chain for tiered based KYCThe frontend is built by Next.js, and deployed on Vercel.🧠 Notable Hacks & Engineering WinsImplementing bit-accurate SHA1 and HMAC-SHA1 in-circuit was nontrivial. Handling 512-bit blocks, 32-bit rotations, and byte-alignment took several iterations.Compatible with existing 2FA apps (like Google Authenticator) with zero modification, lowering onboarding friction.