# Identity Infrastructure Stack

Identity Infrastructure Stack is the foundational layer of the zkMe Protocol. It provides the cryptographic primitives, secure storage mechanisms, and on-chain anchoring systems that ensure user data remains under the user’s exclusive control throughout its entire lifecycle. Every credential issued, every proof generated, and every agent interaction authorized by zkMe ultimately depends on the guarantees provided by these modules.

The design philosophy of this layer follows a strict **privacy-by-default** principle: raw personal data is never transmitted to any third party. Instead, data is processed locally on the user’s device, encrypted at rest using threshold cryptography, and represented on-chain only as zero-knowledge proofs or cryptographic commitments. Even in regulatory scenarios requiring data recovery, no single party can access the underlying information alone.

***

## How the Modules Fit Together

The Identity Infrastructure modules form a layered stack, each building on the capabilities of the layer below:

1. **Chain Layer.** The [zkMe Identity Chain](/hub/how-built/id-infra/zkme-identity-chain.md) provides the settlement and persistence foundation for the entire stack. All identity smart contracts are deployed on this chain, all credential state commitments are anchored here, and the Decentralized Storage Provider network manages encrypted credential data persistence. The chain's instant finality and dedicated block space ensure that identity operations are never delayed by unrelated network congestion.
2. **Identity Foundation.** [Self-Sovereign Identity (SSI)](/hub/how-built/id-infra/ssi.md) defines the trust model and role relationships (Issuer, Holder, Verifier, Regulator). The [DID Method](/hub/how-built/id-infra/did-method.md) provides each participant with a globally unique, on-chain resolvable decentralized identifier (`did:zkme`).
3. **Data Protection.** [zkVault](/hub/how-built/id-infra/zkvault.md) provides encrypted secrets storage using a combination of TEE-based key hierarchy and threshold encryption (EC-ElGamal). For AI agents, secrets are decrypted only inside hardware enclaves. [FHE](/hub/how-built/id-infra/fhe.md) enables computation on encrypted data, specifically facial feature vectors, allowing privacy-preserving DID creation without ever exposing biometric data in plaintext.
4. **Data Acquisition.** [zkPassport](/hub/how-built/id-infra/zkpassport.md) extracts and attests identity data from government-issued ePassports via NFC chip reading and Active Authentication. [zkTLS](/hub/how-built/id-infra/zktls.md) bridges Web2 data sources (bank accounts, credit scores, government portals) by generating zero-knowledge proofs from standard HTTPS sessions.
5. **On-Chain Anchoring.** [Smart Contracts](/hub/how-built/id-infra/smart-contracts.md) provide the immutable trust anchor, managing credential state (Merkle roots, revocation status), cross-chain relay, and the Mint/Delegate/Verify contract suite deployed across all supported chains.

***

## Module Index

<table><thead><tr><th width="232.423828125">Module</th><th width="275.837890625">What It Does</th><th>Key Technology</th></tr></thead><tbody><tr><td><a data-mention href="/pages/PJXVg6WY3BJmBfUHiv0R">/pages/PJXVg6WY3BJmBfUHiv0R</a></td><td>Settlement and persistence layer for all identity operations</td><td>CometBFT PoS, EVM (EVMOS), Decentralized Storage Providers</td></tr><tr><td><a data-mention href="/pages/o5SSNX9sDYwphgFAcwh6">/pages/o5SSNX9sDYwphgFAcwh6</a></td><td>Defines the identity model and trust roles</td><td>W3C SSI, Verifiable Credentials</td></tr><tr><td><a data-mention href="/pages/LML1W5eTUQFeh1LmmkzZ">/pages/LML1W5eTUQFeh1LmmkzZ</a></td><td>On-chain decentralized identifier registry</td><td><code>did:zkme</code> specification, EVM smart contract</td></tr><tr><td><a data-mention href="/pages/m4fOGTqZi9hQL5OxAiMy">/pages/m4fOGTqZi9hQL5OxAiMy</a></td><td>Encrypted secrets storage and data recovery</td><td>Threshold encryption (EC-ElGamal), TEE, IPFS</td></tr><tr><td><a data-mention href="/pages/f35ffdG0aa8TTzBKrzoA">/pages/f35ffdG0aa8TTzBKrzoA</a></td><td>Computation on encrypted biometric data</td><td>CKKS fully homomorphic encryption</td></tr><tr><td><a data-mention href="/pages/ZLerOKZiiLOaghojUycc">/pages/ZLerOKZiiLOaghojUycc</a></td><td>ePassport verification and attestation</td><td>NFC, ICAO 9303, Active Authentication, ZKP</td></tr><tr><td><a data-mention href="/pages/MPIrpl18CtFcUr3n3dl3">/pages/MPIrpl18CtFcUr3n3dl3</a></td><td>Web2 data bridging with privacy</td><td>TLS 1.2/1.3, zk-SNARKs</td></tr><tr><td><a data-mention href="/pages/ntNN2rwFAnwNtrVd2Z6w">/pages/ntNN2rwFAnwNtrVd2Z6w</a></td><td>On-chain state management and verification</td><td>Solidity, cross-chain relay, SBT</td></tr></tbody></table>

***

## Recommended Reading Order

For readers new to the zkMe Protocol, we recommend reading the Identity Infrastructure modules in the following order:

1. Start with **zkMe Identity Chain** to understand the blockchain foundation that all other modules depend on.
2. Start with **SSI** to understand the trust model and role definitions.
3. Read **DID Method** to understand how identities are represented on-chain.
4. Read **zkVault** to understand how sensitive data is stored and protected.
5. Read **FHE** to understand how biometric data is processed without exposure.
6. Read **zkPassport** and **zkTLS** to understand how identity data is acquired from real-world sources.
7. Read **Smart Contracts** to understand the on-chain verification and state management layer.

For readers primarily interested in building on zkMe, you may want to start with the [Credential System](/hub/how-built/credential-sys.md) and [Agent Trust Gateway](/hub/how-built/agent-trust-gateway.md) modules, which consume the guarantees provided by this infrastructure layer.

***

## Available as Independent Services

The Identity Infrastructure Stack is available for licensing and deployment by external organizations. Customers can acquire any module independently or license the full stack to build and operate their own identity infrastructure using zkMe's chain layer, cryptographic primitives, and on-chain anchoring systems.

<table><thead><tr><th width="195.8359375">Module</th><th>Acquisition Model</th></tr></thead><tbody><tr><td>zkMe Identity Chain</td><td>License the chain stack (CometBFT + EVMOS + DSP network) for sovereign deployment, or deploy on the shared zkMe mainnet</td></tr><tr><td>SSI Framework</td><td>License the SSI model, role definitions, and MPC wallet infrastructure</td></tr><tr><td>DID Infrastructure</td><td>License the did:zkme registry contracts and resolution service</td></tr><tr><td>zkVault</td><td>License the encryption stack (TEE key hierarchy + EC-ElGamal threshold encryption + IPFS storage layer)</td></tr><tr><td>FHE Engine</td><td>License the CKKS homomorphic encryption compute engine</td></tr><tr><td>zkPassport</td><td>License the NFC reader SDK, Active Authentication module, and ZKP generation pipeline</td></tr><tr><td>zkTLS</td><td>License the TLS session proof generation stack</td></tr><tr><td>Smart Contracts Suite</td><td>License the Mint/Delegate/Verify/Certify contract suite for deployment on any EVM chain</td></tr></tbody></table>

{% hint style="success" %}
All modules support flexible engagement models including technology licensing for self-hosted deployment, managed service with pay-as-you-go or committed-use pricing, and full white-label solutions. Contact the zkMe team at <contact@zk.me>.
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.zk.me/hub/how-built/id-infra.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.