Last updated 3 months ago
Indonesians receive an average of 14+ spam calls per month, partly due to unprotected digital verification, while developers struggle with the cost and security risks of managing phone databases.
Midnight Shield replaces SMS OTPs with ZK Proofs. Verify your phone once to mint a credential, then login anonymously. Stops spam by proving unique humanity without sharing data.
Please provide your proposal title
Midnight Shield: ZK-Phone Verification & Anti-Spam SDK
Please specify how many months you expect your project to last
3
Please indicate if your proposal has been auto-translated
No
Original Language
en
What is the problem you want to solve?
Indonesians receive an average of 14+ spam calls per month, partly due to unprotected digital verification, while developers struggle with the cost and security risks of managing phone databases.
Does your project have any dependencies on other organizations, technical or otherwise?
No
Describe any dependencies or write 'No dependencies'
No dependencies
Will your project's outputs be fully open source?
Yes
Please provide here more information on the open source status of your project outputs
License: MIT (Fully Open Source)
To serve as a true Reference DApp, we release 100% of the codebase under the permissive MIT License. This includes:
The SDK: A drop-in library for easy frontend integration.
Compact Contracts: The ZK-circuit logic for unique identity.
Oracle Backend: The SMS signing service.
Our goal is to establish a free, forkable standard for privacy-first login that accelerates developer adoption on Midnight.
Please choose the most relevant theme and tag related to the outcomes of your proposal
Identity & Verification
What is useful about your DApp within one of the specified industry or enterprise verticals?
Vertical: Identity and Governance (Privacy-Preserving Authentication)
The Data Leak Crisis in Southeast Asia
In Indonesia, the digital economy is built on Phone Number Verification. Every major app—from E-commerce (Shopee/Tokopedia) to Fintech (GoPay) to Games—requires a raw phone number plus SMS OTP to verify that a user is a unique human and not a bot.
Midnight Shield: The Zero-Knowledge Solution
Our DApp solves this paradox by decoupling Verification from Data Collection.
Why Midnight is Essential
This utility is impossible on public blockchains (like Ethereum or standard Cardano).
What exactly will you build? List the Compact contract(s) and key functions/proofs, the demo UI flow, Lace (Midnight) wallet integration, and your basic test plan.
We are building a full-stack Reference Implementation comprised of three distinct modules:
A. The Compact Smart Contracts (PhoneShield.compact)
We will develop a ZK-Circuit that manages the lifecycle of a Shielded Identity.
B. The Midnight Auth SDK (Frontend and Lace Integration)
We will package the complexity into a reusable npm library (@midnight-shield/client) for other devs.
C. The Oracle Backend (Node.js)
A secure server utilizing Twilio (or local gateway) for SMS dispatch.
D. Test Plan
Unit Testing: Writing compact-test scripts to verify that the nullifier logic correctly blocks double-signups in a simulated ledger environment.
How will other developers learn from and reuse your repo? Describe repo structure, README contents, docs/tutorials, test instructions, and extension points. Which developer personas benefit, and how will you gauge impact (forks, stars, issues, remixes)?
As a Reference DApp, our primary product is Education. We are structuring the repo to be the Standard Library for Identity on Midnight.
Please describe your proposed solution and how it addresses the problem
In Indonesia, the digital economy runs on Phone Number Verification. Every major app, from E-commerce (Shopee/Tokopedia) to Fintech (GoPay) to Games, requires a raw phone number + SMS OTP to verify that a user is a "unique human" and not a bot. This centralization of identity has catastrophic consequences. Phone numbers are routinely leaked, sold to data brokers, or scraped. As a result, the average Indonesian receives 14+ spam/scam calls per month (Hiya Global Report). Besides that, developers need Sybil Resistance (one person, one account), but currently they can only achieve it by collecting toxic Personally Identifiable Information (PII). This creates a liability under Indonesia’s UU PDP (Personal Data Protection Law) and requires building complex, insecure SMS verification backends.
The Solution: The Midnight Shield SDK (Drop-in Privacy)
We are building Midnight Shield, an open-source Identity SDK (Software Development Kit) that allows any developer to add "Verify with Midnight" to their app in minutes. It replaces toxic SMS OTPs with Zero-Knowledge Proofs.
Core Component 1: The Shielding Oracle (Off-Chain to On-Chain)
We provide a pre-built Oracle Backend (@midnight-shield/server) that developers can deploy to bridge Web2 and Web3.
The Mechanism: A user enters their phone number on the DApp. The backend sends a standard SMS OTP. Once the user verifies the OTP, the backend issues a cryptographically signed payload (Signature) confirming ownership of that number.
The Privacy: The raw phone number is never stored on-chain. The signature is only used once to mint a Shield Token (a private ZK-credential) to the user's Lace wallet.
Core Component 2: The @midnight-shield/react Library
We abstract the complex cryptography into a simple React hook for frontend developers.
The "Login" Button: Developers simply import
The ZK Circuit: The SDK generates a proof that states: "I own a valid Shield Token, and I have not created an account on this specific App ID before."
The Nullifier: To prevent one user from creating 100 accounts, the SDK automatically computes a Nullifier Hash (derived from PhoneHash + AppID). This ensures uniqueness per app without allowing different apps to correlate the user's identity across platforms.
Core Component 3: The Reference Compact Contract
We provide a standardized, audited Compact Smart Contract that developers can deploy with one command.
Functionality: It verifies the ZK proofs generated by the SDK and maintains the registry of "Used Nullifiers" to prevent double-spending of identities.
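The flow described in Core Components 1 to 3, modelled in the clear as an added example (not code from the Midnight Shield repository and not a ZK circuit): the oracle signs a phone hash, a per-app nullifier is derived from PhoneHash + AppID, and a registry rejects reuse. The function names, the keyed hash (pepper) on the oracle, the domain tag, and the sample phone number and app ID are assumptions made for illustration.

```javascript
// Added sketch: models the data flow in the clear. It is NOT a ZK circuit.
const { createHash, createHmac, generateKeyPairSync, sign, verify } = require('node:crypto');

// Hash fields with length prefixes so ("ab","c") and ("a","bc") differ.
function hashFields(...fields) {
  const h = createHash('sha256');
  for (const f of fields) {
    const buf = Buffer.from(f, 'utf8');
    const len = Buffer.alloc(4);
    len.writeUInt32BE(buf.length);
    h.update(len).update(buf);
  }
  return h.digest('hex');
}

// Oracle (assumed design): after the SMS OTP succeeds, sign a keyed hash of
// the number. The pepper is an assumption: phone numbers are a small space,
// so an unkeyed hash would not hide the number.
const ORACLE_PEPPER = 'constructed-demo-pepper';
const oracleKeys = generateKeyPairSync('ed25519');
function issueAttestation(phone) {
  const phoneHash = createHmac('sha256', ORACLE_PEPPER).update(phone).digest('hex');
  const sig = sign(null, Buffer.from(phoneHash), oracleKeys.privateKey);
  return { phoneHash, sig };
}

// Nullifier derived from PhoneHash + AppID, as described above.
function nullifier(phoneHash, appId) {
  return hashFields('nullifier-v1', phoneHash, appId);
}

// Stand-in for the contract's "Used Nullifiers" registry. In the proposed
// design the signature check and derivation happen inside the proof and only
// the nullifier is revealed; here they run in the clear.
function makeRegistry(appId, oraclePublicKey) {
  const used = new Set();
  return function register({ phoneHash, sig }) {
    if (!verify(null, Buffer.from(phoneHash), oraclePublicKey, sig)) return 'bad-signature';
    const n = nullifier(phoneHash, appId);
    if (used.has(n)) return 'duplicate';
    used.add(n);
    return 'ok';
  };
}

const demoAtt = issueAttestation('+6281200000001'); // constructed number
const demoShop = makeRegistry('app-shop', oracleKeys.publicKey);
console.log(demoShop(demoAtt), demoShop(demoAtt)); // ok duplicate
```

Because the AppID is an input to the nullifier, the same credential yields unrelated values in different apps, so two registries cannot be joined on the nullifier.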
Please define the positive impact your project will have on Midnight ecosystem
Midnight Shield serves as a foundational building block for the entire Midnight ecosystem. By packaging complex ZK logic into an easy-to-use SDK, we unlock a massive category of use cases that are currently impossible for average developers to build.
1. Accelerating Developer Adoption
The Gap: New blockchains struggle to attract developers because they lack basic tooling. Currently, if a dev wants to build a voting app on Midnight, they have to write their own ZK-Identity circuit from scratch. This is a massive barrier.
The Fix: By releasing the Midnight Shield SDK, we provide the ecosystem with a "Standard Library" for identity. Future developers building Voting DApps, DAO Tools, or Social Networks can simply npm install @midnight-shield/client. This reduces the "Time-to-Hello-World" for new Midnight devs from weeks to minutes.
2. Demonstrating "Real-World" Privacy Utility
The Narrative: Privacy is often associated with "hiding illicit finance." Midnight Shield changes the narrative to "Consumer Protection."
The Demo: By solving the universal pain point of Spam Calls, we demonstrate a concrete, relatable benefit of ZK technology to non-crypto users. This is the kind of "Killer App" that can drive mass adoption in high-population markets like Indonesia, proving that Midnight solves problems that Ethereum/Cardano cannot.
3. Compliance-Ready Architecture for Enterprise
Regulatory Alignment: By ensuring apps never touch raw phone numbers, our SDK helps developers comply with strict data privacy laws (GDPR, UU PDP). This positions Midnight as the "Compliance Chain" for enterprise adoption, attracting Web2 fintechs and startups who want Sybil resistance without the legal liability of holding PII.
What is your capability to deliver your project with high levels of trust and accountability? How do you intend to validate if your approach is feasible?
We have a verified history of shipping complex projects together (including the Fund 13 "Indonesia Car-Dano" success).
Role: End-to-End Engineering (Compact + Backend + Frontend). Giga handles the entire technical stack.
Contribution: As a Full-Stack Blockchain Architect, Giga is proficient in System Architecture and Smart Contract Security. He will use his experience in Solidity and Aiken to master the Compact language, while using AI coding assistants (Cursor/Copilot) to rapidly scaffold the React frontend and Node.js Oracle backend.
GitHub: https://github.com/gigahidjrikaaa
LinkedIn: https://www.linkedin.com/in/gigahidjrikaaa/
Role: Logic Design, Documentation & User Journey.
Contribution: She designs the privacy flow, ensuring users understand why their data is safe. Crucially for a Reference DApp, she writes the Documentation and Tutorials, ensuring other developers can actually understand and use our code.
GitHub: https://github.com/virnamrita
LinkedIn: https://www.linkedin.com/in/virna-amrita-a13463261/
Research Gate: https://www.researchgate.net/profile/Virna-Amrita
Feasibility Strategy:
We acknowledge that building a full stack (Contract + Backend + UI) is a heavy lift for one engineer. To mitigate this, we use AI-Augmented Development:
Boilerplate Automation: Giga uses LLMs to generate the standard React/Node.js boilerplate code instantly.
Focus on the Core: This frees up 80% of Giga's time to focus purely on the Compact ZK Circuit (the hard part that AI cannot do well yet).
Result: We achieve the output of a 4-person team with only 2 people, reducing coordination costs to zero.
Validation: For now, we define this project's success as functional code that works on DevNet, and not necessarily commercial scale. This allows us to keep the backend simple (a lightweight Oracle) without needing complex DevOps scaling, making the 3-month timeline highly realistic.
Please provide a cost breakdown of the proposed work and resources
Lean stipends for the 2-person R&D unit for the 3-month sprint (based in Yogyakarta, Indonesia)
Scope: End-to-End Engineering (Compact Contracts, Node.js Oracle, React SDK).
Scope: Privacy UX Design, Developer Documentation (README.md), and Tutorial Video production.
Allocating significant resources to ensure the demo environment is fast, stable, and scalable.
SMS Gateway Credits (Twilio/Wav): $1,000.
Usage: This provides a massive buffer for sending 10,000+ OTPs via premium routes. This allows us to run the "Midnight Shield" demo publicly for months without running out of credits, enabling hundreds of other developers to test the flow live.
Cloud Infrastructure: $600.
Usage: 12-Month prepaid hosting for the Oracle Backend and Demo DApp on CPU-Optimized Droplets. We are provisioning for High Availability to ensure the reference implementation never goes offline when a developer tries to use it.
Developer Tooling & Services: $400.
Usage: Private RPC Node subscriptions (for reliable DevNet access), Domain Registration (midnight-shield.io), and SSL Security certificates to secure the Oracle API.
How does the cost of the project represent value for the Midnight ecosystem?
We are delivering a critical infrastructure component (Privacy-Preserving Login) for a cost lower than a single month of a Silicon Valley engineer's salary.
The Multiplier Effect: By packaging complex ZK circuitry into an easy-to-use SDK (@midnight-shield), we lower the barrier to entry for every future Midnight developer. If just 10 future startups use our library instead of building their own auth system from scratch, we save the ecosystem an estimated $200,000 in redundant engineering hours (10 teams x 2 weeks x $2,500/week). This is a 50x ROI on the grant.
The Market: Indonesia has 221 million internet users, yet they suffer from 14+ spam calls per month due to phone number harvesting.
The Showcase: By demonstrating a live anti-spam use case, we provide the Midnight Foundation with a powerful narrative: "Midnight protects consumers from data abuse." This is the kind of story that attracts Web2 enterprises and regulators, driving token utility far beyond DeFi.
A lot of projects burn 30% of their budget on marketing. We spend $0.
The Leverage: As members of Sumbu Labs, Giga and Virna have direct access to a growing community of Indonesian Web3 enthusiasts and developers on Twitter/X. The platform is not huge yet, but our target audience is niche, and we are confident that it is the right audience for this project.
The Impact: We will use this platform to socialize the Midnight Shield SDK and publish our tutorials. This guarantees immediate visibility and adoption for the Midnight ecosystem without costing the Midnight Foundation a single cent.
I confirm that the proposal clearly provides a basic prototype reference application for one of the areas of interest.
Yes
I confirm that the proposal clearly defines which part of the developer journey it improves and how it makes building on Midnight easier and more productive.
Yes
I confirm that the proposal explicitly states the chosen permissive open-source license (e.g., MIT, Apache 2.0) and commits to a public code repository.
Yes
I confirm that the team provides evidence of their technical ability and experience in creating developer tools or high-quality technical content (e.g., GitHub, portfolio).
Yes
I confirm that a plan for creating and maintaining clear, comprehensive documentation is a core part of the proposal's scope.
Yes
I confirm that the budget and timeline (3 months) are realistic for delivering the proposed tool or resource.
Yes
I Agree
Yes
1. Giga H. A. Adkhy (Lead ZK Engineer & Full-Stack Architect)
Role: End-to-End Engineering. Giga handles the entire technical stack: writing the Compact smart contracts, building the Node.js Oracle backend, and integrating the React SDK with the Lace wallet.
Capability: Giga was the Project Manager for the successfully delivered Fund 13 "Indonesia Car-Dano" project. His background in System Architecture and Solidity ensures he can master the Midnight stack quickly. He utilizes AI-Augmented Coding (Cursor/Copilot) to handle the workload of a full engineering team.
GitHub: https://github.com/gigahidjrikaaa
LinkedIn: https://www.linkedin.com/in/gigahidjrikaaa/
2. Virna Amrita (Product Owner & Privacy UX)
Role: Logic Design, User Journey & Documentation.
Capability: Psychology Researcher (UGM) & "Vibe Coder." Virna earned a Gold Medal in PKM-RSH 2023 for her research on AI chatbots.
Contribution: She bridges the gap between complex cryptography and human usability. She designs the privacy flow (ensuring users feel safe) and writes the Developer Documentation, translating Giga's code into easy-to-follow tutorials for the community.
GitHub: https://github.com/virnamrita
LinkedIn: https://www.linkedin.com/in/virna-amrita-a13463261/
Research Gate: https://www.researchgate.net/profile/Virna-Amrita