Universal Private Compliance
Pluggable ZK compliance framework for institutions and governments — ASP infrastructure with PLONK proofs over BLS12-381, no per-circuit trusted setup.
UPC — Universal Private Compliance
@permissionless-technologies/upc-sdk
UPC is a pluggable ZK compliance framework. It lets your protocol verify that a user meets a compliance requirement — KYC, accredited investor status, sanctions clearance, any whitelist — without collecting or storing identity data. The user generates a ZK proof off-chain; your contract verifies it on-chain. Nothing sensitive is transmitted or retained.
An ASP (Association Set Provider) maintains a Merkle tree of approved identities. Users prove membership via ZK proof — the verifier learns "someone in the approved set did this" but never who.
npm install @permissionless-technologies/upc-sdkWho Benefits
| Audience | Benefit |
|---|---|
| Institutions | Verifiable compliance without exposing user data. "We verified KYC" without storing or revealing KYC documents. |
| Governments | Sanctions enforcement that works — blocked addresses can't transact, clean addresses stay private |
| ASP operators | Build a compliance business by operating an ASP (KYC verification, sanctions screening, accredited investor checks) |
| Protocol developers | Drop-in compliance for any protocol via IAttestationVerifier interface |
What It Can Do
- PLONK proofs over BLS12-381 — 128-bit security, live since Pectra (EIP-2537, May 2025). Institutions that couldn't accept BN254's ~100-bit security can now use UPC.
- Universal trusted setup — No per-circuit ceremony. Uses Perpetual Powers of Tau (deterministic, reproducible). No "who ran the ceremony?" audit question.
- Pluggable verifiers —
IAttestationVerifiersupports our Merkle ASP, Semaphore, WorldID, zkPass, or custom backends - Pluggable storage —
IASPProviderinterface with Memory, LocalStorage, REST, or custom implementations - On-chain registry —
AttestationHubis a discoverable registry of compliance providers per chain (like Uniswap's token list for ASPs) - ASP sub-packages —
upc-asp-whitelist(auto-whitelist, ready to publish),upc-asp-kyc(planned),upc-asp-sanctions(planned)
What It Can't Do (By Design)
- Cannot force a user to reveal their identity (ZK proofs are zero-knowledge by definition)
- Cannot retroactively revoke a proof already verified on-chain (root history has a TTL)
- Cannot guarantee the quality of an ASP's compliance checks (that's the ASP operator's responsibility)
Why Institutions Should Care
The compliance gap in crypto privacy — Every privacy protocol faces the same question: "How do you prevent money laundering?" UPC is the answer: pluggable, verifiable, on-chain enforced compliance that doesn't destroy privacy.
The ASP model scales — Chainalysis, TRM Labs, Elliptic could each operate an ASP. Exchanges could run their own. Governments could run theirs. Users choose which ASPs they interact with. Recipients choose which ASPs they accept.
Packages
| Package | Purpose | Status |
|---|---|---|
@permissionless-technologies/upc-sdk | Core SDK | Published |
@permissionless-technologies/upc-asp-whitelist | Auto-whitelist ASP service | Ready to publish |
@permissionless-technologies/upc-asp-kyc | KYC verification ASP | Planned |
@permissionless-technologies/upc-asp-sanctions | Sanctions screening ASP | Planned |
Get Started
Quickstart
Create an ASP, add members, generate and verify proofs.
Core Concepts
What is an ASP, how Merkle trees work, PLONK proofs.
SDK Reference
createASPClient, providers, React hooks.
Running an ASP
Set up an ASP service, publish roots, integrate with on-chain registry.
Reusable Primitives
| Primitive | Use Case |
|---|---|
MerkleTree class (LeanIMT-compatible) | Any Merkle membership proof |
IHashFunction interface | Poseidon-BN254, Poseidon-BLS12-381, extensible |
IAttestationVerifier (Solidity) | Any on-chain attestation backend |
AttestationHub (Solidity) | Registry pattern for any verifier type |
BLS12381.sol | EIP-2537 precompile wrapper |
PlonkVerifierBLS12381.sol | Generic PLONK verifier for any BLS12-381 circuit |
UPP (@permissionless-technologies/upp-sdk) uses UPC internally for its ASP compliance layer. If you're building on UPP, you don't need to install UPC separately unless you want to run your own ASP.