Platform

Overview

How It Works

Beneficiary Identity

Policy Corridors

Deterministic Finality

Architecture

Security Model

Governance

Integration
Solutions

Corridors Overview

Institutional Overview

Pricing

All Scenarios

Humanitarian Impact Fund
Assurance

Technical Assurance

Verify Receipt

Receipt Example
Developers

Documentation

APIs & Bridges

Architecture Docs

Glossary

BID API
Company

About

Team

Partners

Roadmap

Investors

Contact

Blog

All Documentation
Schedule Consultation
← Back to Documentation
ZK Compliance Operational Spec All Documentation →

Zero-Knowledge Compliance Operational Specification

Binding operational decisions for ZK gas costs, jurisdictional hierarchy, proof validity windows, KYC provider selection, and proof system migration.

Operational SpecificationJIL SovereignMarch 2026

1. Executive Summary

This document captures the binding operational decisions for the ZK Compliance (ZKC) subsystem of JIL Sovereign. It resolves five open questions that remained after the original ZKC specification was published: per-circuit gas benchmarks, jurisdictional conflict resolution hierarchy, proof validity windows by type, KYC provider selection and failover strategy, and the multi-phase proof system migration path.

All parameters in this document are authoritative for production. They supersede any earlier draft values referenced in design discussions or the original ZKC spec. Changes to these parameters require a governance proposal and 14-of-20 validator approval.

Scope: This specification covers operational parameters only - gas costs, timing windows, provider routing, conflict resolution, and migration strategy. For the ZKC architecture, circuit design, and cryptographic foundations, refer to the ZK Compliance Specification.

2. ZK Circuit Gas Benchmarks

All six production circuits use Groth16 proving with BN254 curves. Gas costs are measured on the JIL L1 execution environment and include calldata, verification computation, and state storage for the proof record.

CircuitGas CostVerification Time
KYC_AGE~220,000~180ms
KYC_JURISDICTION~235,000~195ms
AML_COMPLIANCE~250,000~210ms
SANCTIONS_CLEAR~225,000~185ms
KYC_ACCREDITATION~240,000~200ms
INCOME_THRESHOLD~260,000~220ms

Batch Verification

Submitting 5 or more proofs in a single transaction activates batch verification, which amortizes pairing computation across proofs. The discount is 15% off aggregate gas for the batch. Maximum batch size is 20 proofs per transaction - larger batches are rejected at the contract level to prevent block stuffing.

Example: Submitting 6 proofs individually costs ~1,430,000 gas. Batching the same 6 proofs costs ~1,215,500 gas (15% discount), saving ~214,500 gas per batch.

3. Jurisdictional Conflict Resolution

When a transaction crosses jurisdictions, compliance rules from multiple regulatory frameworks may apply simultaneously. JIL uses strict interpretation - the stricter rule always wins. This eliminates regulatory arbitrage and ensures every transaction satisfies the most demanding applicable standard.

Resolution Hierarchy

  1. Bilateral corridor agreement - Negotiated rules for specific jurisdiction pairs (e.g., US-EU corridor). These take precedence because both regulators have explicitly approved them.
  2. Receiving jurisdiction regulations - The destination jurisdiction's rules apply next, since the receiving regulator has primary enforcement authority over incoming funds.
  3. Sending jurisdiction regulations - The origin jurisdiction's rules apply as a secondary layer, covering outbound transfer restrictions and reporting requirements.
  4. FATF baseline recommendations - When no specific bilateral or jurisdictional rule exists, FATF Travel Rule and baseline AML recommendations serve as the floor.

Conflict Detection

The rule-engine service (port 8460) performs conflict detection at compile time when jurisdiction rule sets are loaded. If two rules produce contradictory requirements for the same proof type, the engine flags the conflict and applies the stricter interpretation automatically. Unresolvable conflicts - where no valid proof can satisfy both rules simultaneously - escalate to compliance-api (port 8100) for manual review by a compliance officer.

Currently 10 jurisdiction rule sets are loaded: US (SEC/FinCEN), EU (MiCA), UK (FCA), Singapore (MAS), Switzerland (FINMA), Japan (FSA), UAE (VARA), Brazil (CVM), Germany (BaFin), and South Korea (FSC).

4. Proof Validity Windows

Proof validity is tiered by type and risk level. Higher-risk proof types expire faster. Each proof type has a renewal grace period during which the old proof remains valid while the user generates a replacement.

Proof TypeValidityRenewal GraceAuto-Suspend
KYC_AGE365 days30 daysYes
KYC_JURISDICTION90 days14 daysYes
KYC_ACCREDITATION180 days30 daysYes
AML_COMPLIANCE30 days7 daysYes
SANCTIONS_CLEAR7 days1 dayImmediate
INCOME_THRESHOLD365 days30 daysYes

Risk-Adjusted Windows

When a user's risk score exceeds 0.7 (as computed by the compliance-api risk engine), all validity windows are halved. For example, a high-risk user's KYC_AGE proof expires in 182 days instead of 365. This forces more frequent re-verification for accounts exhibiting suspicious patterns.

Proofs covering assets in the Protected zone (accounts with active protection coverage) use shorter windows - also halved from the base values. This layering is cumulative: a high-risk user in the Protected zone has validity windows at one-quarter of the base period.

SANCTIONS_CLEAR: This proof type uses immediate suspension with no grace period tolerance. If a sanctions proof expires, the account is frozen within the same block. No transactions are permitted until a fresh sanctions clearance proof is submitted and verified.

5. KYC Provider Selection

JIL uses a dual-provider strategy for identity verification. Two providers ensure failover coverage and broader geographic reach. Both providers' results are stored as ZK-compatible attestations - the raw identity data never touches JIL infrastructure.

5.1 Primary - Onfido

  • Regulation: FCA-regulated (United Kingdom)
  • Coverage: 195 countries, document + biometric verification
  • Certifications: SOC 2 Type II, ISO 27001
  • API Latency: ~8s average per verification
  • Routing: Default provider for all FATF member countries

5.2 Secondary - Sumsub

  • Coverage: 220+ countries, real-time checks
  • Strength: Broader emerging market coverage
  • API Latency: ~6s average per verification
  • Routing: Used for non-FATF jurisdictions and countries unsupported by Onfido

5.3 Routing Logic

The compliance-api service (port 8100) wraps both providers behind a unified interface. Routing decisions follow this order:

  1. If the user's jurisdiction is a FATF member country and Onfido supports it, route to Onfido.
  2. If the user's jurisdiction is not a FATF member, or Onfido does not support the document type, route to Sumsub.
  3. If the primary provider returns 3 consecutive failures (timeout, 5xx, or verification system error), automatic failover to the secondary provider activates.
  4. Health checks run every 60 seconds against both provider APIs. An unhealthy provider is removed from the routing pool until it recovers.
Privacy guarantee: Neither provider receives the user's wallet address, transaction history, or on-chain identity. They receive only the minimum identity documents required for the specific proof type. Results are converted to ZK attestations immediately and the raw verification data is purged within 24 hours.

6. Proof System Migration Strategy

When ZK circuits are upgraded - whether for security patches, new proof types, or proving system migration (e.g., Groth16 to PLONK) - a structured 5-phase epoch migration ensures no user is disrupted and no valid position is forcibly liquidated.

PhaseTimelineAction
AnnounceDay 0Publish new circuit specs, update SDK, notify all integrated services via compliance-api webhook
Dual-AcceptDay 1 - 90Both old and new proofs accepted by verifier contracts. Users can migrate at their own pace.
Soft-DeprecationDay 91 - 120Old proofs still accepted but transactions carry a deprecation warning flag in the proof record
Hard-DeprecationDay 121 - 150Old proofs rejected for new transactions. Existing open positions are grandfathered until their proofs expire naturally.
DeactivationDay 151+Old verifier contract deactivated. All active proofs must use the new circuit.

Emergency Migration Path

If a critical vulnerability is discovered in an active circuit, the standard 150-day timeline is too slow. An emergency path compresses the entire migration to 7 days. This requires a 14-of-20 validator vote (matching the bridge quorum threshold) and must include simultaneous JILHQ announcement plus validator config push to all nodes.

During an emergency migration, the Dual-Accept window is reduced to 3 days, Soft-Deprecation to 2 days, and Hard-Deprecation to 2 days. Deactivation occurs immediately after Hard-Deprecation ends. Users with expiring positions receive automated notifications via the wallet-api webhook channel.

7. Cross-Reference Matrix

This matrix maps each operational parameter to its owning service, configuration source, and governance requirements for changes.

ParameterOwning ServiceConfig SourceChange Authority
Circuit gas costsproof-verifier :8250On-chain verifier contractContract upgrade (14/20 vote)
Batch discount rateproof-verifier :8250On-chain verifier contractContract upgrade (14/20 vote)
Jurisdiction rule setsrule-engine :8460config/jurisdiction-rules/Compliance officer + JILHQ push
Conflict resolution orderrule-engine :8460Hardcoded (strict interpretation)Governance proposal
Proof validity windowscompliance-api :8100compliance_config tableCompliance officer approval
Risk score thresholdcompliance-api :8100compliance_config tableCompliance officer approval
KYC provider routingcompliance-api :8100Environment variablesOps team (no governance needed)
Migration phase timelinesproof-verifier :8250On-chain epoch registry14/20 validator vote
Emergency migration triggerJILHQ :8054Validator consensus14/20 validator vote (emergency)