Trust model
Moca Network uses a split-trust architecture where no single party holds enough information to compromise a user’s identity or access their data:

| Party | What they hold | What they cannot do |
|---|---|---|
| User (Holder) | Private keys, consent authority, credential wallet | Cannot forge credentials or bypass schema rules |
| Issuer | Authority to issue credentials, CAK public key (if enabled) | Cannot read encrypted data after issuance, cannot impersonate users |
| Verifier | Verification programs, ZK proof results | Cannot access raw data without user consent (CAK), cannot see data beyond what the proof reveals |
| Moca Chain | On-chain credential proofs, state anchors | Cannot reconstruct private keys or decrypt stored data |
| dStorage | Encrypted credential payloads | Cannot decrypt without the user-consented key |
Security layers
Zero-knowledge proofs
Credential verification uses ZK proofs by default. When a user presents a credential, the verifier receives a boolean result (“this claim is true”) without accessing the underlying personal data. No PII crosses the wire during standard verification.
MPC-based key management
User accounts are backed by multi-party computation (MPC). Private keys are never held in one place — shards are distributed so that no single party (including Moca) can reconstruct the key. Keys are only assembled in a secure execution environment at the moment of signing.
On-chain anchoring
Credential proofs are anchored on Moca Chain. This provides tamper evidence — if a credential is modified after issuance, the on-chain proof will not match.
Encrypted storage
When the Compliance Access Key (CAK) framework is enabled, raw data is encrypted with a user-controlled key and stored in decentralized storage. The data is unreadable at rest by all parties including Moca.
Account abstraction
User wallets use smart accounts (ERC-4337 account abstraction) with paymaster-sponsored gas. Users interact with the chain without managing private keys or gas tokens directly.
Further reading
Credential security
How credentials are issued, anchored, and verified without exposing PII.
Data privacy
Where data lives, what is encrypted, and who can access it.
Security checklist
Integration best practices for partners.
Privacy & Compliance (CAK)
The Compliance Access Key framework for regulated industries.