Vehicle Identity Lifecycle

The three Secure Element chips — EN-1 (engine), CN-2 (chassis), TN-3 (telematics) — are manufactured to the VSE-1 hardware standard and supplied to OEM manufacturing plants. Each chip generates its own independent Ed25519 keypair in hardware at factory provisioning. The private key never leaves the chip. The public key is recorded by the chip manufacturer and transferred securely to ShieldVIN's provisioning registry for subsequent VIT minting.

• 1.1
  Chip fabrication

  SE chips manufactured to VSE-1 spec. EAL5+ certification. EN-1 and CN-2 are hardened for physical tamper response (key wipe on breach). TN-3 includes cellular/BT connectivity module.
• 1.2
  In-chip keypair generation

  Each chip generates an independent Ed25519 keypair in hardware during factory provisioning. Private key is immutable and never transmitted. Public key is extracted.
• 1.3
  Public key registry transfer

  Chip serial → public key mapping is transferred securely to ShieldVIN's provisioning system under a hardware supply agreement. This is the only moment the public key moves off the chip.
• 1.4
  OEM supply

  Chips delivered to OEM manufacturing plants in sealed, certified packaging. Chip serial numbers linked to the OEM's factory code for traceability before installation.

The OEM joins the ShieldVIN VGM-1 governance consortium, establishing the commercial and technical relationship required before any vehicle can be minted. This is a one-time setup per manufacturer, with per-plant configuration for each factory code. The Manufacturer Portal is provisioned and staff credentials are issued.

• 2.1
  VGM-1 consortium agreement

  OEM signs the VGM-1 governance agreement, establishing their role, data rights, and obligations. Legal, compliance, and technical teams engaged.
• 2.2
  Factory code registration

  Each manufacturing plant is assigned a unique 8-byte factoryCode. This code appears in every VIT minted at that plant, enabling OEM-scoped fleet queries.
• 2.3
  Manufacturer Portal provisioned

  ShieldVIN provisions the OEM's environment on the Manufacturer Portal. VAP-1 API credentials issued. Staff roles configured (plant operator, recall coordinator, fleet admin).
• 2.4
  End-of-line minting workflow integration

  OEM integrates the VAP-1 minting endpoint into their end-of-line manufacturing execution system (MES). Technical integration and testing with ShieldVIN engineering team.

At the end of the production line, once the vehicle's three SE chips are installed and verified, the OEM's manufacturing system calls the ShieldVIN VAP-1 minting endpoint. A Vehicle Identity Token (VIT) is created on Midnight Network — permanently linking the physical vehicle's three hardware keys to its VIN and build record. This is the moment the vehicle acquires a cryptographic identity.

• 3.1
  Chip installation & verification

  EN-1 installed in ECU (engine bay). CN-2 installed in structural A-pillar or firewall at body-in-white stage. TN-3 installed in telematics module behind dashboard. Each chip signs a factory nonce to confirm it is live and responsive.
• 3.2
  VIN assignment

  ISO 3779 VIN assigned to the vehicle. VIN linked to the three chip public keys in the ShieldVIN provisioning system.
• 3.3
  VAP-1 mint request

  OEM's MES system calls POST /v1/vehicle/mint with VIN, three chip public keys (en1PublicKey, cn2PublicKey, tn3PublicKey), buildSpecHash, factoryCode, and mintTimestamp.
• 3.4
  VIT minted on Midnight Network

  ShieldVIN's backend deploys (or writes to) the vehicle_identity.compact contract on Midnight Network. The VIT is created with status=ACTIVE, transferCount=0, serviceCount=0, lastRecordedMileage=0. DUST consumed from ShieldVIN's reserve.
• 3.5
  Initial ownership commitment set

  OEM generates an initial ownershipHash (H(ownerSecret)) using a 32-byte random secret. This represents OEM ownership before first sale. The secret is stored in the OEM's secure system pending first ownership transfer.
• 3.6
  Minting confirmation

  VAP-1 returns a mintingReceipt (transaction ID + VIT contract address/token ID). Stored in OEM's production records. Vehicle leaves the production line with a live cryptographic identity.

The vehicle is transported from the OEM factory to an authorised dealer. The Dealer Portal is notified of incoming stock. The vehicle identity is visible to the dealer from the moment of VIT minting — dealers can verify vehicle identity via the Dealer Portal at any point during their stock holding period.

• 4.1
  Dealer credential issuance

  OEM or ShieldVIN issues the dealer with a VAP-1 dealer role credential. This gives the dealer access to their Dealer Portal and the ability to query and transfer VINs assigned to their inventory.
• 4.2
  Stock visibility

  Dealer can query VIN status via the Dealer Portal immediately. Status=ACTIVE. All public ledger fields are visible (status, transferCount=0, serviceCount=0, lastRecordedMileage=0).
• 4.3
  Dealer-side verification (optional)

  Dealer may run a live ZK proof via the Dealer Portal to confirm the vehicle's chips match the VIT before accepting delivery. Detects any transit tampering before stock is accepted.

At point of sale, the dealer executes an ownership transfer via the Dealer Portal. The first buyer's ownership commitment is written to the Midnight Network VIT. The buyer receives a vehicle identity certificate and access to their vehicle record via the Owner Portal. The dealer's subscription covers this operation — no per-transfer fee to either party.

• 5.1
  Pre-sale identity verification

  Dealer runs a live ZK proof via the Dealer Portal to confirm vehicle identity before completing the sale. Confirms status=ACTIVE, 0 prior transfers, chip keys match VIT.
• 5.2
  Buyer commitment generation

  The buyer generates a 32-byte random owner secret (via TN-3 device credential or Owner App). The dealer's system receives the buyer's commitment hash H(ownerSecret). The secret never leaves the buyer's device.
• 5.3
  Ownership transfer on-chain

  Dealer calls the VAP-1 ownership transfer endpoint. The transferOwnership() circuit updates ownershipHash to the buyer's commitment and increments transferCount to 1. DUST consumed from ShieldVIN's reserve.
• 5.4
  Vehicle identity certificate issued

  Dealer Portal generates a printable vehicle identity certificate for the buyer's handover documentation. Includes VIN, minting date, factory code, QR code linking to the live status page.
• 5.5
  Owner Portal access

  Buyer is invited to register their vehicle on the Owner Portal (my.shieldvin.org) using their owner secret. From this point they can view their vehicle's full on-chain record and generate ownership proofs.

The owner registers the vehicle with the relevant government authority (DVLA in the UK, DMV in the US, etc.). The government queries the ShieldVIN API to verify the vehicle's identity and ownership chain before issuing registration documentation. This is billed under an enterprise government contract — not per-query.

• 6.1
  Registration application

  Owner applies for vehicle registration with the national authority. Provides VIN, purchase documentation, and optionally their ShieldVIN ownership proof (generated from the Owner Portal).
• 6.2
  Government identity query

  The government agency queries the ShieldVIN VAP-1 API using their government role credential. verifyGovernment() circuit returns: status, VIN, transferCount, lastRecordedMileage, lastMilestoneTimestamp.
• 6.3
  Registration issued

  Government issues registration certificate/V5C/title document. The ShieldVIN VIT transaction ID or token reference may be recorded in the national vehicle register as a cryptographic provenance link.

Insurers and finance lenders query the ShieldVIN Verification API when underwriting a new policy or approving a vehicle finance application. Both roles receive the same verified data: vehicle identity, ownership depth, service history count, and verified mileage. Each query is billed individually at the API query rate. Mileage is verified on-chain — not self-reported — making this a uniquely trustworthy input for premium calculation and loan-to-value assessment.

• 7.1
  API query — identity + mileage

  Insurer or lender submits a VAP-1 query (insurer role credential) with the vehicle VIN. verifyInsurer() circuit returns: status, transferCount (ownership depth), serviceCount, lastRecordedMileage, lastMilestoneTimestamp.
• 7.2
  Underwriting / credit decision

  The verified data is fed into the insurer's or lender's underwriting model. On-chain mileage is the key differentiator — it cannot be clock-rolled or self-reported. Finance lenders use the same data to calculate loan-to-value.
• 7.3
  Policy or loan issued

  Insurance policy or finance agreement issued. The ShieldVIN verification transaction reference may be recorded in the policy file as evidence of due diligence.

Each time a vehicle is serviced, the service centre records the event on-chain via the Dealer/Service Portal. This increments the serviceCount and — critically — records the verified odometer reading (lastRecordedMileage) and service timestamp on Midnight Network. Because the mileage can only be written by a credentialled service provider and the smart contract enforces that mileage cannot decrease, this creates a tamper-resistant verified mileage history. Odometer fraud — one of the most common used vehicle scams — becomes provably impossible for ShieldVIN-registered vehicles.

• 8.1
  Vehicle arrives for service

  Service centre verifies vehicle identity via the Portal before work begins. Live ZK proof confirms the three chips match the VIT (prevents working on a cloned vehicle).
• 8.2
  Service completed

  Vehicle serviced per OEM or service schedule. Work recorded in the service centre's own off-chain management system.
• 8.3
  On-chain service event recorded

  Service centre calls the VAP-1 record-service endpoint with: VIN, mileage reading (from the vehicle's instrument cluster or TN-3 telematics), service timestamp. recordService() circuit asserts mileage ≥ last reading, increments serviceCount, updates lastRecordedMileage and lastMilestoneTimestamp on Midnight Network.
• 8.4
  Service confirmation to owner

  Owner receives a notification via the Owner Portal/App that a service event has been recorded. They can see the updated serviceCount and verified mileage in their vehicle record.

A used vehicle sold through a dealer follows a similar process to the first sale. The dealer verifies the vehicle's identity and full history before accepting it as trade-in or stock. At point of sale to the new owner, the ownership transfer is executed on-chain. The verified mileage and complete service count are displayed to the buyer as part of the handover documentation — providing a level of provenance that no paper service record can match.

• 9.1
  Vehicle history check

  Dealer queries VIN via Dealer Portal before accepting trade-in. Receives: status, transferCount (number of previous owners), serviceCount, lastRecordedMileage, lastMilestoneTimestamp. Live ZK proof confirms physical identity match.
• 9.2
  Seller ownership proof

  Seller generates an ownership proof from their Owner Portal or TN-3 device. This proves they hold the current ownershipHash preimage — confirming they are the registered owner before transfer.
• 9.3
  Ownership transfer on-chain

  New buyer generates their commitment. Dealer executes the transferOwnership() circuit. ownershipHash updated, transferCount incremented.
• 9.4
  Buyer receives vehicle identity certificate

  Certificate shows verified mileage, service count, number of previous owners — all from the immutable on-chain record. Printable for the handover pack.

Private vehicle sales between individuals (classified ads, direct sales) are the highest-risk fraud environment. ShieldVIN resolves this by giving the buyer a cryptographic identity check and giving the seller a trustworthy, shareable vehicle history. The transfer is completed via the Owner Portal for both parties — no dealer or broker required. A flat $5 fee applies to the private ownership transfer (Stream 4 revenue).

• 10.1
  Seller shares verification QR

  Seller generates a time-limited QR code from their Owner Portal. QR links to a live status page showing the vehicle's on-chain record (status, transferCount, serviceCount, lastRecordedMileage) — no personal data exposed.
• 10.2
  Buyer verification check

  Buyer scans QR or enters VIN in the Owner Portal. Receives cached status check (sub-second). If this is the buyer's first check this month, it is free. Subsequent checks are billed at the API query rate. The check confirms: status=ACTIVE, mileage, service count, ownership count.
• 10.3
  Live ZK proof (optional, pre-purchase)

  Buyer may optionally request a live ZK proof (≤30 seconds) to confirm the physical vehicle matches the VIT — not just the cached status. Recommended for high-value private sales.
• 10.4
  Seller proves ownership

  Seller generates an ownership proof from their Owner Portal (proves knowledge of the ownershipHash preimage). Shared with the buyer as confirmation that the seller is the legitimate registered owner.
• 10.5
  Ownership transfer on-chain

  Both parties complete the transfer via the Owner Portal. Buyer's new commitment is set, transferCount incremented. Both parties receive a transfer confirmation certificate.

Law enforcement agencies — police, border agencies, customs — use the Government Portal (or a dedicated mobile law enforcement client) for roadside vehicle checks and investigation queries. A cached status check returns in under 1 second for routine checkpoints. A live ZK proof (≤30 seconds) is used when the physical identity of the vehicle needs to be cryptographically confirmed against its chips. If a vehicle is flagged as stolen, the officer can see the VIN; otherwise the VIN is withheld from the proof.

• 11.1
  Cached status check (routine checkpoint)

  Officer queries VIN via Government Portal or mobile client. Cached status returned: ACTIVE / STOLEN / FLAGGED / RECOVERED. Sub-second response. Covers routine checkpoint volume without generating a ZK proof each time.
• 11.2
  Live ZK proof (suspected fraud/investigation)

  For suspected cloned VINs or investigation cases, officer triggers a live ZK proof. verifyPolice() circuit challenges the vehicle's three SE chips. If chips don't match the VIT → proof fails → identity rejected. Confirms the physical vehicle is the registered vehicle. Response ≤30 seconds.
• 11.3
  Stolen disclosure

  If status=STOLEN, the verifyPolice() circuit additionally discloses the VIN (for cross-referencing with national registers and initiating recovery). Other roles do not receive this VIN disclosure.
• 11.4
  Stolen flag (report)

  Officer can file a stolen report via the Government Portal. flagStolen() circuit sets status=STOLEN on the VIT. This is immediate and global — any subsequent query on this VIN returns STOLEN to all roles.
• 11.5
  Evidence pack export

  For prosecution cases, the Government Portal generates a signed evidence pack (PDF + proof hash) documenting the verification result, proof timestamp, and chain of custody for court use.

When an OEM issues a product recall, the recall flag is set on every affected VIT simultaneously via the Manufacturer Portal. This instantly makes the recall visible to every stakeholder who queries those vehicles — dealers, government agencies, insurers, and the owner via their portal. The OEM pays a per-VIN recall event fee to ShieldVIN. The DUST cost of writing to Midnight Network is handled internally by ShieldVIN and is not passed to the OEM.

• 12.1
  Recall batch definition

  OEM identifies affected VINs by date range, model line, factory code, or explicit VIN list. Manufacturer Portal supports bulk selection tools.
• 12.2
  Recall flag written on-chain

  setRecallFlag() circuit called for each affected VIT. Sets status=FLAGGED. DUST consumed per transaction from ShieldVIN's reserve. OEM is billed a flat Fiat fee per affected VIN (not per DUST transaction).
• 12.3
  Owner notification

  Owner Portal and App push a notification to all registered owners of affected vehicles. Government and dealer portals show recall flags in their dashboards.
• 12.4
  Recall service completed

  After the recall service is completed at an authorised dealer or service centre, the service event is recorded on-chain (mileage + service count updated) and the OEM clears the recall flag using clearRecallFlag() — restoring status=ACTIVE.

In the rare event that a Secure Element chip fails due to hardware fault, collision damage, or an OEM-initiated recall of a specific chip batch, a controlled node key rotation procedure is required. This is a multi-party process governed by the VAP-1 hardware-recovery.md specification. The two surviving nodes must co-sign the recovery nonce to prove physical continuity with the registered vehicle. The OEM authorises the replacement chip's new public key. ShieldVIN updates the VIT on-chain.

• 13.1
  Recovery initiated

  Dealer or OEM service centre identifies the failed node (EN-1, CN-2, or TN-3). Initiates a hardware recovery request via the Manufacturer Portal (OEM) or Dealer Portal. Vehicle owner notified.
• 13.2
  Surviving node co-signature

  The two surviving SE chips sign a recovery nonce, proving the vehicle chassis and engine identity are intact. TN-3 assembles the two signatures as witness data for the recovery proof.
• 13.3
  OEM authorisation

  OEM confirms the replacement chip's new public key via the Manufacturer Portal (ownPublicKey() check against authorizedMinterKey). Prevents unauthorised key substitution.
• 13.4
  On-chain key rotation

  nodeKeyRotation() circuit called on the VIT. The failed node's public key is replaced with the new chip's public key. All three keys are again live. ZK proof generation resumes normally.
• 13.5
  Recovery record

  Node rotation history visible in the Government Portal and Manufacturer Portal. Buyers can see whether a vehicle has undergone a hardware recovery — this is disclosed as part of the provenance record.

When a vehicle is written off, scrapped, or declared a total loss, the VIT is decommissioned. Status is permanently set to DECOMMISSIONED on Midnight Network. This prevents a scrapped vehicle's VIN from being reassigned to a salvage or cloned vehicle. The decommission can be triggered by a government authority, by the OEM (for warranty write-offs), or by an insurer following a total-loss claim — each via their respective portal with an appropriate role credential.

• 14.1
  Decommission trigger

  Government agency (end-of-life vehicle regulation), OEM (warranty write-off), or insurer (total-loss claim) initiates decommission via their portal. Reason code provided (write-off, salvage, export, end-of-life).
• 14.2
  Decommission written on-chain

  decommission(reason) circuit called. Sets status=DECOMMISSIONED permanently. Once set, no further lifecycle operations can be executed on this VIT. The record remains readable but immutable.
• 14.3
  Owner notification

  Owner (if still registered) notified via Owner Portal. Government registration databases notified. Any future query on this VIN returns DECOMMISSIONED immediately.
• 14.4
  Chip destruction confirmed

  In regulated end-of-life scenarios (EU ELV Directive), the decommissioning authority confirms physical chip destruction. This prevents chip extraction and reuse in a cloned vehicle.