An Experimental Version of JSON-LD BBS+ Verifiable Credentials Dan Yamamoto (Internet Initiative Japan) 2023-11-10 

Our work 1 ◼ Experimental JSON-LD BBS+ Verifiable Credentials with... ✓ Selective disclosure ✓ Signature hiding for unlinkability ✓ Proof of equality for hidden attributes ✓ Blind signature for private holder binding ✓ Pairwise pseudonymous identifier (PPID) ✓ Predicate proofs  Revocation, issuer-hiding, secure key storage, ...  Documentation, rigorous security review, standardization, ... 

Example Use Case 2 Issuer Verifier Holder 

Example Use Case 3 xyz: Person name = John Smith credentialSubject : Vaccination date = 2022-04-04 lotNo = 9999999 isPatientOf code#123 : Vaccine vaccine vc#1: VerifiableCredential issuer = gov; proof = sig1 VC1 bound to Holder's secret Issuer Verifier Holder 

xyz: Person name = John Smith : Vaccination date = 2022-04-04 lotNo = 9999999 isPatientOf code#123 : Vaccine vaccine Example Use Case 4 VC1 vc#1: VerifiableCredential issuer = gov; proof = sig1 credentialSubject Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! 

xyz: Person name = John Smith : Vaccination date = 2022-04-04 lotNo = 9999999 isPatientOf cvx#207 : Vaccine vaccine Example Use Case 5 VC1 code#123 vc#1: VerifiableCredential issuer = gov; proof = sig1 credentialSubject Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! Is it authorized? 

xyz: Person name = John Smith : Vaccination date = 2022-04-04 lotNo = 9999999 isPatientOf cvx#207 : Vaccine vaccine Example Use Case 6 VC1 VC2 : VerifiableCredential issuer = prv; proof = sig2 code#123: Vaccine name = Awesome Vaccine manufacturer = Example.com status = authorized credentialSubject download code#123 vc#1: VerifiableCredential issuer = gov; proof = sig1 credentialSubject Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! Is it authorized? Issuer (vaccine info provider) 

xyz: Person name = John Smith : Vaccination date = 2022-04-04 lotNo = 9999999 isPatientOf cvx#207 : Vaccine vaccine Example Use Case 7 VC1 VC2 : VerifiableCredential issuer = prv; proof = sig2 code#123: Vaccine name = Awesome Vaccine manufacturer = Example.com status = authorized credentialSubject code#123 vc#1: VerifiableCredential issuer = gov; proof = sig1 credentialSubject Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! Is it authorized? Issuer (vaccine info provider) download link data 

xyz: Person name = John Smith : Vaccination date = 2022-04-04 lotNo = 9999999 isPatientOf code#123 : Vaccine vaccine Example Use Case 8 VC1 VC2 : VerifiableCredential issuer = prv; proof = sig2 code#123: Vaccine name = Awesome Vaccine manufacturer = Example.com status = authorized credentialSubject vc#1: VerifiableCredential issuer = gov; proof = sig1 credentialSubject Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! Issuer (vaccine info provider) link data 

xyz: Person name = John Smith : Vaccination date = 2022-04-04 lotNo = 9999999 isPatientOf code#123 : Vaccine vaccine Example Use Case 9 VC1 VC2 : VerifiableCredential issuer = prv; proof = sig2 code#123: Vaccine name = Awesome Vaccine manufacturer = Example.com status = authorized credentialSubject *** **************** **************** ********* ********* ********************** ************************* vc#1: VerifiableCredential issuer = gov; proof = sig1 selective disclosure *** credentialSubject Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! Issuer (vaccine info provider) 

xyz: Person name = John Smith : Vaccination date = 2022-04-04 lotNo = 9999999 isPatientOf code#123 : Vaccine vaccine Example Use Case 10 VC1 VC2 : VerifiableCredential issuer = prv; proof = sig2 code#123: Vaccine name = Awesome Vaccine manufacturer = Example.com status = authorized credentialSubject *** **************** **************** *** X *** *** X *** ********************** ************************* proof of equality vc#1: VerifiableCredential issuer = gov; proof = sig1 *** credentialSubject Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! Issuer (vaccine info provider) selective disclosure 

xyz: Person name = John Smith : Vaccination date = 2022-04-04 lotNo = 9999999 isPatientOf code#123 : Vaccine vaccine Example Use Case 11 VC1 VC2 : VerifiableCredential issuer = prv; proof = ... code#123: Vaccine name = Awesome Vaccine manufacturer = Example.com status = authorized credentialSubject *** **************** **************** *** X *** *** X *** ********************** ************************* *** vc#1: VerifiableCredential issuer = gov; proof = 署名値 *** **** signature hiding credentialSubject Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! Issuer (vaccine info provider) proof of equality selective disclosure 

xyz: Person name = John Smith : Vaccination date = 2022-04-04 lotNo = 9999999 isPatientOf code#123 : Vaccine vaccine Example Use Case 12 VC1 VC2 : VerifiableCredential issuer = prv; proof = ... code#123: Vaccine name = Awesome Vaccine manufacturer = Example.com status = authorized credentialSubject *** **************** **************** *** X *** *** X *** ********************** ************************* *** vc#1: VerifiableCredential issuer = gov; proof = 署名値 *** **** signature hiding credentialSubject Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! Issuer (vaccine info provider) proof of equality selective disclosure >= 2022-04 Predicate Proof 

xyz: Person name = John Smith : Vaccination date = 2022-04-04 lotNo = 9999999 isPatientOf code#123 : Vaccine vaccine Example Use Case 13 VC1 VC2 : VerifiableCredential issuer = prv; proof = ... code#123: Vaccine name = Awesome Vaccine manufacturer = Example.com status = authorized credentialSubject *** **************** **************** *** X *** *** X *** ********************** ************************* vc#1: VerifiableCredential issuer = gov; proof = 署名値 *** **** proof of secret knowledge credentialSubject Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! Issuer (vaccine info provider) signature hiding proof of equality selective disclosure *** >= 2022-04 Predicate Proof 

xyz: Person name = John Smith : Vaccination date = 2022-04-04 lotNo = 9999999 isPatientOf code#123 : Vaccine vaccine Example Use Case 14 VC1 VC2 : VerifiableCredential issuer = prv; proof = ... code#123: Vaccine name = Awesome Vaccine manufacturer = Example.com status = authorized credentialSubject *** **************** **************** *** X *** *** X *** ********************** ************************* vc#1: VerifiableCredential issuer = gov; proof = 署名値 *** **** credentialSubject Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! Issuer (vaccine info provider) signature hiding proof of equality selective disclosure *** VP proof of secret knowledge >= 2022-04 Predicate Proof 

xyz: Person name = John Smith : Vaccination date = 2022-04-04 lotNo = 9999999 isPatientOf code#123 : Vaccine vaccine Example Use Case 15 VC1 VC2 : VerifiableCredential issuer = prv; proof = ... code#123: Vaccine name = Awesome Vaccine manufacturer = Example.com status = authorized credentialSubject *** **************** **************** *** X *** *** X *** ********************** ************************* vc#1: VerifiableCredential issuer = gov; proof = 署名値 *** **** credentialSubject Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! Issuer (vaccine info provider) signature hiding proof of equality selective disclosure *** VP I (anonymized) got vaccinated using authorized vaccine (anonymized) after April 2022 (without exact date) proof of secret knowledge >= 2022-04 Predicate Proof 

Prototype Implementation jsonld-proofs rdf-proofs-wasm rdf-proofs zkp-ld-playground docknetwork/crypto demo apps JSON-LD processing RDF processing BBS+ and zk-SNARKs 16 thin wrapper https://github.com/zkp-ld/ ◆issue & verify JSON-LD VC ◆compose & verify JSON-LD VP ◆issue & verify N-Quads VC ◆compose & verify N-Quads VP ◆issue & verify N-Quads VC ◆compose & verify N-Quads VP ◆sign & verify integer array ◆derive & verify ZKP for integer array 

Playground 17 https://playground.zkp-ld.org/ 

Termwise Encoding with RDF Canonicalization Holder Verifier Issuer Verifiable Credential (VC) Verifiable Presentation (VP) 

JSON-LD 19 xyz: Person name = John Smith credentialSubject : Vaccination date = 2023-01-01 lotNo = 9999999 isPatientOf code#123 : Vaccine vaccine : VerifiableCredential issuer = gov; proof = sig1 { "credentialSubject": { "id": "xyz", "name": "John Smith" "isPatientOf": { "date": "2023-01-01", "vaccine": "code#123" } }, ... } JSON-LD document 

Fill the Gap between JSON-LD and BBS+ 20 { "credentialSubject": { "id": "xyz", "name": "John Smith" "isPatientOf": { "date": "2023-01-01", "vaccine": "code#123" } }, ... } 9139018... 8394757... 4937101... ... BBS+. sign Issuer's secret key signature 𝑚1 𝑚2 𝑚3 scalars to be signed encode BBS+ requires an array of scalars as input, rather than JSON-LD → some type of encoding is necessary  Schema mapping  JSON Pointer  N-Quads statement-wise encoding  N-Quads termwise encoding JSON-LD document 

Termwise Encoding 21 1. Convert JSON-LD to RDF N-Quads 2. Disambiguate N-Quads data (Canonicalization) 3. Decompose N-Quads data into terms 4. Encode each term to scalar 5. Feed the array of scalars into the BBS+ sign/verify algorithm 

22 { "credentialSubject": { "id": "xyz", "name": "John Smith" "isPatientOf": { "date": "2023-01-01", "vaccine": "code#123" } } } JSON-LD document (1) Convert JSON-LD into RDF N-Quads 

23 { "credentialSubject": { "id": "xyz", "name": "John Smith" "isPatientOf": { "date": "2023-01-01", "vaccine": "code#123" } } } JSON-LD document _:b0 credentialSubject xyz xyz name "John Smith" xyz isPatientOf _:b1 _:b1 date "2023-01-01"^^xsd:date _:b1 vaccine code#123 N-Quads document toRDF (1) Convert JSON-LD into RDF N-Quads 

24 { "credentialSubject": { "id": "xyz", "name": "John Smith" "isPatientOf": { "date": "2023-01-01", "vaccine": "code#123" } } } JSON-LD document _:b0 credentialSubject xyz xyz name "John Smith" xyz isPatientOf _:b1 _:b1 date "2023-01-01"^^xsd:date _:b1 vaccine code#123 N-Quads document toRDF _:foo credentialSubject xyz xyz name "John Smith" xyz isPatientOf _:bar _:bar date "2023-01-01"^^xsd:date _:bar vaccine code#123 toRDF (1) Convert JSON-LD into RDF N-Quads 

25 { "credentialSubject": { "id": "xyz", "name": "John Smith" "isPatientOf": { "date": "2023-01-01", "vaccine": "code#123" } } } JSON-LD document _:b0 credentialSubject xyz xyz name "John Smith" xyz isPatientOf _:b1 _:b1 date "2023-01-01"^^xsd:date _:b1 vaccine code#123 N-Quads document toRDF _:foo credentialSubject xyz xyz name "John Smith" xyz isPatientOf _:bar _:bar date "2023-01-01"^^xsd:date _:bar vaccine code#123 toRDF _:bar vaccine code#123 xyz isPatientOf _:bar _:bar date "2023-01-01"^^xsd:date xyz name "John Smith" _:foo credentialSubject xyz toRDF (1) Convert JSON-LD into RDF N-Quads 

26 { "credentialSubject": { "id": "xyz", "name": "John Smith" "isPatientOf": { "date": "2023-01-01", "vaccine": "code#123" } } } JSON-LD document _:b0 credentialSubject xyz xyz name "John Smith" xyz isPatientOf _:b1 _:b1 date "2023-01-01"^^xsd:date _:b1 vaccine code#123 N-Quads document toRDF _:foo credentialSubject xyz xyz name "John Smith" xyz isPatientOf _:bar _:bar date "2023-01-01"^^xsd:date _:bar vaccine code#123 toRDF _:bar vaccine code#123 xyz isPatientOf _:bar _:bar date "2023-01-01"^^xsd:date xyz name "John Smith" _:foo credentialSubject xyz toRDF (1) Convert JSON-LD into RDF N-Quads One RDF dataset can have multiple isomorphic RDF N-Quads representations 

(2) Disambiguate N-Quads (Canonicalization) 27 _:b0 credentialSubject xyz xyz name "John Smith" xyz isPatientOf _:b1 _:b1 date "2023-01-01"^^xsd:date _:b1 vaccine code#123 N-Quads document _:foo credentialSubject xyz xyz name "John Smith" xyz isPatientOf _:bar _:bar date "2023-01-01"^^xsd:date _:bar vaccine code#123 _:bar vaccine code#123 xyz isPatientOf _:bar _:bar date "2023-01-01"^^xsd:date xyz name "John Smith" _:foo credentialSubject xyz 

(2) Disambiguate N-Quads (Canonicalization) 28 _:b0 credentialSubject xyz xyz name "John Smith" xyz isPatientOf _:b1 _:b1 date "2023-01-01"^^xsd:date _:b1 vaccine code#123 N-Quads document _:foo credentialSubject xyz xyz name "John Smith" xyz isPatientOf _:bar _:bar date "2023-01-01"^^xsd:date _:bar vaccine code#123 _:bar vaccine code#123 xyz isPatientOf _:bar _:bar date "2023-01-01"^^xsd:date xyz name "John Smith" _:foo credentialSubject xyz _:c14n0 date "2023-01-01"^^xsd:date _:c14n0 vaccine code#123 _:c14n1 credentialSubject xyz xyz isPatientOf _:c14n0 xyz name "John Smith" canon Canonicalized N-Quads ✓ deterministically relabel blank nodes ✓ sort in the code order 

(3) Decompose N-Quads into Terms 29 _:c14n0 date "2023-01-01"^^xsd:date _:c14n0 vaccine code#123 _:c14n1 credentialSubject xyz xyz isPatientOf _:c14n0 xyz name "John Smith" Canonicalized N-Quads 

(3) Decompose N-Quads into Terms 30 _:c14n0 date "2023-01-01"^^xsd:date _:c14n0 vaccine code#123 _:c14n1 credentialSubject xyz xyz isPatientOf _:c14n0 xyz name "John Smith" Canonicalized N-Quads _:c14n0 date "2023-01-01"^^xsd:date code#123 _:c14n0 vaccine 1 4 2 5 3 6 ... split 

(4) Encode each Term to Scalar 31 _:c14n0 date "2023-01-01"^^xsd:date _:c14n0 vaccine code#123 _:c14n1 credentialSubject xyz xyz isPatientOf _:c14n0 xyz name "John Smith" Canonicalized N-Quads _:c14n0 date "2023-01-01"^^xsd:date code#123 _:c14n0 vaccine 1 4 2 5 3 6 9139018... 7975413... 1672531200 4937101... 9139018... 1106247... ... 1 4 2 5 3 6 ... split to Scalar 

(4) Encode each Term to Scalar 32 _:c14n0 date "2023-01-01"^^xsd:date _:c14n0 vaccine code#123 _:c14n1 credentialSubject xyz xyz isPatientOf _:c14n0 xyz name "John Smith" Canonicalized N-Quads _:c14n0 date "2023-01-01"^^xsd:date code#123 _:c14n0 vaccine 1 4 2 5 3 6 9139018... 7975413... 1672531200 4937101... 9139018... 1106247... ... 1 4 2 5 3 6 ... if datatype == date or dateTime: convert it into UNIX timestamp if datatype == integer: do nothing otherwise: hash to scalar split to Scalar 

(5) Feed Scalars into BBS+ 33 _:c14n0 date "2023-01-01"^^xsd:date _:c14n0 vaccine code#123 _:c14n1 credentialSubject xyz xyz isPatientOf _:c14n0 xyz name "John Smith" Canonicalized N-Quads _:c14n0 date "2023-01-01"^^xsd:date code#123 _:c14n0 vaccine 1 4 2 5 3 6 9139018... 7975413... 1672531200 4937101... 9139018... 1106247... ... 1 4 2 5 3 6 ... BBS+. sign Issuer's secret key signature split to Scalar 

(5') Embed Holder's Secret using Blind Signatures 34 9139018... 7975413... 1672531200 4937101... 9139018... 1106247... 1 4 2 5 3 6 ... BBS+. blind sign Issuer's secret key blinded signature {blinded secret} 0 BBS+. unblind signature 9139018... 7975413... 1672531200 4937101... 9139018... 1106247... 1 4 2 5 3 6 ... BBS+. sign Issuer's secret key {secret} 0 

Selective Disclosure Holder Verifier Issuer Verifiable Credential (VC) Verifiable Presentation (VP) 

Selective Disclosure 36 VC issued by Issuer VC' to be shown to Verifier { "credentialSubject": { "id": "xyz", "firstName": "John", "isPatientOf": { "date": "2023-01-01" } } Holder Selective Disclosure { "credentialSubject": { "id": "xyz", "firstName": "John", "isPatientOf": { "date": "2023-01-01" } } 

Selective Disclosure 37 VC issued by Issuer VC' to be shown to Verifier { "credentialSubject": { "id": "xyz", "firstName": "John", "isPatientOf": { "date": "2023-01-01" } } Holder Selective Disclosure { "credentialSubject": { "id": "xyz", "firstName": "John", "isPatientOf": { "date": "2023-01-01" } } remove attribute 

Selective Disclosure 38 VC issued by Issuer VC' to be shown to Verifier { "credentialSubject": { "id": "xyz", "firstName": "John", "isPatientOf": { "date": "2023-01-01" } } Holder Selective Disclosure { "credentialSubject": { "id": "_:000", "firstName": "John", "isPatientOf": { "date": "2023-01-01" } } remove attribute replace value with blank node 

Selective Disclosure 39 VC issued by Issuer VC' to be shown to Verifier { "credentialSubject": { "id": "xyz", "firstName": "John", "isPatientOf": { "date": "2023-01-01" } } Holder Selective Disclosure { "credentialSubject": { "id": "_:000", "firstName": "John", "isPatientOf": { "date": "2023-01-01" } } remove attribute _:foo credentialSubject xyz xyz firstName "John" xyz isPatientOf _:bar _:bar date "2023-01-01" _:foo credentialSubject _:000 _:000 isPatientOf _:bar _:bar date "2023-01-01" toRDF toRDF replace value with blank node 

Challenge 40 _:foo credentialSubject xyz xyz firstName "John" xyz isPatientOf _:bar _:bar date "2023-01-01" _:foo credentialSubject _:000 _:000 isPatientOf _:bar _:bar date "2023-01-01" VC issued by Issuer VC' to be shown to Verifier Holder 

Challenge 41 _:c14n0 date "2023-01-01" _:c14n1 credentialSubject xyz xyz firstName "John" xyz isPatientOf _:c14n0 _:foo credentialSubject xyz xyz firstName "John" xyz isPatientOf _:bar _:bar date "2023-01-01" _:foo credentialSubject _:000 _:000 isPatientOf _:bar _:bar date "2023-01-01" VC issued by Issuer VC' to be shown to Verifier canon Holder 

Challenge 42 _:c14n0 date "2023-01-01" _:c14n1 credentialSubject xyz xyz firstName "John" xyz isPatientOf _:c14n0 _:foo credentialSubject xyz xyz firstName "John" xyz isPatientOf _:bar _:bar date "2023-01-01" _:foo credentialSubject _:000 _:000 isPatientOf _:bar _:bar date "2023-01-01" _:c14n0 isPatientOf _:c14n1 _:c14n1 date "2023-01-01" _:c14n2 credentialSubject _:c14n0 VC issued by Issuer VC' to be shown to Verifier canon canon Holder 

Challenge 43 _:c14n0 date "2023-01-01" _:c14n1 credentialSubject xyz xyz firstName "John" xyz isPatientOf _:c14n0 _:foo credentialSubject xyz xyz firstName "John" xyz isPatientOf _:bar _:bar date "2023-01-01" _:foo credentialSubject _:000 _:000 isPatientOf _:bar _:bar date "2023-01-01" _:c14n0 isPatientOf _:c14n1 _:c14n1 date "2023-01-01" _:c14n2 credentialSubject _:c14n0 VC issued by Issuer VC' to be shown to Verifier canon canon Holder Even after canonicalization, datasets of Holder and Verifier may differ in: blank node labels and quad order 

Challenge 44 _:c14n0 date "2023-01-01" _:c14n1 credentialSubject xyz xyz firstName "John" xyz isPatientOf _:c14n0 _:foo credentialSubject xyz xyz firstName "John" xyz isPatientOf _:bar _:bar date "2023-01-01" _:foo credentialSubject _:000 _:000 isPatientOf _:bar _:bar date "2023-01-01" _:c14n0 isPatientOf _:c14n1 _:c14n1 date "2023-01-01" _:c14n2 credentialSubject _:c14n0 VC issued by Issuer VC' to be shown to Verifier canon canon Holder Even after canonicalization, datasets of Holder and Verifier may differ in: blank node labels and quad order We introduce index map to handle quad order differences and use Selective Disclosure (ZKP) to deal with the blank node label differences 

(1) Holder Calculates Index Map 𝜓 45 _:c14n0 date "2023-01-01" _:c14n1 credentialSubject xyz xyz firstName "John" xyz isPatientOf _:c14n0 _:foo credentialSubject xyz xyz firstName "John" xyz isPatientOf _:bar _:bar date "2023-01-01" _:foo credentialSubject _:000 _:000 isPatientOf _:bar _:bar date "2023-01-01" _:c14n0 isPatientOf _:c14n1 _:c14n1 date "2023-01-01" _:c14n2 credentialSubject _:c14n0 VC issued by Issuer VC' to be shown to Verifier Holder canon canon _:c14n1 date "2023-01-01" _:c14n2 credentialSubject _:c14n0 _:c14n0 isPatientOf _:c14n1 index map 𝜓 

(2) Holder Generates ZK proof 𝜋 46 VC issued by Issuer VC' to be shown to Verifier Holder _:c14n1 date "2023-01-01" _:c14n2 credentialSubject _:c14n0 _:c14n0 isPatientOf _:c14n1 ≃ _:c14n0 date "2023-01-01" _:c14n1 credentialSubject xyz xyz firstName "John" xyz isPatientOf _:c14n0 

(2) Holder Generates ZK proof 𝜋 47 VC issued by Issuer VC' to be shown to Verifier Holder _:c14n1 date "2023-01-01" _:c14n2 credentialSubject _:c14n0 _:c14n0 isPatientOf _:c14n1 _:c14n0 date "2023-01-01" _:c14n1 credentialSubject xyz xyz firstName "John" xyz isPatientOf _:c14n0 ≃ deleted statements and all blank nodes are to be treated as unrevealed values 

(2) Holder Generates ZK proof 𝜋 48 VC issued by Issuer VC' to be shown to Verifier Holder _:c14n1 date "2023-01-01" _:c14n2 credentialSubject _:c14n0 _:c14n0 isPatientOf _:c14n1 _:c14n0 date "2023-01-01" _:c14n1 credentialSubject xyz xyz firstName "John" xyz isPatientOf _:c14n0 _:c14n0 date "2023-01-01" xyz _:c14n1 credentialSubject 1 4 2 5 3 6 reveal indexes [2, 3, 5, 11] ≃ xyz firstName "John" _:c14n0 xyz isPatientOf 7 10 8 11 9 12 deleted statements and all blank nodes are to be treated as unrevealed values split 

(2) Holder Generates ZK proof 𝜋 49 VC issued by Issuer VC' to be shown to Verifier Holder _:c14n1 date "2023-01-01" _:c14n2 credentialSubject _:c14n0 _:c14n0 isPatientOf _:c14n1 _:c14n0 date "2023-01-01" _:c14n1 credentialSubject xyz xyz firstName "John" xyz isPatientOf _:c14n0 BBS+.derive Proof 𝜋 (proof) _:c14n0 date "2023-01-01" xyz _:c14n1 credentialSubject 1 4 2 5 3 6 reveal indexes [2, 3, 5, 11] Issuer's public key, signature ≃ xyz firstName "John" _:c14n0 xyz isPatientOf 7 10 8 11 9 12 deleted statements and all blank nodes are to be treated as unrevealed values split 

(3) Send to Verifier 50 _:c14n0 date "2023-01-01" _:c14n1 credentialSubject xyz xyz firstName "John" xyz isPatientOf _:c14n0 _:foo credentialSubject xyz xyz firstName "John" xyz isPatientOf _:bar _:bar date "2023-01-01" VC issued by Issuer Holder Verifier VC' 𝜓, 𝜋 canon canon index map 𝜓 

(3) Send to Verifier 51 _:c14n0 date "2023-01-01" _:c14n1 credentialSubject xyz xyz firstName "John" xyz isPatientOf _:c14n0 _:foo credentialSubject xyz xyz firstName "John" xyz isPatientOf _:bar _:bar date "2023-01-01" _:foo credentialSubject _:000 _:000 isPatientOf _:bar _:bar date "2023-01-01" _:c14n0 isPatientOf _:c14n1 _:c14n1 date "2023-01-01" _:c14n2 credentialSubject _:c14n0 VC issued by Issuer VC' shown to Verifier Holder _:c14n1 date "2023-01-01" _:c14n2 credentialSubject _:c14n0 _:c14n0 isPatientOf _:c14n1 Verifier VC' 𝜓, 𝜋 canon canon index map 𝜓 

(3) Send to Verifier 52 _:c14n0 date "2023-01-01" _:c14n1 credentialSubject xyz xyz firstName "John" xyz isPatientOf _:c14n0 _:foo credentialSubject xyz xyz firstName "John" xyz isPatientOf _:bar _:bar date "2023-01-01" _:foo credentialSubject _:000 _:000 isPatientOf _:bar _:bar date "2023-01-01" _:c14n0 isPatientOf _:c14n1 _:c14n1 date "2023-01-01" _:c14n2 credentialSubject _:c14n0 VC issued by Issuer VC' shown to Verifier Holder _:c14n1 date "2023-01-01" _:c14n2 credentialSubject _:c14n0 _:c14n0 isPatientOf _:c14n1 Verifier VC' 𝜓, 𝜋 _:c14n1 date "2023-01-01" ... split BBS+.verify Proof 1 or 0 canon canon index map 𝜓 

(3) Send to Verifier 53 _:c14n0 date "2023-01-01" _:c14n1 credentialSubject xyz xyz firstName "John" xyz isPatientOf _:c14n0 _:foo credentialSubject xyz xyz firstName "John" xyz isPatientOf _:bar _:bar date "2023-01-01" _:foo credentialSubject _:000 _:000 isPatientOf _:bar _:bar date "2023-01-01" _:c14n0 isPatientOf _:c14n1 _:c14n1 date "2023-01-01" _:c14n2 credentialSubject _:c14n0 VC issued by Issuer VC' shown to Verifier Holder _:c14n1 date "2023-01-01" _:c14n2 credentialSubject _:c14n0 _:c14n0 isPatientOf _:c14n1 Verifier VC' 𝜓, 𝜋 _:c14n1 date "2023-01-01" ... split BBS+.verify Proof 1 or 0 canon canon index map Issuer's public key, proof 𝜋 𝜓 

*How to Generate Index Map 𝜓 54 _:c14n0 date "2023-01-01" _:c14n1 credentialSubject xyz xyz firstName "John" xyz isPatientOf _:c14n0 _:foo credentialSubject xyz xyz firstName "John" xyz isPatientOf _:bar _:bar date "2023-01-01" _:foo credentialSubject _:000 _:000 isPatientOf _:bar _:bar date "2023-01-01" _:c14n0 isPatientOf _:c14n1 _:c14n1 date "2023-01-01" _:c14n2 credentialSubject _:c14n0 VC issued by Issuer VC' shown to Verifier Holder _:c14n1 date "2023-01-01" _:c14n2 credentialSubject _:c14n0 _:c14n0 isPatientOf _:c14n1 𝜓 canon canon index map 

*How to Generate Index Map 𝜓 55 _:c14n0 date "2023-01-01" _:c14n1 credentialSubject xyz xyz firstName "John" xyz isPatientOf _:c14n0 _:foo credentialSubject xyz xyz firstName "John" xyz isPatientOf _:bar _:bar date "2023-01-01" _:foo credentialSubject _:000 _:000 isPatientOf _:bar _:bar date "2023-01-01" _:c14n0 isPatientOf _:c14n1 _:c14n1 date "2023-01-01" _:c14n2 credentialSubject _:c14n0 VC issued by Issuer VC' shown to Verifier Holder _:c14n1 date "2023-01-01" _:c14n2 credentialSubject _:c14n0 _:c14n0 isPatientOf _:c14n1 𝜓 deanon map 𝜙 from to _:000 xyz canon canon index map 

*How to Generate Index Map 𝜓 56 _:c14n0 date "2023-01-01" _:c14n1 credentialSubject xyz xyz firstName "John" xyz isPatientOf _:c14n0 _:foo credentialSubject xyz xyz firstName "John" xyz isPatientOf _:bar _:bar date "2023-01-01" _:foo credentialSubject _:000 _:000 isPatientOf _:bar _:bar date "2023-01-01" _:c14n0 isPatientOf _:c14n1 _:c14n1 date "2023-01-01" _:c14n2 credentialSubject _:c14n0 VC issued by Issuer VC' shown to Verifier Holder _:c14n1 date "2023-01-01" _:c14n2 credentialSubject _:c14n0 _:c14n0 isPatientOf _:c14n1 𝜓 deanon map 𝜙 from to _:000 xyz issuer canon map 𝜑 from to _:foo _:c14n1 _:bar _:c14n0 canon canon index map 

*How to Generate Index Map 𝜓 57 _:c14n0 date "2023-01-01" _:c14n1 credentialSubject xyz xyz firstName "John" xyz isPatientOf _:c14n0 _:foo credentialSubject xyz xyz firstName "John" xyz isPatientOf _:bar _:bar date "2023-01-01" _:foo credentialSubject _:000 _:000 isPatientOf _:bar _:bar date "2023-01-01" _:c14n0 isPatientOf _:c14n1 _:c14n1 date "2023-01-01" _:c14n2 credentialSubject _:c14n0 VC issued by Issuer VC' shown to Verifier Holder _:c14n1 date "2023-01-01" _:c14n2 credentialSubject _:c14n0 _:c14n0 isPatientOf _:c14n1 𝜓 deanon map 𝜙 from to _:000 xyz verifier canon map 𝜑′ from to _:000 _:c14n0 _:bar _:c14n1 _:foo _:c14n2 issuer canon map 𝜑 from to _:foo _:c14n1 _:bar _:c14n0 canon canon index map 

*How to Generate Index Map 𝜓 58 verifier canon map 𝜑′−1 from to _:c14n0 _:000 _:c14n1 _:bar _:c14n2 _:foo issuer canon map 𝜑 from to _:foo _:c14n1 _:bar _:c14n0 Φ ≔ 𝜑 ⊕ 𝜙 ∘ 𝜑′−1 from to _:c14n0 xyz _:c14n1 _:c14n0 _:c14n2 _:c14n1 𝜙 ⊕ 𝜑 from to _:000 xyz _:foo _:c14n1 _:bar _:c14n0 𝜙 ⊕ 𝜑 from to _:000 xyz _:foo _:c14n1 _:bar _:c14n0 deanon map 𝜙 from to _:000 xyz direct sum compose extended deanon map 

*How to Generate Index Map 𝜓 59 _:c14n0 date "2023-01-01" _:c14n1 credentialSubject xyz xyz firstName "John" xyz isPatientOf _:c14n0 _:foo credentialSubject xyz xyz firstName "John" xyz isPatientOf _:bar _:bar date "2023-01-01" _:foo credentialSubject _:000 _:000 isPatientOf _:bar _:bar date "2023-01-01" _:c14n0 isPatientOf _:c14n1 _:c14n1 date "2023-01-01" _:c14n2 credentialSubject _:c14n0 VC issued by Issuer VC' shown to Verifier Holder xyz isPatientOf _:c14n0 _:c14n0 date "2023-01-01" _:c14n1 credentialSubject xyz _:c14n0 date "2023-01-01" _:c14n1 credentialSubject xyz xyz firstName "John" xyz isPatientOf _:c14n0 extended deanon map Φ index map 𝜓 = [3, 0, 1] (with total length 𝐿 = 4) canon canon 0 1 2 0 1 2 3 

*Use Index Map 𝜓 60 _:c14n0 date "2023-01-01" _:c14n1 credentialSubject xyz xyz firstName "John" xyz isPatientOf _:c14n0 _:foo credentialSubject xyz xyz firstName "John" xyz isPatientOf _:bar _:bar date "2023-01-01" _:foo credentialSubject _:000 _:000 isPatientOf _:bar _:bar date "2023-01-01" _:c14n0 isPatientOf _:c14n1 _:c14n1 date "2023-01-01" _:c14n2 credentialSubject _:c14n0 VC issued by Issuer VC' shown to Verifier Holder _:c14n1 date "2023-01-01" _:c14n2 credentialSubject _:c14n0 _:c14n0 isPatientOf _:c14n1 Verifier VC' 𝜓, 𝜋 _:c14n1 date "2023-01-01" ... split BBS+.verify Proof 1 or 0 canon canon index map Issuer's public key, proof 𝜋 𝜓 = [3,0,1] 

PPID (Pairwise Pseudonymous IDentifier) Holder Verifier Issuer Verifiable Credential (VC) Verifiable Presentation (VP) 

PPID bound to Holder's Secret and Verifier's Scope 62 VC issued by Issuer Holder _:c14n0 date "2023-01-01" _:c14n1 credentialSubject xyz xyz firstName "John" xyz isPatientOf _:c14n0 BBS+.derive Proof 𝜋 (proof) _:c14n0 date "2023-01-01" xyz _:c14n1 credentialSubject 1 4 2 5 3 6 reveal indexes [2, 3, 5, 11] Issuer's public key, signature xyz firstName "John" _:c14n0 xyz isPatientOf 7 10 8 11 9 12 split {𝑠𝑒𝑐𝑟𝑒𝑡} 0 generate 𝑃𝑃𝐼𝐷 ← 𝐻 𝑠𝑐𝑜𝑝𝑒 𝑠𝑒𝑐𝑟𝑒𝑡 with Proof of Knowledge of 𝑠𝑒𝑐𝑟𝑒𝑡 using the same blinding with BBS+ (for proving equality) Verifier VC' 𝜓, 𝜋 𝑃𝑃𝐼𝐷 integrated