An Extended LDP-BBS 2020 and ZKP-LD Playground

Transcript

1. An Extended LDP-BBS 2020 and ZKP-LD Playground Dan Yamamoto (Internet

   Initiative Japan Inc.) Kazue Sako (Waseda University) 2021-10-13 @ IIW 33

2. LDP-BBS 2020 2 ◼ Features ⚫ selective disclosure ⚫ linked

   data / linked data proofs ◼ Specification ⚫ https://w3c-ccg.github.io/ldp-bbs2020/ ◼ Implementation ⚫ https://github.com/mattrglobal/jsonld- signatures-bbs did:example:A... John Smith birthDate 1980-01-01 https://X.../1 name credentialSubject VerifiableCredential type Signature001 proof sign signature derive Issuer issuer's secret key Holder proof Verifier verify issuer's public key unsigned VC VC VC revealed indicies VP subset VP accept / reject VC VP VC

3. Some Issues of LDP-BBS2020 3 ◼ limited selective disclosure; unable

   to hide `id` ◼ no "predicate proofs" e.g., range proofs, set-membership proofs, ... Issues around zero-knowledge proofs ◼ credential aggregation = to compound multiple VCs into single VP with associated proofs, enabling us to prove some values in the VCs are equivalent without revealing the values themselves ◼ not supported in LDP-BBS 2020 yet No credential aggregation did:example:ABCD... John Smith birthDate 1980-01-01 https://example.org/ 001 name credentialSubject VerifiableCredential type Signature001 proof hide can't hide

4. LDP-BBS 2020 4 did:example:A... John Smith homeLocation https://X.../1 name credentialSubject

   VerifiableCredential type Signature001 proof <https://X.../1> <...type> <...VerifiableCredential> . LD Canonicalization N-quads statements <https://X.../1> <...credentialSubject> <did:example:A...> . <https://X.../1> <...proof> <...Signature001> . <did:example:A...> <...name> "John Smith" . <did:example:A...> <...homeLocation> <http://B...> . 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5 sign sign 𝜎 http://B... attributes unsigned VC issuer issuer's secret key signed VC ZKProof (e.g., selective disclosure) can be constructed statement-wise only

5. Our Extension: Termwise Signing 5 <https://X.../1> <...type> <...VerifiableCredential> . LD

   Canonicalization N-quads statements <https://X.../1> <...credentialSubject> <did:example:A...> . <https://X.../1> <...proof> <...Signature001> . <did:example:A...> <...name> "John Smith" . <did:example:A...> <...homeLocation> <http://B...> . 𝑎1 𝑎2 𝑎3 𝑎4 ⋮ sign sign 𝜎 𝑎1 𝑎2 𝑎3 𝑎4 𝑎5 𝑎6 𝑎7 𝑎8 𝑎9 𝑎10 𝑎11 𝑎12 𝑎13 𝑎14 𝑎15 𝑎16 𝑎17 𝑎18 𝑎19 𝑎20 did:example:A... John Smith homeLocation https://X.../1 name credentialSubject VerifiableCredential type Signature001 proof http://B... attributes unsigned VC issuers secret key signed VC Issuer sign each terms rather than each statements

6. Extended LDP-BBS2020 6 The Power of PowerPoint - thepopp.com ◼

   Termwise ZKProofs ⚫ Termwise selective disclosure ⚫ Termwise equality proofs ⚫ Range proofs, set-membership proofs (*not implemented yet) ◼ + Credential aggregation (n VCs -> 1 VP) ◼ + Remove blank node labels from derived proofs ◼ with... ⚫ increased computational cost (<= 4x) ⚫ increased proof size (<= 4x) (signature size are the same as the original)

7. Use Case 7 Holder Verifier Issuer X Private VC (proof

   of residence) VP Issuer Y Issuer Z Public VC (land registry) Public VC (stats data) "I own an area that is at least 100 square meters and live in a city with a population over 200000" asserted by Issuer Y asserted by Issuer Z asserted by Issuer X issued by Y did:example:A... 300 m2 https://landB... ownedBy area land B name "an area, named land B, with at least 100 square meters is owned by did:example:A..." issued by Z 350000 https://cityA... population City A name "a city, named city A, has a population 350000" 7 "John Smith, born on 1980-01-01, lives in City A" issued by X 1980-01-01 did:example:A... birthDate John Smith name https://cityA... homeLocation issued by X 1980-01-01 did:example:A... birthDate John Smith name issued by Z 350000 https://cityA... population City A name homeLocation issued by Y 300 m2 https://landB... ownedBy area land B name

8. Implementations and Demo 8 The Power of PowerPoint - thepopp.com

   ◼ jsonld-signatures-bbs (forked from MATTR's) ◼ bls12381-key-pair (forked from MATTR's) ◼ bbs-signatures (forked from MATTR's) Implementations (published on Github and npm) ◼ a playground for developers ◼ able to sign JSON-LD documents (as Issuer) ◼ able to verify signed documents and derive proofs from them (as Holder) ◼ able to verify derived proofs (as Verifier) Demo: ZKP-LD Playground (https://playground.zkp-ld.org)

9. Future Work 9 The Power of PowerPoint - thepopp.com ◼

   Support JWK key and VC with multiple proofs ◼ Add recipient binding mechanism ◼ Improve efficiency ⚫ reduce redundancy ⚫ (future) adopt different signature schemes incl. efficient redactable signatures [Sanders, PKC 2020] ◼ Have more rigorous security & privacy analysis (incl. provable security) ◼ Design language to describe range / set-membership proofs (extended JSON-LD frame?) ◼ ...