JSON-LD BBS+ Verifiable Credentials with Private Holder Binding, Pseudonym, ...

Transcript

1. JSON-LD BBS+ Verifiable Credentials with Private Holder Binding, Pseudonym, ...

   Dan Yamamoto (Internet Initiative Japan) 2023-10-10 @ IIW 37

2. Our work 1 ◼ Experimental JSON-LD BBS+ Verifiable Credentials with...

   ✓ Selective disclosure ✓ Signature hiding for unlinkability ✓ Proof of equality for hidden attributes ✓ Blind signature for private holder binding ✓ Pairwise pseudonymous identifier (PPID)  Predicate proofs (on-going)  Revocation, issuer-hiding, secure key storage, ...  Documentation, rigorous security review, standardization, ...

3. Example Use Case 2 Issuer Verifier Holder

4. Example Use Case 3 xyz: Person name = John Smith

   credentialSubject : Vaccination date = 2022-04-04 lotNo = 9999999 isPatientOf code#123 : Vaccine vaccine vc#1: VerifiableCredential issuer = gov; proof = sig1 VC1 bound to Holder's secret Issuer Verifier Holder

5. xyz: Person name = John Smith : Vaccination date =

   2022-04-04 lotNo = 9999999 isPatientOf code#123 : Vaccine vaccine Example Use Case 4 VC1 vc#1: VerifiableCredential issuer = gov; proof = sig1 credentialSubject Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 !

6. xyz: Person name = John Smith : Vaccination date =

   2022-04-04 lotNo = 9999999 isPatientOf cvx#207 : Vaccine vaccine Example Use Case 5 VC1 code#123 vc#1: VerifiableCredential issuer = gov; proof = sig1 credentialSubject Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! Is it authorized?

7. xyz: Person name = John Smith : Vaccination date =

   2022-04-04 lotNo = 9999999 isPatientOf cvx#207 : Vaccine vaccine Example Use Case 6 VC1 VC2 : VerifiableCredential issuer = prv; proof = sig2 code#123: Vaccine name = Awesome Vaccine manufacturer = Example.com status = authorized credentialSubject download code#123 vc#1: VerifiableCredential issuer = gov; proof = sig1 credentialSubject Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! Is it authorized? Issuer (vaccine info provider)

8. xyz: Person name = John Smith : Vaccination date =

   2022-04-04 lotNo = 9999999 isPatientOf cvx#207 : Vaccine vaccine Example Use Case 7 VC1 VC2 : VerifiableCredential issuer = prv; proof = sig2 code#123: Vaccine name = Awesome Vaccine manufacturer = Example.com status = authorized credentialSubject code#123 vc#1: VerifiableCredential issuer = gov; proof = sig1 credentialSubject Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! Is it authorized? Issuer (vaccine info provider) download link data

9. xyz: Person name = John Smith : Vaccination date =

   2022-04-04 lotNo = 9999999 isPatientOf code#123 : Vaccine vaccine Example Use Case 8 VC1 VC2 : VerifiableCredential issuer = prv; proof = sig2 code#123: Vaccine name = Awesome Vaccine manufacturer = Example.com status = authorized credentialSubject vc#1: VerifiableCredential issuer = gov; proof = sig1 credentialSubject Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! Issuer (vaccine info provider) link data

10. xyz: Person name = John Smith : Vaccination date =

    2022-04-04 lotNo = 9999999 isPatientOf code#123 : Vaccine vaccine Example Use Case 9 VC1 VC2 : VerifiableCredential issuer = prv; proof = sig2 code#123: Vaccine name = Awesome Vaccine manufacturer = Example.com status = authorized credentialSubject *** **************** **************** ********* ********* ********************** ************************* vc#1: VerifiableCredential issuer = gov; proof = sig1 selective disclosure *** credentialSubject Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! Issuer (vaccine info provider)

11. xyz: Person name = John Smith : Vaccination date =

    2022-04-04 lotNo = 9999999 isPatientOf code#123 : Vaccine vaccine Example Use Case 10 VC1 VC2 : VerifiableCredential issuer = prv; proof = sig2 code#123: Vaccine name = Awesome Vaccine manufacturer = Example.com status = authorized credentialSubject *** **************** **************** *** X *** *** X *** ********************** ************************* proof of equality vc#1: VerifiableCredential issuer = gov; proof = sig1 *** credentialSubject Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! Issuer (vaccine info provider) selective disclosure

12. xyz: Person name = John Smith : Vaccination date =

    2022-04-04 lotNo = 9999999 isPatientOf code#123 : Vaccine vaccine Example Use Case 11 VC1 VC2 : VerifiableCredential issuer = prv; proof = ... code#123: Vaccine name = Awesome Vaccine manufacturer = Example.com status = authorized credentialSubject *** **************** **************** *** X *** *** X *** ********************** ************************* *** vc#1: VerifiableCredential issuer = gov; proof = 署名値 *** **** signature hiding credentialSubject Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! Issuer (vaccine info provider) proof of equality selective disclosure

13. xyz: Person name = John Smith : Vaccination date =

    2022-04-04 lotNo = 9999999 isPatientOf code#123 : Vaccine vaccine Example Use Case 12 VC1 VC2 : VerifiableCredential issuer = prv; proof = ... code#123: Vaccine name = Awesome Vaccine manufacturer = Example.com status = authorized credentialSubject *** **************** **************** *** X *** *** X *** ********************** ************************* *** vc#1: VerifiableCredential issuer = gov; proof = 署名値 *** **** signature hiding credentialSubject Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! Issuer (vaccine info provider) proof of equality selective disclosure >= 2022-04 Predicate Proof

14. xyz: Person name = John Smith : Vaccination date =

    2022-04-04 lotNo = 9999999 isPatientOf code#123 : Vaccine vaccine Example Use Case 13 VC1 VC2 : VerifiableCredential issuer = prv; proof = ... code#123: Vaccine name = Awesome Vaccine manufacturer = Example.com status = authorized credentialSubject *** **************** **************** *** X *** *** X *** ********************** ************************* vc#1: VerifiableCredential issuer = gov; proof = 署名値 *** **** proof of secret knowledge credentialSubject Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! Issuer (vaccine info provider) signature hiding proof of equality selective disclosure *** >= 2022-04 Predicate Proof

15. xyz: Person name = John Smith : Vaccination date =

    2022-04-04 lotNo = 9999999 isPatientOf code#123 : Vaccine vaccine Example Use Case 14 VC1 VC2 : VerifiableCredential issuer = prv; proof = ... code#123: Vaccine name = Awesome Vaccine manufacturer = Example.com status = authorized credentialSubject *** **************** **************** *** X *** *** X *** ********************** ************************* vc#1: VerifiableCredential issuer = gov; proof = 署名値 *** **** credentialSubject Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! Issuer (vaccine info provider) signature hiding proof of equality selective disclosure *** VP proof of secret knowledge >= 2022-04 Predicate Proof

16. xyz: Person name = John Smith : Vaccination date =

    2022-04-04 lotNo = 9999999 isPatientOf code#123 : Vaccine vaccine Example Use Case 15 VC1 VC2 : VerifiableCredential issuer = prv; proof = ... code#123: Vaccine name = Awesome Vaccine manufacturer = Example.com status = authorized credentialSubject *** **************** **************** *** X *** *** X *** ********************** ************************* vc#1: VerifiableCredential issuer = gov; proof = 署名値 *** **** credentialSubject Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! Issuer (vaccine info provider) signature hiding proof of equality selective disclosure *** VP I (anonymized) got vaccinated using authorized vaccine (anonymized) after April 2022 (without exact date) proof of secret knowledge >= 2022-04 Predicate Proof

17. Prototype Implementation jsonld-proofs rdf-proofs-wasm rdf-proofs zkp-ld-playground docknetwork/crypto demo apps JSON-LD

    processing RDF processing BBS+ and zk-SNARKs 16 thin wrapper https://github.com/zkp-ld/ ◆issue & verify JSON-LD VC ◆compose & verify JSON-LD VP ◆issue & verify N-Quads VC ◆compose & verify N-Quads VP ◆issue & verify N-Quads VC ◆compose & verify N-Quads VP ◆sign & verify integer array ◆derive & verify ZKP for integer array

18. Playground 17 https://playground.zkp-ld.org/

19. Appendix

20. VC Issuance 19 1. Convert VC from JSON-LD to RDF

    N-Quads 2. Eliminate ambiguity of N-Quads data (Canonicalization) 3. Decompose N-Quads data into an array of Terms 4. Hash each Term to integer 5. Feed the array of integers into the BBS+ signing algorithm to generate a signature value

21. (1) Convert VC from JSON-LD to RDF N-Quads 20 {

    "type": "VerifiableCredential", "issuer": "gov", "proof": { }, "credentialSubject": { "id": "xyz", "type": "Person", "name": "John Smith" "isPatientOf": { "type": "Vaccination", "date": "2022-04-04", "vaccine": { "id": "code#123", "type": "Vaccine" } } } } xyz: Person name = John Smith : Vaccination date = 2022-04-04 lotNo = 9999999 isPatientOf code#123 : Vaccine vaccine vc#1: VerifiableCredential issuer = gov; proof = sig1 credentialSubject JSON-LD

22. (1) Convert VC from JSON-LD to RDF N-Quads 21 _:b0

    type VerifiableCredential _:b0 issuer gov _:b0 credentialSubject xyz xyz type Person xyz name John Smith xyz isPatientOf _:b1 _:b1 type Vaccination _:b1 date 2022-04-04 _:b1 vaccine code#123 { "type": "VerifiableCredential", "issuer": "gov", "proof": { }, "credentialSubject": { "id": "xyz", "type": "Person", "name": "John Smith" "isPatientOf": { "type": "Vaccination", "date": "2022-04-04", "vaccine": { "id": "code#123", "type": "Vaccine" } } } } JSON-LD N-Quads

23. N-Quads 22 _:b0 type VerifiableCredential _:b0 issuer gov _:b0 credentialSubject

    xyz xyz type Person xyz name John Smith xyz isPatientOf _:b1 _:b1 type Vaccination _:b1 date 2022-04-04 _:b1 vaccine code#123 { "type": "VerifiableCredential", "issuer": "gov", "proof": { }, "credentialSubject": { "id": "xyz", "type": "Person", "name": "John Smith" "isPatientOf": { "type": "Vaccination", "date": "2022-04-04", "vaccine": { "id": "code#123", "type": "Vaccine" } } } } xyz type Person xyz name John Smith xyz isPatientOf _:x _:x type Vaccination _:x date 2022-04-04 _:x vaccine code#123 _:y type VerifiableCredential _:y issuer gov _:y credentialSubject xyz RDF data has "ambiguity" in terms of blank node labels and the order of quads → We need canonical form for signing and verifying

24. (2) Eliminate ambiguity of N-Quads data (Canonicalization) 23 _:b0 type

    VerifiableCredential _:b0 issuer gov _:b0 credentialSubject xyz xyz type Person xyz name John Smith xyz isPatientOf _:b1 _:b1 type Vaccination _:b1 date 2022-04-04 _:b1 vaccine code#123 _:c14n0 date 2022-04-04 _:c14n0 type Vaccination _:c14n0 vaccine code#123 _:c14n1 type VerifiableCredential _:c14n1 credentialSubject xyz _:c14n1 issuer 政府 xyz type Person xyz isPatientOf _:c14n1 xyz name John Smith RDF Canonicalization Regardless of the original blank node labels and the order of quads, you can obtain deterministically unique labels and orders

25. (3) Decompose N-Quads data into an array of Terms 24

    _:c14n0.c8xd... date 2022-04-04 _:c14n0.c8xd... type Vaccination _:c14n0.c8xd... vaccine code#123 _:c14n1.c8xd... type VerifiableCredential _:c14n1.c8xd... credentialSubject xyz _:c14n1.c8xd... issuer gov xyz type Person xyz isPatientOf _:c14n1.c8xd... xyz name John Smith _:c14n0.c8xd... date 2022-04-04 Vaccination _:c14n0.c8xd... type John Smith xyz name ... ... ... 1 4 2 5 26 25 3 6 27

26. (4) Hash each Term to integer 25 _:c14n0 date 2022-04-04

    Vaccination _:c14n0 type John Smith xyz name ... ... ... 1 4 2 5 26 25 3 6 27 9139018... 7975413... 8394757... 4937101... 9139018... 1106247... 5388010... 6580550... 4549787... ... ... ... 1 4 2 5 26 25 3 6 27 Hash to Scalar

27. (5) Feed the array of integers into the BBS+ signing

    algorithm 26 9139018... 7975413... 8394757... 4937101... 9139018... 1106247... 5388010... 6580550... 4549787... ... ... ... 1 4 2 5 26 25 3 6 27 BBS+.sign ← Holder's secret signature { "type": "VerifiableCredential", "issuer": "gov", "proof": { BBS+ signature }, "credentialSubject": { "id": "xyz", "type": "Person", "name": "John Smith" "isPatientOf": { "type": "Vaccination", "date": "2022-04-04", "vaccine": { "id": "code#123", "type": "Vaccine" } } } } 4999362... 0 Issuer's secret key

28. VC Verification 27 9139018... 7975413... 8394757... 4937101... 9139018... 1106247... 5388010...

    6580550... 4549787... ... ... ... 1 4 2 5 26 25 3 6 27 BBS+.verify accept / reject { "type": "VerifiableCredential", "issuer": "gov", "proof": { BBS+ signature }, "credentialSubject": { "id": "xyz", "type": "Person", "name": "John Smith" "isPatientOf": { "type": "Vaccination", "date": "2022-04-04", "vaccine": { "id": "code#123", "type": "Vaccine" } } } } 4999362... 0 Issuer's public key Steps (1) to (4) are the same as Issuance

29. VP Composition 28 _:b0 credentialSubject xyz xyz name John Smith

    xyz isPatientOf _:b1 _:b1 date 2022-04-04 _:b0 credentialSubject _:x0 _:x0 isPatientOf _:b1 _:b1 date 2022-04-04 VC held by the Holder VC to be presented to the Verifier { "credentialSubject": { "id": "xyz", "name": "John Smith" "isPatientOf": { "date": "2022-04-04" } } { "credentialSubject": { "id": "_:x0", "name": "John Smith", "isPatientOf": { "date": "2022-04-04" } } remove quad replace with blank node 2 types of selective disclosure

30. VP Composition 29 Verifier must resume the original layout before

    verification _:b0 credentialSubject xyz xyz name John Smith xyz isPatientOf _:b1 _:b1 date 2022-04-04 _:b0 credentialSubject _:x0 _:x0 isPatientOf _:b1 _:b1 date 2022-04-04 _:c14n0 date 2022-04-04 _:c14n1 credentialSubject xyz xyz isPatientOf _:c14n0 xyz name John Smith _:c14n0 date 2022-04-04 _:c14n1 isPatientOf _:c14n0 _:c14n2 credentialSubject _:c14n1 canonicalize canonicalize split split _:c14n0 date 2022-04-04 _:c14n1 credentia.. xyz xyz isPatientOf _:c14n0 xyz name John Smith _:c14n0 date 2022-04-04 _:c14n1 isPatientOf _:c14n0 _:c14n2 credentia.. _:c14n1 VC held by the Holder VC to be presented to the Verifier

31. VP Composition 30 _:b0 credentialSubject xyz xyz name John Smith

    xyz isPatientOf _:b1 _:b1 date 2022-04-04 _:b0 credentialSubject _:x0 _:x0 isPatientOf _:b1 _:b1 date 2022-04-04 _:c14n0 date 2022-04-04 _:c14n1 credentialSubject xyz xyz isPatientOf _:c14n0 xyz name John Smith _:c14n0 date 2022-04-04 _:c14n1 isPatientOf _:c14n0 _:c14n2 credentialSubject _:c14n1 canonicalize canonicalize VC held by the Holder VC to be presented to the Verifier (a) anonymize from to xyz _:x0

32. VP Composition 31 _:b0 credentialSubject xyz xyz name John Smith

    xyz isPatientOf _:b1 _:b1 date 2022-04-04 _:b0 credentialSubject _:x0 _:x0 isPatientOf _:b1 _:b1 date 2022-04-04 _:c14n0 date 2022-04-04 _:c14n1 credentialSubject xyz xyz isPatientOf _:c14n0 xyz name John Smith _:c14n0 date 2022-04-04 _:c14n1 isPatientOf _:c14n0 _:c14n2 credentialSubject _:c14n1 canonicalize canonicalize VC held by the Holder VC to be presented to the Verifier (b) canonicalize from to _:b1 _:c14n0 _:x0 _:c14n1 _:b0 _:c14n2 (a) anonymize from to xyz _:x0

33. VP Composition 32 _:b0 credentialSubject xyz xyz name John Smith

    xyz isPatientOf _:b1 _:b1 date 2022-04-04 _:b0 credentialSubject _:x0 _:x0 isPatientOf _:b1 _:b1 date 2022-04-04 _:c14n0 date 2022-04-04 _:c14n1 credentialSubject xyz xyz isPatientOf _:c14n0 xyz name John Smith _:c14n0 date 2022-04-04 _:c14n1 isPatientOf _:c14n0 _:c14n2 credentialSubject _:c14n1 canonicalize canonicalize VC held by the Holder VC to be presented to the Verifier (c) canonicalize from to _:b0 _:c14n1 _:b1 _:c14n0 (a) anonymize from to xyz _:x0 (b) canonicalize from to _:b1 _:c14n0 _:x0 _:c14n1 _:b0 _:c14n2

34. VP Composition 33 (a) anonymize-1 to from _:x0 xyz (b)

    canonicalize-1 from to _:c14n0 _:b1 _:c14n1 _:x0 _:c14n2 _:b0 (c) canonicalize from to _:b0 _:c14n1 _:b1 _:c14n0 (b)-1 × ((a)-1 + (c)) from to _:c14n0 _:c14n0 _:c14n1 xyz _:c14n2 _:c14n1 (a)-1 + (c) from to _:x0 xyz _:b0 _:c14n1.a _:b1 _:c14n0.a (a)-1 + (c) from to _:x0 xyz _:b0 _:c14n1.a _:b1 _:c14n0.a

35. VP Composition 34 _:b0 credentialSubject xyz xyz name John Smith

    xyz isPatientOf _:b1 _:b1 date 2022-04-04 _:b0 credentialSubject _:x0 _:x0 isPatientOf _:b1 _:b1 date 2022-04-04 _:c14n0 date 2022-04-04 _:c14n1 credentialSubject xyz xyz isPatientOf _:c14n0 xyz name John Smith _:c14n0 date 2022-04-04 _:c14n1 isPatientOf _:c14n0 _:c14n2 credentialSubject _:c14n1 canonicalize canonicalize (b)-1 × ((a)-1 + (c)) from to _:c14n0 _:c14n0 _:c14n1 xyz _:c14n2 _:c14n1 VC held by the Holder VC to be presented to the Verifier _:c14n0 date 2022-04-04 xyz isPatientOf _:c14n0 _:c14n1 credentialSubject xyz

36. VP Composition 35 _:b0 credentialSubject xyz xyz name John Smith

    xyz isPatientOf _:b1 _:b1 date 2022-04-04 _:b0 credentialSubject _:x0 _:x0 isPatientOf _:b1 _:b1 date 2022-04-04 _:c14n0 date 2022-04-04 _:c14n1 credentialSubject xyz xyz isPatientOf _:c14n0 xyz name John Smith _:c14n0 date 2022-04-04 _:c14n1 isPatientOf _:c14n0 _:c14n2 credentialSubject _:c14n1 canonicalize canonicalize VC held by the Holder VC to be presented to the Verifier _:c14n0 date 2022-04-04 xyz isPatientOf _:c14n0 _:c14n1 credentialSubject xyz index map from to 0 0 1 2 2 1 #quads = 4 0 1 2 0 1 2 to be included in the VP

37. VP Composition 36 _:b0 credentialSubject xyz xyz name John Smith

    xyz isPatientOf _:b1 _:b1 date 2022-04-04 _:b0 credentialSubject _:x0 _:x0 isPatientOf _:b1 _:b1 date 2022-04-04 _:c14n0 date 2022-04-04 _:c14n1 credentialSubject xyz xyz isPatientOf _:c14n0 xyz name John Smith _:c14n0 date 2022-04-04 _:c14n1 isPatientOf _:c14n0 _:c14n2 credentialSubject _:c14n1 canonicalize canonicalize split split _:c14n0 date 2022-04-04 _:c14n1 credentia.. xyz xyz isPatientOf _:c14n0 xyz name John Smith _:c14n0 date 2022-04-04 _:c14n1 isPatientOf _:c14n0 _:c14n2 credentia.. _:c14n1 VC held by the Holder VC to be presented to the Verifier index map from to 0 0 1 2 2 1 #quads = 4

38. VP Composition 37 _:b0 credentialSubject xyz xyz name John Smith

    xyz isPatientOf _:b1 _:b1 date 2022-04-04 _:b0 credentialSubject _:x0 _:x0 isPatientOf _:b1 _:b1 date 2022-04-04 _:c14n0 date 2022-04-04 _:c14n1 credentialSubject xyz xyz isPatientOf _:c14n0 xyz name John Smith _:c14n0 date 2022-04-04 _:c14n1 isPatientOf _:c14n0 _:c14n2 credentialSubject _:c14n1 canonicalize canonicalize split split then reorder using index map _:c14n0 date 2022-04-04 _:c14n1 credentia.. xyz xyz isPatientOf _:c14n0 xyz name John Smith _:c14n0 date 2022-04-04 _:c14n1 isPatientOf _:c14n0 _:c14n2 credentia.. _:c14n1 VC held by the Holder VC to be presented to the Verifier index map from to 0 0 1 2 2 1 #quads = 4

39. VP Composition 38 _:b0 credentialSubject xyz xyz name John Smith

    xyz isPatientOf _:b1 _:b1 date 2022-04-04 _:b0 credentialSubject _:x0 _:x0 isPatientOf _:b1 _:b1 date 2022-04-04 _:c14n0 date 2022-04-04 _:c14n1 credentialSubject xyz xyz isPatientOf _:c14n0 xyz name John Smith _:c14n0 date 2022-04-04 _:c14n1 isPatientOf _:c14n0 _:c14n2 credentialSubject _:c14n1 canonicalize canonicalize split split then reorder using index map _:c14n0 date 2022-04-04 _:c14n1 credentia.. xyz xyz isPatientOf _:c14n0 xyz name John Smith _:c14n0 date 2022-04-04 _:c14n1 isPatientOf _:c14n0 _:c14n2 credentia.. _:c14n1 VC held by the Holder VC to be presented to the Verifier index map from to 0 0 1 2 2 1 #quads = 4 Reveal / unreveal indexes have been successfully identified → Verifier can verify BBS+ proof

40. VP Composition 39 9139018... 7975413... 8394757... 4937101... 9139018... 1106247... 5388010...

    6580550... 4549787... ... ... ... 1 4 2 5 26 25 3 6 27 BBS+.derive Non-Interactive Zero-Knowledge Proof 4999362... 0 reveal indexes [5, 6, ..., 25, 26, 27] equal witnesses [ [1,4], ... ] Issuer's public key