Linked-Data-based Verifiable Credentials with Selective Disclosure, Unlinkability, and Predicate Proofs

Transcript

1. Linked-Data-based Verifiable Credentials with Selective Disclosure, Unlinkability, and Predicate Proofs

   April 4, 2023 @ W3C CCG Dan Yamamoto (Internet Initiative Japan Inc.) Yuji Suga (Internet Initiative Japan Inc.) Kazue Sako (Waseda University)

2. Outline 2 1. Vision and Use Case 2. Construction 3.

   Security and Privacy Analysis 4. Implementations

3. Our Vision 3 Linked Data with Verifiability and Privacy, augmenting

   our Digital Identity

4. Our Vision 4 Linked-Data-based Verifiable Credentials with Selective Disclosure, Unlinkability,

   and Predicate Proofs Linked Data with Verifiability and Privacy, augmenting our Digital Identity Building Block

5. Our Vision 5 Linked-Data-based Verifiable Credentials with Selective Disclosure, Unlinkability,

   and Predicate Proofs We can semantically assemble and prove interrelated claims Linked Data with Verifiability and Privacy, augmenting our Digital Identity Building Block

6. Our Vision 6 Linked-Data-based Verifiable Credentials with Selective Disclosure, Unlinkability,

   and Predicate Proofs We can semantically assemble and prove interrelated claims without revealing unnecessary data Linked Data with Verifiability and Privacy, augmenting our Digital Identity Building Block

7. Our Vision 7 Linked-Data-based Verifiable Credentials with Selective Disclosure, Unlinkability,

   and Predicate Proofs We can semantically assemble and prove interrelated claims without revealing unnecessary data without revealing correlatable factors Linked Data with Verifiability and Privacy, augmenting our Digital Identity Building Block

8. Our Vision 8 Linked-Data-based Verifiable Credentials with Selective Disclosure, Unlinkability,

   and Predicate Proofs We can semantically assemble and prove interrelated claims without revealing unnecessary data without revealing correlatable factors with proving various relations among revealed/unrevealed linked data Linked Data with Verifiability and Privacy, augmenting our Digital Identity Building Block

9. Example Use Case 9 VC1 Issuer Verifier Holder

10. xyz : Person name = John Smith credentialSubject e#1 :

    Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 Example Use Case 10 VC1 Issuer Verifier Holder

11. xyz : Person name = John Smith credentialSubject e#1 :

    Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 Example Use Case 11 VC1 Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 !

12. xyz : Person name = John Smith credentialSubject e#1 :

    Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 Example Use Case 12 VC1 Issuer Verifier Holder Is it authorized? v#99 Prove that you got vaccinated using authorized vaccine after April 2022 !

13. xyz : Person name = John Smith credentialSubject e#1 :

    Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 Example Use Case 13 VC1 Issuer Verifier Holder Is it authorized? v#99 Prove that you got vaccinated using authorized vaccine after April 2022 ! fetch <https://.../v#99>

14. xyz : Person name = John Smith credentialSubject e#1 :

    Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 Example Use Case 14 VC1 VC2 Issuer (vaccine info provider) Issuer Verifier Holder Is it authorized? v#99 Prove that you got vaccinated using authorized vaccine after April 2022 ! fetch <https://.../v#99>

15. xyz : Person name = John Smith credentialSubject e#1 :

    Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 Example Use Case 15 VC1 VC2 vc#2: VerifiableCredential issuer = Prv; proof = ... v#99 : Vaccine name = awesomeVaccine manufacturer = example.com status = authorized credentialSubject Issuer (vaccine info provider) Issuer Verifier Holder Is it authorized? v#99 Prove that you got vaccinated using authorized vaccine after April 2022 ! fetch <https://.../v#99>

16. xyz : Person name = John Smith credentialSubject e#1 :

    Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 Example Use Case 16 VC1 VC2 vc#2: VerifiableCredential issuer = Prv; proof = ... v#99 : Vaccine name = awesomeVaccine manufacturer = example.com status = authorized credentialSubject Issuer (vaccine info provider) Issuer Verifier Holder Is it authorized? v#99 link data Prove that you got vaccinated using authorized vaccine after April 2022 ! fetch <https://.../v#99>

17. xyz : Person name = John Smith credentialSubject e#1 :

    Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 Example Use Case 17 VC1 VC2 vc#2: VerifiableCredential issuer = Prv; proof = ... v#99 : Vaccine name = awesomeVaccine manufacturer = example.com status = authorized credentialSubject Issuer (vaccine info provider) Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 !

18. xyz : Person name = John Smith credentialSubject e#1 :

    Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 Example Use Case 18 VC1 VC2 vc#2: VerifiableCredential issuer = Prv; proof = ... v#99 : Vaccine name = awesomeVaccine manufacturer = example.com status = authorized credentialSubject Issuer (vaccine info provider) Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! Selective Disclosure

19. xyz : Person name = John Smith credentialSubject e#1 :

    Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 Example Use Case 19 VC1 VC2 vc#2: VerifiableCredential issuer = Prv; proof = ... v#99 : Vaccine name = awesomeVaccine manufacturer = example.com status = authorized credentialSubject Issuer (vaccine info provider) Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! *𝑋2 * **************** *𝑋3 * *𝑋4 * *𝑋4 * ************************* ************************* *𝑋1 * *𝑋5 * Selective Disclosure

20. xyz : Person name = John Smith credentialSubject e#1 :

    Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 Example Use Case 20 VC1 VC2 vc#2: VerifiableCredential issuer = Prv; proof = ... v#99 : Vaccine name = awesomeVaccine manufacturer = example.com status = authorized credentialSubject Issuer (vaccine info provider) Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! *𝑋2 * **************** *𝑋3 * *𝑋4 * *𝑋4 * ************************* ************************* *𝑋1 * *𝑋5 * Selective Disclosure Proof of Equality

21. xyz : Person name = John Smith credentialSubject e#1 :

    Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 Example Use Case 21 VC1 VC2 vc#2: VerifiableCredential issuer = Prv; proof = ... v#99 : Vaccine name = awesomeVaccine manufacturer = example.com status = authorized credentialSubject Issuer (vaccine info provider) Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! *𝑋2 * **************** *𝑋3 * *𝑋4 * *𝑋4 * ************************* ************************* *𝑋1 * *𝑋5 * Selective Disclosure 𝜎 NIZK Unlinkability Proof of Equality

22. xyz : Person name = John Smith credentialSubject e#1 :

    Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 Example Use Case 22 VC1 VC2 vc#2: VerifiableCredential issuer = Prv; proof = ... v#99 : Vaccine name = awesomeVaccine manufacturer = example.com status = authorized credentialSubject Issuer (vaccine info provider) Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! *𝑋2 * **************** *𝑋3 * *𝑋4 * *𝑋4 * ************************* ************************* *𝑋1 * *𝑋5 * Selective Disclosure 𝜎 NIZK Unlinkability >= 2022-04 Predicate Proof Proof of Equality

23. xyz : Person name = John Smith credentialSubject e#1 :

    Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 Example Use Case 23 VC1 VC2 vc#2: VerifiableCredential issuer = Prv; proof = ... v#99 : Vaccine name = awesomeVaccine manufacturer = example.com status = authorized credentialSubject Issuer (vaccine info provider) Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! *𝑋2 * **************** *𝑋3 * *𝑋4 * *𝑋4 * ************************* ************************* *𝑋1 * *𝑋5 * Selective Disclosure 𝜎 NIZK Unlinkability >= 2022-04 VP Predicate Proof Proof of Equality

24. xyz : Person name = John Smith credentialSubject e#1 :

    Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 Example Use Case 24 VC1 VC2 vc#2: VerifiableCredential issuer = Prv; proof = ... v#99 : Vaccine name = awesomeVaccine manufacturer = example.com status = authorized credentialSubject Issuer (vaccine info provider) Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! *𝑋2 * **************** *𝑋3 * *𝑋4 * *𝑋4 * ************************* ************************* *𝑋1 * *𝑋5 * Selective Disclosure 𝜎 NIZK Unlinkability I (anonymized) got vaccinated using authorized vaccine (anonymized) after April 2022 (without exact date) >= 2022-04 VP Predicate Proof Proof of Equality

25. How to Construct It 25 BBS+ Signatures + Termwise Encoding

    BBS+ Signatures BBS+ Signatures + Termwise Encoding BBS+ Signatures + Termwise Encoding + General-Purpose ZKP (e.g., Bulletproofs) Selective Disclosure Unlinkability Predicate Proof* Proof of Equality A variation of BbsSignature2020 (LDP-BBS)

26. How to Construct It 26 BBS+ Signatures + Termwise Encoding

    BBS+ Signatures BBS+ Signatures + Termwise Encoding BBS+ Signatures + Termwise Encoding + General-Purpose ZKP (e.g., Bulletproofs) Selective Disclosure Unlinkability Predicate Proof* Proof of Equality A variation of BbsSignature2020 (LDP-BBS) CAVEAT: our prototype currently support positive integer range proof only

27. BBS+ Signatures 27 ◼ Multi-message signatures with built-in ZKP for

    selective disclosure and unlinkability ◼ Currently in progress of standardization by IRTF CFRG

28. BBS+ Signatures 28 ◼ Multi-message signatures with built-in ZKP for

    selective disclosure and unlinkability ◼ Currently in progress of standardization by IRTF CFRG BBS+.Sign 𝜎: signature [ 𝑚1 , 𝑚2 , … ]: messages 𝑠𝑘: issuer's secret key Issuer

29. BBS+ Signatures 29 ◼ Multi-message signatures with built-in ZKP for

    selective disclosure and unlinkability ◼ Currently in progress of standardization by IRTF CFRG BBS+.Sign BBS+.ProofGen 𝜎: signature [ 𝑚1 , 𝑚2 , … ]: messages 𝑠𝑘: issuer's secret key [ 𝑚1 , 𝑚2 , … ]: messages 𝑝𝑘: issuer's public key 𝜎: signature [ 𝑖1 , 𝑖2 , … ]: disclosed indexes 𝜋: proof (for disclosed messages) Issuer Holder

30. BBS+ Signatures 30 ◼ Multi-message signatures with built-in ZKP for

    selective disclosure and unlinkability ◼ Currently in progress of standardization by IRTF CFRG BBS+.Sign BBS+.ProofGen 𝜎: signature [ 𝑚1 , 𝑚2 , … ]: messages 𝑠𝑘: issuer's secret key [ 𝑚1 , 𝑚2 , … ]: messages 𝑝𝑘: issuer's public key 𝜎: signature [ 𝑖1 , 𝑖2 , … ]: disclosed indexes 𝜋: proof (for disclosed messages) BBS+.ProofVerify [ 𝑚𝑖1 , 𝑚𝑖2 , … ]: disclosed messages 𝑝𝑘: issuer's public key 𝜋: proof [ 𝑖1 , 𝑖2 , … ]: disclosed indexes valid or invalid Issuer Verifier Holder

31. BBS+ Signatures 31 ◼ Multi-message signatures with built-in ZKP for

    selective disclosure and unlinkability ◼ Currently in progress of standardization by IRTF CFRG BBS+.Sign BBS+.ProofGen 𝜎: signature [ 𝑚1 , 𝑚2 , … ]: messages 𝑠𝑘: issuer's secret key [ 𝑚1 , 𝑚2 , … ]: messages 𝑝𝑘: issuer's public key 𝜎: signature [ 𝑖1 , 𝑖2 , … ]: disclosed indexes 𝜋: proof (for disclosed messages) BBS+.ProofVerify [ 𝑚𝑖1 , 𝑚𝑖2 , … ]: disclosed messages 𝑝𝑘: issuer's public key 𝜋: proof [ 𝑖1 , 𝑖2 , … ]: disclosed indexes valid or invalid Issuer Verifier Holder BBS+ Signatures expect an array of scalars as input → We need to encode JSON-LD/RDF to a scalar array → Termwise Encoding

32. Termwise Encoding (1): when Issuer issues VC xyz : Person

    name = John Smith credentialSubject e#1 : Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = _ 32 Draft of VC to be signed Issuer

33. Termwise Encoding (1): when Issuer issues VC xyz : Person

    name = John Smith credentialSubject e#1 : Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = _ e#1 date 2022-04-04 . e#1 vaccine v#99 . xyz isPatientOf e#1 . xyz name John Smith . 33 canonicalize RDF N-Quads (sorted) Draft of VC to be signed ... Issuer

34. Termwise Encoding (1): when Issuer issues VC 34 e#1 date

    2022-04-04 . e#1 vaccine v#99 . xyz isPatientOf e#1 . xyz name John Smith . RDF N-Quads (sorted) ... Issuer

35. Termwise Encoding (1): when Issuer issues VC 35 split into

    RDF terms e#1 date 2022-04-04 e#1 vaccine v#99 xyz isPatientOf e#1 xyz name John Smith array of RDF terms e#1 date 2022-04-04 . e#1 vaccine v#99 . xyz isPatientOf e#1 . xyz name John Smith . RDF N-Quads (sorted) ... ... Issuer

36. Termwise Encoding (1): when Issuer issues VC 36 e#1 date

    2022-04-04 e#1 vaccine v#99 xyz isPatientOf e#1 xyz name John Smith array of RDF terms ... Issuer

37. Termwise Encoding (1): when Issuer issues VC 37 e#1 date

    2022-04-04 e#1 vaccine v#99 xyz isPatientOf e#1 xyz name John Smith array of RDF terms 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 ... Issuer

38. Termwise Encoding (1): when Issuer issues VC 38 e#1 date

    2022-04-04 e#1 vaccine v#99 xyz isPatientOf e#1 xyz name John Smith array of RDF terms BBS+.Sign 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 issuer's secret key ... Issuer

39. xyz : Person name = John Smith credentialSubject e#1 :

    Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 Termwise Encoding (1): when Issuer issues VC 39 e#1 date 2022-04-04 e#1 vaccine v#99 xyz isPatientOf e#1 xyz name John Smith array of RDF terms BBS+.Sign 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 issuer's secret key issued VC ... Issuer

40. Termwise Encoding (2): when Holder composes VP 40 issued VC

    in the wallet xyz : Person name = John Smith credentialSubject e#1 : Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = Holder

41. Termwise Encoding (2): when Holder composes VP 41 issued VC

    in the wallet xyz : Person name = John Smith credentialSubject e#1 : Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = Holder's preference ✓ remove name=John Smith ✓ use pseudonyms: 𝑋1 for vc#1, 𝑋2 for xyz, 𝑋3 for e#1, 𝑋4 for v#99 Holder

42. Termwise Encoding (2): when Holder composes VP 42 issued VC

    in the wallet disclosed VC to be given as VP to the Verifier (= Verifier's view) xyz : Person name = John Smith credentialSubject e#1 : Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = * * : Person ***************** credentialSubject * *: Vaccination date = 2022-04-04 isPatientOf * *: Vaccine vaccine * * : VerifiableCredential issuer = Gov; proof = _ Holder's preference ✓ remove name=John Smith ✓ use pseudonyms: 𝑋1 for vc#1, 𝑋2 for xyz, 𝑋3 for e#1, 𝑋4 for v#99 Holder

43. Termwise Encoding (2): when Holder composes VP 43 canonicalize &

    split (same as Issuer did) e#1 date 2022-04-04 e#1 vaccine v#99 xyz isPatientOf e#1 xyz name John Smith issued VC in the wallet disclosed VC to be given as VP to the Verifier (= Verifier's view) canonicalize & split (same as Verifier would do) 𝑋2 isPatientOf 𝑋3 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 xyz : Person name = John Smith credentialSubject e#1 : Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = * * : Person ***************** credentialSubject * *: Vaccination date = 2022-04-04 isPatientOf * *: Vaccine vaccine * * : VerifiableCredential issuer = Gov; proof = _ Holder's preference ✓ remove name=John Smith ✓ use pseudonyms: 𝑋1 for vc#1, 𝑋2 for xyz, 𝑋3 for e#1, 𝑋4 for v#99 Holder

44. Termwise Encoding (2): when Holder composes VP 44 canonicalize &

    split (same as Issuer did) e#1 date 2022-04-04 e#1 vaccine v#99 xyz isPatientOf e#1 xyz name John Smith issued VC in the wallet disclosed VC to be given as VP to the Verifier (= Verifier's view) canonicalize & split (same as Verifier would do) 𝑋2 isPatientOf 𝑋3 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 xyz : Person name = John Smith credentialSubject e#1 : Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = * * : Person ***************** credentialSubject * *: Vaccination date = 2022-04-04 isPatientOf * *: Vaccine vaccine * * : VerifiableCredential issuer = Gov; proof = _ Verifier's view will be differed from original layout due to selective disclosure & pseudonyms Holder's preference ✓ remove name=John Smith ✓ use pseudonyms: 𝑋1 for vc#1, 𝑋2 for xyz, 𝑋3 for e#1, 𝑋4 for v#99 Holder

45. Termwise Encoding (2): when Holder composes VP 45 e#1 date

    2022-04-04 e#1 vaccine v#99 xyz isPatientOf e#1 xyz name John Smith issued VC in the wallet disclosed VC (= Verifier's view) 𝑋2 isPatientOf 𝑋3 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 Holder

46. Termwise Encoding (2): when Holder composes VP 46 e#1 date

    2022-04-04 e#1 vaccine v#99 xyz isPatientOf e#1 xyz name John Smith issued VC in the wallet disclosed VC (= Verifier's view) 𝑋2 isPatientOf 𝑋3 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 compute a quad-to-quad mapping from disclosed quads to original ones = (1→3, 2→1, 3→2) and number of issued quads = 4 that allow Verifier to resume original layout from disclosed VC (1) (2) (3) (1) (2) (3) (4) Holder

47. Termwise Encoding (2): when Holder composes VP 47 e#1 date

    2022-04-04 e#1 vaccine v#99 xyz isPatientOf e#1 xyz name John Smith issued VC in the wallet disclosed VC (= Verifier's view) 𝑋2 isPatientOf 𝑋3 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 compute a quad-to-quad mapping from disclosed quads to original ones = (1→3, 2→1, 3→2) and number of issued quads = 4 that allow Verifier to resume original layout from disclosed VC 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 𝑋2 isPatientOf 𝑋3 *** *** *** ** disclosed VC in the original layout (1) (2) (3) (1) (2) (3) (4) Holder

48. Termwise Encoding (2): when Holder composes VP 48 e#1 date

    2022-04-04 e#1 vaccine v#99 xyz isPatientOf e#1 xyz name John Smith issued VC in the wallet 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 𝑋2 isPatientOf 𝑋3 *** *** *** ** disclosed VC in the original layout 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Holder

49. Termwise Encoding (2): when Holder composes VP 49 e#1 date

    2022-04-04 e#1 vaccine v#99 xyz isPatientOf e#1 xyz name John Smith issued VC in the wallet 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 𝑋2 isPatientOf 𝑋3 *** *** *** ** disclosed VC in the original layout 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 identify disclosed indexes = [ 2, 3, 4, 6, 8, 10, 12 ] Holder

50. Termwise Encoding (2): when Holder composes VP 50 e#1 date

    2022-04-04 e#1 vaccine v#99 xyz isPatientOf e#1 xyz name John Smith issued VC in the wallet 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 𝑋2 isPatientOf 𝑋3 *** *** *** ** disclosed VC in the original layout 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 identify disclosed indexes = [ 2, 3, 4, 6, 8, 10, 12 ] identify "equivalence classes" = [ [ 9 ], [ 1, 5, 11 ], [ 7 ] ] 𝑋2 𝑋3 𝑋4 Holder

51. Termwise Encoding (2): when Holder composes VP 51 e#1 date

    2022-04-04 e#1 vaccine v#99 xyz isPatientOf e#1 xyz name John Smith issued VC in the wallet 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 𝑋2 isPatientOf 𝑋3 *** *** *** ** disclosed VC in the original layout 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 BBS+.ProofGen with proof of equality issuer's public key, signature, nonce & disclosed VC identify disclosed indexes = [ 2, 3, 4, 6, 8, 10, 12 ] identify "equivalence classes" = [ [ 9 ], [ 1, 5, 11 ], [ 7 ] ] 𝑋2 𝑋3 𝑋4 Holder

52. Termwise Encoding (2): when Holder composes VP 52 e#1 date

    2022-04-04 e#1 vaccine v#99 xyz isPatientOf e#1 xyz name John Smith issued VC in the wallet 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 𝑋2 isPatientOf 𝑋3 *** *** *** ** disclosed VC in the original layout 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 BBS+.ProofGen with proof of equality issuer's public key, signature, nonce & disclosed VC identify disclosed indexes = [ 2, 3, 4, 6, 8, 10, 12 ] identify "equivalence classes" = [ [ 9 ], [ 1, 5, 11 ], [ 7 ] ] 𝑋2 𝑋3 𝑋4 NIZK proof 𝜋 Holder

53. Termwise Encoding (2): when Holder composes VP 53 e#1 date

    2022-04-04 e#1 vaccine v#99 xyz isPatientOf e#1 xyz name John Smith issued VC in the wallet 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 𝑋2 isPatientOf 𝑋3 *** *** *** ** disclosed VC in the original layout 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 BBS+.ProofGen with proof of equality issuer's public key, signature, nonce & disclosed VC identify disclosed indexes = [ 2, 3, 4, 6, 8, 10, 12 ] identify "equivalence classes" = [ [ 9 ], [ 1, 5, 11 ], [ 7 ] ] 𝑋2 𝑋3 𝑋4 NIZK proof 𝜋 quad mapping 𝜓 = (1→3, 2→1, 3→2) number of issued quads 𝐽 = 4 proofValue in VP Holder

54. Termwise Encoding (3): when Verifier verifies VP 54 disclosed VC

    in VP (Verifier's view) * * : Person ***************** credentialSubject * *: Vaccination date = 2022-04-04 isPatientOf * *: Vaccine vaccine * * : VerifiableCredential issuer = Gov; proof = Verifier

55. Termwise Encoding (3): when Verifier verifies VP 55 disclosed VC

    in VP (Verifier's view) canonicalize & split 𝑋2 isPatientOf 𝑋3 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 * * : Person ***************** credentialSubject * *: Vaccination date = 2022-04-04 isPatientOf * *: Vaccine vaccine * * : VerifiableCredential issuer = Gov; proof = Verifier

56. Termwise Encoding (3): when Verifier verifies VP 56 disclosed VC

    in VP (Verifier's view) canonicalize & split 𝑋2 isPatientOf 𝑋3 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 * * : Person ***************** credentialSubject * *: Vaccination date = 2022-04-04 isPatientOf * *: Vaccine vaccine * * : VerifiableCredential issuer = Gov; proof = NIZK proof 𝜋 quad mapping 𝜓 = (1→3, 2→1, 3→2) number of issued quads 𝐽 = 4 Verifier

57. Termwise Encoding (3): when Verifier verifies VP 57 𝑋2 isPatientOf

    𝑋3 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 quad mapping 𝜓 = (1→3, 2→1, 3→2) number of issued quads 𝐽 = 4 disclosed VC in VP Verifier

58. Termwise Encoding (3): when Verifier verifies VP 58 𝑋2 isPatientOf

    𝑋3 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 quad mapping 𝜓 = (1→3, 2→1, 3→2) number of issued quads 𝐽 = 4 disclosed VC in VP 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 𝑋2 isPatientOf 𝑋3 *** *** *** ** disclosed VC (resumed layout) 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Verifier

59. Termwise Encoding (3): when Verifier verifies VP 59 𝑋2 isPatientOf

    𝑋3 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 quad mapping 𝜓 = (1→3, 2→1, 3→2) number of issued quads 𝐽 = 4 disclosed VC in VP 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 𝑋2 isPatientOf 𝑋3 *** *** *** ** disclosed VC (resumed layout) 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 identify disclosed indexes = [ 2, 3, 4, 6, 8, 10, 12 ] identify equivalence classes = [ [ 9 ], [ 1, 5, 11 ], [ 7 ] ] 𝑋2 𝑋3 𝑋4 Verifier

60. Termwise Encoding (3): when Verifier verifies VP 60 𝑋2 isPatientOf

    𝑋3 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 quad mapping 𝜓 = (1→3, 2→1, 3→2) number of issued quads 𝐽 = 4 disclosed VC in VP 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 𝑋2 isPatientOf 𝑋3 *** *** *** ** disclosed VC (resumed layout) BBS+.ProofVerify with proof of equality issuer's public key, NIZK proof 𝜋, nonce & disclosed VC 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 identify disclosed indexes = [ 2, 3, 4, 6, 8, 10, 12 ] identify equivalence classes = [ [ 9 ], [ 1, 5, 11 ], [ 7 ] ] 𝑋2 𝑋3 𝑋4 Verifier

61. Termwise Encoding (3): when Verifier verifies VP 61 𝑋2 isPatientOf

    𝑋3 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 quad mapping 𝜓 = (1→3, 2→1, 3→2) number of issued quads 𝐽 = 4 disclosed VC in VP 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 𝑋2 isPatientOf 𝑋3 *** *** *** ** disclosed VC (resumed layout) BBS+.ProofVerify with proof of equality issuer's public key, NIZK proof 𝜋, nonce & disclosed VC 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 identify disclosed indexes = [ 2, 3, 4, 6, 8, 10, 12 ] identify equivalence classes = [ [ 9 ], [ 1, 5, 11 ], [ 7 ] ] 𝑋2 𝑋3 𝑋4 valid or invalid Verifier

62. Security and Privacy Analysis 62 ◼ We defined game-based security

    notions of unforgeability and anonymity (based on Sanders' work for anonymous credentials @ PKC '20) ◼ and proved: ⚫Our construction is unforgeable if the underlying anonymous credential (e.g., BBS-based) is unforgeable ⚫Our construction is weakly anonymous if the underlying anonymous credential (e.g., BBS-based) is anonymous *Details: D. Yamamoto, Y. Suga, and K. Sako, “Formalising linked-data based verifiable credentials for selective disclosure,” in 2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 2022, pp. 52–65. https://sako-lab.jp/download.php?article=ssr2022_proceedings_dan.pdf *CAVEAT: our model and analysis do not take into consideration predicate proof yet

63. Full Anonymity vs. Weak Anonymity 63 Fully anonymous presentation only

    leaks: - attributes selectively disclosed by user - issuer's public key Weakly anonymous presentation additionally leaks: - message layout (order and total number) at the time of issuance

64. Full Anonymity vs. Weak Anonymity 64 xyz : Person children

    = Albert children = Alice children = Allie credentialSubject vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 issued VC in the wallet Fully anonymous presentation only leaks: - attributes selectively disclosed by user - issuer's public key Weakly anonymous presentation additionally leaks: - message layout (order and total number) at the time of issuance Holder

65. Full Anonymity vs. Weak Anonymity 65 xyz : Person children

    = Albert ***************** children = Allie credentialSubject vc#1 : VerifiableCredential issuer = Gov; proof = 𝜋, 𝜓, 𝐽 xyz : Person children = Albert children = Alice children = Allie credentialSubject vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 issued VC in the wallet disclosed VC in VP Fully anonymous presentation only leaks: - attributes selectively disclosed by user - issuer's public key Weakly anonymous presentation additionally leaks: - message layout (order and total number) at the time of issuance Holder Verifier

66. Full Anonymity vs. Weak Anonymity 66 xyz children Albert ***

    *** *** ** xyz children Allie disclosed VC in the original layout 1 2 3 4 5 6 7 8 9 10 11 12 xyz : Person children = Albert ***************** children = Allie credentialSubject vc#1 : VerifiableCredential issuer = Gov; proof = 𝜋, 𝜓, 𝐽 xyz : Person children = Albert children = Alice children = Allie credentialSubject vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 issued VC in the wallet disclosed VC in VP Fully anonymous presentation only leaks: - attributes selectively disclosed by user - issuer's public key Weakly anonymous presentation additionally leaks: - message layout (order and total number) at the time of issuance Holder Verifier

67. Implementations 67 ◼ @zkp-ld/jsonld-signatures-bbs ◼ @zkp-ld/bls12381-key-pair ◼ @zkp-ld/bbs-signatures ◼ @zkp-ld/ursa

    (bbs, bulletproofs-amcl) Implementations (published on Github and npm) ◼ a playground for developers ◼ you can sign & verify LD-based credential and show & verify presentations on browser ◼ with Selective Disclosure, Unlinkability, and (partially implemented) Range Proof ZKP-LD Playground <https://playground.zkp-ld.org> @zkp-ld bbs-signatures (TS + Rust) bbs (Rust) bls12381-key-pair (TS) zkp-ld-playground (React/TS) @mattrglobal fork bulletproofs_amcl (Rust) Hyperledger ursa fork veanpods (TS) rdf-bbs-signatures (TS) jsonld-bbs-signatures (TS)

68. zk-SPARQL 68 { "type": "VerifiablePresentation", "verifiableCredential": [ { "id": "...vc#1",

    "type": "VerifiableCredential", "issuer": "did:example:issuer1", "credentialSubject": { "id": "anoni:RyMyF0", "type": "Person", "isPatientOf": { "id": "anoni:2wtQku", "vaccinationDate": { "@value": "2022-04-04T00:00:00Z" }, "vaccine": { "id": "anoni:5kKKS7" } } } }, { "id": "...vc#2", "type": "VerifiableCredential", "issuer": "did:example:issuer2", "credentialSubject": { "id": "anoni:5kKKS7", "status": "active" }}]} SPARQL query for presentation request result VP https://github.com/ zkp-ld/veanpods

69. Summary 69 Conclusions ⚫ Constructed a LD-based VC scheme with

    selective disclosure, unlinkability, and predicate proofs ⚫ Proposed novel use cases and provided security and privacy analysis ⚫ Provided prototype implementations and Web-based demo Future Work ⚫ Work-in-progress: integrate blind signing for holder-binding ⚫ Additional features: general predicate proofs / revocation / PPID / delegation ⚫ Security&Privacy: stronger anonymity / comprehensive analysis incl. predicate proofs ⚫ Challenge: formal verification / post-quantum security

70. Appendix

71. Implementation Details @zkp-ld bbs-signatures (TS + Rust) bbs (Rust) bls12381-key-pair

    (TS) zkp-ld-playground (React/TS) @mattrglobal fork bulletproofs_amcl (Rust) MIRACL (Rust, C++) Hyperledger ursa fork pairing-plus (Rust) Application BBS+ frontend BBS+ backend + Bulletproofs Pairing-Friendly Curves 71 veanpods (TS) rdf-bbs-signatures (TS) jsonld-bbs-signatures (TS)

72. { "@context": [ ... ], "type": "VerifiablePresentation", "verifiableCredential": [ {

    "id": "anoni:qpLmnX", "type": "VerifiableCredential", "credentialSubject": { "id": "anoni:nihy3C", "status": "authorized" }, "issuer": "did:example:Prv", "proof": { ... }, ... } ] } { "id": "anoni:Dx9jK2", "type": "VerifiableCredential", "credentialSubject": { "id": "anoni:rtxPcC", "type": "Person", "isPatientOf": { "id": "anoni:-wd-iG", "vaccine": { "id": "anoni:nihy3C" } }, "date": { "range": [ ... ] }, }, "issuer": "did:example:Gov", "proof": { ... }, ... }, Example VP xyz : Person name = John Smith credentialSubject e#1 : Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = * * **************** * * * * * * NIZK >= 2022-04 vc#2: VerifiableCredential issuer = Prv; proof = ... cvx#987 : Vaccine name = awesomeVaccine manufacturer = example.com status = authorized credentialSubject * * ************************* ************************* *** 72

73. How to Prove Predicate: when Holder composes VP 73 issued

    VC in the wallet disclosed VC to be given as VP to the Verifier canonicalize & split 𝑋2 isPatientOf 𝑋3 𝑋3 date 𝑋5 𝑋3 vaccine 𝑋4 xyz : Person name = John Smith credentialSubject e#1 : Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = * * : Person ***************** credentialSubject * *: Vaccination date = * * isPatientOf * *: Vaccine vaccine * * : VerifiableCredential issuer = Gov; proof = _ with commitment 𝑐 to 2022-04-04 Bulletproofs [ 2021-12-01, ∞ ]: range range proof CAVEAT: our prototype does not support datetime range proof currently (only integer) Holder's preference ✓ remove name=John Smith ✓ use pseudonyms: 𝑋1 for vc#1, 𝑋2 for xyz, 𝑋3 for e#1, 𝑋4 for v#99 ✓ prove date>=2021-12-01 Holder

74. Performance Evaluation 74 ◼ i7-10750H (6 cores 12 threads) CPU,

    32GB RAM, Google Chrome ◼ takes at most 1 sec to handle < 200 RDF terms ◼ (the issuance of bound credentials has not yet been implemented & evaluated) size (bits) secret key 256 public key 768 signature 896 proof 2944 + 256 𝑛 (𝑛 : # of hidden terms) VC: sign / sigVf VP: show / verify

75. Syntax 75 User Issuer Verifier issue 𝑖𝑠𝑘, 𝐺 obtain 𝑢𝑠𝑘,

    𝑖𝑝𝑘, 𝐺 → 𝜎 show 𝑢𝑠𝑘, 𝑖𝑝𝑘𝑖 , 𝐺𝑖 , 𝜎𝑖 , b𝑖 , 𝜑𝑖 𝑖 , m → 𝜋 Issuer key generation User key generation VC issuance VC obtaining VP showing VP verification ikGen 𝑝𝑟𝑚 → 𝑖𝑠𝑘, 𝑖𝑝𝑘 uskGen 𝑝𝑟𝑚 → 𝑢𝑠𝑘 verify 𝑖𝑝𝑘𝑖 , 𝐺𝑖 ′, b𝑖 𝑖 , m, 𝜋 → 1 or 0 𝑝𝑟𝑚 ← prmGen 1𝜆, 𝐿 System parameter generation sign 𝑖𝑠𝑘, 𝐺 → 𝜎 sigVf 𝑖𝑝𝑘, 𝐺, 𝜎 → 1 or 0

76. Unforgeability 76 𝒜 𝑝𝑟𝑚 𝑖𝑝𝑘∗ (𝑖𝑝𝑘𝑖 ∗, 𝐺𝑖 ′∗, b𝑖

    ∗) 𝑖 m∗ 𝜋∗ 𝑖𝑠𝑘∗, 𝑖𝑝𝑘∗ ← ikGen(𝑝𝑟𝑚) for 𝑢 ∈ 𝑈 : 𝑢𝑠𝑘𝑢 ∗ ← uskGen 𝑝𝑟𝑚 let honest issuer issue VC to honest user 𝑢 let honest issuer issue VC to 𝒜 let honest user 𝑢 show VP If 𝒜 cannot output non-trivial VP forgery → unforgeable obtiss iss / sign show 𝑢, 𝐺, b 𝑐𝑖𝑑 𝑢 𝑐𝑖𝑑𝑖 , 𝜑𝑖 𝑖 m 𝜋 𝜎 𝐺 VP forgery

77. Anonymity 77 𝒜 𝑝𝑟𝑚 𝑢0 ∗, 𝑐𝑖𝑑0,𝑖 ∗ , 𝜑0,𝑖

    ∗ 𝑖 𝑢1 ∗, 𝑐𝑖𝑑1,𝑖 ∗ , 𝜑1,𝑖 ∗ 𝑖 m∗ let honest user 𝑢 show VP show 𝑢 𝑐𝑖𝑑𝑖 , 𝜑𝑖 𝑖 m 𝜋 𝑝𝑟𝑚 ← prmGen 1𝜆, 𝐿 for 𝑢 ∈ 𝑈 : 𝑢𝑠𝑘𝑢 ∗ ← uskGen 𝑝𝑟𝑚 let honest user 𝑢 store bound VC issued by 𝒜 obt 𝑢, 𝑐𝑖𝑑, 𝑖𝑝𝑘, 𝐺 CRED𝑢0 ∗ 𝑐𝑖𝑑0,𝑖 ∗ → 𝑖𝑝𝑘0,𝑖 ∗ , 𝐺0,𝑖 ∗ , 𝜎0,𝑖 ∗ , b0,𝑖 ∗ CRED𝑢1 ∗ 𝑐𝑖𝑑1,𝑖 ∗ → 𝑖𝑝𝑘1,𝑖 ∗ , 𝐺1,𝑖 ∗ , 𝜎1,𝑖 ∗ , b1,𝑖 ∗ 𝑏 ←𝑅 0,1 𝜋∗ ← show 𝑢𝑠𝑘 𝑢𝑏 ∗ ∗ , 𝑖𝑝𝑘𝑏,𝑖 ∗ , 𝐺𝑏,𝑖 ∗ , 𝜎𝑏,𝑖 ∗ , b𝑏,𝑖 ∗ , 𝜑𝑏,𝑖 ∗ 𝑖 , m∗ 𝒜 𝜋∗ 𝑏∗ challenge pairs user VC reveal func requirement 𝑖𝑝𝑘0,𝑖 ∗ , 𝜑0,1 ∗ 𝐺0,𝑖 ∗ , b0,𝑖 ∗ 𝑖 = 𝑖𝑝𝑘1,𝑖 ∗ , 𝜑1,1 ∗ 𝐺1,𝑖 ∗ , b1,𝑖 ∗ 𝑖 weak anonymity 𝑖𝑝𝑘0,𝑖 ∗ , 𝜑0,1 ∗ canon 𝐺0,𝑖 ∗ , 𝐺0,𝑖 ∗ , b0,𝑖 ∗ 𝑖 = 𝑖𝑝𝑘1,𝑖 ∗ , 𝜑1,1 ∗ canon 𝐺1,𝑖 ∗ , 𝐺1,𝑖 ∗ , b1,𝑖 ∗ 𝑖 If 𝒜 cannot guess 𝑏 → anonymous original number and position of attributes can be leaked