Linked-Data-based Verifiable Credentials with Selective Disclosure, Unlinkability, and Predicate Proofs April 4, 2023 @ W3C CCG Dan Yamamoto (Internet Initiative Japan Inc.) Yuji Suga (Internet Initiative Japan Inc.) Kazue Sako (Waseda University)
Our Vision 4 Linked-Data-based Verifiable Credentials with Selective Disclosure, Unlinkability, and Predicate Proofs Linked Data with Verifiability and Privacy, augmenting our Digital Identity Building Block
Our Vision 5 Linked-Data-based Verifiable Credentials with Selective Disclosure, Unlinkability, and Predicate Proofs We can semantically assemble and prove interrelated claims Linked Data with Verifiability and Privacy, augmenting our Digital Identity Building Block
Our Vision 6 Linked-Data-based Verifiable Credentials with Selective Disclosure, Unlinkability, and Predicate Proofs We can semantically assemble and prove interrelated claims without revealing unnecessary data Linked Data with Verifiability and Privacy, augmenting our Digital Identity Building Block
Our Vision 7 Linked-Data-based Verifiable Credentials with Selective Disclosure, Unlinkability, and Predicate Proofs We can semantically assemble and prove interrelated claims without revealing unnecessary data without revealing correlatable factors Linked Data with Verifiability and Privacy, augmenting our Digital Identity Building Block
Our Vision 8 Linked-Data-based Verifiable Credentials with Selective Disclosure, Unlinkability, and Predicate Proofs We can semantically assemble and prove interrelated claims without revealing unnecessary data without revealing correlatable factors with proving various relations among revealed/unrevealed linked data Linked Data with Verifiability and Privacy, augmenting our Digital Identity Building Block
xyz : Person name = John Smith credentialSubject e#1 : Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 Example Use Case 10 VC1 Issuer Verifier Holder
xyz : Person name = John Smith credentialSubject e#1 : Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 Example Use Case 11 VC1 Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 !
xyz : Person name = John Smith credentialSubject e#1 : Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 Example Use Case 12 VC1 Issuer Verifier Holder Is it authorized? v#99 Prove that you got vaccinated using authorized vaccine after April 2022 !
xyz : Person name = John Smith credentialSubject e#1 : Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 Example Use Case 13 VC1 Issuer Verifier Holder Is it authorized? v#99 Prove that you got vaccinated using authorized vaccine after April 2022 ! fetch
xyz : Person name = John Smith credentialSubject e#1 : Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 Example Use Case 14 VC1 VC2 Issuer (vaccine info provider) Issuer Verifier Holder Is it authorized? v#99 Prove that you got vaccinated using authorized vaccine after April 2022 ! fetch
xyz : Person name = John Smith credentialSubject e#1 : Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 Example Use Case 15 VC1 VC2 vc#2: VerifiableCredential issuer = Prv; proof = ... v#99 : Vaccine name = awesomeVaccine manufacturer = example.com status = authorized credentialSubject Issuer (vaccine info provider) Issuer Verifier Holder Is it authorized? v#99 Prove that you got vaccinated using authorized vaccine after April 2022 ! fetch
xyz : Person name = John Smith credentialSubject e#1 : Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 Example Use Case 16 VC1 VC2 vc#2: VerifiableCredential issuer = Prv; proof = ... v#99 : Vaccine name = awesomeVaccine manufacturer = example.com status = authorized credentialSubject Issuer (vaccine info provider) Issuer Verifier Holder Is it authorized? v#99 link data Prove that you got vaccinated using authorized vaccine after April 2022 ! fetch
xyz : Person name = John Smith credentialSubject e#1 : Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 Example Use Case 17 VC1 VC2 vc#2: VerifiableCredential issuer = Prv; proof = ... v#99 : Vaccine name = awesomeVaccine manufacturer = example.com status = authorized credentialSubject Issuer (vaccine info provider) Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 !
xyz : Person name = John Smith credentialSubject e#1 : Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 Example Use Case 18 VC1 VC2 vc#2: VerifiableCredential issuer = Prv; proof = ... v#99 : Vaccine name = awesomeVaccine manufacturer = example.com status = authorized credentialSubject Issuer (vaccine info provider) Issuer Verifier Holder Prove that you got vaccinated using authorized vaccine after April 2022 ! Selective Disclosure
How to Construct It 26 BBS+ Signatures + Termwise Encoding BBS+ Signatures BBS+ Signatures + Termwise Encoding BBS+ Signatures + Termwise Encoding + General-Purpose ZKP (e.g., Bulletproofs) Selective Disclosure Unlinkability Predicate Proof* Proof of Equality A variation of BbsSignature2020 (LDP-BBS) CAVEAT: our prototype currently support positive integer range proof only
BBS+ Signatures 27 ◼ Multi-message signatures with built-in ZKP for selective disclosure and unlinkability ◼ Currently in progress of standardization by IRTF CFRG
Termwise Encoding (1): when Issuer issues VC xyz : Person name = John Smith credentialSubject e#1 : Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = _ 32 Draft of VC to be signed Issuer
Termwise Encoding (1): when Issuer issues VC xyz : Person name = John Smith credentialSubject e#1 : Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = _ e#1 date 2022-04-04 . e#1 vaccine v#99 . xyz isPatientOf e#1 . xyz name John Smith . 33 canonicalize RDF N-Quads (sorted) Draft of VC to be signed ... Issuer
Termwise Encoding (1): when Issuer issues VC 35 split into RDF terms e#1 date 2022-04-04 e#1 vaccine v#99 xyz isPatientOf e#1 xyz name John Smith array of RDF terms e#1 date 2022-04-04 . e#1 vaccine v#99 . xyz isPatientOf e#1 . xyz name John Smith . RDF N-Quads (sorted) ... ... Issuer
Termwise Encoding (1): when Issuer issues VC 36 e#1 date 2022-04-04 e#1 vaccine v#99 xyz isPatientOf e#1 xyz name John Smith array of RDF terms ... Issuer
Termwise Encoding (2): when Holder composes VP 40 issued VC in the wallet xyz : Person name = John Smith credentialSubject e#1 : Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = Holder
Termwise Encoding (2): when Holder composes VP 41 issued VC in the wallet xyz : Person name = John Smith credentialSubject e#1 : Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = Holder's preference ✓ remove name=John Smith ✓ use pseudonyms: 𝑋1 for vc#1, 𝑋2 for xyz, 𝑋3 for e#1, 𝑋4 for v#99 Holder
Termwise Encoding (2): when Holder composes VP 42 issued VC in the wallet disclosed VC to be given as VP to the Verifier (= Verifier's view) xyz : Person name = John Smith credentialSubject e#1 : Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = * * : Person ***************** credentialSubject * *: Vaccination date = 2022-04-04 isPatientOf * *: Vaccine vaccine * * : VerifiableCredential issuer = Gov; proof = _ Holder's preference ✓ remove name=John Smith ✓ use pseudonyms: 𝑋1 for vc#1, 𝑋2 for xyz, 𝑋3 for e#1, 𝑋4 for v#99 Holder
Termwise Encoding (2): when Holder composes VP 43 canonicalize & split (same as Issuer did) e#1 date 2022-04-04 e#1 vaccine v#99 xyz isPatientOf e#1 xyz name John Smith issued VC in the wallet disclosed VC to be given as VP to the Verifier (= Verifier's view) canonicalize & split (same as Verifier would do) 𝑋2 isPatientOf 𝑋3 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 xyz : Person name = John Smith credentialSubject e#1 : Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = * * : Person ***************** credentialSubject * *: Vaccination date = 2022-04-04 isPatientOf * *: Vaccine vaccine * * : VerifiableCredential issuer = Gov; proof = _ Holder's preference ✓ remove name=John Smith ✓ use pseudonyms: 𝑋1 for vc#1, 𝑋2 for xyz, 𝑋3 for e#1, 𝑋4 for v#99 Holder
Termwise Encoding (2): when Holder composes VP 44 canonicalize & split (same as Issuer did) e#1 date 2022-04-04 e#1 vaccine v#99 xyz isPatientOf e#1 xyz name John Smith issued VC in the wallet disclosed VC to be given as VP to the Verifier (= Verifier's view) canonicalize & split (same as Verifier would do) 𝑋2 isPatientOf 𝑋3 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 xyz : Person name = John Smith credentialSubject e#1 : Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = * * : Person ***************** credentialSubject * *: Vaccination date = 2022-04-04 isPatientOf * *: Vaccine vaccine * * : VerifiableCredential issuer = Gov; proof = _ Verifier's view will be differed from original layout due to selective disclosure & pseudonyms Holder's preference ✓ remove name=John Smith ✓ use pseudonyms: 𝑋1 for vc#1, 𝑋2 for xyz, 𝑋3 for e#1, 𝑋4 for v#99 Holder
Termwise Encoding (2): when Holder composes VP 46 e#1 date 2022-04-04 e#1 vaccine v#99 xyz isPatientOf e#1 xyz name John Smith issued VC in the wallet disclosed VC (= Verifier's view) 𝑋2 isPatientOf 𝑋3 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 compute a quad-to-quad mapping from disclosed quads to original ones = (1→3, 2→1, 3→2) and number of issued quads = 4 that allow Verifier to resume original layout from disclosed VC (1) (2) (3) (1) (2) (3) (4) Holder
Termwise Encoding (2): when Holder composes VP 47 e#1 date 2022-04-04 e#1 vaccine v#99 xyz isPatientOf e#1 xyz name John Smith issued VC in the wallet disclosed VC (= Verifier's view) 𝑋2 isPatientOf 𝑋3 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 compute a quad-to-quad mapping from disclosed quads to original ones = (1→3, 2→1, 3→2) and number of issued quads = 4 that allow Verifier to resume original layout from disclosed VC 𝑋3 date 2022-04-04 𝑋3 vaccine 𝑋4 𝑋2 isPatientOf 𝑋3 *** *** *** ** disclosed VC in the original layout (1) (2) (3) (1) (2) (3) (4) Holder
Security and Privacy Analysis 62 ◼ We defined game-based security notions of unforgeability and anonymity (based on Sanders' work for anonymous credentials @ PKC '20) ◼ and proved: ⚫Our construction is unforgeable if the underlying anonymous credential (e.g., BBS-based) is unforgeable ⚫Our construction is weakly anonymous if the underlying anonymous credential (e.g., BBS-based) is anonymous *Details: D. Yamamoto, Y. Suga, and K. Sako, “Formalising linked-data based verifiable credentials for selective disclosure,” in 2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 2022, pp. 52–65. https://sako-lab.jp/download.php?article=ssr2022_proceedings_dan.pdf *CAVEAT: our model and analysis do not take into consideration predicate proof yet
Full Anonymity vs. Weak Anonymity 63 Fully anonymous presentation only leaks: - attributes selectively disclosed by user - issuer's public key Weakly anonymous presentation additionally leaks: - message layout (order and total number) at the time of issuance
Full Anonymity vs. Weak Anonymity 64 xyz : Person children = Albert children = Alice children = Allie credentialSubject vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 issued VC in the wallet Fully anonymous presentation only leaks: - attributes selectively disclosed by user - issuer's public key Weakly anonymous presentation additionally leaks: - message layout (order and total number) at the time of issuance Holder
Full Anonymity vs. Weak Anonymity 65 xyz : Person children = Albert ***************** children = Allie credentialSubject vc#1 : VerifiableCredential issuer = Gov; proof = 𝜋, 𝜓, 𝐽 xyz : Person children = Albert children = Alice children = Allie credentialSubject vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 issued VC in the wallet disclosed VC in VP Fully anonymous presentation only leaks: - attributes selectively disclosed by user - issuer's public key Weakly anonymous presentation additionally leaks: - message layout (order and total number) at the time of issuance Holder Verifier
Full Anonymity vs. Weak Anonymity 66 xyz children Albert *** *** *** ** xyz children Allie disclosed VC in the original layout 1 2 3 4 5 6 7 8 9 10 11 12 xyz : Person children = Albert ***************** children = Allie credentialSubject vc#1 : VerifiableCredential issuer = Gov; proof = 𝜋, 𝜓, 𝐽 xyz : Person children = Albert children = Alice children = Allie credentialSubject vc#1 : VerifiableCredential issuer = Gov; proof = 𝜎 issued VC in the wallet disclosed VC in VP Fully anonymous presentation only leaks: - attributes selectively disclosed by user - issuer's public key Weakly anonymous presentation additionally leaks: - message layout (order and total number) at the time of issuance Holder Verifier
How to Prove Predicate: when Holder composes VP 73 issued VC in the wallet disclosed VC to be given as VP to the Verifier canonicalize & split 𝑋2 isPatientOf 𝑋3 𝑋3 date 𝑋5 𝑋3 vaccine 𝑋4 xyz : Person name = John Smith credentialSubject e#1 : Vaccination date = 2022-04-04 isPatientOf v#99: Vaccine vaccine vc#1 : VerifiableCredential issuer = Gov; proof = * * : Person ***************** credentialSubject * *: Vaccination date = * * isPatientOf * *: Vaccine vaccine * * : VerifiableCredential issuer = Gov; proof = _ with commitment 𝑐 to 2022-04-04 Bulletproofs [ 2021-12-01, ∞ ]: range range proof CAVEAT: our prototype does not support datetime range proof currently (only integer) Holder's preference ✓ remove name=John Smith ✓ use pseudonyms: 𝑋1 for vc#1, 𝑋2 for xyz, 𝑋3 for e#1, 𝑋4 for v#99 ✓ prove date>=2021-12-01 Holder
yamdan
k1style
culvert
nttcom
karamem0
yukimatsuyoshi
.png){kind=icon}
3playmarketing
_kensh
s2terminal
tomoaki25
ryomaru0825
etaroid
sat
matthewcrist
jcasabona
chrislema
smashingmag
bryan
paigeccino
mongodb
stephaniewalter
zakiwarfel
bcantrill
pedronauck
erikaheidi