Linked-Data-based Verifiable Credentials with Selective Disclosure, Unlinkability, and Predicate Proofs

to be presented at W3C CCG on April 4, 2023

Dan Yamamoto

April 04, 2023

Transcript

  1. Linked-Data-based Verifiable Credentials with Selective Disclosure, Unlinkability, and Predicate Proofs

    April 4, 2023 @ W3C CCG
    Dan Yamamoto (Internet Initiative Japan Inc.), Yuji Suga (Internet Initiative Japan Inc.), Kazue Sako (Waseda University)
  2. Outline

    1. Vision and Use Case
    2. Construction
    3. Security and Privacy Analysis
    4. Implementations
  3. Our Vision

    Linked-Data-based Verifiable Credentials with Selective Disclosure, Unlinkability, and Predicate Proofs
    Linked Data with Verifiability and Privacy, augmenting our Digital Identity Building Block
  4. Our Vision

    Linked-Data-based Verifiable Credentials with Selective Disclosure, Unlinkability, and Predicate Proofs
    ◼ We can semantically assemble and prove interrelated claims
    Linked Data with Verifiability and Privacy, augmenting our Digital Identity Building Block
  5. Our Vision

    Linked-Data-based Verifiable Credentials with Selective Disclosure, Unlinkability, and Predicate Proofs
    ◼ We can semantically assemble and prove interrelated claims
    ◼ without revealing unnecessary data
    Linked Data with Verifiability and Privacy, augmenting our Digital Identity Building Block
  6. Our Vision

    Linked-Data-based Verifiable Credentials with Selective Disclosure, Unlinkability, and Predicate Proofs
    ◼ We can semantically assemble and prove interrelated claims
    ◼ without revealing unnecessary data
    ◼ without revealing correlatable factors
    Linked Data with Verifiability and Privacy, augmenting our Digital Identity Building Block
  7. Our Vision

    Linked-Data-based Verifiable Credentials with Selective Disclosure, Unlinkability, and Predicate Proofs
    ◼ We can semantically assemble and prove interrelated claims
    ◼ without revealing unnecessary data
    ◼ without revealing correlatable factors
    ◼ with proving various relations among revealed/unrevealed linked data
    Linked Data with Verifiability and Privacy, augmenting our Digital Identity Building Block
  8. Example Use Case

    Roles: Issuer, Holder, Verifier
    VC1:
      vc#1 : VerifiableCredential (issuer = Gov; proof = 𝜎)
        credentialSubject: xyz : Person (name = John Smith)
          isPatientOf: e#1 : Vaccination (date = 2022-04-04)
            vaccine: v#99 : Vaccine
  9. Example Use Case

    Same diagram as slide 8, plus the Verifier's request: "Prove that you got vaccinated using authorized vaccine after April 2022!"
  10. Example Use Case

    Same diagram as slide 9, plus a question about v#99: "Is it authorized?"
  11. Example Use Case

    Same diagram as slide 10, plus: fetch <https://.../v#99>
  12. Example Use Case

    Same diagram as slide 11, plus a second credential, VC2, from a second Issuer (vaccine info provider)
  13. Example Use Case

    Same diagram as slide 12, with the content of VC2 shown:
      vc#2 : VerifiableCredential (issuer = Prv; proof = ...)
        credentialSubject: v#99 : Vaccine (name = awesomeVaccine; manufacturer = example.com; status = authorized)
  14. Example Use Case

    Same diagram as slide 13, plus the label "link data"
  15. Example Use Case

    Roles: Issuer, Issuer (vaccine info provider), Holder, Verifier
    VC1 (as on slide 8) and VC2 (as on slide 13)
    Verifier's request: "Prove that you got vaccinated using authorized vaccine after April 2022!"
  16. Example Use Case

    Same diagram as slide 15, plus the label "Selective Disclosure"
  17. Example Use Case

    Same diagram as slide 16, with parts of VC1 and VC2 masked: identifiers replaced by 𝑋1, 𝑋2, 𝑋3, 𝑋4 (appearing twice) and 𝑋5, and three attribute values blanked out
  18. Example Use Case

    Same diagram as slide 17, plus the label "Proof of Equality"
  19. Example Use Case

    Same diagram as slide 18, plus the label "Unlinkability" (𝜎, NIZK)
  20. Example Use Case

    Same diagram as slide 19, plus the label "Predicate Proof" (>= 2022-04)
  21. Example Use Case

    Same diagram as slide 20, plus the label "VP"
  22. Example Use Case

    Same diagram as slide 21, plus the text: "I (anonymized) got vaccinated using authorized vaccine (anonymized) after April 2022 (without exact date)"
  23. How to Construct It

    Selective Disclosure: BBS+ Signatures + Termwise Encoding
    Unlinkability: BBS+ Signatures
    Proof of Equality: BBS+ Signatures + Termwise Encoding
    Predicate Proof*: BBS+ Signatures + Termwise Encoding + General-Purpose ZKP (e.g., Bulletproofs)
    A variation of BbsSignature2020 (LDP-BBS)
  24. How to Construct It

    Selective Disclosure: BBS+ Signatures + Termwise Encoding
    Unlinkability: BBS+ Signatures
    Proof of Equality: BBS+ Signatures + Termwise Encoding
    Predicate Proof*: BBS+ Signatures + Termwise Encoding + General-Purpose ZKP (e.g., Bulletproofs)
    A variation of BbsSignature2020 (LDP-BBS)
    CAVEAT: our prototype currently supports positive integer range proof only
  25. BBS+ Signatures

    ◼ Multi-message signatures with built-in ZKP for selective disclosure and unlinkability
    ◼ Currently being standardized by IRTF CFRG
  26. BBS+ Signatures

    ◼ Multi-message signatures with built-in ZKP for selective disclosure and unlinkability
    ◼ Currently being standardized by IRTF CFRG
    BBS+.Sign (Issuer)
      input: [ 𝑚1, 𝑚2, … ]: messages; 𝑠𝑘: issuer's secret key
      output: 𝜎: signature
  27. BBS+ Signatures

    ◼ Multi-message signatures with built-in ZKP for selective disclosure and unlinkability
    ◼ Currently being standardized by IRTF CFRG
    BBS+.Sign (Issuer)
      input: [ 𝑚1, 𝑚2, … ]: messages; 𝑠𝑘: issuer's secret key
      output: 𝜎: signature
    BBS+.ProofGen (Holder)
      input: [ 𝑚1, 𝑚2, … ]: messages; 𝑝𝑘: issuer's public key; 𝜎: signature; [ 𝑖1, 𝑖2, … ]: disclosed indexes
      output: 𝜋: proof (for disclosed messages)
  28. BBS+ Signatures

    ◼ Multi-message signatures with built-in ZKP for selective disclosure and unlinkability
    ◼ Currently being standardized by IRTF CFRG
    BBS+.Sign (Issuer)
      input: [ 𝑚1, 𝑚2, … ]: messages; 𝑠𝑘: issuer's secret key
      output: 𝜎: signature
    BBS+.ProofGen (Holder)
      input: [ 𝑚1, 𝑚2, … ]: messages; 𝑝𝑘: issuer's public key; 𝜎: signature; [ 𝑖1, 𝑖2, … ]: disclosed indexes
      output: 𝜋: proof (for disclosed messages)
    BBS+.ProofVerify (Verifier)
      input: [ 𝑚_{𝑖1}, 𝑚_{𝑖2}, … ]: disclosed messages; 𝑝𝑘: issuer's public key; 𝜋: proof; [ 𝑖1, 𝑖2, … ]: disclosed indexes
      output: valid or invalid
  29. BBS+ Signatures

    Same as slide 28, plus:
    BBS+ Signatures expect an array of scalars as input
    → We need to encode JSON-LD/RDF to a scalar array
    → Termwise Encoding
  30. Termwise Encoding (1): when Issuer issues VC

    Issuer: draft of VC to be signed
      vc#1 : VerifiableCredential (issuer = Gov; proof = _)
        credentialSubject: xyz : Person (name = John Smith)
          isPatientOf: e#1 : Vaccination (date = 2022-04-04)
            vaccine: v#99 : Vaccine
  31. Termwise Encoding (1): when Issuer issues VC

    Draft of VC to be signed (as on slide 30) → canonicalize → RDF N-Quads (sorted):
      e#1 date 2022-04-04 .
      e#1 vaccine v#99 .
      xyz isPatientOf e#1 .
      xyz name John Smith .
      ...
  32. Termwise Encoding (1): when Issuer issues VC

    RDF N-Quads (sorted):
      e#1 date 2022-04-04 .
      e#1 vaccine v#99 .
      xyz isPatientOf e#1 .
      xyz name John Smith .
      ...
  33. Termwise Encoding (1): when Issuer issues VC

    RDF N-Quads (sorted, as on slide 32) → split into RDF terms → array of RDF terms:
      e#1 | date | 2022-04-04
      e#1 | vaccine | v#99
      xyz | isPatientOf | e#1
      xyz | name | John Smith
      ...
  34. Termwise Encoding (1): when Issuer issues VC

    array of RDF terms:
      e#1 | date | 2022-04-04
      e#1 | vaccine | v#99
      xyz | isPatientOf | e#1
      xyz | name | John Smith
      ...
  35. Termwise Encoding (1): when Issuer issues VC

    array of RDF terms (as on slide 34), with term positions numbered 1 to 16
  36. Termwise Encoding (1): when Issuer issues VC

    array of RDF terms (positions 1 to 16) + issuer's secret key → BBS+.Sign
  37. Termwise Encoding (1): when Issuer issues VC

    array of RDF terms (positions 1 to 16) + issuer's secret key → BBS+.Sign → issued VC:
      vc#1 : VerifiableCredential (issuer = Gov; proof = 𝜎)
        credentialSubject: xyz : Person (name = John Smith)
          isPatientOf: e#1 : Vaccination (date = 2022-04-04)
            vaccine: v#99 : Vaccine
  38. Termwise Encoding (2): when Holder composes VP

    Holder: issued VC in the wallet
      vc#1 : VerifiableCredential (issuer = Gov; proof =)
        credentialSubject: xyz : Person (name = John Smith)
          isPatientOf: e#1 : Vaccination (date = 2022-04-04)
            vaccine: v#99 : Vaccine
  39. Termwise Encoding (2): when Holder composes VP

    issued VC in the wallet (as on slide 38)
    Holder's preference:
      ✓ remove name=John Smith
      ✓ use pseudonyms: 𝑋1 for vc#1, 𝑋2 for xyz, 𝑋3 for e#1, 𝑋4 for v#99
  40. Termwise Encoding (2): when Holder composes VP

    issued VC in the wallet and Holder's preference (as on slide 39)
    disclosed VC to be given as VP to the Verifier (= Verifier's view):
      * * : VerifiableCredential (issuer = Gov; proof = _)
        credentialSubject: * * : Person (*****************)
          isPatientOf: * * : Vaccination (date = 2022-04-04)
            vaccine: * * : Vaccine
  41. Termwise Encoding (2): when Holder composes VP

    issued VC in the wallet → canonicalize & split (same as Issuer did):
      e#1 date 2022-04-04
      e#1 vaccine v#99
      xyz isPatientOf e#1
      xyz name John Smith
    disclosed VC to be given as VP to the Verifier (= Verifier's view) → canonicalize & split (same as Verifier would do):
      𝑋2 isPatientOf 𝑋3
      𝑋3 date 2022-04-04
      𝑋3 vaccine 𝑋4
    Holder's preference (as on slide 39)
  42. Termwise Encoding (2): when Holder composes VP

    Same as slide 41, plus the note: Verifier's view will differ from the original layout due to selective disclosure & pseudonyms
  43. Termwise Encoding (2): when Holder composes VP

    issued VC in the wallet:
      e#1 date 2022-04-04
      e#1 vaccine v#99
      xyz isPatientOf e#1
      xyz name John Smith
    disclosed VC (= Verifier's view):
      𝑋2 isPatientOf 𝑋3
      𝑋3 date 2022-04-04
      𝑋3 vaccine 𝑋4
  44. Termwise Encoding (2): when Holder composes VP

    issued VC in the wallet:
      (1) e#1 date 2022-04-04
      (2) e#1 vaccine v#99
      (3) xyz isPatientOf e#1
      (4) xyz name John Smith
    disclosed VC (= Verifier's view):
      (1) 𝑋2 isPatientOf 𝑋3
      (2) 𝑋3 date 2022-04-04
      (3) 𝑋3 vaccine 𝑋4
    compute a quad-to-quad mapping from disclosed quads to original ones = (1→3, 2→1, 3→2) and number of issued quads = 4 that allow Verifier to resume original layout from disclosed VC
  45. Termwise Encoding (2): when Holder composes VP

    Same as slide 44, plus the disclosed VC in the original layout:
      (1) 𝑋3 date 2022-04-04
      (2) 𝑋3 vaccine 𝑋4
      (3) 𝑋2 isPatientOf 𝑋3
      (4) *** *** *** **
  46. Termwise Encoding (2): when Holder composes VP

    issued VC in the wallet (term positions numbered 1 to 16):
      e#1 date 2022-04-04
      e#1 vaccine v#99
      xyz isPatientOf e#1
      xyz name John Smith
    disclosed VC in the original layout (term positions numbered 1 to 16):
      𝑋3 date 2022-04-04
      𝑋3 vaccine 𝑋4
      𝑋2 isPatientOf 𝑋3
      *** *** *** **
  47. Termwise Encoding (2): when Holder composes VP

    Same as slide 46, plus:
    identify disclosed indexes = [ 2, 3, 4, 6, 8, 10, 12 ]
  48. Termwise Encoding (2): when Holder composes VP

    Same as slide 47, plus:
    identify "equivalence classes" = [ [ 9 ], [ 1, 5, 11 ], [ 7 ] ] (for 𝑋2, 𝑋3, 𝑋4)
  49. Termwise Encoding (2): when Holder composes VP

    Same as slide 48, plus:
    BBS+.ProofGen with proof of equality; input: issuer's public key, signature, nonce & disclosed VC
  50. Termwise Encoding (2): when Holder composes VP

    Same as slide 49, plus the output of BBS+.ProofGen: NIZK proof 𝜋
  51. Termwise Encoding (2): when Holder composes VP

    Same as slide 50, plus the proofValue in VP:
      NIZK proof 𝜋
      quad mapping 𝜓 = (1→3, 2→1, 3→2)
      number of issued quads 𝐽 = 4
  52. Termwise Encoding (3): when Verifier verifies VP

    Verifier: disclosed VC in VP (Verifier's view)
      * * : VerifiableCredential (issuer = Gov; proof =)
        credentialSubject: * * : Person (*****************)
          isPatientOf: * * : Vaccination (date = 2022-04-04)
            vaccine: * * : Vaccine
  53. Termwise Encoding (3): when Verifier verifies VP

    disclosed VC in VP (Verifier's view, as on slide 52) → canonicalize & split:
      𝑋2 isPatientOf 𝑋3
      𝑋3 date 2022-04-04
      𝑋3 vaccine 𝑋4
  54. Termwise Encoding (3): when Verifier verifies VP

    Same as slide 53, plus the content of proof:
      NIZK proof 𝜋
      quad mapping 𝜓 = (1→3, 2→1, 3→2)
      number of issued quads 𝐽 = 4
  55. Termwise Encoding (3): when Verifier verifies VP

    disclosed VC in VP:
      𝑋2 isPatientOf 𝑋3
      𝑋3 date 2022-04-04
      𝑋3 vaccine 𝑋4
    quad mapping 𝜓 = (1→3, 2→1, 3→2)
    number of issued quads 𝐽 = 4
  56. Termwise Encoding (3): when Verifier verifies VP

    Same as slide 55, plus the disclosed VC (resumed layout), term positions numbered 1 to 16:
      𝑋3 date 2022-04-04
      𝑋3 vaccine 𝑋4
      𝑋2 isPatientOf 𝑋3
      *** *** *** **
  57. Termwise Encoding (3): when Verifier verifies VP

    Same as slide 56, plus:
    identify disclosed indexes = [ 2, 3, 4, 6, 8, 10, 12 ]
    identify equivalence classes = [ [ 9 ], [ 1, 5, 11 ], [ 7 ] ] (for 𝑋2, 𝑋3, 𝑋4)
  58. Termwise Encoding (3): when Verifier verifies VP

    Same as slide 57, plus:
    BBS+.ProofVerify with proof of equality; input: issuer's public key, NIZK proof 𝜋, nonce & disclosed VC
  59. Termwise Encoding (3): when Verifier verifies VP

    Same as slide 58, plus the output of BBS+.ProofVerify: valid or invalid
  60. Security and Privacy Analysis

    ◼ We defined game-based security notions of unforgeability and anonymity (based on Sanders' work for anonymous credentials @ PKC '20)
    ◼ and proved:
      ⚫ Our construction is unforgeable if the underlying anonymous credential (e.g., BBS-based) is unforgeable
      ⚫ Our construction is weakly anonymous if the underlying anonymous credential (e.g., BBS-based) is anonymous
    *Details: D. Yamamoto, Y. Suga, and K. Sako, “Formalising linked-data based verifiable credentials for selective disclosure,” in 2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 2022, pp. 52–65. https://sako-lab.jp/download.php?article=ssr2022_proceedings_dan.pdf
    *CAVEAT: our model and analysis do not take into consideration predicate proof yet
  61. Full Anonymity vs. Weak Anonymity

    Fully anonymous presentation only leaks:
    - attributes selectively disclosed by user
    - issuer's public key
    Weakly anonymous presentation additionally leaks:
    - message layout (order and total number) at the time of issuance
  62. Full Anonymity vs. Weak Anonymity

    Text as on slide 61, plus (Holder) the issued VC in the wallet:
      vc#1 : VerifiableCredential (issuer = Gov; proof = 𝜎)
        credentialSubject: xyz : Person
          children = Albert
          children = Alice
          children = Allie
  63. Full Anonymity vs. Weak Anonymity

    Same as slide 62, plus (Verifier) the disclosed VC in VP:
      vc#1 : VerifiableCredential (issuer = Gov; proof = 𝜋, 𝜓, 𝐽)
        credentialSubject: xyz : Person
          children = Albert
          *****************
          children = Allie
  64. Full Anonymity vs. Weak Anonymity

    Same as slide 63, plus the disclosed VC in the original layout (term positions numbered 1 to 12):
      xyz children Albert
      *** *** *** **
      xyz children Allie
  65. Implementations

    Implementations (published on GitHub and npm)
    ◼ @zkp-ld/jsonld-signatures-bbs
    ◼ @zkp-ld/bls12381-key-pair
    ◼ @zkp-ld/bbs-signatures
    ◼ @zkp-ld/ursa (bbs, bulletproofs-amcl)
    ZKP-LD Playground <https://playground.zkp-ld.org>
    ◼ a playground for developers
    ◼ you can sign & verify LD-based credential and show & verify presentations on browser
    ◼ with Selective Disclosure, Unlinkability, and (partially implemented) Range Proof
    Component diagram labels: @zkp-ld; bbs-signatures (TS + Rust); bbs (Rust); bls12381-key-pair (TS); zkp-ld-playground (React/TS); @mattrglobal fork; bulletproofs_amcl (Rust); Hyperledger ursa fork; veanpods (TS); rdf-bbs-signatures (TS); jsonld-bbs-signatures (TS)
  66. zk-SPARQL

    SPARQL query for presentation request → result VP:
      {
        "type": "VerifiablePresentation",
        "verifiableCredential": [
          {
            "id": "...vc#1",
            "type": "VerifiableCredential",
            "issuer": "did:example:issuer1",
            "credentialSubject": {
              "id": "anoni:RyMyF0",
              "type": "Person",
              "isPatientOf": {
                "id": "anoni:2wtQku",
                "vaccinationDate": { "@value": "2022-04-04T00:00:00Z" },
                "vaccine": { "id": "anoni:5kKKS7" }
              }
            }
          },
          {
            "id": "...vc#2",
            "type": "VerifiableCredential",
            "issuer": "did:example:issuer2",
            "credentialSubject": { "id": "anoni:5kKKS7", "status": "active" }
          }
        ]
      }
    https://github.com/zkp-ld/veanpods
  67. Summary

    Conclusions
    ⚫ Constructed an LD-based VC scheme with selective disclosure, unlinkability, and predicate proofs
    ⚫ Proposed novel use cases and provided security and privacy analysis
    ⚫ Provided prototype implementations and Web-based demo
    Future Work
    ⚫ Work-in-progress: integrate blind signing for holder-binding
    ⚫ Additional features: general predicate proofs / revocation / PPID / delegation
    ⚫ Security&Privacy: stronger anonymity / comprehensive analysis incl. predicate proofs
    ⚫ Challenge: formal verification / post-quantum security
  68. Implementation Details

    Layers: Application; BBS+ frontend; BBS+ backend + Bulletproofs; Pairing-Friendly Curves
    Component diagram labels: @zkp-ld; bbs-signatures (TS + Rust); bbs (Rust); bls12381-key-pair (TS); zkp-ld-playground (React/TS); @mattrglobal fork; bulletproofs_amcl (Rust); MIRACL (Rust, C++); Hyperledger ursa fork; pairing-plus (Rust); veanpods (TS); rdf-bbs-signatures (TS); jsonld-bbs-signatures (TS)
  69. Example VP

      {
        "@context": [ ... ],
        "type": "VerifiablePresentation",
        "verifiableCredential": [
          {
            "id": "anoni:Dx9jK2",
            "type": "VerifiableCredential",
            "credentialSubject": {
              "id": "anoni:rtxPcC",
              "type": "Person",
              "isPatientOf": {
                "id": "anoni:-wd-iG",
                "vaccine": { "id": "anoni:nihy3C" }
              },
              "date": { "range": [ ... ] }
            },
            "issuer": "did:example:Gov",
            "proof": { ... },
            ...
          },
          {
            "id": "anoni:qpLmnX",
            "type": "VerifiableCredential",
            "credentialSubject": { "id": "anoni:nihy3C", "status": "authorized" },
            "issuer": "did:example:Prv",
            "proof": { ... },
            ...
          }
        ]
      }
    Diagram, with identifiers and undisclosed values masked:
      vc#1 : VerifiableCredential (issuer = Gov; proof = NIZK)
        credentialSubject: xyz : Person (name = John Smith)
          isPatientOf: e#1 : Vaccination (date = 2022-04-04, shown as >= 2022-04)
            vaccine: v#99 : Vaccine
      vc#2 : VerifiableCredential (issuer = Prv; proof = ...)
        credentialSubject: cvx#987 : Vaccine (name = awesomeVaccine; manufacturer = example.com; status = authorized)
  70. How to Prove Predicate: when Holder composes VP

    Holder's preference:
      ✓ remove name=John Smith
      ✓ use pseudonyms: 𝑋1 for vc#1, 𝑋2 for xyz, 𝑋3 for e#1, 𝑋4 for v#99
      ✓ prove date>=2021-12-01
    issued VC in the wallet:
      vc#1 : VerifiableCredential (issuer = Gov; proof =)
        credentialSubject: xyz : Person (name = John Smith)
          isPatientOf: e#1 : Vaccination (date = 2022-04-04)
            vaccine: v#99 : Vaccine
    disclosed VC to be given as VP to the Verifier:
      * * : VerifiableCredential (issuer = Gov; proof = _)
        credentialSubject: * * : Person (*****************)
          isPatientOf: * * : Vaccination (date = * *)
            vaccine: * * : Vaccine
    canonicalize & split:
      𝑋2 isPatientOf 𝑋3
      𝑋3 date 𝑋5
      𝑋3 vaccine 𝑋4
    with commitment 𝑐 to 2022-04-04
    Bulletproofs range proof; range: [ 2021-12-01, ∞ ]
    CAVEAT: our prototype does not support datetime range proof currently (only integer)
  71. Performance Evaluation

    ◼ i7-10750H (6 cores 12 threads) CPU, 32GB RAM, Google Chrome
    ◼ takes at most 1 sec to handle < 200 RDF terms
    ◼ (the issuance of bound credentials has not yet been implemented & evaluated)
    size (bits):
      secret key: 256
      public key: 768
      signature: 896
      proof: 2944 + 256 𝑛 (𝑛 : # of hidden terms)
    Operations: VC: sign / sigVf; VP: show / verify
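  72. Syntax

    Parties: User, Issuer, Verifier
    System parameter generation: $prm \leftarrow \mathsf{prmGen}(1^{\lambda}, L)$
    Issuer key generation: $\mathsf{ikGen}(prm) \to (isk, ipk)$
    User key generation: $\mathsf{uskGen}(prm) \to usk$
    VC issuance (Issuer): $\mathsf{issue}(isk, G)$
    VC obtaining (User): $\mathsf{obtain}(usk, ipk, G) \to \sigma$
    VP showing (User): $\mathsf{show}(usk, (ipk_i, G_i, \sigma_i, b_i, \varphi_i)_i, m) \to \pi$
    VP verification (Verifier): $\mathsf{verify}((ipk_i, G_i', b_i)_i, m, \pi) \to 1$ or $0$
    $\mathsf{sign}(isk, G) \to \sigma$
    $\mathsf{sigVf}(ipk, G, \sigma) \to 1$ or $0$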
  73. Unforgeability 76 𝒜 𝑝𝑟𝑚 𝑖𝑝𝑘∗ (𝑖𝑝𝑘𝑖 ∗, 𝐺𝑖 ′∗, b𝑖

    ∗) 𝑖 m∗ 𝜋∗ 𝑖𝑠𝑘∗, 𝑖𝑝𝑘∗ ← ikGen(𝑝𝑟𝑚) for 𝑢 ∈ 𝑈 : 𝑢𝑠𝑘𝑢 ∗ ← uskGen 𝑝𝑟𝑚 let honest issuer issue VC to honest user 𝑢 let honest issuer issue VC to 𝒜 let honest user 𝑢 show VP If 𝒜 cannot output non-trivial VP forgery → unforgeable obtiss iss / sign show 𝑢, 𝐺, b 𝑐𝑖𝑑 𝑢 𝑐𝑖𝑑𝑖 , 𝜑𝑖 𝑖 m 𝜋 𝜎 𝐺 VP forgery
  74. Anonymity 77 𝒜 𝑝𝑟𝑚 𝑢0 ∗, 𝑐𝑖𝑑0,𝑖 ∗ , 𝜑0,𝑖

    ∗ 𝑖 𝑢1 ∗, 𝑐𝑖𝑑1,𝑖 ∗ , 𝜑1,𝑖 ∗ 𝑖 m∗ let honest user 𝑢 show VP show 𝑢 𝑐𝑖𝑑𝑖 , 𝜑𝑖 𝑖 m 𝜋 𝑝𝑟𝑚 ← prmGen 1𝜆, 𝐿 for 𝑢 ∈ 𝑈 : 𝑢𝑠𝑘𝑢 ∗ ← uskGen 𝑝𝑟𝑚 let honest user 𝑢 store bound VC issued by 𝒜 obt 𝑢, 𝑐𝑖𝑑, 𝑖𝑝𝑘, 𝐺 CRED𝑢0 ∗ 𝑐𝑖𝑑0,𝑖 ∗ → 𝑖𝑝𝑘0,𝑖 ∗ , 𝐺0,𝑖 ∗ , 𝜎0,𝑖 ∗ , b0,𝑖 ∗ CRED𝑢1 ∗ 𝑐𝑖𝑑1,𝑖 ∗ → 𝑖𝑝𝑘1,𝑖 ∗ , 𝐺1,𝑖 ∗ , 𝜎1,𝑖 ∗ , b1,𝑖 ∗ 𝑏 ←𝑅 0,1 𝜋∗ ← show 𝑢𝑠𝑘 𝑢𝑏 ∗ ∗ , 𝑖𝑝𝑘𝑏,𝑖 ∗ , 𝐺𝑏,𝑖 ∗ , 𝜎𝑏,𝑖 ∗ , b𝑏,𝑖 ∗ , 𝜑𝑏,𝑖 ∗ 𝑖 , m∗ 𝒜 𝜋∗ 𝑏∗ challenge pairs user VC reveal func requirement 𝑖𝑝𝑘0,𝑖 ∗ , 𝜑0,1 ∗ 𝐺0,𝑖 ∗ , b0,𝑖 ∗ 𝑖 = 𝑖𝑝𝑘1,𝑖 ∗ , 𝜑1,1 ∗ 𝐺1,𝑖 ∗ , b1,𝑖 ∗ 𝑖 weak anonymity 𝑖𝑝𝑘0,𝑖 ∗ , 𝜑0,1 ∗ canon 𝐺0,𝑖 ∗ , 𝐺0,𝑖 ∗ , b0,𝑖 ∗ 𝑖 = 𝑖𝑝𝑘1,𝑖 ∗ , 𝜑1,1 ∗ canon 𝐺1,𝑖 ∗ , 𝐺1,𝑖 ∗ , b1,𝑖 ∗ 𝑖 If 𝒜 cannot guess 𝑏 → anonymous original number and position of attributes can be leaked
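
The layout-restoration step from the Termwise Encoding slides (use 𝜓 and 𝐽 to put the disclosed quads back at their issuance positions, then derive the disclosed indexes and equivalence classes), together with the layout information that the weak-anonymity slides say is leaked, as an added JavaScript example; it is not code from the deck or from the zkp-ld repositories. The function names, the `X<n>` pseudonym pattern and the empty string used for the graph-name slot are assumptions made for illustration.

```javascript
// Added example; not code from the deck or from the zkp-ld repositories.
const TERMS_PER_QUAD = 4; // subject, predicate, object, graph name

// Put each disclosed quad back at its issuance position, using the quad
// mapping psi (1-based: disclosed position -> original position) and the
// number of issued quads J. Positions left null are fully hidden quads.
function restoreLayout(disclosedQuads, psi, J) {
  if (!Number.isInteger(J) || J < disclosedQuads.length) {
    throw new RangeError("J must be an integer >= number of disclosed quads");
  }
  const layout = new Array(J).fill(null);
  disclosedQuads.forEach((quad, k) => {
    const target = psi[k + 1];
    if (!Number.isInteger(target) || target < 1 || target > J) {
      throw new RangeError(`psi(${k + 1}) is missing or outside 1..${J}`);
    }
    if (layout[target - 1] !== null) {
      throw new Error(`psi is not injective: position ${target} used twice`);
    }
    if (!Array.isArray(quad) || quad.length !== TERMS_PER_QUAD) {
      throw new TypeError(`disclosed quad ${k + 1} must have ${TERMS_PER_QUAD} terms`);
    }
    layout[target - 1] = quad;
  });
  return layout;
}

// Walk the restored layout term by term (1-based term indexes, as on the
// slides). Literal terms are disclosed; pseudonymized terms stay hidden but
// are grouped so that equal pseudonyms can be proven equal.
function classifyTerms(layout, isPseudonym) {
  const disclosedIndexes = [];
  const hiddenQuadPositions = [];
  const byPseudonym = new Map();
  layout.forEach((quad, q) => {
    if (quad === null) {
      hiddenQuadPositions.push(q + 1);
      return;
    }
    quad.forEach((term, t) => {
      const index = q * TERMS_PER_QUAD + t + 1;
      if (isPseudonym(term)) {
        if (!byPseudonym.has(term)) byPseudonym.set(term, []);
        byPseudonym.get(term).push(index);
      } else {
        disclosedIndexes.push(index);
      }
    });
  });
  // One class per pseudonym, ordered by pseudonym label (X2, X3, X4, ...).
  const equivalenceClasses = [...byPseudonym.keys()]
    .sort()
    .map((label) => byPseudonym.get(label));
  return {
    disclosedIndexes,
    equivalenceClasses,
    // What a weakly anonymous presentation reveals beyond the disclosed terms:
    hiddenQuadPositions,
    totalQuads: layout.length,
  };
}

function analyzePresentation(disclosedQuads, psi, J, isPseudonym) {
  return classifyTerms(restoreLayout(disclosedQuads, psi, J), isPseudonym);
}

// Constructed sample input: the Verifier's canonicalized view from the slides.
// Assumptions: "" stands for the graph-name slot; pseudonyms look like X<n>.
const SAMPLE_DISCLOSED = [
  ["X2", "isPatientOf", "X3", ""],
  ["X3", "date", "2022-04-04", ""],
  ["X3", "vaccine", "X4", ""],
];
const SAMPLE_PSI = { 1: 3, 2: 1, 3: 2 }; // quad mapping from the slides
const SAMPLE_J = 4; // number of issued quads from the slides
const looksLikePseudonym = (term) => /^X\d+$/.test(term);

console.log(
  JSON.stringify(
    analyzePresentation(SAMPLE_DISCLOSED, SAMPLE_PSI, SAMPLE_J, looksLikePseudonym)
  )
);
```
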