
Linked-Data-based Verifiable Credentials with Selective Disclosure, Unlinkability, and Predicate Proofs

to be presented at W3C CCG on April 4, 2023

Dan Yamamoto

April 04, 2023

Transcript

  1. Linked-Data-based Verifiable Credentials
    with Selective Disclosure, Unlinkability,
    and Predicate Proofs
    April 4, 2023 @ W3C CCG
    Dan Yamamoto (Internet Initiative Japan Inc.)
    Yuji Suga (Internet Initiative Japan Inc.)
    Kazue Sako (Waseda University)

  2. Outline
    1. Vision and Use Case
    2. Construction
    3. Security and Privacy Analysis
    4. Implementations

  3. Our Vision
    Linked Data with Verifiability and Privacy,
    augmenting our Digital Identity

  4. Our Vision
    Linked-Data-based
    Verifiable Credentials
    with Selective Disclosure,
    Unlinkability,
    and Predicate Proofs
    Linked Data with Verifiability and Privacy,
    augmenting our Digital Identity
    Building Block

  5. Our Vision
    Linked-Data-based
    Verifiable Credentials
    with Selective Disclosure,
    Unlinkability,
    and Predicate Proofs
    We can semantically assemble and prove
    interrelated claims
    Linked Data with Verifiability and Privacy,
    augmenting our Digital Identity
    Building Block

  6. Our Vision
    Linked-Data-based
    Verifiable Credentials
    with Selective Disclosure,
    Unlinkability,
    and Predicate Proofs
    We can semantically assemble and prove
    interrelated claims
    without revealing unnecessary data
    Linked Data with Verifiability and Privacy,
    augmenting our Digital Identity
    Building Block

  7. Our Vision
    Linked-Data-based
    Verifiable Credentials
    with Selective Disclosure,
    Unlinkability,
    and Predicate Proofs
    We can semantically assemble and prove
    interrelated claims
    without revealing unnecessary data
    without revealing correlatable factors
    Linked Data with Verifiability and Privacy,
    augmenting our Digital Identity
    Building Block

  8. Our Vision
    Linked-Data-based
    Verifiable Credentials
    with Selective Disclosure,
    Unlinkability,
    and Predicate Proofs
    We can semantically assemble and prove
    interrelated claims
    without revealing unnecessary data
    without revealing correlatable factors
    with proving various relations among
    revealed/unrevealed linked data
    Linked Data with Verifiability and Privacy,
    augmenting our Digital Identity
    Building Block

  9. Example Use Case
    VC1
    Issuer
    Verifier
    Holder

  10. xyz : Person
    name = John Smith
    credentialSubject
    e#1 : Vaccination
    date = 2022-04-04
    isPatientOf v#99: Vaccine
    vaccine
    vc#1 : VerifiableCredential
    issuer = Gov; proof = 𝜎
    Example Use Case
    VC1
    Issuer
    Verifier
    Holder

  11. xyz : Person
    name = John Smith
    credentialSubject
    e#1 : Vaccination
    date = 2022-04-04
    isPatientOf v#99: Vaccine
    vaccine
    vc#1 : VerifiableCredential
    issuer = Gov; proof = 𝜎
    Example Use Case
    VC1
    Issuer
    Verifier
    Holder
    Prove that you got vaccinated
    using authorized vaccine
    after April 2022 !

  12. xyz : Person
    name = John Smith
    credentialSubject
    e#1 : Vaccination
    date = 2022-04-04
    isPatientOf v#99: Vaccine
    vaccine
    vc#1 : VerifiableCredential
    issuer = Gov; proof = 𝜎
    Example Use Case
    VC1
    Issuer
    Verifier
    Holder
    Is it
    authorized?
    v#99
    Prove that you got vaccinated
    using authorized vaccine
    after April 2022 !

  13. xyz : Person
    name = John Smith
    credentialSubject
    e#1 : Vaccination
    date = 2022-04-04
    isPatientOf v#99: Vaccine
    vaccine
    vc#1 : VerifiableCredential
    issuer = Gov; proof = 𝜎
    Example Use Case
    VC1
    Issuer
    Verifier
    Holder
    Is it
    authorized?
    v#99
    Prove that you got vaccinated
    using authorized vaccine
    after April 2022 !
    fetch

  14. xyz : Person
    name = John Smith
    credentialSubject
    e#1 : Vaccination
    date = 2022-04-04
    isPatientOf v#99: Vaccine
    vaccine
    vc#1 : VerifiableCredential
    issuer = Gov; proof = 𝜎
    Example Use Case
    VC1
    VC2
    Issuer
    (vaccine info
    provider)
    Issuer
    Verifier
    Holder
    Is it
    authorized?
    v#99
    Prove that you got vaccinated
    using authorized vaccine
    after April 2022 !
    fetch

  15. xyz : Person
    name = John Smith
    credentialSubject
    e#1 : Vaccination
    date = 2022-04-04
    isPatientOf v#99: Vaccine
    vaccine
    vc#1 : VerifiableCredential
    issuer = Gov; proof = 𝜎
    Example Use Case
    VC1
    VC2
    vc#2: VerifiableCredential
    issuer = Prv; proof = ...
    v#99 : Vaccine
    name = awesomeVaccine
    manufacturer = example.com
    status = authorized
    credentialSubject
    Issuer
    (vaccine info
    provider)
    Issuer
    Verifier
    Holder
    Is it
    authorized?
    v#99
    Prove that you got vaccinated
    using authorized vaccine
    after April 2022 !
    fetch

  16. xyz : Person
    name = John Smith
    credentialSubject
    e#1 : Vaccination
    date = 2022-04-04
    isPatientOf v#99: Vaccine
    vaccine
    vc#1 : VerifiableCredential
    issuer = Gov; proof = 𝜎
    Example Use Case
    VC1
    VC2
    vc#2: VerifiableCredential
    issuer = Prv; proof = ...
    v#99 : Vaccine
    name = awesomeVaccine
    manufacturer = example.com
    status = authorized
    credentialSubject
    Issuer
    (vaccine info
    provider)
    Issuer
    Verifier
    Holder
    Is it
    authorized?
    v#99
    link data
    Prove that you got vaccinated
    using authorized vaccine
    after April 2022 !
    fetch

  17. xyz : Person
    name = John Smith
    credentialSubject
    e#1 : Vaccination
    date = 2022-04-04
    isPatientOf v#99: Vaccine
    vaccine
    vc#1 : VerifiableCredential
    issuer = Gov; proof = 𝜎
    Example Use Case
    VC1
    VC2
    vc#2: VerifiableCredential
    issuer = Prv; proof = ...
    v#99 : Vaccine
    name = awesomeVaccine
    manufacturer = example.com
    status = authorized
    credentialSubject
    Issuer
    (vaccine info
    provider)
    Issuer
    Verifier
    Holder
    Prove that you got vaccinated
    using authorized vaccine
    after April 2022 !

  18. xyz : Person
    name = John Smith
    credentialSubject
    e#1 : Vaccination
    date = 2022-04-04
    isPatientOf v#99: Vaccine
    vaccine
    vc#1 : VerifiableCredential
    issuer = Gov; proof = 𝜎
    Example Use Case
    VC1
    VC2
    vc#2: VerifiableCredential
    issuer = Prv; proof = ...
    v#99 : Vaccine
    name = awesomeVaccine
    manufacturer = example.com
    status = authorized
    credentialSubject
    Issuer
    (vaccine info
    provider)
    Issuer
    Verifier
    Holder
    Prove that you got vaccinated
    using authorized vaccine
    after April 2022 !
    Selective
    Disclosure

  19. xyz : Person
    name = John Smith
    credentialSubject
    e#1 : Vaccination
    date = 2022-04-04
    isPatientOf v#99: Vaccine
    vaccine
    vc#1 : VerifiableCredential
    issuer = Gov; proof = 𝜎
    Example Use Case
    VC1
    VC2
    vc#2: VerifiableCredential
    issuer = Prv; proof = ...
    v#99 : Vaccine
    name = awesomeVaccine
    manufacturer = example.com
    status = authorized
    credentialSubject
    Issuer
    (vaccine info
    provider)
    Issuer
    Verifier
    Holder
    Prove that you got vaccinated
    using authorized vaccine
    after April 2022 !
    [Figure overlay on VC1 and VC2: identifiers replaced by pseudonyms 𝑋1, 𝑋2, 𝑋3, 𝑋4 (twice), 𝑋5; other undisclosed values masked with asterisks]
    Selective Disclosure

  20. xyz : Person
    name = John Smith
    credentialSubject
    e#1 : Vaccination
    date = 2022-04-04
    isPatientOf v#99: Vaccine
    vaccine
    vc#1 : VerifiableCredential
    issuer = Gov; proof = 𝜎
    Example Use Case
    VC1
    VC2
    vc#2: VerifiableCredential
    issuer = Prv; proof = ...
    v#99 : Vaccine
    name = awesomeVaccine
    manufacturer = example.com
    status = authorized
    credentialSubject
    Issuer
    (vaccine info
    provider)
    Issuer
    Verifier
    Holder
    Prove that you got vaccinated
    using authorized vaccine
    after April 2022 !
    [Figure overlay on VC1 and VC2: identifiers replaced by pseudonyms 𝑋1, 𝑋2, 𝑋3, 𝑋4 (twice), 𝑋5; other undisclosed values masked with asterisks]
    Selective Disclosure
    Proof of Equality

  21. xyz : Person
    name = John Smith
    credentialSubject
    e#1 : Vaccination
    date = 2022-04-04
    isPatientOf v#99: Vaccine
    vaccine
    vc#1 : VerifiableCredential
    issuer = Gov; proof = 𝜎
    Example Use Case
    VC1
    VC2
    vc#2: VerifiableCredential
    issuer = Prv; proof = ...
    v#99 : Vaccine
    name = awesomeVaccine
    manufacturer = example.com
    status = authorized
    credentialSubject
    Issuer
    (vaccine info
    provider)
    Issuer
    Verifier
    Holder
    Prove that you got vaccinated
    using authorized vaccine
    after April 2022 !
    [Figure overlay on VC1 and VC2: identifiers replaced by pseudonyms 𝑋1, 𝑋2, 𝑋3, 𝑋4 (twice), 𝑋5; other undisclosed values masked with asterisks]
    Selective Disclosure
    𝜎 NIZK
    Unlinkability
    Proof of Equality

  22. xyz : Person
    name = John Smith
    credentialSubject
    e#1 : Vaccination
    date = 2022-04-04
    isPatientOf v#99: Vaccine
    vaccine
    vc#1 : VerifiableCredential
    issuer = Gov; proof = 𝜎
    Example Use Case
    VC1
    VC2
    vc#2: VerifiableCredential
    issuer = Prv; proof = ...
    v#99 : Vaccine
    name = awesomeVaccine
    manufacturer = example.com
    status = authorized
    credentialSubject
    Issuer
    (vaccine info
    provider)
    Issuer
    Verifier
    Holder
    Prove that you got vaccinated
    using authorized vaccine
    after April 2022 !
    [Figure overlay on VC1 and VC2: identifiers replaced by pseudonyms 𝑋1, 𝑋2, 𝑋3, 𝑋4 (twice), 𝑋5; other undisclosed values masked with asterisks]
    Selective Disclosure
    𝜎 NIZK
    Unlinkability
    >= 2022-04
    Predicate Proof
    Proof of Equality

  23. xyz : Person
    name = John Smith
    credentialSubject
    e#1 : Vaccination
    date = 2022-04-04
    isPatientOf v#99: Vaccine
    vaccine
    vc#1 : VerifiableCredential
    issuer = Gov; proof = 𝜎
    Example Use Case
    VC1
    VC2
    vc#2: VerifiableCredential
    issuer = Prv; proof = ...
    v#99 : Vaccine
    name = awesomeVaccine
    manufacturer = example.com
    status = authorized
    credentialSubject
    Issuer
    (vaccine info
    provider)
    Issuer
    Verifier
    Holder
    Prove that you got vaccinated
    using authorized vaccine
    after April 2022 !
    [Figure overlay on VC1 and VC2: identifiers replaced by pseudonyms 𝑋1, 𝑋2, 𝑋3, 𝑋4 (twice), 𝑋5; other undisclosed values masked with asterisks]
    Selective Disclosure
    𝜎 NIZK
    Unlinkability
    >= 2022-04
    VP
    Predicate Proof
    Proof of Equality

  24. xyz : Person
    name = John Smith
    credentialSubject
    e#1 : Vaccination
    date = 2022-04-04
    isPatientOf v#99: Vaccine
    vaccine
    vc#1 : VerifiableCredential
    issuer = Gov; proof = 𝜎
    Example Use Case
    VC1
    VC2
    vc#2: VerifiableCredential
    issuer = Prv; proof = ...
    v#99 : Vaccine
    name = awesomeVaccine
    manufacturer = example.com
    status = authorized
    credentialSubject
    Issuer
    (vaccine info
    provider)
    Issuer
    Verifier
    Holder
    Prove that you got vaccinated
    using authorized vaccine
    after April 2022 !
    [Figure overlay on VC1 and VC2: identifiers replaced by pseudonyms 𝑋1, 𝑋2, 𝑋3, 𝑋4 (twice), 𝑋5; other undisclosed values masked with asterisks]
    Selective Disclosure
    𝜎 NIZK
    Unlinkability
    I (anonymized) got vaccinated
    using authorized vaccine (anonymized)
    after April 2022 (without exact date)
    >= 2022-04
    VP
    Predicate Proof
    Proof of Equality

  25. How to Construct It
    BBS+ Signatures + Termwise Encoding
    BBS+ Signatures
    BBS+ Signatures + Termwise Encoding
    BBS+ Signatures + Termwise Encoding + General-Purpose ZKP (e.g., Bulletproofs)
    Selective Disclosure
    Unlinkability
    Predicate Proof*
    Proof of Equality
    A variation of BbsSignature2020 (LDP-BBS)

  26. How to Construct It
    BBS+ Signatures + Termwise Encoding
    BBS+ Signatures
    BBS+ Signatures + Termwise Encoding
    BBS+ Signatures + Termwise Encoding + General-Purpose ZKP (e.g., Bulletproofs)
    Selective Disclosure
    Unlinkability
    Predicate Proof*
    Proof of Equality
    A variation of BbsSignature2020 (LDP-BBS)
    CAVEAT: our prototype currently supports positive-integer range proofs only

  27. BBS+ Signatures
    ◼ Multi-message signatures with built-in ZKP for selective disclosure and unlinkability
    ◼ Currently being standardized by the IRTF CFRG

  28. BBS+ Signatures
    ◼ Multi-message signatures with built-in ZKP for selective disclosure and unlinkability
    ◼ Currently being standardized by the IRTF CFRG
    BBS+.Sign (Issuer)
    input: [ 𝑚1, 𝑚2, … ]: messages
    input: 𝑠𝑘: issuer's secret key
    output: 𝜎: signature

  29. BBS+ Signatures
    ◼ Multi-message signatures with built-in ZKP for selective disclosure and unlinkability
    ◼ Currently being standardized by the IRTF CFRG
    BBS+.Sign (Issuer)
    input: [ 𝑚1, 𝑚2, … ]: messages
    input: 𝑠𝑘: issuer's secret key
    output: 𝜎: signature
    BBS+.ProofGen (Holder)
    input: [ 𝑚1, 𝑚2, … ]: messages
    input: 𝑝𝑘: issuer's public key
    input: 𝜎: signature
    input: [ 𝑖1, 𝑖2, … ]: disclosed indexes
    output: 𝜋: proof (for disclosed messages)

  30. BBS+ Signatures
    ◼ Multi-message signatures with built-in ZKP for selective disclosure and unlinkability
    ◼ Currently being standardized by the IRTF CFRG
    BBS+.Sign (Issuer)
    input: [ 𝑚1, 𝑚2, … ]: messages
    input: 𝑠𝑘: issuer's secret key
    output: 𝜎: signature
    BBS+.ProofGen (Holder)
    input: [ 𝑚1, 𝑚2, … ]: messages
    input: 𝑝𝑘: issuer's public key
    input: 𝜎: signature
    input: [ 𝑖1, 𝑖2, … ]: disclosed indexes
    output: 𝜋: proof (for disclosed messages)
    BBS+.ProofVerify (Verifier)
    input: [ 𝑚𝑖1, 𝑚𝑖2, … ]: disclosed messages
    input: 𝑝𝑘: issuer's public key
    input: 𝜋: proof
    input: [ 𝑖1, 𝑖2, … ]: disclosed indexes
    output: valid or invalid

  31. BBS+ Signatures
    ◼ Multi-message signatures with built-in ZKP for selective disclosure and unlinkability
    ◼ Currently being standardized by the IRTF CFRG
    BBS+.Sign (Issuer)
    input: [ 𝑚1, 𝑚2, … ]: messages
    input: 𝑠𝑘: issuer's secret key
    output: 𝜎: signature
    BBS+.ProofGen (Holder)
    input: [ 𝑚1, 𝑚2, … ]: messages
    input: 𝑝𝑘: issuer's public key
    input: 𝜎: signature
    input: [ 𝑖1, 𝑖2, … ]: disclosed indexes
    output: 𝜋: proof (for disclosed messages)
    BBS+.ProofVerify (Verifier)
    input: [ 𝑚𝑖1, 𝑚𝑖2, … ]: disclosed messages
    input: 𝑝𝑘: issuer's public key
    input: 𝜋: proof
    input: [ 𝑖1, 𝑖2, … ]: disclosed indexes
    output: valid or invalid
    BBS+ Signatures expect an array of scalars as input
    → We need to encode JSON-LD/RDF to a scalar array
    → Termwise Encoding

  32. Termwise Encoding (1): when Issuer issues VC
    xyz : Person
    name = John Smith
    credentialSubject
    e#1 : Vaccination
    date = 2022-04-04
    isPatientOf
    v#99: Vaccine
    vaccine
    vc#1 : VerifiableCredential
    issuer = Gov; proof = _
    Draft of VC
    to be signed
    Issuer

  33. Termwise Encoding (1): when Issuer issues VC
    xyz : Person
    name = John Smith
    credentialSubject
    e#1 : Vaccination
    date = 2022-04-04
    isPatientOf
    v#99: Vaccine
    vaccine
    vc#1 : VerifiableCredential
    issuer = Gov; proof = _
    e#1 date 2022-04-04 .
    e#1 vaccine v#99 .
    xyz isPatientOf e#1 .
    xyz name John Smith .
    canonicalize
    RDF N-Quads (sorted)
    Draft of VC
    to be signed
    ...
    Issuer

  34. Termwise Encoding (1): when Issuer issues VC
    e#1 date 2022-04-04 .
    e#1 vaccine v#99 .
    xyz isPatientOf e#1 .
    xyz name John Smith .
    RDF N-Quads (sorted)
    ...
    Issuer

  35. Termwise Encoding (1): when Issuer issues VC
    split into RDF terms
    e#1 date 2022-04-04
    e#1 vaccine v#99
    xyz isPatientOf e#1
    xyz name John Smith
    array of RDF terms
    e#1 date 2022-04-04 .
    e#1 vaccine v#99 .
    xyz isPatientOf e#1 .
    xyz name John Smith .
    RDF N-Quads (sorted)
    ... ...
    Issuer

  36. Termwise Encoding (1): when Issuer issues VC
    e#1 date 2022-04-04
    e#1 vaccine v#99
    xyz isPatientOf e#1
    xyz name John Smith
    array of RDF terms
    ...
    Issuer

  37. Termwise Encoding (1): when Issuer issues VC
    e#1 date 2022-04-04
    e#1 vaccine v#99
    xyz isPatientOf e#1
    xyz name John Smith
    array of RDF terms
    1 2 3 4
    5 6 7 8
    9 10 11 12
    13 14 15 16
    ...
    Issuer

  38. Termwise Encoding (1): when Issuer issues VC
    e#1 date 2022-04-04
    e#1 vaccine v#99
    xyz isPatientOf e#1
    xyz name John Smith
    array of RDF terms
    BBS+.Sign
    1 2 3 4
    5 6 7 8
    9 10 11 12
    13 14 15 16
    issuer's secret key
    ...
    Issuer

  39. xyz : Person
    name = John Smith
    credentialSubject
    e#1 : Vaccination
    date = 2022-04-04
    isPatientOf
    v#99: Vaccine
    vaccine
    vc#1 : VerifiableCredential
    issuer = Gov; proof = 𝜎
    Termwise Encoding (1): when Issuer issues VC
    e#1 date 2022-04-04
    e#1 vaccine v#99
    xyz isPatientOf e#1
    xyz name John Smith
    array of RDF terms
    BBS+.Sign
    1 2 3 4
    5 6 7 8
    9 10 11 12
    13 14 15 16
    issuer's secret key
    issued VC
    ...
    Issuer

  40. Termwise Encoding (2): when Holder composes VP
    issued VC in the wallet
    xyz : Person
    name = John Smith
    credentialSubject
    e#1 : Vaccination
    date = 2022-04-04
    isPatientOf
    v#99: Vaccine
    vaccine
    vc#1 : VerifiableCredential
    issuer = Gov; proof =
    Holder

  41. Termwise Encoding (2): when Holder composes VP
    issued VC in the wallet
    xyz : Person
    name = John Smith
    credentialSubject
    e#1 : Vaccination
    date = 2022-04-04
    isPatientOf
    v#99: Vaccine
    vaccine
    vc#1 : VerifiableCredential
    issuer = Gov; proof =
    Holder's preference
    ✓ remove name=John Smith
    ✓ use pseudonyms: 𝑋1 for vc#1, 𝑋2 for xyz, 𝑋3 for e#1, 𝑋4 for v#99
    Holder

  42. Termwise Encoding (2): when Holder composes VP
    issued VC in the wallet
    disclosed VC
    to be given as VP to the Verifier
    (= Verifier's view)
    xyz : Person
    name = John Smith
    credentialSubject
    e#1 : Vaccination
    date = 2022-04-04
    isPatientOf
    v#99: Vaccine
    vaccine
    vc#1 : VerifiableCredential
    issuer = Gov; proof =
    * * : Person
    *****************
    credentialSubject
    * *: Vaccination
    date = 2022-04-04
    isPatientOf
    * *: Vaccine
    vaccine
    * * : VerifiableCredential
    issuer = Gov; proof = _
    Holder's preference
    ✓ remove name=John Smith
    ✓ use pseudonyms: 𝑋1 for vc#1, 𝑋2 for xyz, 𝑋3 for e#1, 𝑋4 for v#99
    Holder

  43. Termwise Encoding (2): when Holder composes VP
    canonicalize & split
    (same as Issuer did)
    e#1 date 2022-04-04
    e#1 vaccine v#99
    xyz isPatientOf e#1
    xyz name John Smith
    issued VC in the wallet
    disclosed VC
    to be given as VP to the Verifier
    (= Verifier's view)
    canonicalize & split
    (same as Verifier would do)
    𝑋2 isPatientOf 𝑋3
    𝑋3 date 2022-04-04
    𝑋3 vaccine 𝑋4
    xyz : Person
    name = John Smith
    credentialSubject
    e#1 : Vaccination
    date = 2022-04-04
    isPatientOf
    v#99: Vaccine
    vaccine
    vc#1 : VerifiableCredential
    issuer = Gov; proof =
    * * : Person
    *****************
    credentialSubject
    * *: Vaccination
    date = 2022-04-04
    isPatientOf
    * *: Vaccine
    vaccine
    * * : VerifiableCredential
    issuer = Gov; proof = _
    Holder's preference
    ✓ remove name=John Smith
    ✓ use pseudonyms: 𝑋1 for vc#1, 𝑋2 for xyz, 𝑋3 for e#1, 𝑋4 for v#99
    Holder

  44. Termwise Encoding (2): when Holder composes VP
    canonicalize & split
    (same as Issuer did)
    e#1 date 2022-04-04
    e#1 vaccine v#99
    xyz isPatientOf e#1
    xyz name John Smith
    issued VC in the wallet
    disclosed VC
    to be given as VP to the Verifier
    (= Verifier's view)
    canonicalize & split
    (same as Verifier would do)
    𝑋2 isPatientOf 𝑋3
    𝑋3 date 2022-04-04
    𝑋3 vaccine 𝑋4
    xyz : Person
    name = John Smith
    credentialSubject
    e#1 : Vaccination
    date = 2022-04-04
    isPatientOf
    v#99: Vaccine
    vaccine
    vc#1 : VerifiableCredential
    issuer = Gov; proof =
    * * : Person
    *****************
    credentialSubject
    * *: Vaccination
    date = 2022-04-04
    isPatientOf
    * *: Vaccine
    vaccine
    * * : VerifiableCredential
    issuer = Gov; proof = _
    Verifier's view will differ from the original layout
    due to selective disclosure & pseudonyms
    Holder's preference
    ✓ remove name=John Smith
    ✓ use pseudonyms: 𝑋1 for vc#1, 𝑋2 for xyz, 𝑋3 for e#1, 𝑋4 for v#99
    Holder

  45. Termwise Encoding (2): when Holder composes VP
    e#1 date 2022-04-04
    e#1 vaccine v#99
    xyz isPatientOf e#1
    xyz name John Smith
    issued VC in the wallet disclosed VC (= Verifier's view)
    𝑋2 isPatientOf 𝑋3
    𝑋3 date 2022-04-04
    𝑋3 vaccine 𝑋4
    Holder

  46. Termwise Encoding (2): when Holder composes VP
    e#1 date 2022-04-04
    e#1 vaccine v#99
    xyz isPatientOf e#1
    xyz name John Smith
    issued VC in the wallet disclosed VC (= Verifier's view)
    𝑋2 isPatientOf 𝑋3
    𝑋3 date 2022-04-04
    𝑋3 vaccine 𝑋4
    compute a quad-to-quad mapping from disclosed quads to original ones = (1→3, 2→1, 3→2)
    and the number of issued quads = 4,
    which allow the Verifier to restore the original layout from the disclosed VC
    (1)
    (2)
    (3)
    (1)
    (2)
    (3)
    (4)
    Holder

  47. Termwise Encoding (2): when Holder composes VP
    e#1 date 2022-04-04
    e#1 vaccine v#99
    xyz isPatientOf e#1
    xyz name John Smith
    issued VC in the wallet disclosed VC (= Verifier's view)
    𝑋2 isPatientOf 𝑋3
    𝑋3 date 2022-04-04
    𝑋3 vaccine 𝑋4
    compute a quad-to-quad mapping from disclosed quads to original ones = (1→3, 2→1, 3→2)
    and the number of issued quads = 4,
    which allow the Verifier to restore the original layout from the disclosed VC
    𝑋3 date 2022-04-04
    𝑋3 vaccine 𝑋4
    𝑋2 isPatientOf 𝑋3
    *** *** *** **
    disclosed VC in the original layout
    (1)
    (2)
    (3)
    (1)
    (2)
    (3)
    (4)
    Holder

  48. Termwise Encoding (2): when Holder composes VP
    e#1 date 2022-04-04
    e#1 vaccine v#99
    xyz isPatientOf e#1
    xyz name John Smith
    issued VC in the wallet
    𝑋3 date 2022-04-04
    𝑋3 vaccine 𝑋4
    𝑋2 isPatientOf 𝑋3
    *** *** *** **
    disclosed VC in the original layout
    1 2 3 4
    5 6 7 8
    9 10 11 12
    13 14 15 16
    1 2 3 4
    5 6 7 8
    9 10 11 12
    13 14 15 16
    Holder

  49. Termwise Encoding (2): when Holder composes VP
    e#1 date 2022-04-04
    e#1 vaccine v#99
    xyz isPatientOf e#1
    xyz name John Smith
    issued VC in the wallet
    𝑋3 date 2022-04-04
    𝑋3 vaccine 𝑋4
    𝑋2 isPatientOf 𝑋3
    *** *** *** **
    disclosed VC in the original layout
    1 2 3 4
    5 6 7 8
    9 10 11 12
    13 14 15 16
    1 2 3 4
    5 6 7 8
    9 10 11 12
    13 14 15 16
    identify disclosed indexes = [ 2, 3, 4, 6, 8, 10, 12 ]
    Holder

  50. Termwise Encoding (2): when Holder composes VP
    e#1 date 2022-04-04
    e#1 vaccine v#99
    xyz isPatientOf e#1
    xyz name John Smith
    issued VC in the wallet
    𝑋3 date 2022-04-04
    𝑋3 vaccine 𝑋4
    𝑋2 isPatientOf 𝑋3
    *** *** *** **
    disclosed VC in the original layout
    1 2 3 4
    5 6 7 8
    9 10 11 12
    13 14 15 16
    1 2 3 4
    5 6 7 8
    9 10 11 12
    13 14 15 16
    identify disclosed indexes = [ 2, 3, 4, 6, 8, 10, 12 ]
    identify "equivalence classes" = [ [ 9 ], [ 1, 5, 11 ], [ 7 ] ] (for 𝑋2, 𝑋3, 𝑋4)
    Holder

  51. Termwise Encoding (2): when Holder composes VP
    e#1 date 2022-04-04
    e#1 vaccine v#99
    xyz isPatientOf e#1
    xyz name John Smith
    issued VC in the wallet
    𝑋3 date 2022-04-04
    𝑋3 vaccine 𝑋4
    𝑋2 isPatientOf 𝑋3
    *** *** *** **
    disclosed VC in the original layout
    1 2 3 4
    5 6 7 8
    9 10 11 12
    13 14 15 16
    1 2 3 4
    5 6 7 8
    9 10 11 12
    13 14 15 16
    BBS+.ProofGen
    with proof of equality
    issuer's public key,
    signature,
    nonce & disclosed VC
    identify disclosed indexes = [ 2, 3, 4, 6, 8, 10, 12 ]
    identify "equivalence classes" = [ [ 9 ], [ 1, 5, 11 ], [ 7 ] ] (for 𝑋2, 𝑋3, 𝑋4)
    Holder

  52. Termwise Encoding (2): when Holder composes VP
    e#1 date 2022-04-04
    e#1 vaccine v#99
    xyz isPatientOf e#1
    xyz name John Smith
    issued VC in the wallet
    𝑋3 date 2022-04-04
    𝑋3 vaccine 𝑋4
    𝑋2 isPatientOf 𝑋3
    *** *** *** **
    disclosed VC in the original layout
    1 2 3 4
    5 6 7 8
    9 10 11 12
    13 14 15 16
    1 2 3 4
    5 6 7 8
    9 10 11 12
    13 14 15 16
    BBS+.ProofGen
    with proof of equality
    issuer's public key,
    signature,
    nonce & disclosed VC
    identify disclosed indexes = [ 2, 3, 4, 6, 8, 10, 12 ]
    identify "equivalence classes" = [ [ 9 ], [ 1, 5, 11 ], [ 7 ] ] (for 𝑋2, 𝑋3, 𝑋4)
    NIZK proof 𝜋
    Holder

  53. Termwise Encoding (2): when Holder composes VP
    e#1 date 2022-04-04
    e#1 vaccine v#99
    xyz isPatientOf e#1
    xyz name John Smith
    issued VC in the wallet
    𝑋3 date 2022-04-04
    𝑋3 vaccine 𝑋4
    𝑋2 isPatientOf 𝑋3
    *** *** *** **
    disclosed VC in the original layout
    1 2 3 4
    5 6 7 8
    9 10 11 12
    13 14 15 16
    1 2 3 4
    5 6 7 8
    9 10 11 12
    13 14 15 16
    BBS+.ProofGen
    with proof of equality
    issuer's public key,
    signature,
    nonce & disclosed VC
    identify disclosed indexes = [ 2, 3, 4, 6, 8, 10, 12 ]
    identify "equivalence classes" = [ [ 9 ], [ 1, 5, 11 ], [ 7 ] ] (for 𝑋2, 𝑋3, 𝑋4)
    NIZK proof 𝜋
    quad mapping 𝜓 = (1→3, 2→1, 3→2)
    number of issued quads 𝐽 = 4
    proofValue
    in VP
    Holder

  54. Termwise Encoding (3): when Verifier verifies VP
    disclosed VC in VP (Verifier's view)
    * * : Person
    *****************
    credentialSubject
    * *: Vaccination
    date = 2022-04-04
    isPatientOf
    * *: Vaccine
    vaccine
    * * : VerifiableCredential
    issuer = Gov; proof =
    Verifier

  55. Termwise Encoding (3): when Verifier verifies VP
    disclosed VC in VP (Verifier's view)
    canonicalize & split
    𝑋2 isPatientOf 𝑋3
    𝑋3 date 2022-04-04
    𝑋3 vaccine 𝑋4
    * * : Person
    *****************
    credentialSubject
    * *: Vaccination
    date = 2022-04-04
    isPatientOf
    * *: Vaccine
    vaccine
    * * : VerifiableCredential
    issuer = Gov; proof =
    Verifier

  56. Termwise Encoding (3): when Verifier verifies VP
    disclosed VC in VP (Verifier's view)
    canonicalize & split
    𝑋2 isPatientOf 𝑋3
    𝑋3 date 2022-04-04
    𝑋3 vaccine 𝑋4
    * * : Person
    *****************
    credentialSubject
    * *: Vaccination
    date = 2022-04-04
    isPatientOf
    * *: Vaccine
    vaccine
    * * : VerifiableCredential
    issuer = Gov; proof =
    NIZK proof 𝜋
    quad mapping 𝜓 = (1→3, 2→1, 3→2)
    number of issued quads 𝐽 = 4
    Verifier

  57. Termwise Encoding (3): when Verifier verifies VP
    𝑋2 isPatientOf 𝑋3
    𝑋3 date 2022-04-04
    𝑋3 vaccine 𝑋4
    quad mapping 𝜓 = (1→3, 2→1, 3→2)
    number of issued quads 𝐽 = 4
    disclosed VC in VP
    Verifier

  58. Termwise Encoding (3): when Verifier verifies VP
    𝑋2 isPatientOf 𝑋3
    𝑋3 date 2022-04-04
    𝑋3 vaccine 𝑋4
    quad mapping 𝜓 = (1→3, 2→1, 3→2)
    number of issued quads 𝐽 = 4
    disclosed VC in VP
    𝑋3 date 2022-04-04
    𝑋3 vaccine 𝑋4
    𝑋2 isPatientOf 𝑋3
    *** *** *** **
    disclosed VC (resumed layout)
    1 2 3 4
    5 6 7 8
    9 10 11 12
    13 14 15 16
    Verifier

  59. Termwise Encoding (3): when Verifier verifies VP
    𝑋2 isPatientOf 𝑋3
    𝑋3 date 2022-04-04
    𝑋3 vaccine 𝑋4
    quad mapping 𝜓 = (1→3, 2→1, 3→2)
    number of issued quads 𝐽 = 4
    disclosed VC in VP
    𝑋3 date 2022-04-04
    𝑋3 vaccine 𝑋4
    𝑋2 isPatientOf 𝑋3
    *** *** *** **
    disclosed VC (resumed layout)
    1 2 3 4
    5 6 7 8
    9 10 11 12
    13 14 15 16
    identify disclosed indexes = [ 2, 3, 4, 6, 8, 10, 12 ]
    identify equivalence classes = [ [ 9 ], [ 1, 5, 11 ], [ 7 ] ] (for 𝑋2, 𝑋3, 𝑋4)
    Verifier

  60. Termwise Encoding (3): when Verifier verifies VP
    𝑋2 isPatientOf 𝑋3
    𝑋3 date 2022-04-04
    𝑋3 vaccine 𝑋4
    quad mapping 𝜓 = (1→3, 2→1, 3→2)
    number of issued quads 𝐽 = 4
    disclosed VC in VP
    𝑋3 date 2022-04-04
    𝑋3 vaccine 𝑋4
    𝑋2 isPatientOf 𝑋3
    *** *** *** **
    disclosed VC (resumed layout)
    BBS+.ProofVerify
    with proof of equality
    issuer's public key,
    NIZK proof 𝜋,
    nonce & disclosed VC
    1 2 3 4
    5 6 7 8
    9 10 11 12
    13 14 15 16
    identify disclosed indexes = [ 2, 3, 4, 6, 8, 10, 12 ]
    identify equivalence classes = [ [ 9 ], [ 1, 5, 11 ], [ 7 ] ] (for 𝑋2, 𝑋3, 𝑋4)
    Verifier

  61. Termwise Encoding (3): when Verifier verifies VP
    𝑋2 isPatientOf 𝑋3
    𝑋3 date 2022-04-04
    𝑋3 vaccine 𝑋4
    quad mapping 𝜓 = (1→3, 2→1, 3→2)
    number of issued quads 𝐽 = 4
    disclosed VC in VP
    𝑋3 date 2022-04-04
    𝑋3 vaccine 𝑋4
    𝑋2 isPatientOf 𝑋3
    *** *** *** **
    disclosed VC (resumed layout)
    BBS+.ProofVerify
    with proof of equality
    issuer's public key,
    NIZK proof 𝜋,
    nonce & disclosed VC
    1 2 3 4
    5 6 7 8
    9 10 11 12
    13 14 15 16
    identify disclosed indexes = [ 2, 3, 4, 6, 8, 10, 12 ]
    identify equivalence classes = [ [ 9 ], [ 1, 5, 11 ], [ 7 ] ] (for 𝑋2, 𝑋3, 𝑋4)
    valid or invalid
    Verifier
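
    The index bookkeeping the Verifier performs on slides 59 to 61, as an added example (not code from the deck or from the zkp-ld repositories): it puts the disclosed quads back at their issuance positions using 𝜓 and 𝐽, then derives the disclosed indexes and equivalence classes shown on the slide. The function names, the `X<n>` pseudonym convention and the placeholder graph term `G` are assumptions; the checks reject a 𝜓 that is out of range or not injective before anything is handed to proof verification.

```javascript
// Added example; not code from the deck or from the zkp-ld repositories.
const TERMS_PER_QUAD = 4; // subject, predicate, object, graph
// Assumption: pseudonyms are written X2, X3, ... as on the slide.
const isPseudonym = (term) => /^X\d+$/.test(term);

// Put the disclosed quads back at their issuance positions using psi and J.
function restoreLayout(disclosedQuads, psi, J) {
  if (!Number.isInteger(J) || J < disclosedQuads.length) {
    throw new Error("J must be an integer >= number of disclosed quads");
  }
  const layout = new Array(J).fill(null); // null = quad withheld by the holder
  disclosedQuads.forEach((quad, k) => {
    const target = psi[k + 1]; // psi is 1-based, as on the slide
    if (!Number.isInteger(target) || target < 1 || target > J) {
      throw new Error(`psi(${k + 1}) is missing or out of range`);
    }
    if (layout[target - 1] !== null) throw new Error("psi is not injective");
    if (quad.length !== TERMS_PER_QUAD) throw new Error("malformed quad");
    layout[target - 1] = quad;
  });
  return layout;
}

// Derive disclosed term indexes and pseudonym equivalence classes (1-based).
function indexTerms(layout) {
  const disclosed = [];
  const classes = new Map(); // pseudonym -> term indexes
  layout.forEach((quad, q) => {
    if (quad === null) return; // its four terms stay hidden
    quad.forEach((term, t) => {
      const idx = q * TERMS_PER_QUAD + t + 1;
      if (!isPseudonym(term)) return disclosed.push(idx);
      classes.set(term, [...(classes.get(term) || []), idx]);
    });
  });
  const order = (a, b) => a.localeCompare(b, undefined, { numeric: true });
  const equivalenceClasses = [...classes.keys()].sort(order).map((p) => classes.get(p));
  return { disclosed, equivalenceClasses };
}

// Constructed input mirroring the slide; "G" is a placeholder graph term.
const disclosedQuads = [
  ["X2", "isPatientOf", "X3", "G"],
  ["X3", "date", "2022-04-04", "G"],
  ["X3", "vaccine", "X4", "G"],
];
const psi = { 1: 3, 2: 1, 3: 2 };
const result = indexTerms(restoreLayout(disclosedQuads, psi, 4));
console.log(JSON.stringify(result));
```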

  62. Security and Privacy Analysis
    ◼ We defined game-based security notions of unforgeability and anonymity
    (based on Sanders' work for anonymous credentials @ PKC '20)
    ◼ and proved:
    ⚫Our construction is unforgeable
    if the underlying anonymous credential (e.g., BBS-based) is unforgeable
    ⚫Our construction is weakly anonymous
    if the underlying anonymous credential (e.g., BBS-based) is anonymous
    *Details: D. Yamamoto, Y. Suga, and K. Sako, “Formalising linked-data based verifiable credentials for
    selective disclosure,” in 2022 IEEE European Symposium on Security and Privacy Workshops
    (EuroS&PW), 2022, pp. 52–65. https://sako-lab.jp/download.php?article=ssr2022_proceedings_dan.pdf
    *CAVEAT: our model and analysis do not take into consideration predicate proof yet

  63. Full Anonymity vs. Weak Anonymity
    Fully anonymous presentation only leaks:
    - attributes selectively disclosed by user
    - issuer's public key
    Weakly anonymous presentation
    additionally leaks:
    - message layout (order and total number)
    at the time of issuance

  64. Full Anonymity vs. Weak Anonymity
    xyz : Person
    children = Albert
    children = Alice
    children = Allie
    credentialSubject
    vc#1 : VerifiableCredential
    issuer = Gov; proof = 𝜎
    issued VC in the wallet
    Fully anonymous presentation only leaks:
    - attributes selectively disclosed by user
    - issuer's public key
    Weakly anonymous presentation
    additionally leaks:
    - message layout (order and total number)
    at the time of issuance
    Holder

  65. Full Anonymity vs. Weak Anonymity
    xyz : Person
    children = Albert
    *****************
    children = Allie
    credentialSubject
    vc#1 : VerifiableCredential
    issuer = Gov; proof = 𝜋, 𝜓, 𝐽
    xyz : Person
    children = Albert
    children = Alice
    children = Allie
    credentialSubject
    vc#1 : VerifiableCredential
    issuer = Gov; proof = 𝜎
    issued VC in the wallet disclosed VC in VP
    Fully anonymous presentation only leaks:
    - attributes selectively disclosed by user
    - issuer's public key
    Weakly anonymous presentation
    additionally leaks:
    - message layout (order and total number)
    at the time of issuance
    Holder Verifier

  66. Full Anonymity vs. Weak Anonymity
    xyz children Albert
    *** *** *** **
    xyz children Allie
    disclosed VC in the original layout
    1 2 3 4
    5 6 7 8
    9 10 11 12
    xyz : Person
    children = Albert
    *****************
    children = Allie
    credentialSubject
    vc#1 : VerifiableCredential
    issuer = Gov; proof = 𝜋, 𝜓, 𝐽
    xyz : Person
    children = Albert
    children = Alice
    children = Allie
    credentialSubject
    vc#1 : VerifiableCredential
    issuer = Gov; proof = 𝜎
    issued VC in the wallet disclosed VC in VP
    Fully anonymous presentation only leaks:
    - attributes selectively disclosed by user
    - issuer's public key
    Weakly anonymous presentation
    additionally leaks:
    - message layout (order and total number)
    at the time of issuance
    Holder Verifier

  67. Implementations
    Implementations (published on GitHub and npm)
    ◼ @zkp-ld/jsonld-signatures-bbs
    ◼ @zkp-ld/bls12381-key-pair
    ◼ @zkp-ld/bbs-signatures
    ◼ @zkp-ld/ursa (bbs, bulletproofs-amcl)
    ZKP-LD Playground
    ◼ a playground for developers
    ◼ you can sign & verify LD-based credentials
    and show & verify presentations in the browser
    ◼ with Selective Disclosure, Unlinkability,
    and (partially implemented) Range Proof
    @zkp-ld
    bbs-signatures (TS + Rust)
    bbs (Rust)
    bls12381-key-pair (TS)
    zkp-ld-playground (React/TS)
    @mattrglobal
    fork
    bulletproofs_amcl (Rust)
    Hyperledger ursa
    fork
    veanpods (TS)
    rdf-bbs-signatures (TS)
    jsonld-bbs-signatures (TS)

  68. zk-SPARQL
    {
      "type": "VerifiablePresentation",
      "verifiableCredential": [
        {
          "id": "...vc#1",
          "type": "VerifiableCredential",
          "issuer": "did:example:issuer1",
          "credentialSubject": {
            "id": "anoni:RyMyF0",
            "type": "Person",
            "isPatientOf": {
              "id": "anoni:2wtQku",
              "vaccinationDate": {
                "@value": "2022-04-04T00:00:00Z"
              },
              "vaccine": { "id": "anoni:5kKKS7" }
            }
          }
        },
        {
          "id": "...vc#2",
          "type": "VerifiableCredential",
          "issuer": "did:example:issuer2",
          "credentialSubject": {
            "id": "anoni:5kKKS7",
            "status": "active"
          }
        }
      ]
    }
    SPARQL query for presentation request
    result VP
    https://github.com/zkp-ld/veanpods

  69. Summary
    Conclusions
    ⚫ Constructed an LD-based VC scheme with selective disclosure, unlinkability, and
    predicate proofs
    ⚫ Proposed novel use cases and provided security and privacy analysis
    ⚫ Provided prototype implementations and Web-based demo
    Future Work
    ⚫ Work-in-progress: integrate blind signing for holder-binding
    ⚫ Additional features: general predicate proofs / revocation / PPID / delegation
    ⚫ Security&Privacy: stronger anonymity / comprehensive analysis incl. predicate proofs
    ⚫ Challenge: formal verification / post-quantum security

  70. Appendix

  71. Implementation Details
    @zkp-ld
    bbs-signatures (TS + Rust)
    bbs (Rust)
    bls12381-key-pair (TS)
    zkp-ld-playground (React/TS)
    @mattrglobal
    fork
    bulletproofs_amcl (Rust)
    MIRACL (Rust, C++)
    Hyperledger ursa
    fork
    pairing-plus (Rust)
    Application
    BBS+ frontend
    BBS+ backend + Bulletproofs
    Pairing-Friendly Curves
    veanpods (TS)
    rdf-bbs-signatures (TS)
    jsonld-bbs-signatures (TS)

  72. {
    "@context": [ ... ],
    "type": "VerifiablePresentation",
    "verifiableCredential": [
    {
    "id": "anoni:qpLmnX",
    "type": "VerifiableCredential",
    "credentialSubject": {
    "id": "anoni:nihy3C",
    "status": "authorized"
    },
    "issuer": "did:example:Prv",
    "proof": { ... }, ...
    }
    ]
    }
    {
    "id": "anoni:Dx9jK2",
    "type": "VerifiableCredential",
    "credentialSubject": {
    "id": "anoni:rtxPcC",
    "type": "Person",
    "isPatientOf": {
    "id": "anoni:-wd-iG",
    "vaccine": { "id": "anoni:nihy3C" }
    },
    "date": { "range": [ ... ] },
    },
    "issuer": "did:example:Gov",
    "proof": { ... }, ...
    },
    Example VP xyz : Person
    name = John Smith
    credentialSubject
    e#1 : Vaccination
    date = 2022-04-04
    isPatientOf v#99: Vaccine
    vaccine
    vc#1 : VerifiableCredential
    issuer = Gov; proof =
    * *
    ****************
    * * * *
    * *
    NIZK
    >= 2022-04
    vc#2: VerifiableCredential
    issuer = Prv; proof = ...
    cvx#987 : Vaccine
    name = awesomeVaccine
    manufacturer = example.com
    status = authorized
    credentialSubject
    * *
    *************************
    *************************
    ***

  73. How to Prove Predicate: when Holder composes VP
    issued VC in the wallet
    disclosed VC
    to be given as VP to the Verifier
    canonicalize & split
    𝑋2
    isPatientOf 𝑋3
    𝑋3
    date 𝑋5
    𝑋3
    vaccine 𝑋4
    xyz : Person
    name = John Smith
    credentialSubject
    e#1 : Vaccination
    date = 2022-04-04
    isPatientOf
    v#99: Vaccine
    vaccine
    vc#1 : VerifiableCredential
    issuer = Gov; proof =
    * * : Person
    *****************
    credentialSubject
    * *: Vaccination
    date = * *
    isPatientOf
    * *: Vaccine
    vaccine
    * * : VerifiableCredential
    issuer = Gov; proof = _
    with commitment 𝑐 to 2022-04-04
    Bulletproofs
    [ 2021-12-01, ∞ ]: range
    range proof
    CAVEAT: our prototype does not support
    datetime range proof currently (only integer)
    Holder's preference
    ✓ remove name=John Smith
    ✓ use pseudonyms: 𝑋1 for vc#1, 𝑋2 for xyz, 𝑋3 for e#1, 𝑋4 for v#99
    ✓ prove date>=2021-12-01
    Holder

  74. Performance Evaluation
    ◼ i7-10750H (6 cores 12 threads) CPU, 32GB RAM, Google Chrome
    ◼ takes at most 1 sec to handle < 200 RDF terms
    ◼ (the issuance of bound credentials has not yet been implemented & evaluated)
    size (bits)
    secret key: 256
    public key: 768
    signature: 896
    proof: 2944 + 256 𝑛 (𝑛 : # of hidden terms)
    [Charts: VC: sign / sigVf; VP: show / verify]

  75. Syntax
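    Parties: Issuer, User, Verifier
    System parameter generation: $prm \leftarrow \mathsf{prmGen}(1^{\lambda}, L)$
    Issuer key generation: $\mathsf{ikGen}(prm) \to (isk, ipk)$
    User key generation: $\mathsf{uskGen}(prm) \to usk$
    VC issuance: $\mathsf{issue}(isk, G)$
    VC obtaining: $\mathsf{obtain}(usk, ipk, G) \to \sigma$
    $\mathsf{sign}(isk, G) \to \sigma$
    $\mathsf{sigVf}(ipk, G, \sigma) \to 1 \text{ or } 0$
    VP showing: $\mathsf{show}(usk, (ipk_i, G_i, \sigma_i, \mathrm{b}_i, \varphi_i)_i, \mathrm{m}) \to \pi$
    VP verification: $\mathsf{verify}((ipk_i, G_i', \mathrm{b}_i)_i, \mathrm{m}, \pi) \to 1 \text{ or } 0$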

  76. Unforgeability
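    $(isk^*, ipk^*) \leftarrow \mathsf{ikGen}(prm)$
    for $u \in U$: $usk_u^* \leftarrow \mathsf{uskGen}(prm)$
    $\mathcal{A}$ receives $prm$, $ipk^*$
    obtiss: $(u, G, \mathrm{b}) \to cid$, let honest issuer issue VC to honest user $u$
    iss / sign: $G \to \sigma$, let honest issuer issue VC to $\mathcal{A}$
    show: $(u, (cid_i, \varphi_i)_i, \mathrm{m}) \to \pi$, let honest user $u$ show VP
    VP forgery output by $\mathcal{A}$: $(ipk_i^*, G_i'^{*}, \mathrm{b}_i^*)_i$, $\mathrm{m}^*$, $\pi^*$
    If $\mathcal{A}$ cannot output non-trivial VP forgery
    → unforgeable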

  77. Anonymity
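    $prm \leftarrow \mathsf{prmGen}(1^{\lambda}, L)$
    for $u \in U$: $usk_u^* \leftarrow \mathsf{uskGen}(prm)$
    $\mathcal{A}$ receives $prm$
    obt: $(u, cid, ipk, G)$, let honest user $u$ store bound VC issued by $\mathcal{A}$
    show: $(u, (cid_i, \varphi_i)_i, \mathrm{m}) \to \pi$, let honest user $u$ show VP
    challenge pairs (user, VC, reveal func) output by $\mathcal{A}$:
    $u_0^*, (cid_{0,i}^*, \varphi_{0,i}^*)_i$
    $u_1^*, (cid_{1,i}^*, \varphi_{1,i}^*)_i$
    $\mathrm{m}^*$
    $\mathrm{CRED}_{u_0^*}(cid_{0,i}^*) \to (ipk_{0,i}^*, G_{0,i}^*, \sigma_{0,i}^*, \mathrm{b}_{0,i}^*)$
    $\mathrm{CRED}_{u_1^*}(cid_{1,i}^*) \to (ipk_{1,i}^*, G_{1,i}^*, \sigma_{1,i}^*, \mathrm{b}_{1,i}^*)$
    $b \leftarrow_R \{0,1\}$
    $\pi^* \leftarrow \mathsf{show}(usk^*_{u_b^*}, (ipk_{b,i}^*, G_{b,i}^*, \sigma_{b,i}^*, \mathrm{b}_{b,i}^*, \varphi_{b,i}^*)_i, \mathrm{m}^*)$
    $\mathcal{A}$ receives $\pi^*$ and outputs $b^*$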
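    requirement
    $\left(ipk^*_{0,i},\ \varphi^*_{0,1}\ G^*_{0,i},\ \mathrm{b}^*_{0,i}\right)_i = \left(ipk^*_{1,i},\ \varphi^*_{1,1}\ G^*_{1,i},\ \mathrm{b}^*_{1,i}\right)_i$
    weak anonymity
    $\left(ipk^*_{0,i},\ \varphi^*_{0,1}\ \mathrm{canon}\ G^*_{0,i},\ G^*_{0,i},\ \mathrm{b}^*_{0,i}\right)_i = \left(ipk^*_{1,i},\ \varphi^*_{1,1}\ \mathrm{canon}\ G^*_{1,i},\ G^*_{1,i},\ \mathrm{b}^*_{1,i}\right)_i$
    If $\mathcal{A}$ cannot guess $b$ → anonymous
    original number and position of attributes
    can be leaked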
