# Proof System for Verifiable Credentials Data Model

#### Objective

- Enable the use of **selective disclosure** when sharing verifiable information
- Enable use cases that support privacy-preserving **credential status** (revocation)
- Enable the use of **predicate proofs** using range proofs / verifiable computation
- Enable **linking multiple credentials** using equality proofs, linked secrets
- Define a mechanism that allows composition of various proof types and logically binds them to interactions

#### Scope

- Proof constructions with elliptic curves
- Data encoding using [RDF dataset conversion](https://www.w3.org/TR/json-ld-api/#object-to-rdf-conversion) of JSON-LD graphs
- Data hashing using [Hashing to elliptic curves](https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html)

*Reading: [General Proof System](https://www3.cs.stonybrook.edu/~cse541/chapter7.pdf)*

## Proof Formats

- Data Integrity
- JWP (?)

## Use Cases

### UC(1) Credential issuance with support for status check (revocation)

A holder is issued a VC with support for credential status. The VC contains two proofs:

- BBS signature
- Non-membership witness (for Universal Accumulator specified in the `Credential Status` URL)

Both of these proofs are considered to be secret material and must not be shared directly during presentations. Instead, zero-knowledge proofs must be derived from them.

```
┌───────────────────────────────────┐
│Verifiable Credential              │
├───────────────────────────────────┤
│  Type = Driver's License          │
│                                   │
│Credential Subject                 │
├ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┤
│  Name = Jane Doe                  │
│  Address = 1 Main St.             │
│  City = Smallville                │
│  Date of Birth = 5-1-1992         │
│  Country = USA                    │
│                                   │
│Credential Status                  │
├ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┤
│  Type = Universal Accumulator     │
│  URI = https://status.io/x        │
│  Entry = JaneDoe_0042             │
├───────────────────────────────────┤
│Proof                              │
├ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┤
│  Type = BBS Signature             │
├───────────────────────────────────┤
│Proof                              │
├ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┤
│  Type = Non-membership Witness    │
└───────────────────────────────────┘
```

### UC(2) Presentation with selective disclosure and proof of non-revocation

A verifiable presentation where the holder shares proof of signature and a proof of non-revocation. Additionally, the holder hides some fields they don't want to share. The VC contains three proofs:

- Proof of BBS signature with undisclosed attributes
- Proof of Non-membership in the given accumulator
- Statement of equality proof that asserts that the same hidden message (8) is found in proof (P1) and (P2)

In this scenario, the holder chose to hide two attributes related to their credential and another attribute related to their credential status. Hiding attribute (8) for `Entry` in `Credential Status` protects the user from correlation, as this value may be globally unique. Instead, they chose to provide proof of non-membership and link both proofs together to assert that the proof is related to the same attribute signed by the issuer.

```
┌─────────────────────────────────────────────────┐
│Verifiable Presentation                          │
├─────────────────────────────────────────────────┤
│                                                 │
│      ┌───────────────────────────────────┐      │
│      │Verifiable Credential              │      │
│      ├───────────────────────────────────┤      │
│      │  Type = Driver's License       (0)│      │
│      │                                   │      │
│      │Credential Subject                 │      │
│      ├ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┤      │
│      │  Name = Jane Doe               (1)│      │
│      │* Address = 1 Main St.          (2)│──┐   │
│      │  City = Smallville             (3)│  │   │
│      │* Date of Birth = 5-1-1992      (4)│──┤   │
│      │  Country = USA                 (5)│  │   │
│      │                                   │  │   │
│      │Credential Status                  │  │   │
│      ├ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┤  │   │
│      │  Type = Universal Accumulator  (6)│  │   │
│      │  URI = https://status.io/x     (7)│  │   │
│   ┌──│* Entry = JaneDoe_0042          (8)│──┤   │
│   │  ├───────────────────────────────────┤  │   │
│   │  │Proof                          (P1)│  │   │
│   │  ├ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┤  │   │
│   │  │  Type = Proof of BBS Signature    │  │   │
│   │  │  Hidden = (2) (4) (8)             │◀─┘   │
│   │  ├───────────────────────────────────┤      │
│   │  │Proof                          (P2)│      │
│   │  ├ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┤      │
│   │  │  Type = Proof of Non-membership   │      │
│   └─▶│  Hidden = (8)                     │      │
│      ├───────────────────────────────────┤      │
│      │Proof                          (P3)│      │
│      ├ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┤      │
│      │  Type = Proof of Equality         │      │
│      │  Expression = (P1)(8) == (P2)(8)  │      │
│      └───────────────────────────────────┘      │
│                                                 │
└─────────────────────────────────────────────────┘
```

### UC(3) Presentation with selective disclosure, proof of non-revocation, and predicate proof

Same as [UC(2)](#UC2-Presentation-with-selective-disclosure-and-proof-of-non-revocation), with an additional proof. In this scenario, the holder also adds a proof of bound check to prove that their undisclosed value for Date of Birth is within a range that asserts they are over the age of 21. This predicate proof is included in the set of proofs. Additionally, to bind this proof to the original signature, another expression is added to the Proof of Equality, which describes this relationship.

```
┌─────────────────────────────────────────────────┐
│Verifiable Presentation                          │
├─────────────────────────────────────────────────┤
│                                                 │
│      ┌───────────────────────────────────┐      │
│      │Verifiable Credential              │      │
│      ├───────────────────────────────────┤      │
│      │  Type = Driver's License       (0)│      │
│      │                                   │      │
│      │Credential Subject                 │      │
│      ├ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┤      │
│      │  Name = Jane Doe               (1)│      │
│      │* Address = 1 Main St.          (2)│──┐   │
│      │  City = Smallville             (3)│  │   │
│ ┌────│* Date of Birth = 5-1-1992      (4)│──┤   │
│ │    │  Country = USA                 (5)│  │   │
│ │    │                                   │  │   │
│ │    │Credential Status                  │  │   │
│ │    ├ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┤  │   │
│ │    │  Type = Universal Accumulator  (6)│  │   │
│ │    │  URI = https://status.io/x     (7)│  │   │
│ │ ┌──│* Entry = JaneDoe_0042          (8)│──┤   │
│ │ │  ├───────────────────────────────────┤  │   │
│ │ │  │Proof                          (P1)│  │   │
│ │ │  ├ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┤  │   │
│ │ │  │  Type = Proof of BBS Signature    │  │   │
│ │ │  │  Hidden = (2) (4) (8)             │◀─┘   │
│ │ │  ├───────────────────────────────────┤      │
│ │ │  │Proof                          (P2)│      │
│ │ │  ├ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┤      │
│ │ │  │  Type = Proof of Non-membership   │      │
│ │ └─▶│  Hidden = (8)                     │      │
│ │    ├───────────────────────────────────┤      │
│ │    │Proof                          (P3)│      │
│ │    ├ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┤      │
│ │    │  Type = Predicate Proof           │      │
│ └───▶│  Bound Check = (4) > 21 [Age]     │      │
│      ├───────────────────────────────────┤      │
│      │Proof                          (P4)│      │
│      ├ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┤      │
│      │  Type = Proof of Equality         │      │
│      │  Expression = (P1)(8) == (P2)(8)  │      │
│      │               (P1)(4) == (P3)(4)  │      │
│      └───────────────────────────────────┘      │
└─────────────────────────────────────────────────┘
```

### UC(4) Presentation with multiple credentials with selective disclosure linking them together

In this scenario, the holder includes two separate VCs in their presentation and hides some of the attributes. In order for them to prove that the VCs contain the same value for the hidden `Address`, they disclose a proof of equality on the entire presentation (as opposed to individual VCs) and reference the equality messages in the expression field. This allows verifiers to ensure that the addresses in both VCs are equal, even though their value is not disclosed.

```
┌──────────────────────────────────────────────────────────────────────────────────────┐
│Verifiable Presentation                                                               │
├──────────────────────────────────────────────────────────────────────────────────────┤
│                                                                                      │
│  ┌───────────────────────────────────┐     ┌───────────────────────────────────┐     │
│  │Verifiable Credential         (VC1)│     │Verifiable Credential         (VC2)│     │
│  ├───────────────────────────────────┤     ├───────────────────────────────────┤     │
│  │  Type = Driver's License       (0)│     │  Type = Library Card           (0)│     │
│  │                                   │     │                                   │     │
│  │Credential Subject                 │     │Credential Subject                 │     │
│  ├ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┤     ├ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┤     │
│  │  Name = Jane Doe               (1)│     │  Name = Jane Doe               (1)│     │
│  │* Address = 1 Main St.          (2)│──┐  │  Library = Public Library      (2)│     │
│  │  City = Smallville             (3)│  │  │* Address = 1 Main St.          (3)│──┐  │
│  │* Date of Birth = 5-1-1992      (4)│──┤  │  City = Smallville             (4)│  │  │
│  │  Country = USA                 (5)│  │  │                                   │  │  │
│  │                                   │  │  ├───────────────────────────────────┤  │  │
│  │Credential Status                  │  │  │Proof                          (P2)│  │  │
│  ├ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┤  │  ├ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┤  │  │
│  │  Type = Universal Accumulator  (6)│  │  │  Type = Proof of BBS Signature    │  │  │
│  │  URI = https://status.io/x     (7)│  │  │  Hidden = (3)                     │◀─┘  │
│  │* Entry = JaneDoe_0042          (8)│──┤  └────────────────┬──────────────────┘     │
│  ├───────────────────────────────────┤  │                   │                        │
│  │Proof                          (P1)│  │                   │                        │
│  ├ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┤  │                   │                        │
│  │  Type = Proof of BBS Signature    │  │                   │                        │
│  │  Hidden = (2) (4) (8)             │◀─┘                   │                        │
│  └───────────────┬───────────────────┘                      │                        │
│                  │                                          │                        │
├──────────────────┼──────────────────────────────────────────┼────────────────────────┤
│Proof             ▼                                          ▼                        │
├ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─│
│  Type = Proof of Equality                                                            │
│  Expression = (VC1)(P1)(2) == (VC2)(P2)(3)                                           │
└──────────────────────────────────────────────────────────────────────────────────────┘
```

### Proof Protocols

Example proof protocols used in this document:

- Group signatures using BBS Signature
- Membership proofs using Universal Accumulator with support for membership and non-membership proofs
- Range proofs using R1CS bound check circuit with LegoSNARK (LegoGroth16)

## Data Encoding

RDF Dataset

**Example**

Consider the following document

```json
{
  "@context": {
    "@vocab": "example:",
    "registeredAt": {
      "@type": "http://www.w3.org/2001/XMLSchema#dateTime"
    }
  },
  "firstName": "Jane",
  "age": 35,
  "registeredAt": "2023-01-09T01:20:16.161Z"
}
```

As RDF Triples

```json
[
  {
    "subject": "_:b0",
    "predicate": "example:age",
    "object": {
      "value": "35",
      "datatype": "http://www.w3.org/2001/XMLSchema#integer"
    }
  },
  {
    "subject": "_:b0",
    "predicate": "example:firstName",
    "object": {
      "value": "Jane",
      "datatype": "http://www.w3.org/2001/XMLSchema#string"
    }
  },
  {
    "subject": "_:b0",
    "predicate": "example:registeredAt",
    "object": {
      "value": "2023-01-09T01:20:16.161Z",
      "datatype": "http://www.w3.org/2001/XMLSchema#dateTime"
    }
  }
]
```

Serialized

```shell
_:b0 <example:age> "35"^^<http://www.w3.org/2001/XMLSchema#integer> .
_:b0 <example:firstName> "Jane" .
_:b0 <example:registeredAt> "2023-01-09T01:20:16.161Z"^^<http://www.w3.org/2001/XMLSchema#dateTime> .
```

## Hashing

Ref. [Hashing to Elliptic Curves](https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html)

Each triple is serialized to a scalar according to the type of its `object` value:

- objects of type `string` are encoded to octet strings using UTF-8 byte order
- objects of type `number` are encoded directly
- objects of type `datetime` are converted to an unsigned 64-bit int and encoded to a scalar

### Hash to Field
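
The three encoding rules from the Hashing section, applied to the serialized statements of the Data Encoding example. This is an added example, not code from the original document: the BLS12-381 scalar field order, the SHA-256 `expand_message_xmd` construction, the domain separation tag, the choice of Unix epoch milliseconds for datetimes and all function names are assumptions, since the page does not fix them.

```python
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Assumed, not fixed by the page: BLS12-381 scalar field, SHA-256 XMD, this DST.
R = 0x73EDA753299D7D483339D80809A1D80553BDA402FFFE5BFEFFFFFFFF00000001
DST = b"EXAMPLE-VC-PROOF-H2F-V01"  # hypothetical domain separation tag
XSD = "http://www.w3.org/2001/XMLSchema#"
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Covers the simple statements shown on the page; escaped literals are rejected.
NQUAD = re.compile(r'^(\S+) <([^>]+)> "([^"\\]*)"(?:\^\^<([^>]+)>)? \.$')
SAMPLE = [  # the page's serialized example
    '_:b0 <example:age> "35"^^<http://www.w3.org/2001/XMLSchema#integer> .',
    '_:b0 <example:firstName> "Jane" .',
    '_:b0 <example:registeredAt> "2023-01-09T01:20:16.161Z"^^<http://www.w3.org/2001/XMLSchema#dateTime> .',
]

def expand_message_xmd(msg, dst, n):  # hash-to-curve draft, SHA-256 variant
    ell = -(-n // 32)  # number of 32-byte digest blocks needed
    if ell > 255 or len(dst) > 255:
        raise ValueError("output length or DST too long")
    dst_prime = dst + bytes([len(dst)])
    b0 = hashlib.sha256(bytes(64) + msg + n.to_bytes(2, "big") + b"\x00" + dst_prime).digest()
    blocks = [hashlib.sha256(b0 + b"\x01" + dst_prime).digest()]
    for i in range(2, ell + 1):
        mixed = bytes(x ^ y for x, y in zip(b0, blocks[-1]))
        blocks.append(hashlib.sha256(mixed + bytes([i]) + dst_prime).digest())
    return b"".join(blocks)[:n]

def hash_to_scalar(octets):  # 48 = ceil((255 + 128) / 8) bytes, then reduce mod R
    return int.from_bytes(expand_message_xmd(octets, DST, 48), "big") % R

def encode_object(value, datatype=XSD + "string"):
    if datatype == XSD + "integer":
        n, limit = int(value), R  # numbers are encoded directly
    elif datatype == XSD + "dateTime":
        moment = datetime.fromisoformat(value.replace("Z", "+00:00"))
        n, limit = (moment - EPOCH) // timedelta(milliseconds=1), 2**64  # assumed unit: epoch ms
    else:
        return hash_to_scalar(value.encode("utf-8"))  # strings (and, here, any other type)
    if not 0 <= n < limit:
        raise ValueError("value out of range for its type")
    return n

def encode_statement(line):
    m = NQUAD.match(line.strip())
    if m is None:
        raise ValueError("unsupported statement: " + line)
    return m.group(2), encode_object(m.group(3), m.group(4) or XSD + "string")
```

In this sketch the string literal `"35"` and the integer `35` encode to different scalars, which keeps a string-typed attribute from standing in for a number in a bound check.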