From 9acf1a2558392396106eb87b45dc26f458bf8522 Mon Sep 17 00:00:00 2001
From: Wind4Greg
-This specification describes the BBS+ Signature Suite created in 2023
-for the Data Integrity specification. The Signature Suite utilizes
-BBS+ signatures to provide the capability of zero knowledge
-proof disclosures.
+This specification describes a Data Integrity Cryptosuite for use when generating
+digital signatures using the BBS signature scheme.
+The Signature Suite utilizes BBS signatures to provide selective disclosur and
+unlinkable derived proofs.
Developers are advised to not accidentally publish a representation of a private
key. Implementations of this specification MUST raise errors if expression
-of public key information includes a key parameter that is marked as
+of public key information includes a key parameter that is marked as
`Private` in the IANA JSON Web Key Parameters registry.
This suite relies on detached digital signatures represented using [[MULTIBASE]].
The `verificationMethod` property of the proof MUST be a URL.
Dereferencing the `verificationMethod` MUST result in an object
@@ -578,7 +578,7 @@
This suite relies on detached digital signatures represented using [[MULTIBASE]].
The `verificationMethod` property of the proof MUST be a URL.
Dereferencing the `verificationMethod` MUST result in an object
@@ -928,16 +928,16 @@
- The `bbs-proof-2023` cryptographic suite takes an input document,
+ The `bbs-proof-2023` cryptographic suite takes an input document,
that has previously been secured using `bbs-signature-2023`,
- derives from this original document a set of messages to be disclosed
- representing a redacted form of the original document, and
+ derives from this original document a set of messages to be disclosed
+ representing a redacted form of the original document, and
applies the Proof Gen
algorithm to produce a proof of knowledge for the disclosed messages.
The result is a new `proof`, containing the following attributes:
This operation can be applied by any
+ This operation can be applied by any
holder of a `bbs-signature-2023`
secured document, and as such, `bbs-proof-2023` MUST be implemented with
- awareness of the mandatory to disclose fields the original
+ awareness of the mandatory to disclose fields the original
issuer required.
TODO: We need to add a complete list of security
considerations.
From 0835fa8c29a0b292fac2273c9de3cbdfa507a146 Mon Sep 17 00:00:00 2001
From: Wind4Greg
-The following terms are used to describe concepts involved in the
-generation and verification of the Data Integrity
-signature suite.
-
-This specification defines a set of cryptographic suites for the purpose of creating, verifying and deriving proofs
-for BBS+ Signatures in conformance with the Data Integrity [[VC-DATA-INTEGRITY]] specification.
+This specification defines a cryptographic suite for the purpose of
+creating, verifying and deriving proofs using the BBS Signature Scheme in
+conformance with the Data Integrity [[VC-DATA-INTEGRITY]] specification. The
+BBS signature scheme directly provides for selective disclosure and unlinkable
+proofs. It provides four high level functions that work within the issuer,
+holder, verifier model. In particular an issuer uses the BBS `Sign` function to
+create a cryptographic value known as a "BBS signature" which is used in signing
+the original credential. A holder, on receipt of
+a credential signed with BBS, then verifies the credential with the BBS `Verify`
+function.
-In general the suites uses the RDF Dataset Normalization Algorithm [[RDF-DATASET-NORMALIZATION]] to transform an
-input document into its canonical form. It then uses the statement digest algorithm
-to digest each statement to be signed individually, finally the digested statements are signed
-using the defined signature algorithm.
+The holder then chooses information to selectively disclose from the
+received credential and uses the BBS `ProofGen` function to generate a
+cryptographic value, known as a "BBS proof" which is used in creating a proof
+for this "derived credential". The cryptographic "BBS proof" value is unlinkable
+to the original "BBS signature" and a different, unlinkable "BBS proof" can be
+generated by the holder for additional "derived credentials", including those
+containing the exact same information.
+Finally, a verifier uses the BBS `ProofVerify` function to verify the derived
+credential received from the holder.
-BBS+ signatures [[CFRG-BBS-SIGNATURE]] are compatible with any pairing friendly elliptic curve, however the cryptographic
-suites defined in this document elect to only allow the usage of the BLS12-381 for interoperability purposes.
+To apply the BBS signature scheme to verifiable credentials involves the
+processing specified in this document.
+In general the suite uses the RDF Dataset Normalization Algorithm
+[[RDF-DATASET-NORMALIZATION]] to transform an input document into its canonical
+form. An issuer then uses selective disclosure primitives to separate the
+canonical form into mandatory and non-mandatory statements. These are processed
+separately with other information to serve as the inputs to the BBS `Sign`
+function along with appropriate key material. This output is used to
+generate a secured credential. A holder uses a set of selective disclosure
+functions and the BBS `Verify` function on receipt of the credential
+to ascertain validity.
+Similarly, a holder on receipt of a BBS signed credential uses the RDF Dataset
+Normalization Algorithm [[RDF-DATASET-NORMALIZATION]] to transform an input
+document into its canonical form and then applies selective disclosure
+primitives to separate the canonical form into mandatory and selectively
+disclosed statements which are appropriately processed and serve as inputs to
+the BBS `ProofGen` function. The output of this function suitably processed
+becomes the signed selectively disclosed credential sent to a verifier. Using
+canonicalization and selective disclosure primitives the verifier can then use
+the BBS `verifyProof` function to validate the credential.
+ JsonWebKey
bbs-signature-2023
bbs-proof-2023
Proof Verification
bbs-proof-2023
- bbs-proof-2023
`proofValue`
Proof Serialization
Proof Verification
Security Considerations
Acknowledgements
Introduction
BBS+ signatures [[CFRG-BBS-SIGNATURE]] are compatible with any pairing friendly elliptic curve, however the cryptographic
suites defined in this document elect to only allow the usage of the BLS12-381 for interoperability purposes.
Terminology
- Terminology
-
-
- Introduction
Terminology
@@ -252,73 +286,6 @@ Verification Methods
result in equivalent cryptographic material MAY be utilized.
-This definition should go in the Data Integrity specification and referenced -from there. -
- --The `type` of the verification method MUST be `JsonWebKey`. -
- --The `controller` of the verification method MUST be a URL. -
- --The `publicKeyJwk` property of the verification method MUST be a public -key encoded according to [[RFC7517]]. -
- --The specific encoding of public keys is still being refined in [[BLS-JOSE-COSE]]. -
- --Developers are advised to not accidentally publish a representation of a private -key. Implementations of this specification MUST raise errors if expression -of public key information includes a key parameter that is marked as -`Private` in the IANA JSON Web Key Parameters registry. -
- --{ - "@context": [ - "https://www.w3.org/ns/did/v1", - "https://w3id.org/security/data-integrity/v1" - ], - "id": "https://example.com/issuer/123", - "verificationMethod": [{ - "id": "https://example.com/issuer/123#key-0", - "type": "JsonWebKey", - "controller": "https://example.com/issuer/123", - "publicKeyJwk": { - "kty": "OKP", - "crv": "Bls12381G1", - "x": "Ed4GBGLVasEp4ejPz44CvllbTldfLLcm2QcIJluBL6p_SQmRrZvJNa3YaJ-Wx8Im", - "y": "AbdYAsAb20CHzlVW6VBO9i16BcGOmcYiMLlBEh9DfAiDu_1ZIAd1zewSi9f6517g" - } - }, { - "id": "https://example.com/issuer/123#key-1", - "type": "JsonWebKey", - "controller": "https://example.com/issuer/123", - "publicKeyJwk": { - "kty": "OKP", - "crv": "Bls12381G2", - "x": "Ajs8lstTgoTgXMF6QXdyh3m8k2ixxURGYLMaYylVK_x0F8HhE8zk0YWiGV3CHwpQ - Ea2sH4PBZLaYCn8se-1clmCORDsKxbbw3Js_Alu4OmkV9gmbJsy1YF2rt7Vxzs6S", - "y": "BVkkrVEib-P_FMPHNtqxJymP3pV-H8fCdvPkoWInpFfM9tViyqD8JAmwDf64zU2h - BV_vvCQ632ScAooEExXuz1IeQH9D2o-uY_dAjZ37YHuRMEyzh8Tq-90JHQvicOqx" - } - }] -} --
TODO: Add paragraph
++A conforming proof is any concrete expression of the data model +that complies with the normative statements in this specification. Specifically, +all relevant normative statements in Sections + and +of this document MUST be enforced. +
++A conforming processor is any algorithm realized +as software and/or hardware that generates or consumes a +conforming proof. Conforming processors MUST produce errors when +non-conforming documents are consumed. +
++This document contains examples of JSON and JSON-LD data. Some of these examples +are invalid JSON, as they include features such as inline comments (`//`) +explaining certain portions and ellipses (`...`) indicating the omission of +information that is irrelevant to the example. Such parts need to be +removed if implementers want to treat the examples as valid JSON or JSON-LD. +
-The cryptographic material used to verify a data integrity proof is -called the verification method. This suite relies on public key material -represented using [[MULTIBASE]], [[MULTICODEC]], JSON Web Key [[RFC7517]], and [[BLS-JOSE-COSE]]. +These verification methods are used to verify Data Integrity Proofs +[[VC-DATA-INTEGRITY]] produced using BLS12-381 cryptographic key material +that is compliant with [[CFRG-BBS-SIGNATURE]]. The encoding formats for these key types +are provided in this section. Lossless cryptographic key transformation +processes that result in equivalent cryptographic key material MAY be used +during the processing of digital signatures.
- --This suite MAY be used to verify Data Integrity Proofs [[VC-DATA-INTEGRITY]] -produced by BLS12-381 public key material encoded as a -JsonWebKey. Loss-less key transformation processes that -result in equivalent cryptographic material MAY be utilized. -
--This definition should go in the Data Integrity specification and referenced -from there. -
- --The `type` of the verification method MUST be `Multikey`. -
--The `controller` of the verification method MUST be a URL. +The Multikey format, as defined in +[[VC-DATA-INTEGRITY]], is used to express public keys for the cryptographic +suites defined in this specification.
-The `publicKeyMultibase` property of the verification method MUST be a public -key encoded according to [[MULTICODEC]] and formatted according to -[[MULTIBASE]]. The multicodec encoding of a BLS12-381 public key that combines -both the G1 and G2 fields is the byte prefix `0xee` followed by the 48-byte G1 -public key data, which is then followed by the 96-byte G2 public key data. The -145 byte value is then encoded using base64url with no padding (`u`) as the -prefix. Any other encodings MUST NOT be used. +The `publicKeyMultibase` property represents a Multibase-encoded Multikey +expression of a BLS12-381 public key in the G2 group. The encoding this field is +the two-byte prefix `0xeb01` followed +by the 96-byte compressed public key data. +The 98-byte value is then encoded using base58-btc (`z`) as the prefix. Any +other encodings MUST NOT be allowed.
Developers are advised to not accidentally publish a representation of a private key. Implementations of this specification will raise errors in the event of a -[[MULTICODEC]] value other than `0xee` being used in a `publicKeyMultibase` -value. +[[?MULTICODEC]] value other than `0xeb01` being used in a +`publicKeyMultibase` value.
+ title="An BLS12-381 G2 group public key, encoded as a Multikey"> { "id": "https://example.com/issuer/123#key-0", "type": "Multikey", "controller": "https://example.com/issuer/123", - "publicKeyMultibase": "u7ljnAxKdp7YVqJvcMU9GtnmrMc1XZztXHsTsZ2LsmGJ67SsdbmNc - S2SDs0daEPfhVXgODk0IVrgguJ-TJACHyXYa9Ae8DaxcvRy89KLgmWsyOOJn2oY7vCE2gt - JoebMJiQsdbmNcS2SDs0daEPfhVXgODk0IVrgguJ-TJACHyXYa9Ae8DaxcvRy89KLgm" + "publicKeyMultibase": "zUC7EK3ZakmukHhuncwkbySmomv3FmrkmS36E4Ks5rsb6VQSRpoCrx6 + Hb8e2Nk6UvJFSdyw9NK1scFXJp21gNNYFjVWNgaqyGnkyhtagagCpQb5B7tagJu3HDbjQ8h + 5ypoHjwBb" }-
+{ "@context": [ "https://www.w3.org/ns/did/v1", @@ -362,9 +348,9 @@From bf29ced28473f36ef937ffcd7b64f334f57d9208 Mon Sep 17 00:00:00 2001 From: Wind4GregMultikey
"id": "https://example.com/issuer/123#key-1", "type": "Multikey", "controller": "https://example.com/issuer/123", - "publicKeyMultibase": "u7ljnAxKdp7YVqJvcMU9GtnmrMc1XZztXHsTsZ2LsmGJ67SsdbmNc - S2SDs0daEPfhVXgODk0IVrgguJ-TJACHyXYa9Ae8DaxcvRy89KLgmWsyOOJn2oY7vCE2gt - JoebMJiQsdbmNcS2SDs0daEPfhVXgODk0IVrgguJ-TJACHyXYa9Ae8DaxcvRy89KLgm" + "publicKeyMultibase": "zUC7EK3ZakmukHhuncwkbySmomv3FmrkmS36E4Ks5rsb6VQSRpoCr + x6Hb8e2Nk6UvJFSdyw9NK1scFXJp21gNNYFjVWNgaqyGnkyhtagagCpQb5B7tagJu3HDbjQ8h + 5ypoHjwBb" }] }Date: Mon, 9 Oct 2023 10:22:05 -0700 Subject: [PATCH 06/29] Replace/rewrite "Proof Representations" section. --- index.html | 116 ++++++----------------------------------------------- 1 file changed, 12 insertions(+), 104 deletions(-) diff --git a/index.html b/index.html index 4d36057..79e5c05 100644 --- a/index.html +++ b/index.html @@ -357,93 +357,32 @@ Multikey
- This suite relies on detached digital signatures represented using [[MULTIBASE]]. -
- --The `verificationMethod` property of the proof MUST be a URL. -Dereferencing the `verificationMethod` MUST result in an object -containing a `type` property with the value set to -`Multikey` or `JsonWebKey`. -
- --The `type` property of the proof MUST be `DataIntegrityProof`. -
--The `cryptosuite` property of the proof MUST be `bbs-signature-2023`. -
--The `created` property of the proof MUST be an [[XMLSCHEMA11-2]] -formated date string. -
--The `proofPurpose` property of the proof MUST be a string, and MUST -match the verification relationship expressed by the verification method -`controller`. -
--The `proofValue` property of the proof MUST be a detached BBS Signature -produced according to Sign, encoded according to -[[MULTIBASE]] using the base64 base encoding with no padding. -
- --{ - "@context": [ - {"title": "https://schema.org/title"}, - "https://w3id.org/security/data-integrity/v1" - ], - "title": "Hello world!", - "proof": { - "type": "DataIntegrityProof", - "cryptosuite": "bbs-signature-2023", - "created": "2020-11-05T19:23:24Z", - "verificationMethod": "https://example.com/issuer/123#key-2", - "proofPurpose": "assertionMethod", - "proofValue": "uU6i3dTz5yFfWJ8zgsamuyZa4yAHPm75tUOOXddR6krCvCYk77sbCOuEVcdB - Dd/l6tIYkTTbA3pmDa6Qia/JkOnIXDLmoBz3vsi7L5t3DWySI/VLmBqleJ/Tbus5RoyiDERDB - 5rnACXlnOqJ/U8yFQFtcp/mBCc2FtKNPHae9jKIv1dm9K9QK1F3GI1AwyGoUfjLWrkGDObO1o - AhpEd0+et+qiOf2j8p3MTTtRRx4Hgjcl0jXCq7C7R5/nLpgimHAAAAdAx4ouhMk7v9dXijCIM - 0deicn6fLoq3GcNHuH5X1j22LU/hDu7vvPnk/6JLkZ1xQAAAAIPd1tu598L/K3NSy0zOy6oba - Enaqc1R5Ih/6ZZgfEln2a6tuUp4wePExI1DGHqwj3j2lKg31a/6bSs7SMecHBQdgIYHnBmCYG - nu/LZ9TFV56tBXY6YOWZgFzgLDrApnrFpixEACM9rwrJ5ORtxAAAAAgE4gUIIC9aHyJNa5TBk - Oh6ojlvQkMVLXa/vEl+3NCLXblxjgpM7UEMqBkE9/aGQcoD3Tgmy+z0hN+4elMky1RnJEhCuN - QNsEg" - } -} -+
+This suite relies on detached digital signatures represented using [[MULTIBASE]] +and [[?MULTICODEC]]. +
-- This suite relies on detached digital signatures represented using [[MULTIBASE]]. -
+The `verificationMethod` property of the proof MUST be a URL. Dereferencing the `verificationMethod` MUST result in an object containing a `type` property with the value set to -`Multikey` or `JsonWebKey`. +`Multikey`.
The `type` property of the proof MUST be `DataIntegrityProof`.
-The `cryptosuite` property of the proof MUST be `bbs-proof-2023`. +The `cryptosuite` property of the proof MUST be `bbs-2023`.
The `created` property of the proof MUST be an [[XMLSCHEMA11-2]] -formated date string. +formatted date string.
The `proofPurpose` property of the proof MUST be a string, and MUST @@ -451,41 +390,10 @@
-The `proofValue` property of the proof MUST be a detached BBS Signature -produced according to ProofGen, -encoded according to [[MULTIBASE]] using the base64 base encoding with no padding. +The value of the `proofValue` property of the proof MUST be an BBS signature or +BBS proof produced according to [[CFRG-BBS-SIGNATURE]] then serialized and encoded +according to procedures in section .
- --{ - "@context": [ - {"title": "https://schema.org/title"}, - "https://w3id.org/security/data-integrity/v1" - ], - "title": "Hello world!", - "proof": { - "type": "DataIntegrityProof", - "cryptosuite": "bbs-proof-2023", - "created": "2020-11-05T19:23:24Z", - "verificationMethod": "https://example.com/issuer/123#key-2", - "proofPurpose": "assertionMethod", - "generators": 3, - "disclosed": [ 2 ], - "proofValue": "uU6i3dTz5yFfWJ8zgsamuyZa4yAHPm75tUOOXddR6krCvCYk77sbCOuEVcdB - Dd/l6tIYkTTbA3pmDa6Qia/JkOnIXDLmoBz3vsi7L5t3DWySI/VLmBqleJ/Tbus5RoyiDERDB - 5rnACXlnOqJ/U8yFQFtcp/mBCc2FtKNPHae9jKIv1dm9K9QK1F3GI1AwyGoUfjLWrkGDObO1o - AhpEd0+et+qiOf2j8p3MTTtRRx4Hgjcl0jXCq7C7R5/nLpgimHAAAAdAx4ouhMk7v9dXijCIM - 0deicn6fLoq3GcNHuH5X1j22LU/hDu7vvPnk/6JLkZ1xQAAAAIPd1tu598L/K3NSy0zOy6oba - Enaqc1R5Ih/6ZZgfEln2a6tuUp4wePExI1DGHqwj3j2lKg31a/6bSs7SMecHBQdgIYHnBmCYG - nu/LZ9TFV56tBXY6YOWZgFzgLDrApnrFpixEACM9rwrJ5ORtxAAAAAgE4gUIIC9aHyJNa5TBk - Oh6ojlvQkMVLXa/vEl+3NCLXblxjgpM7UEMqBkE9/aGQcoD3Tgmy+z0hN+4elMky1RnJEhCuN - QNsEg" - } -} --
+
This suite relies on detached digital signatures represented using [[MULTIBASE]]
and [[?MULTICODEC]].
- Proof Representations
+
+
+
The `verificationMethod` property of the proof MUST be a URL. Dereferencing the `verificationMethod` MUST result in an object containing a `type` property with the value set to `Multikey`. -
+ -+
The `type` property of the proof MUST be `DataIntegrityProof`. -
-+
+The `cryptosuite` property of the proof MUST be `bbs-2023`. -
-+
+The `created` property of the proof MUST be an [[XMLSCHEMA11-2]] formatted date string. -
-+
+The `proofPurpose` property of the proof MUST be a string, and MUST match the verification relationship expressed by the verification method `controller`. -
-+
+The value of the `proofValue` property of the proof MUST be an BBS signature or BBS proof produced according to [[CFRG-BBS-SIGNATURE]] then serialized and encoded according to procedures in section . -
+ +-The following section describes multiple Data Integrity cryptographic suites -that utilize the BBS Signature Algorithm [[CFRG-BBS-SIGNATURE]]. -
- --The `bbs-signature-2023` cryptographic suite takes an input document, canonicalizes -the document using the Universal RDF Dataset Canonicalization Algorithm -[[RDF-CANON]], and then cryptographically hashes and signs the output -resulting in the production of a data integrity proof. The algorithms in this -section also include the verification of such a data integrity proof. -
- --To generate a proof, the algorithm in - -Section 4.1: Add Proof in the Data Integrity -[[VC-DATA-INTEGRITY]] specification MUST be executed. -For that algorithm, the cryptographic suite specific - -transformation algorithm is defined in Section -, the - -hashing algorithm is defined in Section , -and the - -proof serialization algorithm is defined in Section -. -
-To verify a proof, the algorithm in - -Section 4.2: Verify Proof in the Data Integrity -[[VC-DATA-INTEGRITY]] specification MUST be executed. -For that algorithm, the cryptographic suite specific - -transformation algorithm is defined in Section -, the - -hashing algorithm is defined in Section , -and the - -proof verification algorithm is defined in Section -. -
--The following algorithm specifies how to transform an unsecured input document -into a transformed document that is ready to be provided as input to the -hashing algorithm in Section . -
- - -Required inputs to this algorithm are an -unsecured data document (unsecuredDocument
) and
-
-transformation options (options
). The
-transformation options MUST contain a type identifier for the
-
-cryptographic suite (type
) and a cryptosuite
-identifier (cryptosuite
). A transformed data document is
-produced as output. Whenever this algorithm encodes strings, it MUST use UTF-8
-encoding.
+The following algorithms describe how to use verifiable credentials with
+the BBS Signature Scheme [[CFRG-BBS-SIGNATURE]].
-
- options
.type
is not set to the string
-`DataIntegrityProof` and options
.cryptosuite
is not
-set to the string `bbs-signature-2023` then a `PROOF_TRANSFORMATION_ERROR` MUST be
-raised.
- canonicalDocument
be the result of applying the
-Universal RDF Dataset Canonicalization Algorithm
-[[RDF-CANON]] to the unsecuredDocument
.
- output
to the value of canonicalDocument
.
- canonicalDocument
as the transformed data document.
- -The following algorithm specifies how to cryptographically hash a -transformed data document and proof configuration -into cryptographic hash data that is ready to be provided as input to the -algorithms in Section or -Section . -
- -
-The required inputs to this algorithm are a transformed data document
-(transformedDocument
) and proof configuration
-(proofConfig
). A single hash data value represented as
-series of bytes is produced as output.
-
-The following algorithm specifies how to generate a -proof configuration from a set of proof options -that is used as input to the proof hashing algorithm. -
- -
-The required inputs to this algorithm are proof options
-(options
). The proof options MUST contain a type identifier
-for the
-
-cryptographic suite (type
) and MUST contain a cryptosuite
-identifier (cryptosuite
). A proof configuration
-object is produced as output.
-
proofConfig
be an empty object.
- proofConfig
.type
to
-options
.type
.
- options
.cryptosuite
is set, set
-proofConfig
.cryptosuite
to its value.
- options
.type
is not set to `DataIntegrityProof` and
-proofConfig
.cryptosuite
is not set to `bbs-signature-2023`, an
-`INVALID_PROOF_CONFIGURATION` error MUST be raised.
- proofConfig
.created
to
-options
.created
. If the value is not a valid
-[[XMLSCHEMA11-2]] datetime, an `INVALID_PROOF_DATETIME` error MUST be raised.
- proofConfig
.verificationMethod
to
-options
.verificationMethod
.
- proofConfig
.proofPurpose
to
-options
.proofPurpose
.
- proofConfig
.
-
-The following algorithm specifies how to serialize a digital signature from
-a set of cryptographic hash data. This
-algorithm is designed to be used in conjunction with the algorithms defined
-in the Data Integrity [[VC-DATA-INTEGRITY]] specification,
-
-Section 4: Algorithms. Required inputs are
-cryptographic hash data (hashData
) and
-proof options (options
). The
-proof options MUST contain a type identifier for the
-
-cryptographic suite (type
) and MAY contain a cryptosuite
-identifier (cryptosuite
). A single digital proof value
-represented as series of bytes is produced as output.
-
privateKeyBytes
be the result of retrieving the
-private key bytes associated with the
-options
.verificationMethod
value as described in the
-Data Integrity [[VC-DATA-INTEGRITY]] specification.
-
- Specify how proofBytes
is generated and consumed by Section
-.
-
proofBytes
as the digital proof.
- TODO: We need to add a complete list of privacy + considerations.
-The following algorithm specifies how to verify a digital signature from
-a set of cryptographic hash data. This
-algorithm is designed to be used in conjunction with the algorithms defined
-in the Data Integrity [[VC-DATA-INTEGRITY]] specification,
-
-Section 4: Algorithms. Required inputs are
-cryptographic hash data (hashData
),
-a digital signature (proofBytes
) and
-proof options (options
). A verification result
-represented as a boolean value is produced as output.
-
publicKeyBytes
be the result of retrieving the
-public key bytes associated with the
-options
.verificationMethod
value as described in the
-Data Integrity [[VC-DATA-INTEGRITY]] specification,
-
-Section 4: Retrieving Cryptographic Material.
- verificationResult
be the result of applying the verification
-algorithm defined in the BBS Signature specification [[CFRG-BBS-SIGNATURE]],
-with hashData
as the data to be verified against the
-proofBytes
using the public key specified by
-publicKeyBytes
.
- verificationResult
as the verification result.
- - The `bbs-proof-2023` cryptographic suite takes an input document, - that has previously been secured using `bbs-signature-2023`, - derives from this original document a set of messages to be disclosed - representing a redacted form of the original document, and - applies the Proof Gen - algorithm to produce a proof of knowledge for the disclosed messages. - The result is a new `proof`, containing the following attributes: -
- - -This operation can be applied by any - holder of a `bbs-signature-2023` - secured document, and as such, `bbs-proof-2023` MUST be implemented with - awareness of the mandatory to disclose fields the original - issuer required. -
-TODO: We need to add a complete list of security + considerations.
TODO: We need to add a complete list of privacy - considerations.
-TODO: We need to add a complete list of security - considerations.
-The `verificationMethod` property of the proof MUST be a URL. @@ -407,9 +407,29 @@
TODO: We need to add a complete list of privacy
From 86996c9b8e7edaa76673f289ccb05f6dbe7ed712 Mon Sep 17 00:00:00 2001
From: Wind4Greg
The following algorithms describe how to use verifiable credentials with
-the BBS Signature Scheme [[CFRG-BBS-SIGNATURE]].
+the BBS Signature Scheme [[CFRG-BBS-SIGNATURE]]. When using the BBS signature
+scheme the SHAKE-256 variant SHOULD be used.
+
+Implementations SHOULD fetch and cache verification method information as
+early as possible when adding or verifying proofs. Parameters passed to
+functions in this section use information from the verification
+method — such as the public key size — to determine function parameters — such
+as the cryptographic hashing algorithm.
+
+When the RDF Dataset Canonicalization Algorithm [[RDF-CANON]] is used,
+implementations of that algorithm will detect
+dataset poisoning
+by default, and abort processing upon detection.
+The `bbs-2023` cryptographic suite takes an input document, canonicalizes
+the document using the Universal RDF Dataset Canonicalization Algorithm
+[[RDF-CANON]], and then applies a number of transformations and cryptographic
+operations resulting in the production of a data integrity proof. The algorithms
+in this section also include the verification of such a data integrity proof.
+ Algorithms
bbs-2023 Functions
bbs-2023
+
+ bbs-2023
in this section also include the verification of such a data integrity proof.
+To generate a base proof, the algorithm in + +Section 4.1: Add Proof in the Data Integrity +[[VC-DATA-INTEGRITY]] specification MUST be executed. +For that algorithm, the cryptographic suite specific + +transformation algorithm is defined in Section +, the + +hashing algorithm is defined in Section , +and the + +proof serialization algorithm is defined in Section +. +
+TODO: write details
+TODO: Fill in after section is completed.
@@ -470,6 +483,73 @@+The following algorithm specifies how to transform an unsecured input document +into a transformed document that is ready to be provided as input to the +hashing algorithm in Section . +
+ ++Required inputs to this algorithm are an + +unsecured data document (unsecuredDocument) and +transformation options (options). The +transformation options MUST contain a type identifier for the + +cryptographic suite (type), a cryptosuite +identifier (cryptosuite), and a verification method +(verificationMethod). The transformation options MUST contain an +array of mandatory JSON pointers (mandatoryPointers) and MAY contain +additional options, such as a JSON-LD document loader. A transformed data +document is produced as output. Whenever this algorithm encodes strings, it +MUST use UTF-8 encoding. +
+ +The following algorithm specifies how to transform an unsecured input document into a transformed document that is ready to be provided as input to the hashing algorithm in Section .
-
Required inputs to this algorithm are an
@@ -507,7 +505,6 @@ Base Proof Transformation (bbs-2023)
document is produced as output. Whenever this algorithm encodes strings, it
MUST use UTF-8 encoding.
+The following algorithm specifies how to cryptographically hash a +transformed data document and proof configuration +into cryptographic hash data that is ready to be provided as input to the +algorithms in Section . +
+ ++The required inputs to this algorithm are a transformed data document +(transformedDocument) and canonical proof configuration +(canonicalProofConfig). A hash data value represented +as an object is produced as output. +
+ ++The following algorithm specifies how to generate a +proof configuration from a set of proof options +that is used as input to the +base proof hashing algorithm. +
+ ++The required inputs to this algorithm are proof options +(options). The proof options MUST contain a type identifier +for the + +cryptographic suite (type) and MUST contain a cryptosuite +identifier (cryptosuite). A proof configuration +object is produced as output. +
+ +TODO: Fill in after section is completed.
@@ -548,7 +551,6 @@+The following algorithm specifies how to create a base proof; called by an +issuer of an BBS-protected Verifiable Credential. The base proof is to be +given only to the holder, who is responsible for generating a derived proof from +it, exposing only selectively disclosed details in the proof to a verifier. This +algorithm is designed to be used in conjunction with the algorithms defined +in the Data Integrity [[VC-DATA-INTEGRITY]] specification, + +Section 4: Algorithms. Required inputs are +cryptographic hash data (hashData) and +proof options (options). The +proof options MUST contain a type identifier for the + +cryptographic suite (type) and MAY contain a cryptosuite +identifier (cryptosuite). A single digital proof value +represented as series of bytes is produced as output. +
+ +TODO: Fill in after section is completed.
@@ -713,6 +719,47 @@+The following algorithm creates a selective disclosure derived proof; called by +a holder of an `bbs-2023`-protected verifiable credential. +The derived proof is to be given to the verifier. The inputs include a +JSON-LD document (document), a BBS base proof +(proof), an array of JSON pointers to use to selectively disclose +statements (selectivePointers), and any custom JSON-LD API options, +such as a document loader. A single selectively revealed document +value, represented as an object, is produced as output. +
+ +TODO: Fill in after section is completed.
@@ -764,6 +767,45 @@+The following algorithm attempts verification of a `bbs-2023` derived +proof. This algorithm is called by a verifier of an BBS-protected +verifiable credential. The inputs include a JSON-LD document +(document), an BBS disclosure proof (proof), and any +custom JSON-LD API options, such as a document loader. A single boolean +verification result value is produced as output. +
+ ++The following algorithm serializes the base proof value, including the +BBS signature, HMAC key, and mandatory pointers. +The required inputs are a base signature bbsSignature, +an HMAC key hmacKey, and an array of +mandatoryPointers. +A single base proof string value is produced as output. +
+ ++The following algorithm creates data to be used to generate a derived proof. The +inputs include a JSON-LD document (document), an BBS base proof +(proof), an array of JSON pointers to use to selectively disclose +statements (selectivePointers), and any custom JSON-LD API options, +such as a document loader). A single object, disclosure data, is +produced as output, which contains the "bbsProof", "labelMap", +"mandatoryIndexes", "selectiveIndexes", and "revealDocument" fields. +
+ ++The following algorithm parses the components of an `bbs-2023` selective +disclosure base proof value. The required inputs are a proof value +(proofValue). A single object parsed base proof, containing +three elements, using the names "bbsSignature", "hmacKey", +and "mandatoryPointers", is produced as output. +
+ +
The following algorithm parses the components of an `bbs-2023` selective
disclosure base proof value. The required inputs are a proof value
From 6c100d766285823142a0ce557fef0f31b025cb09 Mon Sep 17 00:00:00 2001
From: Wind4Greg
The following algorithm serializes the base proof value, including the
BBS signature, HMAC key, and mandatory pointers.
@@ -679,8 +678,45 @@
+The following algorithm serializes a derived proof value. The required inputs
+are a BBS proof (bbsProof), a label map (labelMap), an
+array of mandatory indexes (mandatoryIndexes) and an array of
+selective indexes (selectiveIndexes). A single derived proof
+value, serialized as a byte string, is produced as output.
+
+The following algorithm compresses a label map. The required inputs are
+label map (labelMap). The output is a compressed label map.
+
+The following algorithm creates the data needed to perform verification of an
+BBS-protected verifiable credential. The inputs include a JSON-LD
+document (document), a BBS disclosure proof (proof),
+and any custom JSON-LD API options, such as a document loader. A single
+verify data object value is produced as output containing the following
+fields: "bbsProof", "proofHash", "mandatoryHash", "selectedIndexes", and
+"nonMandatory".
+
TODO: Fill in after section is completed.
From 2d218cddcb009a5398449a8e13f96c9aabb6eb0e Mon Sep 17 00:00:00 2001
From: Wind4Greg
+The following algorithm decompresses a label map. The required input is a
+compressed label map (compressedLabelMap). The output is a
+decompressed label map.
+
+The following algorithm parses the components of the derived proof value.
+The required inputs are a derived proof value (proofValue). A
+A single derived proof value value object is produced as output, which
+contains a set to five elements, using the names "bbsProof", "labelMap",
+"mandatoryIndexes", and "selectiveIndexes".
+ TODO: write details
+The following algorithm creates a label map factory function that uses an
+HMAC to shuffle canonical blank node identifiers. The required input is an HMAC
+(previously initialized with a secret key), HMAC. A function,
+labelMapFactoryFunction, is produced as output.
+ createShuffledIdLabelMapFunction
bbs-2023 Functions
serializeBaseProofValue
-
createDisclosureData
compressLabelMap
+ serializeDerivedProofValue
+
+
+
+
createVerifyData
From c6cb2de7d571cef83f5e47e4ca23962c508c91dc Mon Sep 17 00:00:00 2001
From: Wind4Greg createDisclosureData
compressLabelMap
+
+
+
+
+ serializeDerivedProofValue
parseDerivedProofValue
+ createVerifyData
+
+
+
+
+
+ compressLabelMap
Return `map` as compressed label map.
+ decompressLabelMap
+
+
+
+
+ serializeDerivedProofValue
parseDerivedProofValue
+
+
+
+
Selective Disclosure Functions
createShuffledIdLabelMapFunction
-
+
+
+
+
+
+
+
+ createVerifyData
TODO: We need to add a complete list of security considerations.
+To demonstrate selective disclosure features including mandatory disclosure, +selective disclosure, and overlap between mandatory and selective disclosure +requires an input credential document with more content than previous test +vectors. To avoid excessively long test vectors the starting document test +vector is based on a purely ficticious windsurfing (sailing) competition +scenario. In addition we break the test vectors into two groups based on those +that would be generated by the issuer (base proof) and those that would be +generated by the holder (derived proof). +
++In order to add a selective disclosure base proof to a document the issuer needs +the following cryptographic key material: +
++The key material used for generating the add base proof test vectors is shown +below. Hexadecimal representation is use for the BBS key pairs and the HMAC key. +
+++
+In our scenario a sailor is registering with a race organizer for a series of +windsurfing races to be held over a number of days on Maui. The organizer will +inspect the sailors equipment to certify that what has been declared is + accurate. The sailors unsigned equipment inventory is shown below. +
+ ++In addition to let other sailors know what kinds of equipment their competitors +maybe sailing on it is mandatory that each sailor disclose the year of their +most recent windsurfing board and full details on two of their sails. Note that +all sailors are identified by a sail number that is printed on all their +equipment. This mandatory information is specified via an array of JSON pointers +as shown below. +
+ ++The result of applying the above JSON pointers to the sailors equipment document +is shown below. +
+ ++Transformation of the unsigned document begins with canonicalizing the document +as shown below. +
+ ++To prevent possible information leakage from the ordering of the blank node ids +these are processed through a PRF, i.e., the HMAC to give the canonized HMAC +document shown below. This represents an ordered list of statements that will be +subject to mandatory and selective disclosure, i.e., it is from this list that +statements are grouped. +
+ ++The above canonical document gets grouped in to mandatory and non-mandatory +statements. The final output of the selective disclosure transformation process +is shown below. Each statement is now grouped as mandatory and non-mandatory and +its index in the previous list of statements is remembered. +
+ ++The next step is to create the base proof configuration and canonicalize it. +This is shown in the following two examples. +
+ + ++In the hashing step we compute the SHAKE-256 hash of the canonicalized proof +options to produce the `proofHash` and we compute the SHAKE-256 hash of the join of +all the mandatory nquads to produce the `mandatoryHash`. These are shown below +in hexadecimal format. +
+ ++Shown below is the computed `bbsSignature` in hexadecimal, and the +`mandatoryPointers`. These are are fed to the final serialization step with the +`hmacKey`. +
+ ++Finally, the values above are run through the algorithm of Section + to produce the `proofValue` which is +used in the signed based document shown below. +
+ ++In order to create a derived proof a holder starts with a signed document +containing a base proof. The base document we will use for these test vectors is +the final example from Section above. The first +step is to run the algorithm of Section to +recover `bbsSignature`, `hmacKey`, and +`mandatoryPointers` as shown below. +
+ ++Next, the holder needs to indicate what, if anything else, they wish to reveal +to the verifiers by specifying JSON pointers for selective disclosure. In our +windsurfing competition scenario a sailor (the holder) has just completed their +first day of racing and wishes to reveal to the general public (the verifiers) +all the details of the windsurfing boards they used in the competition. These +are shown below. Note that this slightly overlaps with the mandatory disclosed +information which included only the year of their most recent board. +
+ ++To produce the `revealDocument`, i.e., the unsigned document that will +eventually be signed and sent to the verifier, we append the selective pointers +to the mandatory pointers and input these combined pointers along with the +document without proof to the `selectJsonLd` algorithm of [[DI-ECDSA]] +to give the result shown below. +
+ ++Now that we know what the revealed document looks like, we need to furnish +appropriately updated information to the verifier on which statements are +mandatory, and the indexes for the selected non-mandatory statements. Running +step 6 of the + yields an abundance of information about +various statement groups relative to the original document. Below we show a +portion of the indexes for those groups. +
+ ++The verifier needs to be able to aggregate and hash the mandatory statements. To +enable this we furnish them with a list of indexes of the mandatory statements +adjusted to their positions in the reveal document, i.e., relative to the +`combinedIndexes`. While the `selectiveIndexes` need to be adjusted relative to +their positions within the `nonMandatoryIndexes`. These "adjusted" indexes are +shown below. +
+ ++The last important piece of disclosure data is a mapping of canonical blank node +ids to HMAC based shuffled ids, the `labelMap`, computed according to Section +. This is shown below along with +the rest of the disclosure data minus the reveal document. +
+ ++Finally using the disclosure data above with the algorithm of Section + we obtain the signed derived (reveal) +document shown below. +
+ +
From a3d593e08fa7122a2c44a3eceb8b0b978e40efef Mon Sep 17 00:00:00 2001
From: Manu Sporny
This specification describes a Data Integrity Cryptosuite for use when generating
digital signatures using the BBS signature scheme.
-The Signature Suite utilizes BBS signatures to provide selective disclosur and
+The Signature Suite utilizes BBS signatures to provide selective disclosure and
unlinkable derived proofs.
This specification defines a cryptographic suite for the purpose of -creating, verifying and deriving proofs using the BBS Signature Scheme in +creating, verifying, and deriving proofs using the BBS Signature Scheme in conformance with the Data Integrity [[VC-DATA-INTEGRITY]] specification. The BBS signature scheme directly provides for selective disclosure and unlinkable -proofs. It provides four high level functions that work within the issuer, -holder, verifier model. In particular an issuer uses the BBS `Sign` function to +proofs. It provides four high-level functions that work within the issuer, +holder, verifier model. Specifically, an issuer uses the BBS `Sign` function to create a cryptographic value known as a "BBS signature" which is used in signing the original credential. A holder, on receipt of a credential signed with BBS, then verifies the credential with the BBS `Verify` @@ -222,16 +222,16 @@
The holder then chooses information to selectively disclose from the received credential and uses the BBS `ProofGen` function to generate a -cryptographic value, known as a "BBS proof" which is used in creating a proof -for this "derived credential". The cryptographic "BBS proof" value is unlinkable +cryptographic value, known as a "BBS proof", which is used in creating a proof +for this "derived credential". The cryptographic "BBS proof" value is not linkable to the original "BBS signature" and a different, unlinkable "BBS proof" can be -generated by the holder for additional "derived credentials", including those +generated by the holder for additional "derived credentials", including any containing the exact same information. Finally, a verifier uses the BBS `ProofVerify` function to verify the derived credential received from the holder.
-To apply the BBS signature scheme to verifiable credentials involves the +Applying the BBS signature scheme to verifiable credentials involves the processing specified in this document. In general the suite uses the RDF Dataset Normalization Algorithm [[RDF-DATASET-NORMALIZATION]] to transform an input document into its canonical @@ -244,14 +244,14 @@
-Similarly, a holder on receipt of a BBS signed credential uses the RDF Dataset +Similarly, on receipt of a BBS signed credential, a holder uses the RDF Dataset Normalization Algorithm [[RDF-DATASET-NORMALIZATION]] to transform an input -document into its canonical form and then applies selective disclosure +document into its canonical form, and then applies selective disclosure primitives to separate the canonical form into mandatory and selectively -disclosed statements which are appropriately processed and serve as inputs to -the BBS `ProofGen` function. The output of this function suitably processed +disclosed statements, which are appropriately processed and serve as inputs to +the BBS `ProofGen` function. Suitably processed, the output of this function becomes the signed selectively disclosed credential sent to a verifier. Using -canonicalization and selective disclosure primitives the verifier can then use +canonicalization and selective disclosure primitives, the verifier can then use the BBS `verifyProof` function to validate the credential.
@@ -317,8 +317,8 @@The `publicKeyMultibase` property represents a Multibase-encoded Multikey -expression of a BLS12-381 public key in the G2 group. The encoding this field is -the two-byte prefix `0xeb01` followed +expression of a BLS12-381 public key in the G2 group. The encoding of this field +is the two-byte prefix `0xeb01` followed by the 96-byte compressed public key data. The 98-byte value is then encoded using base58-btc (`z`) as the prefix. Any other encodings MUST NOT be allowed. @@ -332,7 +332,7 @@
+ title="A BLS12-381 G2 group public key, encoded as a Multikey"> { "id": "https://example.com/issuer/123#key-0", "type": "Multikey", @@ -472,16 +472,16 @@createShuffledIdLabelMapFunction
-The following algorithm parses the components of an `bbs-2023` selective -disclosure base proof value. The required inputs are a proof value -(proofValue). A single object parsed base proof, containing +The following algorithm parses the components of a `bbs-2023` selective +disclosure base proof value. The required input is a proof value +(proofValue). A single object, parsed base proof, containing three elements, using the names "bbsSignature", "hmacKey", and "mandatoryPointers", is produced as output.
@@ -550,15 +550,15 @@The following algorithm creates data to be used to generate a derived proof. The -inputs include a JSON-LD document (document), an BBS base proof +inputs include a JSON-LD document (document), a BBS base proof (proof), an array of JSON pointers to use to selectively disclose -statements (selectivePointers), and any custom JSON-LD API options, -such as a document loader). A single object, disclosure data, is +statements (selectivePointers), and any custom JSON-LD API options +(such as a document loader). A single object, disclosure data, is produced as output, which contains the "bbsProof", "labelMap", "mandatoryIndexes", "selectiveIndexes", and "revealDocument" fields.
@@ -608,8 +608,8 @@-The following algorithm compresses a label map. The required inputs are +The following algorithm compresses a label map. The required input is label map (labelMap). The output is a compressed label map.
@@ -749,8 +749,8 @@The following algorithm serializes a derived proof value. The required inputs -are a BBS proof (bbsProof), a label map (labelMap), an -array of mandatory indexes (mandatoryIndexes) and an array of +are a BBS proof (bbsProof), a label map (labelMap), an +array of mandatory indexes (mandatoryIndexes), and an array of selective indexes (selectiveIndexes). A single derived proof value, serialized as a byte string, is produced as output.
@@ -813,8 +813,8 @@The following algorithm parses the components of the derived proof value. -The required inputs are a derived proof value (proofValue). A +The required input is a derived proof value (proofValue). A A single derived proof value value object is produced as output, which -contains a set to five elements, using the names "bbsProof", "labelMap", +contains a set of five elements, using the names "bbsProof", "labelMap", "mandatoryIndexes", and "selectiveIndexes".
-The following algorithm creates the data needed to perform verification of an +The following algorithm creates the data needed to perform verification of a BBS-protected verifiable credential. The inputs include a JSON-LD document (document), a BBS disclosure proof (proof), -and any custom JSON-LD API options, such as a document loader. A single +and any custom JSON-LD API options (such as a document loader). A single verify data object value is produced as output containing the following -fields: "bbsProof", "proofHash", "mandatoryHash", "selectedIndexes", and -"nonMandatory". +fields: "`bbsProof`", "`proofHash`", "`mandatoryHash`", "`selectedIndexes`", and +"`nonMandatory`".
To generate a base proof, the algorithm in
-Section 4.1: Add Proof in the Data Integrity
+Section 4.1: Add Proof of the Data Integrity
[[VC-DATA-INTEGRITY]] specification MUST be executed.
For that algorithm, the cryptographic suite specific
@@ -1012,7 +1012,7 @@ Base Proof Transformation (bbs-2023)
-The following algorithm specifies how to create a base proof; called by an -issuer of an BBS-protected Verifiable Credential. The base proof is to be +The following algorithm, to be called by an issuer of a BBS-protected Verifiable +Credential, specifies how to create a base proof. The base proof is to be given only to the holder, who is responsible for generating a derived proof from it, exposing only selectively disclosed details in the proof to a verifier. This algorithm is designed to be used in conjunction with the algorithms defined @@ -1212,8 +1212,8 @@
-The following algorithm creates a selective disclosure derived proof; called by -a holder of an `bbs-2023`-protected verifiable credential. +The following algorithm, to be called by a holder of a `bbs-2023`-protected +verifiable credential, creates a selective disclosure derived proof. The derived proof is to be given to the verifier. The inputs include a JSON-LD document (document), a BBS base proof (proof), an array of JSON pointers to use to selectively disclose @@ -1240,7 +1240,7 @@
-To demonstrate selective disclosure features including mandatory disclosure, -selective disclosure, and overlap between mandatory and selective disclosure +Demonstration of selective disclosure features including mandatory disclosure, +selective disclosure, and overlap between those, requires an input credential document with more content than previous test -vectors. To avoid excessively long test vectors the starting document test -vector is based on a purely ficticious windsurfing (sailing) competition -scenario. In addition we break the test vectors into two groups based on those +vectors. To avoid excessively long test vectors, the starting document test +vector is based on a purely fictitious windsurfing (sailing) competition +scenario. In addition, we break the test vectors into two groups, based on those that would be generated by the issuer (base proof) and those that would be generated by the holder (derived proof).
-In order to add a selective disclosure base proof to a document the issuer needs +To add a selective disclosure base proof to a document, the issuer needs the following cryptographic key material:
-The key material used for generating the add base proof test vectors is shown -below. Hexadecimal representation is use for the BBS key pairs and the HMAC key. +The key material used for generating the test vectors to test add base +proof is shown below. Hexadecimal representation is used for the BBS key +pairs and the HMAC key.
-In our scenario a sailor is registering with a race organizer for a series of +In our scenario, a sailor is registering with a race organizer for a series of windsurfing races to be held over a number of days on Maui. The organizer will -inspect the sailors equipment to certify that what has been declared is - accurate. The sailors unsigned equipment inventory is shown below. +inspect the sailor's equipment to certify that what has been declared is +accurate. The sailor's unsigned equipment inventory is shown below.
-In addition to let other sailors know what kinds of equipment their competitors -maybe sailing on it is mandatory that each sailor disclose the year of their +In addition to letting other sailors know what kinds of equipment their competitors +may be sailing on, it is mandatory that each sailor disclose the year of their most recent windsurfing board and full details on two of their sails. Note that all sailors are identified by a sail number that is printed on all their equipment. This mandatory information is specified via an array of JSON pointers @@ -1363,20 +1364,20 @@
-The result of applying the above JSON pointers to the sailors equipment document +The result of applying the above JSON pointers to the sailor's equipment document is shown below.
-Transformation of the unsigned document begins with canonicalizing the document +Transformation of the unsigned document begins with canonicalizing the document, as shown below.
-To prevent possible information leakage from the ordering of the blank node ids -these are processed through a PRF, i.e., the HMAC to give the canonized HMAC +To prevent possible information leakage from the ordering of the blank node IDs +these are processed through a PRF (i.e., the HMAC) to give the canonicalized HMAC document shown below. This represents an ordered list of statements that will be subject to mandatory and selective disclosure, i.e., it is from this list that statements are grouped. @@ -1384,9 +1385,9 @@
-The above canonical document gets grouped in to mandatory and non-mandatory +The above canonical document gets grouped into mandatory and non-mandatory statements. The final output of the selective disclosure transformation process -is shown below. Each statement is now grouped as mandatory and non-mandatory and +is shown below. Each statement is now grouped as mandatory or non-mandatory, and its index in the previous list of statements is remembered.
Base Proof-In the hashing step we compute the SHAKE-256 hash of the canonicalized proof -options to produce the `proofHash` and we compute the SHAKE-256 hash of the join of -all the mandatory nquads to produce the `mandatoryHash`. These are shown below -in hexadecimal format. +In the hashing step, we compute the SHAKE-256 hash of the canonicalized proof +options to produce the `proofHash`, and we compute the SHAKE-256 hash of the +join of all the mandatory N-Quads to produce the `mandatoryHash`. These are +shown below in hexadecimal format.
-Shown below is the computed `bbsSignature` in hexadecimal, and the +Shown below are the computed `bbsSignature` in hexadecimal, and the `mandatoryPointers`. These are are fed to the final serialization step with the `hmacKey`.
@@ -1416,8 +1417,8 @@Base Proof
data-include-format="text">
Finally, the values above are run through the algorithm of Section - to produce the `proofValue` which is -used in the signed based document shown below. +, to produce the `proofValue` which is +used in the signed base document shown below.
@@ -1425,20 +1426,19 @@-In order to create a derived proof a holder starts with a signed document +To create a derived proof, a holder starts with a signed document containing a base proof. The base document we will use for these test vectors is -the final example from Section above. The first +the final example from Section , above. The first step is to run the algorithm of Section to -recover `bbsSignature`, `hmacKey`, and -`mandatoryPointers` as shown below. +recover `bbsSignature`, `hmacKey`, and `mandatoryPointers`, as shown below.
-Next, the holder needs to indicate what, if anything else, they wish to reveal -to the verifiers by specifying JSON pointers for selective disclosure. In our -windsurfing competition scenario a sailor (the holder) has just completed their -first day of racing and wishes to reveal to the general public (the verifiers) +Next, the holder needs to indicate what else, if anything, they wish to reveal +to the verifiers, by specifying JSON pointers for selective disclosure. In our +windsurfing competition scenario, a sailor (the holder) has just completed their +first day of racing, and wishes to reveal to the general public (the verifiers) all the details of the windsurfing boards they used in the competition. These are shown below. Note that this slightly overlaps with the mandatory disclosed information which included only the year of their most recent board. @@ -1446,17 +1446,17 @@
-To produce the `revealDocument`, i.e., the unsigned document that will -eventually be signed and sent to the verifier, we append the selective pointers -to the mandatory pointers and input these combined pointers along with the -document without proof to the `selectJsonLd` algorithm of [[DI-ECDSA]] -to give the result shown below. +To produce the `revealDocument` (i.e., the unsigned document that will +eventually be signed and sent to the verifier), we append the selective pointers +to the mandatory pointers, and input these combined pointers along with the +document without proof to the `selectJsonLd` algorithm of [[DI-ECDSA]], +to get the result shown below.
Now that we know what the revealed document looks like, we need to furnish -appropriately updated information to the verifier on which statements are +appropriately updated information to the verifier about which statements are mandatory, and the indexes for the selected non-mandatory statements. Running step 6 of the yields an abundance of information about @@ -1467,9 +1467,9 @@
The verifier needs to be able to aggregate and hash the mandatory statements. To -enable this we furnish them with a list of indexes of the mandatory statements -adjusted to their positions in the reveal document, i.e., relative to the -`combinedIndexes`. While the `selectiveIndexes` need to be adjusted relative to +enable this, we furnish them with a list of indexes of the mandatory statements +adjusted to their positions in the reveal document (i.e., relative to the +`combinedIndexes`), while the `selectiveIndexes` need to be adjusted relative to their positions within the `nonMandatoryIndexes`. These "adjusted" indexes are shown below.
@@ -1478,15 +1478,15 @@The last important piece of disclosure data is a mapping of canonical blank node -ids to HMAC based shuffled ids, the `labelMap`, computed according to Section +IDs to HMAC-based shuffled IDs, the `labelMap`, computed according to Section . This is shown below along with the rest of the disclosure data minus the reveal document.
-Finally using the disclosure data above with the algorithm of Section - we obtain the signed derived (reveal) +Finally, using the disclosure data above with the algorithm of Section +, we obtain the signed derived (reveal) document shown below.
Date: Tue, 31 Oct 2023 10:50:07 -0400 Subject: [PATCH 29/29] Use HMAC as a noun in algorithms. --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index fa3ec2e..dc90eab 100644 --- a/index.html +++ b/index.html @@ -457,7 +457,7 @@createShuffledIdLabelMapFunction
For each map entry, entry, in canonicalIdMap:
- -HMAC the canonical identifier from the value in entry to get an HMAC +Perform an HMAC operation on the canonical identifier from the value in entry to get an HMAC digest, digest.