[MINUTES] W3C CCG Credentials CG Call - 2024-06-25 from CCG Minutes Bot on 2024-06-26 (public-credentials@w3.org from June 2024)

From: CCG Minutes Bot <minutes@w3c-ccg.org>
Date: Wed, 26 Jun 2024 18:28:47 +0000
To: public-credentials@w3.org
Message-ID: <67db2b45-5233-eb41-53fa-ea46658846b9@w3c-ccg.org>

Thanks to Our Robot Overlords for scribing this week!

The transcript for the call is now available here:

https://w3c-ccg.github.io/meetings/2024-06-25/

Full text of the discussion follows for W3C archival purposes.
Audio of the meeting is available at the following location:

https://w3c-ccg.github.io/meetings/2024-06-25/audio.ogg

A video recording is also available at:

https://meet.w3c-ccg.org/archives/w3c-ccg-weekly-2024-06-25.mp4

----------------------------------------------------------------
W3C CCG Weekly Teleconference Transcript for 2024-06-25

Agenda:
https://www.w3.org/Search/Mail/Public/advanced_search?hdr-1-name=subject&hdr-1-query=%5BAGENDA&period_month=Jun&period_year=2024&index-grp=Public__FULL&index-type=t&type-index=public-credentials&resultsperpage=20&sortby=date
Organizer:
Mike Prorock, Kimberly Linson, Harrison Tang
Scribe:
Our Robot Overlords
Present:
Harrison Tang, Nis Jespersen , Erica Connell, GregB, Hiroyuki
Sano, Japan, Markus Sabadello, TallTed // Ted Thibodeau (he/him)
(OpenLinkSw.com), Gregory Natran, Kaliya Young, Benjamin Young,
Wes-Smith, James Chartrand, Leo, Manu Sporny, Joe Andrieu, Wendy
Seltzer, Laura Paglione, Julien Fraichot, PL-T3, Tim Bloomfield,
Alex H, Dmitri Zagidulin, Jeff O - HumanOS, Brandi Delancey, Dave
Longley, Patrick St-Louis, Gerald Glickman

<harrison_tang> @Greg you might want to check your microphone. i
don't think we can hear you when you unmuted earlier
Our Robot Overlords are scribing.
Harrison_Tang: All right um welcome to this week's w3c ccg
meeting uh today we are excited to have Greg uh Bernstein back
again to present on the anonymous holder binding and student sum
so about 2 weeks ago Greg uh.
Harrison_Tang: Present an update on the PBS signatures and uh
today we'll follow up with uh related but different discussion
regards to uh the holder binding Anonymous holder binding and uh
pseudonym so before we get to uh the main agenda I just want to
quickly go over uh the administrative stuff um so first of all a
quick reminder on the code of ethics and professional conduct uh
just want to make sure that uh we hold uh constructive and
respectful conversations and discussions.
Harrison_Tang: A quick note on the intellectual property uh
anyone can participate in these calls however all substantive
contributions to any ccg work items must be the member of the ccg
with full IPR agreement signed so if you have any questions in
regard to getting a w3c account or signing the community
contributor license agreement uh please just let any of the
cultures know.
Harrison_Tang: A quick note on uh the minute meetings uh these uh
minutes are automatically recorded and we will publish the
meeting minutes as well as the audio and video recordings in the
next uh 1 or 2 days.
GregB: Sorry guys I couldn't hear a thing I don't know what was
happening okay sorry.
Harrison_Tang: Because uh does this sound work now can you hear
us now.
GregB: Yeah all all I was hearing is the recording is on and I
knew that you guys were talking because I started seeing the
transcript sorry.
Harrison_Tang: Oh no problem I'm glad it works um.
Harrison_Tang: All right so uh uh just getting back uh to the
administrative stuff and then we'll have Greg on uh to present
and be the discussion on the anonymous holder binding.
Harrison_Tang: All right so again these meetings are being
automatically recorded and will publish the meeting minutes audio
recording and video recording in the next 1 or 2 days we use GT
chat to cue the speaker so you can type in Q Plus to add yourself
to the queue or cue minus to remove.
Harrison_Tang: I think it's a time for introductions and
reintroduction so if you're new to the community or you haven't
been active and want to re-engage feel free to unmute and just uh
introduce yourself.
Harrison_Tang: All right 1 of those days I'm gonna start calling
on people but today's mostly uh familiar faces so I'll let it go
all right um announcements and reminders uh if you have anything
new or new events or new projects uh feel free to just uh unmute
or uh.
Harrison_Tang: Typing Q Plus to add yourself to the queue.
Harrison_Tang: Money you want to go first.
Manu Sporny: Sure sorry uh no no audio for America um.
Manu Sporny: Yeah just a a quick update that um we are we're
we're kind of coming to the end of issues in the verifiable
credential working group on many of the major specifications so
that's good that's that's great news it means that we're pretty
much ready to.
Manu Sporny: Go to the next stage um we are um we are slowly
finishing the test Suites and the number of them uh are um now
ready for implementers to implement against um if you have uh an
implementation and you've been holding off on integrating um uh
now would be a good time to start integrating with the verifiable
credential 20 um test Suite in any of the data Integrity test
Suites we know what that we have a number of implementers that um
are passing some of the older test Suites that would probably
pass.
Manu Sporny: Good chunk 80% plus of the new tests um and so
we're going to be reaching out to people um to integrate with
tests um.
<benjamin_young> Here's how to add your implementation:
https://github.com/w3c/vc-test-suite-implementations?tab=readme-ov-file#usage
Manu Sporny: A also a reminder to implementers is that um as
soon as we get a a healthy number of implementations like Beyond
3 to 4 we will probably just move on um uh meaning that you know
if if you want to be able to kind of prove that you pass a test
Suite uh doing it sooner than later would be good um you are not
expected to pass the entire test Suite nor is it viewed as a
negative thing if you don't pass the entire test Suite um because
right now all we're doing is we're testing to make sure that the
specifications are implementable we're not looking for like
maximum number of implementations um so just a reminder to
implementers um now is the time to start integrating with the
test Suites um Benjamin who's also on this call uh can help you
uh do that uh reach out through the VCW or the ccg if you want
any kind of support or help in doing that that's it.
Harrison_Tang: Thank you man.
Harrison_Tang: By the way Erica uh do you have new announcements
uh.
Erica Connell: Can you hear me now.
Harrison_Tang: Great we can hear you great.
Erica Connell: Awesome thanks Harrison hey I just wanted to uh
remind everybody that um rebooting the web of trust is going to
be convening in October the 7th through 11th in beautiful Ventura
California if you were at the Santa Barbara event um it it's uh
just right down the road from that actually and I'll put the link
um to gets are available on Eventbrite I'll put the link in the
chat and um that's it for now thank you.
Erica Connell: https://rwot13.eventbrite.com/
Harrison_Tang: Thanks a lot and Erica like if you can send a link
to me or directly to the public list that would be great too.
Erica Connell: Oh absolutely I'll do that thanks.
Harrison_Tang: Benjamin do you have anything else to add.
Benjamin Young: No I just wanted to highlight the uh link that I
shared in chat which I share again since it's probably scroll on
past.
Benjamin Young: Um to the.
Benjamin Young: Integration guide for the test Suites if folks
want to add.
Benjamin Young: Implementations uh these are the instructions
for doing that.
Benjamin Young: No is that shortly.
Benjamin Young:
https://github.com/w3c/vc-test-suite-implementations?tab=readme-ov-file#usage
Harrison_Tang: thank you.
Harrison_Tang: Thanks a lot.
Harrison_Tang: All right any other announcements or reminders.
Harrison_Tang: All right updates on the work items.
Manu Sporny: Um the verifiable credential barcodes work uh was
uh adopted last week thank you uh to the chairs um uh and we are
going to continue kind of pushing that forward uh just a heads up
to everyone that that that work item is on a kind of a fairly uh
what's the word accelerated schedule to be deployed into
production um uh there are some uh governments that are are not
going to want to wait for the standardization process to finish
before a version of it is pushed into production um but there but
they will it'll be versioned in a way that allows us to you know
upgrade later on when the whole thing goes through the
standardization process so uh just a heads up that that work item
is going to move a little faster than some of the other ones um
the other uh heads up is that um we got uh government of
Singapore's stuff into render method uh we are looking for
feedback.
Manu Sporny: Uh render method in general we are thinking that it
is possible to generalize render methods so that it works with uh
svgs and PDFs and um and other other things like that and so
there's a generalization discussion that's going on um there we'd
love to hear from other people that want to render credentials um
we will also be releasing examples of render method um.
Manu Sporny: Around uh in the next couple of weeks as well.
Manu Sporny: That's it.
Harrison_Tang: Thank you man.
Harrison_Tang: And uh we'll have a West actually uh talking about
the verifiable credential barcodes on August 6th and uh in
addition to that uh uh will has been uh contacting different work
item um leaders uh and owners uh in regards to uh providing
updates uh as well as uh scheduling them uh to uh you know hold a
special sessions on those work items so we're working on that
actively so uh stay tuned.
Harrison_Tang: All right uh any last uh.
Harrison_Tang: Work item uh discussions.
Harrison_Tang: Last calls for introductions announcements
reminders and work items.
Kaliya Young: Haven't been around much because I was on a
whirlwind tour to uh Europe um last week we had our second
digital identity unconference Europe and it went very very well.
Kaliya Young: Had 1 of the the counselor of Switzerland come and
open the conference.
Kaliya Young: They don't have a prime minister or a president
they have this Council and he's 1 of the people on that Council
so that was pretty cool.
<manu_sporny> Nice!
Kaliya Young: Um and I just wanted to remind folks that we have.
Kaliya Young: Did on conference Africa coming up in South Africa
september.
Kaliya Young: 7Th 25 to 27.
Kaliya Young: So if you have Partners or folks you know working.
Kaliya Young: In Africa.
Kaliya Young: Particularly the southern part of Africa and want
to let them know about the event please do that.
Kaliya Young: And then.
Kaliya Young: And um IBEW.
Kaliya Young: Number 39 is coming up in October and super super
early bird registration is open and I'll put links to both of
those in the chat.
Harrison_Tang: Great thanks Clea.
Harrison_Tang: Didn't know that about the Swiss government so
learn new things uh every day so great.
Kaliya Young: https://didunconf.africa/
Harrison_Tang: All right any last calls for introductions
announcements work items.
Kaliya Young: https://internetidentityworkshop.com/
Harrison_Tang: All right let's get to the main agenda I think uh
you know 2 3 weeks ago we had a we had a Greg here to talk about
BBS amazing discussion learn new things and uh today we have him
back to talk about Anonymous holder binding and Sudan so Greg uh
the floor is yours.
GregB: All right now I am.
GregB: Share this screen.
GregB: Okay but I'm doing it from a different browser okay.
GregB: You see anything.
GregB: Great can you still to see things.
Harrison_Tang: Yep looks good.
GregB: Going cross browser all right.
GregB: So we're going to talk about some Advanced features that
we've added to BBS so we're gonna kind of do an overview remind
folks again.
GregB: BBS we're going to go in a little reverse order because
when I was walking through figuring out how to tell this story it
seemed like pseudonyms were the things to start with and I was a
little shocked to discover that they are now specified for the EU
diw European Union digital identity wallet.
GregB: so I.
GregB: This stuff about cryptographers reviewing the ud ARF
which.
GregB: That came up and I was saying good okay so we're going to
talk about pseudonyms and then at the end we'll get to Anonymous
Soldier binding because that comes.
GregB: Comes with everything okay.
GregB: Have talked before yeah.
GregB: Been helping to co-edit these specs I do a lot of the
cryptographic test fixture generation for these specs um working
out I've got open-source software for almost all this stuff
somebody did recently asked me uh can I use some of this code and
I had forgotten to put a open source license thing in it if you
run across any of my code and it's missing an open source license
statement just tell me I've got a update those things.
GregB: And I'm working with the ietf on the BBS specs which we're
going to be talking about a little bit here.
GregB: We're concerned with tracking so there is a famous song
back in the 80s by a band called The Police Every Breath You Take
every move you make every Bond you break I'll be watching you.
GregB: And it was a very sweet song and it was mistaken for a
love song but it was really about a stalker so people were using
this as their wedding songs and things like that.
<harrison_tang> ;(
GregB: It was a very popular song so people went crazy with the
lyrics to not only Every Breath You Take but every move you make
every leaf you rake.
Manu Sporny: :Scream:
GregB: And so it really is about and if I was currently teaching
cyber security like I used to I would make my students go through
and say How could somebody get this information on you oh you
went to the Home Depot website and looked up a leaf blower oh
your ring doorbell uh camera caught uh you doing something at
blah blah blah so we're concerned with tracking.
GregB: And so when we've talked about tracking.
GregB: we talk.
GregB: Talk about the main players in verifiable credentials the
issuer the holder and the verifiers.
GregB: All right this thing is I'm seeing this thing right in the
middle of it okay.
GregB: So what if a verifier shares information about an
encounter with a holder.
GregB: They learn things.
GregB: They understand the holder's been visiting various sites.
GregB: Seems like they should especially if the holder fully
identifies themselves.
GregB: What about if the verifier.
GregB: Shares information about encounters withholding
presentation of credentials.
GregB: Okay from the holder to a verifier shares that information
back with the issuer it seems like obviously the issuer know all
the places the holders visiting.
GregB: Okay and we can go 1 step further say what if the
verifiers share that information about their encounter with a
holder to a third party that third party could get to know all
that information.
GregB: How do we stop that.
GregB: Or minimize that well.
GregB: First of all don't reveal your name okay and you can do
that with the selective disclosure mechanism okay minimize what
you reveal to the verifiers about yourself.
GregB: to make.
GregB: But there's a bit of a problem with verifiable credentials
and it's that.
GregB: General signatures the digital signatures we use are very
unique.
GregB: Okay and they can take the place of your name to become an
identifier used to track you so we need something called unlined
to make sure the security features that secure the credentials
don't become an identifier to track US okay.
GregB: BBS signature scheme applied to VCS can provide both these
things okay selective disclosures and these things known as
unlink proofs.
GregB: There was just a cryptographic review of these wallets the
European wallet standard and they actually say now that.
GregB: To obtain okay not allow providers of electronic attach
stations meeting some kind of credentials okay to obtain data
allows transactions or user Behavior to be tracked linked or
correlated okay unless explicitly authorized okay.
GregB: And they say this technical framework of the wallet shell
enable privacy preserving techniques which ensure unlike ability.
GregB: I did not make that error that was an errors that's unlink
but I copied it straight from the document so they have a
spelling error okay.
GregB: So we know we want this not always.
GregB: And even if we want anonymity.
GregB: How much anonymity do we want.
GregB: there is.
GregB: Another song from the 80s.
GregB: Is all well after my time don't you forget about me right.
GregB: Got these very Anonymous credential from BBs.
GregB: Your selectively disclosed a minimal amount of
information.
GregB: And you want to.
GregB: But you'd like the verifier.
GregB: To be able to.
GregB: Recognize you from a previous encounter.
GregB: But not be able to link your data with other verifiers.
GregB: So you'd like them to recognize you.
GregB: But not link you with other verifiers.
GregB: That sounds a little tricky okay.
GregB: Another variation of this would be led a verifier
associate you with a previous encounter.
GregB: Not link your data with other verifiers.
GregB: Issuer to know it's you okay oh why would you want that.
GregB: Um let's say we go back and do a pandemic.
GregB: We want to prevent people from hoarding you have to
prevent some kind of present some credit credential to say hey
I'm allowed to buy toilet paper and we're going to not let
individual stores tracker toilet paper use but we're going to see
that there's no hoarding going on by letting some issue or check
that.
GregB: So subtle right.
GregB: Remind you BBS signatures.
GregB: what do they.
GregB: It look like somebody comes up with a bunch of information
that BBS calls messages.
GregB: So this looks like a driver's license for a tree.
GregB: First name Sequoia Sentra and lives in the Redwoods uh
State Park in California where you can create a signature.
GregB: Okay this signature information.
GregB: Okay can act as an ID okay.
GregB: With BBs though.
GregB: We don't the holder doesn't present that signature it only
goes from the issuer to the holder they don't pass it along.
GregB: So he wants to go into a bar to get a very large drink of
water and the requirement is.
GregB: Got to live in California because we had sometimes have
droughts and he's got to prove his age.
GregB: So he's only going to select those 2 pieces of information
to reveal.
GregB: Generate proof at all.
GregB: It's always great when you do a demo.
GregB: Sorry I was not using the online demo.
GregB: Oh demos are always great.
GregB: I do have a demo of the thing we're doing but let me see
let me go back and get to the code.
<harrison_tang> demo is better than no demo
GregB: Too many links create signature.
GregB: Is above signature.
GregB: Select date of birth generate the proof.
GregB: Now as many times as I hit create signature.
GregB: That signature number which is the cryptographic signature
won't change.
GregB: This proof that's generated by the holder to present to
the verifier.
GregB: Every time I hit generate proof I get a unique proof.
GregB: For all purposes like a signature but it's not correlated.
GregB: So that's what we mean we get that anonymity unlink.
GregB: This is a property of BBS you don't get this with the
other signature algorithms.
GregB: You don't get this with eddsa or ecdsa.
GregB: Okay so that's we can do this.
GregB: Or at least we can get that anonymity.
GregB: Appropriate conditions okay but how can we make it so they
can remember us.
GregB: Okay well there's an idea known as a pseudonym right it's
a fictitious name that you use for a particular purpose right.
GregB: Writers like Samuel Clemens wrote as Mark Twain the
mathematician Charles Dodge and Dodge and or however you
pronounce it wrote novels under the name of Lis Carol Wright.
GregB: And when you visit websites you can do the same thing you
can use a different username for each website and you make sure
you use the different password for each website.
GregB: And if you had to.
GregB: Verify with an email address you could use a unique email
address that can be a little bit bothersome but there's some
places that make it very easy to come up with unique email
addresses that forward things to you so if I'm if I think a
website that I'm registering with is a bit dodgy and I don't want
them spamming me I'll go use uh email forwarder that comes up
with unique addresses for each website like Duck private
addresses.
GregB: So that's great that's pseudonyms that's 1 approach is
good for the web but how would you do that with a verifiable
credential.
GregB: Oh and look.
GregB: In this European digital wallet which I just learned
about.
GregB: I'd like you to be able to generate pseudonyms too.
GregB: We're making up a unique name for yourself for every place
sounds a little problematic okay.
GregB: How are we going to do this for VCS.
GregB: I guess we could ask the issuer.
GregB: The issue of EC to the holder under each pseudonym the
holder wants.
GregB: Problems the issuer would have to issue lots of near
duplicate credentials to the holder for each verifier that the
holder encounters.
GregB: Sure would know the holder pseudonyms and can track all
their encounters with verifiers.
GregB: We sit in 1 of our 2 use cases that like the uh the
hoarding prevention use case this might be allowable but.
GregB: In general no we don't want to be dragged okay or that's
not okay but let's start with this first 1 how could we prevent
this headache.
GregB: Okay of having to make an issuer issue lots of VCS under
each pseudonym we want and such okay.
GregB: Well we could do this with a cryptographic technique okay.
GregB: We could have the holder know a secret.
GregB: Find that with par verifier public data to produce.
GregB: Pseudonym okay it's not going to be nice and readable and
things like that but it would be very easy to use in the digital
wallet okay so how do we do this in general.
GregB: Have a hold or have a secret number we can call our
approver ID that's what we do in uh the BBS specs okay and you
want it essentially unique.
GregB: So a random number that's super secret.
GregB: The verifier we're going to let us have a public
essentially unique number call to verify our ID a vid a bid and a
vid okay.
GregB: The holder generates a certain Name by raising the vid to
the power of the pit.
GregB: and shares.
GregB: Okay so how does this help.
GregB: An issuer needs to only sign the VC with info about the
proofer ID.
GregB: Generate the pseudonym for any verifier that they that
publishes a verifier ID.
GregB: Let's keep track of this with appropriate parameters the
difficulty of the discrete logarithm problem this is 1 of those
mathematical things that drives.
GregB: Most of the cry uh most of the digital signature schemes
where you're using today ecdsa and eddsa are based on this thing
called the discrete logarithm problem in addition to um.
GregB: Uh key sharing algorithms like Diffie helmet okay and it
prevents any other verifiers discovering the pit from the
pseudonym and linking with other verifiers.
Dave Longley: Note: for anyone wondering how "vids" could
manifest at a higher level -- they could be derived from things
like Web origins or DIDs.
GregB: Don't freak out it's a little bit of math okay but.
GregB: It's not that hard to do.
GregB: Value would be a number and then BBS we call such numbers
as scalar.
GregB: The vid value the verifier ID would be an element of the
group G1 and BBs.
GregB: BBS has functions already to take an arbitrary number and
turn it into 1 of these scalars or to take an arbitrary number or
bite string and turn it into such an element okay a suited in the
value oh let's see how this works.
GregB: Okay so here's this is not yet this is actually running on
my machine I did.
GregB: Not get this demo out yet so I'm the holder.
GregB: I'm going to generate a random secret number that I'll
call my approver ID okay.
GregB: So here's my PID this number I'm showing in text just for
Simplicity it's are we use hex for large numbers when we do these
tests vectors because.
GregB: it's easy.
GregB: Whatever language people are writing their code in okay oh
but look the verifier ID I'm using looks just like a URL doesn't
have to be.
GregB: Should be unique something to verify or has that they're
going to make public okay from these 2 pieces of information I
can generate a pseudonym.
GregB: This is what it looks like it's a big long hexa decimal
value okay from this value.
GregB: Nobody can go with in current computing.
GregB: Uh terms can go from this value back and discover what my
original secret Brewer ideas.
GregB: And I can hence use this value as a pseudonym.
GregB: With that particular verifier so we can sometimes call
this a pseudonym or a pervert ID.
GregB: But it's got these nice properties okay.
GregB: Do we have enough to do something.
GregB: Make a protocol that gives us a pseudonym that's good for
being recognized and that can't be tracked across verifiers.
GregB: yeah we.
GregB: Let's see how this would work.
GregB: Issuer known pit flow so the issuer in this case we're
going to have them.
GregB: Come up with approver ID our secret value they're going to
share it with the holder okay in addition what they're actually
going to do is they we'll see in a sec they're going to sign it
as a message that they provide using BBS to the holder okay the
holder gets to verify our ID from the verifier somehow they know
it already it's published somewhere they compute the pseudonym.
GregB: Then they create their selective disclosure vidi vici and
send it with the pseudonym to the verifier the verifier sees the
pseudonym they can recognize oh it's the same entity.
GregB: coming back.
GregB: Back with this credential I've seen them before I can say
hello how are you.
GregB: Got whatever it is that you want it.
GregB: Or whatever we continue that relations okay.
GregB: Once again this does not prevent tracking by the issuer so
this would be good for the case of issuer assigns this number and
if needed could with verifier help track purchases or whatever
the holder is doing okay we're going to get to the harder case in
a second okay so the issuer duties they generate the bid they
create a BBS signature the VC adding the PID value.
GregB: At the end.
GregB: Right create the signature.
GregB: Use above signature.
GregB: What we don't do is we'd never revealed the pit oh.
GregB: Oh but this but they have to know the bid and they're told
the bid and when they get their signature.
GregB: Never revealed the pit so the other the verifier never
learns it but they have to prove it.
GregB: Okay send VC with bass proof bid to holder what is the
holder do holder verifies.
GregB: Obtain the verifiers pit value uh vide value the verifier
ID computes the pseudonym based on those 2.
GregB: Permanent is the minimal amount of information to disclose
to the verifier and especially not their approver ID.
GregB: The VC with the derived proof okay that's our term in the
BBS VC BBS spec we have the base proof which is the original
signature which is unique derived proofs have that BBS proof
where I said every time you hit the button to regenerate it its
unique and can't be correlated.
GregB: Send that derived proof and hands and the pseudonym to the
verifier.
GregB: Now what we do.
GregB: and this is.
GregB: In the BBS pseudonym draft is we actually extend the proof
to make sure.
GregB: That pseudonym value calculated and everything like that
is legit and based on the proof of it okay.
GregB: We'll see a little bit about how those kind of things work
coming up.
Harrison_Tang: Hey Craig do you mind taking a clarification
questions.
Harrison_Tang: Yes so so far what you described the solution does
not solve the issuer tracking uh when they collude with verifiers
and tracking the uh tracking cases what it solves is when
verifiers collude with other verifies verifiers and and and.
Harrison_Tang: it solves.
Harrison_Tang: Right like I just want to clarify okay.
GregB: Yes exactly okay because we're going to need something
more for that next case okay.
Harrison_Tang: So so in the earlier presentation you represented
3 types of tracking 1 is the verifier colluding with other
verifiers 1 is the issuer's colluding with uh verifiers and the
third the third 1 is the third party so the solutions so far
solves the verifier collusion problem does it solve the third
party problem or not not.
GregB: Yeah unless yeah unless they are working with the issuer
they don't know the pit the that proved her ID value so yeah you
know.
GregB: Good there okay and that's why when we write some of these
specs and I've gotten on some of the the cryptography people's
specs cases like you got to be really clear about what
information is known to who otherwise they can't figure out what
the attack scenario is and what you're protecting and you got to
tell me what is protected and what's not so under the assumption
that the issuer does not reveal the pit to anybody we're
protected from that third-party tracking.
Harrison_Tang: Got it thank you.
GregB: So we didn't solve the problem of.
GregB: Issuer being able to track us we need something more from
that okay so how can we prevent the okay so this is the question
how can we prevent the issuer from knowing the pit in the first
place and be able to track all their encounters okay and even
even more so what if we wanted to come back to uh a verifier.
GregB: With credentials from somebody else and say hey this is
me.
GregB: Use that same PID.
GregB: With a different issuer without revealing it.
GregB: So what we want to do is we want to have the holder.
GregB: Generate the PID this prover ID value and keep it secret
but how could this work if it's kept secrets.
GregB: Let Me Go full screen.
GregB: The prover ID to be kept secret by the holder.
GregB: What good is the secret and the amazing part of BBS and
zero knowledge proofs start to kick in okay.
GregB: BBS is based on zero knowledge proofs that's how we get
that on linkability and it already uses this stuff inside but
let's understand it.
GregB: Apply to prove her ID uh this whole pseudonym thing the
first thing we need to know is something called a commitment
scheme.
GregB: So a way that you can commit to a number.
GregB: Keep it hidden from others.
GregB: With the ability to reveal it later but not change it.
GregB: It's that classic beginning of a magic trick where it's
like think of a number write it down on a piece of paper fold it
up but don't show it to me.
GregB: After they get it they do their magic trick they're going
to say ah look I know your number.
GregB: or what.
GregB: There was a card or whatever somehow they figured out what
your number was okay.
GregB: But it okay so it's like writing something down to be
revealed later so commitment scheme has the following properties.
GregB: A commitment is generated.
GregB: You can only open it to that original message okay you
can't change the message or your secret number your secret
message whatever it was okay after the commitment has been made.
GregB: Other thing we want out of a commitment scheme
particularly.
GregB: Uh for what we're working with here is we also want
something called hiding.
GregB: Okay the commitment string should not reveal information
about the committed message.
GregB: For example what if it's a very simple message like I
flipped a coin heads or tails you call it right and you're going
to do this interact you know it's like.
GregB: Wait there's only 2 messages you know maybe I can just
reverse engineer things okay well let's take a look at a typical
commitment scheme.
GregB: We've got a message m.
GregB: We choose a number number another number separate from the
message that we're High we're committing to randomly we commute
compute a commitment this is just 1 example of by taking the
hash.
GregB: Of our number or message.
GregB: Concatenated combined just glued together with that random
value.
GregB: The person we're committing to you know this is like
riding that na number and on a piece of paper putting it in an
envelope sealing it up sending it off to them we send them both
the value computed and that random number.
GregB: On revealing it.
GregB: Okay we revealed the message we can prove then that we
haven't changed things by having them recomp compute this.
GregB: Okay so that's 1 example of a commitment scheme.
GregB: Another more another famous commitment scheme is something
called a Patterson commitment.
GregB: Oh we've got this group Theory stuff so we have these 2
numbers 2 separate numbers X is the number that we want to our
message okay and this is more like how BBs Works inside.
GregB: Message ours are random number known as the blinding
factor and we compute the commitments.
GregB: Oh it's got that these are those discrete log things to
solve this is not easy it looks easy to write down.
GregB: and we.
GregB: Can compute exponentials easily but to try and reverse
this is hard.
GregB: Uh how does this help.
GregB: If we reveal the pit.
GregB: We can be tracked still.
GregB: So we don't ever want to go that full step of doing the
reveal.
GregB: So what we're going to do.
GregB: Is provide a proof that we know this value.
GregB: And require the proof doesn't reveal any information
about.
GregB: This is what we mean by a zero knowledge proof.
GregB: And these get quite quite complicated okay you've heard
maybe a thing is called ZK snarks or such like that you've heard
of things that huge computations.
GregB: that's not.
GregB: Not the case.
GregB: With BBs or what we're doing here it's a zero knowledge
proof but it's 1 of the first cases of zero knowledge proofs BBS
is remember go back 20 years.
GregB: And uses some techniques so what kind of concepts are we
going to have here so we're never going to reveal the pit we're
going to prove we know the pit.
GregB: Without revealing it so what do we need here first of all
we're going to have this proof thing this protocol we got to make
sure by the time we're done with this protocol.
GregB: That it actually works you know.
GregB: Okay so if we accept things.
GregB: You know it's true.
GregB: We want to make sure.
GregB: There's a thing called special sound is that basically
says.
GregB: They must know that number to be able to complete this
proof of this protocol.
GregB: Okay so first if we go through all the steps.
GregB: It better be right okay we're we're told hey you really
know that number okay we get a an accepting conversation.
GregB: Again you have to know that secret number okay the prover
needs to really know the number to finish that proof call.
GregB: Okay then the final piece is.
GregB: Okay meaning in an honest verifier I mean they're not
using active attacks and things like that it doesn't learn
anything about that unknown information from the proof protocol.
GregB: Some of these things are very easy to prove okay.
GregB: Others take more effort so how do they I said I'm going to
make this commitment thing.
GregB: Okay this Patterson commitment okay this is going to be my
pit value this is my blinding Factor okay I want to prove that I
know the 2 values.
GregB: Okay so I'm Computing this information.
GregB: The prover and to verify are both going to know g&h the
only the prover knows Alpha and beta.
GregB: Okay Alpha is going to be our pit beta is going to be our
hiding Factor okay prover gives you to the verifier.
GregB: And they want to prove they know those things that they
know the other 2 values.
GregB: So stolen straight from Bonet.
GregB: The B and bbs's book uh free graduate course book on
applied cryptography how these proofs work.
GregB: Is we got P for the approver V for the verifier we pick a
couple random numbers.
GregB: Okay we compute something kind of a test value okay we
send that over.
<wendy_seltzer> (Boneh, for the transcript)
GregB: The verifier computes a random challenge value sends it
back to us.
GregB: Craig what's the point of all this.
GregB: Then at the end they test things.
GregB: well let's.
GregB: Look a little bit Alpha and beta the things that the
prover keeping hidden.
GregB: The challenge value comes from the verifier and mixes in
with those 2 values.
GregB: That's dangerous oh but these Alpha T and beta T kind of
help blind those values so they can't learn it okay kind of makes
sense and then we're going to check at the end.
GregB: The verifier is going to look at these 2 values raised to
powers and see does that correspond to.
GregB: That test value times the other stuff raised to that power
of the challenge okay lots of math don't freak Do Not freak okay
written out long form okay.
GregB: The simplest part of this thing is proving correctness
meaning that if you go through this procedure and the condition
is satisfied that this thing on the left equals this thing on the
right then you should accept it it's an accepting conversation
and that just.
GregB: Follows from doing some stuff with exponentials okay.
GregB: the other.
GregB: 2 things are proven in the textbook okay Greg what does
this mean.
GregB: And how are we going to use it.
GregB: Did 1 more piece.
GregB: so we're.
GregB: Going to be able to generate a proof that we actually know
those values.
GregB: Know our now we need somebody to sign it for us.
GregB: There's something known as a blind signature in
cryptography is a form of digital signature in which the content
of the message is disguised how are you going to disguise it yeah
with that person commitment thing before it's signed the
resulting blind signature can be publicly verified against the
original unblinded messages.
GregB: Blind signatures are typically employed in privacy related
protocols where the sir and message authors are different
parties.
GregB: Examples include cryptographic election systems and
digital cash schemes.
GregB: Yes maybe if they ever come but we're leading the charge
here.
GregB: We have this used need and use and credentials okay.
GregB: BBS already uses all those proof techniques I was telling
you about okay and a lot more complicated elaborate ones.
GregB: The proof that BBS generates from the holder that gets
sent to the verifier.
GregB: The BBS signature scheme can be easily extended to support
blind signature functionality okay and a blind signature setting
the the prover will request signature on a list of messages
without revealing those messages.
GregB: to the.
GregB: However they will be proving to the Ser that they know
what's in those messages they know their secret value okay.
GregB: So we have an API for blind BBS signatures that looks just
like BBS signatures okay except here's the secret key the public
key header all this stuff the messages.
GregB: Okay but it allows us.
GregB: To furnish a commitment.
GregB: That Patterson commitment thing I told you about.
GregB: But we have to furnish it along with the proof.
GregB: They will check okay so let's see how this works a little
bit.
GregB: So let's go to the holder.
GregB: Okay we got the issuer we got the holder.
GregB: The holder has a secret number.
GregB: To do that computation like I said and generate a
commitment with proof.
GregB: In all this stuff.
GregB: 2 of those random numbers uh the scalar plus the
computation of the commitment blah blah blah stuff okay.
GregB: We can validate that commitment with proof.
GregB: They don't learn the holder secret approver blind okay
they don't learn the pit value but they are going to check that
the prover is actually proven they know this.
GregB: So we can validate the commitment once again you change 1
number.
GregB: And things won't validate this is all cryptographically
rigorous material okay.
GregB: And it's about 20 years old okay this was what shook up
things it was this is as a practical version of zero knowledge
proofs okay early on.
GregB: So what are we going to do.
GregB: The holder's got to generate the pit.
GregB: So the holder generated the bid.
GregB: We got the commitment used previous commitment double
check it's valid.
GregB: It goes over to the issuer ah but now.
GregB: In addition to all the messages that were they're going to
sign they're going to sign.
GregB: Over this thing that that came from the holder okay.
GregB: A commitment to the bid.
GregB: it's not.
GregB: Not the pit itself it's not the prover secret number and
it's got a proof.
GregB: The issuer can check to make sure that the holder is not
lying about knowing that number okay.
GregB: We can create this blind signature.
GregB: We get the signature bundle all this useful information
okay.
GregB: So hold your generates their secret value.
GregB: They don't share the secret value with anyone.
GregB: Commitment to that secret value along with the proof that
they actually know it.
GregB: Not enough to send just the commitment because they never
want to reveal that stuff they send it with the proof.
GregB: Issuer is going to do a blind signature.
GregB: On that commitment thing.
GregB: All the good.
GregB: Information there verifying right my trees driver's
license here.
GregB: We got to send that back I forgot to check we're almost
out of time ah sorry.
GregB: We send that back.
GregB: Do the holder what's the holder do well they've got a
pseudonym.
GregB: To go do proof generation.
GregB: I live in the state park uh my date of birth.
GregB: Generate the proof.
GregB: Here's my proof bundle it's got all sorts of useful stuff
in it okay.
GregB: Out over to the verifier.
GregB: Gets the pseudonym here was the verifiers ID they need
that they can do the calculation and verify the proof.
GregB: So using zero knowledge proofs in a very practical way.
GregB: A way that's already used and we can achieve pseudonyms.
GregB: Are on trackable by either by collusion between verifiers
and verifiers issuers.
GregB: Since we learned how to do.
GregB: When somebody issues you a credential.
GregB: Got a signature in it anybody who receives that credential
could potentially go and use that credential then.
GregB: It's not strongly bound to.
GregB: Okay anybody who knows the signature in BBs.
GregB: Generate these BBS proofs however.
GregB: If we want to lock down a virtual of VC okay.
GregB: Using blind signatures approver cam commit to a secret
message before issuance okay so this is like smaller than the
Sudan case the holder generates a secret commits to the secret
blind BBS signs on the commitment plus the other messages.
GregB: Ah we generate a BBS proof with the secret we never reveal
the secret but nobody besides the holder who knows that secret
okay.
GregB: Generate the proof this is what we mean by Anonymous
holder binding it's bound the VC is bound to the holder but it's
only the holder secret that nobody else knows and it can't be
correlated against them.
GregB: Okay I know that's a lot and we've run out of time summary
and final words.
GregB: Completely unlined once again.
GregB: If you sit there and tell them in your selectively
disclosed information your name address and your telephone number
it's not on linkable anymore okay.
GregB: Able pseudonyms okay that can be tracked by the issuer if
required.
GregB: Cryptographically strong but um linkable binding of VCS to
anonymous.
GregB: The holder okay.
GregB: Is cryptographic techniques are well established and
contained in the BBS literature okay.
GregB: All these techniques are currently used in BBS so what are
we doing.
GregB: we have.
GregB: To finalize the apis because partially what was driving
needed to drive the apis was what what did we want from the app
requirements.
GregB: the init.
GregB: Verifier ID suited in draft didn't have the hidden case.
GregB: Oh but we can do that okay so that's where we are here.
GregB: Go to cryptography but nailing down the apis and producing
test vectors and things like that.
GregB: Questions sorry to run so late.
Harrison_Tang: No great presentation amazing um.
Harrison_Tang: I know.
Harrison_Tang: Some people might want to drop off but we can take
like 1 or 2 last questions.
Harrison_Tang: Anyone have questions.
<brandi_delancey> great presentation! thanks greg!!
Manu Sporny: Right I I guess this 1 is about the.
Dave Longley: +1 Great presentation!
<harrison_tang> yeah, amazing presentation!
Manu Sporny: Recently and you linked to this on the mailing list
Greg um 16 world renowned cryptographers really well known
cryptographers in the in the European Union uh came out and said
that the type of cryptography that's being used for the European
digital identity wallets is is not not good enough right they're
basically saying SD jot has some serious flaws when it comes to
unlink specifically and that they're suggesting they used to BBS
did they make any recommendations around any of these optional
Technologies or was it like a more General.
Manu Sporny: You should be using BBS without saying you know
Anonymous holder binding or any of that other.
GregB: Oh no they they they they're well aware of the anonymous
Soldier binding and they thought that was.
GregB: Important and pseudonyms they did not specifically mention
the 2 flavors of pseudonyms they said BBS should be used for
pseudonyms but not even the the European Union digital wallet got
into quite understood the subtlety of the 2 different cases where
you know sometimes we do want the issuer to be able to track
things for good reason you know Controlled Substances use
tracking um.
GregB: So yes those cryptographers are were aware of the blind
signatures and their use and this nice feature of this Anonymous
holder binding which helps lock a credential down to somebody
better.
Harrison_Tang: 1 more question from the audience.
Patrick St-Louis: Yeah sure might as well throw a little
question so uh 1 technology I've been working with for quite some
time is the announcements signature which has similar features
you know like on linkability holder binding and so on um maybe my
question would uh do you have like a concrete bullet point of
things that are quite different uh between these 2 models like
what.
<dave_longley> "holder binding" means "binding to a secret only
the holder knows (and is expected to keep secret)"
Patrick St-Louis: There's a lot of improvements to be made so
what like in a simple concrete way what would these improvements
be and my second question is how uh the work for the he did
document I'm sorry I came a bit late maybe I missed it but was
does the issue or publishes publicly versus what does the holder
kind of present to the verifier.
<dave_longley> (for clarity -- as this terminology has been
confusing sometimes)
GregB: Short answer is that EBS are signatures in its
capabilities its kind of looked at as a a more modern version
than CL signatures that's why the a non-red or look folks are
looking at 2.0 to use BBS and that was mentioned in the uh that
cryptographic review so.
GregB: Both good uh there's also something called PS signatures
that don't for um um.
GregB: Select a disclosure but they offer uh unlink so there's
some good stuff out there now um.
GregB: Case of pseudonyms.
GregB: There was the issuer known prover ID case that in that
case the issuer should not.
GregB: Publish that proved her ID value they should keep that
secret otherwise all the verifiers can correlate and know what
the holder is doing that should only be shared between the issuer
and the holder.
Patrick St-Louis: But is there anything that the issuer needs to
publish.
GregB: In public uh know the thing that needs to be publicly done
is a verifier needs some unique public information to form the
verifier ID.
GregB: That's the thing that needs to be published and that and
that's why I cited used the URL like you need to my little domain
that I own as that information okay and BBS has nice things to
Hash a value like that into a curved point so we can make all the
math work.
GregB: Can start with something.
GregB: like that.
GregB: Um and turned it into a number that we can use so yes the
so we're getting a perverse pseudonym or perverse ID and it's
composed of 2 pieces a hidden piece from the that the holder
knows and a public piece that's unique to the verifier.
<dave_longley> technically, a Web origin, a DID, any
identifier/string could be turned into a Verifier ID (vid)
GregB: And as you and as you can see it'd be nice to have some
protocols to go around this and procedures but that's out of
scope right now so we're baking things into the VCS to be able to
do all this.
Patrick St-Louis: Interesting thank you.
GregB: For for some of that deeper stuff I recommend the
cryptographic that recent cryptographers review because it is
discrete log based its elliptic curve it's got the same issues as
eddsa and ecdsa right.
GregB: There are there is work on post-quantum Style.
GregB: Signatures that are privacy preserving just in the same uh
vein uh 1 of the authors of a privacy preserving um.
GregB: Sanders PS signatures actually has been working with a
group of folks on a post-quantum lattice based uh privacy
preserving signature in the same vein so people know that they
want these features um now as far as Hardware support.
GregB: A lot of the stuff came from um some initial attestation
Anonymous attestation work for TPMS um and so.
GregB: That was mentioned in that cryptographic review uh of the
digital wallet and so.
GregB: I am not actually sure on that I do know that.
GregB: You just saw.
GregB: Best running in a web browser uh I have run it on a cheap
in a web browser on a cheap.
GregB: Uh cell phone that I use for wind serving that's
waterproof but low $160 cell phone and that's running in
JavaScript not even C or rust so these things are definitely
implementable and can run um.
GregB: Exact nature of the hardware support and TPM I don't know.
Harrison_Tang: Alright well thanks Greg we're 10 minutes over
time but no no actually I do want to probably work with you to
schedule a follow-up session in september or October I personally
have a lot of follow up a lot of questions about this as well
this is very very presentation very very.
GregB: The more the more questions the more I can hone it you
know because sometimes I start these things with uh it's a
tutorial to myself to remind me how this stuff works.
Markus Sabadello: :Clap:
Harrison_Tang: Oh no I I I love it like I I think demos uh is way
better than slides in regards to teaching us how how these things
work so this is this is amazing thanks Greg thanks a lot.
GregB: Okay thanks a bunch guys.
Harrison_Tang: All right so I think this concludes uh this week's
uh ccg meeting I'll work with Greg uh to figure out uh how do we
schedule a follow-up session so if people have any more questions
in regards to these interesting topics we can continue the
conversation.
Harrison_Tang: Thanks a lot.

Received on Wednesday, 26 June 2024 18:28:56 UTC