Re: Demonstration of Support for NIST-Compliant Selective Disclosure for Data Integrity Cryptosuites in VCWG

On Sat, Jul 29, 2023 at 4:42 PM Samuel Smith <sam@prosapien.com> wrote:
> The way it works in ACDC is that the list of selectively disclosed attributes are part of an aggregated Hash, that is the hash of a list of blinded hashes. The only thing that is signed is the hash of the list of blinded hashes. Each blinded hash is of a field map using the SAID protocol to generate the self referential hash. But the structure of the field map itself is not leaked. So the length of the list and the structure of individual elements of the list is not disclosed or signed only the blinded aggregate.  So no information is leaked at this point.

Yes, that sounds correct to me (that nothing is leaked at this point).

> The spec also allows an alternative form in which the aggregate is the merkle tree root of the merkle tree of the blinded hashes. Once again the structure of the data inside each blinded hash is not disclosed nor is the size of the merkle tree exposed at this stage. The signature is on the aggregate hash. This is not the same as the w3c mechanism but it would be unfair to say that this approach is leaking information.

Right, and I didn't mean to suggest that information was leaked -- I
don't know ACDC at enough depth to understand where the information
leakage boundaries are. I know that SD-JWT (at least, in one of it's
iterations, things might have changed since then) leaks information on
list sizes based on it's design... that was the format I was alluding
to when I mentioned that some selective disclosure formats leak
information in ways that ecdsa-sd does not.

> ACDCs also have a different selective disclosure mechanism which are labeled nested blinded hashes of field maps. The aggregate(s) at any level may have a label. The label itself may leak information about what has been hashed but the structure of what has been hashed is not disclosed or leaked. This I believe is closer to Gordian elision,
> The two mechanisms (unlabeled aggregate of list of blinded hashes or labeled aggregate of nested blinded hashes of field maps can be combined depending on the use case.

What does ACDC do when selectively disclosing an item in a list? Is
the size of the list disclosed, or is that kept secret in some way?

I ask because I'm curious to hear if collections of information
associated with a property are treated as ordered sets or unordered
sets? We know that the information leakage problem is fairly easy to
solve when you're dealing w/ unordered sets (which is typical in VCs
using JSON-LD)... but becomes much harder if your data structure
treats all lists as ordered (which is typical when using JSON arrays).

Christopher, same question wrt. Gordian Envelopes -- how did you
approach the information leakage issue when disclosing a single item
out of an ordered set / list / array?

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
https://www.digitalbazaar.com/

Received on Saturday, 12 August 2023 16:15:16 UTC