- From: Oliver Terbu <oliver.terbu@spruceid.com>
- Date: Sun, 13 Aug 2023 06:28:48 +0200
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: Christopher Allen <christophera@lifewithalacrity.com>, Samuel Smith <sam@prosapien.com>, W3C Verifiable Credentials Working Group <public-vc-wg@w3.org>
- Message-ID: <CAP7TzjAYoJJ01Wkijns5jTnoiKEiwNWv9BctHEN5AHNP9vTiUw@mail.gmail.com>
Re SD-JWT On Sat 12. Aug 2023 at 18:16, Manu Sporny <msporny@digitalbazaar.com> wrote: > On Sat, Jul 29, 2023 at 4:42 PM Samuel Smith <sam@prosapien.com> wrote: > > The way it works in ACDC is that the list of selectively disclosed > attributes are part of an aggregated Hash, that is the hash of a list of > blinded hashes. The only thing that is signed is the hash of the list of > blinded hashes. Each blinded hash is of a field map using the SAID protocol > to generate the self referential hash. But the structure of the field map > itself is not leaked. So the length of the list and the structure of > individual elements of the list is not disclosed or signed only the blinded > aggregate. So no information is leaked at this point. > > Yes, that sounds correct to me (that nothing is leaked at this point). > > > The spec also allows an alternative form in which the aggregate is the > merkle tree root of the merkle tree of the blinded hashes. Once again the > structure of the data inside each blinded hash is not disclosed nor is the > size of the merkle tree exposed at this stage. The signature is on the > aggregate hash. This is not the same as the w3c mechanism but it would be > unfair to say that this approach is leaking information. > > Right, and I didn't mean to suggest that information was leaked -- I > don't know ACDC at enough depth to understand where the information > leakage boundaries are. I know that SD-JWT (at least, in one of it's > iterations, things might have changed since then) leaks information on > list sizes based on it's design... that was the format I was alluding > to when I mentioned that some selective disclosure formats leak > information in ways that ecdsa-sd does not. In SD-JWT, one can have decoy hashes to change that behavior. > > ACDCs also have a different selective disclosure mechanism which are > labeled nested blinded hashes of field maps. The aggregate(s) at any level > may have a label. The label itself may leak information about what has been > hashed but the structure of what has been hashed is not disclosed or > leaked. This I believe is closer to Gordian elision, > > The two mechanisms (unlabeled aggregate of list of blinded hashes or > labeled aggregate of nested blinded hashes of field maps can be combined > depending on the use case. > > What does ACDC do when selectively disclosing an item in a list? Is > the size of the list disclosed, or is that kept secret in some way? > > I ask because I'm curious to hear if collections of information > associated with a property are treated as ordered sets or unordered > sets? We know that the information leakage problem is fairly easy to > solve when you're dealing w/ unordered sets (which is typical in VCs > using JSON-LD)... but becomes much harder if your data structure > treats all lists as ordered (which is typical when using JSON arrays). > > Christopher, same question wrt. Gordian Envelopes -- how did you > approach the information leakage issue when disclosing a single item > out of an ordered set / list / array? > > -- manu > > -- > Manu Sporny - https://www.linkedin.com/in/manusporny/ > Founder/CEO - Digital Bazaar, Inc. > https://www.digitalbazaar.com/ > > -- *Oliver Terbu* Director Identity Standards, Spruce ID <https://spruceid.com/credible>
Received on Sunday, 13 August 2023 04:29:05 UTC