RE: [EXT] ETSI TR 119 476 on selective disclosure

Hi Brent,

Thanks for your feedback. Looping in Peter Altmann as well, who is a member of the EUDI Wallet toolbox expert group and the co-author of the ETSI TR 119 476 on selective disclosure.

First, let’s run through the legal definitions in the eIDAS2 proposed regulation and the ARF.

The proposed eIDAS2 regulation<https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52021PC0281> defines the term selective disclosure as follows in recital 29:

"The European Digital Identity Wallet should technically enable the selective disclosure of attributes to relying parties. This feature should become a basic design feature thereby reinforcing convenience and personal data protection including minimization of processing of personal data."

The ARF v1.1.0<https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/releases/tag/v1.1.0> also defines the term selective disclosure as follows in section 2:

"The capability of the EUDI Wallet that enables the User to present a subset of attributes provided by the PID and/or (Q)EAAs."

Furthermore, in the ARF outline<https://ec.europa.eu/transparency/expert-groups-register/core/api/front/document/73759/download> the term unlinkability is introduced as follows in section 5:

"The Wallet shall ensure an appropriate level of privacy, implementing policies about non-traceability and unlinkability of user's activities for third parties as appropriate considering:
• the applicable legal context for identity providers and attestation providers;
• the need to retain evidence for dispute resolution purpose;
• the right for the user to be informed of the use of their EUDI Wallet."

Those defintions are not very exhaustive, so ETSI TR 119 476<https://www.etsi.org/deliver/etsi_tr/119400_119499/119476/01.01.01_60/tr_119476v010101p.pdf> has the scope to further clarify the terms of selective disclosure, where unlinkability is described as follows in section 3.1:

“unlinkability: lack of information required to connect the user's selectively disclosed attributes beyond what is
disclosed

EXAMPLE 1: Assume that a user's EUDI Wallet includes a (Q)EAA with the attributes first name and last name. The user can disclose its first name to one relying party, and its last name to another relying party. The relying parties cannot exchange any information that allows them to link the user's first name disclosure to the last name disclosure.

EXAMPLE 2: The same principle applies if the user discloses its first name to a relying party and later discloses its last name to the same relying party and the single relying party cannot link the user's first name disclosure to its last name disclosure.

EXAMPLE 3: The same principle applies if the issuer colludes with the verifier without being able to link the user's first name disclosure to its last name disclosure.”

Furthermore, the PID of the EUDI Wallet will rely on ISO mDL MSO and SD-JWT for selective disclosure; both formats are based on salted hashes of attributes for selective disclosure.

ISO 18013-5 (ISO mDL) specifies methods for unlinkability in appendix “E.8 Anonymity and unlinkability”. For example, it contains the following description on random numbers (salts) for the hashed data elements:

“mDLs may store a set of mDL authentication keys (together with a set of random numbers for all data elements and an MSO for each key) and choose an unused or random key for each transaction, or rotate keys for each transaction.”

The SD-JWT draft specification<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-04.html#section-9.4> has the following description on unlinkability:

“9.4. Unlinkability

Colluding Issuer/Verifier or Verifier/Verifier pairs could link issuance/presentation or two presentation sessions to the same user on the basis of unique values encoded in the SD-JWT (Issuer signature, salts, digests, etc.).

To prevent these types of linkability, various methods, including but not limited to the following ones can be used:


  *   Use advanced cryptographic schemes, outside the scope of this specification.
  *   Issue a batch of SD-JWTs to the Holder to enable the Holder to use a unique SD-JWT per Verifier. This only helps with Verifier/Verifier unlinkability.”

It is also worthwhile pointing out that we have divided selective disclosure schemes in the following categories: Atomic attribute credentials, Hashes of salted attributes (such as ISO mDL MSO and SD-JWT), Multi-message signature schemes (such as BBS and CL-signatures), and Proofs for arithmetic circuits (such as zkSNARK, zkSTARK and Bulletproofs). The Multi-message signature schemes and Proofs for arithmetic circuits have been designed with unlinkability as an integral feature, and are therefore superior in that regard, while Hashes of salted attributes require implementation specific methods to cater for unlinkability (as mentioned above). This is also highlighted in Annex A.1 in the ETSI TR 119 476, where unlinkability of SD-JWT and ISO mDL MSO are denoted as conditional.

Hopefully, this clarifies the principles of unlinkability as described in ETSI TR 119 476.

Peter, do you have anything to add?

Kind regards,
Sebastian

From: Brent Zundel <Brent.Zundel@gendigital.com>
Sent: Tuesday, 29 August 2023 21:50
To: Sebastian Elfors <sebastian.elfors@idnow.de>; public-vc-wg@w3.org
Subject: RE: [EXT] ETSI TR 119 476 on selective disclosure


CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
Thank you for the work that went into producing this report.
I am still making my way through it, but I came across something that made me pause.

I have concerns about the use of the term ‘unlinkability’ as I’ve seen it used in the document.
The use seems to be different than the common use in cryptographic literature. [1]

The following assertion is made in the conclusion section:
“The conclusion is thus that ISO mDL and SD-JWT meet the eIDAS2 regulatory and technical requirements on selective disclosure, unlinkability and cryptographic algorithms.”

Unless the term ‘unlinkability’ has been redefined, selective disclosure schemes that make use of salted hashes along with regular digital signatures are not unlinkable. It does not matter how the hashes are salted. Any digital signature that requires unblinded sharing of the signature value is inherently linkable.

Therefore, claiming that ISO mDL and SD-JWT are in any way unlinkable is not accurate.

Does eIDAS2 have regulatory and technical requirements for unlinkability? I was unable to find the pertinent section of the proposed regulation.

[1] Unlinkability | SpringerLink<https://link.springer.com/referenceworkentry/10.1007/0-387-23483-7_448>

From: Sebastian Elfors <sebastian.elfors@idnow.de<mailto:sebastian.elfors@idnow.de>>
Sent: Monday, August 28, 2023 5:48 AM
To: public-vc-wg@w3.org<mailto:public-vc-wg@w3.org>
Subject: [EXT] ETSI TR 119 476 on selective disclosure

All,

ETSI has now published the technical report TR 119 476 on selective disclosure<https://www.etsi.org/deliver/etsi_tr/119400_119499/119476/01.01.01_60/tr_119476v010101p.pdf>, which has been authored by me together with Peter Altmann (Swedish Agency for Digital Government). It provides a comprehensive overview of methods for selective disclosure in general, and an analysis of how these methods can be applied for the EUDI Wallet in particular. This could potentially be of interest to W3C VC WG and the related work on standards for ZKP and selective disclosure. Please let us know if you have any feedback or want to discuss this report at a meeting.

Kind regards,
Sebastian Elfors
Senior Architect

T             +49 (0)174 17 22 150
E             sebastian.elfors@idnow.io<mailto:sebastian.elfors@idnow.de>

IDnow.io<https://www.idnow.io/?utm_source=signature&utm_medium=email&utm_campaign=signature>  |  LinkedIn<https://www.linkedin.com/company/idnow?utm_source=signature&utm_medium=email&utm_campaign=signature>   | Instagram<https://www.instagram.com/idnow_careers>

IDnow GmbH Auenstraße 100, 80469 Munich
Registration Court: Amtsgericht München HRB 210463  VAT Reg.No. DE294490635
Managing Directors: Andreas Bodczek, Joseph Lichtenberger, Armin Bauer, Guillaume Despagne

[A picture containing monitor, large  Description automatically generated]