Re: [EXT] ETSI TR 119 476 on selective disclosure

I'm guessing the document means unlinkability is achieved when combined
with batch issuance and single use credentials?

This comes at a higher implementation and maintenance cost for holders and
issuers... but the trade-off is still possibly better than using unproven /
non-standard cryptography.

OS

On Wed, Aug 30, 2023 at 4:54 AM Sebastian Elfors <sebastian.elfors@idnow.de>
wrote:

> Hi Brent,
>
>
>
> Thanks for your feedback. Looping in Peter Altmann as well, who is a
> member of the EUDI Wallet toolbox expert group and the co-author of the
> ETSI TR 119 476 on selective disclosure.
>
>
>
> First, let’s run through the legal definitions in the eIDAS2 proposed
> regulation and the ARF.
>
>
>
> The proposed eIDAS2 regulation
> <https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52021PC0281>
> defines the term selective disclosure as follows in recital 29:
>
>
>
> *"The European Digital Identity Wallet should technically enable the
> selective disclosure of attributes to relying parties. This feature should
> become a basic design feature thereby reinforcing convenience and personal
> data protection including minimization of processing of personal data."*
>
>
>
> The ARF v1.1.0
> <https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/releases/tag/v1.1.0>
> also defines the term selective disclosure as follows in section 2:
>
>
>
> *"The capability of the EUDI Wallet that enables the User to present a
> subset of attributes provided by the PID and/or (Q)EAAs."*
>
>
>
> Furthermore, in the ARF outline
> <https://ec.europa.eu/transparency/expert-groups-register/core/api/front/document/73759/download>
> the term unlinkability is introduced as follows in section 5:
>
>
>
> *"The Wallet shall ensure an appropriate level of privacy, implementing
> policies about non-traceability and unlinkability of user's activities for
> third parties as appropriate considering:*
>
> *• the applicable legal context for identity providers and attestation
> providers;*
>
> *• the need to retain evidence for dispute resolution purpose;*
>
> *• the right for the user to be informed of the use of their EUDI Wallet."*
>
>
>
> Those definitions are not very exhaustive, so ETSI TR 119 476
> <https://www.etsi.org/deliver/etsi_tr/119400_119499/119476/01.01.01_60/tr_119476v010101p.pdf>
> has the scope to further clarify the terms of selective disclosure, where
> unlinkability is described as follows in section 3.1:
>
>
>
> *“unlinkability: lack of information required to connect the user's
> selectively disclosed attributes beyond what is disclosed*
>
>
>
> *EXAMPLE 1: Assume that a user's EUDI Wallet includes a (Q)EAA with the
> attributes first name and last name. The user can disclose its first name
> to one relying party, and its last name to another relying party. The
> relying parties cannot exchange any information that allows them to link
> the user's first name disclosure to the last name disclosure.*
>
>
>
> *EXAMPLE 2: The same principle applies if the user discloses its first
> name to a relying party and later discloses its last name to the same
> relying party and the single relying party cannot link the user's first
> name disclosure to its last name disclosure.*
>
>
>
> *EXAMPLE 3: The same principle applies if the issuer colludes with the
> verifier without being able to link the user's first name disclosure to its
> last name disclosure.”*
>
>
>
> Furthermore, the PID of the EUDI Wallet will rely on ISO mDL MSO and
> SD-JWT for selective disclosure; both formats are based on salted hashes of
> attributes for selective disclosure.
>
>
>
> ISO 18013-5 (ISO mDL) specifies methods for unlinkability in appendix “E.8
> Anonymity and unlinkability”. For example, it contains the following
> description on random numbers (salts) for the hashed data elements:
>
>
>
> *“mDLs may store a set of mDL authentication keys (together with a set of
> random numbers for all data elements and an MSO for each key) and choose an
> unused or random key for each transaction, or rotate keys for each
> transaction.”*
>
>
>
> The SD-JWT draft specification
> <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-04.html#section-9.4>
> has the following description on unlinkability:
>
>
>
> *“9.4. Unlinkability*
>
>
>
> *Colluding Issuer/Verifier or Verifier/Verifier pairs could link
> issuance/presentation or two presentation sessions to the same user on the
> basis of unique values encoded in the SD-JWT (Issuer signature, salts,
> digests, etc.).*
>
>
>
> *To prevent these types of linkability, various methods, including but not
> limited to the following ones can be used:*
>
>
>
>    - *Use advanced cryptographic schemes, outside the scope of this
>    specification.*
>    - *Issue a batch of SD-JWTs to the Holder to enable the Holder to use
>    a unique SD-JWT per Verifier. This only helps with Verifier/Verifier
>    unlinkability.”*
>
>
>
> It is also worthwhile pointing out that we have divided selective
> disclosure schemes in the following categories: Atomic attribute
> credentials, Hashes of salted attributes (such as ISO mDL MSO and SD-JWT),
> Multi-message signature schemes (such as BBS and CL-signatures), and Proofs
> for arithmetic circuits (such as zkSNARK, zkSTARK and Bulletproofs). The
> Multi-message signature schemes and Proofs for arithmetic circuits have
> been designed with unlinkability as an integral feature, and are therefore
> superior in that regard, while Hashes of salted attributes require
> implementation specific methods to cater for unlinkability (as mentioned
> above). This is also highlighted in Annex A.1 in the ETSI TR 119 476, where
> unlinkability of SD-JWT and ISO mDL MSO are denoted as conditional.
>
>
>
> Hopefully, this clarifies the principles of unlinkability as described in
> ETSI TR 119 476.
>
>
>
> Peter, do you have anything to add?
>
>
>
> Kind regards,
>
> Sebastian
>
>
>
> *From:* Brent Zundel <Brent.Zundel@gendigital.com>
> *Sent:* Tuesday, 29 August 2023 21:50
> *To:* Sebastian Elfors <sebastian.elfors@idnow.de>; public-vc-wg@w3.org
> *Subject:* RE: [EXT] ETSI TR 119 476 on selective disclosure
>
>
>
> Thank you for the work that went into producing this report.
>
> I am still making my way through it, but I came across something that made
> me pause.
>
>
>
> I have concerns about the use of the term ‘unlinkability’ as I’ve seen it
> used in the document.
>
> The use seems to be different than the common use in cryptographic
> literature. [1]
>
>
>
> The following assertion is made in the conclusion section:
>
> “The conclusion is thus that ISO mDL and SD-JWT meet the eIDAS2 regulatory
> and technical requirements on selective disclosure, unlinkability and
> cryptographic algorithms.”
>
>
>
> Unless the term ‘unlinkability’ has been redefined, selective disclosure
> schemes that make use of salted hashes along with regular digital
> signatures are not unlinkable. It does not matter how the hashes are
> salted. Any digital signature that requires unblinded sharing of the
> signature value is inherently linkable.
>
>
>
> Therefore, claiming that ISO mDL and SD-JWT are in any way unlinkable is
> not accurate.
>
>
>
> Does eIDAS2 have regulatory and technical requirements for unlinkability?
> I was unable to find the pertinent section of the proposed regulation.
>
>
>
> [1] Unlinkability | SpringerLink
> <https://link.springer.com/referenceworkentry/10.1007/0-387-23483-7_448>
>
>
>
> *From:* Sebastian Elfors <sebastian.elfors@idnow.de>
> *Sent:* Monday, August 28, 2023 5:48 AM
> *To:* public-vc-wg@w3.org
> *Subject:* [EXT] ETSI TR 119 476 on selective disclosure
>
>
>
> All,
>
>
>
> ETSI has now published the technical report TR 119 476 on selective
> disclosure
> <https://www.etsi.org/deliver/etsi_tr/119400_119499/119476/01.01.01_60/tr_119476v010101p.pdf>,
> which has been authored by me together with Peter Altmann (Swedish Agency
> for Digital Government). It provides a comprehensive overview of methods
> for selective disclosure in general, and an analysis of how these methods
> can be applied for the EUDI Wallet in particular. This could potentially be
> of interest to W3C VC WG and the related work on standards for ZKP and
> selective disclosure. Please let us know if you have any feedback or want
> to discuss this report at a meeting.
>
>
>
> Kind regards,
>
> Sebastian Elfors
>
> Senior Architect
>


-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>

Received on Wednesday, 30 August 2023 13:23:37 UTC
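
The linkability points raised in this thread (an unblinded issuer signature value is a correlation handle, and batch issuance only helps against verifier/verifier collusion, per SD-JWT section 9.4) can be seen in a small model of a salted-hash credential. This is an added example, not part of the original messages or of any specification; an HMAC stands in for the issuer's digital signature, and the function names and claim values are constructed for illustration.

```python
import hashlib, hmac, json, secrets

# Stand-in: an HMAC key replaces the issuer's signing key (assumption, keeps this stdlib-only).
ISSUER_KEY = secrets.token_bytes(32)

def _sign(digests):
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()

def digest(salt, name, value):
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def issue(claims):
    """Issue one credential: fresh salt per attribute, signature over the digest list."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
    digests = sorted(digest(s, n, v) for n, (s, v) in disclosures.items())
    return {"digests": digests, "sig": _sign(digests), "disclosures": disclosures}

def present(cred, names):
    """Holder reveals only `names`; digest list and signature are sent unblinded."""
    return {"digests": cred["digests"], "sig": cred["sig"],
            "disclosed": {n: cred["disclosures"][n] for n in names}}

def verify(p):
    """Check the signature, then that each disclosed attribute hashes to a signed digest."""
    if not hmac.compare_digest(_sign(p["digests"]), p["sig"]):
        return False
    return all(digest(s, n, v) in p["digests"] for n, (s, v) in p["disclosed"].items())

def linkable(p1, p2):
    """Two verifiers comparing notes: identical signature values mean the same credential."""
    return p1["sig"] == p2["sig"]

def demo():
    claims = {"first_name": "Alice", "last_name": "Example"}  # constructed sample data
    # Case 1: one credential reused at two relying parties (ETSI EXAMPLE 1 scenario).
    cred = issue(claims)
    a, b = present(cred, ["first_name"]), present(cred, ["last_name"])
    # Case 2: batch issuance, one single-use credential per relying party.
    batch = [issue(claims) for _ in range(2)]
    issuer_log = {c["sig"] for c in batch}  # the issuer knows every signature it produced
    c, d = present(batch[0], ["first_name"]), present(batch[1], ["last_name"])
    return {"valid": all(verify(p) for p in (a, b, c, d)),
            "reuse_linked": linkable(a, b),
            "batch_linked": linkable(c, d),
            "issuer_links_batch": all(p["sig"] in issuer_log for p in (c, d))}

if __name__ == "__main__":
    print(demo())
```

Reusing one credential links the two disclosures regardless of how the hashes are salted, while the batch case breaks verifier/verifier correlation but still lets the issuer match both presentations to the holder it issued to.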