AnonCreds v2

It’s here and (can be) real!

https://bit.ly/AnonCredsV2

Agenda

• What is AnonCreds?
• What is AnonCreds V2?
• To Do List
• Code Overview
• Next Actions

https://bit.ly/AnonCredsV2

What is the Verifiable Credentials model?

Proves:

​

1. Who issued the credential.
2. Who holds the credential.***
3. The claims are unchanged.
4. The claims have not been revoked.

Still Required:� Do you trust the Issuer?

https://bit.ly/AnonCredsV2

Privacy: Hyperledger AnonCreds Zero Knowledge Proofs (ZKPs)

• Selective disclosure

• Predicate proofs�

• Derived presentations�with unlinkable identifiers�

• Multi-credential�presentations�

https://bit.ly/AnonCredsV2

What is AnonCreds?

• AnonCreds is glue providing an opinionated implementation of ZKP-based VCs
• It is not a signature scheme — it uses a signature scheme.
• In v1.0 that scheme is CL Signatures.
• It formalizes the data objects, features, and interactions for ZKP-based VCs.
• Goes beyond W3C Verifiable Credentials Data Model Standard
• Goes beyond (for example) CL or BBS+ Signatures definition
• It has acknowledged limitations — e.g., flat data structure, no arrays
• “opinionated” is what makes AnonCreds easy to use and interoperable
• Do this, this and this and voilà! Working, useful ZKP-based verifiable credentials are working.
• Solid underlying implementation, that continues to evolve.
• It works!

https://bit.ly/AnonCredsV2

What is a Verifiable Data Registry?

Decentralized Identifier (DID)�Schema ⏺ Credential Definition ⏺ Revocation Registry

https://bit.ly/AnonCredsV2

What are the opinionated elements?

• Objects
• Published by the issuer: schema, credential definition, revocation registry, revocation state
• Exchanged by participants:
• Issue: offer, request, credential
• Presentation: request, presentation
• Interactions for issuer setup, issuing, presenting, and revoking
• ZKP features:
• Unlinkablity — no unique identifiers
• with holder binding via the link secret
• with revocation via non-revocation proof
• Selective disclosure
• Predicates in limited (but useful) ways — integer expressions

https://bit.ly/AnonCredsV2

What are the non-opinionated/“flexible” elements?

• In some important areas it is NOT opinionated (but it used to be…)
• Not opinionated on the location of the published objects
• Must be published, must be resolvable given the identifier
• Much work to enable publishing anywhere (Indy, cheqd.io, Cardano, Fabric, did:web…)
• Not opinionated on the exchange protocols
• Not tied to DIDcomm for exchange
• Theoretically, works with OpenID4VCs — will be proven (or not) in the very near future
• The objects require certain information, but structure is flexible
• AnonCreds in W3C Verifiable Credentials Data Model Standard format

https://bit.ly/AnonCredsV2

What is AnonCreds v2?

• Key Features:
• Same object types and same interactions as AnonCreds v1
• Flexibility in the underlying signature scheme
• Options include BBS+, PS (Pointcheval Sanders), CL Signatures
• PS Signatures may give us a path to post-quantum signatures!
• More ZKP presentation options to increase data minimization possibilities
• How?
• Define much more information at the schema level about the credential attributes
• Enables encoding the data in a way that can be flexibly signed and presented
• Yes, there is code!
• And there will be a specification

https://bit.ly/AnonCredsV2

Features

• Signature scheme flexibility - short group signatures
• PS Signatures — current scheme in the code base
• BBS+ Signatures — previously implemented, can be added
• Opinionated: Which to choose/use?
• BBS+ Signatures — impressive progress towards IETF standardization
• Lots of hard work done!
• PS Signatures — some progress towards IETF standardization
• Post quantum implementation

https://bit.ly/AnonCredsV2

AnonCreds v1 ZKP Capabilities

• AnonCreds v1 ZKP uses
• Selective disclosure — prove all signatures, but reveal only selected claims data
• Link Secret — sign/prove a blinded secret known to the holder, without revealing the secret
• Predicates — for an integer, prove an expression (“<” “<=” “>”, “>=”) without sharing the value
• Revocation — prove non-revocation without revealing an identifier for the credential
• Basic techniques:
• Encode all data as integers, and sign the encoded integers
• Nothing is known about the data until a credential is created for issuing
• Canonicalization: any integer or integer string is integer, stringify/hash everything else
• No arrays
• Add special “link secret” automatically in all credentials — blinded by holder, signed by issuer

https://bit.ly/AnonCredsV2

AnonCreds v2 ZKP Capabilities

• AnonCreds v1 features and more
• Formalized encoding types:
• Integer — similar to the integers in AnonCreds v1, but zero-centered and 64-bit
• Expected addition: dates in standard format, encoded as integers
• Hashed — similar to the “non-integers” in AnonCreds v1 — uses hash_to_scalar vs. SHA256
• Scalar — enables issuer defined claims like the “link secret” (and more…)
• Enumerated — defined set of values
• Mechanism — schema expanded to include type (encoding) and validators
• Validators: Length, Range, RegEx, AnyOne
• Defines three things — encoding, how to sign, presentation options

https://bit.ly/AnonCredsV2

Encoding Types

• Integer:
• Supports range proofs, negative numbers
• String
• Stringified and hash_to_scalar encoding
• Revealed or not (selective disclosure)
• New: Equality of claims across credentials predicate — without revealing the values
• DateTime (to be added…)
• Encoding standards-based text dates and datetimes (ISO 8601) into Integers
• Human and machine/ZKP-friendly

https://bit.ly/AnonCredsV2

Encoding Types

• Scalar:
• Link Secret for Holder Binding will be part of the implementation
• Issuer can define that the holder supply other blinded values
• Verifiable encryption — blinded value from the issuer that can be decrypted by the issuer
• Credit card number — verifier gets unlinkable value, issuer can decrypt on receipt
• Enumerated:
• Enables concise, accumulator-based set-membership, non-set membership
• E.g., “zip code” in claim is one of these 300 zip codes, without revealing the zip code

https://bit.ly/AnonCredsV2

AnonCreds v2 To Do List

• Everyone: Evaluate the code and cryptographic primitives
• Take a look — what do you think?
• Does this get us to FlexCreds / BBS+ ZKPs / Rich Predicates / Post Quantum / Revocation
• Extract any cryptographic code into libraries
• The “knox” folder
• Abstract the signature scheme
• Currently concrete PS, abstract to enable BBS+
• Experiment — post quantum (Lattice) PS Signatures
• Add always included link_secret value
• Add “DateTime” encoding type
• Encode date as DateInt, time as Unix Time (with thought about pre-1970 timestamps…)

https://bit.ly/AnonCredsV2

AnonCreds v2 To Do List

• Specification and decision making
• An evolution of the AnonCreds v1.0 Specification, path to standardization
• AnonCreds is glue that uses standards (e.g., BBS+, W3C VC Data Model, etc.)
• VC, VP in W3C Verifiable Credentials Data Model Standard format
• Similar to the AnonCreds v1 approach
• Format of the presentation request
• Evolution of AnonCreds v1.0?
• DIF Presentation Exchange?
• Experiment with Post Quantum
• Revocation…

https://bit.ly/AnonCredsV2

Revocation

• Remains tough issue
• Current code includes Allosaur revocation — call back to the issuer
• Possible sharded (multi-party computation)
• Options:
• Evolved AnonCreds v1 approach that scales better.
• Allosaur
• zk-SAM
• Most practical, as it would be usedul as a (minor) variation on StatusList2021
• Always using the same RevReg for AnonCreds and NIST signatures.

https://bit.ly/AnonCredsV2

Code Overview

• https://github.com/hyperledger/anoncreds-v2-rs
• Readme — description
• knox — core cryptography signing — should be just glue, currently uses PS signatures
• Intention is to put all underlying cryptography into modules for reuse, AnonCreds is glue
• Claims
• Credentials
• Issuer Setup
• Issuance
• Presentation Schema
• Presentation Statements
• Presentation
• Verification

https://bit.ly/AnonCredsV2

Hyperledger Labs Agora

• Hyperledger Labs Agora — underlying crypto
• https://github.com/mikelodder7/blsful - being audited - BLS library — a lot of the primitives
• https://github.com/mikelodder7/gennaro-dkg - being audited - MPC support for generating keys, any elliptic curves
• https://github.com/mikelodder7/unknown_order - abstraction for BigNum computations - better, more flexible!
• https://github.com/mikelodder7/soteria-rs - key chain abstraction for pulling secrets into your code - for any OS
• https://github.com/mikelodder7/vsss-rs — being audited — verifiable secret sharing scheme
• https://github.com/mikelodder7/curvey - go implementation of a bunch of elliptic curve
• https://github.com/mikelodder7/blstrs - Rust elliptic curve library
• https://github.com/mikelodder7/bls12_381_plus - Rust elliptic curve library
• https://github.com/mikelodder7/glass_pumpkin - similar value to unknown_order but for prime generation
• https://github.com/mikelodder7/paillier-rs - useful for MPC computations, uses unknown_order
• https://github.com/mikelodder7/verifiable-encryption - enables adding this to AnonCreds v1
• https://github.com/mikelodder7/fernet - standard used for symmetric sign-in tokens

https://bit.ly/AnonCredsV2

Next Steps

• Discuss
• Evaluate
• Evolve

https://bit.ly/AnonCredsV2