1 of 24

CESR Proof Signatures:

Partial Digital Signatures with KERI and ACDC

2 of 24

Underlying technologies and background…

3 of 24

KERI

Key Event Receipt Infrastructure

Key - asymmetric key cryptography (a.k.a. public-key cryptography)

Event - key rotations (and other activities) are tracked as a series of events

Receipt - witnesses of key events provide signed receipts as an additional threshold structure

Infrastructure - open source framework for building decentralized identifier systems

Key innovations:

  • Pre-Rotation
  • Threshold structures
    • Multi-sig, signature thresholds
    • Delegation
    • Witnesses and witness thresholds

4 of 24

ACDC

Authentic Chained Data Containers

Authentic - attached digital signatures from KERI identifiers

Chained - references to dependent credentials

Data - any content can be authenticated, including, of course, verifiable credentials

Containers - serialized data container using name/value hash data structures

Key innovations:

  • Schema for compact credentials
  • Credential Provenance Chaining
  • Rules specification

5 of 24

CESR

Composable Event Streaming Representation

Composable - defines lossless transformation between text and binary streaming formats

Event - an event that conforms to the KERI event structure (e.g. an ACDC credential)

Streaming - specifically defined for low bandwidth, high volume streaming of cryptographic primitives

Representation - Sam wanted an easy to pronounce acronym

Key innovations:

  • Composability
  • Flexible, table-based derivation and counter codes
  • Extensible!

6 of 24

Extending CESR with Transposable Signatures

7 of 24

CESR Proof Signatures

Specification for applying digital signatures to multiple nested portions of serialized name/value data structures.

  • Digital signatures compatible with KERI, ACDC and therefore the vLEI

  • Specification for signing a serialization of any self-addressing data… JSON/CBOR/MsgPack or even XML

  • Support for multiple nested partial signatures

  • Transposable signatures across envelope boundaries

  • IETF published draft specification, part of the overall ACDC specification family

8 of 24

How does it work?

{
  "v": "ACDC10JSON00011c_",
  "d": "EYo4R9I08Et5H5SWKG8ZMS83r8FmRtfahN0V9NbG9zdw",
  "i": "Ei5csblWpTy22uVkbZrZxvSUORxPvIlrfpq2e1hKTtfA",
  "s": "ECcj1CBn4dpo6ZOmZQNtAjXxT4_MsVXipt5VTPjvSAf0",
  "ri": "EymRy7xMwsxUelUauaXtMxTfPAMPAI6FkekwlOjkggt",
  "a": {
    "d": "Ea4ny_YZAtAGUwGSyH7iFiKjpM3yFiDHcjrdomqt7Ryk",
    "i": "EP2ukuiw_0xcp943NWz4IRnNtxwx7rzROwV1D_ZRP0XQ",
    "dt": "2021-06-09T17:35:54.169967+00:00",
    "LEI": "5493001KJTIIGC8Y1R12"
  },
  "e": []
}

Start with any self-addressing data (SAD)

Contains a self-addressing identifier (SAID)

9 of 24

How does it work

{
  "v": "ACDC10JSON00011c_",
  "d": "EYo4R9I08Et5H5SWKG8ZMS83r8FmRtfahN0V9NbG9zdw",
  "i": "Ei5csblWpTy22uVkbZrZxvSUORxPvIlrfpq2e1hKTtfA",
  "ri": "EymRy7xMwsxUelUauaXtMxTfPAMPAI6FkekwlOjkggt",
  "s": "ECcj1CBn4dpo6ZOmZQNtAjXxT4_MsVXipt5VTPjvSAf0",
  "a": {
    "d": "Ea4ny_YZAtAGUwGSyH7iFiKjpM3yFiDHcjrdomqt7Ryk",
    "i": "EP2ukuiw_0xcp943NWz4IRnNtxwx7rzROwV1D_ZRP0XQ",
    "dt": "2021-06-09T17:35:54.169967+00:00",
    "LEI": "5493001KJTIIGC8Y1R12"
  },
  "e": []
}

Sign the content of the serialization of the data

-AAD

AA5267UlFg1jHee4Dauht77SzGl8WUC_0oimYG5If3SdIOSzWM8Qs9SFajAilQcozXJVnbkY5stG_K4NbKdNB4AQ

ABBgeqntZW3Gu4HL0h3odYz6LaZ_SMfmITL-Btoq_7OZFe3L16jmOe49Ur108wH7mnBaq2E_0U0N0c5vgrJtDpAQ

ACTD7NDX93ZGTkZBBuSeSGsAQ7u0hngpNTZTK_Um7rUZGnLRNJvo5oOnnC1J2iBQHuxoq8PyjdT3BHS2LiPrs2Cg

Digital Signatures ->

10 of 24

How does it work

{
  "v": "ACDC10JSON00011c_",
  "d": "EYo4R9I08Et5H5SWKG8ZMS83r8FmRtfahN0V9NbG9zdw",
  "i": "Ei5csblWpTy22uVkbZrZxvSUORxPvIlrfpq2e1hKTtfA",
  "s": "ECcj1CBn4dpo6ZOmZQNtAjXxT4_MsVXipt5VTPjvSAf0",
  "ri": "EymRy7xMwsxUelUauaXtMxTfPAMPAI6FkekwlOjkggt",
  "a": {
    "d": "Ea4ny_YZAtAGUwGSyH7iFiKjpM3yFiDHcjrdomqt7Ryk",
    "i": "EP2ukuiw_0xcp943NWz4IRnNtxwx7rzROwV1D_ZRP0XQ",
    "dt": "2021-06-09T17:35:54.169967+00:00",
    "LEI": "5493001KJTIIGC8Y1R12"
  },
  "p": []
}

Prepend Identifier Information

-AAD

AA5267UlFg1jHee4Dauht77SzGl8WUC_0oimYG5If3SdIOSzWM8Qs9SFajAilQcozXJVnbkY5stG_K4NbKdNB4AQ

ABBgeqntZW3Gu4HL0h3odYz6LaZ_SMfmITL-Btoq_7OZFe3L16jmOe49Ur108wH7mnBaq2E_0U0N0c5vgrJtDpAQ

ACTD7NDX93ZGTkZBBuSeSGsAQ7u0hngpNTZTK_Um7rUZGnLRNJvo5oOnnC1J2iBQHuxoq8PyjdT3BHS2LiPrs2Cg

Digital Signature ->

-FAB

E_T2_p83_gRSuAYvGhqV3S0JzYEF2dIa-OCPLbIhBO7Y

-EAB0AAAAAAAAAAAAAAAAAAAAAAB

EwmQtlcszNoEIDfqD-Zih3N6o5B3humRKvBBln2juTEM

Identifier and Path ->

11 of 24

How does it work

{
  "v": "ACDC10JSON00011c_",
  "d": "EYo4R9I08Et5H5SWKG8ZMS83r8FmRtfahN0V9NbG9zdw",
  "i": "Ei5csblWpTy22uVkbZrZxvSUORxPvIlrfpq2e1hKTtfA",
  "ri": "EymRy7xMwsxUelUauaXtMxTfPAMPAI6FkekwlOjkggt",
  "s": "ECcj1CBn4dpo6ZOmZQNtAjXxT4_MsVXipt5VTPjvSAf0",
  "a": {
    "d": "Ea4ny_YZAtAGUwGSyH7iFiKjpM3yFiDHcjrdomqt7Ryk",
    "i": "EP2ukuiw_0xcp943NWz4IRnNtxwx7rzROwV1D_ZRP0XQ",
    "dt": "2021-06-09T17:35:54.169967+00:00",
    "LEI": "5493001KJTIIGC8Y1R12"
  },
  "e": []
}-FABE_T2_p83_gRSuAYvGhqV3S0JzYEF2dIa-OCPLbIhBO7Y

-EAB0AAAAAAAAAAAAAAAAAAAAAABEwmQtlcszNoEIDfqD-Zih3N6o5B3humRKvBBln2juTEM-AADAA5267UlFg1jHee4Dauht77SzGl8WUC_0oimYG5If3SdIOSzWM8Qs9SFajAilQcozXJVnbkY5stG_K4NbKdNB4AQABBgeqntZW3Gu4HL0h3odYz6LaZ_SMfmITL-Btoq_7OZFe3L16jmOe49Ur108wH7mnBaq2E_0U0N0c5vgrJtDpAQACTD7NDX93ZGTkZBBuSeSGsAQ7u0hngpNTZTK_Um7rUZGnLRNJvo5oOnnC1J2iBQHuxoq8PyjdT3BHS2LiPrs2Cg

Attach Signature to Event

12 of 24

Quick Detour… KERI-X Messages

{
  "v": "KERI10JSON00011c_",
  "t": "exn",
  "dt": "2020-08-22T17:50:12.988921+00:00",
  "r": "/credential/offer",
  "a": {
    "v": "ACDC10JSON00011c_",
    "d": "EBdXt3gIXOf2BBWNHdSXCJnFJL5OuQPyM5K0neuniccM",
    "i": "EmkPreYpZfFk66jpf3uFv7vklXKhzBrAqjsKAn2EDIPM",
    "s": "E46jrVPTzlSkUPqGGeIZ8a8FWS7a6s4reAXRZOkogZ2A",
    "a": {
      "d": "EgveY4-9XgOcLxUderzwLIr9Bf7V_NHwY1lkFrn9y2PY",
      "i": "EQzFVaMasUf4cZZBKA0pUbRc9T8yUXRFLyM1JDASYqAA",
      "dt": "2021-06-09T17:35:54.169967+00:00",
      "ri": "EymRy7xMwsxUelUauaXtMxTfPAMPAI6FkekwlOjkggt",
      "LEI": "254900OPPU84GM83MG36",
      "personal": {
        "legalName": "John Doe",
        "city": "Durham"
      }
    }
  }
}

13 of 24

How does it work

{
  "v": "ACDC10JSON00011c_",
  "d": "EYo4R9I08Et5H5SWKG8ZMS83r8FmRtfahN0V9NbG9zdw",
  "i": "Ei5csblWpTy22uVkbZrZxvSUORxPvIlrfpq2e1hKTtfA",
  "s": "ECcj1CBn4dpo6ZOmZQNtAjXxT4_MsVXipt5VTPjvSAf0",
  "ri": "EymRy7xMwsxUelUauaXtMxTfPAMPAI6FkekwlOjkggt",
  "a": {
    "d": "Ea4ny_YZAtAGUwGSyH7iFiKjpM3yFiDHcjrdomqt7Ryk",
    "i": "EP2ukuiw_0xcp943NWz4IRnNtxwx7rzROwV1D_ZRP0XQ",
    "dt": "2021-06-09T17:35:54.169967+00:00",
    "LEI": "5493001KJTIIGC8Y1R12"
  },
  "p": []
}

Prepend SAD Path and Identifier Information

-AAD

AA5267UlFg1jHee4Dauht77SzGl8WUC_0oimYG5If3SdIOSzWM8Qs9SFajAilQcozXJVnbkY5stG_K4NbKdNB4AQ

ABBgeqntZW3Gu4HL0h3odYz6LaZ_SMfmITL-Btoq_7OZFe3L16jmOe49Ur108wH7mnBaq2E_0U0N0c5vgrJtDpAQ

ACTD7NDX93ZGTkZBBuSeSGsAQ7u0hngpNTZTK_Um7rUZGnLRNJvo5oOnnC1J2iBQHuxoq8PyjdT3BHS2LiPrs2Cg

Digital Signature ->

-JAB

6AABAAA-

-FAB

E_T2_p83_gRSuAYvGhqV3S0JzYEF2dIa-OCPLbIhBO7Y

-EAB0AAAAAAAAAAAAAAAAAAAAAAB

EwmQtlcszNoEIDfqD-Zih3N6o5B3humRKvBBln2juTEM

Identifier and Path ->

14 of 24

How does it work

{
  "v": "ACDC10JSON00011c_",
  "d": "EYo4R9I08Et5H5SWKG8ZMS83r8FmRtfahN0V9NbG9zdw",
  "i": "Ei5csblWpTy22uVkbZrZxvSUORxPvIlrfpq2e1hKTtfA",
  "ri": "EymRy7xMwsxUelUauaXtMxTfPAMPAI6FkekwlOjkggt",
  "s": "ECcj1CBn4dpo6ZOmZQNtAjXxT4_MsVXipt5VTPjvSAf0",
  "a": {
    "d": "Ea4ny_YZAtAGUwGSyH7iFiKjpM3yFiDHcjrdomqt7Ryk",
    "i": "EP2ukuiw_0xcp943NWz4IRnNtxwx7rzROwV1D_ZRP0XQ",
    "dt": "2021-06-09T17:35:54.169967+00:00",
    "LEI": "5493001KJTIIGC8Y1R12"
  },
  "e": []
}-JAB6AABAAA--FABE_T2_p83_gRSuAYvGhqV3S0JzYEF2dIa-OCPLbIhBO7Y

-EAB0AAAAAAAAAAAAAAAAAAAAAABEwmQtlcszNoEIDfqD-Zih3N6o5B3humRKvBBln2juTEM-AADAA5267UlFg1jHee4Dauht77SzGl8WUC_0oimYG5If3SdIOSzWM8Qs9SFajAilQcozXJVnbkY5stG_K4NbKdNB4AQABBgeqntZW3Gu4HL0h3odYz6LaZ_SMfmITL-Btoq_7OZFe3L16jmOe49Ur108wH7mnBaq2E_0U0N0c5vgrJtDpAQACTD7NDX93ZGTkZBBuSeSGsAQ7u0hngpNTZTK_Um7rUZGnLRNJvo5oOnnC1J2iBQHuxoq8PyjdT3BHS2LiPrs2Cg

Attach Signature Group to Event

15 of 24

Nested Partial Signatures

{
  "v": "ACDC10JSON00011c_",
  "d": "EYo4R9I08Et5H5SWKG8ZMS83r8FmRtfahN0V9NbG9zdw",
  "i": "Ei5csblWpTy22uVkbZrZxvSUORxPvIlrfpq2e1hKTtfA",
  "s": "ECcj1CBn4dpo6ZOmZQNtAjXxT4_MsVXipt5VTPjvSAf0",
  "a": {
    "d": "Ea4ny_YZAtAGUwGSyH7iFiKjpM3yFiDHcjrdomqt7Ryk",
    "i": "EP2ukuiw_0xcp943NWz4IRnNtxwx7rzROwV1D_ZRP0XQ",
    "dt": "2021-06-09T17:35:54.169967+00:00",
    "legalName": "John Doe",
    "LEI": "5493001KJTIIGC8Y1R12"
  },
  "e": []
}-JAB6AABAAA--FABE_T2_p83_gRSuAYvGhqV3S0JzYEF2dIa-OCPLbIhBO7Y

-EAB0AAAAAAAAAAAAAAAAAAAAAABEwmQtlcszNoEIDfqD-Zih3N6o5B3humRKvBBln2juTEM-AADAA5267UlFg1jHee4Dauht77SzGl8WUC_0oimYG5If3SdIOSzWM8Qs9SFajAilQcozXJVnbkY5stG_K4NbKdNB4AQABBgeqntZW3Gu4HL0h3odYz6LaZ_SMfmITL-Btoq_7OZFe3L16jmOe49Ur108wH7mnBaq2E_0U0N0c5vgrJtDpAQACTD7NDX93ZGTkZBBuSeSGsAQ7u0hngpNTZTK_Um7rUZGnLRNJvo5oOnnC1J2iBQHuxoq8PyjdT3BHS2LiPrs2Cg

Signing Partial Content using SAD Path

-JAB5AABAA-a

16 of 24

Transposition

{
  "v": "KERI10JSON00011c_",
  "t": "exn",
  "dt": "2020-08-22T17:50:12.988921+00:00",
  "r": "/credential/offer",
  "a": {
    "v": "ACDC10JSON00011c_",
    "d": "EYo4R9I08Et5H5SWKG8ZMS83r8FmRtfahN0V9NbG9zdw",
    "i": "Ei5csblWpTy22uVkbZrZxvSUORxPvIlrfpq2e1hKTtfA",
    "ri": "EymRy7xMwsxUelUauaXtMxTfPAMPAI6FkekwlOjkggt",
    "s": "ECcj1CBn4dpo6ZOmZQNtAjXxT4_MsVXipt5VTPjvSAf0",
    "a": {
      "d": "Ea4ny_YZAtAGUwGSyH7iFiKjpM3yFiDHcjrdomqt7Ryk",
      "i": "EP2ukuiw_0xcp943NWz4IRnNtxwx7rzROwV1D_ZRP0XQ",
      "dt": "2021-06-09T17:35:54.169967+00:00",
      "LEI": "5493001KJTIIGC8Y1R12"
    },
    "p": []
  }
}-JAB6AABAAA--FABE_T2_p83_gRSuAYvGhqV3S0JzYEF2dIa-OCPLbIhBO7Y

-EAB0AAAAAAAAAAAAAAAAAAAAAABEwmQtlcszNoEIDfqD-Zih3N6o5B3humRKvBBln2juTEM-AADAA5267UlFg1jHee4Dauht77SzGl8WUC_0oimYG5If3SdIOSz

Move Signature Across Envelope Boundaries

-JAB5AABAA-a

17 of 24

18 of 24

19 of 24

New Attachment Types

SAD Path Signature Group

  • Attach multiple signatures to a single Path
    • Transferable Indexed Controller Signatures
    • Non-Transferable Witness Receipt Couples

SAD Path Groups

  • Grouping multiple SAD Path Sig Groups
  • Facilitates multiple nested signatures
  • Allows for easy transposition of nested sigs

20 of 24

Group Transposition

21 of 24

[Diagram: Payload-A, Payload-B and Payload-C, each with its own signature (Signature-A, Signature-B, Signature-C), shown at positions 1., 2. and 3., and then nested together at position Z.]

Transposed Signatures: -1-Signature-A -2-Signature-B -3-Signature-C

Transposed Signature Grouping: -Z-[-1-Signature-A -2-Signature-B -3-Signature-C]

22 of 24

SAD Path Language

Alternative to JSONPath or JSON Pointer

Single reserved character ‘-’

All paths start with ‘-’ including Root

Path components follow separated by ‘-’ characters

No wildcard pathing

All subpaths must be a map or array

Path components are either fields in a map or items in an array depending on current context

Non-Base64 compatible field names must be replaced with field indices

Facilitates the use of text only variable sized codes
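The path rules above, together with the re-rooting shown on the Transposition slide (a signature over the whole credential follows it into the envelope's "a" field), as an added Python example that is not part of the original slides or of any KERI library. The function names, the sample data with placeholder digests, the "personal info" field, and the choices to read a numeric component in a map as a field index in insertion order and to reject paths that end on a leaf value are assumptions of this example.

```python
import re

COMPONENT = re.compile(r"[A-Za-z0-9_]+")  # Base64 URL-safe alphabet minus the reserved '-'

def split_path(path):
    """Split a SAD path into components; the root path '-' has none."""
    if not path.startswith("-"):
        raise ValueError("every SAD path starts with '-', including the root")
    parts = [] if path == "-" else path[1:].split("-")
    for part in parts:
        if not COMPONENT.fullmatch(part):  # rejects wildcards and empty components too
            raise ValueError(f"invalid path component {part!r}")
    return parts

def resolve(sad, path):
    """Return the map or array that `path` selects inside `sad`."""
    node = sad
    for part in split_path(path):
        if isinstance(node, dict) and part in node:
            node = node[part]                      # field name in a map
        elif isinstance(node, dict) and part.isdigit() and int(part) < len(node):
            node = list(node.values())[int(part)]  # field index (assumed: insertion order)
        elif isinstance(node, list) and part.isdigit() and int(part) < len(node):
            node = node[int(part)]                 # item in an array
        else:
            raise KeyError(f"{part!r} does not resolve in {path!r}")
    if not isinstance(node, (dict, list)):
        raise TypeError(f"{path!r} ends on a leaf value, not a map or array")
    return node

def transpose(path, embedded_at):
    """Rewrite `path` after its SAD is embedded in an envelope at `embedded_at`."""
    return "-" + "-".join(split_path(embedded_at) + split_path(path))

# Constructed sample data (placeholder digests, not the values from the slides).
CREDENTIAL = {
    "v": "ACDC10JSON00011c_",
    "d": "E_placeholder_credential_said",
    "a": {"d": "E_placeholder_attributes_said", "LEI": "5493001KJTIIGC8Y1R12",
          "personal info": {"legalName": "John Doe", "city": "Durham"}},
    "e": [],
}
ENVELOPE = {"v": "KERI10JSON00011c_", "t": "exn", "r": "/credential/offer", "a": CREDENTIAL}

if __name__ == "__main__":
    for p in ("-", "-a", "-a-2"):  # "-a-2" stands in for the non-Base64 name "personal info"
        moved = transpose(p, "-a")
        assert resolve(ENVELOPE, moved) is resolve(CREDENTIAL, p)
        print(p, "->", moved)
```

A verifier that receives the envelope resolves the transposed path to recover exactly the sub-structure the signature was made over, so the signed content is located by path rather than by its position in the outer serialization.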

23 of 24

Additions to the Master Code Table

24 of 24

Uses in KERI, ACDC and vLEI

Nested Partial Signatures on ACDC Credentials

  • Attach multiple signatures to a single Path
    • Transferable Indexed Controller Signatures
    • Non-Transferable Witness Receipt Couples

Embedding ACDC Credentials in IPEX Protocol Messages

  • /credential/issue peer to peer protocol message containing embedded ACDC

Embedding Any Signed Content in Peer to Peer Forwarding

  • /fwd Message mailbox forwarding protocol
  • Multiple levels of nesting required
  • Example: Embedding ACDC in /credential/offer message that is forwarded using /fwd

Signing GLEIF xBRL Annual Report Pilot

  • Attaching multiple nested signatures on partial content from different signers