post-thumb

Privacy-preserving Solution Using BBS+ for Digital Identity and Wallet

With the eIDAS 2.0 regulation enactment, European citizens will be able to use a Digital Wallet to manage their own digital identity documents, or credentials. These credentials will contain attributes about their holder such as, date of birth, address, etc. The regulation stipulates that the use of the digital wallet and the credentials it contains should ensure the privacy of their users. The privacy-preserving credentials, also called anonymous credentials, will allow their holder to prove attribute values to verifying parties such as government entities or other private services without revealing non-relevant attributes. However, the current regulation does not provide a way to avoid user profiling. Meaning that if users present the same credential multiple times, a profile of the users can be made by the verifying entities which poses a privacy issue for the future. This problem arises because of the regulation recommends a cryptographic solution (i.e., SD-JWT)) that does not achieve this feature. Another cryptographic solution enables this property, namely BBS+ signature scheme.

This blog post presents work done at Worldline to explore the use of the BBS+ signature scheme in combination with the regulation standards of eIDAS 2.0. We first introduce the recent regulation of the European Digital Identity Wallet, then we briefly present BBS+. After that, we present the W3C Verifiable Credential Data Model (VCDM) that is recommended by the regulation to format the credentials. Finally, we explain how BBS+ and the VCDM standard can be used in combination to achieve a privacy-preserving digital identity ecosystem for the future.

Why Privacy-enhancement Solution is Valuable in “European Digital Identity and Wallets”?

The European Parliament and the Council of the European Union (EU) introduced European Digital Identity Wallets (EUDIW), the first trusted and secure digital identity framework for all Europeans. All EU citizens will be able to use a EUDIW to access public and private online services all over Europe. Public and private services, that are legally required to strongly authenticate their users, will have to accept the EUDIW for logging into their online services. The Wallet will also facilitate service providers’ compliance with various regulatory requirements and will allow users to open bank accounts, make payments, and hold digital documents, such as a driving license, an government ID, a diploma, etc, called credentials [EUDIW]. Meaning, that each user will share all their personalized attributes and payment details from this wallet. Therefore, privacy concerns for each user arise.

A first needed property is data minimization according to the users’ needs to access services. In essence, each user can control their sensitive attributes through their wallet according to the services. For example, if service providers do not need specific attributes such as name, address, or other details, and only need date of birth, users can then select the date of birth attribute to access the services without disclosing their name, address etc. This is also known as the data minimization feature or selective disclosure.

The second privacy property, that is required to maintain high level of privacy, is unlinkability, where different transactions cannot be linked to the same user. This means that as the user make use of their credential, the entities that are given this credential cannot link them to the user. This avoids users profiling and tracking.

Advancement of Privacy enhancements in the Regulation

To advance the Selective disclosure and Unlinkability privacy features in the real world, the European Commission (EC) defines the regulatory requirements on selective disclosure (data minimization control) and unlinkability for the EUDI Wallet to attain GDPR and enhanced privacy features. This regulation is called the eIDAS21 regulation and the Architecture Reference Framework (ARF) [ARF].

A cryptographic primitive known as a privacy-preserving signature scheme could be a solution to achieve selective disclosure and unlinkability. Unlinkability is a big challenge to the current EUDIW solutions as the current ARF does not support the unlinkability feature. Indeed, the ARF recommendation for the use of SD-JWT, instead of BBS+, implies that unlinkability is not achieved since SD-JWT does not provide unlinkability. The SD-JWT is chosen by the ARF due to its easier implementation and selective disclosure property. However, Unlinkability is a necessary property if we want to achieve and avoid the profiling of future citizens. This property is achievable with a specific privacy-preserving signature scheme, BBS+ signature scheme. The BBS+ signature scheme is preferred than the other privacy-preserving signature schemes such as CL signature [CL-signature] as BBS+ is much more efficient and contributes same level of privacy properties [BBS23].

BBS+ signatures were originally proposed as a group signatures protocol by Boneh, Boyen, and Shachum [BBS04] (from where they take their name) and have been renamed by Au Man Ho et.al. and later by Jan Camenisch, Manu Drijvers, and Anja Lehmann [CDL16] (where the + comes from). BBS+ allows to encrypt multiple messages. There are standardization efforts for a version of BBS called BBS+ that has led to a recent RFC draft [BBS-IETF24]. BBS+ signature scheme, and its proof of knowledge is briefly delineated in the work [DGPS22].

Credential and W3C standard VCDM (Verifiable Credentials Data Model)

The digital documents stored in the EUDIW are called credentials. The ARF specifies that the credentials stored in the EUDIW should follow the W3C Verifiable Credential Data Model (VCDM) [W3C-VCDM]. This recommendation specifies how attributes should be formatted in a credential. Figure1
Figure 1: The W3C VCDM ecosystem with the issuers, the holder and the verifiers

In W3C VCDM, there are three parties: issuer, holder, and verifier. The issuer gives the holder a verifiable credential which asserts claims about a subject. The credential consists of attributes represented by integers or text. The holder may present a verifiable presentation based on the previously verifiable credentials to a verifier that can verify that the asserted the claims. Verifiable presentations can contain multiple verifiable credentials and a cryptographic proof. They are closed to verifiable credentials in their form.

As an example, a wallet user wants to buy alcohol and needs to provide a proof of age (i.e., attribute) to do so. From their wallet, they select a government-issued credentials (e.g., ID card) and present it to the verifier by only disclosing their date of birth and not their name and address (i.e., selective disclosure) in a verifiable presentation created on the go by the wallet. The verifier will then verify the presentation by verifying the presentation proof cryptographically and the included verifiable credentials.

Figure2
Figure 2: Example of verifiable residence credential in JSON-LD format

Those verifiable credentials/presentations are represented and stored in a file. The most common used format is JSON-LD. Figure 2 shows an example of a verifiable credential for a permanent resident card. The important parts are the “credentialSubject” and “proof” fields. The former contains all the relevant attributes about the holder. The “proof” is where all the cryptographic details are. This is where the BBS+ details will be stored.

The Usage of BBS+ in Privacy Preserving W3C VCDM

The combined approach of W3C verifiable credential data model (VCDM) and BBS+ signature is called privacy-preserving credential or anonymous credential.

Anonymous credentials aim at allowing users to prove attribute values about the user of the credential in an uncorrelated way (unlinkability) without revealing other attribute values (selective disclosure).

Various anonymous credential schemes are discussed in [CDL16] and [SABD18], [CKS09], and [CL02]. Hyperledger Indy is purpose-built to facilitate decentralized identity using anonymous credentials. Indy currently uses RSA-based CL signatures with range proofs from [CCs08]. In comparison, BBS+ signatures are faster to generate keys, sign credentials, and create proofs due to the smaller key sizes of elliptic curves, no prime numbers to use for keys, and one less correctness proof to check.** BBS+ signatures provide three very strong privacy preserving security properties; zero knowledge, proof of knowledge and selective disclosure**.

  • Zero knowledge refers to the inability of an adversary to gain any information regarding a plain text or a secret cryptographic key from the corresponding cipher text.

  • Proof of Knowledge means that the Verifier can be convinced that the Prover is in possession of a secret. The challenge is of-course to keep the zero-knowledge property, meaning that the Verifier will still gain no information about that secret.

  • Selective disclosure is the ability to only reveal parts of a secret to a Verifier, and still be able to prove integrity and possession of the revealed information, and that the revealed information is part of the original larger secret. For example, predicates can be used to prove that the holder’s bank account balance is above a certain threshold, without revealing the balance.

To achieve these privacy-enhanced properties (i.e., selective disclosure and unlinkability) using BBS+ in digital identity with efficient computation, the work carried out has led to the implementation of a proof of concept that provides a response to the problem set. This work could be integrated into the digital identity & wallet demo by Worldline.

Integration of BBS+ into the W3C VCDM

As explained earlier above, BBS+ is a signature scheme. The issuer issues a VCDM-compliant verifiable credential with a BBS+ digital signature. This credential encloses several details. However, BBS+ allows obfuscating some messages of the original message. Using this feature, the user can then present a verifiable presentation that only contain the original credential with only the relevant details for the transaction (e.g., only the name), along with a proof that is derived from the original signature and credential. This way, the verifier that receives the verifiable presentation will be able to verify, both the relevant claims while ensuring the credentials have not been tampered with. Figure 3 illustrates this process and Figure 4 shows the resulting verifiable credential after obfuscation of some details of the credential in Figure 2.

Figure3
Figure 3: BBS+ steps in combination of W3C VCDM

If the user makes another purchase with a verifiable presentation derived from the same original credential, BBS+ ensures that the merchant cannot link the two purchases to the user (i.e., unlikability).

Figure4
Figure 4: The resulting verifiable credential after obfuscation of all but name and gender attributes in the VC in Figure 2.

For our work toward a digital identity project at Worldline, we follow the set of assumptions found in [BBB+18] and [CDL16]. Recent work on BBS+ has been published by [BBS-IETF24] and [BBS23].

Based on recent open-source libraries, we developed an experimental API that enables the use of VCDM-compliant verifiable credentials with BBS+. The API allows to issue, generate a proof (i.e., derivation), present and verify verifiable credentials that are following the W3C data model.

Additions can be done to make the use of BBS+ with VCDM even more flexible and secured. Predicates and compound proofs are interesting improvements:

  • Predicates allow hidden values to be used in operations with a value provided by the verifier. For example, predicates can be used to prove that the holder’s bank account balance is above a certain threshold, without revealing the balance. BBS+ supports partially this property. However, it is achievable only using support of cryptography primitives.

  • Compound proofs allow to combine attributes from different credentials together in a new credentials. Achieving this would enable even stricter selective disclosure and optimized transactions.

Conclusion

While BBS+ was not taken on in the current eIDAS ARF, it possesses all the features to enable a secured digital identity ecosystem. It provides zero knowledge, proof of knowledge and selective disclosure. The features make possible the implementation of the concept of anonymous credentials. Moreover, BBS+ is more efficient and experimental work proved that BBS+ calculations can be done on SIM cards [BBDT16]. As it gets standardized and adopted by the community, we envision BBS+ as the future of digital identity.

References

[EUDIW] European Commission. Commission welcomes final agreement on EU Digital Identity Wallet, 2023, Available at Final agreement on EU Digital Identity Wallet (europa.eu)

[BBS04] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In Matthew Franklin, editor, CRYPTO 2004, volume 3152 of LNCS, pages 41–55. Springer, Heidelberg, August 2004.

[BBDT16] Barki, A., Brunet, S., Desmoulins, N., Traoré, J. (2017). Improved Algebraic MACs and Practical Keyed-Verification Anonymous Credentials. In: Avanzi, R., Heys, H. (eds) Selected Areas in Cryptography – SAC 2016. SAC 2016. Lecture Notes in Computer Science(), vol 10532. Springer, Cham.

[BBS-IETF24] Tobias Looker , Vasilis Kalos , Andrew Whitehead , Mike Lodder (calid till June 2024). The BBS Signature Scheme. Available at The BBS Signature Scheme (ietf.org).

[CDL16] Jan Camenisch, Manu Drijvers, and Anja Lehmann. Anonymous attestation using the strong diffie hellman assumption revisited. In TRUST, volume 9824 of Lecture Notes in Computer Science, pages 1–20. Springer, 2016.

[SABD18] [SABD18] , Alberto Sonnino, Mustafa Al-Bassam, Shehar Bano, and George Danezis. Coconut: Threshold issuance selective disclosure credentials with applications to distributed ledgers. CoRR, abs/1802.07344, 2018.

[CKS09] Jan Camenisch, Markulf Kohlweiss, and Claudio Soriente. An accumulator based on bilinear maps and efficient revocation for anonymous credentials. In Public Key Cryptography, volume 5443 of lecture Notes in Computer Science, pages 481–500. Springer, 2009

[CL02] Jan Camenisch and Anna Lysyanskaya. A signature scheme with efficient protocols. In SCN, volume 2576 of Lecture Notes in Computer Science, pages 268–289. Springer, 2002.

[CCs08] Jan Camenisch, Rafik Chaabouni, and abhi shelat. Efficient protocols for set membership and range proofs. pages 234–252, 2008.

[LKWL22] Tobias Looker, Vasilis Kalos, Andrew Whitehead, and Mike Lodder. The bbs signature scheme. Internet Engineering Task Force, 2022. https://identity.foundation/bbs-signature/ draft-irtf-cfrg-bbs-signatures.html.

[DGPS22] Moumita Dutta , Chaya Ganesh , Sikhar Patranabis, and Nitin Singh. Compute, but Verify: Efficient Multiparty Computation over Authenticated Inputs. Cryptology ePrint Archive, 2022. https://eprint.iacr.org/2022/1648 .

[W3C-VCDM] Verifiable Credentials Data Model v1.1. Available at Verifiable Credentials Data Model v1.1 (w3.org)

[CL-signature] Jan Camenisch, Anna Lysyanskaya, 2003. A Signature Scheme with Efficient Protocols. Available at https://link.springer.com/chapter/10.1007/3-540-36413-7_20 .

[BBS23] Stefano Tessaro and Chenzhi Zhu, 2023. Revisiting BBS Signatures. Available at 275.pdf (iacr.org).

[ARF] European Digital Identity Architecture and Reference Framework – Outline, 2022. Available at European Digital Identity Architecture and Reference Framework – Outline | Shaping Europe’s digital future (europa.eu).