This specification describes the BBS+ Signature Suite created in 2020 for the Data Integrity specification. The Signature Suite utilizes BBS+ signatures to provide the capability of zero knowledge proof disclosures.
This is an experimental specification and is undergoing regular revisions. It is not fit for production deployment.
This specification defines a set of cryptographic suites for the purpose of creating, verifying and deriving proofs for BBS+ Signatures in conformance with the Data Integrity [[DATA-INTEGRITY]] specification.
In general, the suites use the RDF Dataset Normalization Algorithm [[RDF-DATASET-NORMALIZATION]] to transform an input document into its canonical form. The statement digest algorithm is then used to digest each statement to be signed individually, and finally the digested statements are signed using the defined signature algorithm.
BBS+ signatures [[BBS]] are compatible with any pairing friendly elliptic curve; however, the cryptographic suites defined in this document only allow the usage of BLS12-381, for interoperability purposes.
The following terms are used to describe concepts involved in the generation and verification of the Data Integrity signature suite.
Defined in [[PAIRING-FRIENDLY-CURVES]], BLS12-381 is an elliptic curve that features a unique property only present in a subset of elliptic curves known as being pairing friendly.
Because of the pairing friendly property, BLS12-381 can be used to construct digital signatures that have unique properties, such as aggregatable signatures and/or signatures that support zero knowledge proof disclosure.
With pairing friendly elliptic curves, there are two fields, denoted G1 and G2, in which signatures and public keys can exist. Importantly, however, a public key and a signature generated using the public key cannot exist in the same field.
Because of the properties of the two fields, the choice of which field to use for signatures and which to use for public key generation carries different performance characteristics. In general, operations are faster in G1 and the resulting commitments are smaller. This definition of BBS+ signatures opts to make signatures, rather than key generation, faster and smaller to create.
The following section defines the representation of the Bls12381G1Key2020.
The key's definition MUST have an attribute of publicKeyBase58, and its value MUST be a base58 encoded BLS12-381 public key in the G1 field, where the BLS12-381 public key is the raw 48 byte x co-ordinate defining the commitment.
A simple example of a Bls12381G1Key2020:
{ "id": "did:example:123#key-0", "type": "Bls12381G1Key2020", "controller": "did:example:123", "publicKeyBase58": "7cJGQwV5XyzUjJEzY5doVhv62Qqou6qW7G4eh9YbUywgyeDCobiXjN8CnQ7wpWBrGR" }
{ "id": "did:example:123#key-0", "type": "Bls12381G1Key2020", "controller": "did:example:123", "publicKeyJwk": { "kty": "EC", "crv": "BLS12381_G1", "x": "tCgCNuUYQotPEsrljWi-lIRIPpzhqsnJV1NPnE7je6glUb-FJm9IYkuv2hbHw22i" } }
The following section defines the representation of the Bls12381G2Key2020.
The key's definition MUST have an attribute of publicKeyBase58, and its value MUST be a base58 encoded BLS12-381 public key in the G2 field, where the BLS12-381 public key is the concatenation of the 2 raw 48 byte x co-ordinates defining the commitment.
A simple example of a Bls12381G2Key2020:
{ "id": "did:example:123#key-1", "type": "Bls12381G2Key2020", "controller": "did:example:123", "publicKeyBase58" : "oqpWYKaZD9M1Kbe94BVXpr8WTdFBNZyKv48cziTiQUeuhm7sBhCABMyYG4kcMrseC68YTFFgyhiNeBKjzdKk9MiRWuLv5H4FFujQsQK2KTAtzU8qTBiZqBHMmnLF4PL7Ytu" }
{ "id": "did:example:123#key-1", "type": "Bls12381G2Key2020", "controller": "did:example:123", "publicKeyJwk": { "crv": "BLS12381_G2", "kty": "EC", "x": "h_rkcTKXXzRbOPr9UxSfegCbid2U_cVNXQUaKeGF7UhwrMJFP70uMH0VQ9-3-_2zDPAAjflsdeLkOXW3-ShktLxuPy8UlXSNgKNmkfb-rrj-FRwbs13pv_WsIf-eV66-" } }
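A length check for the publicKeyBase58 form of the two key types above, as an added example that is not part of the specification. It assumes the Bitcoin base58 alphabet (the page only says "base58"), the names `b58decode`, `b58encode` and `check_key` are hypothetical, and it checks encoding and byte length only, not whether the bytes are a valid curve point.

```python
# Added example, not code from the specification.
# Assumption: "base58" means the Bitcoin alphabet.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Raw key sizes stated on the page: 48 bytes in G1, 2 x 48 bytes in G2.
EXPECTED_LEN = {"Bls12381G1Key2020": 48, "Bls12381G2Key2020": 96}


def b58decode(text):
    """Decode base58 text to bytes, keeping leading zero bytes ('1' characters)."""
    n = 0
    for ch in text:
        idx = B58.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def b58encode(raw):
    """Encode bytes as base58 (used here only to build constructed samples)."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def check_key(vm):
    """Return a list of problems with a verification method's publicKeyBase58."""
    expected = EXPECTED_LEN.get(vm.get("type"))
    if expected is None:
        return [f"unsupported key type {vm.get('type')!r}"]
    encoded = vm.get("publicKeyBase58")
    if not isinstance(encoded, str) or not encoded:
        return ["publicKeyBase58 is missing or not a string"]
    try:
        raw = b58decode(encoded)
    except ValueError as exc:
        return [str(exc)]
    if len(raw) != expected:
        return [f"{vm['type']} key is {len(raw)} bytes, expected {expected}"]
    return []


if __name__ == "__main__":
    # Constructed byte strings, not real curve points.
    g1 = {"type": "Bls12381G1Key2020", "publicKeyBase58": b58encode(bytes(range(1, 49)))}
    mislabelled = dict(g1, type="Bls12381G2Key2020")
    print(check_key(g1), check_key(mislabelled))
```

A key that passes this check still has to be accepted by the BBS+ library, which is where point validity is decided.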
The BBS+ signature suite 2020 MUST be used in conjunction with the signing and verification algorithms in the Data Integrity [[DATA-INTEGRITY]] specification. The suite consists of the following algorithms:
Parameter | Value | Specification |
---|---|---|
canonicalization algorithm | https://w3id.org/security#URDNA2015 | [[RDF-DATASET-NORMALIZATION]] |
statement digest algorithm | Blake2b | [[BLAKE2]] |
signature algorithm | BBS+ Signature | [[BBS]] |
curve name | BLS12-381 | [[PAIRING-FRIENDLY-CURVES]] |
In order to support selective disclosure of statements, the create verify data algorithm has been modified from its original definition.
The algorithm defined below outlines the process of obtaining the data in the form required for both signing and verifying.
The following section outlines the terms used by the BBS+ Signature Suite.
To identify the type of data integrity proof that is attached to a linked data document, the type attribute is used as defined in [[DATA-INTEGRITY]].
The term BbsBlsSignature2020 is used to indicate when a data integrity proof is of type BBS+ Signature.
A linked data document featuring a BBS+ Signature data integrity proof MUST contain a proof element that has a type equal to BbsBlsSignature2020.
{
"@context": [
"http://schema.org/",
"https://w3id.org/security/v2",
"https://w3id.org/security/bbs/v1"
],
"@type": "Person",
"firstName": "Jane",
"lastName": "Does",
"jobTitle": "Professor",
"telephone": "(425) 123-4567",
"email": "jane.doe@example.com",
"proof": {
"type": "BbsBlsSignature2020",
"created": "2020-04-25",
"verificationMethod": "did:example:489398593#test",
"proofPurpose": "assertionMethod",
"proofValue": "F9uMuJzNBqj4j+HPTvWjUN/MNoe6KRH0818WkvDn2Sf7kg1P17YpNyzSB+CH57AWDFunU13tL8oTBDpBhODckelTxHIaEfG0rNmqmjK6DOs0/ObksTZh7W3OTbqfD2h4C/wqqMQHSWdXXnojwyFDEg==",
"requiredRevealStatements": [ 4, 5 ]
}
}
When a digital signature is produced, it is often useful to capture when this occurred. The created attribute can be used to communicate this as defined in [[DATA-INTEGRITY]].
A linked data document featuring a BBS+ Signature data integrity proof MAY contain a created attribute with a value corresponding to an [[!ISO8601]] combined date and time string.
{
"@context": [
"http://schema.org/",
"https://w3id.org/security/v2",
"https://w3id.org/security/bbs/v1"
],
"@type": "Person",
"firstName": "Jane",
"lastName": "Does",
"jobTitle": "Professor",
"telephone": "(425) 123-4567",
"email": "jane.doe@example.com",
"proof": {
"type": "BbsBlsSignature2020",
"created": "2020-04-25",
"verificationMethod": "did:example:489398593#test",
"proofPurpose": "assertionMethod",
"proofValue": "F9uMuJzNBqj4j+HPTvWjUN/MNoe6KRH0818WkvDn2Sf7kg1P17YpNyzSB+CH57AWDFunU13tL8oTBDpBhODckelTxHIaEfG0rNmqmjK6DOs0/ObksTZh7W3OTbqfD2h4C/wqqMQHSWdXXnojwyFDEg==",
"requiredRevealStatements": [ 4, 5 ]
}
}
When using [[JSON-LD]] to exchange data between more than one software system, it's important to use terminology that both of the software systems can understand.
In [[JSON-LD]] this common terminology is identified with the usage of URIs. However, those URIs can be long and not human friendly for implementors to work with.
In such cases, aliases that are presented in a short-form can be used to ease this burden. This specification relies on the @context property in [[JSON-LD]] to map short-form aliases to the long form URIs required by this signature suite. It's RECOMMENDED that https://w3id.org/security/bbs/v1 is used within the @context property to map the short-form aliases to long form URIs.
{
"@context": [
"http://schema.org/",
"https://w3id.org/security/v2",
"https://w3id.org/security/bbs/v1"
],
"@type": "Person",
"firstName": "Jane",
"lastName": "Does",
"jobTitle": "Professor",
"telephone": "(425) 123-4567",
"email": "jane.doe@example.com",
"proof": {
"type": "BbsBlsSignature2020",
"created": "2020-04-25",
"verificationMethod": "did:example:489398593#test",
"proofPurpose": "assertionMethod",
"proofValue": "F9uMuJzNBqj4j+HPTvWjUN/MNoe6KRH0818WkvDn2Sf7kg1P17YpNyzSB+CH57AWDFunU13tL8oTBDpBhODckelTxHIaEfG0rNmqmjK6DOs0/ObksTZh7W3OTbqfD2h4C/wqqMQHSWdXXnojwyFDEg==",
"requiredRevealStatements": [ 4, 5 ]
}
}
When verifying a digital signature, public key material of the signer is required. The verificationMethod attribute is used to communicate this as defined in [[DATA-INTEGRITY]].
A linked data document featuring a BBS+ Signature data integrity proof MUST contain a verificationMethod attribute with a value that is either the verification method required to verify the data integrity proof or a URI that, when dereferenced, results in the verification method required to verify the data integrity proof.
The verification method MUST be of type Bls12381G2Key2020.
{
"@context": [
"http://schema.org/",
"https://w3id.org/security/v2",
"https://w3id.org/security/bbs/v1"
],
"@type": "Person",
"firstName": "Jane",
"lastName": "Does",
"jobTitle": "Professor",
"telephone": "(425) 123-4567",
"email": "jane.doe@example.com",
"proof": {
"type": "BbsBlsSignature2020",
"created": "2020-04-25",
"verificationMethod": "did:example:489398593#test",
"proofPurpose": "assertionMethod",
"proofValue": "F9uMuJzNBqj4j+HPTvWjUN/MNoe6KRH0818WkvDn2Sf7kg1P17YpNyzSB+CH57AWDFunU13tL8oTBDpBhODckelTxHIaEfG0rNmqmjK6DOs0/ObksTZh7W3OTbqfD2h4C/wqqMQHSWdXXnojwyFDEg==",
"requiredRevealStatements": [ 4, 5 ]
}
}
A proof purpose defines what the purpose of the created proof was and is used to detect whether the verification method has been used correctly.
A linked data document featuring a BBS+ Signature data integrity proof MUST contain a proofPurpose attribute with a value that is defined in [[DATA-INTEGRITY]].
{
"@context": [
"http://schema.org/",
"https://w3id.org/security/v2",
"https://w3id.org/security/bbs/v1"
],
"@type": "Person",
"firstName": "Jane",
"lastName": "Does",
"jobTitle": "Professor",
"telephone": "(425) 123-4567",
"email": "jane.doe@example.com",
"proof": {
"type": "BbsBlsSignature2020",
"created": "2020-04-25",
"verificationMethod": "did:example:489398593#test",
"proofPurpose": "assertionMethod",
"proofValue": "F9uMuJzNBqj4j+HPTvWjUN/MNoe6KRH0818WkvDn2Sf7kg1P17YpNyzSB+CH57AWDFunU13tL8oTBDpBhODckelTxHIaEfG0rNmqmjK6DOs0/ObksTZh7W3OTbqfD2h4C/wqqMQHSWdXXnojwyFDEg==",
"requiredRevealStatements": [ 4, 5 ]
}
}
When producing a digital signature that is capable of selective disclosure over a set of signed statements, it is useful for the signer to be able to express, as a part of the proof, which statements must be revealed in a derived proof.
A linked data document featuring a BBS+ Signature data integrity proof MUST contain a requiredRevealStatements attribute with a value that is an array of unsigned integers representing the indices of the statements in the canonical form that MUST always be revealed in a derived proof. The indices corresponding to the statements for the verificationMethod and proofPurpose as a part of the data integrity proof MUST always be present.
{
"@context": [
"http://schema.org/",
"https://w3id.org/security/v2",
"https://w3id.org/security/bbs/v1"
],
"@type": "Person",
"firstName": "Jane",
"lastName": "Does",
"jobTitle": "Professor",
"telephone": "(425) 123-4567",
"email": "jane.doe@example.com",
"proof": {
"type": "BbsBlsSignature2020",
"created": "2020-04-25",
"verificationMethod": "did:example:489398593#test",
"proofPurpose": "assertionMethod",
"proofValue": "F9uMuJzNBqj4j+HPTvWjUN/MNoe6KRH0818WkvDn2Sf7kg1P17YpNyzSB+CH57AWDFunU13tL8oTBDpBhODckelTxHIaEfG0rNmqmjK6DOs0/ObksTZh7W3OTbqfD2h4C/wqqMQHSWdXXnojwyFDEg==",
"requiredRevealStatements": [ 4, 5 ]
}
}
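Why each statement is digested on its own, and how requiredRevealStatements indices refer to positions in the canonical form, shown as an added illustration that is not the specification's create verify data algorithm. The statements are constructed rather than produced by a real URDNA2015 run, the 64-byte Blake2b output size is an assumption, and the function names are hypothetical.

```python
# Added example, not code from the specification.
import hashlib

# Constructed sample: six statements laid out like a canonical N-Quads
# document (one statement per line). Not the output of a real URDNA2015 run.
CANONICAL = [
    '_:c14n0 <http://schema.org/email> "jane.doe@example.com" .',
    '_:c14n0 <http://schema.org/firstName> "Jane" .',
    '_:c14n0 <http://schema.org/jobTitle> "Professor" .',
    '_:c14n0 <http://schema.org/lastName> "Does" .',
    '_:c14n0 <http://schema.org/telephone> "(425) 123-4567" .',
    '_:c14n0 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://schema.org/Person> .',
]


def digest_statements(statements, digest_size=64):
    """Blake2b digest of each statement on its own (digest_size is an assumption)."""
    return [hashlib.blake2b(s.encode("utf-8"), digest_size=digest_size).digest()
            for s in statements]


def changed_indices(before, after):
    """Indices whose digest differs between two equally long statement lists."""
    if len(before) != len(after):
        raise ValueError("statement lists differ in length")
    pairs = zip(digest_statements(before), digest_statements(after))
    return [i for i, (x, y) in enumerate(pairs) if x != y]


def check_reveal(total, required, revealed):
    """Problems with a reveal set, given requiredRevealStatements from the proof.

    total    -- number of statements in the canonical form
    required -- the proof's requiredRevealStatements array
    revealed -- indices a holder intends to reveal in a derived proof
    """
    problems = []
    for i in sorted(set(required) | set(revealed)):
        if not 0 <= i < total:
            problems.append(f"index {i} is outside the {total} canonical statements")
    for i in sorted(set(required) - set(revealed)):
        problems.append(f"required statement {i} is not revealed")
    return problems


if __name__ == "__main__":
    edited = list(CANONICAL)
    edited[2] = edited[2].replace("Professor", "Dean")
    # Only the digest of the edited statement changes; the others can be
    # withheld or revealed independently of it.
    print(changed_indices(CANONICAL, edited))
    print(check_reveal(len(CANONICAL), [4, 5], [0, 4]))
```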
The raw value output by computing a sign operation must feature in the proof in order for parties to verify the signature.
A linked data document featuring a BBS+ Signature data integrity proof MUST contain a proofValue attribute with a value defined by the signing algorithm described in this specification.
{
"@context": [
"http://schema.org/",
"https://w3id.org/security/v2",
"https://w3id.org/security/bbs/v1"
],
"@type": "Person",
"firstName": "Jane",
"lastName": "Does",
"jobTitle": "Professor",
"telephone": "(425) 123-4567",
"email": "jane.doe@example.com",
"proof": {
"type": "BbsBlsSignature2020",
"created": "2020-04-25",
"verificationMethod": "did:example:489398593#test",
"proofPurpose": "assertionMethod",
"proofValue": "F9uMuJzNBqj4j+HPTvWjUN/MNoe6KRH0818WkvDn2Sf7kg1P17YpNyzSB+CH57AWDFunU13tL8oTBDpBhODckelTxHIaEfG0rNmqmjK6DOs0/ObksTZh7W3OTbqfD2h4C/wqqMQHSWdXXnojwyFDEg==",
"requiredRevealStatements": [ 4, 5 ]
}
}
A BBS proof of knowledge data integrity proof is a proof that is derived from a BbsBlsSignature2020 data integrity proof, whereby a sub-set of the original statements are revealed.
The BBS+ proof of knowledge signature suite MUST be used in conjunction with the signing and verification algorithms in the Data Integrity [[DATA-INTEGRITY]] specification. The suite consists of the following algorithms:
Parameter | Value | Specification |
---|---|---|
canonicalization algorithm | https://w3id.org/security#URDNA2015 | [[RDF-DATASET-NORMALIZATION]] |
statement digest algorithm | Blake2b | [[BLAKE2]] |
signature algorithm | BBS+ Signature | [[BBS]] |
curve name | BLS12-381 | [[PAIRING-FRIENDLY-CURVES]] |
The following section outlines the terms used by the BBS+ proof of knowledge signature suite.
To identify the type of data integrity proof that is attached to a linked data document, the type attribute is used as defined in [[DATA-INTEGRITY]].
The term BbsSignatureProof2020 is used to indicate when a data integrity proof is of type BBS+ proof of knowledge.
A linked data document featuring a BBS+ proof of knowledge data integrity proof MUST contain a type attribute that has a type equal to BbsSignatureProof2020.
{
"@context": [
"http://schema.org/",
"https://w3id.org/security/v2",
"https://w3id.org/security/bbs/v1"
],
"id": "urn:bnid:_:c14n0",
"email": "jane.doe@example.com",
"firstName": "Jane",
"jobTitle": "Professor",
"lastName": "Does",
"telephone": "(425) 123-4567",
"proof": {
"type": "BbsBlsSignatureProof2020",
"created": "2020-04-25",
"verificationMethod": "did:example:489398593#test",
"proofPurpose": "assertionMethod",
"proofValue": "kTTbA3pmDa6Qia/JkOnIXDLmoBz3vsi7L5t3DWySI/VLmBqleJ/Tbus5RoyiDERDBEh5rnACXlnOqJ/U8yFQFtcp/mBCc2FtKNPHae9jKIv1dm9K9QK1F3GI1AwyGoUfjLWrkGDObO1ouNAhpEd0+et+qiOf2j8p3MTTtRRx4Hgjcl0jXCq7C7R5/nLpgimHAAAAdAx4ouhMk7v9dXijCIMaG0deicn6fLoq3GcNHuH5X1j22LU/hDu7vvPnk/6JLkZ1xQAAAAIPd1tu598L/K3NSy0zOy6obaojEnaqc1R5Ih/6ZZgfEln2a6tuUp4wePExI1DGHqwj3j2lKg31a/6bSs7SMecHBQdgIYHnBmCYGNQnu/LZ9TFV56tBXY6YOWZgFzgLDrApnrFpixEACM9rwrJ5ORtxAAAAAgE4gUIIC9aHyJNa5TBklMOh6lvQkMVLXa/vEl+3NCLXblxjgpM7UEMqBkE9/QcoD3Tgmy+z0hN+4eky1RnJsEg=",
"nonce": "6i3dTz5yFfWJ8zgsamuyZa4yAHPm75tUOOXddR6krCvCYk77sbCOuEVcdBCDd/l6tIY="
}
}
A linked data document featuring a BBS+ Signature data integrity proof MAY contain a created attribute with a value corresponding to an [[!ISO8601]] combined date and time string.
{
"@context": [
"http://schema.org/",
"https://w3id.org/security/v2",
"https://w3id.org/security/bbs/v1"
],
"id": "urn:bnid:_:c14n0",
"email": "jane.doe@example.com",
"firstName": "Jane",
"jobTitle": "Professor",
"lastName": "Does",
"telephone": "(425) 123-4567",
"proof": {
"type": "BbsBlsSignatureProof2020",
"created": "2020-04-25",
"verificationMethod": "did:example:489398593#test",
"proofPurpose": "assertionMethod",
"proofValue": "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",
"nonce": "6i3dTz5yFfWJ8zgsamuyZa4yAHPm75tUOOXddR6krCvCYk77sbCOuEVcdBCDd/l6tIY="
}
}
A linked data document featuring a BBS+ proof of knowledge data integrity proof MUST contain a verificationMethod attribute with a value that is equal to that of the BbsBlsSignature2020 from which the proof is derived.
{
"@context": [
"http://schema.org/",
"https://w3id.org/security/v2",
"https://w3id.org/security/bbs/v1"
],
"id": "urn:bnid:_:c14n0",
"email": "jane.doe@example.com",
"firstName": "Jane",
"jobTitle": "Professor",
"lastName": "Does",
"telephone": "(425) 123-4567",
"proof": {
"type": "BbsBlsSignatureProof2020",
"created": "2020-04-25",
"verificationMethod": "did:example:489398593#test",
"proofPurpose": "assertionMethod",
"proofValue": "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",
"nonce": "6i3dTz5yFfWJ8zgsamuyZa4yAHPm75tUOOXddR6krCvCYk77sbCOuEVcdBCDd/l6tIY="
}
}
A linked data document featuring a BBS+ proof of knowledge data integrity proof MUST contain a proofPurpose attribute with a value that is equal to that of the BbsBlsSignature2020 from which the proof is derived.
{
"@context": [
"http://schema.org/",
"https://w3id.org/security/v2",
"https://w3id.org/security/bbs/v1"
],
"id": "urn:bnid:_:c14n0",
"email": "jane.doe@example.com",
"firstName": "Jane",
"jobTitle": "Professor",
"lastName": "Does",
"telephone": "(425) 123-4567",
"proof": {
"type": "BbsBlsSignatureProof2020",
"created": "2020-04-25",
"verificationMethod": "did:example:489398593#test",
"proofPurpose": "assertionMethod",
"proofValue": "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",
"nonce": "6i3dTz5yFfWJ8zgsamuyZa4yAHPm75tUOOXddR6krCvCYk77sbCOuEVcdBCDd/l6tIY="
}
}
The raw value output by computing a derive proof operation must feature in the proof in order for parties to be able to verify the proof.
A linked data document featuring a BBS+ proof of knowledge data integrity proof MUST contain a proofValue attribute with a value defined by the derive proof algorithm described in this specification.
{
"@context": [
"http://schema.org/",
"https://w3id.org/security/v2",
"https://w3id.org/security/bbs/v1"
],
"id": "urn:bnid:_:c14n0",
"email": "jane.doe@example.com",
"firstName": "Jane",
"jobTitle": "Professor",
"lastName": "Does",
"telephone": "(425) 123-4567",
"proof": {
"type": "BbsBlsSignatureProof2020",
"created": "2020-04-25",
"verificationMethod": "did:example:489398593#test",
"proofPurpose": "assertionMethod",
"proofValue": "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",
"nonce": "6i3dTz5yFfWJ8zgsamuyZa4yAHPm75tUOOXddR6krCvCYk77sbCOuEVcdBCDd/l6tIY="
}
}
When a proof is derived, it is often useful to prove to the audience of the proof the uniqueness or freshness of the proof. The nonce attribute can be used to communicate this.
A linked data document featuring a BBS+ proof of knowledge data integrity proof MUST contain a nonce attribute.
{
"@context": [
"http://schema.org/",
"https://w3id.org/security/v2",
"https://w3id.org/security/bbs/v1"
],
"id": "urn:bnid:_:c14n0",
"email": "jane.doe@example.com",
"firstName": "Jane",
"jobTitle": "Professor",
"lastName": "Does",
"telephone": "(425) 123-4567",
"proof": {
"type": "BbsBlsSignatureProof2020",
"created": "2020-04-25",
"verificationMethod": "did:example:489398593#test",
"proofPurpose": "assertionMethod",
"proofValue": "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",
"nonce": "6i3dTz5yFfWJ8zgsamuyZa4yAHPm75tUOOXddR6krCvCYk77sbCOuEVcdBCDd/l6tIY="
}
}
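The MUST requirements on proof attributes in the two term sections above can be checked before any cryptographic verification is attempted. The following is an added example, not part of the specification; the function names are hypothetical, the proofValue strings are constructed placeholders, and the derived proof's type name is not checked.

```python
# Added example, not code from the specification.
REQUIRED_SIGNATURE_ATTRS = ("verificationMethod", "proofPurpose",
                            "requiredRevealStatements", "proofValue")


def check_signature_proof(proof):
    """Return a list of problems for a BbsBlsSignature2020 proof object."""
    problems = []
    if proof.get("type") != "BbsBlsSignature2020":
        problems.append("type is not BbsBlsSignature2020")
    for attr in REQUIRED_SIGNATURE_ATTRS:
        if attr not in proof:
            problems.append(f"missing {attr}")
    indices = proof.get("requiredRevealStatements")
    if indices is not None:
        # bool is a subclass of int in Python, so exclude it explicitly.
        ok = isinstance(indices, list) and all(
            isinstance(i, int) and not isinstance(i, bool) and i >= 0
            for i in indices)
        if not ok:
            problems.append("requiredRevealStatements is not an array of unsigned integers")
    # verificationMethod may be a URI or the verification method itself;
    # the key type can only be checked here in the embedded case.
    vm = proof.get("verificationMethod")
    if isinstance(vm, dict) and vm.get("type") != "Bls12381G2Key2020":
        problems.append("verification method is not of type Bls12381G2Key2020")
    return problems


def check_derived_proof(original, derived):
    """Return problems for a derived proof, compared with the proof it came from."""
    problems = []
    for attr in ("proofValue", "nonce"):
        if attr not in derived:
            problems.append(f"missing {attr}")
    for attr in ("verificationMethod", "proofPurpose"):
        if attr not in derived:
            problems.append(f"missing {attr}")
        elif derived[attr] != original.get(attr):
            problems.append(f"{attr} differs from the original proof")
    return problems


# Constructed samples; the proofValue and nonce strings are placeholders.
SIGNED = {
    "type": "BbsBlsSignature2020",
    "created": "2020-04-25",
    "verificationMethod": "did:example:489398593#test",
    "proofPurpose": "assertionMethod",
    "proofValue": "constructed-placeholder",
    "requiredRevealStatements": [4, 5],
}
DERIVED_OK = {
    "verificationMethod": "did:example:489398593#test",
    "proofPurpose": "assertionMethod",
    "proofValue": "constructed-placeholder",
    "nonce": "constructed-nonce",
}
DERIVED_BAD = {
    "verificationMethod": "did:example:489398593#test",
    "proofPurpose": "authentication",
    "proofValue": "constructed-placeholder",
}

if __name__ == "__main__":
    print(check_signature_proof(SIGNED))
    print(check_derived_proof(SIGNED, DERIVED_BAD))
```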
The BBS+ Bound signature suite 2020 adds a mechanism for recipient binding and is otherwise identical to the BBS+ signature suite 2020. It MUST be used in conjunction with the signing and verification algorithms in the Data Integrity [[DATA-INTEGRITY]] specification. The suite consists of the following algorithms:
Parameter | Value | Specification |
---|---|---|
canonicalization algorithm | https://w3id.org/security#URDNA2015 | [[RDF-DATASET-NORMALIZATION]] |
statement digest algorithm | Blake2b | [[BLAKE2]] |
signature algorithm | BBS+ Signature | [[BBS]] |
curve name | BLS12-381 | [[PAIRING-FRIENDLY-CURVES]] |
The create verify data algorithm defined below is identical to the create verify data algorithm defined for the BBS+ signature suite 2020, with the addition of steps to include recipient binding.
The algorithm defined below outlines the process of obtaining the data in the form required for both signing and verifying, plus the data required to bind to a recipient.
The following section outlines the terms used by the BBS+ Bound Signature Suite which differ from those terms used by the BBS+ Signature Suite. All other terms are the same in both suites.
Use the type attribute defined in [[DATA-INTEGRITY]] to identify the type of data integrity proof that is attached to a linked data document.
The term BbsBlsBoundSignature2020 is used to indicate when a data integrity proof is of type BBS+ Bound Signature.
A linked data document featuring a BBS+ Bound Signature data integrity proof MUST contain a proof element that has a type equal to BbsBlsBoundSignature2020.
{
"@context": [
"http://schema.org/",
"https://w3id.org/security/v2",
"https://w3id.org/security/bbs/v1"
],
"@type": "Person",
"firstName": "Jane",
"lastName": "Does",
"jobTitle": "Professor",
"telephone": "(425) 123-4567",
"email": "jane.doe@example.com",
"proof": {
"type": "BbsBlsBoundSignature2020",
"created": "2020-04-25",
"verificationMethod": "did:example:489398593#test",
"proofPurpose": "assertionMethod",
"proofValue": "F9uMuJzNBqj4j+HPTvWjUN/MNoe6KRH0818WkvDn2Sf7kg1P17YpNyzSB+CH57AWDFunU13tL8oTBDpBhODckelTxHIaEfG0rNmqmjK6DOs0/ObksTZh7W3OTbqfD2h4C/wqqMQHSWdXXnojwyFDEg=="
}
}
A BBS bound proof of knowledge data integrity proof is a proof that is derived from a BbsBlsBoundSignature2020 data integrity proof where a sub-set of the original statements are revealed.
The BBS+ bound proof of knowledge signature suite MUST be used in conjunction with the signing and verification algorithms in the Linked Data Proofs [[DATA-INTEGRITY]] specification. It adds a proof of recipient binding and is otherwise identical to the BBS+ proof of knowledge signature suite. The suite consists of the following algorithms:
Parameter | Value | Specification |
---|---|---|
canonicalization algorithm | https://w3id.org/security#URDNA2015 | [[RDF-DATASET-NORMALIZATION]] |
statement digest algorithm | Blake2b | [[BLAKE2]] |
signature algorithm | BBS+ Signature | [[BBS]] |
curve name | BLS12-381 | [[PAIRING-FRIENDLY-CURVES]] |
The following section outlines the terms used by the BBS+ bound proof of knowledge signature suite which differ from those terms used by the BBS+ proof of knowledge. All other terms are the same in both suites.
The type attribute is used to identify the type of data integrity proof that is attached to a linked data document as defined in [[DATA-INTEGRITY]].
The term BbsBoundSignatureProof2020 is used to indicate when a data integrity proof is of type BBS+ bound proof of knowledge.
A linked data document featuring a BBS+ bound proof of knowledge data integrity proof MUST contain a type attribute with a value of BbsBoundSignatureProof2020.
{
"@context": [
"http://schema.org/",
"https://w3id.org/security/v2",
"https://w3id.org/security/bbs/v1"
],
"id": "urn:bnid:_:c14n0",
"email": "jane.doe@example.com",
"firstName": "Jane",
"jobTitle": "Professor",
"lastName": "Does",
"telephone": "(425) 123-4567",
"proof": {
"type": "BbsBlsBoundSignatureProof2020",
"created": "2020-04-25",
"verificationMethod": "did:example:489398593#test",
"proofPurpose": "assertionMethod",
"proofValue": "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",
"nonce": "6i3dTz5yFfWJ8zgsamuyZa4yAHPm75tUOOXddR6krCvCYk77sbCOuEVcdBCDd/l6tIY="
}
}
In order to support selective disclosure of statements, the following derive proof algorithm has been defined.
The algorithm defined below outlines the process of obtaining the inputs into the derive proof algorithm.
The following section describes security considerations that developers implementing this specification should be aware of in order to create secure software.
Portions of the work on this specification have been funded by the United States Department of Homeland Security's (US DHS) Silicon Valley Innovation Program under contracts 70RSAT20T00000003, and 70RSAT20T00000033. The content of this specification does not necessarily reflect the position or the policy of the U.S. Government and no official endorsement should be inferred.