This specification describes the BBS+ Signature Suite created in 2020 for the Data Integrity specification. The Signature Suite utilizes BBS+ signatures to provide the capability of zero knowledge proof disclosures.

This is an experimental specification and is undergoing regular revisions. It is not fit for production deployment.

Introduction

This specification defines a set of cryptographic suites for the purpose of creating, verifying and deriving proofs for BBS+ Signatures in conformance with the Data Integrity [[DATA-INTEGRITY]] specification.

In general the suites uses the RDF Dataset Normalization Algorithm [[RDF-DATASET-NORMALIZATION]] to transform an input document into its canonical form. It then uses the statement digest algorithm to digest each statement to be signed individually, finally the digested statements are signed using the defined signature algorithm.

BBS+ signatures [[BBS]] are compatible with any pairing friendly elliptic curve, however the cryptographic suites defined in this document elect to only allow the usage of the BLS12-381 for interoperability purposes.

Terminology

The following terms are used to describe concepts involved in the generation and verification of the Data Integrity signature suite.

signature suite
A specified set of cryptographic primitives typically consisting of a canonicalization algorithm, a message digest algorithm, and a signature algorithm that are bundled together by cryptographers for developers for the purposes of safety and convenience.
canonicalization algorithm
An algorithm that takes an input document that has more than one possible representation and always transforms it into a canonical form. This process is sometimes also called normalization.
canonical form
The output of applying a canonicalization algorithm to an input document.
statement
n-quads statements are a sequence of RDF terms representing the subject, predicate, object and graph label. See the grammar definition here.
statement digest algorithm
An algorithm that takes a statement and produces a cryptographic output message that is often many orders of magnitude smaller than the input message. These algorithms are often 1) very fast, 2) non-reversible, 3) cause the output to change significantly when even one bit of the input message changes, and 4) make it infeasible to find two different inputs for the same output.
statement digest
The result of the application of the statement digest algorithm to a statement
signature algorithm
An algorithm that takes an input message and produces an output value where the receiver of the message can mathematically verify that the message has not been modified in transit and came from someone possessing a particular secret.
selective disclosure
An information disclosure technique which is the process of deciding and disclosing a sub-set of information from an original information set.
data integrity proof document
A linked data document featuring one or more data integrity proofs.
revealed statements
The set of statements produced by applying the canonicalization algorithm to the reveal document.
derive proof algorithm
An algorithm that takes in a data integrity proof document featuring a data integrity proof that supports a derive proof algorithm along side a reveal document and derives a proof only revealing the statements defined in the reveal document.
derived proof
The product of apply the derive proof algorithm to an data integrity proof document and reveal document.
quad
A quad as specified by [[RDF-DATASET-NORMALIZATION]]
n-quad
An n-quad which is a line based, plain text format encoding of a quad as defined by [[RDF-N-Quads]].
data integrity proof
A data integrity proof which is a set of attributes that represent a linked data digital proof and the parameters required to verify it as defined by [[RDF-N-Quads]].
linked data document
A document comprised of linked data.
curve name
The name defining a particular cryptographic curve.
frame
A frame as specified by [[JSON-LD-FRAMING]] is a JSON-LD document, which describes the form for transforming another JSON-LD document using matching and embedding rules. A frame document allows additional keywords and certain map entries to describe the matching and transforming process.
JSON-LD document
A JSON-LD document as specified by [[JSON-LD-FRAMING]] is a is a serialization of an RDF dataset
framing algorithm
A Framing Algorithm as specified by [[JSON-LD-FRAMING]] is an algorithm that accomplishes the process of framing an input document to a given frame.
blank node
A blank node as specified by [[RDF-CONCEPTS]]. In short, it is a node in a graph that is neither an IRI, nor a literal.

BLS12-381

Defined in [[PAIRING-FRIENDLY-CURVES]], BLS12-381 is an elliptic curve that features a unique property only present in a subset of elliptic curves known as being pairing friendly.

Because of the pairing friendly property, BLS12-381 can be used to construct digital signatures that have unique properties, such as aggregatable signatures and or signatures that support zero knowledge proof disclosure.

TODO: Is the the below the correct place for the rationale?

With pairing friendly elliptic curves, there are two fields, denoted G1 and G2, for which signatures and public keys can exist. Importantly however both the public key and a signature generated using the public key cannot exist in the same field.

Due to the properties of the two fields, there are different associated performance characteristics to selecting which field to use for signatures vs which field to use for public key generation. In general operations are faster in G1 and the resulting commitments are smaller. With this definition of BBS+ signatures we have opted for signatures to be faster and smaller to create rather than key generation.

Bls 12-381 G1 Public Key

The following section defines the representation of the Bls12381G1Key2020

The keys definition MUST have an attribute of publicKeyBase58 and its value MUST be a base58 encoded BLS12-381 public key in the G1 field. Where the BLS12-381 public key is the raw 48 byte x co-ordinate defining the commitment.

A simple example of a Bls12381G1Key2020: 

        {
          "id": "did:example:123#key-0",
          "type": "Bls12381G1Key2020",
          "controller": "did:example:123",
          "publicKeyBase58": "7cJGQwV5XyzUjJEzY5doVhv62Qqou6qW7G4eh9YbUywgyeDCobiXjN8CnQ7wpWBrGR",
        }
      
        {
          "id": "did:example:123#key-0",
          "type": "Bls12381G1Key2020",
          "controller": "did:example:123",
          "publicKeyJwk": {
            "kty": "EC",
            "crv": "BLS12381_G1",
            "x": "tCgCNuUYQotPEsrljWi-lIRIPpzhqsnJV1NPnE7je6glUb-FJm9IYkuv2hbHw22i"
          }
        }

Bls 12-381 G2 Public Key

The following section defines the representation of the Bls12381G2Key2020

The keys definition MUST have an attribute of publicKeyBase58 and its value MUST be a base58 encoded BLS12-381 public key in the G2 field. Where the BLS12-381 public key is the concatenation of the 2 raw 48 byte x co-ordinates defining the commitment.

A simple example of a Bls12381G2Key2020: 

        {
          "id": "did:example:123#key-1",
          "type": "Bls12381G2Key2020",
          "controller": "did:example:123",
          "publicKeyBase58" : "oqpWYKaZD9M1Kbe94BVXpr8WTdFBNZyKv48cziTiQUeuhm7sBhCABMyYG4kcMrseC68YTFFgyhiNeBKjzdKk9MiRWuLv5H4FFujQsQK2KTAtzU8qTBiZqBHMmnLF4PL7Ytu"
        }
      
        {
          "id": "did:example:123#key-1",
          "type": "Bls12381G2Key2020",
          "controller": "did:example:123",
          "publicKeyJwk": {
            "crv": "BLS12381_G2",
            "kty": "EC",
            "x": "h_rkcTKXXzRbOPr9UxSfegCbid2U_cVNXQUaKeGF7UhwrMJFP70uMH0VQ9-3-_2zDPAAjflsdeLkOXW3-ShktLxuPy8UlXSNgKNmkfb-rrj-FRwbs13pv_WsIf-eV66-"
          }
        }

The BBS+ Signature Suite 2020

The BBS+ signature suite 2020 MUST be used in conjunction with the signing and verification algorithms in the Data Integrity [[DATA-INTEGRITY]] specification. The suite consists of the following algorithms:

Parameter Value Specification
canonicalization algorithm https://w3id.org/security#URDNA2015 [[RDF-DATASET-NORMALIZATION]]
statement digest algorithm Blake2b [[BLAKE2]]
signature algorithm BBS+ Signature [[BBS]]
curve name BLS12-381 [[PAIRING-FRIENDLY-CURVES]]

Modification to Algorithms

Create Verify Data Algorithm

In order to support selective disclosure of statements, the create verify data algorithm has been modified from its original definition.

The algorithm defined below, outlines the process of obtaining the data in the form required for both signing and verifying.

  1. Canonicalize the input document using the canonicalization algorithm to a set of statements represented as n-quads.
  2. Initialize an empty array of length equal to the number of statements, let this be known as the statement digests array.
  3. For each statement in order:
    1. Apply the statement digest algorithm to obtain a statement digest
    2. Insert the statement digest into the statement digests array which MUST maintain same order as the order of the statements returned from the canonicalization algorithm.
  4. Returned the statement digests array.

Terms

The following section outlines the terms used by the BBS+ Signature Suite.

Proof Type

To identify the type of data integrity proof that is attached to a linked data document, the type attribute defined in [[DATA-INTEGRITY]].

The term of BbsBlsSignature2020 is used to indicate when a data integrity proof is of type BBS+ Signature.

A linked data document featuring a BBS+ Signature data integrity proof MUST contain a proof element thats has a type equal to BbsBlsSignature2020. 

            {
              "@context": [
                "http://schema.org/",
                "https://w3id.org/security/v2",
                "https://w3id.org/security/bbs/v1"
              ],
              "@type": "Person",
              "firstName": "Jane",
              "lastName": "Does",
              "jobTitle": "Professor",
              "telephone": "(425) 123-4567",
              "email": "jane.doe@example.com",
              "proof": {
                "type": "BbsBlsSignature2020",
                "created": "2020-04-25",
                "verificationMethod": "did:example:489398593#test",
                "proofPurpose": "assertionMethod",
                "proofValue": "F9uMuJzNBqj4j+HPTvWjUN/MNoe6KRH0818WkvDn2Sf7kg1P17YpNyzSB+CH57AWDFunU13tL8oTBDpBhODckelTxHIaEfG0rNmqmjK6DOs0/ObksTZh7W3OTbqfD2h4C/wqqMQHSWdXXnojwyFDEg==",
                "requiredRevealStatements": [ 4, 5 ]
              }
            }

Created

When a digital signature is produced, it is often useful to capture when this occurred, the created attribute can be used to communicate this as defined in [[DATA-INTEGRITY]].

A linked data document featuring a BBS+ Signature data integrity proof MAY contain a created attribute with value a value corresponding to an [[!ISO8601]] combined date and time string. 

            {
              "@context": [
                "http://schema.org/",
                "https://w3id.org/security/v2",
                "https://w3id.org/security/bbs/v1"
              ],
              "@type": "Person",
              "firstName": "Jane",
              "lastName": "Does",
              "jobTitle": "Professor",
              "telephone": "(425) 123-4567",
              "email": "jane.doe@example.com",
              "proof": {
                "type": "BbsBlsSignature2020",
                "created": "2020-04-25",
                "verificationMethod": "did:example:489398593#test",
                "proofPurpose": "assertionMethod",
                "proofValue": "F9uMuJzNBqj4j+HPTvWjUN/MNoe6KRH0818WkvDn2Sf7kg1P17YpNyzSB+CH57AWDFunU13tL8oTBDpBhODckelTxHIaEfG0rNmqmjK6DOs0/ObksTZh7W3OTbqfD2h4C/wqqMQHSWdXXnojwyFDEg==",
                "requiredRevealStatements": [ 4, 5 ]
              }
            }

@context

When using [[JSON-LD]] to exchange data between more than one software system, it's important to use terminology that both of the software systems can understand. In [[JSON-LD]] this common terminology is identified with the usage of URIs. However, those URIs can be long and not human friendly for implementors to work with. In such cases, aliases that are presented in a short-form can be used to ease this burden. This specification relies on the @context property in [[JSON-LD]] to short-form aliases to long form URIs required by this signature suite. It's RECOMMENDED that https://w3id.org/security/bbs/v1 is used within the @context property to map the short-form aliases to long form URIs. 

            {
              "@context": [
                "http://schema.org/",
                "https://w3id.org/security/v2",
                "https://w3id.org/security/bbs/v1"
              ],
              "@type": "Person",
              "firstName": "Jane",
              "lastName": "Does",
              "jobTitle": "Professor",
              "telephone": "(425) 123-4567",
              "email": "jane.doe@example.com",
              "proof": {
                "type": "BbsBlsSignature2020",
                "created": "2020-04-25",
                "verificationMethod": "did:example:489398593#test",
                "proofPurpose": "assertionMethod",
                "proofValue": "F9uMuJzNBqj4j+HPTvWjUN/MNoe6KRH0818WkvDn2Sf7kg1P17YpNyzSB+CH57AWDFunU13tL8oTBDpBhODckelTxHIaEfG0rNmqmjK6DOs0/ObksTZh7W3OTbqfD2h4C/wqqMQHSWdXXnojwyFDEg==",
                "requiredRevealStatements": [ 4, 5 ]
              }
            }

Verification Method

When verifying a digital signature, public key material of the signer is required, the verificationMethod attribute is used to communicate this as defined in [[DATA-INTEGRITY]].

A linked data document featuring a BBS+ Signature data integrity proof MUST contain a verificationMethod attribute with a value that is either the verification method required to verify the data integrity proof or a URI that when dereferenced results in the verification method required to verify the data integrity proof.

The verification method MUST be of type Bls12381G2Key2020. 

            {
              "@context": [
                "http://schema.org/",
                "https://w3id.org/security/v2",
                "https://w3id.org/security/bbs/v1"
              ],
              "@type": "Person",
              "firstName": "Jane",
              "lastName": "Does",
              "jobTitle": "Professor",
              "telephone": "(425) 123-4567",
              "email": "jane.doe@example.com",
              "proof": {
                "type": "BbsBlsSignature2020",
                "created": "2020-04-25",
                "verificationMethod": "did:example:489398593#test",
                "proofPurpose": "assertionMethod",
                "proofValue": "F9uMuJzNBqj4j+HPTvWjUN/MNoe6KRH0818WkvDn2Sf7kg1P17YpNyzSB+CH57AWDFunU13tL8oTBDpBhODckelTxHIaEfG0rNmqmjK6DOs0/ObksTZh7W3OTbqfD2h4C/wqqMQHSWdXXnojwyFDEg==",
                "requiredRevealStatements": [ 4, 5 ]
              }
            }

Proof Purpose

A proof purpose defines what the purpose of the created proof was and is used to detect whether the verification method has been used correctly.

A linked data document featuring a BBS+ Signature data integrity proof MUST contain a proofPurpose attribute with a value that is defined in [[DATA-INTEGRITY]]. 

            {
              "@context": [
                "http://schema.org/",
                "https://w3id.org/security/v2",
                "https://w3id.org/security/bbs/v1"
              ],
              "@type": "Person",
              "firstName": "Jane",
              "lastName": "Does",
              "jobTitle": "Professor",
              "telephone": "(425) 123-4567",
              "email": "jane.doe@example.com",
              "proof": {
                "type": "BbsBlsSignature2020",
                "created": "2020-04-25",
                "verificationMethod": "did:example:489398593#test",
                "proofPurpose": "assertionMethod",
                "proofValue": "F9uMuJzNBqj4j+HPTvWjUN/MNoe6KRH0818WkvDn2Sf7kg1P17YpNyzSB+CH57AWDFunU13tL8oTBDpBhODckelTxHIaEfG0rNmqmjK6DOs0/ObksTZh7W3OTbqfD2h4C/wqqMQHSWdXXnojwyFDEg==",
                "requiredRevealStatements": [ 4, 5 ]
              }
            }

Required Reveal Statements

When producing a digital signature that is capable of selective disclosure with a set signed statements, it is useful for the signer to be able to express as apart of the proof which statements must be revealed in a derived proof

A linked data document featuring a BBS+ Signature data integrity proof MUST contain a requiredRevealStatements attribute with a value that is an array of un-signed integers representing the indicies of the statements in the canonical form that MUST always be revealed in a derived proof. The indicies corresponding to the statements for the verificationMethod and proofPurpose as apart of the data integrity proof MUST always be present. 

            {
              "@context": [
                "http://schema.org/",
                "https://w3id.org/security/v2",
                "https://w3id.org/security/bbs/v1"
              ],
              "@type": "Person",
              "firstName": "Jane",
              "lastName": "Does",
              "jobTitle": "Professor",
              "telephone": "(425) 123-4567",
              "email": "jane.doe@example.com",
              "proof": {
                "type": "BbsBlsSignature2020",
                "created": "2020-04-25",
                "verificationMethod": "did:example:489398593#test",
                "proofPurpose": "assertionMethod",
                "proofValue": "F9uMuJzNBqj4j+HPTvWjUN/MNoe6KRH0818WkvDn2Sf7kg1P17YpNyzSB+CH57AWDFunU13tL8oTBDpBhODckelTxHIaEfG0rNmqmjK6DOs0/ObksTZh7W3OTbqfD2h4C/wqqMQHSWdXXnojwyFDEg==",
                "requiredRevealStatements": [ 4, 5 ]
              }
            }

Proof Value

The raw value outputted by computing a sign operation must feature in the proof, in order for parties to verify the signature.

A linked data document featuring a BBS+ Signature data integrity proof MUST contain a proofValue attribute with value defined by the signing algorithm described in this specification.

TODO: Define the encoding scheme for the signature value
            {
              "@context": [
                "http://schema.org/",
                "https://w3id.org/security/v2",
                "https://w3id.org/security/bbs/v1"
              ],
              "@type": "Person",
              "firstName": "Jane",
              "lastName": "Does",
              "jobTitle": "Professor",
              "telephone": "(425) 123-4567",
              "email": "jane.doe@example.com",
              "proof": {
                "type": "BbsBlsSignature2020",
                "created": "2020-04-25",
                "verificationMethod": "did:example:489398593#test",
                "proofPurpose": "assertionMethod",
                "proofValue": "F9uMuJzNBqj4j+HPTvWjUN/MNoe6KRH0818WkvDn2Sf7kg1P17YpNyzSB+CH57AWDFunU13tL8oTBDpBhODckelTxHIaEfG0rNmqmjK6DOs0/ObksTZh7W3OTbqfD2h4C/wqqMQHSWdXXnojwyFDEg==",
                "requiredRevealStatements": [ 4, 5 ]
              }
            }

The BBS+ Signature Proof Suite 2020

A BBS proof of knowledge data integrity proof is a proof that is derived from a BbsBlsSignature2020 data integrity proof where by a sub-set of the original statements are revealed.

The BBS+ proof of knowledge signature suite MUST be used in conjunction with the signing and verification algorithms in the Data Integrity [[DATA-INTEGRITY]] specification. The suite consists of the following algorithms:

Parameter Value Specification
canonicalization algorithm https://w3id.org/security#URDNA2015 [[RDF-DATASET-NORMALIZATION]]
statement digest algorithm Blake2b [[BLAKE2]]
signature algorithm BBS+ Signature [[BBS]]
curve name BLS12-381 [[PAIRING-FRIENDLY-CURVES]]

Terms

The following section outlines the terms used by the BBS+ proof of knowledge signature suite.

Proof Type

To identify the type of data integrity proof that is attached to a linked data document, the type attribute is used as defined in [[DATA-INTEGRITY]].

The term of BbsSignatureProof2020 is used to indicate when a data integrity proof is of type BBS+ proof of knowledge.

A linked data document featuring a BBS+ proof of knowledge data integrity proof MUST contain a type attribute thats has a type equal to BbsSignatureProof2020. 

            {
              "@context": [
                "http://schema.org/",
                "https://w3id.org/security/v2",
                "https://w3id.org/security/bbs/v1"
              ],
              "id": "urn:bnid:_:c14n0",
              "email": "jane.doe@example.com",
              "firstName": "Jane",
              "jobTitle": "Professor",
              "lastName": "Does",
              "telephone": "(425) 123-4567",
              "proof": {
                "type": "BbsBlsSignatureProof2020",
                "created": "2020-04-25",
                "verificationMethod": "did:example:489398593#test",
                "proofPurpose": "assertionMethod",
                "proofValue": "kTTbA3pmDa6Qia/JkOnIXDLmoBz3vsi7L5t3DWySI/VLmBqleJ/Tbus5RoyiDERDBEh5rnACXlnOqJ/U8yFQFtcp/mBCc2FtKNPHae9jKIv1dm9K9QK1F3GI1AwyGoUfjLWrkGDObO1ouNAhpEd0+et+qiOf2j8p3MTTtRRx4Hgjcl0jXCq7C7R5/nLpgimHAAAAdAx4ouhMk7v9dXijCIMaG0deicn6fLoq3GcNHuH5X1j22LU/hDu7vvPnk/6JLkZ1xQAAAAIPd1tu598L/K3NSy0zOy6obaojEnaqc1R5Ih/6ZZgfEln2a6tuUp4wePExI1DGHqwj3j2lKg31a/6bSs7SMecHBQdgIYHnBmCYGNQnu/LZ9TFV56tBXY6YOWZgFzgLDrApnrFpixEACM9rwrJ5ORtxAAAAAgE4gUIIC9aHyJNa5TBklMOh6lvQkMVLXa/vEl+3NCLXblxjgpM7UEMqBkE9/QcoD3Tgmy+z0hN+4eky1RnJsEg=",
                "nonce": "6i3dTz5yFfWJ8zgsamuyZa4yAHPm75tUOOXddR6krCvCYk77sbCOuEVcdBCDd/l6tIY="
              }
            }

Created

TODO: Add paragraph?

A linked data document featuring a BBS+ Signature data integrity proof MAY contain a created attribute with value a value corresponding to an [[!ISO8601]] combined date and time string. 

            {
              "@context": [
                "http://schema.org/",
                "https://w3id.org/security/v2",
                "https://w3id.org/security/bbs/v1"
              ],
              "id": "urn:bnid:_:c14n0",
              "email": "jane.doe@example.com",
              "firstName": "Jane",
              "jobTitle": "Professor",
              "lastName": "Does",
              "telephone": "(425) 123-4567",
              "proof": {
                "type": "BbsBlsSignatureProof2020",
                "created": "2020-04-25",
                "verificationMethod": "did:example:489398593#test",
                "proofPurpose": "assertionMethod",
                "proofValue": "kTTbA3pmDa6Qia/JkOnIXDLmoBz3vsi7L5t3DWySI/VLmBqleJ/Tbus5RoyiDERDBEh5rnACXlnOqJ/U8yFQFtcp/mBCc2FtKNPHae9jKIv1dm9K9QK1F3GI1AwyGoUfjLWrkGDObO1ouNAhpEd0+et+qiOf2j8p3MTTtRRx4Hgjcl0jXCq7C7R5/nLpgimHAAAAdAx4ouhMk7v9dXijCIMaG0deicn6fLoq3GcNHuH5X1j22LU/hDu7vvPnk/6JLkZ1xQAAAAIPd1tu598L/K3NSy0zOy6obaojEnaqc1R5Ih/6ZZgfEln2a6tuUp4wePExI1DGHqwj3j2lKg31a/6bSs7SMecHBQdgIYHnBmCYGNQnu/LZ9TFV56tBXY6YOWZgFzgLDrApnrFpixEACM9rwrJ5ORtxAAAAAgE4gUIIC9aHyJNa5TBklMOh6lvQkMVLXa/vEl+3NCLXblxjgpM7UEMqBkE9/QcoD3Tgmy+z0hN+4eky1RnJsEg=",
                "nonce": "6i3dTz5yFfWJ8zgsamuyZa4yAHPm75tUOOXddR6krCvCYk77sbCOuEVcdBCDd/l6tIY="
              }
            }

Verification Method

A linked data document featuring a BBS+ proof of knowledge data integrity proof MUST contain a verificationMethod attribute with a value that is equal to that of the BbsBlsSignature2020 for which the proof is derived from.

TODO: Add paragraph?
            {
              "@context": [
                "http://schema.org/",
                "https://w3id.org/security/v2",
                "https://w3id.org/security/bbs/v1"
              ],
              "id": "urn:bnid:_:c14n0",
              "email": "jane.doe@example.com",
              "firstName": "Jane",
              "jobTitle": "Professor",
              "lastName": "Does",
              "telephone": "(425) 123-4567",
              "proof": {
                "type": "BbsBlsSignatureProof2020",
                "created": "2020-04-25",
                "verificationMethod": "did:example:489398593#test",
                "proofPurpose": "assertionMethod",
                "proofValue": "kTTbA3pmDa6Qia/JkOnIXDLmoBz3vsi7L5t3DWySI/VLmBqleJ/Tbus5RoyiDERDBEh5rnACXlnOqJ/U8yFQFtcp/mBCc2FtKNPHae9jKIv1dm9K9QK1F3GI1AwyGoUfjLWrkGDObO1ouNAhpEd0+et+qiOf2j8p3MTTtRRx4Hgjcl0jXCq7C7R5/nLpgimHAAAAdAx4ouhMk7v9dXijCIMaG0deicn6fLoq3GcNHuH5X1j22LU/hDu7vvPnk/6JLkZ1xQAAAAIPd1tu598L/K3NSy0zOy6obaojEnaqc1R5Ih/6ZZgfEln2a6tuUp4wePExI1DGHqwj3j2lKg31a/6bSs7SMecHBQdgIYHnBmCYGNQnu/LZ9TFV56tBXY6YOWZgFzgLDrApnrFpixEACM9rwrJ5ORtxAAAAAgE4gUIIC9aHyJNa5TBklMOh6lvQkMVLXa/vEl+3NCLXblxjgpM7UEMqBkE9/QcoD3Tgmy+z0hN+4eky1RnJsEg=",
                "nonce": "6i3dTz5yFfWJ8zgsamuyZa4yAHPm75tUOOXddR6krCvCYk77sbCOuEVcdBCDd/l6tIY="
              }
            }

Proof Purpose

TODO: Add paragraph?

A linked data document featuring a BBS+ proof of knowledge data integrity proof MUST contain a proofPurpose attribute with a value that is equal to that of the BbsBlsSignature2020 for which the proof is derived from. 

            {
              "@context": [
                "http://schema.org/",
                "https://w3id.org/security/v2",
                "https://w3id.org/security/bbs/v1"
              ],
              "id": "urn:bnid:_:c14n0",
              "email": "jane.doe@example.com",
              "firstName": "Jane",
              "jobTitle": "Professor",
              "lastName": "Does",
              "telephone": "(425) 123-4567",
              "proof": {
                "type": "BbsBlsSignatureProof2020",
                "created": "2020-04-25",
                "verificationMethod": "did:example:489398593#test",
                "proofPurpose": "assertionMethod",
                "proofValue": "kTTbA3pmDa6Qia/JkOnIXDLmoBz3vsi7L5t3DWySI/VLmBqleJ/Tbus5RoyiDERDBEh5rnACXlnOqJ/U8yFQFtcp/mBCc2FtKNPHae9jKIv1dm9K9QK1F3GI1AwyGoUfjLWrkGDObO1ouNAhpEd0+et+qiOf2j8p3MTTtRRx4Hgjcl0jXCq7C7R5/nLpgimHAAAAdAx4ouhMk7v9dXijCIMaG0deicn6fLoq3GcNHuH5X1j22LU/hDu7vvPnk/6JLkZ1xQAAAAIPd1tu598L/K3NSy0zOy6obaojEnaqc1R5Ih/6ZZgfEln2a6tuUp4wePExI1DGHqwj3j2lKg31a/6bSs7SMecHBQdgIYHnBmCYGNQnu/LZ9TFV56tBXY6YOWZgFzgLDrApnrFpixEACM9rwrJ5ORtxAAAAAgE4gUIIC9aHyJNa5TBklMOh6lvQkMVLXa/vEl+3NCLXblxjgpM7UEMqBkE9/QcoD3Tgmy+z0hN+4eky1RnJsEg=",
                "nonce": "6i3dTz5yFfWJ8zgsamuyZa4yAHPm75tUOOXddR6krCvCYk77sbCOuEVcdBCDd/l6tIY="
              }
            }

Proof Value

The raw value outputted by computing a derive proof operation must feature in the proof, in order for parties to be able to verify the proof.

A linked data document featuring a BBS+ proof of knowledge data integrity proof MUST contain a proofValue attribute with value defined by the derive proof algorithm described in this specification. 

            {
              "@context": [
                "http://schema.org/",
                "https://w3id.org/security/v2",
                "https://w3id.org/security/bbs/v1"
              ],
              "id": "urn:bnid:_:c14n0",
              "email": "jane.doe@example.com",
              "firstName": "Jane",
              "jobTitle": "Professor",
              "lastName": "Does",
              "telephone": "(425) 123-4567",
              "proof": {
                "type": "BbsBlsSignatureProof2020",
                "created": "2020-04-25",
                "verificationMethod": "did:example:489398593#test",
                "proofPurpose": "assertionMethod",
                "proofValue": "kTTbA3pmDa6Qia/JkOnIXDLmoBz3vsi7L5t3DWySI/VLmBqleJ/Tbus5RoyiDERDBEh5rnACXlnOqJ/U8yFQFtcp/mBCc2FtKNPHae9jKIv1dm9K9QK1F3GI1AwyGoUfjLWrkGDObO1ouNAhpEd0+et+qiOf2j8p3MTTtRRx4Hgjcl0jXCq7C7R5/nLpgimHAAAAdAx4ouhMk7v9dXijCIMaG0deicn6fLoq3GcNHuH5X1j22LU/hDu7vvPnk/6JLkZ1xQAAAAIPd1tu598L/K3NSy0zOy6obaojEnaqc1R5Ih/6ZZgfEln2a6tuUp4wePExI1DGHqwj3j2lKg31a/6bSs7SMecHBQdgIYHnBmCYGNQnu/LZ9TFV56tBXY6YOWZgFzgLDrApnrFpixEACM9rwrJ5ORtxAAAAAgE4gUIIC9aHyJNa5TBklMOh6lvQkMVLXa/vEl+3NCLXblxjgpM7UEMqBkE9/QcoD3Tgmy+z0hN+4eky1RnJsEg=",
                "nonce": "6i3dTz5yFfWJ8zgsamuyZa4yAHPm75tUOOXddR6krCvCYk77sbCOuEVcdBCDd/l6tIY="
              }
            }

Nonce

When a proof is derived it is often useful to prove to the audience of the proof the uniqueness or freshness of proof, the nonce attribute can be used to communicate this.

A linked data document featuring a BBS+ proof of knowledge data integrity proof MUST contain a nonce attribute. 

            {
              "@context": [
                "http://schema.org/",
                "https://w3id.org/security/v2",
                "https://w3id.org/security/bbs/v1"
              ],
              "id": "urn:bnid:_:c14n0",
              "email": "jane.doe@example.com",
              "firstName": "Jane",
              "jobTitle": "Professor",
              "lastName": "Does",
              "telephone": "(425) 123-4567",
              "proof": {
                "type": "BbsBlsSignatureProof2020",
                "created": "2020-04-25",
                "verificationMethod": "did:example:489398593#test",
                "proofPurpose": "assertionMethod",
                "proof": "kTTbA3pmDa6Qia/JkOnIXDLmoBz3vsi7L5t3DWySI/VLmBqleJ/Tbus5RoyiDERDBEh5rnACXlnOqJ/U8yFQFtcp/mBCc2FtKNPHae9jKIv1dm9K9QK1F3GI1AwyGoUfjLWrkGDObO1ouNAhpEd0+et+qiOf2j8p3MTTtRRx4Hgjcl0jXCq7C7R5/nLpgimHAAAAdAx4ouhMk7v9dXijCIMaG0deicn6fLoq3GcNHuH5X1j22LU/hDu7vvPnk/6JLkZ1xQAAAAIPd1tu598L/K3NSy0zOy6obaojEnaqc1R5Ih/6ZZgfEln2a6tuUp4wePExI1DGHqwj3j2lKg31a/6bSs7SMecHBQdgIYHnBmCYGNQnu/LZ9TFV56tBXY6YOWZgFzgLDrApnrFpixEACM9rwrJ5ORtxAAAAAgE4gUIIC9aHyJNa5TBklMOh6lvQkMVLXa/vEl+3NCLXblxjgpM7UEMqBkE9/QcoD3Tgmy+z0hN+4eky1RnJsEg=",
                "nonce": "6i3dTz5yFfWJ8zgsamuyZa4yAHPm75tUOOXddR6krCvCYk77sbCOuEVcdBCDd/l6tIY="
              }
            }

The BBS+ Bound Signature Suite 2020

The BBS+ Bound signature suite 2020 adds a mechanism for recipient binding, and is otherwise identical, to the BBS+ signature suite 2020. It MUST be used in conjunction with the signing and verification algorithms in the Data Integrity [[DATA-INTEGRITY]] specification. The suite consists of the following algorithms:

Parameter Value Specification
canonicalization algorithm https://w3id.org/security#URDNA2015 [[RDF-DATASET-NORMALIZATION]]
statement digest algorithm Blake2b [[BLAKE2]]
signature algorithm BBS+ Signature [[BBS]]
curve name BLS12-381 [[PAIRING-FRIENDLY-CURVES]]

Modification to Algorithms

Create Verify Data Algorithm

The create verify data algorithm defined below is identical to the create verify data algorithm defined for the BBS+ signature suite 2020, with the addition of steps to include recipient binding.

The algorithm defined below outlines the process of obtaining the data in the form required for both signing and verifying, plus the data required to bind to a recipient

  1. Obtain a blind message which is a commitment to a secret value as described in [[BBS]] section 3.9. This is the recipient binding commitment.
  2. Initialize an empty array of length equal to the number of statements not including the recipient binding commitment; let this be known as the statement digests array.
  3. Use the canonicalization algorithm to canonicalize the input document to a set of statements represented as n-quads.
  4. For each statement in order:
    1. Apply the statement digest algorithm to obtain a statement digest
    2. Insert the statement digest into the statement digests array which MUST maintain same order as the order of the statements returned from the canonicalization algorithm.
  5. Return the statement digests array and the recipient binding commitment.

Terms

The following section outlines the terms used by the BBS+ Bound Signature Suite which differ from those terms used by the BBS+ Signature Suite. All other terms are the same in both suites.

Proof Type

Use the type attribute defined in [[DATA-INTEGRITY]] to identify the type of data integrity proof that is attached to a linked data document.

The term BbsBlsBoundSignature2020 is used to indicate when a data integrity proof is of type BBS+ Bound Signature.

A linked data document featuring a BBS+ Bound Signature data integrity proof MUST contain a proof element that has a type equal to BbsBlsBoundSignature2020. 

            {
              "@context": [
                "http://schema.org/",
                "https://w3id.org/security/v2",
                "https://w3id.org/security/bbs/v1"
              ],
              "@type": "Person",
              "firstName": "Jane",
              "lastName": "Does",
              "jobTitle": "Professor",
              "telephone": "(425) 123-4567",
              "email": "jane.doe@example.com",
              "proof": {
                "type": "BbsBlsBoundSignature2020",
                "created": "2020-04-25",
                "verificationMethod": "did:example:489398593#test",
                "proofPurpose": "assertionMethod",
                "proofValue": "F9uMuJzNBqj4j+HPTvWjUN/MNoe6KRH0818WkvDn2Sf7kg1P17YpNyzSB+CH57AWDFunU13tL8oTBDpBhODckelTxHIaEfG0rNmqmjK6DOs0/ObksTZh7W3OTbqfD2h4C/wqqMQHSWdXXnojwyFDEg=="
              }
            }

The BBS+ Bound Signature Proof Suite 2020

A BBS bound proof of knowledge data integrity proof is a proof that is derived from a BbsBlsBoundSignature2020 data integrity proof where a sub-set of the original statements are revealed.

The BBS+ bound proof of knowledge signature suite MUST be used in conjunction with the signing and verification algorithms in the Linked Data Proofs [[DATA-INTEGRITY]] specification. It adds a proof of recipient binding, and is otherwise identical, to the BBS+ proof of knowledge signature suite. The suite consists of the following algorithms:

Parameter Value Specification
canonicalization algorithm https://w3id.org/security#URDNA2015 [[RDF-DATASET-NORMALIZATION]]
statement digest algorithm Blake2b [[BLAKE2]]
signature algorithm BBS+ Signature [[BBS]]
curve name BLS12-381 [[PAIRING-FRIENDLY-CURVES]]

Terms

The following section outlines the terms used by the BBS+ bound proof of knowledge signature suite which differ from those terms used by the BBS+ proof of knowledge. All other terms are the same in both suites.

Proof Type

The type attribute is used to identify the type of data integrity proof that is attached to a linked data document as defined in [[DATA-INTEGRITY]].

The term BbsBoundSignatureProof2020 is used to indicate when a data integrity proof is of type BBS+ bound proof of knowledge.

A linked data document featuring a BBS+ bound proof of knowledge data integrity proof MUST contain a type attribute with a value of BbsBoundSignatureProof2020. 

            {
              "@context": [
                "http://schema.org/",
                "https://w3id.org/security/v2",
                "https://w3id.org/security/bbs/v1"
              ],
              "id": "urn:bnid:_:c14n0",
              "email": "jane.doe@example.com",
              "firstName": "Jane",
              "jobTitle": "Professor",
              "lastName": "Does",
              "telephone": "(425) 123-4567",
              "proof": {
                "type": "BbsBlsBoundSignatureProof2020",
                "created": "2020-04-25",
                "verificationMethod": "did:example:489398593#test",
                "proofPurpose": "assertionMethod",
                "proofValue": "kTTbA3pmDa6Qia/JkOnIXDLmoBz3vsi7L5t3DWySI/VLmBqleJ/Tbus5RoyiDERDBEh5rnACXlnOqJ/U8yFQFtcp/mBCc2FtKNPHae9jKIv1dm9K9QK1F3GI1AwyGoUfjLWrkGDObO1ouNAhpEd0+et+qiOf2j8p3MTTtRRx4Hgjcl0jXCq7C7R5/nLpgimHAAAAdAx4ouhMk7v9dXijCIMaG0deicn6fLoq3GcNHuH5X1j22LU/hDu7vvPnk/6JLkZ1xQAAAAIPd1tu598L/K3NSy0zOy6obaojEnaqc1R5Ih/6ZZgfEln2a6tuUp4wePExI1DGHqwj3j2lKg31a/6bSs7SMecHBQdgIYHnBmCYGNQnu/LZ9TFV56tBXY6YOWZgFzgLDrApnrFpixEACM9rwrJ5ORtxAAAAAgE4gUIIC9aHyJNa5TBklMOh6lvQkMVLXa/vEl+3NCLXblxjgpM7UEMqBkE9/QcoD3Tgmy+z0hN+4eky1RnJsEg=",
                "nonce": "6i3dTz5yFfWJ8zgsamuyZa4yAHPm75tUOOXddR6krCvCYk77sbCOuEVcdBCDd/l6tIY="
              }
            }

Derive Proof Algorithm

In order to support selective disclosure of statements, the following derive proof algorithm has been defined.

TODO: Add examples and full definition of this algorithm

Create Derive Proof Data Algorithm

The following algorithm defined below outlines the process of obtaining the inputs into the derive proof algorithm.

input proof document
A data integrity proof document featuring a data integrity proof that supports proof derivation.
reveal document
A JSON-LD document in the form of a frame which describes the desired transform to apply to the input proof document using the framing algorithm defined in [[JSON-LD-FRAMING]].
revealed document
A data integrity proof document which is the product of the derive proof algorithm.
  1. Apply the canonicalization algorithm to the input proof document to obtain a set of statements represented as n-quads. Let this set be known as the input proof document statements.
  2. Record the total number of statements in the input proof document statements. Let this be known as the total statements.
  3. Apply the framing algorithm to the input proof document. Let the product of the framing algorithm be known as the revealed document.
  4. Canonicalize the revealed document using the canonicalization algorithm to obtain the set of statements represented as n-quads. Let these be known as the revealed statements.
  5. Initialize an empty array of length equal to the number of revealed statements. Let this be known as the revealed indicies array.
  6. For each statement in order:
    1. Find the numerical index the statement occupies in the set input proof document statements.
    2. Insert this numerical index into the revealed indicies array
  7. Returned the revealed indicies array, total statements and input proof document statements.
TODO: Define how we have to validate the requiredRevealStatements
TODO: Add a comment on how we diff the input proof document and the reveal document to produce get the correct node identifiers for the reveal document
TODO: Add paragraph

Security Considerations

The following section describes security considerations that developers implementing this specification should be aware of in order to create secure software.

TODO: We need to add a complete list of security considerations.

Acknowledgements

Portions of the work on this specification have been funded by the United States Department of Homeland Security's (US DHS) Silicon Valley Innovation Program under contracts 70RSAT20T00000003, and 70RSAT20T00000033. The content of this specification does not necessarily reflect the position or the policy of the U.S. Government and no official endorsement should be inferred.