The W3C Credentials Community Group

Meeting Transcriptions and Audio Recordings (2014-today)

Go Back

W3C CCG Weekly Teleconference

Transcript for 2023-05-23

Our Robot Overlords are scribing.
Harrison_Tang: Alright hello everyone welcome to this week's w3c ccg meeting today we're very glad to have a Greg great burst name to a present on PBS for VCS their proper credentials and json-ld but before we get to the main agenda just want to do some quick reminders on the code of ethics and professional conduct reminder more or less just make sure that we know are remain respectful.
Harrison_Tang: to each other we've been doing that for.
Harrison_Tang: As far as I can remember but just want to do a quick reminder and cold not here all right next up we have the IP note anyone can participate in these calls however all substantive contributions to any CG work items must be members of the ccg with full IP our agreements time I'll make sure you have the w3c account and sign the w3c community contributor license agreement if you have any.
Harrison_Tang: questions or problems feel free to reach out to Amy.
Harrison_Tang: We record these meetings and actually we have been quite good at publishing these meeting minutes and I'll deal recordings in the day or two but generally we said we'll publish it by the end of this week.
Harrison_Tang: All right we used to teach each at to Q speaker so you can type in q+ to cure yourself to add yourself to the cube or q- to remove it and you can always do Q question mark to see who's in the queue.
Harrison_Tang: Right that's do the introductions and reintroduction so if you are new to the community or you haven't been active and your rejoining the community please feel free to unmute and introduce or reintroduce yourself.
Harrison_Tang: Don't be shy.
Harrison_Tang: All right so we do this every meeting so you know maybe not you'll have to opportunity to do that next week if you don't feel comfortable doing right now all right next we have announcements and reminders any announcements and reminders.
Kaliya Young: Hey so I guess it's two weeks we're convening the digital identity unconference Europe in Zurich June 7 to 9 just like we are for iaw were committed to making sure it's accessible so I've really pushed them to make sure they keep the startup and NGO tickets available.
Kaliya Young: If you haven't signed up you want to come now is the time to sign up and we are a really great list of those topics I can see on the website if you're in Europe please join us thank you.
Harrison_Tang: Thanks Korea any other announcement or reminders.
Harrison_Tang: All right any updates on the work Islands.
Harrison_Tang: And by the way I think in the email list earlier there are some announcements regards to a verifiable credentials rendering method so the we already we looked at for July 25th so that we can have further discussions there as well.
Harrison_Tang: alright money.
Manu Sporny: Yeah just a question on that do we have to wait for that meeting to pull it into the group it seemed to have a support there were no objections we pull it into the ccg at this point or should we wait two months.
Mike Prorock: Harrison I've got no objections to pulling that in now I think it makes sense there's broad support and no objections to that I would say let's pull it in now and then get a debrief on the updates in that July meeting if that is fine with you.
Harrison_Tang: Yeah yeah of course yeah I think they were small local supporters so let's do that.
Manu Sporny: Great thank you.
Harrison_Tang: Thank you Mommy.
Harrison_Tang: Any other updates on the work items.
Harrison_Tang: All right so let's get to the main agenda so this week again we are very very glad to invite a Greek to present on the BBS for verifiable Potentials in json-ld giving us an overview I think you mentioned that he would love to endless some of the volunteers to actually helping on these efforts so great the floor is yours.
Greg Bernstein: All right let's get the screen sharing and going you don't need to see me anymore but that's what I look like so let's get the screen sharing select window or screen.
Greg Bernstein: Wait before I do that.
Greg Bernstein: Off the video you don't need to see my face okay the other thing to make it easier.
Harrison_Tang: And break sometimes we have technical difficulties when we're doing both video and the SlideShare so thank.
Greg Bernstein: There goes the slides the slides are all available online I just put them in the chat and.
Greg Bernstein: To get Hands-On we've got a demo.
Greg Bernstein: Did I use that I'll be using but anybody can use because it's built with BBs and it's just a web app a standalone single page web app so now let's go back and do the screen share.
Greg Bernstein: Select window or screen.
Greg Bernstein: And let's go over to.
Greg Bernstein: And I'm going to make this big so this is going to be a little different than some of the things we've done this is a tutorial this is at or about BBS and a reminder about verifiable credentials and signatures because I've been working on our crypto sweets not from the point of view of been writing them I've been working and I've been out on test vectors which are really important.
Greg Bernstein: Aunt so we're going.
Greg Bernstein: View of signatures we're going to review VC's in signatures then we're going to talk about what we get from BBS signatures selective disclosure and anemone and unlink ability and.
Greg Bernstein: Who am I okay let's see if we can move that thing a long long time ago in a galaxy far away I got all those degrees from Berkeley then part-time consultant teacher implementer for a while I was formerly an R&D manager at big telecoms and was in a start-up where we did got a cool optical switching prod.
Greg Bernstein: Deployed worldwide lots of network standards work ietf oif itu-t this is the optical stuff spent the pandemic teaching cyber security and web programming I've got the big interest big Advocate on privacy and security okay so those are kind of like my passions now so.
Greg Bernstein: Me there's links to.
Greg Bernstein: Anything else here my website Grotto networking I've got all my course materials for my academic courses if you're interested to see how I taught cybersecurity.
Mike Prorock: +1 Excellent text
Greg Bernstein: Okay signatures and references once again sorry for the academic Focus if you are really trying to get into signatures and understand the modern approach to cryptography probably can't recommend more the book by Dan Bonet and Victor Shoop and it's available for free online and they just did an update to it for their 0.6 version to see.
Greg Bernstein: See some of these properties.
Greg Bernstein: Truce in a readable fashion we came across this paper taming the many EDSA s EDSA signatures and that explains some of the improved properties that you get from signatures.
Greg Bernstein: So what is the signature the formal definition it's a triple it has t generation assigning algorithm and a verification algorithm each of these things is pretty important I tended to forget about the key generation but the thing is every signature scheme.
Greg Bernstein: Has its own set of keys and you got to be very careful to use them correctly not reuse things so.
Greg Bernstein: What is the signature we care about these four verifiable credentials because they put the verifiable in the verifiable credentials the idea is somebody that doesn't have the secret key can't create a message with a signature.
Greg Bernstein: That verifies against the public key okay this is called existential forgery you can't create a new message with a signature that verifies okay there's the signing algorithm the verification it shouldn't be able to do that in addition.
Greg Bernstein: To make it hard for the cryptographers to come up with these schemes is we allow the adversaries.
Greg Bernstein: See signatures on as many different types of credentials as they like and we say you can see as many of those but you still shouldn't be able to come up with a valid signature unless you have the secret key this is called existential unfortunate bility under a chosen message attack to be formal okay you can get you can go further there's something called.
Greg Bernstein: Ang unfortunate Billa.
Greg Bernstein: Okay which means you can't find a new signature on an old message without knowing the secret key okay so of are two schemes of our to current schemes for verifiable credentials EDSA can have the strong unforgeable Leti but EC D sa is not okay for the details the BNS chapter 19 okay.
Greg Bernstein: A signature is.
Greg Bernstein: This is another nice property if it's impossible for the signer to claim later that it signed a different message.
Greg Bernstein: He's came out as desirable after the cryptocurrencies in the block change things and people were finding any way they could figure out how to cheat on the Block chains and such like that and so people found these ways around and Attack the Block change in the cryptocurrencies.
Greg Bernstein: Further there's something called a strongly binding signature okay where the signature is binding to the public key so these are forms of what is recalled non-repudiation okay so there's different levels of security properties the second district should have but that existential unfortunate bility is the basics.
Greg Bernstein: Now I hope I'm not missing any questions because I have my cell phone full screen for good right good okay and I'm watching the time I'm doing a single monitor setup so unlike when Haley teach you don't have a little time clock going okay.
Harrison_Tang: I'll monitor the I'll monitor the question Q so don't worry about.
Greg Bernstein: Okay currently for VCS we have three crypto sweets I think if I got this right that are in working draft status so we have EDSA just got a bunch of test vectors in V our request was.
Greg Bernstein: In white and for that we're I've got some that I have not put in yet for Ed ecdsa what's the difference between these ecdsa has been around longer their Hardware implementations okay I know the new Phipps document that just came out also has EDSA but ecdsa is very important to have around because there's a lot of stuff already out there in the new kid on the Block BBs.
Greg Bernstein: So down to the bits and bytes okay I told you there's three pieces key generation and people particularly with this post Quantum stuff coming up people care about how big are the keys okay it's not just the signature size but it is the key size so our example with e DD essay which is very efficient the secret key.
Greg Bernstein: She is 32.
Greg Bernstein: In the public key which actually is something called a group element in an elliptic curve blah blah blah okay is actually quite small to 32 bytes if you look at post Quantum cryptography you'll find that the key sizes can get quite large okay now given a message M okay this is the down to the byte level part of a signature we look at messages just a bunch of.
Greg Bernstein: B we.
Greg Bernstein: Who's to say.
Greg Bernstein: Mature okay where it's got two pieces to it what we care about is the total length of the signature is only 64 bytes you'll find with both ecdsa EDSA the chief the signatures are quite small okay so these signature schemes that's why these are the the most popular signature schemes down because the signatures the keys that you have to keep around.
Greg Bernstein: And and the.
Greg Bernstein: Themselves are quite small okay so quite efficient, okay.
Greg Bernstein: And particularly EDSA is very fast very efficient and some folks in one of the papers reference proved that by doing a few extra checks we can get all those nice security properties okay and so that will be going into the security consideration sections of our crypto sweet that's a PR to be ridden okay.
Greg Bernstein: Security at these.
Greg Bernstein: Work with B the keys are a bunch of bytes the messages are a bunch of bytes the signatures are a bunch of fights okay we've got to apply these to verifiable credentials and we have to do it correctly okay because if we don't do it correctly you leave holes for exploitation so what do we protect the underside credential but also very important as we have to protect the options related to cryptographic.
Greg Bernstein: I am okay so somebody can't say hey.
Greg Bernstein: Uses we don't use any cryptography no no we're signing this we're going to protect that information to make sure what additional tools do we generally need when we apply these things to be seized we need some kind of if we're talking about Json Json Kana canonicalization algorithm and we usually use cryptographic hashes in some way or form sometimes those are built in the signature schemes.
Greg Bernstein: And sometimes we use them before we go into the.
Greg Bernstein: Scheme so let's take a look very big okay so here's an example credential taken from our document okay it's we want to sign this credential this is unsigned we want to protect this we want to sign this thing we want to digital signature on it in addition to signing that though.
Greg Bernstein: We want.
Greg Bernstein: Swipes the wrong way and it tried to go someplace else okay in addition to protecting the credential we want to protect and ensure that nobody can lie about what type of data Integrity prove what crypto sweet are we using when this thing was created verification method all these things are what we call the proof options okay so we're going to protect these things too.
Greg Bernstein: What do I mean by that.
Greg Bernstein: We're going to include this as stuff we sign so how do our signature crypto sweets work at least for EDSA and ecdsa well.
Greg Bernstein: We run one of these canonicalization algorithms either J CS or rdf on the unsigned VC we do that with the configuration options we take these cryptographic hash things which take a long message and give you a fixed-length output we combine those things together and we actually sign the output of that combined set of hashes.
Greg Bernstein: Becomes our message so that means we have to have a good signature algorithm we got to know how weird canonicalizing things and we also have to make sure it's a good hash Agra all those things we're going to make it very clear that the cryptographer people's can read our document see examples easily and say yeah you're doing that the right way okay and so that's.
Greg Bernstein: Essentially very.
Greg Bernstein: Actually what we do in our crypto sweet documents to produce something that looks like this verifiable credentials got all the credentials stuff ah we've got the proof that includes all that proof.
Greg Bernstein: Option stuff did Integrity proof group just read information proof purpose right here at the end nicely encoded in.
Greg Bernstein: BTC blah blah blah encoding where we convert from B to something that we can put into text is our signature so that's an example of signing now what does BBS do for us okay first of all BBS doesn't stand for brief beautiful signature.
Greg Bernstein: Of the original academic work with the author's Denver nay Xavier bullion and I don't want to put your sack woman's name but I probably just did these guys first described the ski okay references.
Greg Bernstein: The draft okay which is a good place to go and I do have to thank the silliest Gallows who.
Greg Bernstein: And I was working through and coming up with my implementation.
Greg Bernstein: Part of what's really good about here is we have good test vectors and we checked them and when somebody had issues with trying to verify very helpful group over at dif ietf that we're working on this it's like no no no we've got a mistake here at this is where air is very helpful complete set of test vectors great for people trying to okay and if we do.
Greg Bernstein: A more advanced.
Greg Bernstein: BS at a later time I'm sure we can try and get the silliest and some of the other guys I know Brent's eundel is was on this call use one of the early advocates for BBS and has a nice blog post about it from way back okay.
Greg Bernstein: So that's our.
<brentz> waves
<manu_sporny> ^ that guy :)
Greg Bernstein: Injured however just like with EDSA as things started approaching standardization some of the academic folks took a second look and they've got better results optimizations for us so we've been working with a group out of University of Washington up in Washington state they've got some optimizations and additional security proofs for us just like there's more advanced.
Greg Bernstein: Proofs of security for EDSA which.
<mprorock> well since that guy is a fan. . .
Greg Bernstein: I get to our VC document okay the original documents that we base the standard on is this paper from 2016 caution it's these are both hard reads.
Greg Bernstein: Now we have a demo.
Greg Bernstein: We're going to actually go through okay signature creation Singler what's all the rest of us we're going to see what the rest of that is about okay this closely mirrors what we do with our test vectors okay so hence we're doing something that we tell people never ever to do we've got private keys out floating around in the open.
Greg Bernstein: We do this when we.
Greg Bernstein: Is specs and RVC specs in the ietf spec because people need to test these things but the biggest thing about these things Professor mode on is keeping these Keys secure so we throw around random keys and our test vectors and such like that note that in reality you never do this okay so just there for just my caveat okay.
Greg Bernstein: Is like we do in our test vectors in our various aspects hex representation for all field except messages because I wanted the messages readable which are UTF text okay I use Json the hold the information at various stages just like we do with our test vectors these are not VPS or VCS okay this is just for demo purposes Json is just a happy way to get test vectors around okay.
Greg Bernstein: Using a simple list of BBS messages there is more work.
Greg Bernstein: To get BBS applied to a verifiable credential than what my demo shows My Demo is highlighting BBS not the process that we have to take to go and apply BBS to a verifiable credential okay so what are its fundamental properties it has strong unfortunate bility okay so it's got those good properties the security properties that we want to have a little bit stronger than EC.
Greg Bernstein: Scott selective disclosure.
Greg Bernstein: The scheme allows the signer to sign multiple messages and produce a single constant size output signature from which a holder can select which of the quote messages to reveal later it's got something called unlink able proofs and proof of possession okay this is the formal language from the ietf draft.
Greg Bernstein: First and it we're going to.
Greg Bernstein: These things okay so I'm not going to read those detail okay what is this look like from the bits and bytes point of view.
Greg Bernstein: It's a little bigger the random secret key is 32 bytes the public key is a lot bigger three times but still remember a small jpg photo will be a couple hundred K bytes so when we're talking about the signature sizes for elliptic curve based things and this is elliptic curve base ecdsa.
Greg Bernstein: I say eat.
Greg Bernstein: The signature sizes and the keys sizes are small okay so you can do a lot with these things okay and so worrying about too much about B and B we want to do things optimally okay the signature sighs okay.
Greg Bernstein: B okay so that's bigger than the 64 bytes the new optimization results gives us 80 bytes signatures are small so this is why some of this stuff is also being looked at by a coyote people because the signature that the iot even if it has a bunch of different sensors and you want selective disclosure of sensor reading the message going to send has to send is small okay.
Greg Bernstein: So let's go over to.
Greg Bernstein: So I've got a random key I've got a public key.
Greg Bernstein: In a in a more advanced discussion will talk about what we should use this feature of BBS called the header okay but I have here a sequence of messages I was faking a driver's license for a tree in Northern California okay so we have a bunch of different properties first name last name address date of birth height no eyes brown bark.
Greg Bernstein: E needles Etc.
Greg Bernstein: Can create a signature you can add as more messages if you like here you can remove a message this is a okay let's just show okay so we then we click create signature.
Greg Bernstein: Oopsies let's reload.
Greg Bernstein: Create a signature okay so what did we do we get a signature what is it it's a bunch of bytes okay so we have a platinum now somebody's going to use this for something like verify it we need to public key we need the headers We need oh all the separate messages and the signature.
Greg Bernstein: If we want to verify the signature okay we bring in we have to have the public key.
Greg Bernstein: Of all her messages.
Greg Bernstein: I can process that is Json we can click verify now.
Greg Bernstein: Let's say the tree has a issue on you wants to pretend that he's taller than his brother and he's.
Greg Bernstein: 297 Feets not 296 feet that's what happens when you hit the wrong button okay process the Json verify the signature it doesn't verify right that's the kind of thing we expect from signatures people mess with the information it shouldn't verify its back to its original form okay.
Greg Bernstein: Basic signatures okay.
Greg Bernstein: So what okay well.
Greg Bernstein: If we want to do is discuss selective disclosure and we're doing a full VC model we have an issue or a holder and verifier okay we have a three-step model selective disclosure comes in that the holder doesn't want to reveal everything.
Greg Bernstein: So the issuer signs of EC holder verifies the sign VC then the holder selects which to disclose okay which messages and BBs terminology so let's take a look.
Greg Bernstein: Selective disclosure now let's go back for a second do I have my caveat we doing TimeWise okay ish okay.
Greg Bernstein: There's multiple different approaches to selective disclosure okay probably the most straightforward approaches.
Greg Bernstein: Break up your VC into a bunch of different messages okay sign each individual message.
Greg Bernstein: Overall signature for the Kabam combination is just the number of messages times the signature sighs that's not what happens with BBs BBS gives us a fixed signature side no matter how many messages.
Greg Bernstein: Another approach which we have heard of I think we've had a we had the presentation on gordian envelopes there based on a Merkel hash tree you get a signature single signature for the tree the presentation cost is general overhead plus a-hat oops sorry this has basically a single circuit future for the whole tree the costs in both the Merkel and the BBS come when you do your selective disclosure.
Greg Bernstein: Veal or give.
Greg Bernstein: The verifier something for each undisclosed message so you either pay up front when you individually sign okay.
Greg Bernstein: I know.
Greg Bernstein: Quick okay just giving just an overview but with BBs just like with Merkel hash trees basically for each unknown disclose message it's part of the signature you have a little price to pay okay for hash trees it depends on the hash through using the basically it's the number of undisclosed plus the hatch size for BBS number of undisclosed times 32 bytes.
Greg Bernstein: It's for our current implementation.
Greg Bernstein: So we have a tree going into a bar and needs to prove their ID Okay so.
Greg Bernstein: Let's say they're gonna have in clothes their picture and their date of birth okay so we're going to generate a signature.
Greg Bernstein: Oh we got a proof it's got what does it have in it down here.
Greg Bernstein: Only two pieces of message now we come to the proof verification Professor I mean Greg what's going on here.
Greg Bernstein: Sorry we've got a terminology Collision.
Greg Bernstein: Both PBS and verifiable credentials use the term proof and signature but they use them in very different ways okay so I'll use the term BBS signature and BBs proof BBS proof.
Greg Bernstein: Is kind of like the secondary signature or the disclosed signature okay.
Greg Bernstein: So that's why I was like what's this terminology oh BBs.
Greg Bernstein: We select the messages we want to include then we create a proof on it this isn't.
Greg Bernstein: Isn't to be confused with a general VC proof it would be included in the verifiable print presentation as part of the proof okay but it is a derived thing it's derived from the first signature now let's check that this thing can verify.
Greg Bernstein: So what's in it oh I forgot we got these nice things and make things bigger so what are we giving them well we're telling them what things are being disclosed we have some overhead okay given them the date of birth and the encoded photo okay.
Greg Bernstein: If I was true what if they are lying about their age maybe they want to not be as old as they say they are.
Greg Bernstein: Okay if they change their age and then they try and send that proof to somebody it won't verify this is as good as a signature this is derived signature thingy that's not a formal that's not formal terminology it's a derived signature thing but that is our proof okay that's what Brooks like a signature.
Greg Bernstein: And if verifies so we're able to select.
<mprorock> "derived signature thingy 2023" i am sure will now be inbound
Greg Bernstein: Got selective disclosure pretty efficient with their selective disclosure so far so good you can include how many ever different things you like so now the tree can go to as many bars as possible.
Greg Bernstein: It didn't have to reveal its name its address or anything.
Greg Bernstein: Okay and we see the kind of extra information that we have to put into this disclosed in tracks we've got another type of header called a presentation header when we get to not this talk I talk about how you apply BBS verifiable credentials will talk about how we're going to use the header for and the presentation header for that's not this stock that may not be this this for sensory.
Greg Bernstein: Either okay so when you read these.
Greg Bernstein: We have to remember there's this Collision in terminology and we'll see that there's different core operations okay so for verifiable credential the issuer issues the VC we use a BBS signature okay during that process the holder creates a verifiable.
Greg Bernstein: A presentation.
Greg Bernstein: And it's going to use a BBS proof okay.
Greg Bernstein: He uses proof Jen procedure okay.
Greg Bernstein: Okay now when the holder creates the VP here's where the magic comes in it doesn't have the the issuer's secret key it's not even using its own secret cure anything all it has to have is the original signature and the issuer's public key.
Greg Bernstein: That is amazing that's amazing cryptography okay the verifier can verify that the subset of information contained in the verifiable presentation has not been modified by validating the proof contained in the presentation against the issuer's public key right that's what we want to know we want to check it against the vishu no holder keys are involved not saying we.
Greg Bernstein: Okay that's something else that's one of these Advanced topics there's something called BBS with bound signatures as being kicked around okay but that's a different thing no holder keys that is amazing okay and we saw it so and you can go and do and mess with the demo right at each of the different steps we saw that if you mess with the information after signature creation it will not.
Greg Bernstein: Not verify what.
Greg Bernstein: Unfortunate bility yay okay so straight out of the document we've got signed secret key public key messages blah okay verify public key signature messages okay.
Greg Bernstein: Proof or this derive signature thingy just the public key the signature we received the messages and some information about what we're disclosing or what we choose to disclose okay and proof verify use by the verifier.
Greg Bernstein: With the issuer's public key.
Greg Bernstein: Now if that was it that would be amazing enough but wait there's more we get something called anonymity and unlink ability okay so the issuer signs of EC.
Greg Bernstein: Back to the demo.
Greg Bernstein: Create a signature click the button click the.
Greg Bernstein: O signature doesn't change when I click the button.
Greg Bernstein: What does that mean 6 or science fair cryptographic signature by their security properties these tend to be unique yeah it's hard to come up with another signature on the same messages hmm uniqueness is good uniqueness is bad in some ways when a holder creates a VP that includes design BC the cryptographic signature is included if the holder census the multiple verifier.
Greg Bernstein: Where's those signatures verified.
Greg Bernstein: Khalood what's the picture.
Greg Bernstein: So and you sure okay issues a signature to the holder the holder sends the credential to various places but what if the verifier share data amongst themselves they collude okay verifier the verifier collusion that means the issuer can be tracked but wait this is really happened it's not any real information it's just the signature.
Greg Bernstein: Yeah yeah.
Greg Bernstein: The signature is really unique so even though the tree went into a bar and it only disclosed its photo or an age the signature can help identify that it went to different multiple bars okay does this really happen yeah all the time okay this is what people do to keep track you even though third-party cookies are going out they fingerprint your.
Greg Bernstein: Okay so go go look at e FF cover Your Tracks like I said this is from teaching cybersecurity beginning course make people go and see how unique their browser is a cover Your Tracks Mozilla talks a little bit more about browser fingerprinting and if you want to fingerprint people visiting your site you can go to npm you can get a JavaScript library that I'll help you do it and that gets three hundred thousand.
Greg Bernstein: Downloads a week so it's.
Greg Bernstein: That's okay so BBS and anonymity unlink couple proofs the proofs generated by the scheme or known as for what's the zero-knowledge this or that or the other thing lots of theory lots of let's take a look.
Greg Bernstein: So when.
Greg Bernstein: To create my signature nothing happened when I re clicked create signature let's go to proof generation.
Greg Bernstein: This tree is going to go into multiple bars and let's say.
Greg Bernstein: They really don't care about their photo but they want to know if they're from a local National local park state or National Park to see if they can get a big drink of water because we have Trout's now we're going to generator proof oh.
Greg Bernstein: Well that makes sense.
Greg Bernstein: So the proof should change right that makes sense but let's say they go into another bar and they click generate proof.
Greg Bernstein: Oh the proofs generated by BBs.
Greg Bernstein: Okay cryptographically in a cryptographic sense okay these proofs when I create each one of them they're unlinked able there's there's nothing about them that ties each to each other part of the magic of Zur this hold zero knowledge proof stuff okay you can see it here okay this is what takes some effort that's what we mean by.
Greg Bernstein: Harder area because this proof value nice General random Mission numbered thing cryptographically proven on linkable but don't forget we're revealing information up here okay this is like detailed information about their date of birth okay so when we talk start talking about on linkable proofs in anything that.
Greg Bernstein: It has this feature.
Greg Bernstein: Yeah sure put it into the general context of.
Greg Bernstein: How much of other information are you giving away and how much are you leak potentially leaking okay how we doing TimeWise about there.
Greg Bernstein: So that's Unthinkable proofs what did Proof of possession mean why did they say that well that's the thing we just checked that.
Greg Bernstein: Need to do this we did this that unlink able proofs.
Greg Bernstein: We understand what did the proof of possession map the proof of possession thing that hard to understand statement means that the signature sorry not the signature bundle but the proof bundle given the thing we put in the verifone viable presentation behaves like a signature okay theoretically they say this is proof of possession that I have a signature that was signed by blah.
Greg Bernstein: Okay but from our point of view.
Greg Bernstein: Apple presentations means.
Greg Bernstein: Truth or it's just like a signature okay.
Greg Bernstein: Somewhat in a nutshell here.
Greg Bernstein: We've got Deion linkable proofs okay nice feature okay they have peer essentially random okay but it doesn't prevent correlation on disclose message so us the verifiable credential verifiable presentation people when we go and use BBS we're going to have to take care and also advise people.
Greg Bernstein: Using BBs.
Greg Bernstein: They want these capabilities.
Greg Bernstein: What information might we be leaking and the fact that you're giving away information that can be used okay.
Greg Bernstein: So later on if you'd like to try out these things here's some steps try modifying the messages and things like that and how does this all work okay this is proven cryptographically people have used academic proofs and such like that at its heart it's just some up it uses the hardness of what's known as discrete log problem it uses things called elliptic curves to keep all.
Greg Bernstein: These values.
Greg Bernstein: Double sizes and then it uses additional magic of something called elliptic curve pairings or by linear maps to get us this selective disclosure and on linkable properties I know this was quick but hopefully this gives you this tutorial level overview of what we get whoops okay.
Greg Bernstein: Mbbs and why we want to use them for verifiable credentials.
Greg Bernstein: Future Advanced discussions look at the list and we can also see what folks might want to hear about in the future okay.
Greg Bernstein: Back to you guys I think we kept it close to our time and let me stop screen sharing.
Harrison_Tang: Thank you Greg yeah this is an amazing presentation learned a lot from here any questions.
Bob Wyman: Yeah my apologies of this is really dumb but if the proof bundle includes the public key why can't people just doesn't the disclosure of the public key ruin the anonymity.
Greg Bernstein: The public key is of the issuer.
Greg Bernstein: State of California issues me a driver's license I want to prove that I am of age to go get that drink at the bar they're going to use the issuer's public key but not my public this is not my did personal did that goes with my driver's license this is.
Greg Bernstein: From the state of California.
Greg Bernstein: Yeah so there's that's why I was trying to remind folks that the issuer has their secret and public key the thing that you might be wondering it's like wait is somebody else gets this signature couldn't they pretend to be me and Vera and have their credential verified against the public key of the original issue okay.
Greg Bernstein: So but.
Greg Bernstein: Every little bit like the public key would leak information would like reveal that this is a driver's license this is a state of California driver's license.
Greg Bernstein: So think of the anonymity from the holders perspective not the issuer's perspective.
Bob Wyman: Right I got it okay I understand.
Harrison_Tang: Right next up he'll Keith me.
PL/T3-ASU: I think you mean me is that right here so yeah I think one of the things that often is confused in this project and this BBS selective disclosure is whether the properties that you do not wish to disclose our encrypted but sent or alighted from the credential that is actually presented to the endpoint.
PL/T3-ASU: can you elaborate on that.
Greg Bernstein: It is very similar to the alighted okay because what you're it's very much like the gordian envelopes because underneath how this kind of works is they are for each message you're doing a hash there encoding that in these groups and such like.
Greg Bernstein: Like that.
Greg Bernstein: You send the proof you're basically sending somewhat like a hash value it's it's in it's in an imminent it's randomized more than you would in like a gordian envelope type of collision but it is really like removing it and substituting something like a hash but it's more randomized because that's how we get the unlink ability.
PL/T3-ASU: Right but just just wanted to clarify whether they ended up with the whole credential and those pieces that you've left or to be disposed visible and in to the receipt recipient and the rest of it's still there but simply in an encrypted form which potentially could be worked on.
Greg Bernstein: Yeah no it's not even it's not even in an encrypted format you could it's it's hashed in map to the curve via group and randomized it's it's kind of there but it's not in a way that we can see it.
PL/T3-ASU: Got it right right it still takes it still takes some space but it's not the entire it's not what was in the original information.
Greg Bernstein: It doesn't it doesn't even take space it gets mixed in so it's even harder to get it out.
Harrison_Tang: And you have to.
Harrison_Tang: Hi Greg sorry do you mind actually also clarify go a little bit deeper into the trade-off of different selected disclosure in mechanisms like PBS verses earlier you talked about hash Bayside accordion envelope like what are the trade-offs.
Greg Bernstein: Yeah this really needs more than one slide I'm sorry about that and we may want to have a whole talk on it that's it.
Harrison_Tang: Maybe I can schedule a follow-up conversation on this topic of different options yeah.
<steve_magennis> is the bbs demo available somewhere to play with?
Greg Bernstein: Yeah cuz I look at it from a theoretical point of view of like three main classes which okay if you sign individual messages you have to have a signature for each message so your overall signature size is M times the number of messages times the size of the signature so for EDSA.
Greg Bernstein: It'd be M times.
Greg Bernstein: Okay however when you go to disclose.
Greg Bernstein: You don't have any extra okay you just send with what you disclosed with the signature that goes with it BBS in the Merkel hash on the other hand they have one small fixed size signature for arbitrary number of messages but you have to decide when you do your proof derivation you have to say something about the undisclosed messages you have to have some some kind of filler that's the intuition.
Greg Bernstein: A very different between the two but.
Greg Bernstein: Thing is about the same okay undisclosed messages so my proofs got bigger what would go for BBS versus if I have lots of individually signed messages and I'm only revealing two out of a hundred is only going to be like 102 times 64 bytes you know so it's important this is an important thing because selective disclosure is important and we need to understand.
Greg Bernstein: The trade-off.
Greg Bernstein: These things because.
Greg Bernstein: You can do some things that others can't at all but then it's got its trade-offs because we saw about that unlink able anonymity that may not be achievable based on what you're revealing Okay so.
Greg Bernstein: All these.
Greg Bernstein: I say all these approaches are pretty good so if we want to talk more and evaluate these things it's a good topic.
Harrison_Tang: Cool thank you no I will take you up on that I'll I'll talk to you offline about scheduling a topic on this presentation on this topic so thank you thank you and.
Greg Bernstein: Okay and take and take a look if folks want to take a look at the slides that say Advanced topics if that's where we could try and pull in like the syllabus and some of those Owen here's the link to the demo just in case all these things.
Greg Bernstein: You will be sent against by Harrison and case you didn't get the links but they're all up on my website easy to get to.
<kimberly_wilson_linson> Thank you!
Harrison_Tang: All right thank you Greg I learned a lot so this is amazing presentation and thanks a lot and I think this concludes today's a w3c shiji meeting I will send those notes links and and also the links to the slides and the demo in a follow-up email to the to the email agenda email that's sent out earlier so thanks thanks a lot.