From c767aa3bdd5217fb085ac2099ca2d2500f730bef Mon Sep 17 00:00:00 2001 From: Wind4Greg Date: Mon, 15 Apr 2024 16:54:32 -0700 Subject: [PATCH 01/15] Added five informative tables covering baseline and options explaining inputs, outputs and such for issuer, holder, and verifier. --- index.html | 192 ++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 189 insertions(+), 3 deletions(-) diff --git a/index.html b/index.html index 2626f6d..523764e 100644 --- a/index.html +++ b/index.html @@ -1607,8 +1607,9 @@

Pseudonyms with Issuer-known PID

[[CFRG-Pseudonym-BBS-Signature]].

-

Pseudonyms with Hidden PID

-

+

+

Pseudonyms with Hidden PID

+

This feature is a privacy preserving enhancement that allows a verifier that has seen a selectively revealed document with derived proof from a holder to recognize that the same holder is presenting a new selectively revealed document @@ -1648,7 +1649,192 @@

Pseudonyms with Hidden PID

|pseudonym|, they use the proof verification procedures of [[CFRG-Pseudonym-BBS-Signature]].

-
+ +
+

Optional Feature Summary

+

+This section provides a summaries of the inputs, outputs, proof serialiation, +tasks, and procedures for "baseline" BBS proofs as well as those for the +optional features. By baseline BBS we mean BBS base and derived proofs +without additional features. All the optional features are "additive" in the +sense that some additional input, task, or, output is generated in +addition to that of the "baseline" BBS signatures/proofs. +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 1 Issuer Create Base: Inputs and such.
NameTasksInputsSigning Algorithm
Baseline BBSbaseline: BBS signature generation from VC baseline: document, proof options, key material, mandatory pointersBBS
Anonymous Holder Bindingbaseline + selected index adjustmentbaseline + commitment with proof to holder secret from holderBlind BBS
Pseudonym with Issuer Pidbaseline + Generate pidbaselinePseudonym BBS
Pseudonym with Hidden Pidbaseline + selected index adjustmentbaseline + commitment with proof to secret pid from holderPseudonym/Blind BBS
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 2 Issuer Create Base: Headers and Serialization.
NameProof Header BytesSerialized Output
Baseline BBS`0xd9`, `0x5d`, and `0x02`baseline: bbsSignature, bbsHeader, publicKey, hmacKey, and mandatoryPointers
Anonymous Holder Binding`0xd9`, `0x5d`, and `0x04`baseline + signerBlind
Pseudonym with Issuer Pid`0xd9`, `0x5d`, and `0x06` baseline + pid
Pseudonym with Hidden Pid`0xd9`, `0x5d`, and `0x08`baseline + signerBlind
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 3 Holder Add Derived: Inputs and such.
NameTasksInputsProof Generation Algorithm
Baseline BBSBBS derived proof generation from VC with base proofbaseline: (from base proof serialization) bbsSignature, bbsHeader, publicKey, hmacKey, and mandatoryPointers; selectivePointers (holders choice)BBS
Anonymous Holder Bindingbaselinebaseline + holder secret, prover blind (both known to holder), signer blind (included in base proof from issuer)Blind BBS
Pseudonym with Issuer Pidbaseline + Generate pseudonymbaseline + verifier id (from verifier), pid (included in base from issuer)Pseudonym BBS
Pseudonym with Hidden Pidbaseline + Generate pseudonymbaseline + pid, prover blind (both known to holder), signer blind (included in base from issuer), verifier id (from verifier)Pseudonym/Blind BBS
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 4 Holder Add Derived: Headers and Serialization.
NameProof Header BytesSerialized Output
Baseline BBS`0xd9`, `0x5d`, and `0x03`baseline: bbsProof, compressedLabelMap, mandatoryIndexes, selectiveIndexes, presentationHeader
Anonymous Holder Binding`0xd9`, `0x5d`, and `0x05`baseline
Pseudonym with Issuer Pid `0xd9`, `0x5d`, and `0x07`baseline + pseudonym
Pseudonym with Hidden Pid`0xd9`, `0x5d`, and `0x09`baseline + pseudonym
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 5 Verify Derived: Inputs and Algorithms.
NameInputsProof Verification Algorithm
BBS baselinebaseline: (from derived proof serialization) bbsProof, compressedLabelMap, mandatoryIndexes, selectiveIndexes, presentationHeaderBBS
Anonymous Holder BindingbaselineBlind BBS
Pseudonym with Issuer Pidbaseline + verifier id (known to verifier), pseudonym (included in derived proof)Pseudonym BBS
Pseudonym with Hidden Pidbaseline + verifier id (known to verifier), pseudonym (included in derived proof)Pseudonym/Blind BBS
+

Security Considerations

From fde91b6c9c189e23b47247a5b75cf3f264f9c428 Mon Sep 17 00:00:00 2001 From: Wind4Greg Date: Tue, 16 Apr 2024 08:41:43 -0700 Subject: [PATCH 02/15] Update "Create Base Proof" to clarify inputs and use featureOption parameter. --- index.html | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/index.html b/index.html index 523764e..1caf443 100644 --- a/index.html +++ b/index.html @@ -1077,10 +1077,22 @@

Create Base Proof (bbs-2023)

The following algorithm specifies how to create a [=data integrity proof=] given an unsecured data document. Required inputs are an -unsecured data document ([=map=] |unsecuredDocument|), and a set of proof -options ([=map=] |options|). A [=data integrity proof=] ([=map=]), or an error, +unsecured data document ([=map=] |unsecuredDocument|), a set of proof +options ([=map=] |options|), an array of mandatory JSON pointers +(|mandatoryPointers|), a |featureOption| indicator parameter, and, depending on +the |featureOption|, a |commitment_with_proof| byte array. +A [=data integrity proof=] ([=map=]), or an error, is produced as output.

+

+The |featureOption| parameter is used to indicate which optional feature, if +any, is being used. It can take one of the following values `"baseline"`, +`"anonymous_holder_binding"`, `"pseudonym_issuer_pid"`, or +`"pseudonym_hidden_pid"`. Note that `"baseline"` is used to denote the case of +no optional features. In the cases where the |featureOption| is set to +`"anonymous_holder_binding"` or `"pseudonym_hidden_pid"`, the +|commitment_with_proof| input MUST be supplied. +

  1. @@ -1103,8 +1115,9 @@

    Create Base Proof (bbs-2023)

  2. Let |proofBytes| be the result of running the algorithm in Section -[[[#base-proof-serialization-bbs-2023]]] with |hashData| and -|options| passed as parameters. +[[[#base-proof-serialization-bbs-2023]]] with |hashData|, +|options|, |featureOption|, and if required |commitment_with_proof passed as +parameters.
  3. Let |proof|.|proofValue| be a From 3ba9f53dc43edf2bb043fb726d8fe10baae60994 Mon Sep 17 00:00:00 2001 From: Wind4Greg Date: Tue, 16 Apr 2024 09:09:36 -0700 Subject: [PATCH 03/15] Update "Base Proof Serialization" to use featureOption input for clarity. --- index.html | 39 ++++++++++++++++++++++----------------- 1 file changed, 22 insertions(+), 17 deletions(-) diff --git a/index.html b/index.html index 1caf443..6fcbc34 100644 --- a/index.html +++ b/index.html @@ -1116,7 +1116,7 @@

    Create Base Proof (bbs-2023)

  4. Let |proofBytes| be the result of running the algorithm in Section [[[#base-proof-serialization-bbs-2023]]] with |hashData|, -|options|, |featureOption|, and if required |commitment_with_proof passed as +|options|, |featureOption|, and if required |commitment_with_proof| passed as parameters.
  5. @@ -1303,10 +1303,13 @@

    Base Proof Serialization (bbs-2023)

    in the Data Integrity [[VC-DATA-INTEGRITY]] specification,     Section 4: Algorithms. Required inputs are -cryptographic hash data (|hashData|) and -proof options (|options|). -Optional inputs include a |commitment_with_proof| byte array and/or a -|use_pseudonyms| boolean. +cryptographic hash data (|hashData|), +proof options (|options|), |featureOption|, and if required +|commitment_with_proof|. +If |featureOption| is set to `"anonymous_holder_binding"` or +`"pseudonym_hidden_pid"`, the +|commitment_with_proof| input MUST be supplied and otherwise an error should be +returned. The proof options MUST contain a type identifier for the cryptographic suite (|type|) and MAY contain a cryptosuite @@ -1330,50 +1333,52 @@

    Base Proof Serialization (bbs-2023)

  6. Compute the `bbsSignature` using the procedures below, dependent on the values -of |commitment_with_proof| and |use_pseudonyms| options. +of |featureOption|.
    1. -If |commitment_with_proof| is empty and |use_pseudonyms| is false, compute the +If |featureOption| equals `"baseline"`, compute the `bbsSignature` using the `Sign` procedure of [[CFRG-BBS-Signature]], with appropriate key material, `bbsHeader` for the `header`, and `bbsMessages` for the `messages`.
    2. -If |commitment_with_proof| is not empty and |use_pseudonyms| is false, compute the +If |featureOption| equals `"anonymous_holder_binding"` , compute the `bbsSignature` using the `Sign` procedure of [[CFRG-Blind-BBS-Signature]], with appropriate key material, `bbsHeader` for the `header`, and `bbsMessages` for the `messages`. If the signing procedure uses the optional |signer_blind| parameter, retain this value for use when calling (below). This provides for the -"anonymous holder binding" feature. +Anonymous Holder Binding feature.
    3. -If |commitment_with_proof| is empty and |use_pseudonyms| is true, generate a +If |featureOption| equals `"pseudonym_issuer_pid"`, generate a cryptographically random 32 byte |pid| value. Compute the `bbsSignature` using the `Sign` procedure of [[CFRG-Pseudonym-BBS-Signature]], with appropriate key material, `bbsHeader` for the `header`, `bbsMessages` for the `messages`, and |pid| for the `pid`. Retain the |pid| value for use when calling below. -This provides for "pseudonym with issuer known pid". +This provides for Pseudonym with +Issuer-known PID feature.
    4. -If |commitment_with_proof| is not empty and |use_pseudonyms| is true, compute +If |featureOption| equals `"pseudonym_hidden_pid"`, compute the `bbsSignature` using the `Sign` procedure of [[CFRG-Pseudonym-BBS-Signature]], with appropriate key material, `bbsHeader` for the `header`, `bbsMessages` for the `messages`, and |commitment_with_proof| for the `commitment_with_proof`. If the signing procedure uses the optional |signer_blind| parameter retain this value for use when calling below. -This provides for the "pseudonym with hidden pid" feature. +This provides for the Pseudonym with + Hidden PID feature.
  7. Initialize `proofValue to the result of calling the algorithm in Section -, passing `bbsSignature`, `bbsHeader`, -`publicKey`, `hmacKey`, `mandatoryPointers`, `pid`, and `signer_blind` values as -paramters. Use empty byte arrays for `pid` and `signer_blind` if they are not -used. +, passing |bbsSignature|, |bbsHeader|, +|publicKey|, |hmacKey|, |mandatoryPointers|, |featureOption|, and depending on +the |featureOption| value and signing options the |pid|, and |signer_blind| +values as paramters. Note `publicKey` is a byte array of the public key, encoded according to [[CFRG-BBS-SIGNATURE]].
    8. From 24bf82af2757471bcad904d55c06fbb428998044 Mon Sep 17 00:00:00 2001 From: Wind4Greg Date: Tue, 16 Apr 2024 09:41:10 -0700 Subject: [PATCH 04/15] Update serializeBaseProof to use new header bytes based on feature option. --- index.html | 66 ++++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 59 insertions(+), 7 deletions(-) diff --git a/index.html b/index.html index 6fcbc34..d6112e1 100644 --- a/index.html +++ b/index.html @@ -590,20 +590,72 @@

    serializeBaseProofValue

    The following algorithm serializes the base proof value, including the BBS signature, HMAC key, and mandatory pointers. -The required inputs are a base signature |bbsSignature|, -an HMAC key |hmacKey|, and an array of -|mandatoryPointers|. +The required inputs are a base signature |bbsSignature|, |bbsHeader|, +|publicKey|, an HMAC key |hmacKey|, an array of +|mandatoryPointers|, |featureOption|,and depending on +the |featureOption| value the |pid|, and |signer_blind| values. A single base proof string value is produced as output.

    1. -Initialize a byte array, `proofValue`, that starts with the BBS base proof -header bytes `0xd9`, `0x5d`, and `0x02`. +Depending upon the value of the |featureOption| set up the |proofValue| as +follows.
    2. +If |proofValue| equals `"baseline"`: +
        +
      1. +Initialize a byte array, |proofValue|, that starts with the BBS base proof +header bytes `0xd9`, `0x5d`, and `0x02`. +
        2. +
      2. Initialize |components| to an array with five elements containing the values of: |bbsSignature|, |bbsHeader|, |publicKey|, |hmacKey|, and |mandatoryPointers|. +
        3. +
      +
      3. +
    3. +If |proofValue| equals `"anonymous_holder_binding"`: +
        +
      1. +Initialize a byte array, |proofValue|, that starts with the BBS base proof +header bytes `0xd9`, `0x5d`, and `0x04`. +
        2. +
      2. +Initialize |components| to an array with five elements containing the values of: +|bbsSignature|, |bbsHeader|, |publicKey|, |hmacKey|, |mandatoryPointers|, +|signerBlind|. +
        3. +
      +
      4. +
    4. +If |proofValue| equals `"pseudonym_issuer_pid"`: +
        +
      1. +Initialize a byte array, |proofValue|, that starts with the BBS base proof +header bytes `0xd9`, `0x5d`, and `0x06`. +
        2. +
      2. +Initialize |components| to an array with five elements containing the values of: +|bbsSignature|, |bbsHeader|, |publicKey|, |hmacKey|, |mandatoryPointers|, +|pid|. +
        3. +
      +
      5. +
    5. +If |proofValue| equals `"pseudonym_hidden_pid"`: +
        +
      1. +Initialize a byte array, |proofValue|, that starts with the BBS base proof +header bytes `0xd9`, `0x5d`, and `0x08`. +
        2. +
      2. +Initialize |components| to an array with five elements containing the values of: +|bbsSignature|, |bbsHeader|, |publicKey|, |hmacKey|, |mandatoryPointers|, +|signerBlind|. +
        3. +
    6. CBOR-encode |components| per [[RFC8949]] where CBOR tagging MUST NOT be used on @@ -1357,7 +1409,7 @@

      Base Proof Serialization (bbs-2023)

      with appropriate key material, `bbsHeader` for the `header`, `bbsMessages` for the `messages`, and |pid| for the `pid`. Retain the |pid| value for use when calling below. -This provides for Pseudonym with +This provides for Pseudonym with Issuer-known PID feature.
    7. @@ -1368,7 +1420,7 @@

      Base Proof Serialization (bbs-2023)

      for the `commitment_with_proof`. If the signing procedure uses the optional |signer_blind| parameter retain this value for use when calling below. -This provides for the Pseudonym with +This provides for the Pseudonym with Hidden PID feature.
    From b16c2c3ec8431369034b59c93bc20bb1b09080b7 Mon Sep 17 00:00:00 2001 From: Wind4Greg Date: Tue, 16 Apr 2024 10:30:54 -0700 Subject: [PATCH 05/15] Update "Add Derived Proof" to clarify feature options and their required inputs. --- index.html | 34 +++++++++++++++++++++++++++------- 1 file changed, 27 insertions(+), 7 deletions(-) diff --git a/index.html b/index.html index d6112e1..1fadd2f 100644 --- a/index.html +++ b/index.html @@ -1451,20 +1451,40 @@

    Add Derived Proof (bbs-2023)

    JSON-LD document (|document|), a BBS base proof (|proof|), an array of JSON pointers to use to selectively disclose statements (|selectivePointers|), an OPTIONAL BBS -|presentationHeader| (a byte array), an OPTIONAL -|commitment_with_proof| (a byte array), an OPTIONAL |pid| value (a byte array), +|presentationHeader| (a byte array), a |featureOption| parameter, additional +parameters supporting the |featureOption| selected (see below), and any custom JSON-LD API options, such as a document loader. A single selectively revealed document value, represented as an object, is produced as output.

    - +

    +In the case where |featureOption| equals `"anonymous_holder_binding"` the +REQUIRED additional inputs are |holderSecret| and |proverBlind|. These would +have been precomputed by the holder. See +Anonymous Holder Binding for background +information. +

    +

    +In the case where |featureOption| equals `"pseudonym_issuer_pid"` the REQUIRED +additional input is the |verifier_id| which is communicated to the holder by the +verifier. See Pseudonyms with +Issuer-known PID for background information. +

    +

    +In the case where |featureOption| equals `"pseudonym_hidden_pid"` the REQUIRED +additional inputs are the |pid|, |proverBlind| (both known to +holder), |verifier_id| which is communicated to the holder by the verifier. See +See Pseudonyms with +Hidden PID for background information. +

    1. -Initialize `bbsProof`, `labelMap`, `mandatoryIndexes`, `selectiveIndexes`, and -`revealDocument` to the values associated with their +Initialize |bbsProof|, |labelMap|, |mandatoryIndexes|, |selectiveIndexes|, and +|revealDocument| to the values associated with their property names in the object returned when calling the algorithm in -Section , passing the `document`, `proof`, -`selectivePointers`, `presentationHeader`, and any custom JSON-LD API options, +Section , passing the |document|, |proof|, +|selectivePointers|, |presentationHeader|, |featureOption|, required additional +inputs based on the |featureOption|, and any custom JSON-LD API options, such as a document loader.
    2. From f9d78f34051cf9ed58a64f99d55dc45a2b197fb3 Mon Sep 17 00:00:00 2001 From: Wind4Greg Date: Tue, 16 Apr 2024 11:28:55 -0700 Subject: [PATCH 06/15] Update "createDisclosureData" with featureOption parameter and clarify inputs and steps. --- index.html | 141 +++++++++++++++++++++++++++++++---------------------- 1 file changed, 82 insertions(+), 59 deletions(-) diff --git a/index.html b/index.html index 1fadd2f..f667142 100644 --- a/index.html +++ b/index.html @@ -726,48 +726,47 @@

      createDisclosureData

      (|proof|), an array of JSON pointers to use to selectively disclose statements (|selectivePointers|), an OPTIONAL BBS |presentationHeader| (byte array that defaults to an empty byte array if -not present), -an OPTIONAL -|commitment_with_proof| (a byte array), an OPTIONAL |pid| value (a byte array), +not present), a |featureOption| indicator, additional inputs as required by +the |featureOption| (see Add Derived Proof), and any custom JSON-LD API options (such as a document loader). A single object, disclosure data, is -produced as output, which contains the `bbsProof`, `labelMap`, -`mandatoryIndexes`, `selectiveIndexes`, `presentationHeader`, and -`revealDocument` fields. +produced as output, which contains the |bbsProof|, |labelMap|, +|mandatoryIndexes|, |selectiveIndexes|, |presentationHeader|, +|revealDocument|, and |pseudonym| (if computed) fields.

      1. -Initialize `bbsSignature`, `bbsHeader`, `publicKey`, `hmacKey`, -`mandatoryPointers`, and the optional feature parameters `pid` and -`signer_blind` to the values of the associated properties in the object +Initialize |bbsSignature|, |bbsHeader|, |publicKey|, |hmacKey|, +|mandatoryPointers|, and the optional feature parameters |pid| and +|signer_blind| to the values of the associated properties in the object returned when calling the algorithm in Section , passing the `proofValue` from `proof`.
      2. -Initialize `hmac` to an HMAC API using `hmacKey`. The HMAC uses the same hash +Initialize |hmac| to an HMAC API using |hmacKey|. The HMAC uses the same hash algorithm used in the signature algorithm, i.e., SHA-256.
      3. -Initialize `labelMapFactoryFunction` to the result of calling the -`createShuffledIdLabelMapFunction` algorithm passing `hmac` as `HMAC`. +Initialize |labelMapFactoryFunction| to the result of calling the +|createShuffledIdLabelMapFunction| algorithm passing |hmac| as |HMAC|.
      4. -Initialize `combinedPointers` to the concatenation of `mandatoryPointers` -and `selectivePointers`. +Initialize |combinedPointers| to the concatenation of |mandatoryPointers| +and |selectivePointers|.
      5. -Initialize `groupDefinitions` to a map with the following entries: key of -the string `"mandatory"` and value of `mandatoryPointers`; key of the string -`"selective"` and value of `selectivePointers`; and key of the string `"combined"` -and value of `combinedPointers`. +Initialize |groupDefinitions| to a map with the following entries: key of +the string `"mandatory"` and value of |mandatoryPointers|; key of the string +`"selective"` and value of |selectivePointers|; and key of the string `"combined"` +and value of |combinedPointers|.
      6. -Initialize `groups` and `labelMap` to the result of calling the algorithm in +Initialize |groups| and |labelMap| to the result of calling the algorithm in Section 3.3.16 -canonicalizeAndGroup of the [[DI-ECDSA]] specification, passing `document` -`labelMapFactoryFunction`, -`groupDefinitions`, and any custom JSON-LD +canonicalizeAndGroup of the [[DI-ECDSA]] specification, passing |document| +|labelMapFactoryFunction|, +|groupDefinitions|, and any custom JSON-LD API options. Note: This step transforms the document into an array of canonical N-Quads whose order has been shuffled based on 'hmac' applied blank node identifiers, and groups @@ -780,15 +779,15 @@

        createDisclosureData

        in the list of combined statements. One method for doing this is given below.
        1. -Initialize `mandatoryIndexes` to an empty array. Set `mandatoryMatch` to -`groups.mandatory.matching` map; set `combinedMatch` to -`groups.combined.matching`; and set `combinedIndexes` to the ordered array of -just the keys of the `combinedMatch` map. +Initialize |mandatoryIndexes| to an empty array. Set |mandatoryMatch| to +|groups.mandatory.matching| map; set |combinedMatch| to +|groups.combined.matching|; and set |combinedIndexes| to the ordered array of +just the keys of the |combinedMatch| map.
        2. -For each key in the `mandatoryMatch` map, find its index in the `combinedIndexes` +For each key in the |mandatoryMatch| map, find its index in the |combinedIndexes| array (e.g., `combinedIndexes.indexOf(key)`), and add this value to the -`mandatoryIndexes` array. +|mandatoryIndexes| array.
        7. @@ -798,28 +797,29 @@

        createDisclosureData

        the list of non-mandatory statements. One method for doing this is given below.
        1. -Initialize `selectiveIndexes` to an empty array. Set `selectiveMatch` to the -`groups.selective.matching` map; set `mandatoryNonMatch` to the map -`groups.mandatory.nonMatching`; and `nonMandatoryIndexes` to to the ordered array of -just the keys of the `mandatoryNonMatch` map. +Initialize |selectiveIndexes| to an empty array. Set |selectiveMatch| to the +|groups.selective.matching| map; set |mandatoryNonMatch| to the map +|groups.mandatory.nonMatching|; and |nonMandatoryIndexes| to to the ordered +array of just the keys of the |mandatoryNonMatch| map.
        2. -For each key in the `selectiveMatch` map, find its index in the `nonMandatoryIndexes` -array (e.g., `nonMandatoryIndexes.indexOf(key)`), and add this value to the -`selectiveIndexes` array. +For each key in the |selectiveMatch| map, find its index in the +|nonMandatoryIndexes| array (e.g., `nonMandatoryIndexes.indexOf(key)`), and add +this value to the |selectiveIndexes| array.
      7. -Initialize `bbsMessages` to an array of byte arrays containing the values in the -`nonMandatory` array of strings encoded using the UTF-8 character encoding. +Initialize |bbsMessages| to an array of byte arrays containing the values in the +|nonMandatory| array of strings encoded using the UTF-8 +character encoding.
      8. -Set `bbsProof` to the value computed by the appropriate procedure given below -based on the values of the |commitment_with_proof| and |pid| options. +Set |bbsProof| to the value computed by the appropriate procedure given below +based on the value of the |featureOption| parameter.
        1. -If both |commitment_with_proof| and |pid| options are empty, +If |featureOption| equals `"baseline"`, set `bbsProof` to the value computed by the `ProofGen` procedure from [[CFRG-BBS-SIGNATURE]], i.e., `ProofGen(PK, signature, header, ph, messages, disclosed_indexes)`, @@ -828,34 +828,57 @@

          createDisclosureData

          `messages` is `bbsMessages`, and `disclosed_indexes` is `selectiveIndexes`.
        2. -If |commitment_with_proof| is not empty and |pid| is empty, +If |featureOption| equals `"anonymous_holder_binding"`, set `bbsProof` to the value computed by the `ProofGen` procedure from -[[CFRG-Blind-BBS-Signature]], where `PK` is the original issuers public key, -`signature` is the -`bbsSignature`, `header` is the `bbsHeader`, `ph` is the `presentationHeader` -`messages` is `bbsMessages`, `disclosed_indexes` is `selectiveIndexes`, +[[CFRG-Blind-BBS-Signature]], where |PK| is the original issuers public key, +|signature| is the +|bbsSignature|, |header| is the |bbsHeader|, |ph| is the |presentationHeader|, +|messages| is |bbsMessages|, |disclosed_indexes| is |selectiveIndexes|, `commitment_with_proof`, and `signer_blind`. The holder will also furnish its -"secret value" that was used to compute the `commitment_with_proof`. This is the -"anonymous holder binding" option. +|holder_secret|, and |proverBlind| that was used to compute the +|commitment_with_proof|. This is the +Anonymous Holder Binding feature option. +In addition to the |bbsProof| the Blind BBS `ProofGen` procedure will also +produce and updated (adjusted) list of indexes which should be used to update +the |selectiveIndexes| variable in subsequent processing. To +be updated when IETF API is finalized.
        3. -If |pid| is not empty, compute the |pseudonym| according to the procedures given +If |featureOption| equals `"pseudonym_issuer_pid"`, compute the |pseudonym| +according to the procedures given in [[CFRG-Pseudonym-BBS-Signature]], -and set `bbsProof` to the value computed by the `ProofGen` procedure from -[[CFRG-Pseudonym-BBS-Signature]], where `PK` is the original issuers public key, -`signature` is the -`bbsSignature`, `header` is the `bbsHeader`, `ph` is the `presentationHeader` -`messages` is `bbsMessages`, `disclosed_indexes` is `selectiveIndexes`, and -|pseudonym| is the `pseudonym`. This is for both "pseudonym with issuer known -pid" and "pseudonym with hidden pid" cases. +and set |bsProof| to the value computed by the `ProofGen` procedure from +[[CFRG-Pseudonym-BBS-Signature]], where |PK| is the original issuers public key, +|signature| is the +|bbsSignature|, |header| is the |bbsHeader|, |ph| is the |presentationHeader| +|messages| is |bbsMessages|, |disclosed_indexes| is |selectiveIndexes|, and +|pseudonym| is the `pseudonym`. This is for the +Pseudonyms with Issuer-known PID +feature option. To be updated when IETF API is finalized. + +
          4. +
        4. +If |featureOption| equals `"pseudonym_hidden_pid"`, compute the |pseudonym| +according to the procedures given +in [[CFRG-Pseudonym-BBS-Signature]], +and set |bsProof| to the value computed by the `ProofGen` procedure from +[[CFRG-Pseudonym-BBS-Signature]], where |PK| is the original issuers public key, +|signature| is the +|bbsSignature|, |header| is the |bbsHeader|, |ph| is the |presentationHeader| +|messages| is |bbsMessages|, |disclosed_indexes| is |selectiveIndexes|, +|commitment_with_proof|, |pid|, |proverBlind|, |signer_blind|, and +|pseudonym| is the `pseudonym`. This is for the +Pseudonyms with Hidden PID +feature option. To be updated when IETF API is finalized. +
      9. -Initialize |revealDocument| to the result of the "selectJsonLd" -algorithm, passing `document`, and `combinedPointers` as `pointers`. +Initialize |revealDocument| to the result of the "selectJsonLd" algorithm from +[[DI-ECDSA]], passing `document`, and `combinedPointers` as `pointers`.
      10. Run the RDF Dataset Canonicalization Algorithm [[RDF-CANON]] on @@ -880,8 +903,8 @@

        createDisclosureData

    3. -Return an object with properties matching `bbsProof`, "verifierLabelMap" for `labelMap`, -`mandatoryIndexes`, `selectiveIndexes`, `revealDocument`, and |pseudonym|, if +Return an object with properties matching |bbsProof|, "verifierLabelMap" for |labelMap|, +|mandatoryIndexes|, |selectiveIndexes|, |revealDocument|, and |pseudonym|, if computed.
    From 671a5d2c326bd21f9a3c5d3782ab847770d24480 Mon Sep 17 00:00:00 2001 From: Wind4Greg Date: Tue, 16 Apr 2024 12:03:57 -0700 Subject: [PATCH 07/15] Update pareBaseProofValue to work with new header bytes for the options and return different items based on headers. --- index.html | 65 ++++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 56 insertions(+), 9 deletions(-) diff --git a/index.html b/index.html index f667142..ec3a75c 100644 --- a/index.html +++ b/index.html @@ -679,9 +679,10 @@

    parseBaseProofValue

    The following algorithm parses the components of a `bbs-2023` selective disclosure base proof value. The required input is a proof value (|proofValue|). A single object, parsed base proof, containing -five or seven elements, using the names "bbsSignature", "bbsHeader", +six or seven elements, using the names "bbsSignature", "bbsHeader", "publicKey", -"hmacKey", "mandatoryPointers", and optional feature parameters "pid" and +"hmacKey", "mandatoryPointers", "featureOption", and possibly optional feature +parameters "pid" and "signer_blind" is produced as output.

    @@ -696,22 +697,68 @@

    parseBaseProofValue

    an error if it does not.
  8. -Initialize `decodedProofValue` to the result of base64url-no-pad-decoding the +Initialize |decodedProofValue| to the result of base64url-no-pad-decoding the substring following the leading `u` in `proofValue`.
  9. -Ensure that the `decodedProofValue` starts with the BBS base proof header -bytes `0xd9`, `0x5d`, and `0x02`, and throw an error if it does not. +Check that the BBS base proof starts with an allowed header value and set the +|featureOption| variable as follows: +
      +
    1. +If the |decodedProofValue| starts with the bytes `0xd9`, `0x5d`, and `0x02` set +|featureOption| to `"baseline"`. +
      2. +
    2. +If the |decodedProofValue| starts with the bytes `0xd9`, `0x5d`, and `0x04` set +|featureOption| to `"anonymous_holder_binding"`. +
      3. +
    3. +If the |decodedProofValue| starts with the bytes `0xd9`, `0x5d`, and `0x06` set +|featureOption| to `"pseudonym_issuer_pid"`. +
      4. +
    4. +If the |decodedProofValue| starts with the bytes `0xd9`, `0x5d`, and `0x08` set +|featureOption| to `"pseudonym_hidden_pid"`. +
      5. +
    5. +If the |decodedProofValue| starts with any other three byte sequence throw an +error. +
      6. +
    +
  10. Initialize `components` to an array that is the result of CBOR-decoding the bytes that follow the three-byte BBS base proof header.
  11. -Return an object with properties set to the following elements, using the names -"bbsSignature", "bbsHeader", "publicKey", "hmacKey", "mandatoryPointers", (and -optional feature parameters) "pid" and "signer_blind" -respectively. +Based on the value of |featureOption| return an object based on |components| +as follows: +
      +
    1. +If |featureOption| equals `"baseline"` set the property names for the object +based on |components| to "bbsSignature", "bbsHeader", "publicKey", "hmacKey", +"mandatoryPointers" in that order and add |featureOption| as a property. +
      2. +
    2. +If |featureOption| equals `"anonymous_holder_binding"` set the property names +for the object based on |components| to "bbsSignature", "bbsHeader", +"publicKey", "hmacKey", "mandatoryPointers", "signer_blind" in that order and +add |featureOption| as a property. +
      3. +
    3. +If |featureOption| equals `"pseudonym_issuer_pid"` set the property names +for the object based on |components| to "bbsSignature", "bbsHeader", +"publicKey", "hmacKey", "mandatoryPointers", "pid" in that order and +add |featureOption| as a property. +
      4. +
    4. +If |featureOption| equals `"pseudonym_hidden_pid"` set the property names +for the object based on |components| to "bbsSignature", "bbsHeader", +"publicKey", "hmacKey", "mandatoryPointers", "signer_blind" in that order and +add |featureOption| as a property. +
      5. +
From 40810812e45b4f110495390eee01a016fbe5d377 Mon Sep 17 00:00:00 2001 From: Wind4Greg Date: Tue, 16 Apr 2024 14:56:57 -0700 Subject: [PATCH 08/15] Another update to "Add Derived Proof" to clarify parameter usage in step that calls serialization. --- index.html | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/index.html b/index.html index ec3a75c..e8defa0 100644 --- a/index.html +++ b/index.html @@ -1558,19 +1558,19 @@

Add Derived Proof (bbs-2023)

such as a document loader.
  • -Initialize `newProof` to a shallow copy of `proof`. +Initialize |newProof| to a shallow copy of |proof|.
  • -Replace `proofValue` in `newProof` with the result of calling the algorithm -in Section , passing `bbsProof`, -`labelMap`, `mandatoryIndexes`, `selectiveIndexes`, |commitment_with_proof|, and -|pid|. +Replace |proofValue| in |newProof| with the result of calling the algorithm +in Section , passing |bbsProof|, +|labelMap|, |mandatoryIndexes|, |selectiveIndexes|, |featureOption|, and any +required inputs indicated by the |featureOption|.
  • -Set the value of the "`proof`" property in `revealDocument` to `newProof`. +Set the value of the "`proof`" property in |revealDocument| to |newProof|.
  • -Return `revealDocument` as the selectively revealed document. +Return |revealDocument| as the selectively revealed document.
    • From 5d75a756d3cc0e7b34396fe3a393c1b29a7d68cf Mon Sep 17 00:00:00 2001 From: Wind4Greg Date: Tue, 16 Apr 2024 15:24:24 -0700 Subject: [PATCH 09/15] Update "serializeDerivedProofValue" to use additional feature option header bytes and output serialization. --- index.html | 76 +++++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 64 insertions(+), 12 deletions(-) diff --git a/index.html b/index.html index e8defa0..98599c1 100644 --- a/index.html +++ b/index.html @@ -603,7 +603,7 @@

    serializeBaseProofValue

    follows.
  • -If |proofValue| equals `"baseline"`: +If |featureOption| equals `"baseline"`:
    1. Initialize a byte array, |proofValue|, that starts with the BBS base proof @@ -616,7 +616,7 @@

      serializeBaseProofValue

  • -If |proofValue| equals `"anonymous_holder_binding"`: +If |featureOption| equals `"anonymous_holder_binding"`:
    1. Initialize a byte array, |proofValue|, that starts with the BBS base proof @@ -630,7 +630,7 @@

      serializeBaseProofValue

  • -If |proofValue| equals `"pseudonym_issuer_pid"`: +If |featureOption| equals `"pseudonym_issuer_pid"`:
    1. Initialize a byte array, |proofValue|, that starts with the BBS base proof @@ -644,7 +644,7 @@

      serializeBaseProofValue

  • -If |proofValue| equals `"pseudonym_hidden_pid"`: +If |featureOption| equals `"pseudonym_hidden_pid"`:
    1. Initialize a byte array, |proofValue|, that starts with the BBS base proof @@ -1024,8 +1024,8 @@

      serializeDerivedProofValue

      are a BBS proof (|bbsProof|), a label map (|labelMap|), an array of mandatory indexes (|mandatoryIndexes|), an array of selective indexes (|selectiveIndexes|), and a BBS presentation header -(|presentationHeader|). -Optional input is |pseudonym|. +(|presentationHeader|), the |featureOption| indicator, and possibly a +|pseudonym| value depending on the |featureOption| value. A single derived proof value, serialized as a byte string, is produced as output.

      @@ -1036,14 +1036,66 @@

      serializeDerivedProofValue

      Section , passing `labelMap` as the parameter.
    2. -Initialize a byte array, `proofValue`, that starts with the BBS disclosure -proof header bytes `0xd9`, `0x5d`, and `0x03`. -
      3. -
    3. + Depending on the value of |featureOption| do the following: +
        +
      1. +If |featureOption| equals `"baseline"`: +
          +
        1. +Initialize |proofValue| to start with the +disclosure proof header bytes `0xd9`, `0x5d`, and `0x03`. +
          2. +
        2. +Initialize |components| to an array with elements containing the values of +|bbsProof|, |compressedLabelMap|, |mandatoryIndexes|, |selectiveIndexes|, and +|presentationHeader|. +
          3. +
        +
        2. +
      2. +If |featureOption| equals `"anonymous_holder_binding"`: +
          +
        1. +Initialize |proofValue| to start with the +disclosure proof header bytes `0xd9`, `0x5d`, and `0x05`. +
          2. +
        2. +Initialize |components| to an array with elements containing the values of +|bbsProof|, |compressedLabelMap|, |mandatoryIndexes|, |selectiveIndexes|, and +|presentationHeader|. +
          3. +
        +
        3. +
      3. +If |featureOption| equals `"pseudonym_issuer_pid"`: +
          +
        1. +Initialize |proofValue| to start with the +disclosure proof header bytes `0xd9`, `0x5d`, and `0x07`. +
          2. +
        2. Initialize |components| to an array with elements containing the values of |bbsProof|, |compressedLabelMap|, |mandatoryIndexes|, |selectiveIndexes|, -|presentationHeader|, and, if provided,|pseudonym|. -
          3. +|presentationHeader|, and |pseudonym|. + +
        +
        4. +
      4. +If |featureOption| equals `"pseudonym_hidden_pid"`: +
          +
        1. +Initialize |proofValue| to start with the +disclosure proof header bytes `0xd9`, `0x5d`, and `0x09`. +
          2. +
        2. +Initialize |components| to an array with elements containing the values of +|bbsProof|, |compressedLabelMap|, |mandatoryIndexes|, |selectiveIndexes|, +|presentationHeader|, and |pseudonym|. +
          3. +
        +
        5. +
      +
    4. CBOR-encode |components| per [[RFC8949]] where CBOR tagging MUST NOT be used on any of the |components|. Append the produced encoded value to |proofValue|. From 6c2dab50f0f1dca07202add32bd65e6c35e01523 Mon Sep 17 00:00:00 2001 From: Wind4Greg Date: Tue, 16 Apr 2024 15:56:12 -0700 Subject: [PATCH 10/15] Update "parseDerivedProofValue" to deal with feature option headers and to return a featureOption field. --- index.html | 42 +++++++++++++++++++++++++++++++----------- 1 file changed, 31 insertions(+), 11 deletions(-) diff --git a/index.html b/index.html index 98599c1..2b667c8 100644 --- a/index.html +++ b/index.html @@ -1117,9 +1117,10 @@

      parseDerivedProofValue

      The following algorithm parses the components of the derived proof value. The required input is a derived proof value (|proofValue|). A single derived proof value object is produced as output, which -contains a set of five or six elements, having the names `bbsProof`, `labelMap`, -`mandatoryIndexes`, `selectiveIndexes`, `presentationHeader`, and the optional -`pseudonym` parameter. +contains a set of six or seven elements, having the names "bbsProof", +"labelMap", "mandatoryIndexes", "selectiveIndexes", "presentationHeader", +"featureOption", and possibly "pseudonym" depending on the value of the +|featureOption| parameter.

        @@ -1133,20 +1134,38 @@

        parseDerivedProofValue

        not.
      1. -Initialize `decodedProofValue` to the result of base64url-no-pad-decoding the +Initialize |decodedProofValue| to the result of base64url-no-pad-decoding the substring that follows the leading `u` in `proofValue`.
      2. -Ensure that the `decodedProofValue` starts with the BBS disclosure proof -header bytes `0xd9`, `0x5d`, and `0x03`, and throw an error if it does not. -
        3. +Check that the BBS disclosure proof starts with an allowed header value and set +the |featureOption| variable as follows: +
          +
        1. +If the |decodedProofValue| starts with the header bytes `0xd9`, `0x5d`, and +`0x03`, set |featureOption| to `"baseline"`. +
          2. +
        2. +If the |decodedProofValue| starts with the header bytes `0xd9`, `0x5d`, and +`0x05`, set |featureOption| to `"anonymous_holder_binding"`. +
          3. +
        3. +If the |decodedProofValue| starts with the header bytes `0xd9`, `0x5d`, and +`0x07`, set |featureOption| to `"pseudonym_issuer_pid"`. +
          4. +
        4. +If the |decodedProofValue| starts with the header bytes `0xd9`, `0x5d`, and +`0x09`, set |featureOption| to `"pseudonym_hidden_pid"`. +
          5. +
        +
      3. Initialize `components` to an array that is the result of CBOR-decoding the bytes that follow the three-byte BBS disclosure proof header. Ensure the result is an array of five or six elements — a byte array, a map of integers to integers, an -array of integers, another array of integers, and a byte array; otherwise, throw -an error. +array of integers, another array of integers, and one or two byte arrays; +otherwise, throw an error.
      4. Replace the second element in `components` using the result of calling the @@ -1155,8 +1174,9 @@

        parseDerivedProofValue

      5. Return derived proof value as an object with properties set to the five -elements, using the names `bbsProof`, `labelMap`, `mandatoryIndexes`, -`selectiveIndexes`, `presentationHeader`, and optional `pseudonym`, respectively. +elements, using the names "bbsProof", "labelMap", "mandatoryIndexes", +"selectiveIndexes", "presentationHeader", and optional "pseudonym", respectively. +In addition, add |featureOption| and its value to the object.
      From b3ff67aac21c450e9c3f1963730875b409c72d4f Mon Sep 17 00:00:00 2001 From: Wind4Greg Date: Tue, 16 Apr 2024 16:02:52 -0700 Subject: [PATCH 11/15] Update createVerifyData to handle and pass the extra featureOption from parseDerived. --- index.html | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/index.html b/index.html index 2b667c8..8e48260 100644 --- a/index.html +++ b/index.html @@ -1205,9 +1205,9 @@

      createVerifyData

      to use the `proofHash` value.
    5. -Initialize `bbsProof`, `labelMap`, `mandatoryIndexes`, `selectiveIndexes`, -`presentationHeader`, and `pseudonym` to the values associated with their -property names in the +Initialize |bbsProof|, |labelMap|, |mandatoryIndexes|, |selectiveIndexes|, +|presentationHeader|, |featureOption|, and, possibly, |pseudonym| to the values +associated with their property names in the object returned when calling the algorithm in Section , passing `proofValue` from `proof`.
      6. @@ -1245,8 +1245,9 @@

      createVerifyData

      primitive, passing `mandatory`.
    6. -Return an object with properties matching `baseSignature`, `proofHash`, -`nonMandatory`, `mandatoryHash`, `selectiveIndexes`, and `pseudonym`. +Return an object with properties matching |baseSignature|, |proofHash|, +|nonMandatory|, |mandatoryHash|, |selectiveIndexes|, |featureOption|, and, +possibly |pseudonym|.
    From e3a01fcb2e538bc5b43c65c5d3e145eadbccf3e6 Mon Sep 17 00:00:00 2001 From: Wind4Greg Date: Tue, 16 Apr 2024 16:45:14 -0700 Subject: [PATCH 12/15] Update "Verify Derived Proof" to make use of featureOption variable. --- index.html | 81 ++++++++++++++++++++++++++++++------------------------ 1 file changed, 45 insertions(+), 36 deletions(-) diff --git a/index.html b/index.html index 8e48260..cc06e6c 100644 --- a/index.html +++ b/index.html @@ -1191,58 +1191,59 @@

    createVerifyData

    document (|document|), a BBS disclosure proof (|proof|), and any custom JSON-LD API options (such as a document loader). A single verify data object value is produced as output containing the following -fields: `bbsProof`, `proofHash`, `mandatoryHash`, `selectedIndexes`, -`presentationHeader`, and `nonMandatory`. +fields: |bbsProof|, |proofHash|, |mandatoryHash|, |selectedIndexes|, +|presentationHeader|, |nonMandatory|, |featureOption|, and, possibly, +|pseudonym|.

    1. -Initialize `proofHash` to the result of performing RDF Dataset Canonicalization +Initialize |proofHash| to the result of performing RDF Dataset Canonicalization [[RDF-CANON]] on the proof options, i.e., the proof portion of the document -with the `proofValue` removed. The hash used is the same as that used in +with the |proofValue| removed. The hash used is the same as that used in the signature algorithm, i.e., SHA-256. Note: This step can be performed in parallel; it only needs to be completed before this algorithm needs -to use the `proofHash` value. +to use the |proofHash| value.
    2. Initialize |bbsProof|, |labelMap|, |mandatoryIndexes|, |selectiveIndexes|, |presentationHeader|, |featureOption|, and, possibly, |pseudonym| to the values associated with their property names in the object returned when calling the algorithm in Section -, passing `proofValue` from `proof`. +, passing |proofValue| from |proof|.
    3. -Initialize `labelMapFactoryFunction` to the result of calling the +Initialize |labelMapFactoryFunction| to the result of calling the "`createLabelMapFunction`" algorithm.
    4. -Initialize `nquads` to the result of calling the "`labelReplacementCanonicalize`" -algorithm of [[DI-ECDSA]], passing `document`, `labelMapFactoryFunction`, and +Initialize |nquads| to the result of calling the "`labelReplacementCanonicalize`" +algorithm of [[DI-ECDSA]], passing |document|, |labelMapFactoryFunction|, and any custom JSON-LD API options. Note: This step transforms the document into an array of -canonical N-Quads with pseudorandom blank node identifiers based on `labelMap`. +canonical N-Quads with pseudorandom blank node identifiers based on |labelMap|.
    5. -Initialize `mandatory` to an empty array. +Initialize |mandatory| to an empty array.
    6. -Initialize `nonMandatory` to an empty array. +Initialize |nonMandatory| to an empty array.
    7. -For each entry (`index`, `nq`) in `nquads`, separate the N-Quads into mandatory +For each entry (|index|, |nq|) in |nquads|, separate the N-Quads into mandatory and non-mandatory categories:
      1. -If `mandatoryIndexes` includes `index`, add `nq` to `mandatory`. +If |mandatoryIndexes| includes |index|, add |nq| to |mandatory|.
      2. -Otherwise, add `nq` to `nonMandatory`. +Otherwise, add |nq| to |nonMandatory|.
    8. -Initialize `mandatoryHash` to the result of calling the "`hashMandatory`" -primitive, passing `mandatory`. +Initialize |mandatoryHash| to the result of calling the "`hashMandatory`" +primitive, passing |mandatory|.
    9. Return an object with properties matching |baseSignature|, |proofHash|, @@ -1687,41 +1688,49 @@

      Verify Derived Proof (bbs-2023)

      Let |proof| be the value of |securedDocument|.|proof|.
    10. -Initialize `bbsProof`, `proofHash`, `mandatoryHash`, `selectedIndexes`, -`presentationHeader`, `pseudonym`, and `nonMandatory` to the values associated +Initialize |bbsProof|, |proofHash|, |mandatoryHash|, |selectedIndexes|, +|presentationHeader|, |nonMandatory|, |featureOption|, and, possibly, +|pseudonym|, to the values associated with their property names in the object returned when calling the algorithm in Section , passing the |unsecuredDocument|, |proof|, and any custom JSON-LD API options (such as a document loader).
    11. -Initialize `bbsHeader` to the concatenation of `proofHash` and `mandatoryHash` -in that order. Initialize `disclosedMessages` to an array of byte arrays -obtained from the UTF-8 encoding of the elements of the `nonMandatory` array. +Initialize |bbsHeader| to the concatenation of |proofHash| and |mandatoryHash| +in that order. Initialize |disclosedMessages| to an array of byte arrays +obtained from the UTF-8 encoding of the elements of the |nonMandatory| array.
    12. Initialize |verified| to the result of applying the verification -algorithm below, depending on whether the |pseudonym| value is empty. +algorithm below, depending the |featureOption| value.
      1. -If the |pseudonym| value is empty, initialize |verified| to the result of +If the |featureOption| equals `"baseline"`, Initialize |verified| to the result of applying the verification algorithm `ProofVerify(PK, proof, header, ph, disclosed_messages, disclosed_indexes)` of [[CFRG-BBS-SIGNATURE]] with `PK` set as the public key of the original issuer, `proof` set as `bbsProof`, `header` set as `bbsHeader`, `disclosed_messages` set as `disclosedMessages`, `ph` set as -`presentationHeader`, and `disclosed_indexes` set as `selectiveIndexes`. This -applies to the regular BBS proof case as well as "anonymous holder binding" -case. +`presentationHeader`, and `disclosed_indexes` set as `selectiveIndexes`. +
        2. +
      2. +If the |featureOption| equals `"anonymous_holder_binding"`, Initialize |verified| to the result of +applying the verification algorithm `ProofVerify` algorithm of +[[CFRG-Blind-BBS-Signature]]. To + be updated when IETF API is finalized. +
        3. +
      3. +If the |featureOption| equals `"pseudonym_issuer_pid"`, initialize |verified| +to the result of +applying the verification algorithm `PseudonymProofVerify()` of +[[CFRG-Pseudonym-BBS-Signature]]. To be updated when IETF +API is finalized.
      4. -If the |pseudonym| value is not empty, initialize |verified| to the result of -applying the verification algorithm `PseudonymProofVerify(PK, proof, header, ph, -disclosed_messages, disclosed_indexes, pseudonym)` of -[[CFRG-Pseudonym-BBS-Signature]], with `PK` set as the public key of the -original issuer, `proof` set as `bbsProof`, `header` set as `bbsHeader`, -`disclosed_messages` set as `disclosedMessages`, `ph` set as -`presentationHeader`, `disclosed_indexes` set as `selectiveIndexes`, and -`pseudonym`. This applies to the "pseudonym with issuer known pid" and -"pseudonym with hidden pid" cases. +If the |featureOption| equals `"pseudonym_hidden_pid"`, initialize |verified| +to the result of +applying the verification algorithm `PseudonymHiddenPidProofVerify()` of +[[CFRG-Pseudonym-BBS-Signature]]. To be updated when IETF +API is finalized.
      13. From 2139b582dc4ef232314fec4f2e38fc22cf33176a Mon Sep 17 00:00:00 2001 From: Greg Bernstein Date: Thu, 18 Apr 2024 09:34:34 -0700 Subject: [PATCH 13/15] Procedures update for optional features: wording, punctuation, grammar, and formatting improvements. Co-authored-by: Ted Thibodeau Jr --- index.html | 87 +++++++++++++++++++++++++++--------------------------- 1 file changed, 44 insertions(+), 43 deletions(-) diff --git a/index.html b/index.html index cc06e6c..ed8e7e1 100644 --- a/index.html +++ b/index.html @@ -592,14 +592,14 @@

      serializeBaseProofValue

      BBS signature, HMAC key, and mandatory pointers. The required inputs are a base signature |bbsSignature|, |bbsHeader|, |publicKey|, an HMAC key |hmacKey|, an array of -|mandatoryPointers|, |featureOption|,and depending on +|mandatoryPointers|, |featureOption|, and depending on the |featureOption| value the |pid|, and |signer_blind| values. A single base proof string value is produced as output.

      1. -Depending upon the value of the |featureOption| set up the |proofValue| as +Depending upon the value of the |featureOption|, set up the |proofValue| as follows.
      2. @@ -623,8 +623,8 @@

        serializeBaseProofValue

        header bytes `0xd9`, `0x5d`, and `0x04`.
      3. -Initialize |components| to an array with five elements containing the values of: -|bbsSignature|, |bbsHeader|, |publicKey|, |hmacKey|, |mandatoryPointers|, +Initialize |components| to an array with six elements containing the values of: +|bbsSignature|, |bbsHeader|, |publicKey|, |hmacKey|, |mandatoryPointers|, and |signerBlind|.
      @@ -637,8 +637,8 @@

      serializeBaseProofValue

      header bytes `0xd9`, `0x5d`, and `0x06`.
    13. -Initialize |components| to an array with five elements containing the values of: -|bbsSignature|, |bbsHeader|, |publicKey|, |hmacKey|, |mandatoryPointers|, +Initialize |components| to an array with six elements containing the values of: +|bbsSignature|, |bbsHeader|, |publicKey|, |hmacKey|, |mandatoryPointers|, and |pid|.
    @@ -651,8 +651,8 @@

    serializeBaseProofValue

    header bytes `0xd9`, `0x5d`, and `0x08`.
  • -Initialize |components| to an array with five elements containing the values of: -|bbsSignature|, |bbsHeader|, |publicKey|, |hmacKey|, |mandatoryPointers|, +Initialize |components| to an array with six elements containing the values of: +|bbsSignature|, |bbsHeader|, |publicKey|, |hmacKey|, |mandatoryPointers|, and |signerBlind|.
    • @@ -698,30 +698,30 @@

    parseBaseProofValue

  • Initialize |decodedProofValue| to the result of base64url-no-pad-decoding the -substring following the leading `u` in `proofValue`. +substring that follows the leading `u` in `proofValue`.
  • Check that the BBS base proof starts with an allowed header value and set the |featureOption| variable as follows:
    1. -If the |decodedProofValue| starts with the bytes `0xd9`, `0x5d`, and `0x02` set +If the |decodedProofValue| starts with the bytes `0xd9`, `0x5d`, and `0x02`, set |featureOption| to `"baseline"`.
    2. -If the |decodedProofValue| starts with the bytes `0xd9`, `0x5d`, and `0x04` set +If the |decodedProofValue| starts with the bytes `0xd9`, `0x5d`, and `0x04`, set |featureOption| to `"anonymous_holder_binding"`.
    3. -If the |decodedProofValue| starts with the bytes `0xd9`, `0x5d`, and `0x06` set +If the |decodedProofValue| starts with the bytes `0xd9`, `0x5d`, and `0x06`, set |featureOption| to `"pseudonym_issuer_pid"`.
    4. -If the |decodedProofValue| starts with the bytes `0xd9`, `0x5d`, and `0x08` set +If the |decodedProofValue| starts with the bytes `0xd9`, `0x5d`, and `0x08`, set |featureOption| to `"pseudonym_hidden_pid"`.
    5. -If the |decodedProofValue| starts with any other three byte sequence throw an +If the |decodedProofValue| starts with any other three byte sequence, throw an error.
    @@ -732,30 +732,30 @@

    parseBaseProofValue

    bytes that follow the three-byte BBS base proof header.
  • -Based on the value of |featureOption| return an object based on |components| +Based on the value of |featureOption|, return an object based on |components|, as follows:
    1. -If |featureOption| equals `"baseline"` set the property names for the object +If |featureOption| equals `"baseline"`, set the property names for the object based on |components| to "bbsSignature", "bbsHeader", "publicKey", "hmacKey", -"mandatoryPointers" in that order and add |featureOption| as a property. +and "mandatoryPointers", in that order, and add |featureOption| as a property.
    2. -If |featureOption| equals `"anonymous_holder_binding"` set the property names +If |featureOption| equals `"anonymous_holder_binding"`, set the property names for the object based on |components| to "bbsSignature", "bbsHeader", -"publicKey", "hmacKey", "mandatoryPointers", "signer_blind" in that order and +"publicKey", "hmacKey", "mandatoryPointers", and "signer_blind", in that order, and add |featureOption| as a property.
    3. -If |featureOption| equals `"pseudonym_issuer_pid"` set the property names +If |featureOption| equals `"pseudonym_issuer_pid"`, set the property names for the object based on |components| to "bbsSignature", "bbsHeader", -"publicKey", "hmacKey", "mandatoryPointers", "pid" in that order and +"publicKey", "hmacKey", "mandatoryPointers", and "pid", in that order, and add |featureOption| as a property.
    4. -If |featureOption| equals `"pseudonym_hidden_pid"` set the property names +If |featureOption| equals `"pseudonym_hidden_pid"`, set the property names for the object based on |components| to "bbsSignature", "bbsHeader", -"publicKey", "hmacKey", "mandatoryPointers", "signer_blind" in that order and +"publicKey", "hmacKey", "mandatoryPointers", and "signer_blind", in that order, and add |featureOption| as a property.
    @@ -815,7 +815,7 @@

    createDisclosureData

    |labelMapFactoryFunction|, |groupDefinitions|, and any custom JSON-LD API options. Note: This step transforms the document into an array of canonical -N-Quads whose order has been shuffled based on 'hmac' applied blank node +N-Quads whose order has been shuffled based on 'hmac'-applied blank node identifiers, and groups the N-Quad strings according to selections based on JSON pointers.
    • @@ -879,14 +879,14 @@

    createDisclosureData

    set `bbsProof` to the value computed by the `ProofGen` procedure from [[CFRG-Blind-BBS-Signature]], where |PK| is the original issuers public key, |signature| is the -|bbsSignature|, |header| is the |bbsHeader|, |ph| is the |presentationHeader|, +|bbsSignature|, |header| is the |bbsHeader|, |ph| is the |presentationHeader|, |messages| is |bbsMessages|, |disclosed_indexes| is |selectiveIndexes|, `commitment_with_proof`, and `signer_blind`. The holder will also furnish its |holder_secret|, and |proverBlind| that was used to compute the |commitment_with_proof|. This is the Anonymous Holder Binding feature option. -In addition to the |bbsProof| the Blind BBS `ProofGen` procedure will also -produce and updated (adjusted) list of indexes which should be used to update +In addition to the |bbsProof|, the Blind BBS `ProofGen` procedure will also +produce an updated (adjusted) list of indexes which should be used to update the |selectiveIndexes| variable in subsequent processing. To be updated when IETF API is finalized. @@ -897,7 +897,7 @@

    createDisclosureData

    and set |bsProof| to the value computed by the `ProofGen` procedure from [[CFRG-Pseudonym-BBS-Signature]], where |PK| is the original issuers public key, |signature| is the -|bbsSignature|, |header| is the |bbsHeader|, |ph| is the |presentationHeader| +|bbsSignature|, |header| is the |bbsHeader|, |ph| is the |presentationHeader| |messages| is |bbsMessages|, |disclosed_indexes| is |selectiveIndexes|, and |pseudonym| is the `pseudonym`. This is for the Pseudonyms with Issuer-known PID @@ -1207,7 +1207,7 @@

    createVerifyData

  • Initialize |bbsProof|, |labelMap|, |mandatoryIndexes|, |selectiveIndexes|, -|presentationHeader|, |featureOption|, and, possibly, |pseudonym| to the values +|presentationHeader|, |featureOption|, and, possibly, |pseudonym| to the values associated with their property names in the object returned when calling the algorithm in Section , passing |proofValue| from |proof|. @@ -1285,7 +1285,7 @@

    Create Base Proof (bbs-2023)

    any, is being used. It can take one of the following values `"baseline"`, `"anonymous_holder_binding"`, `"pseudonym_issuer_pid"`, or `"pseudonym_hidden_pid"`. Note that `"baseline"` is used to denote the case of -no optional features. In the cases where the |featureOption| is set to +no optional features. If |featureOption| is set to `"anonymous_holder_binding"` or `"pseudonym_hidden_pid"`, the |commitment_with_proof| input MUST be supplied.

    @@ -1312,7 +1312,7 @@

    Create Base Proof (bbs-2023)

  • Let |proofBytes| be the result of running the algorithm in Section [[[#base-proof-serialization-bbs-2023]]] with |hashData|, -|options|, |featureOption|, and if required |commitment_with_proof| passed as +|options|, |featureOption|, and, if required, |commitment_with_proof| passed as parameters.
  • @@ -1500,11 +1500,11 @@

    Base Proof Serialization (bbs-2023)

    Section 4: Algorithms. Required inputs are cryptographic hash data (|hashData|), -proof options (|options|), |featureOption|, and if required +proof options (|options|), |featureOption|, and, if required, |commitment_with_proof|. If |featureOption| is set to `"anonymous_holder_binding"` or `"pseudonym_hidden_pid"`, the -|commitment_with_proof| input MUST be supplied and otherwise an error should be +|commitment_with_proof| input MUST be supplied; if not supplied, an error SHOULD be returned. The proof options MUST contain a type identifier for the @@ -1602,22 +1602,22 @@

    Add Derived Proof (bbs-2023)

    value, represented as an object, is produced as output.

    -In the case where |featureOption| equals `"anonymous_holder_binding"` the +If |featureOption| equals `"anonymous_holder_binding"`, the REQUIRED additional inputs are |holderSecret| and |proverBlind|. These would have been precomputed by the holder. See Anonymous Holder Binding for background information.

    -In the case where |featureOption| equals `"pseudonym_issuer_pid"` the REQUIRED +If |featureOption| equals `"pseudonym_issuer_pid"`, the REQUIRED additional input is the |verifier_id| which is communicated to the holder by the verifier. See Pseudonyms with Issuer-known PID for background information.

    -In the case where |featureOption| equals `"pseudonym_hidden_pid"` the REQUIRED +If |featureOption| equals `"pseudonym_hidden_pid"`, the REQUIRED additional inputs are the |pid|, |proverBlind| (both known to -holder), |verifier_id| which is communicated to the holder by the verifier. See +holder), and |verifier_id| which is communicated to the holder by the verifier. See Pseudonyms with Hidden PID for background information.

    @@ -1705,7 +1705,7 @@

    Verify Derived Proof (bbs-2023)

    algorithm below, depending the |featureOption| value.
    1. -If the |featureOption| equals `"baseline"`, Initialize |verified| to the result of +If the |featureOption| equals `"baseline"`, initialize |verified| to the result of applying the verification algorithm `ProofVerify(PK, proof, header, ph, disclosed_messages, disclosed_indexes)` of [[CFRG-BBS-SIGNATURE]] with `PK` set as the public key of the original issuer, `proof` set as `bbsProof`, `header` @@ -1713,7 +1713,8 @@

      Verify Derived Proof (bbs-2023)

      `presentationHeader`, and `disclosed_indexes` set as `selectiveIndexes`.
    2. -If the |featureOption| equals `"anonymous_holder_binding"`, Initialize |verified| to the result of +If the |featureOption| equals `"anonymous_holder_binding"`, +initialize |verified| to the result of applying the verification algorithm `ProofVerify` algorithm of [[CFRG-Blind-BBS-Signature]]. To be updated when IETF API is finalized. @@ -1895,12 +1896,12 @@

      Pseudonyms with Hidden PID

      Optional Feature Summary

      -This section provides a summaries of the inputs, outputs, proof serialiation, +This section provides summaries of the inputs, outputs, proof serialiation, tasks, and procedures for "baseline" BBS proofs as well as those for the -optional features. By baseline BBS we mean BBS base and derived proofs +optional features. By baseline BBS, we mean BBS base and derived proofs without additional features. All the optional features are "additive" in the -sense that some additional input, task, or, output is generated in -addition to that of the "baseline" BBS signatures/proofs. +sense that some additional input, task, or output is generated +in addition to those of the "baseline" BBS signatures/proofs.

      From c41cd4ebeffc048d05a0476a42aba2237d528d65 Mon Sep 17 00:00:00 2001 From: Greg Bernstein Date: Mon, 22 Apr 2024 08:26:14 -0700 Subject: [PATCH 14/15] Procedures update for optional features: wording, punctuation, grammar, and formatting improvements. Co-authored-by: Ted Thibodeau Jr --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index ed8e7e1..a923301 100644 --- a/index.html +++ b/index.html @@ -785,7 +785,7 @@

      createDisclosureData

      1. Initialize |bbsSignature|, |bbsHeader|, |publicKey|, |hmacKey|, -|mandatoryPointers|, and the optional feature parameters |pid| and +|mandatoryPointers|, |pid|, and |signer_blind| to the values of the associated properties in the object returned when calling the algorithm in Section , passing the `proofValue` from `proof`. From bae66c2245f0238aecf09d41ccaef96f92a5a744 Mon Sep 17 00:00:00 2001 From: Manu Sporny Date: Sun, 28 Apr 2024 12:09:24 -0400 Subject: [PATCH 15/15] Fix punctuation around "pid" and "signer_blind". Co-authored-by: Ted Thibodeau Jr --- index.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/index.html b/index.html index a923301..6d447d1 100644 --- a/index.html +++ b/index.html @@ -682,8 +682,8 @@

        parseBaseProofValue

        six or seven elements, using the names "bbsSignature", "bbsHeader", "publicKey", "hmacKey", "mandatoryPointers", "featureOption", and possibly optional feature -parameters "pid" and -"signer_blind" is produced as output. +parameter "pid" or +"signer_blind", is produced as output.

      Table 1 Issuer Create Base: Inputs and such.