On Cryptographic Mechanisms for the Selective Disclosure of Verifiable Credentials

TL;DR

The paper tackles privacy-preserving selective disclosure of verifiable credentials in digital identity ecosystems, motivated by eIDAS 2 and GDPR considerations. It surveys six mechanisms based on hiding commitments and non-interactive zero-knowledge proofs, including two novel approaches (BBS and PS), and formalizes VC/VP structures and issuing/presentation workflows. The authors analyze standard maturity, cryptographic agility, and quantum safety while evaluating features like presentation unlinkability, predicate proofs, and threshold issuance; they also provide an experimental evaluation across multiple Rust-based implementations and hardware platforms. The results reveal that hash-based hiding commitments (cmtList, merTree) offer high performance and agility with quantum-safe options, while SDSig approaches (CL, BBS/BBS+, PS) provide compact proofs and predicate capabilities at higher computational cost; the work also discusses trade-offs and guidance for practical instantiation in privacy-preserving credential systems.

Abstract

Verifiable credentials are a digital analogue of physical credentials. Their authenticity and integrity are protected by means of cryptographic techniques, and they can be presented to verifiers to reveal attributes or even predicates about the attributes included in the credential. One way to preserve privacy during presentation consists in selectively disclosing the attributes in a credential. In this paper we present the most widespread cryptographic mechanisms used to enable selective disclosure of attributes identifying two categories: the ones based on hiding commitments - e.g., mdl ISO/IEC 18013-5 - and the ones based on non-interactive zero-knowledge proofs - e.g., BBS signatures. We also include a description of the cryptographic primitives used to design such cryptographic mechanisms. We describe the design of the cryptographic mechanisms and compare them by performing an analysis on their standard maturity in terms of standardization, cryptographic agility and quantum safety, then we compare the features that they support with main focus on the unlinkability of presentations, the ability to create predicate proofs and support for threshold credential issuance. Finally we perform an experimental evaluation based on the Rust open source implementations that we have considered most relevant. In particular we evaluate the size of credentials and presentations built using different cryptographic mechanisms and the time needed to generate and verify them. We also highlight some trade-offs that must be considered in the instantiation of the cryptographic mechanisms.

Figures (5)

• Figure 1: Merkle tree constructed over 4 leaves. Disclosing $a_3||s_3$, their inclusion proof in $R$ is $[3,d_4,d_5]$.
• Figure 2: Scatter plot of Issuing and Presentation performance test results on Ryzen 7 5800X for all algorithms. Lower values are better (shorter run time), to the bottom left. Points are median values over all possible disclosed number of attributes in the range $n_D\in\{1,n_A\}$ with $n_A = [4,8,16,33]$. Darker colors correspond to higher $n_A$. merTree algorithms are faster in both generation ($x$ axis) and verification ($y$ axis) of signatures and presentations. Quantum-Safe algorithms are very competitive with EdDSA, except SPHINCS+.
• Figure 3: VP proof size - Eq. (\ref{['eq:proof_size_cmtList']}) to (\ref{['eq:proof_size_PS']}) - vs. public key size - Eq. (\ref{['eq:pk_CL']}), (\ref{['eq:pk_BBS']}), (\ref{['eq:pk_BBS+']}), (\ref{['eq:pk_PS']}) for SDSig. Both are required by the Verifier, but the public key may be cached over several presentations, and the Holder-Verifier channel is more likely to have bandwidth constraints than the Issuer-Verifier channel in a digital wallet scenario, so a smaller proof size is more significant than a smaller public key size. Lighter hues are more disclosed attributes (higher $n_D$). SDSig have smaller holder proofs for higher $n_D$ as fewer ZKP need to be generated for undisclosed attributes; cmtList mechanisms follow the opposite trend, as more salts need to be disclosed. Common values used for comparison, in bytes: salt size ${s=16}$; digest size ${d=32}$; number of attributes ${n_A = 33}$.
• Figure 4: Sigma protocol for linear relations. The Simulator used to prove the zero-knowledge property is defined as follows: it generates uniformly at random $s_1,\dots,s_n,c\in\mathbb{Z}_p$ and sets $T=y^{-c}\prod_{i=1}^n g_i^{s_i}$. The transcript $(T,c,s_1,\dots,s_n)$ is indistinguishable from a real transcript since $c$ is random and $T$ is random as well since it is univocally determined by $s_1,\dots,s_n$ which are chosen uniformly at random. The transcripts verify and have been created without knowing $w_1,\dots,w_n$.
• Figure 5: NIZKP for linear relations. The term $\mathtt{pp}$ is given by the public parameters such as $g_1,\dots,g_n,y$. It would be possible for the prover to create a NIZK proof by sending $(c,r_1,\dots,r_n)$. In this case the verifier must compute $T\xleftarrow{}\prod_{i=1}^n g_i^{r_i}y^{-c}$ and check that $c\stackrel{?}{=}\mathcal{H}(\mathtt{pp},T)$.