What does selective disclosure really mean: A deep-dive into the latest ETSI technical report
By Sebastian Elfors, Senior Architect at IDnow
In August 2023, the European Telecommunications Standards Institute (ETSI) published the technical report “ETSI TR 119 476: Analysis of selective disclosure and zero-knowledge proofs applied to Electronic Attestation of Attributes“, authored by Peter Lee Altmann (Information Technology Specialist at the Swedish Agency for Digital Government) and Sebastian Elfors, Senior Architect at IDnow. In this article, Sebastian provides some background and a condensed overview of the technical report.
The background is the following: The proposed eIDAS2 regulation, which was first published by the EU Commission in June 2021, states in recital 29 that “the European Digital Identity Wallet should technically enable the selective disclosure of attributes to relying parties”. Furthermore, the ARF (Architecture Reference Framework) v1.1.0 defines the term selective disclosure as “the capability of the EUDI Wallet that enables the User to present a subset of attributes provided by the PID and/or (Q)EAAs.”
As these legal definitions are not very exhaustive, ETSI took the initiative to create a technical report that should further investigate and clarify the term selective disclosure and related terms such as unlinkability, Zero-Knowledge Proofs (ZKPs), predicate proofs, range proofs, and so forth.
The ETSI technical report divides signature schemes for selective disclosure in the following categories:
- The first category is based on atomic credentials. This means essentially that short-lived credentials with single values are enrolled for upon request, which are combined into a verifiable presentation. Examples of such atomic credential schemes are FIDO-VC and 509 Attribute Certificates for authorization.
- The second category is called multi-message signature schemes, which can be used to present selected attributes together with proofs of the user’s possession of a complete credential with an original signature. Examples of such multi-message signature schemes are Boneh-Boyen-Shacham (BBS) signatures, Camenisch-Lysyanskaya (CL) signatures, Mercurial signatures, and Pointcheval-Sanders Multi-Signatures. The W3C Verifiable Credentials Data Model and W3C Verifiable Credential Data Integrity specifications allow for multi-message signature schemes, such as BBS and CL-Signatures.
- The third category is based on a signed collection of salted attribute hash values, where each attribute in a credential is salted and hashed and put in a signed file. The user can present selected attributes to a verifier, which can validate the clear-text attributes by salting and hashing them and comparing them to the collection of salted attribute hash values. Examples of credentials based on this technology are the ISO mobile Driving License (mDL) Mobile Security Object (MSO) and IETF SD-JWT.
- The fourth category is denoted proofs for arithmetic circuits, which are ZKP methods that can compute privacy preserving proofs for number ranges, transactions and statements. Examples of such schemes are Bulletproofs, zk-SNARK (Zero-Knowledge Succinct Non-interactive ARgument of Knowledge), and zk-STARK (Zero-Knowledge Succinct Transparent Arguments of Knowledge).
The technologies for selective disclosure and ZKP mentioned above have also been implemented in commercial products and open source solutions, such as Hyperledger AnonCreds, IBM Idemix, and Microsoft U-Prove. Furthermore, such ZKP solutions have been deployed at Government of British Columbia, the German blockchain project IDunion, the IATA Travel Pass, the EU-project ABC4Trust, and the Singapore government. So there is a movement towards real implementations and deployments of privacy preserving solutions.
Hence, the scope of the ETSI TR 119 476 technical report includes the analysis of what implications selective disclosure has on the PID (Person Identification Data) formats that are defined for the EUDI Wallet in the ARF.
For Type 1 configurations of the EUDI Wallet, ISO mDL and W3C Verifiable Credentials have been specified as PID formats in the ARF. In order to achieve selective disclosure for these credential types, ISO mDL MSO and IETF SD-JWT have been selected in the ARF. Both ISO mDL MSO and IETF SD-JWT are based on collections of salted attribute hash values, which can be signed with cryptographic algorithms that are approved by the SOG-IS Crypto Working Group and are also plausible quantum safe. These characteristics are important since the EU public sector requires SOG-IS approved cryptographic algorithms to be used for the PID in EUDI Wallet Type 1 configurations.
It should however also be observed that Type 2 configurations of the EUDI Wallet, which allow for a broader range of credentials and cryptographic algorithms, support the more innovative ZKP schemes such as BBS+, CL-Signatures, zk-SNARK, etc. These cryptographic schemes are however not SOG-IS approved, and can therefore not be used by the EU public sector, but there will still be room for experimental ZKP solutions in the Large Scale Pilots for the EU private sector.
The ETSI TR 119 476 technical report also includes an analysis of how W3C Verifiable Credentials with SD-JWT and ISO mDL with MSO can be deployed in practice for issuance by eIDAS2 compliant Qualified Trust Service Providers (QTSPs) and for use with the EUDI Wallet.
The ISO mDLs are issued with a PKI (Public Key Infrastructure) that is rather similar to the eIDAS2 QTSPs, so there are possibilities to use an eIDAS2 QTSP for issuing ISO mDLs. Similarly, the eIDAS2 Trust Lists may also be federated with the ISO mDL VICAL (Verified Issuer Certificate Authority List). In order to mitigate verifier linkability for the MSOs, it is recommended to issue batchwise of MSOs with different random salts.
The issuance of W3C Verifiable Credentials with SD-JWTs should essentially adhere to the same principles as for the ISO mDL. The ETSI technical report concludes, however, that there are interoperability issues with W3C Verifiable Credentials Data Model v1.1 and IETF SD-JWT, which need to be investigated further.
The ETSI TR 119 476 technical report is considered an important step towards the realization of selective disclosure features for the EUDI Wallet, and may be used as a reference for the ETSI technical standards on eIDAS2 QTSPs and the EUDI Wallet.
About the author
Sebastian Elfors is Senior Architect at IDnow.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.