Selective disclosure and zero-knowledge proofs: Examining the latest revision of ETSI TR 119 476

By Sebastian Elfors, Senior Architect at IDnow

In July 2024, the European Telecommunications Standards Institute (ETSI) published an updated revision of the technical report “ETSI TR 119 476: Analysis of selective disclosure and zero-knowledge proofs applied to Electronic Attestation of Attributes v1.2.1“, authored by Sebastian Elfors (IDnow), Peter Lee Altmann (Swedish Agency for Digital Government), and Johannes Sedlmeir (University of Luxembourg). In this article, Sebastian Elfors, Senior Architect at IDnow, provides an update of the news in the latest revision of the technical report.

Since the first version of ETSI TR 119 476 was published in August 2023, the editors received a lot of feedback from the Self-Sovereign Identity (SSI) community, standardization experts and researchers at universities. Most of the feedback was related to the latest research and standardization of Zero-Knowledge Proof (ZKP) protocols, which have the potential to increase the privacy for the European Union Digital Identity (EUDI) Wallets. Below is a summary of the ZKP protocols and standards that have been added to ETSI TR 119 476.

BBS+ is a fundamental multi-message signature scheme that provides several sophisticated privacy preserving features that are of great interest for the EUDI Wallet. In order for BBS+ to be considered for eIDAS2 and the EU public sector, however, it would have to be standardized by CEN, ETSI or ISO as declared in the EU regulation 1025/2012. One step in this direction is the existing standard ISO/IEC 20008-2 “Anonymous digital signatures”, which specifies the cryptographic primitives of a qSDH scheme that corresponds to BBS04 with single messages. The standardization of multi-message signature schemes will be extended with the ISO/IEC PWI 24843 proposal “Privacy-preserving attribute-based credentials”, which has the intention to standardize BBS+ and PS-MS. Furthermore, ISO/IEC are working on the common draft ISO/IEC CD 27565 “Guidelines on privacy preservation based on zero knowledge proofs”, which includes an example of selective disclosure by using BBS+ with a reference to the IETF CFRG BBS draft specification. These ISO/IEC initiatives have the potential to result in an ISO standardized version of BBS+ as well as other multi-message signature schemes capable of both selective disclosure and full unlinkability.

Another interesting track is the research that is carried out with programmable ZKPs (zk-SNARKs) in conjunction with existing digital identity frameworks such as PKIX X.509 certificates and ICAO Digital Travel Credentials (DTCs). The research projects Cinderella and zk-Creds have implemented prototypes where zk-SNARKs are used in a mobile device to generate pseudo-certificates that share selected attributes from existing digital credentials and derived revocation information. There are, however, two issues with these projects: one is the slow performance during setup of the zk-SNARKs and the second is the lack of standardization of zk-SNARKs. Nevertheless, the research is promising, and has the potential to combine innovative ZKP schemes with existing digital frameworks such as X.509.

Regarding the category of salted attribute hashes, the ETSI report has been updated with Authentic Chained Data Containers (ACDC) and Gordian Envelopes. These technologies are based on Directed Acyclic Graphs (DAGs). A user may disclose various parts of such a directed acyclic graph, e.g. a vertex identifier, without disclosing any attribute values contained in the vertex. Furthermore, there is a description about the Singapore Smart Nation’s project OpenAttestation, which provides document integrity based on a target hash of salted attribute hashes.

The chapter about Attribute Based Credentials (ABC) has also been updated with references to the ISO/IEC 18370 standard on blind digital signatures and the latest research on Keyed-Verification Anonymous Credentials (KVAC). A new algebraic MAC_BBS+ scheme based on a pairing-free variant of BBS is also described in the research paper about KVAC. This KVAC system is suitable for resource constrained environments, and MAC_BBS+ has been implemented as a prototype on standard SIM cards.

In addition to all this, there is a new chapter about privacy aspects of revocation and validity checks. Suitable techniques for such privacy preserving revocation schemes are cryptographic accumulators, OCSP in Must-Staple mode, W3C Status List bit vectors, Private Set Intersection, Private Information Retrieval, and zk-SNARKs for revocation checks on derived pseudo-certificates.

Furthermore, the ETSI technical report discusses the aspects of post-quantum safe cryptography applied on ZKP schemes. BBS+ multi-message signatures and disclosures that are generated in a pre-quantum world will remain confidential in a post-quantum world. Put differently, a computationally unbounded attacker will be able to reveal neither undisclosed messages nor the hidden signature value. In a post-quantum world, however, BBS+ cannot maintain data integrity and authenticity. An attacker with a quantum computer can reveal the signer’s private key from the public key and forge new signatures and proofs.

Finally, there is an analysis of how quantum physics can be applied to classic ZKP schemes, such as the graph 3-colouring problem and Schnorr’s algorithm. The quantum ZKP schemes are still being researched at an academic level and are not yet standardized nor efficiently implemented. It is, however, worthwhile to monitor the research and development of ZKP schemes based on quantum mechanics.

Hence, the revised version of ETSI TR 119 476 v1.2.1 provides a comprehensive overview of the research, standardization and implementation of ZKP schemes, which may be considered for future specifications of the EUDI Wallet.

About the author

Sebastian Elfors is Senior Architect at IDnow.

DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.

Article Topics

digital wallets  |  ETSI  |  ETSI TR 119 476  |  EU Digital Identity Wallet  |  IDnow  |  ISO standards  |  self-sovereign identity  |  zero knowledge