Selective Content Generation

Summary

Generates a customised credential according to the holder’s specific requirement for credential attributes/contents.

Context

A verifier requires certain information to prove a credential holder’s identity. Thus, the credential holder only needs to share a credential containing the necessary data with the verifier. For example, to show that a student has successfully completed a prerequisite module in order to register for another module, there is no reason to show the entire transcript; it is enough to show the grade received (or to show that the grade satisfies the minimum expected grade) for the required module(s).

Problem

If a credential issuer publishes general credentials to holders, a verifier can learn all the data included in a credential even though it needs only a subset of the attributes to perform its task. For instance, if a person shows his/her driving license to prove his/her age when entering a hospitality venue, it inadvertently reveals his/her address. How can only the essential data be presented to a credential verifier?

Forces:

  • Privacy – The disclosed credential should contain the minimum amount of data necessary to establish certain aspects of its holder.
  • Specific requirements – Each verifier may have specific requirements for inspecting a holder’s identity facts.

Solution

Rather than issuing a single credential including all attributes of a credential holder, we could issue different credentials including different subsets of attributes. Selective content generation allows credential issuers to decide what identity attributes are contained in a credential. An issued credential needs to satisfy the target verifier’s specific requirements of the holder’s identity, without revealing extra data.

Selective content generation pattern


A credential with selective content disclosure can be generated via the following approaches:

  • Atomic credentials – An issuer generates multiple credentials where each one contains exactly one identity attribute about the holder. Consequently, the holder can flexibly disclose one or more of those credentials to a verifier.
  • Selective disclosure signatures – A general credential is issued to a holder, but special signature schemes such as Camenisch-Lysyanskaya signatures allow the holder to reveal only the necessary information.
  • Hashed values – A general credential consists of multiple identity attributes, but each one is hashed with a different nonce. When verifying a credential, a verifier can only validate those with the nonces provided by the holder.
  • Zero-knowledge proof – When proving certain identity attributes, a holder can protect its information by giving a range instead of a precise value (e.g., age is over 18).
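
The hashed-values approach above, sketched as an added example that is not part of the original pattern description. All function names and the sample attributes are hypothetical, and an HMAC stands in for the issuer's public-key signature so the code runs with the standard library only.

```python
import hashlib, hmac, json, secrets

# Assumption: stand-in for the issuer's signing key. A real issuer would use
# a public-key signature so verifiers never hold signing material.
ISSUER_KEY = secrets.token_bytes(32)

def _digest(name, value, nonce):
    # A JSON array keeps the nonce/name/value boundaries unambiguous.
    return hashlib.sha256(json.dumps([nonce, name, value]).encode()).hexdigest()

def _sign(digests):
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()

def issue(attributes):
    """Issuer: hash every attribute with its own nonce, then sign the digests."""
    nonces = {name: secrets.token_hex(16) for name in attributes}
    # Sorting hides which digest position belongs to which attribute.
    digests = sorted(_digest(n, v, nonces[n]) for n, v in attributes.items())
    return {"digests": digests, "signature": _sign(digests)}, nonces

def present(credential, attributes, nonces, reveal):
    """Holder: hand over the credential plus nonces for the chosen attributes only."""
    disclosures = [[n, attributes[n], nonces[n]] for n in reveal]
    return {"credential": credential, "disclosures": disclosures}

def verify(presentation):
    """Verifier: return the disclosed attributes, or None if any check fails."""
    cred = presentation["credential"]
    if not hmac.compare_digest(_sign(cred["digests"]), cred["signature"]):
        return None  # digest list was not produced by the issuer
    verified = {}
    for name, value, nonce in presentation["disclosures"]:
        if _digest(name, value, nonce) not in cred["digests"]:
            return None  # disclosed value does not match any signed digest
        verified[name] = value
    return verified

# Constructed sample data, following the transcript scenario in the Context section.
TRANSCRIPT = {"name": "A. Student", "address": "1 Example Street",
              "module_COMP101": "B", "module_COMP202": "A"}

if __name__ == "__main__":
    cred, nonces = issue(TRANSCRIPT)
    shown = present(cred, TRANSCRIPT, nonces, ["module_COMP101"])
    print(verify(shown))
```

Without a nonce, an undisclosed attribute with few possible values (a grade, a birth year) could be recovered by hashing every candidate and comparing against the signed digests; the per-attribute nonce is what prevents that.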

Benefits

  • Privacy – A credential with selective content can disclose the identity data which satisfies the verifier’s individual requests while keeping other identity data private.

Drawbacks

  • Cost – Determining the identity data within a credential requires additional communication between holders and verifiers for learning the verification requirements, and between holders and issuers for discussing the credential content. Moreover, maintaining multiple credentials with different contents can incur extra costs.

Related patterns

  • Time-constrained access pattern and selective content generation can work collaboratively to generate credentials with fine-grained specifications.
  • The one-off access pattern and selective content generation can also work collaboratively to generate credentials with fine-grained specifications.
  • Off-chain credential contents can be hashed using the blockchain anchor pattern and stored on-chain to preserve integrity.

Known uses

  • uPort encrypts user identity attributes using a symmetric encryption key before disclosure. The symmetric encryption key is then individually encrypted using a public encryption key owned by the other interacting party.
  • A cryptographic technique known as a zero-knowledge proof is utilised in Sovrin. A verifier can check the authentication of identity through the public key of the issuer, but never learns the actual data.