Right. Pleased to meet you everybody. So I'm going to talk about eIDAS 2 and selective disclosure and zero-knowledge proofs being used for the EUDI Wallet. So first of all, a little bit of an introduction to selective disclosure and zero-knowledge proofs on a pretty high level. So first of all, if we have a QEAA, and that means qualified electronic attested attribute, it contains a lot of attributes: name, date of birth, address, student information and so forth. Selectively disclosing attributes means basically that you just select the attributes you want to share.
So for example, if you are going to a bar, you can present that you're just above 21 years, or if you're going to a car parking, then you can prove that you're a citizen of CDB, or if you go to a library, then you might prove that you are a student at the university.
Unlinkability means essentially that on the verifier side they should not be able to cooperate or collude in order to get more information about the information that they get. So to take an example, the bar that knows that the user is above 21 should not be able to cooperate with the car parking, which knows that the user is a citizen of CDB.
On the issuer side, there's also issuer unlinkability, meaning that the issuers should not be able to cooperate in any way in order to get more information about the user. And then we have defined the term full unlinkability, meaning that it's verifier unlinkability plus issuer unlinkability. There are even more stakeholders you can think about, like third parties such as internet providers, telcos and so forth. But we include them in the concept of full unlinkability. Zero-knowledge proofs, predicates.
The previous speakers have talked about it so I don't need to repeat the entire concept.
But in a nutshell, a zero-knowledge proof predicate means that you can make a statement about an attribute without revealing the attribute itself. So the classic example is of course that you have your birth date but you just reveal that you are above 18 and nothing else.
I used another example here, a statement, Boolean true, that you're a citizen of CDB. Range proofs, I would say, are a sub-case of predicate proofs, and the classic example as always is age above 21 in this case. Then some legal definitions in eIDAS 2. So in recital 59 it is stated that selective disclosure is a concept empowering the owner of data to disclose only certain parts of a larger set of data; that's really what we just presented here. Unlinkability is defined in Article 5a(16)(b) and it's defined in the way that I presented.
And recital 14 is quite interesting because there they talk about zero-knowledge proofs and they encourage the member states to implement zero-knowledge proofs without having the legal requirement for it. So that sort of opens up the doors for member states to be innovative, creative, implement for example Sovrin networks with Hyperledger, AnonCreds and so forth. So by the way, there is an interesting typo actually in Article 5a(16)(b); it actually says "unlikeability" in the eIDAS regulation, but I fixed this for this presentation to avoid any confusion.
Alright, so these terms are pretty high level. They also occur in the ARF and I will get back to that. Nevertheless, these terms are very high level in the eIDAS 2 regulation and the ARF.
So ETSI, which is the telecommunication standardization institute in Europe, took the initiative to write a report called ETSI TR 119 476. It came out in August 2023. I was one of the editors. I wrote it together with Peter Altman from the Swedish Digitalization Agency, and later on Johannes Meyer from University of Luxembourg joined us, and it describes selective disclosure and zero-knowledge proofs in quite some depth. And we also made an analysis for eIDAS 2 and the EUDI Wallet: how can this be applied according to the regulation?
And the new revision is scheduled now for June this year and we got a lot of feedback on the previous version.
I think we ended up with like 100 pages of feedback that we had to walk through and now a new version is finally coming out.
Alright, a little bit more details about selective disclosure and zero-knowledge proof schemes. And now we're looking more into the cryptographic side of things. So we have divided them in four categories. The first category are so-called atomic schemes. And the idea here is that you issue a single-valued QEAA, very often issued on demand. So if a user wants to present for example a parking ticket, which is the use case here, they can authenticate to or identify themselves to different authorities.
For example, a transport authority can issue an attribute with a car registration; a civil registry, the address; a payment provider, proof of payment. And this can then be combined into a verifiable presentation, which in this case is a parking ticket which is sent off to the car parking.
Signatures: they can be plausible quantum safe because you can sign with any algorithm here; you can select Dilithium for example if you so wish. Predicates: they are not supported by design here, but they can be supported, within quotes, if you insert Boolean statements in the attributes. Full unlinkability is not supported either, definitely not on the issuer side.
Salted attribute hashes is another approach which is quite commonly used. And what it basically means is that you have an index list with hashes of salted attributes, and that is signed by the issuer. So basically if you have the four attributes, name, date of birth, address, student, you generate four random salts, you concatenate the attribute with a salt and then you hash it, and then you put this list into an object that the issuer is signing.
And if you are going to present this, let me see if I can do that, then you're just presenting elements one and four, but you present the entire index list, and the verifier just needs to check one and four.
And if you rotate the salts and also the signing keys, even every time, then you achieve verifier unlinkability, which comes with a cost of course, but that's one way to do it. Predicates are not supported by design. But here again you can insert a Boolean statement like age above 18 equals true.
Alright, multi-message signature schemes. They are basically to generate a proof over a subset of an original signed message. What it means basically is that you have a signed credential in the first place and then you can pick out certain values and generate a proof of it with your proof key that the verifier can verify. These schemes are a lot more advanced than the two previous ones that I showed, and the most famous ones are the Boneh-Boyen-Shacham (BBS) signature schemes, which are based on bilinear pairings and ECC. And then you have Camenisch-Lysyanskaya (CL) signatures.
On top of that there are two more signature formats that have been created over the years: mercurial signatures and PS-MS signatures. The good thing with these schemes is of course that they cater for full unlinkability and predicates, which is great. The bad news is however that they are not plausible quantum safe in a post-quantum world, since they're based on bilinear pairings. The credentials can be broken in a post-quantum world, but it could be worthwhile mentioning that if you generate the signatures and predicate proofs in a pre-quantum world, they will remain safe in a post-quantum world.
The fourth category is proofs for arithmetic circuits, and we have defined this as zero-knowledge proofs for proving correctness of short transactions. They're also known as programmable ZKPs and they of course support predicates by design. zk-SNARK is a family currently of aiding protocols and it's growing, and they can be deployed either in trusted or non-trusted setups. Some of the zk-SNARKs are plausible quantum safe, particularly the ones that are based on hash chains, while others are not. zk-STARK is a subcategory of zk-SNARKs.
They are plausible quantum safe because they're designed based on hashes. Bulletproofs is another subcategory of zk-SNARK, which are however not plausible quantum safe. Alright, then we have a couple of solutions and credential formats. So first of all we have the atomic ones, and virtually any attribute can be atomic. You just issue with one attribute; it can be X.509 certificates or ICAO passports or W3C VCs, doesn't really matter.
And there are two solutions that have been deployed.
One is called a VC-FIDO solution that was invented by David Chadwick at the Kent University, and he's using FIDO with WebAuthn in order to retrieve the atomic credentials from the issuers, which very much correlates to the previous slide on atomic credentials. And they also deployed this as a pilot with DHS in the UK. The other one is PKIX X.509 attribute certificates, which is more of a classic solution, has been around for almost 20 years, meaning that you have a public key certificate first that's being issued and used for authentication, maybe TLS mutual authentication.
And then you get the attribute certificates, which could be single valued, that the relying party receives either through push or pull.
Alright, the format with salted attribute hashes. And this is actually the category that has the most traction right now, at least in eIDAS 2. So we have IETF SD-JWT; you have heard about it probably, it was in the keynotes, and it's basically a hash of values with salted attribute hashes, and that can be used with the SD-JWT VC format.
However it's not a hundred percent compatible with W3C VC data model 1.1 and therefore IETF has moved along and created a VC format. ISO mDL MSO, part of the ISO mDL standard. And the MSO is the mobile security object that contains, again, hash values with salts that are hashed and put in a signed container. There's another format, or project rather, called OpenAttestation, which has been deployed in Singapore Smart Nation. It's based on integrity, based on hash of salted attribute hashes, and a little bit more advanced concepts are hash chains and HashWires and directed acyclic graphs, so-called ACDC formats and Gordian envelopes.
Multi-message signature solutions. First of all we have the W3C verifiable credentials, and there is a section in the VC specification that specifies how to use CL signatures. There's another specification called the W3C VC Data Integrity, and here they are using BBS+ as an example, applied on verifiable presentations. And there's actually a new protocol coming out from W3C called JWP, which is a format that's also very applicable for BBS+.
And as Steven Kern just mentioned, we have Hyperledger Aries based on CL signatures deployed in government, British Columbia, and also here, IDunion here in Germany. And there's also direct anonymous attestations, which are currently used in several trusted platform modules, TPMs. Then we have a category of anonymous attribute credentials and they're abbreviated as ABC systems. The most famous ones are Idemix and U-Prove. They have been around since around 2000, were invented by David Brands from that time. Idemix is an IBM product and U-Prove is a Microsoft product.
There's also an ISO standard for it called 18370 on blind digital signatures and a new standard coming out for keyed-verification anonymous credentials, mainly specified by Orange.
This is quite interesting. There are two new concepts or research projects at universities, Cinderella and zk-creds, and they have combined zk-SNARKs with existing solutions. So Cinderella, they base their solution on X.509 certificates, while zk-creds do the same, but with ICAO passports.
Without going through the entire flow, you have the, oops, sorry, here you have the key pair, and the credential could be X.509. And here you make a zk-SNARK request, select the credentials, generate the proof and return the public outputs. So finally, selective disclosure for eIDAS 2. And this sort of summarizes the whole presentation. So as you may know, ISO mDL MSO and SD-JWT, they're both specified in the ARF for selective disclosure of the PID.
So, and the rationale behind that is that they can be signed with SOG-IS approved or ETSI approved cryptographic algorithms or even post-quantum safe algorithms.
So they are very solid formats, if you will.
However, as I mentioned, you need to issue batch-wise MSOs with unique salts or even unique keys in order to get verifier unlinkability. Still you don't get proper issuer unlinkability, but this is as good as it gets, sort of. Then there are of course these more innovative schemes. BBS+ is actually getting some traction. First and foremost, it's now getting pushed through IETF CFRG. I spoke to Tobias Looker the other day and he's the editor of that work, which is progressing pretty well.
And there's also an ISO initiative called PWI 24843, where they will take the IETF BBS+ standard and make an ISO standard of it. And if that happens, then we have all of a sudden an ISO standard, which can be officially referenced by the ARF and ETSI, which can maybe in eIDAS 3 or something open up for BBS+ being used for selective disclosure. And finally, zk-SNARKs: they are not approved by SOG-IS, ETSI or a I, but a future possibility here could of course be in the EUDI Wallet use G piler.
So in order to implement a zk-SNARK protocol that can, for example, parse data or even revocation data from X.509 certificates and ICAO passports. And that's it.
Thank you Sebastian.