Anonymous Credentials in the KILT Protocol
Data sovereignty and privacy have gained significant interest during recent years, yet we lack widespread usable solutions. Anonymous Credentials are a type of digital Credentials which entities can obtain from trusted Attesters (issuers) and show these Credentials to multiple Verifiers without necessarily revealing any identifiable information. So even if the Verifiers collude, they cannot pinpoint the identity of the Credential presenter. In this article we present Portablegabi, an attribute based revocable Anonymous Credential library that we developed as part of the grant we received from the Web3 Foundation.
KILT Protocol Enables Verifiable Digital Credentials for the Web 3.0
It is a common joke that on the internet nobody knows that you are a dog. We can solve this fundamental problem with a simple concept of Credentials where Claimers claim certain attributes, trusted entities attest these attributes, and Verifiers identify Claimers through cryptographic challenges (for a more detailed description of the process check out the explainer on our website). In essence, KILT is an open-source protocol for Credential systems where data take the shape of Credentials (certificates) that attest to certain attributes about an entity, e.g. “I am a fair-trade chocolate” or “I am a member of SuperFit gym”.
Credentials in KILT digitise the authentication and authorisation model of the real world, where one is entitled to do something because of something they have. The centuries-old concept of real-world offline Credentials (e.g. a passport) enables users to prove certain attributes about themselves. Beyond the implicit fact that the holder is in possession of them, these Credentials are often equipped with an expiration date to signal their validity over time. Furthermore, when a policeman checks a driver’s license at a road stop, he needs to query a central database to see if the Credential is still valid or has been revoked (flagged) for any reason. In the faster-moving digital world, where authorisations change at a higher velocity, we have an enormous need for such revocable Credentials in a digital form.
Revocable Credentials in KILT
In current Credential solutions the Attester runs the Credential status verification service. This means that when a Claimer presents her Credential for verification, the Verifier needs to ask the Attester who issued the Credential whether it is still valid. This reduces privacy for the Claimer, since the Attester can learn information about the transaction or service that the Claimer is participating in, and therefore who wants to verify the Claimer's Credential and where. Moreover, such a system introduces a single point of failure for the verification process: the Attester has to make sure that the revocation checking service is always up and running. Setting up such a high availability service can be technically demanding, and while big corporations have the resources to do so, small businesses and individuals who would like to monetise their trust in the decentralised Web 3.0 should have a simpler alternative.
Enter KILT: we move the centralised revocation lists and status checking service from the servers of the Attester to a distributed ledger, the KILT Blockchain. This leads to the main advantage: dissolving the central point of failure. Even if an Attester comes under a denial of service attack, the Verifier can still check the Credential status on the blockchain.
The process of the Credential flow is shown in the figure above. The Attester, upon receiving a claim, checks its validity and issues a Credential based on the claim. Also, the Attester creates a cryptographic checksum (hash) of this Credential and stores it on the KILT Blockchain together with a valid/invalid status flag. This Credential hash has the following main properties:
- The hash can be calculated from the Credential easily and deterministically.
- Two different Credentials will result in the same hash only with negligible probability.
- It is really hard to recreate the Credential from the hash.
So if I receive a Credential, I can easily calculate the hash and check its validity, and I can be sure that I am checking the right corresponding entry on the chain. Also, some random attacker reading the chain cannot invert a hash back into the Credential and learn, for instance, the personal data in there.
Note that the Attester will still need to run a database on her premises that maps some identifiable info of the Claimer to the hash, so that she can revoke the corresponding Credential if that is required. In the simplest case this database could be a simple Attester app with functionality similar to a password manager, where the app keeps the mapping: account (Claimer) and password (hash). The Attester can then simply revoke the Credential on the chain with the app.
What Makes KILT Credentials Anonymous and Why Do We Need Them Anyway?
If you look closely under the hood of the revocable Credentials described in the previous section, you might notice a slight problem with privacy. When a Claimer sends her Credential to multiple Verifiers, these Verifiers receive the same hash value corresponding to the Credential, so they could compare hash values among themselves and find out that they were dealing with the same Claimer. Moreover, one Verifier could track the behaviour of a user across different sessions through the same Credential hash value. It is well known that in the current advertisement models of most websites, participants rely on sharing customer data with each other, and most users either don’t know about this or simply agree to it because they have no alternative.
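The hash-on-ledger status check from the previous section and the linkability problem described above can be seen together in a few lines. This is an added sketch, not code from KILT or Portablegabi: the `Ledger` and `Verifier` classes, the SHA-256 choice, the JSON encoding and the sample Credential are all assumptions made for illustration.

```typescript
import { createHash } from "node:crypto";

type Credential = Record<string, string | number | boolean>;

// Canonical encoding (sorted keys) so equal attributes always give the same hash.
function credentialHash(cred: Credential): string {
  const canonical = JSON.stringify(Object.keys(cred).sort().map((k) => [k, cred[k]]));
  return createHash("sha256").update(canonical).digest("hex");
}

// Stand-in for the on-chain store: credential hash -> revoked flag.
class Ledger {
  private entries = new Map<string, boolean>();
  attest(hash: string): void { this.entries.set(hash, false); }
  revoke(hash: string): void { if (this.entries.has(hash)) this.entries.set(hash, true); }
  isValid(hash: string): boolean { return this.entries.get(hash) === false; } // unknown hash -> invalid
}

// A Verifier checks the status on the ledger and necessarily learns the hash.
class Verifier {
  seen: string[] = [];
  ledger: Ledger;
  constructor(ledger: Ledger) { this.ledger = ledger; }
  verify(cred: Credential): boolean {
    const h = credentialHash(cred);
    this.seen.push(h);
    return this.ledger.isValid(h);
  }
}

// Colluding Verifiers compare logs: any shared hash is the same Credential.
function linkedHashes(a: Verifier, b: Verifier): string[] {
  return a.seen.filter((h) => b.seen.includes(h));
}

function revocationDemo() {
  const ledger = new Ledger();
  // Constructed sample; the salt (an assumption) keeps guessable attributes from being brute-forced.
  const cred: Credential = { gym: "SuperFit", member: true, salt: "constructed-9c41e07b" };
  ledger.attest(credentialHash(cred));
  const v1 = new Verifier(ledger);
  const v2 = new Verifier(ledger);
  const validBefore = v1.verify(cred) && v2.verify(cred);
  const linked = linkedHashes(v1, v2).length; // both saw the identical hash
  ledger.revoke(credentialHash(cred));
  return { validBefore, validAfter: v2.verify(cred), linked };
}

console.log(revocationDemo());
```

The same value that makes the status lookup work is what lets the two Verifiers correlate their sessions, which is the gap the anonymous scheme is meant to close.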
These shortcomings are obviously problematic for developing a truly private credentialing system and cause particular problems for two specific use cases that are currently being implemented with the KILT Protocol: security token offerings with SWARM and blockchain-based public transportation tickets with unitb.
SWARM is building an open infrastructure for the emerging digital securities economy where users can invest in projects or take part in initial coin offerings. Since many of these projects are connected to public blockchains, in one way or the other, the behaviour of an investor could be easily tracked across systems. An investor, as a Claimer on the KILT Protocol, should not have to share his investing activity with multiple projects (Verifiers), yet could still prove to them that he is able to do investment related business in a certain country or jurisdiction.
unitb is developing a blockchain-based public transport ticket system with the KILT Protocol. Ideally, someone wanting to ride the train should be able to purchase a ticket and have it verified at the station where they get on, or on the way, without letting the authorities know exactly the path they took in the transportation system. Such a system would mitigate the risk of authorities collecting data on travelers’ usual public transportation habits, destinations or traveling times.
Introducing Portablegabi, the Anonymous Credential Suite in KILT
At KILT Protocol, we wanted to ensure that the identity of a Claimer could remain completely anonymous, so we implemented an open-source solution called Portablegabi based on the Gabi library. The Portablegabi library provides an easy-to-use TypeScript API for signing, verifying and revoking Credentials. We created Portablegabi in a modular way so that the whole Polkadot ecosystem can easily use it, and of course we also integrated it into our own KILT SDK.
As we have seen in the previous sections, using the KILT Protocol a Claimer, who possesses an attested Credential, can prove to a third party (Verifier), that specific properties are present inside her Credential, which was signed and attested by a trusted Attester. The important benefits of Portablegabi are selective disclosure and unlinkability: the Claimer can choose which attributes of her Credential to show, to hide all other attributes and even to stay anonymous during the verification.
Selective disclosure enables the Claimer to only present a subset of the information contained inside her attested Credential. In the KILT Protocol, Credential types (CTYPEs) are specific schemas which define what type of attributes shall be included in a Credential. With the Portablegabi library, we can put any type of attributes into a Credential and the Attesters can use this library to make proofs over the attributes as a form of an attestation.
The unlinkability feature, on the other hand, prevents the Verifier from linking two verification sessions of the same Claimer to a single identity, and hence the Verifier learns nothing about the user besides the intentionally shared properties necessary for the respective verification process. In practice, this means that the Claimer can interact with the same Verifier multiple times without the Verifier being able to tell whether he talked to the same Claimer. Only if the Claimer chooses to reveal attributes that uniquely identify him will the Verifier be able to link multiple sessions together.
Normally, in the digital world showing is also copying. In order to prevent copying, Portablegabi implements the concept of transaction specific Credential presentations. The Credential presentation links to the intended transaction and the protocol. This way, the presented Credential cannot be reused in a malicious manner as it would prove to be invalid for other transactions and purposes.
The Portablegabi Credential suite also provides a scheme to support revocation of attestations using a distributed ledger without compromising the Claimer’s anonymity. Each attestation contains a non-revocation witness which proves that the attestation is not revoked. Every witness is by default contained inside a mathematical accumulator which is written on a Substrate based blockchain, e.g. the KILT Blockchain. If the Attester wishes to revoke an attestation he removes the witness from the accumulator and updates the blockchain with the new accumulator.
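The accumulator-and-witness idea can be shown with a toy RSA accumulator. This is an added sketch, not Portablegabi's construction, API or parameters: the modulus, base, per-attestation primes and function names are assumptions, and the prime is shown to the Verifier here, whereas an anonymous scheme proves the same relation without revealing it.

```typescript
// Toy parameters (constructed): N = 2039 * 2063, both safe primes.
// Real deployments use moduli of 2048 bits or more.
const N = 4206457n;
const G = 4n; // quadratic residue used as the accumulator base

// Square-and-multiply modular exponentiation.
function modPow(base: bigint, exp: bigint, mod: bigint): bigint {
  let result = 1n, b = base % mod, e = exp;
  while (e > 0n) {
    if ((e & 1n) === 1n) result = (result * b) % mod;
    b = (b * b) % mod;
    e >>= 1n;
  }
  return result;
}

// Accumulator over a set of per-attestation primes: G^(product of primes) mod N.
function accumulate(primes: bigint[]): bigint {
  return primes.reduce((acc, p) => modPow(acc, p, N), G);
}

// Non-revocation witness for `prime`: the accumulator over every other member.
function witnessFor(prime: bigint, members: bigint[]): bigint {
  return accumulate(members.filter((p) => p !== prime));
}

// Verifier check: witness^prime must equal the accumulator read from the ledger.
function notRevoked(prime: bigint, witness: bigint, onChainAcc: bigint): boolean {
  return modPow(witness, prime, N) === onChainAcc;
}

function accumulatorDemo() {
  let members = [101n, 103n, 107n]; // one constructed prime per issued attestation
  let onChain = accumulate(members);
  const wA = witnessFor(101n, members);
  const wB = witnessFor(103n, members);
  const before = notRevoked(101n, wA, onChain) && notRevoked(103n, wB, onChain);

  // The Attester revokes attestation 103 and publishes the new accumulator.
  members = members.filter((p) => p !== 103n);
  onChain = accumulate(members);

  return {
    before,
    revokedAfter: notRevoked(103n, wB, onChain),
    staleWitness: notRevoked(101n, wA, onChain),
    updatedWitness: notRevoked(101n, witnessFor(101n, members), onChain),
  };
}

console.log(accumulatorDemo());
```

Note the `staleWitness` result: after any revocation, the remaining holders must refresh their witnesses against the new accumulator before their next presentation will verify.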
In this article we showcased the high-level concepts and features of Anonymous Credentials provided by the Portablegabi library. If you would like to understand the technical details of our Anonymous Credential suite, simply delve into the deep waters and walk through our tutorial that explains how Attesters can issue Credentials using an on-chain accumulator, and how the revocation and the verification works.