index.html

<!DOCTYPE html>
<html>
  <head>
    <title>Data Integrity BBS Cryptosuites v1.0</title>
    <meta http-equiv='Content-Type' content='text/html;charset=utf-8'/>
    <!--
      === NOTA BENE ===
      For the three scripts below, if your spec resides on dev.w3 you can check them
      out in the same tree and use relative links so that they'll work offline,
     -->
    <script src='https://www.w3.org/Tools/respec/respec-w3c' class='remove'></script>
    <script class='remove' src="https://w3c.github.io/vc-data-integrity/common.js"></script>

    <script type="text/javascript" class="remove">
      const respecConfig = {
        // specification status (e.g. WD, LCWD, NOTE, etc.). If in doubt use ED.
        specStatus: "CR",

        // the specification's short name, as in http://www.w3.org/TR/short-name/
        shortName: "vc-di-bbs",
        subtitle: "Achieving Unlinkable Data Integrity with Pairing-based Cryptography",
        group: "vc",
        // latestVersion: "https://www.w3.org/community/reports/credentials/CG-FINAL-vc-di-bbs-20230405/",

        // if you wish the publication date to be other than today, set this
        publishDate:  "2024-04-04",

        // if there is a previously published draft, uncomment this and set its YYYY-MM-DD date
        // and its maturity status
        // previousPublishDate:  "1977-03-15",
        // previousMaturity:  "WD",

        // if there a publicly available Editor's Draft, this is the link
        edDraftURI:           "https://w3c.github.io/vc-di-bbs/",

        // if this is a LCWD, uncomment and set the end of its review period
        implementationReportURI: "https://w3c.github.io/vc-data-integrity/implementations/",
        crEnd: "2024-05-04",

        // if you want to have extra CSS, append them to this list
        // it is recommended that the respec.css stylesheet be kept
        //extraCSS:             ["spec.css", "prettify.css"],

        // editors, add as many as you like
        // only "name" is required
        editors:  [{
            name: "Greg Bernstein", url: "https://www.grotto-networking.com/",
            company: "Invited Expert", w3cid: 140479
          }, {
            name: "Manu Sporny", url: "https://www.linkedin.com/in/manusporny/",
            company: "Digital Bazaar", companyURL: "https://www.digitalbazaar.com/",
            w3cid: 41758
          }
        ],

        // extend the bibliography entries
        //localBiblio: webpayments.localBiblio,

        // wg:           "Verifiable Credentials Working Group Group",
        // URI of the public WG page
        // wgURI:        "https://www.w3.org/community/credentials/",
        // name (with the @w3c.org) of the public mailing to which comments are due
        // wgPublicList: "public-credentials",
        // URI of the patent status for this WG, for Rec-track documents
        // !!!! IMPORTANT !!!!
        // This is important for Rec-track documents, do not copy a patent URI from a random
        // document unless you know what you're doing. If in doubt ask your friendly neighbourhood
        // Team Contact.
        // wgPatentURI:  "https://www.w3.org/community/about/agreements/cla/",

        github: "https://github.com/w3c/vc-di-bbs",

        // URI of the patent status for this WG, for Rec-track documents
        // !!!! IMPORTANT !!!!
        // This is important for Rec-track documents, do not copy a patent URI from a random
        // document unless you know what you're doing. If in doubt ask your friendly neighbourhood
        // Team Contact.
        // wgPatentURI:  "",
        maxTocLevel: 4,
        /*preProcess: [ webpayments.preProcess ],
        alternateFormats: [ {uri: "diff-20111214.html", label: "diff to previous version"} ],
        */
        localBiblio:  {
          "RDF-CONCEPTS": {
            title:    "RDF 1.1 Concepts and Abstract Syntax",
            href:     "https://www.w3.org/TR/rdf11-concepts/",
            authors:  ["Richard Cyganiak", "David Wood", "Markus Lanthaler"],
            status:   "Recommendation",
            publisher:  "W3C"
          },
          "DI-ECDSA": {
              title:    "The Elliptic Curve Digital Signature Algorithm Cryptosuites v1.0",
              href:     "https://www.w3.org/TR/vc-di-ecdsa/",
              authors:  ["David Longley", "Manu Sporny", "Marty Reed"],
              status:   "WD",
              publisher:  "W3C Verifiable Credentials Working Group"
          },
          "VC-DATA-MODEL-2": {
            title: "Verifiable Credentials Data Model v2.0",
            href: "https://www.w3.org/TR/vc-data-model-2.0/",
            authors: [
              "Manu Sporny", "Dave Longley", "Grant Noble", "Dan Burnett",
              "Ted Thibodeau", "Brent Zundel", "David Chadwick",
              "Kyle Den Hartog"
            ],
            status: "Working Draft",
            publisher: "W3C Verifiable Credentials Working Group"
          },
          "CFRG-BBS-SIGNATURE": {
            title:    "The BBS Signature Scheme",
            href:     "https://www.ietf.org/archive/id/draft-irtf-cfrg-bbs-signatures-05.html",
            authors:  ["Tobias Looker", "Vasilis Kalos", "Andrew Whitehead", "Mike Lodder"],
            status:   "Draft"
          },
          "CFRG-PAIRING-FRIENDLY": {
            title: "Pairing-Friendly Curves",
            href: "https://www.ietf.org/archive/id/draft-irtf-cfrg-pairing-friendly-curves-11.html",
            authors: ["Yumi Sakemi", "Tetsutaro Kobayashi", "Tsunekazu Saito", "Riad S. Wahby"],
            status: "Draft"
          },
          "BLS-JOSE-COSE": {
            title:    "Barreto-Lynn-Scott Elliptic Curve Key Representations for JOSE and COSE",
            href:     "https://datatracker.ietf.org/doc/draft-ietf-cose-bls-key-representations/",
            authors:  ["Michael B. Jones", "Tobias Looker"],
            status:   "Draft"
          },
          Taming_EdDSAs: {
            title: "Taming the many EdDSAs",
            href: "https://eprint.iacr.org/2020/1244",
            authors: ["Konstantinos Chalkias", "François Garillot", "Valeria Nikolaenko"],
            date: "2020",
            publisher: "Cryptology ePrint Archive, Paper 2020/1244",
            doi: "10.1007/978-3-030-64357-7_4"
          },
          CDL2016: {
            title: "Anonymous Attestation Using the Strong Diffie Hellman Assumption Revisited",
            href: "https://eprint.iacr.org/2016/663",
            authors: ["Jan Camenisch", "Manu Drijvers", "Anja Lehmann"],
            date: "2016",
            publisher: "Cryptology ePrint Archive, Paper 2016/663"
          },
          TZ2023: {
            title: "Revisiting BBS Signatures",
            href: "https://eprint.iacr.org/2023/275",
            authors: ["Stefano Tessaro", "Chenzhi Zhu"],
            date: "2023",
            publisher: "Cryptology ePrint Archive, Paper 2023/275"
          },
          "NISTIR8053": {
            title: "NISTIR 8053: De-Identification of Personal Information",
            href: "https://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8053.pdf",
            authors: ["Simson L. Garfinkel"],
            date: "October 2015"
          },
          "Powar2023": {
            title: "SoK: Managing risks of linkage attacks on data privacy",
            authors: ["J. Powar", "A. R. Beresford"],
            publisher: "Proceedings on Privacy Enhancing Technologies",
            date: "2023",
            href: "https://petsymposium.org/popets/2023/popets-2023-0043.php"
          },
          "Pugliese2020": {
            title: "Long-Term Observation on Browser Fingerprinting: Users' Trackability and Perspective",
            authors: ["G. Pugliese", "C. Riess", "F. Gassmann", "Z. Benenson"],
            publisher: "Proceedings on Privacy Enhancing Technologies",
            date: "2020",
            href: "https://petsymposium.org/popets/2020/popets-2020-0041.php"
          },
          "CFRG-Blind-BBS-Signature": {
            title: "Blind BBS Signatures",
            authors: ["V. Kalos", "G. Bernstein"],
            date: "2024",
            href: "https://www.ietf.org/archive/id/draft-kalos-bbs-blind-signatures-00.html#name-proof-generationhttps://www.ietf.org/archive/id/draft-kalos-bbs-blind-signatures-03.html"
          },
          "CFRG-Pseudonym-BBS-Signature": {
            title: "BBS per Verifier Linkability",
            authors: ["V. Kalos"],
            date: "2024",
            href: "https://www.ietf.org/archive/id/draft-kalos-bbs-per-verifier-linkability-00.html"
          }
        },
        lint: { "informative-dfn": false },
        postProcess: [],
        xref: [
          "INFRA", "I18N-GLOSSARY", "VC-DATA-MODEL-2.0", "VC-DATA-INTEGRITY"
        ]
      };
    </script>
        <style>
code {
  color: rgb(199, 73, 0);
  font-weight: bold;
}
pre {
  overflow-x: auto;
  white-space: pre-wrap;
}
pre .highlight {
  font-weight: bold;
  color: Green;
}
pre .subject {
  font-weight: bold;
  color: RoyalBlue;
}
pre .property {
  font-weight: bold;
  color: DarkGoldenrod;
}
pre .comment {
  font-weight: bold;
  color: SteelBlue;
  -webkit-user-select: none;
  -moz-user-select: none;
  -ms-user-select: none;
  user-select: none;
}
ol.algorithm {
  counter-reset: numsection;
  list-style-type: none;
}
ol.algorithm li {
  margin: 0.5em 0;
}
ol.algorithm li:before {
  font-weight: bold;
  counter-increment: numsection;
  content: counters(numsection, ".") ") ";
}
              </style>
  </head>
  <body>
    <section id='abstract'>
      <p>
This specification describes a Data Integrity Cryptosuite for use when generating
digital signatures using the BBS signature scheme.
The Signature Suite utilizes BBS signatures to provide selective disclosure and
unlinkable derived proofs.
      </p>
    </section>

    <section id='sotd'>
      <p>
The Working Group is actively seeking implementation feedback for this
specification. In order to exit the Candidate Recommendation phase, the Working
Group has set the requirement of at least two independent implementations for
each feature, both mandatory and optional, in the specification. For details on
the conformance testing process, see the test suites listed in the
<a href="https://w3c.github.io/vc-data-integrity/implementations/">
implementation report</a>.
      </p>
    </section>

    <section>
      <h2>Introduction</h2>
      <p>
This specification defines a cryptographic suite for the purpose of
creating, verifying, and deriving proofs using the BBS Signature Scheme in
conformance with the Data Integrity [[VC-DATA-INTEGRITY]] specification. The
BBS signature scheme directly provides for selective disclosure and unlinkable
proofs. It provides four high-level functions that work within the <i>issuer,
holder, verifier</i> model. Specifically, an issuer uses the BBS `Sign` function to
create a cryptographic value known as a "BBS signature" which is used in signing
the original credential. A holder, on receipt of
a credential signed with BBS, then verifies the credential with the BBS `Verify`
function.
      </p>
      <p>
The holder then chooses information to selectively disclose from the
received credential and uses the BBS `ProofGen` function to generate a
cryptographic value, known as a "BBS proof", which is used in creating a proof
for this "derived credential". The cryptographic "BBS proof" value is not linkable
to the original "BBS signature" and a different, unlinkable "BBS proof" can be
generated by the holder for additional "derived credentials", including any
containing the exact same information.
Finally, a verifier uses the BBS `ProofVerify` function to verify the derived
credential received from the holder.
      </p>
      <p>
Applying the BBS signature scheme to verifiable credentials involves the
processing specified in this document.
In general the suite uses the RDF Dataset Canonicalization Algorithm
[[RDF-CANON]] to transform an input document into its canonical
form. An issuer then uses selective disclosure primitives to separate the
canonical form into mandatory and non-mandatory statements. These are processed
separately with other information to serve as the inputs to the BBS `Sign`
function along with appropriate key material. This output is used to
generate a secured credential. A holder uses a set of selective disclosure
functions and the BBS `Verify` function on receipt of the credential
to ascertain validity.
      </p>
      <p>
Similarly, on receipt of a BBS signed credential, a holder uses the RDF Dataset
Canonicalization Algorithm [[RDF-CANON]] to transform an input
document into its canonical form, and then applies selective disclosure
primitives to separate the canonical form into mandatory and selectively
disclosed statements, which are appropriately processed and serve as inputs to
the BBS `ProofGen` function. Suitably processed, the output of this function
becomes the signed selectively disclosed credential sent to a verifier. Using
canonicalization and selective disclosure primitives, the verifier can then use
the BBS `verifyProof` function to validate the credential.
      </p>

      <section id="terminology">
        <h3>Terminology</h3>
        <p>
Terminology used throughout this document is defined in the
<a data-cite="VC-DATA-INTEGRITY#terminology">Terminology</a> section of the
[[[VC-DATA-INTEGRITY]]] specification.
        </p>

      </section>

      <section id="conformance">
        <p>
A <dfn>conforming proof</dfn> is any concrete expression of the data model
that complies with the normative statements in this specification. Specifically,
all relevant normative statements in Sections
<a href="#data-model"></a> and <a href="#algorithms"></a>
of this document MUST be enforced.
        </p>

        <p>
A <dfn class="lint-ignore">conforming processor</dfn> is any algorithm realized
as software and/or hardware that generates or consumes a
<a>conforming proof</a>. Conforming processors MUST produce errors when
non-conforming documents are consumed.
        </p>
	<p>
This document contains examples of JSON and JSON-LD data. Some of these examples
are invalid JSON, as they include features such as inline comments (`//`)
explaining certain portions and ellipses (`...`) indicating the omission of
information that is irrelevant to the example. Such parts need to be
removed if implementers want to treat the examples as valid JSON or JSON-LD.
        </p>
      </section>
    </section>

    <section>
      <h2>Data Model</h2>

      <p>
The following sections outline the data model that is used by this specification
for <a>verification methods</a> and <a>data integrity proof</a> formats.
      </p>

      <section>
        <h2>Verification Methods</h2>
        <p>
These verification methods are used to verify Data Integrity Proofs
[[VC-DATA-INTEGRITY]] produced using BLS12-381 cryptographic key material
that is compliant with [[CFRG-BBS-SIGNATURE]]. The encoding formats for these key types
are provided in this section. Lossless cryptographic key transformation
processes that result in equivalent cryptographic key material MAY be used
during the processing of digital signatures.
        </p>
        <section>
          <h3>Multikey</h3>
          <p>
The <a data-cite="VC-DATA-INTEGRITY#multikey">Multikey format</a>, as defined in
[[VC-DATA-INTEGRITY]], is used to express public keys for the cryptographic
suites defined in this specification.
          </p>

          <p>
The `publicKeyMultibase` property represents a Multibase-encoded Multikey
expression of a BLS12-381 public key in the G2 group. The encoding of this field
is the two-byte prefix `0xeb01` followed
by the 96-byte compressed public key data.
The 98-byte value is then encoded using base58-btc (`z`) as the prefix. Any
other encodings MUST NOT be allowed.
          </p>

          <p class="advisement">
Developers are advised to not accidentally publish a representation of a private
key. Implementations of this specification will raise errors in the event of a
value other than `0xeb01` being used in a `publicKeyMultibase` value.
          </p>

          <pre class="example"
            title="A BLS12-381 G2 group public key, encoded as a Multikey">
{
  "id": "https://example.com/issuer/123#key-0",
  "type": "Multikey",
  "controller": "https://example.com/issuer/123",
  "publicKeyMultibase": "zUC7EK3ZakmukHhuncwkbySmomv3FmrkmS36E4Ks5rsb6VQSRpoCrx6
  Hb8e2Nk6UvJFSdyw9NK1scFXJp21gNNYFjVWNgaqyGnkyhtagagCpQb5B7tagJu3HDbjQ8h
  5ypoHjwBb"
}
          </pre>

          <pre class="example" title="A BLS12-381 G2 group public key,
          encoded as a Multikey in a controller document">
{
  "@context": [
    "https://www.w3.org/ns/did/v1",
    "https://w3id.org/security/multikey/v1"
  ],
  "id": "https://example.com/issuer/123",
  "verificationMethod": [{
    "id": "https://example.com/issuer/123#key-1",
    "type": "Multikey",
    "controller": "https://example.com/issuer/123",
    "publicKeyMultibase": "zUC7EK3ZakmukHhuncwkbySmomv3FmrkmS36E4Ks5rsb6VQSRpoCr
    x6Hb8e2Nk6UvJFSdyw9NK1scFXJp21gNNYFjVWNgaqyGnkyhtagagCpQb5B7tagJu3HDbjQ8h
    5ypoHjwBb"
  }]
}
          </pre>
        </section>
      </section>

      <section>
        <h2>Proof Representations</h2>

        <section>
          <h3>DataIntegrityProof</h3>

          <p>
A proof contains the attributes specified in the
<a href="https://www.w3.org/TR/vc-data-integrity/#proofs">Proofs section</a>
of [[VC-DATA-INTEGRITY]] with the following restrictions.
          </p>
          <p>
The `verificationMethod` property of the proof MUST be a URL.
Dereferencing the `verificationMethod` MUST result in an object
containing a `type` property with the value set to
`Multikey`.
          </p>

          <p>
The `type` property of the proof MUST be `DataIntegrityProof`.
          </p>
          <p>
The `cryptosuite` property of the proof MUST be `bbs-2023`.
          </p>
          <p>
The value of the `proofValue` property of the proof MUST be a BBS signature or
BBS proof produced according to [[CFRG-BBS-SIGNATURE]] that is serialized and encoded
according to procedures in section <a href="#algorithms"></a>.
          </p>
        </section>
      </section>

    </section>

    <section>
      <h2>Algorithms</h2>

      <p>
The following algorithms describe how to use verifiable credentials with
the BBS Signature Scheme [[CFRG-BBS-SIGNATURE]]. When using the BBS signature
scheme the SHA-256 variant SHOULD be used.
      </p>

      <p>
Implementations SHOULD fetch and cache <a>verification method</a> information as
early as possible when adding or verifying proofs. Parameters passed to
functions in this section use information from the <a>verification
method</a> — such as the public key size — to determine function parameters — such
as the cryptographic hashing algorithm.
      </p>

      <p class="advisement">
When the RDF Dataset Canonicalization Algorithm [[RDF-CANON]] is used,
implementations of that algorithm will detect
<a data-cite="RDF-CANON#dataset-poisoning">dataset poisoning</a>
by default, and abort processing upon detection.
      </p>

      <section>
        <h3>Instantiate Cryptosuite</h3>

        <p>
This algorithm is used to configure a cryptographic suite to be used by the
<a data-cite="VC-DATA-INTEGRITY#add-proof">Add Proof</a> and
<a data-cite="VC-DATA-INTEGRITY#verify-proof">Verify Proof</a>
functions in [[[VC-DATA-INTEGRITY]]]. The algorithm takes an options object
([=map=] |options|) as input and returns a [=data integrity cryptographic suite
instance|cryptosuite instance=] ([=struct=] |cryptosuite|).
        </p>

        <ol class="algorithm">
          <li>
Initialize |cryptosuite| to an empty [=struct=].
          </li>
          <li>
If |options|.|type| does not equal `DataIntegrityProof`, return |cryptosuite|.
          </li>
          <li>
If |options|.|cryptosuite| is `bbs-2023` then:
            <ol class="algorithm">
              <li>
Set |cryptosuite|.|createProof| to the algorithm in Section
[[[#create-base-proof-bbs-2023]]].
              </li>
              <li>
Set |cryptosuite|.|verifyProof| to the algorithm in Section
[[[#verify-derived-proof-bbs-2023]]].
              </li>
            </ol>
          </li>
          <li>
Return |cryptosuite|.
          </li>
        </ol>

      </section>

      <section>
        <h3>Selective Disclosure Functions</h3>

        <section>
          <h4>createShuffledIdLabelMapFunction</h4>
          <p>
The following algorithm creates a label map factory function that uses an
HMAC to shuffle canonical blank node identifiers. The required input is an HMAC
(previously initialized with a secret key), |HMAC|. A function,
<em>labelMapFactoryFunction</em>, is produced as output.
          </p>

          <ol class="algorithm">
            <li>
Create a function, |labelMapFactoryFunction|, with one required input
(a canonical node identifier map, |canonicalIdMap|), that will
return a blank node identifier map, <em>bnodeIdMap</em>, as output. Set the
function's implementation to:
              <ol class="algorithm">
                <li>
Generate a new empty bnode identifier map, <em>bnodeIdMap</em>.
                </li>
                <li>
For each map entry, <em>entry</em>, in |canonicalIdMap|:
                  <ol class="algorithm">
                    <li>
Perform an HMAC operation on the canonical identifier from the value in <em>entry</em> to get an HMAC
digest, <em>digest</em>.
                    </li>
                    <li>
Generate a new string value, <em>b64urlDigest</em>, and initialize it to "u"
followed by appending a base64url-no-pad encoded version of the <em>digest</em>
value.
                    </li>
                    <li>
Add a new entry, |newEntry|, to <em>bnodeIdMap</em> using the key
from <em>entry</em> and <em>b64urlDigest</em> as the value.
                    </li>
                  </ol>
                </li>
                <li>
Derive the shuffled mapping from the `bnodeIdMap` as follows:
                  <ol class="algorithm">
                    <li>
Set `hmacIds` to be the sorted array of values from the `bnodeIdMap`, and set
`bnodeKeys` to be the ordered array of keys from the `bnodeIdMap`.
                    </li>
                    <li>
For each key in `bnodeKeys`, replace the `bnodeIdMap` value for that key with the
index position of the value in the `hmacIds` array prefixed by "b", i.e.,
`bnodeIdMap.set(bkey, 'b' + hmacIds.indexOf(bnodeIdMap.get(bkey)))`.
                    </li>
                  </ol>
                </li>
                <li>
Return <em>bnodeIdMap</em>.
                </li>
              </ol>
            </li>
            <li>
Return |labelMapFactoryFunction|.
            </li>
          </ol>

          <p class="note informative">
It should be noted that step 1.2 in the above algorithm is identical to step 1.2
in <a href="https://www.w3.org/TR/vc-di-ecdsa/#createhmacidlabelmapfunction">
Section 3.3.4 `createHmacIdLabelMapFunction`</a> of [[DI-ECDSA]],
so developers might be able to reuse the code or call the function if implementing
both.
          </p>
        </section>


      </section>

      <section>
        <h3>bbs-2023 Functions</h3>
        <section>
          <h4>serializeBaseProofValue</h4>
          <p>
The following algorithm serializes the base proof value, including the
BBS signature, HMAC key, and mandatory pointers.
The required inputs are a base signature |bbsSignature|, |bbsHeader|,
|publicKey|, an HMAC key |hmacKey|, an array of
|mandatoryPointers|, |featureOption|, and, depending on
the |featureOption| value, possibly a |signer_nym_entropy| value.
A single <em>base proof</em> string value is produced as output.
          </p>

          <ol class="algorithm">
            <li>
Depending upon the value of the |featureOption|, set up the |proofValue| as
follows.
            </li>
            <li>
If |featureOption| equals `"baseline"`:
              <ol class="algorithm">
                <li>
Initialize a byte array, |proofValue|, that starts with the BBS base proof
header bytes `0xd9`, `0x5d`, and `0x02`.
                </li>
                <li>
Initialize |components| to an array with five elements containing the values of:
|bbsSignature|, |bbsHeader|, |publicKey|, |hmacKey|, and |mandatoryPointers|.
                </li>
              </ol>
            </li>
            <li>
If |featureOption| equals `"anonymous_holder_binding"`:
              <ol class="algorithm">
                <li>
Initialize a byte array, |proofValue|, that starts with the BBS base proof
header bytes `0xd9`, `0x5d`, and `0x04`.
                </li>
                <li>
Initialize |components| to an array with six elements containing the values of:
|bbsSignature|, |bbsHeader|, |publicKey|, |hmacKey|, and |mandatoryPointers|.
                </li>
              </ol>
            </li>
            <li>
If |featureOption| equals `"pseudonym"`:
              <ol class="algorithm">
                <li>
Initialize a byte array, |proofValue|, that starts with the BBS base proof
header bytes `0xd9`, `0x5d`, and `0x06`.
                </li>
                <li>
Initialize |components| to an array with six elements containing the values of:
|bbsSignature|, |bbsHeader|, |publicKey|, |hmacKey|, |mandatoryPointers|, and
|signer_nym_entropy|.
                </li>
              </ol>
            </li>
            <li>
If |featureOption| equals `"holder_binding_pseudonym"`:
              <ol class="algorithm">
                <li>
Initialize a byte array, |proofValue|, that starts with the BBS base proof
header bytes `0xd9`, `0x5d`, and `0x08`.
                </li>
                <li>
Initialize |components| to an array with six elements containing the values of:
|bbsSignature|, |bbsHeader|, |publicKey|, |hmacKey|, |mandatoryPointers|, and
|signer_nym_entropy|.
                </li>
              </ol>
            </li>
            <li>
CBOR-encode |components| per [[RFC8949]] where CBOR tagging MUST NOT be used on
any of the |components|. Append the produced encoded value to |proofValue|.
            </li>
            <li>
Initialize |baseProof| to a string with the multibase-base64url-no-pad-encoding
of `proofValue`. That is, return a string starting with "`u`" and ending with the
base64url-no-pad-encoded value of |proofValue|.
            </li>
            <li>
Return |baseProof| as <em>base proof</em>.
            </li>
          </ol>

        </section>

        <section>
          <h4>parseBaseProofValue</h4>
          <p>
The following algorithm parses the components of a `bbs-2023` selective
disclosure base proof value. The required input is a proof value
(|proofValue|). A single object, <em>parsed base proof</em>, containing
six or seven elements, using the names "bbsSignature", "bbsHeader",
"publicKey",
"hmacKey", "mandatoryPointers", "featureOption", and possibly optional feature
parameter "signer_nym_entropy", is produced as output.
          </p>

          <ol class="algorithm">
            <li>
If the `proofValue` string does not start with
<span class="codepoint" translate="no">
  <bdi lang="en"><code title="LATIN SMALL LETTER U">u</code></bdi>
  (<code class="codepoint">U+0075</code>
  <code class="uname">LATIN SMALL LETTER U</code>)</span>,
indicating that it is a `multibase-base64url-no-pad-encoded` value,
an error MUST be raised and SHOULD convey an error type of
<a data-cite="VC-DATA-INTEGRITY#PROOF_VERIFICATION_ERROR">PROOF_VERIFICATION_ERROR</a>.
            </li>
            <li>
Initialize |decodedProofValue| to the result of base64url-no-pad-decoding the
substring that follows the leading `u` in `proofValue`.
            </li>
            <li>
Check that the BBS base proof starts with an allowed header value and set the
|featureOption| variable as follows:
              <ol class="algorithm">
                <li>
If the |decodedProofValue| starts with the bytes `0xd9`, `0x5d`, and `0x02`, set
|featureOption| to `"baseline"`.
                </li>
                <li>
If the |decodedProofValue| starts with the bytes `0xd9`, `0x5d`, and `0x04`, set
|featureOption| to `"anonymous_holder_binding"`.
                </li>
                <li>
If the |decodedProofValue| starts with the bytes `0xd9`, `0x5d`, and `0x06`, set
|featureOption| to `"pseudonym"`.
                </li>
                <li>
If the |decodedProofValue| starts with the bytes `0xd9`, `0x5d`, and `0x08`, set
|featureOption| to `"holder_binding_pseudonym"`.
                </li>
                <li>
If the |decodedProofValue| starts with any other three byte sequence,
an error MUST be raised and SHOULD convey an error type of
<a data-cite="VC-DATA-INTEGRITY#PROOF_VERIFICATION_ERROR">PROOF_VERIFICATION_ERROR</a>.
                </li>
              </ol>

            </li>
            <li>
Initialize `components` to an array that is the result of CBOR-decoding the
bytes that follow the three-byte BBS base proof header.
            </li>
            <li>
Based on the value of |featureOption|, return an object based on |components|,
as follows:
              <ol class="algorithm">
                <li>
If |featureOption| equals `"baseline"`, set the property names for the object
based on |components| to "bbsSignature", "bbsHeader", "publicKey", "hmacKey",
and "mandatoryPointers", in that order, and add |featureOption| as a property.
                </li>
                <li>
If |featureOption| equals `"anonymous_holder_binding"`, set the property names
for the object based on |components| to "bbsSignature", "bbsHeader",
"publicKey", "hmacKey", and "mandatoryPointers", in that order, and
add |featureOption| as a property.
                </li>
                <li>
If |featureOption| equals `"pseudonym"`, set the property names
for the object based on |components| to "bbsSignature", "bbsHeader",
"publicKey", "hmacKey", "mandatoryPointers", and "signer_nym_entropy", in that
order, and add |featureOption| as a property.
                </li>
                <li>
If |featureOption| equals `"holder_binding_pseudonym"`, set the property names
for the object based on |components| to "bbsSignature", "bbsHeader",
"publicKey", "hmacKey", "mandatoryPointers", and "signer_nym_entropy", in that
order, and add |featureOption| as a property.
                </li>
              </ol>
            </li>
          </ol>

        </section>

        <section>
          <h4>createDisclosureData</h4>

          <p>
The following algorithm creates data to be used to generate a derived proof. The
inputs include a JSON-LD document (|document|), a BBS base proof
(|proof|), an array of JSON pointers to use to selectively disclose
statements (|selectivePointers|), an OPTIONAL BBS
|presentationHeader| (byte array that defaults to an empty byte array if
not present), a |featureOption| indicator, additional inputs as required by
the |featureOption| (see <a href="#add-derived-proof-bbs-2023">Add Derived Proof</a>),
and any custom JSON-LD API options
(such as a document loader). A single object, <em>disclosure data</em>, is
produced as output, which contains the following fields: |bbsProof|,
|labelMap|, |mandatoryIndexes|, |selectiveIndexes|, |presentationHeader|,
|revealDocument|, and, if computed, |pseudonym|.
          </p>

          <ol class="algorithm">
            <li>
Initialize |bbsSignature|, |bbsHeader|, |publicKey|, |hmacKey|,
and |mandatoryPointers|
to the values of the associated properties in the object
returned when calling the algorithm in Section
<a href="#parsebaseproofvalue"></a>, passing the `proofValue` from `proof`.
            </li>
            <li>
Initialize |hmac| to an HMAC API using |hmacKey|. The HMAC uses the same hash
algorithm used in the signature algorithm, i.e., SHA-256.
            </li>
            <li>
Initialize |labelMapFactoryFunction| to the result of calling the algorithm of
section <a href="#createshuffledidlabelmapfunction"></a>, passing |hmac| as |HMAC|.
            </li>
            <li>
Initialize |combinedPointers| to the concatenation of |mandatoryPointers|
and |selectivePointers|.
            </li>
            <li>
Initialize |groupDefinitions| to a map with the following entries: key of
the string `"mandatory"` and value of |mandatoryPointers|; key of the string
`"selective"` and value of |selectivePointers|; and key of the string `"combined"`
and value of |combinedPointers|.
            </li>
            <li>
Initialize |groups| and |labelMap| to the result of calling the algorithm in
<a href="https://www.w3.org/TR/vc-di-ecdsa/#canonicalizeandgroup">Section 3.3.16
canonicalizeAndGroup</a> of the [[DI-ECDSA]] specification, passing |document|
|labelMapFactoryFunction|,
|groupDefinitions|, and any custom JSON-LD
API options. Note: This step transforms the document into an array of canonical
N-Quads whose order has been shuffled based on 'hmac'-applied blank node
identifiers, and groups
the N-Quad strings according to selections based on JSON pointers.
            </li>

            <li>
Compute the mandatory indexes relative to their positions in the combined
statement list, i.e., find the position at which a mandatory statement occurs
in the list of combined statements. One method for doing this is given below.
              <ol class="algorithm">
                <li>
Initialize |mandatoryIndexes| to an empty array. Set |mandatoryMatch| to
|groups.mandatory.matching| map; set |combinedMatch| to
|groups.combined.matching|; and set |combinedIndexes| to the ordered array of
just the keys of the |combinedMatch| map.
                </li>
                <li>
For each key in the |mandatoryMatch| map, find its index in the |combinedIndexes|
array (e.g., `combinedIndexes.indexOf(key)`), and add this value to the
|mandatoryIndexes| array.
                </li>
              </ol>
            </li>
            <li>
Compute the selective indexes relative to their positions in the non-mandatory
statement list, i.e., find the position at which a selected statement occurs in
the list of non-mandatory statements. One method for doing this is given below.
              <ol class="algorithm">
                <li>
Initialize |selectiveIndexes| to an empty array. Set |selectiveMatch| to the
|groups.selective.matching| map; set |mandatoryNonMatch| to the map
|groups.mandatory.nonMatching|; and |nonMandatoryIndexes| to to the ordered
array of just the keys of the |mandatoryNonMatch| map.
                </li>
                <li>
For each key in the |selectiveMatch| map, find its index in the
|nonMandatoryIndexes| array (e.g., `nonMandatoryIndexes.indexOf(key)`), and add
this value to the |selectiveIndexes| array.
                </li>
              </ol>
            </li>
            <li>
Initialize |bbsMessages| to an array of byte arrays containing the values in the
|nonMandatory| array of strings encoded using the UTF-8
<a>character encoding</a>.
            </li>
            <li>
Set |bbsProof| to the value computed by the appropriate procedure given below
based on the value of the |featureOption| parameter.
              <ol class="algorithm">
                <li>
If |featureOption| equals `"baseline"`,
set `bbsProof` to the value computed by the `ProofGen` procedure from
[[CFRG-BBS-SIGNATURE]], i.e.,
`ProofGen(PK, signature, header, ph, messages, disclosed_indexes)`,
where `PK` is the original issuers public key, `signature` is the
`bbsSignature`, `header` is the `bbsHeader`, `ph` is the  `presentationHeader`
`messages` is `bbsMessages`, and `disclosed_indexes` is `selectiveIndexes`.
                </li>
                <li>
If |featureOption| equals `"anonymous_holder_binding"`,
set `bbsProof` to the value computed by the `BlindProofGen` procedure from
[[CFRG-Blind-BBS-Signature]], where |PK| is the original issuers public key,
|signature| is the
|bbsSignature|, |header| is the |bbsHeader|, |ph| is the |presentationHeader|,
|messages| is |bbsMessages|, |disclosed_indexes| is |selectiveIndexes|,
and `commitment_with_proof`. The holder will also furnish its
|holder_secret|, and the |proverBlind| that was used to compute the
|commitment_with_proof|. This is the
<a href="#anonymous-holder-binding">Anonymous Holder Binding</a> feature option.
<span class="note">To
be updated when IETF API is finalized.</span>
                </li>
                <li>
If |featureOption| equals `"pseudonym"`,
use the "Verification and Finalization" operation
from [[CFRG-Pseudonym-BBS-Signature]] with an empty |committed_messages| array
to both verify the |bbsSignature| and compute
the |nym_secret| value. This operation uses the |prover_nym|,
|signer_nym_entropy|, and |secret_prover_blind|.
<br><br>
Determine the |nym_domain|. This might be specified by
the verifier or set by the holder, depending on the usage scenario. Use
the "Proof Generation with Pseudonym"
operation from [[CFRG-Pseudonym-BBS-Signature]] to produce the derived proof.
This operation takes as inputs
the original issuer's public key as |PK|,
the               |bbsSignature| as |signature|,
the                  |bbsHeader| as |header|,
the         |presentationHeader| as |ph|,
the                |bbsMessages| as |messages|,
the           |selectiveIndexes| as |disclosed_indexes|,
                                  a |nym_secret|,
                                  a |nym_domain|,
                 an empty array for |committed_messages|,
and                               a |secret_prover_blind|.
In addition to providing
the raw
cryptographic proof value which is assigned to |bbsProof|,
it also returns the |pseudonym|.
<br><br>
This is for the
<a href="#credential-bound-pseudonyms">Credential-Bound Pseudonyms</a>
feature option. <span class="note">To be updated when IETF API is finalized.
</span>
                </li>
                <li>
If |featureOption| equals `"holder_binding_pseudonym"`,
use the "Verification and Finalization" operation
from [[CFRG-Pseudonym-BBS-Signature]] with the |committed_messages| array
containing the |holder_secret| as its only value,
to both verify the |bbsSignature| and compute
the |nym_secret| value. This operation uses the |prover_nym|,
|signer_nym_entropy|, and |secret_prover_blind|.
<br><br>
Determine the |nym_domain|. This might be specified by
the verifier or set by the holder depending on the usage scenario. Use
the "Proof Generation with Pseudonym"
operation from [[CFRG-Pseudonym-BBS-Signature]] to produce the derived proof.
This operation takes as inputs
|PK|, the original issuers public key,
|signature|,  the |bbsSignature|, |header| is the |bbsHeader|,
|ph| is the |presentationHeader|,
|messages| is |bbsMessages|, |disclosed_indexes| is |selectiveIndexes|,
This operation takes as inputs
   the                  original issuers public key as |PK|,
   the                               |bbsSignature| as |signature|,
   the                                  |bbsHeader| as |header|,
   the                         |presentationHeader| as |ph|,
   the                                |bbsMessages| as |messages|,
   the                           |selectiveIndexes| as |disclosed_indexes|,
   a                                                   |nym_secret|,
   a                                                   |nym_domain|,
   the only value of the |committed_messages| array as |holder_secret|,
   and a                                               |secret_prover_blind|.
In addition to
providing the raw cryptographic proof value which is assigned to |bbsProof|,
it also returns the |pseudonym|.

This is for the
<a href="#holder-binding-and-pseudonyms">Holder Binding and Pseudonyms</a>
feature option. <span class="note">To be updated when IETF API is finalized.
</span>
                </li>
              </ol>
            </li>
          <li>
If |featureOption| equals `"anonymous_holder_binding"`,
`"pseudonym"`, or `"holder_binding_pseudonym"` set the |lengthBBSMessages|
parameter to the length of the |bbsMessages| array.
          </li>


            <li>
Initialize |revealDocument| to the result of the "selectJsonLd" algorithm from
[[DI-ECDSA]], passing `document`, and `combinedPointers` as `pointers`.
            </li>
            <li>
Run the RDF Dataset Canonicalization Algorithm [[RDF-CANON]] on
the joined |combinedGroup|.|deskolemizedNQuads|, passing any custom
options, and get the canonical bnode identifier map, |canonicalIdMap|.
Note: This map includes the canonical blank node identifiers that a verifier
will produce when they canonicalize the reveal document.
            </li>
            <li>
Initialize |verifierLabelMap| to an empty map. This map will map
the canonical blank node identifiers produced by the verifier when they
canonicalize the revealed document, to the blank node identifiers that were
originally signed in the base proof.
            </li>
            <li>
For each key (`inputLabel`) and value (`verifierLabel`) in `canonicalIdMap:
              <ol class="algorithm">
                <li>
Add an entry to `verifierLabelMap`, using `verifierLabel` as the key, and the
value associated with `inputLabel` as a key in `labelMap` as the value.
                </li>
              </ol>
            </li>
            <li>
Return an object with properties matching |bbsProof|, "verifierLabelMap" for |labelMap|,
|mandatoryIndexes|, |selectiveIndexes|, |revealDocument|, |pseudonym|, and, if
computed, |lengthBBSMessages|.
            </li>
          </ol>

        </section>

        <section>
          <h4>compressLabelMap</h4>
          <p>
The following algorithm compresses a label map. The required input is
label map (|labelMap|). The output is a <em>compressed label map</em>.
          </p>

          <ol class="algorithm">
            <li>
Initialize `map` to an empty map.
            </li>
            <li>
For each entry (`k`, `v`) in `labelMap`:
              <ol class="algorithm">
                <li>
Add an entry to `map`, with a key that is a base-10 integer parsed from the
characters following the "c14n" prefix in `k`, and a value that is a base-10
integer parsed from the characters following the "b" prefix in `v`.
                </li>
              </ol>
            </li>
            <li>
Return `map` as <em>compressed label map</em>.
            </li>
          </ol>
        </section>

        <section>
          <h4>decompressLabelMap</h4>

          <p>
The following algorithm decompresses a label map. The required input is a
compressed label map (|compressedLabelMap|). The output is a
<em>decompressed label map</em>.
          </p>

          <ol class="algorithm">
            <li>
Initialize `map` to an empty map.
            </li>
<!--   const key = 'c14n' + k
  const value = 'b' + v -->
            <li>
For each entry (`k`, `v`) in `compressedLabelMap`:
              <ol class="algorithm">
                <li>
Add an entry to `map`, with a key that adds the prefix "c14n" to `k`, and a value
that adds a prefix of "b" to `v`.
                </li>
              </ol>
            </li>
            <li>
Return `map` as <em>decompressed label map</em>.
            </li>
          </ol>

        </section>

        <section>
          <h4>serializeDerivedProofValue</h4>

          <p>
The following algorithm serializes a derived proof value. The required inputs
are a BBS proof (|bbsProof|), a label map (|labelMap|), an
array of mandatory indexes (|mandatoryIndexes|), an array of
selective indexes (|selectiveIndexes|), a BBS presentation header
(|presentationHeader|), the |featureOption| indicator, and,
depending on the |featureOption| value, a |nym_domain|, |pseudonym|, and/or
|lengthBBSMessages| value.
A single <em>derived proof</em>
value, serialized as a byte string, is produced as output.
          </p>

          <ol class="algorithm">
            <li>
Initialize `compressedLabelMap` to the result of calling the algorithm in
Section <a href="#compresslabelmap"></a>, passing `labelMap` as the parameter.
            </li>
            <li>
 Depending on the value of |featureOption| do the following:
              <ol class="algorithm">
                <li>
If |featureOption| equals `"baseline"`:
                  <ol class="algorithm">
                    <li>
Initialize |proofValue| to start with the
disclosure proof header bytes `0xd9`, `0x5d`, and `0x03`.
                    </li>
                    <li>
Initialize |components| to an array with elements containing the values of
|bbsProof|, |compressedLabelMap|, |mandatoryIndexes|, |selectiveIndexes|, and
|presentationHeader|.
                    </li>
                  </ol>
                </li>
                <li>
If |featureOption| equals `"anonymous_holder_binding"`:
                  <ol class="algorithm">
                    <li>
Initialize |proofValue| to start with the
disclosure proof header bytes `0xd9`, `0x5d`, and `0x05`.
                    </li>
                    <li>
Initialize |components| to an array with elements containing the values of
|bbsProof|, |compressedLabelMap|, |mandatoryIndexes|, |selectiveIndexes|,
|presentationHeader|, and |lengthBBSMessages|.
                    </li>
                  </ol>
                </li>
                <li>
If |featureOption| equals `"pseudonym"`:
                  <ol class="algorithm">
                    <li>
Initialize |proofValue| to start with the
disclosure proof header bytes: `0xd9`, `0x5d`, and `0x07`.
                    </li>
                    <li>
Initialize |components| to an array with elements containing the values of
|bbsProof|, |compressedLabelMap|, |mandatoryIndexes|, |selectiveIndexes|,
|presentationHeader|, |nym_domain|, |pseudonym|, and |lengthBBSMessages|.
                    </li>
                  </ol>
                </li>
                <li>
If |featureOption| equals `"holder_binding_pseudonym"`:
                  <ol class="algorithm">
                    <li>
Initialize |proofValue| to start with the
disclosure proof header bytes: `0xd9`, `0x5d`, and `0x09`.
                    </li>
                    <li>
Initialize |components| to an array with elements containing the values of
|bbsProof|, |compressedLabelMap|, |mandatoryIndexes|, |selectiveIndexes|,
|presentationHeader|, |nym_domain|, |pseudonym|, and |lengthBBSMessages|.
                    </li>
                  </ol>
                </li>
              </ol>
            <li>
CBOR-encode |components| per [[RFC8949]] where CBOR tagging MUST NOT be used on
any of the |components|. Append the produced encoded value to |proofValue|.
            </li>
            <li>
Return the <em>derived proof</em> as a string with the
multibase-base64url-no-pad-encoding of |proofValue|. That is, return a string
starting with "`u`" and ending with the base64url-no-pad-encoded value of
`proofValue`.
            </li>
          </ol>

        </section>

        <section>
          <h4>parseDerivedProofValue</h4>

          <p>
The following algorithm parses the components of the derived proof value.
The required input is a derived proof value (|proofValue|). A
single <em>derived proof value</em> object is produced as output, which
contains a set of six to nine elements, having the names "bbsProof",
"labelMap", "mandatoryIndexes", "selectiveIndexes", "presentationHeader",
"featureOption", and, depending on the value of the |featureOption| parameter,
"nym_domain", "pseudonym", and/or "lengthBBSMessages".
          </p>

          <ol class="algorithm">
            <li>
If the `proofValue` string does not start with
<span class="codepoint" translate="no">
  <bdi lang="en"><code title="LATIN SMALL LETTER U">u</code></bdi>
  (<code class="codepoint">U+0075</code>,
  <code class="uname">LATIN SMALL LETTER U</code>)</span>, indicating that
it is a `multibase-base64url-no-pad-encoded` value,
an error MUST be raised and SHOULD convey an error type of
<a data-cite="VC-DATA-INTEGRITY#PROOF_VERIFICATION_ERROR">PROOF_VERIFICATION_ERROR</a>.
            </li>
            <li>
Initialize |decodedProofValue| to the result of base64url-no-pad-decoding the
substring that follows the leading `u` in `proofValue`.
            </li>
            <li>
Check that the BBS disclosure proof starts with an allowed header value and set
the |featureOption| variable as follows:
              <ol class="algorithm">
                <li>
If the |decodedProofValue| starts with the header bytes `0xd9`, `0x5d`, and
`0x03`, set |featureOption| to `"baseline"`.
                </li>
                <li>
If the |decodedProofValue| starts with the header bytes `0xd9`, `0x5d`, and
`0x05`, set |featureOption| to `"anonymous_holder_binding"`.
                </li>
                <li>
If the |decodedProofValue| starts with the header bytes `0xd9`, `0x5d`, and
`0x07`, set |featureOption| to `"pseudonym"`.
                </li>
                <li>
If the |decodedProofValue| starts with the header bytes `0xd9`, `0x5d`, and
`0x09`, set |featureOption| to `"holder_binding_pseudonym"`.
                </li>
              </ol>

              <!-- |bbsProof|, |compressedLabelMap|, |mandatoryIndexes|, |selectiveIndexes|,
              |presentationHeader|, |nym_domain|, |pseudonym|, and |lengthBBSMessages|. -->

            <li>
Initialize `components` to an array that is the result of CBOR-decoding the
bytes that follow the three-byte BBS disclosure proof header. If the result
is not an array of five, six, seven, or eight elements,
an error MUST be raised and SHOULD convey an error type of
<a data-cite="VC-DATA-INTEGRITY#PROOF_VERIFICATION_ERROR">PROOF_VERIFICATION_ERROR</a>.
            </li>
            <li>
Replace the second element in `components` using the result of calling the
algorithm in Section <a href="#decompresslabelmap"></a>, passing the existing
second element of `components` as `compressedLabelMap`.
            </li>
            <li>
Return <em>derived proof value</em> as an object with properties set to the five,
six, seven, or eight elements, using the names "bbsProof", "labelMap",
"mandatoryIndexes", "selectiveIndexes", "presentationHeader", and optional
"nym_domain", "pseudonym", and/or "lengthBBSMessages", respectively.
In addition, add |featureOption| and its value to the object.
            </li>
          </ol>

        </section>

        <section>
          <h4>createVerifyData</h4>

          <p>
The following algorithm creates the data needed to perform verification of a
BBS-protected <a>verifiable credential</a>. The inputs include a JSON-LD
document (|document|), a BBS disclosure proof (|proof|),
and any custom JSON-LD API options (such as a document loader). A single
<em>verify data</em> object value is produced as output containing the following
fields: |bbsProof|, |proofHash|, |mandatoryHash|, |selectiveIndexes|,
|presentationHeader|, |nonMandatory|, |featureOption|, and, possibly,
|pseudonym| and/or |lengthBBSMessages|.
          </p>

          <ol class="algorithm">
            <li>
Initialize |proofHash| to the result of performing RDF Dataset Canonicalization
[[RDF-CANON]] on the proof options, i.e., the proof  portion of the document
with the |proofValue| removed. The hash used is the same as that used in
the signature algorithm, i.e., SHA-256. Note: This step can be
performed in parallel; it only needs to be completed before this algorithm needs
to use the |proofHash| value.
            </li>
            <li>
Initialize |bbsProof|, |labelMap|, |mandatoryIndexes|, |selectiveIndexes|,
|presentationHeader|, |featureOption|, and, possibly, |pseudonym| and/or
|lengthBBSMessages| to the values
associated with their property names in the
object returned when calling the algorithm in Section
<a href="#parsederivedproofvalue"></a>, passing |proofValue| from |proof|.
            </li>
            <li>
Initialize |labelMapFactoryFunction| to the result of calling the
"`createLabelMapFunction`" algorithm of [[DI-ECDSA]], passing |labelMap|.
            </li>
            <li>
Initialize |nquads| to the result of calling the "`labelReplacementCanonicalize`"
algorithm of [[DI-ECDSA]], passing |document|, |labelMapFactoryFunction|, and
any custom
JSON-LD API options. Note: This step transforms the document into an array of
canonical N-Quads with pseudorandom blank node identifiers based on |labelMap|.
            </li>
            <li>
Initialize |mandatory| to an empty array.
            </li>
            <li>
Initialize |nonMandatory| to an empty array.
            </li>
            <li>
For each entry (|index|, |nq|) in |nquads|, separate the N-Quads into mandatory
and non-mandatory categories:
              <ol class="algorithm">
                <li>
If |mandatoryIndexes| includes |index|, add |nq| to |mandatory|.
                </li>
                <li>
Otherwise, add |nq| to |nonMandatory|.
                </li>
              </ol>
            </li>
            <li>
Initialize |mandatoryHash| to the result of calling the "`hashMandatory`"
primitive, passing |mandatory|.
            </li>
            <li>
Return an object with properties matching |baseSignature|, |proofHash|,
|nonMandatory|, |mandatoryHash|, |selectiveIndexes|, |featureOption|, and,
possibly, |pseudonym| and/or |lengthBBSMessages|.
            </li>
          </ol>

        </section>

      </section>

      <section>
        <h3>bbs-2023</h3>

        <p>
The `bbs-2023` cryptographic suite takes an input document, canonicalizes
the document using the RDF Dataset Canonicalization Algorithm
[[RDF-CANON]], and then applies a number of transformations and cryptographic
operations resulting in the production of a data integrity proof. The algorithms
in this section also include the verification of such a data integrity proof.
        </p>

        <section>
          <h4>Create Base Proof (bbs-2023)</h4>

          <p>
The following algorithm specifies how to create a [=data integrity proof=] given
an <a>unsecured data document</a>. Required inputs are an
<a>unsecured data document</a> ([=map=] |unsecuredDocument|), a set of proof
options ([=map=] |options|), an array of mandatory JSON pointers
(|mandatoryPointers|), a |featureOption| indicator parameter, and, depending on
the |featureOption|, a |commitment_with_proof| byte array.
A [=data integrity proof=] ([=map=]), or an error,
is produced as output.
          </p>
          <p>
The |featureOption| parameter is used to indicate which optional feature, if
any, is being used. It can take one of the following values: `"baseline"`,
`"anonymous_holder_binding"`, `"pseudonym"`, or
`"holder_binding_pseudonym"`. Note that `"baseline"` is used to denote the case of
no optional features. If |featureOption| is set to
`"anonymous_holder_binding"`, `"pseudonym"`, or `"holder_binding_pseudonym"`, the
|commitment_with_proof| input MUST be supplied.
If |featureOption| is set to
`"pseudonym"` or `"holder_binding_pseudonym"`, the
|signer_nym_entropy| input MUST be supplied.
          </p>

          <ol class="algorithm">
            <li>
Let |proof| be a clone of the proof options, |options|.
            </li>
            <li>
Let |proofConfig| be the result of running the algorithm in
Section [[[#base-proof-configuration-bbs-2023]]] with
|options| passed as a parameter.
            </li>
            <li>
Let |transformedData| be the result of running the algorithm in Section
[[[#base-proof-transformation-bbs-2023]]] with |unsecuredDocument|,
|proofConfig|, and |options| passed as parameters.
            </li>
            <li>
Let |hashData| be the result of running the algorithm in Section
[[[#base-proof-hashing-bbs-2023]]] with |transformedData| and |proofConfig|
passed as a parameters.
            </li>
            <li>
Let |proofBytes| be the result of running the algorithm in Section
[[[#base-proof-serialization-bbs-2023]]] with |hashData|,
|options|, |featureOption|, and, if required, |commitment_with_proof| passed as
parameters.
            </li>
            <li>
Let |proof|.|proofValue| be a <a data-cite="VC-DATA-INTEGRITY#multibase-0">
base64url-encoded Multibase value</a> of the |proofBytes|.
            </li>
            <li>
Return |proof| as the [=data integrity proof=].
            </li>
          </ol>

        </section>

        <section>
          <h4>Base Proof Transformation (bbs-2023)</h4>
          <p>
The following algorithm specifies how to transform an unsecured input document
into a transformed document that is ready to be provided as input to the
hashing algorithm in Section <a href="#base-proof-hashing-bbs-2023"></a>.
          </p>
          <p>
Required inputs to this algorithm are an
<a data-cite="vc-data-integrity#dfn-unsecured-data-document">
unsecured data document</a> (|unsecuredDocument|) and
transformation options (|options|). The
transformation options MUST contain a type identifier for the
<a data-cite="vc-data-integrity#dfn-cryptosuite">
cryptographic suite</a> (|type|), a cryptosuite
identifier (|cryptosuite|), and a verification method
(|verificationMethod|). The transformation options MUST contain an
array of mandatory JSON pointers (|mandatoryPointers|) and MAY contain
additional options, such as a JSON-LD document loader. A <em>transformed data
document</em> is produced as output. Whenever this algorithm encodes strings, it
MUST use UTF-8 encoding.
          </p>
          <ol class="algorithm">
            <li>
Initialize |hmac| to an HMAC API using a locally generated and exportable HMAC
key. The HMAC uses the same hash algorithm used in the signature algorithm,
i.e., SHA-256. Per the recommendations of [[RFC2104]], the HMAC key MUST be the
same length as the digest size; for SHA-256, this is 256 bits or 32 bytes.
            </li>
            <li>
Initialize `labelMapFactoryFunction` to the result of calling the
`createShuffledIdLabelMapFunction` algorithm passing `hmac` as `HMAC`.
            </li>
            <li>
Initialize `groupDefinitions` to a map with an entry with a key of the string
"`mandatory`" and a value of |mandatoryPointers|.
            </li>
            <li>
Initialize `groups` to the result of calling the algorithm in
<a href="https://www.w3.org/TR/vc-di-ecdsa/#canonicalizeandgroup">Section 3.3.16
canonicalizeAndGroup</a> of the [[DI-ECDSA]] specification, passing
`labelMapFactoryFunction`,
`groupDefinitions`, `unsecuredDocument` as `document`, and any custom JSON-LD
API options. Note: This step transforms the document into an array of canonical
N-Quads whose order has been shuffled based on 'hmac' applied blank node
identifiers, and groups
the N-Quad strings according to selections based on JSON pointers.
            </li>
            <li>
Initialize `mandatory` to the values in the `groups.mandatory.matching` map.
            </li>
            <li>
Initialize `nonMandatory` to the values in the `groups.mandatory.nonMatching`
map.
            </li>
            <li>
Initialize `hmacKey` to the result of exporting the HMAC key from `hmac`.
            </li>
            <li>
Return an object with "`mandatoryPointers`" set to `mandatoryPointers`,
"`mandatory`" set to `mandatory`, "`nonMandatory`" set to `nonMandatory`,
and "`hmacKey`" set to `hmacKey`.
            </li>
          </ol>
        </section>

        <section>
          <h4>Base Proof Hashing (bbs-2023)</h4>

          <p>
The following algorithm specifies how to cryptographically hash a
<em>transformed data document</em> and <em>proof configuration</em>
into cryptographic hash data that is ready to be provided as input to the
algorithms in Section <a href="#base-proof-serialization-bbs-2023"></a>.
          </p>

          <p>
The required inputs to this algorithm are a <em>transformed data document</em>
(|transformedDocument|) and <em>canonical proof configuration</em>
(|canonicalProofConfig|). A <em>hash data</em> value represented
as an object is produced as output.
          </p>

          <ol class="algorithm">
            <li>
Initialize `proofHash` to the result of calling the RDF Dataset Canonicalization
algorithm [[RDF-CANON]] on `canonicalProofConfig` and then cryptographically
hashing the result using the same hash that is used by the signature algorithm,
i.e., SHA-256. Note: This step can be performed in parallel;
it only needs to be completed before this algorithm terminates, as the result is
part of the return value.
            </li>
            <li>
Initialize `mandatoryHash` to the result of calling the the algorithm in
<a href="https://www.w3.org/TR/vc-di-ecdsa/#hashmandatorynquads">Section 3.3.17
hashMandatoryNQuads</a> of the [[DI-ECDSA]] specification, passing
|transformedDocument|.`mandatory` and using the SHA-256
algorithm.
            </li>
            <li>
Initialize `hashData` as a deep copy of |transformedDocument|, and
add `proofHash` as "`proofHash`" and `mandatoryHash` as "`mandatoryHash`" to that
object.
            </li>
            <li>
Return `hashData` as <em>hash data</em>.
            </li>
          </ol>

        </section>

        <section>
          <h4>Base Proof Configuration (bbs-2023)</h4>

          <p>
The following algorithm specifies how to generate a
<em>proof configuration</em> from a set of <em>proof options</em>
that is used as input to the
<a href="#base-proof-hashing-bbs-2023">base proof hashing algorithm</a>.
          </p>

          <p>
The required inputs to this algorithm are <em>proof options</em>
(|options|) and the
<a data-cite="vc-data-integrity#dfn-unsecured-data-document">unsecured data
document</a> (|unsecuredDocument|). The <em>proof options</em> MUST contain a
type identifier for the
<a data-cite="vc-data-integrity#dfn-cryptosuite">
cryptographic suite</a> (|type|) and MUST contain a cryptosuite
identifier (|cryptosuite|). A <em>proof configuration</em>
object is produced as output.
          </p>

          <ol class="algorithm">
            <li>
Let |proofConfig| be a clone of the |options| object.
            </li>
            <li>
If |proofConfig|.|type| is not set to `DataIntegrityProof` and/or
|proofConfig|.|cryptosuite| is not set to `bbs-2023`, an error MUST be raised
and SHOULD convey an error type of
<a data-cite="VC-DATA-INTEGRITY#PROOF_GENERATION_ERROR">PROOF_GENERATION_ERROR</a>.
            </li>
            <li>
If |proofConfig|.|created| is set and if the value is not a
valid [[XMLSCHEMA11-2]] datetime, an error MUST be raised and SHOULD convey an
error type of
<a data-cite="VC-DATA-INTEGRITY#PROOF_GENERATION_ERROR">PROOF_GENERATION_ERROR</a>.
            </li>
            <li>
Set |proofConfig|.<var>@context</var> to
|unsecuredDocument|.<var>@context</var>.
            </li>
            <li>
Let |canonicalProofConfig| be the result of applying the RDF Dataset
Canonicalization Algorithm [[RDF-CANON]] to the |proofConfig|.
            </li>
            <li>
Return |canonicalProofConfig|.
            </li>
          </ol>

        </section>


        <section>
          <h4>Base Proof Serialization (bbs-2023)</h4>

          <p>
The following algorithm, to be called by an issuer of a BBS-protected Verifiable
Credential, specifies how to create a base proof. The base proof is to be
given only to the holder, who is responsible for generating a derived proof from
it, exposing only selectively disclosed details in the proof to a verifier. This
algorithm is designed to be used in conjunction with the algorithms defined
in the Data Integrity [[VC-DATA-INTEGRITY]] specification,
<a data-cite="vc-data-integrity#algorithms">
Section 4: Algorithms</a>. Required inputs are
cryptographic hash data (|hashData|),
|featureOption|, and, if required,
|commitment_with_proof|.
If |featureOption| is set to `"anonymous_holder_binding"`,
`"pseudonym"`, or `"holder_binding_pseudonym"`, the
|commitment_with_proof| input MUST be supplied; if not supplied,
an error MUST be raised and SHOULD convey an error type of
<a data-cite="VC-DATA-INTEGRITY#PROOF_GENERATION_ERROR">PROOF_GENERATION_ERROR</a>.
If |featureOption| is set to
`"pseudonym"` or `"holder_binding_pseudonym"`, the
|signer_nym_entropy| input MUST be supplied; if not supplied,
an error MUST be raised and SHOULD convey an error type of
<a data-cite="VC-DATA-INTEGRITY#PROOF_GENERATION_ERROR">PROOF_GENERATION_ERROR</a>.
A single <em>digital proof</em> value represented as series of bytes is produced
as output.
          </p>

          <ol class="algorithm">
            <li>
Initialize `proofHash`, `mandatoryPointers`, `mandatoryHash`, `nonMandatory`,
and `hmacKey` to the values associated with their property names in
|hashData|.
            </li>
            <li>
Initialize `bbsHeader` to the concatenation of `proofHash` and `mandatoryHash` in
that order.
            </li>
            <li>
Initialize `bbsMessages` to an array of byte arrays containing the values in the
`nonMandatory` array of strings encoded using the UTF-8 <a>character encoding</a>.
            </li>
            <li>
Compute the `bbsSignature` using the procedures below, dependent on the values
of |featureOption|.
              <ol class="algorithm">
                <li>
If |featureOption| equals `"baseline"`, compute the
`bbsSignature` using the `Sign` procedure of [[CFRG-BBS-Signature]],
with appropriate key material, |bbsHeader| for the `header`, and |bbsMessages|
for the `messages`.
                </li>
                <li>
If |featureOption| equals `"anonymous_holder_binding"` , compute the
`bbsSignature` using the `BlindSign` procedure of [[CFRG-Blind-BBS-Signature]],
with appropriate key material, |commitment_with_proof| for the
`commitment_with_proof`, |bbsHeader| for the `header`, and |bbsMessages|
for the `messages`. This provides for the
<a href="#anonymous-holder-binding">Anonymous Holder Binding</a> feature.
                </li>
                <li>
If |featureOption| equals `"pseudonym"` or `"holder_binding_pseudonym"`,
the issuer generates a
cryptographically random value for the |signer_nym_entropy| and computes the
`bbsSignature` using the
"Blind Issuance" operation from [[CFRG-Pseudonym-BBS-Signature]]
with
                                appropriate key material,
            |bbsHeader| for the `header`,
          |bbsMessages| for the `messages`,
|commitment_with_proof| for the `commitment_with_proof`, and
                                |signer_nym_entropy| values.
If the issuer might ever need to reissue a
credential to this holder that is bound to the same |nym_secret|, they should
retain the |signer_nym_entropy| value; otherwise, this value can be discarded.
<br><br>
This provides for the <a href="#credential-bound-pseudonyms">Credential-Bound
Pseudonyms</a>  or <a href="#holder-binding-and-pseudonyms">Holder Binding and
Pseudonyms</a> features.
                </li>
              </ol>
            </li>
            <li>
Initialize `proofValue to the result of calling the algorithm in Section
<a href="#serializebaseproofvalue"></a>, passing |bbsSignature|, |bbsHeader|,
|publicKey|, |hmacKey|, |mandatoryPointers|, |featureOption|, and, depending on
the |featureOption| value, |signer_nym_entropy|, as parameters.
<br><br>
Note: `publicKey` is a byte array of the public key, encoded according to
[[CFRG-BBS-SIGNATURE]].
            </li>
            <li>
Return `proofValue` as <em>digital proof</em>.
            </li>
          </ol>
        </section>


        <section>
          <h4>Add Derived Proof (bbs-2023)</h4>

          <p>
The following algorithm, to be called by a holder of a `bbs-2023`-protected
<a>verifiable credential</a>, creates a selective disclosure derived proof.
The derived proof is to be given to the <a>verifier</a>. The inputs include a
JSON-LD document (|document|), a BBS base proof
(|proof|), an array of JSON pointers to use to selectively disclose
statements (|selectivePointers|), an OPTIONAL BBS
|presentationHeader| (a byte array), a |featureOption| parameter, additional
parameters supporting the |featureOption| selected (see below),
and any custom JSON-LD API options,
such as a document loader. A single <em>selectively revealed document</em>
value, represented as an object, is produced as output.
          </p>
          <p>
If |featureOption| equals `"anonymous_holder_binding"`, the
REQUIRED additional inputs are |holderSecret| and |proverBlind|. These would
have been precomputed by the holder. See
<a href="#anonymous-holder-binding">Anonymous Holder Binding</a> for background
information.
          </p>
          <p>
If |featureOption| equals `"pseudonym"`, the REQUIRED
additional inputs are |prover_nym| and |proverBlind|, which are both known to
the holder, and |nym_dofmain|, which is either set by the holder or communicated
to the holder by the verifier.
See <a href="#credential-bound-pseudonyms">Credential-Bound Pseudonyms</a> for
background information.
          </p>
          <p>
If |featureOption| equals `"holder_binding_pseudonym"`, the REQUIRED
additional inputs are |holder_secret|, |prover_nym|, and |proverBlind|, which are
all known to the holder, and |nym_dofmain|, which is either set by the holder or
communicated to the holder by the verifier.
See <a href="#holder-binding-and-pseudonyms">Holder Binding and Pseudonyms</a> for
background information.
          </p>
          <ol>
            <li>
Initialize |bbsProof|,  |labelMap|, |mandatoryIndexes|, |selectiveIndexes|, and
|revealDocument| to the values associated with their
property names in the object returned when calling the algorithm in
Section <a href="#createdisclosuredata"></a>, passing the |document|, |proof|,
|selectivePointers|, |presentationHeader|, |featureOption|, required additional
inputs based on the |featureOption|, and any custom JSON-LD API options,
such as a document loader.
            </li>
            <li>
Initialize |newProof| to a shallow copy of |proof|.
            </li>
            <li>
Replace |proofValue| in |newProof| with the result of calling the algorithm
in Section <a href="#serializederivedproofvalue"></a>, passing |bbsProof|,
|labelMap|, |mandatoryIndexes|, |selectiveIndexes|, |featureOption|, and any
required inputs indicated by the |featureOption|.
            </li>
            <li>
Set the value of the "`proof`" property in |revealDocument| to |newProof|.
            </li>
            <li>
Return |revealDocument| as the <em>selectively revealed document</em>.
            </li>
          </ol>

        </section>

        <section>
          <h4>Verify Derived Proof (bbs-2023)</h4>

          <p>
The following algorithm specifies how to verify a [=data integrity proof=] given
an <a>secured data document</a>. Required inputs are a
<a>secured data document</a> ([=map=] |securedDocument|). This algorithm returns
a <dfn>verification result</dfn>, which is a [=struct=] whose
[=struct/items=] are:
          </p>

          <dl>
            <dt><dfn data-dfn-for="verification result">verified</dfn></dt>
            <dd>`true` or `false`</dd>
            <dt><dfn data-dfn-for="verification result">verifiedDocument</dfn></dt>
            <dd>
<a data-cite="INFRA#nulls">Null</a>, if [=verification result/verified=] is
`false`; otherwise, an [=unsecured data document=]
            </dd>
          </dl>

          <p>
To verify a derived proof, perform the following steps:
          </p>

          <ol class="algorithm">
            <li>
Let |publicKeyBytes| be the result of retrieving the
public key bytes associated with the
|proof|.|verificationMethod| value as described in the
Data Integrity [[VC-DATA-INTEGRITY]] specification,
<a data-cite="vc-data-integrity#algorithms">
Section 4: Retrieve Verification Method</a>.
            </li>
            <li>
Let |unsecuredDocument| be a copy of |securedDocument| with
the `proof` value removed.
            </li>
            <li>
Let |proof| be the value of |securedDocument|.|proof|.
            </li>
            <li>
Initialize |bbsProof|, |proofHash|, |mandatoryHash|, |selectiveIndexes|,
|presentationHeader|, |nonMandatory|, |featureOption|, and, possibly,
|lengthBBSMessages| and/or |pseudonym|, to the values associated
with their property names in the object returned when calling the algorithm in
Section <a href="#createverifydata"></a>, passing the |unsecuredDocument|,
|proof|, and any custom JSON-LD API options (such as a document loader).
            </li>
            <li>
Initialize |bbsHeader| to the concatenation of |proofHash| and |mandatoryHash|
in that order. Initialize |disclosedMessages| to an array of byte arrays
obtained from the UTF-8 encoding of the elements of the |nonMandatory| array.
            </li>
            <li>
Initialize |verified| to the result of applying the verification
algorithm below, depending the |featureOption| value.
            <ol class="algorithm">
              <li>
If the |featureOption| equals `"baseline"`, initialize |verified| to the result of
applying the verification algorithm `ProofVerify(PK, proof, header, ph,
disclosed_messages, disclosed_indexes)` of [[CFRG-BBS-SIGNATURE]] with `PK` set
as the public key of the original issuer, `proof` set as `bbsProof`, `header`
set as `bbsHeader`, `disclosed_messages` set as `disclosedMessages`, `ph` set as
`presentationHeader`, and `disclosed_indexes` set as `selectiveIndexes`.
              </li>
              <li>
If the |featureOption| equals `"anonymous_holder_binding"`,
initialize |verified| to the result of
applying the `ProofVerify` verification algorithm of
[[CFRG-Blind-BBS-Signature]] using |lengthBBSMessages| for the `"L"` parameter.
<span class="note">To be updated when IETF API is finalized.</span>
              </li>
              <li>
If the |featureOption| equals `"pseudonym"` or `"holder_binding_pseudonym"`,
initialize |verified|
to the result of applying the
"Proof Verification with Pseudonym" operation from
[[CFRG-Pseudonym-BBS-Signature]] using |lengthBBSMessages| for the `"L"`
parameter and an empty |committed_messages| array.
<span class="note">To be updated when IETF
API is finalized.</span>
              </li>
            </ol>
          </li>
          <li>
Return a [=verification result=] with [=struct/items=]:
              <dl data-link-for="verification result">
                <dt>[=verified=]</dt>
                <dd>|verified|</dd>
                <dt>[=verifiedDocument=]</dt>
                <dd>
|unsecuredDocument| if |verified| is `true`, otherwise
<a data-cite="INFRA#nulls">Null</a>
                </dd>
              </dl>
            </li>
          </ol>

        </section>
      </section>
    </section>
    <section class="informative">
      <h2>Optional Features</h2>
      <p>
The cryptographic properties of BBS signatures permit variants that
can support advanced functionalities. This specification is limited to
supporting only the most relevant of these enhancements, which we explain in the
following sections. The variables |commitment_with_proof|, |holder_secret|,
|prover_nym|, |signer_nym_entropy|, and |pseudonym| are associated with these
features and are not otherwise needed for BBS signatures and proofs.
      </p>
      <p class="issue at-risk" title="Optional BBS features are at risk">
The optional BBS features described in this section, and included in the
algorithms in this specification, are at risk and will be removed before
the finalization of this specification if their respective specifications
at the IETF do not reach RFC status on the same timeline or if there
are not at least two independent implementations for each optional
feature.
      </p>
      <section>
        <h3>Anonymous Holder Binding</h3>
        <p>
This feature binds, at the time of issuance, a document with base proof, to a
secret, known only to a holder, in such a way, that only that holder can generate
a revealed document with derived proof that will verify. For example, if an
adversary obtained the document with base proof, they could not create a revealed
document with derived proof that can verify.
        </p>
        <p>
To provide for this functionality, a holder generates a |holder_secret| value
which should generally be at least 32 bytes long and cryptographically randomly
generated. This value is never shared by the holder. Instead, the holder
generates a commitment, along with a zero knowledge proof of knowledge of this
value, using the "Commitment Computation" operation of [[CFRG-Blind-BBS-Signature]].
This computation involves cryptographically random values and computes
the |commitment_with_proof| and |secret_prover_blind| values. The
|commitment_with_proof| is conveyed to the issuer, while the
|secret_prover_blind| is kept secret and is retained by the holder for use
in generation of derived proofs.
Note that a holder can run the "Commitment Computation" operation multiple times,
to produce unlinkable |commitment_with_proof| values for use with different issuers.
        </p>
        <p>
The issuer, on receipt of the |commitment_with_proof|, follows the procedures
of this specification, and uses the "Blind Signature Generation" operation of
[[CFRG-Blind-BBS-Signature]] to produce a base proof (signature) over the document,
with the |commitment_with_proof| furnished by the holder.
        </p>
        <p>
When the holder wants to create a selectively disclosed document with derived
proof, they use the procedures of this specification and the "Proof Generation"
operation of [[CFRG-Blind-BBS-Signature]]. They use their |holder_secret| as
the only "message" in the |commited messages| array, and supply their
|secret_prover_blind|.
        </p>
        <p>
Verification of the revealed document with derived proof uses the procedures
of this specification and the "Proof Verification" operation of
[[CFRG-Blind-BBS-Signature]].
        </p>

      </section>
      <section>
        <h3>Credential-Bound Pseudonyms</h3>
          <p>
BBS-signed Verifiable Credentials as specified in this document allow for
selective disclosure and unlinkable cryptographic proof artifacts. By
"unlinkable", we mean that the
cryptographic information in the derived proofs cannot be linked to other
proofs nor the original signature. This implies that a verifier cannot determine
whether a holder has presented the same credential before (with a different proof
instantiation), nor can they assert some type of identity. Credential-bound
pseudonyms provide a privacy preserving mechanism to allow for the limited
linkability of a cryptographic pseudonym. Such a pseudonym may be determined
strictly by the holder, or jointly by the holder and the verifier.
          </p>
          <p>
This type of cryptographic pseudonym (cryptographic identifier/name) is
computed from two parts. The first part, the |nym_secret|, is specified by,
and will only be known by, the
holder; the second part, the |nym_domain|, may be specified by either the holder
or the verifier, and will be shared between the holder and verifier.
An issuer binds a credential to a |nym_secret| during the issuance process. 
A holder can then compute pseudonyms from the |nym_secret| and prove to
verifiers that these pseudonyms are bound to the credential they are presenting.
Cryptographic pseudonyms computed from the same |nym_secret| but different
|nym_domain| values are unlinkable.
          </p>
          <p>
The holder might choose a |nym_domain| to give themselves a pseudonym for some
type of public forum, e.g., choose <code>|nym_domain| = "Mark Twain"</code>.
The cryptographic pseudonym calculated by the holder from this |nym_domain|
with their |nym_secret| is essentially unique, and no entity that does not both
know the |nym_secret| and possess the base verifiable credential bound to the
pseudonym could assert this pseudonymous identity. Note that the doublet of
(|nym_domain|, pseudonym) has to be sent with the derived credential to assert
this pseudonymous identity.
          </p>
          <p>
In a different situation, a holder may be using a service from a verifier where
the verifier wants to track visits over time or monitor use of some resource by
the holder. In this case, the verifier chooses the |nym_domain| that the holder
needs to use when presenting their derived credential. For example, a
verifier might specify a public |nym_domain| tied to their DNS domain (e.g.,
`"www.nym.example"`) for the holder to use. A verifier could also
demonstrate that they support data minimization, of a sort, by periodically
changing the |nym_domain| (e.g., tying it to a date,
`"www.nym.example/2025-01-02"`). This specification does not dictate
values for the |nym_domain|.
          </p>
          <p>
Finally, to prevent a malicious holder who obtains another holder's
|nym_secret| from getting a credential bound to that value, the operations
from the [[CFRG-Pseudonym-BBS-Signature]] have the issuer add a randomization
factor, |signer_nym_entropy|, that is securely "mixed" with the holder's
portion, the |prover_nym|, during signature generation. This results in a
|nym_secret| for which the issuer can provide cryptographic assurance that
it is unique, to be used by the holder.
          </p>
          <p>
An outline of the creation and use of credential-bound pseudonyms is shown in
the steps below.
          </p>
          <ol class="algorithm">
            <li>
The holder creates a secure value, known as the |prover_nym|, that should be
at least 32 bytes long and generated in cryptographically random manner. They
then use the "`Commitment`" operation from [[CFRG-Pseudonym-BBS-Signature]]
with an empty |committed_messages| array to compute
the |commitment_with_proof| and the |secret_prover_blind|. The holder sends the
|commitment_with_proof| to the issuer with a request for a credential, but never
discloses |prover_nym| and |secret_prover_blind|, keeping them for later use.
            </li>
            <li>
The issuer receives the holder's request for a credential with a bound pseudonym
(|featureOption| equals `"pseudonym"`), along with the |commitment_with_proof|.
The issuer generates a cryptographically random value for the
|signer_nym_entropy| and uses the "Blind Issuance" operation from
[[CFRG-Pseudonym-BBS-Signature]] to produce the base proof. Among other
information, the base proof will contain the |signer_nym_entropy| value. If the
issuer might ever need to reissue a credential to this holder that is bound to
the same |nym_secret|, they should retain the |signer_nym_entropy| value;
otherwise, this value can be discarded.
            </li>
            <li>
On receipt of the credential with bound pseudonym, the holder uses the procedures
in this specification, along with the "Verification and Finalization" operation
from [[CFRG-Pseudonym-BBS-Signature]] with an empty |committed_messages| array,
to both verify the signature and compute the |nym_secret| value. This operation
uses the |prover_nym|, |signer_nym_entropy|, and |secret_prover_blind| values,
amongst others. If third-party monitoring is being used, then the |nym_secret|
value will need to be securely shared with the monitoring organization.
            </li>
            <li>
When a holder wants to generate a derived proof bound to a pseudonym, they need
to determine the |nym_domain|. As previously noted, this might be specified by
the verifier or set by the holder, depending on the usage scenario. They then use
the procedures in this specification with the "Proof Generation with Pseudonym"
operation from [[CFRG-Pseudonym-BBS-Signature]] to produce the derived proof.
This operation takes as inputs the |nym_secret|, |nym_domain|, empty
|committed_messages| array, and
|secret_prover_blind|, amongst others. In addition to providing the raw
cryptographic proof value, it also returns the |pseudonym| value that gets
included in the derived proof.
            </li>
            <li>
When a verifier receives a derived proof with bound pseudonym, they use the
procedures in this specification along with the
"Proof Verification with Pseudonym" operation from
[[CFRG-Pseudonym-BBS-Signature]] to validate the derived proof. Note that these
procedures will also validate that the specified |nym_domain| was used in the
computation of the |pseudonym|.
            </li>
          </ol>

      </section>
      <section>
        <h3>Holder Binding and Pseudonyms</h3>
        <p>
Anonymous holder binding and credential-bound pseudonyms are, in a sense,
orthogonal features, and a holder and credential ecosystem may wish to use both
at the same time. For instance, a holder may wish to bind a verifiable
credential to a |holder_secret|, so that only a holder knowing this value can
generate a derived proof from the base proof, and bind a |nym_secret| to the
base proof so that pseudonyms can be bound to the derived proof. This
corresponds to the |featureOption| being equal to `"holder_binding_pseudonym"`.
        </p>
        <p>
An outline of the creation and use of both anonymous holder binding and
credential bound pseudonyms is given in the following steps.
        </p>
        <ol class="algorithm">
          <li>
The holder creates two secure values known as the |holder_secret| and
|prover_nym| that should be at
least 32 bytes long and generated in cryptographically random manner. They then
use the "Commitment" operation from [[CFRG-Pseudonym-BBS-Signature]] with the
|committed_messages| array input containing the |holder_secret| as its only
element, to compute the |commitment_with_proof| and |secret_prover_blind|. The
|commitment_with_proof| is sent with their request to the issuer for a
credential while the |holder_secret|, |prover_nym| and |secret_prover_blind| are
kept for later use by the holder and are never disclosed.
          </li>
          <li>
The issuer receives the holders request for a credential with a bound pseudonym,
|featureOption| equals `"pseudonym"`, along with the |commitment_with_proof|.
The issuer uses the procedures in this specification and generates a
cryptographically random value for the |signer_nym_entropy| and uses the
"Blind Issuance" operation from [[CFRG-Pseudonym-BBS-Signature]] to produce the
base proof. Among other information the base proof will contain the
|signer_nym_entropy| value. If the issuer ever needs reissue a credential to
this holder that is bound to the same |nym_secret| they should retain the
|signer_nym_entropy| value, otherwise this value can be discarded.
          </li>
          <li>
The holder on receipt of the credential with bound pseudonym uses the procedures
in this specification along with the "Verification and Finalization" operation
from [[CFRG-Pseudonym-BBS-Signature]] with the |committed_messages| array
containing the |holder_secret| as its only element,
to both verify the signature and compute
the |nym_secret| value. This operation uses the |holder_secret|, |prover_nym|,
|signer_nym_entropy|, and |secret_prover_blind| values amongst others. If third
party monitoring is being utilized then the |nym_secret| value would be securely
shared with the monitoring organization.
          </li>
          <li>
When the holder wants to generate a derived proof bound to a pseudonym they need
to determine the |nym_domain|. As previously stated this might be specified by
the verifier or set by the holder depending on the usage scenario. They then use
the procedures in this specification and the "Proof Generation with Pseudonym"
operation from [[CFRG-Pseudonym-BBS-Signature]] to produce the derived proof.
This operation takes as inputs the |nym_secret|, |nym_domain|, the
|committed_messages| array containing the |holder_secret| as its only element,
and |secret_prover_blind| amongst others. In addition to providing the raw
cryptographic proof value it also returns the |pseudonym| value that gets
included in the derived proof.
          </li>
          <li>
When a verifier receives a derived proof with bound pseudonym they use the
procedures in this specification along with the
"Proof Verification with Pseudonym" operation from
[[CFRG-Pseudonym-BBS-Signature]] to validate the derived proof. Note that these
procedures will also validate that the specified |nym_domain| was used in the
computation of the |pseudonym|.
          </li>
        </ol>

      </section>
      <section class="informative">
        <h3>Optional Feature Summary</h3>
        <p>
This section provides summaries of the inputs, outputs, proof serialiation,
tasks, and procedures for "baseline" BBS proofs as well as those for the
optional features. By <em>baseline</em> BBS, we mean BBS base and derived proofs
without additional features. All the optional features are "additive" in the
sense that some additional input, task, or output is generated
<em>in addition</em> to those of the "baseline" BBS signatures/proofs.
        </p>
        <table class="complex data">
          <caption>Table 1 <em>Issuer Create Base: Inputs and such.</em> </caption>
          <thead>
            <tr>
              <th>Name</th>
              <th>Tasks</th>
              <th>Inputs</th>
              <th>Signing Algorithm</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>Baseline BBS</td>
              <td><em>baseline</em>: BBS signature generation from VC</td>
              <td> <em>baseline</em>: document, proof options, key material, mandatory pointers</td>
              <td>BBS</td>
            </tr>
            <tr>
              <td>Anonymous Holder Binding</td>
              <td><em>baseline</em></td>
              <td><em>baseline</em> + commitment with proof from holder</td>
              <td>Blind BBS</td>
            </tr>
            <tr>
              <td>Credential-Bound Pseudonyms</td>
              <td><em>baseline</em> + generate |signer_nym_entropy| </td>
              <td><em>baseline + |signer_nym_entropy|, commitment with proof
                from holder </em></td>
              <td>Pseudonym BBS</td>
            </tr>
            <tr>
              <td>Holder Binding and Pseudonyms</td>
              <td><em>baseline</em> + generate |signer_nym_entropy|</td>
              <td><em>baseline</em> + |signer_nym_entropy|,
                commitment with proof from holder</td>
              <td>Pseudonym BBS</td>
            </tr>
          </tbody>
        </table>

        <table class="complex data">
          <caption>Table 2 <em>Issuer Create Base: Headers and Serialization.</em> </caption>
          <thead>
            <tr>
              <th>Name</th>
              <th>Proof Header Bytes</th>
              <th>Serialized Output</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>Baseline BBS</td>
              <td>`0xd9`, `0x5d`, and `0x02`</td>
              <td><em>baseline</em>: bbsSignature, bbsHeader, publicKey, hmacKey, and mandatoryPointers</td>
            </tr>
            <tr>
              <td>Anonymous Holder Binding</td>
              <td>`0xd9`, `0x5d`, and `0x04`</td>
              <td><em>baseline</em></td>
            </tr>
            <tr>
              <td>Credential-Bound Pseudonyms</td>
              <td>`0xd9`, `0x5d`, and `0x06`</td>
              <td> <em>baseline</em> + |signer_nym_entropy| </td>
            </tr>
            <tr>
              <td>Holder Binding and Pseudonyms</td>
              <td>`0xd9`, `0x5d`, and `0x08`</td>
              <td><em>baseline</em> + |signer_nym_entropy| </td>
            </tr>
          </tbody>
        </table>

        <table class="complex data">
          <caption>Table 3 <em>Holder Add Derived: Inputs and such.</em> </caption>
          <thead>
            <tr>
              <th>Name</th>
              <th>Tasks</th>
              <th>Inputs</th>
              <th>Proof Generation Algorithm</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>Baseline BBS</td>
              <td>BBS derived proof generation from VC with base proof</td>
              <td><em>baseline</em>: (from base proof serialization)
                bbsSignature, bbsHeader, publicKey, hmacKey, and
                mandatoryPointers; selectivePointers (holders choice)</td>
              <td>BBS</td>
            </tr>
            <tr>
              <td>Anonymous Holder Binding</td>
              <td><em>baseline</em></td>
              <td><em>baseline</em> + |holder_secret|, |prover_blind| (both
                known to holder)</td>
              <td>Blind BBS</td>
            </tr>
            <tr>
              <td>Credential Bound Pseudonyms</td>
              <td><em>baseline</em> + compute |nym_secret|, compute |pseudonym|
              </td>
              <td><em>baseline</em> + |prover_nym|,
                |prover_blind| (all known to holder), |signer_nym_entropy|
                (included in base from issuer), |nym_domain|</td>
              <td>Pseudonym BBS</td>
            </tr>
            <tr>
              <td>Holder Binding and Pseudonyms</td>
              <td><em>baseline</em> + compute |nym_secret|, compute |pseudonym|
              </td>
              <td><em>baseline</em> + |holder_secret|, |prover_nym|,
                |prover_blind| (all known to holder), |signer_nym_entropy|
                (included in base from issuer), |nym_domain|
              </td>
              <td>Pseudonym BBS</td>
            </tr>
          </tbody>
        </table>

        <table class="complex data">
          <caption>Table 4 <em>Holder Add Derived: Headers and Serialization.</em> </caption>
          <thead>
            <tr>
              <th>Name</th>
              <th>Proof Header Bytes</th>
              <th>Serialized Output</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>Baseline BBS</td>
              <td>`0xd9`, `0x5d`, and `0x03`</td>
              <td><em>baseline</em>: bbsProof, compressedLabelMap,
                mandatoryIndexes, selectiveIndexes, presentationHeader
              </td>
            </tr>
            <tr>
              <td>Anonymous Holder Binding</td>
              <td>`0xd9`, `0x5d`, and `0x05`</td>
              <td><em>baseline</em></td>
            </tr>
            <tr>
              <td>Credential Bound Pseudonyms</td>
              <td>`0xd9`, `0x5d`, and `0x07`</td>
              <td><em>baseline</em> + |pseudonym|, |nym_domain|</td>
            </tr>
            <tr>
              <td>Holder Binding and Pseudonyms</td>
              <td>`0xd9`, `0x5d`, and `0x09`</td>
              <td><em>baseline</em> + |pseudonym|, |nym_domain|</td>
            </tr>
          </tbody>
        </table>

         <table class="complex data">
          <caption>Table 5 <em>Verify Derived: Inputs and Algorithms.</em>
          </caption>
          <thead>
            <tr>
              <th>Name</th>
              <th>Inputs</th>
              <th>Proof Verification Algorithm</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>BBS baseline</td>
              <td><em>baseline</em>: (from derived proof serialization)
                bbsProof, compressedLabelMap, mandatoryIndexes,
                selectiveIndexes, presentationHeader
              </td>
              <td>BBS</td>
            </tr>
            <tr>
              <td>Anonymous Holder Binding</td>
              <td><em>baseline</em></td>
              <td>Blind BBS</td>
            </tr>
            <tr>
              <td>Credential-Bound Pseudonyms</td>
              <td><em>baseline</em> + |pseudonym| (included in derived proof),
                |nym_domain|
              </td>
              <td>Pseudonym BBS</td>
            </tr>
            <tr>
              <td>Holder Binding and Pseudonyms</td>
              <td><em>baseline</em> + |pseudonym| (included in derived proof),
                |nym_domain|
              </td>
              <td>Pseudonym BBS</td>
            </tr>
          </tbody>
        </table>
      </section>
    </section>
    <section>
      <h2>Security Considerations</h2>

      <p class="advisement">
        Before reading this section, readers are urged to familiarize themselves
        with general security advice provided in the
        <a href="https://www.w3.org/TR/vc-data-integrity/#security-considerations">
        Security Considerations section of the Data Integrity specification</a>.
      </p>

      <section class="informative">
        <h3>Base Proof Security Properties</h3>

        <p>
The security of the base proof is dependent on the security properties of the
associated <em>BBS signature</em>. Digital signatures might exhibit a number of
desirable cryptographic properties [[Taming_EdDSAs]] among these are:
        </p>
        <p><strong>EUF-CMA</strong> (<em>existential unforgeability under
chosen message attacks</em>) is usually the minimal security property required
of a signature scheme. It guarantees that any efficient adversary who has the
public key
          <math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
            <mstyle displaystyle="true" scriptlevel="0">
              <mrow data-mjx-texclass="ORD">
                <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
                  <mtr>
                    <mtd>
                      <mi>p</mi>
                      <mi>k</mi>
                    </mtd>
                  </mtr>
                </mtable>
              </mrow>
            </mstyle>
          </math>
of the signer and received an arbitrary number of signatures on
messages of its choice (in an adaptive manner):
          <math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
            <mstyle displaystyle="true" scriptlevel="0">
              <mrow data-mjx-texclass="ORD">
                <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
                  <mtr>
                    <mtd>
                      <mo fence="false" stretchy="false">{</mo>
                      <msub>
                        <mi>m</mi>
                        <mi>i</mi>
                      </msub>
                      <mo>,</mo>
                      <msub>
                        <mi>&#x3C3;</mi>
                        <mi>i</mi>
                      </msub>
                      <msubsup>
                        <mo fence="false" stretchy="false">}</mo>
                        <mrow data-mjx-texclass="ORD">
                          <mi>i</mi>
                          <mo>=</mo>
                          <mn>1</mn>
                        </mrow>
                        <mi>N</mi>
                      </msubsup>
                    </mtd>
                  </mtr>
                </mtable>
              </mrow>
            </mstyle>
          </math>,
cannot output a valid signature
          <math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
            <mstyle displaystyle="true" scriptlevel="0">
              <mrow data-mjx-texclass="ORD">
                <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
                  <mtr>
                    <mtd>
                      <msup>
                        <mi>&#x3C3;</mi>
                        <mo>&#x2217;</mo>
                      </msup>
                    </mtd>
                  </mtr>
                </mtable>
              </mrow>
            </mstyle>
          </math>
for a new message
          <math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
            <mstyle displaystyle="true" scriptlevel="0">
              <mrow data-mjx-texclass="ORD">
                <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
                  <mtr>
                    <mtd>
                      <msup>
                        <mi>m</mi>
                        <mo>&#x2217;</mo>
                      </msup>
                      <mo>&#x2209;</mo>
                      <mo fence="false" stretchy="false">{</mo>
                      <msub>
                        <mi>m</mi>
                        <mi>i</mi>
                      </msub>
                      <msubsup>
                        <mo fence="false" stretchy="false">}</mo>
                        <mrow data-mjx-texclass="ORD">
                          <mi>i</mi>
                          <mo>=</mo>
                          <mn>1</mn>
                        </mrow>
                        <mi>N</mi>
                      </msubsup>
                    </mtd>
                  </mtr>
                </mtable>
              </mrow>
            </mstyle>
          </math>
(except with negligible probability). In case the attacker outputs a valid
signature on a new message:
          <math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
            <mstyle displaystyle="true" scriptlevel="0">
              <mrow data-mjx-texclass="ORD">
                <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
                  <mtr>
                    <mtd>
                      <mo stretchy="false">(</mo>
                      <msup>
                        <mi>m</mi>
                        <mo>&#x2217;</mo>
                      </msup>
                      <mo>,</mo>
                      <msup>
                        <mi>&#x3C3;</mi>
                        <mo>&#x2217;</mo>
                      </msup>
                      <mo stretchy="false">)</mo>
                    </mtd>
                  </mtr>
                </mtable>
              </mrow>
            </mstyle>
          </math>,
it is called an <em>existential forgery</em>.
        </p>
        <p><strong>SUF-CMA</strong> (<em>strong unforgeability under chosen
message attacks</em>) is a stronger notion than <em>EUF-CMA</em>. It guarantees
that for any efficient adversary who has the public key
          <math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
            <mstyle displaystyle="true" scriptlevel="0">
              <mrow data-mjx-texclass="ORD">
                <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
                  <mtr>
                    <mtd>
                      <mi>p</mi>
                      <mi>k</mi>
                    </mtd>
                  </mtr>
                </mtable>
              </mrow>
            </mstyle>
          </math>
of the signer and received an arbitrary number of signatures on messages of its
choice:
          <math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
            <mstyle displaystyle="true" scriptlevel="0">
              <mrow data-mjx-texclass="ORD">
                <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
                  <mtr>
                    <mtd>
                      <mo fence="false" stretchy="false">{</mo>
                      <msub>
                        <mi>m</mi>
                        <mi>i</mi>
                      </msub>
                      <mo>,</mo>
                      <msub>
                        <mi>&#x3C3;</mi>
                        <mi>i</mi>
                      </msub>
                      <msubsup>
                        <mo fence="false" stretchy="false">}</mo>
                        <mrow data-mjx-texclass="ORD">
                          <mi>i</mi>
                          <mo>=</mo>
                          <mn>1</mn>
                        </mrow>
                        <mi>N</mi>
                      </msubsup>
                    </mtd>
                  </mtr>
                </mtable>
              </mrow>
            </mstyle>
          </math>,
it cannot output a new valid signature pair
          <math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
            <mstyle displaystyle="true" scriptlevel="0">
              <mrow data-mjx-texclass="ORD">
                <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
                  <mtr>
                    <mtd>
                      <mo stretchy="false">(</mo>
                      <msup>
                        <mi>m</mi>
                        <mo>&#x2217;</mo>
                      </msup>
                      <mo>,</mo>
                      <msup>
                        <mi>&#x3C3;</mi>
                        <mo>&#x2217;</mo>
                      </msup>
                      <mo stretchy="false">)</mo>
                    </mtd>
                  </mtr>
                </mtable>
              </mrow>
            </mstyle>
          </math>,
such that
          <math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
            <mstyle displaystyle="true" scriptlevel="0">
              <mrow data-mjx-texclass="ORD">
                <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
                  <mtr>
                    <mtd>
                      <mo stretchy="false">(</mo>
                      <msup>
                        <mi>m</mi>
                        <mo>&#x2217;</mo>
                      </msup>
                      <mo>,</mo>
                      <msup>
                        <mi>&#x3C3;</mi>
                        <mo>&#x2217;</mo>
                      </msup>
                      <mo stretchy="false">)</mo>
                      <mo>&#x2209;</mo>
                      <mo fence="false" stretchy="false">{</mo>
                      <msup>
                        <mi>m</mi>
                        <mi>i</mi>
                      </msup>
                      <mo>,</mo>
                      <msup>
                        <mi>&#x3C3;</mi>
                        <mi>i</mi>
                      </msup>
                      <msubsup>
                        <mo fence="false" stretchy="false">}</mo>
                        <mrow data-mjx-texclass="ORD">
                          <mi>i</mi>
                          <mo>=</mo>
                          <mn>1</mn>
                        </mrow>
                        <mi>N</mi>
                      </msubsup>
                    </mtd>
                  </mtr>
                </mtable>
              </mrow>
            </mstyle>
          </math>
(except with negligible probability). Strong unforgeability implies that an
adversary cannot only sign new messages, but also cannot find a new signature
on an old message.
        </p>

        <p>
In [[CDL2016]] under some reasonable assumptions BBS signatures were proven to
be EUF-CMA. Furthermore, in [[TZ2023]], under similar assumptions BBS signatures
were proven to be SUF-CMA. In both cases the assumptions are related to the
hardness of the discrete logarithm problem which is not considered post large
scale quantum computing secure.
        </p>
        <p>
Under non-quantum computing conditions [[CFRG-BBS-SIGNATURE]] provides
additional security guidelines to BBS signature suite implementors. Further
security considerations related to pairing friendly curves are discussed in
[[CFRG-PAIRING-FRIENDLY]].
        </p>
      </section>

      <section class="informative">
        <h3>Derived Proof Security Properties</h3>
        <p>
The security of the derived proof is dependent on the security properties of
the associated <em>BBS proof</em>. Both [[CDL2016]] and [[TZ2023]] prove that a
<em>BBS proof</em> is <q>a zero knowledge proof of knowledge of a BBS
  signature</q>.
        </p>
        <p>
As explained in [[CFRG-BBS-SIGNATURE]] this means:
        </p>
        <blockquote>
a verifying party in receipt of a proof is unable to determine which signature
was used to generate the proof, removing a common source of correlation. In
general, each proof generated is indistinguishable from random even for two
proofs generated from the same signature.
        </blockquote>
        <p>
and
        </p>
        <blockquote>
The proofs generated by the scheme prove to a verifier that the party who
generated the proof (holder/prover or an agent of theirs) was in possession of a
signature without revealing it.
        </blockquote>
        <p>
More precisely, verification of a <em>BBS proof</em> requires the original
issuers public key as well as the unaltered, revealed <em>BBS message</em> in
the proper order.
        </p>
      </section>

    </section>

    <section class="informative">
      <h2>Privacy Considerations</h2>
      <section>
        <h3>Selective Disclosure and Data Leakage</h3>
        <p>
Selective disclosure permits a <em>holder</em> to <em>minimize</em> the information
revealed to a <em>verifier</em> to achieve a particular purpose. In prescribing
an overall system that enables selective disclosure, care has to be taken that
additional information that was not meant to be disclosed to the
<em>verifier</em> is minimized. Such leakage can occur through artifacts of the
system. Such artifacts can come from higher layers of the system, such as in
the structure of data or from the lower level cryptographic primitives.
        </p>
        <p>
For example the BBS signature scheme is an extremely space efficient scheme for
producing a signature on multiple <em>messages</em>, i.e.,  the cryptographic
signature sent to the <em>holder</em> is a constant size regardless of the
number of <em>messages</em>. The <em>holder</em> then can selectively disclose
any of these <em>messages</em> to a <em>verifier</em>, however as part of the
encryption scheme, the total number of messages signed by the <em>issuer</em>
has to be revealed to the <em>verifier</em>. If such information leakage needs to
be avoided then it is recommended to pad the number of messages out to a common
length as suggested in the privacy considerations section of
[[CFRG-BBS-SIGNATURE]].
        </p>
        <p>
At the higher levels, how data gets mapped into individual <em>statements</em>
suitable for selective disclosure, i.e., BBS <em>messages</em>, is a potential
source of data leakage. This cryptographic suite is able to eliminate many
structural artifacts used to express JSON data that might leak information
(nesting, map, or array position, etc.) by using JSON-LD processing to transform
inputs into RDF. RDF can then be expressed as a canonical, flat format of simple
subject, property, value statements (referred to as claims in the Verifiable
Credentials Data Model [[VC-DATA-MODEL-2.0]]). In the following, we examine RDF
canonicalization, a general scheme for mapping a verifiable credential in
JSON-LD format into a set of <em>statements</em> (BBS <em>messages</em>), for
selective disclosure. We show that after this process is performed, there
remains a possible source of information leakage, and we show how this leakage
is mitigated via the use of a keyed pseudo random function (PRF).
        </p>
        <p>
RDF canonicalization can be used to <q>flatten</q> a JSON-LD VC into a set of
<em>statements</em>. The algorithm is dependent on the content of the VC and
also employs a cryptographic hash function to help in ordering the
<em>statements</em>. In essence, how this happens is that each JSON object that
represents the subject of claims within a JSON-LD document will be assigned an
id, if it doesn't have an `@id` field defined. Such <em>ids</em> are known as
<em>blank node ids</em>. These ids are needed to express claims as simple
subject, property, value statements such that the subject in each claim can be
differentiated. The id values are deterministically set per
[[RDF-CANON]] and are based on the data in the document and the
output of a cryptographic hash function such as SHA-256.
        </p>
        <p>
Below we show two slightly different VCs for a set of windsurf sails and their
canonicalization into a set of <em>statements</em> that can be used for
selective disclosure. By changing the year of the 6.1 size sail we see a major
change in statement ordering between these two VCs. If the <em>holder</em>
discloses information about just his larger sails (the 7.0 and 7.8) the
<em>verifier</em> could tell something changed about the set of sails, i.e.,
information leakage.
        </p>
        <pre class="example nohighlight"
        title="A VC for a set of windsurfing sails">
{
  "@context": [
    "https://www.w3.org/ns/credentials/v2",
    {
      "@vocab": "https://windsurf.grotto-networking.com/selective#"
    }
  ],
  "type": [
    "VerifiableCredential"
  ],
  "credentialSubject": {
    "sails": [
      {
        "size": 5.5,
        "sailName": "Kihei",
        "year": 2023
      },
      {
        "size": 6.1,
        "sailName": "Lahaina",
        "year": 2023 // Will change this to see the effect on canonicalization
      },
      {
        "size": 7.0,
        "sailName": "Lahaina",
        "year": 2020
      },
      {
        "size": 7.8,
        "sailName": "Lahaina",
        "year": 2023
      }
    ]
  }
}
        </pre>
        <p>
Canonical form of the above VC. Assignment of blank node ids, i.e., the
<q>_:c14nX</q> labels are dependent upon the content of the VC and this also
affects the ordering of the statements.
        </p>
        <pre class="example nohighlight"
        title="Canonical form of the VC for a set of windsurfing sails">
_:c14n0 &lt;https://windsurf.grotto-networking.com/selective#sailName&gt; &quot;Lahaina&quot; .
_:c14n0 &lt;https://windsurf.grotto-networking.com/selective#size&gt; &quot;7.8E0&quot;^^&lt;http://www.w3.org/2001/XMLSchema#double&gt; .
_:c14n0 &lt;https://windsurf.grotto-networking.com/selective#year&gt; &quot;2023&quot;^^&lt;http://www.w3.org/2001/XMLSchema#integer&gt; .
_:c14n1 &lt;http://www.w3.org/1999/02/22-rdf-syntax-ns#type&gt; &lt;https://www.w3.org/2018/credentials#VerifiableCredential&gt; .
_:c14n1 &lt;https://www.w3.org/2018/credentials#credentialSubject&gt; _:c14n4 .
_:c14n2 &lt;https://windsurf.grotto-networking.com/selective#sailName&gt; &quot;Lahaina&quot; .
_:c14n2 &lt;https://windsurf.grotto-networking.com/selective#size&gt; &quot;7&quot;^^&lt;http://www.w3.org/2001/XMLSchema#integer&gt; .
_:c14n2 &lt;https://windsurf.grotto-networking.com/selective#year&gt; &quot;2020&quot;^^&lt;http://www.w3.org/2001/XMLSchema#integer&gt; .
_:c14n3 &lt;https://windsurf.grotto-networking.com/selective#sailName&gt; &quot;Kihei&quot; .
_:c14n3 &lt;https://windsurf.grotto-networking.com/selective#size&gt; &quot;5.5E0&quot;^^&lt;http://www.w3.org/2001/XMLSchema#double&gt; .
_:c14n3 &lt;https://windsurf.grotto-networking.com/selective#year&gt; &quot;2023&quot;^^&lt;http://www.w3.org/2001/XMLSchema#integer&gt; .
_:c14n4 &lt;https://windsurf.grotto-networking.com/selective#sails&gt; _:c14n0 .
_:c14n4 &lt;https://windsurf.grotto-networking.com/selective#sails&gt; _:c14n2 .
_:c14n4 &lt;https://windsurf.grotto-networking.com/selective#sails&gt; _:c14n3 .
_:c14n4 &lt;https://windsurf.grotto-networking.com/selective#sails&gt; _:c14n5 .
_:c14n5 &lt;https://windsurf.grotto-networking.com/selective#sailName&gt; &quot;Lahaina&quot; .
_:c14n5 &lt;https://windsurf.grotto-networking.com/selective#size&gt; &quot;6.1E0&quot;^^&lt;http://www.w3.org/2001/XMLSchema#double&gt; .
_:c14n5 &lt;https://windsurf.grotto-networking.com/selective#year&gt; &quot;2023&quot;^^&lt;http://www.w3.org/2001/XMLSchema#integer&gt; .
        </pre>
        <p>
Updated windsurf sail collection, i.e., the 6.1 size sail has been updated to
the 2024 model. This changes the ordering of statements via the assignment of
<em>blank node ids</em>.
        </p>
        <pre class="example nohighlight"
        title="A VC for a slightly updated set of windsurfing sails">
{
  "@context": [
    "https://www.w3.org/ns/credentials/v2",
    {
      "@vocab": "https://windsurf.grotto-networking.com/selective#"
    }
  ],
  "type": [
    "VerifiableCredential"
  ],
  "credentialSubject": {
    "sails": [
      {
        "size": 5.5,
        "sailName": "Kihei",
        "year": 2023
      },
      {
        "size": 6.1,
        "sailName": "Lahaina",
        "year": 2024 // New sail to update older model, changes canonicalization
      },
      {
        "size": 7.0,
        "sailName": "Lahaina",
        "year": 2020
      },
      {
        "size": 7.8,
        "sailName": "Lahaina",
        "year": 2023
      }
    ]
  }
}
        </pre>
        <p>
Canonical form of the previous VC. Note the difference in <em>blank node id</em>
assignment and ordering of statements.
        </p>
        <pre class="example nohighlight"
        title="Canonical form of the updated VC for a set of windsurfing sails">
_:c14n0 &lt;https://windsurf.grotto-networking.com/selective#sailName&gt; &quot;Lahaina&quot; .
_:c14n0 &lt;https://windsurf.grotto-networking.com/selective#size&gt; &quot;6.1E0&quot;^^&lt;http://www.w3.org/2001/XMLSchema#double&gt; .
_:c14n0 &lt;https://windsurf.grotto-networking.com/selective#year&gt; &quot;2024&quot;^^&lt;http://www.w3.org/2001/XMLSchema#integer&gt; .
_:c14n1 &lt;https://windsurf.grotto-networking.com/selective#sailName&gt; &quot;Lahaina&quot; .
_:c14n1 &lt;https://windsurf.grotto-networking.com/selective#size&gt; &quot;7.8E0&quot;^^&lt;http://www.w3.org/2001/XMLSchema#double&gt; .
_:c14n1 &lt;https://windsurf.grotto-networking.com/selective#year&gt; &quot;2023&quot;^^&lt;http://www.w3.org/2001/XMLSchema#integer&gt; .
_:c14n2 &lt;http://www.w3.org/1999/02/22-rdf-syntax-ns#type&gt; &lt;https://www.w3.org/2018/credentials#VerifiableCredential&gt; .
_:c14n2 &lt;https://www.w3.org/2018/credentials#credentialSubject&gt; _:c14n5 .
_:c14n3 &lt;https://windsurf.grotto-networking.com/selective#sailName&gt; &quot;Lahaina&quot; .
_:c14n3 &lt;https://windsurf.grotto-networking.com/selective#size&gt; &quot;7&quot;^^&lt;http://www.w3.org/2001/XMLSchema#integer&gt; .
_:c14n3 &lt;https://windsurf.grotto-networking.com/selective#year&gt; &quot;2020&quot;^^&lt;http://www.w3.org/2001/XMLSchema#integer&gt; .
_:c14n4 &lt;https://windsurf.grotto-networking.com/selective#sailName&gt; &quot;Kihei&quot; .
_:c14n4 &lt;https://windsurf.grotto-networking.com/selective#size&gt; &quot;5.5E0&quot;^^&lt;http://www.w3.org/2001/XMLSchema#double&gt; .
_:c14n4 &lt;https://windsurf.grotto-networking.com/selective#year&gt; &quot;2023&quot;^^&lt;http://www.w3.org/2001/XMLSchema#integer&gt; .
_:c14n5 &lt;https://windsurf.grotto-networking.com/selective#sails&gt; _:c14n0 .
_:c14n5 &lt;https://windsurf.grotto-networking.com/selective#sails&gt; _:c14n1 .
_:c14n5 &lt;https://windsurf.grotto-networking.com/selective#sails&gt; _:c14n3 .
_:c14n5 &lt;https://windsurf.grotto-networking.com/selective#sails&gt; _:c14n4 .
        </pre>
        <p>
To prevent such information leakage from the assignment of these blank node ids
and the ordering they impose on the <em>statements</em>, an HMAC based PRF is
run on the <em>blank node ids</em>. The HMAC secret key is only shared between
the <em>issuer</em> and <em>holder</em> and each <em>Base Proof</em> generated
by the issuer uses a new HMAC key. An example of this can be seen in the
<a href="https://www.w3.org/TR/vc-di-ecdsa/#example-canonical-hmac-document">
canonical HMAC test vector</a> of [[DI-ECDSA]].
<!-- [canonical HMAC test vector](https://w3c.github.io/vc-di-ecdsa/#example-canonical-hmac-document) of [[VC-ECDSA-SD]]. -->
<!-- <a href="https://www.w3.org/TR/vc-di-ecdsa/#hashmandatorynquads">Section 3.3.17
hashMandatoryNQuads</a> of the [[DI-ECDSA]] specification, passing -->
As discussed in the next section, for BBS to preserve unlinkability we do not
use HMAC based <em>blank node ids</em> but produce a <q>shuffled</q> version of
the ordering based on the HMAC as shown in test vector <a href="#example-canonical-hmac-document"></a>.
Note that this furnishes less information hiding concerning <em>blank node
ids</em> than in the ECDSA-SD approach, since information the number of
<em>blank node ids</em> can leak, but prevents linkage attacks via the
essentially unique identifiers produced by applying an HMAC to blank node ids.
        </p>
      </section>
      <section>
        <h3>Selective Disclosure and Unlinkability</h3>
        <p>
In some uses of VCs it can be important to the privacy of a <em>holder</em> to
prevent the tracking or linking of multiple different <em>verifier</em>
interactions. In particular we consider two important cases (i) <em>verifier to
issuer collusion</em>, and (ii) <em>verifier to verifier collusion</em>. In the
first case, shown in <a href="#verifier-issuer"></a>, a <em>verifier</em>
reports back to the original
<em>issuer</em> of the credential on an interaction with a <em>holder</em>. In
this situation, the <em>issuer</em> could track all the <em>holder</em>
interactions with various <em>verifiers</em> using the issued VC. In the second
situation, shown in <a href="#verifier-verifier"></a>, multiple
<em>verifiers</em> collude to share
information about <em>holders</em> with whom they have interacted.
        </p>
        <figure id="verifier-issuer">
          <img style="margin: auto; display: block; width: 100%;"
               src="diagrams/VerifierIssuerCollusion.svg" alt="
Diagram showing multiple verifiers sending data back to the issuer.
The diagram is laid out top to bottom with a circle labeled issuer at the top,
connected to a circle label holder below. From the circle labeled holder there
are multple arrows to additional circles labeled verifiers. From the circles
labeled verifiers there are dashed arrows back to the circle labeled issuer
showing collusive data flow.">
          <figcaption style="text-align: center;">
Verifier-to-issuer collusion.
          </figcaption>
        </figure>
        <figure id="verifier-verifier">
          <img style="margin: auto; display: block; width: 100%;"
               src="diagrams/VerifiersCollusion.svg" alt="
Diagram showing multiple verifiers sharing with each other.
The diagram is laid out top to bottom with a circle labeled issuer at the top,
connected to a circle label holder below. From the circle labeled holder there
are multple arrows to additional circles labeled verifiers. From the circles
labeled verifiers there are dashed arrows back to other circles labeled issuer
to show verifier to verifier collusive data flows.">
          <figcaption style="text-align: center;">
Verifier-to-verifier collusion.
          </figcaption>
        </figure>
        <p>
We use the term <em>unlinkability</em> to describe the property of a VC system
to prevent such "linkage attacks"  on holder privacy. Although the term
unlinkability is relatively new section 3.3 of [[NISTIR8053]] discusses and
gives a case study of <q>Re-identification through Linkage Attacks</q>. A
systemization of knowledge on <q>linkage attack on data privacy</q> can be found
in [[Powar2023]]. The most widespread use of linkage attack on user privacy
occurs via the practice of web browser fingerprinting, a survey of which can be
found in [[Pugliese2020]].
        </p>
        <p>
To quantify the notion of linkage, [[Powar2023]] introduces the idea of an
<strong>anonymity set</strong>. In the VC case we are concerned with here, the
anonymity set would contain the <em>holder</em> of a particular VC and other
holders associated with a particular <em>issuer</em>. The smaller the anonymity
set the more likely the holder can be tracked across verifiers. Since a signed
VC contains a reference to a public key of the issuer, the starting size for the
anonymity set for a holder possessing a VC from a particular issuer is the
number of VC issued by that issuer with that particular public/private key pair.
Non-malicious issuers are expected to minimize the number of public/private key
pairs used to issue VCs. Note that the anonymity set idea is similar to the
group privacy concept in [[vc-bitstring-status-list]]. When we use the term
linkage here we generally mean any mechanism that results in a reduction in size
of the anonymity set.
        </p>
        <p>
Sources of linkage in a VC system supporting selective disclosure:
        </p>
        <ol>
          <li>
Artifacts from cryptographic primitives.
          </li>
          <li>
Artifacts from mapping a VC into a set of statements suitable for selective disclosure.
          </li>
          <li>
Artifacts from Proof Options and Mandatory reveal Information in the VC.
          </li>
          <li>
Selectively revealed information in the VC.
          </li>
          <li>
External VC System Based Linkage
          </li>
        </ol>
        <p>
We discuss each of these below.
        </p>
        <section>
          <h4>Linkage via Cryptographic Artifacts</h4>
          <p>
Cryptographic Hashes, HMACs, and digital signatures by their nature generate
highly unique identifiers. The output of a hash function such as SHA-256, by its
collision resistance properties, are guaranteed to be essentially unique given
different inputs and result in a strong linkage, i.e., reduces the anonymity set
size to one. Similarly deterministic signature algorithms such as Ed25519 and
deterministic ECDSA will produce essentially unique outputs for different inputs
and lead to strong linkages.
          </p>
          <p>
This implies that <em>holders</em> can be easily tracked across
<em>verifiers</em> via digital signature, HMAC, or hash artifacts inside VCs and
hence are vulnerable to <em>verifier-verifier</em> collusion and
<em>verifier-issuer</em> collusion. Randomized signature algorithms such as some
forms of ECDSA can permit the issuer to generate many distinct signatures on the
same inputs and send these to the <em>holder</em> for use with different
<em>verifiers</em>. Such an approach could be used to prevent
<em>verifier-verifier</em> collusion based tracking but cannot help with
<em>verifier-issuer</em> collusion.
          </p>
          <p>
To achieve unlinkability requires specially designed cryptographic signature
schemes that allow the <em>holder</em> to generate what is called a <q>zero
knowledge proof of knowledge of a signature</q> (ZKPKS). What this means is that
the <em>holder</em> can take a signature from the <em>issuer</em> in such a
scheme, compute a ZKPKS to send to a <em>verifier</em>. This ZKPKS cannot be
linked back to the original signature, but has all the desirable properties of a
signature, i.e., the <em>verifier</em> can use it to verify that the messages
were signed by the <em>issuers</em> public key and that the messages have not
been altered. In addition, the <em>holder</em> can generate as many ZKPKSs as
desired for different <em>verifiers</em> and these are essentially independent
and unlinkable. BBS is one such signature scheme that supports this capability.
          </p>
          <p>
Although the ZKPKS, known as a <em>BBS proof</em> in this document, has
guaranteed unlinkability properties. BBS when used with selective disclosure has
two artifacts that can contribute to linkability. These are the total number of
messages originally signed, and the index values for the revealed statements.
See the privacy considerations in [[CFRG-BBS-SIGNATURE]] for a discussion and
mitigation techniques.
          </p>
          <p>
As mentioned in the section on <q>Issuer's Public Keys</q> of
[[CFRG-BBS-SIGNATURE]] there is the potential threat that an <em>issuer</em> might
use multiple public keys with some of those used to track a specific subset of
users via <em>verifier-issuer</em> collusion. Since the <em>issuers</em> public
key has to be visible to the <em>verifier</em>, i.e., it is referenced in the BBS
proof (derived proof) this can be used as a linkage point if the <em>issuer</em>
has many different public keys and particularly if it uses a subset of those
keys with a small subset of users (<em>holders</em>).
          </p>
        </section>
        <section>
          <h4>Linkage via VC Processing</h4>
          <p>
We saw in the section on information leakage that RDF canonicalization uses a
hash function to order statements and that a further <q>shuffle</q> of the order
of the statements is performed based on an HMAC. This can leave a fingerprint
that might allow for some linkage. How strong of a linkage is dependent on the
number of blank nodes, essentially JSON objects within the VC, and the number of
indexes revealed. Given <em>n</em> blank nodes and <em>k</em> disclosed indexes
in the worst case this would be a reduction in the anonymity set size by a
factor of <em>C(n, k)</em>, i.e., the number combinations of size <em>k</em>
chosen from a set of <em>n</em> elements. One can keep this number quite low by
reducing the number of blank nodes in the VC, e.g., keep the VC short and
simple.
          </p>
        </section>
        <section>
          <h4>Linkage via JSON-LD Node Identifiers</h4>
          <p>
JSON-LD is a JSON-based format for serialization of Linked Data. As such, it supports
assigning a globally unambiguous `@id` attribute (node identifier) to each object
("node", in JSON-LD terminology) within a document. This allows for <q>the linking
of linked data</q>, enabling information about the same entity to be correlated.
This correlation can be desirable or undesirable, depending on the use case.
          </p>
          <p>
When using BBS for its unlinkability feature, globally unambiguous node
identifiers cannot be used for individuals nor for their personally identifiable
information, since the strong linkage they provide is undesirable. Note that the
use of such identifiers is acceptable when expressing statements about non-personal
information (e.g., using a globally unambiguous identifier to identify a large
country or a concert event). Also note that JSON-LD's use of `@context`, which
maps terms to IRIs, does not generally affect unlinkability.
          </p>
        </section>
        <section>
          <h4>Linkage via Proof Options and Mandatory Reveal</h4>
          <p>
In the [[vc-data-integrity]] specification, a number of properties of the
`proof` attribute of a VC are given. Care has to be taken that optional fields
ought not provide strong linkage across verifiers. The optional fields include:
<em>id</em>, <em>created</em>, <em>expires</em>, <em>domain</em>,
<em>challenge</em>, and <em>nonce</em>. For example the optional
<em>created</em> field is a `dateTimeStamp` object which can specify the
creation date for the proof down to an arbitrary sub-second granularity. Such
information, if present, could greatly reduce the size of the anonymity set. If
the issuer wants to include such information they ought to make it as coarse
grained as possible, relative to the number of VCs being issued over time.
          </p>
          <p>
The <em>issuer</em> can also compel a <em>holder</em> to reveal certain
statements to a <em>verifier</em> via the `mandatoryPointers` input used in the
creation of the <em>Base Proof</em>. See section
<a href="#base-proof-transformation-bbs-2023"></a>,
<a href="#example-mandatory-pointers"></a>, and
<a href="#example-json-pointers-and-values"></a>. By <q>compel</q> we mean that
a generated Derived Proof will not verify unless these statements are revealed
to the <em>verifier</em>. Care should be taken such that if such information is
required to be disclosed, that the anonymity set remains sufficiently large.
          </p>
        </section>
        <section>
          <h4>Linkage via Holder Selective Reveal</h4>
          <p>
As discussed in [[Powar2023]] there are many documented cases of
re-identification of individuals from linkage attacks. Hence the <em>holder</em>
is urged  to reveal as little information as possible to help keep the anonymity
set large. In addition, it has been shown a number of times that innocuous
seeming information can be highly unique and thus leading to re-identification
or tracking.  See [[NISTIR8053]] for a walk through of a particularly famous
case of a former governor of Massachusetts and [[Powar2023]] for further
analysis and categorization of 94 such public cases.
          </p>
        </section>
        <section>
          <h4>External VC System Based Linkage</h4>
          <p>
It ought to be pointed out that maintaining unlinkability, i.e., anonymity,
requires care in the systems holding and communicating the VCs. Networking
artifacts such as IP address (layer 3) or Ethernet/MAC address (layer 2) are
well known sources of linkage. For example, mobile phone MAC addresses can be
used to track users if they revisited a particular access point, this led to
mobile phone manufacturers providing a MAC address randomization feature.
Public IP addresses generally provide enough information to geolocate an
individual to a city or region within a country potentially greatly reducing
the anonymity set.
          </p>
        </section>
      </section>
    </section>

    <section class="appendix informative">
      <h2>Test Vectors</h2>
      <section>
        <h4>Baseline Basic Example</h4>
        <p>
The document test
vectors are based on a purely fictitious permanent resident card, and broken
into two groups — those
that would be generated by the issuer ("base proof"), and those that would be
generated by the holder ("derived proof").
        </p>
        <section>
          <h5>Base Proof</h5>
          <p>
To add a selective disclosure base proof to a document, the issuer needs
the following cryptographic key material:
          </p>
          <ol>
            <li>
The issuer's private/public key pair, i.e., the key pair corresponding to the
verification method that will be part of the proof.
            </li>
            <li>
An HMAC key. This is used to randomize the order of the blank node IDs to avoid
potential information leakage via the blank node ID ordering. This is used only
once, and is shared between issuer and holder. The HMAC in this case is
functioning as a pseudorandom function (PRF).
            </li>
          </ol>
          <p>
The key material used for generating the test vectors to test <i>add base
proof</i> is shown below. Hexadecimal representation is used for the BBS key
pairs and the HMAC key.
          </p>
          <pre class="example nohighlight"
          title="Private and Public keys for Signature"
          data-include="TestVectors/BBSKeyMaterial.json"
          data-include-format="text">
          </pre>
          <p>
In our scenario, a permanent resident credential is being issued. The unsigned
permanent resident document is shown below.
          </p>
          <pre class="example nohighlight"
          title="Credential without Proof"
          data-include="TestVectors/prCredUnsigned.json"
          data-include-format="text"></pre>
          <p>
This mandatory information is specified via an array of JSON pointers,
as shown below.
          </p>
          <pre class="example nohighlight"
          title="Mandatory Pointers"
          data-include="TestVectors/prCredMandatory.json"
          data-include-format="text"></pre>
          <p>
The result of applying the above JSON pointers to the document
is shown below.
          </p>
          <pre class="example nohighlight"
          title="JSON Pointers and Values"
          data-include="TestVectors/prc/addPointerValues.json"
          data-include-format="text"></pre>
          <p>
Transformation of the unsigned document begins with canonicalizing the document,
as shown below.
          </p>
          <pre class="example nohighlight"
          title="Canonical Document"
          data-include="TestVectors/prc/addBaseDocCanon.json"
          data-include-format="text"></pre>
          <p>
To prevent possible information leakage via the ordering of the blank node IDs,
these IDs are processed through a PRF (i.e., the HMAC) to give the canonicalized
HMAC document shown below. This represents an ordered list of statements that will
be subject to "mandatory" and "selective" (or "non-mandatory") disclosure, i.e.,
when these statements are grouped based on their disclosure requirements, they
will still be ordered as in this list.
          </p>
          <pre class="example nohighlight" title="Canonical HMAC Document"
          data-include="TestVectors/prc/addBaseDocHMACCanon.json"
          data-include-format="text"></pre>
          <p>
The list from the canonical document above gets grouped into mandatory and
non-mandatory statements. The final output of the selective disclosure
transformation process is shown below. Note that the statements are now grouped
as mandatory or non-mandatory disclosure, and the index of each statement in
the previous list is remembered.
          </p>
          <pre class="example nohighlight" title="Add Base Transformation"
          data-include="TestVectors/prc/addBaseTransform.json"
          data-include-format="text"></pre>
          <p>
The next step is to create the base proof configuration and canonicalize it.
This is shown in the following two examples.
          </p>
          <pre class="example nohighlight" title="Base Proof Configuration"
          data-include="TestVectors/prc/addProofConfig.json"
          data-include-format="text"></pre>
          <pre class="example nohighlight"
          title="Canonical Base Proof Configuration"
          data-include="TestVectors/prc/addProofConfigCanon.txt"
          data-include-format="text"></pre>
          <p>
In the hashing step, we compute the SHA-256 hash of the canonicalized proof
options to produce the `proofHash`, and we compute the SHA-256 hash of the
`JOIN` of all the mandatory N-Quads to produce the `mandatoryHash`. These are
shown below in hexadecimal format.
          </p>
          <pre class="example nohighlight" title="Add Base Hashes"
          data-include="TestVectors/prc/addHashData.json"
          data-include-format="text"></pre>
          <p>
Shown below are the computed `bbsSignature` in hexadecimal, and the
`mandatoryPointers`. These are are fed to the final serialization step with the
`hmacKey`.
          </p>
          <pre class="example nohighlight" title="Add Base Signing"
          data-include="TestVectors/prc/addRawBaseSignatureInfo.json"
          data-include-format="text"></pre>
          <p>
Finally, the values above are run through the algorithm of Section
<a href="#serializebaseproofvalue"></a>, to produce the `proofValue` which is
used in the signed base document, as shown below.
          </p>
          <pre class="example nohighlight" title="Signed Base Document"
          data-include="TestVectors/prc/addSignedSDBase.json"
          data-include-format="text"></pre>
        </section>
        <section>
          <h5>Derived Proof</h5>
          <p>
Random numbers are used, and an optional `presentationHeader` can be an
additional input, for the creation of <q>BBS proofs</q>. To furnish a
deterministic set of test vectors, we used the <q>Mocked Random Scalars</q>
procedure from [[CFRG-BBS-SIGNATURE]]. The `seed` and `presentationHeader` values
we used for generation of the derived proof test vectors are given in hex, below.
          </p>
          <pre class="example nohighlight"
          title="seed and presentation header values"
          data-include="TestVectors/BBSDeriveMaterial.json"
          data-include-format="text"></pre>
          <p>
To create a derived proof, a holder starts with a signed document
containing a base proof. The base document we will use for these test vectors is
the final example from Section <a href="#base-proof"></a>, above. The first
step is to run the algorithm of Section <a href="#parsebaseproofvalue"></a> to
recover `bbsSignature`, `hmacKey`, and `mandatoryPointers`, as shown below.
          </p>
          <pre class="example nohighlight" title="Recovered Base Signature Data"
          data-include="TestVectors/prc/derivedRecoveredBaseData.json"
          data-include-format="text"></pre>
          <p>
Next, the holder needs to indicate what non-mandatory statements, if any, they
wish to reveal to the verifiers, by specifying JSON pointers for selective
disclosure. These are shown below.
          </p>
          <pre class="example nohighlight" title="Selective Disclosure Pointers"
          data-include="TestVectors/prCredSelective.json"
          data-include-format="text"></pre>
          <p>
To produce the `revealDocument` (i.e., the unsigned document that will
eventually be signed and sent to the verifier), we append the selective pointers
to the mandatory pointers, and input these combined pointers along with the
document without proof to the `selectJsonLd` algorithm of [[DI-ECDSA]].
This gets the result shown below.
          </p>
          <pre class="example nohighlight" title="Unsigned Reveal Document"
          data-include="TestVectors/prc/derivedUnsignedReveal.json"
          data-include-format="text"></pre>
          <p>
Now that we know what the reveal document looks like, we need to furnish
appropriately updated information to the verifier about which statements are
mandatory, and the indexes of the selected non-mandatory statements. Running
step 6 of the
<a href="#createdisclosuredata"></a> yields abundant information about
various statement groups relative to the original document. Below, we show a
portion of the indexes for those groups.
          </p>
          <pre class="example nohighlight" title="Derived Group Indexes"
          data-include="TestVectors/prc/derivedGroupIndexes.json"
          data-include-format="text"></pre>
          <p>
The verifier needs to be able to aggregate and hash the mandatory statements. To
enable this, we furnish them with a list of the indexes of the mandatory statements,
adjusted to their positions in the reveal document (i.e., relative to the
`combinedIndexes`), while the `selectiveIndexes` are adjusted relative to
their positions within the `nonMandatoryIndexes`. These "adjusted" indexes are
shown below.
          </p>
          <pre class="example nohighlight"
          title="Adjusted Mandatory and Selective Indexes"
          data-include="TestVectors/prc/derivedAdjIndexes.json"
          data-include-format="text"></pre>

          <p>
The last important piece of disclosure data is the `labelMap`, a mapping of
canonical blank node IDs to HMAC-based shuffled IDs, computed according to
Section <a href="#createdisclosuredata"></a>. This is shown below, along with
the rest of the disclosure data, minus the reveal document.
          </p>
          <pre class="example nohighlight" title="Disclosure Data"
          data-include="TestVectors/prc/derivedDisclosureData.json"
          data-include-format="text"></pre>
          <p>
Finally, using the disclosure data above with the algorithm of Section
<a href="#serializederivedproofvalue"></a>, we obtain the signed derived (reveal)
document shown below.
          </p>
          <pre class="example nohighlight" title="Signed Derived Document"
          data-include="TestVectors/prc/derivedRevealDocument.json"
          data-include-format="text"></pre>
        </section>
      </section>

      <section>
        <h4>Baseline Enhanced Example</h4>
        <p>
Demonstration of selective disclosure features including mandatory disclosure,
selective disclosure, and overlap between those,
requires an input credential document with more content than previous test
vectors. To avoid excessively long test vectors, the starting document test
vector is based on a purely fictitious windsurfing (sailing) competition
scenario. In addition, we break the test vectors into two groups, based on those
that would be generated by the issuer (base proof) and those that would be
generated by the holder (derived proof).
        </p>
        <section>
          <h5>Base Proof</h5>
          <p>
To add a selective disclosure base proof to a document, the issuer needs
the following cryptographic key material:
          </p>
          <ol>
            <li>
The issuer's private/public key pair, i.e., the key pair corresponding to the
verification method that will be part of the proof.
            </li>
            <li>
An HMAC key. This is used to randomize the order of the blank node IDs to avoid
potential information leakage via the blank node ID ordering. This is used only
once, and is shared between issuer and holder. The HMAC in this case is
functioning as a pseudorandom function (PRF).
            </li>
          </ol>
          <p>
The key material used for generating the test vectors to test <i>add base
proof</i> is shown below. Hexadecimal representation is used for the BBS key
pairs and the HMAC key.
          </p>
          <pre class="example nohighlight"
          title="Private and Public keys for Signature"
          data-include="TestVectors/BBSKeyMaterial.json"
          data-include-format="text">
          </pre>
          <p>
In our scenario, a sailor is registering with a race organizer for a series of
windsurfing races to be held over a number of days on Maui. The organizer will
inspect the sailor's equipment to certify that what has been declared is
accurate. The sailor's unsigned equipment inventory is shown below.
          </p>
          <pre class="example nohighlight"
          title="Credential without Proof"
          data-include="TestVectors/windDoc.json"
          data-include-format="text"></pre>
          <p>
In addition to letting other sailors know what kinds of equipment their competitors
may be sailing on, it is mandatory that each sailor disclose the year of their
most recent windsurfing board and full details on two of their sails. Note that
all sailors are identified by a sail number that is printed on all their
equipment. This mandatory information is specified via an array of JSON pointers
as shown below.
          </p>
          <pre class="example nohighlight"
          title="Mandatory Pointers"
          data-include="TestVectors/windMandatory.json"
          data-include-format="text"></pre>
          <p>
The result of applying the above JSON pointers to the sailor's equipment document
is shown below.
          </p>
          <pre class="example nohighlight"
          title="JSON Pointers and Values"
          data-include="TestVectors/addPointerValues.json"
          data-include-format="text"></pre>
          <p>
Transformation of the unsigned document begins with canonicalizing the document,
as shown below.
          </p>
          <pre class="example nohighlight"
          title="Canonical Document"
          data-include="TestVectors/addBaseDocCanon.json"
          data-include-format="text"></pre>
          <p>
To prevent possible information leakage from the ordering of the blank node IDs
these are processed through a PRF (i.e., the HMAC) to give the canonicalized HMAC
document shown below. This represents an ordered list of statements that will be
subject to mandatory and selective disclosure, i.e., it is from this list that
statements are grouped.
          </p>
          <pre class="example nohighlight" title="Canonical HMAC Document"
          data-include="TestVectors/addBaseDocHMACCanon.json"
          data-include-format="text"></pre>
          <p>
The above canonical document gets grouped into mandatory and non-mandatory
statements. The final output of the selective disclosure transformation process
is shown below. Each statement is now grouped as mandatory or non-mandatory, and
its index in the previous list of statements is remembered.
          </p>
          <pre class="example nohighlight" title="Add Base Transformation"
          data-include="TestVectors/addBaseTransform.json"
          data-include-format="text"></pre>
          <p>
The next step is to create the base proof configuration and canonicalize it.
This is shown in the following two examples.
          </p>
          <pre class="example nohighlight" title="Base Proof Configuration"
          data-include="TestVectors/addProofConfig.json"
          data-include-format="text"></pre>
          <pre class="example nohighlight"
          title="Canonical Base Proof Configuration"
          data-include="TestVectors/addProofConfigCanon.txt"
          data-include-format="text"></pre>
          <p>
In the hashing step, we compute the SHA-256 hash of the canonicalized proof
options to produce the `proofHash`, and we compute the SHA-256 hash of the
join of all the mandatory N-Quads to produce the `mandatoryHash`. These are
shown below in hexadecimal format.
          </p>
          <pre class="example nohighlight" title="Add Base Hashes"
          data-include="TestVectors/addHashData.json"
          data-include-format="text"></pre>
          <p>
Shown below are the computed `bbsSignature` in hexadecimal, and the
`mandatoryPointers`. These are are fed to the final serialization step with the
`hmacKey`.
          </p>
          <pre class="example nohighlight" title="Add Base Signing"
          data-include="TestVectors/addRawBaseSignatureInfo.json"
          data-include-format="text"></pre>
          <p>
Finally, the values above are run through the algorithm of Section
<a href="#serializebaseproofvalue"></a>, to produce the `proofValue` which is
used in the signed base document shown below.
          </p>
          <pre class="example nohighlight" title="Signed Base Document"
          data-include="TestVectors/addSignedSDBase.json"
          data-include-format="text"></pre>
        </section>
        <section>
          <h5>Derived Proof</h5>
          <p>
Random numbers are used, and an optional `presentationHeader` can be an input,
for the creation of <q>BBS proofs</q>. To furnish a deterministic set of test
vectors, we used the <q>Mocked Random Scalars</q> procedure from
[[CFRG-BBS-SIGNATURE]]. The `seed` and `presentationHeader` values we used for
generation of the derived proof test vectors are given in hex, below.
          </p>
          <pre class="example nohighlight"
          title="seed and presentation header values"
          data-include="TestVectors/BBSDeriveMaterial.json"
          data-include-format="text"></pre>
          <p>
To create a derived proof, a holder starts with a signed document
containing a base proof. The base document we will use for these test vectors is
the final example from Section <a href="#base-proof"></a>, above. The first
step is to run the algorithm of Section <a href="#parsebaseproofvalue"></a> to
recover `bbsSignature`, `hmacKey`, and `mandatoryPointers`, as shown below.
          </p>
          <pre class="example nohighlight" title="Recovered Base Signature Data"
          data-include="TestVectors/derivedRecoveredBaseData.json"
          data-include-format="text"></pre>
          <p>
Next, the holder needs to indicate what else, if anything, they wish to reveal
to the verifiers, by specifying JSON pointers for selective disclosure. In our
windsurfing competition scenario, a sailor (the holder) has just completed their
first day of racing, and wishes to reveal to the general public (the verifiers)
all the details of the windsurfing boards they used in the competition. These
are shown below. Note that this slightly overlaps with the mandatory disclosed
information which included only the year of their most recent board.
          </p>
          <pre class="example nohighlight" title="Selective Disclosure Pointers"
          data-include="TestVectors/windSelective.json"
          data-include-format="text"></pre>
          <p>
To produce the `revealDocument` (i.e., the unsigned document that will
eventually be signed and sent to the verifier), we append the selective pointers
to the mandatory pointers, and input these combined pointers along with the
document without proof to the `selectJsonLd` algorithm of [[DI-ECDSA]],
to get the result shown below.
          </p>
          <pre class="example nohighlight" title="Unsigned Reveal Document"
          data-include="TestVectors/derivedUnsignedReveal.json"
          data-include-format="text"></pre>
          <p>
Now that we know what the revealed document looks like, we need to furnish
appropriately updated information to the verifier about which statements are
mandatory, and the indexes for the selected non-mandatory statements. Running
step 6 of the
<a href="#createdisclosuredata"></a> yields an abundance of information about
various statement groups relative to the original document. Below we show a
portion of the indexes for those groups.
          </p>
          <pre class="example nohighlight" title="Derived Group Indexes"
          data-include="TestVectors/derivedGroupIndexes.json"
          data-include-format="text"></pre>
          <p>
The verifier needs to be able to aggregate and hash the mandatory statements. To
enable this, we furnish them with a list of indexes of the mandatory statements
adjusted to their positions in the reveal document (i.e., relative to the
`combinedIndexes`), while the `selectiveIndexes` need to be adjusted relative to
their positions within the `nonMandatoryIndexes`. These "adjusted" indexes are
shown below.
          </p>
          <pre class="example nohighlight"
          title="Adjusted Mandatory and Selective Indexes"
          data-include="TestVectors/derivedAdjIndexes.json"
          data-include-format="text"></pre>

          <p>
The last important piece of disclosure data is a mapping of canonical blank node
IDs to HMAC-based shuffled IDs, the `labelMap`, computed according to Section
<a href="#createdisclosuredata"></a>. This is shown below along with
the rest of the disclosure data minus the reveal document.
          </p>
          <pre class="example nohighlight" title="Disclosure Data"
          data-include="TestVectors/derivedDisclosureData.json"
          data-include-format="text"></pre>
          <p>
Finally, using the disclosure data above with the algorithm of Section
<a href="#serializederivedproofvalue"></a>, we obtain the signed derived (reveal)
document shown below.
          </p>
          <pre class="example nohighlight" title="Signed Derived Document"
          data-include="TestVectors/derivedRevealDocument.json"
          data-include-format="text"></pre>
        </section>
      </section>
      <section>
        <h4>Anonymous Holder Binding Feature</h4>
        <section>
          <h5>Holder Binding Commitment Generation</h5>
          <p>
The first steps in using the <em>anonymous holder binding</em> feature are for the
holder to generate their |holderSecret| value, and then compute a commitment with
proof for this value, according to the <em>commitment computation</em> procedure
of [[CFRG-Blind-BBS-Signature]]. Example values and outputs of this procedure
are shown below.
          </p>
          <pre class="example nohighlight" title="Holder's Secret"
            data-include="TestVectors/FeatureInputs/holderSecret.json"
            data-include-format="text"></pre>
          <pre class="example nohighlight"
            title="Holder's Secret Commitment Information"
            data-include="TestVectors/HolderBinding/commitmentInfo.json"
            data-include-format="text"></pre>
          <p>
The |holderSecret| and |secretProverBlind| are to be retained and kept secret by
the holder. The |commitmentWithProof| value is to be communicated to the issuer.
          </p>
        </section>
        <section>
          <h5>Holder Binding Base Proof</h5>
          <p>
The addition of a base proof under the anonymous holder binding option begins
with the issuer receiving a |commitmentWithProof| value from the holder and then
verifying that value with the <em>commitment verification</em> procedure of
[[CFRG-Blind-BBS-Signature]].
The cryptographic key material explained and used in section
<a href="#base-proof">Base Proof</a> will also be used here, and is
repeated below.
          </p>
          <pre class="example nohighlight"
          title="Private and Public keys for Signature"
          data-include="TestVectors/BBSKeyMaterial.json"
          data-include-format="text">
          </pre>
          <p>
In this scenario, we consider an electronic version of a drivers license.
          </p>
          <pre class="example nohighlight"
          title="Credential without Proof for Features"
          data-include="TestVectors/FeatureInputs/license.json"
          data-include-format="text"></pre>
          <p>
To preserve the holder's privacy, the only <em>mandatory</em> fields are the
"issuer" and "expirationDate", as realized in the mandatory pointers given below.
          </p>
          <pre class="example nohighlight"
          title="Mandatory Pointers for Features"
          data-include="TestVectors/FeatureInputs/licenseMandatory.json"
          data-include-format="text"></pre>

          <p>
Transformation of the unsigned document begins with canonicalizing the document,
as shown below.
          </p>
          <pre class="example nohighlight"
          title="Canonical Document for Features"
          data-include="TestVectors/HolderBinding/addBaseDocCanon.json"
          data-include-format="text"></pre>
          <p>
To prevent possible information leakage from the ordering of the blank node IDs,
these are processed through a PRF (i.e., the HMAC) to give the canonicalized HMAC
document shown below. This represents an ordered list of statements that will be
subject to mandatory and selective disclosure, i.e., it is from this list that
statements are grouped.
          </p>
          <pre class="example nohighlight"
          title="Canonical HMAC Document For Features"
          data-include="TestVectors/HolderBinding/addBaseDocHMACCanon.json"
          data-include-format="text"></pre>
          <p>
The above canonical document gets grouped into mandatory and non-mandatory
statements. The final output of the selective disclosure transformation process
is shown below. Each statement is now grouped as mandatory or non-mandatory, and
its index in the previous list of statements is remembered.
          </p>
          <pre class="example nohighlight"
          title="Add Base Transformation for Features"
          data-include="TestVectors/HolderBinding/addBaseTransform.json"
          data-include-format="text"></pre>
          <p>
The next steps are to create the base proof configuration and canonicalize it.
This is shown in the following two examples.
          </p>
          <pre class="example nohighlight"
          title="Base Proof Configuration for Features"
          data-include="TestVectors/HolderBinding/addProofConfig.json"
          data-include-format="text"></pre>
          <pre class="example nohighlight"
          title="Canonical Base Proof Configuration for Features"
          data-include="TestVectors/HolderBinding/addProofConfigCanon.txt"
          data-include-format="text"></pre>
          <p>
In the hashing step, we compute the SHA-256 hash of the canonicalized proof
options to produce the |proofHash|, and we compute the SHA-256 hash of the
join of all the mandatory N-Quads to produce the `mandatoryHash`. These are
shown below in hexadecimal format.
          </p>
          <pre class="example nohighlight" title="Add Base Hashes for Features"
          data-include="TestVectors/HolderBinding/addHashData.json"
          data-include-format="text"></pre>
          <p>
Now we use the <em>blind signature generation</em> procedure of
[[CFRG-Blind-BBS-Signature]] in the
<a href="#base-proof-serialization-bbs-2023"></a>
procedure.
Shown below are the computed |bbsSignature|, |bbsHeader|, |publicKey|,
|hmacKey|, |mandatoryPointers|, and |featureOption|, where byte
data is shown in hexadecimal.
          </p>
          <pre class="example nohighlight"
          title="Add Base Signing for Holder Binding"
          data-include="TestVectors/HolderBinding/addRawBaseSignatureInfo.json"
          data-include-format="text"></pre>
          <p>
Finally, the values above are run through the algorithm of Section
<a href="#serializebaseproofvalue"></a>, to produce the |proofValue| which is
used in the signed base document shown below.
          </p>
          <pre class="example nohighlight"
          title="Signed Base Document for Holder Binding"
          data-include="TestVectors/HolderBinding/addSignedSDBase.json"
          data-include-format="text"></pre>
          </section>
          <section>
            <h5>Holder Binding Derived Proof</h5>
            <p>
As explained in section <a href="derived-proof"></a> we use a
mocked random number generation procedure and demonstrate the use of a
|presentationHeader|. The same |seed| and |presentationHeader| are used here
and are repeated below.
          </p>
          <pre class="example nohighlight"
          title="seed and presentation header values"
          data-include="TestVectors/BBSDeriveMaterial.json"
          data-include-format="text"></pre>
          <p>
To create a derived proof, a holder starts with a signed document
containing a base proof. The base document we will use for these test vectors is
the final example from Section <a href="#holder-binding-base-proof"></a>, above.
The first step is to run the algorithm of Section
<a href="#parsebaseproofvalue"></a> to
recover |bbsSignature|, |bbsHeader|, |publicKey|, |hmacKey|,
|mandatoryPointers|, and |featureOption|, as shown below.
          </p>
          <pre class="example nohighlight"
          title="Recovered Base Signature Data for Holder Binding"
          data-include="TestVectors/HolderBinding/derivedRecoveredBaseData.json"
          data-include-format="text"></pre>
          <p>
Next, the holder needs to indicate what else, if anything, they wish to reveal
to the verifiers, by specifying JSON pointers for selective disclosure. In this
case, the holder only wishes to reveal their driving privileges.
          </p>
          <pre class="example nohighlight"
          title="Selective Disclosure Pointers for Features"
          data-include="TestVectors/FeatureInputs/licenseSelective.json"
          data-include-format="text"></pre>
          <p>
To produce the `revealDocument` (i.e., the unsigned document that will
eventually be signed and sent to the verifier), we append the selective pointers
to the mandatory pointers, and input these combined pointers along with the
document without proof to the `selectJsonLd` algorithm of [[DI-ECDSA]],
to get the result shown below.
          </p>
          <pre class="example nohighlight"
          title="Unsigned Reveal Document for Features"
          data-include="TestVectors/HolderBinding/derivedUnsignedReveal.json"
          data-include-format="text"></pre>
          <p>
Now that we know what the revealed document looks like, we need to furnish
appropriately updated information to the verifier about which statements are
mandatory, and the indexes for the selected non-mandatory statements. Running
step 6 of the
<a href="#createdisclosuredata"></a> yields an abundance of information about
various statement groups relative to the original document. Below, we show a
portion of the indexes for those groups.
          </p>
          <pre class="example nohighlight"
          title="Derived Group Indexes for Features"
          data-include="TestVectors/HolderBinding/derivedGroupIndexes.json"
          data-include-format="text"></pre>
          <p>
The verifier needs to be able to aggregate and hash the mandatory statements. To
enable this, we furnish them with a list of indexes of the mandatory statements
adjusted to their positions in the reveal document (i.e., relative to the
`combinedIndexes`), while the `selectiveIndexes` need to be adjusted relative to
their positions within the `nonMandatoryIndexes`. These "adjusted" indexes are
shown below.
          </p>
          <pre class="example nohighlight"
          title="Adjusted Mandatory and Selective Indexes for Features"
          data-include="TestVectors/HolderBinding/derivedAdjIndexes.json"
          data-include-format="text"></pre>

          <p>
The last important piece of disclosure data is a mapping of canonical blank node
IDs to HMAC-based shuffled IDs, the `labelMap`, computed according to Section
<a href="#createdisclosuredata"></a>. This is shown below, along with
the rest of the disclosure data minus the reveal document. Note that here we are
showing the results appropriate to the |featureOption| equal to
`"anonymous_holder_binding"` which uses the <em>blind proof generation</em>
procedure of [[CFRG-Blind-BBS-Signature]]. Note that |blindAdjDisclosedIdxs| is
the final set of BBS selective indexes used in the proof serialization process
and comes from the blind BBS proof generation function which takes
the |adjSelectiveIndexes| as inputs.
          </p>
          <pre class="example nohighlight"
          title="Disclosure Data for Holder Binding"
          data-include="TestVectors/HolderBinding/derivedDisclosureData.json"
          data-include-format="text"></pre>
          <p>
Finally, using the disclosure data above with the algorithm of Section
<a href="#serializederivedproofvalue"></a>, we obtain the signed derived
(reveal) document shown below.
          </p>
          <pre class="example nohighlight"
          title="Signed Derived Document for Holder Binding"
          data-include="TestVectors/HolderBinding/derivedRevealDocument.json"
          data-include-format="text"></pre>
          </section>
        </section>

        <section>
          <h4>Credential Bound Pseudonym Feature</h4>
          <section>
            <h5>Prover Nym Commitment Generation</h5>
            <p>
The first steps in using the <em>credential-bound pseudonym</em> feature are for
the holder to generate their secret |prover_nym| value, and then compute a
commitment with proof for this value according to the "Commitment" operation
from [[CFRG-Pseudonym-BBS-Signature]]. Example values and outputs of this procedure
are shown below.
            </p>
            <pre class="example nohighlight" title="Prover Nym"
            data-include="TestVectors/FeatureInputs/proverNym.json"
            data-include-format="text"></pre>
            <pre class="example nohighlight"
            title="Prover Nym Commitment Information"
            data-include="TestVectors/Pseudonym/commitmentInfo.json"
            data-include-format="text"></pre>
            <p>
The |prover_nym| and |secretProverBlind| are to be retained and kept secret by
the holder. The |commitmentWithProof| value is to be communicated to the issuer.
            </p>
          </section>
          <section>
            <h5>Pseudonym Base Proof</h5>
            <p>
The addition of a base proof under the pseudonym feature option begins
with the issuer receiving a |commitmentWithProof| value from the holder and
generating a cryptographically random value for |signer_nym_entropy|.
            </p>
            <pre class="example nohighlight" title="Signer Nym Entropy"
            data-include="TestVectors/FeatureInputs/signerNymEntropy.json"
            data-include-format="text"></pre>
            <p>
This example will make use of the same key material as shown in
<a href="#example-private-and-public-keys-for-signature-0"></a>,
the same unsigned document as shown in
<a href="#example-credential-without-proof-for-features"></a>, and the same
mandatory pointers as shown in
<a href="#example-mandatory-pointers-for-features"></a>. This results in the
same canonical document as shown in
<a href="#example-canonical-document-for-features"></a>,
the same canonical HMAC document as shown in
<a href="#example-canonical-hmac-document-for-features"></a>, and the same "add
base transformation" as shown in
<a href="#example-add-base-transformation-for-features"></a>.
          </p>
          <p>
This example makes use of the same proof configuration as in
<a href="#example-base-proof-configuration-for-features"></a>.
This results in the same canonical base proof as in
<a href="#example-canonical-base-proof-configuration-for-features"></a>.
Combining this with the above assumptions leads to the same base hashes as in
<a href="#example-add-base-hashes-for-features"></a>.
          </p>
          <p>
Since |featureOption| is equal to `"pseudonym"`, the procedure of
section <a href="#base-proof-serialization-bbs-2023"></a> will produce the
output shown below. This makes use of the
signature generation algorithm of [[CFRG-Pseudonym-BBS-Signature]]. Note the
inclusion of the |signer_nym_entropy| and |featureOption| values, as these
need to be communicated to the holder.
          </p>
          <pre class="example nohighlight"
          title="Add Base Signing for Pseudonym"
          data-include="TestVectors/Pseudonym/addRawBaseSignatureInfo.json"
          data-include-format="text"></pre>
          <p>
Finally, the values above are run through the algorithm of section
<a href="#serializebaseproofvalue"></a>, producing the `proofValue` which is
used in the signed base document shown below.
          </p>
          <pre class="example nohighlight"
          title="Signed Base Document for Pseudonym"
          data-include="TestVectors/Pseudonym/addSignedSDBase.json"
          data-include-format="text"></pre>
          </section>
          <section>
            <h5>Pseudonym Derived Proof</h5>
            <p>
As explained in section <a href="#derived-proof"></a>, we used a
mocked random number generation procedure to demonstrate the use of a
|presentationHeader|. The same |seed| and |presentationHeader| as given in
<a href="#example-seed-and-presentation-header-values"></a> are used here.
                        </p>
                        <p>
To create a derived proof, a holder starts with a signed document
containing a base proof. The base document we will use for these test vectors is
from
<a href="#example-signed-base-document-for-pseudonym"></a>, above. The first
step is to run the algorithm of Section <a href="#parsebaseproofvalue"></a> to
recover |bbsSignature|, |bbsHeader|, |publicKey|, |hmacKey|,
|mandatoryPointers|, |signer_nym_entropy|, and |featureOption|, as shown below.
          </p>
          <pre class="example nohighlight"
          title="Recovered Base Signature Data for Pseudonym"
          data-include="TestVectors/Pseudonym/derivedRecoveredBaseData.json"
          data-include-format="text"></pre>
          <p>
Next, the holder uses the the "Verification and Finalization" operation from
[[CFRG-Pseudonym-BBS-Signature]] to both verify the signature and compute the
|nym_secret| value. This operation uses the |prover_nym|,
|signer_nym_entropy|, and |secret_prover_blind| values, amongst others.
          </p>
          <pre class="example nohighlight"
          title="Computed Nym Secret"
          data-include="TestVectors/Pseudonym/nymSecret.json"
          data-include-format="text"></pre>
          <p>
Next, the holder needs to indicate what non-mandatory statements, if any, they
wish to reveal to the verifiers, by specifying JSON pointers for selective
disclosure. In this case, the holder reveals the same information as given in
<a href="#example-selective-disclosure-pointers-for-features"></a>.
This results in the same |revealDocument|
as shown in <a href="#example-unsigned-reveal-document-for-features"></a>.
          <p>
Running <a href="#createdisclosuredata"></a> yields the same information for
derived group indexes as shown in
<a href="#example-derived-group-indexes-for-features"></a> and the same
adjusted mandatory and selective indexes as shown in
<a href="#example-adjusted-mandatory-and-selective-indexes-for-features"></a>.
          </p>
          <p>
Within <a href="#createdisclosuredata"></a>, we compute the |pseudonym| based on
the same |verfifier_id| shown in <a href="example-verifier-id"></a>.
The final output of <a href="#createdisclosuredata"></a> is shown below. Note
the inclusion of the |featureOption| and computed |pseudonym| values.
          </p>
          <pre class="example nohighlight" title="Disclosure Data for Pseudonym"
          data-include="TestVectors/Pseudonym/derivedDisclosureData.json"
          data-include-format="text"></pre>
          <p>
Finally, using the disclosure data above with the algorithm of section
<a href="#serializederivedproofvalue"></a>, we obtain the signed derived (reveal)
document shown below.
          </p>
          <pre class="example nohighlight"
          title="Signed Derived Document for Pseudonym"
          data-include="TestVectors/Pseudonym/derivedRevealDocument.json"
          data-include-format="text"></pre>
          </section>
        </section>

        <section>
          <h4>Holder Binding and Pseudonym Feature</h4>
          <section>
            <h5>Holder Secret and Prover Nym Commitment Generation</h5>
            <p>
The first steps in using the <em>holder binding and pseudonym</em> feature are
for
the holder to generate its |holder_secret| and |prover_nym| values, and
then compute a
commitment with proof for these values, according to the "Commitment" operation
from [[CFRG-Pseudonym-BBS-Signature]]. Example values and outputs of this procedure
are shown below.
            </p>
            <pre class="example nohighlight" title="Holder's Secret"
            data-include="TestVectors/FeatureInputs/holderSecret.json"
            data-include-format="text"></pre>
            <pre class="example nohighlight" title="Prover Nym"
            data-include="TestVectors/FeatureInputs/proverNym.json"
            data-include-format="text"></pre>
            <pre class="example nohighlight"
            title="Holder Secret and Prover Nym Commitment Information"
            data-include="TestVectors/PseudonymHB/commitmentInfo.json"
            data-include-format="text"></pre>
            <p>
The |holder_secret|, |prover_nym|, and |secretProverBlind| need to be retained
and kept secret by the holder. The |commitmentWithProof| value needs to be
communicated to the issuer.
            </p>
          </section>
          <section>
            <h5>Holder Binding and Pseudonym Base Proof</h5>
            <p>
The addition of a base proof under the pseudonym feature option begins
with the issuer receiving a |commitmentWithProof| value from the holder and
generating a cryptographically random value for |signer_nym_entropy|.
            </p>
            <pre class="example nohighlight" title="Signer Nym Entropy"
            data-include="TestVectors/FeatureInputs/signerNymEntropy.json"
            data-include-format="text"></pre>
            <p>
This example will make use of the same key material as shown in
<a href="#example-private-and-public-keys-for-signature-0"></a>,
and the same unsigned document as shown in
<a href="#example-credential-without-proof-for-features"></a>, and the same
mandatory pointers as shown in
<a href="#example-mandatory-pointers-for-features"></a>. This results in the
same canonical document as shown in
<a href="#example-canonical-document-for-features"></a>,
the same canonical HMAC document as shown in
<a href="#example-canonical-hmac-document-for-features"></a>, and the same "add
base transformation" as shown in
<a href="#example-add-base-transformation-for-features"></a>.
          </p>
          <p>
This example makes use of the same proof configuration as in
<a href="#example-base-proof-configuration-for-features"></a>.
This results in the same canonical base proof as in
<a href="#example-canonical-base-proof-configuration-for-features"></a>.
Combining this with the above assumptions leads to the same base hashes as in
<a href="#example-add-base-hashes-for-features"></a>.
          </p>
          <p>
Since |featureOption| is equal to `"holder_binding_pseudonym"`, the procedure of
section <a href="#base-proof-serialization-bbs-2023"></a> will produce the
output shown below. This makes use of the
signature generation algorithm of [[CFRG-Pseudonym-BBS-Signature]]. Note the
inclusion of the |signer_nym_entropy| and |featureOption| values, as these
need to be communicated to the holder.
          </p>
          <pre class="example nohighlight"
          title="Add Base Signing for Holder Binding and Pseudonym"
          data-include="TestVectors/PseudonymHB/addRawBaseSignatureInfo.json"
          data-include-format="text"></pre>
          <p>
Finally, the values above are run through the algorithm of section
<a href="#serializebaseproofvalue"></a>, producing the `proofValue` which is
used in the signed base document shown below.
          </p>
          <pre class="example nohighlight"
          title="Signed Base Document for Holder Binding and Pseudonym"
          data-include="TestVectors/PseudonymHB/addSignedSDBase.json"
          data-include-format="text"></pre>
          </section>
          <section>
            <h5>Holder Binding and Pseudonym Derived Proof</h5>
            <p>
As explained in section <a href="#derived-proof"></a>, we use a
mocked random number generation procedure and demonstrate the use of a
|presentationHeader|. The same |seed| and |presentationHeader| as given in
<a href="#example-seed-and-presentation-header-values"></a> are used here.
                        </p>
                        <p>
To create a derived proof, a holder starts with a signed document
containing a base proof. The base document we will use for these test vectors is
from
<a href="#example-signed-base-document-for-pseudonym"></a>, above. The first
step is to run the algorithm of Section <a href="#parsebaseproofvalue"></a> to
recover |bbsSignature|, |bbsHeader|, |publicKey|, |hmacKey|,
|mandatoryPointers|, |signer_nym_entropy|, and |featureOption|, as shown below.
          </p>
          <pre class="example nohighlight"
          title="Recovered Base Signature Data for Holder Binding and Pseudonym"
          data-include="TestVectors/PseudonymHB/derivedRecoveredBaseData.json"
          data-include-format="text"></pre>
          <p>
Next, the holder uses the the "Verification and Finalization" operation from
[[CFRG-Pseudonym-BBS-Signature]] to both verify the signature and compute the
|nym_secret| value. This operation uses the |holder_secret|, |prover_nym|,
|signer_nym_entropy|, and |secret_prover_blind| values, amongst others.
          </p>
          <pre class="example nohighlight"
          title="Computed Nym Secret"
          data-include="TestVectors/PseudonymHB/nymSecret.json"
          data-include-format="text"></pre>
          <p>
Next, the holder needs to indicate what non-mandatory statements, if any,
they wish to reveal
to the verifiers, by specifying JSON pointers for selective disclosure. In this
case, the holder reveals the same information as given in
<a href="#example-selective-disclosure-pointers-for-features"></a>.
This results in the same |revealDocument|
as shown in <a href="#example-unsigned-reveal-document-for-features"></a>.
          <p>
Running <a href="#createdisclosuredata"></a> yields the same information for
derived group indexes as shown in
<a href="#example-derived-group-indexes-for-features"></a> and the same
adjusted mandatory and selective indexes as shown in
<a href="#example-adjusted-mandatory-and-selective-indexes-for-features"></a>.
          </p>
          <p>
Within <a href="#createdisclosuredata"></a>, we compute the |pseudonym| based on
the same |verfifier_id| shown in <a href="example-verifier-id"></a>.
The final output of <a href="#createdisclosuredata"></a> is shown below. Note
the inclusion of the the |featureOption| and computed |pseudonym| values.
          </p>
          <pre class="example nohighlight" title="Disclosure Data for Holder Binding and Pseudonym"
          data-include="TestVectors/PseudonymHB/derivedDisclosureData.json"
          data-include-format="text"></pre>
          <p>
Finally, using the disclosure data above with the algorithm of section
<a href="#serializederivedproofvalue"></a>, we obtain the signed derived (reveal)
document shown below.
          </p>
          <pre class="example nohighlight"
          title="Signed Derived Document for Holder Binding and Pseudonym"
          data-include="TestVectors/PseudonymHB/derivedRevealDocument.json"
          data-include-format="text"></pre>
          </section>
        </section>
    </section>


    <section class="informative">
      <h2>Acknowledgements</h2>

      <p>
Work on this specification has been supported by the Rebooting the Web of Trust
community facilitated by Christopher Allen, Shannon Appelcline, Kiara Robles,
Brian Weller, Betty Dhamers, Kaliya Young, Manu Sporny, Drummond Reed, Joe
Andrieu, Heather Vescent, Kim Hamilton Duffy, Samantha Chase, Andrew Hughes,
Erica Connell, Shigeya Suzuki, and Zaïda Rivai. The participants in the Internet
Identity Workshop, facilitated by Phil Windley, Kaliya Young, Doc Searls, and
Heidi Nobantu Saul, also supported the refinement of this work through numerous
working sessions designed to educate about, debate on, and improve this
specification.
      </p>

      <p>
The Working Group also thanks our Chair, Brent Zundel, our ex-Chair Kristina
Yasuda, as well as our W3C Staff Contact, Ivan Herman, for their expert
management and steady guidance of the group through the W3C standardization
process.
      </p>

      <p>
Portions of the work on this specification have been funded by the United States
Department of Homeland Security's Science and Technology Directorate under
contracts 70RSAT20T00000003, 70RSAT20T00000029, 70RSAT20T00000033,
70RSAT21T00000016, 70RSAT23T00000005, 70RSAT20T00000010/P00001,
70RSAT20T00000029, 70RSAT21T00000016/P00001, 70RSAT23T00000005,
70RSAT23C00000030, 70RSAT23R00000006, 70RSAT24T00000011, and the National Science Foundation
through NSF 22-572. The content of this specification does not necessarily
reflect the position or the policy of the U.S. Government and no official
endorsement should be inferred.
      </p>

      <p>
The Working Group would like to thank the following individuals for reviewing
and providing feedback on the specification (in alphabetical order):
      </p>

      <p>
Will Abramson,
Mahmoud Alkhraishi,
Christopher Allen,
Joe Andrieu,
Bohdan Andriyiv,
Anthony,
George Aristy,
Hadley Beeman,
Greg Bernstein,
Bob420,
Sarven Capadisli,
Melvin Carvalho,
David Chadwick,
Matt Collier,
Gabe Cohen,
Sebastian Crane,
Kyle Den Hartog,
Veikko Eeva,
Eric Elliott,
Raphael Flechtner,
Julien Fraichot,
Benjamin Goering,
Kim Hamilton Duffy,
Joseph Heenan,
Helge,
Ivan Herman,
Michael Herman,
Anil John,
Andrew Jones,
Michael B. Jones,
Rieks Joosten,
Gregory K,
Gregg Kellogg,
Filip Kolarik,
David I. Lehn,
Charles E. Lehner,
Christine Lemmer-Webber,
Eric Lim,
Dave Longley,
Tobias Looker,
Jer Miller,
nightpool,
Luis Osta,
Nate Otto,
George J. Padayatti,
Addison Phillips,
Mike Prorock,
Brian Richter,
Anders Rundgren,
Eugeniu Rusu,
Markus Sabadello,
silverpill,
Wesley Smith,
Manu Sporny,
Patrick St-Louis,
Orie Steele,
Henry Story,
Oliver Terbu,
Ted Thibodeau Jr,
John Toohey,
Bert Van Nuffelen,
Mike Varley,
Snorre Lothar von Gohren Edwin,
Jeffrey Yasskin,
Kristina Yasuda,
Benjamin Young,
Dmitri Zagidulin,
and
Brent Zundel.
      </p>

    </section>

  </body>
</html>