Known fact

Why Bhutan choose CREDEBL

https://github.com/credebl

<aside> 💡 We selected CREDEBL for 5 main reasons:

1. They are open source
2. They are already certified for multiple UN SDG under Public Goods Certification
3. The open source community and stack is managed by the partner AyanWorks that were also our partner when we worked in the Verity platform (Our first delivered platform for Bhutan.
4. AyanWorks is very well respected in the SSI community for their thought leadership.
5. The wrote the method to connect the SSI indy ledger platform to Indicio and developed DID:WEB.

</aside>

Meeting

June 28, 2024 with CC

• https://hyperledger.github.io/anoncreds-spec/
  • how does zkp used in bhutan’s app?
  • what type of precompile will it need? if you go on-chain, what are the requirements?
  • can we use this zkp for wallet privacy? for ex: for minimal data sharing

• Source:
  • I mainly went through https://github.com/hyperledger/anoncreds-spec/blob/main/spec/ursaAnonCreds.pdf . I can roughly get the idea of the design from the paragraph and the math.
  • For engineers I think the repo would be a good source. There's a demo test that gives you the idea of the API. https://github.com/hyperledger/anoncreds-rs/blob/main/tests/anoncreds_demos.rs
• General impression:
  • AnonCreds is a full fledged project that has been in use since 2017
  • Repo shows signs of user interaction https://github.com/hyperledger/anoncreds-rs/issues/334
  • AnonCreds is a good demonstration of how you build ZK applications before Circom. All the application features are built on top of maths. I'll call it pure-math zk approach.
    • Pros:
      • I imagine there are some performance benefit in this approach because of no circuit overhead. I don't have concrete number/evidence for this. Just a hunch
    • Cons
      • The feature is limited. The cryptography does support number comparisons like > = <, so that we can do age <18 predicates. But that's all it can do. With the circuit approach, we can add a lot more, if not arbitrary, interesting predicates on attributes, for example, hasDriverLicense AND married.
      • It is hard to debug or extend features on the pure-math approach. It requires cryptography expertise. With the circuit approach, it would be a lot easier for usual engineers to modify the scheme.
  • With circom based ZKP scheme, AnonCreds's features can be reproduced with less effort.
• Figure out how ZKP is used in the project?
  • It is the pure math approach.
  • It gives privacies on a holder's attributes
  • It allows the verifier to check predicates like age > 18
  • It allows the issuer to revoke credentials
  • All the above features are doable in Circom. But I'm not sure if PSE has a project that supports all the features.
• What are the chain requirements if we want to deploy on chain?
  • tldr: No extra requirements for AnonCreds.
  • For AnonCreds, the chain acts only as a registry for credentials or other related data. (Revocation registry and VDR, verifiable data registry). No extra requirements. Almost all rollups work.
  • Where do ZKP verifications happen?
    • On issuance of a credential, the holder zk proves to issuer that some hidden attributes are well-formed. For (a bad) example, if you want to register a hidden date of your puppy, you need to prove the year, month, and day are in valid range.
    • On verifying presentations of verifiable claims, the holder zk proves to the verifier.
  • Note: that there might be one case you might want to verify proofs on chain. It seems AnonCreds trusts the issuer. The issuer verifies holder's proof off-chain and then always register a valid credential on chain. This might make business sense because usually issuer is the one who pay to build the DID system. However, it is possible the issuer register an invalid credential for the holder. To avoid that problem, you probably want the contract to verify the proof and register the credential instead.
    • If we want to verify zk proof in the contract, we have to consider the compatibility of precompiles. AnonCreds use BN254, which is compatible with Ethereum's precompile. source: https://hyperledger.github.io/anoncreds-spec/#generating-a-credential-definition-with-revocation-support
• What are the opportunities for ZKP and privacy application?
  • I think I want to introduce the framework from trust over ip https://trustoverip.org/wp-content/toip-model/
    • Opportunities of ZKP and privacy application belongs to layer 4: Application ecosystem.
    • AnonCreds is a on layer 3: a data exchange protocol.
  • It would be hard to discuss a layer 4 problem on layer 3. But with all layer 3 features supported. It's easy to think about applications in terms of the interactions between issuers, holders, and verifiers.
  • sharing a Taiwan's digital wallet post for inspiration https://moda.gov.tw/press/multimedia/blog/10279
• Interesting facts
  • Dmitry Khovratovich is one of the authors in the AnonCreds math paper. He is now in EF's cryptography team.