Can we require protocols to support unlinkable revocation?
@martinthomson voiced concerns about unlinkable revocation methods such as Cryptographic Accumulators being widely applicable enough to make them part of the protocol registry inclusion criteria for privacy.
I don't have enough practical experience on this topic to decide - so I'm opening this issue for discussion.
summoning @jaromil @andrea-dintino @mmaker
The only issue is that we are talking about protocols, which potentially support different credential formats, which potentially support different revocation methods depending on their “profile.” I agree that it is good to be concerned about the entire Layer 3 of Credentials, but I think it is complex to verify which specific profile is used.
Yeah, sorry, I guess we could say "protocol needs to support formats that support unlinkable revocation", if this was our goal.
@johannhof thanks for the clarification, it makes sense to me
This problem is very dear to me, the first of the 'seven sins' in EUDI. To contribute to the discussion we published SD-BLS in an IEEE journal; here is the preprint in open access: https://arxiv.org/abs/2406.19035
My comments:
- Accumulators don't scale enough to do large-scale revocation: producing a "Witness" (i.e. calculating a blob of credential hashes) for 1,000,000 signatures takes 5-8 sec (adding the 1,000,001st takes 5-8 sec and a little more)
- Our SD-BLS paper proposes a solution to do unlinkable revocation, without going through accumulators
- Longfellow-zk (implementation of Frigo and Shelat's paper) changes the rules of the game and the priorities on revocation quite a bit
From a layering perspective, this is very likely bound to credential formats - on the protocol level it would mainly be about being able to support such formats (and possibly additional data required in a presentation to convey credential status) imho?
Generally speaking, revocation seems to be still in a pretty weird state and best case for the time being seems to be to try to avoid revocation or reduce its burden by issuing short-lived credentials. Accumulators or similar techniques don't really help you much if your credentials are ECDSA based (and you are presenting those directly) since proving the binding to the credential becomes really hard without losing privacy. Privacy-preserving (unlinkable) revocation becomes imho really important for the shift towards Anonymous Credentials (ZKP).