That prevents the site from knowing your identity, but I’m not convinced it prevents the government from knowing you visit the site. The government could keep track of which document corresponds to which individual whenever they issue / sign it.
So if the government mandated that each signed proof of “age>18” was stored by the service and mapped to each account (to validate their proof), then the government could request the service to provide them copy of the proof and then cross-check from their end which particular individual is linked to it.
The reason why it works is a bit complicated, but basically the trick is that the signatures are not immutable. Given a valid signature, it is possible to create a new valid signature over the same content that is not linkable to the original one. This means that it is still possible to derive, what authority signed the document, but the authority cannot know in which transaction it has signed that specific document.
If you have no way to link the signature to the original document, then how do you validate that the signature is coming from a document without repetition / abuse?
How do you ensure there aren’t hundreds of signatures used for different accounts all done by the same stolen eID that might be circulating online without the government realizing it?
Can the government revoke the credentials of a specific individual? …because if they can’t then that looks like a big gap that could create a market of ever-growing stolen eIDs (or reusing eIDs from the deceased) …and if they can revoke, what stops the government from creating a simulation in which they revoke one specific individual and then check what signatures end up being revoked to identify which ones belong to that person? The government can mandate the services to provide them all data they have so it can be analyzed as if they were Issuer, Registry and Verifier, all in one, without separation of powers.
I know there are ways to try and fix this, but those ways have other problems too, which end up forcing the need for a compromise… there’s no algorithm that perfectly provides anonymity and full verifiability with a perfect method of revocation that does not require checks at every user login. For example, with the eIDAS 2.0 system (considered zero-knowledge proof), the government does have knowledge of the “secret serial number” that is used in revocation, so if they collude with the service they can identify people by running some tests on the data.
The anonymous credential signature scheme that is planned to be used is BBS#, I don’t know how it handles revocation.
Additionally, BBS# proposes a solution for device-binding from ECDSA-signatures, relying on re-randomization of ECDSA signatures and public keys. Furthermore, a trust model for BBS# that covers revocation and proof of validity is defined in [BBT2025].
That prevents the site from knowing your identity, but I’m not convinced it prevents the government from knowing you visit the site. The government could keep track of which document corresponds to which individual whenever they issue / sign it.
So if the government mandated that each signed proof of “age>18” was stored by the service and mapped to each account (to validate their proof), then the government could request the service to provide them copy of the proof and then cross-check from their end which particular individual is linked to it.
The reason why it works is a bit complicated, but basically the trick is that the signatures are not immutable. Given a valid signature, it is possible to create a new valid signature over the same content that is not linkable to the original one. This means that it is still possible to derive, what authority signed the document, but the authority cannot know in which transaction it has signed that specific document.
If you have no way to link the signature to the original document, then how do you validate that the signature is coming from a document without repetition / abuse?
How do you ensure there aren’t hundreds of signatures used for different accounts all done by the same stolen eID that might be circulating online without the government realizing it?
Can the government revoke the credentials of a specific individual? …because if they can’t then that looks like a big gap that could create a market of ever-growing stolen eIDs (or reusing eIDs from the deceased) …and if they can revoke, what stops the government from creating a simulation in which they revoke one specific individual and then check what signatures end up being revoked to identify which ones belong to that person? The government can mandate the services to provide them all data they have so it can be analyzed as if they were Issuer, Registry and Verifier, all in one, without separation of powers.
I know there are ways to try and fix this, but those ways have other problems too, which end up forcing the need for a compromise… there’s no algorithm that perfectly provides anonymity and full verifiability with a perfect method of revocation that does not require checks at every user login. For example, with the eIDAS 2.0 system (considered zero-knowledge proof), the government does have knowledge of the “secret serial number” that is used in revocation, so if they collude with the service they can identify people by running some tests on the data.
The anonymous credential signature scheme that is planned to be used is BBS#, I don’t know how it handles revocation.
https://github.com/eu-digital-identity-wallet/eudi-doc-standards-and-technical-specifications/blob/main/docs/technical-specifications/ts4-zkp.md
I haven’t found where in that source the implementation of revocation is discussed.
Edit: https://github.com/Orange-OpenSource/BBS-SHARP-doc-eudi-wallet/blob/main/Trust-model-privacy-on-attestation-presentation.md#14-attestation-revocation
Seems like no ways of enabling privacy preserving revocation with bbs# are known jet. This means that arithmetic circuit based proofs would be the only way to enable revocation. And as they can prove any statement in NP with ZK, the fact that they can prove that a revocation id is not part of a given list is obvious. https://github.com/eu-digital-identity-wallet/eudi-doc-standards-and-technical-specifications/blob/main/docs/technical-specifications/ts4-zkp.md#22-proofs-for-arithmetic-circuits-programmable-zkps
https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/main-51.pdf As crescent by Microsoft is one of the considered implemations, this paper is probably the most relevant work on revocation of anonymous credentials.