Credential Proof

A cryptographic method that allows one party (the prover) to prove to another (the verifier) that a statement is true without revealing any information beyond the validity of the statement itself. This is the foundation for privacy-preserving credential verification.

• Key Property: Enables selective disclosure (e.g., proving you are over 21 without revealing your birthdate).
• Common Types: zk-SNARKs, zk-STARKs, Bulletproofs.
• Example: A user proves they have a sufficient credit score to access a DeFi loan without revealing the exact score.

A specific type of proof that allows a holder to reveal only specific claims from a credential while keeping the rest hidden. It is a practical application of ZKPs for credential systems.

• Mechanism: Uses cryptographic commitments and zero-knowledge proofs to prove statements about hidden data.
• Use Case: Disclosing only your country of residence from a passport credential, hiding your name, ID number, and photo.
• Standard: Often implemented using BBS+ signatures or similar ZKP schemes.

A compact proof that a specific piece of data (like a credential hash) is part of a larger dataset (like a Merkle tree root stored on-chain). It proves membership without revealing the entire dataset.

• Components: A path of cryptographic hashes from the leaf to the publicly known root.
• Efficiency: Allows verifiers to check credential revocation or issuance status with minimal on-chain data.
• Common Use: Revocation Registries where a credential's unique ID is added to a Merkle tree when revoked.

A proof that demonstrates a credential is currently valid and has not been revoked by its issuer. This is critical for maintaining the trust and freshness of credentials over time.

• Methods: Can be implemented via accumulators, Merkle tree proofs, or status list credentials.
• On-Chain Pattern: The issuer maintains a revocation registry (e.g., a smart contract or Merkle root), and the holder provides a proof their credential ID is not on the list.
• Privacy-Preserving: Advanced schemes allow proving non-revocation without revealing the credential identifier.

A proof that demonstrates the presenter of a credential is its legitimate holder and controls the associated cryptographic key. This prevents credential theft and replay attacks.

• Mechanism: The verifier sends a cryptographic challenge (nonce), and the holder must sign it with their private key.
• Binding: Links the credential presentation to a specific session, ensuring the credential isn't being reused by a different party.
• Standard Practice: A mandatory step in most credential presentation protocols like OIDC4VP.

The critical privacy-enhancing technology for advanced credential proofs. Zero-Knowledge Proofs allow a prover to cryptographically demonstrate knowledge of a secret or the truth of a statement (e.g., 'I am a citizen of Country X') without revealing the secret or statement itself.

• Application: Enables privacy-preserving verification for credentials.
• Use Case: Proving you are over 18 from a passport VC without disclosing your birth date or document number.

A primary application of credential proofs in decentralized governance and distribution. Proof of Personhood systems issue credentials that cryptographically attest an entity is a unique human, mitigating Sybil attacks where one entity creates multiple fake identities.

• Examples: Worldcoin's Proof of Personhood, BrightID, and Gitcoin Passport.
• Impact: Enables fair airdrops, democratic voting in DAOs, and equitable resource allocation (e.g., quadratic funding).

Standards ensuring credential proofs are portable across different platforms and verifiers. This involves agreed-upon schema formats (defining the structure of a credential) and verification protocols.

• Key Standards: W3C VC Data Model, JSON-LD for linked data contexts, and JWT for compact serialization.
• Importance: Prevents vendor lock-in, allowing a credential issued by one entity (e.g., a university) to be verified by another (e.g., an employer) seamlessly.

The cryptographic engine for privacy-preserving credential proofs. A Zero-Knowledge Proof allows a prover to convince a verifier that a statement is true without revealing any information beyond the validity of the statement itself. This is fundamental for proving attributes like age or citizenship without disclosing a birth date or passport number.

• Types: Common schemes include zk-SNARKs (Succinct Non-interactive ARguments of Knowledge) and zk-STARKs (Scalable Transparent ARguments of Knowledge).
• Use Case: A user proves they are over 18 by generating a ZKP from their credential, revealing only the boolean result.

A core privacy feature that allows a user to reveal only specific, necessary attributes from a broader credential. Instead of presenting an entire digital driver's license, a user can selectively disclose just their photo and name, while keeping their address and license number hidden.

• Granular Control: Enables minimal data exposure, adhering to privacy-by-design principles.
• Cryptographic Basis: Often implemented using BBS+ signatures or ZKPs, allowing the verifier to cryptographically confirm the disclosed data is part of a valid, signed credential.

The W3C-standardized format and lifecycle for digital credentials. A Verifiable Credential is a tamper-evident credential whose authorship and integrity can be cryptographically verified. It consists of claims (the data), metadata, and proofs.

• Issuer: The authoritative entity that signs and issues the VC (e.g., a government).
• Holder: The subject who stores and controls the VC.
• Verifier: The party that requests and validates the proof from the holder.
• Trust Anchor: The verifier's trust in the credential stems from trust in the issuer's cryptographic key (DID).

The foundation for issuer and holder identity in decentralized systems. A Decentralized Identifier is a globally unique, cryptographically verifiable identifier controlled by its subject, not a central registry. DIDs resolve to DID Documents containing public keys for authentication and issuing proofs.

• Self-Sovereignty: Users control their DID and associated keys, reducing reliance on centralized identity providers.
• Verifiable Issuance: A credential proof is trusted because it is signed by a key listed in the issuer's publicly resolvable DID Document, establishing a verifiable chain of trust.

Mechanisms to invalidate credentials before their natural expiration. Revocation is critical for security when a credential is compromised (e.g., a lost device) or an attribute changes (e.g., a revoked license).

• Status Lists: Common methods include Revocation Lists (like a CRL) or Status List 2021, where a bit in a cryptographically signed list indicates validity.
• Privacy-Preserving Checks: Advanced schemes allow a verifier to check revocation status via a ZKP, so the verifier learns only if the credential is valid, not its unique identifier.

Security threats targeting the proof presentation process. A Presentation Attack occurs when a malicious actor attempts to fraudulently present a credential proof.

• Replay Attacks: Preventing the reuse of a captured proof. Mitigated by including verifier-provided nonces (unique numbers used once) in the proof generation.
• MIMT & Phishing: Verifiers must authenticate themselves to holders to prevent Man-in-the-Middle attacks where proofs are sent to fake verifiers.
• Credential Stuffing: Attackers attempt to use stolen credential data. Mitigated by binding credentials to strong holder authentication (e.g., biometrics or hardware security keys).

A Zero-Knowledge Proof is a cryptographic method that allows one party (the prover) to prove to another (the verifier) that a statement is true without revealing any information beyond the validity of the statement itself. This is crucial for privacy-preserving credential proofs.

• Application: Proving you are over 21 without revealing your birth date.
• Types: Includes zk-SNARKs, zk-STARKs, and Bulletproofs.

Selective Disclosure is the capability to reveal only specific, necessary attributes from a credential, rather than the entire document. This enhances privacy and minimizes data exposure.

• Mechanism: Often implemented using BBS+ signatures or Zero-Knowledge Proofs.
• Example: Sharing only your name and photo from a driver's license credential, while hiding your address and license number.

These are the three primary roles in a credential proof ecosystem, defined by the W3C Verifiable Credentials data model.

• Issuer: The trusted entity that creates and cryptographically signs the credential (e.g., a government, university, or certification body).
• Holder: The subject of the credential who receives, stores, and controls its presentation (e.g., a citizen or employee).
• Verifier: The party that requests and validates the credential proof to grant access or service.

A Verifiable Presentation is the data format a Holder uses to present one or more credentials to a Verifier. A Proof Request (or Presentation Definition) is the query from a Verifier specifying exactly which credentials or claims are required.

• Flow: Verifier sends a Proof Request → Holder creates a Verifiable Presentation in response → Verifier validates it.
• Security: The presentation itself is cryptographically signed by the Holder, proving they control the credentials.