Data Integrity BBS Cryptosuites v1.0

The Multikey format , as defined in [ VC-DATA-INTEGRITY ], is used to express public keys for the cryptographic suites defined in this specification.

The publicKeyMultibase property represents a Multibase-encoded Multikey expression of a BLS12-381 public key in the G2 group. The encoding of this field is the two-byte prefix 0xeb01 followed by the 96-byte compressed public key data. The 98-byte value is then encoded using base58-btc ( z ) as the prefix. Any other encodings MUST NOT be allowed.

Developers are advised to not accidentally publish a representation of a private key. Implementations of this specification will raise errors in the event of a [ MULTICODEC ] value other than 0xeb01 being used in a publicKeyMultibase value.

{
  "id": "https://example.com/issuer/123#key-0",
  "type": "Multikey",
  "controller": "https://example.com/issuer/123",
  "publicKeyMultibase": "zUC7EK3ZakmukHhuncwkbySmomv3FmrkmS36E4Ks5rsb6VQSRpoCrx6
  Hb8e2Nk6UvJFSdyw9NK1scFXJp21gNNYFjVWNgaqyGnkyhtagagCpQb5B7tagJu3HDbjQ8h
  5ypoHjwBb"
}

{
  "@context": [
    "https://www.w3.org/ns/did/v1",
    "https://w3id.org/security/data-integrity/v1"

    "https://w3id.org/security/multikey/v1"

  ],
  "id": "https://example.com/issuer/123",
  "verificationMethod": [{
    "id": "https://example.com/issuer/123#key-1",
    "type": "Multikey",
    "controller": "https://example.com/issuer/123",
    "publicKeyMultibase": "zUC7EK3ZakmukHhuncwkbySmomv3FmrkmS36E4Ks5rsb6VQSRpoCr
    x6Hb8e2Nk6UvJFSdyw9NK1scFXJp21gNNYFjVWNgaqyGnkyhtagagCpQb5B7tagJu3HDbjQ8h
    5ypoHjwBb"
  }]
}

A proof contains the attributes specified in the Proofs section of [ VC-DATA-INTEGRITY ] with the following restrictions.

The verificationMethod property of the proof MUST be a URL. Dereferencing the verificationMethod MUST result in an object containing a type property with the value set to Multikey .

The type property of the proof MUST be DataIntegrityProof .

The cryptosuite property of the proof MUST be bbs-2023 .

The value of the proofValue property of the proof MUST be a BBS signature or BBS proof produced according to [ CFRG-BBS-SIGNATURE ] that is serialized and encoded according to procedures in section 3. Algorithms .

The following algorithm creates a label map factory function that uses an HMAC to shuffle canonical blank node identifiers. The required input is an HMAC (previously initialized with a secret key), HMAC . A function, labelMapFactoryFunction , is produced as output.

1. Create a function, labelMapFactoryFunction , with one required input (a canonical node identifier map, canonicalIdMap ), that will return a blank node identifier map, bnodeIdMap , as output. Set the function's implementation to:
   1. Generate a new empty bnode identifier map, bnodeIdMap .
   2. For each map entry, entry , in canonicalIdMap :
      1. Perform an HMAC operation on the canonical identifier from the value in entry to get an HMAC digest, digest .
      2. Generate a new string value, b64urlDigest , and initialize it to "u" followed by appending a base64url-no-pad encoded version of the digest value.
      3. Add a new entry, newEntry , to bnodeIdMap using the key from entry and b64urlDigest as the value.
   3. Derive the shuffled mapping from the bnodeIdMap as follows:
      1. Set hmacIds to be the sorted array of values from the bnodeIdMap , and set bnodeKeys to be the ordered array of keys from the bnodeIdMap .
      2. For each key in bnodeKeys , replace the bnodeIdMap value for that key with the index position of the value in the hmacIds array prefixed by "b", i.e., bnodeIdMap.set(bkey, 'b' + hmacIds.indexOf(bnodeIdMap.get(bkey))) .
   4. Return bnodeIdMap .
2. Return labelMapFactoryFunction .

The following algorithm serializes the base proof value, including the BBS signature, HMAC key, and mandatory pointers. The required inputs are a base signature bbsSignature , an HMAC key hmacKey , and an array of mandatoryPointers . A single base proof string value is produced as output.

1. Initialize a byte array, proofValue , that starts with the BBS base proof header bytes 0xd9 , 0x5d , and 0x02 .
2. Initialize components to an array with five elements containing the values of: bbsSignature , bbsHeader , publicKey , hmacKey , and mandatoryPointers .
3. CBOR-encode components per [ RFC8949 ] where CBOR tagging MUST NOT be used on any of the components . Append the produced encoded value to proofValue .
4. Initialize baseProof to a string with the multibase-base64url-no-pad-encoding of proofValue . That is, return a string starting with " u " and ending with the base64url-no-pad-encoded value of proofValue .
5. Return baseProof as base proof .

The following algorithm parses the components of a bbs-2023 selective disclosure base proof value. The required input is a proof value ( proofValue ). A single object, parsed base proof , containing five or seven elements, using the names "bbsSignature", "bbsHeader", "publicKey", "hmacKey", "mandatoryPointers", and optional feature parameters "pid" and "signer_blind" is produced as output.

1. Ensure the proofValue string starts with u ( U+0075 LATIN SMALL LETTER U ) , indicating that it is a multibase-base64url-no-pad-encoded value, and throw an error if it does not.
2. Initialize decodedProofValue to the result of base64url-no-pad-decoding the substring following the leading u in proofValue .
3. Ensure that the decodedProofValue starts with the BBS base proof header bytes 0xd9 , 0x5d , and 0x02 , and throw an error if it does not.
4. Initialize components to an array that is the result of CBOR-decoding the bytes that follow the three-byte BBS base proof header.
5. Return an object with properties set to the following elements, using the names "bbsSignature", "bbsHeader", "publicKey", "hmacKey", "mandatoryPointers", (and optional feature parameters) "pid" and "signer_blind" respectively.

The following algorithm creates data to be used to generate a derived proof. The inputs include a JSON-LD document ( document ), a BBS base proof ( proof ), an array of JSON pointers to use to selectively disclose statements ( selectivePointers ), an OPTIONAL BBS presentationHeader (byte array that defaults to an empty byte array if not present), an OPTIONAL commitment_with_proof (a byte array), an OPTIONAL pid value (a byte array), and any custom JSON-LD API options (such as a document loader). A single object, disclosure data , is produced as output, which contains the bbsProof , labelMap , mandatoryIndexes , selectiveIndexes , presentationHeader , and revealDocument fields.

1. Initialize bbsSignature , bbsHeader , publicKey , hmacKey , mandatoryPointers , and the optional feature parameters pid and signer_blind to the values of the associated properties in the object returned when calling the algorithm in Section 3.3.2 parseBaseProofValue , passing the proofValue from proof .
2. Initialize hmac to an HMAC API using hmacKey . The HMAC uses the same hash algorithm used in the signature algorithm, i.e., SHA-256.
3. Initialize labelMapFactoryFunction to the result of calling the createShuffledIdLabelMapFunction algorithm passing hmac as HMAC .
4. Initialize combinedPointers to the concatenation of mandatoryPointers and selectivePointers .
5. Initialize groupDefinitions to a map with the following entries: key of the string "mandatory" and value of mandatoryPointers ; key of the string "selective" and value of selectivePointers ; and key of the string "combined" and value of combinedPointers .
6. Initialize groups and labelMap to the result of calling the algorithm in Section 3.3.16 canonicalizeAndGroup of the [ DI-ECDSA ] specification, passing document labelMapFactoryFunction , groupDefinitions , and any custom JSON-LD API options. Note: This step transforms the document into an array of canonical N-Quads whose order has been shuffled based on 'hmac' applied blank node identifiers, and groups the N-Quad strings according to selections based on JSON pointers.
7. Compute the mandatory indexes relative to their positions in the combined statement list, i.e., find the position at which a mandatory statement occurs in the list of combined statements. One method for doing this is given below.
   1. Initialize mandatoryIndexes to an empty array. Set mandatoryMatch to groups.mandatory.matching map; set combinedMatch to groups.combined.matching ; and set combinedIndexes to the ordered array of just the keys of the combinedMatch map.
   2. For each key in the mandatoryMatch map, find its index in the combinedIndexes array (e.g., combinedIndexes.indexOf(key) ), and add this value to the mandatoryIndexes array.
8. Compute the selective indexes relative to their positions in the non-mandatory statement list, i.e., find the position at which a selected statement occurs in the list of non-mandatory statements. One method for doing this is given below.
   1. Initialize selectiveIndexes to an empty array. Set selectiveMatch to the groups.selective.matching map; set mandatoryNonMatch to the map groups.mandatory.nonMatching ; and nonMandatoryIndexes to to the ordered array of just the keys of the mandatoryNonMatch map.
   2. For each key in the selectiveMatch map, find its index in the nonMandatoryIndexes array (e.g., nonMandatoryIndexes.indexOf(key) ), and add this value to the selectiveIndexes array.
9. Initialize bbsMessages to an array of byte arrays containing the values in the nonMandatory array of strings encoded using the UTF-8 character encoding .
10. Set bbsProof to the value computed by the appropriate procedure given below based on the values of the commitment_with_proof and pid options.
    1. If both commitment_with_proof and pid options are empty, set bbsProof to the value computed by the ProofGen procedure from [ CFRG-BBS-SIGNATURE ], i.e., ProofGen(PK, signature, header, ph, messages, disclosed_indexes) , where PK is the original issuers public key, signature is the bbsSignature , header is the bbsHeader , ph is the presentationHeader messages is bbsMessages , and disclosed_indexes is selectiveIndexes .
    2. If commitment_with_proof is not empty and pid is empty, set bbsProof to the value computed by the ProofGen procedure from [ CFRG-Blind-BBS-Signature ], where PK is the original issuers public key, signature is the bbsSignature , header is the bbsHeader , ph is the presentationHeader messages is bbsMessages , disclosed_indexes is selectiveIndexes , commitment_with_proof , and signer_blind . The holder will also furnish its "secret value" that was used to compute the commitment_with_proof . This is the "anonymous holder binding" option.
    3. If pid is not empty, compute the pseudonym according to the procedures given in [ CFRG-Pseudonym-BBS-Signature ], and set bbsProof to the value computed by the ProofGen procedure from [ CFRG-Pseudonym-BBS-Signature ], where PK is the original issuers public key, signature is the bbsSignature , header is the bbsHeader , ph is the presentationHeader messages is bbsMessages , disclosed_indexes is selectiveIndexes , and pseudonym is the pseudonym . This is for both "pseudonym with issuer known pid" and "pseudonym with hidden pid" cases.
11. Initialize revealDocument to the result of the "selectJsonLd" algorithm, passing document , and combinedPointers as pointers .
12. Run the RDF Dataset Canonicalization Algorithm [ RDF-CANON ] on the joined combinedGroup.deskolemizedNQuads , passing any custom options, and get the canonical bnode identifier map, canonicalIdMap . Note: This map includes the canonical blank node identifiers that a verifier will produce when they canonicalize the reveal document.
13. Initialize verifierLabelMap to an empty map. This map will map the canonical blank node identifiers produced by the verifier when they canonicalize the revealed document, to the blank node identifiers that were originally signed in the base proof.
14. For each key ( inputLabel ) and value ( verifierLabel ) in `canonicalIdMap:
    1. Add an entry to verifierLabelMap , using verifierLabel as the key, and the value associated with inputLabel as a key in labelMap as the value.
15. Return an object with properties matching bbsProof , "verifierLabelMap" for labelMap , mandatoryIndexes , selectiveIndexes , revealDocument , and pseudonym , if computed.

The following algorithm compresses a label map. The required input is label map ( labelMap ). The output is a compressed label map .

1. Initialize map to an empty map.
2. For each entry ( k , v ) in labelMap :
   1. Add an entry to map , with a key that is a base-10 integer parsed from the characters following the "c14n" prefix in k , and a value that is a base-10 integer parsed from the characters following the "b" prefix in v .
3. Return map as compressed label map .

The following algorithm decompresses a label map. The required input is a compressed label map ( compressedLabelMap ). The output is a decompressed label map .

1. Initialize map to an empty map.
2. For each entry ( k , v ) in compressedLabelMap :
   1. Add an entry to map , with a key that adds the prefix "c14n" to k , and a value that adds a prefix of "b" to v .
3. Return map as decompressed label map .

The following algorithm serializes a derived proof value. The required inputs are a BBS proof ( bbsProof ), a label map ( labelMap ), an array of mandatory indexes ( mandatoryIndexes ), an array of selective indexes ( selectiveIndexes ), and a BBS presentation header ( presentationHeader ). Optional input is pseudonym . A single derived proof value, serialized as a byte string, is produced as output.

1. Initialize compressedLabelMap to the result of calling the algorithm in Section 3.3.4 compressLabelMap , passing labelMap as the parameter.
2. Initialize a byte array, proofValue , that starts with the BBS disclosure proof header bytes 0xd9 , 0x5d , and 0x03 .
3. Initialize components to an array with elements containing the values of bbsProof , compressedLabelMap , mandatoryIndexes , selectiveIndexes , presentationHeader , and, if provided, pseudonym .
4. CBOR-encode components per [ RFC8949 ] where CBOR tagging MUST NOT be used on any of the components . Append the produced encoded value to proofValue .
5. Return the derived proof as a string with the multibase-base64url-no-pad-encoding of proofValue . That is, return a string starting with " u " and ending with the base64url-no-pad-encoded value of proofValue .

The following algorithm parses the components of the derived proof value. The required input is a derived proof value ( proofValue ). A single derived proof value object is produced as output, which contains a set of five or six elements, having the names bbsProof , labelMap , mandatoryIndexes , selectiveIndexes , presentationHeader , and the optional pseudonym parameter.

1. Ensure the proofValue string starts with u ( U+0075 , LATIN SMALL LETTER U ) , indicating that it is a multibase-base64url-no-pad-encoded value, and throw an error if it does not.
2. Initialize decodedProofValue to the result of base64url-no-pad-decoding the substring that follows the leading u in proofValue .
3. Ensure that the decodedProofValue starts with the BBS disclosure proof header bytes 0xd9 , 0x5d , and 0x03 , and throw an error if it does not.
4. Initialize components to an array that is the result of CBOR-decoding the bytes that follow the three-byte BBS disclosure proof header. Ensure the result is an array of five or six elements — a byte array, a map of integers to integers, an array of integers, another array of integers, and a byte array; otherwise, throw an error.
5. Replace the second element in components using the result of calling the algorithm in Section 3.3.5 decompressLabelMap , passing the existing second element of components as compressedLabelMap .
6. Return derived proof value as an object with properties set to the five elements, using the names bbsProof , labelMap , mandatoryIndexes , selectiveIndexes , presentationHeader , and optional pseudonym , respectively.

The following algorithm creates the data needed to perform verification of a BBS-protected verifiable credential . The inputs include a JSON-LD document ( document ), a BBS disclosure proof ( proof ), and any custom JSON-LD API options (such as a document loader). A single verify data object value is produced as output containing the following fields: bbsProof , proofHash , mandatoryHash , selectedIndexes , presentationHeader , and nonMandatory .

1. Initialize proofHash to the result of performing RDF Dataset Canonicalization [ RDF-CANON ] on the proof options, i.e., the proof portion of the document with the proofValue removed. The hash used is the same as that used in the signature algorithm, i.e., SHA-256. Note: This step can be performed in parallel; it only needs to be completed before this algorithm needs to use the proofHash value.
2. Initialize bbsProof , labelMap , mandatoryIndexes , selectiveIndexes , presentationHeader , and pseudonym to the values associated with their property names in the object returned when calling the algorithm in Section 3.3.7 parseDerivedProofValue , passing proofValue from proof .
3. Initialize labelMapFactoryFunction to the result of calling the " createLabelMapFunction " algorithm.
4. Initialize nquads to the result of calling the " labelReplacementCanonicalize " algorithm of [ DI-ECDSA ], passing document , labelMapFactoryFunction , and any custom JSON-LD API options. Note: This step transforms the document into an array of canonical N-Quads with pseudorandom blank node identifiers based on labelMap .
5. Initialize mandatory to an empty array.
6. Initialize nonMandatory to an empty array.
7. For each entry ( index , nq ) in nquads , separate the N-Quads into mandatory and non-mandatory categories:
   1. If mandatoryIndexes includes index , add nq to mandatory .
   2. Otherwise, add nq to nonMandatory .
8. Initialize mandatoryHash to the result of calling the " hashMandatory " primitive, passing mandatory .
9. Return an object with properties matching baseSignature , proofHash , nonMandatory , mandatoryHash , selectiveIndexes , and pseudonym .

The following algorithm specifies how to create a data integrity proof given an unsecured data document . Required inputs are an unsecured data document ( map unsecuredDocument ), and a set of proof options ( map options ). A data integrity proof ( map ), or an error, is produced as output.

1. Let proof be a clone of the proof options, options .
2. Let proofConfig be the result of running the algorithm in Section 3.4.4 Base Proof Configuration (bbs-2023) with options passed as a parameter.
3. Let transformedData be the result of running the algorithm in Section 3.4.2 Base Proof Transformation (bbs-2023) with unsecuredDocument , proofConfig , and options passed as parameters.
4. Let hashData be the result of running the algorithm in Section 3.4.3 Base Proof Hashing (bbs-2023) with transformedData and proofConfig passed as a parameters.
5. Let proofBytes be the result of running the algorithm in Section 3.4.5 Base Proof Serialization (bbs-2023) with hashData and options passed as parameters.
6. Let proof . proofValue be a base64url-encoded Multibase value of the proofBytes .
7. Return proof as the data integrity proof .

The following algorithm specifies how to transform an unsecured input document into a transformed document that is ready to be provided as input to the hashing algorithm in Section 3.4.3 Base Proof Hashing (bbs-2023) .

Required inputs to this algorithm are an unsecured data document ( unsecuredDocument ) and transformation options ( options ). The transformation options MUST contain a type identifier for the cryptographic suite ( type ), a cryptosuite identifier ( cryptosuite ), and a verification method ( verificationMethod ). The transformation options MUST contain an array of mandatory JSON pointers ( mandatoryPointers ) and MAY contain additional options, such as a JSON-LD document loader. A transformed data document is produced as output. Whenever this algorithm encodes strings, it MUST use UTF-8 encoding.

1. Initialize hmac to an HMAC API using a locally generated and exportable HMAC key. The HMAC uses the same hash algorithm used in the signature algorithm, i.e., SHA-256. Per the recommendations of [ RFC2104 ], the HMAC key MUST be the same length as the digest size; for SHA-256, this is 256 bits or 32 bytes.
2. Initialize labelMapFactoryFunction to the result of calling the createShuffledIdLabelMapFunction algorithm passing hmac as HMAC .
3. Initialize groupDefinitions to a map with an entry with a key of the string " mandatory " and a value of mandatoryPointers .
4. Initialize groups to the result of calling the algorithm in Section 3.3.16 canonicalizeAndGroup of the [ DI-ECDSA ] specification, passing labelMapFactoryFunction , groupDefinitions , unsecuredDocument as document , and any custom JSON-LD API options. Note: This step transforms the document into an array of canonical N-Quads whose order has been shuffled based on 'hmac' applied blank node identifiers, and groups the N-Quad strings according to selections based on JSON pointers.
5. Initialize mandatory to the values in the groups.mandatory.matching map.
6. Initialize nonMandatory to the values in the groups.mandatory.nonMatching map.
7. Initialize hmacKey to the result of exporting the HMAC key from hmac .
8. Return an object with " mandatoryPointers " set to mandatoryPointers , " mandatory " set to mandatory , " nonMandatory " set to nonMandatory , and " hmacKey " set to hmacKey .

The following algorithm specifies how to cryptographically hash a transformed data document and proof configuration into cryptographic hash data that is ready to be provided as input to the algorithms in Section 3.4.5 Base Proof Serialization (bbs-2023) .

The required inputs to this algorithm are a transformed data document ( transformedDocument ) and canonical proof configuration ( canonicalProofConfig ). A hash data value represented as an object is produced as output.

1. Initialize proofHash to the result of calling the RDF Dataset Canonicalization algorithm [ RDF-CANON ] on canonicalProofConfig and then cryptographically hashing the result using the same hash that is used by the signature algorithm, i.e., SHA-256. Note: This step can be performed in parallel; it only needs to be completed before this algorithm terminates, as the result is part of the return value.
2. Initialize mandatoryHash to the result of calling the the algorithm in Section 3.3.17 hashMandatoryNQuads of the [ DI-ECDSA ] specification, passing transformedDocument . mandatory and using the SHA-256 algorithm.
3. Initialize hashData as a deep copy of transformedDocument , and add proofHash as " proofHash " and mandatoryHash as " mandatoryHash " to that object.
4. Return hashData as hash data .

The following algorithm specifies how to generate a proof configuration from a set of proof options that is used as input to the base proof hashing algorithm .

The required inputs to this algorithm are proof options ( options ). The proof options MUST contain a type identifier for the cryptographic suite ( type ) and MUST contain a cryptosuite identifier ( cryptosuite ). A proof configuration object is produced as output.

1. Let proofConfig be a clone of the options object.
2. If proofConfig . type is not set to DataIntegirtyProof and/or proofConfig . cryptosuite is not set to bbs-2023 , an INVALID_PROOF_CONFIGURATION error MUST be raised.
3. If proofConfig . created is set and if the value is not a valid [ XMLSCHEMA11-2 ] datetime, an INVALID_PROOF_DATETIME error MUST be raised.
4. Set proofConfig . @context to unsecuredDocument . @context .
5. Let canonicalProofConfig be the result of applying the Universal RDF Dataset Canonicalization Algorithm [ RDF-CANON ] to the proofConfig .
6. Return canonicalProofConfig .

The following algorithm, to be called by an issuer of a BBS-protected Verifiable Credential, specifies how to create a base proof. The base proof is to be given only to the holder, who is responsible for generating a derived proof from it, exposing only selectively disclosed details in the proof to a verifier. This algorithm is designed to be used in conjunction with the algorithms defined in the Data Integrity [ VC-DATA-INTEGRITY ] specification, Section 4: Algorithms . Required inputs are cryptographic hash data ( hashData ) and proof options ( options ). Optional inputs include a commitment_with_proof byte array and/or a use_pseudonyms boolean. The proof options MUST contain a type identifier for the cryptographic suite ( type ) and MAY contain a cryptosuite identifier ( cryptosuite ). A single digital proof value represented as series of bytes is produced as output.

1. Initialize proofHash , mandatoryPointers , mandatoryHash , nonMandatory , and hmacKey to the values associated with their property names in hashData .
2. Initialize bbsHeader to the concatenation of proofHash and mandatoryHash in that order.
3. Initialize bbsMessages to an array of byte arrays containing the values in the nonMandatory array of strings encoded using the UTF-8 character encoding .
4. Compute the bbsSignature using the procedures below, dependent on the values of commitment_with_proof and use_pseudonyms options.
   1. If commitment_with_proof is empty and use_pseudonyms is false, compute the bbsSignature using the Sign procedure of [ CFRG-BBS-Signature ], with appropriate key material, bbsHeader for the header , and bbsMessages for the messages .
   2. If commitment_with_proof is not empty and use_pseudonyms is false, compute the bbsSignature using the Sign procedure of [ CFRG-Blind-BBS-Signature ], with appropriate key material, bbsHeader for the header , and bbsMessages for the messages . If the signing procedure uses the optional signer_blind parameter, retain this value for use when calling 3.3.1 serializeBaseProofValue (below). This provides for the "anonymous holder binding" feature.
   3. If commitment_with_proof is empty and use_pseudonyms is true, generate a cryptographically random 32 byte pid value. Compute the bbsSignature using the Sign procedure of [ CFRG-Pseudonym-BBS-Signature ], with appropriate key material, bbsHeader for the header , bbsMessages for the messages , and pid for the pid . Retain the pid value for use when calling 3.3.1 serializeBaseProofValue below. This provides for "pseudonym with issuer known pid".
   4. If commitment_with_proof is not empty and use_pseudonyms is true, compute the bbsSignature using the Sign procedure of [ CFRG-Pseudonym-BBS-Signature ], with appropriate key material, bbsHeader for the header , bbsMessages for the messages , and commitment_with_proof for the commitment_with_proof . If the signing procedure uses the optional signer_blind parameter retain this value for use when calling 3.3.1 serializeBaseProofValue below. This provides for the "pseudonym with hidden pid" feature.
5. Initialize `proofValue to the result of calling the algorithm in Section 3.3.1 serializeBaseProofValue , passing bbsSignature , bbsHeader , publicKey , hmacKey , mandatoryPointers , pid , and signer_blind values as paramters. Use empty byte arrays for pid and signer_blind if they are not used. Note publicKey is a byte array of the public key, encoded according to [ CFRG-BBS-SIGNATURE ].
6. Return proofValue as digital proof .

The following algorithm, to be called by a holder of a bbs-2023 -protected verifiable credential , creates a selective disclosure derived proof. The derived proof is to be given to the verifier . The inputs include a JSON-LD document ( document ), a BBS base proof ( proof ), an array of JSON pointers to use to selectively disclose statements ( selectivePointers ), an OPTIONAL BBS presentationHeader (a byte array), an OPTIONAL commitment_with_proof (a byte array), an OPTIONAL pid value (a byte array), and any custom JSON-LD API options, such as a document loader. A single selectively revealed document value, represented as an object, is produced as output.

1. Initialize bbsProof , labelMap , mandatoryIndexes , selectiveIndexes , and revealDocument to the values associated with their property names in the object returned when calling the algorithm in Section 3.3.3 createDisclosureData , passing the document , proof , selectivePointers , presentationHeader , and any custom JSON-LD API options, such as a document loader.
2. Initialize newProof to a shallow copy of proof .
3. Replace proofValue in newProof with the result of calling the algorithm in Section 3.3.6 serializeDerivedProofValue , passing bbsProof , labelMap , mandatoryIndexes , selectiveIndexes , commitment_with_proof , and pid .
4. Set the value of the " proof " property in revealDocument to newProof .
5. Return revealDocument as the selectively revealed document .

The following algorithm specifies how to verify a data integrity proof given an secured data document . Required inputs are a secured data document ( map securedDocument ). This algorithm returns a verification result , which is a struct whose items are:

verified

true or false

verifiedDocument

Null , if verified is false ; otherwise, an unsecured data document

To verify a derived proof, perform the following steps:

1. Let unsecuredDocument be a copy of securedDocument with the proof value removed.
2. Let proofConfig be a copy of securedDocument . proof with proofValue removed.
3. Let proof be the value of securedDocument . proof .
4. Initialize bbsProof , proofHash , mandatoryHash , selectedIndexes , presentationHeader , pseudonym , and nonMandatory to the values associated with their property names in the object returned when calling the algorithm in Section 3.3.8 createVerifyData , passing the unsecuredDocument , proof , and any custom JSON-LD API options (such as a document loader).
5. Initialize bbsHeader to the concatenation of proofHash and mandatoryHash in that order. Initialize disclosedMessages to an array of byte arrays obtained from the UTF-8 encoding of the elements of the nonMandatory array.
6. Initialize verified to the result of applying the verification algorithm below, depending on whether the pseudonym value is empty.
   1. If the pseudonym value is empty, initialize verified to the result of applying the verification algorithm ProofVerify(PK, proof, header, ph, disclosed_messages, disclosed_indexes) of [ CFRG-BBS-SIGNATURE ] with PK set as the public key of the original issuer, proof set as bbsProof , header set as bbsHeader , disclosed_messages set as disclosedMessages , ph set as presentationHeader , and disclosed_indexes set as selectiveIndexes . This applies to the regular BBS proof case as well as "anonymous holder binding" case.
   2. If the pseudonym value is not empty, initialize verified to the result of applying the verification algorithm PseudonymProofVerify(PK, proof, header, ph, disclosed_messages, disclosed_indexes, pseudonym) of [ CFRG-Pseudonym-BBS-Signature ], with PK set as the public key of the original issuer, proof set as bbsProof , header set as bbsHeader , disclosed_messages set as disclosedMessages , ph set as presentationHeader , disclosed_indexes set as selectiveIndexes , and pseudonym . This applies to the "pseudonym with issuer known pid" and "pseudonym with hidden pid" cases.
7. Return a verification result with items :

   verified

   verified

   verifiedDocument

   unsecuredDocument if verified is true , otherwise Null