hyperledger-archives / indy-sdk

Support array types for credential attributes in Anon creds #2578

Closed georgepadayatti closed 1 year ago

georgepadayatti commented 1 year ago

Does anon creds support attributes that are an array of another data model?

If not, I am trying to understand the 'why' behind it, any thoughts would be appreciated.

An example for such a scenario would be, the following partial data model of an order receipt, where the invoiceLine field is an array of items present in the order.

```
{
  ...
  rest of the data
  ...
  "invoiceLine": [
    {
      "iD",
      "invoicedQuantity",
      "lineExtensionAmount",
      "item": {
        "name",
        "classifiedTaxCategory": {
          "iD",
          "percent",
          "taxScheme": {
            "iD"
          }
        }
      },
      "price": {
        "priceAmount"
      }
    }
  ]
}
```

swcurran commented 1 year ago

AnonCreds does not support arrays. The reason is that the signature scheme behind CL-Signatures uses a private key per attribute, the public key for which is in the credential definition. Those public keys are used to sign the attributes, so the credential must have the same attributes as in the credential definition.

BBS+ Signatures actually gets around that limitation by having a single key pair from which the “key per attribute” is derived at signing time. So that permits getting around the “no arrays” limitation, but then creates a whole other issue — how does a verifier request data in a coherent way when there is a dynamic amount of data in the credential? Or the holder decide how to respond to a presentation request? Might be doable, but it’s tricky.

What may work in some cases is to have the array of data in one attribute, and let verifiers know about the structure. You have to reveal the entire array at once (which is probably OK in most cases). Kind of ugly...
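
The single-attribute workaround described in the last comment, as an added example that is not part of the thread and is not indy-sdk code: the issuer collapses the array into one canonical JSON string under a fixed attribute name, and the verifier checks the revealed raw value against its encoding before parsing it. The attribute names `invoiceId` and `invoiceLine`, the sample lines, and the encoding rule (32-bit integers kept as-is, everything else hashed with SHA-256) are assumptions made for illustration.

```python
import hashlib
import json

# Hypothetical fixed attribute list, standing in for the names in a credential definition.
SCHEMA_ATTRS = ("invoiceId", "invoiceLine")

# Constructed sample data using field names from the order receipt in the question.
SAMPLE_LINES = [
    {"iD": "1", "invoicedQuantity": "2", "price": {"priceAmount": "10.00"}},
    {"iD": "2", "invoicedQuantity": "1", "price": {"priceAmount": "4.50"}},
]


def encode(raw: str) -> str:
    """Assumed encoding: 32-bit integers unchanged, anything else SHA-256 as a decimal integer."""
    try:
        n = int(raw)
        if str(n) == raw and -2**31 <= n < 2**31:
            return raw
    except ValueError:
        pass
    return str(int.from_bytes(hashlib.sha256(raw.encode("utf-8")).digest(), "big"))


def pack_array(items: list) -> str:
    """Canonical JSON (sorted keys, no whitespace) so every party derives the same string."""
    return json.dumps(items, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def build_cred_values(record: dict) -> dict:
    """Issuer side: one raw/encoded pair per attribute; arrays collapse into one string."""
    if set(record) != set(SCHEMA_ATTRS):
        raise ValueError("attribute names must match the credential definition exactly")
    values = {}
    for name, value in record.items():
        raw = pack_array(value) if isinstance(value, list) else str(value)
        values[name] = {"raw": raw, "encoded": encode(raw)}
    return values


def verifier_unpack(revealed: dict) -> list:
    """Verifier side: check raw against the signed encoding, then parse the agreed structure."""
    if encode(revealed["raw"]) != revealed["encoded"]:
        raise ValueError("revealed raw value does not match its encoded value")
    lines = json.loads(revealed["raw"])
    if not isinstance(lines, list) or not all(isinstance(l, dict) and "iD" in l for l in lines):
        raise ValueError("invoiceLine is not an array of line objects")
    return lines
```

Because the whole array is one signed value, the number of lines can vary per credential while the attribute list stays fixed, and any change to a single line changes the encoding of the entire attribute.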