Aggregate Verifiable Claims

[kjetilk]

Use case based on old proposal in #37 :

A subject collects data from several issuers, and produces an aggregate of those data (say, for example a sum). This aggregate should be verifiable by a verifier, without revealing the data that is used to compute the aggregate, and preferably also not information about the issuers.

[jandrieu]

Can you give a good example of a specific subject that is doing this for a good reason? I'm not sure what kind of data is being aggregated and how the aggregation algorithm works.

[kjetilk]

I put more of that in #37 . Primarily, the situation is that the subject can expose much less about themselves if they can only expose an aggregate rather than all the data. Aggregation is a common privacy enhancing technique.

The specific situation that motivated this for me was a credit check, where the situation was first that you had to gather all the data (i.e. all credits you had), and submit that. Then, you had to authorize some other party to see all the credits you had, and then it ended up in a centralized database. Not ideal at all. If you could instead just gather the data, sum it up, and return proof that you were credit-worthy without exposing this, it would be a win.

The functions could be simply sum, count and avg to begin with, and possibly some binary operators, e.g. XPath comparisons.

Was this what you had in mind?

[jandrieu]

Yes. I think a credit-reporting use cases with user-selected VCs would be interesting. There are some interesting problems with excluding unfavorable data which are worth describing.

Is there a cryptographic approach that would enable these kinds of range proofs across multiple credentials? I know that some cryptosuites can support range proofs, but I hadn't heard of any that could handle post-facto range proofs from data aggregations.

Perhaps cryptographic circuits could handle this.

[KDean-GS1]

See pull request #156. I'm unable to tag you (@kjetilk) in it directly.