Create a ZKP-enabled JSON-LD credential

Introduction

This guide will demonstrate how to create a ZKP-enabled credential.

ZKP-enabled credentials use the BBS+ signature suite, MATTR is heavily involved in developing these standards within the community. If you are planning on using this feature for production workloads please get in touch for more information on how we can help you as these standards continue to evolve.

Check out the video:

Prerequisites

You need access to the MATTR VII APIs. If you’re experiencing any difficulties, contact us.

In order to create a credential, you will need the following information:

Subject DID
Credential type
JSON-LD claim names as defined by schema.org
Claim values

Create a DID

In order to create a ZKP-enabled credential, you first need to create an Issuer DID with a Bls12381G2 key type, which supports BBS+ signatures for issuing ZKP-enabled credentials.

Request

Set the keyType in the options to Bls12381G2 in order to create a DID with a BLS key type.

jsonCopy to clipboard. 
{
  "method": "web",
  "options": {
      "url": "organization.com",
      "keyType": "Bls12381G2"
  }
}

Response

The resulting DID resides in the did attribute.
If you want to confirm the DID will work for issuing ZKP-enabled credentials, check the DID URL for the assertionMethod matches a publicKey.id that contains "type": "Bls12381G2Key2020".

jsonCopy to clipboard. 
{
  "did": "did:web:organization.com",
  "registrationStatus": "COMPLETED",
  "localMetadata": {
    "keys": [
      {
        "didDocumentKeyId": "did:web:organization.com#oKhQ6nfNxg",
        "kmsKeyId": "a4c76bad-897c-4202-8fbd-3257e165d215"
      },
      {
        "didDocumentKeyId": "did:web:organization.com#2EHAKPYcG6",
        "kmsKeyId": "6bb9bb7a-70b4-45ee-9d02-30bcecc34aa4"
      }
    ],
    "registered": 1632282683786,
    "initialDidDocument": {
      "@context": "https://w3.org/ns/did/v1",
      "id": "did:web:organization.com",
      "publicKey": [
        {
          "id": "did:web:organization.com#oKhQ6nfNxg",
          "controller": "did:web:organization.com",
          "type": "Bls12381G2Key2020",
          "publicKeyBase58": "oKhQ6nfNxgjkmMDXJpyQnpPrHZBMWjaEfBfRzxKYwL51zHA7W3QhjKkpoksD7kMkyMphMCfHFc5f7T2avs3THwiXPr6g6AiLs3i62BTgJeaK3zmkjb8Pcbper7grDgNjUCQ"
        }
      ],
      "authentication": [
        "did:web:organization.com#oKhQ6nfNxg"
      ],
      "assertionMethod": [
        "did:web:organization.com#oKhQ6nfNxg"
      ],
      "capabilityDelegation": [
        "did:web:organization.com#oKhQ6nfNxg"
      ],
      "capabilityInvocation": [
        "did:web:organization.com#oKhQ6nfNxg"
      ],
      "keyAgreement": [
        {
          "id": "did:web:organization.com#2EHAKPYcG6",
          "controller": "did:web:organization.com",
          "type": "X25519KeyAgreementKey2019",
          "publicKeyBase58": "2EHAKPYcG6wPdpMHjRtwDhg4WnSyi695V7EkfRRNxmYW"
        }
      ]
    }
  }
}

Create a credential

Create a credential by making an API request as follows:

Request

httpCopy to clipboard. 
POST https://YOUR_TENANT_URL/v2/credentials/web-semantic/sign

jsonCopy to clipboard. 
{
    "payload": {
        "@context": [
        "https://schema.org"
        ],       
        "name": "Course credential",
        "description": "Course credential description",
        "type": [
        "CourseCredential"
        ],
        "credentialSubject": {
            "id": "did:key:z6MkfxQU7dy8eKxyHpG267FV23agZQu9zmokd8BprepfHALi",
            "givenName": "Chris",
            "familyName": "Shin",
            "educationalCredentialAwarded": "Certificate Name"
       
        },       
        "issuer": {
            "id": " did:web:organization.com ",
            "name": "tenant"   
        },
        "expirationDate": "2024-02-07T06:44:28.952Z"
    },
    "persist": false,
    "revocable": true,
}

The issuer.id contains the DID of the issuer, as created in the previous step.

When the issuer DID has the “keyType”:“Bls12381G2”, the platform will automatically detect this capability and issue a ZKP-enabled BBS+ credential.

The @context must include the reference to common data vocab https://schema.org

type is an array of credential types. It indicates what sort of information a credential holds. This is a unique identifier that the system uses to differentiate between different types of Web Credentials. There MUST be a value of type other than VerifiableCredential in the payload.

The credentialSubject.Id specifies an identifier bound to the credential. This is usually a decentralised identifier (DID) that's owned by the credential holder.

Response

jsonCopy to clipboard. 

"id": "ab42adbc-1139-47f0-9256-3bf5a01fcc7e",
"credential": {
    "type": [
      "VerifiableCredential",
      "CourseCredential"
    ],
    "issuer": {
      "id": "did:web:organization.com",
      "name": "tenant"
    },
    "name": "Course credential",
    "description": "Course credential description",
    "issuanceDate": "2020-09-24T19:16:33.222Z",
    "expirationDate": "2024-02-07T06:44:28.952Z",
    "credentialSubject": {
      "id": "did:key:z6MkfxQU7dy8eKxyHpG267FV23agZQu9zmokd8BprepfHALi",
      "givenName": "Chris",
      "familyName": "Shin",
      "educationalCredentialAwarded": "Certificate Name"
    },
    "@context": [
      "https://www.w3.org/2018/credentials/v1",
      "https://w3id.org/security/bbs/v1",
      "https://w3id.org/vc-revocation-list-2020/v1",
      "https://mattr.global/contexts/vc-extensions/v2",
      "https://schema.org"
    ],
    "credentialStatus": {
      "id": "https://tenant.vii.mattr.global/core/v1/revocation-lists/dd7ceeaa-a5e0-4ab3-a70c-b7237500c605#0",
      "type": "RevocationList2020Status",
      "revocationListIndex": "0",
      "revocationListCredential": "https://YOUR_TENANT_URL/core/v1/revocation-lists/dd7ceeaa-a5e0-4ab3-a70c-b7237500c605"
    },
    "proof": {
      "type": "BbsBlsSignature2020",
      "created": "2020-11-24T19:16:33Z",
      "proofPurpose": "assertionMethod",
      "proofValue": "pVJlfG/Ra9h8WbwqthNsT4lY9Xx5eVxZR6j0GY3yoDNzJq1CuF+nWKgcie3LpAn3UQpzkiODY46kt/WWaqGzyKyX4k5KRsBuSU9pSAL5Y99QFhnrm8t2MeKuZ1NL++ZO1+IelYtNjl6OmajHdphDUA==",
      "verificationMethod": "did:key:zUC7KmMGXt7fs9URk9EDqWLfpCjVTtfFMexViLLkPPUfm9j4heqvk9JkLarva3sP54FGjFNLpwc63ZTef2aR2cPssFbyDj75kopYqWL16j7JigA2BAvJcwnaKvKPUybxbroRg1v#zUC7KmMGXt7fs9URk9EDqWLfpCjVTtfFMexViLLkPPUfm9j4heqvk9JkLarva3sP54FGjFNLpwc63ZTef2aR2cPssFbyDj75kopYqWL16j7JigA2BAvJcwnaKvKPUybxbroRg1v"
    }
  },
  "credentialStatus": {
    "id": "https://YOUR_TENANT_URL/v1/revocation-lists/dd7ceeaa-a5e0-4ab3-a70c-b7237500c605#0",
    "type": "RevocationList2020Status",
    "revocationListIndex": "0",
    "revocationListCredential": "https://product-team.vii.staging.mattrlabs.io/v1/revocation-lists/dd7ceeaa-a5e0-4ab3-a70c-b7237500c605"
  },
  "issuanceDate": "2020-09-24T19:16:33.222Z"
}

The returned credential object is the credential, with id and issuanceDate shown as meta-data, along with other fields depending on the options chosen.

https://www.w3.org/2018/credentials/v1 and https://mattr.global/contexts/vc-extensions/v2 which is the reference to the W3C credential definition is auto-injected as the first element in the context array.

VerifiableCredential is also auto-injected as the first element in the type array. Every W3C verifiable credential must include VerifiableCredential in the type property.

Because this is a ZKP-enabled credential it contains a BBS+ signature, which enables selective disclosure as defined by the proof type of BbsBlsSignature2020. For more information on this signature suite, check out the specification at the W3C CCG.

Obtain a ZKP-enabled credential on the mobile wallet

ZKP-enabled credentials provide valuable benefits to the subjects and holders of credentials. In order for them to receive those benefits, issuers must specifically issue them with ZKP-enabled credentials using signature schemes such as BBS+. The MATTR mobile wallet is interoperable with ZKP-enabled credentials containing BBS+ signatures. It responds appropriately to privacy-preserving presentation requests using JSON-LD Framing.

To set up an Issuer for ZKP-enabled credentials, first, create an Issuer DID with a Bls12381BG2 key type.

Then either;

Create the credential as above and follow the tutorial to offer a credential directly or,

Follow all the steps in offer a credential using OpenID provisioning and make sure you have created DID with a bls12381g2 key that can be selected as the issuerDid when you issue a credential.

Once the ZKP-enabled credential is stored in the mobile wallet, you can then move to the verify tutorials and create a presentation request template for privacy-preserving requests.

The MATTR mobile wallet will indicate if a credential it is holding is ZKP-enabled.