Atala PRISM Seeks Privacy For Cardano Users

Atala PRISM is a blockchain digital identity platform developed by IOHK for Cardano.

You can find the description on the official website of Atala PRISM, and I quote:

Atala PRISM is a self-sovereign identity (SSI) platform and service suite for verifiable data and digital identity. Built on Cardano, it offers core infrastructure for issuing DIDs (decentralized identifiers) and verifiable credentials, alongside tools and frameworks to help expand your ecosystem.”

I did not find the explanation for the choice of the name Atala PRISM, I would not have chosen it, since according to my search, Atala is a compound of Sanskrit words referring to hell or a particular division of the infernal regions, the portion immediately below the earth, and Prism was a highly classified electronic surveillance program operated by the U.S. National Security Agency (NSA) that collected internet communications from various U.S. internet companies, and was revealed to the public in 2013 by former NSA employee Edward Snowden.

Beyond my appreciation, let’s see how this development can provide privacy for the identity of Cardano users.

I always seek to understand the general context to understand the particular product. I like to go from the general to the particular.

The company IOHK has appointed David Harding as CEO of the project, and as presented on the official website he is a leading expert in SaaS and scalable cloud computing, digital identity, multimodal biometrics, FinTech, healthcare, privacy, and enterprise cybersecurity.

To understand IOHK is to understand Atala PRISM, and one way is to read the company’s Privacy Policy applicable to all of its products. While this is a standard statement for most Big Tech, in this case, I find it striking that they collect information from their users, for an open source blockchain development, according to them ” ..for various purposes to provide and improve the Products for your use.”. So it would be with good intentions, but if your data is in the hands of third parties I consider that it can always represent a risk.

Here you can read part of the privacy policy:

Let us now see for whom IOHK has intended this product. It states on its website: “Atala PRISM can help innovators, businesses, and governments grow their offerings in a digital economy.”. And then specifies: “For innovators: Partner with us from start to finish on your development journey and you’ll unlock access to our expert team, best-in-class training, funding and incubation opportunities. For business: Expand your customer base, increase your profits, and secure the future of your business through an improved overall experience.

For government: Implement secure, next-generation services to make your governance more effective, responsive, and agile.

I’ll talk about privacy before I go on with Atala PRISM’s projects so that you can better understand what I want to expose.

Privacy In The Information Age

Data breaches, identity theft, and data mining concerns should be top of mind for digital users.

The way data is handled and stored today is a major problem. Centralized storage can lead to failures. There are many cases of data breaches so I don’t think I need to elaborate on the subject, as they are public knowledge. Cambridge Analytica and Equifax have become synonymous with identity theft.

For example, if someone stole your credit card, and due to data leakage had accessed the data needed to make a purchase, you could be the victim of a crime. But if your card provider had a cryptographic signature system in place, the thief would not be able to sign because he would not have the key, and the transaction would not be processed.

As cryptographic keys are robust and provide high security in today’s digital world, they are a protective tool to safeguard your money when your privacy has been violated.

When contracting a service or buying a product, in many cases consumers have no power of choice over whether or not to provide their data, or whether or not it is shared, much less over the security measures that store it.

Decentralization of personal data is the solution. Each person is the owner of his or her data. This is how Decentralized Identifiers (DID), which have their origin in the principles of Self-Sovereign Identity (SSI), came into being.

When using credentials today, such as a driver’s license, the person who sees it has access to all the information, since in many countries it details the name, residence address, date of birth, etc., but some data does not make sense to be shared in certain cases and with certain recipients.

Verifiable credentials can solve this problem, since through the Zero-Knowledge Protocol (ZKP) they use, a fact can be proven without revealing it, allowing a requester to verify the authenticity of the credential without knowing anything about the credential holder other than the fact that he or she possesses it. For example, someone could prove they are over 18 without sharing their age.

Another common problem that arises is the traceability of information. In a centralized system, the requesting parties can see the history of the information.

In a decentralized system, when we connect our information profile with the health system, bank, utility company, etc., these connections use a different DId for each contact case, because a new DId pair is created, as each party in the connection receives one of the DId. Since the Did pair represents the connection, this relationship cannot be traced back to the personal DId.

Privacy should be a default setting in application design, not a second-layer patch, in the digital age.

Now, having made this introduction, let’s see what proposals Atala PRISM presents for the privacy and identity management of users, who are the owners of their data.

Privacy Under Construction At Atala PRISM

The Atala PRISM team tells, in its official publications, that they are working on two projects to improve the privacy standard and management of user data: AnonCreds and Universal Anonymous Signatures.

Let’s take a look at each of these projects.

AnonCreds

In the official blog, PRISM + AnonCreds is a type of verifiable credential that allows the verification of identities without revealing any of the holder’s data.

Here you can read Anoncred Credential Definition Guide.

AnonCreds is widely used in the hyperledger Indy ecosystem. According to the same article, several organizations have adopted this technology, such as the Government of British Columbia, IDunion, and IATA Travel Pass.

The team proposes to add support for AnonCreds in an Atala PRISM version 2, which will require the integration of a Rust library that supports AnonCreds.

The Atala team has already funded part of the development of this library which is currently in progress. Once the library is completed, it will be integrated into PRISM v2, which will allow the issuance and verification of AnonCreds to complement existing w3c-compliant JWT-VC credentials.

According to the developers, AnonCreds would be a valuable addition to the project because it would allow more granular control over the exchange of personal information. The current implementation of PRISM v2 already provides individuals with better control over their data, however, with AnonCreds individuals will be able to share specific information required for a particular transaction or interaction.

According to the developers, the integration of AnonCreds into PRISM v2 would add another layer of privacy protection to the platform and would align it with the latest standards in the digital identity space, which they tell the release will have broad interoperability with other stakeholders in the digital identity field.

So far I have found no updates on this development, and it is not yet operational on Mainet. The blog posted a year ago, which announced this development, has in its cover graphic the legend: “Coming Soon”.

Universal Anonymous Signatures

Earlier this year, in an official blog post, IOHK presented this development, I quote, “We are really excited about it as, besides bridging several subfields in the domain of anonymous authentication, UAS sets the path towards what we believe could be (part of) the future of Self-Sovereign Identity and something we will definitely push for integration within the Atala offering.”

This article begins by telling a bit of the history of cryptographic credentials.

In 1985, David Chaum first thought of a cryptographic credential that people could use without revealing their identity, but that would assure service providers that they are talking to a legitimate person. This is known as Anonymous Credentials (AC).

In 1991, Chaum and van Heyst proposed Group Signatures (GS), similar to CAs but for several people in a group.

Both AC and GS schemes rely on authorities to issue the credentials needed to authenticate or sign. This need for issuer was overcome when in 2001, Rivest, Shamir, and Tauman came up with Ring Signature (RS) schemes, which can be considered a kind of group signature that cannot be de-anonymized and does not require issuers. This protocol is one of the anonymity measures on which the Monero blockchain is based.

The AC, GS and RS schemes (and their many variants) have some things in common, and are closely related, as they allow users to authenticate themselves anonymously and at the same time allow them to control service providers on the information they can obtain.

The IOHK team states that so far the AC, GS, and RS protocols have been studied independently, and they claim to have created the Universal Anonymous Signatures protocol (UAS), a generic security model that can be modified to suit the needs of each use case.

In this protocol, there are three points at which one may want to adapt this type of anonymous authentication scheme:

—at issuance time, when a user requests a credential,

—at the time of signing, when a user wishes to produce an anonymous signature or present his or her credential; and

—at audit time, when auditors may be required to extract certain information after creating the signature.

The team reports that they are working on an implementation based on generic proprietary construction of BBS+, encryption (ElGamal), and ZK testing (basic Sigma protocols), which will allow them to test this new technology on the SSI provided by Atala.

You can read the official document here Foundations of Anonymous Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions.

So far I haven’t found any news about this project.

Final Words

It is not possible to live in today’s world without digital identity, and the need to tokenize personal data will increase, because part of society demands it by its own will, and governments impose it for political reasons.

In the information age, privacy is a major asset, and as I always say in my publications, privacy is security.

Atala Prism promises to provide digital identity with privacy to Cardano users, it is a question of if and when it will achieve it.

In an article I published some time ago I explained this concept and the importance of decentralized identity, I invite you to read it so that you can continue deepening the subject: Navigating the Concept of Decentralized Identity in Cardano.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts