PSE, an Ethereum Foundation (EF) team that develops privacy-focused tools, has introduced OpenAC, an open-source cryptographic design for issuing certificates that represent “anonymous, transparent, and lightweight” digital credentials.
This system was shared on X on November 29th and is now available for developers to implement in their projects.
OpenAC is a digital document proposal that: Prove a user’s conditions or permissions. (such as being of legal age) but can be presented through cryptographic evidence that does not reveal personal data.
Also, I understand that without leaving any traces that could track your actions.
The PSE team highlighted the following points about OpenAC in their announcement:
OpenAC describes a zero-knowledge (ZK) proof-based identity structure designed to work with existing identity stacks and intentionally built to be compatible with the European Digital Identity Architecture and Reference Framework (EUDI ARF).
X’s PSE team.
In short, OpenAC is designed to integrate with the identity systems you already have in place, both public and private.
Design designed to integrate with your existing identity
In their whitepaper, OpenAC introduces zero-knowledge proofs (ZK, zero knowledge proof), a cryptographic technique that allows attributes to be proven to be valid without revealing the original data proving the attributes.
In the context of digital identity, this Users can view their credentials without exposing the entire document or allow third parties to track your usage history.
OpenAC operations consist of three roles that intervene in the credential issuance and usage cycle.
- transmitter: The entity that creates and signs the credentials: Can be a company, state agency, university, or any agency authorized to authenticate data.
- user: Save those credentials and generate ZK tests on request.
- checker: An application or entity that needs to verify that a test is valid, but does not need to access the actual content of the document or obtain additional information about the user’s identity.
For this scheme to work, the issuer must handle the cryptographic keys securely and sign only the correct attributes.
OpenAC part initial trust assumption– If the issuer proves false information or its private key is compromised, all credentials issued by the issuer become invalid.
The document also makes clear that OpenAC does not have its own built-in revocation mechanism. Therefore, if the issuer needs to invalidate a credential due to an error or expiration date, Must rely on external systems.
This requirement creates a dependency point in the model because revocation management is in the hands of a third party.
According to PSE: those tools should be encrypted list This allows you to check if the credentials are still valid without revealing the owner’s identity or tracking their activities.
Possible impact on Ethereum
OpenAC intends to position Ethereum as a suitable platform for managing digital identities without sacrificing privacy, but its design component required off chain Relies on trusted publishers.
The possibility of issuing digital documents that are untraceable and compliant with international standards could open up space for applications such as educational records, administrative permits, professional qualifications, and access to services that require verification without revealing one’s identity.
How does OpenAC prevent credential tracking?
Prevent users from linking credentials between different uses each time they present them You need to generate completely different tests.
If two pieces of evidence repeat a value, the verifier may realize that they both come from the same person, even if he doesn’t know who it is.
To avoid this potential link, OpenAC forces users or applications to manage their credentials. Incorporate a random seed into each presentation. This randomization ensures that two tests for the same attribute look completely different.
OpenAC implementation and practical limitations
OpenAC test generation is done off-chain (off chain).
That means all the heavy computing (creating cryptographic proofs that prove attributes without revealing data) is required. Runs on the user’s device or an external applicationnot within Ethereum.
By not running this process on the network, costs are reduced and chain saturation is avoided.
On the other hand, test validation can be done with either: Like the outside and inside of the chain smart contract. PSE describes these credentials as “lightweight” for the following reasons: The team reports a verification time of “0.129 seconds,” making the system manageable for applications that require quick responses.
Anyway, Performance depends on hardware. The time can be longer on low capacity devices or high load scenarios.
Although the design strives to minimize the information that reaches Ethereum, additional components are still required for OpenAC to work in a real-world environment.
Issuers must manage external systems that manage keys, wallets that support credential formats, and mechanisms such as revocation.
Without that infrastructure, this scheme cannot be rolled out at scale.
(Tag Translation) Blockchain
