RSCP
DocsSecurity

Security Documentation

Understanding RSCP's threat model, cryptographic foundations, and security best practices.

Privacy by Protocol Design

RSCP's security guarantees are structural, not policy-based. The registry schema physically cannot store private data—it rejects undefined fields at the protocol level. This is fundamentally different from systems that rely on access controls or promises not to misuse data.

Threat Model

RSCP is designed to be secure against a variety of adversaries, each with different capabilities and goals.

Adversary Types

1. Malicious Issuer

An issuer who tries to create fake credentials or leak holder data.

Mitigations:
  • • Trust Anchor validates issuer identity before registration
  • • Issuer DID is embedded in every credential
  • • Verifiers check issuer against Trusted Issuer Registry

2. Compromised Registry

A registry operator that is hacked or acts maliciously.

Mitigations:
  • • Registry only stores public attributes by schema design
  • • Private attributes (email, phone, scores) never transmitted
  • • Even total database compromise reveals no private data

3. Curious Verifier

A verifier attempting to learn more than what was disclosed.

Mitigations:
  • • BBS+ derived proofs reveal only selected attributes
  • • Predicate proofs hide actual values (prove score ≥ 80 without revealing 92)
  • • Derived proofs are unlinkable across verifications

4. External Attacker

Network-level attacker attempting MITM, replay, or forgery.

Mitigations:
  • • All credentials are cryptographically signed
  • • Presentations can be bound to specific verifiers
  • • Short-lived presentations prevent replay attacks
  • • TLS required for all network communication

5. Colluding Parties

Multiple parties working together to correlate or track holders.

Mitigations:
  • • Unlinkable presentations prevent cross-verification correlation
  • • Holders can generate fresh presentations for each verification
  • • Minimal disclosure reduces correlation surface

Security Properties

RSCP provides the following formally-defined security properties:

PropertyDefinitionMechanism
UnforgeabilityCannot create valid credentials without issuer private keyEd25519 / BBS+ signatures
IntegrityCannot modify credentials without detectionCryptographic signatures
Holder BindingOnly the legitimate holder can create presentationsHolder key required for derivation
Selective DisclosureReveal only chosen attributesBBS+ derived proofs
Predicate PrivacyProve predicates without revealing valuesBulletproofs range proofs
UnlinkabilityCannot correlate multiple presentationsBBS+ proof randomization

Attack Resistance Matrix

AttackIssuerRegistryVerifierHolder
Read private data
Create fake credential
Track holderN/A
Replay presentationN/AN/AN/A

= Has access (by design) = Cannot perform (blocked by protocol)

Cryptographic Proofs

RSCP uses a combination of modern cryptographic primitives to achieve its security and privacy goals.

Ed25519 Signatures

Used for basic credential signing. Provides 128-bit security level with compact 64-byte signatures.

  • Standard: RFC 8032
  • Key size: 256-bit private, 256-bit public
  • Signature size: 512 bits (64 bytes)
  • Use case: Signing registry records, issuer authentication
MUST: All issuers MUST use Ed25519 for signing registry records. Ed25519 keys MUST be generated using a cryptographically secure random number generator.

BBS+ Signatures

Enables selective disclosure without revealing the full credential. Built on BLS12-381 pairing-friendly curve.

  • Curve: BLS12-381
  • Security: ~128-bit equivalent
  • Feature: Derived proofs reveal only selected messages
  • Use case: Selective disclosure presentations

How BBS+ Selective Disclosure Works

  1. Issuance: Issuer signs all credential attributes with BBS+ signature
  2. Derivation: Holder creates derived proof revealing only selected attributes
  3. Verification: Verifier checks proof validity without seeing hidden attributes
  4. Unlinkability: Each derived proof includes fresh randomness

Bulletproofs (Range Proofs)

Zero-knowledge proofs that a value lies within a range, without revealing the value itself.

  • Range: 64-bit values
  • Proof size: ~700 bytes (logarithmic in range size)
  • Use case: Prove "testScore ≥ 80" without revealing actual score
MAY: Implementations MAY support predicate proofs using Bulletproofs for numeric attributes. Supported predicates are: >, ≥, <, ≤, =.

SHA-256 Hashing

  • Standard: FIPS 180-4
  • Output: 256 bits (32 bytes)
  • Use cases: Credential hashes, content-addressable identifiers, key derivation inputs

Key Management

Issuer Keys

Ed25519 Signing Key

Primary signing key for registry records

BBS+ Key Pair

For selective disclosure-enabled credentials

Holder Keys

Holders use did:key identifiers backed by Ed25519 keys stored in the device's secure enclave (iOS Keychain, Android Keystore). These keys are used to prove ownership when creating presentations.

SHOULD: Issuer signing keys SHOULD be stored in Hardware Security Modules (HSMs) in production environments.

Best Practices

Security recommendations for each participant in the RSCP ecosystem.

For Issuers

Use HSM for signing keys

Store Ed25519 and BBS+ private keys in FIPS 140-2 Level 3+ certified HSMs. Never store signing keys in application code, environment variables, or config files.

Implement key rotation

Rotate signing keys every 6-12 months. Publish new public keys to your DID document before retiring old keys. Keep old keys available for verification of existing credentials.

Maintain comprehensive audit logs

Log all credential issuance, revocation, and key operations. Include timestamps, operator identity, and credential IDs. Retain logs for regulatory compliance period.

Validate before issuing

Verify holder identity before credential issuance. Implement fraud detection for unusual issuance patterns. Set rate limits on credential creation.

For Wallet Applications

Use device secure enclave

Store holder keys in iOS Keychain with kSecAttrAccessibleWhenUnlockedThisDeviceOnly or Android Keystore with setUserAuthenticationRequired(true).

Require biometric authentication

Require Face ID, Touch ID, or fingerprint authentication before creating presentations or revealing credential details.

Minimize disclosure by default

When creating presentations, default to minimal disclosure. Warn users when they choose to reveal more attributes than necessary.

Implement secure backup

Enable encrypted credential backup. Use key derivation from user password for backup encryption. Never back up holder private keys to cloud without encryption.

For Verifiers

Always verify signatures first

Never trust credential data without cryptographic verification. Check signature validity before processing any attributes.

Check revocation status

Always check the registry for revocation status, even for recently-seen credentials. Cache status for performance but use short TTL (5 minutes max).

Minimize data retention

Don't store verified credential data longer than necessary. Log verification events without storing full credential contents.

Verify issuer trust

Always check that the issuer DID is in the Trusted Issuer Registry. Reject credentials from unknown or revoked issuers.

Common Vulnerabilities

VulnerabilityImpactPrevention
Key exposureCredential forgeryUse HSM, never log keys
Replay attacksUnauthorized verificationUse nonces, short expiry
Man-in-the-middleCredential interceptionTLS everywhere, pin certificates
Issuer impersonationFake credentialsCheck Trusted Issuer Registry
Over-disclosurePrivacy breachMinimal disclosure defaults
Report a vulnerability
Security Policy