Masking a user's credential until it needs to be reported to its issuing party


I’m trying to figure out a way to keep a user’s identity masked until they need to be reported.

Suppose, for example, that a website needs your driver’s license number (“DL number”) so that it can report you if any illegal activity is detected. But as we’re aware, revealing that number is a threat to personal privacy, because that would mean the website is accumulating a large database of DL numbers. If it were hacked, it could be problematic (for starters).

So, let’s suppose the DL number originated from an organization called the Department of Motor Vehicles (DMV), and that it creates verified credentials for you so you can carry your DL number with you online.

Is there a way to somehow blind the DL number so that the following conditions hold?

  • the website cannot see the actual DL number
  • there is no way to correlate your identity should the blinded(?) form of the DL number get leaked or the website collude with other websites
  • CRITICAL: the website can give a blinded(?) form of the DL number to the DMV, and the DMV is able to decode the original DL number and unmask the user’s identity

On the spectrum of “information privacy”, it seems like what I’m asking for is something in between a verified credential and a zero-knowledge proof: it requires partial knowledge, or some form of encrypted information that can be decrypted by the issuing party (e.g. DMV in this case). Is this a capability of Sovrin / Hyperledger Indy?


Not at the moment with current SDKs, but it could be added. So during a proof you provide a ciphertext proving that both 1) the Issuer can decrypt it and 2) it corresponds to other attributes in the credential. 1) is called verifiable encryption or an encrypted attribute. 2) is a proof of signature.
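The verifiable-encryption idea from the answer above, as an added example that is not part of the original thread and is not Sovrin / Hyperledger Indy SDK code: the holder ElGamal-encrypts the DL number to the DMV's public key and attaches a Fiat-Shamir proof that the ciphertext holds the same value as a Pedersen commitment. Assumptions: the commitment stands in for the DL attribute exposed by the credential's proof of signature (that signature proof is not shown), the group is a demo-size one built in the code, the DMV recovers the number by matching against the numbers it issued, and all function names are hypothetical.

```python
import hashlib
import secrets

# Demo-size Schnorr group built for this example (far too small for real use):
# Q is the Mersenne prime 2^127 - 1, P the first 2kQ + 1 passing Fermat tests.
Q = 2**127 - 1
P = next(p for p in (2 * k * Q + 1 for k in range(1, 10**6))
         if pow(2, p - 1, p) == 1 and pow(3, p - 1, p) == 1)
G, H = pow(2, (P - 1) // Q, P), pow(3, (P - 1) // Q, P)  # order-Q generators

def challenge(*vals):
    """Fiat-Shamir challenge over the statement, commitments and verifier nonce."""
    digest = hashlib.sha256("|".join(map(str, vals)).encode()).digest()
    return int.from_bytes(digest, "big") % Q

def dmv_keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def commit(m, s):
    """Pedersen commitment; assumed to be what the credential proof exposes."""
    return pow(G, m, P) * pow(H, s, P) % P

def encrypt_with_proof(m, s, y, nonce):
    """Holder: ElGamal-encrypt m to DMV key y, prove it equals the m in commit(m, s)."""
    r, km, kr, ks = (secrets.randbelow(Q) for _ in range(4))
    c1, c2 = pow(G, r, P), pow(G, m, P) * pow(y, r, P) % P
    t1, t2, t3 = pow(G, kr, P), pow(G, km, P) * pow(y, kr, P) % P, commit(km, ks)
    e = challenge(y, c1, c2, commit(m, s), t1, t2, t3, nonce)
    return (c1, c2), (e, (km + e * m) % Q, (kr + e * r) % Q, (ks + e * s) % Q)

def verify(ct, proof, C, y, nonce):
    """Website: accepts only if ct encrypts the value committed in C; never sees m."""
    (c1, c2), (e, zm, zr, zs) = ct, proof
    if not all(0 < v < P for v in (c1, c2, C)):
        return False
    t1 = pow(G, zr, P) * pow(c1, -e, P) % P
    t2 = pow(G, zm, P) * pow(y, zr, P) * pow(c2, -e, P) % P
    t3 = commit(zm, zs) * pow(C, -e, P) % P
    return e == challenge(y, c1, c2, C, t1, t2, t3, nonce)

def dmv_unmask(ct, x, issued):
    """DMV: removes the mask with its private key, then matches G^m to its records."""
    c1, c2 = ct
    gm = c2 * pow(c1, -x, P) % P
    return next((m for m in issued if pow(G, m, P) == gm), None)
```

Because the holder picks fresh randomness for both the ciphertext and the commitment on every presentation, two websites that compare what they stored see unrelated values, while the DMV's private key unmasks either one.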