Copyright © 2026 the Contributors to the Universal Manifest Specification. This document is published under the W3C Software and Document License.
Restructured per the Conformance-Tier Stack strategy (owner-selected, audit 2026-06-11). DRAFT for review.
This is a companion profile to the Universal Manifest v0.4 Base specification. It specifies the Tier-2 cryptographic cross-DID binding profiles, the unlinkable (BBS+) selective-disclosure track that shares the same cryptography, and the post-quantum signature migration path. Read the Base and EXT-T1 first.
Status: All content in this profile is PREVIEW — under active working-group review, built on the editors' recommended defaults, and fully revisable before the v0.4 schema is locked.
Companion to: Base specification,
building on EXT-T1.
Registry categories: trust,
signature.
The Base defines Tier 2 — Cryptographic binding (Base
§6.4.2) as the assurance level at which cross-DID control is
cryptographically proven via zero-knowledge proof, without revealing
private key material, and reserves the bindingProof
field on identity.crossDidBinding claims (Base
§6.4.4) and the postQuantumSignature member (Base
§6.7, Base
§1.6.3). This profile specifies:
bindingProof.These are bundled here for tier coherence: a deployment certifying to Tier-2 high assurance generally needs the ZK proof, the unlinkable privacy track, and a forward-crypto plan together. Tier-2 evaluators MUST also implement EXT-T1, since Tier 2 is strictly additive over Tier 1.
This profile provides cryptographic proof that the same entity
controls multiple DIDs without revealing private key material or linking
secrets. v0.4 provides two proof profiles for Tier 2 cross-DID binding.
Both use the bindingProof field on
identity.crossDidBinding claims.
The holder possesses a secret s committed in the
credentials of both DIDs. The ZK proof demonstrates equality of
committed secrets across credentials without revealing s,
following the AnonCreds link-secret model adapted for Universal
Manifest. Evaluators MUST verify the BBS+ proof of equality against the
issuer's BLS12-381 G2 public keys for both credentials; the proof
inherently demonstrates that the presenter possesses the
holder-committed secret in both credentials.
A Profile 2A bindingProof MUST contain:
type — MUST be "ZkLinkedSecretProof".cryptosuite — MUST be "bbs-2023" per the
W3C Data Integrity BBS Cryptosuites.proofPurpose — MUST be
"authentication".proofValue — Base64url-encoded BBS+ derived proof
bytes.publicInputs — An object containing
commitmentA and commitmentB, the BBS+
commitments from each credential.BBS+ signatures ([BBS+]) are the RECOMMENDED cryptographic suite for privacy-preserving Tier 2 operations: BBS+ derived proofs are unlinkable across presentations, and selective disclosure is native to the signature scheme.
Both DIDs are derived from a common master seed via hierarchical deterministic key derivation (BIP-32/SLIP-10). The ZK proof demonstrates that a master seed exists such that the two public keys are derivable at declared paths, without revealing the seed.
A Profile 2B bindingProof MUST contain:
type — MUST be "ZkHdDerivationProof".proofSystem — The ZK proof system used (e.g.,
"groth16"). Evaluators MUST support Groth16 [Groth16]; MAY support PLONK or Bulletproofs.circuit — URI identifying the HD derivation circuit
(e.g., "urn:uuid:circuit-hd-derivation-v1").proofValue — Base64url-encoded proof bytes.publicInputs — An object containing
publicKeyA, publicKeyB,
derivationPathA, and derivationPathB.Groth16 proofs require a per-circuit trusted setup ceremony. The ceremony parameters MUST be publicly auditable. Evaluators MUST verify proofs against the published verification key.
When an evaluator encounters an identity.crossDidBinding
claim carrying a bindingProof, it MUST apply the following
procedure (the declared requiredTrustTier governs what the
verified result must satisfy, not whether the proof is verified):
bindingProof.type.ZkLinkedSecretProof: verify the BBS+ derived proof
against the issuer's BLS12-381 G2 public keys referenced in the claim's
credentials. Confirm that the proof demonstrates equality of the
committed holder secret.ZkHdDerivationProof: resolve the circuit URI,
retrieve the verification key, construct the public inputs from the
declared public keys and derivation paths, and verify the ZK proof.failed and treated at Tier 0,
regardless of any accompanying attestations; evaluators MAY apply
stricter local policy (for example, rejecting the manifest). Only an
absent bindingProof falls back to
attester-asserted Tier 1 evaluation.(Worked example: Tier 2 cross-DID binding with linked-secret proof — see Cookbook.)
Preview — built on default: This makes Groth16 the mandatory-to-implement proof system for Profile 2B (smallest proofs, fastest verification), with PLONK permitted as an optional alternative for deployments that prefer a universal setup. Working-group input is requested on whether the trusted-setup cost of Groth16 justifies making PLONK the baseline instead. Flag to revise.
Universal Manifest supports selective disclosure at the manifest level through holder-controlled projection (Base §3.1.3), encrypted facets (Base §2.3), and credential-level disclosure inside claims. For credential-level selective disclosure, v0.4 defines two interoperable tracks so deployments can choose between web-native simplicity and unlinkable privacy:
Manifest-level selective presentation composes with both tracks via facet projection, claim filtering, and pointer elision: the holder controls which facets, claims, and pointers appear in a given manifest instance, and Track A or Track B controls disclosure within a presented credential. Spatial-computing deployments, where the same subject may be observed across many venues, SHOULD use Track B to prevent cross-platform correlation. Deployments default to Track A where unlinkability is not required.
The privacy–binding tension is fundamental: stronger
binding enables correlation, while stronger privacy prevents binding
verification. The specification provides mechanisms for both and
requires evaluators to define their trust tier based on their threat
model. Evaluators MUST NOT require cross-DID binding unless their use
case demands Sybil resistance or trust transitivity; subjects SHOULD use
the minimum binding tier that satisfies their evaluators' requirements.
BBS+ pseudonym scope: if pseudonymScope is
reused across verifiers, cross-verifier correlation becomes possible;
issuers SHOULD generate unique scope URIs per verifier relationship, and
evaluators MUST NOT use a shared pseudonym scope for multiple
independent verifier relationships (EXT-T1
§T1.6.1).
Preview: The dual-track model is built on the editors' default (SD-JWT baseline; BBS+ for privacy-critical and Tier 2). Working-group input is requested on whether Track B should be mandatory for any class of spatial-computing deployment.
This profile defines a post-quantum signature profile providing quantum-resistant signing as a supplement to the baseline Ed25519 profile (Signature Profile A, Base §1.6).
The following NIST-standardized post-quantum signature algorithms are candidates:
The post-quantum profile follows the signature-profile naming convention of Base §1.6. The recommended baseline profile is Signature Profile B: JCS + ML-DSA-65.
The transition from Ed25519 to post-quantum signatures uses a
dual-signature period. During this period, manifests carry both an
Ed25519 signature (in the existing signature field) and a
post-quantum signature (in a new postQuantumSignature
field).
postQuantumSignature field.The postQuantumSignature field follows the same schema
as signature (Base
§1.6) with the algorithm field set to the post-quantum
algorithm identifier (e.g., "ML-DSA-65"). Both proofs are
computed over the same signing input: the canonical bytes of Base
§1.6.3 with the signature,
postQuantumSignature, and (if present)
presentationProof properties removed, so that neither
signature's bytes feed the other's input.
(Worked example: dual-signature manifest — see Cookbook.)
Notes (working-group): Whether the dual-signature mechanism should use a separate top-level field or an array of signature objects is open (separate field is simpler for backward compatibility; an array is more extensible). ML-DSA-65 signatures (~2.4 KB) are significantly larger than Ed25519 (64 bytes); the working group is assessing whether this size increase matters for constrained-device deployments.
Cited in this profile (full descriptors in the published artifact):
bbs-2023).Companion to the Base specification. For the Tier-1 layer this builds on, see EXT-T1; for Tier-3 ceremonies, see EXT-T3.