Glossary

Definitions for terms used throughout the OpenAC / zkID documentation. Cross-references link to the page where the term is first introduced in technical depth.

Roles

Issuer. The party that signs the credential. In OpenAC the issuer signs an SD-JWT with an ECDSA P-256 key. The issuer is assumed honest and operates standard PKI (Security — assumptions).

Holder / wallet / prover. Three names for the same actor at different abstraction levels: holder in the W3C VC vocabulary, wallet in the EUDI / mobile-app sense, prover in the zk-SNARK sense. OpenAC docs default to holder when discussing protocol roles and prover when discussing the SDK. The holder controls a P-256 device key bound via cnf.jwk.

Verifier. The relying party that checks the proof against a policy. Verifiers are assumed semi-honest: they verify correctly but may collude across sessions to compare transcripts.

Credential layer

Anonymous credential. A credential that supports proofs of properties without revealing the underlying attributes. OpenAC's variant uses ZK proofs over a selective-disclosure issuer signature; it is anonymous to the verifier but linkable to the issuer at issuance time.

SD-JWT. Selective Disclosure JWT (draft-ietf-oauth-selective-disclosure-jwt). The compact JWT carries digests of disclosures; individual disclosures ([salt, name, value] base64url-encoded) are presented alongside it.

Disclosure. A [salt, name, value] triple, base64url-encoded, whose SHA-256 digest appears in the JWT's _sd array. Including a disclosure proves a specific attribute is part of the credential; omitting it hides the attribute.

Device binding key. A holder-controlled P-256 public key embedded in the SD-JWT as cnf.jwk. The holder proves possession by signing the verifier's challenge nonce; the proof verifies that signature in-circuit.

Claim. A normalized attribute value passed to the Show circuit as a field element. Strings are encoded injectively (typically via SHA-256 of a serialization); dates and integers are encoded directly.

Predicate. A Boolean function over claims, e.g., claim[0] >= 18 (Predicate types).

Policy. A finite set of predicates combined by a postfix logic expression that the verifier requests be proved true.

Cryptographic primitives

Pedersen vector commitment. Commitment scheme used to commit to the attribute vector $\mathbf{m}=(m_1,\ldots,m_n)$. Defined in Prepare phase — Pedersen / curve notation.

Hyrax. Commitment / IPA framework used to make Pedersen openings efficient inside Spartan2's sum-check protocol (WTSTW18).

Spartan / Spartan2. Transparent (no trusted setup) zkSNARK for R1CS that OpenAC uses as its proving backend (Setty20). "Spartan2" denotes the implementation used by ecdsa-spartan2.

Circom. Domain-specific language for R1CS circuits. OpenAC's jwt, show, ecdsa, and mdoc templates live under wallet-unit-poc/circom/.

P-256 / secp256r1. NIST P-256 elliptic curve, used for issuer and device ECDSA signatures.

Tom256 / T256 / secq256r1. The proving curve $\mathbb{G}$: a cycle partner of P-256 whose scalar field equals P-256's base field. The paper calls it Tom256 (T256); the codebase uses the alias secq256r1 in Circom configuration and Cargo dependencies (Security — assumptions).

Protocol terms

Prepare relation $\mathcal{R}_{\mathrm{prep}}$ / Prepare proof $\pi_{\mathrm{prep}}^{(j)}$. Once-per-credential proof certifying SD-JWT parsing, issuer signature verification, and commitment $C^{(j)}$ to the message vector. In the SDK this is OpenAC.precompute; in the Rust CLI it is prepare.

Show relation $\mathcal{R}_{\mathrm{show}}$ / Show proof $\pi_{\mathrm{show}}^{(j)}$. Per-presentation proof that the verifier's policy holds on $C^{(j)}$ and the device key signed the nonce. In the SDK this is OpenAC.present; in the Rust CLI it is show.

Linking. The verifier checks that Prepare and Show reference the same Pedersen commitment $C^{(j)}$. Implemented by inspecting comm_W_shared in both proof instances.

Reblinding. Re-randomization of the witness commitment between Prepare and Show, performed inside the WASM present call (and inside prepare reblind / show reblind in the Rust CLI). Required for unlinkability across presentations.

Unlinkability. The property that any two presentations are computationally indistinguishable as having come from the same holder, even under collusion among verifiers. Holds under DL-hardness in $\mathbb{G}$ assuming fresh blinds per presentation.

ES256. JWS algorithm name for ECDSA P-256 + SHA-256, the only issuer signature scheme implemented by the current circuits.

cnf.jwk. JSON Web Token claim that carries the holder's confirmation key. OpenAC requires it to be a P-256 EC JWK.

Standards and frameworks

EUDI / EUDI ARF. European Digital Identity (EU regulation 2024/1183) and its Architecture and Reference Framework. OpenAC targets EUDI-compatible flows (EUDI mapping).

ETSI TS 119 476-2. The standard against which OpenAC's selective-disclosure pattern is benchmarked (ETSI alignment).

ICAO 9303. The international standard for machine-readable travel documents. Influences the data model and SOD/DG1 hashing conventions (References).

mDL / mDOC. ISO 18013-5 mobile driver's licence credential format. Roadmap, not implemented today.

W3C VC. Verifiable Credentials Data Model. Roadmap, not implemented today.

Implementation artefacts

openac-sdk 0.1.0. The TypeScript SDK (npm package source).

ecdsa-spartan2. The Rust CLI that performs setup, proving, reblinding, and verification natively. Used directly for benchmarks; wrapped by NativeBackend for Node hosts (Native backend).

openac-studio. The reference web playground (wallet-unit-poc/openac-studio/). Demonstrates rule sets including the no revocation, out-of-band, and in-proof (future) scenarios.

VcSize. JWT-size bucket: '1k', '2k', '4k', '8k'. Selects which set of pre-generated proving / verifying keys to load (Installation — Proving keys).

comm_W_shared. The shared witness commitment exposed in both prepareInstance and showInstance. Its equality across the two halves is what makes the proofs linkable.