index.html

<!DOCTYPE html>
<html>
  <head>
    <title>Data Integrity EdDSA Cryptosuites v1.0</title>
    <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
    <!--
      === NOTA BENE ===
      For the three scripts below, if your spec resides on dev.w3 you can check them
      out in the same tree and use relative links so that they'll work offline,
     -->
    <script src="https://www.w3.org/Tools/respec/respec-w3c" class="remove"></script>
    <script class="remove" src="https://w3c.github.io/vc-data-integrity/common.js"></script>

    <script type="text/javascript" class="remove">
      var respecConfig = {
        subtitle: "Achieving Data Integrity using EdDSA with Edwards curves",
        // specification status (e.g. WD, LCWD, NOTE, etc.). If in doubt use ED.
        specStatus: "CR",

        // the specification's short name, as in http://www.w3.org/TR/short-name/
        shortName: "vc-di-eddsa",
        group: "vc",

        // if you wish the publication date to be other than today, set this
        publishDate:  "2024-11-05",

        // if there is a previously published draft, uncomment this and set its YYYY-MM-DD date
        // and its maturity status
        // previousPublishDate:  "1977-03-15",
        // previousMaturity:  "WD",

        // if there a publicly available Editor's Draft, this is the link
        edDraftURI: "https://w3c.github.io/vc-di-eddsa/",
        //latestVersion: "https://www.w3.org/community/reports/credentials/CG-FINAL-di-eddsa-2020-20220724/",

        // if this is a LCWD, uncomment and set the end of its review period
        implementationReportURI: "https://w3c.github.io/vc-di-eddsa-test-suite/",
        crEnd: "2024-12-05",

        // if you want to have extra CSS, append them to this list
        // it is recommended that the respec.css stylesheet be kept
        //extraCSS:             ["spec.css", "prettify.css"],

        // editors, add as many as you like
        // only "name" is required
        editors: [{
          name: "Manu Sporny",
          url: "https://www.linkedin.com/in/manusporny/",
          company: "Digital Bazaar",
          companyURL: "https://digitalbazaar.com/",
          w3cid: 41758
        }, {
          name: "Dmitri Zagidulin",
          url: "https://www.linkedin.com/in/dzagidulin/",
          company: "MIT Digital Credentials Consortium",
          companyURL: "https://digitalcredentials.mit.edu/",
          w3cid: 86708
        }, {
          name: "Greg Bernstein", url: "https://www.grotto-networking.com/",
          company: "Invited Expert", w3cid: 140479
        }, {
          name: "Sebastian Crane", url: "https://github.com/seabass-labrax",
          company: "Invited Expert", w3cid: 140132
        }],

        authors: [{
          name: "Dave Longley", url: "https://digitalbazaar.com/",
          company: "Digital Bazaar", companyURL: "https://digitalbazaar.com/",
          w3cid: 48025
        }, {
          name: "Manu Sporny", url: "https://www.linkedin.com/in/manusporny/",
          company: "Digital Bazaar", companyURL: "https://digitalbazaar.com/",
          w3cid: 41758
        }],

        github: "https://github.com/w3c/vc-di-eddsa/",

        // URI of the patent status for this WG, for Rec-track documents
        // !!!! IMPORTANT !!!!
        // This is important for Rec-track documents, do not copy a patent URI from a random
        // document unless you know what you're doing. If in doubt ask your friendly neighbourhood
        // Team Contact.
        // wgPatentURI:  "",
        maxTocLevel: 4,
        /*preProcess: [ webpayments.preProcess ],
        alternateFormats: [ {uri: "diff-20111214.html", label: "diff to previous version"} ],
        */
        localBiblio: {
          MULTIBASE: {
            title: "Multibase",
            href: "https://datatracker.ietf.org/doc/html/draft-multiformats-multibase-01",
          },
          MULTICODEC: {
            title: "Multicodec",
            href: "https://github.com/multiformats/multicodec/",
          },
          Taming_EdDSAs: {
            title: "Taming the many EdDSAs",
            href: "https://eprint.iacr.org/2020/1244",
            authors: ["Konstantinos Chalkias", "François Garillot", "Valeria Nikolaenko"],
            date: "2020",
            publisher: "Cryptology ePrint Archive, Paper 2020/1244",
            doi: "10.1007/978-3-030-64357-7_4"
          },
          Provable_Ed25519: {
            authors: ["Jacqueline Brendel", "Cas Cremers", "Dennis Jackson", "Mang Zhao"],
            title: "The Provable Security of Ed25519: Theory and Practice",
            publisher: "Cryptology ePrint Archive, Paper 2020/823",
            date: "2020",
            href: "https://eprint.iacr.org/2020/823"
          }
        },
        xref: ["INFRA", "VC-DATA-MODEL-2.0", "VC-DATA-INTEGRITY"],
        lint: {"informative-dfn": false},
        otherLinks: [{
          key: "Related Specifications",
          data: [{
            value: "Verifiable Credentials Data Model v2.0",
            href: "https://www.w3.org/TR/vc-data-model-2.0/"
          }, {
            value: "Verifiable Credential Data Integrity v1.0",
            href: "https://www.w3.org/TR/vc-data-integrity/"
          }, {
            value: "Controller Documents v1.0",
            href: "https://www.w3.org/TR/controller-document/"
          },{
            value: "Data Integrity ECDSA Cryptosuites v1.0",
            href: "https://www.w3.org/TR/vc-di-ecdsa/"
          }, {
            value: "Data Integrity BBS Cryptosuites v1.0",
            href: "https://www.w3.org/TR/vc-di-bbs/"
          }]
        }]
      };
    </script>
    <style>
code {
  color: rgb(199, 73, 0);
  font-weight: bold;
}
pre.nohighlight {
  overflow-x: auto;
  white-space: pre-wrap;
}
pre .highlight {
  font-weight: bold;
  color: green;
}
pre .comment {
  font-weight: bold;
  color: Gray;
}
.color-text {
  font-weight: bold;
  text-shadow: -1px 0 black, 0 1px black, 1px 0 black, 0 -1px black;
}
ol.algorithm {
  counter-reset: numsection;
  list-style-type: none;
}
ol.algorithm li {
  margin: 0.5em 0;
}
ol.algorithm li:before {
  font-weight: bold;
  counter-increment: numsection;
  content: counters(numsection, ".") ") ";
}
    </style>
  </head>
  <body>
    <section id="abstract">
      <p>
This specification describes Data Integrity cryptographic suites for use when
creating or verifying a digital signature using the the Ed25519 instantiation
of the Edwards-Curve Digital Signature Algorithm (EdDSA).
      </p>
    </section>

    <section id="sotd">

      <p>
The Working Group is actively seeking implementation feedback for this
specification. In order to exit the Candidate Recommendation phase, the
Working Group has set the requirement of at least two independent
implementations for each mandatory feature in the specification. For details
on the conformance testing process, see the test suites listed in the
<a href="https://w3c.github.io/vc-di-eddsa-test-suite/">
implementation report</a>.
      </p>

      <p class="atrisk issue"
        title="Features with less than two independent implementations">
Any feature with less than two independent implementations in the
<a href="https://w3c.github.io/vc-di-eddsa-test-suite/">
EdDSA Cryptosuite Implementation Report</a> is an "at risk" feature and might be
removed before the transition to W3C Proposed Recommendation.
      </p>

    </section>

    <section>
      <h2>Introduction</h2>
      <p>
This specification defines a cryptographic suite for the purpose of creating,
verifying proofs for Ed25519 EdDSA signatures in conformance with the
Data Integrity [[VC-DATA-INTEGRITY]] specification. The approach is
accepted by the U.S. National Institute of Standards in the latest [[FIPS-186-5]]
publication and meets U.S. Federal Information Processing requirements when
using cryptography to secure digital information.
      </p>
      <p>
The suites described in this specification use the RDF Dataset Canonicalization
Algorithm [[RDF-CANON]] or the JSON Canonicalization Scheme [[RFC8785]] to
transform an input document into its canonical form. The canonical
representation is then hashed and signed with a detached signature algorithm.
      </p>

      <section id="terminology">
        <h3>Terminology</h3>

        <p>
Terminology used throughout this document is defined in the
<a data-cite="VC-DATA-INTEGRITY#terminology">Terminology</a> section of the
[[[VC-DATA-INTEGRITY]]] specification.
        </p>

      </section>

      <section id="conformance">
        <p>
A <dfn>conforming proof</dfn> is any concrete expression of the data model
that complies with the normative statements in this specification. Specifically,
all relevant normative statements in Sections
[[[#data-model]]] and [[[#algorithms]]]
of this document MUST be enforced.
        </p>

        <p>
A <dfn class="lint-ignore">conforming processor</dfn> is any algorithm realized
as software and/or hardware that generates or consumes a
<a>conforming proof</a>. Conforming processors MUST produce errors when
non-conforming documents are consumed.
        </p>
	<p>
This document contains examples of JSON and JSON-LD data. Some of these examples
are invalid JSON, as they include features such as inline comments (`//`)
explaining certain portions and ellipses (`...`) indicating the omission of
information that is irrelevant to the example. These parts would have to be
removed in order to treat the examples as valid JSON or JSON-LD.
        </p>
      </section>

    </section>

    <section>
      <h2>Data Model</h2>

      <p>
The following sections outline the data model that is used by this specification
to express verification methods, such as cryptographic public keys, and
data integrity proofs, such as digital signatures.
      </p>

      <section>
        <h3>Verification Methods</h3>

        <p>
This cryptographic suite is used to verify Data Integrity Proofs
[[VC-DATA-INTEGRITY]] produced using Edwards Curve cryptographic key material.
The encoding formats for those key types are provided in this section. Lossless
cryptographic key transformation processes that result in equivalent
cryptographic key material MAY be used for the processing of digital
signatures.
        </p>

        <section>
          <h4>Multikey</h4>

          <p>
The <a data-cite="controller-document#multikey">Multikey format</a>, defined in
[[[controller-document]]], is used to express public keys for the cryptographic
suites defined in this specification.
          </p>

          <p>
The `publicKeyMultibase` value of the verification method MUST start with the
base-58-btc prefix (`z`), as defined in the
<a data-cite="controller-document#multibase-0">Multibase section</a> of
[[[controller-document]]]. A Multibase-encoded Ed25519 256-bit public key value
follows, as defined in the
<a data-cite="controller-document#Multikey">Multikey section</a> of
[[[controller-document]]]. Any other encoding MUST NOT be allowed.
          </p>

          <p class="advisement">
Developers are advised to not accidentally publish a representation of a private
key. Implementations of this specification will raise errors if they encounter a
Multikey prefix value other than `0xed01` in a `publicKeyMultibase` value.
          </p>

          <pre class="example nohighlight"
            title="An Ed25519 public key encoded as a Multikey">
{
  "id": "https://example.com/issuer/123#key-0",
  "type": "Multikey",
  "controller": "https://example.com/issuer/123",
  "publicKeyMultibase": "z6Mkf5rGMoatrSj1f4CyvuHBeXJELe9RPdzo2PKGNCKVtZxP"
}
          </pre>

          <pre class="example nohighlight" title="An Ed25519 public key encoded as a
            Multikey in a controller document">
{
  "@context": [
    "https://www.w3.org/ns/did/v1",
    "https://w3id.org/security/multikey/v1"
  ],
  "id": "did:example:123",
  "verificationMethod": [{
    "id": "did:example:123#key-0",
    "type": "Multikey",
    "controller": "did:example:123",
    "publicKeyMultibase": "z6Mkf5rGMoatrSj1f4CyvuHBeXJELe9RPdzo2PKGNCKVtZxP"
  }],
  "authentication": [
    "did:example:123#key-0"
  ],
  "assertionMethod": [
    "did:example:123#key-0"
  ],
  "capabilityDelegation": [
    "did:example:123#key-0"
  ],
  "capabilityInvocation": [
    "did:example:123#key-0"
  ]
}
          </pre>

          <p>
The `secretKeyMultibase` value of the verification method MUST start with the
base-58-btc prefix (`z`), as defined in the
<a data-cite="controller-document#multibase-0">Multibase section</a> of
[[[controller-document]]]. A Multibase-encoded Ed25519 256-bit secret key value
follows, as defined in the
<a data-cite="controller-document#Multikey">Multikey section</a> of
[[[controller-document]]]. Any other encoding MUST NOT be allowed.
          </p>

          <p class="advisement">
Developers are advised to prevent accidental publication of a representation of
a secret key, and to not export the `secretKeyMultibase` property by default,
when serializing key pairs to Multikey.
          </p>

        </section>

      </section>

      <section>
        <h3>Proof Representations</h3>

        <p>
This section details the proof representation formats that are defined by
this specification.
        </p>

        <section>
          <h4>DataIntegrityProof</h4>

          <p>
A proof contains the attributes specified in the
<a href="https://www.w3.org/TR/vc-data-integrity/#proofs">Proofs section</a>
of [[VC-DATA-INTEGRITY]] with the following restrictions.
          </p>
          <p>
The `type` property MUST be `DataIntegrityProof`.
          </p>
          <p>
The `cryptosuite` property of the proof MUST be `eddsa-rdfc-2022` or `eddsa-jcs-2022`.
          </p>
          <p>
The `proofValue` property of the proof MUST be a detached EdDSA signature
produced according to [[RFC8032]], encoded using the base-58-btc header and
alphabet as described in the
<a data-cite="controller-document#multibase-0">Multibase section</a> of
[[[controller-document]]].
          </p>

          <pre class="example nohighlight"
            title="An Ed25519 digital signature expressed as a
              DataIntegrityProof">
{
  "@context": [
    {"myWebsite": "https://vocabulary.example/myWebsite"},
    "https://www.w3.org/ns/credentials/v2"
  ],
  "myWebsite": "https://hello.world.example/",
  "proof": {
    "type": "DataIntegrityProof",
    "cryptosuite": "eddsa-rdfc-2022",
    "created": "2023-02-24T23:36:38Z",
    "verificationMethod": "https://vc.example/issuers/5678#z6MkrJVnaZkeFzdQyMZu1
      cgjg7k1pZZ6pvBQ7XJPt4swbTQ2",
    "proofPurpose": "assertionMethod",
    "proofValue": "z5C5b1uzYJN6pDR3aWgAqUMoSB1JY29epA74qyjaie9qh4okm9DZP6y77eTNq
      5NfYyMwNu9bpQQWUHKH5zAmEtszK"
  }
}
          </pre>

        </section>

      </section>
    </section>

    <section>
      <h2>Algorithms</h2>

      <p>
The following section describes multiple Data Integrity cryptographic suites
that use the Edwards-Curve Digital Signature Algorithm.
      </p>

      <section>
        <h3>Instantiate Cryptosuite</h3>

        <p>
This algorithm is used to configure a cryptographic suite to be used by the
<a data-cite="VC-DATA-INTEGRITY#add-proof">Add Proof</a> and
<a data-cite="VC-DATA-INTEGRITY#verify-proof">Verify Proof</a>
functions in [[[VC-DATA-INTEGRITY]]]. The algorithm takes an options object
([=map=] |options|) as input and returns a [=data integrity cryptographic suite
instance|cryptosuite instance=] ([=struct=] |cryptosuite|).
        </p>

        <ol class="algorithm">
          <li>
Initialize |cryptosuite| to an empty [=struct=].
          </li>
          <li>
If |options|.|type| does not equal `DataIntegrityProof`, return |cryptosuite|.
          </li>
          <li>
If |options|.|cryptosuite| is `eddsa-rdfc-2022`:
            <ol class="algorithm">
              <li>
Set |cryptosuite|.|createProof| to the algorithm in Section
[[[#create-proof-eddsa-rdfc-2022]]].
              </li>
              <li>
Set |cryptosuite|.|verifyProof| to the algorithm in Section
[[[#verify-proof-eddsa-rdfc-2022]]].
              </li>
            </ol>
          </li>
          <li>
If |options|.|cryptosuite| is `eddsa-jcs-2022`:
            <ol class="algorithm">
              <li>
Set |cryptosuite|.|createProof| to the algorithm in Section
[[[#create-proof-eddsa-jcs-2022]]].
              </li>
              <li>
Set |cryptosuite|.|verifyProof| to the algorithm in Section
[[[#verify-proof-eddsa-jcs-2022]]].
              </li>
            </ol>
          </li>
          <li>
Return |cryptosuite|.
          </li>
        </ol>

      </section>

      <section>
        <h3>eddsa-rdfc-2022</h3>

        <p>
The `eddsa-rdfc-2022` cryptographic suite takes an input document, canonicalizes
the document using the RDF Dataset Canonicalization algorithm [[RDF-CANON]], and then
cryptographically hashes and signs the output
resulting in the production of a data integrity proof. The algorithms in this
section also include the verification of such a data integrity proof.
        </p>

        <p class="advisement">
When the RDF Dataset Canonicalization Algorithm [[RDF-CANON]] is used,
implementations will detect <a data-cite="RDF-CANON#dataset-poisoning">
dataset poisoning</a> by default, and abort processing upon such detection.
        </p>

        <section>
          <h4>Create Proof (eddsa-rdfc-2022)</h4>

          <p>
The following algorithm specifies how to create a [=data integrity proof=] given
an <a>unsecured data document</a>. Required inputs are an
<a>unsecured data document</a> ([=map=] |unsecuredDocument|), and a set of proof
options ([=map=] |options|). A [=data integrity proof=] ([=map=]), or an error,
is produced as output.
          </p>

          <ol class="algorithm">
            <li>
Let |proof| be a clone of the proof options, |options|.
            </li>
            <li>
Let |proofConfig| be the result of running the algorithm in
Section [[[#proof-configuration-eddsa-rdfc-2022]]] with
|options| passed as a parameter.
            </li>
            <li>
Let |transformedData| be the result of running the algorithm in Section <a
href="#transformation-eddsa-rdfc-2022"></a> with |unsecuredDocument|,
|proofConfig|, and |options| passed as parameters.
            </li>
            <li>
Let |hashData| be the result of running the algorithm in Section
[[[#hashing-eddsa-rdfc-2022]]] with |transformedData| and |proofConfig|
passed as a parameters.
            </li>
            <li>
Let |proofBytes| be the result of running the algorithm in Section
[[[#proof-serialization-eddsa-rdfc-2022]]] with |hashData| and
|options| passed as parameters.
            </li>
            <li>
Let |proof|.|proofValue| be a <a data-cite="controller-document#multibase-0">
base58-btc-encoded Multibase value</a> of the |proofBytes|.
            </li>
            <li>
Return |proof| as the [=data integrity proof=].
            </li>
          </ol>

        </section>

        <section>
          <h4>Verify Proof (eddsa-rdfc-2022)</h4>

          <p>
The following algorithm specifies how to verify a [=data integrity proof=] given
an <a>secured data document</a>. Required inputs are an
<a>secured data document</a> ([=map=] |securedDocument|). This algorithm returns
a <dfn>verification result</dfn>, which is a [=struct=] whose
[=struct/items=] are:
          </p>
          <dl>
            <dt><dfn data-dfn-for="verification result">verified</dfn></dt>
            <dd>`true` or `false`</dd>
            <dt><dfn data-dfn-for="verification result">verifiedDocument</dfn></dt>
            <dd>
if [=verification result/verified=] is `false`, <a data-cite="INFRA#nulls">Null</a>;
otherwise, an [=unsecured data document=]
            </dd>
          </dl>

          <ol class="algorithm">
          <li>
Let |unsecuredDocument| be a copy of |securedDocument| with
the `proof` value removed.
          </li>
          <li>
Let |proofOptions| be the result of a copy of |securedDocument|.|proof| with `proofValue`
removed.
          </li>
          <li>
Let |proofBytes| be the
<a data-cite="controller-document#multibase-0">Multibase decoded base58-btc
value</a> in |securedDocument|.|proof|.|proofValue|.
          </li>
          <li>
Let |transformedData| be the result of running the algorithm in Section <a
href="#transformation-eddsa-rdfc-2022"></a> with |unsecuredDocument| and
|proofOptions| passed as parameters.
          </li>
          <li>
Let |proofConfig| be the result of running the algorithm in Section <a
href="#proof-configuration-eddsa-rdfc-2022"></a> with |unsecuredDocument| and
|proofOptions| passed as parameters.
          </li>
          <li>
Let |hashData| be the result of running the algorithm in Section
[[[#hashing-eddsa-rdfc-2022]]] with |transformedData| and |proofConfig|
passed as a parameters.
          </li>
          <li>
Let |verified:boolean| be the result of running the algorithm in Section
[[[#proof-verification-eddsa-rdfc-2022]]] algorithm on |hashData|,
|proofBytes|, and |proofConfig|.
            </li>
            <li>
Return a [=verification result=] with [=struct/items=]:
              <dl data-link-for="verification result">
                <dt>[=verified=]</dt>
                <dd>|verified|</dd>
                <dt>[=verifiedDocument=]</dt>
                <dd>
if |verified| is `true`, |unsecuredDocument|;
otherwise, <a data-cite="INFRA#nulls">Null</a></dd>
              </dl>
            </li>
          </ol>

        </section>

        <section>
          <h4>Transformation (eddsa-rdfc-2022)</h4>

          <p>
The following algorithm specifies how to transform an unsecured input document
into a transformed document that is ready to be provided as input to the
hashing algorithm in Section [[[#hashing-eddsa-rdfc-2022]]].
          </p>

          <p>
Required inputs to this algorithm are an
<a data-cite="vc-data-integrity#dfn-unsecured-data-document">
unsecured data document</a> (`unsecuredDocument`) and
transformation options (`options`). The
transformation options MUST contain a type identifier for the
<a data-cite="vc-data-integrity#dfn-cryptosuite">
cryptographic suite</a> (`type`) and a cryptosuite
identifier (`cryptosuite`). A <em>transformed data document</em> is
produced as output. Whenever this algorithm encodes strings, it MUST use UTF-8
encoding.
          </p>

          <ol class="algorithm">
            <li>
If `options`.`type` is not set to the string
`DataIntegrityProof` and `options`.`cryptosuite` is not
set to the string `eddsa-rdfc-2022`,
an error MUST be raised that SHOULD convey an error type of
<a data-cite="VC-DATA-INTEGRITY#PROOF_TRANSFORMATION_ERROR">PROOF_TRANSFORMATION_ERROR</a>.
            </li>
            <li>
Let |canonicalDocument| be the result of converting |unsecuredDocument|
<a data-cite="JSON-LD11-API#deserialize-json-ld-to-rdf-algorithm">
to RDF statements</a>, applying the <a data-cite="RDF-CANON#canon-algorithm">RDF Dataset Canonicalization
Algorithm</a> [[RDF-CANON]] to the result, and then serializing the result to a
<a data-cite="RDF-CANON#dfn-serialized-canonical-form">serialized canonical form</a> [[RDF-CANON]].
            </li>
            <li>
Return `canonicalDocument` as the <em>transformed data document</em>.
            </li>
          </ol>
        </section>

        <section>
          <h4>Hashing (eddsa-rdfc-2022)</h4>

          <p>
The following algorithm specifies how to cryptographically hash a
<em>transformed data document</em> and <em>proof configuration</em>
into cryptographic hash data that is ready to be provided as input to the
algorithms in Section [[[#proof-serialization-eddsa-rdfc-2022]]] or
Section [[[#proof-verification-eddsa-rdfc-2022]]].
          </p>

          <p>
The required inputs to this algorithm are a <em>transformed data document</em>
(`transformedDocument`) and <em>canonical proof configuration</em>
(`canonicalProofConfig`). A single <em>hash data</em> value represented as
series of bytes is produced as output.
          </p>

          <ol class="algorithm">
            <li>
Let `proofConfigHash` be the result of applying the
SHA-256 (SHA-2 with 256-bit output) cryptographic hashing algorithm [[RFC6234]]
to the `canonicalProofConfig`. `proofConfigHash` will be
exactly 32 bytes in size.
            </li>
            <li>
Let `transformedDocumentHash` be the result of applying the
SHA-256 (SHA-2 with 256-bit output) cryptographic hashing algorithm [[RFC6234]]
to the `transformedDocument`. `transformedDocumentHash` will
be exactly 32 bytes in size.
            </li>
            <li>
Let `hashData` be the result of concatenating `proofConfigHash`
(the first hash produced above) followed by `transformedDocumentHash`
(the second hash produced above).
            </li>
            <li>
Return `hashData` as the <em>hash data</em>.
            </li>
          </ol>

        </section>

        <section>
          <h4>Proof Configuration (eddsa-rdfc-2022)</h4>

          <p>
The following algorithm specifies how to generate a
<em>proof configuration</em> from a set of <em>proof options</em>
that is used as input to the <a href="#hashing-eddsa-rdfc-2022">proof hashing algorithm</a>.
          </p>

          <p>
The required inputs to this algorithm are the <em>document</em>
(|unsecuredDocument|) and the <em>proof options</em>
(`options`). The <em>proof options</em> MUST contain a type identifier
for the
<a data-cite="vc-data-integrity#dfn-cryptosuite">
cryptographic suite</a> (`type`) and MUST contain a cryptosuite
identifier (`cryptosuite`). A <em>proof configuration</em>
object is produced as output.
          </p>
          <ol class="algorithm">
            <li>
Let |proofConfig| be a clone of the |options| object.
            </li>
            <li>
If |proofConfig|.|type| is not set to `DataIntegrityProof` and/or
|proofConfig|.|cryptosuite| is not set to `eddsa-rdfc-2022`, an
error MUST be raised and SHOULD convey an error type of
<a data-cite="VC-DATA-INTEGRITY#PROOF_GENERATION_ERROR">PROOF_GENERATION_ERROR</a>.
            </li>
            <li>
If |proofConfig|.|created| is present and set to a value that is not a
valid [[XMLSCHEMA11-2]] datetime, an error MUST be
raised and SHOULD convey an error type of
<a data-cite="VC-DATA-INTEGRITY#PROOF_GENERATION_ERROR">PROOF_GENERATION_ERROR</a>.
            </li>
            <li>
Set |proofConfig|.`@context `to
|unsecuredDocument|.<var>@context</var>.
            </li>
            <li>
Let |canonicalProofConfig| be the result of applying the
RDF Dataset Canonicalization Algorithm
[[RDF-CANON]] to the |proofConfig|.
            </li>
            <li>
Return |canonicalProofConfig|.
            </li>
          </ol>

        </section>

        <section>
          <h4>Proof Serialization (eddsa-rdfc-2022)</h4>

          <p>
The following algorithm specifies how to serialize a digital signature from
a set of cryptographic hash data. This
algorithm is designed to be used in conjunction with the algorithms defined
in the Data Integrity [[VC-DATA-INTEGRITY]] specification,
<a data-cite="vc-data-integrity#algorithms">
Section 4: Algorithms</a>. Required inputs are
cryptographic hash data (`hashData`) and
<em>proof options</em> (`options`). The
<em>proof options</em> MUST contain a type identifier for the
<a data-cite="vc-data-integrity#dfn-cryptosuite">
cryptographic suite</a> (`type`) and MAY contain a cryptosuite
identifier (`cryptosuite`). A single <em>digital proof</em> value
represented as series of bytes is produced as output.
          </p>

          <ol class="algorithm">
            <li>
Let `privateKeyBytes` be the result of retrieving the
private key bytes associated with the
`options`.`verificationMethod` value as described in the
Data Integrity [[VC-DATA-INTEGRITY]] specification,
<a data-cite="vc-data-integrity#processing-model">
Section 4.1: Processing Model</a>.
            </li>
            <li>
Let `proofBytes` be the result of applying the Edwards-Curve Digital
Signature Algorithm (EdDSA) [[RFC8032]], using the `Ed25519` variant
(Pure EdDSA), with `hashData` as the data to be signed using
the private key specified by `privateKeyBytes`.
`proofBytes` will be exactly 64 bytes in size.
            </li>
            <li>
Return `proofBytes` as the <em>digital proof</em>.
            </li>
          </ol>

        </section>

        <section>
          <h4>Proof Verification (eddsa-rdfc-2022)</h4>

          <p>
The following algorithm specifies how to verify a digital signature from
a set of cryptographic hash data. This
algorithm is designed to be used in conjunction with the algorithms defined
in the Data Integrity [[VC-DATA-INTEGRITY]] specification,
<a data-cite="vc-data-integrity#algorithms">
Section 4: Algorithms</a>. Required inputs are
cryptographic hash data (`hashData`),
a digital signature (`proofBytes`) and
proof options (`options`). A <em>verification result</em>
represented as a boolean value is produced as output.
          </p>

          <ol class="algorithm">
            <li>
Let `publicKeyBytes` be the result of retrieving the
public key bytes associated with the
`options`.`verificationMethod` value as described in the
[[[controller-document]]] specification,
<a data-cite="controller-document#retrieve-verification-method">
Section 3.3: Retrieve Verification Method</a>.
            </li>
            <li>
Let `verificationResult` be the result of applying the verification
algorithm for the Edwards-Curve Digital Signature Algorithm (EdDSA)
[[RFC8032]], using the `Ed25519` variant (Pure EdDSA),
with `hashData` as the data to be verified against the
`proofBytes` using the public key specified by
`publicKeyBytes`.
            </li>
            <li>
Return `verificationResult` as the <em>verification result</em>.
            </li>
          </ol>

        </section>
      </section>

      <section>
        <h3>eddsa-jcs-2022</h3>

          <p>
The `eddsa-jcs-2022` cryptographic suite takes an input document, canonicalizes
the document using the JSON Canonicalization Scheme [[RFC8785]], and then
cryptographically hashes and signs the output resulting in the production of a
data integrity proof.
          </p>



          <section>
            <h4>Create Proof (eddsa-jcs-2022)</h4>

            <p>
The following algorithm specifies how to create a [=data integrity proof=] given
an <a>unsecured data document</a>. Required inputs are an
<a>unsecured data document</a> ([=map=] |unsecuredDocument|), and a set of proof
options ([=map=] |options|). A [=data integrity proof=] ([=map=]), or an error,
is produced as output.
            </p>

            <ol class="algorithm">
              <li>
Let |proof| be a clone of the proof options, |options|.
              </li>
              <li>
If `unsecuredDocument`.<var>@context</var> is present,
set `proof`.<var>@context</var> to
`unsecuredDocument`.<var>@context</var>.
              </li>
              <li>
Let |proofConfig| be the result of running the algorithm in
Section [[[#proof-configuration-eddsa-jcs-2022]]] with
|proof| passed as the <em>proof options</em> parameter.
              </li>
              <li>
Let |transformedData| be the result of running the algorithm in Section
[[[#transformation-eddsa-jcs-2022]]] with |unsecuredDocument|
and |options| passed as parameters.
              </li>
              <li>
Let |hashData| be the result of running the algorithm in Section
[[[#hashing-eddsa-jcs-2022]]] with |transformedData| and |proofConfig|
passed as a parameters.
              </li>
              <li>
Let |proofBytes| be the result of running the algorithm in Section
[[[#proof-serialization-eddsa-jcs-2022]]] with |hashData| and
|options| passed as parameters.
              </li>
              <li>
Let |proof|.|proofValue| be a <a data-cite="controller-document#multibase-0">
base58-btc-encoded Multibase value</a> of the |proofBytes|.
              </li>
              <li>
Return |proof| as the [=data integrity proof=].
              </li>
            </ol>
          </section>

          <section>
            <h4>Verify Proof (eddsa-jcs-2022)</h4>

          <p>
The following algorithm specifies how to verify a [=data integrity proof=] given
an <a>secured data document</a>. Required inputs are an
<a>secured data document</a> ([=map=] |securedDocument|). This algorithm returns
a [=verification result=], which is a [=struct=] whose [=struct/items=] are:
          </p>
          <dl>
            <dt>[=verification result/verified=]</dt>
            <dd>`true` or `false`</dd>
            <dt>[=verification result/verifiedDocument=]</dt>
            <dd>
if [=verification result/verified=] is `true`, an [=unsecured data document=];
otherwise <a data-cite="INFRA#nulls">Null</a>
            </dd>
          </dl>

          <ol class="algorithm">
            <li>
Let |unsecuredDocument| be a copy of |securedDocument| with the `proof` value
removed.
            </li>
            <li>
Let |proofOptions| be the result of a copy of |securedDocument|.|proof| with
`proofValue` removed.
            </li>
            <li>
Let |proofBytes| be the
<a data-cite="controller-document#multibase-0">Multibase decoded base58-btc
value</a> in |securedDocument|.|proof|.|proofValue|.
            </li>
            <li>
If |proofOptions|.<var>@context</var> exists:
              <ol class="algorithm">
                <li>
Check that the |securedDocument|.<var>@context</var> starts with all values
contained in the |proofOptions|.<var>@context</var> in the same order.
Otherwise, set |verified| to `false` and skip to the last step.
                </li>
                <li>
Set |unsecuredDocument|.<var>@context</var> equal to
|proofOptions|.<var>@context</var>.
                </li>
              </ol>
            </li>
            <li>
Let |transformedData| be the result of running the algorithm in Section
[[[#transformation-eddsa-jcs-2022]]] with |unsecuredDocument| and
|proofOptions| passed as parameters.
              </li>
            <li>
Let |proofConfig| be the result of running the algorithm in Section
[[[#proof-configuration-eddsa-jcs-2022]]] with |proofOptions| passed
as the parameter.
            </li>
            <li>
Let |hashData| be the result of running the algorithm in Section
[[[#hashing-eddsa-jcs-2022]]] with |transformedData| and |proofConfig| passed as
a parameters.
            </li>
            <li>
Let |verified:boolean| be the result of running the algorithm in Section
[[[#proof-verification-eddsa-jcs-2022]]] on |hashData|, |proofBytes|,
and |proofConfig|.
              </li>
              <li>
Return a [=verification result=] with [=struct/items=]:
                <dl data-link-for="verification result">
                  <dt>[=verified=]</dt>
                  <dd>|verified|</dd>
                  <dt>[=verifiedDocument=]</dt>
                  <dd>
if |verified| is `true`, |unsecuredDocument|;
otherwise, <a data-cite="INFRA#nulls">Null</a></dd>
                </dl>
              </li>
            </ol>
        </section>
        <section>
          <h4>Transformation (eddsa-jcs-2022)</h4>

          <p>
The following algorithm specifies how to transform an unsecured input document
into a transformed document that is ready to be provided as input to the
hashing algorithm in Section [[[#hashing-eddsa-jcs-2022]]].
          </p>

          <p>
Required inputs to this algorithm are an
<a data-cite="vc-data-integrity#dfn-unsecured-data-document">
unsecured data document</a> (`unsecuredDocument`) and
transformation options (`options`). The
transformation options MUST contain a type identifier for the
<a data-cite="vc-data-integrity#dfn-cryptosuite">
cryptographic suite</a> (`type`) and a cryptosuite
identifier (`cryptosuite`). A <em>transformed data document</em> is
produced as output. Whenever this algorithm encodes strings, it MUST use UTF-8
encoding.
          </p>

          <ol class="algorithm">
            <li>
If `options`.`type` is not set to the string
`DataIntegrityProof` and `options`.`cryptosuite` is not
set to the string `eddsa-jcs-2022`,
an error MUST be raised that SHOULD convey an error type of
<a data-cite="VC-DATA-INTEGRITY#PROOF_VERIFICATION_ERROR">PROOF_VERIFICATION_ERROR</a>.
            </li>
            <li>
Let `canonicalDocument` be the result of applying the
JSON Canonicalization Scheme [[RFC8785]] to a JSON serialization of the
`unsecuredDocument`.
            </li>
            <li>
Return `canonicalDocument` as the <em>transformed data document</em>.
            </li>
          </ol>
        </section>
        <section>
          <h4>Hashing (eddsa-jcs-2022)</h4>

          <p>
The following algorithm specifies how to cryptographically hash a
<em>transformed data document</em> and <em>proof configuration</em>
into cryptographic hash data that is ready to be provided as input to the
algorithms in Section [[[#proof-serialization-eddsa-jcs-2022]]] or
Section [[[#proof-verification-eddsa-jcs-2022]]].
          </p>

          <p>
The required inputs to this algorithm are a <em>transformed data document</em>
(`transformedDocument`) and <em>canonical proof configuration</em>
(`canonicalProofConfig`). A single <em>hash data</em> value represented as
series of bytes is produced as output.
          </p>

          <ol class="algorithm">
            <li>
Let `transformedDocumentHash` be the result of applying the
SHA-256 (SHA-2 with 256-bit output) cryptographic hashing algorithm [[RFC6234]]
to the `transformedDocument`. `transformedDocumentHash` will
be exactly 32 bytes in size.
            </li>
            <li>
Let `proofConfigHash` be the result of applying the
SHA-256 (SHA-2 with 256-bit output) cryptographic hashing algorithm [[RFC6234]]
to the `canonicalProofConfig`. `proofConfigHash` will be
exactly 32 bytes in size.
            </li>
            <li>
Let `hashData` be the result of joining `proofConfigHash` (the
first hash) with `transformedDocumentHash` (the second hash).
            </li>
            <li>
Return `hashData` as the <em>hash data</em>.
            </li>
          </ol>

        </section>
        <section>
          <h4>Proof Configuration (eddsa-jcs-2022)</h4>

          <p>
The following algorithm specifies how to generate a
<em>proof configuration</em> from a set of <em>proof options</em>
that is used as input to the <a href="#hashing-eddsa-jcs-2022">proof hashing algorithm</a>.
          </p>

          <p>
The required inputs to this algorithm are <em>proof options</em>
(`options`). The <em>proof options</em> MUST contain a type identifier
for the
<a data-cite="vc-data-integrity#dfn-cryptosuite">
cryptographic suite</a> (`type`) and MUST contain a cryptosuite
identifier (`cryptosuite`). A <em>proof configuration</em>
object is produced as output.
          </p>

          <ol class="algorithm">
            <li>
Let `proofConfig` be a clone of the `options` object.
            </li>
            <li>
If `proofConfig`.`type` is not set to `DataIntegrityProof` or
`proofConfig`.`cryptosuite` is not set to `eddsa-jcs-2022`,
an error MUST be raised that SHOULD convey an error type of
<a data-cite="VC-DATA-INTEGRITY#PROOF_GENERATION_ERROR">PROOF_GENERATION_ERROR</a>.
            </li>
            <li>
If |proofConfig|.|created| is set to a value that is not a
valid [[XMLSCHEMA11-2]] datetime, an error MUST be
raised and SHOULD convey an error type of
<a data-cite="VC-DATA-INTEGRITY#PROOF_GENERATION_ERROR">PROOF_GENERATION_ERROR</a>.
            </li>
            <li>
Let `canonicalProofConfig` be the result of applying the
JSON Canonicalization Scheme [[RFC8785]] to the `proofConfig`.
            </li>
            <li>
Return `canonicalProofConfig`.
            </li>
          </ol>

        </section>
        <section>
          <h4>Proof Serialization (eddsa-jcs-2022)</h4>

          <p>
The following algorithm specifies how to serialize a digital signature from
a set of cryptographic hash data. This
algorithm is designed to be used in conjunction with the algorithms defined
in the Data Integrity [[VC-DATA-INTEGRITY]] specification,
<a data-cite="vc-data-integrity#algorithms">
Section 4: Algorithms</a>. Required inputs are
cryptographic hash data (`hashData`) and
<em>proof options</em> (`options`). The
<em>proof options</em> MUST contain a type identifier for the
<a data-cite="vc-data-integrity#dfn-cryptosuite">
cryptographic suite</a> (`type`) and MAY contain a cryptosuite
identifier (`cryptosuite`). A single <em>digital proof</em> value
represented as series of bytes is produced as output.
          </p>

          <ol class="algorithm">
            <li>
Let `privateKeyBytes` be the result of retrieving the
private key bytes associated with the
`options`.`verificationMethod` value as described in the
Data Integrity [[VC-DATA-INTEGRITY]] specification,
<a data-cite="vc-data-integrity#algorithms">
Section 4: Retrieving Cryptographic Material</a>.
            </li>
            <li>
Let `proofBytes` be the result of applying the Edwards-Curve Digital
Signature Algorithm (EdDSA) [[RFC8032]], using the `Ed25519` variant
(Pure EdDSA), with `hashData` as the data to be signed using
the private key specified by `privateKeyBytes`.
`proofBytes` will be exactly 64 bytes in size.
            </li>
            <li>
Return `proofBytes` as the <em>digital proof</em>.
            </li>
          </ol>

        </section>
        <section>
          <h4>Proof Verification (eddsa-jcs-2022)</h4>

          <p>
The following algorithm specifies how to verify a digital signature from
a set of cryptographic hash data. This
algorithm is designed to be used in conjunction with the algorithms defined
in the Data Integrity [[VC-DATA-INTEGRITY]] specification,
<a data-cite="vc-data-integrity#algorithms">
Section 4: Algorithms</a>. Required inputs are
cryptographic hash data (`hashData`),
a digital signature (`proofBytes`) and
proof options (`options`). A <em>verification result</em>
represented as a boolean value is produced as output.
          </p>

          <ol class="algorithm">
            <li>
Let `publicKeyBytes` be the result of retrieving the
public key bytes associated with the
`options`.`verificationMethod` value as described in the
Data Integrity [[VC-DATA-INTEGRITY]] specification,
<a data-cite="vc-data-integrity#algorithms">
Section 4: Retrieving Cryptographic Material</a>.
            </li>
            <li>
Let `verificationResult` be the result of applying the verification
algorithm for the Edwards-Curve Digital Signature Algorithm (EdDSA)
[[RFC8032]], using the `Ed25519` variant (Pure EdDSA),
with `hashData` as the data to be verified against the
`proofBytes` using the public key specified by
`publicKeyBytes`.
            </li>
            <li>
Return `verificationResult` as the <em>verification result</em>.
            </li>
          </ol>

        </section>
      </section>

    </section>

    <section>
      <h2>Security Considerations</h2>

      <p class="advisement">
Before reading this section, readers are urged to familiarize themselves
with general security advice provided in the
<a href="https://www.w3.org/TR/vc-data-integrity/#security-considerations">
Security Considerations section of the Data Integrity specification</a>.
      </p>

      <p>
The following section describes security considerations that developers
implementing this specification should be aware of in order to create secure
software.
      </p>

      <section class="informative">
        <h3>Security Properties of Ed25519 Implementations</h3>
        <p>
Ed25519 signatures (EdDSA algorithm with edwards25519 curve) have
been widely adopted, due both to the compact size of the keys and
signatures and to the speed at
which signatures can be produced and verified. Many libraries exist that can
create and verify Ed25519 signatures. Since the publication of [[RFC8032]],
security properties of Ed25519 signatures have been rigorously proven (see
[[Provable_Ed25519]] and [[Taming_EdDSAs]]). However, it has been observed that a
significant number of libraries do not achieve these security levels, due to
missing input validity checks during the signature verification process. In
this section, we summarize the security levels achievable with Ed25519
signatures, and indicate how one can determine whether a library will support those
levels.
        </p>
        <section>
          <h4>Signature Security Properties</h4>
          <p>
Digital signatures might exhibit a number of desirable cryptographic
properties [[Taming_EdDSAs]] among these are:
          </p>
          <p>
<strong>EUF-CMA</strong> (<em>existential unforgeability under
chosen message attacks</em>) is usually the minimal security property required
of a signature scheme. It guarantees that any efficient adversary who has the
public key
<math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
  <mstyle displaystyle="true" scriptlevel="0">
    <mrow data-mjx-texclass="ORD">
      <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
        <mtr>
          <mtd>
            <mi>p</mi>
            <mi>k</mi>
          </mtd>
        </mtr>
      </mtable>
    </mrow>
  </mstyle>
</math> of the signer and received an arbitrary number of signatures on
messages of its choice (in an adaptive manner):
<math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
  <mstyle displaystyle="true" scriptlevel="0">
    <mrow data-mjx-texclass="ORD">
      <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
        <mtr>
          <mtd>
            <mo fence="false" stretchy="false">{</mo>
            <msub>
              <mi>m</mi>
              <mi>i</mi>
            </msub>
            <mo>,</mo>
            <msub>
              <mi>&#x3C3;</mi>
              <mi>i</mi>
            </msub>
            <msubsup>
              <mo fence="false" stretchy="false">}</mo>
              <mrow data-mjx-texclass="ORD">
                <mi>i</mi>
                <mo>=</mo>
                <mn>1</mn>
              </mrow>
              <mi>N</mi>
            </msubsup>
          </mtd>
        </mtr>
      </mtable>
    </mrow>
  </mstyle>
</math>,
cannot output a valid signature
<math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
  <mstyle displaystyle="true" scriptlevel="0">
    <mrow data-mjx-texclass="ORD">
      <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
        <mtr>
          <mtd>
            <msup>
              <mi>&#x3C3;</mi>
              <mo>&#x2217;</mo>
            </msup>
          </mtd>
        </mtr>
      </mtable>
    </mrow>
  </mstyle>
</math>
for a new message
<math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
  <mstyle displaystyle="true" scriptlevel="0">
    <mrow data-mjx-texclass="ORD">
      <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
        <mtr>
          <mtd>
            <msup>
              <mi>m</mi>
              <mo>&#x2217;</mo>
            </msup>
            <mo>&#x2209;</mo>
            <mo fence="false" stretchy="false">{</mo>
            <msub>
              <mi>m</mi>
              <mi>i</mi>
            </msub>
            <msubsup>
              <mo fence="false" stretchy="false">}</mo>
              <mrow data-mjx-texclass="ORD">
                <mi>i</mi>
                <mo>=</mo>
                <mn>1</mn>
              </mrow>
              <mi>N</mi>
            </msubsup>
          </mtd>
        </mtr>
      </mtable>
    </mrow>
  </mstyle>
</math>
(except with negligible probability). If the attacker outputs a valid
signature on a new message:
<math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
  <mstyle displaystyle="true" scriptlevel="0">
    <mrow data-mjx-texclass="ORD">
      <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
        <mtr>
          <mtd>
            <mo stretchy="false">(</mo>
            <msup>
              <mi>m</mi>
              <mo>&#x2217;</mo>
            </msup>
            <mo>,</mo>
            <msup>
              <mi>&#x3C3;</mi>
              <mo>&#x2217;</mo>
            </msup>
            <mo stretchy="false">)</mo>
          </mtd>
        </mtr>
      </mtable>
    </mrow>
  </mstyle>
</math>,
it is called an <em>existential
forgery</em>.
          </p>
          <p>
<strong>SUF-CMA</strong> (<em>strong unforgeability under chosen
message attacks</em>) is a stronger notion than <em>EUF-CMA</em>. It guarantees
that for any efficient adversary who has the public key
<math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
  <mstyle displaystyle="true" scriptlevel="0">
    <mrow data-mjx-texclass="ORD">
      <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
        <mtr>
          <mtd>
            <mi>p</mi>
            <mi>k</mi>
          </mtd>
        </mtr>
      </mtable>
    </mrow>
  </mstyle>
</math>
of the signer and
received an arbitrary number of signatures on messages of its choice:
<math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
  <mstyle displaystyle="true" scriptlevel="0">
    <mrow data-mjx-texclass="ORD">
      <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
        <mtr>
          <mtd>
            <mo fence="false" stretchy="false">{</mo>
            <msub>
              <mi>m</mi>
              <mi>i</mi>
            </msub>
            <mo>,</mo>
            <msub>
              <mi>&#x3C3;</mi>
              <mi>i</mi>
            </msub>
            <msubsup>
              <mo fence="false" stretchy="false">}</mo>
              <mrow data-mjx-texclass="ORD">
                <mi>i</mi>
                <mo>=</mo>
                <mn>1</mn>
              </mrow>
              <mi>N</mi>
            </msubsup>
          </mtd>
        </mtr>
      </mtable>
    </mrow>
  </mstyle>
</math>,
it cannot output a new valid signature pair
<math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
  <mstyle displaystyle="true" scriptlevel="0">
    <mrow data-mjx-texclass="ORD">
      <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
        <mtr>
          <mtd>
            <mo stretchy="false">(</mo>
            <msup>
              <mi>m</mi>
              <mo>&#x2217;</mo>
            </msup>
            <mo>,</mo>
            <msup>
              <mi>&#x3C3;</mi>
              <mo>&#x2217;</mo>
            </msup>
            <mo stretchy="false">)</mo>
          </mtd>
        </mtr>
      </mtable>
    </mrow>
  </mstyle>
</math>,
such that
<math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
  <mstyle displaystyle="true" scriptlevel="0">
    <mrow data-mjx-texclass="ORD">
      <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
        <mtr>
          <mtd>
            <mo stretchy="false">(</mo>
            <msup>
              <mi>m</mi>
              <mo>&#x2217;</mo>
            </msup>
            <mo>,</mo>
            <msup>
              <mi>&#x3C3;</mi>
              <mo>&#x2217;</mo>
            </msup>
            <mo stretchy="false">)</mo>
            <mo>&#x2209;</mo>
            <mo fence="false" stretchy="false">{</mo>
            <msup>
              <mi>m</mi>
              <mi>i</mi>
            </msup>
            <mo>,</mo>
            <msup>
              <mi>&#x3C3;</mi>
              <mi>i</mi>
            </msup>
            <msubsup>
              <mo fence="false" stretchy="false">}</mo>
              <mrow data-mjx-texclass="ORD">
                <mi>i</mi>
                <mo>=</mo>
                <mn>1</mn>
              </mrow>
              <mi>N</mi>
            </msubsup>
          </mtd>
        </mtr>
      </mtable>
    </mrow>
  </mstyle>
</math>
(except with negligible probability). Strong unforgeability implies that an
adversary not only cannot sign new messages, but also cannot find a new signature
on an old message. See [[Provable_Ed25519]] for a real world attack that would
have been circumvented with SUF-CMA security over EUF-CMA security.
          </p>
          <p>
<strong>Binding signature</strong> (BS) We say that a signature
scheme is <em>binding</em> if no efficient signer can output a tuple
<math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
  <mstyle displaystyle="true" scriptlevel="0">
    <mrow data-mjx-texclass="ORD">
      <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
        <mtr>
          <mtd>
            <mo stretchy="false">[</mo>
            <mi>p</mi>
            <mi>k</mi>
            <mo>,</mo>
            <mi>m</mi>
            <mo>,</mo>
            <msup>
              <mi>m</mi>
              <mi data-mjx-alternate="1">&#x2032;</mi>
            </msup>
            <mo>,</mo>
            <mi>&#x3C3;</mi>
            <mo stretchy="false">]</mo>
          </mtd>
        </mtr>
      </mtable>
    </mrow>
  </mstyle>
</math>,
where both
<math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
  <mstyle displaystyle="true" scriptlevel="0">
    <mrow data-mjx-texclass="ORD">
      <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
        <mtr>
          <mtd>
            <mo stretchy="false">(</mo>
            <mi>m</mi>
            <mo>,</mo>
            <mi>&#x3C3;</mi>
            <mo stretchy="false">)</mo>
          </mtd>
        </mtr>
      </mtable>
    </mrow>
  </mstyle>
</math>
and
<math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
  <mstyle displaystyle="true" scriptlevel="0">
    <mrow data-mjx-texclass="ORD">
      <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
        <mtr>
          <mtd>
            <mo stretchy="false">(</mo>
            <msup>
              <mi>m</mi>
              <mi data-mjx-alternate="1">&#x2032;</mi>
            </msup>
            <mo>,</mo>
            <mi>&#x3C3;</mi>
            <mo stretchy="false">)</mo>
          </mtd>
        </mtr>
      </mtable>
    </mrow>
  </mstyle>
</math>
are valid message signature pairs under the public key
<math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
  <mstyle displaystyle="true" scriptlevel="0">
    <mrow data-mjx-texclass="ORD">
      <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
        <mtr>
          <mtd>
            <mi>p</mi>
            <mi>k</mi>
          </mtd>
        </mtr>
      </mtable>
    </mrow>
  </mstyle>
</math>
and
<math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
  <mstyle displaystyle="true" scriptlevel="0">
    <mrow data-mjx-texclass="ORD">
      <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
        <mtr>
          <mtd>
            <mi>m</mi>
            <mo>&#x2260;</mo>
            <msup>
              <mi>m</mi>
              <mi data-mjx-alternate="1">&#x2032;</mi>
            </msup>
          </mtd>
        </mtr>
      </mtable>
    </mrow>
  </mstyle>
</math>
(except with negligible probability). A binding signature makes it impossible
for the signer to claim later that it has signed a different message; the
signature <em>binds</em> the signer to the message.
          </p>
          <p>
<strong>Strongly Binding signature</strong> (SBS) Certain
applications may require a signature to not only be binding to the message but
also be binding to the public key. We say that a signature scheme is
strongly-binding if any efficient signer cannot output a tuple
<math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
  <mstyle displaystyle="true" scriptlevel="0">
    <mrow data-mjx-texclass="ORD">
      <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
        <mtr>
          <mtd>
            <mo stretchy="false">[</mo>
            <mi>p</mi>
            <mi>k</mi>
            <mo>,</mo>
            <mi>m</mi>
            <mo>,</mo>
            <mi>p</mi>
            <msup>
              <mi>k</mi>
              <mi data-mjx-alternate="1">&#x2032;</mi>
            </msup>
            <mo>,</mo>
            <msup>
              <mi>m</mi>
              <mi data-mjx-alternate="1">&#x2032;</mi>
            </msup>
            <mo>,</mo>
            <mi>&#x3C3;</mi>
            <mo stretchy="false">]</mo>
          </mtd>
        </mtr>
      </mtable>
    </mrow>
  </mstyle>
</math>,
where
<math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
  <mstyle displaystyle="true" scriptlevel="0">
    <mrow data-mjx-texclass="ORD">
      <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
        <mtr>
          <mtd>
            <mo stretchy="false">(</mo>
            <mi>m</mi>
            <mo>,</mo>
            <mi>&#x3C3;</mi>
            <mo stretchy="false">)</mo>
          </mtd>
        </mtr>
      </mtable>
    </mrow>
  </mstyle>
</math>
is a valid signature for the public key
<math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
  <mstyle displaystyle="true" scriptlevel="0">
    <mrow data-mjx-texclass="ORD">
      <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
        <mtr>
          <mtd>
            <mi>p</mi>
            <mi>k</mi>
          </mtd>
        </mtr>
      </mtable>
    </mrow>
  </mstyle>
</math>
and
<math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
  <mstyle displaystyle="true" scriptlevel="0">
    <mrow data-mjx-texclass="ORD">
      <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
        <mtr>
          <mtd>
            <mo stretchy="false">(</mo>
            <msup>
              <mi>m</mi>
              <mi data-mjx-alternate="1">&#x2032;</mi>
            </msup>
            <mo>,</mo>
            <mi>&#x3C3;</mi>
            <mo stretchy="false">)</mo>
          </mtd>
        </mtr>
      </mtable>
    </mrow>
  </mstyle>
</math>
is a valid signature for the public key
<math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
  <mstyle displaystyle="true" scriptlevel="0">
    <mrow data-mjx-texclass="ORD">
      <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
        <mtr>
          <mtd>
            <mi>p</mi>
            <msup>
              <mi>k</mi>
              <mi data-mjx-alternate="1">&#x2032;</mi>
            </msup>
          </mtd>
        </mtr>
      </mtable>
    </mrow>
  </mstyle>
</math>
and either
<math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
  <mstyle displaystyle="true" scriptlevel="0">
    <mrow data-mjx-texclass="ORD">
      <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
        <mtr>
          <mtd>
            <msup>
              <mi>m</mi>
              <mi data-mjx-alternate="1">&#x2032;</mi>
            </msup>
            <mo>&#x2260;</mo>
            <mi>m</mi>
          </mtd>
        </mtr>
      </mtable>
    </mrow>
  </mstyle>
</math>
or
<math xmlns="http://www.w3.org/1998/Math/MathML" display="inline">
  <mstyle displaystyle="true" scriptlevel="0">
    <mrow data-mjx-texclass="ORD">
      <mtable rowspacing=".5em" columnspacing="1em" displaystyle="true">
        <mtr>
          <mtd>
            <mi>p</mi>
            <mi>k</mi>
            <mo>&#x2260;</mo>
            <mi>p</mi>
            <msup>
              <mi>k</mi>
              <mi data-mjx-alternate="1">&#x2032;</mi>
            </msup>
          </mtd>
        </mtr>
      </mtable>
    </mrow>
  </mstyle>
</math>,
or both (except with negligible probability). See [[Provable_Ed25519]] for real
world attacks that would have been circumvented with the SBS property.
          </p>
          <p>Note that the <em>BS</em> and <em>SBS</em> properties are forms of
<em>non-repudiation</em>.
          </p>
        </section>
        <section>
          <h4>Achieving Ed25519 Security Properties</h4>
          <p>
As pointed out in [[Taming_EdDSAs]], flaws in Ed25519 libraries
primarily occur on the signature verification side, where edge cases
are sometimes not properly checked. An Ed25519 signature library that is in conformance
with [[RFC8032]] or [[FIPS-186-5]], i.e., one that performs <strong>all
</strong> specified validation checks, will have the <strong>SUF-CMA</strong>
property in addition to <strong>EUF-CMA</strong>.
          </p>
          <p>
Reference [[Taming_EdDSAs]] achieves the <strong>BS</strong> and
<strong>SBS</strong> properties along with <strong>SUF-CMA</strong> in their
&quot;signature verification algorithm 2&quot; where an additional check is
performed against the public key <em>A</em> to make sure that it is not one of
eight &quot;small order points&quot;. These additional checks incur minimal processing overhead.
          </p>
          <p>
Reference [[Taming_EdDSAs]] included a set of twelve test vectors
to test various Ed25519 libraries available at the time of publication. They
found that a significant portion missed edge cases and hence did not achieve
<strong>SUF-CMA</strong> (just EUF-CMA), and only two libraries out of sixteen
achieved all the security properties. Since the time of publication, more
Ed25519 libraries have been created, and some of the libraries have been updated
to include all verification checks. Implementers are recommended to test the
Ed25519 library they are using against the test vectors of [[Taming_EdDSAs]].
          </p>
        </section>
      </section>

    </section>

    <section>
      <h2>Privacy Considerations</h2>

      <p class="advisement">
Before reading this section, readers are urged to familiarize themselves
with general privacy advice provided in the
<a href="https://www.w3.org/TR/vc-data-integrity/#privacy-considerations">
Privacy Considerations section of the Data Integrity specification</a>.
      </p>

      <p>
The following section describes privacy considerations that developers
implementing this specification should be aware of in order to avoid violating
privacy assumptions.
      </p>

    <section>
      <h3>Selective and Unlinkable Disclosure</h3>

      <p>
The cryptographic suites described in this specification do not support
[=selective disclosure=] or [=unlinkable disclosure=]. If
[=selective disclosure=] is a desired feature, readers might find the
[[[?VC-DI-ECDSA]]] specification useful. If [=unlinkable disclosure=] is of
interest, the [[[?VC-DI-BBS]]] specification provides an unlinkable digital
signature mechanism.
      </p>

    </section>
    </section>

    <section class="appendix">
      <h2>The Ed25519Signature2020 Suite</h2>

      <p>
`Ed25519Signature2020` is an earlier version of a cryptographic suite
for use of the EdDSA algorithm and Curve25519. While it has
been used in production systems, new implementations should instead use
<a href="#eddsa-rdfc-2022">`eddsa-rdfc-2022`</a>. `Ed25519Signature2020` has
been kept in this specification to provide a stable reference.
      </p>

      <section>
        <h3>Data Model</h3>
        <section>
          <h3>Verification Methods</h3>
          <section>
            <h4>Ed25519VerificationKey2020</h4>

            <p>
The key format described in this section is provided to document a legacy
mechanism that has been deployed to production. The key format described in
section [[[#multikey]]] supercedes the one described in this section. New
applications are strongly urged to use the newer key format.
            </p>

            <p>
The `type` of the verification method MUST be
<a href="#ed25519verificationkey2020">Ed25519VerificationKey2020</a>.
            </p>

            <p>
The `controller` of the verification method MUST be a URL.
            </p>

            <p>
The `publicKeyMultibase` value of the verification method MUST start with the
base-58-btc prefix (`z`), as defined in the
<a data-cite="controller-document#multibase-0">Multibase section</a> of
[[VC-DATA-INTEGRITY]]. A Multibase-encoded Multikey value follows, which MUST
consist of a binary value that starts with the two-byte prefix `0xed01`, which
is the Multikey header for an Ed25519 public key, followed by the 32-byte
public key data, all of which is then encoded using base-58-btc. Any other
encoding MUST NOT be allowed.
            </p>

            <p class="advisement">
Developers are advised to not accidentally publish a representation of a private
key. Implementations of this specification will raise errors in the event of a
Multikey header value other than `0xed01` being used in a
`publicKeyMultibase` value.
            </p>

            <pre class="example nohighlight" title="An Ed25519 public key encoded as an
              Ed25519VerificationKey2020">
  {
    "id": "https://example.com/issuer/123#key-0",
    "type": "Ed25519VerificationKey2020",
    "controller": "https://example.com/issuer/123",
    "publicKeyMultibase": "z6Mkf5rGMoatrSj1f4CyvuHBeXJELe9RPdzo2PKGNCKVtZxP"
  }
            </pre>

            <pre class="example nohighlight" title="An Ed25519 public key encoded as an
              Ed25519VerificationKey2020 in a controller document.">
  {
    "@context": [
      "https://www.w3.org/ns/did/v1",
      "https://w3id.org/security/suites/ed25519-2020/v1"
    ],
    "id": "did:example:123",
    "verificationMethod": [{
      "id": "did:example:123#key-0",
      "type": "Ed25519VerificationKey2020",
      "controller": "did:example:123",
      "publicKeyMultibase": "z6Mkf5rGMoatrSj1f4CyvuHBeXJELe9RPdzo2PKGNCKVtZxP"
    }],
    "authentication": [
      "did:example:123#key-0"
    ],
    "assertionMethod": [
      "did:example:123#key-0"
    ],
    "capabilityDelegation": [
      "did:example:123#key-0"
    ],
    "capabilityInvocation": [
      "did:example:123#key-0"
    ]
  }
            </pre>
          </section>

        </section>
        <section>
          <h3>Proof representations</h3>
          <section>
            <h4>Ed25519Signature2020</h4>

            <p>
The proof format described in this section is provided to document a legacy
mechanism that has been deployed to production. The `DataIntegrityProof` formats
described in section [[[#dataintegrityproof]]] supercede the one described in
this section. New applications are strongly urged to use the newer proof format.
            </p>

            <p>
The `verificationMethod` property of the proof MUST be a URL.
Dereferencing the `verificationMethod` MUST result in an object
containing a `type` property with the value set to
`Ed25519VerificationKey2020`.
            </p>

            <p>
The `type` property of the proof MUST be `Ed25519Signature2020`.
            </p>
            <p>
The `created` property of the proof MUST be an [[XMLSCHEMA11-2]]
formatted date string.
            </p>
            <p>
The `proofPurpose` property of the proof MUST be a string, and MUST
match the verification relationship expressed by the verification method
`controller`.
            </p>
            <p>
The `proofValue` property of the proof MUST be a detached EdDSA
produced according to [[RFC8032]], encoded using
the base-58-btc header and alphabet as described in the
<a href="https://www.w3.org/TR/vc-data-integrity/#multibase-0">
Multibase section</a> of [[VC-DATA-INTEGRITY]].
            </p>

            <pre class="example nohighlight"
              title="An Ed25519 digital signature expressed as a
              Ed25519Signature2020">
  {
    "@context": [
      {"myWebsite": "https://vocabulary.example/myWebsite"},
      "https://w3id.org/security/suites/ed25519-2020/v1"
    ],
    "myWebsite": "https://hello.world.example/",
    "proof": {
      "type": "Ed25519Signature2020",
      "created": "2020-11-05T19:23:24Z",
      "verificationMethod": "https://di.example/issuer#z6MkjLrk3gKS2nnkeWcmcxiZPGskmesDpuwRBorgHxUXfxnG",
      "proofPurpose": "assertionMethod",
      "proofValue": "z4oey5q2M3XKaxup3tmzN4DRFTLVqpLMweBrSxMY2xHX5XTYVQeVbY8nQAVHMrXFkXJpmEcqdoDwLWxaqA3Q1geV6"
    }
  }
            </pre>

          </section>

        </section>
      </section>

      <section>
        <h3>Algorithms</h3>
        <section>
          <h3>Ed25519Signature2020</h3>

          <p>
The `Ed25519Signature2020` cryptographic suite takes an input document,
canonicalizes the document using the RDF Dataset Canonicalization algorithm [[RDF-CANON]],
and then cryptographically hashes and signs the output
resulting in the production of a data integrity proof. The algorithms in this
section also include the verification of such a data integrity proof.
          </p>

          <section>
            <h4>Add Proof (Ed25519Signature2020)</h4>

            <p>
To generate a proof, the algorithm in
<a data-cite="vc-data-integrity#add-proof">
Section 4.1: Add Proof</a> in the Data Integrity
[[VC-DATA-INTEGRITY]] specification MUST be executed.
For that algorithm, the cryptographic suite specific
<a data-cite="vc-data-integrity#dfn-transformation-algorithm">
transformation algorithm</a> is defined in Section
[[[#transformation-ed25519signature2020]]], the
<a data-cite="vc-data-integrity#dfn-hashing-algorithm">
hashing algorithm</a> is defined in Section
[[[#hashing-ed25519signature2020]]], and the
<a data-cite="vc-data-integrity#dfn-proof-serialization-algorithm">
proof serialization algorithm</a> is defined in Section
[[[#proof-serialization-ed25519signature2020]]].
            </p>
          </section>

          <section>
            <h4>Verify Proof (Ed25519Signature2020)</h4>

            <p>
To verify a proof, the algorithm in
<a data-cite="vc-data-integrity#verify-proof">
Section 4.2: Verify Proof</a> in the Data Integrity
[[VC-DATA-INTEGRITY]] specification MUST be executed.
For that algorithm, the cryptographic suite specific
<a data-cite="vc-data-integrity#dfn-transformation-algorithm">
transformation algorithm</a> is defined in Section
[[[#transformation-ed25519signature2020]]], the
<a data-cite="vc-data-integrity#dfn-hashing-algorithm">
hashing algorithm</a> is defined in Section [[[#hashing-ed25519signature2020]]],
and the
<a data-cite="vc-data-integrity#dfn-proof-serialization-algorithm">
proof verification algorithm</a> is defined in Section
[[[#proof-verification-ed25519signature2020]]].
            </p>
          </section>

          <section>
            <h4>Transformation (Ed25519Signature2020)</h4>

            <p>
The following algorithm specifies how to transform an unsecured input document
into a transformed document that is ready to be provided as input to the
hashing algorithm in Section [[[#hashing-ed25519signature2020]]].
            </p>

            <p>
Required inputs to this algorithm are an
<a data-cite="vc-data-integrity#dfn-unsecured-data-document">
unsecured data document</a> (`unsecuredDocument`) and
transformation options (`options`). The
transformation options MUST contain a type identifier for the
<a data-cite="vc-data-integrity#dfn-cryptosuite">
cryptographic suite</a> (`type`) and a cryptosuite
identifier (`cryptosuite`). A <em>transformed data document</em> is
produced as output. Whenever this algorithm encodes strings, it MUST use UTF-8
encoding.
            </p>

            <ol class="algorithm">
              <li>
If `options`.`type` is not set to the string
`Ed25519Signature2020`,
an error MUST be raised that SHOULD convey an error type of
<a data-cite="VC-DATA-INTEGRITY#PROOF_TRANSFORMATION_ERROR">PROOF_TRANSFORMATION_ERROR</a>.
              </li>
              <li>
Let |canonicalDocument| be the result of converting |unsecuredDocument| to
<a data-cite="JSON-LD11-API#expansion-algorithm">JSON-LD expanded form</a>
and then <a data-cite="JSON-LD11-API#deserialize-json-ld-to-rdf-algorithm">
to RDF statements</a>, applying the <a data-cite="RDF-CANON#canon-algorithm">
Universal RDF Dataset Canonicalization Algorithm</a>, and then serializing the result to a
<a data-cite="RDF-CANON#dfn-serialized-canonical-form">serialized canonical form</a>.
              </li>
              <li>
Return `canonicalDocument` as the <em>transformed data document</em>.
              </li>
            </ol>

          </section>

          <section>
            <h4>Hashing (Ed25519Signature2020)</h4>

            <p>
The following algorithm specifies how to cryptographically hash a
<em>transformed data document</em> and <em>proof configuration</em>
into cryptographic hash data that is ready to be provided as input to the
algorithms in Section [[[#proof-serialization-ed25519signature2020]]] or
Section [[[#proof-verification-ed25519signature2020]]].
            </p>

            <p>
The required inputs to this algorithm are a
<em>transformed data document</em> (`transformedDocument`) and
<em>proof configuration</em> (`proofConfig`). The
<em>proof configuration</em> MUST contain a type identifier for the
<a data-cite="vc-data-integrity#dfn-cryptosuite">
cryptographic suite</a> (`type`) and MAY contain a cryptosuite
identifier (`cryptosuite`). A single <em>hash data</em> value
represented as series of bytes is produced as output.
            </p>

            <ol class="algorithm">
              <li>
Let `transformedDocumentHash` be the result of applying the
SHA-256 (SHA-2 with 256-bit output) cryptographic hashing algorithm [[RFC6234]]
to the `transformedDocument`. `transformedDocumentHash` will
be exactly 32 bytes in size.
              </li>
              <li>
Let `proofConfigHash` be the result of applying the
SHA-256 (SHA-2 with 256-bit output) cryptographic hashing algorithm [[RFC6234]]
to the `canonicalProofConfig`. `proofConfigHash` will be
exactly 32 bytes in size.
              </li>

              <li>
Let `hashData` be the result of joining `proofConfigHash` (the
first hash) with `transformedDocumentHash` (the second hash).
              </li>
              <li>
Return `hashData` as the <em>hash data</em>.
              </li>
            </ol>

          </section>

          <section>
            <h4>Proof Configuration (Ed25519Signature2020)</h4>

            <p>
The following algorithm specifies how to generate a
<em>proof configuration</em> from a set of <em>proof options</em>
that is used as input to the <a href="#hashing-ed25519signature2020">proof hashing algorithm</a>.
            </p>

            <p>
The required inputs to this algorithm are <em>proof options</em>
(`options`). The <em>proof options</em> MUST contain a type identifier
for the
<a data-cite="vc-data-integrity#dfn-cryptosuite">
cryptographic suite</a> (`type`) and MAY contain a cryptosuite
identifier (`cryptosuite`). A <em>proof configuration</em>
object is produced as output.
            </p>

            <ol class="algorithm">
              <li>
Let |proofConfig| be a clone of the |options| object.
              </li>
              <li>
If `proofConfig`.`type` is not set to `Ed25519Signature2020`,
an error MUST be raised and SHOULD convey an error type of
<a data-cite="VC-DATA-INTEGRITY#PROOF_GENERATION_ERROR">PROOF_GENERATION_ERROR</a>.
              </li>
              <li>
If |proofConfig|.|created| is present and set to a value that is not a
valid [[XMLSCHEMA11-2]] datetime, an error MUST be
raised and SHOULD convey an error type of
<a data-cite="VC-DATA-INTEGRITY#PROOF_GENERATION_ERROR">PROOF_GENERATION_ERROR</a>.
              </li>
              <li>
Set `proofConfig`.<var>@context</var> to
`unsecuredDocument`.<var>@context</var>
              </li>
              <li>
Let `canonicalProofConfig` be the result of applying the
RDF Dataset Canonicalization algorithm [[RDF-CANON]] to the `proofConfig`.
              </li>
              <li>
Return `canonicalProofConfig`.
              </li>
            </ol>

          </section>

          <section>
            <h4>Proof Serialization (Ed25519Signature2020)</h4>

            <p>
The following algorithm specifies how to serialize a digital signature from
a set of cryptographic hash data. This
algorithm is designed to be used in conjunction with the algorithms defined
in the Data Integrity [[VC-DATA-INTEGRITY]] specification,
<a data-cite="vc-data-integrity#algorithms">
Section 4: Algorithms</a>. Required inputs are
cryptographic hash data (`hashData`) and
<em>proof options</em> (`options`). The
<em>proof options</em> MUST contain a type identifier for the
<a data-cite="vc-data-integrity#dfn-cryptosuite">
cryptographic suite</a> (`type`) and MAY contain a cryptosuite
identifier (`cryptosuite`). A single <em>digital proof</em> value
represented as series of bytes is produced as output.
            </p>

            <ol class="algorithm">
              <li>
Let `privateKeyBytes` be the result of retrieving the
private key bytes associated with the
`options`.`verificationMethod` value as described in the
Data Integrity [[VC-DATA-INTEGRITY]] specification,
<a data-cite="vc-data-integrity#algorithms">
Section 4: Retrieving Cryptographic Material</a>.
              </li>
              <li>
Let `proofBytes` be the result of applying the Edwards-Curve Digital
Signature Algorithm (EdDSA) [[RFC8032]], using the `Ed25519` variant
(Pure EdDSA), with `hashData` as the data to be signed using
the private key specified by `privateKeyBytes`.
`proofBytes` will be exactly 64 bytes in size.
              </li>
              <li>
Return `proofBytes` as the <em>digital proof</em>.
              </li>
            </ol>

          </section>

          <section>
            <h4>Proof Verification (Ed25519Signature2020)</h4>

            <p>
The following algorithm specifies how to verify a digital signature from
a set of cryptographic hash data. This
algorithm is designed to be used in conjunction with the algorithms defined
in the Data Integrity [[VC-DATA-INTEGRITY]] specification,
<a data-cite="vc-data-integrity#algorithms">
Section 4: Algorithms</a>. Required inputs are
cryptographic hash data (`hashData`),
a digital signature (`proofBytes`) and
proof options (`options`). A <em>verification result</em>
represented as a boolean value is produced as output.
            </p>

            <ol class="algorithm">
              <li>
Let `publicKeyBytes` be the result of retrieving the
public key bytes associated with the
`options`.`verificationMethod` value as described in the
Data Integrity [[VC-DATA-INTEGRITY]] specification,
<a data-cite="vc-data-integrity#algorithms">
Section 4: Retrieving Cryptographic Material</a>.
              </li>
              <li>
Let `verificationResult` be the result of applying the verification
algorithm for the Edwards-Curve Digital Signature Algorithm (EdDSA)
[[RFC8032]], using the `Ed25519` variant (Pure EdDSA),
with `hashData` as the data to be verified against the
`proofBytes` using the public key specified by
`publicKeyBytes`.
              </li>
              <li>
Return `verificationResult` as the <em>verification result</em>.
              </li>
            </ol>

          </section>
        </section>
      </section>
    </section>


    <section class="appendix informative">
      <h2>Test Vectors</h2>
      <section>
        <h3>Representation: eddsa-rdfc-2022</h3>
        <p>
The signer needs to generate a private/public key pair with the private key used
for signing and the public key made available for verification. The
representation of the public key and the representation of the private key
are shown below.
        </p>
        <pre class="example nohighlight" title="Private and Public keys for Signature">
{
    publicKeyMultibase: "z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2",
    secretKeyMultibase: "z3u2en7t5LR2WtQH5PfFqMqwVHBeXouLzo6haApm8XHqvjxq"
}
        </pre>

        <p>
Signing begins with a credential without an attached proof, which is converted
to canonical form, and then hashed, as shown in the following three examples.
        </p>

        <pre class="example nohighlight" title="Credential without Proof" data-include="TestVectors/unsigned.json"
        data-include-format="text"></pre>

        <pre class="example nohighlight" title="Canonical Credential without Proof" data-include="TestVectors/eddsa-rdfc-2022/canonDocDataInt.txt"
        data-include-format="text"></pre>


        <pre class="example nohighlight" title="Hash of Canonical Credential without Proof (hex)"
        data-include="TestVectors/eddsa-rdfc-2022/docHashDataInt.txt" data-include-format="text"></pre>

        <p>
The next step is to take the proof options document, convert it to canonical form,
and obtain its hash, as shown in the next three examples.
        </p>

        <pre class="example nohighlight" title="Proof Options Document"
        data-include="TestVectors/eddsa-rdfc-2022/proofConfigDataInt.json" data-include-format="text"></pre>

        <pre class="example nohighlight" title="Canonical Proof Options Document"
        data-include="TestVectors/eddsa-rdfc-2022/proofCanonDataInt.txt" data-include-format="text"></pre>

        <pre class="example nohighlight" title="Hash of Canonical Proof Options Document (hex)"
        data-include="TestVectors/eddsa-rdfc-2022/proofHashDataInt.txt" data-include-format="text"></pre>

        <p>
Finally, we concatenate the hash of the proof options followed by the hash of the credential without proof, use the private key with the combined hash to
compute the Ed25519 signature, and then base58-btc encode the signature.
        </p>

        <pre class="example nohighlight" title="Combine hashes of Proof Options and Credential (hex)"
        data-include="TestVectors/eddsa-rdfc-2022/combinedHashDataInt.txt" data-include-format="text"></pre>

        <pre class="example nohighlight" title="Signature of Combined Hashes (hex)"
        data-include="TestVectors/eddsa-rdfc-2022/sigHexDataInt.txt" data-include-format="text"></pre>

        <pre class="example nohighlight" title="Signature of Combined Hashes base58-btc"
        data-include="TestVectors/eddsa-rdfc-2022/sigBTC58DataInt.txt" data-include-format="text"></pre>

        <p>Assemble the signed credential with the following two steps:</p>
        <ol>
          <li>
Add the <code>proofValue</code> field with the previously computed base58-btc
value to the proof options document.
          </li>
          <li>
Set the <code>proof</code> field of the credential to the augmented proof
option document.
          </li>
        </ol>

        <pre class="example nohighlight" title="Signed Credential"
        data-include="TestVectors/eddsa-rdfc-2022/signedDataInt.json" data-include-format="text"></pre>
      </section>
      <section>
        <h3>Representation: eddsa-jcs-2022</h3>
        <p>
The signer needs to generate a private/public key pair with the private key used
for signing and the public key made available for verification. The
representation of the public key, and the representation of the private key
are shown below.
        </p>
        <pre class="example nohighlight" title="Private and Public keys for Signature">
{
  publicKeyMultibase: "z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2",
  secretKeyMultibase: "z3u2en7t5LR2WtQH5PfFqMqwVHBeXouLzo6haApm8XHqvjxq"
}
        </pre>

        <p>
Signing begins with a credential without an attached proof, which is converted
to canonical form, and then hashed, as shown in the following three examples.
        </p>

        <pre class="example nohighlight" title="Credential without Proof" data-include="TestVectors/unsigned.json"
        data-include-format="text"></pre>

        <pre class="example nohighlight" title="Canonical Credential without Proof" data-include="TestVectors/eddsa-jcs-2022/canonDocJCS.txt"
        data-include-format="text"></pre>


        <pre class="example nohighlight" title="Hash of Canonical Credential without Proof (hex)"
        data-include="TestVectors/eddsa-jcs-2022/docHashJCS.txt" data-include-format="text"></pre>

        <p>
The next step is to take the proof options document, convert it to canonical form,
and obtain its hash, as shown in the next three examples.
        </p>

        <pre class="example nohighlight" title="Proof Options Document"
        data-include="TestVectors/eddsa-jcs-2022/proofConfigJCS.json" data-include-format="text"></pre>

        <pre class="example nohighlight" title="Canonical Proof Options Document"
        data-include="TestVectors/eddsa-jcs-2022/proofCanonJCS.txt" data-include-format="text"></pre>

        <pre class="example nohighlight" title="Hash of Canonical Proof Options Document (hex)"
        data-include="TestVectors/eddsa-jcs-2022/proofHashJCS.txt" data-include-format="text"></pre>

        <p>
Finally, we concatenate the hash of the proof options followed by the hash of the credential without proof, use the private key with the combined hash to
compute the Ed25519 signature, and then base58-btc encode the signature.
        </p>

        <pre class="example nohighlight" title="Combine hashes of Proof Options and Credential (hex)"
        data-include="TestVectors/eddsa-jcs-2022/combinedHashJCS.txt" data-include-format="text"></pre>

        <pre class="example nohighlight" title="Signature of Combined Hashes (hex)"
        data-include="TestVectors/eddsa-jcs-2022/sigHexJCS.txt" data-include-format="text"></pre>

        <pre class="example nohighlight" title="Signature of Combined Hashes base58-btc"
        data-include="TestVectors/eddsa-jcs-2022/sigBTC58JCS.txt" data-include-format="text"></pre>

        <p>
Assemble the signed credential with the following two steps:
	</p>
        <ol>
          <li>
Add the <code>proofValue</code> field with the previously computed base58-btc
value to the proof options document.
          </li>
          <li>
Set the <code>proof</code> field of the credential to the augmented proof
option document.
          </li>
        </ol>

        <pre class="example nohighlight" title="Signed Credential"
        data-include="TestVectors/eddsa-jcs-2022/signedJCS.json" data-include-format="text"></pre>
      </section>
      <section>
        <h3>Representation: Ed25519Signature2020</h3>
        <p>
The signer needs to generate a private/public key pair with the private key used
for signing and the public key made available for verification. The
representation of the public key, and the representation of the private key,
are shown below.
        </p>
        <pre class="example nohighlight" title="Private and Public keys for Signature">
{
    publicKeyMultibase: "z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2",
    secretKeyMultibase: "z3u2en7t5LR2WtQH5PfFqMqwVHBeXouLzo6haApm8XHqvjxq"
}
        </pre>

        <p>
Signing begins with a credential without an attached proof, which is converted
to canonical form, and then hashed, as shown in the following three examples.
        </p>

        <pre class="example nohighlight" title="Credential without Proof" data-include="TestVectors/unsigned.json"
        data-include-format="text"></pre>

        <pre class="example nohighlight" title="Canonical Credential without Proof" data-include="TestVectors/Ed25519Signature2020/canonDocEdSig.txt"
        data-include-format="text"></pre>


        <pre class="example nohighlight" title="Hash of Canonical Credential without Proof (hex)"
        data-include="TestVectors/Ed25519Signature2020/docHashEdSig.txt" data-include-format="text"></pre>

        <p>
The next step is to take the proof options document, convert it to canonical form,
and obtain its hash, as shown in the next three examples.
        </p>

        <pre class="example nohighlight" title="Proof Options Document"
        data-include="TestVectors/Ed25519Signature2020/proofConfigEdSig.json" data-include-format="text"></pre>

        <pre class="example nohighlight" title="Canonical Proof Options Document"
        data-include="TestVectors/Ed25519Signature2020/proofCanonEdSig.txt" data-include-format="text"></pre>

        <pre class="example nohighlight" title="Hash of Canonical Proof Options Document (hex)"
        data-include="TestVectors/Ed25519Signature2020/proofHashEdSig.txt" data-include-format="text"></pre>

        <p>
Finally, we concatenate the hash of the proof options followed by the hash of the credential without proof, use the private key with the combined hash to
compute the Ed25519 signature, and then base58-btc encode the signature.
        </p>

        <pre class="example nohighlight" title="Combine hashes of Proof Options and Credential (hex)"
        data-include="TestVectors/Ed25519Signature2020/combinedHashEdSig.txt" data-include-format="text"></pre>

        <pre class="example nohighlight" title="Signature of Combined Hashes (hex)"
        data-include="TestVectors/Ed25519Signature2020/sigHexEdSig.txt" data-include-format="text"></pre>

        <pre class="example nohighlight" title="Signature of Combined Hashes base58-btc"
        data-include="TestVectors/Ed25519Signature2020/sigBTC58EdSig.txt" data-include-format="text"></pre>

        <p>Assemble the signed credential with the following two steps:</p>
          <ol>
            <li>
Add the <code>proofValue</code> field with the previously computed base58-btc
value to the proof options document.
            </li>
            <li>
Set the <code>proof</code> field of the credential to the augmented proof
option document.
            </li>
          </ol>

        <pre class="example nohighlight" title="Signed Credential"
        data-include="TestVectors/Ed25519Signature2020/signedEdSig.json" data-include-format="text"></pre>
      </section>
      <section>
        <h3>Proof Sets and Chains</h3>
        <p>
Proof sets and chains are defined in the [[VC-DATA-INTEGRITY]]. We
provide test vectors showing the creation of proof sets and chains with the
`eddsa-rdfc-2022` cryptosuite. Multiple signers can be involved in the generation
of proof sets and chains so multiple public/private key pairs are needed. These
are shown below.
        </p>
        <pre class="example nohighlight" title="Public and Private Key Pairs" data-include="TestVectors/proof-set-chain/multiKeyPairs.json"
        data-include-format="text"></pre>
        <p>
The original unsigned credential is shown below:
        </p>
        <pre class="example nohighlight" title="Unsigned Credential" data-include="TestVectors/proof-set-chain/unsigned.json"
        data-include-format="text"></pre>
        <section>
          <h4>Proof Set</h4>
          <p>
To demonstrate creating a proof set, we start with a document containing a
single proof and add another proof to it. The starting document is shown below and
contains a proof signed with `keyPair1`.
          </p>
          <pre class="example nohighlight" title="Starting Document for Proof Set" data-include="TestVectors/proof-set-chain/signedProofSet1.json"
          data-include-format="text"></pre>
          <p>
The `options` input to <a data-cite="vc-data-integrity#add-proof-set/chain">
Section 4.4: Add Proof Set/Chain</a> in [[VC-DATA-INTEGRITY]]
is shown below. Note that it does not include a `previousProof` attribute since
we are constructing a proof set and not a chain. In addition, we will be using
`keyPair2` for signing.
          </p>
          <pre class="example nohighlight" title="Proof Options for Set" data-include="TestVectors/proof-set-chain/proofSetConfig2.json"
          data-include-format="text"></pre>
          <p>
Per the algorithm of <a data-cite="vc-data-integrity#add-proof-set/chain">
Section 4.4: Add Proof Set/Chain</a> in [[VC-DATA-INTEGRITY]],
we create an array variable, `allProofs`, and add the proof from the
starting document to it. Since there is no `previousProof` attribute, no
modification of `unsignedDocument` is needed prior to computing the signed proof
in step 6 of <a data-cite="vc-data-integrity#add-proof-set/chain">
Section 4.4: Add Proof Set/Chain</a> in
[[VC-DATA-INTEGRITY]]. The signed proof configuration is shown below.
          </p>
          <pre class="example nohighlight" title="Signed Proof Options" data-include="TestVectors/proof-set-chain/proofSetConfigSigned2.json"
          data-include-format="text"></pre>
          <p>
The signed proof `options` above gets appended to the `allProofs`
variable, which then gets set as the `proof` attribute of the unsigned document
to produce the final signed document as shown below.
          </p>
          <pre class="example nohighlight" title="Signed Proof Set" data-include="TestVectors/proof-set-chain/signedProofSet2.json"
          data-include-format="text"></pre>
        </section>

        <section>
          <h4>Proof Chain with Multiple Dependencies</h4>
          <p>
This collection of test vectors demonstrates the construction a proof chain. We
start with a document containing a proof set, i.e., our previous example, and
then add a new proof to the credential that has a dependency on the existing
proofs. This example also demonstrates the case where the `previousProofs`
attribute is an array. This example uses `keyPair3` and the starting document is
given below.
          </p>
          <pre class="example nohighlight" title="Starting Document for Proof Chain" data-include="TestVectors/proof-set-chain/signedProofSet2.json"
          data-include-format="text"></pre>
          <p>
The `options` input to <a data-cite="vc-data-integrity#add-proof-set/chain">
Section 4.4: Add Proof Set/Chain</a> in [[VC-DATA-INTEGRITY]]
is shown below. Note that it includes a `previousProof` attribute since we are
constructing a proof chain.
          </p>
          <pre class="example nohighlight" title="Options for Proof Chain" data-include="TestVectors/proof-set-chain/proofChainConfig1.json"
          data-include-format="text"></pre>
          <p>
Per the algorithm of <a data-cite="vc-data-integrity#add-proof-set/chain">
Section 4.4: Add Proof Set/Chain</a> in [[VC-DATA-INTEGRITY]],
we create an array variable, `allProofs`, and add the proofs from the
starting document to it. Since the options contains the `previousProof`
attribute, we compute the `matchingProofs` variable per step 4
of <a data-cite="vc-data-integrity#add-proof-set/chain">Section 4.4: Add Proof
Set/Chain</a>, and we set the
`unsecuredDocument.proof` equal to the `matchingProofs`. This
produces the document shown below.
          </p>
          <pre class="example nohighlight" title="Temporary Unsecured Document for Binding Previous Proofs" data-include="TestVectors/proof-set-chain/proofChainTempDoc1.json"
          data-include-format="text"></pre>
          <p>
In step 6, we use the previous document (unsecured document with previous proofs
added to it) to compute the `proofValue` attribute. This gives the signed
configuration options (proof) shown below:
          </p>
          <pre class="example nohighlight" title="Signed Configuration Options (proof)" data-include="TestVectors/proof-set-chain/proofChainConfigSigned1.json"
          data-include-format="text"></pre>
          <p>
The signed proof `options` above gets appended to the `allProofs`
variable, which then gets set as the `proof` attribute of the unsigned document
to produce the final signed document as shown below.
          </p>
          <pre class="example nohighlight" title="Signed Proof Chain" data-include="TestVectors/proof-set-chain/signedProofChain1.json"
          data-include-format="text"></pre>
        </section>
        <section>
          <h4>Extended Proof Chain</h4>
          <p>
This collection of test vectors demonstrates construction of an extended proof
chain. We start with the output of the previous section and add an additional
proof that is dependent on one of the existing proofs. This example uses
`keyPair4`, and the starting document is given below.
          </p>
          <pre class="example nohighlight" title="Starting Document for Extended Proof Chain" data-include="TestVectors/proof-set-chain/signedProofChain1.json"
          data-include-format="text"></pre>
          <p>
The `options` input to <a data-cite="vc-data-integrity#add-proof-set/chain">
Section 4.4: Add Proof Set/Chain</a> in [[VC-DATA-INTEGRITY]]
is shown below. Note that it includes a `previousProof` attribute since we are
constructing a proof chain, however this time it is a single value.
          </p>
          <pre class="example nohighlight" title="Options for Extended Proof Chain" data-include="TestVectors/proof-set-chain/proofChainConfig2.json"
          data-include-format="text"></pre>
          <p>
Per the algorithm of <a data-cite="vc-data-integrity#add-proof-set/chain">
Section 4.4: Add Proof Set/Chain</a> in [[VC-DATA-INTEGRITY]],
we create an array variable, `allProofs`, and add the proofs from the
starting document to it. Since the `options` contains the `previousProof`
attribute, we compute the `matchingProofs` variable per step 4
of <a data-cite="vc-data-integrity#add-proof-set/chain">Section 4.4: Add Proof
Set/Chain</a>, and we set the
`unsecuredDocument.proof` equal to the `matchingProofs`. This
produces the document shown below.
          </p>
          <pre class="example nohighlight" title="Temporary Unsecured Document for Binding Previous Proofs (Extended Chain)" data-include="TestVectors/proof-set-chain/proofChainTempDoc2.json"
            data-include-format="text"></pre>
          <p>
In step 6, we use the previous document (unsecured document with previous proofs
added to it) to compute the `proofValue` attribute. This gives the signed
configuration options (proof) shown below:
          </p>
          <pre class="example nohighlight" title="Signed Configuration Options (Extended)" data-include="TestVectors/proof-set-chain/proofChainConfigSigned2.json"
          data-include-format="text"></pre>
          <p>
The signed proof `options` above gets appended to the `allProofs`
variable, which then gets set as the `proof` attribute of the unsigned document
to produce the final signed document as shown below.
          </p>
          <pre class="example nohighlight" title="Signed Proof Chain (Extended)" data-include="TestVectors/proof-set-chain/signedProofChain2.json"
          data-include-format="text"></pre>
        </section>
      </section>
    </section>

    <section class="informative">
      <h2>Revision History</h2>

      <p>
This section contains the substantive changes that have been made to this
specification over time.
      </p>

      <p>
Changes since the
<a href="https://www.w3.org/TR/2023/CR-vc-di-eddsa-20231121/">
First Candidate Recommendation</a>:
      </p>

      <ul>
        <li>
Various editorial changes in algorithms and descriptions to improve readability.
        </li>
        <li>
Moved Multikey definitions to Controller Document.
        </li>
        <li>
Update examples to align with updates in Data Integrity.
        </li>
        <li>
Unify error handling between all Data Integrity cryptosuites.
        </li>
        <li>
Ensure that the `created` proof option is not required and additional proof
options are included in the generated proof.
        </li>
        <li>
Move language related to context injection to Data Integrity.
        </li>
        <li>
Align proof serialization format and algorithm arguments with interfaces
defined in Data Integrity.
        </li>
      </ul>

      <p>
Changes since the
<a href="https://www.w3.org/TR/2023/WD-vc-di-eddsa-20230418/">
First Public Working Draft</a>:
      </p>

      <ul>
        <li>
Added support for JSON Canonicalization Scheme in addition to RDF Dataset
Canonicalization.
        </li>
        <li>
Added test vectors for rdfc and jcs cryptosuites.
        </li>
        <li>
Deprecated and moved Ed25519Signature2020 to appendix.
        </li>
        <li>
Add Security Considerations for proper implementation of EdDSA.
        </li>
        <li>
Move normative definition of Multikey to the Data Integrity specification.
        </li>
        <li>
Add RDF-CANON mitigation for Dataset poisoning.
        </li>
        <li>
Revise cryptographic suite names and align with other cryptosuites.
        </li>
        <li>
Add secretKeyMultibase definition.
        </li>
      </ul>
    </section>


    <section class="informative">
      <h2>Acknowledgements</h2>

      <p>
Work on this specification has been supported by the Rebooting the Web of Trust
community facilitated by Christopher Allen, Shannon Appelcline, Kiara Robles,
Brian Weller, Betty Dhamers, Kaliya Young, Manu Sporny, Drummond Reed, Joe
Andrieu, Heather Vescent, Kim Hamilton Duffy, Samantha Chase, Andrew Hughes,
Erica Connell, Shigeya Suzuki, and Zaïda Rivai. The participants in the Internet
Identity Workshop, facilitated by Phil Windley, Kaliya Young, Doc Searls, and
Heidi Nobantu Saul, also supported the refinement of this work through numerous
working sessions designed to educate about, debate on, and improve this
specification.
      </p>

      <p>
The Working Group also thanks our Chair, Brent Zundel, our ex-Chair Kristina
Yasuda, as well as our W3C Staff Contact, Ivan Herman, for their expert
management and steady guidance of the group through the W3C standardization
process.
      </p>

      <p>
Portions of the work on this specification have been funded by the United States
Department of Homeland Security's Science and Technology Directorate under
contracts 70RSAT20T00000029, 70RSAT21T00000016, 70RSAT23T00000005,
70RSAT20T00000010/P00001, 70RSAT20T00000029, 70RSAT21T00000016/P00001,
70RSAT23T00000005, 70RSAT23C00000030, 70RSAT23R00000006, and the National
Science Foundation through NSF 22-572. The content of this specification does
not necessarily reflect the position or the policy of the U.S. Government and no
official endorsement should be inferred.
      </p>

      <p>
The Working Group would like to thank the following individuals for reviewing
and providing feedback on the specification (in alphabetical order):
      </p>

      <p>
Will Abramson,
Mahmoud Alkhraishi,
Christopher Allen,
Joe Andrieu,
Bohdan Andriyiv,
Anthony,
George Aristy,
Hadley Beeman,
Greg Bernstein,
Bob420,
Sarven Capadisli,
Melvin Carvalho,
David Chadwick,
Matt Collier,
Gabe Cohen,
Sebastian Crane,
Kyle Den Hartog,
Veikko Eeva,
Eric Elliott,
Raphael Flechtner,
Julien Fraichot,
Benjamin Goering,
Kim Hamilton Duffy,
Joseph Heenan,
Helge,
Ivan Herman,
Michael Herman,
Anil John,
Andrew Jones,
Michael B. Jones,
Rieks Joosten,
Gregory K,
Gregg Kellogg,
Filip Kolarik,
David I. Lehn,
Charles E. Lehner,
Christine Lemmer-Webber,
Eric Lim,
Dave Longley,
Tobias Looker,
Jer Miller,
nightpool,
Luis Osta,
Nate Otto,
George J. Padayatti,
Addison Phillips,
Mike Prorock,
Brian Richter,
Anders Rundgren,
Eugeniu Rusu,
Markus Sabadello,
silverpill,
Wesley Smith,
Manu Sporny,
Patrick St-Louis,
Orie Steele,
Henry Story,
Oliver Terbu,
Ted Thibodeau Jr,
John Toohey,
Bert Van Nuffelen,
Mike Varley,
Snorre Lothar von Gohren Edwin,
Jeffrey Yasskin,
Kristina Yasuda,
Benjamin Young,
Dmitri Zagidulin,
and
Brent Zundel.
      </p>

    </section>

  </body>
</html>