CRSet: Non-Interactive Verifiable Credential Revocation with Metadata Privacy for Issuers and Everyone Else

Like any digital certificate, Verifiable Credentials (VCs) require a way to revoke them in case of an error or key compromise. Existing solutions for VC revocation, most prominently Bitstring Status List, are not viable for many use cases since they leak the issuer's behavior, which in turn leaks internal business metrics. For instance, exact staff fluctuation through issuance and revocation of employee IDs. We introduce CRSet, a revocation mechanism that allows an issuer to encode revocation information for years worth of VCs as a Bloom filter cascade. Padding is used to provide deniability for issuer metrics. Issuers periodically publish this filter cascade on a decentralized storage system. Relying Parties (RPs) can download it to perform any number of revocation checks locally. Compared to existing solutions, CRSet protects the metadata of subject, RPs, and issuer equally. At the same time, it is non-interactive, making it work with wallet devices having limited hardware power and drop-in compatible with existing VC exchange protocols and wallet applications. We present a prototype using the Ethereum blockchain as decentralized storage. The recently introduced blob-carrying transactions, enabling cheaper data writes, allow us to write each CRSet directly to the chain. We built software for issuers and RPs that we successfully tested end-to-end with an existing publicly available wallet agents and the OpenID for Verifiable Credentials protocols. Storage and bandwidth costs paid by issuers and RP are higher than for Bitstring Status List, but still manageable at around 1 MB for an issuer issuing hundreds of thousands of VCs annually and covering decades.