Multikey

The Multikey format, defined in [[[controller-document]]], is used to express public keys for the cryptographic suites defined in this specification.

The `publicKeyMultibase` property represents a Multibase-encoded Multikey expression of a P-256 or P-384 public key.

The `publicKeyMultibase` value of the verification method MUST start with the base-58-btc prefix (`z`), as defined in the Multibase section of [[[controller-document]]]. A Multibase-encoded ECDSA 256-bit public key value or an ECDSA 384-bit public key value follows, as defined in the Multikey section of [[[controller-document]]]. Any other encoding MUST NOT be allowed.

Developers are advised to not accidentally publish a representation of a private key. Implementations of this specification will raise errors in the event of a Multicodec value other than `0x1200` or `0x1201` being used in a `publicKeyMultibase` value.

{
  "id": "https://example.com/issuer/123#key-0",
  "type": "Multikey",
  "controller": "https://example.com/issuer/123",
  "publicKeyMultibase": "zDnaerx9CtbPJ1q36T5Ln5wYt3MQYeGRG5ehnPAmxcf5mDZpv"
}
          

{
  "id": "https://example.com/issuer/123#key-0",
  "type": "Multikey",
  "controller": "https://example.com/issuer/123",
  "publicKeyMultibase": "z82LkvCwHNreneWpsgPEbV3gu1C6NFJEBg4srfJ5gdxEsMGRJ
    Uz2sG9FE42shbn2xkZJh54"
}
          

{
  "@context": [
    "https://www.w3.org/ns/did/v1",
    "https://w3id.org/security/multikey/v1"
  ],
  "id": "did:example:123",
  "verificationMethod": [{
    "id": "https://example.com/issuer/123#key-1",
    "type": "Multikey",
    "controller": "https://example.com/issuer/123",
    "publicKeyMultibase": "zDnaerx9CtbPJ1q36T5Ln5wYt3MQYeGRG5ehnPAmxcf5mDZpv"
  }, {
    "id": "https://example.com/issuer/123#key-2",
    "type": "Multikey",
    "controller": "https://example.com/issuer/123",
    "publicKeyMultibase": "z82LkvCwHNreneWpsgPEbV3gu1C6NFJEBg4srfJ5gdxEsMGRJ
      Uz2sG9FE42shbn2xkZJh54"
  }],
  "authentication": [
    "did:example:123#key-1"
  ],
  "assertionMethod": [
    "did:example:123#key-2"
  ],
  "capabilityDelegation": [
    "did:example:123#key-2"
  ],
  "capabilityInvocation": [
    "did:example:123#key-2"
  ]
}
          

The `secretKeyMultibase` property represents a Multibase-encoded Multikey expression of a P-256 or P-384 secret key (also sometimes referred to as a private key).

The `secretKeyMultibase` value of the verification method MUST start with the base-58-btc prefix (`z`), as defined in the Multibase section of [[[controller-document]]]. A Multibase-encoded ECDSA 256-bit secret key value or an ECDSA 384-bit secret key value follows, as defined in the Multikey section of [[[controller-document]]]. Any other encoding MUST NOT be allowed.

Developers are advised to prevent accidental publication of a representation of a secret key, and to not export the `secretKeyMultibase` property by default, when serializing key pairs as Multikey.

DataIntegrityProof

A proof contains the attributes specified in the Proofs section of [[VC-DATA-INTEGRITY]] with the following restrictions.

The `type` property MUST be `DataIntegrityProof`.

The `cryptosuite` property MUST be `ecdsa-rdfc-2019`, `ecdsa-jcs-2019`, or `ecdsa-sd-2023`.

The value of the `proofValue` property is produced according to the `cryptosuite` type and is specified in either Section [[[#create-proof-ecdsa-rdfc-2019]]], or Section [[[#create-proof-ecdsa-jcs-2019]]], or Section [[[#create-base-proof-ecdsa-sd-2023]]], or Section [[[#add-derived-proof-ecdsa-sd-2023]]].

{
  "@context": [
    {"myWebsite": "https://vocabulary.example/myWebsite"},
    "https://www.w3.org/ns/credentials/v2"
  ],
  "myWebsite": "https://hello.world.example/",
  "proof": {
    "type": "DataIntegrityProof",
    "cryptosuite": "ecdsa-rdfc-2019",
    "created": "2023-02-24T23:36:38Z",
    "verificationMethod": "https://vc.example/issuers/5678#zDnaepBuvsQ8cpsWrVKw8
      fbpGpvPeNSjVPTWoq6cRqaYzBKVP",
    "proofPurpose": "assertionMethod",
    "proofValue": "z2iAR3F2Sk3mWfYyrinKzSQpSbvfxnz9kkv7roxxumB5RZDP9JUw5QAXuchUd
      huiwE18hyyZTjiEreKmhH3oj9Q8"
  }
}
          

Create Proof (ecdsa-rdfc-2019)

The following algorithm specifies how to create a [=data integrity proof=] given an unsecured data document. Required inputs are an unsecured data document ([=map=] |unsecuredDocument|), and a set of proof options ([=map=] |options|). A [=data integrity proof=] ([=map=]), or an error, is produced as output.

1. Let |proof| be a clone of the proof options, |options|.
2. Let |proofConfig| be the result of running the algorithm in Section [[[#proof-configuration-ecdsa-rdfc-2019]]] with |options| passed as a parameter.
3. Let |transformedData| be the result of running the algorithm in Section with |unsecuredDocument|, |proofConfig|, and |options| passed as parameters.
4. Let |hashData| be the result of running the algorithm in Section [[[#hashing-ecdsa-rdfc-2019]]] with |transformedData| and |proofConfig| passed as a parameters.
5. Let |proofBytes| be the result of running the algorithm in Section [[[#proof-serialization-ecdsa-rdfc-2019]]] with |hashData| and |options| passed as parameters.
6. Let |proof|.|proofValue| be a base58-btc-encoded Multibase value of the |proofBytes|.
7. Return |proof| as the [=data integrity proof=].

Verify Proof (ecdsa-rdfc-2019)

The following algorithm specifies how to verify a [=data integrity proof=] given an secured data document. Required inputs are an secured data document ([=map=] |securedDocument|). This algorithm returns a verification result, which is a [=struct=] whose [=struct/items=] are:

verified

`true` or `false`

verifiedDocument

Null, if [=verification result/verified=] is `false`; otherwise, an [=unsecured data document=]

1. Let |unsecuredDocument| be a copy of |securedDocument| with the `proof` value removed.
2. Let |proofConfig| be a copy of |securedDocument|.|proof| with `proofValue` removed.
3. Let |proofBytes| be the Multibase decoded base58-btc value in |securedDocument|.|proof|.|proofValue|.
4. Let |transformedData| be the result of running the algorithm in Section with |unsecuredDocument| and |proofConfig| passed as parameters.
5. Let |hashData| be the result of running the algorithm in Section [[[#hashing-ecdsa-rdfc-2019]]] with |transformedData| and |proofConfig| passed as a parameters.
6. Let |verified:boolean| be the result of running the algorithm in Section [[[#proof-verification-ecdsa-rdfc-2019]]] algorithm on |hashData|, |proofBytes|, and |proofConfig|.
7. Return a [=verification result=] with [=struct/items=]:

   [=verified=]

   |verified|

   [=verifiedDocument=]

   |unsecuredDocument| if |verified| is `true`, otherwise Null

Transformation (ecdsa-rdfc-2019)

The following algorithm specifies how to transform an unsecured input document into a transformed document that is ready to be provided as input to the hashing algorithm in Section [[[#hashing-ecdsa-rdfc-2019]]].

Required inputs to this algorithm are an unsecured data document (|unsecuredDocument|) and transformation options (|options|). The transformation options MUST contain a type identifier for the cryptographic suite (|type|) and a cryptosuite identifier (|cryptosuite|). A transformed data document is produced as output. Whenever this algorithm encodes strings, it MUST use UTF-8 encoding.

1. If |options|.|type| is not set to the string `DataIntegrityProof` and |options|.|cryptosuite| is not set to the string `ecdsa-rdfc-2019`, an error MUST be raised and SHOULD convey an error type of PROOF_TRANSFORMATION_ERROR.
2. Let |canonicalDocument| be the result of converting |unsecuredDocument| to JSON-LD expanded form and then to RDF statements, applying the RDF Dataset Canonicalization Algorithm [[RDF-CANON]] to the result, and then serializing the result to a serialized canonical form [[RDF-CANON]]. For canonicalization, one is expected to use a hash algorithm that has an appropriate security level for the curve used; see further details.
3. Return |canonicalDocument| as the transformed data document.

Hashing (ecdsa-rdfc-2019)

The following algorithm specifies how to cryptographically hash a transformed data document and proof configuration into cryptographic hash data that is ready to be provided as input to the algorithms in Section [[[#proof-serialization-ecdsa-rdfc-2019]]] or Section [[[#proof-verification-ecdsa-rdfc-2019]]]. One must use the hash algorithm appropriate in security level to the curve used, i.e., for curve P-256 one uses SHA-256 and for curve P-384 one uses SHA-384.

The required inputs to this algorithm are a transformed data document (|transformedDocument|) and canonical proof configuration (|canonicalProofConfig|). A single hash data value represented as series of bytes is produced as output.

1. Let |transformedDocumentHash| be the result of applying the SHA-256 (SHA-2 with 256-bit output) or SHA-384 (SHA-2 with 384-bit output) cryptographic hashing algorithm [[RFC6234]] to the respective curve P-256 or curve P-384 |transformedDocument|. Respective |transformedDocumentHash| will be exactly 32 or 48 bytes in size.
2. Let |proofConfigHash| be the result of applying the SHA-256 (SHA-2 with 256-bit output) or SHA-384 (SHA-2 with 384-bit output) cryptographic hashing algorithm [[RFC6234]] to the respective curve P-256 or curve P-384 |canonicalProofConfig|. Respective |proofConfigHash| will be exactly 32 or 48 bytes in size.
3. Let |hashData| be the result of joining |proofConfigHash| (the first hash) with |transformedDocumentHash| (the second hash).
4. Return |hashData| as the hash data.

Proof Configuration (ecdsa-rdfc-2019)

The following algorithm specifies how to generate a proof configuration from a set of proof options that is used as input to the proof hashing algorithm.

The required inputs to this algorithm are proof options (|options|). The proof options MUST contain a type identifier for the cryptographic suite (|type|) and MUST contain a cryptosuite identifier (|cryptosuite|). A proof configuration object is produced as output.

1. Let |proofConfig| be a clone of the |options| object.
2. If |proofConfig|.|type| is not set to `DataIntegrityProof` and/or |proofConfig|.|cryptosuite| is not set to `ecdsa-rdfc-2019`, an error MUST be raised and SHOULD convey an error type of PROOF_GENERATION_ERROR.
3. If |proofConfig|.|created| is set and if the value is not a valid [[XMLSCHEMA11-2]] datetime, an error MUST be raised and SHOULD convey an error type of PROOF_GENERATION_ERROR.
4. Set |proofConfig|.@context to |unsecuredDocument|.@context.
5. Let |canonicalProofConfig| be the result of applying the [[[RDF-CANON]]] [[RDF-CANON]] to the |proofConfig|.
6. Return |canonicalProofConfig|.

Proof Serialization (ecdsa-rdfc-2019)

The following algorithm specifies how to serialize a digital signature from a set of cryptographic hash data. This algorithm is designed to be used in conjunction with the algorithms defined in the Data Integrity [[VC-DATA-INTEGRITY]] specification, Section 4: Algorithms. Required inputs are cryptographic hash data (|hashData|) and proof options (|options|). The proof options MUST contain a type identifier for the cryptographic suite (|type|) and MAY contain a cryptosuite identifier (|cryptosuite|). A single digital proof value represented as series of bytes is produced as output.

1. Let |privateKeyBytes| be the result of retrieving the private key bytes (or a signing interface enabling the use of the private key bytes) associated with the verification method identified by the |options|.|verificationMethod| value.
2. Let |proofBytes| be the result of applying the Elliptic Curve Digital Signature Algorithm (ECDSA) [[FIPS-186-5]], with |hashData| as the data to be signed using the private key specified by |privateKeyBytes|. |proofBytes| will be exactly 64 bytes in size for a P-256 key, and 96 bytes in size for a P-384 key.
3. Return |proofBytes| as the digital proof.

Proof Verification (ecdsa-rdfc-2019)

The following algorithm specifies how to verify a digital signature from a set of cryptographic hash data. This algorithm is designed to be used in conjunction with the algorithms defined in the Data Integrity [[VC-DATA-INTEGRITY]] specification, Section 4: Algorithms. Required inputs are cryptographic hash data (|hashData|), a digital signature (|proofBytes|) and proof options (|options|). A verification result represented as a boolean value is produced as output.

1. Let |publicKeyBytes| be the result of retrieving the public key bytes associated with the |options|.|verificationMethod| value as described in the [[[controller-document]]] specification, Section: Retrieve Verification Method.
2. Let |verificationResult| be the result of applying the verification algorithm Elliptic Curve Digital Signature Algorithm (ECDSA) [[FIPS-186-5]], with |hashData| as the data to be verified against the |proofBytes| using the public key specified by |publicKeyBytes|.
3. Return |verificationResult| as the verification result.

Create Proof (ecdsa-jcs-2019)

The following algorithm specifies how to create a [=data integrity proof=] given an unsecured data document. Required inputs are an unsecured data document ([=map=] |unsecuredDocument|), and a set of proof options ([=map=] |options|). A [=data integrity proof=] ([=map=]), or an error, is produced as output.

1. Let |proof| be a clone of the proof options, |options|.
2. If unsecuredDocument.@context is present, set proof.@context to unsecuredDocument.@context.
3. Let |proofConfig| be the result of running the algorithm in Section [[[#proof-configuration-ecdsa-jcs-2019]]] with |proof| passed as the proof options parameter.
4. Let |transformedData| be the result of running the algorithm in Section with |unsecuredDocument| and |options| passed as parameters.
5. Let |hashData| be the result of running the algorithm in Section [[[#hashing-ecdsa-jcs-2019]]] with |transformedData| and |proofConfig| passed as a parameters.
6. Let |proofBytes| be the result of running the algorithm in Section [[[#proof-serialization-ecdsa-jcs-2019]]] with |hashData| and |options| passed as parameters.
7. Let |proof|.|proofValue| be a base58-btc-encoded Multibase value of the |proofBytes|.
8. Return |proof| as the [=data integrity proof=].

Verify Proof (ecdsa-jcs-2019)

The following algorithm specifies how to verify a [=data integrity proof=] given an secured data document. Required inputs are an secured data document ([=map=] |securedDocument|). This algorithm returns a [=verification result=], which is a [=struct=] whose [=struct/items=] are:

[=verification result/verified=]

`true` or `false`

[=verification result/verifiedDocument=]

if [=verification result/verified=] is `true`, an [=unsecured data document=]; otherwise Null

1. Let |unsecuredDocument| be a copy of |securedDocument| with the `proof` value removed.
2. Let |proofOptions| be the result of a copy of |securedDocument|.|proof| with `proofValue` removed.
3. Let |proofBytes| be the Multibase decoded base58-btc value in |securedDocument|.|proof|.|proofValue|.
4. If |proofOptions|.@context exists:
   1. Check that the |securedDocument|.@context starts with all values contained in the |proofOptions|.@context in the same order. Otherwise, set |verified| to `false` and skip to the last step.
   2. Set |unsecuredDocument|.@context equal to |proofOptions|.@context.
5. Let |transformedData| be the result of running the algorithm in Section [[[#transformation-ecdsa-jcs-2019]]] with |unsecuredDocument| and |proofOptions| passed as parameters.
6. Let |proofConfig| be the result of running the algorithm in Section [[[#proof-configuration-ecdsa-jcs-2019]]] with |proofOptions| passed as the parameter.
7. Let |hashData| be the result of running the algorithm in Section [[[#hashing-ecdsa-jcs-2019]]] with |transformedData| and |proofConfig| passed as a parameters.
8. Let |verified:boolean| be the result of running the algorithm in Section [[[#proof-verification-ecdsa-jcs-2019]]] on |hashData|, |proofBytes|, and |proofConfig|.
9. Return a [=verification result=] with [=struct/items=]:

   [=verified=]

   |verified|

   [=verifiedDocument=]

   if |verified| is `true`, |unsecuredDocument|; otherwise, Null

Transformation (ecdsa-jcs-2019)

The following algorithm specifies how to transform an unsecured input document into a transformed document that is ready to be provided as input to the hashing algorithm in Section [[[#hashing-ecdsa-jcs-2019]]].

Required inputs to this algorithm are an unsecured data document (|unsecuredDocument|) and transformation options (|options|). The transformation options MUST contain a type identifier for the cryptographic suite (|type|) and a cryptosuite identifier (|cryptosuite|). A transformed data document is produced as output. Whenever this algorithm encodes strings, it MUST use UTF-8 encoding.

1. If |options|.|type| is not set to the string `DataIntegrityProof` or |options|.|cryptosuite| is not set to the string `ecdsa-jcs-2019`, an error MUST be raised and SHOULD convey an error type of PROOF_TRANSFORMATION_ERROR.
2. Let |canonicalDocument| be the result of applying the JSON Canonicalization Scheme [[RFC8785]] to a JSON serialization of the |unsecuredDocument|.
3. Return |canonicalDocument| as the transformed data document.

Hashing (ecdsa-jcs-2019)

The following algorithm specifies how to cryptographically hash a transformed data document and proof configuration into cryptographic hash data that is ready to be provided as input to the algorithms in Section [[[#proof-serialization-ecdsa-jcs-2019]]] or Section [[[#proof-verification-ecdsa-jcs-2019]]]. One must use the hash algorithm appropriate in security level to the curve used, i.e., for curve P-256 one uses SHA-256, and for curve P-384 one uses SHA-384.

The required inputs to this algorithm are a transformed data document (|transformedDocument|) and a canonical proof configuration (|canonicalProofConfig|). A single hash data value represented as series of bytes is produced as output.

1. Let |transformedDocumentHash| be the result of applying the SHA-256 (SHA-2 with 256-bit output) or SHA-384 (SHA-2 with 384-bit output) cryptographic hashing algorithm [[RFC6234]] to the respective curve P-256 or curve P-384 |transformedDocument|. Respective |transformedDocumentHash| will be exactly 32 or 48 bytes in size.
2. Let |proofConfigHash| be the result of applying the SHA-256 (SHA-2 with 256-bit output) or SHA-384 (SHA-2 with 384-bit output) cryptographic hashing algorithm [[RFC6234]] to the respective curve P-256 or curve P-384 |canonicalProofConfig|. Respective |proofConfigHash| will be exactly 32 or 48 bytes in size.
3. Let |hashData| be the result of concatenating |proofConfigHash| (the first hash) followed by |transformedDocumentHash| (the second hash).
4. Return |hashData| as the hash data.

Proof Configuration (ecdsa-jcs-2019)

The following algorithm specifies how to generate a proof configuration from a set of proof options that is used as input to the proof hashing algorithm.

The required inputs to this algorithm are the proof options (|options|). The proof options MUST contain a type identifier for the cryptographic suite (|type|) and MUST contain a cryptosuite identifier (|cryptosuite|). A proof configuration object is produced as output.

1. Let |proofConfig| be a clone of the |options| object.
2. If |proofConfig|.|type| is not set to `DataIntegrityProof` and/or |proofConfig|.|cryptosuite| is not set to `ecdsa-jcs-2019`, an error MUST be raised and SHOULD convey an error type of PROOF_GENERATION_ERROR.
3. If |proofConfig|.|created| is set and if the value is not a valid [[XMLSCHEMA11-2]] datetime, an error MUST be raised and SHOULD convey an error type of PROOF_GENERATION_ERROR.
4. Let |canonicalProofConfig| be the result of applying the JSON Canonicalization Scheme [[RFC8785]] to the |proofConfig|.
5. Return |canonicalProofConfig|.

Proof Serialization (ecdsa-jcs-2019)

The following algorithm specifies how to serialize a digital signature from a set of cryptographic hash data. This algorithm is designed to be used in conjunction with the algorithms defined in the Data Integrity [[VC-DATA-INTEGRITY]] specification, Section 4: Algorithms. Required inputs are cryptographic hash data (|hashData|) and proof options (|options|). The proof options MUST contain a type identifier for the cryptographic suite (|type|) and MAY contain a cryptosuite identifier (|cryptosuite|). A single digital proof value represented as series of bytes is produced as output.

1. Let |privateKeyBytes| be the result of retrieving the private key bytes associated with the |options|.|verificationMethod| value.
2. Let |proofBytes| be the result of applying the Elliptic Curve Digital Signature Algorithm (ECDSA) [[FIPS-186-5]], with |hashData| as the data to be signed using the private key specified by |privateKeyBytes|. |proofBytes| will be exactly 64 bytes in size for a P-256 key, and 96 bytes in size for a P-384 key.
3. Return |proofBytes| as the digital proof.

Proof Verification (ecdsa-jcs-2019)

The following algorithm specifies how to verify a digital signature from a set of cryptographic hash data. This algorithm is designed to be used in conjunction with the algorithms defined in the Data Integrity [[VC-DATA-INTEGRITY]] specification, Section 4: Algorithms. Required inputs are cryptographic hash data (|hashData|), a digital signature (|proofBytes|), and proof options (|options|). A verification result represented as a boolean value is produced as output.

1. Let |publicKeyBytes| be the result of retrieving the public key bytes associated with the |options|.|verificationMethod| value as described in the [[[controller-document]]] specification, Section: Retrieve Verification Method.
2. Let |verificationResult| be the result of applying the verification algorithm, Elliptic Curve Digital Signature Algorithm (ECDSA) [[FIPS-186-5]], with |hashData| as the data to be verified against the |proofBytes| using the public key specified by |publicKeyBytes|.
3. Return |verificationResult| as the verification result.

labelReplacementCanonicalizeNQuads

The following algorithm canonicalizes an array of N-Quad [[N-QUADS]] strings and replaces any blank node identifiers in the canonicalized result using a label map factory function, |labelMapFactoryFunction|. The required inputs are an array of N-Quad strings (|nquads|), and a label map factory function (|labelMapFactoryFunction|). Any custom options can also be passed. An N-Quads representation of the canonicalNQuads as an array of N-Quad strings, with the replaced blank node labels, and a map from the old blank node IDs to the new blank node IDs, labelMap, is produced as output.

1. Run the RDF Dataset Canonicalization Algorithm [[RDF-CANON]] on the joined |nquads|, passing any custom options, and as output, get the canonicalized dataset, which includes a canonical bnode identifier map, |canonicalIdMap|.
2. Pass |canonicalIdMap| to |labelMapFactoryFunction| to produce a new bnode identifier map, labelMap.
3. Use the canonicalized dataset and labelMap to produce the canonical N-Quads representation as an array of N-Quad strings, canonicalNQuads.
4. Return an object containing labelMap and canonicalNQuads.

labelReplacementCanonicalizeJsonLd

The following algorithm canonicalizes a JSON-LD document and replaces any blank node identifiers in the canonicalized result using a label map factory function, |labelMapFactoryFunction|. The required inputs are a JSON-LD document (|document|) and a label map factory function (|labelMapFactoryFunction|). Additional custom options (such as a document loader) can also be passed. An N-Quads representation of the canonicalNQuads as an array of N-Quad strings, with the replaced blank node labels, and a map from the old blank node IDs to the new blank node IDs, labelMap, is produced as output.

1. Deserialize the JSON-LD document to RDF, |rdf|, using the Deserialize JSON-LD to RDF algorithm, passing any custom options (such as a document loader).
2. Serialize |rdf| to an array of N-Quad strings, |nquads|.
3. Return the result of calling the algorithm in Section [[[#labelreplacementcanonicalizenquads]]], passing |nquads|, |labelMapFactoryFunction|, and any custom options.

createLabelMapFunction

The following algorithm creates a label map factory function that uses an input label map to replace canonical blank node identifiers with another value. The required input is a label map, |labelMap|. A function, labelMapFactoryFunction, is produced as output.

1. Create a function, |labelMapFactoryFunction|, with one required input (a canonical node identifier map, |canonicalIdMap|), that will return a blank node identifier map, bnodeIdMap, as output. Set the function's implementation to:
   1. Generate a new empty bnode identifier map, bnodeIdMap.
   2. For each map entry, entry, in |canonicalIdMap|:
      1. Use the canonical identifier from the value in entry as a key in |labelMap| to get the new label, newLabel.
      2. Add a new entry, |newEntry|, to bnodeIdMap using the key from entry and newLabel as the value.
   3. Return bnodeIdMap.
2. Return |labelMapFactoryFunction|.

createHmacIdLabelMapFunction

The following algorithm creates a label map factory function that uses an HMAC to replace canonical blank node identifiers with their encoded HMAC digests. The required input is an HMAC (previously initialized with a secret key), |HMAC|. A function, labelMapFactoryFunction, is produced as output.

1. Create a function, |labelMapFactoryFunction|, with one required input (a canonical node identifier map, |canonicalIdMap|), that will return a blank node identifier map, bnodeIdMap, as output. Set the function's implementation to:
   1. Generate a new empty bnode identifier map, bnodeIdMap.
   2. For each map entry, entry, in |canonicalIdMap|:
      1. HMAC the canonical identifier from the value in entry to get an HMAC digest, digest.
      2. Generate a new string value, b64urlDigest, and initialize it to "u" followed by appending a base64url-no-pad encoded version of the digest value.
      3. Add a new entry, |newEntry|, to bnodeIdMap using the key from entry and b64urlDigest as the value.
   3. Return bnodeIdMap.
2. Return |labelMapFactoryFunction|.

A different primitive could be created that returned a label map factory function that would instead sort the resulting HMAC digests and assign labels in the produced label map using a prefix and integers based on their sorted order. This primitive might be useful for selective disclosure schemes, such as BBS, that favor unlinkability over minimizing unrevealed data leakage.

skolemizeNQuads

The following algorithm replaces all blank node identifiers in an array of N-Quad strings with custom scheme URNs. The required inputs are an array of N-Quad strings (|inputNQuads|) and a URN scheme (|urnScheme|). An array of N-Quad strings, skolemizedNQuads, is produced as output. This operation is intended to be reversible through the use of the algorithm in Section [[[#deskolemizenquads]]].

1. Create a new array of N-Quad strings, skolemizedNQuads.
2. For each N-Quad string, s1, in |inputNQuads|:
   1. Create a new string, s2, that is a copy of s1 replacing any occurrence of a blank node identifier with a URN ("urn:"), plus the input custom scheme (|urnScheme|), plus a colon (":"), and the value of the blank node identifier. For example, a regular expression of a similar form to the following would achieve the desired result: s1.replace(/(_:([^\s]+))/g, '<urn:custom-scheme:$2>').
   2. Append s2 to skolemizedNQuads.
3. Return skolemizedNQuads.

deskolemizeNQuads

The following algorithm replaces all custom scheme URNs in an array of N-Quad statements with a blank node identifier. The required inputs are an array of N-Quad strings (|inputNQuads|) and a URN scheme (|urnScheme|). An array of N-Quad strings, deskolemizedNquads, is produced as output. This operation is intended to reverse use of the algorithm in Section [[[#deskolemizenquads]]].

1. Create a new array of N-Quad strings, deskolemizedNQuads.
2. For each N-Quad string, s1, in |inputNQuads|:
   1. Create a new string, s2, that is a copy of s1 replacing any occurrence of a URN ("urn:"), plus the input custom scheme (|urnScheme|), plus a colon (":"), and the value of the blank node identifier with a blank node prefix ("_:"), plus the value of the blank node identifier. For example, a regular expression of a similar form to the following would achieve the desired result: s1.replace(/(<urn:custom-scheme:([^>]+)>)/g, '_:$2')..
   2. Append s2 to deskolemizedNQuads.
3. Return deskolemizedNQuads.

skolemizeExpandedJsonLd

The following algorithm replaces all blank node identifiers in an expanded JSON-LD document with custom-scheme URNs, including assigning such URNs to blank nodes that are unlabeled. The required inputs are an expanded JSON-LD document (|expanded|), a custom URN scheme (|urnScheme|), a UUID string or other comparably random string (|randomString|), and reference to a shared integer (|count|). Any additional custom options (such as a document loader) can also be passed. It produces the expanded form of the skolemized JSON-LD document (|skolemizedExpandedDocument| as output. The skolemization used in this operation is intended to be reversible through the use of the algorithm in Section [[[#todeskolemizednquads]]].

1. Initialize |skolemizedExpandedDocument| to an empty array.
2. For each |element| in |expanded|:
   1. If either |element| is not an object or it contains the key @value, append a copy of |element| to |skolemizedExpandedDocument| and continue to the next |element|.
   2. Otherwise, initialize |skolemizedNode| to an object, and for each property and value in |element|:
      1. If value is an array, set the value of property in |skolemizedNode| to the result of calling this algorithm recursively passing value for |expanded| and keeping the other parameters the same.
      2. Otherwise, set the value of property in |skolemizedNode| to the first element in the array result of calling this algorithm recursively passing an array with value as its only element for |expanded| and keeping the other parameters the same.
   3. If |skolemizedNode| has no @id property, set the value of the @id property in |skolemizedNode| to the concatenation of "urn:", |urnScheme|, "_", |randomString|, "_" and the value of |count|, incrementing the value of |count| afterwards.
   4. Otherwise, if the value of the @id property in |skolemizedNode| starts with "_:", preserve the existing blank node identifier when skolemizing by setting the value of the @id property in |skolemizedNode| to the concatenation of "urn:", |urnScheme|, and the blank node identifier (i.e., the existing value of the @id property minus the "_:" prefix; e.g., if the existing value of the @id property is `_:b0`, the blank node identifier is `b0`).
   5. Append |skolemizedNode| to |skolemizedExpandedDocument|.
3. Return |skolemizedExpandedDocument|.

skolemizeCompactJsonLd

The following algorithm replaces all blank node identifiers in a compact JSON-LD document with custom-scheme URNs. The required inputs are a compact JSON-LD document (|document|) and a custom URN scheme (|urnScheme|). The |document| is assumed to use only one @context property at the top level of the document. Any additional custom options (such as a document loader) can also be passed. It produces both an expanded form of the skolemized JSON-LD document (|skolemizedExpandedDocument| and a compact form of the skolemized JSON-LD document (|skolemizedCompactDocument|) as output. The skolemization used in this operation is intended to be reversible through the use of the algorithm in Section [[[#todeskolemizednquads]]].

1. Initialize |expanded| to the result of the JSON-LD Expansion Algorithm, passing |document| and any custom options.
2. Initialize |skolemizedExpandedDocument| to the result of the algorithm in Section [[[#skolemizeexpandedjsonld]]].
3. Initialize |skolemizedCompactDocument| to the result of the JSON-LD Compaction Algorithm, passing |skolemizedExpandedDocument| and any custom options.
4. Return an object with both |skolemizedExpandedDocument| and |skolemizedCompactDocument|.

toDeskolemizedNQuads

The following algorithm converts a skolemized JSON-LD document, such as one created using the algorithm in Section [[[#skolemizecompactjsonld]]], to an array of deskolemized N-Quads. The required input is a JSON-LD document, skolemizedDocument. Additional custom options (such as a document loader) can be passed. An array of deskolemized N-Quad strings (|deskolemizedNQuads|) is produced as output.

1. Initialize |skolemizedDataset| to the result of the Deserialize JSON-LD to RDF algorithm, passing any custom options (such as a document loader), to convert |skolemizedDocument| from JSON-LD to RDF in N-Quads format.
2. Split |skolemizedDataset| into an array of individual N-Quads, |skolemizedNQuads|.
3. Set |deskolemizedNQuads| to the result of the algorithm in Section [[[#deskolemizenquads]]] with |skolemizedNQuads| and "custom-scheme:" as parameters. Implementations MAY choose a different urnScheme that is different than "custom-scheme:" so long as the same scheme name was used to generate skolemizedDocument.
4. Return |deskolemizedNQuads|.

jsonPointerToPaths

The following algorithm converts a JSON Pointer [[RFC6901]] to an array of paths into a JSON tree. The required input is a JSON Pointer string (|pointer|). An array of paths (paths) is produced as output.

1. Initialize |paths| to an empty array.
2. Initialize |splitPath| to an array by splitting |pointer| on the "/" character and skipping the first, empty, split element. In Javascript notation, this step is equivalent to the following code: `pointer.split('/').slice(1)`
3. For each |path| in |splitPath|:
   1. If |path| does not include `~`, then add |path| to |paths|, converting it to an integer if it parses as one, leaving it as a string if it does not.
   2. Otherwise, unescape any JSON pointer escape sequences in |path| and add the result to |paths|.
4. Return |paths|.

createInitialSelection

The following algorithm creates an initial selection (a fragment of a JSON-LD document) based on a JSON-LD object. This is a helper function used within the algorithm in Section [[[#selectjsonld]]]. The required input is a JSON-LD object (|source|). A JSON-LD document fragment object (|selection|) is produced as output.

1. Initialize |selection| to an empty object.
2. If |source| has an `id` that is not a blank node identifier, set |selection|.|id| to its value. Note: All non-blank node identifiers in the path of any JSON Pointer MUST be included in the selection, this includes any root document identifier.
3. If |source|.|type| is set, set |selection|.|type| to its value. Note: The selection MUST include all `type`s in the path of any JSON Pointer, including any root document `type`.
4. Return |selection|.

selectPaths

The following algorithm selects a portion of a compact JSON-LD document using paths parsed from a parsed JSON Pointer. This is a helper function used within the algorithm in Section [[[#selectjsonld]]]. The required inputs are an array of paths (|paths|) parsed from a JSON Pointer, a compact JSON-LD document (|document|), a selection document (|selectionDocument|) to be populated, and an array of arrays (|arrays|) for tracking selected arrays. This algorithm produces no output; instead it populates the given |selectionDocument| with any values selected via |paths|.

1. Initialize |parentValue| to |document|.
2. Initialize |value| to |parentValue|.
3. Initialize |selectedParent| to |selectionDocument|.
4. Initialize |selectedValue| to |selectedParent|.
5. For each |path| in |paths|:
   1. Set |selectedParent| to |selectedValue|.
   2. Set |parentValue| to |value|.
   3. Set |value| to |parentValue|.|path|. If |value| is now undefined, an error MUST be raised and SHOULD convey an error type of PROOF_GENERATION_ERROR, indicating that the JSON pointer does not match the given |document|.
   4. Set |selectedValue| to |selectedParent|.|path|.
   5. If |selectedValue| is now undefined:
      1. If |value| is an array, set |selectedValue| to an empty array and append |selectedValue| to |arrays|.
      2. Otherwise, set |selectedValue| to an initial selection passing |value| as |source| to the algorithm in Section [[[#createinitialselection]]].
      3. Set |selectedParent|.|path| to |selectedValue|.
6. Note: With path traversal complete at the target value, the selected value will now be computed.
7. If |value| is a literal, set |selectedValue| to |value|.
8. If |value| is an array, Set |selectedValue| to a copy of |value|.
9. In all other cases, set |selectedValue| to an object that merges a shallow copy of |selectedValue| with a deep copy of |value|, e.g., `{...selectedValue, …deepCopy(value)}`.
10. Get the last |path|, |lastPath|, from |paths|.
11. Set |selectedParent|.|lastPath| to |selectedValue|.

selectJsonLd

The following algorithm selects a portion of a compact JSON-LD document using an array of JSON Pointers. The required inputs are an array of JSON Pointers (|pointers|) and a compact JSON-LD document (|document|). The |document| is assumed to use a JSON-LD context that aliases `@id` and `@type` to `id` and `type`, respectively, and to use only one `@context` property at the top level of the document. A new JSON-LD document that represents a selection (selectionDocument) of the original JSON-LD document is produced as output.

1. If |pointers| is empty, return `null`. This indicates nothing has been selected from the original document.
2. Initialize |arrays| to an empty array. This variable will be used to track selected sparse arrays to make them dense after all |pointers| have been processed.
3. Initialize |selectionDocument| to an initial selection passing |document| as |source| to the algorithm in Section [[[#createinitialselection]]].
4. Set the value of the `@context` property in |selectionDocument| to a copy of the value of the `@context` property in |document|.
5. For each |pointer| in |pointers|, walk the document from root to the pointer target value, building the |selectionDocument|:
   1. Parse the |pointer| into an array of paths, |paths|, using the algorithm in Section [[[#jsonpointertopaths]]].
   2. Use the algorithm in Section [[[#selectpaths]]], passing |document|, |paths|, |selectionDocument|, and |arrays|.
6. For each |array| in |arrays|:
   1. Make |array| dense by removing any undefined elements between elements that are defined.
7. Return |selectionDocument|.

relabelBlankNodes

The following algorithm relabels the blank node identifiers in an array of N-Quad strings using a blank node label map. The required inputs are an array of N-Quad strings (|nquads|) and a blank node label map (|labelMap|). An array of N-Quad strings with relabeled blank node identifiers (|relabeledNQuads|) is produced as output.

1. Create a new array of N-Quad strings, relabeledNQuads.
2. For each N-Quad string, s1, in |nquads|:
   1. Create a new string, s2, such it that is a copy of s1 except each blank node identifier therein has been replaced with the value associated with it as a key in |labelMap|.
   2. Append s2 to relabeledNQuads.
3. Return relabeledNQuads.

selectCanonicalNQuads

The following algorithm selects a portion of a skolemized compact JSON-LD document using an array of JSON Pointers, and outputs the resulting canonical N-Quads with any blank node labels replaced using the given label map. The required inputs are an array of JSON Pointers (|pointers|), a skolemized compact JSON-LD document (|skolemizedCompactDocument|), and a blank node label map (|labelMap|). Additional custom options (such as a document loader) can be passed. The |document| is assumed to use a JSON-LD context that aliases `@id` and `@type` to `id` and `type`, respectively, and to use only one `@context` property at the top level of the document. An object containing the new JSON-LD document that represents a selection of the original JSON-LD document (|selectionDocument|), an array of deskolemized N-Quad strings (|deskolemizedNQuads|), and an array of canonical N-Quads with replacement blank node labels (|nquads|) is produced as output.

1. Initialize |selectionDocument| to the result of the algorithm in Section [[[#selectjsonld]]], passing |pointers|, and |skolemizedCompactDocument| as document.
2. Initialize |deskolemizedNQuads| to the result of the algorithm in Section [[[#todeskolemizednquads]]], passing |selectionDocument| as |skolemizedCompactDocument|, and any custom options.
3. Initialize |nquads| to the result of the algorithm in Section [[[#relabelblanknodes]]], passing |labelMap|, and |deskolemizedNQuads| as |nquads|.
4. Return an object containing |selectionDocument|, |deskolemizedNQuads|, and |nquads|.

canonicalizeAndGroup

The following algorithm is used to output canonical N-Quad strings that match custom selections of a compact JSON-LD document. It does this by canonicalizing a compact JSON-LD document (replacing any blank node identifiers using a label map) and grouping the resulting canonical N-Quad strings according to the selection associated with each group. Each group will be defined using an assigned name and array of JSON pointers. The JSON pointers will be used to select portions of the skolemized document, such that the output can be converted to canonical N-Quads to perform group matching.

The required inputs are a compact JSON-LD document (|document|), a label map factory function (|labelMapFactoryFunction|), and a map of named group definitions (|groupDefinitions|). Additional custom options (such as a document loader) can be passed. The |document| is assumed to use a JSON-LD context that aliases `@id` and `@type` to `id` and `type`, respectively, and to use only one `@context` property at the top level of the document. An object containing the created groups (|groups|), the skolemized compact JSON-LD document (|skolemizedCompactDocument|), the skolemized expanded JSON-LD document (|skolemizedExpandedDocument|), the deskolemized N-Quad strings (|deskolemizedNQuads|), the blank node label map (|labelMap|), and the canonical N-Quad strings |nquads|, is produced as output.

1. Initialize |skolemizedExpandedDocument| and |skolemizedCompactDocument| to their associated values in the result of the algorithm in Section [[[#skolemizecompactjsonld]]], passing |document| and any custom options.
2. Initialize |deskolemizedNQuads| to the result of the algorithm in Section [[[#todeskolemizednquads]]], passing |skolemizedExpandedDocument| and any custom options.
3. Initialize |nquads| and |labelMap| to their associated values in the result of the algorithm in Section [[[#labelreplacementcanonicalizenquads]]], passing |labelMapFactoryFunction|, |deskolemizedNQuads| as |nquads|, and any custom options.
4. Initialize |selections| to a new map.
5. For each key (|name|) and value (|pointers|) entry in |groupDefinitions|:
   1. Add an entry with a key of |name| and a value that is the result of the algorithm in Section [[[#selectcanonicalnquads]]], passing |pointers|, |labelMap|, |skolemizedCompactDocument| as |document|, and any custom options.
6. Initialize |groups| to an empty object.
7. For each key (|name|) and value (|selectionResult|) entry in |selections|:
   1. Initialize |matching| to an empty map.
   2. Initialize |nonMatching| to an empty map.
   3. Initialize |selectedNQuads| to nquads from |selectionResult|.
   4. Initialize |selectedDeskolemizedNQuads| from deskolemizedNQuads from |selectionResult|.
   5. For each element (|nq|) and index (|index|) in |nquads|:
      1. Create a map entry, |entry|, with a key of |index| and a value of |nq|.
      2. If |selectedNQuads| includes |nq| then add |entry| to |matching|; otherwise, add |entry| to |nonMatching|.
   6. Set |name| in |groups| to an object containing |matching|, |nonMatching|, and |selectedDeskolemizedNQuads| as |deskolemizedNQuads|.
8. Return an object containing |groups|, |skolemizedExpandedDocument|, |skolemizedCompactDocument|, |deskolemizedNQuads|, |labelMap|, and |nquads|.

hashMandatoryNQuads

The following algorithm cryptographically hashes an array of mandatory to disclose N-Quads using a provided hashing API. The required input is an array of mandatory to disclose N-Quads (|mandatory|) and a hashing function (|hasher|). A cryptographic hash (mandatoryHash) is produced as output.

1. Initialize `bytes` to the UTF-8 representation of the joined `mandatory` N-Quads.
2. Initialize `mandatoryHash` to the result of using `hasher` to hash `bytes`.
3. Return `mandatoryHash`.

serializeSignData

The following algorithm serializes the data that is to be signed by the private key associated with the base proof verification method. The required inputs are the proof options hash (|proofHash|), the proof-scoped multikey-encoded public key (|publicKey|), and the mandatory hash (|mandatoryHash|). A single sign data value, represented as series of bytes, is produced as output.

1. Return the concatenation of |proofHash|, |publicKey|, and |mandatoryHash|, in that order, as sign data.

serializeBaseProofValue

The following algorithm serializes the base proof value, including the base signature, public key, HMAC key, signatures, and mandatory pointers. The required inputs are a base signature |baseSignature|, a public key |publicKey|, an HMAC key |hmacKey|, an array of |signatures|, and an array of |mandatoryPointers|. A single base proof string value is produced as output.

1. Initialize a byte array, |proofValue|, that starts with the ECDSA-SD base proof header bytes 0xd9, 0x5d, and 0x00.
2. Initialize |components| to an array with five elements containing the values of: |baseSignature|, |publicKey|, |hmacKey|, |signatures|, and |mandatoryPointers|.
3. CBOR-encode |components| per [[RFC8949]] where CBOR tagging MUST NOT be used on any of the |components|. Append the produced encoded value to |proofValue|.
4. Initialize |baseProof| to a string with the Multibase base64url-no-pad-encoding of |proofValue| as described in the Multibase section of [[[controller-document]]]. That is, return a string starting with "`u`" and ending with the base64url-no-pad-encoded value of |proofValue|.
5. Return |baseProof| as base proof.

parseBaseProofValue

The following algorithm parses the components of an `ecdsa-sd-2023` selective disclosure base proof value. The required inputs are a proof value (|proofValue|). A single object parsed base proof, containing five elements, using the names `baseSignature`, `publicKey`, `hmacKey`, `signatures`, and `mandatoryPointers`, is produced as output.

1. If the |proofValue| string does not start with `u`, indicating that it is a multibase-base64url-no-pad-encoded value, an error MUST be raised and SHOULD convey an error type of PROOF_VERIFICATION_ERROR.
2. Initialize |decodedProofValue| to the result of base64url-no-pad-decoding the substring after the leading `u` in |proofValue|.
3. If the |decodedProofValue| does not start with the ECDSA-SD base proof header bytes `0xd9`, `0x5d`, and `0x00`, an error MUST be raised and SHOULD convey an error type of PROOF_VERIFICATION_ERROR.
4. Initialize |components| to an array that is the result of CBOR-decoding the bytes that follow the three-byte ECDSA-SD base proof header. Confirm that the result is an array of five elements.
5. Return an object with properties set to the five elements, using the names `baseSignature`, `publicKey`, `hmacKey`, `signatures`, and `mandatoryPointers`, respectively.

createDisclosureData

The following algorithm creates data to be used to generate a derived proof. The inputs include a JSON-LD document (|document|), an ECDSA-SD base proof (|proof|), an array of JSON pointers to use to selectively disclose statements (|selectivePointers|), and any custom JSON-LD API options, such as a document loader). A single object, disclosure data, is produced as output, which contains the "baseSignature", "publicKey", "signatures" for "filteredSignatures", "labelMap", "mandatoryIndexes", and "revealDocument" fields.

1. Initialize |baseSignature|, |publicKey|, |hmacKey|, |signatures|, and |mandatoryPointers| to the values of the associated properties in the object returned when calling the algorithm in Section [[[#parsebaseproofvalue]]], passing the |proofValue| from |proof|.
2. Initialize |hmac| to an HMAC API using |hmacKey|. The HMAC uses the same hash algorithm used in the signature algorithm, i.e., SHA-256 for a P-256 curve.
3. Initialize |labelMapFactoryFunction| to the result of calling the |createHmacIdLabelMapFunction| algorithm passing |hmac|.
4. Initialize |combinedPointers| to the concatenation of |mandatoryPointers| and |selectivePointers|.
5. Initialize |groupDefinitions| to a map with the following entries: key of the string `"mandatory"` and value of |mandatoryPointers|, key of the string `"selective"` and value of |selectivePointers|, and key of the string `"combined"` and value of |combinedPointers|.
6. Initialize |groups| and |labelMap| to their associated values in the result of calling the algorithm in Section [[[#canonicalizeandgroup]]], passing |document|, |labelMapFactoryFunction|, |groupDefinitions|, and any custom JSON-LD API options as parameters. Note: This step transforms the document into an array of canonical N-Quad strings with pseudorandom blank node identifiers based on |hmac|, and groups the N-Quad strings according to selections based on JSON pointers.
7. Initialize |relativeIndex| to zero.
8. Initialize |mandatoryIndexes| to an empty array.
9. For each |absoluteIndex| in the keys in |groups|.|combined|.|matching|, convert the absolute index of any mandatory N-Quad to an index relative to the combined output that is to be revealed:
   1. If |groups|.|mandatory|.|matching| has |absoluteIndex| as a key, then append |relativeIndex| to |mandatoryIndexes|.
   2. Increment |relativeIndex|.
10. Determine which signatures match a selectively disclosed statement, which requires incrementing an index counter while iterating over all |signatures|, skipping over any indexes that match the mandatory group.
    1. Initialize |index| to `0`.
    2. Initialize |filteredSignatures| to an empty array.
    3. For each |signature| in |signatures|:
       1. While |index| is in |groups|.|mandatory|.|matching|, increment |index|.
       2. If |index| is in |groups|.|selective|.|matching|, add |signature| to |filteredSignatures|.
       3. Increment |index|.
11. Initialize |revealDocument| to the result of the "selectJsonLd" algorithm, passing |document|, and |combinedPointers| as |pointers|.
12. Run the RDF Dataset Canonicalization Algorithm [[RDF-CANON]] on the joined |combinedGroup.deskolemizedNQuads|, passing any custom options, and get the canonical bnode identifier map, |canonicalIdMap|. Note: This map includes the canonical blank node identifiers that a verifier will produce when they canonicalize the reveal document.
13. Initialize |verifierLabelMap| to an empty map. This map will map the canonical blank node identifiers the verifier will produce when they canonicalize the revealed document to the blank node identifiers that were originally signed in the base proof.
14. For each key (|inputLabel|) and value (|verifierLabel|) in |canonicalIdMap|:
    1. Add an entry to |verifierLabelMap| using |verifierLabel| as the key and the value associated with |inputLabel| as a key in |labelMap| as the value.
15. Return an object with properties matching |baseSignature|, |publicKey|, `signatures` for |filteredSignatures|, `verifierLabelMap` for |labelMap|, |mandatoryIndexes|, and |revealDocument|.

compressLabelMap

The following algorithm compresses a label map. The required inputs are label map (|labelMap|). The output is a compressed label map.

1. Initialize |map| to an empty map.
2. For each entry (|k|, |v|) in |labelMap|:
   1. Add an entry to |map| with a key that is a base-10 integer parsed from the characters following the "c14n" prefix in |k| and a value that is a byte array resulting from base64url-no-pad-decoding the characters after the "u" prefix in |v|.
3. Return |map| as compressed label map.

decompressLabelMap

The following algorithm decompresses a label map. The required input is a compressed label map (|compressedLabelMap|). The output is a decompressed label map.

1. Initialize |map| to an empty map.
2. For each entry (|k|, |v|) in |compressedLabelMap|:
   1. Add an entry to |map| with a key that adds the prefix "c14n" to |k| and a value that adds a prefix of "u" to the base64url-no-pad-encoded value for |v|.
3. Return |map| as decompressed label map.

serializeDerivedProofValue

The following algorithm serializes a derived proof value. The required inputs are a base signature (|baseSignature|), public key (|publicKey|), an array of signatures (|signatures|), a label map (|labelMap|), and an array of mandatory indexes (|mandatoryIndexes|). A single derived proof value, serialized as a byte string, is produced as output.

1. Initialize |compressedLabelMap| to the result of calling the algorithm in Section [[[#compresslabelmap]]], passing |labelMap| as the parameter.
2. Initialize a byte array, |proofValue|, that starts with the ECDSA-SD disclosure proof header bytes `0xd9`, `0x5d`, and `0x01`.
3. Initialize |components| to an array with five elements containing the values of: |baseSignature|, |publicKey|, |signatures|, |compressedLabelMap|, and |mandatoryIndexes|.
4. CBOR-encode |components| per [[RFC8949]] where CBOR tagging MUST NOT be used on any of the |components|. Append the produced encoded value to |proofValue|.
5. Return the derived proof as a string with the base64url-no-pad-encoding of |proofValue| as described in the Multibase section of [[[controller-document]]]. That is, return a string starting with "`u`" and ending with the base64url-no-pad-encoded value of |proofValue|.

parseDerivedProofValue

The following algorithm parses the components of the derived proof value. The required input is a derived proof value (|proofValue|). A single derived proof value value object is produced as output, which contains a set to five elements, using the names "baseSignature", "publicKey", "signatures", "labelMap", and "mandatoryIndexes".

1. If the |proofValue| string does not start with `u`, indicating that it is a multibase-base64url-no-pad-encoded value, an error MUST be raised and SHOULD convey an error type of PROOF_VERIFICATION_ERROR.
2. Initialize |decodedProofValue| to the result of base64url-no-pad-decoding the substring after the leading `u` in |proofValue|.
3. If the |decodedProofValue| does not start with the ECDSA-SD disclosure proof header bytes `0xd9`, `0x5d`, and `0x01`, an error MUST be raised and SHOULD convey an error type of PROOF_VERIFICATION_ERROR.
4. Initialize |components| to an array that is the result of CBOR-decoding the bytes that follow the three-byte ECDSA-SD disclosure proof header. If the result is not an array of the following five elements — a byte array of length 64; a byte array of length 36; an array of byte arrays, each of length 64; a map of integers to byte arrays, each of length 32; and an array of integers — an error MUST be raised and SHOULD convey an error type of PROOF_VERIFICATION_ERROR.
5. Replace the fourth element in |components| using the result of calling the algorithm in Section [[[#decompresslabelmap]]], passing the existing fourth element of |components| as |compressedLabelMap|.
6. Return derived proof value as an object with properties set to the five elements, using the names "baseSignature", "publicKey", "signatures", "labelMap", and "mandatoryIndexes", respectively.

createVerifyData

The following algorithm creates the data needed to perform verification of an ECDSA-SD-protected [=verifiable credential=]. The inputs include a JSON-LD document (|document|), an ECDSA-SD disclosure proof (|proof|), and any custom JSON-LD API options, such as a document loader. A single verify data object value is produced as output containing the following fields: "baseSignature", "proofHash", "publicKey", "signatures", "nonMandatory", and "mandatoryHash".

1. Initialize |proofHash| to the result of perform RDF Dataset Canonicalization [[RDF-CANON]] on the proof options. The hash used is the same as the one used in the signature algorithm, i.e., SHA-256 for a P-256 curve. Note: This step can be performed in parallel; it only needs to be completed before this algorithm needs to use the |proofHash| value.
2. Initialize |baseSignature|, |publicKey|, |signatures|, |labelMap|, and |mandatoryIndexes|, to the values associated with their property names in the object returned when calling the algorithm in Section [[[#parsederivedproofvalue]]], passing |proofValue| from |proof|.
3. Initialize |labelMapFactoryFunction| to the result of calling the "createLabelMapFunction" algorithm.
4. Initialize |nquads| to the result of calling the "labelReplacementCanonicalize" algorithm, passing |document|, |labelMapFactoryFunction|, and any custom JSON-LD API options. Note: This step transforms the document into an array of canonical N-Quads with pseudorandom blank node identifiers based on |labelMap|.
5. Initialize |mandatory| to an empty array.
6. Initialize |nonMandatory| to an empty array.
7. For each entry (|index|, |nq|) in |nquads|, separate the N-Quads into mandatory and non-mandatory categories:
   1. If |mandatoryIndexes| includes |index|, add |nq| to |mandatory|.
   2. Otherwise, add |nq| to |nonMandatory|.
8. Initialize |mandatoryHash| to the result of calling the "hashMandatory" primitive, passing |mandatory|.
9. Return an object with properties matching |baseSignature|, |proofHash|, |publicKey|, |signatures|, |nonMandatory|, and |mandatoryHash|.

Create Base Proof (ecdsa-sd-2023)

The following algorithm specifies how to create a [=data integrity proof=] given an unsecured data document. Required inputs are an unsecured data document ([=map=] |unsecuredDocument|), and a set of proof options ([=map=] |options|). A [=data integrity proof=] ([=map=]), or an error, is produced as output.

1. Let |proof| be a clone of the proof options, |options|.
2. Let |proofConfig| be the result of running the algorithm in Section [[[#base-proof-configuration-ecdsa-sd-2023]]] with |options| passed as a parameter.
3. Let |transformedData| be the result of running the algorithm in Section with |unsecuredDocument|, |proofConfig|, and |options| passed as parameters.
4. Let |hashData| be the result of running the algorithm in Section [[[#base-proof-hashing-ecdsa-sd-2023]]] with |transformedData| and |proofConfig| passed as a parameters.
5. Let |proofBytes| be the result of running the algorithm in Section [[[#base-proof-serialization-ecdsa-sd-2023]]] with |hashData| and |options| passed as parameters.
6. Let |proof|.|proofValue| be a base64-url-encoded Multibase value of the |proofBytes|.
7. Return |proof| as the [=data integrity proof=].

Base Proof Transformation (ecdsa-sd-2023)

The following algorithm specifies how to transform an unsecured input document into a transformed document that is ready to be provided as input to the hashing algorithm in Section [[[#base-proof-hashing-ecdsa-sd-2023]]].

Required inputs to this algorithm are an unsecured data document (|unsecuredDocument|) and transformation options (|options|). The transformation options MUST contain a type identifier for the cryptographic suite (|type|), a cryptosuite identifier (|cryptosuite|), and a verification method (|verificationMethod|). The transformation options MUST contain an array of mandatory JSON pointers (|mandatoryPointers|) and MAY contain additional options, such as a JSON-LD document loader. A transformed data document is produced as output. Whenever this algorithm encodes strings, it MUST use UTF-8 encoding.

1. Initialize |hmac| to an HMAC API using a locally generated and exportable HMAC key. The HMAC uses the same hash algorithm used in the signature algorithm, which is detected via the |verificationMethod| provided to the function, i.e., SHA-256 for a P-256 curve. Per the recommendations of [[RFC2104]], the HMAC key MUST be the same length as the digest size; for SHA-256, this is 256 bits or 32 bytes.
2. Initialize |labelMapFactoryFunction| to the result of calling the |createHmacIdLabelMapFunction| algorithm passing |hmac|.
3. Initialize |groupDefinitions| to a map with an entry with a key of the string "mandatory" and a value of |mandatoryPointers|.
4. Initialize |groups| to the result of calling the algorithm in Section [[[#canonicalizeandgroup]]], passing |labelMapFactoryFunction|, |groupDefinitions|, |unsecuredDocument| as |document|, and any custom JSON-LD API options. Note: This step transforms the document into an array of canonical N-Quads with pseudorandom blank node identifiers based on |hmac|, and groups the N-Quad strings according to selections based on JSON pointers.
5. Initialize |mandatory| to the values in the |groups|.|mandatory|.|matching| map.
6. Initialize |nonMandatory| to the values in the |groups|.|mandatory|.|nonMatching| map.
7. Initialize |hmacKey| to the result of exporting the HMAC key from |hmac|.
8. Return an object with `mandatoryPointers` set to |mandatoryPointers|, `mandatory` set to |mandatory|, `nonMandatory` set to |nonMandatory|, and `hmacKey` set to |hmacKey|.

Base Proof Hashing (ecdsa-sd-2023)

The following algorithm specifies how to cryptographically hash a transformed data document and proof configuration into cryptographic hash data that is ready to be provided as input to the algorithms in Section [[[#base-proof-serialization-ecdsa-sd-2023]]].

The required inputs to this algorithm are a transformed data document (|transformedDocument|) and canonical proof configuration (|canonicalProofConfig|). A hash data value represented as an object is produced as output.

1. Initialize |proofHash| to the result of calling the RDF Dataset Canonicalization algorithm [[RDF-CANON]] on |canonicalProofConfig| and then cryptographically hashing the result using the same hash that is used by the signature algorithm, i.e., SHA-256 for a P-256 curve. Note: This step can be performed in parallel; it only needs to be completed before this algorithm terminates as the result is part of the return value.
2. Initialize |mandatoryHash| to the result of calling the the algorithm in Section [[[#hashmandatorynquads]]], passing |transformedDocument|.|mandatory|.
3. Initialize |hashData| as a deep copy of |transformedDocument| and add |proofHash| as `proofHash` and |mandatoryHash| as `mandatoryHash` to that object.
4. Return |hashData| as hash data.

Base Proof Configuration (ecdsa-sd-2023)

The following algorithm specifies how to generate a proof configuration from a set of proof options that is used as input to the base proof hashing algorithm.

The required inputs to this algorithm are proof options (|options|). The proof options MUST contain a type identifier for the cryptographic suite (|type|) and MUST contain a cryptosuite identifier (|cryptosuite|). A proof configuration object is produced as output.

1. Let |proofConfig| be a clone of the |options| object.
2. If |proofConfig|.|type| is not set to `DataIntegrityProof` and/or |proofConfig|.|cryptosuite| is not set to `ecdsa-sd-2023`, an error MUST be raised and SHOULD convey an error type of PROOF_GENERATION_ERROR.
3. If |proofConfig|.|created| is set and if the value is not a valid [[XMLSCHEMA11-2]] datetime, an error MUST be raised and SHOULD convey an error type of PROOF_GENERATION_ERROR.
4. Set |proofConfig|.@context to |unsecuredDocument|.@context.
5. Let |canonicalProofConfig| be the result of applying the [[[RDF-CANON]]] [[RDF-CANON]] to the |proofConfig|.
6. Return |canonicalProofConfig|.

Base Proof Serialization (ecdsa-sd-2023)

The following algorithm specifies how to create a base proof; called by an issuer of an ECDSA-SD-protected Verifiable Credential. The base proof is to be given only to the holder, who is responsible for generating a derived proof from it, exposing only selectively disclosed details in the proof to a verifier. This algorithm is designed to be used in conjunction with the algorithms defined in the Data Integrity [[VC-DATA-INTEGRITY]] specification, Section 4: Algorithms. Required inputs are cryptographic hash data (|hashData|) and proof options (|options|). The proof options MUST contain a type identifier for the cryptographic suite (|type|) and MAY contain a cryptosuite identifier (|cryptosuite|). A single digital proof value represented as series of bytes is produced as output.

1. Initialize |proofHash|, |mandatoryPointers|, |mandatoryHash|, |nonMandatory|, and |hmacKey| to the values associated with their property names |hashData|.
2. Initialize |proofScopedKeyPair| to a locally generated P-256 ECDSA key pair. Note: This key pair is scoped to the specific proof; it is not used for anything else and the private key will be destroyed when this algorithm terminates.
3. Initialize |signatures| to an array where each element holds the result of digitally signing the UTF-8 representation of each N-Quad string in |nonMandatory|, in order. The digital signature algorithm is ES256, i.e., uses a P-256 curve over a SHA-256 digest, and uses the private key from |proofScopedKeyPair|. Note: This step generates individual signatures for each statement that can be selectively disclosed using a local, proof-scoped key pair that binds them together; this key pair will be bound to the proof by a signature over its public key using the private key associated with the base proof verification method.
4. Initialize |publicKey| to the multikey expression of the public key exported from |proofScopedKeyPair|. That is, an array of bytes starting with the bytes 0x80 and 0x24 (which is the multikey p256-pub header (0x1200) expressed as a varint) followed by the compressed public key bytes (the compressed header with `2` for an even `y` coordinate and `3` for an odd one followed by the `x` coordinate of the public key).
5. Initialize |toSign| to the result of calling the algorithm in Section [[[#serializesigndata]]], passing |proofHash|, |publicKey|, and |mandatoryHash| as parameters to the algorithm.
6. Initialize |baseSignature| to the result of digitally signing |toSign| using the private key associated with the base proof verification method.
7. Initialize |proofValue| to the result of calling the algorithm in Section [[[#serializebaseproofvalue]]], passing |baseSignature|, |publicKey|, |hmacKey|, |signatures|, and |mandatoryPointers| as parameters to the algorithm.
8. Return |proofValue| as digital proof.

Add Derived Proof (ecdsa-sd-2023)

The following algorithm creates a selective disclosure derived proof; called by a holder of an `ecdsa-sd-2023`-protected [=verifiable credential=]. The derived proof is to be given to the [=verifier=]. The inputs include a JSON-LD document (|document|), an ECDSA-SD base proof (|proof|), an array of JSON pointers to use to selectively disclose statements (|selectivePointers|), and any custom JSON-LD API options, such as a document loader. A single selectively revealed document value, represented as an object, is produced as output.

1. Initialize |baseSignature|, |publicKey|, |signatures|, |labelMap|, |mandatoryIndexes|, |revealDocument| to the values associated with their property names in the object returned when calling the algorithm in Section [[[#createdisclosuredata]]], passing the |document|, |proof|, |selectivePointers|, and any custom JSON-LD API options, such as a document loader.
2. Initialize |newProof| to a shallow copy of |proof|.
3. Replace |proofValue| in |newProof| with the result of calling the algorithm in Section [[[#serializederivedproofvalue]]], passing |baseSignature|, |publicKey|, |signatures|, |labelMap|, and |mandatoryIndexes|.
4. Set the value of the "proof" property in |revealDocument| to |newProof|.
5. Return |revealDocument| as the selectively revealed document.

Verify Derived Proof (ecdsa-sd-2023)

The following algorithm attempts verification of an `ecdsa-sd-2023` derived proof. This algorithm is called by a verifier of an ECDSA-SD-protected [=verifiable credential=]. The inputs include a JSON-LD document (|document|), an ECDSA-SD disclosure proof (|proof|), and any custom JSON-LD API options, such as a document loader. This algorithm returns a [=verification result=]:

1. Let |unsecuredDocument| be a copy of |document| with the `proof` value removed.
2. Initialize |baseSignature|, |proofHash|, |publicKey|, |signatures|, |nonMandatory|, and |mandatoryHash| to the values associated with their property names in the object returned when calling the algorithm in Section [[[#createverifydata]]], passing the |document|, |proof|, and any custom JSON-LD API options, such as a document loader.
3. If the length of |signatures| does not match the length of |nonMandatory|, an error MUST be raised and SHOULD convey an error type of PROOF_VERIFICATION_ERROR, indicating that the signature count does not match the non-mandatory message count.
4. Initialize |publicKeyBytes| to the public key bytes expressed in |publicKey|. Instructions on how to decode the public key value can be found in Section [[[#multikey]]].
5. Initialize |toVerify| to the result of calling the algorithm in Setion [[[#serializesigndata]]], passing |proofHash|, |publicKey|, and |mandatoryHash|.
6. Initialize |verified| to true.
7. Initialize |verificationCheck| be the result of applying the verification algorithm of the Elliptic Curve Digital Signature Algorithm (ECDSA) [FIPS-186-5], with |toVerify| as the data to be verified against the |baseSignature| using the public key specified by |publicKeyBytes|. If |verificationCheck| is `false`, set |verified| to false.
8. For every entry (|index|, |signature|) in |signatures|, verify every signature for every selectively disclosed (non-mandatory) statement:
   1. Initialize |verificationCheck| to the result of applying the verification algorithm Elliptic Curve Digital Signature Algorithm (ECDSA) [FIPS-186-5], with the UTF-8 representation of the value at |index| of |nonMandatory| as the data to be verified against |signature| using the public key specified by |publicKeyBytes|.
   2. If |verificationCheck| is `false`, set |verified| to false.
9. Return a [=verification result=] with [=struct/items=]:

   [=verified=]

   The value of |verified|

   [=verifiedDocument=]

   |unsecuredDocument| if |verified| is `true`, otherwise Null