# Security & Privacy ## Purpose This page defines the security and privacy posture expected for S.I.G.N. deployments: * what goes on-chain vs off-chain, * how privacy is preserved while keeping lawful auditability, * the baseline security controls operators should implement. This is not legal advice; each jurisdiction should adapt controls to local law and procurement rules. *** ## Security goals S.I.G.N. deployments should satisfy: 1. **Integrity** * evidence and records cannot be forged without detection * state transitions are verifiable over time 2. **Confidentiality** * sensitive citizen data is not exposed broadly * privacy-sensitive payments remain confidential to the public 3. **Availability** * systems continue operating under national concurrency and adversarial conditions 4. **Non-repudiation** * actions (issuance, approvals, distributions) are cryptographically attributable 5. **Auditability** * authorized parties can reconstruct “who did what, when, and why” * evidence is inspection-ready and consistent across systems *** ## The privacy principle: “private to the public, auditable to lawful authorities” This means: * **The public** should not be able to trivially enumerate: * citizen identities, * balances, * private benefit distributions, * sensitive eligibility data. * **Authorized oversight** can verify: * that rules were followed, * that recipients were eligible at time of distribution, * that budgets reconcile to outcomes, * that approvals exist for exceptional actions. The mechanism is a combination of: * **data minimization** (do not publish sensitive payloads), * **cryptographic proofs** (prove without revealing), * **segmented rails** (public vs private settlement), * **access-controlled audit systems** (lawful inspection). *** ## Data classification and placement ### Recommended classification * **Public** * program rulesets (high-level) * aggregate statistics * public benefit distributions (when transparency is desired) * **Restricted** * issuer keys, operator runbooks, monitoring endpoints * **Confidential** * PII * private payment details * eligibility payloads * internal case files and investigations * **Sensitive (lawful access only)** * audit reconstruction maps linking pseudonyms to identities * regulatory investigation artifacts ### Placement rules of thumb * **PII should be off-chain** by default. * **On-chain artifacts should be proofs/anchors**, such as: * schema IDs * attestation IDs (or commitment hashes) * revocation/status registry references * rule version hashes * audit manifest hashes * settlement references (tx hashes / commit IDs) * **Hybrid** is preferred when: * verifiers need open verification, * but payload confidentiality must be maintained. *** ## Cryptography and standards (reference) ### Credential + identity stack * VC model: W3C Verifiable Credentials 2.0 * DID standard: W3C DIDs * Formats: VC-JWT, SD-JWT VC, JSON-LD with BBS+ * Issuance protocol: OIDC4VCI * Presentation protocol: OIDC4VP * Revocation: W3C Bitstring Status List * Offline presentation: QR and NFC * mDL compatibility: ISO/IEC 18013-5/7 ### Signature schemes (reference) * ECDSA (secp256k1, P‑256) * EdDSA (Ed25519) * RSA ### Privacy / ZK (reference) * Groth16, Plonk * BBS+ (unlinkable credentials / selective disclosure) ### ePassport integration (reference) * ICAO 9303 compatible proofs/verification *** ## Privacy mechanisms in practice ### Selective disclosure A holder can prove a predicate (e.g., “age ≥ 18”) without revealing the underlying value (exact DOB). ### Unlinkability When supported, presentations should prevent third parties from linking: * the same citizen across different service contexts, * or the same credential presentation across time. ### Minimal disclosure A verifier should request only what is necessary: * a “yes/no” eligibility proof instead of full identity payload, * an attribute proof instead of a complete credential. *** ## Payment privacy (New Money System alignment) A common pattern is dual-rail support: * **Public rail** for transparency-first use cases\ Example: public spending programs where the state wants public accountability. * **Private rail (CBDC)** for confidentiality-first use cases\ Example: sensitive assistance programs requiring strong privacy protections. Within a private CBDC rail, privacy tiers may exist: * **wCBDC** (wholesale): RTGS-like transparency for institutions * **rCBDC** (retail): stronger privacy protections (potentially ZK-based) *** ## Access control and lawful audit ### Role-based access control (RBAC) Deployments should define: * who can issue credentials, * who can approve distributions, * who can operate bridges, * who can run indexers, * who can perform audits. ### Audit access Audit access should be: * logged, * time-bounded, * least-privilege, * and require multi-party approval when appropriate. ### Evidence export Audits should be able to export: * signed approvals, * rule versions and hashes, * batch manifests and reconciliation outputs, * settlement references, * revocation/status proof checks. *** ## Operational security baseline ### Key management * Root governance keys should be protected by **HSM** and/or **multisig**. * Issuer keys (credential/attestation signing) should be separated by agency/domain. * Operator keys (infrastructure) should not be issuer keys. * Rotation and recovery must be documented and tested. ### Monitoring and incident response Minimum recommended: * service health dashboards (indexers, APIs, bridge) * tamper-evident logs * alerting for abnormal issuance/distribution rates * rollback / pause procedures for emergency controls ### Supply chain and SDLC security * dependency scanning + SBOM generation * reproducible builds where possible * staging environments mirroring production * third-party audits for critical components * bug bounty program / coordinated disclosure *** ## Threat model (high-level) Threats to plan for: * **Credential forgery / issuer compromise** * mitigations: trust registry, issuer governance, key custody, revocation * **Sybil or duplicate claims** * mitigations: identity-linked targeting, duplicate prevention rules, attestation checks * **Bridge abuse** * mitigations: atomicity, limits, approvals, monitoring, emergency pause * **Indexer/API tampering** * mitigations: integrity anchors, replayable verification from raw sources, signed responses (optional) * **Privacy leakage via metadata** * mitigations: minimal disclosure, unlinkability, careful logging and analytics policies *** ## Recommended evidence artifacts (standard set) Every sovereign program should be able to produce: * **RuleSet** * `ruleset_id`, `ruleset_version`, `ruleset_hash` * **Eligibility proof reference** * VC presentation proof or attestation reference, plus status check time * **Distribution manifest** * list of recipients (pseudonymous references), amounts, timestamps, assets * **Settlement references** * public tx hash or private commit ID(s) * **Audit export package** * signed approvals, logs, reconciliation outputs (Examples appear in the [New Money System](https://docs.sign.global/national-systems/new-money-system) and [New Capital System](https://docs.sign.global/national-systems/new-capital-system) pages.)