This is a PoC implementation for the Master's Thesis: Peer Review Verification with Verifiable Credentials and Zero-Knowledge Proofs. The code is deployed and a demo is available under the Try it out section.
Thesis document is accessible here
Final presentation available here
Peer Review is the formal process of the evaluation of scholarly works by people specialized in the subject of the work. It is the gold standard of scientific publishing. Usually a manuscript goes through 2-3 peer reviews. Each peer reviewer assesses the manuscript in written format and submits to the editor their recommendation such as accepting the manuscript, sending it to revision or rejecting it. The editor oversees the process and gives the decision on the publication of the manuscript. Things may vary slightly at each journal.
The process can be done open i.e. the identities of the author and reviewers will be open; or single/double blinded where the identities of one or both parties will be open. Most of the reviews are anonymized and many scholars seem to favor blinded reviews to avoid social conflicts, better scrutiny etc. Although some claim this is often useless in niche fields and the reviews should be open for transparency, this discussion is out of scope of this work, and is more of a political issue in scientific publishing.
Despite its importance, peer review lacks incentives. Since publication based metrics (citations, h-index etc.) are proxies for academic success, academics' goal is to increase their (perceived) impact by publishing more and getting cited more. Promotion, tenure, grants, many achievements in scholarship are gained by improving one's metrics. Peer review, however, is (mostly) not recognized and not included in these metrics. One of the reasons it is not recognized is the nature of blinded reviews, that the identities and, to avoid identification, the contents of a review are not publishable. It is therefore not possible to credit a researcher for their anonymized reviews.
There are platforms trying to solve this problem, the most prominent being Publons. Publons verifies the reviews of a researcher through journal integrations or manually upon receiving a review acceptance email forwarded by the user. Then they build a peer review profile without revealing the peer reviews. They act as trusted third parties for the verification of peer reviews and effectively own the whole peer review data. Publons was recently acquired by Clarivate Analytics, provider of Web of Science and the Journal Impact Factor. This raises questions for the Open Science perspective of the peer review ecosystem. Also the journals are in the end giving away their peer review data to another company, which in turn aggregates this data and uses it to fuel its services such as reviewer finder tools.
So, current solutions to the review recognition problem create new problems. We have first-hand experience in scientific publishing of what happens when scientific data is put behind walled gardens and when for-profit institutions decide what constitutes sound science and what does not. How can we keep the problems of manuscript publishing from occurring in peer reviewing? How can we create direct trust in the peer review ecosystem and avoid third parties? How can we open peer review data, without violating current peer review practices?
Recent technologies may enable this. Verifiable Credentials is a recent W3C specification for exchanging digital credentials in a secure, tamper-evident, privacy-preserving, machine-verifiable and interoperable way. It could be used for driver's licenses, passports, tickets, university degrees, vaccinations [1, 2]... Any claim by anyone may be a credential. It leverages digital signatures to provide verifiability and tamper-evidence. Also, through Zero-Knowledge Proofs it is possible to selectively disclose attributes of a credential. The classical example is when buying drinks, you wouldn't need to share your whole ID card, but selectively disclose your birthday but not your photo, address etc., or even create a zk-proof of "Over 18".
This repo is a prototype implementation of peer reviewing using verifiable credentials and zero-knowledge proofs. It has two platforms: Journal X, which is a hypothetical journal where manuscript submission and reviewing take place, and Veriview, which is a review showcase platform.
The platforms are MongoDB, Express, React, Node.js (MERN) apps. The key part of the application, credential issuance and verification, relies on jsonld-signatures, and the selective disclosure (zk-proofs) uses jsonld-signatures-bbs, which uses BBS+ Signatures under the hood to allow efficient zk-proof generation. The contexts are cached in `documentLoader`. The `id` fields in the Verifiable Credentials are DIDs and use the `did:web` method. On Veriview this DID actually gets resolved and the verification follows from its public keys. The DID is under JournalX's /.well-known/did.json.
A typical flow is as follows:
- An author submits a manuscript to the Journal X
- The editor starts a review by assigning other reviewers in the Journal X.
- The reviewers submit their review. The editor collects reviews and gives publication decision.
- The reviewers generate "peer review credentials" that they have done a review in the Journal X for a manuscript.
- The reviewers then share this credential in their Veriview profile.
- Reviewers upload the review verifiable credential to Veriview
- Veriview verifies the credentials by checking the `proof` attribute, which contains a digital signature and the DID of Journal X. The DID contains the public key of Journal X. Veriview resolves this DID and if the public key and signature match, the credential gets verified.
- The review author then selects which attributes they want to disclose. For example, if it's a blinded review they would want to exclude identifiable information such as the title, content, date, but leave the journal information.
- Veriview generates a derived credential containing the selected attributes only, and a zero-knowledge proof that the holder of this derived proof knows a valid signature of the original credential. (This is where the magic is)
- The review author finally submits the derived credential and it gets added to their profile. They can share their profile publicly or share the peer reviews on their profile.
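
The DID resolution step of the flow above can be sketched as follows. This is an added example, not code from this repository: it maps a `did:web` identifier to the URL of its DID document and accepts the key named in `proof.verificationMethod` only if the issuer's DID document lists it for `assertionMethod`. The DID `did:web:journalx.herokuapp.com`, the `#key-1` fragment and the sample documents are assumptions constructed for illustration.

```javascript
'use strict';
// Map a did:web identifier to the HTTPS URL of its DID document.
function didWebToUrl(did) {
  const parts = did.split(':');
  if (parts.length < 3 || parts[0] !== 'did' || parts[1] !== 'web' || parts.includes('')) {
    throw new Error(`not a did:web identifier: ${did}`);
  }
  const host = decodeURIComponent(parts[2]); // a port is percent-encoded as %3A
  if (/[\/?#@\s]/.test(host)) throw new Error('invalid host in did:web identifier');
  const path = parts.slice(3).map(decodeURIComponent);
  if (path.some((p) => p.includes('/') || p === '.' || p === '..')) {
    throw new Error('invalid path segment in did:web identifier');
  }
  return path.length === 0
    ? `https://${host}/.well-known/did.json`
    : `https://${host}/${path.join('/')}/did.json`;
}

// Return the key named by proof.verificationMethod, but only if the issuer's
// DID document authorises it for issuing credentials (referenced keys only).
function selectIssuerKey(credential, didDocument) {
  const issuer = typeof credential.issuer === 'string' ? credential.issuer : credential.issuer.id;
  if (didDocument.id !== issuer) throw new Error('DID document does not belong to the issuer');
  const vmId = credential.proof.verificationMethod;
  if (vmId.split('#')[0] !== issuer) throw new Error('proof key is not under the issuer DID');
  const authorised = (didDocument.assertionMethod || [])
    .some((m) => (typeof m === 'string' ? m : m.id) === vmId);
  if (!authorised) throw new Error('key is not listed in assertionMethod');
  const method = (didDocument.verificationMethod || []).find((m) => m.id === vmId);
  if (!method || method.controller !== issuer) throw new Error('key not found or wrong controller');
  return method; // pass this key to the signature suite for the cryptographic check
}

// Constructed sample data (assumed DID, key id and placeholder key material).
const ISSUER = 'did:web:journalx.herokuapp.com';
const sampleDidDocument = {
  id: ISSUER,
  verificationMethod: [{ id: `${ISSUER}#key-1`, type: 'Bls12381G2Key2020',
    controller: ISSUER, publicKeyBase58: 'CONSTRUCTED-PLACEHOLDER' }],
  assertionMethod: [`${ISSUER}#key-1`],
};
const sampleCredential = {
  issuer: ISSUER,
  proof: { type: 'BbsBlsSignature2020', proofPurpose: 'assertionMethod',
    verificationMethod: `${ISSUER}#key-1` },
};
```

The binding check matters because a signature that verifies under a key the issuer never published proves nothing about Journal X; the signature check itself is still done by the signature suite.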
The two platforms are deployed at: journalx.herokuapp.com and veriview.herokuapp.com. You may have to wait a little for the pages to load as Heroku dynos wake up.
- Go to Journal X and register a user. (You can leave ORCID blank. Set a password with both numbers and characters, like: alice12345)
- Take note of the user id on the sidebar (60b0a7851137b00...).
- Log in to the editor: email: `editor@test.com` pass: `admin12345`
- Click "Manage Reviews" and "Start a Review" above.
- Click on the manuscript card you want to start the review process for. (not on the title)
- Click "Add Reviewer" and paste the user id you took note of. Set a deadline. Add more reviewers if you'd like.
- Click "Assign Reviewers"
- Log in to the reviewer account. Click "Reviews". You'll see an assigned review. Click "Write Review".
- Fill the review fields. Submit your review.
- Click "Issue Credential" to download your Verifiable Credential.
- Go to Veriview and create a profile (again, password with numbers and characters).
- Click "Add Review" and "Add a Review Credential". Choose your downloaded Verifiable Credential.
- Select the attributes you'd like to publicly disclose. Click "Next". Check the information you'll share. Click "Next". This will generate a selectively disclosed credential.
- You can view the generated credential and its proof. Also you can view the raw JSON-LD by clicking "Show Code". "Submit" the generated credential.
- If it was successful you can view your peer reviews on your Profile. You can also share the Public Profile link to view the profile without logging in.