Rowdy Chotkan,Jérémie Decouchant,Johan Pouwelse

DOI: https://doi.org/10.48550/arXiv.2208.05339

2022-08-10

Distributed, Parallel, and Cluster Computing

Abstract:Self-Sovereign Identity (SSI) aspires to create a standardised identity layer for the Internet by placing citizens at the centre of their data, thereby weakening the grip of big tech on current digital identities. However, as millions of both physical and digital identities are lost annually, it is also necessary for SSIs to possibly be revoked to prevent misuse. Previous attempts at designing a revocation mechanism typically violate the principles of SSI by relying on central trusted components. This lack of a distributed revocation mechanism hampers the development of SSI. In this paper, we address this limitation and present the first fully distributed SSI revocation mechanism that does not rely on specialised trusted nodes. Our novel gossip-based propagation algorithm disseminates revocations throughout the network and provides nodes with a proof of revocation that enables offline verification of revocations. We demonstrate through simulations that our protocol adequately scales to national levels.

A. M. Papathanasiou,G.C. Polyzos

DOI: https://doi.org/10.1109/ICOIN59985.2024.10572151

2024-01-17

Abstract:Self-Sovereign Identity (SSI) has highlighted the benefits and importance of granting users complete control over their identity. Unlike previous solutions, which entrust identity management to third-party applications or services, SSI empowers users to control their personal data. Nonetheless, compromised identities remain a challenge as they must be revoked in order to prevent additional privacy and security issues. However, in several SSI systems, privacy is compromised in favor of efficiency, allowing third parties to gain access to users’ personal data. In this paper, we highlight the shortcomings of existing SSI solutions and propose a system that addresses credential revocation by balancing privacy with efficiency, by leveraging Verifiable Random Functions (VRFs).

Computer Science

Jing He,Xiaofeng MA,Dawei Zhang,Feng Peng

DOI: https://doi.org/10.1051/sands/2024013

2024-10-16

Security and Safety

Abstract:Decentralized identity represents an innovative approach based on blockchain to achieve effective identity management. This method utilizes decentralized identifiers and verifiable credential to enable trusted authentication, free circulation of identity information, and self-sovereign control over identity data functionalities. The current decentralized identity systems rely on entirely anonymous identifiers, lacking robust identity regulation. Furthermore, they face challenges such as identity attribute leakage during verifiable credential presentation and the issuers' struggle to reliably revoke credentials. To address these issues, efficient and practical schemes have been designed based on BBS signature, zero-knowledge proof, dynamic accumulator and blockchain technology: one for decentralized identifiers management and the other for verifiable credential privacy protection, both of which are supervised and revocable. The former ensures the privacy of subject identity while achieving regulatability and revocability of identity data by regulator. The latter facilitates selective disclosure of anonymous credentials and reliable revocation. A security analysis shows that the proposed scheme meets anonymity, non-forgeability, regulatory reliability, and revocability reliability, and offers comprehensive and effective privacy protection measures. The experimental results demonstrate that the algorithms designed operate at a millisecond level, which satisfies the demands of blockchain identity management scenarios.

Denis Roio,Rebecca Selvaggini,Gabriele Bellini,Andrea D'Intino

2024-08-16

Abstract:Ensuring privacy and protection from issuer corruption in digital identity systems is crucial. We propose a method for selective disclosure and privacy-preserving revocation of digital credentials using second-order Elliptic Curves and Boneh-Lynn-Shacham (BLS) signatures. We make holders able to present proofs of possession of selected credentials without disclosing them, and we protect their presentations from replay attacks. Revocations may be distributed among multiple revocation issuers using publicly verifiable secret sharing (PVSS) and activated only by configurable consensus, ensuring robust protection against issuer corruption. Our system's unique design enables extremely fast revocation checks, even with large revocation lists, leveraging optimized hash map lookups.

Cryptography and Security

Kai Zhang,Zirui Guo,Liangliang Wang,Lei Zhang,Lifei Wei

DOI: https://doi.org/10.1016/j.csi.2024.103848

IF: 3.721

2024-08-01

Computer Standards & Interfaces

Abstract:Provable Data Possession (PDP) has gained widespread adoption for ensuring the integrity of data in remote cloud storage, where a data owner can delegate a third party auditor (TPA) to perform data auditing. To eliminate key escrow problem or complicated certificate management in classic solutions, numerous certificateless PDP schemes have been proposed while they failed to achieve efficient user revocation and protect user identity privacy. Therefore, we propose ReCIP, a revocable certificateless PDP scheme with identity privacy, where a TPA can perform public data integrity batch verification for a user while learning no useful knowledge about user identity privacy. Technically, we introduce a new user revocation strategy that directly revokes users’ secret keys, with no correlation to the number of data blocks in place for revocation time cost. To further boost the efficiency of ReCIP, we employ a semi-generic online–offline strategy to obtain an online–offline ReCIP (ReCIPoo) to reduce the time cost of tag generation. Moreover, we conduct a formal security proof of ReCIP, where the security is reduced to simple computational Diffie–Hellman problem and discrete logistic problem. Compared to state-of-the-art solutions, our ReCIPoo achieves comparable computation and communication cost while still achieving user revocation and protecting user identity privacy.

computer science, software engineering, hardware & architecture

Carlo Mazzocca,Abbas Acar,Selcuk Uluagac,Rebecca Montanari,Paolo Bellavista,Mauro Conti

2024-02-04

Abstract:Digital identity has always been considered the keystone for implementing secure and trustworthy communications among parties. The ever-evolving digital landscape has gone through many technological transformations that have also affected the way entities are digitally identified. During this digital evolution, identity management has shifted from centralized to decentralized approaches. The last era of this journey is represented by the emerging Self-Sovereign Identity (SSI), which gives users full control over their data. SSI leverages decentralized identifiers (DIDs) and verifiable credentials (VCs), which have been recently standardized by the World Wide Web Community (W3C). These technologies have the potential to build more secure and decentralized digital identity systems, remarkably contributing to strengthening the security of communications that typically involve many distributed participants. It is worth noting that the scope of DIDs and VCs extends beyond individuals, encompassing a broad range of entities including cloud, edge, and Internet of Things (IoT) resources. However, due to their novelty, existing literature lacks a comprehensive survey on how DIDs and VCs have been employed in different application domains, which go beyond SSI systems. This paper provides readers with a comprehensive overview of such technologies from different perspectives. Specifically, we first provide the background on DIDs and VCs. Then, we analyze available implementations and offer an in-depth review of how these technologies have been employed across different use-case scenarios. Furthermore, we examine recent regulations and initiatives that have been emerging worldwide. Finally, we present some challenges that hinder their adoption in real-world scenarios and future research directions.

Cryptography and Security,Computers and Society

Hu Xiong,Kim-Kwang Raymond Choo,Athanasios V. Vasilakos

DOI: https://doi.org/10.1109/tbdata.2017.2697448

2017-01-01

IEEE Transactions on Big Data

Abstract:To be able to leverage big data to achieve enhanced strategic insight, process optimization and make informed decision, we need to be an efficient access control mechanism for ensuring end-to-end security of such information asset. Signcryption is one of several promising techniques to simultaneously achieve big data confidentiality and authenticity. However, signcryption suffers from the limitation of not being able to revoke users from a large-scale system efficiently. We put forward, in this paper, the first identity-based (ID-based) signcryption scheme with efficient revocation as well as the feature to outsource unsigncryption to enable secure big data communications between data collectors and data analytical system(s). Our scheme is designed to achieve end-to-end confidentiality, authentication, non-repudiation, and integrity simultaneously, while providing scalable revocation functionality such that the overhead demanded by the private key generator (PKG) in the key-update phase only increases logarithmically based on the cardiality of users. Although in our scheme the majority of the unsigncryption tasks are outsourced to an untrusted cloud server, this approach does not affect the security of the proposed scheme. We then prove the security of our scheme, as well as demonstrating its utility using simulations.

Geoff Goodell,Tomaso Aste

DOI: https://doi.org/10.3389/fbloc.2019.00017

2019-10-27

Abstract:Current architectures to validate, certify, and manage identity are based on centralised, top-down approaches that rely on trusted authorities and third-party operators. We approach the problem of digital identity starting from a human rights perspective, with a primary focus on identity systems in the developed world. We assert that individual persons must be allowed to manage their personal information in a multitude of different ways in different contexts and that to do so, each individual must be able to create multiple unrelated identities. Therefore, we first define a set of fundamental constraints that digital identity systems must satisfy to preserve and promote privacy as required for individual autonomy. With these constraints in mind, we then propose a decentralised, standards-based approach, using a combination of distributed ledger technology and thoughtful regulation, to facilitate many-to-many relationships among providers of key services. Our proposal for digital identity differs from others in its approach to trust in that we do not seek to bind credentials to each other or to a mutually trusted authority to achieve strong non-transferability. Because the system does not implicitly encourage its users to maintain a single aggregated identity that can potentially be constrained or reconstructed against their interests, individuals and organisations are free to embrace the system and share in its benefits.

Computers and Society

Wei Ren,Kui Ren,Wenjing Lou,Yanchao Zhang

DOI: https://doi.org/10.4108/icst.qshine2008.3824

2008-01-01

Abstract:Privacy-aware Public Key Infrastructure (PKI) can maintain user access control and yet protect user privacy, which is envisioned as a promising technique in many emerging applications. To justify the applicability of privacy-aware PKI and optimize the performance, it is highly important to ensure the efficiency of handling user revocations. In practice, user revocation can be due to various predictable and unpredictable reasons, e.g., subscription expiration, network access policy violation, group changing, secret key exposure, etc. Both predictable and unpredictable reasons can happen concurrently, which makes the design of efficient user revocation mechanism challenging. In this paper, we study how to achieve optimized user revocation cost with respect to various revocation approaches. We also propose an advanced scheme Delta-RL that ensures an optimized overall performance in terms of communication, computation and storage, as justified by the extensive analysis.

Zhang Manman,Liu Zhiyuan

DOI: https://doi.org/10.3969/j.issn.1008-8245.2007.05.014

2007-01-01

Abstract:Certificate revocation is always a hard problem in the research and application of public key infrastructure(PKI).In this paper,a review of certificate revocation schemes is present.The working principles of all schemes are described,and the advantages and disadvantages of each scheme are analyzed in details.And the future work is outlined in the end.

Zhichao Ruan,Wei Ye,Yankai Xie,Haixing Li,Chi Zhang,Lingbo Wei

DOI: https://doi.org/10.1109/icc45041.2023.10278733

2023-01-01

Abstract:Blockchain is the most promising technology to tackle the security challenges of certificate revocation schemes, such as vulnerability to the single point of failure and lack of accountability systems. However, current blockchain-based certificate revocation systems suffer from privacy problems as the blockchain nodes can learn which website the client is going to connect with and infer the end-user's private information, such as identity, location, and health condition. In this paper, we propose a decentralized certificate revocation scheme that allows clients to securely and privately verify revocation information. We not only take advantage of blockchain to provide security guarantees but also further craft a novel multi-server offline/online private information retrieval (PIR) protocol named MOO-PIR to preserve query privacy for clients even if a subset of servers collude. Finally, we provide security analysis and performance evaluation, demonstrating that our scheme can protect client privacy without compromising efficiency.

Wei Song,Yu Wu,Yihui Cui,Qilie Liu,Yuan Shen,Zicheng Qiu,Jianjun Yao,Zhiyong Peng

DOI: https://doi.org/10.1016/j.dcan.2021.02.002

IF: 6.348

2022-01-01

Digital Communications and Networks

Abstract:Cloud data sharing service, which allows a group of people to access and modify the shared data, is one of the most popular and efficient working styles in enterprises. Recently, there is an uprising trend that enterprises tend to move their IT service from local to cloud to ease the management and reduce the cost. Under the new cloud environment, the cloud users require the data integrity verification to inspect the data service at the cloud side. Several recent studies have focused on this application scenario. In these studies, each user within a group is required to sign a data block created or modified by him. While a user is revoked, all the data previously signed by him should be resigned. In the existing research, the resigning process is dependent on the revoked user. However, cloud users are autonomous. They may exit the system at any time without notifying the system admin and even are revoked due to misbehaviors. As the developers in the cloud-based software development platform, they are voluntary and not strictly controlled by the system. Due to this feature, cloud users may not always follow the cloud service protocol. They may not participate in generating the resigning key and may even expose their secret keys after being revoked. If the signature is not resigned in time, the subsequent verification will be affected. And if the secret key is exposed, the shared data will be maliciously modified by the attacker who grasps the key. Therefore, forcing a revoked user to participate in the revocation process will lead to efficiency and security problems. As a result, designing a practical and efficient integrity verification scheme that supports this scenario is highly desirable. In this paper, we identify this challenging problem as the asynchronous revocation, in which the revocation operations (i.e., re-signing key generation and resigning process) and the user's revocation are asynchronous. All the revocation operations must be able to be performed without the participation of the revoked user. Even more ambitiously, the revocation process should not rely on any special entity, such as the data owner or a trusted agency. To address this problem, we propose a novel public data integrity verification mechanism in which the data blocks signed by the revoked user will be resigned by another valid user. From the perspectives of security and practicality, the revoked user does not participate in the resigning process and the re-signing key generation. Our scheme allows anyone in the cloud computing system to act as the verifier to publicly and efficiently verify the integrity of the shared data using Homomorphic Verifiable Tags (HVTs). Moreover, the proposed scheme resists the collusion attack between the cloud server and the malicious revoked users. The numerical analysis and experimental results further validate the high efficiency and scalability of the proposed scheme. The experimental results manifest that re-signing 10,000 data blocks only takes 3.815 ​s and a user can finish the verification in 300 ​ms with a 99% error detection probability.

Rujia Li,David Galindo,Qi Wang

DOI: https://doi.org/10.48550/arXiv.1908.02443

2019-08-10

Abstract:Anonymity revocation is an essential component of credential issuing systems since unconditional anonymity is incompatible with pursuing and sanctioning credential misuse. However, current anonymity revocation approaches have shortcomings with respect to the auditability of the revocation process. In this paper, we propose a novel anonymity revocation approach based on privacy-preserving blockchain-based smart contracts, where the code self-execution property ensures availability and public ledger immutability provides auditability. We describe an instantiation of this approach, provide an implementation thereof and conduct a series of evaluations in terms of running time, gas cost and latency. The results show that our scheme is feasible and efficient.

Cryptography and Security

Uwe Der,Stefan Jähnichen,Jan Sürmeli

DOI: https://doi.org/10.48550/arXiv.1712.01767

2017-12-05

Computers and Society

Abstract:The interconnectedness of people, services and devices is a defining aspect of the digital revolution, and, secure digital identities are an important prerequisite for secure and legally compliant information exchange. Existing approaches to realize a secure identity management focus on central providers of identities such as national authorities or online service providers. Hence, changing residence or service provider often means to start over and creating new identities, because procedures for data portability are missing. Self-sovereign digital identities are instead created and managed by individuals, and enable them to maintain their digital identities independent from residence, national eID infrastructure and market-dominating service providers.

Cristian Nicolae Butincu,Adrian Alexandrescu

DOI: https://doi.org/10.1109/access.2024.3394537

IF: 3.9

2024-05-03

IEEE Access

Abstract:The increased digitalization of society raises concerns regarding data protection and user privacy, and criticism on how the companies handle user data without being transparent and without providing adequate mechanisms for users to control how their own data is being processed or shared. To address this problem and open the way for a secure and efficient society, where the privacy of citizens is paramount, the identity concept and proof of identity mechanisms need to be redesigned from the ground up. In this paper we discuss how the emerging Web3 technologies like distributed ledger technology (DLT), blockchain, smart contracts, decentralized storage systems, and crypto wallets can be leveraged to design and implement a decentralized digital identity system based on decentralized identifiers (DID) and self-sovereign identities (SSI). Such a system puts the users in full control over their own data while also providing a solid backbone for building interoperable systems that are secure, scalable, and efficient. We propose different architectures for the decentralized identity infrastructure and storage layer, and also discuss the mapping of these architectures on cloud platforms. The main goal is to provide an architectural blueprint for a scalable, secure, privacy-preserving and trusted system.

computer science, information systems,telecommunications,engineering, electrical & electronic

Abubakar-Sadiq Shehu

2024-09-05

Abstract:Identity Management Systems (IdMs) have complemented how users are identified, authenticated, and authorised on e-services. Among the methods used for this purpose are traditional IdMs (isolated, centralised and federated) that mostly rely on identity providers (IdPs) to broker trust between a user and service-providers (SPs). An IdP also identifies and authenticates a user on-behalf of the SP, who then determines the authorisation of the user. In these processes, both SP and IdP collect, process or store private users' data, which can be prone to breach. One approach to address the data breach is to relieve the IdP, and return control and storage of personal data to the owner. Self-sovereign identity (SSI) was introduced as an IdM model to reduce the possibility of data breaches by offering control of personal data to the owner. SSI is a decentralised IdM, where the data owner has sovereign control of personal data stored in their digital wallet. Since SSI is an emerging technology, its components and methods require careful evaluation. This paper provides an evolution to IdMs and reviews the state-of-the-art SSI frameworks. We explored articles in the literature that reviewed blockchain solutions for General Data Protection Regulation (GDPR). We systematically searched recent SSI and blockchain proposals, evaluated the compliance of the retrieved documents with the GDPR privacy principles, and discussed their potentials, constraints, and limitations. This work identifies potential research gaps and opportunities.

Cryptography and Security

Haotian Cheng,Xiaofeng Li,He Zhao,Tong Zhou,Bin Yu,Nianzu Sheng

DOI: https://doi.org/10.1016/j.jisa.2024.103735

IF: 4.96

2024-03-09

Journal of Information Security and Applications

Abstract:The popularization of digital credentials brings convenience to people, but it also increases the risks of privacy leakage and capability abuse. Designing an accountable anonymous credential scheme offers a promising solution to this problem. However, most existing schemes of accountable anonymous credentials cannot effectively support both decentralized verification and flexible revocation. In this paper, we present S-Cred, an accountable anonymous credential scheme with decentralized verification and flexible revocation, to provide a delegation issuance method for credentials. The ownership of attributes will be transferred to users' temporary identities on the blockchain. In order to prevent credentials misuse, we also design several constraint mechanisms for tracing misbehaving users and revoking their credentials. We further construct a non-fungible obfuscation mechanism by introducing special roles called cloakers. In addition, this paper conducts analysis on security, functionality, efficiency and performance. The results show that S-Cred combines decentralized authentication and flexible revocation with a low computational cost in verification, which demonstrates the practicality of our solution.

computer science, information systems

Alexander Mühle,Andreas Grüner,Tatiana Gayvoronskaya,Christoph Meinel

DOI: https://doi.org/10.48550/arXiv.1807.06346

2018-07-17

Cryptography and Security

Abstract:This paper provides an overview of the Self-Sovereign Identity (SSI) concept, focusing on four different components that we identified as essential to the architecture. Self-Sovereign Identity is enabled by the new development of blockchain technology. Through the trustless, decentralised database that is provided by a blockchain, classic Identity Management registration processes can be replaced. We start off by giving a simple overview of blockchain based SSI, introducing an architecture overview as well as relevant actors in such a system. We further distinguish two major approaches, namely the Identifier Registry Model and its extension the Claim Registry Model. Subsequently we discuss identifiers in such a system, presenting past research in the area and current approaches in SSI in the context of Zooko's Triangle. As the user of an SSI has to be linked with his digital identifier we also discuss authentication solutions. Most central to the concept of an SSI are the verifiable claims that are presented to relying parties. Resources in the field are only losely connected. We will provide a more coherent view of verifiable claims in regards to blockchain based SSI and clarify differences in the used terminology. Storage solutions for the verifiable claims, both on- and off-chain, are presented with their advantages and disadvantages.

Quinten Stokkink,Johan Pouwelse

DOI: https://doi.org/10.1109/cybermatics_2018.2018.00230

2018-07-01

Abstract:Digital identity is unsolved: after many years of research there is still no trusted communication over the Internet. To provide identity within the context of mutual distrust, this paper presents a blockchain-based digital identity solution. Without depending upon a single trusted third party, the proposed solution achieves passport-level legally valid identity. This solution for making identities Self-Sovereign, builds on a generic provable claim model for which attestations of truth from third parties need to be collected. The claim model is then shown to be both blockchain structure and proof method agnostic. Four different implementations in support of these two claim model properties are shown to offer sub-second performance for claim creation and claim verification. Through the properties of Self-Sovereign Identity, legally valid status and acceptable performance, our solution is considered to be fit for adoption by the general public.

Kheng Leong Tan,Chi-Hung Chi,Kwok-Yan Lam

DOI: https://doi.org/10.1145/3616400

IF: 16.6

2023-08-17

ACM Computing Surveys

Abstract:Through digital transformation, lots of personal data are captured, but individuals often do not have ownership or control over them. This results in the emerging Web 3.0, where people demand for data sovereignty. There are actually two conceptually related terms, data sovereignty and digital sovereignty. This paper first explains these two concepts in terms of their points of focus, guiding principles, laws and regulations requirements, and then analyses the requirements and technical challenges of their implementation. To understand the emerging trend shift in digital sovereignty towards individuals taking control of security and privacy preserving over their own digital assets, this paper conducts a systematic review and analysis on Self-Sovereign Identity (SSI), which is a user-centric decentralized model and autonomy for an individual to self-determine the access and use of one's identity and credentials. The review covers existing SSI solutions and points out that an efficient key management system, the scalability and interoperability of the solution, and a well-established standard are some of the challenges for SSI deployment. Finally, the paper concludes with open issues about digital identity, including dynamic attributes, persona, and attribute ownership, that challenge the current reference architecture of SSI as well as its implementation.

computer science, theory & methods