Libin Xia,Jiashuo Zhang,Xihan Zhang,Yue Li,Jianbo Gao,Zhi Guan,Zhong Chen

DOI: https://doi.org/10.1109/dapps57946.2023.00028

2023-01-01

Abstract:The popularity of decentralized applications brings increasing on-chain audit concerns. Since on-chain accounts do not link to real-world identities, decentralized applications have been wildly used for illegal activities like money laundering. Decentralized identity (DID) is one of the most promising solutions to guarantee on-chain auditability in a privacy-preserving way. However, the existing DID systems suffer from two limitations, making them rarely adopted in on-chain decentralized applications. First, most previous systems only provide partial auditability, meaning that their regulators cannot trace users' real-world identities after users' malicious behaviors occur. Second, current solutions are usually isolated systems, causing a lack of interoperability with on-chain decentralized applications. To address the problems, we propose Didapper, a practical and auditable on-chain identity service with both privacy and auditability for decentralized applications. We introduce group signatures to provide anonymous and traceable credentials for on-chain users and decentralized applications. In order to meet the efficiency and flexibility requirements, we design credential structure and workflow mostly compatible with W3C standards (a DID recommendation that enables verifiable, decentralized digital identity), and realize credential verification service with updatable policies. We implement Didapper and evaluate it on Ethereum, and the results show that the performance of Didapper is acceptable in practice.

Deepak Maram,Harjasleen Malvai,Fan Zhang,Nerla Jean-Louis,Alexander Frolov,Tyler Kell,Tyrone Lobban,Christine Moy,Ari Juels,Andrew Miller

DOI: https://doi.org/10.1109/SP40001.2021.00038

2021-01-01

Abstract:We present CanDID, a platform for practical, user-friendly realization of decentralized identity, the idea of empowering end users with management of their own credentials.While decentralized identity promises to give users greater control over their private data, it burdens users with management of private keys, creating a significant risk of key loss. Existing and proposed approaches also presum...

Huijiong Yang,Rui Song,Bing Chen,Yubo Song,Bin Xiao

DOI: https://doi.org/10.1109/icc51166.2024.10622445

2024-01-01

Abstract:Identity management plays a critical role in Web3 applications. Decentralized Identity (DID) offers a privacy-preserving solution, giving users full control over their identity information. Existing research on DID primarily focuses on single-owner scenarios, where owners have complete privileges for owner management and credentials. However, in multi-owner cases, current coarse-grained identity management approaches lead to serious privacy and security problems, such as identity impersonation and high key recovery overhead. Little work has been done on identity management for multiple owners. In this paper, we propose MoDID, a fine-grained identity management scheme for multiple owners, which complies with the DID standard proposed by W3C. First, our solution allows multiple owners to control DID subjects flexibly and reliably through hierarchical owner management. Additionally, we design a secure key recovery scheme to reduce the risk of identity loss while introducing lower overhead. Finally, we implement MoDID on the Sepolia Ethereum Test Network to evaluate the effectiveness of our proposed scheme. The result demonstrates that our system allows multiple owners to manage a single identity with lower gas consumption and time consumption than the state-of-the-art.

Jiakun Hao,Jianbo Gao,Peng Xiang,Jiashuo Zhang,Ziming Chen,Hao Hu,Zhong Chen

DOI: https://doi.org/10.1109/smc53992.2023.10394499

2023-01-01

Abstract:Decentralized identity (DID) is an identity management framework aiming to return the ownership of an identity to its corresponding user. Recent studies propose to store the identifiers of DID issuers and implement identity management systems based on blockchain. However, existing systems cannot avoid identity tampering and verifiable credential abuse of decentralized identities, which makes the identity management opaque. In this paper, we propose TDID, a Transparent and efficient Decentralized IDentity management system with blockchain. The key insight behind TDID is to manage the registration and authentication of DIDs via smart contracts, and design Structured Merkle Patricia Tree (SMPT) as an underlying data structure to store identity data on blockchain. The smart contract based processes can improve transparency of decentralized identity management, while the SMPT data structure can realize efficient storage of DID data. We implement and evaluate TDID on different identity management operations, and the experimental results show that TDID can achieve about 3.1 times for write operation and 6.3 times for read operation while improving the transparency of DID management.

Haotian Deng,Jinwen Liang,Chuan Zhang,Ximeng Liu,Liehuang Zhu,Song Guo

DOI: https://doi.org/10.1109/tc.2024.3398509

IF: 3.183

2024-01-01

IEEE Transactions on Computers

Abstract:Decentralized identity (DID) systems conforming to the World Wide Web Consortium (W3C) Decentralized Identifiers (DIDs) and Verifiable Credentials Data Model recommendations have recently attracted attention due to their better autonomy, interoperability, and openness design. However, those W3C recommendations lack a design for addressing the single point of failure (SPOF) and identity revocation, which could seriously compromise the robustness and practicality of DID systems. To remedy these limitations, we propose FutureDID, a DID system that enables multiple parties to jointly issue credentials and efficiently revoke DID identities, providing a robust and practical DID system. FutureDID is designed with a multi-party credential issuing mechanism based on distributed key generation technology, which transforms trust from a single entity to distributed committees and facilitates authentication between issuers, making it more resistant to SPOF. Moreover, the underlying blockchain system is built on a chameleon hash function to ensure tamper-proof and enable efficient identity revocation. We have implemented a prototype system using FISCO BCOS and conducted extensive evaluations to demonstrate the effectiveness and practicality of our system. Our evaluations have shown that FutureDID provides a significant improvement in efficiency, achieving at least a 60 × efficiency improvement in identity revocation compared to state-of-the-art systems.

Yizhong Liu,Boyu Zhao,Zedan Zhao,Jianwei Liu,Xun Lin,Qianhong Wu,Willy Susilo

DOI: https://doi.org/10.1109/jiot.2024.3380068

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Web3 is a revolutionary Internet paradigm that focusing decentralization, user empowerment, and intelligence. One of its key technologies is decentralized identity (DID), which has gained significant attention recently. However, existing DID solutions are not scalable enough to be compatible with the large-scale identity node applications required by Web3 across various fields. To overcome this challenge, we propose the first multi-layer Web3 DID architecture utilizing sharding blockchain, which provides management, scalability, and compatibility. This architecture leverages leader shards and the main chain to establish trust, while regular shards manage DID-related transactions. Specific system processes and query optimizations are also given. Besides, formal security analysis and comprehensive simulation evaluations have demonstrated that the architecture can achieve all proposed security and performance goals, including low latency of down to 2 seconds and high throughput of up to 90KTPS.

computer science, information systems,telecommunications,engineering, electrical & electronic

Shrey Jain,Leon Erichsen,Glen Weyl

DOI: https://doi.org/10.48550/arXiv.2208.11443

2022-08-24

Abstract:In this article, we explore the tension between abstraction and composability in web3 today, specifically within identity solutions, and argue that the current standard DID v1.0 is sufficiently under specified, allowing for many methods and instantiations, including blockchain based certificates. We view experiments today in web3 identity as additive and complementary, and argue that often cited differences are of degree and more in form, less in substance. By way of illustration, we compare decentralized naming services and blockchain based identity certificates such as soulbound tokens (SBTs) to decentralized identifiers (DIDs) and verifiable credentials (VCs). Both paradigms, to the extent they can be meaningfully differentiated, share similar potential as well as challenges. Specifically, we refer to fears about non consensual verification (scarlet letters) and show DID method iterations are not immune by issuing an innocuous public scarlet letter to a DIDs associated public address for anyone to see. Moreover, we argue that because SBTs are unspecified, one could characterize SBTs as an iteration, or extension, of VCs that additionally aspire to achieve composability with web3 smart contracts for correct execution of code, privacy, coercion resistance, and censorship resistance. We offer research paths for how VCs can also achieve these properties. We do not comment on cost, scalability, transferability, or common knowledge as they have been previously reviewed.

Cryptography and Security

Weiqi Dai,Shuyue Tuo,Liangliang Yu,Kim-Kwang Raymond Choo,Deqing Zou,Hai Jin

DOI: https://doi.org/10.1109/jiot.2022.3197708

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:Data is a key asset in our interconnected and smart city. Especially, in the context of healthcare, healthcare data can facilitate remote diagnosis and medical research. Because of the potentially sensitive nature of healthcare data, privacy is a key consideration for both individuals and organizations. We can broadly categorize privacy considerations into data privacy, attribute privacy, and privilege policy privacy. To support one or more notions of privacy, the potential of solutions, such as fine-grained access control [e.g., those based on attribute-based encryption (ABE)] and blockchain in realizing data sharing has been explored. However, these approaches generally only facilitate access control of data and the traceability of the sharing process, and do not protect the attribute and privilege policy privacy of users. Therefore, in this article, we implement HAPPS, a hidden attribute and privilege-protection data-sharing scheme with verifiability. The three key building blocks of HAPPS are zero-knowledge proof, blockchain, and distributed ABE (DABE). Specifically, in our approach, we propose a new data access control strategy (i.e., attribute-hidden zero-knowledge proof—at-ZKP) to hide user identity and attributes during the authorization process. Our scheme is embedded in the blockchain and built into the decentralized sharing platform to prevent central verifier counterfeiting and support auditing. To demonstrate utility, we prove that HAPPS ensures data, attribute, and privilege policy privacy. Findings of our evaluations implemented on Ethereum and using the data set from the healthcare cost and utilization project (HCUP), we demonstrate that our scheme can share sensitive healthcare records belonging to minors (e.g., children) without the at-ZKP incurring unrealistic cost.

Jing He,Xiaofeng MA,Dawei Zhang,Feng Peng

DOI: https://doi.org/10.1051/sands/2024013

2024-10-16

Security and Safety

Abstract:Decentralized identity represents an innovative approach based on blockchain to achieve effective identity management. This method utilizes decentralized identifiers and verifiable credential to enable trusted authentication, free circulation of identity information, and self-sovereign control over identity data functionalities. The current decentralized identity systems rely on entirely anonymous identifiers, lacking robust identity regulation. Furthermore, they face challenges such as identity attribute leakage during verifiable credential presentation and the issuers' struggle to reliably revoke credentials. To address these issues, efficient and practical schemes have been designed based on BBS signature, zero-knowledge proof, dynamic accumulator and blockchain technology: one for decentralized identifiers management and the other for verifiable credential privacy protection, both of which are supervised and revocable. The former ensures the privacy of subject identity while achieving regulatability and revocability of identity data by regulator. The latter facilitates selective disclosure of anonymous credentials and reliable revocation. A security analysis shows that the proposed scheme meets anonymity, non-forgeability, regulatory reliability, and revocability reliability, and offers comprehensive and effective privacy protection measures. The experimental results demonstrate that the algorithms designed operate at a millisecond level, which satisfies the demands of blockchain identity management scenarios.

Rui Song

2024-01-02

Abstract:Decentralized identity mechanisms endeavor to endow users with complete sovereignty over their digital assets within the Web3 ecosystem. Unfortunately, this benefit frequently comes at the expense of users' credential and identity privacy. Additionally, existing schemes fail to resist Sybil attacks that have long plagued Web3, and lack reasonable key recovery mechanisms to regain control of digital assets after loss. In this work, we propose LinkDID, a privacy-preserving, Sybil-resistant, and key-recoverable decentralized identity scheme that supports selective disclosure of credentials for arbitrary predicates while maintaining privacy for credentials and identities. Through an identifier association mechanism, LinkDID can privately and forcibly aggregate users' identifiers, providing Sybil resistance without relying on any external data or collateral from benign users. To enable key recovery, LinkDID permits users to establish proofs of ownership for identifiers with lost keys and request an update of corresponding keys from the decentralized ledger. We provide a detailed theoretical analysis and security proofs of LinkDID, along with an exhaustive performance evaluation that shows its ability to complete interactions in less than 10 seconds on consumer-grade devices.

Cryptography and Security

Shuo Yang,Xingwei Lin,Jiachi Chen,Qingyuan Zhong,Lei Xiao,Renke Huang,Yanlin Wang,Zibin Zheng

2024-08-12

Abstract:The rapid advancement of blockchain platforms has significantly accelerated the growth of decentralized applications (DApps). Similar to traditional applications, DApps integrate front-end descriptions that showcase their features to attract users, and back-end smart contracts for executing their business logic. However, inconsistencies between the features promoted in front-end descriptions and those actually implemented in the contract can confuse users and undermine DApps's trustworthiness. In this paper, we first conducted an empirical study to identify seven types of inconsistencies, each exemplified by a real-world DApp. Furthermore, we introduce HYPERION, an approach designed to automatically identify inconsistencies between front-end descriptions and back-end code implementation in DApps. This method leverages a fine-tuned large language model LLaMA2 to analyze DApp descriptions and employs dataflow-guided symbolic execution for contract bytecode analysis. Finally, HYPERION reports the inconsistency based on predefined detection patterns. The experiment on our ground truth dataset consisting of 54 DApps shows that HYPERION reaches 84.06% overall recall and 92.06% overall precision in reporting DApp inconsistencies. We also implement HYPERION to analyze 835 real-world DApps. The experimental results show that HYPERION discovers 459 real-world DApps containing at least one inconsistency.

Software Engineering

Qianwen Wei,Shujun Li,Wei Li,Hong Li,Mingsheng Wang

DOI: https://doi.org/10.1007/978-3-030-23597-0_29

2019-01-01

Abstract:In Bitcoin, the knowledge of private key equals to the ownership of bitcoin, which occurs two problems: the first problem is that the private key must be kept properly, and the second one is that once the private key is given, it can't be taken back, hence the bitcoin system can only implement the transfer function. In this paper, we first propose a new digital signature algorithm and use it to design an online wallet, which can help the user derive the signature without obtaining the user's private key. Secondly, using our proposed online wallet, we extend the application of private key so that the cryptocurrency system can implement the authorization function. In more detail, we define a new primitive that we call decentralized hierarchical authorized payment scheme (DHAP scheme). We next propose a concrete instantiation and prove its correctness. Finally, we analyze the security and usability of our scheme. For security, we prove our scheme to be secure under the random oracle model. For usability, we examine its performance and compare it with bitcoin's performance.

Caimei Wang,Jianhao Lu,Xinlu Li,Pei Cao,Zijian Zhou,Qilue Wen

DOI: https://doi.org/10.1109/access.2023.3296781

IF: 3.9

2023-01-01

IEEE Access

Abstract:With the frequent occurrence of private data breaches, it is now more necessary than ever to address how to protect private data. The combination of Ciphertext-Policy Attribute-Based Encryption (CP-ABE) and blockchain typically enables secure storage and sharing of data. However, in high-dimensional attribute domains, that is, the number of attributes is large, these schemes have issues such as low security of data protection, high computational overhead, and high cost of attribute revocation. This paper proposes a personal privacy data protection scheme for encryption and revocation of high-dimensional attribute domains to address these issues. The proposed scheme is made up of three components. Firstly, Fast High-dimensional Attribute Domain-based Message Encryption (HAD-FME) is proposed to improve data security and reduce computational cost. Secondly, an Attribute Revocation Mechanism Based on Sentry Mode (SM-ARM) is designed in combination with smart contracts. Lastly, a Blockchain-based Model for Personal Privacy Data Protection (BC-PPDP) is proposed by integrating HAD-FME with SM-ARM. The security analysis results show that HAD-FME proposed in this paper is secure under the DLIN assumption, and the attribute revocation satisfies both forward and backward security. Experiments show that HAD-FME has higher computational efficiency than existing schemes in the high-dimensional attribute domains, SM-ARM has lower revocation cost than existing attribute revocation mechanisms, and smart contracts and blockchain work well.

computer science, information systems,telecommunications,engineering, electrical & electronic

Shengwei You,Kristina Radivojevic,Jarek Nabrzyski,Paul Brenner

DOI: https://doi.org/10.1007/s10586-023-04222-4

2024-01-06

Cluster Computing

Abstract:In the advancing world of blockchain technology, the paramount need for trustworthy oracles, the entities responsible for providing external data to blockchain's smart contracts, is becoming more apparent. This paper introduces a novel protocol, the Persona Preserving Reputation Protocol (P2RP), which leverages Decentralized Identity (DID)-based reputation systems to maintain security and user privacy while ensuring the trustworthiness of blockchain oracles. Leveraging the innovative application of Ordinary Differential Equations (ODEs), we introduce a technique for forecasting and calculating the reputation scores of users, a crucial component within the P2RP protocol. The design of P2RP features four distinct account types with varying degrees of privacy and reputation characteristics. The simulation results suggest that the P2RP protocol can lead towards a secure, privacy-preserving, and reliable oracle service in the Web3 ecosystem.

computer science, information systems, theory & methods

Jie Yin,Yang Xiao,Qingqi Pei,Ying Ju,Lei Liu,Ming Xiao,Celimuge Wu

DOI: https://doi.org/10.1109/jiot.2022.3145089

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:Internet of Things (IoT) applications have penetrated into all aspects of human life. Millions of IoT users and devices, online services, and applications combine to create a complex and heterogeneous network, which complicates the digital identity management. Distributed identity is a promising paradigm to solve IoT identity problems and allows users to have soverignty over their private data. However, the existing state-of-the-art methods are unsuitable for IoT due to continuing issues regarding resource limitations for IoT devices, security and privacy issues, and lack of a systematic proof system. Accordingly, in this article, we propose SmartDID, a novel blockchain-based distributed identity aimed at establishing a self-sovereign identity and providing strong privacy preservation. First, we configure IoT devices as light nodes and design a Sybil-resistant, unlinkable, and supervisable distributed identity that does not rely on central identity providers. We further develop a dual-credential model based on commitment and zero-knowledge proofs to protect the privacy of sensitive attributes, on-chain identity data, and linkage of credentials. Moreover, we combine the basic credential proofs to prove the knowledge of solutions to more complex problems and create a systematic proof system. We go on to provide the security analysis of SmartDID. Experimental analysis shows that our scheme achieves better performance in terms of both credential generation and proof generation when compared with CanDID.

computer science, information systems,telecommunications,engineering, electrical & electronic

YiNing Qi,YongFeng Huang

DOI: https://doi.org/10.1007/s11431-017-9258-0

2018-01-01

Science China Technological Sciences

Abstract:Multi-cloud storage is a promising platform to offer resilient solution for clients in financial or confidentiality aspects. The research of provable data possession (PDP) schemes has long been a popular topic in the perspective of enhancing trust between clients and clouds. For multi-cloud, the works almost rely on centralized agent server called organizer to control the clouds and third party auditor (TPA) to realize public verification and reputation system. However, such centralized structure brings in the risk of collusion attack that malicious clouds can collaborate with TPA to deceive the client. This paper tries to explore a new way to construct decentralized integrity and reputation audit (DIRA) scheme, by taking advantage of improved blockchain with two-step transaction validation and removing all the centralized structure from the multi-cloud storage. The analysis shows that the DIRA scheme obtains the resistance to collusion attack.

Jiahe Wang,Songjie Wei,Haozhe Liu

DOI: https://doi.org/10.1007/978-3-030-23404-1_14

2019-01-01

Abstract:To overcome the difficulties in the traditional password-based identity authentication procedure with high security risk and complexity, and to avoid the privacy leaking problems arising from a series of new techniques such as using biometrics as key, this paper proposes a universal solution for decentralized identity authentication by block chain integrated with a trusted execution environment, through a separate hardware to establish a secure area, enabling identity anonymity and avoiding feature disclosure. Smart contract and consensus mechanism are adopted for building trusted identity nodes between decentralized nodes by constructing a traceable identity data structure in blockchain. We conduct formal theoretical and empirical evaluations to show that the proposed can realize user identity registration, cross-platform authentication, and guarantee security in the whole procedure with efficiency and reliability.

Yiwei Feng,Tianxiu Xie,Weilin Chan,Hongchen Guo,Keke Gai

DOI: https://doi.org/10.1109/hdis60872.2023.10499582

2023-01-01

Abstract:The maturation of blockchain technology has spurred a growing scholarly interest in Decentralized Identity (DID) within the industry. Existing decentralized identity solutions have been extensively applied and deeply researched in blockchain scenarios. However, blockchain-based decentralized digital identity still encounters significant hurdles, including issues related to limited consensus scalability, subpar authen-tication efficiency, and burdensome storage requirements. In this work, we propose a Verifiable Dispersal Consensus and identity Aggregation-based DID (VDCA-DID) model, which incor-porates content aggregation and signature aggregation to enhance identity authentication efficiency. Moreover, in VDCA-DID, the trusted components and verifiable dispersal-based BFT Consen-sus protocol is employed to maintain consensus stability even in the presence of network fluctuations, achieving node agreement in asynchronous networks. This paper analyzes and evaluates VDCA-DID from the aspects of correctness and security to ensure the consensus robustness within asynchronous networks. Our experiment evaluations have demonstrated that the proposed model can increase the identity aggreaation efficiency. 1 1 This work is partially supported by the National Key Research and Development Program of China (Grant No. 2021YFB2701300), National Natural Science Foundation of China (Grant No. 62372044), and the Defense Industrial Technology Development Program (Grant No. JCKY2020206C058). 2 2 *Corresponding author.

Cristian Nicolae Butincu,Adrian Alexandrescu

DOI: https://doi.org/10.1109/access.2024.3394537

IF: 3.9

2024-05-03

IEEE Access

Abstract:The increased digitalization of society raises concerns regarding data protection and user privacy, and criticism on how the companies handle user data without being transparent and without providing adequate mechanisms for users to control how their own data is being processed or shared. To address this problem and open the way for a secure and efficient society, where the privacy of citizens is paramount, the identity concept and proof of identity mechanisms need to be redesigned from the ground up. In this paper we discuss how the emerging Web3 technologies like distributed ledger technology (DLT), blockchain, smart contracts, decentralized storage systems, and crypto wallets can be leveraged to design and implement a decentralized digital identity system based on decentralized identifiers (DID) and self-sovereign identities (SSI). Such a system puts the users in full control over their own data while also providing a solid backbone for building interoperable systems that are secure, scalable, and efficient. We propose different architectures for the decentralized identity infrastructure and storage layer, and also discuss the mapping of these architectures on cloud platforms. The main goal is to provide an architectural blueprint for a scalable, secure, privacy-preserving and trusted system.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zhiming Song,Enhua Yan,Junrong Song,Rong Jiang,Yimin Yu,Taowei Chen

DOI: https://doi.org/10.1007/s13369-024-09178-0

IF: 2.807

2024-06-06

Arabian Journal for Science and Engineering

Abstract:The blockchain-based digital identity system (BDIS) has emerged as a promising alternative to centralized digital identity systems. While BDISs offer numerous advantages such as decentralization and enhanced security, traditional implementations still exhibit weaknesses in ensuring identity authenticity, controllability, and auditability while maintaining privacy. This paper aims to address these challenges by proposing novel approaches. It separates the functions of verifying physical identity and issuing digital credentials into two distinct roles: the identity verifier and the credential provider, employing linkable ring signatures to obscure the verifier's identity and significantly mitigate the risk of identity information leakage—a common issue in traditional schemes where a single entity performs both tasks. Additionally, this paper addresses the overlooked aspect of identity controllability in traditional schemes, especially proactive and passive revocation with privacy in mind, by integrating cryptographic commitments, zero-knowledge proofs, PS randomized signatures, cryptographic accumulators, and AES encryption. This approach ensures privacy while enabling both types of revocation. Furthermore, it tackles the neglected auditability of identity privacy in traditional schemes by combining linkable ring signatures with smart contract events and other technologies, ensuring auditable privacy protection. Fourth, a blockchain smart contract is utilized to manage system parameters and implement on-chain verification of privacy-protected identities, ensuring cross-platform capability, transparent verification, and resilience against single-point failures. A use case is provided, evaluating the system's performance. Comparative analysis and security discussions suggest that the proposed system rectifies deficiencies in current BDISs and offers improved applicability, execution performance, and security.

multidisciplinary sciences