Deepak Maram,Harjasleen Malvai,Fan Zhang,Nerla Jean-Louis,Alexander Frolov,Tyler Kell,Tyrone Lobban,Christine Moy,Ari Juels,Andrew Miller

DOI: https://doi.org/10.1109/SP40001.2021.00038

2021-01-01

Abstract:We present CanDID, a platform for practical, user-friendly realization of decentralized identity, the idea of empowering end users with management of their own credentials.While decentralized identity promises to give users greater control over their private data, it burdens users with management of private keys, creating a significant risk of key loss. Existing and proposed approaches also presum...

Haotian Deng,Jinwen Liang,Chuan Zhang,Ximeng Liu,Liehuang Zhu,Song Guo

DOI: https://doi.org/10.1109/tc.2024.3398509

IF: 3.183

2024-01-01

IEEE Transactions on Computers

Abstract:Decentralized identity (DID) systems conforming to the World Wide Web Consortium (W3C) Decentralized Identifiers (DIDs) and Verifiable Credentials Data Model recommendations have recently attracted attention due to their better autonomy, interoperability, and openness design. However, those W3C recommendations lack a design for addressing the single point of failure (SPOF) and identity revocation, which could seriously compromise the robustness and practicality of DID systems. To remedy these limitations, we propose FutureDID, a DID system that enables multiple parties to jointly issue credentials and efficiently revoke DID identities, providing a robust and practical DID system. FutureDID is designed with a multi-party credential issuing mechanism based on distributed key generation technology, which transforms trust from a single entity to distributed committees and facilitates authentication between issuers, making it more resistant to SPOF. Moreover, the underlying blockchain system is built on a chameleon hash function to ensure tamper-proof and enable efficient identity revocation. We have implemented a prototype system using FISCO BCOS and conducted extensive evaluations to demonstrate the effectiveness and practicality of our system. Our evaluations have shown that FutureDID provides a significant improvement in efficiency, achieving at least a 60 × efficiency improvement in identity revocation compared to state-of-the-art systems.

Jiakun Hao,Jianbo Gao,Peng Xiang,Jiashuo Zhang,Ziming Chen,Hao Hu,Zhong Chen

DOI: https://doi.org/10.1109/smc53992.2023.10394499

2023-01-01

Abstract:Decentralized identity (DID) is an identity management framework aiming to return the ownership of an identity to its corresponding user. Recent studies propose to store the identifiers of DID issuers and implement identity management systems based on blockchain. However, existing systems cannot avoid identity tampering and verifiable credential abuse of decentralized identities, which makes the identity management opaque. In this paper, we propose TDID, a Transparent and efficient Decentralized IDentity management system with blockchain. The key insight behind TDID is to manage the registration and authentication of DIDs via smart contracts, and design Structured Merkle Patricia Tree (SMPT) as an underlying data structure to store identity data on blockchain. The smart contract based processes can improve transparency of decentralized identity management, while the SMPT data structure can realize efficient storage of DID data. We implement and evaluate TDID on different identity management operations, and the experimental results show that TDID can achieve about 3.1 times for write operation and 6.3 times for read operation while improving the transparency of DID management.

Rui Song

2024-01-02

Abstract:Decentralized identity mechanisms endeavor to endow users with complete sovereignty over their digital assets within the Web3 ecosystem. Unfortunately, this benefit frequently comes at the expense of users' credential and identity privacy. Additionally, existing schemes fail to resist Sybil attacks that have long plagued Web3, and lack reasonable key recovery mechanisms to regain control of digital assets after loss. In this work, we propose LinkDID, a privacy-preserving, Sybil-resistant, and key-recoverable decentralized identity scheme that supports selective disclosure of credentials for arbitrary predicates while maintaining privacy for credentials and identities. Through an identifier association mechanism, LinkDID can privately and forcibly aggregate users' identifiers, providing Sybil resistance without relying on any external data or collateral from benign users. To enable key recovery, LinkDID permits users to establish proofs of ownership for identifiers with lost keys and request an update of corresponding keys from the decentralized ledger. We provide a detailed theoretical analysis and security proofs of LinkDID, along with an exhaustive performance evaluation that shows its ability to complete interactions in less than 10 seconds on consumer-grade devices.

Cryptography and Security

Yizhong Liu,Boyu Zhao,Zedan Zhao,Jianwei Liu,Xun Lin,Qianhong Wu,Willy Susilo

DOI: https://doi.org/10.1109/jiot.2024.3380068

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Web3 is a revolutionary Internet paradigm that focusing decentralization, user empowerment, and intelligence. One of its key technologies is decentralized identity (DID), which has gained significant attention recently. However, existing DID solutions are not scalable enough to be compatible with the large-scale identity node applications required by Web3 across various fields. To overcome this challenge, we propose the first multi-layer Web3 DID architecture utilizing sharding blockchain, which provides management, scalability, and compatibility. This architecture leverages leader shards and the main chain to establish trust, while regular shards manage DID-related transactions. Specific system processes and query optimizations are also given. Besides, formal security analysis and comprehensive simulation evaluations have demonstrated that the architecture can achieve all proposed security and performance goals, including low latency of down to 2 seconds and high throughput of up to 90KTPS.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ke Wang,Jianbo Gao,Qiao Wang,Jiashuo Zhang,Yue Li,Zhi Guan,Zhong Chen

DOI: https://doi.org/10.1145/3627106.3627110

2023-01-01

Abstract:Decentralized identity (DID), the idea of giving users complete control over their identity-related data, is being used to solve the privacy tension in the identity management of decentralized applications (Dapps). While existing approaches do an excellent job of solving the privacy tension, they have not adequately addressed the accountability and Sybil-resistance issues. Moreover, these approaches have a considerable gas overhead, making them impractical for Dapps. We presented Hades, a novel practical DID system supporting full accountability and fine-grained Sybil-resistance while providing strong privacy properties. Hades supports three aspects of accountability, i.e., auditability, traceability, and revocation. Hades is the first DID system that supports accountability in all these three aspects. Hades is also the first DID system that supports fine-grained Sybil-resistance, enabling Dapps to customize personalized Sybil resistance strategies based on users’ identity attributes. Hades can run efficiently on the Ethereum Virtual Machine (EVM). We implemented and evaluated Hades. The benchmarks showed that Hades has the lowest gas cost incurred on EVM as far as we know. Also, we presented a case study on attribute-associated fair NFT distribution (“airdrops”) where all previous works failed, whereas we gave a solution leveraging Hades.

Jing He,Xiaofeng MA,Dawei Zhang,Feng Peng

DOI: https://doi.org/10.1051/sands/2024013

2024-10-16

Security and Safety

Abstract:Decentralized identity represents an innovative approach based on blockchain to achieve effective identity management. This method utilizes decentralized identifiers and verifiable credential to enable trusted authentication, free circulation of identity information, and self-sovereign control over identity data functionalities. The current decentralized identity systems rely on entirely anonymous identifiers, lacking robust identity regulation. Furthermore, they face challenges such as identity attribute leakage during verifiable credential presentation and the issuers' struggle to reliably revoke credentials. To address these issues, efficient and practical schemes have been designed based on BBS signature, zero-knowledge proof, dynamic accumulator and blockchain technology: one for decentralized identifiers management and the other for verifiable credential privacy protection, both of which are supervised and revocable. The former ensures the privacy of subject identity while achieving regulatability and revocability of identity data by regulator. The latter facilitates selective disclosure of anonymous credentials and reliable revocation. A security analysis shows that the proposed scheme meets anonymity, non-forgeability, regulatory reliability, and revocability reliability, and offers comprehensive and effective privacy protection measures. The experimental results demonstrate that the algorithms designed operate at a millisecond level, which satisfies the demands of blockchain identity management scenarios.

Ruibiao Chen,Fangxing Shu,Shuokang Huang,Lei Huang,Huafang Liu,Jin Liu,Kai Lei

DOI: https://doi.org/10.23919/jcin.2021.9387704

2021-01-01

Journal of Communications and Information Networks

Abstract:Reliable identity management and authentication are significant for network security. In recent years, as traditional centralized identity management systems suffer from security and scalability problems, decentralized identity management has received considerable attention in academia and industry. However, with the increasing sharing interaction among each domain, management and authentication of decentralized identity has raised higher requirements for cross-domain trust and faced implementation challenges galore. To solve these problems, we propose BIdM, a decentralized cross- domain identity management system based on blockchain. We design a decentralized identifier (DID) for naming identities based on the consortium blockchain technique. Since the identity subject fully controls the life cycle and ownership of the proposed DID, it can be signed and issued without a central authentication node's intervention. Simultaneously, every node in the system can participate in identity authentication and trust establishment, thereby solving the centralized mechanism's single point of failure problem. To further improve authentication efficiency and protect users' privacy, BIdM introduces a one-way accumulator as an identity data structure, which guarantees the validity of entity identity. We theoretically analyze the feasibility and performance of BIdM and conduct evaluations on a prototype implementation. The experimental results demonstrate that BIdM achieves excellent optimization on cross-domain authentication compared with existing identity management systems.

Jie Yin,Yang Xiao,Qingqi Pei,Ying Ju,Lei Liu,Ming Xiao,Celimuge Wu

DOI: https://doi.org/10.1109/jiot.2022.3145089

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:Internet of Things (IoT) applications have penetrated into all aspects of human life. Millions of IoT users and devices, online services, and applications combine to create a complex and heterogeneous network, which complicates the digital identity management. Distributed identity is a promising paradigm to solve IoT identity problems and allows users to have soverignty over their private data. However, the existing state-of-the-art methods are unsuitable for IoT due to continuing issues regarding resource limitations for IoT devices, security and privacy issues, and lack of a systematic proof system. Accordingly, in this article, we propose SmartDID, a novel blockchain-based distributed identity aimed at establishing a self-sovereign identity and providing strong privacy preservation. First, we configure IoT devices as light nodes and design a Sybil-resistant, unlinkable, and supervisable distributed identity that does not rely on central identity providers. We further develop a dual-credential model based on commitment and zero-knowledge proofs to protect the privacy of sensitive attributes, on-chain identity data, and linkage of credentials. Moreover, we combine the basic credential proofs to prove the knowledge of solutions to more complex problems and create a systematic proof system. We go on to provide the security analysis of SmartDID. Experimental analysis shows that our scheme achieves better performance in terms of both credential generation and proof generation when compared with CanDID.

computer science, information systems,telecommunications,engineering, electrical & electronic

Tianxiu Xie,Yue Zhang,Keke Gai,Lei Xu

DOI: https://doi.org/10.1007/978-3-030-82153-1_51

2021-01-01

Abstract:Decentralized Identity (DID) has been deemed an ideal mechanism for identity sharing and authentication, which allows users to process control over identity information. However, the centralized storage of DID hinders further expansion due to security issues. Combining the existing blockchain technology with the DID theory has a great development prospect in terms of privacy protection and security enhancement. In order to address the identity authentication issue of collateral in financial loans, this paper proposes the Cross-chain Channel-based DID (C3-DID) model, which realizes the distributed storage of DID and allows relay-based cross-chain data exchange. We deploy the loan process and the identity verification process on consortium blockchains, separately. In addition, a permission chain channel, called peer-to-peer Matching Channel (MC), is established to accomplish cross-chain data exchange. Our security analysis indicates that the proposed model can resist multiple threats.

Yang Su,Jing Wu,Chengnian Long,Lijun Wei

DOI: https://doi.org/10.1145/3390566.3391670

2020-01-01

Abstract:The digital identities of Internet of Things (IoT) devices are vital to the security of IoT system. However, current centralized identity management systems have many drawbacks such as the single point of failure, suffering DDoS attacks and privacy issues. In this paper, to solve the above problems, we combine with the scenario of electrical vehicles charging to present our decentralized machine identifier (DMID) and identity management scheme. The scheme is based on blockchain and InterPlanetary File System (IPFS) technologies. Moreover, to improve the security of DMID, we design a secure hardware module by employing Physical Unclonable Function (PUF), True Random Number Generation (TRNG) and Trustzone. At last, we design a simulation system, and the result demonstrates the feasibility and effectiveness of our proposed scheme.

Libin Xia,Jiashuo Zhang,Xihan Zhang,Yue Li,Jianbo Gao,Zhi Guan,Zhong Chen

DOI: https://doi.org/10.1109/dapps57946.2023.00028

2023-01-01

Abstract:The popularity of decentralized applications brings increasing on-chain audit concerns. Since on-chain accounts do not link to real-world identities, decentralized applications have been wildly used for illegal activities like money laundering. Decentralized identity (DID) is one of the most promising solutions to guarantee on-chain auditability in a privacy-preserving way. However, the existing DID systems suffer from two limitations, making them rarely adopted in on-chain decentralized applications. First, most previous systems only provide partial auditability, meaning that their regulators cannot trace users' real-world identities after users' malicious behaviors occur. Second, current solutions are usually isolated systems, causing a lack of interoperability with on-chain decentralized applications. To address the problems, we propose Didapper, a practical and auditable on-chain identity service with both privacy and auditability for decentralized applications. We introduce group signatures to provide anonymous and traceable credentials for on-chain users and decentralized applications. In order to meet the efficiency and flexibility requirements, we design credential structure and workflow mostly compatible with W3C standards (a DID recommendation that enables verifiable, decentralized digital identity), and realize credential verification service with updatable policies. We implement Didapper and evaluate it on Ethereum, and the results show that the performance of Didapper is acceptable in practice.

Lihong Lin,Hui Li,Weijuan Yin,Han Wang,He Bai,Ao Yang

DOI: https://doi.org/10.1109/CECIT58139.2022.00012

2022-01-01

Abstract:Since the birth of the Internet, there has been no identity management design at the network architecture level, leaving each service and platform to build its own identity system. As a new future network architecture, the Multi-Identifier Network considers identity design at the beginning of network design. It uses a blockchain-based Multi-Identifier System to manage identities. However, there is no unified design for the definition, application and revocation process of identity. In this paper, we propose a definition of identity format and design an operational logic for identity application, query and revocation. For the encoding method of the protocol, we compare the packet size and encoding speed between Protobuf and TLV methods.

Bishakh Chandra Ghosh,Venkatraman Ramakrishna,Chander Govindarajan,Dushyant Behl,Dileban Karunamoorthy,Ermyas Abebe,Sandip Chakraborty

DOI: https://doi.org/10.1109/ICBC51069.2021.9461064

2021-04-08

Abstract:Interoperation for data sharing between permissioned blockchain networks relies on networks' abilities to independently authenticate requests and validate proofs accompanying the data; these typically contain digital signatures. This requires counterparty networks to know the identities and certification chains of each other's members, establishing a common trust basis rooted in identity. But permissioned networks are ad hoc consortia of existing organizations, whose network affiliations may not be well-known or well-established even though their individual identities are. In this paper, we describe an architecture and set of protocols for distributed identity management across permissioned blockchain networks to establish a trust basis for data sharing. Networks wishing to interoperate can associate with one or more distributed identity registries that maintain credentials on shared ledgers managed by groups of reputed identity providers. A network's participants possess self-sovereign decentralized identities (DIDs) on these registries and can obtain privacy-preserving verifiable membership credentials. During interoperation, networks can securely and dynamically discover each others' latest membership lists and members' credentials. We implement a solution based on Hyperledger Indy and Aries, and demonstrate its viability and usefulness by linking a trade finance network with a trade logistics network, both built on Hyperledger Fabric. We also analyze the extensibility, security, and trustworthiness of our system.

Distributed, Parallel, and Cluster Computing,Cryptography and Security

Ting Cai,Zicong Hong,Shuo Liu,Wuhui Chen,Zibin Zheng,Yang Yu

DOI: https://doi.org/10.1109/tsc.2021.3128959

IF: 11.019

2021-01-01

IEEE Transactions on Services Computing

Abstract:Social data produced from widely emerged social media activities are expected to promote information dissemination and engagement, or even make business intelligence more powerful. However, the recent increase in social media incidents of illegal surveillance and data breaches raises questions about the current data ownership model, in which centralized applications collect and control large amounts of user data. In this article, we present SocialChain, which is a decentralized social data storage and sharing system based on blockchain that decouples user data and social applications to return data ownership to the user. We adopt Personal Data Store to extend off-chain storage for the social data, set up an identity establishment mechanism that can support WebID-based authentication functions using a unique identity assignment (i.e., WebID) as well as certificateless cryptography, and design a general framework that leverages smart contracts to help securely store and share social data in an automated manner. We develop a software prototype based on Ethereum and conduct case studies to test the effects of the adopted techniques on the performance. Experimental results show that SocialChain can provide easy-to-use interfaces while introducing relatively low latency, cost, and overhead and that it can support real-world social media applications.

Wei,Bochao An,Ke Qiao,Jun Shen

DOI: https://doi.org/10.1109/jsac.2023.3310105

IF: 16.4

2023-01-01

IEEE Journal on Selected Areas in Communications

Abstract:Digital twin (DT) constructs virtual counterparts of physical devices to monitor and optimize their life cycle processes. With the emergence of industry 4.0, Industrial Internet of Things (IIoT) has became the backbone of the DT by providing a fundamental way to transform physical devices to their virtual counterparts. With the deployment of IIoT, built-in sensors enable real-time collection of critical DT data involving various physical parameters associated with devices during their life cycle. However, traditional data sharing services rely on a centralized infrastructure, which inevitably brings severe security threats to share large volume of sensitive DT data derived from numerous sensors. To address the above issue, this paper presents a blockchain based Multi-users Oblivious Data Sharing scheme (MODS) for the digital twin system in the context of IIoT. MODS supports a broad range of security properties including confidentiality, obliviousness, and access control for the DT data stored on the blockchain. MODS adopts a hybrid design approach by combing trusted hardware and cryptography to achieve well balances between security and efficiency. To demonstrate the design advantages of MODS, we explore the design space of a multi-users oblivious data sharing scheme by using pure cryptographic approach, which incurs several design tradeoffs that must be addressed. We show that MODS performs well in these tradeoffs. A comprehensive evaluation has been conducted to demonstrate that MODS is practical to support secure data sharing via blockchain for IIoT.

Zhikui Chen

DOI: https://doi.org/10.1109/CNSR.2007.6

2007-01-01

Abstract:Digital Identity corresponds to the electronic information associated generally with an individual in a particular identity system. This is used by online service providers to authenticate and authorize users for services protected by access policies. Having good identity systems can enable individuals to use effectively and extensively electronic transactions in a secure yet privacy preserving manner. In order to match the above purpose, this paper introduces an identity scenario, a user-centric identity management, in terms of VID - virtual identity, which concept is designed to protect a user's privacy and secure communication data, which contemplates the multitude of identities and roles we take on each time we turn on our computer, mobile phone or PDA.. Simultaneously, the associated identity management system with its related infrastructure is described. A key component, the ID broker, of the proposed infrastructure is also detailed including some interfaces and their related components. Furthermore, a method that allows a user to manage his/her service via the VID is introduced.

Cristian Nicolae Butincu,Adrian Alexandrescu

DOI: https://doi.org/10.1109/access.2024.3394537

IF: 3.9

2024-05-03

IEEE Access

Abstract:The increased digitalization of society raises concerns regarding data protection and user privacy, and criticism on how the companies handle user data without being transparent and without providing adequate mechanisms for users to control how their own data is being processed or shared. To address this problem and open the way for a secure and efficient society, where the privacy of citizens is paramount, the identity concept and proof of identity mechanisms need to be redesigned from the ground up. In this paper we discuss how the emerging Web3 technologies like distributed ledger technology (DLT), blockchain, smart contracts, decentralized storage systems, and crypto wallets can be leveraged to design and implement a decentralized digital identity system based on decentralized identifiers (DID) and self-sovereign identities (SSI). Such a system puts the users in full control over their own data while also providing a solid backbone for building interoperable systems that are secure, scalable, and efficient. We propose different architectures for the decentralized identity infrastructure and storage layer, and also discuss the mapping of these architectures on cloud platforms. The main goal is to provide an architectural blueprint for a scalable, secure, privacy-preserving and trusted system.

computer science, information systems,telecommunications,engineering, electrical & electronic

Qi Lyu,Hui Li,Xinnan Lin,Han Wang,Hanxu Hou,Yuguo Yin,Qianbin Chen,Ping Fan,Gang Wan,Xiang Zhu,Selwyn Deng,Weixiang Huang,Jianping Wu,Jieren Cheng,Wenyuan Yang

DOI: https://doi.org/10.1109/BigData59044.2023.10386505

2023-01-01

Abstract:With its wide range of applications, the Internet shows a future trend towards abundant and diverse data resources with multiple types of identifiers (multi-identifiers). However, the legacy Domain Name System (DNS) in the current TCP/IP network architecture has failed to manage these identifiers due to the centralized security issue. While some decentralized DNS alternatives have been proposed, they also face scalability issues. In this paper, we propose a blockchain-based Hierarchical Multi-Identifier System, named H-MIS, as a DNS alternative. Specially, it realizes optimal decentralization and scalability by introducing the Zero-Knowledge rollup (ZK-rollup) solution to synchronize the upper and lower on-chain identifier data, as well as off-chain associated resource data. Finally, we implement H-MIS on Ethereum and evaluate its performance. The experimental results indicate that compared to the original MIS and Ethereum Name Service (ENS), H-MIS has advantages in such aspects as efficiency, data consumption, and Gas fees.

Yunqing Bian,Xin Wang,Jian Jin,Zhenzhen Jiao,Sisi Duan

DOI: https://doi.org/10.1109/jiot.2024.3399535

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:We present FLEXDID, a decentralized identity management system with flexible credential presentation and efficient revocation. FLEXDID allows identity holders to perform both vertical disclosure and horizontal disclosure. Vertical disclosure allows an identity holder to derive a credential to prove only a subset of all attributes it holds. Meanwhile, horizontal disclosure allows multiple identity holders with the same attributes to aggregate their credentials for fast verification. We also introduce a three-layer architecture. Besides the roles of identity holders and issuers in conventional identity management systems, we introduce a layer of secondary brokers. The secondary brokers can be viewed as delegates for identity holders to perform flexible disclosure. Together with our system optimizations, such as batch verification, FLEXDID is able to manage the credentials for a large number of identity holders, making it a perfect fit for applications such as the Industrial Internet of Things. Our evaluation shows all the operations of FLEXDID can complete in millisecond level and the most computationally extensive operation has a latency of up to 34% lower compared to existing identity management systems.