Contributions

2.1  Digital Identity and Decentralized Digital Identity

The importance of “digital identity” is rapidly increasing under the current circumstances, even after the pandemic. People would need to do much more things online than before. Researchers and influencers in the tech industry in this domain refer to Kim Cameron’s blog article, “The Laws of Identity” [20]. Beyond the contribution, researchers and the industry have made significant efforts, including standardization bodies resolving many problems from various perspectives, such as identity proofing, authentication, and federation.

In digital identity approaches, managing claims and credentials is one of the essential elements of representing who I am or who you are. Identity is a set of attributes or claims by definitions, e.g., ISO/IEC 24760-1:2019/Amd 1:2023(en) [21], and a credential represents an identity for authentication. There are also many activities at standardization bodies such as W3C³, OpenID Foundation⁴, and FIDO Alliance⁵. The NIST’s Digital Identity Guidelines [22] is a set of guidelines that address various perspectives through its digital identity model.

Digital identity management started from the Isolated User Identity (SILO) model and moved to the Federated User Identity (FED) model by the mathematical definition of Md Sadek Ferdous et al.’s work [23]. The (full) identity representing a natural person is a union of partial identities, each set of claims consisting of an attribute and value pair. They demonstrated that digital identity and identity management move from the most straightforward model toward federated models in a decentralized fashion.

In the tech industry, several initiatives are addressing decentralized digital identity. Microsoft has been driving an initiative⁶ and announced ION⁷ on behalf of the Decentralized Identity Foundation (DIF)⁸ in May 2021. The approach utilizes W3C’s DIDs [24], decentralized systems such as blockchains and ledgers, and DIF’s standards.

2.2  Hardware-Assisted Security and Attested Execution Secure Processors (AESPs)

Hardware-assisted security may provide tamper-resistant features, and some of them support attested execution capability. Such hardware-assisted security has recently been becoming the norm for mobile devices.

Apple’s iPhone implements Secure Enclave, a dedicated secure subsystem. It is isolated from the app execution environment on the main processor⁹. Android devices support KeyStore and other security-related functionality utilizing hardware-assisted implementations, e.g., TEE (Trusted Execution Environment), Arm’s TrustZone in particular. Google recently announced the Android Ready SE program¹⁰, which will be supporting hardware-backed security applets for various use cases such as digital keys and identity credentials. In addition, Microsoft recently announced Windows 11 with new hardware requirements in which TPM (Trusted Platform Module) 2.0 is mandated¹¹. There are also other design choices among implementations in the industry, such as Global Platform-supported Secure Elements¹² and Intel’s SGX¹³, in addition to TrustZone and TPM 2.0.

Among numerous implementations and research addressing hardware-assisted security, including how to realize [15] and how to utilize [25], Rafael Pass et al. uniquely addressed hardware-assisted security, secure processors, in a formal fashion [18]. In their words, trusted hardware is commonly believed to provide a powerful abstraction for building secure systems. They approached to formalize the attested execution abstraction and retrieved the formal modeling of a broad class of Attested Execution Secure Processors (AESPs) from the common belief. The authors are very encouraged to utilize Rafael Pass et al.’s formal abstraction of AESPs to formulate and demonstrate our proposed scheme in this paper.

2.3  Self-Sovereign Identity (SSI)

Christopher Allen published his blog article entitled “The Path to Self-Sovereign Identity” in 2016 [4]. It presented the evolution of digital identity from Phase 1: Centralized Identity, Phase 2: Federated Identity, Phase 3: User-Centric Identity through Phase 4: Self-Sovereign Identity, followed by his definition of SSI with the ten principles:

2.3.3  SSI Systems with Mobile Devices

There are several SSI implementations, such as uPort and Sovrin [14], [29]. Also, some experimental research and prototypes in the tech industry support governmental agencies’ interests [31], [32]. Through such activities, including W3C’s efforts on verifiable credentials and DIDs [24], [33], there has been becoming a common structure and primary roles involved in exchanging verifiable credentials among an issuer, a holder (a natural person), and a verifier.

Figure 1 illustrates such an SSI solution architecture in our interpretation. In the figure, \(\mathsf{VC}\) stands for Verifiable Credential, and \(\mathsf{DC}\) stands for Derived Credential. An issuer issues the holder a verifiable credential (\(\mathsf{VC}\)). They may have a derived credential (\(\mathsf{DC}\)) for presentation to minimize disclosure. A verifier may verify with the received derived credential per a request. Blockchain technology can be a verifiable data registry in the architecture.

Fig. 1  Self-Sovereign Identity Systems in the Tech Industry

We put a mobile phone next to the user in the figure because some SSI implementations provide a mobile app, such as a wallet app, for their use with the SSI systems. To the best of our knowledge, however, such mobile apps never play their roles in utilizing hardware-assisted security features of the mobile device. Kalman C. Torh et al. addressed using users’ mobile devices as a digital identity for each of them [17]; however, they have not mentioned opportunities for hardware-backed attestations.

2.4  Sybil-Attack and Sybil-Resistance

“Sybil” is a book by Flora Rheta Schreiber in 1973 and a pseudonym for Shirley Ardell Mason, who was in dissociative identity disorder with 16 multiple personalities in the book. Brian Zill, a researcher at Microsoft, suggested in 2002 to name a type of attack by creating a large number of pseudonymous identities and using them to gain a disproportionately large influence [34]. Sybil-resistance has become a critical requirement to deal with impersonation by preventing Sybil-attack.

3.1  CanDID

It can do decentralized identity with legacy compatibility, Sybil-resistance, and accountability. Among numerous research addressing decentralized digital identity, Deepak Maram et al. identified remaining problems for building a decentralized identity system, legacy compatibility, Sybil-resistance, and accountability as entitled [19]. To solve the problems, they proposed system protocols with a trusted committee of nodes-based architecture.

Figure 2 illustrates the overview of CanDID’s approach. In the figure, \(\mathsf{VC}\) is a verifiable credential, \(\mathsf{DC}_\mathsf{master}\) means a master credential, and \(\mathsf{DC}_\mathsf{context}\) means a context-based credential in their work, and a combination of two credential types (\(\mathsf{DC}_\mathsf{master}\) and \(\mathsf{DC}_\mathsf{context}\)) is designed for supporting Sybil-resistance. CanDID assumes a trusted party of nodes, each of which may trust the others, and it is called the DID Committee.

Fig. 2  CanDID - A State-of-the-Art Approach toward DID

The CanDID system protocols provide three APIs for issuing credentials, \(\mathtt{issuePreCred()}\), \(\mathtt{issueMasterCred()}\), and \(\mathtt{issueCtxCred()}\). \(\mathtt{issuePreCred()}\) issues \(\mathsf{VC}\) from a legacy credential issuer. CanDID supports deduplication of identities that may ensure the existence of at most one pseudonym with a unique identifier such as Social Security Number (SSN) in the U.S. For this, the master credential, generated by \(\mathtt{issueMasterCred()}\), includes a special attribute \(\mathtt{dedupOver}\) that is designed to avoid deduplicating their identity by adversaries. Then, the holder may create a various verifiable credential depending on the context, derived from the master credential by \(\mathtt{issueCtxCred()}\). This scheme enables the system to issue credentials uniquely per user and meets Sybil-resistance.

They utilize multi-party computation (MPC) to prevent committee members from learning unnecessarily private information. They also utilize SNARK proofs for registration-time screening and other various purposes of privacy-preserving. They successfully demonstrated that the committee-based architecture achieves its goals with some particular purpose MPC protocols for privacy-preserving deduplication and fuzzy matching for scanning sanction lists to avoid AML.

3.2  The Formal Modeling of AESPs: \(\color{brown}{\mathcal{G}_{\mathtt{att}}}\)

According to Rafael Pass et al.s’ efforts [18], the attested execution abstraction enables the following:

The ideal functionality \(\color{brown}{\mathcal{G}_{\mathtt{att}}}\) captures the core abstraction that a broad class of AESPs intends to provide. \(\color{brown}{\mathcal{G}_{\mathtt{att}}}\) is parameterized with a signature scheme \(\Sigma\) and also a registry \(\mathtt{reg}\) that is meant to capture all the platforms equipped with an AESP. The registry \(\mathtt{reg}\) is treated as a static registry for simplicity in the research. \(\color{brown}{\mathcal{G}_{\mathtt{att}}}\) consists of the initialization function to generate a key pair of the manufacturer public key \(\mathtt{pk}_{M}\) and secret key \(\mathtt{sk}_{M}\), public query interface \(\mathsf{getpk()}\), and stateful enclave operations of \(\mathsf{Install}()\) and \(\mathsf{Resume}()\), which realize the anonymous attestation capability. A platform \(\mathcal{P}\) that is in the registry \(\mathtt{reg}\) may invoke those enclave operations¹⁵.

Figure 3 illustrates the relationship between an AESP and \(\color{brown}{\mathcal{G}_{\mathtt{att}}}\) within a platform \(\mathcal{P}\), which we may assume a mobile device for a prover, along with an issuer and a verifier. Once a program \(\mathtt{prog}\) is installed and executed within an enclave, \(\color{brown}{\mathcal{G}_{\mathtt{att}}}\) returns both \(\mathtt{outp}\) and the anonymous attestation \(\sigma_M\) to \(\mathcal{P}\). Since a platform \(\mathcal{P}\) builts an AESP within it, we assume the AESP communicates with the platform \(\mathcal{P}\) that is in \(\mathtt{reg}\).

Fig. 3  An AESP and \(\color{brown}{\mathcal{G}_{\mathtt{att}}}\) within a Platform \(\mathcal{P}\)

4.1  Architecture

Figure 4 illustrates an overview of the architecture and how the basic AESP enclave operations of \(\mathsf{Install}()\) and \(\mathsf{Resume}()\) are integrated into the proposed architecture.

Fig. 4  Overview of the Proposed Architecture and the AESP Enclave Operations of \(\mathsf{Install}()\) and \(\mathsf{Resume}()\)

Overview of the main ideas are below:

In this proposal, the owner of a mobile device equipped with an AESP is the person who may represent their Self-Sovereign Identity. Because of utilizing AESPs, computation for preserving privacy can securely be executed within a device. In addition, verifiers may identify if the holder is the same person since the proof is attested by the holder’s device equipped with an AESP. It means that MPC requiring a committee of trusted parties is not required, and permissionless blockchain can efficiently be utilized for openness.

4.2  Derived Credentials

Because of various needs, the proposed SSI architecture allows people to create programs for issuing derived credentials to meet different requirements. For example, some service providers need to verify if customers are not younger than 18 years old but do not need to know their birthdays. Some agencies need to verify if applicants are formally registered as residents in the city but do not need any other claims. For infinite varieties of needs to utilize derived credentials for presentation, which allows minimizing disclosure, and the programmable architecture enables users to choose appropriate \(\mathtt{prog}\) for their needs. Those programs for the proposed SSI architecture must be public and open source for anyone to verify.

Derived Credentials for Sybil-Resistance

Unlike CanDID, the AESP-based SSI architecture does not assume generating the master credential, an interim credential designed to support the deduplication of identities for satisfying Sybil-resistance. An AESP is a unique entity capable of secure computation within a local processor. The equipped AESP may embed an encrypted link for derived credentials with a natural person by their key pair \((\mathtt{pk}_U, \mathtt{sk}_U)\). Figure 5 illustrates the relationship among real identities \(\mathcal{I}\), Symbil-resistant credentials \(\mathcal{C}\), and derived credentials some of which are Sybil-resistant.

Fig. 5  Sybil-resistant derived credentials and the identification map \(\psi: \mathtt{cred} \rightarrow \mathcal{C}\)

Programs requiring to manage credentials that meet the Sybil-resistance requirement should implement a function of injective identification map \(\psi\) between Sybil-resistant derived credentials and \(\mathcal{C}\). The function \(\psi\) ensures the existence of at most one Sybil-resistant derived credential associated with a Sybil-resistant credential in \(\mathcal{C}\), and a derived credential with a dashed line in Fig. 5 is not Sybil-resistant. AESP may install and execute programs capable of treating \(\psi\) securely. The following section and Fig. 7 will describe the protocol for creating Sybil-resistant credentials.

7.1  Sybil-Resistance

An adversary cannot obtain Sybil-resistant credentials, which we define below:

Definition 4 (Sybil-resistant credential). Let \(\mathcal{I}\) be a set of real identities and \(\mathcal{C}\) be a set of credentials. The credentials \(\mathcal{C}\) is said to be Sybil-resistant credentials if and only if there exists a bijective map \(\phi: \mathcal{C} \rightarrow \mathcal{I}\).

In the real world, a national PKI system, e.g., JPKI (described in Sect. 9.1), is an example of authorities that can provide a unique identifier for creating Sybil-resistant credentials. A master credential in CanDID corresponds to a Sybil-resistant credential. We assume a single system of Sybil-resistant credentials for brevity in this paper.

Definition 5 (Existence). Suppose \(\mathcal{C}\) be a set of all Sybil-resistant credentials. A derived credential \(\mathtt{cred}\) is said to be Sybil-resistant with respect to \(\mathcal{C}\) if and only if, for any \(P P T\) (Probabilistic Polynomial-Time) adversary \(\mathcal{A}\) and security parameter \(\lambda\), there exists anidentification map \(\psi: \mathtt{cred} \rightarrow \mathcal{C}\) only with negligible error probability, namely:

Informally, this definition captures the infeasibility of an adversary to obtain a derived credential \(\mathtt{cred}\) that is not in the set of all Sybil-resistant credentials such that \(\psi(\mathtt{cred}) \in \mathcal{C}\) as far as \(\mathtt{cred}\) bears a valid attestation signature, namely, \(\mathcal{V}_{\mathtt{pk}_{M}}\left(\mathtt{cred}.\mathtt{body}, \mathtt{cred}.\sigma\right) = \mathtt{true}\). Here, the identification map \(\psi\) is defined over all elements in derived credentials such that \(\psi(\mathtt{cred}) \in \mathcal{C}\). Thus, \(\psi\) uniquely ‘identifies’ the holders’ real identity from anonymous derived credentials. In our scheme, we assume the map \(\psi\) is accessed only by the AESP internally. Thus, the link between derived credentials and the Sybil-resistant credentials is hidden; it supports preserving privacy.

This game resides on the malicious prover model in our attacker models. An adversary \(\mathcal{A}\) attacks the holder to create potentially a wrong derived credential under the assumption that \(\mathcal{V}_{\mathtt{pk}_{M}}\) is honest.

7.2  Unforgeability

An adversary cannot forge the credentials of honest users or otherwise impersonate them.

Definition 6 (Unforgeability). Let \(\mathtt{chals}\) denote a set of all challenges and their responses produced by \(\mathcal{A}\) in oracle access with \(\mathcal{O}^*\) and a special oracle \(\mathcal{O}_{\mathtt{sk}_{U}}^*\) that allows calling any \(\color{blue}{\Pi^{\mathcal{G}_{\mathtt{att}}}}\) functions with the user key parameter set to \(\mathtt{sk}_{U}\). The protocol \(\color{blue}{\Pi^{\mathcal{G}_{\mathtt{att}}}}\) offers unforgeability if, for any stateful \(P P T\) adversary \(\mathcal{A}\),

The definition captures that it must be infeasible for an adversary to impersonate users, i.e., forge signatures with users’ keys. This game also resides on the malicious prover model where an adversary \(\mathcal{A}\) attacks the holder to potentially create a wrong credential under the assumption that the verifier is honest.

7.3  Privacy - Credential-Issuance

It is infeasible for an adversary to learn users’ attributes from observing the derived credential-issuance protocol.

Definition 7 (Credential issuance privacy). The protocol \(\color{blue}{\Pi^{\mathcal{G}_{\mathtt{att}}}}\) offers derived credential issue privacy if, for any stateful \(P P T\) adversary \(\mathcal{A}\),

This game resides on the malicious verifier model in our attacker models. An adversary \(\mathcal{A}\) tries to violate a holder’s privacy by retrieving information from their credential, assuming that the holder is honest.

7.4  Privacy - Credential-Verification

An adversary can learn about a user no more than the information they explicitly present while using their credentials.

Definition 8 (Credential verification privacy). Given an open-source map \(\mathtt{prog}\) that maps user data in verifiable credentials to derived credential claims, any \(P P T\) adversary \(\mathcal{A}\) learns negligibly more about any given user than the output of \(\mathtt{prog}\).

7.5  Unlinkability

The entities administering the protocol \(\color{blue}{\Pi^{\mathcal{G}_{\mathtt{att}}}}\) reliant programs cannot collude and link the respective transactions of any given user.

Definition 9 (Unlinkability across programs). The protocol \(\color{blue}{\Pi^{\mathcal{G}_{\mathtt{att}}}}\) offers unlinkability if, for any stateful \(P P T\) adversary \(\mathcal{A}\),

This game also resides on the malicious verifier model in our attacker models. An adversary \(\mathcal{A}\) tries to violate a holder’s privacy by retrieving information from their new credential, assuming that the holder is honest.

8.1  Sybil-Resistance

First, we prove \(\color{blue}{\Pi^{\mathcal{G}_{\mathtt{att}}}}\) satisfies Definition 5 for Existence. It is sufficient to prove that every derived credential \(\mathtt{cred}\) has an identification map \(\psi\) such that \(\psi(\texttt{cred}) \in \mathcal{C}\). In the protocol \(\color{blue}{\Pi^{\mathcal{G}_{\mathtt{att}}}}\), every \(\mathtt{cred}\) has the following form

where \(\widehat{\psi}\) is a ciphertext of a verifiable and Sybil-resistant credential \(\texttt{cred}\) encrypted with the public key of \(\color{brown}{\mathcal{G}_{\mathtt{att}}}\). Therefore, given

it implies that \(\color{brown}{\mathcal{G}_{\mathtt{att}}}\) can decrypt \(\widehat{\psi}\) to get \(\texttt{cred}\) as \(\mathtt{cred} = \mathcal{E}.\operatorname{Dec}_{\mathtt{sk}_M}(\widehat{\psi})\) and verify the relation \(\texttt{cred} \in \mathcal{C}\) unless the signature \(\sigma_M\) is forged. \(\mathcal{E}\) denotes IND-CCA encryption scheme. The latter probability is negligible in \(\lambda\) given \(\Sigma\) is the EUF-CMA signature scheme.

8.2  Unforgeability

In \(\color{blue}{\Pi^{\mathcal{G}_{\mathtt{att}}}}\) based SSI systems, users’ key never leaves their device with an AESP. During the protocols, they use it only to sign challenges issued as part of \(\mathsf{VerifyCred}()\). Thus, unforgeability of the \(\color{blue}{\Pi^{\mathcal{G}_{\mathtt{att}}}}\) based SSI systems follows in a straightforward way.

Here, \(\mathtt{cred}\) has the following form:

Queries to \(\mathcal{O}^*\) and \(\mathcal{O}^*_{\mathtt{sk}_U}\) must be a set of tuples

and the responses are \((\mathtt{pk}_U, \widehat{\psi}, \{\mathtt{claim}_j\}_{j=1, \ldots, m}, \sigma_M)\) where a set of claims \(\{\mathtt{claim}_j\}_{j=1, \ldots, m}\) is the image of \(\mathtt{prog}\) with inputs \(\{\mathtt{cred}_k\}_{k=1, \ldots, l}\). Thus, \(\mathtt{chals}\) contains all tuples appeared in the oracle access by \(\mathcal{A}\) of the form \((\mathtt{pk}_U, \widehat{\psi}, \{\mathtt{claim}_j\}_{j=1, \ldots, m})\). For creating new \(\mathtt{cred}\) such that \(\mathtt{cred}.\mathtt{body} \notin \mathtt{chals}\), \(\mathcal{A}\) must forge a signature \(\mathtt{cred}.\sigma\) on the message tuple \(\mathtt{cred}.\mathtt{body}\). Given the underlying EUF-CMA signature scheme \(\Sigma\), this probability is bounded by \(\operatorname{negl}(\lambda)\), which is negligible in the security parameter \(\lambda\).

8.3  Privacy - Credential-Issuance

In our privacy game for privacy - credential-issuance, the adversary chooses a pseudonym of the user who initiates each query and which providers are used but otherwise learns nothing else about users’ identities or attributes during operations such as credentials issuance.

By Definition 7, the adversary chooses two identities of \(\{0, 1\}\) and observes that derived credentials are created by executing \(\mathsf{IssueDCred}()\) with inputs of claims for each identity and the program \(\mathtt{prog}\) with the encrypted identification map \(\widehat{\psi}\). The adversary tries to access and guess any attributes and/or values; however, they cannot guess from a derived credential selected randomly.

Let us explain the reason behind it more. Since two credentials, \(\mathtt{cred}^0\) and \(\mathtt{cred}^1\) only differ in \(\widehat{\psi}^0\), \(\widehat{\psi}^1\) and related signatures, \(\sigma_U^0\) and \(\sigma_U^1\). \(\widehat{\psi}^0\) and \(\widehat{\psi}^1\) are encrypted by the IND-CCA encryption algorithm \(\mathcal{E}\). Probability to distinguish them is upper-bounded \(\operatorname{negl}(\lambda)\). Therefore, we conclude that the adversary cannot win the game as it does not learn any information to distinguish the verifiable credentials.

8.4  Privacy - Credential-Verification

In our scheme, we assume that all privacy operations for issuing and treating credentials are executed within an AESP internally by \(\mathtt{prog}\), including \(\mathsf{IssueDCred}()\) and \(\mathsf{VerifyCred}()\). We also expect that only \(\mathtt{prog}\) will be accepted by users and providers who reach the consensus. Such \(\mathtt{prog}\) only leaks required privacy information described as a set of claims \(\{\mathtt{claim}_j\}_{j=1,\ldots, m}\). This process is expected to leak any more information as defined in Definition 8.

8.5  Unlinkability

As the same as the other privacy game for privacy - credential issuance, the adversary needs to try an input but randomly selected, and a credential \(\mathtt{cred}^0\) or \(\mathtt{cred}^1\) in this case as defined in Definition 9. It cannot guess any information to distinguish which provider from a credential selected randomly. Therefore, we conclude that the adversary cannot win the game of unlinkability in our scheme.\(\tag*{◻}\)

9.1  Applications

One of the well-known initiatives is mDL, mobile driver’s license¹⁷. It must be helpful, but people would not always be happy to show their driver’s license even though it allows them to choose to display only requested data such as name and age. The AESP-based SSI architecture and protocols will enable service providers to create programs that request only they need to verify; it encourages their users to contact them without hesitating to disclose unnecessary information. More importantly, people on the planet will gain Self-Sovereign Identity consisting of the ten principles, including existence and control.

9.2  Limitations and Future Directions

We want to describe two problems that remain and will be addressed to solve in our future work.