Difference between revisions of "Vol-2599/paper5"

         Private Digital Identity on Blockchain

              Tom Hamer, Kerry Taylor, Kee Siong Ng, Alwen Tiu

 College of Engineering and Computer Science, The Australian National University,
                          Canberra ACT 0200, Australia
     tomhamer@live.com, kerry.taylor@anu.edu.au, keesiong.ng@anu.edu.au
                             alwen.tiu@anu.edu.au



       Abstract. For many identification systems, including those in govern-
       ment, finance and healthcare, it is critical that at most one identity
       exists for each human individual within a given system. Many existing
       approaches identify individuals through an exchange of verifiable docu-
       ments attesting to basic identification information. However, the same
       basic information is collected for identification in almost every system,
       meaning that persons are linkable across different identity systems and
       are not in control of how their identity is used. We propose Unique Self-
       Sovereign Identity, (USI), combining Cancelable Biometrics [6] and W3C
       Verifiable Claims [8] to achieve privacy preserving and non-linkable iden-
       tification, with guarantees against double enrolment with any system.
       Because our protocol is based on biometrics, it permits individuals to
       enrol without official identification documents. Our protocol can be used
       in a wide range of situations, offering data security for large organisa-
       tions, access to basic services for over one billion people who lack official
       identifying documents, and personal identity control for all individuals.

       Keywords: Verifiable Claims · Blockchain · Cancelable Biometrics ·
       Homomorphic Signature


1     Introduction
1.1   Motivation
One fundamental aspect of many human identification systems is that for each
individual, no more than one identity exists [1]. This is often due to an unfair
advantage that can be gained by a malicious individual having two identities,
for example, they may be able to fraudulently access additional credit at a bank
[2]. However, preventing malicious double enrolment is difficult. Many exist-
ing approaches uniquely identify individuals through an exchange of verifiable
documents and basic identification information [3]. However, these traditional
identification methods have a number of fundamental drawbacks:
    1. Through organisations storing basic identity attributes such as name,
birthdate and address, individuals can be linked across multiple independent
uses of their identity, without consent.
    2. When organisations requiring identity verification store a large amount
of information about each individual for identification purposes, it makes the


Copyright c 2019 for this paper by its authors. Use permitted under Creative
       Commons License Attribution 4.0 International (CC BY 4.0).
�2       Tom Hamer, Kerry Taylor, Kee Siong Ng, Alwen Tiu

system vulnerable to attacks, as it is easy for a hacker who obtains access to the
internal records to learn many details about each individual. Worse still, basic
attributes such as address cannot easily be cancelled or changed and so a fresh
identity is very hard to establish.
    3. Over 1 billion individuals worldwide lack a form of officially recognised
identity such as a passport [4], which makes it very difficult to enrol with service
providers–such as banks, which need to uniquely identify individuals.
    We propose a decentralised, privacy-preserving identity system which can
identify individuals through a bijective mapping from individuals to identifiers
used in a specific organisational context. It is designed to give individuals con-
trol over their own identity and shared information but to give organisations a
guarantee of uniqueness. To our knowledge, such a privacy preserving biometric
identification system does not exist in the literature.

1.2   Related Work
Biometrics are a useful tool in identification of individuals because biometric
signatures, such as fingerprints, are unique to each human [5]. Further, they do
not depend on an individual needing to hold official identity documents. Cance-
lable biometrics have been created as a method to protect biometric signatures;
rather than storing the full biometric in identification databases, biometrics are
non-invertibly transformed to obfuscate the original biometric signature [6], and
only the obfuscated version is stored. However, one problem with current can-
celable biometric protocols is that the individual must trust the organisation
receiving their biometric signature to correctly transform and securely manage
the biometric signatures.
    Homomorphic signatures allow a verifier to prove that a calculation has been
done correctly without having to access the underlying data [7]. We propose
utilising homomorphic signatures as a proof mechanism to allow the individ-
ual to obfuscate their own biometric signature on their personal device through
applying a specific non-invertable transformation that is requested by the organ-
isation wanting to identify the individual. The authors are unaware of previous
research proposing the use of homomorphic signatures to prove the validity of
cancelable biometrics. For the first time, we propose that the combination of
these techniques enables self-sovereign identity.
    The W3C, an international standards organization, has introduced Distributed
Identifiers (DIDs) and Verifiable Claims. DIDs are linked to DID documents,
which store mechanisms used to authenticate the DID, service endpoints, and
other claims [8]. Using DIDs, the W3C aims to create a standard for individuals
and organizations to control their own identity. W3C Verifiable Claims are a
mechanism to express credentials on the Web in way that is cryptographically
secure, privacy respecting, and machine-verifiable [9]. The Sovrin foundation has
used DID and Verifiable claims to create a Blockchain based Identity System [10],
which enables distributed management of public keys and revocation of verifi-
able claims. Similarly, we propose to facilitate transfer of obfuscated biometrics
using Blockchain-based verifiable claims.
�                                      Private Digital Identity on Blockchain     3

    Self-sovereign identity can be defined as “the concept of individuals or or-
ganizations having sole ownership of their digital and analogue identities, and
control over how their personal data is shared and used” [11]. A number of or-
ganisations including The Sovrin Foundation [10], Civic Ledger [13] and uPort
[14] have recently launched of self-sovereign identity protocols. The Sovrin Foun-
dation has been involved in the development of ID2020 which aims to create an
open and human-centric approach to identity [12]. They suggest benefits includ-
ing no physical papers and the convenience of biometric authentication. Other
attempts, such as Civic ledger’s solution, depend on the individual holding of-
ficial identity documents such as passports to enrol with their system, which is
problematic for displaced persons and others.
    No self-sovereign identity schemes are currently available which offer non-
linkability of individually-controlled identities. Where existing protocols offer
the capacity to use biometric signatures, they do not allow individuals to non-
invertably transform their biometric signature before it is sent, and therefore do
not protect the privacy of personal biometrics.
    We propose the concept of Unique Self-Sovereign Identity, or USI. USI means
that an individual can have at most one identity in a particular context, but iden-
tities cannot be linked between contexts without permission from the individual.
Therefore, individuals can be uniquely identified but still have control over their
personal identifying data.


2     Solution Sketch

2.1   Our USI protocol

We define three key roles:
Individual: a human who wants to be identified by a Service Provider.
Service Provider: an organisation requiring its individual users to complete
identity verification for access to services. The service provider commits to re-
quiring a specific variety of biometric for all of its users.
Trusted Organisation: an organisation within the trust network of both a
service provider and an individual. Service providers trust these organisations
to ensure that the biometric signatures are accurate and individuals trust these
organisations to destroy their biometric signature immediately after use. Trusted
organisations maintain public keys for each variety of biometric signature they
sign, meaning that service providers are able to verify that the biometric signa-
ture is of the variety they require.
    In our protocol, each individual is identified for each service provider by a
cancelable (non-invertibly transformed) version of their biometric signature. To
achieve this non-invertibility, we use a Partial Discrete Fourier Transform for
non-linkable biometrics [6]. We extend existing cancelable biometric schemes
so that the service provider never has access to the complete biometric signa-
ture of each individual. To enable this, we use fully homomorphic signatures [7]
to prove the validity and correctness of a biometric signature which is already
�4      Tom Hamer, Kerry Taylor, Kee Siong Ng, Alwen Tiu




Fig. 1: Our USI Protocol showing the interactions between an Individual repre-
sented by a User Device, a Trusted Organisation, and several Service Providers



non-invertibly transformed by the individual before it is sent. Finally, the solu-
tion uses a Blockchain W3C standard Verifiable claims system [10], where our
homomorphic signature acts as the proof mechanism, meaning that individual
biometric signatures can be revoked when needed, and requiring that the pub-
lic key of the Trusted Organisation is publicly available. Our protocol does not
address authentication, that can employ conventional means such as username
and password. Our protocol is as follows (see figure 1).
    1. The individual enrols for an identity with a trusted organisation C of
their choice (see Algorithm 1). C collects finger print and vein scans, ensuring
that the biometrics are collected accurately and are truly the biometrics of the
individual. The assurance process will be determined by C’s own policy, but
will probably include human supervision. The individual stores the biometrics
together with a corresponding signature which is provided by C. C must not
store the biometrics–and is trusted not to by the individual. C has its pub-
lic key available on the Blockchain Verifiable Claims system. C adds required
randomly generated public parameters for homomorphic signature verification
to the ledger, and adds the signature for the biometric to a public revocation
register, attesting to the validity of the biometric.
    2. The individual wants to enrol with a service provider Bi and Bi requires
proof that they have not enrolled previously with Bi . To check, Bi requests an
P-DFT transform [6] with the trusted organisation’s specific parameters, from
the individual. These parameters are derived using the public key of Bi and
are therefore not used by any other organisation requiring identity verification.
�                                      Private Digital Identity on Blockchain      5

The individual computes the result of the transformation and sends it to Bi ,
with a fully homomorphic signature under that P-DFT, along with the name of
trusted organisation C for lookup in the Blockchain Verifiable Claims Public Key
register. Verifying that the calculation was done correctly does not require the
individual to send the initial signature from C or the individual’s raw biometric.
    3. Service provider Bi looks up trusted organisation C’s public key on-chain
and verifies the homomorphic signature against the transformed biometrics sent
by the individual, the public parameters, and the public key of C (see Algorithm
2). If it holds as valid, and the proof of non-revocation holds, then Bi checks all
current biometric vectors in its database for any vectors within a thresholded
similarity of the provided biometric. If it finds no matches, then Bi has verified
that the individual has not previously enrolled.


Algorithm 1 Trusted Organisation Creates Verifiable Claim for Individual to
Store
 1: procedure VCgen(pk,device)
 2:    bV ec ← retrieve(device) //retrieve processed biometric vector for individual
    from trusted organisation’s external device
 3:    l ← length of bVec
 4:    V ← randomly generate l public parameters
 5:    x ← Signsk (bVec)//trusted organisation homomorphically signs the biometric
    vector using its secret key
 6:    writeToChain(V) //write the public parameters V onto the Blockchain
 7:    claim ← generate a verifiable claim from trusted organisation’s metadata [9]
 8:    claim.proof ← generate a proof property from signature x
 9:    addToNonRevocationRegister(claim) //add the claim to a public non-
    revocation register
10:    cleanup() //critically, trusted organisation must delete bVec, the user’s raw
    biometric vector
11:    return claim




2.2   Features of our USI System

Self-sovereignty: The identity holder has complete control over storage and
use of their identity. This is provided through the use of verifiable claims, and
the homomorphic proof mechanism, which allows individuals to reliably store
their own biometric signature [9],[7].
Privacy and Non-linkability: The verifier, who receives a non-invertibly trans-
formed version of the biometric is unable to reverse the transformation and
discover the individual’s actual biometric signature. Provided that the transfor-
mations have different parameters, cross matching of biometrics is impossible.
These privacy and non-linkability features are provided by definition through
cancelable biometrics [5]. Further work is required on the non-linkability of the
proof mechanism as it is in some cases possible for proofs to be linked via the
�6       Tom Hamer, Kerry Taylor, Kee Siong Ng, Alwen Tiu

Algorithm 2 Service Provider Enrols Individual
 1: procedure AddNewUser(pi , biometricVariety, similarityThreshold ) //pi is
    unique to each service provider
 2:    claimP res ← request verifiable claim for P-DFT biometric transform from user
    with parameters pi
 3:    sig ← claimP res.proof.proof V alue // extract the transformed biometric from
    the claim presentation [9]
 4:    transbV ec ← claimP res.credentialSubject.transf ormedBiometric // extract
    the proof from the verifiable claim presentation [9]
 5:    V, pk ← retrieve(biometricVariety) //get public parameters V and trusted or-
    ganisation’s public key for the biometric typepk from Blockchain
 6:    if not validpk (V, sig, transbV ec) or isRevoked(claimPres) then
 7:        //if the homomorphic signature does not hold, or the claim has been revoked
 8:        return false
 9:    for transformedBiometric in database do
10:        if transbV ec.isSimilar, similarityThreshold(transf ormedBiometric) then
11:            return false //if a similar biometric exists already then reject.
12:     addNewUserToDb(transbVec) //save transformed biometric
13:     return true //success



public parameters. This issue may be rectified either through Gorbunov’s multi-
data signing scheme [7] or by having the trusted organisation issue a number of
public parameters to each individual, and each one could be used to establish
an unlinkable identity.
Unique Identification: An individual can create as many signed biometrics
or identities as they like and enrol with any trusted organisation. The trans-
formation will always map them back to the same identifier, with an error rate
that is dependant on the quality of the matching algorithm and the number of
individuals in the system. This is irrespective of the trusted organisation and is
a result of biometric classification algorithms. The error rate arises from the im-
precise nature of biometric feature extraction. Note that each Service Provider
must require the same variety of biometric from all of their clients, or unique
identification is impossible. [5].
Decentralisation: The trusted organisations do not have to communicate or be
in consensus for the Unique Identification property to hold. This is enabled
through Blockchain technology, which allows public keys and parameters to be
stored without a central authority [10].
Biometrically Derived: Biometrics are used, meaning that the system does
not depend on individuals holding previous identity documents in order to enrol.


3    Conclusion

We describe a USI identity system which is capable of addressing number of sig-
nificant current challenges in identity management. A key area for further work
is improving the performance of biometric identification. The error rate could
�                                       Private Digital Identity on Blockchain        7

prove to be an obstacle due to the compounding of errors in biometric identifi-
cation systems [15]. The need to trust the trusted organisation’s management of
biometric data is a potential drawback of our protocol that could be addressed
by legal or social mechanisms. Personal enrolment with the trusted organisation
potentially exposes information about identity that could be exploited. However,
we believe that this system could be feasible for distributed and privacy preserv-
ing identification at large scale. Future work includes a reference implementation
and security analysis.


References
1. UNHCR.: UNHCR Resettlement Handbook. UNHCR - the UN Refugee Agency,
   Geneva (2011)
2. Saunders, K., Zucker, B.: Counteracting Identity Fraud in the Information Age: The
   Identity Theft and Assumption Deterrence Act. In: International Review of Law,
   Computers & Technology 1999, 2, pp 183–192. Routledge (1999).
3. Moyano, J. P., Ross, O.: KYC Optimization Using Distributed Ledger Technology.
   Business & Information Systems Engineering, 59(6), pp 411-423. (2017).
4. Kour, G. & Saabne, R.: Global Identification Challenge by the Numbers.
   http://id4d.worldbank.org/global-dataset/visualization. Accessed 30 July 2019.
5. Punithavathi, P., Subbiah, G., 2017. Can Cancelable Biometrics Preserve Privacy?
   Biometric Technology Today, 2017(7), pp 8–11.
6. Yang, W. et al.: A fingerprint and finger-vein based cancelable multi-biometric sys-
   tem. Pattern Recognition, Volume 78, pp 242–251. (2018)
7. Gorbunov, S., Vaikuntanathan, V., Wichs, D: Leveled Fully Homomorphic Signa-
   tures from Standard Lattices. In: STOC’15 Proceedings of the forty-seventh annual
   ACM symposium on Theory of Computing, pp 469–477. ACM, New York, NY, USA
   (2015)
8. Reed, D. et al.: 2019. DID Spec. https://w3c-ccg.github.io/did-spec/. Accessed 30
   July 2019.
9. Sporny, M. et al.: Verifiable Credentials Data Model, https://www.w3.org/TR/vc-
   data-model/. Accessed 30 July 2019.
10. Sovrin.: Sovrin Protocol and Token White Paper. https://sovrin.org/wp-
   content/uploads/Sovrin-Protocol-and-Token-White-Paper.pdf Accessed 30 July
   2019.
11. Metadium.: Introduction to Self-Sovereign Identity and Its 10 Guiding Prin-
   ciples. https://medium.com/metadium/introduction-to-self-sovereign-identity-and-
   its-10-guiding-principles-97c1ba603872. Accessed 30 July 2019.
12. Leong, C.: ID2020: Digital Identity. https://www.accenture.com/us-en/insight-
   blockchain-id2020. Accessed 30 July 2019.
13. Civic Technologies.: Civic Whitepaper.
   https://tokensale.civic.com/CivicTokenSaleWhitePaper.pdf. Accessed 30 July 2019.
14. Dunphy, P., Petitcolas, F.: A First Look at Identity Management Schemes on the
   Blockchain. https://arxiv.org/pdf/1801.03294.pdf. Accessed 30 July 2019.
15. Pato, J. N., Millett, L. I.: Biometric Recognition: Challenges and Opportunities.
   Washington, DC: The National Academies Press. (2010)