Privacy-Preserving eID Derivation for Self-Sovereign Identity Systems

  • Andreas Abraham
  • Felix Hörandner
  • Olamide Omolola
  • Sebastian Ramacher
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11999)


As centralized identity management solutions amass identity data, they increasingly become attractive targets for cyber attacks, which entail consequences for users that range from service disruptions to exposure of sensitive user data. Self-sovereign identity (SSI) strives to return the control over identity data to the users by building on decentralized architectures. However, the adoption of SSI systems is currently hampered by a lack of qualified identity data that satisfies the services’ requirements. Additionally, there is a gap with respect to the user’s privacy: intermediate components (e.g., importers or SSI network nodes) learn the users’ sensitive attributes during the derivation of eID data.

In this work, we present a decentralized eID derivation concept that preserves the users’ privacy while maintaining the data’s trustworthiness without revealing the plain data to any component outside the users’ control. Our proposed system also enables users to selectively disclose only relevant parts of the imported identity assertion according to the service’s requirements. We also implement and evaluate a proof-of-concept to demonstrate the feasibility and performance of our concept.


Keywords: Qualified electronic identity, Self-Sovereign Identity, Distributed ledger, Identity derivation, Distributed trust, Privacy


Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Andreas Abraham (1)
  • Felix Hörandner (1)
  • Olamide Omolola (1)
  • Sebastian Ramacher (2)

  1. Graz University of Technology, Graz, Austria
  2. AIT Austrian Institute of Technology, Vienna, Austria
