Privacy-Preserving eID Derivation for Self-Sovereign Identity Systems

Abstract

As centralized identity management solutions amass identity data, they increasingly become attractive targets for cyber attacks, which entail consequences for users that range from service disruptions to exposure of sensitive user data. Self-sovereign identity (SSI) strives to return the control over identity data to the users by building on decentralized architectures. However, the adoption of SSI systems is currently hampered by a lack of qualified identity data that satisfies the services’ requirements. Additionally, there is a gap w.r.t the user’s privacy: Intermediate components (e.g., importers or SSI network nodes) learn the users’ sensitive attributes during the derivation of eID data.

In this work, we present a decentralized eID derivation concept that preserves the users’ privacy while maintaining the data’s trustworthiness without revealing the plain data to any component outside the users’ control. Our proposed system also enables users to selectively disclose only relevant parts of the imported identity assertion according to the service’s requirements. We also implement and evaluate a proof-of-concept to demonstrate the feasibility and performance of our concept.

S. Ramacher—Work done while the author was with Graz University of Technology.

A Cryptographic Assumptions and Primitives

We recall the standard notion of digital signature schemes.

Definition 1 (Signature Scheme)

A signature scheme \(\varSigma \) is a triple \((\mathsf {KeyGen}, \mathsf {Sign}, \mathsf {Verify})\) of PPT algorithms, which are defined as follows:

• \(\mathsf {KeyGen} (1^\kappa ){:}\) This algorithm takes a security parameter \(\kappa \) as input and outputs a secret (signing) key \(\mathsf {sk}\) and a public (verification) key \(\mathsf {pk}\).

• \(\mathsf {Sign} (\mathsf {sk}, m){:}\) This algorithm takes a secret key \(\mathsf {sk}\) and a message \(m\) as input and outputs a signature \(\sigma \).

• \(\mathsf {Verify} (\mathsf {pk},m,\sigma ){:}\) This algorithm takes a public key \(\mathsf {pk}\), a message m and a signature \(\sigma \) as input and outputs a bit \(b \in \{0,1\}\).

We require a signature scheme to be correct and to provide existential unforgeability under adaptively chosen message attacks (EUF-CMA).

For the concrete instantiations we need bilinear groups, which are generated by \(\mathsf {BGGen}\) taking a security parameter \(1^\kappa \) as input and returning bilinear group description including groups \(\mathbb {G}\) and \(\mathbb {G}_T\) of prime order \(q\), a Type-1⁶ pairing \(e:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T\) and a generator \(g\) of \(\mathbb {G}\). The Waters’ signature scheme [31] is depicted in Scheme 1, which is secure under the computational Diffie-Hellman assumption (CDH).

Furthermore, we are interested in an extension of signature schemes to multi-signature schemes. In this case, signatures on the same message w.r.t. some public keys, can be aggregated into one compact signature which is valid w.r.t. an aggregated public key. We define such signatures following the definition of Drijvers et al. [17]:

Definition 2 (Multi-Signature Scheme)

A multi-signature scheme \(\varSigma _M \) extends a signature scheme with PPT algorithms \((\mathsf {APKs}, \mathsf {ASigs}, \mathsf {AVerify})\), which are defined as follows:

• \(\mathsf {APKs} (\mathsf {pk}_1, \ldots , \mathsf {pk}_n){:}\) This algorithm takes n public keys \((\mathsf {pk}_i)_{i=1}^n\) as input and outputs an aggregated public key \(\mathsf {pk}_{M}\).

• \(\mathsf {ASigs} ((\mathsf {pk}_1, \sigma _1), \ldots , (\mathsf {pk}_n, \sigma _n), m){:}\) This algorithm takes signatures \({(\sigma _{i})}_{i=1}^n\) on the message \(m\) and the corresponding public keys \({(\mathsf {pk}_{i})}_{i=1}^n\), and outputs an aggregated signature \(\sigma _M \) on the message \(m\) or \(\bot \) on error.

• \(\mathsf {AVerify} (\mathsf {pk}_{M},m,\sigma _M){:}\) This algorithm takes an aggregated public key \(\mathsf {pk}_{M}\), a message \(m \in \mathcal {M}\) and an aggregated signature \(\sigma _M \) as input and outputs a bit \(b \in \{0,1\}\).

The BLS signature scheme [11] is a prominent example of a signature scheme that can be extended to a multi-signature [10].

Finally, we recall a standard definition of non-interactive zero-knowledge proof systems. Let \(L \subseteq \mathsf {X}\) be an \(\mathbf {NP}\)-language with associated witness relation \(R\) so that \(L = \{x ~|~ \exists w: R(x, w) = 1\}\).

Definition 3 (NIZK)

A non-interactive proof system \(\mathsf {\Pi }\) is a tuple of algorithms \((\mathsf {Setup}, \mathsf {Proof}, \mathsf {Verify})\), which are defined as follows:

• \(\mathsf {Setup}(1^\kappa ){:}\) This algorithm takes a security parameter \(\kappa \) as input, and outputs a common reference string \(\mathsf {crs}\).

• \(\mathsf {Proof}(\mathsf {crs}, x, w){:}\) This algorithm takes a common reference string \(\mathsf {crs}\), a statement x, and a witness w as input, and outputs a proof \(\pi \).

• \(\mathsf {Verify}(\mathsf {crs}, x, \pi ){:}\) This algorithm takes a common reference string \(\mathsf {crs}\), a statement x, and a proof \(\pi \) as input, and outputs a bit \(b \in \{0,1\}\).

We require such proof system to be complete (all proofs for statements in the language verify), sound (a proof for a statement outside the language verifies only with negligible probability) and zero-knowledge (proof reveals no information on the witness). We are especially interested in proof systems for statements of the form \( F = \mathcal {F}(m_1 \Vert \ldots \Vert m_n) \wedge \bigwedge _{i=1}^n c_i = \mathsf {Com} (m_i; r_i) \) where \(\mathcal {F}\) is derived from the hash function \(H\) used in Waters’ signature scheme, i.e. \(H(m) = u_0 \cdot \mathcal {F}(m)\). Secondly, for commitments, i.e. \(\mathsf {Com} \),⁷ we use Groth-Ostrovsky-Sahai commitments [19]. We can now define the relation \(R_{cF}\) as

$$\begin{aligned} \begin{aligned} ((F, c_1, \ldots , c_n), (m_1, \ldots , m_n, r_1, \ldots , r_n)) \in R_{cF} \Leftrightarrow \\ F = \mathcal {F}(m_1 \Vert \ldots \Vert m_n) \wedge \bigwedge _{i=1}^n c_i = \mathsf {Com} (m_i; r_i) \end{aligned} \end{aligned}$$

and denote the corresponding proof system based on [18] as \(\mathsf {\Pi }_{cF}\), which is complete, sound and zero-knowledge.