One fundamental aspect of many human identi cation systems is that for each individual, no more than one identity exists [ 1 ]. This is often due to an unfair advantage that can be gained by a malicious individual having two identities, for example, they may be able to fraudulently access additional credit at a bank [ 2 ]. However, preventing malicious double enrolment is di cult. Many existing approaches uniquely identify individuals through an exchange of veri able documents and basic identi cation information [ 3 ]. However, these traditional identi cation methods have a number of fundamental drawbacks: 1. Through organisations storing basic identity attributes such as name, birthdate and address, individuals can be linked across multiple independent uses of their identity, without consent.

2. When organisations requiring identity veri cation store a large amount of information about each individual for identi cation purposes, it makes the Copyright c 2019 for this paper by its authors. Use permitted under Creative

Commons License Attribution 4.0 International (CC BY 4.0). system vulnerable to attacks, as it is easy for a hacker who obtains access to the internal records to learn many details about each individual. Worse still, basic attributes such as address cannot easily be cancelled or changed and so a fresh identity is very hard to establish.

3. Over 1 billion individuals worldwide lack a form of o cially recognised identity such as a passport [ 4 ], which makes it very di cult to enrol with service providers{such as banks, which need to uniquely identify individuals.

We propose a decentralised, privacy-preserving identity system which can identify individuals through a bijective mapping from individuals to identi ers used in a speci c organisational context. It is designed to give individuals control over their own identity and shared information but to give organisations a guarantee of uniqueness. To our knowledge, such a privacy preserving biometric identi cation system does not exist in the literature. 1.2

Biometrics are a useful tool in identi cation of individuals because biometric signatures, such as ngerprints, are unique to each human [ 5 ]. Further, they do not depend on an individual needing to hold o cial identity documents. Cancelable biometrics have been created as a method to protect biometric signatures; rather than storing the full biometric in identi cation databases, biometrics are non-invertibly transformed to obfuscate the original biometric signature [ 6 ], and only the obfuscated version is stored. However, one problem with current cancelable biometric protocols is that the individual must trust the organisation receiving their biometric signature to correctly transform and securely manage the biometric signatures.

Homomorphic signatures allow a veri er to prove that a calculation has been done correctly without having to access the underlying data [ 7 ]. We propose utilising homomorphic signatures as a proof mechanism to allow the individual to obfuscate their own biometric signature on their personal device through applying a speci c non-invertable transformation that is requested by the organisation wanting to identify the individual. The authors are unaware of previous research proposing the use of homomorphic signatures to prove the validity of cancelable biometrics. For the rst time, we propose that the combination of these techniques enables self-sovereign identity.

The W3C, an international standards organization, has introduced Distributed Identi ers (DIDs) and Veri able Claims. DIDs are linked to DID documents, which store mechanisms used to authenticate the DID, service endpoints, and other claims [ 8 ]. Using DIDs, the W3C aims to create a standard for individuals and organizations to control their own identity. W3C Veri able Claims are a mechanism to express credentials on the Web in way that is cryptographically secure, privacy respecting, and machine-veri able [ 9 ]. The Sovrin foundation has used DID and Veri able claims to create a Blockchain based Identity System [ 10 ], which enables distributed management of public keys and revocation of veri able claims. Similarly, we propose to facilitate transfer of obfuscated biometrics using Blockchain-based veri able claims.

Self-sovereign identity can be de ned as \the concept of individuals or organizations having sole ownership of their digital and analogue identities, and control over how their personal data is shared and used" [ 11 ]. A number of organisations including The Sovrin Foundation [ 10 ], Civic Ledger [ 13 ] and uPort [ 14 ] have recently launched of self-sovereign identity protocols. The Sovrin Foundation has been involved in the development of ID2020 which aims to create an open and human-centric approach to identity [ 12 ]. They suggest bene ts including no physical papers and the convenience of biometric authentication. Other attempts, such as Civic ledger's solution, depend on the individual holding ofcial identity documents such as passports to enrol with their system, which is problematic for displaced persons and others.

No self-sovereign identity schemes are currently available which o er nonlinkability of individually-controlled identities. Where existing protocols o er the capacity to use biometric signatures, they do not allow individuals to noninvertably transform their biometric signature before it is sent, and therefore do not protect the privacy of personal biometrics.

We propose the concept of Unique Self-Sovereign Identity, or USI. USI means that an individual can have at most one identity in a particular context, but identities cannot be linked between contexts without permission from the individual. Therefore, individuals can be uniquely identi ed but still have control over their personal identifying data. 2 2.1

We de ne three key roles: Individual: a human who wants to be identi ed by a Service Provider. Service Provider: an organisation requiring its individual users to complete identity veri cation for access to services. The service provider commits to requiring a speci c variety of biometric for all of its users.

Trusted Organisation: an organisation within the trust network of both a service provider and an individual. Service providers trust these organisations to ensure that the biometric signatures are accurate and individuals trust these organisations to destroy their biometric signature immediately after use. Trusted organisations maintain public keys for each variety of biometric signature they sign, meaning that service providers are able to verify that the biometric signature is of the variety they require.

In our protocol, each individual is identi ed for each service provider by a cancelable (non-invertibly transformed) version of their biometric signature. To achieve this non-invertibility, we use a Partial Discrete Fourier Transform for non-linkable biometrics [ 6 ]. We extend existing cancelable biometric schemes so that the service provider never has access to the complete biometric signature of each individual. To enable this, we use fully homomorphic signatures [ 7 ] to prove the validity and correctness of a biometric signature which is already non-invertibly transformed by the individual before it is sent. Finally, the solution uses a Blockchain W3C standard Veri able claims system [ 10 ], where our homomorphic signature acts as the proof mechanism, meaning that individual biometric signatures can be revoked when needed, and requiring that the public key of the Trusted Organisation is publicly available. Our protocol does not address authentication, that can employ conventional means such as username and password. Our protocol is as follows (see gure 1).

1. The individual enrols for an identity with a trusted organisation C of their choice (see Algorithm 1). C collects nger print and vein scans, ensuring that the biometrics are collected accurately and are truly the biometrics of the individual. The assurance process will be determined by C's own policy, but will probably include human supervision. The individual stores the biometrics together with a corresponding signature which is provided by C. C must not store the biometrics{and is trusted not to by the individual. C has its public key available on the Blockchain Veri able Claims system. C adds required randomly generated public parameters for homomorphic signature veri cation to the ledger, and adds the signature for the biometric to a public revocation register, attesting to the validity of the biometric.

2. The individual wants to enrol with a service provider Bi and Bi requires proof that they have not enrolled previously with Bi. To check, Bi requests an P-DFT transform [ 6 ] with the trusted organisation's speci c parameters, from the individual. These parameters are derived using the public key of Bi and are therefore not used by any other organisation requiring identity veri cation. The individual computes the result of the transformation and sends it to Bi, with a fully homomorphic signature under that P-DFT, along with the name of trusted organisation C for lookup in the Blockchain Veri able Claims Public Key register. Verifying that the calculation was done correctly does not require the individual to send the initial signature from C or the individual's raw biometric.

3. Service provider Bi looks up trusted organisation C's public key on-chain and veri es the homomorphic signature against the transformed biometrics sent by the individual, the public parameters, and the public key of C (see Algorithm 2). If it holds as valid, and the proof of non-revocation holds, then Bi checks all current biometric vectors in its database for any vectors within a thresholded similarity of the provided biometric. If it nds no matches, then Bi has veri ed that the individual has not previously enrolled.

Algorithm 1 Trusted Organisation Creates Veri able Claim for Individual to Store 1: procedure VCgen(pk,device) 2: bV ec retrieve(device) //retrieve processed biometric vector for individual from trusted organisation's external device 3: l length of bVec 4: V randomly generate l public parameters 5: x Signsk(bVec)//trusted organisation homomorphically signs the biometric vector using its secret key 6: writeToChain(V) //write the public parameters V onto the Blockchain 7: claim generate a veri able claim from trusted organisation's metadata [ 9 ] 8: claim:proof generate a proof property from signature x 9: addToNonRevocationRegister(claim) //add the claim to a public nonrevocation register 10: cleanup() //critically, trusted organisation must delete bVec, the user's raw biometric vector 11: return claim 2.2

Self-sovereignty: The identity holder has complete control over storage and use of their identity. This is provided through the use of veri able claims, and the homomorphic proof mechanism, which allows individuals to reliably store their own biometric signature [ 9 ],[ 7 ].

Privacy and Non-linkability: The veri er, who receives a non-invertibly transformed version of the biometric is unable to reverse the transformation and discover the individual's actual biometric signature. Provided that the transformations have di erent parameters, cross matching of biometrics is impossible. These privacy and non-linkability features are provided by de nition through cancelable biometrics [ 5 ]. Further work is required on the non-linkability of the proof mechanism as it is in some cases possible for proofs to be linked via the Algorithm 2 Service Provider Enrols Individual 6: 7: 8: 9: 10: 11: 1: procedure AddNewUser(pi, biometricVariety, similarityThreshold ) //pi is unique to each service provider 2: claimP res request veri able claim for P-DFT biometric transform from user with parameters pi 3: sig claimP res:proof:proof V alue // extract the transformed biometric from the claim presentation [ 9 ] 4: transbV ec claimP res:credentialSubject:transf ormedBiometric // extract the proof from the veri able claim presentation [ 9 ] 5: V; pk retrieve(biometricVariety) //get public parameters V and trusted organisation's public key for the biometric typepk from Blockchain if not validpk(V; sig; transbV ec) or isRevoked(claimPres) then //if the homomorphic signature does not hold, or the claim has been revoked return false for transformedBiometric in database do if transbV ec:isSimilar, similarityThreshold(transf ormedBiometric) then return false //if a similar biometric exists already then reject. addNewUserToDb(transbVec) //save transformed biometric return true //success public parameters. This issue may be recti ed either through Gorbunov's multidata signing scheme [ 7 ] or by having the trusted organisation issue a number of public parameters to each individual, and each one could be used to establish an unlinkable identity.

Unique Identi cation: An individual can create as many signed biometrics or identities as they like and enrol with any trusted organisation. The transformation will always map them back to the same identi er, with an error rate that is dependant on the quality of the matching algorithm and the number of individuals in the system. This is irrespective of the trusted organisation and is a result of biometric classi cation algorithms. The error rate arises from the imprecise nature of biometric feature extraction. Note that each Service Provider must require the same variety of biometric from all of their clients, or unique identi cation is impossible. [ 5 ].

Decentralisation: The trusted organisations do not have to communicate or be in consensus for the Unique Identi cation property to hold. This is enabled through Blockchain technology, which allows public keys and parameters to be stored without a central authority [ 10 ].

Biometrically Derived: Biometrics are used, meaning that the system does not depend on individuals holding previous identity documents in order to enrol. 3