One fundamental aspect of many human identification systems is that for each individual, no more than one identity exists [1]. This is often due to an unfair advantage that can be gained by a malicious individual having two identities, for example, they may be able to fraudulently access additional credit at a bank [2]. However, preventing malicious double enrolment is difficult. Many existing approaches uniquely identify individuals through an exchange of verifiable documents and basic identification information [3]. However, these traditional identification methods have a number of fundamental drawbacks:
1. Through organisations storing basic identity attributes such as name, birthdate and address, individuals can be linked across multiple independent uses of their identity, without consent.
2. When organisations requiring identity verification store a large amount of information about each individual for identification purposes, it makes the system vulnerable to attacks, as it is easy for a hacker who obtains access to the internal records to learn many details about each individual. Worse still, basic attributes such as address cannot easily be cancelled or changed and so a fresh identity is very hard to establish.
3. Over 1 billion individuals worldwide lack a form of officially recognised identity such as a passport [4], which makes it very difficult to enrol with service providers-such as banks, which need to uniquely identify individuals.
We propose a decentralised, privacy-preserving identity system which can identify individuals through a bijective mapping from individuals to identifiers used in a specific organisational context. It is designed to give individuals control over their own identity and shared information but to give organisations a guarantee of uniqueness. To our knowledge, such a privacy preserving biometric identification system does not exist in the literature.
Biometrics are a useful tool in identification of individuals because biometric signatures, such as fingerprints, are unique to each human [5]. Further, they do not depend on an individual needing to hold official identity documents. Cancelable biometrics have been created as a method to protect biometric signatures; rather than storing the full biometric in identification databases, biometrics are non-invertibly transformed to obfuscate the original biometric signature [6], and only the obfuscated version is stored. However, one problem with current cancelable biometric protocols is that the individual must trust the organisation receiving their biometric signature to correctly transform and securely manage the biometric signatures.
Homomorphic signatures allow a verifier to prove that a calculation has been done correctly without having to access the underlying data [7]. We propose utilising homomorphic signatures as a proof mechanism to allow the individual to obfuscate their own biometric signature on their personal device through applying a specific non-invertable transformation that is requested by the organisation wanting to identify the individual. The authors are unaware of previous research proposing the use of homomorphic signatures to prove the validity of cancelable biometrics. For the first time, we propose that the combination of these techniques enables self-sovereign identity.
The W3C, an international standards organization, has introduced Distributed Identifiers (DIDs) and Verifiable Claims. DIDs are linked to DID documents, which store mechanisms used to authenticate the DID, service endpoints, and other claims [8]. Using DIDs, the W3C aims to create a standard for individuals and organizations to control their own identity. W3C Verifiable Claims are a mechanism to express credentials on the Web in way that is cryptographically secure, privacy respecting, and machine-verifiable [9]. The Sovrin foundation has used DID and Verifiable claims to create a Blockchain based Identity System [10], which enables distributed management of public keys and revocation of verifiable claims. Similarly, we propose to facilitate transfer of obfuscated biometrics using Blockchain-based verifiable claims.
Self-sovereign identity can be defined as "the concept of individuals or organizations having sole ownership of their digital and analogue identities, and control over how their personal data is shared and used" [11]. A number of organisations including The Sovrin Foundation [10], Civic Ledger [13] and uPort [14] have recently launched of self-sovereign identity protocols. The Sovrin Foundation has been involved in the development of ID2020 which aims to create an open and human-centric approach to identity [12]. They suggest benefits including no physical papers and the convenience of biometric authentication. Other attempts, such as Civic ledger's solution, depend on the individual holding official identity documents such as passports to enrol with their system, which is problematic for displaced persons and others.
No self-sovereign identity schemes are currently available which offer nonlinkability of individually-controlled identities. Where existing protocols offer the capacity to use biometric signatures, they do not allow individuals to noninvertably transform their biometric signature before it is sent, and therefore do not protect the privacy of personal biometrics.
We propose the concept of Unique Self-Sovereign Identity, or USI. USI means that an individual can have at most one identity in a particular context, but identities cannot be linked between contexts without permission from the individual. Therefore, individuals can be uniquely identified but still have control over their personal identifying data.
We define three key roles: Individual: a human who wants to be identified by a Service Provider. Service Provider: an organisation requiring its individual users to complete identity verification for access to services. The service provider commits to requiring a specific variety of biometric for all of its users. Trusted Organisation: an organisation within the trust network of both a service provider and an individual. Service providers trust these organisations to ensure that the biometric signatures are accurate and individuals trust these organisations to destroy their biometric signature immediately after use. Trusted organisations maintain public keys for each variety of biometric signature they sign, meaning that service providers are able to verify that the biometric signature is of the variety they require.
In our protocol, each individual is identified for each service provider by a cancelable (non-invertibly transformed) version of their biometric signature. To achieve this non-invertibility, we use a Partial Discrete Fourier Transform for non-linkable biometrics [6]. We extend existing cancelable biometric schemes so that the service provider never has access to the complete biometric signature of each individual. To enable this, we use fully homomorphic signatures [7] to prove the validity and correctness of a biometric signature which is already Fig. 1: Our USI Protocol showing the interactions between an Individual represented by a User Device, a Trusted Organisation, and several Service Providers non-invertibly transformed by the individual before it is sent. Finally, the solution uses a Blockchain W3C standard Verifiable claims system [10], where our homomorphic signature acts as the proof mechanism, meaning that individual biometric signatures can be revoked when needed, and requiring that the public key of the Trusted Organisation is publicly available. Our protocol does not address authentication, that can employ conventional means such as username and password. Our protocol is as follows (see figure 1).
1. The individual enrols for an identity with a trusted organisation C of their choice (see Algorithm 1). C collects finger print and vein scans, ensuring that the biometrics are collected accurately and are truly the biometrics of the individual. The assurance process will be determined by C's own policy, but will probably include human supervision. The individual stores the biometrics together with a corresponding signature which is provided by C. C must not store the biometrics-and is trusted not to by the individual. C has its public key available on the Blockchain Verifiable Claims system. C adds required randomly generated public parameters for homomorphic signature verification to the ledger, and adds the signature for the biometric to a public revocation register, attesting to the validity of the biometric.
2. The individual wants to enrol with a service provider B i and B i requires proof that they have not enrolled previously with B i . To check, B i requests an P-DFT transform [6] with the trusted organisation's specific parameters, from the individual. These parameters are derived using the public key of B i and are therefore not used by any other organisation requiring identity verification.
The individual computes the result of the transformation and sends it to B i , with a fully homomorphic signature under that P-DFT, along with the name of trusted organisation C for lookup in the Blockchain Verifiable Claims Public Key register. Verifying that the calculation was done correctly does not require the individual to send the initial signature from C or the individual's raw biometric.
3. Service provider B i looks up trusted organisation C's public key on-chain and verifies the homomorphic signature against the transformed biometrics sent by the individual, the public parameters, and the public key of C (see Algorithm 2). If it holds as valid, and the proof of non-revocation holds, then B i checks all current biometric vectors in its database for any vectors within a thresholded similarity of the provided biometric. If it finds no matches, then B i has verified that the individual has not previously enrolled.
Algorithm 1 Trusted Organisation Creates Verifiable Claim for Individual to Store 1: procedure VCgen(pk,device) 2:
bV ec ← retrieve(device) //retrieve processed biometric vector for individual from trusted organisation's external device 3:
l ← length of bVec 4:
V ← randomly generate l public parameters 5:
x ← Sign sk (bVec)//trusted organisation homomorphically signs the biometric vector using its secret key 6:
writeToChain(V) //write the public parameters V onto the Blockchain 7:
claim ← generate a verifiable claim from trusted organisation's metadata [9] 8:
claim.proof ← generate a proof property from signature x 9:
addToNonRevocationRegister(claim) //add the claim to a public nonrevocation register 10: cleanup() //critically, trusted organisation must delete bVec, the user's raw biometric vector 11: return claim
Self-sovereignty: The identity holder has complete control over storage and use of their identity. This is provided through the use of verifiable claims, and the homomorphic proof mechanism, which allows individuals to reliably store their own biometric signature [9], [7].
Privacy and Non-linkability: The verifier, who receives a non-invertibly transformed version of the biometric is unable to reverse the transformation and discover the individual's actual biometric signature. Provided that the transformations have different parameters, cross matching of biometrics is impossible. These privacy and non-linkability features are provided by definition through cancelable biometrics [5]. Further work is required on the non-linkability of the proof mechanism as it is in some cases possible for proofs to be linked via the Algorithm 2 Service Provider Enrols Individual 1: procedure AddNewUser(pi, biometricVariety, similarityThreshold ) //pi is unique to each service provider 2:
claimP res ← request verifiable claim for P-DFT biometric transform from user with parameters pi 3:
sig ← claimP res.proof.proof V alue // extract the transformed biometric from the claim presentation [9] 4:
transbV ec ← claimP res.credentialSubject.transf ormedBiometric // extract the proof from the verifiable claim presentation [9] 5:
V, pk ← retrieve(biometricVariety) //get public parameters V and trusted organisation's public key for the biometric typepk from Blockchain 6:
if not valid pk (V, sig, transbV ec) or isRevoked(claimPres) then 7:
//if the homomorphic signature does not hold, or the claim has been revoked 8:
return false 9:
for transformedBiometric in database do 10:
if transbV ec.isSimilar, similarityThreshold(transf ormedBiometric) then 11:
return false //if a similar biometric exists already then reject. 12: addNewUserToDb(transbVec) //save transformed biometric 13:
return true //success public parameters. This issue may be rectified either through Gorbunov's multidata signing scheme [7] or by having the trusted organisation issue a number of public parameters to each individual, and each one could be used to establish an unlinkable identity. Unique Identification: An individual can create as many signed biometrics or identities as they like and enrol with any trusted organisation. The transformation will always map them back to the same identifier, with an error rate that is dependant on the quality of the matching algorithm and the number of individuals in the system. This is irrespective of the trusted organisation and is a result of biometric classification algorithms. The error rate arises from the imprecise nature of biometric feature extraction. Note that each Service Provider must require the same variety of biometric from all of their clients, or unique identification is impossible. [5]. Decentralisation: The trusted organisations do not have to communicate or be in consensus for the Unique Identification property to hold. This is enabled through Blockchain technology, which allows public keys and parameters to be stored without a central authority [10].
Biometrically Derived: Biometrics are used, meaning that the system does not depend on individuals holding previous identity documents in order to enrol.
We describe a USI identity system which is capable of addressing number of significant current challenges in identity management. A key area for further work is improving the performance of biometric identification. The error rate could prove to be an obstacle due to the compounding of errors in biometric identification systems [15]. The need to trust the trusted organisation's management of biometric data is a potential drawback of our protocol that could be addressed by legal or social mechanisms. Personal enrolment with the trusted organisation potentially exposes information about identity that could be exploited. However, we believe that this system could be feasible for distributed and privacy preserving identification at large scale. Future work includes a reference implementation and security analysis.