¹¹institutetext: Blockpass ID Lab, Edinburgh Napier University, Edinburgh, UK
¹¹email: {d.kasimatis,s.grierson2,b.buchanan}@napier.ac.uk ²²institutetext: Condatis Group Limited, Edinburgh, UK
²²email: [email protected]

DID:RING: Ring Signatures using Decentralised Identifiers For Privacy-Aware Identity Proof^†^†thanks: This work is the result of research co-funded by Condatis Group Limited and The Data Lab. Permanent ID of this document: 6c52ab3735631b399f6ea954d3c91231. Date: March 11, 2024.

Dimitrios Kasimatis 11 0009-0009-2036-426X Sam Grierson 11 0000-0002-3625-6337 William J. Buchanan 11 0000-0003-0809-3523 Chris Eckl 22 Pavlos Papadopoulos 11 0000-0001-5927-6026 Nikolaos Pitropakis 11 0000-0002-3392-9970 Craig Thomson 11 0000-0001-7320-7262 Baraq Ghaleb 11 0000-0002-8361-0634

Abstract

Decentralised identifiers have become a standardised element of digital identity architecture, with supra-national organisations such as the European Union adopting them as a key component for a unified European digital identity ledger. This paper delves into enhancing security and privacy features within decentralised identifiers by integrating ring signatures as an alternative verification method. This allows users to identify themselves through digital signatures without revealing which public key they used. To this end, the study proposed a novel decentralised identity method showcased in a decentralised identifier-based architectural framework. Additionally, the investigation assesses the repercussions of employing this new method in the verification process, focusing specifically on privacy and security aspects. Although ring signatures are an established asset of cryptographic protocols, this paper seeks to leverage their capabilities in the evolving domain of digital identities.

Keywords:

Ring Signatures Decentralised Identifiers Decentralised Identification Documents Digital Identities Digital Signatures

1 Introduction

The European Union (EU) has advocated a transition in identity management among its member states, aiming to implement European-wide electronic identification (eID) and identity trust services. To that effect, the EU introduced the Electronic Identification, Authentication, and Trust Services (eIDAS) regulation authority, tasked with overseeing the emerging digital identity infrastructure for cross-border engagements [26]. Although this shift towards digital identities is crucial for develo** online services and facilitating transactions, it raises concerns regarding privacy and security that warrant consideration when implementing any such framework [15].

Typically, the private credentials of individuals are stored in their cryptographically secure digital wallets and, from there, can be referenced through the use of a Decentralised IDentifier (DID) [25]. DIDs constitute a notable transition in digital identity, introducing a novel category of globally unique identifiers that facilitate a verifiable, decentralised digital identity [27]. Unlike conventional identifiers, DIDs remove the need for a centralised registration authority, forming an essential element of self-sovereign identity (SSI) systems. This concept is in harmony with the principles of evolving digital identity management, which reinstates control and privacy of identity data to the individual [30]. A DID is designed to function across decentralised networks, including various blockchains, and is resolved into DID documents. These documents encapsulate critical information such as public keys and service endpoints, which are requisite for secure cryptographic interactions [27]. These methods outline the procedures for creating, reading, modifying, and revoking DIDs, ensuring each DID’s uniqueness within its method’s namespace [18].

DIDs can be verified using cryptographic proofs, one of the more common ones being digital signatures. In this work, the application of ring signature algorithms is proposed as a means to anonymise the identification of DID documents. For example, within the EU e-ID infrastructure, the EBSI (European Blockchain Service Infrastructure) blockchain [29] is used to store the public keys of citizens and trusted entities and where the associated digital wallet will hold the private key. When a citizen or trust entity wishes to sign a message, they will use their private key to produce the signature, and then this can be proven against their public key, which is held on the EBSI ledger.

Ring signatures [23] allow signers to dynamically choose a set of public keys and sign messages on behalf of the set without revealing who the real signer is. Furthermore, it is impossible to check if any two signatures were issued by the same signer. The core property of the is the interest of this work is the provision of anonymity, making them useful for privacy-preserving protocols, such as e-voting, whistleblowing, and private transactions for cryptocurrencies [5]. This paper leverages the capabilities of DIDs to present a use case for implementing ring signatures, as the SSI nature of DID-related architectures can benefit from the anonymised identification features of the method.

1.1 Contributions

The contributions of this paper can be summarised as follows:

1.

DID Method with Ring Signature Verification. The study introduces a new DID method that outlines the specifications to create a DID document that encapsulates the DIDs of the identity documents that are part of the signature ring. The new DID method is required to leverage the proposed verification method of ring signatures to enhance privacy and security in DID-related architectures.
2.

Ring Signature DID Architecture. The investigation examines the implementation of the proposed DID method within a DID-oriented architectural framework, focusing on the identification procedure. It further analyses the impact of this method on privacy and security, assessing its effectiveness and prospects. Further potential integration with privacy-preserving technologies, such as Zero Knowledge Proofs (ZKPs), is also considered to achieve digital identity verification without losing functionality.
3.

Ring Signature Implementation Results. The study implements into the architecture the Borromean ring signature as a considered method and analyses its computational impact, drawing conclusions based on the number of DID documents on the ring.

1.2 Organisation

The rest of the paper is structured as follows. Section 2 examines related works in ring signatures and decentralised identifiers. In addition, it outlines the cryptographic-related research of ring signatures. Section 3 defines the proposed DID method and architecture for anonymous identification while also discussing the privacy and security considerations of the solution. Section 4 includes the implementation results of a ring signature. Finally, section 5 summarises the paper’s insights while giving suggestions for future work.

2 Related work

This section outlines some of the related work on ring signatures and distributed identifiers.

2.1 Distributed Identifers

DIDs and DID methods were proposed as a decentralised identity standard by a W3C working group [27]. Since their proposal, the landscape of DID methods has seen significant advancements, with various approaches proposed to enhance security, interoperability, and usability within decentralised systems.

Park and Nam [22] introduced a novel method for DIDs utilising an infinite one-way hash chain to improve security and facilitate key rotation. This method addresses the significant issue of identity theft and the challenge of managing multiple identifiers for a single entity. The effectiveness of their approach was demonstrated through implementations on Hyperledger Fabric and the Contiki Cooja simulator. In a related study, Alangot et al. [2] developed DID authentication protocols incorporating features for auditability and privacy, designed to identify malicious authentication attempts to prevent the association of authentication events with individual users.

Alzahrani [4] investigated the application of Information-Centric Networking (ICN) for the registry of DIDs and Verifiable Credentials (VCs), capitalising on the decentralised nature and efficient lookup capabilities of ICN to reduce network overhead and improved lookup times. In a comparative study, Alizadeh et al. [3] analysed the performance of permissionless blockchain and Distributed Hash Tables (DHT)-based registries for verifiable data, concluding that DHT-based systems offer better performance in large-scale environments.

Huh et al. [14] conducted an analysis of the security and privacy considerations of the W3C DID standard [27] and its universal resolver component. They introduced Oblivira, a design for privacy-preserving DID resolution that ensures the resolver processes requests without accessing their content, thereby enhancing users’ privacy within digital identity frameworks.

2.2 Ring Signatures

The first ring signature scheme was proposed by Rivest et al. [23], who used the RSA digital signature algorithm, along with hash and one-way functions, to instantiate a practical ring signature scheme. Abe et al. [1] generalised the classical ring signature, resulting in a more standard approach to constructing ring signature schemes. Their paper was also the first to propose using a discrete logarithm-based signature scheme to construct ring signatures. Liu et al. [16] further advanced ring signature schemes by enabling signatures to be generated associated with spontaneous groups of public keys. Dodi et al. [10] also works on spontaneous group signatures; however, their approach involves using cryptographic accumulators.

A major advancement in the practicality of ring signature schemes was the Borromean signature scheme of Maxwell and Poelstra [19], enabling multiple signatures to be validated far more efficiently. The efficiency of the Borromean signature scheme was used by the Monero cryptocurrency to enable efficient validation of anonymous transactions [21]. Other approaches to efficient ring signatures were proposed more recently, using non-interactive zero-knowledge proofs to achieve $O(\log n)$ -sized signatures such as in Bootle et al. [8] or Groth’s [13] discrete logarithm based constructions. A general approach to non-interactive zero knowledge proof-based ring signatures was given by Backes et al. [5] with efficient lattice-based constructions from Esgin et al. [12, 11] and Yuen et al. [32].

2.3 Ring Signature Schemes

In this section, we describe classical ring signature constructions, a generalised definition of a ring signature, and the necessary security and anonymity properties to which a ring signature should conform.

Notation.

Let $\mathbb{R}$ , $\mathbb{Z}$ , and $\mathbb{N}$ denote the sets of real, integer, and natural numbers, respectively. For a $q\in\mathbb{N}$ , the notation $\mathbb{Z}_{q}$ denotes the congruence classes modulo $q$ and $\mathbb{Z}^{\ast}_{q}$ denotes the multiplicative group of order $q$ over the integers. Let $x\xleftarrow{\text{\tiny\$}}S$ denote a sampling of an element $x$ from the set $S$ independently and uniformly at random. The notation $x\in[n]$ will be used as shorthand for $x\in\{1,\ldots,n\}$ . The function $\mathsf{negl}:\mathbb{N}\to\mathbb{R}$ is a negligible function if for every polynomial $f$ there are values $n,m\in\mathbb{N}$ such that for all $n>m$ it holds that $\mathsf{negl}(n)<\frac{1}{f(n)}$ .

2.3.1 Classical Ring Signature Constructions

Rivest et al.’s [23] classical ring signatures for a set of $n$ public keys $\{\mathsf{pk}_{i}\}_{1\leq i\leq n}$ is constructed by computing $n-1$ “pseudo-signatures” sequentially in a ring-like structure and then using the signer’s secret key $\mathsf{sk}$ to close the ring with a “real” signature. The $n$ signatures form a ring signature on behalf of the set of public keys. Abe et al. [1] provided the first generic construction for signatures using either the hash-and-one-way type (Type-H) or the three-move type (Type-T) [32].

The following briefly describes a Type-T signature and how the AOS signature constructions [1] function when built on top of Schnorr identification [24]. Type-T signatures consist of three steps three signing with a secret key $\mathsf{sk}$ and public key $\mathsf{pk}=g^{\mathsf{sk}}$ for a group generator element $g$ and message $m$ : the commitment step $c=g^{r}$ , the hashing step $e=H(m,c)$ , and the response step $z=r-c\cdot\mathsf{sk}$ . The resulting Type-T signature for a single public key is $\sigma=(e,z)$ . Verification involves reconstructing the commitment from the signature, i.e. $c^{\prime}=g^{z}\cdot\mathsf{pk}^{e}$ , and then hashing to check if $H(m,c^{\prime})=e$ .

Figure 1: The Type-T structure of a ring signature as defined by the generic AOS ring signatures schemes [1]. In the figure,

H

corresponds to a collision-resistant hash function,

v

is a cryptographic commitment function and the

r_{i}

s and

\mathsf{pk}_{i}

s for

1\leq i\leq n

are unique randomness inputs and public keys respectively.

In the Type-T AOS ring signature for a ring of public keys $\mathsf{R}=\{\mathsf{pk}_{i}\}_{1\leq i\leq n}$ the signer with index $s$ follows the structure in Fig. 1 in which the signer is assumed to have the $\mathsf{sk}$ corresponding to $\mathsf{pk}_{s}$ . More specifically, a signer would choose randomness $r_{s}$ to generate their commitment and use this to compute the $i+1$ ^th challenge with the hash function $H$ . By picking a random $i+1$ ^th response $r_{i}$ and public key $\mathsf{pk}_{i}$ for $s+1\leq i\leq n$ then $1\leq i\leq s-1$ the signer can reconstruct the $i$ ^th commitment $c_{i}$ and generate the $i+1$ ^th challenge $e_{i+1}$ using the hash function $H$ . This sequentially forms the ring; the final step is to then close the ring by computing $z$ from the response function. The resulting signature is $\sigma=(e_{1},r_{1},\ldots,r_{n})$ .

2.3.2 Generic Ring Signatures

This paper considers an adaptation of the functional definition of ring signatures given by Bender et al. [6]. A ring of size $n$ is an ordered set of pubic keys $\mathsf{R}=(\mathsf{pk}_{1},\ldots,\mathsf{pk}_{n})$ where the notation $\mathsf{R}[i]$ denotes the $i$ ^th public key in the ring. Assume that the keys in the ring are unique and ordered lexicographically and that $\lvert\mathsf{R}\rvert\geq 2$ , since the scheme does not intend to support standard single public key verification.

Definition 1 (Ring Signature Scheme [6])

A ring signature scheme $\mathsf{Ring}$ is a tuple of efficient algorithms $\mathsf{gen}$ , $\mathsf{sign}$ , and $\mathsf{vrfy}$ defined by

(\mathsf{pk},\mathsf{sk})\xleftarrow{\text{\tiny\$}}\mathsf{gen}(1^{\lambda})% \quad\sigma\xleftarrow{\text{\tiny\$}}\mathsf{sign}_{\mathsf{sk},s}(m,\mathsf{% R})\quad\mathsf{vrfy}_{\mathsf{R}}(m,\sigma)\in\{0,1\}

for a security parameter $\lambda\in\mathbb{N}$ such that $\mathsf{vrfy}_{\mathsf{R}}(m,\mathsf{sign}_{\mathsf{sk},s}(m,\mathsf{R}))=1$ for any $(\mathsf{pk}_{i},\mathsf{sk}_{i})$ for $i\in[n]$ output by $\mathsf{gen}(1^{\lambda})$ , any $s\in[n]$ , and any $m$ where $\mathsf{R}=(\mathsf{pk}_{1},\ldots,\mathsf{pk}_{n})$ .

A ring signature scheme should conform to the security definitions based on the basic property of anonymity, i.e. an efficient adversary should be unable to determine which public key in a ring corresponds to the secret key used for signing, and strong unforgeability for a fixed-ring. There are some stronger definitions of anonymity, such as those considered in [6]; however, this paper considers signatures that correspond to a fixed ring. The following definition of anonymity considers a probabilistic security experiment in which an efficient adversary guesses a public key associated with a signature. Some previous works considered a variant of security in which the adversary is given a uniformly chosen public key in the ring $\mathsf{R}$ and asked to guess the signer with probability greater than $\frac{1}{\lvert\mathsf{R}\rvert}+\mathsf{negl}(\lambda)$ for $\lambda\in\mathbb{N}$ . The signer guessing experiment is equivalent to the bit guessing experiment given below.

Definition 2 (Signer Anonymity)

Given a ring signature scheme $\mathsf{Ring}$ defined by $\mathsf{gen}$ , $\mathsf{sign}$ , and $\mathsf{vrfy}$ and an efficient adversary $\mathcal{A}$ define the following probabilistic experiment:

\mathsf{Adv}^{\text{anon}}_{\mathcal{A},\mathsf{Ring}}(\lambda):=\Pr\left[b=b^% {\prime}\middle|\begin{aligned} &\mathsf{S}:=(\mathsf{pk}_{i})_{i\in[\mathsf{% poly}(\lambda)]}\ \text{for}\ \mathsf{pk}_{i}\xleftarrow{\text{\tiny\$}}% \mathsf{gen}(1^{\lambda})\\ &\mathcal{A}^{\mathcal{O}}\ \text{chooses}\ m,i_{0},i_{1},\mathsf{R}\subseteq% \mathsf{S}\ \text{where}\ \mathsf{pk}_{i_{0}},\mathsf{pk}_{i_{1}}\in\mathsf{R}% \\ &b\xleftarrow{\text{\tiny\$}}\{0,1\},\ \sigma\xleftarrow{\text{\tiny\$}}% \mathsf{sign}_{\mathsf{sk}_{i_{b}},i_{b}}(m,\mathsf{R}),\ \text{and}\ b^{% \prime}:=\mathcal{A}^{\mathcal{O}}(\sigma)\end{aligned}\right]

where $\mathcal{O}$ is a signing oracle that returns $\sigma_{i}\xleftarrow{\text{\tiny\$}}\mathsf{sign}_{\mathsf{sk},s_{i}}(m_{i},% \mathsf{R}_{i})$ for $i\in[q]$ where $q\in\mathbb{N}$ is the number of queries $\mathcal{A}$ can make to $\mathcal{O}$ , $\mathsf{R}_{i}\subseteq\mathsf{S}$ and $\mathsf{pk}_{s}\in\mathsf{R}_{i}$ . A ring signature scheme provides signer anonymity if $\mathsf{Adv}^{\text{anon}}_{\mathcal{A},\mathsf{Ring}}\leq\frac{1}{2}+\mathsf{% negl}(\lambda)$ holds for $\lambda\in\mathbb{N}$ .

Much like for anonymity, unforgeability has some additional stronger definitions such as those considered in [6]. In this paper, the ring signature schemes considered are fixed-ring schemes; therefore, the definition of security given is Strong UnForgeability against Fixed-Ring Attacks (SUF-FRA). The SUF-FRA definition given below should be familiar as if follows closely the principles of the SUF-CMA definition of security for standard digital signature schemes. The only significant difference between the two definitions of strong unforgeability is the use of a ring of public keys rather than a single uniformly generated public key.

Definition 3 (Strong Unforgeability Against Fixed-Ring Attacks)

Given a ring signature scheme $\mathsf{Ring}$ defined by $\mathsf{gen}$ , $\mathsf{sign}$ , and $\mathsf{vrfy}$ and an efficient adversary $\mathcal{A}$ define the following probabilistic experiment:

\mathsf{Adv}^{\text{suf-fra}}_{\mathcal{A},\mathsf{Ring}}(\lambda):=\Pr\left[% \begin{aligned} &\mathsf{vrfy}_{\mathsf{R}}(m,\sigma)=1\\ &(m,\sigma)\notin\{(m_{i},\sigma_{i})\}_{i\in[q]}\end{aligned}\middle|\begin{% aligned} &\mathsf{R}:=(\mathsf{pk}_{i})_{i\in[\mathsf{poly}(\lambda)]}\ \text{% for}\ \mathsf{pk}_{i}\xleftarrow{\text{\tiny\$}}\mathsf{gen}(1^{\lambda})\\ &(m,\sigma):=\mathcal{A}^{\mathcal{O}}(\mathsf{R})\end{aligned}\right]

where $\mathcal{O}$ is a signing oracle that returns $\sigma_{i}\xleftarrow{\text{\tiny\$}}\mathsf{sign}_{\mathsf{sk},s_{i}}(m_{i},% \mathsf{R})$ for $i\in[q]$ where $q\in\mathbb{N}$ is the number of queries $\mathcal{A}$ can make to $\mathcal{O}$ . A ring signature scheme provides unforgeability against fixed-ring attacks if $\mathsf{Adv}^{\text{suf-fra}}_{\mathcal{A},\mathsf{Ring}}\leq\mathsf{negl}(\lambda)$ holds for $\lambda\in\mathbb{N}$ .

3 Using Ring Signatures With Decentralised Identifiers

In this section, we describe DIDs and DID methods and propose a DID method specification to enable a holder of a DID to anonymously identify themselves based on the properties of ring signature schemes.

DIDs and DID Methods.

A DID [27] is a representative string that uniquely designates a digital subject, such as an individual, organisation, device, or document. The configuration and syntax of a DID is defined by the World Wide Web Consortium (W3C) standard, guaranteeing interoperability and uniformity across diverse platforms and systems. An example of a DID would be:

did:example:bef4a730573ea233f02fbd58d83fc344

where did is the URI scheme identifier, example is the DID method, and bef4a730573ea233f02fbd58d83fc344 is the method-specific-identifier which is unique to the DID method namespace. A primary characteristic of DIDs is their capability to be resolved into DID Documents, which constitute digital records that delineate the DID subject and contain cryptographic elements like public keys and service endpoints to aid in secure communication and authentication of the DID owner’s identity [20].

The decentralised aspect of a DID is enabled by distributed ledger technology, which is used to establish that DIDs are resistant to tampering, verifiable, and transferable across different systems and applications [17]. The decentralised approach to identity management strengthens security and privacy and gives individuals sovereignty over their digital identities, permitting them to disclose solely the information they opt for through the use of cryptographic methods such as zero-knowledge proofs [31].

DID methods define how an implementer realises the features described by the specification of the DID, often associated with a specific verifiable data registry [28]. One of the main advantages of using a DID method is that new DID methods can be defined to enable interoperability between implementations of the same DID method. DID methods require the definition of both a DID scheme or syntax and specific mechanisms for creating, resolving, updating and revoking DIDs and DID documents [27].

3.1 The Ring DID Method Syntax

The Ring DID method specification proposed in this paper is designed to conform to the DID specification currently published by the W3C Credentials Community Group [27]. To implement a proposed ring signature, we leverage the verifiable credentials that are stored in a holder’s digital wallet and identified by their own DIDs. The credentials’ DID public keys are linked together using the newly introduced Ring DID method specification to form a DID that uses the ring signature for verification.

The name string that will be used to identify the Ring DID method is ring. A DID that uses this method must begin with the prefix did:ring, and, per the DID specification, this string must be in lowercase. The content of the DID after the prefix for the Ring DID method is the base58 encoding of the method-specific identifier. The W3C DID specification uses the Augmented Backus–Naur Form (ABNF) to produce DIDs as URIs compliant with RFC 3986 [7]. The proposed method’s namespace-specific identifier follows this standard, which can be seen in Listing 1. All Ring DIDs are encoded in base58 encoding using the Bitcoin/IPFS alphabets, resulting in the most alphas and digits to avoid readability issues.

⬇

ring-did = "did:ring:" idstring

idstring = 40*48(base58char)

base58char = "1" / "2" / "3" / "4" / "5" / "6" / "7" / "8"

/ "9" / "A" / "B" / "C" / "D" / "E" / "F" / "G" / "H"

/ "J" / "K" / "L" / "M" / "N" / "P" / "Q" / "R" / "S"

/ "T" / "U" / "V" / "W" / "X" / "Y" / "Z" / "a" / "b"

/ "c" / "d" / "e" / "f" / "g" / "h" / "i" / "j" / "k"

/ "m" / "n" / "o" / "p" / "q" / "r" / "s" / "t" / "u"

/ "v" / "w" / "x" / "y" / "z"

Listing 1: The ABNF for the namespace specific identifier of the Ring DID method. All Ring DIDs are encoded in base58 with the Bitcoin/IPFS character set. Ring DIDs are 40-48 characters in length and are case-sensitive.

Identifier Generator Procedure.

As per the W3C standard, each proposed DID method must specify a generation method for the method-specific identifier component of the DID. For the Ring DID method we propose the following: Let $\mathsf{R}$ be a ring of public keys such that $\lvert\mathsf{R}\rvert=n$ and the public key of the signer $\mathsf{pk}_{s}=\mathsf{R}[s]$ for the index $s\in\mathbb{N}$ . Define a collision-resistant hash function $H$ as $H:\{0,1\}^{\ast}\to\{0,1\}^{512}$ and compute

r\xleftarrow{\text{\tiny\$}}\{0,1\}^{\geq\lambda}\qquad H(\mathsf{pk}_{s}\mid% \mid r\mid\mid\mathtt{ring}||\mathsf{pk}_{1}\mid\mid\cdots\mid\mid\mathsf{pk}_% {n})

for a $\lambda\in\mathbb{N}$ where $\mathtt{ring}$ is the ASCII of the method name represented in bytes. The method-specific ID for the user is the first $256$ bits of the output of $H$ encoded in base58. For example, a valid ring DID may be:

did:ring:BZEwrymg8P7aCwpJVGzuXHejijUBsmoCLWR4dgfNPuWd.

3.2 DID Operation Definitions

The W3C DID core standard requires that DID methods define mechanisms to create, read, update, and delete a DID and its DID document. In the following, we outline each required mechanism for the did:ring method and provide an overview of the intended functionality of did:ring.

⬇

{

"@context": ["https://www.w3.org/ns/did/v1"],

"id": "did:ring:IDENTIFIER",

"authenticationMethod": [{

"id": "did:ring:IDENTIFIER",

"type": "RING_VERIFICATION_METHOD",

"controller": "did:ring:IDENTIFIER",

"publicKeyBase58": "RING"

}],

"service": [{

"id": "did:DID_1:IDENTIFIER_1#cred-1",

"type": "LinkedDomains",

"serviceEndpoint": "did:DID_1:IDENTIFIER_1"

}, {

"id": "did:DID_2:IDENTIFIER_2#cred-2",

"type": "LinkedDomains",

"serviceEndpoint": "did:DID_2:IDENTIFIER_2"

}]

}

Listing 2: A valid did:ring document for a ring of two public keys defined under the LinkedDomain services as serviceEndpoints.

Create (Register) Method.

The create or register method initialises a did:ring DID and creates the DID document. To create a ring:did, the user must specify a minimum of $2$ credentials that will constitute the ring. In this paper, the DID method we propose is designed to use an arbitrary ring signature method, i.e. AOS [1] or Borromean [19] signatures. As such, the credentials that constitute the ring signature need to use signing algorithms that are supported by the ring:did signing method.

Forming the actual ring of the ring signature is achieved by pointing to credentials via serviceEndpoints which are LinkedDomains. The serviceEndpointss act as links to the DIDs corresponding to each verifiable credential encapsulated within the ring, thereby establishing a verifiable linkage. The serviceEndpoint parameter is essentially a DID that contains a verifiable signing key enabling ring signature’s ability to generate a legitimate signatory output. Listing 2 shows an example DID document for the did:ring method for a size $2$ ring.

Read (Resolve) Method.

Resolution of a did:ring DID is slightly more involved that simple verification with a single public key digital signature scheme. The did:ring would be resolved by the DID resolver, which would take each serviceEndpoint specified by the did:ring DID document and find the public key associated with the credential those endpoints point to. The public keys found by the resolved from the ring that would be used in a ring signature verification specified by the authenticationMethod.

Update (Replace) Method.

A did:ring can be dynamically updated by invoking add and remove key mechanisms that essentially just add new endpoints for the resolver to locate public keys from. The controller attribute, while not mandatory, can play a role in defining the entities authorised to enact changes to the DID document.

Delete (Revoke) Method.

Due to the nature of a ring signature, a did:ring DID cannot be deleted or revoked. However, by deleting or revoking the credentials that constitute the ring of public keys that is used in the signing process the did:ring DID would be unable to generate valid signatures.

3.3 Ring DID Identification Architecture

The proposed DID method, referred to as did:ring, is implemented within a DID-based framework, as depicted in Figure 2. The figure is a template digital identification architecture that consists of several DID documents, specifically did:DID_1:IDENTIFIER_1, did:DID_2:IDENTIFIER_2, and did:DID3:IDENTIFIER_3. These documents are pre-existing, verified credentials of the holder and constitute the elements of the ring structure. The primary function of the did:ring method is to aggregate these individual DIDs into a unified ring DID document, identified as did:ring:IDENTIFIER. This document incorporates the DIDs of the verified credentials and employs ring signatures as its verification mechanism. Upon receiving a request for identification from a verifier, the holder is able to provide a signatory output from the ring DID, thereby verifying their identity without disclosing the specific DID document used in the process.

Refer to caption — Figure 2: Ring DID Identification Architecture.

3.4 Security and Privacy Considerations

Security Considerations.

The implementation of the ring signature within the proposed DID method and architecture is primarily focused on reinforcing security and privacy, which are fundamental in the governance of SSI digital identities. By integrating the ring signature mechanism into the DID framework, the architecture achieves a higher level of security through the obfuscation of the DID document, which is essential for verifying the identity of the holder. According to the specifications outlined in the DID method schema, although the DIDs comprising the ring are disclosed, it remains impossible to ascertain which specific DID document is employed in the generation of the signatory output. This security through obscurity complicates potential unauthorised attempts to decipher or alter the signature, essentially making the system tamper-proof, ensuring the integrity and authenticity of the digital identities are maintained.

Privacy Considerations.

Concerning privacy, the architecture not only conceals the identity of the signing DID document but also establishes a foundational framework conducive to further advancements in privacy preservation. This is achievable through the potential integration of ZKPs, which offer a method for validating transactions or data exchanges without disclosing the underlying information. Such an enhancement would significantly augment the privacy aspect of the architecture, making it a versatile and secure foundation for managing digital identities in the realm of SSI.

4 Implementation Results

The proposed method can be used with a range of ring-based signatures. Table 1 outlines the results based on a Borromean Ring Signature method [9]. This uses an AWS t3.medium instance with an Intel Xeon Platinum 8000 series processor, 3.1 GHz clock speed, and 4GB of RAM. We can see, in this evaluation, that a two DID ring can perform 5,849 ring creations, while we get 1,296 ring signing operations and 995 ring verifications. The greater the number of DIDs on the ring thus reduces the over performance of the processing.

Table 1: Borromean Ring Signature Evaluation (operations per second)

Ring size	Ring creation	Ring signing	Ring verification
2	5,849	1,296	995
3	5,128	888	606
4	3,525	573	540
5	2,951	491	410
6	2,584	402	330
7	2,198	297	310
8	2,142	302	265
9	1,691	255	197
10	1,607	220	183

5 Conclusion

This study addresses the integration of verification processes within digital identity frameworks utilising DIDs. It introduces a novel DID method designed to incorporate ring signatures alongside a practical case for its architectural deployment. This identification approach offers significant improvements in security and privacy by obscuring the DID document of the holder during the verification process and ensuring the integrity of the signatory output against malicious interference. The investigation proposes a distributed ledger-agnostic method, with its applicability to a functioning ledger necessitating further exploration and refinement.

Future research should focus on refining the proposed DID method. In particular, adjustments to the identifier generator procedure are recommended, such as directly incorporating the public keys from the ring DID documents rather than relying on LinkedDomains, assuming this can be achieved without data loss. Moreover, the potential of ring signatures warrants further investigation to enhance anonymous identification capabilities and computational efficiency, particularly as the number of ring elements grows. Despite these challenges, ring signatures emerge as a promising solution for identity verification within DID-based frameworks, offering a balance between user privacy and security.

References

[1] Abe, M., Ohkubo, M., Suzuki, K.: 1-out-of-n signatures from a variety of keys. In: Zheng, Y. (ed.) Advances in Cryptology — ASIACRYPT 2002. pp. 415–432. Springer Berlin Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_26
[2] Alangot, B., Szalachowski, P., Dinh, T.T.A., Meftah, S., Gana, J.I., Aung, K.M.M., Li, Z.: Decentralized identity authentication with auditability and privacy. Algorithms 16(1), 4 (2022)
[3] Alizadeh, M., Andersson, K., Schelén, O.: Performance analysis of verifiable data registry solutions for decentralized identifiers. In: 2022 IEEE Asia-Pacific Conference on Computer Science and Data Engineering (CSDE). pp. 1–8. IEEE (2022)
[4] Alzahrani, B.: An information-centric networking based registry for decentralized identifiers and verifiable credentials. IEEE Access 8, 137198–137208 (2020)
[5] Backes, M., Döttling, N., Hanzlik, L., Kluczniak, K., Schneider, J.: Ring signatures: Logarithmic-size, no setup—from standard assumptions. In: Ishai, Y., Rijmen, V. (eds.) Advances in Cryptology – EUROCRYPT 2019. pp. 281–311. Springer International Publishing (2019). https://doi.org/10.1007/978-3-030-17659-4_10
[6] Bender, A., Katz, J., Morselli, R.: Ring signatures: Stronger definitions, and constructions without random oracles. In: Halevi, S., Rabin, T. (eds.) Theory of Cryptography. pp. 60–79 (2006). https://doi.org/10.1007/11681878_4
[7] Berners-Lee, T., Fielding, R.T., Masinter, L.M.: Uniform Resource Identifier (URI): Generic Syntax. RFC 3986 (Jan 2005). https://doi.org/10.17487/RFC3986
[8] Bootle, J., Cerulli, A., Chaidos, P., Ghadafi, E., Groth, J., Petit, C.: Short accountable ring signatures based on ddh. In: Pernul, G., Y A Ryan, P., Weippl, E. (eds.) Computer Security – ESORICS 2015. pp. 243–265. Springer International Publishing (2015). https://doi.org/10.1007/978-3-319-24174-6_13
[9] Buchanan, W.J.: Borromean ring signature (brs). https://asecuritysite.com/signatures/brs (2024), https://asecuritysite.com/ signatures/brs, accessed: February 29, 2024
[10] Dodis, Y., Kiayias, A., Nicolosi, A., Shoup, V.: Anonymous identification in ad hoc groups. In: Cachin, C., Camenisch, J.L. (eds.) Advances in Cryptology - EUROCRYPT 2004. pp. 609–626. Springer Berlin Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_36
[11] Esgin, M.F., Steinfeld, R., Sakzad, A., Liu, J.K., Liu, D.: Short lattice-based one-out-of-many proofs and applications to ring signatures. In: Deng, R.H., Gauthier-Umaña, V., Ochoa, M., Yung, M. (eds.) Applied Cryptography and Network Security. pp. 67–88. Springer International Publishing (2019). https://doi.org/10.1007/978-3-030-21568-2_4
[12] Esgin, M.F., Zhao, R.K., Steinfeld, R., Liu, J.K., Liu, D.: Matrict: Efficient, scalable and post-quantum blockchain confidential transactions protocol. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. pp. 567–584. CCS ’19, Association for Computing Machinery (2019). https://doi.org/10.1145/3319535.3354200
[13] Groth, J., Kohlweiss, M.: One-out-of-many proofs: Or how to leak a secret and spend a coin. In: Oswald, E., Fischlin, M. (eds.) Advances in Cryptology - EUROCRYPT 2015. pp. 253–280. Springer Berlin Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_9
[14] Huh, S., Shim, M., Lee, J., Woo, S., Kim, H., Lee, H.: Did we miss anything?: Towards privacy-preserving decentralized id architecture. IEEE Transactions on Dependable and Secure Computing (2023)
[15] Lips, S., Bharosa, N., Draheim, D.: eidas implementation challenges: the case of estonia and the netherlands. In: Chugunov, A., Khodachek, I., Misnikov, Y., Trutnev, D. (eds.) International conference on electronic governance and open society: challenges in Eurasia. pp. 75–89. Springer International Publishing (2020). https://doi.org/10.1007/978-3-030-67238-6_6
[16] Liu, J.K., Wei, V.K., Wong, D.S.: Linkable spontaneous anonymous group signature for ad hoc groups. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) Information Security and Privacy. pp. 325–335. Springer Berlin Heidelberg (2004). https://doi.org/10.1007/978-3-540-27800-9_28
[17] Liu, Y., Lu, Q., Paik, H.Y., Xu, X.: Design patterns for blockchain-based self-sovereign identity. In: Proceedings of the European Conference on Pattern Languages of Programs 2020. EuroPLoP ’20, Association for Computing Machinery, New York, NY, USA (2020). https://doi.org/10.1145/3424771.3424802
[18] Mahalle, P.N., Shinde, G., Shafi, P.M.: Rethinking decentralised identifiers and verifiable credentials for the internet of things. In: Dey, N., Mahalle, P.N., Shafi, P.M., Kimabahune, V.V., Hassanien, A.E. (eds.) Internet of things, smart computing and technology: A roadmap ahead. pp. 361–374. Springer International Publishing (2020). https://doi.org/10.1007/978-3-030-39047-1_16
[19] Maxwell, G., Poelstra, A.: Borromean ring signatures. draft, Blockstream (Jun 2015), commit 34241bb
[20] Moreno, R.T., García-Rodríguez, J., Bernabé, J.B., Skarmeta, A.: A trusted approach for decentralised and privacy-preserving identity management. IEEE Access 9, 105788–105804 (2021). https://doi.org/10.1109/ACCESS.2021.3099837
[21] Noether, S.: Ring signature confidential transactions for monero. Cryptology ePrint Archive, Paper 2015/1098 (2015), https://eprint.iacr.org/2015/1098, https://eprint.iacr.org/2015/1098
[22] Park, C.S., Nam, H.M.: A new approach to constructing decentralized identifier for secure and flexible key rotation. IEEE Internet of Things Journal 9(13), 10610–10624 (2021)
[23] Rivest, R.L., Shamir, A., Tauman, Y.: How to leak a secret. In: Advances in Cryptology—ASIACRYPT 2001: 7th International Conference on the Theory and Application of Cryptology and Information Security Gold Coast, Australia, December 9–13, 2001 Proceedings 7. pp. 552–565. Springer (2001)
[24] Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) Advances in Cryptology — CRYPTO’ 89 Proceedings. pp. 239–252. Springer New York (1990). https://doi.org/10.1007/0-387-34805-0_22
[25] Sedlmeir, J., Smethurst, R., Rieger, A., Fridgen, G.: Digital identities and verifiable credentials. Business & Information Systems Engineering 63(5), 603–613 (Oct 2021). https://doi.org/10.1007/s12599-021-00722-y
[26] Sharif, A., Ranzi, M., Carbone, R., Sciarretta, G., Marino, F.A., Ranise, S.: The eidas regulation: A survey of technological trends for european electronic identity schemes. Applied Sciences 12(24), 12679 (2022). https://doi.org/10.3390/app122412679
[27] Sporny, M., Longley, D., Sabadello, M., Reed, D., Steele, O., Allen, C.: Decentralized identifiers (dids) v1.0. Recommendation, W3C (Jul 2022), https://www.w3.org/TR/did-core/
[28] Sporny, M., Steele: Did specification registries. Group note, W3C (Sep 2023), https://www.w3.org/TR/did-spec-registries
[29] Tan, E., Lerouge, E., Du Caju, J., Du Seuil, D.: Verification of education credentials on european blockchain services infrastructure (ebsi): Action research in a cross-border use case between belgium and italy. Big Data and Cognitive Computing 7(2), 79 (2023). https://doi.org/10.3390/bdcc7020079
[30] Toth, K.C., Anderson-Priddy, A.: Self-sovereign digital identity: A paradigm shift for identity. IEEE Security & Privacy 17(3), 17–27 (2019). https://doi.org/10.1109/MSEC.2018.2888782
[31] Yang, X., Li, W.: A zero-knowledge-proof-based digital identity management scheme in blockchain. Computers & Security 99, 102050 (2020). https://doi.org/10.1016/j.cose.2020.102050
[32] Yuen, T.H., Esgin, M.F., Liu, J.K., Au, M.H., Ding, Z.: Dualring: Generic construction of ring signatures with efficient instantiations. In: Malkin, T., Peikert, C. (eds.) Advances in Cryptology – CRYPTO 2021. pp. 251–281. Springer International Publishing (2021). https://doi.org/10.1007/978-3-030-84242-0_10

DID:RING: Ring Signatures using Decentralised Identifiers For Privacy-Aware Identity Proof††thanks: This work is the result of research co-funded by Condatis Group Limited and The Data Lab. Permanent ID of this document: 6c52ab3735631b399f6ea954d3c91231. Date: March 11, 2024.