ION: decentralized identity on Bitcoin
The digital identity of tomorrow
Identity is an integral part of the digital world in which we live. Any individual, organization or computer is represented virtually by one or more identifiers, closely or distantly linked to different data. Digital identity is what links a real entity to its virtual representation.
Whether to authenticate, communicate or use a service on the Web, we use unique identifiers, which are associated with various pieces of personal information (email addresses, pseudonyms, random ids, etc.). These identifiers are usually managed by organizations that have control over our data. This data can be analyzed, altered, sold or stolen without the users’ consent, which represents a threat to their privacy. We must not forget that the data business is worth billions of euros; users do not always realize that their data has real value.
It is from this observation that the concept of decentralized identity, also called self-sovereign identity (SSI), was born.
Decentralized identity, a core concept of Web3, aims to give users back control over their data. It is based on decentralized identifiers (DID), deployed on a distributed registry. Users are the only ones who can manage their DID and the data linked to them, and they can associate only the information they wish to share.
Several actors are developing solutions to build decentralized identity systems. Today we are going to take a look at one of them: ION (Identity Overlay Network). It is a decentralized identity management network, based on Bitcoin.
SideTree: an identifier management protocol
In 2017, members of the Decentralized Identity Foundation (DIF) began working on a solution to manage decentralized identifiers, particularly using blockchains as registries. The idea is to register credentials on a blockchain so that they can be verified and self-monitored by their holders. Because of their properties as decentralized registries, blockchains are particularly well suited to this need. Several projects around decentralized identity have used this type of technology to manage DID.
One of the problems of blockchains is the difficulty of scaling up: scalability. For example, on Ethereum the network is often saturated, which slows transaction processing and increases costs. Other blockchains offer better performance, but compromise on security or on the decentralization of the system. This is known as the blockchain trilemma.
For an identity system to work on a global scale, it must be scalable. For this, there are solutions called Layer 2. These are solutions built “on top” of an existing blockchain, in order to aggregate several operations into a single transaction. This significantly increases the number of transactions per second that can be processed, and thus decreases the costs. This mechanism is used in particular by the Lightning Network on Bitcoin, and by various applications on Ethereum.
The members of the DIF then developed a Layer 2 protocol to manage decentralized identities: SideTree. This protocol makes it possible to create a network in which the different nodes are connected peer-to-peer. The protocol can be adapted to different underlying blockchains, to offer some interoperability. It is also important to underline that it follows the recommendations of the W3C regarding DID and Verifiable Credentials.
SideTree is built with several software components:
- REST API: an interface that allows users to interact with the system.
- SideTree Core: this is the “logical” part of the system, which manages the various operations on the identifiers.
- Content Addressable Storage: manages the storage of identifiers and their metadata. SideTree uses IPFS, a protocol for storing and distributing data in a decentralized way. A MongoDB database is also used for local storage.
- Blockchain Adapter: allows communication with an underlying blockchain, in order to record “states”.
ION: SideTree protocol coupled with Bitcoin
Bitcoin as layer 1
ION (Identity Overlay Network) is an implementation of the SideTree protocol based on Bitcoin and developed by members of the DIF. It is thus a public, decentralized identity management system that is not controlled by any organization. It is able to handle several thousand transactions per second.
SideTree also has other implementations, including Element, which is based on the Ethereum blockchain.
ION chose Bitcoin for the following reasons:
- The network is open to all
- The nodes are numerous and decentralized
- Transactions are transparent, verifiable and immutable
- Bitcoin has proven its resilience for over 10 years
- Participants are incentivized to maintain and operate the network
- The cost of a 50% attack is extremely high, and such an attack is considered impossible
DID and documents
Concretely, an identifier on ION looks like a unique and complex sequence of characters: did:ion:EiD3DIbDgBCajj2zCkE48x74FKTV9_Dcu1u_imzZddDKfg
This DID is linked to a JSON document (the DID document) that contains several properties.
The user can also add any properties they want. It is possible to obtain the document from the identifier by performing a resolution. This can be done using the REST API of an ION node, or by using a dedicated explorer. The idea is to be able to retrieve the information associated with a DID, much as DNS retrieves the IP addresses associated with a domain name.
How does it work?
To generate a DID, a user must either run their own node or use one available on the network. The node operator must have a wallet holding Bitcoin, as the operation requires a transaction. Managing identifiers is a multi-step process, carried out on the command line and through a REST API; it is not trivial.
Each identifier is linked to 3 pairs of cryptographic keys:
- Update keys
- Recovery keys
- Signature keys
The operations carried out during creation are recorded in a file. This instruction file is distributed on IPFS, and its unique identifier is recorded in a Bitcoin transaction. Simultaneous operations on multiple identifiers are grouped together, so that a single Bitcoin transaction is executed for the whole batch. SideTree uses Merkle trees to structure the states of the different identifiers, and to allow the management of a large number of operations per transaction.
All other nodes in the ION network observe Bitcoin transactions and extract those that match the ION protocol. They retrieve the instruction file from IPFS, thanks to the unique identifier contained in the transaction. Then they execute the instructions in order to update their local state with the newly created identifiers. Thus, the new identifier is distributed throughout the network. The synchronization time may vary; we have not found any measurements of this time.
By definition, DID are not transferable; the user at the origin of an operation on a DID is thus necessarily the “owner” and the only one who has control over it, with their private key. This property makes it possible, in particular, to do without a consensus mechanism during operations on DID, because there is no possibility of double spending.
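As an added illustration (not ION's code, and not its real anchor format), here is a simplified Python model of the anchoring flow described above: several DID operations are batched into one instruction file under a Merkle root, the file is stored under its content hash (the role IPFS plays), only that hash is anchored in a single transaction (the role Bitcoin plays), and an observing node fetches and verifies the file before applying the operations to its local state. The in-memory store and chain, the `MARKER` prefix and the `did:ion:example-*` identifiers are constructed stand-ins.

```python
import hashlib
import json


def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def merkle_root(ops):
    """Root of a binary Merkle tree over the operation hashes (last node duplicated on odd levels)."""
    level = [h(json.dumps(op, sort_keys=True).encode()) for op in ops] or [h(b"")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [h((level[i] + level[i + 1]).encode()) for i in range(0, len(level), 2)]
    return level[0]


# Constructed stand-ins (not IPFS or Bitcoin): a content-addressed store and a list of transactions.
STORE = {}
CHAIN = []
MARKER = "ion-example:"  # assumed anchor prefix, not ION's actual transaction format


def publish_batch(ops):
    """Group several DID operations into one instruction file, store it by content id, anchor the id once."""
    batch = {"operations": ops, "merkleRoot": merkle_root(ops)}
    blob = json.dumps(batch, sort_keys=True).encode()
    cid = h(blob)  # content id: anyone fetching the file can check it matches the anchored hash
    STORE[cid] = blob
    CHAIN.append({"op_return": MARKER + cid})  # one transaction for the whole batch
    return cid


def observe(chain, store, state):
    """A node's view: scan transactions, fetch anchored files, verify them, apply operations in order."""
    for tx in chain:
        marker = tx.get("op_return", "")
        if not marker.startswith(MARKER):
            continue  # ordinary transaction, not related to the protocol
        cid = marker[len(MARKER):]
        blob = store.get(cid)
        if blob is None or h(blob) != cid:
            continue  # file missing or not matching its content id: do not trust it
        batch = json.loads(blob)
        if merkle_root(batch["operations"]) != batch["merkleRoot"]:
            continue  # batch file is internally inconsistent: reject it
        for op in batch["operations"]:
            did, doc = op["did"], op["document"]
            if op["type"] == "create" and did not in state:
                state[did] = dict(doc)
            elif op["type"] == "update" and did in state:
                state[did].update(doc)
    return state
```

Because the transaction carries only a hash, a node that is served an altered instruction file detects the mismatch and ignores the batch rather than applying forged operations.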
Several use cases
The ION project is developed by members of the DIF, and actively supported by Microsoft. The American company wants to exploit this protocol to offer new services based on decentralized identity.
Several use cases are possible:
- Users can create their DID and use the OpenID authentication system. It would thus be possible to authenticate on various applications, sites and web services with a unique, decentralized identifier. Passwordless authentication is possible.
- Users could choose the data they want to associate with their DID and revoke access to it at any time. Business models could be developed to pay users directly for their data.
- Users can manage different identities with multiple DID, through their digital wallets.
- Companies, schools or organizations can issue verifiable digital certificates (Verifiable Credentials) associated with DID.
- DID can be associated with domain names, in order to use readable names rather than complex addresses.
Services to be developed
ION’s ambition is to become a standard for tomorrow’s decentralized identity. The ingenuity of the protocol is interesting, and it could stand out from competing solutions in particular thanks to its use of the Bitcoin protocol. Layer 2 solutions are promising for many use cases, and can significantly increase the scalability of decentralized registries.
However, today the protocol remains complex to use; tools and applications to make it easier to use will have to be developed. Microsoft will certainly offer services using ION, but it is to be hoped that other players will follow this path, especially with non-proprietary “end solutions”.
Furthermore, the recommended technical specifications for deploying a node are quite demanding; this can represent a significant hosting cost. The cost of registering a DID is also borne by the node operator, who submits the transaction to the network. Thus, there is no economic incentive to deploy a node, other than to build a business model by selling DID registration to other users. At first glance, these elements may be barriers to the decentralization and adoption of ION, but it is still too early to tell.
Competition is tough in the world of digital identity. On the one hand, there are the identity solutions offered by the big players (Google, Facebook, Thales, etc.), which dominate the market today, and on the other hand, there are the sovereign identity solutions pushed by governments (France Connect, Essif, etc.). Alongside these more or less centralized systems, there are also many self-sovereign identity protocols. Apart from ION, there is also Ethereum Name Service based on Ethereum, Evernym, Sovrin and countless projects under development.
The realization of concrete applications and adoption by the general public are essential to the success of a project; time will show which ones make the difference and become indispensable to tomorrow’s Web.
Are you interested in blockchains and crypto-assets? Do not hesitate to visit the website of our expert Steve Despres: cryptoms.fr/
Image source : TheDigitalArtist via Pixabay
First published at nameshield blog