2022 IEEE 24th Int Conf on High Performance Computing & Communications; 8th Int Conf on Data Science
& Systems; 20th Int Conf on Smart City; 8th Int Conf on Dependability in Sensor, Cloud & Big Data Systems & Application (HPCC/DSS/SmartCity/DependSys) | 979-8-3503-1993-4/22/$31.00 ©2022 IEEE | DOI: 10.1109/HPCC-DSS-SMARTCITY-DEPENDSYS57074.2022.00237
2022 IEEE 24th Int Conf on High Performance Computing & Communications; 8th Int Conf on Data Science & Systems; 20th
Int Conf on Smart City; 8th Int Conf on Dependability in Sensor, Cloud & Big Data Systems & Application
DcDID: Highly privacy-secure decentralized identity
system based on dynamic committee
1st Xiaohua Wu
University of Electronic Science and Technology of China
Chengdu, Sichuan
wuxh@uestc.edu.cn
3rd Fengheng Wu
Chengdu Huanhaishaqiu Network Technology Co., Ltd
Chengdu, Sichuan
wufengheng@icloud.com
Abstract—The proposed self-sovereign identity satisfies the de-
centralized nature of blockchain. It ensures that users have com-
plete control over their personal information. While decentralized
identity systems have made great strides in guaranteeing cre-
dential uniqueness and securing user information, most existing
systems are based on static committees. For decentralized identity
systems on the blockchain, the committee nodes usually are made
up of honest nodes on the chain. Nodes on the blockchain may join
or quit at any time, so ignoring the dynamic changes of committee
nodes can pose a severe threat to users’ information security. In
this paper, a decentralized identity system is proposed, based
on dynamic committees(DcDID). The protocols in the system
are constructed based on dynamic committee. A new contextual
credential issuance protocol is constructed in the DcDID system.
The protocol uses dynamic secret sharing techniques to store
pairs of DIDs in the committee. This approach ensures the
uniqueness of the credentials and dramatically improves the
security of the user’s private information during the dynamic
change phase of the committee. Moreover, a new key recovery
protocol is constructed in the DcDID system. In this protocol,
asymmetric binary polynomial technique is used to change the
secret sharing threshold. This approach ensures the security of
the user’s private key during the dynamic change phase of the
committee. The security analysis included in this paper shows that
DcDID significantly improves user privacy security compared to
static committee-based systems. Our experimental results also
show that our proposed protocol is feasible.
Index Terms—self-sovereign identity, decentralized identity
system, dynamic committee, blockchain, private, secret sharing
I. I NTRODUCTION
Identity management is the core element of blockchain [1],
so it should not only meet the decentralized characteristics
of blockchain, but also ensure the security of user identity
information. The proposed decentralized identity breaks the
centralized characteristics of identity management [2], [3].
The users can manage their identity information independently
through their private keys. Simultaneously, in order to avoid the
great loss caused by the loss of the user’s private key, the secret
sharing technique is applied to serve the user’s private key
backup. This method ensures the recoverability of the user’s
private key [4].
979-8-3503-1993-4/22/$31.00 ©2022 IEEE
DOI 10.1109/HPCC-DSS-SmartCity-DependSys57074.2022.00237
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:06:59 UTC from IEEE Xplore. Restrictions apply.
2nd Xueqi Feng*
University of Electronic Science and Technology of China
Chengdu, Sichuan
fengxueqi@std.uestc.edu.cn
4th Jing Wang
University of Electronic Science and Technology of China
Chengdu, Sichuan
jingwang@std.uestc.edu.cn
The concept of committee was first introduced in W3C [3],
which is composed of any number of nodes in the blockchain.
In blockchain, the committee nodes in a decentralized identity
system usually consist of honest nodes on the chain. The
dynamic change of committee nodes is basically not mentioned
in existing decentralized identity systems, ignoring the node
churning problem of blockchain. In the system, the committee
stores some information about the user in a secret sharing man-
ner. The committee is responsible for verifying the correctness
of the verifiable claims and issuing the verifiable credentials
[5]. The secret sharing protocol chosen now for supports static
but not dynamic committees [6], [7]. When a committee node
quits the blockchain or a malicious node attacks the committee,
it is very easy to cause leakage of user information. In terms
of user private key backup, ignoring node loss can also cause
the security problem of user private keys.
In a decentralized identity system, the committee consists
of nodes on the blockchain. To ensure the uniqueness of user
credentials, the committee nodes in the system need to store
the user’s pairs of DIDs locally, and the committee nodes
will check the information of the locally stored pairs of DIDs
to ensure the uniqueness of the credentials when issuing the
credentials. A malicious attacker can select any committee
node to steal the pairwise DIDs information, resulting in the
loss of user data. At the same time, the malicious node may
learn the user’s private information based on other transaction
information on the blockchain combined with paired DIDs.
At the same time, the security of the user’s private key
is crucial in the blockchain’s identity management domain.
In a decentralized identity management system, users manage
and use various credentials through their private keys. Once
the user’s private key is lost, it may cause great property
damage to the user. The decentralized identity system proposes
to backup the user private key in the committee node to
ensure that the user can retrieve the private key after loss. In
the existing research, the committee consists of static nodes,
and users back up their private keys in the committee in a
1547
secret shared manner. However, the nodes in the blockchain
are dynamically changing. If there exists an attacker stealing
the secret share in the nodes, then during the dynamic change
phase of the blockchain nodes, the attacker may obtain a
secret share exceeding the threshold k and thus recover the
user private key. A malicious attacker can manage and use
credential information that does not belong to it through the
stolen user private key, falsely proving the relevant information
for illegal activities or even causing property damage to others.
Under the premise of dynamic committee nodes, how to
strengthen the privacy protection of user information while
ensuring the uniqueness of credentials and how to guarantee
the security of users’ private keys are two major security prob-
lems that need to be solved urgently. Therefore, we propose
to apply the dynamic secret sharing technology CHURP [8]
to the decentralized identity system to build a new credential
issuance protocol and key recovery protocol. Our contributions
are as follows. Contributions: Our contributions are three-fold:
• The new credential issuance protocol is constructed in
DcDID. In the identity management subsystem, the com-
mittee nodes store pairs of DIDs to ensure the uniqueness
of credential issuance. In the new credential issuance
protocol, DIDs [9] are stored in the committee in a
dynamic secret sharing manner. This method ensures the
privacy and security of user information and achieves the
uniqueness of credentials.
• This paper proposed a new key recovery protocol that
utilizes the asymmetric binary polynomial technique to
change the secret sharing threshold, which ensures the
security of the private key under the dynamic change
phase of the committee nodes.
• This paper demonstrates the feasibility of DcDID through
experiments. Execute the credential issuance protocol
under different context requirements in the experiment.
This paper compares DcDID with available systems based
on static committees. Experiments show that DcDID can
improve security while ensuring system performance.
II. P RELIMINARIES
In this section, we will briefly review the relevant symbols
and definitions that will be used in this paper.
A. Secret-sharing technology
Secret-Sharing is an important branch of the modern cryp-
tography field. It is an important tool in information security
and data confidentiality, as well as a fundamental application
technology in areas such as multi-party secure computing
and federation learning. In practical applications, it plays
an important role in key management [10], digital signature
[11]- [13], identity authentication [14], and multi-party secure
computing [15]. Secret sharing is a technique for sharing
secrets among a group of participants, which is mainly used
to protect important information from being lost, corrupted, or
tampered with.
In 2019, Deepak Maram proposed CHURP [8], a dynamic
committee secret sharing scheme designed specifically for
1548
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:06:59 UTC from IEEE Xplore. Restrictions apply.
blockchain, based on the threshold key sharing scheme. This
scheme uses asymmetric bi-variate polynomials to efficiently
change the secret sharing threshold, thus achieving secure
secret in a dynamic setting sharing. In this paper, we combine
CHURP with decentralized identity systems to construct a new
credential issuance protocol and key recovery protocol.
B. Decentralized Identity
In the beginning, digital authentication was centralized, such
as the assignment of domain names and IP addresses managed
by ICANN, and digital certificates managed by Certificate
Authority (CA) in Public Key Infrastructure (PKI)systems [16].
Because the authentication and authorization around the data
are determined by a centralized authority, the essence of a
centralized identity system is that a centralized authority holds
the identity data. The identity is not controlled by the user
themselves. The proposed decentralized identity (DID) enables
the user’s autonomous access and use of identity data.
In 2019, the W3C proposed the DID standard, which
standardizes DID identifiers, DID documents, and verifiable
statements. Decentralized identity systems allow users to col-
lect and manage their credential information under a self-
created decentralized identifier DID. Users can disclose or
retain credentials as needed when interacting with applications
by controlling the private key associated with the DID. The
existing decentralized identity system has a committee con-
sisting of honest nodes of the blockchain. The system uses
the committee for issuance of user credentials and backup of
private keys. However, the loss of nodes in the blockchain
is not considered, making the system suffer from privacy
protection problems and the security of the user’s private key
is not guaranteed.
This paper proposes to store paired DIDs in committee
nodes in a secret shared manner.The paired DIDs are com-
posed of user public key P Ku and new public key P Kunew .
The new public key P Kunew is generated in the execution
context credential issuance protocol. This paper created a new
decentralized identity system DcDID. In DcDID, we construct
credential issuing protocol and key recovery protocol based
on dynamic committee. DcDID realizes the privacy security
of user information based on dynamic committee.
III. S YSTEM AND SECURITY MODEL
In the previous section, we introduced basic decentralized
identities. Existing decentralized identity systems still suffer
from many user security issues. Then in this section, we
propose a brand new identity management system using a mas-
ter credential issuance protocol with dynamic secret sharing
scheme as well as a contextual credential issuance protocol
to ensure the unlinkability among committee nodes and the
privacy security of users in the case of dynamic committee
changes. At the same time, we propose a new key recovery
system using a user private key backup scheme based on
dynamic committee changes, which ensures the security of
users’ private keys and further improves the security of the
system.
A. Identity Management System
The main goal of the identity management system is to
transform the existing data in the web server into decentralized
credentials required for user interaction. This is achieved in
two main steps, first the system converts legacy data into
unique master credentials according to the master credential
issuance protocol. Secondly we generate contextual credentials
that can be used for application interactions according to the
contextual issuance credential protocol. In the above steps, to
achieve unlinkability of committee nodes while protecting user
privacy, we propose a master credential issuance protocol using
a dynamic secret sharing scheme and a contextual credential
issuance protocol.Fig 1 depicts the process of generating
master credentials with contextual credentials.
Fig. 1. The process of generating master credentials and contextual credential.
B. Master Credential Issuance Protocol
The Master Credential Issuance Protocol is used to con-
vert pre-credentials with unique attributes into sybil-resistant
master credentials required by the user. Each user can have
only one master credential. The master credential issuance
protocol consists of two major steps. First, the legacy data from
the existing web server is transformed into the pre-credentials
required by the user. Then the pre-credentials are transformed
into unique master credentials.
The participants of this protocol mainly consist of committee
nodes as well as users U. We set committee of C to consist
of n nodes, C1, C2, ... , Cn. We set the pre-credential PC
= (Pku, CL,π)to be a verifiable statement. First CL denotes
a declaration,where each CL is set to CL=a,Cv.a denotes the
declared attribute string,e.g., ”asset”; Cv=com(v,p) denotes the
commitment to the attribute value v, where the witness is p.
This step effectively hides the user’s private information.
Next π proves that the statement is true,i.e., that the value
associated with a is indeed v.
Pre-credentials are used to create master credentials, as well
as to link other attributes to create context-based credentials. In
the following we describe the specific implementation steps of
the master credential issuance protocol using a dynamic secret
sharing scheme.
System initialization: In this step, the user first generates
the public-private key pair (P ku ,Sku ). The committee nodes
execute distributed key generation protocol to generate private
key Skc and public key P kc . Committee node Ci receives the
1549
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:06:59 UTC from IEEE Xplore. Restrictions apply.
secret share Ski of Skc and P kc . At the same time, Committee
nodes maintain CmTable together in a secret shared manner.
The CmTable is used to store P ku and unique attribute value
Vu of the user in the published master credential. The table
is used for duplicate data deletion to ensure the uniqueness of
the user’s master credentials, it is initialized to CmTable=∅.
From legacy data to pre-credentials: Pre-credentials are
the basis for the generation of other credentials in the system.
The user’s primary credentials are generated from the pre-
credentials, while the primary and pre-credentials together gen-
erate the contextual credentials required for user interaction.
To obtain the pre-credentials, first we need to extract the
relevant user information from the existing web server and
port the information securely to the committee. The committee
node then uses the relevant information to generate the pre-
credentials required by the user. In this step, the relevant
concepts involved include attribute a, attribute value v with
proof π. We use CL to denote the user declaration and CL
contains a, v.
Firstly, the user selects the attribute a, and uses the DECO
protocol to safely transplant the attribute value v in the existing
web server. The committee node uses the threshold signature
algorithm and uses Ski as the threshold signature key. Nodes
use SKi to sign the CL and generate the proof πDECO in the
pre-certificate. The user finally generates the pre-credential PC
= (P ku , CL, πDECO ).
From pre-credentials to master credentials: The master
credential in the system has a unique feature, and each user
generates only a unique master credential. The master creden-
tial is generated by the unique identifier of the user and can
effectively prove the user’s identity. At the same time, in the
contextual credential protocol, the master credential is used as
the basis to generate contextual credentials that can be used for
program interaction by linking other statements in the master
credential.
Firstly, the committee nodes need to first confirm whether
the user already has a unique master credential. During the
inspection process, the committee node generates a new ran-
dom blind factor ([b],B=g b ) and sends it to the user U, while
the user U reconstructs b from it. Then, the user U calculates
Vu’=Vu+b to hide the attribute value Vu. The user generates
the correct blinding proof:
πiblind =ZK-Pokb,Vu,p:Vu’=Vu+b(g b =B)(com(Vu,p)=Cv
Next, the user generates its corresponding pre-credential
P Cu for its unique attribute value Vu according to the previous
step. The user interacts with the committee node and sends
(PC,Vu’,π blind ) to the committee node. Each committee node
Ci verifies the received proofs and calculates V ui ,
V ui =Vu’/ni λi -bi ,where λ is the Lagrangian coefficient.
Committee nodes implement a dynamic secret sharing pro-
tocol. This step merges the secret shared shares of the stored
CmTable to generate a complete CmTable. Committee nodes
execute the MPC protocol to calculate Vu=ΣV ui . The node
matches the property Vu with the contents of the CmTable.
 If there is no successful match in the CmTable, then
the master credential is unique and the committee node
can issue the master credential for the user. The com-
mittee issues the master credential by signing the pre-
credential PC with the ”Delete duplicates” statement. Then
the process of issuing master credentials consists of the
following steps. Firstly,each committee node Ci computes
h={P ku , ”master”, CL, {”Deleteduplicates”, a}},and signs
h with the private key Ski to generate partial signature σi .
σi =TS.Sig(SKi ,h)
The committee node Ci encrypts the generated partial sig-
nature σi using the user’s public key P ku and sends it to U.
User U uses the private key Sku to decrypt t valid signatures
{σi }, which U combines into a complete signature.
σc =TS.Comb({σi })
After obtaining the full signature, U builds master creden-
tials
CDmaster =
{P ku , ” master” , CL, {” Deleteduplicates”, a}, c}
C. Context Credential Issuance Protocol
During user interaction with the application, the user is
required to provide credentials that meet the application re-
quirements and contain multiple declarations. Since master
credentials contain only declarations with unique attributes,
they cannot be used to interact with the application. However,
master credentials are linkable, i.e., they can be linked to
declarations for interaction. This summary then details the
contextual credential issuance protocol, which implements a
master credential as the basis for issuing contextual credentials
that can be used for application interaction.Fig 2 shows an
overview of the flow of the protocol.
In the contextual credential issuance protocol, pairwise DIDs
are proposed to achieve the unlinkability of contextual creden-
tials, i.e., the authentication nodes cannot learn the information
related to the user node credentials through interaction. Paired
DIDs consist of a user public key P Ku and a new public key
P Kunew . The user generates the new public key P Kunew during
the execution of the contextual credential issuance protocol.
The committee nodes construct cxtTable to store the paired
DIDs.
Fig. 2. Contextual Credential Issuance Protocol Process Overview.
1550
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:06:59 UTC from IEEE Xplore. Restrictions apply.
If each committee node stores ctxTable locally, a malicious
attacker only needs to attack any of the committee nodes and
it can steal ctxTable and learn user identity information from
it. In the identity management system, we achieve credential
uniqueness by storing paired DIDs information in the commit-
tee nodes. However, at the same time, it is crucial for users to
ensure the security of their private information in the system.
We propose to store ctxTable in a dynamic secret sharing
manner.
We first assume that the user has obtained the only master
credential CDmaster . The application specifies the unique con-
text string ctx during interaction with the user. The following
describes the implementation steps of the contextual credential
issuance protocol.Fig 3 shows the exact process of performing
deduplication and issuing credentials in this protocol.
Fig. 3. The detailed flow of step 2—Deduplicate in Figure.
• The user sends (CDmaster , P Kunew , P Cnew , which
includes the user’s master credential,the new identifier
P Kunew and a set of pre-credentials that meet the require-
ments of the string ctx.
• The committee nodes maintain the ctxTable in a dynamic
secret sharing manner. The table stores pairs of P Ku and
P Kunew . The committee node stores the paired DIDs of
the issued context credentials in the table, and the node
checks the P Kunew in the table.
• If P Kunew is not in the ctxTable, the committee issues a
credential CDctx that satisfies the context ctx and updates
the ctxTable.
P Cnew sent by the user to the committee node. The P Cnew
is generated according to step 2. in 3.1.1. In this step, the
legacy data is the data that meets the application context
requirements, it is transformed into a pre-credential containing
the new claim CLnew . CLnew is based on the declarative
content required by the application context. At the same time,
to ensure that the newly added claim CLnew belongs to the
user who holds the master credential, that is, the claim is valid.
We attach a zero-knowledge proof in CLnew , proving that the
name attribute in the master credential is the same as the name
attribute in CLnew .
In step 2., the committee stores the ctxTable in a dynamic
secret sharing manner. This approach treats each pair of DIDs
in the ctxTable as a separate secret. Suppose a committee
consists of n dynamically changing nodes, namely C1 ...Cn .
The user selects m(m >max(tx+1 ,ty+1 )) committee nodes
as secret sharing nodes, and uses an asymmetric bivariate
polynomial,i.e.
 S(x,y)=k0,0 +k0,1 x+k1,0 y+k1,1 xy+...+ktx ,ty xtx y tx
Each paired DIDs secret is divided into m secret fragments
using the above formula and sent to m committee nodes.
Meanwhile, the bivariate polynomial enables the mutual trans-
formation of the two sharing methods, and the goal of changing
the secret sharing threshold can be achieved by changing the
number of polynomials during the dynamic change of the
committee, thus preventing malicious nodes from learning into
DIDs, i.e.
• If x in the bivariate polynomial of S(x,y) is set to 0,
the dynamic secret sharing scheme becomes a univariate
Shamir threshold secret sharing scheme with a threshold
of ty , and the secret fragment is
S(0,j0 ),S(0,j1 ),...,S(0,jty )
• Conversely setting y to 0, the threshold of the dynamic
secret sharing scheme becomes tx and the secret fragment
is
S(i0 ,0),S(i1 ,0),...,S(itx ,0)
After sending the secret shares in the ctxTable to each of the
m committee nodes, the user executes the context credential
issuance protocol. To obtain the context credentials, the user
first designates a committee node at random to execute the
dynamic secret sharing protocol, such that the committee node
obtains the complete ctxTable.
After the designated committee node successfully acquires
the ctxTable, it compares the P Kunew sent by the user with
the contents of the table. If the same P Kunew is not found, the
ctxTable is updated and the new DIDs are added to the table.
Then the node executes the dynamic secret sharing protocol
and stores the new ctxTable in the committee node in a secret
shared manner. Finally the node issues contextual credentials
for the user.
The above solution of storing ctxTable as a dynamic secret
share ensures the uniqueness of credentials while achieving
privacy protection of user information. Each time a committee
node is in the process of issuing contextual credentials, the
user randomly assigns a new committee node to restore the
complete ctxTable.
D. Key Recovery System
The current decentralized identity system chooses to backup
private keys in the honest nodes of the blockchain in a key-
sharing way, but this scheme does not consider the dynamic
changes of nodes in the blockchain, so the security of users’
private keys is poor. In this section, we use asymmetric
bivariate polynomials to effectively change the secret sharing
threshold and achieve private key security under dynamic
changes of nodes.Fig 4 describes the specific flow of the key
recovery system.
In the user registration key recovery service phase, the
system provides a more flexible identity verification scheme for
the user. First the user specifies a set of accounts to be used for
authentication and the access structure to them. For example,
the user provides an authentication scheme for successfully
1551
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:06:59 UTC from IEEE Xplore. Restrictions apply.
Fig. 4. Key Recovery System Overview.
logging into any two-thirds of the accounts in WeChat, Baidu,
and QQ, which means that the authentication is successful. By
using DECO [17], the user sends the authentication scheme to
the committee node when registering the key recovery service.
After the registration is completed, the user uses the dynamic
secret sharing technology to back up the private key Sku to
the committee. The specific steps are as follows.
• The user executes a dynamic secret sharing protocol
with the private key Sku as a secret, using a bivariate
polynomial,i.e.
S(x,y)=k0,0 +k0,1 x+k1,0 y+k1,1 xy+...+km,2m xm y 2m
Simultaneously the polynomial satisfies
S(0,0)=k0, 0=Sku . Let y = 0 such that the threshold of
the shared solution is m. Bringing arbitrary k (k >(m
+ 1)) values of x into the polynomial yields the secret
fragment, i.e.
S(i0 ,0), S(i1 ,0), ... , S(im ,0), S(im+1 ,0), ... , S(ik ,0)
When the committee nodes change dynamically, let x=0
so that the threshold value becomes 2m. Then re-select
any k’(k’>(2m+1)) x values to bring into the polynomial
to get the new secret fragment, i.e.
S(0,j0 ), S(0,j1 ), ... , S(0,j2m ), S(0,j2m+1 ), ... S(0,jk′ )
Back up secret fragments to the committee node.
• The user performs the specified authentication, and if
the authentication is successful, the authentication node
generates a zero-knowledge proof that the user has passed
the authentication. The node sends the zero-knowledge
proof to the committee node.
• After the verification of the committee node is successful,
the dynamic secret sharing protocol is executed, and the
secret fragments are sent to the user. The user finally
restores the private key Sku .
E. System Security
The credential issuance protocol and key backup protocol
are based on dynamic secret sharing technology and are
developed for decentralized identity systems. The security
challenges faced by our system can be divided into two
categories: user information security and user key security. The
possible attacks on the system by malicious attackers are as
follows.
 • A malicious attacker attacks any committee node and committee nodes in the experiment run in a distributed network
steals the table of paired DIDs stored in the node, leading of EC2 C5, with each instance acting as a committee node, and
to leakage of user privacy information. each instance has 2 vCPU and 4 GB RAM.
• The malicious node attacks some committee nodes during
the dynamic change of the committee and steals the secret
share of Sku stored in the node, resulting in the loss of
the user’s private key.
Our system is secure against the above possible attack
methods. For the leakage of user privacy information, we
propose a CHUPR-based credential issuance protocol. Under
this protocol, the table of paired DIDs is divided into multiple
secret shares using a dynamic secret sharing scheme, and the
secret shares are stored in committee nodes separately. When
the system performs credential uniqueness checking, the user
randomly assigns a committee node to recover a complete
table of DIDs for duplicate information removal. Under this
mechanism, each committee node stores the secret share of the
DIDs table instead of the full DIDs table. The stolen secret Fig. 5. Execution time of each stage of the contextual credential issuance
share is useless to the attacker, and thus the system secures protocol.
the user information in such attacks.
In the face of key theft by malicious nodes, our system still In order to visualize the system performance, our experi-
shows good security. The reason is that our system combines a ments use the student ID as the master credential attribute in
dynamic secret sharing scheme to build a new key management the master credential issuance phase. In the contextual creden-
system. In this system, we store the user private keys in the tial issuance phase, we simulate two contextual ctx strings,
committee nodes in a dynamic secret sharing scheme. The namely ”majoring in science or engineering” and ”having a
scheme changes the secret sharing threshold of the user private minimum grade point average of 75 in school”. To satisfy these
key Sku by an asymmetric bivariate polynomial. During the two ctx requirements, our data source combinations involve
dynamic change of committee nodes, the secret sharing thresh- two websites and include three combinations of data sources:
old of Sku is increased to be 2t, i.e., the private key Sku can student ID and name from the Academic Information Network;
be obtained only if at least 2t secret shares are obtained. It subject and name from the University student management
is known in CHUPR [8] that the maximum number of secret system; and grade point average and name, where the name is
shares that an attacker can steal is less than 2t. Therefore, used as a link attribute between the statements.
even if a malicious node attacks a committee node to steal a To finally obtain contextual credentials that can be interacted
secret share, it is impossible to obtain the user private key Sku . with the application, we need to first generate pre-credentials in
Our system integrates dynamic secret sharing technology into our experiments. We use DECO to convert the data information
the key management system, which provides strong security into pre-credentials. These data come from the Academic
protection for user private keys. Information Network and the University student management
system.
IV. I MPLEMENTATION A ND E VALUATION
In this section, we evaluate the performance of the DcDID
by implementing key components, including the implemen-
tation of a master credential issuance protocol as well as a
contextual credential issuance protocol. We will conduct com-
parative experiments with existing systems to demonstrate the
feasibility of DcDID while enhancing user privacy protection.
We generated pre-credentials based on DECO [17] and
implemented a master credential issuance protocol and con-
textual credential issuance protocol. In our experiments, we
use student identity IDs as deduplication attributes to obtain
master credentials. For zero-knowledge proofs required in the
credential issuance process, we build the circuit for preprocess-
ing zk-SNARKs using jsnark a java library that uses libsnark
as the backend to instantiate zero-knowledge proofs.
In the experiment, our user party ran on a laptop with Fig. 6. Credential issuance rates for DcDID versus the available systems based
SSD storage, 16 GB RAM, and an Intel i77600U CPU. The on static committees.

1552

Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:06:59 UTC from IEEE Xplore. Restrictions apply.
 To test the execution efficiency of the contextual creden-
tialing protocol, we assume two different contextual states
in advance, ctx1 ”majoring in science or engineering” and
ctx2 ”having a minimum grade point average of 75”. In our
experiments, we test the execution efficiency of the contex-
tual credential issuance protocol under two different ctxes.
We have divided the contextual credential issuance protocol
into four phases, namely, ’Deduplication’, ’Restore ctxTable’,
’Inspection ctxTable’, and ’Linking name’. In the experiments
performing the master credential issuance protocol, we have
generated pre-credentials with student ID as the attribute,
pre-credentials with subject information as the attribute, and
grade point average as the attribute. Then in the experiments
performing the contextual credential issuance protocol, we use
the name attribute as the link attribute linking the master
credential to the pre-credential. To ensure the generality of the
experiment, we performed more than one hundred tests. Fig. 5
shows the average execution time of the contextual credential
issuance protocol under two different ctx, from which we can
clearly visualize the average execution time of different phases.
To demonstrate that DcDID improve the security of user
information while also ensuring the efficiency of credential
issuance, we conducted comparative experiments as shown in
Figure 6. In the experiments, the attributes in the pre-credential
and master credential are consistent. Meanwhile, we keep ctx
the same. We execute different contextual credential issuance
protocols and divide the protocol execution into four phases.
In the contextual credential issuance protocol based on static
committee, each committee node stores the paired DIDs table
locally without Restore ctxTable. It can be observed from the
comparison bar chart in Fig. 6 that the time difference of each
phase is within 0.05s. This shows that DcDID ensures the
efficiency of credential issuance while improving user security.
V. C ONCLUSION A ND F UTURE W ORKS
This paper proposes the DcDID that is a highly secure
decentralized identity system. DcDID can be used in the field
of identity management in the blockchain. In this paper, the
dynamic changes of blockchain nodes are considered in the
decentralized identity system. DcDID transforms the static
committee into a dynamic committee. This change makes the
decentralized identity system more suitable for blockchain. At
the same time, we use dynamic secret sharing technology to
build a new contextual credential issuance protocol, aiming to
enhance the security of user information in the decentralized
identity system and improve the privacy protection of user
information.
However, in DcDID, the user encrypts all the attribute
values in the credential using ZKP technology. It produces
a completely anonymous credential. For the committee, the
node needs to perform ZKP authentication. Not all the attribute
values in the credential are private data for the users, there
are also some publicly available attributes. For such publicly
available attributes, encrypting them undoubtedly reduces the
efficiency of credential issuance during the credential issuance
1553
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:06:59 UTC from IEEE Xplore. Restrictions apply.
process. Therefore, we will continue to focus on new encryp-
tion schemes. Using knowledge of cryptography to implement
a selective disclosure credential scheme may be a way that
supports the issuance of credentials with both public and
private attributes. This could be a way to increase the efficiency
of the system.
ACKNOWLEDGMENT
This research is funded by National Natural Science Foun-
dation of China(62173066) and Grant of Intelligent Terminal
Key Laboratory of SiChuan Province (SCITLAB-1014).
R EFERENCES
[1] Liu Y, He D, Obaidat M S, et al. Blockchain-based identity management
systems: A review. Journal of network and computer applications, 2020,
166: 102731.
[2] Naik N, Jenkins P. uPort open-source identity management system:
An assessment of self-sovereign identity and user-centric data platform
built on blockchain//2020 IEEE International Symposium on Systems
Engineering (ISSE). IEEE, 2020: 1-7.
[3] W3C. Decentralized identifiers (DIDs) v0.11:data model and syntaxes
for decentralized identifiers. https://w3c-ccg.github.io/did-spec/, 2018.
[4] Herzberg A, Jarecki S, Krawczyk H, et al. Proactive secret sharing or:
How to cope with perpetual leakage//annual international cryptology
conference. Springer, Berlin, Heidelberg, 1995: 339-352.
[5] M. Sporny, D. Longley, and D. Chadwick, “Verifiable Credentials Data
Model 1.0,” 2022. [Online]. Available: https://www.w3.org/TR/ vc-data-
model/
[6] Cachin C, Kursawe K, Lysyanskaya A, et al. Asynchronous verifiable
secret sharing and proactive cryptosystems//Proceedings of the 9th ACM
Conference on Computer and Communications Security. 2002: 88-97.
[7] Herzberg A, Jarecki S, Krawczyk H, et al. Proactive secret sharing or:
How to cope with perpetual leakage//annual international cryptology
conference. Springer, Berlin, Heidelberg, 1995: 339-352.
[8] Maram S K D, Zhang F, Wang L, et al. CHURP: dynamic-committee
proactive secret sharing//Proceedings of the 2019 ACM SIGSAC Con-
ference on Computer and Communications Security. 2019: 2369-2386.
[9] W3C. Peer DID method specification. https://openssi.github.io/ peer-did-
method-spec/index.html#privacy-considerations, 2020.
[10] Eschenauer L, Gligor V D. A key-management scheme for distributed
sensor networks//Proceedings of the 9th ACM Conference on Computer
and Communications Security. 2002: 41-47.
[11] Boldyreva A. Threshold signatures, multisignatures and blind signatures
based on the gap-Diffie-Hellman-group signature scheme//International
Workshop on Public Key Cryptography. Springer, Berlin, Heidelberg,
2003: 31-46.
[12] Pang L J, Wang Y M. A new (t, n) multi-secret sharing scheme based on
Shamir’s secret sharing. Applied Mathematics and Computation, 2005,
167(2): 840-848.
[13] Chen D, Lu W, Xing W, et al. An efficient verifiable threshold multi-
secret sharing scheme with different stages. IEEE Access, 2019, 7:
107104-107110.
[14] Yang Y G, Wen Q, Zhang X. Multiparty simultaneous quantum identity
authentication with secret sharing. Science in China Series G: Physics,
Mechanics and Astronomy, 2008, 51(3): 321-327.
[15] Zhong H, Sang Y, Zhang Y, et al. Secure multi-party computation on
blockchain: An overview//International symposium on parallel architec-
tures, algorithms and programming. Springer, Singapore, 2019: 452-460.
[16] Ethereum name service, [Accessed June 2020]. https://ens.domains/.
[17] Zhang F, Maram D, Malvai H, et al. Deco: Liberating web data using
decentralized oracles for tls//Proceedings of the 2020 ACM SIGSAC
Conference on Computer and Communications Security. 2020: 1919-
1938.