6718
8, 15 APRIL 2023
SmartDID: A Novel Privacy-Preserving Identity
Based on Blockchain for IoT
Jie Yin , Student Member, IEEE, Yang Xiao , Member, IEEE, Qingqi Pei , Senior Member, IEEE,
Ying Ju, Member, IEEE, Lei Liu , Member, IEEE, Ming Xiao , Senior Member, IEEE,
and Celimuge Wu , Senior Member, IEEE
Abstract—Internet of Things (IoT) applications have pene-
trated into all aspects of human life. Millions of IoT users and
devices, online services, and applications combine to create a
complex and heterogeneous network, which complicates the dig-
ital identity management. Distributed identity is a promising
paradigm to solve IoT identity problems and allows users to have
soverignty over their private data. However, the existing state-of-
the-art methods are unsuitable for IoT due to continuing issues
regarding resource limitations for IoT devices, security and pri-
vacy issues, and lack of a systematic proof system. Accordingly, in
this article, we propose SmartDID, a novel blockchain-based dis-
tributed identity aimed at establishing a self-sovereign identity
and providing strong privacy preservation. First, we configure
IoT devices as light nodes and design a Sybil-resistant, unlink-
able, and supervisable distributed identity that does not rely on
central identity providers. We further develop a dual-credential
model based on commitment and zero-knowledge proofs to pro-
tect the privacy of sensitive attributes, on-chain identity data, and
linkage of credentials. Moreover, we combine the basic creden-
tial proofs to prove the knowledge of solutions to more complex
Manuscript received 6 December 2021; accepted 7 January 2022. Date
of publication 21 January 2022; date of current version 7 April 2023.
This work was supported in part by the National Key Research and
Development Program of China under Grant 2020YFB1807500; in part by
the National Natural Science Foundation of China under Grant 62102295,
Grant 62132013, Grant 62001357, and Grant 62102301; in part by the Key
Research and Development Program of Shaanxi under Grant 2021ZDLGY06-
03; in part by the Guangdong Basic and Applied Basic Research
Foundation under Grant 2020A1515110772 and Grant 2020A1515110079;
in part by the China Postdoctoral Science Foundation under Grant
2021M692501; in part by the Fundamental Research Funds for the Central
Universities under Grant XJS211513, Grant XJS201502, Grant XJS210105,
and Grant XJS210107; in part by the Okawa Foundation for Information and
Telecommunications; and in part by JSPS KAKENHI under Grant 21H03424.
(Corresponding author: Qingqi Pei.)
Jie Yin and Qingqi Pei are with the State Key Laboratory of Integrated
Service Networks, School of Telecommunications Engineering, and the
Engineering Research Center of Trusted Digital Economy, Universities
of Shaanxi Province, Xidian University, Xi’an 710071, China (e-mail:
yinjie0003@stu.xidian.edu.cn; qqpei@mail.xidian.edu.cn).
Yang Xiao is with the State Key Laboratory of Integrated Services
Networks, School of Cyber Engineering, and the Engineering Research
Center of Trusted Digital Economy, Universities of Shaanxi Province, Xidian
University, Xi’an 710071, China (e-mail: yxiao@xidian.edu.cn).
Ying Ju and Lei Liu are with the State Key Laboratory of Integrated Service
Networks, School of Telecommunications Engineering, Xidian University,
Xi’an 710071, China, and also with the Guangzhou Institute of Technology,
Xidian University, Guangzhou 510555, China (e-mail: juying@xidian.edu.cn;
leiliu@xidian.edu.cn).
Ming Xiao is with the Division of Information Science and Engineering,
KTH Royal Institute of Technology, 10044 Stockholm, Sweden (e-mail:
mingx@kth.se).
Celimuge Wu is with the Graduate School of Informatics and Engineering,
The University of Electro-Communications, Chofu 182-8585, Japan (e-mail:
clmg@is.uec.ac.jp).
Digital Object Identifier 10.1109/JIOT.2022.3145089
2327-4662 
c 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:43:54 UTC from IEEE Xplore. Restrictions apply.
IEEE INTERNET OF THINGS JOURNAL, VOL. 10, NO.
problems and create a systematic proof system. We go on to pro-
vide the security analysis of SmartDID. Experimental analysis
shows that our scheme achieves better performance in terms of
both credential generation and proof generation when compared
with CanDID.
Index Terms—Blockchain-based distributed identity, Internet
of Things (IoT), privacy preservation, systematic proof system,
zero-knowledge proofs.
I. I NTRODUCTION
NTERNET of Things (IoT) applications have penetrated
I into all aspects of human life, such as intelligent cities,
innovative healthcare, and smart agriculture [1]. However, the
rapid growth of the new IoT paradigm has presented several
challenges related to availability, scalability, and security that
constrain the sustainable development of IoT [2]. Sustainable
computing is a potential solution for energy-constrained IoT
devices that involves energy sustainability and security sus-
tainability [3], [4]. The proliferation of millions of IoT users
and devices, online services, and applications forms a com-
plex and heterogeneous network that has complicated digital
identity management [5], [6]. The proper management of the
identities of these IoT devices plays a vital role in achieving
the security and sustainability of the IoT network as a whole. It
is therefore of great significance to study identity management
in the IoT context.
Traditional IoT identity management primarily adopts a cen-
tralized authentication method, where the identity remains
in the possession of the identity provider and is not inter-
operable. These centralized identity systems [7]–[9] usually
rely on trusted third parties, such as credential authorities
(CAs), which are prone to becoming single points of failure.
Blockchain, as an emerging paradigm, naturally adapts to the
distributed nature of IoT owing to its decentralized, tamper-
proof, and traceable characteristics [10]–[12]. It provides a
new solution for the IoT identity security problem and has
given rise to a new form of digital identity, namely, distributed
identity [13]–[15]. Blockchain-based distributed identity lever-
ages distributed infrastructure to change the providers’ mode
of controlling digital identities. Moreover, distributed iden-
tity is in fact a distributed public-key infrastructure (DPKI)
with multiple issuers that allows users to have soverignty over
their identities and credentials through decentralized identifiers
(DIDs) [13] and verifiable credentials (VCs) [16].
YIN et al.: SmartDID: NOVEL PRIVACY-PRESERVING IDENTITY BASED ON BLOCKCHAIN FOR IoT
Several state-of-the-art methods for distributed iden-
tity [17]–[19] have been developed. Most existing
schemes [20], [21] do not consider the resource limita-
tions of user devices, and IoT devices usually suffer from
resource limitations [22]–[24]. Moreover, existing schemes
are unsuitable for the IoT context because of the following
challenges.
1) Security and Privacy Issues: Most available
schemes [25]–[27] pay little attention to security
and privacy issues. Some methods only consider
anonymous credential systems and do not consider the
demand for both plaintext and cryptographic creden-
tials. Since the system does contain some plaintext
credentials, an adversary may collect some attributes
(not always sensitive) from different credentials that
correspond to a specific identifier and thereby infer the
user’s real-world identity, referred to as linkage attacks.
Three kinds of information need to be protected: a)
sensitive credential attributes; b) on-chain identity
data; and c) attribute linkage between credentials.
The combination of commitments and zero-knowledge
proofs is a promising solution to the former two. The
public blockchain of the UTXO model does not have
this linkage problem because it can generate a new
identity for each transaction [28]. While the creation
of multiple identities by a single user may solve the
linking problem, it also introduces the possibility of
Sybil attacks [29] in a consortium chain. Moreover, the
uniqueness of identities is crucial in many scenarios,
such as voting systems [30]. It is therefore challenging
to balance Sybil attacks and linkage attacks. In addition,
most of these schemes do not consider the supervision
of IoT users and devices. Users are required to provide
their true identities for accountability purposes in
many schemes, such as know-your-customer (KYC),
which appears to conflict with privacy. It is accord-
ingly challenging to provide both user privacy and
supervision.
2) The Lack of a Systematic Proof System: Most exist-
ing distributed identity systems [31]–[33] only allow
fragmented credential verification rather than a system-
atic consideration of the logic between credentials. A
certain logical relationship exists between credentials,
such as {ID card ∪ driving license ∩ business creden-
tials}, and we need a container to express this logic:
that is, a systematic proof system. The lack of system-
atic descriptions of multiple credentials makes it difficult
for the system to return an appropriate result, even if all
individual credentials have been completed.
Considering the resource limitations of IoT user devices, we
provide an organic integration of the IoT and blockchain archi-
tecture and configure IoT devices as blockchain light nodes1
to reduce their computation, storage, and communication
overhead.
1 Light nodes only need to store the block header rather than the full list
of transactions. Full nodes are required to synchronize all blockchain data.
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:43:54 UTC from IEEE Xplore. Restrictions apply.
6719
In response to the above challenges, we propose a novel
blockchain-based distributed identity, with the aim of estab-
lishing a self-sovereign identity and providing strong privacy
preservation based on zero-knowledge proofs. Moreover, we
combine the basic credential proofs to prove the knowledge of
solutions to more complex problems and create a systematic
proof system. SmartDID comprises the identity system, the
dual-credential model, and the distributed proof system. Our
contributions are as follows.
1) We propose a distributed identity for IoT that balances
identity privacy and supervisability and enables Sybil
resistance and unlinkability. Inspired by the account
model and the UTXO model, the distributed identity
is composed of a unique master identifier (masterID)
and several pseudonymous identifiers (userIDs). We
conduct supervision based on commitments and zero-
knowledge proofs to verify masterID without opening it.
The uniqueness of the master identity also resists Sybil
attacks. To prevent linkage attacks against identities, we
construct the userIDs based on the UTXO model.
2) We propose a privacy-preserving dual-credential model
that protects sensitive attributes, on-chain identity data,
and credential linkage. The model is composed of both
plaintext credentials and cryptographic credentials. We
design the cryptographic credentials based on commit-
ments [34] and zero-knowledge proofs [35] to hide
sensitive attributes and on-chain identity data. To discon-
nect the linkage between different credentials, we apply
userIDs designed in the distributed identity system.
3) We combine the basic credential proofs to prove the
knowledge of solutions to more complex problems and
create a systematic distributed proof system, which orga-
nizes the fragmented credentials according to a certain
logic to facilitate their adaptation to multiconditional
verification.
The remainder of this article is organized as follows. Related
work is reviewed in Section II. The system overview is
described in Section III. Section IV gives the specific design of
SmartDID. Security analysis is in Section V, and implementa-
tion and experimental analysis are in Section VI. Finally, the
conclusion is given in Section VII.
II. R ELATED W ORK
SmartDID is related to work on distributed identities,
anonymous credentials, and distributed proof systems.
A. Distributed Identity
With the rapid development of blockchain, scholars have
started to explore the application of blockchain technol-
ogy in personal data management and privacy protection.
Zyskind et al. [32] employed blockchain to protect the pri-
vacy of individuals with respect to personal data, allowing
users to take full control of their own data. Jacobovitz [20]
proposed Bitnation, an ethereum-based identity registry that
provides passports, driving licenses, and other public facility
services in Estonian. Uport [17] is also a self-governed iden-
tity system based on public Ethereum [36]. However, these are
6720
all public blockchain-based projects with low throughput and
difficulty in achieving the supervision of malicious users.
As for the permission blockchain, Hyperledger Indy [21]
is a distributed self-sovereign identity framework based on
Hyperledger Fabric [37] that allows decentralized identity gen-
eration on the blockchain and identity interoperability across
applications and ledgers. ShoCard [26] and WeIdentity [27]
are multicentric distributed identity systems that enable data
exchange between users. Nevertheless, these works are unsuit-
able for IoT, and they pay little attention to the resource
limitations and security and privacy issues of IoT devices.
According to Swan’s survey [38], the factors limiting
blockchain applications were security, availability, and latency.
A comprehensive study [39] from both technical and applica-
tion perspectives indicates the possibility of associating users’
IPs and attributes with their pseudonym identifiers, leading
to security and privacy issues for on-chain transactions. In
this article, SmartDID is trying to disconnect the linkage
between different credentials and build a security and privacy-
preserving distributed identity system that fulfills the basic
requirements of self-sovereign identity.
B. Anonymous Credentials
In the traditional public-key infrastructure (DPKI),
Garman et al. [40] proposed a decentralized anonymous
credential scheme that eliminates the need for a centralized
trusted issuer and allows identity assertion while maintaining
privacy. Sonnino et al. [41] proposed a selective disclosure
credential scheme based on the multihybrid signature method
that enables multithreshold publishing and multidisplay of
credentials. However, they are only individual credential
issuance systems and are still far from a self-sovereign
distributed identity system.
With limited exceptions, Isaakidis et al. [18] proposed
UnlimitID, a pseudonym system that makes IdPs untrace-
able to users and protects the privacy of credentials based
on algebraic MACs. However, it requires users to reveal their
personal values to prove the correctness of the credentials.
Maram et al. [42] constructed an identity and credential system
based on zero-knowledge proofs and secure multiparty com-
putation (MPC), bringing in high computational overhead.
Moreover, these schemes consider only cryptographic creden-
tials, while in reality, there is often a coexistence of plaintext
and cryptographic credentials, which may bring additional
security and privacy concerns. In this article, we are con-
cerned about the privacy of both plaintext and cryptographic
credentials and balance the performance of SmartDID.
C. Proof Systems
Camenisch and Stadler [31] designed a proof system for
complex and general statements that proves the knowledge
of elements of any knowledge specification set. It is, how-
ever, a centralized proof system. Zyskind et al. [32] proposed
a blockchain-based privacy-preserving personal data manage-
ment system involving an access module (Taccess ) and a data
storage module (Tdata ). Data owners can modify authentica-
tion methods by configuring different sets of access policies
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:43:54 UTC from IEEE Xplore. Restrictions apply.
IEEE INTERNET OF THINGS JOURNAL, VOL. 10, NO. 8, 15 APRIL 2023
in Taccess transactions. Taccess enables a dynamic, fine-grained
access control based on protocol transactions. Wang et al. [33]
designed a blockchain-based distributed storage system with
fine-grained access control based on attributes. However, these
works are designed for single-cloud scenarios and are inap-
propriate for the cross-system and cross-application in a
distributed environment. Furthermore, the heavy overhead pre-
cluded their applicability to IoT scenarios. In this article,
SmartDID combines the basic credential proofs and cre-
ates a systematic distributed proof system for more complex
problems.
III. S YSTEM OVERVIEW
In this section, we first give the intuition of the idea and
then describe the system model and security model, followed
by the introduction of cryptographic credentials.
A. Intuition of the Idea
When adapting distributed identities to the IoT, we need to
consider constrained IoT devices and reduce their computation
overhead. So, we integrate the IoT and blockchain and con-
figure IoT devices as blockchain light nodes. In SmartDID,
there are three kinds of information should be protected:
1) sensitive credential attributes; 2) on-chain identity data;
and 3) attribute linkage between credentials. We consider a
dual-credential model with both plaintext and cryptographic
credentials to hide the privacy information. Cryptographic cre-
dentials are encrypted by a commitment scheme and verified
by zero-knowledge without disclosing the attribute values. The
commitment uplinking strategy also preserves the privacy of
on-chain identity data.
However, the above methods cannot hide the attribute link-
age between different plaintext credentials. While creating
multiple identities by a single user may solve this problem,
it also introduces the possibility of Sybil attacks in a consor-
tium chain. To solve this contradiction, we design a distributed
identity system with a unique masterID and several pseudony-
mous userIDs. We regard masterID as a sensitive attribute,
secret to the public, and open to the supervisor. SmartDID
uses a unique masterID to prevent Sybil attacks and employs
multiple userIDs to address the privacy issues of attribute link-
age. We record the masterID and some KYC information to
supervise the user by zero-knowledge. Moreover, we combine
the basic credential proofs to prove the knowledge and create a
systematic distributed proof system to solve general statements
and more complex problems.
In summary, SmartDID has designed an identity system,
a dual-credential model, and a distributed proof system. The
unique masterID is for supervising and preventing Sybil
attacks, Sybil attacks, and multiple userIDs are adopted to
address the privacy issues of attribute linkage. The commit-
ment and zero-knowledge proofs are employed to protect
the privacy of sensitive credential attributes, on-chain identity
data, and attribute linkage between cryptographic credentials.
A distributed proof system is designed to describe general and
complex credentials statements effectively.
YIN et al.: SmartDID: NOVEL PRIVACY-PRESERVING IDENTITY BASED ON BLOCKCHAIN FOR IoT
Fig. 1. System model of SmartDID. There are holders, issuers, veri-
fiers, and supervisors in the model. SmartDID consists of a masterID and
multiple userIDs. The underlined values in credentials are commitments to
hide sensitive attributes.
B. System Model
There are issuers, verifiers, users (also called holders), and
supervisors in our system model. Suppose there are N com-
mittee nodes, denoted as (C1 , . . . , CN ). SmartDID takes a
(t, N)-Shamir threshold scheme [43], which means that the
user needs to select at least t nodes to verify the transaction,
which case is the credential service. We choose a consor-
tium blockchain, where the committee can act as a credential
issuer, and any IoT applications or devices can act as a ver-
ifier. We configure issuers, such as committees as full nodes
and deploy constrained IoT devices as light nodes. In addi-
tion, blockchain can collectively monitor the activities of IoT
devices and quickly disconnect them from the network once
hijacking is detected, which enhances the security and sustain-
ability of IoT. The issuer signs and issues the credentials, while
the verifier publishes the access policy and verifies the cre-
dential. The supervisor is the authority that verifies the user’s
real-world identity and audits. The user is the credential owner
who wants to access the application. Each user holds a pair
of DIDs (masterID, userIDs), as shown in Fig. 1. The mas-
terID is unique for supervision, while the userID is for daily
applications with many. Each user has a public–private key
(pk, sk), pk = hsk , where h is a generator of group G.
For ease of reference, the main notations of this article are
listed in Table I.
C. Security Model
We define the adversarial mode based on the Byzantine
failure model, allowing for t faulty or attacking nodes in the
committee, t < N/3. We assume an asynchronous communica-
tion model that permits messages to be undeliverable, delayed,
or erroneous.
Security Properties: We achieve Sybil resistance, unlinkabil-
ity, and supervisibility in the identity system. 1) a Sybil attack
is defined as the forgery of multiple peer identities by a few
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:43:54 UTC from IEEE Xplore. Restrictions apply.
6721
TABLE I
N OTATIONS
entities to extract additional shares of the system; 2) if the
two are unlinkable, there are no more or less related between
them than the prior knowledge of the attacker after observa-
tion; and 3) supervisability is the ability of the supervisor to
quickly trace the relevant accounts and real-world identities
and search for relevant information when supervising.
Furthermore, we achieve unforgeability, unlinkability, and
privacy in the credential system.
1) Unforgeability: An adversary cannot forge legal creden-
tials by the existing credentials of honest users.
2) Unlinkability: An adversary cannot learn anything about
attributes or identifiers, nor can he partner to link a cre-
dential to multiple submissions or transactions of a given
user.
3) Privacy: An adversary cannot learn user attributes
by following the process for issuing and verifying
credentials.
D. Cryptographic Credentials
1) Commitment Schemes: Sensitive identity information
cannot simply be declared in plaintext, such as an ID card. To
hide the privacy of one’s identity attributes, we publish com-
mitments to hide personal values to the claim(s). In particular,
SmartDID utilizes the Pedersen commitments scheme [34].
Let G be a cyclic group of order q with two random gen-
erators of g and h. Then, the Pedersen commitment for a
secret integer value v ∈ {0, 1, . . . , q − 1} can be calculated
as com := Comm(v, r) = gv hr with the randomness r. The
Pedersen commitment has perfect hiding with the random
6722 IEEE INTERNET OF THINGS JOURNAL, VOL. 10, NO. 8, 15 APRIL 2023

TABLE II
E XAMPLE S TRUCTURE OF C REDENTIAL

Fig. 2. Components of DID structure.

number r. If r = 0, then the commitment is binding but not

hiding.
2) Pedersen Vector Commitment: Let g = {g1 , . . . , gn } ∈
Gn and h ∈ G be the two random generators of G. Then,
the Pedersen commitment for a secret integer vector v =
{v1 , . . . , vn
} can be calculated as com := Comm(v, r) =
gv hr = hr i gvi ∈ G with the randomness r. Pedersen vector
commitment is computationally binding under the assumption
of perfect hiding and discrete logarithms (DLs).
3) Zero-Knowledge Proofs: SmartDID protects the creden-
tials privacy by zero-knowledge proofs [35]. The protocol
involves two or more parties who perform some steps to com-
plete a mission. Generally, the prover is someone who holds
the secret, and the verifier is someone who is convinced to
believe that secret. For example, a prover may know the open-
ing to the commitment com and want to convince a verifier
that he knows the committed value v, for example, v = 100.
By using noninteractive Bulletproofs, the prover can generate
a proof σ , which can convince the verifier without revealing
any information about v. There is no interaction between the
prover and verifier with the hash technique. The prover can
add σ to the credentials and upload them to the decentralized
ledger so that any proof system can perform verification.
Range Proofs of Bulletproofs: Similarly, if a prover knows
the opening to the commitment com and wants to convince
a verifier that the committed value v is in a specific range, IV. S MART DID D ESIGN
for example, 0 ≤ v < 103 . Then, the prover generates a This section gives the algorithm definition and then
Range proof σ and adds it to the credential and the distributed describes the detailed construction of the distributed identity
ledger so that any proof system can verify the credentials via system, dual-credential model, and the distributed systemic
blockchain. proof system.
4) Decentralized Identifier: As shown in Fig. 2, the DID
syntax can be define as DID = “did:did-method:did-method-
specific-id”, where “did” is a fixed string, “:” is to combine A. Description of SmartDID
strings, and “did-method” and “did-method-specific-id” are An identity management scheme includes the distributed
variable names. Each userID corresponds to a DID document, identity system, the dual-credential model, and the sys-
which is used to reveal user’s public information, such as temic distributed proof system. We defined SmartDID as
public key, authentication method, etc.  = (Setup, CreateDID, CreateClaim, CreateCredential,
5) Verifiable Credentials: Credentials follow the verifiable VerCredential).
credential specification on World Wide Web [16] and consist Setup (1λ ) → sp: On inputting the security parameter λ,
of credential metadata, claims, and proofs. the issuer generates q-order cyclic groups G with generators
1) Metadata: The metadata contains standard entries, such of (g, h) or (g, h). Let e : G × G → GT denote a bilin-
as issuance and expiration dates. For simplicity, we will ear map. Select collision-resistant SHA-256 hash functions
omit the metadata later. H : {0, 1}∗ → Zq and a signature scheme (Sign, VerSign),
2) Claim(s): The claim is a statement issued by IoT devices respectively. The parameter is sp = {q, g, g, h, G, GT , e, H}.
or users. A claim can be expressed in an attribute-value- CreateDID(sp) → {(pkU , skU ), DID}: On inputting the
user relationship as claim = {att, val, U }, or an attribute- system parameter sp, the algorithm generates identifiers
commitment-user relationship as claim = {att, com, U }. DID = (masterID, userIDs) and a public–private key pair
U is the identity of IoT devices or users. (pk, sk).
3) Proof(s): The proof refers to the digital signature or CreateClaim (att, val, U) → (Claim, σU ): On inputting
zero-knowledge proof of the credential. the attributes (att, val) with user U, the algorithm output
As stated above, some portion of a sample credential is the claim as claim = {claim1 , . . . , claimm } with signature
shown in Table II. σU = Sign(skU , claim), where claimi = {att,val, U }.

Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:43:54 UTC from IEEE Xplore. Restrictions apply.
YIN et al.: SmartDID: NOVEL PRIVACY-PRESERVING IDENTITY BASED ON BLOCKCHAIN FOR IoT
CreateCredential (pkU , skI , Claim, σU , ) → (Cred,
Proof): On inputting the user public key pkU , issuer private
key skI , claim of credential, and Shamir threshold scheme ,
committee nodes consensus and verify the authenticity of the
claim and generate signature as σ . Then, the issuer verifies
σU and outputs the credential as cred = { pkU , claim, σ }
and proof = (dg, σI ), where dg is a hash or commitment
digest of cred and σI = Sign{ skI , (pkU , σ , dg)}.
VerCredential (ch, DID, pkI , cred, E) → b: On inputting
the verifier’s challenge ch (to protect against replay attract),
user identifier DID, issuer public key pkI , tree structure E,
and credential cred, the verifier computes the Boolean value
of tree proof system and checks the validity of each credential.
The algorithm would output b = 1 if all verifications passed;
otherwise, b = 0.
It is worth noting that the credential update and revocation
of SmartDID follow the PKI infrastructure system.
B. Distributed Identity System
We explain detailed specifics of the distributed identity
system in SmartDID. The overall goals of the identity system
are Sybil resistance, Unlinkability, and Supervisibility.
It seems that Sybil resistance and unlinkability are an
oxymoron. Since the system does contain some plaintext cre-
dentials, an adversary may collect some attributes (not always
sensitive) from different credentials that correspond to a spe-
cific identifier and thereby infer the user’s real-world identity.
Bitcoin [28] does not have this problem because it can gener-
ate a new identity for each transaction. While creating multiple
identities by a single user may solve the linking problem, it
also introduces the possibility of Sybil attacks [29] in a con-
sortium chain. A single user may publish multiple identities to
perform Sybil attacks to compromise a disproportionate share.
We design a distributed identity system with a unique masterID
and several pseudonymous identifiers (userIDs) to solve this
problem.
Similarly, it is hard to provide both supervisibility and pri-
vacy. Supervisibility entails traceability back to the user’s real
identity, which contradicts identity privacy. SmartDID builds
a mapping table of masterID and userIDs to settle the Sybil
attack and linkage attack paradox. The combination of com-
mitment and zero-knowledge proofs enables us to protect the
privacy as well as the supervisibility of users.
1) Identity Registration: SmartDID constructs an identity
system with a masterID and many pseudonyms IDs (userIDs),
following the W3C DID protocol [13]. Like a database, mas-
terID is the master key and is unique to the entire system.
The masterID takes the form of Pedersen commitment to IoT
network, denoted as com := Comm(v, r) = gv hr , where r
is a random number and varies with different credentials.
There can be many userIDs, and each userID corresponds to
a public–private key pair.
Blockchain consensus is the core of DID registration and
issuance for IoT devices and users. In the PBFT consensus
model, there are client nodes, master nodes, and replica nodes.
The client node is in charge of sending transaction requests.
The primary node is for packing transactions into blocks and
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:43:54 UTC from IEEE Xplore. Restrictions apply.
6723
Fig. 3. Identity registration process. In consensus, 0 is the primary node,
and 3 is the faulty node in red.
block consensus, and only one primary node in each round
of consensus process. Replica nodes are for block consensus,
and there are multiple replica nodes in each round of the con-
sensus process, and each replica node has similar processing.
Among them, both primary and replica nodes belong to con-
sensus nodes. PBFT consensus mainly includes three stages:
1) preprepare; 2) prepare; and 3) commit.
As shown in Fig. 3, the user DID registration process is:
1) client sends masterID registration request; 2) system per-
forms consensus algorithm; 3) system replies to the client’s
request; 4) client confirms that the consensus has been com-
pleted; and 5) client sends userID registration request and open
a new consensus round. The specifics are as follows.
1) The IoT user/device first sends a masterID registra-
tion request to the identity system. Users should pro-
vide supervisors with verifiable identity proofs, such
as electronic ID, device mac address, or other guar-
antees, in a general or committed way. The supervi-
sor then verifies the identification and publishes the
result of the authentication. If passed, the system
will generate a DID Identifier as the masterID and
issue the corresponding commitment to the blockchain
network, and the supervisor has access to the original
masterID.
2) System Consensus With PBFT: In the preprepare phase,
the primary node verifies the receiving request and
authentication results and broadcasts the preprepare mes-
sages to backups. Subsequently, each backup checks
the preprepare messages. If accepted, it generates the
prepare messages, publishes them to replicas, and then
enters the prepare phase. The same goes for replicas.
After a node has collected enough prepare messages, it
has reached a state to commit the block and broadcast
the commit messages. If a node has gathered enough
commit messages, it can process the request in the local
cache and reply to the client.
3) When the client receives the commit messages, he con-
firms whether the system has reached a consensus on his
request. If so, the system will reply to the client with
the masterID.
4) The client receives the reply and confirms that the con-
sensus has been completed and then stores masterID
secretly.
5) The client continues to apply for userIDs and submits the
masterID commitment to open a new consensus round.
6724
The difference is that userID is public to the network.
A more detailed process of PBFT can be seen in [44].
2) Identity Verification: Considering that masterID is
unique, a user only needs to provide the masterID commit-
ment and its corresponding random number to the supervisor.
Theoretically, different random numbers should be used for
different credentials, but recording them all may cause a bur-
den to the system, making it hard for the supervisor to open
up the commitment.
To solve this problem, inspired by [45], SmartDID requires
the user to provide a public verifiable token during the identity
verification process, defined as tk = (pk)r , where masterID is
encrypted as com := Comm(v, r) = gv hr . As long as the user
← gr ych
exposes the token, the supervisor can open its commitment
)
without storing the random number r.
Suppose a supervisor wants to prove that com = gv hr is an
open commitment to v (here v is the value of masterID), then
he can calculate s = com/gv = hr and tk = pkr = hsk·r = ssk .
Note that pk = hsk , so the supervisor only needs to prove that
logs tk = logh pk, from which we can see that both logarithms
are calculated as sk, and the whole equation is independent of
r. Therefore, the supervisor does not need r to generate this
proof.
 Similarly, SmartDID
  supports batch verification, denoted as
comk = g vk h rk . Due to the DL problem, the public
tokens are only useful for supervisors to verify their commit-
ments, malicious users cannot learn any identity information
about other users.
C. Dual-Credential Model
Our system has plaintext credentials and cryptographic
credentials, corresponding to the plaintext claim and com-
mitment claim. Benefitting from the consensus mechanism of
blockchain, SmartDID has the following properties.
1) The user cannot create attributes that do not exist.
2) The user must own the declared attributes to pass the
verification.
1) Hidding Attributes: SmartDID supports both plaintext
attributes and commitment attributes. In cryptographic cre-
dentials, SmartDID uses Pedersen commitments to encrypt
the attributes in the claims. Assuming that a commitment
com := Comm(v, r) = gv hr is opening to an attribute value
v, or a commitment vector com := Comm(v, r) = gv hr is
opening to an attribute vector v. Thus, the commitments of
attributes are entirely indistinguishable, meaning an adversary
cannot distinguish whether the value is positive, negative, or
0. The user can display the value v and random r to a verifier
who knows com if necessary, and the verifier can confirm their
consistency.
= grp ych = gv−ch∗x gx·ch =
2) Building Claims: Let vector val = {val1 , . . . , valn } be
= H(g, y, com
) = ch.
the corresponding values of user attributes vector att =
{att1 , . . . , attn } with user U. Suppose a credential contains
m claims, that is, claim = {claim1 , . . . , claimm }. There are
plaintext claims and commitment claims in the system. The
1 = g1 1 ych = gv11 −ch·x1 g1x1 ·ch = gv11 = com1 and
specifics are as follows.
rp2 ch
1) Plaintext Claim: In a plaintext claim, the values to
attributes are in plaintext, that is claimi = {att,val, U }.
= H(g1 , y1 , g2 , y2 , com
1 , com
2 ) = ch.
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:43:54 UTC from IEEE Xplore. Restrictions apply.
IEEE INTERNET OF THINGS JOURNAL, VOL. 10, NO. 8, 15 APRIL 2023
Algorithm 1 Example of DL Proof
Input: secret x, generator g, to prove that y is the discrete
logarithm of x with base g
Output: challenge ch, response rp
1: function CREATE _DL_ PROOF (x, g)
2: y ← gx
3: v ← random ∈ Zq
4: com ← gv // commitment to v
5: ch ← H(g, y, com)
6: rp ← v − ch · x(mod q)
7: end function
8: function VERIFY _DL_ PROOF (ch, rp)
9: com
10: flag ← ch = ?
H(g, y, com
11: return flag ;
12: end function
2) Commitment Claim: In a commitment claim, claimi =
{att, com, U } and com = Comm(val, r) is the commit-
ment to val with randomness r.
Finally, the user U generates the proof of the claim with his
private key, expressed as σU = Sign(skU , claim).
3) Creating Credentials: For the credibility and reliability
of credentials, the blockchain performs consensus before the
credential proofs are uploaded on the chain. Generally, some
issuers are institutions and have some knowledge about the
users. For example, the issuer is a school and the user is a
student, or the issuer is a hospital and the user is a patient.
For the (t, N) Shamir threshold scheme , three are at least
t nodes to prove the claim. Each committee node Cj con-
sensus and verifies the claim and generates a signature as
σj = Sign(skj , claim), so that it can be convinced that the
claim is authentic. Finally, the user combines all signatures to
obtain σ = {σ1 || · · · ||σN }.
The issuer then generates a credential as cred =
{pkU , claim, σ }, where σ is the signature proof of the claim.
Assuming that (pkI , skI ) and (pkU , skU ) are the key pair of
issuer and user, respectively. Finally, the issuer calculates a
proof of σI = Sign{skI , (pkU , σ , dg)}, where dg is a hash or
commitment value of cred.
We can support various cryptographic credentials, such as
AND credential and OR credential based on [31] and Range
credential based on [35], etc. The details are as follows.
DL Proof: If a prover needs to prove that he possesses a
certain private value, then DL proof can be used, as shown
in Algorithm 1. It is necessary to note that the commitment
function can be changed to any other commitment scheme. We
can prove the correctness that com
com, so ch
AND Proof: We can further build AND Proofs based
on the DL proof. If a prover needs to prove that he has
multiple attributes at once, AND Proof can be applied, as
shown in Algorithm 2. We can prove the correctness that
com
rp
1
com2 = g2 y2 = gv22 −ch·x2 g2x2 ·ch = gv22 = com2 , so
ch
YIN et al.: SmartDID: NOVEL PRIVACY-PRESERVING IDENTITY BASED ON BLOCKCHAIN FOR IoT 6725

Algorithm 2 Example of AND Proof

Input: secret x1 , x2 , generator g1 , g2 , to prove that y1 is the
discrete logarithm of x1 with base g1 , y2 is the discrete
logarithm of x2 with base g2
Output: challenge ch, response rp1 , rp2
1: function CREATE _ AND _ PROOF (x1 , x2 , g1 , g2 )
2: y1 ← gx11 , y2 ← gx22
3: v1 , v2 ← random ∈ Zq
4: com1 ← gv11 , com2 = gv22 // commitments
5: ch ← H(g1 , y1 , g2 , y2 , com1 , com2 )
6: rp1 ← v1 − ch · x1 (mod q), rp2 ← v2 − ch · x2 (mod q)
7: end function
8: function VERIFY _ AND _ PROOF (ch, rp1 , rp2 )
com
1 ← g1 1 ych

rp rp2 ch
9: 1 , com2 ← g2 y2
10: flag ← ch = ?
H(g1 , y1 , g2 , y2 , com
1 , com
2 )
11: return flag ; Fig. 4. Construction of the access tree.
12: end function

On input a credential as cred = {pkU , claim, σ }, if the

Algorithm 3 Example of OR Proof claims in a credential provided by U are authentic, the cre-
Input: secret x, generator g1 , g2 , to prove that y1 is the dis- dential will be hashed to dg = H(cred, r), where H is a hash
crete logarithm of x1 with base g1 , or y2 is the discrete function, and r is a random number. Then, the issuer signs the
logarithm of x2 with base g2 hash value of the credential as σI = Sign{skI , (pkU , σ, dg)}, so
Output: challenge ch, ch1 , ch2 response rp1 , rp2 the proof is proof = {dg, σI }. The credential proof is uploaded
1: function CREATE _ AND _ PROOF (x1 , x2 , g1 , g2 ) to the blockchain through the smart contract.
2: x1 ← random ∈ Zq , x2 ← x Commitment Strategy for Cryptographic Credentials:
3: y1 ← gx11 , y2 ← gx22 Considering the low entropy due to the small amount of
4: v1 , v2 , a ← random ∈ Zq attribute values, this may expose the hash to traversal attacks
5: com1 ← gv11 ya1 , com2 ← gv22 // commitments and, thus, leak the user’s private data. Therefore, we guarantee
6: ch ← H(g1 , y1 , g2 , y2 , com1 , com2 ) the security of the digest data on the chain by uplinking the
7: ch1 ← a and ch2 ← ch − ch1 commitment rather than the credential hash value. The algo-
8: rp1 ← v1 (mod q), rp2 ← v2 − ch2 · x(mod q) rithm is similar to the hash strategy for plaintext credentials;
9: end function the difference is digest dg = Comm(cred, r), where Comm(·)
10: function VERIFY _ OR _ PROOF (ch, ch1 , ch2 , rp1 , rp2 ) is a commitment function.
com
1 = g1 1 ych

rp rp2 ch2
1 , com2 = g2 y2
1
11:
12: flag ← ch = ?
H(g1 , y1 , g2 , y2 , com
1 , com
2 ) && ch1 + D. Distributed Systemic Proof System
ch2 =?
H(g1 , y1 , g2 , y2 , com
1 , com
2 ) The current PKI is an infrastructure built with public-key
13: return flag ; technology [46]. We combine the basic credential proofs and
14: end function construct a logical access structure, a tree-based distributed
systemic proof system that embeds credentials in leaf nodes.
It is an extension of PKI and implements attribute-based fine-
grained access control.
Credential of OR Proof: If the prover needs to prove that In the tree structure, each nonleaf node is described by
he satisfies the attribute sets of OR operation, OR Proof can its child nodes, whose values can be the AND-gate, OR-
be used to construct the proof, which will be signed and gate structure, i.e., op = {∪, ∩}. We can further add attribute
uploaded to the chain, as shown in Algorithm 3. We can weights and threshold algorithms. The verification value of
prove the correctness that com
1 = g1 1 ych
rp v1 a
1 = g1 y1 = com1 ,
1
a nonleaf node is a Boolean value after the operation on its
com
2 = g2 2 ych = gv22 −ch2 ·x2 gx22 ·ch2 = gv22 = com2 , so
rp 2
2 child nodes. The AND gate implies that the user needs to sat-
ch = H(g1 , y1 , g2 , y2 , com
1 , com
2 ) = ch, and ch1 + ch2 =

a + (ch − a) = ch.
4) Uplinking Strategy: SmartDID designs credential
uplinking strategies that support different security require-
ments for hash and commitment uplinking to echo the
plaintext claim and commitment claim.
Hash Strategy for Plaintext Credentials: Suppose there is a
weak privacy requirement for the user attributes on the chain,
the system defaults to using a hash strategy for uplinking.
isfy both the left and right child node conditions, while the
OR gate needs to satisfy only one of the left and right child
nodes.
1) Construction of Access Tree: Let the set of credential
relationships be E = ((cred0 ∩cred1 )∪(cred2 ∩cred3 ) )∩cred4 .
Let {cred0 , cred1 , cred2 , cred3 , cred4 } with weight values of
W = {0.4, 0.3, 0.3, 0.3, 0.9}, respectively. Then, the tree is
constructed as Fig. 4. It is worth noting that we sort the
weight values of the credentials and sort the credentials with

Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:43:54 UTC from IEEE Xplore. Restrictions apply.
6726 IEEE INTERNET OF THINGS JOURNAL, VOL. 10, NO. 8, 15 APRIL 2023

Algorithm 4 Access Tree Creation Algorithm 5 Access Tree Verification

Input: Suffix expression E containing creds, creds is sorted Input: Node tree, pnode ∗p
by weights W Output: TRUE / FALSE
Output: ProofTree 1: function VERIFY (Node tree, pnode ∗p)
1: function CREATE _ PROOF _ TREE (suffixExpression E) 2: if (tree) then
2: stack s ← empty stack; 3: if (tree.val is operand) then
3: for each element e ∈ E do 4: return verify(tree.val);
4: if e is operand then 5: end if
5: Node tree ←new Node(e); 6: if (tree.val == ∪) then
6: s.push(tree); 7: return (verify(tree.lchild, p) || verify
7: end if (tree.rchild, p));
8: if e is operator then 8: end if
9: Node secondOperand ← s.pop(); 9: if (tree.val == ∩) then
10: Node firstOperand ← s.pop(); 10: return (verify(tree.lchild, p) && verify
11: Node tree ← new Node(e); (tree.rchild, p));
12: tree.setLeftChild(firstOperand); 11: end if
13: tree.setRightChild(secondOperand); 12: else
14: s.push(tree); 13: return FALSE;
15: end if 14: end if
16: end for 15: end function
17: return s.pop();
18: end function

2) The verifier checks the existence of the issuer. Call the

larger weights on the left node to ensure that the maximum
weight value of the left subtree is larger than the right subtree,
which prevents the recursive insertion operation on the set of
credentials. As shown in Fig. 4, the weight of left subtree
L1.100 is 0.4 and the weight of right subtree L1.101 is 0.3,
0.4 > 03. The tree’s root node is labeled as Level 0(abbre-
viated as L0). Its left and right child nodes are labeled L1.0,
L1.1, so continue.
2) Verification of the Access Tree: We adopt the depth-
first search (DFS) algorithm in the verification process of the
access tree. For operator ∪, as long as one of the left and
right children returns TRUE, the tree returns TRUE, and the
verification is completed; for operator ∩, as long as one of
the left and right children returns FALSE, the tree returns
FALSE, and the verification is completed. Returns TRUE if the
Boolean value is TRUE for the whole tree; otherwise, returns
FALSE. The verification algorithm of the access tree is shown
in Algorithm 5.
Verification of Leaf Node: The following steps are required
for each credential in a leaf node to verify the identity holder.
1) The verifier authenticates the identity holder. This step
confirms whether the private key is in the holder’s pos-
session. First, the holder sends a challenge, generates
the challenge hash, and signs the hash value with his
private key. Both the challenge and signature are sent
to the verifier. Then, the verifier decrypts the signature
with the holder’s public key to obtain a hash, and he
takes the same hash algorithm to generate a new hash
with the original challenge. Finally, the verifier com-
pares the new hash against the original hash. Only if
the two hash values match will pass the verification,
which indicates that the public key used to decrypt the
signature corresponds to the private key used to create
the signature.
smart contract and check if the issuer’s identity is in the
list of issuers. The verifier then validates the validity
of credential content, such as expiration date, creden-
tial format, and the signature signed by the issuer. A
digital signature is indeed encryption using the issuer’s
private key. The verifier can decrypt the signature via
the issuer’s public key to obtain a credential hash or
commitment (noted as digest dg1 ).
3) The verifier reconstructs the digest of the credential. The
verifier computes the hash value or commitment value
of the credential body of the holder to generate a new
digest and compare the two digests. The verification will
pass only when the two digests match, which means that
the holder’s attributes are certified by the official issuer.
4) Furthermore, the verifier will call smart contracts to
compare the digests to the proof on the blockchain.
Only when the three digests match, the verification
will pass.
In summary, the algorithm returns TRUE if all steps passed;
otherwise, FALSE. The detailed steps are in Fig. 5.
Example: Fig. 6 is an example of an access tree for a
company hiring employees. The recruitment requires verifi-
cation of the authenticity of education degree and identity
information of candidates and reviewing their resumes. The
first strategy that a candidate needs to satisfy is ((“cre-
dential of Bachelor degree” ∩ “Graduation credential”) ∩
“ID card”) ∩ “Personal resume,” and the second is ((“cre-
dential of Bachelor degree” ∩ “Graduation credential”) ∩
“Student card”) ∩ “Personal resume”). Otherwise, it will
not pass.
A verifier typically has multiple access policies, and he
updates the access policies following a tree structure of
rules. SmartDID supports multiple access policies such as the
combination of Plaintext, AND, OR, and Range credentials.

Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:43:54 UTC from IEEE Xplore. Restrictions apply.
YIN et al.: SmartDID: NOVEL PRIVACY-PRESERVING IDENTITY BASED ON BLOCKCHAIN FOR IoT
Fig. 5. Credential validation process for each leaf node.
Fig. 6. Example of access tree.
V. S ECURITY A NALYSIS
In this section, we analyze the security properties of
SmartDID.
A. Security Properties of the Identity System
We achieve Sybil resistance, unlinkability, and supervisibil-
ity in the identity system. The system can be Sybil-resistant
with the unique masterID. The different random numbers
in masterID encryption make userIDs unlinkable to each
other. SmartDID supports supervisibility by identifying and
recording users’ masterID and real-world identity information.
Verifier verifies the masterID by zero-knowledge proofs,
which can effectively protect the privacy of IoT devices and
users. SmartDID further enhances the authenticity of identities
through identity consensus and credential consensus.
B. Security Properties of the Credential System
We achieve unforgeability, unlinkability, and privacy in the
credential system. Zero-knowledge proofs technology has the
properties of completeness, soundness, and zero-knowledge,
which we can extend to our cryptographic credentials. The
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:43:54 UTC from IEEE Xplore. Restrictions apply.
6727
analysis of the security properties of the dual-credential model
is as follows.
Unforgeability: In distributed identity system of SmartDID,
the user’s private key is always stored locally in the identity
wallet. The user only uses the private key to sign the verifier’s
challenge during the protocol execution in the verCredential
phase. Similarly, during the createCredential phase, the issuer
only uses the private key to sign the digest of the claims in
the proofs. In addition, the public key is only revealed to the
owner who can prove its identity, and it is difficult to infer the
system’s private key backward from the system’s public key.
That is, the system is unforgeable.
Unlinkability: First, masterID is anonymous, and different
random number encryption is used for different userIDs to get
different encryption results, so userID and masterID are also
unlinkable.
In cryptographic credential creation and verification
phase, the user uses the security parameters sp =
(q, g, h, g, G, GT , e, H) and pkI to randomize the attribute
(att, val) in credential cred = {pkU , claim, σ }, where σ is
proof of claim signed by committee nodes and claim =
{att, com, U } and com = Comm(val, r) is the commit-
ment to val. Then, algorithm generates the proof as σI =
Sign{skI , (pkU , σ , dg)}. In each verification, the prover should
first choose a random number before presentation and veri-
fier checks the signatures of σ and σI . The zero-knowledge
attribute ensures that the zero-knowledge verification algo-
rithm will not reveal any information about (att, val). The
credential is randomized by the random number during the
verification phrase to ensure the anonymity and unlinkabil-
ity between different executions of the verification phrase. In
addition, the masterID is encrypted and the userID is gener-
ated almost randomly each time, so the commitment attributes
even plaintext of a single credential cannot be linked to a user
identity.
Since the masterID is encrypted and the userIDs are gen-
erated almost randomly each time, attributes collected in the
previous time cannot be associated with the next time. As a
result, an attacker cannot perform multiple collections to exe-
cute a linkage attack, so credentials and identity are unlinkable.
In conclusion, identity–credential–verification is not linkable
to each other.
Privacy: The cryptographic credential creation phase and
cryptographic credential verification phase are private. We
start the credential creation phase and analyze what the
adversary has learned. On building the claim phrase, the
attributes (att, val) are encrypted into a commitment vector
of com = Comm(val, r), where r is a random number, so
claim = {att, com, U }. Then, the issuer sign and outputs
the credential as cred = {pkU , claim, σ }. In this credential
issuance process, the issuer (committee node) verifies the com-
mitment, and the adversary learns the output commitment
through the committee node. The adversary can learn the com-
mitment value of the claim. Since the commitment is hidden
and the proof process is zero-knowledge, nothing more is
revealed.
In the verification phase, on inputting the identifier DID,
Issuer’s public key pkI , and the cryptographic credential cred,
6728
TABLE III
C OMPARISON OF E FFICIENCY AND G ENERALITY OF Z ERO -K NOWLEDGE P ROOFS A RITHMETIC C IRCUITS
an adversary can learn the output commitment through the
verifier. In this process, the adversary can only learn claims’
commitment value, and the proof includes the signature by
the Issuer and the digest of the claim. However, it can only
verify the correctness of the signature and the correctness of
the commitment. Since the commitment is hidden based on the
DL problem and the verification process is zero-knowledge,
nothing more is revealed.
VI. I MPLEMENTATION AND P ERFORMANCE
In this section, we will design experiments and evaluate the
performance of the proposed scheme.
A. Implementation
We implement the prototype of our identity management
scheme based on Bulletproofs [35], general statements proof
systems [31], and Fisco Bcos blockchain [47], where con-
strained IoT devices and users are deployed as light nodes.
The main components of SmartDID are the distributed identity
system, the dual-credential model, and the nested distributed
proof system.
We take Pedersen commitment and Bulletproofs of nor-
mal zero-knowledge and Range proof, with extra AND proof
and OR proof, to construct cryptographic credentials. We take
Barreto-Naehrig 256 (BN256) as the default elliptic curve in
Bulletproofs and use SHA-256 as the default hash function,
the same as Bitcoin.
SmartDID supports Pedersen commitment, DL proofs,
Range proofs credential based on Bulletproofs, AND proof,
and OR proof credential based on the proof system. SmartDID
constructs their respective zero-knowledge proofs based on
their respective circuits, the operations of which include
{+, −, >, <, hash} and so on.
It can be seen from Table III that three types of knowledge
proof have their own advantages and disadvantages. Here, n
denotes the number of gates, l is the size of the circuit instance,
 indicates the scheme have this feature, while × not having
this feature. DL stands for DL and KOE stands for knowl-
edge index. Both SNARKs, STARKs, and Bulletproofs are
privacy protocols for knowledge proofs. Similar to SNARKs
and STARKs, Bulletproofs can natively support elliptic curves
and Pedersen commitments, which naturally support Range
proofs and can compress (aggregate) multiple Range proofs.
Bulletproofs has the full 128-bit security system under the
zero-standard DL hypothesis, without the need to initial-
ize trusted settings. The comparison in the table shows that
Bulletproofs has a short proof size, fast proof speed, and uni-
versality, with the disadvantage of slightly longer verification
time.
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:43:54 UTC from IEEE Xplore. Restrictions apply.
IEEE INTERNET OF THINGS JOURNAL, VOL. 10, NO. 8, 15 APRIL 2023
Bulletproofs provide more efficient Range proofs that can
be integrated with transactions (each credential application and
verification can be regarded as a transaction), but the number
grows only logarithmically, and the bulk multiplier is much
faster than the old version of the proof through full integration.
Bulletproofs have a smaller byte count. Bulletproofs proto-
col can double the range size, while the proof size increases
by 64 bytes because the volume grows only logarithmically.
Bulletproofs are faster and the protocol is more general, which
supports a very efficient form of bulk verification that can be
used in zero-knowledge prove arbitrary determinations.
SmartDID constructs a tree-based systemic distributed proof
system to achieve attribute-level access control given a par-
ticular data set. All types of credentials are nested in the leaf
nodes, and other nodes are credential operators such as {∪, ∩}.
B. Performance
End users of SmartDID are applied on desktop with
Intel@Core(TM) i5-4590 CPU @ 3.30-GHz 3.30-GHz, RAM
8.00 GB with the Windows operating system. The system
deployment environment of SmartDID is a laptop equipped
with Intel@Core i5 2.30 GHz, RAM 8.00-GB 2133 MHz
(SSD) with the macOS Mojave operating system. The system
development language is Java 1.8. Also, we deploy Fisco
Bcos as the blockchain platform on this machine. We set
up a local network on these two machines to ensure their
communication. The network bandwidth is 28.5/11.21 Mbps
(download/upload), and the average communication delay is
about 10 ms.
1) Functionality Comparison: We first compare the func-
tionality of SmartDID with WeIdentity, Uport and CanDID
scenario. As we can see from Table IV, all Uport, WeIdentity,
CanDID, and SmartDID support features of identity privacy
and credential privacy, e.g., selective disclosure. As far as we
can see, private credentials are not available online in open-
source projects, so we did not compare performance with
them in the next section. SmartDID constructs a tree-based
distributed systemic proof system that supports mixed pol-
icy proofs and fine-grained attribute access control. SmartDID
supports the unlinkability between credentials, multiple dis-
play verification, and the user’s real social identity.
2) Performance Comparison: We compare the
performance of SmartDID with WeIdentity [27] and
CanDID [42]. We run SmartDID and WeIdentity in the same
environment. Since our computer performance is inferior
to that of CanDID, we select data from their performance
analysis to compare with the experiments of our scheme,
as shown in Table V. The table shows that CanDID takes
4.27 s to generate a master credential, including precredential
YIN et al.: SmartDID: NOVEL PRIVACY-PRESERVING IDENTITY BASED ON BLOCKCHAIN FOR IoT
TABLE IV
F UNCTIONALITY C OMPARISON W ITH OTHER S CHEMES
TABLE V
P ERFORMANCE C OMPARISON
conversion time. SmartDID performs best in credential
generation and proof generation since we do not need a
precredential conversion time. The proof time of Bulletproofs
is worse than that of zk-Snarks, so the original proof time
for a credential is slightly worse than that of CanDID.
Nevertheless, it is still within a reasonable range, and we
have further designed a tree-based proof system to improve
the proof efficiency.
3) Performance of SmartDID: The main steps of
SmartDID is system setup, credential creation, creden-
tial verification, and algorithm definition is  = (Setup,
CreateDID, CreateClaim, CreateCredential, VerCredential).
Since the Setup phase is one-off, we will focus on the
performance analysis of CreateDID, CreateClaim, various
types of credential creation, and their correlative verification
in CPU time and storage. In the CreateDID algorithm, the
average creation time of SmartDID is about 0.4s, running 50
times.
CreateClaim Algorithm: There are plaintext claims and
commitment claims in the claim protocol. A plaintext claim
can be denoted as claim = {att,val, U} and a commitment
claim can be denoted as claim = {att, com, U}. With 15
attributes running 50 times, the average time to create a plain-
text claim and a commitment claim is about 2 and 4 ms,
respectively, which is hardly growing with the number of
attributes.
CreateCredential Algorithm: The steps of credential cre-
ation are claim creation, credential creation, proof genera-
tion, and uploading proofs to the chain. We first give the
performance of credential construction in Fig. 7(a), including
Plaintext credential, Commitment credential, AND credential,
and OR credential. We separate the Range credential because
it has the highest creation time overhead. Fig. 7(b) describes
the construction and verification time of the Range credential.
The construction time increases linearly with the attributes,
where Plaintext credential is most efficient, AND, OR is rather
complicated, and Range credential is the most time consuming.
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:43:54 UTC from IEEE Xplore. Restrictions apply.
6729
Fig. 7(c) shows the block generation time and transaction
commit time of SmartDID in blockchain with the different
number of consensus nodes. The transaction in the SmartDID
system refers to the issuance and uplink of credentials. With
the increase of consensus nodes, the block generation time
shows a small oscillation with a slightly increasing trend. It
is the communication overhead between nodes and the PBFT
consensus algorithm. Regarding communication, each node is
interconnected with other nodes for transaction broadcast and
synchronization of blocks. Regarding the latter, PBFT avoids
nodes competing for arithmetic power to confirm transactions
on the test network utilizing elections. Testing a blockchain
with more consensus nodes leads to a higher communication
load and increases the time cost of processing transactions.
The message complexity of PBFT is O(N 2 ), where N denotes
the number of nodes. If there are more than 100 nodes in the
system, it may lead to bottlenecks in network transmission
efficiency and latency, thus limiting reliability. To compensate,
the Fisco Bcos blockchain in SmartDID can support many
different consensus mechanisms such as RAFT to satisfy the
system’s demands.
As the node number increases, the block committing time to
backend storage is limited to a small oscillation within a spe-
cific range, regardless of the number of nodes. Since the block
size and channel size are stable and fixed, time-consuming
operations such as node consensus are no longer required for
committing blocks to the backend storage.
Fig. 7(d) depicts the storage space in SmartDID for the iden-
tifier DID, DID document, Plaintext credential, Commitment
credential, Range credential, AND credential, and OR creden-
tial in the normal state with 15 attributes, respectively. The
identifier and DID documents format is standardized and a fixed
value. The storage space of each credential object is linear,
with the bit size of the attribute information to be proven.
VerCredential Algorithm: The main steps of each creden-
tial verification of leaf node are checking: 1) the validity of
identifiers; 2) the validity of signature signed by the issuer;
and 3) reconstructing the digest of the credential (hash or
commit) and comparing with the proof on the blockchain.
We give the performance of all kinds of credential verifica-
tion in Fig. 7(b) and (e) describes the credential construction
and verification time of the Range proof. The time consump-
tion of credential verification tends to increase as the number
of attributes increases, but overall it is within the available
range of the system. As we can predict, plaintext creden-
tial verification is the fastest because it does not participate
6730
(a)
(d)
Fig. 7. Performance of SmartDID. (a) Time per type of credential. (b) Time for Range credential. (c) Block generation time of SmartDID. (d) Credentials
size of SmartDID. (e) Average verification time per-type of credential. (f) Time for credentials verification in tree-based proof system.
in zero-knowledge proofs. The pervasive verification pro-
cess is consistent across credentials, so the time consumption
of individual cryptographic credentials verification is essen-
tially determined by the complexity of their corresponding
zero-knowledge verification algorithms.
To solve the issue of multiconditional verification of the ver-
ifier, SmartDID constructs a tree-based nested distributed proof
system, supporting fine-grained access control and mixed
strategy proofs of plaintext credentials and cryptographic cre-
dentials. As shown in Algorithm 4, the verifier first initializes
the verification conditions to construct a tree-based proof
system. The leaf nodes are the credentials, and the nonleaf
nodes are the operations on the credentials. The TRUE result
of the whole tree indicates that the verification passes. It can
be seen that the verification process here is equivalent to the
search operation in the tree-based proof system. As long as
the result of the proof system can be calculated, the proof
result can be returned without traversing the whole structure.
Due to the wide variety of credentials and operations, we
categorized and sorted them to test the performance of the
proof system. Fig. 7(f) demonstrates the optimal verification
time for Range proof, AND proof, OR proof, Commitment
proof, and Plaintext proof, respectively, with time complexity
approximately O(logn), where n denotes the number of tree
nodes. In the worst case, the proof time complexity of the
proof system is O(n). Furthermore, since the system supports
mixed strategy proofs, any combination of proof structures
has a time complexity between the performance of Range
and Plaintext. Therefore, the proof performance of the entire
system is efficient.
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:43:54 UTC from IEEE Xplore. Restrictions apply.
IEEE INTERNET OF THINGS JOURNAL, VOL. 10, NO. 8, 15 APRIL 2023
(b) (c)
(e) (f)
VII. C ONCLUSION
SmartDID is a distributed identity management system
for IoT consisting of an identity system. First, we inte-
grated the IoT and blockchain and configured IoT devices
as blockchain light nodes. We further designed a distributed
identity system with Sybil resistance, unlinkability, and super-
visability. Specifically, we employed a unique masterID to
supervise and prevent Sybil attacks and adopted multiple
userIDs to disconnect the linkage between different creden-
tials. Moreover, we developed a dual-credential model with
plaintext and privacy credentials based on commitment and
Bulletproofs to preserve the privacy of sensitive attributes
and on-chain data. Besides, we combined the basic credential
proofs to prove the knowledge and created a systematic dis-
tributed proof system to solve general statements and more
complex problems. In future work, we will study identity
revocation in distributed systems.
ACKNOWLEDGMENT
The authors appreciate the powerful computation of remote
server supported by Alibaba Cloud EFLOPS AI Platform.
R EFERENCES
[1] M. Banerjee, J. Lee, and K.-K. R. Choo, “A blockchain future for
Internet of Things security: A position paper,” Digit. Commun. Netw.,
vol. 4, no. 3, pp. 149–160, 2018.
[2] A. Čolaković and M. Hadžialić, “Internet of Things (IoT): A review of
enabling technologies, challenges, and open research issues,” Comput.
Netw., vol. 144, pp. 17–39, Oct. 2018.
[3] D. Mocigemba, “Sustainable computing,” Poiesis Praxis, vol. 4, no. 3,
pp. 163–184, 2006.
YIN et al.: SmartDID: NOVEL PRIVACY-PRESERVING IDENTITY BASED ON BLOCKCHAIN FOR IoT
[4] O. L. López, H. Alves, R. D. Souza, S. Montejo-Sánchez,
E. M. G. Fernández, and M. Latva-Aho, “Massive wireless energy trans-
fer: Enabling sustainable IoT toward 6G era,” IEEE Internet Things J.,
vol. 8, no. 11, pp. 8816–8835, Jun. 2021.
[5] B. B. Gupta and M. Quamara, “An overview of Internet of Things (IoT):
Architectural aspects, challenges, and protocols,” Concurrency Comput.
Pract. Exp., vol. 32, no. 21, p. e4946, 2020.
[6] X. Zhu and Y. Badr, “Identity management systems for the Internet of
Things: A survey towards blockchain solutions,” Sensors, vol. 18, no. 12,
p. 4215, 2018.
[7] C. H. Cap and N. Maibaum, “Digital identity and its implication
for electronic government,” in Towards the E-Society: E-Commerce,
E-Business, and E-Government, B. Schmid, K. Stanoevska-Slabeva, and
V. Tschammer, Eds. Boston, MA, USA: Springer, 2001, pp. 803–816.
[8] M. H. Kulkarni, A. Yadav, D. Shah, P. Bhandari, and S. Mahapatra,
“Unique ID management,” Int. J. Comput. Technol. Appl., vol. 3, no. 2,
pp. 520–524, 2012.
[9] S. Sarkar, “The unique identity (UID) project, biometrics and re-
imagining governance in India,” Oxford Develop. Stud., vol. 42, no. 4,
pp. 516–533, 2014.
[10] M. S. Ali, M. Vecchio, M. Pincheira, K. Dolui, F. Antonelli, and
M. H. Rehmani, “Applications of blockchains in the Internet of Things:
A comprehensive survey,” IEEE Commun. Surveys Tuts., vol. 21, no. 2,
pp. 1676–1717, 2nd Quart., 2019.
[11] Y. Wu, H.-N. Dai, and H. Wang, “Convergence of blockchain and edge
computing for secure and scalable IIoT critical infrastructures in industry
4.0,” IEEE Internet Things J., vol. 8, no. 4, pp. 2300–2317, Feb. 2021.
[12] Y. Wu, H. N. Dai, H. Wang, and K.-K. R. Choo, “Blockchain-based pri-
vacy preservation for 5G-enabled drone communications,” IEEE Netw.,
vol. 35, no. 1, pp. 50–56, Jan./Feb. 2021.
[13] “Decentralized Identifiers (DIDs) v1.0: Core Architecture, Data
Model, and Representations.” Aug. 2021. [Online]. Available:
https://www.w3.org/TR/did-core/
[14] “Digital Identity Alliance.” ID2020. 2020. [Online]. Available:
https://id2020.org/
[15] “Decentralized Identity Foundation. DIF Website.” 2020. [Online].
Available: https://identity.foundation/
[16] “Verifiable Credentials Data Model Implementation Report 1.0.”
Oct. 2021. [Online]. Available: https://www.w3.org/TR/vc-data-model-
implementation-report/
[17] C. Lundkvist, R. Heck, J. Torstensson, Z. Mitton, and M. Sena, “Uport:
A platform for self-sovereign identity,” Brooklyn, NY, USA, uPort,
White Paper, 2018. [Online]. Available: https://whitepaper.uport.me/
uPort_whitepaper_DRAFT20170221.pdf
[18] M. Isaakidis, H. Halpin, and G. Danezis, “UnlimitID: Privacy-preserving
federated identity management using algebraic MACs,” in Proc. ACM
Workshop Privacy Electron. Soc., 2016, pp. 139–142.
[19] S. Azouvi, M. Al-Bassam, and S. Meiklejohn, “Who am I?
Secure identity registration on distributed ledgers,” in Data Privacy
Management, Cryptocurrencies and Blockchain Technology, J. Garcia-
Alfaro, G. Navarro-Arribas, H. Hartenstein, and J. Herrera-Joancomartí,
Eds. Cham, Switzerland: Springer Int., 2017, pp. 373–389.
[20] O. Jacobovitz, “Blockchain for identity management,” Lynne William
Frankel Center Comput. Sci. Dept. Comput. Sci., Ben-Gurion Univ.,
Beer Sheva, Israel, Rep. #16-02, 2016.
[21] D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, and
W. T. Polk. “Hyperledger Indy: Distributed Ledger Purpose-
Built for Decentralized Identity.” 2020. [Online]. Available:
https://www.hyperledger.org/use/hyperledger-indy
[22] D. Zhai, H. Li, X. Tang, R. Zhang, Z. Ding, and F. R. Yu, “Height
optimization and resource allocation for NOMA enhanced UAV-aided
relay networks,” IEEE Trans. Commun., vol. 69, no. 2, pp. 962–975,
Feb. 2021.
[23] D. Zhai, Q. Shi, R. Zhang, X. Tang, and H. Cao, “Coverage
maximization for heterogeneous aerial networks,” IEEE Wireless
Commun. Lett., vol. 11, no. 1, pp. 91–95, Jan. 2022.
[24] L. Liu et al., “Blockchain-enabled secure data sharing scheme in
mobile-edge computing: An asynchronous advantage actor–critic learn-
ing approach,” IEEE Internet Things J., vol. 8, no. 4, pp. 2342–2353,
Feb. 2021.
[25] P. Windley and D. Reed, “Sovrin: A protocol and token for self-
sovereign identity and decentralized trust,” Sovrin Found., Provo, UT,
USA, Rep. 1.0, Jan. 2018.
[26] “ShoCard with ShoCoin tokens whitepaper: Identity management ver-
ified using the blockchain,” Cupertino, CA, USA, ShoCard, White
Paper, 2017. [Online]. Available: https://static.coinpaprika.com/storage/
cdn/whitepapers/448345.pdf
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:43:54 UTC from IEEE Xplore. Restrictions apply.
6731
[27] “Weidentity: Digital Identity for Data Sharing on Open
Consortium Chain.” Mar. 29, 2022. [Online]. Available:
https://fintech.webank.com/en/weidentity/
[28] S. Nakamoto. “Bitcoin: A Peer-to-Peer Electronic Cash System.” 2009.
[Online]. Available: http://www.bitcoin.org/bitcoin.pdf
[29] A. Mohaisen and J. Kim, “The sybil attacks and defenses: A survey,”
2013, arXiv:1312.6349.
[30] J.-H. Hsiao, R. Tso, C.-M. Chen, and M.-E. Wu, “Decentralized E-voting
systems based on the blockchain technology,” in Advances in Computer
Science and Ubiquitous Computing, J. J. Park, V. Loia, G. Yi, and
Y. Sung, Eds. Singapore: Springer, 2017, pp. 305–309.
[31] J. Camenisch and M. Stadler, “Proof systems for general statements
about discrete logarithms,” Dept. Comput. Sci., ETH Zurich, Zürich,
Switzerland, Rep. TR 260, 1997.
[32] G. Zyskind, O. Nathan, and A. S. Pentland, “Decentralizing privacy:
Using blockchain to protect personal data,” in Proc. IEEE Security
Privacy Workshops, San Jose, CA, USA, 2015, pp. 180–184.
[33] S. Wang, Y. Zhang, and Y. Zhang, “A blockchain-based framework for
data sharing with fine-grained access control in decentralized storage
systems,” IEEE Access, vol. 6, pp. 38437–38450, 2018.
[34] T. P. Torben, “Non-interactive and information-theoretic secure verifiable
secret sharing,” in Proc. Int. Cryptol. Conf., 1991, pp. 129–140.
[35] B. Bünz, J. Bootle, D. Boneh, A. Poelstra, P. Wuille, and G. Maxwell,
“Bulletproofs: Short proofs for confidential transactions and more,” in
Proc. IEEE Symp. Security Privacy (SP), 2018, pp. 315–334.
[36] G. Wood, “Ethereum: A secure decentralised generalised transaction
ledger,” Ethereum Project, Zug, Switzerland, Yellow Paper, vol. 151,
2014, pp. 1–32.
[37] E. Androulaki et al., “Hyperledger fabric: A distributed operating system
for permissioned blockchains,” in Proc. 13th EuroSys Conf., 2018,
pp. 1–15.
[38] M. Swan, Blockchain: Blueprint for a New Economy. Sebastopol, CA,
USA: O’Reilly Media, Inc., 2015.
[39] Z. Zheng, S. Xie, H.-N. Dai, X. Chen, and H. Wang, “Blockchain chal-
lenges and opportunities: A survey,” Int. J. Web Grid Serv., vol. 14,
no. 4, pp. 352–375, 2018.
[40] C. Garman, M. Green, and I. Miers, “Decentralized anonymous creden-
tials,” in Proc. NDSS, 2014, pp. 622–636.
[41] A. Sonnino, M. Al-Bassam, S. Bano, S. Meiklejohn, and G. Danezis,
“Coconut: Threshold issuance selective disclosure credentials with appli-
cations to distributed ledgers,” 2018, arXiv:1802.07344.
[42] D. Maram et al., “CanDID: Can-do decentralized identity with legacy
compatibility, sybil-resistance, and accountability,” IACR Cryptol. ePrint
Arch., Lyon, France, Rep. 934/2020, 2020.
[43] A. Shamir, “How to share a secret,” Commun. ACM, vol. 22, no. 11,
pp. 612–613, 1979.
[44] M. Castro and B. Liskov, “Practical Byzantine fault tolerance,” in Proc.
3rd Symp. Oper. Syst. Des. Implement., vol. 99, 1999, pp. 173–186.
[45] N. Narula, W. Vasquez, and M. Virza, “zkledger: Privacy-preserving
auditing for distributed ledgers,” in Proc. 15th USENIX Conf. Netw.
Syst. Des. Implement., 2018, pp. 65–80.
[46] J. Weise, Public Key Infrastructure Overview, Sun BluePrints, Palo Alto,
CA, USA, Aug. 2001, pp. 1–27.
[47] Z. Li, C. Li, H. Li, X. Bai, and X. Shi, “FISCO BCOS technology
application in practice,” Inf. Commun. Technol. Policy, vol. 46, no. 1,
pp. 52–60, 2020.
Jie Yin (Student Member, IEEE) received the B.S.
and M.S. degrees from the School of communica-
tion engineering, Xidian University, Xi’an, China,
in 2016 and 2019, respectively, where she is cur-
rently pursuing the Ph.D. degree in communication
and information system.
From 2019 to 2020, she worked with Huawei
Technologies Company Ltd., Shenzhen, China. Her
current research interests include blockchain, dis-
tributed identity, security and privacy, decentralized
trust management, and Internet of Things.
6732
Yang Xiao (Member, IEEE) received the B.S. and
Ph.D. degrees in communication engineering from
Xidian University, Xi’an, China, in 2013 and 2020,
respectively.
From 2017 to 2019, he was supported by the
China Scholarship Council to be a visiting Ph.D.
student with the University of New South Wales,
Sydney, NSW, Australia. He is currently a Lecturer
with the State Key Laboratory of Integrated Services
Networks, School of Cyber Engineering, Xidian
University. His research interests include social
networks, joint recommendations, graph neural network, trust evaluation, and
blockchain.
Qingqi Pei (Senior Member, IEEE) received the
B.S., M.S., and Ph.D. degrees in computer science
and cryptography from Xidian University, Xi’an,
China, in 1998, 2005, and 2008, respectively.
He is currently a Professor and a Member of
the State Key Laboratory of Integrated Services
Networks, Xidian University. His research interests
focus on privacy preserving, blockchain, and edge
computing security.
Prof. Pei is a Professional Member of ACM
and a Senior Member of the Chinese Institute of
Electronics, and China Computer Federation.
Ying Ju (Member, IEEE) received the B.S.
and M.S. degrees from the School of Electronic
Information Engineering, Tianjin University, Tianjin,
China, in 2008 and 2010, respectively, and the
Ph.D. degree from the School of Electronic and
Information Engineering, Xi’an Jiaotong University,
Xi’an, China, in 2018.
From 2016 to 2017, she was a Visiting
Scholar with the Department of Computer Science,
University of California at Santa Barbara, Santa
Barbara, CA, USA. From 2010 to 2018, she was
a Senior Engineer with State Radio Monitoring Center, Xi’an. She is cur-
rently an Associate Professor with the Department of Telecommunications
Engineering, Xidian University, Xi’an. Her research interests include physical-
layer security of wireless communications, millimeter-wave communication
systems, and blockchain.
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:43:54 UTC from IEEE Xplore. Restrictions apply.
IEEE INTERNET OF THINGS JOURNAL, VOL. 10, NO. 8, 15 APRIL 2023
Lei Liu (Member, IEEE) received the B.Eng. degree
in communication engineering from Zhengzhou
University, Zhengzhou, China, in 2010, and the
M.Sc. and Ph.D. degrees in communication engi-
neering from Xidian University, Xi’an, China, in
2013 and 2019, respectively.
From 2013 to 2015, he worked with Technology
Company. From 2018 to 2019, he was supported by
the China Scholarship Council to be a visiting Ph.D.
student with the University of Oslo, Oslo, Norway.
He is currently a Lecturer with the Department
of Electrical Engineering and Computer Science, Xidian University. His
research interests include vehicular ad-hoc networks, intelligent transportation,
mobile-edge computing, and Internet of Things.
Ming Xiao (Senior Member, IEEE) received the
bachelor’s and master’s degrees in engineering from
the University of Electronic Science and Technology
of China, Chengdu, China, in 1997 and 2002, respec-
tively, and the Ph.D. degree from the Chalmers
University of Technology, Gothenburg, Sweden, in
November 2007.
From 1997 to 1999, he worked as a Network
and Software Engineer with China Telecom, Beijing,
China. From 2000 to 2002, he held a position with
Sichuan Communications Administration, Chengdu.
Since November 2007, he has been with the Department of Information
Science and Engineering, School of Electrical Engineering and Computer
Science, KTH Royal Institute of Technology, Stockholm, Sweden, where he
is currently an Associate Professor.
Dr. Xiao was an Editor for IEEE W IRELESS C OMMUNICATIONS L ETTERS
from 2012 to 2016 and IEEE T RANSACTIONS ON C OMMUNICATIONS from
2012 to 2017. Since January 2015, he has been a Senior Editor of IEEE
C OMMUNICATIONS L ETTERS. In 2017, he was a Lead Guest Editor for
IEEE J OURNAL ON S ELECTED A REAS IN C OMMUNICATIONS Special Issue
on Millimeter Wave Communications for Future Mobile Networks. Since
2018, he has been an Editor for IEEE T RANSACTIONS ON W IRELESS
C OMMUNICATIONS. Since 2019, he has been an Area Editor for IEEE O PEN
J OURNAL OF THE C OMMUNICATIONS S OCIETY.
Celimuge Wu (Senior Member, IEEE) received the
M.E. degree from Beijing Institute of Technology,
Beijing, China, in 2006, and the Ph.D. degree from
The University of Electro-Communications, Chofu,
Japan, in 2010.
He is currently an Associate Professor with the
Graduate School of Informatics and Engineering,
The University of Electro-Communications. His cur-
rent research interests include vehicular networks,
sensor networks, intelligent transport systems, IoT,
and edge computing.
Dr. Wu is an Associate Editor of IEEE ACCESS, the IEICE Transactions on
Communications, the International Journal of Distributed Sensor Networks,
and MDPI Sensors.