
Digital Identity - Blockchain

This document proposes a blockchain-based framework for digital identity verification, record attestation, and record sharing. It discusses problems with traditional identity management systems, including issues with usability, privacy, security, and globalization. Blockchain technology could address these problems by allowing individuals to have sovereignty over their identity records, control who can access them, and share minimal information while ensuring data integrity and trust. The proposed framework would promote user control over identity data and the ability to govern how that data is shared.



Towards a Blockchain based digital identity verification, record attestation and record sharing system

Mehmet Aydar · Serkan Ayvaz · Salih Cemil Çetin

Mehmet Aydar
AI Enablement Department, Huawei Turkey Research and Development Center, Istanbul, Turkey
E-mail: maydar@kent.edu

Serkan Ayvaz
Department of Software Engineering, Bahcesehir University, Istanbul, Turkey
E-mail: serkan.ayvaz@eng.bau.edu.tr

Salih Cemil Çetin
AI Enablement Department, Huawei Turkey Research and Development Center, Istanbul, Turkey
E-mail: salihcemil@gmail.com

arXiv:1906.09791v2 [cs.CR] 23 Jun 2020

Abstract The Covid-19 pandemic has made individuals and organizations rethink the way they handle identity verification and credentials sharing, particularly in quarantined situations. In this study, we investigate the inefficiencies of traditional identity systems, and discuss how a proper implementation of Blockchain technology would result in safer, more secure, privacy respecting and remote friendly identity systems. As a result, we propose a Blockchain based framework for digital identity verification, record attestation and record sharing, and we explain the framework in detail with certain use cases. Our proposed framework promotes individuals' full control of their identity data and lets them govern the level of identity data sharing.

Keywords Blockchain · distributed ledger · identity management · self-sovereign digital identity · attestation

1 Introduction

Individuals identify themselves using various identity assets such as their name, national identity number and passport number. Identity assets are recorded in physical documents which are attested by central authorities. In the world of the internet, identity owners are required to provide their identity assets to institutions in order to verify their identities. Traditionally, institutions keep this sensitive information in centralized data silos. These traditional identity management methods are prone to data breaches, identity theft and fraud. Moreover, these methods have inefficiencies in terms of security, usability, privacy and globalization. As a matter of fact, the digital transformation has further emphasized the need to move away from intermediary and provider-controlled identity management models toward user-controlled digital identity.

The advent of Blockchain technology has created an opportunity to transform how relationships between people and institutions are established and maintained. Blockchain technology can deliver secure solutions by integrating trust in the network itself. As for digital identity management, Blockchain technology can enable identity owners to have sovereignty over their identity based personal records, control access to their records and share a minimum amount of information while ensuring data integrity and trust. This study focuses on using Blockchain technology for identity management systems.

The paper is organized as follows: Section 2 expresses the motivation of the study by describing current problems in traditional identity management methods. Section 3 presents Blockchain technology and the main concepts used in Blockchain based identity management systems, and explains why the technology is suitable for a robust digital identity management system. In Section 4, we describe the proposed solution in detail. Section 5 reviews existing solutions in the field. It is followed by the conclusion.

2 Problems in traditional identity management methods

The main challenges persisting in traditional identity management methods can be grouped into four categories: Usability, Privacy, Security and Globalization.

2.1 Usability

Identity verification is challenging to handle remotely using traditional identity systems. During the pandemic caused by Covid-19 [WHO, ], a considerable number of businesses moved their services online. As a result, remotely managing identity verification, Know Your Customer (KYC) requirements, document signing and credentials sharing became more essential for individuals, businesses and organizations.

Identity owners typically use a username/password combination in order to be authenticated for online services, for which they are required to provide their personal information in order to create an account. This leads to hassles such as having too many logins, one for each service, trying to remember various login credentials, and giving out private information to recover an account when the password is forgotten. For remote authentication, identity owners are in most cases obliged to answer security questions containing their personal and sensitive information for verification of their identity. As a result, users pay a price by spending a great deal of time proving their identity, and by risking their privacy through providing private identity information. A survey report by Centrify in 2014 indicated that even small businesses with 500 employees lose approximately $200,000 annually in productivity due to the time spent on password management [Centrify, 2014].

2.2 Privacy

Identity assets define an individual. Yet, in traditional systems, an individual’s identity assets are stored by third parties. A third party, whether it is a website, a company or a government, keeps silos of identity data. Third parties often require more information than they need in order to verify an individual’s identity, such as “mother’s maiden name”, “phone number” and “social security number.” Sensitive identity details are often stored in repositories that identity owners are unaware of, shared without their approval, and exploited for commercial purposes.

2.3 Security

In traditional systems, each service provider keeps some portion of an individual’s identity information for identity verification. Hackers constantly attack these systems to steal the identity information. Potential data breaches result in tremendous setbacks for both the identity owners and the businesses. According to Javelin’s Identity Fraud Study [Pascual et al., 2018], over 16.7 million customers in the U.S. were affected by identity fraud, which cost them a total of $16.8 billion in 2017 alone.

What’s more interesting is that the number of victims affected by identity fraud increased by 8% compared to the previous year. There is an increasing trend in cyber-security breaches and a rise in their economic damages. A report by Herjavec Group predicts that damages caused by cyber-security breaches will cost the world $6 trillion in a year by 2021 [Morgan, 2017].

2.4 Globalization

From a global perspective, identity verification and record attestation are challenging tasks across borders due to institutional and international barriers. When a person travels to a different country, identity verification often starts from scratch and boils down to a manual process of verifying his/her physical documents (i.e., passports). In addition, verification of credentials such as education certificates, diplomas and credit reports is often slow. Also, disconnected processes require the involvement of multiple third parties for attestation. For instance, individuals who have earned a particular college degree in India have to go through trusted third parties, costing them a significant amount of money and time, in order to prove their degrees in a U.S. governmental office.

3 Concepts and definitions

3.1 Blockchain

Blockchain is an immutable distributed ledger that stores ownership of digital assets in the form of transactions and blocks. A Blockchain network consists of peers, each keeping the same copy of the ledger data managed through peer-to-peer (P2P) networking. Unlike traditional decentralized peer-to-peer networks, in which each peer acts independently, in Blockchain the final decision is made through a consensus among the peers. Blockchain was first introduced as the backbone technology in Bitcoin, a digital currency system which eliminates the necessity of trusted third parties in electronic payments but still guarantees trust among the peers [Nakamoto, 2008].

In a Blockchain ledger, transactions are ownership transfers of digital assets. In the Bitcoin system, an ownership transfer is called a “payment,” in which the digital asset is the digital currency (also called Bitcoin), and the owners are Bitcoin wallet holders identified by asymmetric cryptographic keys. Specific peers called miners are responsible for approving transactions. When a transaction is initiated, transaction details including the sender, the receiver, the digital asset amount being transferred, and the timestamp indicating the time of the transaction are hashed and broadcast to the pending transaction pool. Miners grab a list of transactions to constitute a candidate block. The candidate block also contains a timestamp, the hash value of the candidate block, which is generated from the block header and the Merkle root hash value [Merkle, 1980] of the transactions included in the block, and the hash value of the last approved block in the ledger.

The Blockchain network utilizes a consensus algorithm to approve and append candidate blocks to the ledger. For instance, in the Bitcoin network the proof of work (PoW) consensus algorithm [Vukolić, 2015] is used, in which miners compete to approve candidate blocks by trying to compute a computationally hard Nonce value. The Nonce value is determined by the cryptographic consensus algorithm and an ever growing difficulty of the network. Once a block is validated, it is appended to the previously approved blocks by referencing the last block’s hash value, constituting a chain of approved blocks in the ledger.

The chained and distributed mechanism of Blockchain makes tampering with previously approved transactions impractical, because tampering with a single transaction in a block would result in a different Merkle root hash value of the transactions contained in the block, and a different hash value for the tampered block. Therefore, it invalidates all the following blocks in the chain due to the hash linking feature of the ledger. This requires the re-calculation of a different Nonce value for all the blocks including and after the tampered block in the chain for the current peer. For the fake transaction to be verified, the aforementioned process must also be done for the majority of the peers in the network. This is computationally impractical in a widely adopted Blockchain network. Thereby, the ledger data stored in a Blockchain network is typically considered immutable.
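
The hash linking described above can be checked mechanically. The following Python sketch is an added example, not code from the paper: it builds a three-block chain with a Merkle root and a proof-of-work nonce per block, then shows how a peer detects an edited transaction, and why redoing the nonce of the edited block alone only moves the failure to the next block. The block layout, the three-hex-digit difficulty and the sample transactions are assumptions made for illustration.

```python
import copy
import hashlib
import json

DIFFICULTY = 3            # required leading zero hex digits (assumed, tiny on purpose)
GENESIS_PREV = "0" * 64   # "previous hash" referenced by the first block


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def merkle_root(txs):
    """Hash transactions pairwise up to a single root (Bitcoin style: an odd
    node at any level is paired with itself)."""
    level = [sha256(tx.encode()) for tx in txs] or [sha256(b"")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0].hex()


def block_hash(header):
    return sha256(json.dumps(header, sort_keys=True).encode()).hex()


def mine(prev_hash, txs):
    """Search for a nonce that gives the header hash the required zero prefix."""
    header = {"prev": prev_hash, "merkle_root": merkle_root(txs), "nonce": 0}
    while not block_hash(header).startswith("0" * DIFFICULTY):
        header["nonce"] += 1
    return {"header": header, "hash": block_hash(header), "txs": list(txs)}


def build_chain(batches):
    chain, prev = [], GENESIS_PREV
    for txs in batches:
        chain.append(mine(prev, txs))
        prev = chain[-1]["hash"]
    return chain


def first_invalid_block(chain):
    """Return (index, reason) for the first block a peer would reject, else None."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        header = block["header"]
        if header["merkle_root"] != merkle_root(block["txs"]):
            return i, "merkle root mismatch"
        if block_hash(header) != block["hash"] or not block["hash"].startswith("0" * DIFFICULTY):
            return i, "invalid block hash"
        if header["prev"] != prev:
            return i, "previous-hash link broken"
        prev = block["hash"]
    return None


# Constructed sample transactions, not data from the paper.
SAMPLE = [
    ["alice->bob:5", "bob->carol:2"],
    ["carol->dave:1", "dave->alice:3", "bob->erin:4"],
    ["erin->alice:1"],
]


def demo():
    chain = build_chain(SAMPLE)
    edited = copy.deepcopy(chain)
    edited[1]["txs"][0] = "carol->dave:100"          # alter one approved transaction
    remined = copy.deepcopy(chain)
    # Redo the nonce for block 1 only: block 1 is self-consistent again,
    # but block 2 still points at the old hash of block 1.
    remined[1] = mine(chain[0]["hash"], edited[1]["txs"])
    return first_invalid_block(chain), first_invalid_block(edited), first_invalid_block(remined)


if __name__ == "__main__":
    print(demo())
```

The third result is the point of the paragraph: every block after the edited one would also need a new nonce before the copy is internally consistent, and the other peers still hold the original chain.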

3.2 Cryptography, hashing and digital signature

Public-key cryptography (asymmetric cryptography) [Rivest et al., 1978] is an encryption technique that has been used for decades. It makes use of a key pair consisting of a private key and a corresponding public key. Asymmetric cryptography enables encryption and decryption of messages using two separate keys, in a way that a message encrypted with a public key can only be decrypted with the relevant private key that belongs to the key pair, and vice versa. While private keys are meant to be known only by the key owners, public keys are open to others. In Blockchain, public-key cryptography is utilized for asset ownership and for verifying the authenticity of transactions.

Hashing is a mathematical mechanism for generating a fixed size value from input data. It is impractical to regenerate the original input given its hash value. In Blockchain, hashing is applied to transaction and block data. For example, the Bitcoin system uses the SHA256 hashing algorithm, which was originally designed by the United States National Security Agency (NSA). SHA256 has also been used for decades in many sectors and services that require solid security, such as financial services, and it has proven to be secure. Table 1 shows sample inputs and outputs of the SHA256 hash function.

Table 1 Sample inputs and outputs of SHA256 hash function.

Original text | SHA256 hash
“tubitak” | 8c9b3371a4cae382bad1d752000902f871f8f78b1a2b62e4fe3ac47f40a2b742
“Tubitak” | 50ae8005208300584bd519ecfca19a083ad2831930668cee1b594bc8bb1b353c
“The Scientific and Technological Research Council of Turkey (TUBITAK)” | e18dd11e01d89410631d22829ea7786c64228785669d6a5f665e33fa348f3fc2

Digital signature refers to digitally signing a message in order to certify authenticity and ensure integrity of the message in peer-to-peer communication, which is achieved using public-key cryptography and hashing. As an example, in Figure 1, Bob sends a message to Alice using digital signatures. Bob encrypts the hash of the original message with his private key. This action is called signing. Bob sends the original message and the signed message to Alice. Alice applies the same hash function to the original message and decrypts the signed message using Bob’s public key. Alice then compares these two results. If they are equal, then it means that the message indeed came from Bob and was not tampered with. In Blockchain, digital signatures are utilized in verifying the authenticity of digitally signed transactions. For instance, in the Bitcoin system, only transactions initiated by the asset owner itself are verified, which means that asset owners can only spend the assets they own. This is ensured via the concept of digital signatures.

Fig. 1 Sending data using digital signature. [Figure: Bob hashes his message to Alice and encrypts the hash with his private key; Alice decrypts it with Bob's public key, hashes the received message, and checks whether the two values match.]

3.3 Self-sovereign identity

Self-sovereign identity (SSI) is an identity model in which any person, organization, or entity has the ownership and full control of their own data. It is not governed by centralized authorities, and it can never be removed from the identity owner. The requirements of an SSI model are described as below [Abraham, 2017]:

– Identity owners have full control over the data they own.
– Integrity, security and privacy of the owner’s identity are ensured by the system; a central authority is not required for trust.
– Provides full portability of the data. This means that identity owners can use their identity data wherever they want (for instance in accessing an online service).
– Any changes to the data are transparent, and transparency is sustained by the system.

3.4 Decentralized identifier

Decentralized identifier (DID) is an identification mechanism which assigns a standard, cryptographically verifiable, globally unique and permanent identity to individuals, organizations, and things. DIDs are completely under the identity owner’s control and do not depend on central authorities. Public-key cryptography is used in DIDs, as each DID contains an asymmetric key pair of a public key and an associated private key. The control of a DID is managed through the DID’s private key. DIDs provide an identity owner with a lifelong encrypted private channel with another identity owner. Identity owners use DIDs to identify themselves. Each DID resolves to a DID document (DID descriptor object), which contains the DID’s cryptographic keys, publicly available metadata (if any) regarding the DID owner, and resource pointers for the discovery of endpoints for initiating interactions with the DID owner.

3.5 Verifiable credentials

Credentials are proof for identity owners to assert their license or qualification on certain subjects. They are widely used in individuals’ daily lives. Driver’s licenses, university diplomas and travel passports are examples of credentials. Verifiable credentials are machine readable, privacy respecting, cryptographically secure digital credentials of identity owners. Verifiable credentials support self-sovereign identity, such that identity owners accumulate credentials into an identity account and use the credentials to prove who they are.

Verifiable credentials usually involve a third-party attestation, but they can also be self-attested. Attestation is done by utilizing the concept of digital signatures. An attester (issuer) having a DID creates a verifiable credential by signing the identity owner’s records using its private key. Then, the credential is cryptographically verified by a verifier using the attester’s public key. Verifiers rely on the credibility of issuers when placing trust in the credentials.
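
Attestation as described in Sections 3.2 and 3.5, as an added Python example that is not part of the paper: an issuer signs a credential over a canonical encoding, and a verifier resolves the issuer's public key through a ledger lookup and rejects altered, wrongly signed or untrusted credentials. The credential fields, the `did:example:` identifiers and the dictionary standing in for the ledger are assumptions; the signature is textbook RSA (the "encrypt the hash with the private key" of Fig. 1) on a constructed demo key, where a deployment would use a vetted signature scheme and library.

```python
import copy
import hashlib
import json

E = 65537


def demo_keypair(p_exp, q_exp):
    """Textbook RSA key from two Mersenne primes. Constructed demo key: the
    primes are public knowledge, so it protects nothing."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    n = p * q
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}


def digest(payload):
    """SHA-256 over a canonical JSON encoding, so issuer and verifier hash the
    same bytes regardless of key order or whitespace."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return int.from_bytes(hashlib.sha256(canonical.encode()).digest(), "big")


def issue_credential(issuer_did, issuer_private, subject_did, claims):
    """Issuer side: sign the hash of the record with the issuer's private key."""
    payload = {"issuer": issuer_did, "subject": subject_did, "claims": claims}
    signature = pow(digest(payload), issuer_private["d"], issuer_private["n"])
    return {**payload, "signature": format(signature, "x")}


def verify_credential(credential, ledger, trusted_issuers):
    """Verifier side. Returns (accepted, reason)."""
    issuer = credential.get("issuer")
    if issuer not in trusted_issuers:
        return False, "issuer not trusted by this verifier"
    public = ledger.get(issuer)          # DID -> public key, stands in for the DID document
    if public is None:
        return False, "issuer DID does not resolve"
    payload = {k: credential.get(k) for k in ("issuer", "subject", "claims")}
    try:
        signature = int(credential.get("signature", ""), 16)
    except (TypeError, ValueError):
        return False, "malformed signature"
    if pow(signature, public["e"], public["n"]) != digest(payload):
        return False, "signature does not match contents"
    return True, "ok"


def demo():
    # All identifiers and claims below are constructed sample values.
    uni_public, uni_private = demo_keypair(521, 607)
    other_public, other_private = demo_keypair(1279, 2203)
    ledger = {"did:example:university": uni_public, "did:example:other": other_public}
    trusted = {"did:example:university"}
    claims = {"degree": "BSc Computer Engineering", "year": 2019}

    good = issue_credential("did:example:university", uni_private, "did:example:alice", claims)
    altered = copy.deepcopy(good)
    altered["claims"]["degree"] = "PhD Computer Engineering"   # holder edits a claim
    wrong_key = issue_credential("did:example:university", other_private, "did:example:alice", claims)
    untrusted = issue_credential("did:example:other", other_private, "did:example:alice", claims)
    return [verify_credential(c, ledger, trusted) for c in (good, altered, wrong_key, untrusted)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The last case is the one the signature alone cannot catch: the credential verifies under its issuer's key, and is rejected only because the verifier does not rely on that issuer.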

4 Proposed solution

We propose a Blockchain based digital identity solution, which makes use of attribute-based data sharing, self-sovereign identity, decentralized identifiers and verifiable credentials, and allows identity owners to use trust relationships that they already have with trusted partners. The system enables identity owners to prove that they are who they claim to be (authentication, i.e., login systems) and to make certain claims involving third-party certifications (attestation, i.e., proof of education degree certificates). The aim of the proposed system is to provide a framework that is remote-friendly, scalable and globally usable, and that provides both privacy and security by design.

Fig. 2 Overall workflow of the proposed identity system.

Figure 2 shows the overall workflow of the proposed solution. In the system, individuals and institutions are assigned a digital identity through a decentralized platform orchestrated by Blockchain. The system does not store any private user identity data, not even an encrypted version, in the public ledger. The ledger only contains the proofs of transactions for verification in Blockchain. Identity owners fully control the user identity data and solely determine with whom to share their identity data. Identity owners receive their cryptographically signed documents in the form of cryptographically verifiable credentials from the related institutions, and keep them in their mobile wallets. Consequently, the system also reduces the time spent in tasks requiring verification of user identity and eliminates the need for a central authority in verification and management of identity data.

The main benefits of the proposed solution include eliminating the need for a central authority for identity verification and identity data management, reducing the time spent in verification of identity, allowing data sharing with permission, and verifying the origin of the data while sharing.

Fig. 3 An example use case for patients medical records.

4.1 Sample Use Cases

In this section, we describe the proposed framework with sample use cases. The framework enables organizations to issue digitally signed documents to identity owners. The signed documents are in the form of verifiable credentials. With the help of digital signatures, verifying parties are able to verify that the documents are original, not mutated and signed by the issuers. Figure 3 shows an example use case regarding a patient’s medical records involving multiple medical institutions. In the use case, a patient named Alice was previously treated in hospitals A and B, and presents her previous medical records from these institutions at hospital C. Hospitals A and B issue Alice’s medical records to her in the form of verifiable credentials. Alice gathers these documents in her secure digital wallet, and presents them to her physician at hospital C. Knowing hospital A and B’s public keys, hospital C is able to verify that Alice’s medical records were indeed originally issued by hospital A and hospital B and are not mutated.

Figure 4 shows an example use case for presenting documents and credentials to a new employer in order to start a new job. In the example, Bob’s new company requires Bob to present proof of educational degree, proof of former employment, lab results from a hospital, proof of address details and documents regarding a background check. Bob gathers the documents from the related institutions online in the form of verifiable credentials and keeps them in his digital wallet, and Bob’s new company verifies the authenticity of the documents once presented. The process saves time, enables issuing and verifying documents online and prevents counterfeiting of records.

Fig. 4 An example use case for presenting documents to a new employer.

Figure 5 shows an example use case regarding a loan application. In the use case, a loan applicant, Alice, applies for a loan with Bank B. Alice is a current customer of Bank A, which is trusted by Bank B. In addition, Alice owns land, and the related information is kept by government departments. However, Alice has never worked with Bank B previously. Therefore, Bank B does not have any records about Alice. As part of KYC regulations, Bank B is required to know Alice in order to serve her. Using the proposed framework, Alice authenticates herself with Bank B. Then, Bank B requests Alice’s information from the related organizations online, and she receives a notification regarding the request. Alice gives her consent for her information to be shared with Bank B in the form of verifiable credentials. Bank B processes Alice’s loan application based on the gathered information. The whole process happens online in minutes without Alice physically having to go to the bank.

Fig. 5 An example use case for a loan application.

4.2 Blockchain Network

The backbone of our identity management system is the Blockchain network. In the system, the Blockchain network is used for bringing transparency and trust to the digital ecosystem by assigning a digital identity, distributing the storage rather than centralizing it, and automating the processes with smart contracts. The concept of “decentralized digital identity” is in line with the fundamental design of Blockchain. Namely, the following aspects of Blockchain technology made it the ideal choice for the proposed identity management system:

– Blockchain ledger is immutable and transparent (based on permissions), which are essential parts of identity management.
– Blockchain is resistant to single point of failure and denial-of-service attacks.
– Blockchain provides an efficient implementation of public-key cryptography and hashing, which:
  – can be extended for digital identity ownership.
  – helps ensure integrity and authenticity of identity-based records.
  – can be utilized for third-party attestation of records.
  – helps facilitate permission-based record sharing with smart contracts.
– Blockchain eliminates or diminishes monopoly in identity management, as it is not controlled by any central authority. This also enables identity and record integration at global scale.
– Blockchain supports incentives via crypto-currencies, which can be utilized for certain tasks such as providing incentives to the participants for data sharing.

4.2.1 What is stored on Blockchain?

For a Blockchain network, storage is a vital issue to be considered from the perspectives of identity management, scalability, security and privacy. To avoid potential security and privacy problems, no private data is stored on the Blockchain ledger in our system. Even encrypted and hashed versions of private data are not stored, as the encrypted data on Blockchain might become vulnerable to advanced quantum machines in the future [Tessler and Byrnes, 2017]. Keeping sensitive private data on the ledger carries a risk that if the private keys of the identity owner are compromised, the identity owner’s data can be revealed to the public. Thereby, in our system Blockchain is mainly utilized for searching decentralized identifiers and identity owners. It only stores the consent proof of data sharing between the identity owners and the revocation registry. Since the proofs of data are stored on the Blockchain rather than the identity data themselves, scalability is not an operational challenge.

4.2.2 Consensus mechanism

The Blockchain network in our system utilizes the Plenum Byzantine Fault Tolerance [hyp, 2016] consensus mechanism that is implemented by Hyperledger Indy. Plenum is developed based on the Redundant Byzantine Fault Tolerance (RBFT) algorithm [Aublin et al., 2013]. The main idea of RBFT is that it enables running multiple instances of the Byzantine Fault Tolerance (BFT) [Lamport et al., 2019] protocol on different machines concurrently. One of the instances is promoted to be the master node, which has the authority to execute orders. The other instance(s) in the system maintain a replica of the ledger and can order requests. However, the updates to the ledger can only be executed by the master node. All backup instances track and compare their performance against the master instance. If the performance of the master instance with regard to latency and throughput falls below an acceptable threshold, the master is replaced by another backup instance [Aublin et al., 2013].

Compared to proof-of-work (PoW) [Vukolić, 2015], the RBFT based consensus mechanism performs better in terms of throughput and speed. Due to the nature of BFT algorithms, the time to reach consensus in RBFT increases with the number of nodes in the network. Although our consensus mechanism is not as scalable as PoW, its scalability is sufficient for a permissioned Blockchain network. The only major drawback of the RBFT consensus method is the requirement that all nodes in the network must be connected to and known by all other nodes. This introduces potential centrality to the network, as the identities of the members of the network must be provided by a trusted party [Vukolić, 2015]. However, this is not a disadvantage in our case, as the proposed system is based on a permissioned Blockchain network, in which the participants of the identity management system are known to the identity issuers.

4.3 Digital identity management

In the system, individuals and organizations identify themselves with self-sovereign identities, with which they fully control their identity based records without relying on a central authority. It can also be extended to devices in the internet of things (IoT) domain for providing device identification and authentication.

Fig. 6 A demonstration of how self-sovereign identity is stored on user device and pairwise decentralized identifiers. [Figure: the user's SSI with a DID, public key and private key per relation; pairwise DIDa, DIDb and DIDc toward Bank, University and Telco; DDOs holding public key, end points and meta data; Ledger.]

SSI consists of multiple decentralized identifiers (DIDs), one for each relation the identity owner has with other identity owners. The advantage of using different DIDs for each relation is that in case the keys from a particular DID are compromised, the other DIDs of the user stay protected. Under the identity owner’s control, each DID is globally unique and includes a cryptographically verifiable PKI key pair (public and private key). Each DID resolves to a DID document, a DID descriptor object (DDO) which is stored on the Blockchain. A DDO includes the public key associated with the corresponding DID, the metadata needed to prove ownership of the corresponding DID, and endpoints of the DID objects to initiate trusted peer interactions between the ledger entities.

The details of the cryptographic key pairs (public and encrypted private keys) of the DIDs that belong to the user’s self-sovereign identity are stored on the user’s devices, such as mobile phones. While public keys are stored in non-encrypted form, the corresponding private keys are stored in encrypted form. A private key is encrypted in such a way that it can only be decrypted using a biometric signature of the identity owner, such as a fingerprint, a facial feature, an iris or a retina. Encrypting private keys provides multi-factor and identity owner-specific authentication for access to the identity details. Figure 6 shows an example of how self-sovereign identity is stored on a user device and pairwise decentralized identifiers in the system.

Fig. 7 Authentication using public-key cryptography. [Figure: the verifier encrypts a value with the user's public key taken from the DDO on the ledger; the user decrypts it with the private key; the verifier checks the result against the original data and authenticates if equal.]

4.4 Authentication mechanism of the system

Authentication is the process for identity owners to prove ownership of their identity. It is often required in individuals’ daily lives for purposes such as security checks and being granted access to specific services. Our system uses public-key cryptography based authentication.

Identity owners are required to prove that they have control of the private key of a public key associated with their identity. The verifier side (for instance a website) encrypts a random string with this public key and sends it to the identity owner. Using the private key, the identity owner decrypts and retrieves the original string. Then, the identity owner sends the string back to the verifier. The verifier checks it against the original string, and authenticates the identity owner if they are equal. Figure 7 illustrates how public-key cryptography based authentication works in the system.
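
The challenge-response exchange above, as an added Python example that is not part of the paper. It adds three things the verifier has to enforce for the check to mean anything: each random value is generated fresh, can be answered only once, and expires. The `Verifier` class, the 60-second lifetime and the `did:example:` identifier are assumptions, and the encryption is textbook RSA on a constructed demo key standing in for a vetted library.

```python
import hmac
import secrets
import time

E = 65537


def demo_keypair(p_exp, q_exp):
    """Textbook RSA key built from two Mersenne primes (constructed, insecure)."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    n = p * q
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}


class Verifier:
    """Verifier side of the exchange (for instance a website)."""

    def __init__(self, ledger, ttl_seconds=60):
        self.ledger = ledger      # DID -> public key; stands in for the DDO lookup
        self.ttl = ttl_seconds
        self.pending = {}         # challenge id -> (did, random value, expiry)

    def start(self, did, now=None):
        """Pick a fresh random value and return it encrypted under the DID's public key."""
        now = time.time() if now is None else now
        public = self.ledger[did]
        value = secrets.randbelow(public["n"] - 2) + 2
        challenge_id = secrets.token_hex(16)
        self.pending[challenge_id] = (did, value, now + self.ttl)
        return challenge_id, pow(value, public["e"], public["n"])

    def finish(self, challenge_id, response, now=None):
        """Authenticate only if the response equals the original value, in time, once."""
        now = time.time() if now is None else now
        entry = self.pending.pop(challenge_id, None)    # pop: a challenge is single-use
        if entry is None or not isinstance(response, int):
            return False
        _did, value, expiry = entry
        if now > expiry:
            return False
        # Constant-time comparison of the two values.
        return hmac.compare_digest(format(value, "x"), format(response, "x"))


def respond(ciphertext, private):
    """Identity owner side: decrypt the challenge with the private key."""
    return pow(ciphertext, private["d"], private["n"])


def demo():
    # Constructed keys and identifier; "other" is a party without the owner's key.
    owner_public, owner_private = demo_keypair(521, 607)
    _, other_private = demo_keypair(1279, 2203)
    did = "did:example:alice"
    verifier = Verifier({did: owner_public})
    results = {}

    cid, challenge = verifier.start(did, now=0)
    answer = respond(challenge, owner_private)
    results["owner"] = verifier.finish(cid, answer, now=1)
    results["replay"] = verifier.finish(cid, answer, now=2)      # same answer again

    cid, challenge = verifier.start(did, now=0)
    results["wrong_key"] = verifier.finish(cid, respond(challenge, other_private), now=1)

    cid, challenge = verifier.start(did, now=0)
    results["expired"] = verifier.finish(cid, respond(challenge, owner_private), now=61)
    return results


if __name__ == "__main__":
    print(demo())
```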

4.5 Verifiable credentials in the system

In the proposed system, identity based record sharing is achieved through the
concept of verifiable credentials. Credentials contain data about an identity
owner regarding their license or qualification on certain things. Each credential
needs to be digitally signed by the issuer of the credential. There can be two
types of credentials: a self-attested credential is issued and signed by the
identity owner itself (i.e., the user publishes and signs his/her own data), and
a third-party credential is generally issued and signed by a third party (i.e.,
attestation and notarization services).
Credential data can be in the form of free text, a graphic or a pre-defined
credential definition (schema). Our system encourages identity owners and
third-party credential issuers to use a pre-defined credential definition in
order to make the content of credentials machine readable. Data schemas are
important for defining credentials and making them machine readable. Our system
allows schemas to be published on the ledger. By making use of RDF and
ontologies, a great deal of already defined schemas can be utilized, such as
ontologies regarding personal data, medical data and university diplomas.
For a credential to be issued by third parties (issuers), issuers first need
to authenticate identity owners. Once the identity owner is authenticated, the
issuer picks an appropriate credential definition, constructs and signs the
record with its private key, and delivers the signed record to the identity
owner. As an example, by using
our system, driver’s licenses can be issued digitally in the form of verifiable
credentials. For this, a government department needs to publish a credential
definition for driving licenses onto the ledger. The credential definition contains
references to attribute names and types from credential schema, which holds
information such as the driver name, license number, license issue and expi-
ration dates and license type. A license authority receives the license schema
from the ledger, fills out driver’s information accordingly, and cryptograph-
ically signs the form, which generates a digital version of a driving license
in the form of verifiable credentials. As a result, the license owner keeps the
digital credential on his/her devices. Authorities are able to verify that the
driving license is owned by the driver, was signed by a legitimate license au-
thority and is valid. Credential definitions stored in the ledger are indexed
and made discoverable. This system enables users to identify the authorities
or organizations that issue credential definitions.
Verifiable credentials can be exchanged digitally between identity owners,
involving individuals and institutions. Figure 8 shows an example of exchanging
credentials of a University degree certificate. In the example, a University
supplies its former student a verifiable credential proving her educational
degree, using an existing claim schema from the ledger, and via pairwise
decentralized identifier “A”. The University graduate presents the digital
credential to her company using pairwise decentralized identifier “B”. The
company confirms that its employee’s educational credentials are valid by
verifying the authenticity of the verifiable credential.
Fig. 8 An example of a verifiable claim interaction.

A verifiable credential can also be issued upon a request from another third
party. In this case, identity owners have already proven their identity with an
institution (credential provider), and also need to prove their identity with
another institution (credential requester), using the trust relationship they
have with the credential provider. In order to do so, the credential requester
authenticates the identity owner, and redirects the identity owner to the
authentication system of the credential provider. Based on the requested
information, the credential provider provides a verifiable credential to the
identity owner. The identity owner signs the verifiable credential with his/her
private key, and forwards it to the authentication system of the credential
requester. The credential requester retrieves the DID of the identity owner and
the DID of the credential provider, and verifies their digital signatures using
the public keys from their DIDs. This whole process can be performed online in
seconds, enabling identity owners to digitally prove their identity and
credentials to credential requesters.
The system also assists in satisfying Know Your Customer (KYC) requirements
by enabling organizations to link their online services with verifiable
credentials, while ensuring that information is only shared with the consent of
identity owners. A consent proof of these actions is stored on the ledger
without revealing sensitive information of the parties involved. For instance,
if identity owners have proven their identity with their bank, they can grant
permission to share their financial data such as credit score with a
telecommunication company in order to request a new service from the
telecommunication company, as illustrated in Figure 9.

4.5.1 Revocation registry

Verifiable credentials are issued to and kept by identity owners. Verifying a
credential involves confirming that the credential is owned by the identity
owner and issued by a trusted authority, and that the credential is still valid,
i.e. it has not been revoked by the issuer. Therefore, an efficient revocation
mechanism is needed which does not put a lag on the system (asynchronous),
respects the privacy of the identity owner (private) and is not controlled by
central authorities (decentralized).

Participants: Telco (credential requestor), User (Identity Owner), Bank (credential provider).

1. Bank authenticates user
2. User selects which information to share
3. Bank picks a schema definition
4. Bank creates a claim based on what user wants to share and the selected schema
5. Bank signs the claim using its private key and sends it to the user
6. User receives the Verifiable Claim from Bank, signs it using her private key,
   keeping both the original and signed version.
7. User sends the original verifiable claim, and the signed version to the Telco
8. Telco receives the Verifiable Claim
9. Using digital signatures, Telco verifies that it came from User, and verifies
   that it was signed by the Bank
10. After verifying User's credentials, Telco provides new services to the User.

Fig. 9 Using Verifiable Claims for third-party attestation.

Our system keeps a revocation registry on the ledger. Credential issuers are
responsible for publishing revoked credentials to the revocation registry. The
registry is a cryptographic accumulator, which includes credentials or the
specific attributes of a credential that have been revoked, in addition to the
corresponding credential definitions. A cryptographic hash value of a revoked
credential is calculated and kept in the revocation registry. Verifiers check
the existence of the hash value to test whether the credential has been revoked
or not.
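The requester-side checks from the third-party attestation flow (Fig. 9, steps 3 to 9) together with the revocation lookup of this subsection, as an added example that is not code from the paper. Lamport one-time signatures built from SHA-256 stand in for the system's signature scheme so the block needs only the standard library, and a plain set of hashes stands in for the accumulator; the function names, the claim layout and the `did:example:*` identifiers are assumptions of this example.

```python
import hashlib
import json
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def canonical(obj) -> bytes:
    # Stable encoding so issuer, holder and verifier all hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

# Lamport one-time signatures: a stand-in scheme chosen to need only hashlib.
# Each key pair must sign exactly one message.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def _bits(message: bytes):
    digest = H(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, message: bytes):
    return [sk[i][bit] for i, bit in enumerate(_bits(message))]

def verify_sig(pk, message: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(part) == pk[i][bit]
        for i, (part, bit) in enumerate(zip(sig, _bits(message))))

def issue(issuer_did, issuer_sk, subject_did, schema, attrs):
    """Steps 3-5: the provider fills the schema and signs the claim."""
    claim = {"issuer": issuer_did, "subject": subject_did,
             "schema": schema, "attrs": attrs}
    return {"claim": claim, "issuer_sig": sign(issuer_sk, canonical(claim))}

def countersign(credential, holder_sk):
    """Step 6: the identity owner signs the claim plus the issuer signature."""
    message = canonical(credential["claim"]) + b"".join(credential["issuer_sig"])
    return dict(credential, holder_sig=sign(holder_sk, message))

def credential_hash(claim) -> str:
    """Value an issuer would publish to the revocation registry."""
    return H(canonical(claim)).hex()

def verify_presentation(pres, did_keys, trusted_issuers, revoked):
    """Step 9 plus the Section 4.5.1 lookup; returns (accepted, reason)."""
    claim = pres["claim"]
    issuer, subject = claim["issuer"], claim["subject"]
    if issuer not in trusted_issuers:
        return False, "issuer not trusted"
    if issuer not in did_keys or subject not in did_keys:
        return False, "unknown DID"
    body = canonical(claim)
    if not verify_sig(did_keys[issuer], body, pres["issuer_sig"]):
        return False, "bad issuer signature"
    holder_msg = body + b"".join(pres["issuer_sig"])
    if not verify_sig(did_keys[subject], holder_msg, pres.get("holder_sig", [])):
        return False, "bad holder signature"
    if credential_hash(claim) in revoked:
        return False, "revoked"
    return True, "ok"

if __name__ == "__main__":
    bank_sk, bank_pk = keygen()
    user_sk, user_pk = keygen()
    keys = {"did:example:bank": bank_pk, "did:example:user": user_pk}
    pres = countersign(issue("did:example:bank", bank_sk, "did:example:user",
                             "credit-score", {"credit_score": 712}), user_sk)
    print(verify_presentation(pres, keys, {"did:example:bank"}, set()))
    print(verify_presentation(pres, keys, {"did:example:bank"},
                              {credential_hash(pres["claim"])}))
```

Hashing the canonical encoding matters for the registry lookup: without it, the same credential serialized with a different key order would hash differently and a revoked credential would pass the check.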

4.5.2 Consent manager

When an identity owner shares a verifiable credential with a verifier, a proof of
the sharing agreement (consent receipt) is generated and kept on the ledger.
A consent receipt is signed by both the identity owner and the verifier, and it
includes their DIDs and the shared attribute names and data types without
any private information. The proof of a consent receipt is a cryptographic
hash of the receipt, which is stored on the ledger. By this mechanism,
tamper-proof evidence of sharing agreements of verifiable credentials is
maintained, in case it is required in the future.

5 Related work

It is noteworthy to state that in order to fully exploit the functionalities of a
Blockchain-based digital identity solution, a mainstream adoption of the system
is crucial. Although Blockchain technology enables novel innovations in
the area, Blockchain has not yet reached a large scale adoption in its current
technological state. According to a survey by Johansen et al. [Johansen, 2017],
the scalability bottlenecks, the lack of progress in accessible data and
APIs, and the issues with disk space and bandwidth are the major hurdles
of Blockchain for a conventional adoption. Swan [Swan, 2015], on the other
hand, presented technical limitations for adaptation of Blockchain in the
context of security, usability, size and bandwidth, throughput and latency,
versioning problems and wasted resources in transaction approval. Yli-Huumo et
al. [Yli-Huumo et al., 2016] revealed that Blockchain research studies mainly
focus on the Bitcoin system, and only 20% of the studies concentrate on obstacles
of Blockchain technology from a security and privacy point of view.
Zheng et al. [Zheng et al., 2016] bring up concerns regarding the privacy
of individuals in conventional Blockchain networks such as Bitcoin by
stating that associating identity owners’ pseudonym identifiers with IP addresses
is possible [Biryukov et al., 2014], and that transactional privacy cannot be
guaranteed by conventional Blockchain networks [Meiklejohn et al., 2013, Kosba et al., 2016].
Despite this, there has been significant progress in Blockchain technologies
and their applications to digital identities in recent years. Several reports
[Institute, 2016, of Inspector General, 2016, Walport, 2016] originated by
governments state the disruptive potential of Blockchain and the opportunities of
exploiting the technology for digital identity.
From the open source community perspective, the Hyperledger initiative, hosted
by The Linux Foundation and members from diverse industries, led to the
development of common open source Blockchain frameworks and tools that are
publicly available. As an umbrella project of the initiative, Hyperledger
Fabric [Foundation, 2018a, Cachin, 2016] is a Blockchain foundation for creating
private permissioned Blockchain applications with a modular design.
A Hyperledger Fabric based Blockchain system includes actors such as
client applications, asset owners, orderers and peers, each having a digital
identity that complies with the X.509 digital certificate standard
[Housley et al., 1998]. In Hyperledger Fabric, identities are essential since,
apart from asset ownership, management of resource and access permissions is
also determined based on actor identities. Hyperledger Fabric also has the
concept of a principal, which includes additional properties of actor identities
such as the identity owner’s unit, organization and permissions. Another
distinctive feature of Hyperledger Fabric is that it allows private channels
that can be used for permissioned private data sharing.
Another Hyperledger project primarily built for self-sovereign decentralized
identity supporting privacy by design, Hyperledger Indy [Foundation, 2018a]
is a public-permissioned distributed ledger project. It develops a set of iden-
tity specifications, artifacts, libraries, tools, and reusable components for cre-
ating decentralized identity on Blockchain to enable identity interoperability
across applications and distributed ledgers. Hyperledger Indy supports data
minimization. It enables identity owners to store their identity based records.
Applications don’t need to store individuals’ personal data, instead they store
a link to the identity. This way, identity owners are able to control access to
their personal data. Hyperledger Indy’s identity model supports decentralized
identifiers and verifiable credentials. Our system was also developed based on
the Hyperledger Indy framework due to its many built-in overlapping features.
In a similar aspect, Sovrin [Foundation, 2018b] was offered as a live distributed
ledger built for decentralized identity, which uses Hyperledger Indy’s
codebase. The Sovrin ledger is a public resource that is designed to provide a
self-sovereign digital identity for all. However, its governance model is
permissioned. It means that the Blockchain nodes in Sovrin are governed by private
organizations called “stewards.” Sovrin makes use of decentralized identifiers
and verifiable credentials. To increase scalability, Sovrin uses two types of
Blockchain nodes: a network of validator peers which have transaction write
access to the ledger, and a bigger network of observer peers storing a
write-protected copy of the ledger to handle read requests.
According to Sovrin, decentralized identifiers and associated DID docu-
ments with verification keys and endpoints, schemas and credential definitions,
proof of consent for data sharing, public credentials and revocation registries
are stored on the ledger, whereas private data of any kind and private proof of
existence are not stored on the ledger [Foundation, 2017]. The main difference
between Sovrin and our solution is that Sovrin does not provide a private key
encryption and recovery mechanism for the private keys.
SecureKey [SecureKey, 2017a, SecureKey, 2017b] is another Blockchain based
identity and authentication provider similar to the proposed system. It allows
customers to assert their identity information online using trusted providers
with which they have already completed the KYC process through trusted third
parties such as government agencies, telecommunication companies and banks.
SecureKey ensures that personal data is privately shared with the explicit
consent of the identity owner.
SecureKey uses a permissioned Blockchain network based on Hyperledger
Fabric, in which participating organizations such as banks are central in
managing the nodes of the Blockchain network. In the Blockchain ledger, the
proof, provenance and permissions are stored. The consumer’s identity
information remains stored at the trusted providers. SecureKey also uses an
incentive mechanism for data sharing, such that the credential requester pays
the credential provider. The SecureKey architecture enables privacy with a
triple-blind identity sharing, in that the data provider never knows the service
a consumer is accessing, and the data requestor does not have to know the exact
credential provider other than knowing the business type of the credential
provider. However, SecureKey does not support verifiable credentials and
self-sovereign digital identity for individuals.
From the identity owner empowerment perspective, the ShoCard [ShoCard, 2017]
project was offered as a Blockchain based identity management platform, in
which identity details are stored in a digital file called “ShoCard”. The data is
fully owned by the identity owner and usually stored on the owner’s mobile device.
Identity owners have a public-private key pair for controlling their identity.
The ShoCard system enables attribute based data sharing. The identity details are
broken into multiple separate attributes. Each attribute is hashed and then
signed by the private key, and sent to be stored in a Blockchain network. Unlike
our system, private data is stored in the Blockchain network in ShoCard,
which might result in potential privacy implications.
From a different aspect, Walmart filed a patent [High et al., 2018] to protect
a method that allows obtaining the Electronic Health Record (EHR) of an
individual from a Blockchain database even when the individual is unable to
communicate. In that system, personal medical data is managed on Blockchain.
Individuals have access to their own record by controlling an asymmetric key
pair, which is specific to their identity. The system is particularly useful in
cases of emergency, in which the patient is unconscious or incapacitated and
unable to provide the physician with critical information about pre-existing
conditions or allergies that may influence treatment options.
In their system, the public key along with an encrypted private key based
on a bodily feature of the patient, are stored in a wearable device. Patient’s
public key and the encrypted form of the associated private key can be obtained
by scanning the wearable device via RFID. A separate biometric scanner device
is used to obtain a bodily feature such as a fingerprint or retina of the patient,
and the encrypted private key can be decrypted using the biometric signature
of the patient.
In another related work, Bitnation [Jacobovitz, 2016] provides identity reg-
istration on Blockchain in order to enable geography-independent world cit-
izenship unbound by governments. Bitnation can provide services like world
citizenship, Blockchain passports, marriage certificates and emergency iden-
tifiers for refugees. A Bitnation identity requires concretely proving that the
candidate existed at a definite time and location, and his/her existence was
cryptographically signed by another group of identity owners. Bitnation uses
the Ethereum [Buterin et al., 2014] network, and utilizes hashing, digital
signatures and smart contracts.
Bitnation partnered with the Estonian government for the Estonia e-residency
program [Sullivan and Burger, 2017], which offers people who are not from
Estonia or not residents of Estonia access to services like business ownership,
digital contract signing, banking, taxing, payment processing and notary
services.
Uport [Lundkvist et al., 2017] is a self-sovereign identity platform based
on the public Ethereum Blockchain. Like Sovrin, Uport supports attribute based
data sharing, decentralized identifiers and verifiable credentials, and it does
not store any private data on the public ledger. However, as opposed to our
system, it uses a public Blockchain, and a cost is associated with transactions
in the network.

6 Conclusion

In this study, we focused on laying a foundation for “decentralized digital
identity” in Blockchain as “self-sovereign digital identity”, supported by
modern cryptography and verifiable digital credentials. We described the problems
and challenges that exist in traditional identity management methods in terms of
security, privacy, usability and globalization. We reviewed existing solutions
in the literature, and proposed a system which leverages powerful features of
Blockchain to realize a truly private, secure and globally usable digital identity
solution, in which identity owners fully own and control their portable identity
and identity based records without depending on centralized authorities. For
future work, we intend to explore possibilities of integrating our solution on
mobile applications, and creating a crypto-currency to fuel the incentive of
consent based data sharing through the concept of verifiable credentials.

References

WHO, . Who director-general’s opening remarks at the media briefing on covid-19.
https://www.who.int/dg/speeches/detail/who-director-general-s-opening-remarks-at-the-media-briefing-on-covid-19---11-march-2020.
Accessed: 2020-03-20.
hyp, 2016. (2016). hyperledger/indy-plenum.
Abraham, 2017. Abraham, A. (2017). Self-sovereign identity.
Aublin et al., 2013. Aublin, P.-L., Mokhtar, S. B., and Quéma, V. (2013). Rbft: Redundant
byzantine fault tolerance. In 2013 IEEE 33rd International Conference on Distributed
Computing Systems, pages 297–306. IEEE.
Biryukov et al., 2014. Biryukov, A., Khovratovich, D., and Pustogarov, I. (2014).
Deanonymisation of clients in bitcoin p2p network. In Proceedings of the 2014 ACM
SIGSAC Conference on Computer and Communications Security, pages 15–29. ACM.
Buterin et al., 2014. Buterin, V. et al. (2014). A next-generation smart contract and de-
centralized application platform. white paper.
Cachin, 2016. Cachin, C. (2016). Architecture of the hyperledger blockchain fabric. In
Workshop on Distributed Cryptocurrencies and Consensus Ledgers, volume 310.
Centrify, 2014. Centrify (2014). Centrify survey results. Technical report, Centrify.
Foundation, 2018a. Foundation, H. (2018a). An introduction to hyperledger. Technical
report, Hyperledger Foundation.
Foundation, 2017. Foundation, S. (2017). Sovrin: What goes on the ledger? Technical
report, Sovrin Foundation.
Foundation, 2018b. Foundation, S. (2018b). Sovrin: A protocol and token for self-sovereign
identity and decentralized trust. Technical report, Sovrin Foundation.
High et al., 2018. High, D. R., Wilkinson, B. W., Mattingly, T., Cantrell, R., O’brien, V.,
John, J., Mchale, B. G., and Jurich Jr, J. (2018). Obtaining a medical record stored on a
blockchain from a wearable device. US Patent App. 15/840,589.
Housley et al., 1998. Housley, R., Ford, W., Polk, W., and Solo, D. (1998). Internet x. 509
public key infrastructure certificate and crl profile. Technical report.
Institute, 2016. Institute, N. R. (2016). Survey on blockchain technologies and related
services. fy2015 report. Technical report, Nomura Research Institute.
Jacobovitz, 2016. Jacobovitz, O. (2016). Blockchain for identity management. The Lynne
and William Frankel Center for Computer Science Department of Computer Science.
Ben-Gurion University, Beer Sheva Google Scholar.
Johansen, 2017. Johansen, S. K. (2017). A comprehensive literature review on the
blockchain technology as an technological enabler for innovation. Technical report.
Kosba et al., 2016. Kosba, A., Miller, A., Shi, E., Wen, Z., and Papamanthou, C. (2016).
Hawk: The blockchain model of cryptography and privacy-preserving smart contracts. In
2016 IEEE symposium on security and privacy (SP), pages 839–858. IEEE.
Lamport et al., 2019. Lamport, L., Shostak, R., and Pease, M. (2019). The byzantine gen-
erals problem. In Concurrency: the Works of Leslie Lamport, pages 203–226.
Lundkvist et al., 2017. Lundkvist, C., Heck, R., Torstensson, J., Mitton, Z., and Sena, M.
(2017). Uport: A platform for self-sovereign identity.
Meiklejohn et al., 2013. Meiklejohn, S., Pomarole, M., Jordan, G., Levchenko, K., McCoy,
D., Voelker, G. M., and Savage, S. (2013). A fistful of bitcoins: characterizing payments
among men with no names. In Proceedings of the 2013 conference on Internet measure-
ment conference, pages 127–140. ACM.
Merkle, 1980. Merkle, R. C. (1980). Protocols for public key cryptosystems. In Security
and Privacy, 1980 IEEE Symposium on, pages 122–122. IEEE.
Morgan, 2017. Morgan, S. (2017). White paper: 2017 cybercrime report. Technical report,
Herjavec Group.
Nakamoto, 2008. Nakamoto, S. (2008). Bitcoin: A peer-to-peer electronic cash system.
of Inspector General, 2016. of Inspector General, O. (2016). Blockchain technology:
Possibilities for the u.s. postal service. Technical report, United States Postal Service.
Pascual et al., 2018. Pascual, A., Marchini, K., and Miller, S. (2018). 2018 identity fraud:
Fraud enters a new era of complexity.
Rivest et al., 1978. Rivest, R. L., Shamir, A., and Adleman, L. (1978). A method for ob-
taining digital signatures and public-key cryptosystems. Communications of the ACM,
21(2):120–126.
SecureKey, 2017a. SecureKey (2017a). Identity now: A whitepaper for banks trying to
determine the role they should play in evolving identity ecosystems. Technical report,
SecureKey.
SecureKey, 2017b. SecureKey (2017b). Identity now: The vital role telecommunications
companies play and the tremendous opportunity in evolving identity ecosystems. Technical
report, SecureKey.
ShoCard, 2017. ShoCard, I. (2017). White paper: Identity management verified using the
blockchain. Technical report, ShoCard, Inc.
Sullivan and Burger, 2017. Sullivan, C. and Burger, E. (2017). E-residency and blockchain.
Computer Law & Security Review, 33(4):470–481.
Swan, 2015. Swan, M. (2015). Blockchain: Blueprint for a new economy. O’Reilly Media,
Inc.
Tessler and Byrnes, 2017. Tessler, L. and Byrnes, T. (2017). Bitcoin and quantum comput-
ing. arXiv preprint arXiv:1711.04235.
Vukolić, 2015. Vukolić, M. (2015). The quest for scalable blockchain fabric: Proof-of-work
vs. bft replication. In International workshop on open problems in network security, pages
112–125. Springer.
Walport, 2016. Walport, M. (2016). Distributed ledger technology: Beyond blockchain. UK
Government Office for Science.
Yli-Huumo et al., 2016. Yli-Huumo, J., Ko, D., Choi, S., Park, S., and Smolander, K.
(2016). Where is current research on blockchain technology?—a systematic review. PloS
one, 11(10):e0163477.
Zheng et al., 2016. Zheng, Z., Xie, S., Dai, H.-N., and Wang, H. (2016). Blockchain chal-
lenges and opportunities: A survey. Work Pap.–2016.
