Comprehensive interpretation of DID identity system: status, concepts, and importance

Preface

Web3, built on blockchain technology, has stepped onto the historical stage. A considerable part of its driving force comes from people’s expectation that it can resist the privileges of commercial organizations and involuntary censorship by replacing human governance with code to protect the rights of each participant. As things stand, the solutions offered by the industry, in which users interact by registering wallets at will, lead to frequent Sybil attacks and phishing attacks for which no one can be held accountable. This erodes the confidence of the Web3 community and damages the privacy and asset security of Web3 users. It also leaves Web3 users who have on-chain credibility but lack assets unable to enjoy high-quality financial services (such as the credit lending model of offline financial services).

The ills of “the strong exploit the weak” in Web2 and “bad money drives out good” in traditional society have reappeared in Web3. Even the data autonomy (self-sovereign identity, SSI) that Web3 calls for and believes in, which is also one of the characteristics that attracts users, has been hindered on the road to realization: users’ private data is either stored on the centralized servers of decentralized projects or presented publicly and in full on the blockchain, so its security and privacy are not actually protected. To a certain extent this has brought greater economic losses than Web2, and once a loss is suffered it is almost irreversible; because of the lack of appropriate regulatory support, malicious attackers are difficult to identify and hold accountable.

In this context, Web3 realizes that visualizing the reputation of identity subjects, proposing identity-based contracts, and introducing appropriate regulations are indispensable for its long-term development. Based on such a basic awareness, the decentralized identity concept composed of “decentralized identifiers (DID) + verifiable credentials (VC)” gradually becomes clear, providing a solution for the construction of the identity system under the Web3 society.

Briefly, the identity system has evolved from centralized identity, managed and controlled by a single authoritative institution; to federated identity, which makes user identity data somewhat portable and allows login across platforms, such as cross-platform login with WeChat and Google accounts; to the initial decentralized identity, which requires authorization and permission to share identity data, such as OpenID; to self-sovereign identity (SSI), in which data is completely owned and controlled by individuals. In Web3, SSI usually refers to the privacy-preserving decentralized identity system based on DID+VC. Centralization is partly being replaced by decentralization, and decentralization no longer involves central data storage and collection.

Status Quo of Identity Privacy Data

Identity and its related information are often used to prove “who I am” and “whether I meet the specific requirements for enjoying a certain service.” For example, proving educational qualifications when looking for a job, providing proof of assets when buying a house or applying for a bank loan, showing that we meet the conditions to become VIP customers of physical or virtual service providers, and many other scenarios all require identity information.

In real life, people’s identity information is recorded in the public service system, and is checked and verified in various life scenarios by presenting the corresponding documents and certificates. In the Internet world, our identity is represented by accounts and passwords, and the behavioral data tied to them is recorded by the data storage systems of the corresponding service providers.

They have two things in common:

  • User data is saved by a third-party organization (users cannot control their identity-related information themselves);

  • Users cannot freely use their own data (thus cannot decide who has the right to access their identity information, and cannot control the authorization scope of visitors).

When users connect to activities such as socializing, gaming, finance, and shopping around the world over the network, this identity information has to be uploaded to a platform without reservation, and the online game identity data, social identity data, and other data generated by user activities are also stored on the servers of the giants. That is to say, users have the right to view their data but not to delete, add to, or trade it according to their own wishes. The unrestricted exposure of this data to organizations poses considerable privacy and security risks; after all, institutions using their privileges to steal user data seems to be commonplace in Web2.

At the same time, the relatively independent data systems of different organizations force user data into systems that cannot access one another, so users find it difficult to view, call, and parse their data as a whole. One of the prerequisites for implementing SSI is that users control their own private data, that is, they have data sovereignty: both custody of the data and the right to use it. DID achieves this.

DID-Returning Data Sovereignty to Users

What is DID

Simply put, a decentralized identifier (DID) is a URI in string form that is globally unique, highly available, resolvable, and cryptographically verifiable. It is useful to any application that benefits from self-managed, cryptographically verifiable identifiers, such as personal identity, organizational identity, on-chain activity history, and IoT scenarios, and it can also be used to identify other kinds of entities, such as products, or things that do not physically exist, such as ideas or concepts.

Many blockchain platforms such as Ethereum and Polygon are focusing on DID, but they are still in the experimental stage and no one has provided a systematic solution. The most commonly used DID standards come from W3C (World Wide Web Consortium), the world’s largest web specification development organization, and DIF (Decentralized Identity Foundation), among which the W3C standard is more widely used.

DID and VC are inseparable. Commercial deployments of W3C VCs use DIDs to identify people, organizations, and things, and provide a degree of security and privacy protection, ensuring that the identity data of DID subjects cannot be accessed, used, or leaked by any other party without permission.

A user’s DID is completely controlled by the user, generated according to a defined algorithm, and not assigned wholly by any single organization. The DID can be resolved into a DID document stored on the blockchain, which includes information such as the authentication key, agreement key, delegation key, assertion key, and the service endpoint links used to interact with the DID subject. These keys can be understood, in everyday terms, as the signatures we use for different purposes in life; the signed documents (purposes) may be confidentiality agreements, powers of attorney, authorization letters allowing someone to use your personal information, and so on.

It is precisely because of this public key infrastructure that the DID+VC identity system enables users to better protect their data and choose whether and how to share data, because only the owner of the private key has complete authorization for the DID. This is similar to assets in blockchain being controlled by private keys.

As an aside, this also leads to the following problems:

  • It is very difficult to recover lost private keys;

  • Once your private key is stolen, malicious behavior such as impersonation may cause “you” to behave improperly.

Therefore, all users have a responsibility to secure backups of their private keys and mnemonics.

VC – Trustworthy Identity Information Online

VC is a deeper identity system element than SBT.

In May 2022, Vitalik Buterin, co-founder of Ethereum, Glen Weyl, Chief Technology Officer of Microsoft, and Puja Ahluwalia Ohlhaver, strategist of Flashbots, jointly released “Decentralized Society: Finding Web3’s Soul”, which sparked discussions on SBT (SoulBound Token). The concept of decentralized identity has also received more attention.

So as we can see, the SBT has a short life span, and its scope of use is very limited. We have already questioned the idea that “SBT can meet the complex identity data interaction needs of the future Web3 society.”

However, the DID+VC solution effectively solves the three limitations of SBT mentioned above: through cryptographic and other technical means, it ensures that ultimate control over publishing, holding, and managing DIDs and VCs lies in the hands of the user. Through a series of technologies and protocols, it also ensures that:

  • The identity system can be used across chains, platforms, and even off-chain;

  • The identity information display solution is unified, and there is no need to use different display solutions according to different scenarios;

  • Even customized products can be developed on top of the DID protocol.

(Supplement: As for NFT, I believe that it cannot be compared with VC, because NFT represents a kind of ownership, and this ownership can be changed, transferred, and tracked. VC carries information related to identity, which is unique to you and cannot be transferred.)

What is VC

VC is a descriptive statement issued by a DID (such as a trusted institution, a DAO organization, a government system, a commercial institution) endorsing some attributes of another DID (such as a user, a partner), which is generated and verified based on cryptography, to prove that its owner has some attributes and these attributes are true (such as identity, ability, qualification, etc.) [1]. These authentication results can also be recorded in other VCs stored on platforms such as Arweave and IPFS. All related information is public, verifiable, searchable, and permanently traceable, and anyone can independently verify it to ensure the authenticity and credibility of the credential content [2]. These VCs can also go online on major public chains and interoperate with other ecological applications. Only the DID subject who owns the VC can control who can access their VC and how to access it.

Note that in the paragraph above, we mentioned two types of VCs. One is used to store the user’s privacy data [1], which we call personal VC here; the other is used to store the credential [2] for verifying the personal VC. We call it result VC here. Here is a problem. At present, most verifiable credentials are stored in centralized databases or blockchains that are unable to provide privacy protection. This is acceptable for result VC [2], but intolerable for personal VC [1].

So how can we ensure the storage security and privacy of VCs containing personal privacy data? This involves the storage method of VCs:

VC Storage Methods

There are currently three main methods:

  • Storing and backing up locally on the user’s device. This is similar to recording private keys on a notebook or using programs that are not connected to the internet. However, once lost, it is almost impossible to retrieve. Users need to take on more responsibility when they enjoy more sovereignty.

  • Encrypted storage in user-controlled cloud storage. This method is different from directly storing data on centralized servers of Internet giants in Web2. The access, use, and deletion permissions of encrypted VCs can only be operated by the owner who has the corresponding DID private key. Of course, users still need to keep the DID private key or mnemonic phrase safe.

  • Storing VC information that needs to be made public on a decentralized storage platform. This makes the information traceable and verifiable, and the ownership of these pieces of information still belongs to the owner of the VC.

It should be emphasized here that regardless of the method, users should back up their VCs and private keys.

VC Presentation Methods

Let’s go deeper. Careful readers may realize that even if we achieve privacy and security in storage, if we cannot “let the other party know that I meet their conditions without disclosing any privacy information” when presenting VCs, then isn’t the information we reveal still completely exposed on the network? Won’t it form a complete user profile through the collection and tracking of similar SBT/NFT information, disturbing our daily life and economic activities?

This kind of data presentation without privacy protection is not what SSI pursues!

This is also the entry point for ZKP (Zero-Knowledge Proof) technology, which is currently being discussed.

There are many ways to achieve privacy protection, such as Secure Multi-Party Computation, Homomorphic Encryption, Zero-Knowledge Proof, etc. However:

  • Secure multi-party computation requires more than n participants and has many usage limitations at the level of independent users, but it is the cryptographic foundation that enables many applications such as electronic voting, threshold signatures, and online auctions.

  • Homomorphic encryption often requires high computational time or storage costs, and its performance and strength are still far behind traditional encryption algorithms.

  • Zero-knowledge proof does not have the limitations of the previous two, and can be made highly scalable through multiple recursions, but the only drawback is that the development threshold is relatively high.

ZKP is currently the most popular technology in Web3 for privacy, security, and network scalability. It can help users prove some attribute or qualification without revealing any information, or simply return a “yes” or “no” to the service provider. The emerging zCloak Network has done a good job in this regard, achieving fine-grained control over the display of identity information: its VC presentation has four options, namely ZKP Disclosure, Digest Disclosure, Selective Disclosure, and Full Disclosure.

In other words, based on ZKP technology, users can choose to disclose some, all, or none of their information, or use confidential data analysis to obtain a “DeFi Master” label to show their ability and qualifications, while allowing service providers to determine whether users fully meet their business criteria. This not only greatly protects user data privacy and security, but also fully respects the diversity of users’ intentions about disclosing information.
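The idea of disclosing some, all, or none of a credential's claims can be shown with a generic salted-hash scheme. This is an added example, not part of the original article and not zCloak's implementation; it uses Node.js's built-in Ed25519 support, and the function names, DID and claims are made up for illustration.

```javascript
const nodeCrypto = require('node:crypto');

const sha256 = (text) => nodeCrypto.createHash('sha256').update(text).digest('hex');
// The digest binds salt, claim name and value. Serializing them as a JSON array
// keeps ("ab","c") and ("a","bc") from hashing to the same input.
const claimDigest = (salt, name, value) => sha256(JSON.stringify([salt, name, value]));

// Issuer: salt every claim and sign the holder DID plus the sorted digest list.
// The signature never covers a plaintext claim, so the signed part can be shown
// to anyone without revealing values.
function issueCredential(issuerPrivateKey, holderDid, claims) {
  const salted = Object.entries(claims).map(([name, value]) => ({
    name, value, salt: nodeCrypto.randomBytes(16).toString('hex'),
  }));
  const digests = salted.map((c) => claimDigest(c.salt, c.name, c.value)).sort();
  const signedPayload = JSON.stringify({ holderDid, digests });
  const signature = nodeCrypto
    .sign(null, Buffer.from(signedPayload), issuerPrivateKey)
    .toString('base64');
  return { signedPayload, signature, salted }; // `salted` stays with the holder
}

// Holder: disclose only the named claims. An empty list discloses nothing and
// still proves that the issuer signed a credential for this DID.
function present(credential, namesToReveal) {
  return {
    signedPayload: credential.signedPayload,
    signature: credential.signature,
    disclosed: credential.salted.filter((c) => namesToReveal.includes(c.name)),
  };
}

// Verifier: check the issuer signature first, then that every disclosed claim
// hashes to a digest the issuer signed.
function verifyPresentation(issuerPublicKey, presentation) {
  const signatureOk = nodeCrypto.verify(
    null,
    Buffer.from(presentation.signedPayload),
    issuerPublicKey,
    Buffer.from(presentation.signature, 'base64'),
  );
  if (!signatureOk) return { valid: false, reason: 'issuer signature invalid' };
  const { holderDid, digests } = JSON.parse(presentation.signedPayload);
  const claims = {};
  for (const c of presentation.disclosed) {
    if (!digests.includes(claimDigest(c.salt, c.name, c.value))) {
      return { valid: false, reason: `claim "${c.name}" is not in the signed credential` };
    }
    claims[c.name] = c.value;
  }
  return { valid: true, holderDid, claims };
}

// Constructed sample data: issuer key, holder DID and claims are made up.
function demo() {
  const issuer = nodeCrypto.generateKeyPairSync('ed25519');
  const credential = issueCredential(issuer.privateKey, 'did:example:alice', {
    name: 'Alice', country: 'DE', level: 3,
  });
  const levelOnly = verifyPresentation(issuer.publicKey, present(credential, ['level']));
  const forged = present(credential, ['level']);
  forged.disclosed[0] = { ...forged.disclosed[0], value: 9 }; // altered after issuance
  return { levelOnly, forged: verifyPresentation(issuer.publicKey, forged) };
}

console.log(demo());
```

The per-claim salt is what keeps undisclosed low-entropy values (a country code, a level) from being guessed by hashing candidates; this sketch does not prove who is presenting, which needs a holder signature on top.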

Analysis of ZKP

ZKP is currently divided into two systems: SNARK (Succinct Non-interactive Argument of Knowledge) and STARK (Scalable Transparent Argument of Knowledge), both of which can be used to create validity proofs. The main differences are as follows:

SNARK:

  • The proof size is very small, so the verification time is short, and the gas fee required to process SNARK proofs on a blockchain like Ethereum is relatively low, which is one of its major advantages.

  • However, it relies on non-standard security assumptions and requires a trusted generation phase. If there are problems in this phase, the security of the system may be compromised.

Compared to SNARK, STARK is based on weaker security assumptions, is completely transparent, does not require a trusted setup phase, and is quantum-resistant (i.e., very secure). In addition, it is more general-purpose, has better adaptability for parallelization, and does not require circuit customization for different scenarios, which can greatly save development costs and simplify development work, unlike SNARK. (So, we see that currently, SNARK is more commonly used in cross-chain and L2 expansion, while STARK is used more for privacy data protection because the former has smaller proofs, faster verification times, and lower gas fees, while the latter has extremely high security and is more conducive to development. On June 20th, Ethereum co-founder Vitalik Buterin pointed out in his latest article “A Deeper Exploration of Cross-L2 Readings for Wallets and Other Use Cases” that zero-knowledge proof (ZK-SNARK) is a very feasible technology choice for cross-chain proofs, and in the future, zk-SNARK will be as important as blockchain in the next 10 years.)

Let’s use a scenario to illustrate the use of these two. Suppose we want to implement a privacy voting system on the blockchain. This system requires verification of whether users have the right to vote, but cannot reveal their identities:

  • If we prioritize the efficiency of the system and the cost of gas, then SNARK may be a better choice because it can generate smaller proofs and verify faster.

  • If we are more concerned about the transparency and security of the system, then STARK may be a better choice: although its proof size is larger and its verification time is longer, it does not require a trusted setup phase and is based on weaker security assumptions.

Overall, SNARK and STARK each have their own advantages, and which technology to use depends on the specific needs and scenarios of the application.

Participants in the DID Identity System

The system mainly involves three roles: the VC holder, the issuer, and the verifier.

The Holder is the owner of a certain DID and the holder of VC. They are the only ones authorized to share their credentials and the only ones authorized to choose individuals or organizations they are willing to share their own identity information with.

The Issuer is the issuer of the VC, usually played by a trusted organization, such as a DAO, government, or industry association. It should be noted that even if the Issuer creates and signs the VC, they do not have the right to use the VC because it requires the private key of the corresponding DID for authorization signature, and the Issuer does not own the private key of the Holder. However, for certain types of VCs, the Issuer has the right to revoke them. For example, if a community member is found to be misbehaving, the DAO community can revoke the honorary certificate previously issued to him, or the traffic police department has the right to revoke the digital driver’s license issued to a driver when dealing with violations.

The Verifier is the validator and recipient of the VC. Only when authorized by the Holder can they verify the corresponding DID and VC and learn whether the Holder has certain attributes or meets certain conditions (such as user compliance), so that the Holder can use their DID to enjoy the conditional services the Verifier provides.

Let’s take an example to understand the relationship between the three:

(Web 2) For example, when a company conducts a background check for a new potential employee, the company needs to verify the candidate’s job application information to determine whether they have the corresponding educational background, whether their past work experience is true, and whether they are a legal citizen. In this case, the company is the Verifier, the educational institution that issues the degree certificate and the former employer that issues the professional certificate are the Issuer, and the new employee who holds these certificates is the Holder.

(Web 3) For example, a community proposal of mockDAO requires that only Level>2 community members can participate in the voting process. In this process, mockDAO needs to verify the member certificate (VC) issued in advance to confirm whether they meet these conditions. In this case, mockDAO is both the Issuer and Verifier, and the community members who have the membership certificate are the Holder.
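The mockDAO scenario can be walked through end to end: the issuer signs a membership credential, the holder presents it with their own signature, and the verifier checks both signatures, the subject binding, revocation, and the Level>2 rule. This is an added example, not code from the original article; it uses Node.js's built-in Ed25519 support, and the in-memory registry, credential format, DIDs and ids are assumptions made up for illustration.

```javascript
const nodeCrypto = require('node:crypto');

const sign = (key, text) => nodeCrypto.sign(null, Buffer.from(text), key).toString('base64');
const check = (key, text, sig) =>
  nodeCrypto.verify(null, Buffer.from(text), key, Buffer.from(sig, 'base64'));

// Constructed stand-in for DID resolution: DID -> public key.
const registry = new Map();
function createDid(name) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const did = `did:example:${name}`;
  registry.set(did, publicKey);
  return { did, privateKey };
}

// Issuer-side revocation list, keyed by credential id.
const revoked = new Set();

// Issuer: sign a credential that names the holder's DID as its subject.
function issueCredential(issuer, subjectDid, id, claims) {
  const body = JSON.stringify({ id, issuer: issuer.did, subject: subjectDid, claims });
  return { body, proof: sign(issuer.privateKey, body) };
}

// Holder: wrap the credential in a presentation signed with the holder's own
// key and bound to the verifier's one-time challenge.
function presentCredential(holder, credential, challenge) {
  const body = JSON.stringify({ holder: holder.did, challenge, credential });
  return { body, proof: sign(holder.privateKey, body) };
}

// Verifier: returns 'accepted' or the first reason for rejection.
function verifyPresentation(presentation, expectedChallenge, trustedIssuers, policy) {
  let vp, vc;
  try {
    vp = JSON.parse(presentation.body);
    vc = JSON.parse(vp.credential.body);
  } catch {
    return 'malformed presentation';
  }
  const holderKey = registry.get(vp.holder);
  if (!holderKey || !check(holderKey, presentation.body, presentation.proof)) {
    return 'holder signature invalid';
  }
  if (vp.challenge !== expectedChallenge) return 'stale or replayed presentation';
  const issuerKey = trustedIssuers.includes(vc.issuer) && registry.get(vc.issuer);
  if (!issuerKey || !check(issuerKey, vp.credential.body, vp.credential.proof)) {
    return 'issuer untrusted or signature invalid';
  }
  if (vc.subject !== vp.holder) return 'credential issued to a different DID';
  if (revoked.has(vc.id)) return 'credential revoked';
  return policy(vc.claims) ? 'accepted' : 'policy not met';
}

// Constructed scenario: mockDAO is both Issuer and Verifier, as in the text.
function demo() {
  revoked.clear();
  const mockDAO = createDid('mockDAO');
  const alice = createDid('alice');
  const bob = createDid('bob');
  const mallory = createDid('mallory');
  const trusted = [mockDAO.did];
  const levelAbove2 = (claims) => claims.level > 2;
  const challenge = () => nodeCrypto.randomBytes(16).toString('hex');

  const aliceVc = issueCredential(mockDAO, alice.did, 'member-001', { level: 3 });
  const bobVc = issueCredential(mockDAO, bob.did, 'member-002', { level: 1 });

  const c1 = challenge();
  const aliceVp = presentCredential(alice, aliceVc, c1);
  const results = {
    alice: verifyPresentation(aliceVp, c1, trusted, levelAbove2),
    replay: verifyPresentation(aliceVp, challenge(), trusted, levelAbove2),
  };
  const c2 = challenge();
  results.bob = verifyPresentation(presentCredential(bob, bobVc, c2), c2, trusted, levelAbove2);
  // Someone else holding a copy of Alice's credential cannot present it as their own.
  const c3 = challenge();
  results.borrowed = verifyPresentation(
    presentCredential(mallory, aliceVc, c3), c3, trusted, levelAbove2);
  // The Issuer revokes Alice's certificate; later presentations are refused.
  revoked.add('member-001');
  const c4 = challenge();
  results.afterRevocation = verifyPresentation(
    presentCredential(alice, aliceVc, c4), c4, trusted, levelAbove2);
  return results;
}

console.log(demo());
```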

Why do we need a decentralized identity system with DID+VC

DID+VC identity system has a very wide range of application scenarios. Here, I have listed 6 common application scenarios in Web3:

1. Universal and secure login

Users can log in to all platforms directly through a single DID, and VCs authorized by the platform or contract can control the user’s access rights. In this way, the barriers between platforms can be broken down, and it is no longer necessary to have a different “account + password” for each platform. At the same time, users can freely show different VCs to the platform to prove that they meet certain conditions, which improves the login experience and users’ willingness to disclose information.

In addition, the wallet login commonly used in Web3 makes the interaction between the wallet and the platform public on the chain, which may encourage some platforms to provide discriminatory services to users based on on-chain data (such as financial status). Using DID login can prevent this from happening.

2. KYC certification

From a longer-term and broader perspective, all real-life or online scenarios that involve identity information can use DID. For example, many online services, including some crypto industry exchanges and wallets, require us to scan and upload identity documents to complete KYC certification. They usually rely on cumbersome documents and electronic records to verify identity, which is expensive and time-consuming and may cause privacy leaks, and there may be situations where the service provider cannot verify the authenticity of the evidence.

5. Anti-Phishing Attacks

When the mnemonic phrase and private key are kept confidential, the user’s digital assets are usually safe. However, hackers can launch attacks by taking advantage of human errors or centralized platforms, such as using Discord, email, Twitter, or trading platforms to publish false information, or by guiding users to make incorrect operations through forged websites. In addition to being vigilant, carefully verifying transaction information, and protecting sensitive account information, users need to be able to verify whether unknown information comes from a real organization in a timely manner. This verification process involves:

(1) Determine that the organization publishing the information has a real and valid identity, one that is neither fake nor cancelled;

(2) Confirm that all content in the information comes from the real and valid organization.

Regarding the first point, from the use case level, users can learn about the legal basis and official identity information of the organization’s existence through trusted yellow pages similar to “Tianyancha,” or trust the authenticity of the organization’s public account and the content it publishes through the “blue V” mark on various social platforms. However, both of these methods are manual, centralized, and inefficient authentication processes, and the platform cannot update the development, cancellation, ownership change status of the project in a timely manner, nor can it verify whether the statements of executives who are about to leave or have left can represent the organization’s intentions.

From a technical perspective, a real and valid identity can be authenticated through the public key infrastructure (PKI) system of certificate authorities (CAs), or through the PGP and Web of Trust personal key system developed by Phil Zimmermann. The former is completely centralized, and its scope of application is limited to SSL/TLS encrypted communication of websites; HTTPS websites use this type of certificate for website identity verification. The latter requires prior knowledge of the PGP public key of the interacting party, and there may be security and scalability concerns. Moreover, there is no clear method to check the authenticity and validity of the identity of the party behind a given PGP public key, and there is no punishment mechanism for handling misauthentication. Also, because it involves basic principles of cryptography and command-line operations, its usability for ordinary users is extremely poor, making it difficult to build reputation for general organizations or individuals and to form network effects.

Regarding the second point – “Confirm that all content in the information comes from a real and valid organization” – in the face of massive information, especially information related to wallet and asset interaction, a valid verification path is needed to help organizations and celebrities have an official way to refute rumors and help users verify information in a timely manner to maintain reputation and protect information and asset security.

Web3 has lacked fraud-resistant identity verification methods and fraud-resistant, verifiable channels for publishing information to solve these two problems. The emergence of the DID+VC identity system provides a solution.

A subject’s DID can be authenticated by completing KYB and KYC certification, and its history is recorded and verified through VCs; yet throughout this certification, recording, and verification process, no one knows the user’s private personal data except the user and the publicly trusted institution that bears legal responsibility for issuing the VC.

Alternatively, for organizations that are sensitive to KYB, linking an official channel to their DID for authentication can confer an official attribute on that DID. From then on, only information published through the DID has credibility (although it cannot be fully legally protected, reputation is also an important element of social recognition), making users more willing to believe the information it publishes and helping them tell real DIDs from fake ones.
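The two verification steps above, together with the purpose-specific keys of a DID document described earlier, can be combined into one check: is the DID still active, and was the text signed by a key its document lists for assertions? This is an added example, not code from the original article; it uses Node.js's built-in Ed25519 support, and the announcement format (`from`, `keyId`, `text`, `signature`), the DID, key ids and URLs are assumptions made up for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Verification methods a DID document authorizes for one purpose (a
// "verification relationship"). Entries are embedded methods or id references.
function methodsFor(didDocument, relationship) {
  return (didDocument[relationship] || [])
    .map((entry) => (typeof entry === 'string'
      ? (didDocument.verificationMethod || []).find((m) => m.id === entry)
      : entry))
    .filter(Boolean);
}

// Check (1) the DID is still active and (2) the text was signed by a key the
// document lists for assertions. Returns 'authentic' or the rejection reason.
function verifyAnnouncement(resolution, announcement) {
  const { didDocument, didDocumentMetadata = {} } = resolution;
  if (didDocumentMetadata.deactivated) return 'DID deactivated';
  if (announcement.from !== didDocument.id) return 'announcement names a different DID';
  const method = methodsFor(didDocument, 'assertionMethod')
    .find((m) => m.id === announcement.keyId && m.controller === didDocument.id);
  if (!method) return 'key not authorized for assertions';
  const publicKey = nodeCrypto.createPublicKey({ key: method.publicKeyJwk, format: 'jwk' });
  const ok = nodeCrypto.verify(null, Buffer.from(announcement.text), publicKey,
    Buffer.from(announcement.signature, 'base64'));
  return ok ? 'authentic' : 'signature invalid';
}

// Constructed sample: a made-up organization DID with two Ed25519 keys, one
// listed for assertions and one for authentication (login) only.
function buildSample() {
  const did = 'did:example:org';
  const assertKey = nodeCrypto.generateKeyPairSync('ed25519');
  const loginKey = nodeCrypto.generateKeyPairSync('ed25519');
  const method = (fragment, pair) => ({
    id: `${did}#${fragment}`, type: 'JsonWebKey2020', controller: did,
    publicKeyJwk: pair.publicKey.export({ format: 'jwk' }),
  });
  const didDocument = {
    id: did,
    verificationMethod: [method('assert-1', assertKey), method('login-1', loginKey)],
    assertionMethod: [`${did}#assert-1`],
    authentication: [`${did}#login-1`],
  };
  // Hypothetical announcement format; the signature covers the text only.
  const announce = (text, fragment, pair) => ({
    from: did, keyId: `${did}#${fragment}`, text,
    signature: nodeCrypto.sign(null, Buffer.from(text), pair.privateKey).toString('base64'),
  });
  return { did, didDocument, assertKey, loginKey, announce };
}

function demo() {
  const s = buildSample();
  const active = { didDocument: s.didDocument, didDocumentMetadata: {} };
  const cancelled = { didDocument: s.didDocument, didDocumentMetadata: { deactivated: true } };
  const text = 'Official claim page: https://claims.example';
  const genuine = s.announce(text, 'assert-1', s.assertKey);
  return {
    genuine: verifyAnnouncement(active, genuine),
    // Same signature, different link: the edit is detected.
    edited: verifyAnnouncement(active, { ...genuine, text: 'Official claim page: https://other.example' }),
    // A login key must not be accepted for organizational statements.
    wrongPurpose: verifyAnnouncement(active, s.announce(text, 'login-1', s.loginKey)),
    cancelled: verifyAnnouncement(cancelled, genuine),
  };
}

console.log(demo());
```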

Promoting the Development of DeFi

All of a user’s on-chain actions can be written into VCs, gradually accumulating on-chain credit as an important attribute of their identity, which can also make it easier for users to obtain third-party services. The DID+VC identity system can reflect a user’s on-chain economic behavior in a way that protects their privacy, and can record, verify, and present it in VCs. It can help DeFi determine the on-chain financial credit of organizations or individual users and help users obtain credit loan services similar to those of traditional finance. The token collateral model may be weakened or replaced, bringing better liquidity and capital efficiency to the current DeFi ecosystem.

Currently, the expansion of DeFi credit business is mainly restricted by the identification of the real identity corresponding to the on-chain identity. If DeFi wants to accurately and effectively interact with users’ on-chain financial data to help evaluate their on-chain credit and even pursue on-chain dishonest behavior, KYC certification is inevitable, but this may make the natives of Web 3 feel uncomfortable due to the risks of privacy information exposure and moral hazards of certifying institutions.

On the other hand, it is difficult to judge and measure the credit level of Web3 users, which has become one of the main obstacles to DeFi offering low-collateral credit. DeFi can only guarantee a project’s own fund security by raising users’ collateral or requiring over-collateralization, but this reduces the capital efficiency of the DeFi ecosystem, weakens the overall liquidity of the crypto ecosystem, and excludes most crypto users who want to use credit leverage. Yet this group of people borrow precisely because they lack funds or assets that can be used as collateral, and because of the maturity and limited scope of the off-chain credit system, they may not be able to obtain their desired credit limit due to insufficient credit records in the real world.

The DID+VC identity system offers a potential solution to the DeFi credit problems above. Through VCs with multiple presentation options that are completely controlled by users, it can (1) reduce the cost for credit institutions of collecting and verifying past credit data; and (2) even if DeFi is in future forced to implement KYC certification when it interacts with off-chain data, protect users’ privacy during data verification and presentation, so that no one knows any of the user’s private data except the publicly trusted institution that performs KYC, the institution that authenticates the corresponding financial data, and the user himself. If there is a leak, there is also a clear path of accountability. In this way, DeFi applications can easily provide targeted services to different users, for example by verifying users’ past on-chain and off-chain credit through their DIDs and verifiable digital credentials: if the repayment record is good, users can obtain low-interest credit loans or loans with a low collateral ratio.

Conclusion

The DID+VC identity system is the cornerstone of Web3’s popularity.

As mentioned at the beginning, our expectations for blockchain or Web3 come from its ability to resist privileges and involuntary censorship, but this does not mean that trust is not needed at all. We just want to weaken or eliminate trust in centralized institutions that will sell or tamper with our information, and want to achieve this through data autonomy; but at the same time, we also need credible institutions with legal obligations and responsibilities, such as public security and government, to authenticate the true credibility of the various organizations and individuals in the network, and even the true credibility of information and objects. We need them to supervise the various entities (organizations, individuals, information) in the network in order to prevent and police fraud caused by forged identity information, and to be able to carry out legal accountability procedures afterwards, cut off the chain of information leakage, and recover some or all of the economic losses. All of these require regulatory support and the implementation of KYC and KYB. Even if a person can have multiple DIDs at the same time, our real identity is only one. When a person’s multiple DIDs are associated and authenticated with his real, unique identity, it can substantially eliminate the fraud caused by information theft in Web2 and Web3; it can also allow Web2 data to be used in some form in the world of Web3, and can enrich the application scenarios of on-chain DID. In the transitional period when humans enter the cyber world, DID will carry the mapping of Web2 identity and social relationships into the Web3 world.

Whether it is secure multi-party computation, homomorphic encryption, or zero-knowledge proofs, if KYC certification based on these cryptographic technologies can be implemented on a large scale by public institutions with legal responsibilities, it can be said that Web3 is safer than Web2, because currently some of our KYC certifications and very important private identity data are controlled by many commercial institutions themselves. And when the DID of an organization or individual has a certain degree of recognition in the network, a more readable DID can endorse them. Of course, this road is very long, and other solutions may emerge along the way, so we will not discuss it further for now.

The DID identity system allows users to own their identity data through cryptography and the technical interaction logic of the system, overcoming the pain points of information abuse in the traditional Internet and raising the cost of “wrongdoing” by organizations and hackers. While giving users data sovereignty, it also gives users a sense of security. It allows people to see the dawn of DeSoc, the digital society of the ideal Web3 in which “code replaces human governance”. It can address user identification problems across tracks such as DeFi, DAO, and GameFi, solve the problem of privacy protection in on-chain KYC, reform community governance methods, and prevent Sybil and phishing attacks, making Web3 a society that is safer than Web2, more inclusive of users, and more respectful of users’ rights and wishes.

Of course, the realization of this beautiful vision also requires a set of standard cross-chain, cross-platform, and even off-chain protocols to support it, as well as the recognition of countless users and platforms and even offline institutions, and the formation of network effects of use.
