Supervised and revocable decentralized identity privacy protection scheme

Jing He; Xiaofeng Ma; Dawei Zhang; Feng Peng

doi:10.1051/sands/2024013

All issues

Volume 3 (2024)

Security and Safety, 3 (2024) 2024013

Full HTML

Open Access

Issue		Security and Safety Volume 3, 2024


Article Number		2024013
Number of page(s)		23
Section		Digital Finance
DOI		https://doi.org/10.1051/sands/2024013
Published online		30 October 2024

Security and Safety, Vol. 3, 2024013 (2024)

Research Article

Supervised and revocable decentralized identity privacy protection scheme

Jing He¹, Xiaofeng Ma¹^*, Dawei Zhang²^,3 and Feng Peng⁴

¹ School of Electronics and Information Engineering, Tongji University, Shanghai, 201804, China
² School of Computer and Information Technology, Beijing Jiaotong University, Beijing, 100044, China
³ Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong University, Beijing, 100044, China
⁴ China Securities Information Technology Service Limited Company, Beijing, 100033, China

^* Corresponding authors (email: xiaofengma@tongji.edu.cn)

Received: 19 August 2024
Revised: 23 September 2024
Accepted: 15 October 2024

Abstract

Decentralized identity represents an innovative approach based on blockchain to achieve effective identity management. This method utilizes decentralized identifiers and verifiable credentials to enable trusted authentication, free circulation of identity information, and self-sovereign control over identity data functionalities. The current decentralized identity systems rely on entirely anonymous identifiers, lacking robust identity regulation. Furthermore, they face challenges such as identity attribute leakage during verifiable credential presentation and the issuers’ struggle to reliably revoke credentials. To address these issues, efficient and practical schemes have been designed based on BBS signature, zero-knowledge proof, dynamic accumulator, and blockchain technology: one for decentralized identifiers management and the other for verifiable credential privacy protection, both of which are supervised and revocable. The former ensures the privacy of subject identity while achieving regulatability and revocability of identity data by the regulator. The latter facilitates selective disclosure of anonymous credentials and reliable revocation. A security analysis shows that the proposed scheme meets anonymity, non-forgeability, regulatory reliability, and revocability reliability, and offers comprehensive and effective privacy protection measures. The experimental results demonstrate that the algorithms designed operate at a millisecond level, which satisfies the demands of blockchain identity management scenarios.

Key words: Blockchain / Decentralized identity / Privacy protection / Supervision / Anonymous credential / Zero-knowledge proof

Citation: He J, Ma X and Zhang D et al. Supervised and revocable decentralized identity privacy protection scheme. Security and Safety 2024; 3: 2024013. https://doi.org/10.1051/sands/2024013

© The Author(s) 2024. Published by EDP Sciences and China Science Publishing & Media Ltd.

This is an Open Access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. Introduction

In the contemporary era of pervasive digitalization and intricate networking, digital identity has become a fundamental component for individuals and organizations to interact and access services in cyberspace. One important application scenario is regional equity markets, which facilitate the issuance, trading, and management of equity shares within specific geographic regions. These markets, as an integral part of China’s multi-tiered capital market system, are characterized by decentralization, relatively low transaction volumes, and stringent requirements for compliance and security. Currently, China has 35 regional equity markets, primarily serving small and medium-sized enterprises and offering financing solutions for “specialized, refined, differentiated, and innovative” enterprises. In this environment, regulatory authorities play a key role in supervising identity verification and transaction processes to ensure market integrity and legal compliance. To balance privacy protection with regulatory oversight, robust identity and credential management systems are essential.

In recent years, the distributed digital identity framework proposed by the World Wide Web Consortium (W3C) has attracted wide attention. Based on the blockchain infrastructure, this framework provides a distributed, transparent, and secure method for identity management. It is designed to enhance users’ control over their personal data and significantly mitigate the risk of single points of failure and the potential for data tampering [1]. However, distributed digital identity systems also face several issues and challenges in practical applications, particularly concerning regulatory adaptability, privacy protection, and technical implementation.

Distributed digital identity systems utilize decentralized identifiers (DIDs) to enhance user privacy and anonymity. However, this approach introduces significant regulatory challenges. In the absence of explicit identity information, regulators encounter difficulties in tracking and auditing transactions, thereby compromising the legitimacy and security of financial operations [2]. Furthermore, verifiable credentials (VCs) in these systems often contain multiple attributes. During the verification process, it is often sufficient to ascertain a subset of attributes in VCs. However, there exists a non-negligible risk that the system may inadvertently disclose additional sensitive information, which can lead to privacy-compromising and an increased risk of identity theft. While some systems offer selective disclosure of attributes, the continued use of the same DIDs or the lack of support for randomized signatures can result in linkability issues, where multiple interactions are tied to the same user. This undermines privacy protection [3]. Additionally, the reliable revocation of credentials is crucial to prevent unauthorized access or misuse. However, existing solutions are characterized by an absence of robust and efficient mechanisms designed to manage the revocation process in a manner that ensures both security and scalability.

This paper introduces an innovative solution to address the regulatory and privacy challenges in decentralized identity management through two tightly integrated schemes: SR-DIDs (Supervised and Revocable Decentralized Identifiers) and SR-PP-VC (Supervised and Revocable Privacy-Preserving Verifiable Credentials). The SR-DIDs scheme facilitates the derivation of master DIDs based on Pedersen’s commitment, which enables users to autonomously create anonymous proxy DIDs while maintaining their privacy. A key innovation lies in the integration of BBS signatures, DLIN encryption, and zero-knowledge proofs, which not only empowers regulatory authorities to discern user identities when necessary but also ensures a secure and reliable revocation of DIDs through smart contracts. The proposed scheme ensures anonymity, unforgeability, and regulatory compliance.

The SR-PP-VC scheme builds on SR-DIDs by extending its regulatory and privacy-preserving features to verifiable credentials. By leveraging BBS signatures and dynamic accumulators, it facilitates real-time revocation of credentials and empowers users to present their credentials in a manner that ensures unlinkability. The tight integration between SR-DIDs and SR-PP-VC ensures coherence in both identity and credential management, thereby providing a unified framework where DIDs and VCs are both regulated and revocable in a harmonious manner. Selective disclosure of credential attributes via zero-knowledge proofs further strengthens privacy, addressing issues of over-disclosure prevalent in current systems.

We implemented the system on Hyperledger Fabric and conducted comprehensive simulations to validate the proposed approach. The results demonstrate that our solution not only enhances security and privacy but also significantly improves scalability and efficiency compared to existing systems. The presented framework meets the performance and security demands of blockchain-based identity management, providing a novel and effective solution to the challenges of privacy protection, regulatory oversight, and credential revocation.

2. Related work

At present, the mainstream blockchain uses identity identifiers or digital certificates to define the ownership of assets, data, and rights [4]. For example, the public chain relies on anonymous addresses to identify the identity, and the alliance chain confirms the identity of members through real-name digital certificates.

To prevent identifier association from causing user identity disclosure [5], researchers proposed to derive one-time identifiers from public and private keys through encryption algorithms to reduce the correlation between identifiers and enhance identity privacy, such as Monero [6], literature [7], literature [8] and other schemes. In order to further implement the supervision of one-time identifiers, literature [9] designed a link ring signature algorithm, which realized the privacy protection scheme of transaction sender and receiver identifiers that could be regulated by the autonomous confusion mechanism. However, the ring signature size was very large, resulting in large performance consumption. Literature [10] designed a supervised one-time identifier generation scheme to hide the real identity of the transaction receiver but did not support identifier revocation.

To solve the problem that the public and transparent feature of blockchain leads to the leakage of users’ real identity information when digital certificates are presented, Hyperledger Fabric uses Idemix solution [11], which can realize the anonymity and unlinkability of users’ identities and the selective disclosure of certificate attributes. Document [12] uses a state secret SM2 signature to create anonymous credentials to ensure user anonymity. In order to solve the certificate supervision problem, literature [13] designed a blockchain-oriented regulatory anonymous certificate authentication scheme based on the BBS04 group signature [14] and Idemix scheme but did not support certificate revocation. Literature [15] constructs a traceable and randomizable anonymous certificate based on the PS signature, but the certificate size increases linearly with attributes. As for the revocation of digital certificates, literature [16] builds an anonymous certificate that can be revoked, unlinked, and selectively disclosed based on a dynamic accumulator and PS signature algorithm. However, due to the fixed number of certificates issued, it is difficult to apply in practice and does not support identity supervision. Document [17] revocation certificates based on time fragments, but it is not a real-time operation and requires frequent updating of certificates, which consumes large storage resources.

To effectively manage a large amount of identity information, distributed digital identity technology integrates identity identifiers and credentials, builds the identity management layer of the blockchain system, and gives subjects control over their own identity data [4]. However, the research in this field is still in the initial stage, mainly focusing on its application practice. For example, the Internet of Things [18], medical health [19], finance [20], 6G communication [21], and other fields have effectively solved the problems faced by centralized digital identity systems, such as the lack of identity sovereignty, the disadvantages of centralized authentication, and large-scale identity identifiers and certificate management problems, and promoted the circulation and authentication of user identities among different organizations. Regarding the privacy protection of distributed digital identities, literature [22] proposes a VC privacy protection scheme with optional disclosure based on an editable signature algorithm. Literature [23] builds a new distributed digital identity system by combining a prophecy machine and trusted execution environment, which can obtain and issue identity credentials from Web service providers securely and conveniently, and protect user identity privacy. Literature [24] puts the VC generation process into a trusted execution environment to protect user attribute privacy. However, the above schemes do not consider identity supervision and VC revocation in the distributed digital identity system.

3. Propaedeutics

3.1. Blockchain

Blockchain is a decentralized and distributed ledger technology, first introduced in 2008 by an anonymous individual or group known as Satoshi Nakamoto, with the invention of Bitcoin [25]. The key feature of blockchain is its ability to securely record transactions across multiple computers, ensuring data integrity and transparency. The technical architecture of blockchain consists of several layers, including peer-to-peer networks, consensus mechanisms, cryptographic hash functions, and distributed ledgers. Each block contains a list of transactions that are cryptographically linked, ensuring immutability. Consensus mechanisms, such as Proof of Work (PoW) or Proof of Stake (PoS), ensure that all participants in the network agree on the validity of transactions, providing security and trust in a decentralized system.

One of the most important innovations in blockchain technology is the introduction of smart contracts, first implemented on the Ethereum blockchain. Smart contracts allow the automatic execution of contract terms on the blockchain without the need for intermediaries, enabling the automation of complex processes. This provides a flexible and powerful environment for developing and deploying decentralized applications. Smart contracts have expanded blockchain applications into areas such as finance (DeFi), supply chain management, and healthcare, making blockchain a versatile tool for ensuring transparency, efficiency, and trust in decentralized environments.

In the legal field, Sharifi introduced a formal contract specification language called Symboleo, which encodes obligations and rights into smart contracts [26]. Domestically, Wang Di proposed SPESC, which translates legal contracts into smart contract languages to enhance their legal validity [27]. Zhu Yan further designed rules for converting SPESC into Solidity, a high-level smart contract language [28]. To address the issue of smart contract performance, Zhang Fuli developed a microservice framework for smart contracts by decoupling consensus nodes from smart contracts [29]. Liu proposed parallel execution of transactions by execution nodes and asynchronous transaction ordering by consensus nodes, enabling parallel execution of smart contracts [30]. Wang Zikai introduced the SBFT consensus algorithm and a task-parallel smart contract model, optimizing the efficiency and scalability of smart contract execution [31].

3.2. Bilinear map

Given that 𝔾₁, 𝔾₂, and 𝔾_T are cyclic groups of prime order p, if there exists a mapping e such that e : 𝔾₁ × 𝔾₂ → 𝔾_T, satisfying the following properties, then this mapping is called a bilinear map:

(1) Bilinearity: For any α, β ∈ ℤ_p, g₁ ← 𝔾₁, g₂ ← 𝔾₂, it holds that $e (g_{1}^{α}, g_{2}^{β}) = {e (g_{1}, g_{2})}^{α β}$ $e( g_{1}^{\alpha},g_{2}^{\beta} ) = {e(g_{1},g_{2})}^{\alpha\beta}$ .

(2) Non-degeneracy: There exist g₁ ← 𝔾₁, g₂ ← 𝔾₂ such that e(g₁, g₂)≠1.

(3) Computability: For any g₁ ← 𝔾₁, g₁ ← 𝔾₁, there exists an efficient algorithm to compute e(g₁, g₂).

Reference [32] defines three types of bilinear maps: Type 1: 𝔾₁ = 𝔾₂, also known as symmetric pairing. Type 2: 𝔾₁ ≠ 𝔾₂, but there exists an efficient homomorphic mapping ⌀ : 𝔾₂ → 𝔾₁. Type 3: 𝔾₁ ≠ 𝔾₂, and there does not exist an efficient homomorphic mapping from 𝔾₂ to 𝔾₁. The scheme proposed in this paper is based on Type 3 bilinear maps.

3.3. Cryptographic assumptions

(1) q-DL Assumption

Given that 𝔾₁ and 𝔾₂ are two cyclic groups of order p, with g₁ and g₂ being generators of groups 𝔾₁ and 𝔾₂ respectively, it is computationally hard to solve for the integer x from the given (q+3)-tuple $(g_{1}, g_{1}^{x}, g_{1}^{x^{2}}, \dots, g_{1}^{x^{q}}, g_{2}, g_{2}^{x})$ $(g_{1},g_{1}^{x},g_{1}^{x^{2}},\ldots,g_{1}^{x^{q}},g_{2},g_{2}^{x})$ .

(2) q-SDH Assumption

Given 𝔾₁ and 𝔾₂ are two cyclic groups of order p, with g₁ and g₂ being generators of groups 𝔾₁ and 𝔾₂ respectively, it is computationally hard to output the pair $(g_{1}^{1 / (x + c)}, c)$ $(g_{1}^{1/(x + c)},c)$ from the given (q+3)-tuple $(g_{1}, g_{1}^{x}, g_{1}^{x^{2}}, \dots, g_{1}^{x^{q}}, g_{2}, g_{2}^{x})$ $(g_{1},g_{1}^{x},g_{1}^{x^{2}},\ldots,g_{1}^{x^{q}},g_{2},g_{2}^{x})$ , where x, c ∈ ℤ_p.

(3) DLIN Assumption

Given 𝔾₁ is a cyclic group of order p it is computationally hard to determine if c = a + b holds from a set of elements U, V, W, U^a, V^b, W^c, where U, V, W are random elements in group 𝔾₁ and a, b, c ∈ ℤ_p are randomly chosen.

3.4. BBS signature

The BBS signature scheme was initially part of the BBS04 group signature scheme [14] and was explicitly defined as an independent signature scheme in literature [33]. The original BBS signature lacked security proof until 2023 when it was shown in the literature [34] that the BBS signature satisfies strong existential unforgeability under chosen message attack (SUF-CMA) under the q-SDH assumption. The BBS signature process is as follows:

(1) Setup(1^λ): Input the system parameter 1^λ to generate the Type 3 bilinear map (p, 𝔾₁, 𝔾₂, 𝔾_T, e). Let g₁ and g₂ be the generators of groups 𝔾₁ and 𝔾₂, respectively. Randomly select a group element h₁ ← 𝔾₁. Output the public parameters pp = (p, 𝔾₁, 𝔾₂, 𝔾_T, e, g₁, h₁, g₂).

(2) KeyGen(pp): Randomly choose x ∈ ℤ_p as the private key sk. Compute the public key $p k = g_{2}^{x}$ $pk = g_{2}^{x}$ .

(3) Sign(m, sk, pp): Input the message m ∈ ℤ_p and the private key sk. Randomly select an integer k ∈ ℤ_p and compute $A = {(g_{1} \cdot h_{1}^{m})}^{1 / (x + k)}$ $A = ( g_{1} \cdot h_{1}^{m} )^{1/(x + k)}$ ). Output the signature σ = (A, k).

(4) Verify(σ, m, pp): Verify if $e (A, g_{2}^{k} \cdot p k) = e (g_{1} \cdot h_{1}^{m}, g_{2})$ $e( A,g_{2}^{k} \cdot pk ) = e(g_{1} \cdot h_{1}^{m},\ g_{2})$ . If the equation holds, the signature is valid; otherwise, it is invalid.

3.5. Distributed digital identity

Distributed digital identity leverages blockchain technology to transform the traditional centralized identity control model into a distributed control model. It establishes an identity management layer for blockchain systems, enabling entities to own and manage their identity data. The distributed digital identity scheme designed in this paper follows the W3C standards, with its basic component structure illustrated in Figure 1.

Figure 1.

Basic component relationships of decentralized identity

(1) Foundation Layer: DIDs serve as unique addresses for each entity, linked to detailed DID documents. These documents contain the entity’s public key information, authentication protocols, and service endpoints, facilitating multi-dimensional, flexible expression of identity and context-adaptive privacy protection.

(2) Application Layer: VCs are digitally issued certificates by authoritative entities, recording the attributes and qualifications of the entity in various contexts. Entities are allowed to independently hold and verify multiple identity attributes. VPs are composite proof structures built on VCs, enabling entities to provide comprehensive, cryptographically signed proofs of identity to third parties by selecting and combining multiple VCs.

4. Architecture design

In the regional equity market scenario, the participants–regulatory authorities, issuers, investors, and trading platforms–play distinct roles. The regulatory authority is assumed to be a trustworthy and secure entity, overseeing identity, transaction, and credential management to ensure compliance and market safety. Issuers and trading platforms are considered credible and legitimate institutions that closely collaborate with regulators and adhere to market rules. On the other hand, investors, whose identities and activities must be verified through credentials, are not regarded as fully trusted entities. Against this backdrop, the scheme is designed to protect identity and credential privacy while allowing regulatory oversight to ensure legal and transparent financial activities. Thus, the scheme does not pursue full decentralization but instead enhances system transparency and security through blockchain technology, striking a balance between regulatory oversight and privacy protection to ensure market transparency and safety.

This paper classifies DIDs into two categories, the overall architecture of digital identity management in this paper is illustrated in Figure 2.

Figure 2.

Architecture of identity management

(1) Main Decentralized Identifiers (MDIDs): Users register with regulatory authorities using real-name information. Upon approval by the regulatory authority, users can possess and use an MDID, with each user limited to one MDID.

(2) Proxy Decentralized Identifiers (PDIDs): Users can independently generate multiple PDIDs. In this paper, only the regulatory authority can associate PDIDs with MDIDs.

The specific process is as follows:

(1) Real-name Registration: Users undergo real-name authentication with the regulatory authority. Upon successful authentication, the regulatory authority registers an MDID for the user via a smart contract and signs the MDID with their private key, serving as the user’s identity regulatory key.

(2) PDID Generation: Based on their MDIDs and identity regulatory key, users independently generate unique PDIDs and corresponding regulatory information, uploading them to the blockchain for automatic verification by the smart contract.

(3) Dispute or Violation Resolution: In case of disputes or violations, the regulatory authority uses the regulatory information of PDIDs to trace the user’s real identity and revoke the corresponding DIDs if necessary.

(4) VC Application: Users apply for VCs using any DIDs and their identity attributes. The issuer verifies the attributes and issues the VCs.

(5) VC Verification: Users randomize and combine their VCs into a VP as required by the verifier, hiding unnecessary attribute values. The verifier validates the VP’s signature to determine its validity.

(6) VC Revocation: The VC issuer can update the accumulator and the revocation list on the blockchain, thereby revoking a specific VC.

(7) Credential Updates: Users check the latest revocation list and update their credentials accordingly, ensuring that revoked credentials are no longer usable.

SR-DIDs and SR-PP-VC schemes are designed to work in tandem to achieve regulatory oversight and revocability of decentralized identities (DIDs) and verifiable credentials (VCs) within the system. The SR-DIDs scheme focuses on the management of decentralized identifiers, ensuring that user identities remain anonymous while providing regulatory authorities the ability to recover the true identity through regulatory information when necessary. It allows for the creation of proxy DIDs, which can be traced back to the main DIDs under certain regulatory conditions, ensuring both privacy and accountability.

On the other hand, the SR-PP-VC scheme extends the regulatory and revocation capabilities to the verifiable credentials associated with these DIDs. By utilizing BBS signatures and dynamic accumulators, the SR-PP-VC scheme enables selective disclosure of credential attributes while ensuring that VCs can be reliably revoked in real-time. The two schemes complement each other: SR-DIDs manage the identity layer by handling DIDs, and SR-PP-VC manages the credential layer by ensuring the privacy, regulatory compliance, and revocation of credentials. Together, they provide a cohesive framework for privacy protection and regulatory oversight in decentralized identity systems.

5. Regulated and revocable DIDs management scheme

5.1. Scheme definition

The SR-DIDs scheme comprises eight algorithms, described as follows:

(1) Public System Parameter GenerationSetUp(1^λ)→pp: Input the system security parameter 1^λ. Output the system public parameters pp, which include the DIDs generation base DR used for constructing entity DIDs.

(2) Regulator Key Pair GenerationRegulatorKeyGen(pp)→(RSK, RPK, DIDsRL): Executed by the regulator, input the public parameters pp. Output the regulator’s private key RSK, public key RPK, and DIDs revocation list DIDsRL.

(3) MDIDs Request GenerationMDIDsReqGen(pp)→(UMDIDsReq, umsk, d_m): Executed by the users, input the public parameters pp, output MDIDs-registration request UMDIDsReq, user’s master secret key umsk, and user’s MDID-associated key d_m. The UMDIDsReq includes the main identity identifier UMDIDs to be registered.

(4) MDIDs RegistrationMDIDsReg(pp, MDIDsReq, RSK)→(USK): Executed by the regulator, input the public parameters pp, the user’s MDID registration request MDIDsReq, and the regulator’s private key RSK. Output the user’s identity regulatory key USK.

(5) PDIDs GenerationUserPDIDsGen(pp, umsk, d_p, RPK, USK, UMDIDs)→(UPDIDs, UPProof): Executed by the users. Input the public parameters pp, the user’s master secret key umsk, the user’s PDID-associated key d_p, the regulator’s public key RPK, the user’s identity regulatory key USK, and the user’s main decentralized identity identifier UMDIDs. Output the user’s proxy decentralized identity identifier UPDIDs and its regulatory information UPProof.

(6) User PDIDs VerificationUserPDIDsVer(pp, RPK, UPDIDs, UPProof)→(0/1): Executed by the smart contract automatically, input the public parameters pp, the regulator’s public key RPK, the user’s proxy decentralized identity identifier UPDIDs, and its regulatory information UPProof. Output 1 if the verification passes; 0 otherwise.

(7) Identity SupervisionSupervise(UPDIDs, UPProof, RSK)→(USK): Executed by the regulator, input the user’s UPDIDs, its regulatory information UPProof, and the regulator’s private key RSK. Output the identity regulatory key USK corresponding to the PDIDs.

(8) Identity RevocationDIDsRevoke(RevDIDs)→(DIDsRL): Executed by the regulator, input the identifiers to be revoked RevDIDs. Update the DID revocation list DIDsRL to render RevDIDs invalid within the system.

5.2. Security model

The security properties of the SR-DIDs scheme include anonymity, unforgeability, regulatory reliability, and revocation reliability. This scheme uses the following lists and oracles to describe its security properties:

ℒ_{H_U}, ℒ_{C_U}: Lists of honest and corrupt users, respectively, recording the indices i of honest and corrupt users. ℒ_{H_U} ∩ ℒ_{C_U} = ⌀.

ℒ_PDIDs, ℒ_{d_p}: Lists of PDIDs and their corresponding PDID keys, recording the users’ PDIDs and the keys associated with those PDIDs. For example, ℒ_PDIDs[i] denotes the set of PDIDs owned by user i. ℒ_{d_p} corresponds one-to-one with each element in ℒ_PDIDs.

Oracle for Honest Users 𝒪_{H_U}(i): Adversary 𝒜 queries this oracle with user identifier i to add a new user i. If i ∈ ℒ_{H_U} ∪ ℒ_{C_U}, return ⊥. Otherwise, execute MDIDsReqGen(pp, umsk[i],d_m[i]) → (MDIDsReq[i]) and update ℒ_{H_U} = ℒ_{H_U} ∪ {i}, then return ⊤.

Oracle for Corrupt Users 𝒪_{C_U}(i): Adversary 𝒜 queries this oracle with user identifier i to obtain the user’s identity information. If i ∉ ℒ_{H_U} ∪ ℒ_{C_U}, return ⊥. If i ∈ ℒ_{H_U}, update ℒ_{H_U} = ℒ_{H_U} − {i} and ℒ_{C_U} = ℒ_{C_U} ∪ {i}. Then return USK[i],MDIDsReq[i], umsk[i],d_m[i],ℒ_PDIDs[i],ℒ_{d_p}[i].

Oracle for MDIDs 𝒪_MDIDs(i): Adversary 𝒜 queries this oracle with user identifier i to obtain the identity regulatory key signed by the regulator for the user’s MDIDs. If i ∉ ℒ_{H_U} ∪ ℒ_{C_U}, return ⊥. Otherwise, execute MDIDsReg(pp, MDIDsReq[i],RSK[i]) → (USK[i]). If i ∈ ℒ_{H_U}, return ⊤. If i ∈ ℒ_{C_U}, return USK[i].

Oracle for PDIDs 𝒪_PDIDs(i): Adversary 𝒜 queries this oracle with user identifier i to generate the PDIDs and their regulatory information for user i. If i ∉ ℒ_{H_U} ∪ ℒ_{C_U}, return ⊥. Otherwise, execute UserPDIDsGen(pp, d_p, RPK, USK[i],UMDIDs[i]) → (UPDIDs, UPProof) and update (ℒ_PDIDs[i], ℒ_{d_p}[i]) = (ℒ_PDIDs[i],ℒ_{d_p}[i]). If i ∈ ℒ_{C_U}, return ⊤. If i ∈ ℒ_{C_U}, return UPDIDs, UPProof.

Supervision Oracle 𝒪_Sup(UPDIDs, UPProof): Adversary 𝒜 queries this oracle with UPDIDs and their regulatory information UPProof to obtain the user’s identity regulatory key. If UPDIDs ∉ ℒ_PDIDs, return ⊥. Otherwise, execute Supervise(UPDIDs, UPProof, RSK)→(USK[i]) and return USK[i].

Oracle for Public Information 𝒪_W: Adversary 𝒜 can query this oracle to obtain all public MDIDs, PDIDs, and their regulatory information from the blockchain system.

(1) Anonymity

In the SR-DIDs scheme, anonymity is defined as: except for the regulator, no other entities in the system can infer a user’s identity information through DIDs or the regulatory information of PDIDs. Therefore, the anonymity of the SR-DIDs scheme also ensures the unlinkability of DIDs.

Definition 1.

For any probabilistic polynomial-time (PPT) adversary 𝒜, if 𝒜 can make a polynomially bounded number of queries to the oracle list 𝒪 = {𝒪_{H_U}, 𝒪_{C_U}, 𝒪_MDIDs, 𝒪_PDIDs, 𝒪_W}, and the probability of Equation (1) is negligible, then the SR-DIDs scheme satisfies anonymity.

$\begin{matrix} \begin{matrix} P r [\begin{matrix} S e t U p (1^{λ}) \to p p ; \\ R e g u l a t o r K e y G e n (p p) \to (R S K, R P K, D I D s R L) ; \\ A^{O} (p p, R P K, D I D s R L) \to {i_{0}, i_{1}} ; \\ C (p p, i_{b}) \to (U M D I D s [i_{b}], {UPDIDs}_{i_{b}}, {UPProof}_{i_{b}}) ; \\ A (p p, U M D I D s [i_{b}], {UPDIDs}_{i_{b}}, {UPProof}_{i_{b}}) \to b^{*} \end{matrix} : b^{*} = b] - \frac{1}{2} \end{matrix} \end{matrix}$ $\begin{aligned} \begin{matrix} Pr\left[\begin{matrix} SetUp\left( 1^{\lambda } \right) \rightarrow pp; \\ RegulatorKeyGen(pp) \rightarrow (RSK,RPK,DIDsRL); \\ \mathcal{A} ^{\mathcal{O} }(pp,RPK,DIDsRL) \rightarrow \left\{ i_{0},i_{1} \right\} ; \\ \mathcal{C} \left( pp,i_{b} \right) \rightarrow \left( UMDIDs\left[i_{b} \right],{UPDIDs}_{i_{b}},{UPProof}_{i_{b}} \right); \\ \mathcal{A} \left( pp,UMDIDs\left[i_{b} \right],{UPDIDs}_{i_{b}},{UPProof}_{i_{b}} \right) \rightarrow b^{*} \\ \end{matrix}:b^{*} = b \right]- \frac{1}{2} \end{matrix} \end{aligned}$ (1)

(2) Unforgeability

In the SR-DIDs scheme, unforgeability is defined as: without the regulator’s private key, no attacker can generate verifiable PDIDs and their regulatory information.

Definition 2.

For any PPT adversary 𝒜, if 𝒜 can make a polynomially bounded number of queries to the oracle list 𝒪 = {𝒪_{H_U}, 𝒪_{C_U}, 𝒪_MDIDs, 𝒪_PDIDs, 𝒪_W}, and the probability of Equation (2) is negligible, then the SR-DIDs scheme satisfies unforgeability.

$\begin{matrix} \begin{matrix} P r [\begin{matrix} S e t U p (1^{λ}) \to p p ; \\ R e g u l a t o r K e y G e n (p p) \to (R S K, R P K, D I D s R L) ; \\ A^{O} (p p, R P K, D I D s R L) \to ({UPDIDs}^{*}, {UPProof}^{*}) ; \\ U s e r P D I D s V e r (p p, R P K, {UPDIDs}^{*}, {UPProof}^{*}) \to b^{*} : \\ (b^{*} = 1), (i \notin L_{C_U}), ({UPDIDs}^{*} \notin L_{PDIDs}) \end{matrix}] \end{matrix} \end{matrix}$ $\begin{aligned} \begin{matrix} Pr\begin{bmatrix} SetUp\left( 1^{\lambda } \right) \rightarrow pp; \\ RegulatorKeyGen(pp) \rightarrow (RSK,RPK,DIDsRL); \\ \mathcal{A} ^{\mathcal{O} }(pp,RPK,DIDsRL) \rightarrow \left( {UPDIDs}^{*},{UPProof}^{*} \right); \\ UserPDIDsVer\left( pp,RPK,{UPDIDs}^{*},{UPProof}^{*} \right) \rightarrow b^{*}: \\ (b^{*} = 1) , (i \notin \mathcal{L} _{C\_ U}) , ({UPDIDs}^{*} \notin \mathcal{L} _{PDIDs}) \\ \end{bmatrix} \end{matrix} \end{aligned}$ (2)

(3) Regulatory Reliability

In the SR-DIDs scheme, regulatory reliability is defined as: except for the regulator, even if users collude, no attacker can construct regulatory information that can pass system verification while preventing the regulator from tracing the real identity information. Therefore, the regulatory reliability of the SR-DIDs scheme also ensures traceability, for users operating honestly, the regulator can recover the user’s regulatory key from the PDIDs’ regulatory information.

Definition 3.

For any PPT adversary 𝒜, if 𝒜 can make a polynomially bounded number of queries to the oracle list 𝒪 = {𝒪_{H_U}, 𝒪_{C_U}, 𝒪_MDIDs, 𝒪_PDIDs, 𝒪_Sup, 𝒪_W}, and the probability of Equation (3) is negligible, then the SR-DIDs scheme satisfies regulatory reliability.

$\begin{matrix} \begin{matrix} P r [\begin{matrix} S e t U p (1^{λ}) \to p p ; \\ R e g u l a t o r K e y G e n (p p) \to (R S K, R P K, D I D s R L) ; \\ A^{O} (p p, R P K, D I D s R L) \to ({UPDIDs}^{*}, {UPProof}^{*}) ; \\ U s e r P D I D s V e r (p p, R P K, {UPDIDs}^{*}, {UPProof}^{*}) \to b^{*} : \\ {(b}^{*} = 1), (S u p e r v i s e ({UPDIDs}^{*}, {UPProof}^{*}, R S K) \neq U R S K [i]) \end{matrix}] \end{matrix} \end{matrix}$ $\begin{aligned} \begin{matrix} Pr\begin{bmatrix} SetUp\left( 1^{\lambda } \right) \rightarrow pp; \\ RegulatorKeyGen(pp) \rightarrow (RSK,RPK,DIDsRL); \\ \mathcal{A} ^{\mathcal{O} }(pp,RPK,DIDsRL) \rightarrow \left( {UPDIDs}^{*},{UPProof}^{*} \right); \\ UserPDIDsVer\left( pp,RPK,{UPDIDs}^{*},{UPProof}^{*} \right) \rightarrow b^{*}: \\ {(b}^{*} = 1) , (Supervise\left( {UPDIDs}^{*},{UPProof}^{*},RSK \right) \ne URSK[i]) \\ \end{bmatrix} \end{matrix} \end{aligned}$ (3)

(4) Revocation Reliability

In the SR-DIDs scheme, revocation reliability is defined as: if the regulator chooses to revoke a particular DID, that DID can no longer be used, and attackers in the system cannot prevent the regulator from revoking DIDs or reactivating revoked DIDs.

5.3. Scheme design

(1) SetUp(1^λ)→pp: First, input the system parameter 1^λ to generate a Type 3 bilinear map (p, 𝔾₁, 𝔾₂, 𝔾_T, e) and the integer group ℤ_p. Choose the generators g₁ and g₂ for groups 𝔾₁ and 𝔾₂ respectively. Then, randomly select two different group elements DSK, DRand ← 𝔾₁, and set the DID generation base as DR = (DSK, DRand). Also, select a cryptographic hash function ℋ : {0, 1}^* → {0, 1}^* that is one-way and collision-resistant. Finally, output the public parameters pp = (p, 𝔾₁, 𝔾₂, 𝔾_T, ℤ_p, g₁, g₂, e, ℋ, DR).

(2) RegulatorKeyGen(pp)→(RSK, RPK, DIDsRL): The regulator first selects an integer y ∈ ℤ_p and computes $\bar{Y} = g_{2}^{y}$ $\overline{Y} = \ g_{2}^{y}$ . Then, select integers u, v ∈ ℤ_p, and let $U = g_{1}^{u}$ $U = \ g_{1}^{u}$ , $V = g_{1}^{v}$ $V = \ g_{1}^{v}$ , and W = U^v, which implies $W = U^{v} = V^{u} = g_{1}^{uv}$ $W = \ U^{v} = V^{u} = g_{1}^{uv}$ . Set the regulator’s private key as (y, u, v) and the public key as $(\bar{Y}, U, V, W)$ $(\overline{Y},U,V,W)$ . The private key is stored locally, while the public key is made public on the blockchain. Finally, initialize the DID revocation list DIDsRL as an empty list and upload it to the blockchain.

(3) MDIDsReqGen(pp)→(MDIDsReq, umsk, d_m): The user first selects an integer umsk ∈ ℤ_p as their master private key. Then, select an MDID key d_m ∈ ℤ_p and generate the MDID based on the Pedersen commitment: UMDIDs = DSK^umsk ⋅ DRand^d_m. Finally, integrate the user’s real-name identity information info into the registration request UMDIDsReq = (UMDIDs, info) and send it to the regulator.

(4) MDIDsReg(pp, MDIDsReq, RSK)→(USK): Upon receiving the user’s registration request UMDIDsReq, the regulator first verifies the info and checks whether the UMDIDs has already been registered in the system. If it is already registered, the application is invalid. If verified correctly, the regulator selects an integer k_u ∈ ℤ_p and signs the user’s MDIDs with a BBS signature: compute K = (g₁ ⋅ UMDIDs)^{1/(y + k_u)}. Finally, send USK = (k_u, K) to the user as their identity regulatory key, and store info, UMDIDs, and USK = (k_u, K)) in the regulator’s private table RSList. The UMDIDs are then activated on the blockchain.

(5) UserPDIDsGen(pp, d_p, RPK, USK, UMDIDs)→(UPDIDs, UPProof): Users independently generate PDIDs based on their identity regulatory key to prevent other entities from tracking and linking.

① The user randomly selects r₁, r₂ ∈ ℤ_p and encrypts the identity regulatory key using DLIN: R₁ = U^1/r₁, R₂ = V^r₂, R₃ = K ⋅ W^{1/r₁ + r₂}. Then, randomize the calculation $\bar{K} = K^{r_{1}}$ $\overline{K} = K^{r_{1}}$ , and $\bar{J} = {\bar{K}}^{- k_{u}} \cdot {(g_{1} \cdot U M D I D s)}^{r_{1}}$ $\overline{J} = {\overline{K}}^{- k_{u}} \cdot {(g_{1} \cdot UMDIDs)}^{r_{1}}$ .

② Select a PDID key d_p ∈ ℤ_p and compute the PDID based on the Pedersen commitment: UPDIDs = DSK^umsk ⋅ DRand^d_p. Calculate t₁ = d_p − d_m and t₂ = k_u/r₁.

③ The user generates a zero-knowledge proof of knowledge for the correct generation of MDIDs, identity regulatory key, and PDIDs: ${π_{1} = N I Z K - P o K}_{1} {r_{1}, r_{2}, t_{1}, t_{2} | R_{1} = U^{1 / r_{1}} \land R_{2} = V^{r_{2}} \land R_{3} = {\bar{K}}^{1 / r_{1}} \cdot W^{1 / r_{1} + r_{2}} \land \bar{J} = {(\bar{K}}^{- t_{2}} \cdot {g_{1} \cdot U P D I D s \cdot {DRand}^{{- t}_{1}})}^{r_{1}}}$ ${\pi_{1} = NIZK - PoK}_{1}\{ r_{1},r_{2},t_{1},t_{2}|R_{1} = U^{1/r_{1}} \land R_{2} = V^{r_{2}} \land R_{3} = {\overline{K}}^{1/r_{1}} \cdot W^{1/r_{1} + r_{2}} \land \overline{J} = {(\overline{K}}^{- t_{2}} \cdot {g_{1} \cdot UPDIDs \cdot {DRand}^{{- t}_{1}})}^{r_{1}}\}$

a. Randomly select ${\bar{r}}_{1}, {\bar{r}}_{2}, {\bar{r}}_{t_{1}}, {\bar{r}}_{t_{2}} \in Z_{p}$ ${\overline{r}}_{1},{\overline{r}}_{2},{\overline{r}}_{t_{1}},{\overline{r}}_{t_{2}} \in \mathbb{Z}_{p}$ and compute auxiliary values for the zero-knowledge proof: $R_{1}' = U^{{\bar{r}}_{1}}$ $R_{1}\prime = U^{{\overline{r}}_{1}}$ , $R_{2}' = V^{{\bar{r}}_{2}}$ $R_{2}\prime = V^{{\overline{r}}_{2}}$ , $R_{3}' = {\bar{K}}^{{\bar{r}}_{1}} \cdot W^{{\bar{r}}_{1} + {\bar{r}}_{2}}$ $R_{3}\prime = {\overline{K}}^{{\overline{r}}_{1}} \cdot W^{{\overline{r}}_{1} + {\overline{r}}_{2}}$ , and $T_{1}' = {\bar{J}}^{{\bar{r}}_{1}} \cdot {{\bar{K}}^{{\bar{r}}_{t_{2}}} \cdot D R a n d}^{{\bar{r}}_{t_{1}}}$ $T_{1}\prime = {\overline{J}}^{{\overline{r}}_{1}} \cdot {{\overline{K}}^{{\overline{r}}_{t_{2}}} \cdot DRand}^{{\overline{r}}_{t_{1}}}$ .

b. Compute the challenge value: $c_{1} = H (\bar{K}, \bar{J}, U P D I D s, R_{1}, R_{2}, R_{3}, R_{1}', R_{2}', R_{3}', T_{1}')$ $c_{1}\mathcal{= \ H}( \overline{K},\overline{J},UPDIDs,R_{1},R_{2},R_{3},R_{1}\prime,R_{2}\prime,R_{3}\prime,T_{1}\prime )$ .

c. Compute the s-values: $s_{r_{1}} = {\bar{r}}_{1} + c_{1} / r_{1}$ $s_{r_{1}} = {\overline{r}}_{1} + c_{1}/r_{1}$ , $s_{r_{2}} = {\bar{r}}_{2} + c_{1} \cdot r_{2}$ $s_{r_{2}} = {\overline{r}}_{2} + c_{1} \cdot r_{2}$ , $s_{t_{1}} = {\bar{r}}_{t_{1}} + c_{1} \cdot t_{1}$ $s_{t_{1}} = {\overline{r}}_{t_{1}} + c_{1} \cdot t_{1}$ , and $s_{t_{2}} = {\bar{r}}_{t_{2}} + c_{1} \cdot t_{2}$ $s_{t_{2}} = {\overline{r}}_{t_{2}} + c_{1} \cdot t_{2}$ .

d. Generate the zero-knowledge proof π₁ = (s_r₁, s_r₂, s_t₁, s_t₂, c₁).

④ Set the regulatory information for the user’s PDIDs as $U P P r o o f = (\bar{K}, \bar{J}, R_{1}, R_{2}, R_{3}, π_{1})$ $UPProof = (\overline{K},\overline{J},R_{1},R_{2},R_{3},\pi_{1})$ , and the user uploads (UPDIDs, UPProof) to the blockchain system.

(6) UserPDIDsVer(pp, RPK, UPDIDs, UPProof)→(0/1): In the blockchain system, the user-generated PDIDs can be treated as a transaction, which is automatically verified by a smart contract.

① Check if UPDIDs already exist on the blockchain. If it does, the registration is rejected. Otherwise, verify if $e (\bar{K}, \bar{Y}) = e (\bar{J}, g_{2})$ $e ( \overline{K},\overline{Y} ) = e(\overline{J},g_{2})$ . If it does not hold, the application is invalid. If it holds, proceed to the next verification step.

② Compute auxiliary values for verification: $R_{1} ″ = U^{s_{r_{1}}} \cdot R_{1}^{- c_{1}}$ $R_{1}\prime\prime = U^{s_{r_{1}}} \cdot R_{1}^{- c_{1}}$ , $R_{2} ″ = V^{s_{r_{2}}} \cdot R_{2}^{- c_{1}}$ $R_{2}\prime\prime = V^{s_{r_{2}}} \cdot R_{2}^{- c_{1}}$ , $R_{3} ″ = {\bar{K}}^{s_{r_{1}}} \cdot W^{s_{r_{1}} + s_{r_{2}}} \cdot {R_{3}}^{- c_{1}}$ $R_{3}\prime\prime = {\overline{K}}^{s_{r_{1}}} \cdot W^{s_{r_{1}} + s_{r_{2}}} \cdot {R_{3}}^{- c_{1}}$ , and $T_{1} ″ = {\bar{J}}^{s_{r_{1}}} \cdot {\bar{K}}^{s_{t_{2}}} \cdot {DRand}^{s_{t_{1}}} \cdot {(g_{1} \cdot U P D I D s)}^{- c_{1}}$ $T_{1}\prime\prime = {\overline{J}}^{s_{r_{1}}} \cdot {\overline{K}}^{s_{t_{2}}} \cdot {DRand}^{s_{t_{1}}} \cdot {(g_{1} \cdot UPDIDs)}^{- c_{1}}$ .

③ Based on the public parameters and auxiliary values, compute the challenge value: $c_{1}' = H (\bar{K}, \bar{J}, U P D I D s, R_{1}, R_{2}, R_{3}, R_{1} ″, R_{2} ″, R_{3} ″, T_{1} ″)$ $c_{1}\prime\mathcal{= \ H(}\overline{K},\overline{J},UPDIDs,R_{1},R_{2},R_{3},R_{1}\prime\prime,R_{2}\prime\prime,R_{3}\prime\prime,T_{1}\prime\prime)$ . Then verify if $c_{1}' = c_{1}$ $c_{1}\prime = c_{1}$ . If it holds, the application is approved and UPDIDs is activated, outputting 1; otherwise, it is rejected, outputting 0.

(7) Supervise(UPDIDs, UPProof, RSK)→(USK): The regulator can access the PDIDs information (UPDIDs, UPProof) from the blockchain at any time, then perform DLIN decryption: $K' = R_{3} / (R_{1}^{v} \cdot R_{2}^{u})$ $K\prime = \ R_{3}/(R_{1}^{v} \cdot R_{2}^{u})$ to obtain one of the user’s identity regulatory keys K′. The regulator compares it with their database RSList to retrieve USK, info and UMDIDs, thereby obtaining the real identity of the user applying for the PDIDs. The UPDIDs is then associated with the user’s UMDIDs and added to the RSList. Subsequently, the regulator can directly query the user’s real identity through UPDIDs.

(8) DIDsRevoke(RevDIDs)→(DIDsRL): If a particular DID RevDIDs needs to be revoked, the regulator updates the DID revocation list DIDsRL = DIDsRL ∪ {RevDIDs} via a smart contract, rendering RevDIDs invalid.

5.4. Security analysis

(1) Anonymity

Theorem 1.

If the DLIN encryption scheme satisfies indistinguishability under chosen plaintext attacks (IND-CPA), the Fiat-Shamir non-interactive zero-knowledge (NIZK) proof protocol satisfies zero-knowledge, and the Pedersen commitment scheme satisfies hiding, then the SR-DIDs scheme satisfies anonymity.

Proof. If an adversary 𝒜 can successfully attack the anonymity of the SR-DIDs scheme with non-negligible probability, then it is possible to construct a PPT algorithm ℬ that can attack the IND-CPA property of the DLIN encryption scheme, the zero-knowledge property of the Fiat-Shamir NIZK proof protocol, or the hiding property of the Pedersen commitment scheme with the same probability. The interaction between 𝒜 and ℬ is as follows:

① Setup Phase: ℬ simulates the public parameters of the SR-DIDs scheme based on the IND-CPA property of the DLIN encryption scheme, the zero-knowledge property of the Fiat-Shamir NIZK proof protocol, and the hiding property of the Pedersen commitment scheme. ℬ constructs the system parameters pp and the regulator’s public key RPK, and sends (pp, RPK) to 𝒜.

② Query Phase I: 𝒜 can query ℬ for q times. ℬ follows the procedures of the oracles 𝒪_{H_U}, 𝒪_{C_U}, 𝒪_MDIDs, 𝒪_PDIDs, 𝒪_W and returns the results to 𝒜. During the DID generation and zero-knowledge proof generation, ℬ obtains results from the simulated IND-CPA, zero-knowledge, and hiding games.

③ Challenge Phase: 𝒜 selects two users i₀ and i₁ who have never been queried before and sends them to ℬ. ℬ forwards them to the simulated IND-CPA, zero-knowledge, and hiding games and obtains the results (UMDIDs[i_b],UPDIDs_{i_b}, UPProof_{i_b}), which are sent to 𝒜.

④ Query Phase II: 𝒜 continues querying as in Query Phase I, but cannot query the oracle 𝒪_{C_U} for users i₀ and i₁.

⑤ Guessing Phase: 𝒜 guesses ℬ and outputs b′. ℬ forwards b′ to the simulated IND-CPA, zero-knowledge, and hiding games.

If an attacker can successfully attack the IND-CPA property of the DLIN encryption scheme, the zero-knowledge property of the Fiat-Shamir NIZK proof protocol, or the hiding property of the Pedersen commitment scheme, then 𝒜 can successfully attack the anonymity of the SR-DIDs scheme. However, since the DLIN encryption scheme satisfies IND-CPA, the Fiat-Shamir NIZK proof protocol satisfies zero-knowledge, and the Pedersen commitment scheme satisfies hiding, the advantage of 𝒜 is negligible, and the probability in Equation (1) is negligible. Thus, the SR-DIDs scheme satisfies anonymity.

(2) Unforgeability

Theorem 2.

If the q-SDH assumption holds and the zero-knowledge proof π₁ satisfies zero-knowledge, completeness, and soundness, then the SR-DIDs scheme satisfies unforgeability.

Proof. Assume 𝒜 is an adversary of the unforgeability of the SR-DIDs scheme, ℬ is an algorithm that attacks the q-SDH assumption or the zero-knowledge, completeness, and soundness of the Fiat-Shamir NIZK proof protocol, and 𝒞 is the challenger of the q-SDH assumption simulation game, while 𝒮 is the simulator for generating the zero-knowledge proof π₁ [35]. The interaction between 𝒜 and ℬ is as follows:

① Setup Phase: 𝒞 sends the public parameters $(g_{1}, g_{2}, \bar{Y} = g_{2}^{y})$ $(g_{1},g_{2},\overline{Y} = \ g_{2}^{y})$ to ℬ. Then, ℬ constructs (pp, RPK) based on the public parameters of the q-SDH simulation game and sends them to 𝒜, retaining (u, v).

② Query Phase: 𝒜 can query ℬ for q times. ℬ follows the procedures of the oracles 𝒪_{H_U}, 𝒪_{C_U}, 𝒪_MDIDs, 𝒪_PDIDs, 𝒪_W. For parts involving signatures, ℬ constructs the commitment value to be signed and sends it to 𝒞 for signing. For parts involving the zero-knowledge proof π₁, 𝒮 runs the simulation. ℬ returns the results to 𝒜.

③ Forgery Phase: 𝒜 constructs (UPDIDs^*, UPProof^*) for an honest user i and sends them to ℬ.

④ Judgment Phase: If (UPDIDs^*, UPProof^*) passes verification, it indicates 𝒜 has successfully attacked. ℬ then forwards $({\bar{K}}^{*}, {\bar{J}}^{*})$ $({\overline{K}}^{*},{\overline{J}}^{*})$ to 𝒞 and $π_{1}^{*}$ $\pi_{1}^{*}$ to 𝒮.

Since 𝒜 and ℬ are both PPT algorithms, the probability of 𝒜 successfully attacking the unforgeability of the SR-DIDs scheme is the same as the probability of ℬ successfully attacking the q-SDH assumption or the zero-knowledge, completeness, and soundness of the Fiat-Shamir NIZK proof protocol. However, the q-SDH assumption holds, and the Fiat-Shamir NIZK proof protocol satisfies zero knowledge, completeness, and soundness, so the advantage of 𝒜 is negligible, and the probability in Equation (2) is negligible. Thus, the SR-DIDs scheme satisfies unforgeability.

(3) Regulatory Reliability

Theorem 3.

If the SR-DIDs scheme satisfies unforgeability and regulatory correctness, then the SR-DIDs scheme satisfies regulatory reliability.

Proof. According to the regulatory reliability process defined in (3), if the regulator running the Supervise algorithm obtains a user identity regulatory key USK that does not belong to a corrupted user or has not appeared before, it means that the adversary 𝒜 can break the unforgeability of the SR-DIDs scheme and forge the regulator’s signature and π₁ to pass the blockchain consensus node verification. However, since the SR-DIDs scheme satisfies unforgeability, the probability of 𝒜 breaking the unforgeability of the SR-DIDs scheme is negligible. Additionally, from the algorithm (USK)←Supervise(UPDIDs, UPProof, RSK), it is known that the regulator can recover the identity regulatory key from the PDIDs’ regulatory information, satisfying traceability. Therefore, the probability in Equation (3) is negligible, and the SR-DIDs scheme satisfies regulatory reliability.

(4) Revocation Reliability

The SR-DIDs scheme uses blockchain technology for DID revocation, and the blockchain ensures tamper-resistance and transparency. If the status of DID changes, the ledger of all storage nodes on the blockchain will be updated, and all users will know that the DID has been revoked. Attackers cannot modify the ledger state or prevent the regulator from revoking DIDs unless they can compromise 1/3 of the nodes (if the blockchain uses the PBFT consensus algorithm) or 1/2 of the nodes (if the blockchain uses the Raft consensus algorithm), which is difficult to achieve in practice. Therefore, the SR-DIDs scheme satisfies revocation reliability.

6. Regulatorily accountable and revocable VC privacy protection scheme

6.1. Scheme definition

The SR-PP-VC scheme consists of eight main algorithms, described as follows:

(1) Public System Parameter GenerationSetUp(1^λ)→pp: Input the system security parameter 1^λ and output the system public parameters pp.

(2) VC Issuer Key GenerationVCIssuerKeyGen(pp)→(VCISK, VCIPK): Executed by the VC issuer, input the public parameters pp, and output the VC issuer’s private key VCISK and public key VCIPK.

(3) VC Request GenerationVCRequestGen(pp, m, VCIPK, VCDIDs)→(VCReq): Executed by the user, input the public parameters pp, attribute information m, the VC issuer’s public key VCIPK, and the identifier VCDIDs used when applying for the VC. Output the VC request VCReq.

(4) VC GenerationVCGen(pp, VCReq, VCISK, VCIPK)→(VC): Executed by the VC issuer, input the public parameters pp, the user’s VC request VCReq, the VC issuer’s private key VCISK, and the VC issuer’s public key VCIPK. Output VC signed by the VC issuer.

(5) VC RevocationVCRev(VCISK, VCIPK, VC)→(VCIPK′): Executed by the VC issuer, input the VC issuer’s private key VCISK, the VC issuer’s public key VCIPK, and the VC to be revoked. Output the updated VC issuer’s public key VCIPK′.

(6) VC UpdateVCUpdate(VCIPK′,VC)→(VC′): Executed by the user with a non-revoked VC, input the updated VC issuer’s public key VCIPK′ and their VC. Output the updated VC′, which the user needs to use for future presentations.

(7) VP GenerationVPGen(pp, VCIPKSet, VCSet, dSet, VPDIDs, d_vp)→(VP): Executed by the user, input the public parameters pp, the set of VCs to be combined into the VP VCSet, the set of public keys corresponding to the VCs VCIPKSet, the set of keys corresponding to the VCs’ DIDs dSet, the identifier VCDIDs used for the VP presentation, and the key d_vp corresponding to this identifier. Output the selectively disclosed verifiable presentation VP.

(8) VP VerificationVPVer(pp, VCIPKSet, VP, VPDIDs)→(0/1): Executed by the verifier, input the public parameters pp, the selectively disclosed presentation VP, the set of public keys of the VC issuers included in the presentation VCIPKSet, and the identifier VCDIDs used for the presentation. Output 0 or 1, where 1 indicates the verification is successful, and 0 indicates failure.

6.2. Security model

The security properties of the SR-PP-VC scheme include anonymity, unforgeability, regulatory reliability, and revocation reliability. This scheme constructs a formal definition of security properties using a single VC issuer and a VP composed of a single VC. If an extension to multiple VC issuers and VPs composed of multiple VCs is required, the corresponding public and private keys for the issuers need to be generated. The scheme uses the following lists and oracles to describe the security model:

ℒ_{H_U}, ℒ_{C_U}: Lists of honest and corrupt users, respectively, recording the indices i of honest and corrupt users, ℒ_{H_U} ∩ ℒ_{C_U} = ⌀.

ℒ_DIDs, ℒ_{DIDs_sk}: Lists of users’ DIDs (including MDIDs and PDIDs) and the corresponding keys.

ℒ_Owner, ℒ_VC, ℒ_m, ℒ_VCDIDs: Lists of VC owners, VCs, VC attribute sets, and DIDs used to apply for VCs, respectively. Elements in ℒ_Owner, ℒ_VC, ℒ_m and ℒ_VCDIDs correspond one-to-one.

ℒ_VP, ℒ_VPDIDs: Lists of VPs and the DIDs used to present the VPs, recording the VPs that users have presented and the DIDs used during the presentation.

ℒ_RevVC: List of revoked VCs.

Oracle for Honest Users 𝒪_{H_U}(i): Adversary 𝒜 queries this oracle with user identifier i to add new user i, if i ∉ ℒ_{H_U} ∪ ℒ_{C_U}, executing ℒ_{H_U} = ℒ_{H_U} ∪ {i}.

Oracle for Corrupt Users 𝒪_{C_U}(i): Adversary 𝒜 queries this oracle with user identifier i to obtain all identity information of the user, including the VCs the user owns, the set of DIDs, and the corresponding keys.

Oracle for VC 𝒪_VC(i, m): Adversary 𝒜 queries this oracle with user identifier i and attribute information m to generate a VC for the user. If i ∉ ℒ_{H_U}, return ⊥. Otherwise, randomly select VCDIDs ∈ ℒ_DIDs[i] and ensure VCDIDs ∩ ℒ_VCDIDs = ⌀. Execute the VCRequestGen and VCGen algorithms, updating (ℒ_Owner, ℒ_VC, ℒ_m, ℒ_VCDIDs)=({i},{VC},{m},{VCDIDs}) ∪ (ℒ_Owner, ℒ_VC, ℒ_m, ℒ_VCDIDs), and return ⊤.

Oracle for VC Request 𝒪_VCReq(i, m): Adversary 𝒜 queries this oracle with user identifier i and attribute information m to obtain a VC request. If i ∉ ℒ_{H_U}, return ⊥. Otherwise, randomly select VCDIDs ∈ ℒ_DIDs[i] and ensure VCDIDs ∩ ℒ_VCDIDs = ⌀. Execute the VCRequestGen algorithm, updating (ℒ_Owner, ℒ_VC, ℒ_m, ℒ_VCDIDs)=({i},{⊥},{m},{VCDIDs}) ∪ (ℒ_Owner, ℒ_VC, ℒ_m, ℒ_VCDIDs), and return VCReq, VCDIDs.

Oracle for VC Generation 𝒪_VCGen(i, m, VCDIDs, VCReq): Adversary 𝒜 queries this oracle with user identifier i, attribute information m, the identifier VCDIDs used to apply for the VC, and the VC request parameters VCReq to obtain a VC. If i ∉ ℒ_{H_U}, return ⊥. Otherwise, execute the VCGen algorithm, updating (ℒ_Owner, ℒ_VC, ℒ_m, ℒ_VCDIDs)=({i},{VC},{m},{VCDIDs}) ∪ (ℒ_Owner, ℒ_VC, ℒ_m, ℒ_VCDIDs), and return VC.

Oracle for VP Generation 𝒪_VP(j): Adversary 𝒜 queries this oracle with VC index j to obtain a VP. Assume i = ℒ_Owner[j]. If i ∉ ℒ_{H_U} or ℒ_VC[j]∈ℒ_RevVC, return ⊥. Otherwise, set VCDIDs = ℒ_VCDIDs[j] and d_vc as the corresponding key. Randomly select VPDIDs ∈ ℒ_DIDs[i] and its corresponding key d_vp, ensuring VPDIDs ∩ ℒ_VPDIDs = ⌀. Execute VPGen(pp, VCIPK, ℒ_VC[j],d_vc, VPDIDs, d_vp)→(VP), and update (ℒ_VP, ℒ_VPDIDs)=(ℒ_VP, ℒ_VPDIDs)∪({VP},{VPDIDs}), then return VP, VPDIDs.

Oracle for VC Revocation 𝒪_VCRev(j): Adversary 𝒜 queries this oracle with VC index j to revoke the VC. Execute VCRev(VCISK, VCIPK, ℒ_VC[j]) → (VCIPK) and update ℒ_RevVC = ℒ_RevVC ∪ {ℒ_VC[j]}. For all k < ℒ_VC.length and k ≠ j, execute (VCUpdate(VCIPK, ℒ_VC[k]) → ℒ_VC[k]). Finally, return VCIPK.

(1) Anonymity

In the SR-PP-VC scheme, anonymity is defined as except for the regulator, no other entities can infer a user’s identity information through DIDs. Additionally, VC issuers and verifiers can only access the necessary disclosed information within the user’s VC or VP and cannot learn more about the user’s identity attributes. Even if the same credential is used with different DIDs to disclose different attributes at different times, verifiers cannot link these presentations to the same user or credential, ensuring the unlinkability of DIDs and VPs.

Definition 4.

For any probabilistic polynomial-time adversary 𝒜, if 𝒜 can make a polynomially bounded number of queries to the oracle list 𝒪 = {𝒪_{H_U}, 𝒪_{C_U}, 𝒪_VC, 𝒪_VCReq, 𝒪_VP}, and the probability in Equation (4) is negligible, then the SR-PP-VC scheme satisfies anonymity.

$\begin{matrix} \begin{matrix} P r [\begin{matrix} S e t U p (1^{λ}) \to p p ; \\ V C I s s u e r K e y G e n (p p) \to (V C I S K, V C I P K) ; \\ A^{O} (p p, V C I P K) \to {i_{0}, i_{1}, m^{*}} ; \\ C (p p, i_{b}, m^{*}) \to ({VP}_{i_{b}}, {VPDIDs}_{i_{b}}) ; \\ A (p p, {VP}_{i_{b}}, {VPDIDs}_{i_{b}}) \to b^{*} \end{matrix} : b^{*} = b] - \frac{1}{2} \end{matrix} \end{matrix}$ $\begin{aligned} \begin{matrix} Pr\left[\begin{matrix} SetUp\left( 1^{\lambda } \right) \rightarrow pp; \\ VCIssuerKeyGen(pp) \rightarrow (VCISK,VCIPK); \\ \mathcal{A} ^{\mathcal{O} }(pp,VCIPK) \rightarrow \left\{ i_{0},i_{1},m^{*} \right\} ; \\ \mathcal{C} \left( pp,i_{b},m^{*} \right) \rightarrow \left( {VP}_{i_{b}},{VPDIDs}_{i_{b}} \right); \\ \mathcal{A} \left( pp,{VP}_{i_{b}},{VPDIDs}_{i_{b}} \right) \rightarrow b^{*} \\ \end{matrix}:b^{*} = b \right]- \frac{1}{2} \\ \end{matrix} \end{aligned}$ (4)

(2) Unforgeability

In the SR-PP-VC scheme, unforgeability is defined as without the VC issuer’s private key, no attacker can generate a verifiable VP, even if they have obtained multiple VPs from honest users. Additionally, users cannot modify any attribute values in an issued VC.

Definition 5.

For any PPT adversary 𝒜, if 𝒜 can make a polynomially bounded number of queries to the oracle list 𝒪 = {𝒪_{H_U}, 𝒪_{C_U}, 𝒪_VC, 𝒪_VCGen, 𝒪_VP}, and the probability in Equation (5) is negligible, then the SR-PP-VC scheme satisfies unforgeability.

$\begin{matrix} \begin{matrix} P r [\begin{matrix} S e t U p (1^{λ}) \to p p ; \\ V C I s s u e r K e y G e n (p p) \to (V C I S K, V C I P K) ; \\ A^{O} (p p, V C I P K) \to ({VP}^{*}, {VPDIDs}^{*}, m^{*}) ; \\ V P V e r (p p, V C I P K, {VP}^{*}, {VPDIDs}^{*}) \to b^{*} : \\ (b^{*} = 1), (m^{*} \notin L_{m} \lor \\ ({VP}^{*} \notin L_{VP}, {VPDIDs}^{*} \notin L_{VPDIDs})) \end{matrix}] \end{matrix} \end{matrix}$ $\begin{aligned} \begin{matrix} Pr\begin{bmatrix} SetUp\left( 1^{\lambda } \right) \rightarrow pp; \\ VCIssuerKeyGen(pp) \rightarrow (VCISK,VCIPK); \\ \mathcal{A} ^{\mathcal{O} }(pp,VCIPK) \rightarrow \left( {VP}^{*},{VPDIDs}^{*},m^{*} \right); \\ VPVer\left( pp,VCIPK,{VP}^{*},{VPDIDs}^{*} \right) \rightarrow b^{*}: \\ (b^{*} = 1) , (m^{*} \notin \mathcal{L} _{m} \vee \\ ({VP}^{*} \notin \mathcal{L} _{VP} , {VPDIDs}^{*} \notin \mathcal{L} _{VPDIDs})) \\ \end{bmatrix} \end{matrix} \end{aligned}$ (5)

(3) Regulatory Reliability

In the SR-PP-VC scheme, regulatory reliability is defined as the regulator can correctly trace a user’s real identity information from the DIDs associated with the selectively disclosed VC.

(4) Revocation Reliability

In the SR-PP-VC scheme, revocation reliability is defined as: users with revoked VCs cannot forge a valid VC.

Definition 6.

For any PPT adversary 𝒜, if 𝒜 can make a polynomially bounded number of queries to the oracle list 𝒪 = {𝒪_{H_U}, 𝒪_{C_U}, 𝒪_VC, 𝒪_VCGen, 𝒪_VP, 𝒪_VCRev}, and the probability in Equation (6) is negligible, then the SR-PP-VC scheme satisfies revocation reliability.

$\begin{matrix} \begin{matrix} P r [\begin{matrix} S e t U p (1^{λ}) \to p p ; \\ V C I s s u e r K e y G e n (p p) \to (V C I S K, V C I P K) ; \\ A^{O} (p p, V C I P K, V C \in L_{RevVC}, V P D I D s) \to ({VP}^{*}) ; \\ V P V e r (p p, V C I P K, {VP}^{*}, V P D I D s) \to b^{*} : \\ b^{*} = 1 \end{matrix}] \end{matrix} \end{matrix}$ $\begin{aligned} \begin{matrix} Pr\begin{bmatrix} SetUp\left( 1^{\lambda } \right) \rightarrow pp; \\ VCIssuerKeyGen(pp) \rightarrow (VCISK,VCIPK); \\ \mathcal{A} ^{\mathcal{O} }\left( pp,VCIPK,VC \in \mathcal{L} _{RevVC},VPDIDs \right) \rightarrow \left( {VP}^{*} \right); \\ VPVer\left( pp,VCIPK,{VP}^{*},VPDIDs \right) \rightarrow b^{*}: \\ b^{*} = 1 \\ \end{bmatrix} \end{matrix} \end{aligned}$ (6)

6.3. Scheme design

(1) SetUp(1^λ)→pp: This algorithm is the same as the SetUp algorithm in the SR-DIDs scheme. Output public parameters pp = (p, 𝔾₁, 𝔾₂, 𝔾_T, ℤ_p, g₁, g₂, e, ℋ, DR).

(2) VCIssuerKeyGen(pp)→(VCISK, VCIPK): The VC issuer selects an integer x ∈ ℤ_p and computes $\bar{X} = g_{2}^{x}$ $\overline{X} = g_{2}^{x}$ . Assume the number of attributes in the issued VC is l, set the attribute name list as AttrNames = [name₁, …, name_l], and randomly choose HATTR = (HAttr₁, …, HAttr_l)←𝔾₁. Then choose ${\tilde{g}}_{1} \leftarrow G_{1}$ ${\widetilde{g}}_{1} \leftarrow \mathbb{G}_{1}$ , initialize the accumulator $Δ = {\tilde{g}}_{1}$ $\mathrm{\Delta} = {\widetilde{g}}_{1}$ , and generate an empty VC revocation list VCRList = ⌀. Finally, output the VC issuer’s private key VCISK = x and public key $V C I P K = (\bar{X}, A t t r N a m e s, H A T T R, Δ, V C R L i s t)$ $VCIPK = (\overline{X},AttrNames,HATTR,\mathrm{\Delta},VCRList)$ . The VC issuer stores VCISK locally and uploads VCIPK to the blockchain in the issuer’s corresponding DID document.

(3) VCRequestGen(pp, m, VCIPK, VCDIDs)→(VCReq): Users can apply for a VC using any of their DIDs. Assume the DID used is VCDIDs = DSK^umsk ⋅ DRand^d_vc. The user provides their attribute information m based on the attribute name list AttrName, let m = (m₁, …, m_l)∈ℤ_p. The user’s attribute values are divided into two types: attributes to be hidden from the VC issuer (set HI) and attributes that do not need to be hidden (set NHI). The user computes the commitment of the hidden attributes: C_HI = g₁∏_i ∈ HIHAttr_i^m_i. The VC request parameters are VCReq = (C_HI, (m_i)_{i ∈ NHI}), which are sent to the VC issuer via VCDIDs.

(4) VCGen(pp, VCReq, VCISK, VCIPK)→(VC):

① The VC issuer verifies the validity of the applicant’s VCDIDs and (m_i)_{i ∈ NHI}. If valid, the issuer signs the user’s attributes. First, compute C = C_HI ⋅ VCDIDs ⋅ Δ ⋅ ∏_{i ∈ NHI}HAttr_i^m_i. Then, select an integer k ∈ ℤ_p and compute the BBS signature A = C^{1/(x + k)} and the validity proof Valid = Δ^{1/(x + k)}. Finally, send the attribute signature Sign = (A, C, k, Valid) to the user and store (Sign, VCDID, k, C_HI, (m_i)_{i ∈ NHI}) in the local database.

② Upon receiving Sign, the user can verify its validity by checking if $C = g_{1} \cdot V C D I D s \cdot Δ \cdot \prod_{i}^{l} {HAttr}_{i}^{m_{i}}$ $C = g_{1} \cdot VCDIDs \cdot \mathrm{\Delta} \cdot \prod_{i}^{l}{{HAttr}_{i}}^{m_{i}}$ and $e (A \cdot V a l i d, \bar{X}) = e (C \cdot A^{- k} \cdot Δ \cdot {Valid}^{- k}, g_{2})$ $e( A \cdot Valid,\overline{X} ) = e( C \cdot A^{- k} \cdot \mathrm{\Delta} \cdot {Valid}^{- k},g_{2} )$ hold. If valid, the user generates the VC certificate VC = (A, C, k, Valid, m) and stores it locally; otherwise, the signature is invalid.

(5) VCRev(VCISK, VCIPK, VC)→ (VCIPK′): The VC issuer first finds the information related to the VC to be revoked $(Sign', VCDIDs', k', C_{HI}', {(m_{i}')}_{i \in N H I})$ $({Sign}\prime,{VCDIDs}\prime,k\prime,{C_{HI}}\prime,{(m_{i}\prime)}_{i \in NHI})$ in the local database. Set VCRList = VCRList ∪ {k′} and update the revocation accumulator Δ_new = Δ^{1/(x + k′)}. Finally, update the issuer’s public key on the blockchain to $VCIPK' = (\bar{X}, A t t r N a m e s, H A T T R, Δ_{new}, V C R L i s t)$ ${VCIPK}\prime = (\overline{X},AttrNames,HATTR,\mathrm{\Delta}_{new},VCRList)$ .

(6) VCUpdate(VCIPK′,VC)→ (VC′): Users can check if the issuer’s public key has been updated. If updated and the revoked VCs does not belong to them, they need to update their VC. First, update the validity proof Valid_new = (Valid/Δ_new)^1/(k′−k). Then, update the VC signature A_new = A ⋅ Valid_new/Valid. Finally, update their VC to VC′=(A_new, k, Valid_new, m).

(7) VPGen(pp, VCIPKSet, VCSet, dSet, VPDIDs, d_vp)→(VP): Users can combine n VCs into a single VP, using any DID for presentation, and selectively disclose attributes. The variables in this algorithm are explained in Table 1.

Table 1.

Variable definition and explanation

① Compute C_{DI_j} = g₁ ⋅ VPDIDs ⋅ Δ_j ⋅ ∏_{i ∈ DI_j}HAttr_j, i^m_j, i for all j ∈ N. Randomly select r₃ ∈ ℤ_p and compute ${\bar{A}}_{j} = A_{j}^{r_{3}}$ ${\overline{A}}_{j} = A_{j}^{r_{3}}$ for all j ∈ N, ${\bar{F}}_{j} = {(C_{j} \cdot A_{j}^{- k_{j}})}^{r_{3}}$ ${\overline{F}}_{j} = ( C_{j} \cdot A_{j}^{- k_{j}} )^{r_{3}}$ for all j ∈ N, and let $\bar{G} = \prod_{j \in N} {\bar{F}}_{j}$ $\overline{G} = \prod_{j \in N}{\overline{F}}_{j}$ , t_dj = d_vcj − d_vp for all j ∈ N.

② Compute the zero-knowledge proof ${π_{2} = N I Z K - P o K}_{2} {r_{3}, {(k_{j})}_{j \in N}, {(t_{dj})}_{j \in N}, {(m_{j, i})}_{j \in N, i \in {NDI}_{j}} | \bar{G}$ ${\pi_{2} = NIZK - PoK}_{2}\{ r_{3},( k_{j})_{j \in N},{(t_{dj})}_{j \in N},{(m_{j,i})}_{j \in N,i \in {NDI}_{j}}|\overline{G}$ = ${\prod_{j \in N} ((C_{{DI}_{j}} \cdot {DRand}^{t_{dj}} \cdot \prod_{i \in N D I} {HAttr}_{j, i}^{m_{j, i}})}^{r_{3}} \cdot {\bar{A}}_{j}^{- k_{j}})}$ ${\prod_{j \in N}((C_{{DI}_{j}} \cdot {DRand}^{t_{dj}} \cdot \prod_{i \in NDI}{{HAttr}_{j,i}}^{m_{j,i}})}^{r_{3}} \cdot {{\overline{A}}_{j}}^{- k_{j}})\}$ : Randomly select ${\bar{r}}_{3}$ ${\overline{r}}_{3}$ , ${({\bar{r}}_{k_{j}})}_{j \in N}$ ${({\overline{r}}_{k_{j}})}_{j \in N}$ , ${({\bar{r}}_{t_{j}})}_{j \in N}$ ${({\overline{r}}_{t_{j}})}_{j \in N}$ , ${{(\bar{δ}}_{j, i})}_{j \in N, i \in {NDI}_{j}} \in Z_{p}$ ${{(\overline{\delta}}_{j,i})}_{j \in N,i \in {NDI}_{j}} \in \mathbb{Z}_{p}$ , and compute the auxiliary value $\bar{G}' = \prod_{j \in N} ({C_{{DI}_{j}}}^{{\bar{r}}_{3}} \cdot {\bar{A}}_{j}^{- {\bar{r}}_{k_{j}}} \cdot {DRand}^{{\bar{r}}_{t_{j}}} \cdot \prod_{i \in {NDI}_{j}} {HAttr}_{j, i}^{{\bar{δ}}_{j, i}})$ ${\overline{G}}\prime = \prod_{j \in N}{({C_{{DI}_{j}}}^{{\overline{r}}_{3}} \cdot {\overline{A}}_{j}^{- {\overline{r}}_{k_{j}}} \cdot {DRand}^{{\overline{r}}_{t_{j}}} \cdot \prod_{i \in {NDI}_{j}}{{HAttr}_{j,i}}^{{\overline{\delta}}_{j,i}})}$ . Compute the challenge value $c_{2} = H (V P D I D s, {{(\bar{A}}_{j})}_{j \in N}, \bar{G}, \bar{G}')$ $c_{2}\mathcal{= \ H(}VPDIDs,{{(\overline{A}}_{j})}_{j \in N},\overline{G},{\overline{G}}\prime)$ and $s_{r_{3}} = {\bar{r}}_{3} + c_{2} \cdot r_{3}$ $s_{r_{3}} = {\overline{r}}_{3} + c_{2} \cdot r_{3}$ , $s_{k_{j}} = {\bar{r}}_{k_{j}} + c_{2} \cdot k_{j}$ $s_{k_{j}} = {\overline{r}}_{k_{j}} + c_{2} \cdot k_{j}\$ , $s_{t_{j}} = {\bar{r}}_{t_{j}} + c_{2} \cdot t_{dj} \cdot r_{3}$ $s_{t_{j}} = {\overline{r}}_{t_{j}} + c_{2} \cdot t_{dj} \cdot r_{3}$ and $s_{δ_{j, i}} = {\bar{δ}}_{j, i} + c_{2} \cdot r_{3} \cdot m_{j, i}$ $s_{\delta_{j,i}} = {\overline{\delta}}_{j,i} + c_{2} \cdot r_{3} \cdot m_{j,i}$ for all j ∈ N and i ∈ NDI_j. Let π₂ = (c₂, s_r₃, (s_{k_j})_j ∈ N, (s_{t_j})_j ∈ N, (s_{δ_j, i})_{j ∈ N, i ∈ NDI_j}).

③ Finally, generate $V P = ({({\bar{A}}_{j})}_{j \in N}, \bar{G}, {(m_{j, i})}_{j \in N, i \in {DI}_{j}}, π_{2})$ $VP = ({({\overline{A}}_{j})}_{j \in N},\overline{G},{(m_{j,i})}_{j \in N,i \in {DI}_{j}},\pi_{2})$ and send VP to the verifier via VPDIDs.

(8) VPVer(pp, VCIPKSet, VP, VPDIDs)→(0/1): Upon receiving the VP, the verifier first checks if $\prod_{j \in N} (e ({\bar{A}}_{j}, {\bar{X}}_{j})) = e (\bar{G}, g_{2})$ $\prod_{j \in N}( e({\overline{A}}_{j},{\overline{X}}_{j}) ) = e(\overline{G},g_{2})$ . If not, the VP is invalid. Otherwise, proceed to zero-knowledge proof verification:

① Compute the auxiliary value C_{DI_j} = g₁ ⋅ VPDIDs ⋅ Δ_j ⋅ ∏_{i ∈ DI_j}HAttr_j, i^m_j, i for all j ∈ N and $\bar{G} ″ = {\bar{G}}^{- c_{2}} \cdot \prod_{j \in N} ({C_{{DI}_{j}}}^{s_{r_{3}}} \cdot {\bar{A}}_{j}^{- s_{k_{j}}} \cdot {DRand}^{s_{t_{j}}} \cdot \prod_{i \in {NDI}_{j}} {HAttr}_{j, i}^{s_{δ_{j, i}}})$ ${\overline{G}}\prime\prime = {\overline{G}}^{- c_{2}} \cdot \prod_{j \in N}{({C_{{DI}_{j}}}^{s_{r_{3}}} \cdot {\overline{A}}_{j}^{- s_{k_{j}}} \cdot {DRand}^{s_{t_{j}}} \cdot \prod_{i \in {NDI}_{j}}{{HAttr}_{j,i}}^{s_{\delta_{j,i}}})}$ , where Δ_j should be the latest value on the blockchain.

② Compute the challenge value $c_{2}' = H (V P D I D s, {{(\bar{A}}_{j})}_{j \in N}, \bar{G}, \bar{G} ″)$ $c_{2}\prime\mathcal{= \ H(}VPDIDs,{{(\overline{A}}_{j})}_{j \in N},\overline{G},{\overline{G}}\prime\prime)$ ;

③ Verify if $c_{2}' = c_{2}$ $c_{2}\prime = c_{2}$ . If so, the VP is valid, output 1; otherwise, output 0.

6.4. Security analysis

(1) Anonymity

bold>Theorem 4.

If the SR-DIDs scheme satisfies anonymity, the Pedersen commitment scheme satisfies hiding, and the Fiat-Shamir non-interactive zero-knowledge (NIZK) proof protocol satisfies zero-knowledge, then the SR-PP-VC scheme satisfies anonymity.

Proof. If an adversary 𝒜 can successfully attack the anonymity of the SR-PP-VC scheme with non-negligible probability, then it is possible to construct an algorithm ℬ that can attack the anonymity of the SR-DIDs scheme, the hiding property of the Pedersen commitment, or the zero-knowledge property of the Fiat-Shamir NIZK proof protocol with the same probability. The interaction between 𝒜 and ℬ is as follows:

① Setup Phase: ℬ constructs the system parameters pp and the VC issuer’s public key VCIPK for the SR-PP-VC scheme based on the anonymity of the SR-DIDs scheme, the hiding property of the Pedersen commitment, and the zero-knowledge property of the NIZK proof protocol. ℬ then sends (pp, VCIPK) to 𝒜.

② Query Phase I: 𝒜 can make a polynomially bounded number of queries to ℬ. ℬ follows the procedures of the oracles 𝒪_{H_U}, 𝒪_{C_U}, 𝒪_VC, 𝒪_VCReq, 𝒪_VP and returns the results to 𝒜. During the generation of DIDs, the calculation of hidden attribute commitments, and the generation of zero-knowledge proofs, ℬ obtains results from the anonymity of the SR-DIDs scheme, the Pedersen commitment scheme, and the NIZK proof protocol simulation games.

③ Challenge Phase: 𝒜 first selects two honest users i₀, i₁ and attribute information m^* and sends them to ℬ. ℬ then forwards them to the SR-DIDs anonymity, Pedersen commitment hiding, and NIZK proof protocol simulation games, obtaining the results (SVC_{i_b}, SVCDIDs_{i_b}), and sends them to 𝒜.

④ Query Phase II: 𝒜 continues querying as in Query Phase I but cannot query the oracle 𝒪_{C_U} for users i₀, i₁.

⑤ Guessing Phase: 𝒜 guesses b and outputs b′. ℬ forwards b′ to the SR-DIDs anonymity, Pedersen commitment hiding, and NIZK-proof can successfully attack the anonymity of the SR-DIDs scheme, the hiding property of the Pedersen commitment, or the zero-knowledge property of the Fiat-Shamir NIZK proof protocol, then 𝒜 can succeed in the anonymity experiment of the SR-PP-VC scheme. However, since the SR-DIDs scheme satisfies anonymity, the Pedersen commitment scheme satisfies hiding, and the Fiat-Shamir NIZK proof protocol satisfies zero-knowledge, the probability of 𝒜 winning is negligible, i.e., the probability in Equation (4) is negligible. Therefore, the SR-PP-VC scheme satisfies anonymity.

(2) Unforgeability

Theorem 5.

If the BBS signature scheme satisfies SUF-CMA security, the Pedersen commitment scheme satisfies binding, and the zero-knowledge proof π₂ satisfies zero-knowledge, completeness, and soundness, then the SR-PP-VC scheme satisfies unforgeability.

Proof. Suppose 𝒜 is an adversary of the unforgeability of the SR-PP-VC scheme, ℬ is an algorithm that attacks the SUF-CMA security of the BBS signature scheme, the binding property of the Pedersen commitment, or the zero-knowledge, completeness, and soundness of the Fiat-Shamir NIZK proof protocol, and 𝒞_BBS is the challenger of the SUF-CMA security of the BBS signature scheme, 𝒞_Pedersen is the challenger of the binding property of the Pedersen commitment, and 𝒮 is the simulator for generating the zero-knowledge proof π₂. The interaction between 𝒜 and ℬ is as follows:

① Setup Phase: 𝒞_BBS generates the public parameters $(g_{1}, g_{2}, \bar{X} = g_{2}^{x})$ $(g_{1},g_{2},\overline{X} = \ g_{2}^{x})$ for the SUF-CMA security game of the BBS signature scheme, and 𝒞_Pedersen generates the public parameters (HAttr₁, …, HAttr_l) for the binding property game of the Pedersen commitment. ℬ constructs (pp, VCIPK) based on these public parameters and sends them to 𝒜.

② Query Phase: 𝒜 can make q queries to ℬ. ℬ follows the procedures of the oracles 𝒪_{H_U}, 𝒪_{C_U}, 𝒪_VC, 𝒪_VCGen, 𝒪_VP. For parts involving signatures, ℬ constructs the commitment value to be signed and sends it to 𝒞_BBS for signing, then sends the result to ℬ. For parts involving attribute commitment calculations, 𝒞_Pedersen performs the calculations and sends the results to ℬ. For parts involving the generation of the zero-knowledge proof π₂, 𝒮 runs the simulation. Finally, ℬ returns the results to 𝒜.

③ Forgery Phase: 𝒜 constructs a verifiable presentation VP^* about the attribute information m^* and its corresponding identifier VPDIDs^* for user i, and sends (VP^*, VPDIDs^*, m^*) to ℬ.

④ Judgment Phase: If VP^* passes verification and $(m^{*} \notin L_{m} \lor ({VP}^{*} \notin L_{VP} \land {VPDIDs}^{*} \notin L_{VPDIDs}))$ $(m^{*} \notin \mathcal{L}_{m} \vee ({VP}^{*} \notin \mathcal{L}_{VP} \land {VPDIDs}^{*} \notin \mathcal{L}_{VPDIDs}))$ , then 𝒜 has successfully attacked. At this point, ℬ forwards $({\bar{A}}^{*}, {\bar{G}}^{*})$ $\ ({\overline{A}}^{*},{\overline{G}}^{*})$ to 𝒞_BBS and 𝒞_Pedersen, and the knowledge proof $π_{2}^{*}$ $\pi_{2}^{*}$ to 𝒮.

It is evident that 𝒜’s observations in the SR-PP-VC scheme’s unforgeability experiment are equivalent to those in ℬ’s experiment. Since both 𝒜 and ℬ are PPT algorithms, the probability of 𝒜 successfully attacking the unforgeability of the SR-PP-VC scheme is the same as the probability of ℬ successfully attacking the SUF-CMA security of the BBS signature scheme, the binding property of the Pedersen commitment, or the zero-knowledge, completeness, and soundness of the Fiat-Shamir NIZK proof protocol. However, since the BBS signature scheme satisfies SUF-CMA security, the Pedersen commitment satisfies binding, and the Fiat-Shamir NIZK proof protocol satisfies zero-knowledge, completeness, and soundness, the probability in Equation (5) is negligible. Therefore, the SR-PP-VC scheme satisfies unforgeability.

(3)Regulatory Reliability

Theorem 6.

If the SR-DIDs scheme satisfies regulatory reliability, then the SR-PP-VC scheme satisfies regulatory reliability.

Proof. Since the DIDs in the SR-PP-VC scheme are generated based on the SR-DIDs scheme, and users must disclose the corresponding DIDs each time they apply for and present a credential, the regulator can reliably monitor user identity information.

(4) Revocation Reliability

Theorem 7.

If the BBS signature scheme satisfies SUF-CMA security and the zero-knowledge proof π₂ satisfies zero-knowledge, completeness, and soundness, then the SR-PP-VC scheme satisfies revocation reliability.

Proof. For the specific scheme, when a user attempts to construct a false VP with selective disclosure, there are three possible cases:

① Case 1: The user continues to generate the VP as usual. Since Δ_new ≠ Δ, the user’s calculated C_DI = g₁ ⋅ VPDIDs ⋅ Δ ⋅ ∏_i ∈ DIHAttr_i^m_i will not equal the verifier’s calculated C_DI = g₁ ⋅ VPDIDs ⋅ Δ_new ⋅ ∏_i ∈ DIHAttr_i^m_i. Consequently, $\bar{G} \neq \bar{G}'$ $\overline{G} \neq {\overline{G}}\prime$ , and due to the collision resistance of the hash function, $c_{2} \neq c_{2}'$ $c_{2} \neq c_{2}\prime$ .

② Case 2: The user calculates C_DI = g₁ ⋅ VPDIDs ⋅ Δ_new ⋅ ∏_i ∈ DIHAttr_i^m_i using Δ_new. However, $A \neq {(C_{DI} \cdot {DRand}^{t_{3}} \cdot \prod_{i \in N D I} {HAttr}_{i}^{m_{i}})}^{1 / (x + k)}$ $A \neq {(C_{DI} \cdot {DRand}^{t_{3}} \cdot \prod_{i \in NDI}{{HAttr}_{i}}^{m_{i}})}^{1/(x + k)}$ . Therefore, $\bar{G} \neq \bar{G}'$ $\overline{G} \neq {\overline{G}}\prime$ , and $c_{2} \neq c_{2}'$ $c_{2} \neq c_{2}\prime$ .

③ Case 3: The user can construct a VP based on the revoked VC that passes verification. This implies the ability to break the SUF-CMA security of the BBS signature scheme. In this scheme, the accumulator acts as one of the attributes signed by the VC issuer. If verification is successful, it indicates that a forged signature m^* ≠ m_i was created in the SUF-CMA security game of the BBS signature scheme, thus breaking its SUF-CMA security.

In conclusion, the SR-PP-VC scheme satisfies revocation reliability.

7. Scheme analysis and comparison

7.1. Security comparison

The security comparison of the SR-DIDs scheme, SR-PP-VC scheme, and related works are shown in Tables 2 and 3, respectively. It can be seen that, compared to other similar schemes, the proposed schemes in this paper provide more comprehensive security and privacy protection measures.

Table 2.

Comparison of security between SR-DIDs and related schemes

Table 3.

Comparison of security between SR-PP-VC and related schemes

7.2. Performance testing

The experiments were conducted on a PC running Windows 10 Professional 64-bit, equipped with Intel(R) Core(TM) i7-11700 @ 2.50GHz processor and 16GB of RAM. The simulation tests used Hyperledger Fabric blockchain version 2.5.4, deployed via Docker with 2 peer nodes and 1 order node. The development was done in JAVA, utilizing the BLS12-381 bilinear pairing curves [36], implemented using the MIRACL library, and the SHA-384 algorithm for the hash function ℋ.

(1) Performance comparison of SR-DIDs scheme

This study implemented the ring signature-based regulatory scheme proposed in Reference [9] and the BBS04-SR-DIDs scheme designed based on the BBS04 group signature [14], as benchmarks for evaluating the performance of the SR-DIDs scheme. The BBS04-SR-DIDs scheme uses the original BBS04 group signature to construct the generation and verification mechanism of PDIDs, while SR-DIDs employs an optimized group signature algorithm, demonstrating the effect of optimization.

For example, the space complexity comparison of generating a single proxy identity identifier among the three schemes is shown in Table 4, where ℤ_p, 𝔾₁, 𝔾₂, 𝔾_T represent the element lengths in the groups ℤ_p, 𝔾₁, 𝔾₂, 𝔾_T, respectively. In the BLS12-381 curve, their sizes are 48 bytes, 48 bytes, 96 bytes, and 576 bytes, respectively, and k is the number of ring signature members. In the BLS12-381 curve, the SR-DIDs scheme shows an increase in the space complexity of the regulator’s key pair and the user’s key compared to Reference [9], but since it is generated once and can be reused, the additional 336 bytes of space is negligible compared to modern storage capacities. In Reference [9], the complexity of identity generation increases with the number of ring signature members k, and its security is positively correlated with k, leading to higher overall space consumption. The SR-DIDs scheme and the BBS04-SR-DIDs scheme have limited differences, with only an additional 48 bytes.

Table 4.

Comparison of space complexity between SR-DIDs and related schemes

The time complexity of identity generation, verification, and regulation for the three schemes is also compared, as shown in Table 5, and implemented and tested through code. Here, E₁, M₁ represent exponentiation and multiplication operations in the group 𝔾₁, E_T, M_T represent exponentiation and multiplication operations in the group 𝔾_T, P represents bilinear pairing operations, and H represents hash operations. The experimental design follows the principle that the number of ring signature members in practical applications usually does not exceed 10, with k = 5 chosen for testing. Figure 3 shows the average time results for 100 executions of each scheme’s algorithm. The identity generation, verification, and regulation times for the SR-DIDs scheme are approximately 11.8 ms, 17.5 ms, and 0.81 ms, respectively.

Table 5.

Comparison of time complexity between SR-DIDs and related schemes

Figure 3.

Time comparison of identity identifier management

(2) Performance comparison of SR-PP-VC scheme

This study compares the space complexity of the SR-PP-VC scheme with the anonymous certificate management scheme (Idemix) on Hyperledger Fabric, using examples of issuer key pair storage, single VC storage, and VP generation, as shown in Table 6. The parameters l represent the number of attributes in a single credential, n represents the number of VCs in the VP, and h represents the total number of hidden attributes in the VP. Although Idemix does not have a direct implementation of VP, VP is essentially multiple VCs combined, so the complexity of managing a single credential in Idemix multiplied by the number of credentials n can be considered the VP management complexity for Idemix.

Table 6.

Comparison of space complexity between SR-PP-VC and idemix

This section also compares the time complexity of single credential application and issuance, update, and VP generation and verification for the SR-PP-VC scheme and the Idemix scheme, as shown in Table 7. Here, s represents the total number of attributes in each VC in the VP. The study tests and compares the management of a single credential for both schemes. In practical applications, the number of attributes in a single credential generally does not exceed 30, so tests were conducted for l = 5,10,20,30, and for h values at 0%, 20%, 40%, 60%, 80%, and 100% of l. The average time for 100 executions of single credential application and issuance, credential presentation, and verification are shown in Figure 4. When the number of credential attributes is 30, the SR-PP-VC scheme’s time for single credential application and issuance is approximately 9.6 ms, the time for full attribute hiding presentation is approximately 12.8 ms, and the verification time is approximately 15.9 ms, representing efficiency improvements of approximately 35.6%, 23.6%, and 13.4% over the Idemix scheme, respectively.

Table 7.

Comparison of time complexity between SR-PP-VC and idemix

Figure 4.

Time comparison of single credential management

(3) Contract testing

Based on the SR-DIDs and SR-PP-VC schemes, we deployed the MDIDs registration contract, DID document management contract, DIDs resolution contract, PDIDs verification contract, and DIDs revocation contract on Hyperledger Fabric. 12We used the Apache JMeter testing tool, with the number of test threads set to 10,000, to conduct average single-run time and TPS (transactions per second) tests for these contracts. The results are shown in Figure 5. The DID document management contract registers, updates, or disables DID documents on the blockchain, corresponding to the updating of VC issuer public keys in this paper.

Figure 5.

Test of smart contract

7.3. Result analysis

Based on the results of security analysis and performance analysis, the following conclusions can be drawn:

SR-DIDs Scheme: The complexities of identity generation, verification, and regulation in the SR-DIDs scheme are all constant, reducing computational and storage overhead compared to Reference [9]. While the SR-DIDs scheme consumes an additional 2|𝔾₁| − 1|ℤ_p| storage space for signatures compared to the original BBS04 group signature algorithm (generally not exceeding 100 bytes on mainstream bilinear pairing curves), it optimizes the time efficiency for identity generation and verification, improving generation efficiency by approximately 48% and verification efficiency by approximately 38%.

SR-PP-VC Scheme: Compared to the Idemix scheme, the SR-PP-VC scheme optimizes credential management and performance while adding regulatory and revocation mechanisms. It reduces storage overhead by (6n − 2)|ℤ_p| + (3n − 1)|𝔾₁|. Although the time complexity of VP generation in the SR-PP-VC scheme is O(s) compared to O(h) in the Idemix scheme, when the number of attributes in a single credential does not exceed 30, the overall efficiency of the SR-PP-VC scheme is superior to the Idemix scheme. Furthermore, as n increases, the SR-PP-VC scheme saves more time compared to the Idemix scheme, as shown in Table 7. For credential revocation, both the SR-PP-VC scheme and Reference [16] use accumulator technology. However, the SR-PP-VC scheme includes the credential revocation accumulator as one of the attributes signed by the issuer, allowing it to be verified along with other attributes, and reducing computational overhead. Additionally, the SR-PP-VC scheme does not require a fixed number of credential issuances, making it more suitable for practical scenarios.

PDIDs Verification Contract on Hyperledger Fabric: The throughput of the PDIDs verification contract in Hyperledger Fabric is 327, which is primarily due to the cryptographic operations involved in the verification process, as well as hardware limitations. However, in the context of regional equity markets, where the frequency of user identity management operations is relatively low and primarily focused on identity verification, credential management, and equity trading, this performance is sufficient to meet practical demands. Furthermore, deploying the system on a production-level Fabric network would significantly enhance performance by leveraging distributed nodes, more powerful hardware resources, and optimized consensus mechanisms. The dynamic expansion of nodes and organizations would also allow the system to scale effectively, ensuring stable operation under increased loads as the market grows.

In summary, the proposed distributed digital identity privacy protection scheme offers improvements in both security and performance compared to related works. Each algorithm operates at the millisecond level, meeting the requirements for blockchain identity management scenarios.

8. Conclusion

This paper designs a blockchain-driven, regulatorily accountable, and revocable distributed digital identity privacy protection scheme. While effectively protecting the privacy of entity identities, the scheme achieves reliable supervision and revocation of identity identifiers and credentials. By optimizing cryptographic algorithms, the efficiency of identity management is improved. Future research will focus on further optimizing the VP generation scheme to ensure that the size of VPs remains constant. Additionally, the concepts presented in this paper will be used to enhance and optimize more signature algorithms, enabling VC issuers to sign VCs using various signature schemes, thereby further enhancing system security.

Conflicts of Interest

The authors declare that they have no conflict of interest.

Data Availability

No data are associated with this article.

Authors’ Contributions

Jing He was responsible for the design of the proposed scheme, simulation experiments, and writing the paper; Xiaofeng Ma provided guidance on the innovation and architectural design of the scheme and reviewed and revised the paper; Dawei Zhang was responsible for the feasibility analysis of the paper’s proposal; Feng Peng was responsible for the verification of feasibility and experimental design.

Acknowledgments

We thank the anonymous reviewers for their helpful comments.

Funding

This work was supported by the National Key Research and Development Program of China. Research on Reliable Regulatory Technology Based on Blockchain of Regional Equity Market (2021YFC3340600).

References

Sporny M, Longley D and Sabadello M et al. Decentralized identifiers (DIDs) v1.0 core architecture, data model, and representations. [2024-03-26]. https://www.w3.org/TR/did-core/ [Google Scholar]
Chen XF, Song ZX, Zheng PY et al. A multichain-collaborating governing chain-supervising-chain supervision framework (in Chinese). J Comput Res Dev 2024; 61: 2290–2306. [Google Scholar]
Wang Z, Chen Q and Liu L. Permissioned blockchain-based secure and privacy-preserving data sharing protocol. IEEE Internet Things J 2023; 10: 10698–10707. [CrossRef] [Google Scholar]
Yao Q and Zhang D. Survey on identity management in blockchain (in Chinese). J Software 2021; 32: 2260–2286. [Google Scholar]
Wang C, Cheng J and Sang X et al. Data privacy-preserving for blockchain: State of the art and trends (in Chinese). J Comput Res Dev 2021; 58: 2099–2119. [Google Scholar]
Biryukov A and Tikhomirov S. Security and privacy of mobile wallet users in Bitcoin, Dash, Monero, and Zcash. Pervasive Mobile Comput 2019; 59: 101030. [CrossRef] [Google Scholar]
AbdulKader MM and Kumar SG. A privacy-preserving data transfer in a blockchain-based commercial real estate platform using random address generation mechanism. J Supercomput 2023; 79: 10796–10822. [CrossRef] [Google Scholar]
Li J, Wang Z and Guan S et al. ProChain: A privacy-preserving blockchain-based supply chain traceability system model. Comput Indust Eng 2024; 187: 109831. [CrossRef] [Google Scholar]
Song J, Zhang D and Han X et al. Supervised identity privacy protection scheme in blockchain (in Chinese). J Software 2023; 34: 3292–3312. [Google Scholar]
Zhao L, Zhong L and Zhang J. Traceable one-time address solution to the interactive blockchain for digital museum assets. Inf Sci 2023; 625: 157–174. [CrossRef] [Google Scholar]
Camenisch J, Mödersheim S and Sommer D. A formal model of identity mixer. In: Proc of the 15th International Workshop on Formal Methods for Industrial Critical Systems. Berlin: Springer, 2010, 198–214. [Google Scholar]
Zhao Y, Yang X and Feng Q et al. Anonymous credential protocol based on SM2 digital signature (in Chinese). J Software 2024; 35: 3469–3481. [Google Scholar]
Wang Z, Fan J and Cheng L et al. Supervised anonymous authentication scheme (in Chinese). J Software 2019; 30: 1705–1720. [Google Scholar]
Boneh D, Boyen X and Shacham H. Short group signatures. In: Proc of the 24th Annual International Cryptology Conference. Berlin: Springer, 2004, 41–55. [Google Scholar]
Zhu Y, Zheng H and Qin B et al. tsrCert: traceable self-randomization certificate and its application to blockchain supervision. Tsinghua Sci Technol 2023; 28: 1128–1147. [CrossRef] [Google Scholar]
Yu Y, Zhao Y and Li Y et al. Blockchain-based anonymous authentication with selective revocation for smart industrial applications. IEEE Trans Indust Inf 2019; 16: 3290–3300. [Google Scholar]
Connolly A, Deschamps J and Lafourcade P et al. Protego: efficient, revocable and auditable anonymous credentials with applications to Hyperledger Fabric. In: Proc of the 23rd International Conference on Cryptology in India. Switzerland: Springer, 2023, 249–271. [Google Scholar]
Li X, Jing T and Li R et al. BDRA: blockchain and decentralized identifiers assisted secure registration and authentication for VANETs. IEEE Int Things J 2023; 10: 12140–12155. [CrossRef] [Google Scholar]
Manoj T, Makkithaya K and Narendra V. A blockchain based decentralized identifiers for entity authentication in electronic health records. Cogent Eng 2022; 9: 2035134. [CrossRef] [Google Scholar]
Fukami Y, Shimizu T and Matsushima H. The impact of decentralized identity architecture on data exchange. In: Proc of the 9th IEEE International Conference on Big Data. Piscataway, NJ: IEEE, 2021, 3461–3465. [Google Scholar]
Garzon SR, Yildiz H and Küpper A. Decentralized identifiers and self-sovereign identity in 6g. IEEE Network 2022; 36: 142–148. [CrossRef] [Google Scholar]
Mukta R, Martens J and Paik H et al. Blockchain-based verifiable credential sharing with selective disclosure. In: Proc of the 19th International Conference on Trust, Security and Privacy in Computing and Communications. Piscataway, NJ: IEEE, 2020, 959–966. [Google Scholar]
Maram D, Malvai H and Zhang F et al. Candid: can-do decentralized identity with legacy compatibility, sybil-resistance, and accountability. In: Proc of the 2021 IEEE Symposium on Security and Privacy. Piscataway, NJ: IEEE, 2021, 1348–1366. [Google Scholar]
Ran J and Cai D. Attribute signature identity authentication scheme based on blockchain and trusted execution environment (in Chinese). J Comput Res Dev 2023; 60: 2555–2566. [Google Scholar]
Nakamoto S. Bitcoin: A peer-to-peer electronic cash system. Decentralized Business Review 2008; 21260. [Google Scholar]
Sharifi S, Parvizimosaed A and Amyot D et al. Symboleo: Towards a specification language for legal contracts. In: 2020 IEEE 28th International Requirements Engineering Conference (RE). IEEE, 2020, 364–369. [Google Scholar]
Wang D, Qin B and Song W et al. SPESC: Design and practice of smart contracts for legal purposes. Cyberspace Secur 2020; 11: 39–46. [Google Scholar]
Zhu Y, Qin B and Chen E et al. A method for transforming high-level smart contracts and the design and implementation of an auction contract. J Comput Sci 2021; 44: 652–668. [Google Scholar]
Zhang F, Hou P and Li S et al. A microservice framework for smart contracts. J Software 2021; 32: 3423–3439. [Google Scholar]
Liu J, Li P and Cheng R et al. Parallel and asynchronous smart contract execution. IEEE Trans Parallel Distrib Syst 2021; 33: 1097–1108. [Google Scholar]
Wang Z, Zhu J and Zhang B et al. Research and implementation of parallel methods for blockchain and smart contracts. Comput Sci 2022; 49: 312–317. [Google Scholar]
Galbraith SD, Paterson KG and Smart NP. Pairings for cryptographers. Discr Appl Math 2008; 156: 3113–3121. [CrossRef] [Google Scholar]
Camenisch J and Lysyanskaya A. Signature schemes and anonymous credentials from bilinear maps. In: Proc of the 24th Annual International Cryptology Conference. Berlin: Springer, 2004, 56–72. [Google Scholar]
Tessaro S and Chenzhi Z. Revisiting BBS Signatures. In: Proc of the 2023 Annual International Conference on the Theory and Applications of Cryptographic Techniques. Cham, Springer, 2023, 691–721. [Google Scholar]
Chase M and Lysyanskaya A. On signatures of knowledge. In: Proc of the 26th Annual International Cryptology Conference. Switzerland: Springer, 2006, 78–96. [Google Scholar]
Sean B. BLS12-381: New zk-SNARK Elliptic Curve Construction[EB/OL]. (2017-03-11), [2024-03-26]. https://electriccoin.co/blog/new-snark-curve/ [Google Scholar]

Jing He is currently a master’s student at Tongji University, China. His main research interests include blockchain and privacy protection.

Xiaofeng Ma is an associate professor at Tongji University, China. He is also the vice chairman of the blockchain branch of the Chinese Institute of Electronics. His main research interests include blockchain and financial technology.

Dawei Zhangis an associate professor at Beijing Jiaotong University, China. His main research interests include information security and blockchain.

Feng Peng is a senior engineer of China Securities Information Technology Service Limited Company. His main research interests include blockchain and financial technology.

All Tables

Table 1.

Variable definition and explanation

In the text

Table 2.

Comparison of security between SR-DIDs and related schemes

In the text

Table 3.

Comparison of security between SR-PP-VC and related schemes

In the text

Table 4.

Comparison of space complexity between SR-DIDs and related schemes

In the text

Table 5.

Comparison of time complexity between SR-DIDs and related schemes

In the text

Table 6.

Comparison of space complexity between SR-PP-VC and idemix

In the text

Table 7.

Comparison of time complexity between SR-PP-VC and idemix

In the text

All Figures

	Figure 1. Basic component relationships of decentralized identity
In the text

	Figure 2. Architecture of identity management
In the text

	Figure 3. Time comparison of identity identifier management
In the text

	Figure 4. Time comparison of single credential management
In the text

	Figure 5. Test of smart contract
In the text

Current usage metrics show cumulative count of Article Views (full-text article views including HTML views, PDF and ePub downloads, according to the available data) and Abstracts Views on Vision4Press platform.

Data correspond to usage on the plateform after 2015. The current usage metrics is available 48-96 hours after online publication and is updated daily on week days.

Initial download of the metrics may take a while.

[1] Sporny M, Longley D and Sabadello M et al. Decentralized identifiers (DIDs) v1.0 core architecture, data model, and representations. [2024-03-26]. https://www.w3.org/TR/did-core/ [Google Scholar]

[2] Chen XF, Song ZX, Zheng PY et al. A multichain-collaborating governing chain-supervising-chain supervision framework (in Chinese). J Comput Res Dev 2024; 61: 2290–2306. [Google Scholar]

[3] Wang Z, Chen Q and Liu L. Permissioned blockchain-based secure and privacy-preserving data sharing protocol. IEEE Internet Things J 2023; 10: 10698–10707. [CrossRef] [Google Scholar]

[4] Yao Q and Zhang D. Survey on identity management in blockchain (in Chinese). J Software 2021; 32: 2260–2286. [Google Scholar]

[5] Wang C, Cheng J and Sang X et al. Data privacy-preserving for blockchain: State of the art and trends (in Chinese). J Comput Res Dev 2021; 58: 2099–2119. [Google Scholar]

[6] Biryukov A and Tikhomirov S. Security and privacy of mobile wallet users in Bitcoin, Dash, Monero, and Zcash. Pervasive Mobile Comput 2019; 59: 101030. [CrossRef] [Google Scholar]

[7] AbdulKader MM and Kumar SG. A privacy-preserving data transfer in a blockchain-based commercial real estate platform using random address generation mechanism. J Supercomput 2023; 79: 10796–10822. [CrossRef] [Google Scholar]

[8] Li J, Wang Z and Guan S et al. ProChain: A privacy-preserving blockchain-based supply chain traceability system model. Comput Indust Eng 2024; 187: 109831. [CrossRef] [Google Scholar]

[9] Song J, Zhang D and Han X et al. Supervised identity privacy protection scheme in blockchain (in Chinese). J Software 2023; 34: 3292–3312. [Google Scholar]

[10] Zhao L, Zhong L and Zhang J. Traceable one-time address solution to the interactive blockchain for digital museum assets. Inf Sci 2023; 625: 157–174. [CrossRef] [Google Scholar]

[11] Camenisch J, Mödersheim S and Sommer D. A formal model of identity mixer. In: Proc of the 15th International Workshop on Formal Methods for Industrial Critical Systems. Berlin: Springer, 2010, 198–214. [Google Scholar]

[12] Zhao Y, Yang X and Feng Q et al. Anonymous credential protocol based on SM2 digital signature (in Chinese). J Software 2024; 35: 3469–3481. [Google Scholar]

[13] Wang Z, Fan J and Cheng L et al. Supervised anonymous authentication scheme (in Chinese). J Software 2019; 30: 1705–1720. [Google Scholar]

[14] Boneh D, Boyen X and Shacham H. Short group signatures. In: Proc of the 24th Annual International Cryptology Conference. Berlin: Springer, 2004, 41–55. [Google Scholar]

[15] Zhu Y, Zheng H and Qin B et al. tsrCert: traceable self-randomization certificate and its application to blockchain supervision. Tsinghua Sci Technol 2023; 28: 1128–1147. [CrossRef] [Google Scholar]

[16] Yu Y, Zhao Y and Li Y et al. Blockchain-based anonymous authentication with selective revocation for smart industrial applications. IEEE Trans Indust Inf 2019; 16: 3290–3300. [Google Scholar]

[17] Connolly A, Deschamps J and Lafourcade P et al. Protego: efficient, revocable and auditable anonymous credentials with applications to Hyperledger Fabric. In: Proc of the 23rd International Conference on Cryptology in India. Switzerland: Springer, 2023, 249–271. [Google Scholar]

[18] Li X, Jing T and Li R et al. BDRA: blockchain and decentralized identifiers assisted secure registration and authentication for VANETs. IEEE Int Things J 2023; 10: 12140–12155. [CrossRef] [Google Scholar]

[19] Manoj T, Makkithaya K and Narendra V. A blockchain based decentralized identifiers for entity authentication in electronic health records. Cogent Eng 2022; 9: 2035134. [CrossRef] [Google Scholar]

[20] Fukami Y, Shimizu T and Matsushima H. The impact of decentralized identity architecture on data exchange. In: Proc of the 9th IEEE International Conference on Big Data. Piscataway, NJ: IEEE, 2021, 3461–3465. [Google Scholar]

[21] Garzon SR, Yildiz H and Küpper A. Decentralized identifiers and self-sovereign identity in 6g. IEEE Network 2022; 36: 142–148. [CrossRef] [Google Scholar]

[22] Mukta R, Martens J and Paik H et al. Blockchain-based verifiable credential sharing with selective disclosure. In: Proc of the 19th International Conference on Trust, Security and Privacy in Computing and Communications. Piscataway, NJ: IEEE, 2020, 959–966. [Google Scholar]

[23] Maram D, Malvai H and Zhang F et al. Candid: can-do decentralized identity with legacy compatibility, sybil-resistance, and accountability. In: Proc of the 2021 IEEE Symposium on Security and Privacy. Piscataway, NJ: IEEE, 2021, 1348–1366. [Google Scholar]

[24] Ran J and Cai D. Attribute signature identity authentication scheme based on blockchain and trusted execution environment (in Chinese). J Comput Res Dev 2023; 60: 2555–2566. [Google Scholar]

[25] Nakamoto S. Bitcoin: A peer-to-peer electronic cash system. Decentralized Business Review 2008; 21260. [Google Scholar]

[26] Sharifi S, Parvizimosaed A and Amyot D et al. Symboleo: Towards a specification language for legal contracts. In: 2020 IEEE 28th International Requirements Engineering Conference (RE). IEEE, 2020, 364–369. [Google Scholar]

[27] Wang D, Qin B and Song W et al. SPESC: Design and practice of smart contracts for legal purposes. Cyberspace Secur 2020; 11: 39–46. [Google Scholar]

[28] Zhu Y, Qin B and Chen E et al. A method for transforming high-level smart contracts and the design and implementation of an auction contract. J Comput Sci 2021; 44: 652–668. [Google Scholar]

[29] Zhang F, Hou P and Li S et al. A microservice framework for smart contracts. J Software 2021; 32: 3423–3439. [Google Scholar]

[30] Liu J, Li P and Cheng R et al. Parallel and asynchronous smart contract execution. IEEE Trans Parallel Distrib Syst 2021; 33: 1097–1108. [Google Scholar]

[31] Wang Z, Zhu J and Zhang B et al. Research and implementation of parallel methods for blockchain and smart contracts. Comput Sci 2022; 49: 312–317. [Google Scholar]

[32] Galbraith SD, Paterson KG and Smart NP. Pairings for cryptographers. Discr Appl Math 2008; 156: 3113–3121. [CrossRef] [Google Scholar]

[33] Camenisch J and Lysyanskaya A. Signature schemes and anonymous credentials from bilinear maps. In: Proc of the 24th Annual International Cryptology Conference. Berlin: Springer, 2004, 56–72. [Google Scholar]

[34] Tessaro S and Chenzhi Z. Revisiting BBS Signatures. In: Proc of the 2023 Annual International Conference on the Theory and Applications of Cryptographic Techniques. Cham, Springer, 2023, 691–721. [Google Scholar]

[35] Chase M and Lysyanskaya A. On signatures of knowledge. In: Proc of the 26th Annual International Cryptology Conference. Switzerland: Springer, 2006, 78–96. [Google Scholar]

[36] Sean B. BLS12-381: New zk-SNARK Elliptic Curve Construction[EB/OL]. (2017-03-11), [2024-03-26]. https://electriccoin.co/blog/new-snark-curve/ [Google Scholar]