This is a proposal to include did:iden3 in the initial set of DID methods that will be standardized by the DID Methods WG.
did:iden3 is a blockchain-based DID method that runs atop various blockchain networks, including Ethereum, Polygon and Linea, among others.
The DID method leverages the open source Iden3 protocol and its tools to work with different zero-knowledge protocols. The Iden3 project started development in 2018, led by Jordi Baylina, David Schwartz and Antoni Martin, with the goal of giving individuals privacy and control over their personal data by creating a self-sovereign, privacy-preserving identity protocol that could be used in scenarios such as national voting.
Iden3 is owned by the nonprofit “0KIMS Association” and is managed as a public good. Iden3 is neither owned nor controlled by Privado ID; however, Privado ID actively contributes to the open-source project along with other large organizations, universities and a broad open-source community.
A few components developed by (or co-created with) Iden3 worth highlighting:
- Circom - the world's most widely used language and compiler for creating zk-SNARK circuits
- SnarkJS - the first general-purpose zk-SNARK prover capable of running on edge devices, and a tool for running trusted setup ceremonies
- Rapidsnark - a very fast zk-SNARK prover that efficiently generates proofs in a broad range of scenarios, from client-side proving on small mobile devices to large servers with hundreds of CPU cores and terabytes of RAM
- Baby Jubjub Elliptic Curve (BJJ) - an elliptic curve designed to work efficiently inside zk-SNARK circuits
- Sparse Merkle Tree (SMT) - a data structure that allows efficient verification of the integrity of the data stored in the tree, including proofs that a given key is absent from the tree
- JSON Web Zero-knowledge (JWZ) - a method of signing and verifying the authenticity of JWT payload messages using zero-knowledge proofs
- zkQuery Language - the first general-purpose query language for ZKP-enabled credentials
Currently, Iden3 libraries have been integrated into more than 9,000 projects, some of which are mentioned in the supporting use cases section.
The Iden3 signature schemes (BJJ + zk-SNARKs and SMT + zk-SNARKs) enable organizations and users to achieve a higher degree of data minimization when exchanging credential data peer-to-peer and over distributed ledger networks.
The Iden3 protocol supports the following features:
- Predicate proofs: The Iden3 protocol supports advanced predicate proofs that allow complex zkQueries to be made on the data without revealing the data itself. This is useful where the data is sensitive and the user wants to prove a property without revealing the underlying value, for example proving that the user is over 18 without revealing the exact age, or proving that the user is a resident of a country that does not appear on a sanctioned-country list. The zkQuery language supports a wide range of operations and data types and works well with complex credential schemas (in contrast to AnonCreds).
- Selective disclosure: The Iden3 protocol supports selective disclosure of attributes in a credential. This allows the user to share only the required attributes with the Verifier without revealing the entire credential.
  - The Iden3 approach differs from other selective disclosure schemes such as SD-JWT and BBS+ in that credential metadata (issuance date, expiration date, revocation nonce, credential signature) is not shared with the Relying Party but verified inside a zk circuit. This prevents the Relying Party (RP, also known as the Verifier) from uniquely identifying the credential being used. Other schemes cannot offer this, because all credential metadata (with SD-JWT) or part of it (such as the revocation status field with BBS+) is shared in clear text.
  - The Iden3 protocol also prevents the RP from inferring the structure and number of fields in the credential. With selective disclosure, only the required attributes are shared, without revealing any information about the credential's structure. Contrast this with schemes such as BBS+, where the signature sent during presentation reveals the number of fields to the Verifier.
- Privacy-preserving credential non-revocation proofs: The Iden3 protocol allows the user to prove that a credential is not revoked without revealing a unique credential or user identifier. This also eliminates the "phone home" problem, where the Verifier checks the revocation status of the credential with the Issuer and thereby reveals the user's activity to the Issuer.
- Pairwise Pseudonymous Identifiers (Profiles): The Iden3 protocol allows the user to present a different identifier to each counterparty while still using all credentials issued to its other pseudonymous identifiers (maintaining strong cryptographic holder binding), without revealing which identifier a credential was issued to. This helps prevent correlation of user activity across different services.
- zkLogin: The Iden3 protocol supports zk authentication, which allows the user to authenticate to the Verifier without revealing the user's public key. All pairwise pseudonymous identifiers are controlled by the same key (or set of keys), and through zkLogin the user proves control over a specific identifier without revealing the keys.
- Client-side proving: The Iden3 protocol uses client-side proving, which allows the user to store personal data and efficiently generate zero-knowledge proofs on edge devices (without relying on cloud services to store the data and generate the proofs, as in the case of AnonCreds).
- Key rotation: The Iden3 protocol supports key rotation, which lets users rotate the keys used to authenticate and lets Issuers rotate the keys used to sign credentials. This matters for security because it allows keys to be replaced after a compromise.
- OnChain Identities and Decentralized Trustless Issuance: The Iden3 protocol allows an identity to be controlled by a smart contract and lets the user self-issue credentials without relying on a centralized Issuer. For example, the user can derive a passport credential from their biometric passport: zero-knowledge circuits verify the passport's authenticity and the correctness of the credential's construction, and only the zk proof and the credential hash are sent to the OnChain Issuer, which signs the hash after verifying the proof (no personal data leaves the user's mobile device).
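The sparse Merkle tree listed among the components above is what makes the privacy-preserving non-revocation proofs possible: in the Iden3 protocol the issuer's revocation tree is keyed by the credential's revocation nonce, so a non-revocation proof is a proof that the nonce is absent from the tree whose root appears in the issuer's published state. The following is an added example, not Iden3 code, showing membership and non-membership proofs on such a tree. It assumes SHA-256 in place of the zk-friendly Poseidon hash, a fixed depth of 16 instead of iden3's far deeper compact tree, and iden3's convention that empty subtrees hash to zero; the `SparseMerkleTree` and `verify` names, the `revocation_demo` function and the nonces in it are all constructed for this example.

```python
"""Toy sparse Merkle tree (SMT) with membership and non-membership proofs.

Added example, not Iden3 code. Assumptions: SHA-256 stands in for the
zk-friendly Poseidon hash, the tree has a fixed depth of 16, empty subtrees
hash to 0 at every level (the iden3 convention), and every leaf sits at full
depth rather than in iden3's compact layout.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

DEPTH = 16
EMPTY = b"\x00" * 32  # hash of an empty subtree, at any level


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def leaf_hash(key: int, value: int) -> bytes:
    # the 0x01 prefix domain-separates leaves from internal nodes
    return _h(b"\x01", key.to_bytes(32, "big"), value.to_bytes(32, "big"))


def node_hash(left: bytes, right: bytes) -> bytes:
    if left == EMPTY and right == EMPTY:
        return EMPTY  # an empty subtree stays 0 all the way up
    return _h(b"\x00", left, right)


def _bit(key: int, level: int) -> int:
    # direction taken at `level` (root is level 0): 0 = left, 1 = right
    return (key >> (DEPTH - 1 - level)) & 1


class SparseMerkleTree:
    def __init__(self) -> None:
        self.leaves: Dict[int, int] = {}

    def insert(self, key: int, value: int) -> None:
        if not 0 <= key < (1 << DEPTH):
            raise ValueError("key outside tree key space")
        self.leaves[key] = value

    def _subtree(self, prefix: int, level: int) -> bytes:
        """Hash of the node reached from the root by the `level`-bit path `prefix`."""
        keys = [k for k in self.leaves if (k >> (DEPTH - level)) == prefix]
        if not keys:
            return EMPTY
        if level == DEPTH:
            return leaf_hash(keys[0], self.leaves[keys[0]])
        return node_hash(self._subtree(prefix << 1, level + 1),
                         self._subtree((prefix << 1) | 1, level + 1))

    def root(self) -> bytes:
        return self._subtree(0, 0)

    def prove(self, key: int) -> Tuple[Optional[int], List[bytes]]:
        """Sibling hashes along the key's path (root level first); value None means absent."""
        siblings, prefix = [], 0
        for level in range(DEPTH):
            b = _bit(key, level)
            siblings.append(self._subtree((prefix << 1) | (1 - b), level + 1))
            prefix = (prefix << 1) | b
        return self.leaves.get(key), siblings


def verify(root: bytes, key: int, value: Optional[int], siblings: List[bytes]) -> bool:
    """Recompute the root from the key's own path; value=None checks non-membership."""
    if len(siblings) != DEPTH:
        return False
    cur = EMPTY if value is None else leaf_hash(key, value)
    for level in range(DEPTH - 1, -1, -1):
        sib = siblings[level]
        cur = node_hash(cur, sib) if _bit(key, level) == 0 else node_hash(sib, cur)
    return cur == root


def revocation_demo() -> Tuple[bool, bool, bool, bool]:
    """Model an issuer's revocation tree keyed by revocation nonce (constructed data)."""
    rev = SparseMerkleTree()
    for nonce in (7, 1000):  # two revoked credentials
        rev.insert(nonce, 0)
    root = rev.root()  # in iden3 this root is part of the issuer's published state

    value, path42 = rev.prove(42)
    not_revoked = value is None and verify(root, 42, None, path42)  # holder's non-revocation proof
    v7, path7 = rev.prove(7)
    revoked = verify(root, 7, v7, path7)       # membership proof of a revoked nonce
    forged = verify(root, 7, None, path7)      # a revoked nonce cannot be shown absent
    rev.insert(42, 0)                          # the issuer later revokes 42
    stale = verify(rev.root(), 42, None, path42)  # the old proof fails against the new root
    return not_revoked, revoked, forged, stale


if __name__ == "__main__":
    print(revocation_demo())  # (True, True, False, False)
```

The last check is the caveat a practitioner wants: a non-membership proof is only as fresh as the root it was built against, so the Verifier must fetch the issuer's current state root itself (on-chain in the case of did:iden3) rather than accept one supplied by the holder. In the real protocol the path recomputation runs inside the zk circuit, so the Verifier learns neither the nonce nor the sibling hashes, only that the proof verifies against the published root.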
The did:iden3 method specification is available here.
A few major components and libraries related to the DID method are listed here:
- Credential issuance methods supported: BJJSignature2021 and Iden3SparseMerkleTreeProof.
- iden3comm, a DIDComm-based communication protocol
- Universal Resolver Driver
- Developer documentation for the Iden3 Protocol
In addition, Privado ID has implemented several components on top of the Iden3 protocol that may help implementers, such as an issuer node, verifier libraries, wallet SDKs and developer tools (schema explorer, schema builder and query builder).
Criteria | Details |
---|---|
Alignment with DID Core specification | Fully compliant with core specification. |
Security and privacy features | Robust security and privacy through the use of zk-SNARKs and sparse Merkle trees. |
Scalability and performance | Highly scalable; did:iden3 has been tested by leading banks in production environments. |
Ease of implementation and use | Documentation for developers is available for both the iden3 components and Privado ID. |
Community adoption and support | Used by the Ethereum Foundation, Deutsche Bank, HSBC, Kaleido, Rarimo, among others. See the supporting use cases section. |
Compliance with relevant regulations and best practices | Yes; zk-proofs make it practical to achieve GDPR's data minimization objective. The DID method is registered with the W3C and compliant with the W3C DID specification. |
Global government-approved crypto | The cryptography is currently under review by ETSI under TR 119 476. |
Privacy-preserving crypto | Yes, using zk-SNARKs and zk-friendly data formats. Advanced techniques to prevent tracking and correlation of user actions. |
Digitally signed cryptographic log of changes to the DID Document | Yes, all identity state transitions that affect the DID Document are recorded on-chain. |
Multi-factor binding to DNS | No. |
Specification with multiple implementers | Yes. |
Scope/domain of the types of entities/subjects addressed/named by a particular method | Wide. |
Estimate of the daily transaction volume of each scope/domain | Unknown. |
DID Methods that do not serve the needs of a particular company or government | Yes. Broad use, not used by a specific entity only. |
Governance: Clear frameworks for updates, dispute resolution, and decision-making | Yes. Governed in the nonprofit “0KIMS Association”. |
Usability: Simple implementation for developers | Yes. Tutorials and documentation from implementers such as Privado ID and others. Third-party integrations & SaaS solutions available. |
Sustainability: Energy efficiency and eco-friendly infrastructure | Identifier management is inexpensive, and the blockchain infrastructure it is deployed on typically uses a proof-of-stake consensus mechanism, which is environmentally friendly. |
Economic Feasibility: Reasonable costs | It is free to create did:iden3 identifiers. Some operations, such as key rotation and claim revocation, incur minimal blockchain gas costs (a few cents). |
Legal Recognition: Cross-border frameworks for DID acceptance | No. |
Revocation and Recovery: Decentralized mechanisms | Yes, fully supported. |
Emerging Markets: Offline-friendly, low-bandwidth | Yes, the mobile zk-prover is optimized for low-end devices. |
Long-lived DIDs for long-lived VCs | Yes. |
Low and predictable marginal cost at scale | Yes. |
Ability to create and update identifiers rapidly (within seconds) | Yes. |
Support for key rotation | Yes. |
Reliable and predictable-latency operation for updates and resolutions | Generally yes, depends on the blockchain used. |
Resolution does not require additional state or context | Basic resolution is done from the identifier itself and the state contract on the blockchain. |
DIDs as permanent and immutable identifiers | Yes, the identifier remains stable, while key states can change via on-chain identity state transitions. |
Support for various DID Traits | Yes: update supported, service endpoints can be updated, deactivate supported, transactional fees, verification methods can be updated, globally resolvable, DID Document history, cryptographically signed DID Document history, decentrally hosted, privacy-preserving crypto (NIZKPs). |
Consider categories defined by DID Rubric | Not evaluated. |
Support for standardization by interested parties | Yes; Privado ID and other private entities are committed to standardization. |
Support from at least two WG members | Yes. |
No trademark or IP issues | None. |
What type of DID method is this? | Decentralized. |
Due to its privacy-first design, the did:iden3 method lends itself well to a variety of use cases such as age verification, intellectual property (IP) protection, and B2B processes such as know-your-customer (KYC) checks in banking. Major web2 and web3 projects and organizations such as the Ethereum Foundation, Deutsche Bank, HSBC, Kaleido and Rarimo are using the Iden3 stack. Organizations and projects using the did:iden3 method are listed below with evidence:
- Linea / Verax Airdrop - link with evidence
- Rarimo - link with evidence
- Blockchain Lab:UM - link with evidence
- Kaleido - link with evidence
- Targecy.xyz - link with evidence
- Tookey - link with evidence
- Privado ID - link with evidence
- Deutsche Bank - link with evidence
- Hovi.id - link with evidence
- zk-firma-digital - link with evidence
- HSBC - link with evidence 1 and link with evidence 2
Here is a list of projects that have implemented various aspects of the Iden3 stack:
- Masca - snap plugin for MetaMask - supports the did:iden3 method
- Ethereum Foundation - PSE Group - Anon Aadhaar - zero-knowledge protocol that allows Aadhaar ID owners to prove their identity in a privacy-preserving way; leverages the Circom library
- Ethereum Foundation - PSE Group - Minimal Anti-Collusion Infrastructure (MACI) - leverages the Circom library
- Ethereum Foundation - Semaphore Protocol - leverages the Baby Jubjub curve, which is also used by the BJJSignature2021 credential issuance method
- Reclaim Protocol - leverages the rapidsnark and snarkjs libraries from Iden3
- Vocdoni - universally verifiable, privacy-centric and scalable digital voting protocol; leverages the rapidsnark, Baby Jubjub and Circom components