Multiple Registration

Summary

A party registers a unique identifier for each relationship (i.e., every identity) it has.

Context

An identifier is used to uniquely identify a party and to retrieve the identity attribute data. A party is engaged in multiple transactional relationships.

Problem

The use of a single key for all the transactions has privacy implications where the transactions could be correlated to expose the identity of the party. Alternatively, key management becomes a nightmare when different keys are used to sign different transactions. How can a party sign multiple transactions without potentially exposing his/her identity?

Forces:

  • Identifiability – A party needs to create an identity to send transactions in the blockchain network.
  • Re-identification – Each party can have more than one identity in the real world. For example, one person is both a client of a bank and a patient of a hospital. When the party handles all the interactions with the same identity or a single key representing that identity, his/her privacy could be compromised as the transactions on a blockchain are transparent hence can be correlated.
  • Transparency – All the historical transactions on blockchain can be accessed by every participant within the same blockchain network. The transactions on a public blockchain are also accessible to everyone on the Internet.
  • Security – There is no standard approach to protect or recover a user’s secret key when exposed/compromised.

Solution

Each party can establish a unique identifier for every relationship (i.e. every identity) they have. This enables the party to isolate interactions with one party from another. For example, the relationship a person builds with a hospital is separate to the one that is established with a university. Neither the hospital nor the university could proactively use the identifiers to correlate this person’s activities. For each of those relationships, store a separate identifier and identity attributes tuples in the identity registry. Only the identifier owner should be allowed to update the identity attributes. Hence, each tuple should also track ownership information. However, this should still be at the respective identifier level to prevent one from linking different identities of the same party/user. Similarly, we need to ensure identity attributes do not provide information that could be used to link two identifiers.

Multiple registration pattern

Multiple registration pattern

Benefits

  • Identifiability – Each sub-key maintains its own identity. The transactions sent under different identities are less likely to be mapped and correlated to re-identify the user.
  • Availability – The loss of signing key of one identifier does not affect the other identifiers.

Drawbacks

  • Cost – Compared to a single identifier, multiple identifiers cost more for identifier registration and updates.
  • Re-identification – On-chain identity attributes such as date of birth, gender, and zip code could be compared against multiple tuples to link multiple identifiers from the same party. For e.g., while different identities could be presented a hospital and university attributes such as date of birth, gender, and zip code could be requested by both organisations.

Related patterns

Known uses

  • Sovrin suggests users to use a separate identifier for every relationship. Consequently, if a relationship suffers a breach and the identifier is compromised, the user can still have normal interactions in other relationships.
  • Blockstack allows entities to create as many identities as they want. Each identity is represented by an identifier and a secret key. Entities can utilise their identities to sign in different decentralised applications.
  • In DAML, participants can use human-readable strings as identifiers to identify themselves. A real-world entity is able to possess multiple identifiers in the same ledger network to denote different identities.