Decentralized identity (DID) system on blockchain

Development of Decentralized Identity (DID) System on Blockchain

Decentralized Identifiers (DID) — W3C standard for self-sovereign identity. Instead of your identity existing in databases of Google, Facebook or the state — you control your DID yourself. Nobody can revoke your identity, freeze your account or disclose data to third parties without your knowledge.

DID Structure

DID — is a URI of the form did:method:identifier:

did:ethr:0x742d35Cc6634C0532925a3b844Bc454e4438f44e
did:key:z6MkpTHR8VNsBxYAAWHut2Geadd9jSwuias8sisDArDJF
did:web:example.com
did:ion:EiClkZMDxPKqC9c-umQfTkR8vvZ9JPhl_xLDI9Nfk38zA

DID Method: defines how DID is created, updated, resolved. ethr — Ethereum-based, ion — Bitcoin-anchored via Sidetree, web — via web domain.

DID Document: JSON document associated with DID. Contains public keys, service endpoints, authentication methods.

{
    "@context": ["https://www.w3.org/ns/did/v1"],
    "id": "did:ethr:0x742d35Cc...",
    "verificationMethod": [
        {
            "id": "did:ethr:0x742d35Cc...#controller",
            "type": "EcdsaSecp256k1RecoveryMethod2020",
            "controller": "did:ethr:0x742d35Cc...",
            "ethereumAddress": "0x742d35Cc..."
        }
    ],
    "authentication": ["did:ethr:0x742d35Cc...#controller"],
    "service": [
        {
            "id": "did:ethr:0x742d35Cc...#messaging",
            "type": "DIDComm",
            "serviceEndpoint": "https://agents.example.com"
        }
    ]
}

Verifiable Credentials (VC)

DID — is an identifier. Verifiable Credentials — these are claims about the holder of a DID, signed by another DID (issuer).

{
    "@context": ["https://www.w3.org/2018/credentials/v1"],
    "type": ["VerifiableCredential", "UniversityDegreeCredential"],
    "issuer": "did:web:university.example.edu",
    "issuanceDate": "2024-06-01T00:00:00Z",
    "credentialSubject": {
        "id": "did:ethr:0xGraduateAddress",
        "degree": {
            "type": "Bachelor",
            "name": "Computer Science"
        }
    },
    "proof": {
        "type": "Ed25519Signature2020",
        "created": "2024-06-01T12:00:00Z",
        "verificationMethod": "did:web:university.example.edu#key-1",
        "proofPurpose": "assertionMethod",
        "jws": "eyJhbGciOiJFZERTQS..."
    }
}

DID Registry Implementation

contract DIDRegistry {
    // DID Document attributes
    mapping(address => mapping(bytes32 => mapping(address => uint256))) public delegates;
    mapping(address => mapping(bytes32 => mapping(bytes32 => uint256))) public attributes;
    mapping(address => uint256) public changed;
    mapping(address => address) public owners;
    
    event DIDDelegateChanged(
        address indexed identity,
        bytes32 delegateType,
        address delegate,
        uint256 validTo,
        uint256 previousChange
    );
    
    event DIDAttributeChanged(
        address indexed identity,
        bytes32 name,
        bytes value,
        uint256 validTo,
        uint256 previousChange
    );
    
    function identityOwner(address identity) public view returns (address) {
        address owner = owners[identity];
        return owner == address(0) ? identity : owner;
    }
    
    function setAttribute(
        address identity,
        bytes32 name,
        bytes calldata value,
        uint256 validity
    ) external onlyOwner(identity) {
        attributes[identity][name][keccak256(value)] = block.timestamp + validity;
        emit DIDAttributeChanged(identity, name, value, block.timestamp + validity, changed[identity]);
        changed[identity] = block.number;
    }
}

This is a simplified version of ethr-did-registry — standard contract from uPort/Consensys.

DID Resolver

DID Resolver transforms DID into DID Document. For did:ethr — reads events from DIDRegistry contract:

import { Resolver } from 'did-resolver';
import { getResolver as getEthrResolver } from 'ethr-did-resolver';

const providerConfig = {
    networks: [{
        name: 'mainnet',
        rpcUrl: 'https://mainnet.infura.io/v3/...'
    }]
};

const ethrResolver = getEthrResolver(providerConfig);
const resolver = new Resolver({ ...ethrResolver });

const didDocument = await resolver.resolve('did:ethr:0x742d35Cc...');

Selective Disclosure and ZK

Full VC reveals all fields. Selective Disclosure — prove only needed facts:

BBS+ Signatures: cryptographic scheme allowing selective disclosure of VC fields with mathematical proof that they are part of original document.

Zero-Knowledge Proofs: prove "I have VC stating I'm > 18 years old" without revealing exact date of birth or any other VC data.

Polygon ID: implementation of ZK-based verifiable credentials based on Iden3 protocol. Holder proves claims via zkSNARK without revealing the VC itself.

Full SSI System Architecture

Issuer Service: backend service for organizations issuing VCs (universities, KYC providers, DAOs).

Wallet: user storage of DIDs + VCs. Local (browser extension, mobile app) or custody.

Verifier: service receiving VPs (Verifiable Presentation) and verifying signatures.

Registry: smart contract for DID Documents and VC schemas.

Revocation Registry: list of revoked VCs (statusList2021 standard — bitmap approach efficient on gas).

Real-world Applications

• KYC once, use everywhere: passed KYC with one provider — use credential everywhere without re-verification
• Academic credentials: diploma as VC — verified by employer instantly
• DAO membership: VC confirming DAO participation, voting rights
• Professional licenses: medical, legal licenses

Development of DID system from scratch — 8-16 weeks. Integration of ready components (Veramo, SpruceID, Polygon ID) for specific use case — 3-6 weeks.