Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Combining Decentralized IDentifiers with Proof of Membership to Enable Trust in IoT Networks

Alessandro Pino, Davide Margaria, Andrea Vesco

TL;DR

The paper tackles trust in IoT networks using Self-Sovereign Identity by augmenting DID-based mutual authentication with a proof-of-membership that a DID belongs to an evolving trusted set, avoiding heavy Verifiable Credential exchanges. It analyzes two membership schemes—Merkle-tree-based and BBS group signatures—and provides a performance-focused evaluation on a resource-constrained IoT node. Results indicate that the Merkle-tree approach delivers substantially lower computation times for provisioning, membership proof, and verification, making it more suitable for IoT, while the BBS approach offers constant-size proofs at the cost of higher compute and more intricate revocation handling. The work highlights practical trade-offs, confirming SSI compatibility and proposing future directions such as threshold signatures and dynamic accumulators to mitigate Trusted Party risks and further optimize scalability and security in IoT environments.

Abstract

The Self-Sovereign Identity (SSI) is a decentralized paradigm enabling full control over the data used to build and prove the identity. In Internet of Things networks with security requirements, the Self-Sovereign Identity can play a key role and bring benefits with respect to centralized identity solutions. The challenge is to make the SSI compatible with resource-constraint IoT networks. In line with this objective, the paper proposes and discusses an alternative (mutual) authentication process for IoT nodes under the same administration domain. The main idea is to combine the Decentralized IDentifier (DID)-based verification of private key ownership with the verification of a proof that the DID belongs to an evolving trusted set. The solution is built around the proof of membership notion. The paper analyzes two membership solutions, a novel solution designed by the Authors based on Merkle trees and a second one based on the adaptation of Boneh, Boyen and Shacham (BBS) group signature scheme. The paper concludes with a performance estimation and a comparative analysis.

Combining Decentralized IDentifiers with Proof of Membership to Enable Trust in IoT Networks

TL;DR

The paper tackles trust in IoT networks using Self-Sovereign Identity by augmenting DID-based mutual authentication with a proof-of-membership that a DID belongs to an evolving trusted set, avoiding heavy Verifiable Credential exchanges. It analyzes two membership schemes—Merkle-tree-based and BBS group signatures—and provides a performance-focused evaluation on a resource-constrained IoT node. Results indicate that the Merkle-tree approach delivers substantially lower computation times for provisioning, membership proof, and verification, making it more suitable for IoT, while the BBS approach offers constant-size proofs at the cost of higher compute and more intricate revocation handling. The work highlights practical trade-offs, confirming SSI compatibility and proposing future directions such as threshold signatures and dynamic accumulators to mitigate Trusted Party risks and further optimize scalability and security in IoT environments.

Abstract

The Self-Sovereign Identity (SSI) is a decentralized paradigm enabling full control over the data used to build and prove the identity. In Internet of Things networks with security requirements, the Self-Sovereign Identity can play a key role and bring benefits with respect to centralized identity solutions. The challenge is to make the SSI compatible with resource-constraint IoT networks. In line with this objective, the paper proposes and discusses an alternative (mutual) authentication process for IoT nodes under the same administration domain. The main idea is to combine the Decentralized IDentifier (DID)-based verification of private key ownership with the verification of a proof that the DID belongs to an evolving trusted set. The solution is built around the proof of membership notion. The paper analyzes two membership solutions, a novel solution designed by the Authors based on Merkle trees and a second one based on the adaptation of Boneh, Boyen and Shacham (BBS) group signature scheme. The paper concludes with a performance estimation and a comparative analysis.
Paper Structure (18 sections, 4 equations, 3 figures, 1 table)

This paper contains 18 sections, 4 equations, 3 figures, 1 table.

Table of Contents

  1. Introduction
  2. Membership through Merkle trees
  3. Provisioning
  4. Operation
  5. Secret rotation
  6. Network update
  7. Critical analysis
  8. Membership through BBS Group Signature
  9. Provisioning
  10. Operation
  11. Secret rotation
  12. Network update
  13. Critical Analysis
  14. Performance estimation
  15. Results for Merkle tree-based solution
  16. ...and 3 more sections

Figures (3)

  • Figure 1: The Self-Sovereign Identity stack.
  • Figure 2: Mutual authentication between two peers in the SSI framework.
  • Figure 3: Example of Merkle tree with four Decentralized IDentifiers.