reclaimID: Secure, Self-Sovereign Identities using Name Systems and Attribute-Based Encryption
Martin Schanzenbach, Georg Bramm, Julian Schütte

TL;DR
reclaimID introduces a decentralized identity system enabling users to securely share and control access to their identity attributes using name systems and attribute-based encryption, eliminating reliance on central providers.
Contribution
It presents a novel architecture combining name systems and attribute-based encryption for secure, self-sovereign identities with practical implementation and standard-compliant integration.
Findings
Efficient attribute resolution performance demonstrated.
Implementation based on GNU Name System and ciphertext-policy ABE.
Compatible with OpenID Connect standard.
Abstract
In this paper we present reclaimID: An architecture that allows users to reclaim their digital identities by securely sharing identity attributes without the need for a centralised service provider. We propose a design where user attributes are stored in and shared over a name system under user-owned namespaces. Attributes are encrypted using attribute-based encryption (ABE), allowing the user to selectively authorize and revoke access of requesting parties to subsets of his attributes. We present an implementation based on the decentralised GNU Name System (GNS) in combination with ciphertext-policy ABE using type-1 pairings. To show the practicality of our implementation, we carried out experimental evaluations of selected implementation aspects including attribute resolution performance. Finally, we show that our design can be used as a standard OpenID Connect Identity Provider…
