3.4.7 DID & KYC

3.4.7.1 Introduction to Identity and Decentralized Identifiers (DIDs)

In the age of digital connectivity, identity is more than just a name or a number. It is a composite of various attributes that characterize an individual, an organization, or a device. In the realm of information science, this concept is known as 'Partial Identity.' An individual's partial identity can include a vast array of attributes, such as name, date of birth, biological traits, and digital data, including email addresses and social media profiles. However, identity isn't limited to these explicit identifiers; it also involves quasi-identifiers, attributes that aren't unique on their own but can potentially lead to unique identification when combined with others.

The challenge of partial identity is that it often exposes an individual to the risk of re-identification, thereby threatening their privacy. In a digital environment where vast amounts of data are continuously collected and analyzed, the probability of re-identification increases significantly, making it a crucial area of concern in the era of big data and machine learning.

Figure 27 Re-Identification Attack

Traditional models of digital identity, being centralized, are vulnerable to these privacy issues. A single authority that verifies and control’s identity information can become a single point of failure, susceptible to data breaches. Besides, the centralization of identity data doesn't allow individuals to maintain full control over their data, making it challenging to manage privacy effectively.

Each entity in the selected domain context is defined by attributes that accept some values. Some of the attributes determine the uniqueness of the entity (the combination of their values allows you to select a single entity), such attributes are called quasi-identifiers. Based on a set of quasi-identifiers (in each domain of such sets there can be several), the entity is assigned an alias - ID. An entity can be represented in multiple domains, and each set of quasi-identifiers denoted by an alias form an entity profile in the domain.

Thus, the entity is represented by a set of profiles, each of which only partially represents the essence - is a partial identity. As part of identity management, an alias (CREATEID function) is created sequentially based on identifiers, then a set of attributes (in the aggregate credentials) is mapped to this ID (alias) - represented by the IDENT function, then when authenticating, the uniqueness of the entity and the existing alias is checked by the AUTH function.

Figure 28

In contrast, Decentralized Identifiers (DIDs) offer a paradigm shift in digital identity management. DIDs are globally unique identifiers, created, owned, and managed by the entity they refer to, whether that's a person, organization, or a device. The decentralized nature of DIDs means no central authority issues or controls them, making them resistant to censorship or control.

In the blockchain and distributed ledger technology (DLT) context, DIDs provide a means to authenticate and identify network participants without the need for a centralized authority. They enable the creation of verifiable digital identities that are 'self-sovereign,' granting individuals control over their identity data. This decentralized approach allows for enhanced privacy, security, and trust in digital transactions.

Figure 29 Decentralized or Self-Sovereign Architecture

Standardization of DIDs is essential to ensure their interoperability across different networks and platforms. The World Wide Web Consortium (W3C) has set the standards for DIDs to ensure this interoperability, paving the way for widespread adoption (W3C, 2022).

3.4.7.2 DID Architecture

Decentralized Identifiers (DIDs) are a new type of identifier that enable verifiable, self-sovereign digital identity. DIDs are fully under the control of the DID subject, independent from any centralized registry, identity provider, or certificate authority.

Figure 30 Example of DID (W3C, 2022)

A DID has three integral components:

• DID Subject: The entity that the DID is about. The subject can be a person, a device, an organization, or even a data model.

• DID Document: This is a data structure that is associated with a DID and contains metadata necessary to prove ownership and control over the DID. A DID Document typically includes public keys for digital signatures, service endpoints for interaction, and authentication methods.

• DID Method: The specification that explains how a specific DID scheme works on a specific verifiable data registry (blockchain, distributed ledger, or other type of decentralized network).

DID Documents provide proof of control over a DID. They contain a list of verification methods and service endpoints. Verification methods are ways to authenticate the DID subject, for example, through cryptographic materials like public keys. Service endpoints are ways to interact with the DID subject, such as a messaging address, a social media profile, or a blockchain address.

Verifiable Credentials are digital credentials that are tamper-evident and cryptographically verifiable. They are associated with a DID and can provide additional claims about the DID subject. For example, a Verifiable Credential might assert that the holder of a particular DID has a certain qualification or permission.

DIDs are resolved using a DID Resolver, which is a software or service that takes a DID as input and produces a DID Document as output. This process, known as DID Resolution, follows the specific DID Method for the given DID.

Figure 31 Verifiable Data Registry

Verifiable Data Registries are systems that allow for the creation, reading, updating, and deletion (CRUD) of DIDs and DID Documents. Blockchain or other types of distributed ledgers are often used as Verifiable Data Registries. They provide a decentralized and secure way to manage DIDs and DID Documents.

In a typical DID-based process:

• Identification: The entity (person, organization, etc.) identifies itself using a DID. The DID refers to a DID Document, which includes verification methods and service endpoints for interaction.

• Verification: The verifier (who could be another entity or a service) verifies the identity by resolving the DID to a DID Document and verifying the provided credentials. This might involve checking a digital signature against a public key in the DID Document.

• Authorization: Once the identity is verified, the entity is authorized to perform actions, possibly based on its Verifiable Credentials.

Figure 32 DID-BASED PROCESS

In DID-based process have participation:

• The Holder of a DID can prove control over it and the DID Document.

• The Issuer of a Verifiable Credential can vouch for certain claims about a DID subject.

• The Inspector verifies the authenticity of a DID and the associated credentials, possibly as part of an authorization process.

• The Identifier Registry is the verifiable data registry where DIDs and DID Documents are stored.

3.4.7.3 Blockchain-Based Decentralized Identifications

Blockchain-based decentralized identifiers (DIDs) are vital in the digital world, primarily due to the inherent immutability and decentralized nature of blockchain technology. These identifiers make it possible to establish a decentralized, secure, and efficient system of identity verification and authentication:

• Importance: The importance of this process lies in its potential to revolutionize the way we manage identities online. Traditional centralized systems suffer from vulnerabilities that can lead to identity theft and unauthorized access to personal data. Blockchain-based DIDs provide a remedy to these issues by facilitating a secure, transparent, and tamper-proof way of managing digital identities.

• Utility: Blockchain-based DIDs are versatile and can serve a variety of purposes. They can be used to manage user accounts or wallets, allowing for region-specific or compliance-specific restrictions to be implemented. For instance, a user may have different rights or permissions based on their location, age, or other personal attributes. Furthermore, blockchain-based DIDs can be used in tokenizing real-world assets (RWA) such as property or artwork. The verification of these RWAs can be simplified and made more transparent with DIDs, ensuring that the asset exists and has certain attributes.

• Implementation: In a blockchain-based DID process, Verifiable Credentials (VCs), which represent the attributes of an object, are stored off-chain. Storing VCs off-chain is necessary to maintain the scalability and performance of the blockchain, as well as to comply with privacy regulations, since VCs can potentially contain sensitive information. Notaries are critical actors in this process as they manage the off-chain data.

• Transaction Cost: On the contrary, a blockchain-based DID system has its identity verification mechanism integrated into the blockchain network. This setup eliminates the need for requests to an external service for every transaction, as identities can be verified within the blockchain network itself. Since the DIDs are stored on the blockchain, they can be quickly and easily referenced or updated, reducing transaction times and associated costs. Moreover, as the system is integrated, it can leverage the blockchain's inherent security and immutability to ensure the integrity of the DIDs.

The basic identification process in a blockchain-based DID system is as follows:

• Notary nodes are registered within the system.

• One or more public keys are presented to the notary. The notary, based on these keys, creates a DID and registers roles (as defined by the transaction family).

• The DID is recorded on the blockchain (in this case, a Directed Acyclic Graph, or DAG), serving as an anchor for VCs stored on the notary's side. For simplification, a temporary command of the DID transaction family allows immediate DID creation from within the system at the notary.

• When transactions, such as Decentralized Exchange of Credentials (DEC) or banking transactions, are performed, the transaction family's processor accesses the notary's API. This allows retrieval of the appropriate role for the transaction.

In this context, the key elements are:

• DID: A unique abstract identifier (essentially a number), formatted in a way that allows future interaction with other networks.

• DID Document (DOD): An extended representation of a DID (the body of the identifier), processed in JWT or JSON-LD formats. It is akin to an X.509 certificate but can store multiple public keys and doesn't store significant attributes.

• Verifiable Credentials (VCs): Attributes for an identifiable object that allow object identification or retrieval of its properties. VCs are stored in an encrypted format off-chain, with access only through notaries.

Figure 33 DID Construction in DGT

3.4.7.4 Utilization of DIDs in DGT Transactions

The Decentralized Identification mechanism, although applicable to a wide range of applications, has profound implications when implemented in the conduct of payment transactions. Specifically, in DGT Blockchain, this concept is integrated into the DEC banking family transactions.

The DEC banking family enables the execution of payments and other operations based on an advanced account-based scheme. The scheme's complexity can range from a simple addressing on a pair of keys (a common blockchain scheme where a user's account is defined by their public key derived from a randomly generated private key, and the amounts are calculated via UTXO), to a more intricate model involving the attachment of attributes. By attaching attributes to a DID, the basic account's functionality can be extended, offering businesses the means to implement a complex policy that limits the amount and frequency of payments made from a specified group of accounts. This approach brings flexibility and control in setting transactional policies, creating a secure and reliable environment for financial transactions.

Consider the following diagram, which illustrates how DIDs are implemented within the DEC banking family in the DGT Blockchain:

Figure 34 DEC Transaction Family with DID-proof process

Through this diagram, it's evident how the integration of DIDs into the transactional operations brings about a new level of sophistication in managing and controlling transactions. Each transaction can be associated with specific attributes, enabling the enforcement of policy-driven control over account transactions.

In the DGT Blockchain, the DEC banking family, combined with the flexibility of DIDs, empowers businesses to define a transactional framework that aligns with their operational needs while also ensuring transactional integrity and security. It embodies a new approach in blockchain transactions, reinforcing the security and flexibility of blockchain technology.

3.4.7.5 Know Your Customer (KYC) Procedures

Decentralized Know-Your-Customer (KYC) in the context of DGT enhances the trustworthiness and validity of transactions while preserving the privacy of the participants. As the DGT system is based on Decentralized Identifiers (DID), the decentralized KYC process involves performing various checks and operations to verify the authenticity of a participant’s identity and the information associated with it.

• Membership Verification: One crucial aspect of decentralized KYC is checking the membership of a DID. It involves validating whether a particular object, denoted by 'X', belongs to any of a specified group of objects {Y1, Y2, ...}. For instance, in a decentralized finance scenario, an object 'X' might represent a user, and the groups {Y1, Y2, ...} might represent different user groups with distinct roles or permissions. A user belonging to a specific group might have unique transaction privileges or access rights.

• Attribute Verification: In addition to membership verification, decentralized KYC also involves checking whether the object 'X' possesses certain attributes {A1, A2, ...}. These attributes could be associated with the object's identity or status within the network. For example, an object's attributes might indicate its credit score, account balance, or transaction history, and these attributes can be important when deciding transaction approval.

• Scoring Calculation: Decentralized KYC may also involve calculating a score (SCOR_x) for the object 'X' based on its attributes {A1, A2, ...}. This scoring mechanism can be used to evaluate the object's trustworthiness or risk level within the network. In a financial context, this score could be similar to a credit score, indicating the user's creditworthiness based on past transactions and account behavior.

In many cases, these operations need to be performed while preserving the confidentiality and privacy of the participant. This is where cryptographic techniques such as Zero-Knowledge Proofs (ZKPs), cryptographic accumulators, and Bloom filters come into play.

ZKPs enable one party to prove to another that they know certain information without revealing the information itself, which is crucial for privacy preservation. Cryptographic accumulators allow efficient verification of whether an element is part of a set, aiding in membership checks. Lastly, Bloom filters are used to efficiently check whether an element is part of a set, ensuring speedy and secure membership verification.

The following algorithm outlines a process of object tokenization utilizing the Decentralized Global Trade (DGT) blockchain. The process is centered on maintaining the privacy of the object's attributes while ensuring their accuracy. This is achieved through a combination of Decentralized Identifiers (DIDs) and bulletproofs, a type of Zero-Knowledge Proof (ZKP), alongside the involvement of Notary nodes acting as Off-Chain Oracles. The algorithm commences with the initiation of a request for attribute verification, followed by the creation of a DID for the object. The object's attributes are then encoded using Bulletproofs, which are subsequently verified by a Notary node. If the verification is successful, a Bulletproof is generated and posted to the DGT blockchain, along with the DID. Tokens representing the object are then generated, linked to the DID, and can be distributed to investors.

Table 14 Attribute-based KYC

Step	Action	Description	Implementation
1.	Intro	Initiate the process of object tokenization.	This process is about tokenizing an object while preserving the privacy of its attributes over the DGT blockchain.
2.	Attribute Verification Request	Start a request for attribute verification.	The object owner or an interested party initiates a request to verify certain object attributes without disclosing their exact values.
3.	DID-Based Identifier Creation	Generate a DID.	The Notary uses the object owner's public key and other relevant information to create a DID (Decentralized Identifier). This includes recording the roles of the object owner in the DID Document.
4.	Attribute Encoding	Encode the object's attributes.	The object's attributes are encoded into a digital format. This process uses Bulletproofs, a type of Zero-Knowledge Proof (ZKP) to assert the correctness of the attributes without revealing their actual values.
5.	Attribute Verification	Confirm the encoded attributes.	The Notary verifies the encoded attributes against the official records of the object stored in an off-chain database, ensuring the integrity of the data.
6.	Zero-Knowledge Proof Generation	Generate ZKP.	If the attributes are verified, the Notary generates a Bulletproof. This proof attests the validity of the attributes without revealing their actual values.
7.	ZKP and DID on Blockchain	Post the ZKP and DID on the blockchain.	The Notary then puts the ZKP and the DID onto the DGT blockchain. This process connects the object to a unique, verifiable identity and confirms that its attributes have been validated.
8.	Token Generation	Create tokens.	Once the ZKP and DID are confirmed on the blockchain, tokens representing shares of the object can be generated. These tokens are linked to the DID, and their value is implicitly associated with the verified attributes of the object.
9.	Token Distribution	Distribute the tokens.	The tokens can now be sold or distributed to investors. Investors can trust that the object's key attributes have been validated, even though they do not know the specifics.

This process leverages the capabilities of the DGT blockchain, Notary nodes (Off-Chain Oracles), and Bulletproofs (a form of ZKP) to ensure privacy-preserving object tokenization.

3.4.7.6 DID Applications

Decentralized Identifiers (DIDs) and Know Your Customer (KYC) procedures are crucial elements in today's digital world, especially in the context of blockchain and decentralized technologies. The use of DIDs and KYC enables secure identity verification, data protection, and regulatory compliance, enhancing trust among all involved parties. Here we delve into some use cases that demonstrate the effectiveness and utility of DIDs and KYC procedures within the Decentralized Global Trade (DGT) blockchain:

Table 15 DID Application Samples

Use Case	Description
1. Tokenization of Real-World Assets	DIDs are used to provide unique identities for real-world assets such as real estate properties or works of art. This allows for effective tokenization of these assets on the blockchain, facilitating ownership tracking and trading. The KYC process helps ensure that all participants involved in the tokenization and trading process are authenticated and verified, reducing the risk of fraud and regulatory non-compliance.
2. Digital Identity Verification	DIDs can be used to create unique digital identities for individuals or entities on the DGT blockchain. These identities can then be utilized for secure access to services, signing transactions, and more. The KYC process ensures that the identities are based on verified real-world data, enhancing trust and security.
3. Cross-Border Payments	DIDs allow for secure identification of participants in cross-border transactions, ensuring the correct sender and recipient. KYC processes aid in preventing illegal activities such as money laundering or fraud by verifying the identity of all involved parties.
4. Decentralized Finance (DeFi) Services	DeFi platforms can use DIDs and KYC to ensure secure and trustworthy lending, borrowing, and trading. Users are verified and given unique DIDs, improving transparency and reducing the risk of fraud.
5. Supply Chain Tracking	DIDs can be assigned to individual products or batches to track their journey through a supply chain. The KYC process can verify the identities of suppliers, manufacturers, and retailers, ensuring authenticity and preventing counterfeit products.

These use cases illustrate the broad application scope of DIDs and KYC, highlighting their potential to bring about transformative changes in how we manage identities and verify individuals or entities in a decentralized environment.