基于区块链智能合约的数字身份可验证凭证零知识认证和管理架构

宋智明; 余益民; 王贵文; 陈韬伟

引用本文：

宋智明,余益民,王贵文,陈韬伟.基于区块链智能合约的数字身份可验证凭证零知识认证和管理架构[J].信息安全学报,2023,8(1):55-77 [点击复制]
SONG Zhiming,YU Yimin,WANG Guiwen,CHEN Taowei.Zero-knowledge Authentication and Management Architecture of Verifiable Certificate of Digital Identity Based on Smart Contracts of Blockchain[J].Journal of Cyber Security,2023,8(1):55-77 [点击复制]

本文已被：浏览 3873次下载 3022次	码上扫一扫！
基于区块链智能合约的数字身份可验证凭证零知识认证和管理架构
宋智明^1,2,3, 余益民^1,2, 王贵文¹, 陈韬伟¹
0 字体:加大+\|默认\|缩小-
(1.信息学院云南财经大学昆明中国 650221;2.智能应用研究院云南财经大学昆明中国 650221;3.云南省智慧城市网络空间安全重点实验室玉溪师范学院玉溪中国 653100)

摘要:

数字身份认证和管理系统是计算机和互联网应用的安全基础设施, 当前的数字身份认证和管理系统暴露出了许多的问题,例如, 数字身份的中心化存储和管理、数字身份的自主权特性较差、数字身份的隐私无保障、数字身份的认证过程不公开透明等。伴随着区块链技术的发展, 其去中心、防篡改、可追溯和安全透明等特点受到了越来越多的关注, 各种基于区块链的数字身份认证和管理架构相继出现, 然而这些架构仍然不同程度存在上述问题。对此, 本文将区块链智能合约技术、非交互式零知识证明技术、可验证凭证数字身份等结合, 提出了一个基于区块链智能合约的数字身份可验证凭证零知识认证和管理架构, 并详细描述了架构角色和协议流程等, 其中, 在协议流程中, 服务提供商根据服务授权要求构造零知识证明约束条件验证程序,用户基于该程序生成零知识证明, 该零知识证明可以在不透露身份和私钥的情况下向服务提供商证明用户是身份的所有者, 且身份满足服务授权要求, 而服务提供商对零知识证明的认证和管理等都是在智能合约中完成的, 实现了认证和授权的公开透明和安全。此外, 本文设计了该架构的原型系统, 并基于原型系统, 评估了架构中智能合约的成本和时间开销, 同时讨论了基于智能合约进行零知识证明认证和管理的安全性和必要性等, 最后还对整个架构的有效性和安全性等进行了评估和比较。上述结果表明, 本文所提出的架构能较好的实现数字身份认证和管理的去中心化、隐私安全、认证和授权公开透明等, 可为相关系统的设计提供有价值的技术参考。

关键词: 数字身份认证和管理区块链智能合约零知识身份认证可验证凭证

DOI：10.19363/J.cnki.cn10-1380/tn.2023.01.05

投稿时间：2021-09-30修订日期：2022-02-09

基金项目:本课题得到国家自然科学基金项目(No. 71964037), 中央引导地方科技发展专项资金项目(No. 202007AD110001), 云南省教育厅科学研究基金(No. 2022J0473), 云南省基础研究计划青年项目(No. 202101AU070132), 云南省刑事科学技术重点实验室(No. YJXK005), 云南省智慧城市网络空间安全重点实验室(No. 202105AG070010-SG-07)的资助。

Zero-knowledge Authentication and Management Architecture of Verifiable Certificate of Digital Identity Based on Smart Contracts of Blockchain

SONG Zhiming^1,2,3, YU Yimin^1,2, WANG Guiwen¹, CHEN Taowei¹

(1.School of Information, Yunnan University of Finance and Economics, Kunming 650221, China;2.Institute of Intelligent Application, Yunnan University of Finance and Economics, Kunming 650221, China;3.Yunnan Key Laboratory of Smart City and Cyberspace Security, Yuxi Normal University, Yuxi 653100, China)

Abstract:

Digital identity authentication and management system (DIAMS) is the security infrastructure of computer and internet applications. However, current DIAMSs have exposed many problems such as centralized storage and management of digital identities, poor self-sovereignty management on user’s own identity, poor privacy protection, non-transparent authentication and authorization and so on. Currently, along with the development of blockchain technology, its features such as decentralization, tamper-proof, traceability, security, and transparency and so on are receiving increasing attentions, resulting in that various DIAMSs based on blockchain are proposed. However, the problems mentioned above still exist in the DIAMSs based on blockchain. Therefore, this paper combines smart contract of blockchain, non-interactive zero knowledge proof with the verifiable certificate of digital identity, and proposes an architecture of DIAMS based on blockchain. Firstly, in the proposed architecture, entity roles and protocol flows are described in detail. Secondly, in the protocol flows, the verification program of constraint conditions of zero-knowledge proof (VPCCZKP) is constructed by service provider based on service authorization requirements, and user takes advantage of the VPCCZKP to generate the zero-knowledge proof which can prove that he/she is the holder of the legal identity which meets service authorization requirements without disclosing his/her private key and legal identity. In the meantime, the generated zero-knowledge proof is provided to service provider, and service provider uses the on-chain smart contracts to authenticate and manage the zero-knowledge proof in order to implement the transparency and security of authentication and authorization. On the other hand, the prototype system of proposed architecture is designed and based on the prototype system, the cost and time overhead of smart contracts of the proposed architecture is assessed. In the meantime, the security and necessity of on-chain authentication and authorization of zero-knowledge proof based on smart contracts is discussed. Furthermore, evaluations and comparisons of effectiveness and safety of the proposed architecture are conducted at the end of this paper. Finally, the results from the prototype system indicate that the proposed architecture can well realize the decentralization, privacy security, openness and transparency of digital identity authentication and management and provide value technology references for designing corresponding DIAMSs.

Key words: digital identity authentication and management system blockchain smart contract zero-knowledge identity authentication verifiable certificate