A Decentralized Identity-Based Blockchain Solution for Privacy-Preserving Licensing of Individual-Controlled Data to Prevent Unauthorized Secondary Data Usage
Keywords:blockchain, self-sovereign identity, verifiable credentials, privacy, data management, fully homomorphic encryption
This paper presents a design for a blockchain solution aimed at the prevention of unauthorized secondary use of data. This solution brings together advances from the fields of identity management, confidential computing, and advanced data usage control. In the area of identity management, the solution is aligned with emerging decentralized identity standards: decentralized identifiers (DIDs), DID communication and verifiable credentials (VCs). In respect to confidential computing, the Cheon-Kim-Kim-Song (CKKS) fully homomorphic encryption (FHE) scheme is incorporated with the system to protect the privacy of the individual’s data and prevent unauthorized secondary use when being shared with potential users. In the area of advanced data usage control, the solution leverages the PRIV-DRM solution architecture to derive a novel approach to licensing of data usage to prevent unauthorized secondary usage of data held by individuals. Specifically, our design covers necessary roles in the data-sharing ecosystem: the issuer of personal data, the individual holder of the personal data (i.e., the data subject), a trusted data storage manager, a trusted license distributor, and the data consumer. The proof-of-concept implementation utilizes the decentralized identity framework being developed by the Hyperledger Indy/Aries project. A genomic data licensing use case is evaluated, which shows the feasibility and scalability of the solution.
“esatus SSI Wallet.” (2020) (accessed 6 May 2020) https://web.archive.org/web/20210506165649/https://esatus.com/esatus-ssi-wallet-app-ab-sofort-fuer-ios-undandroid-verfuegbar/?lang=en.
“Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191.” 104th Congress of the United States of America (accessed 18 November 2021) https://www.congress.gov/104/plaws/publ191/PLAW-104publ191.pdf.
“Investing in Verified Information.” University of Washington APL and Digital ID and Authentication Council of Canada (DIACC) (academic conference, held 6-7 November 2019 in Seattle, Washington) https://depts.washington.edu/uwconf/wordpress/ivi2019/.
“Sharing an Object with a Presigned URL.” AWS (2021) (accessed 29 March 2021) https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html.
“V4 Signing Process with Your Own Program.” Google Cloud (2021) (accessed 29 March 2021) https://cloud.google.com/storage/docs/access-control/signing-urls-manually.
Allen, C. “The Path to Self-Sovereign Identity.” Life with Alacrity (2016) (accessed 18 November 2021) http://www.lifewithalacrity.com/previous/2016/04/the-path-to-self-soverereignidentity.html.
Amer, K., Noujain, J. “The Great Hack.” Netflix (2019) https://www.netflix.com/ca/title/80117542.
Au, S., Power, T. Tokenomics: The Crypto Shift of Blockchains, ICOs, and Tokens. Birmingham: Packt Publishing Ltd. (2018).
Aydar, M., Ayvaz, S. “Towards a Blockchain Based Digital Identity Verification, Record Attestation and Record Sharing System.” arXiv (accessed 18 November 2021) https://arxiv.org/abs/1906.09791v2.
Beimel, A. “Secret-Sharing Schemes: A Survey.” In International Conference on Coding and Cryptology Springer 11–46 (2011) https://doi.org/10.1007/978-3-642-20901-7_2.
Belchior, R., Putz, B., Pernul, G., Correia, M., Vasconcelos, A., Guerreiro, S. “SSIBAC: Self-Sovereign Identity Based Access Control.” In 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom) 1935–1943 (2020) https://doi.org/10.1109/TrustCom50675.2020.00264.
Benaissa, A., et al. “TenSEAL: A Library for Doing Homomorphic Encryption Operations on Tensors.” GitHub (2020) (accessed 20 November 2021) https://github.com/OpenMined/TenSEAL/.
Blatt, M., Gusev, A., Polyakov, Y., Goldwasser, S. “Secure Large-Scale Genome-Wide Association Studies Using Homomorphic Encryption.” Proceedings of the National Academy of Sciences 117.21 11608–11613 (2020) https://doi.org/10.1073/pnas.1918257117.
Bonawitz, K., et al. “Towards Federated Learning at Scale: System design.” arXiv (2019) (accessed 20 November 2021) https://arxiv.org/abs/1902.01046v2.
Buterin, V. “A Next-Generation Smart Contract and Decentralized Application Platform.” Ethereum.org (2014) (accessed 18 November 2021) https://ethereum.org/en/whitepaper/.
C. Lundkvist, R. Heck, J. Torstensson, Z. Mitton, and M. Sena. “Uport: A Platform for Self-Sovereign Identity.” (2018) (accessed 18 November 2021) https://www.uport.me/.
Camenisch, J., Lysyanskaya, A. “A Signature Scheme with Efficient Protocols.” In Security in Communication Networks, SCN 2002 268–289 (2003) https://doi.org/10.1007/3-540-36413-7_20.
Cavoukian, A. “Privacy by Design: The 7 Foundational Principles.” Information and Privacy Commissioner of Ontario (2011) (accessed 18 November 2021) https://www.ipc.on.ca/wp-content/uploads/Resources/7foundationalprinciples.pdf.
Chen, H., et al. “Logistic Regression Over Encrypted Data from Fully Homomorphic Encryption.” BMC Medical Genomics 11.4 81 (2018) https://doi.org/10.1186/s12920-018-0397-z.
Chen, H., Laine, K., Player, R. “Simple encrypted arithmetic library-SEAL v2. 1.” In International Conference on Financial Cryptography and Data Security, FC2017 Springer 3–18 (2017) https://doi.org/10.1007/978-3-319-70278-0_1.
Cheon, J. H., et al. “Toward a Secure Drone System: Flying with Real-Time Homomorphic Authenticated Encryption.” IEEE Access 6 24325–24339 (2018) https://doi.org/10.1109/ACCESS.2018.2819189.
Cheon, J. H., Kim, A., Kim, M., Song, Y. “Homomorphic Encryption for Arithmetic of Approximate Numbers.” In International Conference on the Theory and Application of Cryptology and Information Security Springer 409–437 (2017) https://doi.org/10.1007/978-3-319-70694-8-_15.
Damgard, I., Geisler, M., Kroigard, M. “Homomorphic Encryption and Secure Comparison.” International Journal of Applied Cryptography 1.1 22–31 (2008) https://doi.org/10.1504/IJACT.2008.017048.
Diffie, W., Hellman, M. “New Directions in Cryptography.” IEEE Transactions on Information Theory 22.6 644–654 (1976) https://doi.org/10.1109/TIT.1976.1055638.
Digital Trust Team, Government of British Columbia, et al. “Hyperledger Aries Cloud Agent Python (ACAPy).” GitHub (accessed 23 February 2021) https://github.com/hyperledger/aries-cloudagentpython.
ElGamal, T. “A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms.” IEEE Transactions on Information Theory 31.4 469–472 (1985) https://doi.org/10.1007/3-540-39568-7_2.
Gaber, T., Ahmed, A., Mostafa, A. “PrivDRM: A Privacy-Preserving Secure Digital Right Management System.” In Proceedings of the Evaluation and Assessment in Software Engineering 481–486 (2020) https://doi.org/10.1145/3383219.3383289.
Gentry, C. “Fully Homomorphic Encryption Using Ideal Lattices.” In Proceedings of the Forty-First Annual ACM Symposium on Theory of Computing 169–178 (2009) https://doi.org/10.1145/1536414.1536440.
Goldreich, O. “Secure Multi-Party Computation.” (1998, 2002) Preliminary manuscript (accessed 20 November 2021) https://www.wisdom.weizmann.ac.il/~oded/pp.html.
Graupner, H., Torkura, K., Berger, P., Meinel, C., Schnjakin, M. “Secure Access Control for Multi-Cloud Resources.” In 2015 IEEE 40th Local Computer Networks Conference Workshops (LCN Workshops) IEEE 722–729 (2015) https://doi.org/10.1109/LCNW.2015.7365920.
Hardman, D. “Hyperledger Aries RFC 0005: DID Communication.” GitHub (2019) (accessed 20 November 2021) https://github.com/hyperledger/aries-rfcs/blob/master/concepts/0005-didcomm/.
Hardman, D., et al. “Peer DID Method Specification.” GitHub (2019) (accessed 20 November 2021) https://github.com/decentralized-identity/peer-did-method-spec.
Hofman, D., Lemieux, V. L., Joo, A., Batista, D. A. “The Margin Between the Edge of the World and Infinite Possibility: Blockchain, GDPR, and Information Governance.” Records Management Journal 29.1/2 240–257 (2019) https://doi.org/10.1108/RMJ-12-2018-0045.
Huynh, D. “CKKS Explained: Part I, Vanilla Encoding and Decoding.” OpenMined (accessed 14 May 2021) https://blog.openmined.org/ckks-explained-part-1-simple-encoding-and-decoding/.
Kazdin, A. E. “The Token Economy.” In Applications of Conditioning Theory. Routledge (1981, 2017) http://doi.org/10.4324/9781351273084.
Kim, A., Song, Y., Kim, M., Lee, K., Cheon, J. H. “Logistic Regression Model Training Based on the Approximate Homomorphic Encryption.” BMC Medical Genomics 11.4 23–31 (2018) https://doi.org/10.1186/s12920-018-0401-7.
Kim, D., Son, Y., Kim, D., Kim, A., Hong, S., Cheon, J. H. “Privacy-Preserving Approximate GWAS Computation Based on Homomorphic Encryption.” BMC Medical Genomics 13.7 1–12 (2020) https://doi.org/10.1186/s12920-020-0722-1.
Kim, M., Song, Y., Li, B., Micciancio, D. “Semi-Parallel Logistic Regression for GWAS on Encrypted Data.” BMC Medical Genomics 13.7 1–13 (2020) https://doi.org/10.1186/s12920-020-0724-z.
Kim, M., Song, Y., Wang, S., Xia, Y., Jiang, X. “Secure Logistic Regression Based on Homomorphic Encryption: Design and Evaluation.” JMIR Medical Informatics 6.2 e19 (2018) https://doi.org/10.2196/medinform.8805.
Lemieux, V. L., et al. “Having Our “Omic” Cake and Eating It Too?: Evaluating User Response to Using Blockchain Technology for Private and Secure Health Data Management and Sharing.” Frontiers in Blockchain 3 558705 (2021) https://doi.org/10.3389/fbloc.2020.558705.
Liu, Y., Lu, Q., Zhu, C., Yu, Q. “A Blockchain-Based Platform Architecture for Multimedia Data Management.” Multimedia Tools and Applications 80 30707–30723 (2021) https://doi.org/10.1007/s11042-021-10558-z.
Muhle, A., Gruner, A., Gayvoronskaya, T., Meinel, C. “A Survey on Essential Components of a Self-Sovereign Identity.” Computer Science Review 30 80–86 (2018) http://dx.doi.org/10.1016/j.cosrev.2018.10.002.
Nagaratnam, N. “What is Confidential Computing?” IBM (2020) https://www.ibm.com/cloud/learn/confidential-computing.
Naik, N., Jenkins, P. “Governing Principles of Self-Sovereign Identity Applied to Blockchain Enabled Privacy Preserving Identity Management Systems.” In 2020 IEEE International Symposium on Systems Engineering (ISSE) IEEE 1–6 (2020) https://doi.org/10.1109/ISSE49799.2020.9272212.
Naik, N., Jenkins, P. “Your Identity Is Yours: Take Back Control of Your Identity Using GDPR Compatible Self-Sovereign Identity.” In 2020 7th International Conference on Behavioural and Social Computing (BESC) IEEE 1–6 (2020) https://doi.org/10.1109/BESC51023.2020.9348298.
Nakamoto, S. “Bitcoin: A Peer-to-Peer Electronic Cash System.” (2008) (accessed 18 October 2021) https://bitcoin.org/bitcoin.pdf.
No Author. “Hyperledger Indy.” Hyperledger (accessed 22 March 2021) https://www.hyperledger.org/use/hyperledger-indy.
No Author. “Intel Software Guard Extensions.” (accessed 20 November 2021) https://software.intel.com/content/www/us/en/develop/topics/software-guard-extensions.html.
No Author. “Starting January 1, Businesses Must Follow More Robust Guidelines on Meaningful Consent for Personal Information.” Office of the Privacy Commisioner of Canada (2018) (accessed 20 November 2021) https://www.priv.gc.ca/en/opc-news/news-and-announcements/2018/an_181221/.
No Author. “TRON Advanced Decentralized Blockchain Platform, Whitepaper v. 2.0, TRON Protocol v. 3.2.” TRON Foundation (2018) (accessed 20 November 2021) https://tron.network/static/doc/white paper v 2 0.pdf.
No Author. “TRUSTZONE.” ARM (accessed 20 November 2021) https://www.arm.com/why-arm/ technologies/trustzone-for-cortex-a.
Papadopoulos, P., Abramson, W., Hall, A. J., Pitropakis, N., Buchanan, W. J. “Privacy and Trust Redefined in Federated Machine Learning.” Machine Learning and Knowledge Extraction 3.2 333–356 (2021) https://doi.org/10.3390/make3020017
Paszke, A., et al. “Pytorch: An Imperative Style, High-Performance Deep Learning Library.” arXiv (2019) (accessed 20 November 2021) https://arxiv.org/abs/1912.01703v1.
Pretschner, A., Hilty, M., Basin, D. “Distributed Usage Control.” Communications of the ACM 49.9 39–44 (2006) https://doi.org/10.1145/1151030.1151053.
Preukschat, A., Reed, D. Self-Sovereign Identity: Decentralized Digital Identity and Verifiable Credentials. New York: Manning Publications Co. (2021).
Reed, D., et al. “Decentralized Identifiers (dids) v1.0.” World Wide Web Consortium (W3C) (2020) (accessed 20 November 2021) Latest draft available at: https://www.w3.org/TR/did-core/.
Rivest, R. L., Adleman, L., Dertouzos, M. L., et al. “On Data Banks and Privacy Homomorphisms.” Foundations of Secure Computation 4.11 169–180 (1978).
Rivest, R. L., Shamir, A., Adleman, L. “A Method for Obtaining Digital Signatures and PublicKey Cryptosystems.” Communications of the ACM 21.2 120–126 (1978) https://doi.org/10.1145/359340.359342.
Romm, T. “U.S. Government Issues Stunning Rebuke, Historic $5 Billion Fine Against Facebook for Repeated Privacy Violations.” The Washington Post (2019) (accessed 20 November 2021) https://www.washingtonpost.com/technology/2019/07/24/us-government-issues-stunningrebuke-historic-billion-fine-against-facebook-repeated-privacy-violations/.
Rosenblatt, B., Trippe, B., Mooney, S. Digital Rights Management. New York: Wiley (2002).
Russinovich, M., et al. “Toward Confidential Cloud Computing.” Communications of the ACM 64.6 54–61 (2021) https://doi.org/10.1145/3454122.3456125.
Sabt, M., Achemlal, M., Bouabdallah, A. “Trusted Execution Environment: What It Is, and What It Is Not.” In 2015 IEEE Trustcom/BigDataSE/ISPA. 1 IEEE 57–64 (2015) https://doi.org/10.1109/Trustcom.2015.357.
Saint-Andre, P., Klensin, J. “Uniform Resource Names (URNs).” Internet Engineering Task Force (IETF) (2017) Internet Requests for Comments 8141 (accessed 20 November 2021) https://www.rfceditor.org/rfc/rfc8141.html.
Tobin, A. “Sovrin: What Goes on the Ledger?” Evernym (2018) (accessed 18 November 2021) https://www.evernym.com/wp-content/uploads/2017/07/What-Goes-On-The-Ledger.pdf.
Tobin, A., Reed, D. “The Inevitable Rise of Self-Sovereign Identity.” The Sovrin Foundation (2017) (accessed 18 November 2021) https://sovrin.org/wp-content/uploads/2017/06/The-InevitableRise-of-Self-Sovereign-Identity.pdf.
Verifiable Credentials Working Group. “Verifiable Credentials Data Model 1.0: Expressing Verifiable Information on the Web.” World Wide Web Consortium (W3C) (2019) (accessed 23 February 2021) https://www.w3.org/TR/vc-data-model/.
Voigt, P., Von dem Bussche, A. The EU General Data Protection Regulation (GDPR), A Practical Guide. Cham: Springer International Publishing (2017).
Yaga, D., Mell, P., Roby, N., Scarfone, K. “Blockchain Technology Overview.” arXiv (accessed 18 November 2021) https://doi.org/10.6028/NIST.IR.8202.
Yao, A. C.-C. “How to Generate and Exchange Secrets.” In 27th Annual Symposium on Foundations of Computer Science (sfcs 1986) IEEE 162–167 (1986) https://doi.org/10.1109/SFCS.1986.25.
How to Cite
Authors who publish with this journal agree to the following terms:
- The Author retains copyright in the Work, where the term “Work” shall include all digital objects that may result in subsequent electronic publication or distribution.
- Upon acceptance of the Work, the author shall grant to the Publisher the right of first publication of the Work.
- The Author shall grant to the Publisher and its agents the nonexclusive perpetual right and license to publish, archive, and make accessible the Work in whole or in part in all forms of media now or hereafter known under a Creative Commons Attribution 4.0 International License or its equivalent, which, for the avoidance of doubt, allows others to copy, distribute, and transmit the Work under the following conditions:
- Attribution—other users must attribute the Work in the manner specified by the author as indicated on the journal Web site;
- The Author is able to enter into separate, additional contractual arrangements for the nonexclusive distribution of the journal's published version of the Work (e.g., post it to an institutional repository or publish it in a book), as long as there is provided in the document an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post online a prepublication manuscript (but not the Publisher’s final formatted PDF version of the Work) in institutional repositories or on their Websites prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work. Any such posting made before acceptance and publication of the Work shall be updated upon publication to include a reference to the Publisher-assigned DOI (Digital Object Identifier) and a link to the online abstract for the final published Work in the Journal.
- Upon Publisher’s request, the Author agrees to furnish promptly to Publisher, at the Author’s own expense, written evidence of the permissions, licenses, and consents for use of third-party material included within the Work, except as determined by Publisher to be covered by the principles of Fair Use.
- The Author represents and warrants that:
- the Work is the Author’s original work;
- the Author has not transferred, and will not transfer, exclusive rights in the Work to any third party;
- the Work is not pending review or under consideration by another publisher;
- the Work has not previously been published;
- the Work contains no misrepresentation or infringement of the Work or property of other authors or third parties; and
- the Work contains no libel, invasion of privacy, or other unlawful matter.
- The Author agrees to indemnify and hold Publisher harmless from Author’s breach of the representations and warranties contained in Paragraph 6 above, as well as any claim or proceeding relating to Publisher’s use and publication of any content contained in the Work, including third-party content.
- The Author agrees to digitally sign the Publisher’s final formatted PDF version of the Work.
Revised 7/16/2018. Revision Description: Removed outdated link.