*Duke Jones*

*Sovereign Technologies*

*duke@worldtree.io*

Attributes:

- Self-sovereign identity
- Self-authenticating
- Chain-agnostic wallet functionality
- MPC-based multisig
- Trust-minimized account recovery

Identikey is a set of enabling technologies, building blocks for higher-level functionality. It is blockchain-agnostic and privacy-centric, while still allowing for authoritative attestations and public disclosure of information. It is designed so that one does not have to be an expert in managing private keys to be able to maintain a self-custodied keypair, which is the basis for cryptographically secure self-sovereign identity. Although it provides a mechanism for account recovery (on an opt-in basis), the system remains firmly non-custodial.

# Identity

Users must create separate accounts and identities on nearly every digital platform they use. Their personal information is currently fragmented across a multitude of web applications, and must be updated and/or redacted individually on each one of these. Identikey solves this through its secure persona management and platform-agnostic verifiable data registry.

## Personas

A user creates an account by securely generating their own keypair. By signing and publishing an account DID, the account becomes a fresh persona. By self-attesting and publishing further metadata about the account, the persona becomes richer and starts to be a reference point for identity and reputation. The way that such personal metadata is published is completely user-configurable: it may be published openly and publicly accessible, or privately encrypted and selectively disclosed to specific recipients. The Identikey application will allow switching between personas, taking care not to leak correlatable data across personas.

## Social Graph

Identity, attached to a specific account keypair, acts as a handle. Specific attestations can be made from your persona, referencing another persona.
This creates a directed graph between user accounts, which can be used to compose various forms of social graphs, reputation networks, trust graphs, etc.

## Proof of humanity

When interfacing with e.g. nation-state regulated services, unique person-specific authoritative attestations that associate an account with that person can be useful, but should never be required. The user should always have the option of creating/switching to a persona which is not directly associated with their legal person. Binding a persona to a legal person through KYC-style authoritative attestations can be effectively anonymized by generating a Zero-Knowledge Proof (ZKP) of the attestation. This can be effective for applications that need sybil-resistance. Note that authoritative attestations by definition depend on a particular authority or set of authorities, and leak information about the account and its usage to this authority.

## Security

Because Identikey is a single system for storing this sensitive personal data, there is a reduced attack surface and it is easier to comply with regulation about personally identifiable information. Identikey is based on strong end-to-end encryption with user-custodied private keys. Each piece of data is encrypted separately, so a sweeping data breach is impossible.

# Self-Sovereign Authentication

Identikey includes private-key-based account authentication. Integrations with popular web frameworks will be available for a simple Web2 development experience to integrate keypair-based self-authentication. This effectively makes Identikey a self-sovereign form of single sign-on.

## Wallet

Wallet keys are separable from account keys, and may be attached to different personas. Providing wallet functionality democratizes access to decentralized finance.

Wallet functionality generally boils down to receiving bytes and generating & broadcasting a signature with the user's explicit permission.
Good UI and UX flows are what differentiate wallet applications and are important for winning and retaining user trust. UX for the various blockchain platforms will be treated as a separate concern, implemented as per-blockchain plugins for parsing and providing meaningful information about the payload to sign, and displaying the information to the user.

# Key Management

## Stored on-device

Using secure local storage and device-specific secure enclaves, private key material will be securely stored on a user's local device in one of our client applications.

## Account Recovery

Users can opt in to a federated guardian system for account recovery. The user chooses *n* guardians, across which a recovery key is sharded. In order to recover the account, a user must authenticate with a subset of the guardians they have chosen, as a sort of multi-factor authentication. Each guardian authenticates the user separately with different methods, including username/password, SMS, TOTP, etc. The guardians then generate a recovery signature. Guardians are trusted entities that are incentivized to retain professional uptime guarantees, ensuring continuous access to one's account keys.

## Multisig Via Multi-Party Computation

Using multi-party computation (MPC), Identikey implements multisig without having to use smart contracts for account abstraction. This allows users to remain autonomous, reducing vendor lock-in for any particular blockchain / settlement layer.

# Secure and Verifiable Data Publishing

Identikey provides a platform for publishing verifiably signed data on a platform-agnostic data storage layer, which is effectively a secure data commons. Signed attestation is the fundamental building block of this commons, provably signed by a particular account key. Attestations may be composed together to form collaborative data structures.
## Verifiable Data Registry

We will be offering a platform for publishing data in a verifiable way that has guarantees of retrieval times & liveness. Using content-based addressing to reference the data allows data to be stored in any compatible service. This storage system is called "verifiable" because data is referenced by its hash, which is self-verifying by content. Published data, cleartext or ciphertext, will include a protocol for attaching a signature from its author key(s) for provenance and authenticity verification.

## Attestations

Multiple important properties emerge from offering users the capability of publishing signed attestations.

1. Publish a self-signed DID, and reference that as a persona in further attestations. This is the handle, or basis of identity. Attaching identifiable metadata is optional; this persona may remain as pseudonymous as the user wishes.
2. Publish self-signed metadata about your persona. This may be signed cleartext or ciphertext that can be selectively disclosed.
3. Publish attestations about other personas. The meaning of these is determined by the attestation schema used. This can be parsed into a graph data structure and form the basis of a decentralized social network graph.

## Attestation Schemas

There will be many different forms of published attestations with different functions and meanings. Identikey will use a robust system for representing and designing different types of attestations, as well as methods for defining morphisms across compatible schemas.

## Selective Disclosure

The ability to disclose parts of published data to specific recipients solves many problems with publishing information to a public data store which might not be intended to be public. We are offering several methods of selective disclosure, from a ZKP to demonstrate proof of a value or signature without disclosing it, to giving a decryption key within a hierarchical tree-based public-key encryption scheme, to a proxy re-encryption service.
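The content-addressing check from Verifiable Data Registry and the persona graph from item 3 of Attestations, as an added example that is not Identikey's own code: records fetched from an untrusted store are re-hashed before use, and only verified attestations become graph edges. The record fields (`issuer`, `schema`, `subject`), the canonical JSON encoding and the `Store` class are hypothetical, and author-signature verification is left out of scope.

```python
import hashlib
import json

def address(obj: dict) -> str:
    """Content address: SHA-256 over a canonical JSON encoding (assumed format)."""
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

class Store:
    """Stand-in for any untrusted storage service keyed by content address."""
    def __init__(self):
        self.blobs = {}

    def put(self, obj: dict) -> str:
        addr = address(obj)
        self.blobs[addr] = json.dumps(obj)
        return addr

    def get_verified(self, addr: str) -> dict:
        obj = json.loads(self.blobs[addr])
        if address(obj) != addr:  # re-hash on read: the store is not trusted
            raise ValueError(f"content does not match address {addr[:12]}")
        return obj

def build_graph(store: Store, addrs: list[str]) -> dict:
    """Directed graph issuer -> [(schema, subject)], skipping tampered records."""
    graph = {}
    for addr in addrs:
        try:
            att = store.get_verified(addr)
        except ValueError:
            continue
        graph.setdefault(att["issuer"], []).append((att["schema"], att["subject"]))
    return graph

def demo():
    store = Store()
    # Constructed sample records; real personas would be self-signed DIDs.
    alice = store.put({"type": "persona", "name": "alice"})
    bob = store.put({"type": "persona", "name": "bob"})
    a1 = store.put({"issuer": alice, "schema": "trusts", "subject": bob})
    a2 = store.put({"issuer": bob, "schema": "trusts", "subject": alice})
    # Simulate the storage service rewriting a2 after publication.
    store.blobs[a2] = json.dumps({"issuer": bob, "schema": "trusts", "subject": bob})
    return alice, bob, build_graph(store, [a1, a2])
```
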
# Applications

## Data Provenance

With the rapid advancement of AI technologies, it is becoming more and more difficult to ascertain whether even photo or video evidence is real, i.e. has actually recorded what it represents. Self-attesting to creation with a private key proves that whoever has access to that private key is claiming to have created that data. Combine this with reputational data and/or authoritative attestations of identity, and you have the building blocks for reasonably determining provenance of media creation.

## Legal Agreements

Ricardian Contracts have long been theoretically part of a robust societal smart contract system, although there have been precious few implementations in the wild. In the US, the ESIGN Act specifically allows for cryptographic signatures to be used for legally binding agreements. The technical hurdles are in 1) users maintaining private keys, and 2) associating legal identity with a keypair. Identikey specifically addresses both of these issues, first through democratizing maintenance of private keys by its trust-minimized account recovery system, and second by its reputational and authoritative attestations (issuance of KYC-style verifiable credentials).

## Abstraction-free Multisig

Using multi-party computation (MPC) techniques to emulate multisig on what looks like an externally owned account (non-smart contract), we can provide the benefits of shared management of a treasury or account without the complexities involved in interfacing with a smart contract. This includes authentication-based accounts -- so it is possible to share access to an account without having to share username/password.

# The Future

There are many possible applications unlocked through this combination of technologies.
User-managed keypairs with account recovery, secure private shareable publishing of attestations, open identity through self-attested metadata, cross-account attestation-based social graph and decentralized trust/reputation network, a self-authentication interface for web2 logins, a blockchain-agnostic self-custodied wallet enabling more universal access to decentralized finance, multisig for group management of accounts and assets, as well as an open legal agreement framework are some of the planned use cases and applications.

Self-custody of cryptographic keys is a necessity for true self-sovereign identity, which is the basis for creating social systems that don't fall prey to the perverse incentives of value extraction, but are created for net group benefit, creating an actual digital commons.

We are excited to be bringing these important solutions to life, and would love to connect with like-minded allies and supporters. If this sounds like it might include you, please reach out!

*duke@worldtree.io*

Reclaiming privacy and self-sovereignty and our own identity