Inspiration

While we are shifting from centralised certificate authorities to a decentralised identity paradigm (Self-Sovereign Identity), credential issuers have remained centralised, making them a single point of failure. This project is a proof of concept showing how a centralised issuing authority can be decentralised to eliminate that single point of failure.

What it does

This project implements an OID4VCI-based decentralised verifiable credentials issuer that uses an MPC-based threshold Schnorr signature to sign the credentials.

How we built it

The implementation leverages the existing FROST library from the paper https://eprint.iacr.org/2020/852.pdf.

The project was built in Rust. It uses multiple frameworks and libraries: tokio for async programming and multithreading, Actix and Warp for HTTP servers, Apache Kafka for inter-node communication, and the Scalable Concurrent Collections (SCC) library for handling operations in a thread-safe manner.

Challenges we ran into

  • We were using the DashMap library to handle concurrent operations on the in-memory DB. DashMap is a hash map implementation that already uses Mutex. This library could not handle the threads safely and led to deadlocks. To solve this issue, we used the SCC library.
  • The signing nodes can be owned by different entities. While signing, one entity might not want to send its data to signing nodes owned by other entities due to privacy concerns. To tackle this issue, we use a signature on the hash of the payload. This way the actual payload remains unseen by the signing nodes.

Accomplishments that we're proud of

  • solving the deadlock challenge described above
  • implementing a valid OID4VCI-based issuer that uses a threshold signature

What we learned

  • async programming in Rust, handling threads, Apache Kafka, and the FROST paper

What's next for Decentralised Credentials Issuer

  • extending it to support other threshold signatures such as ECDSA and BBS+
  • replacing the signature-on-hash-of-payload approach with blind signatures to enhance privacy

Built With

  • actix
  • apache-kafka
  • rust
  • tokio