Understand the decentralized identity: Where is the bottleneck? Which solution is right?

Everyone who works on cryptography is imagining that each of us has an embedded private key chip in our brain, so that we can determine our identity at any time without worrying about identity being stolen or deceived. Unfortunately, we are not living in such a cytop punk utopia, but in a broken system where passwords and social security numbers are constantly stolen.

At the same time, blockchain technology promises to return the ownership of personal data from individuals and governments to individuals for digital identity change, thereby enabling individuals to have the power to share data with others and to withdraw at any time.

To gain a deeper understanding of why blockchain technology is effective for identity (authentication), we first need to understand the definition of identity from a philosophical perspective. Please envision the following thought experiment – the two marbles put together look exactly the same. Although the nature of the two marbles (bits and atoms) are the same, their identity is different because we can give each marble a unique identifier similar to "ball A" and "ball B". To distinguish their identity. However, once we put the two marbles in our pockets and mix them together, the logo will be invalid. We can no longer distinguish which one is "ball A" and which is "ball B". One solution to this identification problem is to have an omniscient observer who keeps staring at the marbles during the mixing of the two marbles (so that after the two marbles are mixed, it is still possible to distinguish which is the "bomb" Bead A", which is "Pinball B").

This solution is feasible because time (fourth dimensional space) is used as a time indicator of identity. The blockchain (which keeps the logs of past states from being tampered with) provides time continuity, so that even when the physical environment changes, it can be used to track identity.

Identity is the most important part of the lack of Web 3 infrastructure, and many projects use different ways to build the identity layer that the entire decentralized application ecosystem can use. The two most current levels of attention are namespaces and attestations.


A key point in decentralizing identity is how to identify people, devices, and other entities in the world without a centrally held registration authority. In the blockchain system, we now use the address to identify our identity – a long string that is not practical and difficult to remember, such as "0x9992437898114d2770522e050883d6b2dfc48326". What if we were able to match each address to a unique and readable name?

In computer science, namespaces are used to organize objects so that some objects have the same naming, but they are not confusing. File systems (naming files) and DNS (full name: Domain Name System, naming websites) are examples of namespaces.

Similarly, in the blockchain, we want to maintain a global table that contains a unique correspondence between the address and the name. In addition, ideally, we hope that this correspondence table is always safe, decentralized, and easy to understand . Is this feasible? Let's take a look at the Zooko Triangle.

The Zooko Triangle, named after Zcash CEO and Zooko Wilcox, is the three dilemma of the three ideals of the naming system in the network.

  • Security : When you look up a name, you get the right result, not a pseudonym.
  • Decentralization : There is no centralized authority to control all names.
  • Understandable : Names are people that can be remembered, not a long list of random characters.

Zooko claims that the digital name cannot contain the above three properties. The following examples use this framework:

  • DNSSEC , a security extension to DNS, provides a decentralized and easy-to-understand naming mechanism that is insecure and does not protect against root servers.
  • Bitcoin addresses are secure and decentralized, but are not easy to understand and have no practical meaning.
  • I2P , an anonymous, anti-censorship peer-to-peer communication protocol that uses locally-run secure name translation services and is easy to understand, but requires the addition of authoritative nodes in the decentralized network.


Since Zooko proposed his trilemma, there have been several solutions to the Zooko Triangle. Nick Szabo first proposed a solution in his paper "Secure Property Titles with Owner Authority", which pointed out that all three attributes can achieve Byzantine fault tolerance.

Aaron Swartz later proposed a bitcoin-based naming system that uses the PoW consensus to establish a name ownership consensus. This solution facilitates the generation of Namecoin. Namecoin is the first fork of the Bitcoin blockchain and the underlying blockchain where Dot-Bit is located. Dot-Bit is the first decentralized DNS instance that satisfies the Zooko triangle , enabling users to bind their existing domain names to .bit addresses.

Since its release seven years ago, Namecoin has rarely been adopted due to poor user experience. There are thousands of domain names (in Namecoin), but only about 30 have developed Dot-Bit sites. There are rumors that Namecoin developers have sought out potential cooperation between Gu Ge and ICANN, deviating from the original goal of using decentralized DNS instead of centralized management.

Onename, launched by Princeton researchers Ryan Shea and Muneeb Ali in March 2014, is another identity system that stores usernames and profiles on the Bitcoin blockchain. Currently, Onename has evolved into a namespace registrar for Blockstack's decentralized application platform (similar to GoDaddy). Onename is also a technology that enables Blockstack users to retain ownership of all personal data in different decentralized applications, thereby reducing the current data monopoly of Google and Facebook.

ENS is the DNS on Ethereum, with security and decentralization . Smart contracts act as registrars to manage and update the names in Ethereum, rather than using centralized services like in GoDaddy. Anyone can use ENS to create a readable subdomain of .eth, and the ENS parser acts like a translator, converting the ENS name to the corresponding address. In INS-enabled wallets such as Metamask, MyCrypto, Status, etc., users can transfer money to some easy-to-remember addresses (similar to "alice.eth") instead of '0x4cbe58c50480…'. Since its launch, ENS has registered more than 160,000 domain names, involving over 3.2 million ETH accounts. (Note: I have given up my own namespace service)

Handshake is a new project led by Joseph Poon (Lightning Network and Plasma Presenter) to decentralize the DNS root zones and replace ICANN and the Certification Authority (CA). Handshake is built on a new UTXO blockchain where all point-to-point nodes are root servers that hold root space files, leaving the root space unreviewed, unlicensed, and unrestricted by the gateway. Currently, projects such as Namebase allow users to register top-level domains on the Handshake blockchain, build wallets and exchange Handshake coins (HNS), making Handshake easier to use.

– As you can see from the above figure, projects such as Dot-Bit and ENS support .bit and .eth domain addresses separately, and Handshake goes further to decentralizing ICANN (root domain file gateway). Source: zk Capital-

All in all, Handshake is a very ambitious project that has the potential to change the current mode of operation of DNS and domain name services. However, it is very difficult to gain widespread acceptance and break the monopoly of existing certification authorities such as Verisign, because the operating system defaults to DNS.

Projects such as OpenAlias ​​and Portal Network are also trying to solve the Zooko triangle.


For a decentralized identity system, having a namespace that meets both security, decentralization, and ease of understanding is not enough. Explain that when OneName was launched, someone immediately registered the username +gavin, and for that OneName had to reserve +gavinandresen for the Bitcoin core developer.

In order to prevent someone from impersonating others on the Internet, we need to verify that everyone is actually the one they claim to be. For example, before you rent a home on Airbnb, you must verify your email address and phone number, and possibly verify your Facebook, LinkedIn, and Google accounts. In this case, Airbnb acts as a trust intermediary—both buyers and sellers are confident that Airbnb has completed the verification process. But in a world of decentralized applications, we no longer trust third parties, but we still need to verify someone's identity before the smart contract is executed .

Therefore, certification is the cornerstone of trust and reputation in a decentralized identity system. In the real world, we use a driver's license or passport to prove our identity. These files contain facts about us, such as our name, age, and eye color. But the driver's license does not exist on the Internet. Instead, we need to find a way to associate the real identity with the encrypted identity. As for how to best achieve this goal, there is no final conclusion, and many organizations are exploring.

Identity autonomous product

One solution is to have a separate identity product. This identity product needs to meet four basic characteristics:

  1. Identity has some kind of unique identity. (The best architecture for storing this identity is the namespace described above that satisfies the Zooko triangle.)
  2. A third party can declare (register) information about an identity. The statement includes, for example, a name, an address, an email, and the like.
  3. The user's identity can be requested in some way.
  4. There is some way to query a statement about an identity.

– Facebook and Twitter are currently able to authenticate someone's Blockstack identity.

Independent identity products have the advantage of self-sovereign . Identity autonomy is a digital identity that can be migrated between different decentralized applications. It does not depend on any government or company, and will never be taken away, unlike the current Internet, as long as you put your social security code ( SSN) gives someone who can use it anywhere without your consent, which can lead to identity theft. With an autonomous identity, you can maintain control over identity information such as social security codes and prove your identity when connecting to the dApp. You don't need to copy this identity information to the dApp.

There are many teams trying to build identity autonomy standards.

ERC 725 proposes a standard for managing identity on the Ethereum blockchain . Proposed by Fabian Vogelsteller, he also presented a very successful ERC 20 token standard. An ERC 725 identity contract contains a cryptographic signature that proves that the contract owner controls a specific statement about its identity, such as an email or phone number. The Origin Protocol is a protocol for creating a shared economy that does not require an intermediary. Before the smart contract is executed, the ERC 725 is used to verify the identity of the participants.

uPort is an identity autonomous wallet that gives you complete control over your identity and personal data . The development team is ConsenSys, you can use uPort to create identity, secure login decentralized applications on Ethereum without passwords, manage your personal information and authentication, sign Ethereum transactions and digitally signed files. uPort has recently developed a new decentralized data storage solution – 3Box, 3Box that enables Ethereum users to upload their information using any wallet and share it among different dApps. uPort has partnered with the Swiss state of Zug to provide residents with digital IDs that link real-world identity to the blockchain.

-uPort was upgraded on the ERC 725 standard by breaking down the identity smart contract. Their new layered architecture proposal is ERC 780. Source: uPort-


The project, led by continuous entrepreneur Vinny Lingham, is an authentication-based decentralized application based on Ethereum. In the Civic decentralized ecosystem, users need to verify their identity and then request a recipient (such as a company that sells services) to accept the user as a customer. To this end, the verifier verifies the user's claim by cross-referencing the documents of the government database. Once the verifier confirms the identity of the user, they use the Merkel root value to authenticate the message, and the Merkel tree takes the user's statement to make the leaf node of the Merkel tree.

Other similar identity products are: Sovrin, Evernym, Nuggets. The Decentralized Identity Foundation home page lists a list of teams currently working on identity issues, and the Foundation currently includes more than 50 partner organizations. These organizations aim to enhance inter-system interoperability and work together to try different decentralized identities (scenarios) so that users do not need to spread some of their personal information across multiple protocols.

Will decentralized identity become central again?

One problem with identity autonomy is what to do if the user's private key is lost or stolen. Should an attacker get the assets in the private key? Remember, we are not living in a cytoppunk utopia, and we have not implanted a private key into our brains. Perhaps this question requires a trusted third party to hold (the user's) identity.

Coinbase recently acquired a startup called Distributed Systems, a startup that is developing a decentralized identity standard for DApps called the Clear Protocol. In the process, Coinbase may add a “Facebook link” to test users to make it easier for users to log in and connect to their encrypted wallets. Given that Coinbase has KYC (Know Your Customer) data for 20 million users, Coinbase can use its identity database in the dApp.

The -Web 3 identity may end up looking like this.

It is assumed that the Facebook blockchain team is building an identity and single sign-on platform for dApp because Facebook has our personal information. In the #DeleteFacebook event, users downloaded a .zip file containing all of their personal information, and they were shocked by how much Facebook knows about them…

Telegram Passport is another unified authorization method for services that require personal identification. With Telegram Passport, you can upload all your files at once and share your data with a service that requires a real ID.

in conclusion

While anonymous and pseudonyms are often seen as a use case for cryptocurrencies, identity resolution is also needed for many new encryption native behaviors, such as chain governance, token registration, and more. In particular, voting systems, such as quadratic voting, rely heavily on verifiable, independent user identities because one can significantly improve their influence by simulating the identity of multiple people. At the same time, identity is still the bottleneck for these systems to resist witch attacks and large-scale effective operations.

In my opinion, a layered identity architecture that combines the best namespace products with the best certified products is the best way. It will be interesting to see which identity solution the encryption community will adopt in the future.

(Author: Richard Chen; Source: Nash signature chain)