Protocol Architecture

The Protocol Architecture forms the foundation of IOST 3.0's Decentralized Identity (DID) system. This document outlines the fundamental specifications, data structures, and mechanisms that enable secure, interoperable digital identities.

DID Identifier Format

IOST 3.0 implements the W3C DID standard with a specific method identifier:

did:iost:<specific-idstring>

Where:

• did: The scheme identifier
• iost: The method identifier specific to IOST blockchain
• specific-idstring: A unique identifier string conforming to method-specific format

Identifier Generation

IOST DIDs can be generated through multiple mechanisms:

1. Deterministic Key Derivation: Generated from cryptographic keys

2. Account-Based: Derived from existing IOST accounts

3. UUID-Based: For systems requiring traditional identifiers

4. Biometric-Based: Unique identifiers derived from biometric templates (hardware integration)

Subnets and Namespaces

IOST 3.0 supports hierarchical identifiers for organizational and specialized use cases:

did:iost:org:<organization-id>:<entity-id>

did:iost:subnet:<subnet-id>:<entity-id>

This enables isolated identity domains while maintaining global resolution capabilities.

DID Document Structure

Each IOST DID is associated with a DID Document containing the following core components:

Core Components

1. Context (@context): Defines the schema and vocabulary for the document

2. Identifier (id): The DID that the document describes

3. Controller (controller): DIDs with authority to make changes to the document

4. Verification Methods (verificationMethod): Cryptographic keys and other verification materials

5. Authentication (authentication): Methods that can be used to authenticate the DID subject

6. Service Endpoints (service): Services associated with the DID subject

7. Biometric Binding (biometricBinding): IOST-specific extension linking DIDs to biometric verification

8. Timestamps and Proofs: Metadata about document creation, updates, and cryptographic proofs

IOST-Specific Extensions

IOST 3.0 extends the standard DID Document with additional features:

1. Layer 2 References: Links to Layer 2 identity data

2. Trust Level Assertions: Standardized trust level claims

3. Recovery Configuration: Advanced recovery mechanisms

4. Privacy Settings: Granular privacy controls

DID Resolution

IOST 3.0 implements a multi-layered DID resolution system:

Resolution Methods

1. On-Chain Resolution: Direct blockchain-based resolution for maximum security

2. Layer 2 Resolution: Optimized resolution through Layer 2 for high efficiency

3. Distributed Cache Network: Edge-cached resolution for high performance

4. Local Resolution: Offline resolution capabilities for certain use cases

Resolution Parameters

Standard parameters for customizing resolution behavior:

Parameter	Description	Values
resolveType	Resolution method to use	on-chain, layer2, cache, local
versionTime	Resolve document as of a specific time	ISO timestamp
versionId	Resolve specific version by ID	String
trustLevel	Minimum required trust level	Integer (0-3)
includeDeactivated	Include deactivated DIDs	Boolean

DID Operations

IOST 3.0 supports the full lifecycle of DID operations:

• Create: Generating a new DID and associated document

4. Registration on the IOST blockchain

// Example DID creation
const iostDID = require('@iost/did-sdk');

async function createNewDID() {
  // Generate keys
  const keyPair = await iostDID.generateKeyPair();
  
  // Create DID with default document
  const did = await iostDID.create({
    publicKey: keyPair.publicKey,
    controller: [],  // Self-controlled by default
    serviceEndpoints: []
  });
  
  return {
    did: did.id,
    document: did.document,
    privateKey: keyPair.privateKey
  };
}

• Read: Resolving DIDs to retrieve their associated DID Document

// Example DID resolution
const iostDID = require('@iost/did-sdk');

async function resolveDID(didString, options = {}) {
  const resolution = await iostDID.resolve(didString, {
    resolveType: options.resolveType || 'layer2',
    versionTime: options.versionTime,
    trustLevel: options.trustLevel || 0
  });
  
  return resolution.didDocument;
}

• Update: Modifying an existing DID Document

// Example DID update
const iostDID = require('@iost/did-sdk');

async function updateDIDService(didString, privateKey, serviceEndpoint) {
  // Resolve current document
  const currentDoc = await iostDID.resolve(didString);
  
  // Create update payload
  const update = {
    id: didString,
    service: [
      ...currentDoc.didDocument.service,
      {
        id: `${didString}#new-service`,
        type: "IOSTService",
        serviceEndpoint: serviceEndpoint
      }
    ]
  };
  
  // Sign and submit update
  const updated = await iostDID.update(update, privateKey);
  return updated.didDocument;
}

• Deactivate: Permanently deactivating a DID

// Example DID deactivation
const iostDID = require('@iost/did-sdk');

async function deactivateDID(didString, privateKey) {
  const result = await iostDID.deactivate(didString, privateKey);
  return result.success;
}

DID Methods Registry

IOST 3.0 provides a registry system for specialized DID methods:

Method	Format	Description	Status
did:iost	did:iost:<idstring>	Core IOST DID method	Active
did:iost:bio	did:iost:bio:<idstring>	Biometric-anchored DIDs	Active
did:iost:org	did:iost:org:<org-id>:<entity-id>	Organizational DIDs	Active
did:iost:subnet	did:iost:subnet:<subnet-id>:<idstring>	Subnet-specific DIDs	Active
did:iost:temp	did:iost:temp:<idstring>	Temporary/short-lived DIDs	Active
did:iost:cross	did:iost:cross:<chain-id>:<foreign-did>	Cross-chain linked DIDs	Proposed

Storage Architecture

IOST 3.0 implements a hybrid storage model balancing security, privacy, and efficiency:

On-Chain Storage

Minimalist data stored directly on blockchain:

• DID Registry: Maps DID identifiers to storage locations and metadata

• Public Keys: Essential verification keys

• State Transitions: Hash-based record of document updates

• Revocation Registry: Credential revocation information

Layer 2 Storage

Extended DID document components stored in Layer 2:

• Complete DID Documents: Full document storage

• Service Endpoints: Dynamic service declarations

• Verification Relationships: Authentication and authorization methods

• Metadata: Additional non-critical information

Off-Chain Storage

Private and large-volume data stored securely off-chain:

• Encrypted Credentials: Private credential data

• Personal Data: User attributes and sensitive information

• Document History: Historical document versions

• Biometric Templates: Encrypted biometric verification templates

Security Considerations

The IOST DID Method implements several security measures:

1. Multi-level Key Management: Supporting hierarchical deterministic (HD) key generation and management

2. Revocation Mechanisms: Clear processes for revoking compromised keys

3. Replay Attack Prevention: Timestamp and nonce-based protection

4. Smart Contract Auditing: Rigorous security auditing of DID registry contracts

Privacy Features

Privacy-enhancing features of the IOST DID Method include:

1. Selective Disclosure: Support for zero-knowledge proofs and selective attribute disclosure

2. Minimal On-chain Footprint: Limited personal data stored on-chain

3. Identifier Pairwise Usage: Different DIDs for different contexts

4. Privacy-preserving Authentication: Biometric verification without exposing templates

Performance Characteristics

The IOST DID Method is optimized for:

1. Resolution Speed: Sub-second resolution times for cached DIDs

2. Scalability: Support for billions of DIDs through Layer 2 optimizations

3. Gas Efficiency: Minimized on-chain operations for cost reduction

4. Batched Operations: Support for bulk DID operations

Interoperability

The IOST DID Method ensures interoperability through:

1. Cross-chain Resolution: Support for resolving DIDs across multiple blockchains

2. Standard Verification Credentials: Compatibility with W3C VC standards

3. Universal Resolver Integration: Compatibility with the Universal Resolver

4. DID Method Negotiation: Protocol for interacting with other DID methods

Protocol Compliance

IOST 3.0's DID Protocol adheres to key standards while introducing innovative extensions:

W3C Compliance

Full compliance with:

• W3C Decentralized Identifiers (DIDs) v1.0
• W3C Verifiable Credentials Data Model v1.1
• DID Resolution Specification

ERC-3643 Out-of-the-box Support

IOST 3.0's DID protocol provides native compatibility with the ERC-3643 standard for tokenized assets, offering:

• Identity Verification Interface: Standardized verification of identity claims for compliant token transfers

• Claim Registry Integration: Direct mapping to ERC-3643 claim structures

• Cross-Chain Token Compliance: Identity verification across multiple blockchain networks

• Permissioned Token Operations: Identity-based access control for tokenized securities

• Regulatory-Compliant Interfaces: Ready-to-use components for jurisdictional compliance

The integration enables securities issuers to leverage IOST's identity infrastructure for compliant token operations without additional development work.

Unique Protocol Extensions

IOST-specific enhancements:

1. Layer 2 Integration: Optimistic rollups for scalable identity operations

2. Biometric Protocol Extensions: Hardware-integrated continuous authentication

3. Advanced Trust Levels: Standardized trust framework expressions

4. Cross-Chain Resolution: Universal resolver for multi-chain compatibility

Technical Specifications Summary

Feature	Specification
Identifier Format	did:iost:<specific-idstring> conforming to W3C DID syntax
Public Key Types	Ed25519, secp256k1, RSA (2048+), BLS12-381
Signature Schemes	EdDSA, ECDSA, RSA-PSS, BLS
Document Format	JSON-LD with IOST extensions
Anchoring Mechanism	Dual-layer: blockchain header + Layer 2 batch proofs
Resolution Time	<500ms (cached), <3s (on-chain)
Update Latency	<2s (Layer 2), <30s (confirmed on-chain)
Recovery Methods	Social recovery, multi-sig, biometric, secret sharing
Privacy Features	Selective disclosure, ZKPs, encrypted storage
Cross-Chain Support	Universal resolver, BNB Chain integration, Ethereum compatibility