A COVID Vaccination Passport Scheme Based on IOTA
Do you remember what it was like to be able to travel freely overseas to any country? Unfortunately a little thing called COVID-19 has put a stop to all that. All we have now is travel problems, not only for people who need to visit family members, but for those who work in the travel and tourism sectors.
The concept of a vaccination passport has since been raised as a solution to the current travel problems faced by many people worldwide. Yet a poorly implemented and insecure scheme may only cause more problems, such as countries hesitating to re-open their borders, fraudulent claims, or personal data loss.
The COVID vaccination certificate currently issued within the UK is a handwritten card issued by a nurse at the time of vaccination. This card is not intended for use as a vaccination certificate or passport. Yet, unfortunately it’s the only way we can prove our vaccination.
Now, with pubs and restaurants potentially asking customers for their vaccination status before entering, we had better not lose that card!
If we are going to go down the path of vaccination passports, and it certainly seems we are, we are going to need a secure digital solution. A solution that not only prevents fraudulent claims, but protects user privacy. Is that too much to ask in 2021?
Distributed Ledger Technology
One solution is to implement a vaccination passport scheme using Distributed Ledger Technology (DLT). No, not quite a blockchain. At the outset, the general properties of a DLT do seem attractive for hosting a digital vaccination passport scheme:
- Distributed: Copies of the ledger are distributed amongst all participating nodes.
- Immutable: Data confirmed on the ledger is cryptographically sealed and cannot be altered without invalidating the entire chain.
- Decentralised: No central authority controls the network.
DLTs based on blockchain such as Bitcoin and Ethereum, however, do have drawbacks for hosting a possible digital vaccine passport scheme.
IOTA
Thus, the DLT we will discuss today is known as IOTA. One of the main features of IOTA is the Tangle, which is a Directed Acyclic Graph (DAG) used for storing transactions.
The Tangle is presented as the successor to the blockchain because of its DAG-based consensus mechanism. The consensus mechanism used by the Bitcoin and Ethereum blockchains is Proof-of-Work (PoW), which requires miners to solve a hard puzzle before they can write a block to the chain. This is what causes the power consumption of the Bitcoin network to be more than that of the entire country of Argentina.
Why IOTA?
IOTA overcomes these shortcomings of a traditional blockchain for hosting a vaccine passport:
- Throughput: On a blockchain, the Transactions per Second (TPS) is limited. In IOTA the TPS is not limited as nodes can insert new blocks onto the ledger immediately, as long as they process earlier transactions.
- Confirmation Delay: There is a delay in confirming a block on the chain. In Bitcoin this can be many hours. In IOTA the confirmation rate is not limited.
- Transaction Fees: At the time of writing, a transaction fee on the Bitcoin network is $13.41 USD. This is unacceptable for a digital vaccine passport scheme. IOTA has no transaction fees.
Furthermore, IOTA provides support for Decentralised Identifiers and Verifiable Credentials, which make it even more attractive for hosting a vaccination passport scheme.
DIDs and VCs
A Decentralised Identifier (DID) as defined by the W3C is a machine-readable, decentralised and verifiable digital identity for an individual or entity. As a DID is a JSON-formatted data structure, it can be stored as a message on the IOTA Tangle.
A Verifiable Credential (VC), also defined by the W3C, is a trusted mechanism for representing real-world credentials in a digital, machine-readable and cryptographically verifiable format. It is also associated with a DID. For example, a real-world credential could be a driver's license or university accreditation. In this case, the VC will be a digital certificate confirming COVID vaccination.
A VC in this scheme is held by the individual who has been vaccinated. This can be, for example, held within a smartphone app. An example of a VC is shown below:
{
  "@context": "https://www.w3.org/2018/credentials/v1",
  "type": [
    "VerifiableCredential",
    "VaccinationCertificate"
  ],
  "credentialSubject": {
    "id": "did:iota:6BPsjvhjgmvZJJEwCTi4BSsTUbg74KaouAMegtB6o3EQ",
    "vaccine": {
      "vaccine_type": "Pfizer-BioNTech",
      "batch_id": "6EQUJ5",
      "clinic_id": "LV-426"
    }
  },
  "issuer": "did:iota:957omZpmiG84SqmrYqg94nW7ay5uNpsQH4U8ouAEBwPz",
  "issuanceDate": "2021-05-13T07:12:16Z",
  "proof": {
    "type": "JcsEd25519Signature2020",
    "verificationMethod": "did:iota:957omZpmiG84SqmrYqg94nW7ay5uNpsQH4U8ouAEBwPz#authentication",
    "signatureValue": "3ars26H9JPRbuPBaGH8NgKAVkz2io8LnFVyK1pLk2hcmmK4bJypZZHCyw7uPBbkK38r6EdPgdpzUNDKnDMRZfWEM"
  }
}
How does it work?
Within the context of a digital vaccination certificate scheme, the DID will identify the subject who has been vaccinated and the VC will represent their vaccination certificate. In practice the sequence of actions may be:
- A subject will create a DID for themselves and store it on the IOTA Tangle.
- When a subject is vaccinated, the vaccination clinic will issue a Verifiable Credential which is linked to the DID of the subject and the DID of the clinic.
- The subject will hold this VC in digital format, for example within an app on a smartphone.
- When the subject needs to prove their vaccination status, such as when booking a flight or arriving at an airport, they will present their VC to a verifier, such as airport security or the airline.
- The verifier will validate the VC using a cryptographic proof, in this case a digital signature. If the VC is valid, the subject is then permitted to travel.
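The issue-and-verify steps above, as an added example (not code from the original article or from the IOTA Identity library). It assumes Node's built-in Ed25519 for the clinic's key, an in-memory map standing in for DID resolution on the Tangle, and a proof that signs the JCS canonical form of the credential body with a base64 signature, which is a simplification of JcsEd25519Signature2020; the DIDs and function names are hypothetical.

```javascript
const crypto = require('crypto');
// JCS-style canonical form (RFC 8785): object keys sorted, no whitespace.
function canonicalize(v) {
  if (Array.isArray(v)) return '[' + v.map(canonicalize).join(',') + ']';
  if (v && typeof v === 'object') {
    return '{' + Object.keys(v).sort()
      .map(k => JSON.stringify(k) + ':' + canonicalize(v[k])).join(',') + '}';
  }
  return JSON.stringify(v);
}

// Assumption: stand-in for the Tangle, mapping a DID to the public key in its DID document.
const tangle = new Map();
function createDid(did) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  tangle.set(did, publicKey);
  return { did, privateKey };
}

// Clinic side: sign the canonical credential body and attach the proof.
function issueCredential(issuer, subjectDid, vaccine) {
  const vc = {
    '@context': 'https://www.w3.org/2018/credentials/v1',
    type: ['VerifiableCredential', 'VaccinationCertificate'],
    credentialSubject: { id: subjectDid, vaccine },
    issuer: issuer.did, issuanceDate: new Date().toISOString(),
  };
  const sig = crypto.sign(null, Buffer.from(canonicalize(vc)), issuer.privateKey);
  return { ...vc, proof: { type: 'JcsEd25519Signature2020',
    verificationMethod: issuer.did + '#authentication',
    signatureValue: sig.toString('base64') } };
}

// Verifier side: is the issuer trusted, does the key resolve, does the signature hold?
function verifyCredential(vc, trustedIssuers) {
  if (!vc.proof) return 'no-proof';
  if (!trustedIssuers.has(vc.issuer)) return 'untrusted-issuer';
  if (vc.proof.verificationMethod !== vc.issuer + '#authentication') return 'wrong-key';
  const key = tangle.get(vc.issuer);
  if (!key) return 'unresolvable-did';
  const { proof, ...body } = vc;
  const ok = crypto.verify(null, Buffer.from(canonicalize(body)), key,
    Buffer.from(String(proof.signatureValue), 'base64'));
  return ok ? 'valid' : 'bad-signature';
}

// Constructed sample: placeholder DIDs, vaccine fields taken from the VC shown earlier.
const clinic = createDid('did:iota:EXAMPLE-CLINIC');
const vc = issueCredential(clinic, 'did:iota:EXAMPLE-SUBJECT',
  { vaccine_type: 'Pfizer-BioNTech', batch_id: '6EQUJ5', clinic_id: 'LV-426' });
console.log(verifyCredential(vc, new Set([clinic.did]))); // valid
```

The signature only proves that the holder of the issuer's key signed these exact fields; whether that issuer is a recognised clinic is decided by the verifier's own trusted-issuer list, which is why that check runs before the signature check.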
The Benefits
Using IOTA to host a digital vaccination passport scheme will have the following benefits:
- The IOTA Tangle provides an immutable and distributed datastore in which to store Decentralised Identifiers (DIDs). This means that the DIDs are always accessible on the Tangle and are cryptographically protected against fraudulent or malicious tampering.
- There is no cost to sending transactions on the Tangle, including messages used to store DIDs.
- The DID is controlled by the subject alone, and by no other third parties. This means that an individual can discard and recreate a DID as necessary. The DID also stores no directly identifiable personal information.
- The vaccination certificate is held and controlled by the subject. This means that the subject only reveals the Verifiable Credential to a verifier when they wish to prove their vaccination claim. No other party can reveal or access the VC.
Conclusion
While a COVID vaccine passport could be as basic as the yellow fever card, or a stamp in a passport, how do you trust that it’s legitimate? How many different stamps will there be, and what happens when you need to renew your passport? These are the questions many countries will be asking before opening their borders again.
It’s 2021. It needs to be digital. While the UK’s NHS have announced they will add a vaccine passport to the NHS app (I have yet to see it), what we need is a core trustworthy infrastructure. This needs to include cryptographic signing with strong digital identity checking. Individuals should have the right to generate these, and own them in their digital wallets.