Pairwise DID
Pronunciation
[pɛər-waɪz diː-aɪ-diː]
Analogy
Think of pairwise DIDs as having a different business card for each person you meet, rather than giving everyone the same card. Imagine if you created a unique phone number and email address for every professional contact—one set of contact details for your bank, another for your employer, a third for your doctor, and so on. While cumbersome in the physical world, this approach would prevent these different organizations from correlating your identity across contexts—your bank couldn't easily discover who your doctor is, and your employer couldn't easily find your banking relationships. Pairwise DIDs implement this concept in digital identity systems, automatically generating a unique cryptographic identifier for each relationship. Each party sees only the identifier you've created specifically for them, preventing unwanted correlation of your activities across different relationships while maintaining verifiable connection with each individual party.
Definition
A specialized type of decentralized identifier (DID) created for exclusive use between exactly two parties in a digital relationship, enhancing privacy by preventing correlation across different contexts. Pairwise DIDs enable each relationship in a blockchain identity system to use a unique identifier, preventing third parties from tracking individuals across multiple interactions while maintaining cryptographic verifiability.
Key Points Intro
Pairwise DIDs implement several key privacy principles in decentralized identity systems.
Key Points
Correlation resistance: Prevents tracking of individuals across different contexts or relationships through unique per-relationship identifiers.
Selective disclosure: Enables sharing different identity attributes in different relationships without revealing the connection between them.
Relationship-specific revocation: Allows terminating specific relationships without affecting other digital connections.
Contextual reputation: Supports building reputation within specific relationship contexts without exposing it to unrelated parties.
Example
Maria uses a self-sovereign identity wallet that implements pairwise DIDs for all her digital relationships. When she creates a relationship with her bank, her wallet automatically generates a unique DID specifically for this relationship: did:peer:1zQmXUVLaJ1y3xSQN5GY5PJ6rTPWZ. Later, when connecting with a healthcare provider, her wallet generates an entirely different DID: did:peer:1zQmPMkQrGJyb2mFGRWvk3bUz8H. Both organizations can verify Maria's necessary credentials—the bank confirms her income and credit history while the healthcare provider verifies her insurance coverage—but neither can determine she has a relationship with the other, as the identifiers share no correlatable information. When Maria later applies for a job, the prospective employer receives yet another unique DID, preventing them from discovering her banking relationships or health information without her explicit consent. Throughout all these interactions, Maria maintains cryptographic control over each relationship-specific identity while preventing unwanted correlation of her activities across different life contexts.
Technical Deep Dive
Pairwise DIDs implement several technical approaches to achieve unlinkability while maintaining verifiability. Most production systems use the did:peer method defined in the Peer DID Specification, which generates a unique DID for each relationship without requiring registration on a public ledger. The technical implementation typically employs elliptic curve cryptography to derive unique key pairs for each relationship, often using hierarchical deterministic derivation paths (similar to BIP32 in Bitcoin) from a single master seed to enable key recovery across all relationships.

For operation without central resolution, implementations use direct peer-to-peer DID resolution where each peer maintains the DID Documents relevant to their specific relationships. Communication between peers typically employs authenticated encryption with forward secrecy using the X25519 key exchange, often following the DIDComm encrypted messaging protocol. Advanced implementations support nuanced key management including key rotation, multiple signature types for different operations, and recovery mechanisms specific to each relationship context.

For credential issuance, most systems support Zero-Knowledge Proof credential formats like BBS+ signatures that enable unlinkable presentations across contexts even when credentials come from the same issuer. Security models typically implement object capability-based authorization where capabilities granted in one relationship context cannot be used in others. Advanced privacy features include blinded key hierarchies that prevent derivation path analysis, making it computationally infeasible to determine if different pairwise DIDs originate from the same root identity.
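The derivation described above, as an added example that is not code from the original page or from any Peer DID implementation: one master seed yields a distinct X25519 key pair per relationship (HKDF with a relationship label stands in for a BIP32-style derivation path), each public key is wrapped into a did:peer:0-style identifier, and two peers can still run the X25519 exchange the text mentions. The relationship labels are constructed, and the identifier encoding is illustrative: the Peer DID spec places an Ed25519 signing key (multicodec 0xed01) in that slot, whereas this stdlib-only example encodes the X25519 key (0xec01).

```python
import hashlib, hmac

P = 2**255 - 19
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def hkdf32(ikm: bytes, info: bytes) -> bytes:
    """RFC 5869 HKDF-SHA256 (single 32-byte output block, zero salt)."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder in pure Python (illustrative, not constant-time)."""
    k = bytearray(k); k[0] &= 248; k[31] &= 127; k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + 121665 * (aa - bb)) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def b58(data: bytes) -> str:
    """Base58btc (Bitcoin alphabet), the encoding behind multibase prefix 'z'."""
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def pairwise_keypair(master_seed: bytes, relationship: str) -> tuple:
    """Per-relationship X25519 pair; deterministic from the seed, so recoverable."""
    priv = hkdf32(master_seed, b"pairwise-did/" + relationship.encode())  # assumed label scheme
    return priv, x25519(priv, (9).to_bytes(32, "little"))

def peer_did(pub: bytes) -> str:
    """did:peer:0 + multibase base58btc of a multicodec-prefixed key.
    Spec uses Ed25519 (0xed01) here; 0xec01 (x25519-pub) keeps this example stdlib-only."""
    return "did:peer:0z" + b58(b"\xec\x01" + pub)
```

Because the per-relationship private keys are HKDF outputs, the bank's and the clinic's identifiers share no recoverable relationship without the seed, while the seed alone re-derives both.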
Security Warning
While pairwise DIDs prevent straightforward correlation, sophisticated behavioral fingerprinting or metadata analysis might still enable linking identities across contexts. Ensure implementations include additional privacy protections like network-level anonymity and consistent behavior patterns to maximize correlation resistance.
Caveat
Pairwise DIDs face several practical challenges including increased complexity in identity management, as each relationship requires separate key material and credential storage. The approach creates significant backup and recovery challenges compared to single-identifier systems, potentially resulting in identity loss if recovery mechanisms aren't carefully implemented. There's also a performance cost to managing multiple identifiers, particularly on resource-constrained devices. Additionally, while pairwise DIDs protect against identifier-based correlation, they don't prevent other forms of correlation through behavioral patterns, shared attributes across contexts, or temporal analysis. For organizations implementing identity systems, supporting pairwise DIDs requires more complex infrastructure and recovery processes compared to traditional centralized or even standard DID approaches.