The Self-Sovereign Identity (SSI) is a decentralized paradigm enabling full control over the data used to build and prove the identity. In Internet of Things networks with security requirements, the Self-Sovereign Identity can play a key role and bring benefits with respect to centralized identity solutions. The challenge is to make the SSI compatible with resource-constraint IoT networks. In line with this objective, the paper proposes and discusses an alternative (mutual) authentication process for IoT nodes under the same administration domain. The main idea is to combine the Decentralized IDentifier (DID)-based verification of private key ownership with the verification of a proof that the DID belongs to an evolving trusted set. The solution is built around the proof of membership notion. The paper analyzes two membership solutions, a novel solution designed by the Authors based on Merkle trees and a second one based on the adaptation of Boneh, Boyen and Shacham (BBS) group signature scheme. The paper concludes with a performance estimation and a comparative analysis.

翻译：自我主权身份（Self-Sovereign Identity, SSI）是一种去中心化范式，能够实现对构建和证明身份所需数据的完全控制。在具有安全需求的物联网网络中，自我主权身份可发挥关键作用，并相较于集中式身份解决方案带来显著优势。其挑战在于使SSI与资源受限的物联网网络兼容。基于此目标，本文提出并探讨了一种适用于同一管理域内物联网节点的替代性（双向）认证流程。核心思路是将基于去中心化标识符（Decentralized IDentifier, DID）的私钥所有权验证与DID属于动态可信集合的证明验证相结合。该方案围绕成员证明这一概念构建。本文分析了两种成员解决方案：作者基于默克尔树设计的新型方案，以及基于Boneh、Boyen和Shacham（BBS）群签名方案改进的第二种方案。最后，本文通过性能评估与对比分析进行了总结。