hi @adecaro , I gated GetSigner() behind IsMe() to skip unnecessary idemix crypto costs for remote identities.

Hi @atharrva01 , thank you for submitting this and sorry for the late reply 🙏

I'll review ASAP. I'm curious to look at your approach more carefully 😄

Hi @atharrva01 , apologies for this late reply. I just want to double check the semantic.
I'm not sure if we are solving the problem. That code that uses the signatures might still be needed.

Hi @adecaro! You're right to flag this.

The issue is that IsMe() relies on GetExistingSignerInfo, which only tracks identities where StoreSignerInfo was previously called, and that only happens inside a successful GetSigner(). RegisterIdentityDescriptor (called at wallet init) writes to a separate table and populates the in-memory cache, but not the signer-info row. So after a restart, IsMe() can return false for a locally-owned identity that hasn't been through GetSigner() in the current process, causing the gate to skip local signing incorrectly.

I fixed it by calling StoreSignerInfo inside RegisterIdentityDescriptor when the descriptor has a signer, so IsMe() stays accurate across restarts.

Also, for idemixnym identities specifically, DeserializeSigner calls GetSignerInfo first and fails fast before any crypto for remote identities, so the expensive sign-and-verify was only being hit for raw idemix, not pseudonyms. The gate still cuts that cost.

All identity and ttx tests pass.

Hi @atharrva01 , I think we are still not there. We need to check the function DeserializeSigningIdentity in token/services/identity/idemix/km.go. That function generates a signature and verifies it against the issuer public key to make sure the deserialized signer is good with the respect to the issuer public key inside the deserializer.
Now, I think we don't need that check anymore because in

func (p *KeyManager) DeserializeSigningIdentity(ctx context.Context, raw []byte) (tdriver.SigningIdentity, error) {
	id, err := p.Deserialize(ctx, raw)
	if err != nil {
		return nil, err
	}

p.Deserialize, the code verifies the identity itself against the issuer public key.

So, I would start with a unit-test that checks that p.Deserialize fails when given an identity that is valid under a different idemix issuer public key. If this is case, then I would remove the code that generates the ephemeral signature and see if the integration tests are still happy in the CI. If unit-tests fail to show that p.Deserialize is enough to tell apart a valid identity, then, we need to check if there is some other way to optmize the code.

What do you think?

@adecaro, implemented the suggested approach.

Added a unit test (TestDeserialize_RejectsDifferentIssuerIdentity) confirming that p.Deserialize already rejects identities from a different issuer via verifyProof(), returning cannot deserialize, invalid identity.
Removed the temporary Sign+Verify block from DeserializeSigningIdentity.

One thing I noticed: identities from the same issuer but belonging to another user now deserialize successfully, since ownership of the nym key is no longer checked there. In a real deployment, Sign would still fail because the local CSP does not have the corresponding nym secret key.

That’s why I kept the earlier IsMe guard, without it, same-issuer remote signers end up causing transaction failures instead of falling back to remote signing. Happy to adjust if you’d prefer a different direction.