Cryptographers’ Feedback on the EU Identity Wallet

June 23, 2024

A handful of cryptographers were asked for feedback on the architecture of the European Identity Wallet (the Architecture Reference Framework (ARF), currently at version 1.4.0). We seized the opportunity to write a short report to urge Europe to reconsider the design, and to base it on the use of anonymous (aka attribute-based) credentials.

Anonymous credentials were designed specifically to achieve authentication and identification that are both secure and privacy-preserving. As a result, they fully meet the requirements put forth in the eIDAS 2.0 regulation. (The current design does not.) Moreover, they are by now a mature technology. In particular, we recommend using the BBS family of anonymous credentials, which are efficient and mathematically proven secure.

We additionally recommend that the EU wallet be designed following the principle of crypto-agility, meaning that its underlying technologies can be upgraded quickly in the future if the need arises. This is necessary to migrate to quantum-safe schemes once quantum attacks become practical. This is not an immediate concern at the moment, because anonymous credentials are used for authentication and thus the integrity protection is very short-lived and does not need to be guaranteed for a very long time. Currently, there do not exist practical anonymous credential schemes that are plausibly post-quantum secure. At the same time, the hash and signature-based mechanism currently being proposed is neither post-quantum secure nor privacy-preserving.

Jorn Lapon, 2024-06-23

Hi Jaap-henk,

Still following your blog 😉.

I hope it's the right time and you really can make a difference and bring it to practice. Revocation is indeed still a problem. Short-lived creds are good. You might combine it with proving that it is not revoked, e.g. with accumulators, only in special cases in which the lifetime is too much. E.g., only in case of signing contracts.

Keep up the good work!

Jorn
