This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
Cryptographers' Feedback on the EU Digital Identity’s ARF #200
Comments
|
Hello,
In order to give more credibility to the last point, we just posted a proposal explaining how BBS/BBS+ can be implemented with already deployed SEs in a very efficient way. This can even be made compatible with mDL / SD-JWT. |
|
I believe this document addresses details of #193, among other issues. |
|
@ad-Orange: thanks for your comment! Indeed, your post seems extremely relevant. Glad that we are all in agreement! |
|
The one main question still is: Why signing at all?! We successfully showed in BSI TR-03110, TR-03130, etc. how to perform ephemeral authentication without having to sign anything without the need of "zero knowledge proof" or similar algorithms. 15 years ago and every single bit of it is still valid. The main problem of "verifiable credentials" is 3rd-party-verifiability by unauthorized, illegal / criminal 3rd parties. Also introducing data protection issues when verifiable credentials are accumulated at service providers. Verifiable credentials have their origins in the idea of "signed tokens" as used in OpenID Connect / OAuth2 tokens and SAML2 assertions (this was back in 2001!). The concept of unprotected CWT (RFC 8392) claims set in COSE (RFC 9052) revives the idea of using encrypted, authenticated point-to-point channels to securely transmit all required claims WITHOUT SIGNATURES: One could think about a hash or set of hashes to double-check overall integrity. But the idea of signing personally identifiable information is bad, obsolete and not needed at all. Proven during the past one-and-a-half decades in one of the largest EU member states. Best, Edit 1: added missing link to current IETF draft for UCCS. |
|
I fully support the general recommendation towards more privacy-tailored cryptographic approaches, such as BBS/BBS+ Signatures, which has been put forward in this issue. In addition, I would like to mention the following two points:
|
|
@kernoelpanic Thanks a lot. As we're on the jump to post quantum cryptography or currently hybrid mechanisms as well we need versatile "basic" cryptographic primitives. BBS / BBS+ is a DEAD END STREET under the view point of crypto agility and especially forward towards PQC interoperability. |
|
@ckahlo I would not call BBS/BBS+ a "dead end", it is probably the most thoroughly researched algorithm specifically designed for the use case at hand and the most advanced in terms standardization (compared to other newcomers). Is it perfect? Probably not, as nothing will be. I am getting your point regarding signatures and 3rd-party-verifiability and the demand for repudiation, which I also support. Although BBS+ as put forward in the RFC does not have this as an explicit goal, I believe the underlying primitives can be used to achieve schemes which can do it, at least with a performance decrease e.g, when used interactively (please correct me if I am wrong). So assuming, repudiation/deniable authentication could also be solved, what remains is the threat of a quantum computer, but abandoning a by-today's-standards well thought through approach that ticks almost all boxes (maybe all with some tweaks) because of this is also not the way to go my opinion. This does not mean, that we should not consider upgradeability right from the start. Generally, it would be a good idea for the discussion to agree on a prioritized list of boxes which should be ticked by a solution first. Maybe, there is no one-size-fits-all solution ... |
|
Please note that the main basis for this document is the published legal text of the regulation, i.e. the list of requirements (unlinkability, selective disclosure, pseudonymity, etc.) is taken directly from the regulation. We intentionally did not want to go through the requirements analysis itself, because this is defined in the law at this point. |
|
@kernoelpanic As regards to repudiation, there is indeed a technology invented in 1996 to implement plausible deniability for all ZKP based anonymous credentials. We detail its use with our BBS# proposal in page 20 of our paper (it is called DVP and referenced as [JSI96]). Please also note that contrary to popular belief, interactive ZKP do not provide plausible deniability. |
|
@ad-Orange Following IT-Security best practices:
that the user does not need to rely on trusting the relying party that they do not forward the tokens? If we also take the eIDAS2 requierments by heart following security by design at state of the art, do you see a way around 2FA for LOA high including an airgapped physical token? |
|
@ckahlo So in essence, you are opposing a possible but as of yet hypothetical threat (“quantum supremacy”) to a legal requirement (respect of GDPR including minimization and unlinkability) due today. Furthermore, it's not even clear how you would end up being GDPR compliant with your so called 'versatile "basic" cryptographic primitives'. Now, let’s talk about authenticated channels:
As long as there is no clear advantage identified today for authenticated channels as opposed to other proposals (including the paper we just posted), especially taking into account the constraints that will be there at the launch of eIDAS in a few years, it doesn’t seem like less of a “dead street end” than BBS/BBS+… |
|
@LittleDetritus, I'm not sure you are understanding how DVPs work. Basically, you can steal or forward the ZKP to anyone you want, they will not be able to assess their validity (except its designated target, e.g. the verifier to whom the holder is doing the presentation). Once again, it's a technology that dates back to 1996 and how to use it in the realm of BBS signatures is explained in our paper around page 20. |
|
Speaking as an Editor for the W3C work cited in the paper (W3C Verifiable Credentials, W3C Data Integrity, the W3C Data Integrity BBS Cryptosuite), and as someone deploying that technology with national and state governments globally, I agree with the findings of the cryptographic review and the experts that put the paper together. The current approach taken by SD-JWT is deeply flawed, as it relates to unlinkability and cryptographic agility, and has been flawed from the beginning. This has been expressed multiple times over the years, but the review from the cryptographic experts listed above hopefully places more weight on the previous criticisms of the use of SD-JWT. It is not fit for purpose for the EU's Digital Identity initiatives. I will also note that the W3C VCWG has known about these limitations for years and has provided a viable alternate path via W3C Verifiable Credentials, W3C Data Integrity, and the W3C Data Integrity BBS Cryptosuite. Additionally, future cryptographic innovations utilizing W3C Data Integrity wouldn't require a format change, by design. The same cannot be said for VC-JWT, SD-JWT, or JWP. I will also note that a review of the ARF's data model choices and cryptographic primitives have not been requested of any W3C Working Group. I would strongly suggest that the European Commission (or relevant body) officially request a review from the W3C on the ARF, as many of the experts in the W3C would not feel comfortable volunteering an unsolicited review. |
|
@ckahlo the German solution is well-known and from security point of view the best solution. The disadvantage: Lack of adoption. Germany achieved 15% usage rate after 14 (!) years since publishment Your statement " But the idea of signing personally identifiable information is bad, obsolete and not needed at all. Proven during the past one-and-a-half decades in one of the largest EU member states." is a bit wrong looking at the less usage rate in Germany. Looking at Germany its proven that the German approach was best for security because it also mitigates the biggest security risk - the user. "One could think about a hash or set of hashes to double-check overall integrity." - a hash without PoE is useless. Majority of EU Member states use signed data in eID: Which fraud identity or data dealers for which signed eiD Data from which eID means based on which eID Scheme do you know? Please provide so that we can analyse commonly. This information is essential to assess the security risk and possible measures |
|
At first: I gave a ❤️ emoji to the initial post, because I totally AGREE on BBS+ in case one has to rely on software certificates or weak key stores like Androids StrongBox or Apples SecureEnclave. In absence of stronger protection mechanisms of the private key, signed ID data is the only option we have. I am very well aware of that and was looking for a clear answer, because we're talking about secure elements as if this was the very same thing as well. So, without a secure element of any kind: BBS+ is probably the best way to go. Authenticated channels would lead to forgeable identities if the authentication key is leaked. A clear no-brainer I assume. @ad-Orange 1st comment: my question "why signing at all" wasn't with repudiation in mind, it's an option. Reduced to repudiation I might agree. @ad-Orange 2nd comment: Thanks for https://github.com/user-attachments/files/15905230/BBS_Sharp_Short_TR.pdf,
Authenticated channels:
BUT: I would be interested in having a closer look into the backgrounds of your paper. Because from I would be happy if we could confirm your findings from your paper and would encourage our BSI to have a closer look at it. If it works out, we could push it together. Hint: I've some dozen top-notch secure elements here - but older ones as well. :-) @KeepTrust: what a bold comment from an account created just 15 hours ago! That being said: Germany has a high population density with a good offline infrastructure compared to more rural areas within the EU. Additionally there is the "silver generation" with a fear of technology. Let's have a look how the adoption in the EU will be before judging too early. Technically the usage rate is not linked to the underlying protocols. We started to issue the first And we're also aware about some EU members not applying any reasonable security measures as well! Thanks for the fish. Just a hint: use Google with "estonian identity disaster", look up how Petr Švenda became able to impersonate basically everybody in Estonia. And continue, there are more examples. But that's your homework, not mine. From my side this is end of discussion. Good bye & good night, |
|
@ckahlo Interesting comment. REality on eID in Germany. The reality is given below. Adoption in Europe https://www.strategyand.pwc.com/de/en/industries/public-sector/global-eid-country-report.html https://www.zealid.com/en/blog/the-state-of-eidas-eid-and-impact-on-the-eu-wallet eID is no QES as you may know - so bad argument Estonia is > 8 years old and no Identity trade or similar. So long story short: Your arguments are less. 29 of 31 EU/EFTA Members use signed data - no Identity Thefts nor trade known. So please do your homework and look at real issues |
|
@KeepTrust You're citing the old survey numbers from June 2021. Please read again what I said above. And I never said "QES is eID". I said "signature based schemes" claimed as eID - basically all the countries you mention. And please re-read the part about BBS+ support in secure elements. @ad-Orange claims this to be solved and I said I would be happy if this is the case. But I don't see any support for real ECSchnorr in "standard secure elements on the market" as claimed in the paper. We all agreed on SD JWT being flawed as @msporny also said. So to support a PQC-forward selective disclosure scheme with all the properties defined by the ARF on current secure elements I am still at https://datatracker.ietf.org/doc/draft-ietf-rats-uccs/. Well, the Estonian model has no way to detect forged identities and if the private key is known to the attacker it doesn't matter anymore if you "know" about the theft. The theft happened already, if used or not does not matter for the situation. So, your ad hominem "your arguments are less" from an anonymous(!) account applies very well to yourself. Edit1: BTW, BSI confirmed BBS+ has not yet seen any national standards body for review or standardization. This should happen as soon as possible. I've no personal feelings about which national standards body this is. |
|
@ckahlo ELSTER is a software certificate and only authentication no identification mean. You That PID on SecureElement is most secure solution is common sense. But as you can see in decision by German Federal Office for Information Security: It The Estonian Breach didn`t lead to identity theft nor identity trade. The lessons learned are different from your claims. The issue was not related to signed data in SmartCard. And the issue was eliminated 2017, means your claims on Estonian eiD are not valid anymore. https://ria.ee/media/742/download https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3644664 Except this thread there https://decentralized-id.com/web-standards/w3c/verifiable-credentials/jose-jwt+cose-cbor/ The standardization on signatures in ongoing in ETSI ESI - with currently no view on BBS+ as it`s not established yet. The cryptographers feedback is great but has to be analysed further without the mission to sell one solution on how to put the PID in EUDIW. |
|
I suggest opening a separate issue for proposing schemes that do not rely on asymmetric signatures, as that would be a completely different approach to the ones analyzed in this paper. It seems hard to discuss the technical details of two completely different approaches, even if the main security and privacy requirements largely agree. |
|
@ad-Orange: there is no contact info in the paper you posted, and no contact information for you in your GitHub profile. How do we get in touch with you? |
|
@rmayr I fully agree on that. Neithertheless I wanted to hear your opinions and I think the discussion already solved a part of that. |
|
@KeepTrust You don't need to tell me about TRs I know. And I am not comparing apples and oranges, I am pretty aware of the different LoA levels and I hope ELSTER will never be LoA high - as it is clearly not suitable for that. While "qualified" signature cards - as accepted by ESLTER as well are considered to fulfill LoA high. But we're not discussing LoA levels here. My argument about Estonia AS AN EXAMPLE is still valid, because what I said is not introducing such problems AGAIN. If you need to discuss anything regarding SD JWT vs. BBS+ talk to @rmayr, @alysyans, @msporny but NOT TO ME. |
|
@msporny "The current approach taken by SD-JWT is deeply flawed, as it relates to unlinkability and cryptographic agility, and has been flawed from the beginning. This has been expressed multiple times over the years, but the review from the cryptographic experts listed above hopefully places more weight on the previous criticisms of the use of SD-JWT. It is not fit for purpose for the EU's Digital Identity initiatives." This can`t be confirmed based on results of Large Scale Pilots. Unlinkability required by law see Art. 6 ff. eIDAS 2.0. It fits perfectly for EUDIW as it allows integration of W3CVCDM but also JAdES Signatures which are widely used across Europe and as AdES easily adoptable by existing QTSP. @ckahlo: Signature Cards don´t fulfill LoA "high". The LoA is related to eID Schemes and means only. See. Art. 8 eIDAS. As you can get a Signature card with VideoIdent - it will never fulfill LoA "high", You are seemingly done with everything which fits not in your mission to sell one solution which was stopped by German BSI due to lack of adoption. BBS+ has to be evaluated correct but not from National Standardization Body but European one as only standards from ETSI/CEN will be referenced by implementing acts and so relevant for eIDAS. Your claims on SD-JWT are limited as the format also used for QEAA, not only PID and "So to support a PQC-forward selective disclosure scheme with all the properties defined by the ARF on current secure elements I am still at https://datatracker.ietf.org/doc/draft-ietf-rats-uccs/." would IMHO not fit but if you have further knowledge on this please elaborate. Your claim " But the idea of signing personally identifiable information is bad, obsolete and not needed at all. Proven during the past one-and-a-half decades in one of the largest EU member states." remain unproven as German eID lacks of utilization - which was reason why SmarteID stopped. |
|
@KeepTrust Again, I am NOT involved in Smart-eID. I NEVER WAS involved in the Smart-eID project. My part in the past (literally 5 years ago!) delivering prototypes long before Smart-eID started was related to technical evaluation. And I am not selling anything to anybody, I am not "Sales". I was just trying to help realizing the idea "eID on mobile device". NOTHING ELSE. Smart-eID was not stopped by BSI. And it was not stopped because lack of adoption, it was stopped by BMI, because the SRPIN-D challenge should be started. You're mixing up things completely. Consider ETSI being a "national standards body" on EU-level, I am fine with that. For the others: @KeepTrust is obviously some German account involved in the OpenID4VC / SD JWT implementation for SPRIN-D. As you can see WE DO NOT AGREE :-) @ad-Orange: may be that helps to understand not every German is the same ... |
|
@KeepTrust wrote:
As hesitant as I am to respond to an account that was created less than 24h ago... There has been very little focused effort or work in the W3C VCWG on how the W3C VCDM works with SD-JWT. For example, there is no guidance how contexts at multiple levels of objects in the VCDM would work with SD-JWT, no guidance of how Additionally, the group has done zero official review on SD-JWT-VC (or whatever that alternate format which claims to be VCDM compatible, but doesn't seem to actually be compatible, is called these days). Some of us have seen presentations with flawed premises, but are unsure where the work is these days. If anyone associated with the ARF believes that SD-JWT can encapsulate VCDM in its current form, they are misinformed. Again, I suggest the relevant parties set up a liaison relationship with the W3C VCWG and work with the group to determine a safe profile for the EUDIW, or at least get some official review on what the ARF is proposing, whether that is SD-JWT or SD-JWT-VC or something else. |
|
@msporny As polite as I`m I focus on content not on the time an account was created. The standardization on SD-JWT VCDM is ongoing and currently your claim that SD-JWT and W3C VCDM 2.0 are not compatible is wrong. The official review of ARF is done in LSP - so already ongoing. There are many subjects in optimizing SD-JWT (e.g. possibility for lightwight signing with JAdES Signatures for Integrity proof and fulfilment of Annex V eIDAS. The W3C VCWG is currently not involved in ARF process, the work on SD-JWT VCDM is ongoing in European Standardization bodies. So if W3C WG has concrete claims would be great if you contact eIDAS Toolbox Group or ETSI/CEN. Long Story short: You focus on wrong group to get the status quo. So if you focus on W3C VCWG and use this as basement for your claims - you are misinformed. Means the relevant parties already work to determine a safe profile for the EUDIW, What ARF is proposing can be seen in ARF... @ckahlo "Smart-eID was not stopped by BSI" - the reality given in following Video: https://www.youtube.com/watch?v=LHMIYTZc2SM (from 6.58h). The SPRIND Challenge started in March, the stop of SmarteID was in December 2023.... You was involved in previous projects as you mentioned on which SmarteID was based on - so fully understandable that you propose this approach (which from security point of view is best one - but lack of adoption which was one main reason why SmarteID was stopped - but planned as final goal for German EUDIW as BSI mentioned) ETSI = European Standardization Body not national one. BTW: I don`t work for SPRIND but thanks for the flowers ;-) |
Please identify yourself, you seem to be speaking on behalf of ARF. Who are you? |
|
@msporny Nobody is allowed to speak on behalf of eIDAS toolbox except maybe Paolo da Rosa but I |
Then, identify yourself, please. |
|
@KeepTrust hiding your identity, pretending be an insider, making bold statements, and creating distrust in a discussion that must be transparent - as it is in every EU citizens interests - makes your comments irrelevant and possibly even a threat. How is the weather in Moscow today? |
First - compliment for addressing the main issues so clearly. ARF is obviously not compliant legally nor state-of-the-art technically. Whatever the reasons. Second - we support the main discussion and support for BBS-style credentials as a key building block. BBS# (when scrutinized) look like a good first step. Third - it is, however and without contradicting the first two above, also clear the this minimum credential approach may be able to support simple transactions, but most realworld transactions such as all ARF Use Cases require moving beyond this integrating different technologies and supporting multiple issuers, providers and more complex security requirements. We will be incorporating trustworthy PKI and atomic credentials within the present standards as a way to resolve these critical issue even more generic in the basic structures IN ADDITION to BBS# on the application layer. |
|
@ckahlo • Hardware support: We much prefer ECSDSA / ECSchnorr to ECDSA due to better theoretical security properties but as explained above, both work. • As you probably understand, BBS# is quite new, but: • BBS# has the everlasting / unconditional privacy property • For crypto agility for PQC, I think the situation is all but clear and I wouldn’t draw immediate conclusions on the present from forward looking assumptions about the future • For authenticated channels, I’ll try and be brief but basically, while they were probably amazing for Germany when it was first invented decades ago, we have much better tools today as advocated by these renowned cryptographers in their position paper: “Our specific recommendation is to use the BBS family of anonymous credentials” |
|
As a side note, please use the Markdown formatting when composing the messages. It's really hard to follow the discussion when the messages are filled with ad-hoc formatting characters and there's no proper spacing between paragraphs, lists, and headings. Also, when replying to a message, please use proper quotations. Thanks! |
|
@ad-Orange thanks a lot for your response, I'll try to make it short and clear as possible:
Thanks for this clarification. In the meantime I had more time to read your paper more thoroughly and realized you were talking about ECDSA and ECSchnorr as two options. And thanks for pointing out, you don't need to use Weiterstraß transformations of other curves, but can work with standard curves. It also helped pointing out, that the complex operations are done on the mobile device as already shown 2016/2017 with MAC_BBS. As said I am aware of the paper.
Totally agree. ECSchnorr has even more desireable attributes. That's why it is used in Chip Authentication v3. (BSI TR-03110-3)
Of course CSP is deployed to "higher end" embedded secure elements, but don't expect it to be "everywhere".
Yes, HSMs and on natively programmed (no GlobalPlatform/JavaCard) Secure Elements as well, but those aren't used within mobile phones. They only would be an option for air-gapped devices.
I saw that and I simply said "let's have peer reviews on your paper" and "a standards body should evaluate and standardize it".
. . .
Again: it is NOT about believing someone. It is about peer review, evaluation and standardization. Don't get triggered just because I say "let's have a closer look and let's have a review from other experts". So, all I say: let's have a review und evaluation.
Again, I am not against BBS+/# and I also said those approaches are older and were implemented in abscence of better choices. BUT: authenticated channels also have more and other properties than just credential transport. They also ensure an encrypted link between the authenticating and relying parties cryptographic endpoints.
Please don't mix up toy secure elements and EAL5+. Show me an attack on NXP P71D321 and I might change my mind. :-)
First: I would probably not agree with keeptrust on anything, it may happen by accident. But it is not the intention of keeptrust.
Correct, you missed the point I was never talking about the "German ARF" as I said in my reply before: I am NOT involved in that. You may ask that question to someone in charge of the "German ARF", of course. But I am the wrong contact person in this case.
1 and 2 is also described in the ANSSI-version of TR-03110. The document signer lifetime is subject to issuance policy. But as you also can see it is clearly en vogue in Germany to discredit and attack people - and this is a long story. I probably even know the person behind keeptrust and it's probably already blocked by me on other plattforms. I hope we can agree on: moving forward is a good option.
The same applies for authenticated channels as this is only one ECDHE-private key (or a PQC KEM scheme) with a KDF creating the key material for AES-GCM / AES-CMAC - whatever you want. Sorry for the harsh words, but please have a closer look at the previosly mentioned technical reports before doing such claims.
First: this was never subject to the "old system". And again: take this an example, I'm not saying we have to stick to that.
It is, you should read before making such claims. As restricted identification splits the revocation information in an ECDHE-manner on the "document signer CA"-level, the point where the relying party keys are known.
It mostly depends on secure element support and peer review and standardization of your paper as said before. Thanks & best, Edit1 PS: regarding the BBS# / authenicated channels comparison from above. You could also use this very exact private ECDSA signer key and sign the emphemaral chosen public key for ECDHE ... so implementation properties are reduced to "securely store an ECDSA" key. ;-) And this is hopefully a point we can also agree on. Anyway thanks for discussing as well! I am sure this also helps to emphasize the key facts of your (BBS#) and BBS+ work. |
The authors of the feedback document are confident that anonymous signatures based on BBS are relevant to the ARF, in particular that they are practical and secure. Anonymous credentials are described as a mature technology well understood by the scientific community. Tessaro and Zhu recently noted that analyzing the security of the (entire) credential system is non-trivial. I am a bit confused.
|
So you just chose to ignore the regulation considering your opinion more valid than the regulator? Unlinkability is not "limited benefits" - it is a difference between a functional market-based democracy or not. Without this, all transaction will feed centralized profiling. |
|
Unlinkability is not simply a function of a cryptographic format. Its also impacted by ecosystem properties, such as competition / concentration, and protocol support. I would recommend considering security based on the protocol and format, and not just looking at the format by itself. |
|
@OBIvision: I agree on the unlinkability pattern. However, for centralized profiling due to observing transactions this would imply the observer is able to see the transaction (... in clear-text or harvest-now,decrypt-later pattern as mentioned with the Y2Q link from above). This is the case e.g. for TLS-breaking company proxies. On the other hand unlinkability towards the relying party relies on the user not providing attributes or other means of information undermining unlinkability. We had these discussions a lot with restricted identification as the goal of RID was making it impossible for 2 or more relying parties to match their users using RID credentials. In past discussions with Thomas Lohninger / EDRi I explained the concept of RID for unlinkablity in existing systems as a reference. I, myself, also proposed unlinkability in past EU meetings in 2022. It heavily depends on what you want to achieve by "unlinkability" - hiding from observers, or having "pseudonymous" (as anonymous makes it impossible) accounts at service providers. Best, |
A quick (rookie) question, if allowed, would this work with TPM 2.0? |
|
@veikkoeeva Yes. E.g. ECSchnorr as signing scheme in the toolchains. The TCG specs also specify it. |
It is pretty clear that ARF is heading for BIG TIME failure - doing the exact opposite (i.e. total surveillance) of what is needed (empowerment of citizens). |
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
and others
The EUDI Wallet Team of the European Commission invited subject-matter experts (i.e. cryptographers) to participate in a Webex meeting on June 5th or 6th, 2024, in which the team presented their current design of the EUDIW (ARF version 1.4.0), and requested feedback. They specifically requested feedback concerning attestations and zero-knowledge proofs. Our feedback is in this document: cryptographers-feedback.pdf
The attached document was co-authored by and thus represents the consensus opinion of the following cryptographers who were present on one of the two calls:
Carsten Baum, Technical University of Denmark
Olivier Blazy, École Polytechnique
Jaap-Henk Hoepman, Karlstad University & Radboud University
Anja Lehmann, Hasso-Plattner-Institute, University of Potsdam
Anna Lysyanskaya, Brown University
René Mayrhofer, Johannes Kepler University Linz
Hart Montgomery
Ngoc Khanh Nguyen, King's College London
abhi shelat, Northeastern University
Daniel Slamanig, Universität der Bundeswehr München
Søren Eller Thomsen, Partisia
Five additional experts (who were unable to participate in the calls, but carefully reviewed the ARF and other relevant materials) also co-authored this document:
Jan Camenisch, Dfinity
Eysa Lee, Brown University
Bart Preneel, KU Leuven
Stefano Tessaro, University of Washington
Carmela Troncoso, EPFL
Executive summary:
The eiDAS 2.0 regulation (electronic identification and trust services) that defines the new EU Digital Identity Wallet (EUDIW) is an important step towards developing interoperable digital identities in Europe for the public and private sectors. The regulation, if realized with the right technology, can make Europe the front runner in private and secure identification mechanisms in the digital space, and act as a template for future digital identity systems in other regions.
Unfortunately, we believe that some of the currently suggested design aspects of the EUDI and its credential mechanism fall short of the privacy requirements that were explicitly defined after extensive debate in the Digital Identity regulation. The main reason for this shortcoming in the current proposal is that it relies on cryptographic methods that were never designed for such requirements.
We do not see a way to fix the proposed solution to meet all the privacy features as required by the regulation; we believe that a larger redesign is in order.
In this document, we propose to use a different cryptographic mechanism instead; namely, anonymous credentials. Anonymous credentials were designed specifically to achieve authentication and identification that are both secure and privacy-preserving. As a result, they fully meet the requirements put forth in the eiDAS 2.0 regulation. Moreover, they are by now a mature technology. This technology was developed more than twenty years ago, and extensive efforts have been expended to analyze, improve, implement, standardize, test, and deploy it. Anonymous credentials are well understood by the scientific community.
Our specific recommendation is to use the BBS family of anonymous credentials. For BBS, thanks to prior work by the W3C, the Decentralized Identity Foundation, IETF/IRTF, ISO, and other standardization bodies, as well as the availability of open-source software libraries, the EC can develop a standard and reference implementation with only a modest effort. We additionally recommend that the EUDI be designed following the principle of crypto-agility, meaning that its underlying technologies can be upgraded quickly in the future if the need arises.
We thank the EC for this opportunity to weigh in. We would be excited to continue to provide feedback on this important endeavor, and see this document as the beginning of a longer dialogue.
cryptographers-feedback.pdf
NOTE: We are still polishing the document for readability and adding pointers to relevant literature; an updated version will likely be posted here in the near future.
The text was updated successfully, but these errors were encountered: