EUDI Wallet: Technical aspects (Part 2)

In the article EUDI Wallet: Technical aspects (Part 1) we delved into the various states the EUDI Wallet can take and its intended ways of keeping the users’ privacy protected. For that matter, we only touched the surface of the EUDI Wallet trusted means. This piece will underline the Wallet’s actual root of trust and the cryptographic mechanisms that can ensure this trust; namely digital signatures. In conclusion we will introduce Zero-Knowledge Proofs (ZKPs) and their role of bridging trust and privacy.

The trust-enabler: digital signatures

Due to their robust cryptographic underpinnings, digital signatures are a fundamental trust-enabler in the digital world. At the core of this technology lies a pair of cryptographic keys: a private key and a corresponding public key. To create a digital signature, a signer uses his or her private key to generate a unique mathematical representation of the data being signed. This signature is specific to both the data and the signer's identity. Upon verification, the recipient can use the signer's public key to authenticate the signature's integrity and origin. The strength of this process lies in the asymmetry of the keys – the private key remains securely held by the signer, while the public key can be freely shared without compromising security.

Digital signatures provide several critical benefits for trust-building. First, they ensure data integrity, as any modification to the signed data would invalidate the signature during verification. Second, they establish authenticity, as the recipient can verify the signer's identity through the associated public key. This helps to prevent impersonation and ensures that the signature belongs to the claimed individual or entity. They also offer non-repudiation, meaning the signer cannot deny his or her involvement in signing the data since the private key uniquely corresponds to them.     

Digital signatures play a crucial role in ensuring the authenticity and integrity of entities' credentials within the EUDI Wallet. These credentials are signed by authoritative bodies listed in the Trusted Lists, which are recognized as trustworthy sources; hence their crucial role as roots of trust.

Trusted Lists

The Architecture Reference Framework (ARF) defines Trusted Lists as follows.

Repository of information about authoritative entities in a particular legal or contractual context which provides information about their current and historical status. Trusted Lists can be implemented in different ways.

These repositories are the means for verifying any claims related to the EUDI Wallet, whether from checking a user’s credential or a Trusted Service Provider (TSP) is genuine or verify that data is shared with a legitimate entity. In essence, Trusted Lists are the roots of trust of the EUDI Wallet.

This system of trusted lists is not a new idea in the European digital world. For example, the Electronic Identification, Authentication and Trust Services (eIDAS) Regulation mandates Member States “to establish, maintain and publish trusted lists of qualified trust service providers and the services provided by them". As for the European Union Digital COVID Certificates (EU DCCs), their authenticity and integrity were validated against a list of Certification Authorities (via public-key certificates). 

By maintaining a comprehensive and up-to-date trusted list of qualified providers, eIDAS ensures that users can confidently engage in electronic transactions. eIDAS is fostering a safe and trustworthy digital environment across the EU through the validation of the eSignatures and eSeals genuineness within the common market.

The EUDI Wallet has similar purposes, except that the trusted commodities shared and used between European entities are attestations and personal attributes.

Zero-Knowledge Proofs: the bridge between trust and privacy

We have determined that digital signatures serve as a method for acquiring trust. This trust ultimately relies on the inherent trustworthiness of a central authority and it entails the sharing of data with the verifier, facilitating the verifier to confirm the authenticity of the data through the associated digital signature. But what if the data owner lacks trust in the verifier regarding his or her data but still desires the verifier to validate his or her claim? Cryptography has an answer: Zero-Knowledge Proofs (ZKPs).

ZKPs are cryptographic protocols that authorize one party (the prover) to demonstrate the validity of a statement to another party (the verifier) without revealing any specific information about the statement itself. In simpler terms, it allows the prover to prove the truth of a claim without disclosing the underlying data or the details of the claim.

In the context of the EUDI Wallet, ZKPs can be used to prove a certain attribute or credential of an entity while maintaining the privacy of its data. For instance, let us say a verifier needs to verify that an individual is above the legal drinking age without knowing his or her exact birthdate. With a ZKP, the prover (individual) can demonstrate that he or she is of legal drinking age by providing a proof without revealing his or her birthdate or any other unnecessary personal details.

This approach ensures that sensitive information remains private and secure and at the same time allowing entities to assert specific claims about their attributes or credentials. For this reason, ZKPs could be a powerful tool for enhancing privacy and data protection in the EUDI Wallet, endorsing secure and confidential interactions between users and services while maintaining trust in the system. The ARF currently does not include provisions for the use of ZKPs, but it does recommend the adoption of a credential format that is compatible with them, like the World Wide Web Consortium (W3C) Verifiable Credentials (VC).

Last two articles looked into the vital technical elements foreseeing the secure ecosystem of the EUDI Wallet. In the next publication we will present some of the possible Wallet use cases, concluding the articles series.