Practical Zero-Knowledge within the European Digital Identity Framework: Implementing Privacy-Preserving Identity Checks
Name
Uuna Susanna Saarela
Abstract
The eIDAS regulation defines standards within the European Union (EU) for electronic identification, authentication, and trust services. Its successor eIDAS2 expands the standard and proposes establishing an ecosystem of interoperable national digital identity services for EU citizens. The new regulation will mandate member states to make these services available, and work is ongoing to define the technologies and protocols that will constitute the European Digital Identity (EUDI) framework. The framework is expected to facilitate many use cases that require a person's identity to be verified with a high degree of assurance. These include opening a bank account and authenticating to online services in different EU countries. It will also be possible to hold and present valid digital documents, such as driving licenses and other permits, medical prescriptions, and professional and educational certificates. Widespread adoption of the EUDI framework would significantly increase the volume of digital identification events, which include sensitive personal data and metadata about when and where credentials are used.
This poses a threat to the privacy of EU citizens who wish to access the many benefits of digital identity services. The eIDAS2 regulation includes a provision for the use of privacy-preserving technologies, which enable performing business logic on data that remains hidden. Zero-knowledge proof systems are one such technology. A zero-knowledge toolchain can be used to obtain a cryptographic proof that some statement is true while revealing nothing else about the statement itself. ZK-SecreC is a language developed by Estonian research and development company Cybernetica for writing zero-knowledge programs, which are then compiled into equivalent circuit descriptions. This thesis explores using ZK-SecreC to program the real-world identity checks performed by Finnish company Talenom in conjunction with their user onboarding process. The input data for the program is assumed to be a valid EUDI credential under the current reference architecture, and as such is formatted according to the ISO/IEC 18013-5 standard for mobile driving licenses. The technical contribution of the thesis is a ZK-SecreC program and two variants thereof that perform the desired identity checks. The runtime of the resulting circuits are benchmarked with two different proving backends. The thesis also describes the steps required to integrate zero-knowledge proofs into the EUDI architecture.
This poses a threat to the privacy of EU citizens who wish to access the many benefits of digital identity services. The eIDAS2 regulation includes a provision for the use of privacy-preserving technologies, which enable performing business logic on data that remains hidden. Zero-knowledge proof systems are one such technology. A zero-knowledge toolchain can be used to obtain a cryptographic proof that some statement is true while revealing nothing else about the statement itself. ZK-SecreC is a language developed by Estonian research and development company Cybernetica for writing zero-knowledge programs, which are then compiled into equivalent circuit descriptions. This thesis explores using ZK-SecreC to program the real-world identity checks performed by Finnish company Talenom in conjunction with their user onboarding process. The input data for the program is assumed to be a valid EUDI credential under the current reference architecture, and as such is formatted according to the ISO/IEC 18013-5 standard for mobile driving licenses. The technical contribution of the thesis is a ZK-SecreC program and two variants thereof that perform the desired identity checks. The runtime of the resulting circuits are benchmarked with two different proving backends. The thesis also describes the steps required to integrate zero-knowledge proofs into the EUDI architecture.
Graduation Thesis language
English
Graduation Thesis type
Master - Computer Science
Supervisor(s)
Peeter Laud, Chris Brzuska
Defence year
2024