Hasso-Plattner-Institut
Prof. Dr. Anja Lehmann
 

Anonymous Credentials for the EUDI

We are working on the cryptographic foundations of anonymous credentials to enable their integration in the upcoming European Digital Identity (EUDI) wallet. This work is funded by SPRIND. 

Anonymous credentials are the privacy-preserving version of traditional certificates. After receiving a credential with attested attributes from a trusted issuer, users can derive presentations that a third party (the “relying party”) can verify. With every presentation, the user can choose which subset of the attested information to present, and each presentation is unlinkable. That is, if users do not share identifiable information in their presentations — for example, merely proving they are over 18 — the relying party cannot track or correlate their presentations. This can be done repeatedly from the same base credential (multi-show unlinkability), and even holds when the issuer and relying party collude. These features are enabled by a technique called zero-knowledge proofs. Zero-knowledge proofs allow one to prove that a statement is correct without revealing any information about why. In the context of anonymous credentials they are used to prove knowledge of a credential for the presented attributes – convincing the relying party that the information is indeed correct, without revealing anything about the underlying cryptographic evidence.

The built-in privacy features set anonymous credentials apart from traditional certificates, making them the ideal solution for satisfying all privacy requirements for the EUDI wallet, as specified in the eIDAS 2.0 regulation. For more information on this assessment, see the Cryptographers’ Feedback (06/24) or Anja Lehmann’s talk at the Real-World Crypto Symposium 2025

The lack of established standards and deployed support for device binding has hindered their adoption so far, and our project aims at closing these gaps.

 

Resources & Results

Here we list our recent research results and survey articles in the context of a ZKP-based EUDI Wallet.

Overview and Standardisation

  • SoK: Anonymous Credentials for Digital Identity Wallets. Christian Bormann, Anja Lehmann (SSR 2025). Survey article on the landscape of anonymous credentials and their trade-offs in the context of digital identity wallets.
  • Vision: A Modular Framework for Anonymous Credential Systems. Anja Lehmann, Andrey Sidorenko, and Alexandros Zacharakis (SSR 2025). This work discusses how to modularize the cryptographic protocols for anonymous credentials, such that the standardized components can be used outside of the EUDI context too. For the EUDI wallet context, a particular focus is on a modular solution for device binding of BBS credentials to legacy phones, that only support ECDSA-signatures.
  • EUDI Wallet Technical Specification (TS14). We have contributed to the technical specification (TS14) for a ZKP-based EUDI Wallet, and are currently working on the corresponding standardisation in ETSI.

Demo & Implementations

Device-Binding

Credentials deployed in digital-identity systems must satisfy non-transferability: only the rightful holder should be able to use a credential, which should resist copying and sharing. In practice, this property is achieved through device binding. Here, the credential is bound to a cryptographic key stored inside a secure element (SE) on the holder's device. When the credential is presented, the holder generates a fresh signature under the matching secret key - a proof of possession. Since the key itself cannot be exported from the SE, using the credential is impossible without access to the device on which it resides.

  • Device Binding for Anonymous Credentials on Legacy Phones. Sofia Celi, Anja Lehmann, Shai Levin, Alexandros Zacharakis. Deploying anonymous credentials in the EUDI Wallet is hindered by the fact that the secure hardware in today's smartphones only support legacy algorithms like ECDSA, not the cryptography required by native device binding protocols for anonymous credentials. We address the gap by showing how to prove possession of an ECDSA signature under a committed device public key, so that ECDSA device binding can be composed with a modern credential layer. We present several approaches, offering trade-offs between implementation simplicity, standardization compatibility, and efficiency.  
  • Device-Bound Anonymous Credentials With(out) Trusted Hardware. Karla Friedrichs, Franklin Harding, Anja Lehmann, and Anna Lysyanskaya (Eurocrypt 2026). We propose simple device-binding solutions for BBS credentials, that require little - or even no - trust in the secure hardware for privacy. Our work also formalizes the setting of a remote HSM, as currently considered for the start of the EUDI wallet, and proposes a privacy-preserving solution for such a setting. All protocols are highly efficient and simple, as the only API needed from the secure element is for a standard BLS or Schnorr signature.

Further Features

  • Issuer-Hiding for BBS Anonymous Credentials. Even an anonymous credential presentation can reveal more than expected: namely, the issuer's identity. For instance, a simple age proof based on a national ID not only shows that the user is old enough, but also which country issued the credential — effectively disclosing the user's nationality. Issuer-hiding schemes conceal this information as well, and our work shows how efficient protocols can be realized for BBS credentials. Our first construction achieves issuer-hiding presentations without any additional policy keys, but presentation size scales (at least) logarithmically in the number of issuers, making it well suited to policies with up to 64 issuers. Our second construction achieves constant-size presentations by relying on a trusted authority to generate policy keys.
  • A Brief Note on Cryptographic Pseudonyms for Anonymous Credentials. Rene Mayrhofer, Anja Lehmann, and abhi shelat. Brief survey article on how to construct pseudonyms with anonymous credentials.

Talks

Overview of presentations related to anonymous credentials for the EUDI Wallet:

  • Anonymous Credentials for the EUDI Wallet: Closing the Gaps [slides]
    EUDI ON Community Event, Berlin, June 2026
  • EUDI Wallet & Anonymous Credentials - Status and Open Challenges [slides]
    PrivCrypt Workshop @ Eurocrypt, Rom, May 2026
  • Enabling Anonymous Credentials for Digital Identity Wallets [slides]
    European Identity and Cloud Conference (EIC), Berlin, May 2026
  • EUDI Wallet: Strong Security and Privacy - How to combine both? [slides]
    VSDI Politischer Abend, Berlin, April 2026
  • Zero-Knowledge Proofs for the EUDI Wallet - Wishlist for HSMs and Secure Elements [slides]
    Global Platform – Digital Wallet Task Force, Online Meeting, February 2026
  • EUDI Wallet: Perspectives and Challenges for ZKP and PQC (Part 1) [slides
    European Conference on PQC Migration, Den Haag, December 2025 
  • ZKP Innovation Highlights [slides] [video]
    SPRIND EUDI Wallet Funke Conference, Berlin, October 2025
  • EU Digital Identity and Anonymous Credentials - A Happy End? [slides] [video]
    Real-World Cryptography Symposium, Sofia, March 2025
  • EU's Digital Identity Systems - Reality Check and Techniques for Better Privacy [slides] [video]
    Chaos Communication Congress 38c3, Hamburg, December 2024
  • ZKPs and BBS for Digital Identities - Overview & Perspectives [slides]
    SPRIND EUDI Wallet Conference, Berlin, September 2024