Prof. Anja Lehmann, Karla Friedrichs, Cavit Özbay
The eIDAS 2.0 regulation requires every EU member state to provide a digital identity solution—the EU Digital Identity (EUDI) Wallet—by the end of 2026. The EU decided to build the wallet from classic ECDSA-signed credentials, where a digital identity is simply an issuer’s signature on the set of user attributes. In Germany this choice drew criticism from consumer- and data-protection organizations, who argued that signed credentials lack an important privacy property: plausible deniability. When a user presents their digital identity, anyone can verify this presentation—and hence verifiers might be tempted to store and trade the authenticated data. This issue received attention since it is perceived as a downgrade from the prior German eID, where authentication is an online process between chip and verifier and cannot be forwarded.
This criticism, however, conflates a property of the signature scheme with a property of the presentation protocol. Deniability is easy to add on top of ECDSA, using standard zero-knowledge techniques. The idea (sketched in more detail here) is that the verifier holds its own key pair and that the user never hands over the issuer's signature in full. Instead, she reveals only a part of it and proves, in zero knowledge, that she either knows the rest of a valid issuer signature or the verifier's secret key. Since the verifier knows its own secret key, it could have produced this proof itself—so the presentation convinces the intended verifier but is worthless as evidence to anyone else, exactly the deniability the critics asked for.
This is a promising starting point, but it is only a first step: The construction relies on each credential being used only once—which, while consistent with the planned EUDI deployment, might be more restrictive than necessary—and it has not yet been integrated into real EUDI data formats. This master project takes up these two open challenges.
Your Tasks
The exact scope will depend on the size and interests of the group.
- Formalise a multi-show security model for deniable signed credentials
- Design and formally analyse constructions that satisfy the requirements of the model, in particular, that allow the reuse of (ECDSA) signatures without losing deniability
- Integrate deniable presentations into the EUDI data formats and protocol flows
- Demonstrate real-world feasibility through a proof-of-concept implementation and a performance evaluation.
For more information on our project, see our project description or poster.
The deniable ECDSA construction is sketched here.