Master Project, 12 ECTS

Prof. Anja Lehmann

The eIDAS 2.0 regulation requires every EU member state to provide a digital identity solution—
the EU Digital Identity (EUDI) Wallet—by the end of 2026 [1]. The EU decided to build the wallet
from classic ECDSA-signed credentials, where a digital identity is simply an issuer’s signature on
the set of user attributes. In Germany this choice drew criticism from consumer- and data-
protection organizations [4,5], who argued that signed credentials lack an important privacy
property: plausible deniability. When a user presents their digital identity, anyone can verify this
presentation—and hence verifiers might be tempted to store and trade the authenticated data.
This issue received attention since it is perceived as a downgrade from the prior German eID,
where authentication is an online process between chip and verifier and cannot be forwarded.

This criticism, however, conflates a property of the signature scheme with a property of the
presentation protocol. Recent work [2] shows that deniability is easy to add on top of ECDSA,
using standard zero-knowledge techniques. The idea (sketched in more detail at the end of this
document) is that the verifier holds its own key pair and that the user never hands over the
issuer's signature in full. Instead, she reveals only a part of it and proves, in zero knowledge,
that she either knows the rest of a valid issuer signature or the verifier's secret key. Since the
verifier knows its own secret key, it could have produced this proof itself—so the presentation
convinces the intended verifier but is worthless as evidence to anyone else, exactly the
deniability the critics asked for.

For more information, see our paper.