Are ZK-proofs the key to Europe’s new digital ID regulations?
According to Dr. Jonas Gross, CEO of Hakata, zero-knowledge proofs (ZKPs) could be the key to enhancing privacy and security in the EU’s groundbreaking digital identity and wallet regulation.
A new digital identity regulation has come into effect in the European Union (EU), requiring member states to provide at least one EU digital identity wallet to all citizens and residents.
On May 21, the EU updated its European Digital Identity (EUDI) regulation, which was initially released in February 2023, and stated that it must be fully implemented by 2026.
It is set to transform the way European citizens live and work, with the digital ID wallet to be used for electronically signing and storing documents, from university diplomas to train tickets.
Thierry Breton, the EU commissioner for the internal market, said the wallet will “revolutionize the way European citizens and businesses engage with online services by seamlessly integrating convenience, safety and privacy.”
The European Commission has invested 46 million euros ($50 million) in four large-scale pilots to test the EU Digital Identity Wallet. Additionally, they have announced a second call for large-scale pilots to further support the deployment of these wallets.
This development raises questions about the appearance and functionality of a government-issued digital ID wallet, as well as how individual privacy and regulatory compliance can be maintained on such a large scale.
Cointelegraph spoke to Dr. Jonas Gross, the CEO of Hakata, a company providing “compliant privacy” solutions for Web2 and Web3 businesses through the Mina Protocol.
The discussion aimed to understand the challenges developers face when integrating privacy-preserving features into digital ID solutions and to explore ways to overcome these obstacles.
Dr. Gross said that for digital identity solutions, and particularly the EU digital identity, there are two “paramount” principles: a user-centric design and a privacy-first approach.
“It needs to be ensured that the user is always at the center and maintains ownership of the confidential, personal data. User data, such as identity data, credentials, attestations, or personal information, should be stored on the user’s device.”
He stressed that the user should be the sole decision maker and have the freedom to decide which data is shared and with whom, and this sovereignty should be a main design principle in the EU identity infrastructure.
Zero-knowledge proof solution
Zero-knowledge proofs (ZKPs) are a Web3 tool that could be used to ensure a privacy-first approach and the confidentiality of personal information.
ZKPs would give users the opportunity to reveal only cryptographic proofs instead of clear data, and thereby preserve their privacy. Dr. Gross said:
“ZKPs have the potential to start a new paradigm of compliance that breaks down data silos around identity information.”
He gave a concrete example of ZKPs being used in the context of an identity solution, painting the picture of a government-issued digital ID that sits on an end device, aka a phone. Only the user knows the information in this digital ID, which includes a name, address, date of birth, nationality, etc.
“Imagine that [someone] wants to buy a glass of wine,” he said. “While ordering, the bartender wants to validate if [they] are older than 18 years. In today’s world, this would mean showing the ID to the bartender, thereby revealing the full (physical) ID.”
In such a situation, attributes like address and nationality, which are irrelevant to the bartender, are also revealed. Dr. Gross suggested that in the future, a specific ZKP could be shared to verify someone is older than 18 instead of their entire ID. Consequently, the bartender would only know that fact and nothing more.
Dr. Gross emphasized that this is just one specific example of ZKPs. They can take various forms and can also be used to verify different types of information in the context of identity. For instance, they can prove that a person is not from a particular country or that they hold a European passport.
He said the described solution is exactly what they are building out with Hakata.
“As ZKPs only expose proofs instead of clear data — as described in the previous example — privacy is substantially enhanced and security is improved.”
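The age check described above can be illustrated with a hash-chain range proof, a simpler construction than the general-purpose ZKPs the article discusses but with the same disclosure property: the verifier learns only that the holder's age meets the threshold. This is an added example, not code from Hakata, the Mina Protocol or the EUDI wallet. The function names are hypothetical, and an HMAC under a constructed key stands in for the issuer's digital signature so that it runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets

# Constructed key; stands in for the issuer's signing key (assumption).
ISSUER_KEY = secrets.token_bytes(32)


def hash_chain(value: bytes, steps: int) -> bytes:
    """Apply SHA-256 to `value` `steps` times."""
    for _ in range(steps):
        value = hashlib.sha256(value).digest()
    return value


def issue_credential(age: int) -> dict:
    """Issuer: commit to the age as the end of a hash chain of length `age`."""
    seed = secrets.token_bytes(32)  # secret, kept only on the holder's device
    commitment = hash_chain(seed, age)
    # HMAC is a stand-in for a digital signature over the commitment.
    tag = hmac.new(ISSUER_KEY, commitment, hashlib.sha256).digest()
    return {"seed": seed, "age": age, "commitment": commitment, "tag": tag}


def present(credential: dict, threshold: int) -> dict:
    """Holder: reveal the chain element `threshold` steps before the commitment."""
    if credential["age"] < threshold:
        raise ValueError("cannot prove: age is below the threshold")
    proof = hash_chain(credential["seed"], credential["age"] - threshold)
    # Neither the seed nor the age leaves the device.
    return {"proof": proof,
            "commitment": credential["commitment"],
            "tag": credential["tag"]}


def verify(presentation: dict, threshold: int) -> bool:
    """Verifier: check the issuer tag, then walk `threshold` steps to the commitment."""
    expected = hmac.new(ISSUER_KEY, presentation["commitment"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presentation["tag"]):
        return False
    reached = hash_chain(presentation["proof"], threshold)
    return hmac.compare_digest(reached, presentation["commitment"])
```

Every presentation repeats the same commitment and tag, so a holder's visits are linkable across verifiers; unlinkable presentation is one of the properties a general ZKP system can add.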
Developer challenges
While implementing ZKPs may seem like a straightforward answer to some of the woes officials could face, developers may find it challenging to build such solutions at scale.
Dr. Gross said one of those challenges is the lack of standardization in the ZK space: every ZK tech stack works differently, so interoperability is not a given.
“This makes it very difficult to build applications that are supposed to work on different tech stacks,” he said.
Additionally, in many countries, the technology is still in the process of security evaluation to make it available to governmental and regulated services.
“Because some cryptographic elements of the ZK technology are not yet supported in standard consumer hardware, the adoption in regulated markets requires dedicated solutions, e.g. cloud-based security modules.”
While not a challenge, Dr. Gross also recommended that reference implementations — like the EUDI Wallet Reference Implementation — should be made available open-source on GitHub by those developing the wallet.
This would allow “tech-savvy” people to look at the solution/wallet’s source code. As a result, one does not need to trust the solution provider regarding privacy but could instead personally verify that the highest privacy standards are met.
“I do see this transparency as a great driver for trust and ultimately adoption.”
EU’s digital future
This new regulation will entail that all member states provide at least one EUDI wallet to their citizens and make the support of the wallet mandatory within a variety of industries.
Such a development, according to Dr. Gross, would help the EU foster a rebuild of its complete online infrastructure and put the digital identity in all relevant workflows of its digital ecosystem.
He said with the EUDI wallet, “freaking out in a foreign country in the case that the physical ID cannot be found before flying back home, belongs to the past.”