Silvia Böhmer

New publication on Privacy Aspects of the European Digital Identity Wallets in Internet Policy Review

The European Digital Identity Wallet (EUDI Wallet) promises to significantly enhance the convenience and security of end-users' identity-related online activities, such as registration, log-in to a service or application, or the bank account opening process, by using cryptographic key pairs and digitally signed documents (attestations of attributes). However, while the EUDI Wallet is marketed as a privacy-centric solution and indeed designed to enhance privacy substantially compared to today's prevailing approaches to digital identity management, such as "log-in with Google", there is still room for improvement.

The paper “The impact of zero-knowledge proofs on data minimization compliance of digital identity wallets” is a collaboration between the researchers Emanuela Podda (Università degli Studi di Milano), Pol Hölzmer, Alexandre Amard and Gilbert Fridgen (University of Luxembourg), and Johannes Sedlmeir (University of Münster). It describes some remaining privacy shortcomings in the current cryptographic formats used for attestations of attributes in the EUDI Wallet. It also argues that the General Data Protection Regulation (GDPR)'s mandate for data minimization should be continuously re-evaluated given the fast progress in privacy-enhancing technologies, particularly zero-knowledge proofs (ZKPs) (see, e.g., the work by Google researchers Abhi Shelat and Matteo Frigo on anonymous credentials from ECDSA). ZKPs allow for maintaining the verifiability of the integrity, authenticity, and validity of digital identity-related documents while reducing the amount of information revealed to the relying party to what can formally be considered the bare minimum.

The researchers hope their findings encourage decision-makers working on the EUDI Wallet to maintain, after the first rollout of the EUDI Wallet in late 2026, the high initial ambitions regarding privacy specified by the regulation, which literally mandates unlinkability. However, it is highly unlikely that ZKPs will be incorporated at this stage, as their practical implementation is still very complex and lacks standardization and audits by national and international certification bodies.

The full paper can be found here.