NOTE: This thesis is reserved.

Background

The Swiss federal council has decided to build the Swiss E-ID based on self-sovereign identity (SSI) principles. Similarly, the European Union and many companies around the world plan to introduce SSI-based solutions for identity and access management. With SSI, users own their digital identity and autonomously control what information is revealed to which service providers. This contrasts with current Internet single sign-on architectures, which threaten user privacy by deploying central identity providers.

SSI combines many foundational technologies, such as blockchain-based distributed ledgers (DLT), cryptographic proofs of identity attributes (zero-knowledge proofs), PKI with distributed key management, and various software components such as mobile wallets and agents connected in a P2P network. Accordingly, the technology stack of SSI is very complex. In order for SSI to develop into a secure technological basis for a national E-ID, various aspects need to be researched:

  • security of the protocols
  • scalability of solutions
  • protection of privacy
  • usability for consumers
  • trust management and governance

Goal of the project

When presenting verifiable credentials to verifiers, holders want to make sure they protect their privacy by selectively disclosing only the information required and not more. To achieve this, several techniques have been proposed:

  • Deriving a presentation from the credential that simply omits sensitive attributes
  • Zero-Knowledge Proofs (ZKP), e.g., proving that the holder is older than 18 without disclosing the actual date of birth
  • Privacy-Preserving data structures, e.g., using cryptographic accumulators for implementing a credential revocation service
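As an added example (not part of the thesis proposal), the first technique in the list above, deriving a presentation that simply omits attributes, can be made verifiable with salted hash commitments: the issuer signs only a list of per-attribute digests, and the holder reveals the (salt, value) opening of just the attributes the verifier needs. The issuer "signature" below is stood in for by an HMAC with a constructed issuer key, so the script runs offline; a real issuer would use a public-key signature.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed sample key standing in for the issuer's signing key (assumption
# made so the example is self-contained; not a real deployment choice).
ISSUER_KEY = b"constructed-issuer-key"


def _digest(salt: bytes, name: str, value) -> str:
    # Commit to one attribute as H(salt || name || value). The salt stops a
    # verifier from brute-forcing low-entropy values (e.g. a date of birth)
    # out of a digest for an attribute the holder chose not to reveal.
    payload = salt + json.dumps([name, value], sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def issue(attributes: dict) -> dict:
    """Issuer: salt every attribute and sign the sorted list of digests."""
    disclosures = {name: (os.urandom(16), value) for name, value in attributes.items()}
    digests = sorted(_digest(salt, name, value) for name, (salt, value) in disclosures.items())
    signature = hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()
    return {"disclosures": disclosures, "digests": digests, "signature": signature}


def present(credential: dict, reveal: set) -> dict:
    """Holder: derive a presentation that omits every attribute not in `reveal`.

    The signed digest list and the signature travel unchanged; only the
    openings (salt, value) of the revealed attributes are attached.
    """
    revealed = {
        name: (salt.hex(), value)
        for name, (salt, value) in credential["disclosures"].items()
        if name in reveal
    }
    return {"revealed": revealed, "digests": credential["digests"], "signature": credential["signature"]}


def verify(presentation: dict) -> Optional[dict]:
    """Verifier: check the issuer signature over the digest list, then check
    that every revealed attribute opens to one of the signed digests.

    Returns the revealed attributes on success, None on any failure.
    """
    expected = hmac.new(ISSUER_KEY, json.dumps(presentation["digests"]).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presentation["signature"]):
        return None
    signed = set(presentation["digests"])
    out = {}
    for name, (salt_hex, value) in presentation["revealed"].items():
        if _digest(bytes.fromhex(salt_hex), name, value) not in signed:
            return None  # opening does not match any digest the issuer signed
        out[name] = value
    return out


if __name__ == "__main__":
    cred = issue({"name": "Alice", "date_of_birth": "1990-01-01", "nationality": "CH"})
    print(verify(present(cred, {"nationality"})))
```

Two properties of this construction matter for the discussion that follows: omitted attributes stay hidden because their digests are salted one-way hashes, but the full digest list (and the signature over it) is sent with every presentation, so presentations from the same credential are linkable across verifiers. That linkability is exactly the kind of algorithm-specific limitation the next paragraph refers to.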

However, if multiple credentials are presented, it is important to bind them all to the same holder. That is, the verifier wants to verify that all credentials have been issued to the same holder and have not been transferred from another person. Unfortunately, privacy protection is often a point solution for a specific use case and is based on cryptographic tricks specific to the algorithms used. If cryptographic algorithms are changed (e.g., when moving from CL signatures to BBS), these tricks may not be transferable.

Recently, general-purpose ZKP frameworks based on zk-SNARKs have been proposed. These solutions allow the execution of “arbitrary” logic and give the holder a way of proving the correct execution to anybody. Hence, a verifier could specify the information it needs to have in a formal way, e.g.:

AccessGranted :=
    (eid.nationality == Swiss) AND (eid.age >= 18) AND (NOT eid.revoked) AND
    (residence.city == Zurich) AND (NOT residence.revoked) AND
    [ (diploma.university LIKE "%EPFL%" OR diploma.university LIKE "%ETHZ%") ]
    AND (NOT diploma.revoked) AND
    (eid.person == diploma.person) AND (eid.person == residence.person)

Instead of presenting a number of credentials, linking them and using a separate revocation service for each issuer, the holder could just run the computation for the flag AccessGranted and prove correct execution to the verifier. That would be perfectly ZK and very flexible! Yet, the overhead of running a computation with ZKP is still several orders of magnitude higher than running the same computation in the clear. Therefore, it is an open question whether this is practical for holders, in particular if the wallet runs on a mobile device.
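As an added example (not part of the proposal), the AccessGranted policy above evaluated in the clear over three constructed credentials. In the zk-SNARK setting the proposal describes, the body of access_granted is what would be compiled into the circuit: the credentials are the holder's private witness, the revocation list is a public input the issuers publish, and only the boolean result (together with the policy text itself) reaches the verifier. The Credential class, the serial-based revocation set and the person field are modelling assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Set

# Modelling assumptions for this example: a credential carries the holder
# identifier the issuer bound it to ("person"), its attributes, and a serial
# number that issuers publish in a revocation list when they revoke it.
@dataclass
class Credential:
    kind: str           # "eid", "residence" or "diploma"
    person: str         # holder identifier used for cross-credential binding
    attributes: Dict
    serial: str         # looked up in the public revocation set


def like(value: str, pattern: str) -> bool:
    """SQL LIKE: % matches any run of characters, _ one character, anchored at both ends."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def access_granted(eid: Credential, residence: Credential, diploma: Credential, revoked: Set[str]) -> bool:
    """The AccessGranted policy from the proposal, clause by clause."""
    def not_revoked(c: Credential) -> bool:
        return c.serial not in revoked

    # Holder binding: all three credentials must name the same person, otherwise
    # a diploma transferred from someone else would satisfy the policy.
    bound = eid.person == diploma.person and eid.person == residence.person

    return (
        eid.attributes["nationality"] == "Swiss"
        and eid.attributes["age"] >= 18
        and not_revoked(eid)
        and residence.attributes["city"] == "Zurich"
        and not_revoked(residence)
        and (like(diploma.attributes["university"], "%EPFL%")
             or like(diploma.attributes["university"], "%ETHZ%"))
        and not_revoked(diploma)
        and bound
    )


def sample_credentials():
    """Constructed sample data: one consistent holder 'p1'."""
    eid = Credential("eid", "p1", {"nationality": "Swiss", "age": 30}, "eid-001")
    residence = Credential("residence", "p1", {"city": "Zurich"}, "res-001")
    diploma = Credential("diploma", "p1", {"university": "ETH Zurich (ETHZ)"}, "dip-001")
    return eid, residence, diploma


if __name__ == "__main__":
    eid, residence, diploma = sample_credentials()
    print("granted:", access_granted(eid, residence, diploma, revoked=set()))
    print("after diploma revocation:", access_granted(eid, residence, diploma, revoked={"dip-001"}))
```

Reading the policy as a circuit also shows where the cost the proposal asks about comes from: equality of short identifiers is cheap, but `age >= 18` needs a range check over the bits of the value, and each `LIKE` over a string of n characters is a per-character comparison, so the string clauses dominate the constraint count long before the hashes or signatures that bind the credentials to their issuers are even considered.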

Tasks

  • Overview and comparison of general-purpose ZKP frameworks
  • Designing and implementing flexible credential verification logic
  • Performance analysis of the logic execution. What is expensive? Are there ZKP-optimized primitives? Could it run on a smartphone?
  • How can private keys stored in secure enclaves be used in these proofs?
  • Discussing ideas and results with the E-ID team

Requirements

  • Analytical skills
  • Good knowledge in cryptography
  • Coding skills
  • Interest in self-sovereign identities (SSI)