The impact of zero-knowledge proofs on data minimisation compliance of digital identity wallets

PODDA, Emanuela; HÖLZMER, Pol; AMARD, Alexandre; SCHÖNRICH-SEDLMEIR, Johannes; FRIDGEN, Gilbert

doi:10.14763/2025.3.2019

Download

Article (Scientific journals)

The impact of zero-knowledge proofs on data minimisation compliance of digital identity wallets

PODDA, Emanuela; HÖLZMER, Pol; AMARD, Alexandre et al.

2025 • In Internet Policy Review, 14 (3)

Peer Reviewed verified by ORBi

Permalink
https://hdl.handle.net/10993/65538

DOI
10.14763/2025.3.2019

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

policyreview-2025-3-2019.pdf

Publisher postprint (2.31 MB)

Download

All documents in ORBilu are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

Electronic attestation; Electronic identification; eIDAS; GDPR; Zero-knowledge proofs

Abstract :

[en] The recent amendment to the European eIDAS Regulation has established the European Digital Identity Framework, which introduces electronic attestations of attributes. Technically, these attestations involve auxiliary information to ensure their verifiability, leading to the generation, processing, and storage of more than just personal data. In particular, this auxiliary information contains globally unique information that can be misused as personal identifiers and poses risks to the privacy of individuals engaging in transactions using a European Digital Identity Wallet. As such, they create tension with the principle of data minimisation under the General Data Protection Regulation (GDPR). On the positive side, privacy-enhancing technologies, especially zero-knowledge proofs (ZKPs), are rapidly advancing and capable of addressing this tension. In this paper, we analyse the impact of the availability of these techniques on legal compatibility in the European electronic identification context and explore the tension field between the technical requirements of the digital identity wallet and the GDPR’s data minimisation principle. We illustrate this dynamic through the specific examples of cryptographic data processed to ensure the authenticity and integrity of attributes' electronic attestations and shed light on how ZKPs can support legal compliance. This paper contributes to the privacy-oriented electronic identity management literature by providing policy and technical recommendations for achieving data minimisation compliance. We emphasise the necessity for regulatory bodies to enforce the use of advanced solutions like ZKPs to achieve unlinkability and unobservability. Accelerating the standardisation of these technologies is crucial for safeguarding user privacy and achieving seamless regulatory compliance in digital identity systems.

Research center :

Interdisciplinary Centre for Security, Reliability and Trust (SnT) > FINATRAX - Digital Financial Services and Cross-organizational Digital Transformations

Disciplines :

Computer science

Author, co-author :

PODDA, Emanuela ^✱; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust > FINATRAX > Team Gilbert FRIDGEN

HÖLZMER, Pol ^✱; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > FINATRAX

AMARD, Alexandre ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust > FINATRAX > Team Gilbert FRIDGEN

SCHÖNRICH-SEDLMEIR, Johannes ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust > FINATRAX > Team Gilbert FRIDGEN

FRIDGEN, Gilbert ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > FINATRAX

^✱ These authors have contributed equally to this work.

External co-authors :

yes

Language :

English

Title :

The impact of zero-knowledge proofs on data minimisation compliance of digital identity wallets

Publication date :

30 July 2025

Journal title :

Internet Policy Review

eISSN :

2197-6775

Publisher :

Internet Policy Review, Alexander von Humboldt Institute for Internet and Society

Volume :

Issue :

Peer reviewed :

Peer Reviewed verified by ORBi

Focus Area :

Law / European Law

Additional URL :

https://policyreview.info/articles/analysis/impact-zero-knowledge-proofs

FnR Project :

FNR13342933 - DFS - Paypal-fnr Pearl Chair In Digital Financial Services, 2019 (01/01/2020-31/12/2024) - Gilbert Fridgen
FNR16326754 - PABLO - Privacy-preserving Tokenisation Of Artworks, 2021 (01/06/2022-31/05/2025) - Gilbert Fridgen

Funding text :

This research was supported in part by Luxembourg’s Ministry for Digitalisation, PayPal and the Luxembourg National Research Fund (FNR), Luxembourg (P17/IS/13342933/ PayPalFNR/Chair in DFS/Gilbert Fridgen, as well as by the FNR, grant reference 16326754 (PABLO).

Available on ORBilu :

since 08 August 2025

Statistics

Number of views

142 (8 by Unilu)

Number of downloads

46 (4 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

OpenCitations

OpenAlex citations

Bibliography

Abellán Álvarez, I., Hölzmer, P., & Sedlmeir, J. (2025). Privacy evaluation of the European Digital Identity Wallet’s architecture and reference framework. https://ssrn.com/abstract=5247521
Aggarwal, C. C., & Yu, P. S. (2008). A general survey of privacy-preserving data mining models and algorithms, 11-52. Springer US.
Ah-Fat, P., & Huth, M. (2019). Optimal accuracy-privacy trade-off for secure computations. IEEE Transactions on Information Theory, 65(5), 3165–3182. https://doi.org/10.1109/tit.2018.2886458
Babel, M., & Sedlmeir, J. (2023). Bringing data minimization to digital wallets at scale with general-purpose zero-knowledge proofs (No. arXiv:2301.00823). arXiv. https://doi.org/10.48550/arXiv.2301.00823
Bamberger, Kenneth A.; Canetti, Ran; Goldwasser, Shafi; Wexler, Rebecca; Zimmerman, Evan J.; (2022). Verification dilemmas in law and the promise of zero-knowledge proofs. https://doi.org/10.15779/Z38P55DH8N
Bastian, P., Kraus, M., & Fischer, J. (2023). Konzepte für sichere wallets in dezentralen Identitätsökosystemen. HMD Praxis der Wirtschaftsinformatik, 60(2), 381–404. https://doi.org/10.1365/s40702-023-00954-4
Baum, C., Chiang, J. H., David, B., & Frederiksen, T. K. (2023). SoK: Privacy-enhancing technologies in finance. 5th Conference on Advances in Finanical Technologies (AFT 2023), 282, 12:1-12:30. https://d oi.org/10.4230/LIPICS.AFT.2023.12
Bender, J., Kügler, D., Margraf, M., & Naumann, I. (2010). Privacy-friendly revocation management without unique chip identifiers for the German national ID card. Computer Fraud & Security, 2010(9), 14–17. https://doi.org/10.1016/s1361-3723(10)70122-6
Boneh, D., & Boyen, X. (2004). Short signatures without random oracles. In Cachin, C. & Camenisch, J.L. (Eds), Advances in cryptology – EUROCRYPT 2004 (Vol. 3027, pp. 56–73). Springer. https://doi.org/10.1007/978-3-540-24676-3_4
Camenisch, J., & Lysyanskaya, A. (2001). An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In Pfitzmann, B. (Ed.), Advances in cryptology – EUROCRYPT 2001 (Vol. 2045, pp. 93–118). Springer. https://doi.org/10.1007/3-540-44987-6_7
Camenisch, J., & Lysyanskaya, A. (2004). Signature schemes and anonymous credentials from bilinear maps. In Franklin, M. (Ed.), Advances in cryptology—CRYPTO 2004 (Vol. 3152, pp. 56–72). Springer. https://doi.org/10.1007/978-3-540-28628-8_4
Council of the European Union & General Secretariat. (2022). Glossary: Technical terms related to security features and to security documents in general (in alphabetical order) (No. 12344/22; Public Register of Authentic Travel and Identity Documents Online (PRADO)). https://www.consilium.europ a.eu/prado/en/prado-glossary/prado-glossary.pdf
Delignat-Lavaud, A., Fournet, C., Kohlweiss, M., & Parno, B. (2016). Cinderella: Turning shabby X.509 certificates into elegant anonymous credentials with the magic of verifiable computation. 2016 IEEE Symposium on Security and Privacy (SP), 235–254. https://doi.org/10.1109/sp.2016.22
Deng, M., Wuyts, K., Scandariato, R., Preneel, B., & Joosen, W. (2011). A privacy threat analysis framework: Supporting the elicitation and fulfillment of privacy requirements. Requirements Engineering, 16(1), 3–32. https://doi.org/10.1007/s00766-010-0115-7
eIDAS eID Technical Subgroup. (2019). eIDAS SAML AttributeProfile v1.2. EU Login. https://ec.europ a.eu/digital-building-blocks/wikis/digital-building-blocks/wikis/display/DIGITAL/eIDAS+eID+Profile
eIDAS Expert Group. (2021). eIDAS expert group meeting: The toolbox process. European Commission. https://webgate.ec.europa.eu/regdel/web/meetings/2409/documents/6690
ETSI. (2023). Electronic signatures and infrastructures (ESI); Analysis of selective disclosure and zero-knowledge proofs applied to Electronic Attestation of Attributes (Technical Report No. ETSI TR 119 476). https://www.etsi.org/deliver/etsi_tr/119400_119499/119476/01.01.01_60/tr_119476v010101 p.pdf
European Commission. (2014). Regulation (EU) ) No 910/2014 of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC. Official Journal of the European Union, 910/2014.
European Commission. (2015). Commission implementing Regulation (EU) 2015/ 1502—Of 8 September 2015—On setting out minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Article 8(3) of Regulation (EU) No 910/ 2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market.
European Commission. (2021a). Commission Staff Working Document accompanying the document report from the Commission to the European Parliament and the Council on the evaluation of Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS). https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52021SC0 130
European Commission. (2021b). Recommendation—C(2021) 3968—A trusted and secure European e-ID. https://digital-strategy.ec.europa.eu/en/library/trusted-and-secure-european-e-id-recommendation
European Commission. (2021c). Report from the Commission to the European Parliament and the Council on the evaluation of Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS). European Commission. https://eu r-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52021DC0290
European Commission. (2024, January 10). EU Digital Identity Wallet Toolbox process. European Commission. https://digital-strategy.ec.europa.eu/en/policies/eudi-wallet-toolbox
European Commission. (2025, April). The European Union Digital Identity (EUDI) Architecture Reference Model (ARF) v1.9.0. https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-referenc e-framework/blob/85756d5b958c77053e4086f94c62c9155e07bf5f/docs/architecture-and-referenc e-framework-main.md
European Commission: Directorate General for Communications Networks, Content and Technology., PwC., DLA Piper., Garbasso, G., & Bianchini, D. et al. (2021). Study to support the impact assessment for the revision of the eIDAS regulation: Final report. Publications Office. https://data.euro pa.eu/doi/10.2759/671740
European Data Protection Board. (2020). Guidelines 4/2019 on Article 25 Data Protection by Design and by Default (Version 2.0 10/2022). European Data Protection Board, EDPB. https://www.edpb.euro pa.eu/sites/default/files/files/file1/edpb_guidelines_201904_dataprotection_by_design_and_by_defa ult_v2.0_en.pdf
European Data Protection Board. (2022). Guidelines 01/2022 on Data Subject Rights—Right of Access (Version 2.1 03/). European Data Protection Board, EDPB. https://www.edpb.europa.eu/system/files/2 023-04/edpb_guidelines_202201_data_subject_rights_access_v2_en.pdf
European Parliament & Council. (2021). Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity.
European Parliament & Council. (2024). Agreed text for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing the European Digital Identity Framework (No. 2021/0136 (COD)). https://data.consilium.europa.eu/doc/document/PE-68-2 023-COR-1/en/pdf
European Union Agency for Cybersecurity. (2022). Data protection engineering: From theory to practice. Publications Office. https://data.europa.eu/doi/10.2824/09079
Fernández, R. R. (2024). Evaluation of trust service and software product regimes for zero-knowledge proof development under eIDAS 2.0. Computer Law & Security Review, 53, 105968. http s://doi.org/10.1016/j.clsr.2024.105968
Finck, M., & Biega, A. J. (2021). Reviving purpose limitation and data minimisation in data-driven systems. Technology and Regulation, 2021, 44–61. https://doi.org/10.71265/z7r0t122
Frigo, M. & Shelat. (2024). Anonymous credentials from ECDSA. Cryptology ePrint Archive. https://ia.cr/2024/2010
Fuster, G. G. (2014). The emergence of personal data protection as a fundamental right of the EU, 16. Springer Science & Business.
Garrido, G. M., Sedlmeir, J., Uludağ, Ö., Alaoui, I. S., Luckow, A., & Matthes, F. (2022). Revealing the landscape of privacy-enhancing technologies in the context of data markets for the IoT: A systematic literature review. Journal of Network and Computer Applications, 207, 103465. https://doi.o rg/10.1016/j.jnca.2022.103465
Giannopoulou, A., & Wang, F. (2021). Self-sovereign identity. Internet Policy Review, 10(2). https://do i.org/10.14763/2021.2.1550
Glöckler, J., Sedlmeir, J., Frank, M., & Fridgen, G. (2024). A systematic review of identity and access management requirements in enterprises and potential contributions of self-sovereign identity. Business & Information Systems Engineering, 66(4), 421–440. https://doi.org/10.1007/s12599-023-00830-x
Government of British Columbia & Canada. (2023). BC Digital Trust: Leveraging Hyperledger tools for digital trust. LF Decentralized Trust. https://www.lfdecentralizedtrust.org/blog/bc-digital-trust-leveraging-hyperledger-tools-for-digital-trust
Grassi, P. A., Garcia, M. E., & Fenton, J. L. (2017). Digital identity guidelines: Revision 3. National Institute of Standards and Technology. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S P.800-63-3.pdf
Heurix, J., Zimmermann, P., Neubauer, T., & Fenz, S. (2015). A taxonomy for privacy enhancing technologies. Computers & Security, 53, 1–17. https://doi.org/10.1016/j.cose.2015.05.002
Housley, R., Polk, T., Ford, D. W. S., & Solo, D. (2002). Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) (No. RFC 3280). https://www.rfc-editor.org/info/rfc328 0
Hundepool, A., Domingo-Ferrer, J., Franconi, L., Giessing, S., Nordholt, E. S., Spicer, K., & Wolf, P. P. (2012). Statistical disclosure control. John Wiley & Sons.
International Organization for Standardization & International Electrotechnical Commission. (2021). Information security, cybersecurity and privacy protection—Requirements for attribute-based unlinkable entity authentication (ISO/IEC Standard No. 27551:2021).
Kaaniche, N., Laurent, M., & Belguith, S. (2020). Privacy enhancing technologies for solving the privacy-personalization paradox: Taxonomy and survey. Journal of Network and Computer Applications, 171, 102807. https://doi.org/10.1016/j.jnca.2020.102807
Kakvi, S. A., Martin, K. M., Putman, C., & Quaglia, E. A. (2023). SoK: Anonymous credentials. In Günther, F. & Hesse, J. (Eds), Security Standardisation Research (Vol. 13895, pp. 129–151). Springer Nature Switzerland. https://doi.org/10.1007/978-3-031-30731-7_6
Kanevskaia, O., & Pałka, P. (2023). Introduction to the research handbook on law and technology. In Research handbook on law and technology (pp. 1–10). Edward Elgar Publishing. https://www.elgaronl ine.com/view/book/9781803921327/chapter1.xml
Looker, T., Kalos, V., Whitehead, A., & Lodder, M. (2023). The BBS signature scheme (Internet Draft draft-irtf-cfrg-bbs-signatures-05. Internet Engineering Task Force. https://datatracker.ietf.org/doc/dra ft-irtf-cfrg-bbs-signatures
McConville, M., & Chui, W. H. (Eds). (2017). Research methods for law (Second). Edinburgh University Press.
McCorquodale, R. (1994). Self-determination: A human rights approach. International & Comparative Law Quarterly, 43(4), 857–885.
Mejias, U. A., & Couldry, N. (2019). Datafication. Internet Policy Review, 8(4). https://doi.org/10.14763/2019.4.1428
Menezes, A. J., Vanstone, S. A., & Oorschot, P. C. V. (1996a). Chapter 9—Hash functions and data integrity. In Handbook of applied cryptography (1st edn). CRC Press, Inc. https://cacr.uwaterloo.ca/ha c/about/chap9.pdf
Menezes, A. J., Vanstone, S. A., & Oorschot, P. C. V. (1996b). Chapter 10—Identification and entity authentication. In Handbook of applied cryptography (1st edn). CRC Press, Inc. https://cacr.uwaterlo o.ca/hac/about/chap10.pdf
Menezes, A. J., Vanstone, S. A., & Oorschot, P. C. V. (1996c). Chapter 11—Digital signatures. In Handbook of applied cryptography (1st edn). CRC Press, Inc. https://cacr.uwaterloo.ca/hac/about/chap 11.pdf
Monteiro, A. P. L. (2023). Privacy at a crossroads. In Research Handbook on Law and Technology (pp. 214–221). Edward Elgar Publishing. https://www.elgaronline.com/view/book/9781803921327/cha pter13.xml
Paquin, C., Policharla, G. V., & Zaverucha, G. (2024). Crescent: Stronger privacy for existing credentials. Cryptology ePrint Archive. https://ia.cr/2024/2013
Pfitzmann, A., Dresden, T., & Hansen, M. (2010). A terminology for talking about privacy by data minimization: Anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management.
Podgorelec, B., Alber, L., & Zefferer, T. (2022). What is a (Digital) Identity Wallet? A systematic literature review. 2022 IEEE 46th Annual Computers, Software, and Applications Conference (COMPSAC), 809–818. https://doi.org/10.1109/compsac54236.2022.00131
Purtova, N. (2022). From knowing by name to targeting: The meaning of identification under the GDPR. International Data Privacy Law, 12(3), 163–183. https://doi.org/10.1093/idpl/ipac013
Rieger, A., Roth, T., Sedlmeir, J., Weigl, L., & Fridgen, G. (2021). Not yet another digital identity. Nature Human Behaviour, 6(1), 3–3. https://doi.org/10.1038/s41562-021-01243-0
Rieger, A., University of Arkansas, Roth, T., University of Arkansas, Sedlmeir, J., University of Luxembourg, Fridgen, G., University of Luxembourg, Young, A., & University of Arkansas. (2024). Organizational identity management policies. Journal of the Association for Information Systems, 25(3), 522–527. https://doi.org/10.17705/1jais.00887
Rivest, R. L., Shamir, A., & Adleman, L. (1978). A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2), 120–126. https://doi.org/10.1145/359340.359342
Rosenberg, M., White, J., Garman, C., & Miers, I. (2023, May). Zk-creds: Flexible anonymous credentials from zkSNARKs and existing identity infrastructure. 2023 IEEE Symposium on Security and Privacy (SP). 2023 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA. http s://doi.org/10.1109/sp46215.2023.10179430
Samarati, P. (2001). Protecting respondents identities in microdata release. IEEE Transactions on Knowledge and Data Engineering, 13(6), 1010–1027. https://doi.org/10.1109/69.971193
Schwarz, F., Do, K., Heide, G., Hanzlik, L., & Rossow, C. (2022). Feido: Recoverable FIDO2 tokens using electronic IDs. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, 2581–2594.
Sedlmeir, J., Huber, J., Barbereau, T., Weigl, L., & Roth, T. (2022). Transition pathways towards design principles of Self-Sovereign Identity. Forty-Third International Conference on Information Systems.
Sedlmeir, J., Smethurst, R., Rieger, A., & Fridgen, G. (2021). Digital identities and verifiable credentials. Business & Information Systems Engineering, 63(5), 603–613. https://doi.org/10.1007/s12599-021-00722-y
Smits, J. M. (2015). What is legal doctrine? On the aims and methods of legal-dogmatic research. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.2644088
Spensky, C., Stewart, J., Yerukhimovich, A., Shay, R., Trachtenberg, A., Housley, R., & Cunningham, R. K. (2016). SoK: Privacy on mobile devices-It’s complicated. Proceedings on Privacy Enhancing Technologies, 2016(3), 96–116. https://doi.org/10.1515/popets-2016-0018
Stevens, T., Elliott, J., Hoikkanen, A., Maghiros, I., & Lusoli, W. (2010). The State of the electronic identity market: Technologies, infrastructure, services and policies. JRC Scientific and Technical Reports. https://papers.ssrn.com/abstract=1708884
Torra, V. (2017). Data privacy: Foundations, new developments and the big data challenge. Springer International Publishing. https://doi.org/10.1007/978-3-319-57358-8
Tosoni, L. (2020). Article 4(25). Information society service. In The EU General Data Protection Regulation (GDPR) (pp. 292–302). Oxford University PressNew York. https://doi.org/10.1093/oso/9780198826491.003.0031
Trang, S., Kraemer, T., Trenz, M., & Weiger, W. H. (2025). Deeper down the rabbit hole: How technology conspiracy beliefse emerge and foster a conspiracy mindset. Information Systems Research, 36(2), 709–735. https://doi.org/10.1287/isre.2022.0494
Tsakalakis, N. (2020). Analysing the impact of the GDPR on eIDAS: Supporting effective data protection by design for cross-border electronic identification through unlinkability measures.
Tsakalakis, N., Stalla-Bourdillon, S., & O’Hara, K. (2019). Data protection by design for cross-border electronic identification: Does the eIDAS interoperability framework need to be modernised? In Kosta, E., Pierson, J., Slamanig, D., Fischer-Hübner, S., & Krenn, S. (Eds), Privacy and identity management. Fairness, accountability, and transparency in the age of big data (Vol. 547, pp. 255–274). Springer International Publishing. https://link.springer.com/10.1007/978-3-030-16744-8_17
Van Dijck, J. (2014). Datafication, dataism and dataveillance: Big Data between scientific paradigm and ideology. Surveillance & Society, 12(2), 197–208. https://doi.org/10.24908/ss.v12i2.4776
Van Hoecke, M. (2011). Legal doctrine: Which method(s) for what kind of discipline? In Methodologies of legal research: Which kind of method for what kind of discipline? (pp. 1–18). Hart Publishing. http://hdl.handle.net/1854/LU-1091776
W3C. (2022). Verifiable credentials data model v1.1. W3C. https://www.w3.org/TR/vc-data-model/
Wairimu, S., Iwaya, L. H., Fritsch, L., & Lindskog, S. (2024). On the evaluation of privacy impact assessment and privacy risk assessment methodologies: A systematic literature review. IEEE Access, 12, 19625–19650. https://doi.org/10.1109/access.2024.3360864
Weigl, L., Amard, A., Codagnone, C., & Fridgen, G. (2022). The EU’s digital identity policy: Tracing policy punctuations. Proceedings of the 15th International Conference on Theory and Practice of Electronic Governance, 74–81. https://doi.org/10.1145/3560107.3560121