Call to participation: Unlinkability topics, ideas and contacts

[bj-alexh]

As mentioned during the participation meeting on the 6th of February 2025 the topic of unlinkability is being explicitly addressed by the Swiss Confederation’s e-ID program.

Our current focus is on the following topics:

Unlinkability

• What technical solutions can be implemented to ensure unlinkability of the e-ID and other verifiable credentials?
• What organizational measures can be taken in the short term to mitigate linkability?

Observability:

• What additional measures could be taken to prevent traceability of who is using the infrastructure when and how?

Post-Quantum Cryptography

• How will post-quantum cryptography affect privacy and security of the Swiss trust infrastructure?

Deniability & Purpose Limitation

• How could a purpose limitation of data disclosure be enforced on a technical level?
• How is deniability relevant for holders?

We would like to collect the community’s feedback on these topics:

- Are they chosen appropriately?
- Are there important topics missing?
- Are there any experts the e-ID program should get in touch with?

[cybee42]

I think it's a good collection of topics. One might add a couple of questions:

Unlinkability

• solutions are required both during credential presentation and for the revocation service
• forensics: what if law enforcement actually WANTS to link actions of a suspected child kidnapper? Will there be a way to do it?

Non-transferability

• prevent users from selling presentations of their credentials. (e.g., false COVID credentials), maybe covered by deniability.

Post-Quantum Cryptography

• How will the emergence of quantum computers affect security & privacy of the E-ID as designed today (with non-quantum safe algorithms)?
• How can PQC be used to design a quantum-safe version of the E-ID and retain as many desirable features as possible?
• How could cryptographic agility be built into the 2026 E-ID to ease the transition to a post-quantum safe stage later?

Observability

• Also on the network level? Would offering a mixing service similar to TOR be an option?

[jurajsarinay]

Your approach makes sense to me. I suggest you also consider the following topics:

1. Motivation

I miss more detail on the very motivation for this endeavour. I am aware that there is a trivial shortcut, you can now simply claim that the Federal Council told you to explore unlinkability. Given the government likely acted upon input from the departments, you should be able to provide relevant (non-political) reasons. Describe specific real-world scenarios where unlinkable credentials would be useful. Until there is a more specific problem to solve, you are unlikely to make progress.

There is the usual (valid) argument that unlinkability means more privacy and more privacy is always good. Yet complete anonymity is even better. When does it make sense to sacrifice (some) anonymity? From an academic perspective, exploring the continuum between complete anonymity and reliable unique identification is no doubt worthwhile. We would all be delighted to work on that. In your setting, the fact that a problem is interesting is not enough. Where exactly would one use a credential that can be presented in an unlinkable manner?

The following vague examples keep getting mentioned:

• on-line access to age-restricted content
• ordering age-restricted goods

Whenever there is a physical interaction, physical delivery of goods or any payment involved, transactions are inherently linkable no matter how advanced your credentials are. The usual example of only disclosing a single bit of information (i.e. "old enough") to a bartender when ordering a drink is beyond ridiculous.

2. Accountability

As pointed out by @cybee42, one needs to consider the implications of credential sharing. Most electronic credentials can easily be shared with others. This can be done interactively and works even if you are careful to prevent cloning. In general, nothing stops a legitimate holder from presenting their credential and handing over to the "impersonator". A credential that can be presented in an unlinkable manner can typically be shared without risk. It only takes a single holder willing to share theirs to render the credentials rather meaningless. If age (say) were to be proved in an unlinkable manner, we all could appear "old enough".

One must assume that any kind of credentials will be abused. Many (even private) participants (issuers, attribute providers, relying parties) need a way to detect and counter abuse. Imagine a holder sharing their unlinkable credential widely. I am not even asking who they are, after all, true unlinkability means they cannot be identified. Can you at least stop the abuse by revoking the credential?

[bj-alexh]

Thank you for your comments! We will take them into consideration.