Paper 2025/619

Making BBS Anonymous Credentials eIDAS 2.0 Compliant

Nicolas Desmoulins, Orange (France)
Antoine Dumanois, Orange (France)
Seyni Kane, Orange (France), Institut Polytechnique de Paris
Jacques Traoré, Orange (France)
Abstract

eIDAS 2.0 (electronic IDentification, Authentication and trust Services) is a very ambitious regulation aimed at equipping European citizens with a personal digital identity wallet (EU Digital Identity Wallet) on a mobile phone that not only needs to achieve a high level of security, but also needs to be available as soon as possible for a large number of citizens and respect their privacy (as per GDPR - General Data Protection Regulation). In this paper, we introduce the foundations of a digital identity wallet solution that could help move closer to this objective by leveraging the proven anonymous credentials system BBS (Eurocrypt 2023), also known as BBS+, but modifying it to avoid the limitations that have hindered its widespread adoption, especially in certified infrastructures requiring trusted hardware implementation. In particular, the solution we propose, which we call BBS#, does not rely, contrary to BBS/BBS+, on bilinear maps and pairing-friendly curves (which are not supported by existing hardware) and only depends on the hardware implementation of well-known digital signature schemes such as ECDSA (ISO/IEC 14888-3) or ECSDSA (also known as ECSchnorr, ISO/IEC 14888-3) using classical elliptic curves. More precisely, BBS# can be rolled out without requiring any change in existing hardware or the algorithms that hardware supports. BBS#, which is proven secure in the random oracle model, retains the well-known security property (unforgeability of the credentials under the (gap) q-SDH assumption) and anonymity properties (multi-show full unlinkability and statistical anonymity of presentation proofs) of BBS/BBS+.
By implementing BBS# on several smartphones using different secure execution environments, we show that it is possible to achieve eIDAS 2.0 transactions which are not only efficient (around 70 ms on Android StrongBox), secure and certifiable at the highest level but also provide strong (optimal) privacy protection for all European ID Wallet users.

Note: This paper provides a detailed description of the BBS# protocol, a recent candidate for the EU Digital Identity Wallet, that was first presented at the NIST Workshop on Privacy-Enhancing Cryptography 2024 (WPEC 2024). The authors of ePrint 2025/513 recently generalized, formalized and analyzed a specific mode of the BBS# protocol, which they called 'Server-Aided Anonymous Credentials' (SAAC for short).

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
Anonymous Credentials, BBS Signatures, eIDAS 2.0, EU Digital Identity Wallet
Contact author(s)
nicolas desmoulins @ orange com
antoine dumanois @ orange com
seyni kane @ orange com
jacques traore @ orange com
History
2025-04-11: approved
2025-04-04: received
Short URL
https://ia.cr/2025/619
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/619,
      author = {Nicolas Desmoulins and Antoine Dumanois and Seyni Kane and Jacques Traoré},
      title = {Making {BBS} Anonymous Credentials {eIDAS} 2.0 Compliant},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/619},
      year = {2025},
      url = {https://eprint.iacr.org/2025/619}
}