Pairwise Identifier: Pairwise Pseudonymous Identifier

Last updated: 2/9/2026
Reading time: 4 min

Full Name: Pairwise Pseudonymous Identifier

Definition

A Pairwise Identifier is a unique pseudonymous identifier that an EUDI Wallet generates for each distinct relying party (verifier) relationship. Rather than presenting a single, universal identifier to all services -- which would allow cross-service tracking and behavioral profiling -- the wallet derives a cryptographically unique identifier for every verifier it interacts with. This ensures that two or more relying parties cannot correlate their records to determine that they are dealing with the same individual, providing a fundamental layer of privacy protection in the European digital identity ecosystem. Pairwise identifiers are a mandatory privacy-by-design feature under the eIDAS 2.0 regulation, reflecting the EU's commitment to preventing the creation of centralized identity surveillance infrastructure.

How Pairwise Identifiers Work Technically

The generation of pairwise identifiers relies on cryptographic key derivation functions that take two inputs: a master secret held by the wallet instance and a unique identifier for the relying party (such as the verifier's domain name, public key, or registered entity identifier). By applying a deterministic but one-way derivation function, the wallet produces a unique public key or identifier for each relying party. The same relying party will always receive the same identifier from the same wallet, ensuring session continuity, but different relying parties will receive completely unrelated identifiers.

The mathematical foundation typically involves elliptic curve key derivation. Starting from a master key pair, the wallet computes a derived key pair using a function like HKDF (HMAC-based Key Derivation Function) with the relying party identifier as the context parameter (HKDF's "info" input). The resulting derived public key serves as the pairwise identifier. Because the derivation is one-way, even an attacker who obtains multiple pairwise identifiers cannot reverse-engineer the master key or link the identifiers to each other without access to the wallet's secure enclave.

In practice, the wallet may generate pairwise identifiers at different levels of granularity. The Architecture and Reference Framework (ARF) allows for identifiers that are pairwise per verifier organization, per verifier service, or even per transaction. The appropriate granularity depends on the use case: a banking relationship benefits from a stable pairwise identifier for account continuity, while a one-time age verification at a nightclub might use a per-transaction identifier that provides no continuity at all.
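
The derivation and granularity levels described above, as an added example (not specified by the ARF and not taken from any wallet implementation): HKDF-SHA256 over a master secret, with the granularity scope and relying party identifier in the info field, yields a P-256 private scalar whose compressed public key is the pairwise identifier. The choice of P-256, the salt label, the info layout, the function names and the sample master secret are assumptions of this example, and the pure-Python curve arithmetic is not constant-time.

```python
import hashlib, hmac, os

# NIST P-256 field prime, group order and base point (curve coefficient a = -3).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def hkdf_sha256(ikm, salt, info, length):  # RFC 5869: extract, then expand
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm, counter = okm + block, counter + 1
    return okm[:length]

def ec_add(p1, p2):  # affine addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    # Tangent slope when doubling, chord slope otherwise.
    num, den = (3 * x1 * x1 - 3, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, point):  # double-and-add; illustration only, not constant-time
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point, k = ec_add(point, point), k >> 1
    return acc

def pairwise_keypair(master_secret, rp_id, scope="organization", txn_nonce=b""):
    """Return (private scalar, compressed public key); info layout is an assumption."""
    fields = [scope.encode(), rp_id.encode(), txn_nonce]
    info = b"".join(len(f).to_bytes(2, "big") + f for f in fields)  # length-prefixed
    okm = hkdf_sha256(master_secret, b"pairwise-id-example", info, 48)
    d = int.from_bytes(okm, "big") % (N - 1) + 1  # 48 bytes in, so negligible bias
    x, y = ec_mul(d, G)
    return d, bytes([2 + (y & 1)]) + x.to_bytes(32, "big")

master = bytes(range(32))  # constructed sample; a real wallet keeps this in secure hardware
bank_id = pairwise_keypair(master, "bank.example")[1].hex()      # stable per verifier
social_id = pairwise_keypair(master, "social.example")[1].hex()  # unrelated to bank_id
one_off = pairwise_keypair(master, "club.example", "transaction", os.urandom(16))[1].hex()
```

Repeating the call for "bank.example" reproduces bank_id, while every call with a fresh txn_nonce yields an identifier that gives the verifier no continuity.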

Pairwise Identifiers in the EUDI Wallet Ecosystem

The eIDAS 2.0 regulation explicitly requires that EUDI Wallets prevent the tracking and linking of user activities across different relying parties. Article 5a of the regulation mandates that wallet providers shall not collect information about the use of the wallet that is not necessary for the provision of wallet services, and shall not combine personal data from other sources with data processed for providing the wallet. Pairwise identifiers are the primary technical mechanism for fulfilling these requirements.

When a user presents a credential to a verifier through the OpenID4VP (OpenID for Verifiable Presentations) protocol, the wallet signs the presentation using the pairwise key pair associated with that specific verifier. The verifier receives the credential data along with a cryptographic proof bound to the pairwise public key. This allows the verifier to confirm the presentation is authentic and was made by a consistent entity (enabling return visits and account linking within that single service), without gaining any ability to correlate with other services.

The wallet provider (the entity that develops and distributes the wallet application) also cannot track user activity through pairwise identifiers. Because the key derivation happens entirely within the device's secure enclave and the master secret never leaves the device, the wallet provider has no visibility into which pairwise identifiers are generated or which verifiers the user interacts with. This architectural separation is a deliberate design choice that prevents the wallet provider from becoming a surveillance intermediary.

Privacy Guarantees and Limitations

Pairwise identifiers provide strong cryptographic unlinkability between different relying parties, but they are not a complete privacy solution on their own. If a user presents credentials containing unique personal data (such as a full name and date of birth) to two different services, those services could still potentially correlate the records based on the credential content rather than the identifier. This is why pairwise identifiers work best in combination with selective disclosure and zero-knowledge proofs, which allow users to present only the minimum necessary attributes.

For example, when verifying age at an online service, the ideal approach combines a pairwise identifier (so the service cannot correlate with other services) with a zero-knowledge proof of age (so the service learns only that the user is over 18, not their actual birthdate). This layered approach maximizes privacy while still satisfying the verifier's legitimate requirements.

The EUDI Wallet's implementation of pairwise identifiers also addresses the tension between privacy and accountability. In scenarios where law enforcement has a legitimate, court-ordered need to identify a user, the regulatory framework provides mechanisms for authorized disclosure that do not compromise the privacy of other users. However, these mechanisms operate through the legal system and the credential issuers, not through the pairwise identifier infrastructure itself, preserving the architectural integrity of the privacy protections for the vast majority of interactions.

Examples

  • A user logs into their bank with Pairwise-ID-Bank and later logs into a social media platform with Pairwise-ID-Social. The bank and social media company cannot determine these are the same person.
  • A citizen presents their mobile driving license to a car rental company using one pairwise identifier, and to a police officer using a different pairwise identifier. Neither party can link the two presentations.
  • An employee uses their EUDI Wallet to authenticate at work (with a corporate pairwise ID) and separately to access government services (with a different government pairwise ID), maintaining complete separation between professional and civic identities.

⚠️ Independent Information

This website is NOT affiliated with the European Commission or any EU government. We provide independent, easy-to-understand information about EUDI.
