Unlinkability: Transaction Unlinkability

Definition

Unlinkability Mechanisms in the EUDI Wallet

The EUDI Wallet implements unlinkability through several complementary technical mechanisms that work together to prevent cross-verifier correlation. The most fundamental mechanism is pairwise pseudonymous identifiers: instead of using a single, global user identifier (like a national ID number) across all interactions, the wallet generates a unique, verifier-specific pseudonym for each relying party. This means that Verifier A receives identifier "abc123" while Verifier B receives "xyz789" for the same user. Even if Verifiers A and B compare their records, they cannot match these identifiers to determine they served the same person.

The SD-JWT (Selective Disclosure JSON Web Token) credential format provides additional unlinkability through its disclosure mechanism. When the wallet presents a credential, it creates fresh disclosure values for each presentation session, including a new key binding proof with a unique nonce. The cryptographic values in the presentation are session-specific, so two presentations of the same credential produce different byte-level outputs. This prevents verifiers from comparing raw presentation data to detect that the same underlying credential was used. The issuer's signature on the credential is the same, but it is embedded in a format that does not reveal a correlation handle when combined with selective disclosure.

For the ISO 18013-5 mDoc credential format used in proximity scenarios (face-to-face verification), unlinkability is achieved through the device engagement protocol. Each presentation session establishes a new ephemeral key pair for the session encryption, and the device response is bound to the session-specific transcript. The mDoc format includes a mechanism for generating randomized device-signed data elements that change with each presentation, preventing the same credential presentation from producing identical outputs that could be used for correlation by different verifiers.

Unlinkability vs. Selective Disclosure: Complementary Protections

Unlinkability and selective disclosure are often discussed together because they address different but complementary aspects of privacy. Selective disclosure controls what information is shared (minimizing the attributes revealed to each verifier), while unlinkability controls whether separate sharing events can be connected (preventing verifiers from linking presentations to the same person). Both are necessary for complete privacy protection: selective disclosure alone does not prevent correlation if the same technical identifier appears in every presentation, and unlinkability alone does not prevent profiling if excessive personal data is shared in each interaction.

Consider a practical example: a user proves they are over 18 at an online store (selective disclosure: sharing only "age >= 18" rather than full birthdate) and proves their driving licence category at a car rental (selective disclosure: sharing only the licence category, not the full licence details). Unlinkability ensures these two presentations cannot be linked to the same person through technical identifiers. Together, selective disclosure and unlinkability mean that neither verifier learns more than necessary, and neither can cross-reference their records with the other to build a more complete profile.

The EUDI Wallet Architecture Reference Framework recognizes both properties as requirements. The framework mandates that wallet implementations must support selective disclosure for all credential formats and must implement anti-correlation measures including pairwise identifiers and session-unique presentation values. The combination of these two properties positions the EUDI Wallet as significantly more privacy-preserving than traditional digital identity systems (like federated SSO or centralized identity databases), where both data minimization and transaction unlinkability are typically absent.

Challenges and Limitations of Unlinkability

While the EUDI Wallet's technical mechanisms provide strong unlinkability guarantees at the protocol level, several practical challenges can weaken unlinkability in real-world deployments. The most significant is attribute-based correlation: if the disclosed attributes themselves are sufficiently unique to identify the individual (such as a rare name combined with a specific date of birth), technical unlinkability provides no additional protection because the verifier can simply match the attribute values. This is why data minimization through selective disclosure is essential as a complement to technical unlinkability measures.

Network-level correlation presents another challenge. If the user's network traffic is observable (for example, through their IP address or device fingerprinting), an attacker monitoring network connections could potentially link different credential presentations to the same device even if the protocol-level identifiers are different. Mitigations include using VPN or Tor for wallet communications, randomizing network identifiers, and designing the wallet to minimize distinguishing characteristics in its network traffic patterns. The EUDI Wallet Architecture Reference Framework acknowledges this challenge and recommends wallet providers implement network-level privacy measures.

Temporal and contextual correlation is a subtler issue. If a user presents credentials at two locations within a short time window and in close geographic proximity, an observer with access to both verification logs could infer that the same person was involved based on timing and location, even without any technical correlation handle. This type of correlation is inherent to the physical world (the same challenge exists with physical documents) and cannot be fully addressed through cryptographic mechanisms alone. The EUDI Wallet mitigates this risk by implementing data minimization in verification logs and enforcing strict retention limits on presentation records held by verifiers.

Unlinkability in the Broader Privacy Architecture

Unlinkability is one pillar of the EUDI Wallet's complete privacy architecture, which also includes data minimization (sharing only necessary attributes), purpose limitation (verifiers can only request attributes justified by their stated purpose), user consent (the wallet user explicitly approves each presentation), issuer non-involvement (the credential issuer is not contacted during presentations and cannot track when or where credentials are used), and storage minimization (verifiers should not retain credential data beyond their immediate need).

The interaction between unlinkability and the GDPR is particularly important. Under GDPR, pairwise pseudonymous identifiers used by the EUDI Wallet may qualify as pseudonymous data rather than directly identifying personal data, which provides additional legal protections and may reduce the regulatory burden on verifiers. However, the status of pseudonymous identifiers under GDPR depends on whether the verifier has additional information that could be used to re-identify the individual, making the legal analysis context-dependent.

Looking forward, advanced cryptographic techniques such as zero-knowledge proofs offer the potential for even stronger unlinkability guarantees. With zero-knowledge proofs, the wallet can prove a statement about credential attributes (such as "I am over 18") without revealing any additional information, including the credential itself. This eliminates even the theoretical possibility of issuer-signature-based correlation, providing information-theoretic unlinkability rather than computational unlinkability. While the current EUDI Wallet specification uses SD-JWT and mDoc formats that provide computational unlinkability, future versions may incorporate zero-knowledge proof systems for enhanced privacy in sensitive use cases.

Related Terms