What is EUDI and how does Dusk Network’s Citadel fit in it?


On 10 February 2023, the European Union published an exciting document with an incredibly complicated name: The Common Union Toolbox for a Coordinated Approach Towards a European Digital Identity Framework: The European Digital Identity Wallet Architecture and Reference Framework, or ARF. We will dive into this document and what it means for Europe and for Dusk Network here and, to keep things brief, will follow the EU’s own suggested abbreviations: EUDI and ARF.

The concept of a European Digital Identity (EUDI) has been brewing for a while now. All the way back on the 3rd of June 2021, the European Commission announced its intention to lead the way in making this product available to all European citizens. Now, almost two years later, the EU is ready to start moving on to the piloting phase. But piloting what?

In effect, EUDI is a form of identification that can be used by any citizen of any European Union member state, by any company operating in the European Union, and accepted by any business or government agency in the European Union. Rather than replacing pre-existing identity mechanisms (i.e. national ID cards), EUDI sits alongside those as an auxiliary digitized identity system. For example, a bank in the Netherlands would continue to accept the Dutch identity card for new account openings, but would also accept EUDI for non-Dutch residents, meaning that they would only need to support two forms of identity verification. This is a step forward from banks’ current options to either learn how to support a plethora of identity certificates OR to restrict services to only people with Dutch IDs.

EUDI would not, however, be limited to the services that a member state’s identity card is used for, but would also extend to any interaction where attributes about a person need to be proven. The use cases that the EU itself identified are wide-ranging, including:

  • Secure and trusted identification to access online services
  • Mobility and digital driving license
  • Professional business certifications
  • Paying for things where different prices occur, such as toll roads
  • Health records such as patient summaries, or ePrescriptions
  • Educational credentials and professional qualifications
  • Digital Finance products
  • Digital Travel Credentials (such as passports and visas)

Currently, proving identity and credentials in the European Union is confusing and prone to errors. A huge number of different certifications are needed for whatever a citizen is trying to do, and these differ in number and style from member state to member state. True to the European mission to harmonize all member states into a single trade and travel area, the EU wishes to solve this problem with one single EUDI for all.

 

What is ARF?

ARF is a recent document that marks the beginning of the EUDI pilot phase. It is essentially a checklist for each member state to agree upon and harmonize before piloting can commence. This includes:

  • Defining roles and responsibilities of every player in the EUDI process.
  • Outlining functional and non-functional requirements of the EUDI Wallet.
  • Identifying potential building blocks.

Since each member state’s implementation of EUDI needs to be interoperable with all the others, it is critical that everyone starts by building on the same set of standards and using consistent terminology. This is important when it comes to specifics like certifying the validity of an ID or document. For example, if a certificate has an expiry date, it should automatically become invalid on or after that date. But should the issuer also have the ability to revoke the certificate at any point before the certificate naturally expires? And if something is valid ‘until it is revoked’, does it need an expiry date just in case? The ARF sets guidelines for how all these things should be set up, how the information would flow between the parties involved, and who should have access to what.

This is crucial, given that multiple parties are involved in even a simple transaction like issuing a discount rail ticket to a student. In this example, the parties include:

  • The student.
  • The railway operator.
  • The university (which verifies the student’s status).
  • A national student body (who may also have to verify the student).
  • The operator of the railway station (if different from the railway operator).
  • The train ticket website that sold the ticket.

As you can see, even a seemingly simple transaction like purchasing a train ticket for a student can involve up to six different parties. Can you imagine what kind of complexity might be involved in dealing with sophisticated financial instruments?

 

Why does Dusk Network welcome this?

At Dusk Network we believe that the ARF specifications are an important step towards improving privacy and security in the EUDI process: two of our main priorities. The above (fairly simple) example of a student purchasing a train ticket highlights the need for selective disclosures. They would allow individuals to share only the necessary information, while simultaneously making unsafe practices like sharing copies of IDs or requiring personal data completely obsolete. You can think of selective disclosures like showing someone your driving license, but with your fingers covering all the information except your photo, since that is all that is really needed.
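The student rail ticket case, as an added example that is not Dusk Network's or the ARF's code: a salted-digest credential (a simpler technique than Citadel's zero-knowledge proofs) lets the student reveal only the `student` claim, while the verifier applies the expiry and revocation rules discussed in the ARF section. All names, the sample claims and the HMAC standing in for an asymmetric issuer signature are assumptions.

```python
import hashlib, hmac, json, secrets
from datetime import date

ISSUER_KEY = secrets.token_bytes(32)  # constructed; stand-in for the issuer's signing key
CLAIMS = {"name": "Ana Example", "birth_date": "2003-04-05", "student": True}  # constructed

def digest(salt, name, value):
    # The random salt stops a verifier from guessing hidden claims by hashing candidates.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def mac(body):
    # HMAC keeps the example stdlib-only; a real issuer would use an asymmetric signature.
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, data, hashlib.sha256).hexdigest()

def issue(cred_id, claims, expires):
    """Issuer (the university): sign salted digests only; the salts go to the holder."""
    salts = {k: secrets.token_hex(16) for k in claims}
    body = {"id": cred_id, "expires": expires.isoformat(),
            "digests": sorted(digest(salts[k], k, v) for k, v in claims.items())}
    return {"body": body, "sig": mac(body)}, salts

def present(claims, salts, reveal):
    """Holder (the student): disclose only the chosen claims, each with its salt."""
    return [[salts[k], k, claims[k]] for k in reveal]

def verify(cred, disclosures, today, revoked):
    """Verifier (the ticket seller): return the proven claims, or None if anything fails."""
    body = cred["body"]
    if not hmac.compare_digest(cred["sig"], mac(body)):
        return None                                   # body was altered after issuance
    if today >= date.fromisoformat(body["expires"]):
        return None                                   # invalid on or after the expiry date
    if body["id"] in revoked:
        return None                                   # issuer revoked it before expiry
    proven = {}
    for salt, name, value in disclosures:
        if digest(salt, name, value) not in body["digests"]:
            return None                               # disclosure not covered by the issuer
        proven[name] = value
    return proven

if __name__ == "__main__":
    cred, salts = issue("cred-001", CLAIMS, date(2025, 6, 30))
    shown = present(CLAIMS, salts, ["student"])
    print(verify(cred, shown, date(2025, 1, 15), revoked=set()))
```

Unlike a zero-knowledge proof, the same signed body is shown at every presentation, so verifiers who compare notes can link them to one holder.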

Data leaks are becoming increasingly common in society, and we at Dusk are alarmed that even the simplest of transactions carry a big potential for data leakage. The easiest way to protect users and organizations is to either store data in a secure encrypted format or to not get any exposure to it.

To address this concern, the ARF specifications point to an EUDI that must have features such as certificate issuance and revocation, encryption, secure transfer of identity and other personal information, and a range of selective disclosure options.

That sounds a little familiar, doesn’t it?

 

Why use Citadel for EUDI?

Citadel is Dusk’s privacy-preserving digital identity solution that allows for privacy, compliance, decentralization, and a one-and-done approach to KYC. As such it would be a great choice for EUDI for multiple reasons, but mostly for privacy, compliance, and efficiency.

Privacy is a key concern for everyone involved in the EUDI process. Citadel is built using zero-knowledge proofs (ZKPs), which means that private data does not need to be revealed in order to confirm that a person has legitimate access to a service, is authorized to enter a country, or has a legitimate right to be somewhere. This approach to privacy and identity is new and revolutionary and allows for a solution that preserves privacy while still providing secure identity verification. In that sense, it goes above and beyond the EUDI’s current ambition of issuing a digital version of what already exists.

ZKPs have the power to prove that something is true without any other disclosure. In the case of the EUDI, that would translate into giving people the power to prove eligibility without having to share their identity. Whether they enter a country, open a bank account, or even access a service, Citadel would ensure that their data remains private and would dramatically reduce any chance of attacks by hackers.

Compliance is another advantage that Citadel offers, specifically programmable compliance. The EU can program its regulations into Citadel itself, which not only ensures compliance but also makes it easier to update the regulations as things change.

For example, during Brexit, Citadel as the EUDI could have been used to update the system and change what was and wasn’t allowed, making it simpler to maintain compliance. Presumably, UK citizens’ EUDIs would have been made invalid.

Finally, efficiency is a crucial advantage of Citadel. Unlike traditional systems that require extensive data storage and compliance departments, Citadel eliminates the need for these costs. With Citadel, there would be no need to maintain redundant copies of databases storing the digital identities of approximately 450 million people, alongside entire legal, compliance, and cybersecurity departments. Only proof of eligibility would be transmitted, while data would not. If there is nothing to hack, there’s no need for all this overhead.

In conclusion, Citadel has the potential to provide both the EU and its citizens with the privacy, programmable compliance, and efficiency that they need to make digital identities a success. Thanks to its use of zero-knowledge cryptography and programmable compliance, Citadel offers a new approach to digital identity that is both secure and efficient and has the potential to revolutionize the way we approach identity verification.