Enabling SSI-Compliant Use of EUDI Wallet Credentials through Trusted Execution Environment and Zero-Knowledge Proof
Nacereddine Sitouah, Francesco Bruschi, Stefano De Cillis
TL;DR
This paper tackles the mismatch between the centralized trust model of eIDAS 2.0/EUDIW and Self-Sovereign Identity (SSI) principles, proposing a TEEs+$ZK$ framework to enable SSI-compliant use of IT-Wallet credentials. The authors outline an architecture where IT-Wallet credentials are minted into a SGX-attested $SD-JWT-VC$ within an SGX-enabled SSI-Wallet, with trust-chain verification performed inside a TEE and verifiable proofs published via $ZK$ techniques. Key contributions include a concrete workflow for exporting, validating, and re-issuing credentials, hardware-attested proofs, and a confidential-cloud approach using Kubernetes-based confidential executions to preserve privacy while enabling SSI-compatible verification. The work aims to reduce centralized dependency, enhance privacy, and improve interoperability for EU digital identity, with future work on prototypes, performance benchmarking of $ZK$ proofs, live verification of short-lived credentials, and scalable revocation schemes using Merkle trees.
Abstract
The passing of the eIDAS amendment marks an important milestone for EU countries and changes how they must manage digital credentials for both public services and businesses. Italy has led in adopting eIDAS, first with CIE and SPID identity schemes, and now with the Italian Wallet (IO app) aligned to eIDAS 2.0. Self-Sovereign Identity (SSI) is a decentralized model born from the success of Distributed Ledgers, giving individuals full control over their digital identity. The current eIDAS 2.0 and its implementation acts diverge from SSI principles, rendering the European Digital Identity Wallet (EUDIW) centralized and merely user-centric, prioritizing security and legal protection over true self-sovereignty. This paper proposes an architecture that enables the use of IT Wallet credentials and services in an SSI-compliant environment through Trusted Execution Environments and Zero-Knowledge Proofs.
