{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,12]],"date-time":"2026-03-12T02:46:48Z","timestamp":1773283608425,"version":"3.50.1"},"reference-count":61,"publisher":"MDPI AG","issue":"2","license":[{"start":{"date-parts":[[2026,3,11]],"date-time":"2026-03-11T00:00:00Z","timestamp":1773187200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Cryptography"],"abstract":"<jats:p>Pseudonymisation constitutes an essential technical and organisational measure for implementing personal data-protection safeguards. Its main goal is to hide identities of individuals, thus reducing data protection and privacy risks through facilitating the fulfilment of several principles such as data minimisation and security. However, selecting and deploying appropriate pseudonymisation mechanisms in a risk-based approach, tailored to the specific data processing context, remains a non-trivial task. This survey paper aims to present especially how cryptography can be used at the service of pseudonymisation, putting emphasis not only on traditional approaches but also on advanced cryptographic techniques that have been proposed to address special pseudonymisation challenges. To this end, we systematically classify existing approaches according to a taxonomy that captures key design dimensions that are relevant to specific data-protection challenges. Finally, since the notion of pseudonymisation adopted in this work is grounded in European data-protection law, we also discuss recent legal developments, in particular the CJEU\u2019s latest judgment, which refined the interpretation of pseudonymous data.<\/jats:p>","DOI":"10.3390\/cryptography10020018","type":"journal-article","created":{"date-parts":[[2026,3,11]],"date-time":"2026-03-11T10:43:27Z","timestamp":1773225807000},"page":"18","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Cryptographic Foundations of Pseudonymisation for Personal Data Protection"],"prefix":"10.3390","volume":"10","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7663-7169","authenticated-orcid":false,"given":"Konstantinos","family":"Limniotis","sequence":"first","affiliation":[{"name":"Hellenic Data Protection Authority, Kifissias 1-3, 11523 Athens, Greece"}]}],"member":"1968","published-online":{"date-parts":[[2026,3,11]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Dhirani, L.L., Mukhtiar, N., Chowdhry, B.S., and Newe, T. (2023). Ethical Dilemmas and Privacy Issues in Emerging Technologies: A Review. Sensors, 23.","DOI":"10.3390\/s23031151"},{"key":"ref_2","first-page":"145","article-title":"Comparing the Benefits of Pseudonymisation and Anonymisation under the GDPR","volume":"2","author":"Hintze","year":"2018","journal-title":"J. Data Prot. Priv."},{"key":"ref_3","unstructured":"European Union Agency for Cybersecurity (ENISA) (2019). Recommendations on Shaping Technology According to GDPR Provisions: An Overview on Data Pseudonymisation, European Union Agency for Cybersecurity (ENISA). Technical Report."},{"key":"ref_4","unstructured":"European Union Agency for Cybersecurity (ENISA) (2019). Pseudonymisation Techniques and Best Practices, European Union Agency for Cybersecurity (ENISA). Technical Report, ENISA Report."},{"key":"ref_5","unstructured":"(2026, March 05). Regulation (EU) 2016\/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95\/46\/EC (General Data Protection Regulation). Official Journal of the European Union, L119, 4 May 2016, pp. 1\u201388. 2016. Available online: https:\/\/eur-lex.europa.eu\/eli\/reg\/2016\/679\/oj\/eng."},{"key":"ref_6","unstructured":"European Parliament and Council of the European Union (2026, March 05). Regulation (EU) 2025\/327 of the European Parliament and of the Council of 11 February 2025 on the European Health Data Space and Amending Directive 2011\/24\/EU and Regulation (EU) 2024\/2847. Official Journal of the European Union, L 327, 2025. Regulation (EU) 2025\/327, 5.3.2025. Available online: https:\/\/eur-lex.europa.eu\/eli\/reg\/2025\/327\/oj\/eng."},{"key":"ref_7","unstructured":"European Parliament and Council of the European Union (2026, March 05). Regulation (EU) 2022\/868 of the European Parliament and of the Council of 30 May 2022 on European Data Governance and Amending Regulation (EU) 2018\/1724 (Data Governance Act). Official Journal of the European Union, L 152, 2022. Regulation (EU) 2022\/868. Available online: https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=celex%3A32022R0868."},{"key":"ref_8","unstructured":"European Parliament and Council of the European Union (2026, March 05). Regulation (EU) 2023\/2854 of the European Parliament and of the Council of 13 December 2023 on Harmonised Rules on Fair Access to and Use of Data and Amending Regulation (EU) 2017\/2394 and Directive (EU) 2020\/1828 (Data Act). Official Journal of the European Union, L 327, 2023. Regulation (EU) 2023\/2854, Published 22 December 2023, Commonly Referred to as the Data Act. Available online: https:\/\/eur-lex.europa.eu\/eli\/reg\/2023\/2854\/oj\/eng."},{"key":"ref_9","unstructured":"European Union Agency for Cybersecurity (ENISA) (2021). Data Pseudonymisation: Advanced Techniques and Use Cases, European Union Agency for Cybersecurity (ENISA). Technical Report TP-01-21-024-EN-N."},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Limniotis, K. (2021). Cryptography as the Means to Protect Fundamental Human Rights. Cryptography, 5.","DOI":"10.3390\/cryptography5040034"},{"key":"ref_11","unstructured":"(2026, March 05). Charter of Fundamental Rights of the European Union. Official Journal of the European Communities C 364\/01, 18 December 2000, 2000. Proclaimed by the European Parliament, the Council and the Commission, Consolidated Versions Commonly Cited (e.g., 2012) Available. Available online: https:\/\/www.europarl.europa.eu\/charter\/pdf\/text_en.pdf."},{"key":"ref_12","first-page":"153","article-title":"On the (Non-)anonymity of Anonymous Social Networks","volume":"Volume 792","author":"Katsikas","year":"2017","journal-title":"Communications in Computer and Information Science, E-Democracy\u2014Privacy-Preserving, Secure, Intelligent E-Government Services\u20147th International Conference, E-Democracy 2017, Athens, Greece, 14\u201315 December 2017"},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"11","DOI":"10.1093\/idpl\/ipz026","article-title":"They who must not be identified\u2014Distinguishing personal from non-personal data under the GDPR","volume":"10","author":"Finck","year":"2020","journal-title":"Int. Data Priv. Law"},{"key":"ref_14","unstructured":"Pfitzmann, A., and Hansen, M. (2026, March 05). Anonymity, Unlinkability, Unobservability, Pseudonymity, and Identity Management\u2014A Consolidated Proposal for Terminology (Version v0.28). Technical Terminology Draft, TU Dresden, Faculty of Computer Science\/ULD Kiel, 2006. Available online: https:\/\/dud.inf.tu-dresden.de\/literatur\/Anon_Terminology_v0.28.pdf."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Jajodia, S., Samarati, P., and Yung, M. (2025). Encyclopedia of Cryptography, Security and Privacy, Springer Nature.","DOI":"10.1007\/978-3-030-71522-9"},{"key":"ref_16","unstructured":"European Data Protection Board (2025). Guidelines 01\/2025 on Pseudonymisation, European Data Protection Board. Technical Report."},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"168470","DOI":"10.1109\/ACCESS.2020.3023659","article-title":"Privacy-Preserving Identifiers for IoT: A Systematic Literature Review","volume":"8","author":"Akil","year":"2020","journal-title":"IEEE Access"},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Abu Attieh, H., M\u00fcller, A., Wirth, F.N., and Prasser, F. (2025). Pseudonymization tools for medical research: A systematic review. BMC Med. Inform. Decis. Mak., 25.","DOI":"10.1186\/s12911-025-02958-0"},{"key":"ref_19","first-page":"52:1","article-title":"A Survey of Network Traffic Anonymisation Techniques and Implementations","volume":"51","author":"Dijkhuizen","year":"2018","journal-title":"ACM Comput. Surv."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Asad, M., Shaukat, S., Javanmardi, E., Nakazato, J., and Tsukada, M. (2023). A Comprehensive Survey on Privacy-Preserving Techniques in Federated Recommendation Systems. Appl. Sci., 13.","DOI":"10.3390\/app13106201"},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"110560","DOI":"10.1016\/j.dib.2024.110560","article-title":"Evaluation and utilisation of privacy enhancing technologies\u2014A data spaces perspective","volume":"55","author":"Rahmian","year":"2024","journal-title":"Data Brief"},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"103465","DOI":"10.1016\/j.jnca.2022.103465","article-title":"Revealing the landscape of privacy-enhancing technologies in the context of data markets for the IoT: A systematic literature review","volume":"207","author":"Garrido","year":"2022","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"557","DOI":"10.1142\/S0218488502001648","article-title":"k -Anonymity: A Model for Protecting Privacy","volume":"10","author":"Sweeney","year":"2002","journal-title":"Int. J. Uncertain. Fuzziness Knowl.-Based Syst."},{"key":"ref_24","unstructured":"National Institute of Standards and Technology (NIST) (2023). Federal Information Processing Standards Publication 197 (FIPS 197): Advanced Encryption Standard (AES), Technical Report FIPS 197-upd1."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"284","DOI":"10.1007\/s10278-006-1051-4","article-title":"Pseudonymization of Radiology Data for Research Purposes","volume":"20","author":"Noumeir","year":"2007","journal-title":"J. Digit. Imaging"},{"key":"ref_26","first-page":"186","article-title":"Privacy-Preserving Storage and Access of Medical Data through Pseudonymization and Encryption","volume":"Volume 6863","author":"Heurix","year":"2011","journal-title":"Proceedings of the 8th International Conference on Trust, Privacy and Security in Digital Business (TrustBus 2011)"},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Aamot, H., Kohl, C.D., Richter, D., and Knaup-Gregori, P. (2013). Pseudonymization of patient identifiers for translational research. BMC Med. Inform. Decis. Mak., 13.","DOI":"10.1186\/1472-6947-13-75"},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"230","DOI":"10.1016\/j.cmpb.2009.12.001","article-title":"Strategies for health data exchange for secondary, cross-institutional clinical research","volume":"99","author":"Elger","year":"2010","journal-title":"Comput. Methods Programs Biomed."},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Dworkin, M. (2016). Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption, NIST Special Publication 800-38G.","DOI":"10.6028\/NIST.SP.800-38G"},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"551","DOI":"10.1109\/COMST.2017.2747598","article-title":"The Pitfalls of Hashing for Privacy","volume":"20","author":"Demir","year":"2018","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_31","unstructured":"Schwartmann, R., Wei\u00df, S., and Group, D.P.F. (2017). White Paper on Pseudonymization: Guidelines for the Legally Secure Deployment of Pseudonymization Solutions in Compliance with the General Data Protection Regulation, Digital Summit Data Protection Focus Group\/ePrivacy.eu. White Paper\/Technical Report."},{"key":"ref_32","unstructured":"Zimmer, E., Burkert, C., Petersen, T., and Federrath, H. (April, January 30). PEEPLL: Privacy-Enhanced Event Pseudonymisation with Limited Linkability. Proceedings of the 35th ACM\/SIGAPP Symposium on Applied Computing (SAC \u201920), Brno, Czech Republic."},{"key":"ref_33","first-page":"103021","article-title":"Log pseudonymization: Privacy maintenance in practice","volume":"63","author":"Varanda","year":"2021","journal-title":"J. Inf. Secur. Appl."},{"key":"ref_34","unstructured":"(2026, March 05). University of Nottingham and Julia Hippisley-Cox. OpenPseudonymiser. Open Source Pseudonymisation Software for Dataset Digest Generation. Available online: https:\/\/www.openpseudonymiser.org\/."},{"key":"ref_35","first-page":"47","article-title":"Identity-Based Cryptosystems and Signature Schemes","volume":"Volume 196","author":"Chaum","year":"1985","journal-title":"Advances in Cryptology\u2014CRYPTO 84"},{"key":"ref_36","doi-asserted-by":"crossref","first-page":"586","DOI":"10.1137\/S0097539701398521","article-title":"Identity Based Encryption from the Weil Pairing","volume":"32","author":"Boneh","year":"2003","journal-title":"SIAM J. Comput."},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Boussada, R., Elhdhili, M.E., and Saidane, L.A. (2018, January 28\u201330). A Lightweight Privacy-Preserving Solution for IoT: The Case of E-Health. Proceedings of the IEEE 20th International Conference on High Performance Computing and Communications, IEEE 16th International Conference on Smart City, IEEE 4th International Conference on Data Science and Systems (HPCC\/SmartCity\/DSS), Exeter, UK.","DOI":"10.1109\/HPCC\/SmartCity\/DSS.2018.00104"},{"key":"ref_38","unstructured":"Verheul, E., Jacobs, B., Meijer, C., Hildebrandt, M., and de Ruiter, J. (2026, March 05). Polymorphic Encryption and Pseudonymisation for Personalised Healthcare. Cryptology ePrint Archive, Paper 2016\/411. Available online: https:\/\/eprint.iacr.org\/2016\/411."},{"key":"ref_39","first-page":"S19","article-title":"Data Protection Using Polymorphic Pseudonymisation in a Large-Scale Parkinson\u2019s Disease Study","volume":"11","author":"Jacobs","year":"2021","journal-title":"J. Park. Dis."},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Casacuberta, S., Hesse, J., and Lehmann, A. (2022, January 6\u201310). SoK: Oblivious Pseudorandom Functions. Proceedings of the 7th IEEE European Symposium on Security and Privacy, Genoa, Italy.","DOI":"10.1109\/EuroSP53844.2022.00045"},{"key":"ref_41","doi-asserted-by":"crossref","first-page":"289","DOI":"10.2478\/popets-2019-0048","article-title":"ScrambleDB: Oblivious (Chameleon) Pseudonymization-as-a-Service","volume":"2019","author":"Lehmann","year":"2019","journal-title":"Proc. Priv. Enhancing Technol."},{"key":"ref_42","doi-asserted-by":"crossref","first-page":"164","DOI":"10.1515\/popets-2018-0026","article-title":"Privacy Pass: Bypassing Internet Challenges Anonymously","volume":"2018","author":"Davidson","year":"2018","journal-title":"Proc. Priv. Enhancing Technol."},{"key":"ref_43","doi-asserted-by":"crossref","unstructured":"Kolesnikov, V., Kumaresan, R., Rosulek, M., and Trieu, N. (2016, January 24\u201328). Efficient Batched Oblivious PRF with Applications to Private Set Intersection. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS \u201916), Vienna, Austria.","DOI":"10.1145\/2976749.2978381"},{"key":"ref_44","doi-asserted-by":"crossref","first-page":"86","DOI":"10.1145\/3387108","article-title":"Secure Multiparty Computation (MPC)","volume":"64","author":"Lindell","year":"2020","journal-title":"Commun. ACM"},{"key":"ref_45","doi-asserted-by":"crossref","first-page":"612","DOI":"10.1145\/359168.359176","article-title":"How to Share a Secret","volume":"22","author":"Shamir","year":"1979","journal-title":"Commun. ACM"},{"key":"ref_46","doi-asserted-by":"crossref","first-page":"1178","DOI":"10.1007\/s12083-019-00786-4","article-title":"Blockchain Meets VANET: An Architecture for Identity and Location Privacy Protection in VANET","volume":"12","author":"Li","year":"2019","journal-title":"Peer-to-Peer Netw. Appl."},{"key":"ref_47","doi-asserted-by":"crossref","first-page":"161","DOI":"10.1007\/3-540-44702-4_10","article-title":"On Pseudonymization of Audit Data for Intrusion Detection","volume":"Volume 2009","author":"Biskup","year":"2001","journal-title":"Designing Privacy Enhancing Technologies"},{"key":"ref_48","doi-asserted-by":"crossref","first-page":"113","DOI":"10.1007\/978-3-642-22890-2_10","article-title":"Decentralized Generation of Multiple, Uncorrelatable Pseudonyms without Trusted Third Parties","volume":"Volume 6863","author":"Furnell","year":"2011","journal-title":"Trust, Privacy and Security in Digital Business (TrustBus 2011)"},{"key":"ref_49","doi-asserted-by":"crossref","first-page":"194","DOI":"10.1007\/11560326_15","article-title":"Unique User-Generated Digital Pseudonyms","volume":"Volume 3685","author":"Gorodetsky","year":"2005","journal-title":"Computer Network Security (MMM-ACNS 2005)"},{"key":"ref_50","doi-asserted-by":"crossref","first-page":"89","DOI":"10.1007\/978-3-030-76663-4_5","article-title":"User-Generated Pseudonyms Through Merkle Trees","volume":"Volume 12703","author":"Gruschka","year":"2021","journal-title":"Privacy Technologies and Policy (APF 2021)"},{"key":"ref_51","unstructured":"Camenisch, J., and Hansen, M. (2011). Privacy and Identity Management for Life, Springer. Lecture Notes in Computer Science."},{"key":"ref_52","doi-asserted-by":"crossref","unstructured":"Chaum, D. (1983). Blind Signatures for Untraceable Payments. Advances in Cryptology: Proceedings of CRYPTO \u201982, Plenum Press.","DOI":"10.1007\/978-1-4757-0602-4_18"},{"key":"ref_53","doi-asserted-by":"crossref","first-page":"93","DOI":"10.1007\/3-540-44987-6_7","article-title":"An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation","volume":"Volume 2045","author":"Camenisch","year":"2001","journal-title":"Advances in Cryptology\u2014EUROCRYPT 2001"},{"key":"ref_54","doi-asserted-by":"crossref","first-page":"129","DOI":"10.1007\/978-3-031-30731-7_6","article-title":"SoK: Anonymous Credentials","volume":"Volume 13895","author":"Kakvi","year":"2023","journal-title":"Security Standardisation Research"},{"key":"ref_55","doi-asserted-by":"crossref","unstructured":"Camenisch, J., and Herreweghen, E.V. (2002, January 18\u201322). Design and Implementation of the Idemix Anonymous Credential System. Proceedings of the 9th ACM Conference on Computer and Communications Security, Washington, DC, USA.","DOI":"10.1145\/586111.586114"},{"key":"ref_56","unstructured":"Paquin, C. (U-Prove Cryptographic Specification, 2011). U-Prove Cryptographic Specification, Technical Report."},{"key":"ref_57","doi-asserted-by":"crossref","unstructured":"Brands, S. (2000). Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy, MIT Press.","DOI":"10.7551\/mitpress\/5931.001.0001"},{"key":"ref_58","doi-asserted-by":"crossref","unstructured":"Asghar, R., Backes, M., and Simeonovski, M. (2018, January 20\u201324). PRIMA: Privacy-Preserving Identity and Access Management at Internet-Scale. Proceedings of the 2018 IEEE International Conference on Communications (ICC), Kansas City, MO, USA.","DOI":"10.1109\/ICC.2018.8422732"},{"key":"ref_59","unstructured":"Court of Justice of the European Union (2026, March 05). Judgment of the Court (First Chamber) of 4 September 2025, Case C-413\/23 P: European Data Protection Supervisor v Single Resolution Board (Concept of Personal Data\/Pseudonymisation). Available online: https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:62023CJ0413."},{"key":"ref_60","unstructured":"European Data Protection Board (2026). Report on Stakeholder Event on Anonymisation and Pseudonymisation of 12 December 2025, European Data Protection Board. Technical Report."},{"key":"ref_61","doi-asserted-by":"crossref","unstructured":"Khutsaeva, A., Leevik, A., and Bezzateev, S. (2025). A Survey of Post-Quantum Oblivious Protocols. Cryptography, 9.","DOI":"10.3390\/cryptography9040062"}],"container-title":["Cryptography"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2410-387X\/10\/2\/18\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,3,11]],"date-time":"2026-03-11T11:32:21Z","timestamp":1773228741000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2410-387X\/10\/2\/18"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,3,11]]},"references-count":61,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2026,4]]}},"alternative-id":["cryptography10020018"],"URL":"https:\/\/doi.org\/10.3390\/cryptography10020018","relation":{},"ISSN":["2410-387X"],"issn-type":[{"value":"2410-387X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,3,11]]}}}