ChapterPDF Available

Abstract and Figures

Attribute-based credential systems enable users to authenticate in a privacy-preserving manner. However, in such schemes verifying a user’s credential requires knowledge of the issuer’s public key, which by itself might already reveal private information about the user.
Content may be subject to copyright.
An extended abstract of this paper appeared in the 20th International Conference on Cryptology
and Network Security CANS 2021, December 13–15, 2021, Vienna, Austria. Springer, 2021.
https://doi.org/10.1007/978-3-030-92548-2_9
Issuer-Hiding Attribute-Based Credentials ?
Jan Bobolz1, Fabian Eidens1,
Stephan Krenn2, Sebastian Ramacher2, and Kai Samelin3
1Paderborn University, Paderborn, Germany
{jan.bobolz,fabian.eidens}@uni-paderborn.de
2AIT Austrian Institute of Technology, Vienna, Austria
{stephan.krenn,sebastian.ramacher}@ait.ac.at
3Independent, Germany
kaispapers@gmail.com
Abstract. Attribute-based credential systems enable users to authenticate in a privacy-preserving manner.
However, in such schemes verifying a user’s credential requires knowledge of the issuer’s public key, which by
itself might already reveal private information about the user.
In this paper, we tackle this problem by introducing the notion of issuer-hiding attribute-based credential
systems. In such a system, the verifier can define a set of acceptable issuers in an ad-hoc manner, and the user
can then prove that her credential was issued by one of the accepted issuers – without revealing which one.
We then provide a generic construction, as well as a concrete instantiation based on Groth’s structure preserving
signature scheme (ASIACRYPT’15) and simulation-sound extractable NIZK, for which we also provide concrete
benchmarks in order to prove its practicability.
The online complexity of all constructions is independent of the number of acceptable verifiers, which makes it
also suitable for highly federated scenarios.
Keywords: Cryptographic protocols ·issuer-hiding ·privacy-preserving ·anonymous credentials ·au-
thentication
1 Introduction
Anonymous credential systems and their attribute-based extensions (ABCs) allow users to receive digi-
tal certificates (credentials) certifying certain pieces of personal information (attributes) from issuers. A
user can then present her credential to a verifier in a way that respects the user’s privacy while giving
high authenticity guarantees to the verifier. That is, the user can decide, on a fine-granular basis, which
information about her attributes she wants to disclose to the verifier, while no further information, in-
cluding metadata, is revealed. In particular, different actions of the same user can only be linked through
the disclosed information. In the most general case, the verifier can publish arbitrary predicates (Boolean
formulas) over attribute values that users need to satisfy for authentication (e.g., a user is older than
21, comes from a specific country, or has a certain name), and receives cryptographic evidence that such
attribute values were certified by the given issuer. Anonymous credential systems were first envisioned by
Chaum [Cha81,Cha85]. Besides well-known systems like Microsoft’s U-Prove [Bra99,PZ13] and IBM’s Iden-
tity Mixer [CL04,CL03, CV02, CL01], a large body of work with different optimizations and functionalities
can be found in the literature, e.g. [HK19, CL19, CDHK15, CKL+16, BBDE19, BB18, RVH17, CLNR14].
All of the aforementioned ABC systems have in common that the privacy guarantees only hold with
respect to a single issuer key: whilst not being able to link actions of a single user, a verifier learns the
?This work was in parts supported by the European Union’s Horizon 2020 research and innovation programme under grant
agreement No 871473 (KRAKEN) and 830929 (CyberSec4Europe), and by the German Research Foundation (DFG)
within the Collaborative Research Centre On-The-Fly Computing (GZ: SFB 901/3) under the project number 160364472.
public key of the issuer of the underlying credential. Even though this seems to be a natural property at
first glance, it turns out that this approach leads to a tradeoff between scalability and user privacy. As
an example, consider a state-wide electronic identity system with millions of users. In order to give users
the highest level of privacy, all citizens’ personal credentials need to be issued under the same public key.
In case of a compromise of the secret key, all previously issued keys need to be invalidated, potentially
requiring millions of certificates to be re-issued under a new key. Alternatively, different keys could be
used for groups of citizens, e.g., randomly, per time period, or per administrative region. However, as
the issuer’s public key is revealed upon presentation, this approach dramatically reduces the size of the
anonymity set of a specific user.
Furthermore, many scenarios would benefit from a dynamic and ad-hoc definition of a set of issuer
keys accepted by a verifier. For instance, universities may issue electronic student IDs to their students.
Depending on the concrete scenario, students may need to prove that they are enrolled at a specific uni-
versity (e.g., to enter the campus), or that they are enrolled at any university without needing to reveal
the university (e.g., to be granted an online student discount). Similarly, citizens may receive electronic
identities from their nation state, which they can then use to prove that they are eligible, e.g., for par-
ticipation in opinion polls in their country. However, they might want to use the same credential to also
prove that they are living in any country of a specific region (e.g., the European Union) for cross-country
citizen engagement processes which do not require to reveal the specific citizenship.
In vehicular ad-hoc networks (VANETs) [dFGSV17] or vehicle-to-infrastructure networks (V2I), such
a solution allows each car manufacturer to use their own secret keys (e.g., per model), while avoiding to
reveal unnecessary information (e.g., the model) when authenticating towards other parties.
Finally, Cloudflare recently announced a replacement of CAPTCHAs by cryptographic attestation of
personhood using, e.g., FIDO tokens.4The idea is that instead of solving a puzzle, users click a physical
button on an accepted hardware token, which responds to a cryptographic challenge. However, as pointed
out by Cloudflare, a user’s key “looks like all other keys in the batch”, meaning that the anonymity set of a
user shrinks to the number of devices in a batch. It would thus be desirable to dynamically add additional
batches to this anonymity set, without users needing to obtain new credentials for their existing devices.
Related work. Different mitigation strategies for these challenges exists. For instance, approaches for de-
centralizing the issuer have been proposed, e.g., by fully avoiding the need for a trusted issuer leveraging
public append-only ledgers [GGM14, YAXY18], or by deploying threshold cryptography to require mul-
tiple issuers to contribute to the credential issuance process [SAB+19, CDL+20, MBR+20]. While such
approaches reduce the risk of compromised issuer keys, they do not directly allow to dynamically adjust
the set of issuers among which a user should remain private.
Delegatable credentials [CL06,BCC+09,CL19,CDD17,BB18] offer an alternative solution, where users
can issue credentials derived from their own credentials to other users. All credentials eventually trace
back to a root authority’s public key, yet the verifier does not learn the precise issuer within the delegation
“tree”. While delegatable credentials are a valuable tool, e.g., for managing privileges within organizations,
they do not solve the issues addressed in this paper as they assume a single root authority, which will
typically not exist in the federated scenarios sketched above. They also do not allow for ad-hoc definitions
of accepted issuers. Furthermore, revocation of sub-issuers within the delegation tree is computationally
expensive, while it can be achieved for free in our construction.
Closely related to anonymous credentials, also in self-sovereign identity (SSI) systems multiple issuers
will participate. In such systems, e.g, [ATK18, AHOR19, KL16], users can join by presenting some form
4https://blog.cloudflare.com/introducing-cryptographic-attestation-of-personhood/
2
of credential to one or multiple verification nodes. In eSSIF5, which is the European Union’s attempt to
build a large scale SSI system, these credentials are issued by national authorities run by each member
state. If the credential is accepted by the nodes, they record their decision on a distributed ledger. Even
if these systems are not built from ABCs, they can be designed to mimic some of their functionalities.
Indeed, whenever the user wants to present attributes included in their credential to a service provider,
a presentation of some of the attributes can be computed with respect to the information stored on
the ledger. Due to the trust put into the distributed ledger and the verification nodes, it is thereby not
necessary to show the issuer public key to the verifier. Hence, this additional layer, i.e. the ledger and
verification nodes, provides some level of mitigation against identification attempts based on the issuer.
Yet, the issuer is known to the verification nodes responsible for the initial joining of the system. Especially
when the system is built from a public ledger, a service provider could also run such a node and therefore
information on the issuers could potentially be gathered. Also, the authenticity guarantees are no longer
end-to-end, but partially rely on the verification nodes and the consensus mechanism employed for the
distributed ledger.
Finally, in an independent and parallel work, Conolly et al. [CLP22] introduced the notion of signer
hiding, where similar to our notion the adversary cannot identify the issuer of a credential. This is achieved
by using structure-preserving signatures on equivalence classes (SPS-EQ), and not only considering equiv-
alence classes on the message and signature spaces, but also on the key space. Their construction is secure
in the standard model, assuming a common reference string (CRS). However, their construction requires
an explicit proof that the issuer’s key is among the set of keys accepted by the verifier, resulting in a proof
size linear in the number nof issuers; we will explain in the following how this is avoided in our approach.
Our Contributions. In this paper we address the discussed challenges by presenting an issuer-hiding
attribute-based credential system. That is, our system allows a user to hide the issuer of her credential
among a set of issuers. More specifically, the verifier may issue a policy defining the issuers he is willing to
accept for a certain presentation session, and the user may then prove that she indeed owns a credential
issued by one of those issuers.
Firstly, this approach allows a user to use her credential in various contexts, as described in the examples
above. Secondly, the revocation of issuers becomes efficient in the sense that credentials issued by a specific
issuer can be revoked by simply no longer including this issuer in the policy. Finally, additional issuers can
be added in a seamless fashion by adding them to the policy.
Overview of Our Approach. To explain the technicalities of our construction let us first solve the hiding
of public keys during authentication straightforwardly. As already mentioned, a user’s credential on at-
tributes m= [age, name, state, reputation] by issuer Ijis a signature cred on the message vector
mvalid under the issuer’s public key ipk j. To authenticate at a verifier Vkthe user Uproves validity
of cred under the public key ipk j. More formally, Usends a non-interactive proof NIZK[(x=ipk j, w =
{m, cred }) : Verify(ipkj,cred , m)]. Public common input to the NIZK is ipk j. The witness, hence private
input by the user are cred and m. The NIZK deals with the privacy of the witness, but ipk jis publicly
known. As a feature this lets verifiers interpret attributes and credentials with respect to the issuer, e.g.
reputation has potentially more weight if ipkjbelongs to a government agency. In other cases, this is a
detriment to user privacy, e.g. the attribute state certified in cred is never revealed by the user, nonetheless
the verifier may learn state implicitly by looking at ipkj.
An idea to hide ipkjin the above NIZK is to build a structure reminiscent of ring signatures. For
authentication, the user collects an appropriate set of issuer public keys PK :={ipk 1,...,ipk j,...,ipk n}.
5https://decentralized-id.com/government/europe/eSSIF/
3
Then we change the NIZK statement to NIZK[(x=PK , w ={ipkj, m, cred}) : n
i=1 Verify(ipki,cred , m)].
We solved our problem, the or-statement in the NIZK hides under which ipk the user’s credential is valid.
The downside is that naively the proof size and verification cost is now linear in n:=|PK |which limits
the practicability of this approach. Hence, the next essential step is to avoid the or-statement in the NIZK.
This can be achieved by letting the verifier sign the public keys of the accepted issuers, by computing
σj
$
Sign(vsk,ipk j) for all ipk jPK , where (vsk ,vpk ) is the verifier’s key pair. Instead of performing
an or-proof, the user can now show that she knows a signature, issued by the verifier, on the public
key of the issuer that issued the user’s credential. That is, the user can now send NIZK[(x=vpk , w =
(σ, ipk,cred , m) : Verify(ipk,cred , m)Verify(vpk , σ, ipk )], which is independent of the number of accepted
issuers, i.e., |PK |.
A remaining technicality is now that the same verifier may accept different issuers for different scenarios,
which is why every σjneeds to be bound to the specific scenario. Using ephemeral signature keys (vpk ,vsk )
in each presentation session would require linear computation for computing and verifying the signatures;
alternatively, a unique key pair per verifier could be used, and σj
$
(vsk,(ipk j,domain)) could be bound
to a specific application domain. We finally opted for a combination, where the verifier is still key-less, yet
signatures on public keys can be reused. This is done by letting the verifier define policies where a policy
consists of signatures on all ipk’s for a specific domain, but different signing keys are used for different
domains, and thus the respective signing keys can be discarded after publishing a policy.
We formalize the above intuition through a generic construction, for which we provide formal se-
curity proofs. We then give a concrete instantiation based on Groth’s structure preserving signature
scheme [Gro15]. To ease readability, our basic construction focuses on the core functionality of anony-
mous credential systems; however, we finally also discuss how to achieve advances functionalities including
non-frameability, revocation of credentials, and fine-granular linkability.
Outline. We briefly introduce notation and necessary background in Section 2. Then, in Section 3 we
present the syntax and security requirements for issuer-hiding ABCs, before giving our generic construction
and security proofs in Section 4. A concrete instantiation is presented in Section 5 and numerous possible
extensions are discussed in Section 6. We finally conclude in Section 7.
2 Preliminaries
We denote the main security parameter by λ. We write a$
Ato denote that ais the output of a potentially
randomized algorithm Aand v$
← S to denote that vis uniformly sampled at random from a set S. If not
explicitly stated otherwise, all algorithms are assumed to be polynomial-time (PPT).
2.1 Digital Signatures
A digital signature scheme consists of four algorithms:
pp $
Σ.ParGen(1λ) generates public parameters pp.
(sk,pk )$
Σ.KGen(pp) generates a secret key sk and a public key pk.
σ$
Σ.Sign(pp,sk , m) creates a signature σon message m.
bΣ.Verify(pp,pk, σ, m) verifies the signature.
Following Goldwasser et al [GMR88], we require a digital signature scheme to be existentially unforge-
able, meaning that no adversary can efficiently come up with a valid signature on a new message of the
adversary’s choice, even if it is given access to a signing oracle that may sign an arbitrary number of
messages chosen by the adversary:
4
ExpEUFCMA
Adv (λ)
pp $
Σ.ParGen(1λ)
(sk,pk)$
Σ.KGen(pp)
Q ← ∅
(m, σ)$
AdvOsign (pk)
return 0, if m∈ Q
return 1, if Σ.Verify(pp,pk, σ, m) = 1
return 0
where:
Osign(m):
σ$
Σ.Sign(pp,sk, m)
Q ← Q ∪ {m}
return σ
Exp. 1: EUF-CMA experiment for digital signatures.
Definition 1. A digital signature scheme is EUF-CMA secure if and only if for every PPT adversary
Adv there exists a negligible function negl such that:
Pr hExpEUFCMA
Adv (λ)=1inegl(λ),
where the experiment is as defined in Experiment 1.
Structure-preserving signatures. We recall the randomizable structure-preserving signature scheme by
Groth [Gro15]. While the scheme is able to sign matrices of group elements, we only require it to sign a
single group element. Similar to Camenisch et al. [CDD17], we consider the scheme in two variants: Groth1
signs elements of G1(and its public keys live in G2), and Groth2, which signs elements of G2(with public
keys in G1). We describe Groth1. The other scheme, Groth2, can be obtained easily by switching the roles
of G1and G2.
Groth1.ParGen(1λ) generates public parameters pp consisting of a bilinear group (G1,G2,GT, e, p, G, ˜
G)
of prime order pwith generators GG1,˜
GG2, and a random element Y$
G1.
Groth1.KGen(pp) generates a secret key sk sps =v$
Z
pand the corresponding public key pksps =˜
V=
˜
Gv.
Groth1.Sign(pp,sk sps, M ) chooses r$
Z
pand outputs the signature σ= ( ˜
R, S, T ) = ( ˜
Gr,(Y·Gv)1/r,(Yv·
M)1/r).
Groth1.Rand(pp, σ ) chooses r0$
Z
pand outputs σ0= ( ˜
R0, S0, T 0)=(˜
Rr, S1/r , T 1/r ).
Groth1.Verify(pp,pk sps , σ, M ) checks that e(S, ˜
R) = e(Y, ˜
G)·e(G, ˜
V) and e(T, ˜
R) = e(Y, ˜
V)·e(M, ˜
G).
This construction is EUF-CMA secure in the generic group model [Gro15].
2.2 Zero-Knowledge Proofs
A non-interactive zero-knowledge proof of knowledge (NIZK) allows a prover to generate a cryptographic
proof that he knows a secret witness wsuch that (x, w)∈ R for some binary relation Rand a public
statement x, without revealing any additional information about wthan what is already revealed by x.
We denote the language associated with Rby L.
Formally, a NIZK consists of three algorithms:
pp $
Π.ParGen(1λ) generates the public parameters pp.
π$
Π.Prove(pp, x, w, ctx) generates a non-interactive zero-knowledge proof of knowledge πof wsuch
that (x, w)∈ R bound to ctx.
bΠ.Verify(pp, x, ctx, π) verifies a proof π.
5
Expzeroknowledge
Adv (λ)
(pp, τ )$
Sim1(1λ)
b$
← {0,1}
b$
AdvOb(pp)
return 1, if b=b
return 0
where:
O0(x, w, ctx):
return π$
Π.Prove(pp, x, w, ctx), if (x, w)∈ R
return
O1(x, w, ctx):
return π$
Sim2(pp, τ , x, ctx), if (x, w)∈ R
return
Exp. 2: Zero-knowledge experiment for NIZKs.
ExpSimSoundExt
Adv (λ)
(pp, τ , ζ)$
Ext1(1λ)
Q← ∅
(x,ctx, π)$
AdvOSIM (pp)
w$
Ext2(pp, ζ , x,ctx, π)
return 1, if:
Π.Verify(pp, x,ctx, π ) = 1,
(x, w)/∈ R, and
(x,ctx)/Q
return 0
where:
OSIM(x, ctx):
π$
Sim2(pp, τ , x, ctx)
QQ∪ {(x, ctx)}
return π
Exp. 3: Simulation-sound extractability experiment for NIZKs.
Besides correctness, we will require zero-knowledge and simulation-sound extractability from all NIZKs.
Informally, the zero-knowledge property ensures that the receiver of a NIZK does not learn anything
beyond what is already revealed by the statement itself.
Definition 2. A non-interactive proof system Πsatisfies zero-knowledge for a relation R, if and only
if for every PPT adversary Adv there exists a PPT simulator Sim = (Sim1,Sim2)such that there exists
negligible functions negl1and negl2such that:
Pr hAdv(pp) = 1 : pp $
Π.ParGen(1λ)iPr hAdv(pp)=1:(pp, τ )$
Sim1(1λ)i
negl1(λ),
and
Pr hExpzeroknowledge
Adv (λ)=1i1
2
negl2(λ),
where the experiment is as defined in Experiment 2.
Intuitively, simulation-sound extractability requires that any adversary that can generate a valid proof
must also know a valid witness for this statement, even if it has previously seen arbitrarily many (simu-
lated) proofs of potentially false statements. Note that the original definition of Groth [Gro06], combining
simulation-soundness [Sah99] and proofs of knowledge [DP92], is stronger than ours in the sense that
the adversary also gets access to the extraction trapdoor; however, similar to previous work [ADK+13,
DHLW10, DKSS20] the following slightly weaker definition is sufficient for our purposes. Furthermore, the
inclusion of a context ctx essentially makes the NIZK a signature of knowledge [CL06].
Definition 3. A zero-knowledge non-interactive proof system Πsatisfies simulation-sound extractability
for a relation R, if and only if for every PPT adversary Adv there exists a PPT extractor Ext = (Ext1,Ext2)
such that there exists a negligible function negl such that:
Pr hAdv(pp, τ ) = 1 : (pp, τ )$
Sim1(1λ)iPr hAdv(pp, τ )=1:(pp, τ , ζ)$
Ext1(1λ)i
= 0 ,
6
and
Pr hExpSimSoundExt
Adv (λ)=1inegl(λ),
where the experiment is as defined in Experiment 3 and Sim = (Sim1,Sim2)is as in Definition 2.
For notational convenience, we use the following notation for NIZKs, initially introduced by Camenisch
and Stadler [CS97]. In this notation, a statement like
NIZK h(α, β, γ ) : y1=gα
1gβ
2y2=gα
1gγ
3αγi(ctx)
denotes a non-interactive zero-knowledge proof of knowledge, bound to the context ctx, of values α, β , γ
such that the relation on the right hand side is satisfied. We also omit the public proof parameters pp.
3 Framework for Issuer-Hiding ABCs
We next define the syntax for issuer-hiding attribute-based credential systems, and then formalize the
security properties required from such a system.
3.1 Syntax
An issuer-hiding ABC system is specified by eight algorithms. Initially, the parameters are generated by
ParGen. Having generated a key pair using IKGen, an issuer can then issue credentials on attributes to
a user by means of Issue; users can verify the received credential locally by VfCred in order to detect
malformed credentials. To define the set of accepted issuers, a verifier generates a policy using PresPolicy,
which can be checked for well-formedness using VfPolicy by everyone. Finally, holding a credential from an
issuer and a policy from the verifier, a user uses Present to derive a presentation token, which is verified
by Verify. The inputs and outputs of the algorithms are introduced in the following:
Parameter generation. The public parameters are generated as:
pp $
ParGen(1λ).
The public parameters are assumed to be implicit input to all algorithms presented in the following. We
assume pp in particular specifies the number Lof attributes that may be certified per credential, as well
as the attribute space A.
Key generation. Issuers compute their respective private and public keys as:
(isk,ipk )$
IKGen(pp).
Issuance. The issuer creates a credential cred on attributes ~aas follows:
cred $
Issue(isk, ~a).
For the sake of simplicity, this process is modeled as a non-interactive algorithm as opposed an interac-
tive protocol between the issuer and the user.We assume that both entities have previously set up their
respective keys, and that they agreed on attributes ~a= (~a1, . . . ,~aL) to be certified.
Credential verification. The validity of a credential can be checked as follows:
b$
VfCred(cred , ~a,ipk).
7
Presentation policies. Verifiers can define presentation policies defining sets of issuers they are willing to
accept for certain presentation sessions:
pol $
PresPolicy({ipki}).
Note that pol only defines the sets of issuers accepted by a verifier, but not, e.g., which attributes a verifier
needs to disclose. By this, pol can be reused for multiple contexts, reducing the number of policies.
Policy verification. Presentation policies can be checked for validity as follows:
bVfPolicy(pol,{ipk i}).
Presentation. For practical reasons, we only focus on non-interactive presentation protocols. Having agreed
on a presentation policy which has been verified by the user, she computes a presentation token:
pt $
Present(ipk,cred , φ, ~a,pol ,ctx).
The verifier then validates the token as:
bVerify(pt, φ, pol,ctx).
Here, φ:AL→ {0,1}is a predicate over the user’s attributes that needs to be satisfied in order to pass
verification, i.e., verification only passes if φ(~a) = 1. For instance, φmight require that some aiequals some
previously agreed value, corresponding to the disclosure of this attribute, or that ai[l, r] for some bounds
land r. Finally, the purpose of ctx is to define a context in which the presentation token is accepted, e.g.,
a session identifier or a random nonce to avoid replay attacks or similar.
Policies will typically be long-lived, and it thus not necessary for a user to verify the policy every time
before computing a presentation token. We thus do not consider these computational costs as part of the
verification algorithm.
3.2 Security Definitions
We next define necessary security properties for an issuer-hiding ABC system.
Correctness. We omit a formal definition here, as the requirements are what one would expect: if all parties
follow the protocol specifications during all phases, any presentation token computed by the user will be
accepted by the verifier.
Unforgeability. Unforgeability requires that it is infeasible for an adversary to generate a valid presentation
token, if it has not previously received a credential on attributes satisfying φfrom one of the accepted
issuers, or a presentation token for the same (ctx,φ,pol ).
In the following definition, note that while the challenge policy polmay only include honest issuers’
keys, the adversary may request presentation tokens for arbitrary sets of ipk’s from the presentation oracle
Opresent, covering the case of adversarial issuers.
Definition 4. An issuer-hiding ABC system satisfies unforgeability, if and only if for every PPT adver-
sary Adv and every number of issuers6nIthere exists a negligible function negl such that:
Pr hExpUnforgeability
Adv (λ, nI)=1inegl(λ),
where the experiment is as defined in Experiment 4.
6Parametrizing Experiment 4 by nIis for notational convenience only. Modifying the experiment and the proofs in the
remainder of this paper to support an arbitrary polynomial number of issuers is straightforward.
8
ExpUnforgeability
Adv (λ, nI)
pp $
ParGen(1λ)
Qissue ← ∅,Qpresent ← ∅,Qreveal ← ∅
(iski,ipki)$
IKGen(pp) for i= 1,...,nI
(I,st)$
AdvOissue,Opresent ,Oreveal (pp,{ipk i}nI
i=1)
pol$
PresPolicy(I)
(pt, φ,ctx)$
AdvOissue,Opresent ,Oreveal (st,pol)
return 1 if:
I⊆ {ipki}nI
i=1
Verify(pt,pol , φ,ctx) = 1
(pol, φ,ctx)/Qpresent
@(ij, ~aj)Qreveal such that φ(~aj) = 1 and ipk ijI
return 0
where:
Oissue(ij, ~aj)
cred j
$
Issue(iskij, ~aj)
add (ij, ~aj) to Qissue
Opresent(j, pol, φ, ctx)
add (pol, φ, ctx) to Qpresent
return pt $
Present(cred j,ipk ij, ~aj, φ, pol ,ctx)
Oreveal(j)
add (ij, ~aj) to Qreveal
return cred j
Exp. 4: Unforgeability experiment
ExpUnlinkability
Adv (λ)
b$
← {0,1}
pp $
ParGen(1λ)
({cred l, ~al, il}1
l=0,pol, φ, {ipki},ctx,st)$
Adv(pp)
pt$
Present({ipki},cred b, φ, ~ab,pol,ctx)
b$
Adv(pt,st)
return 1 if and only if:
b=b,
VfCred(cred l, ~al,ipk il) = 1 for l∈ {0,1},
φ(~al) = 1 for l∈ {0,1}, and
VfPolicy(pol,{ipk i}) = 1
return b0$
← {0,1}
Exp. 5: Unlinkability experiment
Unlinkability. Unlinkability requires that no two user actions can be linked by an adversary. This even
needs to hold if the adversary has full control over verifiers, issuers, and the user’s credential. In the
experiment (cf. Experiment 5), we thus let the adversary output two sets of credentials, attributes, and
respective issuers, as well as a presentation policy pol , a predicate φ, and the issuers’ public keys. Upon
receiving a presentation token derived from one of the two credentials, the adversary must not be able to
decide which underlying credential was used, as long as both credentials are valid and consistent with φ.
Definition 5. An issuer-hiding ABC system satisfies unlinkability, if and only if for every PPT adversary
Adv there exists a negligible function negl such that:
Pr hExpUnlinkability
Adv (λ)=1i1
2
negl(λ),
where the experiment is as defined in Experiment 5.
4 A Generic Construction
The following section describes a generic construction of issuer-hiding attribute-based credentials, and
gives a formal security analysis of its security.
9
ParGen(1λ).Return pp $
Σ.ParGen(1λ).
IKGen(pp).Return (isk ,ipk )$
ΣI.KGen(pp).
Issue(isk, ~a).Return cred $
ΣI.Sign(pp,isk , ~a).
VfCred(cred , ~a,ipk ).Return 1 if ΣI.Verify(pp ,ipk ,cred, ~a) = 1. Otherwise, return 0.
PresPolicy({ipki}).Generate a signature key pair (vsk,vpk )$
ΣV.KGen(pp) and compute the signature σi
$
ΣV.Sign(pp,vsk ,ipk i). Return
pol = (vpk,{(ipk i, σi)}).
VfPolicy(pol,{ipk i}).Parse pol as (vpk,{(ipk i, σi)}). Return 1 if and only if
ΣV.Verify(pp,vpk , σi,ipk i) = 1 for all i .
Otherwise, return 0.
Present(cred ,ipk , ~a, φ, pol ,ctx).Parse pol as (vpk,{(ipk i, σi)}). Set jsuch that ipkj=ipk. Return a presentation token pt as
follows:
pt $
NIZK[(σj,ipkj,cred , ~a) :ΣV.Verify(pp ,vpk , σj,ipkj) = 1
ΣI.Verify(pp,ipk j,cred, ~a) = 1 (1)
φ(~a) = 1](pol, φ, ctx)
Verify(pt,pol , φ).Return 1 if and only if pt verifies correctly. Otherwise, return 0.
Construction 1: Generic construction of issuer-hiding ABCs.
4.1 Construction
Let ΣI= (Σ.ParGen, ΣI.KGen, ΣI.Sign, ΣI.Verify) and ΣV= (Σ.ParGen, ΣV.KGen, ΣV.Sign, ΣV.Verify) be
digital signature schemes (cf. Section 2.1) with a common parameter generation algorithm.
Our generic construction is now depicted in Construction 1. We refer to Section 1 for a detailed
description of the intuition underlying this construction.
4.2 Security Analysis
Theorem 1. If ΣIand ΣVare EUF-CMA secure and the NIZK is zero-knowledge and simulation-sound
extractable, then Construction 1 is unforgeable.
Intuitively, the adversary has two potential ways of breaking unforgeability: (1) he can forge a ΣVsignature
on his own public key ipk0(that is not part of the challenge policy pol), or (2) he can forge a credential
by forging a ΣIsignature w.r.t. some honest issuer’s public key ipki.
Proof. Let Adv be a PPT adversary. We first modify the unforgeability game by simulating all NIZK pt
output by Opresent. Because the NIZK is zero-knowledge, this increases the winning probability by at most
a negligible amount. In the following, we argue that Adv’s winning probability in the modified game is
negligible.
In the (modified) unforgeability game, Adv outputs poland (pt , φ). If Adv wins, we can apply the
NIZK extractor to ptto extract a witness (σ, ipk,cred , ~a). Let extractfail be the event that Adv wins but
the extractor fails to output a valid witness. Let polforge be the event that Adv wins, the extractor does
not fail, and the extracted ipk is not any honest issuer’s public key, i.e. ipk /∈ {ipki}. Let credforge be the
10
event that Adv wins, the extractor does not fail, and the extracted ipk is one of the honest issuer’s public
keys, i.e. ipk ∈ {ipki}.
It holds that Pr[Adv wins] Pr[Adv wins∧¬extractfail]+Pr[extractfail] = Pr[polforge]+Pr[credforge]+
Pr[extractfail]. Because the NIZK is simulation-sound extractable, Pr[extractfail] is negligible. We now
show that both Pr[polforge] and Pr[credforge] are negligible, which will conclude this proof.
Type 1 adversaries. We construct an adversary Bagainst ΣV’s EUF-CMA security.
Bgets pp,pk as input and access to a signing oracle Osign .
Bgenerates (iski,ipk i)$
IKGen(pp) for i= 1, . . . , nIand runs (I,st )$
AdvOissue,Opresent ,Oreveal (pp,{ipki}nI
i=1).
It answers oracle queries honestly using {iski}.
Bqueries Osign for signatures σion ipkiI. It sets pol= (pk,{(ipki, σi)}) and runs (pt, φ,ctx)$
AdvOissue,Opresent ,Oreveal (st,pol).
If Adv’s winning condition is not fulfilled, Baborts.
Otherwise, Bextracts a witness (σ, ipk,cred , ~a) from pt.
If ipk /∈ {ipki},B, it outputs (ipk, σ) as a forgery.
By construction, Pr[Bwins] = Pr[polforge] (note that if polforge occurs, Bhas not queried for a
signature on ipk). Because ΣVis EUF-CMA secure, Pr[polforge] is negligible.
Type 2 adversaries. We construct an adversary Bagainst ΣI’s EUF-CMA security.
Bgets pp,pk as input and access to a signing oracle Osign .
Bchooses a random k$
← {1, . . . , nI}.
Bsets ipkk=pk and generates (isk i,ipk i)$
IKGen(pp) for i∈ {1, . . . , nI} \ {k}. It runs (I,st )$
AdvOissue,Opresent ,Oreveal (pp,{ipki}nI
i=1).
It answers Oissue(ij, ~aj) by adding (ij, ~aj) to Qissue (but not generating a credential).
It answers Opresent(j, pol, φ, ctx) by creating a simulated NIZK pt (unless φ(~aj) = 0).
It answers Oreveal(j) with cred jas follows: if ij=k, it queries credj
$
← Osign(~aj). Otherwise, it
computes cred j
$
ΣI.Sign(pp,isk ij, ~aj). Repeat reveal queries for jare answered with the same
value credjevery time.
Bgenerates pol$
PresPolicy(I). Afterwards, it runs (pt, φ,ctx)$
AdvOissue,Opresent ,Oreveal (st,pol).
Banswers oracle queries as above.
If Adv’s winning condition is not fulfilled, Baborts.
Otherwise, Bextracts a witness (σ, ipk,cred , ~a) from pt.
If ipk =pk,Boutputs (~a, σ) as a forgery.
Note that the way Banswers oracle queries is consistent with the way the (modified) unforgeability
experiment does so.
If credforge ipk =pk , then (~a, σ) is a valid forgery. σis a valid signature on ~aby guarantee of the
NIZK extractor. Furthermore, Bhas not queried for a signature on ~a(because φ(~a) = 1 by guarantee of
the extractor, but the winning condition guarantees that φ(~a0) = 0 for all signatures revealed through
Oreveal). Hence Pr[Bwins] Pr[credforge ipk =pk ] = 1
nI·Pr[credforge]. Because ΣIis EUF-CMA secure,
Pr[credforge] is negligible. ut
Theorem 2. If NIZK is zero-knowledge, then Construction 1 is unlinkable.
Proof. Because the property follows almost immediately from the zero-knowledge property, we omit a full
proof. Note that the unlinkability experiment ensures that the witnesses used when computing ptare
valid for both b= 0 and b= 1 (for cases where the adversary does not output valid values, the experiment
ends up outputting a random bit, not providing any advantage to the adversary). This means that the
unlinkability experiment is computationally indistinguishable from one where ptis created by the NIZK
simulator. In the latter, the view of Adv is independent of b.ut
11
5 Concrete Instantiation
One possible instantiation of Construction 1 in Section 4 is with Groth’s structure-preserving signatures
(Section 2.1). This instantiation is inspired by delegatable credentials [CDD17] where the issue of proving
knowledge of a hidden signature on the hidden public key of another hidden signature also comes up
(though in a different scenario).
Concretely, in this instantiation, the issuer signs attributes using hash-then-sign with the Pedersen
hash H(~a) = QL
i=1 Hai
iand the structure-preserving signature scheme Groth1. The verifier signs valid
issuer public keys using Groth2. A presentation token is a Schnorr-style proof of knowledge [Sch91] turned
non-interactive using the Fiat-Shamir heuristic [FS87] which gives us a simulation-sound extractable NIZK.
We assume that the statement and public values are included in the computation of the challenge in order
to avoid malleability issues [BPW12].
With these choices, the scheme works as specified in Construction 2.
5.1 Security Analysis
Theorem 3. If Groth1and Groth2are EUF-CMA secure and the NIZK is zero-knowledge and simulation-
sound extractable, then the concrete instantiation in Construction 2 is unforgeable and unlinkable.
Unforgeability and unlinkability follow from the generic construction’s unforgeability and unlinkability,
which we’re instantiating.
If Groth1is EUF-CMA secure, then also the hash-then-sign version of it (which is what we are effectively
using in the concrete construction) is EUF-CMA secure (under the discrete logarithm assumption, which
is implied by security of Groth1, the hash function His collision-resistant). It remains to argue that Present
is a good instantiation of the NIZK specified in the generic construction.
For the zero-knowledge property, pt = (( ˜
R, S0, T 0),ipk0
j,(Rj,˜
Sj,˜
T0
j), π) can be simulated by choosing
random S0, T 0,ipk 0
j
$
G1and ˜
R, ˜
T0
j
$
G2, setting (Rj,˜
Sj)=(Rr
1,˜
S1/r
1) for random r$
Z
p(where
(R1,˜
S1,·) = ipk1), and then simulating a corresponding πusing the NIZK simulator.
For the proof of knowledge property, note that from πone can extract α, β, γ, δ, ~awith properties that
guarantee that cred := ( ˜
R, (S0)α,(T0)β) is a valid Groth1signature on H(~a) under ipk j:= (ipk 0
j)γand that
σj:= (Rj,˜
Sj,(˜
T0
j)δ) is a valid Groth2signature on ipkjunder vpk , and that φ(~a) = 1. This means that we
can extract a valid witness σj,ipkj,cred, ~afrom pt, as required.
5.2 Performance Evaluation
To practically evaluate our construction, we have implemented7a benchmarking prototype of Construc-
tion 2 using the Cryptimeleon library [BEHF21]. The results are shown in Table 1. For credentials, we are
considering L= 10 random attributes, none of which are disclosed during presentation (which is the most
expensive case of partial attribute disclosure). The policy consists of 10 or 100 valid issuers. This does not
affect token verification, which is independent of policy size. Overall, performance is practical, especially
given that VfPolicy only has to be run once for each new policy and can be delegated to a trusted party.
The sizes of all keys and tokens can be found in Table 2.
7Code available at https://github.com/cryptimeleon/issuer-hiding-cred.
12
ParGen(1λ).For e:G1×G2GTas in Groth1.ParGen, choose Y, Hi
$
G1and ˜
Y$
G2. Define the hash function
H:ZL
pG1,H(~a) = QL
i=1 Hai
i. Return pp = (G1,G2,GT, e, p, G, ˜
G, Y, ˜
Y , (Hi)L
i=1).
IKGen(pp).Generate a Groth1key pair (isk,ipk) = (v, ˜
V)$
Groth1.KGen(pp).
Issue(isk, ~a).Return cred = ( ˜
R, S, T )$
Groth1.Sign(pp, v , H(~a)).
VfCred(cred , ~a,ipk ).Return whatever Groth1.Verify(pp,˜
V , cred, H (~a)) returns.
PresPolicy({ipki}).Generate (vsk,vpk) = (u, U)$
Groth2.KGen(pp) and σi= (Ri,˜
Si,˜
Ti)$
Groth2.Sign(pp, u, ipk i). Return
pol = (U, {(ipki, σi)}).
VfPolicy(pol,{ipk i}).Parse pol as (vpk,{(ipk i, σi)}). Return 1 if Groth2.Verify(pp,vpk, σi,ipki) = 1 for all i. Otherwise, return
0.
Present(cred ,ipk , ~a, φ, pol ,ctx).Parse pol as (vpk,{(ipk i, σi)}). Let jbe the index of the credential’s issuer’s public key, i.e.,
ipkj=ipk. Randomize cred and σjas
(˜
R, S, T )$
Groth1.Rand(pp,cred) and (Rj,˜
Sj,˜
Tj)$
Groth2.Rand(pp, σj).
Choose random blinding values α, β, γ, δ $
Z
pand compute
the blinded credential ( ˜
R, S0, T 0) := ( ˜
R, S1 , T 1) on H(~a) under the issuer’s key ipkj
the issuer’s blinded key ipk0
j:= ipk1
j
the blinded policy signature (Rj,˜
Sj,˜
T0
j) := (Rj,˜
Sj,˜
T1
j) on Vjunder the verifier’s public key vpk
Compute a Schnorr-style proof π:
π$
NIZK[(α, β, γ ,δ,~a) :
Groth1credential check: e(S0,˜
R)α=e(Y, ˜
G)·e(G, ipk0
j)γ
Groth1credential check: e(T0,˜
R)β=e(Y, ipk 0
j)γ·e(
L
Y
i=1
Hai
i,˜
G)
Groth2policy check: e(Rj,˜
Sj) = e(G, ˜
Y)·e(vpk,˜
G)
Groth2policy check: e(Rj,˜
T0
j)δ=e(vpk,˜
Y)·e(G, ipk0
j)γ
Attribute check: φ(~a) = 1](pol, φ, ctx)
Finally, return pt = (( ˜
R, S0, T 0),ipk 0
j,(Rj,˜
Sj,˜
T0
j), π).
Verify(pt,pol , φ).Return 1 if and only if pt verifies correctly. Otherwise, return 0.
Construction 2: Concrete instantiation of our generic construction.
Table 1: Performance of Construction 2 on a Macbook Pro (i9-9980HK) with BN254 as the bilinear group.
Other columns show the (device-independent) number of group operations (multiply and square operations,
including those happening within exponentiations) and pairings performed.
Runtime G1G2GTPairings
PresPolicy (10 issuers) 14 ms 3 027 11 448 0 100
PresPolicy (100 issuers) 115 ms 27 666 115 430 0 0
VfPolicy (10 issuers) 3 ms 0 0 20 60
VfPolicy (100 issuers) 27 ms 0 0 200 600
Issue 2 ms 1 684 278 0 0
Present 4 ms 3 327 1 206 4 7
Verify 3 ms 2 398 0 901 12
13
Table 2: Number of group elements for the different keys and tokens in Construction 2, where Iis the
number of issuer keys accepted by a verifier, and Lis the number of attributes certified in the credential.
G1G2GTZp
Issuer secret key (isk) - - - 1
Issuer public key (ipk) - 1 - -
Credential (cred ) 2 1 - -
Presentation policy (pol)I+ 1 3I- -
Presentation token (pt) 3 4 - L+ 5
6 Extensions
To simplify presentation, our main construction only focuses on the key functionality of an issuer-hiding
ABC system. In the following, we discuss in detail how to achieve non-frameability and anonymity revo-
cation, controlled linkability and pseudonyms, and credential revocation. Further extensions like updating
of credentials [BBDE19] or advanced predicates over attributes [BBB+18,Lip03] are omitted here because
of space limitations.
Anonymity revocation and non-frameability. While ABCs are important to protect the users’ privacy and
related fundamental rights, the high anonymity guarantees may lead to misuse of credentials and associated
rights. In order to prevent such misuse, anonymity revocation (or inspection) is an important advanced
functionality. Anonymity revocation allows a predefined opener (or inspector) to identify the originator
of a given presentation token pt [CL01, Cam13]. Closely related to this is the notion of non-frameability,
which guarantees that even if issuers and the opener collude, it is infeasible for them to convince any third
party that a specific user computed a given pt unless she indeed did so. This notion is closely related to
non-frameability for group signatures [CP95,BCC+16, KSS19].
This feature is achieved by letting the user generate a secret private key (upk,usk)$
UKGen(pp),
and the opener a key pair (opk,osk )$
Γ.KGen(pp) for an encryption scheme Γ. Upon issuance, the
user would now embed upk as an additional attribute which is signed by the issuer. When computing a
presentation token, the user would treat upk as an undisclosed attribute, yet still prove that she knows the
corresponding usk . Furthermore, she would encrypt upk under the opener’s key as enc $
Γ.Enc(upk ,opk ),
and prove that enc contains the same upk which is also certified in the credential.
More formally, the basic presentation token would then be extended as follows (changes to Eq. (1) are
highlighted):
pt $
NIZK[(σj,ipkj,cred , ~a,upk ,usk , r ) : ΣV.Verify(pp,vpk, σj,ipkj)=1
ΣI.Verify(pp,ipk j,cred,(~a,upk )) = 1 VfUKey(upk ,usk )=1
enc =Γ.Enc(upk ,opk ;r)φ(~a) = 1](pol, φ, ctx)
where VfUKey(upk ,usk ) = 1 if and only if usk is the corresponding secret key for upk, and rdenotes
the random coins used for encryption. To inspect, the opener can now decrypt enc and prove that the
decryption was performed correctly.
As a concrete instantiation compatible with our generic construction, the user’s key pair could be
(upk,usk ):= (gx, x), and the corresponding encryption scheme could be ElGamal encryption [ElG85].
Controlled linkability. In the case of stateful applications, for instance, users may wish to be recognized
yet not identified by a verifier. This can be achieved by using scope-exclusive pseudonyms [CKL+16], in
14
which pseudonyms can be linked within a given scope, but not across different scopes. For a pseudonym
system Ψwith user secret key usk, the users’ public key would be upk Ψ.Gen(usk , ε), which similar to
before is embedded into the credential. For a given scope sc, the user now shares nym =Ψ.Gen(usk ,sc)
with the verifier, and proves that this is consistent with the (undisclosed) upk .
The presentation token would now be computed as follows:
pt $
NIZK[(σj,ipkj,cred , ~a,upk ,usk ) : ΣV.Verify(pp,vpk, σj,ipk j)=1
ΣI.Verify(pp,ipk j,cred,(~a,upk )) = 1 upk =Ψ.Gen(usk, ε)
nym =Ψ.Gen(usk ,sc)φ(~a) = 1](pol, φ, ctx,sc,nym )
A possible instantiation compatible with our construction is based on the pseudonym system by Ca-
menisch et al. [CKL+16], where a pseudonym for a scope is computed as nym :=H(sc)usk for a random
oracle H.
Revocation. In case of misuse, loss of privileges, or compromise of a credential, it may become necessary
to invalidate an issued credential. Many approaches for revocation of anonymous credentials can be found
in the literature. In the following we show how to incorporate an approach along the lines of Nakanishi et
al. [NFHF09] into our solution. Their work follows a black-listing approach, where each credential contains
a revocation handle rh which is never disclosed upon presentation. The revocation authority, holding a
signature key pair (rpk,rsk), issues intervals [ai, bi] of currently still valid revocation handles, together
with signatures αi
$
ΣR.Sign(pp,rsk , ai) and βi
$
ΣR.Sign(pp,rsk , bi). When computing a presentation
token, the user now proves that the revocation handle embedded in her credential lies in some interval
[ai, bi] for which she knows corresponding signatures αiand βi. However, it may be the case that multiple
revocation authorities, e.g., one per issuer, exist in our setting. We thus not only embed the rh but also
the revocation authority’s public key rpk as attributes in our credentials, and the user shows that the
known signatures on the interval boundaries verify under this (undisclosed) signature key.
More formally, a presentation token would now be derived as follows:
pt $
NIZK[(σj,ipkj,cred , ~a,rpk ,rh , α, β, a, b ) : ΣV.Verify(pp,vpk , σj,ipkj)=1
ΣI.Verify(pp,ipk j,cred,(~a,rh ,rpk )) = 1
ΣR.Verify(pp,rpk , α, a) = 1 ΣR.Verify(pp,rpk , β, b) = 1
rh [a, b]φ(~a) = 1](pol, φ, ctx)
7 Conclusion & Future Work
We introduced the notion of issuer-hiding anonymous credential system, which allows for a dynamic and ad-
hoc definition of sets of issuers among whose credentials a user may stay anonymous during presentation—
a feature with various application domains, ranging from student identities over national eIDs to remote
attestation. We provided a generic construction where the communication and computational complexity
during presentation is independent of the number of issuers, as well as an efficient instantiation.
Nevertheless, we identified some open research questions. While our construction requires a minor joint
setup across different issuers to define some group generators and the number of attributes L, in real appli-
cations, e.g., different nation states may wish to include different numbers of attributes in their credentials,
vary the order of attributes, or use alternative generators for security reasons. It would be interesting to
15
see whether this can be achieved more efficiently than via the generic or-composition discussed in Sec-
tion 1. Also, the size of verifier policies is currently linear in the number of accepted issuers. One approach
to overcome this limitation could be to add the accepted public keys to an accumulator, for which users,
knowing all accumulated values, could compute the witnesses themselves, resulting in constant-size policies
if the ipk’s are assumed to be known. Instead of proving knowledge of a signature from the verifier, users
would now prove that they know a witness for the public key that issued the credential. However, we are
not aware of any accumulator and compatible signature scheme allowing for an efficient instantiation.
References
ADK+13. Masayuki Abe, Bernardo David, Markulf Kohlweiss, Ryo Nishimaki, and Miyako Ohkubo. Tagged one-time
signatures: Tight security and optimal tag size. In Kaoru Kurosawa and Goichiro Hanaoka, editors, PKC 2013:
16th International Conference on Theory and Practice of Public Key Cryptography, volume 7778 of Lecture Notes
in Computer Science, pages 312–331. Springer, Heidelberg, February / March 2013. 6
AHOR19. Andreas Abraham, Felix H¨orandner, Olamide Omolola, and Sebastian Ramacher. Privacy-preserving eID deriva-
tion for self-sovereign identity systems. In Jianying Zhou, Xiapu Luo, Qingni Shen, and Zhen Xu, editors, ICICS
19: 21st International Conference on Information and Communication Security, volume 11999 of Lecture Notes
in Computer Science, pages 307–323. Springer, Heidelberg, December 2019. 2
ATK18. Andreas Abraham, Kevin Theuermann, and Emanuel Kirchengast. Qualified eid derivation into a distributed
ledger based idm system. In TrustCom/BigDataSE, pages 1406–1412. IEEE, 2018. 2
BB18. Johannes Bl¨omer and Jan Bobolz. Delegatable attribute-based anonymous credentials from dynamically malleable
signatures. In Bart Preneel and Frederik Vercauteren, editors, ACNS 18: 16th International Conference on Applied
Cryptography and Network Security, volume 10892 of Lecture Notes in Computer Science, pages 221–239. Springer,
Heidelberg, July 2018. 1,2
BBB+18. Kai Bemmann, Johannes Bl¨omer, Jan Bobolz, Henrik Br¨ocher, Denis Diemert, Fabian Eidens, Lukas Eilers, Jan
Haltermann, Jakob Juhnke, Burhan Otour, Laurens Porzenheim, Simon Pukrop, Erik Schilling, Michael Schlichtig,
and Marcel Stienemeier. Fully-featured anonymous credentials with reputation system. In ARES, pages 42:1–
42:10. ACM, 2018. 14
BBDE19. Johannes Bl¨omer, Jan Bobolz, Denis Diemert, and Fabian Eidens. Updatable anonymous credentials and applica-
tions to incentive systems. In Lorenzo Cavallaro, Johannes Kinder, XiaoFeng Wang, and Jonathan Katz, editors,
ACM CCS 2019: 26th Conference on Computer and Communications Security, pages 1671–1685. ACM Press,
November 2019. 1,14
BCC+09. Mira Belenkiy, Jan Camenisch, Melissa Chase, Markulf Kohlweiss, Anna Lysyanskaya, and Hovav Shacham.
Randomizable proofs and delegatable anonymous credentials. In Shai Halevi, editor, Advances in Cryptology –
CRYPTO 2009, volume 5677 of Lecture Notes in Computer Science, pages 108–125. Springer, Heidelberg, August
2009. 2
BCC+16. Jonathan Bootle, Andrea Cerulli, Pyrros Chaidos, Essam Ghadafi, and Jens Groth. Foundations of fully dynamic
group signatures. In Mark Manulis, Ahmad-Reza Sadeghi, and Steve Schneider, editors, ACNS 16: 14th Inter-
national Conference on Applied Cryptography and Network Security, volume 9696 of Lecture Notes in Computer
Science, pages 117–136. Springer, Heidelberg, June 2016. 14
BEHF21. Jan Bobolz, Fabian Eidens, Raphael Heitjohann, and Jeremy Fell. Cryptimeleon: A library for fast prototyping
of privacy-preserving cryptographic schemes. IACR ePrint, 2021. 12
BPW12. David Bernhard, Olivier Pereira, and Bogdan Warinschi. How not to prove yourself: Pitfalls of the Fiat-Shamir
heuristic and applications to Helios. In Xiaoyun Wang and Kazue Sako, editors, Advances in Cryptology –
ASIACRYPT 2012, volume 7658 of Lecture Notes in Computer Science, pages 626–643. Springer, Heidelberg,
December 2012. 12
Bra99. Stefan Brands. Rethinking Public Key Infrastructure and Digital Certificates – Buildingin Privacy. PhD thesis,
Eindhoven Institute of Technology, 1999. 1
Cam13. Jan Camenisch. Concepts around privacy-preserving attribute-based credentials - making authentication with
anonymous credentials practical. In Privacy and Identity Management, volume 421 of IFIP Advances in Informa-
tion and Communication Technology, pages 53–63. Springer, 2013. 14
CDD17. Jan Camenisch, Manu Drijvers, and Maria Dubovitskaya. Practical UC-secure delegatable credentials with at-
tributes and their application to blockchain. In Bhavani M. Thuraisingham, David Evans, Tal Malkin, and Dongyan
Xu, editors, ACM CCS 2017: 24th Conference on Computer and Communications Security, pages 683–699. ACM
Press, October / November 2017. 2,5,12
16
CDHK15. Jan Camenisch, Maria Dubovitskaya, Kristiyan Haralambiev, and Markulf Kohlweiss. Composable and modular
anonymous credentials: Definitions and practical constructions. In Tetsu Iwata and Jung Hee Cheon, editors,
Advances in Cryptology – ASIACRYPT 2015, Part II, volume 9453 of Lecture Notes in Computer Science, pages
262–288. Springer, Heidelberg, November / December 2015. 1
CDL+20. Jan Camenisch, Manu Drijvers, Anja Lehmann, Gregory Neven, and Patrick Towa. Short threshold dynamic
group signatures. In Clemente Galdi and Vladimir Kolesnikov, editors, SCN 20: 12th International Conference
on Security in Communication Networks, volume 12238 of Lecture Notes in Computer Science, pages 401–423.
Springer, Heidelberg, September 2020. 2
Cha81. David Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM, 24(2):84–
88, 1981. 1
Cha85. David Chaum. Security without identification: Transaction systems to make big brother obsolete. Commun.
ACM, 28(10):1030–1044, 1985. 1
CKL+16. Jan Camenisch, Stephan Krenn, Anja Lehmann, Gert Læssøe Mikkelsen, Gregory Neven, and Michael Østergaard
Pedersen. Formal treatment of privacy-enhancing credential systems. In Orr Dunkelman and Liam Keliher, editors,
SAC 2015: 22nd Annual International Workshop on Selected Areas in Cryptography, volume 9566 of Lecture Notes
in Computer Science, pages 3–24. Springer, Heidelberg, August 2016. 1,14,15
CL01. Jan Camenisch and Anna Lysyanskaya. An efficient system for non-transferable anonymous credentials with
optional anonymity revocation. In Birgit Pfitzmann, editor, Advances in Cryptology – EUROCRYPT 2001, volume
2045 of Lecture Notes in Computer Science, pages 93–118. Springer, Heidelberg, May 2001. 1,14
CL03. Jan Camenisch and Anna Lysyanskaya. A signature scheme with efficient protocols. In Stelvio Cimato, Clemente
Galdi, and Giuseppe Persiano, editors, SCN 02: 3rd International Conference on Security in Communication
Networks, volume 2576 of Lecture Notes in Computer Science, pages 268–289. Springer, Heidelberg, September
2003. 1
CL04. Jan Camenisch and Anna Lysyanskaya. Signature schemes and anonymous credentials from bilinear maps. In
Matthew Franklin, editor, Advances in Cryptology – CRYPTO 2004, volume 3152 of Lecture Notes in Computer
Science, pages 56–72. Springer, Heidelberg, August 2004. 1
CL06. Melissa Chase and Anna Lysyanskaya. On signatures of knowledge. In Cynthia Dwork, editor, Advances in Cryp-
tology – CRYPTO 2006, volume 4117 of Lecture Notes in Computer Science, pages 78–96. Springer, Heidelberg,
August 2006. 2,6
CL19. Elizabeth C. Crites and Anna Lysyanskaya. Delegatable anonymous credentials from mercurial signatures. In
Mitsuru Matsui, editor, Topics in Cryptology – CT-RSA 2019, volume 11405 of Lecture Notes in Computer Science,
pages 535–555. Springer, Heidelberg, March 2019. 1,2
CLNR14. Jan Camenisch, Anja Lehmann, Gregory Neven, and Alfredo Rial. Privacy-preserving auditing for attribute-based
credentials. In Miroslaw Kutylowski and Jaideep Vaidya, editors, ESORICS 2014: 19th European Symposium on
Research in Computer Security, Part II, volume 8713 of Lecture Notes in Computer Science, pages 109–127.
Springer, Heidelberg, September 2014. 1
CLP22. Aisling Connolly, Pascal Lafourcade, and Octavio Perez Kempner. Improved constructions of anonymous cre-
dentials from structure-preserving signatures on equivalence classes. In Public-Key Cryptography - PKC 2022,
Lecture Notes in Computer Science. Springer, 2022. (to appear). 3
CP95. Lidong Chen and Torben Pryds Pedersen. New group signature schemes (extended abstract). In Alfredo De
Santis, editor, Advances in Cryptology – EUROCRYPT’94, volume 950 of Lecture Notes in Computer Science,
pages 171–181. Springer, Heidelberg, May 1995. 14
CS97. Jan Camenisch and Markus Stadler. Efficient group signature schemes for large groups (extended abstract). In
Burton S. Kaliski Jr., editor, Advances in Cryptology – CRYPTO’97, volume 1294 of Lecture Notes in Computer
Science, pages 410–424. Springer, Heidelberg, August 1997. 7
CV02. Jan Camenisch and Els Van Herreweghen. Design and implementation of the idemix anonymous credential
system. In Vijayalakshmi Atluri, editor, ACM CCS 2002: 9th Conference on Computer and Communications
Security, pages 21–30. ACM Press, November 2002. 1
dFGSV17. Jos´e Mar´ıa de Fuentes, Lorena Gonz´alez-Manzano, Jetzabel Serna-Olvera, and Fatbardh Veseli. Assessment of
attribute-based credentials for privacy-preserving road traffic services in smart cities. Pers. Ubiquitous Comput.,
21(5):869–891, 2017. 2
DHLW10. Yevgeniy Dodis, Kristiyan Haralambiev, Adriana L´opez-Alt, and Daniel Wichs. Efficient public-key cryptography
in the presence of key leakage. In Masayuki Abe, editor, Advances in Cryptology – ASIACRYPT 2010, volume
6477 of Lecture Notes in Computer Science, pages 613–631. Springer, Heidelberg, December 2010. 6
DKSS20. David Derler, Stephan Krenn, Kai Samelin, and Daniel Slamanig. Fully collision-resistant chameleon-hashes from
simpler and post-quantum assumptions. In Clemente Galdi and Vladimir Kolesnikov, editors, SCN 20: 12th
International Conference on Security in Communication Networks, volume 12238 of Lecture Notes in Computer
Science, pages 427–447. Springer, Heidelberg, September 2020. 6
17
DP92. Alfredo De Santis and Giuseppe Persiano. Zero-knowledge proofs of knowledge without interaction (extended
abstract). In 33rd Annual Symposium on Foundations of Computer Science, pages 427–436. IEEE Computer
Society Press, October 1992. 6
ElG85. Taher ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans-
actions on Information Theory, 31:469–472, 1985. 14
FS87. Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identification and signature problems.
In Andrew M. Odlyzko, editor, Advances in Cryptology – CRYPTO’86, volume 263 of Lecture Notes in Computer
Science, pages 186–194. Springer, Heidelberg, August 1987. 12
GGM14. Christina Garman, Matthew Green, and Ian Miers. Decentralized anonymous credentials. In ISOC Network and
Distributed System Security Symposium – NDSS 2014. The Internet Society, February 2014. 2
GMR88. Shafi Goldwasser, Silvio Micali, and Ronald L. Rivest. A digital signature scheme secure against adaptive chosen-
message attacks. SIAM Journal on Computing, 17(2):281–308, April 1988. 4
Gro06. Jens Groth. Simulation-sound NIZK proofs for a practical language and constant size group signatures. In Xuejia
Lai and Kefei Chen, editors, Advances in Cryptology – ASIACRYPT 2006, volume 4284 of Lecture Notes in
Computer Science, pages 444–459. Springer, Heidelberg, December 2006. 6
Gro15. Jens Groth. Efficient fully structure-preserving signatures for large messages. In Tetsu Iwata and Jung Hee Cheon,
editors, Advances in Cryptology – ASIACRYPT 2015, Part I, volume 9452 of Lecture Notes in Computer Science,
pages 239–259. Springer, Heidelberg, November / December 2015. 4,5
HK19. Ulrich Hab¨ock and Stephan Krenn. Breaking and fixing anonymous credentials for the cloud. In Yi Mu, Robert H.
Deng, and Xinyi Huang, editors, CANS 19: 18th International Conference on Cryptology and Network Security,
volume 11829 of Lecture Notes in Computer Science, pages 249–269. Springer, Heidelberg, October 2019. 1
KL16. Dmitry Khovratovich and Jason Law. Sovrin: digitial signatures in the blockchain area, 2016. 2
KSS19. Stephan Krenn, Kai Samelin, and Christoph Striecks. Practical group-signatures with privacy-friendly openings.
In ARES, pages 10:1–10:10. ACM, 2019. 14
Lip03. Helger Lipmaa. On diophantine complexity and statistical zero-knowledge arguments. In Chi-Sung Laih, editor,
Advances in Cryptology – ASIACRYPT 2003, volume 2894 of Lecture Notes in Computer Science, pages 398–415.
Springer, Heidelberg, November / December 2003. 14
MBR+20. Rafael Torres Moreno, Jorge Bernal Bernab´e, Jes´us Garc´ıa Rodr´ıguez, Tore Kasper Frederiksen, Michael
Stausholm, Noelia Mart´ınez, Evangelos Sakkopoulos, Nuno Ponte, and Antonio F. Skarmeta. The OLYMPUS
architecture - oblivious identity management for private user-friendly services. Sensors, 20(3):945, 2020. 2
NFHF09. Toru Nakanishi, Hiroki Fujii, Yuta Hira, and Nobuo Funabiki. Revocable group signature schemes with constant
costs for signing and verifying. In Stanislaw Jarecki and Gene Tsudik, editors, PKC 2009: 12th International
Conference on Theory and Practice of Public Key Cryptography, volume 5443 of Lecture Notes in Computer
Science, pages 463–480. Springer, Heidelberg, March 2009. 15
PZ13. Christian Paquin and Greg Zaverucha. U-prove cryptographic specification v1.1 (revision2). Technical report,
Microsoft Corporation, April 2013. 1
RVH17. Sietse Ringers, Eric R. Verheul, and Jaap-Henk Hoepman. An efficient self-blindable attribute-based credential
scheme. In Aggelos Kiayias, editor, FC 2017: 21st International Conference on Financial Cryptography and Data
Security, volume 10322 of Lecture Notes in Computer Science, pages 3–20. Springer, Heidelberg, April 2017. 1
SAB+19. Alberto Sonnino, Mustafa Al-Bassam, Shehar Bano, Sarah Meiklejohn, and George Danezis. Coconut: Threshold
issuance selective disclosure credentials with applications to distributed ledgers. In ISOC Network and Distributed
System Security Symposium – NDSS 2019. The Internet Society, February 2019. 2
Sah99. Amit Sahai. Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. In 40th
Annual Symposium on Foundations of Computer Science, pages 543–553. IEEE Computer Society Press, October
1999. 6
Sch91. Claus-Peter Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4(3):161–174, January
1991. 12
YAXY18. Rupeng Yang, Man Ho Au, Qiuliang Xu, and Zuoxia Yu. Decentralized blacklistable anonymous credentials with
reputation. In Willy Susilo and Guomin Yang, editors, ACISP 18: 23rd Australasian Conference on Information
Security and Privacy, volume 10946 of Lecture Notes in Computer Science, pages 720–738. Springer, Heidelberg,
July 2018. 2
18
Technical Report
Full-text available
This is the third and last of a sequence of three research and development roadmaps of the CyberSec4Europe project. The goal of this roadmap is to identify major research challenges in the verticals of the project, and to explain what is at stake and what can go wrong if problems are left unsolved. The verticals studied are: (i) Open Banking, (ii) Supply Chain Security Assurance, (iii) Privacy-Preserving Identity Management, (iv) Incident Reporting, (v) Maritime Transport, (vi) Medical Data Exchange, and (vii) Smart Cities. For each vertical we identify the research challenges that need to be addressed and group them according to time in three phases: short term (until the end of the project), medium term (until 2025 – Security 2025), and long term (until 2030 – Security 2030). To emphasise the European nature of these roadmaps, each vertical clearly demonstrates how it can contribute to emerging dimensions including (i) the Climate Change Dimension, (ii) the Impact on Democracy, and (iii) the new EU Cybersecurity Strategy for the Digital Decade.
Chapter
This paper summarizes the contents and presentations held at a workshop at the IFIP Summer School on Privacy and Identity Management 2021, focusing on privacy-preserving identity management. In this document, we first introduce the necessary background on privacy-preserving identity management, including core cryptographic concepts. We then present a demonstrator scenario which benefits from the use of such technologies. Finally, we present a distributed privacy-preserving identity management framework offering an even higher level of security and privacy than previous work.
Article
Full-text available
Privacy enhancing technologies (PETs) allow to achieve user’s transactions unlinkability across different online Service Providers. However, current PETs fail to guarantee unlinkability against the Identity Provider (IdP), which becomes a single point of failure in terms of privacy and security, and therefore, might impersonate its users. To address this issue, OLYMPUS EU project establishes an interoperable framework of technologies for a distributed privacy-preserving identity management based on cryptographic techniques that can be applied both to online and offline scenarios. Namely, distributed cryptographic techniques based on threshold cryptography are used to split up the role of the Identity Provider (IdP) into several authorities so that a single entity is not able to impersonate or track its users. The architecture leverages PET technologies, such as distributed threshold-based signatures and privacy attribute-based credentials (p-ABC), so that the signed tokens and the ABC credentials are managed in a distributed way by several IdPs. This paper describes the Olympus architecture, including its associated requirements, the main building blocks and processes, as well as the associated use cases. In addition, the paper shows how the Olympus oblivious architecture can be used to achieve privacy-preserving M2M offline transactions between IoT devices.
Chapter
Chameleon-hashes are collision-resistant hash-functions parametrized by a public key. If the corresponding secret key is known, arbitrary collisions for the hash can be found. Recently, Derler et al. (PKC ’20) introduced the notion of fully collision-resistant chameleon-hashes. Full collision-resistance requires the intractability of finding collisions, even with full-adaptive access to a collision-finding oracle. Their construction combines simulation-sound extractable (SSE) NIZKs with perfectly correct IND-CPA secure public-key encryption (PKE) schemes. We show that, instead of perfectly correct PKE, non-interactive commitment schemes are sufficient. For the first time, this gives rise to efficient instantiations from plausible post-quantum assumptions and thus candidates of chameleon-hashes with strong collision-resistance guarantees and long-term security guarantees. On the more theoretical side, our results relax the requirement to not being dependent on public-key encryption.
Chapter
Traditional group signatures feature a single issuer who can add users to the group of signers and a single opening authority who can reveal the identity of the group member who computed a signature. Interestingly, despite being designed for privacy-preserving applications, they require strong trust in these central authorities who constitute single points of failure for critical security properties. To reduce the trust placed on authorities, we introduce dynamic group signatures which distribute the role of issuer and opener over several entities, and support -out-of- issuance and -out-of- opening. We first define threshold dynamic group signatures and formalize their security. We then give an efficient construction relying on the pairing-based Pointcheval–Sanders (PS) signature scheme (CT-RSA 2018), which yields very short group signatures of two first-group elements and three field elements. We also give a simpler variant of our scheme in which issuance requires the participation of all issuers, but still supports -out-of- opening. It is based on a new multi-signature variant of the PS scheme which allows for efficient proofs of knowledge and is a result of independent interest. We prove our schemes secure in the random-oracle model under a non-interactive q-type of assumption.
Chapter
As centralized identity management solutions amass identity data, they increasingly become attractive targets for cyber attacks, which entail consequences for users that range from service disruptions to exposure of sensitive user data. Self-sovereign identity (SSI) strives to return the control over identity data to the users by building on decentralized architectures. However, the adoption of SSI systems is currently hampered by a lack of qualified identity data that satisfies the services’ requirements. Additionally, there is a gap w.r.t the user’s privacy: Intermediate components (e.g., importers or SSI network nodes) learn the users’ sensitive attributes during the derivation of eID data.
Conference Paper
We introduce updatable anonymous credential systems (UACS) and use them to construct a new privacy-preserving incentive system. In a UACS, a user holding a credential certifying some attributes can interact with the corresponding issuer to update his attributes. During this, the issuer knows which update function is run, but does not learn the user's previous attributes. Hence the update process preserves anonymity of the user. One example for a class of update functions are additive updates of integer attributes, where the issuer increments an unknown integer attribute value v by some known value k. This kind of update is motivated by an application of UACS to incentive systems. Users in an incentive system can anonymously accumulate points, e.g. in a shop at checkout, and spend them later, e.g. for a discount. In this paper, we (1) formally define UACS and their security, (2) give a generic construction for UACS supporting arbitrary update functions, and (3) construct a new incentive system using UACS that is efficient while offering offline double-spending protection and partial spending.
Chapter
In an attribute-based credential (ABC) system, users obtain a digital certificate on their personal attributes, and can later prove possession of such a certificate in an unlinkable way, thereby selectively disclosing chosen attributes to the service provider. Recently, the concept of encrypted ABCs (EABCs) was introduced by Krenn et al. at CANS 2017, where virtually all computation is outsourced to a semi-trusted cloud-provider called wallet, thereby overcoming existing efficiency limitations on the user’s side, and for the first time enabling “privacy-preserving identity management as a service”.
Conference Paper
Group signatures allow creating signatures on behalf of a group, while remaining anonymous. To prevent misuse, there exists a designated entity, named the opener, which can revoke anonymity by generating a proof which links a signature to its creator. Still, many intermediate cases have been discussed in the literature, where not the full power of the opener is required, or the users themselves require the power to claim (or deny) authorship of a signature and (un-)link signatures in a controlled way. However, these concepts were only considered in isolation. We unify these approaches, supporting all these possibilities simultaneously, providing fine-granular openings, even by members. Namely, a member can prove itself whether it has created a given signature (or not), and can create a proof which makes two created signatures linkable (or unlinkable resp.) in a controlled way. Likewise, the opener can show that a signature was not created by a specific member and can prove whether two signatures stem from the same signer (or not) without revealing anything else. Combined, these possibilities can make full openings irrelevant in many use-cases. This has the additional benefit that the requirements on the reachability of the opener are lessened. Moreover, even in the case of an involved opener, our framework is less privacy-invasive, as the opener no longer requires access to the signed message. Our provably secure black-box CCA-anonymous construction with dynamic joins requires only standard building blocks. We prove its practicality by providing a performance evaluation of a concrete instantiation, and show that our non-optimized implementation is competitive compared to other, less feature-rich, notions.
Article
Blacklistable anonymous credential systems provide service providers with a way to authenticate users according to their historical behaviors, while guaranteeing that all users can access services in an anonymous and unlinkable manner, thus are potentially useful in practice. Traditionally, to protect services from illegal access, the credential issuer, which completes the registration with users, must be trusted by the service provider. However, in practice, this trust assumption is usually unsatisfied. In this paper, we solve this problem and present the decentralized blacklistable anonymous credential system with reputation (DBLACR), which inherits nearly all features of the BLACR system presented in Au et al. (2012) but does not need a trusted party to register users.The new system also has extra advantages. In particular, it enables blacklist (historical behaviors) sharing among different service providers and is partially resilient to the blacklist gaming attack, where dishonest service providers attempt to compromise the privacy of users via generating blacklist maliciously. Technically, the main approach to achieve DBLACR system is a novel use of the blockchain technique, which serves as a public append-only ledger. The system can be instantiated from three different types of cryptographic systems, including the RSA system, the classical DL system, and the pairing based system. To demonstrate the practicability of our system, we also give a proof of concept implementation for the instantiation under the RSA system. The experiment results indicate that when authenticating with blacklists of reasonable size, our implementation can fulfill practical efficiency demands.