Chapter

Advances in Cryptology — EUROCRYPT 2001

Volume 2045 of the series Lecture Notes in Computer Science pp 93-118

Date:

An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation

  • Jan CamenischAffiliated withZurich Research Laboratory, IBM Research
  • , Anna LysyanskayaAffiliated withMIT LCS

Abstract

A credential system is a system in which users can obtain credentials from organizations and demonstrate possession of these credentials. Such a system is anonymous when transactions carried out by the same user cannot be linked. An anonymous credential system is of significant practical relevance because it is the best means of providing privacy for users. In this paper we propose a practical anonymous credential system that is based on the strong RSA assumption and the decisional Diffie-Hellman assumption modulo a safe prime product and is considerably superior to existing ones: (1) We give the first practical solution that allows a user to unlinkably demonstrate possession of a credential as many times as necessary without involving the issuing organization. (2) To prevent misuse of anonymity, our scheme is the first to offer optional anonymity revocation for particular transactions. (3) Our scheme offers separability: all organizations can choose their cryptographic keys independently of each other. Moreover, we suggest more effective means of preventing users from sharing their credentials, by introducing all-or-nothing sharing: a user who allows a friend to use one of her credentials once, gives him the ability to use all of her credentials, i.e., taking over her identity. This is implemented by a new primitive, called circular encryption, which is of independent interest, and can be realized from any semantically secure cryptosystem in the random oracle model.

Keywords

Privacy protection credential system pseudonym system e-cash blind signatures circular encryption key-oblivious encryption