An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation

  • Jan Camenisch
  • Anna Lysyanskaya
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2045)


A credential system is a system in which users can obtain credentials from organizations and demonstrate possession of these credentials. Such a system is anonymous when transactions carried out by the same user cannot be linked. An anonymous credential system is of significant practical relevance because it is the best means of providing privacy for users. In this paper we propose a practical anonymous credential system that is based on the strong RSA assumption and the decisional Diffie-Hellman assumption modulo a safe prime product and is considerably superior to existing ones: (1) We give the first practical solution that allows a user to unlinkably demonstrate possession of a credential as many times as necessary without involving the issuing organization. (2) To prevent misuse of anonymity, our scheme is the first to offer optional anonymity revocation for particular transactions. (3) Our scheme offers separability: all organizations can choose their cryptographic keys independently of each other. Moreover, we suggest more effective means of preventing users from sharing their credentials, by introducing all-or-nothing sharing: a user who allows a friend to use one of her credentials once, gives him the ability to use all of her credentials, i.e., taking over her identity. This is implemented by a new primitive, called circular encryption, which is of independent interest, and can be realized from any semantically secure cryptosystem in the random oracle model.


Privacy protection credential system pseudonym system e-cash blind signatures circular encryption key-oblivious encryption 


  1. 1.
    N. Asokan, V. Shoup, and M. Waidner. Optimistic fair exchange of digital signatures. IEEE Journal on Selected Areas in Communications, 18(4):591–610, 2000.CrossRefGoogle Scholar
  2. 2.
    G. Ateniese, J. Camenisch, M. Joye, and G. Tsudik. A practical and provably secure coalition-resistant group signature scheme. In CRYPTO 2000, vol. 1880 of LNCS, pp. 255–270. Springer Verlag, 2000.CrossRefGoogle Scholar
  3. 3.
    M. Bellare, A. Boldyreva, A. Desai, and D. Pointcheval. Key-privacy in public-key encryption. Manuscript, 2001.Google Scholar
  4. 4.
    M. Bellare, J. A. Garay, and T. Rabin. Fast batch verification for modular exponentiation and digital signatures. In EUROCRYPT '98, vol. 1403 of LNCS, pp. 236–250. Springer Verlag, 1998.CrossRefGoogle Scholar
  5. 5.
    J. Black, P. Rogaway, and T. Shrimpton. Encryption scheme security in the presence of key-dependent messages. Manuscript, 2001.Google Scholar
  6. 6.
    F. Boudot. Efficient proofs that a committed number lies in an interval. In EUROCRYPT 2000, vol. 1807 of LNCS, pp. 431–444. Springer Verlag, 2000.CrossRefGoogle Scholar
  7. 7.
    S. Brands. Untraceable Off-line Cash in Wallets With Observers. In CRYPTO '93, vol. of LNCS. pp. 302–318. Springer Verlag, 1993.Google Scholar
  8. 8.
    S. Brands. Rethinking Public Key Infrastructures and Digital Certificates; Building in Privacy. PhD thesis, Eindhoven Institute of Technology, the Netherlands, 1999.Google Scholar
  9. 9.
    E. Brickell, P. Gemmel, and D. Kravitz. Trustee-based tracing extensions to anonymous cash and the making of anonymous change. In Proc. ACM-SIAMs, pp. 457–466. ACM press, 1995.Google Scholar
  10. 10.
    J. Camenisch and I. Damgård. Verifiable encryption and applications to group signatures and signature sharing. Technical Report RS-98-32, BRICS, Departement of Computer Science, University of Aarhus, December 1998.Google Scholar
  11. 11.
    J. Camenisch and A. Lysyanskaya. Efficient non-transferable anonymous multishow credential system with optional anonymity revocation. Technical Report Research Report RZ 3295, IBM Research Division, 2000.Google Scholar
  12. 12.
    J. Camenisch and A. Lysyanskaya. An Efficient Non-transferable Anonymous Credential System with Optional Anonymity Revocation.
  13. 13.
    J. Camenisch and M. Michels. Proving in zero-knowledge that a number n is the product of two safe primes. In EUROCRYPT '99, vol. 1592 of LNCS, pp. 107–122.Google Scholar
  14. 14.
    J. Camenisch and M. Stadler. Efficient group signature schemes for large groups. In CRYPTO '97, vol. 1296 of LNCS, pp. 410–424. Springer Verlag, 1997.CrossRefGoogle Scholar
  15. 15.
    R. Canetti. Studies in Secure Multiparty Computation and Applications. PhD thesis, Weizmann Institute of Science, Rehovot 76100, Israel, 1995.Google Scholar
  16. 16.
    R. Canetti. Security and composition of multi-party cryptographic protocols. Journal of Cryptology, 13(1):143–202, 2000.zbMATHCrossRefMathSciNetGoogle Scholar
  17. 17.
    D. Chaum. Blind signatures for untraceable payments. In CRYPTO '82, pp. 199–203. Plenum Press, 1983.Google Scholar
  18. 18.
    D. Chaum. Security without identification: Transaction systems to make big brother obsolete. Communications of the ACM, 28(10):1030–1044, 1985.CrossRefGoogle Scholar
  19. 19.
    D. Chaum and J.-H. Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In CRYPTO '86, vol. 263 of LNCS, pp. 118–167. Springer-Verlag, 1987.CrossRefGoogle Scholar
  20. 20.
    D. Chaum and E. van Heyst. Group signatures. In EUROCRYPT '91, vol. 547 of LNCS, pp. 257–265. Springer-Verlag, 1991.Google Scholar
  21. 21.
    L. Chen. Access with pseudonyms. In Cryptography: Policy and Algorithms, vol. 1029 of LNCS, pp. 232–243. Springer Verlag, 1995.CrossRefGoogle Scholar
  22. 22.
    R. Cramer and V. Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In CRYPTO '98, vol. 1642 of LNCS, pp. 13–25, 1998, Springer Verlag.CrossRefGoogle Scholar
  23. 23.
    R. Cramer and V. Shoup. Signature schemes based on the strong RSA assumption. In Proc. 6th ACM CCS, pp. 46–52. ACM press, 1999.Google Scholar
  24. 24.
    I. Damgård. Efficient concurrent zero-knowledge in the auxiliary string model. In EUROCRYPT 2000, vol. 1807 of LNCS, pp. 431–444. Springer Verlag, 2000.CrossRefGoogle Scholar
  25. 25.
    I. Damgård. Payment systems and credential mechanism with provable security against abuse by individuals. In CRYPTO '88, vol. 403 of LNCS, pp. 328–335.Google Scholar
  26. 26.
    C. Dwork, J. Lotspiech, and M. Naor. Digital signets: Self-enforcing protection of digital information. In Proc. 28th STOC, 1996.Google Scholar
  27. 27.
    T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. In CRYPTO '84, vol. 196 of LNCS, pp. 10–18. Springer Verlag, 1985.Google Scholar
  28. 28.
    A. Fiat and A. Shamir. How to prove yourself: Practical solution to identification and signature problems. In CRYPTO '86, vol. 263 of LNCS, pp. 186–194, 1987.CrossRefGoogle Scholar
  29. 29.
    E. Fujisaki and T. Okamoto. Statistical zero knowledge protocols to prove modular polynomial relations. In CRYPTO '97, vol. 1294 of LNCS, pp. 16–30, 1997.CrossRefGoogle Scholar
  30. 30.
    R. Gennaro, S. Halevi, and T. Rabin. Secure hash-and-sign signatures without the random oracle. In EUROCRYPT '99, vol. 1592 of LNCS, pp. 123–139, 1999.Google Scholar
  31. 31.
    S. Goldwasser, S. Micali, and C. Rackoff. The knowledge complexity of interactive proof systems. In Proc. 27th FOCS, pages 291–304, 1985.Google Scholar
  32. 32.
    O. Goldreich, B. Pfitzman, and R. Rivest. Self-delegation with controlled propagation-or-what if you lose your laptop. In CRYPTO '98, vol. 1642 of LNCS, pp. 153–168, 1998.CrossRefGoogle Scholar
  33. 33.
    J. Kilian and E. Petrank. Identity escrow. In CRYPTO '98, vol. 1642 of LNCS, pp. 169–185, Springer Verlag, 1998.CrossRefGoogle Scholar
  34. 34.
    A. Lysyanskaya, R. Rivest, A. Sahai, and S. Wolf. Pseudonym systems. In Selected Areas in Cryptography, vol. 1758 of LNCS. Springer Verlag, 1999.Google Scholar
  35. 35.
    S. Micali, C. Rackoff, and B. Sloan. The notion of security for probabilistic cryptosystems. SIAM Journal on Computing, 17(2):412–426, 1988.zbMATHCrossRefMathSciNetGoogle Scholar
  36. 36.
    B. Pfitzmann and M. Waidner. Composition and integrity preservation of secure reactive systems. In Proc. 7th ACM CCS, pp. 245–254. ACM press, 2000.Google Scholar
  37. 37.
    M. Stadler, J.-M. Piveteau, and J. Camenisch. Fair blind signatures. In EUROCRYPT '95, vol. 921 of LNCS, pp. 209–219. Springer Verlag, 1995.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Jan Camenisch
    • 1
  • Anna Lysyanskaya
    • 2
  1. 1.Zurich Research LaboratoryIBM ResearchRüschlikon
  2. 2.MIT LCSCambridgeUSA

Personalised recommendations