Pseudonym Systems

Extended Abstract
  • Anna Lysyanskaya
  • Ronald L. Rivest
  • Amit Sahai
  • Stefan Wolf
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1758)


Pseudonym systems allow users to interact with multiple organizations anonymously, using pseudonyms. The pseudonyms cannot be linked, but are formed in such a way that a user can prove to one organization a statement about his relationship with another. Such a statement is called a credential. Previous work in this area did not protect the system against dishonest users who collectively use their pseudonyms and credentials, i.e., share an identity. Previous practical schemes also relied very heavily on the involvement of a trusted center. In the present paper we give a formal definition of pseudonym systems where users are motivated not to share their identity, and in which the trusted center’s involvement is minimal. We give theoretical constructions for such systems based on any one-way function. We also suggest an efficient and easy-to-implement practical scheme.


Anonymity pseudonyms nyms credentials unlinkability credential transfer 


  1. 1.
    M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway. Relations among notions of security for public-key encryption schemes. In Advances in Cryptology—CRYPTO 98, pages 26–40. Springer-Verlag, 1998.Google Scholar
  2. 2.
    Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In First ACM Conference on Computer and Communications Security, pages 62–73, 1993.Google Scholar
  3. 3.
    Dan Boneh. The decision Diffie-Hellman problem. In Proceedings of the Third Algorithmic Number Theory Symposium, pages 48–63. Springer-Verlag, 1998.Google Scholar
  4. 4.
    David Brin. The Transparent Society: Will Technology Force Us to Choose between Privacy and Freedom? Perseus Press, 1998.Google Scholar
  5. 5.
    Jan Camenisch and Markus Stadler. Efficient group signature schemes for large groups (extended abstract). In Advances in Cryptology—CRYPTO’ 97, pages 410–424. Springer-Verlag, 1997.Google Scholar
  6. 6.
    Ran Canetti, Moses Charikar, Ravi Kumar, Sridhar Rajagopalan, Amit Sahai, and Andrew Tomkins. Non-transferable anonymous credentials. Manuscript, 1998. Revision in submission, 1999.Google Scholar
  7. 7.
    Ran Canetti, Oded Goldreich, and Shai Halevi. Random oracle methodology, revisited. In Proceedings of the Thirtieth Annual ACM Symposium on Theory of Computing, pages 209–218, 1998.Google Scholar
  8. 8.
    David Chaum. Security without identification: transaction systems to make Big Brother obsolete. Communications of the ACM, 28(10), 1985.Google Scholar
  9. 9.
    David Chaum. Designated confirmer signatures. In Advances in Cryptology—EUROCRYPT 94, pages 86–91. Springer-Verlag, 1994.Google Scholar
  10. 10.
    David Chaum and Jan-Hendrik Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In Advances in Cryptology—CRYPTO’ 86, pages 118–167. Springer-Verlag, 1986.Google Scholar
  11. 11.
    David Chaum and Torben Pryds Pedersen. Wallet databases with observers (extended abstract). In Advances in Cryptology—CRYPTO’ 92, pages 89–105. Springer-Verlag, 1992.Google Scholar
  12. 12.
    Lidong Chen. Access with pseudonyms. In Ed Dawson and Jovan Golić, editors, Cryptography: Policy and Algorithms, pages 232–243. Springer-Verlag, 1995. Lecture Notes in Computer Science No. 1029.CrossRefGoogle Scholar
  13. 13.
    R. Cramer and V. Shoup. A practical public-key cryptosystem provably secure against adaptive chosen ciphertext attack. In Advances in Cryptology—CRYPTO 98. Springer-Verlag, 1998.Google Scholar
  14. 14.
    Ivan Bjerre Damgård. Payment systems and credential mechanisms with provable security against abuse by individuals (extended abstract). In Advances in Cryptology—CRYPTO’ 88, pages 328–335. Springer-Verlag, 1988.Google Scholar
  15. 15.
    W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22(6):644–654, 1976.zbMATHCrossRefMathSciNetGoogle Scholar
  16. 16.
    C. Dwork, J. Lotspiech, and M. Naor. Digital signets: Self-enforcing protection of digital information. In Proceedings of the 28th STOC, pages 489–498, 1996.Google Scholar
  17. 17.
    E. Dyson. Release 2.1: A design for living in the digital age. Broadway, 1998.Google Scholar
  18. 18.
    T. ElGamal. A public-key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31(4):469–472, 1985.zbMATHCrossRefMathSciNetGoogle Scholar
  19. 19.
    Oded Goldreich. Secure multi-party computation., 1998.Google Scholar
  20. 20.
    Oded Goldreich, Silvio Micali, and Avi Wigderson. How to play any mental game or a completeness theorem for protocols with honest majority. In Proceedings of the Nineteenth Annual ACM Symposium on Theory of Computing, pages 218–229, 1987.Google Scholar
  21. 21.
    Oded Goldreich, Birgit Pfitzmann, and Ronald L. Rivest. Self-delegation with controlled propagation-or-what if you lose your laptop. In Advances in Cryptology—CRYPTO 98, pages 153–168. Springer-Verlag, 1998.Google Scholar
  22. 22.
    Shafi Goldwasser and Mihir Bellare. Lecture notes in cryptography., 1996.Google Scholar
  23. 23.
    Shafi Goldwasser and Silvio Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28(2):270–299, April 1984.zbMATHCrossRefMathSciNetGoogle Scholar
  24. 24.
    Shafi Goldwasser, Silvio Micali, and Ronald L. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, April 1988.zbMATHCrossRefMathSciNetGoogle Scholar
  25. 25.
    Joe Kilian and Erez Petrank. Identity escrow. In Advances in Cryptology—CRYPTO’ 98, pages 169–185. Springer-Verlag, 1998.Google Scholar
  26. 26.
    Anna Lysyanskaya, Ronald L. Rivest, Amit Sahai, and Stefan Wolf. Pseudonym systems., 1999.Google Scholar
  27. 27.
    David Mazières and M. Frans Kaashoek. The design, implementation and operation of an email pseudonym server. In Proceedings of the 5th ACM Conference on Computer and Communications Security, 1998.Google Scholar
  28. 28.
    Moni Naor. Bit commitment using pseudorandomness. Journal of Cryptology, 4(2):151–158, 1991.zbMATHCrossRefGoogle Scholar
  29. 29.
    Tatsuaki Okamoto. Designated confirmer signatures and public-key encryption are equivalent. In Advances in Cryptology—CRYPTO’ 94, pages 61–74. Springer-Verlag, 1994.Google Scholar
  30. 30.
    John Rompel. One-way functions are necessary and sufficient for secure signatures. In Proceedings of the Twenty Second Annual ACM Symposium on Theory of Computing, pages 387–394, 1990.Google Scholar
  31. 31.
    C. P. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4(3):161–174, 1991.zbMATHCrossRefMathSciNetGoogle Scholar
  32. 32.
    V. Shoup. Lower bounds on discrete logarithms and related problems. In Advances in Cryptology—EUROCRYPT’ 97, pages 256–266. Springer-Verlag, 1997.Google Scholar
  33. 33.
    Michael Sipser. Introduction to the Theory of Computation. PWS Publishing Company, 1997.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Anna Lysyanskaya
    • 1
  • Ronald L. Rivest
    • 1
  • Amit Sahai
    • 1
  • Stefan Wolf
    • 2
  1. 1.MIT LCSCambridgeUSA
  2. 2.Computer Science DepartmentETH ZürichZürichSwitzerland

Personalised recommendations