Fast Keyed-Verification Anonymous Credentials on Standard Smart Cards

  • Jan Camenisch
  • Manu Drijvers
  • Petr Dzurenda
  • Jan Hajny
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 562)


Cryptographic anonymous credential schemes allow users to prove their personal attributes, such as age, nationality, or the validity of a ticket or a pre-paid pass, while preserving their privacy, as such proofs are unlinkable and attributes can be selectively disclosed. Recently, Chase et al. (CCS 2014) observe that in such systems, a typical setup is that the credential issuer also serves as the verifier. They introduce keyed-verification credentials that are tailored to this setting. In this paper, we present a novel keyed-verification credential system designed for lightweight devices (primarily smart cards). By using a novel algebraic MAC based on Boneh-Boyen signatures, we achieve the most efficient proving protocol compared to existing schemes. To demonstrate the practicality of our scheme in real applications, including large-scale services such as public transportation or e-government, we present an implementation on a standard, off-the-shelf, Multos smart card. While using significantly higher security parameters than most existing implementations, we achieve performance that is more than 44% better than the current state-of-the-art implementation.


Keywords: Privacy, Anonymous credentials, Authentication, Smart cards



This paper is supported in part by European Union’s Horizon 2020 research and innovation programme under grant agreement No 830892, project SPARTA, the Ministry of Industry and Trade grant # FV20354 and the National Sustainability Program under grant LO1401. For the research, infrastructure of the SIX Center was used.


  1. Arfaoui, G., Lalande, J.F., Traoré, J., Desmoulins, N., Berthomé, P., Gharout, S.: A practical set-membership proof for privacy-preserving NFC mobile ticketing. In: PoPETs, pp. 25–45 (2015)
  2. Barki, A., Brunet, S., Desmoulins, N., Gambs, S., Gharout, S., Traoré, J.: Private eCash in practice (short paper). In: Grossklags, J., Preneel, B. (eds.) FC 2016. LNCS, vol. 9603, pp. 99–109. Springer, Heidelberg (2017)
  3. Barki, A., Brunet, S., Desmoulins, N., Traoré, J.: Improved algebraic MACs and practical keyed-verification anonymous credentials. In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 360–380. Springer, Cham (2017)
  4. Barki, A., Desmoulins, N., Gharout, S., Traoré, J.: Anonymous attestations made practical. In: ACM WiSec 2017 Proceedings, pp. 87–98 (2017)
  5. Belenkiy, M., Camenisch, J., Chase, M., Kohlweiss, M., Lysyanskaya, A., Shacham, H.: Randomizable proofs and delegatable anonymous credentials. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 108–125. Springer, Heidelberg (2009)
  6. Bichsel, P., Camenisch, J., Groß, T., Shoup, V.: Anonymous credentials on a standard java card. In: ACM CCS 2009 Proceedings, pp. 600–610 (2009)
  7. Boneh, D.: The decision Diffie-Hellman problem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 48–63. Springer, Heidelberg (1998)
  8. Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004)
  9. Boneh, D., Boyen, X.: Short signatures without random oracles and the SDH assumption in bilinear groups. J. Cryptol. 21, 149–177 (2008)
  10. Brands, S.A.: Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy (2000)
  11. Camenisch, J., Drijvers, M., Dzurenda, P., Hajny, J.: Fast keyed-verification anonymous credentials on standard smart cards. Cryptology ePrint Archive, Report 2019 (2019)
  12. Camenisch, J., Drijvers, M., Hajny, J.: Scalable revocation scheme for anonymous credentials based on n-times unlinkable proofs. In: ACM CCS WPES 2016 Proceedings, pp. 123–133 (2016)
  13. Camenisch, J., Dubovitskaya, M., Neven, G.: Oblivious transfer with access control. In: ACM CCS 2009 Proceedings, pp. 131–140 (2009)
  14. Camenisch, J., Hohenberger, S., Kohlweiss, M., Lysyanskaya, A., Meyerovich, M.: How to win the clonewars: efficient periodic n-times anonymous authentication. In: ACM CCS 2006 Proceedings, pp. 201–210 (2006)
  15. Camenisch, J., Kohlweiss, M., Soriente, C.: Solving revocation with efficient update of anonymous credentials. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 454–471. Springer, Heidelberg (2010)
  16. Camenisch, J., Krenn, S., Lehmann, A., Mikkelsen, G.L., Neven, G., Pedersen, M.Ø.: Scientific comparison of ABC protocols (2014)
  17. Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001)
  18. Camenisch, J., Lysyanskaya, A.: Dynamic accumulators and application to efficient revocation of anonymous credentials. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 61–76. Springer, Heidelberg (2002)
  19. Camenisch, J., Neven, G., Rückert, M.: Fully anonymous attribute tokens from lattices. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 57–75. Springer, Heidelberg (2012)
  20. Camenisch, J., Stadler, M.: Efficient group signature schemes for large groups. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997)
  21. Camenisch, J., Van Herreweghen, E.: Design and implementation of the idemix anonymous credential system. In: ACM CCS 2002 Proceedings, pp. 21–30 (2002)
  22. Chase, M., Meiklejohn, S., Zaverucha, G.: Algebraic MACs and keyed-verification anonymous credentials. In: ACM SIGSAC 2014 Proceedings, pp. 1205–1216 (2014)
  23. Chaum, D.: Security without identification: transaction systems to make big brother obsolete. Commun. ACM 28, 1030–1044 (1985)
  24. Couteau, G., Reichle, M.: Non-interactive keyed-verification anonymous credentials. Cryptology ePrint Archive, Report 2019/117 (2019)
  25. Dodis, Y., Kiltz, E., Pietrzak, K., Wichs, D.: Message authentication, revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 355–374. Springer, Heidelberg (2012)
  26. Hajny, J., Malina, L.: Unlinkable attribute-based credentials with practical revocation on smart-cards. In: Mangard, S. (ed.) CARDIS 2012. LNCS, vol. 7771, pp. 62–76. Springer, Heidelberg (2013)
  27. Hinterwälder, G., Riek, F., Paar, C.: Efficient E-cash with attributes on MULTOS smartcards. In: Mangard, S., Schaumont, P. (eds.) RFIDSec 2015. LNCS, vol. 9440, pp. 141–155. Springer, Cham (2015)
  28. Isaakidis, M., Halpin, H., Danezis, G.: UnlimitID: privacy-preserving federated identity management using algebraic MACs. In: ACM CCS WPES 2016 Proceedings, pp. 139–142 (2016)
  29. Kerry, C.F., Secretary, A., Director, C.R.: FIPS PUB 186–4 Federal Information Processing Standards Publication: Digital Signature Standard (DSS) (2013)
  30. Mostowski, W., Vullers, P.: Efficient U-prove implementation for anonymous credentials on smart cards. In: Rajarajan, M., Piper, F., Wang, H., Kesidis, G. (eds.) SecureComm 2011. LNICST, vol. 96, pp. 243–260. Springer, Heidelberg (2012)
  31. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999)
  32. Paquin, C.: U-Prove cryptographic specification v1.1. Technical report, Microsoft Corporation (2011)
  33. de la Piedra, A., Hoepman, J.-H., Vullers, P.: Towards a full-featured implementation of attribute based credentials on smart cards. In: Gritzalis, D., Kiayias, A., Askoxylakis, I. (eds.) CANS 2014. LNCS, vol. 8813, pp. 270–289. Springer, Cham (2014)
  34. Ringers, S., Verheul, E., Hoepman, J.-H.: An efficient self-blindable attribute-based credential scheme. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 3–20. Springer, Cham (2017)
  35. Rivest, R.L., Kaliski, B.: RSA problem. In: van Tilborg, H.C.A. (ed.) Encyclopedia of Cryptography and Security, pp. 532–536. Springer, New York (2005)
  36. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997)
  37. Smart, N.: Yearly report on algorithms and keysizes. Katholieke Universiteit Leuven, Technical report (2012)
  38. Vullers, P., Alpár, G.: Efficient selective disclosure on smart cards using idemix. In: Fischer-Hübner, S., de Leeuw, E., Mitchell, C. (eds.) IDMAN 2013. IFIP AICT, vol. 396, pp. 53–67. Springer, Heidelberg (2013)
  39. Wei, V.K., Yuen, T.H.: More short signatures without random oracles (2005)

Copyright information

© IFIP International Federation for Information Processing 2019

Authors and Affiliations

  • Jan Camenisch (1)
  • Manu Drijvers (1)
  • Petr Dzurenda (2)
  • Jan Hajny (2)

  1. Dfinity, Zurich, Switzerland
  2. Brno University of Technology, Brno, Czech Republic
