Security Analysis and Fix of an Anonymous Credential System

  • Yanjiang Yang
  • Feng Bao
  • Robert H. Deng
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3574)


Anonymous credentials are an important privacy-enhancing technique that allows users to convince a service provider of their legitimacy for service accesses in an anonymous manner. Among others, a fundamental feature of anonymous credentials is unlinkability, that is, multiple showings of the same credential should not be linked by the service providers, the issuing organization, or the coalition of the two. Recently, Persiano et. al. proposed an interesting anonymous credential system, which was claimed to be unlinkable. In this paper, we prove that their unlinkability claim is false. In particular, we show that the issuing organization can easily relate two showings of the same credential, point out the flaw in their original security proof and present a fix to avoid our attack.


Anonymous Credentials Privacy Unlinkability Chameleon Certificate 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Brands, S.: Rapid Demonstration of Linear Relations Connected by Boolean Operators. In: Pelillo, M., Hancock, E.R. (eds.) EMMCVPR 1997. LNCS, vol. 1223, pp. 318–333. Springer, Heidelberg (1997)Google Scholar
  2. 2.
    Brands, S.: Rethinking Public Key Infrastructures and Digital Certificates: Building in Privay. MIT Press, Cambridge (2000)Google Scholar
  3. 3.
    Bressoud, D., Wagon, S.: A Course in Computational Number Theory. Key College Publishing (1999)Google Scholar
  4. 4.
    Chaum, D.: Security Without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM 28(10), 1030–1044 (1985)CrossRefGoogle Scholar
  5. 5.
    Chaum, D., Evertse, J.H.: A Secure and Privacy-protection Protocol for Transmitting Personal Information Between Organizations. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 118–167. Springer, Heidelberg (1987)Google Scholar
  6. 6.
    Chen, L.: Acess with Pseudonyms. In: Dawson, E.P., Golić, J.D. (eds.) Cryptography: Policy and Algorithms 1995. LNCS, vol. 1029, pp. 232–243. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  7. 7.
    Camenisch, J., Lysyanskaya, A.: An Efficient Non-Transferable Anonymous Multi-Show Credential System with Optional Anonymity Revocation. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 93–118. Springer, Heidelberg (2003)Google Scholar
  8. 8.
    Camenisch, J., Michels, M.: Proving in Zero-knowledge that a Number is the Product of Two Safe Primes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 107–122. Springer, Heidelberg (1999)Google Scholar
  9. 9.
    Damgard, I.B.: Payment Systems and Credential Mechanism with Provable Security Against Abuse by Individuals. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 328–335. Springer, Heidelberg (1990)Google Scholar
  10. 10.
    Damgard, I., Fujisaki, E.: A Statistically-Hiding Integer Commitment Scheme Based on Groups with Hidden Order. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 125–142. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  11. 11.
    Lysyanskaya, A., Rivest, R., Sahai, A., Wolf, S.: Pseudonym Systems. In: Heys, H.M., Adams, C.M. (eds.) SAC 1999. LNCS, vol. 1758, pp. 184–199. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  12. 12.
    Pedersen, T.P.: Non-interactive and Information-Theoretic Secre Verifiable Secret Sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992)Google Scholar
  13. 13.
    Persiano, P., Visconti, I.: An Anonymous Credential System and A Privacy-Aware PKI. In: Safavi-Naini, R., Seberry, J. (eds.) ACISP 2003. LNCS, vol. 2727, pp. 27–38. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  14. 14.
    Schneier, B.: Applied Cryptography, 2nd edn. John Wiley & Sons, Chichester (1996)Google Scholar
  15. 15.
    de Santis, A., di Grescenzo, G., Persiano, P.: Communication Efficient Anonymous Group Identification. In: Proc. ACM Conference on Computer and Communications Security, pp. 73-82 (1998) Google Scholar
  16. 16.
    de Santis, A., di Grescenzo, G., Persiano, G., Yung, M.: On Monotone Formula Closure of SZK. In: Proc. Foundations of Computer Science, FOCS 1994, pp. 454–465 (1994)Google Scholar
  17. 17.
    Verheul, E.: Self-Blindable Credential Certificates from the Weil Pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 533–551. Springer, Heidelberg (2001)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Yanjiang Yang
    • 1
    • 2
  • Feng Bao
    • 1
  • Robert H. Deng
    • 2
  1. 1.Institute for Infocomm ResearchSingapore
  2. 2.School of Information SystemsSingapore Management UniversitySingapore

Personalised recommendations