Abstract
We propose an anonymous credential system equipped with independent decentralized authorities who issue credentials. In our system, the number of authorities can dynamically increase or decrease. A credential is a private secret key issued by an authority, and it is given to an entity distinguished by an identifier. In the issuing phase, an authority only has to sign identifiers. In the proving phase, under a principle of “commit-to-id”, an entity proves to a verifier the knowledge of his/her identifier and private secret keys by generating a unified proof. The verifier should resist against collusion attacks executed by adversaries who bring together the private secret keys issued to different identifiers. To construct our system, we employ two building blocks; the structure-preserving signature scheme and the Groth-Sahai non-interactive proof system. Both blocks work in the setting of bilinear groups. To attain the collusion resistance, we propose a notion of “bundled language” that is abstraction of simultaneous pairing-product equations which include an identifier as a variable.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 209–236. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_12
Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. J. Cryptol. 29(2), 363–421 (2016)
Abe, M., Hofheinz, D., Nishimaki, R., Ohkubo, M., Pan, J.: Compact structure-preserving signatures with almost tight security. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 548–580. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_19
Anada, H., Arita, S.: Witness-indistinguishable arguments with \(\Sigma \)-protocols for bundled witness spaces and its application to global identities. In: Proceedings of 20th International Conference on Information and Communications Security (ICICS 2018), pp. 530–547, Lille, France, October 29–31 (2018)
Camenisch, J., Dubovitskaya, M., Haralambiev, K., Kohlweiss, M.: Composable and modular anonymous credentials: definitions and practical constructions. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 262–288. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_11
Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_7
Camenisch, J., Lysyanskaya, A.: A signature scheme with efficient protocols. In: Cimato, S., Persiano, G., Galdi, C. (eds.) SCN 2002. LNCS, vol. 2576, pp. 268–289. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36413-7_20
Camenisch, J., Lysyanskaya, A.: Signature schemes and anonymous credentials from bilinear maps. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 56–72. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_4
Escala, A., Groth, J.: Fine-Tuning Groth-Sahai Proofs. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 630–649. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_36
Fuchsbauer, G.: Commuting signatures and verifiable encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 224–245. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_14
Fuchsbauer, G., Hanser, C., Slamanig, D.: Structure-preserving signatures on equivalence classes and constant-size anonymous credentials. J. Cryptol. 32(2), 498–546 (2019)
Galbraith, S.D., Paterson, K.G., Smart, N.P.: Pairings for cryptographers. Discrete Appl. Math. 156(16), 3113–3121 (2008)
Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_24
Lewko, A., Waters, B.: Decentralizing attribute-based encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 568–588. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_31
Okamoto, T., Takashima, K.: Decentralized attribute-based signatures. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 125–142. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_9
Okishima, R., Nakanishi, T.: An anonymous credential system with constant-size attribute proofs for CNF formulas with negations. In: Attrapadung, N., Yagi, T. (eds.) IWSEC 2019. LNCS, vol. 11689, pp. 89–106. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26834-3_6
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
Appendix
A Four Properties of Commitment Part
Definition 2
(Correctness [9, 13]). A commitment scheme \(\textsf {Cmt}_{\textit{pp}}\) is said to be correct if it satisfies the following condition: For any security parameter \(1^{\lambda }\), any set of public parameters \(\textit{pp}\leftarrow \textsf {CmtPrv}\textsf {.Setup}(1^{\lambda })\), any commitment key \({ck} \leftarrow \textsf {Cmt.KG}_{\textit{pp}}(\texttt {mode})\) where \(\texttt {mode}= \texttt {nor}\) or \(\texttt {ext}\) or \(\texttt {sim}\), and any message w,
Definition 3
(Dual Mode [13]). A commitment scheme \(\textsf {Cmt}_{\textit{pp}}\) is said to be dual mode if it satisfies the following condition: For any security parameter \(1^{\lambda }\), any set of public parameters \(\textit{pp}\leftarrow \textsf {CmtPrv}\textsf {.Setup}(1^{\lambda })\) and any \(\textsc {ppt}\) algorithm \(\mathbf {A}\),
The computational indistinguishability (11) is equivalent to the following: For any security parameter \(1^{\lambda }\), for any set of public parameters \(\textit{pp}\leftarrow \textsf {CmtPrv}\textsf {.Setup}(1^{\lambda })\) and any \(\textsc {ppt}\) algorithm \(\mathbf {A}\), the advantage \(\mathbf {Adv}^{\text {ind-dual}}_{\textsf {Cmt}_{\textit{pp}},\mathbf {A}}(\lambda )\) of \(\mathbf {A}\) over \(\textsf {Cmt}_{\textit{pp}}\) defined by the difference below is negligible in \(\lambda \):
The indistinguishability holds, for example, for an instance of the Groth-Sahai proof system under the SXDH assumption [9, 13].
Definition 4
(Perfectly Binding [13]). A commitment scheme \(\textsf {Cmt}_{\textit{pp}}\) is said to be perfectly binding if it satisfies the following condition for some unbounded algorithm \(\textsf {Cmt.Open}_{\textit{pp}}\): For any security parameter \(1^{\lambda }\), any set of public parameters \(\textit{pp}\leftarrow \textsf {CmtPrv}\textsf {.Setup}(1^{\lambda })\), any commitment key \({ck} \leftarrow \textsf {Cmt.KG}_{\textit{pp}}(\texttt {nor})\) and any message w,
Definition 5
(Perfectly Hiding [13]). A commitment scheme \(\textsf {Cmt}_{\textit{pp}}\) is said to be perfectly hiding if it satisfies the following condition: For any security parameter \(1^{\lambda }\), any set of public parameters \(\textit{pp}\leftarrow \textsf {CmtPrv}\textsf {.Setup}(1^{\lambda })\), any commitment key ck s.t. \(({ck}, {tk}) \leftarrow \textsf {Cmt.KG}_{\textit{pp}}(\texttt {sim})\) and any \(\textsc {ppt}\) algorithm \(\mathbf {A}\),
B Four Properties of Proof Part
Definition 6
(Perfect Correctness [13]). A commit-and-prove scheme \(\textsf {CmtPrv}\) is said to be perfectly correct if it satisfies the following condition: For any security parameter \(1^{\lambda }\), any set of public parameters \(\textit{pp}\leftarrow \textsf {CmtPrv}\textsf {.Setup}(1^{\lambda })\), any commitment key \({ck} \leftarrow \textsf {Cmt.KG}_{\textit{pp}}(\texttt {mode})\) where \(\texttt {mode}= \texttt {nor}\) or \(\texttt {ext}\) or \(\texttt {sim}\) with \(\textit{pp}:= (\textit{pp},{ck})\), and any \(\textsc {ppt}\) algorithm \(\mathbf {A}\),
Definition 7
(Perfect Soundness [13]). A commit-and-prove scheme \(\textsf {CmtPrv}\) is said to be perfectly sound if it satisfies the following condition for some unbounded algorithm \(\textsf {Cmt.Open}_{\textit{pp}}\): For any security parameter \(1^{\lambda }\), any set of public parameters \(\textit{pp}\leftarrow \textsf {CmtPrv}\textsf {.Setup}(1^{\lambda })\), any commitment key \({ck} \leftarrow \textsf {Cmt.KG}_{\textit{pp}}(\texttt {nor})\) and any \(\textsc {ppt}\) algorithm \(\mathbf {A}\),
Let \(\mathcal {C}_{ck}\) be the set of commitments under ck to some message w.
Definition 8
(Perfect Knowledge Extraction[13]). A commit-and-prove scheme \(\textsf {CmtPrv}\) is said to be perfectly knowledge extractable if it satisfies the following condition for some \(\textsc {ppt}\) algorithm \(\textsf {Cmt.Ext}_{\textit{pp}}\): For any security parameter \(1^{\lambda }\), any set of public parameters \(\textit{pp}\leftarrow \textsf {CmtPrv}\textsf {.Setup}(1^{\lambda })\), any commitment key \(({ck}, {xk}) \leftarrow \textsf {Cmt.KG}_{\textit{pp}}(\texttt {ext})\) and any \(\textsc {ppt}\) algorithm \(\mathbf {A}\),
Definition 9
(Composable Witness-Indistinguishability [13]). A commit-and-prove scheme \(\textsf {CmtPrv}\) is said to be composably witness-indistinguishable if it satisfies the following condition: For any security parameter \(1^{\lambda }\), any set of public parameters \(\textit{pp}\leftarrow \textsf {CmtPrv}\textsf {.Setup}(1^{\lambda })\) and any \(\textsc {ppt}\) algorithm \(\mathbf {A}\),
Especially, perfect witness-indistinguishability holds from (14).
C Instantiation of Structure-Preserving Signature Scheme [1, 2]
We concretely describe an instantiation of the SPS scheme [1, 2], which is known to be EUF-CMA under the q-SFP assumption.
\(\textsf {Sig.Setup}(1^{\lambda }) \rightarrow \textit{pp}\). On input the security parameter \(1^{\lambda }\), this \(\textsc {ppt}\) algorithm executes the bilinear group generator algorithm, and it puts the output as a set of public parameters: \(\mathcal {BG}(1^{\lambda }) \rightarrow (p, {\hat{\mathbb {G}}}, \check{{\mathbb {H}}}, \mathbb {T}, e, \hat{G}, \check{H}) =: \textit{pp}\). It returns \(\textit{pp}\).
\(\textsf {Sig.KG}_{\textit{pp}}() \rightarrow (\text {PK}, \text {SK})\). Based on the set of public parameters \(\textit{pp}\), this \(\textsc {ppt}\) algorithm generates a signing key \(\text {SK}\) and the corresponding public key \(\text {PK}\) as follows: \(\hat{G}_u \in _R{\hat{\mathbb {G}}}\), \(\gamma _1, \delta _1 \in _R\mathbb {Z}_p^*\), \(\hat{G}_1 := \hat{G}^{\gamma _1}, \hat{G}_{u, 1} := \hat{G}_u^{\delta _1}\). \(\gamma _z, \delta _z \in _R\mathbb {Z}_p^*\), \(\hat{G}_z := \hat{G}^{\gamma _z}, \hat{G}_{u, z} := \hat{G}_u^{\delta _z}\). \(\alpha , \beta \in _R\) \(\mathbb {Z}_p^*\), \((\hat{A}_i, \check{A}_i)_{i=0}^{1} \leftarrow \textsf {Extend}(\hat{G}, \check{H}^{\alpha })\), \((\hat{B}_i, \check{B}_i)_{i=0}^{1} \leftarrow \textsf {Extend}(\hat{G}_u, \check{H}^{\beta })\) (for \(\textsf {Extend}\), see [1, 2]). It puts \(\text {PK}:= (\hat{G}_z, \hat{G}_{u, z}, \hat{G}_u, \hat{G}_1, \hat{G}_{u, 1}, (\hat{A}_i, \check{A}_i, \hat{B}_i, \check{B}_i )_{i=0}^{1} )\) and \(\text {SK}:= (\alpha , \beta , \gamma _z, \delta _z, \gamma _1, \delta _1)\). It returns \((\text {PK}, \text {SK})\).
\(\textsf {Sig.Sign}_{\textit{pp}}(\text {PK}, \text {SK}, m) \rightarrow \sigma \). On input the public key \(\text {PK}\), the secret key \(\text {SK}\) and a message \(m = \check{M}\in \check{{\mathbb {H}}}\), this \(\textsc {ppt}\) algorithm generates a signature \(\sigma \) as follows.
It returns \(\sigma := (\check{Z}, \check{R}, \hat{S}, \check{T}, \check{U}, \hat{V}, \check{W})\).
\(\textsf {Sig.Vrf}_{\textit{pp}}(\text {PK}, m, \sigma ) \rightarrow d\). On input the public key \(\text {PK}\), a message \(m = \check{M}\in \check{{\mathbb {H}}}\) and a signature \(\sigma = (\check{Z}, \check{R}, \hat{S}, \check{T}, \check{U}, \hat{V}, \check{W})\), this deterministic algorithm checks whether the following verification equation system holds or not.
It returns a boolean decision d.
D Proof of Proposition 1
Proof
(Sketc.h). Suppose that any \(\textsc {ppt}\) algorithm \(\mathbf {A}\) that is in accordance with the experiment \(\textsf {Exp}^{\text {ano-prf}}_{\textsf {dACS},\mathbf {A}}{(1^\lambda , 1^\mu )}\) is given. Then we construct a \(\textsc {ppt}\) algorithm \(\mathbf {A}\) that is in accordance with the experiment \(\textsf {Exp}^{\text {unlink-prf}}_{\textsf {dACS},\mathbf {B}}{(1^\lambda , 1^\mu )}\) as follows. \(\mathbf {B}\) employs A as a subroutine. \(\mathbf {B}\) is able to generate \(\mathbf {A}\)’s input by using \(\mathbf {B}\)’s input and \(\mathbf {A}\)’s output. Also, \(\mathbf {B}\) is able to answer to \(\mathbf {A}\)’s queries by issuing queries to \(\mathbf {B}\)’s oracle and using the answers. Finally, when \(\mathbf {A}\) outputs \(b'\), \(\mathbf {B}\) puts \(d:=b'\). \(\square \)
E Proof of Theorem 1
Proof
Given any \(\textsc {ppt}\) algorithm \(\mathbf {A}\) that is in accordance with the experiment \(\textsf {Exp}^{\text {euf-coll}}_{\textsf {dACS},\mathbf {A}}{(1^\lambda , 1^\mu )}\), we construct a \(\textsc {ppt}\) algorithm \(\mathbf {F}\) that generates an existential forgery of \(\textsf {Sig}\) according to the experiment \(\textsf {Exp}^{\text {euf-cma}}_{\textsf {Sig},\mathbf {F}}(1^\lambda )\). \(\mathbf {F}\) is given as input the set of public parameters \(\textit{pp}\) and a public key \(\text {PK}_{\textsf {Sig}}\). \(\mathbf {F}\) is also given an auxiliary input \(\mu \). \(\mathbf {F}\) executes \(\textsf {Cmt.KG}_{\textit{pp}}(\texttt {ext})\) to obtain a pair (ck, xk). \(\mathbf {F}\) puts \(\textit{pp}:= (\textit{pp}, {ck})\). \(\mathbf {F}\) invokes the algorithm \(\mathbf {A}\) with \(1^{\lambda }\) to obtain the number \(\mu \) and \(S t\). \(\mathbf {F}\) chooses a target index \(a^{\dag }\) from the set \(A := \{ 1,\dots ,\mu \}\) uniformly at random. \(\mathbf {F}\) executes the authority key generation algorithm honestly for \(a \in A\) except the target index \(a^{\dag }\). As for \(a^{\dag }\), \(\mathbf {F}\) uses the input public key:
\(\mathbf {F}\) inputs \(S t\) and the public keys \((\text {PK}^{a})^{a \in A}\) into \(\mathbf {A}\). Then \(\mathbf {F}\) obtains a set of corrupted authority indices \(\tilde{A}\) from \(\mathbf {A}\). \(\mathbf {F}\) puts \(\bar{\tilde{A}} := A \backslash \tilde{A}\). If \(a^{\dag } \in \bar{\tilde{A}}\) (the case \(\textsc {TgtIdx}_1\)), then \(a^{\dag }\) is not in \(\tilde{A}\) and \(\mathbf {F}\) is able to input \((S t, (\text {MSK}^{a})^{a \in \tilde{A}})\) into \(\mathbf {A}\). Otherwise \(\mathbf {F}\) aborts.
Simulation of Private Secret Key Oracle. When \(\mathbf {A}\) issues a private secret key query with \(a \in A_j \subsetneq \bar{\tilde{A}}\) and \(\texttt {i}_j \in \mathbb {Z}_p (j=1,\dots , q_{\text {sk}})\), \(\mathbf {F}\) executes the private secret key generation algorithm with \(\texttt {i}_j\) honestly for \(a \in \bar{\tilde{A}}\) such that \(a \ne a^{\dag }\). As for \(a = a^{\dag }\), \(\mathbf {F}\) issues a signing query to its oracle with \(\texttt {i}_j\):
\(\mathbf {F}\) replies to \(\mathbf {A}\) with the secret key \(\text {sk}^{a}_{\texttt {i}_j}\). This is a perfect simulation.
At the end \(\mathbf {A}\) returns a forgery proof and the target set of authority indices \((\pi ^*, A^*)\). Note here that \(A^* \subset \bar{\tilde{A}}\) as in the definition.
Generating Existential Forgery. Next, \(\mathbf {F}\) runs a \(\textsf {Verifier}_{\textit{pp}}\) with an input \(((\text {PK}^{a})^{a \in A^*}, \pi ^*)\). If the decision d of \(\textsf {Verifier}_{\textit{pp}}\) is \(1\), then \(\mathbf {F}\) executes for each \(a \in A^*\) the extraction algorithm \(\textsf {Cmt.Ext}_{\textit{pp}}({xk}, c^{a})\) to obtain a committed message \((w^{a})^* = ((w^{a}_0)^*, ((w^{a}_{k})^*)_{k} )\) (see Definition 8 in Appendix). Note here that, for all \(a \in A^*\), \((w^{a}_0)^*\) is equal to a single element \((w_0)^*\) in \({\mathbb {G}}\). This is because of the perfectly binding property of \(\textsf {Cmt}_{\textit{pp}}\). Then \(\mathbf {F}\) puts \(\texttt {i}^* := (w_0)^*\). Here the restriction (8)(9) assures that, if \(q_{\text {sk}} > 0\), then there exists at least one \(\hat{a} \in (A^* \backslash A_j)\) for some \(j \in \{1,\dots , q_{\text {sk}}\}\). If \(q_{\text {sk}} = 0\), then there exists at least one \(\hat{a} \in A^*\). \(\mathbf {F}\) chooses one such \(\hat{a}\) and puts \(\sigma ^* := (\sigma ^{\hat{a}})^* := ( (w^{\hat{a}}_{k})^*)_{k}\). \(\mathbf {F}\) returns a forgery pair of a message and a signature \((\texttt {i}^*, \sigma ^*)\). This completes the description of \(\mathbf {F}\).
Probability Evaluation. The probability that the returned value \((\texttt {i}^*, \sigma ^*)\) is actually an existential forgery is evaluated as follows. We name the events in the above \(\mathbf {F}\) as:
We have the following equalities.
The left-hand side of the equality (18) is expanded as follows.
Claim 1
Proof
\(\hat{a}\) coincides with \(a^{\dag }\) with probability 1/|A| because \(a^{\dag }\) is chosen uniformly at random from A by \(\mathbf {F}\) and no information of \(a^{\dag }\) is leaked to \(\mathbf {A}\). \(\square \)
Claim 2
If \(\textsc {TgtIdx}\) occurs, then \(\texttt {i}^*\) is not queried by \(\mathbf {F}\) to its oracle \(\mathbf {SignO}_{\textit{pp}}\).
Proof
This is because of the restriction (8)(9). \(\square \)
Claim 3
Proof
This is because of the perfect knowledge extraction of \({\textsf {Prv}_{\textit{pp}}}\) (see Definition 8 in Appendix). \(\square \)
Combining (17), (18), (19), (20), (21) and (22) we have:
\(\square \)
F Proof of Theorem 2
Proof
Suppose that any \(\textsc {ppt}\) algorithm \(\mathbf {A}\) that is in accordance with the experiment \(\textsf {Exp}^{\text {unlink-prf}}_{\textsf {dACS},\mathbf {A}}{(1^\lambda , 1^\mu )}\) is given. We set a sequence of games, \(\textsf {Game}_0\) and \(\textsf {Game}_1\), as follows. \(\textsf {Game}_0\) is exactly the same as \(\textsf {Exp}^{\text {unlink-prf}}_{\textsf {dACS},\mathbf {A}}{(1^\lambda , 1^\mu )}\). Note that when a set of public parameters \(\textit{pp}= (\textit{pp}', {ck})\) is given to \(\mathbf {A}\) where \(\textit{pp}'\) is for bilinear groups, the commitment key ck is chosen as a commitment key ck of the mode \(\texttt {nor}\). We denote the probability that \(\textsf {Game}_0\) returns \(\textsc {Win}\) as \(\Pr [\textsc {Win}_0]\).
\(\textsf {Game}_1\) is the same as \(\textsf {Game}_0\) except that, when a set of public parameters \(\textit{pp}= (\textit{pp}', {ck})\) is given to \(\mathbf {A}\), the commitment key ck is chosen as a commitment key ck of the mode \(\texttt {sim}\). We denote the probability that \(\textsf {Game}_1\) returns \(\textsc {Win}\) as \(\Pr [\textsc {Win}_1]\). The values in \(\textsf {Game}_1\) distribute identically for both \(\texttt {i}_0\) and \(\texttt {i}_1\) due to the perfectly hiding property (13) and the perfect witness-indistinguishability (14). Therefore, \(\Pr [\textsc {Win}_1] = 1/2\).
Employing \(\mathbf {A}\) as a subroutine, we construct a \(\textsc {ppt}\) distinguisher algorithm \(\mathbf {D}\) as follows. Given an input \(\textit{pp}, {ck}\), \(\mathbf {D}\) reads out the security parameter. \(\mathbf {D}\) simulates the environment of \(\mathbf {A}\) in \(\textsf {Game}_0\) or \(\textsf {Game}_1\) honestly except that \(\mathbf {D}\) puts \(\textit{pp}:= (\textit{pp}, {ck})\) instead of executing \(\textsf {Setup}(1^{\lambda })\). If \(b = b'\), then \(\mathbf {D}\) returns 1, and otherwise, 0. By the definition of (12) (see Definition 3 in Appendix), \(\Pr [\mathbf {D}(\textit{pp}, {ck}) = 1 \mid {ck} \leftarrow \textsf {Cmt.KG}_{\textit{pp}}(\texttt {nor}) ] = \Pr [\textsc {Win}_0]\) and \(\Pr [\mathbf {D}(\textit{pp}, {ck}) = 1 \mid ({ck}, {tk}) \leftarrow \textsf {Cmt.KG}_{\textit{pp}}(\texttt {sim}) ] = \Pr [\textsc {Win}_1]\), and
Therefore,
\(\square \)
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Anada, H. (2021). Decentralized Multi-authority Anonymous Credential System with Bundled Languages on Identifiers. In: Maimut, D., Oprina, AG., Sauveron, D. (eds) Innovative Security Solutions for Information Technology and Communications. SecITC 2020. Lecture Notes in Computer Science(), vol 12596. Springer, Cham. https://doi.org/10.1007/978-3-030-69255-1_6
Download citation
DOI: https://doi.org/10.1007/978-3-030-69255-1_6
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-69254-4
Online ISBN: 978-3-030-69255-1
eBook Packages: Computer ScienceComputer Science (R0)