(1) We give the first practical solution that allows a user to unlinkably demonstrate possession of a credential as many times as necessary without involving the issuing organization.
(2) To prevent misuse of anonymity, our scheme is the first to offer optional anonymity revocation for particular transactions.
(3) Our scheme offers separability: all organizations can choose their cryptographic keys independently of each other.
Moreover, we suggest more effective means of preventing users from sharing their credentials, by introducing {\em all-or-nothing} sharing: a user who allows a friend to use one of her credentials once, gives him the ability to use all of her credentials, i.e., taking over her identity. This is implemented by a new primitive, called {\em circular encryption}, which is of independent interest, and can be realized from any semantically secure cryptosystem in the random oracle model.
Category / Keywords: cryptographic protocols / Publication Info: Extended version of what is going to appear in EUROCPRYPT 2001 Date: received 1 Mar 2001 Contact author: jca at zurich ibm com Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation Version: 20010301:163800 (All versions of this report) Short URL: ia.cr/2001/019 Discussion forum: Show discussion | Start new discussion