Paper 2022/004

Publicly verifiable anonymous tokens with private metadata bit

Fabrice Benhamouda, Tancrède Lepoint, Michele Orrù, and Mariana Raykova


We present a new construction for publicly verifiable anonymous tokens with private metadata. This primitive enables an issuer to generate an anonymous authentication token for a user while embedding a single private metadata bit. The token can be publicly verified, while the value of the private metadata is only accessible to the party holding the secret issuing key and remains hidden to any other party, even to the user. The security properties of this primitive also include unforgeability, which guarantees that only the issuer can generate new valid tokens, and unlinkability that guarantees that tokens issued with the same private metadata bit are indistinguishable. Our anonymous tokens scheme builds on the top of blind Schnorr signatures. We analyze its security in the algebraic group model and prove its security under the modified ROS assumption, one-more discrete logarithm, and decisional Diffie-Hellman assumptions.

Available format(s)
Public-key cryptography
Publication info
Preprint. MINOR revision.
cryptographic protocolsanonymity
Contact author(s)
fabrice benhamouda @ gmail com
crypto @ tancre de
marianar @ google com
michele orru @ berkeley edu
2022-01-02: revised
2022-01-01: received
See all versions
Short URL
Creative Commons Attribution


      author = {Fabrice Benhamouda and Tancrède Lepoint and Michele Orrù and Mariana Raykova},
      title = {Publicly verifiable anonymous tokens with private metadata bit},
      howpublished = {Cryptology ePrint Archive, Paper 2022/004},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.