Cryptology ePrint Archive: Report 2022/004

Publicly verifiable anonymous tokens with private metadata bit

Fabrice Benhamouda and Tancrède Lepoint and Michele Orrù and Mariana Raykova

Abstract: We present a new construction for publicly verifiable anonymous tokens with private metadata. This primitive enables an issuer to generate an anonymous authentication token for a user while embedding a single private metadata bit. The token can be publicly verified, while the value of the private metadata is accessible only to the party holding the secret issuing key and remains hidden from any other party, even the user. The security properties of this primitive also include unforgeability, which guarantees that only the issuer can generate new valid tokens, and unlinkability, which guarantees that tokens issued with the same private metadata bit are indistinguishable. Our anonymous tokens scheme builds on top of blind Schnorr signatures.

We analyze its security in the algebraic group model and prove it secure under the modified ROS, one-more discrete logarithm, and decisional Diffie-Hellman assumptions.

Category / Keywords: public-key cryptography / cryptographic protocols, anonymity

Date: received 1 Jan 2022, last revised 2 Jan 2022

Contact author: fabrice benhamouda at gmail com, crypto at tancre de, marianar at google com, michele orru at berkeley edu

