Paper 2022/680

Practical Delegatable Anonymous Credentials From Equivalence Class Signatures

Omid Mir, Johannes Kepler University Linz
Daniel Slamanig, AIT Austrian Institute of Technology
Balthazar Bauer, IRIF, Université de Paris Cité
René Mayrhofer, Johannes Kepler University Linz

Anonymous credentials systems (ACs) are a powerful cryptographic tool for privacy-preserving applications and provide strong user privacy guarantees for authentication and access control. ACs allow users to prove possession of attributes encoded in a credential without revealing any information beyond them. A delegatable AC (DAC) system is an enhanced AC system that allows the owners of credentials to delegate the obtained credential to other users. This allows to model hierarchies as usually encountered within public-key infrastructures (PKIs). DACs also provide stronger privacy guarantees than traditional AC systems since the identities of issuers and delegators are also hidden. A credential issuer's identity may convey information about a user's identity even when all other information about the user is protected. We present a novel delegatable anonymous credential scheme that supports attributes, provides anonymity for delegations, allows the delegators to restrict further delegations, and also comes with an efficient construction. In particular, our DAC credentials do not grow with delegations, i.e., are of constant size. Our approach builds on a new primitive that we call structure-preserving signatures on equivalence classes on updatable commitments (SPSEQ-UC). The high-level idea is to use a special signature scheme that can sign vectors of set commitments which can be extended by additional set commitments. Signatures additionally include a user's public key, which can be switched. This allows us to efficiently realize delegation in the DAC. Similar to conventional SPSEQ signatures, the signatures and messages can be publicly randomized and thus allow unlinkable showings in the DAC system. We present further optimizations such as cross-set commitment aggregation that, in combination, enable selective, efficient showings in the DAC without using costly zero-knowledge proofs. We present an efficient instantiation that is proven to be secure in the generic group model and finally demonstrate the practical efficiency of our DAC by presenting performance benchmarks based on an implementation.

Available format(s)
Cryptographic protocols
Publication info
Equivalence-class signatures Set commitments Delegatable anonymous credentials
Contact author(s)
mir @ ins jku at
daniel slamanig @ ait ac at
Balthazar Bauer @ ens fr
rm @ ins jku at
2022-05-31: approved
2022-05-30: received
See all versions
Short URL
Creative Commons Attribution


      author = {Omid Mir and Daniel Slamanig and Balthazar Bauer and René Mayrhofer},
      title = {Practical Delegatable Anonymous Credentials From Equivalence Class Signatures},
      howpublished = {Cryptology ePrint Archive, Paper 2022/680},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.