Paper 2023/320

Anonymous Counting Tokens

Fabrice Benhamouda, Algorand Foundation
Mariana Raykova, Google
Karn Seth, Google

We introduce a new primitive called anonymous counting tokens (ACTs) which allows clients to obtain blind signatures or MACs (aka tokens) on messages of their choice, while at the same time enabling issuers to enforce rate limits on the number of tokens that a client can obtain for each message. Our constructions enforce that each client will be able to obtain only one token per message and we show a generic transformation to support other rate limiting as well. We achieve this new property while maintaining the unforgeability and unlinkability properties required for anonymous tokens schemes. We present four ACT constructions with various trade-offs for their efficiency and underlying security assumptions. One construction uses factorization-based primitives and a cyclic group. It is secure in the random oracle model under the q-DDHI assumption (in a cyclic group) and the DCR assumption. Our three other constructions use bilinear maps: one is secure in the standard model under q-DDHI and SXDH, one is secure in the random oracle model under SXDH, and the most efficient of the three is secure in the random oracle model and generic bilinear group model.

Available format(s)
Cryptographic protocols
Publication info
Contact author(s)
fbenhamo102 @ gmail com
marianar @ google com
karn @ google com
2023-03-05: approved
2023-03-03: received
See all versions
Short URL
Creative Commons Attribution


      author = {Fabrice Benhamouda and Mariana Raykova and Karn Seth},
      title = {Anonymous Counting Tokens},
      howpublished = {Cryptology ePrint Archive, Paper 2023/320},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.