Paper 2024/1874

Multi-Holder Anonymous Credentials from BBS Signatures

Andrea Flamini, University of Trento
Eysa Lee, Brown University
Anna Lysyanskaya, Brown University
Abstract

The eIDAS 2.0 regulation aims to develop interoperable digital identities for European citizens, and it has recently become law. One of its requirements is that credentials be unlinkable. Anonymous credentials (AC) allow holders to prove statements about their identity in a way that does not require to reveal their identity and does not enable linking different usages of the same credential. As a result, they are likely to become the technology that provides digital identity for Europeans. Any digital credential system, including anonymous credentials, needs to be secured against identity theft and fraud. In this work, we introduce the notion of a multi-holder anonymous credential scheme that allows issuing shares of credentials to different authentication factors (or ``holders''). To present the credential, the user's authentication factors jointly run a threshold presentation protocol. Our definition of security requires that the scheme provide unforgeability: the adversary cannot succeed in presenting a credential with identity attributes that do not correspond to an identity for which the adversary controls at least $t$ shares; this is true even if the adversary can obtain credentials of its choice and cause concurrent executions of the presentation protocol. Further, our definition requires that the presentation protocol provide security with identifiable abort. Finally, presentations generated by all honest holders must be unlinkable and must not reveal the user's secret identity attributes even to an adversary that controls some of the user's authentication factors. We design and prove the (concurrent) security of a multi-holder version of the BBS anonymous credential scheme. In our construction, each holder is issued a secret share of a BBS credential. Using these shares, the holders jointly compute a credential presentation that is identical to (and therefore compatible with) the traditional, single-holder variant (due to Tessaro and Zhu, Eurocrypt'23) of a BBS credential presentation.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
Anonymous CredentialsMultiparty ComputationVerifiable Presentation
Contact author(s)
andrea flamini @ unitn it
eysa_lee @ brown edu
anna_lysyanskaya @ brown edu
History
2024-11-18: approved
2024-11-16: received
See all versions
Short URL
https://ia.cr/2024/1874
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2024/1874,
      author = {Andrea Flamini and Eysa Lee and Anna Lysyanskaya},
      title = {Multi-Holder Anonymous Credentials from {BBS} Signatures},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1874},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1874}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.