Paper 2024/042

Foundations of Anonymous Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions

Jan Bobolz, University of Edinburgh
Jesus Diaz, Input Output Global, Spain
Markulf Kohlweiss, University of Edinburgh, Input Output Global, UK

In today's systems, privacy is often at odds with utility: users that reveal little information about themselves get restricted functionality, and service providers mistrust them. In practice, systems tip to either full anonymity (e.g. Monero), or full utility (e.g. Bitcoin). Well-known cryptographic primitives for bridging this gap exist: anonymous credentials (AC) let users disclose a subset of their credentials' attributes, revealing to service providers "just what they need"; group signatures (GS) allow users to authenticate anonymously, to be de-anonymized "just when deemed necessary". However, these primitives are hard to deploy. Current AC and GS variants reach specific points in the privacy-utility tradeoff, which we point as counter-productive engineering-wise, as it requires full and error-prone re-engineering to adjust the tradeoff. Also, so far, GS and AC have been studied separately by theoretical research. We take the first steps toward unifying and generalizing both domains, with the goal of bringing their benefits to practice, in a flexible way. We give a common model capturing their core properties, and use functional placeholders to subsume intermediate instantiations of the privacy-utility tradeoff under the same model. To prove its flexibility, we show how concrete variants of GS, AC (and others, like ring signatures) can be seen as special cases of our scheme – to which we refer as universal anonymous signatures (UAS). In practice, this means that instantiations following our construction can be configured to behave as variant X of a GS scheme, or as variant Y of an AC scheme, by tweaking a few functions.

Available format(s)
Public-key cryptography
Publication info
Published elsewhere. Major revision. Financial Cryptography and Data Security 2024
AnonymityPrivacy-vs-UtilityGroup SignaturesAnonymous CredentialsRing Signatures
Contact author(s)
jan bobolz @ ed ac uk
jesus diazvico @ iohk io
markulf kohlweiss @ ed ac uk
2024-01-12: approved
2024-01-10: received
See all versions
Short URL
Creative Commons Attribution


      author = {Jan Bobolz and Jesus Diaz and Markulf Kohlweiss},
      title = {Foundations of Anonymous Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions},
      howpublished = {Cryptology ePrint Archive, Paper 2024/042},
      year = {2024},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.