In this page we go over various proposed anonymous credential and token schemes.
We start our investigation with anonymous credentials schemes that have been specified and implemented. We first present the various schemes and their security properties in this table, and then we dive more in depth right below.
| Scheme | Type | Attributes | Public Verifiability | Other notes |
|---|---|---|---|---|
| Privacy Pass | Single-show | ? | No | Perfect Unlinkability |
| Signal Creds | Multi-show | Yes | No | |
| Coconut | Multi-show | Yes | Yes | Complex attributes / Threshold Issuance |
| Idemix | Multi-show | ? | ? | |
| FB PrivateStats | Single-show | Yes | No | |
| U-Prove | Single-show | Yes | ? | |
| FB Blind Sigs | Single-show | ? | Yes | Perfect Unlinkability |
| aeonflux | Multi-show | Yes | No |
[DGST18]: Privacy Pass
Click for details
[CPZ19]: Signal Private Group System
Click for details
- Implementation
- Properties: Multi-show, Public Attributes
- Based on: KVAC
- Performance:
[SABM19]: Coconut
Click for details
- Implementation and another implementation
- Properties: Public Verifiability, Multi-show, Public/Private Attributes, Threshold Issuance
- Based on: PS signatures & BGLS Signatures & Waters Signatures
- Performance:
[CH03]: Idemix
Click for details
- Implementation
- Properties: Constant Credential Size, Multi-show
- Based on: CL03
[HIJK21]: Facebook’s PrivateStats
Click for details
- Properties: Single-show, Public Attributes
- Based on:
[PZ13]: U-Prove
Click for details
- U-Prove implementation
- Properties: Single-show, Public Attributes
- Based on: Brand’s blind signature
- Notes: The U-Prove token is single-show, but can be shown multiple times to serve as a pseudonym.
Facebook’s Blind Signatures
Click for details
- Implementation
- Properties: Public Verifiability
- Based on: Blind RSA
aeonflux
Click for details
We now continue with credential schemes that have been proposed and can serve as a basis for more complete systems but have not been implemented yet.
[BL13]: Anonymous Credentials Light
Click for details
- Based on: Abe-Okamoto
- Properties: Attributes, Single-show
- Notes: Small anonymous credentials that allow a user with a list of attributes (L_1, \dots, L_n)
[KVAC]: Keyed-Verification Anonymous Credentials
Click for details
- Based on: Algebraic MACs
- Properties: Multi-show, Public Attributes, Selective Disclosure
[TAKS10]: BLAC: Revoking Repeatedly Misbehaving Anonymous Users …
Click for details
[AMO08]: An Efficient Anonymous Credential System
Click for details
- Based on: Bilinear Pairings, TODO
- Properties: Strong-unlinkability, Attributes
[CL06]: Randomizable Proofs and Delegatable Anon Credentials
Click for details
[CL04]: Signature Schemes and Anonymous Credentials from …
Click for details
- Based on: Group Signatures
- Properties: TODO
[CL03]: A Signature Scheme with Efficient Protocols
Click for details
- Based on: ZKPs
- Properties: Multi-show, Attributes
- Notes: The distinguishing feature of a CL signature is that it allows a user to prove possession of a signature without revealing the underlying messages or even the signature itself using efficient zero-knowledge proofs of knowledge. As the proof is “zero-knowledge”, the user can repeat such a proof as many times as she wants and still it is not possible to link the individual proofs.
- Related: [CL01] An Efficient System for Non-transferable Anonymous Credentials
[CL02]: Dynamic Accumulators and Application to Efficient, Revocable Credentials
Click for details
- Based on: Accumulators
- Properties: Revocation
[EPID]: Enhanced Privacy ID
Click for details
- Based on: BBS+ signatures
- Properties: Revocation
Tor Anonymous Res Tokens
Click for details
- Tor summary and proposed specification
- Properties: Single-show
- Based on: Blind RSA
[ZKSZ20]: EL PASSO: Privacy-preserving, Asynchronous Single Sign-On
Click for details
- Based on: PS signatures
- Properties: Multi-show, Selective Attribute Disclosure
- Performance:
- Show size: 414 bytes