Anonymous Credentials with Practical Revocation using Elliptic Curves

Petr Dzurenda

, Jan Hajny

, Lukas Malina

and Sara Ricci

Brno University of Technology, Technicka 12, Brno, Czech Republic

UNESCO Chair in Data privacy, Department of Computer Science and Mathematics, Universitat Rovira i Virgili,

Av. Pa

ısos Catalans 26, Tarragona, Catalonia, Spain

Keywords:

Attribute-based Credentials, Anonymity, Efﬁcient Revocation, Elliptic Curves, Privacy, Smart Cards.

Abstract:

Anonymous Attribute-Based Credential (ABC) schemes allow users to anonymously prove the ownership of

their attributes, such as age, citizenship, gender. The ABC schemes are part of a larger group of crypto-

graphic constructions called Privacy Enhancing Technologies (PETs), aiming to increase user’s privacy. In

the article, we present a new ABC scheme based on elliptic curves and HM12 scheme. The scheme provides

anonymity, untraceability, unlinkability, selective disclosure of attributes, non-transferability, revocation and

malicious user identiﬁcation. By involving elliptic curves, we achieved faster veriﬁcation phase (by 30%) and

smaller communication cost between user and veriﬁer (by 85%) compared to the original HM12 scheme, with

equivalent or greater security level.

1 INTRODUCTION

Current authentication schemes use identity-based au-

thentication approach, i.e., a user reveals his identity

to a veriﬁer. In other words, a veriﬁer asks a user the

question ”Who are you?” at ﬁrst. This question has

a big impact on user’s privacy. Nevertheless, user’s

identity does not need to be always disclosed. For in-

stance, a hospital wants to give an access to the HIV

discussion group to a user who presents this disease,

but a patient could be reluctant to participate in the

group if he has to reveal his identity. In many cases,

it is enough to know some particular user’s attributes

only.

ABC schemes are modern cryptographic schemes

which provide higher protection of users’ privacy dur-

ing a veriﬁcation phase. Users can anonymously

prove the possession of some personal attributes with-

out disclosing their identity or any other sensitive in-

formation. ABC schemes change the question from

”Who are you?” to ”What can you do?”, which is

more privacy-preserving for a user and sufﬁcient for

a veriﬁer. A user in the system holds some personal

attributes, and during the veriﬁcation phase, he proves

the possession of the attributes required by a veriﬁer.

The examples of attributes include age, citizenship,

gender or nationality for eIDs (electronic ID cards),

validity of ticket for public transportation, etc.

Elliptic curves cryptography (ECC) provides se-

curity level comparable to classic systems while us-

ing fewer bits and less computing power. For this

reason, ECC is very suitable for ultra-low-power de-

vices. Nowadays, there are only few well-known

ABC schemes such as U-Prove (Christian Paquin,

2013), Idemix (Bichsel et al., 2010), Verheul (Ver-

heul, 2001) and HM12 (Hajny and Malina, 2013; Ha-

jny et al., 2014). Most of them can be easily con-

structed over ECC except the HM12 scheme.

In this article, we present a new ABC scheme

based on elliptic curves (ECs) and the HM12 scheme.

Our variant meets all requirements for an ABC

scheme, in particular anonymity, untraceability, un-

linkability, selective disclosure of attributes, non-

transferability, revocation and malicious user identiﬁ-

cation. Furthermore, by involving ECs in the scheme,

we achieve higher computational efﬁciency compared

with the standard HM12 scheme, especially during

the veriﬁcation phase.

1.1 Related Work

There are only few practical ABC schemes, such as

U-Prove (Christian Paquin, 2013), Idemix (Bichsel

et al., 2010), Verheul (Verheul, 2001) and HM12 (Ha-

jny and Malina, 2013; Hajny et al., 2014), which

allow users to anonymously prove the possession of

534

Dzurenda, P., Hajny, J., Malina, L. and Ricci, S.

Anonymous Credentials with Practical Revocation using Elliptic Curves.

DOI: 10.5220/0006467705340539

In Proceedings of the 14th International Joint Conference on e-Business and Telecommunications (ICETE 2017) - Volume 4: SECRYPT, pages 534-539

ISBN: 978-989-758-259-2

their attributes. These schemes also provide untrace-

ability, which means that an issuer, who issued at-

tributes to a user, is not able to track the user dur-

ing the veriﬁcation phase. U-prove is a crypto-

graphic technology maintained by Microsoft Corpo-

ration. The main drawback of the scheme is the ses-

sion linkability, i.e., all anonymous credentials of a

single user are mutually linkable. Moreover, U-prove

does not provide features for malicious user identi-

ﬁcation. Idemix technology (Identity Mixer) is an

anonymous credential system developed at IBM Re-

search in Zurich. Idemix provides session unlinkabil-

ity. On the other hand, there is no universal efﬁcient

revocation mechanism, therefore it is not possible to

directly revoke users’ credentials and identify mali-

cious users. Verheul scheme allow users to random-

ize their key pairs and the corresponding certiﬁcate.

The drawbacks of the scheme are the unsupported se-

lective disclosure of attributes and the inefﬁcient re-

vocation mechanism. At last, HM12 scheme solves

all drawbacks of the previous schemes by providing

anonymity, untraceability, unlinkability, selective dis-

closure of attributes and non-transferability. Revoca-

tion of anonymous credentials and identiﬁcation of

malicious users are made possible by using Okamoto-

Uchiyama trapdoor (Okamoto and Uchiyama, 1998).

The most efﬁcient implementation of U-prove

protocol was done on a MultOS card and was de-

scribed in (Mostowski and Vullers, 2011). The proof

of attribute ownership is faster than 1 s. Idemix was

also implemented on MultOS card and its proof of

attribute ownership needs around 1.2 s. EC imple-

mentation of Verhoul’s scheme on Java Card was

described in (Batina et al., 2010), where the proof

of attribute ownership implementation lasts around

1.5 s. Implementation results of HM12 on MultOS

card platform were published in (Hajny and Malina,

2013), where the implementation of attribute owner-

ship proof requires more than 2 s.

2 PRELIMINARIES

We use the notation introduced by Camenisch and

Stadler (Camenisch and Stadler, 1997) to describe

Proof of Knowledge (PK) protocols. Let c be a num-

ber in a ﬁnite group K and g a generator of the

same group K, the protocol proving the knowledge

of discrete logarithm of c with respect to g is de-

noted as PK{w : c = g

}. Equivalently, given C,G

two points of an elliptic curve E over a ﬁnite ﬁeld

F, where G is a base point of E, the protocol prov-

ing the knowledge of EC discrete logarithm of C

with respect to G is denoted as PK{w : C = w • G}.

Furthermore, we use the proof of representation de-

noted as PK{w

,... ,w

: c = g

· g

···g

} in

the standard variant and as PK{w

,... ,w

: C =

• G

+ w

• G

+ · ·· + w

• G

} in the EC vari-

ant. The proof of discrete log equivalence with re-

spect to different generators g

, g

∈ K is denoted as

PK{w : c

= g

∧ c

= g

}. A signature by a tradi-

tional scheme (e.g., RSA) of a user U on some data

is denoted as Sig

(data). The symbol ”·” denotes

multiplication, ”•” denotes scalar EC point multipli-

cation, ”:” means ”such that”, ”|” means ”divides”,

”|x|” is the bitlength of x, and ”x ∈

{0,1}

” is a ran-

domly chosen bitstring of maximum length l. As in

the original HM12 scheme, we also use the trapdoor

one-way function of Okamoto-Uchiyama (OU) cryp-

tosystem (Okamoto and Uchiyama, 1998) during the

attribute issuance, nevertheless, the veriﬁcation phase

completely runs over ECs. OU cryptosystem relies

on the assumption that the discrete logarithm prob-

lem is hard to compute in OU groups similarly as in

RSA composite groups. However, if the factorization

of the OU modulus n = r

· s is known, i.e., r, s are

known, the discrete logarithms can be efﬁciently com-

puted and, therefore, it is possible to recover w from

c = g

mod n using the following equation,

w = dlog

c =

[(c

r−1

mod r

) − 1]/r

[(g

r−1

mod r

) − 1]/r

mod r,

(1)

where g ∈ Z

is the generator of the OU group such

that g mod r

is a primitive element of Z

and the

value r is the trapdoor in the OU scheme.

3 PROPOSED SCHEME

The entities involved in the ecHM12 scheme are fol-

lowing:

• User (U) – gets issued attributes from Issuer and

anonymously proves their possession to Veriﬁer.

• Issuer (I) – is responsible for issuing user at-

tributes.

• Revocation Authority (RA) – validates user cre-

dentials (collection of attributes issued by Issuer),

can revoke a (dishonest) user, and in collaboration

with Issuer, can identify the (dishonest) user.

• Veriﬁer (V) – veriﬁes possession of required at-

tributes provided by User.

Each entity communicates in the system through spe-

ciﬁc cryptographic protocols. All the protocols and

involved entities are depicted in Figure. 1.

As well as the HM12 scheme, also ecHM12

scheme provides the properties required for ABC

schemes:

Anonymous Credentials with Practical Revocation using Elliptic Curves

535

Figure 1: Architecture of proposed ecHM12 scheme.

• Anonymity – U anonymously proves possession

of attributes. Therefore, his identity and his be-

haviour remains hidden in the system.

• Untraceability – all the credentials are random-

ized, i.e., I is not able to track U’s movements and

behaviour.

• Unlinkability – all sessions are mutually unlink-

able. Therefore, V or an eavesdropper are not able

to link individual sessions together and proﬁle U.

• Non-transferability – U is equipped with unique

private key, which is stored on a secure element,

e.g. a smart card.

• Selective disclosure of attributes – U can choose

the attributes which have to be disclosed, other at-

tributes remain hidden.

• Revocation – RA is able to remove U from the

system, to revoke U’s credentials or to disclose

U’s identity and to revoke the unlinkability prop-

erty.

3.1 Cryptography Speciﬁcation

In this section we provide a description of each proto-

col which runs within the proposed scheme.

3.1.1 Setup Protocol

(sysparam,K

) ← Setup(k, l,m) – The Setup

protocol mostly matches the original HM12 scheme,

only in the ﬁnal step the scheme is switched to the EC

variant. The main purpose of this protocol is to estab-

lish sysparam and to generate K

and K

. The input

parameters k,l,m deﬁne the security level of the cryp-

tographic scheme, where k presents the length of the

hash function, l is related to the length of U’s secrets

and m is the veriﬁcation error parameter. I deﬁnes a

group H modulo big prime number p and generators

of order q, with q|p − 1. H is the subgroup of the

group Z

∗

as in the DSA signature scheme. In addi-

tion, I generates the key pair sk

and pk

for signing

purpose using a deﬁned signature scheme, e.g. RSA.

RA needs to:

• deﬁne the OU group G by specifying the modulus

n = r

· s, where r and s are big prime numbers

(|r| > 720, |r| > 2|q|, |n| ≥ 2048, r = 2r

+ 1, s =

+ 1, where r

and s

are primes).

• generate g

∈

∗

of ord(g

mod r

) = r(r − 1)

in Z

∗

and ord(g

) = r · r

· s

in Z

∗

• choose an EC over ﬁnite ﬁeld E(F

) with the do-

main parameters (a,b, p,q,G, h), where p is an big

prime number specifying the ﬁeld F

, a, b ∈ F

are coefﬁcients of the EC, G is an EC point gen-

erator G = (x

) of order q, and the h is the

cofactor deﬁned by h = #E(F

)/q.

• randomly choose RA secrets s

∈

, such

that GCD(s

,q) = GCD(s

,q) = 1.

• compute g

= g

mod n in the OU group.

• compute G

= G, ecA

seed

= s

• G

, G

= s

• G

and G

= s

• G

over E(F

The system parameters sysparam = (g

, g

,n = r · s,H, G, E(F

), G

,ecA

seed

, pk

) are

made public, the values r, s representing the RA key

are securely stored by RA, and the key K

= sk

is securely stored by I.

3.1.2 Issue

Att Protocol

) ← Issue Att(sysparam,K

) – Following

the HM12 idea, the protocol is split into two parts

Issuer Att1 and Issuer Att2 protocols, see Fig-

ure 2. The goal is to compute U’s key K

}. Issuer

Att1 runs between U and I.

U generates a cryptographic commitment

H = h

mod p in H, where U’s keys w

are commit-

ted values. After, U signs the commitment with his

private key sk

and sends it and the signature with

the proof of construction PK to I. I veriﬁes the signa-

ture and signs U’s commitments by his private key sk

Commitments are stored by I for identiﬁcation and

revocation purposes. Any secure signature scheme,

e.g. RSA, DSA, can be used. Issuer Att2 runs be-

tween U and RA. U computes another commitment

A = g

· g

mod n in OU group G and sends

the signature of

H (generated by I) and the proof of

discrete log equivalence PK to RA. Now, RA is able

to compute the User’s key w

using the Equation 1

such that the following equations hold:

ecA

seed

= w

• G

+ w

• G

+ w

• G

ecA

seed

= w

• G

+ w

· s

• G

+ w

· s

• G

ecA

seed

= (w

+ w

· s

+ w

· s

) • G

(2)

SECRYPT 2017 - 14th International Conference on Security and Cryptography

536

Revocation Authority User Issuer

sysparam = (g

,n,H, G, E(F

),G

,ecA

seed

, pk

)

= (r, s) sk

= sk

∈

, w

∈

H = h

· h

mod p

PK{w

: h

· h

},Sig

(sk

−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→

Check PK and signature

Store: (

H,Sig

(

H))

Sig

(sk

←−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

A = g

· g

mod n

H,Sig

(sk

H),PK{w

H = h

· h

∧

A = g

· g

}

←−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

Check PK

= (s

− dlog

A) · s

−1

mod q

Store:

H,Sig

(

H,sk

),w

−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→

Store: K

= {w

} : ecA

seed

= w

• G

+ w

• G

+ w

• G

Figure 2: Issue Att protocol of the ecHM12 scheme.

H and w

are stored in RA’s database and w

sent to U. U securely stores K

= (w

), eg. on

a smart card.

3.1.3 Prove Att Protocol

(proo f ) ← Prove Att(sysparam, K

) – This proto-

col runs fully over E(F

). The protocol is depicted

in Figure 3. U proves the ownership of attributes

) to V using PK protocols. The unlink-

ability is provided by using the random number K

which is re-generated in every session. Moreover, the

protocol provides revocation features by committing

the value K

in the commitment C

and the commit-

ted value w

(revocable key part of the User’s key)

in the commitment C

. C

and C

permit to check if

the U is in the black list or not, and to remove him

from the system by involving RA in the revocation

process. The veriﬁcation time depends on the amount

of disclosed attributes by U and on the amount of all

revoked Us.

3.1.4 Revoke Protocol

(rev) ← Revoke(sysparam, proo f ,K

) – The origi-

nal HM12 scheme uses OU trapdoor to solve discrete

logarithm problem. In ecHM12 scheme, this trapdoor

cannot be used. However, revocation of a dishonest

user is still possible. The protocol input parameters

are system parameters sysparam and proo f generated

by the User within Prove Att protocol. The revo-

cation part of the proof consists of commitments C

and C

. RA computes Equation 3 for all user keys

DATABASE

in RA’s database until a match is found.

DATABASE

•C

= C

(3)

If a match is found, the commitment that be-

longs to this particular U is revoked by publishing

on a black list. The revocation complexity is lin-

ear in the number of Us instead of constant as in the

HM12 scheme. Yet revocation remains practical, see

Section 5 for implementation details. On the other

hand, the protocol Prove

Att is faster than in HM12

scheme.

4 SECURITY ANALYSIS

The ProveAtt protocol is a standard proof

of knowledge protocol that can be denoted as

PK{(K

) : A = K

• ecA

seed

∧ A =

• G

+ K

• G

+ K

• G

Completeness. (i.e., honest users are always ac-

cepted by the protocol) is given by the design of the

protocol and can be proven by expanding veriﬁer’s

equations.

Soundness. (i.e., dishonest users are always re-

jected by the protocol) is proven by employing the

standard PK knowledge extractor that can extract

) and thus obtain valid user

keys (w

). Thus, the ProveAtt protocol never

accepts a user that does not know correct keys.

Zero-Knowledge. (i.e., the protocol does not release

any information about user keys) is proven by creat-

Anonymous Credentials with Practical Revocation using Elliptic Curves

537

User Veriﬁer

sysparam = (g

,n = r · s, H, G,E(F

),G

,ecA

seed

, pk

)

= {w

}

∈

A = K

• ecA

seed

= (K

· w

) • G

, C

= K

• G

∈

ecA

seed

= r

• G

+ r

• G

+ r

• G

A = r

• ecA

seed

= r

• G

= r

• G

ecA

seed

A,C

−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→

←−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

e ∈

= (r

− e · K

· w

) mod q

= (r

− e · K

· w

) mod q

= (r

− e · K

· w

) mod q

= (r

− e · K

) mod q z

−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→

Check BL: C

• w

blacklisted

= C

ecA

seed

≡ e •A + z

• G

+ z

• G

+ z

• G

A ≡ e • A + z

• ecA

seed

≡ e •C

+ z

• G

≡ e •C

+ z

• G

Figure 3: Prove Att protocol of the ecHM12 scheme.

ing the zero-knowledge simulator that can simulate

the ProveAtt protocol. The simulator is constructed

in the standard way, that is by choosing the answers

in random and reconstructing the remaining values

using Veriﬁer’s equations:

) ∈

E(F

),(z

) ∈

(4)

ecA

seed

= e • A

+ z

• G

+ z

• G

+ z

• G

= e • A

+ z

• ecA

seed

= e •C

+ z

• G

= e •C

+ z

• G

(5)

The simulator’s output (A

ecA

seed

) is indistinguishable from

the real transcript of the ProveAtt protocol

(A,C

,e,

ecA

seed

5 EXPERIMENTAL RESULTS

ABC schemes are usually implemented using Java

Card and MultOS smart card platforms. The Java

Card (JC) platform lacks modular operations support

as well as EC primitives support. Basic operations

over ECs are available on JC-3.0.5, but there is still

no smart card with this operation system available.

Therefore, we cannot consider JC in our tests. On

the other hand, MultOS cards support EC point ad-

dition and EC scalar multiplication over ECs. We

use Multos 4.2.1 card to compare the HM12 standard

scheme with the proposed ecHM12 scheme. We mea-

sured both schemes with comparable security level

deﬁned by NIST (Barker, 2016), i.e., 1392 bit ver-

sion of HM12 and 160 bit version of ecHM12, and

we also provided a comparison with 224 bit version of

ecHM12 (higher level of security with respect to the

previous values). On the smart card side, the compar-

ison of the Prove Att protocol is shown in Table 1.

The ecHM12 scheme is faster than HM12 scheme in

the veriﬁcation phase, even if a much higher security

level of the ecHM12 scheme is used. Note that the

efﬁciency of the veriﬁcation phase is crucial for the

scheme’s speed, thus user friendliness. The EC scalar

multiplication (ecPointMul) over E(F

160

) takes only

43 ms and 52 ms over E(F

224

) instead of 94 ms, that

is the time required by modular exponentiation with

1392 bit base length and 560 bit exponent length in

∗

. Data transmission is also improved: we need to

transfer only 220 B in case of E(F

160

) or 308 B in

case of E(F

224

) instead of 1,558 B in original scheme

(1392 bit version) in the Prove Att protocol. On

the V side, the time needed for checking blacklist is

also more efﬁcient in ecHM12 scheme than in HM12

scheme because of the involved operations: ecHM12

uses scalar multiplication and HM12 uses the slower

modular exponentiation.

For ecHM12 scheme, the revocation mechanism

complexity is linear instead of constant as in HM12

scheme. However, we expect RA to be computation-

ally strong and, consequently, the slow-down does not

really affect the protocol complexity. We use old-

SECRYPT 2017 - 14th International Conference on Security and Cryptography

538

Table 1: Comparison results in milliseconds for 1392 bit

version of the HM12 scheme and equivalent variant 160 bit

and 224 bit versions of the proposed ecHM12 scheme.

HM12 ecHM12 ecHM12

1392 bit 160 bit 224 bit

Operation tpo n. tt n. tt n. tt

mExp(160) 46 3 138 0 - 0 -

mExp(400) 72 2 150 0 - 0 -

mExp(560) 94 1 94 0 - 0 -

mExp(720) 112 2 224 0 - 0 -

mExp(880) 131 2 262 0 - 0 -

mMul 100 9 900 6 600 6 600

Sub 50 3 150 3 150 3 150

RNG 49 5 245 5 245 5 245

ecMul 52/48 0 - 10 480 10 520

ecAdd 25/23 0 - 2 46 2 50

Total - - 2163 - 1521 - 1565

Note: tpo - time per operation, n. - number of operations, tt - total time per

operation.

ish mid-range server, namely the 2009 IBM x3550

M2 with two Intel Xeon 2.27 GHz processors with

8 cores each and 32 GB RAM, to represent RA. The

EC scalar multiplication over E(F

224

) took negligible

0.0189 ms, i.e. with 100,000 users in the system, the

revocation time will be 1.9 s at maximum.

6 CONCLUSIONS

We presented a new ABC scheme based on ECs and

HM12 scheme. This variant meets all standard re-

quirements on ABC schemes, i.e. anonymity, un-

traceability, unlinkability, selective disclosure of at-

tributes, non-transferability, revocation and malicious

user identiﬁcation. By involving elliptic curves, the

ecHM12 is faster in the Prove att protocol, which

makes the scheme more applicable in current access

control systems. Prove att protocol (on card) is

about 30% faster than in the HM12 scheme. The efﬁ-

ciency advantage of our scheme grows with a higher

security level of schemes. Our solution has also good

impact on bandwidth, in fact, lower amount of data

is transferred. Data communication is 85% smaller

compared to HM12 protocol and considering compa-

rable security level (1392 bit / 160 bit).

The revocation process requires linear time in the

number of Us instead of constant time of the HM12

scheme, but, considering that the current servers have

high computing power, the slow-down does not really

affect the protocol usability. Our next steps are the

MultOS smart card optimisation and black list check

optimization on V’s side. Further, we would like to

improve the complexity of the Revoke protocol.

ACKNOWLEDGEMENTS

Research was sponsored by the Technology Agency

of the Czech Republic project TA04010476 ”Secure

Systems for Electronic Services User Veriﬁcation”,

the National Sustainability Program LO1401, Euro-

pean Commission (project H2020 644024 CLARUS)

and Spanish Government (Sec-MCloud TIN2016-

80250-R). For the research, infrastructure of the SIX

Center was used.

REFERENCES

Barker, E. (2016). Recommendation for key management

part 1: General (revision 4). NIST Special Publication

Part 1, 800(57):1–147.

Batina, L., Hoepman, J.-H., Jacobs, B., Mostowski, W.,

and Vullers, P. (2010). Developing efﬁcient blinded

attribute certiﬁcates on smart cards via pairings. In

CARDIS, pages 209–222. Springer.

Bichsel, P., Binding, C., Camenisch, J., Groß, T., Heydt-

Benjamin, T., Sommer, D., and Zaverucha, G. (2010).

Speciﬁcation of the identity mixer cryptographic li-

brary version 2.3.0*. Technical report, IBM.

Camenisch, J. and Stadler, M. (1997). Efﬁcient group

signature schemes for large groups. Advances in

Cryptology—CRYPTO’97, pages 410–424.

Christian Paquin, G. Z. (2013). U-prove cryptographic

speciﬁcation v1.1. In Microsoft, pages 1–23.

Hajny, J., Dzurenda, P., and Malina, L. (2014). Privacy-

pac: Privacy-enhanced physical access control. In

Proceedings of the ACM CCS, WPES ’14, pages 93–

96, New York, NY, USA. ACM.

Hajny, J. and Malina, L. (2013). Unlinkable attribute-

based credentials with practical revocation on smart-

cards. In Smart Card Research and Advanced Ap-

plications: 11th International Conference, CARDIS

2012, Graz, Austria, November 28-30, 2012, Revised

Selected Papers, pages 62–76, Berlin, Heidelberg.

Springer Berlin Heidelberg.

Mostowski, W. and Vullers, P. (2011). Efﬁcient u-prove

implementation for anonymous credentials on smart

cards. In International Conference on Security and

Privacy in Communication Systems, pages 243–260.

Springer.

Okamoto, T. and Uchiyama, S. (1998). A new public-key

cryptosystem as secure as factoring. In International

Conference on the Theory and Applications of Cryp-

tographic Techniques, pages 308–318. Springer.

Verheul, E. R. (2001). Self-blindable credential certiﬁcates

from the weil pairing. pages 533–551.

Anonymous Credentials with Practical Revocation using Elliptic Curves

539