Anonymous credentials (AC) offer privacy in user-centric identity
management. They enable users to authenticate anonymously, revealing only necessary attributes. With the rise of decentralized
systems like self-sovereign identity, the demand for efficient AC
systems in a decentralized setting has grown. Relying on conventional AC systems, however, require users to present independent
credentials when obtaining them from different issuers, leading
to increased complexity. AC systems should ideally support being
multi-authority for efficient presentation of multiple credentials
from various issuers. Another vital property is issuer hiding, ensuring that the issuer’s identity remains concealed, revealing only
compliance with the verifier’s policy. This prevents unique identification based on the sole combination of credential issuers. To
date, there exists no AC scheme satisfying both properties simultaneously.
This paper introduces Issuer-Hiding Multi-Authority Anonymous Credentials (IhMA), utilizing two novel signature primitives:
Aggregate Signatures with Randomizable Tags and Public Keys and
Aggregate Mercurial Signatures. We provide two constructions of
IhMA with different trade-offs based on these primitives and believe
that they will have applications beyond IhMA. Besides defining the
notations and rigorous security definitions for our primitives, we
provide provably secure and efficient constructions, and present
benchmarks to showcase practical efficiency.
