## Abstract

Structure-preserving signatures (SPS) are a powerful building block for cryptographic protocols. We introduce SPS on equivalence classes (SPS-EQ), which allow joint randomization of messages and signatures. Messages are projective equivalence classes defined on group-element vectors, so multiplying a vector by a scalar yields a different representative of the same class. Our scheme lets one adapt a signature for one representative to a signature for another representative without knowledge of any secret. Moreover, given a signature, an adapted signature for a different representative is indistinguishable from a fresh signature on a random message. We propose a definitional framework for SPS-EQ and an efficient construction in Type-3 bilinear groups, which we prove secure against generic forgers. We also introduce set-commitment schemes that let one open subsets of the committed set. From this and SPS-EQ, we then build an efficient multi-show attribute-based anonymous credential system for an arbitrary number of attributes. Our ABC system avoids costly zero-knowledge proofs and only requires a short interactive proof to thwart replay attacks. It is the first credential system whose bandwidth required for credential showing is independent of the number of its attributes, i.e., constant-size. We propose strengthened game-based security definitions for ABC and prove our scheme anonymous against malicious organizations in the standard model; finally, we discuss a concurrently secure variant in the CRS model.

## Notes

- 1. More generally, the user could prove knowledge of a signature without revealing it. Although this can be a significant performance bottleneck, this allows for using ABCs with conventional signatures such as ECDSA, as in [36].
- 2.
- 3. We use this as a shorthand for “appends *i* to \(\mathtt{OWNR}\), \(\mathsf{cred}\) to \(\mathtt{CRED}\) and \(\mathtt{A}\) to \(\mathtt{ATTR}\)”.
- 4.
- 5. Hence, the only random choice made by the set-commitment setup algorithm is picking the commitment trapdoor *a*. Inside \(\mathsf{OrgKeyGen}\), we will make this randomness explicit.
- 6. For instance, the approach in [35] for CL credentials in the RSA setting (encoding attributes as prime numbers) or in a pairing-based setting using BBS\(^+\) credentials [85] (encoding attributes using accumulators) where the latter additionally requires very large public parameters (one *F*-secure BB signature [19] for every possible attribute value).
- 7. In ABC schemes, one can add interactive proofs of knowledge of the logarithms when obtaining a signature; the reduction can then make signing queries using the logarithms instead of the group elements themselves, as required by the security model in [52]. However, round-optimality of blind signatures precludes adding interaction; it is also not possible to add NIZKs of knowledge, as they require a CRS, which is not compatible with the strong security model (malicious-signer anonymity) for blind signatures considered in [55].

## References

- 1. J.H. Ahn, D. Boneh, J. Camenisch, S. Hohenberger, A. Shelat, B. Waters, Computing on authenticated data, in Ronald Cramer, editor, *TCC 2012*, volume 7194 of *LNCS*. (Springer, Heidelberg, March 2012), pp. 1–20
- 2. M. Abe, M. Chase, B. David, M. K., R. Nishimaki, M. Ohkubo, Constant-size structure-preserving signatures: Generic constructions and simple assumptions, in Xiaoyun Wang and Kazue Sako, editors, *ASIACRYPT 2012*, volume 7658 of *LNCS*. (Springer, Heidelberg, 2012), pp. 4–24
- 3. M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, M. Ohkubo, Structure-preserving signatures and commitments to group elements, in Tal Rabin, editor, *CRYPTO 2010*, volume 6223 of *LNCS*. (Springer, Heidelberg, August 2010), pp. 209–236
- 4. M. Abe, J. Groth, K. Haralambiev, M. Ohkubo, Optimal structure-preserving signatures in asymmetric bilinear groups, in Phillip Rogaway, editor, *CRYPTO 2011*, volume 6841 of *LNCS*. (Springer, Heidelberg, August 2011), pp. 649–666
- 5. M. Abe, J. Groth, M. Ohkubo, M. Tibouchi, Structure-preserving signatures from type II pairings, in Juan A. Garay and Rosario Gennaro, editors, *CRYPTO 2014, Part I*, volume 8616 of *LNCS*. (Springer, Heidelberg, August 2014), pp. 390–407
- 6. M. Abe, J. Groth, M. Ohkubo, M. Tibouchi, Unified, minimal and selectively randomizable structure-preserving signatures, in Yehuda Lindell, editor, *TCC 2014*, volume 8349 of *LNCS*. (Springer, Heidelberg, February 2014), pp. 688–712
- 7. M. Abe, D. Hofheinz, R. Nishimaki, M. Ohkubo, J. Pan, Compact structure-preserving signatures with almost tight security, in Jonathan Katz and Hovav Shacham, editors, *CRYPTO 2017, Part II*, volume 10402 of *LNCS*. (Springer, Heidelberg, August 2017), pp. 548–580
- 8. M. Abe, K. Haralambiev, M. Ohkubo, Signing on elements in bilinear groups for modular protocol design. Cryptology ePrint Archive, Report 2010/133, (2010). http://eprint.iacr.org/2010/133

- 9. M. Abe, M. Kohlweiss, M. Ohkubo, M. Tibouchi, Fully structure-preserving signatures and shrinking commitments, in Elisabeth Oswald and Marc Fischlin, editors, *EUROCRYPT 2015, Part II*, volume 9057 of *LNCS*. (Springer, Heidelberg, April 2015), pp. 35–65
- 10. N. Attrapadung, B. Libert, T. Peters, Computing on authenticated data: New privacy definitions and constructions, in Xiaoyun Wang and Kazue Sako, editors, *ASIACRYPT 2012*, volume 7658 of *LNCS*. (Springer, Heidelberg, December 2012), pp. 367–385
- 11. N. Attrapadung, B. Libert, T. Peters, Efficient completely context-hiding quotable and linearly homomorphic signatures, in K. Kurosawa and G. Hanaoka, editors, *PKC 2013*, volume 7778 of *LNCS*. (Springer, Heidelberg, February/March 2013), pp. 386–404
- 12. N. Akagi, Y. Manabe, T. Okamoto, An efficient anonymous credential system, in G. Tsudik, editor, *FC 2008*, volume 5143 of *LNCS*. (Springer, Heidelberg, January 2008), pp. 272–286
- 13. M.H. Au, W. Susilo, Y. Mu, Constant-size dynamic k-TAA, in R. De Prisco and M. Yung, editors, *SCN 06*, volume 4116 of *LNCS*. (Springer, Heidelberg, September 2006), pp. 111–125
- 14. D. Boneh, X. Boyen, Short signatures without random oracles, in C. Cachin and J. Camenisch, editors, *EUROCRYPT 2004*, volume 3027 of *LNCS*. (Springer, Heidelberg, May 2004), pp. 56–73
- 15. D. Boneh, X. Boyen, E.-J. Goh, Hierarchical identity based encryption with constant size ciphertext, in R. Cramer, editor, *EUROCRYPT 2005*, volume 3494 of *LNCS*. (Springer, Heidelberg, May 2005), pp. 440–456
- 16. D. Boneh, X. Boyen, H. Shacham, Short group signatures, in M. Franklin, editor, *CRYPTO 2004*, volume 3152 of *LNCS*. (Springer, Heidelberg, August 2004), pp. 41–55
- 17. D. Boneh, H. Corrigan-Gibbs, Bivariate polynomials modulo composites and their applications, in P. Sarkar and T. Iwata, editors, *ASIACRYPT 2014, Part I*, volume 8873 of *LNCS*. (Springer, Heidelberg, December 2014), pp. 42–62
- 18. M. Belenkiy, J. Camenisch, M. Chase, M. Kohlweiss, A. Lysyanskaya, H. Shacham, Randomizable proofs and delegatable anonymous credentials, in S. Halevi, editor, *CRYPTO 2009*, volume 5677 of *LNCS*. (Springer, Heidelberg, August 2009), pp. 108–125
- 19. M. Belenkiy, M. Chase, M. Kohlweiss, A. Lysyanskaya, P-signatures and noninteractive anonymous credentials, in R. Canetti, editor, *TCC 2008*, volume 4948 of *LNCS*. (Springer, Heidelberg, March 2008), pp. 356–374
- 20. G. Barthe, E. Fagerholm, D. Fiore, A. Scedrov, B. Schmidt, M. Tibouchi, Strongly-optimal structure preserving signatures from type II pairings: Synthesis and lower bounds, in J. Katz, editor, *PKC 2015*, volume 9020 of *LNCS*. (Springer, Heidelberg, March/April 2015), pp. 355–376
- 21. D. Boneh, D. Freeman, J. Katz, B. Waters, Signing a linear subspace: Signature schemes for network coding, in S. Jarecki and G. Tsudik, editors, *PKC 2009*, volume 5443 of *LNCS*. (Springer, Heidelberg, March 2009), pp. 68–87
- 22. O. Blazy, G. Fuchsbauer, D. Pointcheval, D. Vergnaud, Signatures on randomizable ciphertexts, in D. Catalano, N. Fazio, R. Gennaro, and A. Nicolosi, editors, *PKC 2011*, volume 6571 of *LNCS*. (Springer, Heidelberg, March 2011), pp. 403–422
- 23. M. Bellare, G. Fuchsbauer, A. Scafuro, NIZKs with an untrusted CRS: Security in the face of parameter subversion, in J. H. Cheon and T. Takagi, editors, *ASIACRYPT 2016, Part II*, volume 10032 of *LNCS*. (Springer, Heidelberg, December 2016), pp. 777–804
- 24. F. Baldimtsi, A. Lysyanskaya, Anonymous credentials light, in A.-R. Sadeghi, V.D. Gligor, and M. Yung, editors, *ACM CCS 13*. (ACM Press, November 2013), pp. 1087–1098
- 25. P.S.L.M. Barreto, M. Naehrig, Pairing-friendly elliptic curves of prime order, in B. Preneel and S. Tavares, editors, *SAC 2005*, volume 3897 of *LNCS*. (Springer, Heidelberg, August 2006), pp. 319–331
- 26. X. Boyen, The uber-assumption family (invited talk), in S.D. Galbraith and K.G. Paterson, editors, *PAIRING 2008*, volume 5209 of *LNCS*. (Springer, Heidelberg, 2008), pp. 39–56
- 27. N. Bari, B. Pfitzmann, Collision-free accumulators and fail-stop signature schemes without trees, in W. Fumy, editor, *EUROCRYPT’97*, volume 1233 of *LNCS*. (Springer, Heidelberg, May 1997), pp. 480–494
- 28. S. Brands, *Rethinking public-key Infrastructures and Digital Certificates: Building in Privacy*. (MIT Press, 2000)
- 29. M. Bellare, H. Shi, C. Zhang, Foundations of group signatures: The case of dynamic groups, in A. Menezes, editor, *CT-RSA 2005*, volume 3376 of *LNCS*. (Springer, Heidelberg, February 2005), pp. 136–153
- 30. R. Canetti, Universally composable security: A new paradigm for cryptographic protocols, in *42nd FOCS*. IEEE Computer Society Press, (October 2001), pp. 136–145
- 31. J. Camenisch, M. Dubovitskaya, K. Haralambiev, M. Kohlweiss, Composable and modular anonymous credentials: definitions and practical constructions, in T. Iwata and J.H. Cheon, editors, *ASIACRYPT 2015, Part II*, volume 9453 of *LNCS*. (Springer, Heidelberg, November/December 2015), pp. 262–288
- 32. R. Cramer, I. Damgård, P.D. MacKenzie, Efficient zero-knowledge proofs of knowledge without intractability assumptions, in H. Imai and Y. Zheng, editors, *PKC 2000*, volume 1751 of *LNCS*. (Springer, Heidelberg, January 2000), pp. 354–372
- 33. D. Catalano, D. Fiore, Vector commitments and their applications, in K. Kurosawa and G. Hanaoka, editors, *PKC 2013*, volume 7778 of *LNCS*. (Springer, Heidelberg, February/March 2013), pp. 55–72
- 34. D. Catalano, D. Fiore, B. Warinschi, Efficient network coding signatures in the standard model, in M. Fischlin, J. Buchmann, and M. Manulis, editors, *PKC 2012*, volume 7293 of *LNCS*. (Springer, Heidelberg, 2012), pp. 680–696
- 35. J. Camenisch, T. Groß, Efficient attributes for anonymous credentials. *ACM Transactions on Information and System Security*, **15**(1), 4, (2012)
- 36. M. Chase, C. Ganesh, P. Mohassel, Efficient zero-knowledge proof of algebraic and non-algebraic statements with applications to privacy preserving credentials, in M. Robshaw and J. Katz, editors, *CRYPTO 2016, Part III*, volume 9816 of *LNCS*. (Springer, Heidelberg, 2016), pp. 499–530
- 37. J. Camenisch, S. Krenn, A. Lehmann, G.L. Mikkelsen, G. Neven, M.Ø. Pedersen, Formal treatment of privacy-enhancing credential systems, in O. Dunkelman and L. Keliher, editors, *SAC 2015*, volume 9566 of *LNCS*. (Springer, Heidelberg, August 2016), pp. 3–24
- 38. M. Chase, M. Kohlweiss, A. Lysyanskaya, S. Meiklejohn, Malleable proof systems and applications, in D. Pointcheval and T. Johansson, editors, *EUROCRYPT 2012*, volume 7237 of *LNCS*. (Springer, Heidelberg, April 2012), pp. 281–300
- 39. M. Chase, M. Kohlweiss, A. Lysyanskaya, S. Meiklejohn, Malleable signatures: New definitions and delegatable anonymous credentials, in *IEEE 27th Computer Security Foundations Symposium, CSF 2014*, (2014), pp. 199–213
- 40. J. Camenisch, A. Lysyanskaya, An efficient system for non-transferable anonymous credentials with optional anonymity revocation, in B. Pfitzmann, editor, *EUROCRYPT 2001*, volume 2045 of *LNCS*. (Springer, Heidelberg, May 2001), pp. 93–118
- 41. J. Camenisch, A. Lysyanskaya, A signature scheme with efficient protocols, in S. Cimato, C. Galdi, and G. Persiano, editors, *SCN 02*, volume 2576 of *LNCS*. (Springer, Heidelberg, September 2003), pp. 268–289
- 42. J. Camenisch, A. Lysyanskaya, Signature schemes and anonymous credentials from bilinear maps, in M. Franklin, editor, *CRYPTO 2004*, volume 3152 of *LNCS*. (Springer, Heidelberg, August 2004), pp. 56–72
- 43. S. Canard, R. Lescuyer, Anonymous credentials from (indexed) aggregate signatures, in *DIM’11, Proceedings of the 2013 ACM Workshop on Digital Identity Management, Chicago, IL, USA - October 21, 2011*, (2011), pp. 53–62
- 44. S. Canard, R. Lescuyer, Protecting privacy by sanitizing personal data: a new approach to anonymous credentials, in K. Chen, Q. Xie, W. Qiu, N. Li, and W.-G. Tzeng, editors, *ASIACCS 13*. (ACM Press, May 2013), pp. 381–392
- 45. S. Chatterjee, A. Menezes, On cryptographic protocols employing asymmetric pairings - the role of \(\varPsi \) revisited. *Discrete Applied Mathematics* **159**(13), 1311–1322, (2011)
- 46. D. Chaum, T.P. Pedersen, Wallet databases with observers, in E.F. Brickell, editor, *CRYPTO’92*, volume 740 of *LNCS*. (Springer, Heidelberg, 1993), pp. 89–105
- 47. I. Damgård, Efficient concurrent zero-knowledge in the auxiliary string model, in B. Preneel, editor, *EUROCRYPT 2000*, volume 1807 of *LNCS*. (Springer, Heidelberg, May 2000), pp. 418–430
- 48. I. Damgård, H. Haagh, C. Orlandi, Access control encryption: Enforcing information flow with cryptography, in M. Hirt and A.D. Smith, editors, *TCC 2016-B, Part II*, volume 9986 of *LNCS*. (Springer, Heidelberg, October/November 2016), pp. 547–576
- 49. D. Derler, C. Hanser, D. Slamanig, A new approach to efficient revocable attribute-based anonymous credentials, in J. Groth, editor, *15th IMA International Conference on Cryptography and Coding*, volume 9496 of *LNCS*. (Springer, Heidelberg, 2015), pp. 57–74
- 50. D. Derler, C. Hanser, D. Slamanig, Revisiting cryptographic accumulators, additional properties and relations to other primitives, in K. Nyberg, editor, *CT-RSA 2015*, volume 9048 of *LNCS*. (Springer, Heidelberg, April 2015), pp. 127–144
- 51. D. Derler, D. Slamanig, Fully-anonymous short dynamic group signatures without encryption. *IACR Cryptology ePrint Archive*, 2016:154, (2016)
- 52. G. Fuchsbauer, R. Gay, Weakly secure equivalence-class signatures from standard assumptions, in M. Abdalla, editor, *PKC 2018*, LNCS. (Springer, 2018)
- 53. G. Fuchsbauer, R. Gay, L. Kowalczyk, C. Orlandi, Access control encryption for equality, comparison, and more, in S. Fehr, editor, *PKC 2017, Part II*, volume 10175 of *LNCS*. (Springer, Heidelberg, 2017), pp. 88–118
- 54. G. Fuchsbauer, C. Hanser, C. Kamath, D. Slamanig, Practical round-optimal blind signatures in the standard model from weaker assumptions, in V. Zikas and R. De Prisco, editors, *SCN 16*, volume 9841 of *LNCS*. (Springer, Heidelberg, August/September 2016), pp. 391–408
- 55. G. Fuchsbauer, C. Hanser, D. Slamanig, Practical round-optimal blind signatures in the standard model, in R. Gennaro and M.J.B. Robshaw, editors, *CRYPTO 2015, Part II*, volume 9216 of *LNCS*. (Springer, Heidelberg, August 2015), pp. 233–253
- 56. E. Fujisaki, T. Okamoto, A practical and provably secure scheme for publicly verifiable secret sharing and its applications, in K. Nyberg, editor, *EUROCRYPT’98*, volume 1403 of *LNCS*. (Springer, Heidelberg, May/June 1998), pp. 32–46
- 57. D.M. Freeman, Improved security for linearly homomorphic signatures: A generic framework, in M. Fischlin, J. Buchmann, and M. Manulis, editors, *PKC 2012*, volume 7293 of *LNCS*. (Springer, Heidelberg, May 2012), pp. 697–714
- 58. G. Fuchsbauer, Automorphic signatures in bilinear groups and an application to round-optimal blind signatures. Cryptology ePrint Archive, Report 2009/320 (2009). http://eprint.iacr.org/2009/320

- 59. G. Fuchsbauer, Commuting signatures and verifiable encryption, in K.G. Paterson, editor, *EUROCRYPT 2011*, volume 6632 of *LNCS*. (Springer, Heidelberg, May 2011), pp. 224–245
- 60. G. Fuchsbauer, Breaking existential unforgeability of a signature scheme from Asiacrypt 2014. Cryptology ePrint Archive, Report 2014/892, (2014). http://eprint.iacr.org/2014/892

- 61. E. Ghadafi, Short structure-preserving signatures, in K. Sako, editor, *CT-RSA 2016*, volume 9610 of *LNCS*. (Springer, Heidelberg, February/March 2016), pp. 305–321
- 62. S. Goldwasser, S. Micali, R.L. Rivest, A digital signature scheme secure against adaptive chosen-message attacks. *SIAM Journal on Computing* **17**(2), 281–308, (1988)
- 63. O. Goldreich, *The Foundations of Cryptography - Volume 1, Basic Techniques*. (Cambridge University Press, 2001)
- 64. V. Goyal, Reducing trust in the PKG in identity based cryptosystems, in A. Menezes, editor, *CRYPTO 2007*, volume 4622 of *LNCS*. (Springer, Heidelberg, August 2007), pp. 430–447
- 65. J. Groth, Short pairing-based non-interactive zero-knowledge arguments, in M. Abe, editor, *ASIACRYPT 2010*, volume 6477 of *LNCS*. (Springer, Heidelberg, December 2010), pp. 321–340
- 66. J. Groth, Efficient fully structure-preserving signatures for large messages, in T. Iwata and J.H. Cheon, editors, *ASIACRYPT 2015, Part I*, volume 9452 of *LNCS*. (Springer, Heidelberg, November/December 2015), pp. 239–259
- 67. J. Groth, A. Sahai, Efficient non-interactive proof systems for bilinear groups, in N.P. Smart, editor, *EUROCRYPT 2008*, volume 4965 of *LNCS*. (Springer, Heidelberg, 2008), pp. 415–432
- 68. C. Hanser, M. Rabkin, D. Schröder, Verifiably encrypted signatures: Security revisited and a new construction, in G. Pernul, P.Y.A. Ryan, and E.R. Weippl, editors, *ESORICS 2015, Part I*, volume 9326 of *LNCS*. (Springer, Heidelberg, September 2015), pp. 146–164
- 69. C. Hanser, D. Slamanig, Structure-preserving signatures on equivalence classes and their application to anonymous credentials, in P. Sarkar and T. Iwata, editors, *ASIACRYPT 2014, Part I*, volume 8873 of *LNCS*. (Springer, Heidelberg, December 2014), pp. 491–511
- 70. M. Izabachène, B. Libert, D. Vergnaud, Block-wise P-signatures and non-interactive anonymous credentials with efficient attributes, in L. Chen, editor, *13th IMA International Conference on Cryptography and Coding*, volume 7089 of *LNCS*. (Springer, Heidelberg, December 2011), pp. 431–450
- 71. R. Johnson, D. Molnar, D.X. Song, D. Wagner, Homomorphic signature schemes, in B. Preneel, editor, *CT-RSA 2002*, volume 2271 of *LNCS*. (Springer, Heidelberg, February 2002), pp. 244–262
- 72. C.S. Jutla, A. Roy, Improved structure preserving signatures under standard bilinear assumptions, in S. Fehr, editor, *PKC 2017, Part II*, volume 10175 of *LNCS*. (Springer, Heidelberg, March 2017), pp. 183–209
- 73. E. Kiltz, J. Pan, H. Wee, Structure-preserving signatures from standard assumptions, revisited, in R. Gennaro and M.J.B. Robshaw, editors, *CRYPTO 2015, Part II*, volume 9216 of *LNCS*. (Springer, Heidelberg, August 2015), pp. 275–295
- 74. A. Kate, G.M. Zaverucha, I. Goldberg, Constant-size commitments to polynomials and their applications, in M. Abe, editor, *ASIACRYPT 2010*, volume 6477 of *LNCS*. (Springer, Heidelberg, December 2010), pp. 177–194
- 75. H. Lipmaa, Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments, in R. Cramer, editor, *TCC 2012*, volume 7194 of *LNCS*. (Springer, Heidelberg, March 2012), pp. 169–189
- 76. B. Libert, T. Peters, M. Joye, M. Yung, Linearly homomorphic structure-preserving signatures and their applications, in R. Canetti and J.A. Garay, editors, *CRYPTO 2013, Part II*, volume 8043 of *LNCS*. (Springer, Heidelberg, August 2013), pp. 289–307
- 77. A. Lysyanskaya, R.L. Rivest, A. Sahai, S. Wolf, Pseudonym systems, in H.M. Heys and C.M. Adams, editors, *SAC 1999*, volume 1758 of *LNCS*. (Springer, Heidelberg, August 1999), pp. 184–199
- 78. R.C. Merkle, A digital signature based on a conventional encryption function, in C. Pomerance, editor, *CRYPTO’87*, volume 293 of *LNCS*. (Springer, Heidelberg, August 1988), pp. 369–378
- 79. S. Micali, M.O. Rabin, J. Kilian, Zero-knowledge sets, in *44th FOCS*. (IEEE Computer Society Press, October 2003), pp. 80–91
- 80. T.P. Pedersen, Non-interactive and information-theoretic secure verifiable secret sharing, in J. Feigenbaum, editor, *CRYPTO’91*, volume 576 of *LNCS*. (Springer, Heidelberg, 1992), pp. 129–140
- 81. D. Pointcheval, O. Sanders, Short randomizable signatures, in K. Sako, editor, *CT-RSA 2016*, volume 9610 of *LNCS*. (Springer, Heidelberg, February/March 2016), pp. 111–126
- 82. S. Ringers, E.R. Verheul, J.-H. Hoepman, An efficient self-blindable attribute-based credential scheme. *IACR Cryptology ePrint Archive*, **2017**, 115, (2017). (to appear at Financial Crypto 2017)
- 83. R. Steinfeld, L. Bull, Y. Zheng, Content extraction signatures, in K. Kim, editor, *ICISC 01*, volume 2288 of *LNCS*. (Springer, Heidelberg, December 2002), pp. 285–304
- 84. V. Shoup, Lower bounds for discrete logarithms and related problems, in W. Fumy, editor, *EUROCRYPT’97*, volume 1233 of *LNCS*. (Springer, Heidelberg, May 1997), pp. 256–266
- 85. A. Sudarsono, T. Nakanishi, N. Funabiki, Efficient proofs of attributes in pairing-based anonymous credential system, in *Privacy Enhancing Technologies - 11th International Symposium, PETS 2011, Waterloo, ON, Canada, July 27-29, 2011. Proceedings*, pp. 246–263 (2011)
- 86. E.R. Verheul, Self-blindable credential certificates from the Weil pairing, in C. Boyd, editor, *ASIACRYPT 2001*, volume 2248 of *LNCS*. (Springer, Heidelberg, December 2001), pp. 533–551
- 87. B.R. Waters, Efficient identity-based encryption without random oracles, in R. Cramer, editor, *EUROCRYPT 2005*, volume 3494 of *LNCS*. (Springer, Heidelberg, May 2005), pp. 114–127

## Acknowledgements

Work started while the first author was at IST Austria and supported by the European Research Council, ERC Starting Grant (259668-PSPC); now supported by the French ANR EfTrEC project (ANR-16-CE39-0002). Work has been done while the second and third authors were at IAIK, Graz University of Technology. The second author has been supported by the European Commission through projects FP7-MATTHEW (GA No. 610436) and FP7-FutureID (GA No. 318424). The work of the last author has been supported by the European Commission through project FP7-FutureID (GA No. 318424) and by EU Horizon 2020 through project Prismacloud (GA No. 644962).

## Additional information

Communicated by Nigel Smart.

## About this article

### Cite this article

Fuchsbauer, G., Hanser, C. & Slamanig, D. Structure-Preserving Signatures on Equivalence Classes and Constant-Size Anonymous Credentials. *J Cryptol* **32**, 498–546 (2019). https://doi.org/10.1007/s00145-018-9281-4

### Keywords

- Public-key cryptography
- Pairing-based cryptography
- Structure-preserving signatures
- Attribute-based anonymous credentials
- Set commitments