coleleavitt/opaque-lattice
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8f05b2e1575a516b979919515582f257e193eea1
opaque-lattice/papers_txt/Fully-decentralized-period-k-times-anonymous-authen_2026_Computer-Standards-.txt
Cole Leavitt dfa968ec7d initial
2026-01-06 12:49:26 -07:00

989 lines
128 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
Computer Standards & Interfaces 97 (2026) 104097
Contents lists available at ScienceDirect
Computer Standards & Interfaces
journal homepage: www.elsevier.com/locate/csi
Fully decentralized period k-times anonymous authentication with access
criteriaI , II
Hongyan Di a , Yinghui Zhang a ,, Ziqi Zhang a , Yibo Pang a , Rui Guo a , Yangguang Tian b
a
School of Cyberspace Security, Xian University of Posts & Telecommunications, 710121, Xian, China
b
University of Surrey, GU2 7XH, Surrey, UK
ARTICLE INFO ABSTRACT
Keywords: The explosive growth of Internet user devices highlights the strong and urgent need for digital identity
Fully decentralized infrastructure. However, the existing decentralized identity schemes are still not fully decentralized, and there
Publicly auditable is still a contradiction between publicly auditable credentials and maintaining anonymity. Therefore, using
Access criteria
advanced cryptographic techniques such as signature proof of knowledge, Pedersen commitment, and Merkle
Anonymous authentication
tree, this paper propose a fully decentralized period k-times anonymous authentication with access criteria.
Signature proof of knowledge
The scheme allows user credentials to be publicly audited, users can manage their identity independently, and
the verifier can not only verify the users identity, but also implement access control. The issuer does not need
to hold a key or maintain a list, and it can still authenticate even after the trusted center is attacked, and only
three zero-knowledge proofs are needed for registration and verification. The security analysis indicates that
this scheme satisfies unforgeability, anonymity, unlinkability and attribute privacy. Performance evaluation
shows significant improvements in both computational and communication efficiency over existing schemes.
1. Introduction control over digital resources such as services. The core of this system is
the concept of digital identity. The evolution of digital identity has gone
With the surge in digital services accessed through network con- through multiple eras, during which digital identity recognition has
nections, the number of digital identities has seen an unprecedented gradually shifted from centralized to decentralized identity models [3].
increase. Therefore, the vast majority of the global population has In fact, the way entities prove the ownership of digital identities may be
at least one digital identity, which becomes the key to unlocking a affected by various vulnerabilities [4]. The current Internet ecosystem
variety of online functions and services. However, the concept of digital generally adopts the centralized Identity Provider (IdP) model, with
identity goes far beyond human identity recognition [1]. With the wide tech giants such as Google and Facebook (e.g., Meta) serving as the
adoption of IoT and the powerful functions of the 5th Generation Mo- custodians of digital identities. Other services can directly rely on the
bile Communication Technology (5G) network, as well as the upcoming identity information provided by IdP. This architecture simplifies the
6th Generation Mobile Communication Technology (6G), the number authentication process by achieving single sign-on through protocols
of connected devices has increased significantly [2]. These devices such as OAuth, it has fundamental flaws when examined from the
require unique digital identities to enable their participation in digital perspective of privacy protection, users lose control over their digital
ecosystems, such as establishing secure communications. identities [5], and all their identity attributes are centrally stored in the
Authentication and authorization are crucial security-related core IdPs servers. Users neither know the specific usage of these data nor
tasks in the digital world. Their purpose is to ensure the authenticity can they effectively manage their flow. More seriously, this architecture
of the identities of the communicating parties and implement access has created a dangerous data island phenomenon—IdP can fully
I This article is part of a Special issue entitled: Information Security and Privacy published in Computer Standards & Interfaces.
II This work is supported by the National Cryptologic Science Fund of China (2025NCSF02037), the National Natural Science Foundation of China (62072369),
the Youth Innovation Team of Shaanxi Universities (23JP160), the Shaanxi Special Support Program Youth Top-notch Talent Program, the Technology Innovation
Leading Program of Shaanxi (2023-YD-CGZH-31), the Technology Innovation Guidance Special Fund of Shaanxi Province (2024QY-SZX-17), the Graduate
Innovation Fund of Xi an University of Posts and Telecommunications (CXJJBDL2024004).
Corresponding author.
E-mail addresses: 15029659213@163.com (H. Di), yhzhaang@163.com (Y. Zhang), qiqizhang0408@163.com (Z. Zhang), ybpang1998@163.com (Y. Pang),
guorui@xupt.edu.cn (R. Guo), yangguang.tian@surrey.ac.uk (Y. Tian).
URLs: https://www.xiyou.edu.cn/ (Y. Zhang), http://www.surrey.ac.uk (Y. Tian).
https://doi.org/10.1016/j.csi.2025.104097
Received 12 July 2025; Received in revised form 26 September 2025; Accepted 11 November 2025
Available online 19 November 2025
0920-5489/© 2025 Elsevier B.V. All rights are reserved, including those for text and data mining, AI training, and similar technologies.
H. Di et al. Computer Standards & Interfaces 97 (2026) 104097
grasp the cross-platform service usage trajectory and behavioral char- have emerged. These include zero-knowledge credentials, lightweight
acteristics of users, essentially constructing a panoramic user profile. anonymous credentials without heavy zero-knowledge proofs and other
IdP, on the other hand, can obtain information about all the network computationally intensive operations, self-blinding credentials, group
services used by users (and related usage data). When the server storing signatures, AC schemes without unlinkability, and post-quantum AC
user data is invaded, sensitive personal information may be obtained schemes. In order to reduce the trust dependence of the credential
by malicious attackers, causing significant loss of personal data and issuance process on a central authority in traditional anonymous cre-
damaging the reputation of stakeholders [6]. In 2022 alone, there were dential schemes, Garman et al. [14] proposed the concept of decen-
over 1800 major data breaches worldwide, involving more than 400 tralized anonymous credential (DAC), which allows users to construct
million user records. The increasing number of data breach cases has and manage credentials in a completely anonymous manner. Derler
raised significant concerns to data confidentiality and transparency et al. [15] designed a new revocable multi-show attribute anonymous
in the field of digital identity management. In addition, centralized credential based on previous work, which has good scalability and con-
identity management systems rely on specific identity service nodes, stant operation of two roles. Bui and Aura [16] developed a distributed
making them vulnerable to single point of failure problem [7]. access control revocation framework to facilitate the manipulation of
Therefore, the increasing popularity of online services, the growing revocation methods. Subsequently, Sonnino et al. [17] proposed a
trend of decentralization, and the rising awareness of the shortcomings special selective disclosure voucher solution based on blind signatures
of traditional methods are paving the way for more secure and privacy- and bilinear pairing, which holds short and highly efficient vouch-
protecting approaches. Under this trend, supported by current laws and ers. Inspired by Sonninos work, Halpin [18] redesigned the tagging
regulations (such as the General Data Protection Regulation (GDPR) mechanism to improve scalability and support embedding arbitrary
of the European Union) [8], the concept of Self-Sovereign Identity attributes. Cui et al. [19] constructed a Blockchain Digital Identity
(SSI) [9] has attracted significant attention from both academia and Management System (BDIdM) by extending the functional features of
industry. SSI is based on the idea that individuals should have full the DAC scheme [14], which enabled limited reusability of specific cre-
control over their information without being forced to outsource data dentials on the premise of maintaining the security of the DAC scheme.
to any centralized institution or third party. Such technologies play a In addition, decentralized anonymous credentials are widely integrated
crucial role in establishing trust among entities (including non-human with other scenarios. Lin et al. [20] applied the DAC scheme to the
entities such as humans and IoT devices) and ensuring communication smart grid scenario and enhanced the privacy protection mechanism.
security through digital identities. Decentralized Identifiers (DIDs) and The solutions combined with the application scenarios of blockchain-
Verifiable Credentials (VCs), as effective solutions for enhancing pri- based Internet of Vehicles include [2125], Zeng et al. [26] also applied
vacy and security, have been promoted in multiple application fields anonymous credentials to cross-domain authentication in IIoT.
such as intelligent transportation and smart healthcare. These standards
can be extended to anyone or anything, covering cloud, edge, and IoT 2.2. 𝑘-Time anonymous authentication (𝑘-TAA)
resources. It is worth noting that several institutions, including industry
giants such as Microsoft, have recently developed and released a variety The 𝑘-period anonymous authentication allows users to be authen-
of implementation plans to support these technologies. In addition, ticated up to 𝑘-times within a certain time period while remaining
global government agencies are also actively promoting the widespread anonymous. Teranishi et al. [27] introduced the first 𝑘-TAA scheme,
application of DIDs and VCs. For instance, the European union pro- allowing the identification of users who exceeded the authentication
mulgated regulation 2024/1183 [10] in May 2024, establishing the limit. Nguyen and Safavi-Naini [28] extended this concept to dynamic
European digital identity framework, aiming to provide European cit- 𝑘-TAA, enabling each authenticator to independently grant or revoke
izens with digital passes for cross-border access to public and private access rights. Au et al. [29] proposed a fixed-size dynamic 𝑘-times.
services through the SSI system. This represents a significant milestone Chaterjee et al. [30] proposed a 𝑘-TAA scheme based on physically
in the development of digital identity solutions. However, current unclonable functions (PUFs), which is applicable to trusted platform
decentralized anonymous authentication schemes still face significant modules (TPM). Huang et al. [31] designed an efficient 𝑘-TAA system
challenges. These include the inability to achieve full decentralization, tailored for pay-as-you-go pricing, facilitating multiple service accesses
a lack of mutual trust between users and issuers, and the persistent and related payments within each certification cycle. However, many
contradiction between public verifiability and true anonymity. Against existing 𝑘-TAA schemes fail to provide periodic anonymous authenti-
this backdrop, AI-driven identity threat analysis has become a new cation. Although the existing schemes [32,33] support periodic anony-
focus of security research. Initiatives such as the Global Digital Iden- mous authentication, they have deficiencies in supporting the selective
tity Wallet (GDIW) have launched cross-border interoperability tests, disclosure of credential attributes to achieve fine-grained authentica-
while Digital Identity Chain has completed the integration of DIDs tion. In addition, they require a large number of pairing operations,
with the national government service platform—efforts that represent resulting in significant verification delays. In contrast, scheme [34,35]
preliminary but critical explorations in addressing these underlying supports periodic 𝑘-times anonymous authentication while reducing
issues. cumbersome pairing operations. However, scheme [34] does not sup-
port credential revocation. As shown in Table 1, our scheme, while
2. Relate work meeting the above requirements, supports full decentralization and
access control.
2.1. Decentralized anonymous credential (DAC)
• Research Contributions
In the 1980s, David Chaum [11,12] introduced privacy-preserving Next, we list the main research contributions of this paper.
cryptographic techniques, aiming to create a more privacy-focused The Proposed Scheme: We propose a fully decentralized 𝑘-times
and user-centered authentication and authorization solution. It enables period anonymous authentication scheme with access control.
users to prove their membership, identity, or any other arbitrary at- The scheme enforces both access criteria and authentication dur-
tribute in a group in a privacy-preserving manner. Such techniques are ing the verification process, while eliminating the need for issuers
often referred to as anonymous credentials (ACs), and various methods to hold keys or maintain lists, thus remaining secure even if the
for building AC systems have been widely studied in the academic com- trusted center is compromised. Only three zero-knowledge proofs
munity. However, since Camenish and Lysyanskaya [13] first proposed are required for registration and verification.
a completely anonymous credential scheme in 2001, a large number of Security Analysis: We conducted a correctness and theoretical
anonymous credit construction schemes suitable for various scenarios security analysis based on the game definition of the proposed
2
H. Di et al. Computer Standards & Interfaces 97 (2026) 104097
Table 1
Function comparison.
Security features [29] [30] [31] [33] [19] [34] [35] Our Scheme
Anonymity ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Unlinkability ✓ N.A ✓ N.A ✓ ✓ ✓ ✓
𝑘-times period anonymous authentication × × ×× ✓ N.A ✓
Publicly auditable N.A × N.A N.A ✓ ✓ ✓ ✓
Select attribute disclosure × × × × ✓ ✓ N.A ✓
Key forward and backward secure ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Reveal violators identity without TTP ✓ ✓ × ✓ ✓ ✓ ×
Issuer not hold key and identity list × × × × × × ×
Support credential revocation ✓ ✓ ✓ ✓ ✓ × ✓ ✓
Note*: ✓: Support this feature; ×: Does not support this feature; N.A: No applicable; TTP: Trusted third party.
scheme. By simulating games and citing programmable random 3.2. Zero-knowledge proof
oracles and fork lemmas, among other techniques, we demon-
strated that the scheme meets the requirements of unforgeability,
A signature proof of knowledge (SPK) is a non-interactive zero-
anonymity, unlinkability, and attribute privacy. This analysis em-
knowledge proof (ZKP) technique that enables a prover to demonstrate
phasizes that the plan has protected the integrity and validity of
the data. knowledge of a secret value without revealing it, while also signing
Performance Evaluation: We conducted a detailed analysis of a message. We constructed a cyclic group G of prime order 𝑞 and
this authentication scheme, demonstrating its efficiency advan- employed the FiatShamir heuristic [36] to convert an interactive
tages over existing authentication schemes. Tests were also car- proof into a non-interactive one. These non-interactive constructs are
ried out on secp256k1 and BLS12-381 curves, verifying that the precisely referred to as signature proofs of knowledge (SPK). All the
proposed algorithm performs better on lightweight curves. signatures of knowledge are secure in the random oracle model. Ac-
• Structure of Paper cording to the symbols introduced by Camenisch and Stadler [37],
The remaining paper is structured as follows: Section 3 intro- 𝑃 𝑜𝐾{(𝑥) 𝑦 = 𝑔 𝑥 } represents the zero-knowledge proof protocol
duces the problem assumptions and fundamentals. Section 4 de- between the prover and the verifier. Such prover knows 𝑥 ∈ Z𝑝 and
fines the syntax, security model, and detailed construction of 𝑦 = 𝑔 𝑥 ∈ G. The corresponding non-interactive signature knowledge
the scheme. Section 5 analyzes its correctness and theoretical proof on the message 𝑚 should be expressed as 𝑆𝑃 𝐾{(𝑥) 𝑦 = 𝑔 𝑥 }(𝑚).
security. Section 6 evaluates performance in terms of computation It can be regarded as a signature on the message 𝑚, which is signed by
and communication overhead, and Section 7 concludes the paper. a key pair (𝑔 𝑥 , 𝑥) based on discrete logarithms.
3. Preliminaries
3.3. Pedersen commitment
3.1. Group description and hardness assumptions
Literature [38] uses Poseidon to realize the hash of Merkle tree
A group generator 𝐺𝐺𝑒𝑛(1𝜅 ) → (G, 𝑞) inputs a security parameter 𝜅 and commitment. Instantiate another method of using Pedersen hash-
and outputs a cyclic group G of prime order 𝑞. This scheme is based on ing and perfectly hiding commitments in the scheme. The Pedersen
the following hard problem assumption.
commitment algorithm as follows:
Definition 2.1 (Discrete Logarithm Problem (DLP) Assumption). Let 𝑔 be
𝐺𝑒𝑛(1𝜅 ) → 𝑐𝑘 Select a finite group G with a large prime order
a generator of a group G. Given a tuple (𝑔, 𝑔 𝑎 ) ∈ G2 , where 𝑎 ∈ Z𝑞 , the
𝑞, and choose two generators 𝑔 and from the group G. The
Discrete Logarithm Problem is output 𝑎. The DLP assumption holds if
parameters of this commitment scheme are 𝑐𝑘 = (G, 𝑞, 𝑔, ).
for all PPT adversary , the advantage is negligible.
• 𝐶𝑜𝑚𝑚𝑖𝑡(𝑐𝑘, 𝑢) → 𝑐: Generate a commitment 𝑐 for a secret value 𝑢.
AdvDLP
 (𝜅) = |𝑃 𝑟[(𝑔, 𝑔 )| = 𝑎] ≤ 𝑛𝑒𝑔𝑙(𝜅).
𝑎 The commitment party randomly selects a blind factor 𝑟 and then
calculates 𝑐 = 𝑔 𝑢 𝑟 .
• 𝑂𝑝𝑒𝑛𝐶𝑜𝑚(𝑐𝑘, 𝑐, 𝑢, 𝑟) → 01: The verifier checks whether 𝑐 is equal
Definition 2.2 (Decisional DiffieHellman (DDH) Assumption). Let G
to 𝑔 𝑢 𝑟 .
be a group of order a large prime 𝑞, 𝑔 be the generator of G. The
input is a random quadruple  = (𝑔, 𝑔 𝑥 , 𝑔 𝑦 , 𝑔 𝑥𝑦 ) ∈ G3 , and quadruple
 = (𝑔, 𝑔 𝑥 , 𝑔 𝑦 , 𝑔 𝑧 ) ∈ G3 , where 𝑥, 𝑦, 𝑧 ← Z𝑞 . It is computationally hard
3.4. Merkle tree
for adversary  to distinguish between two tuples, the advantage of
PPT adversary  is negligible.
In the proposed scheme, the Merkle tree 𝑇 is used to represent the
𝐴𝑑𝑣DDH
 (𝜅) = |𝑃 𝑟[() = 1] 𝑃 𝑟[() = 1]| ≤ 𝑛𝑒𝑔𝑙(𝜅). membership of the set. The root of the tree 𝑇 is denoted 𝑇𝑟𝑜𝑜𝑡 . The
Merkle tree has the following functions:
Definition 2.3 (Computing DiffieHellman (CDH) Assumption). Let G
be a cyclic group of order 𝑞 with generator 𝑔. Given the tuple  = • 𝑇 .𝐼𝑛𝑠𝑒𝑟𝑡(𝑣) → 𝑇 Inserts the value 𝑣 into the next available leaf
(𝑔, 𝑔 𝑎 , 𝑔 𝑏 ) where 𝑎, 𝑏 ← Z𝑞 , computing 𝑔 𝑎𝑏 is hard. For all probabilistic in 𝑇 and returns the modified tree.
polynomial-time (PPT) algorithms , the advantage probability of • 𝑇 .𝑅𝑒𝑚𝑜𝑣𝑒(𝑣) → 𝑇 Removes 𝑣 from the tree, if it exists, and
successfully solving the CDH problem is negligible. returns the modified tree 𝑇 .
| [ ]| • 𝑇 .𝐴𝑢𝑡𝑃 𝑎𝑡(𝑣) → 𝜃 Generate an authentication path 𝜃 that
𝐴𝑑𝑣𝐶𝐷𝐻 (𝜅) = |𝑃 𝑟 (𝑔, 𝑔 𝑎 , 𝑔 𝑏 ) = 𝑔 𝑎𝑏 | ≤ 𝑛𝑒𝑔𝑙(𝜅).
 | | proves 𝑣𝑇 . The size of 𝜃 is proportional to the height of the
where 𝜅 is a security parameter, 𝑛𝑒𝑔𝑙(𝜅) denotes a negligible function. tree, ensuring efficient verification in cryptographic protocols.
3
H. Di et al. Computer Standards & Interfaces 97 (2026) 104097
Table 2
Summary of notations.
Symbol Description
 , ,  User, Issuer, Verifier
𝜆 Security parameter
The maximum height of the Merkle tree
𝑚 The maximum number of attributes
𝑛 The number of access criteria the verifier is allowed to define
𝜄𝑝𝑢𝑏 , 𝜄𝑧𝑘 Verify the access policy for ancillary information when the request is issued
𝑖𝑎𝑢𝑥𝑧𝑘 , 𝑖𝑎𝑢𝑥𝑝𝑢𝑏 Auxiliary information when requesting registration
𝜙𝑖 The verifier defines the 𝑖th access criterion
𝑎𝑢𝑥𝑖 Show proof of auxiliary information
{ }𝑚
𝐴𝑡𝑡𝑟𝑠 = 𝑎𝑡𝑡𝑟𝑖 𝑖=1 The 𝑖th attribute of the user and the attribute set
𝑤 Witness Collection
𝑐𝑡𝑥 Context information
𝐼, 𝑉 Collection of issuance criteria and access criteria
𝛱𝑈1 , 𝛱𝑉1 , 𝛱̃ Zero-knowledge proofs generated by the user and issuer
𝑠 ← Z𝑞 A secret random number randomly selected by the issuer
𝜃 The authentication path generated by the Merkle tree
𝑇𝑟𝑜𝑜𝑡 , 𝑇𝜅 , 𝑇𝜅′ Merkle tree root, Merkle tree, updated Merkle tree
Note*: 𝜄, 𝜙  → {0, 1} is a predicate over the users attributes that needs to be satisfied in order to pass verification, i.e.,
verification only passes if 𝜄𝑝𝑢𝑏 (𝑖𝑎𝑢𝑥𝑝𝑢𝑏 ) = 1, 𝜙(𝐴𝑡𝑡𝑟𝑠, 𝑎𝑢𝑥) = 1.
3.5. Pseudo-Random Function (PRF) • 𝑆𝑒𝑡𝑢𝑝(1𝜆 , 1 , 1𝑚 ) → 𝑝𝑝 The algorithm inputs the security pa-
rameter 𝜆, the maximum height of the Merkle tree, and the
A Pseudo-Random Function (PRF) is a family of computational func- maximum number 𝑚 of attributes in a credential. Generates the
{ } system parameters 𝑝𝑝.
tions 𝐹𝑘 , where 𝑘 is a key and 𝐹𝑘 is a function from the input space
to the output space. For an ideal PRF, when the key 𝑘 is unknown, its • 𝐼𝑠𝑠𝑢𝑒𝑆𝑒𝑡𝑢𝑝𝐼 (𝑝𝑝) → (𝐼, 𝜄𝑝𝑢𝑏 ) The algorithm inputs the public
output is computationally indistinguishable from that of a true random parameter 𝑝𝑝, outputs the issue criteria set 𝐼 and the issue criteria
for verifying public auxiliary information 𝜄𝑝𝑢𝑏 .
function. We construct a PRF with efficient correctness proof. We adopt
the specific PRF construction proposed by Dodis and Yampolskiy [39] • 𝑆𝑜𝑤𝑆𝑒𝑡𝑢𝑝𝑉 (𝑝𝑝) → 𝑉 The verifier sets up 𝑛 access criteria to
(DY-PRF). The DY-PRF is defined by the tuple (G, 𝑞, 𝑔, 𝑠), where G = ⟨𝑔⟩ define the users access policy. This algorithm outputs a collection
of access criteria 𝑉 = {𝜙1 , 𝜙2 , … , 𝜙𝑛 } where each 𝜙𝑖 represents an
is a cyclic group of prime order 𝑞 and 𝑠 ∈ Z𝑞 . For an input 𝑘, 𝑃 𝑅𝐹𝑔,𝑠 (𝑘)
access criteria.
is defined as 𝑃 𝑅𝐹𝑔,𝑠 (𝑘) 𝑘𝑔 (𝑠+𝑘+1) . There exists an efficient proof of
𝐼𝑠𝑠𝑢𝑒𝑅𝑒𝑞
( ( 𝑈 (𝑝𝑝, 𝐼, 𝐴𝑡𝑡𝑟𝑠,
) ) 𝑖𝑎𝑢𝑥𝑧𝑘 , 𝑖𝑎𝑢𝑥𝑝𝑢𝑏 )
𝑤, 𝑐𝑡𝑥, →
correct formation for the output, and as long as the 𝑞-DDHI assumption
𝐶𝑚, 𝛱𝑈1 , 𝑖𝑎𝑢𝑥𝑧𝑘 , 𝑖𝑎𝑢𝑥𝑝𝑢𝑏 The issue request algorithm inputs
holds, the output 𝑃 𝑅𝐹𝑔,𝑠 (𝑘) is indistinguishable from a random element
the public parameters 𝑝𝑝, the issue criteria 𝐼, the set of attributes
in G𝑞 .
𝐴𝑡𝑡𝑟𝑠 of  , the secret value 𝑤, the context 𝑐𝑡𝑥, and the auxiliary
information (𝑖𝑎𝑢𝑥𝑧𝑘 , 𝑖𝑎𝑢𝑥𝑝𝑢𝑏 ).  generates the 𝛱𝑈1 associated with
4. Proposed scheme 𝑖𝑎𝑢𝑥𝑧𝑘 and outputs ((𝛱𝑈1 , 𝑖𝑎𝑢𝑥𝑧𝑘 ), 𝑖𝑎𝑢𝑥𝑝𝑢𝑏 ).
𝐼𝑠𝑠𝑢𝑒𝐺𝑟𝑎𝑛𝑡𝐼 (𝑝𝑝, (𝐼, 𝜄𝑝𝑢𝑏 ), (𝛱𝑈1 , 𝑖𝑎𝑢𝑥𝑧𝑘 ), 𝑖𝑎𝑢𝑥𝑝𝑢𝑏 ) →
In this section, we describe in Table 2 all the symbolic definitions (𝑠 , (𝜃, 𝑇𝑟𝑜𝑜𝑡 ), 𝑘, 𝑇𝜅 ) The algorithm inputs the zero-knowledge sig-
involved as well as the implications, followed by defining the syntax nature 𝛱𝑈1 , and the auxiliary information (𝑖𝑎𝑢𝑥𝑧𝑘 , 𝑖𝑎𝑢𝑥𝑝𝑢𝑏 ). Then
and designing the scheme.  return the random value 𝑠 , authentication path 𝜃, number of
times 𝑘 to  , and locally generated Merkle tree 𝑇𝜅 .
{ }𝑛 { }
𝑆𝑜𝑤𝐶𝑟𝑒𝑑𝑈 (𝑝𝑝, 𝑉 , 𝑇𝑟𝑜𝑜𝑡 , 𝑐𝑟𝑒𝑑, 𝜃, 𝑤𝑖 , 𝑎𝑢𝑥𝑖 𝑖=1 ) → (𝛱, ̃ 𝑎𝑢𝑥𝑖 𝑛 )
4.1. Syntax and security model 𝑖=1
 inputs the root 𝑇𝑟𝑜𝑜𝑡 of the affiliated tree, the credential 𝑐𝑟𝑒𝑑,
and the authentication path 𝜃.  shows that the sent credential
4.1.1. Security definition satisfies the access criterion 𝜙𝑖 and proves that the displayed
The security of the system is defined by the standard properties credential
{ } belongs to the tree 𝑇𝜅 . Then, the algorithm outputs
of anonymous credentials, including unforgeability, anonymity, un- ̃ 𝑎𝑢𝑥𝑖 𝑛 ).
(𝛱, 𝑖=1 { }
linkability, and attribute privacy. In our model, the attacker is as- • 𝑉 𝑒𝑟𝑖𝑓 𝑦𝑆𝑜𝑤𝑉 (𝑝𝑝, 𝑉 , (𝑐𝑟𝑒𝑑, 𝑇𝑟𝑜𝑜𝑡 ), (𝛱, ̃ 𝑎𝑢𝑥𝑖 𝑛 )) → 01  ver-
𝑖=1
sumed to have only polynomial-time computational capability, and all ifies that the credentials 𝑐𝑟𝑒𝑑 displayed by  meet the access
communications occur over open channels. criteria and that 𝑐𝑟𝑒𝑑 belongs to the Merkle tree 𝑇𝜅 ,  outputting
Threat Model. Our model considers adversaries as external attack- 0/1.
ers intercepting or modifying communications without breaking hard • 𝑅𝑒𝑣𝑜𝑘𝑒𝐶𝑟𝑒𝑑𝐼 (𝑝𝑝, 𝑇𝜅 , 𝑐𝑟𝑒𝑑) → 𝑇𝜅′  revoke the 𝑐𝑟𝑒𝑑 registered by
cryptographic problems, internal attackers misusing valid credentials dishonest users and update the Merkle tree 𝑇𝜅 to 𝑇𝜅′ .
for forgery, transfer, or link attacks, semi-honest verifiers inferring user
identities or attributes while following the protocol, and trusted-but- 4.1.3. Security requirements
curious issuers complying with the protocol but attempting to snoop The scheme is required to satisfy the following security require-
on user data. ments:
Unforgeability: Attackers cannot forge valid credentials and de-
ceive validators into performing correct verification. This game is
4.1.2. Syntax definition reduced to discrete logarithm or CDH problems.
Referring to the ideal function  in [38], the zk-credit anonymous Anonymity: Credentials are displayed without revealing the users
credential approach realizes  using Groth16 [40], which is not suitable identity. This game specification is reduced to the DDH problem.
for authentication. In this work,  is instantiated using signatures of Unlinkability: Different displays of the same certificate cannot
knowledge, resulting in an algorithm that meets the authentication be linked, even if the merkle path remains identical across multiple
requirements. The specific algorithm is as follows: authentications.
4
H. Di et al. Computer Standards & Interfaces 97 (2026) 104097
Fig. 1. System Model.
Attribute Privacy: Hides attributes when displaying credentials from untrusted channels, forge information and impersonate users.
unless the access policy requires them to be displayed. Therefore, this paper adopts the method of zero-knowledge proof to
Security is analyzed using a formal game-based model [41] under realize the users verification of the certificate sent by the issuer, and
the random oracle assumption [42]. The game is defined as follows: prove to the verifier that the certificate is the users own, and at the
same time, it can reduce the risk of privacy leakage. As shown in Fig.
Game 1: Unforgeability Game 1.
Setup. The challenger-1 run system initialization algorithm
𝑆𝑒𝑡𝑢𝑝(1𝜆 , 1 , 1𝑚 ) generate 𝑝𝑝, send 𝑝𝑝 to adversary 1 . 1 save issuer • Issuer: The issuer is the issuer of the certificate, usually an
private key 𝑖𝑠𝑘. authority or trusted entity (such as government, enterprise, de-
Query. In this phase, the adversary 1 can querie three random centralized organization, etc.), which is responsible for verifying
oracles, as follows: the identity or attribute of the user and generating the encrypted
credential. Before sending the certificate, the issuing criteria will
1. − 𝑄𝑢𝑒𝑟𝑦: 1 query random oracle 1 , 2 , 3 , 1 random re- be verified.
sponse and recording. • User: The user is the holder of the credential, requests the cre-
2. 𝑄𝑢𝑒𝑟𝑦2 : 1 query the issuer to registered certificate, 1 use dential from the issuer, upon receipt, verifies the credential.
the simulator  Simulate the interaction between 𝐼𝑠𝑠𝑢𝑒𝑅𝑒𝑞 and • Verifier: The verifier is the receiver of credentials, who receives
𝐼𝑠𝑠𝑢𝑒𝐺𝑟𝑎𝑛𝑡, using the programmability of random oracle to gen- the users credentials, goes through a secure channel, downloads
erate effective 𝑆𝑃 𝐾2 . the criteria and auxiliary verification data, verifies the access
3. 𝑄𝑢𝑒𝑟𝑦3 : 1 query certificate display, simulate the interaction criteria, and then verifies the users identity.
between 𝑆𝑜𝑤𝐶𝑟𝑒𝑑 and 𝑉 𝑒𝑟𝑖𝑓 𝑦𝑆𝑜𝑤, and simulate 𝑆𝑃 𝐾3 using
a zero-knowledge simulator. 4.2.1. System ( initialization
)
𝑆𝑒𝑡𝑢𝑝 1𝜆 , 1 , 1𝑚 → 𝑝𝑝
Forgery. 1 output a forged certificate 𝑐𝑟𝑒𝑑 , correspond Merkle  select a cyclic group G of order 𝑞, and generate generators
tree path 𝜃 , satisfy that 𝑐𝑟𝑒𝑑 is not on the list of previously issued 𝑢, {𝑢𝑖 }𝑖∈[0,𝑛] ) ∈ G, along with hash functions 𝐻1
(𝑔0 , 𝑔1 , 𝑔2 , 𝛾, 0 , 1 , 2 , ̃
credentials. 𝑉 𝑒𝑟𝑖𝑓 𝑦𝑆𝑜𝑤 accept 𝑐𝑟𝑒𝑑 and 𝜃 . 1 wins conditional on {0, 1} → Z𝑞 and 𝐻2 {0, 1} × {0, 1} → Z𝑞 ;
the output of valid forged credentials. Define a Merkle tree of height , where for public input (𝑇𝑟𝑜𝑜𝑡 , 𝑐𝑟𝑒𝑑),
it can prove 𝑐𝑟𝑒𝑑 ∈ 𝑇𝜅 through an authentication path 𝜃;
Game 2: Anonymity and Unlinkability Game Define the global period 𝑒𝑝𝑜𝑐 and pseudorandom function
Setup. The challenger-2 run system initialization algorithm 𝑃 𝑅𝐹𝑔,𝑠 (𝑘) 𝑘𝑔𝑠+𝑘+1 1
;
𝑆𝑒𝑡𝑢𝑝(1𝜆 , 1 , 1𝑚 ) generate 𝑝𝑝, send 𝑝𝑝 to adversary 2 . 2 save issuer 𝑦
 selects random number 𝑦1 , 𝑦2 ← Z𝑞 , computes 𝑌1 = 11 , 𝑌2 =
private key 𝑖𝑠𝑘. 𝑦2
2 , and sets the issuer secret key 𝑖𝑠𝑘 = (𝑦1 , 𝑦2 ) and issuer public key
Query. Adversary 2 can continue to query issuance and pre-
𝑖𝑝𝑘 = (𝑌1 , 𝑌2 ); (
sentation, but cannot query revocation or presentation of challenge
Set the public parameters 𝑝𝑝 ) = 𝑞, G, 𝑔0 , 𝑔1 , 𝑔2 , 𝛾, 0 , 1 , 2 ,
credentials. 𝑢, {𝑢𝑖 }𝑖∈[0,𝑛] , 𝐻1 , 𝐻2 , 𝑇𝜅 (, 𝑇𝑟𝑜𝑜𝑡 , 𝑒𝑝𝑜𝑐,
̃ 𝑖𝑝𝑘 .
challenge. The adversary 2 selects the identity and attribute sets )
( ) ( ) 𝐼𝑠𝑠𝑢𝑒𝑆𝑒𝑡𝑢𝑝𝐼 (𝑝𝑝) → 𝐼, 𝜄𝑝𝑢𝑏
of two users, 𝐼0 , 𝐴𝑡𝑡𝑟𝑠0 , 𝐼1 , 𝐴𝑡𝑡𝑟𝑠1 , which satisfy the same access Define the relevant issuance criteria 𝜄 = (𝜄𝑧𝑘 , 𝜄𝑝𝑢𝑏 ), set
policy. Send it to the challenger 2 . 2 randomly selects 𝑏 ← {0, 1} 𝐼𝑠𝑠𝑢𝑒𝐶𝑟𝑖𝑡𝑒𝑟𝑖𝑎[𝐼] = 𝐼𝑠𝑠𝑢𝑒𝐶𝑟𝑖𝑡𝑒𝑟𝑖𝑎[𝐼] 𝜄;
to generate a credential for 𝐼𝑏 and display it (i.e., run 𝑆𝑜𝑤𝐶𝑟𝑒𝑑 to For the public input auxiliary information 𝑖𝑎𝑢𝑥𝑧𝑘 , prove:
generate 𝛱𝑏 ), and then gives 𝛱𝑏 to 2 . 𝜄𝑧𝑘 (𝐴𝑡𝑡𝑟𝑠, 𝑖𝑎𝑢𝑥𝑧𝑘 ) = 1;
Guess. 2 outputs 𝑏 and wins if 𝑏 = 𝑏. Publish (𝐼, 𝜄𝑝𝑢𝑏 ).
𝑆𝑜𝑤𝑆𝑒𝑡𝑢𝑝𝑉 (𝑝𝑝) → 𝑉
4.2. Scheme construction  define access criteria 𝜙 for user attributes 𝐴𝑡𝑡𝑟𝑠 (Multiple access
criteria 𝜙𝑖 can be defined), and set 𝐴𝑐𝑐𝑒𝑠𝑠𝐶𝑟𝑖𝑡𝑒𝑟𝑖𝑎[𝑉 ]
In this scheme, the user is untrusted, the issuer is semi-trusted, the = 𝐴𝑐𝑐𝑒𝑠𝑠𝐶𝑟𝑖𝑡𝑒𝑟𝑖𝑎[𝑉 ] {𝜙𝑖 };
channel between the verifier and the issuer is trusted, and the rest of For public input (𝑇root , 𝑐𝑟𝑒𝑑, 𝑎𝑢𝑥), prove: 𝜙(𝐴𝑡𝑡𝑟𝑠, 𝑎𝑢𝑥) = 1𝛬𝑐𝑟𝑒𝑑;
the channels are untrusted channels. Attackers can steal information Publish the access criteria set 𝑉 .
5
H. Di et al. Computer Standards & Interfaces 97 (2026) 104097
4.2.2. Credential registration Proof 𝛱̃ = 𝑆𝑃 𝐾3 . The generation of 𝛱̃ = 𝑆𝑃 𝐾3 is as follows:
( ( ))
𝐼𝑠𝑠𝑢𝑒𝑅𝑒𝑞𝑈 𝑝𝑝, 𝐼, 𝐴𝑡𝑡𝑟𝑠, 𝑤, 𝑐𝑡𝑥, 𝑖𝑎𝑢𝑥𝑧𝑘 , 𝑖𝑎𝑢𝑥𝑝𝑢𝑏 → ( )
( ( 1 ) ) ⎧ 𝑛𝑘, 𝑟𝑘, 𝐴𝑡𝑡𝑟𝑠, 𝛼0 , 𝑥𝑢 , 𝑠, 𝑡, 𝑛𝑗 , 𝑎𝑡𝑡𝑟𝑗𝐴𝑇 𝑇 𝑅
𝐶𝑚, 𝛱𝑈 , 𝑖𝑎𝑢𝑥𝑧𝑘 , 𝑖𝑎𝑢𝑥𝑝𝑢𝑏 𝛼
𝑋0 = 𝑔0 0 𝛾 𝐻1 (𝜃) ⎪
 generate anonymous key 𝑛𝑘 and rate-limiting key 𝑟𝑘 us-
⎪ ∧ 𝜁 = 𝑌1𝑥𝑢 𝑌2𝑠 ⋅ 𝐶𝑚𝑡 ⎪
ing pseudorandom function 𝑃 𝑅𝐹 and context 𝑐𝑡𝑥, calculate 𝑛𝑘 = ⎪ 1 ⎪
𝑃 𝑅𝐹 (𝑐𝑡𝑥), 𝑟𝑘 = 𝑃 𝑅𝐹 (𝑒𝑝𝑜𝑐𝑐𝑡𝑥), define 𝑚 attributes 𝐴𝑡𝑡𝑟𝑠 = ⎪ ∧ 𝜂 = 𝑃 𝑅𝐹𝑟𝑘,𝑢̃ (𝑛𝑗 ) = 𝑟𝑘+𝑛 +1 ⎪
⎪ 𝑢̃ 𝑗
{𝑎𝑡𝑡𝑟1 , 𝑎𝑡𝑡𝑟2 , … , 𝑎𝑡𝑡𝑟𝑚 }; 𝛱̃ = 𝑆𝑃 𝐾3 ⎨ 𝑥𝑢 𝑅 𝑥𝑢
𝑅
𝑛𝑘+𝑛𝑗 +1 ⎬
Select a random blind factor 𝑟 ← Z𝑞 and compute pedersen ⎪ ∧ 𝛤 = 𝑢0 𝑃 𝑅𝐹𝑛𝑘,𝑢̃ (𝑛𝑗 ) = 𝑢0 ⋅ 𝑢̃ ⎪
⎪ ∧ 0 ≤ 𝑛𝑗 < 𝑘
commitment 𝐶𝑚, where 𝐶𝑚 ∈ G: ⎪ ⎪
( 𝑚 ) ⎪ ∧ 𝜙 1 (𝐴𝑡𝑡𝑟𝑠, 𝑎𝑢𝑥 1 ) = 1 ⎪
𝐻 (𝑎𝑡𝑡𝑟 ) ⎪ ∧ ⋮ ⎪
𝐶𝑚 = 𝐶𝑜𝑚𝑚𝑖𝑡(𝑛𝑘, 𝑟𝑘, 𝐴𝑡𝑡𝑟𝑠; 𝑟) = 𝑔1𝑛𝑘 𝑔2𝑟𝑘 𝑢𝑖 1 𝑖𝑟0 ; ⎪ ∧ 𝜙 (𝐴𝑡𝑡𝑟𝑠, 𝑎𝑢𝑥 ) = 1 ⎪
𝑖 𝑖
𝑖=1 ( )
Set 𝑤 = (𝑟, 𝑛𝑘, 𝑟𝑘, 𝐴𝑡𝑡𝑟𝑠) (collect private witness 𝑤), select × 𝑎𝑢𝑥𝑖 , 𝑋0 , 𝜁 , 𝜂, 𝛤 , 𝑇𝑟𝑜𝑜𝑡 ;
𝑥𝑢 , 𝑠 , 𝑡 ← Z𝑞 and generate 𝛱𝑈1 :
Send (𝛱, ̃ {𝑎𝑢𝑥𝑖 }𝑛 , 𝑋0 , 𝜁 , 𝜂, 𝛤 , (𝜃, 𝑇𝑟𝑜𝑜𝑡 ), 𝛷′ , 𝑎𝑡𝑡𝑟𝑖𝐴𝑇 𝑇 𝑅 ) to the
𝑖=1
⎧ ( ) ⎫ verifier .
𝑥𝑢 , 𝑠 , 𝑡, 𝑟, 𝑛𝑘, 𝑟𝑘, 𝐴𝑡𝑡𝑟𝑠 ⎪ ( ( ) ( { } ))
𝑥𝑢 𝑠 𝑉 𝑒𝑟𝑖𝑓 𝑦𝑆𝑜𝑤𝑉 𝑝𝑝, 𝑉 , 𝑐𝑟𝑒𝑑, 𝑇𝑟𝑜𝑜𝑡 , 𝛱, ̃ 𝑎𝑢𝑥𝑖 𝑛 → 01
𝑋𝑢 = 𝑔1 𝑔2 ⎪( ) 𝑖=1
𝛱𝑈1 = 𝑆𝑃 𝐾1 ⎨ 𝑥𝑢 𝑠 𝑡𝑋𝑢 , 𝜁, 𝑖𝑎𝑢𝑥𝑧𝑘 , 𝑖𝑎𝑢𝑥𝑝𝑢𝑏 ;  checks whether the users submitted 𝛷′ matches its defined
⎪ ∧ 𝜁 = 𝑌 𝑌 ⋅ 𝐶𝑚 ⎪
( 1 2 ) access criteria set 𝛷. Using 𝜃, verify and calculate 𝑐𝑟𝑒𝑑 = 𝜁 𝑢0 2
? 𝐻 (𝑒𝑝𝑜𝑐ℎ∥𝑘)
.
⎪ ∧ 𝜄𝑧𝑘 𝐴𝑡𝑡𝑟𝑠, 𝑖𝑎𝑢𝑥𝑧𝑘 = 1 ⎪
⎩ ⎭ If (𝜂, 𝛤 ) is valid, it proves that 𝑛𝑗 is within the range allowed to be
1
 send (𝛱𝑈 , 𝑋𝑢 , 𝜁, 𝑖𝑎𝑢𝑥𝑧𝑘 , 𝑖𝑎𝑢𝑥𝑝𝑢𝑏 ) to Issuer ; displayed within 𝑒𝑝𝑜𝑐;
 received 𝛱𝑉1 . If verification passes, receive the returned au- If verification succeeds, accept the request, otherwise reject it and
thentication path 𝜃, 𝑠 and 𝑘; invoke the 𝑅𝑒𝑣𝑜𝑘𝑒𝐶𝑟𝑒𝑑 function to revoke 𝑐𝑟𝑒𝑑. For the specific process,
Locally store (𝑛𝑘, 𝑟𝑘, 𝑟, 𝐴𝑡𝑡𝑟𝑠, 𝜃, 𝑠, 𝑡, 𝑒𝑝𝑜𝑐, 𝑘), where 𝑠 = 𝑠 + 𝑠 and please refer to Fig. 2.
𝑘 is the maximum allowed accesses within epoch 𝑒𝑝𝑜𝑐.
𝐼𝑠𝑠𝑢𝑒𝐺𝑟𝑎𝑛𝑡𝐼 (𝑝𝑝, (𝐼, 𝜄𝑝𝑢𝑏 ), (𝛱𝑈1 , 𝑖𝑎𝑢𝑥𝑧𝑘 ), 𝑖𝑎𝑢𝑥𝑝𝑢𝑏 ) →
( ( ) ) 4.2.4. Credential revocation
𝑐𝑟𝑒𝑑, 𝑠 , 𝜃, 𝑇𝑟𝑜𝑜𝑡 , 𝑘, 𝑇𝜅 ( )
𝑅𝑒𝑣𝑜𝑘𝑒𝐶𝑟𝑒𝑑 𝑝𝑝, 𝑇𝜅 , 𝑐𝑟𝑒𝑑 → 𝑇𝜅′
− verify 𝜄𝑝𝑢𝑏 (𝑖𝑎𝑢𝑥𝑝𝑢𝑏 ), 𝜄𝑝𝑢𝑏 checks for publicly auxiliary information Search for 𝑐𝑟𝑒𝑑 ∈ 𝑇𝜅 , if 𝑐𝑟𝑒𝑑 is not found, terminate the process;
𝑖𝑎𝑢𝑥𝑝𝑢𝑏 ;
Else run 𝑇𝜅′ = 𝑇𝜅 . Remove(𝑐𝑟𝑒𝑑), store and update the Merkle
Verify 𝛱𝑈1 = 𝑆𝑃 𝐾1 , where 𝛱𝑈1 proves the correctness of tree 𝑇𝜅′ ;
(𝜁, 𝑋𝑢 , 𝑖𝑎𝑢𝑥𝑧𝑘 , 𝑖𝑎𝑢𝑥𝑝𝑢𝑏 ) and that the hidden attributes satisfy the issuance Return 𝑇𝑘 and publicly notify that 𝑐𝑟𝑒𝑑 has been revoked.
criteria 𝜄𝑧𝑘 . If verification fails, reject issuance and abort ⟂;
Else verification passes,  randomly selects 𝑠 ← Z𝑞 , and define
5. Analysis of correctness and security
the maximum times of accesses 𝑘 allowed by users within 𝑒𝑝𝑜𝑐,
𝐻 (𝑒𝑝𝑜𝑐ℎ∥𝑘)
calculate 𝑐𝑟𝑒𝑑 = (𝜁 ⋅ 𝑌2𝑠 ) ⋅ 𝑢0 1 , run 𝑇𝜅 = 𝑇 .Insert(𝑐𝑟𝑒𝑑) registers
5.1. Correctness analysis
the anonymous credential. Where the registered 𝑐𝑟𝑒𝑑 is only known
privately by the issuer. Then, run 𝜃 = 𝑇𝜅 .AuthPath(𝑐𝑟𝑒𝑑) generate
authentication path. Updated Merkle tree root 𝑇𝑟𝑜𝑜𝑡 , and upload to a 5.1.1. Details of 𝑆𝑃 𝐾1
public panel such as blockchain; 𝑆𝑃 𝐾1 can be implemented using standard discrete logarithm proof
techniques.
Next, select 𝑧0 , 𝑧1 ← Z𝑞 and generate 𝛱𝑉1 :
( ) 1. (Commitment.) User  randomly selects 𝑠1 , 𝑠2 , 𝑠3 ∈𝑅 Z𝑞 and
𝑧0 , 𝑧1 , 𝑦1 , 𝑦2
1 ⎪ 𝑌 =
𝑦1 𝑦2
⎪(
) computes:
𝛱𝑉 = 𝑆𝑃 𝐾2 ⎨ 𝑢 ( 1 2 )𝑧1 ⎬ 𝑌𝑢 , 𝑠 , 𝑘,  ; 𝑠 𝑠 𝑠 𝑠 𝑦 𝑦
⎪ ∧ = 𝜁 ⋅𝑌 𝑠 𝐻 2 (𝑒𝑝𝑜𝑐ℎ∥𝑘)⋅𝑧 0 ⎪ 𝑇1 = 𝑔11 𝑔22 , 𝑇2 = 𝑌1 1 𝑌2 2 ⋅ 𝐶𝑚𝑠3 = (11 )𝑠1 (22 )𝑠2 ⋅ 𝐶𝑚𝑠3 .
⎩ 2
𝑢0 ⎭ 2. (Challenge.) The scheme uses non-interactive zero-knowledge
 store the Merkle tree 𝑇𝜅 and send (𝛱𝑉1 , 𝑠 , 𝑘, 𝜃) to user  .
proof, where the user  generates challenge 𝑐:
4.2.3. Show and verification certificate 𝑐 = 𝐻(𝑇1 ∥ 𝑇2 ∥ 𝑋𝑢 ∥ 𝜁 ∥ 𝑖𝑎𝑢𝑥𝑧𝑘𝑖𝑎𝑢𝑥𝑝𝑢𝑏 ).
( { }𝑛 ) ( { } )
̃ 𝑎𝑢𝑥𝑖 𝑛
𝑆𝑜𝑤𝐶𝑟𝑒𝑑𝑈 𝑝𝑝, 𝑉 , 𝑇𝑟𝑜𝑜𝑡 , cred, 𝜃, 𝑤𝑖 , 𝑎𝑢𝑥𝑖 𝑖=1 → 𝛱,
𝑖=1 3. (Proof.)  generates proof 𝛱𝑈1 that satisfies issuer policy
User  sends an access request message 𝑚𝑠𝑔, and the verifier 𝜄𝑧𝑘 , 𝜄𝑧𝑘 (𝐴𝑡𝑡𝑟𝑠, 𝑖𝑎𝑢𝑥𝑧𝑘 ) = 1, and computes 𝑆1 = 𝑠1 𝑐𝑥𝑢 , 𝑆2 =
returns a random number 𝑅 = 𝐻2 (𝑛𝑜𝑛𝑐𝑒 ∥ 𝑚𝑠𝑔); 𝑠2 𝑐𝑠 , 𝑆3 = 𝑠3 𝑐𝑡. The proof 𝛱𝑈1 = (𝑐, 𝑆1 , 𝑆2 , 𝑆3 ), and sends
 locally retrieves the verifiers access criteria 𝑉 and the root ((𝛱𝑈1 , 𝑖𝑎𝑢𝑥𝑧𝑘 ), 𝑖𝑎𝑢𝑥𝑝𝑢𝑏 ) to the issuer .
node 𝑇𝑟𝑜𝑜𝑡 of the tree containing 𝑐𝑟𝑒𝑑; 𝑆 𝑆 𝑆 𝑆
4. (Verify.)  computes 𝑇1 = 𝑋𝑢𝑐 𝑔1 1 𝑔2 2 , 𝑇2 = 𝜁 𝑐 𝑌1 1 𝑌2 2 ⋅ 𝐶𝑚𝑆3 , and
? ?
Upon receiving (𝑛𝑜𝑛𝑐𝑒, 𝑅), verify 𝑅 = 𝐻2 (𝑛𝑜𝑛𝑐𝑒 ∥ 𝑚𝑠𝑔), then verify: 𝑐 = 𝐻(𝑇1𝑇2𝑋𝑢 ∥ 𝜁 ∥ 𝑖𝑎𝑢𝑥𝑧𝑘𝑖𝑎𝑢𝑥𝑝𝑢𝑏 ). If verification
randomly select 𝛼0 ← Z𝑞 . For 𝑛 access criteria 𝛷′ = {𝜙1 , 𝜙2 , … , 𝜙𝑛 }, passes, then 𝛱𝑈1 is correct, otherwise abort.
partition the attribute set into public attributes 𝐴𝑇 𝑇 𝑅 and secret
attributes {𝑎𝑡𝑡𝑟𝑗𝐴𝑇 𝑇 𝑅 }. Compute the commitment using blind
5.1.2. Details of 𝑆𝑃 𝐾2
factor 𝑟:
SPK2 can also be implemented using standard discrete logarithm
𝐶𝑚 = 𝐶𝑜𝑚𝑚𝑖𝑡(𝑛𝑘, 𝑟𝑘, {𝑎𝑡𝑡𝑟𝑗𝐴𝑇 𝑇 𝑅 }; 𝑟) proof techniques.
⎛ ∏ ⎞ ∏
𝐻 (𝑎𝑡𝑡𝑟 ) 1. (Commitment.) The issuer/trust authority randomly selects
= ⎜𝑔1𝑛𝑘 𝑔2𝑟𝑘𝑢𝑖 1 𝑗𝑟0 ⎟ ⋅
𝐻 (𝑎𝑡𝑡𝑟 )
𝑢𝑖 1 𝑖 ;
⎜ ⎟ 𝑡1 , 𝑡2 , 𝑡3 , 𝑡4 ∈𝑅 Z𝑞 and computes:
𝑎𝑡𝑡𝑟 𝑗 ∉𝐴𝑇 𝑇 𝑅 ⎠ 𝑎𝑡𝑡𝑟 𝑖 ∉𝐴𝑇 𝑇 𝑅
Next, the times of certificate displays is initialized to 𝑛𝑗 = 1, and 𝑡 𝑡 𝐻 (𝑒𝑝𝑜𝑐ℎ∥𝑘)⋅𝑡4
𝐶1 = 11 22 , 𝐶2 = (𝜁 ⋅ 𝑌2𝑠 )𝑡3 ⋅ 𝑢0 2 .
𝑛𝑗 = 𝑛𝑗 + 1 (0 ≤ 𝑛𝑗 < 𝑘) is set for each generation of zero-knowledge
6
H. Di et al. Computer Standards & Interfaces 97 (2026) 104097
Fig. 2. System Flowchart.
2. (Challenge.) The scheme uses non-interactive zero-knowledge 2. (Challenge.) Using non-interactive zero-knowledge proof, the
proof, where  generates challenge 𝑐: user generates challenge 𝑐:
𝑐 = 𝐻(𝐶1 ∥ 𝐶2 ∥ 𝑌𝑢 ∥  ∥ 𝑠𝑘). 𝑐 = 𝐻(𝐴1 ∥ 𝐴2 ∥ 𝐴3 ∥ 𝐴4 ∥ 𝐴5 ∥ 𝑋0 ∥ 𝜁 ∥ 𝜂 ∥ 𝛤 ∥ 𝑇𝑟𝑜𝑜𝑡𝑎𝑢𝑥𝑖 ).
3. (Proof.) The issuer generates proof 𝛱𝑉1 by computing 𝐶1 = 3. (Proof.)  generates proof 𝛱̃ by computing:
𝑡1 𝑐𝑦1 , 𝐶2 = 𝑡2 𝑐𝑦2 , 𝐶3 = 𝑡3 𝑐𝑧1 , 𝐶4 = 𝑡4 𝑐𝑧0 . The
proof 𝛱𝑉1 = (𝑐, 𝐶1 , 𝐶2 , 𝐶3 , 𝐶4 ),  sends (𝛱𝑉1 , 𝑠 , 𝑘) to user. 𝐴1 = t3 𝑐𝛼0 , 𝐴2 = t4 𝑐𝑥𝑤 , 𝐴3 = t5 𝑐𝑠,
𝐶 𝐶 𝐴4 = t6 𝑐𝑡, 𝐴5 = n7 𝑐𝑛𝑗 , 𝐴6 = n8 𝑐𝜌1 ,
4. (Verify.) computes, C1 = 𝑌𝑢𝑐 1 1 2 2 , C2 = 𝑐 (𝜁 ⋅ 𝑌 𝑠 )𝐶3
2
𝐻2 (𝑒𝑝𝑜𝑐ℎ∥𝑘)⋅𝐶4 ?
𝑢0 , and verify: 𝑐 = 𝐻(C1 ∥ C2 ∥ 𝑌𝑢𝑍𝑘). ∥ 𝑠 𝐴7 = 𝜚2 𝑐𝑟𝑘, 𝐴8 = 𝜚1 𝑐𝑛𝑘.
If verification passes, then 𝛱𝑉1 is correct, otherwise abort.
The proof 𝛱̃ = (𝑐, 𝐴1 , 𝐴2 , 𝐴3 , 𝐴4 , 𝐴5 , 𝐴6 , 𝐴7 , 𝐴8 ), and sends
̃ 𝑎𝑢𝑥𝑖 , 𝑋0 , 𝜁 , 𝜂, 𝛤 , 𝑇𝑟𝑜𝑜𝑡 ) to verifier .
(𝛱,
5.1.3. Details of 𝑆𝑃 𝐾3
4. (Verify.)  computes:
The construction of 𝑆𝑃 𝐾3 includes zero-knowledge proof and range
proof. We divide 𝑆𝑃 𝐾3 into two parts 𝑆𝑃 𝐾3𝐴 and 𝑆𝑃 𝐾3𝐵 . The specific 𝐴 𝐴 𝐴
A1 = 𝑋0𝑐 𝑔0 1 𝛾 𝐻1 (𝜃) , A2 = 𝜁 𝑐 𝑌1 2 𝑌2 3 𝐶𝑚𝐴4 ,
details are as follows: ( )𝑐
( ) 𝐴 𝐴 ̃
𝑢
𝑛𝑘, 𝑟𝑘, 𝛼0 , 𝑥𝑢 , 𝑠, 𝑡, 𝑛𝑗 , 𝜌1 ⎫ A3 =  𝑐 𝑔1 5 𝑔2 6 , A4 = 𝜂 𝐴7 𝜂 𝐴5 ,
𝜂
𝑋0 = 𝑔0 𝛾 1
𝛼0 𝐻 (𝜃)
= 𝑌 𝑥𝑢 𝑌 𝑠 ⋅ 𝐶𝑚𝑡 ⎪ [ 𝑅 ]𝑐
⎪ ∧ 𝜁 1 2 ⎪( ) 𝑢𝑢0
̃ 𝐴 𝐴 𝐴
𝑆𝑃 𝐾3𝐴 ⎨ ∧  = 𝑔 𝑛𝑗 𝑔 𝜌1
𝑎𝑢𝑥𝑖 , 𝑋0 , 𝜁 , 𝜂, 𝛤 , 𝑇𝑟𝑜𝑜𝑡 , A5 = 𝑢0 8 𝑢0 5 𝑢0 2 𝛤 𝐴8 𝛤 𝐴5 ,
𝛤
⎪ 𝑢̃
1 2
𝑟𝑘 𝑛
⎪ ∧ 𝜂 =𝜂 𝜂 𝑗 ⎪ ?
⎪ and verify: 𝑐 = 𝐻(A1 ∥ A2 ∥ A3 ∥ A4 ∥ A5 ∥ 𝑋0 ∥ 𝜁 ∥ 𝜂 ∥ 𝛤 ∥
𝑢̃ 𝑅𝑢0 𝑛𝑘 𝑢𝑛𝑗 𝑢𝑥𝑢 𝛤 𝑛𝑘 𝛤 𝑛𝑗
⎩ ∧ 𝛤
= 𝑢 0 0 0
𝑇𝑟𝑜𝑜𝑡𝑎𝑢𝑥𝑖 ).
𝑛 𝜌
𝑆𝑃 𝐾3𝐵 {(𝑛𝑗 , 𝜌1 )  = 𝑔1 𝑗 𝑔2 1 ∧ 0 ≤ 𝑛𝑗 < 𝑘}(𝑚). In groups of unknown order, range proofs currently widely recognized
SPK3𝐵 is instantiated as a simple range proof, which will be dis- by academia and industry are based on the square decomposition
cussed later. Next, we demonstrate how to implement SPK3𝐴 . assumption [43] and 𝑛-ary decomposition [40], which can achieve
secure and efficient range proofs. However, we note that the range
1. (Commitment.)  randomly selects 𝜚1 , 𝜚2 , t3 , t4 , t5 , t6 , n7 , n8 ∈𝑅 proofs required in authentication protocols always take the form 0 ≤
Z𝑛𝑞 and computes: 𝑛 < 𝑘. If we set 𝑘 = 2𝜅 , we can easily construct a simple range proof
t t t n n
with complexity (𝜅), as shown in Eq. (1):
𝐴1 = 𝑔03 𝑦𝐻1 (𝜃) , 𝐴2 = 𝑌1 4 𝑌2 5 𝐶𝑚t6 , 𝐴3 = 𝑔1 7 𝑔2 8 ,
𝜚 n 𝑡 𝑃 𝑂𝐾𝑅𝐴𝑁𝐺𝐸 {(𝑛, 𝑟) 𝐶𝑛 = 𝑔0𝑛 𝑔1𝑟 ∧ 0 ≤ 𝑛 < 2𝜅 }. (1)
𝐴4 = 𝜂 𝜚2 𝜂 n7 , 𝐴5 = 𝑢0 1 𝑢0 7 𝑢0 4 𝛤 𝜚1 𝛤 n7 .
7
H. Di et al. Computer Standards & Interfaces 97 (2026) 104097
In this scheme, we use a Bulletproofs-based instantiation of 𝑆𝑃 𝐾3𝐵 . the adversary 1 forges parameters (𝑐𝑡𝑥 , 𝑛𝑘 , 𝑟𝑘 , 𝐴𝑡𝑡𝑟𝑠 ), selects the
Here we will briefly describe and provide a detailed proof process. random blind factor 𝑟 ∈ Z𝑞 , query 1 𝑄𝑢𝑒𝑟𝑦, and generates 𝐶𝑚∗ =
Please refer to the Ref. [29,43]. 𝐶𝑜𝑚𝑚𝑖𝑡 (𝑛𝑘 , 𝑟𝑘 , 𝐴𝑡𝑡𝑟𝑠 ; 𝑟 ). Next, choose 𝑥𝑢 , 𝑠 , 𝑡 ← Z𝑞 , calculate 𝛱𝑈1 :
∑ ( )
1. (Prove.) First, perform binary decomposition on 𝑛, 𝑛 = 𝑘1 𝑖
𝑖=0 𝑏𝑖 2 ,
𝑥𝑢 , 𝑠 , 𝑡 , 𝑟 , 𝑛𝑘 , 𝑟𝑘 , 𝐴𝑡𝑡𝑟𝑠
where 𝑏 ∈ {0, 1}. Construct vector 𝐚𝐿 = (𝑏0 , 𝑏1 , … , 𝑏𝑘1 ), 𝐚𝑅 = ⎪ 𝑥𝑢 𝑠
𝑋𝑢 = 𝑔1 𝑔2 ⎪( )
𝐚𝐿 𝟏𝑘 (𝑎𝑅,𝑖 = 𝑏𝑖 1). Next, choose blind factor 𝛼, 𝜌 ← Z𝑞 , 𝒔𝐿 , 𝒔𝑅 ← 𝛱𝑈1 = 𝑆𝑃 𝐾1 ⎨ ( ) 𝑋𝑢 , 𝜁 , 𝑖𝑎𝑢𝑥𝑧𝑘 , 𝑖𝑎𝑢𝑥𝑝𝑢𝑏 .
𝑎 𝑥 𝑏 𝑠 ⋅ 𝐶𝑚∗𝑡∗
Z𝑘𝑞 , compute the initialization commitment 𝐴 = 𝛼 𝒈𝒂𝐿 𝒉𝒂𝑅 , 𝑆 = ⎪ 𝛬 𝜁 (= ( ) 𝑢  ) ⎪
⎪ 𝛬 𝜄𝑧𝑘 𝐴𝑡𝑡𝑟𝑠 , 𝑖𝑎𝑢𝑥𝑧𝑘 = 1 ⎪
𝜌 𝒈𝒔𝐿 𝒉𝒔𝑅 . Then, construct a non-interactive proof challenge 𝑦 = ⎩
( ) ⎭ ( )
( ) Sending 𝛱𝑈1 , 𝑖𝑎𝑢𝑥𝑧𝑘 , 𝑖𝑎𝑢𝑥𝑝𝑢𝑏 to the issuer,  checks 𝜄𝑝𝑢𝑏 𝑖𝑎𝑢𝑥𝑝𝑢𝑏
𝐻 𝐴, 𝑆, 𝐶𝑛 , 𝑧 = 𝐻(𝑦, 𝐴, 𝑆) based on FiatShamir and polyno-
( ) 1
and validates 𝛱𝑈 , aborts if it fails, otherwise it selects a random
mials 𝒍(𝑥) = 𝒂𝐿 𝑧𝟏𝑘 + 𝒔𝐿 𝑥, 𝒓(𝑥) = 𝑦𝑘𝒂𝑅 + 𝑧𝟏𝑘 + 𝒔𝑅 𝑥, calculate
the inner product 𝑡 = ⟨𝒍(𝑥), 𝒓(𝑥)⟩, 𝜏𝑥 ← Z𝑝 , 𝑇 = 𝑔 𝑡 ℎ𝜏𝑥 . The final number 𝑠 ∈ Z𝑞 and performs 2 𝑄𝑢𝑒𝑟𝑦. Embed tuple  = (, 𝑎 , 𝑏 ),
challenge is 𝑥 = 𝐻(𝑧, 𝑦, 𝑇 ), generate response 𝒍 = 𝒍(𝑥), 𝒓 = register 𝑐𝑟𝑒𝑑 = (𝜁 ⋅ (𝑏 )𝑠 ) ⋅ 𝑢𝑤 0
, generate the forged Merkle
tree 𝑇 , update the root node to 𝑇𝑟𝑜𝑜𝑡 , select 𝑧 , 𝑧 ← Z , Calculate
𝒓(𝑥), 𝑡̂ = ⟨𝒍, 𝒓⟩, 𝜏 = 𝜏𝑥 + 𝑥2 𝜌, 𝜇 = 𝛼 + 𝑥𝜌. Finally output the proof { 0 1 𝑞 }
𝜋 = (𝐴, 𝑆, 𝑇 , 𝑡̂, 𝜏, 𝜇, 𝒍, 𝒓). ( ) 𝑤 ⋅𝑧∗
𝛱𝑉1 = 𝑆𝑃 𝐾2 𝑧0 , 𝑧1 , 𝑎, 𝑏 𝑌𝑢 = 𝑎 𝑏 ∧ ∗ = (𝜁 ⋅ (𝑏 )𝑠 )𝑧1 ⋅ 𝑢0 0
2. (Verify.) Upon receiving the commitment 𝐶𝑛 , proof 𝜋, recal-
( )
(𝑌𝑢 , 𝑠 , 𝑘 , ∗ ), send (𝛱𝑉1 , 𝑠 , 𝑘 , 𝜃 ) to adversary 1 , 1 calculate
culate the challenge 𝑦 = 𝐻 𝐴, 𝑆, 𝐶𝑛 , 𝑧 = 𝐻(𝑦, 𝐴, 𝑆), 𝑥 =
⟨ ⟩ 𝑠 = 𝑠 + 𝑠 and save to local.
𝐻(𝑧, 𝑦, 𝑇 ). Next, compute offset value 𝛿𝑦 = 𝑦𝑘 , 𝑧𝟏𝑘 + 𝑧2 2𝑘 , and
𝑘 ( )𝑧𝟏 𝑘 +𝑧2 2𝑘 𝑄𝑢𝑒𝑟𝑦3 : In this phase 1 to show the proof, using zero knowledge
reconstruct the commitment 𝑃 = 𝐴𝑆 𝑥 ⋅ ℎ−𝜇 ⋅ 𝒈𝑧𝟏𝒉 ,
? 2
simulator , run algorithm 𝑆𝑜𝑤𝐶𝑟𝑒𝑑 forged 𝑡𝑜𝑘𝑒𝑛 and 𝑉 𝑒𝑟𝑖𝑓 𝑦𝑆𝑜𝑤
where 𝒉 = 𝒉◦𝑦𝑘 . Then, verify inner product 𝑔 𝑡̂ℎ𝜏 = 𝑇𝐶𝑛𝑍𝑔 𝛿𝑦 . interact. Adversary 1 forges the message 𝑚𝑠𝑔 requesting access to
If passed, accept, otherwise, reject. .  selects 𝑛𝑜𝑛𝑐𝑒 , conducts 3 𝑄𝑢𝑒𝑟𝑦 query, calculates 𝑟 , and
returns it to adversary 1 . Adversary 3 𝑄𝑢𝑒𝑟𝑦 hash verification,
5.2. Theoretical security analysis if by selecting public attribute 𝑎𝑡𝑡𝑟𝑖𝐴𝑇
( 𝑇 𝑅 , the secret attribute )is
𝑎𝑡𝑡𝑟𝑗𝐴𝑇 𝑇 𝑅∗ , calculate 𝐶𝑚∗ = Commit 𝑛𝑘 , 𝑟𝑘 , 𝑎𝑡𝑡𝑟𝑗𝐴𝑇 𝑇 𝑅∗ ; 𝑟 ,
5.2.1. Proof of Game1 ( )
select 𝑛𝑗 0 ≤ 𝑛𝑗 < 𝑘 , 𝛼0 ← Z𝑞 , generate 𝛱 ̃ , send
{ } 𝑖=𝑛 ( )
Theorem 1. The scheme is unforgeable if the DLP and DDH assumptions ̃ , 𝑎𝑢𝑥𝑖
(𝛱
, 𝜃 , 𝑇𝑟𝑜𝑜𝑡 , 𝛷′ , 𝑎𝑡𝑡𝑟𝑖𝐴𝑇 𝑇 𝑅∗ ) to .
𝑖=1
hold. Forgery. Adversary 1 outputs the forged certificate 𝑐𝑟𝑒𝑑 and the
corresponding authentication path 𝜃 , which meets the condition that
Proof. Suppose that the adversary 1 forges the credential with the 𝑐𝑟𝑒𝑑 was not generated through legal issuance.  running )algorithm
( ( ) { }
non-negligible probability 𝜖, we construct reduction algorithm  to VerifyShow, 𝑉 𝑒𝑟𝑖𝑓 𝑦𝑆𝑜𝑤 𝑝𝑝, 𝑉 , 𝑐𝑟𝑒𝑑 , 𝑇𝑟𝑜𝑜𝑡 ̃ , 𝑎𝑢𝑥𝑖 𝑖=𝑖 = 1.
,𝛱 𝑖=1
solve the DLP or CDH problem with the non-negligible advantage Then, requery 3 by rewinding technique to obtain 𝑟 , modify the
𝜖 𝑛𝑒𝑔𝑙. The reduction algorithm  embeds the group parameter tuple new challenge to 𝑐 ≠( 𝑐 , compute the response and output ̃
) 𝛱 to
 = (, 𝑎 , 𝑏 ) into the problem instance,  can control and program
extract witness 𝑤 = 𝑥𝑢 , 𝑠 , 𝑡 , 𝑟 , 𝑛𝑘 , 𝑟𝑘 , 𝑎𝑡𝑡𝑟𝑗𝐴𝑇 𝑇 𝑅∗ , separate
the random oracle, and simulates the whole system:
Setup. Challenger 1 run system initialization algorithm from the witness 𝜁 = (𝑎 )𝑥𝑢 (𝑏 )𝑠 ⋅ 𝐶𝑚∗𝑡 = (𝑎𝑏 )𝑥𝑢 ⋅𝑠 ⋅ 𝐶𝑚∗𝑡 . According
𝑆𝑒𝑡𝑢𝑝(1𝜆 , 1 , 1𝑚 ) generate 𝑝𝑝, send 𝑝𝑝 to simulator . 1 save issuer to the above proof, if the forgery credential 𝑐𝑟𝑒𝑑 and the corresponding
private key 𝑖𝑠𝑘 = (𝑦1 , 𝑦2 ). authentication path 𝜃 make it difficult to compute 𝑎𝑏 on G, the
Query. In this phase, 1 query random Oracle − 𝑄𝑢𝑒𝑟𝑦, 𝑄𝑢𝑒𝑟𝑦2 , probability that adversary 1 will successfully forge a credential for the
and 𝑄𝑢𝑒𝑟𝑦3 , 1 random response and recording. first time is 𝜖, and the probability of a single retry is about 𝜖 2 . By the
− 𝑄𝑢𝑒𝑟𝑦: The adversary 1 can query the random oracle 1 , 2 , 3 . universal bifurcation Lemma, since adversary 1 performs 𝑞𝐻3 queries.
Before any hash query,  will prepare three empty hash lists 1,2,3 , The probability of success is 𝜖 2 𝑞𝐻3 , then the advantage of simulator
and define the query number size as 𝑞𝐻1 , 𝑞𝐻2 , 𝑞𝐻3 to record the query to break CDH hard problem successfully is 𝜖 2 𝑞𝐻3 𝑛𝑒𝑔𝑙.
response. [ ]
1 𝑄𝑢𝑒𝑟𝑦: Before 1 query,  randomly selected 𝑖1 ∈ 1, 𝑞𝐻1 , the 5.2.2. Proof of Game2
input attribute 𝑎𝑡𝑡𝑟𝑖 ,  record of all the queries in the list 1 , and make
a response. If 𝑖 = 𝑖1 ,  return values in the list, otherwise  generated Theorem 2. The Scheme is anonymity and unlinkability if the CDH
1 (𝑎𝑡𝑡𝑟𝑖 ), records (𝑖, 𝑎𝑡𝑡𝑟𝑖 , 1 (𝑎𝑡𝑡𝑟𝑖 )) in 1 . assumption hold.
[ ]
2 𝑄𝑢𝑒𝑟𝑦: Before the 2 query,  randomly selects 𝑖2 ∈ 1, 𝑞𝐻2 ,
Proof. Suppose that the adversary 2 distinguishes credentials with
after entering each user time period 𝑒𝑝𝑜𝑐𝑖 , and the maximum number
a non-negligible advantage 𝜖, and construct a reduction algorithm 
of credentials to be initialized 𝑘𝑖 ,  records all queries in the list 2 ,
to solve the DDH problem with a non-negligible advantage 𝜖 𝑛𝑒𝑔𝑙.
and responds. If 𝑖 = 𝑖2 ,  returns the value in the list, otherwise 
generates 2 (𝑒𝑝𝑜𝑐𝑘) with the following Eq. (2): The reduction algorithm  embedded the group parameter tuple  =
{ (, 𝑎 , 𝑏 , 𝑐 ) into the DDH problem instance, and the adversary 2
( ) 𝑤 , 𝑖 = 𝑖2 determined whether 𝑐 = 𝑎𝑏 or random, and simulated the whole
2 𝑒𝑝𝑜𝑐𝑖𝑘𝑖 = . (2)
𝑤 , otherwise process:
( (𝑖 ) ( ))
Then,  record 𝑖, epoch 𝑖𝑘𝑖 , 2 𝑒𝑝𝑜𝑐𝑖𝑘𝑖 in the [ list ]2 . Setup. Same with the initialization of Game 1.
3 𝑄𝑢𝑒𝑟𝑦: Before 3 queries,  randomly selected 𝑖3 ∈ 1, 𝑞𝐻3 , the Query. Adversary 2 can continue to query issuance and show, but
input random 𝑛𝑜𝑛𝑐𝑒𝑖 and message 𝑚𝑠𝑔𝑖 ,  record of all the queries in cannot query revocation or presentation of challenge credentials. At the
the list 3 , and respond. If 𝑖 = 𝑖3 ,  return values in the list, otherwise same time also can query 1 𝑄𝑢𝑒𝑟𝑦.
 generated 2 (𝑛𝑜𝑛𝑐𝑒 ∥ 𝑚𝑠𝑔) in the following Eq. (3): Challenge. Adversary 2 submits two attribute sets 𝐴𝑡𝑡𝑟𝑠0 and
{ 𝐴𝑡𝑡𝑟𝑠1 , that satisfy the same access policy to challenger 2 . Since the
( ) 𝑟 , 𝑖 = 𝑖3
2 𝑛𝑜𝑛𝑐𝑒𝑖 ∥ 𝑚𝑠𝑔𝑖 = . (3) parameter related to the attribute set in zero-knowledge is 𝜁 . The
𝑟𝑖 , otherwise
challenger 2 calls the simulator  to simulate the SPK and prove
( ( ) ( ))
Then,  record 𝑖, 𝑛𝑜𝑛𝑐𝑒𝑖 ∥ 𝑚𝑠𝑔𝑖 , 2 𝑛𝑜𝑛𝑐𝑒𝑖 ∥ 𝑚𝑠𝑔𝑖 in the list 3 , the embedding group parameter tuple  = (, 𝑎 , 𝑏 , 𝑐 ), randomly
where oracle 2 and 3 share a hash function. 𝑄𝑢𝑒𝑟𝑦2 : In this phase, select 𝑎, 𝑏 ← Z𝑞 , and calculate 𝜁1 . Select 𝑐 ← Z𝑞 calculate 𝜁2 . Next,
8
H. Di et al. Computer Standards & Interfaces 97 (2026) 104097
Table 3
Average times of cryptographic and Merkle tree operations.
Symbol Definition secp256k1 (128-bit security) BLS12-381 (128-bit security)
100 s/Leaves 1000 s/Leaves 100 s/Leaves 1000 s/Leaves
𝑇𝑏𝑝 Bilinear pairing operation time 0.9162 ms 0.9466 ms
𝑇 Hash computation time 0.0003 ms 0.0000 ms 0.0001 ms 0.0000 ms
𝑇𝑒𝑝 Exponentiation time in group G 0.0211 ms 0.0314 ms 0.2606 ms 0.2677 ms
G1 :0.3958 ms G1 :0.2686 ms
𝑇𝑚𝑝−𝑒𝑐 Elliptic curve point multiplication time 0.0254 ms 0.0234 ms
G2 :0.8140 ms G2 :0.8009 ms
G1 :0.0007 ms G1 :0.0006 ms
𝑇𝑎𝑑𝑑𝑒𝑐 Elliptic curve point addition time 0.0462 ms 0.0530 ms
G2 :0.0018 ms G2 :0.0018 ms
𝑇𝜅𝐺 Generation algorithm of tree 𝑇𝜅 0.0025 ms 0.0024 ms 0.0029 ms 0.0023 ms
𝑇𝜅𝑉 Verification algorithm of tree 𝑇𝜅 0.0004 ms 0.0002 ms 0.0020 ms 0.0002 ms
𝑇𝜅𝑈 Update algorithm of tree 𝑇𝜅 0.0002 ms 0.0002 ms 0.0003 ms 0.0003 ms
Table 4
Computation and communication cost analysis.
Algorithms Parameter Phase Computation cost Communication cost
𝑆𝑒𝑡𝑢𝑝 𝑝𝑝 2𝑇𝑒𝑝 (13 + 𝑚)|G|
𝐼𝑠𝑠𝑢𝑒𝑆𝑒𝑡𝑢𝑝𝐼 (𝐼, 𝜄𝑝𝑢𝑏 )
𝑆𝑜𝑤𝑆𝑒𝑡𝑢𝑝𝑉 𝑉
𝐶𝑚 (3 + 𝑚)𝑇𝑒𝑝 + 𝑚𝑇ℎ + 3𝑇𝑚𝑝𝑒𝑐 |G|
𝐼𝑠𝑠𝑢𝑒𝑅𝑒𝑞𝑈
Proof (16 + 𝑚)𝑇𝑒𝑝 + 3𝑇𝑚𝑝𝑒𝑐 2|G| + 5|Z𝑞 |
𝛱𝑈1
Verify 7𝑇𝑒𝑝
𝑐𝑟𝑒𝑑 1𝑇𝑒𝑝 + 2𝑇𝑚𝑝𝑒𝑐 + 1𝑇
𝐼𝑠𝑠𝑢𝑒𝐺𝑟𝑎𝑛𝑡𝐼 𝑇𝜅 𝑇𝜅𝐺
Proof 8𝑇𝑒𝑝 + 1𝑇 + 3𝑇𝑚𝑝𝑒𝑐 2|G| + 6|Z𝑞 |
𝛱𝑉1
Verify 6𝑇𝑒𝑝
𝛱̃ Proof 25𝑇𝑒𝑝 5|G| + 7|Z𝑞 |
𝑆𝑜𝑤𝐶𝑟𝑒𝑑𝑈
{𝑎𝑢𝑥𝑖 }𝑛𝑖=1 i|Z𝑞 |
𝑉 𝑒𝑟𝑖𝑓 𝑦𝑆𝑜𝑤𝑉 Verify 26𝑇𝑒𝑝 + 𝑇𝜅𝑉
𝑅𝑒𝑣𝑜𝑘𝑒𝐶𝑟𝑒𝑑 𝑇𝜅′ 𝑇𝜅𝑈
Note*: i is the number of access criteria defined per verifier.
simulator  selects 𝑏 ← ( {0, 1}, and uses 𝐴𝑡𝑡𝑟𝑠𝑏 to generate the cre- ) 6.2. Algorithm computation and communication cost analysis
{ } ( )
dential display 𝛱̃ 𝑏 . Send 𝛱 ̃ 𝑏 , 𝑎𝑢𝑥𝑖 𝑖=𝑖 , 𝜃, 𝑇𝑟𝑜𝑜𝑡 , 𝛷′ , 𝑎𝑡𝑡𝑟𝑖𝐴𝑇 𝑇 𝑅
𝑖=1
to adversary 2 . Table 4 shows the computational cost and communication cost
Guess. 2 guesses 𝑏 from the output 𝛱 ̃ 𝑏 , and the advantage is of the proposed algorithm in the scheme. The algorithm includes
| [ ] |
defined as: |Pr 𝑏 = 𝑏 12 |. 8 algorithms as follows. 𝑆𝑒𝑡𝑢𝑝, 𝐼𝑠𝑠𝑢𝑒𝑆𝑒𝑡𝑢𝑝𝐼 , 𝑆𝑜𝑤𝑆𝑒𝑡𝑢𝑝𝑉 , 𝐼𝑠𝑠𝑢𝑒𝑅𝑒𝑞𝑈 ,
| |
𝐼𝑠𝑠𝑢𝑒𝐺𝑟𝑎𝑛𝑡𝐼 , 𝑆𝑜𝑤𝐶𝑟𝑒𝑑𝑈 ,
According to the above proof, if two attribute sets satisfying the
𝑉 𝑒𝑟𝑖𝑓 𝑦𝑆𝑜𝑤𝑉 and 𝑅𝑒𝑣𝑜𝑘𝑒𝐶𝑟𝑒𝑑. The computational cost increases
same access policy are (submitted 𝐴𝑡𝑡𝑟𝑠0 , 𝐴𝑡𝑡𝑟𝑠 ̃
) 1 . It( is difficult for 𝛱)𝑏 linearly with the number of attributes 𝑚. We compared the single user
to distinguish between 𝑎 , 𝑏 , 𝑎⋅𝑛𝑘+𝑏⋅𝑟𝑘+𝑎𝑏⋅𝑟 and 𝑎 , 𝑏 , 𝑎⋅𝑛𝑘+𝑏⋅𝑟𝑘+𝑐⋅𝑟
in Table 4 cases for each verifier ℶ access criteria general computation
on G, then adversary 2 succeeds in distinguishing credentials with
and communication costs. Respectively, (94 + 2 𝑚)𝑇𝑒𝑝 + (𝑚 + 2)𝑇 +
non-negligible probability 𝜖𝑞𝐻1 . Then the advantage of the simulator
11𝑇𝑚𝑝𝑒𝑐 + 𝑇𝜅𝐺 + 𝑇𝜅𝑉 and (22 + 𝑚)|G| + (18 + ℶ)|Z𝑞 |. The cost of a single
 to break the DDH hard problem successfully is 𝜖𝑞𝐻1 𝑛𝑒𝑔𝑙.
algorithm is shown in Table 4 below:
Note that even if the underlying Merkle path remains the same
for repeated authentications, the simulator ensures that each creden-
6.3. Computation and communication cost comparison
tial presentation is randomized. Therefore, the adversarys advantage
does not increase by observing identical path values, which remain
In Table 1 of Section 2, we have compared the functions of the ex-
computationally indistinguishable across sessions.
isting schemes [19,2931,3335]. The scheme [3234] satisfies the 𝑘-
times period anonymous authentication function. Since the scheme [32]
Theorem 3. The Scheme is attribute Privacy if the CDH assumption hold.
is constructed based on bilinear pairing. Here, we compare the scheme
Similar anonymity, but in view of the properties rather than identity.
[33,34] with the proposed scheme in the computation cost processes of
6. Performance analysis issuance, show and verification. Using the lightweight curve secp256k1
environment, as shown in Table 5 and Fig. 3. In Table 1, the scheme
6.1. Experimental setup [33] does not support the attribute selection disclosure function and
does not increase with the increase of the number of attributes 𝑚.
The scheme is based on AMD Ryzen9 7945HX processor, Rust 1.75 Therefore, the data results in Fig. 3 show that our scheme is better
and Ubuntu 22.04 LTS environment, and the error is controlled within than the scheme [33] when the number of attributes 𝑚 is small.
5%. The test program is written in 𝑅𝑢𝑠𝑡 and performs benchmark Throughout the entire process, the overall performance was superior
evaluations on SHA-256 hacks, elliptic curve operations, and Merkle to the scheme [34]. Finally, the data results show that our scheme
tree operations with the 128-bit security secp256k1, BLS12-381, and is superior to the existing schemes under the condition of similar
sha2 libraries. The experiment measured the average time of 100 and functions.
1000 operations (as shown in Table 3). All tests were compiled based In addition to the above experimental comparison, we also added
on release optimization to ensure accurate and reliable performance the proposed scheme to test the computational overhead under two
results. different curve environments, BLS12-381 supporting bilinear pairing
9
H. Di et al. Computer Standards & Interfaces 97 (2026) 104097
Table 5
Computation cost comparison.
Scheme Computation cost (ms)
Credential issuance Certificate showing Authentication credentials
[33] 15𝑇𝑒𝑝 + 10𝑇𝑚𝑝𝑒𝑐 + 2𝑇𝑎𝑑𝑑𝑒𝑐 31𝑇𝑒𝑝 + 6𝑇𝑚𝑝𝑒𝑐 + 𝑇 20𝑇𝑒𝑝 + 9𝑇𝑚𝑝𝑒𝑐 + 𝑇
[34] (5 𝑚 + 40)𝑇𝑒𝑝 + (3 𝑚 + 4)𝑇 (𝑚 + 22)𝑇𝑒𝑝 + 𝑇 (𝑚 + 23)𝑇𝑒𝑝
Our Scheme (𝑚 + 35)𝑇𝑒𝑝 + (𝑚 + 2)𝑇 + 11𝑇𝑚𝑝𝑒𝑐 + 𝑇𝜅𝐺 (16 + 𝑚)𝑇𝑒𝑝 + 𝑚𝑇ℎ 19𝑇𝑒𝑝 + 𝑇 + 𝑇𝜅𝑉
(a) (b) (c) (d)
Fig. 3. Computation cost comparison.
Fig. 4. Computation cost comparison of different curves.
Fig. 5. Communication cost comparison.
and lightweight curve secp256k1, as shown in Fig. 4. The exper- 7. Conclusion
imental results show that the scheme has more advantages under
lightweight curve. It is suggested to apply the proposed scheme under In this paper, we propose a 𝑘-times periodic anonymous authen-
curve secp256k1.
tication that does not require the issuer to hold a key and supports
Finally, the communication cost of the existing scheme [33,34] is
the access criteria. Compared with other existing 𝑘-Times periodic
compared and calculated based on the size of the data to be transmitted
anonymous authentication schemes, the proposed scheme not only has
during the anonymous certificate display process. We test the commu-
lower computational cost, but also eliminates the need for the issuer to
nication efficiency on curve secp256k1, where the group element and
hold the issuing information or the user key, and only needs to upload
integer size of curve secp256k1 are |G| = 264𝑏𝑖𝑡𝑠 = 33𝑏𝑦𝑡𝑒𝑠, |Z𝑞 | =
256𝑏𝑖𝑡𝑠 = 32𝑏𝑦𝑡𝑒𝑠, respectively. In the test, it is assumed that the the root path of the Merkle tree to the blockchain or public panel, which
access criterion ℶ is 1, and the number of user attributes is 1. The ensures that the subsequent authentication can still be carried out even
communication costs of the schemes [33,34] are respectively 8|G| + in the case of the failure of the issuing center. In terms of security,
11|Z𝑞 |, and (𝑚 + 14)|G| + 8|Z𝑞 |. The parameters that our scheme needs it satisfies a series of DAC security properties, including anonymity,
to transmit for presentation are (𝛱, ̃ {𝑎𝑢𝑥𝑖 }𝑛 , 𝑋0 , 𝜁 , 𝜂, 𝛤 , 𝜃), where 𝛱̃ = unlinkability, unforgeability and attribute privacy. The limitation of
𝑖=1
(𝑐, 𝐴1 , 𝐴2 , 𝐴3 , 𝐴4 , 𝐴5 , 𝐴6 , 𝐴7 , 𝐴8 ). Therefore, the total communication current schemes is that they rely on classical cryptography, which
cost during the transmission process is 4|G| + (9 + ℶ)|Z𝑞 |. As shown cannot resist quantum computing attacks. To address this challenge,
in Fig. 5. we plan to integrate quantum-resistant cryptographic frameworks, such
10
H. Di et al. Computer Standards & Interfaces 97 (2026) 104097
as lattice-based signature, coding cryptography, or multivariate poly- [14] C. Garman, M. Green, I. Miers, Decentralized anonymous credentials, in: Proceed-
nomial encryption in future research to construct periodic 𝑘-times ings of the 21st NDSS, 2014, URL: https://www.ndss-symposium.org/ndss2014/
authentication schemes with post-quantum security. decentralized-anonymous-credentials.
[15] D. Derler, C. Hanser, D. Slamanig, A new approach to efficient revocable
attribute-based anonymous credentials, in: Cryptography and Coding, 2015, pp.
CRediT authorship contribution statement 5774.
[16] T. Bui, T. Aura, Application of public ledgers to revocation in distributed access
Hongyan Di: Writing original draft, Methodology, Formal analy- control, in: Information and Communications Security, 2018, pp. 781792.
[17] A. Sonnino, M. Al-Bassam, S. Bano, S. Meiklejohn, G. Danezis, Coconut: Thresh-
sis, Data curation, Conceptualization. Yinghui Zhang: Writing review
old issuance selective disclosure credentials with applications to distributed
& editing, Supervision, Project administration, Methodology, Funding ledgers, in: 26th Annual Network and Distributed System Security Symposium,
acquisition. Ziqi Zhang: Writing original draft, Formal analysis, Data NDSS, 2019, URL: https://arxiv.org/pdf/1802.07344.
curation. Yibo Pang: Project administration, Formal analysis, Data [18] H. Halpin, Nym credentials: Privacy-preserving decentralized identity with
curation. Rui Guo: Writing original draft, Methodology, Formal anal- blockchains, in: 2020 Crypto Valley Conference on Blockchain Technology,
ysis. Yangguang Tian: Writing original draft, Project administration, CVCBT, 2020, pp. 5667, http://dx.doi.org/10.1109/CVCBT50464.2020.00010.
[19] H. Cui, M. Whitty, A. Miyaji, Z. Li, A blockchain-based digital identity manage-
Methodology, Funding acquisition. ment system via decentralized anonymous credentials, in: Proceedings of the 6th
ACM International Symposium on Blockchain and Secure Critical Infrastructure,
Declaration of competing interest 2025, pp. 111, http://dx.doi.org/10.1145/3659463.3660027.
[20] C. Lin, D. He, H. Zhang, L. Shao, X. Huang, Privacy-enhancing decentralized
anonymous credential in smart grids, Comput. Stand. Interfaces 75 (2021)
The authors declare that they have no known competing finan-
103505, http://dx.doi.org/10.1016/j.csi.2020.103505.
cial interests or personal relationships that could have appeared to [21] Z. Ma, J. Zhang, Y. Guo, Y. Liu, X. Liu, W. He, An efficient decentralized key
influence the work reported in this paper. management mechanism for VANET with blockchain, IEEE Trans. Veh. Technol.
69 (2020) 58365849, http://dx.doi.org/10.1109/TVT.2020.2972923.
Data availability [22] J. Zhang, J. Cui, H. Zhong, I. Bolodurina, L. Liu, Intelligent drone-assisted
anonymous authentication and key agreement for 5G/B5G vehicular ad-hoc
networks, IEEE Trans. Netw. Sci. Eng. 8 (2021) 29822994, http://dx.doi.org/
Data will be made available on request. 10.1109/TNSE.2020.3029784.
[23] D. Liu, H. Wu, C. Huang, J. Ni, X. Shen, Blockchain-based credential management
for anonymous authentication in SAGVN, IEEE J. Sel. Areas Commun. 40 (2022)
References 31043116, http://dx.doi.org/10.1109/JSAC.2022.3196091.
[24] D. Liu, H. Wu, J. Ni, X. Shen, Efficient and anonymous authentication with
[1] K.Y. Lam, C.H. Chi, Identity in the internet-of-things (IoT): New challenges and succinct multi-subscription credential in SAGVN, IEEE Trans. Intell. Transp. Syst.
opportunities, in: Information and Communications Security, 2016, pp. 1826. 23 (2022) 28632873, http://dx.doi.org/10.1109/TITS.2022.3147354.
[2] K. Shafique, B.A. Khawaja, F. Sabir, S. Qazi, M. Mustaqim, Internet of things [25] L. Wei, Y. Zhang, J. Cui, H. Zhong, I. Bolodurina, D. He, A threshold-based full-
(IoT) for next-generation smart systems: A review of current challenges, future decentralized authentication and key agreement scheme for VANETs powered
trends and prospects for emerging 5G-IoT scenarios, IEEE Access 8 (2020) by consortium blockchain, IEEE Trans. Mob. Comput. 23 (2024) 1250512521,
2302223040, http://dx.doi.org/10.1109/ACCESS.2020.2970118. http://dx.doi.org/10.1109/TMC.2024.3412106.
[3] L. Ante, C. Fischer, E. Strehle, A bibliometric review of research on digital [26] M. Zeng, J. Cui, Q. Zhang, H. Zhong, D. He, Efficient revocable cross-domain
identity: Research streams, influential works and future research paths, J. Manuf. anonymous authentication scheme for IIoT, IEEE Trans. Inf. Forensics Secur. 20
Syst. 62 (2022) 523538, http://dx.doi.org/10.1016/j.jmsy.2022.01.005. (2025) 9961010, http://dx.doi.org/10.1109/TIFS.2024.3523198.
[4] M.A. Olivero, A. Bertolino, F.J.D. Mayo, M.J.E. Cuaresma, I. Matteucci, Digital [27] I. Teranishi, J. Furukawa, K. Sako, K-times anonymous authentication (extended
persona portrayal: Identifying pluridentity vulnerabilities in digital life, J. Inf. abstract), in: Advances in Cryptology - ASIACRYPT 2004, 2004, pp. 308322.
Secur. Appl. 52 (2020) 102492, URL: https://api.semanticscholar.org/CorpusID: [28] L. Nguyen, R. Safavi-Naini, Dynamic k-times anonymous authentication, in:
215881538. Applied Cryptography and Network Security, 2005, pp. 318333.
[29] M.H. Au, W. Susilo, Y. Mu, Constant-size dynamic k-TAA, in: Security and
[5] M.S. Ferdous, F. Chowdhury, M.O. Alassafi, In search of self-sovereign identity
Cryptography for Networks, 2006, pp. 111125.
leveraging blockchain technology, IEEE Access 7 (2019) 103059103079, http:
[30] U. Chaterjee, D. Mukhopadhyay, R.S. Chakraborty, 3PAA: A private PUF protocol
//dx.doi.org/10.1109/ACCESS.2019.2931173.
for anonymous authentication, IEEE Trans. Inf. Forensics Secur. 16 (2021)
[6] A. Shabtai, Y. Elovici, L. Rokach, List of data breaches and cyber attacks in 2023.
756769, http://dx.doi.org/10.1109/TIFS.2020.3021917.
Media report. IT governance, 2023, URL: https://www.itgovernance.co.uk/blog/
[31] J. Huang, W. Susilo, F. Guo, G. Wu, Z. Zhao, Q. Huang, An anonymous
list-of-data-breaches-andcyber-attacks-in-2023.
authentication system for pay-as-you-go cloud computing *, IEEE Trans. Depend-
[7] P.C. Bartolomeu, E. Vieira, S.M. Hosseini, J. Ferreira, Self-sovereign identity:
able Secur. Comput. 19 (2) (2022) 12801291, http://dx.doi.org/10.1109/TDSC.
Use-cases, technologies, and challenges for industrial IoT, in: 2019 24th IEEE
2020.3007633.
International Conference on Emerging Technologies and Factory Automation,
[32] J. Camenisch, S. Hohenberger, M. Kohlweiss, A. Lysyanskaya, M. Meyerovich,
ETFA, 2019, pp. 11731180, http://dx.doi.org/10.1109/ETFA.2019.8869262.
How to win the clonewars: efficient periodic n-times anonymous authentication,
[8] European Union, Regulation (EU) 2016/679 of the European parliament and of
in: Proceedings of the 13th ACM Conference on Computer and Communications
the council of 27 april 2016 on the protection of natural persons with regard
Security, 2006, pp. 201210, http://dx.doi.org/10.1145/1180405.1180431.
to the processing of personal data and on the free movement of such data,
[33] B. Lian, G. Chen, M. Ma, J. Li, Periodic 𝐾 -times anonymous authentication with
and repealing directive 95/46/EC (general data protection regulation), 2016,
efficient revocation of violators credential, IEEE Trans. Inf. Forensics Secur. 10
[Online] Available: URL: https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng.
(3) (2015) 543557, http://dx.doi.org/10.1109/TIFS.2014.2386658.
[9] A. Mühle, A. Grüner, T. Gayvoronskaya, C. Meinel, A survey on essential [34] Y. Yang, W. Xue, J. Sun, G. Yang, Y. Li, H. Hwa Pang, R.H. Deng, PkT-
components of a self-sovereign identity, Comput. Sci. Rev. 30 (2018) 8086, SIN: A secure communication protocol for space information networks with
http://dx.doi.org/10.1016/j.cosrev.2018.10.002. periodic k-time anonymous authentication, IEEE Trans. Inf. Forensics Secur.
[10] European Union, Regulation (EU) 2024/1183 of the European parliament and (2024) 60976112, http://dx.doi.org/10.1109/TIFS.2024.3409070.
of the council of 5 June 2024 on European digital identity wallets, 2024, URL: [35] C. Wiraatmaja, S. Kasahara, Scalable anonymous authentication scheme based
https://eur-lex.europa.eu/eli/reg/2024/1183/oj. (Accessed 13 October 2024). on zero-knowledge set-membership proof, Distrib. Ledger Technol. 4 (2025)
[11] D. Chaum, Security without identification: transaction systems to make big http://dx.doi.org/10.1145/3676285.
brother obsolete, Commun. ACM 28 (1985) 10301044, http://dx.doi.org/10. [36] R. Canetti, Y. Chen, J. Holmgren, A. Lombardi, G.N. Rothblum, R.D. Rothblum,
1145/4372.4373. D. Wichs, Fiat-Shamir: from practice to theory, 2019, http://dx.doi.org/10.1145/
[12] D. Chaum, Showing credentials without identification. Signatures transferred 3313276.3316380.
between unconditionally unlinkable pseudonyms, in: Proc. of a Workshop on [37] J. Camenisch, M. Stadler, Efficient group signature schemes for large groups, in:
the Theory and Application of Cryptographic Techniques on Advances in Advances in Cryptology — CRYPTO 97, 1997, pp. 410424.
Cryptology—EUROCRYPT 85, 1986, pp. 241244. [38] M. Rosenberg, J. White, C. Garman, I. Miers, zk-creds: Flexible anonymous
[13] J. Camenisch, A. Lysyanskaya, An efficient system for non-transferable anony- credentials from zkSNARKs and existing identity infrastructure, in: 2023 IEEE
mous credentials with optional anonymity revocation, in: Advances in Cryptology Symposium on Security and Privacy, SP, 2023, pp. 790808, http://dx.doi.org/
— EUROCRYPT 2001, 2001, pp. 93118. 10.1109/SP46215.2023.10179430.
11
H. Di et al. Computer Standards & Interfaces 97 (2026) 104097
[39] Y. Dodis, A. Yampolskiy, A verifiable random function with short proofs and Yibo Pang received the B.S. degree in Information Security
keys, 2004, URL: https://eprint.iacr.org/2004/310. Cryptology ePrint Archive, from the School of Cyberspace Security, Xian University of
Paper 2004/310. Posts and Telecommunications, Xian, China, in 2020, and
[40] J. Groth, On the size of pairing-based non-interactive arguments, in: Advances the M.S. degree in Cyberspace Security from the School of
in Cryptology EUROCRYPT 2016, 2016, pp. 305326. Cyberspace Security, Xian University of Posts and Telecom-
[41] V. Shoup, Sequences of games: a tool for taming complexity in security proofs, munications, Xian, China, in 2023. He is currently pursuing
IACR Cryptol. EPrint Arch. (2004) 332, URL: http://eprint.iacr.org/2004/332. a PhD at Xian University of Posts and Telecommunica-
[42] M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing tions. His research interests include multimedia security and
efficient protocols, in: Proceedings of the 1st ACM Conference on Computer and privacy.
Communications Security, 1993, pp. 6273, http://dx.doi.org/10.1145/168588.
168596.
[43] B. Bünz, J. Bootle, D. Boneh, A. Poelstra, P. Wuille, G. Maxwell, Bulletproofs:
Short proofs for confidential transactions and more, in: 2018 IEEE Symposium Rui Guo is an associate professor and masters supervisor at
on Security and Privacy, SP, 2018, pp. 315334, http://dx.doi.org/10.1109/SP. Xian an University of Posts and Telecommunications. He
2018.00020. has presided over a total of 9 scientific research projects,
including those funded by the National Natural Science
Foundation of China, the Key Research and Development
Hongyan Di is currently studying for a masters degree in
Program of Shaanxi Province, and the Basic Research Pro-
Cyberspace and Information Security from Xian University
gram of Shaanxi Province. As a major participant, he has
of Posts and Telecommunications. Her research interests
participated in and completed more than 10 projects, such
include cross-domain authentication and digital signature
as the National Key Research and Development Plan and the
security.
National Natural Science Foundation of China. As the first
author, I have published over 20 academic papers, among
which 12 are indexed by SCI (including 1 TOP 1% ESI
highly cited paper).
Dr. Yangguang Tian received his Ph.D. degree in applied
Yinghui Zhang received his Ph.D. degree in Cryptography cryptography from the University of Wollongong, Australia.
from Xidian University, China, in 2013. He is a professor After Ph.D., he did post-docs at School of Information
at School of Cyberspace Security, National Engineering System, Singapore Management University, and iTrust, Sin-
Research Center for Secured Wireless (NERCSW), Xian gapore University of Technology and Design. Before Surrey,
University of Posts & Telecommunications. He was a re- he was a research-based assistant professor at Osaka Uni-
search fellow at School of Information System, Singapore versity, Japan. He is currently a lecturer at the University
Management University. He has published over 100 research of Surrey, UK. His research interests include applied cryp-
articles in ACM CSUR, IEEE TDSC, IEEE TCC, Computer tography, network security, blockchain technologies, and
Networks, etc. He served on the program committee of privacy-preserving technologies. Dr. Tians recent research
several conferences and the editorial member of several works have been published in the cybersecurity-related
international journals in information security. His research international conferences and journals, such as USENIX24,
interests include public key cryptography, cloud security, AsiaCCS24, IEEE TIFS23, IEEE TDSC24, etc.
and wireless network security.
Ziqi Zhang is currently studying for a masters degree in
Cyberspace and Information Security from Xian University
of Posts and Telecommunications. Her research interests
include digital signature security and its applications.
12
Reference in New Issue View Git Blame Copy Permalink