# Attribute Based Pseudonyms: Anonymous and Linkable Scoped Credentials


## Abstract


## 1. Introduction

- Unlinkability between scopes, i.e., the same user with the same credential cannot be linked between scopes.
- Reusability detection within the same scope, i.e., it prevents misbehavior by the user, who, thanks to their anonymity, could try to authenticate more than once.

## 2. State of the Art

## 3. Preliminaries

#### 3.1. Bilinear Pairings

- Bilinearity: $e(aP,bQ)=e{(P,Q)}^{ab}$ for all $P,Q\in {\mathbb{G}}_{1}$, $a,b\in {\mathbb{F}}_{q}$
- Non-degeneracy: There exist $P,Q\in {\mathbb{G}}_{1}$ such that $e(P,Q)\ne 1$, that is, the mapping does not send all pairs in ${\mathbb{G}}_{1}\times {\mathbb{G}}_{1}$ to the identity in ${\mathbb{G}}_{2}$
- Computability: Computing $e(P,Q)$ for all $P,Q\in {\mathbb{G}}_{1}$ can be achieved with an efficient algorithm.

#### 3.2. Cryptographic Problems in Additive Groups

- Problem 1: Discrete logarithm problem (DLP): it is hard for $\tilde{A}$, given $P,Q\in ({\mathbb{G}}_{1}:+)$, to find $n\in {\mathbb{F}}_{q}^{*}$ such that $Q=nP$.
- Problem 2: Computational Diffie–Hellman Problem (CDHP): it is hard for $\tilde{A}$, given $P,aP,bP$ with $a,b\in {\mathbb{F}}_{q}^{*}$ to compute $abP$.
- Problem 3: Decisional Diffie–Hellman problem (DDHP): it is hard for $\tilde{A}$, given $P,aP,bP,cP$ with $a,b,c\in {\mathbb{F}}_{q}^{*}$, to decide whether $c\equiv ab \bmod q$ or $c$ is randomly chosen from ${\mathbb{F}}_{q}$.
- Problem 4: Inverse computational Diffie–Hellman problem (Inv-CDHP): For $a\in {\mathbb{F}}_{q}^{*}$ and given $P,aP$, it is hard to compute ${a}^{-1}P$.
- Problem 5: The bilinear Diffie–Hellman problem (BDHP) in $({\mathbb{G}}_{1},{\mathbb{G}}_{2},e)$: given $(P,aP,bP,cP)$ for some $a,b,c\in {\mathbb{F}}_{q}^{*}$, it is hard for $\tilde{A}$ to compute $v\in {\mathbb{G}}_{2}$ such that $v=e{(P,P)}^{abc}$.

#### 3.3. A Short Signature Scheme from Pairings

- Parameter generation: $\{{\mathbb{G}}_{1},{\mathbb{G}}_{2},e,q,P,H\}$ will be the system parameters.
- Key generation: the key generation is performed by randomly selecting $x{\in}_{R}{\mathbb{F}}_{q}^{*}$ and computing ${P}_{pub}=xP$, where ${P}_{pub}$ will be the public key and x will be the secret key.
- Signature: the signature will be $$S={(H(m)+x)}^{-1}\cdot P,$$
- Verification: we will verify the signature, taking the public key ${P}_{pub}$, a message m, and a signature S and computing $$\begin{aligned} e(H(m)P+{P}_{pub},S) &= e(H(m)\cdot P+x\cdot P,\ {(H(m)+x)}^{-1}P) \\ &= e{(P,P)}^{(H(m)+x)\cdot {(H(m)+x)}^{-1}} \\ &= e(P,P) \end{aligned}$$

#### 3.4. Non-Interactive Zero-Knowledge Proofs

- $\mathcal{P}$ chooses a random $r\in {\mathbb{F}}_{q}$ and calculates $$\begin{aligned} {r}^{\prime} &= P\cdot r \\ {v}^{\prime} &= v\cdot P \\ {h}^{\prime} &= H({r}^{\prime}) \\ {t}^{\prime} &= {h}^{\prime}\cdot v+r \end{aligned}$$
- $\mathcal{V}$ computes ${h}^{\prime}=H({r}^{\prime})$ and verifies $$\begin{aligned} {t}^{\prime}\cdot P &= ({h}^{\prime}\cdot v+r)\cdot P \\ &= {h}^{\prime}\cdot v\cdot P+r\cdot P \\ &= {h}^{\prime}\cdot {v}^{\prime}+{r}^{\prime} \end{aligned}$$

## 4. The Proposed Protocol

#### 4.1. Overview

- A service provider, known as $\mathcal{SP}$, offers a service only if the user is of legal age.
- $\mathcal{SP}$ needs to know that the user $\mathcal{U}$ is of legal age, and nothing else.
- $\mathcal{SP}$ needs to be able to identify $\mathcal{U}$ through different interactions because the provided service should be accessed only once.
- An attribute provider $\mathcal{AP}$, for instance, the civil registry, has all the information of all users and can provide anonymous credentials in the form of verifiable attributes. This anonymous credential is verifiable since it contains the signature of $\mathcal{AP}$.
- To overcome linkability, $\mathcal{U}$ blinds the credentials using Verheul’s algorithm. This allows the verification of a blinded attribute with a blinded signature. Once blinded, the linkability between the attribute and the real user $\mathcal{U}$ is broken.
- $\mathcal{U}$ could blind one attribute in different ways, with different final values, without losing the verifiable characteristic, which makes it impossible to link different uses of the same attribute. To overcome this, the use of a universal identifier $i{d}_{\mathcal{U}}$ is proposed. Computed for a given scope S, it includes the values of S and the attribute. $i{d}_{\mathcal{U}}$ will not be blinded; it will be anonymous and unique, and used together with the blinded attribute. It enables anonymous authentication with linkability.
- $\mathcal{SP}$ acts as a consumer of anonymous credentials and can identify the use of one credential with the $i{d}_{\mathcal{U}}$ associated with a given scope S.

#### 4.2. Actors

- The user, $\mathcal{U}$, obtains and uses an anonymous credential.
- The attribute provider, $\mathcal{AP}$, provides $\mathcal{U}$ with a verifiable attribute in a given scope S by signing the hash of S and the public key provided by $\mathcal{U}$.
- The service provider, $\mathcal{SP}$, grants access to a particular service to identified users with a verifiable attribute and their universal identifier $i{d}_{\mathcal{U}}$, after verifying both.

#### 4.3. Key Generation

#### 4.4. Issuance of Anonymous Credentials: $\mathcal{U}\Longleftrightarrow\mathcal{AP}$

- $\mathcal{U}$ requests authorization for a given scope S.
- $\mathcal{AP}$ reliably checks the identity of $\mathcal{U}$ and the attributes required to belong to the scope S.
- $\mathcal{AP}$ generates the signature with the modified short $ZSS$ signature scheme for bilinear pairing $${\sigma}_{\mathcal{AP}}={(H(S)+s{k}_{\mathcal{AP}})}^{-1}\cdot p{k}_{\mathcal{U}}.$$
- $\mathcal{AP}$ sends ${\sigma}_{\mathcal{AP}},p{k}_{\mathcal{AP}}$ to $\mathcal{U}$.
- $\mathcal{U}$ verifies the received signature: $$\begin{aligned} e(H(S)\cdot P+p{k}_{\mathcal{AP}},{\sigma}_{\mathcal{AP}}) &= e(H(S)\cdot P+s{k}_{\mathcal{AP}}\cdot P,\ {(H(S)+s{k}_{\mathcal{AP}})}^{-1}\cdot p{k}_{\mathcal{U}}) \\ &= e((H(S)+s{k}_{\mathcal{AP}})\cdot P,\ {(H(S)+s{k}_{\mathcal{AP}})}^{-1}\cdot p{k}_{\mathcal{U}}) \\ &= e{(P,p{k}_{\mathcal{U}})}^{(H(S)+s{k}_{\mathcal{AP}})\cdot {(H(S)+s{k}_{\mathcal{AP}})}^{-1}} \\ &= e(P,p{k}_{\mathcal{U}}) \end{aligned}$$

#### 4.5. Presentation of Credentials: $\mathcal{U}\Longrightarrow\mathcal{SP}$

- $\mathcal{U}$ has ${\sigma}_{\mathcal{AP}}$, $H\left(S\right)$, $s{k}_{\mathcal{U}}$, $p{k}_{\mathcal{U}}$, and $i{d}_{\mathcal{U}}$.
- $\mathcal{U}$ chooses $b{\in}_{R}{\mathbb{F}}_{q}^{*}$ as a blind factor.
- $\mathcal{U}$ computes: $$\begin{aligned} s{k}_{\mathcal{U}}^{\prime} &= b\cdot s{k}_{\mathcal{U}} \\ p{k}_{\mathcal{U}}^{\prime} &= s{k}_{\mathcal{U}}^{\prime}\cdot P \\ {\sigma}_{\mathcal{AP}}^{\prime} &= b\cdot {\sigma}_{\mathcal{AP}} \\ {P}^{\prime} &= b\cdot P \\ p{k}_{\mathcal{AP}}^{\prime} &= b\cdot p{k}_{\mathcal{AP}} \\ {C}^{\prime} &= b\cdot H(S)\cdot P \end{aligned}$$
- $\mathcal{U}$ also computes a NI-Schnorr ZKP, choosing ${r}^{\prime}{\in}_{R}{\mathbb{F}}_{q}^{*}$ and finds: $$\begin{aligned} {R}^{\prime} &= {r}^{\prime}\cdot P \\ {h}^{\prime} &= H({R}^{\prime}) \\ {t}^{\prime} &= {h}^{\prime}\cdot s{k}_{\mathcal{U}}^{\prime}+{r}^{\prime} \end{aligned}$$
- $\mathcal{U}$ sends $\mathcal{SP}$ the anonymous credential ${\sigma}_{\mathcal{AP}}^{\prime}$, $p{k}_{\mathcal{U}}^{\prime}$, $p{k}_{\mathcal{AP}}^{\prime}$, ${P}^{\prime}$, ${C}^{\prime}$. $\mathcal{U}$ also sends the universal identifier $i{d}_{\mathcal{U}}$, and the NI-Schnorr ZKP proof-of-possession of the private key (${R}^{\prime},{h}^{\prime},{t}^{\prime}$), to allow the verification of the credentials and the universal identifier.
- $\mathcal{SP}$ needs to verify that $p{k}_{\mathcal{AP}}^{\prime}$ is really $p{k}_{\mathcal{AP}}$ after being blinded. To accomplish this, $\mathcal{SP}$ can test the following equality: $$\begin{aligned} e(p{k}_{\mathcal{AP}}^{\prime},P) &= e(b\cdot p{k}_{\mathcal{AP}},P) \\ &= e{(p{k}_{\mathcal{AP}},P)}^{b} \\ &= e(p{k}_{\mathcal{AP}},b\cdot P) \\ &= e(p{k}_{\mathcal{AP}},{P}^{\prime}) \end{aligned}$$
- If $p{k}_{\mathcal{AP}}^{\prime}$ is correct, $\mathcal{SP}$ can verify the following: $$\begin{aligned} e({C}^{\prime}+p{k}_{\mathcal{AP}}^{\prime},{\sigma}_{\mathcal{AP}}^{\prime}) &= e(b\cdot H(S)\cdot P+b\cdot p{k}_{\mathcal{AP}},\ b\cdot {\sigma}_{\mathcal{AP}}) \\ &= e(b\cdot (H(S)\cdot P+s{k}_{\mathcal{AP}}\cdot P),\ b\cdot {(H(S)+s{k}_{\mathcal{AP}})}^{-1}\cdot p{k}_{\mathcal{U}}) \\ &= e(b\cdot P\cdot (H(S)+s{k}_{\mathcal{AP}}),\ b\cdot {(H(S)+s{k}_{\mathcal{AP}})}^{-1}\cdot p{k}_{\mathcal{U}}) \\ &= e({P}^{\prime}\cdot (H(S)+s{k}_{\mathcal{AP}}),\ b\cdot {(H(S)+s{k}_{\mathcal{AP}})}^{-1}\cdot p{k}_{\mathcal{U}}) \\ &= e({P}^{\prime}\cdot (H(S)+s{k}_{\mathcal{AP}}),\ b\cdot {(H(S)+s{k}_{\mathcal{AP}})}^{-1}\cdot s{k}_{\mathcal{U}}\cdot P) \\ &= e{({P}^{\prime},b\cdot s{k}_{\mathcal{U}}\cdot P)}^{(H(S)+s{k}_{\mathcal{AP}})\cdot {(H(S)+s{k}_{\mathcal{AP}})}^{-1}} \\ &= e({P}^{\prime},p{k}_{\mathcal{U}}^{\prime}) \end{aligned}$$
- $\mathcal{SP}$ can also verify the universal identifier $i{d}_{\mathcal{U}}$ following this process: $$\begin{aligned} e({C}^{\prime}+p{k}_{\mathcal{U}}^{\prime},H(S)\cdot i{d}_{\mathcal{U}}) &= e(b\cdot H(S)\cdot P+b\cdot p{k}_{\mathcal{U}},\ H(S)\cdot H{(S)}^{-1}\cdot {(s{k}_{\mathcal{U}}+H(S))}^{-1}\cdot p{k}_{\mathcal{U}}) \\ &= e(b\cdot (H(S)\cdot P+s{k}_{\mathcal{U}}\cdot P),\ {(H(S)+s{k}_{\mathcal{U}})}^{-1}\cdot p{k}_{\mathcal{U}}) \\ &= e{(P\cdot (H(S)+s{k}_{\mathcal{U}}),\ {(H(S)+s{k}_{\mathcal{U}})}^{-1}\cdot p{k}_{\mathcal{U}})}^{b} \\ &= e{(P,b\cdot p{k}_{\mathcal{U}})}^{(H(S)+s{k}_{\mathcal{U}})\cdot {(H(S)+s{k}_{\mathcal{U}})}^{-1}} \\ &= e(P,p{k}_{\mathcal{U}}^{\prime}) \end{aligned}$$
- Finally, $\mathcal{SP}$ can also verify that $\mathcal{U}$ has the correct private key: $$\begin{aligned} {t}^{\prime}\cdot P &= ({h}^{\prime}\cdot s{k}_{\mathcal{U}}^{\prime}+{r}^{\prime})\cdot P \\ &= {h}^{\prime}\cdot s{k}_{\mathcal{U}}^{\prime}\cdot P+{r}^{\prime}\cdot P \\ &= {r}^{\prime}P+{h}^{\prime}\cdot p{k}_{\mathcal{U}}^{\prime} \\ &= {R}^{\prime}+p{k}_{\mathcal{U}}^{\prime}\cdot {h}^{\prime} \end{aligned}$$
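
The issuance and presentation steps of Sections 4.4 and 4.5, run end to end as an added example (not code from the paper or its authors). It is a toy algebraic model: each point $xP$ is stored as the scalar $x$ modulo an assumed prime $q=2^{127}-1$ and the pairing returns the exponent of $e(P,P)$, so discrete logarithms are exposed and the model only checks the equations, it provides no security. The `scoped_id` formula is read off the expansion in the $\mathcal{SP}$ identifier check; all function names and the scope strings are illustrative.

```python
import hashlib
import secrets

Q = 2**127 - 1   # prime order q of the toy group (constructed parameter)
P = 1            # generator P; the point x*P is stored as the scalar x mod Q

def H(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def H_point(pt: int) -> int:
    return H(pt.to_bytes(16, "big"))

def inv(x: int) -> int:
    return pow(x, -1, Q)

def e(a: int, b: int) -> int:
    # Toy pairing: exponent of e(P,P), i.e. e(aP, bP) -> a*b mod Q (bilinear).
    return a * b % Q

def rand_scalar() -> int:
    return secrets.randbelow(Q - 1) + 1

def keygen():
    sk = rand_scalar()
    return sk, sk * P % Q

def issue(sk_ap, scope, pk_u):
    # AP: sigma_AP = (H(S) + sk_AP)^-1 * pk_U
    return inv(H(scope) + sk_ap) * pk_u % Q

def user_checks_signature(sigma, pk_ap, pk_u, scope):
    # U: e(H(S)*P + pk_AP, sigma_AP) == e(P, pk_U)
    return e((H(scope) * P + pk_ap) % Q, sigma) == e(P, pk_u)

def scoped_id(sk_u, scope):
    # id_U = H(S)^-1 * (sk_U + H(S))^-1 * pk_U; independent of the blind factor
    h = H(scope)
    return inv(h) * inv(sk_u + h) * (sk_u * P) % Q

def present(sk_u, sigma, pk_ap, scope):
    b, r = rand_scalar(), rand_scalar()   # blind factor b, Schnorr nonce r'
    sk_b = b * sk_u % Q                   # sk'_U
    R = r * P % Q
    h = H_point(R)
    return {"sigma": b * sigma % Q, "pk_u": sk_b * P % Q,
            "pk_ap": b * pk_ap % Q, "P": b * P % Q,
            "C": b * H(scope) * P % Q, "id": scoped_id(sk_u, scope),
            "zkp": (R, h, (h * sk_b + r) % Q)}

def sp_verify(m, pk_ap, scope):
    R, h, t = m["zkp"]
    return all([
        e(m["pk_ap"], P) == e(pk_ap, m["P"]),                             # blinded AP key
        e((m["C"] + m["pk_ap"]) % Q, m["sigma"]) == e(m["P"], m["pk_u"]), # blinded signature
        e((m["C"] + m["pk_u"]) % Q, H(scope) * m["id"] % Q) == e(P, m["pk_u"]),  # id_U
        h == H_point(R) and t * P % Q == (R + h * m["pk_u"]) % Q,         # NI-Schnorr
    ])

def demo():
    sk_ap, pk_ap = keygen()
    sk_u, pk_u = keygen()
    s1, s2 = b"scope-1", b"scope-2"       # constructed scope strings
    sigma = issue(sk_ap, s1, pk_u)
    first, second = (present(sk_u, sigma, pk_ap, s1) for _ in range(2))
    return {
        "issuance_check": user_checks_signature(sigma, pk_ap, pk_u, s1),
        "accept_same_scope": sp_verify(first, pk_ap, s1),
        "accept_other_scope": sp_verify(first, pk_ap, s2),
        "blinded_keys_differ": first["pk_u"] != second["pk_u"],
        "same_id_in_scope": first["id"] == second["id"],
        "id_differs_across_scopes": scoped_id(sk_u, s1) != scoped_id(sk_u, s2),
    }

if __name__ == "__main__":
    print(demo())
```

Two presentations of the same credential carry different blinded keys but the same `id`, which is what lets $\mathcal{SP}$ detect reuse within a scope by remembering identifiers it has already seen.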

## 5. Security Analysis

- $\mathcal{U}$ can forge fake credentials.
- $\mathcal{U}$ can blind credentials many times with different results to use credentials more than once.

- $\mathcal{AP}$ knows the real identity of $\mathcal{U}$.
- $\mathcal{AP}$ and $\mathcal{SP}$ collude and collect all messages exchanged with $\mathcal{U}$.

#### 5.1. Unforgeability

#### 5.2. User Anonymity

#### 5.3. Identifier Unlinkability between Scopes

#### 5.4. Identifier Reusability Detection within the Same Scope

## 6. Conclusions and Future Line of Research


**Figure 1.** Overview of the information exchange between roles. (**1**) $\mathcal{U}$ begins the protocol by requesting $\mathcal{AP}$ for a credential for a given scope S. In this case, this is carried out two times, one for scope ${S}_{1}$ and one for scope ${S}_{2}$. (**2**) After user identity verification, $\mathcal{AP}$ provides the user with a credential. This credential is only valid for ${S}_{x}$ within the request. (**3**) $\mathcal{U}$ stores both credentials. (**4**) $\mathcal{U}$ presents the credentials to $\mathcal{SP}$. The figure illustrates four cases: (**4a**) $\mathcal{U}$ presents the credential for ${S}_{1}$ to $SP$ of scope ${S}_{1}$, verification succeeds and $SP$ accepts the credential. (**4b**) $\mathcal{U}$ presents the credential for ${S}_{1}$ to $SP$ of scope ${S}_{2}$, verification fails and $SP$ rejects the credential. (**4c**) $\mathcal{U}$ presents the credential for ${S}_{2}$ to $SP$ of scope ${S}_{1}$, verification fails and $SP$ rejects the credential. (**4d**) $\mathcal{U}$ presents the credential for ${S}_{2}$ to $SP$ of scope ${S}_{2}$, verification succeeds and $SP$ accepts the credential.

**Figure 2.** Message exchange between $\mathcal{U}$ and $\mathcal{AP}$ during the credential issuance phase.

**Figure 3.** Message exchange between $\mathcal{U}$ and $\mathcal{SP}$ during the credential presentation phase.

| Notation | Meaning | Notation | Meaning |
|---|---|---|---|
| $\mathcal{AP}$ | Attribute provider | $\mathcal{U}$ | User |
| $\mathcal{SP}$ | Service provider | $\tilde{A}$ | Adversary |
| $i{d}_{\mathcal{U}}$ | User identifier | S | Scope (arbitrary string) |
| $i{d}_{\mathcal{U}}^{{S}_{i}}$ | User identifier for scope ${S}_{i}$ | ${\tilde{id}}_{\mathcal{U}}$ | Fake user identifier |
| $s{k}_{\mathcal{U}}$ | User secret key | $p{k}_{\mathcal{U}}$ | User public key |
| ${\tilde{sk}}_{\mathcal{U}}$ | Fake user secret key | ${\tilde{pk}}_{\mathcal{U}}$ | Fake user public key |
| $s{k}_{\mathcal{AP}}$ | Attribute provider secret key | $p{k}_{\mathcal{AP}}$ | Attribute provider public key |
| $s{k}_{\mathcal{SP}}$ | Service provider secret key | $p{k}_{\mathcal{SP}}$ | Service provider public key |
| ${\sigma}_{\mathcal{AP}}$ | Signature of attribute provider | $H(S)$ | Hash of scope |
| P | Generator of cyclic group $\mathbb{G}$ | b | Random blind factor |
| $s{k}_{\mathcal{U}}^{\prime}$ | Blinded user secret key | $p{k}_{\mathcal{U}}^{\prime}$ | Blinded user public key |
| ${\sigma}_{\mathcal{AP}}^{\prime}$ | Blinded signature | $({R}^{\prime},{h}^{\prime},{t}^{\prime})$ | NI-Schnorr ZKP |


© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Garcia-Grau, F.; Herrera-Joancomartí, J.; Dorca Josa, A.
Attribute Based Pseudonyms: Anonymous and Linkable Scoped Credentials. *Mathematics* **2022**, *10*, 2548.
https://doi.org/10.3390/math10152548
