Anonymous Authentication with Optional Shared Anonymity Revocation and Linkability

Martin Schaffer and Peter Schartner

Computer Science, System Security, University of Klagenfurt, Austria
{m.schaffer, p.schartner}@syssec.at

Abstract. In this paper we propose three smartcard-based variants of anonymous authentication using unique one-time pseudonyms. The first variant can be used to authenticate a user. However, his identity cannot be revealed or linked to other pseudonyms without solving the computational Diffie-Hellman problem. In the second variant a set R of revocation centers is able to revoke the anonymity in collaboration with a trust center T, but they are not able to link the revealed identity to other pseudonyms of the same user. The third variant additionally provides linkability if R and T cooperate. Some selected applications for the proposed protocols include physical access control, secure auctions, eCoins and online gambling.

1 Introduction

Nowadays smartcards appear to be a building block in several applications. Once mainly used for physical access control, their usage has been extended in recent years to more general applications in different areas such as eCommerce. When using a smartcard, a user normally authenticates to the smartcard by entering a personal identification number. Then the smartcard itself authenticates to an instance (e.g. a device (un)locking a door, or a service provider). Several standard methods exist for performing a unilateral authentication process, most of which do not really provide anonymity for the user. So a lot of research has taken place to provide anonymous authentication based on zero-knowledge proofs. Such protocols have two advantages. First, anonymity can be provided and second, collected communication data of several protocol runs of the same smartcard – depending on the particular solution – are not linkable by an eavesdropper.
However, several standard proofs of identity require the same public input on the verifier’s side during every authentication process (e.g. proof of knowledge of a private key, where the verifier must have access to the public key). Thus, the usage of the smartcard is traceable.

Providing authentication processes with anonymity and unlinkability protects the user’s privacy. However, the verifier of the authentication process has to be protected as well, namely against malicious behaviour of the smartcard-holder in the protocols run thereafter. So we also need a mechanism to revoke

J. Domingo-Ferrer, J. Posegga, and D. Schreckling (Eds.): CARDIS 2006, LNCS 3928, pp. 206–221, 2006. © IFIP International Federation for Information Processing 2006