{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,8]],"date-time":"2026-05-08T16:44:46Z","timestamp":1778258686977,"version":"3.51.4"},"reference-count":59,"publisher":"International Association for Cryptologic Research","issue":"1","license":[{"start":{"date-parts":[[2026,1,29]],"date-time":"2026-01-29T00:00:00Z","timestamp":1769644800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2026,4,26]]},"abstract":"<jats:p>Self-sovereign identity (SSI) systems empower users to (anonymously) establish and verify their identity when accessing both digital and real-world resources, emerging as a promising privacy-preserving solution for user-centric identity management. While prior work, such as CanDID (IEEE S&amp; P 2021) made strides toward decentralized and Sybil-resistant SSI, significant limitations remain. Specifically, CanDID fails to ensure unlinkability in the presence of a single malicious issuer and requires frequent user-issuer interactions to obtain each application-specific credential, contradicting the non-interactive ideals of SSI, whose core aim is to give users full control over their identities.<\/jats:p>\n                  <jats:p>This paper first introduces the concept of publicly verifiable threshold anonymous counting tokens (tACT). Unlike recent approaches confined to centralized settings (Benhamouda et al., ASIACRYPT 2023), tACT operates in a distributed-trust environment. Accompanied by a formal security model and a provably secure instantiation, tACT introduces a novel dimension to token issuance, which, we believe, holds independent interest.<\/jats:p>\n                  <jats:p>Next, the paper leverages the proposed tACT scheme to construct an efficient Sybil-resistant SSI system. This system supports various functionalities, including threshold issuance, unlinkable multi-show selective disclosure, and non-interactive, non-transferable     credentials.     The proposed construction is backed by rigorous security definitions and proofs. In particular, we formalize the notion of strong unlinkability and prove our system secure under this model, addressing the privacy limitations of CanDID and ensuring robust privacy guarantees even in the presence of issuer-verifier collusion.     Finally, our benchmark results show an efficiency improvement in our construction when compared to CanDID, all while accommodating a greater number of issuers and additionally reducing to a one-round protocol that can be run in parallel with all issuers.<\/jats:p>","DOI":"10.62056\/ayivr-zn4","type":"journal-article","created":{"date-parts":[[2026,5,4]],"date-time":"2026-05-04T18:09:08Z","timestamp":1777918148000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":1,"title":["Attribute-Based Threshold Issuance Anonymous Counting Tokens and Its Application to Sybil-Resistant Self-Sovereign Identity"],"prefix":"10.62056","volume":"3","author":[{"ORCID":"https:\/\/orcid.org\/0009-0008-8335-2787","authenticated-orcid":false,"given":"Behzad","family":"Abdolmaleki","sequence":"first","affiliation":[{"name":"University of Sheffield","place":["Sheffield, UK"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0189-3520","authenticated-orcid":false,"given":"Antonis","family":"Michalas","sequence":"additional","affiliation":[{"name":"Tampere University","place":["Tampere, Finnland"]},{"name":"Research Institute of Sweden (RISE)","place":["Gothenburg, Sweden"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4907-2844","authenticated-orcid":false,"given":"Reyhaneh","family":"Rabaninejad*","sequence":"additional","affiliation":[{"name":"Tampere University","place":["Tampere, Finnland"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1957-3725","authenticated-orcid":false,"given":"Sebastian","family":"Ramacher","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/04knbh022","id-type":"ROR","asserted-by":"publisher"}],"name":"AIT Austrian Institute of Technology","place":["Giefinggasse 4, Vienna, 1210, Austria"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4181-2561","authenticated-orcid":false,"given":"Daniel","family":"Slamanig","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/031v4g827","id-type":"ROR","asserted-by":"publisher"}],"name":"Research Institute CODE, Universit\u00e4t der Bundeswehr M\u00fcnchen","place":["Carl-Wery-Stra\u00dfe 18, Munich, 81739, Germany"]}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"48349","published-online":{"date-parts":[[2026,5,4]]},"reference":[{"key":"ref1:yahoo","volume-title":"Yahoo data breach","year":"2017"},{"key":"ref2:facebook","volume-title":"Facebook data breach","year":"2018"},{"key":"ref3:ms","volume-title":"Microsoft data breach","year":"2023"},{"key":"ref4:dif","volume-title":"Decentralized Identity Foundation.","year":"2020"},{"key":"ref5:w3c","volume-title":"Decentralized identifiers (DIDs). v0.11:data model and\n  syntaxes for decentralized identifiers.","author":"W3C.","year":"2018"},{"key":"ref6:sovrin","volume-title":"Public service utility enabling self-sovereign identity on\n  the internet.","author":"Sovrin.","year":"2018"},{"key":"ref7:sharma2023unpacking","doi-asserted-by":"publisher","first-page":"416","DOI":"10.1109\/ICBC59979.2024.10634404","article-title":"Unpacking how decentralized autonomous organizations (daos)\n  work in practice","author":"Tanusree Sharma","year":"2024"},{"key":"ref8:borge2017proof","doi-asserted-by":"publisher","first-page":"23","DOI":"10.1109\/EuroSPW.2017.46","article-title":"Proof-of-personhood: Redemocratizing permissionless\n  cryptocurrencies","author":"Maria Borge","year":"2017"},{"key":"ref9:maram2021candid","doi-asserted-by":"publisher","first-page":"1348","DOI":"10.1109\/SP40001.2021.00038.","article-title":"Candid: Can-do decentralized identity with legacy\n  compatibility, sybil-resistance, and accountability","author":"Deepak Maram","year":"2021"},{"key":"ref10:zhang2020deco","doi-asserted-by":"publisher","first-page":"1919","DOI":"10.1145\/3372297.3417239","article-title":"Deco: Liberating web data using decentralized oracles for\n  tls","author":"Fan Zhang","year":"2020"},{"key":"ref11:wang2023hades","doi-asserted-by":"publisher","first-page":"216","DOI":"10.1145\/3627106.3627110","article-title":"Hades: Practical decentralized identity with full\n  accountability and fine-grained sybil-resistance","author":"Ke Wang","year":"2023"},{"key":"ref12:chatzigiannis2023sok","article-title":"SoK: Web3 Recovery Mechanisms","author":"Panagiotis Chatzigiannis","year":"2023","journal-title":"Cryptology ePrint Archive"},{"key":"ref13:crites2024syra","doi-asserted-by":"publisher","first-page":"423","DOI":"10.1145\/3719027.3744806","article-title":"SyRA: Sybil-resilient anonymous signatures with applications\n  to decentralized identity","author":"Elizabeth Crites","year":"2025"},{"key":"ref14:pointcheval2016short","doi-asserted-by":"publisher","first-page":"111","DOI":"10.1007\/978-3-319-29485-8_7","article-title":"Short randomizable signatures","author":"David Pointcheval","year":"2016"},{"key":"ref15:sanders2020efficient","doi-asserted-by":"publisher","first-page":"628","DOI":"10.1007\/978-3-030-45388-6_22","article-title":"Efficient redactable signature and application to anonymous\n  credentials","author":"Olivier Sanders","year":"2020"},{"key":"ref16:hanzlik2021little","doi-asserted-by":"publisher","first-page":"2004","DOI":"10.1145\/3460120.3484582","article-title":"With a little help from my friends: Constructing practical\n  anonymous credentials","author":"Lucjan Hanzlik","year":"2021"},{"key":"ref17:connolly2022improved","doi-asserted-by":"publisher","first-page":"409","DOI":"10.1007\/978-3-030-97121-2_15","article-title":"Improved constructions of anonymous credentials from\n  structure-preserving signatures on equivalence classes","author":"Aisling Connolly","year":"2022"},{"key":"ref18:davidson2018privacy","doi-asserted-by":"publisher","first-page":"164","DOI":"10.1515\/popets-2018-0026","article-title":"Privacy Pass: Bypassing Internet Challenges Anonymously.","volume":"2018","author":"Alex Davidson","year":"2018","journal-title":"Proc. Priv. Enhancing Technol."},{"key":"ref19:kreuter2020anonymous","doi-asserted-by":"publisher","first-page":"308","DOI":"10.1007\/978-3-030-56784-2_11","article-title":"Anonymous tokens with private metadata bit","author":"Ben Kreuter","year":"2020"},{"key":"ref20:huang2021dit","volume-title":"Dit: De-identified authenticated telemetry at scale","author":"Sharon Huang","year":"2021"},{"key":"ref21:cachin2016architecture","first-page":"1","article-title":"Architecture of the hyperledger blockchain fabric","volume":"310","author":"Christian Cachin","year":"2016"},{"key":"ref22:camenisch2004signature","doi-asserted-by":"publisher","first-page":"56","DOI":"10.1007\/978-3-540-28628-8_4","article-title":"Signature schemes and anonymous credentials from bilinear\n  maps","author":"Jan Camenisch","year":"2004"},{"key":"ref23:sonnino2018coconut","article-title":"Coconut: Threshold issuance selective disclosure credentials\n  with applications to distributed ledgers","author":"Alberto Sonnino","year":"2018","journal-title":"arXiv preprint arXiv:1802.07344"},{"key":"ref24:10214089","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1109\/TDSC.2023.3303834","article-title":"Threshold Delegatable Anonymous Credentials with Controlled\n  and Fine-Grained Delegation","author":"Omid Mir","year":"2023","journal-title":"IEEE Transactions on Dependable and Secure Computing"},{"key":"ref25:DBLP:conf\/sp\/DoernerKLST23","doi-asserted-by":"publisher","first-page":"773","DOI":"10.1109\/SP46215.2023.10179470","article-title":"Threshold BBS+ Signatures for Distributed Anonymous\n  Credential Issuance","author":"Jack Doerner","year":"2023"},{"key":"ref26:hebant2023traceable","doi-asserted-by":"crossref","first-page":"105060","DOI":"10.1016\/j.ic.2023.105060","article-title":"Traceable constant-size multi-authority credentials","author":"Chlo\u00e9 H\u00e9bant","year":"2023","journal-title":"Information and Computation"},{"key":"ref27:mir2023aggregate","doi-asserted-by":"publisher","first-page":"30","DOI":"10.1145\/3576915.3623203","article-title":"Aggregate Signatures with Versatile Randomization and\n  Issuer-Hiding Multi-Authority Anonymous Credentials","author":"Omid Mir","year":"2023"},{"key":"ref28:baldimtsi2024zklogin","doi-asserted-by":"publisher","first-page":"3182","DOI":"10.1145\/3658644.3690356","article-title":"zklogin: Privacy-preserving blockchain authentication with\n  existing credentials","author":"Foteini Baldimtsi","year":"2024"},{"key":"ref29:benhamouda2023anonymous","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-99-8724-5_8","article-title":"Anonymous Counting Tokens","author":"Fabrice Benhamouda","year":"2023"},{"key":"ref30:goldreich2009foundations","volume-title":"Foundations of cryptography: volume 2, basic applications","author":"Oded Goldreich","year":"2009"},{"key":"ref31:bonawitz2017practical","doi-asserted-by":"publisher","first-page":"1175","DOI":"10.1145\/3133956.3133982","article-title":"Practical secure aggregation for privacy-preserving machine\n  learning","author":"Keith Bonawitz","year":"2017"},{"key":"ref32:rabaninejad2023secure","doi-asserted-by":"publisher","first-page":"640","DOI":"10.1109\/PerComWorkshops56833.2023.10150348","article-title":"A secure bandwidth-efficient treatment for dropout-resistant\n  time-series data aggregation","author":"Reyhaneh Rabaninejad","year":"2023"},{"key":"ref33:bell2020secure","doi-asserted-by":"publisher","first-page":"1253","DOI":"10.1145\/3372297.3417885","article-title":"Secure single-server aggregation with (poly) logarithmic\n  overhead","author":"James Henry Bell","year":"2020"},{"key":"ref34:fuchsbauer2018weakly","doi-asserted-by":"publisher","first-page":"153","DOI":"10.1007\/978-3-319-76581-5_6","article-title":"Weakly secure equivalence-class signatures from standard\n  assumptions","author":"Georg Fuchsbauer","year":"2018"},{"key":"ref35:fuchsbauer2019structure","doi-asserted-by":"publisher","first-page":"498","DOI":"10.1007\/s00145-018-9281-4","article-title":"Structure-preserving signatures on equivalence classes and\n  constant-size anonymous credentials","volume":"32","author":"Georg Fuchsbauer","year":"2019","journal-title":"Journal of Cryptology"},{"key":"ref36:karantaidou2024blind","doi-asserted-by":"publisher","first-page":"1508","DOI":"10.1145\/3658644.3690364","article-title":"Blind Multisignatures for Anonymous Tokens with\n  Decentralized Issuance","author":"Ioanna Karantaidou","year":"2024"},{"key":"ref37:shacham2013compact","doi-asserted-by":"publisher","first-page":"442","DOI":"10.1007\/s00145-012-9129-2","article-title":"Compact proofs of retrievability","volume":"26","author":"Hovav Shacham","year":"2013","journal-title":"Journal of cryptology"},{"key":"ref38:thyagarajan2020verifiable","doi-asserted-by":"publisher","first-page":"1733","DOI":"10.1145\/3372297.3417263","article-title":"Verifiable timed signatures made practical","author":"Sri Aravinda Krishnan Thyagarajan","year":"2020"},{"key":"ref39:fiat1986prove","doi-asserted-by":"publisher","first-page":"186","DOI":"10.1007\/3-540-47721-7_12","article-title":"How to prove yourself: Practical solutions to identification\n  and signature problems","author":"Amos Fiat","year":"1986"},{"key":"ref40:camenisch2013concepts","doi-asserted-by":"publisher","first-page":"34","DOI":"10.1007\/978-3-642-37282-7_4","article-title":"Concepts and languages for privacy-preserving\n  attribute-based authentication","author":"Jan Camenisch","year":"2013"},{"key":"ref41:DBLP:conf\/eurocrypt\/NaorPR99","doi-asserted-by":"publisher","first-page":"327","DOI":"10.1007\/3-540-48910-X_23","article-title":"Distributed Pseudo-random Functions and KDCs","volume":"1592","author":"Moni Naor","year":"1999"},{"key":"ref42:dodis2005verifiable","doi-asserted-by":"publisher","first-page":"416","DOI":"10.1007\/978-3-540-30580-4_28","article-title":"A verifiable random function with short proofs and keys","author":"Yevgeniy Dodis","year":"2005"},{"key":"ref43:DBLP:conf\/sp\/RosenbergWGM23","doi-asserted-by":"publisher","first-page":"790","DOI":"10.1109\/SP46215.2023.10179430.","article-title":"zk-creds: Flexible Anonymous Credentials from zkSNARKs and\n  Existing Identity Infrastructure","author":"Michael Rosenberg","year":"2023"},{"key":"ref44:pedersen1991non","doi-asserted-by":"publisher","first-page":"129","DOI":"10.1007\/3-540-46766-1_9","article-title":"Non-interactive and information-theoretic secure verifiable\n  secret sharing","author":"Torben Pryds Pedersen","year":"1991"},{"key":"ref45:cramer1994proofs","doi-asserted-by":"publisher","first-page":"174","DOI":"10.1007\/3-540-48658-5_19","article-title":"Proofs of partial knowledge and simplified design of witness\n  hiding protocols","author":"Ronald Cramer","year":"1994"},{"key":"ref46:cramer1996modular","article-title":"Modular design of secure yet practical cryptographic\n  protocols","volume":"2","author":"Ronald Cramer","year":"1996","journal-title":"Ph. D.-thesis, CWI and U. of Amsterdam"},{"key":"ref47:DBLP:journals\/siamcomp\/GrothS12","doi-asserted-by":"publisher","first-page":"1193","DOI":"10.1137\/080725386","article-title":"Efficient Noninteractive Proof Systems for Bilinear Groups","volume":"41","author":"Jens Groth","year":"2012","journal-title":"SIAM J. Comput."},{"key":"ref48:camenisch1997proof","article-title":"Proof systems for general statements about discrete\n  logarithms","volume":"260","author":"Jan Camenisch","year":"1997","journal-title":"Technical Report\/ETH Zurich"},{"key":"ref49:zhang2016town","doi-asserted-by":"publisher","first-page":"270","DOI":"10.1145\/2976749.2978326","article-title":"Town crier: An authenticated data feed for smart contracts","author":"Fan Zhang","year":"2016"},{"key":"ref50:breidenbach2021chainlink","first-page":"1","article-title":"Chainlink 2.0: Next steps in the evolution of decentralized\n  oracle networks","volume":"1","author":"Lorenz Breidenbach","year":"2021","journal-title":"Chainlink Labs"},{"key":"ref51:DBLP:conf\/crypto\/CritesKM23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"678","DOI":"10.1007\/978-3-031-38557-5_22","article-title":"Fully Adaptive Schnorr Threshold Signatures","volume":"14081","author":"Elizabeth C. Crites","year":"2023"},{"key":"ref52:boneh2001short","doi-asserted-by":"publisher","first-page":"514","DOI":"10.1007\/3-540-45682-1_30","article-title":"Short signatures from the Weil pairing","volume":"2248","author":"Dan Boneh","year":"2001"},{"key":"ref53:DBLP:conf\/ccs\/BachoL22","doi-asserted-by":"publisher","first-page":"193","DOI":"10.1145\/3548606.3560656","article-title":"On the Adaptive Security of the Threshold BLS Signature\n  Scheme","author":"Renas Bacho","year":"2022"},{"key":"ref54:DBLP:conf\/crypto\/AbeGOT14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"241","DOI":"10.1007\/978-3-662-44371-2_14","article-title":"Converting Cryptographic Schemes from Symmetric to\n  Asymmetric Bilinear Groups","volume":"8616","author":"Masayuki Abe","year":"2014"},{"key":"ref55:DBLP:conf\/ccs\/AkinyeleGH15","doi-asserted-by":"publisher","first-page":"1370","DOI":"10.1145\/2810103.2813601","article-title":"Automating Fast and Secure Translations from Type-I to\n  Type-III Pairing Schemes","author":"Joseph A. Akinyele","year":"2015"},{"key":"ref56:DBLP:conf\/crypto\/AbeHO16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"387","DOI":"10.1007\/978-3-662-53015-3_14","article-title":"Design in Type-I, Run in Type-III: Fast and Scalable\n  Bilinear-Type Conversion Using Integer Programming","volume":"9816","author":"Masayuki Abe","year":"2016"},{"key":"ref57:kate2012distributed","article-title":"Distributed key generation in the wild","author":"Aniket Kate","year":"2012","journal-title":"Cryptology ePrint Archive"},{"key":"ref58:DBLP:conf\/crypto\/BellareCKMTZ22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"517","DOI":"10.1007\/978-3-031-15985-5_18","article-title":"Better than Advertised Security for Non-interactive\n  Threshold Signatures","volume":"13510","author":"Mihir Bellare","year":"2022"},{"key":"ref59:DBLP:conf\/eurocrypt\/Groth16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"305","DOI":"10.1007\/978-3-662-49896-5_11","article-title":"On the Size of Pairing-Based Non-interactive Arguments","volume":"9666","author":"Jens Groth","year":"2016"}],"container-title":["IACR Communications in Cryptology"],"original-title":[],"language":"en","deposited":{"date-parts":[[2026,5,6]],"date-time":"2026-05-06T04:03:03Z","timestamp":1778040183000},"score":1,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/3\/1\/19"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,5,4]]},"references-count":59,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,5,4]]}},"URL":"https:\/\/doi.org\/10.62056\/ayivr-zn4","archive":["Internet Archive","Internet Archive"],"relation":{},"ISSN":["3006-5496"],"issn-type":[{"value":"3006-5496","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,5,4]]},"assertion":[{"value":"2026-01-29","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2026-04-26","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc3-1-46"}}