bPk#: Delegatable Pseudonyms And Their Applications to National eID Systems
Pith reviewed 2026-06-29 06:40 UTC · model grok-4.3
The pith
Delegatable pseudonyms enable users and service providers to compute their own identifiers in national eID systems while preserving security guarantees.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The paper establishes the first formal framework for delegatable pseudonym systems and gives a generic construction, accompanied by formal security proofs, that lets users compute their own pseudonyms and lets service-provider subsets compute pseudonyms only inside their own domain, thereby meeting all functional requirements of the centralized bPk system while reducing reliance on the central authority.
What carries the argument
Delegatable pseudonym systems, realized by a generic construction that securely transfers pseudonym-computation rights to users and authorized provider subsets.
Load-bearing premise
Delegation of pseudonym computation rights to users and service-provider subsets can be realized securely while still satisfying all functional requirements and authenticity guarantees of the existing centralized bPk system.
What would settle it
An attack that forges a valid pseudonym outside the intended delegation scope or links pseudonyms across domains in a way forbidden by the security model would disprove the claims.
Original abstract
Electronic identities (eIDs) are crucial in an increasingly digitalized environment. Pseudonyms, as offered by Austria's governmental sector-specific personal identifiers (bPks), can significantly improve privacy by ensuring that personal data is not universally traceable across public services and private companies. However, the current architecture comes with several challenges regarding availability, privacy, and authenticity, due to a fully centralized design. This paper proposes bPk#, a distributed architecture to address these issues, reducing reliance on the central authority, while still providing all functional requirements to the existing bPk system. In particular, users are delegated the rights to compute their own pseudonyms, thereby minimizing metadata revealed to the central authority, while (subsets of) service providers may receive the right to compute pseudonyms only within their own domain, thereby reducing the availability needs of the central authority. To the best of our knowledge, we provide the first formal framework for such delegatable pseudonym systems, together with a generic construction for which we provide formal security proofs. Furthermore, we propose a concrete instantiation of our construction, together with a reference implementation demonstrating the practical efficiency.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes bPk#, a distributed architecture extending Austria's centralized bPk pseudonym system for eIDs. Users are delegated rights to compute their own pseudonyms (reducing metadata to the central authority), and subsets of service providers may compute pseudonyms only within their domains (reducing central availability needs). The central claims are that this is the first formal framework for delegatable pseudonym systems, accompanied by a generic construction with formal security proofs, a concrete instantiation, and a reference implementation demonstrating practical efficiency, all while preserving the functional and authenticity requirements of the original bPk system.
Significance. If the security proofs and delegation mechanics hold, the work could meaningfully advance privacy and availability in governmental eID infrastructures by enabling controlled decentralization without new authenticity gaps. The explicit provision of a formal framework, machine-checkable-style proofs (if present), and a working reference implementation would be notable strengths for a CR paper targeting real-world national systems.
major comments (2)
- [Abstract / Security Model section] The abstract states that the generic construction receives formal security proofs and that delegation satisfies all functional/authenticity requirements of the original bPk system, yet the provided text gives no indication of the security model definition, the precise delegation syntax, or the reduction steps. Without these, it is impossible to confirm that the delegation does not introduce new traceability or forgery vectors.
- [Construction / Security Definitions] The claim that subsets of service providers receive domain-restricted computation rights must be shown to preserve the cross-domain unlinkability property of bPks; the manuscript needs to state explicitly (with a theorem) whether the restriction is enforced cryptographically or only by policy, as the latter would not meet the stated authenticity guarantees.
minor comments (2)
- [Implementation / Evaluation] The reference implementation is cited as demonstrating practical efficiency, but no concrete performance numbers, comparison baseline (e.g., original bPk latency), or hardware platform are given in the abstract; these should appear in the evaluation section with tables.
- [Preliminaries] Notation for the delegatable pseudonym computation (e.g., how a user or SP subset receives and uses the delegation token) should be introduced early and used consistently to aid readability.
Simulated Author's Rebuttal
We thank the referee for their careful review and constructive feedback. Below we respond point-by-point to the major comments, directing attention to the relevant sections of the full manuscript where the security model, delegation syntax, and proofs are defined, while agreeing to improve clarity and explicitness where needed.
- Referee: [Abstract / Security Model section] The abstract states that the generic construction receives formal security proofs and that delegation satisfies all functional/authenticity requirements of the original bPk system, yet the provided text gives no indication of the security model definition, the precise delegation syntax, or the reduction steps. Without these, it is impossible to confirm that the delegation does not introduce new traceability or forgery vectors.
  Authors: The full manuscript defines the security model (including delegation syntax and security properties such as unlinkability and authenticity) in Section 3. The generic construction appears in Section 4, and the formal security proofs with reduction steps are given in Section 5 (Theorems 5.1–5.4). These sections establish that delegation introduces no new traceability or forgery vectors. We will revise the abstract and introduction to include explicit forward references to Sections 3–5.
  Revision: yes
- Referee: [Construction / Security Definitions] The claim that subsets of service providers receive domain-restricted computation rights must be shown to preserve the cross-domain unlinkability property of bPks; the manuscript needs to state explicitly (with a theorem) whether the restriction is enforced cryptographically or only by policy, as the latter would not meet the stated authenticity guarantees.
  Authors: Domain restriction is enforced cryptographically via domain-specific delegation keys (see Construction 4.2). Theorem 5.3 proves that this preserves cross-domain unlinkability; the enforcement is not policy-based. We will revise the construction section to state this explicitly and highlight the theorem statement.
  Revision: yes
Circularity Check
No significant circularity detected
The paper introduces a new formal framework for delegatable pseudonym systems along with a generic construction, security proofs, concrete instantiation, and reference implementation. No load-bearing steps reduce by construction to fitted parameters, self-definitions, or self-citation chains; the derivation chain consists of independent cryptographic definitions and proofs that do not equate outputs to inputs via renaming or ansatz smuggling. The architecture description and claims remain self-contained against external benchmarks without internal reduction.
Axiom & Free-Parameter Ledger
axioms (1)
- domain assumption: Standard cryptographic hardness assumptions underlying the security proofs of the generic construction
invented entities (1)
- bPk# delegatable pseudonym architecture (no independent evidence)