Password-based anonymous authentication schemes provide not only password-based authentication but also user anonymity. In [15], Yang et al., proposed a password-based anonymous authentication scheme (we call it YZWB10 scheme) using the password-protected credentials. This scheme has being standardized in ISO/IEC 20009-4 that was approved to proceed to the CD stage in the 49th ISO/IEC JTC 1/SC 27 Mexico meeting. In this paper, we analyze unlinkability of the YZWB10 scheme [15]. In particular, we show that a (malicious) server in the YZWB10 scheme can specify which user actually sent the login request to the server. Unlike Yang et al.,'s claim, the YZWB10 scheme [15] does not provide unlinkability against server.

For the sake of privacy preservation, services that are offered with reference to individual user preferences should do so with a sufficient degree of anonymity. We surveyed various tools that meet requirements of such services and decided that group signature schemes with weakened anonymity (without unlinkability) are adequate. Then, we investigated a theoretical gap between unlinkability of group signature schemes and their other requirements. We show that this gap is significantly large. Specifically, we clarify that if unlinkability can be achieved from any other property of group signature schemes, it becomes possible to construct a chosen-ciphertext secure cryptosystem from any one-way function. This result implies that the efficiency of group signature schemes can be drastically improved if unlinkability is not taken into account. We also demonstrate a way to construct a scheme without unlinkability that is significantly more efficient than the best known full-fledged scheme.

In 2006, Miranda et al. proposed an anonymity scheme to achieve peers' anonymity in Peer-to-Peer (P2P) reputation systems. In this paper, we show that this scheme can not achieve peers' anonymity in two cases. We also propose an improvement which solves the problem and improves the degree of anonymity.

Previously Verifier-Local Revocation (VLR) group signature schemes from bilinear maps were proposed. In VLR schemes, only verifiers are involved in the revocation of a member, while signers are not. Thus, the VLR schemes are suitable for mobile environments. Furthermore, the previously proposed schemes satisfy the important backward unlinkability. This means that even after a member is revoked, signatures produced by the member before the revocation remain anonymous. This property is needed in case of a voluntary leave of a member or in case of a key loss. However, in the previous schemes, signatures become long, due to the adopted assumption, which should be improved in order to apply the schemes to the mobile environments. In this paper an improved VLR scheme is proposed with the shorter group signatures. This is achieved by using a different assumption, DLDH assumption, and improving zero-knowledge proofs in the group signatures. The length of the proposed group signatures is reduced to about 53% of that of the previous ones.

An approach of membership revocation in group signatures is verifier-local revocation (VLR for short). In this approach, only verifiers are involved in the revocation mechanism, while signers have no involvement. Thus, since signers have no load, this approach is suitable for mobile environments. Although Boneh and Shacham recently proposed a VLR group signature scheme from bilinear maps, this scheme does not satisfy the backward unlikability. The backward unlinkability means that even after a member is revoked, signatures produced by the member before the revocation remain anonymous. In this paper, we propose VLR group signature schemes with the backward unlinkability from bilinear maps.

This paper introduces the concept of "revocable unlinkability" for unlinkable anonymous signatures and proposes a generalized scheme that modifies the signatures to include revocable unlinkability. Revocable unlinkability provides a condition in which multiple messages signed using an unlinkable anonymous signature are unlinkable for anyone except the unlinkability revocation manager. Noteworthy is that the identifier of the signer is kept secret from the manager. In addition, examples are presented in which the proposed scheme is applied to existing group/ring signatures. The proposed scheme employs a verifiable MIX-net to shuffle the identifiers of all potential signers, thus giving it the potential for wide application to unlinkable anonymous signatures.

Though there are intensive researches on off-line electronic cash (e-cash), the current computer network infrastructure sufficiently accepts on-line e-cash. The on-line means that the payment protocol involves with the bank, and the off-line means no involvement. For customers' privacy, the e-cash system should satisfy unlinkability, i.e., any pair of payments is unlinkable w.r.t. the sameness of the payer. In addition, for the convenience, exact payments, i.e., the payments with arbitrary amounts, should be also able to performed. In an existing off-line system with unlinkable exact payments, the customers need massive computations. On the other hand, an existing on-line system does not satisfy the efficiency and the perfect unlinkability simultaneously. This paper proposes an on-line system, where the efficiency and the perfect unlinkability are achieved simultaneously.

We present an efficiency improvement on an existing unlinkable divisible e-cash system. In the based e-cash system, an e-coin can be divided to spent, and thus the exact payments are available. Furthermore, to protect customer's privacy, the system also satisfies the unlinkability in all the payments, which is not satisfied in other existing divisible e-cash systems. The unlinkability means the infeasibility of determining whether two payments are made by the same customer. However, in the unlinkable divisible e-cash system, the payment protocol needs O(N) computations, and thus inefficient, where N indicates the divisibility precision. For example, in case of N=100,000, about 200,000 exponentiations are needed for the worst. We improve the payment protocol using the tree approach. In case of N=100,000, the protocol with our improvement needs only about 600 exponentiations for the worst. This good result can be obtained for other N which is more than about 100.

In this paper a public key certification scheme, which protects privacy of user of the public key certificate, is proposed. In the proposed scheme a certification authority issues anonymous public key certificates, with which a certificate user having his/her own secret key can make use of public key cryptography and a certificate verifier can confirm the authenticity of the cryptographic communication of the certificate user. The anonymity of their users is preserved against the verifier. In general, user's activities should not be linked each other from the viewpoint of privacy protection. The use of the same certificate results in the linkage of the cryptographic communications. So, ideally, a certificate should be used only once, and such a certificate is called a one-time certificate. In the proposed scheme one-time certificates are realized with low cost of communication and computation for the certificate user. Multiple certificates can be issued without interaction between CA and the user. The additional computation of the user to obtain a new anonymous public key certificate is one modular exponentiation. In addition, only one secret key is required for multiple certificates. Therefore, the proposed scheme is useful for applications which require anonymity, unlinkability, and efficiency.