Protecting privacy by sanitizing personal data

Sébastien Canard, Roch Lescuyer
Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security (ASIA CCS '13), 2013
Anonymous credential systems allow users to obtain certified credentials from organizations and use them later without being traced. For instance, a student will be able to prove, using his student card certified by the University, that he is a student living e.g. in Hangzhou without revealing other information given by the student card, such as his name or studies. Besides, sanitizable signatures enable a designated person, called the sanitizer, to modify some parts of a signed message in a controlled way, such that the message can still be verified w.r.t. the original signer. We propose in this paper to formalize the following new idea. A user gets from the organization a signed document certifying personal data (e.g. name, address, studies, etc.) and plays the role of the sanitizer. When showing his credential, he uses sanitization techniques to hide the information he does not want to reveal (e.g. name, studies or complete address), and shows the resulting document, which is still seen as a document certified by the organization. Unfortunately, existing sanitizable signatures cannot directly be used for this purpose. We thus seek generic conditions on them to be used as anonymous credentials. We also provide a concrete construction based on standard assumptions and secure in the random oracle model.
doi:10.1145/2484313.2484363 dblp:conf/ccs/CanardL13 fatcat:av5sdmff4bcdzgdupzrmrxplve
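The idea in the abstract, as an added toy example that is not the paper's construction: the organization signs a list of salted commitments to the attributes of a student card, the user (acting as sanitizer) drops the values and salts of the attributes he wants to hide, and the verifier still checks the organization's signature over the unchanged commitments. The signature scheme is a Lamport one-time signature built from SHA-256 so that the example runs with the standard library only; `keygen`, `issue`, `sanitize` and `check` are names chosen here, not from the paper.

```python
import hashlib
import os

def H(*parts: bytes) -> bytes:
    """Domain-separated SHA-256 over a list of byte strings."""
    return hashlib.sha256(b"|".join(parts)).digest()

# --- Toy Lamport one-time signature (sign only ONE message per key; illustrative) ---
def keygen():
    sk = [[os.urandom(32) for _ in range(2)] for _ in range(256)]
    pk = [[H(s) for s in pair] for pair in sk]
    return sk, pk

def sign(sk, msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [sk[i][(d >> (255 - i)) & 1] for i in range(256)]

def verify(pk, msg: bytes, sig) -> bool:
    d = int.from_bytes(H(msg), "big")
    return all(H(sig[i]) == pk[i][(d >> (255 - i)) & 1] for i in range(256))

# --- Credential = signed commitments; the user keeps values and salts ---
def issue(sk, attrs: dict) -> dict:
    """Organization: commit to each attribute with a fresh salt and sign the commitment list."""
    salts = {k: os.urandom(16) for k in attrs}
    commits = {k: H(k.encode(), attrs[k].encode(), salts[k]) for k in attrs}
    root = H(*(commits[k] for k in sorted(commits)))
    return {"attrs": dict(attrs), "salts": salts, "commits": commits, "sig": sign(sk, root)}

def sanitize(cred: dict, hide: set) -> dict:
    """User as sanitizer: remove value and salt of hidden attributes, keep every commitment."""
    return {"attrs": {k: v for k, v in cred["attrs"].items() if k not in hide},
            "salts": {k: v for k, v in cred["salts"].items() if k not in hide},
            "commits": dict(cred["commits"]), "sig": cred["sig"]}

def check(pk, cred: dict) -> bool:
    """Verifier: each revealed value must open its commitment, and the commitment
    list must carry the organization's signature. Hidden attributes are never needed."""
    for k, v in cred["attrs"].items():
        if k not in cred["salts"] or H(k.encode(), v.encode(), cred["salts"][k]) != cred["commits"][k]:
            return False
    root = H(*(cred["commits"][k] for k in sorted(cred["commits"])))
    return verify(pk, root, cred["sig"])
```

Note that the unchanged commitments and signature make every showing of this toy credential linkable, which is exactly why the abstract says plain sanitizable signatures cannot be used as anonymous credentials without further conditions.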