]> Anonymous Credit Tokens Google
samschlesinger@google.com
Google
jkcrypto@google.com
This document specifies Anonymous Credit Tokens (ACT), a privacy-preserving authentication protocol that enables numerical credit systems without tracking individual clients. Based on keyed-verification anonymous credentials and privately verifiable BBS-style signatures, the protocol allows issuers to grant tokens containing credits that clients can later spend anonymously with that issuer. The protocol's key features include: (1) unlinkable transactions - the issuer cannot correlate credit issuance with spending, or link multiple spends by the same client, (2) partial spending - clients can spend a portion of their credits and receive anonymous change, and (3) double-spend prevention through cryptographic nullifiers that preserve privacy while ensuring each token is used only once. Anonymous Credit Tokens are designed for modern web services requiring rate limiting, usage-based billing, or resource allocation while respecting user privacy. Example applications include rate limiting and API credits. This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Crypto Forum Research Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .
Introduction Modern web services face a fundamental tension between operational needs and user privacy. Services need to implement rate limiting to prevent abuse, charge for API usage to sustain operations, and allocate computational resources fairly. However, traditional approaches require tracking client identities and creating detailed logs of client behavior, raising significant privacy concerns in an era of increasing data protection awareness and regulation. Anonymous Credit Tokens (ACT) help to resolve this tension by providing a cryptographic protocol that enables credit-based systems without client tracking. Built on keyed-verification anonymous credentials and privately verifiable BBS-style signatures , the protocol allows services to issue, track, and spend credits while maintaining client privacy.
Key Properties The protocol provides four essential properties that make it suitable for privacy-preserving credit systems:
  1. Unlinkability: The issuer cannot link credit issuance to spending, or connect multiple transactions by the same client. This property is information-theoretic, not merely computational.
  2. Partial Spending: Clients can spend any amount up to their balance and receive anonymous change without revealing their previous or current balance, enabling flexible spending.
  3. Double-Spend Prevention: Cryptographic nullifiers ensure each token is used only once, without linking it to issuance.
  4. Balance Privacy: During spending, only the amount being spent is revealed, not the total balance in the token, protecting clients from balance-based profiling.
Use Cases Anonymous Credit Tokens can be applied to various scenarios:
  • Rate Limiting: Services can issue daily credit allowances that clients spend anonymously for API calls or resource access.
  • API Credits: API providers can sell credit packages that developers use to pay for API requests without creating a detailed usage history linked to their identity. This enables:
    • Pre-paid API access without requiring credit cards for each transaction
    • Anonymous API usage for privacy-sensitive applications
    • Usage-based billing without tracking individual request patterns
    • Protection against competitive analysis through usage monitoring
Protocol Overview The protocol involves two parties: an issuer (typically a service provider) and clients (typically users of the service). The interaction follows three main phases:
  1. Setup: The issuer generates a key pair and publishes the public key.
  2. Issuance: A client requests credits from the issuer. The issuer creates a blind signature on the credit value and a client-chosen nullifier, producing a credit token.
  3. Spending: To spend credits, the client reveals a nullifier and proves possession of a valid token associated with that nullifier having sufficient balance. The issuer verifies the proof, checks the nullifier hasn't been used before, and issues a new token (which remains hidden from the issuer) for any remaining balance.
Design Goals The protocol is designed with the following goals:
  • Privacy: Unlinkability between issuance and spending; see the Security Properties section for the formal definition.
  • Security: Clients cannot spend more credits than they possess or use the same credits multiple times.
  • Efficiency: All operations should be computationally efficient, with performance characteristics suitable for high-volume web services and a large number of applications.
  • Simplicity: The protocol should be straightforward to implement and integrate into existing systems relative to other comparable solutions.
Relation to Existing Work This protocol builds upon several cryptographic primitives:
  • BBS Signatures : The core signature scheme that enables efficient proofs of possession. We use a variant that is privately verifiable, which avoids the need for pairings and makes our protocol more efficient.
  • Sigma Protocols : The zero-knowledge proof framework used for spending proofs.
  • Fiat-Shamir Transform : The technique to make the interactive proofs non-interactive.
The protocol can be viewed as a specialized instantiation of keyed-verification anonymous credentials optimized for numerical values and partial spending.
Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
Notation This document uses the following notation:
  • ||: Concatenation of byte strings
  • x <- S: Sampling x uniformly from the set S
  • x := y: Assignment of the value y to the variable x
  • [n]: The set of integers {0, 1, ..., n-1}
  • |x|: The length of byte string x
  • 0x prefix: Hexadecimal values
  • We use additive notation for group operations, so group elements are added together like a + b and scalar multiplication of a group element by a scalar is written as a * n, with group element a and scalar n.
Data Types The protocol uses the following data types:
  • Scalar: An integer modulo the group order q
  • Element: An element of the Ristretto255 group
  • ByteString: A sequence of bytes
Cryptographic Parameters The protocol uses the Ristretto group , which provides a prime-order group abstraction over Curve25519. It would be easy to adapt this approach to using any other prime order group based on the contents of this document. The key parameters are:
  • q: The prime order of the group (2^252 + 27742317777372353535851937790883648493)
  • G: The standard generator of the Ristretto group
  • L: The bit length for credit values
Protocol Specification
System Parameters The protocol requires the following system parameters: Implementations MUST enforce 1 <= L <= 128. See the Parameter Selection section for the rationale behind this constraint. The generators H1, H2, H3, and H4 MUST be generated deterministically from a nothing-up-my-sleeve value to ensure they are independent of each other and of G. This prevents attacks whereby malicious parameters could compromise security. Note that these generators are independent of the choice of L. The domain_separator MUST be unique for each deployment to ensure cryptographic isolation between different services. The domain separator SHOULD follow this structured format: Each component (organization, service, deployment_id, version) MUST NOT contain the colon character ':'. Where:
  • organization: A unique identifier for the organization (e.g., "example-corp", "acme-inc")
  • service: The specific service or application name (e.g., "payment-api", "rate-limiter")
  • deployment_id: The deployment environment (e.g., "production", "staging", "us-west-1")
  • version: An ISO 8601 date (YYYY-MM-DD) indicating when parameters were generated
Example: "ACT-v1:example-corp:payment-api:production:2024-01-15" This structured format ensures: 1. Protocol identification through the "ACT-v1:" prefix 2. Organizational namespace isolation 3. Service-level separation within organizations 4. Environment isolation (production vs staging) 5. Version tracking for parameter updates Using generic or unstructured domain separators creates security risks through parameter collision and MUST NOT be used. When parameters need to be updated (e.g., for security reasons or protocol upgrades), a new version date MUST be used, creating entirely new parameters. The OneWayMap function is defined in Section 4.3.4, which provides a cryptographically secure mapping from uniformly random byte strings to valid Ristretto255 points.
Key Generation The issuer generates a key pair as follows:
Token Issuance The issuance protocol is an interactive protocol between a client and the issuer:
Client: Issuance Request
Issuer: Issuance Response 0) - ctx: Request context (Scalar) Output: - response: Issuance response or INVALID Exceptions: - InvalidIssuanceRequestProof, raised when the client proof verification fails Steps: 1. Parse request as (K, gamma, k_bar, r_bar) 2. // Verify proof of knowledge 3. K1 = H2 * k_bar + H3 * r_bar - K * gamma 4. transcript = CreateTranscript("request") 5. AddToTranscript(transcript, K) 6. AddToTranscript(transcript, K1) 7. if GetChallenge(transcript) != gamma: 8. raise InvalidIssuanceRequestProof 9. // Create BBS signature on (c, ctx, k, r) 10. e <- Zq 11. A = (G + H1 * c + H4 * ctx + K) * (1/(e + sk)) // K = H2 * k + H3 * r 12. // Generate proof of correct computation 13. alpha <- Zq 14. Y_A = A * alpha 15. Y_G = G * alpha 16. X_A = G + H1 * c + H4 * ctx + K 17. X_G = G * e + pk 18. transcript_resp = CreateTranscript("respond") 19. AddToTranscript(transcript_resp, c) 20. AddToTranscript(transcript_resp, ctx) 21. AddToTranscript(transcript_resp, e) 22. AddToTranscript(transcript_resp, A) 23. AddToTranscript(transcript_resp, X_A) 24. AddToTranscript(transcript_resp, X_G) 25. AddToTranscript(transcript_resp, Y_A) 26. AddToTranscript(transcript_resp, Y_G) 27. gamma_resp = GetChallenge(transcript_resp) 28. z = gamma_resp * (sk + e) + alpha 29. response = (A, e, gamma_resp, z, c, ctx) 30. return response ]]>
Client: Token Verification
Token Spending The spending protocol allows a client to spend s credits from a token containing c credits (where 0 <= s <= c). Note: Spending s = 0 is permitted and produces a new token with the same balance but a fresh nullifier. This "re-anonymization" operation is useful for securely transferring a token to another party: after a zero-spend, the original holder can no longer use the old nullifier, and the recipient obtains a token that is cryptographically unlinkable to the original.
Client: Spend Proof Generation c or s >= 2^L or c >= 2^L Steps: 1. // Validate inputs 2. if s >= 2^L: 3. raise InvalidAmount 4. if c >= 2^L: 5. raise InvalidAmount 6. if s > c: 7. raise InvalidAmount 8. // Randomize the signature 9. r1, r2 <- Zq 10. B = G + H1 * c + H2 * k + H3 * r + H4 * ctx 11. A' = A * (r1 * r2) 12. B_bar = B * r1 13. r3 = 1/r1 14. // Generate initial proof components 15. c' <- Zq 16. r' <- Zq 17. e' <- Zq 18. r2' <- Zq 19. r3' <- Zq 20. // Compute first round messages 21. A1 = A' * e' + B_bar * r2' 22. A2 = B_bar * r3' + H1 * c' + H3 * r' 23. // Decompose c - s into bits 24. m = c - s 25. (i[0], ..., i[L-1]) = BitDecompose(m) // See Section 3.7 26. // Create commitments for each bit 27. k* <- Zq 28. s[0] <- Zq 29. Com[0] = H1 * i[0] + H2 * k* + H3 * s[0] 30. For j = 1 to L-1: 31. s[j] <- Zq 32. Com[j] = H1 * i[j] + H3 * s[j] 33. // Initialize range proof arrays 34. C = array[L][2] 35. C' = array[L][2] 36. gamma0 = array[L] 37. z = array[L][2] 38. // Process bit 0 (with k* component) 39. C[0][0] = Com[0] 40. C[0][1] = Com[0] - H1 41. k0' <- Zq 42. s_prime = array[L] 43. s_prime[0] <- Zq 44. gamma0[0] <- Zq 45. w0 <- Zq 46. z[0] <- Zq 47. if i[0] == 0: 48. C'[0][0] = H2 * k0' + H3 * s_prime[0] 49. C'[0][1] = H2 * w0 + H3 * z[0] - C[0][1] * gamma0[0] 50. else: 51. C'[0][0] = H2 * w0 + H3 * z[0] - C[0][0] * gamma0[0] 52. C'[0][1] = H2 * k0' + H3 * s_prime[0] 53. // Process remaining bits 54. For j = 1 to L-1: 55. C[j][0] = Com[j] 56. C[j][1] = Com[j] - H1 57. s_prime[j] <- Zq 58. gamma0[j] <- Zq 59. z[j] <- Zq 60. 61. if i[j] == 0: 62. C'[j][0] = H3 * s_prime[j] 63. C'[j][1] = H3 * z[j] - C[j][1] * gamma0[j] 64. else: 65. C'[j][0] = H3 * z[j] - C[j][0] * gamma0[j] 66. C'[j][1] = H3 * s_prime[j] 67. // Compute K' commitment 68. K' = Sum(Com[j] * 2^j for j in [L]) 69. r* = Sum(s[j] * 2^j for j in [L]) 70. k' <- Zq 71. s' <- Zq 72. C_final = H1 * (-c') + H2 * k' + H3 * s' 73. // Generate challenge using transcript 74. transcript = CreateTranscript("spend") 75. AddToTranscript(transcript, k) 76. AddToTranscript(transcript, ctx) 77. AddToTranscript(transcript, A') 78. AddToTranscript(transcript, B_bar) 79. AddToTranscript(transcript, A1) 80. AddToTranscript(transcript, A2) 81. For j = 0 to L-1: 82. AddToTranscript(transcript, Com[j]) 83. For j = 0 to L-1: 84. AddToTranscript(transcript, C'[j][0]) 85. AddToTranscript(transcript, C'[j][1]) 86. AddToTranscript(transcript, C_final) 87. gamma = GetChallenge(transcript) 88. // Compute responses 89. e_bar = -gamma * e + e' 90. r2_bar = gamma * r2 + r2' 91. r3_bar = gamma * r3 + r3' 92. c_bar = -gamma * c + c' 93. r_bar = -gamma * r + r' 94. // Complete range proof responses 95. z_final = array[L][2] 96. gamma0_final = array[L] 97. 98. // For bit 0 99. if i[0] == 0: 100. gamma0_final[0] = gamma - gamma0[0] 101. w00 = gamma0_final[0] * k* + k0' 102. w01 = w0 103. z_final[0][0] = gamma0_final[0] * s[0] + s_prime[0] 104. z_final[0][1] = z[0] 105. else: 106. gamma0_final[0] = gamma0[0] 107. w00 = w0 108. w01 = (gamma - gamma0_final[0]) * k* + k0' 109. z_final[0][0] = z[0] 110. z_final[0][1] = (gamma - gamma0_final[0]) * s[0] + s_prime[0] 111. // For remaining bits 112. For j = 1 to L-1: 113. if i[j] == 0: 114. gamma0_final[j] = gamma - gamma0[j] 115. z_final[j][0] = gamma0_final[j] * s[j] + s_prime[j] 116. z_final[j][1] = z[j] 117. else: 118. gamma0_final[j] = gamma0[j] 119. z_final[j][0] = z[j] 120. z_final[j][1] = (gamma - gamma0_final[j]) * s[j] + s_prime[j] 121. k_bar = gamma * k* + k' 122. s_bar = gamma * r* + s' 123. // Construct proof 124. proof = (k, s, ctx, A', B_bar, Com, gamma, e_bar, 125. r2_bar, r3_bar, c_bar, r_bar, 126. w00, w01, gamma0_final, z_final, 127. k_bar, s_bar) 128. state = (k*, r*, m, ctx) 129. return (proof, state) ]]>
Issuer: Spend Verification and Refund
Refund Issuance After verifying a spend proof, the issuer creates a refund token for the remaining balance. The issuer may optionally return t credits (where 0 <= t <= s) back to the client via a partial credit return. This enables pre-authorization patterns where the client holds s credits but only t are returned unused. The resulting token will have c - s + t credits. Use t = 0 to consume the full spend amount: s or t >= 2^L Steps: 1. // Validate partial return amount 2. if t >= 2^L: 3. raise InvalidAmount 4. if t > s: 5. raise InvalidAmount 6. // Create new BBS signature on remaining balance + partial return 7. e* <- Zq 8. X_A* = G + K' + H1 * t + H4 * ctx 9. A* = X_A* * (1/(e* + sk)) 10. // Generate proof of correct computation 11. alpha <- Zq 12. Y_A = A* * alpha 13. Y_G = G * alpha 14. X_G = G * e* + pk 15. // Create challenge using transcript 16. transcript = CreateTranscript("refund") 17. AddToTranscript(transcript, e*) 18. AddToTranscript(transcript, t) 19. AddToTranscript(transcript, ctx) 20. AddToTranscript(transcript, A*) 21. AddToTranscript(transcript, X_A*) 22. AddToTranscript(transcript, X_G) 23. AddToTranscript(transcript, Y_A) 24. AddToTranscript(transcript, Y_G) 25. gamma = GetChallenge(transcript) 26. // Compute response 27. z = gamma * (sk + e*) + alpha 28. refund = (A*, e*, gamma, z, t) 29. return refund ]]>
Client: Refund Token Construction The client verifies the refund and constructs a new credit token:
Spend Proof Verification The issuer verifies a spend proof as follows:
Cryptographic Primitives
Protocol Version The protocol version string for domain separation is: This version string MUST be used consistently across all implementations for interoperability. The curve specification is included to prevent cross-curve attacks and ensure implementations using different curves cannot accidentally interact.
Hash Function and Fiat-Shamir Transform The protocol uses BLAKE3 as the underlying hash function for the Fiat-Shamir transform . Following the sigma protocol framework , challenges are generated using a transcript that accumulates all protocol messages: This approach ensures:
  • Domain separation through the label and protocol version
  • Inclusion of all public parameters to prevent parameter substitution attacks
  • Proper ordering with length prefixes to prevent ambiguity
  • Deterministic challenge generation from the complete transcript
Encoding Functions Elements and scalars are encoded as follows: The following function provides consistent length-prefixing for hash inputs: Note: Implementations MAY use standard serialization formats (e.g. CBOR) for complex structures, but MUST ensure deterministic encoding for hash inputs.
Binary Decomposition To decompose a scalar into its binary representation: > bit_position) & 1 6. bits[i] = Scalar(bit) 7. return bits ]]> Note: This algorithm produces bits in LSB-first order (i.e., bits[0] is the least significant bit). See Section 3.1 for constraints on L.
Scalar Conversion Converting between credit amounts and scalars: = 2^L: 2. return AmountTooBigError 3. return Scalar(amount) ScalarToCredit(s): Input: - s: Scalar value Output: - amount: Integer credit amount or ERROR Exceptions: - ScalarOutOfRangeError: raised when the scalar value is >= 2^L Steps: 1. amount = s as integer // Interpret little-endian scalar bytes as integer 2. if amount >= 2^L: 3. return ScalarOutOfRangeError 4. return amount ]]>
Protocol Messages and Wire Format
Message Encoding All protocol messages SHOULD be encoded using deterministic CBOR (RFC 8949) for interoperability. Decoders MUST reject messages containing unknown CBOR map keys. The following sections define the structure of each message type.
Issuance Request Message
Issuance Response Message
Spend Proof Message
Refund Message
Error Responses Error responses SHOULD use the following format: Error codes are defined in Section 5.3.
Protocol Flow The complete protocol flow with message types: | | | |<-- IssuanceResponseMsg -----------------------| | | | (client creates token) | | | |-- SpendProofMsg ----------------------------->| | | |<-- RefundMsg or ErrorMsg ---------------------| | | ]]>
Example Usage Scenario Consider an API service that sells credits in bundles of 1000:
  1. Purchase: Alice buys 1000 API credits
    • Alice generates a random nullifier k and blinding factor r
    • Alice sends IssuanceRequestMsg to the service
    • Service creates a BBS signature on (1000, k, r) and returns it
    • Alice now has a token worth 1000 credits
  2. First API Call: Alice makes an API call costing 50 credits
    • Alice creates a SpendProofMsg proving she has ≥ 50 credits
    • Alice reveals nullifier k to prevent double-spending
    • Service verifies the proof and records k as used
    • Service issues a RefundMsg for a new token worth 950 credits
    • Alice generates new nullifier k' for the refund token
  3. Subsequent Calls: Alice continues using the API
    • Each call repeats the spend/refund process
    • Each new token has a fresh nullifier
    • The service cannot link Alice's calls together
This example demonstrates how the protocol maintains privacy while preventing double-spending and enabling flexible partial payments.
Implementation Considerations
Nullifier Management Implementations MUST maintain a persistent database of used nullifiers to prevent double-spending. The nullifier storage requirements grow linearly with the number of spent tokens. Implementations MAY use the following strategies to manage storage:
  1. Expiration: If tokens have expiration dates, old nullifiers can be pruned.
  2. Sharding: Nullifiers can be partitioned across multiple databases.
  3. Bloom Filters: Probabilistic data structures can reduce memory usage with a small false-positive rate. WARNING: false positives cause legitimate spends to be rejected. Bloom filters MUST NOT be the sole nullifier check; a positive result MUST be confirmed against authoritative storage before rejecting a spend.
Constant-Time Operations Implementations MUST use constant-time operations for all secret-dependent computations. See the Security Considerations section for detailed requirements and mitigations.
Randomness Generation The security of the protocol critically depends on the quality of random number generation. Implementations MUST use cryptographically secure random number generators (CSPRNGs) for:
  • Private key generation
  • Blinding factors (r, k)
  • Proof randomness (nonces)
RNG Requirements
  1. Entropy Source: Use OS-provided entropy (e.g., /dev/urandom on Unix systems)
  2. Fork Safety: Reseed after fork() to prevent nonce reuse
  3. Backtracking Resistance: Use forward-secure PRNGs when possible
Nonce Generation Following , nonces (the randomness used in proofs) MUST be generated with extreme care:
  1. Fresh Randomness: Generate new nonces for every proof
  2. No Reuse: Never reuse nonces across different proofs
  3. Full Entropy: Use the full security parameter (256 bits) of randomness
  4. Zeroization: Clear nonces from memory after use
WARNING: Leakage of even a few bits of a nonce can allow complete recovery of the witness (secret values). Implementations MUST use constant-time operations and secure memory handling for all nonce-related computations.
Point Validation All Ristretto points received from external sources MUST be validated:
  1. Deserialization: Verify the point deserializes to a valid Ristretto point
  2. Non-Identity: Verify the point is not the identity element
  3. Subgroup Check: Ristretto guarantees prime-order subgroup membership
Example validation: All implementations MUST validate points at these locations:
  • When receiving K in issuance request
  • When receiving A in issuance response
  • When receiving A' and B_bar in spend proof
  • When receiving Com[j] commitments in spend proof
  • When receiving A* in refund response
Error Handling Implementations SHOULD NOT provide detailed error messages that could leak information about the verification process. A single INVALID response should be returned for all verification failures.
Error Codes While detailed error messages should not be exposed to untrusted parties, implementations MAY use the following internal error codes:
  • INVALID_PROOF: Proof verification failed
  • NULLIFIER_REUSE: Double-spend attempt detected
  • MALFORMED_REQUEST: Request format is invalid
  • INVALID_AMOUNT: Credit amount is invalid (exceeds 2^L - 1, spend exceeds balance, or partial return exceeds spend)
Parameter Selection Implementations MUST choose L based on their maximum credit requirements and performance constraints. See Section 3.1 for constraints on L. The bit length L is configurable and determines the range of credit values (0 to 2^L - 1). The choice of L involves several trade-offs:
  1. Range: Larger L supports higher credit values
  2. Performance: Proof size and verification time scale linearly with L
Performance Characteristics The protocol has the following computational complexity: Notation for Operations:
  • Group Operations: Point additions in the Ristretto255 group (e.g., P + Q)
  • Group Exponentiations: Scalar multiplication of group elements (e.g., P * s)
  • Scalar Additions/Multiplications: Arithmetic operations modulo the group order q
  • Issuance:
Operation Group Operations Group Exponentiations Scalar Additions Scalar Multiplications Hashes
Client Request 2 4 2 1 1
Issuer Response 5 8 3 1 2
Client Credit Token Construction 5 5 0 0 1
  • Spending:
Operation Group Operations Group Exponentiations Scalar Additions Scalar Multiplications Hashes
Client Request 17 + 4L 27 + 8L 13 + 5L 12 + 3L 1
Issuer Response 16 + 4L 24 + 5L 4 + L 1 1
Client Credit Token Construction 3 5 L L 1
Note: L is the configurable bit length for credit values.
  • Storage:
Component Size
Token size 192 bytes (6 × 32 bytes)
Spend proof size 32 × (14 + 4L) bytes
Nullifier database entry 32 bytes per spent token
Note: Token size is independent of L.
Security Considerations
Security Model and Definitions
Threat Model We consider a setting with:
  • Multiple issuers who can operate independently, though malicious issuers may collude with each other
  • Potentially malicious clients who may attempt to spend more credits than they should (whether by forging tokens, spending more credits than a token has, or double-spending a token)
Security Properties The protocol provides the following security guarantees:
  1. Unforgeability: For an honest isser I, no probabilistic polynomial-time (PPT) adversary controlling a set of malicious clients and other malicious issuers can spend more credits than have been issued by I.
  2. Anonymity/Unlinkability: For an honest client C, no adversary controlling a set of malicious issuers and other malicious clients can link a token issuance/refund to C with a token spend by C. This property is information-theoretic in nature.
Cryptographic Assumptions Security relies on:
  1. The q-SDH Assumption in the Ristretto255 group. We refer to for the formal definition.
  2. Random Oracle Model: The BLAKE3 hash function H is modeled as a random oracle.
Privacy Properties The protocol provides the following privacy guarantees:
  1. Unlinkability: The issuer cannot link a token issuance/refund to a later spend of that token.
However, the protocol does NOT provide:
  1. Network-Level Privacy: IP addresses and network metadata can still link transactions.
  2. Amount Privacy: The spent amount s is revealed to the issuer.
  3. Timing Privacy: Transaction timing patterns could potentially be used for correlation.
  4. Context Privacy: The request context (ctx) is revealed in the clear during spending. If the issuer assigns distinct ctx values per issuance, the resulting token chain (issuance, spend, refund, subsequent spends) becomes linkable through the shared ctx value. This is by design for application-level context binding, but deployments that require full unlinkability MUST use a shared ctx across all clients within the same context (e.g., per-service or per-epoch), not per-client values. The ctx value persists across refunds: a token produced by a refund inherits the ctx of the original token.
Implementation Vulnerabilities and Mitigations
Critical Security Requirements
  1. RNG Failures: Weak randomness can completely break the protocol's security. Attack Vector: Predictable or repeated nonces in proofs can allow complete recovery of secret values including private keys and token contents. Mitigations:
    • MUST use cryptographically secure RNGs (e.g., OS-provided entropy sources)
    • MUST reseed after fork() operations to prevent nonce reuse
    • MUST implement forward-secure RNG state management
    • SHOULD use separate RNG instances for different protocol components
    • MUST zeroize RNG state on process termination
  2. Timing Attacks: Variable-time operations can leak information about secret values. Attack Vector: Timing variations in scalar arithmetic or bit operations can reveal secret bit patterns, potentially exposing credit balances or allowing token forgery. Mitigations:
    • MUST use constant-time scalar arithmetic libraries
    • MUST use constant-time conditional selection for range proof conditionals
    • MUST avoid early-exit conditions based on secret values
    • Critical constant-time operations include:
      • Scalar multiplication and addition
      • Binary decomposition in range proofs
      • Conditional assignments based on secret bits
      • Challenge verification comparisons
  3. Nullifier Database Attacks: Corruption or manipulation of the nullifier database enables double-spending. Attack Vectors:
    • Database corruption allowing nullifier deletion
    • Race conditions in concurrent nullifier checks
    Mitigations:
    • MUST use ACID-compliant database transactions
    • MUST check nullifier uniqueness within the same transaction as insertion
    • SHOULD implement append-only audit logs for nullifier operations
    • MUST implement proper database backup and recovery procedures
  4. Eavesdropping/Message Modification Attacks: A network-level adversary can copy spend proofs or modify messages sent between an honest client and issuer. Attack Vectors:
    • Eavesdropping and copying of proofs
    • Message modifications causing protocol failure
    Mitigations:
    • Client and issuer MUST use TLS 1.3 or above when communicating.
  5. State Management Vulnerabilities: Improper state handling can lead to security breaches. Attack Vectors:
    • State confusion between protocol sessions
    • Memory disclosure of sensitive state
    • Incomplete state cleanup
    Mitigations:
    • MUST use separate state objects for each protocol session
    • MUST zeroize all sensitive data (keys, nonces, intermediate values) after use
    • SHOULD use memory protection mechanisms (e.g., mlock) for sensitive data
    • MUST implement proper error handling that doesn't leak state information
    • SHOULD use explicit state machines for protocol flow
  6. Concurrency and Race Conditions: Parallel operations can introduce vulnerabilities. Attack Vectors:
    • TOCTOU (Time-of-check to time-of-use) vulnerabilities in nullifier checking
    • Race conditions in balance updates
    • Concurrent modification of shared state
    Mitigations:
    • MUST use appropriate locking for all shared resources
    • MUST perform nullifier check and insertion atomically
    • SHOULD document thread-safety guarantees
    • MUST ensure atomic read-modify-write for all critical operations
Known Attack Scenarios
1. Parallel Spend Attack Scenario: A malicious client attempts to spend the same token multiple times by initiating parallel spend operations before any nullifier is recorded. Prevention: The issuer MUST ensure atomic nullifier checking and recording within a single database transaction. Network-level rate limiting can provide additional protection.
2. Balance Inflation Attack Scenario: An attacker attempts to create a proof claiming to have more credits than actually issued by manipulating the range proof. Prevention: The cryptographic soundness of the range proof prevents this attack.
3. Token Linking Attack Scenario: An issuer attempts to link transactions by analyzing patterns in nullifiers, amounts, or timing. Prevention: Nullifiers are cryptographically random and unlinkable. However, implementations MAY add random delays and amount obfuscation where possible.
Protocol Composition and State Management
State Management Requirements Before they make a spend request or an issue request, the client MUST store their private state (the nullifier, the blinding factor, and the new balance) durably. For the issuer, the spend and refund operations MUST be treated as an atomic transaction. However, even more is required. If a nullifier associated with a given spend is persisted to the database, clients MUST be able to access the associated refund. If they cannot access this, then they can lose access to the rest of their credits. For performance reasons, an issuer SHOULD automatically clean these up after some expiry, but if they do so, they MUST inform the client of this policy so the client can ensure they can retry to retrieve the rest of their credits in time. Issuers MAY implement functionality to notify the issuer that the refund request was processed, so they can delete the refund record. It is not clear that this is worth the cost relative to just cleaning them up in bulk at some specified expiration date, however if you are memory constrained this could be useful.
Session Management Each protocol session (issuance or spend/refund) MUST use fresh randomness. See the Randomness Generation section for detailed RNG requirements.
Version Negotiation To support protocol evolution, implementations MAY include version negotiation in the initial handshake. All parties MUST agree on the protocol version before proceeding.
Quantum Resistance This protocol is NOT quantum-resistant. The discrete logarithm problem can be solved efficiently by quantum computers using Shor's algorithm. Organizations requiring long-term security should consider post-quantum alternatives. However, user privacy is preserved even in the presence of a cryptographically relevant quantum computer.
IANA Considerations This document has no IANA actions.
References Normative References Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Concise Binary Object Representation (CBOR) The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack. This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format. Hashing to Elliptic Curves This document specifies a number of algorithms for encoding or hashing an arbitrary string to a point on an elliptic curve. This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF. The ristretto255 and decaf448 Groups This memo specifies two prime-order groups, ristretto255 and decaf448, suitable for safely implementing higher-level and complex cryptographic protocols. The ristretto255 group can be implemented using Curve25519, allowing existing Curve25519 implementations to be reused and extended to provide a prime-order group. Likewise, the decaf448 group can be implemented using edwards448. This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF. BLAKE3: One Function, Fast Everywhere Informative References RSA Blind Signatures This document specifies an RSA-based blind signature protocol. RSA blind signatures were first introduced by Chaum for untraceable payments. A signature that is output from this protocol can be verified as an RSA-PSS signature. This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF. Sigma Protocols The Fiat-Shamir Transform Short Group Signatures Keyed-Verification Anonymous Credentials Revisiting BBS Signatures
Test Vectors This appendix provides test vectors for implementers to verify their implementations. All values are encoded in hexadecimal. The following test vector was generated deterministically using a ChaCha20 RNG seeded with the bytes 00 01 02 ... 1e 1f and L=8. The domain separator is "ACT-v1:test:vectors:v0:2025-01-01", credit amount c=100, spend amount s=30, partial return t=10, and ctx=0. Values labelled *_cbor are the CBOR wire-format encodings (Section 4) of each protocol message, displayed in hexadecimal. Implementations SHOULD verify they can deserialize these CBOR messages and that a full protocol run with the same deterministic RNG produces identical output.
Parameters
Key Generation
Issuance
Spending
Refund
Refund Token
Implementation Status This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in RFC 7942.
anonymous-credit-tokens Organization: Google Description: Reference implementation in Rust Maturity: Beta Coverage: Complete protocol implementation License: Apache 2.0 Contact: sgschlesinger@gmail.com URL: https://github.com/SamuelSchlesinger/anonymous-credit-tokens
Terminology Glossary This glossary provides quick definitions of key terms used throughout this document: ACT (Anonymous Credit Tokens): The privacy-preserving authentication protocol specified in this document. Blind Signature: A cryptographic signature where the signer signs a message without seeing its content. Refund: The refund issued for the remaining balance after a partial spend. Credit: A numerical unit of authorization that can be spent by clients. Domain Separator: A unique string used to ensure cryptographic isolation between different deployments. Element: A point in the Ristretto255 elliptic curve group. Issuer: The entity that creates and signs credit tokens. Nullifier: A unique value revealed during spending that prevents double-spending of the same token. Partial Spending: The ability to spend less than the full value of a token and receive change. Scalar: An integer modulo the group order q, used in cryptographic operations. Sigma Protocol: An interactive zero-knowledge proof protocol following a commit-challenge-response pattern. Token: A cryptographic credential containing a BBS signature and associated data (A, e, k, r, c, ctx). Unlinkability: The property that transactions cannot be correlated with each other or with token issuance.
Acknowledgments The authors would like to thank the Crypto Forum Research Group for their valuable feedback and suggestions. Special thanks to the contributors who provided implementation guidance and security analysis. This work builds upon the foundational research in anonymous credentials and zero-knowledge proofs by numerous researchers in the cryptographic community, particularly the work on BBS signatures by Boneh, Boyen, and Shacham, and keyed-verification anonymous credentials by Chase, Meiklejohn, and Zaverucha.