Anonymous Tokens with Designated-Reader Metadata Bit

Anonymous tokens with private metadata bit convey hidden signals to verifiers when presented by the user and are under discussion in standardization. Existing solutions only allow the token issuer to read the signals, which places a heavy burden on the issuer and makes it challenging to support issuer-hiding because verifiers have to contact the issuer. In this paper, we propose an anonymous token scheme with designated-reader metadata bit, allowing the user to specify an issuer-accepted verifier to read the signal from the token directly. We also extend our scheme to support reader-hiding, which conceals the user's intended verifier from the issuer and other verifiers, and issuer-hiding, which prevents exposure of the token issuer from verifiers. We prove the security of our constructions and report their performance.