AnonTokens: Privacy-Preserving Crypto Tokens

Updated 19 November 2025

AnonTokens are a versatile class of cryptographic tokens that provide anonymity, unlinkability, and controlled accountability using methods like DAA, EPID, accountable ring signatures, and quantum techniques.
They support diverse applications including anonymous credential systems, blockchain governance, privacy-preserving contact tracing, and decoy-based data anonymization, backed by formal security proofs and practical scalability.
Variants such as decoy-based tokens and oblivious digital tokens offer actionable insights for adversarial detection and regulatory recourse while balancing performance and privacy.

AnonTokens are a class of cryptographic tokens, credential constructs, or decoy artifacts engineered to provide anonymity, unlinkability, and/or accountability within privacy-preserving systems. Their applications span anonymous data collection, Sybil-resistant credentialing, privacy-preserving on-chain governance, access control, trust-marking/blockchain attestation, and adversarial decoying. Multiple cryptographic instantiations exist—ranging from Direct Anonymous Attestation (DAA)-based group signatures, ERC-20 extensions with privacy overlays, accountable ring signatures, EPID/CL membership proofs, to quantum and physical variants.

1. Anonymous Credential Systems: DAA-Based AnonTokens

DAA-based AnonTokens, as exemplified in anonymous data collection (Catarineu et al., 2018), utilize pairing-friendly group signatures for scalable, anonymous, yet rate-limited reporting. The system comprises:

Issuance: A DAA issuer provisions users with a group secret key and credential.
Token Construction: User computes programmable basenames encoding both norm-quotas and content digests; signs data using their DAA secret, generating a tuple consisting of the message, basename(s), and signature(s).
Verification/Rate-Limiting: Collectors, upon message receipt, verify DAA signatures and extract “link tags” (H₁(basename)^{gsk}) for linkage. Presentation of the same tag (due to quota violation) provably links deterministic overuse, allowing the system to filter excess or malicious data without revealing honest user identity.
Security: Signatures are unlinkable across distinct basenames; linkability is strictly by construction according to rate-limiting rules.

Performance measurements report throughput up to 125 messages/s client-side and 140/s server-side; link-age logic adds negligible overhead on standard hardware (Catarineu et al., 2018).

2. Blockchain Applications: Trust-Marking, Governance, and Privacy

a) Anonymous Trust-Marking and Attestation

AnonTokens for blockchain trust-marking (Sato et al., 2020) employ accountable ring signatures (Bootle et al., Eurocrypt'15) and Pedersen commitments:

Token Admitters sign address-tagging tokens indicating “trust” or “untrust.” Each signature is unlinkable within a defined public key ring.
Designated auditors (opener keys) alone can break signature anonymity for audit or recourse.
Revocation capability is achieved via Pedersen commitment linkage; the original admitter can publicize their commitment opening, linking issuance to a later revocation event.
All algorithms are realized over Curve25519 with signature sizes ≈1.4 kB and 10–15 ms signing/verification, practical for on-chain or off-chain embedding in UTXO systems or smart contracts.

b) Anonymous On-Chain Governance and Mixer Participation

In Autonomous Coin Mixer (AMR) (Le et al., 2020), AnonTokens (ERC-20) serve to reward (and govern) mixer participation, with privacy guarantees enforced through zero-knowledge SNARKs:

Deposited notes accrue eligibility for reward after a temporal lock (t_con blocks) and can be redeemed using ZK-proofs of inclusion. Minted governance tokens (“AnonTokens”) are distributed to the redeemer in a privacy-preserving manner.
Staking AnonTokens in an interest-distribution pool confers proportionate rewards, with voting power computed as w = amount × (t_lock_remain / t_max).
Anonymity set and unlinkability are quantified formally: for withdrawal at block h, adversary linking advantage is Adv_{A,wdr}^h ≤ 1/|AnomSet^h| + negl(λ).
AMR supports >66,000 deposit events/day at depth d=30 (Merkle tree), confirming high scalability.

c) Access Control and Anonymous Membership in Permissioned Blockchains

ChainAnchor (Hardjono et al., 2019) deploys EPID-based AnonTokens:

Users obtain zero-knowledge group credentials (EPID “member private keys”) from an issuer and prove membership to a verifier, registering ephemeral transaction keypairs (K_trans).
The permission database holds only transaction public keys; consensus nodes admit only transactions signed with registered keys, enforcing both access control and transaction unlinkability.
Users may disclose linkage to specific transaction keys for regulatory or compliance reasons, with disclosure limited to single tokens.

3. Decoy-Based AnonTokens in Data Anonymization

AnonTokens as “bait” or honeytokens (Antonatos et al., 2019) are decoy records embedded in k-anonymized datasets:

Design: Identify equivalence classes in auxiliary population datasets with high re-identification risk (size in [k, m_inℓ)), and inject their records as decoy eq-classes into the released view.
Adversarial Model: Attacker attempts re-identification; a hit on a decoy triggers detection. Collusion-resistant variants delete certain genuine classes in each recipient’s view.
Detection Probability: For d decoys and t re-identification attempts, the probability of detection is P_det = 1 - ∏_{i=1}^t (1 - p_i), with p_i the per-decoy detection probability.
Empirical Results: Decoy insertions are feasible at scale, blending into equivalence class distributions and incurring minimal utility loss under standard anonymization metrics (Antonatos et al., 2019).

4. Privacy-Preserving Contact Tracing with Physical Tokens

In decentralized contact tracing (Bhat et al., 2021), Tracer Tokens are physical BLE fobs conforming to the GAEN protocol:

Each device generates rolling ephemeral identifiers (RPIs) using a daily TEK and per-disease HKDF “salt,” offering cryptographic unlinkability and perfect forward secrecy. No personally identifying information or registration is stored.
Notification capacity scales combinatorially: n Diagnosis Key sets distributed to n fobs yields up to nⁿ parallel notification comparisons, each device performing O(1) local work per key set.
Empirical validation shows battery consumption (~100 mAh/24 h) and responsiveness are compatible with real-world deployments.

5. Quantum and Novel Token Variants

a) Quantum AnonTokens with Classical Verification

“Anonymous Quantum Tokens with Classical Verification” (Gavinsky et al., 7 Oct 2025) leverage the no-cloning theorem to provide unconditionally unforgeable, single-use tokens:

All tokens |ϕ_S⟩ in a minted series are identically prepared, preventing issuer-enabled linkage. Validity is established by classical measurement (computational basis), producing a proof (I, R) for RunVerify.
Anonymity auditing is achieved by swap-test: if the issuer attempts to track users by deviating from repetition, the deviation is detected with probability ≥ 2ε.
The scheme is practical at scale (N_m ≈ 2^{4k} tokens/series), with applications in anonymous one-time pads and voting.

b) Oblivious Digital Tokens

Oblivious Digital Tokens (ODTs) (Liskij et al., 5 Mar 2025) address the unique problem of verifier-oblivious credential checking:

ODTs are TEE-signed ephemeral artifacts, with device attestation, private memory sampling, and private equality-test (PPET) protocols embedded in standard TLS handshakes.
Binding integrity, verification obliviousness, and privacy are defined rigorously: Adv_ODT-Forge(A) negligible; Adv_ODT-Obl(A) negligible; Adv_ODT-Priv(A) negligible.
TEE-side overhead (<1 ms) and full handshake latency (≈144 ms for enclave client) support deployment in sensitive cyber-conflict and “protected asset” scenarios without observable device or channel signatures.

6. Formal Properties and Security Guarantees

Several AnonToken instantiations define and achieve:

Property	Construction	Proof/Bound
Anonymity	DAA, EPID, ARS, Quantum	Basename unlinkability, swap-test, group proofs
Unforgeability	DAA, ODT, Quantum	Group/TEE sig security, no-clone, ZK soundness
Auditability	ARS, EPID, AMR	Opener keys, credential opening, ZK traceability
Rate-limiting/linking	DAA (basenames)	ExtractTag collisions
Regulatory Recourse	KYC records (ARTeX), EPID opening	Lawful disclosure, optional key reveal

Specific claims such as “Adv_{A,wdr}^h ≤ 1/|AnomSet^h| + negl(λ)” (Le et al., 2020), “swap-test detection ≥2ε” (Gavinsky et al., 7 Oct 2025), and “binding-integrity by TEE+sig unforgeability” (Liskij et al., 5 Mar 2025) are detailed in their respective works.

7. Limitations, Trade-Offs, and Implementation Considerations

DAA/EPID techniques offer strong anonymity yet imposed computation and key-management requirements.
Decoy-based approaches (honeytokens) are not suited for public release with thousands of recipients; they require carefully curated auxiliary population data and utility impact analysis.
Quantum tokens require short-lived quantum storage but are verifiable purely classically and provide unconditional security under no-cloning.
ODTs require trusted execution hardware and still face residual side-channel risk.

Practical deployments (e.g., Ethereum contracts, BLE hardware) demonstrate acceptable performance within constraints documented above.

AnonTokens comprise a diverse family of cryptographic and system constructions uniting anonymity, unlinkability, and controlled accountability. Their design space includes classical group-credential primitives, quantum indistinguishability, privacy-preserving on-chain governance mechanisms, and adversarial detection via decoying. Each instantiation is tightly coupled with precise threat models and formal guarantees as documented in the cited corpus (Catarineu et al., 2018, Sato et al., 2020, Le et al., 2020, Hardjono et al., 2019, Antonatos et al., 2019, Bhat et al., 2021, Gavinsky et al., 7 Oct 2025, Liskij et al., 5 Mar 2025).