Anonyma: anonymous invitation-only registration in malicious adversarial model

Abstract

In invitation-based systems, a new user can register only after obtaining a threshold number of invitations from existing members. The newcomer submits these invitations to the system administrator, who verifies their legitimacy. In doing so, the administrator inevitably learns who invited whom. This inviter–invitee relationship is itself privacy-sensitive information, since knowledge of it can enable inference attacks in which an invitee’s profile (e.g., political views or location) is deduced from the profiles of their inviters. To address this problem, we propose (Formula presented), an anonymous invitation-based system in which even a corrupted administrator, colluding with a subset of members, cannot determine inviter–invitee relationships. We formally define the notions of inviter anonymity and invitation unforgeability, and provide formal proofs that (Formula presented) achieves both against a malicious and adaptive adversary. Our design ensures constant cost for authenticating new registrations, unlike existing approaches where invitation generation and verification incur overhead linear in the total number of members. Moreover, (Formula presented) scales efficiently: once a user joins, the administrator can immediately issue credentials enabling the newcomer to act as an inviter without re-keying existing members. We also design (Formula presented), a cross-network extension that supports anonymous third-party authentication, allowing invitations issued in one system to be used for registration in another.