Direct Anonymous Attestation with Dependent Basename Opening

We introduce a new privacy-friendly cryptographic primitive that we call Direct Anonymous Attestations with Dependent Basename Opening (DAA-DBO). Such a primitive is a Direct Anonymous Attestation in which anonymity can be revoked only if a specific authority, called the admitter, has allowed revocation for the DAA signatures that include a specific basename. We also present an efficient scheme that achieves this functionality and is secure in the random oracle model. Furthermore, we provide a prototype implementation of an anonymous transit pass system based on this new primitive. Compared to previous privacy-friendly cryptographic primitives with partial linkability, we provide a way to share the power to open signatures between two entities that is more practical than conventional techniques from threshold cryptography.