Existing anonymous credentials (ACs) suffer from three critical deficiencies in decentralized settings: (1) issuer identity leakage compromises context privacy; (2) rigid credential models undermine user autonomy; and (3) fragile revocation mechanisms lack sufficient attribute hiding, violating the GDPR’s data minimization principle. To address these, we propose IRAC—the first privacy-preserving authentication system supporting issuer anonymity, strong attribute hiding, and cross-heterogeneous-issuer credential aggregation. Its core innovations are a flexible credential model and a decentralized gap-based revocation mechanism, integrated with padding-based vector commitments, zk-SNARKs, and a distributed verification protocol. We provide rigorous formal security proofs under standard cryptographic assumptions. Evaluation shows practical presentation latency of approximately one second, demonstrating both theoretical soundness and engineering feasibility.

Anonymous credentials (ACs) are a crucial cryptographic tool for privacy-preserving authentication in decentralized networks, allowing holders to prove eligibility without revealing their identity. However, a major limitation of standard ACs is the disclosure of the issuer's identity, which can leak sensitive contextual information about the holder. Issuer-hiding ACs address this by making a credential's origin indistinguishable among a set of approved issuers. Despite this advancement, existing solutions suffer from practical limitations that hinder their deployment in decentralized environments: unflexible credential models that restrict issuer and holder autonomy, flawed revocation mechanisms that compromise security, and weak attribute hiding that fails to meet data minimization principles. This paper introduces a new scheme called IRAC to overcome these challenges. We propose a flexible credential model that employs vector commitments with a padding strategy to unify credentials from heterogeneous issuers, enabling privacy-preserving authentication without enforcing a global static attribute set or verifier-defined policies. Furthermore, we design a secure decentralized revocation mechanism where holders prove non-revocation by demonstrating their credential's hash lies within a gap in the issuer's sorted revocation list, effectively decoupling revocation checks from verifier policies while maintaining issuer anonymity. IRAC also strengthens attribute hiding by utilizing zk-SNARKs and vector commitments, allowing holders to prove statements about their attributes without disclosing the attributes themselves or the credential structure. Security analysis and performance evaluations demonstrate its practical feasibility for decentralized networks, where presenting a credential can be finished in 1s.