Revocation privacy is a security property in credential systems, particularly those using zero-knowledge proofs (ZKPs), that prevents an observer from learning which user's credential has been invalidated. In traditional systems, checking a revocation list (RL) or Certificate Revocation List (CRL) inherently reveals the identity of the revoked party to the verifier. Revocation privacy flips this model, allowing a verifier to confirm a credential is still valid without learning which credential from a set was presented, thereby protecting user anonymity.
LABS
Glossary
Revocation Privacy
Revocation privacy is a property of a credential revocation scheme that minimizes the information leaked about the credential holder or the credential itself during a status verification check.
Chainscore © 2026
definition
CRYPTOGRAPHY & ZK-PROOFS
What is Revocation Privacy?
A cryptographic property ensuring that the revocation of a credential or authorization does not reveal which specific user or entity was revoked.
The mechanism is crucial for privacy-preserving systems like anonymous credentials and zk-SNARKs-based identity. Common technical approaches include accumulator-based revocation, where all valid credentials are combined into a single cryptographic accumulator (e.g., a RSA accumulator or Merkle tree root). To prove validity, a user demonstrates their credential is a member of this accumulator. For revocation, the accumulator is updated to exclude the credential's unique witness, but the public accumulator value does not reveal which specific witness was removed.
Another prevalent method is the nullifier scheme, often used in zk-SNARKs applications like certain blockchain mixers. Here, each credential has a secret nullifier. When a user spends or revokes it, they publicly reveal a cryptographic hash of this nullifier. While the nullifier itself is published, it is cryptographically unlinkable to the original credential issuance, preserving privacy. The verifier simply checks the nullifier list for a match without knowing which user it corresponds to.
Implementing revocation privacy presents significant challenges, including maintaining system performance with large user sets and preventing double-spending or replay attacks. The computational overhead for updating accumulators or managing nullifier sets must be balanced with the need for real-time verification. Furthermore, these systems must be designed to resist griefing attacks where malicious users try to disrupt the revocation process for others.
Use cases for revocation privacy are found in decentralized identity (DID), private voting systems, access control, and anonymous payments. For example, a conference could issue anonymous attendance credentials that expire at the event's end via a private revocation, or a decentralized autonomous organization (DAO) could allow members to vote privately while ensuring banned members cannot cast ballots, all without exposing individual voter identities on-chain.
key-features
MECHANISMS
Key Features of Revocation Privacy
Revocation privacy refers to cryptographic techniques that allow a user to prove a credential is valid without revealing which specific credential from a set was used, enabling the revocation of compromised credentials without compromising user anonymity.
01
Zero-Knowledge Accumulators
A core cryptographic primitive for private revocation. Instead of a public list of revoked credentials, a cryptographic accumulator (like a RSA accumulator or Merkle tree) holds all valid credentials. A user proves their credential is in this set without revealing which one, using a zero-knowledge proof. Revocation updates the accumulator to exclude the credential, invalidating future proofs without identifying the user.
02
Non-Revocation Proofs
The user-generated proof that demonstrates a credential is still valid. This is a zero-knowledge proof (ZKP) that convinces a verifier of two things:
- The user possesses a valid credential.
- That credential's serial number or secret is not contained within the current revocation accumulator. The proof reveals nothing about the credential's identity, maintaining unlinkability across transactions.
03
Unlinkability
A critical privacy property ensured by proper revocation schemes. Multiple presentations (proofs) of the same credential by a user cannot be linked together by verifiers or observers. Even if a credential is later revoked, the issuer cannot retroactively identify which past transactions were made by the holder of that credential. This prevents transaction graph analysis and profiling.
04
Selective Disclosure
Revocation privacy often operates alongside this broader credential feature. A user can prove specific attributes from a credential (e.g., "I am over 21") without revealing the entire credential or a unique identifier. Private revocation ensures that even this minimal disclosure does not become a tracking vector if the underlying credential must be revoked later.
05
Epoch-Based Updates
A common implementation pattern to manage system overhead. Revocation status is updated at regular intervals (epochs). The issuer publishes a new cryptographic accumulator for each epoch. Users must provide a non-revocation proof relative to the latest epoch. This batches updates, improving efficiency, but requires users to stay synchronized with the current epoch to generate valid proofs.
06
Contrast with Certificate Revocation Lists (CRLs)
Highlights the privacy advancement. Traditional systems like CRLs or OCSP require checking a public list of revoked serial numbers, which inherently links the credential being checked to a specific identity. Private revocation cryptographically separates the act of proving validity from the act of checking a blacklist, eliminating this privacy leak.
how-it-works
MECHANISM
How Does Revocation Privacy Work?
Revocation privacy is a cryptographic technique that allows a user to prove a credential is still valid without revealing which specific credential was checked, thereby concealing their activity from the issuer and verifier.
At its core, revocation privacy addresses a key weakness in traditional digital credential systems: the revocation check. When you prove you have a valid driver's license, the verifier typically needs to contact the issuing authority (e.g., the DMV) to confirm it hasn't been revoked. This check creates a privacy leak, revealing your identity, the time of the check, and the context to both the issuer and verifier. Revocation privacy mechanisms, such as accumulators and zero-knowledge proofs (ZKPs), break this link.
A common implementation uses a cryptographic accumulator, like a RSA accumulator or Merkle tree, maintained by the issuer. This accumulator aggregates the valid, non-revoked credentials into a single, short value. The issuer publishes this value and, crucially, provides each user with a witness—a cryptographic proof that their specific credential is included in the set of valid ones. When a user needs to prove their credential is valid, they use a zero-knowledge proof to demonstrate two things: 1) they possess a valid credential, and 2) they possess a valid witness for that credential, without revealing the credential or witness itself.
This process effectively separates the act of verification from the identity of the verifier. The issuer only sees updates to the global accumulator (e.g., when a credential is revoked), not individual verification requests. The verifier only learns that the prover holds some valid credential from the issuer, not which one. This model is essential for privacy-preserving systems like anonymous credentials, zk-SNARKs-based identity, and decentralized attestations, where minimizing trust and data exposure is paramount.
examples
REVOCATION PRIVACY
Examples & Implementations
Revocation privacy mechanisms are implemented through cryptographic protocols that allow a user to prove a credential is valid without revealing its unique identifier, enabling selective disclosure and efficient, private revocation checks.
03
Dynamic Accumulators
A specialized accumulator where elements (credential identifiers) can be dynamically added and removed by an authority without re-issuing the entire structure. The accumulator's witness (proof of membership/non-membership) must be updated for non-revoked holders. This provides a scalable, privacy-preserving revocation check, as the verifier only sees the current accumulator value and a proof from the prover.
05
zk-SNARKs & zk-STARKs
General-purpose zero-knowledge proof systems (zk-SNARKs, zk-STARKs) can be used to construct sophisticated revocation privacy schemes. The entire logic of "credential is valid AND identifier is not in the revocation set" is compiled into a circuit. The prover generates a proof of this statement, which the verifier checks. This offers maximal flexibility and privacy but can have higher computational overhead.
06
Smart Contract Registries
A common implementation pattern where a smart contract on a blockchain (e.g., Ethereum) acts as the revocation registry. It stores hashes or commitments of revoked credentials. The privacy-preserving check occurs off-chain: the prover generates a zero-knowledge proof that their credential's commitment is not in the contract's storage. The verifier checks the proof and the contract's current state, ensuring decentralized and tamper-proof revocation without on-chain privacy leaks.
COMPARISON
Revocation Privacy vs. Traditional Methods
A technical comparison of privacy-preserving credential revocation mechanisms against traditional certificate revocation list (CRL) and online certificate status protocol (OCSP) methods.
| Feature / Metric | Traditional CRL/OCSP | Zero-Knowledge Accumulators | Blockchain-Based Registries |
|---|---|---|---|
Privacy Leakage | Reveals specific credential ID and reason | Reveals credential status to verifier | |
Verifier Knowledge | Learns credential was revoked | Learns only that credential is valid (non-revoked) | Learns credential status |
Proof Size | N/A (direct query) | < 1 KB | ~200-500 bytes |
Verification Latency | 100-500 ms (network dependent) | < 50 ms (local computation) | 2-15 sec (blockchain confirmation) |
Revocation Authority Role | Centralized issuer | Issuer updates private accumulator | Issuer posts public transaction |
Trust Assumptions | Issuer availability and honesty | Cryptographic security of accumulator | Blockchain consensus security |
Offline Verification | |||
Scalability (10M users) | High server load, large CRLs | Constant-size accumulator proof | High on-chain gas costs |
security-considerations
REVOCATION PRIVACY
Security & Privacy Considerations
Revocation privacy refers to the ability to invalidate credentials or permissions without revealing sensitive information about the holder or the context of the revocation.
01
The Privacy Leak in Simple Revocation
A naive revocation check, like querying a public revocation registry, inherently leaks privacy. It reveals to the verifier that the holder is interacting with a specific issuer and that the credential in question is subject to revocation, which can be sensitive metadata itself.
02
Zero-Knowledge Proofs for Revocation
The core privacy-preserving technique. Instead of revealing a credential's ID, the prover generates a zero-knowledge proof (ZKP) that cryptographically demonstrates:
- The credential is valid and signed by the issuer.
- The credential's unique identifier is not present on the issuer's current revocation list. This reveals nothing about the identifier or its status history.
03
Accumulator-Based Schemes
A common cryptographic construction for private revocation. The issuer maintains a cryptographic accumulator (e.g., a RSA or bilinear-map based accumulator) representing the set of valid (non-revoked) credentials. Holders prove membership in this accumulator via a ZKP. Revocation updates the accumulator, requiring valid holders to update a witness, but the proof itself reveals no identifying information.
04
Revocation Transparency & Auditing
While the act of proving non-revocation is private, the system's integrity must be auditable. Revocation transparency logs (inspired by Certificate Transparency) can provide a public, append-only record of all revocation events. This allows auditors and holders to verify that issuers are not revoking credentials arbitrarily or maliciously, without compromising individual privacy during verification.
05
Trade-offs: Privacy vs. Performance
Strong revocation privacy involves computational and communication overhead.
- Proof Size & Complexity: ZKPs for accumulator membership are larger than a simple status check.
- Witness Updates: Holders must periodically fetch updated witnesses from the issuer or a public service, creating a liveness dependency.
- Choice of Scheme: Dynamic accumulators allow efficient updates but may have larger proofs. Sparse Merkle Trees offer different trade-offs in proof size and update frequency.
technical-details
CREDENTIAL SECURITY
Revocation Privacy
Revocation privacy is a cryptographic property of a credential system that allows an issuer to revoke a credential without revealing which specific credential holder is being revoked during a verification check.
In traditional digital credential systems, checking if a credential like a driver's license or membership card is still valid often requires the verifier to query a central revocation list (e.g., a CRL). This process inherently leaks privacy, as the verifier learns the unique identifier of the credential being checked. Revocation privacy solves this by enabling a zero-knowledge proof that a credential is not on the revocation list, without disclosing any identifying information about the credential or its holder. This is a critical component for privacy-preserving systems like anonymous credentials and verifiable credentials.
Common technical mechanisms for achieving revocation privacy include accumulator-based schemes and cryptographic nullifiers. In an accumulator scheme (e.g., RSA or Merkle tree accumulators), all valid credentials are combined into a single, short cryptographic value. To prove non-revocation, the holder demonstrates knowledge of a secret witness that their credential is included in this accumulator. The verifier only sees the public accumulator and the proof, learning nothing about other credentials. Revocation occurs when the issuer updates the accumulator to exclude the revoked credential's witness.
Another approach uses nullifiers, often linked to the credential's unique secret. Here, revocation is managed by having the holder publish a nullifier—a one-way function of their secret—to a public ledger when they use the credential. To check for revocation, a verifier simply scans this public list for the nullifier. While the nullifier itself doesn't reveal the holder's identity, sophisticated schemes like semaphore or zk-SNARKs-based systems can unlink multiple uses of the same credential, preserving privacy across sessions while enabling public, non-interactive revocation checks.
The implementation of revocation privacy presents significant trade-offs. Accumulator schemes require the issuer to maintain and periodically update the accumulator state, which can create availability and synchronization challenges. Nullifier-based approaches shift the burden to a public transparency log, which must be consistently available to verifiers. Both methods must also guard against griefing attacks, where a malicious actor falsely claims a credential is revoked, and ensure the system scales efficiently as the number of revoked credentials grows into the millions.
Revocation privacy is essential for real-world adoption of privacy-focused credentials in domains like age verification, access control, and selective disclosure of attributes. For instance, proving you are over 21 without revealing your birthdate or a persistent identifier requires a credential that can be checked for validity in a privacy-preserving manner. Without robust revocation privacy, these systems would either compromise user anonymity or lack a practical mechanism to invalidate lost, stolen, or expired credentials, undermining their security and utility.
REVOCATION PRIVACY
Common Misconceptions
Clarifying widespread misunderstandings about how private data is managed when credentials or permissions are revoked on-chain.
No, the act of revocation itself is typically a public on-chain transaction, but the specific credential or data being revoked can remain private. Revocation mechanisms like revocation registries or accumulators allow a verifier to check a credential's status against a public list without revealing which specific credential is being validated. The privacy risk is correlation: if a user presents the same zero-knowledge proof to multiple verifiers who check the same public registry, those verifiers can infer they are interacting with the same user.
REVOCATION PRIVACY
Frequently Asked Questions
Revocation privacy refers to the cryptographic techniques that allow a user to prove a credential is valid without revealing its unique identifier, preventing tracking across different interactions.
Revocation privacy is the property of a credential system where a user can prove their credential (like a driver's license or membership card) is still valid without revealing the credential's unique serial number or identifier. This is critically important because without it, every time you use a credential, you leak a persistent identifier that can be linked across different services, creating a detailed profile of your activities. It prevents tracking, profiling, and correlation of user actions, which are fundamental privacy violations. In blockchain-based identity systems like those using Verifiable Credentials (VCs), achieving revocation privacy is a key challenge that separates basic implementations from those offering true user-centric data control.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall