Lox uses Chase et al.'s keyed-verification algebraic MAC anonymous credentials in a single-issuer/verifier setting with jointly-chosen credential IDs (neither party can unilaterally select them), so a fully compromised Lox Authority cannot link credential showings to specific users or reconstruct the social graph — the LA learns only that a shown credential was authentically issued.
From 2023-tulloch-lox — Lox: Protecting the Social Graph in Bridge Distribution
· §3.1, §4.2
· 2023
· Privacy Enhancing Technologies
Implications
Design bridge distribution servers so that the credential issuer cannot link successive credential presentations to the same user — unlinkable one-show credentials prevent server compromise from exposing social graphs to a censor.
Use jointly-chosen credential IDs (neither server-only nor client-only random nonces) so neither party can unilaterally track identities across sessions, even in the event of server seizure.