We need the proof to be unlinkable to Alice. We need an adversarial game which formally defines the hardness to violate privacy.
Given the protest pseudonym ($y$) which is derived from the blindly signed key $k$ using the PRF, Eve shouldn't be able to figure out who belongs to $y$. This probably follows from Camenisch's paper (see #27 ).
We need the proof to be unlinkable to Alice. We need an adversarial game which formally defines the hardness to violate privacy.
Given the protest pseudonym ($y$) which is derived from the blindly signed key $k$ using the PRF, Eve shouldn't be able to figure out who belongs to $y$. This probably follows from Camenisch's paper (see #27 ).