Anonymous authentication apparently seems to be an oxymoron, since authentication is the task of proving one’s identity to another party and anonymity is concerned with hiding one’s identity. However, there are quite different constructions like ring [5] and group signatures [1] to solve this task. We are focusing on anonymous authentication protocols using public-key encryption schemes as their underlying building block, which, in contrast to the aforementioned, do receive only little attention. However, such anonymous authentication protocols are much simpler than other constructions and they can provide significant advantages over the aforementioned approaches. Firstly, they are fully compatible with deployed public-key infrastructures (PKIs) and thus can be adopted very easily. Secondly, such schemes enjoy an “ad-hoc” character and thus do not require involved registration or setup procedures. This is especially advantageous in dynamic environments, e.g. when users dynamically join and leave the group of authorized users. In this context existing primitives like group signatures to date lack of an efficient and practical solution. Furthermore, the “ad-hoc” character of these schemes allows users to flexibly choose their level of anonymity, i.e. the size of the group (anonymity set), for the sake of improved efficiency and additionally do not suffer from linear complexity such as ring signatures.