An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation

2001 | Jan Camenisch and Anna Lysyanskaya
This paper proposes an efficient anonymous credential system based on the strong RSA assumption and the decisional Diffie-Hellman assumption modulo a safe prime product. The system offers several novel features and improvements over existing systems:

1. **Unlinkable Credential Demonstration**: Users can unlinkably demonstrate possession of a credential multiple times without involving the issuing organization.
2. **Optional Anonymity Revocation**: The scheme includes optional features for revoking anonymity for particular transactions, enhancing security.
3. **Separability**: All organizations can choose their cryptographic keys independently, ensuring key management flexibility.
4. **All-or-nothing Non-transferability**: Credentials can be shared only in such a way that a user who shares one credential must share all of their credentials, preventing misuse.

The paper also introduces a new primitive called *circular encryption*, which is used to implement all-or-nothing non-transferability. This primitive is based on the random oracle model and is of independent interest. Additionally, the system supports one-show credentials with an offline double-spending test, ensuring that credentials cannot be used more than once without revealing the user's identity.

The authors provide formal definitions and security proofs for the system, demonstrating its correctness and security under the specified cryptographic assumptions. The system is designed to be practical, with efficient communication and computation costs, making it suitable for real-world applications.