Distance-Bounding Protocols

Extended abstract
  • Stefan Brands
  • David Chaum
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 765)


It is often the case in applications of cryptographic protocols that one party would like to determine a practical upper bound on the physical distance to the other party. For instance, when a person conducts a cryptographic identification protocol at an entrance to a building, the access control computer in the building would like to be assured that the person giving the responses is no more than a few meters away.

The “distance bounding” technique we introduce solves this problem by timing the delay between sending out a challenge bit and receiving back the corresponding response bit. It can be integrated into common identification protocols. The technique can also be applied in the three-party setting of “wallets with observers” in such a way that the intermediary party can prevent the other two from exchanging information, or even developing common coinflips.


Keywords: Signature Scheme; Commitment Scheme; Probabilistic Encryption; Subliminal Channel; Mafia Fraud
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© Springer-Verlag Berlin Heidelberg 1994

Authors and Affiliations

  • Stefan Brands (1)
  • David Chaum (2)
  1. CWI, Amsterdam
  2. CWI & DigiCash, Amsterdam
