Designated Verifier Proofs and Their Applications

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1070)


For many proofs of knowledge it is important that only the verifier designated by the confirmer can obtain any conviction of the correctness of the proof. A good example of such a situation is for undeniable signatures, where the confirmer of a signature wants to make sure that only the intended verifier(s) in fact can be convinced about the validity or invalidity of the signature.

Generally, authentication of messages and off-the-record messages are in conflict with each other. We show how, using designation of verifiers, these notions can be combined, allowing authenticated but private conversations to take place. Our solution guarantees that only the specified verifier can be convinced by the proof, even if he shares all his secret information with entities that want to get convinced.

Our solution is based on trap-door commitments [4], allowing the designated verifier to open up commitments in any way he wants. We demonstrate how a trap-door commitment scheme can be used to construct designated verifier proofs, both interactive and non-interactive. We exemplify the verifier designation method for the confirmation protocol for undeniable signatures.
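
The trap-door property the abstract relies on, as an added example that is not code from the paper: a discrete-log commitment c = g^w · y^r mod p is assumed here as one standard instantiation, in which the holder of the trapdoor x (with y = g^x) can open c to any value. The toy group parameters, the function names and the choice of scheme are assumptions made for illustration.

```python
import secrets

# Toy parameters, constructed for illustration and far too small for real use:
# P = 2Q + 1 is a safe prime and G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4


def keygen():
    """Designated verifier's key pair: trapdoor x and public key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1          # x in [1, Q-1], invertible mod Q
    return x, pow(G, x, P)


def commit(y, w, r):
    """Commit to w under the verifier's public key: c = g^w * y^r mod p."""
    return (pow(G, w, P) * pow(y, r, P)) % P


def open_ok(y, c, w, r):
    """Check that (w, r) is a valid opening of commitment c."""
    return c == commit(y, w % Q, r % Q)


def equivocate(x, w, r, w_new):
    """Use trapdoor x to find r_new so that (w_new, r_new) opens the same c.

    g^w * y^r = g^(w + x*r), so solve w + x*r = w_new + x*r_new (mod Q).
    """
    return (r + (w - w_new) * pow(x, -1, Q)) % Q


def demo():
    """Return (honest opening valid, trapdoor re-opening valid)."""
    x, y = keygen()
    w, r = secrets.randbelow(Q), secrets.randbelow(Q)
    c = commit(y, w, r)
    w_new = (w + 1) % Q                       # a different committed value
    r_new = equivocate(x, w, r, w_new)
    return open_ok(y, c, w, r), open_ok(y, c, w_new, r_new)


if __name__ == "__main__":
    print(demo())
```

Because the key holder can produce a valid opening for any value, a transcript containing such a commitment and its opening carries no weight for a third party, even one who is handed the trapdoor.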


Keywords: Commitment Scheme, Logical Entity, Computational Entity, Undeniable Signature, Zero Knowledge Proof


References

  1. M. Bellare, S. Goldwasser, “New Paradigms for Digital Signatures and Message Authentication Based on Non-Interactive Zero Knowledge Proofs,” Crypto ’89, pp. 194–211.
  2. M. Bellare, S. Micali, “How to Sign Given Any Trapdoor Function,” 20th Annual STOC, 1988, pp. 32–42.
  3. J.C. Benaloh, D. Tuinstra, “Receipt-Free Secret-Ballot Elections,” 26th Annual STOC, 1994, pp. 544–553.
  4. G. Brassard, D. Chaum, C. Crépeau, “Minimum Disclosure Proofs of Knowledge,” Journal of Computer and System Sciences, Vol. 37, No. 2, Oct. 1988, pp. 156–189.
  5. D. Chaum, H. van Antwerpen, “Undeniable Signatures,” Crypto ’89, pp. 212–216.
  6. D. Chaum, “Zero-Knowledge Undeniable Signatures,” Eurocrypt ’90, pp. 458–464.
  7. D. Chaum, E. van Heijst, B. Pfitzmann, “Cryptographically Strong Undeniable Signatures, Unconditionally Secure for the Signer,” Crypto ’91, pp. 470–484.
  8. D. Chaum, personal communication.
  9. I. Damgård, personal communication.
  10. Y. Desmedt, C. Goutier, S. Bengio, “Special Uses and Abuses of the Fiat-Shamir Passport Protocol,” Crypto ’87, pp. 21–39.
  11. Y. Desmedt, M. Yung, “Weaknesses with Undeniable Signature Schemes,” Eurocrypt ’91, pp. 205–220.
  12. W. Diffie, M.E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, v. IT-22, n. 6, Nov 1976, pp. 644–654.
  13. D. Dolev, C. Dwork, M. Naor, “Non-Malleable Cryptography,” 23rd Annual STOC, 1991, pp. 542–552.
  14. T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithm,” IEEE IT 31 (1985), pp. 469–472.
  15. S. Even, O. Goldreich, S. Micali, “On-Line/Off-Line Digital Signatures,” Crypto ’89, pp. 263–275.
  16. U. Feige, A. Fiat, A. Shamir, “Zero Knowledge Proofs of Identity,” Proceedings of the 19th annual ACM Symposium on Theory of Computing, pp. 210–217.
  17. U. Feige, A. Shamir, “Witness Indistinguishable and Witness Hiding Protocols,” 22nd Annual STOC, 1990, pp. 416–426.
  18. A. Fiat, A. Shamir, “How to prove yourself; practical solution to identification and signature problems,” Crypto ’86, pp. 186–194.
  19. Z. Galil, S. Haber, M. Yung, “Symmetric Public-Key Cryptosystems,” submitted to J. of Cryptology.
  20. S. Goldwasser, S. Micali, “Probabilistic Encryption & How To Play Mental Poker Keeping Secret All Partial Information,” Proceedings of the 18th ACM Symposium on the Theory of Computing, 1982, pp. 270–299.
  21. O. Goldreich, S. Micali, A. Wigderson, “Proofs that Yield Nothing but their Validity or All Languages in NP Have Zero-Knowledge Proof Systems,” Journal of the ACM, vol. 38, n. 1, 1991, pp. 691–729.
  22. M. Jakobsson, “Blackmailing using Undeniable Signatures,” Eurocrypt ’94, pp. 425–427.
  23. R.C. Merkle, “Secure Communication over Insecure Channels,” Communications of the ACM, v. 21, n. 4, 1978, pp. 294–299.
  24. R. Merkle, “A Certified Digital Signature,” Crypto ’89, pp. 218–238.
  25. S. Micali, A. Shamir, “An Improvement of the Fiat-Shamir Identification and Signature Scheme,” Crypto ’88, pp. 244–247.
  26. M. Naor, M. Yung, “Universal One-Way Hash Functions and their Cryptographic Application,” 21st Annual STOC, 1989, pp. 33–43.
  27. T. Okamoto, K. Ohta, “Divertible Zero-Knowledge Interactive Proofs and Commutative Random Self-Reducibility,” Eurocrypt ’89, pp. 134–149.
  28. T. Okamoto, K. Ohta, “How to Utilize Randomness of Zero-Knowledge Proofs,” Crypto ’90, pp. 456–475.
  29. H. Ong, C. P. Schnorr, “Fast signature generation with a Fiat-Shamir like scheme,” Eurocrypt ’90, pp. 432–440.
  30. T. Pedersen, “Distributed Provers with Applications to Undeniable Signatures,” Eurocrypt ’91, pp. 221–238.
  31. J.-J. Quisquater, L.S. Guillou, “A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory,” Eurocrypt ’88, pp. 123–128.
  32. C. Rackoff, D. Simon, “Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack,” Crypto ’91, pp. 433–444.
  33. R. Rivest, A. Shamir, L. Adleman, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” Communications of the ACM, v. 21, n. 2, Feb 1978, pp. 120–126.
  34. K. Sako, J. Kilian, “Receipt-Free Mix-Type Voting Scheme,” Eurocrypt ’95, pp. 393–403.
  35. A. Yao, “Protocols for Secure Computations,” Proceedings of the 23rd FOCS, 1982, pp. 160–164.

Copyright information

© Springer-Verlag Berlin Heidelberg 1996

Authors and Affiliations

  1. Department of Computer Science and Engineering, University of California, San Diego, La Jolla
  2. NEC Corporation, Kawasaki, Japan
