# Designated Verifier Proofs and Their Applications

## Abstract

For many proofs of knowledge it is important that only *the verifier designated by the confirmer* can obtain any conviction of the correctness of the proof. A good example of such a situation is undeniable signatures, where the confirmer of a signature wants to make sure that only the intended verifier(s) can in fact be convinced of the validity or invalidity of the signature.

Generally, authentication of messages and off-the-record messages are in conflict with each other. We show how, using designation of verifiers, these notions can be combined, allowing authenticated but private conversations to take place. Our solution guarantees that *only* the specified verifier can be convinced by the proof, even if he shares all his secret information with entities that want to get convinced.

Our solution is based on *trap-door commitments* [4], allowing the designated verifier to open up commitments in any way he wants. We demonstrate how a trap-door commitment scheme can be used to construct designated verifier proofs, both interactive and non-interactive. We exemplify the verifier designation method for the confirmation protocol for undeniable signatures.
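To make the mechanism in the abstract concrete, here is an added toy sketch (not the paper's protocol or code) of a non-interactive designated verifier proof: a Schnorr-style proof of knowledge of Alice's secret key whose Fiat-Shamir challenge is bound to a Pedersen-style trap-door commitment under Bob's public key, so that Bob, holding the trapdoor x_B, can re-open the commitment and forge an accepting transcript without Alice's key. The group parameters, the commitment form, and the function names are constructed for this illustration.

```python
import hashlib
import secrets

# Constructed toy group: safe prime p = 2q + 1, g = 4 generates the order-q subgroup.
# Parameters this small are for illustration only.
P, Q, G = 2039, 1019, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1

def keygen():
    x = rand_exp()
    return x, pow(G, x, P)

def commit(w, r, y_b):
    """Trap-door commitment to w under Bob's key: c = g^w * y_B^r (trapdoor x_B = log_g y_B)."""
    return pow(G, w, P) * pow(y_b, r, P) % P

def trapdoor_open(w, r, new_w, x_b):
    """With x_B, re-open (w, r) to any new_w: return r' with g^w y_B^r == g^new_w y_B^r'."""
    return (r + (w - new_w) * pow(x_b, -1, Q)) % Q

def challenge(c, t_pub):
    """Fiat-Shamir challenge binding the commitment and the Schnorr first message."""
    return int.from_bytes(hashlib.sha256(f"{c}|{t_pub}".encode()).digest(), "big") % Q

def prove(x_a, y_b):
    """Alice proves knowledge of x_A; the challenge is tied to a commitment only Bob can equivocate."""
    w, r, t = rand_exp(), rand_exp(), rand_exp()
    c = commit(w, r, y_b)
    t_pub = pow(G, t, P)
    z = (t + x_a * (w + challenge(c, t_pub))) % Q
    return (w, r, t_pub, z)

def verify(proof, y_a, y_b):
    w, r, t_pub, z = proof
    h = challenge(commit(w, r, y_b), t_pub)
    return pow(G, z, P) == t_pub * pow(y_a, (w + h) % Q, P) % P

def simulate(x_b, y_a, y_b):
    """Bob builds an accepting proof without x_A, so his transcripts convince no third party."""
    a, b, z, beta = rand_exp(), rand_exp(), rand_exp(), rand_exp()
    c = commit(a, b, y_b)                                  # random commitment Bob can re-open
    t_pub = pow(G, z, P) * pow(y_a, (-beta) % Q, P) % P   # g^z / y_A^beta
    w = (beta - challenge(c, t_pub)) % Q                   # force w + h == beta
    r = trapdoor_open(a, b, w, x_b)                        # open c to that w using x_B
    return (w, r, t_pub, z)
```

Because `simulate` produces transcripts with the same distribution as `prove`, a proof shown by Bob to anyone else (even together with x_B) carries no conviction, which is exactly the designation property the abstract describes.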

## Keywords

Commitment Scheme, Logical Entity, Computational Entity, Undeniable Signature, Zero Knowledge Proof

## References

1. M. Bellare, S. Goldwasser, “New Paradigms for Digital Signatures and Message Authentication Based on Non-Interactive Zero Knowledge Proofs,” Crypto '89, pp. 194–211.
2. M. Bellare, S. Micali, “How to Sign Given Any Trapdoor Function,” 20th Annual STOC, 1988, pp. 32–42.
3. J.C. Benaloh, D. Tuinstra, “Receipt-Free Secret-Ballot Elections,” 26th Annual STOC, 1994, pp. 544–553.
4. G. Brassard, D. Chaum, C. Crépeau, “Minimum Disclosure Proofs of Knowledge,” Journal of Computer and System Sciences, Vol. 37, No. 2, Oct. 1988, pp. 156–189.
5. D. Chaum, H. van Antwerpen, “Undeniable Signatures,” Crypto '89, pp. 212–216.
6. D. Chaum, “Zero-Knowledge Undeniable Signatures,” Eurocrypt '90, pp. 458–464.
7. D. Chaum, E. van Heijst, B. Pfitzmann, “Cryptographically Strong Undeniable Signatures, Unconditionally Secure for the Signer,” Crypto '91, pp. 470–484.
8. D. Chaum, personal communication.
9. I. Damgård, personal communication.
10. Y. Desmedt, C. Goutier, S. Bengio, “Special Uses and Abuses of the Fiat-Shamir Passport Protocol,” Crypto '87, pp. 21–39.
11. Y. Desmedt, M. Yung, “Weaknesses with Undeniable Signature Schemes,” Eurocrypt '91, pp. 205–220.
12. W. Diffie, M.E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, v. IT-22, n. 6, Nov 1976, pp. 644–654.
13. D. Dolev, C. Dwork, M. Naor, “Non-Malleable Cryptography,” 23rd Annual STOC, 1991, pp. 542–552.
14. T. ElGamal, “A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms,” IEEE Transactions on Information Theory, v. IT-31, 1985, pp. 469–472.
15. S. Even, O. Goldreich, S. Micali, “On-Line/Off-Line Digital Signatures,” Crypto '89, pp. 263–275.
16. U. Feige, A. Fiat, A. Shamir, “Zero Knowledge Proofs of Identity,” 19th Annual STOC, pp. 210–217.
17. U. Feige, A. Shamir, “Witness Indistinguishable and Witness Hiding Protocols,” 22nd Annual STOC, 1990, pp. 416–426.
18. A. Fiat, A. Shamir, “How to Prove Yourself: Practical Solutions to Identification and Signature Problems,” Crypto '86, pp. 186–194.
19. Z. Galil, S. Haber, M. Yung, “Symmetric Public-Key Cryptosystems,” submitted to J. of Cryptology.
20. S. Goldwasser, S. Micali, “Probabilistic Encryption & How To Play Mental Poker Keeping Secret All Partial Information,” Proceedings of the 18th ACM Symposium on the Theory of Computing, 1982, pp. 270–299.
21. O. Goldreich, S. Micali, A. Wigderson, “Proofs that Yield Nothing but their Validity or All Languages in NP Have Zero-Knowledge Proof Systems,” Journal of the ACM, vol. 38, n. 1, 1991, pp. 691–729.
22. M. Jakobsson, “Blackmailing using Undeniable Signatures,” Eurocrypt '94, pp. 425–427.
23. R.C. Merkle, “Secure Communication over Insecure Channels,” Communications of the ACM, v. 21, n. 4, 1978, pp. 294–299.
24. R. Merkle, “A Certified Digital Signature,” Crypto '89, pp. 218–238.
25. S. Micali, A. Shamir, “An Improvement of the Fiat-Shamir Identification and Signature Scheme,” Crypto '88, pp. 244–247.
26. M. Naor, M. Yung, “Universal One-Way Hash Functions and their Cryptographic Application,” 21st Annual STOC, 1989, pp. 33–43.
27. T. Okamoto, K. Ohta, “Divertible Zero-Knowledge Interactive Proofs and Commutative Random Self-Reducibility,” Eurocrypt '89, pp. 134–149.
28. T. Okamoto, K. Ohta, “How to Utilize Randomness of Zero-Knowledge Proofs,” Crypto '90, pp. 456–475.
29. H. Ong, C.P. Schnorr, “Fast Signature Generation with a Fiat-Shamir Like Scheme,” Eurocrypt '90, pp. 432–440.
30. T. Pedersen, “Distributed Provers with Applications to Undeniable Signatures,” Eurocrypt '91, pp. 221–238.
31. J.-J. Quisquater, L.S. Guillou, “A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory,” Eurocrypt '88, pp. 123–128.
32. C. Rackoff, D. Simon, “Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack,” Crypto '91, pp. 433–444.
33. R. Rivest, A. Shamir, L. Adleman, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” Communications of the ACM, v. 21, n. 2, Feb 1978, pp. 120–126.
34. K. Sako, J. Kilian, “Receipt-Free Mix-Type Voting Scheme,” Eurocrypt '95, pp. 393–403.
35. A. Yao, “Protocols for Secure Computations,” Proceedings of the 23rd FOCS, 1982, pp. 160–164.