ZeroKnowledge Nominative Signatures
4. Confirmation (Conf(nominee third party)):
Conf(nominee third party) is an interactive proof between nominee and the
third party, which, on common input strings $1^n$, $m$, $s$ (the presumed
signature of $m$), nominator's public-key $\in G2_{\mathrm{nominator}}(1^n)$, and
nominee's public key $\in G2_{\mathrm{nominee}}(1^n)$, outputs either 1 ("true") or
0 ("false"). Here, nominee is the prover with an auxiliary input, nominee's
secret-key $\in G1_{\mathrm{nominee}}(1^n)$, and the third party is the verifier. For
all $m$, for any constant $c$, and for sufficiently large $n$,
$\Pr(\mathrm{Conf}(\text{nominee third party})(1^n, m, s, G2_{\mathrm{nominator}}(1^n), G2_{\mathrm{nominee}}(1^n)) = 1) > 1 - 1/n^c$,
if $s = PS(m)$, and
$\Pr(\mathrm{Conf}(\text{nominee third party})(1^n, m, s, G2_{\mathrm{nominator}}(1^n), G2_{\mathrm{nominee}}(1^n)) = 0) > 1 - 1/n^c$,
otherwise.
The probability is taken over the coin tosses of nominee and the third
party.
[15] Schnorr, C.P., "Efficient Signature Generation for Smart Cards", Proc. of
Crypto'89.
[16] Schnorr, C.P., "Efficient Signature Generation for Smart Cards", Journal
of Cryptology, v.4, n.3, 1991.
Appendix
The first version of formal definition of nominative signatures.
Definition. A "nominative signature" scheme is ($G_{\mathrm{nominator}}$(signer), $G_{\mathrm{nominee}}$(verifier),
Sign, Verify, Conf(nominee third party)) such that the following conditions hold:
1. Key generation ($G_{\mathrm{nominator}}$, $G_{\mathrm{nominee}}$):
(a) $G_{\mathrm{nominator}}$ is a probabilistic poly-time algorithm which, on input $1^n$
(the security parameter), outputs a pair of strings, (nominator's
secret-key, nominator's public-key), which is denoted by
$G_{\mathrm{nominator}}(1^n) = (G1_{\mathrm{nominator}}(1^n), G2_{\mathrm{nominator}}(1^n))$.
(b) $G_{\mathrm{nominee}}$ is a probabilistic poly-time algorithm which, on input strings
$1^n$, outputs a pair of strings, (nominee's secret-key, nominee's public-key),
which is denoted by $G_{\mathrm{nominee}}(1^n) = (G1_{\mathrm{nominee}}(1^n), G2_{\mathrm{nominee}}(1^n))$.
The probability is taken over $G_{\mathrm{nominator}}$'s and $G_{\mathrm{nominee}}$'s coin tosses.
2. Signing (Sign):
Sign is a probabilistic poly-time algorithm which, on input string $1^n$,
$m$ (message), nominator's secret-key $\in G1_{\mathrm{nominator}}(1^n)$, and nominee's
public-key $\in G2_{\mathrm{nominee}}(1^n)$, outputs a string ("nominative signature"), which is
denoted by $\mathrm{Sign}(1^n, m, G1_{\mathrm{nominator}}(1^n), G2_{\mathrm{nominee}}(1^n))$ (shortly by Sign(m)).
The probability is taken over Sign's coin tosses. Let PS(m) be the set of
Sign(m).
3. Verifying (Verify):
Verify is a probabilistic poly-time algorithm. For input string $1^n$, $m$ (message),
Sign(m), nominator's public-key $\in G2_{\mathrm{nominator}}(1^n)$, and nominee's
secret-key $\in G1_{\mathrm{nominee}}(1^n)$, if Sign(m) is in the range of
$\mathrm{Sign}(1^n, m, G1_{\mathrm{nominator}}(1^n), G2_{\mathrm{nominee}}(1^n))$,
$\mathrm{Verify}(1^n, G2_{\mathrm{nominator}}(1^n), G1_{\mathrm{nominee}}(1^n), m, \mathrm{Sign}(m)) = 1$
otherwise
$\mathrm{Verify}(1^n, G2_{\mathrm{nominator}}(1^n), G1_{\mathrm{nominee}}(1^n), m, \mathrm{Sign}(m)) = 0$.
The probability is taken over Verify's coin tosses.
References
[1] Boyar, J., Chaum, D., and Damgard, I., "Convertible undeniable signature",
Proc. of Crypto'90.
[2] Chaum, D., "Zero-knowledge undeniable signature", Proc. of Eurocrypt'90.
[3] Chaum, D., "Designated Confirmer Signatures", Proc. of Eurocrypt'94.
[4] Chaum, D. and Antwerpen, H., "Undeniable signature", Proc. of
Crypto'89.
[5] Chaum, D., Evertse, J.H., Graaf, J.V., "An Improved Protocol for
Demonstration Possession of Discrete Logarithms and Some Generalizations",
Proc. of Eurocrypt'87.
[6] Chaum, D., Evertse, J.H., Graaf, J.V., Peralta, R., "Demonstrating
Possession of A Discrete Logarithm without Revealing it", Proc. of Crypto'86.
[7] Kim, S.J., Park, S.J., and Won, D.H., "A Survey on Directed Signature",
Proc. of The 2nd KIPS (Korea Information Processing Society) Fall
Conference, Vol.1/No.2, 1994.
[8] Kim, S.J., Park, S.J., and Won, D.H., "A Nominative Signature", Proc. of
CISC'94, Conference on Information Security and Cryptology, Vol.4/No.1,
1994.
[9] Kim, S.J., Park, S.J., and Won, D.H., "Nominative Signatures", Proc. of
ICEIC'95.
[10] Kim, S.J., Kim, K.S., Park, S.J., and Won, D.H., "Zero-Knowledge
Nominative Signatures", Journal of the Korean Institute of Information Security
and Cryptology, Vol.6/No.1, March 1996.
[11] Lim, C.H. and Lee, P.J., "Modified Maurer-Yacobi's scheme and its
applications", Proc. of Auscrypt'92.
[12] Lim, C.H. and Lee, P.J., "On Mutual Authentication and Digital Signature
Schemes", Journal of the Korean Institute of Information Security and
Cryptology, Vol.2/No.1, 1992.
[13] Lim, C.H. and Lee, P.J., "Directed Signatures and Application to Threshold
Cryptosystems", Proc. Cambridge Workshop on Security Protocols, April
1996.
[14] Okamoto, T. and Ohta, K., "How to utilize the randomness of
zero-knowledge proofs", Proc. of Crypto'90.
PROTOCOL CONFIRM/DENY SIGNATURE
We can use the confirmation/disavowal protocol in subsection 4.4. Only the
signer A, who knows sany, can prove if log vany is equal to log( y ve
A x) X.
SELECTIVE CONVERSION
1. The signer A reveals sany corresponding to message m.
2. The verifier B can check that (vany x X y) is a signature on m by verifying
that
e = h(vany x X m)
( y ve
A x)sany = X (mod p):
Therefore, a single signature can be converted to an ordinary digital signa-
ture by releasing the corresponding key sany.
CONVERSION OF ALL SIGNATURES
An undeniable signature is converted to an ordinary signature by releasing
his(her) secret key kseed. Knowing kseed, everybody can verify a signature
(vany x X y) on the message m by computing sany = fkseed(m) and verifying
that ( y ve
A x)sany equals X.
1. The signer A releases his(her) key kseed.
2. Anyone knowing kseed can check all previous signatures by computing
sany = fkseed(m) and verifying that e = h(vany x X m), ( y ve
A x)sany = X
(mod p).
5 Conclusion
In [9], we have introduced the concept of nominative signatures in which the
cooperation of the verifier should be necessary to convince another party that
a particular signature is valid. Thus, not a signer but verifier can control the
abuse of signatures.
In this paper, we propose a zero-knowledge nominative signature protocol
whose security is based on the difficulty of the discrete logarithm problem. Also we
have presented the first integrated system of nominative signatures and
(convertible) undeniable signatures. In the appendix, we review the formal
definition of our nominative signatures.
5. B opens the blob and checks that it is equal to a.
The signer can cheat with probability 1/(k+1), where k is a mutually agreed
constant and order k operations must be performed by the signer. In practice k
might be 1023, for instance, and the protocol could be conducted 2 times for a
chance of cheating that is less than one in a million or 10 times to give a chance
of only $2^{-100}$.
4.5 Convertible undeniable signature scheme
In addition to the properties of undeniable signatures, it could be useful if there
were some secret information, which the signer could release at some point
after signing, which would turn the undeniable signatures into ordinary digital
signatures. Thus these signatures could be verified without the aid of signer,
but they should still be difficult to forge. We call such signatures convertible
undeniable signatures. [1]
Furthermore, in some cases, one might prefer to convert only selected
undeniable signatures into digital signatures. When a scheme allows this, we say that
it is a selectively convertible undeniable signature scheme.
We can construct a (selectively) convertible undeniable signature scheme by
taking randomly chosen public key, vany as KP.
PROTOCOL SIGN SIGNATURE
1. The signer chooses a key $k_{seed}$ to a pseudorandom function $f_{k_{seed}}$ and then
computes $s_{any}$ as $f_{k_{seed}}(m)$. The properties of families of pseudorandom
functions guarantee that, given polynomially many pairs $(m_i, f_{k_{seed}}(m_i))$, it
is infeasible to find $f_{k_{seed}}(m)$ for a message $m \neq m_i$. Therefore, conversion
of any polynomial number of signatures cannot affect the undeniability of
other signatures. Next, A chooses randomly $r, R \in_R [1, q)$ and computes
$v_{any}$, $x$, $X$ as follows.
$s_{any} = f_{k_{seed}}(m) \in [1, q)$
vany = sany (mod p)
Choose $r, R \in_R [1, q)$
x = R;r (mod p)
$X = v_{any}^{R} \pmod p$.
2. Computes
e = h(vany x X m)
$y = r - s_A e \pmod q$.
The signature on a message m is a (vany x X y).
2. The prover A chooses randomly $t \in_R [1, q)$ and computes
h1 = ch t (mod p)
$h_2 = h_1^{s_A} \pmod p$.
Give $h_1$, $h_2$ to the verifier.
3. The verifier B sends (a, b) to the prover.
4. The prover A verifies that
ch = ( y ve
A x)a b (mod p)
and ensures that it was formed properly. If correct, A gives t to the verifier.
5. B verifies that
h1
?
= ( y ve
A x)a b+t (mod p)
$h_2 \stackrel{?}{=} X^{a} v_A^{b+t} \pmod p$.
PROTOCOL DENY SIGNATURE
Given a false signature, (vA x X y), the signer can prove that (vA x X y) is
not a signature on m by proving that log vA is not equal to log( y ve
A x) X because
the signer knows sA = log vA. A protocol for this is as follows.
1. The verifier B chooses an integer a uniformly between 0 and k, and chooses
b independently and uniformly over the group elements. B computes
ch1 = ( y ve
A x)a b (mod p)
$ch_2 = X^{a} v_A^{b} \pmod p$
and sends ch1 and ch2 to the prover.
2. The prover A computes $ch_1^{s_A}/ch_2 \pmod p$. If $ch_1^{s_A}/ch_2 \neq 1$, A can
determine the value of a by trial and error. If no a is found, A uses a random
value. Next, A sends a blob(r a) committing to the value of a, but hiding
a until the randomly selected r is revealed.
3. Upon receiving the blob, B can send b.
4. A checks that b can be used to reconstruct the first message, ch1 and ch2.
If any of the conditions does not hold then A halts the protocol. Otherwise, A
provides r.
1. Receives a public key KP as input.
2. The signer A chooses $r, R \in_R [1, q)$ at random and computes x = R;r
(mod p), $X = (KP)^{R} \pmod p$.
3. Computes
e = h(KP x X m)
$y = r - s_A e \pmod q$.
The signature on a message m is a (KP x X y).
4.3 Nominative signature scheme
Using nominee's public key, vB as KP, we can construct a nominative signature
scheme.
4.4 Undeniable signature scheme
One extension to the integrated system is undeniable signatures. [2] [4]
By taking signer's public key, vA as KP, we can construct an undeniable
signature scheme as follows.
PROTOCOL SIGN SIGNATURE
1. The signer A chooses randomly $r, R \in_R [1, q)$ and computes x = R;r
(mod p), $X = v_A^{R} \pmod p$.
2. Computes
e = h(vA x X m)
$y = r - s_A e \pmod q$.
The signature on a message m is a (vA x X y).
PROTOCOL CONFIRM SIGNATURE
We can use the protocol in figure 2.
1. The verifier B chooses randomly $a, b \in_R [1, q)$ and computes
ch = ( y ve
A x)a b (mod p):
Give ch to the prover A.
Proof: Consider an arbitrary (possibly dishonest) polynomial interactive Turing
Machine (ITM) $V'$ interacting with our prover P. We will describe a
probabilistic Turing machine M that will produce a simulation of a view with the
same distribution as $V'$'s view during a real execution of the protocol (see also
[1]).
1. Get a challenge ch from $V'$.
2. Choose e and compute h1
0
= e (mod p) and h2
0
= ve
nominee (mod p).
3. Get (a, b) from the verifier.
If ch 6= ( y ve
nominator x)a b (mod p), stop, and if not goto 4.
4. Rewind $V'$ to after the challenge is sent.
Choose t and compute h1 = ( y ve
nominator x)a b+t (mod p) and h2 =
Xa vb+t
nominee (mod p).
5. Get $(a', b')$ from the verifier.
If ch = ( y ve
nominator x)a0
b0
(mod p), send t to the verifier, and
otherwise goto 4.
This simulation works because the verifier cannot find two different pairs
(a1, b1) and (a2, b2) resulting in the same challenge without finding log ( y
ve
nominator x). In addition, the first pair $(h_1', h_2')$ has the same distribution as a
pair $(h_1, h_2)$ from the honest prover.
4 An integrated system
In this section we present an efficient integrated system of nominative signatures
and (convertible) undeniable signatures, i.e., we show how a nominative signature
scheme can be changed into (convertible) undeniable signatures.
4.1 Cryptographic setting
The same as the nominative signature scheme.
4.2 Integrated system
We can construct an integrated system of nominative signatures and (convert-
ible) undeniable signatures as follows.
5. The third party B verifies that
h1
?
= ( y ve
A x)a b+t (mod p)
$h_2 \stackrel{?}{=} X^{a} v_B^{b+t} \pmod p$.
[Figure 2: Confirmation between nominee and the third party. Protocol diagram of the messages ch, (h1, h2), (a, b) and t exchanged between nominee B and the third party.]
As you've seen above, contrary to the undeniable signature scheme, signatures
are confirmed via a protocol between the nominee and the third party, so
the cooperation of the nominee is necessary, i.e., not a signer (nominator) but
verifier (nominee) can control the abuse of signatures.
Theorem. The above protocol is an interactive proof system.
Proof: If the nominee B does not know sB, B will not be able to respond with
the correct h1, h2 (step 2) with probability at least 1/q. Thus the third party
will detect a cheating prover with probability at least 1 − 1/q.
Theorem. The above protocol is a zero-knowledge interactive proof system.
[Figure 1: Signing and verifying between nominator and nominee. Protocol diagram: nominator A sends m, (vB x X y) to nominee B, who verifies it.]
3.3 Confirmation between nominee and the third party
Nominee(prover) B proves to the third party(verifier) that ( y ve
A x)sB = X
(mod p) and sB = vB (mod p) in a zero-knowledge manner (without revealing
sB) (see also [2]). The confirmation protocol between nominee B and the third
party is as follows:
1. The third party(verifier) chooses randomly $a, b \in_R [1, q)$ and computes
ch = ( y ve
A x)a b (mod p):
Give ch to the nominee B(prover).
2. The nominee B chooses randomly $t \in_R [1, q)$ and computes
h1 = ch t (mod p)
$h_2 = h_1^{s_B} \pmod p$.
Give h1, h2 to the third party.
3. The third party sends (a b) to the nominee.
4. The nominee B verifies that
ch = ( y ve
A x)a b (mod p)
and ensures that it was formed properly. If correct, B gives t to the third
party.
3 The zero-knowledge scheme
Now we propose a zero-knowledge nominative signature protocol which satisfies
the above two conditions. The nominator generates a signature combined
with nominee's public key so that nominee who has the corresponding private
key can verify the signatures and if necessary, prove to the third party the
validity of a signature. The proposed scheme is based on the Schnorr's scheme. [15] [16]
3.1 Cryptographic setting
To generate a key pair, first choose two primes, p and q, such that q is a prime
factor of p − 1. Then, choose a random such that the order of mod p is q. All
these numbers can be common to a group of users and can be freely published.
To generate a particular public/private key pair, choose a random number less
than q. This is the private key, s. Then calculate v = s mod p. This is the
public key.
Schnorr recommends that p be about 512 bits and q be about 140 bits. First,
the signing protocol between A(nominator) and B(nominee) is as follows.
3.2 Signing and verifying between nominator and nominee
Using the Schnorr's scheme, we can construct a nominative signature scheme as
follows.
1. The nominator A chooses $r, R \in_R [1, q)$ at random and computes x = R;r
(mod p), $X = v_B^{R} \pmod p$.
2. Computes
e = h(vB x X m)
$y = r - s_A e \pmod q$.
The signature on a message m is a (vB x X y).
3. Only nominee B can check that (vB x X y) is a signature on m by veri-
fying that
e = h(vB x X m)
( y ve
A x)sB = X (mod p):
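The signing, nominee-side verification and confirmation steps of sections 3.2, 3.3 and 4.2, together with the selective conversion of section 4.5, as an added Python example that is not code from the paper. It assumes a constructed toy group (p = 2039, q = 1019), writes the element of order q as G, and uses SHA-256 for h and HMAC-SHA256 for the pseudorandom function; none of these choices come from the paper.

```python
import hashlib
import hmac
import secrets

# Constructed toy group, far too small for real use: q divides p - 1 and
# G has order q mod p. The name G for that element is an assumption.
P, Q = 2039, 1019
G = pow(2, (P - 1) // Q, P)

def rand():
    return secrets.randbelow(Q - 1) + 1          # uniform in [1, q)

def keygen():
    s = rand()                                   # private key s
    return s, pow(G, s, P)                       # public key v = G^s mod p

def h(*parts):
    # Assumed encoding of h(KP, x, X, m): SHA-256 over a joined string, mod q.
    data = b"|".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def sign(s_a, kp, m):
    """Section 4.2: kp = v_B is nominative, kp = v_A undeniable, kp = v_any convertible."""
    r, big_r = rand(), rand()
    x = pow(G, (big_r - r) % Q, P)
    big_x = pow(kp, big_r, P)
    y = (r - s_a * h(kp, x, big_x, m)) % Q
    return kp, x, big_x, y

def base(sig, v_a, m):
    # G^y * v_A^e * x mod p, which equals G^R for an untampered signature.
    kp, x, big_x, y = sig
    return pow(G, y, P) * pow(v_a, h(kp, x, big_x, m), P) * x % P

def verify(sig, v_a, s_kp, m):
    """Check (G^y v_A^e x)^s = X using the secret key s that matches kp."""
    return pow(base(sig, v_a, m), s_kp, P) == sig[2]

def confirm(sig, v_a, s_b, m):
    """Section 3.3 with both roles in one process; returns the third party's verdict."""
    v_b, big_x, w = sig[0], sig[2], base(sig, v_a, m)
    a, b = rand(), rand()                        # 1. third party picks (a, b), sends ch
    ch = pow(w, a, P) * pow(G, b, P) % P
    t = rand()                                   # 2. nominee answers with h1, h2
    h1 = ch * pow(G, t, P) % P
    h2 = pow(h1, s_b, P)
    # 3-4. third party opens (a, b); nominee releases t only if ch was well formed
    if ch != pow(w, a, P) * pow(G, b, P) % P:
        return False
    # 5. third party checks both relations
    ok1 = h1 == pow(w, a, P) * pow(G, b + t, P) % P
    ok2 = h2 == pow(big_x, a, P) * pow(v_b, b + t, P) % P
    return ok1 and ok2

def s_any(kseed, m):
    # Section 4.5: s_any = f_kseed(m) in [1, q); HMAC-SHA256 is an assumed PRF.
    return int.from_bytes(hmac.new(kseed, m, hashlib.sha256).digest(), "big") % (Q - 1) + 1

if __name__ == "__main__":
    msg = b"academic record"                     # constructed sample message
    s_a, v_a = keygen()
    s_b, v_b = keygen()
    sig = sign(s_a, v_b, msg)
    print("nominee verifies:", verify(sig, v_a, s_b, msg))
    print("third party convinced:", confirm(sig, v_a, s_b, msg))
    s = s_any(b"constructed-kseed", msg)
    conv = sign(s_a, pow(G, s, P), msg)
    print("released s_any verifies converted signature:", verify(conv, v_a, s, msg))
```

Verification needs the secret key matching KP, so a holder of any other key in [1, q) gets a mismatch, and a signature with an altered y fails both the nominee's check and the h2 relation of the confirmation.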
signatures. In section 3, we present a zero-knowledge nominative signature
scheme. And we propose an integrated system of nominative signatures and
undeniable signatures in section 4. The final section of the paper is a summary.
2 Nominative signatures
The relatively new technique called "nominative signatures" achieves these
objectives: Only nominee can verify the nominator(signer)'s signature and if
necessary, only nominee(verifier) can prove to the third party that the signature is
issued to him(her) and is valid.
Contrary to the undeniable signature scheme, signatures are confirmed via
a protocol between the nominee and the third party, so the cooperation of the
nominee is necessary, i.e., not a signer but verifier can control the abuse of
signatures - undeniable signature cannot be verified without the cooperation of
the signer, so the signer controls the abuse of signatures -. That is, nominative
signature is the dual scheme of undeniable signature. For an application of
nominative signatures, we consider the following case.⁶
Bob submits to a company his academic record (or any testimonial) which
the president of his university signs. In this case, signer(nominator) is the
president of university, verifier(nominee) is Bob and the third party is the company.
That is, our nominative signature is very valuable for the case in which the
content of signature is concerned with the verifier's privacy.
To construct a nominative signature scheme, the following two conditions
must be satisfied:
(1) Only nominee can verify the nominator's signature S.
(Even the nominator can not verify the signature S.)
(2) If necessary, only nominee can prove to the third party that the signature
S was issued to him(her) by nominator and is valid.
(Even the nominator can not prove that the signature S is valid.)
Remark: When the condition (1) is satisfied, we can nominate the verifier.
When the condition (2) is satisfied, the nominee himself can control the abuse
of signatures. If nominator can prove to the third party that the signature S
is valid, not only nominee but also nominator (or anyone who gets some useful
information from the nominator) can control the signatures, i.e., the nominee
himself cannot control the abuse of signatures.
⁶ In Chaum's designated confirmer signatures, also the signer can confirm the given signature.
So, the designated party cannot fully protect the privacy of signature.
valuable to the industrial spy or extortionist. Thus, self-authentication is too
much authentication for many applications.
To solve the above problem, D. Chaum proposed the new type of digital
signature, undeniable signatures, at Crypto'89 conference and proposed a
zero-knowledge undeniable signature at Eurocrypt'90 conference. [2] [4]
Briefly, an undeniable signature is a signature which cannot be verified without the help of
the signer. They are therefore less personal than ordinary signatures in the
sense that a signature cannot be related to the signer without his help. On the
other hand, the signer can only repudiate an alleged signature by proving that
it is incorrect.
Also, Boyar, Chaum, Damgard and Pedersen introduced convertible
undeniable signatures. In these schemes, release of a single bit string by the signer turns
all of his signatures, which were originally undeniable signatures, into ordinary
digital signatures. [1]
And, in [3], new compromised schemes between normal digital signatures
and undeniable signatures were proposed by Chaum, called designated confirmer
signature schemes. It was claimed that not only signer but also the designated
third party has the ability of proving the validity of the given signatures. In
undeniable signatures, the signer might refuse to cooperate in either confirming
or denying, he/she might claim the loss of keys for confirming or denying, or
he/she might just be unavailable. Designated confirmer signatures can give the
signer the protection of an undeniable signature while not letting him/her abuse
that protection.
Recently, at ICEIC'95 conference, we proposed a new signature scheme,
nominative signatures, that is the dual signature scheme of undeniable signatures.⁴
Unlike an undeniable signature, the validity or invalidity of a nominative
signature can be ascertained by conducting a protocol with the verifier. If a
confirmation protocol is used, the cooperating verifier gives exponentially high
certainty (in the amount of work done in the protocol) that the signature is
issued to him(her) and is valid. [8] [9] [10]⁵
In this paper, firstly, we construct a zero-knowledge protocol that
implements it. Furthermore, we present an efficient integrated system of
nominative signatures and (convertible) undeniable signatures. That is, we show how
nominative signature scheme can be changed into a (convertible) undeniable
signatures. The next section in this paper reviews the concept of nominative
⁴ This was motivated by [11] and [12]. In [11] and [12], C.H. Lim and P.J. Lee briefly mentioned
similar paradigm (They used the terms of "directed (or designated-receiver) signatures"). But
they didn't give concrete definitions or conditions for receiver's total control of his privacy, and
their scheme were broken by [7]. Recently, in [13], Lim et al. proposed two revised methods for
constructing a direct signature scheme, however their first method in section 3 of [13] is the same
as the author's scheme in [10]. And, in their second scheme, the receiver cannot fully control his
privacy by reason that the signer (who shared a common key with the receiver) can also prove the
validity of signature.
⁵ [8] presented the definition and conditions for "nominative signatures", [9] appended the formal
definition, and [10] described a construction based on ZKIP.
Zero-Knowledge Nominative Signatures¹
(Revised 19th November 1998)
Seungjoo Kim², Sungjun Park³ and Dongho Won²
Abstract
At ICEIC'95 conference, we proposed a new kind of signature scheme,
called "nominative signatures", that is the dual scheme of undeniable
signatures. Nominative signatures achieve these objectives: Only nominee can
verify the nominator(signer)'s signature and if necessary, only nominee can
prove to the third party that the signature is issued to him(her) and is valid.
The present article contains a zero-knowledge nominative signature protocol.
Furthermore, we present the first efficient integrated system of nominative
signatures and (convertible) undeniable signatures. That is, we show how
nominative signature scheme can be changed into a (convertible) undeniable
signatures.
Key words: zero-knowledge, nominative signatures, undeniable signatures,
integrated system
1 Introduction
Digital signatures are one of the most important techniques of modern
cryptography, and have many applications in information security systems. Digital
signatures are easily verified as authentic by anyone using the corresponding
public key. This "self-authenticating" property is quite suitable for some uses,
such as broadcast of announcements and public key certificate. But it is
unsuitable for many other applications. Self-authentication makes signatures that
are somewhat commercially or personally sensitive, for instance, much more
¹ To be presented at the Proc. of Pragocrypt'96, International Conference on the Theory and
Applications of Cryptology, 1996, pp.380-392. Proceedings published by CTU PUBLISHING HOUSE,
ISBN 80-01-01502-5.
² Dept. of Information Engineering, Sungkyunkwan Univ., 300 Chunchun-dong, Suwon,
Kyunggi-do, 440-746, Korea
E-mail : {sjkim, dhwon}@simsan.skku.ac.kr
URL : http://dosan.skku.ac.kr/ sjkim/
³ KISA (Korea Information Security Agency), 5th Fl., Dong-A Tower, 1321-6, Seocho-Dong,
Seocho-Gu, Seoul 137-070, Korea
E-mail : chaos@kisa.or.kr