Pull to refresh

Instant Digital Signature Mode

Level of difficultyHard
Reading time12 min

We adhere to established tradition and continue to present the latest findings. In this note, we discuss the Instant Digital Signature (IDS) mode, which was announced earlier. While the main content of the IDS mode was already disclosed in a previous publication, we believe that additional specifications will improve understanding.

It should be emphasized that the IDS is not a distinct type of signature, but rather a special mode in which any known digital signature (DS) scheme can be used. In other words, we do not take responsibility for developing a new scheme, but rather propose a practical way to apply existing schemes.

As the name suggests, the IDS mode operates in real-time, specifically, at the moment of signature generation. This means that the mode is used to certify data that is directly associated with an identifying entity, as confirmed in a previously presented proof. Such proof can be obtained through executing an interactive identification protocol, which is necessary for justifying the IDS mode. When discussing this combination, we assume that certain unique variables from the current identification session are used in generating the signature. It is important to understand that these variables are ephemeral by design and only have an effect within the current session.

It should be noted that in this publication, we use personal data assurance as an example, which is perhaps the most natural application for the IDS mode.

We demonstrate that the IDS mode is compatible with any known DS scheme. However, it is an open question whether this mode can be used with arbitrary identification protocols. On the other hand, the IDS mode is easily combined with an interactive identification protocol that enables the generation of a shared secret session key, which was created in the development of the protocol presented in this note.

We do not provide formal proofs in this text, but rather present examples to convey the essence of our findings. Unfortunately, we could not avoid using formal notation, but we hope that it will not pose any difficulties, as all necessary notation was introduced in our earlier publication. Additionally, we use standard mathematical notation adopted in specialized literature, such as [Cohen_etc._2006].

Interactive Identification Protocol

First of all, let us recall what an interactive identification protocol is. In fact, this is a game of two participants, each of which is endowed with its own role. To avoid unnecessary complications, we will deliberately limit the number of subjects of interaction.

There are two distinct roles: P (Prover) and V (Verifier). P provides proof of knowledge, such as a secret, which V then verifies using a decision rule. The verdict can be positive (evidence accepted), negative (evidence rejected), or indeterminate. Typically, upon acceptance or rejection of the evidence, a specific action is initiated. For example, a common scenario is when P requests access to a resource, which is granted if V accepts the proof. There are other applications for this protocol as well.

Identification protocols belong to a more general class of \hbox{$\Sigma$-protocols}, which were first introduced in [Cramer_1996]. P and V are modeled using a probabilistic interactive Turing machine, and the \hbox{$\Sigma$-protocols} itself is an interactive proof scheme based on Arthur-Merlin game style [Babai_Moran_1988], in which V always chooses some variable with a random distribution.

Let's focus on identification protocols that rely on asymmetric cryptography. 

The interactive identification protocol can be represented by the following diagram:

P \stackrel{\mbox{witness}}{\longrightarrow} V  \stackrel{\mbox{challenge}}{\longrightarrow} P \stackrel{\mbox{response}}{\longrightarrow} V.

It is clear that three messages are transmitted during the protocol: witness, challenge, and response. In this case, P transmits two messages (witness and response), and V transmits only one message (challenge). The purpose of each message is clear from its name. 

Let's call the independent variables with a random distribution that change from one protocol session to another as the ephemeris. In cryptographic terms, ephemeris is equivalent to secret keys. To reveal an unknown ephemeris, it is necessary to find a solution to some computational complexity problem or to undertake a brute force attack.

It is assumed that each participant has a pair of unique keys: a secret key and a public key. Additionally, proper certificates have been issued for the public keys.

The parties do the following:

  • P generates a witness based on the public key V and at least one ephemeris known only to P.

  • V creates a challenge using at least one ephemeris known only to V.

  • P generates a response based on their own private and public keys and the challenge.

  • V renders a verdict based on the witness, the response, the ephemeris involved in the challenge, and the public key P.

All identification protocols include three messages, which, thanks to ephemeris, are randomly distributed. It is proven that there cannot be fewer messages (there can be more). All of the above messages carry the same semantic load in different identification protocols, but the methods of their computation can vary significantly and depend on the main provisions of the computational complexity problem, as well as the chosen mathematical apparatus.

After some deliberation, we decided to keep the designations used in the interactive identification protocol we developed with the possibility of generating a shared secret session key, which has not yet been made public. Therefore, c=\hslash(g_1) is passed as a response, where \hslash(\cdot) is some cryptographic hash function known to both parties. To check the proof, V computes g_3. This uses a simple decision rule like \hslash(g_1)\stackrel{?}{=}\hslash(g_3). Here g_1, g_3\in\mathbb{G}_3. Note that the way g_1 and g_3 are computed is irrelevant in this context.

Since most of the texts we publish are interconnected, we hope that this approach will further simplify the “bridge” between our various posts.

Compatibility with any DS scheme

Let there be a pair of keys \{\mathbf{z}, \mathsf{P}=[\mathbf{z}]\mathsf{G}_1\} and a certificate \{D_{\mathsf{P}}, \mathsf{P}, \Im_{\mathsf{P}}\}. Let's show how it works taking the well-known Schnorr's DS scheme [Schnorr_1990] as an example.

P acts as the signer. Given message M, secret key \mathbf{z}, and g_1, the signer performs the following computations:

  1. \mathsf{Q}=[\varepsilon]\mathsf{G}_1, where \varepsilon\in_R\!(0,m-1];

  2. \gamma=\hslash(g_1\|M\|x_{\mathsf{Q}});

  3. \delta=\varepsilon-\gamma\mathbf{z}\pmod m;

  4. \Im=\{\gamma, \delta\}.

Let there be a signature \Im'=\{\gamma', \delta'\} and a message M' such that (\delta'\neq\delta)\land(\gamma'\neq\gamma )\land(M'\neq M). Let's assume that the authenticity and integrity of the key \mathsf{P} is confirmed by checking the valid certificate \{D_{\mathsf{P}}, \mathsf{P}, \Im_{\mathsf{P}}\}. V performs the following computations:

  1. \mathsf{S}=[\delta']\mathsf{G}_1+[\gamma']\mathsf{P}=[\delta'+\gamma'\mathbf{z}\pmod m]\mathsf{G }_1;

  2. \hslash(g_3\|M'\|x_\mathsf{S})\stackrel{?}{=}\gamma'.

If \hslash(g_3\|M'\|x_\mathsf{S})=\gamma, then \mathfrak{B}=True, where \mathfrak{B}\Leftarrow{\rm{Verify}}(\hslash(g_3\|M'\|x_{\mathsf{S}})),\Im',\mathsf{P}). Suppose \delta'=\varepsilon-\gamma\mathbf{z}\pmod m. Therefore, \mathsf{S}=[\varepsilon-\gamma\mathbf{z}+\gamma'\mathbf{z}\pmod m]\mathsf{G}_1=[\varepsilon]\mathsf{G}_1 =\mathsf{Q} if \gamma'=\gamma=\hslash(g_3\|M'\|x_\mathsf{S})\Rightarrow (M'=M)\land(x_\mathsf{S }=x_\mathsf{Q})\land(g_3=g_1). For ((\delta'\neq\delta)\land(\gamma'=\gamma))\lor((\delta'=\delta)\land(\gamma'\neq\gamma))\lor(( \delta'\neq\delta)\land(\gamma'\neq\gamma)) with overwhelming probability \mathfrak{B}=False and negligible \mathfrak{B}=True. However, if (\delta'=\delta)\land(\gamma'=\gamma), then it is \mathfrak{B}=True with overwhelming probability and \mathfrak{B}=False with negligible probability.

DS verification and verification of personal data are interconnected. Let D be some personal data and \Im\Leftarrow{\rm{Sign}}(\hslash(D), \mathbf{z}). D', \Im' and a valid certificate \{D_{\mathsf{P}}, \mathsf{P}, \Im_{\mathsf{P}}\} are presented for verification. If the DS is valid, in other words \hslash(g_3\|D'\|x_\mathsf{S})=\gamma, then D'=D. If valid, D'\stackrel{?}{=}D_{\mathsf{P}} is verified. The authenticity of personal data arises from D'=D_{\mathsf{P}}.

The IDS mode can be implemented using an arbitrary conventional scheme based on the elliptic curve points arithmetic. This approach is inherent in the vast majority of modern DS schemes [Schnorr_1990, Paterson_2002, Hess_2003, Boneh_Shacham_Lynn_2004, Zhang_Safavi-Naini_Susilo_2004, Boneh_Boyen_2004]. However, this condition is not necessary. For example, without losing the generality, one can replace a subgroup of the group of elliptic curve points with a subgroup of prime order m of the group \mathbb{F}^*_p. Note that the mode is also compatible with DS schemes, which are developed consistent with the provisions of post-quantum cryptography.

This compatibility has a simple explanation. Since in an arbitrary conventional DS scheme the computation of \hslash(M) is normative in nature, that means that it is always present in any DS scheme, then replacing \hslash(M) with \hslash(\ldots\|M\|\ldots) does not lead to negative consequences for the cryptographic strength of this scheme, since in the general case the dependence of the collision probability on the argument of the cryptographic hash function \hslash(\cdot) is unknown. Here, by collision we mean \hslash(\mathsf{x})=\hslash(\mathsf{y}) for \mathsf{x}\neq\mathsf{y} and \mathsf{x},\mathsf{y}\in\{0,1\}^*.

For example, if the DS scheme [Zhang Safavi-Naini_Susilo_2004] is used for this purpose, then for the given message M and secret key \mathbf{z} the signer first computes \phi=\hslash(g_1\|M), and then generates the signature \mathsf{Q}=[\frac{1}{\phi+\mathbf{z}\pmod m}]\mathsf{G}_1=[\psi]\mathsf{G}_1.

Let there be a signature \mathsf{Q}'=[\psi']\mathsf{G}_1 and a message M' such that (\mathsf{Q'}\neq\mathsf{Q})\land(M'\neq M). V first evaluates \phi'=\hslash(g_3\|M') and then g'=e_m([\phi']\mathsf{G}_1+ \mathsf{P}, \mathsf{Q} ')=e_m([\phi'+\mathbf{z}\pmod m]\mathsf{G}_1, [\psi']\mathsf{G}_1)=g^{\psi'(\phi'+ \mathbf{z})\pmod m}. Checks g'\stackrel{?}{=}e_m(\mathsf{G}_1, \mathsf{G}_1) and g'=g if (\psi'=\psi)\land( \phi'=\phi)\Rightarrow (M'=M)\land(g_3=g_1).

Note that at the identification stage, c=\hslash(g_1) is transmitted over an insecure communication channel, and to reveal g_1 with an unknown secret message, you must either compute g_1=\hslash^{-1}(c), or find solution of some computational complexity problem.

Let's summarize.

  1. V is unable to forge/falsify the DS given g_3 is known, because it does not know \mathbf{z}. He can use the key pair \{\mathbf{z}', \mathsf{P}'\}, where \mathbf{z}'\neq\mathbf{z}, and certificate \{D_{\mathsf{P}'}, \mathsf{P}', \Im_{\mathsf{P}'}\} has been issued for \mathsf{P}', but subsequent verification will show that D_{\mathsf{ P}'}\neq D_{\mathsf{P}}.

  2. P (signer) can generate \Im=\{\gamma, \delta\} only if he knows the secret \mathbf{z}.

  3. DS verification is possible only if there is a positive decision regarding the response c=\hslash(g_1).

Let's list the distinctive features of the IDS mode.

  1. The mode is active within the current session and is relevant only for V.

  2. V cannot convince a third party of the authenticity and integrity of the data received during a particular session.

  3. The IDS can be formed by someone who knows the secret key \mathbf{z} and is able to compute g_1.

  4. Anyone who knows \mathsf{P} and g_3 can check the IDS.

  5. The correctness of the IDS is guaranteed if the proof is accepted.

The IDS mode is ideologically close to the work of [Dwork_Naor_Sahai_1998], in which the problem of deniable authentication was first formulated and the authors proposed a specific solution.

Let's assume that V verified the authenticity of the signer's personal data using the IDS mode with subsequent verification. Now the signer can use the secret key \mathbf{z} to generate a signature using an arbitrary conventional DS scheme based on the elliptic curve points arithmetic (or any other). Note that this scheme may differ from the one used to verify personal data. It makes sense to keep such the DS in long-term memory, and you need a valid certificate \{D_{\mathsf{P}}, \mathsf{P}, \Im_{\mathsf{P}}\} to verify it. This means that after authentication in the IDS mode, undeniable authentication is guaranteed for all other data, the certification of which is made within the framework of the conventional DS scheme. And it does not need auxiliary computation and additional organizational costs.

In general, an attacker does not have access to personal data, since it is transmitted and stored in encrypted form, but can determine the serial numbers of certificates of public keys of signers by tracking requests from verifiers, for example, according to the rules of the OCSP (Online Certificate Status Protocol). Such monitoring should be regarded as a threat, because certificates contain information that allows to deanonymize a participant. Potential risks are offset by the transfer of certificates through a secure tunnel. Furthermore, certificates can be read using the Private Information Retrieval (PIR) method [Chor_Goldreich_Kushilevitz_Sudan_1995, Kushilevitz_Ostrovsky_1997].

Incompatibility with arbitrary protocol 

As it was shown, in the IDS mode, any known DS scheme based on the elliptic curve points arithmetic (or any other) can be applied. 

All identification protocols consist of one and a half rounds and provide for the transmission of witness, challenge and response messages. There is the following fundamental question to be answered: is the IDS mode possible only for a specific identification protocol or is it compatible with an arbitrary protocol?

Let's consider a specific example. To do this, when describing the Schnorr's identification protocol [Schnorr_1990], we pass from a subgroup of prime order m of the group \mathbb{F}^*_p to a subgroup of order m of the elliptic curve points group.

P first selects \mathbf{x}\in_R\!(0, m-1] and generates a pair of keys \{\mathbf{x},\mathsf{R}=[-\mathbf{x}] \mathsf{G}_1\} . Then contacts trusted authority T to issue a certificate \{D_{\mathsf{R}},\mathsf{R}, \Im_{\mathsf{R}}\}, where \Im_{\mathsf{R}}\Leftarrow{\rm{Sign}}(\hslash(\mathsf{R}||D_{\mathsf{R}}), \rm{S}_T) and D_{\mathsf{R}} are personal data of P.

For simplicity, we omit information about the location of the certificate, as well as its updating by checking with the list of revoked certificates.

Schnorr's Identification Protocol

Protocol messages.

  1. P \longrightarrow V : \mathsf{S}=[\upsilon]\mathsf{G}_1

  2. P \longleftarrow V :  \phi

  3. P \longrightarrow  V : \psi=\mathbf{x}\phi+\upsilon\pmod m

Actions of the parties. 

P proves to V that he owns (knows) \mathbf{x}. To do this, the following steps are performed:

  1. P selects {\upsilon\in_R\!(0,m-1]} (commitment), computes \mathsf{S}=[\upsilon]\mathsf{G}_1 (witness), checks the condition \mathsf{S}\stackrel{?}\neq\infty . If \mathsf{S}=\infty, then choose a new \upsilon and re-do the necessary computations and checks.

  2. V reads the valid certificate \{D_{\mathsf{R}},\mathsf{R}, \Im_{\mathsf{R}}\} and checks the DS \mathfrak{B}\Leftarrow{\rm {Verify}}(\hslash(\mathsf{R}||D_{\mathsf{R}}),\Im_{\mathsf{R}}, \rm{P}_T). If \mathfrak{B}=True then V chooses \phi\in_R\!(0, m-1] (challenge), otherwise the session ends.

  3. P checks the condition \phi\stackrel{?}\neq 0. If it is true, P evaluates \psi=\mathbf{x}\phi+\upsilon\pmod m (response), otherwise the session ends.

  4. V computes \mathsf{Q}=[\psi]\mathsf{G}_1+[\phi]\mathsf{R}=[\psi-\phi\mathbf{x}\pmod m]\mathsf{G }_1. Then V checks x_{\mathsf{Q}}\stackrel{?}{=}x_{\mathsf{S}}. If equal, then the proof is accepted, or it is rejected otherwise.

In the general case, the pair of keys \{\mathbf{z}, \mathsf{P}=[\mathbf{z}]\mathsf{G}_1]\}, with wich is signed/verified, differs from \{\mathbf{x}, \mathsf{R}\}. For \mathsf{P}, trusted authority T also issues a certificate \{D_{\mathsf{P}},\mathsf{P}, \Im_{\mathsf{P}}\}. For simplicity, we set D_{\mathsf{P}}=D_{\mathsf{R}}.

Let's assume that P sends V some data certified by DS. Moreover, the DS is generated using the secret key \mathbf{z}, and it is necessary to use the public key \mathsf{P} from the certificate \{D_{\mathsf{P}}, \mathsf{P}, \Im_{\mathsf{P}}\} for verification. At the same time, there is no guarantee that it was P who certified the data, and not an attacker who fraudulently forced P to generate the DS for this data or obtained it from open sources. However, D_{\mathsf{P}}=D_{\mathsf{R}} also does not mean that the data was certified by the one who provided the proof at the current time. Thus, for example, an attacker can impose data certified by the DS, but at the same time no longer relevant. We have shown above that the IDS mode also can be used to solve this problem. Therefore, it is necessary to demonstrate the operability of the IDS mode in the Schnorr's identification protocol.

Note that the DS in this protocol, as well as any other action, is “torn off” from the identification results. Indeed, if V accepted the proof from P, and then P certified some data with the DS and sent them to V then it is impossible to guarantee that the identity of P did not undergo fundamental changes as a result of significant events in the time interval between the acceptance of the proof and the moment the DS was created. Such events include, for example, revocation of \{D_{\mathsf{R}},\mathsf{R}, \Im_{\mathsf{R}}\} certificate due to \mathbf{x} secret key being compromised, its expiration, and others. As a result, P will not be able to provide proof, while the proof provided earlier loses legitimacy. The time interval with a significant event can be arbitrarily small, but it is nonzero, and therefore the problem is classified as fundamental. 

Thus, when discussing the IDS mode in the Schnorr's identification protocol, it is necessary to follow the unreasonable assumption of a negligible probability of a significant event.

It should be noted that significant events are also possible in the identification protocol developed by us, however, a secure data transmission tunnel due to encryption, which is established only upon the fact of proof, provides additional guarantees. In other words, identification is legitimate within a single session, which ends as a result of the session key deactivation after a predetermined time interval, which in turn is set up by the provisions of the current security policy.

The necessary condition is that the response cannot be transmitted over an unsecured communication channel without first being converted by a one-way function. Let's explain why.

If g_1 is sent as a response instead of c=\hslash(g_1), then not only P, but anyone who has gained access to g_1 will be able to generate the DS. Obviously, the use of a one-way pseudo-random function, assuming a random oracle model, such as \hslash(\cdot), violates the algebraic structure of the response in the form of g_1

The latter means that the verification of the proof must be based on a method different from the algebraic one. This is how our protocol checks \hslash(g_1)\stackrel{?}{=}\hslash(g_3). Only P can compute g_1 because it knows the secret, and V is the only one able to compute g_3 because he knows the challenge. An attacker observes c, and in order to reveal g_1, he needs to solve a computational complexity problem or compute g_1=\hslash^{-1}(c).

In the Schnorr's identification protocol, the response is given as \psi=\mathbf{x}\phi+\upsilon\pmod m, and to check, you must first compute the point \mathsf{Q}=[\psi]\mathsf{G}_1+[ \phi]\mathsf{R}=[\psi-\phi\mathbf{x}\pmod m]\mathsf{G}_1 and then check x_{\mathsf{Q}}\stackrel{?}{= }x_{\mathsf{S}}. It is clear that if you pass \hslash(\psi) instead of \psi and compute \mathsf{Q}'=[\hslash(\psi)]\mathsf{G}_1+[\phi]\mathsf{R }, then with overwhelming probability x_{\mathsf{Q}'}\neq x_{\mathsf{S}}

Therefore, checking is possible for \psi, but not for \hslash(\psi). This means that in this protocol, the response can only be transmitted in cleartext, but then the IDS mode does not meet the necessary condition.

There are two directions for future research under consideration:

  1. Search/development of identification protocols for which the necessary condition is met.

  2. A formal proof of the fact that a necessary condition is not met for any identification protocol using an algebraic way of checking the proof.

We also do not rule out that the proof of the properties such as witness indistinguishable and witness hiding [Feige_Shamir_1990] may be questioned. However, only the expert community is able to confirm/refute this proof after the publication of the identification protocol developed by us in a peer-reviewed periodical.


Compared to the conventional scheme, the IDS mode has some limitations. However, as follows from the explanations, the conventional DS schemes themselves are useless from the point of view of solving the task, since they do not guarantee that the signature was created by the one who provided the certified data at the current time.

Presumably, the IDS mode works only in our protocol, since the algebraic equation is used to verify the proof in all known identification protocols [Fiat_Shamir_1987, Feige_Fiat_Shamir_1988, Guillou_Quisquater_1988, Schnorr_1990, Brickell_Mccurley_1992, Okamoto_1993, Nguyen_2005]. For all these protocols, the necessary condition is not met.

This post omits the proof of cryptographic strength of the IDS mode. This is a conscious step, as we wanted to cut and simplify the text. Additionally, for such reasoning, it is necessary to have a detailed description of the identification protocol. We reserve the right to return to this topic after the corresponding publication.

The pdf version of this article is available here.

The Bibliography

[Cohen_etc._2006] Cohen, H., Frey, G., Roberto Avanzi, R., Doche C., Lange, T., Nguyen, K. and Vercauteren, F. Handbook of Elliptic and Hyperelliptic Curve Cryptography, Chapman and Hall/CRC, 2006.

[Cramer_1996] Cramer, R. “Modular Design of Secure, yet Practical Cryptographic Protocols.” PhD Thesis, University of Amsterdam, 1996.

[Babai_Moran_1988] Babai, L. and Moran, S. “Arthur-Merlin games: A randomized proof system, and a hierarchy of complexity classes.” Journal of Computer and System Sciences, Volume 36, Issue 2, April (1988) 254–276.

[Schnorr_1990] Schnorr, C. P. “Efficient identification and signatures for smart cards.” Advances in Cryptology — CRYPTO’89 LNCS 435, (1990) 239–252.

[Paterson_2002] Paterson, K. G. “ID-based signatures from pairings on elliptic curves.” IEEE Electronic Letters, 38(18), (2002) 1025–1026.

[Hess_2003] Hess, F. “Efficient Identity Based Signature Schemes Based on Pairings.” Revised Papers from the 9th Annual International Workshop on Selected Areas in Cryptography — SAC’02, (2003) 310–324.

[Boneh_Shacham_Lynn_2004] Boneh, D., Shacham, H. and Lynn B. “Short Signatures from the Weil Pairing.” J. Cryptol., Vol. 17, No. 4, (2004) 297–319.

[Zhang_Safavi-Naini_Susilo_2004] Zhang, F., Safavi-Naini, R. and Susilo, W. “An efficient signature scheme from bilinear pairing and its applications.” Public Key Cryptography, LNCS 2947, (2004) 277–290.

[Boneh_Boyen_2004] Boneh, D. and Boyen, X. “Short Signatures Without Random Oracles.” EUROCRYPT 2004, LNCS 3027, (2004) 56–73.

[Chor_Goldreich_Kushilevitz_Sudan_1995] Chor, B., Goldreich, O., Kushilevitz, E. and Sudan M. “Private information retrieval.” In Proc. of the 36th IEEE Symp. on Foundations of Computer Science, (1995) 41–51.

[Kushilevitz_Ostrovsky_1997] Kushilevitz, E. and Ostrovsky, R. “Replication is not needed: Single database, computationally-private information retrieval.” In Proc. of the 38th IEEE Symp. on Foundations of Computer Science, (1997) 36–373.

[Fiat_Shamir_1987] Fiat, A. and Shamir, A. “How to prove yourself: Practical solutions to identification and signature problems.” Advances in Cryptology[ — CRYPTO’86 LNCS 263, (1987) 186–194.

[Feige_Fiat_Shamir_1988] Feige, U., Fiat, A. and Shamir, A. “Zero-knowledge Proofs of Identity.” Journal of Cryptology, 1 (1988) 77–94.

[Guillou_Quisquater_1988] Guillou, L. C. and Quisquater, J. -J. “A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory.” Advances in Cryptology — EUROCRYPT’88 LNCS 330, (1988) 123–128.

[Brickell_Mccurley_1992] Brickell, E. F. and Mccurley, K. S. “An interactive identification scheme based on discrete logarithms and factoring.” Journal of Cryptology, 5 (1992) 29–39.

[Okamoto_1993] Okamoto, T. “Provably secure and practical identification schemes and corresponding signature schemes.” Advances in Cryptology  — CRYPTO’92 LNCS 740, (1993) 31–53.

[Nguyen_2005] Nguyen, L. “Accumulators from Bilinear Pairings and Applications.” In Topics in Cryptology — CT-RSA’05, LNCS 3376, (2005) 275–292.

[Dwork_Naor_Sahai_1998] Dwork, C., Naor, M. and Sahai, A. “Concurrent Zero-Knowledge.” Proc. 30th ACM Symposium on the Theory of Computing, (1998), 409–418.

[Feige_Shamir_1990] Feige, U. and Shamir, A. “Witness Indistinguishable and Witness Hiding Protocols.” In Proceedings of 22nd STOC, ACM Press, (1990) 416–426.