Construct Schnorr Protocol can only verify by designated verifier

Question

Currently I have a DLP as following, $y = g^x \bmod p$, I can easily construct a proof of knowledge by using Schnorr Protocol.

But I would like to put it a a system of 2 parties with public key and private key as following.

Prover has private key $x_p$ and public key $y_p = g^{x_p}$
Verifier has private key $x_v$ and public key $y_p = g^{x_v}$

Is it possible i can construct a proof of knowledge that prover knowing $x$ in $y = g^x \bmod p$ and only can be verified by designated verifier with public key $y_p$?

Jeff Lee · Accepted Answer · 2020-04-14T15:15:41.677

I try to add a trap door commitment to a non-interactive schnoor protocol. Trap door protocol provide a back door for selected verifier by public key.

Cryptography setup

$y=g^x$ where $r$ is the secret to prove
$y'=g^{x'}$ where $y$ is the public key of the verifier and $x'$ is the private key of the verifier

Construct the proof

Pick $w$, $r$, $d$ randomly in $Z_q$
$c=g^wy'^r$
$t=g^d$
$h=hash_q(c, t)$
$s=d + (h + w)x$
$(w, r, t, s)$ is the proof and send to verifier

Verification

$c=g^w y'^r$
$h = hash_q(c, t)$
verify $g^s = ty^{h+w}$

Simulating Transcript

Pick $\alpha$, $\beta$ randomly in $Z_q$
$c=g^\alpha$
$t=g^sy^{-\beta}$
$h=hash_q(c ,t)$
$r = (\alpha - w)(-x')$
$w = \beta - h$
$(w, r, t, s)$ is the transcript

Because of the trap door commitment, designated verifier ($y'$) can create a valid proof. But only the designated verifier know the proof is come from himself or prover. For others, they can't tell the proof is come from designated verifier or prover. Only designated verifier or prover know the proof is created by who. So only designated verifier can be convinced in this protocol.

So this protocol, can convince designated verifier knowledge of r in Schnorr Protocol. The verifier can't transfer the proof to others and he is the only one can be convinced.

Crypto Learner · Answer 2 · 2020-04-13T04:28:12.520

0

Ok, let's try without the Prover's keys.

The Prover chooses $k,t$ and commits to a random value $k$, and calculates $c= y_v^k$;
The Verifier sends a $m$ chosen at random;
Prover calculates $r=h(m,c)$; and $s = kt^{-1} -rx$. Finally sends $(r,s,t)$ to the Verifier.
Verifier can check if $h(m,(g^sy^r)^{tx_v} \bmod p) = r$

edited Apr 13 '20 at 04:28

answered Apr 13 '20 at 01:21

Crypto Learner

648
6
16

score 0 · Answer 3 · answered Apr 13 '20 at 11:13

0

Designated verifier is an OR proof against verifier public key. It goes like "either something holds, OR I know verifier' secret". OR is the well-known "add two challenges" scheme of Schoenmakers et al.

answered Apr 13 '20 at 11:13

Vadym Fedyukovych

2,347
14
19

Construct Schnorr Protocol can only verify by designated verifier

3 Answers3

Linked