Escrowed deniable identification schemes

Abstract

Generally, the goal of identification schemes is to provide security assurance against impersonation attacks. Identification schemes based on zero knowledge protocols have more advantages, for example, deniability, which enables the prover to deny an identification proof so that the verifier couldn't persuade others that it is indeed the prover who identified itself to him. This kind of identifications is called 'deniable identification'. However, in some applications we require the existence of a (trusted) party being able to find out an evidence that a party did identify itself to a verifier is required, in order to prevent parties from misbehavior. So in this case 'undeniability' is needed. To the best of our knowledge, an identification scheme that provides both deniability and undeniability does not exist in the literature. In this work we propose the notion of escrowed deniable identification schemes, which integrates both 'escrowed deniability' (undeniability) and 'deniability' properties. Intuitively, in the online communication, a verifier may sometimes need to provide an evidence of a conversation between himself and the prover, for instance, an evidence for the case of misuse of the prover's privilege. We then provide an escrowed deniable identification scheme, and prove its security, i.e. impersonation, deniability and escrowed deniability, in the standard model based on some standard number theoretic assumptions.