Oblivious Digital Tokens

📅 2025-03-05
🤖 AI Summary
In wartime scenarios, device authentication operations are vulnerable to detection, compromising operational security. Method: This paper proposes Oblivious Digital Tokens (ODTs), enabling verifiers to confirm whether a device holds a valid token without revealing—either to the device, third parties, or adversaries—that verification is occurring. We formalize and construct the first “undetectable verification” cryptographic primitive, overcoming the fundamental limitation in conventional authentication where verification events inherently leak metadata. Our construction integrates zero-knowledge proofs, hardware-enforced trusted execution environments (TEEs), oblivious transfer, and verifiable random functions (VRFs) into a collusion-resistant protocol, proven secure even under full software compromise of the device. Results: A prototype implementation achieves sub-120 ms verification latency and less than 1.5 KB communication overhead, demonstrating practical feasibility and real-world applicability.

📝 Abstract
A computing device typically identifies itself by exhibiting unique measurable behavior or by proving its knowledge of a secret. In both cases, the identifying device must reveal information to a verifier. Considerable research has focused on protecting identifying entities (provers) and reducing the amount of leaked data. However, little has been done to conceal the fact that the verification occurred. We show how this problem naturally arises in the context of digital emblems, which were recently proposed by the International Committee of the Red Cross to protect digital resources during cyber-conflicts. To address this new and important open problem, we define a new primitive, called an Oblivious Digital Token (ODT) that can be verified obliviously. Verifiers can use this procedure to check whether a device has an ODT without revealing to any other parties (including the device itself) that this check occurred. We demonstrate the feasibility of ODTs and present a concrete construction that provably meets the ODT security requirements, even if the prover device's software is fully compromised. We also implement a prototype of the proposed construction and evaluate its performance, thereby confirming its practicality.

Problem

Research questions and friction points this paper is trying to address.

Concealing verification occurrence in digital identification
Protecting digital resources during cyber-conflicts
Ensuring security with compromised prover devices

Innovation

Methods, ideas, or system contributions that make the work stand out.

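Oblivious Digital Tokens (ODTs) are a new primitive that can be verified obliviously.
Verification occurs without revealing to any other party, including the device itself, that the check took place.
The construction meets the ODT security requirements even if the prover device's software is fully compromised.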