R. Canetti, O. Goldreich, S. Goldwasser, and S. Micali. Resettable Zero-Knowledge. In 32nd ACM Symposium on the Theory of Computing, pages 235--244, 2000.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....sucient for most applications, there exist a number of generic constructions to turn a special honest veri er zero knowledge protocol into one that satis es stronger notions of zero knowledge. The most important examples are probably the constructions to obtain concurrent zero knowledge protocols [23, 25, 15] or witness hiding protocols [19] In particular, the construction due to Damg ard achieves (concurrent) zero knowledge virtually for free [23] 2.3 Secure Public Key Encryption Here, we recall the notion of a public key encryption scheme. Actually, we need the notion of a public key encryption ....

R. Canetti, O. Goldreich, S. Goldwasser, and S. Micali. Resettable zero-knowledge. In Proc. 32st Annual ACM Symposium on Theory of Computing (STOC), pages 235-244. ACM Press, 2000.

....if Alice and Bob are both computationally bounded, then a one round protocol exists also in the malicious model, provided they share a random string and that Alice has a public key for which she is guaranteed to know the private key. This is a realistic model, which is also used elsewhere (e.g. [10]) These results seem essentially optimal because one round of communication is needed to implement oblivious transfer [20] Securing Autonomous Mobile Agents. One round secure computation has been recognized as the solution for keeping the privacy of mobile code intact [24] Here, a code ....

R. Canetti, O. Goldreich, S. Goldwasser, and S. Micali, "Resettable zeroknowledge, " in Proc. 32nd STOC, 2000.

....three rounds. Finally, we consider a model of computation in which the prover s use of randomness is severely restricted, as, for example, in the case of a smart card, in which the prover may have a short embedded truly random seed and read only memory. Canetti, Goldreich, Goldwasser, and Micali [9] give one formalization, termed resettable zero knowledge (rZK) Informally, a protocol protects a witness (either in the zeroknowledge sense or in the indistinguishability sense) in the resettable model if the protection holds even if the prover may be re started (reset) many times and forced to ....

....prover may be re started (reset) many times and forced to repeatedly use the same random tape (the prover may also be re started using a different, but still random, tape) Using zaps and timed commitments, we construct a 3 round timing based rZK proof system for any language in NP. As noted in [9], rZK proofs cannot be proofs of knowledge, so, despite the connections between smart card, resettable, and concurrent zero knowledge [9, 28] this result is incomparable with our 3 round concurrent ZK proofs of knowledge. We also observe that 2 round (and even non constructive 1 round) ....

[Article contains additional citation context not shown here]

R. Canetti, O. Goldreich, S. Goldwasser, and S. Micali, Resettable Zero-Knowledge, Proc. 32nd ACM Symp. Theory of Computing, 2000, pp. 235--244.

.... a solution s 2 R(x) with probability at least p(x; y; r) jxj) The use there is critical as it can be shown that if the knowledge extractor is restricted to only black box access to the prover, then resettable zero knowledge arguments of knowledge are possible for languages in BPP only, see [25]. An interactive pair (P; V ) so that V is a knowledge veri er for a relation R and P is a machine satisfying the non triviality condition (with respect to V and R) is called an argument of knowledge for the relation R. The input 1 is provided to allow K to run in time which is (some xed) ....

S. G. Ran Canetti, Oded Goldreich and S. Micali. Resettable Zero-Knowledge. Cryptology STOC, pages 235-244, 2000.

....oracle access to V and can invoke it at the cost of one step. The use there is critical as it can be shown that if the knowledge extractor is restricted to only black box access to the prover, then resettable zero knowledge arguments of knowledge are possible for languages in BPP only, see [24]. Denote by p(x; y; r) the probability that the interactive machine V accepts, on input x, when interacting with the prover P upon input x, auxiliary input y and random tape r. Let t denote a bound on the maximum running time of P when its first input is x. Then, machine K, upon input ....

S. G. Ran Canetti, Oded Goldreich and S. Micali. Resettable Zero-Knowledge. Cryptology

....three rounds. Finally, we consider a model of computation in which the prover s use of randomness is severely restricted, as, for example, in the case of a smart card, in which the prover may have a short embedded truly random seed and read only memory. Canetti, Goldreich, Goldwasser, and Micali [9] give one formalization, termed resettable zero knowledge (rZK) Informally, a protocol protects a witness (either in the zero knowledge sense or in the indistinguishability sense) in the resettable model if the protection holds even if the prover may be re started (reset) many times and forced to ....

....prover may be re started (reset) many times and forced to repeatedly use the same random tape (the prover may also be re started using a different, but still random, tape) Using zaps and timed commitments, we construct a 3 round timing based rZK proof system for any language in NP. As noted in [9], rZK proofs cannot be proofs of knowledge, so, despite the connections between smart card, resettable, and concurrent zero knowledge [9, 28] this result is incomparable with our 3 round concurrent ZK proofs of knowledge. We also observe that 2 round (and even non constructive 1 round) ....

[Article contains additional citation context not shown here]

R. Canetti, O. Goldreich, S. Goldwasser, and S. Micali, Resettable Zero-Knowledge, Proc. 32nd ACM Symp. Theory of Computing, 2000, pp. 235--244.

....work, Barak, Goldreich, Goldwasser and Lindell [BGGL01] have shown another case where a black box impossibility result does not hold in the general setting. Using results of the current paper, they construct an argument of knowledge 19 that is zero knowledge in the resettable model. As noted by [CGGM00], this is trivially impossible in the black box model. Black box reductions. There are also several negative results regarding what can be achieved using black box reductions between two cryptographic primitives (rather than black box use of an adversary by a simulator) Although this paper does ....

Ran Canetti, Oded Goldreich, Shafi Goldwasser, and Silvio Micali. Resettable zero-knowledge (extended abstract). In ACM, editor, Proceedings of the 32nd annual ACM Symposium on Theory of Computing: Portland, Oregon, May 21--23, [

.... the collective set of interactive proofs) Several recent works have overcome the diculty of the asynchronous setting by putting limits on the asynchronisity of the system (timing assumptions) 10,11,6,9] or by making some set up assumptions on the environment (such as a public key infrastructure) [7,4]. 1.6 Terminology Some words on the terminology we are using. By zero knowledge we mean computational zero knowledge, i.e. the distribution output by the simulation is polynomial time indistinguishable from the distribution of the views of the veri er in the original interaction. Our proof is ....

Canetti, R., Goldreich, O., Goldwasser, S., Micali, S.: Resettable zero-knowledge (extended abstract). In ACM, ed.: Proceedings of the thirty second annual ACM Symposium on Theory of Computing: Portland, Oregon, May 21-23, [

.... in polynomial time (by a black box simulator) Recent works have (successfully) attempted to overcome the above difficulties by augmenting the communication model with the so called timing assumption [6, 7] or, alternatively, by using various set up assumptions (such as the public key model [4, 5]) 1 For a while it was not clear whether it is even possible to come up with a concurrent zero knowledge protocol (not to mention an efficient one) without making any kind of timing or set up assumptions. It was therefore a remarkable achievement when Richardson and Kilian [20] proposed a ....

R. Canetti, O. Goldreich, S. Goldwasser, and S. Micali. Resettable ZeroKnowledge. In 32nd STOC, 2000.

No context found.

R. Canetti, O. Goldreich, S. Goldwasser, and S. Micali. Resettable Zero-Knowledge. In 32nd ACM Symposium on the Theory of Computing, pages 235--244, 2000.

No context found.

R. Canetti, O. Goldreich, S. Goldwasser, and S. Micali. Resettable Zero-Knowledge. STOC 2000.

....by modifying the standard model in a number of ways. Dwork, Naor and Sahai augment the communication model with assumptions on the maximum delay of messages and skews of local clocks of parties [12, 13] Damgard uses a common random string [11] and Canetti et.al. use a public registry file [7]. A different approach would be to try and achieve security properties that are weaker than zero knowledge but are still useful. For example, Feige and Shamir consider the notion of witness indistinguishability [14, 15] which is preserved under concurrent composition. f(n) Omega (h(n) ....

R. Canetti, O. Goldreich, S. Goldwasser, and S. Micali. Resettable Zero-Knowledge. In 32nd STOC, pages 235--244 ,2000.

....Still, in absence of more appealing alternatives (i.e. a constant round concurrent zero knowledge protocol for the pure asynchronous model) the use of the timing model may be considered reasonable. We comment than other alternatives to the timing model include various set up assumptions; cf. [26, 30]. Back to parallel composition: Given our opinion about the timing model, it is not surprising that we consider the problem of parallel composition almost as important as the problem of concurrent composition in the timing model. Firstly, it is quite reasonable to assume that the parties ....

.... The practical importance is due to the fact that in many settings it is impossible or undesirable to generate fresh randomness on the fly (or to maintain a state between executions) Resettable Zero Knowledge (rZK) Resettability of players in a cryptographic protocol was first considered in [26], which studies what happens to the security of zero knowledge interactive proofs and arguments when the verifier can reset the prover to use the same random tape in multiple concurrent executions. Protocols that remain zero knowledge against such a verifier, are called resettable zero knowledge ....

[Article contains additional citation context not shown here]

R. Canetti, O. Goldreich, S. Goldwasser, and S. Micali. Resettable Zero-Knowledge. In 32nd ACM Symposium on the Theory of Computing, pages 235--244, 2000.

....in a cryptographic procotol are implemented by devices which cannot reliably keep state (e.g. smart cards) being maliciously reset to a prior state could be a real threat. 1. 1 Resettable Provers Resettability of players in a cryptographic protocol was first addressed by Canetti et al. in [7] who considered what happens to the security of zero knowledge interactive proofs and arguments when the verifier can reset the prover to use the same random tape in multiple executions. Protocols which remain zero knowledge against such a verifier, are called resettable zero knowledge (rZK) ....

....of Canetti et al. answers this question affirmatively, under some standard complexity assumptions. Specifically, assuming the existence of 1 perfectly hiding and computationally binding commitment schemes, resettable zero knowledge interactive proofs for NP using polynomially many rounds do exist [7]. 1 In order to obtain a constant round rZK protocol, Canetti et al. introduced a weak public key model and used a strong intractability assumption the existence of a perfectly hiding and computationally binding commitment scheme that cannot be broken by sub exponential size circuits, and not ....

[Article contains additional citation context not shown here]

R. Canetti, O. Goldreich, S. Goldwasser, and S. Micali. Resettable Zero-Knowledge. In 32nd STOC, pages 235--244, 2000.

....Still, in absence of more appealing alternatives (i.e. a constantround concurrent zero knowledge protocol for the pure asynchronous model) the use of the timing model may be considered reasonable. We comment than other alternatives to the timing model include various set up assumptions; cf. [7, 9]. On parallel composition: Given our opinion about the timing model, it is not surprising that we consider the problem of parallel composition almost as important as the problem of concurrent composition in the timing model. Firstly, it is quite reasonable to assume that the parties local ....

R. Canetti, O. Goldreich, S. Goldwasser, and S. Micali. Resettable Zero-Knowledge. In 32nd STOC, pages 235--244, 2000.

No context found.

R. Canetti, O. Goldreich, S. Goldwasser, S. Micali. Resettable Zero Knowledge. In Proc. of ACM STOC 2000.

No context found.

R. Canetti, O. Goldreich, S. Goldwasser, S. Micali. Resettable Zero Knowledge. In Proc. of ACM STOC'00, pp.235-244, 2000.

No context found.

R. Canetti, O. Goldreich, S. Goldwasser, and S. Micali. Resettable Zero-Knowledge. In Proc. 32th STOC, pages 235--244. ACM, 2000.

No context found.

Canetti, R., Goldreich, O., Goldwasser, S., Micali, S.: Resettable Zero-Knowledge. In: Proceedings of the 32nd ACM Symposium on Theory of Computing (STOC '00), 235-244

No context found.

R. Canetti, O. Goldreich, S. Goldwasser and S. Micali. Resettable Zero-Knowledge. In 32nd STOC, pages 235--244, 2000.

No context found.

R. Canetti, O. Goldreich, S. Goldwasser and S. Micali. Resettable zero-knowledge. In Proc. 32nd Annual ACM Symposium on Theory of Computing May 2000.

No context found.

R. Canetti, O. Goldreich, S. Goldwasser and S. Micali. Resettable Zero-Knowledge. In ACM Symposium on Theory of Computing, pages 235-244, 2000.

No context found.

R. Canetti, O. Goldreich, S. Goldwasser, and S. Micali. Resettable Zero-Knowledge. In 32nd STOC, pages 235--244 ,2000.

No context found.

R. Canetti, O. Goldreich, S. Goldwasser and S. Micali, Resettable zero-knowledge, Proc. 32nd ACM Symp. on Theory of Computing, 2000, pp. 235--244.

No context found.

R. Canetti, O. Goldreich, S. Goldwasser, and S. Micali. Resettable Zero-Knowledge. In 32nd STOC, pages 235--244 ,2000.

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC