M. Naor. Bit Commitment using Pseudorandom Generators. Jour. of Cryptology, Vol. 4, pages 151--158, 1991.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....commitments that were sent earlier in the simulation) See details in [13] Finally, we note that the commitment scheme aHCG can be implemented using one way functions only. In order for this to be the case, the underlying Com commitment used in aHCG is replaced by the commitment scheme of [41], that can be based on any one way function. Indeed, the [41] scheme produces random looking commitments, as required by aHCG . In addition, we modify the protocol so that B also sends the receiver message from the [41] commitment in Step 1. 7. MULTI PARTY UC COMPUTATION We discuss how the ....

....See details in [13] Finally, we note that the commitment scheme aHCG can be implemented using one way functions only. In order for this to be the case, the underlying Com commitment used in aHCG is replaced by the commitment scheme of [41] that can be based on any one way function. Indeed, the [41] scheme produces random looking commitments, as required by aHCG . In addition, we modify the protocol so that B also sends the receiver message from the [41] commitment in Step 1. 7. MULTI PARTY UC COMPUTATION We discuss how the two party construction of Theorem 3 is extended to the setting of ....

[Article contains additional citation context not shown here]

M. Naor, Bit Commitment using Pseudorandom Generators. Journal of Cryptology, Vol. 4, pages 151-158, 1991.

....value x, the committer presents x and w to F zk again but this time the relation used by F zk asserts two properties: rst that R(x; w) holds, and second that w is the same value that was previously committed to. To guarantee security against static adversaries, the commitment scheme of Naor [n91] is suf cient as an instantiation of the scheme C. We thus obtain a protocol for securely realizing F cp in the F zk hybrid model, based on any one way function. To guarantee security against adaptive adversaries we need adaptively secure commitment schemes, namely commitment schemes where a ....

....a perfectly binding commitment scheme, and denote by C(w; r) a commitment to a string w using a random string r. For simplicity, we use a non interactive commitment scheme. Such schemes exist assuming the existence of 1 1 one way functions, see [g01] Alternatively, we could use the Naor scheme [n91] that can be based on any one way function, rather than requiring 1 1 one way functions. In this scheme, the receiver sends an initial message and then the committer commits. This changes the protocol and analysis only slightly. We note that in fact, the use of perfect binding is not essential ....

[Article contains additional citation context not shown here]

M. Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, 4(2):151-158, 1991.

.... k (x 1 ; r 1 ) commit k (x 2 ; r 2 ) That is, for every polynomial size circuit C = fC n g n2N P r[C n (k) x 1 ; r 1 ) x 2 ; r 2 ) commit k (x 1 ; r 1 ) commit k (x 2 ; r 2 ) negl(n) where the probability is over a uniformly chosen k KEY n ) It was proven by Naor in [Na91] that commitment schemes exist, assuming the existence of one way function ensembles. For the purposes of this paper, we need a special commitment scheme, which we denote by COMM = fCOMM n g n2N . For any polynomial m( COMM is a commitment scheme that for every n 2 N and for every k 2 KEY n ....

M. Naor. Bit commitment using pseudorandom generators. Journal of Cryptology, Vol.4, pages 151-158, 1991. 46

....the bounded honest but curious model. Third, T g applies to protocol (A OT ) the construction of [IL89] to obtain a one way function F . Fourth, T g uses the result of [HILL99] to transform F into a pseudo random (in the sense of [BM82, Yao82] generator G. Fifth, T g uses the result of [Nao89] to transform G into a bit commitment protocol BC. Finally, due to Fact 3, T g uses BC and the compiler of [GMW87] to transform (A g ) into a protocol (A g ; B g ) that securely computes g in the bounded malicious model. This completes the proof of Claim 4. Claims 3 and 4 together yield ....

M. Naor. Bit commitment using pseudorandom generators. J. of Cryptology, 4:151-158, 1991. Preliminary version in Advances in Cryptology { CRYPTO '89, 1989.

....almost uniformly (cf. 44] by itself) however, what we seek is zero knowledge proofs for statements that the verifier cannot decide by itself. 4. 1 Constructing Zero Knowledge Proofs for NP sets Assuming the existence of commitment schemes , which in turn exist if one way functions exist [76, 68], there exist (auxiliary input) zero knowledge proofs of membership in any NP set (i.e. sets having efficiently verifiable static proofs of membership) These zero knowledge proofs, first constructed by Goldreich, Micali and Wigderson [57] and depicted in Figure 2) have the following important ....

.... proofs, first constructed by Goldreich, Micali and Wigderson [57] and depicted in Figure 2) have the following important property: the prescribed prover strategy is efficient, provided it is given as auxiliary input an NP witness to the assertion (to be proven) That is: Theorem 5 ( 57] using [68, 76]) If one way functions exist then every set S 2 NP has a zeroknowledge interactive proof. Furthermore, the prescribed prover strategy can be implemented in probabilistic polynomial time, provided it is given as auxiliary input an NP witness for membership of the common input in S. Theorem 5 ....

M. Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, Vol. 4, pages 151--158, 1991.

....x, the committer presents x and w to zk again but this time the relation used by zk asserts two properties: first that R(x, w) holds, and second that w is the same value that was previously committed to. To guarantee security against static adversaries, the commitment scheme of Naor [n91] is sufficient as an instantiation of the scheme C. We thus obtain a protocol for securely realizing zk hybrid model, based on any one way function. To guarantee security against adaptive adversaries we need adaptively secure commitment schemes, namely commitment schemes where a simulator ....

....a perfectly binding commitment scheme, and denote by C(w; r) a commitment to a string w using a random string r. For simplicity, we use a non interactive commitment scheme. Such schemes exist assuming the existence of 1 1 one way functions, see [g01] Alternatively, we could use the Naor scheme [n91] that can be based on any one way function, rather than requiring 1 1 one way functions. In this scheme, the receiver sends an initial message and then the committer commits. This changes the protocol and analysis only slightly. We note that in fact, the use of perfect binding is not essential ....

[Article contains additional citation context not shown here]

M. Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, 4(2):151--158, 1991.

....one, and thus choose to send a message in the second interaction as a function of messages received in the first. We stress that, in each of these interleaved interactions, the prover (i.e. each prover clone) is not aware of any other interaction, nor of having been cloned. Or, equivalently [36, 32], that one way functions exist. Zero knowledge proofs in which the prover is deterministic exist only for BPP languages (cf. 26] For instance, in [17] it suffices to repeat the protocol twice with the same prover coins to be able to extract the prover s secret. In a preliminary ....

....such (two round) commitment schemes in the above protocol. Recall that the existence of such a scheme implies the existence of one way functions [33] which suffices for constructing pseudorandom generators [32] pseudorandom functions [20] and (two round) perfectly binding commitment schemes [36]. Our description can be easily modified to utilize the latter, rather than a one round perfectly binding scheme which may be constructed assuming that one way permutations exist. Clearly, the above protocol constitutes an interactive proof system for 3 colorability (since as far as cheating ....

M. Naor. Bit Commitment using Pseudorandom Generators. Jour. of Cryptology, Vol. 4, pages 151--158, 1991.

....By now, zero knowledge is the accepted way to define and prove security of various cryptographic tasks. Its generality was demonstrated by Goldreich, Micali and Wigderson [18] who showed that any NP statement can be proven in zero knowledge, provided commitment schemes exist (or, equivalently [26, 24], one way functions exist) An important application of zero knowledge proposed by Fiat and Shamir [11] was proving identity. Alongside many applications, the notion of zero knowledge raises a few important questions. Parallel composition. The first question is whether zero knowledge is ....

M. Naor. Bit Commitment using Pseudorandom Generators. Jour. of Cryptology, Vol. 4, pages 151--158, 1991.

....scheme based on one way permutations, by requiring that any commitment to s is preceded by a commitment to . That is, define C (s) Commit(0 ) Commit(s) where each bit is separately committed to using C(oe) f(U n ) b(U n ) Phi oe) We note that the Naor commitment scheme [11] as is, has both of these above properties. Although the [11] commitment scheme is interactive, the receiver message can be hardwired into the common reference string, and so suffices for our needs here. Strong one time signature schemes. Loosely speaking, a one time signature scheme is an ....

....any commitment to s is preceded by a commitment to . That is, define C (s) Commit(0 ) Commit(s) where each bit is separately committed to using C(oe) f(U n ) b(U n ) Phi oe) We note that the Naor commitment scheme [11] as is, has both of these above properties. Although the [11] commitment scheme is interactive, the receiver message can be hardwired into the common reference string, and so suffices for our needs here. Strong one time signature schemes. Loosely speaking, a one time signature scheme is an existentially unforgeable signature scheme (secure against a ....

M. Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, Vol. 4, pages 151--158, 1991.

....perfectly binding commitment schemes can be constructed using any 1 1 one way function (see Section 4.4. 1 of [17] Allowing some minimal interaction (in which the receiver first sends a single message) almost perfectly binding) commitment schemes can be obtained from any one way function [25]. 3.1.2 Perfectly hiding commitment schemes We now informally describe the requirements for a perfectly hiding commitment scheme. In such a scheme, the binding property is guaranteed to hold only with respect to a polynomial time bounded sender. On the other hand, the hiding property is ....

....the committing party send a perfectly binding commitment of its input to the other party, followed by a zero knowledge proof of knowledge of the committed value. Both constant round commitment schemes and constant round zero knowledge arguments of knowledge are known to exist by the works of Naor [25] and Feige and Shamir [15] respectively (these constructions can also be based on any one way function) Thus the input commitment phase can be implemented as required for Proposition 4.1. 2 Next, we recall that a secure implementation of the protocol emulation phase requires zero knowledge ....

[Article contains additional citation context not shown here]

M. Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, Vol. 4, pages 151--158, 1991.

....this was a conceptual mistake. We comment that parallel composition is problematic also in the context of reducing the soundness error of arguments (cf. 3] but our focus here is on the zero knowledge aspect of protocols regardless if they are proofs, arguments or neither. 1 Or, equivalently [25, 22], that one way functions exist. 2 3. Concurrent composition: This notion generalizes both the previous ones. Here (polynomially) many instances of the protocol are invoked at arbitrary times and proceed at arbitrary pace. That is, we assume an asynchronous (rather than synchronous) model of ....

....sends c 1;1 ; c n;t to the verifier. 14 Non interactive perfectly binding commitment schemes can be constructed using any one way permutation. In case one wishes to rely here only on the existence of one way functions, one may need to use Naor s two round perfectly binding commitment scheme [25]. This calls for minor modification of the description below. 11 Verifier s decommitment step (V2) The verifier decommits the sequence e = u 1 ; v 1 ) u t ; v t ) to the prover. Namely, the verifier send (s; e) to the prover. Motivating Remark: At this point the entire commitment of ....

M. Naor. Bit Commitment using Pseudorandom Generators. J. of Crypto., Vol. 4, pages 151--158, 1991.

....By now, zero knowledge is the accepted way to define and prove security of various cryptographic tasks. Its generality was demonstrated by Goldreich, Micali and Wigderson [18] who showed that any NP statement can be proven in zero knowledge, provided commitment schemes exist (or, equivalently [26, 24], one way functions exist) An important application of zero knowledge proposed by Fiat and Shamir [11] was proving identity. Alongside many applications, the notion of zero knowledge raises a few important questions. Parallel composition. The first question is whether zero knowledge is ....

M. Naor. Bit Commitment using Pseudorandom Generators. Jour. of Cryptology, Vol. 4, pages 151--158, 1991.

....a major open problem (which in fact may be considered unprovable using current tools) Below we shortly elaborate on some of the implications shown in Fig. 2 1. For 32 extensive background and formal treatment of some of the major primitives and the relations between them we refer the reader to [Nao91, IL89, HILL99, Gol95, Gol98] and references therein, and for the PIR related results in the gure we refer the reader to Chapter 4. Primitives that are equivalent to one way functions Pseudorandom Generators Functions. Informally, a pseudorandom generator is a deterministic algorithm which expands a short truly random ....

....b semantically secure [GM84] and Binding For any probabilistic polynomial time (possibly dishonest) Alice , only with negligible probability can Alice cheat by coming up, following the commit phase, with decommitment strings dec 0 ; dec 1 that are opened by Bob as di erent bits. Naor [Nao91] proved that commitment schemes can be constructed based on pseudorandom generators (and thus based on any one way function) Primitives that require a stronger assumption Oblivious Transfer. The oblivious transfer primitive was described in a previous section. Kilian [Kil88] showed that ....

[Article contains additional citation context not shown here]

M. Naor. Bit commitment using pseudorandom generators. J. of Cryptology, 4:151-158, 1991.

....one, and thus choose to send a message in the second interaction as a function of messages received in the first. We stress that, in each of these interleaved interactions, the prover (i.e. each prover clone) is not aware of any other interaction, nor of having been cloned. 1 Or, equivalently [40, 35], that one way functions exist. 2 Zero knowledge proofs in which the prover is deterministic exist only for BPP languages (cf. 29] 3 For instance, in [20] it suffices to repeat the protocol twice with the same prover coins to be able to extract the prover s secret. 4 In a preliminary ....

....first message, and the verifier sends a single message) but is not witness indistinguishable in the hybrid model (since the verifier can obtain a full coloring of the graph by invoking the prover many times on the same r1 . In case the prover s commitment is via a two round commitment scheme (cf. [40], the proof system is not admissible (since the verifier has total freedom in selecting the edges) 16 See discussion following this abstract presentation. 18 There is one problem, however, with the above presentation. In Step (V1) we have assumed the existence of a 1 round (i.e. ....

M. Naor. Bit Commitment using Pseudorandom Generators. Jour. of Cryptology, Vol. 4, pages 151--158, 1991.

No context found.

M. Naor. Bit Commitment using Pseudorandom Generators. Jour. of Cryptology, Vol. 4, pages 151--158, 1991.

No context found.

M. Naor. Bit Commitment Using Pseudorandom Generators. Journal of Cryptology, 4:151--158, 1991.

No context found.

M. Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, 4(2):151--158, 1991.

No context found.

M. Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, Vol. 4, pages 151--158, 1991. Preliminary version in Crypto89, pages 123--132.

No context found.

M. Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, Vol. 4, pages 151-158, 1991.

No context found.

M. Naor. Bit Commitment Using Pseudorandom Generators. J. Crypto. 4(2): 151--158, 1991.

No context found.

M. Naor. Bit Commitment Using Pseudorandom Generators. J. Crypto. 4(2): 151--158, 1991.

No context found.

M. Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, Vol. 4, pages 151--158, 1991. Preliminary version in Crypto89, pages 123--132.

No context found.

M. Naor. Bit Commitment Using Pseudorandom Generators. Journal of Cryptology, 4:151--158, 1991.

No context found.

Moni Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, 4(2):151--158, 1991.

No context found.

M. Naor. Bit Commitment using Pseudorandom Generators. Journal of Cryptology, 4(2):151--158, 1991.

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC