Moni Naor, Rafail Ostrovsky, Ramarathnam Venkatesan, and Moti Yung. Perfect zero-knowledge arguments for NP using any one-way permutation. Journal of Cryptology, 11(2):87--108, 1998. Preliminary version in CRYPTO '92.
.... scheme based on any quantum one way permutation [4]. This scheme is statistically concealing and computationally binding, and reduces the number of interactions and the total amount of communication compared with the classical counterpart proposed by Naor, Ostrovsky, Venkatesen, and Young [9]. Incidentally, the way to convert the favor of a quantum bit commitment was also shown by Crepeau, Legare and Salvail [3]. There are several measures for the cost of communication, the number of interactions, the total number of bits communicated, and so on. In this paper, we focus on the number ....
Naor, M., Ostrovsky, R., Ventkatesan, R., and Young, M. Perfect zero-knowledge arguments for NP using any one-way permutation. Journal of Cryptology 11, 2 (1998), 78--108.
....binding and computationally concealing bit commitment [21]. The two part proof also holds in the quantum setting. For unconditionally concealing commitments, the weakest computational assumption for which a reduction was found is the existence of a family of classical one way permutations [22]. However, the proof is not extendable to the quantum world [9]. Nevertheless, it was proven that computationally binding and unconditionally concealing quantum bit commitment can be based on any family of quantum one way permutations [9]. Unfortunately, although we have candidates for quantum ....
....(using standard simulation techniques) thus breaking the concealing condition of BBC as defined in Sect. 2.2. The adversary (C n ) n 0 is specified by a uniform family of quantum circuits whenever A n n 0 is a uniform family. Our reduction is therefore uniformity preserving [22]. It is an interesting open problem to find an exact polynomial time black box reduction. One consequence of Theorem 5.0.3 is that concealing commitment schemes can be built from any quantum one way function. We first observe that Naor's commitment scheme [21] is also secure against the quantum ....
Naor, M., R. Ostrovsky, R. Ventkatesan, and M. Young, "Perfect Zero-Knowledge Arguments For NP Using Any One-Way Permutation ", Journal of Cryptology, vol. 11, no 2, 1998, pp. 87 -- 108.
....in Computer Science (www.brics.dk) funded by the Danish National Research Foundation. commitments can be based upon any one way function [17, 11, 7]. On the other hand, the weakest known assumption for concealing but computationally binding commitments is the existence of one way permutations [18]. It seems that in the classical world, concealing commitments are more difficult to achieve than binding ones. The two flavors allow for different cryptographic applications. For example, computational zero knowledge proofs [8, 9] can be constructed from binding commitments whereas perfect ....
Naor, M., R. Ostrovsky, R. Ventkatesan, and M. Young, "Perfect Zero-Knowledge Arguments For NP Using Any One-Way Permutation", Journal of Cryptology, vol. 11, no 2, 1998, pp. 87 - 108.
....in Computer Science (www.brics.dk) funded by the Danish National Research Foundation. commitments can be based upon any one way function [17, 11, 7]. On the other hand, the weakest known assumption for concealing but computationally binding commitments is the existence of one way permutations [18]. It seems that in the classical world, concealing commitments are more difficult to achieve than binding ones. The two flavors allow for different cryptographic applications. For example, computational zero knowledge proofs [8, 9] can be constructed from binding commitments whereas perfect ....
NAOR, M., R. OSTROVSKY, R. VENTKATESAN, and M. YOUNG, "Perfect Zero-Knowledge Arguments For NP Using Any One-Way Permutation", Journal of Cryptology, vol. 11, no 2, 1998, pp. 87-108.
....the result that it is impossible to implement 1 2 OT (information theoretically) given only a clear channel. Our upper bounds for (p; q) WOT and (p; q; WOT use some reductions first used in [9]. The reduction from bit commitment to ( UNC is based on the interactive hashing technique of [16]. The precise hashing method of [16] doesn't work for our application; instead we use families of universal hash functions [10]. Hash functions are ubiquitous in cryptography; two classic results on achieving privacy with universal hash functions are [13] and [1]. For the specifics of our analysis ....
....to implement 1 2 OT (information theoretically) given only a clear channel. Our upper bounds for (p; q) WOT and (p; q; WOT use some reductions first used in [9]. The reduction from bit commitment to ( UNC is based on the interactive hashing technique of [16]. The precise hashing method of [16] doesn't work for our application; instead we use families of universal hash functions [10]. Hash functions are ubiquitous in cryptography; two classic results on achieving privacy with universal hash functions are [13] and [1]. For the specifics of our analysis we use bounds on their behaviour ....
[Article contains additional citation context not shown here]
M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung. "Perfect zero-knowledge arguments for NP using any one-way permutation". Journal of Cryptology, vol. 11, 1998.
....says nothing about the complexity of the attack. In this paper, we construct an unconditionally concealing quantum bit commitment scheme which can be attacked successfully only if the adversary can break a general quantum computational assumption. We show that similarly to the classical case [15], unconditionally concealing quantum bit commitment scheme can be based upon any family of quantum one way permutations. This result is not the direct consequence of the classical construction proposed by Noar, Ostrovsky, Ventkatesen and Young (NOVY) [15]. One reason is that NOVY's analysis uses ....
....show that similarly to the classical case [15] unconditionally concealing quantum bit commitment scheme can be based upon any family of quantum one way permutations. This result is not the direct consequence of the classical construction proposed by Noar, Ostrovsky, Ventkatesen and Young (NOVY) [15]. One reason is that NOVY's analysis uses classical derandomization techniques (rewinding) in order to reduce the existence of an inverter to a successful adversary against the binding condition. In [18] it is shown that such a proof fails completely in a quantum setting: if rewinding was ....
Naor, M., R. Ostrovsky, R. Ventkatesan and M. Young, "Perfect Zero-Knowledge Arguments For NP Using Any One-Way Permutation", Journal of Cryptology, vol. 11, no 2, 1998, pp. 87 -- 108.
....some 1 2 , when a random string of size N = n 2 is broadcast, for 0, whereas a malicious receiver can have up to N bits of memory for any 1. In the course of our analysis, we provide a direct study of an interactive hashing protocol closely related to that of Naor et al. [27]. 1. Introduction Oblivious transfer is an important primitive in modern cryptography. It was introduced to cryptography in several variations by Rabin and Even et al. [29, 20] and had been studied already by Wiesner [31] (under the name of multiplexing) in a paper that marked the birth of ....
....Then they engage in a protocol to form two sets of k bits each among the bits stored by Alice: a good set consisting of the bits also known to Bob and a bad set containing at least some bits unknown to Bob. This is done using an interactive hashing protocol similar to that of Naor et al. [27]. Interactive hashing is a protocol between Alice and Bob for isolating two binary strings. One string is chosen by Bob and the other one is chosen randomly, without (much) influence by Bob. However, Alice does not learn which string corresponds to Bob's input. In order to apply interactive ....
[Article contains additional citation context not shown here]
M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung. Perfect zero-knowledge arguments for NP using any one-way function. Journal of Cryptology, 11(2):87--108, 1998. Preliminary version presented at CRYPTO '92.
.... , when a string of size for is broadcast, whereas a malicious receiver can have up to # bits of memory for any # . In the course of our analysis, we provide a direct study of an interactive hashing protocol closely related to that of Naor et al. [NOVY98]. 1 Introduction Oblivious transfer is an important primitive in modern cryptography. It was introduced to cryptography in several variations by Rabin and Even et al. [Rab81, EGL83] and had been studied already by Wiesner [Wie70] (under the name of multiplexing) in a paper that marked the ....
....Then they engage in a protocol to form two sets of E bits each among the bits stored by Alice: a good set consisting of the bits also known to Bob and a bad set containing at least some bits unknown to Bob. This is done using an interactive hashing protocol similar to that of Naor et al. [NOVY98]. Interactive hashing is a protocol between Alice and Bob for isolating two binary strings. One string is chosen by Bob and the other one is chosen randomly, without (much) influence by Bob. However, Alice does not learn which string corresponds to Bob's input. In order to apply interactive ....
[Article contains additional citation context not shown here]
Moni Naor, Rafail Ostrovsky, Ramarathnam Venkatesan, and Moti Yung, Perfect zero-knowledge arguments for NP using any one-way function, Journal of Cryptology 11 (1998), no. 2, 87--108, Preliminary version presented at CRYPTO '92.
....are convincing if the prover is polynomially bounded, and the proofs statistically do not reveal extra information. The notion of a proof of knowledge is from [23, 5]. Under the discrete log assumption any NP predicate has a perfect zero knowledge argument of knowledge ([11, 12, 22, 21] see also [29] for zero knowledge arguments under weaker conditions and [4] for further details on ZKA's of knowledge). We will need non interactive perfect zero knowledge arguments (ZKA) of knowledge. We make the random oracle assumption [6] that has been commonly used in the design of electronic cash ....
M. Naor, R. Ostrovsky, Venkatesan, and M. Yung. Perfect zero-knowledge arguments for NP using any one-way permutation. Journal of Cryptology, 11, 1998.
.... 1 2 , when a string of size N = n 2 Gammaff Gammafi for ff fi 0 is broadcast, whereas a malicious receiver can have up to flN bits of memory for any fl 1. In the course of our analysis, we provide a direct study of an interactive hashing protocol closely related to that of Naor et al. [NOVY98]. 1 Introduction Oblivious transfer is an important primitive in modern cryptography. It was introduced to cryptography in several variations by Rabin and Even et al. [Rab81, EGL83] and had been studied already by Wiesner [Wie70] (under the name of multiplexing) in a paper that marked the ....
....Then they engage in a protocol to form two sets of k bits each among the bits stored by Alice: a good set consisting of the bits also known to Bob and a bad set containing at least some bits unknown to Bob. This is done using an interactive hashing protocol similar to that of Naor et al. [NOVY98]. Interactive hashing is a protocol between Alice and Bob for isolating two binary strings. One string is chosen by Bob and the other one is chosen randomly, without (much) influence by Bob. However, Alice does not learn which string corresponds to Bob's input. In order to apply interactive ....
[Article contains additional citation context not shown here]
Moni Naor, Rafail Ostrovsky, Ramarathnam Venkatesan, and Moti Yung, Perfect zero-knowledge arguments for NP using any one-way function, Journal of Cryptology 11 (1998), no. 2, 87--108, Preliminary version presented at CRYPTO '92.
....when a random string of size N = n 2 Gammaff Gammafi is broadcast, for ff fi 0, whereas a malicious receiver can have up to flN bits of memory for any fl 1. In the course of our analysis, we provide a direct study of an interactive hashing protocol closely related to that of Naor et al. [27]. 1. Introduction Oblivious transfer is an important primitive in modern cryptography. It was introduced to cryptography in several variations by Rabin and Even et al. [29, 20] and had been studied already by Wiesner [31] (under the name of multiplexing) in a paper that marked the birth of ....
....Then they engage in a protocol to form two sets of k bits each among the bits stored by Alice: a good set consisting of the bits also known to Bob and a bad set containing at least some bits unknown to Bob. This is done using an interactive hashing protocol similar to that of Naor et al. [27]. Interactive hashing is a protocol between Alice and Bob for isolating two binary strings. One string is chosen by Bob and the other one is chosen randomly, without (much) influence by Bob. However, Alice does not learn which string corresponds to Bob's input. In order to apply interactive ....
[Article contains additional citation context not shown here]
M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung. Perfect zero-knowledge arguments for NP using any one-way function. Journal of Cryptology, 11(2):87--108, 1998. Preliminary version presented at CRYPTO '92.
....bits of memory for any fi 0 and fl 1. In the course of our analysis, we provide two tools that may be of independent interest: an efficiently computable, dense encoding of k element subsets from an n set and a direct analysis of the interactive hashing protocol by Naor et al. [NOVY98]. 1 Introduction Oblivious transfer is an important primitive in modern cryptography. It was introduced in several variations by Rabin and Even et al. [Rab81, EGL83]. Oblivious transfer has since become the basis for realizing a broad class of cryptographic protocols, such as bit commitment, ....
....engage in a protocol to form two sets among the bits stored by Alice, a good set and a bad set, of O(k) bits each. The good set consists of the bits also known to Bob and the bad set contains at least some bits unknown to Bob. This is done using the interactive hashing protocol of Naor et al. [NOVY98]. Interactive hashing is a protocol between Alice and Bob for isolating two binary strings. One string is Bob's input and the other one is chosen randomly, without (too much) influence by Bob. However, Alice does not learn which string corresponds to Bob's input. In order to apply interactive ....
[Article contains additional citation context not shown here]
Moni Naor, Rafail Ostrovsky, Ramarathnam Venkatesan, and Moti Yung, Perfect zero-knowledge arguments for NP using any one-way function, Journal of Cryptology 11 (1998), no. 2, 87--108, Preliminary version presented at CRYPTO '92.
No context found.
M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung. Perfect zero-knowledge arguments for NP using any one-way permutation. J. Cryptology, 11(2), 1998.
No context found.
M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung. Perfect zero-knowledge arguments for NP using any one-way permutation. J. Cryptology, 11(2), 1998.
No context found.
M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung. Perfect zero-knowledge arguments for np using any one-way permutation. J. Cryptology, 11(2), 1998.
.... player also has private input w_i (where w_i is a witness for x_i). We would like a protocol in which each player P_i proves that x_i is true (and that furthermore, P_i knows a witness) upon completion of this protocol, all honest players should accept the result if and only if all players have successfully completed their proofs. [Footnote: A related notion of simulatable bit commitment was considered in [32].] The naive approach to solving this problem is to have every (ordered) pair of players P_i, P_j simultaneously execute some constant round zero knowledge proof of knowledge in which P_i ....
M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung. Perfect zero-knowledge arguments for np using any one-way permutation. J. Cryptology, 11(2), 1998.
....has three rounds: 1. B creates a sequence of independent commitments c = c 1 ; c m ) where each c_i is defined by We focus here on schemes with single round commit phase and single round reveal phase. For more general (i.e. interactive) definitions of commitment schemes see e.g. [26, 27]. Although there are quite a few researchers that were concerned with problems of this nature during the last decade (e.g. [4, 5, 6, 14, 28] 34 c_i = C(p_i, r_i) r_i is the (independent) string of random bits used in creating the commitment c_i. B then sends c to A. 2. Given the ....
M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung, Perfect zero-knowledge arguments for NP using any one-way permutation, J. of Cryptology 11 (1998), pp. 87-108.
....where each c_i is defined by c_i = C(p_i, r_i) r_i is the (independent) string of random bits used in creating the commitment 5 We focus here on schemes with single round commit phase and single round reveal phase. For more general (i.e. interactive) definitions of commitment schemes see e.g. [27, 28]. 6 Several researchers have been concerned with problems of this nature during the last decade (e.g. [4, 5, 6, 15, 29] 36 c_i. B then sends c to A. 2. Given the commitments vector c, the adversary A selects a legal subset 7 of the commitments: I = fi 1 ; i k g f1; 2; ....
M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung, Perfect zero-knowledge arguments for NP using any one-way permutation, J. of Cryptology 11 (1998), pp. 87--108.
No context found.
Moni Naor, Rafail Ostrovsky, Ramarathnam Venkatesan, and Moti Yung. Perfect zero-knowledge arguments for NP using any one-way permutation. Journal of Cryptology, 11(2):87--108, 1998. Preliminary version in CRYPTO '92.
No context found.
M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung. Perfect zero-knowledge arguments for np using any one-way permutation. Journal of Cryptology, 11(2):87--108, 1998. preliminary version in CRYPTO 92.
No context found.
M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung. Perfect zero-knowledge arguments for NP using any one-way permutation. J. Cryptology, 11(2):87--108, 1998.
No context found.
M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung. Perfect zero-knowledge arguments for np using any one-way permutation. Journal of Cryptology, 11(2):87--108, 1998. preliminary version in CRYPTO 92.
No context found.
M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung. Perfect zero-knowledge arguments for np using any one-way permutation. Journal of Cryptology, 11(2):87-108, 1998. preliminary version in CRYPTO 92.
No context found.
Naor, M., Ostrovsky, R., Ventkatesan, R., and Young, M. Perfect zero-knowledge arguments for np using any one-way permutation. Journal of Cryptology 11, 2 (1998), 78--108.
No context found.
Naor, M., R. Ostrovsky, R. Ventkatesan, and M. Young, "Perfect Zero-Knowledge Arguments For NP Using Any One-Way Permutation ", Journal of Cryptology, vol. 11, no 2, 1998, pp. 87 -- 108.