M. Naor, R. Ostrovsky, R. Venkatesan, M. Yung, Perfect Zero-Knowledge Arguments for NP Can be Based on General Complexity Assumptions Proceedings of CRYPTO92, Santa-Barbara, CA, August 17-20, 1992.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....cryptographic protocols, such as Zero Knowledge protocols (e.g. gmw91, bcc88, d89] general function evaluation protocols (e.g. gmw87, ghy88, g98] contract signing and electronic commerce, and more. Indeed, commitment protocols have been studied extensively in the past two decades (e.g. [B82, n91, ddn00, novy92, b96, dio98, ff00, dkos01] ) The basic idea behind the notion of commitment is attractively simple: A committer provides a receiver with the digital equivalent of a sealed envelope containing a value x. From this point on, the committer cannot change the value inside the envelope, and, as long as the committer does not ....

M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung, Perfect zero-knowledge arguments for NP can be based on general complexity assumptions, Advances in Cryptology - Crypto '92, pp.. 196-214, 1992.

....a better sampling protocol, which is optimal up to a constant factor. Our basic two party sampling protocol is very similar to a protocol, called interactive hashing, which was discovered independently by Ostrovsky et al. 20] Interactive hashing has found many applications in cryptography (cf. [20, 18, 21, 10]) For details see Remark 2. 2 Preliminaries 2.1 Bivariate Functions Throughout the paper we represent the bivariate function f : f0; 1g n Theta f0; 1g n 7 f0; 1g as an N by N matrix, where N def = 2 n . An entry, x; y) in the matrix which has value v (i.e. f(x; y) v) is called ....

.... Gamma 1 (rather than l) rounds. Interactive hashing was invented for completely different purposes and consequently its analysis as in [20] and subsequent studies) is very different from what appears above. Interactive hashing was used in implementing various types of commitment protocols (cf. [20, 18, 21, 10]) Main Result Combining Propositions 20 and 21 with Theorem 15, we get Theorem 22 (efficient protocol meeting the lower bound) There exists a (generic) two party protocol, for evaluating an arbitrary bivariate function f . This protocol is performed by a pair of uniform probabilistic ....

M. Naor, R. Ostrovsky, R. Venkatesan and M. Yung, "Perfect Zero-Knowledge Arguments for NP Can Be Based on General Complexity Assumptions", Advances in Cryptology -- Proceedings of Crypto92, Springer-Verlag Lecture Notes in Computer Science. To appear in J. of Cryptology.

....interactive, and it requires 2 rounds of communication to commit to a string. The Sender in this scheme generates an O(n) bit pseudorandom string and sends an O(n) bits commitment string in order to commit to an n bit message. In the unbounded receiver model Naor, Ostrovki, Venkatesan and Yung [20] described a construction which is based on any one way permutation. Their scheme calls for 2k rounds of communication and one application of the one way permutation for each bit which is being committed to. Finally a commitment scheme which uses collision intractable hash functions was first ....

M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung. Perfect zero-knowledge arguments for NP can be based on general complexity assumptions. In Ernest F. Brickell, editor, Proceedings CRYPTO 92, Lecture Notes in Computer Science No. 740. Springer-Verlag, 1992. Pages 196--214.

....measurements) under the sole assumption that one way functions exist. This is interesting because Impagliazzo and Rudich have proved that one way functions are not sufficient to implement OT in the classical (ie non quantum) model [21] Moreover, under the assumption that one way permutations [25] or one way group actions [10] exist, it is possible to accomplish a quantum OT protocol that will leak no additional information to either party unless the computational assumption is broken on line, while the protocol is taking place. In contrast, all classical OT protocols are susceptible to ....

Naor, M., R. Ostrovsky, R. Venkatesan and M. Yung, "Perfect zero-knowledge arguments for NP can be based on general complexity assumptions", Manuscript available from the authors, 1991.

....is unalterable, since no element can be both a residue and a nonresidue; the scheme is unreadable by a polynomially bounded receiver under the QRA. Basic bit commitment requires that the receiver be polynomially bounded. Another flavor of bit commitment, called strong bit commitment [33] 35] [115] allows the receiver to be unbounded. In this case, unreadability requires that the two probability distributions be (almost) identical. 2.1.5 Interactive Proof Systems and Zero Knowledge Proof An interactive proof system is a two party protocol in which a prover conveys a convincing argument ....

M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung, "Perfect zero-knowledge arguments for NP can be based on general complexity assumptions," manuscript, 1991.

.... commitment protocols, but to realize many other quantum protocols, including the important quantum oblivious transfer protocols[23, 14] A better understanding of the situation came after that Cr epeau proposed a quantum protocol [3, 5] that uses a computationally secure classical bit commitment [21, 22] as a subprotocol. The idea was to rely temporarily on the limitation (in speed) on the cheater during the commit phase to force him to execute some measurements. The hope was that this short term assumption could be dropped after the commit phase so as to obtain a quantum bit commitment not ....

....protocol to force the cheater to execute a measurement. Our conclusion is that, surprisingly, a whole class of classical BC schemes (that are perfectly concealing) fail miserably in this scenario. Our result is illustrated with the computational BC scheme of Naor,Ostrovsky,Venkatesen,Yung [22] and the two prover BC scheme of Ben Or,Goldwasser,Kilian,Wigderson [6] The basic idea can be used regardless of the BC scheme. The attack is inspired from the discussion of the previous section, but we will focus on the fact that the objective (defeated by the attack) is to force a measurement ....

[Article contains additional citation context not shown here]

Naor, Moni, R. Ostrovsky, R. Venkatesan and M. Yung, "Perfect Zero-Knowledge Arguments for NP Can Be Based on General Complexity Assumptions", Advances in Cryptology --- Proceedings of Crypto '92, August 1992, Springer -- Verlag, pp. 196 -- 214.

.... error probability in a protocol is a (single) function associated to the verifier. A definition of negligible error arguments based on this view is given in [BJY] Earlier, however, other definitions had appeared which did not have this view of error probability in the case of negligible error [Go, NOVY]. Applying the above however we can show that the two formulations are nonetheless equivalent. See Section 4.2. Similarly, we relate two notions of computational proofs of knowledge with negligible knowledge error suggested in [BeGo] See Section 4.3. 1.4 Non uniform adversaries and ....

....sound for L, with negligible error probability, if there is a negligible function ffl such that Acc P ev ffl for every prover P 2 P. However, previous works had given a different definition of negligible error arguments. The notion proposed by Goldreich [Go, Section 6.8. 1] and Naor et al. [NOVY] is the following: Definition 4.6 [Go, NOVY] Verifier V is computationally sound for L, with negligible errorprobability, if for every prover P 2 P the function Acc P is negligible. As a notion of security this seems satisfactory. But notice that this notion does not have the view of an error ....

[Article contains additional citation context not shown here]

M. Naor, R. Ostrovsky, R. Venkatasan, M. Yung. Perfect zero knowledge arguments for NP can be based on general complexity assumptions. Advances in Cryptology -- Crypto 92 Proceedings, Lecture Notes in Computer Science Vol. 740, E. Brickell ed., Springer-Verlag, 1992.

.... There are theoretical applications in which one must use bounded to unbounded commitment schemes to yield the desired result; for instance, to obtain constant round computational zero knowledge proofs for NP (as shown in [11] or to obtain statistical zero knowledge arguments for NP (as shown by [13, 16]) 1.1 Previous Work Many commitment schemes in the unbounded receiver model are known based on number theoretic constructions. The first such scheme was suggested by Blum [3] in the context of flipping coins over the phone. Blum described a commitment scheme for one bit, which is based on the ....

....interactive, and it requires 2 rounds of communication to commit to a string. The Sender in this scheme generates an O(n) bit pseudorandom string and sends an O(n) bits commitment string in order to commit to an n bit message. In the unbounded receiver model Naor, Ostrovki, Venkatesan and Yung [16] described a construction which is based on any one way permutation. Their scheme is particularly inefficient, however, in that it calls for 2k rounds of communication and one application of the one way permutation for each bit which is being committed to. In addition to the above work, Several ....

[Article contains additional citation context not shown here]

M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung. Perfect zero-knowledge arguments for NP can be based on general complexity assumptions. In Ernest F. Brickell, editor, Proc. Crypto '92, Lecture Notes in Computer Science, volume 740, Springer-Verlag, 1993. pages 196--214.

....fails it can return to a previous configuration in which it was successful (at least up to that point) and try another branch. This kind of simulation is often used in proofs of security for sequential composition of protocols under computational assumptions. It is also used, for instance, in [NOVY92]. In universal simulation snapshots are allowed, so resetting and re computing is unnecessary. Quantumly it is tempting to think that rewinding might be possible by reversing the computation, but this is false. Let j i i be the state at t i , i = 1; 2. Let U 1;2 be the unitary evolution between ....

....that rewinding by reversible computation, by taking snapshots, and by resetting and roll forwards from the beginning is impossible. Still, this does not prove that rewinding is completely ruled out. On the other hand, the kind of rewinding used here is in fact very realistic. For instance, in [NOVY92], Naor, Ostrowsky, Venkatesan and Yung give a Bit Commitment scheme which is computationally binding. That is, if an algorithm E exists that can open the Bit Commitment 114 as 0 or 1 with non negligible probability, they show that there exists a (classical) polynomial time algorithm S which ....

NAOR, M., R. OSTROVSKY, R. VENKATESAN AND M. YUNG, "Perfect zero-knowledge arguments for np can be based on general complexity assumptions", In Proc. CRYPTO 92 (1992), E. F. Brickell, Ed., Springer-Verlag, pp. 196--214, Lecture Notes in Computer Science No. 740. 128

No context found.

M. Naor, R. Ostrovsky, R. Venkatesan, M. Yung, Perfect Zero-Knowledge Arguments for NP Can be Based on General Complexity Assumptions Proceedings of CRYPTO92, Santa-Barbara, CA, August 17-20, 1992.

No context found.

M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung. Perfect zero-knowledge arguments for NP can be based on general complexity assumptions. J. Cryptology, 11(2):87--108, 1998 (also CRYPTO '92).

No context found.

M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung. Perfect zero-knowledge arguments for NP can be based on general complexity assumptions. In E. F. Brickell, editor, Advances in Cryptology - CRYPTO '92, volume 740 of Lecture Notes in Computer Science. Springer-Verlag, 1992.

No context found.

M. NAOR, R. OSTROVSKY, R. VENKATESAN, AND M. YUNG. Perfect zero-knowledge arguments for NP can be based on general complexity assumptions. Advances in Cryptology -- Crypto 92 Proceedings, Lecture Notes in Computer Science Vol. 740, E. Brickell ed., Springer-Verlag, 1992 and J. Cryptology, 11(2):87--108, 1998.

No context found.

M. NAOR, R. OSTROVSKY, R. VENKATESAN, AND M. YUNG. Perfect zero-knowledge arguments for NP can be based on general complexity assumptions. Advances in Cryptology -- Crypto 92 Proceedings, Lecture Notes in Computer Science Vol. 740, E. Brickell ed., Springer-Verlag, 1992 and J. Cryptology, 11(2):87--108, 1998.

No context found.

M. Naor, R. Ostrovsky, R. Venkatesan, M.Yung. Perfect Zero-Knowledge Arguments for NP Can Be Based on General Complexity Assumptions. CRYPTO 1992: 196-214

....may only be able to decommit his bid after viewing a decommitment of the first. Unfortunately, most known commitment protocols are easily susceptible to these types of attacks. Two types of commitment schemes have been considered in the literature: perfectly binding [19] and perfectly hiding [21] (following [15] we refer to the former as standard and the latter as perfect) In a standard commitment scheme, each commitment is information theoretically bound to only one possible (legal) decommitment value; on the other hand, the secrecy of the commitment is guaranteed only with respect to a ....

....application [15] it may also depend on assumptions regarding the computational power of the participants. For example, in many protocols certain commitments are never opened; information theoretic privacy ensures that the committed data will remain hidden indefinitely (for further discussion, see [23, 21]) Commitment size is an important parameter, particularly when committing to a very large message such as the contents of a database. Unfortunately, standard commitment schemes (even malleable ones) require commitment size at least M (log k) where M is the message size and k is the security ....

[Article contains additional citation context not shown here]

M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung. Perfect zero-knowledge arguments for NP can be based on general complexity assumptions. J. Cryptology, 11(2):87--108, 1998 (also CRYPTO '92).

....party may only be able to decommit his bid after viewing a decommitment of the rst. Unfortunately, most known commitment protocols are easily susceptible to these types of attacks. Two types of commitment schemes have been considered in the literature: perfectly binding [19] and perfectly hiding [21] (following [15] we refer to the former as standard and the latter as perfect) In a standard commitment scheme, each commitment is information theoretically bound to only one possible (legal) decommitment value; on the other hand, the secrecy of the commitment is guaranteed only with respect to a ....

....application [15] it may also depend on assumptions regarding the computational power of the participants. For example, in many protocols certain commitments are never opened; information theoretic privacy ensures that the committed data will remain hidden inde nitely (for further discussion, see [23, 21]) Commitment size is an important parameter, particularly when committing to a very large message such as the contents of a database. Unfortunately, standard commitment schemes (even malleable ones) require commitment size at least M (log k) where M is the message size and k is the security ....

[Article contains additional citation context not shown here]

M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung. Perfect zero-knowledge arguments for NP can be based on general complexity assumptions. J. Cryptology, 11(2):87-108, 1998 (also CRYPTO '92).

.... (this was originally based on algebraic assumptions, e.g. for statistical zero knowledge proofs the discrete logarithm was used in [BMO] Another important implication is implementing perfectly secure zero knowledge arguments (defined in [BCC] based on general complexity assumptions in [NOVY]. To summerize, the general paradigm of information theoretic security based on intractability of cryptographic tools , was developed and applied extensively in the last decade (e.g. BCC, CDV, AFK, AF] However, this valuable paradigm was always connected to some specialized property of one of ....

M. Naor, R. Ostrovsky, R. Venkatesan, M. Yung, Perfect Zero-Knowledge Arguments for NP Can be Based on General Complexity Assumptions Proceedings of CRYPTO92, Santa-Barbara, CA, August 17-20, 1992.

....) is still an interactive proof system for L and for any (possibly cheating) verifier b V there exists a simulator S b V . We specify the protocol below. For completeness sake, first we recall what is interactive hashing [OVY 91] and show the interactive hashing based bit commitment protocol [NOVY]. Remark: The bit commitment protocol parties are efficient, i.e. they need only perform polynomial time computations to execute the protocol. Commit to a bit a 1. The verifier V selects x 2R f0; 1g n at random and computes y f(x) V keeps both x and y secret from P . 2. The prover P ....

....using C as its secret coinflips. Moreover, for every message sent from V to P is accompanied by a zeroknowledge argument that V would really have sent this message if its coinflips were C. Remark: Such a proof is possible and users are engaged in Interactive Hashing based on one way permutation [NOVY] as a subroutine) More specifically, V begins by sending the message ff 1 that would have been the first message V sent on coins C, and proves that indeed it has done this. The prover checks this proof, and if it is incorrect it aborts. Otherwise it sends whatever response fi 1 the old prover P ....

[Article contains additional citation context not shown here]

M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung. "Perfect Zero-Knowledge Arguments for NP Can Be Based on General Complexity Assumptions", Advances in Cryptology -- Crypto '92, Lecture Notes in Computer Science, Springer, to appear.

....phase and an execution phase. In the set up phase, V 0 and P 0 each choose at random a sequences of l bits; call these sequences s 1 = s 11 s 12 : s 1l and s 2 = s 21 s 22 : s 2l , respectively. V 0 then commits s 1 to P 0 using the weak committer strong receiver protocol in [21, 23], and P 0 commits s 2 to V 0 using the strong committer weak receiver protocol in [20] In the execution phase of the protocol, the sequence r = r 1 r 2 : r l , where r i = s 1i Phi s 2i , plays the role of the verifier s random input in (P; V ) Intuitively, the execution phase is ....

....f(x) This time, of course, only V 0 gets the output. The fact that (P 0 ; V 0 ) is an ihps follows directly from the fact that (P; V ) is an ihps and from the definition of COT. To prove that (P 0 ; V 0 ) is zero knowledge, we use the simulatability properties of the COT protocol of [21, 22] and the bit commitment protocol of [20] Let C i denote the transcript of the i th execution of COT that takes place in the overall execution (P 0 ; V 0 ) x) The entire transcript of an execution of (P 0 ; V 0 ) x) is thus of the form (C 1 ; E(q 1 ) E(a 1 ) Cm ; E(qm ) E(am ....

[Article contains additional citation context not shown here]

M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung. Perfect Zero-Knowledge Arguments for NP Can Be Based on General Complexity Assumptions, Advances in Cryptology -- Crypto '92, Lecture Notes in Computer Science, Springer, Berlin, to appear.

....is unalterable, since no element can be both a residue and a nonresidue; the scheme is unreadable by a polynomially bounded receiver under the QRA. Basic bit commitment requires that the receiver be polynomially bounded. Another flavor of bit commitment, called strong bit commitment [25] 27] [63] allows the receiver to be unbounded. In this case, unreadability requires that the two probability distributions be identical. 2.5 Interactive Proof Systems and Zero Knowledge Proof An interactive proof system [49] 3] is a two party protocol in which a prover conveys a convincing argument to ....

M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung, "Perfect zero-knowledge arguments for NP can be based on general complexity assumptions," manuscript, 1991.

....is used. ffl CZK proofs: Statistically convincing, computational ZK. For example the proofs for all of NP in [GMW] ffl SZK arguments: Computationally convincing, statistical ZK. For example the arguments for all of NP in [BrCr, BCC] when a discrete logarithm based bit commitment is used; also [NOVY]. ffl SZK proofs: Statistically convincing, statistical ZK. The strongest kind, but not possible for all of NP unless the polynomial time hierarchy collapses [Fo] But there are examples for special languages: quadratic residuosity and its complement [GMR] graph isomorphism and its complement ....

....and say a round is two consecutive moves. In their terminology, our four round protocols would be four move or two round protocols. Rounds Assumption Reference Type poly(n) One way function Combine [GMW, HILL, Na] CZK proof (log n) Algebraic [BrCr, BCC] SZK argument poly(n) One way permutation [NOVY] SZK argument 6 Claw free pairs [BCY] SZK argument 6 Claw free pairs [GoKa] CZK proof 5 One way function [FeSh] CZK argument 4 Algebraic [FeSh] CZK argument 4 Trapdoor perm. Algebraic Combine [Bl, FLS, BeYu] CZK argument 4 One way function This paper CZK argument Figure 1: Negligible error ZK ....

M. Naor, R. Ostrovsky, R. Venkatasan, M. Yung. Perfect zero knowledge arguments for NP can be based on general complexity assumptions. Advances in Cryptology -- Crypto 92 Proceedings, Lecture Notes in Computer Science Vol. 740, E. Brickell ed., Springer-Verlag, 1992.

....is unalterable, since no element can be both a residue and a nonresidue; the scheme is unreadable by a polynomially bounded receiver under the QRA. Basic bit commitment requires that the receiver be polynomially bounded. Another flavor of bit commitment, called strong bit commitment [28] 30] [80] allows the receiver to be unbounded. In this case, unreadability requires that the two probability distributions be (almost) identical. 2.5 Interactive Proof Systems and Zero Knowledge Proof An interactive proof system is a two party protocol in which a prover conveys a convincing argument to ....

M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung, "Perfect zero-knowledge arguments for NP can be based on general complexity assumptions," manuscript, 1991.

No context found.

M. Naor, R. Ostrovsky, R. Venkateasan, M. Yung, Perfect Zero-Knowledge Arguments for NP Can Be Based on General Complexity Assumptions, Proceedings of Crypto '92, LNCS 740, pp. 196-214.

No context found.

M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung. Perfect zero-knowledge arguments for NP can be based on general complexity assumptions. In Advances in Cryptology -- CRYPTO '92 (LNCS 740), pp. 196--214, 1992.

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC