Results 1 - 10 of 14
Perfect Zero-Knowledge Arguments for NP Using any One-Way Permutation
Journal of Cryptology, 1998
Cited by 60 (5 self)
"Perfect zero-knowledge arguments" is a cryptographic primitive which allows one polynomial-time player to convince another polynomial-time player of the validity of an NP statement, without revealing any additional information (in the information-theoretic sense). Here the security achieved is on-line: in order to cheat and validate a false theorem, the prover must break a cryptographic assumption on-line during the conversation, while the verifier cannot find (ever) any information unconditionally. Despite their practical and theoretical importance, it was only known how to implement zero-knowledge arguments based on specific algebraic assumptions. In this paper, we show a general construction, which can be based on any one-way permutation. The result is obtained by a construction of an information-theoretically secure bit-commitment protocol. The protocol is efficient (both parties are polynomial time) and can be based on any one-way permutation. A preliminary version of this ...
Fair Games Against an All-Powerful Adversary
AMS DIMACS Series in Discrete Mathematics and Theoretical Computer Science, 1991
Cited by 39 (15 self)
Suppose that a weak (polynomial time) device needs to interact over a clear channel with a strong (infinitely-powerful) and untrustworthy adversarial device. Assuming the existence of one-way functions, during this interaction (game) the infinitely-powerful device can encrypt and (computationally) hide information from the weak device. However, to keep the game fair, the weak player must hide information from the infinitely-powerful player in the information-theoretic sense. Clearly, encryption in this case is useless, and other means must be used. In this paper, we show that under a general complexity assumption, this task is always possible to achieve. That is, we show that the weak player can play any polynomial length partial-information game (or secure protocol) with the strong player using any one-way function; we achieve this by implementing an oblivious transfer protocol in this model. We also establish related impossibility results concerning oblivious transfer. In the proof of ou...
Reducing complexity assumptions for statistically-hiding commitment
In EUROCRYPT, 2005
Cited by 31 (6 self)
We revisit the following question: what are the minimal assumptions needed to construct statistically-hiding commitment schemes? Naor et al. show how to construct such schemes based on any one-way permutation. We improve upon this by showing a construction based on any approximable preimage-size one-way function. These are one-way functions for which it is possible to efficiently approximate the number of pre-images of a given output. A special case is the class of regular one-way functions where all points in the image of the function have the same number of pre-images. We also prove two additional results related to statistically-hiding commitment. First, we prove a (folklore) parallel composition theorem showing, roughly speaking, that the statistical hiding property of any such commitment scheme is amplified exponentially when multiple independent parallel executions of the scheme are carried out. Second, we show a compiler which transforms any commitment scheme which is statistically hiding against an honest-but-curious receiver into one which is statistically hiding even against a malicious receiver.
Commitment Capacity of Discrete Memoryless Channels
In: Cryptography and Coding. LNCS, 2003
Cited by 27 (1 self)
In extension of the bit commitment task and following work initiated by Crépeau and Kilian, we introduce and solve the problem of characterising the optimal rate at which a discrete memoryless channel can be used for bit commitment. It turns out that the answer is very intuitive: it is the maximum equivocation of the channel (after removing trivial redundancy), even when unlimited noiseless bidirectional side communication is allowed. By a well-known reduction, this result provides a lower bound on the channel's capacity for implementing coin tossing, which we conjecture to be an equality. The method of proving this...
One-way trapdoor permutations are sufficient for non-trivial single-server private information retrieval
In Proc. of EUROCRYPT '00, 2000
Cited by 25 (3 self)
We show that general one-way trapdoor permutations are sufficient to privately retrieve an entry from a database of size n with total communication complexity strictly less than n. More specifically, we present a protocol in which the user sends O(K^2) bits and the server sends n − cn bits (for any constant c), where K is the security parameter of the trapdoor permutations. Thus, for sufficiently large databases (e.g., when K = n^ε for some small ε) our construction breaks the information-theoretic lower bound (of at least n bits). This demonstrates the feasibility of basing single-server private information retrieval on general complexity assumptions. An important implication of our result is that we can implement a 1-out-of-n Oblivious Transfer protocol with communication complexity strictly less than n based on any one-way trapdoor permutation.
Interactive Hashing Simplifies Zero-Knowledge Protocol Design (Extended Abstract)
Proc. of EuroCrypt 93, 1998
Cited by 21 (6 self)
Often the core difficulty in designing zero-knowledge protocols arises from having to consider every possible cheating verifier trying to extract additional information.
A new interactive hashing theorem
In Proceedings of the 22nd Annual IEEE Conference on Computational Complexity, 2007
Cited by 13 (5 self)
Interactive hashing, introduced by Naor, Ostrovsky, Venkatesan and Yung (CRYPTO '92), plays an important role in many cryptographic protocols. In particular, it is a major component in all known constructions of statistically hiding and computationally binding commitment schemes and of zero-knowledge arguments based on general one-way permutations and on one-way functions. Interactive hashing with respect to a one-way permutation f is a two-party protocol that enables a sender that knows y = f(x) to transfer a random hash z = h(y) to a receiver. The receiver is guaranteed that the sender is committed to y (in the sense that it cannot come up with x and x′ such that f(x) ≠ f(x′), but h(f(x)) = h(f(x′)) = z). The sender is guaranteed that the receiver does not learn any additional information on y. In particular, when h is a two-to-one hash function, the receiver does not learn which of the two preimages {y, y′} = h^{-1}(z) is the one the sender can invert with respect to f. This paper reexamines the notion of interactive hashing. We give an alternative proof for the Naor et al. protocol, which seems to us significantly simpler and more intuitive than the original one. Moreover, the new proof achieves much better parameters (in terms of how security
Interactive Hashing and reductions between Oblivious Transfer variants
Cited by 7 (2 self)
Interactive Hashing has featured as an essential ingredient in protocols realizing a large variety of cryptographic tasks. We present a study of this important cryptographic tool in the information-theoretic context. We start by presenting a security definition which is independent of any particular setting or application. We then show that a standard implementation of Interactive Hashing satisfies all the conditions of our definition. Our proof of security improves upon previous ones in several ways. Despite its generality, it is considerably simpler. Moreover, it establishes a tighter upper bound on the cheating probability of a dishonest sender. Specifically, we prove that if the fraction of good strings for a dishonest sender is f, then the probability that both outputs will be good is no larger than 15.6805 f. This upper bound is valid for any f and is tight up to a small constant since a sender acting honestly would get two good outputs with probability very close to f. We illustrate the potential of Interactive Hashing as a cryptographic primitive by demonstrating efficient reductions of String Oblivious Transfer with string length k to Bit Oblivious Transfer and several weaker variants. Our reductions incorporate tests based on Interactive Hashing that allow the sender to verify the receiver's adherence to the protocol without compromising the latter's privacy. This allows a much more efficient use of the available entropy without any appreciable impact on security. As a result, for Bit OT and most of its variants n = (1 +)k executions suffice, improving efficiency by a factor of two or more compared to the most efficient reductions that do not use Interactive Hashing. As it is theoretically impossible to achieve an expansion factor n/k smaller than 1, our reductions are in fact asymptotically optimal. They are also more general since they place no restrictions on the types of 2-universal hash families used for Privacy Amplification.
Lastly, we present a direct reduction of String OT to Rabin OT which uses similar methods to achieve an expansion factor of 2 + which is again asymptotically optimal.
Efficient Consistency Proofs on a Committed Database
In Automata, Languages and Programming: 31st International Colloquium, ICALP 2004, 2003
Cited by 6 (1 self)
A consistent query protocol allows a database owner to publish a very short string c which commits her to a particular database D with a special consistency property (i.e., given c, every allowable query has a unique and well-defined answer with respect to D). Moreover, when a user makes a query, any server hosting the database can answer the query, and provide a very short proof # that the answer is well-defined, unique, and consistent with c (and hence with D). One potential application of consistent query protocols is for guaranteeing the consistency of many replicated copies of D---the owner can publish c, and users can verify the consistency of a query to some copy of D by making sure # is consistent with c. This strong guarantee holds even for owners who try to cheat while creating c.
Instance-Hiding Proof Systems
1993
Cited by 2 (0 self)
We define the notion of an instance-hiding proof system (ihps) for a function f; informally, an ihps is a protocol in which a polynomial-time verifier interacts with one or more all-powerful provers and is convinced of the value of f(x) but does not reveal the input x to the provers. We show here that a function f has a multiprover ihps if and only if it is computable in FNEXP. We formalize the notion of zero-knowledge for ihps's and show that any function that has a multiprover ihps in fact has one that is perfect zero-knowledge. Under the assumption that one-way permutations exist, we show that f has a one-prover, zero-knowledge ihps if and only if it is in FPSPACE and has a one-oracle instance-hiding scheme (ihs).