Results 1  10
of
115
The knowledge complexity of interactive proof systems

, 1989
"... Usually, a proof of a theorem contains more knowledge than the mere fact that the theorem is true. For instance, to prove that a graph is Hamiltonian it suffices to exhibit a Hamiltonian tour in it; however, this seems to contain more knowledge than the single bit Hamiltonian/nonHamiltonian. In th ..."
Abstract

Cited by 1246 (39 self)
 Add to MetaCart
Usually, a proof of a theorem contains more knowledge than the mere fact that the theorem is true. For instance, to prove that a graph is Hamiltonian it suffices to exhibit a Hamiltonian tour in it; however, this seems to contain more knowledge than the single bit Hamiltonian/nonHamiltonian. In this paper a computational complexity theory of the "knowledge " contained in a proof is developed. Zeroknowledge proofs are defined as those proofs that convey no additional knowledge other than the correctness of the proposition in question. Examples of zeroknowledge proof systems are given for the languages of quadratic residuosity and quadratic nonresiduosity. These are the first examples of zeroknowledge proofs for languages not known to be efficiently recognizable.
A Digital Signature Scheme Secure Against Adaptive ChosenMessage Attacks
, 1995
"... We present a digital signature scheme based on the computational diculty of integer factorization. The scheme possesses the novel property of being robust against an adaptive chosenmessage attack: an adversary who receives signatures for messages of his choice (where each message may be chosen in a ..."
Abstract

Cited by 959 (40 self)
 Add to MetaCart
(Show Context)
We present a digital signature scheme based on the computational diculty of integer factorization. The scheme possesses the novel property of being robust against an adaptive chosenmessage attack: an adversary who receives signatures for messages of his choice (where each message may be chosen in a way that depends on the signatures of previously chosen messages) can not later forge the signature of even a single additional message. This may be somewhat surprising, since the properties of having forgery being equivalent to factoring and being invulnerable to an adaptive chosenmessage attack were considered in the folklore to be contradictory. More generally, we show how to construct a signature scheme with such properties based on the existence of a "clawfree" pair of permutations  a potentially weaker assumption than the intractibility of integer factorization. The new scheme is potentially practical: signing and verifying signatures are reasonably fast, and signatures are compact.
Universally composable security: A new paradigm for cryptographic protocols
, 2013
"... We present a general framework for representing cryptographic protocols and analyzing their security. The framework allows specifying the security requirements of practically any cryptographic task in a unified and systematic way. Furthermore, in this framework the security of protocols is preserved ..."
Abstract

Cited by 833 (37 self)
 Add to MetaCart
We present a general framework for representing cryptographic protocols and analyzing their security. The framework allows specifying the security requirements of practically any cryptographic task in a unified and systematic way. Furthermore, in this framework the security of protocols is preserved under a general protocol composition operation, called universal composition. The proposed framework with its securitypreserving composition operation allows for modular design and analysis of complex cryptographic protocols from relatively simple building blocks. Moreover, within this framework, protocols are guaranteed to maintain their security in any context, even in the presence of an unbounded number of arbitrary protocol instances that run concurrently in an adversarially controlled manner. This is a useful guarantee, that allows arguing about the security of cryptographic protocols in complex and unpredictable environments such as modern communication networks.
Bit Commitment Using PseudoRandomness
 Journal of Cryptology
, 1991
"... We show how a pseudorandom generator can provide a bit commitment protocol. We also analyze the number of bits communicated when parties commit to many bits simultaneously, and show that the assumption of the existence of pseudorandom generators suffices to assure amortized O(1) bits of communicat ..."
Abstract

Cited by 275 (15 self)
 Add to MetaCart
(Show Context)
We show how a pseudorandom generator can provide a bit commitment protocol. We also analyze the number of bits communicated when parties commit to many bits simultaneously, and show that the assumption of the existence of pseudorandom generators suffices to assure amortized O(1) bits of communication per bit commitment.
Evaluating 2dnf formulas on ciphertexts
 In proceedings of TCC ’05, LNCS series
, 2005
"... Abstract. Let ψ be a 2DNF formula on boolean variables x1,..., xn ∈ {0, 1}. We present a homomorphic public key encryption scheme that allows the public evaluation of ψ given an encryption of the variables x1,..., xn. In other words, given the encryption of the bits x1,..., xn, anyone can create th ..."
Abstract

Cited by 231 (7 self)
 Add to MetaCart
(Show Context)
Abstract. Let ψ be a 2DNF formula on boolean variables x1,..., xn ∈ {0, 1}. We present a homomorphic public key encryption scheme that allows the public evaluation of ψ given an encryption of the variables x1,..., xn. In other words, given the encryption of the bits x1,..., xn, anyone can create the encryption of ψ(x1,..., xn). More generally, we can evaluate quadratic multivariate polynomials on ciphertexts provided the resulting value falls within a small set. We present a number of applications of the system: 1. In a database of size n, the total communication in the basic step of the KushilevitzOstrovsky PIR protocol is reduced from √ n to 3 √ n. 2. An efficient election system based on homomorphic encryption where voters do not need to include noninteractive zero knowledge proofs that their ballots are valid. The election system is proved secure without random oracles but still efficient. 3. A protocol for universally verifiable computation. 1
Universally Composable TwoParty and MultiParty Secure Computation
, 2002
"... We show how to securely realize any twoparty and multiparty functionality in a universally composable way, regardless of the number of corrupted participants. That is, we consider an asynchronous multiparty network with open communication and an adversary that can adaptively corrupt as many pa ..."
Abstract

Cited by 151 (34 self)
 Add to MetaCart
(Show Context)
We show how to securely realize any twoparty and multiparty functionality in a universally composable way, regardless of the number of corrupted participants. That is, we consider an asynchronous multiparty network with open communication and an adversary that can adaptively corrupt as many parties as it wishes. In this setting, our protocols allow any subset of the parties (with pairs of parties being a special case) to securely realize any desired functionality of their local inputs, and be guaranteed that security is preserved regardless of the activity in the rest of the network. This implies that security is preserved under concurrent composition of an unbounded number of protocol executions, it implies nonmalleability with respect to arbitrary protocols, and more. Our constructions are in the common reference string model and rely on standard intractability assumptions.
Efficient Cryptographic Schemes Provably as Secure as Subset Sum
"... We show very efficient constructions for a pseudorandom generator and for a universal oneway hash function based on the intractability of the subset sum problem for certain dimensions. (Pseudorandom generators can be used for private key encryption and universal oneway hash functions for signatu ..."
Abstract

Cited by 89 (9 self)
 Add to MetaCart
(Show Context)
We show very efficient constructions for a pseudorandom generator and for a universal oneway hash function based on the intractability of the subset sum problem for certain dimensions. (Pseudorandom generators can be used for private key encryption and universal oneway hash functions for signature schemes). The increase in efficiency in our construction is due to the fact that many bits can be generated/hashed with one application of the assumed oneway function. All our construction can be implemented in NC using an optimal number of processors.
Practical and ProvablySecure Commitment Schemes from CollisionFree Hashing
 in Advances in Cryptology  CRYPTO96, Lecture Notes in Computer Science 1109
, 1996
"... . We present a very practical stringcommitment scheme which is provably secure based solely on collisionfree hashing. Our scheme enables a computationally bounded party to commit strings to an unbounded one, and is optimal (within a small constant factor) in terms of interaction, communication, a ..."
Abstract

Cited by 77 (5 self)
 Add to MetaCart
(Show Context)
. We present a very practical stringcommitment scheme which is provably secure based solely on collisionfree hashing. Our scheme enables a computationally bounded party to commit strings to an unbounded one, and is optimal (within a small constant factor) in terms of interaction, communication, and computation. Our result also proves that constant round statistical zeroknowledge arguments and constantround computational zeroknowledge proofs for NP exist based on the existence of collisionfree hash functions. 1 Introduction String commitment is a fundamental primitive for cryptographic protocols. A commitment scheme is an electronic way to temporarily hide a value that cannot be changed. Such a scheme emulates by means of a protocol the following twostage process. In Stage 1 (the Commit stage), a party called the Sender locks a message in a box, and sends the locked box to another party called the receiver. In Stage 2 (the Decommit stage), the Sender provides the Receiver with ...
Universal Composition with Joint State
, 2002
"... We propose a new composition operation for cryptographic protocols, called universal composition with joint state, and demonstrate sufficient conditions for when the new operation preserves security. In contrast with existing composition operations, where the instances of the composed protocols are ..."
Abstract

Cited by 76 (9 self)
 Add to MetaCart
(Show Context)
We propose a new composition operation for cryptographic protocols, called universal composition with joint state, and demonstrate sufficient conditions for when the new operation preserves security. In contrast with existing composition operations, where the instances of the composed protocols are assumed to have completely disjoint local states, the new operation allows the composed protocols to have some amount of joint state (and, in particular, joint randomness) while still guaranteeing strong composability properties.
A Quantum Bit Commitment Scheme Provably Unbreakable by both Parties
, 1993
"... Assume that a party, Alice, has a bit x in mind, to which she would like to be committed toward another party, Bob. That is, Alice wishes, through a procedure commit(x), to provide Bob with a piece of evidence that she has a bit x in mind and that she cannot change it. Meanwhile, Bob should not be ..."
Abstract

Cited by 76 (13 self)
 Add to MetaCart
Assume that a party, Alice, has a bit x in mind, to which she would like to be committed toward another party, Bob. That is, Alice wishes, through a procedure commit(x), to provide Bob with a piece of evidence that she has a bit x in mind and that she cannot change it. Meanwhile, Bob should not be able to tell from that evidence what x is. At a later time, Alice can reveal, through a procedure unveil(x), the value of x and prove to Bob that the piece of evidence sent earlier really corresponded to that bit. Classical bit commitment schemes (by which Alice's piece of evidence is classical information such as a bit string) cannot be secure against unlimited computing power and none have been proven secure against algorithmic sophistication. Previous quantum bit commitment schemes (by which Alice's piece of evidence is quantum information such as a stream of polarized photons) were known to be invulnerable to unlimited computing power and algorithmic sophistication, but not to arbitrary...