Concurrent Zero-Knowledge
In 30th STOC, 1999
Cited by 177 (18 self)
Concurrent executions of a zero-knowledge protocol by a single prover (with one or more verifiers) may leak information and may not be zero-knowledge in toto. In this paper, we study the problem of maintaining zero-knowledge. We introduce the notion of an (; ) timing constraint: for any two processors P1 and P2, if P1 measures elapsed time on its local clock and P2 measures elapsed time on its local clock, and P2 starts after P1 does, then P2 will finish after P1 does. We show that if the adversary is constrained by an (; ) assumption then there exist four-round almost concurrent zero-knowledge interactive proofs and perfect concurrent zero-knowledge arguments for every language in NP. We also address the more specific problem of Deniable Authentication, for which we propose several particularly efficient solutions. Deniable Authentication is of independent interest, even in the sequential case; our concurrent solutions yield sequential solutions without recourse to timing, i.e., in the standard model.
Efficient and Non-Interactive Non-Malleable Commitment
2001
Cited by 69 (9 self)
We present new constructions of non-malleable commitment schemes, in the public parameter model (where a trusted party makes parameters available to all parties), based on the discrete logarithm or RSA assumptions. The main features of our schemes are: they achieve near-optimal communication for arbitrarily large messages and are non-interactive. Previous schemes either required (several rounds of) interaction or focused on achieving non-malleable commitment based on general assumptions and were thus efficient only when committing to a single bit. Although our main constructions are for the case of perfectly-hiding commitment, we also present a communication-efficient, non-interactive commitment scheme (based on general assumptions) that is perfectly binding.
Lower Bounds for Zero Knowledge on the Internet
Proc. of FOCS '98, 1998
Cited by 55 (5 self)
We consider zero-knowledge interactive proofs in a richer, more realistic communication environment. In this setting, one may simultaneously engage in many interactive proofs, and these proofs may take place in an asynchronous fashion. It is known that zero-knowledge is not necessarily preserved in such an environment; we show that for a large class of protocols, it cannot be preserved. Any 4-round (computational) zero-knowledge interactive proof (or argument) for a nontrivial language L is not black-box simulatable in the asynchronous setting.
Round-Optimal Secure Two-Party Computation
In CRYPTO 2004, 2004
Cited by 49 (6 self)
We consider the central cryptographic task of secure two-party computation: two parties wish to compute some function of their private inputs (each receiving possibly different outputs) where security should hold with respect to arbitrarily malicious behavior of either of the participants. Despite extensive research in this area, the exact round complexity of this fundamental problem (i.e., the number of rounds required to compute an arbitrary poly-time functionality) was not previously known.
Concurrent and Resettable Zero-Knowledge in Polylogarithmic Rounds (Extended Abstract)
STOC'01, 2001
Cited by 43 (1 self)
2 k) rounds given at most k concurrent proofs. Finally, we show that a simple modification of our proof is a resettable zero-knowledge proof for NP, with ω(log² k) rounds; previously known protocols required a polynomial number of rounds.
Confirmer Signature Schemes Secure against Adaptive Adversaries (Extended Abstract)
2000
Cited by 42 (1 self)
The main difference between confirmer signatures and ordinary digital signatures is that a confirmer signature can be verified only with the assistance of a semi-trusted third party, the confirmer. Additionally, the confirmer can selectively convert single confirmer signatures into ordinary signatures. This paper points out that previous models for confirmer signature schemes are too restricted to address the case where several signers share the same confirmer. More seriously, we show that various proposed schemes (some of which are provably secure in these restricted models) are vulnerable to an adaptive signature-transformation attack. We define a new stronger model that covers this kind of attack and provide a generic solution based on any secure ordinary signa...
Black-box constructions of two-party protocols from one-way functions
In TCC, 2009
Cited by 16 (6 self)
We exhibit constructions of the following two-party cryptographic protocols given only black-box access to a one-way function: constant-round zero-knowledge arguments (of knowledge) for any language in NP; constant-round trapdoor commitment schemes; constant-round parallel coin-tossing. Previous constructions either require stronger computational assumptions (e.g. collision-resistant hash functions), non-black-box access to a one-way function, or a super-constant number of rounds. As an immediate corollary, we obtain a constant-round black-box construction of secure two-party computation protocols starting from only semi-honest oblivious transfer. In addition, by combining our techniques with recent constructions of concurrent zero-knowledge and non-malleable primitives, we obtain black-box constructions of concurrent zero-knowledge arguments for NP and non-malleable commitments starting from only one-way functions.
Keywords: black-box constructions, zero-knowledge arguments, trapdoor commitments, parallel coin-tossing, secure two-party computation, non-malleable commitments
Simulatable Commitments and Efficient Concurrent Zero-Knowledge
In EUROCRYPT'03, volume 2656 of LNCS, 2003
Cited by 10 (1 self)
We define and construct simulatable commitments. These are commitment schemes such that there is an efficient interactive proof system to show that a given string c is a legitimate commitment on a given value v, and furthermore, this proof is efficiently simulatable given any proper pair (c, v). Our construction is provably secure based on the Decisional Diffie-Hellman (DDH) assumption. Using simulatable commitments, we show how to efficiently transform any public-coin honest-verifier zero-knowledge proof system into a proof system that is concurrent zero-knowledge with respect to any (possibly cheating) verifier via black-box simulation. By efficient we mean that our transformation incurs only an additive overhead (both in terms of the number of rounds and the computational and communication complexity of each round), and the additive term is close to optimal (for black-box simulation): only ω(log n) additional rounds, and ω(log n) additional public-key operations for each round of the original protocol, where n is a security parameter, and ω(log n) can be any superlogarithmic function of n independent of the complexity of the original protocol. The transformation preserves (up to negligible additive terms) the soundness and completeness error probabilities, and the new proof system is proved secure based on the DDH assumption, in the standard model of computation, i.e., no random oracles, shared random strings, or public-key infrastructure is assumed.
Concurrent Zero-Knowledge in Polylogarithmic Rounds (Extended Abstract)
In Cryptology ePrint Archive: Report 2000/013. Available from http://eprint.iacr.org/2000/013, 2000
Cited by 8 (1 self)
A proof is concurrent zero-knowledge if it remains zero-knowledge when run in an asynchronous environment, such as the Internet. It is known that zero-knowledge is not necessarily preserved in such an environment; Kilian, Petrank and Rackoff have shown that any 4-round zero-knowledge interactive proof (for a nontrivial language) is not concurrent zero-knowledge. On the other hand, Richardson and Kilian have shown that there exists a concurrent zero-knowledge argument for all languages in NP, but it requires a polynomial number of rounds. In this paper, we present a concurrent zero-knowledge proof for all languages in NP with a drastically improved complexity: our proof requires only a polylogarithmic, specifically ω(log² k), number of rounds. Thus, we narrow the huge gap between the known upper and lower bounds on the number of rounds required for a zero-knowledge proof that is robust for asynchronous composition....
Concurrent/Resettable Zero-Knowledge with Concurrent Soundness in the Bare Public-Key Model and Its Applications
2003
Cited by 7 (3 self)
In this paper, we present both practical and general 4-round concurrent and resettable zero-knowledge arguments with concurrent soundness in the bare public-key (BPK) model. To our knowledge, our result is the first work that achieves concurrent soundness for ZK protocols in the BPK model and stands as the current state of the art of concurrent zero-knowledge with setup assumptions.