Results 1 - 10 of 39
One-Round Secure Computation and Secure Autonomous Mobile Agents (Extended Abstract)
2000
Cited by 84 (0 self)
This paper investigates one-round secure computation between two distrusting parties: Alice and Bob each have private inputs to a common function, but only Alice, acting as the receiver, is to learn the output; the protocol is limited to one message from Alice to Bob followed by one message from Bob to Alice. A model in which Bob may be computationally unbounded is investigated, which corresponds to information-theoretic security for Alice. It is shown that 1. for honest-but-curious behavior and unbounded Bob, any function computable by a polynomial-size circuit can be computed securely assuming the hardness of the decisional Diffie-Hellman problem; 2. for malicious behavior by both (bounded) parties, any function computable by a polynomial-size circuit can be computed securely, in a public-key framework, assuming the hardness of the decisional Diffie-Hellman problem.
Efficient and Non-Interactive Non-Malleable Commitment
2001
Cited by 65 (9 self)
We present new constructions of non-malleable commitment schemes, in the public parameter model (where a trusted party makes parameters available to all parties), based on the discrete logarithm or RSA assumptions. The main features of our schemes are: they achieve near-optimal communication for arbitrarily-large messages and are non-interactive. Previous schemes either required (several rounds of) interaction or focused on achieving non-malleable commitment based on general assumptions and were thus efficient only when committing to a single bit. Although our main constructions are for the case of perfectly-hiding commitment, we also present a communication-efficient, non-interactive commitment scheme (based on general assumptions) that is perfectly binding.
Perfect Zero-Knowledge Arguments for NP Using any One-Way Permutation
Journal of Cryptology, 1998
Cited by 60 (5 self)
"Perfect zero-knowledge arguments" is a cryptographic primitive which allows one polynomial-time player to convince another polynomial-time player of the validity of an NP statement, without revealing any additional information (in the information-theoretic sense). Here the security achieved is online: in order to cheat and validate a false theorem, the prover must break a cryptographic assumption online during the conversation, while the verifier cannot find (ever) any information unconditionally. Despite their practical and theoretical importance, it was only known how to implement zero-knowledge arguments based on specific algebraic assumptions. In this paper, we show a general construction, which can be based on any one-way permutation. The result is obtained by a construction of an information-theoretic secure bit-commitment protocol. The protocol is efficient (both parties are polynomial time) and can be based on any one-way permutation. A preliminary version of this ...
Perfect Zero-Knowledge Arguments for NP Can Be Based on General Complexity Assumptions (Extended Abstract)
Journal of Cryptology, 1998
Cited by 42 (11 self)
"Zero-knowledge arguments" is a fundamental cryptographic primitive which allows one polynomial-time player to convince another polynomial-time player of the validity of an NP statement, without revealing any additional information in the information-theoretic sense. Despite their practical and theoretical importance, it was only known how to implement zero-knowledge arguments based on specific algebraic assumptions; basing them on a general complexity assumption was open since their introduction in 1986 [BCC, BC, CH]. In this paper, we finally show a general construction, which can be based on any one-way permutation. We stress that our scheme is efficient: both players can execute only polynomial-time programs during the protocol. Moreover, the security achieved is online: in order to cheat and validate a false theorem, the prover must break a cryptographic assumption online during the conversation, while the verifier cannot find (ever!) any information unconditionally (in the i...
Fault-tolerant Computation in the Full Information Model
SIAM J. Comput., 1995
Cited by 33 (4 self)
We initiate an investigation of general fault-tolerant distributed computation in the full-information model. In the full information model no restrictions are made on the computational power of the faulty parties or the information available to them. (Namely, the faulty players may be infinitely powerful and there are no private channels connecting pairs of honest players). Previous work, in this model, has concentrated on the particular problem of simulating a single bounded-bias global coin flip (e.g. Ben-Or and Linial [4] and Alon and Naor [1]). We widen the scope of investigation to the general question of how well arbitrary fault-tolerant computations can be performed in this model. The results we obtain should be considered as first steps in this direction. We present efficient two-party protocols for fault-tolerant computation of any bivariate function. We prove that the advantage of dishonest player in these protocols is the minimum one possible (up to polylogarithmic factors)...
Reducing complexity assumptions for statistically-hiding commitment
In EUROCRYPT, 2005
Cited by 31 (6 self)
We revisit the following question: what are the minimal assumptions needed to construct statistically-hiding commitment schemes? Naor et al. show how to construct such schemes based on any one-way permutation. We improve upon this by showing a construction based on any approximable preimage-size one-way function. These are one-way functions for which it is possible to efficiently approximate the number of preimages of a given output. A special case is the class of regular one-way functions where all points in the image of the function have the same number of preimages. We also prove two additional results related to statistically-hiding commitment. First, we prove a (folklore) parallel composition theorem showing, roughly speaking, that the statistical hiding property of any such commitment scheme is amplified exponentially when multiple independent parallel executions of the scheme are carried out. Second, we show a compiler which transforms any commitment scheme which is statistically hiding against an honest-but-curious receiver into one which is statistically hiding even against a malicious receiver.
Reducibility and Completeness In Private Computations
SIAM J. Comput.
Cited by 27 (7 self)
We define the notions of reducibility and completeness in (two-party and multi-party) private computations. Let g be an n-argument function. We say that a function f is reducible to a function g if n honest-but-curious players can compute the function f n-privately, given a black-box for g (for which they secretly give inputs and get the result of operating g on these inputs). We say that g is complete (for private computations) if every function f is reducible to g. In this paper, we characterize the complete boolean functions: we show that a boolean function g is complete if and only if g itself cannot be computed n-privately (when there is no black-box available). Namely, for boolean functions, the notions of completeness and n-privacy are complementary. This characterization gives a huge collection of complete functions (any non-private boolean function!) compared to very few examples given (implicitly) in previous work. On the other hand, for non-boolean functions, we show tha...
One-way trapdoor permutations are sufficient for non-trivial single-server private information retrieval
In Proc. of EUROCRYPT ’00, 2000
Cited by 25 (3 self)
We show that general one-way trapdoor permutations are sufficient to privately retrieve an entry from a database of size n with total communication complexity strictly less than n. More specifically, we present a protocol in which the user sends O(K^2) bits and the server sends n − cn bits (for any constant c), where K is the security parameter K of the trapdoor permutations. Thus, for sufficiently large databases (e.g., when K = n^ɛ for some small ɛ) our construction breaks the information-theoretic lower-bound (of at least n bits). This demonstrates the feasibility of basing single-server private information retrieval on general complexity assumptions. An important implication of our result is that we can implement a 1-out-of-n Oblivious Transfer protocol with communication complexity strictly less than n based on any one-way trapdoor permutation.
Statistical Zero-Knowledge Arguments for NP from Any One-Way
Electronic Colloquium on Computational Complexity, 2006
Cited by 24 (3 self)
We show that every language in NP has a statistical zero-knowledge argument system under the (minimal) complexity assumption that one-way functions exist. In such protocols, even a computationally unbounded verifier cannot learn anything other than the fact that the assertion being proven is true, whereas a polynomial-time prover cannot convince the verifier to accept a false assertion except with negligible probability. This resolves an open question posed by Naor, Ostrovsky, Venkatesan, and Yung (CRYPTO ‘92, J. Cryptology ‘98). Departing from previous works on this problem, we do not construct standard statistically hiding commitments from any one-way function. Instead, we construct a relaxed variant of commitment schemes called “1-out-of-2-binding commitments,” recently introduced by Nguyen and Vadhan (STOC ‘06).
Reducibility and Completeness In Multi-Party Private Computations
1994
Cited by 23 (10 self)
We define the notions of reducibility and completeness in multi-party private computations. Let g be an n-argument function. We say that a function f is reducible to g if n honest-but-curious players can compute the function f n-privately, given a black-box for g (for which they secretly give inputs and get the result of operating g on these inputs). We say that g is complete (for multi-party private computations) if every function f is reducible to g. In this paper, we characterize the complete boolean functions: we show that a boolean function g is complete if and only if g itself cannot be computed n-privately (when there is no black-box available). Namely, for boolean functions, the notions of completeness and n-privacy are complementary. This characterization gives a huge collection of complete functions (any non-private boolean function!) compared to very few examples given (implicitly) in previous work. On the other hand, for non-boolean functions, we show that these two not...