Perfect Zero-Knowledge Arguments for NP Using any One-Way Permutation
- Journal of Cryptology
, 1998
Cited by 60 (5 self)
"Perfect zero-knowledge arguments" is a cryptographic primitive which allows one polynomial-time player to convince another polynomial-time player of the validity of an NP statement, without revealing any additional information (in the information-theoretic sense). Here the security achieved is on-line: in order to cheat and validate a false theorem, the prover must break a cryptographic assumption on-line during the conversation, while the verifier cannot find (ever) any information unconditionally. Despite their practical and theoretical importance, it was only known how to implement zero-knowledge arguments based on specific algebraic assumptions. In this paper, we show a general construction, which can be based on any one-way permutation. The result is obtained by a construction of an information-theoretic secure bit-commitment protocol. The protocol is efficient (both parties are polynomial time) and can be based on any one-way permutation. A preliminary version of this ...
Honest-Verifier Statistical Zero-Knowledge Equals General Statistical Zero-Knowledge
- In Proceedings of the 30th Annual ACM Symposium on Theory of Computing
, 1998
Cited by 49 (15 self)
We show how to transform any interactive proof system which is statistical zero-knowledge with respect to the honest-verifier, into a proof system which is statistical zero-knowledge with respect to any verifier. This is done by limiting the behavior of potentially cheating verifiers, without using computational assumptions or even referring to the complexity of such verifier strategies. (Previous transformations have either relied on computational assumptions or were applicable only to constant-round public-coin proof systems.) Our transformation also applies to public-coin (aka Arthur-Merlin) computational zero-knowledge proofs: We transform any Arthur-Merlin proof system which is computational zero-knowledge with respect to the honest-verifier, into an Arthur-Merlin proof system which is computational zero-knowledge with respect to any probabilistic polynomial-time verifier. A crucial ingredient in our analysis is a new lemma regarding 2-universal hashing functions. Keywords: Complexit...
On Monotone Formula Closure of SZK
, 1994
Cited by 43 (2 self)
We investigate structural properties of statistical zero knowledge (SZK) both in the interactive and in the non-interactive model. Specifically, we look into the closure properties of SZK languages under monotone logical formula composition. This gives rise to new protocol techniques. We show that interactive SZK for random self reducible languages (RSR) (and for co-RSR) is closed under monotone boolean operations. Namely, we give SZK proofs for monotone boolean formulae whose atoms are statements about an SZK language which is RSR (or a complement of RSR). All previously known languages in SZK are in these classes. We then show that if a language L has a noninteractive SZK proof system then honest-verifier interactive SZK proof systems exist for all monotone boolean formulae whose atoms are statements about the complement of L. We also discuss extensions and generalizations. 1 Introduction Goldwasser, Micali, and Rackoff [34] introduced the notion of a zero-knowledge proof, a proof ...
Fair Games Against an All-Powerful Adversary
- AMS DIMACS Series in Discrete Mathematics and Theoretical Computer Science
, 1991
Cited by 39 (15 self)
Suppose that a weak (polynomial time) device needs to interact over a clear channel with a strong (infinitely-powerful) and untrustworthy adversarial device. Assuming the existence of one-way functions, during this interaction (game) the infinitely-powerful device can encrypt and (computationally) hide information from the weak device. However, to keep the game fair, the weak player must hide information from the infinitely-powerful player in the information-theoretic sense. Clearly, encryption in this case is useless, and other means must be used. In this paper, we show that under a general complexity assumption, this task is always possible to achieve. That is, we show that the weak player can play any polynomial length partial-information game (or secure protocol) with the strong player using any one-way function; we achieve this by implementing oblivious transfer protocol in this model. We also establish related impossibility results concerning oblivious transfer. In the proof of ou...
Fault-tolerant Computation in the Full Information Model
- SIAM J. Comput
, 1995
Cited by 33 (4 self)
We initiate an investigation of general fault-tolerant distributed computation in the full-information model. In the full information model no restrictions are made on the computational power of the faulty parties or the information available to them. (Namely, the faulty players may be infinitely powerful and there are no private channels connecting pairs of honest players). Previous work, in this model, has concentrated on the particular problem of simulating a single bounded-bias global coin flip (e.g. Ben-Or and Linial [4] and Alon and Naor [1]). We widen the scope of investigation to the general question of how well arbitrary fault-tolerant computations can be performed in this model. The results we obtain should be considered as first steps in this direction. We present efficient two-party protocols for fault-tolerant computation of any bivariate function. We prove that the advantage of dishonest player in these protocols is the minimum one possible (up to polylogarithmic factors)...
One-way trapdoor permutations are sufficient for non-trivial single-server private information retrieval
- In Proc. of EUROCRYPT ’00
, 2000
Cited by 25 (3 self)
We show that general one-way trapdoor permutations are sufficient to privately retrieve an entry from a database of size n with total communication complexity strictly less than n. More specifically, we present a protocol in which the user sends O(K^2) bits and the server sends n − cn bits (for any constant c), where K is the security parameter of the trapdoor permutations. Thus, for sufficiently large databases (e.g., when K = n^ɛ for some small ɛ) our construction breaks the information-theoretic lower-bound (of at least n bits). This demonstrates the feasibility of basing single-server private information retrieval on general complexity assumptions. An important implication of our result is that we can implement a 1-out-of-n Oblivious Transfer protocol with communication complexity strictly less than n based on any one-way trapdoor permutation.
A new interactive hashing theorem
- In Proceedings of the 22nd Annual IEEE Conference on Computational Complexity
, 2007
Cited by 13 (5 self)
Interactive hashing, introduced by Naor, Ostrovsky, Venkatesan and Yung (CRYPTO ’92), plays an important role in many cryptographic protocols. In particular, it is a major component in all known constructions of statistically hiding and computationally binding commitment schemes and of zero-knowledge arguments based on general one-way permutations and on one-way functions. Interactive hashing with respect to a one-way permutation f, is a two-party protocol that enables a sender that knows y = f(x) to transfer a random hash z = h(y) to a receiver. The receiver is guaranteed that the sender is committed to y (in the sense that it cannot come up with x and x′ such that f(x) ≠ f(x′), but h(f(x)) = h(f(x′)) = z). The sender is guaranteed that the receiver does not learn any additional information on y. In particular, when h is a two-to-one hash function, the receiver does not learn which of the two preimages {y, y′} = h^{-1}(z) is the one the sender can invert with respect to f. This paper reexamines the notion of interactive hashing. We give an alternative proof for the Naor et al. protocol, which seems to us significantly simpler and more intuitive than the original one. Moreover, the new proof achieves much better parameters (in terms of how security
Honest Verifier vs Dishonest Verifier in Public Coin Zero-Knowledge Proofs
, 1995
Cited by 13 (2 self)
This paper presents two transformations of public-coin/Arthur-Merlin proof systems which are zero-knowledge with respect to the honest verifier into (public-coin/Arthur-Merlin) proof systems which are zero-knowledge with respect to any verifier. The first transformation applies only to constant-round proof systems. It builds on Damgard's transformation (see Crypto93), using ordinary hashing functions instead of the interactive hashing protocol (of Naor, Ostrovsky, Venkatesan and Yung -- see Crypto92) which was used by Damgard. Consequently, the protocols resulting from our transformation have much lower round-complexity than those derived by Damgard's transformation. As in Damgard's transformation, our transformation preserves statistical/perfect zero-knowledge and does not rely on any computational assumptions. However, unlike Damgard's transformation, the new transformation is not applicable to argument systems or to proofs of knowledge. The second transformation can be applied to p...
Proving without knowing: On oblivious, agnostic and blindfolded provers
- Advances in Cryptology - CRYPTO ’96
, 1996
Hashing Functions Can Simplify Zero-Knowledge Protocol Design (too)
- BRICS TECHNICAL REPORT
, 1994
Cited by 8 (2 self)
In Crypto93, Damgård showed that any constant-round protocol in which the verifier sends only independent, random bits and which is zero-knowledge against the honest verifier can be transformed into a protocol (for the same problem) that is zero-knowledge in general. His transformation was based on the interactive hashing technique of Naor, Ostrovsky, Venkatesan and Yung, and thus the resulting protocol had very large round-complexity. We adopt