Results 1-10 of 21
Perfect Zero-Knowledge Arguments for NP Using any One-Way Permutation
Journal of Cryptology, 1998
Cited by 60 (5 self)
"Perfect zero-knowledge arguments" is a cryptographic primitive which allows one polynomial-time player to convince another polynomial-time player of the validity of an NP statement, without revealing any additional information (in the information-theoretic sense). Here the security achieved is online: in order to cheat and validate a false theorem, the prover must break a cryptographic assumption online during the conversation, while the verifier cannot find (ever) any information unconditionally. Despite their practical and theoretical importance, it was only known how to implement zero-knowledge arguments based on specific algebraic assumptions. In this paper, we show a general construction, which can be based on any one-way permutation. The result is obtained by a construction of an information-theoretic secure bit-commitment protocol. The protocol is efficient (both parties are polynomial time) and can be based on any one-way permutation. A preliminary version of this ...
Honest-Verifier Statistical Zero-Knowledge Equals General Statistical Zero-Knowledge
In Proceedings of the 30th Annual ACM Symposium on Theory of Computing, 1998
Cited by 49 (15 self)
We show how to transform any interactive proof system which is statistical zero-knowledge with respect to the honest-verifier, into a proof system which is statistical zero-knowledge with respect to any verifier. This is done by limiting the behavior of potentially cheating verifiers, without using computational assumptions or even referring to the complexity of such verifier strategies. (Previous transformations have either relied on computational assumptions or were applicable only to constant-round public-coin proof systems.) Our transformation also applies to public-coin (aka Arthur-Merlin) computational zero-knowledge proofs: We transform any Arthur-Merlin proof system which is computational zero-knowledge with respect to the honest-verifier, into an Arthur-Merlin proof system which is computational zero-knowledge with respect to any probabilistic polynomial-time verifier. A crucial ingredient in our analysis is a new lemma regarding 2-universal hashing functions. Keywords: Complexit...
On Monotone Formula Closure of SZK
1994
Cited by 43 (2 self)
We investigate structural properties of statistical zero knowledge (SZK) both in the interactive and in the non-interactive model. Specifically, we look into the closure properties of SZK languages under monotone logical formula composition. This gives rise to new protocol techniques. We show that interactive SZK for random self reducible languages (RSR) (and for co-RSR) is closed under monotone boolean operations. Namely, we give SZK proofs for monotone boolean formulae whose atoms are statements about an SZK language which is RSR (or a complement of RSR). All previously known languages in SZK are in these classes. We then show that if a language L has a non-interactive SZK proof system then honest-verifier interactive SZK proof systems exist for all monotone boolean formulae whose atoms are statements about the complement of L. We also discuss extensions and generalizations. 1 Introduction Goldwasser, Micali, and Rackoff [34] introduced the notion of a zero-knowledge proof, a proof ...
Fair Games Against an All-Powerful Adversary
AMS DIMACS Series in Discrete Mathematics and Theoretical Computer Science, 1991
Cited by 39 (15 self)
Suppose that a weak (polynomial time) device needs to interact over a clear channel with a strong (infinitely-powerful) and untrustworthy adversarial device. Assuming the existence of one-way functions, during this interaction (game) the infinitely-powerful device can encrypt and (computationally) hide information from the weak device. However, to keep the game fair, the weak player must hide information from the infinitely-powerful player in the information-theoretic sense. Clearly, encryption in this case is useless, and other means must be used. In this paper, we show that under a general complexity assumption, this task is always possible to achieve. That is, we show that the weak player can play any polynomial length partial-information game (or secure protocol) with the strong player using any one-way function; we achieve this by implementing oblivious transfer protocol in this model. We also establish related impossibility results concerning oblivious transfer. In the proof of ou...
Fault-tolerant Computation in the Full Information Model
SIAM J. Comput, 1995
Cited by 33 (4 self)
We initiate an investigation of general fault-tolerant distributed computation in the full-information model. In the full information model no restrictions are made on the computational power of the faulty parties or the information available to them. (Namely, the faulty players may be infinitely powerful and there are no private channels connecting pairs of honest players). Previous work, in this model, has concentrated on the particular problem of simulating a single bounded-bias global coin flip (e.g. Ben-Or and Linial [4] and Alon and Naor [1]). We widen the scope of investigation to the general question of how well arbitrary fault-tolerant computations can be performed in this model. The results we obtain should be considered as first steps in this direction. We present efficient two-party protocols for fault-tolerant computation of any bivariate function. We prove that the advantage of dishonest player in these protocols is the minimum one possible (up to polylogarithmic factors)...
One-way trapdoor permutations are sufficient for non-trivial single-server private information retrieval
In Proc. of EUROCRYPT ’00, 2000
Cited by 25 (3 self)
Abstract. We show that general one-way trapdoor permutations are sufficient to privately retrieve an entry from a database of size n with total communication complexity strictly less than n. More specifically, we present a protocol in which the user sends O(K^2) bits and the server sends n − cn bits (for any constant c), where K is the security parameter K of the trapdoor permutations. Thus, for sufficiently large databases (e.g., when K = n^ɛ for some small ɛ) our construction breaks the information-theoretic lower-bound (of at least n bits). This demonstrates the feasibility of basing single-server private information retrieval on general complexity assumptions. An important implication of our result is that we can implement a 1-out-of-n Oblivious Transfer protocol with communication complexity strictly less than n based on any one-way trapdoor permutation.
A new interactive hashing theorem
In Proceedings of the 22nd Annual IEEE Conference on Computational Complexity, 2007
Cited by 13 (5 self)
Interactive hashing, introduced by Naor, Ostrovsky, Venkatesan and Yung (CRYPTO ’92), plays an important role in many cryptographic protocols. In particular, it is a major component in all known constructions of statistically hiding and computationally binding commitment schemes and of zero-knowledge arguments based on general one-way permutations and on one-way functions. Interactive hashing with respect to a one-way permutation f, is a two-party protocol that enables a sender that knows y = f(x) to transfer a random hash z = h(y) to a receiver. The receiver is guaranteed that the sender is committed to y (in the sense that it cannot come up with x and x′ such that f(x) ≠ f(x′), but h(f(x)) = h(f(x′)) = z). The sender is guaranteed that the receiver does not learn any additional information on y. In particular, when h is a two-to-one hash function, the receiver does not learn which of the two preimages {y, y′} = h^{-1}(z) is the one the sender can invert with respect to f. This paper reexamines the notion of interactive hashing. We give an alternative proof for the Naor et al. protocol, which seems to us significantly simpler and more intuitive than the original one. Moreover, the new proof achieves much better parameters (in terms of how security
Honest Verifier vs Dishonest Verifier in Public Coin Zero-Knowledge Proofs
1995
Cited by 13 (2 self)
This paper presents two transformations of public-coin/Arthur-Merlin proof systems which are zero-knowledge with respect to the honest verifier into (public-coin/Arthur-Merlin) proof systems which are zero-knowledge with respect to any verifier. The first transformation applies only to constant-round proof systems. It builds on Damgard's transformation (see Crypto93), using ordinary hashing functions instead of the interactive hashing protocol (of Naor, Ostrovsky, Venkatesan and Yung - see Crypto92) which was used by Damgard. Consequently, the protocols resulting from our transformation have much lower round-complexity than those derived by Damgard's transformation. As in Damgard's transformation, our transformation preserves statistical/perfect zero-knowledge and does not rely on any computational assumptions. However, unlike Damgard's transformation, the new transformation is not applicable to argument systems or to proofs of knowledge. The second transformation can be applied to p...
Proving without knowing: On oblivious, agnostic and blindfolded provers
Advances in Cryptology - CRYPTO ’96, 1996
Hashing Functions Can Simplify Zero-Knowledge Protocol Design (too)
BRICS TECHNICAL REPORT, 1994
Cited by 8 (2 self)
In Crypto93, Damgård showed that any constant-round protocol in which the verifier sends only independent, random bits and which is zero-knowledge against the honest verifier can be transformed into a protocol (for the same problem) that is zero-knowledge in general. His transformation was based on the interactive hashing technique of Naor, Ostrovsky, Venkatesan and Yung, and thus the resulting protocol had very large round-complexity. We adopt