Results 1 - 10 of 32
Secure communication in minimal connectivity models
Journal of Cryptology, 1998
Cited by 62 (1 self)
Abstract. Problems of secure communication and computation have been studied extensively in network models. In this work, we ask what is possible in the information-theoretic setting when the adversary is very strong (Byzantine) and the network connectivity is very low (minimum needed for crash-tolerance). For some natural models, our results imply a sizable gap between the connectivity required for perfect security and for probabilistic security. Our results also have implications to the commonly studied simple channel model and to general secure multiparty computation.
Perfect Zero-Knowledge Arguments for NP Using any One-Way Permutation
Journal of Cryptology, 1998
Cited by 60 (5 self)
"Perfect zero-knowledge arguments" is a cryptographic primitive which allows one polynomial-time player to convince another polynomial-time player of the validity of an NP statement, without revealing any additional information (in the information-theoretic sense). Here the security achieved is online: in order to cheat and validate a false theorem, the prover must break a cryptographic assumption online during the conversation, while the verifier cannot find (ever) any information unconditionally. Despite their practical and theoretical importance, it was only known how to implement zero-knowledge arguments based on specific algebraic assumptions. In this paper, we show a general construction, which can be based on any one-way permutation. The result is obtained by a construction of an information-theoretic secure bit-commitment protocol. The protocol is efficient (both parties are polynomial time) and can be based on any one-way permutation. A preliminary version of this ...
Secure Hypergraphs: Privacy from Partial Broadcast
In Proceedings of the Twenty-Seventh Annual ACM Symposium on the Theory of Computing, 1995
Cited by 37 (2 self)
A "partial broadcast channel" enables one processor to send the same message simultaneously and privately to a fixed subset of processors. Suppose that a collection of processors are connected by an arbitrary network of partial broadcast channels (a hypergraph). We initiate the study of necessary and sufficient conditions, complexity bounds, and protocols for individual processors to exchange private messages across this network. Private message exchange, in turn, enables the realization of general secure computation primitives. The model (motivated by various environments such as multicast network architectures and group communication in distributed systems) is an intermediate setting between the private channels model and the full information model, both of which have been investigated extensively in the last few years. We assume an all-powerful adversary (i.e., the information-theoretic notion of security), and our techniques are combinatorial. Both the possibility and the poly...
One-way trapdoor permutations are sufficient for non-trivial single-server private information retrieval
In Proc. of EUROCRYPT ’00, 2000
Cited by 25 (3 self)
Abstract. We show that general one-way trapdoor permutations are sufficient to privately retrieve an entry from a database of size n with total communication complexity strictly less than n. More specifically, we present a protocol in which the user sends O(K^2) bits and the server sends n − cn bits (for any constant c), where K is the security parameter of the trapdoor permutations. Thus, for sufficiently large databases (e.g., when K = n^ɛ for some small ɛ) our construction breaks the information-theoretic lower bound (of at least n bits). This demonstrates the feasibility of basing single-server private information retrieval on general complexity assumptions. An important implication of our result is that we can implement a 1-out-of-n Oblivious Transfer protocol with communication complexity strictly less than n based on any one-way trapdoor permutation.
Fast perfect-information leader-election protocols with linear immunity
COMBINATORICA, 1995
Cited by 24 (2 self)
In this paper we develop a leader election protocol P with the following features: 1. The protocol runs in the perfect information model: Every step taken by a player is visible to all others. 2. It has linear immunity: If P is run by n players and a coalition of c_1 n players deviates from the protocol, attempting to have one of them elected, their probability of success is < 1 − c_2, where c_1, c_2 > 0 are absolute constants. 3. It is fast: The running time of P is polylogarithmic in n, the number of players. A previous protocol by Alon and Naor achieving linear immunity in the perfect information model has a linear time complexity. The main ingredient of our protocol is a reduction subprotocol. This is a way for n players to elect a subset of themselves which has the following property. Assume that up to εn of the players are bad and try to have as many of them elected to the subset. Then with high probability, the fraction of bad players among the elected ones will not exceed ε in a significant way. The existence of such a reduction protocol is first established by a probabilistic argument. Later an explicit construction is provided which is based on the spectral properties of Ramanujan graphs.
Statistical Zero-Knowledge Arguments for NP from Any One-Way
ELECTRONIC COLLOQUIUM ON COMPUTATIONAL COMPLEXITY, 2006
Cited by 23 (2 self)
We show that every language in NP has a statistical zero-knowledge argument system under the (minimal) complexity assumption that one-way functions exist. In such protocols, even a computationally unbounded verifier cannot learn anything other than the fact that the assertion being proven is true, whereas a polynomial-time prover cannot convince the verifier to accept a false assertion except with negligible probability. This resolves an open question posed by Naor, Ostrovsky, Venkatesan, and Yung (CRYPTO ’92, J. Cryptology ’98). Departing from previous works on this problem, we do not construct standard statistically hiding commitments from any one-way function. Instead, we construct a relaxed variant of commitment schemes called “1-out-of-2-binding commitments,” recently introduced by Nguyen and Vadhan (STOC ’06).
Byzantine agreement in the full-information model in o(log n) rounds
Cited by 22 (3 self)
We present a randomized Byzantine Agreement (BA) protocol with an expected running time of O(log n) rounds, in a synchronous full-information network of n players. For any constant ɛ > 0, the constructed protocol tolerates t non-adaptive Byzantine faults, as long as n ≥ (4+ɛ)t. In the full-information model, no restrictions are placed on the computational power of the faulty players or the information available to them. In particular, the faulty players may be infinitely powerful, and they can observe all communication among the honest players. This constitutes significant progress over the best known randomized BA protocol in the same setting which has a round-complexity of Θ(t / log n) rounds [9], and answers an open problem posed by Chor and Dwork [10].
Perfect Information Leader Election in log* n + O(1) Rounds
JOURNAL OF COMPUTER AND SYSTEM SCIENCES, 2001
Cited by 19 (3 self)
In the leader election problem, n players wish to elect a random leader. The difficulty is that some coalition of players may conspire to elect one of its own members. We adopt the perfect information model: all communication is by broadcast, and the bad players have unlimited computational power. Protocols proceed in rounds: though players are synchronized between rounds, within each round the bad players may wait to see the inputs of the good players. A protocol is called resilient if a good leader is elected with probability bounded away from 0. We give a simple, constructive leader election protocol that is resilient against coalitions of size βn, for any β < 1/2. Our protocol takes log
Games Computers Play: Game-Theoretic Aspects of Computing
In, 1992
Cited by 16 (1 self)
this article is on protocols allowing the well-functioning parts of such a large and complex system to carry out their work despite the failure of others. Many deep and interesting results on such problems have been discovered by computer scientists in recent years, the incorporation of which into game theory can greatly enrich this field
Biased random walks
In Proceedings of the Twenty-Fourth Annual ACM Symposium on the Theory of Computing, 1992
Cited by 16 (0 self)
How much can an imperfect source of randomness affect an algorithm? We examine several simple questions of this type concerning the long-term behavior of a random walk on a finite graph. In our setup, at each step of the random walk a “controller” can, with a certain small probability, fix the next step, thus introducing a bias. We analyze the extent to which the bias can affect the limit behavior of the walk. The controller is assumed to associate a real, nonnegative, “benefit” with each state, and to strive to maximize the long-term expected benefit. We derive tight bounds on the maximum of this objective function over all controller’s strategies, and present polynomial time algorithms for computing the optimal controller strategy.