#### DMCA

## Unconditionally Secure Commitment and Oblivious Transfer Schemes Using Private Channels and a Trusted Initializer (1999)

### Cached

### Download Links

Citations: | 42 - 0 self |

### Citations

1009 | How to prove yourself: Practical solutions to identification and signature problems
- Fiat, Shamir
- 1987
(Show Context)
Citation Context ...ommitment scheme." There are many applications for commitment schemes. Sealed-bid auctions are one obvious example: x 0 represents Alice's bid. Commitment schemes are useful for identification sc=-=hemes[16]-=-, multiparty protocols[17], and are an an essential component of many zero-knowledge proof schemes [18, 5, 11]. 2 Previous Work on Commitment Schemes Since commitment schemes were first introduced by ... |

952 | A Digital Signature Scheme Secure Against Adaptive Chosen Message Attacks
- Goldwasser, Micali, et al.
- 1988
(Show Context)
Citation Context ...tment schemes that are computationally binding and unconditionally private have been proposed by many researchers, including Blum[3], Goldwasser, Micali, and Rivest (implicit in their signature scheme=-=[19]-=-), Brassard, Chaum, and Cr`epeau[5], Brassard, Cr`epeau, and Yung[8], Halevi and Micali[21], and Halevi[20]. Brassard and Yung[7] develop a very general framework and theory for all bit commitment sch... |

583 | A fair protocol for signing contracts
- Ben-Or, Goldreich, et al.
- 1990
(Show Context)
Citation Context ...omitted here.) 7 Oblivious Transfer The notion of oblivious transfer was invented by Rabin [28]; the related notion of a 1-out-of-2 Oblivious Transfer was later devised by Even, Goldreich, and Lempel =-=[15]-=-. There are well-known close connections between commitment schemes and oblivious transfer [22, 27, 10, 12]. We note that a 1-out-of-2 oblivious transfer protocol invented by Bennett et al. [2] for us... |

542 |
How to play any mental game
- Goldreich, Micali, et al.
- 1987
(Show Context)
Citation Context ...re many applications for commitment schemes. Sealed-bid auctions are one obvious example: x 0 represents Alice's bid. Commitment schemes are useful for identification schemes[16], multiparty protocols=-=[17]-=-, and are an an essential component of many zero-knowledge proof schemes [18, 5, 11]. 2 Previous Work on Commitment Schemes Since commitment schemes were first introduced by Blum[3] in 1982 for the pr... |

472 | Non-malleable cryptogra-phy
- Dolev, Dwork, et al.
- 1991
(Show Context)
Citation Context ... based on any one-way function). Ohta, Okamoto, and Fujioka[26] show that Naor's scheme is secure against divertibility, and note that the non-malleable bit-commitment scheme of Dolev, Dwork, and Naor=-=[14]-=- can also be used to provide such protection. Ostrovsky, Venkatesan, and Yung[27] examine in some detail bit commitment schemes when at least one of the Sender/Receiver is computationally unbounded, a... |

376 |
How to exchange secrets by oblivious transfer
- Rabin
- 1981
(Show Context)
Citation Context ...ent Alice from cheating, the total number of initializers should be at least 2ff + fi + 1. (Analysis details omitted here.) 7 Oblivious Transfer The notion of oblivious transfer was invented by Rabin =-=[28]-=-; the related notion of a 1-out-of-2 Oblivious Transfer was later devised by Even, Goldreich, and Lempel [15]. There are well-known close connections between commitment schemes and oblivious transfer ... |

339 |
Minimum Disclosure Proofs of Knowledge
- Brassard, Chaum, et al.
- 1988
(Show Context)
Citation Context ...ous example: x 0 represents Alice's bid. Commitment schemes are useful for identification schemes[16], multiparty protocols[17], and are an an essential component of many zero-knowledge proof schemes =-=[18, 5, 11]. 2 Previo-=-us Work on Commitment Schemes Since commitment schemes were first introduced by Blum[3] in 1982 for the problem of "coin flipping by telephone," commitment schemes have been an active area o... |

304 |
Founding cryptography on oblivious transfer
- Kilian
- 1988
(Show Context)
Citation Context ...; the related notion of a 1-out-of-2 Oblivious Transfer was later devised by Even, Goldreich, and Lempel [15]. There are well-known close connections between commitment schemes and oblivious transfer =-=[22, 27, 10, 12]-=-. We note that a 1-out-of-2 oblivious transfer protocol invented by Bennett et al. [2] for use in a quantum communication model actually works well in our trusted initializer model. We assume that Ali... |

303 |
Verifiable Secret Sharing and Multi-party Protocols with Honest Majority
- Rabin, Ben-Or
- 1989
(Show Context)
Citation Context ...ensions, and Open Problems 6.1 Relation to "Check Vectors" Our scheme is very close, but not identical, to the use of "check vectors" by Rabin and Ben-Or in their classic paper on =-=multiparty protocols[29]-=-. In their scheme the trusted third party supplies a secret s to Alice and a corresponding check vector to Bob. Later, Alice can forward the secret s to Bob, and Bob can check that Alice has not modif... |

271 | Bit commitment using pseudorandomness
- Naor
- 1991
(Show Context)
Citation Context ...nn[13] show that the existence of "statistically hiding" bit commitment schemes (which provide nearly perfect unconditional privacy) is equivalent to the existence of fail-stop signature sch=-=emes. Naor[25]-=- presents a commitment scheme that is unconditionally binding and computationally private, based on any pseudorandom generator (or equivalently, based on any one-way function). Ohta, Okamoto, and Fuji... |

176 | Unconditionally secure quantum bit commitment is impossible
- Mayers
- 1997
(Show Context)
Citation Context ...ed assumptions. Other researchers have explored bit commitment in models of quan3 tum computation. Brassard et al.[6] proposed a quantum bit commitment scheme, but a subtle flaw was discovered; Mayers=-=[24]-=- proved general quantum bit commitment to be impossible, as did Lo and Chau[23]. More recently, Salvail[30] shows that under certain restricted assumptions about the Sender's ability to make measureme... |

151 |
Non-interactive zero-knowledge and its applications
- Blum, Feldman, et al.
- 1988
(Show Context)
Citation Context ...rusted initializer," as formalized here, are worth further exploration. Our notion is somewhat like the notion of a KDC (key distribution center), the notion of having a common random reference s=-=tring[4], or -=-the notion of the creator of global system parameters, except that our trusted initializer may supply different, but related random parameters to each party. It is more like the notion of a "trus... |

133 | Achieving oblivious transfer using weakened security assumptions, white plains, new york
- Crepeau, Kilian
- 1988
(Show Context)
Citation Context ...blem in PSPACE. Some researchers have explored information-theoretic models, based on the assumption of noisy communication channels. For example, Cr`epeau[10] improves on his earlier work with Kilian=-=[9] by g-=-iving efficient algorithms for bit commitment and oblivious transfer over a binary symmetric channel. Later, Damgard, Kilian, and Salvail[12] explore such questions further based on "unfair noisy... |

126 |
Avi Wigderson, “Proofs that Yield Nothing But their Validity and a Methodology of Cryptographic Protocol Design
- Goldreich, Micali
- 1986
(Show Context)
Citation Context ...ous example: x 0 represents Alice's bid. Commitment schemes are useful for identification schemes[16], multiparty protocols[17], and are an an essential component of many zero-knowledge proof schemes =-=[18, 5, 11]. 2 Previo-=-us Work on Commitment Schemes Since commitment schemes were first introduced by Blum[3] in 1982 for the problem of "coin flipping by telephone," commitment schemes have been an active area o... |

115 |
Coin flipping by telephone
- Blum
- 1982
(Show Context)
Citation Context ...ltiparty protocols[17], and are an an essential component of many zero-knowledge proof schemes [18, 5, 11]. 2 Previous Work on Commitment Schemes Since commitment schemes were first introduced by Blum=-=[3] in 1982 for the problem -=-of "coin flipping by telephone," commitment schemes have been an active area of research. However, one must face the "facts of life": "It is well known (and easy to see) that ... |

76 | A quantum bit commitment scheme provably unbreakable by both parties
- Brassard, Crepeau, et al.
- 1993
(Show Context)
Citation Context ... Salvail[12] explore such questions further based on "unfair noisy channels" and related assumptions. Other researchers have explored bit commitment in models of quan3 tum computation. Brass=-=ard et al.[6]-=- proposed a quantum bit commitment scheme, but a subtle flaw was discovered; Mayers[24] proved general quantum bit commitment to be impossible, as did Lo and Chau[23]. More recently, Salvail[30] shows... |

76 | Practical and provably-secure commitment schemes from collision-free hashing
- Halevi, Micali
(Show Context)
Citation Context ...ed by many researchers, including Blum[3], Goldwasser, Micali, and Rivest (implicit in their signature scheme[19]), Brassard, Chaum, and Cr`epeau[5], Brassard, Cr`epeau, and Yung[8], Halevi and Micali=-=[21], and Hale-=-vi[20]. Brassard and Yung[7] develop a very general framework and theory for all bit commitment schemes having unconditional privacy, based on "one-way group actions." Damgard, Pedersen, and... |

71 | On the existence of statistically hiding bit commitment schemes and fail-stop signatures
- Damg˚ard, Pedersen, et al.
- 1993
(Show Context)
Citation Context ...vi[20]. Brassard and Yung[7] develop a very general framework and theory for all bit commitment schemes having unconditional privacy, based on "one-way group actions." Damgard, Pedersen, and=-= Pfitzmann[13] show that-=- the existence of "statistically hiding" bit commitment schemes (which provide nearly perfect unconditional privacy) is equivalent to the existence of fail-stop signature schemes. Naor[25] p... |

70 | Is quantum bit commitment really possible
- Lo, Chau
- 1997
(Show Context)
Citation Context ...n3 tum computation. Brassard et al.[6] proposed a quantum bit commitment scheme, but a subtle flaw was discovered; Mayers[24] proved general quantum bit commitment to be impossible, as did Lo and Chau=-=[23]-=-. More recently, Salvail[30] shows that under certain restricted assumptions about the Sender's ability to make measurements, quantum bit commitment is still possible. Bit commitment schemes occur wit... |

66 | Efficient Cryptographic Protocols Based on Noisy Channels
- Crépeau
- 1997
(Show Context)
Citation Context ...cheme may be based on any hard-on-average problem in PSPACE. Some researchers have explored information-theoretic models, based on the assumption of noisy communication channels. For example, Cr`epeau=-=[10]-=- improves on his earlier work with Kilian[9] by giving efficient algorithms for bit commitment and oblivious transfer over a binary symmetric channel. Later, Damgard, Kilian, and Salvail[12] explore s... |

57 | On the (im)possibility of basing oblivious transfer and bit commitment on weakened security assumptions
- D̊amgard, Kilian, et al.
- 1999
(Show Context)
Citation Context ..., Cr`epeau[10] improves on his earlier work with Kilian[9] by giving efficient algorithms for bit commitment and oblivious transfer over a binary symmetric channel. Later, Damgard, Kilian, and Salvail=-=[12] explore s-=-uch questions further based on "unfair noisy channels" and related assumptions. Other researchers have explored bit commitment in models of quan3 tum computation. Brassard et al.[6] proposed... |

44 | Constant-round perfect zeroknowledge computationally convincing protocols
- Brassard, Crépeau, et al.
- 1991
(Show Context)
Citation Context ...ivate have been proposed by many researchers, including Blum[3], Goldwasser, Micali, and Rivest (implicit in their signature scheme[19]), Brassard, Chaum, and Cr`epeau[5], Brassard, Cr`epeau, and Yung=-=[8], Halevi a-=-nd Micali[21], and Halevi[20]. Brassard and Yung[7] develop a very general framework and theory for all bit commitment schemes having unconditional privacy, based on "one-way group actions."... |

41 |
Avi Wigderson. Multi-prover interactive proofs: How to remove intractability assumptions
- Ben-Or, Goldwasser, et al.
- 1988
(Show Context)
Citation Context ... which are mentioned above, or which fit in the above taxonomy. Just to pick one interesting example, Ben-Or Goldwasser, Kilian, and Wigderson utilize a bit commitment scheme in a "multi-prover&q=-=uot; model[1]-=-: of two provers who can't communicate with each other, one commits a bit to a verifier, and the other reveals it. 3 Our Model We believe it is of interest to look for practical commitment schemes tha... |

30 | On the existence of bit commitment schemes and zero-knowledge proofs
- Damgård
- 1989
(Show Context)
Citation Context ...ous example: x 0 represents Alice's bid. Commitment schemes are useful for identification schemes[16], multiparty protocols[17], and are an an essential component of many zero-knowledge proof schemes =-=[18, 5, 11]. 2 Previo-=-us Work on Commitment Schemes Since commitment schemes were first introduced by Blum[3] in 1982 for the problem of "coin flipping by telephone," commitment schemes have been an active area o... |

14 | Quantum Bit Commitment from a Physical Assumption,” CRYPTO
- Salvail
- 1998
(Show Context)
Citation Context ... et al.[6] proposed a quantum bit commitment scheme, but a subtle flaw was discovered; Mayers[24] proved general quantum bit commitment to be impossible, as did Lo and Chau[23]. More recently, Salvail=-=[30]-=- shows that under certain restricted assumptions about the Sender's ability to make measurements, quantum bit commitment is still possible. Bit commitment schemes occur within a wide variety of models... |

13 |
Verif able secret sharing and multiparty protocols with honest majority
- Rabin, Ben-Or
- 1989
(Show Context)
Citation Context ...ensions, and Open Problems 6.1 Relation to \Check Vectors" Our scheme is very close, but not identical, to the use of \check vectors" by Rabin and Ben-Or in their classic paper on multiparty protocols=-=[29]-=-. In their scheme the trusted third party supplies a secret s to Alice and a corresponding check vector to Bob. Later, Alice can forward the secret s to Bob, and Bob can check that Alice has not modi ... |

12 |
One-way group actions
- Brassard
- 1991
(Show Context)
Citation Context ...3], Goldwasser, Micali, and Rivest (implicit in their signature scheme[19]), Brassard, Chaum, and Cr`epeau[5], Brassard, Cr`epeau, and Yung[8], Halevi and Micali[21], and Halevi[20]. Brassard and Yung=-=[7] develop a-=- very general framework and theory for all bit commitment schemes having unconditional privacy, based on "one-way group actions." Damgard, Pedersen, and Pfitzmann[13] show that the existence... |

8 | Efficient Commitment Schemes with Bounded Sender and Unbounded
- Halevi
- 1999
(Show Context)
Citation Context ...rchers, including Blum[3], Goldwasser, Micali, and Rivest (implicit in their signature scheme[19]), Brassard, Chaum, and Cr`epeau[5], Brassard, Cr`epeau, and Yung[8], Halevi and Micali[21], and Halevi=-=[20]. Brassard-=- and Yung[7] develop a very general framework and theory for all bit commitment schemes having unconditional privacy, based on "one-way group actions." Damgard, Pedersen, and Pfitzmann[13] s... |

3 |
MarieHelene Skubiszewska. Practical quantum oblivious transfer
- Bennett, Brassard, et al.
- 1992
(Show Context)
Citation Context ... large value; the scheme is not just a "bit-commitment" scheme. We also observe that 1-out-of-n oblivious transfer is easily handled in the same model, using a simple OT protocol due to Benn=-=ett et al.[2]-=-. Keywords: bit-commitment, commitment scheme, unconditional security, trusted third party, trusted initializer, oblivious transfer. 1 Introduction A commitment scheme must specify a Commit protocol a... |

3 |
Coin ipping by telephone
- Blum
- 1982
(Show Context)
Citation Context ..., multiparty protocols[17], and are an an essential component of many zero-knowledge proof schemes [18,5,11]. 2 Previous Work on Commitment Schemes Since commitment schemes were rst introduced by Blum=-=[3]-=- in 1982 for the problem of \coin ipping by telephone," commitment schemes have been an active area of research. However, one must face the \facts of life": \It is well known (and easy to see) that in... |

2 |
Ramarathnam Venkatesan, and Moti Yung. Secure commitment against a powerful adversary
- Ostrovsky
- 1992
(Show Context)
Citation Context ...scheme is secure against divertibility, and note that the non-malleable bit-commitment scheme of Dolev, Dwork, and Naor[14] can also be used to provide such protection. Ostrovsky, Venkatesan, and Yung=-=[27]-=- examine in some detail bit commitment schemes when at least one of the Sender/Receiver is computationally unbounded, and in particular show that when the Sender is computationally unbounded, a commit... |

1 |
Secure bit commitment function against divertibility
- Ohta, Okamoto, et al.
- 1992
(Show Context)
Citation Context ...esents a commitment scheme that is unconditionally binding and computationally private, based on any pseudorandom generator (or equivalently, based on any one-way function). Ohta, Okamoto, and Fujioka=-=[26]-=- show that Naor's scheme is secure against divertibility, and note that the non-malleable bit-commitment scheme of Dolev, Dwork, and Naor[14] can also be used to provide such protection. Ostrovsky, Ve... |

1 |
cient cryptographic protocols based on noisy channels
- unknown authors
- 1997
(Show Context)
Citation Context ...scheme may be based on any hard-on-average problem in PSPACE. Some researchers have explored information-theoretic models, based on the assumption of noisy communication channels. For example, Crepeau=-=[10]-=- improves on his earlier work with Kilian[9] by giving e cient algorithms for bit commitment and oblivious transfer over a binary symmetric channel. Later, Damgard, Kilian, and Salvail[12] explore suc... |

1 |
Birgit P tzmann. On the existence of statistically hiding bit commitment schemes and fail-stop signatures
- Damgard, Pedersen
- 1997
(Show Context)
Citation Context ...evi[20]. Brassard and Yung[7] develop a very general framework and theory for all bit commitment schemes having unconditional privacy, based on \one-way group actions." Damgard, Pedersen, and P tzmann=-=[13]-=- show that the existence of \statistically hiding" bit commitment schemes (which provide nearly perfect unconditional privacy) is equivalent to the existence of fail-stop signature schemes. Naor[25] p... |

1 |
Quantum bit commitmentfromaphysical assumption
- Salvail
- 1998
(Show Context)
Citation Context ...rd et al.[6] proposed a quantum bit commitment scheme, but a subtle aw was discovered� Mayers[24] proved general quantum bit commitment to be impossible, as did Lo and Chau[23]. More recently, Salvail=-=[30]-=- shows that under certain restricted assumptions about the Sender's ability to make measurements, quantum bit commitment is still possible. Bit commitment schemes occur within a wide variety of models... |