Results 1 - 6 of 6
Witness Encryption and its Applications
Abstract

Cited by 41 (9 self)
We put forth the concept of witness encryption. A witness encryption scheme is defined for an NP language L (with corresponding witness relation R). In such a scheme, a user can encrypt a message M to a particular problem instance x to produce a ciphertext. A recipient of a ciphertext is able to decrypt the message if x is in the language and the recipient knows a witness w where R(x, w) holds. However, if x is not in the language, then no polynomial-time attacker can distinguish between encryptions of any two equal-length messages. We emphasize that the encrypter himself may have no idea whether x is actually in the language. Our contributions in this paper are threefold. First, we introduce and formally define witness encryption. Second, we show how to build several cryptographic primitives from witness encryption. Finally, we give a candidate construction based on the NP-complete Exact Cover problem and Garg, Gentry, and Halevi's recent construction of "approximate" multilinear maps. Our method for witness encryption also yields the first candidate construction for an open problem posed by Rudich in 1989: constructing computational secret sharing schemes for an NP-complete access structure.
On Approximating the Entropy of Polynomial Mappings
 Electronic Colloquium on Computational Complexity (ECCC), Report No. 160, 2010
Abstract

Cited by 10 (0 self)
We investigate the complexity of the following computational problem: Polynomial Entropy Approximation (PEA): Given a low-degree polynomial mapping p: F^n → F^m, where F is a finite field, approximate the output entropy H(p(U_n)), where U_n is the uniform distribution on F^n and H may be any of several entropy measures. We show:
• Approximating the Shannon entropy of degree-3 polynomials p: F_2^n → F_2^m over F_2 to within an additive constant (or even n^{0.9}) is complete for SZKP_L, the class of problems having statistical zero-knowledge proofs where the honest verifier and its simulator are computable in logarithmic space. (SZKP_L contains most of the natural problems known to be in the full class SZKP.)
• For prime fields F ≠ F_2 and homogeneous quadratic polynomials p: F^n → F^m, there is a probabilistic polynomial-time algorithm that distinguishes the case that p(U_n) has entropy smaller than k from the case that p(U_n) has min-entropy (or even Rényi entropy) greater
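To make the PEA problem concrete, here is an added example (not code from the paper) that computes the exact output entropy of a polynomial map p: F_q^n → F_q^m by enumerating all q^n inputs. It reports the Shannon, Rényi-2 and min-entropy of p(U_n) side by side, since the abstract's two results are stated for different entropy measures. The two instances (a degree-3 map over F_2 and a homogeneous quadratic over F_3) are constructed for illustration; the brute-force enumeration is exponential in n and is only meant to show what is being approximated, not how the paper's algorithm does it.

```python
"""Brute-force Polynomial Entropy Approximation (PEA) on tiny instances.

Added example, not code from the paper: it enumerates all q^n inputs of a
polynomial map p: F_q^n -> F_q^m and computes the exact Shannon, Renyi-2 and
min-entropy of p(U_n). The two instances below are constructed for
illustration and are not taken from the paper.
"""
import itertools
import math
from collections import Counter

# A map is one list of monomials per output coordinate; a monomial is
# (coefficient, tuple of input indices) and stands for coeff * prod(x_i).
# Monomials within a coordinate are summed in F_q.
Monomial = tuple[int, tuple[int, ...]]
PolyMap = list[list[Monomial]]


def degree(p: PolyMap) -> int:
    return max((len(idx) for coord in p for _, idx in coord), default=0)


def is_homogeneous(p: PolyMap) -> bool:
    degs = {len(idx) for coord in p for _, idx in coord}
    return len(degs) <= 1


def evaluate(p: PolyMap, x: tuple[int, ...], q: int) -> tuple[int, ...]:
    out = []
    for coord in p:
        acc = 0
        for coeff, idx in coord:
            term = coeff % q
            for i in idx:
                term = term * x[i] % q
            acc = (acc + term) % q
        out.append(acc)
    return tuple(out)


def output_distribution(p: PolyMap, n: int, q: int) -> dict:
    """Exact distribution of p(U_n): q^n evaluations, so only for small n."""
    counts = Counter(evaluate(p, x, q) for x in itertools.product(range(q), repeat=n))
    return {y: c / q**n for y, c in counts.items()}


def shannon_entropy(dist: dict) -> float:
    return -sum(pr * math.log2(pr) for pr in dist.values())


def renyi2_entropy(dist: dict) -> float:
    return -math.log2(sum(pr * pr for pr in dist.values()))


def min_entropy(dist: dict) -> float:
    return -math.log2(max(dist.values()))


def analyse(p: PolyMap, n: int, q: int) -> dict:
    dist = output_distribution(p, n, q)
    return {
        "degree": degree(p),
        "homogeneous": is_homogeneous(p),
        "support": len(dist),
        "shannon": shannon_entropy(dist),
        "renyi2": renyi2_entropy(dist),
        "min": min_entropy(dist),
    }


# Constructed instance 1 (the first bullet's setting): degree 3 over F_2,
# n=3, m=2,  p(x) = (x0*x1*x2, x0 + x1).
CUBIC_F2: PolyMap = [[(1, (0, 1, 2))], [(1, (0,)), (1, (1,))]]

# Constructed instance 2 (the second bullet's setting): homogeneous quadratic
# over the prime field F_3, n=2, m=2,  p(x) = (x0*x1, x0^2 + x1^2).
QUADRATIC_F3: PolyMap = [[(1, (0, 1))], [(1, (0, 0)), (1, (1, 1))]]


if __name__ == "__main__":
    for name, p, n, q in [("cubic over F_2", CUBIC_F2, 3, 2),
                          ("quadratic over F_3", QUADRATIC_F3, 2, 3)]:
        r = analyse(p, n, q)
        print(f"{name}: deg={r['degree']} homogeneous={r['homogeneous']} "
              f"H={r['shannon']:.4f} H2={r['renyi2']:.4f} Hmin={r['min']:.4f}")
```

On the cubic instance the three measures already disagree (Shannon ≈ 1.41, Rényi-2 ≈ 1.30, min-entropy = 1 bit), which is why the second result is stated as a gap between Shannon entropy on one side and min-entropy or Rényi entropy on the other rather than as an approximation of a single quantity.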
Instance-dependent commitment schemes and the round complexity of perfect zero-knowledge proofs
 Electronic Colloquium on Computational Complexity (ECCC)
Abstract

Cited by 1 (1 self)
We study the question whether the number of rounds in public-coin perfect zero-knowledge (PZK) proofs can be collapsed to a constant. Despite extensive research into the round complexity of interactive and zero-knowledge protocols, there is no indication how to address this question. Furthermore, the main tool to tackle this question is instance-dependent commitments, but currently such schemes are only statistically hiding, whereas we need perfectly hiding schemes. We give the first perfectly hiding instance-dependent commitment scheme. This scheme can be constructed from any problem that has a PZK proof. We then show that obtaining such a scheme that is also constant-round is not only sufficient, but also necessary to collapse the number of rounds in PZK proofs. Hence, we show an equivalence between the tasks of obtaining the commitment and collapsing the rounds. Our idea also yields an elegant equivalence between zero-knowledge and commitments. In the second part of the paper we construct a non-interactive, perfectly hiding scheme whose binding property holds on all but an exponentially small fraction of the inputs. Informally, this shows that the rounds in public-coin PZK proofs can be collapsed if we can guarantee that the prover is not choosing its randomness from a small set. We formalize this condition using a preamble, which we then apply to some simple cases. An interesting consequence of independent interest is that we use the circuits from the study of NIPZK in the commitment scheme of Naor [39], and this leads to a new perfectly-hiding instance-dependent commitment for NIPZK problems with a small soundness error. Key words: constant-round, perfect zero-knowledge, instance-dependent commitment schemes.
On the lattice smoothing parameter problem
 In Proc. IEEE Conference on Computational Complexity, 2013
Abstract

Cited by 1 (1 self)
The smoothing parameter η_ε(L) of a Euclidean lattice L, introduced by Micciancio and Regev (FOCS'04; SICOMP'07), is (informally) the smallest amount of Gaussian noise that "smooths out" the discrete structure of L (up to error ε). It plays a central role in the best known worst-case/average-case reductions for lattice problems, a wealth of lattice-based cryptographic constructions, and (implicitly) the tightest known transference theorems for fundamental lattice quantities. In this work we initiate a study of the complexity of approximating the smoothing parameter to within a factor γ, denoted γ-GapSPP. We show that (for ε = 1/poly(n)):
• (2 + o(1))-GapSPP ∈ AM, via a Gaussian analogue of the classic Goldreich-Goldwasser protocol (STOC'98);
• (1 + o(1))-GapSPP ∈ coAM, via a careful application of the Goldwasser-Sipser (STOC'86) set size lower bound protocol to thin shells in R^n;
• (2 + o(1))-GapSPP ∈ SZK ⊆ AM ∩ coAM (where SZK is the class of problems having statistical zero-knowledge proofs), by constructing a suitable instance-dependent commitment scheme (for a slightly worse o(1) term);
• (1 + o(1))-GapSPP can be solved in deterministic 2^{O(n)} polylog(1/ε) time and 2^{O(n)} space.
As an application, we demonstrate a tighter worst-case to average-case reduction for basing cryptography on the worst-case hardness of the GapSPP problem, with an Õ(√n) smaller approximation factor than the GapSVP problem. Central to our results are two novel, and nearly tight, characterizations of the magnitude of discrete Gaussian sums over L: the first relates these directly to the Gaussian measure of the Voronoi cell of L, and the second to the fraction of overlap between Euclidean balls centered around points of L.
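The abstract only defines η_ε(L) informally. The following added example (not code from the paper) works through the formal Micciancio-Regev definition on the one-dimensional lattice L = cZ, where the dual lattice is (1/c)Z and everything is computable in closed form: with ρ_s(x) = exp(-π x²/s²), η_ε(L) is the smallest s such that ρ_{1/s}(L* \ {0}) ≤ ε. The code finds that threshold by bisection, then checks the "smoothing" claim numerically by measuring the statistical distance between a width-s Gaussian reduced mod cZ and the uniform distribution on [0, c), and finally evaluates the promise problem γ-GapSPP on this instance. The 1-D lattice is of course trivial; the example illustrates the definition and the problem statement, not the hardness results.

```python
"""Smoothing parameter of a one-dimensional lattice L = c*Z.

Added example, not from the paper. It uses Micciancio and Regev's definition:
with rho_s(x) = exp(-pi*||x||^2/s^2), eta_eps(L) is the smallest s such that
rho_{1/s}(L* \\ {0}) <= eps, where L* is the dual lattice. For L = c*Z the dual
is (1/c)*Z, so the sum is a one-line theta series and eta_eps can be found by
bisection. The statistical-distance check then shows the smoothing effect
numerically. The 1-D case is trivial; it only illustrates the definition and
the promise problem gamma-GapSPP, not the hardness results.
"""
import math


def rho(x: float, s: float) -> float:
    """Gaussian function rho_s(x) = exp(-pi x^2 / s^2)."""
    return math.exp(-math.pi * x * x / (s * s))


def dual_gaussian_mass(c: float, s: float, kmax: int = 60) -> float:
    """rho_{1/s}(L* \\ {0}) for L = c*Z: sum over k != 0 of exp(-pi s^2 k^2 / c^2).

    The terms decay super-exponentially in k, so truncating at kmax is exact
    to double precision for every s of interest here.
    """
    return 2.0 * sum(rho(k / c, 1.0 / s) for k in range(1, kmax + 1))


def smoothing_parameter(c: float, eps: float, tol: float = 1e-9) -> float:
    """eta_eps(c*Z): the dual mass decreases in s, so bisect for the threshold."""
    lo, hi = 0.0, 1.0
    while dual_gaussian_mass(c, hi) > eps:
        hi *= 2.0
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if dual_gaussian_mass(c, mid) <= eps:
            hi = mid
        else:
            lo = mid
    return hi


def statistical_distance_from_uniform(c: float, s: float,
                                      grid: int = 4000, kmax: int = 25) -> float:
    """SD between (D_s mod c*Z) and the uniform distribution on [0, c).

    D_s has density rho_s(x)/s on the reals; reducing mod c*Z wraps it into
    the periodic density sum_k rho_s(t + k c)/s. The integral of
    |density - 1/c| over one period is taken with a midpoint rule.
    """
    total = 0.0
    for j in range(grid):
        t = (j + 0.5) * c / grid
        wrapped = sum(rho(t + k * c, s) for k in range(-kmax, kmax + 1)) / s
        total += abs(wrapped - 1.0 / c) * (c / grid)
    return total / 2.0


def gap_spp(c: float, eps: float, r: float, gamma: float) -> str:
    """gamma-GapSPP on c*Z: YES if eta_eps <= r, NO if eta_eps > gamma*r."""
    eta = smoothing_parameter(c, eps)
    if eta <= r:
        return "YES"
    if eta > gamma * r:
        return "NO"
    return "outside promise"


if __name__ == "__main__":
    eps = 0.01
    eta = smoothing_parameter(1.0, eps)
    print(f"eta_{eps}(Z) = {eta:.5f}")
    for s in (eta / 2, eta, 2 * eta):
        sd = statistical_distance_from_uniform(1.0, s)
        print(f"s = {s:.4f}: SD(D_s mod Z, U[0,1)) = {sd:.6f}")
    print("2-GapSPP(Z, r=1.3):", gap_spp(1.0, eps, 1.3, 2.0))
```

At s = η_ε the wrapped Gaussian is within statistical distance ε/2 of uniform, which is the standard smoothing lemma; at s = η_ε/2 it is visibly far from uniform, and at 2η_ε the distance is below 10⁻⁶. Scaling the lattice by c scales η_ε by c, which the bisection reproduces to its tolerance.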
Zero Knowledge and Circuit Minimization
Abstract

Cited by 1 (1 self)
We show that every problem in the complexity class SZK (Statistical Zero Knowledge) is efficiently reducible to the Minimum Circuit Size Problem (MCSP). In particular, Graph Isomorphism lies in RP^{MCSP}. This is the first theorem relating the computational power of Graph Isomorphism and MCSP, despite the long history these problems share as candidate NP-intermediate problems.
Resettable Statistical Zero Knowledge
Abstract
Two central notions of Zero Knowledge that provide very strong, yet seemingly incomparable security guarantees against malicious verifiers are those of Statistical Zero Knowledge and Resettable Zero Knowledge. The current state of the art includes several feasibility and impossibility results about the two notions separately. However, the challenging question of achieving Resettable Statistical Zero Knowledge (i.e., Resettable Zero Knowledge and Statistical Zero Knowledge simultaneously) for non-trivial languages is still open. In this paper, we show:
Resettable Statistical Zero Knowledge with efficient provers: Efficient-prover Resettable Statistical Zero-Knowledge proof systems exist for all languages that admit hash proof systems (e.g., QNR, QR, DDH, DCR). Furthermore, for these languages, as an application of our technique, we also construct a two-round resettable statistical witness-indistinguishable argument system.
Resettable Statistical Zero Knowledge with unbounded provers: Under the assumption that sub-exponentially hard one-way functions exist, rSZK = SZK. In other words, every language that admits a Statistical Zero-Knowledge (SZK) proof system also admits a Resettable Statistical Zero-Knowledge (rSZK) proof system. (Further, the result can be restated unconditionally provided there exists a sub-exponentially hard language in SZK.) Moreover, under the assumption that (standard) one-way functions exist, all languages L such that the complement of L is random self-reducible admit an rSZK proof system; in other words, coRSR ⊆ rSZK.
The round complexity of all our proof systems is Õ(log κ), where κ is the security parameter, and all our simulators are black-box.