Results 1-10 of 31
On the Limits of Non-Approximability of Lattice Problems
, 1998
Cited by 81 (3 self)
We show simple constant-round interactive proof systems for problems capturing the approximability, to within a factor of √n, of optimization problems in integer lattices; specifically, the closest vector problem (CVP), and the shortest vector problem (SVP). These interactive proofs are for the "coNP direction"; that is, we give an interactive protocol showing that a vector is "far" from the lattice (for CVP), and an interactive protocol showing that the shortest-lattice-vector is "long" (for SVP). Furthermore, these interactive proof systems are Honest-Verifier Perfect Zero-Knowledge. We conclude that approximating CVP (resp., SVP) within a factor of √n is in NP ∩ coAM. Thus, it seems unlikely that approximating these problems to within a √n factor is NP-hard. Previously, for the CVP (resp., SVP) problem, Lagarias et al., Hastad and Banaszczyk showed that the gap problem corresponding to approximating CVP (resp., SVP) within n is in NP ∩ coNP. On the other hand, Ar...
Statistical zero-knowledge proofs with efficient provers: Lattice problems and more
 In CRYPTO
, 2003
Cited by 39 (8 self)
Abstract. We construct several new statistical zero-knowledge proofs with efficient provers, i.e. ones where the prover strategy runs in probabilistic polynomial time given an NP witness for the input string. Our first proof systems are for approximate versions of the Shortest Vector Problem (SVP) and Closest Vector Problem (CVP), where the witness is simply a short vector in the lattice or a lattice vector close to the target, respectively. Our proof systems are in fact proofs of knowledge, and as a result, we immediately obtain efficient lattice-based identification schemes which can be implemented with arbitrary families of lattices in which the approximate SVP or CVP are hard. We then turn to the general question of whether all problems in SZK ∩ NP admit statistical zero-knowledge proofs with efficient provers. Towards this end, we give a statistical zero-knowledge proof system with an efficient prover for a natural restriction of Statistical Difference, a complete problem for SZK. We also suggest a plausible approach to resolving the general question in the positive.
Zero-Knowledge Against Quantum Attacks
 STOC'06
, 2006
Cited by 34 (0 self)
This paper proves that several interactive proof systems are zero-knowledge against general quantum attacks. This includes the well-known Goldreich-Micali-Wigderson classical zero-knowledge protocols for Graph Isomorphism and Graph 3-Coloring (assuming the existence of quantum computationally concealing commitment schemes in the second case). Also included is a quantum interactive protocol for a complete problem for the complexity class of problems having “honest verifier” quantum statistical zero-knowledge proofs, which therefore establishes that honest verifier and general quantum statistical zero-knowledge are equal: QSZK = QSZK_HV. Previously no nontrivial proof systems were known to be zero-knowledge against quantum attacks, except in restricted settings such as the honest-verifier and common reference string models. This paper therefore establishes for the first time that true zero-knowledge is indeed possible in the presence of quantum information and computation.
Constant-Round Oblivious Transfer in the Bounded Storage Model
, 2004
Cited by 31 (5 self)
We present a constant round protocol for Oblivious Transfer in Maurer's bounded storage model. In this model, a long random string R is initially transmitted and each of the parties interacts based on a small portion of R. Even though the portions stored by the honest parties are small, security is guaranteed against any malicious party that remembers almost all of the string R.
Limits on the Power of Quantum Statistical Zero-Knowledge
, 2003
Cited by 30 (4 self)
In this paper we propose a definition for honest verifier quantum statistical zero-knowledge interactive proof systems and study the resulting complexity class, which we denote QSZK
An unconditional study of computational zero knowledge
 SIAM Journal on Computing
, 2004
Cited by 27 (7 self)
We prove a number of general theorems about ZK, the class of problems possessing (computational) zero-knowledge proofs. Our results are unconditional, in contrast to most previous works on ZK, which rely on the assumption that one-way functions exist. We establish several new characterizations of ZK, and use these characterizations to prove results such as: 1. Honest-verifier ZK equals general ZK. 2. Public-coin ZK equals private-coin ZK. 3. ZK is closed under union. 4. ZK with imperfect completeness equals ZK with perfect completeness. 5. Any problem in ZK ∩ NP can be proven in computational zero knowledge by a BPP^NP prover. 6. ZK with black-box simulators equals ZK with general, non-black-box simulators. The above equalities refer to the resulting class of problems (and do not necessarily preserve other efficiency measures such as round complexity). Our approach is to combine the conditional techniques previously used in the study of ZK with the unconditional techniques developed in the study of SZK, the class of problems possessing statistical zero-knowledge proofs. To enable this combination, we prove that every problem in ZK can be decomposed into a problem in SZK together with a set of instances from which a one-way function can be constructed.
Can Statistical Zero Knowledge be made Non-Interactive? or On the Relationship of SZK and NISZK
 IN CRYPTO ’99, LNCS SERIES
, 1999
Cited by 22 (11 self)
We extend the study of non-interactive statistical zero-knowledge proofs. Our main focus is to compare the class NISZK of problems possessing such non-interactive proofs to the class SZK of problems possessing interactive statistical zero-knowledge proofs. Along these lines, we first show that if statistical zero knowledge is nontrivial then so is non-interactive statistical zero knowledge, where by nontrivial we mean that the class includes problems which are not solvable in probabilistic polynomial-time. (The hypothesis holds under various assumptions, such as the intractability of the Discrete Logarithm Problem.) Furthermore, we show that if NISZK is closed under complement, then in fact SZK = NISZK, i.e. all statistical zero-knowledge proofs can be made non-interactive. The main tools in our analysis are two promise problems that are natural restrictions of promise problems known to be complete for SZK. We show that these restricted problems are in fact complete for NIS...
Concurrent zero knowledge without complexity assumptions
 In TCC
, 2006
Cited by 11 (5 self)
Abstract. We provide unconditional constructions of concurrent statistical zero-knowledge proofs for a variety of nontrivial problems (not known to have probabilistic polynomial-time algorithms). The problems include Graph Isomorphism, Graph Nonisomorphism, Quadratic Residuosity, Quadratic Nonresiduosity, a restricted version of Statistical Difference, and approximate versions of the (coNP forms of the) Shortest Vector Problem and Closest Vector Problem in lattices. For some of the problems, such as Graph Isomorphism and Quadratic Residuosity, the proof systems have provers that can be implemented in polynomial time (given an NP witness) and have Õ(log n) rounds, which is known to be essentially optimal for black-box simulation.
Random selection with an adversarial majority
 Advances in Cryptology—CRYPTO ‘06, number 4117 in Lecture Notes in Computer Science
, 2006
Cited by 10 (2 self)
Abstract. We consider the problem of random selection, where p players follow a protocol to jointly select a random element of a universe of size n. However, some of the players may be adversarial and collude to force the output to lie in a small subset of the universe. We describe essentially the first protocols that solve this problem in the presence of a dishonest majority in the full-information model (where the adversary is computationally unbounded and all communication is via non-simultaneous broadcast). Our protocols are nearly optimal in several parameters, including the round complexity (as a function of n), the randomness complexity, the communication complexity, and the tradeoffs between the fraction of honest players, the probability that the output lies in a small subset of the universe, and the density of this subset.
On the Possibility of One-Message Weak Zero-Knowledge
 In Theory of Cryptography, First Theory of Cryptography Conference, TCC 2004
, 2004
Cited by 8 (2 self)
Abstract. We investigate whether it is possible to obtain any meaningful type of zero-knowledge proofs using a one-message (i.e., non-interactive) proof system. We show that, under reasonable (although not standard) assumptions, there exists a one-message proof system for every language in NP that satisfies the following relaxed form of zero knowledge: 1. The soundness condition holds only against cheating provers that run in uniform (rather than non-uniform) probabilistic polynomial-time. 2. The zero-knowledge condition is obtained using a simulator that runs in quasi-polynomial (rather than polynomial) time. We note that it is necessary to introduce both relaxations to obtain a one-message system for a nontrivial language. We stress that our result is in the plain model, and in particular we do not assume any setup conditions (such as the existence of a shared random string). We also discuss the validity of our assumption, and show two conditions that imply it. In addition, we show that an assumption of a similar kind is necessary in order to obtain a one-message system that satisfies some sort of meaningful zero-knowledge and soundness conditions.