The notion of non-malleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. The same concept makes sense in the contexts of string commitment and zero-knowledge proofs of possession of knowledge. Non-malleable schemes for each of these three problems are presented. The schemes do not assume a trusted center; a user need not know anything about the number or identity of other system users. Our cryptosystem is the first proven to be secure against a strong type of chosen ciphertext attack proposed by Rackoff and Simon, in which the attacker knows the ciphertext she wishes to break and can query the decryption oracle on any ciphertext other than the target.

We define a Universal One-Way Hash Function family, a new primitive which enables the compression of elements in the function domain. The main property of this primitive is that given an element x in the domain, it is computationally hard to find a different domain element which collides with x. We prove constructively that universal one-way hash functions exist if any 1-1 one-way functions exist. Among the various applications of the primitive is a One-Way based Secure Digital Signature Scheme which is existentially secure against adoptive attacks. Previously, all provably secure signature schemes were based on the stronger mathematical assumption that trapdoor one-way functions exist. Key words. cryptography, randomized algorithms AMS subject classifications. 68M10, 68Q20, 68Q22, 68R05, 68R10 Part of this work was done while the authors were at the IBM Almaden Research Center. The first author was supported in part by NSF grant CCR-88 13632. A preliminary version of this work app...

We present a new algebraic technique for the construc-tion of interactive proof systems. We use our technique to prove that every language in the polynomial-time hierarchy has an interactive proof system. This tech-nique played a pivotal role in the recent proofs that IP=PSPACE (Shamir) and that MIP=NEXP (Babai, Fortnow and Lund).

We show how to construct a public-key cryptosystem (as originally defined by Diffie and Hellman) secure against chosen ciphertext attacks, given a public-key cryptosystem secure against passive eavesdropping and a non-interactive zero-knowledge proof system in the shared string model. No such secure cryptosystems were known before. Key words. cryptography, randomized algorithms AMS subject classifications. 68M10, 68Q20, 68Q22, 68R05, 68R10 A preliminary version of this paper appeared in the Proc. of the Twenty Second ACM Symposium of Theory of Computing. y Incumbent of the Morris and Rose Goldman Career Development Chair, Dept. of Applied Mathematics and Computer Science, Weizmann Institute of Science, Rehovot 76100, Israel. Work performed while at the IBM Almaden Research Center. Research supported by an Alon Fellowship and a grant from the Israel Science Foundation administered by the Israeli Academy of Sciences. E-mail: naor@wisdom.weizmann.ac.il. z IBM Research Division, T.J ...

We show how a pseudo-random generator can provide a bit commitment protocol. We also analyze the number of bits communicated when parties commit to many bits simultaneously, and show that the assumption of the existence of pseudo-random generators suffices to assure amortized O(1) bits of communication per bit commitment.

This paper continues the investigation of the connection between proof systems and approximation. The emphasis is on proving tight non-approximability results via consideration of measures like the "free bit complexity" and the "amortized free bit complexity" of proof systems.

This paper investigates the possibility of disposing of interaction between prover and verifier in a zero-knowledge proof if they share beforehand a short random string. Without any assumption, it is proven that noninteractive zero-knowledge proofs exist for some number-theoretic languages for which no efficient algorithm is known. If deciding quadratic residuosity (modulo composite integers whose factorization is not known) is computationally hard, it is shown that the NP-complete language of satisfiability also possesses noninteractive zero-knowledge proofs.

The contribution of this paper is two-fold. First, a connection is shown between approximating the size of the largest clique in a graph and multi-prover interactive proofs. Second, an efficient multi-prover interactive proof for NP languages is constructed, where the verifier uses very few random bits and communication bits. Last, the connection between cliques and efficient multiprover interactive proofs, is shown to yield hardness results on the complexity of approximating the size of the largest clique in a graph. Of independent interest is our proof of correctness for the multilinearity test of functions. 1

In this note, we present new zero-knowledge interac-tive proofs and arguments for languages in NP. To show that z G L, with an error probability of at most 2-k, our zero-knowledge proof system requires O(lzlc’) + O(lg ” l~l)k ideal bit commitments, where c1 and cz depend only on L. This construction is the first in the ideal bit commitment model that achieves large values of k more efficiently than by running k independent iterations of the base interactive proof system. Under suitable complexity assumptions, we exhibit a zero-knowledge arguments that require O(lg ’ Izl)ki bits of communication, where c depends only on L, and 1 is the security parameter for the prover.l This is the first construction in which the total amount of communication can be less than that needed to transmit the NP witness. Our protocols are based on efficiently checkable proofs for NP [4].

In this paper we investigate some properties of zero-knowledge proofs, a notion introduced by Goldwasser, Micali and Rackoff. We introduce and classify two definitions of zero-knowledge: auxiliary \Gamma input zero-knowledge and blackbox \Gamma simulation zero-knowledge. We explain why auxiliary-input zero-knowledge is a definition more suitable for cryptographic applications than the original [GMR1] definition. In particular, we show that any protocol solely composed of subprotocols which are auxiliary-input zero-knowledge is itself auxiliary-input zero-knowledge. We show that blackboxsimulation zero-knowledge implies auxiliary-input zero-knowledge (which in turn implies the [GMR1] definition). We argue that all known zero-knowledge proofs are in fact blackbox-simulation zero-knowledge (i.e., were proved zero-knowledge using blackbox-simulation of the verifier). As a result, all known zero-knowledge proof systems are shown to be auxiliary-input zero-knowledge and can be used for cryptographic applications such as those in [GMW2]. We demonstrate the triviality of certain classes of zero-knowledge proof systems, in the sense that only languages in BPP have zero-knowledge proofs of these classes. In particular, we show that any language having a Las Vegas zero-knowledge proof system necessarily belongs to RP . We show that randomness of both the verifier and the prover, and non-triviality of the interaction are essential properties of (non-trivial) auxiliary-input zero-knowledge proofs.