Results 1 - 10 of 14
Witness indistinguishable and witness hiding protocols
- in 22nd STOC, 1990
Cited by 150 (0 self)
A two party protocol in which party A uses one of several secret witnesses to an NP assertion is witness indistinguishable if party B cannot tell which witness A is actually using. The protocol is witness hiding
Lower bounds on the Efficiency of Generic Cryptographic Constructions
- Proceedings of the 40th IEEE Symposium on Foundations of Computer Science, 2000
Cited by 48 (5 self)
A central focus of modern cryptography is the construction of efficient, "high-level" cryptographic tools (e.g., encryption schemes) from weaker, "low-level" cryptographic primitives (e.g., one-way functions). Of interest are both the existence of such constructions, and also their efficiency. Here, we show essentially-tight lower bounds on the best possible efficiency that can be achieved by any black-box construction of some fundamental cryptographic tools from the most basic and widely-used cryptographic primitives. Our results concern constructions of pseudorandom generators, universal one-way hash functions, private-key encryption schemes, and digital signatures based on one-way permutations, as well as constructions of public-key encryption schemes based on trapdoor permutations. Our proofs are in the model introduced by Impagliazzo and Rudich: in each case, we show that any black-box construction beating our efficiency bound would yield the unconditional existence of a one-way function and thus, in particular, prove P
Some Applications of Coding Theory in Computational Complexity
- 2004
Cited by 42 (2 self)
Error-correcting codes and related combinatorial constructs play an important role in several recent (and old) results in computational complexity theory. In this paper we survey results on locally-testable and locally-decodable error-correcting codes, and their applications to complexity theory and to cryptography.
Perfect Zero-Knowledge Arguments for NP Can Be Based on General Complexity Assumptions (Extended Abstract)
- Journal of Cryptology, 1998
Cited by 41 (11 self)
"Zero-knowledge arguments" is a fundamental cryptographic primitive which allows one polynomial-time player to convince another polynomial-time player of the validity of an NP statement, without revealing any additional information in the information-theoretic sense. Despite their practical and theoretical importance, it was only known how to implement zero-knowledge arguments based on specific algebraic assumptions; basing them on a general complexity assumption was open since their introduction in 1986 [BCC, BC, CH]. In this paper, we finally show a general construction, which can be based on any one-way permutation. We stress that our scheme is efficient: both players can execute only polynomial-time programs during the protocol. Moreover, the security achieved is on-line: in order to cheat and validate a false theorem, the prover must break a cryptographic assumption on-line during the conversation, while the verifier can not find (ever!) any information unconditionally (in the i...
Perfect zero-knowledge in constant rounds
- In Proceedings of the Twenty Second Annual ACM Symposium on Theory of Computing, 1990
Cited by 31 (4 self)
Rafail Ostrovsky. Quadratic residuosity and graph isomorphism are classic problems and the canonical examples of zero-knowledge languages. However, despite much research effort, all previous zero-knowledge proofs for them required either cryptography (and thus unproven assumptions) or an unbounded number of rounds of message exchange. For both (and similar) languages, we exhibit zero-knowledge proofs that require 5 rounds and no unproven assumptions. Our solution is essentially optimal, in this setting, due to a recent lower-bound argument of Goldreich and Krawczyk.
The complexity of decision versus search
- SIAM Journal on Computing, 1994
Cited by 30 (1 self)
A basic question about NP is whether or not search reduces in polynomial time to decision. We indicate that the answer is negative: under a complexity assumption (that deterministic and non-deterministic double-exponential time are unequal) we construct a language in NP for which search does not reduce to decision. These ideas extend in a natural way to interactive proofs and program checking. Under similar assumptions we present languages in NP for which it is harder to prove membership interactively than it is to decide this membership, and languages in NP which are not checkable. Keywords: NP-completeness, self-reducibility, interactive proofs, program checking, sparse sets,
Efficient and Non-Malleable Proofs of Plaintext Knowledge and Applications (Extended Abstract)
- Advances in Cryptology – proc. of EUROCRYPT ’03, LNCS 2656, 2002
Cited by 24 (1 self)
We describe efficient protocols for non-malleable (interactive) proofs of plaintext knowledge for the RSA, Rabin, Paillier, and El Gamal encryption schemes. We also highlight some important applications of these protocols: -- Chosen-ciphertext-secure, interactive encryption. In settings where both parties are on-line, an interactive encryption protocol may be used. We construct chosen-ciphertext-secure interactive encryption schemes based on any of the schemes above. In each case, the improved scheme requires only a small overhead beyond the original, semantically-secure scheme...
Minimum Resource Zero-Knowledge Proofs
- In 30th Annual Symposium on Foundations of Computer Science, 1989
Cited by 24 (2 self)
Joe Kilian, Silvio Micali, Rafail Ostrovsky. Abstract: We consider several resources relating to zero-knowledge protocols: the number of envelopes used in the protocol, the number of oblivious transfer protocols executed during the protocol, and the total amount of communication required by the protocol. We show that after a pre-processing stage consisting of O(k) executions of Oblivious Transfer, any polynomial number of NP-theorems of any poly-size can be proved non-interactively and in zero-knowledge, based on the existence of any one-way function, so that the probability of accepting a false theorem is less than 1/2^k. 1 Minimizing Envelopes. 1.1 Envelopes as a resource. [GMR] puts forward the somewhat paradoxical notion of a zero-knowledge proof, and exemplifies it for a few special classes of assertions. The introduction of ideal commitment mechanisms, known as envelopes, allows us to achieve greater generality. Proofs of any NP statements can be accomplished in perfe...
Secure Commitment Against A Powerful Adversary - A security primitive based on average intractability (Extended Abstract)
- 1992
Cited by 13 (5 self)
Secure commitment is a primitive enabling information hiding, which is one of the most basic tools in cryptography. Specifically, it is a two-party partial-information game between a "committer" and a "receiver", in which a secure envelope is first implemented and later opened. The committer has a bit in mind which he commits to by putting it in a "secure envelope". The receiver cannot guess what the value is until the opening stage and the committer cannot change his mind once committed. In this paper, we investigate the feasibility of bit commitment when one of the participants (either committer or receiver) has an unfair computational advantage. That is, we consider commitment to a strong receiver with a (To appear in Symposium on Theoretical Aspects of Computer Science (STACS) 92, February 13-15, Paris, France. MIT Laboratory for Computer Science, 545 Technology Square, Cambridge MA 02139, USA. Supported by IBM Graduate Fellowship. Part of this work done while at IBM T.J. W...)
Merlin-Arthur games and stoquastic complexity. Arxiv: quant-ph/0611021
- 2006
Cited by 3 (0 self)
MA is a class of decision problems for which ‘yes’-instances have a proof that can be efficiently checked by a classical randomized algorithm. We prove that MA has a natural complete problem which we call the stoquastic k-SAT problem. This is a matrix-valued analogue of the satisfiability problem in which clauses are k-qubit projectors with non-negative matrix elements, while a satisfying assignment is a vector that belongs to the space spanned by these projectors. Stoquastic k-SAT is the first non-trivial example of an MA-complete problem. We also study the minimum eigenvalue problem for local stoquastic Hamiltonians that was introduced in Ref. [1], stoquastic LH-MIN. A new complexity class StoqMA is introduced so that stoquastic LH-MIN is StoqMA-complete. We show that MA ⊆ StoqMA ⊆ SBP ∩ QMA. Lastly, we consider the average LH-MIN problem for local stoquastic Hamiltonians that depend on a random or ‘quenched disorder’ parameter, stoquastic AV-LH-MIN. We prove that stoquastic AV-LH-MIN is contained in the complexity class AM, the class of decision problems for which yes-instances have a randomized interactive proof with two-way communication between prover and verifier.

