Results 1 - 10 of 15
Witness indistinguishable and witness hiding protocols
in 22nd STOC, 1990
Cited by 167 (0 self)
A two party protocol in which party A uses one of several secret witnesses to an NP assertion is witness indistinguishable if party B cannot tell which witness A is actually using. The protocol is witness hiding
Lower bounds on the Efficiency of Generic Cryptographic Constructions
41st IEEE Symposium on Foundations of Computer Science (FOCS), IEEE, 2000
Cited by 61 (6 self)
A central focus of modern cryptography is the construction of efficient, “high-level” cryptographic tools (e.g., encryption schemes) from weaker, “low-level” cryptographic primitives (e.g., one-way functions). Of interest are both the existence of such constructions, and their efficiency. Here, we show essentially-tight lower bounds on the best possible efficiency of any black-box construction of some fundamental cryptographic tools from the most basic and widely-used cryptographic primitives. Our results hold in an extension of the model introduced by Impagliazzo and Rudich, and improve and extend earlier results of Kim, Simon, and Tetali. We focus on constructions of pseudorandom generators, universal one-way hash functions, and digital signatures based on one-way permutations, as well as constructions of public- and private-key encryption schemes based on trapdoor permutations. In each case, we show that any black-box construction beating our efficiency bound would yield the unconditional existence of a one-way function and thus, in particular, prove P ≠ NP.
Some Applications of Coding Theory in Computational Complexity
2004
Cited by 49 (2 self)
Error-correcting codes and related combinatorial constructs play an important role in several recent (and old) results in computational complexity theory. In this paper we survey results on locally-testable and locally-decodable error-correcting codes, and their applications to complexity theory and to cryptography.
Perfect Zero-Knowledge Arguments for NP Can Be Based on General Complexity Assumptions (Extended Abstract)
JOURNAL OF CRYPTOLOGY, 1998
Cited by 41 (11 self)
"Zero-knowledge arguments" is a fundamental cryptographic primitive which allows one polynomial-time player to convince another polynomial-time player of the validity of an NP statement, without revealing any additional information in the information-theoretic sense. Despite their practical and theoretical importance, it was only known how to implement zero-knowledge arguments based on specific algebraic assumptions; basing them on a general complexity assumption was open since their introduction in 1986 [BCC, BC, CH]. In this paper, we finally show a general construction, which can be based on any one-way permutation. We stress that our scheme is efficient: both players can execute only polynomial-time programs during the protocol. Moreover, the security achieved is online: in order to cheat and validate a false theorem, the prover must break a cryptographic assumption online during the conversation, while the verifier can not find (ever!) any information unconditionally (in the i...
Perfect zero-knowledge in constant rounds
In Proceedings of the Twenty Second Annual ACM Symposium on Theory of Computing, 1990
Cited by 36 (4 self)
Rafail Ostrovsky. Quadratic residuosity and graph isomorphism are classic problems and the canonical examples of zero-knowledge languages. However, despite much research effort, all previous zero-knowledge proofs for them required either cryptography (and thus unproven assumptions) or an unbounded number of rounds of message exchange. For both (and similar) languages, we exhibit zero-knowledge proofs that require 5 rounds and no unproven assumptions. Our solution is essentially optimal, in this setting, due to a recent lower-bound argument of Goldreich and Krawczyk.
The complexity of decision versus search
SIAM Journal on Computing, 1994
Cited by 32 (1 self)
A basic question about NP is whether or not search reduces in polynomial time to decision. We indicate that the answer is negative: under a complexity assumption (that deterministic and nondeterministic double-exponential time are unequal) we construct a language in NP for which search does not reduce to decision. These ideas extend in a natural way to interactive proofs and program checking. Under similar assumptions we present languages in NP for which it is harder to prove membership interactively than it is to decide this membership, and languages in NP which are not checkable. Keywords: NP-completeness, self-reducibility, interactive proofs, program checking, sparse sets,
Efficient and Non-Malleable Proofs of Plaintext Knowledge and Applications (Extended Abstract)
Advances in Cryptology – proc. of EUROCRYPT ’03, LNCS 2656, 2002
Cited by 27 (1 self)
We describe efficient protocols for non-malleable (interactive) proofs of plaintext knowledge for the RSA, Rabin, Paillier, and El Gamal encryption schemes. We also highlight some important applications of these protocols: Chosen-ciphertext-secure, interactive encryption. In settings where both parties are online, an interactive encryption protocol may be used. We construct chosen-ciphertext-secure interactive encryption schemes based on any of the schemes above. In each case, the improved scheme requires only a small overhead beyond the original, semantically-secure scheme...
Minimum Resource Zero-Knowledge Proofs
In 30th Annual Symposium on Foundations of Computer Science, 1989
Cited by 27 (3 self)
Joe Kilian, Silvio Micali, Rafail Ostrovsky. Abstract: We consider several resources relating to zero-knowledge protocols: The number of envelopes used in the protocol, the number of oblivious transfers protocols executed during the protocol, and the total amount of communication required by the protocol. We show that after a preprocessing stage consisting of O(k) executions of Oblivious Transfer, any polynomial number of NP-theorems of any poly-size can be proved non-interactively and in zero-knowledge, based on the existence of any one-way function, so that the probability of accepting a false theorem is less than $1/2^k$. 1 Minimizing Envelopes. 1.1 Envelopes as a resource. [GMR] puts forward the somewhat paradoxical notion of a zero-knowledge proof, and exemplifies it for a few special classes of assertions. The introduction of ideal commitment mechanisms, known as envelopes, allows us to achieve greater generality. Proofs of any NP statements can be accomplished in perfe...
The tale of one-way functions
Problems of Information Transmission, 2003
Cited by 20 (0 self)
All the king’s horses, and all the king’s men, Couldn’t put Humpty together again. The existence of one-way functions (owf) is arguably the most important problem in computer theory. The article discusses and refines a number of concepts relevant to this problem. For instance, it gives the first combinatorial complete owf, i.e., a function which is one-way if any function is. There are surprisingly many subtleties in basic definitions. Some of these subtleties are discussed or hinted at in the literature and some are overlooked. Here, a unified approach is attempted.
Secure Commitment Against A Powerful Adversary - A security primitive based on average intractability (Extended Abstract)
1992
Cited by 13 (5 self)
Secure commitment is a primitive enabling information hiding, which is one of the most basic tools in cryptography. Specifically, it is a two-party partial-information game between a "committer" and a "receiver", in which a secure envelope is first implemented and later opened. The committer has a bit in mind which he commits to by putting it in a "secure envelope". The receiver cannot guess what the value is until the opening stage and the committer can not change his mind once committed. In this paper, we investigate the feasibility of bit commitment when one of the participants (either committer or receiver) has an unfair computational advantage. That is, we consider commitment to a strong receiver with a
To appear in Symposium on Theoretical Aspects of Computer Science (STACS) 92, February 13-15, Paris, France. MIT Laboratory for Computer Science, 545 Technology Square, Cambridge MA 02139, USA. Supported by IBM Graduate Fellowship. Part of this work done while at IBM T.J. W...