Results 1 - 10 of 32
On the Power of Multi-Prover Interactive Protocols
Theoretical Computer Science, 1988
Cited by 132 (9 self)
In this paper we consider a further generalization of the proof system model, due to Ben-Or, Goldwasser, Kilian and Wigderson [6], where instead of a single prover there may be many. This apparently gives the model additional power. The intuition for this may be seen by considering the case of two criminal suspects who are under interrogation to see if they are guilty of together robbing a bank. Of course they (the provers) are trying to convince Scotland Yard (the verifier) of their innocence. Assuming that they are in fact innocent, it is clear that their ability to convince the police of this is enhanced if they are questioned in separate rooms and can corroborate each other's stories without communicating. We shall see later in this paper that this sort of corroboration is the key to the additional power of multiple provers. Interactive proof systems have seen a number of important applications to cryptography [23, 22], algebraic complexity [3], program testing [7, 8] and distributed computation [16, 23]. For example, a chain of results concerning interactive proof systems [22, 3, 24, 9] conclude that if the graph isomorphism problem is NP-complete then the polynomial time hierarchy collapses. Multiple-prover interactive proof systems have also seen several important applications including the analysis of program testing [7, 4] and the complexity of approximation algorithms [14, 2, 1]. Brief summary of results: First we give a simple characterization of the power of the multi-prover model in terms of probabilistic oracle Turing machines. Then we show that every language accepted by multiple prover interactive proof systems can be computed in nondeterministic exponential time. Babai, Fortnow and Lund [4] have since shown this bound is tight. We then show results like th...
Universally Composable Two-Party and Multi-Party Secure Computation
2002
Cited by 125 (32 self)
We show how to securely realize any two-party and multi-party functionality in a universally composable way, regardless of the number of corrupted participants. That is, we consider an asynchronous multi-party network with open communication and an adversary that can adaptively corrupt as many parties as it wishes. In this setting, our protocols allow any subset of the parties (with pairs of parties being a special case) to securely realize any desired functionality of their local inputs, and be guaranteed that security is preserved regardless of the activity in the rest of the network. This implies that security is preserved under concurrent composition of an unbounded number of protocol executions, it implies non-malleability with respect to arbitrary protocols, and more. Our constructions are in the common reference string model and rely on standard intractability assumptions.
Non-Interactive CryptoComputing for NC1
In 40th Annual Symposium on Foundations of Computer Science, 1999
Cited by 70 (0 self)
The area of "computing with encrypted data" has been studied by numerous authors in the past twenty years since it is fundamental to understanding properties of encryption and it has many practical applications. The related fundamental area of "secure function evaluation" has been studied since the mid 80's. In its basic two-party case, two parties (Alice and Bob) evaluate a known circuit over private inputs (or a private input and a private circuit). Much attention has been paid to the important issue of minimizing rounds of computation in this model. Namely, the number of communication rounds in which Alice and Bob need to engage in to evaluate a circuit on encrypted data securely. Advancements in these areas have been recognized as open problems and have remained open for a number of years. In this paper we give a one round, and thus round optimal, protocol for secure evaluation of circuits which is in polynomial-time for NC
Comparing Information Without Leaking It
Communications of the ACM, 1996
Cited by 63 (4 self)
We consider simple means by which two people may determine whether they possess the same information, without revealing anything else to each other in case that they do not. Incumbent of the Morris and Rose Goldman Career Development Chair. Research supported by an Alon Fellowship and a grant from the Israel Science Foundation administered by the Israeli Academy of Sciences. Most of this work was done while the author was at the IBM Almaden Research Center. Most of this work was done while the author was with Bellcore. 1 Introduction Consider the following problem, which actually arose in real life (we have masked the problem somewhat to protect confidentiality). Bob comes to Ron, a manager at his company, with a complaint about a sensitive matter; he asks Ron to keep his identity confidential. A few months later, Moshe (another manager) tells Ron that someone has complained to him, also with a confidentiality request, about the same matter. Ron and Moshe would like to determi...
Committed Oblivious Transfer and Private Multi-Party Computation
1995
Cited by 50 (10 self)
In this paper we present an efficient protocol for "Committed Oblivious Transfer" to perform oblivious transfer on committed bits: suppose Alice is committed to bits $a_0$ and $a_1$ and Bob is committed to $b$, they both want Bob to learn and commit to $a_b$ without Alice learning $b$ nor Bob learning $a_{\bar{b}}$. Our protocol, based on the properties of error correcting codes, uses Bit Commitment (bc) and one-out-of-two Oblivious Transfer (ot) as black boxes. Consequently the protocol may be implemented with or without a computational assumption, depending on the kind of bc and ot used by the participants. Assuming a Broadcast Channel is also available, we exploit this result to obtain a protocol for Private Multi-Party Computation, without making assumptions about a specific number or fraction of participants being honest. We analyze the protocol's efficiency in terms of bcs and ots performed. Our approach connects Zero Knowledge proofs on bcs, Oblivious Circuit Evaluation and Private Multi-Party ...
A Minimal Model for Secure Computation
1994
Cited by 39 (7 self)
We consider a minimal scenario for secure computation: Parties A and B have private inputs x and y and a shared random string r. A and B are each allowed to send a single message to a third party C, from which C is to learn the value of f(x; y) for some function f, but nothing else.
Public-Key Cryptography and Password Protocols: The Multi-User Case
In CCS ’99: Proceedings of the 6th ACM conference on Computer and communications security, 1999
Cited by 30 (0 self)
The problem of password authentication over an insecure network when the user holds only a human-memorizable password has received much attention in the literature. The first rigorous treatment was provided by Halevi and Krawczyk, who studied offline password guessing attacks in the scenario in which the authentication server possesses a pair of private and public keys. In this work we:
- Show the inadequacy of both the HK formalization and protocol in the case where there is more than a single user: using a simple and realistic attack, we prove failure of the HK solution in the two-user case.
- Propose a new definition of security for the multi-user case, expressed in terms of transcripts of the entire system, rather than individual protocol executions.
- Suggest several ways of achieving this security against both static and dynamic adversaries.
In a recent revision of their paper, Halevi and Krawczyk again attempted to handle the multi-user case. We expose a weakness in their revised definition.
The All-or-Nothing Nature of Two-Party Secure Computation
In Proc. of CRYPTO 99, 1999
Cited by 26 (4 self)
A function f is computationally securely computable if two computationally-bounded parties, Alice, having a secret input x, and Bob, having a secret input y, can talk back and forth so that (even if one of them is malicious) (1) Bob learns essentially only f(x; y) while (2) Alice learns essentially nothing.
Secure and Efficient Off-Line Digital Money
In Proceedings of ICALP'93 (LNCS 700), 1993
Cited by 25 (3 self)
An electronic (or "digital") coin scheme is a set of cryptographic protocols for withdrawal (by a customer from the bank), purchase (by a customer to a vendor), and deposit (by a vendor to the bank), such that the security needs of all participants are satisfied - money is unforgeable, unreusable, and untraceable. A coin scheme is "off-line" if the purchase protocol does not involve the bank. In this work, we present new techniques for off-line coin schemes which are secure and efficient. (An earlier version of this work appeared in [16].)
Secure Electronic Voting over the World Wide Web
Massachusetts Institute of Technology, 1997
Cited by 24 (0 self)