Results 11 - 20 of 29
Round-Optimal Secure Two-Party Computation
- In CRYPTO 2004, 2004
Cited by 27 (4 self)
We consider the central cryptographic task of secure two-party computation: two parties wish to compute some function of their private inputs (each receiving possibly different outputs) where security should hold with respect to arbitrarily-malicious behavior of either of the participants. Despite extensive research in this area, the exact round complexity of this fundamental problem (i.e., the number of rounds required to compute an arbitrary poly-time functionality) was not previously known.
Concurrent Zero-Knowledge With Timing, Revisited
- 2002
Cited by 27 (0 self)
Following Dwork, Naor, and Sahai (30th STOC, 1998), we consider concurrent execution of protocols in a semi-synchronized network. Specifically, we assume that each party holds a local clock such that a constant bound on the relative rates of these clocks is a-priori known, and consider protocols that employ time-driven operations (i.e., time-out incoming messages and delay outgoing messages). We show that the constant-round zero-knowledge proof for NP of Goldreich and Kahan (Jour. of Crypto., 1996) preserves its security when polynomially-many independent copies are executed concurrently under the above timing model. We stress that our main result establishes zero-knowledge of interactive proofs, whereas the results of Dwork et al. are either for zero-knowledge arguments or for a weak notion of zero-knowledge (called ε-knowledge) proofs.
On the Knowledge Complexity of ...
- In 37th FOCS, 1996
Cited by 26 (7 self)
We show that if a language has an interactive proof of logarithmic statistical knowledge-complexity, then it belongs to the class AM ∩ co-AM. Thus, if the polynomial time hierarchy does not collapse, then NP-complete languages do not have logarithmic knowledge complexity. Prior to this work, there was no indication that would contradict NP languages being proven with even one bit of knowledge. Our result is a common generalization of two previous results: The first asserts that statistical zero knowledge is contained in AM ∩ co-AM [F-89, AH-91], while the second asserts that the languages recognizable in logarithmic statistical knowledge complexity are in BPP^NP [GOP-94]. Next, we consider the relation between the error probability and the knowledge complexity of an interactive proof. Note that reducing the error probability via repetition is not free: it may increase the knowledge complexity. We show that if the negligible error probability (n) is less than 2 3k(n) (where k(n) is the knowledge complexity) then the language proven is in the third level of the polynomial time hierarchy (specifically, it is in AM^NP). In the standard setting of negligible error probability, there exist PSPACE-complete languages which have sub-linear knowledge complexity. However, if we insist, for example, that the error probability is less than 2 n 2 , then PSPACE-complete languages do not have sub-quadratic knowledge complexity, unless PSPACE= P 3 . In order to prove our main result, we develop an AM protocol for checking that a samplable distribution D has a given entropy h. For any fractions ; , the verifier runs in time polynomial in 1= and log(1=) and fails with probability at most to detect an additive error in the entropy. We believe that this ...
Certifying Permutations: Non-Interactive Zero-Knowledge Based on any Trapdoor Permutation
- Journal of Cryptology, 1996
Cited by 26 (5 self)
In cryptographic protocols it is often necessary to verify/certify the "tools" in use. This work demonstrates certain subtleties in treating a family of trapdoor permutations in this context, noting the necessity to "check" certain properties of these functions. The particular case we illustrate is that of non-interactive zero-knowledge. We point out that the elegant recent protocol of Feige, Lapidot and Shamir for proving NP statements in non-interactive zero-knowledge requires an additional certification of the underlying trapdoor permutation, and suggest a method for certifying permutations which fills this gap.
One-Way Functions, Hard on Average Problems, and Statistical Zero-Knowledge Proofs (Extended Abstract)
- In Proceedings of the 6th Annual Structure in Complexity Theory Conference, 1991
Cited by 23 (6 self)
In this paper, we study connections among one-way functions, hard on the average problems, and statistical zero-knowledge proofs. In particular, we show how these three notions are related and how the third notion can be better characterized, assuming the first one.
Uniform Generation of NP-witnesses using an NP-oracle
- Information and Computation, 1997
Cited by 20 (1 self)
A Uniform Generation procedure for NP is an algorithm which given any input in a fixed NP-language, outputs a uniformly distributed NP-witness for membership of the input in the language. We present a Uniform Generation procedure for NP that runs in probabilistic polynomial-time with an NP-oracle. This improves upon results of Jerrum, Valiant and Vazirani, which either require a Σ^P_2 oracle or obtain only almost uniform generation. Our procedure utilizes ideas originating in the works of Sipser, Stockmeyer, and Jerrum, Valiant and Vazirani. Dept. of Computer Science & Engineering, University of California at San Diego, 9500 Gilman Drive, La Jolla, California 92093, USA. E-Mail: mihir@cs.ucsd.edu. URL: http://www-cse.ucsd.edu/users/mihir. Supported in part by NSF CAREER Award CCR-9624439 and a 1996 Packard Foundation Fellowship in Science and Engineering. Department of Computer Science and Applied Mathematics, Weizmann Institute of Science, Rehovot, Israel. E-Mail: oded@wis...
Making Zero-Knowledge Provers Efficient
- Proceedings of the 24th Annual Symposium on the Theory of Computing, ACM, 1995
Cited by 17 (6 self)
We look at the question of how powerful a prover must be to give a zero-knowledge proof. We present the first unconditional bounds on the complexity of a statistical ZK prover. The result is that if a language possesses a statistical zero-knowledge proof then it also possesses a statistical zero-knowledge proof in which the prover runs in probabilistic, polynomial time with an NP oracle. Previously this was only known given the existence of one-way permutations. Extending these techniques to protocols of knowledge complexity k(n) > 0, we derive bounds on the time complexity of languages of "small" knowledge complexity. Underlying these results is a technique for efficiently generating an "almost" random element of a set S ∈ NP. Specifically, we construct a probabilistic machine with an NP oracle which, on input 1^n and δ > 0 runs in time polynomial in n and lg δ^{-1}, and outputs a random string from a distribution within distance δ of the uniform distribution on S ∩ {0,1}^n ...
Interactive Hashing Simplifies Zero-Knowledge Protocol Design (Extended Abstract)
- Proc. of EuroCrypt 93, 1998
Cited by 14 (5 self)
Often the core difficulty in designing zero-knowledge protocols arises from having to consider every possible cheating verifier trying to extract additional information.
Secure Commitment Against A Powerful Adversary - A security primitive based on average intractability (Extended Abstract)
- 1992
Cited by 13 (5 self)
Secure commitment is a primitive enabling information hiding, which is one of the most basic tools in cryptography. Specifically, it is a two-party partial-information game between a "committer" and a "receiver", in which a secure envelope is first implemented and later opened. The committer has a bit in mind which he commits to by putting it in a "secure envelope". The receiver cannot guess what the value is until the opening stage and the committer cannot change his mind once committed. In this paper, we investigate the feasibility of bit commitment when one of the participants (either committer or receiver) has an unfair computational advantage. That is, we consider commitment to a strong receiver with a To appear in Symposium on Theoretical Aspects of Computer Science (STACS) 92, February 13-15, Paris, France. MIT Laboratory for Computer Science, 545 Technology Square, Cambridge MA 02139, USA. Supported by IBM Graduate Fellowship. Part of this work done while at IBM T.J. W...
Open Questions, Talk Abstracts, and Summary of Discussions
- 1991
Cited by 13 (0 self)
Joan Feigenbaum and Michael Merritt, AT&T Bell Laboratories, Murray Hill, NJ 07974. The DIMACS Workshop on Distributed Computing and Cryptography was held at the Nassau Inn in Princeton, New Jersey, on October 4, 5, and 6, 1989. Participants took a critical look at the results, choice of problems, guiding philosophies, research methodology, and engineering projects that currently absorb much of the effort of people working in "cryptography" and "computer system security." This report summarizes both the formal presentations and the informal discussions that took place. Section 1 contains our account of the group discussions and statements of open questions, both general and specific, that we think are important. This report on the workshop is based on our recollections, our notes, and notes taken by the graduate-student participants; we assume responsibility for any inaccuracies in our account. Section 2 contains abstracts of the talks presented at the worksh...

