Results 11  20
of
42
Concurrent ZeroKnowledge With Timing, Revisited
, 2002
"... Following Dwork, Naor, and Sahai (30th STOC, 1998), we consider concurrent execution of protocols in a semisynchronized network. Specifically, we assume that each party holds a local clock such that a constant bound on the relative rates of these clocks is apriori known, and consider protocols tha ..."
Abstract

Cited by 33 (0 self)
 Add to MetaCart
Following Dwork, Naor, and Sahai (30th STOC, 1998), we consider concurrent execution of protocols in a semisynchronized network. Specifically, we assume that each party holds a local clock such that a constant bound on the relative rates of these clocks is apriori known, and consider protocols that employ timedriven operations (i.e., timeout incoming messages and delay outgoing messages). We show that the constantround zeroknowledge proof for N P of Goldreich and Kahan (Jour. of Crypto., 1996) preserves its security when polynomiallymany independent copies are executed concurrently under the above timing model. We stress that our main result establishes zeroknowledge of interactive proofs, whereas the results of Dwork et. al. are either for zeroknowledge arguments or for a weak notion of zeroknowledge (called fflknowledge) proofs.
Roundoptimal zeroknowledge arguments based on any oneway function
 Advances in Cryptology – Eurocrypt ’97, volume 1223 of Lecture Notes in Computer Science
, 1997
"... ..."
Uniform Generation of NPwitnesses using an NPoracle
 Information and Computation
, 1997
"... A Uniform Generation procedure for NP is an algorithm which given any input in a fixed NPlanguage, outputs a uniformly distributed NPwitness for membership of the input in the language. We present a Uniform Generation procedure for NP that runs in probabilistic polynomialtime with an NPoracle. T ..."
Abstract

Cited by 29 (1 self)
 Add to MetaCart
A Uniform Generation procedure for NP is an algorithm which given any input in a fixed NPlanguage, outputs a uniformly distributed NPwitness for membership of the input in the language. We present a Uniform Generation procedure for NP that runs in probabilistic polynomialtime with an NPoracle. This improves upon results of Jerrum, Valiant and Vazirani, which either require a \Sigma P 2 oracle or obtain only almost uniform generation. Our procedure utilizes ideas originating in the works of Sipser, Stockmeyer, and Jerrum, Valiant and Vazirani. Dept. of Computer Science & Engineering, University of California at San Diego, 9500 Gilman Drive, La Jolla, California 92093, USA. EMail: mihir@cs.ucsd.edu. URL: http://wwwcse.ucsd.edu/users/mihir. Supported in part by NSF CAREER Award CCR9624439 and a 1996 Packard Foundation Fellowship in Science and Engineering. y Department of Computer Science and Applied Mathematics, Weizmann Institute of Science, Rehovot, Israel. EMail: oded@wis...
Certifying Permutations: NonInteractive ZeroKnowledge Based on any Trapdoor Permutation
 Journal of Cryptology
, 1996
"... In cryptographic protocols it is often necessary to verify/certify the \tools " in use. This work demonstrates certain subtleties in treating a family of trapdoor permutations in this context, noting the necessity to\check " certain properties of these functions. The particular cas ..."
Abstract

Cited by 28 (6 self)
 Add to MetaCart
In cryptographic protocols it is often necessary to verify/certify the \tools &quot; in use. This work demonstrates certain subtleties in treating a family of trapdoor permutations in this context, noting the necessity to\check &quot; certain properties of these functions. The particular case we illustrate is that of noninteractive zeroknowledge. We point out that the elegant recent protocol of Feige, Lapidot and Shamir for proving NP statements in noninteractive zeroknowledge requires an additional certi cation of the underlying trapdoor permutation, and suggest a method for certifying permutations which lls this gap.
OneWay Functions, Hard on Average Problems, and Statistical ZeroKnowledge Proofs (Extended Abstract)
 IN PROCEEDINGS OF THE 6TH ANNUAL STRUCTURE IN COMPLEXITY THEORY CONFERENCE
, 1991
"... In this paper, we study connections among oneway functions, hard on the average problems, and statistical zeroknowledge proofs. In particular, we show how these three notions are related and how the third notion can be better characterized, assuming the first one. ..."
Abstract

Cited by 28 (8 self)
 Add to MetaCart
In this paper, we study connections among oneway functions, hard on the average problems, and statistical zeroknowledge proofs. In particular, we show how these three notions are related and how the third notion can be better characterized, assuming the first one.
On the Knowledge Complexity of ...
 In 37th FOCS
, 1996
"... We show that if a language has an interactive proof of logarithmic statistical knowledgecomplexity, then it belongs to the class AM \ co AM. Thus, if the polynomial time hierarchy does not collapse, then NPcomplete languages do not have logarithmic knowledge complexity. Prior to this work, ther ..."
Abstract

Cited by 27 (7 self)
 Add to MetaCart
We show that if a language has an interactive proof of logarithmic statistical knowledgecomplexity, then it belongs to the class AM \ co AM. Thus, if the polynomial time hierarchy does not collapse, then NPcomplete languages do not have logarithmic knowledge complexity. Prior to this work, there was no indication that would contradict NP languages being proven with even one bit of knowledge. Our result is a common generalization of two previous results: The rst asserts that statistical zero knowledge is contained in AM \ co AM [F89, AH91], while the second asserts that the languages recognizable in logarithmic statistical knowledge complexity are in BPP NP [GOP94]. Next, we consider the relation between the error probability and the knowledge complexity of an interactive proof. Note that reducing the error probability via repetition is not free: it may increase the knowledge complexity. We show that if the negligible error probability (n) is less than 2 3k(n) (where k(n) is the knowledge complexity) then the language proven is in the third level of the polynomial time hierarchy (specically, it is in AM NP . In the standard setting of negligible error probability, there exist PSPACEcomplete languages which have sublinear knowledge complexity. However, if we insist, for example, that the error probability is less than 2 n 2 , then PSPACEcomplete languages do not have subquadratic knowledge complexity, unless PSPACE= P 3 . In order to prove our main result, we develop an AM protocol for checking that a samplable distribution D has a given entropy h. For any fractions ; , the verier runs in time polynomial in 1= and log(1=) and fails with probability at most to detect an additive error in the entropy. We believe that this ...
Making ZeroKnowledge Provers Efficient
 Proceedings of the 24th Annual Symposium on the Theory of Computing, ACM
, 1995
"... We look at the question of how powerful a prover must be to give a zeroknowledge proof. We present the first unconditional bounds on the complexity of a statistical ZK prover. The result is that if a language possesses a statistical zeroknowledge then it also possesses a statistical zeroknowledge ..."
Abstract

Cited by 18 (6 self)
 Add to MetaCart
We look at the question of how powerful a prover must be to give a zeroknowledge proof. We present the first unconditional bounds on the complexity of a statistical ZK prover. The result is that if a language possesses a statistical zeroknowledge then it also possesses a statistical zeroknowledge proof in which the prover runs in probabilistic, polynomial time with an NP oracle. Previously this was only known given the existence of oneway permutations. Extending these techniques to protocols of knowledge complexity k(n) ? 0, we derive bounds on the time complexity of languages of "small" knowledge complexity. Underlying these results is a technique for efficiently generating an "almost" random element of a set S 2 NP. Specifically, we construct a probabilistic machine with an NP oracle which, on input 1 n and ffi ? 0 runs in time polynomial in n and lg ffi \Gamma1 , and outputs a random string from a distribution within distance ffi of the uniform distribution on S " f0; 1g n ...
Open Questions, Talk Abstracts, and Summary of Discussions
, 1991
"... s, and Summary of Discussions Joan Feigenbaum and Michael Merritt AT&T Bell Laboratories Murray Hill, NJ 07974 The DIMACS Workshop on Distributed Computing and Cryptography was held at the Nassau Inn in Princeton, New Jersey, on October 4, 5, and 6, 1989. Participants took a critical look at the ..."
Abstract

Cited by 18 (0 self)
 Add to MetaCart
s, and Summary of Discussions Joan Feigenbaum and Michael Merritt AT&T Bell Laboratories Murray Hill, NJ 07974 The DIMACS Workshop on Distributed Computing and Cryptography was held at the Nassau Inn in Princeton, New Jersey, on October 4, 5, and 6, 1989. Participants took a critical look at the results, choice of problems, guiding philosophies, research methodology, and engineering projects that currently absorb much of the effort of people working in "cryptography" and "computer system security." This report summarizes both the formal presentations and the informal discussions that took place. Section 1 contains our account of the group discussions and statements of open questions, both general and specific, that we think are important. This report on the workshop is based on our recollections, our notes, and notes taken by the graduatestudent participants; we assume responsibility for any inaccuracies in our account. Section 2 contains abstracts of the talks presented at the worksh...
Interactive Hashing Simplifies ZeroKnowledge Protocol Design (Extended Abstract)
 Proc. of EuroCrypt 93
, 1998
"... Often the core difficulty in designing zeroknowledge protocols arises from having to consider every possible cheating verifier trying to extract aAditional information. ..."
Abstract

Cited by 17 (5 self)
 Add to MetaCart
Often the core difficulty in designing zeroknowledge protocols arises from having to consider every possible cheating verifier trying to extract aAditional information.
ZeroKnowledge from Secure Multiparty Computation
 SIAM JOURNAL ON COMPUTING (SICOMP) SPECIAL ISSUE DEVOTED TO STOC2007
, 2007
"... A zeroknowledge proof allows a prover to convince a verifier of an assertion without revealing any further information beyond the fact that the assertion is true. Secure multiparty computation allows n mutually suspicious players to jointly compute a function of their local inputs without revealing ..."
Abstract

Cited by 14 (1 self)
 Add to MetaCart
A zeroknowledge proof allows a prover to convince a verifier of an assertion without revealing any further information beyond the fact that the assertion is true. Secure multiparty computation allows n mutually suspicious players to jointly compute a function of their local inputs without revealing to any t corrupted players additional information beyond the output of the function. We present a new general connection between these two fundamental notions. Specifically, we present a general construction of a zeroknowledge proof for an NP relation R(x, w) which only makes a blackbox use of any secure protocol for a related multiparty functionality f. The latter protocol is only required to be secure against a small number of “honest but curious” players. We also present a variant of the basic construction that can leverage security against a large number of malicious players to obtain better efficiency. As an application, one can translate previous results on the efficiency of secure multiparty computation to the domain of zeroknowledge, improving over previous constructions of efficient zeroknowledge proofs. In particular, if verifying R on a witness of length m can be done by a circuit C of size s, and assuming oneway functions exist, we get the following types of zeroknowledge proof