Results 11  20
of
32
Concurrent ZeroKnowledge With Timing, Revisited
, 2002
"... Following Dwork, Naor, and Sahai (30th STOC, 1998), we consider concurrent execution of protocols in a semisynchronized network. Specifically, we assume that each party holds a local clock such that a constant bound on the relative rates of these clocks is apriori known, and consider protocols tha ..."
Abstract

Cited by 32 (0 self)
 Add to MetaCart
Following Dwork, Naor, and Sahai (30th STOC, 1998), we consider concurrent execution of protocols in a semisynchronized network. Specifically, we assume that each party holds a local clock such that a constant bound on the relative rates of these clocks is apriori known, and consider protocols that employ timedriven operations (i.e., timeout incoming messages and delay outgoing messages). We show that the constantround zeroknowledge proof for N P of Goldreich and Kahan (Jour. of Crypto., 1996) preserves its security when polynomiallymany independent copies are executed concurrently under the above timing model. We stress that our main result establishes zeroknowledge of interactive proofs, whereas the results of Dwork et. al. are either for zeroknowledge arguments or for a weak notion of zeroknowledge (called fflknowledge) proofs.
RoundOptimal ZeroKnowledge Arguments Based on any OneWay Function
, 1997
"... We fill a gap in the theory of zeroknowledge protocols by presenting NParguments that achieve negligible error probability and computational zeroknowledge in four rounds of interaction, assuming only the existence of a oneway function. This result is optimal in the sense that four rounds and a o ..."
Abstract

Cited by 31 (3 self)
 Add to MetaCart
We fill a gap in the theory of zeroknowledge protocols by presenting NParguments that achieve negligible error probability and computational zeroknowledge in four rounds of interaction, assuming only the existence of a oneway function. This result is optimal in the sense that four rounds and a oneway function are each individually necessary to achieve a negligible error zeroknowledge argument for NP. Department of Computer Science & Engineering, Mail Code 0114, University of California at San Diego, 9500 Gilman Drive, La Jolla, CA 92093, USA. Email: mihir@cs.ucsd.edu. Supported in part by NSF CAREER Award CCR9624439 and a Packard Foundation Fellowship in Science and Engineering. y Department of Computer Science & Engineering, Mail Code 0114, University of California at San Diego, 9500 Gilman Drive, La Jolla, CA 92093, USA. Email: markus@cs.ucsd.edu. z CertCo, New York, NY, USA. Email: moti@certco.com Contents 1 Introduction 3 1.1 The big picture . . . . . . . . . . ...
Certifying Permutations: NonInteractive ZeroKnowledge Based on any Trapdoor Permutation
 Journal of Cryptology
, 1996
"... In cryptographic protocols it is often necessary to verify/certify the \tools " in use. This work demonstrates certain subtleties in treating a family of trapdoor permutations in this context, noting the necessity to\check " certain properties of these functions. The particular case we ill ..."
Abstract

Cited by 28 (6 self)
 Add to MetaCart
In cryptographic protocols it is often necessary to verify/certify the \tools " in use. This work demonstrates certain subtleties in treating a family of trapdoor permutations in this context, noting the necessity to\check " certain properties of these functions. The particular case we illustrate is that of noninteractive zeroknowledge. We point out that the elegant recent protocol of Feige, Lapidot and Shamir for proving NP statements in noninteractive zeroknowledge requires an additional certi cation of the underlying trapdoor permutation, and suggest a method for certifying permutations which lls this gap.
OneWay Functions, Hard on Average Problems, and Statistical ZeroKnowledge Proofs (Extended Abstract)
 IN PROCEEDINGS OF THE 6TH ANNUAL STRUCTURE IN COMPLEXITY THEORY CONFERENCE
, 1991
"... In this paper, we study connections among oneway functions, hard on the average problems, and statistical zeroknowledge proofs. In particular, we show how these three notions are related and how the third notion can be better characterized, assuming the first one. ..."
Abstract

Cited by 27 (7 self)
 Add to MetaCart
In this paper, we study connections among oneway functions, hard on the average problems, and statistical zeroknowledge proofs. In particular, we show how these three notions are related and how the third notion can be better characterized, assuming the first one.
On the Knowledge Complexity of ...
 In 37th FOCS
, 1996
"... We show that if a language has an interactive proof of logarithmic statistical knowledgecomplexity, then it belongs to the class AM \ co AM. Thus, if the polynomial time hierarchy does not collapse, then NPcomplete languages do not have logarithmic knowledge complexity. Prior to this work, ther ..."
Abstract

Cited by 26 (7 self)
 Add to MetaCart
We show that if a language has an interactive proof of logarithmic statistical knowledgecomplexity, then it belongs to the class AM \ co AM. Thus, if the polynomial time hierarchy does not collapse, then NPcomplete languages do not have logarithmic knowledge complexity. Prior to this work, there was no indication that would contradict NP languages being proven with even one bit of knowledge. Our result is a common generalization of two previous results: The rst asserts that statistical zero knowledge is contained in AM \ co AM [F89, AH91], while the second asserts that the languages recognizable in logarithmic statistical knowledge complexity are in BPP NP [GOP94]. Next, we consider the relation between the error probability and the knowledge complexity of an interactive proof. Note that reducing the error probability via repetition is not free: it may increase the knowledge complexity. We show that if the negligible error probability (n) is less than 2 3k(n) (where k(n) is the knowledge complexity) then the language proven is in the third level of the polynomial time hierarchy (specically, it is in AM NP . In the standard setting of negligible error probability, there exist PSPACEcomplete languages which have sublinear knowledge complexity. However, if we insist, for example, that the error probability is less than 2 n 2 , then PSPACEcomplete languages do not have subquadratic knowledge complexity, unless PSPACE= P 3 . In order to prove our main result, we develop an AM protocol for checking that a samplable distribution D has a given entropy h. For any fractions ; , the verier runs in time polynomial in 1= and log(1=) and fails with probability at most to detect an additive error in the entropy. We believe that this ...
Uniform Generation of NPwitnesses using an NPoracle
 Information and Computation
, 1997
"... A Uniform Generation procedure for NP is an algorithm which given any input in a fixed NPlanguage, outputs a uniformly distributed NPwitness for membership of the input in the language. We present a Uniform Generation procedure for NP that runs in probabilistic polynomialtime with an NPoracle. T ..."
Abstract

Cited by 24 (1 self)
 Add to MetaCart
A Uniform Generation procedure for NP is an algorithm which given any input in a fixed NPlanguage, outputs a uniformly distributed NPwitness for membership of the input in the language. We present a Uniform Generation procedure for NP that runs in probabilistic polynomialtime with an NPoracle. This improves upon results of Jerrum, Valiant and Vazirani, which either require a \Sigma P 2 oracle or obtain only almost uniform generation. Our procedure utilizes ideas originating in the works of Sipser, Stockmeyer, and Jerrum, Valiant and Vazirani. Dept. of Computer Science & Engineering, University of California at San Diego, 9500 Gilman Drive, La Jolla, California 92093, USA. EMail: mihir@cs.ucsd.edu. URL: http://wwwcse.ucsd.edu/users/mihir. Supported in part by NSF CAREER Award CCR9624439 and a 1996 Packard Foundation Fellowship in Science and Engineering. y Department of Computer Science and Applied Mathematics, Weizmann Institute of Science, Rehovot, Israel. EMail: oded@wis...
Making ZeroKnowledge Provers Efficient
 Proceedings of the 24th Annual Symposium on the Theory of Computing, ACM
, 1995
"... We look at the question of how powerful a prover must be to give a zeroknowledge proof. We present the first unconditional bounds on the complexity of a statistical ZK prover. The result is that if a language possesses a statistical zeroknowledge then it also possesses a statistical zeroknowledge ..."
Abstract

Cited by 18 (6 self)
 Add to MetaCart
We look at the question of how powerful a prover must be to give a zeroknowledge proof. We present the first unconditional bounds on the complexity of a statistical ZK prover. The result is that if a language possesses a statistical zeroknowledge then it also possesses a statistical zeroknowledge proof in which the prover runs in probabilistic, polynomial time with an NP oracle. Previously this was only known given the existence of oneway permutations. Extending these techniques to protocols of knowledge complexity k(n) ? 0, we derive bounds on the time complexity of languages of "small" knowledge complexity. Underlying these results is a technique for efficiently generating an "almost" random element of a set S 2 NP. Specifically, we construct a probabilistic machine with an NP oracle which, on input 1 n and ffi ? 0 runs in time polynomial in n and lg ffi \Gamma1 , and outputs a random string from a distribution within distance ffi of the uniform distribution on S " f0; 1g n ...
Open Questions, Talk Abstracts, and Summary of Discussions
, 1991
"... s, and Summary of Discussions Joan Feigenbaum and Michael Merritt AT&T Bell Laboratories Murray Hill, NJ 07974 The DIMACS Workshop on Distributed Computing and Cryptography was held at the Nassau Inn in Princeton, New Jersey, on October 4, 5, and 6, 1989. Participants took a critical look at the res ..."
Abstract

Cited by 17 (0 self)
 Add to MetaCart
s, and Summary of Discussions Joan Feigenbaum and Michael Merritt AT&T Bell Laboratories Murray Hill, NJ 07974 The DIMACS Workshop on Distributed Computing and Cryptography was held at the Nassau Inn in Princeton, New Jersey, on October 4, 5, and 6, 1989. Participants took a critical look at the results, choice of problems, guiding philosophies, research methodology, and engineering projects that currently absorb much of the effort of people working in "cryptography" and "computer system security." This report summarizes both the formal presentations and the informal discussions that took place. Section 1 contains our account of the group discussions and statements of open questions, both general and specific, that we think are important. This report on the workshop is based on our recollections, our notes, and notes taken by the graduatestudent participants; we assume responsibility for any inaccuracies in our account. Section 2 contains abstracts of the talks presented at the worksh...
Interactive Hashing Simplifies ZeroKnowledge Protocol Design (Extended Abstract)
 Proc. of EuroCrypt 93
, 1998
"... Often the core difficulty in designing zeroknowledge protocols arises from having to consider every possible cheating verifier trying to extract aAditional information. ..."
Abstract

Cited by 14 (5 self)
 Add to MetaCart
Often the core difficulty in designing zeroknowledge protocols arises from having to consider every possible cheating verifier trying to extract aAditional information.
Secure Commitment Against A Powerful Adversary  A security primitive based on average intractability (Extended Abstract)
, 1992
"... Secure commitment is a primitive enabling information hiding, which is one of the most basic tools in cryptography. Specifically, it is a twoparty partialinformation game between a "committer" and a "receiver", in which a secure envelope is first implemented and later opened. The committer has a b ..."
Abstract

Cited by 13 (5 self)
 Add to MetaCart
Secure commitment is a primitive enabling information hiding, which is one of the most basic tools in cryptography. Specifically, it is a twoparty partialinformation game between a "committer" and a "receiver", in which a secure envelope is first implemented and later opened. The committer has a bit in mind which he commits to by putting it in a "secure envelope". The receiver cannot guess what the value is until the opening stage and the committer can not change his mind once committed. In this paper, we investigate the feasibility of bit commitment when one of the participants (either committer or receiver) has an unfair computational advantage. That is, we consider commitment to a strong receiver with a To appear in Symposium on Theoretical Aspects of Computer Science (STACS) 92, February 1315, Paris, France. y MIT Laboratory for Computer Science, 545 Technology Square, Cambridge MA 02139, USA. Supported by IBM Graduate Fellowship. Part of this work done while at IBM T.J. W...