Results 1  10
of
29
On the Composition of ZeroKnowledge Proof Systems
 SIAM Journal on Computing
, 1990
"... : The wide applicability of zeroknowledge interactive proofs comes from the possibility of using these proofs as subroutines in cryptographic protocols. A basic question concerning this use is whether the (sequential and/or parallel) composition of zeroknowledge protocols is zeroknowledge too. We ..."
Abstract

Cited by 195 (14 self)
 Add to MetaCart
: The wide applicability of zeroknowledge interactive proofs comes from the possibility of using these proofs as subroutines in cryptographic protocols. A basic question concerning this use is whether the (sequential and/or parallel) composition of zeroknowledge protocols is zeroknowledge too. We demonstrate the limitations of the composition of zeroknowledge protocols by proving that the original definition of zeroknowledge is not closed under sequential composition; and that even the strong formulations of zeroknowledge (e.g. blackbox simulation) are not closed under parallel execution. We present lower bounds on the round complexity of zeroknowledge proofs, with significant implications to the parallelization of zeroknowledge protocols. We prove that 3round interactive proofs and constantround ArthurMerlin proofs that are blackbox simulation zeroknowledge exist only for languages in BPP. In particular, it follows that the "parallel versions" of the first interactive proo...
On Defining Proofs of Knowledge
, 1998
"... The notion of a "proof of knowledge," suggested by Gold wasset, Micali and Rackoff, has been used in many works as a tool for the construction of cryptographic protocols and other schemes. Yet the commonly cited formalizations of this notion are unsatisfactory and in particular inadequate for s ..."
Abstract

Cited by 143 (23 self)
 Add to MetaCart
The notion of a "proof of knowledge," suggested by Gold wasset, Micali and Rackoff, has been used in many works as a tool for the construction of cryptographic protocols and other schemes. Yet the commonly cited formalizations of this notion are unsatisfactory and in particular inadequate for some of the applications in which they are used. Consequently,
On the Concurrent Composition of ZeroKnowledge Proofs
 In EuroCrypt99, Springer LNCS 1592
, 1999
"... Abstract. We examine the concurrent composition of zeroknowledge proofs. By concurrent composition, we indicate a single prover that is involved in multiple, simultaneous zeroknowledge proofs with one or multiple verifiers. Under this type of composition it is believed that standard zeroknowledge ..."
Abstract

Cited by 113 (3 self)
 Add to MetaCart
Abstract. We examine the concurrent composition of zeroknowledge proofs. By concurrent composition, we indicate a single prover that is involved in multiple, simultaneous zeroknowledge proofs with one or multiple verifiers. Under this type of composition it is believed that standard zeroknowledge protocols are no longer zeroknowledge. We show that, modulo certain complexity assumptions, any statement in NP has k ɛround proofs and arguments in which one can efficiently simulate any k O(1) concurrent executions of the protocol.
Definitions And Properties Of ZeroKnowledge Proof Systems
 Journal of Cryptology
, 1994
"... In this paper we investigate some properties of zeroknowledge proofs, a notion introduced by Goldwasser, Micali and Rackoff. We introduce and classify two definitions of zeroknowledge: auxiliary \Gamma input zeroknowledge and blackbox \Gamma simulation zeroknowledge. We explain why auxiliaryinp ..."
Abstract

Cited by 113 (10 self)
 Add to MetaCart
In this paper we investigate some properties of zeroknowledge proofs, a notion introduced by Goldwasser, Micali and Rackoff. We introduce and classify two definitions of zeroknowledge: auxiliary \Gamma input zeroknowledge and blackbox \Gamma simulation zeroknowledge. We explain why auxiliaryinput zeroknowledge is a definition more suitable for cryptographic applications than the original [GMR1] definition. In particular, we show that any protocol solely composed of subprotocols which are auxiliaryinput zeroknowledge is itself auxiliaryinput zeroknowledge. We show that blackboxsimulation zeroknowledge implies auxiliaryinput zeroknowledge (which in turn implies the [GMR1] definition). We argue that all known zeroknowledge proofs are in fact blackboxsimulation zeroknowledge (i.e., were proved zeroknowledge using blackboxsimulation of the verifier). As a result, all known zeroknowledge proof systems are shown to be auxiliaryinput zeroknowledge and can be used for cryptographic applications such as those in [GMW2]. We demonstrate the triviality of certain classes of zeroknowledge proof systems, in the sense that only languages in BPP have zeroknowledge proofs of these classes. In particular, we show that any language having a Las Vegas zeroknowledge proof system necessarily belongs to RP . We show that randomness of both the verifier and the prover, and nontriviality of the interaction are essential properties of (nontrivial) auxiliaryinput zeroknowledge proofs.
Cryptographically Strong Undeniable Signatures, Unconditionally Secure for the Signer
, 1991
"... "Undeniable" (or perhaps rather "invisible") signatures are digital signatures which the recipient cannot show round without the help of the signer. If forced to either acknowledge or deny a signature, however, the signer cannot deny it if it is authentic. We present the first undeniable signature ..."
Abstract

Cited by 70 (1 self)
 Add to MetaCart
"Undeniable" (or perhaps rather "invisible") signatures are digital signatures which the recipient cannot show round without the help of the signer. If forced to either acknowledge or deny a signature, however, the signer cannot deny it if it is authentic. We present the first undeniable signature scheme which is unconditionally secure for the signer (except for an exponentially small error probability). The security for the recipient is provably as secure as the discrete logarithm in certain groups. Besides, this is the first practical cryptographically strong undeniable signature scheme at all. In many cases, it is more efficient than previous signature schemes unconditionally secure for the signer. Interesting subprotocols are efficient cryptographically collisionfree hash functions based on the discrete log, and efficient perfectly hiding commitments on numbers modulo a prime with particular inequality proofs.
Magic Functions
, 1999
"... We consider three apparently unrelated fundamental problems in distributed computing, cryptography and complexity theory and prove that they are essentially the same problem. ..."
Abstract

Cited by 55 (0 self)
 Add to MetaCart
We consider three apparently unrelated fundamental problems in distributed computing, cryptography and complexity theory and prove that they are essentially the same problem.
The (True) Complexity of Statistical Zero Knowledge (Extended Abstract)
 Proceedings of the 22nd Annual ACM Symposium on the Theory of Computing, ACM
, 1990
"... ) Mihir Bellare Silvio Micali y Rafail Ostrovsky z MIT Laboratory for Computer Science 545 Technology Square Cambridge, MA 02139 Abstract Statistical zeroknowledge is a very strong privacy constraint which is not dependent on computational limitations. In this paper we show that given a comp ..."
Abstract

Cited by 42 (17 self)
 Add to MetaCart
) Mihir Bellare Silvio Micali y Rafail Ostrovsky z MIT Laboratory for Computer Science 545 Technology Square Cambridge, MA 02139 Abstract Statistical zeroknowledge is a very strong privacy constraint which is not dependent on computational limitations. In this paper we show that given a complexity assumption a much weaker condition suffices to attain statistical zeroknowledge. As a result we are able to simplify statistical zeroknowledge and to better characterize, on many counts, the class of languages that possess statistical zeroknowledge proofs. 1 Introduction An interactive proof involves two parties, a prover and a verifier, who talk back and forth. The prover, who is computationally unbounded, tries to convince the probabilistic polynomial time verifier that a given theorem is true. A zeroknowledge proof is an interactive proof with an additional privacy constraint: the verifier does not learn why the theorem is true [11]. That is, whatever the polynomialtime verif...
Concurrent and Resettable ZeroKnowledge in Polylogarithmic Rounds (Extended Abstract)
 STOC'01
, 2001
"... 2 k) rounds given at most k concurrent proofs. Finally, we show that a simple modification of our proof is a resettable zeroknowledge proof for NP, with!(log 2 k) rounds; previously known protocols required a polynomial number of rounds. ..."
Abstract

Cited by 42 (1 self)
 Add to MetaCart
2 k) rounds given at most k concurrent proofs. Finally, we show that a simple modification of our proof is a resettable zeroknowledge proof for NP, with!(log 2 k) rounds; previously known protocols required a polynomial number of rounds.
Practical ZeroKnowledge Proofs: Giving Hints and Using Deficiencies
 JOURNAL OF CRYPTOLOGY
, 1994
"... New zeroknowledge proofs are given for some numbertheoretic problems. All of the problems are in NP, but the proofs given here are much more efficient than the previously known proofs. In addition, these proofs do not require the prover to be superpolynomial in power. A probabilistic polynomial t ..."
Abstract

Cited by 32 (0 self)
 Add to MetaCart
New zeroknowledge proofs are given for some numbertheoretic problems. All of the problems are in NP, but the proofs given here are much more efficient than the previously known proofs. In addition, these proofs do not require the prover to be superpolynomial in power. A probabilistic polynomial time prover with the appropriate trapdoor knowledge is sufficient. The proofs are perfect or statistical zeroknowledge in all cases except one.
OneWay Functions, Hard on Average Problems, and Statistical ZeroKnowledge Proofs (Extended Abstract)
 IN PROCEEDINGS OF THE 6TH ANNUAL STRUCTURE IN COMPLEXITY THEORY CONFERENCE
, 1991
"... In this paper, we study connections among oneway functions, hard on the average problems, and statistical zeroknowledge proofs. In particular, we show how these three notions are related and how the third notion can be better characterized, assuming the first one. ..."
Abstract

Cited by 28 (8 self)
 Add to MetaCart
In this paper, we study connections among oneway functions, hard on the average problems, and statistical zeroknowledge proofs. In particular, we show how these three notions are related and how the third notion can be better characterized, assuming the first one.