Results 1  10
of
109
An Uninstantiable RandomOracleModel Scheme for a HybridEncryption Problem,” Full version of this paper. Available at http://wwwcse.ucsd.edu/users/mihir
"... Abstract. We present a simple, natural randomoracle (RO) model scheme, for a practical goal, that is uninstantiable, meaning is proven in the RO model to meet its goal yet admits no standardmodel instantiation that meets this goal. The goal in question is INDCCApreserving asymmetric encryption w ..."
Abstract

Cited by 82 (5 self)
 Add to MetaCart
(Show Context)
Abstract. We present a simple, natural randomoracle (RO) model scheme, for a practical goal, that is uninstantiable, meaning is proven in the RO model to meet its goal yet admits no standardmodel instantiation that meets this goal. The goal in question is INDCCApreserving asymmetric encryption which formally captures security of the most common practical usage of asymmetric encryption, namely to transport a symmetric key in such a way that symmetric encryption under the latter remains secure. The scheme is an ElGamal variant, called Hash ElGamal, that resembles numerous existing ROmodel schemes, and on the surface shows no evidence of its anomalous properties. These results extend our understanding of the gap between the standard and RO models, and bring concerns raised by previous work closer to practice by indicating that the problem of ROmodel schemes admitting no secure instantiation can arise in domains where RO schemes are commonly designed. 1
Robust PCPs of Proximity, Shorter PCPs and Applications to Coding
 in Proc. 36th ACM Symp. on Theory of Computing
, 2004
"... We continue the study of the tradeo between the length of PCPs and their query complexity, establishing the following main results (which refer to proofs of satis ability of circuits of size n): 1. We present PCPs of length exp( ~ O(log log n) ) n that can be veri ed by making o(log log n) ..."
Abstract

Cited by 80 (29 self)
 Add to MetaCart
(Show Context)
We continue the study of the tradeo between the length of PCPs and their query complexity, establishing the following main results (which refer to proofs of satis ability of circuits of size n): 1. We present PCPs of length exp( ~ O(log log n) ) n that can be veri ed by making o(log log n) Boolean queries.
On the (In)security of the FiatShamir Paradigm
 In Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science
, 2003
"... In 1986, Fiat and Shamir suggested a general method for transforming secure 3round publiccoin identification schemes into digital signature schemes. The significant contribution of this method is a means for designing efficient digital signatures, while hopefully achieving security against chosen ..."
Abstract

Cited by 48 (2 self)
 Add to MetaCart
In 1986, Fiat and Shamir suggested a general method for transforming secure 3round publiccoin identification schemes into digital signature schemes. The significant contribution of this method is a means for designing efficient digital signatures, while hopefully achieving security against chosen message attacks. All other known constructions which achieve such security are substantially more inefficient and complicated in design. In 1996...
ZeroKnowledge Sets
, 2003
"... We show how a polynomialtime prover can commit to an arbitrary finite set S of strings so that, later on, he can, for any string x, reveal with a proof whetherÜËorÜ�Ë, without revealing any knowledge beyond the verity of these membership assertions. Our method is non interactive. Given a public ran ..."
Abstract

Cited by 48 (0 self)
 Add to MetaCart
We show how a polynomialtime prover can commit to an arbitrary finite set S of strings so that, later on, he can, for any string x, reveal with a proof whetherÜËorÜ�Ë, without revealing any knowledge beyond the verity of these membership assertions. Our method is non interactive. Given a public random string, the prover commits to a set by simply posting a short and easily computable message. After that, each time it wants to prove whether a given element is in the set, it simply posts another short and easily computable proof, whose correctness can be verified by any one against the public random string. Our scheme is very efficient; no reasonable prior way to achieve our desiderata existed. Our new primitive immediately extends to providing zeroknowledge “databases.”
Simple PCPs with Polylog Rate and Query Complexity
, 2005
"... We give constructions of probabilistically checkable proofs (PCPs) of length n·poly(log n) (to prove satisfiability of circuits of size n) that can verified by querying poly(log n) bits of the proof. We also give constructions of locally testable codes (LTCs) with similar parameters. Previous constr ..."
Abstract

Cited by 45 (15 self)
 Add to MetaCart
We give constructions of probabilistically checkable proofs (PCPs) of length n·poly(log n) (to prove satisfiability of circuits of size n) that can verified by querying poly(log n) bits of the proof. We also give constructions of locally testable codes (LTCs) with similar parameters. Previous constructions of short PCPs (from [5] to [9]) relied extensively on properties of low degree multivariate polynomials. In contrast, our constructions rely on new problems and techniques revolving around the properties of codes based on high degree polynomials in one variable (also known as ReedSolomon codes). We show how to convert the problem of verifying the satisfaction of a circuit by a given assignment to the task of verifying that a given function is close to being a ReedSolomon codeword, i.e., a univariate polynomial of specified degree. This reduction is simpler than the corresponding steps in previous reductions, and gives a new alternative to using the popular “sumcheck protocol”. We then give a new PCP for the special task of proving that a function is close to being a ReedSolomon codeword. This step of the construction is by a selfcontained recursion, and the only ingredient needed in the analysis is the bivariate lowdegree test of Polischuk and Spielman [27]. Note that our constructions yield LTCs first, which are then converted to PCPs. In contrast, most recent constructions go in the opposite (and less natural) direction of getting LTCs from PCPs.
From extractable collision resistance to succinct noninteractive arguments of knowledge, and back again
, 2011
"... The existence of succinct noninteractive arguments for NP (i.e., noninteractive computationallysound proofs where the verifier’s work is essentially independent of the complexity of the NP nondeterministic verifier) has been an intriguing question for the past two decades. Other than CS proofs in ..."
Abstract

Cited by 37 (14 self)
 Add to MetaCart
The existence of succinct noninteractive arguments for NP (i.e., noninteractive computationallysound proofs where the verifier’s work is essentially independent of the complexity of the NP nondeterministic verifier) has been an intriguing question for the past two decades. Other than CS proofs in the random oracle model [Micali, FOCS ’94], the only existing candidate construction is based on an elaborate assumption that is tailored to a specific protocol [Di Crescenzo and Lipmaa, CiE ’08]. We formulate a general and relatively natural notion of an extractable collisionresistant hash function (ECRH) and show that, if ECRHs exist, then a modified version of Di Crescenzo and Lipmaa’s protocol is a succinct noninteractive argument for NP. Furthermore, the modified protocol is actually a succinct noninteractive adaptive argument of knowledge (SNARK). We then propose several candidate constructions for ECRHs and relaxations thereof. We demonstrate the applicability of SNARKs to various forms of delegation of computation, to succinct noninteractive zero knowledge arguments, and to succinct twoparty secure computation. Finally, we show that SNARKs essentially imply the existence of ECRHs, thus demonstrating the necessity of
Improved delegation of computation using fully homomorphic encryption
 CRYPTO 2010, LNCS 6223
, 2010
"... Following Gennaro, Gentry, and Parno (Cryptology ePrint Archive 2009/547), we use fully homomorphic encryption to design improved schemes for delegating computation. In such schemes, a delegator outsources the computation of a function F on many, dynamically chosen inputs xi to a worker in such a wa ..."
Abstract

Cited by 37 (2 self)
 Add to MetaCart
Following Gennaro, Gentry, and Parno (Cryptology ePrint Archive 2009/547), we use fully homomorphic encryption to design improved schemes for delegating computation. In such schemes, a delegator outsources the computation of a function F on many, dynamically chosen inputs xi to a worker in such a way that it is infeasible for the worker to make the delegator accept a result other than F (xi). The “online stage ” of the Gennaro et al. scheme is very efficient: the parties exchange two messages, the delegator runs in time poly(log T), and the worker runs in time poly(T), where T is the time complexity of F. However, the “offline stage ” (which depends on the function F but not the inputs to be delegated) is inefficient: the delegator runs in time poly(T) and generates a public key of length poly(T) that needs to be accessed by the worker during the online stage. Our first construction eliminates the large public key from the Gennaro et al. scheme. The delegator still invests poly(T) time in the offline stage, but does not need to communicate or publish anything. Our second construction reduces the work of the delegator in the offline stage to poly(log T) at the price of a 4message (offline) interaction with a poly(T)time worker
Homomorphic signatures for polynomial functions
, 2010
"... We construct the first homomorphic signature scheme that is capable of evaluating multivariate polynomials on signed data. Given the public key and a signed data set, there is an efficient algorithm to produce a signature on the mean, standard deviation, and other statistics of the signed data. Prev ..."
Abstract

Cited by 31 (4 self)
 Add to MetaCart
(Show Context)
We construct the first homomorphic signature scheme that is capable of evaluating multivariate polynomials on signed data. Given the public key and a signed data set, there is an efficient algorithm to produce a signature on the mean, standard deviation, and other statistics of the signed data. Previous systems for computing on signed data could only handle linear operations. For polynomials of constant degree, the length of a derived signature only depends logarithmically on the size of the data set. Our system uses ideal lattices in a way that is a “signature analogue” of Gentry’s fully homomorphic encryption. Security is based on hard problems on ideal lattices similar to those in Gentry’s system.