Results 1  10
of
10
NonMalleable Cryptography
 SIAM Journal on Computing
, 2000
"... The notion of nonmalleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. ..."
Abstract

Cited by 493 (22 self)
 Add to MetaCart
(Show Context)
The notion of nonmalleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. The same concept makes sense in the contexts of string commitment and zeroknowledge proofs of possession of knowledge. Nonmalleable schemes for each of these three problems are presented. The schemes do not assume a trusted center; a user need not know anything about the number or identity of other system users. Our cryptosystem is the first proven to be secure against a strong type of chosen ciphertext attack proposed by Rackoff and Simon, in which the attacker knows the ciphertext she wishes to break and can query the decryption oracle on any ciphertext other than the target.
Publickey Cryptosystems Provably Secure against Chosen Ciphertext Attacks
 In Proc. of the 22nd STOC
, 1995
"... We show how to construct a publickey cryptosystem (as originally defined by Diffie and Hellman) secure against chosen ciphertext attacks, given a publickey cryptosystem secure against passive eavesdropping and a noninteractive zeroknowledge proof system in the shared string model. No such secure ..."
Abstract

Cited by 284 (20 self)
 Add to MetaCart
(Show Context)
We show how to construct a publickey cryptosystem (as originally defined by Diffie and Hellman) secure against chosen ciphertext attacks, given a publickey cryptosystem secure against passive eavesdropping and a noninteractive zeroknowledge proof system in the shared string model. No such secure cryptosystems were known before. Key words. cryptography, randomized algorithms AMS subject classifications. 68M10, 68Q20, 68Q22, 68R05, 68R10 A preliminary version of this paper appeared in the Proc. of the Twenty Second ACM Symposium of Theory of Computing. y Incumbent of the Morris and Rose Goldman Career Development Chair, Dept. of Applied Mathematics and Computer Science, Weizmann Institute of Science, Rehovot 76100, Israel. Work performed while at the IBM Almaden Research Center. Research supported by an Alon Fellowship and a grant from the Israel Science Foundation administered by the Israeli Academy of Sciences. Email: naor@wisdom.weizmann.ac.il. z IBM Research Division, T.J ...
How to Construct ConstantRound ZeroKnowledge Proof Systems for NP
 Journal of Cryptology
, 1995
"... Constantround zeroknowledge proof systems for every language in NP are presented, assuming the existence of a collection of clawfree functions. In particular, it follows that such proof systems exist assuming the intractability of either the Discrete Logarithm Problem or the Factoring Problem for ..."
Abstract

Cited by 173 (8 self)
 Add to MetaCart
Constantround zeroknowledge proof systems for every language in NP are presented, assuming the existence of a collection of clawfree functions. In particular, it follows that such proof systems exist assuming the intractability of either the Discrete Logarithm Problem or the Factoring Problem for Blum Integers.
Committed Oblivious Transfer and Private MultiParty Computation
, 1995
"... . In this paper we present an efficient protocol for "Committed Oblivious Transfer" to perform oblivious transfer on committed bits: suppose Alice is committed to bits a0 and a1 and Bob is committed to b, they both want Bob to learn and commit to a b without Alice learning b nor Bob lear ..."
Abstract

Cited by 66 (10 self)
 Add to MetaCart
. In this paper we present an efficient protocol for "Committed Oblivious Transfer" to perform oblivious transfer on committed bits: suppose Alice is committed to bits a0 and a1 and Bob is committed to b, they both want Bob to learn and commit to a b without Alice learning b nor Bob learning a¯ b . Our protocol, based on the properties of error correcting codes, uses Bit Commitment (bc) and oneoutoftwo Oblivious Transfer (ot) as black boxes. Consequently the protocol may be implemented with or without a computational assumption, depending on the kind of bc and ot used by the participants. Assuming a Broadcast Channel is also available, we exploit this result to obtain a protocol for Private MultiParty Computation, without making assumptions about a specific number or fraction of participants being honest. We analyze the protocol's efficiency in terms of bcs and ots performed. Our approach connects Zero Knowledge proofs on bcs, Oblivious Circuit Evaluation and Private MultiParty ...
An Efficient NonInteractive ZeroKnowledge Proof System for NP with General Assumptions
 Journal of Cryptology
, 1995
"... We consider noninteractive zeroknowledge proofs in the shared random string model proposed by Blum, Feldman and Micali [BFM88]. Until recently there was a sizable polynomial gap between the most efficient noninteractive proofs for NP based on general complexity assumptions [FLS90] versus those base ..."
Abstract

Cited by 25 (1 self)
 Add to MetaCart
(Show Context)
We consider noninteractive zeroknowledge proofs in the shared random string model proposed by Blum, Feldman and Micali [BFM88]. Until recently there was a sizable polynomial gap between the most efficient noninteractive proofs for NP based on general complexity assumptions [FLS90] versus those based on specific algebraic assumptions [Dam92]. Recently, this gap was reduced to a polylogarithmic factor [Kil94]; we further reduce the gap to a constant factor. Our proof system relies on the existence of oneway permutations (or trapdoor permutations for bounded provers). Our protocol is based on the random committed bit model introduced by Feige, Lapidot and Shamir. We show how to prove that an ngate circuit is satisfiable, with error probability 1=n O(1) , using only O(n lg n) random committed bits. For this error probability, this result matches to within a constant factor the number of committed bits required by the most efficient known interactive proof systems. 1 Introduction A ba...
Blackbox constructions of twoparty protocols from oneway functions
 In TCC
, 2009
"... Abstract. We exhibit constructions of the following twoparty cryptographic protocols given only blackbox access to a oneway function: – constantround zeroknowledge arguments (of knowledge) for any language in NP; – constantround trapdoor commitment schemes; – constantround parallel cointossi ..."
Abstract

Cited by 16 (6 self)
 Add to MetaCart
(Show Context)
Abstract. We exhibit constructions of the following twoparty cryptographic protocols given only blackbox access to a oneway function: – constantround zeroknowledge arguments (of knowledge) for any language in NP; – constantround trapdoor commitment schemes; – constantround parallel cointossing. Previous constructions either require stronger computational assumptions (e.g. collisionresistant hash functions), nonblackbox access to a oneway function, or a superconstant number of rounds. As an immediate corollary, we obtain a constantround blackbox construction of secure twoparty computation protocols starting from only semihonest oblivious transfer. In addition, by combining our techniques with recent constructions of concurrent zeroknowledge and nonmalleable primitives, we obtain blackbox constructions of concurrent zeroknowledge arguments for NP and nonmalleable commitments starting from only oneway functions. Key words: blackbox constructions, zeroknowledge arguments, trapdoor commitments, parallel cointossing, secure twoparty computation, nonmalleable commitments 1
Subquadratic ZeroKnowledge
, 1995
"... We improve on the communication complexity of zeroknowledge proof systems. Let C be a boolean circuit of size n. Previous zeroknowledge proof systems for the satisfiability of C require the use of \Omega\Gamma kn) bit commitments in order to achieve a probability of undetected cheating below 2 \G ..."
Abstract

Cited by 13 (3 self)
 Add to MetaCart
We improve on the communication complexity of zeroknowledge proof systems. Let C be a boolean circuit of size n. Previous zeroknowledge proof systems for the satisfiability of C require the use of \Omega\Gamma kn) bit commitments in order to achieve a probability of undetected cheating below 2 \Gammak . In the case k = n, the communication complexity of these protocols is therefore\Omega\Gamma n 2 ) bit commitments. In this paper, we present a zeroknowledge proof system for achieving the same goal with only O(n 1+"n + k p n 1+"n ) bit commitments, where " n goes to zero as n goes to infinity. In the case k = n, this is O(n p n 1+"n ). Moreover, only O(k) commitments need ever be opened, which is interesting if it is substantially less expensive to commit to a bit than to open a commitment. A preliminary version of this paper appeared in the Proceedings of the 32nd Annual IEEE Symposium on Foundations of Computer Science, October 1991. y Supported in part by NSA Gr...
RandomnessEfficient NonInteractive Zero Knowledge (Extended Abstract)
, 1997
"... The model of NonInteractive ZeroKnowledge allows to obtain minimal interaction between prover and verifier in a zeroknowledge proof if a public random string is available to both parties. In this paper we investigate upper bounds for the length of the random string for proving one and many statem ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
The model of NonInteractive ZeroKnowledge allows to obtain minimal interaction between prover and verifier in a zeroknowledge proof if a public random string is available to both parties. In this paper we investigate upper bounds for the length of the random string for proving one and many statements, obtaining the following results:  We show how to prove in noninteractive perfect zeroknowledge any polynomial number of statements using a random string of fixed length, that is, not depending on the number of statements. Previously, such a result was known only in th...
Probabilistic Proof Systems  A Survey
 IN SYMPOSIUM ON THEORETICAL ASPECTS OF COMPUTER SCIENCE
, 1996
"... Various types of probabilistic proof systems have played a central role in the development of computer science in the last decade. In this exposition, we concentrate on three such proof systems  interactive proofs, zeroknowledge proofs, and probabilistic checkable proofs  stressing the essen ..."
Abstract

Cited by 5 (0 self)
 Add to MetaCart
Various types of probabilistic proof systems have played a central role in the development of computer science in the last decade. In this exposition, we concentrate on three such proof systems  interactive proofs, zeroknowledge proofs, and probabilistic checkable proofs  stressing the essential role of randomness in each of them.
Assumptions
"... Our protocol is stated in the hidden bit model introduced by Feige, Lapidot and Shamir. We show how to prove that an ngate circuit is satisfiable, with error probability 1=nO(1), using only O(n lg n) random committed bits. For this error probability, this result matches to within a constant factor ..."
Abstract
 Add to MetaCart
(Show Context)
Our protocol is stated in the hidden bit model introduced by Feige, Lapidot and Shamir. We show how to prove that an ngate circuit is satisfiable, with error probability 1=nO(1), using only O(n lg n) random committed bits. For this error probability, this result matches to within a constant factor the number of committed bits required by the most efficient known interactive proof systems. Keywords: Oneway permutations, Zeroknowledge, Efficient proofs, Noninteractive zeroknowledge, Circuit satisfiability.