Oblivious Transfers and Intersecting Codes, 1996
Cited by 39 (4 self)
Assume A owns t secret k-bit strings. She is willing to disclose one of them to B, at his choosing, provided he does not learn anything about the other strings. Conversely, B does not want A to learn which secret he chose to learn. A protocol for the above task is said to implement One-out-of-t String Oblivious Transfer, denoted $\binom{t}{1}$-$\mathrm{OT}^k_2$. This primitive is particularly useful in a variety of cryptographic settings. An apparently simpler task corresponds to the case k = 1 and t = 2 of two one-bit secrets: this is known as One-out-of-two Bit Oblivious Transfer, denoted $\binom{2}{1}$-$\mathrm{OT}_2$. We address the question of implementing $\binom{t}{1}$-$\mathrm{OT}^k_2$ assuming the existence of a $\binom{2}{1}$-$\mathrm{OT}_2$. In particular, we prove that unconditionally secure $\binom{2}{1}$-$\mathrm{OT}^k_2$ can be implemented from $\Theta(k)$ calls to $\binom{2}{1}$-$\mathrm{OT}_2$. This is optimal up to a small multiplicative constant. Our solution is based on the notion of self-intersecting codes. Of independent interest, we give several...
Fair Games Against an All-Powerful Adversary
AMS DIMACS Series in Discrete Mathematics and Theoretical Computer Science, 1991
Cited by 37 (14 self)
Suppose that a weak (polynomial time) device needs to interact over a clear channel with a strong (infinitely-powerful) and untrustworthy adversarial device. Assuming the existence of one-way functions, during this interaction (game) the infinitely-powerful device can encrypt and (computationally) hide information from the weak device. However, to keep the game fair, the weak player must hide information from the infinitely-powerful player in the information-theoretic sense. Clearly, encryption in this case is useless, and other means must be used. In this paper, we show that under a general complexity assumption, this task is always possible to achieve. That is, we show that the weak player can play any polynomial length partial-information game (or secure protocol) with the strong player using any one-way function; we achieve this by implementing an oblivious transfer protocol in this model. We also establish related impossibility results concerning oblivious transfer. In the proof of ou...
The discrete logarithm modulo a composite hides O(n) bits
Journal of Computer and System Sciences, 1993
Cited by 26 (1 self)
In this paper we consider the one-way function $f_{g,N}(X) = g^X \pmod N$, where N is a Blum integer. We prove that under the commonly assumed intractability of factoring Blum integers, all its bits are individually hard, and the lower as well as upper halves of them are simultaneously hard. As a result, $f_{g,N}$ can be used in efficient pseudo-random bit generators and multi-bit commitment schemes, where messages can be drawn according to arbitrary probability distributions.
Lower Bounds for Oblivious Transfer Reductions, 1999
Cited by 15 (0 self)
We prove the first general and non-trivial lower bound for the number of times a 1-out-of-n Oblivious Transfer of strings of length $\ell$ should be invoked so as to obtain, by an information-theoretically secure reduction, a 1-out-of-N Oblivious Transfer of strings of length L. Our bound is tight in many significant cases. We also prove the first non-trivial lower bound for the number of random bits needed to implement such a reduction whenever the receiver sends no messages to the sender. This bound is also tight in many significant cases.

1 Introduction

The Oblivious Transfer. The Oblivious Transfer (OT) is a fundamental primitive in secure protocol design, which has been defined in many different ways and contexts (e.g. [17], [10], [9]) and has found enormously many applications (e.g. [2], [17], [9], [13], [7], [16], [1], [14], [11]). The OT is a protocol typically involving two players, the sender and the receiver, and several parameters. In the most used form, the $\binom{N}{1}$-...
An efficient discrete log pseudo random generator
Proc. of Crypto '98, 1998
Cited by 15 (1 self)
The exponentiation function in a finite field of order p (a prime number) is believed to be a one-way function. It is well known that $O(\log \log p)$ bits are simultaneously hard for this function. We consider a special case of this problem, the discrete logarithm with short exponents, which is also believed to be hard to compute. Under this intractability assumption we show that discrete exponentiation modulo a prime p can hide $n - \omega(\log n)$ bits ($n = \lceil \log p \rceil$ and $p = 2q + 1$, where q is also a prime). We prove simultaneous security by showing that any information about the $n - \omega(\log n)$ bits can be used to discover the discrete log of $g^s \bmod p$ where s has $\omega(\log n)$ bits. For all practical purposes, the size of s can be a constant c bits. This leads to a very efficient pseudo-random number generator which produces $n - c$ bits per iteration. For example, when n = 1024 bits and c = 128 bits our pseudo-random number generator produces a little less than 900 bits per exponentiation.
Subquadratic Zero-Knowledge, 1995
Cited by 13 (3 self)
We improve on the communication complexity of zero-knowledge proof systems. Let C be a boolean circuit of size n. Previous zero-knowledge proof systems for the satisfiability of C require the use of $\Omega(kn)$ bit commitments in order to achieve a probability of undetected cheating below $2^{-k}$. In the case k = n, the communication complexity of these protocols is therefore $\Omega(n^2)$ bit commitments. In this paper, we present a zero-knowledge proof system for achieving the same goal with only $O(n^{1+\varepsilon_n} + k\sqrt{n^{1+\varepsilon_n}})$ bit commitments, where $\varepsilon_n$ goes to zero as n goes to infinity. In the case k = n, this is $O(n\sqrt{n^{1+\varepsilon_n}})$. Moreover, only O(k) commitments need ever be opened, which is interesting if it is substantially less expensive to commit to a bit than to open a commitment. A preliminary version of this paper appeared in the Proceedings of the 32nd Annual IEEE Symposium on Foundations of Computer Science, October 1991.
Invariant Signatures and Non-Interactive Zero-Knowledge Proofs are Equivalent (Extended Abstract)
Advances in Cryptology, CRYPTO '92, 1992
Cited by 13 (1 self)
The standard definition of digital signatures allows a document to have many valid signatures. In this paper, we consider a subclass of digital signatures, called invariant signatures, in which all legal signatures of a document must be identical according to some polynomial-time computable function (of a signature) which is hard to predict given an unsigned document. We formalize this notion and show its equivalence to non-interactive zero-knowledge proofs.
Linear Zero-Knowledge: A Note on Efficient Zero-Knowledge Proofs and Arguments, 1996
Cited by 10 (2 self)
We present a zero-knowledge proof system [19] for any NP language L, which allows showing that $x \in L$ with error probability less than $2^{-k}$ using communication corresponding to $O(|x|^c) + k$ bit commitments, where c is a constant depending only on L. The proof can be based on any bit commitment scheme with a particular set of properties. We suggest an efficient implementation based on factoring. We also
Zero-Knowledge from Secure Multiparty Computation
SIAM Journal on Computing (SICOMP), special issue devoted to STOC 2007, 2007
Cited by 9 (1 self)
A zero-knowledge proof allows a prover to convince a verifier of an assertion without revealing any further information beyond the fact that the assertion is true. Secure multiparty computation allows n mutually suspicious players to jointly compute a function of their local inputs without revealing to any t corrupted players additional information beyond the output of the function. We present a new general connection between these two fundamental notions. Specifically, we present a general construction of a zero-knowledge proof for an NP relation R(x, w) which only makes a black-box use of any secure protocol for a related multi-party functionality f. The latter protocol is only required to be secure against a small number of "honest but curious" players. We also present a variant of the basic construction that can leverage security against a large number of malicious players to obtain better efficiency. As an application, one can translate previous results on the efficiency of secure multiparty computation to the domain of zero-knowledge, improving over previous constructions of efficient zero-knowledge proofs. In particular, if verifying R on a witness of length m can be done by a circuit C of size s, and assuming one-way functions exist, we get the following types of zero-knowledge proof