Results 1  10
of
21
Oblivious Transfers and Intersecting Codes
, 1996
"... Assume A owns t secret kbit strings. She is willing to disclose one of them to B, at his choosing, provided he does not learn anything about the other strings. Conversely, B does not want A to learn which secret he chose to learn. A protocol for the above task is said to implement Oneoutoft St ..."
Abstract

Cited by 39 (4 self)
 Add to MetaCart
Assume A owns t secret kbit strings. She is willing to disclose one of them to B, at his choosing, provided he does not learn anything about the other strings. Conversely, B does not want A to learn which secret he chose to learn. A protocol for the above task is said to implement Oneoutoft String Oblivious Transfer, denoted ( t 1 )OT k 2 . This primitive is particularly useful in a variety of cryptographic settings. An apparently simpler task corresponds to the case k = 1 and t = 2 of two onebit secrets: this is known as Oneoutoftwo Bit Oblivious Transfer, denoted ( 2 1 )OT 2 . We address the question of implementing ( t 1 )OT k 2 assuming the existence of a ( 2 1 )OT 2 . In particular, we prove that unconditionally secure ( 2 1 )OT k 2 can be implemented from \Theta(k) calls to ( 2 1 )OT 2 . This is optimal up to a small multiplicative constant. Our solution is based on the notion of selfintersecting codes. Of independent interest, we give several...
Fair Games Against an AllPowerful Adversary
 AMS DIMACS Series in Discrete Mathematics and Theoretical Computer Science
, 1991
"... Suppose that a weak (polynomial time) device needs to interact over a clear channel with a strong (infinitelypowerful) and untrustworthy adversarial device. Assuming the existence of oneway functions, during this interaction (game) the infinitelypowerful device can encrypt and (computationally) hi ..."
Abstract

Cited by 38 (14 self)
 Add to MetaCart
Suppose that a weak (polynomial time) device needs to interact over a clear channel with a strong (infinitelypowerful) and untrustworthy adversarial device. Assuming the existence of oneway functions, during this interaction (game) the infinitelypowerful device can encrypt and (computationally) hide information from the weak device. However, to keep the game fair, the weak player must hide information from the infinitelypowerful player in the informationtheoretic sense. Clearly, encryption in this case is useless, and other means must be used. In this paper, we show that under a general complexity assumption, this task is always possible to achieve. That is, we show that the weak player can play any polynomial length partialinformation game (or secure protocol) with the strong player using any oneway function; we achieve this by implementing oblivious transfer protocol in this model. We also establish related impossibility results concerning oblivious transfer. In the proof of ou...
The discrete logarithm modulo a composite hides O(n) bits
 JOURNAL OF COMPUTER AND SYSTEM SCIENCES
, 1993
"... In this paper we consider the oneway function fg�N(X) =g X (modN), where N is a Blum integer. We prove that under the commonly assumed intractability of factoring Blum integers, all its bits are individually hard, and the lower as well as upper halves of them are simultaneously hard. As a result, f ..."
Abstract

Cited by 28 (1 self)
 Add to MetaCart
In this paper we consider the oneway function fg�N(X) =g X (modN), where N is a Blum integer. We prove that under the commonly assumed intractability of factoring Blum integers, all its bits are individually hard, and the lower as well as upper halves of them are simultaneously hard. As a result, fg�N can be used in efficient pseudorandom bit generators and multibit commitment schemes, where messages can be drawn according to arbitrary probability distributions.
An efficient discrete log pseudo random generator
 Proc. of Crypto '98
, 1998
"... Abstract. The exponentiation function in a finite field of order p (a prime number) is believed to be a oneway function. It is well known that O(log log p) bits are simultaneously hard for this function. We consider a special case of this problem, the discrete logarithm with short exponents, which ..."
Abstract

Cited by 20 (1 self)
 Add to MetaCart
Abstract. The exponentiation function in a finite field of order p (a prime number) is believed to be a oneway function. It is well known that O(log log p) bits are simultaneously hard for this function. We consider a special case of this problem, the discrete logarithm with short exponents, which is also believed to be hard to compute. Under this intractibility assumption we show that discrete exponentiation modulo a prime p can hide n−ω(log n) bits(n=⌈log p ⌉ and p =2q+1, where q is also a prime). We prove simultaneous security by showing that any information about the n − ω(log n) bits can be used to discover the discrete log of g s mod p where s has ω(log n) bits. For all practical purposes, the size of s can be a constant c bits. This leads to a very efficient pseudorandom number generator which produces n − c bits per iteration. For example, when n = 1024 bits and c = 128 bits our pseudorandom number generator produces a little less than 900 bits per exponentiation. 1
Lower Bounds for Oblivious Transfer Reductions
, 1999
"... . We prove the first general and nontrivial lower bound for the number of times a 1outof n Oblivious Transfer of strings of length ` should be invoked so as to obtain, by an informationtheoretically secure reduction, a 1outofN Oblivious Transfer of strings of length L. Our bound is tight in ma ..."
Abstract

Cited by 19 (0 self)
 Add to MetaCart
. We prove the first general and nontrivial lower bound for the number of times a 1outof n Oblivious Transfer of strings of length ` should be invoked so as to obtain, by an informationtheoretically secure reduction, a 1outofN Oblivious Transfer of strings of length L. Our bound is tight in many significant cases. We also prove the first nontrivial lower bound for the number of random bits needed to implement such a reduction whenever the receiver sends no messages to the sender. This bound is also tight in many significant cases. 1 Introduction The Oblivious Transfer. The Oblivious Transfer (OT) is a fundamental primitive in secure protocol design, which has been defined in many different ways and contexts (e.g. [17], [10], [9]) and has found enormously many applications (e.g. [2], [17], [9], [13], [7], [16], [1], [14], [11]). The OT is a protocol typically involving two players, the sender and the receiver, and several parameters. In the most used form, the \Gamma N 1 \Del...
Invariant Signatures and NonInteractive ZeroKnowledge Proofs are Equivalent (Extended Abstract)
 ADVANCES IN CRYPTOLOGY — CRYPTO ’92
, 1992
"... The standard definition of digital signatures allows a document to have many valid signatures. In this paper, we consider a subclass of digital signatures, called invariant signatures, in which all legal signatures of a document must be identical according to some polynomialtime computable function ..."
Abstract

Cited by 18 (1 self)
 Add to MetaCart
The standard definition of digital signatures allows a document to have many valid signatures. In this paper, we consider a subclass of digital signatures, called invariant signatures, in which all legal signatures of a document must be identical according to some polynomialtime computable function (of a signature) which is hard to predict given an unsigned document. We formalize this notion and show its equivalence to noninteractive zeroknowledge proofs.
Subquadratic ZeroKnowledge
, 1995
"... We improve on the communication complexity of zeroknowledge proof systems. Let C be a boolean circuit of size n. Previous zeroknowledge proof systems for the satisfiability of C require the use of \Omega\Gamma kn) bit commitments in order to achieve a probability of undetected cheating below 2 \G ..."
Abstract

Cited by 13 (3 self)
 Add to MetaCart
We improve on the communication complexity of zeroknowledge proof systems. Let C be a boolean circuit of size n. Previous zeroknowledge proof systems for the satisfiability of C require the use of \Omega\Gamma kn) bit commitments in order to achieve a probability of undetected cheating below 2 \Gammak . In the case k = n, the communication complexity of these protocols is therefore\Omega\Gamma n 2 ) bit commitments. In this paper, we present a zeroknowledge proof system for achieving the same goal with only O(n 1+"n + k p n 1+"n ) bit commitments, where " n goes to zero as n goes to infinity. In the case k = n, this is O(n p n 1+"n ). Moreover, only O(k) commitments need ever be opened, which is interesting if it is substantially less expensive to commit to a bit than to open a commitment. A preliminary version of this paper appeared in the Proceedings of the 32nd Annual IEEE Symposium on Foundations of Computer Science, October 1991. y Supported in part by NSA Gr...
ZeroKnowledge from Secure Multiparty Computation
 SIAM JOURNAL ON COMPUTING (SICOMP) SPECIAL ISSUE DEVOTED TO STOC2007
, 2007
"... A zeroknowledge proof allows a prover to convince a verifier of an assertion without revealing any further information beyond the fact that the assertion is true. Secure multiparty computation allows n mutually suspicious players to jointly compute a function of their local inputs without revealing ..."
Abstract

Cited by 12 (1 self)
 Add to MetaCart
A zeroknowledge proof allows a prover to convince a verifier of an assertion without revealing any further information beyond the fact that the assertion is true. Secure multiparty computation allows n mutually suspicious players to jointly compute a function of their local inputs without revealing to any t corrupted players additional information beyond the output of the function. We present a new general connection between these two fundamental notions. Specifically, we present a general construction of a zeroknowledge proof for an NP relation R(x, w) which only makes a blackbox use of any secure protocol for a related multiparty functionality f. The latter protocol is only required to be secure against a small number of “honest but curious” players. We also present a variant of the basic construction that can leverage security against a large number of malicious players to obtain better efficiency. As an application, one can translate previous results on the efficiency of secure multiparty computation to the domain of zeroknowledge, improving over previous constructions of efficient zeroknowledge proofs. In particular, if verifying R on a witness of length m can be done by a circuit C of size s, and assuming oneway functions exist, we get the following types of zeroknowledge proof
Linear ZeroKnowledge  A Note on Efficient ZeroKnowledge Proofs and Arguments
, 1996
"... We present a zeroknowledge proof system [19] for any NP language L, which allows showing that x 2 L with error probability less than 2 using communication corresponding to O(jxj ) + k bit commitments, where c is a constant depending only on L. The proof can be based on any bit commitment s ..."
Abstract

Cited by 12 (3 self)
 Add to MetaCart
We present a zeroknowledge proof system [19] for any NP language L, which allows showing that x 2 L with error probability less than 2 using communication corresponding to O(jxj ) + k bit commitments, where c is a constant depending only on L. The proof can be based on any bit commitment scheme with a particular set of properties. We suggest an efficient implementation based on factoring. We also