Results 1  10
of
86
How to Go Beyond the BlackBox Simulation Barrier
 In 42nd FOCS
, 2001
"... The simulation paradigm is central to cryptography. A simulator is an algorithm that tries to simulate the interaction of the adversary with an honest party, without knowing the private input of this honest party. Almost all known simulators use the adversary’s algorithm as a blackbox. We present t ..."
Abstract

Cited by 221 (14 self)
 Add to MetaCart
The simulation paradigm is central to cryptography. A simulator is an algorithm that tries to simulate the interaction of the adversary with an honest party, without knowing the private input of this honest party. Almost all known simulators use the adversary’s algorithm as a blackbox. We present the first constructions of nonblackbox simulators. Using these new nonblackbox techniques we obtain several results that were previously proven to be impossible to obtain using blackbox simulators. Specifically, assuming the existence of collision resistent hash functions, we construct a new zeroknowledge argument system for NP that satisfies the following properties: 1. This system has a constant number of rounds with negligible soundness error. 2. It remains zero knowledge even when composed concurrently n times, where n is the security parameter. Simultaneously obtaining 1 and 2 has been recently proven to be impossible to achieve using blackbox simulators. 3. It is an ArthurMerlin (public coins) protocol. Simultaneously obtaining 1 and 3 was known to be impossible to achieve with a blackbox simulator. 4. It has a simulator that runs in strict polynomial time, rather than in expected polynomial time. All previously known constantround, negligibleerror zeroknowledge arguments utilized expected polynomialtime simulators.
On the Composition of ZeroKnowledge Proof Systems
 SIAM Journal on Computing
, 1990
"... : The wide applicability of zeroknowledge interactive proofs comes from the possibility of using these proofs as subroutines in cryptographic protocols. A basic question concerning this use is whether the (sequential and/or parallel) composition of zeroknowledge protocols is zeroknowledge too. We ..."
Abstract

Cited by 195 (14 self)
 Add to MetaCart
: The wide applicability of zeroknowledge interactive proofs comes from the possibility of using these proofs as subroutines in cryptographic protocols. A basic question concerning this use is whether the (sequential and/or parallel) composition of zeroknowledge protocols is zeroknowledge too. We demonstrate the limitations of the composition of zeroknowledge protocols by proving that the original definition of zeroknowledge is not closed under sequential composition; and that even the strong formulations of zeroknowledge (e.g. blackbox simulation) are not closed under parallel execution. We present lower bounds on the round complexity of zeroknowledge proofs, with significant implications to the parallelization of zeroknowledge protocols. We prove that 3round interactive proofs and constantround ArthurMerlin proofs that are blackbox simulation zeroknowledge exist only for languages in BPP. In particular, it follows that the "parallel versions" of the first interactive proo...
How to Construct ConstantRound ZeroKnowledge Proof Systems for NP
 Journal of Cryptology
, 1995
"... Constantround zeroknowledge proof systems for every language in NP are presented, assuming the existence of a collection of clawfree functions. In particular, it follows that such proof systems exist assuming the intractability of either the Discrete Logarithm Problem or the Factoring Problem for ..."
Abstract

Cited by 160 (8 self)
 Add to MetaCart
Constantround zeroknowledge proof systems for every language in NP are presented, assuming the existence of a collection of clawfree functions. In particular, it follows that such proof systems exist assuming the intractability of either the Discrete Logarithm Problem or the Factoring Problem for Blum Integers.
Universally Composable TwoParty and MultiParty Secure Computation
, 2002
"... We show how to securely realize any twoparty and multiparty functionality in a universally composable way, regardless of the number of corrupted participants. That is, we consider an asynchronous multiparty network with open communication and an adversary that can adaptively corrupt as many pa ..."
Abstract

Cited by 128 (32 self)
 Add to MetaCart
We show how to securely realize any twoparty and multiparty functionality in a universally composable way, regardless of the number of corrupted participants. That is, we consider an asynchronous multiparty network with open communication and an adversary that can adaptively corrupt as many parties as it wishes. In this setting, our protocols allow any subset of the parties (with pairs of parties being a special case) to securely realize any desired functionality of their local inputs, and be guaranteed that security is preserved regardless of the activity in the rest of the network. This implies that security is preserved under concurrent composition of an unbounded number of protocol executions, it implies nonmalleability with respect to arbitrary protocols, and more. Our constructions are in the common reference string model and rely on standard intractability assumptions.
Efficient Concurrent ZeroKnowledge in the Auxiliary String Model
, 2000
"... We show that if any oneway function exists, then 3round concurrent zeroknowledge arguments for all NP problems can be built in a model where a short auxiliary string with a prescribed distribution is available to the players. We also show that a wide range of known efficient proofs of knowledge ..."
Abstract

Cited by 109 (2 self)
 Add to MetaCart
We show that if any oneway function exists, then 3round concurrent zeroknowledge arguments for all NP problems can be built in a model where a short auxiliary string with a prescribed distribution is available to the players. We also show that a wide range of known efficient proofs of knowledge using specialized assumptions can be modified to work in this model with no essential loss of efficiency. We argue that the assumptions of the model will be satisfied in many practical scenarios where public key cryptography is used, in particular our construction works given any secure public key infrastructure. Finally, we point out that in a model with preprocessing (and no auxiliary string) proposed earlier, concurrent zeroknowledge for NP can be based on any oneway function.
Parallel CoinTossing and ConstantRound Secure TwoParty Computation
 Journal of Cryptology
, 2001
"... Abstract. In this paper we show that any twoparty functionality can be securely computed in a constant number of rounds, where security is obtained against malicious adversaries that may arbitrarily deviate from the protocol specification. This is in contrast to Yao’s constantround protocol that e ..."
Abstract

Cited by 77 (14 self)
 Add to MetaCart
Abstract. In this paper we show that any twoparty functionality can be securely computed in a constant number of rounds, where security is obtained against malicious adversaries that may arbitrarily deviate from the protocol specification. This is in contrast to Yao’s constantround protocol that ensures security only in the face of semihonest adversaries, and to its malicious adversary version that requires a polynomial number of rounds. In order to obtain our result, we present a constantround protocol for secure cointossing of polynomially many coins (in parallel). We then show how this protocol can be used in conjunction with other existing constructions in order to obtain a constantround protocol for securely computing any twoparty functionality. On the subject of cointossing, we also present a constantround perfect cointossing protocol, where by “perfect ” we mean that the resulting coins are guaranteed to be statistically close to uniform (and not just pseudorandom). 1
ConstantRound CoinTossing With a Man in the Middle or Realizing the Shared Random String Model
 In 43rd FOCS
, 2002
"... We construct the first constantround nonmalleable commitment scheme and the first constantround nonmalleable zeroknowledge argument system, as defined by Dolev, Dwork and Naor. Previous constructions either used a nonconstant number of rounds, or were only secure under stronger setup assumption ..."
Abstract

Cited by 70 (5 self)
 Add to MetaCart
We construct the first constantround nonmalleable commitment scheme and the first constantround nonmalleable zeroknowledge argument system, as defined by Dolev, Dwork and Naor. Previous constructions either used a nonconstant number of rounds, or were only secure under stronger setup assumptions. An example of such an assumption is the shared random string model where we assume all parties have access to a reference string that was chosen uniformly at random by a trusted dealer. We obtain these results by defining an adequate notion of nonmalleable cointossing, and presenting a constantround protocol that satisfies it. This protocol allows us to transform protocols that are nonmalleable in (a modified notion of) the shared random string model into protocols that are nonmalleable in the plain model (without any trusted dealer or setup assumptions). Observing that known constructions of a noninteractive nonmalleable zeroknowledge argument systems in the shared random string model are in fact nonmalleable in the modified model, and combining them with our cointossing protocol we obtain the results mentioned above. The techniques we use are different from those used in previous constructions of nonmalleable protocols. In particular our protocol uses diagonalization and a nonblackbox proof of security (in a sense similar to Barak’s zeroknowledge argument).
Robust Efficient Distributed RSAKey Generation
"... We solve a central open problem in distributed cryptography, that of robust efficient distributed generation of RSA keys. An efficient protocol is one which is independent of the primality test "circuit size", while a robust protocol allows correct completion even in the presence of a minority of ar ..."
Abstract

Cited by 55 (4 self)
 Add to MetaCart
We solve a central open problem in distributed cryptography, that of robust efficient distributed generation of RSA keys. An efficient protocol is one which is independent of the primality test "circuit size", while a robust protocol allows correct completion even in the presence of a minority of arbitrarily misbehaving malicious parties. Our protocol is shown to be secure against any minority of malicious parties (which is optimal). The above problem was mentioned in various works in the last decade and most recently by Boneh and Franklin [BF97]. The solution is a crucial step in establishing sensitive distributed cryptographic function sharing services (certification authorities, signature schemes with distributed trust, and key escrow authorities) , as well as other applications besides RSA (namely: composite ElGamal, identification schemes, simultaneous bit exchange, etc.). Of special interest is the fact that the solution can be combined with recent proactive function sharing tec...
On Deniability in the Common Reference String and Random Oracle Model
 In proceedings of CRYPTO ’03, LNCS series
, 2003
"... Abstract. We revisit the definitions of zeroknowledge in the Common Reference String (CRS) model and the Random Oracle (RO) model. We argue that even though these definitions syntactically mimic the standard zeroknowledge definition, they loose some of its spirit. In particular, we show that there ..."
Abstract

Cited by 54 (5 self)
 Add to MetaCart
Abstract. We revisit the definitions of zeroknowledge in the Common Reference String (CRS) model and the Random Oracle (RO) model. We argue that even though these definitions syntactically mimic the standard zeroknowledge definition, they loose some of its spirit. In particular, we show that there exist a specific natural security property that is not captured by these definitions. This is the property of deniability. We formally define the notion of deniable zeroknowledge in these models and investigate the possibility of achieving it. Our results are different for the two models: – Concerning the CRS model, we rule out the possibility of achieving deniable zeroknowledge protocols in “natural ” settings where such protocols cannot already be achieved in plain model. – In the RO model, on the other hand, we construct an efficient 2round deniable zeroknowledge argument of knowledge, that preserves both the zeroknowledge property and the proof of knowledge property under concurrent executions (concurrent zeroknowledge and concurrent proofof knowledge). 1