Results 1-6 of 6
A Complete Promise Problem for Statistical Zero-Knowledge
In Proceedings of the 38th Annual Symposium on the Foundations of Computer Science, 1997
Cited by 38 (1 self)
We present a complete promise problem for SZK, the class of languages possessing statistical zero-knowledge proofs (against an honest verifier). The problem is to decide whether two efficiently samplable distributions are either statistically close or far apart. This characterizes SZK with no reference to interaction or zero-knowledge. From this theorem and its proof, we are able to establish several other results about SZK, knowledge complexity, and efficiently samplable distributions. 1 Introduction A revolution in theoretical computer science occurred when it was discovered that NP has complete problems [11, 24, 23]. Most often, this theorem and other completeness results are viewed as negative statements, as they provide evidence of a problem's intractability. These same results, viewed as positive statements, enable one to study an entire class of problems by focusing on a single problem. For example, all languages in NP were shown to have computational zero-knowledge proofs wh...
Comparing Entropies in Statistical Zero Knowledge with Applications to the Structure of SZK
In Proceedings of the Fourteenth Annual IEEE Conference on Computational Complexity, 1998
Cited by 31 (11 self)
We consider the following (promise) problem, denoted ED (for Entropy Difference): The input is a pair of circuits, and yes instances (resp., no instances) are such pairs in which the first (resp., second) circuit generates a distribution with noticeably higher entropy. On one hand we show that any language having a (honest-verifier) statistical zero-knowledge proof is Karp-reducible to ED. On the other hand, we present a public-coin (honest-verifier) statistical zero-knowledge proof for ED. Thus, we obtain an alternative proof of Okamoto's result by which HVSZK (i.e., Honest-Verifier Statistical Zero-Knowledge) equals public-coin HVSZK. The new proof is much simpler than the original one. The above also yields a trivial proof that HVSZK is closed under complementation (since ED easily reduces to its complement). Among the new results obtained is an equivalence of a weak notion of statistical zero-knowledge to the standard one. Keywords: Complexity and Cryptography, Universa...
Constant-Round Oblivious Transfer in the Bounded Storage Model
2004
Cited by 31 (5 self)
We present a constant round protocol for Oblivious Transfer in Maurer's bounded storage model. In this model, a long random string R is initially transmitted and each of the parties interacts based on a small portion of R. Even though the portions stored by the honest parties are small, security is guaranteed against any malicious party that remembers almost all of the string R.
A New Sampling Protocol and Applications to Basing Cryptographic Primitives on the Hardness of NP
2009
Cited by 5 (2 self)
We investigate the question of what languages can be decided efficiently with the help of a recursive collision-finding oracle. Such an oracle can be used to break collision-resistant hash functions or, more generally, statistically hiding commitments. The oracle we consider, Sam_d where d is the recursion depth, is based on the identically-named oracle defined in the work of Haitner et al. (FOCS ’07). Our main result is a constant-round public-coin protocol “AM-Sam” that allows an efficient verifier to emulate a Sam_d oracle for any constant depth d = O(1) with the help of a BPP^NP prover. AM-Sam allows us to conclude that if L is decidable by a k-adaptive randomized oracle algorithm with access to a Sam_{O(1)} oracle, then L ∈ AM[k] ∩ coAM[k]. The above yields the following corollary: assume there exists an O(1)-adaptive reduction that bases constant-round statistically hiding commitment on NP-hardness, then NP ⊆ coAM and the polynomial hierarchy collapses. The same result holds for any primitive that can be broken by Sam_{O(1)} including collision-resistant hash functions and O(1)-round oblivious transfer where security holds statistically for one of the parties. We also obtain nontrivial (though weaker) consequences for k-adaptive reductions for any k = poly(n). Prior to our work, most results in
Commitments and Efficient Zero-Knowledge Proofs from Learning Parity with Noise
Cited by 1 (0 self)
Abstract. We construct a perfectly binding string commitment scheme whose security is based on the learning parity with noise (LPN) assumption, or equivalently, the hardness of decoding random linear codes. Our scheme not only allows for a simple and efficient zero-knowledge proof of knowledge for committed values (essentially a Σ-protocol), but also for such proofs showing any kind of relation amongst committed values, i.e., proving that messages m_0, ..., m_u are such that m_0 = C(m_1, ..., m_u) for any circuit C. To get soundness which is exponentially small in a security parameter t, and when the zero-knowledge property relies on the LPN problem with secrets of length ℓ, our 3-round protocol has communication complexity O(tCℓ log(ℓ)) and computational complexity of O(tCℓ) bit operations. The hidden constants are small, and the computation consists mostly of computing inner products of bit-vectors.
Studies in the Efficiency and (versus) Security of Cryptographic Tasks
In this thesis, we deal with the following questions: (1) How efficient a cryptographic algorithm can be while achieving a desired level of security? (2) Since mathematical conjectures like P ≠ NP are necessary for the possibility of secure cryptographic primitives in the standard models of computation: (a) Can we base cryptography solely based on the widely believed assumption of P ≠ NP, or do we need stronger assumptions? (b) Which alternative nonstandard models offer us provable security unconditionally, while being implementable in real life? First we study the question of security vs. efficiency in public-key cryptography and prove tight bounds on the efficiency of black-box constructions of key-agreement and (public-key) digital signatures that achieve a desired level of security using “random-like” functions. Namely, we prove that any key-agreement protocol in the random oracle model where the parties ask at most n oracle queries can be broken by an adversary who asks at most O(n^2) oracle queries and finds the key with high probability. This improves upon the previous Õ(n^6)-query attack of Impagliazzo and Rudich [98] and proves that a simple key-agreement protocol due to Merkle [118] is optimal. We also prove that any signature scheme in the