Uniform Generation of NP-witnesses using an NP-oracle
Information and Computation, 1997
Cited by 29 (1 self)
Abstract:
A Uniform Generation procedure for NP is an algorithm which, given any input in a fixed NP-language, outputs a uniformly distributed NP-witness for membership of the input in the language. We present a Uniform Generation procedure for NP that runs in probabilistic polynomial-time with an NP-oracle. This improves upon results of Jerrum, Valiant and Vazirani, which either require a Σ^P_2-oracle or obtain only almost uniform generation. Our procedure utilizes ideas originating in the works of Sipser, Stockmeyer, and Jerrum, Valiant and Vazirani.

Dept. of Computer Science & Engineering, University of California at San Diego, 9500 Gilman Drive, La Jolla, California 92093, USA. E-Mail: mihir@cs.ucsd.edu. URL: http://wwwcse.ucsd.edu/users/mihir. Supported in part by NSF CAREER Award CCR-9624439 and a 1996 Packard Foundation Fellowship in Science and Engineering. Department of Computer Science and Applied Mathematics, Weizmann Institute of Science, Rehovot, Israel. E-Mail: oded@wis...
Efficient Arguments without Short PCPs
Cited by 20 (2 self)
Abstract:
Current constructions of efficient argument systems combine a short (polynomial size) PCP with a cryptographic hashing technique. We suggest an alternative approach for this problem that makes it possible to simplify the underlying PCP machinery using a stronger cryptographic technique. More concretely, we present a direct method for compiling an exponentially long PCP which is succinctly described by a linear oracle function π: F^n → F into an argument system in which the verifier sends to the prover O(n) encrypted field elements and receives O(1) encryptions in return. This compiler can be based on an arbitrary homomorphic encryption scheme. Applying our general compiler to the exponential size Hadamard code based PCP of Arora et al. (JACM 1998) yields a simple argument system for NP in which the communication from the prover to the verifier only includes a constant number of short encryptions. The main tool we use is a new cryptographic primitive which makes it possible to efficiently commit to a linear function and later open the output of the function on an arbitrary vector. Our efficient implementation of this primitive is independently motivated by cryptographic applications.
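The object this compiler takes as input, a Hadamard-code based linear PCP for a system of quadratic equations together with an O(1)-query verifier over a linear oracle π: F^n → F, is concrete enough to run. The following is an added illustration, not code from the paper or from this page; the prime field, the three-constraint instance and the exact query pattern are assumptions chosen for the example, and the homomorphic-encryption layer of the compiler is not modelled (the verifier simply calls the oracle). The same linear-PCP object is also the starting point of the preprocessing SNARG/zk-SNARK entries further down this page.

```python
"""Toy Hadamard-code based linear PCP for quadratic equations over a prime field,
with the O(1)-query verifier. Added example; not the paper's code. Field size,
instance and query pattern are assumptions for illustration."""
import random

P = 2**31 - 1          # prime field F_P; assumed large enough that 1/P is negligible
N = 3                  # witness length n; the oracle is a function on F^(n + n^2)


def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % P


def tensor(u, v):
    """Flattened outer product u (x) v, entry (i, k) stored at index i*len(v) + k."""
    return [x * y % P for x in u for y in v]


def honest_oracle(w):
    """pi(x || y) = <w, x> + <w (x) w, y>: the Hadamard encodings of w and of w (x) w."""
    ww = tensor(w, w)
    return lambda q: (dot(w, q[:N]) + dot(ww, q[N:])) % P


def inconsistent_oracle(w, w2):
    """Cheater: linear part encodes w, tensor part encodes w2 (x) w2 instead of w (x) w."""
    ww = tensor(w2, w2)
    return lambda q: (dot(w, q[:N]) + dot(ww, q[N:])) % P


# Constructed instance: w1*w2 = w3, w3 = 6, w1 + w2 = 5 (a solution is w = (2, 3, 6)).
# Constraint j is (A_j, B_j, c_j) and means  <A_j, w (x) w> + <B_j, w> + c_j = 0.
def _unit(i, k):
    a = [0] * (N * N)
    a[i * N + k] = 1
    return a

CONSTRAINTS = [
    (_unit(0, 1), [0, 0, -1], 0),       # w1*w2 - w3 = 0
    ([0] * (N * N), [0, 0, 1], -6),     # w3 - 6 = 0
    ([0] * (N * N), [1, 1, 0], -5),     # w1 + w2 - 5 = 0
]


def verify(pi, constraints, rng, reps=20):
    """Each repetition costs six oracle queries; accept only if every test passes every time."""
    m = N + N * N
    zero_w, zero_t = [0] * N, [0] * (N * N)
    for _ in range(reps):
        # 1. Linearity test: an oracle that is not (close to) linear is caught here.
        q1 = [rng.randrange(P) for _ in range(m)]
        q2 = [rng.randrange(P) for _ in range(m)]
        if (pi(q1) + pi(q2)) % P != pi([(a + b) % P for a, b in zip(q1, q2)]):
            return False
        # 2. Tensor consistency: <w,r> * <w,s> must equal <w (x) w, r (x) s>.
        r = [rng.randrange(P) for _ in range(N)]
        s = [rng.randrange(P) for _ in range(N)]
        if pi(r + zero_t) * pi(s + zero_t) % P != pi(zero_w + tensor(r, s)):
            return False
        # 3. Satisfiability: a random linear combination of all constraints is
        #    checked with ONE query, because queries are linear in the oracle.
        #    If any residual is non-zero the combination vanishes with prob. 1/P.
        alpha = [rng.randrange(P) for _ in constraints]
        A, B, c = [0] * (N * N), [0] * N, 0
        for a_j, (Aj, Bj, cj) in zip(alpha, constraints):
            A = [(x + a_j * y) % P for x, y in zip(A, Aj)]
            B = [(x + a_j * y) % P for x, y in zip(B, Bj)]
            c = (c + a_j * cj) % P
        if (pi(B + A) + c) % P != 0:
            return False
    return True


def demo():
    """Honest prover is accepted; a wrong witness and an inconsistent tensor are rejected."""
    return {
        "honest": verify(honest_oracle([2, 3, 6]), CONSTRAINTS, random.Random(1)),
        "wrong_witness": verify(honest_oracle([2, 4, 6]), CONSTRAINTS, random.Random(2)),
        # (1,4,6) satisfies both linear constraints, and the fake tensor part
        # (2,3,0) (x) (2,3,0) makes w1*w2 look like 6, so tests 1 and 3 pass:
        # only the consistency test rejects this oracle.
        "inconsistent": verify(inconsistent_oracle([1, 4, 6], [2, 3, 0]),
                               CONSTRAINTS, random.Random(3)),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints `{'honest': True, 'wrong_witness': False, 'inconsistent': False}`. The point worth noticing is that each of the three tests closes a different cheating strategy: without the consistency test the prover can answer the quadratic constraint from an unrelated vector, and without the linearity test nothing ties the answers to any single vector at all. In the compiled argument the verifier sends these query vectors encrypted, which is what turns the exponential-size proof string into O(n) field elements of communication.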
Zero-Knowledge from Secure Multiparty Computation
SIAM Journal on Computing (SICOMP), special issue devoted to STOC 2007, 2007
Cited by 13 (1 self)
Abstract:
A zero-knowledge proof allows a prover to convince a verifier of an assertion without revealing any further information beyond the fact that the assertion is true. Secure multiparty computation allows n mutually suspicious players to jointly compute a function of their local inputs without revealing to any t corrupted players additional information beyond the output of the function. We present a new general connection between these two fundamental notions. Specifically, we present a general construction of a zero-knowledge proof for an NP relation R(x, w) which only makes a black-box use of any secure protocol for a related multiparty functionality f. The latter protocol is only required to be secure against a small number of “honest but curious” players. We also present a variant of the basic construction that can leverage security against a large number of malicious players to obtain better efficiency. As an application, one can translate previous results on the efficiency of secure multiparty computation to the domain of zero-knowledge, improving over previous constructions of efficient zero-knowledge proofs. In particular, if verifying R on a witness of length m can be done by a circuit C of size s, and assuming one-way functions exist, we get the following types of zero-knowledge proof
Succinct non-interactive arguments via linear . . .
2012
Cited by 8 (1 self)
Abstract:
Succinct non-interactive arguments (SNARGs) enable verifying NP statements with lower complexity than required for classical NP verification. Traditionally, the focus has been on minimizing the length of such arguments; nowadays researchers have focused also on minimizing verification time, by drawing motivation from the problem of delegating computation. A common relaxation is a preprocessing SNARG, which allows the verifier to conduct an expensive offline phase that is independent of the statement to be proven later. Recent constructions of preprocessing SNARGs have achieved attractive features: they are publicly-verifiable, proofs consist of only O(1) encrypted (or encoded) field elements, and verification is via arithmetic circuits of size linear in the NP statement. Additionally, these constructions seem to have “escaped the hegemony” of probabilistically-checkable proofs (PCPs) as a basic building block of succinct arguments. We present
Polylogarithmic two-round Argument Systems
Cited by 7 (0 self)
Abstract:
We present a two-round argument system for NP languages with polylogarithmic communication complexity. We introduce a novel property of private information retrieval (PIR) schemes, that we call database-awareness. We construct a concrete database-aware PIR scheme and build our argument system by combining a database-aware PIR scheme with a probabilistically checkable proof system (PCP). Dwork et al. (2004) pointed out difficulties in proving the soundness of such constructions for arbitrary PIR schemes. We show that the restriction to database-aware PIR schemes is sufficient to overcome these difficulties.
Interactive PCP
In Proceedings of the 35th International Colloquium on Automata, Languages and Programming, ICALP ’08, 2008
Cited by 6 (2 self)
Abstract:
A central line of research in the area of PCPs is devoted to constructing short PCPs. In this paper, we show that if we allow an additional interactive verification phase, with very low communication complexity, then for some NP languages, one can construct PCPs that are significantly shorter than the known PCPs (without the additional interactive phase) for these languages. We give many cryptographic applications and motivations for our results and for the study of the new model in general. More specifically, we study a new model of proofs: interactive-PCP. Roughly speaking, an interactive-PCP (say, for the membership x ∈ L) is a proof-string that can be verified by reading only one of its bits, with the help of an interactive-proof with very small communication complexity. We show that for membership in some NP languages L, there are interactive-PCPs that are significantly shorter than the known (non-interactive) PCPs for these languages. Our main result is that for any constant depth Boolean formula Φ(z1,...,zk) of size n (over the gates ∧, ∨, ⊕, ¬), a prover, Alice, can publish a proof-string for the satisfiability of Φ, where the size of the proof-string is poly(k). Later on, any user who wishes to verify the published
On round-efficient argument systems
 In Proc. 32nd ICALP (Track
Cited by 4 (2 self)
Abstract:
We consider the problem of constructing round-efficient public-coin argument systems, that is, interactive proof systems that are only computationally sound with a constant number of rounds. We focus on argument systems for NTime(T(n)) where either the communication complexity or the verifier’s running time is sub-polynomial in T(n), such as Kilian’s argument system for NP [Kil92] and universal arguments [BG02, Mic00]. We begin with the observation that under standard complexity assumptions, such argument systems require at least 2 rounds. Next, we relate the existence of non-trivial 2-round argument systems to that of hard-on-average search problems in NP and that of efficient public-coin zero-knowledge arguments for NP. Finally, we show that the Fiat-Shamir paradigm [FS86] and Babai-Moran round reduction [BM88] fail to preserve computational soundness for some 3-round and 4-round argument systems.
SNARKs for C: Verifying program executions succinctly and in zero knowledge
 In Proceedings of CRYPTO 2013, LNCS
Cited by 4 (1 self)
Abstract:
An argument system for NP is a proof system that allows efficient verification of NP statements, given proofs produced by an untrusted yet computationally-bounded prover. Such a system is non-interactive and publicly-verifiable if, after a trusted party publishes a proving key and a verification key, anyone can use the proving key to generate non-interactive proofs for adaptively-chosen NP statements, and proofs can be verified by anyone by using the verification key. We present an implementation of a publicly-verifiable non-interactive argument system for NP. The system, moreover, is a zero-knowledge proof-of-knowledge. It directly proves correct executions of programs on TinyRAM, a random-access machine tailored for efficient verification of nondeterministic computations. Given a program P and time bound T, the system allows for proving correct execution of P, on any input x, for up to T steps, after a one-time setup requiring Õ(|P| · T) cryptographic operations. An honest prover requires Õ(|P| · T) cryptographic operations to generate such a proof, while proof verification can be performed with only O(|x|) cryptographic operations. This system can be used to prove the correct execution of C programs, using our TinyRAM port of the GCC compiler. This yields a zero-knowledge Succinct Non-interactive ARgument of Knowledge (zk-SNARK) for
Polylogarithmic-round interactive proofs for coNP collapse the exponential hierarchy
2004
Cited by 3 (0 self)
Abstract:
It is known [BHZ87] that if every language in coNP has a constant-round interactive proof system, then the polynomial hierarchy collapses. On the other hand, Lund et al. [LFKN92] have shown that #SAT, the #P-complete function that outputs the number of satisfying assignments of a Boolean formula, can be computed by a linear-round interactive protocol. As a consequence, the coNP-complete set \overline{SAT} has a proof system with linear rounds of interaction. We show that if every set in coNP has a polylogarithmic-round interactive protocol then the exponential hierarchy collapses to the third level. In order to prove this, we obtain an exponential version of Yap’s result [Yap83], and improve upon an exponential version of the Karp-Lipton theorem [KL80], obtained first by Buhrman and Homer [BH92].
Finding Pessiland
2006
Cited by 2 (0 self)
Abstract:
We explore the minimal assumptions that are necessary for non-trivial argument systems, such as Kilian’s argument system for NP with polylogarithmic communication complexity [K92]. We exhibit an oracle relative to which there is a 2-round argument system with polylogarithmic communication complexity for some language in NP, but no one-way functions. The language lies outside BPTime(2^{o(n)}), so the relaxation to computational soundness is essential for achieving sublinear communication complexity. We obtain as a corollary that under black-box reductions, non-trivial argument systems do not imply one-way functions.