Results 1 - 7 of 7
The (True) Complexity of Statistical Zero Knowledge (Extended Abstract)
Proceedings of the 22nd Annual ACM Symposium on the Theory of Computing, ACM, 1990
Cited by 42 (17 self)
Mihir Bellare, Silvio Micali, Rafail Ostrovsky. MIT Laboratory for Computer Science, 545 Technology Square, Cambridge, MA 02139. Abstract: Statistical zero-knowledge is a very strong privacy constraint which is not dependent on computational limitations. In this paper we show that given a complexity assumption a much weaker condition suffices to attain statistical zero-knowledge. As a result we are able to simplify statistical zero-knowledge and to better characterize, on many counts, the class of languages that possess statistical zero-knowledge proofs. 1 Introduction: An interactive proof involves two parties, a prover and a verifier, who talk back and forth. The prover, who is computationally unbounded, tries to convince the probabilistic polynomial time verifier that a given theorem is true. A zero-knowledge proof is an interactive proof with an additional privacy constraint: the verifier does not learn why the theorem is true [11]. That is, whatever the polynomial-time verif...
Perfect Zero-Knowledge Arguments for NP Can Be Based on General Complexity Assumptions (Extended Abstract)
Journal of Cryptology, 1998
Cited by 41 (11 self)
"Zero-knowledge arguments" is a fundamental cryptographic primitive which allows one polynomial-time player to convince another polynomial-time player of the validity of an NP statement, without revealing any additional information in the information-theoretic sense. Despite their practical and theoretical importance, it was only known how to implement zero-knowledge arguments based on specific algebraic assumptions; basing them on a general complexity assumption was open since their introduction in 1986 [BCC, BC, CH]. In this paper, we finally show a general construction, which can be based on any one-way permutation. We stress that our scheme is efficient: both players can execute only polynomial-time programs during the protocol. Moreover, the security achieved is online: in order to cheat and validate a false theorem, the prover must break a cryptographic assumption online during the conversation, while the verifier cannot find (ever!) any information unconditionally (in the i...
Does Parallel Repetition Lower the Error in Computationally Sound Protocols
In Proceedings of 38th Annual Symposium on Foundations of Computer Science, IEEE, 1997
Cited by 36 (5 self)
Whether or not parallel repetition lowers the error has been a fundamental question in the theory of protocols, with applications in many different areas. It is well known that parallel repetition reduces the error at an exponential rate in interactive proofs and Arthur-Merlin games. It seems to have been taken for granted that the same is true in arguments, or other proofs where the soundness only holds with respect to computationally bounded parties. We show that this is not the case. Surprisingly, parallel repetition can actually fail in this setting. We present four-round protocols whose error does not decrease under parallel repetition. This holds for any (polynomial) number of repetitions. These protocols exploit non-malleable encryption and can be based on any trapdoor permutation. On the other hand we show that for three-round protocols the error does go down exponentially fast. The question of parallel error reduction is particularly important when the protocol is used in cryptographic settings like identification, and the error represents the probability that an intruder succeeds.
Round-Optimal Zero-Knowledge Arguments Based on any One-Way Function
1997
Cited by 31 (3 self)
We fill a gap in the theory of zero-knowledge protocols by presenting NP-arguments that achieve negligible error probability and computational zero-knowledge in four rounds of interaction, assuming only the existence of a one-way function. This result is optimal in the sense that four rounds and a one-way function are each individually necessary to achieve a negligible error zero-knowledge argument for NP. Department of Computer Science & Engineering, Mail Code 0114, University of California at San Diego, 9500 Gilman Drive, La Jolla, CA 92093, USA. Email: mihir@cs.ucsd.edu. Supported in part by NSF CAREER Award CCR9624439 and a Packard Foundation Fellowship in Science and Engineering. Department of Computer Science & Engineering, Mail Code 0114, University of California at San Diego, 9500 Gilman Drive, La Jolla, CA 92093, USA. Email: markus@cs.ucsd.edu. CertCo, New York, NY, USA. Email: moti@certco.com. Contents: 1 Introduction; 1.1 The big picture ...
Secure Commitment Against A Powerful Adversary: A security primitive based on average intractability (Extended Abstract)
1992
Cited by 13 (5 self)
Secure commitment is a primitive enabling information hiding, which is one of the most basic tools in cryptography. Specifically, it is a two-party partial-information game between a "committer" and a "receiver", in which a secure envelope is first implemented and later opened. The committer has a bit in mind which he commits to by putting it in a "secure envelope". The receiver cannot guess what the value is until the opening stage and the committer cannot change his mind once committed. In this paper, we investigate the feasibility of bit commitment when one of the participants (either committer or receiver) has an unfair computational advantage. That is, we consider commitment to a strong receiver with a To appear in Symposium on Theoretical Aspects of Computer Science (STACS) 92, February 13-15, Paris, France. MIT Laboratory for Computer Science, 545 Technology Square, Cambridge MA 02139, USA. Supported by IBM Graduate Fellowship. Part of this work done while at IBM T.J. W...
Basing Cryptographic Protocols on Tamper-Evident Seals
In Proceedings of the 32nd International Colloquium on Automata, Languages and Programming, 2005
Cited by 11 (5 self)
In this paper we attempt to formally study two very intuitive physical models: sealed envelopes and locked boxes, often used as illustrations for common cryptographic operations. We relax the security properties usually required from locked boxes (such as in bit-commitment protocols) and require only that a broken lock or torn envelope be identifiable to the original sender. Unlike the completely impregnable locked box, this functionality may be achievable in real life, where containers having this property are called “tamper-evident seals”. Another physical object with this property is the “scratch-off card”, often used in lottery tickets. We consider three variations of tamper-evident seals, and show that under some conditions they can be used to implement oblivious transfer, bit-commitment and coin flipping. We also show a separation between the three models. One of our results is a strongly-fair coin flipping protocol with bias bounded by O(1/r) (where r is the number of rounds); this was a stepping stone towards achieving such a protocol in the standard model (in subsequent work).
Micro-Payments via Efficient Coin-Flipping (Extended Abstract)
We present an authenticated coin-flipping protocol and its proof of security. We demonstrate the applicability of our scheme for online randomized micropayment protocols. We also review some essential aspects of other micropayment proposals (including SET, PayWord and MicroMint, PayTree, NetCheque, NetCash, Agora, NetCard, CAFE, Pedersen's proposal, micro-iKP, Millicent, proposal of Jarecki-Odlyzko, proposal of Yacobi, SVP, DigiCash, Rivest's "Lottery tickets as MicroCash" and Wheeler's proposal) and compare it with our scheme.