Results 1 - 7 of 7
Efficient noninteractive proof systems for bilinear groups
In EUROCRYPT 2008, volume 4965 of LNCS, 2008
Cited by 70 (5 self)
Noninteractive zero-knowledge proofs and noninteractive witness-indistinguishable proofs have played a significant role in the theory of cryptography. However, lack of efficiency has prevented them from being used in practice. One of the roots of this inefficiency is that noninteractive zero-knowledge proofs have been constructed for general NP-complete languages such as Circuit Satisfiability, causing an expensive blowup in the size of the statement when reducing it to a circuit. The contribution of this paper is a general methodology for constructing very simple and efficient noninteractive zero-knowledge proofs and noninteractive witness-indistinguishable proofs that work directly for groups with a bilinear map, without needing a reduction to Circuit Satisfiability. Groups with bilinear maps have enjoyed tremendous success in the field of cryptography in recent years and have been used to construct a plethora of protocols. This paper provides noninteractive witness-indistinguishable proofs and noninteractive zero-knowledge proofs that can be used in connection with these protocols. Our goal is to spread the use of noninteractive cryptographic proofs from mainly theoretical purposes to the large class of practical cryptographic protocols based on bilinear groups.
Perfect noninteractive zero knowledge for NP
Proceedings of Eurocrypt 2006, volume 4004 of LNCS, 2006
Cited by 39 (3 self)
Abstract. Noninteractive zero-knowledge (NIZK) proof systems are fundamental cryptographic primitives used in many constructions, including CCA2-secure cryptosystems, digital signatures, and various cryptographic protocols. What makes them especially attractive, is that they work equally well in a concurrent setting, which is notoriously hard for interactive zero-knowledge protocols. However, while for interactive zero-knowledge we know how to construct statistical zero-knowledge argument systems for all NP languages, for noninteractive zero-knowledge, this problem remained open since the inception of NIZK in the late 1980's. Here we resolve two problems regarding NIZK: We construct the first perfect NIZK argument system for any NP
Derandomization in cryptography
 SIAM J. Computing
Cited by 15 (5 self)
Abstract. We give two applications of Nisan–Wigderson-type (“non-cryptographic”) pseudorandom generators in cryptography. Specifically, assuming the existence of an appropriate NW-type generator, we construct: 1. A one-message witness-indistinguishable proof system for every language in NP, based on any trapdoor permutation. This proof system does not assume a shared random string or any setup assumption, so it is actually an “NP proof system.” 2. A noninteractive bit commitment scheme based on any one-way function. The specific NW-type generator we need is a hitting set generator fooling nondeterministic circuits. It is known how to construct such a generator if E = DTIME(2^{O(n)}) has a function of nondeterministic circuit complexity 2^{Ω(n)} (Miltersen and Vinodchandran, FOCS ’99). Our witness-indistinguishable proofs are obtained by using the NW-type generator to derandomize the ZAPs of Dwork and Naor (FOCS ’00). To our knowledge, this is the first construction of an NP proof system achieving a secrecy property. Our commitment scheme is obtained by derandomizing the interactive commitment scheme of Naor (J. Cryptology, 1991). Previous constructions of noninteractive commitment schemes were only known under incomparable assumptions.
Amplifying Collision Resistance: A Complexity-Theoretic Treatment
 Advances in Cryptology — Crypto 2007, Volume 4622 of Lecture
Cited by 9 (1 self)
Abstract. We initiate a complexity-theoretic treatment of hardness amplification for collision-resistant hash functions, namely the transformation of weakly collision-resistant hash functions into strongly collision-resistant ones in the standard model of computation. We measure the level of collision resistance by the maximum probability, over the choice of the key, for which an efficient adversary can find a collision. The goal is to obtain constructions with short output, short keys, small loss in adversarial complexity tolerated, and a good tradeoff between compression ratio and computational complexity. We provide an analysis of several simple constructions, and show that many of the parameters achieved by our constructions are almost optimal in some sense.
Minimizing Noninteractive Zero-Knowledge Proofs Using Fully Homomorphic Encryption
2011
Cited by 2 (0 self)
A noninteractive zero-knowledge proof can be used to demonstrate the truth of a statement without revealing anything else. It has been shown under standard cryptographic assumptions that noninteractive zero-knowledge proofs of membership exist for all languages in NP. However, known noninteractive zero-knowledge proofs of membership of NP-languages yield proofs that are larger than the corresponding membership witnesses. We investigate the question of minimizing the communication overhead involved in making noninteractive zero-knowledge proofs and show that if fully homomorphic encryption exists then it is possible to minimize the size of noninteractive zero-knowledge proofs and get proofs that are of the same size as the witnesses. Our technique is applicable to many types of noninteractive zero-knowledge proofs. We apply it to both standard noninteractive zero-knowledge proofs and to universally composable noninteractive zero-knowledge proofs. The technique can also be applied outside the realm of noninteractive zero-knowledge proofs, for instance to get witness-size interactive zero-knowledge proofs in the plain model without any setup. Keywords: Noninteractive zero-knowledge proofs, fully homomorphic encryption.
Short Noninteractive Zero-Knowledge Proofs
2010
Cited by 1 (1 self)
Abstract. We show that probabilistically checkable proofs can be used to shorten noninteractive zero-knowledge proofs. We obtain publicly verifiable noninteractive zero-knowledge proofs for circuit satisfiability with adaptive and unconditional soundness where the size grows quasilinearly in the number of gates. The zero-knowledge property relies on the existence of trapdoor permutations, or it can be based on a specific number theoretic assumption related to factoring to get better efficiency. As an example of the latter, we suggest a noninteractive zero-knowledge proof for circuit satisfiability based on the Naccache-Stern cryptosystem consisting of a quasilinear number of bits. This yields the shortest known noninteractive zero-knowledge proof for circuit satisfiability. Keywords: Noninteractive zero-knowledge proofs, adaptive soundness, probabilistically checkable proofs, Naccache-Stern encryption.
Lower Bounds For Noninteractive Zero-knowledge
2007
We establish new lower bounds and impossibility results for noninteractive zero-knowledge proofs and arguments with setup assumptions. – For the common random string model, we exhibit a lower bound for the tradeoff between hardness assumptions and the length of the random string for noninteractive zero-knowledge proofs. This generalizes a previous result ruling out noninteractive zero-knowledge proofs for nontrivial languages with a random string of length O(log n). – In the registered public key model, we show that there does not exist a noninteractive zero-knowledge proof for a nontrivial language. – In the bare public key model with fully nonuniform simulation wherein the size of the simulator is also allowed to depend on the size of the distinguisher and the distinguishing gap, there does not exist a noninteractive zero-knowledge proof for an NP-complete language, unless the polynomial hierarchy collapses. On the other hand, there is a noninteractive zero-knowledge argument for all of NP with a fully nonuniform simulator. Our negative results complement upper bounds and feasibility results from previous work.