Results 1-10 of 29
Noninteractive Zero-Knowledge
SIAM J. COMPUTING, 1991
Cited by 199 (20 self)
This paper investigates the possibility of disposing of interaction between prover and verifier in a zero-knowledge proof if they share beforehand a short random string. Without any assumption, it is proven that noninteractive zero-knowledge proofs exist for some number-theoretic languages for which no efficient algorithm is known. If deciding quadratic residuosity (modulo composite integers whose factorization is not known) is computationally hard, it is shown that the NP-complete language of satisfiability also possesses noninteractive zero-knowledge proofs.
Perfect noninteractive zero knowledge for NP
Proceedings of Eurocrypt 2006, volume 4004 of LNCS, 2006
Cited by 41 (3 self)
Abstract. Noninteractive zero-knowledge (NIZK) proof systems are fundamental cryptographic primitives used in many constructions, including CCA2-secure cryptosystems, digital signatures, and various cryptographic protocols. What makes them especially attractive is that they work equally well in a concurrent setting, which is notoriously hard for interactive zero-knowledge protocols. However, while for interactive zero-knowledge we know how to construct statistical zero-knowledge argument systems for all NP languages, for noninteractive zero-knowledge, this problem remained open since the inception of NIZK in the late 1980's. Here we resolve two problems regarding NIZK: We construct the first perfect NIZK argument system for any NP
A Complete Problem for Statistical Zero Knowledge
2002
Cited by 40 (17 self)
We present the first complete problem for SZK, the class of promise problems possessing statistical zero-knowledge proofs (against an honest verifier). The problem, called Statistical Difference, is to decide whether two efficiently samplable distributions are either statistically close or far apart. This gives a new characterization of SZK that makes no reference to interaction or zero knowledge. We propose the use of complete problems to unify and extend the study of statistical zero knowledge. To this end, we examine several consequences of our Completeness Theorem and its proof, such as: A way to make every (honest-verifier) statistical zero-knowledge proof very communication efficient, with the prover sending only one bit to the verifier (to achieve soundness error 1/2). Simpler proofs of many of the previously known results about statistical zero knowledge, such as the Fortnow and Aiello-Håstad upper bounds on the complexity of SZK and Okamoto's result that SZK is closed under complement.
An unconditional study of computational zero knowledge
SIAM Journal on Computing, 2004
Cited by 29 (10 self)
We prove a number of general theorems about ZK, the class of problems possessing (computational) zero-knowledge proofs. Our results are unconditional, in contrast to most previous works on ZK, which rely on the assumption that one-way functions exist. We establish several new characterizations of ZK, and use these characterizations to prove results such as: 1. Honest-verifier ZK equals general ZK. 2. Public-coin ZK equals private-coin ZK. 3. ZK is closed under union. 4. ZK with imperfect completeness equals ZK with perfect completeness. 5. Any problem in ZK ∩ NP can be proven in computational zero knowledge by a BPP^NP prover. 6. ZK with black-box simulators equals ZK with general, non-black-box simulators. The above equalities refer to the resulting class of problems (and do not necessarily preserve other efficiency measures such as round complexity). Our approach is to combine the conditional techniques previously used in the study of ZK with the unconditional techniques developed in the study of SZK, the class of problems possessing statistical zero-knowledge proofs. To enable this combination, we prove that every problem in ZK can be decomposed into a problem in SZK together with a set of instances from which a one-way function can be constructed.
Can Statistical Zero Knowledge be made Non-Interactive? or On the Relationship of SZK and NISZK
IN CRYPTO ’99, LNCS SERIES, 1999
Cited by 25 (15 self)
We extend the study of noninteractive statistical zero-knowledge proofs. Our main focus is to compare the class NISZK of problems possessing such noninteractive proofs to the class SZK of problems possessing interactive statistical zero-knowledge proofs. Along these lines, we first show that if statistical zero knowledge is nontrivial then so is noninteractive statistical zero knowledge, where by nontrivial we mean that the class includes problems which are not solvable in probabilistic polynomial-time. (The hypothesis holds under various assumptions, such as the intractability of the Discrete Logarithm Problem.) Furthermore, we show that if NISZK is closed under complement, then in fact SZK = NISZK, i.e. all statistical zero-knowledge proofs can be made noninteractive. The main tools in our analysis are two promise problems that are natural restrictions of promise problems known to be complete for SZK. We show that these restricted problems are in fact complete for NIS...
Statistical Zero-Knowledge Arguments for NP from Any One-Way
ELECTRONIC COLLOQUIUM ON COMPUTATIONAL COMPLEXITY, 2006
Cited by 23 (2 self)
We show that every language in NP has a statistical zero-knowledge argument system under the (minimal) complexity assumption that one-way functions exist. In such protocols, even a computationally unbounded verifier cannot learn anything other than the fact that the assertion being proven is true, whereas a polynomial-time prover cannot convince the verifier to accept a false assertion except with negligible probability. This resolves an open question posed by Naor, Ostrovsky, Venkatesan, and Yung (CRYPTO ’92, J. Cryptology ’98). Departing from previous works on this problem, we do not construct standard statistically hiding commitments from any one-way function. Instead, we construct a relaxed variant of commitment schemes called “1-out-of-2-binding commitments,” recently introduced by Nguyen and Vadhan (STOC ’06).
Average-Case Complexity
in Foundations and Trends in Theoretical Computer Science Volume 2, Issue 1, 2006
Cited by 16 (0 self)
We survey the average-case complexity of problems in NP. We discuss various notions of good-on-average algorithms, and present completeness results due to Impagliazzo and Levin. Such completeness results establish the fact that if a certain specific (but somewhat artificial) NP problem is easy-on-average with respect to the uniform distribution, then all problems in NP are easy-on-average with respect to all samplable distributions. Applying the theory to natural distributional problems remains an outstanding open question. We review some natural distributional problems whose average-case complexity is of particular interest and that do not yet fit into this theory. A major open question is whether the existence of hard-on-average problems in NP can be based on the P ≠ NP assumption or on related worst-case assumptions. We review negative results showing that certain proof techniques cannot prove such a result. While the relation between worst-case and average-case complexity for general NP problems remains open, there has been progress in understanding the relation between different “degrees” of average-case complexity. We discuss some of these “hardness amplification” results.
Secure Commitment Against A Powerful Adversary - A security primitive based on average intractability (Extended Abstract)
1992
Cited by 15 (6 self)
Secure commitment is a primitive enabling information hiding, which is one of the most basic tools in cryptography. Specifically, it is a two-party partial-information game between a "committer" and a "receiver", in which a secure envelope is first implemented and later opened. The committer has a bit in mind which he commits to by putting it in a "secure envelope". The receiver cannot guess what the value is until the opening stage and the committer cannot change his mind once committed. In this paper, we investigate the feasibility of bit commitment when one of the participants (either committer or receiver) has an unfair computational advantage. That is, we consider commitment to a strong receiver with a To appear in Symposium on Theoretical Aspects of Computer Science (STACS) 92, February 13-15, Paris, France. MIT Laboratory for Computer Science, 545 Technology Square, Cambridge MA 02139, USA. Supported by IBM Graduate Fellowship. Part of this work done while at IBM T.J. W...
Concurrent zero knowledge without complexity assumptions
In TCC, 2006
Cited by 14 (5 self)
Abstract. We provide unconditional constructions of concurrent statistical zero-knowledge proofs for a variety of nontrivial problems (not known to have probabilistic polynomial-time algorithms). The problems include Graph Isomorphism, Graph Nonisomorphism, Quadratic Residuosity, Quadratic Nonresiduosity, a restricted version of Statistical Difference, and approximate versions of the (coNP forms of the) Shortest Vector Problem and Closest Vector Problem in lattices. For some of the problems, such as Graph Isomorphism and Quadratic Residuosity, the proof systems have provers that can be implemented in polynomial time (given an NP witness) and have Õ(log n) rounds, which is known to be essentially optimal for black-box simulation.
Cryptography in the multi-string model
In Advances in Cryptology — Crypto 2007, 2007
Cited by 13 (3 self)
The common random string model introduced by Blum, Feldman and Micali permits the construction of cryptographic protocols that are provably impossible to realize in the standard model. We can think of this model as a trusted party generating a random string and giving it to all parties in the protocol. However, the introduction of such a third party should set alarm bells going off: Who is this trusted party? Why should we trust that the string is random? Even if the string is uniformly random, how do we know it does not leak private information to the trusted party? The very point of doing cryptography in the first place is to prevent us from trusting the wrong people with our secrets. In this paper, we propose the more realistic multi-string model. Instead of having one trusted authority, we have several authorities that generate random strings. We do not trust any single authority; we only assume a majority of them generate random strings honestly. This security model is reasonable, yet at the same time it is very easy to implement. We could for instance imagine random strings being provided on the Internet, and any set of parties that want to execute a protocol just need to agree on which authorities’ strings they want to use. We demonstrate the use of the multi-string model in several fundamental cryptographic tasks. We