Proofs of partial knowledge and simplified design of witness hiding protocols
1994
Cited by 270 (12 self)
Abstract
Suppose we are given a proof of knowledge P in which a prover demonstrates that he knows a solution to a given problem instance. Suppose also that we have a secret sharing scheme S on n participants. Then under certain assumptions on P and S, we show how to transform P into a witness indistinguishable protocol, in which the prover demonstrates knowledge of the solution to a subset of n problem instances corresponding to a qualified set of participants. For example, using a threshold scheme, the prover can show that he knows at least d out of n solutions without revealing which d instances are involved. If the instances are independently generated, this can lead to witness hiding protocols, even if P did not have this property. Our transformation produces a protocol with the same number of rounds as P and communication complexity n times that of P. Our results use no unproven complexity assumptions.
Efficient Zero-Knowledge Proofs of Knowledge Without Intractability Assumptions
2000
Cited by 29 (0 self)
Abstract
We initiate the investigation of the class of relations that admit extremely efficient perfect zero-knowledge proofs of knowledge: a constant number of rounds, communication linear in the length of the statement and the witness, and negligible knowledge error. In its most general incarnation, our result says that for relations that have a particular three-move honest-verifier zero-knowledge (HVZK) proof of knowledge, and which admit a particular three-move HVZK proof of knowledge for an associated commitment relation, perfect zero knowledge (against a general verifier) can be achieved essentially for free, even when proving statements on several instances combined under monotone function composition. In addition, perfect zero-knowledge is achieved with an optimal 4 moves. Instantiations of our main protocol lead to efficient perfect ZK proofs of knowledge of discrete logarithms and RSA-roots, or more generally, q-one-way group homomorphisms. None of our results rely...
Randomness-Efficient Non-Interactive Zero Knowledge (Extended Abstract)
1997
Cited by 6 (0 self)
Abstract
The model of Non-Interactive Zero-Knowledge allows one to obtain minimal interaction between prover and verifier in a zero-knowledge proof if a public random string is available to both parties. In this paper we investigate upper bounds for the length of the random string for proving one and many statements, obtaining the following results: We show how to prove in non-interactive perfect zero-knowledge any polynomial number of statements using a random string of fixed length, that is, not depending on the number of statements. Previously, such a result was known only in th...
Efficient Non-Interactive Zero-Knowledge Proofs of Circuit Satisfiability
Institut for Matematik og Datalogi, Odense Universitet, Preprints 1994, Nr. 1, ISSN
1994
Cited by 2 (1 self)
Abstract
We show how to construct a "zero-knowledge proof" that a circuit of size m is satisfiable. The proof is a string of length O(m lg m) which is constructed (and can be verified) using a trusted random string of length O(m lg m). The probability of failure or of cheating is exponentially small in a security parameter which is defined independently of the circuit size. Our methods assume that a Quadratic Residuosity Bit Commitment Scheme is available as a primitive and do not consider the cost of establishing this scheme, only the cost of using it. Thus, these "proofs" are essentially non-interactive zero-knowledge proofs, with a couple of changes to the standard definition, though they can easily be modified to fit the standard definition. The techniques used yield more efficient "proofs" than those previously known.
(Supported in part by NSF Grant CCR-9207204.)
1 Introduction
A non-interactive zero-knowledge proof system is a protocol that allows a prover to convince a verifier tha...
Double-authentication-preventing signatures
2013
Abstract
Digital signatures are often used by trusted authorities to make unique bindings between a subject and a digital object; for example, certificate authorities certify that a public key belongs to a domain name, and timestamping authorities certify that a certain piece of information existed at a certain time. Traditional digital signature schemes, however, impose no uniqueness conditions, so a malicious or coerced authority can make multiple certifications for the same subject but different objects. We propose the notion of a double-authentication-preventing signature, in which a value to be signed is split into two parts: a subject and a message. If a signer ever signs two different messages for the same subject, enough information is revealed to allow anyone to compute valid signatures on behalf of the signer. This double-signature forgeability property prevents, or at least strongly discourages, signers misbehaving. We give a generic construction using a new type of trapdoor functions with extractability properties, which we show can be instantiated using the group of sign-agnostic quadratic residues modulo a Blum integer.
unknown title
Abstract
The literature of cryptography has a curious history. Secrecy, of course, has always played a central role, but until the First World War, important developments appeared in print in a more or less timely fashion and the field moved forward in much the same way as other specialized disciplines. As late as 1918, one of the most influential cryptanalytic papers of the twentieth century, William F. Friedman’s monograph The Index of Coincidence and Its Applications in Cryptography, appeared as a research report of the private Riverbank Laboratories [577]. And this, despite the fact that the work had been done as part of the war effort. In the same year Edward H. Hebern of Oakland, California, filed the first patent for a rotor machine [710], the device destined to be a mainstay of military cryptography for nearly 50 years. After the First World War, however, things began to change. U.S. Army and Navy organizations, working entirely in secret, began to make fundamental advances in cryptography. During the thirties and forties a few basic papers did appear in the open literature and several treatises on the subject were published, but the latter were farther and farther behind the state of the art. By the end of the war the transition was complete. With one notable exception, the public literature had died. That exception was Claude Shannon’s paper “The Communication Theory of Secrecy Systems,” which