Results 11  20
of
137
BlackBox Concurrent ZeroKnowledge Requires (almost) Logarithmically Many Rounds
 SIAM Journal on Computing
, 2002
"... We show that any concurrent zeroknowledge protocol for a nontrivial language (i.e., for a language outside BPP), whose security is proven via blackbox simulation, must use at least ~ \Omega\Gamma/10 n) rounds of interaction. This result achieves a substantial improvement over previous lower bound ..."
Abstract

Cited by 85 (6 self)
 Add to MetaCart
We show that any concurrent zeroknowledge protocol for a nontrivial language (i.e., for a language outside BPP), whose security is proven via blackbox simulation, must use at least ~ \Omega\Gamma/10 n) rounds of interaction. This result achieves a substantial improvement over previous lower bounds, and is the first bound to rule out the possibility of constantround concurrent zeroknowledge when proven via blackbox simulation. Furthermore, the bound is polynomially related to the number of rounds in the best known concurrent zeroknowledge protocol for languages in NP (which is established via blackbox simulation).
On the Limitations of Universally Composable TwoParty Computation without Setup Assumptions
 Journal of Cryptology
, 2003
"... Abstract. The recently proposed universally composable (UC) security framework, for analyzing security of cryptographic protocols, provides very strong security guarantees. In particular, a protocol proven secure in this framework is guaranteed to maintain its security even when deployed in arbitrar ..."
Abstract

Cited by 82 (16 self)
 Add to MetaCart
Abstract. The recently proposed universally composable (UC) security framework, for analyzing security of cryptographic protocols, provides very strong security guarantees. In particular, a protocol proven secure in this framework is guaranteed to maintain its security even when deployed in arbitrary multiparty, multiprotocol, multiexecution environments. Protocols for securely carrying out essentially any cryptographic task in a universally composable way exist, both in the case of an honest majority (in the plain model, i.e., without setup assumptions) and in the case of no honest majority (in the common reference string model). However, in the plain model, little was known for the case of no honest majority and, in particular, for the important special case of twoparty protocols. We study the feasibility of universally composable twoparty function evaluation in the plain model. Our results show that very few functions can be computed in this model so as to provide the UC security guarantees. Specifically, for the case of deterministic functions, we provide a full characterization of the functions computable in this model. (Essentially, these are the functions that depend on at most one of the parties’ inputs, and furthermore are “efficiently invertible ” in a sense defined within.) For the case of probabilistic functions, we show that the only functions computable in this model are those where one of the parties can essentially uniquely determine the joint output. 1
RSABased Undeniable Signatures
"... We present the first undeniable signatures scheme based on RSA. Since their introduction in 1989 a significant amount of work has been devoted to the investigation of undeniable signatures. So far, this work has been based on discrete log systems. In contrast, our scheme uses regular RSA signature ..."
Abstract

Cited by 76 (5 self)
 Add to MetaCart
We present the first undeniable signatures scheme based on RSA. Since their introduction in 1989 a significant amount of work has been devoted to the investigation of undeniable signatures. So far, this work has been based on discrete log systems. In contrast, our scheme uses regular RSA signatures to generate undeniable signatures. In this new setting, both the signature and verification exponents of RSA are kept secret by the signer, while the public key consists of a composite modulus and a sample RSA signature on a single public message. Our scheme possesses several attractive properties. First of all, provable security, as forging the undeniable signatures is as hard as forging regular RSA signatures. Second, both the confirmation and denial protocols are zeroknowledge. In addition, these protocols are efficient (particularly, the confirmation protocol involves only two rounds of communication and a small number of exponentiations). Furthermore the RSAbased structure of our scheme provides with simple and elegant solutions to add several of the more advanced properties of undeniable signatures found in the literature, including convertibility of the undeniable signatures (into publicly verifiable ones), the possibility to delegate the ability to confirm and deny signatures to a third party without giving up the power to sign, and the existence of distributed (threshold) versions of the signing and confirmation operations. Due to the above properties and the fact that our undeniable signatures are identical in form to standard RSA signatures, the scheme we present becomes a very attractive candidate for practical implementations.
Parallel CoinTossing and ConstantRound Secure TwoParty Computation
 Journal of Cryptology
, 2001
"... Abstract. In this paper we show that any twoparty functionality can be securely computed in a constant number of rounds, where security is obtained against malicious adversaries that may arbitrarily deviate from the protocol specification. This is in contrast to Yao’s constantround protocol that e ..."
Abstract

Cited by 76 (14 self)
 Add to MetaCart
Abstract. In this paper we show that any twoparty functionality can be securely computed in a constant number of rounds, where security is obtained against malicious adversaries that may arbitrarily deviate from the protocol specification. This is in contrast to Yao’s constantround protocol that ensures security only in the face of semihonest adversaries, and to its malicious adversary version that requires a polynomial number of rounds. In order to obtain our result, we present a constantround protocol for secure cointossing of polynomially many coins (in parallel). We then show how this protocol can be used in conjunction with other existing constructions in order to obtain a constantround protocol for securely computing any twoparty functionality. On the subject of cointossing, we also present a constantround perfect cointossing protocol, where by “perfect ” we mean that the resulting coins are guaranteed to be statistically close to uniform (and not just pseudorandom). 1
Resettable ZeroKnowledge
 In 32nd STOC
, 1999
"... We introduce the notion of Resettable ZeroKnowledge (rZK), a new security measure for cryptographic protocols which strengthens the classical notion of zeroknowledge. In essence, an rZK protocol is one that remains zero knowledge even if an adversary can interact with the prover many times, eac ..."
Abstract

Cited by 71 (7 self)
 Add to MetaCart
We introduce the notion of Resettable ZeroKnowledge (rZK), a new security measure for cryptographic protocols which strengthens the classical notion of zeroknowledge. In essence, an rZK protocol is one that remains zero knowledge even if an adversary can interact with the prover many times, each time resetting the prover to its initial state and forcing him to use the same random tape.
Separating random oracle proofs from complexity theoretic proofs: The noncommitting encryption case
 IN PROCEEDINGS OF CRYPTO ’02, LNCS SERIES
, 2002
"... We show that there exists a natural protocol problem which has a simple solution in the randomoracle (RO) model and which has no solution in the complexitytheoretic (CT) model, namely the problem of constructing a noninteractive communication protocol secure against adaptive adversaries a.k.a. n ..."
Abstract

Cited by 71 (2 self)
 Add to MetaCart
We show that there exists a natural protocol problem which has a simple solution in the randomoracle (RO) model and which has no solution in the complexitytheoretic (CT) model, namely the problem of constructing a noninteractive communication protocol secure against adaptive adversaries a.k.a. noninteractive noncommitting encryption. This separation between the models is due to the socalled programability of the random oracle. We show this by providing a formulation of the RO model in which the oracle is not programmable, and showing that in this model, there does not exist noninteractive noncommitting encryption.
NonInteractive CryptoComputing for NC1
 In 40th Annual Symposium on Foundations of Computer Science
, 1999
"... The area of "computing with encrypted data" has been studied by numerous authors in the past twenty years since it is fundamental to understanding properties of encryption and it has many practical applications. The related fundamental area of "secure function evaluation" has been studied since the ..."
Abstract

Cited by 70 (0 self)
 Add to MetaCart
The area of "computing with encrypted data" has been studied by numerous authors in the past twenty years since it is fundamental to understanding properties of encryption and it has many practical applications. The related fundamental area of "secure function evaluation" has been studied since the mid 80's. In its basic twoparty case, two parties (Alice and Bob) evaluate a known circuit over private inputs (or a private input and a private circuit). Much attention has been paid to the important issue of minimizing rounds of computation in this model. Namely, the number of communication rounds in which Alice and Bob need to engage in to evaluate a circuit on encrypted data securely. Advancements in these areas have been recognized as open problems and have remained open for a number of years. In this paper we give a one round, and thus round optimal, protocol for secure evaluation of circuits which is in polynomialtime for NC
Universal Composition with Joint State
, 2002
"... We propose a new composition operation for cryptographic protocols, called universal composition with joint state, and demonstrate sufficient conditions for when the new operation preserves security. In contrast with existing composition operations, where the instances of the composed protocols are ..."
Abstract

Cited by 61 (5 self)
 Add to MetaCart
We propose a new composition operation for cryptographic protocols, called universal composition with joint state, and demonstrate sufficient conditions for when the new operation preserves security. In contrast with existing composition operations, where the instances of the composed protocols are assumed to have completely disjoint local states, the new operation allows the composed protocols to have some amount of joint state (and, in particular, joint randomness) while still guaranteeing strong composability properties.
Magic Functions
, 1999
"... We consider three apparently unrelated fundamental problems in distributed computing, cryptography and complexity theory and prove that they are essentially the same problem. ..."
Abstract

Cited by 55 (0 self)
 Add to MetaCart
We consider three apparently unrelated fundamental problems in distributed computing, cryptography and complexity theory and prove that they are essentially the same problem.
Concurrent ZeroKnowledge: Reducing the Need for Timing Constraints
 In Crypto98, Springer LNCS 1462
, 1998
"... Abstract. An interactive proof system (or argument) (P, V)isconcurrent zeroknowledge if whenever the prover engages in polynomially many concurrent executions of (P, V), with (possibly distinct) colluding polynomial time bounded verifiers V1,...,Vpoly(n), the entire undertaking is zeroknowledge. D ..."
Abstract

Cited by 52 (7 self)
 Add to MetaCart
Abstract. An interactive proof system (or argument) (P, V)isconcurrent zeroknowledge if whenever the prover engages in polynomially many concurrent executions of (P, V), with (possibly distinct) colluding polynomial time bounded verifiers V1,...,Vpoly(n), the entire undertaking is zeroknowledge. Dwork, Naor, and Sahai recently showed the existence of a large class of concurrent zeroknowledge arguments, including arguments for all of NP, under a reasonable assumption on the behavior of clocks of nonfaulty processors. In this paper, we continue the study of concurrent zeroknowledge arguments. After observing that, without recourse to timing, the existence of a trusted center considerably simplifies the design and proof of many concurrent zeroknowledge arguments (again including arguments for all of NP), we design a preprocessing protocol protocol, making use of timing, to simulate the trusted center for the purposes of achieving concurrent zeroknowledge. Once a particular prover and verifier have executed the preprocessing protocol protocol, any polynomial number of subsequent executions of a rich class of protocols will be concurrent zeroknowledge. 1