Results 1  10
of
15
Perfect ZeroKnowledge Arguments for NP Using any OneWay Permutation
 Journal of Cryptology
, 1998
"... "Perfect zeroknowledge arguments" is a cryptographic primitive which allows one polynomialtime player to convince another polynomialtime player of the validity of an NP statement, without revealing any additional information (in the informationtheoretic sense). Here the security achi ..."
Abstract

Cited by 62 (5 self)
 Add to MetaCart
(Show Context)
"Perfect zeroknowledge arguments" is a cryptographic primitive which allows one polynomialtime player to convince another polynomialtime player of the validity of an NP statement, without revealing any additional information (in the informationtheoretic sense). Here the security achieved is online: in order to cheat and validate a false theorem, the prover must break a cryptographic assumption online during the conversation, while the verifier cannot find (ever) any information unconditionally. Despite their practical and theoretical importance, it was only known how to implement zeroknowledge arguments based on specific algebraic assumptions. In this paper, we show a general construction, which can be based on any oneway permutation. The result is obtained by a construction of an informationtheoretic secure bitcommitment protocol. The protocol is efficient (both parties are polynomial time) and can be based on any oneway permutation. A preliminary version of this ...
Fair Games Against an AllPowerful Adversary
 AMS DIMACS Series in Discrete Mathematics and Theoretical Computer Science
, 1991
"... Suppose that a weak (polynomial time) device needs to interact over a clear channel with a strong (infinitelypowerful) and untrustworthy adversarial device. Assuming the existence of oneway functions, during this interaction (game) the infinitelypowerful device can encrypt and (computationally) hi ..."
Abstract

Cited by 44 (15 self)
 Add to MetaCart
(Show Context)
Suppose that a weak (polynomial time) device needs to interact over a clear channel with a strong (infinitelypowerful) and untrustworthy adversarial device. Assuming the existence of oneway functions, during this interaction (game) the infinitelypowerful device can encrypt and (computationally) hide information from the weak device. However, to keep the game fair, the weak player must hide information from the infinitelypowerful player in the informationtheoretic sense. Clearly, encryption in this case is useless, and other means must be used. In this paper, we show that under a general complexity assumption, this task is always possible to achieve. That is, we show that the weak player can play any polynomial length partialinformation game (or secure protocol) with the strong player using any oneway function; we achieve this by implementing oblivious transfer protocol in this model. We also establish related impossibility results concerning oblivious transfer. In the proof of ou...
Reducing complexity assumptions for statisticallyhiding commitment
 In EUROCRYPT
, 2005
"... We revisit the following question: what are the minimal assumptions needed to construct statisticallyhiding commitment schemes? Naor et al. show how to construct such schemes based on any oneway permutation. We improve upon this by showing a construction based on any approximable preimagesize one ..."
Abstract

Cited by 35 (8 self)
 Add to MetaCart
(Show Context)
We revisit the following question: what are the minimal assumptions needed to construct statisticallyhiding commitment schemes? Naor et al. show how to construct such schemes based on any oneway permutation. We improve upon this by showing a construction based on any approximable preimagesize oneway function. These are oneway functions for which it is possible to efficiently approximate the number of preimages of a given output. A special case is the class of regular oneway functions where all points in the image of the function have the same number of preimages. We also prove two additional results related to statisticallyhiding commitment. First, we prove a (folklore) parallel composition theorem showing, roughly speaking, that the statistical hiding property of any such commitment scheme is amplified exponentially when multiple independent parallel executions of the scheme are carried out. Second, we show a compiler which transforms any commitment scheme which is statistically hiding against an honestbutcurious receiver into one which is statistically hiding even against a malicious receiver. 1
Oneway trapdoor permutations are sufficient for nontrivial singleserver private information retrieval
 In Proc. of EUROCRYPT ’00
, 2000
"... Abstract. We show that general oneway trapdoor permutations are sufficient to privately retrieve an entry from a database of size n with total communication complexity strictly less than n. More specifically, we present a protocol in which the user sends O(K 2) bits and the server sends n − cn bits ..."
Abstract

Cited by 32 (4 self)
 Add to MetaCart
Abstract. We show that general oneway trapdoor permutations are sufficient to privately retrieve an entry from a database of size n with total communication complexity strictly less than n. More specifically, we present a protocol in which the user sends O(K 2) bits and the server sends n − cn bits (for any constant c), where K is the security parameter K of the trapdoor permutations. Thus, for sufficiently large databases (e.g., when K = n ɛ for some small ɛ) our construction breaks the informationtheoretic lowerbound (of at least n bits). This demonstrates the feasibility of basing singleserver private information retrieval on general complexity assumptions. An important implication of our result is that we can implement a 1outofn Oblivious Transfer protocol with communication complexity strictly less than n based on any oneway trapdoor permutation. 1
Commitment Capacity of Discrete Memoryless Channels
 In: Cryptography and Coding. LNCS
, 2003
"... In extension of the bit commitment task and following work initiated by Crépeau and Kilian, we introduce and solve the problem of characterising the optimal rate at which a discrete memoryless channel can be used for bit commitment. It turns out that the answer is very intuitive: it is the maximum e ..."
Abstract

Cited by 22 (1 self)
 Add to MetaCart
(Show Context)
In extension of the bit commitment task and following work initiated by Crépeau and Kilian, we introduce and solve the problem of characterising the optimal rate at which a discrete memoryless channel can be used for bit commitment. It turns out that the answer is very intuitive: it is the maximum equivocation of the channel (after removing trivial redundancy), even when unlimited noiseless bidirectional side communication is allowed. By a wellknown reduction, this result provides a lower bound on the channels capacity for implementing coin tossing, which we conjecture to be an equality. The method of proving this...
Interactive Hashing Simplifies ZeroKnowledge Protocol Design (Extended Abstract)
 Proc. of EuroCrypt 93
, 1998
"... Often the core difficulty in designing zeroknowledge protocols arises from having to consider every possible cheating verifier trying to extract aAditional information. ..."
Abstract

Cited by 18 (6 self)
 Add to MetaCart
(Show Context)
Often the core difficulty in designing zeroknowledge protocols arises from having to consider every possible cheating verifier trying to extract aAditional information.
A new interactive hashing theorem
 In Proceedings of the 22nd Annual IEEE Conference on Computational Complexity
, 2007
"... Interactive hashing, introduced by Naor, Ostrovsky, Venkatesan and Yung (CRYPTO ’92), plays an important role in many cryptographic protocols. In particular, it is a major component in all known constructions of statistically hiding and computationally binding commitment schemes and of zeroknowledg ..."
Abstract

Cited by 13 (5 self)
 Add to MetaCart
Interactive hashing, introduced by Naor, Ostrovsky, Venkatesan and Yung (CRYPTO ’92), plays an important role in many cryptographic protocols. In particular, it is a major component in all known constructions of statistically hiding and computationally binding commitment schemes and of zeroknowledge arguments based on general oneway permutations and on oneway functions. Interactive hashing with respect to a oneway permutation f, is a twoparty protocol that enables a sender that knows y = f(x) to transfer a random hash z = h(y) to a receiver. The receiver is guaranteed that the sender is committed to y (in the sense that it cannot come up with x and x ′ such that f(x) � = f(x ′), but h(f(x)) = h(f(x ′)) = z). The sender is guaranteed that the receiver does not learn any additional information on y. In particular, when h is a twotoone hash function, the receiver does not learn which of the two preimages {y, y ′ } = h −1 (z) is the one the sender can invert with respect to f. This paper reexamines the notion of interactive hashing. We give an alternative proof for the Naor et al. protocol, which seems to us significantly simpler and more intuitive than the original one. Moreover, the new proof achieves much better parameters (in terms of how security
Efficient Consistency Proofs on a Committed Database
 In Automata, Languages and Programming: 31st International Colloquium, ICALP 2004
, 2003
"... A consistent query protocol allows a database owner to publish a very short string c which commits her to a particular database D with special consistency property (i.e., given c, every allowable query has unique and welldefined answer with respect to D.) Moreover, when a user makes a query, any ..."
Abstract

Cited by 8 (1 self)
 Add to MetaCart
A consistent query protocol allows a database owner to publish a very short string c which commits her to a particular database D with special consistency property (i.e., given c, every allowable query has unique and welldefined answer with respect to D.) Moreover, when a user makes a query, any server hosting the database can answer the query, and provide a very short proof # that the answer is welldefined, unique, and consistent with c (and hence with D). One potential application of consistent query protocols is for guaranteeing the consistency of many replicated copies of Dthe owner can publish c, and users can verify the consistency of a query to some copy of D by making sure # is consistent with c. This strong guarantee holds even for owners who try to cheat, while creating c.
Interactive Hashing and reductions between Oblivious Transfer variants
"... Interactive Hashing has featured as an essential ingredient in protocols realizing a large variety of cryptographic tasks. We present a study of this important cryptographic tool in the informationtheoretic context. We start by presenting a security definition which is independent of any particular ..."
Abstract

Cited by 7 (2 self)
 Add to MetaCart
Interactive Hashing has featured as an essential ingredient in protocols realizing a large variety of cryptographic tasks. We present a study of this important cryptographic tool in the informationtheoretic context. We start by presenting a security definition which is independent of any particular setting or application. We then show that a standard implementation of Interactive Hashing satisfies all the conditions of our definition. Our proof of security improves upon previous ones in several ways. Despite its generality, it is considerably simpler. Moreover, it establishes a tighter upper bound on the cheating probability of a dishonest sender. Specifically, we prove that if the fraction of good strings for a dishonest sender is f, then the probability that both outputs will be good is no larger than 15:6805 f. This upper bound is valid for any f and is tight up to a small constant since a sender acting honestly would get two good outputs with probability very close to f. We illustrate the potential of Interactive Hashing as a cryptographic primitive by demonstrating efficient reductions of String Oblivious Transfer with string length k to Bit Oblivious Transfer and several weaker variants. Our reductions incorporate tests based on Interactive Hashing that allow the sender to verify the receiver’s adherence to the protocol without compromising the latter’s privacy. This allows a much more efficient use of the available entropy without any appreciable impact on security. As a result, for Bit OT and most of its variants n = (1 +)k executions suffice, improving efficiency by a factor of two or more compared to the most efficient reductions that do not use Interactive Hashing. As it is theoretically impossible to achieve an expansion factor n=k smaller than 1, our reductions are in fact asymptotically optimal. They are also more general since they place no restrictions on the types of 2universal hash families used for Privacy Amplification. Lastly, we present a direct reduction of String OT to Rabin OT which uses similar methods to achieve an expansion factor of 2 + which is again asymptotically optimal.
InstanceHiding Proof Systems
, 1993
"... We define the notion of an instancehiding proof system (ihps) for a function f ; informally, an ihps is a protocol in which a polynomialtime verifier interacts with one or more allpowerful provers and is convinced of the value of f(x) but does not reveal the input x to the provers. We show here t ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
We define the notion of an instancehiding proof system (ihps) for a function f ; informally, an ihps is a protocol in which a polynomialtime verifier interacts with one or more allpowerful provers and is convinced of the value of f(x) but does not reveal the input x to the provers. We show here that a function f has a multiprover ihps if and only if it is computable in FNEXP. We formalize the notion of zeroknowledge for ihps's and show that any function that has a multiprover ihps in fact has one that is perfect zeroknowledge. Under the assumption that oneway permutations exist, we show that f has a oneprover, zeroknowledge ihps if and only if it is in FPSPACE and has a oneoracle instancehiding scheme (ihs).