Results 1 to 10 of 49
One-way accumulators: A decentralized alternative to digital signatures
, 1993
Cited by 121 (0 self)
Abstract. This paper describes a simple candidate one-way hash function which satisfies a quasi-commutative property that allows it to be used as an accumulator. This property allows protocols to be developed in which the need for a trusted central authority can be eliminated. Space-efficient distributed protocols are given for document time-stamping and for membership testing, and many other applications are possible.
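The membership-testing protocol the abstract mentions, as an added example (not code from the paper or from this page): the quasi-commutative function used here is the exponentiation-based one, f(x, y) = x^y mod N, which is the candidate this paper is known for. The toy modulus N, the base G and the SHA-256 hash-to-exponent mapping are assumptions of this example; the factors of N are shown only so that the code runs, and a real deployment needs a large N whose factorisation nobody knows.

```python
# Added example: a quasi-commutative one-way accumulator, f(x, y) = x^y mod N.
# Assumptions (not from the page): N is a constructed toy RSA modulus, G is an
# arbitrary public start value, and documents are mapped to exponents with
# SHA-256.  The modulus is far too small for any real use.
import hashlib

P, Q = 1009, 1013          # toy primes, illustration only
N = P * Q                  # 1022117
G = 65537                  # public starting value of the accumulator


def to_exponent(doc: bytes) -> int:
    """Map a document to the integer that gets accumulated (assumed mapping)."""
    return int.from_bytes(hashlib.sha256(doc).digest(), "big") | 1


def accumulate(start: int, exponents, n: int = N) -> int:
    """Fold items into the accumulator.  Because f(f(z, a), b) = z^(a*b) mod n,
    the result does not depend on the order of the items: that is the
    quasi-commutative property the paper relies on."""
    acc = start
    for e in exponents:
        acc = pow(acc, e, n)
    return acc


def witness(start: int, exponents, target: int, n: int = N) -> int:
    """Witness for target = accumulation of every other item.  Anyone holding
    the item list can compute it, so no central authority is needed."""
    return accumulate(start, [e for e in exponents if e != target], n)


def verify(w: int, target: int, acc: int, n: int = N) -> bool:
    """Membership test: applying the target to its witness must give acc."""
    return pow(w, target, n) == acc


def demo():
    # constructed sample documents
    docs = [b"contract-2023-01.pdf", b"contract-2023-02.pdf", b"audit-log.txt"]
    exps = [to_exponent(d) for d in docs]
    acc = accumulate(G, exps)
    target = to_exponent(b"contract-2023-02.pdf")
    w = witness(G, exps, target)
    return {
        "order_independent": accumulate(G, exps) == accumulate(G, list(reversed(exps))),
        "member_verifies": verify(w, target, acc),
        "forged_item_accepted": verify(w, to_exponent(b"forged.pdf"), acc),
    }


if __name__ == "__main__":
    print(demo())
```

The order independence is what lets every participant compute the same accumulator value from the same set without a coordinator; the witness for an item is simply the accumulation of everything else. Note that with arbitrary (non-prime) exponents a colluding set of members can in some cases combine their values to forge a witness, which is why later accumulator constructions map items to primes.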
Zero-Knowledge Proofs for Finite Field Arithmetic, or: Can Zero-Knowledge be for Free?
 In Proc. CRYPTO
, 1997
Cited by 53 (5 self)
We present zero-knowledge proofs and arguments for arithmetic circuits over finite prime fields, namely given a circuit, show in zero-knowledge that inputs can be selected leading to a given output. For a field GF(q), where q is an n-bit prime, a circuit of size O(n), and error probability 2 , our protocols require communication of O(n ) bits. This is the same worst-case complexity as the trivial (non-zero-knowledge) interactive proof where the prover just reveals the input values. If the circuit involves n multiplications, the best previously known methods would in general require communication of Ω(n log n) bits. Variations of the
Signature Schemes and Applications to Cryptographic Protocol Design
, 2002
Cited by 32 (8 self)
Signature schemes are fundamental cryptographic primitives, useful as a standalone application, and as a building block in the design of secure protocols and other cryptographic objects. In this thesis, we study both the uses that signature schemes find in protocols, and the design of signature schemes suitable for a broad range of applications. An important
Efficient Secure Multi-Party Computation
, 2000
Cited by 29 (4 self)
Martin Hirt and Ueli Maurer (ETH Zurich, Switzerland, {hirt,maurer}@inf.ethz.ch) and Bartosz Przydatek (Carnegie Mellon University, USA, bartosz@cs.cmu.edu). Asiacrypt 2000.
Abstract. Since the introduction of secure multi-party computation, all proposed protocols that provide security against cheating players suffer from very high communication complexities. The most efficient unconditionally secure protocols among n players, tolerating cheating by up to t < n/3 of them, require communicating O(n^6) field elements for each multiplication of two elements, even if only one player cheats. In this paper, we propose a perfectly secure multi-party protocol which requires communicating O(n^3) field elements per multiplication. In this protocol, the number of invocations of the broadcast primitive is independent of the size of the circuit to be computed. The proposed techniques are generic and apply to other protocols for robust distributed computations. Furthe...
Perfect NIZK with adaptive soundness
 In Proceedings of TCC '07, LNCS series
, 2007
Cited by 28 (0 self)
Abstract. The notion of non-interactive zero-knowledge (NIZK) is of fundamental importance in cryptography. Despite the vast attention the concept of NIZK has attracted since its introduction, one question has remained very resistant: Is it possible to construct NIZK schemes for any NP-language with statistical or even perfect ZK? Groth, Ostrovsky and Sahai recently answered this question in the affirmative. However, in order to achieve adaptive soundness, i.e., soundness against dishonest provers who may choose the target statement depending on the common reference string (CRS), their schemes require some restriction to be put upon the statements to be proven, e.g. an a priori bound on their size. In this work, we first present a very simple and efficient adaptively-sound perfect NIZK argument system for any NP-language. Besides being the first adaptively-sound statistical NIZK argument for all of NP that does not pose any restriction on the statements to be proven, it enjoys a number of additional desirable properties: it allows the CRS to be reused, it can handle arithmetic circuits, and the CRS can be set up very efficiently without the need for an honest party. We then show an application of our techniques in constructing efficient NIZK schemes for proving arithmetic relations among committed secrets, whereas previous methods required expensive generic NP-reductions. The security of the proposed schemes is based on a strong non-standard assumption, an extended version of the so-called Knowledge-of-Exponent Assumption (KEA) over bilinear groups. We give some justification for using such an assumption by showing that the commonly-used approach for proving NIZK arguments sound does not allow for adaptively-sound statistical NIZK arguments (unless NP ⊂ P/poly). Furthermore, we show that the assumption used in our construction holds with respect to generic adversaries that do not exploit the specific representation of the group elements. We also discuss how to avoid the non-standard assumption in a preprocessing model.
On 2-Round Secure Multiparty Computation
 In Proc. Crypto '02
, 2002
Cited by 27 (3 self)
Abstract. Substantial efforts have been spent on characterizing the round complexity of various cryptographic tasks. In this work we study the round complexity of secure multiparty computation in the presence of an active (Byzantine) adversary, assuming the availability of secure point-to-point channels and a broadcast primitive. It was recently shown that in this setting three rounds are sufficient for arbitrary secure computation tasks, with a linear security threshold, and two rounds are sufficient for certain non-trivial tasks. This leaves open the question whether every function can be securely computed in two rounds. We show that the answer to this question is "no": even some very simple functions do not admit secure 2-round protocols (independently of their communication and time complexity), and thus 3 is the exact round complexity of general secure multiparty computation. Yet, we also present some positive results by identifying a useful class of functions which can be securely computed in two rounds. Our results apply both to the information-theoretic and to the computational notions of security.
Perfectly-Secure MPC with Linear Communication Complexity
 Theory of Cryptography, Fifth Theory of Cryptography Conference, TCC 2008
, 2008
Cited by 26 (0 self)
Abstract. Secure multi-party computation (MPC) allows a set of n players to securely compute an agreed function, even when up to t players are under the control of an adversary. Known perfectly secure MPC protocols require communication of at least Ω(n^3) field elements per multiplication, whereas cryptographic or unconditional security is possible with communication linear in the number of players. We present a perfectly secure MPC protocol communicating O(n) field elements per multiplication. Our protocol provides perfect security against an active, adaptive adversary corrupting t < n/3 players, which is optimal. Thus our protocol improves the security of the most efficient information-theoretically secure protocol at no extra cost, and respectively improves the efficiency of perfectly secure MPC protocols by a factor of Ω(n^2). To achieve this, we introduce a novel technique: constructing detectable protocols with the help of so-called hyper-invertible matrices, which we believe to be of independent interest. Hyper-invertible matrices allow (among other things) efficient correctness checks of many instances to be performed in parallel, which was until now possible only if an error probability was allowed. Keywords: Multi-party computation, efficiency, perfect security, hyper-invertible matrix.
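The hyper-invertible matrix the abstract introduces, as an added example (not code from the paper or from this page). A matrix is hyper-invertible when every square submatrix is invertible; the standard way to get one is to let the matrix map the values of a polynomial at c input points to its values at r further points, so that any c of the r + c values determine the rest. The field GF(17), the input points 1..3 and the output points 4..6 are assumptions of this example; the brute-force check over all square submatrices is only feasible at this toy size.

```python
# Added example: build a hyper-invertible matrix over GF(P) from Lagrange
# interpolation and verify the defining property by brute force.
# Assumptions (not from the page): P = 17, input points xs = [1, 2, 3],
# output points ys = [4, 5, 6]; all 2n points must be distinct field elements.
from itertools import combinations

P = 17


def inv(a):
    """Multiplicative inverse in GF(P) (P prime) via Fermat."""
    return pow(a % P, P - 2, P)


def lagrange_matrix(xs, ys):
    """M[j][i] = L_i(ys[j]), L_i the Lagrange basis polynomial through xs.
    For every polynomial f of degree < len(xs):  M * (f(x_1),..) = (f(y_1),..)."""
    rows = []
    for y in ys:
        row = []
        for i, xi in enumerate(xs):
            num, den = 1, 1
            for k, xk in enumerate(xs):
                if k != i:
                    num = num * (y - xk) % P
                    den = den * (xi - xk) % P
            row.append(num * inv(den) % P)
        rows.append(row)
    return rows


def apply_matrix(m, v):
    return [sum(a * b for a, b in zip(row, v)) % P for row in m]


def det(m):
    """Determinant mod P by Gaussian elimination with row swaps."""
    m = [row[:] for row in m]
    n, d = len(m), 1
    for c in range(n):
        piv = next((r for r in range(c, n) if m[r][c] % P), None)
        if piv is None:
            return 0
        if piv != c:
            m[c], m[piv] = m[piv], m[c]
            d = -d
        d = d * m[c][c] % P
        iv = inv(m[c][c])
        for r in range(c + 1, n):
            f = m[r][c] * iv % P
            for k in range(c, n):
                m[r][k] = (m[r][k] - f * m[c][k]) % P
    return d % P


def is_hyperinvertible(m):
    """Every k x k submatrix (any k rows, any k columns) must be invertible."""
    r, c = len(m), len(m[0])
    for k in range(1, min(r, c) + 1):
        for rows in combinations(range(r), k):
            for cols in combinations(range(c), k):
                if det([[m[i][j] for j in cols] for i in rows]) == 0:
                    return False
    return True


def demo():
    M = lagrange_matrix([1, 2, 3], [4, 5, 6])
    I = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]   # invertible, but not hyper-invertible
    return {"lagrange": is_hyperinvertible(M), "identity": is_hyperinvertible(I)}


if __name__ == "__main__":
    print(demo())
```

The identity matrix shows why ordinary invertibility is not enough: its 1 x 1 submatrix [0] is singular. With the interpolation-based matrix, if n - t of the r + c values are held by honest players, those values already fix every other value, which is what lets the honest players detect a corrupted one without any error probability.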
Robustness for free in unconditional multi-party computation
 CRYPTO
, 2001
Cited by 26 (3 self)
Abstract. We present a very efficient multi-party computation protocol unconditionally secure against an active adversary. The security is maximal, i.e., active corruption of up to t < n/3 of the n players is tolerated. The communication complexity for securely evaluating a circuit with m multiplication gates over a finite field is O(mn^2) field elements, including the communication required for simulating broadcast, but excluding some overhead costs (independent of m) for sharing the inputs and reconstructing the outputs. This corresponds to the complexity of the best known protocols for the passive model, where the corrupted players are guaranteed not to deviate from the protocol. The complexity of our protocol may well be optimal. The constant overhead factor for robustness is small and the protocol is practical.
Semi-homomorphic encryption and multiparty computation
 In EUROCRYPT, volume 6632 of Lecture Notes in Computer Science
, 2011
Cited by 20 (2 self)
Abstract. An additively-homomorphic encryption scheme enables us to compute linear functions of an encrypted input by manipulating only the ciphertexts. We define the relaxed notion of a semi-homomorphic encryption scheme, where the plaintext can be recovered as long as the computed function does not increase the size of the input "too much". We show that a number of existing cryptosystems are captured by our relaxed notion. In particular, we give examples of semi-homomorphic encryption schemes based on lattices, subset sum and factoring. We then demonstrate how semi-homomorphic encryption schemes allow us to construct an efficient multiparty computation protocol for arithmetic circuits, UC-secure against a dishonest majority. The protocol consists of a preprocessing phase and an online phase. Neither the inputs nor the function to be computed have to be known during preprocessing. Moreover, the online phase is extremely efficient as it requires no cryptographic operations: the parties only need to exchange additive shares and verify information-theoretic MACs. Our contribution is therefore twofold: from a theoretical point of view, we can base multiparty computation on a variety of different assumptions, while on the practical side we offer a protocol with better efficiency than any previous solution.
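The online phase the abstract describes, as an added example (not code from the paper or from this page): parties hold additive shares of each value, every share carries an information-theoretic MAC, linear operations are local, and opening a value means broadcasting shares and checking MACs. The pairwise MAC shape used here (verifier j keeps a key alpha_j and a fresh beta per share, holder i gets alpha_j * x_i + beta), the field GF(2^61 - 1), three parties, and a dealer standing in for the preprocessing phase are all assumptions of this example.

```python
# Added example: additive secret sharing with information-theoretic MACs.
# Assumptions (not from the page): pairwise MACs of the form
# mac_{j,i} = alpha_j * x_i + beta_{j,i}, field GF(2^61 - 1), three parties,
# and a trusted dealer replacing the preprocessing phase.
import random

P = (1 << 61) - 1      # Mersenne prime; any large prime field would do
N_PARTIES = 3


class Dealer:
    """Preprocessing stand-in: knows every MAC key and hands out shares."""

    def __init__(self, seed=0):
        self.rng = random.Random(seed)
        # alpha[j] is party j's long-term MAC key; nonzero so alpha*delta != 0
        self.alpha = [self.rng.randrange(1, P) for _ in range(N_PARTIES)]

    def share(self, x):
        shares = [self.rng.randrange(P) for _ in range(N_PARTIES - 1)]
        shares.append((x - sum(shares)) % P)
        macs, betas = {}, {}
        for j in range(N_PARTIES):          # verifier
            for i in range(N_PARTIES):      # share holder
                if i != j:
                    b = self.rng.randrange(P)
                    betas[(j, i)] = b                                   # kept by j
                    macs[(j, i)] = (self.alpha[j] * shares[i] + b) % P  # held by i
        return {"shares": shares, "macs": macs, "betas": betas}


def add(a, b):
    """Local addition: shares, MACs and beta keys are all linear in x,
    so no communication and no cryptography is needed."""
    return {
        "shares": [(u + v) % P for u, v in zip(a["shares"], b["shares"])],
        "macs": {k: (a["macs"][k] + b["macs"][k]) % P for k in a["macs"]},
        "betas": {k: (a["betas"][k] + b["betas"][k]) % P for k in a["betas"]},
    }


def open_value(sv, alpha, corrupt=None):
    """Every party i broadcasts its share and MACs; every verifier j recomputes
    alpha_j * x_i + beta_{j,i}.  `corrupt` maps a party index to the offset it
    adds to its share without knowing anyone's alpha.  Returns (value, ok)."""
    sent = list(sv["shares"])
    for i, delta in (corrupt or {}).items():
        sent[i] = (sent[i] + delta) % P
    ok = True
    for (j, i), mac in sv["macs"].items():
        if (alpha[j] * sent[i] + sv["betas"][(j, i)]) % P != mac:
            ok = False   # verifier j rejects party i's share
    return sum(sent) % P, ok


def demo():
    dealer = Dealer(seed=42)
    x, y = dealer.share(5), dealer.share(7)     # constructed inputs
    z = add(x, y)                               # [5] + [7] = [12], locally
    honest = open_value(z, dealer.alpha)
    cheated = open_value(z, dealer.alpha, corrupt={1: 1000})
    return {"honest": honest, "cheated": cheated}


if __name__ == "__main__":
    print(demo())
```

A cheating party that shifts its share by delta would need a MAC for the new share, i.e. alpha_j * delta, and guessing alpha_j succeeds with probability 1/P. That is why the online phase needs no cryptographic operations: the only check is a field multiplication and an addition per share, and the check is unconditional rather than computational.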
Minimal-latency secure function evaluation
 In Proc. EUROCRYPT 2000
, 2000
Cited by 19 (0 self)
Abstract. Sander, Young and Yung recently exhibited a protocol for computing on encrypted inputs, for functions computable in NC^1. In their variant of secure function evaluation, Bob (the "Crypto-Computer") accepts homomorphically-encrypted inputs (x) from client Alice, and then returns a string from which Alice can extract f(x, y) (where y is Bob's input, or e.g. the function f itself). Alice must not learn more about y than what f(x, y) reveals by itself. We extend their result to encompass NLOGSPACE (non-deterministic logspace functions). In the domain of multiparty computations, constant-round protocols have been known for years [BB89, FKN95]. This paper introduces novel parallelization techniques that, coupled with the [SYY99] methods, reduce the constant to 1 with preprocessing. This resolves the conjecture that NLOGSPACE subcomputations (including log-slices of circuit computation) can be evaluated with latency 1 (as opposed to just O(1)).