Results 1  10
of
34
Optimistic fair exchange of digital signatures
 IEEE Journal on Selected Areas in Communications
, 1998
"... Abstract. We present a new protocol that allows two players to exchange digital signatures over the Internet in a fair way, so that either each player gets the other’s signature, or neither player does. The obvious application is where the signatures represent items of value, for example, an elect ..."
Abstract

Cited by 279 (10 self)
 Add to MetaCart
Abstract. We present a new protocol that allows two players to exchange digital signatures over the Internet in a fair way, so that either each player gets the other’s signature, or neither player does. The obvious application is where the signatures represent items of value, for example, an electronic check or airline ticket. The protocol can also be adapted to exchange encrypted data. The protocol relies on a trusted third party, but is “optimistic, ” in that the third party is only needed in cases where one player attempts to cheat or simply crashes. A key feature of our protocol is that a player can always force a timely and fair termination, without the cooperation of the other player. 1
How to Construct ConstantRound ZeroKnowledge Proof Systems for NP
 Journal of Cryptology
, 1995
"... Constantround zeroknowledge proof systems for every language in NP are presented, assuming the existence of a collection of clawfree functions. In particular, it follows that such proof systems exist assuming the intractability of either the Discrete Logarithm Problem or the Factoring Problem for ..."
Abstract

Cited by 166 (8 self)
 Add to MetaCart
Constantround zeroknowledge proof systems for every language in NP are presented, assuming the existence of a collection of clawfree functions. In particular, it follows that such proof systems exist assuming the intractability of either the Discrete Logarithm Problem or the Factoring Problem for Blum Integers.
A note on efficient zeroknowledge proofs and arguments (Extended Abstract)
, 1992
"... In this note, we present new zeroknowledge interactive proofs and arguments for languages in NP. To show that z G L, with an error probability of at most 2k, our zeroknowledge proof system requires O(lzlc’) + O(lg ” l~l)k ideal bit commitments, where c1 and cz depend only on L. This construction ..."
Abstract

Cited by 165 (2 self)
 Add to MetaCart
In this note, we present new zeroknowledge interactive proofs and arguments for languages in NP. To show that z G L, with an error probability of at most 2k, our zeroknowledge proof system requires O(lzlc’) + O(lg ” l~l)k ideal bit commitments, where c1 and cz depend only on L. This construction is the first in the ideal bit commitment model that achieves large values of k more efficiently than by running k independent iterations of the base interactive proof system. Under suitable complexity assumptions, we exhibit a zeroknowledge arguments that require O(lg ’ Izl)ki bits of communication, where c depends only on L, and 1 is the security parameter for the prover.l This is the first construction in which the total amount of communication can be less than that needed to transmit the NP witness. Our protocols are based on efficiently checkable proofs for NP [4].
Resettable zeroknowledge
, 2000
"... We introduce the notion of Resettable ZeroKnowledge (rZK), a new security measure for cryptographic protocols which strengthens the classical notion of zeroknowledge. In essence, an rZK protocol is one that remains zero knowledge even if an adversary can interact with the prover many times, each ..."
Abstract

Cited by 78 (6 self)
 Add to MetaCart
We introduce the notion of Resettable ZeroKnowledge (rZK), a new security measure for cryptographic protocols which strengthens the classical notion of zeroknowledge. In essence, an rZK protocol is one that remains zero knowledge even if an adversary can interact with the prover many times, each time resetting the prover to its initial state and forcing it to use the same random tape. All known examples of zeroknowledge proofs and arguments are trivially breakable in this setting. Moreover, by definition, all zeroknowledge proofs of knowledge are breakable in this setting. Under general complexity assumptions, which hold for example if the Discrete Logarithm Problem is hard, we construct: ffl Resettable ZeroKnowledge proofsystems for NP with nonconstant number of rounds. ffl Fiveround Resettable WitnessIndistinguishable proofsystems for NP. ffl Fourround Resettable ZeroKnowledge arguments for NP in the public key model: where verifiers have fixed, public keys associated with them.
Perfect ZeroKnowledge Arguments for NP Using any OneWay Permutation
 Journal of Cryptology
, 1998
"... "Perfect zeroknowledge arguments" is a cryptographic primitive which allows one polynomialtime player to convince another polynomialtime player of the validity of an NP statement, without revealing any additional information (in the informationtheoretic sense). Here the security achi ..."
Abstract

Cited by 61 (5 self)
 Add to MetaCart
(Show Context)
"Perfect zeroknowledge arguments" is a cryptographic primitive which allows one polynomialtime player to convince another polynomialtime player of the validity of an NP statement, without revealing any additional information (in the informationtheoretic sense). Here the security achieved is online: in order to cheat and validate a false theorem, the prover must break a cryptographic assumption online during the conversation, while the verifier cannot find (ever) any information unconditionally. Despite their practical and theoretical importance, it was only known how to implement zeroknowledge arguments based on specific algebraic assumptions. In this paper, we show a general construction, which can be based on any oneway permutation. The result is obtained by a construction of an informationtheoretic secure bitcommitment protocol. The protocol is efficient (both parties are polynomial time) and can be based on any oneway permutation. A preliminary version of this ...
Perfect ZeroKnowledge Arguments for NP Can Be Based on General Complexity Assumptions (Extended Abstract)
 JOURNAL OF CRYPTOLOGY
, 1998
"... "Zeroknowledge arguments" is a fundamental cryptographic primitive which allows one polynomialtime player to convince another polynomialtime player of the validity of an NP statement, without revealing any additional information in the informationtheoretic sense. Despite their practi ..."
Abstract

Cited by 42 (11 self)
 Add to MetaCart
"Zeroknowledge arguments" is a fundamental cryptographic primitive which allows one polynomialtime player to convince another polynomialtime player of the validity of an NP statement, without revealing any additional information in the informationtheoretic sense. Despite their practical and theoretical importance, it was only known how to implement zeroknowledge arguments based on specific algebraic assumptions; basing them on a general complexity assumption was open since their introduction in 1986 [BCC, BC, CH]. In this paper, we finally show a general construction, which can be based on any oneway permutation. We stress that our scheme is efficient: both players can execute only polynomialtime programs during the protocol. Moreover, the security achieved is online: in order to cheat and validate a false theorem, the prover must break a cryptographic assumption online during the conversation, while the verifier can not find (ever!) any information unconditionally (in the i...
Chameleon Hashing and Signatures
, 1998
"... We introduce chameleon signatures that provide with an undeniable commitment of the signer to the contents of the signed document (as regular digital signatures do) but, at the same time, do not allow the recipient of the signature to disclose the contents of the signed information to any third p ..."
Abstract

Cited by 37 (0 self)
 Add to MetaCart
We introduce chameleon signatures that provide with an undeniable commitment of the signer to the contents of the signed document (as regular digital signatures do) but, at the same time, do not allow the recipient of the signature to disclose the contents of the signed information to any third party without the signer's consent. These signatures are closely related to "undeniable signatures", but chameleon signatures allow for simpler and more efficient realizations than the latter. In particular, they are essentially noninteractive and do not involve the design and complexity of zeroknowledge proofs on which traditional undeniable signatures are based. Instead, chameleon signatures are generated under the standard method of hashthensign. Yet, the hash functions which are used are chameleon hash functions. These hash functions are characterized by the nonstandard property of being collisionresistant for the signer but collision tractable for the recipient. We present simple and efficient constructions of chameleon hashing and chameleon signatures. The former can be constructed based on standard cryptographic assumptions (such as the hardness of factoring or discrete logarithms) and have efficient realizations based on these assumptions. For the signature part we can use any digital signature (such as RSA or DSS) and prove the unforgeability property of the resultant chameleon signatures solely based on the unforgeability of the underlying digital signature in use.
Finding collisions in interactive protocols – A tight lower bound on the round complexity of statisticallyhiding commitments
 In Proceedings of the 48th Annual IEEE Symposium on Foundations of Computer Science
, 2007
"... We study the round complexity of various cryptographic protocols. Our main result is a tight lower bound on the round complexity of any fullyblackbox construction of a statisticallyhiding commitment scheme from oneway permutations, and even from trapdoor permutations. This lower bound matches th ..."
Abstract

Cited by 35 (11 self)
 Add to MetaCart
(Show Context)
We study the round complexity of various cryptographic protocols. Our main result is a tight lower bound on the round complexity of any fullyblackbox construction of a statisticallyhiding commitment scheme from oneway permutations, and even from trapdoor permutations. This lower bound matches the round complexity of the statisticallyhiding commitment scheme due to Naor, Ostrovsky, Venkatesan and Yung (CRYPTO ’92). As a corollary, we derive similar tight lower bounds for several other cryptographic protocols, such as singleserver private information retrieval, interactive hashing, and oblivious transfer that guarantees statistical security for one of the parties. Our techniques extend the collisionfinding oracle due to Simon (EUROCRYPT ’98) to the setting of interactive protocols (our extension also implies an alternative proof for the main property of the original oracle). In addition, we substantially extend the reconstruction paradigm of Gennaro and Trevisan (FOCS ‘00). In both cases, our extensions are quite delicate and may be found useful in proving additional blackbox separation results.
Paillier's Cryptosystem Revisited
 IN ACM CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY 2001
, 2001
"... We reexamine Paillier's cryptosystem, and show that by choosing a particular discrete log base g, and by introducing an alternative decryption procedure, we can extend the scheme to allow an arbitrary exponent e instead of N. The use of low exponents substantially increases the eciency of the ..."
Abstract

Cited by 33 (5 self)
 Add to MetaCart
We reexamine Paillier's cryptosystem, and show that by choosing a particular discrete log base g, and by introducing an alternative decryption procedure, we can extend the scheme to allow an arbitrary exponent e instead of N. The use of low exponents substantially increases the eciency of the scheme. The semantic security is now based on a new decisional assumption, namely the hardness of deciding whether an element is a "small" eth residue modulo N². We also
Statisticallyhiding commitment from any oneway function
 In 39th STOC
, 2007
"... We give a construction of statisticallyhiding commitment schemes (ones where the hiding property holds information theoretically), based on the minimal cryptographic assumption that oneway functions exist. Our construction employs twophase commitment schemes, recently constructed by Nguyen, Ong a ..."
Abstract

Cited by 30 (7 self)
 Add to MetaCart
We give a construction of statisticallyhiding commitment schemes (ones where the hiding property holds information theoretically), based on the minimal cryptographic assumption that oneway functions exist. Our construction employs twophase commitment schemes, recently constructed by Nguyen, Ong and Vadhan (FOCS ‘06), and universal oneway hash functions introduced and constructed by Naor and Yung (STOC ‘89) and Rompel (STOC ‘90).