Results 1  10
of
86
Concurrent ZeroKnowledge
 IN 30TH STOC
, 1999
"... Concurrent executions of a zeroknowledge protocol by a single prover (with one or more verifiers) may leak information and may not be zeroknowledge in toto. In this paper, we study the problem of maintaining zeroknowledge We introduce the notion of an (; ) timing constraint: for any two proces ..."
Abstract

Cited by 156 (19 self)
 Add to MetaCart
Concurrent executions of a zeroknowledge protocol by a single prover (with one or more verifiers) may leak information and may not be zeroknowledge in toto. In this paper, we study the problem of maintaining zeroknowledge We introduce the notion of an (; ) timing constraint: for any two processors P1 and P2 , if P1 measures elapsed time on its local clock and P2 measures elapsed time on its local clock, and P2 starts after P1 does, then P2 will finish after P1 does. We show that if the adversary is constrained by an (; ) assumption then there exist fourround almost concurrent zeroknowledge interactive proofs and perfect concurrent zeroknowledge arguments for every language in NP . We also address the more specific problem of Deniable Authentication, for which we propose several particularly efficient solutions. Deniable Authentication is of independent interest, even in the sequential case; our concurrent solutions yield sequential solutions without recourse to timing, i.e., in the standard model.
Universally Composable TwoParty and MultiParty Secure Computation
, 2002
"... We show how to securely realize any twoparty and multiparty functionality in a universally composable way, regardless of the number of corrupted participants. That is, we consider an asynchronous multiparty network with open communication and an adversary that can adaptively corrupt as many pa ..."
Abstract

Cited by 125 (32 self)
 Add to MetaCart
We show how to securely realize any twoparty and multiparty functionality in a universally composable way, regardless of the number of corrupted participants. That is, we consider an asynchronous multiparty network with open communication and an adversary that can adaptively corrupt as many parties as it wishes. In this setting, our protocols allow any subset of the parties (with pairs of parties being a special case) to securely realize any desired functionality of their local inputs, and be guaranteed that security is preserved regardless of the activity in the rest of the network. This implies that security is preserved under concurrent composition of an unbounded number of protocol executions, it implies nonmalleability with respect to arbitrary protocols, and more. Our constructions are in the common reference string model and rely on standard intractability assumptions.
Delegating computation: interactive proofs for muggles
 In Proceedings of the ACM Symposium on the Theory of Computing (STOC
, 2008
"... In this work we study interactive proofs for tractable languages. The (honest) prover should be efficient and run in polynomial time, or in other words a “muggle”. 1 The verifier should be superefficient and run in nearlylinear time. These proof systems can be used for delegating computation: a se ..."
Abstract

Cited by 57 (4 self)
 Add to MetaCart
In this work we study interactive proofs for tractable languages. The (honest) prover should be efficient and run in polynomial time, or in other words a “muggle”. 1 The verifier should be superefficient and run in nearlylinear time. These proof systems can be used for delegating computation: a server can run a computation for a client and interactively prove the correctness of the result. The client can verify the result’s correctness in nearlylinear time (instead of running the entire computation itself). Previously, related questions were considered in the Holographic Proof setting by Babai, Fortnow, Levin and Szegedy, in the argument setting under computational assumptions by Kilian, and in the random oracle model by Micali. Our focus, however, is on the original interactive proof model where no assumptions are made on the computational power or adaptiveness of dishonest provers. Our main technical theorem gives a public coin interactive proof for any language computable by a logspace uniform boolean circuit with depth d and input length n. The verifier runs in time (n+d)·polylog(n) and space O(log(n)), the communication complexity is d · polylog(n), and the prover runs in time poly(n). In particular, for languages computable by logspace uniform N C (circuits of polylog(n) depth), the prover is efficient, the verifier runs in time n · polylog(n) and space O(log(n)), and the communication complexity is polylog(n).
The knowledgeofexponent assumptions and 3round zeroknowledge protocols
, 2004
"... Abstract. Hada and Tanaka [11, 12] showed the existence of 3round, negligibleerror zeroknowledge arguments for NP based on a pair of nonstandard assumptions, here called KEA1 and KEA2. In this paper we show that KEA2 is false. This renders vacuous the results of [11, 12]. We recover these result ..."
Abstract

Cited by 52 (1 self)
 Add to MetaCart
Abstract. Hada and Tanaka [11, 12] showed the existence of 3round, negligibleerror zeroknowledge arguments for NP based on a pair of nonstandard assumptions, here called KEA1 and KEA2. In this paper we show that KEA2 is false. This renders vacuous the results of [11, 12]. We recover these results, however, under a suitably modified new assumption called KEA3. What we believe is most interesting is that we show that it is possible to “falsify ” assumptions like KEA2 that, due to their nature and quantifierstructure, do not lend themselves easily to “efficient falsification ” (Naor [15]). 1
On Deniability in the Common Reference String and Random Oracle Model
 In proceedings of CRYPTO ’03, LNCS series
, 2003
"... Abstract. We revisit the definitions of zeroknowledge in the Common Reference String (CRS) model and the Random Oracle (RO) model. We argue that even though these definitions syntactically mimic the standard zeroknowledge definition, they loose some of its spirit. In particular, we show that there ..."
Abstract

Cited by 52 (5 self)
 Add to MetaCart
Abstract. We revisit the definitions of zeroknowledge in the Common Reference String (CRS) model and the Random Oracle (RO) model. We argue that even though these definitions syntactically mimic the standard zeroknowledge definition, they loose some of its spirit. In particular, we show that there exist a specific natural security property that is not captured by these definitions. This is the property of deniability. We formally define the notion of deniable zeroknowledge in these models and investigate the possibility of achieving it. Our results are different for the two models: – Concerning the CRS model, we rule out the possibility of achieving deniable zeroknowledge protocols in “natural ” settings where such protocols cannot already be achieved in plain model. – In the RO model, on the other hand, we construct an efficient 2round deniable zeroknowledge argument of knowledge, that preserves both the zeroknowledge property and the proof of knowledge property under concurrent executions (concurrent zeroknowledge and concurrent proofof knowledge). 1
On the Existence of 3Round ZeroKnowledge Protocols
 In Crypto98, Springer LNCS 1462
, 1999
"... In this paper, we construct a 3round zeroknowledge protocol for any NP language. Our protocol achieves weaker notions of zeroknowledge than blackbox simulation zeroknowledge. Therefore, our result does not contradict the triviality result of Goldreich and Krawczyk [GoKr96] which shows that 3ro ..."
Abstract

Cited by 51 (2 self)
 Add to MetaCart
In this paper, we construct a 3round zeroknowledge protocol for any NP language. Our protocol achieves weaker notions of zeroknowledge than blackbox simulation zeroknowledge. Therefore, our result does not contradict the triviality result of Goldreich and Krawczyk [GoKr96] which shows that 3round blackbox simulation zeroknowledge exist only for BPP languages. Our main contribution is to provide a nonblackbox simulation technique. Whether there exists such a simulation technique was a major open problem in the theory of zeroknowledge. Our simulation technique is based on a nonstandard computational assumption related to the Di#eHellman problem, which was originally proposed by Damgard [Da91]. This assumption, which we call the DA1, says that, given randomly chosen instance of the discrete logarithm problem (p, q, g, g a ), it is infeasible to compute (B, X) such that X = B a mod p without knowing the value b satisfying B = g b mod p. Our protocol achieves di#erent no...
Boundedconcurrent secure twoparty computation without setup assumptions
 STOC 2003
, 2003
"... ..."
Concurrent Zero Knowledge with Logarithmic RoundComplexity
 In 43rd FOCS
, 2002
"... We show that every language in has a (blackbox) concurrent zeroknowledge proof system using O(log n) rounds of interaction. The number of rounds in our protocol is optimal, in the sense that any language outside requires at least #11 n) rounds of interaction in order to be proved in blac ..."
Abstract

Cited by 43 (7 self)
 Add to MetaCart
We show that every language in has a (blackbox) concurrent zeroknowledge proof system using O(log n) rounds of interaction. The number of rounds in our protocol is optimal, in the sense that any language outside requires at least #11 n) rounds of interaction in order to be proved in blackbox concurrent zeroknowledge. The zeroknowledge property of our main protocol is proved under the assumption that there exists a collection of clawfree functions. Assuming only the existence of oneway functions, we show the existence of O(log n)round concurrent zeroknowledge arguments for all languages in .
Strict Polynomialtime in Simulation and Extraction
, 2004
"... The notion of efficient computation is usually identified in cryptography and complexity with (strict) probabilistic polynomial time. However, until recently, in order to obtain constantround ..."
Abstract

Cited by 43 (8 self)
 Add to MetaCart
The notion of efficient computation is usually identified in cryptography and complexity with (strict) probabilistic polynomial time. However, until recently, in order to obtain constantround
Simulation in quasipolynomial time, and its application to protocol composition
 In EUROCRYPT
, 2003
"... Abstract. We propose a relaxation of zeroknowledge, by allowing the simulator to run in quasipolynomial time. We show that protocols satisfying this notion can be constructed in settings where the standard definition is too restrictive. Specifically, we construct constantround straightline concur ..."
Abstract

Cited by 37 (10 self)
 Add to MetaCart
Abstract. We propose a relaxation of zeroknowledge, by allowing the simulator to run in quasipolynomial time. We show that protocols satisfying this notion can be constructed in settings where the standard definition is too restrictive. Specifically, we construct constantround straightline concurrent quasipolynomial time simulatable arguments and show that such arguments can be used in advanced composition operations without any setup assumptions. Our protocols rely on slightly strong, but standard type assumptions (namely the existence of onetoone oneway functions secure against subexponential circuits). 1