The knowledge complexity of interactive proof systems
 in Proc. 27th Annual Symposium on Foundations of Computer Science
, 1985
Cited by 1039 (38 self)
Abstract. Usually, a proof of a theorem contains more knowledge than the mere fact that the theorem is true. For instance, to prove that a graph is Hamiltonian it suffices to exhibit a Hamiltonian tour in it; however, this seems to contain more knowledge than the single bit Hamiltonian/non-Hamiltonian. In this paper a computational complexity theory of the "knowledge" contained in a proof is developed. Zero-knowledge proofs are defined as those proofs that convey no additional knowledge other than the correctness of the proposition in question. Examples of zero-knowledge proof systems are given for the languages of quadratic residuosity and quadratic nonresiduosity. These are the first examples of zero-knowledge proofs for languages not known to be efficiently recognizable. Key words. cryptography, zero knowledge, interactive proofs, quadratic residues. AMS(MOS) subject classifications. 68Q15, 94A60. 1. Introduction. It is often regarded that saying a language L is in NP (that is, acceptable in nondeterministic polynomial time) is equivalent to saying that there is a polynomial time "proof system" for L. The proof system we have in mind is one where on input x, a "prover" creates a string a, and the "verifier" then computes on x and a in time polynomial in the length of the binary representation of x to check that
Replication Is Not Needed: Single Database, Computationally-Private Information Retrieval (Extended Abstract)
 IN PROC. OF THE 38TH ANNU. IEEE SYMP. ON FOUNDATIONS OF COMPUTER SCIENCE
, 1997
Cited by 211 (18 self)
We establish the following, quite unexpected, result: replication of data for the computational Private Information Retrieval problem is not necessary. More specifically, based on the quadratic residuosity assumption, we present a single database, computationally-private information-retrieval scheme with $O(n^{\epsilon})$ communication complexity for any $\epsilon > 0$.
The NP-completeness column: an ongoing guide
 Journal of Algorithms
, 1985
Cited by 188 (0 self)
This is the nineteenth edition of a (usually) quarterly column that covers new developments in the theory of NP-completeness. The presentation is modeled on that used by M. R. Garey and myself in our book "Computers and Intractability: A Guide to the Theory of NP-Completeness," W. H. Freeman & Co., New York, 1979 (hereinafter referred to as "[G&J]"; previous columns will be referred to by their dates). A background equivalent to that provided by [G&J] is assumed, and, when appropriate, cross-references will be given to that book and the list of problems (NP-complete and harder) presented there. Readers who have results they would like mentioned (NP-hardness, PSPACE-hardness, polynomial-time-solvability, etc.) or open problems they would like publicized, should
The Complexity of Perfect Zero-Knowledge
, 1987
Cited by 86 (3 self)
A Perfect Zero-Knowledge interactive proof system convinces a verifier that a string is in a language without revealing any additional knowledge in an information-theoretic sense. We show that for any language that has a perfect zero-knowledge proof system, its complement has a short interactive protocol. This result implies that there are not any perfect zero-knowledge protocols for NP-complete languages unless the polynomial time hierarchy collapses. This paper demonstrates that knowledge complexity can be used to show that a language is easy to prove. 1 Introduction Interactive protocols and zero-knowledge, as described by Goldwasser, Micali and Rackoff [GMR], have in recent years proven themselves to be important models of computation in both complexity and cryptography. Interactive proof systems are a randomized extension to NP which give us a greater understanding of what an infinitely powerful machine can prove to a probabilistic polynomial one. Recent results about interactive...
Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing
 in Advances in Cryptology - CRYPTO '96, Lecture Notes in Computer Science 1109
, 1996
Cited by 64 (6 self)
We present a very practical string-commitment scheme which is provably secure based solely on collision-free hashing. Our scheme enables a computationally bounded party to commit strings to an unbounded one, and is optimal (within a small constant factor) in terms of interaction, communication, and computation. Our result also proves that constant-round statistical zero-knowledge arguments and constant-round computational zero-knowledge proofs for NP exist based on the existence of collision-free hash functions. 1 Introduction String commitment is a fundamental primitive for cryptographic protocols. A commitment scheme is an electronic way to temporarily hide a value that cannot be changed. Such a scheme emulates by means of a protocol the following two-stage process. In Stage 1 (the Commit stage), a party called the Sender locks a message in a box, and sends the locked box to another party called the receiver. In Stage 2 (the Decommit stage), the Sender provides the Receiver with ...
On the Existence of 3-Round Zero-Knowledge Protocols
 In Crypto98, Springer LNCS 1462
, 1999
Cited by 51 (2 self)
In this paper, we construct a 3-round zero-knowledge protocol for any NP language. Our protocol achieves weaker notions of zero-knowledge than black-box simulation zero-knowledge. Therefore, our result does not contradict the triviality result of Goldreich and Krawczyk [GoKr96] which shows that 3-round black-box simulation zero-knowledge exist only for BPP languages. Our main contribution is to provide a non-black-box simulation technique. Whether there exists such a simulation technique was a major open problem in the theory of zero-knowledge. Our simulation technique is based on a nonstandard computational assumption related to the Diffie-Hellman problem, which was originally proposed by Damgard [Da91]. This assumption, which we call the DA1, says that, given randomly chosen instance of the discrete logarithm problem $(p, q, g, g^a)$, it is infeasible to compute $(B, X)$ such that $X = B^a \bmod p$ without knowing the value $b$ satisfying $B = g^b \bmod p$. Our protocol achieves different no...
Constant-Round Perfect Zero-Knowledge Computationally Convincing Protocols
, 1991
Cited by 45 (5 self)
A perfect zero-knowledge interactive protocol allows a prover to convince a verifier of the validity of a statement in a way that does not give the verifier any additional information [GMR,GMW]. Such protocols take place by the exchange of messages back and forth between the prover and the verifier. An important measure of efficiency for these protocols is the number of rounds in the interaction. In previously known perfect zero-knowledge protocols for statements concerning NP-complete problems [BCC], at least k rounds were necessary in order to prevent one party from having a probability of undetected cheating greater than $2^{-k}$. In this paper, we give the first perfect zero-knowledge protocol that offers arbitrarily high security for any statement in NP with a constant number of rounds. The protocol is computationally convincing (rather than statistically convincing as would have been an interactive proof-system in the sense of Goldwasser, Micali and Rackoff) because the ver...
Private Access to Distributed Information
 Master's thesis, Technion - Israel Institute of Technology
, 1998
Cited by 44 (0 self)
This research was carried out in the Faculty of Computer Science under the supervision of Prof. Eyal Kushilevitz. I would like to thank Prof. Eyal Kushilevitz for his instructive guidance, and the (formal and informal) members of room 429 for fruitful discussions on relevant subjects. The generous financial help of the Technion is gratefully acknowledged.
Perfect Zero-Knowledge Arguments for NP Can Be Based on General Complexity Assumptions (Extended Abstract)
 JOURNAL OF CRYPTOLOGY
, 1998
Cited by 41 (11 self)
"Zero-knowledge arguments" is a fundamental cryptographic primitive which allows one polynomial-time player to convince another polynomial-time player of the validity of an NP statement, without revealing any additional information in the information-theoretic sense. Despite their practical and theoretical importance, it was only known how to implement zero-knowledge arguments based on specific algebraic assumptions; basing them on a general complexity assumption was open since their introduction in 1986 [BCC, BC, CH]. In this paper, we finally show a general construction, which can be based on any one-way permutation. We stress that our scheme is efficient: both players can execute only polynomial-time programs during the protocol. Moreover, the security achieved is online: in order to cheat and validate a false theorem, the prover must break a cryptographic assumption online during the conversation, while the verifier can not find (ever!) any information unconditionally (in the i...
The (True) Complexity of Statistical Zero Knowledge (Extended Abstract)
 Proceedings of the 22nd Annual ACM Symposium on the Theory of Computing, ACM
, 1990
Cited by 40 (17 self)
Mihir Bellare, Silvio Micali, Rafail Ostrovsky. MIT Laboratory for Computer Science, 545 Technology Square, Cambridge, MA 02139. Abstract. Statistical zero-knowledge is a very strong privacy constraint which is not dependent on computational limitations. In this paper we show that given a complexity assumption a much weaker condition suffices to attain statistical zero-knowledge. As a result we are able to simplify statistical zero-knowledge and to better characterize, on many counts, the class of languages that possess statistical zero-knowledge proofs. 1 Introduction An interactive proof involves two parties, a prover and a verifier, who talk back and forth. The prover, who is computationally unbounded, tries to convince the probabilistic polynomial time verifier that a given theorem is true. A zero-knowledge proof is an interactive proof with an additional privacy constraint: the verifier does not learn why the theorem is true [11]. That is, whatever the polynomial-time verif...