## Fair Games Against an All-Powerful Adversary (1991)

### Cached

### Download Links

Venue: | AMS DIMACS Series in Discrete Mathematics and Theoretical Computer Science |

Citations: | 40 - 15 self |

### BibTeX

@INPROCEEDINGS{Ostrovsky91fairgames,

author = {Rafail Ostrovsky and Ramarathnam Venkatesan and Moti Yung},

title = {Fair Games Against an All-Powerful Adversary},

booktitle = {AMS DIMACS Series in Discrete Mathematics and Theoretical Computer Science},

year = {1991},

pages = {155--169}

}

### Years of Citing Articles

### OpenURL

### Abstract

Suppose that a weak (polynomial time) device needs to interact over a clear channel with a strong (infinitely-powerful) and untrustworthy adversarial device. Assuming the existence of one-way functions, during this interaction (game) the infinitelypowerful device can encrypt and (computationally) hide information from the weak device. However, to keep the game fair, the weak player must hide information from the infinitely-powerful player in the information-theoretic sense. Clearly, encryption in this case is useless, and other means must be used. In this paper, we show that under a general complexity assumption, this task is always possible to achieve. That is, we show that the weak player can play any polynomial length partial-information game (or secure protocol) with the strong player using any one-way function; we achieve this by implementing oblivious transfer protocol in this model. We also establish related impossibility results concerning oblivious transfer. In the proof of ou...

### Citations

863 | A Digital Signature Scheme Secure Against Adaptive ChosenMessage Attacks
- Goldwasser, Micali, et al.
- 1988
(Show Context)
Citation Context ...various applications where information must be hidden from polynomiallybounded adversary, such as pseudo-random generators [BM], computational zero-knowledge proofs [GMR, GMW1] and digital signatures =-=[GMRi]-=- which were shown to be equivalent to the existence of general one-way functions [ILL, H, N, OW, NY, Ro]. This motivates us to investigate the weakest possible complexity assumptions needed for inform... |

750 | A pseudorandom generator from any one-way function - Hastad, Impagliazzo, et al. - 1999 |

621 |
How to generate cryptographically strong sequences of pseudorandom bits
- UM, MICALI
- 1984
(Show Context)
Citation Context ...cific algebraic functions, e.g., [BCC, AFK, CDV, AF]. This is in contrast to various applications where information must be hidden from polynomiallybounded adversary, such as pseudo-random generators =-=[BM]-=-, computational zero-knowledge proofs [GMR, GMW1] and digital signatures [GMRi] which were shown to be equivalent to the existence of general one-way functions [ILL, H, N, OW, NY, Ro]. This motivates ... |

591 |
How to generate and exchange secrets
- Yao
- 1986
(Show Context)
Citation Context ...multiparty) secure distributed circuit evaluation (partial information games) among weak players [K, GMW2], and used to implement bounded-interaction zero-knowledge proof systems for NP in [KMO]. Yao =-=[Y]-=- used OT to construct secure circuit evaluation, based on factoring, while in [GMW2] it was based on any trapdoor permutation. Cryptographic Applications: Our results can be used to reduce the complex... |

501 | A randomized protocol for signing contracts
- Even, Goldreich, et al.
- 1985
(Show Context)
Citation Context ...r's bit only with probability 1=2 + " (uncertain transferability requirement). S does not know whether R got the value (oblivious-ness requirement). An equivalent notion called 1-2-OT (1-out-of-2=-= OT) [EGL]-=-, involves S with two bits b 0 and b 1 and R has a selection bit i. After the transfer, R gets only b i , while S does not know the value of i. 1-k-string-OT (for a constant k) is similar and equivale... |

468 |
How to play any mental game
- Goldreich, Micali, et al.
- 1987
(Show Context)
Citation Context ...weak, implementing OT using any one-way permutation, in some technical sense (using black-box reduction), is as difficult as separating P from NP [IR]; on the other hand trapdoor permutations suffice =-=[GMW2]-=- (a trapdoor function is, roughly speaking, a family one-way functions with the additional property that there is a secret associated with each function, whose possession enables easy inversion of the... |

309 | Algebraic Methods for Interactive Proof Systems
- Lund, Fortnow, et al.
- 1990
(Show Context)
Citation Context ... 2=n and hence is zero with probabilitys1 \Gamma 2 n (when F is one-to-one as well). Notice, that since the sender can perform P #P computations, he can convince the receiver of any statement in P #P =-=[LFKN]-=- (also [S] but the prover needs PSPACE power). Moreover, any interactive proof can be turned into a zero-knowledge one, assuming the existence of one-way functions [IY] (using bit commitment [N]). Let... |

247 |
Founding cryptography on oblivious transfer, in
- Kilian
- 1988
(Show Context)
Citation Context ...tely. Fortunately, the simple protocol of Oblivious Transfer (OT) due to Rabin [R] , is sufficient for all two-party secure computations. (This was put forth in [GMW2, Y] and sufficiency was shown in =-=[K]-=-.) OT is a protocol between a sender and a receiver with an input string d. Using the protocol, the receiver gets d with probability 1/2 (and nothing otherwise) while the sender does not learn whether... |

215 |
NP is as easy as detecting unique solutions
- Valiant, Vazirani
- 1986
(Show Context)
Citation Context ... 1=2 + " . Then there is an algorithm that inverts f at y in polynomial time if " = 1=O(n c ); c ? 0 for all but negligible fraction of its coin-flips. We get the following as an easy deriva=-=tion from [VV]. Remark 2 Le-=-t the rows h i ; i := 1; k of matrix H k be randomly and independently chosen from f0; 1g n , non-empty A ae f0; 1g n ; b 2 f0; 1g k . �� X k = A " fx : H k x = bg; X k = j �� X k j. Then... |

204 | One-way functions are necessary and sufficient for secure signatures - Rompel - 1990 |

112 | Achieving oblivious transfer using weakened security assumptions - Crépeau, Kilian - 1988 |

77 | Information Theoretic Reduction among Disclosure - Brassard, CrCpeau, et al. - 1986 |

75 |
Hard-core predicates for any one-way function
- Goldreich, Levin
- 1989
(Show Context)
Citation Context ...n is invertible only on negligible fraction of instances. A permutation is length preserving and one-to-one. B(x; y) denotes the inner-product mod 2 of x and y. We use the following results. Remark 1 =-=[GL] Let -=-f be one-way, and f(x) = y. Let G(!; y; p) be an algorithm with internal coin flips ! running in polynomial time that guesses B(x; p) with probability (over p) 1=2 + " . Then there is an algorith... |

43 | The (true) complexity of statistical zero knowledge
- Bellare, Micali, et al.
- 1990
(Show Context)
Citation Context ...en cheating) verifier [OVY3] based on general complexity assumptions (this was originally based on algebraic assumptions, e.g. for statistical zero-knowledge proofs the discrete logarithm was used in =-=[BMO]). An-=-other important implication is implementing perfectly secure zero-knowledge arguments (defined in [BCC]) based on general complexity assumptions in [NOVY]. To summerize, the general paradigm of "... |

42 | Perfect zeroknowledge arguments for NP can be based on general complexity assumptions
- Naor, Ostrovsky, et al.
- 1998
(Show Context)
Citation Context ...proofs the discrete logarithm was used in [BMO]). Another important implication is implementing perfectly secure zero-knowledge arguments (defined in [BCC]) based on general complexity assumptions in =-=[NOVY]. To summe-=-rize, the general paradigm of "information-theoretic security based on intractability of cryptographic tools", was developed and applied extensively in the last decade (e.g., [BCC, CDV, AFK,... |

39 | One-Way Functions Are Essential for Non-Trivial Zero-Knowledge - Ostrovsky, Wigderson - 1993 |

36 | One-way functions are necessary and su±cient for secure signatures - Rompel - 1990 |

31 | An equivalence between two flavors of oblivious transfer - Crepeau - 1987 |

30 | One-Way Functions Are Essential for Complexity-Based Cryptography - Impagliazzo, Luby - 1989 |

27 | Minimum resource zero-knowledge proofs (extended abstract
- Kilian, Micali, et al.
- 1989
(Show Context)
Citation Context ... (two- and multiparty) secure distributed circuit evaluation (partial information games) among weak players [K, GMW2], and used to implement bounded-interaction zero-knowledge proof systems for NP in =-=[KMO]-=-. Yao [Y] used OT to construct secure circuit evaluation, based on factoring, while in [GMW2] it was based on any trapdoor permutation. Cryptographic Applications: Our results can be used to reduce th... |

23 | Multiparty computations ensuring privacy of each party’s input and correctness of the result - CHAUM, ˚ARD, et al. - 1987 |

22 | Minimum-Knowledge Interactive Proofs for Decision Problems - Galil, Haber, et al. - 1989 |

18 | Interactive hashing simplifies zero-knowledge protocol design
- Ostrovsky, Venkatesan, et al.
- 1993
(Show Context)
Citation Context ...lications to zero-knowledge proofs, showing that any zero-knowledge proof protocol designed for a honest verifier can be compiled into a zero-knowledge proof protocol for any (even cheating) verifier =-=[OVY3]-=- based on general complexity assumptions (this was originally based on algebraic assumptions, e.g. for statistical zero-knowledge proofs the discrete logarithm was used in [BMO]). Another important im... |

15 | Secure Commitment Against a Powerful Adversary
- Ostrovsky, Venkatesan, et al.
- 1992
(Show Context)
Citation Context ...owing examples. The technique was employed in characterizing instance-hiding zero-knowledge proof systems [FO]. It was also used in implementing bit commitment protocols with players of unequal power =-=[OVY2]-=-. It can also have applications to zero-knowledge proofs, showing that any zero-knowledge proof protocol designed for a honest verifier can be compiled into a zero-knowledge proof protocol for any (ev... |

14 |
The Knowledge Complexity of Interactive
- Goldwasser, Micali, et al.
- 1985
(Show Context)
Citation Context ...ure and fair. This model of a weak player communicating with a strong one having unlimited computing power, represents naturally a variety of settings: the statistical zero-knowledge proof systems of =-=[GMR]-=-, zero-knowledge arguments of [BCC] where the hiding from a verifier must be perfect (i.e. in information theoretic sense), computing a function with the help of powerful oracle while hiding the argum... |

8 |
M.Yung: On certifying cryptographic tools: the case of trapdoor permutations
- Bellare
(Show Context)
Citation Context ... specific algebraic trapdoor assumptions [CDV, AF]. The player who simulates the strong player first presents a trapdoor permutation and certifies in zero-knowledge the validity of this property (see =-=[BY]-=- for the need for certification in this case). Then, the players can use OT in both directions, and can use the availability of OT to further validate their actions; all these activities can be done w... |

7 |
Rackoff An Oblivious Transfer Protocol Equivalent to Factoring, Manuscript
- Fischer, Micali, et al.
- 1985
(Show Context)
Citation Context ...lexity enables a reduction of the protocol's underlying complexity assumption. Relation to earlier work: Rabin based his implementation of OT for honest parties on the intractability of factoring. In =-=[FMR]-=- an implementation of OT based on factoring and robust against cheaters was given. Various flavors of OT and their information-theoretic equivalence was studied [EGL, BCR, C, K, CK]. OT is complete fo... |

7 | Proofs that Yield Nothing but their Validity", FOCS 86 - Goldreich, Micali, et al. |

6 |
Applications of Oblivious Transfer, Unpublished manuscript
- Blum
(Show Context)
Citation Context ...ive cryptographic OT protocol (and 1-2-OT protocol). Proof: Assume first both the sender S and the receiver R are weak. In this case, we prove the result by showing that Blum's coin-flipping protocol =-=[B] need-=-s at least three messages and is reducible to 1-2-OT plus one additional message. Similar result holds for plain OT (when B's win of the flip is redefined to mean "B successfully gets the input s... |

5 |
On the Limitations of certain One-Way
- Impagliazzo, Rudich
- 1989
(Show Context)
Citation Context ...mptions needed to implement OT? When both players are weak, implementing OT using any one-way permutation, in some technical sense (using black-box reduction), is as difficult as separating P from NP =-=[IR]-=-; on the other hand trapdoor permutations suffice [GMW2] (a trapdoor function is, roughly speaking, a family one-way functions with the additional property that there is a secret associated with each ... |

4 |
Ostrovsky A note on one-prover, instance-hiding zeroknowledge proof systems
- Feigenbaum, R
- 1993
(Show Context)
Citation Context ...seems to combine with other method and to yield various implications of which we list the following examples. The technique was employed in characterizing instance-hiding zero-knowledge proof systems =-=[FO]-=-. It was also used in implementing bit commitment protocols with players of unequal power [OVY2]. It can also have applications to zero-knowledge proofs, showing that any zero-knowledge proof protocol... |

4 |
Completeness Theorem for Two-party Secure Computation
- Kilian
- 1991
(Show Context)
Citation Context ...s a one-way function [IL, BCG]; we next show explicitly that complexity assumptions (and a weak player) are needed for OT (related ideas have appeared in [K], another related more recent result is in =-=[K2]-=-). Theorem 5 It is impossible to implement an information-theoretic OT protocol. Proof: The following Mental Poker is shown impossible in [SRA]: given two honest (but curious) players A and B, deal ea... |

3 |
How to Exchange Secrets by Oblivious Transfer TR-81 Aiken Computation Laboratory
- Rabin
- 1981
(Show Context)
Citation Context ...us circuit evaluation". Until recently, one needed to analyze each individual partial-information game of interest separately. Fortunately, the simple protocol of Oblivious Transfer (OT) due to R=-=abin [R]-=- , is sufficient for all two-party secure computations. (This was put forth in [GMW2, Y] and sufficiency was shown in [K].) OT is a protocol between a sender and a receiver with an input string d. Usi... |

3 |
Interactive hashing simpli es zero-knowledge protocol design
- Ostrovsky, Venkatesan, et al.
- 1993
(Show Context)
Citation Context ...pplications to zero-knowledge proofs, showing that any zero-knowledge proof protocol designed for a honest veri er can be compiled into a zero-knowledge proof protocol for any (even cheating) veri er =-=[OVY3]-=- based on general complexity assumptions (this was originally based on algebraic assumptions, e.g. for statistical zero-knowledge proofs the discrete logarithm was used in [BMO]). Another important im... |

2 | Pseudo-Random Generators under Uniform - Hastad |

2 |
Bit Commitment Using Pseudo-Randomness Crypto-89
- Naor
(Show Context)
Citation Context ...#P [LFKN] (also [S] but the prover needs PSPACE power). Moreover, any interactive proof can be turned into a zero-knowledge one, assuming the existence of one-way functions [IY] (using bit commitment =-=[N]-=-). Let e S j ; j := 0; 1 be the simulator for such a P #P protocol for proving the stopping condition for the repeat loop and the uniqueness of x i respectively in step (P) above (the simulators get a... |

1 | Simple Protocol for Secure Circuit Computation Symposium on Theoretical - Abadi, Feigenbaum |

1 |
On Hiding Information from an Oracle Journ
- Abadi, Feigenbaum, et al.
- 1989
(Show Context)
Citation Context ...ro-knowledge arguments of [BCC] where the hiding from a verifier must be perfect (i.e. in information theoretic sense), computing a function with the help of powerful oracle while hiding the argument =-=[AFK]-=- and secure circuit computation while keeping one party perfectly secure [CDV, AF]. So far, all the works requiring information hiding from a strong adversary relied on assumed hardness of some specif... |

1 |
The Nature of Key-Exchange
- Cowen, Goldwasser
- 1991
(Show Context)
Citation Context ...space should not know the outcome. Thus, a third message is needed. However, the reduction above holds, a contradiction. When both players are weak, existence of OT protocol yields a one-way function =-=[IL, BCG]-=-; we next show explicitly that complexity assumptions (and a weak player) are needed for OT (related ideas have appeared in [K], another related more recent result is in [K2]). Theorem 5 It is impossi... |

1 |
Certifying Cryptographic Tools:TheCaseoftheTrapdoor Permutation Crypto-92
- Bellare, Yung
(Show Context)
Citation Context ...nder speci c algebraic trapdoor assumptions [CDV, AF]. The player who simulates the strong player rst presents a trapdoor permutation and certi es in zero-knowledge the validity of this property (see =-=[BY]-=- for the need for certi cation in this case). Then, the players can use OT in both directions, and can use the availability of OT to further validate their actions� all these activities can be done wh... |