Results 1-10 of 13
Constant-round concurrent zero knowledge from falsifiable assumptions
, 2012
Cited by 17 (5 self)
Abstract
We present a constant-round concurrent zero-knowledge protocol for NP. Our protocol is sound against uniform polynomial-time attackers, and relies on the existence of families of collision-resistant hash functions, and a new (but in our eyes, natural) falsifiable intractability assumption: roughly speaking, that Micali’s non-interactive CS-proofs are sound for languages in P.
Adaptive Hardness and Composable Security in the Plain Model from Standard Assumptions
Cited by 15 (5 self)
Abstract
We construct the first general secure computation protocols that require no trusted infrastructure other than authenticated communication, and that satisfy a meaningful notion of security that is preserved under universal composition—assuming only the existence of enhanced trapdoor permutations. The notion of security fits within a generalization of the “angel-based” framework of Prabhakaran and Sahai (STOC’04) and implies super-polynomial time simulation security. Security notions of this kind are currently known to be realizable only under strong and specific hardness assumptions. A key element in our construction is a commitment scheme that satisfies a new and strong notion of security. The notion, security against chosen-commitment attacks (CCA security), means that security holds even if the attacker has access to an extraction oracle that gives the adversary decommitment information to commitments of the adversary’s choice. This notion is stronger than concurrent non-malleability and is of independent interest. We construct CCA-secure commitments based on standard one-way functions, and with no trusted setup. To the best of our knowledge, this provides the first construction of a natural cryptographic primitive requiring adaptive hardness from standard hardness assumptions, using no trusted setup or public keys.
Keywords: cryptography; adaptive hardness; secure multi-party computation; composable security
Limits of Provable Security From Standard Assumptions
, 2011
Cited by 11 (3 self)
Abstract
We show that the security of some well-known cryptographic protocols, primitives and assumptions (e.g., the Schnorr identification scheme, commitments secure under adaptive selective-decommitment, the “one-more” discrete logarithm assumption) cannot be based on any standard assumption using a Turing (i.e., black-box) reduction. These results follow from a general result showing that Turing reductions cannot be used to prove security of constant-round sequentially witness-hiding special-sound protocols for unique witness relations, based on standard assumptions; we emphasize that this result holds even if the protocol makes non-black-box use of the
Precise Zero Knowledge
, 2007
Cited by 3 (2 self)
Abstract
We put forward the notion of Precise Zero Knowledge and provide its first implementations in a variety of settings under standard complexity assumptions. Whereas the classical notion of Zero Knowledge bounds the knowledge of a player in terms of his potential computational power (technically defined as polynomial-time computation), Precise Zero Knowledge bounds the knowledge gained by a player in terms of its actual computation (which can be considerably less than any arbitrary polynomial-time computation). Consequently, our approach not only remains valid even if P = NP, but is most meaningful when modeling knowledge of computationally easy properties.
Obfuscation-based Non-black-box Simulation and Four Message Concurrent Zero Knowledge for NP
, 2013
Cited by 3 (2 self)
Abstract
As recent studies show, the notions of program obfuscation and zero knowledge are intimately connected. In this work, we explore this connection further, and prove the following general result. If there exists differing-input obfuscation (diO) for the class of all polynomial-time Turing machines, then there exists a four-message, fully concurrent zero-knowledge proof system for all languages in NP with negligible soundness error. This result is constructive: given diO, our reduction yields an explicit protocol along with an explicit simulator that is “straight line” and runs in strict polynomial time. Our reduction relies on a new non-black-box simulation technique which does not use the PCP theorem. In addition to assuming diO, our reduction also assumes (standard and polynomial-time) cryptographic assumptions such as collision-resistant hash functions. The round complexity of our protocol also sheds new light on the exact round complexity of concurrent zero-knowledge. It shows, for the first time, that in the realm of non-black-box simulation, concurrent zero-knowledge may not necessarily require more rounds than stand-alone zero-knowledge!
Constant-Round Black-Box Construction of Composable Multi-Party Computation Protocol
Cited by 1 (0 self)
Abstract
We present the first general MPC protocol that satisfies the following: (1) the construction is black-box, (2) the protocol is universally composable in the plain model, and (3) the number of rounds is constant. The security of our protocol is proven in angel-based UC security under the assumption of the existence of one-way functions that are secure against subexponential-time adversaries and constant-round semi-honest oblivious transfer protocols that are secure against quasi-polynomial-time adversaries. We obtain the MPC protocol by constructing a constant-round CCA-secure commitment scheme in a black-box way under the assumption of the existence of one-way functions that are secure against subexponential-time adversaries. To justify the use of such a subexponential hardness assumption in obtaining our constant-round CCA-secure commitment scheme, we show that if black-box reductions are used, there does not exist any constant-round CCA-secure commitment scheme under any falsifiable polynomial-time hardness assumptions.
Eye for an Eye: Efficient Concurrent Zero-Knowledge in the Timing Model
, 2009
Abstract
We present new and efficient concurrent zero-knowledge protocols in the timing model. In contrast to earlier works—which through artificially-imposed delays require every protocol execution to run at the speed of the slowest link in the network—our protocols essentially only delay messages based on the actual response time of each verifier (which can be significantly smaller).
Precise Bounded-Concurrent Zero-Knowledge in Almost Constant
Abstract
Precise concurrent zero-knowledge is a new notion introduced by Pandey et al. [23] in Eurocrypt’08 (which generalizes the work on precise zero-knowledge by Micali and Pass [19] in STOC’06). This notion captures the idea that the view of any verifier in concurrent interaction can be reconstructed in almost the same time. [23] constructed some (private-coin) concurrent zero-knowledge argument systems for NP which achieve precision at different levels, and all these protocols use at least ω(log n) rounds. In this paper we investigate the feasibility of reducing the round complexity while still keeping precision. Our result is that we construct a public-coin precise bounded-concurrent zero-knowledge argument system for NP using only almost constant rounds, i.e., ω(1) rounds. Bounded-concurrency means an a priori bound on the (polynomial) number of concurrent sessions is specified before the protocol is constructed. Our result doesn’t need any setup assumption. We stress that this result cannot be obtained
Round-Efficient Concurrently Composable Secure Computation via a Robust Extraction Lemma
Abstract
We consider the problem of constructing protocols for secure computation that achieve strong concurrent and composable notions of security in the plain model. Unfortunately, UC-secure secure computation protocols are impossible in this setting, but the Angel-Based Composable Security notion offers a promising alternative. Until now, however, under standard (polynomial-time) assumptions, only protocols with polynomially many rounds were known to exist. In this work, we give the first Õ(log n)-round secure computation protocol in the plain model that achieves angel-based composable security in the concurrent setting, under standard assumptions. We do so by constructing the first Õ(log n)-round CCA-secure commitment protocol. Our CCA-secure commitment protocol is secure based on the minimal assumption that one-way functions exist. A central tool in obtaining our result is a new robust concurrent extraction lemma that we introduce and prove, based on the minimal assumption that one-way functions exist. This robust concurrent extraction lemma shows how to build concurrent extraction procedures that work even in the context of an “external” protocol that cannot be rewound by the extractor. We believe this lemma can be used to simplify many existing works on concurrent security, and is of independent interest. In fact, our lemma, when used in conjunction with the concurrent-simulation schedule of Pass and Venkitasubramaniam (TCC’08), also yields a constant-round construction based additionally on the existence of quasi-polynomial time (PQT) secure one-way functions.
The Knowledge Tightness of Parallel Zero-Knowledge
Abstract
We investigate the concrete security of black-box zero-knowledge protocols when composed in parallel. As our main result, we give essentially tight upper and lower bounds (up to logarithmic factors in the security parameter) on the following measure of security (closely related to knowledge tightness): the number of queries made by black-box simulators when zero-knowledge protocols are composed in parallel. As a function of the number of parallel sessions, k, and the round complexity of the protocol, m, the bound is roughly k^(1/m). We also construct a modular procedure to amplify simulator-query lower bounds (as above) to generic lower bounds in the black-box concurrent zero-knowledge setting. As a demonstration of our techniques, we give a self-contained proof of the o(log n / log log n) lower bound for the round complexity of black-box concurrent zero-knowledge protocols, first shown by Canetti, Kilian, Petrank and Rosen (STOC 2002). Additionally, we give a new lower bound regarding constant-round black-box concurrent zero-knowledge protocols: the running time of the black-box simulator must be at least n^Ω(log n).