Results 1  10
of
44
On the Composition of ZeroKnowledge Proof Systems
 SIAM Journal on Computing
, 1990
"... : The wide applicability of zeroknowledge interactive proofs comes from the possibility of using these proofs as subroutines in cryptographic protocols. A basic question concerning this use is whether the (sequential and/or parallel) composition of zeroknowledge protocols is zeroknowledge too. We ..."
Abstract

Cited by 207 (15 self)
 Add to MetaCart
: The wide applicability of zeroknowledge interactive proofs comes from the possibility of using these proofs as subroutines in cryptographic protocols. A basic question concerning this use is whether the (sequential and/or parallel) composition of zeroknowledge protocols is zeroknowledge too. We demonstrate the limitations of the composition of zeroknowledge protocols by proving that the original definition of zeroknowledge is not closed under sequential composition; and that even the strong formulations of zeroknowledge (e.g. blackbox simulation) are not closed under parallel execution. We present lower bounds on the round complexity of zeroknowledge proofs, with significant implications to the parallelization of zeroknowledge protocols. We prove that 3round interactive proofs and constantround ArthurMerlin proofs that are blackbox simulation zeroknowledge exist only for languages in BPP. In particular, it follows that the "parallel versions" of the first interactive proo...
On Defining Proofs of Knowledge
, 1998
"... The notion of a "proof of knowledge," suggested by Gold wasset, Micali and Rackoff, has been used in many works as a tool for the construction of cryptographic protocols and other schemes. Yet the commonly cited formalizations of this notion are unsatisfactory and in particular inadeq ..."
Abstract

Cited by 159 (22 self)
 Add to MetaCart
The notion of a "proof of knowledge," suggested by Gold wasset, Micali and Rackoff, has been used in many works as a tool for the construction of cryptographic protocols and other schemes. Yet the commonly cited formalizations of this notion are unsatisfactory and in particular inadequate for some of the applications in which they are used. Consequently,
Perfect ZeroKnowledge Arguments for NP Using any OneWay Permutation
 Journal of Cryptology
, 1998
"... "Perfect zeroknowledge arguments" is a cryptographic primitive which allows one polynomialtime player to convince another polynomialtime player of the validity of an NP statement, without revealing any additional information (in the informationtheoretic sense). Here the security achi ..."
Abstract

Cited by 60 (5 self)
 Add to MetaCart
(Show Context)
"Perfect zeroknowledge arguments" is a cryptographic primitive which allows one polynomialtime player to convince another polynomialtime player of the validity of an NP statement, without revealing any additional information (in the informationtheoretic sense). Here the security achieved is online: in order to cheat and validate a false theorem, the prover must break a cryptographic assumption online during the conversation, while the verifier cannot find (ever) any information unconditionally. Despite their practical and theoretical importance, it was only known how to implement zeroknowledge arguments based on specific algebraic assumptions. In this paper, we show a general construction, which can be based on any oneway permutation. The result is obtained by a construction of an informationtheoretic secure bitcommitment protocol. The protocol is efficient (both parties are polynomial time) and can be based on any oneway permutation. A preliminary version of this ...
Verifiable partial key escrow
 PROCEEDINGS OF 4TH ACM CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY
, 1995
"... One of the main objections to existing proposals for key escrow is that the individual's privacy relies on too high a level of trust in the law enforcement agencies. In particular, even if the government is trustworthy today, it may be replaced by an untrustworthy government tomorrow which coul ..."
Abstract

Cited by 54 (1 self)
 Add to MetaCart
One of the main objections to existing proposals for key escrow is that the individual's privacy relies on too high a level of trust in the law enforcement agencies. In particular, even if the government is trustworthy today, it may be replaced by an untrustworthy government tomorrow which could immediately and suddenly recover the secret keys of all users. "Partial key escrow" was suggested to address this concern, in the context of DES keys. Only some part of a user key is escrowed, so that the authority must make a computational effort to find the rest. We extend this idea and provide schemes to perform partial key escrow in a verifiable manner in a publickey encryption setting. We uncover some subtle issues which must be addressed for any partial key escrow scheme to be secure, the most important of which is the danger of early recovery. We show that other proposals for verifiable partial key escrow suffer from the early recovery problem, and thus do not in fact offer an advantage over standard keyescrow schemes. Our verifiable partial key escrow scheme for the DiffieHellman cryptosystem does not suffer from early recovery. Political debate will not make the user versus lawenforcement conflict on privacy vanish. Today
RoundOptimal Secure TwoParty Computation
 In CRYPTO 2004
, 2004
"... We consider the central cryptographic task of secure twoparty computation: two parties wish to compute some function of their private inputs (each receiving possibly di#erent outputs) where security should hold with respect to arbitrarilymalicious behavior of either of the participants. Despit ..."
Abstract

Cited by 49 (6 self)
 Add to MetaCart
We consider the central cryptographic task of secure twoparty computation: two parties wish to compute some function of their private inputs (each receiving possibly di#erent outputs) where security should hold with respect to arbitrarilymalicious behavior of either of the participants. Despite extensive research in this area, the exact roundcomplexity of this fundamental problem (i.e., the number of rounds required to compute an arbitrary polytime functionality) was not previously known.
HonestVerifier Statistical ZeroKnowledge Equals General Statistical ZeroKnowledge
 In Proceedings of the 30th Annual ACM Symposium on Theory of Computing
, 1998
"... We show how to transform any interactive proof system which is statistical zeroknowledge with respect to the honestverifier, into a proof system which is statistical zeroknowledge with respect to any verifier. This is done by limiting the behavior of potentially cheating verifiers, without using ..."
Abstract

Cited by 46 (15 self)
 Add to MetaCart
We show how to transform any interactive proof system which is statistical zeroknowledge with respect to the honestverifier, into a proof system which is statistical zeroknowledge with respect to any verifier. This is done by limiting the behavior of potentially cheating verifiers, without using computational assumptions or even referring to the complexity of such verifier strategies. (Previous transformations have either relied on computational assumptions or were applicable only to constantround publiccoin proof systems.) Our transformation also applies to publiccoin (aka ArthurMerlin) computational zeroknowledge proofs: We transform any ArthurMerlin proof system which is computational zeroknowledge with respect to the honestverifier, into an ArthurMerlin proof systemwhich is computational zeroknowledgewith respect to any probabilistic polynomialtime verifier. A crucial ingredient in our analysis is a new lemma regarding 2universal hashing functions. Keywords: Complexit...
A Complete Problem for Statistical Zero Knowledge
, 2002
"... We present the rst complete problem for SZK, the class of promise problems possessing statistical zeroknowledge proofs (against an honest veri er). The problem, called Statistical Difference, is to decide whether two eciently samplable distributions are either statistically close or far apart. Th ..."
Abstract

Cited by 46 (15 self)
 Add to MetaCart
We present the rst complete problem for SZK, the class of promise problems possessing statistical zeroknowledge proofs (against an honest veri er). The problem, called Statistical Difference, is to decide whether two eciently samplable distributions are either statistically close or far apart. This gives a new characterization of SZK that makes no reference to interaction or zero knowledge. We propose the use of complete problems to unify and extend the study of statistical zero knowledge. To this end, we examine several consequences of our Completeness Theorem and its proof, such as: A way to make every (honestveri er) statistical zeroknowledge proof very communication ecient, with the prover sending only one bit to the veri er (to achieve soundness error 1=2). Simpler proofs of many of the previously known results about statistical zero knowledge, such as the Fortnow and Aiello{Hastad upper bounds on the complexity of SZK and Okamoto's result that SZK is closed under complement.
On Monotone Formula Closure of SZK
, 1994
"... We investigate structural properties of statistical zero knowledge (SZK) both in the interactive and in the noninteractive model. Specifically, we look into the closure properties of SZK languages under monotone logical formula composition. This gives rise to new protocol techniques. We show that i ..."
Abstract

Cited by 43 (2 self)
 Add to MetaCart
We investigate structural properties of statistical zero knowledge (SZK) both in the interactive and in the noninteractive model. Specifically, we look into the closure properties of SZK languages under monotone logical formula composition. This gives rise to new protocol techniques. We show that interactive SZK for random self reducible languages (RSR) (and for coRSR) is closed under monotone boolean operations. Namely, we give SZK proofs for monotone boolean formulae whose atoms are statements about an SZK language which is RSR (or a complement of RSR). All previously known languages in SZK are in these classes. We then show that if a language L has a noninteractive SZK proof system then honestverifier interactive SZK proof systems exist for all monotone boolean formulae whose atoms are statements about the complement of L. We also discuss extensions and generalizations. 1 Introduction Goldwasser, Micali, and Rackoff [34] introduced the notion of a zeroknowledge proof, a proof ...
Perfect ZeroKnowledge Arguments for NP Can Be Based on General Complexity Assumptions (Extended Abstract)
 JOURNAL OF CRYPTOLOGY
, 1998
"... "Zeroknowledge arguments" is a fundamental cryptographic primitive which allows one polynomialtime player to convince another polynomialtime player of the validity of an NP statement, without revealing any additional information in the informationtheoretic sense. Despite their practi ..."
Abstract

Cited by 42 (11 self)
 Add to MetaCart
"Zeroknowledge arguments" is a fundamental cryptographic primitive which allows one polynomialtime player to convince another polynomialtime player of the validity of an NP statement, without revealing any additional information in the informationtheoretic sense. Despite their practical and theoretical importance, it was only known how to implement zeroknowledge arguments based on specific algebraic assumptions; basing them on a general complexity assumption was open since their introduction in 1986 [BCC, BC, CH]. In this paper, we finally show a general construction, which can be based on any oneway permutation. We stress that our scheme is efficient: both players can execute only polynomialtime programs during the protocol. Moreover, the security achieved is online: in order to cheat and validate a false theorem, the prover must break a cryptographic assumption online during the conversation, while the verifier can not find (ever!) any information unconditionally (in the i...
Fair Games Against an AllPowerful Adversary
 AMS DIMACS Series in Discrete Mathematics and Theoretical Computer Science
, 1991
"... Suppose that a weak (polynomial time) device needs to interact over a clear channel with a strong (infinitelypowerful) and untrustworthy adversarial device. Assuming the existence of oneway functions, during this interaction (game) the infinitelypowerful device can encrypt and (computationally) hi ..."
Abstract

Cited by 39 (15 self)
 Add to MetaCart
(Show Context)
Suppose that a weak (polynomial time) device needs to interact over a clear channel with a strong (infinitelypowerful) and untrustworthy adversarial device. Assuming the existence of oneway functions, during this interaction (game) the infinitelypowerful device can encrypt and (computationally) hide information from the weak device. However, to keep the game fair, the weak player must hide information from the infinitelypowerful player in the informationtheoretic sense. Clearly, encryption in this case is useless, and other means must be used. In this paper, we show that under a general complexity assumption, this task is always possible to achieve. That is, we show that the weak player can play any polynomial length partialinformation game (or secure protocol) with the strong player using any oneway function; we achieve this by implementing oblivious transfer protocol in this model. We also establish related impossibility results concerning oblivious transfer. In the proof of ou...