
Showing papers by "Silvio Micali published in 1999"


Book ChapterDOI
02 May 1999
TL;DR: A single-database computationally private information retrieval scheme with polylogarithmic communication complexity based on a new, but reasonable intractability assumption, which is essentially the difficulty of deciding whether a small prime divides φ(m), where m is a composite integer of unknown factorization.
Abstract: We present a single-database computationally private information retrieval scheme with polylogarithmic communication complexity. Our construction is based on a new, but reasonable intractability assumption, which we call the φ-Hiding Assumption (φHA): essentially the difficulty of deciding whether a small prime divides φ(m), where m is a composite integer of unknown factorization.

699 citations


Proceedings ArticleDOI
17 Oct 1999
TL;DR: This work efficiently combines unpredictability and verifiability by extending the Goldreich-Goldwasser-Micali (1986) construction of pseudorandom functions f_s from a secret seed s so as to provide an NP-proof that the value f_s(x) is indeed correct, without compromising the unpredictability of f_s at any other point for which no such proof was provided.
Abstract: We efficiently combine unpredictability and verifiability by extending the Goldreich-Goldwasser-Micali (1986) construction of pseudorandom functions f_s from a secret seed s, so that knowledge of s not only enables one to evaluate f_s at any point x, but also to provide an NP-proof that the value f_s(x) is indeed correct without compromising the unpredictability of f_s at any other point for which no such proof was provided.

609 citations


Journal Article
TL;DR: Resettable zero-knowledge (rZK) as discussed by the authors is a security measure for cryptographic protocols which strengthens the classical notion of zero knowledge, and it has great relevance to applications.
Abstract: We introduce the notion of Resettable Zero-Knowledge (rZK), a new security measure for cryptographic protocols which strengthens the classical notion of zero-knowledge. In essence, an rZK protocol is one that remains zero knowledge even if an adversary can interact with the prover many times, each time resetting the prover to its initial state and forcing him to use the same random tape. Under general complexity assumptions, which hold for example if the Discrete Logarithm Problem is hard, we construct: (non-constant round) Resettable Zero-Knowledge proof-systems for NP; constant-round Resettable Witness-Indistinguishable proof-systems for NP; and constant-round Resettable Zero-Knowledge arguments for NP in the public key model, where verifiers have fixed, public keys associated with them. In addition to shedding new light on what makes zero knowledge possible (by constructing ZK protocols that use randomness in a dramatically weaker way than before), rZK has great relevance to applications. Firstly, we show that rZK protocols are closed under parallel and concurrent execution and thus are guaranteed to be secure when implemented in fully asynchronous networks, even if an adversary schedules the arrival of every message sent. Secondly, rZK protocols enlarge the range of physical ways in which provers of ZK protocols can be securely implemented, including devices which cannot reliably toss coins on-line, nor keep state between invocations. (For instance, because ordinary smart cards with secure hardware are resettable, they could not be used to securely implement the provers of classical ZK protocols, but can now be used to securely implement the provers of rZK protocols.)

161 citations


Posted Content
TL;DR: Resettable zero-knowledge (rZK) as mentioned in this paper is a security measure for cryptographic protocols which strengthens the classical notion of zero knowledge, and it has great relevance to applications.
Abstract: We introduce the notion of Resettable Zero-Knowledge (rZK), a new security measure for cryptographic protocols which strengthens the classical notion of zero-knowledge. In essence, an rZK protocol is one that remains zero knowledge even if an adversary can interact with the prover many times, each time resetting the prover to its initial state and forcing him to use the same random tape. Under general complexity assumptions, which hold for example if the Discrete Logarithm Problem is hard, we construct: (non-constant round) Resettable Zero-Knowledge proof-systems for NP; constant-round Resettable Witness-Indistinguishable proof-systems for NP; and constant-round Resettable Zero-Knowledge arguments for NP in the public key model, where verifiers have fixed, public keys associated with them. In addition to shedding new light on what makes zero knowledge possible (by constructing ZK protocols that use randomness in a dramatically weaker way than before), rZK has great relevance to applications. Firstly, we show that rZK protocols are closed under parallel and concurrent execution and thus are guaranteed to be secure when implemented in fully asynchronous networks, even if an adversary schedules the arrival of every message sent. Secondly, rZK protocols enlarge the range of physical ways in which provers of ZK protocols can be securely implemented, including devices which cannot reliably toss coins on-line, nor keep state between invocations. (For instance, because ordinary smart cards with secure hardware are resettable, they could not be used to securely implement the provers of classical ZK protocols, but can now be used to securely implement the provers of rZK protocols.)

128 citations


Book ChapterDOI
15 Aug 1999
TL;DR: It is proved that, if any non-trivial function can be so computed, then so can every function, and hence the complexity assumptions sufficient and/or required for computationally securely computing f are the same for every non-trivial function f.
Abstract: A function f is computationally securely computable if two computationally-bounded parties Alice, having a secret input x, and Bob, having a secret input y, can talk back and forth so that (even if one of them is malicious) (1) Bob learns essentially only f(x, y) while (2) Alice learns essentially nothing. We prove that, if any non-trivial function can be so computed, then so can every function. Consequently, the complexity assumptions sufficient and/or required for computationally securely computing f are the same for every non-trivial function f.

70 citations


Posted Content
TL;DR: In this paper, a new method of constructing Fiat-Shamir-like signature schemes that yields better "exact security" than the original signature method was proposed, and they also point out that such tight security does not make their modified schemes always preferable to the original ones.
Abstract: We put forward a new method of constructing Fiat-Shamir-like signature schemes that yields better “exact security” than the original Fiat-Shamir method. (We also point out, however, that such tight security does not make our modified schemes always preferable to the original ones. Indeed, there exist particularly efficient Fiat-Shamir-like schemes that, though only enjoying “loose security,” by using longer keys may provably provide more security at a lower computational cost than their “tight-security” counterparts.)

67 citations


Book ChapterDOI
02 May 1999
TL;DR: This work proves the first general and non-trivial lower bound for the number of times a 1-out-of-n Oblivious Transfer of strings of length l must be invoked so as to obtain, by an information-theoretically secure reduction, a 1-out-of-N Oblivious Transfer of strings of length L.
Abstract: We prove the first general and non-trivial lower bound for the number of times a 1-out-of-n Oblivious Transfer of strings of length l should be invoked so as to obtain, by an information-theoretically secure reduction, a 1-out-of-N Oblivious Transfer of strings of length L. Our bound is tight in many significant cases. We also prove the first non-trivial lower bound for the number of random bits needed to implement such a reduction whenever the receiver sends no messages to the sender. This bound is also tight in many significant cases.

60 citations


Journal Article
TL;DR: A function f is computationally securely computable if two computationally bounded parties Alice and Bob can talk back and forth so that (even if one of them is malicious) Bob learns essentially only f(x,y) while Alice learns essentially nothing.
Abstract: A function f is computationally securely computable if two computationally-bounded parties Alice, having a secret input x, and Bob, having a secret input y, can talk back and forth so that (even if one of them is malicious) (1) Bob learns essentially only f(x,y) while (2) Alice learns essentially nothing. We prove that, if any non-trivial function can be so computed, then so can every function. Consequently, the complexity assumptions sufficient and/or required for computationally securely computing f are the same for every non-trivial function f.

60 citations


Book ChapterDOI
TL;DR: This work puts forward a new method of constructing Fiat-Shamir-like signature schemes that yields better "exact security" than the original Fiat-Shamir method, and extends exact security analysis to exact cost-security analysis by showing that digital signature schemes with "loose security" may be preferable for reasonable measures of cost.
Abstract: We provide two contributions to exact security analysis of digital signatures: 1. We put forward a new method of constructing Fiat-Shamir-like signature schemes that yields better "exact security" than the original Fiat-Shamir method; and 2. We extend exact security analysis to exact cost-security analysis by showing that digital signature schemes with "loose security" may be preferable for reasonable measures of cost.

9 citations