On the Existence of 3-Round Zero-Knowledge Proofs Matthew Lepinski

On the Existence of 3-Round Zero-Knowledge Proofs

by Matthew Lepinski

Submitted to the Department of Electrical Engineering and Computer Science on November 2, 2001, in partial fulfillment of the requirements for the degree of Master of Science in Computer Science and Engineering at the Massachusetts Institute of Technology, June 2002.

© Massachusetts Institute of Technology 2002. All rights reserved.

Author: Department of Electrical Engineering and Computer Science, November 2, 2001
Certified by: Silvio Micali, Professor, Thesis Supervisor
Accepted by: Arthur C. Smith, Chairman, Department Committee on Graduate Students

Abstract

Goldreich and Krawczyk proved that there do not exist 3-round black-box zero-knowledge proofs or arguments for languages outside BPP. In 1998, Hada and Tanaka used non-standard assumptions to provide a 3-round zero-knowledge argument for every language in NP which was not black-box zero-knowledge. We present a non-black-box simulatable 3-round zero-knowledge proof system for NP, which is secure even when the prover has unbounded computational resources. However, we require a non-standard assumption (similar to those used by Hada and Tanaka) in order to prove our protocol is zero-knowledge. Additionally, we provide a proof of knowledge framework in which to view this type of non-standard assumption.
In this thesis, I designed and implemented a compiler which performs optimizations that reduce the number of low-level floating point operations necessary for a specific task; this involves the optimization of chains of floating point operations as well as the implementation of a "fixed" point data type that allows some floating point operations to be simulated with integer arithmetic. The source language of the compiler is a subset of C, and the destination language is assembly language for a micro-floating point CPU. An instruction-level simulator of the CPU was written to allow testing of the code. A series of test pieces of code was compiled, both with and without optimization, to determine how effective these optimizations were.

Thesis Supervisor: Silvio Micali
Title: Professor

Acknowledgments

I would like to thank my adviser, Silvio Micali, for all of his assistance in producing this work. This material is based upon work supported under a National Science Foundation Graduate Research Fellowship.

Contents

1 Introduction 9
2 Notation 11
3 Background 13
3.1 Zero-Knowledge Proofs 13
3.2 Round Minimization in Zero-Knowledge Protocols 15
3.3 The Protocol of Hada and Tanaka 16
3.4 Blum's Zero-Knowledge Proof for Hamiltonian Cycle 18
3.5 The Goldreich-Levin Theorem 20
4 Our Assumptions 21
4.1 Proofs of Knowledge 22
4.2 Our Proof of Knowledge Assumption 24
5 Our Protocol 27
5.1 The Actual Protocol 27
5.2 Proof of Soundness 29
5.3 Proof of Zero-Knowledgeness 30
6 Conclusion 41
Bibliography 43

Chapter 1
Introduction

A zero-knowledge proof system is a protocol which allows a prover to convince a verifier that a statement is true without providing the verifier with any additional information about the statement being proved.
Zero-knowledge proofs have seen much application in the design of cryptographic protocols. This is due in large part to the result by Goldreich, Micali and Wigderson [16] that there exists a zero-knowledge proof system for any language in NP. Additionally, work has been done to determine the minimum number of messages which must be exchanged in order to complete a zero-knowledge proof ([10], [13], [12]). Of particular interest to us is a paper by Hada and Tanaka which provides a three round (three message) protocol for any language in NP which is proven to be zero-knowledge given a set of strong assumptions. This is significant because it is known that no two round zero-knowledge protocol exists for any language outside BPP [13].

We present a three round zero-knowledge proof system for any language in NP which is an improvement over the Hada-Tanaka protocol in two important ways. First, our protocol is secure even if the prover has unbounded resources.¹ Second, we assume the hardness of the discrete logarithm problem for a randomly chosen prime and generator instead of assuming the discrete logarithm problem is hard for every prime number of a certain form.² Like the Hada-Tanaka paper, we rely on a non-standard assumption which seems to be quite strong.

In Chapter 2 we provide a summary of the notation that we use in this paper. In Chapter 3 we provide definitions and background from related work. In Chapter 4 we provide the assumptions which we need to prove our protocol correct. In Chapter 5 we provide our protocol and a proof that it is correct.

¹ The Hada-Tanaka protocol is a zero-knowledge argument and not a zero-knowledge proof system, since it is secure only if the prover is polynomially bounded.

² All of our hardness assumptions are with respect to a randomly chosen prime and generator. The Hada-Tanaka paper assumes that the discrete logarithm problem and the Diffie-Hellman problem are hard for every generator and for every prime which is one more than twice a prime.

Chapter 2
Notation

Point of Notation 1. Let X and Y be distributions and let $P(\cdot,\cdot)$ be a predicate. Then by $\Pr[x \leftarrow X;\ y \leftarrow Y : P(x,y)]$ we mean the probability that $P(x,y)$ is true when x is drawn randomly from distribution X and y is drawn randomly from distribution Y. For any set S, let $x \leftarrow S$ denote that x is drawn from the uniform distribution over S. Similarly, for any randomized algorithm A, let $x \leftarrow A(y)$ denote that x is drawn from the distribution induced by a random execution of algorithm A on input y.

Point of Notation 2. When X and Y are distributions, $[X, Y]$ denotes the distribution which produces pairs (x, y) where x is drawn from X and y is drawn from Y.

Point of Notation 3. When X and Y are distributions and A is a randomized algorithm, $[x \leftarrow X,\ y \leftarrow Y,\ A(x,y)]$ denotes the distribution which produces triples (x, y, a) where x is drawn from X, y is drawn from Y and a is drawn from the distribution induced by a random execution of A on inputs x and y.

Point of Notation 4. We denote the result of the interaction between A and B on common input x by the random variable $[A(x) \leftrightarrow B(x)] \in \{\text{accept}, \text{reject}\}$.

Point of Notation 5. Let $x, y \in \{0,1\}^n$. Then by $\langle x, y \rangle$ we mean the inner product of x and y in the vector space $\mathbb{Z}_2^n$. That is, $\langle x, y \rangle = \sum_i x_i y_i \bmod 2$, where $x_i$ is the i-th bit of x.

Chapter 3
Background

3.1 Zero-Knowledge Proofs

In their paper "The Knowledge Complexity of Interactive Proofs", Goldwasser, Micali and Rackoff [18] introduced the concept of a zero-knowledge proof system. Informally, a zero-knowledge proof system for a language L is an interactive protocol by which a prover can convince a verifier that a common input x is in L without providing V with any additional information.
Definition 1 (Zero-Knowledge Proof System). A zero-knowledge proof system for a language L is a protocol for a prover P and a verifier V that satisfies the following three properties.¹

1. Completeness: For all $x \in L$, $\Pr[[P(x) \leftrightarrow V(x)] = \text{accept}] = 1$.

2. Soundness: For all circuit families P', for all c and for all sufficiently long strings $x \notin L$, $\Pr[[P'(x) \leftrightarrow V(x)] = \text{accept}] < 1/|x|^c$.

3. Zero-Knowledgeness: For all polynomial size circuit families V', there exists a polynomial size circuit family $S_{V'}$ such that the probability ensembles $\{S_{V'}(x)\}_{x \in L}$ and $\{\mathrm{VIEW}([P(x) \leftrightarrow V'(x)])\}_{x \in L}$ are computationally indistinguishable, where $\mathrm{VIEW}([P(x) \leftrightarrow V'(x)])$ denotes the distribution over the random input of V' and the messages sent by P in a random interaction of P and V' with common input x.

Property 3 above formalizes the notion that V' learns nothing from interacting with P besides the fact that $x \in L$. So if V' already knew that $x \in L$, V' could run $S_{V'}$ and obtain a view which is indistinguishable from the view he would receive if he were to interact with the true prover. Thus, V' has no reason to interact with P other than to learn that $x \in L$.

¹ As done in [19], we present a non-uniform formulation of zero-knowledge in terms of circuit families. Hada and Tanaka claim that non-uniform zero-knowledge is strictly weaker than the original GMR definition of zero-knowledge, since one can construct protocols for which non-uniform simulators exist but uniform simulators do not. However, it is not clear whether one could construct protocols in which a non-uniform cheating verifier could extract knowledge but a uniform cheating verifier could not. A protocol of this type would satisfy the GMR definition of zero-knowledge, but not the non-uniform definition of zero-knowledge.
One can also consider a modification to Property 3 in which, instead of allowing a separate simulator for each cheating verifier V', it is required that there exist a single simulator S which, when given black-box access to V', produces views which are indistinguishable from the views V' would receive when interacting with the true prover.
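The following is an added worked example, not code from the thesis and not the thesis's own protocol: it makes Definition 1 and the black-box simulator of the previous paragraph concrete for the simplest discrete-logarithm Σ-protocol, run with one-bit challenges and repeated sequentially (so it is a many-round protocol, not a 3-round one). The honest prover uses the witness w with y = g^w; the verifier V' is modelled as any deterministic function of its random tape and the transcript so far; and the simulator S, which never sees w, produces a view by guessing each challenge bit, preparing a round that verifies for that guess, asking V', and rewinding (discarding the round) whenever the guess was wrong. The group parameters (p = 1019, q = 509, g = 4), all class and function names, and the hash-based cheating verifier are constructed for this example.

```python
"""Added example, not from the thesis: a one-bit-challenge Sigma protocol
for knowledge of a discrete log, run sequentially, with a black-box
simulator that rewinds an arbitrary deterministic verifier V'.
Group parameters are constructed toy values, far too small for real use."""
import hashlib
import secrets

# Constructed toy group: safe prime p = 2q + 1, g of prime order q.
P, Q, G = 1019, 509, 4


def keygen():
    """Witness w (kept by the prover) and public statement y = g^w mod p."""
    w = 1 + secrets.randbelow(Q - 1)
    return w, pow(G, w, P)


def verify_round(y, a, c, z):
    """Verifier's check for one round: g^z == a * y^c (mod p)."""
    return pow(G, z, P) == (a * pow(y, c, P)) % P


def verify_transcript(y, history):
    """Accept only if every round (a, c, z) of the transcript verifies."""
    return all(verify_round(y, a, c, z) for a, c, z in history)


class Prover:
    """Honest prover: commits to a = g^r, answers z = r + c*w mod q."""
    def __init__(self, w):
        self.w = w

    def commit(self):
        self.r = secrets.randbelow(Q)
        return pow(G, self.r, P)

    def respond(self, c):
        return (self.r + c * self.w) % Q


class Verifier:
    """V' as a deterministic function of its random tape and the history.
    Honest: challenge bit for round i is tape bit i.  Cheating: the challenge
    is an arbitrary function of the commitment and the history (hashed here)."""
    def __init__(self, tape, cheating=False):
        self.tape = tape
        self.cheating = cheating

    def challenge(self, history, a):
        if not self.cheating:
            return self.tape[len(history)] & 1
        data = self.tape + repr(history).encode() + a.to_bytes(2, "big")
        return hashlib.sha256(data).digest()[0] & 1


def real_interaction(w, y, verifier, rounds):
    """The real view: (a, c, z) for each round, produced using the witness."""
    prover, history = Prover(w), []
    for _ in range(rounds):
        a = prover.commit()
        c = verifier.challenge(history, a)
        z = prover.respond(c)
        history.append((a, c, z))
    return history


def simulate(y, verifier, rounds):
    """Black-box simulator S with no witness: guess the challenge bit, build a
    round that verifies for the guess, ask V'; on a mismatch discard the round
    (rewind V') and retry.  Expected 2 tries per round for 1-bit challenges;
    a k-bit challenge would cost 2^k expected rewinds per round."""
    history, rewinds = [], 0
    y_inv = pow(y, -1, P)
    while len(history) < rounds:
        c_guess = secrets.randbelow(2)
        z = secrets.randbelow(Q)
        # a = g^z * y^(-c_guess), so g^z == a * y^c_guess holds by construction;
        # (a, z) has the same distribution as in a real round with challenge c_guess.
        a = (pow(G, z, P) * pow(y_inv, c_guess, P)) % P
        if verifier.challenge(history, a) == c_guess:
            history.append((a, c_guess, z))
        else:
            rewinds += 1
    return history, rewinds


def cheating_prover_round(y, verifier, history=()):
    """Soundness illustration: a prover without w can prepare for only one
    challenge bit and passes the round exactly when its guess matches V'."""
    c_guess = secrets.randbelow(2)
    z = secrets.randbelow(Q)
    a = (pow(G, z, P) * pow(pow(y, -1, P), c_guess, P)) % P
    c = verifier.challenge(list(history), a)
    # With c != c_guess there is no valid z (y != 1), so the check fails.
    return verify_round(y, a, c, z)
```

The simulated transcript verifies and contains exactly the challenges V' itself would emit on those commitments, which is what makes the simulated view match the real one; the same guess-and-rewind strategy is what fails for large challenge spaces, since the expected number of rewinds grows with the size of the challenge space.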