Quantum theory, the Church-Turing principle and the universal quantum computer, 1985
The NP-completeness column: an ongoing guide
- Journal of Algorithms, 1985
Cited by 164 (0 self)
This is the nineteenth edition of a (usually) quarterly column that covers new developments in the theory of NP-completeness. The presentation is modeled on that used by M. R. Garey and myself in our book "Computers and Intractability: A Guide to the Theory of NP-Completeness," W. H. Freeman & Co., New York, 1979 (hereinafter referred to as "[G&J]"; previous columns will be referred to by their dates). A background equivalent to that provided by [G&J] is assumed, and, when appropriate, cross-references will be given to that book and the list of problems (NP-complete and harder) presented there. Readers who have results they would like mentioned (NP-hardness, PSPACE-hardness, polynomial-time-solvability, etc.) or open problems they would like publicized, should
Limits on the Provable Consequences of One-way Permutations, 1989
Cited by 138 (0 self)
We present strong evidence that the implication, "if one-way permutations exist, then secure secret key agreement is possible" is not provable by standard techniques. Since both sides of this implication are widely believed true in real life, to show that the implication is false requires a new model. We consider a world where all parties have access to a black box for a randomly selected permutation. Being totally random, this permutation will be strongly one-way in a provable, information-theoretic way. We show that, if P = NP, no protocol for secret key agreement is secure in such a setting. Thus, to prove that a secret key agreement protocol which uses a one-way permutation as a black box is secure is as hard as proving P ≠ NP. We also obtain, as a corollary, that there is an oracle relative to which the implication is false, i.e., there is a one-way permutation, yet secret-exchange is impossible. Thus, no technique which relativizes can prove that secret exchange can be based on any one-way permutation. Our results present a general framework for proving statements of the form, "Cryptographic application X is not likely possible based solely on complexity assumption Y."
On the Limits of Non-Approximability of Lattice Problems, 1998
Cited by 75 (3 self)
We show simple constant-round interactive proof systems for problems capturing the approximability, to within a factor of √n, of optimization problems in integer lattices; specifically, the closest vector problem (CVP), and the shortest vector problem (SVP). These interactive proofs are for the "coNP direction"; that is, we give an interactive protocol showing that a vector is "far" from the lattice (for CVP), and an interactive protocol showing that the shortest lattice vector is "long" (for SVP). Furthermore, these interactive proof systems are Honest-Verifier Perfect Zero-Knowledge. We conclude that approximating CVP (resp., SVP) within a factor of √n is in NP ∩ coAM. Thus, it seems unlikely that approximating these problems to within a √n factor is NP-hard. Previously, for the CVP (resp., SVP) problem, Lagarias et al., Hastad and Banaszczyk showed that the gap problem corresponding to approximating CVP (resp., SVP) within n is in NP ∩ coNP. On the other hand, Ar...
On Worst-Case to Average-Case Reductions for NP Problems
- In Proceedings of the 44th IEEE Symposium on Foundations of Computer Science, 2003
Cited by 40 (4 self)
We show that if an NP-complete problem has a nonadaptive self-corrector with respect to a samplable distribution then coNP is contained in AM/poly and the polynomial hierarchy collapses to the third level. Feigenbaum and Fortnow show the same conclusion under the stronger assumption that an NP-complete problem has a non-adaptive random self-reduction. Our result
Limits on the Provable Consequences of One-way Functions, 1989
Cited by 25 (1 self)
This technical point will prevent the reader from suspecting any measure-theoretic fallacy.
The Classification of Hash Functions, 1993
Cited by 22 (3 self)
When we ask what makes a hash function 'good', we usually get an answer which includes collision freedom as the main (if not sole) desideratum. However, we show here that given any collision-free function, we can derive others which are also collision-free, but cryptographically useless. This explains why researchers have not managed to find many interesting consequences of this property. We also prove Okamoto's conjecture that correlation freedom is strictly stronger than collision freedom. We go on to show that there are actually rather many properties which hash functions may need. Hash functions for use with RSA must be multiplication free, in the sense that one cannot find X, Y and Z such that h(X)h(Y) = h(Z); and more complex requirements hold for other signature schemes. Universal principles can be proposed from which all the freedom properties follow, but like most theoretical principles, they do not seem to give much value to a designer; at the practical level, the main imp...
Lattices that admit logarithmic worst-case to average-case connection factors
- In STOC, 2007
Cited by 12 (7 self)
We demonstrate an average-case problem which is as hard as finding γ(n)-approximate shortest vectors in certain n-dimensional lattices in the worst case, where γ(n) = O(√(log n)). The previously best known factor for any class of lattices was γ(n) = Õ(n). To obtain our results, we focus on families of lattices having special algebraic structure. Specifically, we consider lattices that correspond to ideals in the ring of integers of an algebraic number field. The worst-case assumption we rely on is that in some ℓ_p length, it is hard to find approximate shortest vectors in these lattices, under an appropriate form of preprocessing of the number field. Our results build upon prior works by Micciancio (FOCS 2002), Peikert and Rosen (TCC 2006), and Lyubashevsky and Micciancio (ICALP 2006). For the connection factors γ(n) we achieve, the corresponding decisional promise problems on ideal lattices are not known to be NP-hard; in fact, they are in P. However, the search approximation problems still appear to be very hard. Indeed, ideal lattices are well-studied objects in computational number theory, and the best known algorithms for them seem to perform no better than the best known algorithms for general lattices. To obtain the best possible connection factor, we instantiate our constructions with infinite families of number fields having constant root discriminant. Such families are known to exist and are computable, though no efficient construction is yet known. Our work motivates the search for such constructions. Even constructions of number fields having root discriminant up to O(n^(2/3−ε)) would yield connection factors better than the current best of Õ(n).
On the possibility of basing Cryptography on the assumption that P!=NP, 1998
Cited by 8 (2 self)
Recent works by Ajtai and by Ajtai and Dwork bring to light the old (general) question of whether it is at all possible to base the security of cryptosystems on the assumption that P ≠ NP. We discuss this question and in particular review and extend a two-decade old result of Brassard regarding this question. Our conclusion is that the question remains open. Keywords: Cryptography, P ≠ NP, promise problems, smart reductions. Work done while visiting LCS, MIT. DARPA grant DABT63-96-C-0018.
Parallel Repetition of Zero-Knowledge Proofs and the Possibility of Basing Cryptography on NP-Hardness, 2007
Cited by 7 (1 self)
Two long-standing open problems exist on the fringe of Complexity Theory and Cryptography: 1. Does there exist a reduction from an NP-Complete Problem to a one-way function? 2. Do parallelized versions of classical constant-round zero-knowledge proofs for NP conceal every “hard” bit of the witness to the statement proved? We show that, unless the Polynomial-Hierarchy collapses, black-box reductions cannot be used to provide positive answers to both questions.

