Results 1–10 of 22
Quantum theory, the Church–Turing principle and the universal quantum computer
1985
The NP-completeness column: an ongoing guide
Journal of Algorithms, 1985
Cited by 188 (0 self)
This is the nineteenth edition of a (usually) quarterly column that covers new developments in the theory of NP-completeness. The presentation is modeled on that used by M. R. Garey and myself in our book "Computers and Intractability: A Guide to the Theory of NP-Completeness," W. H. Freeman & Co., New York, 1979 (hereinafter referred to as "[G&J]"; previous columns will be referred to by their dates). A background equivalent to that provided by [G&J] is assumed, and, when appropriate, cross-references will be given to that book and the list of problems (NP-complete and harder) presented there. Readers who have results they would like mentioned (NP-hardness, PSPACE-hardness, polynomial-time solvability, etc.) or open problems they would like publicized, should
Limits on the Provable Consequences of One-way Permutations
1989
Cited by 162 (0 self)
We present strong evidence that the implication "if one-way permutations exist, then secure secret key agreement is possible" is not provable by standard techniques. Since both sides of this implication are widely believed true in real life, to show that the implication is false requires a new model. We consider a world where all parties have access to a black box for a randomly selected permutation. Being totally random, this permutation will be strongly one-way in a provable, information-theoretic way. We show that, if P = NP, no protocol for secret key agreement is secure in such a setting. Thus, to prove that a secret key agreement protocol which uses a one-way permutation as a black box is secure is as hard as proving P ≠ NP. We also obtain, as a corollary, that there is an oracle relative to which the implication is false, i.e., there is a one-way permutation, yet secret exchange is impossible. Thus, no technique which relativizes can prove that secret exchange can be based on any one-way permutation. Our results present a general framework for proving statements of the form "Cryptographic application X is not likely possible based solely on complexity assumption Y."
On the Limits of Non-Approximability of Lattice Problems
1998
Cited by 81 (3 self)
We show simple constant-round interactive proof systems for problems capturing the approximability, to within a factor of √n, of optimization problems in integer lattices; specifically, the closest vector problem (CVP) and the shortest vector problem (SVP). These interactive proofs are for the "coNP direction"; that is, we give an interactive protocol showing that a vector is "far" from the lattice (for CVP), and an interactive protocol showing that the shortest lattice vector is "long" (for SVP). Furthermore, these interactive proof systems are Honest-Verifier Perfect Zero-Knowledge. We conclude that approximating CVP (resp., SVP) within a factor of √n is in NP ∩ coAM. Thus, it seems unlikely that approximating these problems to within a √n factor is NP-hard. Previously, for the CVP (resp., SVP) problem, Lagarias et al., Hastad and Banaszczyk showed that the gap problem corresponding to approximating CVP (resp., SVP) within n is in NP ∩ coNP. On the other hand, Ar...
On Worst-Case to Average-Case Reductions for NP Problems
In Proceedings of the 44th IEEE Symposium on Foundations of Computer Science, 2003
Cited by 51 (5 self)
We show that if an NP-complete problem has a non-adaptive self-corrector with respect to a samplable distribution then coNP is contained in AM/poly and the polynomial hierarchy collapses to the third level. Feigenbaum and Fortnow show the same conclusion under the stronger assumption that an NP-complete problem has a non-adaptive random self-reduction. Our result
Limits on the Provable Consequences of One-way Functions
1989
Cited by 32 (1 self)
This technical point will prevent the reader from suspecting any measure-theoretic fallacy.
The Classification of Hash Functions
1993
Cited by 24 (3 self)
When we ask what makes a hash function 'good', we usually get an answer which includes collision freedom as the main (if not sole) desideratum. However, we show here that given any collision-free function, we can derive others which are also collision-free, but cryptographically useless. This explains why researchers have not managed to find many interesting consequences of this property. We also prove Okamoto's conjecture that correlation freedom is strictly stronger than collision freedom. We go on to show that there are actually rather many properties which hash functions may need. Hash functions for use with RSA must be multiplication-free, in the sense that one cannot find X, Y and Z such that h(X)h(Y) = h(Z); and more complex requirements hold for other signature schemes. Universal principles can be proposed from which all the freedom properties follow, but like most theoretical principles, they do not seem to give much value to a designer; at the practical level, the main imp...
Lattices that admit logarithmic worst-case to average-case connection factors
In STOC, 2007
Cited by 19 (9 self)
We demonstrate an average-case problem which is as hard as finding γ(n)-approximate shortest vectors in certain n-dimensional lattices in the worst case, where γ(n) = O(√(log n)). The previously best known factor for any class of lattices was γ(n) = Õ(n). To obtain our results, we focus on families of lattices having special algebraic structure. Specifically, we consider lattices that correspond to ideals in the ring of integers of an algebraic number field. The worst-case assumption we rely on is that in some ℓ_p length, it is hard to find approximate shortest vectors in these lattices, under an appropriate form of preprocessing of the number field. Our results build upon prior works by Micciancio (FOCS 2002), Peikert and Rosen (TCC 2006), and Lyubashevsky and Micciancio (ICALP 2006). For the connection factors γ(n) we achieve, the corresponding decisional promise problems on ideal lattices are not known to be NP-hard; in fact, they are in P. However, the search approximation problems still appear to be very hard. Indeed, ideal lattices are well-studied objects in computational number theory, and the best known algorithms for them seem to perform no better than the best known algorithms for general lattices. To obtain the best possible connection factor, we instantiate our constructions with infinite families of number fields having constant root discriminant. Such families are known to exist and are computable, though no efficient construction is yet known. Our work motivates the search for such constructions. Even constructions of number fields having root discriminant up to O(n^(2/3−ε)) would yield connection factors better than the current best of Õ(n).
On the possibility of basing Cryptography on the assumption that P ≠ NP
1998
Cited by 10 (2 self)
Recent works by Ajtai and by Ajtai and Dwork bring to light the old (general) question of whether it is at all possible to base the security of cryptosystems on the assumption that P ≠ NP. We discuss this question and in particular review and extend a two-decade-old result of Brassard regarding this question. Our conclusion is that the question remains open.
Keywords: Cryptography, P ≠ NP, promise problems, smart reductions.
Work done while visiting LCS, MIT. DARPA grant DABT63-96-C-0018.
Parallel Repetition of Zero-Knowledge Proofs and the Possibility of Basing Cryptography on NP-Hardness
2007
Cited by 9 (3 self)
Two longstanding open problems exist on the fringe of Complexity Theory and Cryptography: 1. Does there exist a reduction from an NP-complete problem to a one-way function? 2. Do parallelized versions of classical constant-round zero-knowledge proofs for NP conceal every "hard" bit of the witness to the statement proved? We show that, unless the Polynomial Hierarchy collapses, black-box reductions cannot be used to provide positive answers to both questions.