Abstract. We deal with the problem of a center sending a message to a group of users such that some subset of the users is considered revoked and should not be able to obtain the content of the message. We concentrate on the stateless receiver case, where the users do not (necessarily) update their state from session to session. We present a framework called the Subset-Cover framework, which abstracts a variety of revocation schemes including some previously known ones. We provide sufficient conditions that guarantees the security of a revocation algorithm in this class. We describe two explicit Subset-Cover revocation algorithms; these algorithms are very flexible and work for any number of revoked users. The schemes require storage at the receiver of log N and 1 2 log2 N keys respectively (N is the total number of users), and in order to revoke r users the required message lengths are of r log N and 2r keys respectively. We also provide a general traitor tracing mechanism that can be integrated with any Subset-Cover revocation scheme that satisfies a “bifurcation property”. This mechanism does not need an a priori bound on the number of traitors and does not expand the message length by much compared to the revocation of the same set of traitors. The main improvements of these methods over previously suggested methods, when adopted to the stateless scenario, are: (1) reducing the message length to O(r) regardless of the coalition size while maintaining a single decryption at the user’s end (2) provide a seamless integration between the revocation and tracing so that the tracing mechanisms does not require any change to the revocation algorithm.

The Minimum Vertex Cover problem is the problem of, given a graph, finding a smallest set of vertices that touches all edges. We show that it is NP-hard to approximate this problem 1.36067, improving on the previously known hardness result for a 6 factor. 1

Abstract. A broadcast encryption system allows a center to communi-cate securely over a broadcast channel with selected sets of users. Each time the set of privileged users changes, the center enacts a protocol to establish a new broadcast key that only the privileged users can obtain, and subsequent transmissions by the center are encrypted using the new broadcast key. We study the inherent trade-off between the number of establishment keys held by each user and the number of transmissions needed to establish a new broadcast key. For every given upper bound on the number of establishment keys held by each user, we prove a lower bound on the number of transmissions needed to establish a new broad-cast key. We show that these bounds are essentially tight, by describing broadcast encryption systems that come close to these bounds. 1

Abstract not found

This review of some solved and unsolved problems in combinatorial analysis will be highly subjective. i will only discuss problems which I either worked on or at least thought about. The disadvantages of such an approach are obvious, but the disadvantages are perhaps counterbalanced by the fact that I certainly know more about these problems than about others (which perhaps are more important). i will mainly discuss finite combinatorial problems. I cannot claim completeness in any way but will try to refer to the literature in some cases; even so many things will be omitted. ISO will denote the cardinal number of S; c, cl, c2,... will denote absolute constants not necessarily the same at each occurrence. I. I will start with some problems dealing with subsets of a set. Let IS I =n. A well known theorem of Sperner [57] states that if A i a S, 15 i 5 m, is such that no A, contains any other, then max m=(aA). The theorem of Sperner has many applications in number theory; as far as I know these were first noticed by Behrend [2] and myself [8]. I asked 30 years ago several further extremal problems about subsets which also have number theoretic consequences. Let At a S, 15 i 5mi, assume that there are no three distinct A's so that Ai V A! = A,. I conjectured that

We show that all sets that arecomplete for NP under non-uniform AC are isomorphic under non-uniform AC -computable isomorphisms. Furthermore, these sets remain NP-complete even under non-uniform NC reductions.

We show lower bounds in the cell probe model for the redundancy/query time tradeoff of solutions to static data structure problems.

Let t1,..., tn be independent, but not necessarily identical, {0, 1} random variables. We prove a general large deviation bound for multi-variate polynomials (in t1,..., tn) with small expectation (order O(polylog(n))). Few applications in random graphs and combinatorial number theory will be discussed. Our result is closely related to a classical result of Janson [Jan]. Both of them can be applied in similar situations. On the other hand, our result is symmetric, while Janson’s inequality only deals with the lower tail probability.

Naor and Yung ([NY89]) show that a onebit -compressing universal one-way hash function (UOWHF) can be constructed based on a one-way permutation. This construction can be iterated to build a UOWHF which compresses by "n bits, at the cost of "n invocations of the one-way permutation. We show that this construction is not far from optimal, in the following sense: there exists an oracle relative to which there exists a one-way permutation with inversion probability 2 \Gammap(n) (for any p(n) 2 !(log n)), but any construction of an "n-bit-compressing UOWHF requires \Omega\Gamma p n=p(n)) invocations of the one-way permutation, on average. (For example, there exists in this relativized world a one-way permutation with inversion probability n \Gamma!(1) , but no UOWHF that invokes it fewer than \Omega\Gamma p n= log n) times.) Thus any proof that a more efficient UOWHF can be derived from a one-way permutation is necessarily non-relativizing; in particular, no provable construction...

We develop efficient deterministic algorithms for approximating the fraction of truth assignments that satisfy a disjunctive normal form formula. Although the algorithms themselves are deterministic, their analysis is probabilistic and uses the notion of limited independence between random variables. International Computer Science Institute, 1947 Center Street, Berkeley, California 94704 and Computer Science Department, UC Berkeley, research partially supported by NSF operating grant CCR-9016468 and by grant No. 89-00312 from the United States-Israel Binational Science Foundation (BSF), Jerusalem, Israel. y Department of Mathematics, U.C. Berkeley, research partially supported by NSF, research partially done while visiting the International Computer Science Institute ii 1 Introduction Throughout this paper, let F denote a formula in disjunctive normal form (DNF) on n variables with m clauses of length at most t, and let Pr[F ] denote the probability that a random, independent and...