Results 1  10
of
11
Designing Programs That Check Their Work
, 1989
"... A program correctness checker is an algorithm for checking the output of a computation. That is, given a program and an instance on which the program is run, the checker certifies whether the output of the program on that instance is correct. This paper defines the concept of a program checker. It d ..."
Abstract

Cited by 358 (18 self)
 Add to MetaCart
A program correctness checker is an algorithm for checking the output of a computation. That is, given a program and an instance on which the program is run, the checker certifies whether the output of the program on that instance is correct. This paper defines the concept of a program checker. It designs program checkers for a few specific and carefully chosen problems in the class FP of functions computable in polynomial time. Problems in FP for which checkers are presented in this paper include Sorting, Matrix Rank and GCD. It also applies methods of modern cryptography, especially the idea of a probabilistic interactive proof, to the design of program checkers for group theoretic computations. Two strucural theorems are proven here. One is a characterization of problems that can be checked. The other theorem establishes equivalence classes of problems such that whenever one problem in a class is checkable, all problems in the class are checkable.
Cryptographic Limitations on Learning Boolean Formulae and Finite Automata
 PROCEEDINGS OF THE TWENTYFIRST ANNUAL ACM SYMPOSIUM ON THEORY OF COMPUTING
, 1989
"... In this paper we prove the intractability of learning several classes of Boolean functions in the distributionfree model (also called the Probably Approximately Correct or PAC model) of learning from examples. These results are representation independent, in that they hold regardless of the syntact ..."
Abstract

Cited by 348 (15 self)
 Add to MetaCart
In this paper we prove the intractability of learning several classes of Boolean functions in the distributionfree model (also called the Probably Approximately Correct or PAC model) of learning from examples. These results are representation independent, in that they hold regardless of the syntactic form in which the learner chooses to represent its hypotheses. Our methods reduce the problems of cracking a number of wellknown publickey cryptosystems to the learning problems. We prove that a polynomialtime learning algorithm for Boolean formulae, deterministic finite automata or constantdepth threshold circuits would have dramatic consequences for cryptography and number theory: in particular, such an algorithm could be used to break the RSA cryptosystem, factor Blum integers (composite numbers equivalent to 3 modulo 4), and detect quadratic residues. The results hold even if the learning algorithm is only required to obtain a slight advantage in prediction over random guessing. The techniques used demonstrate an interesting duality between learning and cryptography. We also apply our results to obtain strong intractability results for approximating a generalization of graph coloring.
The complexity of decision versus search
 SIAM Journal on Computing
, 1994
"... A basic question about NP is whether or not search reduces in polynomial time to decision. We indicate that the answer is negative: under a complexity assumption (that deterministic and nondeterministic doubleexponential time are unequal) we construct a language in NP for which search does not red ..."
Abstract

Cited by 35 (1 self)
 Add to MetaCart
A basic question about NP is whether or not search reduces in polynomial time to decision. We indicate that the answer is negative: under a complexity assumption (that deterministic and nondeterministic doubleexponential time are unequal) we construct a language in NP for which search does not reduce to decision. These ideas extend in a natural way to interactive proofs and program checking. Under similar assumptions we present languages in NP for which it is harder to prove membership interactively than it is to decide this membership, and languages in NP which are not checkable. Keywords: NPcompleteness, selfreducibility, interactive proofs, program checking, sparse sets,
Signature Schemes and Applications to Cryptographic Protocol Design
, 2002
"... Signature schemes are fundamental cryptographic primitives, useful as a standalone application, and as a building block in the design of secure protocols and other cryptographic objects. In this thesis, we study both the uses that signature schemes find in protocols, and the design of signature sch ..."
Abstract

Cited by 34 (7 self)
 Add to MetaCart
Signature schemes are fundamental cryptographic primitives, useful as a standalone application, and as a building block in the design of secure protocols and other cryptographic objects. In this thesis, we study both the uses that signature schemes find in protocols, and the design of signature schemes suitable for a broad range of applications. An important
Lecture Notes on Cryptography
, 2001
"... This is a set of lecture notes on cryptography compiled for 6.87s, a one week long course on cryptography taught at MIT by Shafi Goldwasser and Mihir Bellare in the summers of 1996–2001. The notes were formed by merging notes written for Shafi Goldwasser’s Cryptography and Cryptanalysis course at MI ..."
Abstract

Cited by 22 (0 self)
 Add to MetaCart
This is a set of lecture notes on cryptography compiled for 6.87s, a one week long course on cryptography taught at MIT by Shafi Goldwasser and Mihir Bellare in the summers of 1996–2001. The notes were formed by merging notes written for Shafi Goldwasser’s Cryptography and Cryptanalysis course at MIT with notes written for Mihir Bellare’s Cryptography and network security course at UCSD. In addition, Rosario Gennaro (as Teaching Assistant for the course in 1996) contributed Section 9.6, Section 11.4, Section 11.5, and Appendix D to the notes, and also compiled, from various sources, some of the problems in Appendix E. Cryptography is of course a vast subject. The thread followed by these notes is to develop and explain the notion of provable security and its usage for the design of secure protocols. Much of the material in Chapters 2, 3 and 7 is a result of scribe notes, originally taken by MIT graduate students who attended Professor Goldwasser’s Cryptography and Cryptanalysis course over the years, and later edited by Frank D’Ippolito who was a teaching assistant for the course in 1991. Frank also contributed much of the advanced number theoretic material in the Appendix. Some of the material in Chapter 3 is from the chapter on Cryptography, by R. Rivest, in the Handbook of Theoretical Computer Science. Chapters 4, 5, 6, 8 and 10, and Sections 9.5 and 7.4.6, were written by Professor Bellare for his Cryptography and network security course at UCSD.
Cryptology
"... Cryptology has advanced tremendously since 1976; this chapter provides a brief overview of the current stateoftheart in the field. Several major themes predominate in the development. One such theme is the careful elaboration of the definition of security for a cryptosystem. A second theme has be ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
Cryptology has advanced tremendously since 1976; this chapter provides a brief overview of the current stateoftheart in the field. Several major themes predominate in the development. One such theme is the careful elaboration of the definition of security for a cryptosystem. A second theme has been the search for provably secure cryptosystems, based on plausible assumptions about the difficulty of specific numbertheoretic problems or on the existence of certain kinds of functions (such as oneway functions). A third theme is the invention of many novel and surprising cryptographic capabilities, such as publickey cryptography, digital signatures, secretsharing, oblivious transfers, and zeroknowledge proofs. These themes have been developed and interwoven so that today theorems of breathtaking generality and power assert the existence of cryptographic techniques capable of solving almost any imaginable cryptographic problem.
Zero knowledge interactive proofs of knowledge (a digest)", Second Conference on Theoretical Aspects of Reasoning about Knowledge
 IBM Research Division, T. J. Watson Research
, 1988
"... ..."
Cryptographic Hardness of Distributionspecific Learning
"... We investigate cryptographic lower bounds on the learnability of Boolean formulas and constant depth circuits on the {niform distribution and other specifi; distributions. We first show that weakly learning Boolean formulas and constant depth threshold circuits with membership queries on the unifor ..."
Abstract
 Add to MetaCart
We investigate cryptographic lower bounds on the learnability of Boolean formulas and constant depth circuits on the {niform distribution and other specifi; distributions. We first show that weakly learning Boolean formulas and constant depth threshold circuits with membership queries on the uniform distribution in polynomial time is as hard as factoring Blum integers (or inverting RSA, or deciding quadratic residuosity. We formalize the notion of a trivially learnable distri 1? ution and extend these hardness results to all nontrivial distributions. Moreover, we show that under appropriate assumptions on the hardness of factoring, the learnability of Boolean formulas and constant depth threshold circuits on any distribution is characterized by the distribution’s Renyi entropy. Furthermore, we show that a subexponential lower bound for factoring implies a Q(2’Og @ ‘‘) lower bound (for some constant ~) for learning Boolean circuits of depth d on the uniform distribution (with membership queries), which matches the upper bound of Linial, M ansour, and Nisan [19]. From this we conclude that, assuming such a lower bound for factoring, there is no O(npOLy 10g n) algorithm to learn all of ACO on the uniform distribution. We observe that, under cryptographic assumptions, all our bounds can be used to establish trade~trs between the running time and the number of samples necessary to learn. 1
Mathematical Foundations of Modern Cryptography: Computational Complexity Perspective
, 2002
"... Theoretical computer science has found fertile ground in many areas of mathematics. The approach has been to consider classical problems through the prism of computational complexity, where the number of basic computational steps taken to solve a problem is the crucial qualitative parameter. This ne ..."
Abstract
 Add to MetaCart
(Show Context)
Theoretical computer science has found fertile ground in many areas of mathematics. The approach has been to consider classical problems through the prism of computational complexity, where the number of basic computational steps taken to solve a problem is the crucial qualitative parameter. This new approach has led to a sequence of advances, in setting and solving new mathematical challenges as well as in harnessing discrete mathematics to the task of solving realworld problems. In this talk, I will survey the development of modern cryptography — the mathematics behind secret communications and protocols — in this light. I will describe the complexity theoretic foundations underlying the cryptographic tasks of encryption, pseudorandomness number generators and functions, zero knowledge interactive proofs, and multiparty secure protocols. I will attempt to highlight the paradigms and proof techniques which unify these foundations, and which have made their way into the mainstream of complexity theory.