A program correctness checker is an algorithm for checking the output of a computation. That is, given a program and an instance on which the program is run, the checker certifies whether the output of the program on that instance is correct. This paper defines the concept of a program checker. It designs program checkers for a few specific and carefully chosen problems in the class FP of functions computable in polynomial time. Problems in FP for which checkers are presented in this paper include Sorting, Matrix Rank and GCD. It also applies methods of modern cryptography, especially the idea of a probabilistic interactive proof, to the design of program checkers for group theoretic computations. Two strucural theorems are proven here. One is a characterization of problems that can be checked. The other theorem establishes equivalence classes of problems such that whenever one problem in a class is checkable, all problems in the class are checkable. Supported by NSF Grant #CCR88-136...

In this paper we prove the intractability of learning several classes of Boolean functions in the distribution-free model (also called the Probably Approximately Correct or PAC model) of learning from examples. These results are representation independent, in that they hold regardless of the syntactic form in which the learner chooses to represent its hypotheses. Our methods reduce the problems of cracking a number of well-known public-key cryptosystems to the learning problems. We prove that a polynomial-time learning algorithm for Boolean formulae, deterministic finite automata or constant-depth threshold circuits would have dramatic consequences for cryptography and number theory: in particular, such an algorithm could be used to break the RSA cryptosystem, factor Blum integers (composite numbers equivalent to 3 modulo 4), and detect quadratic residues. The results hold even if the learning algorithm is only required to obtain a slight advantage in prediction over random guessing. The techniques used demonstrate an interesting duality between learning and cryptography. We also apply our results to obtain strong intractability results for approximating a generalization of graph coloring.

A basic question about NP is whether or not search reduces in polynomial time to decision. We indicate that the answer is negative: under a complexity assumption (that deterministic and non-deterministic double-exponential time are unequal) we construct a language in NP for which search does not reduce to decision. These ideas extend in a natural way to interactive proofs and program checking. Under similar assumptions we present languages in NP for which it is harder to prove membership interactively than it is to decide this membership, and languages in NP which are not checkable. Keywords: NP-completeness, self-reducibility, interactive proofs, program checking, sparse sets,

Signature schemes are fundamental cryptographic primitives, useful as a stand-alone application, and as a building block in the design of secure protocols and other cryptographic objects. In this thesis, we study both the uses that signature schemes find in protocols, and the design of signature schemes suitable for a broad range of applications. An important

This is a set of lecture notes on cryptography compiled for 6.87s, a one week long course on cryptography taught at MIT by Shafi Goldwasser and Mihir Bellare in the summers of 1996–2001. The notes were formed by merging notes written for Shafi Goldwasser’s Cryptography and Cryptanalysis course at MIT with notes written for Mihir Bellare’s Cryptography and network security course at UCSD. In addition, Rosario Gennaro (as Teaching Assistant for the course in 1996) contributed Section 9.6, Section 11.4, Section 11.5, and Appendix D to the notes, and also compiled, from various sources, some of the problems in Appendix E. Cryptography is of course a vast subject. The thread followed by these notes is to develop and explain the notion of provable security and its usage for the design of secure protocols. Much of the material in Chapters 2, 3 and 7 is a result of scribe notes, originally taken by MIT graduate students who attended Professor Goldwasser’s Cryptography and Cryptanalysis course over the years, and later edited by Frank D’Ippolito who was a teaching assistant for the course in 1991. Frank also contributed much of the advanced number theoretic material in the Appendix. Some of the material in Chapter 3 is from the chapter on Cryptography, by R. Rivest, in the Handbook of Theoretical Computer Science. Chapters 4, 5, 6, 8 and 10, and Sections 9.5 and 7.4.6, were written by Professor Bellare for his Cryptography and network security course at UCSD.

Suppose an associate handed you a 500 digit number N, and informed you, "I know the prime factorization of N. " What would convince you of the truth of your associate's statement? If your associate could be persuaded to reveal the factorization to you, a few simple tests would convince you of the statement's truth. Unfortunately the associate responds to this request by saying, "The factorization is a secret. In fact, I would like to convince you that I know the factorization of N without divulging any other useful information." How can you hope to be convinced that your associate is not deceiving you? Needless to say, a primality testing algorithm quickly reveals N to be composite, but your favorite factorization algorithms make no progress whatever. These seemingly irreconcilable positions (the associate's unwillingness to reveal any knowledge, your unwillingness to accept your associate's statement without proof) are reconcilable through a protocol known as a "zero knowledge interactive proof", intro-duced by Goldwasser, Mica]i, and Rackofl ~ [15] in 1985. Informally, an interactive proof is a pair of protocols executed by two parties, called the "prover " and the "verifier",