Results 1-10 of 10
Efficient Cryptographic Schemes Provably as Secure as Subset Sum
Journal of Cryptology, 1993
Cited by 78 (8 self)
We show very efficient constructions for a pseudorandom generator and for a universal one-way hash function based on the intractability of the subset sum problem for certain dimensions. (Pseudorandom generators can be used for private key encryption and universal one-way hash functions for signature schemes). The increase in efficiency in our construction is due to the fact that many bits can be generated/hashed with one application of the assumed one-way function. All our constructions can be implemented in NC using an optimal number of processors. Part of this work done while both authors were at UC Berkeley and part when the second author was at the IBM Almaden Research Center. Research supported by NSF grant CCR 88-13632. A preliminary version of this paper appeared in Proc. of the 30th Symp. on Foundations of Computer Science, 1989. 1 Introduction Many cryptosystems are based on the intractability of such number theoretic problems such as factoring and discrete logarit...
The Classification of Hash Functions
1993
Cited by 24 (3 self)
When we ask what makes a hash function `good', we usually get an answer which includes collision freedom as the main (if not sole) desideratum. However, we show here that given any collision-free function, we can derive others which are also collision-free, but cryptographically useless. This explains why researchers have not managed to find many interesting consequences of this property. We also prove Okamoto's conjecture that correlation freedom is strictly stronger than collision freedom. We go on to show that there are actually rather many properties which hash functions may need. Hash functions for use with RSA must be multiplication free, in the sense that one cannot find X, Y and Z such that h(X)h(Y) = h(Z); and more complex requirements hold for other signature schemes. Universal principles can be proposed from which all the freedom properties follow, but like most theoretical principles, they do not seem to give much value to a designer; at the practical level, the main imp...
A First-Order Isomorphism Theorem
SIAM JOURNAL ON COMPUTING, 1993
Cited by 24 (5 self)
We show that for most complexity classes of interest, all sets complete under first-order projections are isomorphic under first-order isomorphisms. That is, a very restricted version of the Berman-Hartmanis Conjecture holds.
A Lower Bound for Primality
1999
Cited by 11 (5 self)
Recent work by Bernasconi, Damm and Shparlinski proved lower bounds on the circuit complexity of the square-free numbers, and raised as an open question if similar (or stronger) lower bounds could be proved for the set of prime numbers. In this short note, we answer this question affirmatively, by showing that the set of prime numbers (represented in the usual binary notation) is not contained in AC^0[p] for any prime p. Similar lower bounds are presented for the set of square-free numbers, and for the problem of computing the greatest common divisor of two numbers. Supported in part by NSF grant CCR9734918. Supported in part by NSF grant CCR9700239. Supported in part by ARC grant A69700294. 1 Introduction What is the computational complexity of the set of prime numbers? There is a large body of work presenting important upper bounds on the complexity of the set of primes (including [AH87, APR83, Mil76, R80, SS77]), but as was pointed out recently in [BDS98a, BDS9...
The Difficulty with Difficulty (A Guide to the Transparencies from the EUROCRYPT '96 IACR Distinguished Lecture)
1996
Cited by 3 (0 self)
this paper. Transparency 2 indicates the kind of provable security that I would like to see eventually reached in cryptography. By way of contrast, transparency 3 indicates the kind of provable security that most people talk about today. From a complexity viewpoint, transparency 2 deals with a nonuniform complexity measure while transparency 3 deals with a uniform complexity measure (i.e., the same algorithm must compute all instances of the function). In the former case, it makes sense to talk about a function (i.e., one and only one instance of a "function") being difficult, whereas in the latter case one must always talk about the difficulty of an infinite sequence of functions. My lecture was aimed at the former kind of difficulty.
One-Way Functions and Balanced NP
Theoretical Computer Science
Cited by 2 (1 self)
The existence of cryptographically secure one-way functions is related to the measure of a subclass of NP. This subclass, called βNP ("balanced NP"), contains 3SAT and other standard NP problems. The hypothesis that βNP is not a subset of P is equivalent to the P ≠ NP conjecture. A stronger hypothesis, that βNP is not a measure 0 subset of E_2 = DTIME(2^polynomial) is shown to have the following two consequences. 1. For every k, there is a polynomial time computable, honest function f that is (2^{n^k}/n^k)-one-way with exponential security. (That is, no 2^{n^k}-time-bounded algorithm with n^k bits of nonuniform advice inverts f on more than an exponentially small set of inputs.) 2. If DTIME(2^n) "separates all BPP pairs," then there is a (polynomial time computable) pseudorandom generator that passes all probabilistic polynomial-time statistical tests. (This result is a partial converse of Yao, Boppana, and Hirschfeld's theorem, that the existence of pseudorandom ge...
Normal Numbers and Sources for BPP
Proc. 12th STACS conference
Cited by 2 (1 self)
In [10], Lutz proposed a notion of source, a nonrandom sequence that can substitute in a certain way for the random bits used by bounded-error probabilistic machines. He showed that almost every sequence in DSPACE(2^polynomial) is a source. We improve this abundance result to PSPACE, by first showing that the sources are exactly the classical normal numbers (or normal sequences) of Borel. There are sequences clearly in P that have long been known to be normal, and we go on to show there are sources in AC^0. This suggests that alternate notions of source should be explored. 1 Introduction In [10], Lutz examines a particular kind of pseudorandomness useful for simulating the bounded-error probabilistic machines. The pseudorandomness is not in the form of a generator, that expands a short truly random string, but instead is a single computable sequence, called a source, whose elements can substitute for random bits in a repeated simulation of every bounded-error machine. Thus a source...
News from the Isomorphism Front
this article. First, however, we will need to make a digression, while we discuss some recent progress on the isomorphism conjecture.
A Lower Bound for Primality
1999
Recent work by Bernasconi, Damm and Shparlinski showed that the set of square-free numbers is not in AC, and raised as an open question whether similar (or stronger) lower bounds could be proved for the set of prime numbers. In this note, we show that the Boolean majority function is AC Turing reducible to the set of prime numbers (represented in binary). From known lower bounds on Maj (due to Razborov and Smolensky) we conclude that primality cannot be tested in AC[p] for any prime p. Similar results are obtained for the set of square-free numbers, and for the problem of computing the greatest common divisor of two numbers.
ALPS’07 - Groups and Complexity
2007
The connection between groups and recursive (un)decidability has a long history, going back to the early 1900s. Also, various polynomial-time algorithms have been known in group theory for a long time. However the impact of more general computational complexity (e.g., NP-completeness or PSpace-completeness) has been relatively small and recent. These lectures review a sampling of older facts about algorithmic problems in group theory, and then present more recent results about the connection with complexity: isoperimetric functions and NP; Thompson groups, boolean circuits, and coNP; Thompson monoids and circuit complexity; Thompson groups, reversible computing, and #P; distortion of Thompson groups within Thompson monoids, and one-way permutations. We are especially interested in deep connections between computational complexity and group theory. By “connection” we do not just mean analyzing the computational complexity of algorithms about groups. We are more interested in algebraic characterizations of complexity classes in terms of group theory, i.e., in finding a “mirror image” of all of complexity theory within group theory. Conversely, we are interested in the computational nature of concepts that appear at first purely algebraic.