Entity Authentication and Key Distribution
, 1993
Cited by 388 (12 self)
Entity authentication and key distribution are central cryptographic problems in distributed computing -- but up until now, they have lacked even a meaningful definition. One consequence is that incorrect and inefficient protocols have proliferated. This paper provides the first treatment of these problems in the complexity-theoretic framework of modern cryptography. Addressed in detail are two problems of the symmetric, two-party setting: mutual authentication and authenticated key exchange. For each we present a definition, protocol, and proof that the protocol meets its goal, assuming the (minimal) assumption of pseudorandom function. When this assumption is appropriately instantiated, the protocols given are practical and efficient.
Optimal Asymmetric Encryption – How to Encrypt with RSA
, 1995
Cited by 176 (18 self)
Given an arbitrary k-bit to k-bit trapdoor permutation f and a hash function, we exhibit an encryption scheme for which (i) any string x of length slightly less than k bits can be encrypted as $f(r_x)$, where $r_x$ is a simple probabilistic encoding of x depending on the hash function; and (ii) the scheme can be proven semantically secure assuming the hash function is "ideal." Moreover, a slightly enhanced scheme is shown to have the property that the adversary can create ciphertexts only of strings for which she "knows" the corresponding plaintexts; such a scheme is not only semantically secure but also non-malleable and secure against chosen-ciphertext attack.
A forward-secure digital signature scheme
, 1999
Cited by 149 (12 self)
We describe a digital signature scheme in which the public key is fixed but the secret signing key is updated at regular intervals so as to provide a forward security property: compromise of the current secret key does not enable an adversary to forge signatures pertaining to the past. This can be useful to mitigate the damage caused by key exposure without requiring distribution of keys. Our construction uses ideas from the Fiat-Shamir and Ong-Schnorr identification and signature schemes, and is proven to be forward secure based on the hardness of factoring, in the random oracle model. The construction is also quite efficient.
Knowledge, probability, and adversaries
- Journal of the ACM
, 1993
Cited by 62 (21 self)
What should it mean for an agent to know or believe an assertion is true with probability .99? Different papers [FH88, FZ88a, HMT88] give different answers, choosing to use quite different probability spaces when computing the probability that an agent assigns to an event. We show that each choice can be understood in terms of a betting game. This betting game itself can be understood in terms of three types of adversaries influencing three different aspects of the game. The first selects the outcome of all nondeterministic choices in the system; the second represents the knowledge of the agent's opponent in the betting game (this is the key place the papers mentioned above differ); the third is needed in asynchronous systems to choose the time the bet is placed. We illustrate the need for considering all three types of adversaries with a number of examples. Given a class of adversaries, we show how to assign probability spaces to agents in a way most appropriate for that class, where "most appropriate" is made precise in terms of this betting game. We conclude by showing how different assignments of probability spaces (corresponding to different opponents) yield different levels of guarantees in probabilistic coordinated attack.
Perfect zero-knowledge in constant rounds
- In Proceedings of the Twenty Second Annual ACM Symposium on Theory of Computing
, 1990
Cited by 31 (4 self)
Quadratic residuosity and graph isomorphism are classic problems and the canonical examples of zero-knowledge languages. However, despite much research effort, all previous zero-knowledge proofs for them required either cryptography (and thus unproven assumptions) or an unbounded number of rounds of message exchange. For both (and similar) languages, we exhibit zero-knowledge proofs that require 5 rounds and no unproven assumptions. Our solution is essentially optimal, in this setting, due to a recent lower-bound argument of Goldreich and Krawczyk.
The complexity of decision versus search
- SIAM Journal on Computing
, 1994
Cited by 30 (1 self)
A basic question about NP is whether or not search reduces in polynomial time to decision. We indicate that the answer is negative: under a complexity assumption (that deterministic and non-deterministic double-exponential time are unequal) we construct a language in NP for which search does not reduce to decision. These ideas extend in a natural way to interactive proofs and program checking. Under similar assumptions we present languages in NP for which it is harder to prove membership interactively than it is to decide this membership, and languages in NP which are not checkable.
Keywords: NP-completeness, self-reducibility, interactive proofs, program checking, sparse sets,
Randomness in Interactive Proofs
- Computational Complexity
, 1993
Cited by 29 (5 self)
This paper initiates a study of the quantitative aspects of randomness in interactive proofs. Our main result, which applies to the equivalent form of IP known as Arthur-Merlin (AM) games, is a randomness-efficient technique for decreasing the error probability. Given an AM proof system for L which achieves error probability $1/3$ at the cost of Arthur sending $l(n)$ random bits per round, and given a polynomial $k = k(n)$, we show how to construct an AM proof system for L which, in the same number of rounds as the original proof system, achieves error $2^{-k(n)}$ at the cost of Arthur sending only $O(l + k)$ random bits per round. Underlying the transformation is a novel sampling method for approximating the average value of an arbitrary function $f : \{0,1\}^l \to [0,1]$. The method evaluates the function on $O(\epsilon^{-2} \log \delta^{-1})$ sample points generated using only $O(l + \log \delta^{-1})$ coin tosses to get an estimate which with probability at least $1 - \delta$ is within ...
The Random Oracle Hypothesis is False
- Journal of Computer and System Sciences
, 1994
Cited by 24 (2 self)
The Random Oracle Hypothesis, attributed to Bennett and Gill, essentially states that the relationships between complexity classes which hold for almost all relativized worlds must also hold in the unrelativized case. Although this paper is not the first to provide a counterexample to the Random Oracle Hypothesis, it does provide a most compelling counterexample by showing that for almost all oracles A, $\mathrm{IP}^A \neq \mathrm{PSPACE}^A$. If the Random Oracle Hypothesis were true, it would contradict Shamir's result that IP = PSPACE. In fact, it is shown that for almost all oracles A, $\mathrm{co\text{-}NP}^A \not\subseteq \mathrm{IP}^A$. These results extend to the multi-prover proof systems of Ben-Or, Goldwasser, Kilian and Wigderson. In addition, this paper shows that the Random Oracle Hypothesis is sensitive to small changes in the definition. A class IPP, similar to IP, is defined. Surprisingly, the IPP = PSPACE result holds for all oracle worlds.
Minimum Resource Zero-Knowledge Proofs
- In 30th Annual Symposium on Foundations of Computer Science
, 1989
Cited by 24 (2 self)
Joe Kilian, Silvio Micali, Rafail Ostrovsky
We consider several resources relating to zero-knowledge protocols: the number of envelopes used in the protocol, the number of oblivious transfer protocols executed during the protocol, and the total amount of communication required by the protocol. We show that after a pre-processing stage consisting of $O(k)$ executions of Oblivious Transfer, any polynomial number of NP-theorems of any poly-size can be proved non-interactively and in zero-knowledge, based on the existence of any one-way function, so that the probability of accepting a false theorem is less than $1/2^k$.
One-Way Functions, Hard on Average Problems, and Statistical Zero-Knowledge Proofs (Extended Abstract)
- In Proceedings of the 6th Annual Structure in Complexity Theory Conference
, 1991
Cited by 23 (6 self)
In this paper, we study connections among one-way functions, hard on the average problems, and statistical zero-knowledge proofs. In particular, we show how these three notions are related and how the third notion can be better characterized, assuming the first one.

