We show how to construct a public-key cryptosystem (as originally defined by Diffie and Hellman) secure against chosen ciphertext attacks, given a public-key cryptosystem secure against passive eavesdropping and a non-interactive zero-knowledge proof system in the shared string model. No such secure cryptosystems were known before. Key words. cryptography, randomized algorithms AMS subject classifications. 68M10, 68Q20, 68Q22, 68R05, 68R10 A preliminary version of this paper appeared in the Proc. of the Twenty Second ACM Symposium of Theory of Computing. y Incumbent of the Morris and Rose Goldman Career Development Chair, Dept. of Applied Mathematics and Computer Science, Weizmann Institute of Science, Rehovot 76100, Israel. Work performed while at the IBM Almaden Research Center. Research supported by an Alon Fellowship and a grant from the Israel Science Foundation administered by the Israeli Academy of Sciences. E-mail: naor@wisdom.weizmann.ac.il. z IBM Research Division, T.J ...

We show that if the Generalized Riemann Hypothesis is true, the problem of deciding whether a system of polynomial equations in several complex variables has a solution is in the second level of the polynomial hierarchy. In fact, this problem is in AM, the "Arthur-Merlin" class (recall that NP ` AM ` RP NP ` \Pi 2 ). The best previous bound was PSPACE. An earlier version of this paper was distributed as NeuroCOLT Technical Report 96-44. The present paper includes in particular a new lower bound for unsatisfiable systems, and remarks on the ArthurMerlin class. 1 A part of this work was done when the author was visiting DIMACS at Rutgers University. 1 Introduction In its weak form, Hilbert's Nullstellensatz states that a system f 1 (x) = 0; : : : ; f s (x) = 0 (1) of polynomial equations in n unknowns has no solution over C if and only if there are polynomials g 1 ; : : : ; g s 2 C [X 1 ; : : : ; X n ] such that P s i=1 f i g i = 1. For this reason, the problem of deciding whethe...

We prove old and new results on the complexity of computing the dimension of algebraic varieties. In particular, we show that this problem is NP-complete in the Blum-Shub-Smale model of computation over C , that it admits a s O(1) D O(n) deterministic algorithm, and that for systems with integer coefficients it is in the Arthur-Merlin class under the Generalized Riemann Hypothesis. The first two results are based on a general derandomization argument. 1 Introduction We wish to compute the dimension of an algebraic variety V ` C n defined by a system of algebraic equations f 1 (x) = 0; : : : ; f s (x) = 0 (1) where f i 2 C [X 1 ; : : : ; Xn ]. This can be formalized as a decision problem DIMC . An instance of DIMC is a system of this form together with an integer d n. An instance is accepted if the variety defined by the system has dimension at least d. We also consider for each fixed value of d the restriction DIM d C of DIMC . For instance, DIM 0 C is the problem of dec...

An interactive proof system with Perfect Completeness (resp. Perfect Soundness) for a language L is an interactive proof (for L) in which for every x 2 L (resp. x 62 L) the verifier always accepts (resp. always rejects). We show that any language having an interactive proof system has one (of the Arthur-Merlin type) with perfect completeness. On the other hand, only languages in NP have interactive proofs with perfect soundness. Work done while third author was working at the IBM-Scientific Center, Technion City, Haifa, Israel. Second author was partially supported by the Fund for Basic Research Administered by the Israeli Academy of Sciences and Humanities. Fifth author was partially supported by PSC-CUNY grant. Appeared in Advances in Computing Research: A Research Annual, Vol. 5 (Randomness and Computation, S. Micali, ed.), pages 429--442, 1989. Warning: Reproduced almost automatically from an old troff file. The resulting text was not proofread. Updated affiliation for Oded Gold...

Let IP[f(n)] be the class of languages recognized by interactive proofs with f(jxj) interactions. Babai [B] showed that all languages recognized by interactive proofs with a bounded number of interactions can be recognized by interactive proofs with only two interactions � i.e., for every constant k, IP[k] collapses to IP[2]. In this paper, we give evidence that interactive proofs with an unbounded number of interactions may be more powerful than interactive proofs with a bounded number of interactions. We show that for any polynomially bounded polynomial time computable function f(n) and any g(n) =o(f(n)) there exists an oracle B such that IPB [f(n)] 6 IPB [g(n)]. The techniques employed are extensions of the techniques for proving lower bounds on small depth circuits used in [FSS], [Y] and [H1].

In 1985, Goldwasser, Micali and Rackoff formulated interactive proof systems as a tool for developing cryptographic protocols. Indeed, many exciting cryptographic results followed from studying interactive proof systems and the related concept of zero-knowledge. Interactive proof systems also have an important part in complexity theory merging the well established concepts of probabilistic and nondeterministic computation. This thesis will study the complexity of various models of interactive proof systems. A perfect zero-knowledge interactive protocol convinces a verifier that a string is in a language without revealing any additional knowledge in an information theoretic sense. This thesis will show that for any language that has a perfect zero-knowledge proof system, its complement has a short interactive protocol. This result implies that there are not any perfect zero-knowledge protocols for NP-complete languages unless the polynomial-time hierarchy collapses. Thus knowledge comp...

In this paper, we give an oracle under which BPP is equal to probabilistic linear time, an unusual collapse of a complexity time hierarchy. In addition, we also give oracles where \Delta P 2 is contained in probabilistic linear time and where BPP has linear sized circuits, as well as oracles for the negation of these questions. This indicates that these questions will not be solved by techniques that relativize. We also note that probabilistic linear time can not contain both NP and BPP, implying that there are languages solvable by interactive proof systems that can not be solved in probabilistic linear time. 1 Introduction According to general belief, a problem has an efficient deterministic algorithm when the algorithm runs in time polynomial in the size of the problem. At first this seems natural, though algorithms that take time n 10 , where n is the size of the problem, strain the notion of efficiency. Most of the natural problems that have polynomial time algorithms have al...

The research presented in this paper is motivated by the some new results on the complexity of the unique satisfiability problem, USAT. These results, which are shown for the first time in this paper, are: ffl if USATj P m USAT, then D P = co-D P and PH collapses. ffl if USAT 2 co-D P , then PH collapses. ffl if USAT has OR! , then PH collapses. The proofs of these results use only the fact that USAT is complete for D P under randomized reductions---even though the probability bound of these reductions may be low. Furthermore, these results show that the structural complexity of USAT and of D P many-one complete sets are very similar, and so they lend support to the argument that even sets complete under "weak" randomized reductions can capture the properties of the many-one complete sets. However, under these "weak" randomized reductions, USAT is complete for P SAT[log n] as well, and in this case, USAT does not capture the properties of the sets many-one complete for ...

Let HN denote the problem of determining whether a system of multivariate polynomials with integer coefficients has a complex root. It has long been known that HN ∈P = ⇒ P =NP and, thanks to recent work of Koiran, it is now known that the truth of the Generalized Riemann Hypothesis (GRH) yields the implication HN ̸∈P = ⇒ P ̸=NP. We show that the assumption of GRH in the latter implication can be replaced by either of two more plausible hypotheses from analytic number theory. The first is an effective short interval Prime Ideal Theorem with explicit dependence on the underlying field, while the second can be interpreted as a quantitative statement on the higher moments of the zeroes of Dedekind zeta functions. In particular, both assumptions can still hold even if GRH is false. We thus obtain a new application of Dedekind zero estimates to computational algebraic geometry. Along the way, we also apply recent explicit algebraic and analytic estimates, some due to Silberman and Sombra, which may be of independent interest.

We study the relationship between probabilistic and unambiguous computation, and provide strong relativized evidence that they are incomparable. In particular, we display a relativized world in which the complexity classes embodying these paradigms of computation are mutually immune. We answer questions formulated in---and extend the line of research opened by---Geske and Grollman [15] and Balcazar and Russo [3]. 1 Introduction: Why Compare Computational Paradigms? Many complexity classes have been defined in recent years to characterize the computational powers of natural approaches to computation. However, # Some of these results were announced at the 1989 International Conference on Computing and Information, Toronto, Canada. + Xerox Palo Alto Research Center, 3333 Coyote Hill Road, Palo Alto, CA 94304. Research performed in part while at Columbia University, supported in part by NSF grants DCR-85-11713 and CCR-86-05353. # Department of Computer Science, University of Roc...