Results 1  10
of
16
Publickey Cryptosystems Provably Secure against Chosen Ciphertext Attacks
 In Proc. of the 22nd STOC
, 1995
"... We show how to construct a publickey cryptosystem (as originally defined by Diffie and Hellman) secure against chosen ciphertext attacks, given a publickey cryptosystem secure against passive eavesdropping and a noninteractive zeroknowledge proof system in the shared string model. No such secure ..."
Abstract

Cited by 252 (16 self)
 Add to MetaCart
We show how to construct a publickey cryptosystem (as originally defined by Diffie and Hellman) secure against chosen ciphertext attacks, given a publickey cryptosystem secure against passive eavesdropping and a noninteractive zeroknowledge proof system in the shared string model. No such secure cryptosystems were known before. Key words. cryptography, randomized algorithms AMS subject classifications. 68M10, 68Q20, 68Q22, 68R05, 68R10 A preliminary version of this paper appeared in the Proc. of the Twenty Second ACM Symposium of Theory of Computing. y Incumbent of the Morris and Rose Goldman Career Development Chair, Dept. of Applied Mathematics and Computer Science, Weizmann Institute of Science, Rehovot 76100, Israel. Work performed while at the IBM Almaden Research Center. Research supported by an Alon Fellowship and a grant from the Israel Science Foundation administered by the Israeli Academy of Sciences. Email: naor@wisdom.weizmann.ac.il. z IBM Research Division, T.J ...
Hilbert's Nullstellensatz is in the Polynomial Hierarchy
 Journal of Complexity
, 1996
"... We show that if the Generalized Riemann Hypothesis is true, the problem of deciding whether a system of polynomial equations in several complex variables has a solution is in the second level of the polynomial hierarchy. In fact, this problem is in AM, the "ArthurMerlin" class (recall tha ..."
Abstract

Cited by 39 (9 self)
 Add to MetaCart
We show that if the Generalized Riemann Hypothesis is true, the problem of deciding whether a system of polynomial equations in several complex variables has a solution is in the second level of the polynomial hierarchy. In fact, this problem is in AM, the "ArthurMerlin" class (recall that NP ` AM ` RP NP ` \Pi 2 ). The best previous bound was PSPACE. An earlier version of this paper was distributed as NeuroCOLT Technical Report 9644. The present paper includes in particular a new lower bound for unsatisfiable systems, and remarks on the ArthurMerlin class. 1 A part of this work was done when the author was visiting DIMACS at Rutgers University. 1 Introduction In its weak form, Hilbert's Nullstellensatz states that a system f 1 (x) = 0; : : : ; f s (x) = 0 (1) of polynomial equations in n unknowns has no solution over C if and only if there are polynomials g 1 ; : : : ; g s 2 C [X 1 ; : : : ; X n ] such that P s i=1 f i g i = 1. For this reason, the problem of deciding whethe...
On Completeness and Soundness in Interactive Proof Systems
, 1989
"... An interactive proof system with Perfect Completeness (resp. Perfect Soundness) for a language L is an interactive proof (for L) in which for every x 2 L (resp. x 62 L) the verifier always accepts (resp. always rejects). We show that any language having an interactive proof system has one (of the A ..."
Abstract

Cited by 26 (1 self)
 Add to MetaCart
An interactive proof system with Perfect Completeness (resp. Perfect Soundness) for a language L is an interactive proof (for L) in which for every x 2 L (resp. x 62 L) the verifier always accepts (resp. always rejects). We show that any language having an interactive proof system has one (of the ArthurMerlin type) with perfect completeness. On the other hand, only languages in NP have interactive proofs with perfect soundness. Work done while third author was working at the IBMScientific Center, Technion City, Haifa, Israel. Second author was partially supported by the Fund for Basic Research Administered by the Israeli Academy of Sciences and Humanities. Fifth author was partially supported by PSCCUNY grant. Appeared in Advances in Computing Research: A Research Annual, Vol. 5 (Randomness and Computation, S. Micali, ed.), pages 429442, 1989. Warning: Reproduced almost automatically from an old troff file. The resulting text was not proofread. Updated affiliation for Oded Gold...
Randomized and Deterministic Algorithms for the Dimension of Algebraic Varieties
 In Proc. 38th IEEE Symposium on Foundations of Computer Science
, 1997
"... We prove old and new results on the complexity of computing the dimension of algebraic varieties. In particular, we show that this problem is NPcomplete in the BlumShubSmale model of computation over C , that it admits a s O(1) D O(n) deterministic algorithm, and that for systems with integer ..."
Abstract

Cited by 24 (9 self)
 Add to MetaCart
We prove old and new results on the complexity of computing the dimension of algebraic varieties. In particular, we show that this problem is NPcomplete in the BlumShubSmale model of computation over C , that it admits a s O(1) D O(n) deterministic algorithm, and that for systems with integer coefficients it is in the ArthurMerlin class under the Generalized Riemann Hypothesis. The first two results are based on a general derandomization argument. 1 Introduction We wish to compute the dimension of an algebraic variety V ` C n defined by a system of algebraic equations f 1 (x) = 0; : : : ; f s (x) = 0 (1) where f i 2 C [X 1 ; : : : ; Xn ]. This can be formalized as a decision problem DIMC . An instance of DIMC is a system of this form together with an integer d n. An instance is accepted if the variety defined by the system has dimension at least d. We also consider for each fixed value of d the restriction DIM d C of DIMC . For instance, DIM 0 C is the problem of dec...
ON THE POWER OF INTERACTION
"... Let IP[f(n)] be the class of languages recognized by interactive proofs with f(jxj) interactions. Babai [B] showed that all languages recognized by interactive proofs with a bounded number of interactions can be recognized by interactive proofs with only two interactions � i.e., for every constant k ..."
Abstract

Cited by 21 (3 self)
 Add to MetaCart
Let IP[f(n)] be the class of languages recognized by interactive proofs with f(jxj) interactions. Babai [B] showed that all languages recognized by interactive proofs with a bounded number of interactions can be recognized by interactive proofs with only two interactions � i.e., for every constant k, IP[k] collapses to IP[2]. In this paper, we give evidence that interactive proofs with an unbounded number of interactions may be more powerful than interactive proofs with a bounded number of interactions. We show that for any polynomially bounded polynomial time computable function f(n) and any g(n) =o(f(n)) there exists an oracle B such that IPB [f(n)] 6 IPB [g(n)]. The techniques employed are extensions of the techniques for proving lower bounds on small depth circuits used in [FSS], [Y] and [H1].
ComplexityTheoretic Aspects of Interactive Proof Systems
, 1989
"... In 1985, Goldwasser, Micali and Rackoff formulated interactive proof systems as a tool for developing cryptographic protocols. Indeed, many exciting cryptographic results followed from studying interactive proof systems and the related concept of zeroknowledge. Interactive proof systems also have a ..."
Abstract

Cited by 19 (3 self)
 Add to MetaCart
In 1985, Goldwasser, Micali and Rackoff formulated interactive proof systems as a tool for developing cryptographic protocols. Indeed, many exciting cryptographic results followed from studying interactive proof systems and the related concept of zeroknowledge. Interactive proof systems also have an important part in complexity theory merging the well established concepts of probabilistic and nondeterministic computation. This thesis will study the complexity of various models of interactive proof systems. A perfect zeroknowledge interactive protocol convinces a verifier that a string is in a language without revealing any additional knowledge in an information theoretic sense. This thesis will show that for any language that has a perfect zeroknowledge proof system, its complement has a short interactive protocol. This result implies that there are not any perfect zeroknowledge protocols for NPcomplete languages unless the polynomialtime hierarchy collapses. Thus knowledge comp...
Probabilistic Computation and Linear Time
 Proc. 21st IEEE Symposium on Foundations of Computer Science
, 1997
"... In this paper, we give an oracle under which BPP is equal to probabilistic linear time, an unusual collapse of a complexity time hierarchy. In addition, we also give oracles where \Delta P 2 is contained in probabilistic linear time and where BPP has linear sized circuits, as well as oracles for t ..."
Abstract

Cited by 9 (2 self)
 Add to MetaCart
In this paper, we give an oracle under which BPP is equal to probabilistic linear time, an unusual collapse of a complexity time hierarchy. In addition, we also give oracles where \Delta P 2 is contained in probabilistic linear time and where BPP has linear sized circuits, as well as oracles for the negation of these questions. This indicates that these questions will not be solved by techniques that relativize. We also note that probabilistic linear time can not contain both NP and BPP, implying that there are languages solvable by interactive proof systems that can not be solved in probabilistic linear time. 1 Introduction According to general belief, a problem has an efficient deterministic algorithm when the algorithm runs in time polynomial in the size of the problem. At first this seems natural, though algorithms that take time n 10 , where n is the size of the problem, strain the notion of efficiency. Most of the natural problems that have polynomial time algorithms have al...
On Unique Satisfiability and the Threshold Behavior of Randomized Reductions
 Journal of Computer and System Sciences
, 1995
"... The research presented in this paper is motivated by the some new results on the complexity of the unique satisfiability problem, USAT. These results, which are shown for the first time in this paper, are: ffl if USATj P m USAT, then D P = coD P and PH collapses. ffl if USAT 2 coD P , the ..."
Abstract

Cited by 8 (1 self)
 Add to MetaCart
The research presented in this paper is motivated by the some new results on the complexity of the unique satisfiability problem, USAT. These results, which are shown for the first time in this paper, are: ffl if USATj P m USAT, then D P = coD P and PH collapses. ffl if USAT 2 coD P , then PH collapses. ffl if USAT has OR! , then PH collapses. The proofs of these results use only the fact that USAT is complete for D P under randomized reductionseven though the probability bound of these reductions may be low. Furthermore, these results show that the structural complexity of USAT and of D P manyone complete sets are very similar, and so they lend support to the argument that even sets complete under "weak" randomized reductions can capture the properties of the manyone complete sets. However, under these "weak" randomized reductions, USAT is complete for P SAT[log n] as well, and in this case, USAT does not capture the properties of the sets manyone complete for ...
Dedekind Zeta Functions and the Complexity of Hilbert’s Nullstellensatz
, 2008
"... Let HN denote the problem of determining whether a system of multivariate polynomials with integer coefficients has a complex root. It has long been known that HN ∈P = ⇒ P =NP and, thanks to recent work of Koiran, it is now known that the truth of the Generalized Riemann Hypothesis (GRH) yields the ..."
Abstract

Cited by 5 (4 self)
 Add to MetaCart
Let HN denote the problem of determining whether a system of multivariate polynomials with integer coefficients has a complex root. It has long been known that HN ∈P = ⇒ P =NP and, thanks to recent work of Koiran, it is now known that the truth of the Generalized Riemann Hypothesis (GRH) yields the implication HN ̸∈P = ⇒ P ̸=NP. We show that the assumption of GRH in the latter implication can be replaced by either of two more plausible hypotheses from analytic number theory. The first is an effective short interval Prime Ideal Theorem with explicit dependence on the underlying field, while the second can be interpreted as a quantitative statement on the higher moments of the zeroes of Dedekind zeta functions. In particular, both assumptions can still hold even if GRH is false. We thus obtain a new application of Dedekind zero estimates to computational algebraic geometry. Along the way, we also apply recent explicit algebraic and analytic estimates, some due to Silberman and Sombra, which may be of independent interest.
Simultaneous Strong Separations of Probabilistic and Unambiguous Complexity Classes
, 1992
"... We study the relationship between probabilistic and unambiguous computation, and provide strong relativized evidence that they are incomparable. In particular, we display a relativized world in which the complexity classes embodying these paradigms of computation are mutually immune. We answer q ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
We study the relationship between probabilistic and unambiguous computation, and provide strong relativized evidence that they are incomparable. In particular, we display a relativized world in which the complexity classes embodying these paradigms of computation are mutually immune. We answer questions formulated inand extend the line of research opened byGeske and Grollman [15] and Balcazar and Russo [3]. 1 Introduction: Why Compare Computational Paradigms? Many complexity classes have been defined in recent years to characterize the computational powers of natural approaches to computation. However, # Some of these results were announced at the 1989 International Conference on Computing and Information, Toronto, Canada. + Xerox Palo Alto Research Center, 3333 Coyote Hill Road, Palo Alto, CA 94304. Research performed in part while at Columbia University, supported in part by NSF grants DCR8511713 and CCR8605353. # Department of Computer Science, University of Roc...