Results 1 - 10 of 77
Proofs that Yield Nothing but Their Validity or All Languages in NP Have Zero-Knowledge Proof Systems
- Journal of the ACM, 1991
Cited by 327 (45 self)
Abstract. In this paper the generality and wide applicability of zero-knowledge proofs, a notion introduced by Goldwasser, Micali, and Rackoff, is demonstrated. These are probabilistic and interactive proofs that, for the members of a language, efficiently demonstrate membership in the language without conveying any additional knowledge. All previously known zero-knowledge proofs were only for number-theoretic languages in NP ∩ coNP. Under the assumption that secure encryption functions exist or by using "physical means for hiding information," it is shown that all languages in NP have zero-knowledge proofs. Loosely speaking, it is possible to demonstrate that a CNF formula is satisfiable without revealing any other property of the formula, in particular, without yielding neither a
A Concrete Security Treatment of Symmetric Encryption
- Proceedings of the 38th Symposium on Foundations of Computer Science, IEEE, 1997
Cited by 296 (48 self)
We study notions and schemes for symmetric (i.e. private key) encryption in a concrete security framework. We give four different notions of security against chosen plaintext attack and analyze the concrete complexity of reductions among them, providing both upper and lower bounds, and obtaining tight relations. In this way we classify notions (even though polynomially reducible to each other) as stronger or weaker in terms of concrete security. Next we provide concrete security analyses of methods to encrypt using a block cipher, including the most popular encryption method, CBC. We establish tight bounds (meaning
Cryptographic Limitations on Learning Boolean Formulae and Finite Automata
- Proceedings of the Twenty-First Annual ACM Symposium on Theory of Computing, 1989
Cited by 279 (17 self)
In this paper we prove the intractability of learning several classes of Boolean functions in the distribution-free model (also called the Probably Approximately Correct or PAC model) of learning from examples. These results are representation independent, in that they hold regardless of the syntactic form in which the learner chooses to represent its hypotheses. Our methods reduce the problems of cracking a number of well-known public-key cryptosystems to the learning problems. We prove that a polynomial-time learning algorithm for Boolean formulae, deterministic finite automata or constant-depth threshold circuits would have dramatic consequences for cryptography and number theory: in particular, such an algorithm could be used to break the RSA cryptosystem, factor Blum integers (composite numbers equivalent to 3 modulo 4), and detect quadratic residues. The results hold even if the learning algorithm is only required to obtain a slight advantage in prediction over random guessing. The techniques used demonstrate an interesting duality between learning and cryptography. We also apply our results to obtain strong intractability results for approximating a generalization of graph coloring.
Foundations of Cryptography (Fragments of a Book), 1995
Cited by 140 (21 self)
this paper date to early 1983. Yet, the paper, being rejected three times from major conferences, has first appeared in public only in 1985, concurrently to the paper of Babai [B85].) A restricted form of interactive proofs, known by the name Arthur-Merlin Games, was introduced by Babai [B85]. (The restricted form turned out to be equivalent in power; see Section [mssng(eff-p.sec)].) The interactive proof for Graph Non-Isomorphism is due to Goldreich, Micali and Wigderson. The concept of zero-knowledge has been introduced by Goldwasser, Micali and Rackoff, in the same paper quoted above [R85]. Their paper contained also a perfect zero-knowledge proof for Quadratic Non-Residuosity. The perfect zero-knowledge proof system for Graph Isomorphism is due to Goldreich, Micali and Wigderson [W86]. The latter paper is also the source to the zero-knowledge proof systems for all languages in NP, using any (non-uniformly) one-way function. (Brassard and Crépeau have later constructed alternative zero-knowledge proof systems for NP, using a stronger intractability assumption, specifically the intractability of the Quadratic Residuosity Problem.) The cryptographic applications of zero-knowledge proofs were the very motivation for their presentation in [R85]. Zero-knowledge proofs were applied to solve cryptographic problems in [FRW85] and [CF85]. However, many more applications were possible once it was shown how to construct zero-knowledge proof systems for every language in NP. In particular, general methodologies for the construction of cryptographic protocols have appeared in [GMW86, GW87]
Software Protection and Simulation on Oblivious RAMs, 1993
Cited by 111 (11 self)
Software protection is one of the most important issues concerning computer practice. There exist many heuristics and ad-hoc methods for protection, but the problem as a whole has not received the theoretical treatment it deserves. In this paper we provide theoretical treatment of software protection. We reduce the problem of software protection to the problem of efficient simulation on oblivious RAM. A machine is oblivious if the sequence in which it accesses memory locations is equivalent for any two inputs with the same running time. For example, an oblivious Turing Machine is one for which the movement of the heads on the tapes is identical for each computation. (Thus, it is independent of the actual input.) What is the slowdown in the running time of any machine, if it is required to be oblivious? In 1979 Pippenger and Fischer showed how a two-tape oblivious Turing Machine can simulate, on-line, a one-tape Turing Machine, with a logarithmic slowdown in the running time. We s...
The gap-problems: a new class of problems for the security of cryptographic schemes
- Proceedings of PKC 2001, volume 1992 of LNCS, 1992
Cited by 107 (11 self)
Abstract. This paper introduces a novel class of computational problems, the gap problems, which can be considered as a dual to the class of the decision problems. We show the relationship among inverting problems, decision problems and gap problems. These problems find a nice and rich practical instantiation with the Diffie-Hellman problems. Then, we see how the gap problems find natural applications in cryptography, namely for proving the security of very efficient schemes, but also for solving a more than 10-year-old open security problem: Chaum's undeniable signature.
On The Power Of Two-Points Based Sampling
- Journal of Complexity, 1989
Cited by 84 (15 self)
The purpose of this note is to present a new sampling technique and to demonstrate some of its properties. The new technique consists of picking two elements at random, and deterministically generating (from them) a long sequence of pairwise independent elements. The sequence is guaranteed to intersect, with high probability, any set of non-negligible density.

1. Introduction

In recent years the role of randomness in computation has become more and more dominant. Randomness was used to speed up sequential computations (e.g. primality testing, testing polynomial identities, etc.), but its effect on parallel and distributed computation is even more impressive. In either case the solutions are typically presented such that they are guaranteed to produce the desired result with some non-negligible probability. It is implicitly suggested that if a higher degree of confidence is required the algorithm should be run several times, each time using different coin tosses. Since the coin tosses f...
Dyad: A System for Using Physically Secure Coprocessors
- Proceedings of the Joint Harvard-MIT Workshop on Technological Strategies for the Protection of Intellectual Property in the Network Multimedia Environment, 1991
Cited by 78 (1 self)
The Dyad project at Carnegie Mellon University is using physically secure coprocessors to achieve new protocols and systems addressing a number of perplexing security problems. These coprocessors can be produced as boards or integrated circuit chips and can be directly inserted in standard workstations or PC-style computers. This paper presents a set of security problems and easily implementable solutions that exploit the power of physically secure coprocessors: (1) protecting the integrity of publicly accessible workstations, (2) tamper-proof accounting/audit trails, (3) copy protection, and (4) electronic currency without centralized servers. We outline the architectural requirements for the use of secure coprocessors. 1 Introduction and Motivation The Dyad project at Carnegie Mellon University is using physically secure coprocessors to achieve new protocols and systems addressing a number of perplexing security problems. These coprocessors can be produced as boards or integrated ...
Inductive Inference, DFAs and Computational Complexity
- 2nd Int. Workshop on Analogical and Inductive Inference (AII), 1989
Cited by 73 (1 self)
This paper surveys recent results concerning the inference of deterministic finite automata (DFAs). The results discussed determine the extent to which DFAs can be feasibly inferred, and highlight a number of interesting approaches in computational learning theory.
Some Consequences of Cryptographical Conjectures for . . ., 1995
Cited by 67 (7 self)
We show that there is a pair of disjoint NP-sets, whose disjointness is provable in S^1_2 and which cannot be separated by a set in P/poly, if the cryptosystem RSA is secure. Further we show that factoring and the discrete logarithm are implicitly definable in any extension of S^1_2 admitting an NP-definition of primes about which it can prove that no number satisfying the definition is composite. As a corollary we obtain that the Extended Frege (EF) proof system does not admit a feasible interpolation theorem unless the RSA cryptosystem is not secure, and that an extension of EF by tautologies p (p primes), formalizing that p is not composite, as additional axioms does not admit a feasible interpolation theorem unless factoring and the discrete logarithm are in P/poly. The NP ≠ coNP conjecture is equivalent to the statement that no propositional proof system (as defined in [6]) admits polynomial size proofs of all tautologies. However, only for few proof systems occur...