We describe results from an apparatus and protocol designed to implement quantum key distribution, by which two users, who share no secret information initially: 1) exchange a random quantum transmission, consisting of very faint flashes of polarized light; 2) by subsequent public discussion of the sent and received versions of this transmission estimate the extent of eavesdropping that might have taken place on it, and finally 3) if this estimate is small enough, distill from the sent and received versions a smaller body of shared random information, which is certifiably secret in the sense that any third party's expected information on it is an exponentially small fraction of one bit. Because the system depends on the uncertainty principle of quantum physics, instead of usual mathematical assumptions such as the difficulty of factoring, it remains secure against an adversary with unlimited computing power. A preliminary version of this paper was presented at Eurocrypt '90, May 21 ...

this paper date to early 1983. Yet, the paper, being rejected three times from major conferences, has first appeared in public only in 1985, concurrently to the paper of Babai [B85].) A restricted form of interactive proofs, known by the name Arthur Mer'lin Games, was introduced by Babai [B85]. (The restricted form turned out to be equivalent in power see Section [mssng(eff-p.sec)].) The interactive proof for Graph Non-Isomorphism is due to Goldreich, Micali and Wigderson The concept of zero-knowledge has been introduced by Goldwasser, Micali and Rackoff, in the same paper quoted above [R85]. Their paper contained also a perfect zeroknowledge proof for Quadratic Non Residuousity. The perfect zero-knowledge proof system for Graph Isomorphism is due to Goldreich, Micali and Wigderson [W86]. The latter paper is also the source to the zero-knowledge proof systems for all languages in 2V72, using any (nonunifomly) one-way function. (Brassard and Crapeau have later' constructed alternative zero-knowledge proof systems for 2V72, using a stronger' intractability assumption, specifically the intractability of the Quadratic Residuousity Problem.) The cryptographic applications of zero-knowledge proofs were the very motivation for their presentation in [R85]. Zero-knowledge proofs were applied to solve cryptographic problems in [FRW85] and [CF85]. However, many more applications were possible once it was shown how to construct zero-knowledge proof systems for every language in In particular, general methodologies for the construction of cryptographic protocols have appeared in [6MW86,GW87]

We show very efficient constructions for a pseudo-random generator and for a universal one-way hash function based on the intractability of the subset sum problem for certain dimensions. (Pseudo-random generators can be used for private key encryption and universal one-way hash functions for signature schemes). The increase in efficiency in our construction is due to the fact that many bits can be generated/hashed with one application of the assumed one-way function. All our construction can be implemented in NC using an optimal number of processors. Part of this work done while both authors were at UC Berkeley and part when the second author was at the IBM Almaden Research Center. Research supported by NSF grant CCR 88 - 13632. A preliminary version of this paper appeared in Proc. of the 30th Symp. on Foundations of Computer Science, 1989. 1 Introduction Many cryptosystems are based on the intractability of such number theoretic problems such as factoring and discrete logarit...

. The general subset sum problem is NP-complete. However, there are two algorithms, one due to Brickell and the other to Lagarias and Odlyzko, which in polynomial time solve almost all subset sum problems of sufficiently low density. Both methods rely on basis reduction algorithms to find short non-zero vectors in special lattices. The Lagarias-Odlyzko algorithm would solve almost all subset sum problems of density ! 0:6463 : : : in polynomial time if it could invoke a polynomial-time algorithm for finding the shortest non-zero vector in a lattice. This paper presents two modifications of that algorithm, either one of which would solve almost all problems of density ! 0:9408 : : : if it could find shortest non-zero vectors in lattices. These modifications also yield dramatic improvements in practice when they are combined with known lattice basis reduction algorithms. Key words. subset sum problems; knapsack cryptosystems; lattices; lattice basis reduction. Subject classifications. 1...

Lattices are regular arrangements of points in n-dimensional space, whose study appeared in the 19th century in both number theory and crystallography. Since the appearance of the celebrated LenstraLenstra -Lov'asz lattice basis reduction algorithm twenty years ago, lattices have had surprising applications in cryptology. Until recently, the applications of lattices to cryptology were only negative, as lattices were used to break various cryptographic schemes. Paradoxically, several positive cryptographic applications of lattices have emerged in the past five years: there now exist public-key cryptosystems based on the hardness of lattice problems, and lattices play a crucial role in a few security proofs.

Abstract not found

Lattices are regular arrangements of points in space, whose study appeared in the 19th century in both number theory and crystallography.

The paper study counter-dependent pseudorandom number generators based on m-variate (m> 1) ergodic mappings of the space of 2-adic integers Z2. The sequence of internal states of these generators is defined by the recurrence law xi+1 = H B i (xi) mod 2 n, whereas their output sequence is zi = F B i (xi) mod 2 n; here xj, zj are m-dimensional vectors over Z2. It is shown how the results obtained for a univariate case could be extended to a multivariate case.

We present and implement a ciphertext-only algorithm to break Gifford's cipher, a stream cipher designed in 1984 by David Gifford of MIT and used to encrypt New York Times and Associated Press wire reports. Applying linear algebra over finite fields, we exploit a time-space tradeoff to separately determine key segments derived from a decomposition of the feedback function. This work, the first proposed attack on Gifford's cipher, illustrates a powerful attack on stream ciphers and shows that Gifford's cipher is ill-suited for encrypting broadcast data in the MIT-based Boston Community Information System (BCIS). Gifford's cipher is a filter generator---a linear feedback shift register with nonlinear output. Our cryptanalytic problem is to determine the secret 64-bit initial fill, which is changed for each news article. Representing the feedback function as a binary matrix F , we decompose the vector space of register states into a direct sum of four F -invariant subspaces determined fr...

this document, authentication will generally refer to the use of digital signatures, which play a function for digital documents similar to that played by handwritten signatures for printed documents: the signature is an unforgeable piece of data asserting that a named person wrote or otherwise agreed to the document to which the signature is attached. The recipient, as well as a third party, can verify both that the document did indeed originate from the person whose signature is attached and that the document has not been altered since it was signed. A secure digital signature system thus consists of two parts: a method of signing a document such that forgery is infeasible, and a method of verifying that a signature was actually generated by whomever it represents. Furthermore, secure digital signatures cannot be repudiated; i.e., the signer of a document cannot later disown it by claiming it was forged.