Results 1 - 10 of 34
A hard-core predicate for all one-way functions
- In Proceedings of the Twenty First Annual ACM Symposium on Theory of Computing, 1989
Cited by 292 (4 self)
A central tool in constructing pseudorandom generators, secure encryption functions, and in other areas are “hard-core” predicates b of functions (permutations) f, discovered in [Blum Micali 82]. Such b(x) cannot be efficiently guessed (substantially better than 50-50) given only f(x). Both b, f are computable in polynomial time. [Yao 82] transforms any one-way function f into a more complicated one, f*, which has a hard-core predicate. The construction applies the original f to many small pieces of the input to f* just to get one “hard-core” ... rity of f. In fact, for inputs (to f*) of practical size, the pieces effected by f are so small that f can be inverted (and the “hard-core” bit computed) by exhaustive search. In this paper we show that every one-way function, padded to the form f(p,x) = (p,g(x)), ||p|| = ||x||, has by itself a hard-core predicate of the same (within a polynomial) security. Namely, we prove a conjecture of [Levin 87, sec. 5.6.2] that the scalar product of boolean vectors p, x is a hard-core of every one-way function f(p, x) = (p,g(x)). The result extends to multiple (up to the logarithm of security) such bits and to any distribution on the x's for which f is hard to invert.
Simple Constructions of Almost k-wise Independent Random Variables
- 1992
Cited by 238 (38 self)
We present three alternative simple constructions of small probability spaces on n bits for which any k bits are almost independent. The number of bits used to specify a point in the sample space is (2 + o(1))(log log n + k/2 + log k + log(1/ε)), where ε is the statistical difference between the distribution induced on any k bit locations and the uniform distribution. This is asymptotically comparable to the construction recently presented by Naor and Naor (our size bound is better as long as ε < 1/(k log n)). An additional advantage of our constructions is their simplicity.
Random number generation
Cited by 123 (30 self)
Random numbers are the nuts and bolts of simulation. Typically, all the randomness required by the model is simulated by a random number generator whose output is assumed to be a sequence of independent and identically distributed (IID) U(0, 1) random variables (i.e., continuous random variables distributed uniformly over the interval
Learning polynomials with queries: The highly noisy case
- 1995
Cited by 76 (16 self)
Given a function f mapping n-variate inputs from a finite field F into F, we consider the task of reconstructing a list of all n-variate degree d polynomials which agree with f on a tiny but non-negligible fraction of the input space. We give a randomized algorithm for solving this task which accesses f as a black box and runs in time polynomial in the inverse of that fraction and in n, and exponential in d, provided the fraction is Ω(√(d/|F|)). For the special case when d = 1, we solve this problem for |F| > 0. In this case the running time of our algorithm is bounded by a polynomial and exponential in d. Our algorithm generalizes a previously known algorithm, due to Goldreich and Levin, that solves this task for the case when F = GF(2) (and d = 1).
... Kearns et al. [21] (see also [27, 28, 22]). In the setting of agnostic learning, the learner is to make no assumptions regarding the natural phenomena underlying the input/output relationship of the function, and the goal of the learner is to come up with a simple explanation which best fits the examples. Therefore the best explanation may account for only part of the phenomena. In some situations, when the phenomena appear very irregular, providing an explanation which fits only part of it is better than nothing. Interestingly, Kearns et al. did not consider the use of queries (but rather examples drawn from an arbitrary distribution) as they were skeptical that queries could be of any help. We show that queries do seem to help (see below).
Simultaneous hardcore bits and cryptography against memory attacks
- In TCC, 2009
Cited by 36 (4 self)
This paper considers two questions in cryptography. Cryptography Secure Against Memory Attacks. A particularly devastating side-channel attack against cryptosystems, termed the “memory attack”, was proposed recently. In this attack, a significant fraction of the bits of a secret key of a cryptographic algorithm can be measured by an adversary if the secret key is ever stored in a part of memory which can be accessed even after power has been turned off for a short amount of time. Such an attack has been shown to completely compromise the security of various cryptosystems in use, including the RSA cryptosystem and AES. We show that the public-key encryption scheme of Regev (STOC 2005), and the identity-based encryption scheme of Gentry, Peikert and Vaikuntanathan (STOC 2008) are remarkably robust against memory attacks where the adversary can measure a large fraction of the bits of the secret-key, or more generally, can compute an arbitrary function of the secret-key of bounded output length. This is done without increasing the size of the secret-key, and without introducing any
Unconditional Sender and Recipient Untraceability in spite of Active Attacks
- 1989
Cited by 34 (1 self)
A protocol is described which allows one to send and receive messages anonymously using an arbitrary communication network, and it is proved to be unconditionally secure. This improves a result by David Chaum: the DC-net guarantees the same, but on the assumption of a reliable broadcast network. Since unconditionally secure Byzantine Agreement cannot be achieved, such a reliable broadcast network cannot be realized by algorithmic means. The solution proposed here, the DC+-net, uses the DC-net, but replaces the reliable broadcast network by a fail-stop one. By choosing the keys necessary for the DC-net dependently on the previously broadcast messages, the fail-stop broadcast can be achieved unconditionally securely and without increasing the complexity of the DC-net significantly, using an arbitrary communication network. Categories and Subject Descriptors: C.2.0 [Computer-Communication Networks]: General --- Security and protection, E.3 [Data Encryption], F.2.1 [Analysis of Algorithms...
The discrete logarithm modulo a composite hides O(n) bits
- Journal of Computer and System Sciences, 1993
Cited by 26 (1 self)
In this paper we consider the one-way function f_{g,N}(x) = g^x (mod N), where N is a Blum integer. We prove that under the commonly assumed intractability of factoring Blum integers, all its bits are individually hard, and the lower as well as upper halves of them are simultaneously hard. As a result, f_{g,N} can be used in efficient pseudo-random bit generators and multi-bit commitment schemes, where messages can be drawn according to arbitrary probability distributions.
An Energy/Security Scalable Encryption Processor Using an Embedded Variable Voltage DC/DC Converter
- IEEE J. Solid-State Circuits, 1998
Cited by 15 (5 self)
Security concerns for battery-operated wireless systems require the development of energy-efficient data-encryption techniques that can adapt to the time-varying data rates and quality-of-service requirements inherent in a wireless application. This work describes the design and implementation of a configurable encryption processor that allows the security provided to be traded off with respect to the energy that is dissipated to encrypt a bit. The processor features an embedded high-efficiency variable-output DC/DC converter that allows the supply voltage to be dynamically varied to match the time-varying throughput and quality requirements of the data stream being encrypted. The resulting processor consumes 134 mW at 2.5 V when encrypting data at a rate of 1 Mb/s using a maximum bit width of 512 bits. The converter efficiency is 96% at the peak load of 134 mW. A comparison of our processor to a software implementation running on a low-power programmable processor shows that our implementation is two to three orders of magnitude more energy efficient.
On the Security of Modular Exponentiation with Application to the Construction of Pseudorandom Generators
- Journal of Cryptology, 2000
Cited by 15 (0 self)
Assuming the intractability of factoring, we show that the output of the exponentiation modulo a composite function f_{N,g}(x) = g^x mod N (where N = P·Q) is pseudorandom, even when its input is restricted to be half the size. This result is equivalent to the simultaneous hardness of the upper half of the bits of f_{N,g}, proven by Hastad, Schrift and Shamir. Yet, we supply a different proof that is significantly simpler than the original one. In addition, we suggest a pseudorandom generator which is more efficient than all previously known factoring based pseudorandom generators. Keywords: Modular exponentiation, discrete logarithm, hard core predicates, simultaneous security, pseudorandom generator, factoring assumption. This write-up is based on the Master Thesis of the second author (supervised by the first author). 1 Introduction One-way functions play an extremely important role in modern cryptography. Loosely speaking, these are functions which are easy to evaluate bu...
An efficient discrete log pseudo random generator
- Proc. of Crypto '98, 1998
Cited by 15 (1 self)
The exponentiation function in a finite field of order p (a prime number) is believed to be a one-way function. It is well known that O(log log p) bits are simultaneously hard for this function. We consider a special case of this problem, the discrete logarithm with short exponents, which is also believed to be hard to compute. Under this intractability assumption we show that discrete exponentiation modulo a prime p can hide n − ω(log n) bits (n = ⌈log p⌉ and p = 2q + 1, where q is also a prime). We prove simultaneous security by showing that any information about the n − ω(log n) bits can be used to discover the discrete log of g^s mod p where s has ω(log n) bits. For all practical purposes, the size of s can be a constant c bits. This leads to a very efficient pseudo-random number generator which produces n − c bits per iteration. For example, when n = 1024 bits and c = 128 bits our pseudo-random number generator produces a little less than 900 bits per exponentiation.