How to leak a secret
 PROCEEDINGS OF THE 7TH INTERNATIONAL CONFERENCE ON THE THEORY AND APPLICATION OF CRYPTOLOGY AND INFORMATION SECURITY: ADVANCES IN CRYPTOLOGY, 2001
Cited by 1774 (4 self)
In this paper we formalize the notion of a ring signature, which makes it possible to specify a set of possible signers without revealing which member actually produced the signature. Unlike group signatures, ring signatures have no group managers, no setup procedures, no revocation procedures, and no coordination: any user can choose any set of possible signers that includes himself, and sign any message by using his secret key and the others' public keys, without getting their approval or assistance. Ring signatures provide an elegant way to leak authoritative secrets in an anonymous way, to sign casual email in a way which can only be verified by its intended recipient, and to solve other problems in multiparty computations. The main contribution of this paper is a new construction of such signatures which is unconditionally signer-ambiguous, provably secure in the random oracle model, and exceptionally efficient: adding each ring member increases the cost of signing or verifying by a single modular multiplication and a single symmetric encryption.
Coding for Interactive Communication
 IN PROCEEDINGS OF THE 25TH ANNUAL SYMPOSIUM ON THEORY OF COMPUTING, 1996
Cited by 38 (4 self)
Let the input to a computation problem be split between two processors connected by a communication link; and let an interactive protocol π be known by which, on any input, the processors can solve the problem using no more than T transmissions of bits between them, provided the channel is noiseless in each direction. We study the following question: if in fact the channel is noisy, what is the effect upon the number of transmissions needed in order to solve the computation problem reliably? Technologically this concern is motivated by the increasing importance of communication as a resource in computing, and by the tradeoff in communications equipment between bandwidth, reliability and expense. We treat a model with random channel noise. We describe a deterministic method for simulating noiseless-channel protocols on noisy channels, with only a constant slowdown. This is an analog for general interactive protocols of Shannon's coding theorem, which deals only with data transmission, ...
Number theory and elementary arithmetic
 Philosophia Mathematica, 2003
Cited by 17 (5 self)
Elementary arithmetic (also known as “elementary function arithmetic”) is a fragment of first-order arithmetic so weak that it cannot prove the totality of an iterated exponential function. Surprisingly, however, the theory turns out to be remarkably robust. I will discuss formal results that show that many theorems of number theory and combinatorics are derivable in elementary arithmetic, and try to place these results in a broader philosophical context.
How to leak a secret: Theory and applications of ring signatures
 Essays in Theoretical Computer Science: in Memory of Shimon Even, volume 3895 of LNCS Festschrift, 2006
Cited by 6 (0 self)
Abstract. In this work we formalize the notion of a ring signature, which makes it possible to specify a set of possible signers without revealing which member actually produced the signature. Unlike group signatures, ring signatures have no group managers, no setup procedures, no revocation procedures, and no coordination: any user can choose any set of possible signers that includes himself, and sign any message by using his secret key and the others' public keys, without getting their approval or assistance. Ring signatures provide an elegant way to leak authoritative secrets in an anonymous way, to sign casual email in a way that can only be verified by its intended recipient, and to solve other problems in multiparty computations. Our main contribution lies in the presentation of efficient constructions of ring signatures; the general concept itself (under different terminology) was first introduced by Cramer et al. [CDS94]. Our constructions of such signatures are unconditionally signer-ambiguous, secure in the random oracle model, and exceptionally efficient: adding each ring member increases the cost of signing or verifying by a single modular multiplication and a single symmetric encryption. We also describe a large number of extensions, modifications and applications of ring signatures which were published after the original version of this work (in Asiacrypt 2001).
Mathematical method and proof
Cited by 6 (4 self)
Abstract. On a traditional view, the primary role of a mathematical proof is to warrant the truth of the resulting theorem. This view fails to explain why it is very often the case that a new proof of a theorem is deemed important. Three case studies from elementary arithmetic show, informally, that there are many criteria by which ordinary proofs are valued. I argue that at least some of these criteria depend on the methods of inference the proofs employ, and that standard models of formal deduction are not well-equipped to support such evaluations. I discuss a model of proof that is used in the automated deduction community, and show that this model does better in that respect.
Randomized Algorithms Georgia Tech CS8113F, Winter 1999 Prof. Leonard Schulman CCB 234, (404) 8946438, schulman@cc.gatech.edu Lectures 16 17: Mar 8 10 '99. "Perfect Matchings in Graphs"
Introduction. Let $G$ be a graph with edge set $E$. (Undirected, no multiple edges or loops.) A matching is a set of edges joining disjoint vertices. A perfect matching is one that uses all the vertices. Theorem 1.1 (Schwartz-Zippel). Let $f$ be a multivariate polynomial of total degree $k$ in the variables $x_1, \ldots, x_m$, over the field $GF(q)$. The fraction of vectors $\vec{x} \in GF(q)^m$ which are roots of $f$ is at most $k/q$. The total degree of a polynomial is the maximum, over its monomials, of the sum of the degrees of the variables appearing in the monomial. For a proof of this theorem see the scribe notes from the previous offering of this course. Note that in the univariate case this is the fundamental theorem of algebra.
IFP772UNC Mersenne Primes, Polygonal Anomalies and String Theories Classification, 1999
It is pointed out that the Mersenne primes $M_p = (2^p - 1)$ and associated perfect numbers $\mathcal{M}_p = 2^{p-1} M_p$ play a significant role in string theory; this observation may suggest a classification of consistent string theories. Anomalies and their avoidance have provided a guidepost in constraining viable particle physics theories. From the standard model to superstrings, the importance of finding models where the cancellation of local and global anomalies that spoil local invariance properties of theories, and hence render them inconsistent, cannot be overestimated. The fact that anomalous theories can be dropped from contention has made progress toward the true theory of elementary particles proceed at an enormously accelerated rate. Here we take up a systematic search, informed by previous results and as yet partially understood connections to number theory, for theories free of leading gauge anomalies in higher dimensions. We will find new cases and be able to place previous results in perspective. In number theory a very important role is played by the Mersenne primes $M_p$ based on the formula $M_p = 2^p - 1$ (1), where $p$ is a prime number. $M_p$ is sometimes itself a prime number. The first 33 such Mersenne primes correspond [1–3] to prime numbers below one million: