Results 1  10
of
153
PseudoRandom Generation from OneWay Functions
 PROC. 20TH STOC
, 1988
"... Pseudorandom generators are fundamental to many theoretical and applied aspects of computing. We show howto construct a pseudorandom generator from any oneway function. Since it is easy to construct a oneway function from a pseudorandom generator, this result shows that there is a pseudorandom gene ..."
Abstract

Cited by 861 (18 self)
 Add to MetaCart
Pseudorandom generators are fundamental to many theoretical and applied aspects of computing. We show howto construct a pseudorandom generator from any oneway function. Since it is easy to construct a oneway function from a pseudorandom generator, this result shows that there is a pseudorandom generator iff there is a oneway function.
A randomized protocol for signing contracts
, 1990
"... Two parties, A and B, want to sign a contract C over a communication network. To do so, they must “simultaneously” exchange their commitments to C. Since simultaneous exchange is usually impossible in practice, protocols are needed to approximate simultaneity by exchanging partial commitments in pie ..."
Abstract

Cited by 599 (11 self)
 Add to MetaCart
Two parties, A and B, want to sign a contract C over a communication network. To do so, they must “simultaneously” exchange their commitments to C. Since simultaneous exchange is usually impossible in practice, protocols are needed to approximate simultaneity by exchanging partial commitments in piece by piece manner. During such a protocol, one party or another may have a slight advantage; a “fair” protocol keeps this advantage within acceptable limits. We present a new protocol that is fair in the sense that, at any stage in its execution, the conditional probability that one party cannot commit both parties to the contract given that the other party can, is close to zero. This is true even if A and B have vastly different computing powers, and is proved under very weak cryptographic assumptions. Our protocol has the following additional properties: 4 during the procedure the parties exchange probadilistic options for committing both parties to the contract; the protocol never terminates in an asymmetric situation where party A knows that party B is committed to the contract while he is not; the protocol makes use of a weak form of a third party (judge). If both A and B are honest, the judge will never be called upon. Otherwise, the judge rules by performing a simple computation. No bookkeeping is required of the judge.
A hardcore predicate for all oneway functions
 In Proceedings of the Twenty First Annual ACM Symposium on Theory of Computing
, 1989
"... Abstract rity of f. In fact, for inputs (to f*) of practical size, the pieces effected by f are so small A central tool in constructing pseudorandom that f can be inverted (and the “hardcore” generators, secure encryption functions, and bit computed) by exhaustive search. in other areas are “hardc ..."
Abstract

Cited by 440 (5 self)
 Add to MetaCart
Abstract rity of f. In fact, for inputs (to f*) of practical size, the pieces effected by f are so small A central tool in constructing pseudorandom that f can be inverted (and the “hardcore” generators, secure encryption functions, and bit computed) by exhaustive search. in other areas are “hardcore ” predicates b In this paper we show that every oneof functions (permutations) f, discovered in way function, padded to the form f(p,z) = [Blum Micali $21. Such b ( 5) cannot be effi (P,9(X)), llPl / = 11z//, has bY itself a hardcore ciently guessed (substantially better than SO predicate of the same (within a polynomial) 50) given only f(z). Both b, f are computable security. Namely, we prove a conjecture of in polynomial time. [Levin 87, sec. 5.6.21 that the sca1a.r product [Yao 821 transforms any oneway function of boolean vectors p, x is a hardcore of every f into a more complicated one, f*, which has oneway function f(p, x) = (p,g(x)). The rea hardcore predicate. The construction ap sult extends to multiple (up to the logarithm plies the original f to many small pieces of of security) such bits and to any distribution the input to f * just to get one “hardcore ” on the z’s for which f is hard to invert.
Universal OneWay Hash Functions and their Cryptographic Applications
, 1989
"... We define a Universal OneWay Hash Function family, a new primitive which enables the compression of elements in the function domain. The main property of this primitive is that given an element x in the domain, it is computationally hard to find a different domain element which collides with x. We ..."
Abstract

Cited by 351 (15 self)
 Add to MetaCart
(Show Context)
We define a Universal OneWay Hash Function family, a new primitive which enables the compression of elements in the function domain. The main property of this primitive is that given an element x in the domain, it is computationally hard to find a different domain element which collides with x. We prove constructively that universal oneway hash functions exist if any 11 oneway functions exist. Among the various applications of the primitive is a OneWay based Secure Digital Signature Scheme which is existentially secure against adoptive attacks. Previously, all provably secure signature schemes were based on the stronger mathematical assumption that trapdoor oneway functions exist. Key words. cryptography, randomized algorithms AMS subject classifications. 68M10, 68Q20, 68Q22, 68R05, 68R10 Part of this work was done while the authors were at the IBM Almaden Research Center. The first author was supported in part by NSF grant CCR88 13632. A preliminary version of this work app...
Cryptographic Limitations on Learning Boolean Formulae and Finite Automata
 PROCEEDINGS OF THE TWENTYFIRST ANNUAL ACM SYMPOSIUM ON THEORY OF COMPUTING
, 1989
"... In this paper we prove the intractability of learning several classes of Boolean functions in the distributionfree model (also called the Probably Approximately Correct or PAC model) of learning from examples. These results are representation independent, in that they hold regardless of the syntact ..."
Abstract

Cited by 347 (14 self)
 Add to MetaCart
In this paper we prove the intractability of learning several classes of Boolean functions in the distributionfree model (also called the Probably Approximately Correct or PAC model) of learning from examples. These results are representation independent, in that they hold regardless of the syntactic form in which the learner chooses to represent its hypotheses. Our methods reduce the problems of cracking a number of wellknown publickey cryptosystems to the learning problems. We prove that a polynomialtime learning algorithm for Boolean formulae, deterministic finite automata or constantdepth threshold circuits would have dramatic consequences for cryptography and number theory: in particular, such an algorithm could be used to break the RSA cryptosystem, factor Blum integers (composite numbers equivalent to 3 modulo 4), and detect quadratic residues. The results hold even if the learning algorithm is only required to obtain a slight advantage in prediction over random guessing. The techniques used demonstrate an interesting duality between learning and cryptography. We also apply our results to obtain strong intractability results for approximating a generalization of graph coloring.
Publickey Cryptosystems Provably Secure against Chosen Ciphertext Attacks
 In Proc. of the 22nd STOC
, 1995
"... We show how to construct a publickey cryptosystem (as originally defined by Diffie and Hellman) secure against chosen ciphertext attacks, given a publickey cryptosystem secure against passive eavesdropping and a noninteractive zeroknowledge proof system in the shared string model. No such secure ..."
Abstract

Cited by 284 (19 self)
 Add to MetaCart
(Show Context)
We show how to construct a publickey cryptosystem (as originally defined by Diffie and Hellman) secure against chosen ciphertext attacks, given a publickey cryptosystem secure against passive eavesdropping and a noninteractive zeroknowledge proof system in the shared string model. No such secure cryptosystems were known before. Key words. cryptography, randomized algorithms AMS subject classifications. 68M10, 68Q20, 68Q22, 68R05, 68R10 A preliminary version of this paper appeared in the Proc. of the Twenty Second ACM Symposium of Theory of Computing. y Incumbent of the Morris and Rose Goldman Career Development Chair, Dept. of Applied Mathematics and Computer Science, Weizmann Institute of Science, Rehovot 76100, Israel. Work performed while at the IBM Almaden Research Center. Research supported by an Alon Fellowship and a grant from the Israel Science Foundation administered by the Israeli Academy of Sciences. Email: naor@wisdom.weizmann.ac.il. z IBM Research Division, T.J ...
HardCore Distributions for Somewhat Hard Problems
 In 36th Annual Symposium on Foundations of Computer Science
, 1995
"... Consider a decision problem that cannot be 1 \Gamma ffi approximated by circuits of a given size in the sense that any such circuit fails to give the correct answer on at least a ffi fraction of instances. We show that for any such problem there is a specific "hardcore" set of inputs whic ..."
Abstract

Cited by 123 (11 self)
 Add to MetaCart
(Show Context)
Consider a decision problem that cannot be 1 \Gamma ffi approximated by circuits of a given size in the sense that any such circuit fails to give the correct answer on at least a ffi fraction of instances. We show that for any such problem there is a specific "hardcore" set of inputs which is at least a ffi fraction of all inputs and on which no circuit of a slightly smaller size can get even a small advantage over a random guess. More generally, our argument holds for any nonuniform model of computation closed under majorities. We apply this result to get a new proof of the Yao XOR lemma [Y], and to get a related XOR lemma for inputs that are only kwise independent. 1 Introduction If you have a difficult computational problem, is it always the case that several independent instances of the problem are proportionately harder than a single instance? In particular, if any algorithm taking less than R resources has failure probability at least ffi for a particular problem on a certai...
On the Theory of Average Case Complexity
 Journal of Computer and System Sciences
, 1997
"... This paper takes the next step in developing the theory of average case complexity initiated by Leonid A Levin. Previous works [Levin 84, Gurevich 87, Venkatesan and Levin 88] have focused on the existence of complete problems. We widen the scope to other basic questions in computational complexity. ..."
Abstract

Cited by 121 (6 self)
 Add to MetaCart
This paper takes the next step in developing the theory of average case complexity initiated by Leonid A Levin. Previous works [Levin 84, Gurevich 87, Venkatesan and Levin 88] have focused on the existence of complete problems. We widen the scope to other basic questions in computational complexity. Our results include: ffl the equivalence of search and decision problems in the context of average case complexity; ffl an initial analysis of the structure of distributionalNP (i.e. NP problems coupled with "simple distributions") under reductions which preserve average polynomialtime; ffl a proof that if all of distributionalNP is in average polynomialtime then nondeterministic exponentialtime equals deterministic exponential time (i.e., a collapse in the worst case hierarchy); ffl definitions and basic theorems regarding other complexity classes such as average logspace. An exposition of the basic definitions suggested by Levin and suggestions for some alternative definitions ...
OnLine/OffLine Digital Signatures
, 1994
"... A new type of signature scheme is proposed. It consists of two phases. The first phase is performed offline, before the message to be signed is even known. The second online phase is performed once the message to be signed is known, and is supposed to be very fast. A method for constructing such o ..."
Abstract

Cited by 105 (1 self)
 Add to MetaCart
A new type of signature scheme is proposed. It consists of two phases. The first phase is performed offline, before the message to be signed is even known. The second online phase is performed once the message to be signed is known, and is supposed to be very fast. A method for constructing such online/offline signature schemes is presented. The method uses onetime signature schemes, which are very fast, for the online signing. An ordinary signature scheme is used for the offline stage. In a practical implementation of our scheme, we use a variant of Rabin's signature scheme (based on factoring) and DES. In the online phase, all we use is a moderate amount of DES computation and a single modular multiplication. We stress that the costly modular exponentiation operation is performed offline. This implementation is ideally suited for electronic wallets or smart cards. A preliminary version appeared in the proceedings of Crypto89. OnLine/OffLine Digital Signing has obtained p...