In this paper we formalize the notion of a ring signature, which makes it possible to specify a set of possible signers without revealing which member actually produced the signature. Unlike group signatures, ring signatures have no group managers, no setup procedures, no revocation procedures, and no coordination: any user can choose any set of possible signers that includes himself, and sign any message by using his secret key and the others ’ public keys, without getting their approval or assistance. Ring signatures provide an elegant way to leak authoritative secrets in an anonymous way, to sign casual email in a way which can only be verified by its intended recipient, and to solve other problems in multiparty computations. The main contribution of this paper is a new construction of such signatures which is unconditionally signer-ambiguous, provably secure in the random oracle model, and exceptionally efficient: adding each ring member increases the cost of signing or verifying by a single modular multiplication and a single symmetric encryption.

Let the input to a computation problem be split between two processors connected by a communication link; and let an interactive protocol ß be known by which, on any input, the processors can solve the problem using no more than T transmissions of bits between them, provided the channel is noiseless in each direction. We study the following question: if in fact the channel is noisy, what is the effect upon the number of transmissions needed in order to solve the computation problem reliably? Technologically this concern is motivated by the increasing importance of communication as a resource in computing, and by the tradeoff in communications equipment between bandwidth, reliability and expense. We treat a model with random channel noise. We describe a deterministic method for simulating noiseless-channel protocols on noisy channels, with only a constant slow-down. This is an analog for general interactive protocols of Shannon's coding theorem, which deals only with data transmission, ...

The prime number theorem, established by Hadamard and de la Vallée Poussin independently in 1896, asserts that the density of primes in the positive integers is asymptotic to 1 / ln x. Whereas their proofs made serious use of the methods of complex analysis, elementary proofs were provided by Selberg and Erdös in 1948. We describe a formally verified version of Selberg’s proof, obtained using the Isabelle proof assistant. 1

Elementary arithmetic (also known as “elementary function arithmetic”) is a fragment of first-order arithmetic so weak that it cannot prove the totality of an iterated exponential function. Surprisingly, however, the theory turns out to be remarkably robust. I will discuss formal results that show that many theorems of number theory and combinatorics are derivable in elementary arithmetic, and try to place these results in a broader philosophical context. 1

Abstract. In this work we formalize the notion of a ring signature, which makes it possible to specify a set of possible signers without revealing which member actually produced the signature. Unlike group signatures, ring signatures have no group managers, no setup procedures, no revocation procedures, and no coordination: any user can choose any set of possible signers that includes himself, and sign any message by using his secret key and the others ’ public keys, without getting their approval or assistance. Ring signatures provide an elegant way to leak authoritative secrets in an anonymous way, to sign casual email in a way that can only be verified by its intended recipient, and to solve other problems in multiparty computations. Our main contribution lies in the presentation of efficient constructions of ring signatures; the general concept itself (under different terminology) was first introduced by Cramer et al. [CDS94]. Our constructions of such signatures are unconditionally signer-ambiguous, secure in the random oracle model, and exceptionally efficient: adding each ring member increases the cost of signing or verifying by a single modular multiplication and a single symmetric encryption. We also describe a large number of extensions, modifications and applications of ring signatures which were published after the original version of this work (in Asiacrypt 2001).

Introduction Let G be a graph with edge set E. (Undirected, no multiple edges or loops.) A matching is a set of edges joining disjoint vertices. A perfect matching is one that uses all the vertices. Theorem 1.1 (Schwartz-Zippel). Let f be a multivariate polynomial of total degree k in the variables x 1 ; : : : ; xm , over the field GF (q). The fraction of vectors ~x 2 GF (q) m which are roots of f is at most k=q. The total degree of a polynomial is the maximum, over its monomials, of the sum of the degrees of the variables appearing in the monomial. For a proof of this theorem see the scribe notes from the previous offering of this course. Note that in the univariate case this is the fundamental theorem of algebra.

It is pointed out that the Mersenne primes Mp = (2p − 1) and associated perfect numbers Mp = 2p−1Mp play a significant role in string theory; this observation may suggest a classification of consistent string theories. Typeset using REVTEX 1 Anomalies and their avoidance have provided a guidepost in constraining viable particle physics theories. From the standard model to superstrings, the importance of finding models where the concelation of local and global anomalies that spoil local invariance properties of theories, and hence render them inconsistent, cannot be overestimated. The fact that anomalous thories can be dropped from contention has made progress toward the true theory of elementary particles proceed at an enormously accelerated rate. Here we take up a systematic search, informed by previous results and as yet partially understood connections to number theory, for theories free of leading gauge anomalies in higher dimensions. We will find new cases and be able to place previous results in perspective. In number theory a very important role is played by the Mersenne primes Mp based on the formula Mp = 2 p − 1 (1) where p is a prime number. Mp is sometimes itself a prime number. The first 33 such Mersenne primes correspond [1–3] to prime numbers below one million: