Andrew Chi-Chih Yao

Protocols for secure computations

Two millionaires wish to know who is richer; however, they do not want to find out inadvertently any additional information about each other’s wealth. How can they carry out such a conversation? This is a special case of the following general problem. Suppose m people wish to compute the value of a function f(x1, x2, x3, . . . , xm), which is an integer-valued function of m integer variables xi of bounded range. Assume initially person Pi knows the value of xi and no other x’s. Is it possible for them to compute the value of f , by communicating among themselves, without unduly giving away any information about the values of their own variables? The millionaires’ problem corresponds to the case when m = 2 and f(x1, x2) = 1 if x1 < x2, and 0 otherwise. In this paper, we will give precise formulation of this general problem and describe three ways of solving it by use of one-way functions (i.e., functions which are easy to evaluate but hard to invert). These results have applications to secret voting, private querying of database, oblivious negotiation, playing mental poker, etc. We will also discuss the complexity question “How many bits need to be exchanged for the computation”, and describe methods to prevent participants from cheating. Finally, we study the question “What cannot be accomplished with one-way functions”. Before describing these results, we would like to put this work in perspective by first considering a unified view of secure computation in the next section.

How to generate and exchange secrets

In this paper we introduce a new tool for controlling the knowledge transfer process in cryptographic protocol design. It is applied to solve a general class of problems which include most of the two-party cryptographic problems in the literature. Specifically, we show how two parties A and B can interactively generate a random integer N = p?q such that its secret, i.e., the prime factors (p, q), is hidden from either party individually but is recoverable jointly if desired. This can be utilized to give a protocol for two parties with private values i and j to compute any polynomially computable functions f(i,j) and g(i,j) with minimal knowledge transfer and a strong fairness property. As a special case, A and B can exchange a pair of secrets sA, sB, e.g. the factorization of an integer and a Hamiltonian circuit in a graph, in such a way that sA becomes computable by B when and only when sB becomes computable by A. All these results are proved assuming only that the problem of factoring large intergers is computationally intractable.

Theory and application of trapdoor functions

The purpose of this paper is to introduce a new information theory and explore its appplications. Using modern computational complexity, we study the notion of information that can be accessed through a feasible computation. In Part 1 of this paper, we lay the foundation of the theory and set up a framework for cryptography and pseudorandom number generation. In Part 2, we study the concept of trapdoor functions and examine applications of such functions in cryptography, pseudorandom number generation, and abstract complexity theory.

Some complexity questions related to distributive computing(Preliminary Report)

Let <italic>M</italic> &equil; {0, 1, 2, ..., <italic>m</italic>—1} , <italic>N</italic> &equil; {0, 1, 2,..., <italic>n</italic>—1} , and <italic>f:M</italic> × <italic>N</italic> → {0, 1} a Boolean-valued function. We will be interested in the following problem and its related questions. Let <italic>i</italic> ε <italic>M</italic>, <italic>j</italic> ε <italic>N</italic> be integers known only to two persons <italic>P</italic><subscrpt>1</subscrpt> and <italic>P</italic><subscrpt>2</subscrpt>, respectively. For <italic>P</italic><subscrpt>1</subscrpt> and <italic>P</italic><subscrpt>2</subscrpt> to determine cooperatively the value <italic>f</italic>(<italic>i, j</italic>), they send information to each other alternately, one bit at a time, according to some algorithm. The quantity of interest, which measures the information exchange necessary for computing <italic>f</italic>, is the minimum number of bits exchanged in any algorithm. For example, if <italic>f</italic>(<italic>i, j</italic>) &equil; (<italic>i</italic> + <italic>j</italic>) <italic>mod</italic> 2. then 1 bit of information (conveying whether <italic>i</italic> is odd) sent from <italic>P</italic><subscrpt>1</subscrpt> to <italic>P</italic><subscrpt>2</subscrpt> will enable <italic>P</italic><subscrpt>2</subscrpt> to determine <italic>f</italic>(<italic>i, j</italic>), and this is clearly the best possible. The above problem is a variation of a model of Abelson [1] concerning information transfer in distributive computions.

On constructing minimum spanning trees in k-dimensional spaces and related problems

The problem of finding a minimum spanning tree connecting n points in a k-dimensional space is discussed under three common distance metrics -- Euclidean, rectilinear, and

Separating the polynomial-time hierarchy by oracles

L_\infty

Optimal Expected-Time Algorithms for Closest Point Problems

. By employing a subroutine that solves the post office problem, we show that, for fixed k

On the security of public key protocols

\geq

Storing a sparse table

3, such a minimum spanning tree can be found in time O(

New Algorithms for Bin Packing

n^{2-a(k)} {(log n)}^{1-a(k)}