Joan Boyar

Convertible Undeniable Signatures

We introduce a new concept called convertible undeniable signature schemes. In these schemes, release of a single bit string by the signer turns all of his signatures, which were originally undeniable signatures, into ordinary digital signatures. We prove that the existence of such schemes is implied by the existence of digital signature schemes. Then, looking at the problem more practically, we present a very efficient convertible undeniable signature scheme. This scheme has the added benefit that signatures can also be selectively converted.

Inferring sequences produced by pseudo-random number generators

In this paper, efficient algorithms are given for inferring sequences produced by certain pseudo-random number generators. The generators considered are all of the form <italic>X<subscrpt>n</subscrpt></italic> = &Sgr;<supscrpt>k</supscrpt><subscrpt>j-l</subscrpt> α<subscrpt>j</subscrpt>φ<subscrpt>j</subscrpt>(<italic>X</italic><subscrpt>o</subscrpt>, <italic>X</italic><subscrpt>l</subscrpt>, . . ., <italic>X<subscrpt>n</italic>-l</subscrpt>) (mod <italic>m</italic>). In each case, we assume that the functions φ<italic>j</italic> are known and polynomial time computable, but that the coefficients aj and the modulus <italic>m</italic> are unknown. Using this general method, specific examples of generators having this form, the linear congruential method, linear congruences with <italic>n</italic> terms in the recurrence, and quadratic congruences are shown to be cryptographically insecure.

The relative worst order ratio for online algorithms

We define a new measure for the quality of online algorithms, the relative worst order ratio, using ideas from the max/max ratio [Ben-David and Borodin 1994] and from the random order ratio [Kenyon 1996]. The new ratio is used to compare online algorithms directly by taking the ratio of their performances on their respective worst permutations of a worst-case sequence. Two variants of the bin packing problem are considered: the classical bin packing problem, where the goal is to fit all items in as few bins as possible, and the dual bin packing problem, which is the problem of maximizing the number of items packed in a fixed number of bins. Several known algorithms are compared using this new measure, and a new, simple variant of first-fit is proposed for dual bin packing. Many of our results are consistent with those previously obtained with the competitive ratio or the competitive ratio on accommodating sequences, but new separations and easier proofs are found.

A discrete logarithm implementation of perfect zero-knowledge blobs

Brassard and Crépeau [BCr] introduced a simple technique for producing zero-knowledge proof systems based on blobs. As is to be expected, their implementation rests on an unproven cryptographic assumption, specifically, that it is easy to generate numbers that are difficult to factor. In this paper we present an implementation of blobs based on a different cryptographic assumption, specifically, that it is easy to generate primes p over which it is difficult to compute discrete logarithms. If, in addition, we can produce a generator for Zp*, this implementation then has the advantage that it leads to proof systems which are perfect zeroknowledge, rather than only almost perfect zero-knowledge.The relationship between factoring and finding discrete logarithms is not well understood, although Bach [Bac1] is an important contribution. Given our current state of number theoretic knowlege, there is no reason to prefer the cryptographic assumption required by one of these implementations over that required by the other. In any event, we introduce the notion of a product blob, whose favorable properties depend only on at least one of these assumptions holding.

A new combinational logic minimization technique with applications to cryptology

A new technique for combinational logic optimization is described. The technique is a two-step process. In the first step, the non-linearity of a circuit – as measured by the number of non-linear gates it contains – is reduced. The second step reduces the number of gates in the linear components of the already reduced circuit. The technique can be applied to arbitrary combinational logic problems, and often yields improvements even after optimization by standard methods has been performed. In this paper we show the results of our technique when applied to the S-box of the Advanced Encryption Standard (AES [6]). This is an experimental proof of concept, as opposed to a full-fledged circuit optimization effort. Nevertheless the result is, as far as we know, the circuit with the smallest gate count yet constructed for this function. We have also used the technique to improve the performance (in software) of several candidates to the Cryptographic Hash Algorithm Competition. Finally, we have experimentally verified that the second step of our technique yields significant improvements over conventional methods when applied to randomly chosen linear transformations.

On the multiplicative complexity of Boolean functions over the basis ∧,⊕,1

Abstract The multiplicative complexity c ∧ (f) of a Boolean function f is the minimum number of AND gates in a circuit representing f which employs only AND, XOR and NOT gates. A constructive upper bound, c ∧ (f)=2 (n/2)+1 −n/2−2 , for any Boolean function f on n variables ( n even) is given. A counting argument gives a lower bound of c ∧ (f)=2 (n/2) − O (n) . Thus we have shown a separation, by an exponential factor, between worst-case Boolean complexity (which is known to be Θ (2 n n −1 )) and worst-case multiplicative complexity. A construction of circuits for symmetric Boolean functions on n variables, requiring less than n+3 n AND gates, is described.

The relative worst-order ratio applied to paging

The relative worst order ratio, a new measure for the quality of on-line algorithms, was recently defined and applied to two bin packing problems. Here, we apply it to the paging problem and obtain the following results: We devise a new deterministic paging algorithm, Retrospective-LRU, and show that it performs better than LRU. This is supported by experimental results, but contrasts with the competitive ratio. All deterministic marking algorithms have the same competitive ratio, but here we find that LRU is better than FWF. According to the relative worst order ratio, no deterministic marking algorithm can be significantly better than LRU, but the randomized algorithm MARK is better than LRU. Finally, look-ahead is shown to be a significant advantage, in contrast to the competitive ratio, which does not reflect that look-ahead can be helpful.

The Accommodating Function: A Generalization of the Competitive Ratio

A new measure, the accommodating function, for the quality of on-line algorithms is presented. The accommodating function, which is a generalization of both the competitive ratio and the competitive ratio on accommodating sequences, measures the quality of an on-line algorithm as a function of the resources that would be sufficient for an optimal off-line algorithm to fully grant all requests. More precisely, if we have some amount of resources n, the function value at

Practical zero-knowledge proofs: Giving hints and using deficiencies

\alpha

Logic Minimization Techniques with Applications to Cryptology

is the usual ratio (still on some fixed amount of resources n), except that input sequences are restricted to those where the optimal off-line algorithm will not obtain a better result by having more than the amount