Michael Ben-Or

Completeness theorems for non-cryptographic fault-tolerant distributed computation

Every function of <italic>n</italic> inputs can be efficiently computed by a complete network of <italic>n</italic> processors in such a way that:<list><item>If no faults occur, no set of size <italic>t</italic> < <italic>n</italic>/2 of players gets any additional information (other than the function value), </item><item>Even if Byzantine faults are allowed, no set of size <italic>t</italic> < <italic>n</italic>/3 can either disrupt the computation or get additional information. </item></list> Furthermore, the above bounds on <italic>t</italic> are tight!

Verifiable secret sharing and multiparty protocols with honest majority

Under the assumption that each participant can broadcast a message to all other participants and that each pair of participants can communicate secretly, we present a verifiable secret sharing protocol, and show that any multiparty protocol, or game with incomplete information, can be achieved if a majority of the players are honest. The secrecy achieved is unconditional and does not rely on any assumption about computational intractability. Applications of these results to Byzantine Agreement are also presented. Underlying our results is a new tool of Information Checking which provides authentication without cryptographic assumptions and may have wide applications elsewhere.

Lower bounds for algebraic computation trees

A topological method is given for obtaining lower bounds for the height of algebraic computation trees, and algebraic decision trees. Using this method we are able to generalize, and present in a uniform and easy way, almost all the known nonlinear lower bounds for algebraic computations. Applying the method to decision trees we extend all the apparently known lower bounds for linear decision trees to bounded degree algebraic decision trees, thus answering the open questions raised by Steele and Yao [20]. We also show how this new method can be used to establish lower bounds on the complexity of constructions with ruler and compass in plane Euclidean geometry.

Multi-prover interactive proofs: how to remove intractability assumptions

Quite complex cryptographic machinery has been developed based on the assumption that one-way functions exist, yet we know of only a few possible such candidates. It is important at this time to find alternative foundations to the design of secure cryptography. We introduce a new model of generalized interactive proofs as a step in this direction. We prove that all NP languages have perfect zero-knowledge proof-systems in this model, without making any intractability assumptions. The generalized interactive-proof model consists of two computationally unbounded and untrusted provers, rather than one, who jointly agree on a strategy to convince the verifier of the truth of an assertion and then engage in a polynomial number of message exchanges with the verifier in their attempt to do so. To believe the validity of the assertion, the verifier must make sure that the two provers can not communicate with each other during the course of the proof process. Thus, the complexity assumptions made in previous work, have been traded for a physical separation between the two provers. We call this new model the multi-prover interactive-proof model, and examine its properties and applicability to cryptography.

Another advantage of free choice (Extended Abstract): Completely asynchronous agreement protocols

Recently, Fischer, Lynch and Paterson [3] proved that no completely asynchronous consensus protocol can tolerate even a single unannounced process death. We exhibit here a probabilistic solution for this problem, which guarantees that as long as a majority of the processes continues to operate, a decision will be made (Theorem 1). Our solution is completely asynchronous and is rather strong: As in [4], it is guaranteed to work with probability 1 even against an adversary scheduler who knows all about the system.

Fault-tolerant quantum computation with constant error

In the past year many developments have taken place in the area of quantum error corrections. Recently Shor showed how to perform fault tolerant quantum computation when, ~, the probability for a fault in one time step per qubit or per gate, is polylogarithmically small. This paper closes the gap and shows how to perform fault tolerant quantum computation when the error probability, q, is smaller than some constant threshold, q.. The cost is polylogarithmic in time and space, and no measurements are used during the quantum computation. The same result is shown also for quantum circuits which operate on nearest neighbors only. To achieve this noise resistance, we use concatenated quantum error correcting codes. The scheme presented is general, and works with any quantum code, that satisfies certain restm”ctions, namely that it is a “proper quantum code”. The constant threshold r10 is a function of the parameters of the specifc proper code used. We present two explicit classes of proper quantum codes. The first class generalizes classical secret sharing with polynomials. The codes are defined over a field with p elements, which means that the elementary quantum particle is not a qubit but a “qupit”. The second class uses a known class of quantum codes and converts it to a proper code. We estimate the threshold qO to be = 10-6. Hopefully, this paper motivates a search for proper quantum codes with higher thresholds, at which point quantum computation becomes practical.

A fair protocol for signing contracts

Two parties, A and B, want to sign a contract C over a communication network. To do so, they must simultaneously exchange their commitments to C. Since simultaneous exchange is usually impossible in practice, protocols are needed to approximate simultaneity by exchanging partial commitments in piece-by-piece manner. During such a protocol, one party or another may have a slight advantage; a fair protocol keeps this advantage within acceptable limits. A new protocol is proposed. It is fair in the sense that, at any stage in its execution, the conditional probability that one party cannot commit both parties to the contract given that the other party can, is close to zero. This is true even if A and B have vastly different computing powers and is proved under very weak cryptographic assumptions. >

A deterministic algorithm for sparse multivariate polynomial interpolation

An efficient deterministic polynomial time algorithm is developed for the sparse polynomial interpolation problem. The number of evaluations needed by this algorithm is very small. The algorithm also has a simple NC implementation.

Fault-Tolerant Quantum Computation with Constant Error Rate

This paper shows that quantum computation can be made fault-tolerant against errors and inaccuracies when

Everything provable is provable in zero-knowledge

\eta