
Publication


Featured research published by Oded Goldreich.


Symposium on the Theory of Computing | 1987

How to play ANY mental game

Oded Goldreich; Silvio Micali; Avi Wigderson

We present a polynomial-time algorithm that, given as input the description of a game with incomplete information and any number of players, produces a protocol for playing the game that leaks no partial information, provided the majority of the players is honest. Our algorithm automatically solves all the multi-party protocol problems addressed in complexity-based cryptography during the last 10 years. It actually is a completeness theorem for the class of distributed protocols with honest majority. Such completeness theorem is optimal in the sense that, if the majority of the players is not honest, some protocol problems have no efficient solution [C].


Journal of the ACM | 1986

How to construct random functions

Oded Goldreich; Shafi Goldwasser; Silvio Micali

A constructive theory of randomness for functions, based on computational complexity, is developed, and a pseudorandom function generator is presented. This generator is a deterministic polynomial-time algorithm that transforms pairs (g, r), where g is any one-way function and r is a random k-bit string, to polynomial-time computable functions ƒ_r: {1, …, 2^k} → {1, …, 2^k}. These ƒ_r's cannot be distinguished from random functions by any probabilistic polynomial-time algorithm that asks and receives the value of a function at arguments of its choice. The result has applications in cryptography, random constructions, and complexity theory.


Communications of the ACM | 1985

A randomized protocol for signing contracts

Shimon Even; Oded Goldreich; Abraham Lempel

Randomized protocols for signing contracts, certified mail, and flipping a coin are presented. The protocols use a 1-out-of-2 oblivious transfer subprotocol which is axiomatically defined. The 1-out-of-2 oblivious transfer allows one party to transfer exactly one secret, out of two recognizable secrets, to his counterpart. The first (second) secret is received with probability one half, while the sender is ignorant of which secret has been received. An implementation of the 1-out-of-2 oblivious transfer, using any public key cryptosystem, is presented.


Symposium on the Theory of Computing | 1989

A hard-core predicate for all one-way functions

Oded Goldreich; Leonid A. Levin

A central tool in constructing pseudorandom generators, secure encryption functions, and in other areas are “hard-core” predicates b of functions (permutations) ƒ, discovered in [Blum Micali 82]. Such b(x) cannot be efficiently guessed (substantially better than 50-50) given only ƒ(x). Both b, ƒ are computable in polynomial time. [Yao 82] transforms any one-way function ƒ into a more complicated one, ƒ*, which has a hard-core predicate. The construction applies the original ƒ to many small pieces of the input to ƒ* just to get one “hard-core” bit. The security of this bit may be smaller than any constant positive power of the security of ƒ. In fact, for inputs (to ƒ*) of practical size, the pieces effected by ƒ are so small that ƒ can be inverted (and the “hard-core” bit computed) by exhaustive search. In this paper we show that every one-way function, padded to the form ƒ(p, x) = (p, g(x)), ‖p‖ = ‖x‖, has by itself a hard-core predicate of the same (within a polynomial) security. Namely, we prove a conjecture of [Levin 87, sec. 5.6.2] that the scalar product of Boolean vectors p, x is a hard-core of every one-way function ƒ(p, x) = (p, g(x)). The result extends to multiple (up to the logarithm of security) such bits and to any distribution on the x's for which ƒ is hard to invert.


Journal of the ACM | 1996

Software protection and simulation on oblivious RAMs

Oded Goldreich; Rafail Ostrovsky

Software protection is one of the most important issues concerning computer practice. There exist many heuristics and ad-hoc methods for protection, but the problem as a whole has not received the theoretical treatment it deserves. In this paper, we provide theoretical treatment of software protection. We reduce the problem of software protection to the problem of efficient simulation on oblivious RAM. A machine is oblivious if the sequence in which it accesses memory locations is equivalent for any two inputs with the same running time. For example, an oblivious Turing Machine is one for which the movement of the heads on the tapes is identical for each computation. (Thus, the movement is independent of the actual input.) What is the slowdown in the running time of a machine, if it is required to be oblivious? In 1979, Pippenger and Fischer showed how a two-tape oblivious Turing Machine can simulate, on-line, a one-tape Turing Machine, with a logarithmic slowdown in the running time. We show an analogous result for the random-access machine (RAM) model of computation. In particular, we show how to do an on-line simulation of an arbitrary RAM by a probabilistic oblivious RAM with a polylogarithmic slowdown in the running time. On the other hand, we show that a logarithmic slowdown is a lower bound.


Journal of the ACM | 1998

Property testing and its connection to learning and approximation

Oded Goldreich; Shafi Goldwasser; Dana Ron

In this paper, we consider the question of determining whether a function f has property P or is ε-far from any function with property P. A property testing algorithm is given a sample of the value of f on instances drawn according to some distribution. In some cases, it is also allowed to query f on instances of its choice. We study this question for different properties and establish some connections to problems in learning theory and approximation. In particular, we focus our attention on testing graph properties. Given access to a graph G in the form of being able to query whether an edge exists or not between a pair of vertices, we devise algorithms to test whether the underlying graph has properties such as being bipartite, k-Colorable, or having a p-Clique (clique of density p with respect to the vertex set). Our graph property testing algorithms are probabilistic and make assertions that are correct with high probability, while making a number of queries that is independent of the size of the graph. Moreover, the property testing algorithms can be used to efficiently (i.e., in time linear in the number of vertices) construct partitions of the graph that correspond to the property being tested, if it holds for the input graph.


Foundations of Computer Science | 1995

Private information retrieval

Benny Chor; Oded Goldreich; Eyal Kushilevitz; Madhu Sudan

We describe schemes that enable a user to access k replicated copies of a database (k ≥ 2) and privately retrieve information stored in the database. This means that each individual database gets no information on the identity of the item retrieved by the user. For a single database, achieving this type of privacy requires communicating the whole database, or n bits (where n is the number of bits in the database). Our schemes use the replication to gain substantial saving. In particular, we have: A two database scheme with communication complexity of O(n^(1/3)). A scheme for a constant number, k, of databases with communication complexity O(n^(1/k)). A scheme for (1/3) log_2 n databases with polylogarithmic (in n) communication complexity.


Random Structures and Algorithms | 1992

Simple Constructions of Almost k‐wise Independent Random Variables

Noga Alon; Oded Goldreich; Johan Håstad; René Peralta

We present three alternative simple constructions of small probability spaces on n bits for which any k bits are almost independent. The number of bits used to specify a point in the sample space is (2 + o(1)) (log log n + k/2 + log k + log 1/ϵ), where ϵ is the statistical difference between the distribution induced on any k bit locations and the uniform distribution. This is asymptotically comparable to the construction recently presented by Naor and Naor (our size bound is better as long as ϵ < 1/(k log n)). An additional advantage of our constructions is their simplicity.


Symposium on the Theory of Computing | 1998

The random oracle methodology, revisited (preliminary version)

Ran Canetti; Oded Goldreich; Shai Halevi

We take a formal look at the relationship between the security of cryptographic schemes in the Random Oracle Model, and the security of the schemes which result from implementing the random oracle by so called “cryptographic hash functions”. The main result of this paper is a negative one: There exist signature and encryption schemes which are secure in the Random Oracle Model, but for which any implementation of the random oracle results in insecure schemes. In the process of devising the above schemes, we consider possible definitions for the notion of a “good implementation” of a random oracle, pointing out limitations and challenges.


SIAM Journal on Computing | 1988

Unbiased bits from sources of weak randomness and probabilistic communication complexity

Benny Chor; Oded Goldreich

A new model for weak random physical sources is presented. The new model strictly generalizes previous models (e.g., the Santha and Vazirani model [27]). The sources considered output strings according to probability distributions in which no single string is too probable. The new model provides a fruitful viewpoint on problems studied previously such as:
• Extracting almost-perfect bits from sources of weak randomness. The question of possibility as well as the question of efficiency of such extraction schemes are addressed.
• Probabilistic communication complexity. It is shown that most functions have linear communication complexity in a very strong probabilistic sense.
• Robustness of BPP with respect to sources of weak randomness (generalizing a result of Vazirani and Vazirani [32], [33]).

Collaboration



Top Co-Authors

Shafi Goldwasser

Weizmann Institute of Science

Avi Wigderson

Institute for Advanced Study

Silvio Micali

Massachusetts Institute of Technology

Mihir Bellare

University of California
