Peter Gemmell

Optimal-resilience proactive public-key cryptosystems

We introduce new efficient techniques for sharing cryptographic functions in a distributed dynamic fashion. These techniques dynamically and securely transform a distributed function (or secret sharing) representation between t-out-of-l (polynomial sharing) and t-out-of-t (additive sharing). We call the techniques poly-to-sum and sum-to-poly, respectively. Employing these techniques, we solve a number of open problems in the area of cryptographic function sharing. We design a threshold function sharing scheme with proactive security for general functions with a homomorphic property (a class which includes all RSA variants and Discrete logarithm variants). The sharing has optimal resilience (server redundancy) and enables computation of the function by the servers assuring high availability, security and efficiency. Proactive security enables function sharing among servers while tolerating an adversary which is mobile and which dynamically corrupts and abandons servers (and perhaps visits all of them over the lifetime of the system, as long as the number of corruptions (faults) is bounded within a time period). Optimal resilience assures that the adversary can corrupt any minority of servers at any time-period.

Self-testing/correcting for polynomials and for approximate functions

The study of self-testing/correcting programs was introduced in [8] in order to allow one to use program P to compute function f without trusting that P works correctly. A self-tester for f estimates the fraction of x for which P (x) = f(x); and a self-corrector for f takes a program that is correct on most inputs and turns it into a program that is correct on every input with high probability . Both access P only as a black-box and in some precise way are not allowed to compute the function f . Self-correcting is usually easy when the function has the random self-reducibility property. One class of such functions that has this property is the class of multivariate polynomials over finite fields [4] [12]. We extend this result in two directions. First, we show that polynomials are random self-reducible over more general domains: specifically, over the rationals and over noncommutative rings. Second, we show that one can get self-correctors even when the program satisfies weaker conditions, i.e. when the program has more errors, or when the program behaves in a more adversarial manner by changing the function it computes between successive calls. Self-testing is a much harder task. Previously it was known how to self-test for a few special examples of functions, such as the class of linear functions. We show that one can self-test the whole class of polynomial functions over Zp for prime p. ∗U.C. Berkeley. Supported by NSF Grant No. CCR 8813632 †Princeton University. ‡Princeton University. Supported by DIMACS (Center for Discrete Mathematics and Theoretical Computer Science), NSF-STC88-09648. §U.C. Berkeley. Part of this work was done while this author was visiting IBM Almaden. ¶Hebrew University and Princeton University. Partially supported by the Wolfson Research Awards administered by the Israel Academy of Sciences and Humanities. 1[12] independently introduces a notion which is essentially equivalent to self-correcting. We initiate the study of self-testing (and self-correcting) programs which only approximately compute f . This setting captures in particular the digital computation of real valued functions. We present a rigorous framework and obtain the first results in this area: namely that the class of linear functions, the log function and floating point exponentiation can be self-tested. All of the above functions also have self-correctors.

Highly resilient correctors for polynomials

Abstract We consider the problem of correcting programs that compute multivariate polynomials over large finite fields and give an efficient procedure to transform any program that computes a multivariate polynomial ⨍ correctly on a 1 2+δ fraction of its inputs (δ>0) into a randomized program that computes ⨍ correctly on every input with high probability. This shows that programs computing polynomials are “resilient” to a high fraction of errors. The resilience shown in this paper is better than that of the previously known correction procedures and is close to the information theoretic optimum. The running time of the correction procedure is polynomial in the degree of ⨍, the number of variables, and 1 δ , where calls to the incorrect program are assessed a unit cost per call. An important consequence of this result is that the nxn permanent is resilient to errors of up to 1 2 −p(n) for any polynomial p(n).

Checking the correctness of memories

The notion of program checking is extended to include programs that alter their environment, in particular, programs that store and retrieve data from memory. The model considered allows the checker a small amount of reliable memory. The checker is presented with a sequence of requests (online) to a data structure which must reside in a large but unreliable memory. The data structure is viewed as being controlled by an adversary. The checker is to perform each operation in the input sequence using its reliable memory and the unreliable data structure so that any error in the operation of the structure will be detected by the checker with high probability. Checkers for various data structures are presented. Lower bounds of log n on the amount of reliable memory needed by these checkers, where n is the size of the structure, are proved.<<ETX>>

Checking approximate computations over the reals

Checking Approximate Computations over the Reals S. Ar” M. Blumt B. Codenotti

Tight bounds on expected time to add correctly and add mostly correctly

P. Gemmell~ This paper provides the first systematic investigation of checking approximate numerical computations over subsets of the reals. In most cases, approximate checking is more challenging than exact checking. Problem conditioning, i.e., the measure of sensitivity of the output to slight changes in the input, and the presence of approximate ion parameters foil the direct transformation of many exact checkers to the approximate setting. Furthermore, approximate checking over the reals is complicated by the lack of nice finite field properties such as the existence of a samplable distribution which is invariant under addition or multiplication by a scalar. We overcome the above problems by using such techniques as testing and checking over similar but distinct distributions, using functions’ random and downward self-reducibility properties, and taking advantage of the small variance of the sum of independent identically distributed random variables. We provide approximate checkers for a variety of computations, including matrix multiplication, linear system solution, matrix inversion, and computation of the determinant. We also present an approximate version of Beigel’s trick and extend the approximate linear self tester/corrector of [8] and the trigonometric selftester/corrector of [5] to more general computations. *Department of Computer Science, Princeton University, Princeton, NJ 08544-2087. Supported by NSF PYI grant CCR9057486 and a grant from MITL. t Computer Science Division, UC Berkeley, Berkeley, CA 94720, and International Computer Science Institute, Berkeley CA 94704. Supported by NSF grant CCR88-13632. t International Computer Science Institute, Berkeley, CA 94704, and IEI-CNR, Piss (Italy). Partially supported by the “ Progetto Finalizzato Sistemi Informatici e Calcolo Parallelo”. Subproject 2. e-mail: codenotti@iei.pi .cnr.it ~Computer Science Division, UC Berkeley, Berkeley, CA 94720. Supported by GTE, Schlumberger Fellowships, and by NSF grant CCR88-13632.

Proactive RSA

We consider the problem of adding two n-bit numbers that are chosen independently and uniformly at random, where the adder is a circuit of AND, OR, and NOT gates of fan-in two. n nWe first present a circuit that adds at least 1 - e fraction of pairs of numbers correctly and has running time log log(n/e) + O(√log log(n/e)). We then prove that this running time is optimal. n nNext we present a circuit that always produces the correct answer. We show that this circuit adds two n-bit numbers from the uniform distribution in expected 12 log n + O(√log n) time, a speed up factor of two over the best possible running time of a worst-case adder. We prove that this expected running time is optimal.