René Peralta

Simple Constructions of Almost k‐wise Independent Random Variables

We present three alternative simple constructions of small probability spaces on n bits for which any k bits are almost independent. The number of bits used to specify a point in the sample space is (2 + o(1)) (log log n + k/2 + log k + log 1/ϵ), where ϵ is the statistical difference between the distribution induced on any k bit locations and the uniform distribution. This is asymptotically comparable to the construction recently presented by Naor and Naor (our size bound is better as long as ϵ < 1/(k log n)). An additional advantage of our constructions is their simplicity.

Computation in networks of passively mobile finite-state sensors

We explore the computational power of networks of small resource-limited mobile agents. We define two new models of computation based on pairwise interactions of finite-state agents in populations of finite but unbounded size. With a fairness condition on interactions, we define the concept of stable computation of a function or predicate, and give protocols that stably compute functions in a class including Boolean combinations of threshold-k, parity, majority, and simple arithmetic. We prove that all stably computable predicates are in NL. With uniform random sampling of pairs to interact, we define the model of conjugating automata and show that any counter machine with O(1) counters of capacity O(n) can be simulated with high probability by a protocol in a population of size n. We prove that all predicates computable with high probability in this model are in P ∩ RL. Several open problems and promising future directions are discussed.

Demonstrating possession of a discrete logarithm without revealing it

Techniques are presented that allow A to convince B that she knows a solution to the Discrete Log Problem--i.e. that she knows an x such that ?x ? s (mod N) holds--without revealing anything about x to B. Protocols are given both for N prime and for N composite. We prove these protocols secure under a formal model which is of interest in its own right. We also show how A can convince B that two elements ? and s generate the same subgroup in ZN*, without revealing how to express either as a power of the other.

Stably computable properties of network graphs

We consider a scenario in which anonymous, finite-state sensing devices are deployed in an ad-hoc communication network of arbitrary size and unknown topology, and explore what properties of the network graph can be stably computed by the devices. We show that they can detect whether the network has degree bounded by a constant d, and, if so, organize a computation that achieves asymptotically optimal linear memory use. We define a model of stabilizing inputs to such devices and show that a large class of predicates of the multiset of final input values are stably computable in any weakly-connected network. We also show that nondeterminism in the transition function does not increase the class of stably computable predicates.

On the multiplicative complexity of Boolean functions over the basis ∧,⊕,1

Abstract The multiplicative complexity c ∧ (f) of a Boolean function f is the minimum number of AND gates in a circuit representing f which employs only AND, XOR and NOT gates. A constructive upper bound, c ∧ (f)=2 (n/2)+1 −n/2−2 , for any Boolean function f on n variables ( n even) is given. A counting argument gives a lower bound of c ∧ (f)=2 (n/2) − O (n) . Thus we have shown a separation, by an exponential factor, between worst-case Boolean complexity (which is known to be Θ (2 n n −1 )) and worst-case multiplicative complexity. A construction of circuits for symmetric Boolean functions on n variables, requiring less than n+3 n AND gates, is described.

Short discreet proofs

We show how to produce short proofs of theorems such that a distrusting Verifier can be convinced that the theorem is true yet obtains no information about the proof itself. The proofs are non-interactive provided that the quadratic residuosity bit commitment scheme is available to the Prover and Verifier. For typical applications, the proofs are short enough to fit on a floppy disk.

Implementation of Virtual Private Networks at the Transport Layer

Virtual Private Network (VPN) solutions mainly focus on security aspects. Their main aims are to isolate a distributed network from outsiders and to protect the confidentiality and integrity of sensitive information traversing a non-trusted network such as the Internet. But when security is considered the unique problem, some collateral ones arise. VPN users suffer from restrictions in their access to the network. They are not free to use traditional Internet services such as electronic mail exchange with non-VPN users, and to access Web and FTP servers external to the organization. In this paper we present a new solution, located at the TCP/IP transport layer that, while maintaining strong security features, allows the open use of traditional network services. The solution does not require the addition of new hardware because it is an exclusively software solution. As a consequence, the application is totally portable. Moreover, the implementation is located at the transport layer; thus, there is no need to modify any software previously installed, like FTP, Telnet, HTTP, electronic mail or other network applications.

Subquadratic zero-knowledge

We improve on the communication complexity of zero-knowledge proof systems. Let C be a Boolean circuit of size n. Previous zero-knowledge proof systems for the satisfiability of C require the use of Ω(kn) bit commitments in order to achieve a probability of undetected cheating below 2 -k . In the case k = n, the communication complexity of these protocols is therefore Ω(n 2 ) bit commitments. In this paper, we present a zero-knowledge proof system for achieving the same goal with only O(n 1+en + k√n 1+en ) bit commitments, where e n goes to zero as n goes to infinity. In the case k = n, this is O(n√n 1+en ). Moreover, only O(k) commitments need ever be opened, which is interesting if it is substantially less expensive to commit to a bit than to open a commitment.

On the communication complexity of zero-knowledge proofs

The fact that there are zero-knowledge proofs for all languages in NP (see [15], [6], and [5]) has, potentially, enormous implications to cryptography. For cryptographers, the issue is no longer “which languages in NP have zeroknowledge proofs” but rather “which languages in NP have practical zeroknowledge proofs.” Thus, the concrete complexity of zero-knowledge proofs for different languages must be established.In this paper we study the concrete complexity of the known general methods for constructing zero-knowledge proofs. We establish that circuit-based methods, which can be applied in either the GMR or the BCC model, have the potential of producing proofs which can be used in practice. Then we introduce several techniques which greatly reduce the concrete complexity of circuit-based proofs, and we show that these techniques lead to zero-knowledge proofs of knowledge.Finally, we show how to combine the techniques of Kilian, Micali, and Ostrovsky, for designing zero-knowledge proofs with only two envelopes, with some of our techniques for reducing the number of bits which the prover must commit to.

Primality testing with fewer random bits

In the usual formulations of the Miller-Rabin and Solovay-Strassen primality testing algorithms for a numbern, the algorithm chooses “candidates”x1,x2, ...,xk uniformly and independently at random from ℤn, and tests if any is a “witness” to the compositeness ofn. For either algorithm, the probabilty that it errs is at most 2−k.In this paper, we study the error probabilities of these algorithms when the candidates are instead chosen asx, x+1, ..., x+k−1, wherex is chosen uniformly at random from ℤn. We prove that fork=[1/2log2n], the error probability of the Miller-Rabin test is no more thann−1/2+o(1), which improves on the boundn−1/4+o(1) previously obtained by Bach. We prove similar bounds for the Solovay-Strassen test, but they are not quite as strong; in particular, we only obtain a bound ofn−1/2+o(1) if the number of distinct prime factors ofn iso(logn/loglogn).