
Publication


Featured research published by Shafi Goldwasser.


symposium on the theory of computing | 1988

Completeness theorems for non-cryptographic fault-tolerant distributed computation

Michael Ben-Or; Shafi Goldwasser; Avi Wigderson

Every function of n inputs can be efficiently computed by a complete network of n processors in such a way that:
- If no faults occur, no set of size t < n/2 of players gets any additional information (other than the function value),
- Even if Byzantine faults are allowed, no set of size t < n/3 can either disrupt the computation or get additional information.

Furthermore, the above bounds on t are tight!


Journal of the ACM | 1986

How to construct random functions

Oded Goldreich; Shafi Goldwasser; Silvio Micali

A constructive theory of randomness for functions, based on computational complexity, is developed, and a pseudorandom function generator is presented. This generator is a deterministic polynomial-time algorithm that transforms pairs (g, r), where g is any one-way function and r is a random k-bit string, to polynomial-time computable functions ƒ_r: {1, …, 2^k} → {1, …, 2^k}. These ƒ_r's cannot be distinguished from random functions by any probabilistic polynomial-time algorithm that asks and receives the value of a function at arguments of its choice. The result has applications in cryptography, random constructions, and complexity theory.


symposium on the theory of computing | 1985

The knowledge complexity of interactive proof-systems

Shafi Goldwasser; Silvio Micali; Charles Rackoff



symposium on the theory of computing | 1982

Probabilistic encryption & how to play mental poker keeping secret all partial information

Shafi Goldwasser; Silvio Micali

This paper proposes an Encryption Scheme that possesses the following property: An adversary, who knows the encryption algorithm and is given the cyphertext, cannot obtain any information about the clear-text. Any implementation of a Public Key Cryptosystem, as proposed by Diffie and Hellman in [8], should possess this property. Our Encryption Scheme follows the ideas in the number theoretic implementations of a Public Key Cryptosystem due to Rivest, Shamir and Adleman [13], and Rabin [12].


symposium on the theory of computing | 1988

Multi-prover interactive proofs: how to remove intractability assumptions

Michael Ben-Or; Shafi Goldwasser; Joe Kilian; Avi Wigderson

Quite complex cryptographic machinery has been developed based on the assumption that one-way functions exist, yet we know of only a few possible such candidates. It is important at this time to find alternative foundations to the design of secure cryptography. We introduce a new model of generalized interactive proofs as a step in this direction. We prove that all NP languages have perfect zero-knowledge proof-systems in this model, without making any intractability assumptions. The generalized interactive-proof model consists of two computationally unbounded and untrusted provers, rather than one, who jointly agree on a strategy to convince the verifier of the truth of an assertion and then engage in a polynomial number of message exchanges with the verifier in their attempt to do so. To believe the validity of the assertion, the verifier must make sure that the two provers cannot communicate with each other during the course of the proof process. Thus, the complexity assumptions made in previous work have been traded for a physical separation between the two provers. We call this new model the multi-prover interactive-proof model, and examine its properties and applicability to cryptography.


Journal of the ACM | 1996

Interactive proofs and the hardness of approximating cliques

Uriel Feige; Shafi Goldwasser; László Lovász; Shmuel Safra; Mario Szegedy

The contribution of this paper is two-fold. First, a connection is established between approximating the size of the largest clique in a graph and multi-prover interactive proofs. Second, an efficient multi-prover interactive proof for NP languages is constructed, where the verifier uses very few random bits and communication bits. Last, the connection between cliques and efficient multi-prover interaction proofs is shown to yield hardness results on the complexity of approximating the size of the largest clique in a graph. Of independent interest is our proof of correctness for the multilinearity test of functions.


international cryptology conference | 1990

Fair Computation of General Functions in Presence of Immoral Majority

Shafi Goldwasser; Leonid A. Levin

This paper describes a method for n players, a majority of which may be faulty, to compute correctly, privately, and fairly any computable function f(x_1, ..., x_n), where x_i is the input of the i-th player. The method uses as a building block an oblivious transfer primitive. Previous methods achieved these properties only for boolean functions, which, in particular, precluded composition of such protocols. We also propose a simpler definition of security for multi-player protocols which still implies previous definitions of privacy and correctness.


Archive | 1990

Advances in Cryptology — CRYPTO ’88

Shafi Goldwasser

We present strong evidence that the implication, “if one-way permutations exist, then secure secret key agreement is possible”, is not provable by standard techniques. Since both sides of this implication are widely believed true in real life, to show that the implication is false requires a new model. We consider a world where all parties have access to a black box for a randomly selected permutation. Being totally random, this permutation will be strongly one-way in a provable, information-theoretic way. We show that, if P = NP, no protocol for secret key agreement is secure in such a setting. Thus, to prove that a secret key agreement protocol which uses a one-way permutation as a black box is secure is as hard as proving P ≠ NP. We also obtain, as a corollary, that there is an oracle relative to which the implication is false, i.e., there is a one-way permutation, yet secret-exchange is impossible. Thus, no technique which relativizes can prove that secret exchange can be based on any one-way permutation. Our results present a general framework for proving statements of the form, “Cryptographic application X is not likely possible based solely on complexity assumption Y.”


symposium on the theory of computing | 1993

Efficient probabilistically checkable proofs and applications to approximations

Mihir Bellare; Shafi Goldwasser; Carsten Lund; Alexander Russell



international cryptology conference | 1985

An efficient probabilistic public key encryption scheme which hides all partial information

Manuel Blum; Shafi Goldwasser

We construct multi-prover proof systems for NP which use only a constant number of provers to simultaneously achieve low error, low randomness and low answer size. As a consequence, we obtain asymptotic improvements to approximation hardness results for a wide range of optimization problems including minimum set cover, dominating set, maximum clique, chromatic number, and quartic programming; and constant factor improvements on the hardness results for MAXSNP problems. In particular, we show that approximating minimum set cover within any constant is NP-complete; approximating minimum set cover within c log n, for c < 1/8, implies NP ⊆ DTIME(n^{log log n}); approximating the maximum of a quartic program within any constant is NP-complete; approximating maximum clique or chromatic number within n^{1/29} implies NP ⊆ BPP; and approximating MAX-3SAT within 113/112 is NP-complete.

* High Performance Computing and Communications, IBM T.J. Watson Research Center, PO Box 704, Yorktown Heights, NY 10598, USA. e-mail: mihir@watson.ibm.com.
† MIT Laboratory for Computer Science, 545 Technology Square, Cambridge, MA 02139, USA. e-mail: shafi@theory.lcs.mit.edu. Partially supported by NSF FAW grant No. 9023312-CCR, DARPA grant No. N00014-92-J-1799, and grant No. 89-00312 from the United States Israel Binational Science Foundation (BSF), Jerusalem, Israel.
