Charles Rackoff - Academia.edu
Papers by Charles Rackoff
Lecture Notes in Mathematics, 1979
Proceedings of the eighteenth annual ACM symposium on Theory of computing - STOC '86, 1986
number generator, then there is a pseudo-random function generator. We prove here that if there is a pseudo-random function generator, then there is a pseudo-random permutation generator. We also prove that if two permutation generators which are "slightly secure" are cryptographically composed, the result is more secure than either one alone.
Theoretical Computer Science, 1978
New decision procedures for the covering and boundedness problems for vector addition systems are obtained. These procedures require at most space 2^{cn log n} for some constant c. The procedures nearly achieve recently established lower bounds on the amount of space inherently required to solve these problems, and so are much more efficient than previously known non-primitive-recursive decision procedures.
Lecture Notes in Computer Science, 2004
A consistent query protocol (CQP) allows a database owner to publish a very short string c which commits her and everybody else to a particular database D, so that any copy of the database can later be used to answer queries and give short proofs that the answers are consistent with the commitment c. Here commits means that there is at most one database D that anybody can find (in polynomial time) which is consistent with c. (Unlike in some previous work, this strong guarantee holds even for owners who try to cheat while creating c.) Efficient CQPs for membership and one-dimensional range queries are known [5, 17, 22]: given a query pair a, b ∈ R, the server answers with all the keys in the database which lie in the interval [a, b] and a proof that the answer is correct. This paper explores CQPs for more general types of databases. We put forward a general technique for constructing CQPs for any type of query, assuming the existence of a data structure/algorithm with certain inherent robustness properties that we define (called a data-robust algorithm). We illustrate our technique by constructing an efficient protocol for orthogonal range queries, where the database keys are points in R^d and a query asks for all keys in a rectangle [a_1, b_1] × ... × [a_d, b_d]. Our data-robust algorithm is within an O(log N) factor of the best known standard data structure (a range tree, due to Bentley [2]). We modify our protocol so that it is also private, that is, the proofs leak no information about the database beyond the query answers. We show a generic modification to ensure privacy based on zero-knowledge proofs, and also give a new, more efficient protocol tailored to hash trees.
Advances in Cryptology — CRYPTO ’91
The zero-knowledge proof of knowledge, first defined by Fiat, Feige and Shamir, was used by Galil, Haber and Yung as a means of constructing (out of a trapdoor function) an interactive public-key cryptosystem provably secure against chosen ciphertext attack. We introduce a revised setting which permits the definition of a non-interactive analogue, the non-interactive zero-knowledge proof of knowledge, and show how it may be constructed in that setting from a non-interactive zero-knowledge proof system for NP (of the type introduced by Blum, Feldman and Micali). We give a formalization of chosen ciphertext attack in our model which is stronger than the "lunchtime attack" considered by Naor and Yung, and prove a non-interactive public-key cryptosystem based on non-interactive zero-knowledge proof of knowledge to be secure against it.
Proceedings 39th Annual Symposium on Foundations of Computer Science (Cat. No.98CB36280)
We consider zero-knowledge interactive proofs in a richer, more realistic communication environment. In this setting, one may simultaneously engage in many interactive proofs, and these proofs may take place in an asynchronous fashion. It is known that zero-knowledge is not necessarily preserved in such an environment; we show that for a large class of protocols, it cannot be preserved. Any 4-round (computational) zero-knowledge interactive proof (or argument) for a non-trivial language L is not black-box simulatable in the asynchronous setting.
20th Annual Symposium on Foundations of Computer Science (sfcs 1979), 1979
... The motivation for this question lies in the attempt to prove lower bounds on the space complexity of ... This would mean that, even if we allowed a sequence {Tn} of two-way finite automata ... Many of the methods used to attack this problem work equally as well on undirected graphs ...
24th Annual Symposium on Foundations of Computer Science (sfcs 1983), 1983
We present a cryptographic protocol allowing two mutually distrusting parties, A and B, each having a secret bit, to "simultaneously" exchange the values of those bits. It is assumed that initially each party presents a correct encryption of his secret bit to the other party. We develop a new tool to implement our protocol: a slightly biased symmetric coin. The
Lecture Notes in Computer Science
We study the problem of Key Exchange (KE), where authentication is two-factor and based on both electronically stored long keys and human-supplied credentials (passwords or biometrics). The latter credential has low entropy and may be adversarially mistyped. Our main contribution is the first formal treatment of mistyping in this setting. Ensuring security in the presence of mistyping is subtle. We show mistyping-related limitations of previous KE definitions and constructions (of Boyen et al. [7, 6, 10] and Kolesnikov and Rackoff [16]). We concentrate on the practical two-factor authenticated KE setting where servers exchange keys with clients, who use short passwords (memorized) and long cryptographic keys (stored on a card). Our work is thus a natural generalization of Halevi-Krawczyk [15] and Kolesnikov-Rackoff [16]. We discuss the challenges that arise due to mistyping. We propose the first KE definitions in this setting, and formally discuss their guarantees. We present efficient KE protocols and prove their security.
Lecture Notes in Computer Science, 2006
We propose a new model for key exchange (KE) based on a combination of different types of keys. In our setting, servers exchange keys with clients, who memorize short passwords and carry (stealable) storage cards containing long (cryptographic) keys. Our setting is a generalization of that of Halevi and Krawczyk [17] (HK), where clients have a password and the public key of the server. We point out a subtle flaw in the protocols of HK and demonstrate a practical attack on them, resulting in a full password compromise. We give a definition of security of KE in our (and thus also in the HK) setting and discuss many related subtleties. We define and discuss protection against denial of access attacks, which is not possible in any of the previous KE models that use passwords. Finally, we give a very simple and efficient protocol satisfying all our requirements.
Theoretical Computer Science, 2005
We study the random composition of a small family of O(n^3) simple permutations on {0,1}^n. Specifically, we ask what is the number of compositions needed to achieve a permutation that is close to k-wise independent. We improve on a result of Gowers [7] and show that, up to a polylogarithmic factor, n^3 k^3 compositions of random permutations from this family suffice. Additionally, we introduce a new notion analogous to closeness to k-wise independence against adaptive adversaries and show the constructed permutation has the stronger property. This question is essentially about the rapid mixing of the random walk on a certain graph, which we establish using a new approach to construct the so-called canonical paths, which may be of independent interest. We also show that if we are willing to use a much larger family of simple permutations then we can guarantee closeness to k-wise independence with fewer compositions and fewer random bits.
Bulletin of Symbolic Logic, 2006
SIAM Journal on Computing, 1989
Usually, a proof of a theorem contains more knowledge than the mere fact that the theorem is true. For instance, to prove that a graph is Hamiltonian it suffices to exhibit a Hamiltonian tour in it; however, this seems to contain more knowledge than the single bit Hamiltonian/non-Hamiltonian. In this paper a computational complexity theory of the "knowledge" contained in a proof is developed. Zero-knowledge proofs are defined as those proofs that convey no additional knowledge other than the correctness of the proposition in question. Examples of zero-knowledge proof systems are given for the languages of quadratic residuosity and quadratic nonresiduosity. These are the first examples of zero-knowledge proofs for languages not known to be efficiently recognizable.
SIAM Journal on Computing, 1980
Space Lower Bounds for Maze Threadability on Restricted Machines. [SIAM Journal on Computing 9, 636 (1980)]. Stephen A. Cook, Charles W. Rackoff. Abstract. A restricted model of a Turing machine called a JAG (Jumping ...
SIAM Journal on Computing, 1983
It is shown that any multivariate polynomial of degree d that can be computed sequentially in C steps can be computed in parallel in O((log d)(log C + log d)) steps using only (Cd)^{O(1)} processors.
SIAM Journal on Computing, 1975
SIAM Journal on Computing, 1988
Journal of Scheduling, 2009
The "Priority Algorithm" is a model of computation introduced by Borodin, Nielsen and Rackoff [BNR03] which formulates a wide class of greedy algorithms. For an arbitrary set S of jobs, we are interested in whether or not there exists a priority algorithm that gains optimal profit on every subset of S. In the case where the jobs are all intervals, we characterize such sets S and give an efficient algorithm (when S is finite) for determining this. We show that in general, however, the problem is NP-hard.