Projects

General

• Study projects involve the survey of a series of research papers on a particular subject. The outcome of the project is a report describing the general problem, the solutions provided in the various papers, and the conceptual and technical contributions of each paper. One or more key results should be stated and proved in the report, possibly filling any gap in the original presentation. A clear description of how the presented result fits into the general picture should also be given. A report would typically be about 10 to 15 pages long, be written in latex, and have an extensive bibliography. An alternative format is to submit a shorter report, without proofs, and then give a presentation in class about one selected result. Four slots of thirty minutes are available for such presentations. If more requests are submitted than slots are available, students will be selected in order of submission of their proposal, subject to the constraints that there will not be two presentations on the same topic.

• Implementation projects involve the implementation of new cryptographic protocols. The project involve writing working code, obtaining experimental data as required in the description of the project, and write a report on the development of the implementation and on the results of the experiment.

• Research projects are of theoretical nature, and require to prove a certain result. Topics have been chosen so that proofs should not be very hard, and that the final result should be interesting. Since theoretical research is intrinsecally inpredictable, it is possible that two months (or twenty years, for what matters) might not be enough to come up with a solution. Partial solutions will be accepted. In case of no results, the project can be turned into a study project on the same topic.

Format of the Report

Collaboration

Other Topics

Schedule

Study projects

• Amplification of Hardness for One-Way Functions and Permutations.
  If f is a weak one way function, then fk(x1,...,xk) = f(x1),...,f(xk) is a strong one-way function. In general, the probability that an adversary can invert the function goes down (about) exponentially in k. If f is a permutation, then there is a way of doing a similar amplification without blowing up the input size of the function (which is what becomes the length of the key in applications to encryption).
  References: Goldreich's fragments, Sections 2.3 and 2.6; Luby's book, Chapter 3; and
  Goldreich, Impagliazzo, Levin, Venkatesen, Zuckerman, "Security-preserving amplification of hardness", FOCS'90.
• Pseudorandom Generators from Regular One-Way Functions
  A regular function f has the property that every element in the range of f has the same number of pre-images (permutations are a special case). It is not too hard to use hashing techniques to get a pseudorandom generator out of any strong regular one-way function.
  References: Goldreich Section 3.5, Luby Chapter 9.
• Relation Between Trapdoor Functions, One-Way Functions, and Public-Key encryption.
  Semantically secure public key cryptosystems exist iff trapdoor predicates exist. Trapdoor premutations (and even trapdoor functions with small pre-images) imply trapdoor predicates, but vice-versa is not known (unless in the random oracle model). One-way functions imply trapdoor functions with big pre-images but, conceivably, not trapdoor functions with small pre-images. The picture has still a few holes but is taking shape.
  References:
  • Impagliazzo, Rudich, Limits on the provable consequences of one-way permutations, STOC'89.
  • Bellare, Halevi, Sahai, Vadhan, Many-to-one trapdoor functions and their relation to public-key cryptosystems, Crypto'98.
• Relations Among Notions of Security
  There are several notions of security for public-key encryption, ranging from semantic security to security against adaptive chosen ciphertext attacks. For some definitions, it is not immediately clear whether they are special cases of other definitions or not. A complete picture of the relation between different definition has now emerged.
  Reference:
  • Bellare, Desai, Pointcheval, Rogaway, Relations among notions of security for public-key encryption schemes. Crypto'98.
  Chosen by
  • Janice Cheung (with presentation, 4/28)
• Shor's Quantum Algorithms for factoring and discrete log
  A quantum computer, if it can be built, can factor and take discrete logarithms efficiently, thus breaking several cryptosystems. In fact, it is quite conceivable that quantum computers can invert any one-way function, though this is currently a very hard open question. Peter Shor's paper is quite fascinating and the result is exciting, but it is quite challenging, unless for students of good mathematical maturity.
  References:
  • Shor Polynomial time algorithms for prime factorization and discrete log on a quantum computer, FOCS'94 and SICOMP 26:1484-1509, 1997.
  • Shor Quantum computing, ICM'98.
  • Umesh Vazirani's course on quantum computing.
• Attacks to RSA
  Several innocent-looking restrictions of RSA or ways to implement it as a cryptosystem can yield dramatic security flaws.
  References:
  • Hastad Solving simultaneous modular equations of low degree, SICOMP 17(2):336-341, 1988. (Shows that having a small encryption exponent is bad)
  • Boneh Twenty years of attacks on the RSA cryptosystem, Notices of the AMS 46(2)203-213, 1999. (Lots of results. Concentrate your report only on the result(s) that you are more interested in)
  Chosen by:
  • Kahil Jallad (with presentation, 4/28)
  • Hou-Yu Alex Su
  • Plamen Mitrikov
  • Chun Jin
• Candidate one-way and trapdoor functions related to lattice problems.
  
  • Ajtai, Dwork A public key cryptosystem with wost-case/average-case equivalence. STOC'97.
  • Nguyen, Stern, Cryptanalysis of the Ajtai-Dwork cryptosystem, CRYPTO'98.
  • Goldreich, Goldwasser, Halevi Public-key cryptosystems from lattice reduction problems, 1997.
• Perfect Zero Knowledge is Contained in co-AM
  The result implies that, under standard assumptions, one cannot have statistical zero-knowledge proofs of NP-hard problems. So one needs to use computational zero-knowledge in order to prove everything. This is for people familiar with complexity theory.
  References:
  • Aiello, Hastad, Statistical zero knowlege languages can be recognized in two rounds. JCSS 42:327-345, 1991.
  • Hastad also wrote a note on the paper.
  Chosen by:
  • Unmesh Ballal
• Computationally Private Information Retrieval With polylog Communication
  But with an unusual assumption. Very nice, and very new, result.
  
  • Chor, Goldreich, Kushilevitz, Sudan Private Information Retrieval
  • Cachin, Micali, Stadler, Computationally Private Information Retrieval with Polylograrithmic Communication, Eurocrypt'99.
  Chosen by
  • Alex Mann

Independent Study Projects

• Quantum Cryptography. Proposed by V. Guruprasad (with presentation).

Implementation projects

• Implementation of Information Theoretic PIR Scheme.
  The protocol to implement is the one for two databases and n^(1/3) communication by Chor, Goldreich, Kushilevitz and Sudan. There should be code for each database and for the user. Possibly, the database would be a cgi application and the user a java application, and retrieval could happen over the web. A goal of the project is to compare the efficiency of the system with the efficiency of the trivial solution of sending the whole database. The project should report the computation and communication time of the PIR system for increasing lengths of the database, and determine a threshold where it becomes competitive with respect to the trivial solution.
  References:
  • Chor, Goldreich, Kushilevitz, Sudan Private Information Retrieval
  Chosen by
  • Yunzhi Ren and Jianping Yu
  • Juno Suk
  • Weiwen Yang
• Implementation of Computational PIR Scheme.
  The protocol to implement is the one with one database and communication n^(1/2) by Kushilevitz and Ostrovsky. A reasonably large domain should be used for the quadratic residuosity problem to hard. There should be code for the database and for the user. Possibly, the database would be a cgi application and the user a java application, and retrieval could happen over the web. A goal of the project is to compare the efficiency of the system with the efficiency of the trivial solution of sending the whole database. The project should report the computation and communication time of the PIR system for increasing lengths of the database, and determine a threshold where it becomes competitive with respect to the trivial solution.
  
  • Kushilevitz and Ostrovsky Replication is not needed: single database, computationally private information retrieval
• Implementation of the Bellare-Rogaway Efficient Cryptosystem
  SHA or MD5 can be used instead of the ideal hash function. Experiments should show how slower is encryption with respect to plain RSA.
  
  • Rivest The MD5 Message Digest Algorithm, Internet RFC 1321, 1992.
  • M. Bellare and P. Rogaway. Optimal Asymmetric Encryption Eurocrypt'94.
  Chosen by
  • Fritz Schneider
  • Naoki Nakashima
• Implementation of the Cramer-Shoup Efficient Cryptosystem
  Experiments should show how slower is encryption with respect to plain RSA.
  
  • R. Cramer and V. Shoup. A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack, Crypto'98.
  Chosen by:
  • Larry Wong
  • Rahul Mervah
  • Maksim Khorovskiy
  • Lars larsen
  • Chen Zhou

Research Projects

• A version of Yao's XOR Lemma for general groups.
  For a function f: D -> G, where G is a group, that is weakly hard to predict, one would expect fk : D^k -> G defined as fk(x1,...,xk) = f(x1) + ... + f(xk) to be increasingly hard to predict. Specifically one would expect the fraction of inputs on which prediction is possible to tend to 1/|G|. As it turns out, if G has a subgroup, then this is not necessarily true. Study this problem in general, and see whether, at least for certain classes of groups, a strong analog of Yao's XOR lemma does hold. A complete characterization of the cases where prediction tends to 1/|G| could be publishable. Partial results would still gain full credit.
  Reference: Goldreich, Nisan, Wigderson, On Yao's XOR Lemma, ECCC TR95-50, 1995 (Revised 1998).
• The Blum-Micali-Yao Generator with a Weak One-Way Permutation
  What can be said about the output of the Blum-Micali-Yao generator when it is constructed starting from a weak one-way permutation. Perhaps the output is indistinguishable from some distribution having large entropy (a similar result was proved for a different kind of generator). If this is true, and the proof has good quantitative parameters, the consequence would be a new, more efficient, transformation of weak one permutations into pseudorandom generators.
  References:
  
  • Impagliazzo Hard core distributions for somewhat hard problems, FOCS'95. (Contains a result that might be helpful)
  • Goldreich, Nisan, Wigderson, On Yao's XOR Lemma, ECCC TR95-50, 1995 (Revised 1998). (Contains a good exposition of Impagliazzo's result)
  • Nisan Extracting randomness: how and why, 1996. (General reference on entropy, statistical distance, and efficient transformation of certain distributions in certain other ones)
  • Sudan, Trevisan, Vadhan Pseudorandom generators without the XOR Lemma, STOC'99. (The result about the different kind of generator)
• The Blum-Micali-Yao Generator with a Random Permutation
  Can we say that the Blum-Micali-Yao generator applied to a random permutation has an output statistically close to uniform, provided the permutation comes from a distribution with sufficiently large entropy? Probably not, and indeed a certain type of proof would not work. On the other hand a similar result holds for a different kind of generator. It would be of interest to find a counter-example for the BMY construction, or just even to show that certain more general proof techniques will fail to prove the result for BMY.
  References:
  
  • Nisan Extracting randomness: how and why, 1996. (General reference on entropy, statistical distance, and efficient transformation of certain distributions in certain other ones)
  • Trevisan Extractors and pseudorandom generators, STOC'99 (Contains the result for a different type of generator)
  Chosen by:
  • Tracy Hammond
• Beyond bit-wise private information retrieval
  This project is more open-ended. The goal of the project is to define a more general type of query (rather than "give me the i-th bit") and to show how this kind of queries can be served, say, with sublinear communication, information-theoretic privacy, and two servers. The case of search by keywords and block-wise retrieval have already been considered. You may try to implement queries of the form "give me all the blocks that contains this keyword AND this other one", and likewise for OR, and perhaps arbitrary Boolean expressions. Note that the server may maintain an index, and that the index can be accessed privately using known PIR systems as subroutines. So every type of query that can be done in logarithmic time using indices and without privacy requirements, can also be trivially (?) extended to the PIR setting.
  Reference:
  • Chor, Goldreich, Kushilevitz, Sudan Private Information Retrieval, penultimate revision. (This is not the version appeared in JACM, and contains more details about block-wise retrieval)
  • Chor, Gilboa, Naor Private information retrieval by keywords, 1998.

• Connections between PIR and error-correcting codes. Proposed by Jonathan Katz

Created by Luca Trevisan. Mar 1st, 1999.