The class of Basic Feasible Functionals $$\mathtt{BFF}$$ BFF is the second-order counterpart of t... more The class of Basic Feasible Functionals $$\mathtt{BFF}$$ BFF is the second-order counterpart of the class of first-order functions computable in polynomial time. We present several implicit characterizations of $$\mathtt{BFF}$$ BFF based on a typed programming language of terms. These terms may perform calls to imperative procedures, which are not recursive. The type discipline has two layers: the terms follow a standard simply-typed discipline and the procedures follow a standard tier-based type discipline. $$\mathtt{BFF}$$ BFF consists exactly of the second-order functionals that are computed by typable and terminating programs. The completeness of this characterization surprisingly still holds in the absence of lambda-abstraction. Moreover, the termination requirement can be specified as a completeness-preserving instance, which can be decided in time quadratic in the size of the program. As typing is decidable in polynomial time, we obtain the first tractable (i.e., decidable in...
This paper provides an alternate characterization of type-two polynomial-time computability, with... more This paper provides an alternate characterization of type-two polynomial-time computability, with the goal of making second-order complexity theory more approachable. We rely on the usual oracle machines to model programs with subroutine calls. In contrast to previous results, the use of higher-order objects as running times is avoided, either explicitly or implicitly. Instead, regular polynomials are used. This is achieved by refining the notion of oracle-polynomial-time introduced by Cook. We impose a further restriction on the oracle interactions to force feasibility. Both the restriction as well as its purpose are very simple: it is well-known that Cook's model allows polynomial depth iteration of functional inputs with no restrictions on size, and thus does not guarantee that polynomial-time computability is preserved. To mend this we restrict the number of lookahead revisions, that is the number of times a query can be asked that is bigger than any of the previous queries....
Zero-knowledge protocols are often studied through specific problems, like GRAPH-ISOMORPHISM. In ... more Zero-knowledge protocols are often studied through specific problems, like GRAPH-ISOMORPHISM. In many cases this approach prevents an important level of abstraction and leads to limited results, whereas in fact the constructions apply to a wide variety of problems. We propose to address this issue with a formal framework of non-interactive instance-dependent commitment schemes (NIC). We define NIC in both the perfect, statistical, and computational settings, and formally characterize problems admitting NIC in all of these settings. We also prove other useful lemmas such as closure properties. Consequently, results that previously applied only to specific problems are now strengthened by our framework to apply to classes of problems. By providing formal yet intuitive tools, our framework facilitates the construction of zero-knowledge protocols for a wide variety of problems, in various settings, without the need to refer to a specific problem. Our results are unconditional.
We consider a mild extension of universal algebra in which terms are built both from deterministi... more We consider a mild extension of universal algebra in which terms are built both from deterministic and probabilistic variables, and are interpreted as distributions. We formulate an equational proof system to establish equality between probabilistic terms, show its soundness, and provide heuristics for proving the validity of equations. Moreover, we provide decision procedures for deciding the validity of a system of equations under specific theories that are commonly used in cryptographic proofs, and use concatenation, truncation, and xor. We illustrate the applicability of our formalism in cryptographic proofs, showing how it can be used to prove standard equalities such as optimistic sampling and one-time padding as well as non-trivial equalities for standard schemes such as OAEP.
We present two logical systems for reasoning about cryptographic constructions which are sound wi... more We present two logical systems for reasoning about cryptographic constructions which are sound with respect to standard cryptographic definitions of security. Soundness of the first system is proved using techniques from nonstandard models of arithmetic. Soundness of the second system is proved by an interpretation into the first system. We also present examples of how these systems may be used to formally prove the correctness of some elementary cryptographic constructions.
A type 1 function is a total mapping from N to N. We will denote the set of all such functions by... more A type 1 function is a total mapping from N to N. We will denote the set of all such functions by N N. A type 2 functional is a total mapping from ( N N) k \Theta N l to N, for some k; l. More specifically, we will call a mapping of this sort a functional with rank (k; l). For type 1 functions, there is a well established notion of computational feasibility. Namely a function is feasible if it is computable in polynomial time on a Turing machine. More specifically, a function f is poly time if there is a TM M and a polynomial p such that for all x, M with input x computes f(x) and runs in time p(n), where n = jxj, and for x 2 N, jxj denotes the length of the binary notation of x, that is dlog(x + 1)e. This notion of f...
Abstract. We provide a new characterization of certain zero-knowledge protocols as non-interactiv... more Abstract. We provide a new characterization of certain zero-knowledge protocols as non-interactive instance-dependent commitment-schemes (NIC). To obtain this result we consider the notion of V-bit protocols, which are very common, and found many applications in zero-knowledge. Our characterization result states that a protocol has a V-bit zero-knowledge protocol if and only if it has a NIC. TheNIC inherits its hiding property from the zero-knowledge property of the protocol, and vice versa. Our characterization result yields a framework that strengthens and simplifies many zero-knowledge protocols in various settings. For example, applying this framework to the result of Micciancio et al. [18] (who showed that some problems, including GRAPH-NONISOMORPHISM and QUADRATIC-RESIDUOUSITY, unconditionally have a concurrent zero-knowledge proof) we easily get that arbitrary, monotone boolean formulae over a large class of problems (which contains, e.g., the complement of any random self-re...
Computational Indistinguishability Logic (CIL) is a logic for reasoning about cryptographic primi... more Computational Indistinguishability Logic (CIL) is a logic for reasoning about cryptographic primitives in computational models. It captures reasoning patterns that are common in provable security, such as simulations and reductions. CIL is sound for the standard model, but also supports reasoning in the random oracle and other idealized models. We illustrate the benefits of CIL by formally proving the security of the probabilistic signature scheme (PSS). 1.
We resolve two long-standing open problems in distributed computation by showing that both Byzant... more We resolve two long-standing open problems in distributed computation by showing that both Byzantine agreement and Leader Election can be solved in sub-exponential time in the asynchronous full information model. Surprisingly, our protocols for both problems run in only polylogarithmic time. We thus achieve a better than exponential speedup over previous results for asynchronous Byzantine agreement. In addition, to the best of our knowledge, ours is the first protocol for asynchronous full-information leader election. Our protocols work in the full information model with a non-adaptive adversary: the adversary is assumed to control up to a constant fraction of the processors, have unlimited computational power as well as access to all communications, but no access to processors ’ private random bits. The adversary is non-adaptive only in the sense that the corrupted processors must be chosen at the outset. Our protocols run in time that is polylogarithmic in the number of processors...
1995 IEEE International Conference on Systems, Man and Cybernetics. Intelligent Systems for the 21st Century
In this paper a new conceptual framework for investigating the deadlock avoidance problem in flex... more In this paper a new conceptual framework for investigating the deadlock avoidance problem in flexible manufacturing systems (FMSs) is introduced. The aim of the framework is to capture the production route information, which is relevant to deadlock avoidance, and more specifically to avoidance of circular wait situations. Three sources of circular wait situations in FMSs are identified. Based on these,
This paper considers fully dynamic graph algorithms with both faster worst case update time and s... more This paper considers fully dynamic graph algorithms with both faster worst case update time and sublinear space. The fully dynamic graph connectivity problem is the following: given a graph on a fixed set of n nodes, process an online sequence of edge insertions, edge deletions, and queries of the form "Is there a path between nodes a and b?" In 2013, the first data structure was presented with worst case time per operation which was polylogarithmic in n. In this paper, we shave off a factor of log n from that time, to O(log^4 n) per update. For sequences which are polynomial in length, our algorithm answers queries in O(log n/\log\log n) time correctly with high probability and using O(n \log^2 n) words (of size log n). This matches the amount of space used by the most space-efficient graph connectivity streaming algorithm. We also show that 2-edge connectivity can be maintained using O(n log^2 n) words with an amortized update time of O(log^6 n).
Proceedings of the 35th Annual ACM/IEEE Symposium on Logic in Computer Science, 2020
The class of Basic Feasible Functionals BFF2 is the type-2 counterpart of the class FP of type-1 ... more The class of Basic Feasible Functionals BFF2 is the type-2 counterpart of the class FP of type-1 functions computable in polynomial time. Several characterizations have been suggested in the literature, but none of these present a programming language with a type system guaranteeing this complexity bound. We give a characterization of BFF2 based on an imperative language with oracle calls using a tier-based type system whose inference is decidable. Such a characterization should make it possible to link higher-order complexity with programming theory. The low complexity (cubic in the size of the program) of the type inference algorithm contrasts with the intractability of the aforementioned methods and does not restrain strongly the expressive power of the language.
We relax the notion of malware obfuscation to include semantically non-preserving transformations... more We relax the notion of malware obfuscation to include semantically non-preserving transformations. Unlike traditional obfuscation techniques, these transformation may not preserve original code behaviour. Using web-based malware we focus on transformations which modify abstract syntax trees. While such transformations yield syntactically valid programs, they may yield dysfunctional samples, so that it is not clear that this is a practical approach to producing detection-evading malware. However, by implementing an automated system that efficiently filters dysfunctional samples on a virtual cloud architecture, we show that such transformations are in fact practical. Using two simple transformations, we evaluated four antivirus products and were able to create many samples that evade detection, demonstrating that semantic-preserving obfuscation is not the only effective way to mutate malware.
The class of Basic Feasible Functionals $$\mathtt{BFF}$$ BFF is the second-order counterpart of t... more The class of Basic Feasible Functionals $$\mathtt{BFF}$$ BFF is the second-order counterpart of the class of first-order functions computable in polynomial time. We present several implicit characterizations of $$\mathtt{BFF}$$ BFF based on a typed programming language of terms. These terms may perform calls to imperative procedures, which are not recursive. The type discipline has two layers: the terms follow a standard simply-typed discipline and the procedures follow a standard tier-based type discipline. $$\mathtt{BFF}$$ BFF consists exactly of the second-order functionals that are computed by typable and terminating programs. The completeness of this characterization surprisingly still holds in the absence of lambda-abstraction. Moreover, the termination requirement can be specified as a completeness-preserving instance, which can be decided in time quadratic in the size of the program. As typing is decidable in polynomial time, we obtain the first tractable (i.e., decidable in...
This paper provides an alternate characterization of type-two polynomial-time computability, with... more This paper provides an alternate characterization of type-two polynomial-time computability, with the goal of making second-order complexity theory more approachable. We rely on the usual oracle machines to model programs with subroutine calls. In contrast to previous results, the use of higher-order objects as running times is avoided, either explicitly or implicitly. Instead, regular polynomials are used. This is achieved by refining the notion of oracle-polynomial-time introduced by Cook. We impose a further restriction on the oracle interactions to force feasibility. Both the restriction as well as its purpose are very simple: it is well-known that Cook's model allows polynomial depth iteration of functional inputs with no restrictions on size, and thus does not guarantee that polynomial-time computability is preserved. To mend this we restrict the number of lookahead revisions, that is the number of times a query can be asked that is bigger than any of the previous queries....
Zero-knowledge protocols are often studied through specific problems, like GRAPH-ISOMORPHISM. In ... more Zero-knowledge protocols are often studied through specific problems, like GRAPH-ISOMORPHISM. In many cases this approach prevents an important level of abstraction and leads to limited results, whereas in fact the constructions apply to a wide variety of problems. We propose to address this issue with a formal framework of non-interactive instance-dependent commitment schemes (NIC). We define NIC in both the perfect, statistical, and computational settings, and formally characterize problems admitting NIC in all of these settings. We also prove other useful lemmas such as closure properties. Consequently, results that previously applied only to specific problems are now strengthened by our framework to apply to classes of problems. By providing formal yet intuitive tools, our framework facilitates the construction of zero-knowledge protocols for a wide variety of problems, in various settings, without the need to refer to a specific problem. Our results are unconditional.
We consider a mild extension of universal algebra in which terms are built both from deterministi... more We consider a mild extension of universal algebra in which terms are built both from deterministic and probabilistic variables, and are interpreted as distributions. We formulate an equational proof system to establish equality between probabilistic terms, show its soundness, and provide heuristics for proving the validity of equations. Moreover, we provide decision procedures for deciding the validity of a system of equations under specific theories that are commonly used in cryptographic proofs, and use concatenation, truncation, and xor. We illustrate the applicability of our formalism in cryptographic proofs, showing how it can be used to prove standard equalities such as optimistic sampling and one-time padding as well as non-trivial equalities for standard schemes such as OAEP.
We present two logical systems for reasoning about cryptographic constructions which are sound wi... more We present two logical systems for reasoning about cryptographic constructions which are sound with respect to standard cryptographic definitions of security. Soundness of the first system is proved using techniques from nonstandard models of arithmetic. Soundness of the second system is proved by an interpretation into the first system. We also present examples of how these systems may be used to formally prove the correctness of some elementary cryptographic constructions.
A type 1 function is a total mapping from N to N. We will denote the set of all such functions by... more A type 1 function is a total mapping from N to N. We will denote the set of all such functions by N N. A type 2 functional is a total mapping from ( N N) k \Theta N l to N, for some k; l. More specifically, we will call a mapping of this sort a functional with rank (k; l). For type 1 functions, there is a well established notion of computational feasibility. Namely a function is feasible if it is computable in polynomial time on a Turing machine. More specifically, a function f is poly time if there is a TM M and a polynomial p such that for all x, M with input x computes f(x) and runs in time p(n), where n = jxj, and for x 2 N, jxj denotes the length of the binary notation of x, that is dlog(x + 1)e. This notion of f...
Abstract. We provide a new characterization of certain zero-knowledge protocols as non-interactiv... more Abstract. We provide a new characterization of certain zero-knowledge protocols as non-interactive instance-dependent commitment-schemes (NIC). To obtain this result we consider the notion of V-bit protocols, which are very common, and found many applications in zero-knowledge. Our characterization result states that a protocol has a V-bit zero-knowledge protocol if and only if it has a NIC. TheNIC inherits its hiding property from the zero-knowledge property of the protocol, and vice versa. Our characterization result yields a framework that strengthens and simplifies many zero-knowledge protocols in various settings. For example, applying this framework to the result of Micciancio et al. [18] (who showed that some problems, including GRAPH-NONISOMORPHISM and QUADRATIC-RESIDUOUSITY, unconditionally have a concurrent zero-knowledge proof) we easily get that arbitrary, monotone boolean formulae over a large class of problems (which contains, e.g., the complement of any random self-re...
Computational Indistinguishability Logic (CIL) is a logic for reasoning about cryptographic primi... more Computational Indistinguishability Logic (CIL) is a logic for reasoning about cryptographic primitives in computational models. It captures reasoning patterns that are common in provable security, such as simulations and reductions. CIL is sound for the standard model, but also supports reasoning in the random oracle and other idealized models. We illustrate the benefits of CIL by formally proving the security of the probabilistic signature scheme (PSS). 1.
We resolve two long-standing open problems in distributed computation by showing that both Byzant... more We resolve two long-standing open problems in distributed computation by showing that both Byzantine agreement and Leader Election can be solved in sub-exponential time in the asynchronous full information model. Surprisingly, our protocols for both problems run in only polylogarithmic time. We thus achieve a better than exponential speedup over previous results for asynchronous Byzantine agreement. In addition, to the best of our knowledge, ours is the first protocol for asynchronous full-information leader election. Our protocols work in the full information model with a non-adaptive adversary: the adversary is assumed to control up to a constant fraction of the processors, have unlimited computational power as well as access to all communications, but no access to processors ’ private random bits. The adversary is non-adaptive only in the sense that the corrupted processors must be chosen at the outset. Our protocols run in time that is polylogarithmic in the number of processors...
1995 IEEE International Conference on Systems, Man and Cybernetics. Intelligent Systems for the 21st Century
In this paper a new conceptual framework for investigating the deadlock avoidance problem in flex... more In this paper a new conceptual framework for investigating the deadlock avoidance problem in flexible manufacturing systems (FMSs) is introduced. The aim of the framework is to capture the production route information, which is relevant to deadlock avoidance, and more specifically to avoidance of circular wait situations. Three sources of circular wait situations in FMSs are identified. Based on these,
This paper considers fully dynamic graph algorithms with both faster worst case update time and s... more This paper considers fully dynamic graph algorithms with both faster worst case update time and sublinear space. The fully dynamic graph connectivity problem is the following: given a graph on a fixed set of n nodes, process an online sequence of edge insertions, edge deletions, and queries of the form "Is there a path between nodes a and b?" In 2013, the first data structure was presented with worst case time per operation which was polylogarithmic in n. In this paper, we shave off a factor of log n from that time, to O(log^4 n) per update. For sequences which are polynomial in length, our algorithm answers queries in O(log n/\log\log n) time correctly with high probability and using O(n \log^2 n) words (of size log n). This matches the amount of space used by the most space-efficient graph connectivity streaming algorithm. We also show that 2-edge connectivity can be maintained using O(n log^2 n) words with an amortized update time of O(log^6 n).
Proceedings of the 35th Annual ACM/IEEE Symposium on Logic in Computer Science, 2020
The class of Basic Feasible Functionals BFF2 is the type-2 counterpart of the class FP of type-1 ... more The class of Basic Feasible Functionals BFF2 is the type-2 counterpart of the class FP of type-1 functions computable in polynomial time. Several characterizations have been suggested in the literature, but none of these present a programming language with a type system guaranteeing this complexity bound. We give a characterization of BFF2 based on an imperative language with oracle calls using a tier-based type system whose inference is decidable. Such a characterization should make it possible to link higher-order complexity with programming theory. The low complexity (cubic in the size of the program) of the type inference algorithm contrasts with the intractability of the aforementioned methods and does not restrain strongly the expressive power of the language.
We relax the notion of malware obfuscation to include semantically non-preserving transformations... more We relax the notion of malware obfuscation to include semantically non-preserving transformations. Unlike traditional obfuscation techniques, these transformation may not preserve original code behaviour. Using web-based malware we focus on transformations which modify abstract syntax trees. While such transformations yield syntactically valid programs, they may yield dysfunctional samples, so that it is not clear that this is a practical approach to producing detection-evading malware. However, by implementing an automated system that efficiently filters dysfunctional samples on a virtual cloud architecture, we show that such transformations are in fact practical. Using two simple transformations, we evaluated four antivirus products and were able to create many samples that evade detection, demonstrating that semantic-preserving obfuscation is not the only effective way to mutate malware.
Uploads
Papers by Bruce Kapron