
Mihir Bellare

Curriculum vitae and Research Summary

April 2006

Department of Computer Science & Engineering, Mail Code 0114
University of California at San Diego
9500 Gilman Drive
La Jolla, CA 92093, USA.

Phone: (858) 534-4544
FAX: (858) 534-7029
E-mail: [email protected]
Web Page: http://www-cse.ucsd.edu/users/mihir

Contents

1 Research areas 3

2 Education 3

3 Awards 3

4 Grants 4

5 Professional Activities 4

6 Industrial relations 4

7 Work Experience 5

8 Impact 5

9 Teaching 6

10 Publications 6

10.1 Editor 6

10.2 Survey Articles 7

10.3 Publications on Cryptography 7

10.4 Publications on Computational Complexity Theory 13

10.5 Technical reports and manuscripts 15

10.6 Standards documents 15

10.7 Patents 15

10.8 Publication summary 16


11 Students 16

11.1 Ph.D students 16

11.2 MS students 16

12 Presentations 17

12.1 Invited talks at conferences 17

12.2 Invited lectures 17

12.3 Presentations at government organizations 17

12.4 Presentations at workshops with invited participation 17

12.5 Presentations at Universities 18

12.6 Presentations in Industry 18

12.7 Technical presentations at conferences 19

13 Personal Information 20

14 My research in cryptography 21

14.1 Background 21

14.2 Practice-oriented provable security 22

14.2.1 Real-world impact and recognition of the approach 22

14.2.2 Technical elements of the approach 23

14.3 Topics and results 23

14.3.1 Digital signatures 24

14.3.2 Asymmetric encryption 24

14.3.3 Symmetric encryption 25

14.3.4 Entity authentication and session key distribution 26

14.3.5 Message authentication 27

14.3.6 Hashing 28

14.3.7 Protocol design with random oracles 28

14.3.8 Improving usage of block ciphers 29

14.3.9 Incremental cryptography 30

14.3.10 Zero-knowledge 30

14.3.11 Politics of privacy 32

14.3.12 Design and implementation of a secure transport protocol 32

15 My research in complexity theory 32

15.1 Probabilistic proofs and approximation 33

15.1.1 Background and directions 33

15.1.2 Results 33

15.2 Complexity of interactive and zero-knowledge proofs 35

15.2.1 Background and directions 35

15.2.2 Results 35

15.3 Randomness 37

15.3.1 Background and directions 37

15.3.2 Results 37

15.4 Machine learning 38


1 Research areas

∗ Cryptography and computer security: Practice-oriented provable security; secure protocols; authentication; MACs; key distribution; signatures; encryption; zero-knowledge; implementations.

∗ Complexity theory: Interactive and probabilistically checkable proofs; applications of these to obtaining non-approximability results for optimization problems; complexity of zero-knowledge; randomness in protocols and algorithms; computational learning theory.

2 Education

Massachusetts Institute of Technology

∗ Ph.D in Computer Science, September 1991. Thesis title: Randomness in Interactive Proofs. Thesis supervisor: Prof. S. Micali.

∗ Masters in Computer Science, September 1988. Thesis title: A Signature Scheme Based on Trapdoor Permutations. Thesis supervisor: Prof. S. Micali.

California Institute of Technology

∗ B.S. with honors, June 1986. Subject: Mathematics. GPA 4.0. Class rank 4 out of 227. Summer Undergraduate Research Fellow 1984 and 1985.

Ecole Active Bilingue, Paris, France

∗ Baccalaureat Serie C, June 1981.

3 Awards

∗ RSA conference award in mathematics, 2003, jointly with Phil Rogaway.

∗ David and Lucille Packard Foundation fellowship in science and Engineering, 1996. (Twenty awarded annually in all of Science and Engineering.)

∗ NSF CAREER award, 1996.

∗ IBM Faculty Partnership Award, 2001.

∗ Publication [14] was the highest ranked paper at the Crypto 93 conference, 1993.

∗ Publication [15] was the highest ranked paper at the 1st ACM Computer and Communications security conference, 1993.

∗ Publication [66] was the highest ranked paper at the 9th ACM Computer and Communications security conference, 2002.

∗ Publication [69] was the highest ranked paper at the CT-RSA conference, 2003.

∗ An IBM outstanding innovation award was given for HMAC (a data integrity algorithm presented in publication [25]), March 1997.

∗ An IBM outstanding technical achievement award was given for iKP (an electronic payment protocol presented in publication [48]), August 1996.


∗ IBM invention achievement awards: April 1993 and April 1995.

∗ IBM author recognition awards: January 1993, June 1993, and December 1993.

∗ Spencer Eaken Allmond Scholarship, 1986.

∗ Carnation Prize, Caltech, 1985.

∗ Member, Tau Beta Pi honor society

4 Grants

∗ David and Lucille Packard Foundation fellowship in science and Engineering. Period: 1996–2001. Amount: $575,000.

∗ NSF CAREER award. Period: 1996–2000. Amount: $200,000.

∗ NSF grant CCR-0098123, Design and Analysis of Cryptographic Protocols for Secure Communication. Period: 2001–2004. Amount: $236,830.

∗ IBM Faculty Partnership Award. Period: 2001. Amount: $40,000.

∗ NSF grant ANR-0129617, Cryptographic Mechanisms for Internet Security. 2002–2005. Amount: $218,585.

5 Professional Activities

∗ Program chair, Crypto 2000 conference

∗ Program committee member for the following conferences: Crypto 93; Eurocrypt 95; Crypto 96; 29th Annual ACM Symposium on the theory of computing (STOC), 1997; 39th IEEE Symposium on Foundations of Computer Science (FOCS), 1998; Eurocrypt 99; Principles of Distributed Computing (PODC), 1999; Symposium on Discrete Algorithms (SODA), 2000; IEEE conference on Security and Privacy, 2001; Sigcomm 2001; ACM Conference on Computer and Communications Security, 2002; Crypto 2003; ACM Conference on Computer and Communications Security, 2003.

∗ Member of the Advisory Editorial Board for the book CRC Handbook of Applied Cryptography by A. Menezes, P. Van Oorschot, and S. Vanstone, CRC Press, 1996.

∗ Refereed papers for numerous journals including: Journal of the ACM; SIAM Journal on Computing; Journal of Cryptology; IEEE/ACM Transactions on Networking; IEEE Transactions on Systems, Man and Cybernetics; Information and Computation; IEEE Transactions on Information Theory; IEEE Journal on Special Areas in Communications; Wireless Network Journal; Computational Complexity; Information Processing Letters; Mathematical and Computer Modelling; Information Systems; Theoretical Computer Science A; IBM J. of Research and Development.

∗ Reviewed grant proposals for various funding agencies including: NSF; Israel Science Foundation; Research Grants Council of Hong Kong.

6 Industrial relations

∗ Chief Cryptographer, Securivacy Corporation.


∗ Scientific advisory board member, Corestreet corporation.

∗ Scientific Advisor, CyberDog Communications.

7 Work Experience

∗ Professor, Dept. of Computer Science and Engineering, University of California at San Diego, July 01–Present.

∗ Associate Professor, Dept. of Computer Science and Engineering, University of California at San Diego, June 97–June 01.

∗ Assistant Professor, Dept. of Computer Science and Engineering, University of California at San Diego, September 1995–May 97.

∗ Research Staff Member, IBM T.J. Watson Research Center, New York, September 1991–September 1995. Full time. Groups: Network security (Manager Dr. A. Herzberg) and Network System Design (Manager Dr. R. Guerin). Responsible for design of secure systems.

∗ Research Assistant, Laboratory for Computer Science, MIT, various times from February 1987 to September 1991. Worked with Professors S. Micali and S. Goldwasser on topics in cryptography and complexity theory.

∗ Teaching Assistant in the Department of Computer Science, MIT, various times from February 1987 to September 1991. Courses: Computability, Logic and Programming (Instructor: Prof. A. Meyer); Automata, computability and complexity (Instructors: Prof. S. Goldwasser and Prof. S. Micali); Introduction to Algorithms (Instructor: Prof. S. Goldwasser). Duties: teaching sections, drafting assignments and exams.

∗ Undergraduate research fellow at the California Institute of Technology, June – August 1984. Designed and implemented a spread sheet application in the ASK natural language system. Supervisor: Prof. F. B. Thompson.

8 Impact

∗ HMAC, the message authentication scheme of publication [25], is part of the following standards or proposed standards:

IETF IPSEC Internet Draft Standard RFC

ANSI X.9 keyed hash standard

FIPS (Federal Information Processing Standard), by NIST

It is implemented in various products and systems including BSAFE (RSA Data Security Corporation); SSL (3.0 and 3.1); S-HTTP; NetBSD; CDSA (Hewlett-Packard corporation’s cryptographic API).

HMAC is presented in some recent books, such as “Cryptography and Network Security, Principles and Practice” by William Stallings, the “Handbook of Applied Cryptography” by Menezes, Van Oorschot and Vanstone, and “SSL and TLS” by Eric Rescorla.

∗ The RSA-OAEP (Optimal Asymmetric Encryption Padding) encryption procedure of publication [16] is part of the following standards or proposed standards:


RSA PKCS #1 v2.0 (A standard by RSA corporation)

IEEE P1363

It is implemented in various products and systems including SET; CDSA (Hewlett-Packard corporation’s cryptographic API). OAEP is discussed in the “Handbook of Applied Cryptography” by Menezes, Van Oorschot and Vanstone. OAEP is mentioned in a New York Times on the web article by Peter Wayner, August 25th, 1998.

∗ The DHIES (Diffie-Hellman integrated encryption scheme) of publication [57] is part of the following standards or proposed standards:

ANSI X9.63EC

SEC

IEEE P1363a

∗ Mastercard and Visa’s SET standard for credit card based electronic commerce is based on the iKP family of electronic payment protocols, developed in publications [22, 48].

∗ The PSS (Probabilistic Signature Scheme) of publication [24] is included in the IEEE P1363a draft standard.

9 Teaching

∗ Computability and complexity (CSE 200) – Graduate core course in the CSE Dept., UCSD, 1996, 1997, 1999, 2000, 2001, 2002, 2003.

∗ Cryptography and network security (CSE 207) – Graduate introduction to modern cryptography, CSE Dept., UCSD, 1996, 1997, 1999, 2001, 2002.

∗ Cryptography and Information Security – A one week summer course, taught jointly with Shafi Goldwasser at MIT annually 1996–2002.

∗ Introduction to the theory of computation (CSE 105) – Undergraduate course in the CSE Dept. at UCSD, 1996, 2002.

∗ Mathematics for algorithms and systems analysis (CSE 21) – Undergraduate course in the CSE Dept. at UCSD, 1998, 1999.

∗ Introduction to modern cryptography (CSE 107) – Undergraduate course in the CSE Dept. at UCSD, 2001, 2002, 2003.

∗ Advanced topics in cryptography (CSE 291) – Graduate seminar on the design of secure protocols, CSE Dept., UCSD, 1998, 2002.

∗ Advanced topics in cryptography (CSE 291) – Graduate seminar on electronic payment mechanisms, CSE Dept., UCSD, 2000.

10 Publications

10.1 Editor


[1] M. Bellare. Advances in Cryptology – Crypto 2000, 20th Annual International Cryptology Conference, August 2000, Proceedings. Lecture Notes in Computer Science Vol. 1880, Springer-Verlag, 2000.

10.2 Survey Articles

[2] M. Bellare. Proof Checking and Approximation: Towards Tight Results. Sigact News, Vol 27, No 1, March 1996.

[3] M. Bellare, R. Canetti and H. Krawczyk. Message authentication using hash functions: The HMAC construction. RSA Laboratories’ CryptoBytes, Vol. 2, No. 1, Spring 1996.

[4] M. Bellare. Practice-oriented provable-security. Proceedings of First International Workshop on Information Security (ISW 97), Lecture Notes in Computer Science Vol. 1396, E. Okamoto, G. Davida and M. Mambo eds., Springer Verlag, 1998. Also in Modern Cryptology in Theory and Practice, Lectures on Data Security series, Lecture Notes in Computer Science Tutorial, Ivan Damgard, ed., Springer, 1999.

10.3 Publications on Cryptography

[5] M. Bellare and S. Micali. How to sign given any trapdoor function. Proceedings of the 20th Annual Symposium on the Theory of Computing, ACM, 1988 and Advances in Cryptology – CRYPTO ’88, Lecture Notes in Computer Science Vol. 403, S. Goldwasser ed., Springer-Verlag, 1988. [Preliminary version of [11].]

[6] M. Bellare and S. Micali. Non-interactive oblivious transfer and its applications. Advances in Cryptology – CRYPTO ’89, Lecture Notes in Computer Science Vol. 435, G. Brassard ed., Springer-Verlag, 1989.

[7] M. Bellare and S. Goldwasser. New paradigms for digital signatures and message authentication based on non-interactive zero-knowledge proofs. Advances in Cryptology – CRYPTO ’89, Lecture Notes in Computer Science Vol. 435, G. Brassard ed., Springer-Verlag, 1989.

[8] M. Bellare, L. Cowen and S. Goldwasser. On the structure of secret key exchange protocols. Distributed Computing and Cryptography, Dimacs Series in Discrete Mathematics and Theoretical Computer Science Volume 2, AMS/ACM, 1991.

[9] M. Bellare, S. Micali and R. Ostrovsky. Perfect zero-knowledge in constant rounds. Proceedings of the 22nd Annual Symposium on the Theory of Computing, ACM, 1990.

[10] M. Bellare, S. Micali and R. Ostrovsky. The (true) complexity of statistical zero-knowledge. Proceedings of the 22nd Annual Symposium on the Theory of Computing, ACM, 1990.

[11] M. Bellare and S. Micali. How to sign given any trapdoor permutation. Journal of the Association for Computing Machinery, Vol. 39, No. 1, January 1992, pp. 214–233. [Journal version of [5].]


[12] M. Bellare and O. Goldreich. On defining proofs of knowledge. Advances in Cryptology – CRYPTO ’92, Lecture Notes in Computer Science Vol. 740, E. Brickell ed., Springer-Verlag, 1992.

[13] M. Bellare and M. Yung. Certifying permutations: Non-interactive zero-knowledge based on any trapdoor permutation. Advances in Cryptology – CRYPTO ’92, Lecture Notes in Computer Science Vol. 740, E. Brickell ed., Springer-Verlag, 1992. [Preliminary version of [23].]

[14] M. Bellare and P. Rogaway. Entity authentication and key distribution. Advances in Cryptology – CRYPTO ’93, Lecture Notes in Computer Science Vol. 773, D. Stinson ed., Springer-Verlag, 1993.

[15] M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. Proceedings of the 1st Annual Conference on Computer and Communications Security, ACM, 1993.

[16] M. Bellare and P. Rogaway. Optimal asymmetric encryption. Advances in Cryptology – EUROCRYPT ’94, Lecture Notes in Computer Science Vol. 950, A. De Santis ed., Springer-Verlag, 1994.

[17] M. Bellare, J. Kilian and P. Rogaway. The security of cipher block chaining. Advances in Cryptology – CRYPTO ’94, Lecture Notes in Computer Science Vol. 839, Y. Desmedt ed., Springer-Verlag, 1994. [Preliminary version of [55].]

[18] M. Bellare, O. Goldreich and S. Goldwasser. Incremental cryptography: The case of hashing and signing. Advances in Cryptology – CRYPTO ’94, Lecture Notes in Computer Science Vol. 839, Y. Desmedt ed., Springer-Verlag, 1994.

[19] M. Bellare, O. Goldreich and S. Goldwasser. Incremental cryptography with application to virus protection. Proceedings of the 27th Annual Symposium on the Theory of Computing, ACM, 1995.

[20] M. Bellare and P. Rogaway. Provably secure session key distribution – the three party case. Proceedings of the 27th Annual Symposium on the Theory of Computing, ACM, 1995.

[21] M. Bellare, R. Guerin and P. Rogaway. XOR MACs: New methods for message authentication using finite pseudorandom functions. Advances in Cryptology – CRYPTO ’95, Lecture Notes in Computer Science Vol. 963, D. Coppersmith ed., Springer-Verlag, 1995.

[22] M. Bellare, J. Garay, R. Hauser, A. Herzberg, H. Krawczyk, M. Steiner, G. Tsudik and M. Waidner. iKP – A Family of Secure Electronic Payment Protocols. Proceedings of the First USENIX Workshop on Electronic Commerce, USENIX, 1995.

[23] M. Bellare and M. Yung. Certifying permutations: Non-interactive zero-knowledge based on any trapdoor permutation. Journal of Cryptology, Vol. 9, No. 1, pp. 149–166, Winter 1996. [Journal version of [13].]

[24] M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. Advances in Cryptology – EUROCRYPT ’96, Lecture Notes in Computer Science Vol. 1070, U. Maurer ed., Springer-Verlag, 1996.


[25] M. Bellare, R. Canetti and H. Krawczyk. Keying hash functions for message authentication. Advances in Cryptology – CRYPTO ’96, Lecture Notes in Computer Science Vol. 1109, N. Koblitz ed., Springer-Verlag, 1996.

[26] M. Bellare, R. Canetti and H. Krawczyk. Pseudorandom functions revisited: The cascade construction and its concrete security. Proceedings of the 37th Symposium on Foundations of Computer Science, IEEE, 1996.

[27] M. Bellare and S. Goldwasser. Verifiable partial key escrow. Proceedings of the 4th Annual Conference on Computer and Communications Security, ACM, 1997.

[28] M. Bellare and D. Micciancio. A new paradigm for collision-free hashing: Incrementality at reduced cost. Advances in Cryptology – EUROCRYPT ’97, Lecture Notes in Computer Science Vol. 1233, W. Fumy ed., Springer-Verlag, 1997.

[29] M. Bellare, M. Jakobsson and M. Yung. Round-optimal zero-knowledge arguments based on any one-way function. Advances in Cryptology – EUROCRYPT ’97, Lecture Notes in Computer Science Vol. 1233, W. Fumy ed., Springer-Verlag, 1997.

[30] M. Bellare, S. Goldwasser and D. Micciancio. “Pseudo-random” number generation within cryptographic algorithms: The DSS case. Advances in Cryptology – CRYPTO ’97, Lecture Notes in Computer Science Vol. 1294, B. Kaliski ed., Springer-Verlag, 1997.

[31] M. Bellare and P. Rogaway. Collision-resistant hashing: towards making UOWHFs practical. Advances in Cryptology – CRYPTO ’97, Lecture Notes in Computer Science Vol. 1294, B. Kaliski ed., Springer-Verlag, 1997.

[32] M. Bellare, R. Impagliazzo and M. Naor. Does parallel repetition lower the error in computationally sound protocols? Proceedings of the 38th Symposium on Foundations of Computer Science, IEEE, 1997.

[33] M. Bellare, A. Desai, E. Jokipii and P. Rogaway. A concrete security treatment of symmetric encryption. Proceedings of the 38th Symposium on Foundations of Computer Science, IEEE, 1997.

[34] M. Bellare and P. Rogaway. Minimizing the use of random oracles in authenticated encryption schemes. First International Conference on Information and Communication Security (ICICS’97), Lecture Notes in Computer Science Vol. 1334, T. Okamoto and S. Qing eds., Springer-Verlag, 1997.

[35] M. Bellare, T. Krovetz and P. Rogaway. Luby Rackoff backwards: Increasing security by making block ciphers non-invertible. Advances in Cryptology – EUROCRYPT ’98, Lecture Notes in Computer Science Vol. 1403, K. Nyberg ed., Springer-Verlag, 1998.

[36] M. Bellare, J. Garay and T. Rabin. Fast batch verification for modular exponentiation and digital signatures. Advances in Cryptology – EUROCRYPT ’98, Lecture Notes in Computer Science Vol. 1403, K. Nyberg ed., Springer-Verlag, 1998.

[37] M. Bellare, R. Canetti and H. Krawczyk. A modular approach to the design and analysis of authentication and key exchange protocols. Proceedings of the 30th Annual Symposium on the Theory of Computing, ACM, 1998.


[38] M. Bellare, S. Halevi, A. Sahai and S. Vadhan. Many-to-one trapdoor functions and their relation to public-key cryptosystems. Advances in Cryptology – CRYPTO ’98, Lecture Notes in Computer Science Vol. 1462, H. Krawczyk ed., Springer-Verlag, 1998.

[39] M. Bellare, A. Desai, D. Pointcheval and P. Rogaway. Relations among notions of security for public-key encryption schemes. Advances in Cryptology – CRYPTO ’98, Lecture Notes in Computer Science Vol. 1462, H. Krawczyk ed., Springer-Verlag, 1998.

[40] W. Aiello, M. Bellare, G. Di Crescenzo and R. Venkatesan. Security amplification by composition: The case of doubly-iterated, ideal ciphers. Advances in Cryptology – CRYPTO ’98, Lecture Notes in Computer Science Vol. 1462, H. Krawczyk ed., Springer-Verlag, 1998.

[41] M. Bellare, J. Garay, C. Jutla and M. Yung. VarietyCash: a Multi-purpose electronic payment system. Proceedings of the 3rd Usenix Workshop on Electronic Commerce, Usenix, 1998.

[42] M. Bellare and P. Rogaway. On the construction of variable-input-length ciphers. Proceedings of the 6th Workshop on Fast Software Encryption, 1999.

[43] M. Bellare and R. Rivest. Translucent cryptography – An alternative to key escrow, and its implementation via fractional oblivious transfer. Journal of Cryptology, Vol. 12, No. 2, 1999, pp. 117–140.

[44] J. An and M. Bellare. Constructing VIL-MACs from FIL-MACs: Message authentication under weakened assumptions. Advances in Cryptology – CRYPTO ’99, Lecture Notes in Computer Science Vol. 1666, M. Wiener ed., Springer-Verlag, 1999.

[45] M. Bellare, O. Goldreich and H. Krawczyk. Stateless evaluation of pseudo-random functions: Security beyond the birthday barrier. Advances in Cryptology – CRYPTO ’99, Lecture Notes in Computer Science Vol. 1666, M. Wiener ed., Springer-Verlag, 1999.

[46] M. Bellare and S. Miner. A forward-secure digital signature scheme. Advances in Cryptology – CRYPTO ’99, Lecture Notes in Computer Science Vol. 1666, M. Wiener ed., Springer-Verlag, 1999.

[47] M. Bellare and A. Sahai. Non-Malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization. Advances in Cryptology – CRYPTO ’99, Lecture Notes in Computer Science Vol. 1666, M. Wiener ed., Springer-Verlag, 1999.

[48] M. Bellare, J. Garay, R. Hauser, A. Herzberg, H. Krawczyk, M. Steiner, G. Tsudik, E. Van Herreweghen and M. Waidner. Design, implementation and deployment of the iKP secure electronic payment system. IEEE Journal on Selected Areas in Communications, Vol. 18, No. 4, 2000, pp. 611–627.

[49] M. Bellare, A. Boldyreva and S. Micali. Public-key Encryption in a Multi-User Setting: Security Proofs and Improvements. Advances in Cryptology – EUROCRYPT ’00, Lecture Notes in Computer Science Vol. 1807, B. Preneel ed., Springer-Verlag, 2000.


[50] M. Bellare, D. Pointcheval and P. Rogaway. Authenticated Key Exchange Secure Against Dictionary Attacks. Advances in Cryptology – EUROCRYPT ’00, Lecture Notes in Computer Science Vol. 1807, B. Preneel ed., Springer-Verlag, 2000.

[51] M. Abdalla and M. Bellare. Increasing the lifetime of a key: A comparative analysis of the security of rekeying techniques. Advances in Cryptology – ASIACRYPT ’00, Lecture Notes in Computer Science Vol. 1976, T. Okamoto ed., Springer-Verlag, 2000.

[52] M. Bellare and A. Boldyreva. The Security of Chaffing and Winnowing. Advances in Cryptology – ASIACRYPT ’00, Lecture Notes in Computer Science Vol. 1976, T. Okamoto ed., Springer-Verlag, 2000.

[53] M. Bellare and P. Rogaway. Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient cryptography. Advances in Cryptology – ASIACRYPT ’00, Lecture Notes in Computer Science Vol. 1976, T. Okamoto ed., Springer-Verlag, 2000.

[54] M. Bellare and C. Namprempre. Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm. Advances in Cryptology – ASIACRYPT ’00, Lecture Notes in Computer Science Vol. 1976, T. Okamoto ed., Springer-Verlag, 2000.

[55] M. Bellare, J. Kilian and P. Rogaway. The security of the cipher block chaining message authentication code. Journal of Computer and System Sciences, Vol. 61, No. 3, Dec 2000, pp. 362–399. [Journal version of [17].]

[56] M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The Power of RSA Inversion Oracles and the Security of Chaum’s RSA-Based Blind Signature Scheme. Financial Cryptography ’01, Lecture Notes in Computer Science Vol. 2339, P. Syverson ed., Springer-Verlag, 2001.

[57] M. Abdalla, M. Bellare and P. Rogaway. The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES. Topics in Cryptology – CT-RSA ’01, Lecture Notes in Computer Science Vol. 2020, D. Naccache ed., Springer-Verlag, 2001.

[58] J. An and M. Bellare. Does encryption with redundancy provide authenticity? Advances in Cryptology – EUROCRYPT ’01, Lecture Notes in Computer Science Vol. 2045, B. Pfitzmann ed., Springer-Verlag, 2001.

[59] M. Bellare, M. Fischlin, S. Goldwasser, and S. Micali. Identification Protocols Secure Against Reset Attacks. Advances in Cryptology – EUROCRYPT ’01, Lecture Notes in Computer Science Vol. 2045, B. Pfitzmann ed., Springer-Verlag, 2001.

[60] M. Bellare, A. Boldyreva, L. Knudsen and C. Namprempre. On-line ciphers and the Hash-CBC construction. Advances in Cryptology – CRYPTO ’01, Lecture Notes in Computer Science Vol. 2139, J. Kilian ed., Springer-Verlag, 2001.

[61] P. Rogaway, M. Bellare, J. Black and T. Krovetz. OCB: A block cipher mode of operation for efficient authenticated encryption. Proceedings of the 8th Annual Conference on Computer and Communications Security, ACM, 2001.

[62] M. Bellare, A. Boldyreva, A. Desai and D. Pointcheval. Key-privacy in public-key encryption. Advances in Cryptology – ASIACRYPT ’01, Lecture Notes in Computer Science Vol. 2248, C. Boyd ed., Springer-Verlag, 2001.


[63] M. Abdalla, J. An, M. Bellare and C. Namprempre. From identification to signatures via the Fiat-Shamir transform: Minimizing assumptions for security and forward-security. Advances in Cryptology – EUROCRYPT ’02, Lecture Notes in Computer Science Vol. 2332, L. Knudsen ed., Springer-Verlag, 2002.

[64] M. Bellare and A. Palacio. GQ and Schnorr identification schemes: Proofs of security against impersonation under active and concurrent attack. Advances in Cryptology – CRYPTO ’02, Lecture Notes in Computer Science Vol. 2442, M. Yung ed., Springer-Verlag, 2002.

[65] M. Bellare. A note on negligible functions. Journal of Cryptology Vol. 15, No. 4, 2002, pp. 271–284.

[66] M. Bellare, T. Kohno and C. Namprempre. Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol. Proceedings of the 9th Annual Conference on Computer and Communications Security, ACM, 2002.

[67] M. Bellare and G. Neven. Transitive Signatures based on Factoring and RSA. Advances in Cryptology – ASIACRYPT ’02, Lecture Notes in Computer Science Vol. 2501, Y. Zheng ed., Springer-Verlag, 2002. [Preliminary version of [82].]

[68] M. Bellare, A. Boldyreva and J. Staddon. Randomness-reuse in multi-recipient encryption schemes. Public-Key Cryptography ’03, Lecture Notes in Computer Science Vol. 2567, Y. Desmedt ed., Springer-Verlag, 2003.

[69] M. Bellare and B. Yee. Forward-security in private-key cryptography. Topics in Cryptology – CT-RSA ’03, Lecture Notes in Computer Science Vol. 2612, M. Joye ed., Springer-Verlag, 2003.

[70] M. Bellare and T. Kohno. A theoretical treatment of related-key attacks. Advances in Cryptology – EUROCRYPT ’03, Lecture Notes in Computer Science Vol. 2656, E. Biham ed., Springer-Verlag, 2003.

[71] M. Bellare, D. Micciancio and B. Warinschi. Foundations of group signatures: Formal definitions, simplified requirements and a construction based on general assumptions. Advances in Cryptology – EUROCRYPT ’03, Lecture Notes in Computer Science Vol. 2656, E. Biham ed., Springer-Verlag, 2003.

[72] M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-More-RSA-Inversion Problems and the Security of Chaum’s Blind Signature Scheme. Journal of Cryptology Vol. 16, No. 3, 2003, pp. 185–215. [Journal version of [56].]

[73] P. Rogaway, M. Bellare and J. Black. OCB: A block cipher mode of operation for efficient authenticated encryption. ACM Transactions on Information and System Security (TISSEC), Vol. 6, Iss. 3, August 2003, pp. 365–403. [Journal version of [61].]

[74] M. Bellare, P. Rogaway and D. Wagner. The EAX Mode of Operation. Fast Software Encryption ’04, Lecture Notes in Computer Science Vol. , ed., Springer-Verlag, 2004.

[75] M. Bellare, A. Boldyreva and A. Palacio. An uninstantiable random-oracle-model scheme for a hybrid-encryption problem. Advances in Cryptology – EUROCRYPT ’04, Lecture Notes in Computer Science Vol. 3027, C. Cachin and J. Camenisch ed., Springer-Verlag, 2004.


[76] M. Bellare and T. Kohno. Hash function balance and its impact on birthday attacks. Advances in Cryptology – EUROCRYPT ’04, Lecture Notes in Computer Science Vol. 3027, C. Cachin and J. Camenisch ed., Springer-Verlag, 2004.

[77] M. Bellare, C. Namprempre and G. Neven. Security proofs for identity-based identification and signature schemes. Advances in Cryptology – EUROCRYPT ’04, Lecture Notes in Computer Science Vol. 3027, C. Cachin and J. Camenisch ed., Springer-Verlag, 2004.

[78] M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), Vol. 7, Iss. 2, May 2004, pp. 206–241. [Journal version of [66].]

[79] M. Bellare and A. Palacio. The knowledge-of-exponent assumptions and 3-round zero-knowledge protocols. Advances in Cryptology – CRYPTO ’04, Lecture Notes in Computer Science Vol. 3152, M. Franklin ed., Springer-Verlag, 2004.

[80] M. Bellare and A. Palacio. Towards Plaintext-Aware Public-Key Encryption without Random Oracles. Advances in Cryptology – ASIACRYPT ’04, Lecture Notes in Computer Science Vol. 3329, P. J. Lee ed., Springer-Verlag, 2004.

[81] M. Bellare, H. Shi and C. Zhang. Foundations of Group Signatures: The Case of Dynamic Groups. Topics in Cryptology – CT-RSA ’05, Lecture Notes in Computer Science Vol. , ed., Springer-Verlag, 2005.

[82] M. Bellare and G. Neven. Transitive Signatures: New Schemes and Proofs. IEEE Transactions on Information Theory, Vol. 51, No. 6, June 2005, pp. 2133–2151. [Journal version of [67].]

[83] M. Abdalla, M. Bellare, D. Catalano, E. Kiltz, T. Kohno, T. Lange, J. Malone-Lee, G. Neven, P. Paillier, and H. Shi. Searchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE, and Extensions. Advances in Cryptology – CRYPTO ’05, Lecture Notes in Computer Science Vol. 3621, V. Shoup ed., Springer-Verlag, 2005.

[84] M. Bellare, K. Pietrzak and P. Rogaway. Improved Security Analyses for CBC MACs. Advances in Cryptology – CRYPTO ’05, Lecture Notes in Computer Science Vol. 3621, V. Shoup ed., Springer-Verlag, 2005.

[85] M. Bellare and A. Palacio. Protecting against key-exposure: Strongly key-insulated encryption with optimal threshold. Applicable Algebra in Engineering, Communication and Computing, Vol. 16, No. 6, February 2006, pp. 379–396.

10.4 Publications on Computational Complexity Theory

[86] M. Bellare, O. Goldreich and S. Goldwasser. Randomness in interactive proofs. Proceedings of the 31st Symposium on Foundations of Computer Science, IEEE, 1990. [Preliminary version of [91].]

[87] R. Beigel, M. Bellare, J. Feigenbaum and S. Goldwasser. Languages that are easier than their proofs. Proceedings of the 32nd Symposium on Foundations of Computer Science, IEEE, 1991.


[88] M. Bellare and E. Petrank. Making zero-knowledge provers efficient. Proceedings of the 24th Annual Symposium on the Theory of Computing, ACM, 1992.

[89] M. Bellare. A technique for upper bounding the spectral norm with applications to learning. Proceedings of the Fifth Annual Workshop on Computational Learning Theory, ACM, 1992.

[90] M. Bellare and P. Rogaway. The complexity of approximating a nonlinear program. Journal of Mathematical Programming B, Vol. 69, No. 3, pp. 429–441, September 1995. Also in Complexity of Numerical Optimization, Ed. P. M. Pardalos, World Scientific, 1993.

[91] M. Bellare, O. Goldreich and S. Goldwasser. Randomness in interactive proofs. Computational Complexity, Vol. 3, No. 4, 1993, pp. 319–354. [Journal version of [86].]

[92] M. Bellare, S. Goldwasser, C. Lund and A. Russell. Efficient probabilistically checkable proofs and applications to approximation. Proceedings of the 25th Annual Symposium on the Theory of Computing, ACM, 1993.

[93] M. Bellare. Interactive proofs and approximation: reductions from two provers in one round. Proceedings of the Second Israel Symposium on Theory and Computing Systems, IEEE, 1993.

[94] M. Bellare and M. Sudan. Improved non-approximability results. Proceedings of the 26th Annual Symposium on the Theory of Computing, ACM, 1994.

[95] M. Bellare and S. Goldwasser. The complexity of decision versus search. SIAM J. on Computing, Vol. 23, No. 1, February 1994.

[96] M. Bellare and J. Rompel. Randomness-efficient oblivious sampling. Proceedings of the 35th Symposium on Foundations of Computer Science, IEEE, 1994.

[97] M. Bellare, U. Feige and J. Kilian. On the role of shared randomness in two prover proof systems. Proceedings of the Third Israel Symposium on Theory and Computing Systems, IEEE, 1995.

[98] W. Aiello, M. Bellare, and R. Venkatesan. Knowledge on the average – perfect, statistical and logarithmic. Proceedings of the 27th Annual Symposium on the Theory of Computing, ACM, 1995.

[99] M. Bellare, O. Goldreich and M. Sudan. Free bits, PCPs and non-approximability – Towards tight results. Proceedings of the 36th Symposium on Foundations of Computer Science, IEEE, 1995. [Preliminary version of [103].]

[100] M. Bellare, D. Coppersmith, J. Hastad, M. Kiwi and M. Sudan. Linearity testing in characteristic two. Proceedings of the 36th Symposium on Foundations of Computer Science, IEEE, 1995. [Preliminary version of [101].]

[101] M. Bellare, D. Coppersmith, J. Hastad, M. Kiwi and M. Sudan. Linearity testing in characteristic two. IEEE Transactions on Information Theory Vol. 42, No. 6, pp. 1781–1795, November 1996. [Journal version of [100].]

[102] M. Bellare, J. Garay and T. Rabin. Distributed pseudo-random bit generators: A new way to speed-up shared coin tossing. Proceedings of the 15th Symposium on the Principles of Distributed Computing, ACM, 1996.


[103] M. Bellare, O. Goldreich and M. Sudan. Free bits, PCPs and non-approximability – Towards tight results. SIAM J. on Computing, Vol. 27, No. 3, 1998, pp. 804–915. [Journal version of [99].]

[104] A. Bar-Noy, M. Bellare, M. Halldorsson, H. Shachnai and T. Tamir. On chromatic sums and distributed resource allocation. Information and Computation, Vol. 140, No. 2, February 1998, pp. 183–202.

[105] M. Bellare, O. Goldreich and E. Petrank. Uniform Generation of NP-witnesses using an NP-oracle. Information and Computation, Vol. 163, 2000, pp. 510–526.

10.5 Technical reports and manuscripts

[106] M. Bellare. The spectral norm of finite functions. MIT Laboratory for Computer Science Technical Report TR–465, 1991.

[107] M. Bellare, E. Basturk, C. S. Chow, and R. Guerin. Secure transport protocols for high-speed networks. IBM Research Report 19981, March 1994.

[108] M. Bellare and P. Rogaway. Distributing keys with perfect forward secrecy. Manuscript, January 1994.

[109] M. Bellare and S. Goldwasser. Encapsulated key escrow. MIT Laboratory for Computer Science Technical Report 688, April 1996.

[110] M. Bellare. A note on negligible functions. Technical Report CS97-529, Department of Computer Science and Engineering, University of California at San Diego, March 1997.

10.6 Standards documents

[111] H. Krawczyk, M. Bellare and R. Canetti. HMAC: Keyed-Hashing for Message Authentication. Internet RFC 2104, February 1997.

[112] M. Abdalla, M. Bellare and P. Rogaway. DHAES: An Encryption Scheme Based on the Diffie-Hellman Problem. Contribution to IEEE P1363, March 1999.

10.7 Patents

[113] M. Bellare, R. Guerin and P. Rogaway. Method and apparatus for data authentication in a data communication environment. US Patent 5,673,318, September 1997, and US Patent 5,757,913, May 1998.

[114] M. Bellare and P. Rogaway. Method and apparatus for three party entity authentication and key distribution using message authentication codes. US Patent 5,491,750, February 1996.

[115] M. Bellare and P. Rogaway. Block cipher mode of operation for secure length preserving encryption. US Patent 5,673,319, September 1997.

[116] S. Goldwasser and M. Bellare. Time delayed key escrow. US Patent 5,768,388, June 1998.


[117] M. Bellare, J. Garay, C. Jutla and M. Yung. Method for electronic payment system with issuer control. US Patent 5,999,625, December 7, 1999.

[118] M. Bellare and P. Rogaway. Probabilistic signature scheme. US Patent 6,266,771 B1, July 24, 2001.

10.8 Publication summary

Publication venue                                                      Number of Publications

1st tier cryptography conferences: Crypto & Eurocrypt                   40
Other cryptography conferences: Asiacrypt, FSE, FC, CT-RSA, PKC, etc.   17
1st tier security conferences: CCS                                       4
1st tier theory conferences: FOCS, STOC                                 18
Other theory conferences                                                 4
Journal                                                                 19
Survey article                                                           3
Editor                                                                   1
Standards document                                                       2
Patent                                                                   6

11 Students

11.1 Ph.D students

∗ Anand Desai, Ph.D 2000.

∗ Jeehea Lee (nee An), Ph.D 2001.

∗ Michel Abdalla, Ph.D 2001.

∗ Chanathip Namprempre, Ph.D 2002.

∗ Alexandra Boldyreva, Ph.D 2004.

∗ Adriana Palacio, Ph.D expected 2006.

∗ Tadayoshi Kohno, Ph.D expected 2006.

∗ Anton Mityagin, Ph.D expected 2006.

11.2 MS students

∗ Eron Jokipii, MS 1997.

∗ Sara Miner, MS 2000.

∗ Michael Semanko, MS 2001.

∗ Haixia Shi, MS 2005.

∗ Chong Zhang, MS 2005.


12 Presentations

12.1 Invited talks at conferences

1. Improved non-approximability results. Mathematical Programming Symposium, Ann Arbor, August 1994.

2. Free bits in PCP – Towards tight non-approximability results. Columbia Theory Day, Columbia University, September 1995.

3. Practice oriented provable security. Maryland Theory Day, Johns Hopkins University, Baltimore, November 1996.

4. Practice oriented provable security. Invited talk at the Information security workshop, Tokyo, Japan, September 1997.

5. Practice oriented provable security: How to protect yourself against unanticipated attacks. Invited talk at 3rd workshop on Elliptic Curve Cryptography (ECC ’99), Waterloo, Canada, November 1999.

6. The Provable-Security Approach to Authenticated Session-key Exchange. Invited talk at the 7th Annual Workshop on Selected Areas in Cryptography (SAC 2000), Waterloo, Canada, August 2000.

7. Provably-Secure Public-Key Cryptosystems. Invited talk at the 4th International Workshop on Practice and Theory in Public Key Cryptography (PKC 2001), Cheju, Korea, February 2001.

12.2 Invited lectures

8. Modern cryptography. Rowland Institute for Science, Cambridge, Massachusetts, March 1991.

9. A concrete security treatment of symmetric encryption: analysis of the DES modes of operation. RSA Laboratories seminar series, Oakland, August 1997.

10. Practice oriented provable security. Lectures at the summer school on cryptography, Aarhus University, Denmark, July 1998.

11. Electronic payment mechanisms. Lectures at the International School for Computer Science Researchers, Lipari, Italy, July 2000.

12.3 Presentations at government organizations

12. Provably secure cryptosystems: How to protect yourself against unanticipated attacks. Space and Naval Warfare Systems Command, San Diego, December 1998.

12.4 Presentations at workshops with invited participation

13. Randomness in interactive proofs. DIMACS Workshop on Cryptography, Princeton, October 1990.

14. Trading interaction for randomness: speedup at logarithmic cost. DIMACS Workshop on Structural Complexity and Cryptography, Rutgers University, December 1990.

15. Improved non-approximability results. Weizmann workshop on probabilistic proofs, Weizmann Institute, Israel, January 1994.


16. Free bits in PCP. Complexity theory workshop, Oberwolfach, Germany, November 1994.

17. Finite pseudo-random functions: A primitive for efficient, private key cryptography. Weizmann workshop on randomness in computation, Weizmann Institute, Israel, January 1995.

18. How to key Merkle: Cascaded Pseudo-randomness and its exact security. Randomness and Computation Workshop, Berkeley, December 1995.

19. Provably secure session key distribution – the three party case. Workshop on Cryptography, Luminy, France, September 1995.

20. The design and analysis of cryptographic protocols. Annual meeting of the Packard foundation fellows in science and engineering, Monterey, September 1997.

21. Does parallel repetition lower the error of computationally sound protocols? Workshop on cryptography, Dagstuhl, Germany, September 1997.

22. Relations among notions of security for public-key encryption schemes. Workshop on PCPs and Fundamentals of Cryptography, Toronto, May 1998.

12.5 Presentations at Universities

23. Interactive complexity. Cornell University, Ithaca, April 1991.

24. Interactive complexity. University of Manitoba, Canada, May 1991.

25. Interactive complexity. Ohio State University, Columbus, Ohio, June 1991.

26. Interactive proofs and approximation. University of Milwaukee, February 1993.

27. Entity authentication and key distribution. University of Chicago, August 1993.

28. Entity authentication and key distribution. Technion, Israel, January 1994.

29. Improved non-approximability results. Columbia University, February 1994.

30. Improved non-approximability results. Massachusetts Institute of Technology, March 1994.

31. Improved non-approximability results. Rutgers University, April 1994.

32. Practice oriented provable security. University of California at San Diego, April 1995.

33. Free bits and approximation. Massachusetts Institute of Technology, April 1995.

34. Practice oriented provable security. Stanford University, May 1995.

35. Improved non-approximability results. University of California at Davis, May 1995.

36. Verifiable cryptographic time capsules: A new approach to key escrow. University of Toronto, June 1996.

37. Message authentication. Stanford University, October 1996.

12.6 Presentations in Industry

38. Entity authentication and key distribution. Bellcore, August 1993.

39. XOR MACs: New methods for message authentication using finite pseudorandom functions. Bellcore, July 1995.

40. The exact security of digital signatures: How to sign with RSA and Rabin. IBM T. J. Watson Research Center, Hawthorne, NY, July 1996.


41. The exact security of digital signatures: How to sign with RSA and Rabin. Bellcore, July 1996.

12.7 Technical presentations at conferences

42. How to sign given any trapdoor function. Twentieth Annual ACM Symposium on the Theory of Computing, Chicago, May 1988.

43. How to sign given any trapdoor function. Crypto 88, Santa Barbara, August 1988.

44. Non-interactive oblivious transfer and its applications. Crypto 89, Santa Barbara, August 1989.

45. New paradigms for digital signatures and message authentication based on non-interactive zero-knowledge proofs. Crypto 89, Santa Barbara, August 1989.

46. The (true) complexity of statistical zero-knowledge. Twenty second Annual ACM Symposium on the Theory of Computing, Baltimore, May 1990.

47. Randomness in interactive proofs. Thirty first Annual IEEE Symposium on the Foundations of Computer Science, St. Louis, October 1990.

48. Languages that are easier than their proofs. Thirty second Annual IEEE Symposium on the Foundations of Computer Science, San Juan, October 1991.

49. Making zero-knowledge provers efficient. Twenty fourth Annual ACM Symposium on the Theory of Computing, Victoria, May 1992.

50. A technique for upper bounding the spectral norm with applications to learning. Fifth Annual ACM Workshop on Computational Learning Theory, Pittsburgh, July 1992.

51. On defining proofs of knowledge. Crypto 92, Santa Barbara, August 1992.

52. Interactive proofs and approximation: reductions from two provers in one round. Second Israel Symposium on Theory and Computing Systems, Netanya, Israel, June 1993.

53. Improved non-approximability results. Twenty sixth Annual ACM Symposium on the Theory of Computing, Montreal, May 1994.

54. Incremental cryptography: The case of hashing and signing. Crypto 94, Santa Barbara, August 1994.

55. Randomness-efficient oblivious sampling. Thirty fifth Annual IEEE Symposium on the Foundations of Computer Science, Santa Fe, November 1994.

56. On the role of shared randomness in two prover proof systems. Third Israel Symposium on Theory and Computing Systems, Tel Aviv, Israel, January 1995.

57. Provably secure session key distribution – the three party case. Twenty seventh Annual ACM Symposium on the Theory of Computing, Las Vegas, May–June 1995.

58. XOR MACs: New methods for message authentication using finite pseudorandom functions. Crypto 95, Santa Barbara, August 1995.

59. Free bits, PCPs and non-approximability – Towards tight results. Thirty sixth Annual IEEE Symposium on the Foundations of Computer Science, Milwaukee, October 1995.

60. The exact security of digital signatures: How to sign with RSA and Rabin. Eurocrypt 96, Zaragoza, Spain, May 1996.


61. Pseudorandom functions revisited: The cascade construction and its concrete security. Thirty seventh Annual IEEE Symposium on the Foundations of Computer Science, Burlington, October 1996.

62. Verifiable partial key escrow. Fourth ACM conference on computer and communications security, Zurich, April 1997.

63. Does parallel repetition lower the error in computationally sound protocols? Thirty eighth Annual IEEE Symposium on the Foundations of Computer Science, El Paso, October 1997.

64. Fast batch verification for modular exponentiation and digital signatures. Eurocrypt 98, Espoo, Finland, June 1998.

65. On the construction of variable-input-length ciphers. Workshop on Fast Software Encryption, Rome, Italy, March 1999.

66. Non-Malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization. Crypto 99, Santa Barbara, August 1999.

13 Personal Information

US Citizen.


This research summary divides my research into two broad areas: cryptography and complexity theory. They are discussed in turn. Citations refer to publications in my publication list in Section 10 of my CV. (This is different from my official UC-format bibliography, which is also enclosed.) All publications since 1991 are available via http://www-cse.ucsd.edu/users/mihir.

14 My research in cryptography

The revolution in computer and communications technologies is making it easier and faster to do things, but also brings with it some new risks. As data and transactions ranging from personal to business to strategic are increasingly on-line, compromises of security can become easier than in the days of paper data and phone transactions, while at the same time having farther reaching and more damaging consequences. The security problem is widely recognized: individuals are concerned with the privacy of their data, industry views security as the needed enabler of many applications, the government is concerned about information warfare, and the press tells us about security breaches on a weekly basis.

Cryptography is the science of secure protocol design. A cryptographer designs schemes, or protocols, for tasks such as data authentication, data encryption, identification, and key distribution. (This is only a small part of the list.) These protocols are implemented and incorporated into computer systems and are responsible for imbuing data and transactions with attributes like privacy and integrity.

Cryptography is, of course, only one component of security (one must also worry about correct implementation of code, closing of system-level holes in the operating system, education of users, security policy, insider attacks, and a host of other things), but it is a crucial one. The quality of the cryptographic protocols impacts security, while their performance and cost impact functionality. High quality, cost-effective cryptography is an important step towards making security a reality. Providing such cryptography is, however, a challenge. Cryptographic protocols are easy to specify but hard to analyze, and notorious for containing bugs that take a long time to be discovered.

My research has been directed towards the goal of providing high quality, cost-effective security. It is my belief that this goal will be reached by the correct application of modern cryptographic theory to practice. This view (which is not universal) underlies my choice of research directions, and I believe it is substantiated by the results obtained.

14.1 Background

Everyone knows that cryptography is an old art. (Julius Caesar used encryption.) But only recently was it realized that the practice of this art can be aided and understood by mathematical foundations.

Cryptographic protocols were designed by trial and error: a scheme was declared good if the designers saw no way to break it. Not surprisingly, this method was not always successful; proposed protocols are often broken, sometimes years after they were first put forward. A superior approach was propounded in a series of works beginning with that of Goldwasser and Micali (1982). “Provable security” is achieved for a given problem of interest when one provides (i) a definition of the goal; (ii) a protocol; and (iii) a proof that the protocol meets its goal, assuming some standard complexity-theoretic assumption, such as the intractability of factoring, holds true.

The foundation of theoretical cryptography consists of proper formalizations of various goals and results about whether these goals can be attained at all under reasonable cryptographic assumptions. I think that today we can consider these foundations to be largely laid. This was an important and deep collective accomplishment of the community, in which I played some part with my work on digital signatures [11], proofs of knowledge [12], and zero-knowledge [9, 10].

I believe that provable security is the basis for good protocols. My work after my Ph.D has been directed at bringing the advantages of this notion to practice.

14.2 Practice-oriented provable security

Following our Ph.D work on provable security at MIT, my colleague Phillip Rogaway and I joined (different divisions of) IBM. We found that in industry, cryptographic protocol design is done mostly in ad hoc ways, and important security systems, and even standards, are not of as high a quality as they could be, so that bugs do emerge, leading to costly and inconvenient patches. It was natural to try to apply provable security, but we found a big gap between theory and practice. We started developing practice-oriented provable security, which involved new models and analysis paradigms enabling the design and analysis of efficient but proven-secure protocols. We have since moved to academia and continued the efforts here.

We have sought to take the principles of modern cryptography and apply them in novel ways, to both old and new problems, blending them with traditional practical cryptography to come up with protocols that have theoretical guarantees, yet can be used in practice. This has led us to introduce new models and address new problems, brought us to important realizations, led us to re-address basic issues, and pinpoint new ones.

14.2.1 Real-world impact and recognition of the approach

This approach has been able to impact the usage of cryptography in industry. We have seen a growing appreciation on the part of industry for cryptographic protocols that are accompanied by proofs of security, to the point where this is now often a requirement. Many of our protocols have been standardized, implemented and incorporated into products. Here are a few examples of this type of work.

The HMAC message authentication algorithm due to Bellare, Canetti and Krawczyk, described in [25], is an IETF IPSEC Internet Standard and ANSI X.9 keyed hash standard, currently being used in numerous products including BSAFE (RSA Data Security Corp.), SSL (3.0 and 3.1), S-HTTP, NetBSD, and CDSA (Hewlett-Packard). The OAEP padding method for encryption and associated RSA encryption procedure due to Bellare and Rogaway, described in [16], was recently adopted by RSA Data Security Corp. as the RSA PKCS #1 v2.0 standard, replacing the older version of the standard that was subject to the highly publicized attacks of Bleichenbacher. It is also included in the IEEE P1363 draft standard. The family of Internet payment protocols known as iKP, developed by an IBM team and described in publication [48], led to MasterCard and Visa’s SET (Secure Electronic Transactions) system. The DHAES (Diffie-Hellman authenticated encryption scheme) due to Abdalla, Bellare and Rogaway and described in [112] is included in draft standards ANSI X9.63EC, SEC, and IEEE P1363a.

HMAC received an IBM outstanding innovation award in March 1997. It is presented in some recent books, such as “Cryptography and Network Security, Principles and Practice” by William Stallings and the “Handbook of Applied Cryptography” by Menezes, van Oorschot and Vanstone. The last book also includes OAEP. OAEP is mentioned in a New York Times on the web article by Peter Wayner, August 25th, 1998.


14.2.2 Technical elements of the approach

Some of the central technical elements of the approach are the following: analysis of block-cipher-based protocols made by modeling the block cipher as a pseudorandom function; concrete (as opposed to asymptotic) security analyses; attention to and improvement of the quality of security reductions, leading to improved efficiency of protocols; and use of the random oracle model. Let us discuss these in more detail.

Block ciphers like the DES or AES are the most ubiquitous tool in practical cryptographic protocol design. However, nothing is proved about protocols that use them. An important element of our line of work is to integrate these primitives into the fabric of provable security. We suggest to model them formally as pseudorandom functions in the sense of Goldreich, Goldwasser and Micali. We then design protocols using them, and prove the protocols correct under the assumption that the block ciphers are indeed PRFs. (Concrete security analyses, discussed below, are crucial to making this meaningful since block ciphers are finite objects.) This leads to much more efficient protocols, because block ciphers are fast. Instances in this line of work are publications [55, 21, 26, 33, 35, 42, 45, 51]. This work has had an influence: now others are using the same models.

Rather than prove asymptotic results about the infeasibility of breaking a protocol in polynomial time, we present and prove “exact” or “concrete” reductions. Our results have the form: “If DES withstands an attack in which the adversary gets to see 2^36 plaintext-ciphertext pairs, then our protocol is secure against an adversary who can run for t steps, for the following value of t.” This enables a protocol designer to know exactly how much security he/she gets. And it brings a new dimension to protocols: rather than just being secure or non-secure, one can be “more” secure than another. We found that improving the concrete security was a rich and rewarding line of work, and thinking about it greatly increases understanding of the problem. Instances of our work which do security concretely are publications [55, 21, 26, 25, 16, 24, 18, 19, 33, 35, 42, 45, 51, 53, 54]. Since we have put emphasis on concrete security, we have found that others are doing so as well.

Practitioners think only about concrete attacks; theoreticians ignore them, since they prove the security. We found that even when proofs are provided, much is to be gained by finding the best possible attacks. We find new kinds of attacks, which break the system as measured by our more stringent notions of security: an encryption scheme is broken if you can tell whether the message encrypted was 0 or 1, not just if you find the key. This is actually important in practice. Meanwhile, these attacks provide, effectively, the lower bounds to our concrete security analyses, telling us whether the proven security is optimal or not. Publications in which we assess the optimality of our reductions via attacks include [55, 21, 26, 25, 33, 39, 54].
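The two points made above, a scheme built from a block cipher modeled as a PRF, and the notion under which an encryption scheme counts as broken as soon as an adversary can tell whether 0 or 1 was encrypted, are illustrated by the following added Python example. It is not code from this CV or from any of the cited papers. The PRF stand-in (SHA-256 over key || x, truncated to one block), the two toy one-block schemes, the constructed messages M0 and M1, and all function names are assumptions made for the illustration; the left-or-right experiment itself is the standard indistinguishability game. A deterministic scheme that never leaks its key is shown to have adversary advantage 1, while the randomized variant built from the same PRF gives the same adversary advantage 0.

```python
"""Left-or-right indistinguishability experiment on two toy one-block
encryption schemes built from the same keyed function F (added example).

Assumption: F stands in for a block cipher modeled as a PRF.  To stay
standard-library only, F is SHA-256 over key || x truncated to one block.
"""
import hashlib
import secrets
from typing import Callable, Tuple

BLOCK = 16                      # block length in bytes
ZERO = bytes(BLOCK)             # the all-zero block 0^n
M0 = bytes([0]) * BLOCK         # constructed message "0"
M1 = bytes([1]) * BLOCK         # constructed message "1"


def make_prf(key: bytes) -> Callable[[bytes], bytes]:
    """Keyed function F_key: {0,1}^n -> {0,1}^n (assumption: SHA-256 based)."""
    def F(x: bytes) -> bytes:
        assert len(x) == BLOCK
        return hashlib.sha256(key + x).digest()[:BLOCK]
    return F


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc_deterministic(F: Callable[[bytes], bytes], m: bytes) -> bytes:
    """Toy scheme 1: mask the block with the fixed pad F(0^n).  The key never
    leaks, yet equal messages always give equal ciphertexts."""
    return xor(m, F(ZERO))


def enc_randomized(F: Callable[[bytes], bytes], m: bytes) -> bytes:
    """Toy scheme 2 (one-block CTR): fresh random r, output r || (m XOR F(r))."""
    r = secrets.token_bytes(BLOCK)
    return r + xor(m, F(r))


def lr_experiment(enc, adversary, trials: int) -> float:
    """Run the left-or-right experiment `trials` times for b=0 and for b=1,
    with a fresh key each run.  Returns the adversary's advantage
    Pr[A outputs 1 | b=1] - Pr[A outputs 1 | b=0]."""
    ones = {0: 0, 1: 0}
    for b in (0, 1):
        for _ in range(trials):
            F = make_prf(secrets.token_bytes(BLOCK))

            def lr_oracle(m0: bytes, m1: bytes, F=F, b=b) -> bytes:
                # LR oracle: encrypts the left message if b=0, the right if b=1
                return enc(F, m1 if b == 1 else m0)

            ones[b] += adversary(lr_oracle)
    return ones[1] / trials - ones[0] / trials


def repeat_adversary(lr_oracle) -> int:
    """Two queries: LR(M0, M0) returns Enc(M0) whatever b is, LR(M0, M1)
    returns Enc(M_b).  Guess b=1 iff the two ciphertexts differ."""
    c_ref = lr_oracle(M0, M0)
    c_test = lr_oracle(M0, M1)
    return 1 if c_test != c_ref else 0


def measure(trials: int = 200) -> Tuple[float, float]:
    """Advantage of repeat_adversary against the deterministic scheme and
    against the randomized scheme, in that order."""
    return (lr_experiment(enc_deterministic, repeat_adversary, trials),
            lr_experiment(enc_randomized, repeat_adversary, trials))


if __name__ == "__main__":
    adv_det, adv_rand = measure()
    print(f"advantage vs deterministic scheme: {adv_det:.2f}")   # 1.00
    print(f"advantage vs randomized scheme:    {adv_rand:.2f}")  # 0.00
```

The measured advantage is exactly the quantity a concrete security bound upper-bounds in terms of the adversary's running time and number of oracle queries; here the adversary spends two queries and negligible time, so a proof that bounds its advantage by anything below 1 would be contradicted by scheme 1 and is consistent with scheme 2.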

We have systematized the use of the random oracle model in proving cryptographic protocols correct, and used the ensuing paradigm in several places. We claim it provides a "bridge" between theory and practice when standard cryptographic assumptions prove too weak. We have, we hope, been careful in being clear about both the strengths and the weaknesses of this paradigm. In this line are some of our most successful schemes (from the point of view of adoption by practitioners), namely the RSA based protocols for encryption and signatures described in [15, 16, 24].

14.3 Topics and results

In this section I will summarize my results and contributions on specific topics in cryptography. Some of these have been alluded to above; many have not.

14.3.1 Digital signatures

A digital signature is the electronic analogue of an ordinary handwritten signature: a user will digitally sign an electronic document (such as an electronic check) to prove its authenticity. The setting (as described by Diffie and Hellman, 1979) is that each user produces signatures based on a secret key, while possession of a matching public key allows the possessor to verify the correctness of the signature.

Signing with trapdoor permutations. Diffie and Hellman suggested a signing method which used as primitive a "trapdoor permutation." But their scheme wasn't very secure. Focusing on security, ensuing work culminated in a notion now accepted as the best possible (Goldwasser, Micali and Rivest, 1984). In achieving it, however, the authors used assumptions that were stronger than those of Diffie and Hellman. In publication [11], we bridged the gap, showing that the strong notion of security was achievable using only the initial Diffie-Hellman assumption of a trapdoor permutation. This work seems to have rekindled interest in the area of "reducing cryptographic assumptions" and paved the way for later improvements which led to the proof that any one-way function suffices.

Signing with NIZK proofs. Publication [7] suggested a different paradigm for signing, based on non-interactive zero-knowledge (NIZK) proofs. These signatures possess several properties other signatures don't. In addition they have proven useful outside cryptography, for example to show hardness results in computational learning theory.

Signing with RSA. Theoretical signature schemes are not very efficient. In practice, one signs by the "hash-then-decrypt" paradigm of first "hashing" the message and then inverting the result under the RSA function. Publication [15] noted that this is secure if the hash function is "ideal," meaning a random oracle. Publication [24] pointed to weaknesses in the way the hash-then-decrypt paradigm was implemented in some current standards and then proposed a new scheme for signing with RSA called PSS (the probabilistic signature scheme). This scheme is as efficient as hash-then-decrypt schemes; can be proven secure assuming RSA is one-way and some underlying hash functions are ideal; and moreover has a concrete security reduction which is tight. It is a viable alternative to current RSA signature schemes, and is being considered for standardization by the IEEE P1363 committee.

Forward-secure signatures. In [46] we describe a digital signature scheme in which the public key is fixed but the secret signing key is updated at regular intervals so as to provide a forward security property: compromise of the current secret key does not enable an adversary to forge signatures pertaining to the past. This can be useful to mitigate the damage caused by key exposure without requiring distribution of keys. Our construction uses ideas from the Fiat-Shamir and Ong-Schnorr identification and signature schemes, and is proven to be forward secure based on the hardness of factoring, in the random oracle model. The construction is also quite efficient.

14.3.2 Asymmetric encryption

Encryption ensures privacy of information transmitted across an insecure network. There are two main settings for it. In the symmetric or private-key setting, encryption and decryption are based on the same key, which is shared by the communicating parties. In the asymmetric or public-key setting, the recipient's public key, known to the sender and the adversary, permits encryption, and the recipient's secret key permits decryption.

OAEP. The practical problem in asymmetric encryption is to encrypt a short string (a few hundred bits) with a single RSA operation. (Typically this string is a key for a symmetric encryption scheme under which the data is encrypted.) Existing and standardized schemes did not have a well justified security. Known theoretically good solutions, however, were considerably less efficient.

We designed an RSA based scheme called OAEP, for "optimal asymmetric encryption padding," to fill this gap [16]. It uses some hash function applications and one RSA operation to encrypt a short string, so that it is as efficient as practitioners want. But the scheme is provably secure as long as RSA is a one-way function and the underlying hash functions are "ideal," meaning random oracles. Furthermore, a simple modification of OAEP achieves much stronger properties like non-malleability and chosen ciphertext security, for which known theoretically sound solutions were exorbitant.

OAEP is included in SET, the electronic payment protocol of MasterCard and Visa, where it is used to encrypt credit card numbers. It is also the RSA PKCS#1 v2.0 standard and part of the IEEE P1363 draft standard.
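As an added example (not code from this document or from the OAEP paper), the following Python carries out the construction described above in the form it later took in PKCS#1 v2: a padded data block with fixed redundancy, two Feistel-like mixing rounds driven by the mask generation function MGF1, and then one RSA operation. SHA-256 stands in for the "ideal" hash. The Miller-Rabin key generation, the 1024-bit toy key, the 16-byte session key and the flip_bit helper are all constructed for the demonstration and are not part of the original text. The demo checks that a wrapped session key decrypts, that a flipped ciphertext bit is rejected, and that a flipped bit anywhere in the padded block is rejected, which is the property the text relies on for chosen-ciphertext security.

```python
import hashlib
import math
import os
import random

HLEN = 32  # SHA-256 plays the "ideal" hash for both lHash and MGF1


def mgf1(seed, length):
    """PKCS#1 mask generation function: SHA-256(seed || counter), stretched to `length` bytes."""
    out = b"".join(hashlib.sha256(seed + c.to_bytes(4, "big")).digest()
                   for c in range((length + HLEN - 1) // HLEN))
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg, k, label=b"", seed=None):
    """EME-OAEP: fixed redundancy (lHash, zero padding, 0x01) plus two Feistel-like mixing rounds."""
    if len(msg) > k - 2 * HLEN - 2:
        raise ValueError("message too long for a %d-byte modulus" % k)
    lhash = hashlib.sha256(label).digest()
    db = lhash + b"\x00" * (k - len(msg) - 2 * HLEN - 2) + b"\x01" + msg
    seed = os.urandom(HLEN) if seed is None else seed
    masked_db = xor(db, mgf1(seed, k - HLEN - 1))   # round 1: the seed masks the data block
    masked_seed = xor(seed, mgf1(masked_db, HLEN))  # round 2: the masked data masks the seed
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em, k, label=b""):
    """Invert the two rounds and verify the redundancy; None means reject."""
    if len(em) != k or em[0] != 0:
        return None
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, k - HLEN - 1))
    if db[:HLEN] != hashlib.sha256(label).digest():
        return None
    i = HLEN
    while i < len(db) and db[i] == 0:               # skip the zero padding
        i += 1
    if i == len(db) or db[i] != 1:
        return None
    return db[i + 1:]

def is_probable_prime(n, rounds=32):
    """Miller-Rabin, sufficient for the toy key below."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # full length and odd
        if is_probable_prime(cand):
            return cand

def rsa_keygen(bits=1024):
    """Toy RSA key generation (demo only, not for production): returns (n, e, d)."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)

def rsa_oaep_encrypt(n, e, msg, label=b""):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(oaep_encode(msg, k, label), "big"), e, n).to_bytes(k, "big")

def rsa_oaep_decrypt(n, d, ct, label=b""):
    k = (n.bit_length() + 7) // 8
    c = int.from_bytes(ct, "big")
    if len(ct) != k or c >= n:
        return None
    return oaep_decode(pow(c, d, n).to_bytes(k, "big"), k, label)

def flip_bit(data, index):
    return data[:index] + bytes([data[index] ^ 0x01]) + data[index + 1:]

def demo():
    """Returns (session key decrypts, tampered ciphertext rejected, tampered padded block rejected)."""
    n, e, d = rsa_keygen(1024)
    session_key = os.urandom(16)                    # constructed sample: the short string OAEP wraps
    ct = rsa_oaep_encrypt(n, e, session_key)
    k = len(ct)
    em = oaep_encode(session_key, k)
    return (rsa_oaep_decrypt(n, d, ct) == session_key,
            rsa_oaep_decrypt(n, d, flip_bit(ct, k - 1)) is None,
            oaep_decode(flip_bit(em, k // 2), k) is None)
```

The decoder above collapses every failure (leading byte, lHash, padding separator) into a single None, and a deployed decoder must go further and make the failures indistinguishable in timing and error reporting as well: Manger's 2001 attack on PKCS#1 v2.0 recovered plaintexts from an implementation that let the adversary tell the first check apart from the others.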

Relating notions. Several notions of security for asymmetric cryptosystems are used in the literature, varying in what kinds of attacks are considered and what is considered a break. Publication [39] sorts out this area. We consider the goals of privacy and non-malleability, each under chosen-plaintext attack and two kinds of chosen-ciphertext attack. For each of the resulting pairs of definitions we prove either an implication (every scheme meeting one notion must meet the other) or a separation (there is a scheme meeting one notion but not the other, assuming the first notion can be met at all). We similarly treat plaintext awareness, a notion of security in the random-oracle model that we introduced in [16].

Simplifying the notion of non-malleability. In [47] we prove the equivalence of two definitions of non-malleable encryption appearing in the literature: the original one of Dolev, Dwork and Naor and the later one of [39]. The equivalence relies on a new characterization of non-malleable encryption in terms of the standard notion of indistinguishability of Goldwasser and Micali. We show that non-malleability is equivalent to indistinguishability under a "parallel chosen ciphertext attack," this being a new kind of chosen ciphertext attack we introduce, in which the adversary's decryption queries are not allowed to depend on answers to previous queries, but must be made all at once.

The multi-user setting. In [49] we address the security of public-key cryptosystems in a "multi-user" setting, namely in the presence of attacks involving the encryption of related messages under different public keys, as exemplified by Håstad's classical attacks on RSA. We prove that security in the single-user setting implies security in the multi-user setting as long as the former is interpreted in the strong sense of "indistinguishability," thereby pin-pointing many schemes guaranteed to be secure against Håstad-type attacks. We then highlight the importance, in practice, of considering and improving the concrete security of the general reduction, and present such improvements for two Diffie-Hellman based schemes, namely El Gamal and Cramer-Shoup.

14.3.3 Symmetric encryption

As indicated above, a symmetric encryption scheme is used to assure privacy of information transmitted across an insecure network between parties who share a secret key.

Analyses of modes of operation. The world's most popular encryption scheme is one called "Cipher Block Chaining" (CBC). It is an American National Standard, and a banking industry standard. Although seventeen years old, it had to date never had its security rigorously analyzed. This is one of the gaps filled by publication [33]. We were able to do this by following the "practice-oriented provable security" approach. The approach, based on our previous works, is to model the block cipher underlying the encryption (typically DES) as a "pseudorandom function" (PRF) and then reduce the security of the encryption scheme to that of the PRF. The reductions are "concrete" so that security can be measured numerically.

In addition, this publication provides a foundation for the treatment of symmetric encryption in practical settings. We study various notions of security and the concrete complexity of reductions between them. We also suggest new ways to encrypt that are "more secure" than traditional CBC.

Authenticated encryption. In [54] we consider two possible notions of authenticity for symmetric encryption schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them to the standard notions of privacy for symmetric encryption schemes by presenting implications and separations between all notions considered. We then analyze the security of authenticated encryption schemes designed by "generic composition," meaning making black-box use of a given symmetric encryption scheme and a given MAC. Three composition methods are considered, namely Encrypt-and-MAC plaintext, MAC-then-encrypt, and Encrypt-then-MAC. For each of these, and for each notion of security, we indicate whether or not the resulting scheme meets the notion in question assuming the given symmetric encryption scheme is secure against chosen-plaintext attack and the given MAC is unforgeable under chosen-message attack. We provide proofs for the cases where the answer is "yes" and counter-examples for the cases where the answer is "no."
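The three compositions, as an added example that is not code from this document or from [54]. The given encryption scheme is randomized counter mode over a PRF (HMAC-SHA256 truncated to one block stands in for the block cipher), the given MAC is HMAC-SHA256, and each composition is built black-box from the two. Two checks follow the paper's two questions. leaks_equality asks whether encrypting the same message twice shows a repeated tag, which a chosen-plaintext adversary can use to tell "same message" from "different messages"; only Encrypt-and-MAC fails, because its tag is a deterministic function of the plaintext. forges_ciphertext asks whether an adversary can produce a fresh valid ciphertext without the key; to show that the generic claim fails for MAC-then-encrypt and Encrypt-and-MAC it uses a constructed counterexample scheme, redundant_enc, which appends one byte that decryption ignores and so is still secure against chosen-plaintext attack but has non-unique ciphertexts. All key material and messages are constructed for the demo.

```python
import hashlib
import hmac
import os

TAGLEN = 32  # HMAC-SHA256 is the given MAC, assumed unforgeable under chosen-message attack


def prf(key, x):
    """Stand-in for the block cipher, modeled as a PRF: HMAC-SHA256 truncated to a 16-byte block."""
    return hmac.new(key, x, hashlib.sha256).digest()[:16]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_enc(ke, m):
    """Randomized counter mode over prf(): secure against chosen-plaintext attack when prf is a PRF."""
    nonce = os.urandom(16)
    stream = b"".join(prf(ke, nonce + i.to_bytes(4, "big")) for i in range((len(m) + 15) // 16))
    return nonce + xor(m, stream)

def ctr_dec(ke, c):
    nonce, body = c[:16], c[16:]
    stream = b"".join(prf(ke, nonce + i.to_bytes(4, "big")) for i in range((len(body) + 15) // 16))
    return xor(body, stream)

def redundant_enc(ke, m):
    """Constructed counterexample scheme: counter mode plus one trailing byte that decryption
    ignores. Still private under chosen-plaintext attack, but ciphertexts are no longer unique."""
    return ctr_enc(ke, m) + b"\x00"

def redundant_dec(ke, c):
    return ctr_dec(ke, c[:-1])

def tag(km, x):
    return hmac.new(km, x, hashlib.sha256).digest()

def compose(method, enc, dec):
    """Return (encrypt, decrypt) for one of the three generic compositions over (enc, dec) and HMAC."""
    def encrypt(ke, km, m):
        if method == "E&M":                     # Encrypt-and-MAC: C = E(M) || MAC(M)
            return enc(ke, m) + tag(km, m)
        if method == "MtE":                     # MAC-then-encrypt: C = E(M || MAC(M))
            return enc(ke, m + tag(km, m))
        c = enc(ke, m)                          # Encrypt-then-MAC: C = E(M) || MAC(E(M))
        return c + tag(km, c)

    def decrypt(ke, km, ct):
        if method == "E&M":
            c, t = ct[:-TAGLEN], ct[-TAGLEN:]
            m = dec(ke, c)
            return m if hmac.compare_digest(tag(km, m), t) else None
        if method == "MtE":
            p = dec(ke, ct)
            m, t = p[:-TAGLEN], p[-TAGLEN:]
            return m if hmac.compare_digest(tag(km, m), t) else None
        c, t = ct[:-TAGLEN], ct[-TAGLEN:]
        return dec(ke, c) if hmac.compare_digest(tag(km, c), t) else None

    return encrypt, decrypt

def round_trips(method):
    ke, km = os.urandom(16), os.urandom(16)
    encrypt, decrypt = compose(method, ctr_enc, ctr_dec)
    return decrypt(ke, km, encrypt(ke, km, b"attack at dawn")) == b"attack at dawn"

def leaks_equality(method):
    """Privacy check: encrypt one message twice and see whether the trailing tag repeats. A repeat
    lets a chosen-plaintext adversary distinguish 'same message' from 'different messages'."""
    ke, km = os.urandom(16), os.urandom(16)
    encrypt, _ = compose(method, ctr_enc, ctr_dec)
    c1, c2 = encrypt(ke, km, b"attack at dawn"), encrypt(ke, km, b"attack at dawn")
    return c1[-TAGLEN:] == c2[-TAGLEN:]

def forges_ciphertext(method):
    """Integrity-of-ciphertexts check over the redundant scheme: flip the ignored byte of a valid
    ciphertext and see whether the result is a new ciphertext that still decrypts to the message."""
    ke, km = os.urandom(16), os.urandom(16)
    encrypt, decrypt = compose(method, redundant_enc, redundant_dec)
    ct = encrypt(ke, km, b"pay 100")
    idx = len(ct) - 1 if method == "MtE" else len(ct) - TAGLEN - 1   # where the ignored byte sits
    forged = ct[:idx] + bytes([ct[idx] ^ 0x01]) + ct[idx + 1:]
    return decrypt(ke, km, forged) == b"pay 100"
```

With the plain counter-mode scheme all three compositions happen to reject a flipped ciphertext byte, since the flip lands in the plaintext the MAC covers. The point of the counterexample is that MAC-then-encrypt and Encrypt-and-MAC owe that behaviour to the particular encryption scheme, while Encrypt-then-MAC owes it only to the MAC, which is what a generic guarantee requires.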

Encode-then-encipher. In [53] we investigate the following approach to symmetric encryption: first encode the message via some keyless transform, and then encipher the encoded message, meaning apply a permutation F_K based on a shared key K. We provide conditions on the encoding functions and the cipher which ensure that the resulting encryption scheme meets strong privacy (e.g. semantic security) and/or authenticity goals. The encoding can either be implemented in a simple way (e.g. prepend a counter and append a checksum) or viewed as modeling existing redundancy or entropy already present in the messages, whereby encode-then-encipher encryption provides a way to exploit structured message spaces to achieve compact ciphertexts.

14.3.4 Entity authentication and session key distribution

"Entity authentication" is the process by which a party gains confidence in the identity of a communication partner. It is usually coupled with the distribution of a "session key." These are arguably the most basic problems for secure distributed computation: without a correct solution there can be no meaningful access control or accountability; there cannot even be reliable distribution of work across network resources. Despite a long history and a large literature, this problem rested on no meaningful formal foundation. This is more than an academic complaint: it is an area in which an informal approach has often led to work which has subsequently been found to be wrong, and in some cases the flaws have taken years to discover.

The two-party setting. Publication [14] addresses the two party setting of the problem. It achieves provable security by providing a model, definitions, protocols, and proofs of correctness for these protocols under standard assumptions.

The three-party setting. The three party case of this problem may be the most well-known. It was first addressed by Needham and Schroeder in 1978. Its most popular incarnation is the Kerberos system. However this system, and existing solutions, suffer from the same problems discussed above. In publication [20] we provide provably secure protocols for the three party session key distribution problem.

Protecting against dictionary attacks. Password-based protocols for authenticated key exchange (AKE) are designed to work despite the use of passwords drawn from a space so small that an adversary might well enumerate, off line, all possible passwords. While several such protocols have been suggested, the underlying theory has been lagging. In [50] we begin by defining a model for this problem, one rich enough to deal with password guessing, forward secrecy, server compromise, and loss of session keys. The one model can be used to define various goals. We take AKE (with implicit authentication) as the basic goal, and we give definitions for it, and for entity-authentication goals as well. Then we prove correctness for the idea at the center of the Encrypted Key-Exchange (EKE) protocol of Bellovin and Merritt: we prove security, in an ideal-cipher model, of the two-flow protocol at the core of EKE.

All our protocols are efficient and practical, viable alternatives to current systems. Some have been implemented.

14.3.5 Message authentication

On an insecure network, we need to make sure that a received message originates with the person who claims to have sent it, and not with some imposter. Two parties who share a secret key can use message authentication. The sender computes a tag (called the MAC, or message authentication code), a function of the message and key, and attaches it to the message; the receiver has a means to check the validity of the tag, based on the received message and key.

As network usage grows, message authentication is becoming a ubiquitous requirement. We need it on essentially any packet transmitted across the network. Thus there is a need for mechanisms that are both fast and secure.

In practice, message authentication is done using block ciphers like DES. No analysis accompanies this usage. On the other hand theoretically good solutions exist, but are far too inefficient.

Message authentication represents one of the first and most successful areas in which we have applied practice-oriented provable security. Our work in this area illustrates the central elements of the approach: formal modeling of block ciphers via finite pseudorandom functions; analysis of existing and new practical constructions based on this; concrete security analysis; optimality of these analyses considered via attacks.

CBC MAC. The CBC MAC is the most popular message authentication scheme in practice. In particular it is a standard in the financial industry. It uses a block cipher, typically DES. Publication [55] set out to analyze this scheme. We suggested that block ciphers be modeled as pseudorandom functions (PRFs) and we showed that if the underlying block cipher is a secure PRF then the CBC MAC based on it is a secure MAC. Our analysis was concrete, showing exactly how the security of the MAC depends on the security of the block cipher.

Besides providing the first evidence of security for the CBC MAC, this work introduced the PRF based approach to the analysis of block cipher based schemes which has been employed in several places since.

XOR MACs. With our work on the CBC MAC, it became possible to think analytically about block cipher based constructions. This led to the consideration of new constructions. In publication [21], we introduced XOR MACs. These MACs are parallelizable, making them suitable for on-line packet authentication over high-speed networks. They also have the property of being incremental, discussed in Section 14.3.9 below. Perhaps most interestingly, our concrete security analyses show that they are "more secure" than the CBC MAC, in the sense that for a given strength in the underlying PRF, an XOR MAC has a higher proven security than the CBC MAC. This was our first instance of being able to make comparisons of security via concrete analyses.
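The CBC MAC and the randomized XOR MAC side by side, as an added example that is not code from this document or from [55] or [21]; it also illustrates the block-replacement update that Section 14.3.9 on incremental cryptography describes. Following the modeling approach of the text, the block cipher is treated as a PRF and instantiated here with HMAC-SHA256 truncated to one 16-byte block. One assumption of the demo: the real XOR MAC packs a flag bit, a block index and a partial message block into a single cipher input, whereas this PRF stand-in simply accepts the longer flag || index || block string. cbc_mac_splice records a caveat the page does not state but that follows directly from the chaining structure: the raw CBC MAC is secure only for messages of one fixed length, and across lengths two tagging queries yield a third valid (message, tag) pair. Keys and messages are constructed for the demonstration.

```python
import hashlib
import hmac
import os

BLOCK = 16


def prf(key, x):
    """Block-cipher stand-in, modeled as a PRF: HMAC-SHA256 truncated to one block. Unlike a real
    block cipher it accepts inputs longer than one block (the flag || index || block encoding below)."""
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(msg):
    if len(msg) % BLOCK:
        raise ValueError("message length must be a multiple of the block size")
    return [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]

def cbc_mac(key, msg):
    """Raw CBC MAC: a serial chain whose final chaining value is the tag."""
    y = bytes(BLOCK)
    for b in blocks(msg):
        y = prf(key, xor(y, b))
    return y

def cbc_mac_splice(key, m1, m2):
    """Caveat for variable-length use (not stated on the page): given the tags t1, t2 of two one-block
    messages, the two-block message m1 || (m2 xor t1) has tag t2, because the chain computes
    prf(key, t1 xor (m2 xor t1)) = prf(key, m2). Returns (forged_message, its_valid_tag)."""
    t1 = cbc_mac(key, m1)          # first tagging query
    t2 = cbc_mac(key, m2)          # second tagging query
    return m1 + xor(m2, t1), t2    # never queried, yet verifies

def _term(key, i, b):
    return prf(key, b"\x01" + i.to_bytes(4, "big") + b)

def xor_mac(key, msg, r=None):
    """Randomized XOR MAC: tag = prf(0 || r) xor XOR_i prf(1 || i || m_i). The per-block terms are
    independent, so they can be computed in parallel and updated one at a time. Returns (r, tag)."""
    r = os.urandom(BLOCK) if r is None else r
    acc = prf(key, b"\x00" + r)
    for i, b in enumerate(blocks(msg)):
        acc = xor(acc, _term(key, i, b))
    return r, acc

def xor_mac_update(key, tag, i, old_block, new_block):
    """Incremental replacement of block i: two PRF calls whatever the message length. The CBC MAC
    would have to rechain from block i to the end."""
    return xor(xor(tag, _term(key, i, old_block)), _term(key, i, new_block))

def xor_mac_verify(key, msg, r, tag):
    return hmac.compare_digest(xor_mac(key, msg, r)[1], tag)
```

The update function shows why the XOR MAC is incremental and the CBC MAC is not: the XOR MAC tag is a sum of independent per-block terms, so replacing block i only exchanges one term, while the CBC chain makes every later chaining value depend on block i.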

HMAC. Hash functions like MD5 and SHA-1 have been getting very popular, due to their software speed and easy availability. Various groups thus tried to use these functions to design MACs. It is a tricky business, because hash functions are not naturally keyed primitives, and it is not clear how best to key them for use as MACs. We have put forth two solutions to the problem.

The first is the HMAC construction of publication [25], which uses two applications of the hash function, both appropriately keyed. We show that this is a secure MAC given only quite weak assumptions about the two keyed applications. HMAC has been very popular: it is used in the BSAFE product of RSA Data Security Corporation, in SSL (3.0 and 3.1), S-HTTP, and NetBSD. It is also an IETF IPSEC Internet Draft Standard and is being considered for an ANSI X9 keyed hash standard.

Our second approach was to look to the structure of the hash functions as being iterations of a basic compression function. In publication [26] we suggest that one assume the keyed compression function is a PRF. Under this assumption we provide (concrete) analyses showing that the hash function, when keyed by its initial vector, is itself a secure PRF, and hence a secure MAC.

Big MACs from small ones. Many practical MACs are designed by iterating applications of some fixed-input-length (FIL) primitive, namely one like a block cipher or compression function that only applies to data of a fixed length. Existing security analyses of these constructions either require a stronger security property from the FIL primitive (e.g. pseudorandomness) than the unforgeability required of the final MAC, or, as in the case of HMAC, make security assumptions about the iterated function itself. In [44] we consider the design of iterated MACs under the (minimal) assumption that the given FIL primitive is itself a MAC. We look at three popular transforms, namely CBC, Feistel and the Merkle-Damgård method, and ask for each whether it preserves unforgeability. We show that the answer is no in the first two cases and yes in the third. The last yields an alternative cryptographic hash function based MAC which is secure under weaker assumptions than existing ones.

14.3.6 Hashing

Recent attacks on the cryptographic hash functions MD4 and MD5 make it clear that (strong) collision-resistance is a hard-to-achieve goal. In publication [31], we look towards making more practical hash functions to meet a weaker notion of hashing introduced earlier by Naor and Yung. We study the process of turning compression functions into full-fledged hash functions. We point out that the classic Merkle-Damgård method does not work and provide alternatives that do work.

Publication [28] provides new designs of collision-resistant hash functions (meaning it is hard to find two distinct points with the same image) that are incremental. These functions are faster than previous ones but still have a security that can be proven based on standard assumptions, in a random oracle model.

14.3.7 Protocol design with random oracles

Cryptographic practice provides primitives (like the secure hash algorithm SHA) which seem not only to satisfy the strongest kinds of assumptions theoreticians like to make, but even have strengths which have not yet been defined or formalized. Theoreticians may suggest that we not rely on these strengths until we have a theory that captures them; this caution is sound in principle, but is meanwhile denying practitioners the use of the strengths they see in the primitives.

The random oracle paradigm that we advocate in [15] provides practitioners a way to use the primitives while retaining some of the assurances of provable security. The idea is a simple one: namely, provide all parties, good and bad alike, with access to a (public) random oracle; prove a protocol correct in this model; then replace the random oracle by an MD5-like hash function. The fruits of the method are protocols which are very efficient.

To avoid confusion, we clarify that random oracles are very different from (finite) pseudorandom functions. The latter are based on a secret key, while the former are completely public.

We stress that the proof is in the random oracle model and the last step is heuristic in nature. But it is our experience that this paradigm results in "secure in practice" protocols as long as the original protocol is "independent" of the hash function.

We exploited the random oracle model in [15] and then in [16, 24, 28, 46].

14.3.8 Improving usage of block ciphers

PRFs rather than PRPs. Block ciphers are invertible: given the key one can not only encipher, but also decipher. That is, for each key, the induced map is a permutation. This classical property seems necessary; else how do you decrypt? We point out in publication [35] that not only is the permutation property unnecessary but in fact it is a drawback, because it reduces the security of the cipher. We argue that a better starting point for scheme design is the non-invertible analog of a block cipher, that is, a pseudorandom function (PRF). Since a block cipher may be viewed as a pseudorandom permutation, we are led to investigate the reverse of a well-known problem studied by Luby and Rackoff, and ask: "how can one transform a PRP into a PRF in as security-preserving a way as possible?" The solution we propose and analyze is data-dependent re-keying.

Increasing security without counters. Many block cipher based protocols (for common problems like encryption, message authentication or challenge-response protocols) have the following feature: there is a stateful (counter based) version of the scheme that has high security, but if, to avoid the use of state, we substitute a random value for the counter, the security of the scheme drops below the birthday bound. In some situations the use of counters or other forms of state is impractical or unsafe. In [45] we present a paradigm for strengthening pseudorandom function usages to this end, the idea of which is roughly to use the XOR of the values of a pseudorandom function on a small number of distinct random points in place of its value on a single point. We establish two general security properties of our construction, "pseudorandomness" and "integrity", with security beyond the birthday bound. These can be applied to derive encryption schemes, and MAC schemes (based on universal hash functions), that have security well beyond the birthday bound, without the use of state and at moderate computational cost.

Rekeying. Rather than use a shared key directly to cryptographically process (e.g. encrypt or authenticate) data, one can use it as a master key to derive subkeys, and use the subkeys for the actual cryptographic processing. This popular paradigm is called re-keying, and the expectation is that it is good for security. In [51] we provide concrete security analyses of various block-cipher based re-keying mechanisms and their usage. We show that re-keying does indeed "increase" security, effectively extending the lifetime of the master key and bringing significant, provable security gains in practical situations. We quantify the security provided by different re-keying processes as a function of the security of the primitives they use, thereby enabling a user to choose between different re-keying processes given the constraints of some application.

Enciphering long messages. Whereas a block cipher enciphers messages of some one particular length (the block length), a variable-input-length cipher takes messages of varying (and preferably arbitrary) lengths. Still, the length of the ciphertext must equal the length of the plaintext. In [42] we introduce the problem of constructing such objects, and provide a practical solution. Our VIL mode of operation makes a variable-input-length cipher from any block cipher. The method is demonstrably secure in the provable-security sense of modern cryptography: we give a quantitative security analysis relating the difficulty of breaking the constructed (variable-input-length) cipher to the difficulty of breaking the underlying block cipher.

14.3.9 Incremental cryptography

The notion of incrementality was advanced in publications [18, 19]. We consider that when we cryptographically process documents in bulk, these documents may be related to each other, something we could take advantage of to speed up the computation of the cryptographic transformations. For example, a message x′ I want to hash may be a simple modification of a message x I previously hashed. If I have already computed the hash f(x) of x then, rather than re-computing f(x′) from scratch, I would like to just quickly "update" the old hash value f(x) to the new value f(x′). An incremental hash function is one that permits this. Similarly for other cryptographic primitives.

In [18] we designed schemes for incremental collision-free hashing in which, if a block of the message was replaced by another, the new hash value could be quickly re-computed from the old one. Then in [19] we broadened the scope. First, we considered more general update operations on data, such as insertion and deletion of blocks, not just replacement. We then designed such more general incremental schemes for primitives like message authentication, digital signatures, and encryption.

Publication [28] provides new designs of collision-resistant hash functions (meaning it is hard to find two distinct points with the same image) that are incremental in the above sense. These functions are faster than previous ones but still have a security that can be proven based on standard assumptions, in a random oracle model.

14.3.10 Zero-knowledge

Zero-knowledge was introduced by Goldwasser, Micali and Rackoff in 1985. It is one of the most influential cryptographic ideas of the last decade, with applications which have revolutionized cryptographic protocol design (e.g. Goldreich, Micali, Wigderson 1986). Roughly, a "zero-knowledge" proof convinces its verifier of the validity of an assertion without revealing why the assertion is true. Perhaps unsurprisingly, it is not easy to achieve; zero-knowledge protocols tend to be hard to design, and when designed are often inefficient.

Perfect ZK in constant rounds. A classic example of a (perfect) zero-knowledge proof is the one for graph isomorphism presented by Goldreich, Micali and Wigderson (1986). To achieve zero-knowledge, their protocol used an unbounded number of rounds of communication. Whether a constant round proof was possible was a fairly long standing open question. Publication [9] resolves it by presenting a five round, perfect zero-knowledge proof for the problem in question.

Automatic security boosting. The definition of zero-knowledge demands (in the light of applications, rightfully) that even if the verifier deviates from his prescribed protocol he should learn nothing from the prover. Now, experience has shown that the construction of a protocol which is zero-knowledge with respect to an "honest" verifier is often not so hard; it is in maintaining the zero-knowledge in the presence of "cheating" that design complexity is incurred. Publication [10] presents an "automatic" way to convert a zero-knowledge proof secure against an honest verifier into one secure against any verifier; it is a tool which can significantly simplify protocol design. Our "compiler" has applications both in cryptography and in complexity theory. Amongst the former is a general method for parallelizing zero-knowledge protocols. For the latter the reader is referred to Section 15.2.

Proofs of knowledge. Zero-knowledge proofs of knowledge found their first application in smart card based identification (Feige, Fiat and Shamir, 1987). A user A would identify herself by proving in zero-knowledge that she "knew" some secret key whose associated public key was available to the verifier. The success of proofs of knowledge in this context led to their use in other applications. Some of these later uses were careless in claiming provable security: the definitions given in the above mentioned work were adequate for the smart card setting, but when lifted to other settings they did not suffice to guarantee the claims of provable security that were made. Publication [12] identifies these problems and provides the first general definition of a proof of knowledge under which all presently known applications can find provability.

Public key zero-knowledge. Public key cryptography, as proposed by Diffie and Hellman, is a convenient setting. User A will make known a public key PK_A while keeping to himself an associated secret key SK_A. Then anyone knowing A's public key can send A encrypted traffic and verify A's digital signatures. Our work in [6] suggests a way in which more complex primitives can be achieved in the same public key model. The primary tool is a non-interactive, public key based protocol for implementing a primitive known as "oblivious transfer." With this in place, we are able to provide a way in which users A and B, knowing each other's public keys, could send each other zero-knowledge proofs which are non-interactive: each proof consists of just a single message.

Non-interactive zero-knowledge. A model suggested by Blum, De Santis, Micali and Persiano (1991) is perhaps even more convenient than the public key one. In this model, a single random string, published by some trusted center, serves as the reference point for all users. The authors showed how, in this setting, one could implement non-interactive zero-knowledge proofs under certain algebraic assumptions. A scheme based on the general assumption of a trapdoor permutation was claimed by Feige, Lapidot and Shamir (1990). Publication [23] points out that this scheme only works if the trapdoor permutation has the (rare!) property of being certified. We then fill the gap by providing a general certification method, so that the claim of non-interactive zero-knowledge given any trapdoor permutation is now valid.

In using non-interactive zero-knowledge to construct digital signatures, our work in [7] demonstrated the applicability of these proofs. It also identified the kinds of "attacks" a non-interactive zero-knowledge proof ought to withstand to be useful for applications, and this motivated later work to construct proofs with the properties we defined.

Zero-knowledge arguments. Publication [29] resolves an open question in the theory of zero-knowledge protocols by presenting NP-arguments that achieve negligible error probability and computational zero-knowledge in four rounds of interaction, assuming only the existence of a one-way function. This result is optimal in the sense that four rounds and a one-way function are each individually necessary to achieve a negligible error zero-knowledge argument for NP.


14.3.11 Politics of privacy

Time capsules in key escrow. We introduce a new approach to key escrow in publications [27, 109]. With this approach it is computationally possible for an authority to wiretap individual users, but computationally prohibitive for the authority to launch large scale wiretapping. This is achieved by imposing a time delay between obtaining the escrowed information of a user and actually recovering the secret key. Furthermore, the recoverability is verifiable at escrow time. The approach is applicable both for session keys and for public key cryptography.

The idea behind one of our implementations is a new cryptographic tool called a verifiable cryptographic time capsule. This has broader applications to “sending information into the future.”

Translucent crypto. Translucent cryptography is an alternative to key escrow for the problem of having a form of encryption that is secure to unauthorized listeners but which an authorized agency can open. The idea is that some fraction of the traffic is recoverable by the authority. In [43] we propose the idea and some protocols for fractional oblivious transfer that implement it.

Chaffing and winnowing. In [52] we take a closer look at Rivest’s chaffing-and-winnowing paradigm for data privacy. We begin with a definition which enables one to clearly determine whether a given scheme qualifies as “chaffing-and-winnowing.” We then analyze Rivest’s schemes to see what quality of data privacy they provide. His bit-by-bit scheme is easily proven secure but is inefficient. His more efficient scheme, based on all-or-nothing transforms (AONTs), can be attacked under Rivest’s definition of security of an AONT, and even under stronger notions does not appear provable. However we show that by using OAEP as the AONT one can prove security, and also present a different scheme, still using AONTs, that is equally efficient and easily proven secure even under a relatively weak notion of security of AONTs.
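The bit-by-bit scheme, written out as an added example (not code from [52] or from Rivest): every bit is sent twice under its serial number, once with a valid authentication tag and once, as chaff, with the complementary value and a random tag; the receiver holding the key winnows by tag verification, while anyone without the key sees both bit values for every serial number. The packet layout and the use of HMAC-SHA256 as the MAC are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Bit-by-bit chaffing and winnowing. No encryption is applied anywhere:
# confidentiality rests entirely on the unforgeability of the MAC, which is
# why the receiver must verify every tag (in constant time) and keep nothing
# else. Packet layout (serial, bit, tag) is an assumption of this example.
TAG_LEN = 32  # HMAC-SHA256 output length in bytes


def tag(key: bytes, serial: int, bit: int) -> bytes:
    """Authentication tag over (serial number, bit) under the shared key."""
    return hmac.new(key, f"{serial}:{bit}".encode(), hashlib.sha256).digest()


def chaff(key: bytes, bits: list[int]) -> list[tuple[int, int, bytes]]:
    """Sender side: for each serial number emit a wheat packet carrying the
    real bit with a valid tag, plus a chaff packet carrying the complementary
    bit with a random (invalid) tag, the two in random order."""
    packets = []
    for serial, bit in enumerate(bits):
        wheat = (serial, bit, tag(key, serial, bit))
        fake = (serial, 1 - bit, secrets.token_bytes(TAG_LEN))
        pair = [wheat, fake]
        if secrets.randbelow(2):
            pair.reverse()
        packets.extend(pair)
    return packets


def winnow(key: bytes, packets) -> list[int]:
    """Receiver side: keep exactly the packets whose tag verifies and
    reassemble the message in serial-number order."""
    kept = {}
    for serial, bit, t in packets:
        if hmac.compare_digest(t, tag(key, serial, bit)):
            kept[serial] = bit
    return [kept[i] for i in sorted(kept)]


def values_seen(packets) -> dict[int, set[int]]:
    """What a party without the key can read off the wire: the set of bit
    values that appear for each serial number. For the scheme above this is
    {0, 1} for every serial, so the stream reveals only the message length."""
    seen: dict[int, set[int]] = {}
    for serial, bit, _ in packets:
        seen.setdefault(serial, set()).add(bit)
    return seen
```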

14.3.12 Design and implementation of a secure transport protocol

We address in [107] the problem of designing and implementing a secure means of point-to-point communication. The communicating parties A and B are naturally viewed as applications using a common transport protocol and are assumed to possess a secret key unknown to the adversary. The latter is assumed to monitor the parties’ communications, and is even capable of injecting or removing messages from the lines.

Our design provides data integrity and confidentiality. But it also identifies the need for a new security feature we call secure delivery. We argue that the latter cannot be efficiently provided at the application level, and thus advocate implementing the security at the transport level.

A prototype of our secure transport protocol was implemented by Erol Basturk. It runs on a high-speed network, and the design is directed at maximizing performance in this setting.

Our implementation uses variants of the entity authentication and key distribution protocols discussed in Section 14.3.4.

15 My research in complexity theory

I have divided this work into four sections: probabilistic proofs and approximation; complexity of interactive and zero-knowledge proofs; randomness; and machine learning. In each case I will provide a brief introduction, discuss the directions I have followed, and then discuss the results in more depth.


15.1 Probabilistic proofs and approximation

I believe my most important contributions in complexity theory are in the area of probabilistic proofs and their application to obtaining non-approximability results for NP-complete optimization problems.

15.1.1 Background and directions

During the last five years, a remarkable sequence of results in combinatorial optimization has been obtained by use of techniques from probabilistic proofs. These results demonstrate the non-approximability of various important optimization problems. Today, researchers have come to the point of having tight bounds on the approximation complexity of a host of problems. This is widely recognized as one of the more important accomplishments in theoretical computer science in the last decade. I believe I have contributed to this accomplishment and played a role in getting us to where we are.

The problems being addressed here are quite classical. By the 70s, people were finding that most interesting optimization problems were NP-complete, meaning there was little hope of finding efficient algorithms to solve them. Thus, attention was focused on finding (efficient) approximation algorithms: algorithms that would yield solutions close to, if not quite equal to, the optimal solutions. As the investigation of approximation grew it was found that results were mixed. Some problems succumbed to approximation. Others, however, defied all efforts to find good approximation algorithms. Did such algorithms actually not exist, or were we not clever enough to find them?

This question remained largely open until very recently. A breakthrough came in a paper by Feige, Goldwasser, Lovasz, Safra, and Szegedy (FGLSS, 1991). They used results on probabilistically checkable proofs (PCPs) to show that Max-Clique is hard to approximate, even within quite large factors. This was the birth of the new area. I have followed two major directions in this area.

One is applying PCP techniques to other problems. The FGLSS result was about the Max-Clique problem. What about other optimization problems: could PCP based techniques be used to prove non-approximability results about these as well? Publications [90, 93] seem to have been amongst the first to address this question and indeed succeed in taking the techniques beyond Max-Clique. Techniques from here, such as the use of two prover proofs, were then successfully used elsewhere.

The other is improving PCPs and non-approximability results. Although impressed with the strength of initial PCP based approximation results, people did not at first imagine these results could actually become tight, meaning that we would prove non-approximability to within the factor achievable by the best known algorithms. Yet today we can. In publication [92] we took the first step, emphasizing how “better” proof systems yielded stronger non-approximability results, and building such systems. In publications [94, 103] we focused on new parameters such as “free bit complexity” and made the gaps small enough that tight results were in sight.

Next I discuss the above mentioned results in more depth.

15.1.2 Results

Non-approximability of nonlinear programs. Polynomial programming is the problem of maximizing a polynomial f(x_1, ..., x_n) subject to linear constraints. When f is linear we have linear programming, known to be solvable in polynomial time. When f is nonlinear things are much harder, and people seek approximation algorithms. However, no decent approximation algorithms are known.

We applied the PCP technology to the problem. We used certain two-prover proof systems to show that approximating quadratic programming is hard. This work, eventually published in [90], was actually the first indication that the PCP method could be applied to problems other than Max-Clique. It also introduced the use of two-prover proofs in reductions, and is interesting in that results on continuous optimization problems are obtained by discrete methods.

Reductions from two-prover proofs. Publication [93] went on to use two-prover proof systems to show a wide variety of non-approximability results, in the areas of network flow, systems of representatives, and longest paths in graphs. These results further exemplified the applicability of PCP based techniques to showing non-approximability of problems beyond Max-Clique. Since then two-prover proofs were used to prove other non-approximability results, most importantly for the Set Cover problem.

Efficient PCPs, Set Cover, and other improvements. Following the work of FGLSS, improvements were obtained by Arora and Safra (AS, 1992), Arora, Lund, Motwani, Sudan and Szegedy (ALMSS, 1992) and Lund and Yannakakis (LY, 1993). These brought us to the point where Max-Clique and Chromatic Number were known to be un-approximable within N^ε, for some constant ε > 0, N being the number of nodes in the graph. But the value of ε was very small.

Publication [92] drew attention to how the complexity of the underlying proof system, under various measures, impacted the non-approximability results in different ways. In particular it drew attention to the number of queries made to the proof (as opposed to the number of proof bits read) as a parameter. We designed new, constant-query PCPs for NP and thence derived improved non-approximability results for many problems: Set Cover, Max-Clique, Chromatic Number, and Max-3SAT. In particular we had the first reasonable and explicit values of the constant ε > 0 for Max-Clique and Chromatic Number, and the first explicit constant for Max-3SAT. This work seems to have been widely influential, and is my most referenced work in the literature.

Towards tight results via free bit complexity. Although publication [92] showed that explicit and large non-approximability factors were possible, tight results still did not seem in sight. The step to tight results was made in publication [94]. Key to this step was the consideration of a new complexity measure introduced by Feige and Kilian in 1994. Publication [94] named it the number of “free” bits. It then introduced the notion of “amortization” of free bit complexity (implicitly; a proper definition was provided later, in [103]) and constructed proof systems for NP with amortized free bit complexity three. The result was that Max-Clique was hard to approximate within N^{1/4}. This work also provided a new, tighter reduction of Max-Clique to Chromatic Number, thereby showing the latter was hard to approximate within N^{1/10}.

Publication [103] took the use of free bits even further. First we built proof systems for NP with amortized free bit complexity two, showing that Max-Clique was hard to approximate within N^{1/3}. Then we initiated a systematic derivation of strong non-approximability results for Max-SNP problems, obtaining results for Max-2SAT, Max-3SAT, Vertex Cover, and Max-Cut. At the technical level this work introduced the “long code,” which has been used in later improvements.

Hastad has since constructed proof systems for NP with amortized free bit complexity as low as any constant, thereby showing Max-Clique is hard to approximate within N^{1−δ} for any δ > 0, which is tight. More recently he is getting tight results for Max-SNP problems. All these results use the long code. Feige and Kilian used Hastad’s proof systems to show tight results for the Chromatic Number problem.


15.2 Complexity of interactive and zero-knowledge proofs

Interactive proofs were the first extension of the classical NP notion of efficient provability. Since then, several variants and enhancements have been proposed and investigated, including zero-knowledge proofs, multi-prover proofs, and the probabilistic proofs we have mentioned above. Research in this area has been, globally speaking, a successful and rewarding enterprise in theoretical computer science, and although the most striking and well-known part is the connection to approximation, several other issues, many of them older, have been important and influential as well. Here I would like to discuss my contributions in this area.

15.2.1 Background and directions

NP is naturally viewed as a proof system. A (deterministic, polynomial time) verifier V has access to the input x and a proof string supplied by the prover, and must decide whether or not x belongs to an underlying L ∈ NP. Interactive proofs (Goldwasser, Micali and Rackoff, 1985, and Babai, 1985) extend the NP notion of efficient provability by adding interaction and randomization to the process. The verifier, now probabilistic, exchanges a sequence of poly(n) messages with the prover, and takes his decision at the end of the exchange. (Here n = |x|.) The prover is said to succeed if he can make the verifier accept. We ask that the prover succeed with high probability when x is indeed in L, and, no matter what strategy he follows, fail with high probability otherwise. The most important result in this area is that the class IP of languages recognized by interactive proofs equals PSPACE (Shamir, 1990).

My research in the complexity of interactive proofs is directed at understanding how the power of the system varies with the complexity of the system under various measures. These measures include: the number of rounds of interaction allowed to the parties; the number of random bits the verifier uses; the computational complexity allowed to the prover; and the knowledge complexity of the proof system.

15.2.2 Results

Randomness complexity of interactive proofs. Randomness is an essential resource in an interactive proof: if the verifier was deterministic, IP would collapse to NP. Publication [91] initiates an investigation of interactive proof properties as a function of the amount of randomness used. The specific problem considered is error-reduction. We show how to do it in a way which is more cost-effective than the naive way. Underlying our protocol is a randomness-efficient sampling technique discussed in Section 15.3.

Publication [97] investigates the power of two-prover proofs as a function of the shared randomness complexity, and shows that shared randomness is essential to the zero-knowledge property of these proofs.

Decision versus search and prover complexity. Although NP is formalized in terms of decision problems (e.g. decide whether a given graph G has a Hamiltonian cycle) the real goal is more likely to be that of solving the associated search problem (find a Hamiltonian cycle in G if it exists). The relation of search to decision has attracted research since NP was introduced. Publication [95] indicates that search can be harder than decision. Let us say that search reduces to decision if the search problem can be solved in polynomial time given an oracle for the decision problem. Then the result is that there is a language L ∈ NP such that none of the (many possible) search problems defining L are reducible to the decision problem. This result is obtained under the complexity assumption that the double-exponential time counterparts of P and NP are distinct.

The search versus decision question has a nice formulation in terms of NP proof systems: search reduces to decision for L if and only if it has an NP proof system with a prover who runs in polynomial time given an oracle for L. Thus, it becomes natural to ask whether the prover’s task would be alleviated by allowing interaction and randomness. In other words, does L possess an interactive proof in which the prover is polynomial time with an L-oracle? Publication [95] indicates that the answer is still no: there are NP languages not possessing such competitive interactive proofs. Similar negative results are obtained for program checking. These results assume that the double-exponential time counterpart of NP is not contained in the double-exponential time counterpart of BPP.

Every language in IP is easily seen to have an interactive proof in which the prover runs in polynomial space. But when zero-knowledge must be maintained, it appears the prover must work much harder. In fact, it is not obvious that a statistical zero-knowledge prover is even Turing computable, although the corresponding class of languages, SZK, is in Σ^P_2 ∩ Π^P_2 (Fortnow and Aiello-Hastad, 1987). Publication [88] addressed this question and was able to obtain quite a strong result, showing that any L ∈ SZK has a statistical zero-knowledge proof in which the prover is a probabilistic, polynomial time machine with access to an NP oracle. This result makes no complexity assumptions. Underlying this result is an efficient procedure for uniform generation, discussed in Section 15.3.

Complexity of statistical ZK. Publication [10] introduces a paradigm for establishing complexity theoretic properties of the class SZK of languages possessing statistical zero-knowledge proofs. The idea is to first establish the property assuming the verifier behaves honestly, and then transform the protocol in such a way that the property is maintained and the honesty of the verifier is enforced. Specific results obtained include the following. First, every L ∈ SZK has a statistical zero-knowledge proof with perfect completeness (the probability that the verifier accepts when x ∈ L is exactly one). Second, every L ∈ SZK has a statistical zero-knowledge proof in which the simulation satisfies the “blackbox simulation” property. The main tool underlying these results is a “cryptographic compiler” which applied to any protocol forces honesty of the verifier and maintains the two properties discussed above. See Section 14.3.10 for a discussion of cryptographic (rather than complexity theoretic) applications of this compiler.

These results rely on the assumption that the discrete log problem is hard. These assumptions have since been reduced by Ostrovsky, Venkatesan and Yung (1991), Damgard (1993), and Damgard, Goldreich, and Wigderson (1995).

Knowledge complexity. The extension of zero-knowledge to a notion of proofs which might leak a little information, or knowledge, is natural to undertake for many reasons. For example, perhaps one can gain efficiency at the cost of leaking a little knowledge. Quantifying knowledge, however, involves some definitional subtleties, and appropriate definitions are quite recent (Goldreich and Petrank, 1991).

The class SZK of languages possessing statistical zero-knowledge proofs of membership is in Σ^P_2 ∩ Π^P_2 (Fortnow and Aiello-Hastad, 1987). Publication [88] shows that languages possessing proofs that leak a little knowledge still remain relatively simple: specifically, it shows that a language possessing a g(n) round proof leaking κ(n) bits is in BPP^NP as long as g(n) · κ(n) = O(log n). Goldreich, Ostrovsky and Petrank (1994) present an improved analysis of our protocol, plus a reduction of the statistical case to the perfect case, to show that any language with a O(log n) knowledge complexity proof is in BPP^NP.

In publication [98] we further extended this result to hold for languages with logarithmic knowledge complexity on the average. We also introduced a new measure of knowledge complexity, called oracle entropy, and showed tight relations between perfect and statistical knowledge complexity via this notion.

Failure of parallel repetition for arguments. Cryptographic protocols need to have a low error-probability. A common strategy aimed at achieving this is to repeat often enough a protocol with fixed error. It is easy to show this works in an “interactive proof” setting where the prover is computationally unrestricted. It seems to have been taken for granted that it also works in the cryptographic setting where the prover is polynomial-time. In publication [32], we show that this is not the case, by presenting protocols for which the error does not go down upon repetition. This is a somewhat surprising and unexpected result.

15.3 Randomness

The recognition of the power of randomization is one of the more important accomplishments of the field of computer science. In algorithms and distributed computing, randomization is used to achieve efficiency. In cryptography it is crucial since a hidden random string is the only source of a key one can be sure an adversary doesn’t know. Research directed at understanding and exploiting randomness tends to be useful.

In some sense, everything discussed above is about randomness. What I discuss below is research pertaining directly to randomness usage.

15.3.1 Background and directions

High-quality random bits are expensive to generate. Thus it makes sense to use as few of them as possible. This has led to a large body of work on the subject of randomness-efficient algorithm design. Publication [91] addresses in this regard the basic sampling problem.

Sometimes, we are given the problem of computing a function which is by definition probabilistic. One such, important in applications, is uniform generation. Publication [88] addresses the question of computing this function as efficiently as possible.

15.3.2 Results

Sampling. The problem of approximating the average value E[f] = 2^{−n} Σ_{x∈{0,1}^n} f(x) of a function f : {0,1}^n → [0,1] is ubiquitous. The standard technique is to pick O(ε^{−2} log δ^{−1}) sample points at random and evaluate the average of the function on these sample points: this yields an estimate that with probability ≥ 1 − δ is within ε of E[f]. But the cost in randomness, O(nε^{−2} log δ^{−1}) coin tosses, is excessive. Although many randomness-efficient approximation methods are known, they have various limitations: either they work only for some values of the parameters ε and δ, or they only work for special classes of functions.

Publication [91] presents a sampling method which is optimal in terms of randomness and number of sample points. Our method uses only O(n + log δ^{−1}) coin tosses to generate O(ε^{−2} log δ^{−1}) sample points x_{1,1}, ..., x_{1,t}, ..., x_{m,1}, ..., x_{m,t}; we then let v_i = (1/t) · Σ_{j=1}^{t} f(x_{i,j}) and output as estimate the median value amongst v_1, ..., v_m. Our method works for all functions, and the same range of parameters as the standard method. It combines pairwise independence with random walks on expander graphs. It is used in the randomness-efficient error-reduction protocols discussed in Section 15.2.
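The median-of-means structure of this method, as an added example (not the code of [91]): each group mean v_i is taken over pairwise-independent points and the median of v_1, ..., v_m is output. The expander walk that ties the groups together in [91] is replaced here, as a simplifying assumption, by a fresh random GF(2) matrix per group, so this version spends O(n^2 log δ^{−1}) coins rather than O(n + log δ^{−1}); the count is still independent of ε, unlike the naive sampler's.

```python
import math
import random
import statistics
from typing import Callable


def pairwise_independent_points(n: int, t: int, rng: random.Random) -> list[int]:
    """Return t points of {0,1}^n that are uniform and pairwise independent.
    Assumed construction (not the expander-walk scheme of [91]): x_j = A*j xor b
    over GF(2), with A a random n-by-n bit matrix and b a random n-bit vector.
    For distinct j, j' the pair (A*j, A*j') is uniform, so any two outputs are
    independent; b makes each single output uniform. Costs n*n + n coins."""
    if t > 2 ** n:
        raise ValueError("at most 2^n distinct indices j are available")
    rows = [rng.getrandbits(n) for _ in range(n)]  # matrix A, one int per row
    b = rng.getrandbits(n)
    points = []
    for j in range(t):
        y = 0
        for i, row in enumerate(rows):
            y |= (bin(row & j).count("1") & 1) << i  # bit i of A*j is <row_i, j>
        points.append(y ^ b)
    return points


def parameters(eps: float, delta: float) -> tuple[int, int]:
    """Group size t and number of groups m.
    Pairwise independence gives Var[v_i] <= 1/(4t), so by Chebyshev
    Pr[|v_i - E[f]| >= eps] <= 1/(4 t eps^2) <= 1/4 once t >= 1/eps^2.
    Groups are independent, so by Hoeffding the median is off by eps only if
    at least m/2 groups are, probability <= exp(-m/8) <= delta for
    m >= 8 ln(1/delta)."""
    t = math.ceil(1 / eps ** 2)
    m = math.ceil(8 * math.log(1 / delta))
    return t, m


def estimate_mean(f: Callable[[int], float], n: int, eps: float, delta: float,
                  rng: random.Random) -> float:
    """Median-of-means estimate of E[f] = 2^-n * sum_x f(x), f: {0,1}^n -> [0,1]."""
    t, m = parameters(eps, delta)
    group_means = []
    for _ in range(m):
        xs = pairwise_independent_points(n, t, rng)   # fresh A, b per group
        group_means.append(sum(f(x) for x in xs) / t)  # v_i
    return statistics.median(group_means)


def coins_used(n: int, eps: float, delta: float) -> tuple[int, int]:
    """(coins of this estimator, coins of the naive sampler that draws all
    t*m points independently at n coins each)."""
    t, m = parameters(eps, delta)
    return m * (n * n + n), n * t * m


if __name__ == "__main__":
    # Constructed target: fraction of 1-bits in a 16-bit string, mean exactly 1/2.
    frac_ones = lambda x: bin(x).count("1") / 16
    print(estimate_mean(frac_ones, 16, 0.1, 0.01, random.Random(7)))
    print(coins_used(16, 0.05, 0.01))
```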

Publication [96] introduces the notion of a sampling procedure being oblivious. That is, the sampling algorithm should simply output a list of points x_1, ..., x_l and the estimate should be given by (1/l) · Σ_{i=1}^{l} f(x_i). This is important in some applications. The method of [91], although optimal in coins and sample points, is not oblivious. Publication [96] shows how to implement oblivious sampling using only O(n + log δ^{−1} · log n) coin tosses (and polynomially many sample points), using low independence hash functions. This has since been improved by Zuckerman.

Uniform generation. Many applications call for the ability to generate points (almost) uniformly at random from a given set S ⊆ {0,1}^n. More precisely, the problem is to design a probabilistic algorithm M such that for some distribution D having distance δ from the uniform distribution on S, it is the case that on input n, δ the output of M is uniformly distributed according to D. The question is how to do this efficiently. The running time is measured as a function of n and log δ^{−1}. A well-known result (Jerrum, Valiant and Vazirani, 1986) presents a procedure which runs in probabilistic, polynomial time given access to a Σ^P_2 oracle. Publication [105] presents a procedure which runs in probabilistic, polynomial time given access to only an NP oracle. It can be applied to obtain the efficient zero-knowledge provers and bounds on the complexity of low knowledge complexity languages which are discussed in Section 15.2, and some results about two prover proofs in publication [97].

Distributed coin tossing. Many distributed protocols require the parties to produce a “common coin.” (This is a distributed object, which is defined by certain pieces of information held by the different players.) Production of such coins can be expensive. Publication [102] introduces the notion of a distributed pseudorandom bit generator. In analogy to a normal pseudorandom bit generator, it takes a short “seed” of common coins and “expands” it to a long sequence of common coins, at low amortized cost per coin produced. The “generator” is of course, in this case, a distributed protocol. We provide an efficient implementation of such a generator, and use this to derive efficiency improvements for various distributed algorithms.

15.4 Machine learning

Learning is a tool in artificial intelligence and robotics. The general problem is to design algorithms which somehow “learn” their environment. Computational learning theory, an active area of current research, attempts to provide efficient algorithms whose properties can be argued correct in some manner. I have done a little work in this area.

The problem addressed is to be able to learn a target boolean function from its values on a small set of points. Spectral techniques (Fourier series) have been shown to be useful. In particular the KM-algorithm (Kushilevitz and Mansour, 1991) learns boolean functions in time proportional to their spectral norm (the spectral norm L(f) of a function f : {0,1}^n → {−1,+1} is the sum of the absolute values of all the coefficients in its Fourier series). Motivated by this and other results, I have looked at two aspects of spectral techniques for learning.

A technique for upper bounding the spectral norm. If one can prove a function has a polynomially bounded spectral norm, then the above mentioned results will imply it is learnable. This motivates the search for general techniques to upper bound the spectral norm. Publication [89] presents such a technique. It shows how a function f can be broken into a collection of “simpler” functions f_1, ..., f_m in such a way that computing L(f) reduces to computing L(f_1), ..., L(f_m).


The method can be applied repeatedly, until the functions are simple enough that their spectral norms are easy to compute. This method is applied to show that the class of DNF formulas having a logarithmic number of terms has polynomially bounded spectral norm and hence is learnable.
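As an added example (not the decomposition technique of [89]), the spectral norm computed exactly from a truth table with the Walsh-Hadamard transform, so that bounds of the kind discussed above can be checked on small DNF formulas; the ±1 encoding of the DNF and the two reference functions are choices made for this illustration. It confirms L(f) = 1 for parity and L(f) = 3 − 2^{2−n} for the single-term DNF x_1 ∧ ... ∧ x_n.

```python
# Exact spectral norm L(f) = sum over S of |f^(S)| for f: {0,1}^n -> {-1,+1},
# with f^(S) = 2^-n * sum_x f(x) * (-1)^<S,x>. The Fourier coefficients come
# from the fast Walsh-Hadamard transform of the full truth table, which is
# exponential in n and therefore only a tool for checking small instances.


def dnf_truth_table(n: int, terms: list[dict[int, int]]) -> list[int]:
    """Evaluate a DNF on all of {0,1}^n in the +-1 convention: -1 where the
    formula is true, +1 where it is false (the norm is the same either way).
    Each term maps variable index -> required bit value (assumed encoding)."""
    table = []
    for x in range(2 ** n):
        bits = [(x >> i) & 1 for i in range(n)]
        satisfied = any(all(bits[v] == val for v, val in term.items())
                        for term in terms)
        table.append(-1 if satisfied else 1)
    return table


def fourier_coefficients(values: list[float]) -> list[float]:
    """In-place Walsh-Hadamard butterfly; entry S of the result is f^(S),
    with S read as the bitmask of the variable subset."""
    a = list(values)
    size = len(a)
    if size == 0 or size & (size - 1):
        raise ValueError("truth table length must be a power of two")
    h = 1
    while h < size:
        for start in range(0, size, 2 * h):
            for i in range(start, start + h):
                u, v = a[i], a[i + h]
                a[i], a[i + h] = u + v, u - v
        h *= 2
    return [c / size for c in a]


def spectral_norm(values: list[float]) -> float:
    return sum(abs(c) for c in fourier_coefficients(values))


def parity_table(n: int) -> list[int]:
    """Parity of n bits: a single coefficient of size 1, so L(f) = 1."""
    return [-1 if bin(x).count("1") & 1 else 1 for x in range(2 ** n)]


if __name__ == "__main__":
    and3 = dnf_truth_table(3, [{0: 1, 1: 1, 2: 1}])     # x1 and x2 and x3
    print(spectral_norm(and3))                           # 3 - 2^(2-3) = 2.5
    print(spectral_norm(parity_table(4)))                # 1.0
    two_terms = dnf_truth_table(4, [{0: 1, 1: 1}, {2: 0, 3: 1}])
    print(spectral_norm(two_terms))
```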

Learning under mutually independent distributions. While learning in Valiant’s distribution free framework is the acknowledged desideratum, the KM-algorithm learns only under the uniform distribution. Publication [106] extends techniques of Furst, Jackson and Smith to show how the KM-algorithm can be extended to learn under distributions which are mutually independent. This may represent a (small) step towards achieving true distribution free learning.