Decremental Single-Source Shortest Paths on Undirected Graphs in Near-Linear Total Update Time

In the decremental single-source shortest paths (SSSP) problem we want to maintain the distances between a given source node $s$ and every other node in an $n$-node $m$-edge graph $G$ undergoing edge deletions. While its static counterpart can be solved in near-linear time, this decremental problem is much more challenging even in the undirected unweighted case. In this case, the classic $O(mn)$ total update time of Even and Shiloach [JACM 1981] has been the fastest known algorithm for three decades. At the cost of a $(1+\epsilon)$-approximation factor, the running time was recently improved to $n^{2+o(1)}$ by Bernstein and Roditty [SODA 2011]. In this paper, we bring the running time down to near-linear: We give a $(1+\epsilon)$-approximation algorithm with $m^{1+o(1)}$ expected total update time, thus obtaining near-linear time. Moreover, we obtain $m^{1+o(1)} \log W$ time for the weighted case, where the edge weights are integers from $1$ to $W$. The only prior work on weighted graphs in $o(m n)$ time is the $m n^{0.9 + o(1)}$-time algorithm by Henzinger et al. [STOC 2014, ICALP 2015] which works for directed graphs with quasi-polynomial edge weights. The expected running time bound of our algorithm holds against an oblivious adversary. In contrast to the previous results which rely on maintaining a sparse emulator, our algorithm relies on maintaining a so-called sparse $(h, \epsilon)$-hop set introduced by Cohen [JACM 2000] in the PRAM literature. An $(h, \epsilon)$-hop set of a graph $G=(V, E)$ is a set $F$ of weighted edges such that the distance between any pair of nodes in $G$ can be $(1+\epsilon)$-approximated by their $h$-hop distance (given by a path containing at most $h$ edges) on $G'=(V, E\cup F)$. Our algorithm can maintain an $(n^{o(1)}, \epsilon)$-hop set of near-linear size in near-linear time under edge deletions.Comment: Accepted to Journal of the ACM. A preliminary version of this paper was presented at the 55th IEEE Symposium on Foundations of Computer Science (FOCS 2014). Abstract shortened to respect the arXiv limit of 1920 character

Cinderella: Turning Shabby X.509 Certificates into Elegant Anonymous Credentials with the Magic of Verifiable Computation

Abstract-Despite advances in security engineering, authentication in applications such as email and the Web still primarily relies on the X.509 public key infrastructure introduced in 1988. This PKI has many issues but is nearly impossible to replace. Leveraging recent progress in verifiable computation, we propose a novel use of existing X.509 certificates and infrastructure. Instead of receiving & validating chains of certificates, our applications receive & verify proofs of their knowledge, their validity, and their compliance with application policies. This yields smaller messages (by omitting certificates), stronger privacy (by hiding certificate contents), and stronger integrity (by embedding additional checks, e.g. for revocation). X.509 certificate validation is famously complex and errorprone, as it involves parsing ASN.1 data structures and interpreting them against diverse application policies. To manage this diversity, we propose a new format for writing application policies by composing X.509 templates, and we provide a template compiler that generates C code for validating certificates within a given policy. We then use the Geppetto cryptographic compiler to produce a zero-knowledge verifiable computation scheme for that policy. To optimize the resulting scheme, we develop new C libraries for RSA-PKCS#1 signatures and ASN.1 parsing, carefully tailored for cryptographic verifiability. We evaluate our approach by providing two real-world applications of verifiable computation: a drop-in replacement for certificates within TLS; and access control for the Helios voting protocol. For TLS, we support fine-grained validation policies, with revocation checking and selective disclosure of certificate contents, effectively turning X.509 certificates into anonymous credentials. For Helios, we obtain additional privacy and verifiability guarantees for voters equipped with X.509 certificates, such as those readily available from some national ID cards