The Game-Playing Technique

Size: px
Start display at page:

Download "The Game-Playing Technique"

Transcription

1 The Game-Playing Technique M. Bellare P. Rogaway December 11, 2004 (Draft 0.4) Abtract In the game-playing technique, one write a peudocode game uch that an adverary advantage in attacking ome cryptographic contruction i bounded above by the probability that the game et a flag bad. Thi probability i then upper bounded by making tepwie, yntactical refinement to the peudocode a chain of game. The approach wa firt ued by Kilian and Rogaway (1996) and ha been ued repeatedly ince, but it ha never received a ytematic treatment. In thi paper we provide one. We develop the foundation for game-playing, formalizing a general framework for doing game-playing proof and providing general and ueful lemma that jutify variou kind of game-refinement tep. We ue thi to provide impler and more eaily verifiable proof of ome claic exiting reult, including the ecurity of the baic CBC MAC. We then extend thi to prove a ignificant new reult, namely an improved ecurity bound for the baic CBC MAC. Keyword: CBC MAC, cryptographic analyi technique, game, provable ecurity. Department of Computer Science & Engineering, Univerity of California at San Diego, 9500 Gilman Drive, La Jolla, California USA. mihir@c.ucd.edu WWW: Department of Computer Science, Univerity of California at Davi, Davi, California, 95616, USA; and Department of Computer Science, aculty of Science, Chiang Mai Univerity, Chiang Mai 50200, Thailand. rogaway@c.ucdavi.edu WWW: rogaway/ 1

2 Content 1 Introduction The game-playing approach oundation of game playing Application Related work Dicuion and outline The PRP/PR Switching Lemma 6 3 The Game-Playing ramework Game yntax Running a game Identical-until-bad-i-et game The fundamental lemma Game-Rewriting Technique After bad i et, nothing matter Coin fixing Lazy ampling Baic technique urther advice Elementary Proof for the CBC MAC 15 6 Improved Bound for the CBC MAC 18 7 OAEP 22 Acknowledgment 25 Reference 26 A ixing the PRP/PR Switching Lemma without game 28 B Bug in [JJV02] and an Earlier Draft of Thi Paper 28 2

3 1 Introduction Thi paper i about the game-playing approach for analyzing cryptographic contruction. We develop a theory of game-playing, elevating it from example to a general and readily uable technique, and we howcae the ue of the method with ome illutrative application. Our work upport the thei that game-playing, done right, i a powerful tool, capable of delivering more complete and eaily verifiable proof of trong reult than are obtainable by competing conventional method. 1.1 The game-playing approach The firt tep in our program i to ditill from different approache in the literature a ingle paradigm to capture what we want to call game playing. Roughly it work like thi. Suppoe we wih to upper bound the advantage of an adverary A in attacking ome cryptographic contruction. Thi i a number between 0 and 1 that i computed a the difference between the probabilitie that A output 1 in two different world. 1 We proceed a follow: (1) Write ome peudocode a game that capture the behavior of world 1. The game initialize variable, interact with the adverary, and then run ome more. (2) Write another piece of peudocode a econd game that capture the behavior of world 0. Arrange that game 1 and 0 are yntactically identical program apart from tatement that follow the etting of a flag bad to true. (3) Invoke a fundamental lemma of game playing to ay that, in thi etup, the adverary advantage i upper-bounded by the probability that bad get et (in either game). (4) Chooe one of the two game and lowly tranform it, modifying it in way that increae or leave unchanged the probability that bad get et, or decreae the probability that bad get et by a bounded amount. (5) In thi way you produce a game chain, ending at ome terminal game. Bound the probability that bad get et in the terminal game. It i central to our approach that game are code, not ome equivalent functional decription; the method, a we develop it, center around making diciplined tranformation to code to get a cryptographic bound. 1.2 oundation of game playing We begin by giving a general framework for game-playing proof. A game G i formalized a a tuple of program, each written in ome programming language. 2 The program have a common et of global, tatic variable. A game G can be run with an adverary A (look ahead to igure 2), the adverary calling out to the program that are provided. We define what it mean for two game to be identical-until-bad-i-et, where bad i a boolean variable in the game. Thi i a yntactical condition. We prove a fundamental lemma for game-playing that ay that if two game are identical-until-bad-i-et then the difference in the probabilitie of a given outcome i bounded by the probability that bad get et (in either game). The fundamental lemma i the central tool jutifying the game-playing technique. We go on to give ome general lemma and technique for analyzing the probability that bad get et. Principle among thee i a imple lemma that let you change anything you want after the flag bad get et, and a lemma that jutifie, in ome cae, a commonly-ued technique of lazy coin-flipping. We comment that while element of thi framework have been ued before, nothing ha been done with much care or formality. 1.3 Application The application we provide are choen to illutrate the applicability of game in a wide variety of environment: they range acro the tandard model and the random oracle model [BR93], and acro both 1 Sometime the advantage might be omething ele, uch a the probability that the adverary forge, but the cae we conider i very common. 2 We actually ue peudocode a our programming language. We could have formally pecified the deired programming language, and there would eem to be ome advantage to doing o, but we have not followed that path. 3

4 ymmetric and aymmetric cryptographic primitive. PRP/PR Switching Lemma. We begin with a motivating obervation, due to Tadayohi Kohno, that the tandard proof of the PRP/PR witching lemma, a given in [BKR94, HWKS98], contain an error in reaoning about conditional probabilitie. (The lemma ay that an adverary that ak at mot q querie can ditinguih with advantage at mot q 2 /2 n+1 a random permutation on n-bit from a random function of n-bit to n-bit. It i frequently employed in the analyi of contruction that ue blockcipher and model them a PRP.) We regard thi a evidence that reaoning about cryptographic contruction via conditional probabilitie can be ubtle and error-prone even in the implet of etting, and motivate the ue of game a an alternative. We re-prove the witching lemma with a very imple game-baed proof. CBC MAC. Let Adv cbc n,m(q) denote the maximum advantage that an adverary, retricted to making at mot q oracle querie, can obtain, in ditinguihing between (1) the m-block CBC MAC, keyed by a random permutation on n bit, and (2) a random function from mn-bit to n-bit. A reult of [BKR94] ay that Adv cbc n,m(q) 2m 2 q 2 /2 n. The contant of 2 wa reduced to 1 in [Ma02]. The proof of [BKR94] wa complex and did not directly capture the intuition behind the ecurity of the cheme. In thi paper we ue game to give an elementary proof of the m 2 q 2 /2 n bound that capture thi intuition. We then go on to provide a ignificant improvement, howing that Adv cbc n,m(q) cmq 2 /2 n + cm 4 /2 2n for ome abolute contant c. (Note thi bound i alway better, up to a contant factor, than the previou one, and alo that it implie Adv cbc n,m(q) 2c mq 2 /2 n for m N 1/3.) Thi reult i obtained by uing a carefully choen game chain to reduce the problem of bounding Adv cbc n,m(q) to bounding omething we call the full colliion probability of the CBC MAC and then invoking a lemma of Pietrzak [Pi04], in turn baed on technique of [DGHKR04], to bound the latter. We note that improving the ecurity bound for the CBC MAC ha been a well-known open problem for ten year. The quantitative difference in the ecurity guaranteed by thee bound can be ignificant when dealing with long meage. or example, if n = 64 and meage are 128 KByte (m = 2 14 ) then a m 2 q 2 /2 n bound ceae to jutify the CBC MAC at around q = 2 18 meage, while our bound jutifie the CBC MAC to around q = 2 25 meage. (Thi dicuion ignore the contant factor in the bound.) OAEP. inally, we give an example of uing game in the public-key, random-oracle etting by proving that OAEP [BR94] with any trapdoor permutation i an IND-CPA ecure encryption cheme. The original proof [BR94] of thi (known) reult wa hard to follow or verify; the new proof i impler and clearer, and illutrate the ue of game in a computational rather than information-theoretic etting. 1.4 Related work Prior ue of game. The firt ue of the game-playing technique i due to Kilian and Rogaway [KR96], who ued the approach to analye DESX. The method oon became the favored one of Rogaway, who ued it, along with coauthor, in ome ten or o ubequent paper [BKR98, BR00, RBB01, BR02, BRS02, R02, HR03, BRW04, HR04, R04]. Shoup wa the firt to analye a public-key contruction uing a game chain [Sh00], and game-playing oon became a favored technique of hi, too [SS00, Sh01a, Sh01b, CS02, CS03a, CS03b, GS04]. Nowaday many further author develop their proof in term of game chain; ee [BBKN01, BCP03, BK05, Bo01, DKY03, OPS04, GMMV03, KD04, PP04] a a ample. A notable difference between the Rogaway and Shoup approache to game i that in the former, game are een a peudocode object that et flag and are formally manipulated. Thi i the viewpoint that the preent paper develop and advocate, becaue we think that it give rie to more tructured and eailyverified proof, and we believe that it will engender a richer and more eaily applied theory. At the ame time, we ee the difference in the approache to date (a ditinction we are only now introducing) a being omewhat a matter of tate. Alternative to game. With motivation imilar to our own, Maurer develop a framework for the analyi of cryptographic contruction and applie it to the CBC MAC and other example [Ma02]. Vaudenay ha likewie developed a general framework for the analyi of blockcipher and blockcipher-baed contruction, and ha applied it to the encrypted CBC MAC [Va01]. Neither Maurer nor Vaudenay approach are widely employed, and neither i geared toward making tepwie, code-directed refinement for computing a probability. 4

5 Making game-playing rigorou. A more limited and le formal verion of our fundamental lemma (Lemma 5) appear in [BKR98, Lemma 7.1]. A lemma by Shoup [Sh01a, Lemma 1] function in a imilar way. CBC. Work like [PR00, Va01, BR00] analye variant of the baic CBC MAC. Their method do not eem to apply to the baic CBC MAC itelf, and in any cae they all get bound of (a contant time) m 2 q 2 /2 n. Dodi, Gennaro, Håtad, Krawczyk, and Rabin [DGHKR04] provide a bound on the colliion probability CP (n, m), defined a the maximum, over all pair of ditinct meage of exactly m block, that the CBC MAC of thee meage, taken over a random permutation, coincide. Thi doe not appear to be immediately ueful toward bounding Adv cbc n,m(q), but we reduced the latter tak to bounding a related probability CP(n, m), defined in Section 6, that, a indicated above, wa analyzed by Pietrzk [Pi04], baed on technique of [DGHKR04]. We note that a trong bound on CP(n, m), defined jut a CP (n, m) but for meage of at mot m block rather than exactly m block, would immediately yield not only a bound on CP(n, m), but alo an improved bound on Adv ecbc n,m (q) (the advantage of the encrypted CBC MAC, defined analogouly to that for the baic CBC MAC), for the latter i imply q 2 CP(n, m), a fact eaily hown uing game. At the time of writing of thi draft, no bound on CP(n, m) analogou to that on CP (n, m) ha been hown. An improved bound on the colliion probability of the CBC MAC had been claimed, prior to [DGHKR04], by [JJV02], and an earlier attempt of our at an improved bound for the CBC MAC had been to ue the idea of [JJV02]. However, it turn out that the proof in [JJV02] wa wrong, and o alo wa our attempt at an extenion. We thank Krzyztof Pietrzak and Shai Halevi for pointing thi out. See Appendix B for further explanation and dicuion. Concurrent work. Shoup ha independently and contemporaneouly prepared a manucript on the gameplaying technique [Sh04]. It i more pedagogically-oriented than thi paper, employing impler example and focuing on known, claroom-friendly reult. Shoup make no attempt to develop a theory for game playing beyond [Sh01a, Lemma 1] that we mentioned above and reappear here. A with u, one of Shoup example i the PRP/PR witching lemma. 1.5 Dicuion and outline Why game? We advocate the game-playing paradigm for everal reaon. irt, we believe that the approach can lead to more eaily verified, le error-prone proof than thoe grounded in more conventional probabilitic language. In our opinion, many proof in cryptography are eentially unverifiable, and we view well-executed game-playing argument a an approach to help remedy thi problem. Second, we believe that game-playing i very widely applicable. Game can be ued in the tandard model, the random-oracle model, the ideal-blockcipher model, and more; they can be ued ymmetric etting, public-key etting, and further trut model; they can be ued for imple cheme (eg, jutifying the Carter-Wegman MAC) and complex protocol (eg, proving the correctne of a key-ditribution protocol). Third, game-playing i eaily applied and quickly matered: one needn t pend week to learn ome upporting theory. Indeed the econd author ha been uing game-playing in hi graduate crypto cla for year, increaingly employing it to provide a unifying tructure for proof. Student do well at following game-baed proof, perhap becaue the incremental character of contructing a game chain mehe well with the mechanic of a blackboard talk, and perhap too becaue the approach i relatively forgiving if a tudent mie ome particular tep. inally, a we demontrate, the game-playing technique can lead to ignificant new reult that would eem to be hard to get to uing any other technique. Why hould thi work? It i fair to ak if anything i actually going on when uing game couldn t you recat everything into more conventional mathematical language and drop all that ugly peudocode? Our experience i that it doen t work to do o. The kind of probabilitic tatement and thought encouraged by the game-playing paradigm eem to be a better fit, for many cryptographic problem, than that which i encouraged by (jut) defining random-variable, writing conventional probability expreion, conditioning, and the like. The power of the approach ultimately tem from the fact that peudocode i the mot precie and eay-to-undertand language we know for decribing the ort of probabilitic, reactive environment encountered in cryptography, and by remaining in that domain to do one reaoning you are better able to 5

6 ee what i happening, manipulate what i happening, and validate the change. In hort, form matter. Challenge. The extent to which game deliver eaily verifiable proof depend on the way they are ued. One hould make mall, eaily-checked adjutment a one move from one game to the next; longer game chain with mall change between adjacent game are eaier to verify than hort chain with big jump between adjacent game. Thi can be tediou and lead to lengthy proof. To be fully rigorou, each adjutment to a game hould be jutified by a formally proven rule the ort of rule that an optimizing compiler might employ to jutify reuing a regiter or doing ome code motion. There i not yet a rich enough theory to upport all of the modification to the code that you might want to make in a game. We believe that thi will get better in time; thi paper i one tep. Outline. We begin with the PRP/PR witching lemma a a motivating example and gentle introduction to game. Next, in Section 3, we provide a general framework for game playing, where we tate and prove the fundamental lemma. In Section 4 we catalogue and jutify ome technique for manipulating and refining game. In Section 5 we provide a imple, game-baed proof of ecurity of the CBC MAC with the tandard (known) bound, and in Section 6 we provide the proof of the improved bound. inally Section 7 provide a imple game-baed proof of the reult of [BR94] that OAEP with any trapdoor permutation i IND-CPA. Document hitory : irt public preentation (Luminy, rance) : Verion 0.1 poted to eprint : Verion 0.2 (retructure, clarify related work) : Verion 0.3 (temporarilly retract improved CBC bound due to bug) : Verion 0.4 (reintate improved CBC bound). 2 The PRP/PR Switching Lemma Let Perm(n) be the et of all permutation on {0, 1} n. Let Rand(n) be the et of all function from {0, 1} n to {0, 1} n. By A f 1 we refer to the event that adverary A, equipped with an oracle f, output the bit 1. In what follow, aume that π i randomly ampled from Perm(n) and ρ i randomly ampled from Rand(n). Lemma 1 [PRP/PR Switching Lemma] Let n 1 be an integer. Let A be an adverary that ak at mot q oracle querie. Then Pr[A π 1] Pr[A ρ 1] q(q 1)/2 n+1. The reult i folklore, and i ued extenively. It value i the following. In analyzing a blockcipher-baed contruction C we need to bound how well an adverary A can do in breaking C[π], for a random permutation π on n bit. But it i often technically eaier to upper bound how well the adverary can do in attacking C[ρ], for a random function ρ from n bit to n bit. Doing thi uffice becaue we can then apply the Switching Lemma to conclude that the difference i mall. In thi ection we point to ome ubtletie in the tandard proof, a given for example in [HWKS98, BKR94], of thi apparently imple reult, howing that one of the claim made in thee proof i incorrect. We then how how to prove the lemma uing game. Thi example provide a gentle introduction to the game-playing technique and a warning about peril of following one intuition when dealing with conditional probability in provable-ecurity cryptography. The tandard analyi proceed a follow. Let Coll ( colliion ) be the event that an adverary, interacting with an oracle ρ, ak ditinct querie X and X that return the ame anwer. Let Dit ( ditinct ) be the complementary event. Now Pr[A π 1] = Pr[A ρ 1 Dit] (1) ince a random permutation i inditinguihable from a random function in which one oberve no colliion. Letting x be thi common value and y = Pr[A ρ 1 Coll] we have Pr[A π 1] Pr[A ρ 1] = x x Pr[Dit] y Pr[Coll] = x(1 Pr[Dit]) y Pr[Coll] = x Pr[Coll] y Pr[Coll] = (x y) Pr[Coll] Pr[Coll] where the final inequality follow becaue x, y [0, 1]. One next argue that Pr[Coll] q(q 1)/2 n+1 and o the Switching Lemma follow. Where i the error in the imple proof above? It at (1); it needn t be the cae that Pr[A π 1] = Pr[A ρ 1 Dit], and the entence we gave by way of jutification wa mathematically meaningle. Here i 6

7 Initialize On query f(x) Game S1 100 bad fale 110 Y {0, 1} n 101 for X {0, 1} n do π(x) undefined 111 if Y Range(π) then bad true, Y Range(π) 112 return π(x) Y omit for Game S0 igure 1: Game ued in the proof of the Switching Lemma. a imple example to demontrate that Pr[A π 1] can be different from Pr[A ρ 1 Dit]. Let n = 2, name the four point of {0, 1} 2 a 0, 1, 2, and 3, and conider the following adverary A with oracle f: if f(0) = 0 then return 1 ele if f(1) = 1 then return 1 ele return 0. Then Pr[A π 1] = 5/ becaue there are 12 poibilitie for π(0)π(1) and A return 1 for five of them: 01, 02, 03, 21, 31. On the other hand, Pr[A ρ 1 Dit] = Pr[A ρ 1 Dit]/ Pr[Dit] = (6/16)/(13/16) = 6/ becaue there are 16 poible value ρ(0)ρ(1) and A ρ 1 Dit i true for ix of them, 00, 01, 02, 03, 21, 31, while Dit i true for 13 of them: 00, 01, 02, 03, 10, 12, 13, 20, 21, 23, 30, 31, 32. Notice that the number of oracle querie made by the adverary of our counterexample varie, being either one or two, depending on the reply it receive to it firt query. A we how in Appendix A (thi wa alo pointed out by Kohno), if A alway make exactly q oracle querie (regardle of A coin and the anwer returned to it querie) then (1) i true. Since one can alway firt modify A to make exactly q querie, we would be loth to ay that the proof in [HWKS98, BKR94] are incorrect, but the author make claim (1), and view it a obviou, without retricting the adverary to exactly q querie, making a ubtlety that i not apparent at a firt (or even econd) glance. The fact that one can write omething like (1) and people aume thi to be correct, and even obviou, ugget to u that the language of conditional probability may often be unuitable for thinking about and dealing with the kind of probabilitic cenario that arie in cryptography. Game may more directly capture the deired intuition. Let ue them to give a correct proof. Aume without lo of generality that A never ak an oracle query twice. We imagine anwering A querie by running one of two game. Intead of thinking of A interacting with a random permutation oracle π Perm(n) think of A interacting with the Game S1 hown in igure 1. Intead of thinking of A interacting with a random function oracle ρ Rand(n) think of A interacting with the game S0 hown in the ame figure. Game S0 i game S1 without the haded tatement. In both game S1 and S0 we tart off performing the initialization tep, etting a flag bad to fale and etting a variable π to be undefined at every n-bit tring. (We will oon etablih convention that eliminate the need to write thee tep.) A the game run, we fill-in value of π(x) with n-bit tring. At any point in time, we let Range(π) be the et of all n-bit tring Y uch that π(x) = Y for ome X. Let Range(π) be the complement of thi et relative to {0, 1} n. Notice that the adverary never ee the flag bad. The flag will play a central part in our analyi, but it i not omething that the adverary can oberve. It only there for our bookkeeping. What doe adverary A ee a it play game S0? Whatever query X it ak, the game return a random n-bit tring Y. So game S0 perfectly imulate a random function ρ Rand(n) (remember that the adverary in t allowed to repeat a query) and Pr[A ρ 1] = Pr[A S0 1]. Similarly, if we re in game S1, then what the adverary get in repone to each query X i a random point Y that ha not already been returned to A. The behavior of a random permutation oracle i exactly thi, too. (Thi i guaranteed by what we will call the principle of lazy ampling. ) So Pr[A π 1] = Pr[A S1 1]. At thi point we have that Pr[A π 1] Pr[A ρ 1] = Pr[A S1 1] Pr[A S0 1]. We next claim that Pr[A S1 1] Pr[A S0 1] Pr[A S0 et bad ]. We refer to the lemma that make thi tep poible a the fundamental lemma of game playing. The lemma ay that whenever two game are written o a to be yntactically identical except for thing that immediately follow the etting of bad, the difference in the probabilitie that A output 1 in the two game i bounded by the probability that bad i et in either game. (It actually ay omething a bit more general, a we will ee.) So we have left only to bound Pr[A S0 et bad ]. By the union bound, the probability that a Y will ever be in Range(π) at line 111 i at mot ( (q 1))/2 n = q(q 1)/2 n+1. Thi complete the proof. 7

8 Global variable: a, b, c, P 1... P n game G param inp out Initialize A inalize outcome igure 2: Running a game G with an adverary A. The game the box that urround A conit of peudocode procedure Initialize, P 1,..., P n, and inalize. The adverary A receive an (optional) input from the game, interact with it oracle P 1,..., P n, and produce an output. The outcome of the game i determined by inalize. 3 The Game-Playing ramework 3.1 Game yntax A program P i a finite, valid equence of tatement written in ome programming language, L. We identify a program with it pare tree. Program take zero or more tring a input and produce zero or more tring a output. We only conider program that alway terminate. We will not formally pecify the programming language L; our language will be peudocode and we will keep it imple enough that there won t be any ambiguity about how to run a program. Certainly one could rigorouly define the programming language that one wanted to ue for pecifying game, and one could then endow it with a proper execution emantic, but thi won t be neceary for u. We will, however, need to explain ome baic characteritic and convention for our peudocode. We include the uual repertoire of contruct one find in a procedural programming language: variable, aignment tatement, if-tatement, for-tatement, and o forth. We alo include a ample-then-aign operator where X X mean to elect a random element from the finite et X (all element equally probable) and aign the reulting value to the variable X. Thi i the only ource of randomne in program, o probabilitie are taken over the choice aociated to ample-then-aign tatement. Variable in program are undertood to be tatic and global: their value hang around from call to call and have a cope of all program in an aociated game, which we will define hortly. We ll aume a relatively rich et of type: boolean, integer, tring, array (including array indexed by tring), finite et, and partial function from finite et to finite et. We won t explicitly declare variable, but each variable will have a fixed type, that type being clear from the context. We ll ue a comma a a tatement eparator, and S, S i a tatement when S and S are. The empty tatement ε i alo a tatement, and we regard S and S, ε a the ame. We ue indentation to indicate grouping. Boolean variable are automatically initialized to fale and other variable are initially everywhere undefined (an array i undefined for all poible indice and a function i undefined at all domain point). Definition 2 [Game] A game G = (Initialize, P 1, P 2,..., P n, inalize) i a equence of program. Program P 1,..., P n are the oracle of the game. If we omit pecifying Initialize or inalize it mean that the program doe nothing: it compute the identity function. We let param denote the input to Initialize and we let inp denote it output. We let out be the input to inalize and we let outcome be it output. If we decribe a game by giving a ingle unlabeled program, that program i the inalize program. or all of our game, the Initialize and inalize program will have thoe name, but we will chooe uggetive name for P 1,..., P n. To ee example of game, look ahead to any of the game appearing later in thi paper, which we name a in C4 or S Running a game To run a game G we need an adverary A to interact with it. See igure 2. An adverary i a probabilitic algorithm equipped with the ability to query ome number n 0 of oracle. or convenience, we aume that an adverary i decribed by a program in particular, it ource of randomne i ample-then-aign 8

9 tatement X X where the adverary ha contructed the finite et X uing the contruct of the programming language. 3 The pair coniting of a game G and an adverary A i called a runnable game. We will refer to a runnable game between G and A by writing either G A or A G. We ll ue the firt notation if we want to emphaize what the game i doing, and we ll ue the econd notation if we want to emphaize what the adverary i doing. To run G = (Initialize, P 1, P 2,, P n, inalize) with A and tring parameter param, begin by calling program Initialize with input param. (In the aymptotic etting, thi might be a ecurity parameter k. or all of our non-aymptotic example param i empty.) We now run A, paing it any (tring) return value inp produced by Initialize. When adverary A call it i th oracle with a given tring, we pa that tring to program P i and run it. We return to A whatever tring the program P i ay to return. We aume that an adverary eventually terminate, regardle of what it receive from it environment. (That i, adverary A hould terminate even if we were to run it in ome other, arbitrary game.) When A halt, poibly with ome output out, we call inalize, providing it any output produced by A. The outcome of the game i the tring value returned by inalize. The outcome of a game can be regarded a a random variable, the randomne taken over the ample-then-aign tatement of the adverary A and the game G. Often the outcome of the game i the return value of A, procedure inalize not doing anything beyond paing on it input a it output. We write Pr[G A 1] for the probability that the outcome of game G i 1 when we run G A. We ay that game G and H are equivalent if for any adverary A it i the cae that Pr[G A 1] = Pr[H A 1]. We write Pr[A G 1] to refer to the probability that the adverary A output 1 when we run G A. The advantage of A in ditinguihing game G and H i the real number Adv dit G,H(A) = Pr[A G 1] Pr[A H 1]. We ay that game G and H are (perfectly) adverarially inditinguihable if for any adverary A it i the cae that Pr[A G 1] = Pr[A H 1]. 3.3 Identical-until-bad-i-et game A boolean variable bad in a game G i called a flag if tart off a fale and change value at mot once: once a flag become true, it can never revert to fale. We are intereted in program that are yntactically identical until a flag bad ha been et to true. The formal definition i a follow. Definition 3 [Identical-until-bad-i-et] Let P and Q be program and let bad be a flag in each of them. Then P and Q are identical-until-bad-i-et if their pare tree are the ame except for the following: wherever program P ha a tatement bad true, S in it pare tree, program Q ha at the correponding poition of it pare tree that tatement bad true, T for a T that i poibly different from S. Game G = (Initialize, P 1,..., P n, inalize) and H = (Initialize, Q 1,..., Q n, inalize ) are identical-untilbad-i-et if each of their correponding program are identical-until-bad-i-et. A an example, game S0 and S1 from igure 1 are identical-until-bad-i-et. or one of thee game, S0, we have the empty tatement following bad true in the pare tree of S0; for S1, we have the tatement Y Range(π). Since thi i the only difference in the program, the game are identical-until-bad-i-et. We ll alo ay that G and H are are identical-until-bad-i-et if one game ha the tatement if bad then S where the other ha the empty tatement ε. One can conider if bad then S to be the ame a if bad then bad true, S and one can conider the empty tatement ε to be the ame a if bad then bad true, ε and under thi convention the game are identical-until-bad-i-et under the given definition. We write Pr[G A et bad ] to refer to the probability that the flag bad i true at the end of the execution of the runnable game G A, when inalize terminate. The following i eay to ee: Propoition 4 Identical-until-bad-i-et i an equivalence relation on game. 3.4 The fundamental lemma The lemma that jutifie the game-playing technique i the following. 3 Thi definition exclude the poibility of an adverary being able to to flip a coin with bia p = 1/π, for example. It i poible to how that an optimal adverary for a game G need not flip coin with irrational biae; in that ene, auming an adverary ource of randomne to be to be ample-then-aign tatement i without lo of generality. 9

10 Lemma 5 [undamental lemma of game-playing] and let A be an adverary. Then Pr[G A 1] Pr[H A 1] Pr[G A et bad ]. Let G and H be identical-until-bad-i-et game, More generally, Pr[G A 1] Pr[H A 1] Pr[I A et bad ] for any identical-until-bad-i-et game G, H, I. Proof of Lemma 5: Ignore for now the econd tatement in the lemma; it will follow immediately from the firt tatement by uing Propoition 6. We have aumed that the adverary and all program compriing a game alway terminate, and o there exit a mallet number b uch that A and G A and G B perform no more than b ample-then-aign tatement, each of thee ample-then-aign tatement ampling from a et of ize at mot b. Let C = Coin(A, G, H) = [1.. b!] b be the et of b-tuple of number, each number between 1 and b!. We call C the coin for (A, G, H). A random execution of G A can be determined in the following way. irt, draw a random ample c = (c 1,..., c b ) from C. Then, uing c, determinitically execute G A a follow: On the i th ample-then-aign tatement, X i {X 0,..., X ni 1}, let X i be X ci mod n i Thi way to perform ample-then-aign tatement i done regardle of whether A i the one performing the ample-then-aign tatement or one of the program from G i performing the tatement. Now notice that n i divide b! and o the mechanim above will return a uniform point X i from {X 0,..., X ni 1}. The return value for each ample-then-aign tatement are independent, o we have properly imulated G A uing the random point from C and no other ource of randomne. Similarly, tarting from a random point (c 1,..., c b ) from C we can run H A without any further coin by performing the i th ample-then-aign tatement X i {X 0,..., X ni 1} tatement a before. rom now on in the proof, aume that we realize G A and H A a we have decribed, by ampling (c 1,..., c b ) from the coin C for (A, G, H). We let G A (c) and H A (c) denote the run of G and H, repectively, with A and the indicated coin c C. Let CG one = {c C : G A (c) 1} be the coin that caue G A to output 1, and imilarly define CH one for H A. Partition CG one into CG bad one and CG good one according to whether bad i et to true in the run, and imilarly define CH bad one and CH good one. Define CG bad = {c C : G A (c) et bad }. Oberve that becaue game H and G are identical-until-bad-i et game, an element c C i in CG good one iff it i in CH good one, o = CH good. Thu CG good one one Pr[G A 1] Pr[H A 1] = CG one CH one C = CG bad one CH bad one C = CG bad one + CG good one C CG bad one C CG bad C CH good one CH bad one = Pr[G A et bad ]. The final claim in the lemma, that Pr[A G 1] Pr[A H 1] Pr[A I et bad ] when G, H, and I are identical-until-bad-i-et, follow directly from Lemma 6 (to be given later). That lemma enure that Pr[G A et bad ] = Pr[H A et bad ] = Pr[I A et bad ] and o Pr[A G 1] Pr[A H 1] Pr[A I et bad ] and, by ymmetry, Pr[A H 1] Pr[A G 1] Pr[A I et bad ]. Thi complete the proof. Terminology. The power of the game-playing technique tem, in large part, from our ability to incrementally rewrite game, contructing chain of game that are at the center of a game-playing proof. Uing the fundamental lemma, you firt arrange that the analyi you want to carry out amount to bounding ɛ = Pr[G1 A et bad ] for ome firt game G1 and ome adverary A. 4 You want to bound ɛ a a function of the reource expended by A. To thi end, you modify the game G1, one tep at a time, contructing a chain of game G1 G2 G3 Gn. Game G1 i the initial game and game Gn i the terminal game. Game G1 i played againt A; other game may be played againt other adverarie (though they uually are not). Conider a tranition G A H B. Let p G = Pr[G A et bad ] and let p H = Pr[H B et bad ]. We want to bound p G in term of p H. (1) Sometime we how that p G p H. In thi cae, the tranformation i aid to be afe. A pecial cae of thi i when p G = p H, in which cae the tranformation i aid to be conervative. (2) Sometime we how that p G p H + ɛ or p G c p H for ome particular ɛ > 0 or c > 1. Either way, we call the tranformation loy. or an additive loy tranformation, ɛ i the lo 4 In fact, a game chain may be ued alo for thi firt phae, before we apply the fundamental lemma; an example i given in our OAEP analyi. 10

11 term; for a multiplicative loy tranformation, c i the dilation term. When a chain of afe and additively loy tranformation i performed, a bound for bad getting et in the initial game i obtained by adding up all the lo term and the bound for bad getting et in the terminal game. If there are multiplicative loe then we bound bad getting et in the initial game in the natural way. We ue the word conervative, afe, and loy to apply to pair of game even in the abence of an adverary: the tatement i then undertood to apply to all adverarie, or to all adverarie with undertood reource. or example, the tranformation G H i conervative if for all adverarie A we have that Pr[G A et bad ] = Pr[H A et bad ]. 4 Game-Rewriting Technique In thi ection we name, decribe, and jutify ome game-tranformation technique that eem univerally ueful. Our enumeration i not comprehenive, only aiming to hit ome of the mot intereting or widely applicable technique. We ugget that a reader might want to kip Section on a firt reading. 4.1 After bad i et, nothing matter One of the mot common manipulation of game i to modify what happen after bad get et to true. Quite often the modification conit of dropping ome code, but it i alo fine to inert alternative code. Any modification following the etting of bad i conervative. The formal reult i a follow. Propoition 6 [After bad i et, nothing matter] Let G and H be identical-until-bad-i-et game. Let A be an adverary. Then Pr[G A et bad ] = Pr[H A et bad ]. Proof of Propoition 6: Uing the definition from the proof of Lemma 5, fix coin C = Coin(A, G, H) and execute G A and H A in the manner we decribed uing thee coin. Let CG bad C be the coin that reult in bad getting et to true when we run G A, and let CH bad C be the coin that reult in bad getting et to true when we run H A. Since G and H are identical-until-bad-i-et, each c C caue bad to be et to true in G A iff it caue bad to be et to true in H A. Thu CG bad = CH bad and hence CG bad = CH bad and CG bad / C = CH bad / C, which i to ay that Pr[G A et bad ] = Pr[H A et bad ]. 4.2 Coin fixing Conider a game G with an oracle P. The adverary A hope, running with G, to et bad. It adaptively ak P tring X 1,..., X q getting back tring Y 1,..., Y q. We would like to change G to a different game H in which X 1,..., X q, Y 1,..., Y q are all fixed, contant tring. We do thi when we can uing the coin-fixing technique. It tem from a claical method in complexity theory to eliminate coin [Ad78], hardwiring them in, a in the proof that BPP P/poly. One can t alway apply the coin-fixing; we now decribe a ufficient condition in which one can. We firt decribe the baic etup. Suppoe that the runnable game G A ha the following characteritic. There i a ingle oracle P There i no input param upplied to A and no output out received from it. The game contain a flag bad. Adverary A ak, in equence, exactly q tring querie to P, which the program tore in writeonce variable X 1,..., X q ; and the program compute in repone write-once tring variable Y 1,..., Y q, providing thee anwer, one-by-one, to A. That there i a ingle oracle and that X i and Y i are in write-once variable are without lo of generality in our current context. Let C be a et of (X 1,..., X q, Y 1,..., Y q ) tuple uch that every vector of querie X 1,..., X q and their repone Y 1,..., Y q that could arie in an execution of G A occur in C. We call C a query/repone et for G A. A query/repone et doe not need to be the mallet et that include all poible querie and their repone, it only ha to include it. Let Y be the et of all variable Y {X 1,..., X q, Y 1,..., Y q } in the game G for which ome Y i depend on Y (here we peak of depend on in the information-flow ene of programming-language theory). We ay that G A i obliviou if the variable bad doe not depend on any variable in Y. Informally, a game i obliviou if it doen t ue anything about how the Y i -value were made in order to compute bad: no variable that influenced a Y i -value (excluding X i - and Y i - value) alo influence bad. A pecial cae of an obliviou game i when the vector (Y 1,..., Y q ) i choen at random from ome finite et V Note that in an obliviou program the X i and Y i value themelve may influence bad. 11

12 Given an obliviou game G A, a query/repone et C for G A, and a point C = (X 1,..., X q, Y 1,..., Y q ) C, we form a new game H C a follow. Game H C i like G except it ha no oracle P. Each (R-value) ue of an X i or Y i in G i replaced by the correponding contant X i or Y i. Each (R-value) ue of a variable Y Y i replaced by an arbitrary contant of the correct type. At the beginning of the inalize program for H C a for-loop i executed imulating the arrival of the equence of P-querie X 1,..., X q and doing whatever program P would have done on receipt of each of thee querie (apart from the change we have already mandated). Thi complete the decription of H C. Let H = CoinixA(G) C be H C for the lexicographically firt C C that maximize Pr[H C A et bad ]. Since H A no longer depend on A, we may omit mention of it and till have a runnable game. We can now tate the coin-fixing lemma. Lemma 7 [Coin-fixing technique] Let G A be an obliviou game and let C be a query/repone et for it. Let H = CoinixA(G). C Then Pr[G A et bad ] Pr[H et bad ]. Proof of Lemma 7: Uing the technique of Lemma 5, define coin et for the runnable game G A a follow: let C A be coin for running A; let C Y be coin for ample-then-aign tatement to variable Y i and variable in Y; and let C B be any further coin ued by G. Each of thee i a finite et, and all that i required i that by chooing one random point from each of thee et, c A C A, c Y C Y, and c B C B, one can determinitically run G A, determining a final value for bad for thi run, which we ll denote bad(c A, c Y, c B ). Coin c B alo determine an execution of H, determining, in particular, if bad get et there: call the final value of that variable bad(c B ). Since ome number in a et of real number mut be at leat a large a the average, there mut exit a (c A, c Y ) C A C Y uch that Pr ca,c Y,c B [G A (c A, c Y, c B ) et bad ] Pr cb [G A (c A, c Y, c B ) et bad ]. Let C = (X 1,..., X q, Y 1,..., Y q) be the querie and repone that reult from running G A with coin c A, c Y. Our notion of oblivioune enure that Pr cb [G A (c A, c Y, c B ) et bad ] = Pr cb [H C (c B ) et bad ], with notation a in the paragraph preceding the lemma. Thi i becaue coin C reult in oracle querie X 1,..., X q, repone Y 1,..., Y q), and unpecified additional value to variable, and the execution of H C proceed identically apart for incorrect value for variable in Y and the variable thee impact, but, by definition of oblivioune, thee incorrect value are not relevant when it come to determining whether or not bad get et. Now Pr cb [H C (c B ) et bad ] Pr[H et bad ] becaue C C mut be in the query/repone et by our definition of it. Thi complete the proof. Coin-fixing i our primary method for eliminating adverarial adaptivity. Many time in analyzing a game, adaptivity i at the center of the analytic difficulty. It i worth pointing out that in uing coin-fixing to banih adaptivity, one never etablihe that the bet non-adaptive adverary for the original game or any other game doe no better than the bet adaptive one. Thi may be fale (or at leat not otenibly true) even though the coin-fixing technique can be ued to expunge adaptivity in the analyi. 4.3 Lazy ampling Intead of making random choice up front, it i often convenient rewrite a game o a to delay making random choice until they are actually needed. We call uch jut-in-time flipping of coin lazy ampling. A a imple but frequently ued example let call it example 1 conider a game that urface to the adverary a random permutation π on n bit. One way to realize thi game i to chooe π at random from Perm(n) during Initialize and then, when aked a query X {0, 1} n, anwer π(x). The alternative, lazy, method for implementing π would tart with a partial permutation π from n bit to n bit that i everywhere undefined. When aked a query X not yet in the domain of π, the oracle would chooe a value Y randomly from the co-range of π, define π(x) Y, and return Y. You can think of the current partial function π a impoing the contraint that π(x) Range(π) on our choice of π(x). We chooe π(x) at random from all point repecting the contraint. or example 1, it eem obviou that the two way to imulate a random permutation are equivalent. (Recall that equivalent i a technical term we have defined: it mean that no adverary can ditinguih, with any advantage, which of the two game it i playing.) But lazy ampling method can get more complex and propective method for lazy ampling often fail to work. One need to carefully verify any propective ue of lazy ampling. To ee thi, conider the following example 2. The game provide the adverary with permutation π 1, π 2 : {1, 2, 3} {1, 2, 3} ubject to the contraint that π 1 (x) π 2 (x) for all x {1, 2, 3}. 12

13 Initialize 100 (f 1,..., f k ) On query f i(x) 110 return f i(x) Game Eager Initialize 200 f i : X Y i everywhere undefined for each i [1.. k] On query f i(x) 210 if f i(x) then return f i(x) 211 return f i(x) An f 1,...,f k (i, x) Game Lazy igure 3: Eager and lazy ampling game aociated to, where i given by contraint function. The eager way to imulate the pair of oracle i to chooe π 1, π 2 uniformly at random from the et of pair of permutation that obey the contraint. A poible lazy way, where we anwer an oracle query with a random point not violating any contraint on already-defined point, may proceed like thi. On query π 1 (1) we would return a random point in {1, 2, 3}. Say thi i 1. On query π 1 (2) we would return a random point in {2, 3}, ay 2. On query π 1 (3) we would be forced to return 3. On query π 2 (1) we would return a random point in {2, 3}, ay 2. On query π 2 (2) we would return a random point in {1, 3}, ay 1. But now we are tuck, for on query π 2 (3) there i nothing correct to return. Here lazy ampling, at leat in the way we jut implemented it, didn t work. We now ay, more preciely, what we mean by lazy ampling, and then give ome condition under which it work, in particular jutifying the firt example above while identifying what make the econd one fail. Let X, Y be finite, non-empty et. A contraint function with locality parameter t i a function that aign a boolean output to any input of the form i 1, x 1, y 1,..., i, x, y, where i j [1.. k], x j X, y j Y and [1.. t]. Let P = rand(x, Y) be the et of all partial function from X to Y and let T = Rand(X, Y) be the et of all total function from X to Y. We ay that a et of k-vector of function in T i decribed by if i exactly the et of all ( f 1,..., f k ) T k uch that ( t) ( i 1,..., i [1.. k]) ( x 1,..., x X ) [ (i 1, x 1, f i1 (x 1 ),..., i, x, f i (x )) = 1 ]. The framework we conider i that we provide adverary A with a equence of oracle (f 1,..., f k ) drawn at random, with uniform ditribution, from a et that i decribed via a contraint function. The example we have given above can be put into thi framework. or example 1 we have X = Y = {0, 1} n and for example 2 we have X = Y = {1, 2, 3}. The contraint function for example 1 ha locality t = 2 and i defined by 1 (i, x 1, y 1, i, x 2, y 2 ) = 1 iff (x 1 x 2 ) (y 1 y 2 ). The contraint function for example 2 ha locality t = 2 and i defined by 3 (1, x 1, y 1, 2, x 2, y 2 ) = 1 iff (a) (x 1 = x 2 ) (y 1 y 2 ) and (b) 1 (i, x, y, i, x, y ) = 1 for all i {1, 2}. Now we explain how lazy ampling work. If f T i conitent with f P (meaning the two are equal on all point where partial function f i defined) then we write f f. or f 1,..., f k P, i [1.. k], x X, and y Y let Ext f1,...,f k (i, x, y) = { ( f 1,..., f k ) : fj f j (1 j k) and f i (x) = y } be the et of extenion of f 1,..., f k relative to (i, x, y). Thi can be viewed a the et of all poible way to aign value to the a-yet-undefined point of the partial function (f 1,..., f k ) ubject to the contraint that f i (x) i aigned y. Let An f1,...,f k (i, x) be the et of all y Y uch that Ext f1,...,f k (i, x, y). Thi i the et of poible anwer to query f i (x), meaning thoe that have non-zero probability of occurring. igure 3 how two game, one decribing eager ampling and the other lazy ampling. We claim that lazy ampling, a formally decribed in thi game, capture the way it wa done in our firt example, in that the et of poible anwer i exactly the et of point that do not violate any contraint. In example 1, from the decription of 1 we ee that An π (1, x) i exactly Range(π). However, the way we ampled in example 2 fail to implement what we have now formally defined a lazy ampling, explaining why it failed. To ee thi conider the tage where π 1 (i) = i for i {1, 2, 3} and π 2 (1) = 2. Then An π1,π2 (2, 2) = {3}, while in the example we aid that the candidate et from which to draw π 2 (2) wa {1, 3}. Thi how that determining the et of poible anwer purely by looking at the contraint on defined point doe not work. Now we move to aying under what condition lazy ampling work. We ay that i admiible if for all f 1,..., f k P, all i [1.. k], and all x X ( ) y 1, y 2 An f1,...,f k (i, x) Ext f1,...,f k (i, x, y 1 ) = Ext f1,...,f k (i, x, y 2 ). 13

14 In other word, the number of way to extend f 1,..., f k relative to (i, x, y) doe not depend on y a long a y i allowed, or, intuitively, any two allowed value are equi-probable a anwer to an oracle query. We ay that i admiible if it i decribed by an admiible contraint function. Our reult about eager veru lazy ampling i the following. It proof i given later. Lemma 8 [Principle of lazy ampling] Let be an admiible et. Then game Eager and Lazy are equivalent. We claim that the contraint function 1 of example 1 i admiible, which explain why lazy ampling worked in thee cae. Verifying thi claim i quite eay. Suppoe π ha been defined on ome m 1 point and π(x) i the m-th query. Then for every y Range(π) there are (N m)! poible way to aign value to the undefined point while etting π(x) = y, meaning Ext π 1 (1, x, y) = (N m)! for every y An π (1, x). Proof of Lemma 8: Suppoe the adverary ha made ome number of oracle querie, reulting in the partial function f 1,..., f k. Now it make another query, f i (x). We conider the probability that a particular point y Y i returned in repone, and how thi i the ame in both game. Any y An f1,...,f k (i, x) ha zero probability of being returned in either game. Suppoe y An f1,...,f k (i, x). Let (f 1,..., f k ) = { ( f 1,..., f k ) : fj f j (1 j k) }. The aumption implie that An f1,...,f k (i, x). Now the probability that y i returned a the anwer to query f i (x) in Eager i Ext f1,...,f k (i, x, y) (f 1,..., f k ) = = = Ext f1,...,f k (i, x, y) y An f 1,...,f k (i,x) Extf1,...,f k An f1,...,f k 1 Ext f1,...,f k (i, x, y) (i, x) Ext f1,...,f k (i, x, y ) (i, x, y) An f1,...,f k (i, x). (3) The aumption that i admiible jutifie 2. The proof i complete becaue (3) i the probability that y i returned a the anwer to query f i (x) in Lazy. (2) 4.4 Baic technique We briefly urvey ome other intereting or commonly ued technique. Ue of mot of thee technique i illutrated in the example of thi paper. Swapping dependent and independent variable. Intead of chooing a random value X {0, 1} n and then defining Y X C, one can chooe Y {0, 1} n and define X Y C. Thi can be generalized in natural way. Swapping dependent and independent variable i invariably a conervative change (it doen t affect the probability that bad get et). Reampling idiom. Let S T be finite, nonempty et. Then the code fragment X S can be replaced by the equivalent code fragment X T, if X S then X S. We call thi motif reampling. It i a baic idiom employed in game, often with bad getting et, too: X T, if X S then bad true, X S. Introducing or removing reampling i invariably a conervative change. Code motion. It i often convenient to move around tatement, a an optimizing compiler might. Permiible code motion i uually trivial to verify becaue game need not need to employ the programming-language contruct (aliaing and ide-effect) that complicate eeing whether or not code motion i permiible. One particular form of code motion that i often ued i to potpone until inalize making random choice that had been made earlier. Permiible code motion conervative. 14

Social Studies 201 Notes for November 14, 2003

Social Studies 201 Notes for November 14, 2003 1 Social Studie 201 Note for November 14, 2003 Etimation of a mean, mall ample ize Section 8.4, p. 501. When a reearcher ha only a mall ample ize available, the central limit theorem doe not apply to the

More information

Lecture 8: Period Finding: Simon s Problem over Z N

Lecture 8: Period Finding: Simon s Problem over Z N Quantum Computation (CMU 8-859BB, Fall 205) Lecture 8: Period Finding: Simon Problem over Z October 5, 205 Lecturer: John Wright Scribe: icola Rech Problem A mentioned previouly, period finding i a rephraing

More information

Social Studies 201 Notes for March 18, 2005

Social Studies 201 Notes for March 18, 2005 1 Social Studie 201 Note for March 18, 2005 Etimation of a mean, mall ample ize Section 8.4, p. 501. When a reearcher ha only a mall ample ize available, the central limit theorem doe not apply to the

More information

Dimensional Analysis A Tool for Guiding Mathematical Calculations

Dimensional Analysis A Tool for Guiding Mathematical Calculations Dimenional Analyi A Tool for Guiding Mathematical Calculation Dougla A. Kerr Iue 1 February 6, 2010 ABSTRACT AND INTRODUCTION In converting quantitie from one unit to another, we may know the applicable

More information

Lecture 9: Shor s Algorithm

Lecture 9: Shor s Algorithm Quantum Computation (CMU 8-859BB, Fall 05) Lecture 9: Shor Algorithm October 7, 05 Lecturer: Ryan O Donnell Scribe: Sidhanth Mohanty Overview Let u recall the period finding problem that wa et up a a function

More information

7.2 INVERSE TRANSFORMS AND TRANSFORMS OF DERIVATIVES 281

7.2 INVERSE TRANSFORMS AND TRANSFORMS OF DERIVATIVES 281 72 INVERSE TRANSFORMS AND TRANSFORMS OF DERIVATIVES 28 and i 2 Show how Euler formula (page 33) can then be ued to deduce the reult a ( a) 2 b 2 {e at co bt} {e at in bt} b ( a) 2 b 2 5 Under what condition

More information

into a discrete time function. Recall that the table of Laplace/z-transforms is constructed by (i) selecting to get

into a discrete time function. Recall that the table of Laplace/z-transforms is constructed by (i) selecting to get Lecture 25 Introduction to Some Matlab c2d Code in Relation to Sampled Sytem here are many way to convert a continuou time function, { h( t) ; t [0, )} into a dicrete time function { h ( k) ; k {0,,, }}

More information

EME : extending EME to handle arbitrary-length messages with associated data

EME : extending EME to handle arbitrary-length messages with associated data EME : extending EME to handle arbitrary-length meage with aociated data (Preliminary Report) Shai Halevi May 27, 2004 Abtract Thi work decribe a mode of operation, EME, that turn a regular block cipher

More information

(b) Is the game below solvable by iterated strict dominance? Does it have a unique Nash equilibrium?

(b) Is the game below solvable by iterated strict dominance? Does it have a unique Nash equilibrium? 14.1 Final Exam Anwer all quetion. You have 3 hour in which to complete the exam. 1. (60 Minute 40 Point) Anwer each of the following ubquetion briefly. Pleae how your calculation and provide rough explanation

More information

Bogoliubov Transformation in Classical Mechanics

Bogoliubov Transformation in Classical Mechanics Bogoliubov Tranformation in Claical Mechanic Canonical Tranformation Suppoe we have a et of complex canonical variable, {a j }, and would like to conider another et of variable, {b }, b b ({a j }). How

More information

Theoretical Computer Science. Optimal algorithms for online scheduling with bounded rearrangement at the end

Theoretical Computer Science. Optimal algorithms for online scheduling with bounded rearrangement at the end Theoretical Computer Science 4 (0) 669 678 Content lit available at SciVere ScienceDirect Theoretical Computer Science journal homepage: www.elevier.com/locate/tc Optimal algorithm for online cheduling

More information

μ + = σ = D 4 σ = D 3 σ = σ = All units in parts (a) and (b) are in V. (1) x chart: Center = μ = 0.75 UCL =

μ + = σ = D 4 σ = D 3 σ = σ = All units in parts (a) and (b) are in V. (1) x chart: Center = μ = 0.75 UCL = Our online Tutor are available 4*7 to provide Help with Proce control ytem Homework/Aignment or a long term Graduate/Undergraduate Proce control ytem Project. Our Tutor being experienced and proficient

More information

Singular perturbation theory

Singular perturbation theory Singular perturbation theory Marc R. Rouel June 21, 2004 1 Introduction When we apply the teady-tate approximation (SSA) in chemical kinetic, we typically argue that ome of the intermediate are highly

More information

An Inequality for Nonnegative Matrices and the Inverse Eigenvalue Problem

An Inequality for Nonnegative Matrices and the Inverse Eigenvalue Problem An Inequality for Nonnegative Matrice and the Invere Eigenvalue Problem Robert Ream Program in Mathematical Science The Univerity of Texa at Dalla Box 83688, Richardon, Texa 7583-688 Abtract We preent

More information

DIFFERENTIAL EQUATIONS

DIFFERENTIAL EQUATIONS DIFFERENTIAL EQUATIONS Laplace Tranform Paul Dawkin Table of Content Preface... Laplace Tranform... Introduction... The Definition... 5 Laplace Tranform... 9 Invere Laplace Tranform... Step Function...4

More information

Codes Correcting Two Deletions

Codes Correcting Two Deletions 1 Code Correcting Two Deletion Ryan Gabry and Frederic Sala Spawar Sytem Center Univerity of California, Lo Angele ryan.gabry@navy.mil fredala@ucla.edu Abtract In thi work, we invetigate the problem of

More information

Problem Set 8 Solutions

Problem Set 8 Solutions Deign and Analyi of Algorithm April 29, 2015 Maachuett Intitute of Technology 6.046J/18.410J Prof. Erik Demaine, Srini Devada, and Nancy Lynch Problem Set 8 Solution Problem Set 8 Solution Thi problem

More information

Lecture 7: Testing Distributions

Lecture 7: Testing Distributions CSE 5: Sublinear (and Streaming) Algorithm Spring 014 Lecture 7: Teting Ditribution April 1, 014 Lecturer: Paul Beame Scribe: Paul Beame 1 Teting Uniformity of Ditribution We return today to property teting

More information

Clustering Methods without Given Number of Clusters

Clustering Methods without Given Number of Clusters Clutering Method without Given Number of Cluter Peng Xu, Fei Liu Introduction A we now, mean method i a very effective algorithm of clutering. It mot powerful feature i the calability and implicity. However,

More information

Lecture 21. The Lovasz splitting-off lemma Topics in Combinatorial Optimization April 29th, 2004

Lecture 21. The Lovasz splitting-off lemma Topics in Combinatorial Optimization April 29th, 2004 18.997 Topic in Combinatorial Optimization April 29th, 2004 Lecture 21 Lecturer: Michel X. Goeman Scribe: Mohammad Mahdian 1 The Lovaz plitting-off lemma Lovaz plitting-off lemma tate the following. Theorem

More information

Chapter 4. The Laplace Transform Method

Chapter 4. The Laplace Transform Method Chapter 4. The Laplace Tranform Method The Laplace Tranform i a tranformation, meaning that it change a function into a new function. Actually, it i a linear tranformation, becaue it convert a linear combination

More information

Source slideplayer.com/fundamentals of Analytical Chemistry, F.J. Holler, S.R.Crouch. Chapter 6: Random Errors in Chemical Analysis

Source slideplayer.com/fundamentals of Analytical Chemistry, F.J. Holler, S.R.Crouch. Chapter 6: Random Errors in Chemical Analysis Source lideplayer.com/fundamental of Analytical Chemitry, F.J. Holler, S.R.Crouch Chapter 6: Random Error in Chemical Analyi Random error are preent in every meaurement no matter how careful the experimenter.

More information

Preemptive scheduling on a small number of hierarchical machines

Preemptive scheduling on a small number of hierarchical machines Available online at www.ciencedirect.com Information and Computation 06 (008) 60 619 www.elevier.com/locate/ic Preemptive cheduling on a mall number of hierarchical machine György Dóa a, Leah Eptein b,

More information

Physics 741 Graduate Quantum Mechanics 1 Solutions to Final Exam, Fall 2014

Physics 741 Graduate Quantum Mechanics 1 Solutions to Final Exam, Fall 2014 Phyic 7 Graduate Quantum Mechanic Solution to inal Eam all 0 Each quetion i worth 5 point with point for each part marked eparately Some poibly ueful formula appear at the end of the tet In four dimenion

More information

List coloring hypergraphs

List coloring hypergraphs Lit coloring hypergraph Penny Haxell Jacque Vertraete Department of Combinatoric and Optimization Univerity of Waterloo Waterloo, Ontario, Canada pehaxell@uwaterloo.ca Department of Mathematic Univerity

More information

CHAPTER 6. Estimation

CHAPTER 6. Estimation CHAPTER 6 Etimation Definition. Statitical inference i the procedure by which we reach a concluion about a population on the bai of information contained in a ample drawn from that population. Definition.

More information

Code-Based Game-Playing Proofs and the Security of Triple Encryption

Code-Based Game-Playing Proofs and the Security of Triple Encryption The proceedings version of this papers, entitled The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs, appears in Advances in Cryptology Eurocrypt 2006, LNCS vol. 4004,

More information

Department of Mechanical Engineering Massachusetts Institute of Technology Modeling, Dynamics and Control III Spring 2002

Department of Mechanical Engineering Massachusetts Institute of Technology Modeling, Dynamics and Control III Spring 2002 Department of Mechanical Engineering Maachuett Intitute of Technology 2.010 Modeling, Dynamic and Control III Spring 2002 SOLUTIONS: Problem Set # 10 Problem 1 Etimating tranfer function from Bode Plot.

More information

1. The F-test for Equality of Two Variances

1. The F-test for Equality of Two Variances . The F-tet for Equality of Two Variance Previouly we've learned how to tet whether two population mean are equal, uing data from two independent ample. We can alo tet whether two population variance are

More information

UNIT 15 RELIABILITY EVALUATION OF k-out-of-n AND STANDBY SYSTEMS

UNIT 15 RELIABILITY EVALUATION OF k-out-of-n AND STANDBY SYSTEMS UNIT 1 RELIABILITY EVALUATION OF k-out-of-n AND STANDBY SYSTEMS Structure 1.1 Introduction Objective 1.2 Redundancy 1.3 Reliability of k-out-of-n Sytem 1.4 Reliability of Standby Sytem 1. Summary 1.6 Solution/Anwer

More information

IEOR 3106: Fall 2013, Professor Whitt Topics for Discussion: Tuesday, November 19 Alternating Renewal Processes and The Renewal Equation

IEOR 3106: Fall 2013, Professor Whitt Topics for Discussion: Tuesday, November 19 Alternating Renewal Processes and The Renewal Equation IEOR 316: Fall 213, Profeor Whitt Topic for Dicuion: Tueday, November 19 Alternating Renewal Procee and The Renewal Equation 1 Alternating Renewal Procee An alternating renewal proce alternate between

More information

NCAAPMT Calculus Challenge Challenge #3 Due: October 26, 2011

NCAAPMT Calculus Challenge Challenge #3 Due: October 26, 2011 NCAAPMT Calculu Challenge 011 01 Challenge #3 Due: October 6, 011 A Model of Traffic Flow Everyone ha at ome time been on a multi-lane highway and encountered road contruction that required the traffic

More information

CS 170: Midterm Exam II University of California at Berkeley Department of Electrical Engineering and Computer Sciences Computer Science Division

CS 170: Midterm Exam II University of California at Berkeley Department of Electrical Engineering and Computer Sciences Computer Science Division 1 1 April 000 Demmel / Shewchuk CS 170: Midterm Exam II Univerity of California at Berkeley Department of Electrical Engineering and Computer Science Computer Science Diviion hi i a cloed book, cloed calculator,

More information

ON THE APPROXIMATION ERROR IN HIGH DIMENSIONAL MODEL REPRESENTATION. Xiaoqun Wang

ON THE APPROXIMATION ERROR IN HIGH DIMENSIONAL MODEL REPRESENTATION. Xiaoqun Wang Proceeding of the 2008 Winter Simulation Conference S. J. Maon, R. R. Hill, L. Mönch, O. Roe, T. Jefferon, J. W. Fowler ed. ON THE APPROXIMATION ERROR IN HIGH DIMENSIONAL MODEL REPRESENTATION Xiaoqun Wang

More information

Alternate Dispersion Measures in Replicated Factorial Experiments

Alternate Dispersion Measures in Replicated Factorial Experiments Alternate Diperion Meaure in Replicated Factorial Experiment Neal A. Mackertich The Raytheon Company, Sudbury MA 02421 Jame C. Benneyan Northeatern Univerity, Boton MA 02115 Peter D. Krau The Raytheon

More information

Design By Emulation (Indirect Method)

Design By Emulation (Indirect Method) Deign By Emulation (Indirect Method he baic trategy here i, that Given a continuou tranfer function, it i required to find the bet dicrete equivalent uch that the ignal produced by paing an input ignal

More information

DIFFERENTIAL EQUATIONS Laplace Transforms. Paul Dawkins

DIFFERENTIAL EQUATIONS Laplace Transforms. Paul Dawkins DIFFERENTIAL EQUATIONS Laplace Tranform Paul Dawkin Table of Content Preface... Laplace Tranform... Introduction... The Definition... 5 Laplace Tranform... 9 Invere Laplace Tranform... Step Function...

More information

PhysicsAndMathsTutor.com

PhysicsAndMathsTutor.com 1. A teacher wihe to tet whether playing background muic enable tudent to complete a tak more quickly. The ame tak wa completed by 15 tudent, divided at random into two group. The firt group had background

More information

CHAPTER 8 OBSERVER BASED REDUCED ORDER CONTROLLER DESIGN FOR LARGE SCALE LINEAR DISCRETE-TIME CONTROL SYSTEMS

CHAPTER 8 OBSERVER BASED REDUCED ORDER CONTROLLER DESIGN FOR LARGE SCALE LINEAR DISCRETE-TIME CONTROL SYSTEMS CHAPTER 8 OBSERVER BASED REDUCED ORDER CONTROLLER DESIGN FOR LARGE SCALE LINEAR DISCRETE-TIME CONTROL SYSTEMS 8.1 INTRODUCTION 8.2 REDUCED ORDER MODEL DESIGN FOR LINEAR DISCRETE-TIME CONTROL SYSTEMS 8.3

More information

Convex Hulls of Curves Sam Burton

Convex Hulls of Curves Sam Burton Convex Hull of Curve Sam Burton 1 Introduction Thi paper will primarily be concerned with determining the face of convex hull of curve of the form C = {(t, t a, t b ) t [ 1, 1]}, a < b N in R 3. We hall

More information

Nonlinear Single-Particle Dynamics in High Energy Accelerators

Nonlinear Single-Particle Dynamics in High Energy Accelerators Nonlinear Single-Particle Dynamic in High Energy Accelerator Part 6: Canonical Perturbation Theory Nonlinear Single-Particle Dynamic in High Energy Accelerator Thi coure conit of eight lecture: 1. Introduction

More information

Chapter 2 Sampling and Quantization. In order to investigate sampling and quantization, the difference between analog

Chapter 2 Sampling and Quantization. In order to investigate sampling and quantization, the difference between analog Chapter Sampling and Quantization.1 Analog and Digital Signal In order to invetigate ampling and quantization, the difference between analog and digital ignal mut be undertood. Analog ignal conit of continuou

More information

COHOMOLOGY AS A LOCAL-TO-GLOBAL BRIDGE

COHOMOLOGY AS A LOCAL-TO-GLOBAL BRIDGE COHOMOLOGY AS A LOCAL-TO-GLOBAL BRIDGE LIVIU I. NICOLAESCU ABSTRACT. I dicu low dimenional incarnation of cohomology and illutrate how baic cohomological principle lead to a proof of Sperner lemma. CONTENTS.

More information

Lecture 10 Filtering: Applied Concepts

Lecture 10 Filtering: Applied Concepts Lecture Filtering: Applied Concept In the previou two lecture, you have learned about finite-impule-repone (FIR) and infinite-impule-repone (IIR) filter. In thee lecture, we introduced the concept of filtering

More information

Logic, Automata and Games

Logic, Automata and Games Logic, Automata and Game Jacque Duparc EJCIM 27 EJCIM, 23-27 January 27 J. Duparc ( & ) Logic, Automata and Game Lyon, 23-27 January 27 / 97 Reference [] K. R. Apt and E. Grädel. Lecture in game theory

More information

Root Locus Diagram. Root loci: The portion of root locus when k assume positive values: that is 0

Root Locus Diagram. Root loci: The portion of root locus when k assume positive values: that is 0 Objective Root Locu Diagram Upon completion of thi chapter you will be able to: Plot the Root Locu for a given Tranfer Function by varying gain of the ytem, Analye the tability of the ytem from the root

More information

The machines in the exercise work as follows:

The machines in the exercise work as follows: Tik-79.148 Spring 2001 Introduction to Theoretical Computer Science Tutorial 9 Solution to Demontration Exercie 4. Contructing a complex Turing machine can be very laboriou. With the help of machine chema

More information

Aggregating value ranges: preference elicitation and truthfulness

Aggregating value ranges: preference elicitation and truthfulness DOI 10.1007/10458-009-9118-5 Aggregating value range: preference elicitation and truthfulne Joeph Farfel Vincent Conitzer The Author() 009 Abtract We tudy the cae where agent have preference over range

More information

Suggestions - Problem Set (a) Show the discriminant condition (1) takes the form. ln ln, # # R R

Suggestions - Problem Set (a) Show the discriminant condition (1) takes the form. ln ln, # # R R Suggetion - Problem Set 3 4.2 (a) Show the dicriminant condition (1) take the form x D Ð.. Ñ. D.. D. ln ln, a deired. We then replace the quantitie. 3ß D3 by their etimate to get the proper form for thi

More information

Bayesian Learning, Randomness and Logic. Marc Snir

Bayesian Learning, Randomness and Logic. Marc Snir Bayeian Learning, Randomne and Logic Marc Snir Background! 25 year old work, far from my current reearch! why preent now?! Becaue it wa done when I wa Eli tudent! Becaue it i about the foundation of epitemology!

More information

Lecture 15 - Current. A Puzzle... Advanced Section: Image Charge for Spheres. Image Charge for a Grounded Spherical Shell

Lecture 15 - Current. A Puzzle... Advanced Section: Image Charge for Spheres. Image Charge for a Grounded Spherical Shell Lecture 15 - Current Puzzle... Suppoe an infinite grounded conducting plane lie at z = 0. charge q i located at a height h above the conducting plane. Show in three different way that the potential below

More information

Assignment for Mathematics for Economists Fall 2016

Assignment for Mathematics for Economists Fall 2016 Due date: Mon. Nov. 1. Reading: CSZ, Ch. 5, Ch. 8.1 Aignment for Mathematic for Economit Fall 016 We now turn to finihing our coverage of concavity/convexity. There are two part: Jenen inequality for concave/convex

More information

What lies between Δx E, which represents the steam valve, and ΔP M, which is the mechanical power into the synchronous machine?

What lies between Δx E, which represents the steam valve, and ΔP M, which is the mechanical power into the synchronous machine? A 2.0 Introduction In the lat et of note, we developed a model of the peed governing mechanim, which i given below: xˆ K ( Pˆ ˆ) E () In thee note, we want to extend thi model o that it relate the actual

More information

Laplace Transformation

Laplace Transformation Univerity of Technology Electromechanical Department Energy Branch Advance Mathematic Laplace Tranformation nd Cla Lecture 6 Page of 7 Laplace Tranformation Definition Suppoe that f(t) i a piecewie continuou

More information

Optimal Coordination of Samples in Business Surveys

Optimal Coordination of Samples in Business Surveys Paper preented at the ICES-III, June 8-, 007, Montreal, Quebec, Canada Optimal Coordination of Sample in Buine Survey enka Mach, Ioana Şchiopu-Kratina, Philip T Rei, Jean-Marc Fillion Statitic Canada New

More information

Control Systems Analysis and Design by the Root-Locus Method

Control Systems Analysis and Design by the Root-Locus Method 6 Control Sytem Analyi and Deign by the Root-Locu Method 6 1 INTRODUCTION The baic characteritic of the tranient repone of a cloed-loop ytem i cloely related to the location of the cloed-loop pole. If

More information

Avoiding Forbidden Submatrices by Row Deletions

Avoiding Forbidden Submatrices by Row Deletions Avoiding Forbidden Submatrice by Row Deletion Sebatian Wernicke, Jochen Alber, Jen Gramm, Jiong Guo, and Rolf Niedermeier Wilhelm-Schickard-Intitut für Informatik, niverität Tübingen, Sand 13, D-72076

More information

Lecture 8. PID control. Industrial process control ( today) PID control. Insights about PID actions

Lecture 8. PID control. Industrial process control ( today) PID control. Insights about PID actions Lecture 8. PID control. The role of P, I, and D action 2. PID tuning Indutrial proce control (92... today) Feedback control i ued to improve the proce performance: tatic performance: for contant reference,

More information

Standard Guide for Conducting Ruggedness Tests 1

Standard Guide for Conducting Ruggedness Tests 1 Deignation: E 69 89 (Reapproved 996) Standard Guide for Conducting Ruggedne Tet AMERICA SOCIETY FOR TESTIG AD MATERIALS 00 Barr Harbor Dr., Wet Conhohocken, PA 948 Reprinted from the Annual Book of ASTM

More information

Question 1 Equivalent Circuits

Question 1 Equivalent Circuits MAE 40 inear ircuit Fall 2007 Final Intruction ) Thi exam i open book You may ue whatever written material you chooe, including your cla note and textbook You may ue a hand calculator with no communication

More information

A BATCH-ARRIVAL QUEUE WITH MULTIPLE SERVERS AND FUZZY PARAMETERS: PARAMETRIC PROGRAMMING APPROACH

A BATCH-ARRIVAL QUEUE WITH MULTIPLE SERVERS AND FUZZY PARAMETERS: PARAMETRIC PROGRAMMING APPROACH Mathematical and Computational Application Vol. 11 No. pp. 181-191 006. Aociation for Scientific Reearch A BATCH-ARRIVA QEE WITH MTIPE SERVERS AND FZZY PARAMETERS: PARAMETRIC PROGRAMMING APPROACH Jau-Chuan

More information

2 Hatad, Jukna & Pudlak gate, namely we hall tudy the ize of depth-three circuit. The technique we hall ue ha two ource. The rt one i a \nite" verion

2 Hatad, Jukna & Pudlak gate, namely we hall tudy the ize of depth-three circuit. The technique we hall ue ha two ource. The rt one i a \nite verion TOP-DOWN LOWER BOUNDS FOR DEPTH-THREE CIRCUITS J. Hatad, S. Jukna and P. Pudlak Abtract. We preent a top-down lower bound method for depth-three ^ _ :-circuit which i impler than the previou method and

More information

Suggested Answers To Exercises. estimates variability in a sampling distribution of random means. About 68% of means fall

Suggested Answers To Exercises. estimates variability in a sampling distribution of random means. About 68% of means fall Beyond Significance Teting ( nd Edition), Rex B. Kline Suggeted Anwer To Exercie Chapter. The tatitic meaure variability among core at the cae level. In a normal ditribution, about 68% of the core fall

More information

Multicolor Sunflowers

Multicolor Sunflowers Multicolor Sunflower Dhruv Mubayi Lujia Wang October 19, 2017 Abtract A unflower i a collection of ditinct et uch that the interection of any two of them i the ame a the common interection C of all of

More information

Comparing Means: t-tests for Two Independent Samples

Comparing Means: t-tests for Two Independent Samples Comparing ean: t-tet for Two Independent Sample Independent-eaure Deign t-tet for Two Independent Sample Allow reearcher to evaluate the mean difference between two population uing data from two eparate

More information

Memory Erasability Amplification

Memory Erasability Amplification Memory Eraability Amplification Jan Camenich 1, Robert R. Enderlein 1,2, and Ueli Maurer 2 1 IBM Reearch Zurich, Switzerland 2 Department of Computer Science, ETH Zürich, Switzerland Abtract. Eraable memory

More information

arxiv: v1 [math.mg] 25 Aug 2011

arxiv: v1 [math.mg] 25 Aug 2011 ABSORBING ANGLES, STEINER MINIMAL TREES, AND ANTIPODALITY HORST MARTINI, KONRAD J. SWANEPOEL, AND P. OLOFF DE WET arxiv:08.5046v [math.mg] 25 Aug 20 Abtract. We give a new proof that a tar {op i : i =,...,

More information

AP Physics Charge Wrap up

AP Physics Charge Wrap up AP Phyic Charge Wrap up Quite a few complicated euation for you to play with in thi unit. Here them babie i: F 1 4 0 1 r Thi i good old Coulomb law. You ue it to calculate the force exerted 1 by two charge

More information

The Laplace Transform (Intro)

The Laplace Transform (Intro) 4 The Laplace Tranform (Intro) The Laplace tranform i a mathematical tool baed on integration that ha a number of application It particular, it can implify the olving of many differential equation We will

More information

GNSS Solutions: What is the carrier phase measurement? How is it generated in GNSS receivers? Simply put, the carrier phase

GNSS Solutions: What is the carrier phase measurement? How is it generated in GNSS receivers? Simply put, the carrier phase GNSS Solution: Carrier phae and it meaurement for GNSS GNSS Solution i a regular column featuring quetion and anwer about technical apect of GNSS. Reader are invited to end their quetion to the columnit,

More information

THE SPLITTING SUBSPACE CONJECTURE

THE SPLITTING SUBSPACE CONJECTURE THE SPLITTING SUBSPAE ONJETURE ERI HEN AND DENNIS TSENG Abtract We anwer a uetion by Niederreiter concerning the enumeration of a cla of ubpace of finite dimenional vector pace over finite field by proving

More information

FUNDAMENTALS OF POWER SYSTEMS

FUNDAMENTALS OF POWER SYSTEMS 1 FUNDAMENTALS OF POWER SYSTEMS 1 Chapter FUNDAMENTALS OF POWER SYSTEMS INTRODUCTION The three baic element of electrical engineering are reitor, inductor and capacitor. The reitor conume ohmic or diipative

More information

Fermi Distribution Function. n(e) T = 0 T > 0 E F

Fermi Distribution Function. n(e) T = 0 T > 0 E F LECTURE 3 Maxwell{Boltzmann, Fermi, and Boe Statitic Suppoe we have a ga of N identical point particle in a box ofvolume V. When we ay \ga", we mean that the particle are not interacting with one another.

More information

Lecture 17: Analytic Functions and Integrals (See Chapter 14 in Boas)

Lecture 17: Analytic Functions and Integrals (See Chapter 14 in Boas) Lecture 7: Analytic Function and Integral (See Chapter 4 in Boa) Thi i a good point to take a brief detour and expand on our previou dicuion of complex variable and complex function of complex variable.

More information

Technical Appendix: Auxiliary Results and Proofs

Technical Appendix: Auxiliary Results and Proofs A Technical Appendix: Auxiliary Reult and Proof Lemma A. The following propertie hold for q (j) = F r [c + ( ( )) ] de- ned in Lemma. (i) q (j) >, 8 (; ]; (ii) R q (j)d = ( ) q (j) + R q (j)d ; (iii) R

More information

Jul 4, 2005 turbo_code_primer Revision 0.0. Turbo Code Primer

Jul 4, 2005 turbo_code_primer Revision 0.0. Turbo Code Primer Jul 4, 5 turbo_code_primer Reviion. Turbo Code Primer. Introduction Thi document give a quick tutorial on MAP baed turbo coder. Section develop the background theory. Section work through a imple numerical

More information

Introduction to Laplace Transform Techniques in Circuit Analysis

Introduction to Laplace Transform Techniques in Circuit Analysis Unit 6 Introduction to Laplace Tranform Technique in Circuit Analyi In thi unit we conider the application of Laplace Tranform to circuit analyi. A relevant dicuion of the one-ided Laplace tranform i found

More information

Math Skills. Scientific Notation. Uncertainty in Measurements. Appendix A5 SKILLS HANDBOOK

Math Skills. Scientific Notation. Uncertainty in Measurements. Appendix A5 SKILLS HANDBOOK ppendix 5 Scientific Notation It i difficult to work with very large or very mall number when they are written in common decimal notation. Uually it i poible to accommodate uch number by changing the SI

More information

CONGESTION control is a key functionality in modern

CONGESTION control is a key functionality in modern IEEE TRANSACTIONS ON INFORMATION TEORY, VOL. X, NO. X, XXXXXXX 2008 On the Connection-Level Stability of Congetion-Controlled Communication Network Xiaojun Lin, Member, IEEE, Ne B. Shroff, Fellow, IEEE,

More information

III.9. THE HYSTERESIS CYCLE OF FERROELECTRIC SUBSTANCES

III.9. THE HYSTERESIS CYCLE OF FERROELECTRIC SUBSTANCES III.9. THE HYSTERESIS CYCLE OF FERROELECTRIC SBSTANCES. Work purpoe The analyi of the behaviour of a ferroelectric ubtance placed in an eternal electric field; the dependence of the electrical polariation

More information

EC381/MN308 Probability and Some Statistics. Lecture 7 - Outline. Chapter Cumulative Distribution Function (CDF) Continuous Random Variables

EC381/MN308 Probability and Some Statistics. Lecture 7 - Outline. Chapter Cumulative Distribution Function (CDF) Continuous Random Variables EC38/MN38 Probability and Some Statitic Yanni Pachalidi yannip@bu.edu, http://ionia.bu.edu/ Lecture 7 - Outline. Continuou Random Variable Dept. of Manufacturing Engineering Dept. of Electrical and Computer

More information

A Provably Secure Scheme for Remote User Authentication

A Provably Secure Scheme for Remote User Authentication A Provably Secure Scheme for Remote Uer Authentication Fuw-Yi Yang 1, Su-Hui Chiu 2 1 Department of Computer Science and Information Engineering, Chaoyang Univerity of Technology Taichung County 41349,

More information

(3) A bilinear map B : S(R n ) S(R m ) B is continuous (for the product topology) if and only if there exist C, N and M such that

(3) A bilinear map B : S(R n ) S(R m ) B is continuous (for the product topology) if and only if there exist C, N and M such that The material here can be found in Hörmander Volume 1, Chapter VII but he ha already done almot all of ditribution theory by thi point(!) Johi and Friedlander Chapter 8. Recall that S( ) i a complete metric

More information

MAE140 Linear Circuits Fall 2012 Final, December 13th

MAE140 Linear Circuits Fall 2012 Final, December 13th MAE40 Linear Circuit Fall 202 Final, December 3th Intruction. Thi exam i open book. You may ue whatever written material you chooe, including your cla note and textbook. You may ue a hand calculator with

More information

Unavoidable Cycles in Polynomial-Based Time-Invariant LDPC Convolutional Codes

Unavoidable Cycles in Polynomial-Based Time-Invariant LDPC Convolutional Codes European Wirele, April 7-9,, Vienna, Autria ISBN 978--87-4-9 VE VERLAG GMBH Unavoidable Cycle in Polynomial-Baed Time-Invariant LPC Convolutional Code Hua Zhou and Norbert Goertz Intitute of Telecommunication

More information

arxiv: v2 [nucl-th] 3 May 2018

arxiv: v2 [nucl-th] 3 May 2018 DAMTP-207-44 An Alpha Particle Model for Carbon-2 J. I. Rawlinon arxiv:72.05658v2 [nucl-th] 3 May 208 Department of Applied Mathematic and Theoretical Phyic, Univerity of Cambridge, Wilberforce Road, Cambridge

More information

RaneNote BESSEL FILTER CROSSOVER

RaneNote BESSEL FILTER CROSSOVER RaneNote BESSEL FILTER CROSSOVER A Beel Filter Croover, and It Relation to Other Croover Beel Function Phae Shift Group Delay Beel, 3dB Down Introduction One of the way that a croover may be contructed

More information

Gain and Phase Margins Based Delay Dependent Stability Analysis of Two- Area LFC System with Communication Delays

Gain and Phase Margins Based Delay Dependent Stability Analysis of Two- Area LFC System with Communication Delays Gain and Phae Margin Baed Delay Dependent Stability Analyi of Two- Area LFC Sytem with Communication Delay Şahin Sönmez and Saffet Ayaun Department of Electrical Engineering, Niğde Ömer Halidemir Univerity,

More information

DYNAMIC MODELS FOR CONTROLLER DESIGN

DYNAMIC MODELS FOR CONTROLLER DESIGN DYNAMIC MODELS FOR CONTROLLER DESIGN M.T. Tham (996,999) Dept. of Chemical and Proce Engineering Newcatle upon Tyne, NE 7RU, UK.. INTRODUCTION The problem of deigning a good control ytem i baically that

More information

arxiv: v3 [quant-ph] 23 Nov 2011

arxiv: v3 [quant-ph] 23 Nov 2011 Generalized Bell Inequality Experiment and Computation arxiv:1108.4798v3 [quant-ph] 23 Nov 2011 Matty J. Hoban, 1, 2 Joel J. Wallman, 3 and Dan E. Browne 1 1 Department of Phyic and Atronomy, Univerity

More information

Lecture 4 Topic 3: General linear models (GLMs), the fundamentals of the analysis of variance (ANOVA), and completely randomized designs (CRDs)

Lecture 4 Topic 3: General linear models (GLMs), the fundamentals of the analysis of variance (ANOVA), and completely randomized designs (CRDs) Lecture 4 Topic 3: General linear model (GLM), the fundamental of the analyi of variance (ANOVA), and completely randomized deign (CRD) The general linear model One population: An obervation i explained

More information

The Secret Life of the ax + b Group

The Secret Life of the ax + b Group The Secret Life of the ax + b Group Linear function x ax + b are prominent if not ubiquitou in high chool mathematic, beginning in, or now before, Algebra I. In particular, they are prime exhibit in any

More information

Statistics and Data Analysis

Statistics and Data Analysis Simulation of Propenity Scoring Method Dee H. Wu, Ph.D, David M. Thompon, Ph.D., David Bard, Ph.D. Univerity of Oklahoma Health Science Center, Oklahoma City, OK ABSTRACT In certain clinical trial or obervational

More information

New bounds for Morse clusters

New bounds for Morse clusters New bound for More cluter Tamá Vinkó Advanced Concept Team, European Space Agency, ESTEC Keplerlaan 1, 2201 AZ Noordwijk, The Netherland Tama.Vinko@ea.int and Arnold Neumaier Fakultät für Mathematik, Univerität

More information

ECE 3510 Root Locus Design Examples. PI To eliminate steady-state error (for constant inputs) & perfect rejection of constant disturbances

ECE 3510 Root Locus Design Examples. PI To eliminate steady-state error (for constant inputs) & perfect rejection of constant disturbances ECE 350 Root Locu Deign Example Recall the imple crude ervo from lab G( ) 0 6.64 53.78 σ = = 3 23.473 PI To eliminate teady-tate error (for contant input) & perfect reection of contant diturbance Note:

More information

CSE 355 Homework Two Solutions

CSE 355 Homework Two Solutions CSE 355 Homework Two Solution Due 2 Octoer 23, tart o cla Pleae note that there i more than one way to anwer mot o thee quetion. The ollowing only repreent a ample olution. () Let M e the DFA with tranition

More information

Asymptotics of ABC. Paul Fearnhead 1, Correspondence: Abstract

Asymptotics of ABC. Paul Fearnhead 1, Correspondence: Abstract Aymptotic of ABC Paul Fearnhead 1, 1 Department of Mathematic and Statitic, Lancater Univerity Correpondence: p.fearnhead@lancater.ac.uk arxiv:1706.07712v1 [tat.me] 23 Jun 2017 Abtract Thi document i due

More information

Molecular Dynamics Simulations of Nonequilibrium Effects Associated with Thermally Activated Exothermic Reactions

Molecular Dynamics Simulations of Nonequilibrium Effects Associated with Thermally Activated Exothermic Reactions Original Paper orma, 5, 9 7, Molecular Dynamic Simulation of Nonequilibrium Effect ociated with Thermally ctivated Exothermic Reaction Jerzy GORECKI and Joanna Natalia GORECK Intitute of Phyical Chemitry,

More information

Annex-A: RTTOV9 Cloud validation

Annex-A: RTTOV9 Cloud validation RTTOV-91 Science and Validation Plan Annex-A: RTTOV9 Cloud validation Author O Embury C J Merchant The Univerity of Edinburgh Intitute for Atmo. & Environ. Science Crew Building King Building Edinburgh

More information

4.6 Principal trajectories in terms of amplitude and phase function

4.6 Principal trajectories in terms of amplitude and phase function 4.6 Principal trajectorie in term of amplitude and phae function We denote with C() and S() the coinelike and inelike trajectorie relative to the tart point = : C( ) = S( ) = C( ) = S( ) = Both can be

More information