Padding Oracle Attacks on CBC-mode Encryption with Secret and Random IVs


Arnold K. L. Yau, Kenneth G. Paterson and Chris J. Mitchell
Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, UK
{a.yau,kenny.paterson,c.mitchell}@rhul.ac.uk

Abstract. In [8], Paterson and Yau presented padding oracle attacks against a committee draft version of a revision of the ISO CBC-mode encryption standard [3]. Some of the attacks in [8] require knowledge and manipulation of the initialisation vector (IV). The latest draft of the revision of the standard [4] recommends the use of IVs that are secret and random. This obviates most of the attacks of [8]. In this paper we consider the security of CBC-mode encryption against padding oracle attacks in this secret, random IV setting. We present new attacks showing that several ISO padding methods are still weak in this situation.

Keywords: padding oracle; CBC-mode; ISO standards; side channel

1 Introduction

Vaudenay [9] introduced the notion of padding oracle attacks on CBC-mode encryption. His work showed that several uses of CBC-mode encryption in well-known products and standards are potentially vulnerable to attack whenever the attacker can submit ciphertexts for decryption and has access to a side-channel which tells him only whether or not the corresponding plaintext is correctly padded. Canvel et al. [7] applied and extended the ideas of [9] to show that a particular implementation of SSL used to protect passwords could be attacked and the passwords extracted. Further padding methods were examined in [6]. In [8], Paterson and Yau examined the security of the ISO standard for CBC-mode encryption with respect to padding oracle attacks. The draft revision of the standard [3] analyzed in [8] proposes the use of padding methods from ISO/IEC [1] and ISO/IEC [2]. Paterson and Yau showed that several of these padding methods, when used with CBC-mode encryption, are vulnerable to padding oracle attacks (footnote 1). The work of [8] highlights the dangers of cutting-and-pasting methods from one set of standards into another.
Partly as a consequence of the work of [8], a later draft of the revised ISO standard [4] omits all mention of padding methods. Additionally, it recommends that integrity-protected secret and randomly chosen statistically unique IVs be used. The motivation for using secret IVs given in [4] is to prevent information leakage. The recommendation for random IVs is in line with the formal security analysis of [5], which shows (in a sense that can be made precise) that CBC-mode is secure provided that the underlying block cipher is strong and that the IV is random. We also note that [4] allows the use of multiple IVs (called starting variables, or SVs, in [4]) and interleaving of multiple cipher block chains; this allows for parallelism in encryption. We expect that in most applications a single IV will be used, and this is the situation we focus on here.

The attack model in [8] assumes that the IV can be chosen by the attacker and is submitted to the padding oracle along with the ciphertext. To be successful, most of the attacks in [8] do in fact require the attacker to have knowledge of the IV and the ability to manipulate it. For this reason, the attacks in [8] would not apply to CBC-mode as defined in [4] if the padding methods of [1] and [2] were used and if the new recommendations to use secret, random IVs were followed. More specifically, the only attack in [8] that remains practicable is Attack 2 against padding method 3 of [2]. This attack on its own arguably has a small impact on the confidentiality of data because it works only against the last one or two blocks of a target ciphertext and recovers relatively few useful data bits.

Footnotes:
(*) Supported by EPSRC and Hewlett-Packard Laboratories Bristol through CASE award
(1) In fact, [8] claims padding oracle attacks against the second edition of ISO/IEC 10116, though this edition of the standard makes no mention of padding methods. Padding methods did not appear in draft revisions of the standard until the committee draft stage in the proposed 3rd edition of ISO/IEC

Despite their omission from the draft ISO standard [4], padding methods are needed in order to fully specify the CBC-mode of operation. It is not unreasonable to assume that, in the absence of any other guidance, an implementer of CBC-mode according to [4] might borrow techniques from other ISO standards, as was indeed proposed in [3]. Here, we demonstrate that padding oracle attacks can still be effective against CBC-mode encryption even when IVs are secret and random. In particular, we show that several padding methods from [1, 2] are still weak even in this situation.

1.1 Attack Models

Before giving details of our attacks, we clarify the attack models under which these attacks will take place. When IVs are secret and random, a variety of practical methods could be used to ensure the IVs are available to both encrypting and decrypting parties. For example, the IV could be encrypted using ECB-mode and prefixed to the ciphertext. Alternatively, a value V could be prefixed to the ciphertext and the IV generated by encrypting V using ECB mode. Or, as a third possibility, a pre-agreed list of IVs could be used and an index sent with ciphertexts to indicate which entry in the list was used as the IV. Because these approaches include information determining IVs along with ciphertexts, they allow the adversary to influence which IV is used by the padding oracle when decrypting, without the adversary necessarily knowing the actual value of the IV.
In particular, they allow the adversary to force the oracle to re-use an old IV. We can model this kind of attack by assuming that, when submitting a ciphertext to the padding oracle, the attacker specifies an additional string I which in some way determines the IV used by the padding oracle. The contents of I will depend on the particular method used for establishing IVs: for example, in the case of encrypted IVs, I will simply be the encrypted IV, while in the case of a pre-established list, I would be an index in the list.

We expect that the above kind of approach for establishing secret, random IVs is most likely to be used in practice. But it is also conceivable that a second approach, in which no information at all about the IV is transmitted as part of ciphertexts, might be used. For example, the communicating parties may be able to maintain a synchronised counter and then obtain IVs by applying a keyed pseudo-random function to the counter. We also want to model attacks in this scenario, which presents a tougher attack environment to the adversary. We can do this by assuming that the padding oracle simply selects a fresh, random IV before every decryption and that no IV-related information is included in ciphertexts.

Thus in this paper, we will consider two slightly different attack models. In the first model, IVs are secret and random but are determined by additional information I available to the attacker and submitted to the oracle. In the second model, IVs are secret and random and the attacker has no control over the IV used by the padding oracle. Obviously, attacks in the second model are more powerful, but attacks in the first model already capture many likely practical situations.

1.2 Our Results

In Section 3.2, we introduce a new padding oracle attack against CBC-mode when used with padding method 3 of [1]. Our new attack applies for secret, random IVs in the first attack model. The new attack uses a set of auxiliary ciphertexts corresponding to plaintexts of different lengths as an aid to recovering the plaintext corresponding to a target ciphertext block.
The complexity of the attack depends on the spread of lengths of the auxiliary ciphertexts; it can be as low as n queries to the padding oracle, where n is the block size.

We have been able to adapt the attacks of [8] against CBC-mode when used with padding method 3 of [2] to the secret and random IV setting without significant penalties on complexity or generality. These attacks are applicable in our second, tougher attack scenario. An attack applicable to any ciphertext block is presented in Section 4.2. This attack first constructs a valid ciphertext with the target block as the final block and then uses the attack of Section 4.3 to decrypt that block. The first phase requires, on average, roughly 2^{r−1} calls to the padding oracle. Here r is a parameter associated with the padding method. The attack of Section 4.3 is applicable to the final block of any ciphertext and is always efficient, requiring only O(n) oracle queries to recover all the plaintext bits in the last block.

We note that our results do not contradict the results of [5], since the security model of [5] does not cater for the kind of side-channel information that a padding oracle provides to an attacker. We also note that all of our attacks are independent of the particular block cipher used.

Our attacks can be further developed to handle the situation where multiple IVs are in use. Again, we can obtain attacks against method 3 of [1] for multiple secret, random IVs in the first attack model. We can also find attacks against method 3 of [2] for multiple secret, random IVs in the second attack model. Since the modifications to our existing attacks are quite straightforward, we do not include the details in this paper. Nor have we analyzed the other padding methods from [1, 2] in the secret and random IV setting. Padding method 1 in both standards does not de-pad uniquely and is only useful when plaintexts have fixed or known lengths. We expect that padding oracle attacks may be possible against this method.
As was noted in [6, 8], padding method 2 in the two standards seems to be largely immune to such a side-channel analysis and indeed makes a good candidate for recommendation as a padding method in the ISO standard for CBC-mode encryption.

2 Symbols and Notation

We largely use the same notation as in [8], with only one major difference. In [8], the first block of the ciphertext C_0 submitted to the padding oracle was taken to be the IV. Here, the attacker no longer submits the IV (since he does not know it), but he may or may not submit additional information I, depending on whether the attack is in the first or second attack model. Therefore in our new notation, the first block of the ciphertext will be the first encrypted block C_1, and, in making padding oracle queries, we will prepend additional information I to ciphertexts whenever appropriate. The context will make clear when this is being done. For a detailed description of CBC-mode encryption, see [8, Section 2.2]. We summarise our other frequently used notation here for ease of reference.

C : ciphertext output after CBC-mode encryption; target ciphertext the attacker is trying to decrypt.
C' : ciphertext to be submitted to the padding oracle during an attack.
d_K(Y) : decryption of ciphertext block Y under key K.
D : unpadded data string to be CBC-mode encrypted.
e_K(X) : encryption of plaintext block X under key K.
I : information determining the IV in our first attack model.
IV : the initialisation vector used in CBC-mode.
L_D : the length (in bits) of the data string D.
n : the block size (in bits) of the block cipher.
P : the result of applying a given padding method to D.
q : the number of blocks in data string P after padding.
VALID and INVALID : padding oracle responses to, respectively, correct and incorrect padding after receipt and decryption of ciphertext.
X || Y : the result of concatenation of strings X and Y.
X ⊕ Y : the result of exclusive-or (XOR) of strings X and Y.

(X)_2 : the binary representation of the value X.
X_j : the j-th block of the plaintext or ciphertext X (1 ≤ j ≤ q).
X_{j,k} : the k-th bit of the plaintext or ciphertext block X_j, 0 ≤ k < n.

3 Analysis of Padding Method 3 of ISO/IEC [1]

3.1 Review of Padding Method and Previous Attack

We reproduce the original text of the padding method from [1]:

  The data string D to be input to the [...] algorithm shall be right-padded with as few (possibly none) '0' bits as necessary to obtain a data string whose length (in bits) is a positive integer multiple of n. The resulting string shall then be left-padded with a block L. The block L consists of the binary representation of the length (in bits) L_D of the unpadded data string D, left-padded with as few (possibly none) '0' bits as necessary to obtain an n-bit block. The right-most bit of the block L corresponds to the least significant bit of the binary representation of L_D.

The attack in [8, Section 3.4] decrypts, one block at a time, arbitrary ciphertexts C_1 || C_2 || ... || C_q that are padded using the above method. The attack makes repeated use of a padding oracle and has two phases. The general case of the first phase applies to ciphertexts consisting of three or more blocks and was presented as Algorithm m3-get-L_D-general in [8]. The algorithm, when given a q-block valid ciphertext as input, finds L_D by manipulating the padding bits. The procedure requires the re-use of old IVs. Since we will use it in our new attack, we reproduce this algorithm here as Algorithm 1, with notation modified to reflect the use of additional information I to determine IVs. In the algorithm (which, in common with all the algorithms presented here, can be found in the Appendix), I denotes the IV-determining information that accompanied the target ciphertext. The special case of the first phase applies to two-block ciphertexts and was presented as Algorithm m3-get-L_D-special in [8]. This algorithm does require the ability to directly manipulate bits in the IV and so does not apply in either of our attack models.
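To make the length-block format quoted above concrete, here is an added Python illustration (not code from the paper) of padding method 3 of [1]: the pad operation, a strict de-pad that returns the VALID/INVALID decision a padding oracle would leak, the quantity F = L_D mod n used in Section 3.2, and the average query-count formula of Section 3.3. Bit strings are modelled as Python strings of '0'/'1' characters and the function names are my own.

```python
"""Padding method 3 of ISO/IEC [1]: length block L prefixed, zero bits appended.
Added illustration, not the paper's code.  A bit string is a str of '0'/'1'."""


def pad_method3_iso1(data: str, n: int) -> str:
    """Return P = L || D || 0...0 for the bit string D and block size n."""
    if n <= 0 or any(c not in "01" for c in data):
        raise ValueError("bad input")
    l_d = len(data)
    if l_d >= 2 ** n:
        raise ValueError("L_D does not fit in an n-bit length block")
    # as few '0' bits as necessary to reach a *positive* multiple of n:
    # an empty D therefore receives a full block of zeros
    zeros = n if l_d == 0 else (-l_d) % n
    length_block = format(l_d, "b").zfill(n)   # (L_D)_2, left-padded with 0s
    return length_block + data + "0" * zeros


def unpad_method3_iso1(padded: str, n: int):
    """Strict de-padding.  Returns D, or None when the padding is malformed.
    A padding oracle leaks exactly this None / not-None distinction."""
    if len(padded) < 2 * n or len(padded) % n != 0:
        return None
    l_d = int(padded[:n], 2)                    # the length block L
    zeros = n if l_d == 0 else (-l_d) % n
    if len(padded) != n + l_d + zeros:
        return None                             # length block inconsistent
    data, tail = padded[n:n + l_d], padded[n + l_d:]
    if tail != "0" * zeros:
        return None                             # a 1 in the zero-fill region
    return data


def f_value(l_d: int, n: int) -> int:
    """F = L_D mod n (Section 3.2).  When F != 0 the last plaintext block
    holds F data bits followed by n - F zero padding bits."""
    return l_d % n


def expected_queries(f_values, n: int) -> int:
    """Average oracle-query count of Section 3.3:
    sum_{j=1}^{m} 2^(F_{j+1} - F_j - 1) with F_{m+1} = n,
    for distinct non-zero F_1 < ... < F_m <= n - 1."""
    fs = sorted(f_values)
    if not fs or fs[0] < 1 or fs[-1] > n - 1 or len(set(fs)) != len(fs):
        raise ValueError("F values must be distinct and lie in 1..n-1")
    fs.append(n)
    return sum(2 ** (fs[j + 1] - fs[j] - 1) for j in range(len(fs) - 1))


if __name__ == "__main__":
    # constructed sample: 12 data bits, 8-bit blocks
    p = pad_method3_iso1("101100110011", 8)
    print(p, unpad_method3_iso1(p, 8))
    # the byte-oriented 64-bit example of Section 3.3 and the best case
    print(expected_queries(range(8, 57, 8), 64), expected_queries(range(1, 64), 64))
```

The two `expected_queries` calls reproduce the paper's "roughly 900" (exactly 896) for lengths 8, 16, ..., 56 modulo 64, and n − 1 = 63 when every F_j is present.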
The second phase of the attack on Method 3 of ISO/IEC [1] in [8, Section 3.4] is the actual decryption. Algorithm m3-decrypt in [8] returns the rightmost n − 1 bits of a plaintext block but in so doing makes repeated updates to the IV. It is therefore unusable in our attack models. Algorithm m3-decrypt-last-bit in [8] returns the leftmost bit of a plaintext block. It is also unusable, since it requires a customised setting of the IV and a successful run of Algorithm m3-decrypt.

3.2 An Attack with Secret and Random IVs

We require some further mild assumptions in order to obtain an attack against padding method 3 of [1] with secret and random IVs. The attack is in our first attack model. We assume that, in addition to having a target ciphertext C which he wishes to decrypt, the attacker has also gathered a set of m auxiliary ciphertexts labelled C^1, C^2, ..., C^m, and associated IV-determining information I_1, ..., I_m. We write q_j for the number of blocks in ciphertext C^j and require that q_j ≥ 3 for each j. The attacker can immediately use Algorithm 1 and the padding oracle to find the length L_j of each ciphertext C^j. We write F_j = L_j mod n. We require that the F_j be distinct and that no F_j is equal to zero. Without loss of generality, we can then write 1 ≤ F_1 < F_2 < ... < F_m ≤ n − 1. We also set F_{m+1} = n. Notice that auxiliary ciphertexts with the required properties can easily be selected from a larger pool of ciphertexts. The auxiliary ciphertexts are not themselves decrypted in the course of the attack (though they can individually be used as target ciphertexts if their decryption is desired). Our attack is presented in Algorithm 2 and described in words below.

The attack attempts to recover the plaintext block P_k matching the block C_k of the q-block ciphertext C. In fact, we are only able to extract the rightmost n − F_1 bits of P_k for each k ≥ 2. The attack attempts to construct, for decreasing values of j, a valid q_j-block ciphertext whose last block is the target block C_k and whose first block is C_1^j. Because of the padding rule, such a ciphertext must correspond to a plaintext in which the last block P_{q_j} consists entirely of 0s in the rightmost n − F_j positions. By carefully controlling the values in the penultimate ciphertext block, we can ensure that only a relatively small number of trials is needed in order to achieve this for each successive value of j. Eventually, when j = 1, we have a ciphertext with last block C_k where the matching plaintext block P_{q_1} has 0s in the rightmost n − F_1 positions. From this information and C_{k−1} it is easy to recover the rightmost n − F_1 positions of the original plaintext block P_k.

We now explain in more detail the operation of the attack. We begin by considering the rightmost n − F_m positions. Consider submitting to the padding oracle a ciphertext of the form:

  I_m, C_1^m || ... || S || C_k   (q_m − 3 further blocks between C_1^m and S)

where S is a block taking on a random value in the rightmost n − F_m positions. Because I_m determines the original IV used in obtaining C^m, block C_1^m indicates that n − F_m '0' padding bits should be found in the last plaintext block, and hence the oracle will return VALID with a probability of 2^{F_m − n}. An INVALID response indicates that another value of S should be tested. In the algorithm we simply use an increasing (n − F_m)-bit counter for this purpose. After an average of around 2^{n − F_m − 1} and at most 2^{n − F_m} trials, we will obtain a VALID response. In this case, we learn that S ⊕ d_K(C_k) is equal to 0 in the rightmost n − F_m positions. Notice that from this information and knowledge of C_{k−1}, we could immediately recover the rightmost n − F_m bits of P_k. However, we now preserve the successful value of S by setting R = S, and proceed to examine the rightmost n − F_{m−1} bits.
Now consider submitting to the padding oracle a ciphertext of the form:

  I_{m−1}, C_1^{m−1} || ... || S || C_k   (q_{m−1} − 3 further blocks between C_1^{m−1} and S)

where now S is a block taking on a random (F_m − F_{m−1})-bit value in positions F_{m−1}, F_{m−1} + 1, ..., F_m − 1, and equalling R in the rightmost n − F_m positions. Now block C_1^{m−1} indicates that n − F_{m−1} '0' padding bits should be found in the last plaintext block. By using R to set the rightmost n − F_m bits of S, we have already arranged 0 bits in the rightmost n − F_m positions of the last plaintext block. So the oracle returns a VALID response with probability 2^{−(F_m − F_{m−1})}. Again, we use a counter to test the 2^{F_m − F_{m−1}} values in positions F_{m−1}, F_{m−1} + 1, ..., F_m − 1. After an average of about 2^{F_m − F_{m−1} − 1} and at most 2^{F_m − F_{m−1}} trials, we will obtain a VALID response. In this case, we learn that S ⊕ d_K(C_k) is equal to 0 in the rightmost n − F_{m−1} positions.

It is now straightforward to see how Algorithm 2 proceeds in this manner to eventually construct a valid ciphertext of the form:

  I_1, C_1^1 || ... || R || C_k   (q_1 − 3 further blocks between C_1^1 and R)

so that the corresponding last plaintext block contains '0' padding bits in the rightmost n − F_1 positions. Then a simple calculation shows that the rightmost n − F_1 bits of P_k are equal to the rightmost n − F_1 bits of the block R ⊕ C_{k−1}.

3.3 Complexity and Impact

It takes an average of just over 2^{F_{j+1} − F_j − 1} oracle queries to obtain a VALID response and recover the bits at positions F_j to F_{j+1} − 1 of P_k. So the average number of oracle queries needed to recover n − F_1 bits of plaintext is

  Σ_{j=1}^{m} 2^{F_{j+1} − F_j − 1}.

The worst-case complexity is twice this. Notice that when F_1 = 1 and F_{j+1} − F_j = 1 for each j, the average number of oracle queries needed to decrypt all but the leftmost bit of an n-bit block is just n − 1. In this case, at most two oracle queries are made for each j. In fact, since the outcome of the second oracle query is determined by the first, it is trivial to modify the attack so that n − 1 queries also represents the worst-case performance.

As an example, suppose the block size n = 64 and the data is byte-oriented. Suppose we can obtain 7 auxiliary ciphertexts whose lengths modulo 64 are 8, 16, 24, ..., 56. Then we have m = 7 and the average number of oracle queries needed to obtain 56 out of 64 plaintext bits is roughly 900. If the plaintext has some sort of predictability (e.g. ASCII characters making up an English text, or certain positions in a message within some known protocol), then the remaining byte might be easily guessed.

3.4 Limitations

Unfortunately, we have not succeeded in finding a method to extract the leftmost F_1 bits of the plaintext block P_k. The underlying reason is that, when the original data fits exactly within blocks, the default padding rule is to add no padding bits at all. This makes it difficult to set up a padding oracle test giving plaintext information.

Algorithm 1 can only find the contents of the length block for ciphertexts with at least 3 blocks. Whilst we are usually more interested in plaintext bits than length information, it would be convenient if Algorithm 2 could be applied to block C_1 of a two-block target ciphertext to extract the length information L_D. However, this would require knowledge of the IV (since block C_{k−1} is used at the last stage of our attack to recover the original plaintext bits). A lower bound on this length can be found by running Algorithm 2 on target block C_2 and finding the position of the rightmost one in P_2.

3.5 Comparison

The secret and random conditions on IVs have forced us to develop a completely new attack strategy against padding method 3 of [1].
The corresponding attack in [8] makes near-optimal use of the padding oracle and extracts all plaintext bits. To be efficient, our new attack requires the collection of auxiliary ciphertexts with a good spread of data lengths. There might be scenarios where this is unrealistic. Our new attack can never extract the leftmost data bits in each block. In the best case, it can recover all but the leftmost bit of plaintext using an optimal number of oracle queries (if we ignore the cost of finding the lengths of the auxiliary ciphertexts). Our attack cannot be extended to yield efficient attacks in the second attack scenario in which the adversary has no information about IVs at all. The reason is that the length information is placed in the first plaintext block; as a result, a random setting of the IV is almost certain to produce an INVALID response from the padding oracle. In summary, in comparison to [8], the secret IV restriction has succeeded in increasing the complexity and decreasing the effectiveness of an attack. However, the attack is still feasible in many circumstances.

4 Analysis of Padding Method 3 of ISO/IEC [2]

4.1 Review of Padding Method and Previous Attacks

We reproduce below the original description of the padding method from [2], except that here, and throughout, we use n in place of L_1 to denote the block size:

  This padding method requires the selection of a parameter r (where r ≤ n), e.g. r = 64, and a method of encoding the bit length of the data D, i.e. L_D, as a bit string of length r. The choice for r will limit the length of D, in that L_D < 2^r. The data D [...] is padded using the following procedure.

  1. D is concatenated with a single '1' bit.
  2. The result of the previous step is concatenated with between zero and n − 1 '0' bits, such that the length of the resultant string is congruent to n − r modulo n. The result will be a bit string whose length will be r bits short of an integer multiple of n bits (in the case r = n, the result will be a bit string whose length is an exact multiple of n bits).
  3. Append an r-bit encoding of L_D using the selected encoding method, yielding the padded version of D.

No encoding method (for L_D) is specified in the standard. We assume that base 2 encoding is used. Our attacks here work no matter which encoding method is used, though the attacker needs to know this method. Using this padding method, the padding bits for data string D are appended in one of two ways:

Same-block: Here (L_D mod n) ≤ (n − r − 1). The last block of D has enough space after the last data bit to contain at least a single '1' bit and the r bits encoding L_D. The number of padding bits (including the length information) is between r + 1 and n − 1.

Cross-block: Here (L_D mod n) ≥ (n − r). The last block of D does not have enough space to contain a '1' bit and the r bits encoding L_D. The number of bits padded is between n and n + r and the padding either fits exactly into an extra block or extends over two blocks. Note that this will always be the case when r = n or r = n − 1.

In [8], the authors presented two inter-dependent attacks against this padding method. The first attack creates a valid ciphertext with the target ciphertext block as the last block, while the second attack decrypts the last block of any ciphertext. In more detail, Attack 1 of [8] (named "directed IV search") takes a ciphertext block C_k as input, and outputs a valid ciphertext of the form IV || C_k. It operates by searching for an IV setting that produces a valid ciphertext. This ciphertext is then fed into Attack 2 for decryption. The need to vary the IV in a controlled manner means that the attack does not work when IVs are secret.
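An added Python illustration (not the paper's code) of the padding method with parameter r just described: the three-step pad, the same-block / cross-block classification, and a strict de-pad whose None result corresponds to the INVALID response a padding oracle reports. Base-2 encoding of L_D is assumed as in the text, bit strings are str of '0'/'1', and the function names are my own.

```python
"""Padding method 3 of ISO/IEC [2] with parameter r.  Added illustration, not
the paper's code.  A bit string is a str of '0'/'1'; L_D is encoded in base 2."""


def pad_method3_iso2(data: str, n: int, r: int) -> str:
    """Return D || 1 || 0^z || (L_D)_2 with z in [0, n-1] chosen so that the
    part before the r-bit length field is congruent to n - r modulo n."""
    if not (1 <= r <= n) or any(c not in "01" for c in data):
        raise ValueError("bad input")
    l_d = len(data)
    if l_d >= 2 ** r:
        raise ValueError("L_D must be < 2^r")
    z = (n - r - (l_d + 1)) % n                # step 2: zero bits to add
    return data + "1" + "0" * z + format(l_d, "b").zfill(r)


def padding_kind(l_d: int, n: int, r: int) -> str:
    """Same-block when (L_D mod n) <= n - r - 1, otherwise cross-block."""
    return "same-block" if l_d % n <= n - r - 1 else "cross-block"


def padded_bits(l_d: int, n: int, r: int) -> int:
    """Number of appended bits: r+1..n-1 in the same-block case,
    n..n+r in the cross-block case."""
    return len(pad_method3_iso2("0" * l_d, n, r)) - l_d


def unpad_method3_iso2(padded: str, n: int, r: int):
    """Strict de-padding.  Returns D, or None when the padding is malformed
    (the oracle's INVALID).  Checks the length field, the '1' delimiter and
    that every bit between the delimiter and the length field is '0'."""
    if len(padded) < n or len(padded) % n != 0:
        return None
    l_d = int(padded[-r:], 2)                   # trailing r-bit length field
    body = padded[:-r]
    if l_d >= len(body) or body[l_d] != "1":
        return None                             # delimiter bit missing
    z = len(body) - l_d - 1
    if z > n - 1 or body[l_d + 1:] != "0" * z:
        return None                             # bad zero fill (step 2)
    return body[:l_d]


if __name__ == "__main__":
    # constructed samples with n = 64, r = 16: 40 data bits fit in one block,
    # 56 data bits force the padding across a second block
    for bits in (40, 56):
        p = pad_method3_iso2("1" * bits, 64, 16)
        print(bits, padding_kind(bits, 64, 16), len(p), padded_bits(bits, 64, 16),
              unpad_method3_iso2(p, 64, 16) == "1" * bits)
```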
Attack 2 of [8] (named "attacking the last block(s)") takes as input a whole ciphertext and operates in two phases. In the first phase, it finds L_D; in some cases (including those resulting from Attack 1 of [8]) this involves changing bits in the IV. So this phase does not work in general for secret IVs. In the second phase plaintext bits are extracted. In the case of a same-block padded ciphertext, this second phase does not require any control over the IV. So it will continue to function with only minor modifications in the new setting. In the case of a cross-block padded ciphertext, the second phase can be used to speed up Attack 1 of [8]. This will fail with secret IVs, since Attack 1 of [8] requires their controlled modification.

Despite the failure of Attacks 1 and 2 of [8], a similar strategy can be followed and the original attacks can be modified to work in the tougher of our two attack scenarios. Analogues of Attacks 1 and 2 of [8] are presented in Sections 4.2 and 4.3.

4.2 Attacking an Arbitrary Ciphertext Block

The attack we present in this section attempts to decrypt an arbitrary block C_k of a ciphertext C_1 || C_2 || ... || C_q. In fact, our attacks only work for k ≥ 2. It proceeds in two phases. In the first phase, a valid ciphertext is constructed having C_k as the final block. In the second phase, the attack of Section 4.3 is used to decrypt that final block. From this, P_k is easily found. Note that if C_q is the target block, then one should proceed directly to the attack of Section 4.3.

Phase 1: Constructing a valid ciphertext

In this phase, we construct a valid three-block or four-block ciphertext having target block C_k as the last block. We aim for ciphertexts of these lengths because they simplify the second phase of the attack: we will see in Section 4.3 that ciphertexts containing q ≥ 3 blocks are the easiest ones to deal with. This phase splits into two cases, dependent on the value of r.

In the first case, we have r < n. The algorithm for this case is given in Algorithm 3 and is next described in words. The algorithm essentially submits three-block ciphertexts of the form:

  0^n || R_2 || C_k

to the padding oracle, for various values of R_2 chosen in such a way that at least one choice is guaranteed to produce a valid ciphertext. Our algorithm works no matter what IVs are used by the padding oracle. Note that we suppress any information I in submissions to the padding oracle here, and throughout this section, because we are operating in the second attack model. In more detail, a counter i is used to determine the rightmost r + 1 bits of R_2, while the leftmost n − r − 1 bits are set to 0. This effectively means that ciphertexts with all possible values of the length field in plaintext block P_3 are submitted to the oracle as i runs between 0 and 2^r − 1, the first half of the search space. At least one choice of i in this range is guaranteed to result in a VALID response from the oracle unless C_k and the selection of R_2 mean that the leftmost n − r bits of P_3 are all 0. If this last case occurs, then considering all i between 2^r and 2^{r+1} − 1 ensures that one of the leftmost n − r bits of P_3 is a 1 and that at least one choice of i results in a VALID response. We will evaluate the average and worst-case complexity of this case of Phase 1 below.

In the second case, where r = n, a similar attack applies. We now submit four-block ciphertexts of the form:

  0^n || R_1 || R_2 || C_k

to the padding oracle, where we try all possible settings of R_2 and the rightmost bit of R_1. We are then guaranteed to encounter a valid ciphertext after a maximum of 2^{n+1} oracle calls. The algorithm for this case is given in Algorithm 4; we analyse its complexity in detail below.
Phase 2: Decrypting C_k

Once we have a valid three- or four-block ciphertext, the attack of Section 4.3 can be applied to obtain the plaintext block P_3 (or P_4 in the four-block case) corresponding to the final block of C'. From P_3, the original plaintext block P_k can be recovered using the relation P_k = P_3 ⊕ R_2 ⊕ C_{k−1}. (A similar procedure applies for the four-block case.) As we shall see below, the attack of Section 4.3 is always efficient when attacking the last block of a three-block (or four-block) ciphertext. So this approach allows efficient extraction of P_k.

A little more detail is appropriate at this stage. We focus on the three-block case. The first phase of the attack in Section 4.3 finds the length L_D of the data encrypted in C'. If L_D > 2n, then the data is same-block padded, while if L_D ≤ 2n it is cross-block padded. If it happens that the data is cross-block padded, then all the bits in P_3 (or P_4 in the four-block case) are already determined and are of the form:

  0^{n−r} || (L_D)_2    or    1 0^{n−r−1} || (L_D)_2

with the length field (L_D)_2 occupying the rightmost r positions. So in this case no actual decryption step is needed to recover P_k. Notice that this case will always apply when r = n or r = n − 1. When the data is same-block padded, we must proceed to the second phase of the attack in Section 4.3. In the three-block case, this phase will efficiently recover the entire plaintext block P_3 consisting of (in general) data bits, padding bits and length information. From P_3, we can recover P_k using the relation P_k = P_3 ⊕ R_2 ⊕ C_{k−1}. A similar procedure applies for the four-block case.

Complexity

We begin by analyzing Phase 1 of the attack in the case where r < n. The analysis is complicated by the fact that Algorithm 3 might output a valid three-block ciphertext C' for which the corresponding plaintext P = P_1 || P_2 || P_3 is cross-block padded. This will have the effect of slightly lowering the average-case complexity when compared to the corresponding attack in [8]. Such a cross-block padded plaintext requires that blocks P_2 || P_3 take the form:

  P_{2,0} P_{2,1} ... P_{2,L_D−n−1} || 1 0^{2n−L_D−1} || 0^{n−r} || (L_D)_2

where each P_{2,i} can be either a 0 or 1 bit and (2n − r) ≤ L_D ≤ (2n − 1). There are r n-bit patterns (corresponding to the r possible values of L_D) for P_3 that have the correct form. So the probability that Phase 1 produces cross-block padding is at most r·2^{−r} as we vary the rightmost r bits of R_2 in Algorithm 3. Of course, such cross-block padding may never occur during the execution of Algorithm 3: given that R_1 and the decryption key K are fixed, there may be no choice of R_2 that produces the required bit pattern in P_2 = d_K(R_2) ⊕ R_1. In any case, we see that there is a probability of at least 1 − 2^{r−n} that either there is a 1 somewhere in the leftmost n − r bits of P_3, or we obtain a cross-block padded ciphertext. In these cases, Algorithm 3 takes on average 2^{r−1} oracle calls. On the other hand, there is a probability of at most 2^{r−n} that the leftmost n − r bits of P_3 are all 0 and Algorithm 3 tries all 2^r possible settings for the rightmost bits of P_3 without a VALID response. Algorithm 3 will then take on average a further 2^{r−1} oracle calls before obtaining a VALID response. A simple calculation now shows that the average number of oracle calls needed by Algorithm 3 is at most 2^{r−1} + 2^{2r−n}, while in the worst case it is 2^{r+1}. When r is small relative to n, the average-case complexity is dominated by the term 2^{r−1}.

Phase 1 of the attack in the case r = n uses Algorithm 4. This algorithm uses on average 2^n oracle calls to obtain a VALID response and 2^{n+1} in the worst case. Phase 2 uses the attack in Section 4.3 for the same-block padded case, which has a complexity of O(n) oracle calls. So Phase 2 does not contribute significantly to the overall complexity required to decrypt a single block (unless r is very small).

Impact

This attack applies to any ciphertext block C_k of a ciphertext C_1 || C_2 || ... || C_q, except for the first block C_1. It is not possible to decrypt C_1 because of the use of the relation P_k = P_3 ⊕ C_{k−1} ⊕ R_2 at the end of the attack: this would necessitate an XOR with the secret IV. The attack recovers all bits within the block and does so many orders faster than exhaustive search for many choices of r. When r = n our attack is still better than exhaustive key search for block ciphers whose key size is greater than the block length. We restate the observation from [8] that the seemingly innocuous parameter r has unexpected implications for security.

Comparison

This attack is an adaptation of Attack 1 in [8] to the second of our attack models, where IVs are secret, random and completely hidden from the adversary. These extra restrictions do not seem to be a major hindrance to the effectiveness of the attack. Specifically, the complexity of the attack has remained practically the same as the corresponding attack in [8], and, except for the first ciphertext block, the impact remains unchanged. The attack uses three-block or four-block ciphertexts instead of two-block ones when r < n; this is not expected to be of any practical significance.

4.3 Attacking the Last Block(s)

The attack we present in this section attempts to decrypt the last block C_q of a ciphertext C_1 || C_2 || ... || C_q. It is an adaptation of Attack 2 in Section 4.3 of [8] to the secret and random IV setting, and, like that attack, proceeds in two phases. Phase 1 determines the length L_D of the ciphertext, while Phase 2 will recover plaintext bits in the mixed block containing both padding and data bits. (If there is such a block, then it is unique.) Recall that, as well as being directly applicable to the last block C_q, our attack can also be used in conjunction with the attack in Section 4.2 to decrypt arbitrary ciphertext blocks.

Phase 1: Finding $L_D$. This phase of our attack is derived from the corresponding phase in [8]. The case $q = 2$ requires special treatment and our methods fail completely when $q = 1$. We first examine the general case $q \ge 3$. For ease of presentation we take $r \le n - 2$, but Algorithm 5 handles all values of $r$. Here, in the same-block padded case, the last plaintext block $P_q$ has the following format:

$$\underbrace{[\mathrm{DATA}]}_{t}\;\underbrace{1\,0\ldots0}_{p}\;\underbrace{(L_D)_2}_{r}$$

where $t + p + r = n$ and $p \ge 1$. In the cross-block padded case, the above format spans the last two blocks $P_{q-1}$ and $P_q$ and we put $t + p + r = 2n$. We note that the attacker does not, at first, know which of the cases he is faced with. Given our $q$-block ciphertext, the rightmost position at which a data bit could ever reside is $P_{q,n-r-2}$. Consider submitting to the padding oracle the ciphertext

$$C_1\,C_2 \ldots C_{q-1} \oplus \underbrace{0\ldots0}_{n-r-2}\,1\,\underbrace{0\ldots0}_{r+1}\;\;C_q .$$

The oracle will return either:

VALID, meaning the padding has not been disturbed, so the bit flipped in $P_q$ by modifying $C_{q-1}$ is a data bit. Since this bit is at the rightmost possible data bit position, we can deduce that the data length $L_D$ equals $(q-1)n + n - r - 1 = qn - r - 1$; or

INVALID, meaning a padding bit has been flipped so the padding is no longer valid. Therefore the padding boundary is somewhere to the left of this bit.

We can generalise the above observation about $P_{q,n-r-2}$ to produce Algorithm 5, a binary search algorithm to find $L_D$. In this algorithm, we initialise two pointers $l$ and $u$ at the extremities of the possible padding range and modify the ciphertext so as to invert the plaintext bit that lies in the middle position $h := \lfloor (l+u)/2 \rfloor$ of the range. We then submit the ciphertext to the oracle. A VALID response means the start of the padding is to the right of this test bit, so we set the lower pointer $l$ to the position $h+1$, whereas INVALID indicates it is to the left and we set the upper pointer $u$ to $h$. We must then reset the test bit before proceeding to the next test.
This process is repeated until the upper and lower pointers coincide, at which point they mark the data/padding boundary: the position immediately to the right of the rightmost data bit, which is $L_D$ itself. Clearly, the algorithm makes roughly $\log_2 n$ calls to the padding oracle and so is efficient. This completes our discussion of the general case where $q \ge 3$.

Next we focus on the case $q = 2$. This case requires special treatment because setting up a binary search as above requires the ability to modify plaintext bits in the whole range of padding positions, which in this case includes those in the rightmost $r$ positions of the plaintext block $P_1$. This in turn necessitates the ability to modify bits in the corresponding positions of the IV, which is not possible in the setting of secret and random IVs. Our solution, presented in Algorithm 6, is to perform a binary search over the restricted range of those padding positions in the second (and last) plaintext block $P_2$. This is done by initialising the lower and upper pointers to $n$ and $2n - r - 1$ respectively. If the search finishes pointing to any position between $P_{2,1}$ and $P_{2,n-r-1}$ then this indicates the actual leftmost padding position, from which $L_D$ can be determined. On the other hand, if the search ends pointing at $P_{2,0}$, then we can deduce that the bit at that position is a padding bit and hence the boundary is somewhere to the left of that position. From this we can deduce that the plaintext block $P_2$ consists only of padding bits and encoded length information, and that $L_D \le n$. We could go further and deduce most of the contents of block $P_2$, but these bits are not usually of much interest to the attacker. In this case, we cannot continue with the attack. We note that this $q = 2$ version of the length-finding algorithm is never invoked by the attack in Section 4.2 (unless $C_2$ is the last block and happens to be the initial target).

Finally we consider the case $q = 1$. Here we are not able to find $L_D$ by performing any kind of search for the data/padding boundary, since this would require manipulating the IV. Thus our methods fail in this case.

Phase 2: Decrypting. We assume that $q \ge 2$ and that $L_D$ has been successfully obtained from Phase 1. This will always be the case for $q \ge 3$ and often the case for $q = 2$. Same-block and cross-block padded messages are treated differently; recall that knowledge of $L_D$ tells the attacker which case he is faced with.

Decrypting: Same-block. Recall the structure of the last plaintext block $P_q$: $t$ unknown data bits, followed by $p$ padding bits of the form $1\,0\ldots0$, and finally $r$ bits encoding the data length $L_D$. The only bits remaining to be found are the $t$ data bits. We can assume that $t \ge 1$ and recover these as follows. Consider submitting to the oracle the ciphertext $C' = R\,C_q$ where

$$R = C_{q-1} \oplus \underbrace{0\ldots0}_{n-r}\,\underbrace{(L_D)_2}_{r} \oplus \underbrace{0\ldots0}_{t}\,\underbrace{1\,0\ldots0}_{p}\,\underbrace{(n+t-1)_2}_{r} .$$

This ciphertext is constructed in such a way that, after decryption to obtain plaintext $P'_1 P'_2$, the length field in $P'_2$ encodes the length $n + t - 1$, while the $p$ padding bits are modified to be all 0s. Moreover, data bits are copied intact from $P_q$ to $P'_2$, so that $P_{q,i} = P'_{2,i}$ for $0 \le i < t$. From the construction of $C'$, we see that the oracle will output VALID if and only if $P'_{2,t-1} = 1$. Since $P_{q,t-1} = P'_{2,t-1}$, we can obtain the last data bit of block $P_q$. This idea can be extended to recover all $t$ data bits in $P_q$ in a similar manner: we reduce the length field in $P'_2$ one step at a time whilst fixing the data in all recovered bit positions to be 0, so that they become part of a valid padding. A single bit of $P'_2$, and hence of $P_q$, is revealed at each iteration, until all the data bits in $P_q$ are recovered. This procedure is given in detail in Algorithm 7. Note that the algorithm makes use of the function $\Omega$ defined by

$$\Omega(C) = \begin{cases} 1 & \text{if the padding oracle returns VALID for input } C, \\ 0 & \text{if the padding oracle returns INVALID for input } C. \end{cases}$$

Note that $\Omega$ is the complement of the function $\Omega$ in [8].

Decrypting: Cross-block. For cross-block padded plaintexts with $q \ge 3$ blocks, $P_q$ is determined completely by $L_D$ and the padding.
However, the padding often extends into the penultimate plaintext block $P_{q-1}$, and we can exploit this fact when decrypting block $C_{q-1}$. Suppose $t = L_D \bmod n$ and $t \ne 0$. Then $u = n - t$ bits of padding of the form $1\,0\ldots0$ are present in $P_{q-1}$. We show how to decrypt $C_{q-1}$ using the attack in Section 4.2, but with a speed-up factor of $2^{u-1}$. Consider ciphertexts of the form $C' = 0^n\,R_2\,C_{q-1}$ where

$$R_2 = C_{q-2} \oplus \underbrace{0\ldots0}_{t}\,\underbrace{1\,0\ldots0}_{u} \oplus \underbrace{0\ldots0}_{n-r}\,\underbrace{(3n-r-1)_2}_{r} .$$

Upon decryption, this ciphertext will produce a plaintext block $P'_3$ of the form

$$P'_{3,0}P'_{3,1}\ldots P'_{3,t-1}\;y_0 y_1 \ldots y_{u-1}$$

where $y_0 y_1 \ldots y_{u-1}$ are the $u$ least significant bits of the binary encoding of the length field $3n - r - 1$ (the known padding bits are first cancelled to 0 and then overwritten by the length mask; this description assumes $u \le r$, so that the $u$ known bits fall within the length field). Now it is straightforward to see that running through all $2^{r-u+1}$ settings of the $r - u + 1$ bits immediately to the left of the rightmost $u$ bits (by varying the relevant bits of $R_2$) will ensure that at least one valid three-block ciphertext $C'$ is obtained. Naturally, after obtaining such a valid $C'$, we can apply the attack of this section again, now using $C'$ as the input ciphertext. Eventually, that attack will output a candidate $P'_3$ for the decryption of block $C_{q-1}$ in ciphertext $C'$; from this we can deduce the decryption $P_{q-1}$ of $C_{q-1}$ in the original ciphertext $C$ using the relation $P_{q-1} = P'_3 \oplus R_2 \oplus C_{q-2}$. This strategy takes on average about $2^{r-u}$ oracle calls, which is roughly a fraction $2^{-(u-1)}$ of the number of oracle calls needed on average by Algorithm 3 without the knowledge of the $u$ padding bits. Unfortunately this strategy does not work for two-block cross-block padded ciphertexts in our attack model, because the very last step would need to use the IV in place of $C_{q-2}$.
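The following Python program is an added worked example, not code from the paper: it simulates the secret-IV CBC padding oracle for the padding method analysed here (a single 1, the fewest 0s that fill the block, then the $r$-bit length) and runs Algorithm 5 (finding $L_D$), Algorithm 7 (same-block decryption of the last block) and the Section 4.2 combination, in which Algorithm 3 first manufactures a valid three-block ciphertext ending in the target block and $P_k = P_3 \oplus R_2 \oplus C_{k-1}$ is then read off. The block cipher, its key, the IV and the 150-bit message are all constructed for the demonstration: a 4-round Feistel network over SHA-256 with $n = 64$ and $r = 8$ stands in for the $n$-bit block cipher so that the example runs offline without any third-party library. The oracle's padding check is strict about the number of zero bits, which is the property the search bounds $l$ and $u$ of Algorithm 5 rely on.

```python
import hashlib
# Toy instance (assumption, not from the paper): 64-bit blocks from a 4-round SHA-256 Feistel cipher, r = 8.
N, R, HALF = 64, 8, 32

def _round(key, rnd, x):
    h = hashlib.sha256(key + bytes([rnd]) + x.to_bytes(HALF // 8, "big")).digest()
    return int.from_bytes(h[:HALF // 8], "big")

def encrypt_block(key, block):
    l, r = block >> HALF, block & ((1 << HALF) - 1)
    for rnd in range(4):
        l, r = r, l ^ _round(key, rnd, r)
    return (l << HALF) | r

def decrypt_block(key, block):
    l, r = block >> HALF, block & ((1 << HALF) - 1)
    for rnd in reversed(range(4)):
        l, r = r ^ _round(key, rnd, l), l
    return (l << HALF) | r

def int_to_bits(x, width):   # index 0 is the leftmost bit, as in P_{q,0}
    return [(x >> (width - 1 - i)) & 1 for i in range(width)]

def bits_to_int(bits):
    return int("".join(map(str, bits)), 2) if bits else 0

def pad(data):   # a single 1, the fewest 0s that reach a multiple of n, then (L_D)_2 in r bits
    zeros = (-(len(data) + 1 + R)) % N
    return data + [1] + [0] * zeros + int_to_bits(len(data), R)

def padding_valid(bits):   # strict: the length field must name an L_D whose padding is exactly this long
    ld = bits_to_int(bits[-R:])
    return len(pad([0] * ld)) == len(bits) and bits[ld] == 1 and not any(bits[ld + 1:len(bits) - R])

def cbc_encrypt(key, iv, bits):
    blocks, prev = [], iv
    for i in range(0, len(bits), N):
        prev = encrypt_block(key, bits_to_int(bits[i:i + N]) ^ prev)
        blocks.append(prev)
    return blocks

class PaddingOracle:   # CBC-decrypts under the secret key and secret IV; answers only VALID/INVALID
    def __init__(self, key, iv):
        self.key, self.iv, self.calls = key, iv, 0
    def __call__(self, blocks):
        self.calls += 1
        bits, prev = [], self.iv
        for c in blocks:
            bits += int_to_bits(decrypt_block(self.key, c) ^ prev, N)
            prev = c
        return padding_valid(bits)

def find_ld(oracle, C):   # Algorithm 5: binary search for L_D in a ciphertext of q >= 3 blocks
    q, C = len(C), list(C)
    l, u = (q - 1) * N - R, q * N - R - 1
    while l < u:
        h = (l + u) // 2
        mask = 1 << (N - 1 - h % N)
        C[h // N - 1] ^= mask          # invert plaintext bit h via the preceding ciphertext block
        l, u = (h + 1, u) if oracle(C) else (l, h)
        C[h // N - 1] ^= mask          # reset the test bit
    return l

def decrypt_last_block(oracle, ld, c_prev, c_last):   # Algorithm 7: t data bits of a same-block padded P_q
    t, p = ld % N, N - R - ld % N
    assert p >= 1, "same-block padding required"
    mask = c_prev ^ (1 << (p - 1 + R)) ^ ld ^ (N + t)   # zero the 1 0..0 padding and claim length n + t
    data = []
    for j in range(t - 1, -1, -1):
        mask ^= (N + j + 1) ^ (N + j)       # claim length n + j: VALID iff P_{q,j} = 1
        bit = int(oracle([mask, c_last]))
        mask ^= bit << (N - 1 - j)          # zero the recovered bit so it becomes padding
        data.append(bit)
    return data[::-1]

def find_valid_three_block(oracle, c_k):   # Algorithm 3: vary the rightmost r+1 bits of R_2
    for i in range(1 << (R + 1)):          # the pattern 1 (3n-r-1)_2 is reached within 2^(r+1) tries
        if oracle([0, i, c_k]):            # R_1 = 0^n, R_2 = 0...0 (i)_2
            return [0, i, c_k]
    raise RuntimeError("oracle never accepted; check the padding method")

def attack_block(oracle, c_prev, c_k):   # Section 4.2: decrypt any block C_k other than C_1 without the IV
    C3 = find_valid_three_block(oracle, c_k)
    ld = find_ld(oracle, C3)
    p3 = ld                                # cross-block: P_3 = 0..0 | (L_D)_2 is known outright
    if ld >= 2 * N:                        # same-block: P_3 = data | 1 0..0 | (L_D)_2
        data = decrypt_last_block(oracle, ld, C3[1], C3[2])
        p3 = (bits_to_int(data) << (N - len(data))) | (1 << (N - 1 - len(data))) | ld
    return p3 ^ C3[1] ^ c_prev             # P_k = P_3 xor R_2 xor C_{k-1}

def demo(data_len=150):   # constructed key, IV and data (150 bits pads into a same-block third block)
    key = hashlib.sha256(b"constructed demo key").digest()[:16]
    iv = int.from_bytes(hashlib.sha256(b"secret random iv").digest()[:N // 8], "big")
    data = int_to_bits(int.from_bytes(hashlib.sha256(b"sample data").digest(), "big"), data_len)
    C = cbc_encrypt(key, iv, pad(data))
    oracle = PaddingOracle(key, iv)
    ld = find_ld(oracle, C)
    return data, ld, decrypt_last_block(oracle, ld, C[-2], C[-1]), attack_block(oracle, C[0], C[1]), oracle.calls
```

Calling demo() encrypts the constructed 150-bit message into three blocks, so the last block carries $t = 22$ data bits; find_ld spends six oracle calls and decrypt_last_block twenty-two, the $t + \log_2 n$ count of the Complexity paragraph. attack_block on $C_2$ never touches the IV: it only needs $C_1$ in the final XOR, which is exactly why $C_1$ itself cannot be recovered this way. The cross-block branch of attack_block covers the case in which Algorithm 3 happens to land on a three-block ciphertext whose last block is all padding, where $P_3$ follows from $L_D$ alone.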

Complexity. For $q \ge 3$, Phase 1 of the attack takes roughly $\log_2 n$ oracle calls to find the data length $L_D$. For same-block padded plaintexts, Phase 2 then takes one call per bit for decrypting. So to recover the $t$ data bits in the last block, $t + \log_2 n$ oracle calls are required. For cross-block padded plaintexts, the block $P_q$ is completely determined by $L_D$. Phase 2 then needs on average around $2^{r-u}$ oracle calls to recover the whole of the penultimate plaintext block $P_{q-1}$. Here $u$ is the number of known padding bits in $P_{q-1}$, and we have ignored the comparatively small cost of running the length-finding and last-block decryption algorithms of this section. For two-block ciphertexts, Phase 1 will take on average $\log_2 (n-r)$ oracle calls to find either the actual value of $L_D$ or to find that $L_D \le n$. In the former case, the complexity of Phase 2 is exactly as above. In the latter case, the data is cross-block padded but we are not able to recover the penultimate plaintext block. Phase 1 of the attack is not successful for single-block ciphertexts, and no data bits can be extracted using our attack in this case.

It is important to note that, even though the two attacks presented here and in Section 4.2 are inter-dependent, there is no possibility of the attack entering an infinite loop. This is not difficult to show.

Impact. The attack is highly efficient (in terms of oracle access) at extracting plaintext bits in the last plaintext block $P_q$. A maximum of $n - r - 1$ bits of data can be recovered in this way, and the attack is therefore significant for short messages, especially in combination with a small $r$. One might argue that $r = n$ is a natural choice for the implementor. In this case, the padding is always cross-block and the attacker must resort to the speeded-up version of the attack in Section 4.2.

Comparison. One impact of assuming that IVs are secret and random on the attack in this section is that Phase 1 of the attack is prevented from determining the exact data length of single-block ciphertexts, and of two-block ones when the plaintext is cross-block padded.
This, in turn, stops us from extracting any data bits in these cases. This is in contrast to the corresponding cases in [8], where the ability to manipulate the IV can be used to advantage. The complexity of the two phases remains unchanged when compared to the corresponding attack in [8] ($\log_2 n$ oracle calls to find $L_D$ and one oracle call per data bit extracted for same-block padding). Short ciphertexts, typically two or three blocks long, are used throughout, so there is little or no message expansion.

5 Conclusions

We have shown that the use of IVs that are secret and random does not prevent padding oracle attacks on CBC-mode encryption. We have shown this to be the case in the context of two padding methods previously analysed in [8]. The use of secret, random IVs required us to develop new ideas and to extend the analysis of [8]. The new attacks are, at best, of roughly equal complexity to those of [8], and the assumptions we have made to obtain attacks seem reasonable. The attacks recover most, if not all, plaintext bits many orders of magnitude faster than exhaustive key search.

The 2004 FCD text for the 3rd edition of the ISO/IEC modes-of-operation standard [4], which supersedes [3], contains new text regarding padding methods in Clause 5 (Requirements). It now reads: "... Padding techniques ... are not within the scope of this International Standard, and throughout this standard it is assumed that any padding, as necessary, has already been applied." This effectively off-loads the responsibility of choosing a padding method to the implementor of this standard (if it is published with the text as it stands). In our view, not specifying a padding method at all has the potential to be even more dangerous than specifying a method that is known to be weak against certain attack types. After all, there is no guarantee that an implementor will not choose a method that falls to some even more realistic form of attack. Methods that appear

to resist padding oracle attacks have been analysed in [6]. For example, padding method 2 of [1], in which the plaintext is padded with a single 1 and as many 0s as are necessary to complete a block, seems like a good candidate. We currently know of no reason not to recommend it for use. We argue that the more complete and unambiguous a specification is, the smaller the chance for insecure approaches to be taken by an implementor.

Finally, we wish to repeat the point made in [6, 8] that padding oracle attacks can be easily thwarted by the proper use of strong integrity checks. It is now widely held that encryption should be accompanied by a data integrity mechanism whenever feasible and appropriate. Of course there are situations (for example, constrained environments) where the use of a MAC algorithm in addition to encryption is not possible. In these scenarios, the careful selection of a padding method and the avoidance of padding oracles in implementations is of paramount importance.

References

1. ISO/IEC: Information technology, Security techniques, Message Authentication Codes (MACs), Part 1: Mechanisms using a block cipher.
2. ISO/IEC (2nd edition): Information technology, Security techniques, Hash-functions, Part 1: General.
3. ISO/IEC 2nd CD (revision): Information technology, Security techniques, Modes of operation for an n-bit block cipher (second committee draft of the proposed 3rd edition of the standard).
4. ISO/IEC FCD (2nd edition): Information technology, Security techniques, Modes of operation for an n-bit block cipher (final committee draft of the proposed 3rd edition of the standard).
5. M. Bellare, A. Desai, E. Jokipii, and P. Rogaway. A Concrete Analysis of Symmetric Encryption: Analysis of the DES Modes of Operation. In 38th IEEE Symposium on Foundations of Computer Science. IEEE.
6. J. Black and H. Urtubia. Side-Channel Attacks on Symmetric Encryption Schemes: The Case for Authenticated Encryption. In Proceedings of the 11th USENIX Security Symposium, San Francisco, CA, USA, August 5-9, 2002. USENIX.
7. B. Canvel, A. Hiltgen, S. Vaudenay, and M. Vuagnoux.
Password Interception in a SSL/TLS Channel. In D. Boneh, editor, Advances in Cryptology, CRYPTO 2003, volume 2729 of Lecture Notes in Computer Science. Springer-Verlag.
8. K.G. Paterson and A. Yau. Padding Oracle Attacks on the ISO CBC Mode Padding Standard. In T. Okamoto, editor, Topics in Cryptology, CT-RSA 2004, volume 2964 of Lecture Notes in Computer Science. Springer-Verlag.
9. S. Vaudenay. Security Flaws Induced by CBC Padding: Applications to SSL, IPSEC, WTLS.... In L. Knudsen, editor, Advances in Cryptology, EUROCRYPT 2002, volume 2332 of Lecture Notes in Computer Science. Springer-Verlag.

Appendix

We present here pseudo-code for the various algorithms developed in the text.

Algorithm 1
Input: $I$, $C_1 C_2 \ldots C_q$
Output: $L_D$
function m3-get-$L_D$-general
    $l := 0$
    $u := n - 1$
    repeat
        $h := \lceil (l + u)/2 \rceil$
        $C_{q-1,h} := C_{q-1,h} \oplus 1$
        if oracle($I$, $C_1 C_2 \ldots C_q$) = VALID then
            $l := h$
        else
            $u := h - 1$
        end if
        $C_{q-1,h} := C_{q-1,h} \oplus 1$
    until $l = u$
    return $L_D := (q-1)n + l + 1$
end function

Algorithm 2
Input: auxiliary ciphertexts $C^1, C^2, \ldots, C^m$, IV-determining information $I_1, I_2, \ldots, I_m$, length information $q_1, \ldots, q_m$ and $F_1, \ldots, F_m$, target ciphertext blocks $C_{k-1}$, $C_k$
Output: rightmost $F_1$ bits of $P_k$
function m3-decrypt
    $R := \underbrace{0\ldots0}_{n}$
    $F_{m+1} := 0$
    for $j := m$ down to $1$ do
        $i := -1$
        repeat
            $i := i + 1$
            $S := R \oplus \underbrace{0\ldots0}_{n-F_j}\,\underbrace{(i)_2}_{F_j-F_{j+1}}\,\underbrace{0\ldots0}_{F_{j+1}}$
        until oracle($I_j$, $\underbrace{C^j}_{q_j-3\text{ blocks}}\,S\,C_k$) = VALID
        $R := R \oplus \underbrace{0\ldots0}_{n-F_j}\,\underbrace{(i)_2}_{F_j-F_{j+1}}\,\underbrace{0\ldots0}_{F_{j+1}}$
    end for
    return rightmost $F_1$ bits of $R \oplus C_{k-1}$
end function

Algorithm 3
Input: $C_k$, $r$, $n$
Output: a valid three-block ciphertext, the last block of which is $C_k$
Require: $1 \le r < n$
function m3-general($C_k$, $r$, $n$)
    $R_1 := \underbrace{0\ldots0}_{n}$
    $R_2 := \underbrace{0\ldots0}_{n}$
    $i := 0$
    while oracle($R_1 R_2 C_k$) = INVALID do
        $i := i + 1$
        $R_2 := \underbrace{0\ldots0}_{n-r-1}\,\underbrace{(i)_2}_{r+1}$
    end while
    return $R_1 R_2 C_k$
end function

Algorithm 4
Input: $C_k$, $r$, $n$
Output: a valid four-block ciphertext, the last block of which is $C_k$
Require: $r = n$
function m3-special($C_k$, $r$, $n$)
    $R_1 := \underbrace{0\ldots0}_{n}$
    $R_2 := \underbrace{0\ldots0}_{n}$
    $i := 0$
    while oracle($\underbrace{0\ldots0}_{n}\,R_1 R_2 C_k$) = INVALID do
        $i := i + 1$
        if $i = 2^r$ then
            $i := 0$
            $R_1 := \underbrace{0\ldots0}_{n-1}1$
        end if
        $R_2 := \underbrace{(i)_2}_{n}$
    end while
    return $\underbrace{0\ldots0}_{n}\,R_1 R_2 C_k$
end function

Algorithm 5
Input: $C_1 C_2 \ldots C_q$, $n$, $r$
Output: $L_D$
Require: $q \ge 3$
function m3-find-$L_D$-general($C_1 C_2 \ldots C_q$, $n$, $r$)
    $C := C_1 C_2 \ldots C_q$
    $l := (q-2)n + n - r$
    $u := (q-1)n + n - r - 1$
    repeat
        $h := \lfloor (l + u)/2 \rfloor$
        $C_{\lfloor h/n \rfloor,\, h \bmod n} := C_{\lfloor h/n \rfloor,\, h \bmod n} \oplus 1$
        if oracle($C$) = VALID then
            $l := h + 1$
        else
            $u := h$
        end if
        $C_{\lfloor h/n \rfloor,\, h \bmod n} := C_{\lfloor h/n \rfloor,\, h \bmod n} \oplus 1$
    until $l = u$
    return $L_D := l$
end function

Algorithm 6
Input: $C_1 C_2$, $n$, $r$
Output: $L_D$, or "plaintext length at most $n$"
function m3-find-$L_D$-special($C_1 C_2$, $n$, $r$)
    $C := C_1 C_2$
    $l := n$
    $u := 2n - r - 1$
    repeat
        $h := \lfloor (l + u)/2 \rfloor$
        $C_{\lfloor h/n \rfloor,\, h \bmod n} := C_{\lfloor h/n \rfloor,\, h \bmod n} \oplus 1$
        if oracle($C$) = VALID then
            $l := h + 1$
        else
            $u := h$
        end if
        $C_{\lfloor h/n \rfloor,\, h \bmod n} := C_{\lfloor h/n \rfloor,\, h \bmod n} \oplus 1$
    until $l = u$
    if $l > n$ then
        return $L_D := l$
    else
        return "plaintext length at most $n$"
    end if
end function

Algorithm 7
Input: $L_D$, $C_{q-1}$, $C_q$, $r$, $n$
Output: $P_q := P_{q,0} P_{q,1} \ldots P_{q,t-1}\,\underbrace{1\,0\ldots0}_{p}\,\underbrace{(L_D)_2}_{r}$
Require: $L_D$ indicates that the plaintext is same-block padded
function m3-decrypt($L_D$, $C_{q-1}$, $C_q$, $r$, $n$)
    $t := L_D \bmod n$
    $p := n - r - t$
    $R := C_{q-1} \oplus \underbrace{0\ldots0}_{t}\,\underbrace{1\,0\ldots0}_{p}\,\underbrace{(L_D)_2}_{r} \oplus \underbrace{0\ldots0}_{n-r}\,\underbrace{(n+t)_2}_{r}$
    for $j := t - 1$ down to $0$ do
        $R := R \oplus \underbrace{0\ldots0}_{n-r}\,\underbrace{(n+j+1)_2}_{r} \oplus \underbrace{0\ldots0}_{n-r}\,\underbrace{(n+j)_2}_{r}$
        $P_{q,j} := \Omega(R\,C_q)$
        $R_j := R_j \oplus P_{q,j}$
    end for
    return $P_q := P_{q,0} P_{q,1} \ldots P_{q,t-1}\,\underbrace{1\,0\ldots0}_{p}\,\underbrace{(L_D)_2}_{r}$
end function


A statistical method to determine sample size to estimate characteristic value of soil parameters A statistical method to determie sample size to estimate characteristic value of soil parameters Y. Hojo, B. Setiawa 2 ad M. Suzuki 3 Abstract Sample size is a importat factor to be cosidered i determiig

More information

NUMERICAL METHODS FOR SOLVING EQUATIONS

NUMERICAL METHODS FOR SOLVING EQUATIONS Mathematics Revisio Guides Numerical Methods for Solvig Equatios Page 1 of 11 M.K. HOME TUITION Mathematics Revisio Guides Level: GCSE Higher Tier NUMERICAL METHODS FOR SOLVING EQUATIONS Versio:. Date:

More information

NUMERICAL METHODS COURSEWORK INFORMAL NOTES ON NUMERICAL INTEGRATION COURSEWORK

NUMERICAL METHODS COURSEWORK INFORMAL NOTES ON NUMERICAL INTEGRATION COURSEWORK NUMERICAL METHODS COURSEWORK INFORMAL NOTES ON NUMERICAL INTEGRATION COURSEWORK For this piece of coursework studets must use the methods for umerical itegratio they meet i the Numerical Methods module

More information

Feedback in Iterative Algorithms

Feedback in Iterative Algorithms Feedback i Iterative Algorithms Charles Byre (Charles Byre@uml.edu), Departmet of Mathematical Scieces, Uiversity of Massachusetts Lowell, Lowell, MA 01854 October 17, 2005 Abstract Whe the oegative system

More information

The Binomial Theorem

The Binomial Theorem The Biomial Theorem Robert Marti Itroductio The Biomial Theorem is used to expad biomials, that is, brackets cosistig of two distict terms The formula for the Biomial Theorem is as follows: (a + b ( k

More information

Commutativity in Permutation Groups

Commutativity in Permutation Groups Commutativity i Permutatio Groups Richard Wito, PhD Abstract I the group Sym(S) of permutatios o a oempty set S, fixed poits ad trasiet poits are defied Prelimiary results o fixed ad trasiet poits are

More information

ANALYSIS OF EXPERIMENTAL ERRORS

ANALYSIS OF EXPERIMENTAL ERRORS ANALYSIS OF EXPERIMENTAL ERRORS All physical measuremets ecoutered i the verificatio of physics theories ad cocepts are subject to ucertaities that deped o the measurig istrumets used ad the coditios uder

More information

A sequence of numbers is a function whose domain is the positive integers. We can see that the sequence

A sequence of numbers is a function whose domain is the positive integers. We can see that the sequence Sequeces A sequece of umbers is a fuctio whose domai is the positive itegers. We ca see that the sequece,, 2, 2, 3, 3,... is a fuctio from the positive itegers whe we write the first sequece elemet as

More information

SECTION 1.5 : SUMMATION NOTATION + WORK WITH SEQUENCES

SECTION 1.5 : SUMMATION NOTATION + WORK WITH SEQUENCES SECTION 1.5 : SUMMATION NOTATION + WORK WITH SEQUENCES Read Sectio 1.5 (pages 5 9) Overview I Sectio 1.5 we lear to work with summatio otatio ad formulas. We will also itroduce a brief overview of sequeces,

More information

The Random Walk For Dummies

The Random Walk For Dummies The Radom Walk For Dummies Richard A Mote Abstract We look at the priciples goverig the oe-dimesioal discrete radom walk First we review five basic cocepts of probability theory The we cosider the Beroulli

More information

Math 113 Exam 3 Practice

Math 113 Exam 3 Practice Math Exam Practice Exam will cover.-.9. This sheet has three sectios. The first sectio will remid you about techiques ad formulas that you should kow. The secod gives a umber of practice questios for you

More information

PH 425 Quantum Measurement and Spin Winter SPINS Lab 1

PH 425 Quantum Measurement and Spin Winter SPINS Lab 1 PH 425 Quatum Measuremet ad Spi Witer 23 SPIS Lab Measure the spi projectio S z alog the z-axis This is the experimet that is ready to go whe you start the program, as show below Each atom is measured

More information

Section 1.1. Calculus: Areas And Tangents. Difference Equations to Differential Equations

Section 1.1. Calculus: Areas And Tangents. Difference Equations to Differential Equations Differece Equatios to Differetial Equatios Sectio. Calculus: Areas Ad Tagets The study of calculus begis with questios about chage. What happes to the velocity of a swigig pedulum as its positio chages?

More information

A PROOF OF THE TWIN PRIME CONJECTURE AND OTHER POSSIBLE APPLICATIONS

A PROOF OF THE TWIN PRIME CONJECTURE AND OTHER POSSIBLE APPLICATIONS A PROOF OF THE TWI PRIME COJECTURE AD OTHER POSSIBLE APPLICATIOS by PAUL S. BRUCKMA 38 Frot Street, #3 aaimo, BC V9R B8 (Caada) e-mail : pbruckma@hotmail.com ABSTRACT : A elemetary proof of the Twi Prime

More information

If, for instance, we were required to test whether the population mean μ could be equal to a certain value μ

If, for instance, we were required to test whether the population mean μ could be equal to a certain value μ STATISTICAL INFERENCE INTRODUCTION Statistical iferece is that brach of Statistics i which oe typically makes a statemet about a populatio based upo the results of a sample. I oesample testig, we essetially

More information

Lecture 10 October Minimaxity and least favorable prior sequences

Lecture 10 October Minimaxity and least favorable prior sequences STATS 300A: Theory of Statistics Fall 205 Lecture 0 October 22 Lecturer: Lester Mackey Scribe: Brya He, Rahul Makhijai Warig: These otes may cotai factual ad/or typographic errors. 0. Miimaxity ad least

More information

DS 100: Principles and Techniques of Data Science Date: April 13, Discussion #10

DS 100: Principles and Techniques of Data Science Date: April 13, Discussion #10 DS 00: Priciples ad Techiques of Data Sciece Date: April 3, 208 Name: Hypothesis Testig Discussio #0. Defie these terms below as they relate to hypothesis testig. a) Data Geeratio Model: Solutio: A set

More information

Discrete-Time Systems, LTI Systems, and Discrete-Time Convolution

Discrete-Time Systems, LTI Systems, and Discrete-Time Convolution EEL5: Discrete-Time Sigals ad Systems. Itroductio I this set of otes, we begi our mathematical treatmet of discrete-time s. As show i Figure, a discrete-time operates or trasforms some iput sequece x [

More information

6.867 Machine learning, lecture 7 (Jaakkola) 1

6.867 Machine learning, lecture 7 (Jaakkola) 1 6.867 Machie learig, lecture 7 (Jaakkola) 1 Lecture topics: Kerel form of liear regressio Kerels, examples, costructio, properties Liear regressio ad kerels Cosider a slightly simpler model where we omit

More information

Seunghee Ye Ma 8: Week 5 Oct 28

Seunghee Ye Ma 8: Week 5 Oct 28 Week 5 Summary I Sectio, we go over the Mea Value Theorem ad its applicatios. I Sectio 2, we will recap what we have covered so far this term. Topics Page Mea Value Theorem. Applicatios of the Mea Value

More information

INTEGRATION BY PARTS (TABLE METHOD)

INTEGRATION BY PARTS (TABLE METHOD) INTEGRATION BY PARTS (TABLE METHOD) Suppose you wat to evaluate cos d usig itegratio by parts. Usig the u dv otatio, we get So, u dv d cos du d v si cos d si si d or si si d We see that it is ecessary

More information

Kinetics of Complex Reactions

Kinetics of Complex Reactions Kietics of Complex Reactios by Flick Colema Departmet of Chemistry Wellesley College Wellesley MA 28 wcolema@wellesley.edu Copyright Flick Colema 996. All rights reserved. You are welcome to use this documet

More information

It is always the case that unions, intersections, complements, and set differences are preserved by the inverse image of a function.

It is always the case that unions, intersections, complements, and set differences are preserved by the inverse image of a function. MATH 532 Measurable Fuctios Dr. Neal, WKU Throughout, let ( X, F, µ) be a measure space ad let (!, F, P ) deote the special case of a probability space. We shall ow begi to study real-valued fuctios defied

More information

Number Representation

Number Representation Number Represetatio 1 Number System :: The Basics We are accustomed to usig the so-called decimal umber system Te digits :: 0,1,2,3,4,5,6,7,8,9 Every digit positio has a weight which is a power of 10 Base

More information

Notes for Lecture 5. 1 Grover Search. 1.1 The Setting. 1.2 Motivation. Lecture 5 (September 26, 2018)

Notes for Lecture 5. 1 Grover Search. 1.1 The Setting. 1.2 Motivation. Lecture 5 (September 26, 2018) COS 597A: Quatum Cryptography Lecture 5 (September 6, 08) Lecturer: Mark Zhadry Priceto Uiversity Scribe: Fermi Ma Notes for Lecture 5 Today we ll move o from the slightly cotrived applicatios of quatum

More information

Statistical Pattern Recognition

Statistical Pattern Recognition Statistical Patter Recogitio Classificatio: No-Parametric Modelig Hamid R. Rabiee Jafar Muhammadi Sprig 2014 http://ce.sharif.edu/courses/92-93/2/ce725-2/ Ageda Parametric Modelig No-Parametric Modelig

More information

Lecture 1: Basic problems of coding theory

Lecture 1: Basic problems of coding theory Lecture 1: Basic problems of codig theory Error-Correctig Codes (Sprig 016) Rutgers Uiversity Swastik Kopparty Scribes: Abhishek Bhrushudi & Aditya Potukuchi Admiistrivia was discussed at the begiig of

More information

LONG SNAKES IN POWERS OF THE COMPLETE GRAPH WITH AN ODD NUMBER OF VERTICES

LONG SNAKES IN POWERS OF THE COMPLETE GRAPH WITH AN ODD NUMBER OF VERTICES J Lodo Math Soc (2 50, (1994, 465 476 LONG SNAKES IN POWERS OF THE COMPLETE GRAPH WITH AN ODD NUMBER OF VERTICES Jerzy Wojciechowski Abstract I [5] Abbott ad Katchalski ask if there exists a costat c >

More information

Activity 3: Length Measurements with the Four-Sided Meter Stick

Activity 3: Length Measurements with the Four-Sided Meter Stick Activity 3: Legth Measuremets with the Four-Sided Meter Stick OBJECTIVE: The purpose of this experimet is to study errors ad the propagatio of errors whe experimetal data derived usig a four-sided meter

More information

Some Explicit Formulae of NAF and its Left-to-Right. Analogue Based on Booth Encoding

Some Explicit Formulae of NAF and its Left-to-Right. Analogue Based on Booth Encoding Vol.7, No.6 (01, pp.69-74 http://dx.doi.org/10.1457/ijsia.01.7.6.7 Some Explicit Formulae of NAF ad its Left-to-Right Aalogue Based o Booth Ecodig Dog-Guk Ha, Okyeo Yi, ad Tsuyoshi Takagi Kookmi Uiversity,

More information

Output Analysis and Run-Length Control

Output Analysis and Run-Length Control IEOR E4703: Mote Carlo Simulatio Columbia Uiversity c 2017 by Marti Haugh Output Aalysis ad Ru-Legth Cotrol I these otes we describe how the Cetral Limit Theorem ca be used to costruct approximate (1 α%

More information

subject to A 1 x + A 2 y b x j 0, j = 1,,n 1 y j = 0 or 1, j = 1,,n 2

subject to A 1 x + A 2 y b x j 0, j = 1,,n 1 y j = 0 or 1, j = 1,,n 2 Additioal Brach ad Boud Algorithms 0-1 Mixed-Iteger Liear Programmig The brach ad boud algorithm described i the previous sectios ca be used to solve virtually all optimizatio problems cotaiig iteger variables,

More information

Matrices and vectors

Matrices and vectors Oe Matrices ad vectors This book takes for grated that readers have some previous kowledge of the calculus of real fuctios of oe real variable It would be helpful to also have some kowledge of liear algebra

More information

Optimally Sparse SVMs

Optimally Sparse SVMs A. Proof of Lemma 3. We here prove a lower boud o the umber of support vectors to achieve geeralizatio bouds of the form which we cosider. Importatly, this result holds ot oly for liear classifiers, but

More information

A representation approach to the tower of Hanoi problem

A representation approach to the tower of Hanoi problem Uiversity of Wollogog Research Olie Departmet of Computig Sciece Workig Paper Series Faculty of Egieerig ad Iformatio Scieces 98 A represetatio approach to the tower of Haoi problem M. C. Er Uiversity

More information

Analysis of Algorithms -Quicksort-

Analysis of Algorithms -Quicksort- Aalysis of Algorithms -- Adreas Ermedahl MRTC (Mälardales Real-Time Research Ceter) adreas.ermedahl@mdh.se Autum 2004 Proposed by C.A.R. Hoare i 962 Worst- case ruig time: Θ( 2 ) Expected ruig time: Θ(

More information

Discrete Mathematics and Probability Theory Summer 2014 James Cook Note 15

Discrete Mathematics and Probability Theory Summer 2014 James Cook Note 15 CS 70 Discrete Mathematics ad Probability Theory Summer 2014 James Cook Note 15 Some Importat Distributios I this ote we will itroduce three importat probability distributios that are widely used to model

More information

Machine Learning Theory Tübingen University, WS 2016/2017 Lecture 11

Machine Learning Theory Tübingen University, WS 2016/2017 Lecture 11 Machie Learig Theory Tübige Uiversity, WS 06/07 Lecture Tolstikhi Ilya Abstract We will itroduce the otio of reproducig kerels ad associated Reproducig Kerel Hilbert Spaces (RKHS). We will cosider couple

More information

SOME TRIBONACCI IDENTITIES

SOME TRIBONACCI IDENTITIES Mathematics Today Vol.7(Dec-011) 1-9 ISSN 0976-38 Abstract: SOME TRIBONACCI IDENTITIES Shah Devbhadra V. Sir P.T.Sarvajaik College of Sciece, Athwalies, Surat 395001. e-mail : drdvshah@yahoo.com The sequece

More information

Math 2784 (or 2794W) University of Connecticut

Math 2784 (or 2794W) University of Connecticut ORDERS OF GROWTH PAT SMITH Math 2784 (or 2794W) Uiversity of Coecticut Date: Mar. 2, 22. ORDERS OF GROWTH. Itroductio Gaiig a ituitive feel for the relative growth of fuctios is importat if you really

More information

TR/46 OCTOBER THE ZEROS OF PARTIAL SUMS OF A MACLAURIN EXPANSION A. TALBOT

TR/46 OCTOBER THE ZEROS OF PARTIAL SUMS OF A MACLAURIN EXPANSION A. TALBOT TR/46 OCTOBER 974 THE ZEROS OF PARTIAL SUMS OF A MACLAURIN EXPANSION by A. TALBOT .. Itroductio. A problem i approximatio theory o which I have recetly worked [] required for its solutio a proof that the

More information

Discrete Mathematics for CS Spring 2005 Clancy/Wagner Notes 21. Some Important Distributions

Discrete Mathematics for CS Spring 2005 Clancy/Wagner Notes 21. Some Important Distributions CS 70 Discrete Mathematics for CS Sprig 2005 Clacy/Wager Notes 21 Some Importat Distributios Questio: A biased coi with Heads probability p is tossed repeatedly util the first Head appears. What is the

More information

Chapter 8: Estimating with Confidence

Chapter 8: Estimating with Confidence Chapter 8: Estimatig with Cofidece Sectio 8.2 The Practice of Statistics, 4 th editio For AP* STARNES, YATES, MOORE Chapter 8 Estimatig with Cofidece 8.1 Cofidece Itervals: The Basics 8.2 8.3 Estimatig

More information

End-of-Year Contest. ERHS Math Club. May 5, 2009

End-of-Year Contest. ERHS Math Club. May 5, 2009 Ed-of-Year Cotest ERHS Math Club May 5, 009 Problem 1: There are 9 cois. Oe is fake ad weighs a little less tha the others. Fid the fake coi by weighigs. Solutio: Separate the 9 cois ito 3 groups (A, B,

More information

Probability, Expectation Value and Uncertainty

Probability, Expectation Value and Uncertainty Chapter 1 Probability, Expectatio Value ad Ucertaity We have see that the physically observable properties of a quatum system are represeted by Hermitea operators (also referred to as observables ) such

More information

1 Inferential Methods for Correlation and Regression Analysis

1 Inferential Methods for Correlation and Regression Analysis 1 Iferetial Methods for Correlatio ad Regressio Aalysis I the chapter o Correlatio ad Regressio Aalysis tools for describig bivariate cotiuous data were itroduced. The sample Pearso Correlatio Coefficiet

More information

Estimation of a population proportion March 23,

Estimation of a population proportion March 23, 1 Social Studies 201 Notes for March 23, 2005 Estimatio of a populatio proportio Sectio 8.5, p. 521. For the most part, we have dealt with meas ad stadard deviatios this semester. This sectio of the otes

More information

The target reliability and design working life

The target reliability and design working life Safety ad Security Egieerig IV 161 The target reliability ad desig workig life M. Holický Kloker Istitute, CTU i Prague, Czech Republic Abstract Desig workig life ad target reliability levels recommeded

More information