Bounded Memory Leakage
6.889: New Developments in Cryptography, April 5, 2011
Instructor: Yael Tauman Kalai
Scribe: Raluca Ada Popa

When designing cryptographic schemes, we usually rely on the assumption that every bit of the secret key is secret. However, in practice, loss of secrecy can happen due to side-channel attacks. For example, an adversary can get secret information using timing attacks, acoustic attacks, or even by getting access to parts of the memory used by a cryptographic protocol such as in the cold-boot attack demonstrated by Halderman et al. [HSH+09]. With some bits of the secret key revealed, security guarantees may no longer hold.

1 Preliminaries

1.1 Notation

For a distribution $X$, we use $x \xleftarrow{R} X$ to denote that $x$ is a sample drawn from the distribution $X$. For a set $S$, we use $x \xleftarrow{R} S$ to denote that $x$ is drawn uniformly at random from the set $S$. We use $H_\infty(X)$ to denote the min-entropy of a random variable $X$, defined as $H_\infty(X) = \min_{u \in U} -\log \Pr[X = u]$, where $U$ is the set of all values $X$ may take. We use $U_d$ to denote the uniform distribution over $\{0,1\}^d$. The notation $\vec{s}$ indicates that $s$ is a vector. If $D_1$ and $D_2$ are distributions, the notation $D_1 \approx_{\epsilon} D_2$ indicates statistical indistinguishability with an advantage of at most $\epsilon$.

1.2 Leftover hash lemma

We recall the leftover hash lemma introduced in previous lectures in a form useful to some of the constructions in these notes.

Theorem 1 (Leftover Hash Lemma). Fix $\epsilon > 0$. Let $X$ be a random variable on $\{0,1\}^n$ with min-entropy $k$. Let $H = \{H_n\}_{n \in \mathbb{N}}$, where $H_n = \{h_s\}_{s \in \{0,1\}^d}$ for all $n$, be a universal hash family with output length $m \le k - 2\log(1/\epsilon)$. Then,

$\{(h(x), h) : x \xleftarrow{R} X,\ h \xleftarrow{R} H_n\} \approx_{\epsilon/2} \{(u, h) : u \xleftarrow{R} U_m,\ h \xleftarrow{R} H_n\}.$

2 Semantic Security with λ-bit leakage

We first recall the definition of semantic security and then enhance it with λ-bit leakage resilience.

Definition 2 (Semantic security). A public-key encryption scheme $E = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ is semantically secure if for all PPT $\mathcal{A}$, for any polynomial $p$, for any sufficiently large $n \in \mathbb{N}$,

$|\Pr[\mathrm{Expt}_0(E, \mathcal{A}, n) = 1] - \Pr[\mathrm{Expt}_1(E, \mathcal{A}, n) = 1]| < 1/p(n),$

where $\mathrm{Expt}_b(E, \mathcal{A}, n)$ is defined as follows.
$\mathrm{Expt}_b(E, \mathcal{A}, n)$:
1. The challenger generates $(PK, SK) \leftarrow \mathrm{Gen}(1^n)$ and sends $PK$ to $\mathcal{A}$.
2. The adversary replies with $(m_0, m_1)$.
3. The challenger computes $y \leftarrow \mathrm{Enc}(PK, m_b)$, and sends $y$ to $\mathcal{A}$.
4. $\mathcal{A}$ outputs $b'$.

Let λ be a nonnegative integer indicating the amount of allowed leakage.

Definition 3 (Semantic Security with λ-bit Leakage). A public-key encryption scheme $E = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ is semantically secure with λ-bit leakage if, for all PPT $\mathcal{A}$, for any polynomial $p$, for all sufficiently large $n \in \mathbb{N}$, we have

$|\Pr[\mathrm{Expt}^{\lambda}_0(E, \mathcal{A}, n) = 1] - \Pr[\mathrm{Expt}^{\lambda}_1(E, \mathcal{A}, n) = 1]| < 1/p(n),$

where $\mathrm{Expt}^{\lambda}_b(E, \mathcal{A}, n)$ is the output of the following game between $\mathcal{A}$ and a challenger:
1. The adversary $\mathcal{A}$ selects a leakage function $L : \{0,1\}^* \to \{0,1\}^{\lambda}$ and sends it to the challenger.
2. Challenger generates $(SK, PK) \leftarrow \mathrm{Gen}(1^n)$ and sends $(PK, L(SK, PK))$ to $\mathcal{A}$.
3. $\mathcal{A}$ chooses two messages $m_0$ and $m_1$ such that $|m_0| = |m_1|$ and sends $(m_0, m_1)$ to the challenger.
4. Challenger sends $C \leftarrow \mathrm{Enc}(PK, m_b)$ to $\mathcal{A}$.
5. $\mathcal{A}$ outputs $b'$.

Note that this definition is similar to the definition of semantic security with the addition of the leakage function $L$. Even though the adversary chooses $L$ before receiving $PK$, the definition is still adaptive with respect to $PK$: the leakage function $L$ can first look at the value of $PK$ and choose the actual leakage based on the value of $PK$. The adversary is a PPT algorithm so any function that it would run to compute a leakage function based on $PK$ must be polynomial-time as well, and thus can be incorporated in $L$.

2.1 Decisional Diffie-Hellman Assumption

We recall the DDH assumption as well as present a more general form proven equivalent by Naor and Reingold [NR04]. Let GroupGen be a probabilistic polynomial-time algorithm that takes as input a security parameter $1^n$ for some positive integer $n$, and outputs $(G, q, g)$, where $q$ is an $n$-bit prime number, $G$ is a group of order $q$, and $g$ is a generator of $G$.

Decisional Diffie-Hellman Assumption (DDH). The DDH assumption is that the ensembles $\{(G, g_1, g_2, g_1^{r}, g_2^{r})\}_{n \in \mathbb{N}}$ and $\{(G, g_1, g_2, g_1^{r_1}, g_2^{r_2})\}_{n \in \mathbb{N}}$ are computationally indistinguishable, where $(G, q, g) \leftarrow \mathrm{GroupGen}(1^n)$, and the elements $g_1, g_2 \in G$ and $r, r_1, r_2 \in \mathbb{Z}_q$ are chosen independently and uniformly at random.
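Naor and Reingold [NR04] showed that, if DDH holds, so does the following generalization of DDH considering $\ell > 2$ generators.

Lemma 4 ([NR04]). Under the DDH assumption, for any positive integer $\ell$, the ensembles

$\{(g_1, \dots, g_\ell, g_1^{r}, \dots, g_\ell^{r}) : g_i \xleftarrow{R} G,\ r \xleftarrow{R} \mathbb{Z}_q\}$ and $\{(g_1, \dots, g_\ell, g_1^{r_1}, \dots, g_\ell^{r_\ell}) : g_i \xleftarrow{R} G,\ r_i \xleftarrow{R} \mathbb{Z}_q\}$

are computationally indistinguishable, where $(G, q, g) \leftarrow \mathrm{GroupGen}(1^n)$.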
2.2 Difficulties with straightforward reductions

Before showing a construction of a leakage resilient encryption scheme, we give some intuition showing why a typical security reduction is unlikely to yield a proof of security. Suppose we would like to prove that, under the DDH assumption, $E$ is secure with λ bits of leakage. The proof would typically proceed by contradiction: suppose there exists a PPT $\mathcal{A}$ that breaks $E$, and we construct a PPT $B$ that breaks the DDH assumption. The adversary $\mathcal{A}$ behaves as in Definition 3 so it will first provide $B$ with the leakage function $L$. The reduction $B$ is supposed to return $PK$ and $L(SK, PK)$. In order to use $L$ as a black box, $B$ needs to generate $SK$ and $PK$ because $L$ may be checking that $SK$ is correct. If $L$ checks $SK$ and finds that it is not a correct secret key, it may only output certain values which $\mathcal{A}$ will recognize and for which it will not break $E$. Now that $B$ had to generate $SK$ and $PK$ himself, it seems that $\mathcal{A}$ can no longer help $B$ because it will not tell $B$ anything about the secret key that $B$ could not compute himself from $SK$ and $PK$. Thus, it seems that $B$ cannot exploit the power of $\mathcal{A}$.

However, the above intuition is incorrect. The insight in these proofs is for $B$ to generate an improper encryption $C'$ instead of $C = \mathrm{Enc}(PK, m_b)$; $B$ computes $C'$ using some information from the DDH instance it is trying to solve and hopefully leverages $\mathcal{A}$'s power to learn some new information.

2.3 Construction: BHHO

Naor and Segev [NS09] show that the scheme of Boneh et al. [BHHO08] can be made secure against bounded leakage. Boneh et al. have proposed this scheme as a circular-secure encryption scheme and it can be thought of as an extension of the El-Gamal scheme. A slightly modified version of the BHHO encryption scheme is defined as follows:

Gen($1^n$): Choose $\vec{s} \xleftarrow{R} \mathbb{Z}_q^{\ell}$, where $\ell$ is some polynomial in $n$ depending on the desired resilience to leakage, and $g_1, \dots, g_\ell \xleftarrow{R} G$. Let $y = \prod_{i=1}^{\ell} g_i^{s_i}$ and output keys $SK = \vec{s}$ and $PK = (g_1, \dots, g_\ell, y)$.

Enc($PK, m$) for $m \in G$: choose $r \xleftarrow{R} \mathbb{Z}_q$ and output $(c_1, \dots, c_{\ell+1}) = (g_1^{r}, \dots, g_\ell^{r}, y^{r} \cdot m)$ as the encryption of $m$.

Dec($SK, c_1, \dots, c_\ell, c_{\ell+1}$) $= \dfrac{c_{\ell+1}}{\prod_{i=1}^{\ell} c_i^{s_i}}$.

The completeness property of the encryption scheme is immediate:

$\mathrm{Dec}(SK, c_1, \dots, c_\ell, c_{\ell+1}) = \dfrac{c_{\ell+1}}{\prod_{i=1}^{\ell} c_i^{s_i}} = \dfrac{\prod_{i=1}^{\ell} g_i^{r s_i} \cdot m}{\prod_{i=1}^{\ell} g_i^{r s_i}} = m.$

Claim 5. Under the DDH assumption, BHHO is a semantically secure encryption scheme with $\lambda = |SK|(1 - o(1))$ bits of leakage, where $|SK|$ is the length of the secret key.

Proof. We proceed by contradiction: assume there is a polynomial $p(n)$ and a PPT $\mathcal{A}$ that breaks the BHHO scheme above with at least $1/p(n)$ advantage and construct a PPT $B$ that breaks DDH. The algorithm $B$ is defined as follows:

Algorithm 1 ($B$ on input $(g_1, \dots, g_\ell, c_1, \dots, c_\ell)$ for security parameter $n$). Recall that $B$ has to decide if the input is of the form $(g_1, \dots, g_\ell, g_1^{r}, \dots, g_\ell^{r})$ or $(g_1, \dots, g_\ell, g_1^{r_1}, \dots, g_\ell^{r_\ell})$. The reduction $B$ emulates the security game for $\mathcal{A}$ as follows:
1. Receive $L$ from $\mathcal{A}$.
2. Run Gen($1^n$) to obtain $(SK, PK)$ and send $PK$ and $L(SK, PK)$ to $\mathcal{A}$.
3. $B$ receives $m_0$ and $m_1$ from $\mathcal{A}$.
4. $B$ flips a coin $b$ and computes $C' = \mathrm{Enc}'(SK, m_b) = (c_1, \dots, c_\ell, \prod_{i=1}^{\ell} c_i^{s_i} \cdot m_b)$.
5. $\mathcal{A}$ replies with its guess $b'$.
6. If $\mathcal{A}$ guesses right (that is, $b = b'$), $B$ outputs 0 (meaning the input is of the first form), else $B$ outputs 1 (meaning the input is of the second form).

Let us compute the probability of $B$ distinguishing correctly. There are two cases for the inputs to $B$, each equally likely.

Case 1: $(c_1 = g_1^{r}, \dots, c_\ell = g_\ell^{r})$. We can see that, in this case, $\mathcal{A}$ receives the right distribution of inputs it expects and therefore, it can distinguish with probability at least $1/2 + 1/p(n)$; thus, $B$ will also make the correct decision with probability at least $1/2 + 1/p(n)$.

Case 2: $(c_1 = g_1^{r_1}, \dots, c_\ell = g_\ell^{r_\ell})$. In this case, we would like to make sure that $\mathcal{A}$ does not guess $b$ correctly too often because this would cause $B$ to output the wrong answer. The approach is to show that $C'$ hides $b$ information-theoretically even with leakage, and thus $\mathcal{A}$ will guess the correct answer with probability at most 1/2 plus a negligible amount. In this case, the view of $\mathcal{A}$ can be summarized by

$(PK, L(PK, SK), g_1^{r_1}, \dots, g_\ell^{r_\ell}, \prod_{i=1}^{\ell} g_i^{r_i s_i} \cdot m_b)$

and we want to argue that it is statistically indistinguishable from

$(PK, L(PK, SK), g_1^{r_1}, \dots, g_\ell^{r_\ell}, U)$

with some small error. Note that distinguishing between these two ensembles is at least as hard as distinguishing between a second pair of ensembles, $(PK, L(SK, PK), r_1, \dots, r_\ell, \langle \vec{r}, \vec{s} \rangle)$ and $(PK, L(SK, PK), r_1, \dots, r_\ell, U)$, as follows. For some generator $g$ of $G$, consider replacing each $g_i = g^{\delta_i}$ for some $\delta_i$ in the first pair of ensembles and rewriting the ensembles. The reduction now becomes straightforward: it consists of simply raising $g$ to the power of $\vec{r}$ and $\langle \vec{r}, \vec{s} \rangle$.

To prove that $(PK, L(SK, PK), r_1, \dots, r_\ell, \langle \vec{r}, \vec{s} \rangle)$ and $(PK, L(SK, PK), r_1, \dots, r_\ell, U)$ are statistically close, we apply the leftover hash lemma, Theorem 1. Consider the collection of hash functions $H_n$ consisting of $h_{\vec{r}}(\vec{s}) = \langle \vec{r}, \vec{s} \rangle \bmod q$. We can see that this is a universal hash family.
To apply the leftover hash lemma we need $H_\infty(\vec{s}) \ge \log q + 2\log(1/\epsilon)$. We have that $H_\infty(\vec{s}) = \ell \log q - \lambda - \log q$ because $\vec{s}$ (the secret key) is $\ell \log q$ bits long, λ of them leak due to $L$, and $\log q$ of them leak due to $\langle \vec{r}, \vec{s} \rangle$. Therefore, as long as

$\lambda \le \ell \log q - 2\log q - 2\log(1/\epsilon) = |SK|(1 - o(1)),$

by Theorem 1, the distributions in question have statistical difference at most $\epsilon/2$.

Putting together these two cases:

$\Pr[B \text{ wins}] = \tfrac{1}{2}\Pr[B \text{ wins} \mid \text{Case 1}] + \tfrac{1}{2}\Pr[B \text{ wins} \mid \text{Case 2}] \ge \tfrac{1}{2}\left(\tfrac{1}{2} + \tfrac{1}{p(n)}\right) + \tfrac{1}{2}\left(\tfrac{1}{2} - \tfrac{\epsilon}{2}\right) = \tfrac{1}{2} + \tfrac{1}{2}\left(\tfrac{1}{p(n)} - \tfrac{\epsilon}{2}\right).$

We can choose $\epsilon$ to be $n^{-\log n}$; in this case, $B$'s advantage remains nonnegligible at breaking the DDH assumption (by contradicting Lemma 4) and the leakage tolerated becomes $\ell \log q - 2\log q - 2\log^2 n = |SK|(1 - o(1))$.

In the construction of this proof, we allowed the leakage λ to be $|SK|(1 - o(1))$. If $n \approx \log q$ is the size of the security parameter, and the size of the secret key is a polynomial in this size, say $n^c$, we allow leakage of at most $n^{c+1} - 2n$; this amount of leakage is significant and can be made larger than any fraction of the secret key's length.

The following question now arises naturally: what if we allow a larger leakage to happen as long as it is still computationally infeasible for an adversary to find $SK$? We may give away $SK$ information-theoretically, but a polynomially-bounded adversary may still not be able to compute $SK$. In the proof above, we provided information-theoretic guarantees, but we may be able to provide computational guarantees with such a setting. We explore this direction next.

3 Semantic security with auxiliary input

Semantic security with respect to auxiliary inputs was first defined by Dodis et al. [DKL09].

Definition 6 (Semantic security with $2^{\lambda}$-hard-to-invert auxiliary input). A public-key encryption scheme $E = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ with message space $M = \{M_n\}_{n \in \mathbb{N}}$ is semantically secure with auxiliary input if for any PPT adversary $\mathcal{A}$, any polynomial $p$, and any sufficiently large $n \in \mathbb{N}$,

$\Pr[\mathrm{win}(E, \mathcal{A}, n) = 1] < 1/2 + 1/p(n),$

where $\mathrm{win}(E, \mathcal{A}, n)$:
- Adversary $\mathcal{A}$ chooses a leakage function $L$ and sends it to the challenger.
- Challenger computes $(SK, PK) \leftarrow \mathrm{Gen}(1^n)$ and sends $(PK, L(SK, PK))$ to the adversary.
- $\mathcal{A}$ replies with two messages $m_0$ and $m_1$.
- The challenger flips a coin $b$ and sends $\mathrm{Enc}(PK, m_b)$ to $\mathcal{A}$.
- $\mathcal{A}$ replies with $b'$, its guess for $b$.
- If $b = b'$ and $L$ is $2^{\lambda}$-hard-to-invert ($\mathcal{A}$ wins), output 1 else output 0.

By $2^{\lambda}$-hard-to-invert, we mean that for all PPT $B$, $\Pr[(PK, SK) \leftarrow \mathrm{Gen}(1^n),\ B(PK, L(PK, SK)) = SK] \le 1/2^{\lambda}$.

Dodis et al. [DGK+10] show that BHHO is secure with $2^{\ell\lambda}$-hard-to-invert auxiliary input. As part of their proof, they extend the Goldreich-Levin theorem to large fields. Thus, let us first state this theorem:

Theorem 7 (Goldreich-Levin for large fields [DGK+10]). Let $q$ be a prime, and let $H$ be an arbitrary subset of $GF(q)$. Let $f : H^n \to \{0,1\}^*$ be any (possibly randomized) function. If there is a distinguisher $D$ that runs in time $t$ such that

$|\Pr[\vec{s} \leftarrow H^n, y \leftarrow f(\vec{s}), \vec{r} \leftarrow GF(q)^n : D(y, \vec{r}, \langle \vec{r}, \vec{s} \rangle) = 1] - \Pr[\vec{s} \leftarrow H^n, y \leftarrow f(\vec{s}), \vec{r} \leftarrow GF(q)^n, u \leftarrow GF(q) : D(y, \vec{r}, u) = 1]| = \epsilon,$

then there is an inverter $\mathcal{A}$ that runs in time $t' = t \cdot \mathrm{poly}(n, |H|, 1/\epsilon)$ such that $\Pr[\vec{s} \leftarrow H^n, y \leftarrow f(\vec{s}) : \mathcal{A}(y) = \vec{s}]$ n q 2.

Claim 8 ([DGK+10]). Under the DDH assumption, BHHO is secure with $2^{\lambda}$-hard-to-invert auxiliary input.

Proof. The construction of the reduction is the same as in the proof of Claim 5: Algorithm 1. We now consider a sequence of four experiments with either the same or computationally indistinguishable input distributions to the adversary.
The last distribution will enable us to prove the claim easily. Let $\mathrm{Adv}^{(i)}(n)$ be the advantage of the adversary in guessing right in Experiment $i$ for security parameter $n$.

Experiment 0: This experiment is the same as in Definition 6.

Experiment 1: This is the same experiment as Experiment 0, except that instead of $C = \mathrm{Enc}(PK, m_b)$, the challenger sends $C' = \mathrm{Enc}'(SK, m_b) = (g_1^{r}, \dots, g_\ell^{r}, c = \prod_{i=1}^{\ell} g_i^{r s_i} \cdot m_b)$. Now let us argue that the input distributions to the adversary are the same in Experiment 0 and Experiment 1. We can see that for both $\mathrm{Enc}(PK, m_b)$ and $\mathrm{Enc}'(SK, m_b)$, the challenger chooses $r \xleftarrow{R} \mathbb{Z}_q$. For the same $r$, we can see that $\mathrm{Enc}'(SK, m_b) = \mathrm{Enc}(PK, m_b)$.

Experiment 2: In this experiment, we have $c_i \xleftarrow{R} G$ for $i = 1, \dots, \ell$ and $C = \prod_{i=1}^{\ell} c_i^{s_i} \cdot m_b$. We would like to claim that the advantage of the adversary in Experiments 1 and 2 only differs by a negligible amount.

Claim: If DDH is hard for $G$, then for every PPT $\mathcal{A}$, $|\mathrm{Adv}^{(1)}(n) - \mathrm{Adv}^{(2)}(n)| \le \mathrm{negl}(n)$.

Proof: We would like to show that $(PK, L(SK, PK), c_1, \dots, c_\ell, \prod_{i=1}^{\ell} c_i^{s_i} : c_i \xleftarrow{R} G)$ (Exp. 1) and $(SK, L(SK, PK), g_1^{r}, \dots, g_\ell^{r}, \prod_{i=1}^{\ell} g_i^{r s_i} : r \xleftarrow{R} \mathbb{Z}_q)$ (Exp. 2) are computationally indistinguishable (where we omitted the distributions from which some random variables are drawn for brevity). Assuming there exists a distinguisher for these two distributions $D_{12}$, we want to construct a distinguisher $D_{DDH}$ that breaks the DDH assumption from Lemma 4. Upon receiving input for the general DDH problem $(g_1, \dots, g_\ell, c_1, \dots, c_\ell)$, $D_{DDH}$ simply generates $SK$ and $PK$ as in the case of the BHHO scheme using $g_1, \dots, g_\ell$, and provides to $D_{12}$ $(PK, L(SK, PK), c_1, \dots, c_\ell, \prod_{i=1}^{\ell} c_i^{s_i})$. $D_{DDH}$ outputs exactly what $D_{12}$ outputs and we can see that they have the same winning probability. Therefore $D_{DDH}$ has nonnegligible advantage of breaking the general DDH problem; by Lemma 4 and assuming DDH, we reach a contradiction.

Experiment 3: In this experiment, $C$ is replaced with $C = (g^{r_1}, \dots, g^{r_\ell}, g^{u})$ for $r_i \xleftarrow{R} \mathbb{Z}_q$, $u \xleftarrow{R} \mathbb{Z}_q$, and some fixed generator $g$ of $G$. Now we claim that the advantage of the adversary in Experiments 2 and 3 only differs by a negligible factor:

Claim: For every PPT $\mathcal{A}$, $|\mathrm{Adv}^{(2)}(n) - \mathrm{Adv}^{(3)}(n)| \le \mathrm{negl}(n)$.
Proof: In Experiment 2, choosing $c_1, \dots, c_\ell \xleftarrow{R} G$ is equivalent to choosing $r_1, \dots, r_\ell \xleftarrow{R} \mathbb{Z}_q$ for some fixed generator $g$ of $G$. Therefore, we need to prove that $(PK, L(SK, PK), g^{r_1}, \dots, g^{r_\ell}, \prod_{i=1}^{\ell} g^{r_i s_i} \cdot m_b)$ (see Exp. 2) and $(PK, L(SK, PK), g^{r_1}, \dots, g^{r_\ell}, g^{u})$ (see Exp. 3) are computationally indistinguishable. Note that it is enough to prove that $D_1 = (PK, L(SK, PK), r_1, \dots, r_\ell, \langle \vec{r}, \vec{s} \rangle)$ is computationally indistinguishable from $D_2 = (PK, L(SK, PK), r_1, \dots, r_\ell, u)$. The reason is that we can reduce the computational indistinguishability of the initial distributions to the computational indistinguishability of $D_1$ and $D_2$. The reduction would simply consist of raising $g$ to the power of $\vec{r}$ before feeding to a distinguisher for the second pair of distributions.

We now use Goldreich-Levin for large numbers. From Theorem 7, it follows that if we can distinguish $D_1$ and $D_2$ with δ>2 lλ /4 advantage, we can invert $L$ and obtain $SK$ with probability:

δ 3 q 512nq 3 >q 1 512n2 3lλ /4 poly(n) >q2 lλ

This contradicts our computational hardness assumption about $L$; we can thus conclude that Experiments 2 and 3 are computationally indistinguishable.

Note that in Experiment 3, the ciphertext $C$ sent by the challenger is a random value independent of the bit $b$, and therefore the adversary has zero advantage of guessing this bit. By following the sequence of experiment indistinguishability we proved above, the overall adversary advantage of breaking BHHO is at most negligible, thus concluding our proof.

4 The GPV Cryptosystem

The GPV cryptosystem [GPV08] is a construction based on lattices. Before we present the cryptosystem, let us present the Learning with Errors Assumption on which it is based.

Learning with Errors Assumption (LWE). Consider integers $n, m, q$ and a probability distribution $\chi$ on $\mathbb{Z}_q$, typically taken to be a normal distribution that has been discretized. The input is a pair $(A, \vec{v})$ where $A \in \mathbb{Z}_q^{m \times n}$ is chosen uniformly, and $\vec{v}$ is either chosen uniformly from $\mathbb{Z}_q^m$ or chosen to be $A\vec{s} + \vec{x}$ for a uniformly chosen $\vec{s} \in \mathbb{Z}_q^n$ and a vector $\vec{x} \in \mathbb{Z}_q^m$ chosen according to $\chi^m$. The assumption is that no PPT can distinguish with some non-negligible probability between these two cases.

The GPV cryptosystem is the following bit-encryption scheme. Let $n$, $m$, and $q$ be integer parameters of the scheme.

Gen($1^n$): $\vec{r} \xleftarrow{R} \{0,1\}^m$, $A \xleftarrow{R} \mathbb{Z}_q^{m \times n}$, $SK = \vec{r}$, $PK = (A, \vec{r}A)$. Output $(SK, PK)$.

Enc($PK, b$) for $b \in \{0,1\}$: Choose $\vec{s} \xleftarrow{R} \mathbb{Z}_q^n$, $\vec{x} \xleftarrow{R} \chi^m$, and $x' \xleftarrow{R} \chi$. Output $(A\vec{s} + \vec{x},\ \vec{r}A\vec{s} + x' + bq/2)$.

Dec($SK, (c_1, c_2)$): Compute $c_2 - c_1\vec{r} = bq/2 + x' - \vec{r}\vec{x}$. Output 0 if this value is closer to 0 than to $q/2$, and output 1 otherwise.

Since $x' - \vec{r}\vec{x}$ is small in comparison to $q$, we can see that the decryption will return the correct result and the completeness property of $E$ thus follows.

Claim 9. GPV is secure with λ-bit of leakage under LWE.

Proof. As before, we would like to construct a PPT $B$ that can break LWE with nonnegligible advantage given a PPT $\mathcal{A}$ that can break GPV. $B$ receives an input of the form $(A, \vec{y})$, which could be $(A, \vec{v})$ or $(A, A\vec{s} + \vec{x})$.
The construction for $B$ is the same as Algorithm 1 except that $\mathrm{Enc}'_{SK}(m_b) = (\vec{y},\ \vec{r}\vec{y} - x' + bq/2)$, where $x'$ is generated such that the distribution of $\vec{r}\vec{x} - x'$ is statistically indistinguishable from the distribution of $x'$ and $\vec{y}$ is the second term received by $B$ as input. Let's consider each case of $B$'s inputs:

- $B$ receives $(A, A\vec{s} + \vec{x})$ and therefore $\mathcal{A}$ receives $(A\vec{s} + \vec{x},\ A\vec{s}\vec{r} + \vec{x}\vec{r} - x' + bq/2)$ for $C$. Since $x'$ is drawn from a distribution such that $\vec{r}\vec{x} - x'$ would induce a statistically indistinguishable distribution, we can see that the inputs to $\mathcal{A}$ will be statistically indistinguishable from what $\mathcal{A}$ expects and therefore, $\mathcal{A}$ will guess the right $b$ with nonnegligible probability.
- $B$ receives $(A, \vec{v})$. $\mathcal{A}$ receives $(\vec{v},\ \vec{r}\vec{v} - x' + bq/2)$. Using the leftover hash lemma, Theorem 1, we can bound by $1/2 + \epsilon/2$ the probability with which $\mathcal{A}$ succeeds in guessing the right $b$ and hence misleads $B$ into outputting an incorrect bit. We can choose $\epsilon = n^{-\log n}$ to enable $B$ to maintain the nonnegligible advantage given by the first case.

Combining the two steps, we can see that $B$ will have nonnegligible probability of breaking LWE, thus reaching a contradiction.

When applying LHL, Theorem 1, we obtain $m - n\log q - \lambda \ge 2\log(1/\epsilon)$, therefore enabling $\lambda \le m - n\log q - 2\log(1/\epsilon)$ leakage.

The GPV cryptosystem can also be proven secure with auxiliary input.

References

[BHHO08] Dan Boneh, Shai Halevi, Mike Hamburg, and Rafail Ostrovsky. Circular-secure encryption from decision Diffie-Hellman. In Proceedings of the 28th Annual International Cryptology Conference, CRYPTO '08, Berlin, Heidelberg. Springer-Verlag.

[DGK+10] Yevgeniy Dodis, Shafi Goldwasser, Yael Tauman Kalai, Chris Peikert, and Vinod Vaikuntanathan. Public-key encryption schemes with auxiliary inputs. In TCC.

[DKL09] Yevgeniy Dodis, Yael Tauman Kalai, and Shachar Lovett. On cryptography with auxiliary input.

[GPV08] Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In Proceedings of the 40th annual ACM symposium on Theory of computing, STOC '08, New York, NY, USA. ACM.

[HSH+09] J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten. Lest we remember: cold-boot attacks on encryption keys. Commun. ACM, 52(5):91-98.

[NR04] Moni Naor and Omer Reingold. Number-theoretic constructions of efficient pseudorandom functions. J. ACM.

[NS09] Moni Naor and Gil Segev. Public-key cryptosystems resilient to key leakage. In CRYPTO, pages 18-35.
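Added example (not part of the original lecture notes): a toy Python version of the modified BHHO scheme from Section 2.3 together with the Enc' of Algorithm 1, which counts how many blinding values remain possible in Case 1 and Case 2 of the proof of Claim 5. The group (p = 2039, q = 1019), the 3-bit leakage function, the exponents 5 and 7, and all function names are constructed for illustration, and the key enumeration is only feasible because the group is tiny and ℓ = 2.

```python
import secrets

# Constructed toy group (insecure size): P = 2Q + 1, both prime. G is the
# order-Q subgroup of squares mod P, so every element except 1 generates G.
P, Q = 2039, 1019

def rand_elem():
    """Random non-identity element of G (a square mod P)."""
    while True:
        h = pow(secrets.randbelow(P - 2) + 2, 2, P)
        if h != 1:
            return h

def mask(s, cs):
    """prod_i c_i^{s_i} mod P, the value that blinds the message."""
    out = 1
    for ci, si in zip(cs, s):
        out = out * pow(ci, si, P) % P
    return out

def gen(ell):
    s = [secrets.randbelow(Q) for _ in range(ell)]
    g = [rand_elem() for _ in range(ell)]
    return s, (g, mask(s, g))                 # SK = s, PK = (g_1..g_ell, y)

def enc(pk, m, r=None):
    g, y = pk
    r = secrets.randbelow(Q) if r is None else r
    return [pow(gi, r, P) for gi in g] + [pow(y, r, P) * m % P]

def dec(sk, c):
    return c[-1] * pow(mask(sk, c[:-1]), -1, P) % P

def enc_with_sk(sk, cs, m):
    """Enc'(SK, m) of Algorithm 1: B reuses the challenge elements c_1..c_ell."""
    return list(cs) + [mask(sk, cs) * m % P]

def consistent_keys(pk, leak=None, leaked=None):
    """Every s' in Z_Q^2 matching PK (and the leaked value, if one is given).
    Brute force over the toy group; written for ell = 2 only."""
    (g1, g2), y = pk
    log_g2 = {pow(g2, b, P): b for b in range(Q)}      # discrete-log table
    g1_inv = pow(g1, -1, P)
    keys = [(a, log_g2[y * pow(g1_inv, a, P) % P]) for a in range(Q)]
    if leak is not None:
        keys = [k for k in keys if leak(k) == leaked]
    return keys

def possible_masks(pk, cs, leak=None, leaked=None):
    """Blinding values produced by the keys still consistent with A's view."""
    return {mask(k, cs) for k in consistent_keys(pk, leak, leaked)}

def demo():
    sk, pk = gen(2)
    g, _ = pk
    m = pow(123, 2, P)                        # constructed message in G
    leak = lambda s: s[0] % 8                 # constructed 3-bit leakage function L
    same_r = [pow(gi, 5, P) for gi in g]                   # Case 1: c_i = g_i^r
    indep_r = [pow(g[0], 5, P), pow(g[1], 7, P)]           # Case 2: c_i = g_i^{r_i}
    return {
        "roundtrip": dec(sk, enc(pk, m)) == m,
        "enc_prime_equals_enc": enc_with_sk(sk, same_r, m) == enc(pk, m, r=5),
        "case1_masks": len(possible_masks(pk, same_r)),
        "case2_masks": len(possible_masks(pk, indep_r)),
        "case2_masks_after_leak": len(possible_masks(pk, indep_r, leak, leak(sk))),
    }

if __name__ == "__main__":
    print(demo())
```

In Case 1 every key consistent with PK yields the same blinding value, so the ciphertext is an ordinary encryption; in Case 2 the blinding value ranges over all of G, and a 3-bit leak still leaves about q/8 equally consistent values.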
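Added example (not part of the original lecture notes): a toy Python version of the GPV bit-encryption scheme from Section 4, with the Enc' used in the proof of Claim 9 and the leakage bound λ ≤ m − n log q − 2 log(1/ε). The parameters n = 4, m = 64, q = 1031, the clipped rounded Gaussian standing in for χ, and all function names are constructed for illustration.

```python
import math
import random
import secrets

N, M, Q = 4, 64, 1031          # constructed toy parameters with M > N * log2(Q)
_rng = random.SystemRandom()

def chi():
    """Stand-in for the discretized normal: rounded Gaussian clipped to [-2, 2]."""
    return max(-2, min(2, round(_rng.gauss(0, 1))))

def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q

def uniform_vector(length):
    return [secrets.randbelow(Q) for _ in range(length)]

def gen():
    r = [secrets.randbelow(2) for _ in range(M)]       # SK = r in {0,1}^M
    A = [uniform_vector(N) for _ in range(M)]          # A in Z_Q^{M x N}
    rA = [dot(r, col) for col in zip(*A)]              # r*A in Z_Q^N
    return r, (A, rA)

def lwe_vector(A):
    """A*s + x for fresh uniform s and noise x drawn from chi^M."""
    s = uniform_vector(N)
    return [(dot(row, s) + chi()) % Q for row in A]

def enc(pk, b):
    A, rA = pk
    s = uniform_vector(N)
    c1 = [(dot(row, s) + chi()) % Q for row in A]      # A s + x
    c2 = (dot(rA, s) + chi() + b * (Q // 2)) % Q       # r A s + x' + b q/2
    return c1, c2

def dec(r, c):
    c1, c2 = c
    v = (c2 - dot(c1, r)) % Q                          # b q/2 + x' - r x
    return 0 if min(v, Q - v) < abs(v - Q // 2) else 1

def enc_with_sk(r, y, b):
    """Enc'_SK(b) = (y, r y - x' + b q/2), built from B's challenge vector y."""
    return y, (dot(r, y) - chi() + b * (Q // 2)) % Q

def leak_budget(eps_log2):
    """lambda <= m - n log q - 2 log(1/eps), with eps = 2^(-eps_log2)."""
    return M - N * math.log2(Q) - 2 * eps_log2

def demo(trials=20):
    r, pk = gen()
    ok = True
    for b in (0, 1):
        for _ in range(trials):
            ok &= dec(r, enc(pk, b)) == b                               # honest Enc
            ok &= dec(r, enc_with_sk(r, lwe_vector(pk[0]), b)) == b     # y = A s + x
            ok &= dec(r, enc_with_sk(r, uniform_vector(M), b)) == b     # y uniform
    return ok

if __name__ == "__main__":
    print(demo(), round(leak_budget(8), 2))
```

With these constructed parameters the decryption noise x' − r·x is at most 130 in absolute value, well under q/4, so decryption never fails; Enc' decrypts correctly under r for both forms of y because it is computed from r itself.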
More informationCOS 521: Advanced Algorithms Game Theory and Linear Programming
COS 521: Advanced Algorthms Game Theory and Lnear Programmng Moses Charkar February 27, 2013 In these notes, we ntroduce some basc concepts n game theory and lnear programmng (LP). We show a connecton
More informationFeature Selection: Part 1
CSE 546: Machne Learnng Lecture 5 Feature Selecton: Part 1 Instructor: Sham Kakade 1 Regresson n the hgh dmensonal settng How do we learn when the number of features d s greater than the sample sze n?
More informationCryptanalysis of a Public-key Cryptosystem Using Lattice Basis Reduction Algorithm
www.ijcsi.org 110 Cryptanalyss of a Publc-key Cryptosystem Usng Lattce Bass Reducton Algorthm Roohallah Rastagh 1, Hamd R. Dall Oskoue 2 1,2 Department of Electrcal Engneerng, Aeronautcal Unversty of Snce
More informationLectures - Week 4 Matrix norms, Conditioning, Vector Spaces, Linear Independence, Spanning sets and Basis, Null space and Range of a Matrix
Lectures - Week 4 Matrx norms, Condtonng, Vector Spaces, Lnear Independence, Spannng sets and Bass, Null space and Range of a Matrx Matrx Norms Now we turn to assocatng a number to each matrx. We could
More informationPh 219a/CS 219a. Exercises Due: Wednesday 12 November 2008
1 Ph 19a/CS 19a Exercses Due: Wednesday 1 November 008.1 Whch state dd Alce make? Consder a game n whch Alce prepares one of two possble states: ether ρ 1 wth a pror probablty p 1, or ρ wth a pror probablty
More informationLeakage-Resilient Identification Schemes from Zero-Knowledge Proofs of Storage
Leakage-Reslent Identfcaton Schemes from Zero-Knowledge Proofs of Storage Guseppe Atenese Sapenza, Unversty of Rome atenese@d.unroma1.t Antono Faono Aarhus Unversty antfa@cs.au.dk Seny Kamara Mcrosoft
More informationStrongly Unforgeable Signatures Resilient to Polynomially Hard-to-Invert Leakage under Standard Assumptions
Strongly nforgeable Sgnatures Reslent to Polynomally Hard-to-Invert Leakage under Standard Assumptons Masahto Ishzaka and Kanta Matsuura Insttute of Industral Scence, The nversty of Tokyo, Tokyo, Japan.
More informationU.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016
U.C. Berkeley CS94: Spectral Methods and Expanders Handout 8 Luca Trevsan February 7, 06 Lecture 8: Spectral Algorthms Wrap-up In whch we talk about even more generalzatons of Cheeger s nequaltes, and
More informationImproving the Round Complexity of VSS in Point-to-Point Networks
Improvng the Round Complexty of VSS n Pont-to-Pont Networks Jonathan Katz Chu-Yuen Koo Rant Kumaresan Abstract We revst the followng queston: what s the optmal round complexty of verfable secret sharng
More informationSome Consequences. Example of Extended Euclidean Algorithm. The Fundamental Theorem of Arithmetic, II. Characterizing the GCD and LCM
Example of Extended Eucldean Algorthm Recall that gcd(84, 33) = gcd(33, 18) = gcd(18, 15) = gcd(15, 3) = gcd(3, 0) = 3 We work backwards to wrte 3 as a lnear combnaton of 84 and 33: 3 = 18 15 [Now 3 s
More informationCollege of Computer & Information Science Fall 2009 Northeastern University 20 October 2009
College of Computer & Informaton Scence Fall 2009 Northeastern Unversty 20 October 2009 CS7880: Algorthmc Power Tools Scrbe: Jan Wen and Laura Poplawsk Lecture Outlne: Prmal-dual schema Network Desgn:
More informationEnsemble Methods: Boosting
Ensemble Methods: Boostng Ncholas Ruozz Unversty of Texas at Dallas Based on the sldes of Vbhav Gogate and Rob Schapre Last Tme Varance reducton va baggng Generate new tranng data sets by samplng wth replacement
More informationSection 8.3 Polar Form of Complex Numbers
80 Chapter 8 Secton 8 Polar Form of Complex Numbers From prevous classes, you may have encountered magnary numbers the square roots of negatve numbers and, more generally, complex numbers whch are the
More informationDepartment of Computer Science Artificial Intelligence Research Laboratory. Iowa State University MACHINE LEARNING
MACHINE LEANING Vasant Honavar Bonformatcs and Computatonal Bology rogram Center for Computatonal Intellgence, Learnng, & Dscovery Iowa State Unversty honavar@cs.astate.edu www.cs.astate.edu/~honavar/
More information18.1 Introduction and Recap
CS787: Advanced Algorthms Scrbe: Pryananda Shenoy and Shjn Kong Lecturer: Shuch Chawla Topc: Streamng Algorthmscontnued) Date: 0/26/2007 We contnue talng about streamng algorthms n ths lecture, ncludng
More informationVARIATION OF CONSTANT SUM CONSTRAINT FOR INTEGER MODEL WITH NON UNIFORM VARIABLES
VARIATION OF CONSTANT SUM CONSTRAINT FOR INTEGER MODEL WITH NON UNIFORM VARIABLES BÂRZĂ, Slvu Faculty of Mathematcs-Informatcs Spru Haret Unversty barza_slvu@yahoo.com Abstract Ths paper wants to contnue
More informationLecture 3. Ax x i a i. i i
18.409 The Behavor of Algorthms n Practce 2/14/2 Lecturer: Dan Spelman Lecture 3 Scrbe: Arvnd Sankar 1 Largest sngular value In order to bound the condton number, we need an upper bound on the largest
More informationLecture 4: November 17, Part 1 Single Buffer Management
Lecturer: Ad Rosén Algorthms for the anagement of Networs Fall 2003-2004 Lecture 4: November 7, 2003 Scrbe: Guy Grebla Part Sngle Buffer anagement In the prevous lecture we taled about the Combned Input
More informationErrors for Linear Systems
Errors for Lnear Systems When we solve a lnear system Ax b we often do not know A and b exactly, but have only approxmatons  and ˆb avalable. Then the best thng we can do s to solve ˆx ˆb exactly whch
More informationStructure and Drive Paul A. Jensen Copyright July 20, 2003
Structure and Drve Paul A. Jensen Copyrght July 20, 2003 A system s made up of several operatons wth flow passng between them. The structure of the system descrbes the flow paths from nputs to outputs.
More informationCircular chosen-ciphertext security with compact ciphertexts
Crcular chosen-cphertext securty wth compact cphertexts Denns Hofhenz March 22, 2012 Abstract A key-dependent message KDM) secure encrypton scheme s secure even f an adversary obtans encryptons of messages
More informationUtility Dependence in Correct and Fair Rational Secret Sharing
Utlty Dependence n Correct and Far Ratonal Secret Sharng Glad Asharov and Yehuda Lndell Department of Computer Scence Bar-Ilan Unversty, Israel glad asharov@yahoo.com, lndell@cs.bu.ac.l Abstract. The problem
More informationCircular chosen-ciphertext security with compact ciphertexts
Crcular chosen-cphertext securty wth compact cphertexts Denns Hofhenz January 19, 2013 Abstract A key-dependent message (KDM secure encrypton scheme s secure even f an adversary obtans encryptons of messages
More informationSociété de Calcul Mathématique SA
Socété de Calcul Mathématque SA Outls d'ade à la décson Tools for decson help Probablstc Studes: Normalzng the Hstograms Bernard Beauzamy December, 202 I. General constructon of the hstogram Any probablstc
More information} Often, when learning, we deal with uncertainty:
Uncertanty and Learnng } Often, when learnng, we deal wth uncertanty: } Incomplete data sets, wth mssng nformaton } Nosy data sets, wth unrelable nformaton } Stochastcty: causes and effects related non-determnstcally
More informationPseudorandom Functions and Lattices
Pseudorandom Functons and Lattces Abhshek Banerjee Chrs Pekert Alon Rosen September 29, 2011 Abstract We gve drect constructons of pseudorandom functon (PRF) famles based on conjectured hard lattce problems
More informationRSA /2002/13(08) , ); , ) RSA RSA : RSA RSA [2] , [1,4]
1000-9825/2002/13(081729-06 2002 Journal of Software Vol13, No8 RSA 1,2 1, 1 (, 200433; 2 (, 200070 E-mal: yfhu@fudaneducn http://wwwfudaneducn : RSA RSA :, ; RSA,,, RSA,, : ; RSA ; ;RSA; : TP309 : A RSA
More informationSpectral Graph Theory and its Applications September 16, Lecture 5
Spectral Graph Theory and ts Applcatons September 16, 2004 Lecturer: Danel A. Spelman Lecture 5 5.1 Introducton In ths lecture, we wll prove the followng theorem: Theorem 5.1.1. Let G be a planar graph
More informationCOS 511: Theoretical Machine Learning
COS 5: Theoretcal Machne Learnng Lecturer: Rob Schapre Lecture #0 Scrbe: José Sões Ferrera March 06, 203 In the last lecture the concept of Radeacher coplexty was ntroduced, wth the goal of showng that
More informationLecture 3: Probability Distributions
Lecture 3: Probablty Dstrbutons Random Varables Let us begn by defnng a sample space as a set of outcomes from an experment. We denote ths by S. A random varable s a functon whch maps outcomes nto the
More information= z 20 z n. (k 20) + 4 z k = 4
Problem Set #7 solutons 7.2.. (a Fnd the coeffcent of z k n (z + z 5 + z 6 + z 7 + 5, k 20. We use the known seres expanson ( n+l ( z l l z n below: (z + z 5 + z 6 + z 7 + 5 (z 5 ( + z + z 2 + z + 5 5
More informationLecture Notes on Linear Regression
Lecture Notes on Lnear Regresson Feng L fl@sdueducn Shandong Unversty, Chna Lnear Regresson Problem In regresson problem, we am at predct a contnuous target value gven an nput feature vector We assume
More informationCalculation of time complexity (3%)
Problem 1. (30%) Calculaton of tme complexty (3%) Gven n ctes, usng exhaust search to see every result takes O(n!). Calculaton of tme needed to solve the problem (2%) 40 ctes:40! dfferent tours 40 add
More information2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification
E395 - Pattern Recognton Solutons to Introducton to Pattern Recognton, Chapter : Bayesan pattern classfcaton Preface Ths document s a soluton manual for selected exercses from Introducton to Pattern Recognton
More informationNP-Completeness : Proofs
NP-Completeness : Proofs Proof Methods A method to show a decson problem Π NP-complete s as follows. (1) Show Π NP. (2) Choose an NP-complete problem Π. (3) Show Π Π. A method to show an optmzaton problem
More informationCOS 511: Theoretical Machine Learning. Lecturer: Rob Schapire Lecture # 15 Scribe: Jieming Mao April 1, 2013
COS 511: heoretcal Machne Learnng Lecturer: Rob Schapre Lecture # 15 Scrbe: Jemng Mao Aprl 1, 013 1 Bref revew 1.1 Learnng wth expert advce Last tme, we started to talk about learnng wth expert advce.
More informationIntroduction to Algorithms
Introducton to Algorthms 6.046J/18.401J Lecture 7 Prof. Potr Indyk Data Structures Role of data structures: Encapsulate data Support certan operatons (e.g., INSERT, DELETE, SEARCH) What data structures
More informationDistinguishing Distributions Using Chernoff Information
Dstngushng Dstrbutons Usng Chernoff Informaton Thomas Bagnères 1, Pouyan Sepehrdad 2, and Serge Vaudenay 2 1 CryptoExperts, Pars, France 2 EPFL, Swtzerland thomas.bagneres@cryptoexperts.com, {pouyan.sepehrdad,serge.vaudenay}@epfl.ch
More information11 Tail Inequalities Markov s Inequality. Lecture 11: Tail Inequalities [Fa 13]
Algorthms Lecture 11: Tal Inequaltes [Fa 13] If you hold a cat by the tal you learn thngs you cannot learn any other way. Mark Twan 11 Tal Inequaltes The smple recursve structure of skp lsts made t relatvely
More informationPolynomials. 1 More properties of polynomials
Polynomals 1 More propertes of polynomals Recall that, for R a commutatve rng wth unty (as wth all rngs n ths course unless otherwse noted), we defne R[x] to be the set of expressons n =0 a x, where a
More informationPh 219a/CS 219a. Exercises Due: Wednesday 23 October 2013
1 Ph 219a/CS 219a Exercses Due: Wednesday 23 October 2013 1.1 How far apart are two quantum states? Consder two quantum states descrbed by densty operators ρ and ρ n an N-dmensonal Hlbert space, and consder
More informationfind (x): given element x, return the canonical element of the set containing x;
COS 43 Sprng, 009 Dsjont Set Unon Problem: Mantan a collecton of dsjont sets. Two operatons: fnd the set contanng a gven element; unte two sets nto one (destructvely). Approach: Canoncal element method:
More informationTuring Machines (intro)
CHAPTER 3 The Church-Turng Thess Contents Turng Machnes defntons, examples, Turng-recognzable and Turng-decdable languages Varants of Turng Machne Multtape Turng machnes, non-determnstc Turng Machnes,
More informationTHE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens
THE CHINESE REMAINDER THEOREM KEITH CONRAD We should thank the Chnese for ther wonderful remander theorem. Glenn Stevens 1. Introducton The Chnese remander theorem says we can unquely solve any par of
More informationMin Cut, Fast Cut, Polynomial Identities
Randomzed Algorthms, Summer 016 Mn Cut, Fast Cut, Polynomal Identtes Instructor: Thomas Kesselhem and Kurt Mehlhorn 1 Mn Cuts n Graphs Lecture (5 pages) Throughout ths secton, G = (V, E) s a mult-graph.
More informationANSWERS. Problem 1. and the moment generating function (mgf) by. defined for any real t. Use this to show that E( U) var( U)
Econ 413 Exam 13 H ANSWERS Settet er nndelt 9 deloppgaver, A,B,C, som alle anbefales å telle lkt for å gøre det ltt lettere å stå. Svar er gtt . Unfortunately, there s a prntng error n the hnt of
More informationECE559VV Project Report
ECE559VV Project Report (Supplementary Notes Loc Xuan Bu I. MAX SUM-RATE SCHEDULING: THE UPLINK CASE We have seen (n the presentaton that, for downlnk (broadcast channels, the strategy maxmzng the sum-rate
More information