Cryptanalysis of Pseudorandom Generators
|
|
- Delphia Carpenter
- 5 years ago
- Views:
Transcription
1 CSE 206A: Lattice Algorithms and Alications Fall 2017 Crytanalysis of Pseudorandom Generators Instructor: Daniele Micciancio UCSD CSE As a motivating alication for the study of lattice in crytograhy we consider the construction of seudorandom generators. We recall that a seudorandom generator is a rogram G(x) (comutable in deterministic olynomial time) that mas bitstrings x {0, 1} n to longer strings G(x) {0, 1} m such that, if x is chosen uniformly at random and ket secret, then the outut G(x) will look random to any efficient observer or adversary. We will formally define secure seudorandom generators later on. But, for now, we will use the minimal security requirement that given G(x), it should be comutationally hard to recover the secret seed x. We consider two oular tyes of generators: subset-sum generators and linear congruential generators. For simlicity, in both cases, we consider a generalized definition of generator where the inut x and outut G(x) are not necessarily bitstrings, but elements of some arbitrary set. We will assume that the secret seed x is chosen uniformly at random from a set of size aroximately 2 n, so that mounting an exhaustive search attack on the seed would take exonential time. The task of the generator is to stretch this relatively short random seed into a olynomially longer string, e.g., an element from a set of size roughly 2 n2. Subset-Sum Generator Let be a rime of size log 2 n 2, and a 1,..., a n Z be chosen uniformly at random. The arameters, a 1,..., a n are made ublic, and known to everybody. You can think of these arameters as art of the rogram that comutes G. The inut to the generator is a sequence of n bits (x 1,..., x n ) {0, 1} n. The outut is G(x) = i a i x i (mod ). Notice that the outut is reresented by log 2 n 2 bits. So, the generator stretches n-bits to roughly n 2 bits. You can think of the outut G(x) as the sum (modulo ) of a random subset I = {i: x i = 1} of the values a 1,..., a n, hence the name subset-sum. The subset-sum roblem asks, given a 1,..., a n and target value b, recover a subset I (or its indicator vector x) that adds u to G(x) = b. Subsetsum is a famous NP-hard roblem, so one may hoe that recovering x from b is indeed comutationally hard, and cannot be solved much faster than an exonential time exhaustive search. Truncated Linear Congruential Generator (LCG) Here we consider another oular tye of generators based on linear recurrence relations. The oularity of the generator is due to its simlicity, and variants of this generator were used for some time as the standard seudorandom generator for the Unix oerating system.
2 As before, we first choose random ublic arameters. Let be a rime with log 2 n bits, and choose a, b Z uniformly at random. The values, a, b are made ublic and hardwired in the rogram comuting the generator. The inut to the generator is a value x Z, reresentable with log 2 n bits. This value defines a sequence according to the recurrence relation 1. x 0 = x 2. x i+1 = a x i + b (mod ) for i = 1, 2,.... Of course, roducing x 0,..., x as the outut of G would be insecure, because it would reveal the secret x 0. (Omitting x 0, and starting the outut with x 1 would hardly make any difference because the secret seed can still be recovered as x = (x 1 b)/a (mod ).) In order to rotect the seed x, the generator G will outut only a ortion of the bits from each x i. For examle, G may outut only the n/10 least significant bits y i = x i mod 2 n/10. (Here we are imlicitly assuming n is a multile of 10. Alternatively, one can round n/10 to an integer.) In order to stretch the n inut bits x to a sequence of n 2 bits, the generator comutes a sequence of length k = 10n, and oututs G(x) = (y 0,..., y ). Since each y i is n/10 bits, the outut of G has length k (n/10) = n 2. In summary, for some arameter δ [0, 1]: The inut to the generator is a value x Z, reresentable with log 2 n bits. The outut of the generator is G(x) = (y 0,..., y ) where y i = x i mod 2 δn is obtained by truncating the values roduced by the linear congruential recurrence x 0 = x, x i+1 = ax i + b mod. 1 Lattices Neither generator (LCG or subsetsum) is trivially insecure. In fact, both tyes of generators, for some values of the arameters, have been (or may still be) used in ractice. However, we will see that both generators can be comletely broken using lattices. This may be surrising at first because neither generator makes exlicit use of lattices, and demonstrates how lattices are owerful combinatorial objects that can be used to attack a variety of seemingly unrelated roblems. So, the first question to answer is: where is the hidden lattice, and what lattice roblem is relevant to the crytanalysis roblem? We will see that in both cases the relevant lattice roblem is the Closest Vector Problem. Definition 1 The closest vector roblem (CVP), given a lattice basis B and a target vector t, asks to find the lattice oint Bx closest to the target, i.e., find an integer vector x such that Bx t is minimized.
3 In general, as we will see, CVP is an NP-hard roblem. So, we have little hoe to efficiently solve this roblem in its full generality. However, in ractice one often needs to solve only a secial variant of this roblem, where the target is known to be close to the lattice. Definition 2 The Bounded Distance Decoding roblem (α-bdd), given a lattice basis B and a target vector t such that dist(t, L(B)) αλ 1 (L(B)), asks to find a lattice oint Bx such that dist(t, Bx) αλ 1 (L(B)). In the above definition dist(t, L(B)) = min{ t Bx : x Z n } is the distance between the target and the closest lattice oint, and λ 1 (L(B)) = min{ Bx : x Z \ {0}} is the minimum distance of the lattice. Tyically, α is very close to 0, making the target very close to the lattice, comared to the distance between lattice oints. Notice than as soon as α < 1/2, the solution to BDD is necessarily unique, as for any two solutions x, y, their difference x y is a lattice vector of length at most x y x t + t y 2αλ 1 < λ 1. So, by definition of λ 1 it must be x y = 0, i.e., x = y are the same solution. Later in the course we will show that the LLL basis reduction algorithm allows to solve α-bdd in olynomial time when α = 2 (n 1)/2 is exonentially small in the lattice dimension n. 2 Crytanalysis of LCG First thing to do is to set u an aroriate lattice. Let, a, b be the ublicly known arameters, and, for any seed x, define the sequence x 0,..., x where x 0 = x and x i = ax i 1 + b (mod ) for i = 1,..., k 1. By solving the recurrence we see that x i = a i x + b i (mod ) for b i = b j<i aj (mod ). (The exact exression for b i is not really relevant. All that matters is that each b i can be easily comuted from the ublic arameters a, b,.) Write each x i as x i = z i 2 u + y i, where u is the number of bits outut by the generator from each x i, z i = x i /2 u < /2 u and y i = x i mod 2 u. The outut of the generator can be written as y = y 0,..., y. In vector notation ax + b = 2 u z + y (mod ) where a = (1, a, a 2,..., a ) (mod ), b = (b 0,..., b ), and y are known, and z is an unknown vector with relatively small entries z i [0, /2 u ). To fix some arameters, let n = log 2 be the bitsize of the modulus, and assume u = δ n for some (small) constant 0 < δ < 1. Let k be the number of oututs the attacker takes from the generator. At the end of the roof, we discuss aroriate choices of k for which the attacker can recover the seed with high robability.
4 Consider the integer lattice Λ a generated by the basis 1 a B = a 2 t = 2 u (y b) (mod ).... a and the target vector t. We remark that in the definition of t, the value 2 u should be interreted as the inverse of 2 u in Z, so that the target vector has integer coordinates. Note that k, the number of generator oututs, becomes the dimension of the lattice. First, we claim that the target t is close to the lattice. In fact, if we multily the first basis vector by by 2 u x (mod ) and using the other basis vectors for reduction modulo gives a(2 u x) = 2 u (2 u z + (y b)) = z + t (mod ) which is at distance z k(/2 u ) = µ from the target t. If the minimum distance of the lattice Λ is much larger than µ, then this is an instance of the BDD roblem, and can be efficiently solved by lattice aroximation algorithms. We conclude the analysis by showing that if a is chosen uniformly at random, then λ(λ) is much larger than µ (say, by a factor γ > 1) with very high robability. We will see that BDD can be solved in olynomial time when γ is exonential in the dimension of the lattice. Since B defines a k-dimensional lattice, we may set γ = 2. All vectors in Λ a equal c a (mod ) for some integer c. So, the shortest nonzero vector in Λ a can be obtained by icking an integer c 0 (mod ), and then bringing all coordinates of c a in the range ( /2, /2) by reduction modulo. Let A be the set of all a s such that there is a c Z for which c a i (mod ) γµ for all i = 0,..., k 1. (When taking the absolute value of a number modulo, we always assume that the number has been reduced to the interval ( /2, /2).) Note that a A is a necessary but insufficient condition for λ(λ) < γµ. Certainly, if any comonent of the shortest vector satisfies c a i (mod ) > γµ, then the length of the vector will be greater than γµ. So a / A imlies λ(λ) > γµ. But even if no comonent is longer than γµ, it may turn out that the vector is still longer than this value. We will show that satisfying even this relaxed condition is imrobable by bounding the size of A. To this end, we claim that all a A are the root of a nonzero olynomial m(a) = 0 (mod ) with small coefficients. Lemma 3 For any a A there is a nonzero olynomial q Z [x] of degree less than k with coefficients q i β = (kγµ) 1/() such that q(a) = 0. Proof. Fix an a A and let c 0 (mod ) be an integer such that c a i (mod ) γµ for all i < k. Let M be the set of all olynomials m(x) Z [x] with coefficients m i β/2. Notice that for any m(x) M we have c m(a) (mod ) = i c m i a i (mod ) i m i (mod ) c a i (mod ) β 2 kγµ.
5 So, cm(a) (mod ) ranges over a set { βkγµ/2,..., βkγµ/2} of size at most βkγµ + 1. Since M has size (β + 1) k > β k + 1 = (kγµ) k/() + 1 = βkγµ + 1, by the igeonhole rincile, there must be two distinct olynomials m(x), ˆm(x) M such that c m(a) = c ˆm(a) (mod ). Dividing by c and subtracting gives a nonzero olynomial q(x) = (m ˆm)(x) with coefficients q i (mod ) β, such that (m ˆm)(a) = 0 (mod ). The number of nonzero olynomials of degree < k with coefficients bounded by β is (2β + 1) k 1, and each one of them has at most k 1 roots. Therefore, the set A has size at most A (k 1)(2β + 1) k < k(3β) k. So, the robability that Λ a has a nonzero vector of length bounded by γµ is at most Pr a {λ(λ a ) γµ} A k(3β)k = k3k (kγµ) k/() = k3k (k2 k(/2 u )) k/() = k3k (k 3 2 (2 )(2 u )) k/() = k3k k 3 2 k 2 ()( k ) k () 2 u k = 6k k ( 3 k 2 )+1 1 () 2 δn k This exression, though comlicated, informs the attacker of how to choose k. Setting k = 1 results in an exression with no sensible interretation, so k 2, in which case we can simlify the inequality: Pr a {λ(λ a ) γµ} 6k k ( 3 k 2 )+1 1 () 2 δn k 6k k 4 1 () 2 δn k Note that so the quantity 1/() has less than n + 1 bits. Note also that as k increases, the denominator aroaches 2 δn, which has δn + 1 bits. Thus, the attacker should ick n k so that + 1 < δn + 1, or k 1 > 1, to ensure that the numerator has fewer bits δ than the denominator. In fact, k needs to be a bit larger than this to offset the additional contributions of 6 k and k 4, and then a bit more to ensure the robability is low. Setting k = 2/δ is sufficient to result in a failure robability that is exonentially small in the security arameter n, in which case the attack is almost certain to succeed. 3 Crytanalysis of the Subset-Sum generator Let be a rime of length log 2 = n 2, and a = (a 1,..., a n ) Z n be chosen uniformly at random. These values are ublic and known to the attacker. The Subset-Sum generator, on inut a uniformly random string x = (x 1,..., x n ) {0, 1} n, oututs b = G(x) = i a ix i (mod ) Z. Given the ublic arameters, a and outut b we set u the following lattice and target
6 vector: B = C Ca 1... Ca n t = where C is a large constant to be determined. Clearly, there is a lattice vector B(c, x) = (Cb, 2x) within distance n from the target. We will rove that the minimum distance of the lattice Λ a generated by B is much larger than that (say, by an exonential factor γ = 2 n/2,) so, this is an instance of the BDD roblem, and it can be easily solved using lattice reduction algorithms. We set C = γ n, so that all lattice vectors of length bounded by C = γ n must have the form (0, z) for some z C. We consider the set Z of all nonzero integer vectors z of length z C. For each z Z, (0, z) is a lattice vector if and only if i a iz i = 0 (mod ). But, when the a i are chosen uniformly at random and z 0, the value i a iz i is uniformly distributed in Z. So, (0, z) is a lattice vector with robability 1/. By union bound, the robability (over the choice of a) that there is a short vector is Cb 1. 1 Pr a {λ(λ a ) C} Z (2C + 1)n 1 2 n/2. So, the failure robability is exonentially small. 4 Conclusion We have seen how the crytanalysis of different tyes of seudorandom generators reduces to the bounded distance decoding (BDD) roblem, a variant of the closest vector roblem (CVP) on oint lattices. In the case of the truncated LCG generators, we have seen that even stretching the seed by a small constant factor allows to recover the seed by solving a lattice roblem in constant dimension k = O(1/δ). In the case of subset-sum, we used an n-dimensional lattice, where n is the security arameter of the seudorandom generator. The attack works when the generator oututs more than n 2 bits. Performing a similar attack on subset-sum generators with smaller outut (say, O(n) bits), is closely related to finding better solutions to lattice roblems. In fact, we will see that subset-sum can be quite a fine roblem to build crytograhic functions if used roerly. Both attacks illustrate a common feature of lattice algorithms when alied in crytograhy: both for the linear congruential generator, and the subset-sum generator, the attack we described is not guaranteed to work for any inut. Rather, it works with high robability when run on a randomly selected roblem instance. This makes erfect sense in crytograhy, where keys are chosen at random, and define a robability distribution on roblem instances. Knowing that a roblem is easy or hard in the average case, tells you if your randomly chosen key can or cannot be cracked. Notice how both crytanalysis roblems defined a certain (natural) distribution on lattices, and we roved that the relevant lattice
7 roblem could be solved with high robability when the lattice is chosen according to that distribution. Average case comlexity is relevant not only in crytanalysis, but also in most ractical setting, when the inut distribution is known. For this reason, we will be rimarily interested in the average case comlexity of lattice roblems.
Tanja Lange Technische Universiteit Eindhoven
Crytanalysis Course Part I Tanja Lange Technische Universiteit Eindhoven 28 Nov 2016 with some slides by Daniel J. Bernstein Main goal of this course: We are the attackers. We want to break ECC and RSA.
More informationCryptography. Lecture 8. Arpita Patra
Crytograhy Lecture 8 Arita Patra Quick Recall and Today s Roadma >> Hash Functions- stands in between ublic and rivate key world >> Key Agreement >> Assumtions in Finite Cyclic grous - DL, CDH, DDH Grous
More informationHENSEL S LEMMA KEITH CONRAD
HENSEL S LEMMA KEITH CONRAD 1. Introduction In the -adic integers, congruences are aroximations: for a and b in Z, a b mod n is the same as a b 1/ n. Turning information modulo one ower of into similar
More informationAdvanced Cryptography Midterm Exam
Advanced Crytograhy Midterm Exam Solution Serge Vaudenay 17.4.2012 duration: 3h00 any document is allowed a ocket calculator is allowed communication devices are not allowed the exam invigilators will
More informationElliptic Curves and Cryptography
Ellitic Curves and Crytograhy Background in Ellitic Curves We'll now turn to the fascinating theory of ellitic curves. For simlicity, we'll restrict our discussion to ellitic curves over Z, where is a
More informationApproximating min-max k-clustering
Aroximating min-max k-clustering Asaf Levin July 24, 2007 Abstract We consider the roblems of set artitioning into k clusters with minimum total cost and minimum of the maximum cost of a cluster. The cost
More informationOutline. EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Simple Error Detection Coding
Outline EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Error detection using arity Hamming code for error detection/correction Linear Feedback Shift
More informationLattice Cryptography
CSE 06A: Lattice Algorithms and Applications Winter 01 Instructor: Daniele Micciancio Lattice Cryptography UCSD CSE Many problems on point lattices are computationally hard. One of the most important hard
More informationMA3H1 TOPICS IN NUMBER THEORY PART III
MA3H1 TOPICS IN NUMBER THEORY PART III SAMIR SIKSEK 1. Congruences Modulo m In quadratic recirocity we studied congruences of the form x 2 a (mod ). We now turn our attention to situations where is relaced
More information#A64 INTEGERS 18 (2018) APPLYING MODULAR ARITHMETIC TO DIOPHANTINE EQUATIONS
#A64 INTEGERS 18 (2018) APPLYING MODULAR ARITHMETIC TO DIOPHANTINE EQUATIONS Ramy F. Taki ElDin Physics and Engineering Mathematics Deartment, Faculty of Engineering, Ain Shams University, Cairo, Egyt
More informationCryptography Assignment 3
Crytograhy Assignment Michael Orlov orlovm@cs.bgu.ac.il) Yanik Gleyzer yanik@cs.bgu.ac.il) Aril 9, 00 Abstract Solution for Assignment. The terms in this assignment are used as defined in [1]. In some
More informationAN IMPROVED BABY-STEP-GIANT-STEP METHOD FOR CERTAIN ELLIPTIC CURVES. 1. Introduction
J. Al. Math. & Comuting Vol. 20(2006), No. 1-2,. 485-489 AN IMPROVED BABY-STEP-GIANT-STEP METHOD FOR CERTAIN ELLIPTIC CURVES BYEONG-KWEON OH, KIL-CHAN HA AND JANGHEON OH Abstract. In this aer, we slightly
More informationf(r) = a d n) d + + a0 = 0
Math 400-00/Foundations of Algebra/Fall 07 Polynomials at the Foundations: Roots Next, we turn to the notion of a root of a olynomial in Q[x]. Definition 8.. r Q is a rational root of fx) Q[x] if fr) 0.
More informationBilinear Entropy Expansion from the Decisional Linear Assumption
Bilinear Entroy Exansion from the Decisional Linear Assumtion Lucas Kowalczyk Columbia University luke@cs.columbia.edu Allison Bisho Lewko Columbia University alewko@cs.columbia.edu Abstract We develo
More informationON THE LEAST SIGNIFICANT p ADIC DIGITS OF CERTAIN LUCAS NUMBERS
#A13 INTEGERS 14 (014) ON THE LEAST SIGNIFICANT ADIC DIGITS OF CERTAIN LUCAS NUMBERS Tamás Lengyel Deartment of Mathematics, Occidental College, Los Angeles, California lengyel@oxy.edu Received: 6/13/13,
More informationLattice Cryptography
CSE 206A: Lattice Algorithms and Applications Winter 2016 Lattice Cryptography Instructor: Daniele Micciancio UCSD CSE Lattice cryptography studies the construction of cryptographic functions whose security
More informationUnit 1 - Computer Arithmetic
FIXD-POINT (FX) ARITHMTIC Unit 1 - Comuter Arithmetic INTGR NUMBRS n bit number: b n 1 b n 2 b 0 Decimal Value Range of values UNSIGND n 1 SIGND D = b i 2 i D = 2 n 1 b n 1 + b i 2 i n 2 i=0 i=0 [0, 2
More informationCDH/DDH-Based Encryption. K&L Sections , 11.4.
CDH/DDH-Based Encrytion K&L Sections 8.3.1-8.3.3, 11.4. 1 Cyclic grous A finite grou G of order q is cyclic if it has an element g of q. { 0 1 2 q 1} In this case, G = g = g, g, g,, g ; G is said to be
More information0.6 Factoring 73. As always, the reader is encouraged to multiply out (3
0.6 Factoring 7 5. The G.C.F. of the terms in 81 16t is just 1 so there is nothing of substance to factor out from both terms. With just a difference of two terms, we are limited to fitting this olynomial
More informationMath 104B: Number Theory II (Winter 2012)
Math 104B: Number Theory II (Winter 01) Alina Bucur Contents 1 Review 11 Prime numbers 1 Euclidean algorithm 13 Multilicative functions 14 Linear diohantine equations 3 15 Congruences 3 Primes as sums
More informationSOME SUMS OVER IRREDUCIBLE POLYNOMIALS
SOME SUMS OVER IRREDUCIBLE POLYNOMIALS DAVID E SPEYER Abstract We rove a number of conjectures due to Dinesh Thakur concerning sums of the form P hp ) where the sum is over monic irreducible olynomials
More informationMATH 361: NUMBER THEORY EIGHTH LECTURE
MATH 361: NUMBER THEORY EIGHTH LECTURE 1. Quadratic Recirocity: Introduction Quadratic recirocity is the first result of modern number theory. Lagrange conjectured it in the late 1700 s, but it was first
More informationComputer arithmetic. Intensive Computation. Annalisa Massini 2017/2018
Comuter arithmetic Intensive Comutation Annalisa Massini 7/8 Intensive Comutation - 7/8 References Comuter Architecture - A Quantitative Aroach Hennessy Patterson Aendix J Intensive Comutation - 7/8 3
More informationFor q 0; 1; : : : ; `? 1, we have m 0; 1; : : : ; q? 1. The set fh j(x) : j 0; 1; ; : : : ; `? 1g forms a basis for the tness functions dened on the i
Comuting with Haar Functions Sami Khuri Deartment of Mathematics and Comuter Science San Jose State University One Washington Square San Jose, CA 9519-0103, USA khuri@juiter.sjsu.edu Fax: (40)94-500 Keywords:
More informationLattice Attacks on the DGHV Homomorphic Encryption Scheme
Lattice Attacks on the DGHV Homomorhic Encrytion Scheme Abderrahmane Nitaj 1 and Tajjeeddine Rachidi 2 1 Laboratoire de Mathématiques Nicolas Oresme Université de Caen Basse Normandie, France abderrahmanenitaj@unicaenfr
More informationOn the Chvatál-Complexity of Knapsack Problems
R u t c o r Research R e o r t On the Chvatál-Comlexity of Knasack Problems Gergely Kovács a Béla Vizvári b RRR 5-08, October 008 RUTCOR Rutgers Center for Oerations Research Rutgers University 640 Bartholomew
More informationGOOD MODELS FOR CUBIC SURFACES. 1. Introduction
GOOD MODELS FOR CUBIC SURFACES ANDREAS-STEPHAN ELSENHANS Abstract. This article describes an algorithm for finding a model of a hyersurface with small coefficients. It is shown that the aroach works in
More informationCMSC 425: Lecture 4 Geometry and Geometric Programming
CMSC 425: Lecture 4 Geometry and Geometric Programming Geometry for Game Programming and Grahics: For the next few lectures, we will discuss some of the basic elements of geometry. There are many areas
More informationMATH 2710: NOTES FOR ANALYSIS
MATH 270: NOTES FOR ANALYSIS The main ideas we will learn from analysis center around the idea of a limit. Limits occurs in several settings. We will start with finite limits of sequences, then cover infinite
More informationSQUARES IN Z/NZ. q = ( 1) (p 1)(q 1)
SQUARES I Z/Z We study squares in the ring Z/Z from a theoretical and comutational oint of view. We resent two related crytograhic schemes. 1. SQUARES I Z/Z Consider for eamle the rime = 13. Write the
More informationBy Evan Chen OTIS, Internal Use
Solutions Notes for DNY-NTCONSTRUCT Evan Chen January 17, 018 1 Solution Notes to TSTST 015/5 Let ϕ(n) denote the number of ositive integers less than n that are relatively rime to n. Prove that there
More informationPseudorandom Sequence Generation
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Crytograhy and Comuter Security Handout #21 Professor M. J. Fischer November 29, 2005 Pseudorandom Seuence Generation 1 Distinguishability and
More informationCSE 206A: Lattice Algorithms and Applications Spring Basic Algorithms. Instructor: Daniele Micciancio
CSE 206A: Lattice Algorithms and Applications Spring 2014 Basic Algorithms Instructor: Daniele Micciancio UCSD CSE We have already seen an algorithm to compute the Gram-Schmidt orthogonalization of a lattice
More informationRandomness Extraction in finite fields F p
Randomness Extraction in finite fields F n Abdoul Aziz Ciss École doctorale de Mathématiques et d Informatique, Université Cheikh Anta Dio de Dakar, Sénégal BP: 5005, Dakar Fann abdoul.ciss@ucad.edu.sn,
More informationCS 6260 Some number theory. Groups
Let Z = {..., 2, 1, 0, 1, 2,...} denote the set of integers. Let Z+ = {1, 2,...} denote the set of ositive integers and = {0, 1, 2,...} the set of non-negative integers. If a, are integers with > 0 then
More informationAn Overview of Witt Vectors
An Overview of Witt Vectors Daniel Finkel December 7, 2007 Abstract This aer offers a brief overview of the basics of Witt vectors. As an alication, we summarize work of Bartolo and Falcone to rove that
More informationElementary Analysis in Q p
Elementary Analysis in Q Hannah Hutter, May Szedlák, Phili Wirth November 17, 2011 This reort follows very closely the book of Svetlana Katok 1. 1 Sequences and Series In this section we will see some
More informationAMS10 HW1 Grading Rubric
AMS10 HW1 Grading Rubric Problem 1 (16ts- ts/each). Left hand side is shown to equal right hand side using examles with real vectors. A vector sace is a set V on which two oerations, vector addition and
More informationPrimes - Problem Sheet 5 - Solutions
Primes - Problem Sheet 5 - Solutions Class number, and reduction of quadratic forms Positive-definite Q1) Aly the roof of Theorem 5.5 to find reduced forms equivalent to the following, also give matrices
More informationCSE 206A: Lattice Algorithms and Applications Spring Basis Reduction. Instructor: Daniele Micciancio
CSE 206A: Lattice Algorithms and Applications Spring 2014 Basis Reduction Instructor: Daniele Micciancio UCSD CSE No efficient algorithm is known to find the shortest vector in a lattice (in arbitrary
More informationarxiv:math/ v2 [math.nt] 21 Oct 2004
SUMS OF THE FORM 1/x k 1 + +1/x k n MODULO A PRIME arxiv:math/0403360v2 [math.nt] 21 Oct 2004 Ernie Croot 1 Deartment of Mathematics, Georgia Institute of Technology, Atlanta, GA 30332 ecroot@math.gatech.edu
More informationp-adic Measures and Bernoulli Numbers
-Adic Measures and Bernoulli Numbers Adam Bowers Introduction The constants B k in the Taylor series exansion t e t = t k B k k! k=0 are known as the Bernoulli numbers. The first few are,, 6, 0, 30, 0,
More informationWhy Proofs? Proof Techniques. Theorems. Other True Things. Proper Proof Technique. How To Construct A Proof. By Chuck Cusack
Proof Techniques By Chuck Cusack Why Proofs? Writing roofs is not most student s favorite activity. To make matters worse, most students do not understand why it is imortant to rove things. Here are just
More informationPublic Key Cryptosystems RSA
Public Key Crytosystems RSA 57 17 Receiver Sender 41 19 and rime 53 Attacker 47 Public Key Crytosystems RSA Comute numbers n = * 2337 323 57 17 Receiver Sender 41 19 and rime 53 Attacker 2491 47 Public
More informationPretest (Optional) Use as an additional pacing tool to guide instruction. August 21
Trimester 1 Pretest (Otional) Use as an additional acing tool to guide instruction. August 21 Beyond the Basic Facts In Trimester 1, Grade 8 focus on multilication. Daily Unit 1: Rational vs. Irrational
More informationSection 0.10: Complex Numbers from Precalculus Prerequisites a.k.a. Chapter 0 by Carl Stitz, PhD, and Jeff Zeager, PhD, is available under a Creative
Section 0.0: Comlex Numbers from Precalculus Prerequisites a.k.a. Chater 0 by Carl Stitz, PhD, and Jeff Zeager, PhD, is available under a Creative Commons Attribution-NonCommercial-ShareAlike.0 license.
More informationDepartment of Mathematics
Deartment of Mathematics Ma 3/03 KC Border Introduction to Probability and Statistics Winter 209 Sulement : Series fun, or some sums Comuting the mean and variance of discrete distributions often involves
More informationConvex Optimization methods for Computing Channel Capacity
Convex Otimization methods for Comuting Channel Caacity Abhishek Sinha Laboratory for Information and Decision Systems (LIDS), MIT sinhaa@mit.edu May 15, 2014 We consider a classical comutational roblem
More informationSolvability and Number of Roots of Bi-Quadratic Equations over p adic Fields
Malaysian Journal of Mathematical Sciences 10(S February: 15-35 (016 Secial Issue: The 3 rd International Conference on Mathematical Alications in Engineering 014 (ICMAE 14 MALAYSIAN JOURNAL OF MATHEMATICAL
More informationErnie Croot 1. Department of Mathematics, Georgia Institute of Technology, Atlanta, GA Abstract
SUMS OF THE FORM 1/x k 1 + + 1/x k n MODULO A PRIME Ernie Croot 1 Deartment of Mathematics, Georgia Institute of Technology, Atlanta, GA 30332 ecroot@math.gatech.edu Abstract Using a sum-roduct result
More informationANALYTIC NUMBER THEORY AND DIRICHLET S THEOREM
ANALYTIC NUMBER THEORY AND DIRICHLET S THEOREM JOHN BINDER Abstract. In this aer, we rove Dirichlet s theorem that, given any air h, k with h, k) =, there are infinitely many rime numbers congruent to
More informationIntroduction to Arithmetic Geometry Fall 2013 Lecture #10 10/8/2013
18.782 Introduction to Arithmetic Geometry Fall 2013 Lecture #10 10/8/2013 In this lecture we lay the groundwork needed to rove the Hasse-Minkowski theorem for Q, which states that a quadratic form over
More informationAn Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security
An extended abstract of this aer aears in the Proceedings of the 35th Annual Crytology Conference (CRYPTO 2015), Part I, Rosario ennaro and Matthew Robshaw (Eds.), volume 9215 of Lecture Notes in Comuter
More informationEvaluating Circuit Reliability Under Probabilistic Gate-Level Fault Models
Evaluating Circuit Reliability Under Probabilistic Gate-Level Fault Models Ketan N. Patel, Igor L. Markov and John P. Hayes University of Michigan, Ann Arbor 48109-2122 {knatel,imarkov,jhayes}@eecs.umich.edu
More informationAn Attack on a Fully Homomorphic Encryption Scheme
An Attack on a Fully Homomorhic Encrytion Scheme Yuu Hu 1 and Fenghe Wang 2 1 Telecommunication School, Xidian University, 710071 Xi an, China 2 Deartment of Mathematics and Physics Shandong Jianzhu University,
More informationRound-off Errors and Computer Arithmetic - (1.2)
Round-off Errors and Comuter Arithmetic - (.). Round-off Errors: Round-off errors is roduced when a calculator or comuter is used to erform real number calculations. That is because the arithmetic erformed
More informationAlmost 4000 years ago, Babylonians had discovered the following approximation to. x 2 dy 2 =1, (5.0.2)
Chater 5 Pell s Equation One of the earliest issues graled with in number theory is the fact that geometric quantities are often not rational. For instance, if we take a right triangle with two side lengths
More informationON POLYNOMIAL SELECTION FOR THE GENERAL NUMBER FIELD SIEVE
MATHEMATICS OF COMPUTATIO Volume 75, umber 256, October 26, Pages 237 247 S 25-5718(6)187-9 Article electronically ublished on June 28, 26 O POLYOMIAL SELECTIO FOR THE GEERAL UMBER FIELD SIEVE THORSTE
More informationOn the Rank of the Elliptic Curve y 2 = x(x p)(x 2)
On the Rank of the Ellitic Curve y = x(x )(x ) Jeffrey Hatley Aril 9, 009 Abstract An ellitic curve E defined over Q is an algebraic variety which forms a finitely generated abelian grou, and the structure
More information2 Asymptotic density and Dirichlet density
8.785: Analytic Number Theory, MIT, sring 2007 (K.S. Kedlaya) Primes in arithmetic rogressions In this unit, we first rove Dirichlet s theorem on rimes in arithmetic rogressions. We then rove the rime
More informationHotelling s Two- Sample T 2
Chater 600 Hotelling s Two- Samle T Introduction This module calculates ower for the Hotelling s two-grou, T-squared (T) test statistic. Hotelling s T is an extension of the univariate two-samle t-test
More informationPOINTS ON CONICS MODULO p
POINTS ON CONICS MODULO TEAM 2: JONGMIN BAEK, ANAND DEOPURKAR, AND KATHERINE REDFIELD Abstract. We comute the number of integer oints on conics modulo, where is an odd rime. We extend our results to conics
More informationThe Euler Phi Function
The Euler Phi Function 7-3-2006 An arithmetic function takes ositive integers as inuts and roduces real or comlex numbers as oututs. If f is an arithmetic function, the divisor sum Dfn) is the sum of the
More informationMulti-Operation Multi-Machine Scheduling
Multi-Oeration Multi-Machine Scheduling Weizhen Mao he College of William and Mary, Williamsburg VA 3185, USA Abstract. In the multi-oeration scheduling that arises in industrial engineering, each job
More informationLinear diophantine equations for discrete tomography
Journal of X-Ray Science and Technology 10 001 59 66 59 IOS Press Linear diohantine euations for discrete tomograhy Yangbo Ye a,gewang b and Jiehua Zhu a a Deartment of Mathematics, The University of Iowa,
More informationTopic 7: Using identity types
Toic 7: Using identity tyes June 10, 2014 Now we would like to learn how to use identity tyes and how to do some actual mathematics with them. By now we have essentially introduced all inference rules
More informationOn the Unpredictability of Bits of the Elliptic Curve Diffie Hellman Scheme
On the Unredictability of Bits of the Ellitic Curve Diffie Hellman Scheme Dan Boneh 1 and Igor E. Sharlinski 2 1 Deartment of Comuter Science, Stanford University, CA, USA dabo@cs.stanford.edu 2 Deartment
More informationA Modified Menezes-Vanstone Elliptic Curve Multi-Keys Cryptosystem
A Modified Menezes-Vanstone Ellitic Curve Multi-Keys Crytosystem By K.H. Rahouma Electrical Technology Deartment Technical College in Riyadh Riyadh, Kingdom of Saudi Arabia E-mail: kamel_rahouma@yahoo.com
More informationECE 534 Information Theory - Midterm 2
ECE 534 Information Theory - Midterm Nov.4, 009. 3:30-4:45 in LH03. You will be given the full class time: 75 minutes. Use it wisely! Many of the roblems have short answers; try to find shortcuts. You
More informationRadial Basis Function Networks: Algorithms
Radial Basis Function Networks: Algorithms Introduction to Neural Networks : Lecture 13 John A. Bullinaria, 2004 1. The RBF Maing 2. The RBF Network Architecture 3. Comutational Power of RBF Networks 4.
More informationThe Hasse Minkowski Theorem Lee Dicker University of Minnesota, REU Summer 2001
The Hasse Minkowski Theorem Lee Dicker University of Minnesota, REU Summer 2001 The Hasse-Minkowski Theorem rovides a characterization of the rational quadratic forms. What follows is a roof of the Hasse-Minkowski
More informationδ(xy) = φ(x)δ(y) + y p δ(x). (1)
LECTURE II: δ-rings Fix a rime. In this lecture, we discuss some asects of the theory of δ-rings. This theory rovides a good language to talk about rings with a lift of Frobenius modulo. Some of the material
More informationElliptic Curves Spring 2015 Problem Set #1 Due: 02/13/2015
18.783 Ellitic Curves Sring 2015 Problem Set #1 Due: 02/13/2015 Descrition These roblems are related to the material covered in Lectures 1-2. Some of them require the use of Sage, and you will need to
More informationFinding Shortest Hamiltonian Path is in P. Abstract
Finding Shortest Hamiltonian Path is in P Dhananay P. Mehendale Sir Parashurambhau College, Tilak Road, Pune, India bstract The roblem of finding shortest Hamiltonian ath in a eighted comlete grah belongs
More informationExcerpt from "Intermediate Algebra" 2014 AoPS Inc.
Ecert from "Intermediate Algebra" 04 AoPS Inc. www.artofroblemsolving.com for which our grah is below the -ais with the oints where the grah intersects the -ais (because the ineuality is nonstrict), we
More informationUniversity of Bristol - Explore Bristol Research. Peer reviewed version. Link to published version (if available): 10.
Booker, A. R., & Pomerance, C. (07). Squarefree smooth numbers and Euclidean rime generators. Proceedings of the American Mathematical Society, 45(), 5035-504. htts://doi.org/0.090/roc/3576 Peer reviewed
More informationCSE 206A: Lattice Algorithms and Applications Winter The dual lattice. Instructor: Daniele Micciancio
CSE 206A: Lattice Algorithms and Applications Winter 2016 The dual lattice Instructor: Daniele Micciancio UCSD CSE 1 Dual Lattice and Dual Basis Definition 1 The dual of a lattice Λ is the set ˆΛ of all
More informationNumerical Linear Algebra
Numerical Linear Algebra Numerous alications in statistics, articularly in the fitting of linear models. Notation and conventions: Elements of a matrix A are denoted by a ij, where i indexes the rows and
More informationx 2 a mod m. has a solution. Theorem 13.2 (Euler s Criterion). Let p be an odd prime. The congruence x 2 1 mod p,
13. Quadratic Residues We now turn to the question of when a quadratic equation has a solution modulo m. The general quadratic equation looks like ax + bx + c 0 mod m. Assuming that m is odd or that b
More informationCSC165H, Mathematical expression and reasoning for computer science week 12
CSC165H, Mathematical exression and reasoning for comuter science week 1 nd December 005 Gary Baumgartner and Danny Hea hea@cs.toronto.edu SF4306A 416-978-5899 htt//www.cs.toronto.edu/~hea/165/s005/index.shtml
More information2. Review of Calculus Notation. C(X) all functions continuous on the set X. C[a, b] all functions continuous on the interval [a, b].
CHAPTER Mathematical Preliminaries and Error Analysis. Review of Calculus Notation. C(X) all functions continuous on the set X. C[a, b] all functions continuous on the interval [a, b]. C n(x) all functions
More information(Workshop on Harmonic Analysis on symmetric spaces I.S.I. Bangalore : 9th July 2004) B.Sury
Is e π 163 odd or even? (Worksho on Harmonic Analysis on symmetric saces I.S.I. Bangalore : 9th July 004) B.Sury e π 163 = 653741640768743.999999999999.... The object of this talk is to exlain this amazing
More information1. Introduction. 2. Background of elliptic curve group. Identity-based Digital Signature Scheme Without Bilinear Pairings
Identity-based Digital Signature Scheme Without Bilinear Pairings He Debiao, Chen Jianhua, Hu Jin School of Mathematics Statistics, Wuhan niversity, Wuhan, Hubei, China, 43007 Abstract: Many identity-based
More information2 Asymptotic density and Dirichlet density
8.785: Analytic Number Theory, MIT, sring 2007 (K.S. Kedlaya) Primes in arithmetic rogressions In this unit, we first rove Dirichlet s theorem on rimes in arithmetic rogressions. We then rove the rime
More informationMPRI Cours I. Motivations. Lecture VI: continued fractions and applications. II. Continued fractions
F Morain École olytechnique MPRI cours 222 200-20 3/25 F Morain École olytechnique MPRI cours 222 200-20 4/25 MPRI Cours 222 I Motivations F Morain Aroximate π by rationals Solve 009 = u 2 + v 2 Lecture
More informationCharacteristics of Fibonacci-type Sequences
Characteristics of Fibonacci-tye Sequences Yarden Blausa May 018 Abstract This aer resents an exloration of the Fibonacci sequence, as well as multi-nacci sequences and the Lucas sequence. We comare and
More informationMATH 248A. THE CHARACTER GROUP OF Q. 1. Introduction
MATH 248A. THE CHARACTER GROUP OF Q KEITH CONRAD 1. Introduction The characters of a finite abelian grou G are the homomorhisms from G to the unit circle S 1 = {z C : z = 1}. Two characters can be multilied
More informationMAS 4203 Number Theory. M. Yotov
MAS 4203 Number Theory M. Yotov June 15, 2017 These Notes were comiled by the author with the intent to be used by his students as a main text for the course MAS 4203 Number Theory taught at the Deartment
More informationPHYS 301 HOMEWORK #9-- SOLUTIONS
PHYS 0 HOMEWORK #9-- SOLUTIONS. We are asked to use Dirichlet' s theorem to determine the value of f (x) as defined below at x = 0, ± /, ± f(x) = 0, - < x
More informationIE418 Integer Programming
IE418: Integer rogramming Department of Industrial and Systems Engineering Lehigh University 21st February 2005 lease Don t Call On Me! Any questions on the homework? roblem #5: Linear Ordering roblem.
More informationOn Character Sums of Binary Quadratic Forms 1 2. Mei-Chu Chang 3. Abstract. We establish character sum bounds of the form.
On Character Sums of Binary Quadratic Forms 2 Mei-Chu Chang 3 Abstract. We establish character sum bounds of the form χ(x 2 + ky 2 ) < τ H 2, a x a+h b y b+h where χ is a nontrivial character (mod ), 4
More informationSets of Real Numbers
Chater 4 Sets of Real Numbers 4. The Integers Z and their Proerties In our revious discussions about sets and functions the set of integers Z served as a key examle. Its ubiquitousness comes from the fact
More informationMath 4400/6400 Homework #8 solutions. 1. Let P be an odd integer (not necessarily prime). Show that modulo 2,
MATH 4400 roblems. Math 4400/6400 Homework # solutions 1. Let P be an odd integer not necessarily rime. Show that modulo, { P 1 0 if P 1, 7 mod, 1 if P 3, mod. Proof. Suose that P 1 mod. Then we can write
More information1-way quantum finite automata: strengths, weaknesses and generalizations
1-way quantum finite automata: strengths, weaknesses and generalizations arxiv:quant-h/9802062v3 30 Se 1998 Andris Ambainis UC Berkeley Abstract Rūsiņš Freivalds University of Latvia We study 1-way quantum
More informationLecture 10: Hypercontractivity
CS 880: Advanced Comlexity Theory /15/008 Lecture 10: Hyercontractivity Instructor: Dieter van Melkebeek Scribe: Baris Aydinlioglu This is a technical lecture throughout which we rove the hyercontractivity
More information3 Properties of Dedekind domains
18.785 Number theory I Fall 2016 Lecture #3 09/15/2016 3 Proerties of Dedekind domains In the revious lecture we defined a Dedekind domain as a noetherian domain A that satisfies either of the following
More informationInequalities for the L 1 Deviation of the Empirical Distribution
Inequalities for the L 1 Deviation of the Emirical Distribution Tsachy Weissman, Erik Ordentlich, Gadiel Seroussi, Sergio Verdu, Marcelo J. Weinberger June 13, 2003 Abstract We derive bounds on the robability
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationMAT 311 Solutions to Final Exam Practice
MAT 311 Solutions to Final Exam Practice Remark. If you are comfortable with all of the following roblems, you will be very well reared for the midterm. Some of the roblems below are more difficult than
More informationCSC 2414 Lattices in Computer Science October 11, Lecture 5
CSC 244 Lattices in Computer Science October, 2 Lecture 5 Lecturer: Vinod Vaikuntanathan Scribe: Joel Oren In the last class, we studied methods for (approximately) solving the following two problems:
More information