A Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems
Size: px
Start display at page:

Download "A Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems"

Transcription

1 A Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems Ray Perlner 1 Daniel Smith-Tone 1,2 1 National Institute of Standards and Technology 2 University of Louisville 7th June, th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 1/23

2 Prototypical Multivariate Public Key Scheme Let f be an efficiently invertible (in some sense) system of n quadratic equations in m variables over some field F q. Let U and T be F q -linear maps of dimension m and n, respectively. Let P = T f U. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 2/23

3 Prototypical Multivariate Public Key Scheme Let f be an efficiently invertible (in some sense) system of n quadratic equations in m variables over some field F q. Let U and T be F q -linear maps of dimension m and n, respectively. Let P = T f U. Next... BELIEVE! 1 Inversion requires solving an instance of MQ or IP. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 2/23

4 Prototypical Multivariate Public Key Scheme Let f be an efficiently invertible (in some sense) system of n quadratic equations in m variables over some field F q. Let U and T be F q -linear maps of dimension m and n, respectively. Let P = T f U. Next... BELIEVE! 1 Inversion requires solving an instance of MQ or IP. 2 Solving such an instance of MQ is hard. 3 Solving such an instance of IP is hard. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 2/23

5 Discrete Differential Multivariate Systems Definition The Discrete Differential of a map f : k k is given by: Df(a,x) = f(a+x) f(x) f(a)+f(0). 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 3/23

6 Discrete Differential Multivariate Systems Definition The Discrete Differential of a map f : k k is given by: Df(a,x) = f(a+x) f(x) f(a)+f(0). Elementary Properties 1 Linear operator. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 3/23

7 Discrete Differential Multivariate Systems Definition The Discrete Differential of a map f : k k is given by: Df(a,x) = f(a+x) f(x) f(a)+f(0). Elementary Properties 1 Linear operator. 2 Reduces complexity of a function: If f is quadratic, Df is bilinear. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 3/23

8 Discrete Differential Multivariate Systems Definition The Discrete Differential of a map f : k k is given by: Df(a,x) = f(a+x) f(x) f(a)+f(0). Elementary Properties 1 Linear operator. 2 Reduces complexity of a function: If f is quadratic, Df is bilinear. 3 If f is quadratic, D(Tf(Ux +c)+d) = D(Tf(Ux)). 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 3/23

9 Differential of Multivariate Scheme DP Let P = T f U. DP(a,x) = TDf(La,Lx). 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 4/23

10 Differential of Multivariate Scheme DP Let P = T f U. DP(a,x) = TDf(La,Lx). Differential Coordinate Forms Since P has n coordinates, DP can be split into n bilinear differential coordinate forms, DP i = T i Df(La,Lx), where T i represents the action of T on the ith coordinate. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 4/23

11 Differential of Multivariate Scheme DP Let P = T f U. DP(a,x) = TDf(La,Lx). Differential Coordinate Forms Since P has n coordinates, DP can be split into n bilinear differential coordinate forms, DP i = T i Df(La,Lx), where T i represents the action of T on the ith coordinate. Span of Forms For all multivariate schemes, Span(DP i ) Span(D(f L) i ). 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 4/23

12 The C Scheme Multivariate Systems The C cryptosystem is the simplest example of a big field scheme. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 5/23

13 The C Scheme Multivariate Systems The C cryptosystem is the simplest example of a big field scheme. Construction ] k n F q 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 5/23

14 The C Scheme Multivariate Systems The C cryptosystem is the simplest example of a big field scheme. Construction ] k n We can identify x k with x F n q. F q 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 5/23

15 The C Scheme Multivariate Systems The C cryptosystem is the simplest example of a big field scheme. Construction ] k n We can identify x k with x F n q. F q Encryption Scheme y = P(x) = (T f U)x where f(x) = x qθ +1. (Df(a,x) = ax qθ +a qθ x.) 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 5/23

16 Differential Attack on C -Patarin s Relation Trivial Differential Relation We know that Df(v,v) = 0, since Df is antisymmetric. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 6/23

17 Differential Attack on C -Patarin s Relation Trivial Differential Relation We know that Df(v,v) = 0, since Df is antisymmetric. We Compute... 0 = Df(v,v) 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 6/23

18 Differential Attack on C -Patarin s Relation Trivial Differential Relation We know that Df(v,v) = 0, since Df is antisymmetric. We Compute... 0 = Df(v,v) = Df(v,u qθ +1 ) 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 6/23

19 Differential Attack on C -Patarin s Relation Trivial Differential Relation We know that Df(v,v) = 0, since Df is antisymmetric. We Compute... 0 = Df(v,v) = Df(v,u qθ +1 ) = vu q2θ +q θ +v qθ u qθ +1 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 6/23

20 Differential Attack on C -Patarin s Relation Trivial Differential Relation We know that Df(v,v) = 0, since Df is antisymmetric. We Compute... 0 = Df(v,v) = Df(v,u qθ +1 ) = vu q2θ +q θ +v qθ u qθ +1 ( ) = u qθ vu q2θ +v qθ u 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 6/23

21 Differential Attack on C -Patarin s Relation Trivial Differential Relation We know that Df(v,v) = 0, since Df is antisymmetric. We Compute... 0 = Df(v,v) = Df(v,u qθ +1 ) = vu q2θ +q θ +v qθ u qθ +1 ( ) = u qθ vu q2θ +v qθ u Therefore, vu q2θ = v qθ u. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 6/23

22 Differential Attack on C -Patarin s Relation Trivial Differential Relation We know that Df(v,v) = 0, since Df is antisymmetric. We Compute... 0 = Df(v,v) = Df(v,u qθ +1 ) = vu q2θ +q θ +v qθ u qθ +1 ( ) = u qθ vu q2θ +v qθ u Therefore, (T 1 y)(ux) q2θ = (T 1 y) qθ (Ux). 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 6/23

23 Multiplicative Attack on C and C Definition [based on Dubois et al. (2007)] A function f has the Multiplicative Symmetry if: Df(σa,x)+Df(a,σx) = p(σ)df(a,x) for all σ k. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 7/23

24 Multiplicative Attack on C and C Definition [based on Dubois et al. (2007)] A function f has the Multiplicative Symmetry if: Df(σa,x)+Df(a,σx) = p(σ)df(a,x) for all σ k. C monomial Df(σa,x)+Df(a,σx) = (σ qθ +σ)df(a,x), 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 7/23

25 Multiplicative Attack on C and C Definition [based on Dubois et al. (2007)] A function f has the Multiplicative Symmetry if: Df(σa,x)+Df(a,σx) = p(σ)df(a,x) for all σ k. C monomial Df(σa,x)+Df(a,σx) = (σ qθ +σ)df(a,x), DP(U 1 σua,x)+dp(a,u 1 σux) = L σ DP(a,x). 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 7/23

26 Multiplicative Attack on C and C Definition [based on Dubois et al. (2007)] A function f has the Multiplicative Symmetry if: Df(σa,x)+Df(a,σx) = p(σ)df(a,x) for all σ k. C monomial Df(σa,x)+Df(a,σx) = (σ qθ +σ)df(a,x), DP(U 1 σua,x)+dp(a,u 1 σux) = L σ DP(a,x). This relation provides a criterion for discovering the multiplicative structure of k which undermines C. Since this method doesn t require that T be invertible, this method works for C as well to generate enough relations to turn it into C. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 7/23

27 Balanced Oil-Vinegar Multivariate Systems The Core Map Let f : F 2o q F o q be a random quadratic map such that given random constants c 1,...,c o F q, f(x 1,...,x o,c 1,...,c o ) is affine in x 1,...,x o. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 8/23

28 Balanced Oil-Vinegar Multivariate Systems The Core Map Let f : F 2o q F o q be a random quadratic map such that given random constants c 1,...,c o F q, f(x 1,...,x o,c 1,...,c o ) is affine in x 1,...,x o. The Entire Map The public map, P, is defined by P = f L for some affine map, L. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 8/23

29 Balanced Oil-Vinegar Multivariate Systems The Core Map Let f : F 2o q F o q be a random quadratic map such that given random constants c 1,...,c o F q, f(x 1,...,x o,c 1,...,c o ) is affine in x 1,...,x o. The Entire Map The public map, P, is defined by P = f L for some affine map, L. Inversion Randomly choose c 1,...,c o, solve y = f(x 1,...,x o,c 1,...,c o ), compute L 1 (x 1,...,x o,c 1,...,c o ) T. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 8/23

30 Differential Version of Kipnis-Shamir Attack Trivial Differential Property of Core Map Let O represent the subspace generated by the first o coordinates. For all a,x O, Df(a,x) = 0. Therefore each differential coordinate form, Df i, has the form: [ 0 Dfi1 Df T i1 Df i2 ]. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 9/23

31 Differential Version of Kipnis-Shamir Attack Trivial Differential Property of Core Map Let O represent the subspace generated by the first o coordinates. For all a,x O, Df(a,x) = 0. Therefore each differential coordinate form, Df i, has the form: [ 0 Dfi1 Df T i1 Df i2 Differential Invariant Let M 1 and M 2 be two invertible matrices in the span of the Df i. Then M1 1 M 2 is an O-invariant transformation of the form: [ ] A B. 0 C ]. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 9/23

32 Broken Multivariate Systems Find the Invariant Subspace Since D(f L) i = L T Df i L, an attacker needs only find two invertible maps, M 1,M 2, in the span of DP i, and find the invariant subspace of M 1 1 M 2. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 10/23

33 Broken Multivariate Systems Find the Invariant Subspace Since D(f L) i = L T Df i L, an attacker needs only find two invertible maps, M 1,M 2, in the span of DP i, and find the invariant subspace of M 1 1 M 2. New Decryption Map Once recovered, the attacker produces a change of basis, M, sending the basis of O to the first o standard basis vectors. The attacker can then sign a document by the same method as the legitimate user. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 10/23

34 General Linear Symmetries Previous Work - Symmetries Present Work - Invariants Definition [based on Dubois et al. (2007)] We say that f satisfies a general linear symmetry if the following equation holds: Df(La,x)+Df(a,Lx) = Λ L Df(a,x). 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 11/23

35 General Linear Symmetries Previous Work - Symmetries Present Work - Invariants Definition [based on Dubois et al. (2007)] We say that f satisfies a general linear symmetry if the following equation holds: Df(La,x)+Df(a,Lx) = Λ L Df(a,x). Definition We denote the space of linear maps inducing the above symmetry, S G, and call this the space of symmetries. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 11/23

36 Previous Work - Symmetries Present Work - Invariants Classification of the Space of Symmetries for C Multiplicative Symmetry Since multiplication by σ, M σ S G, k < S G. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 12/23

37 Previous Work - Symmetries Present Work - Invariants Classification of the Space of Symmetries for C Multiplicative Symmetry Since multiplication by σ, M σ S G, k < S G. Theorem If f is a C monomial then S G equipped with standard multiplication is a k-algebra. Furthermore, if 3θ n then k = S G. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 12/23

38 Previous Work - Symmetries Present Work - Invariants Classification of the Space of Symmetries for C Multiplicative Symmetry Since multiplication by σ, M σ S G, k < S G. Theorem If f is a C monomial then S G equipped with standard multiplication is a k-algebra. Furthermore, if 3θ n then k = S G. In the case of the C scheme, the large size of this space allows a portion to survive when restrictions are made to the maps inducing symmetry while most arbitrary linear maps are eliminated. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 12/23

39 Previous Work - Symmetries Present Work - Invariants Classification of Maps Inducing Symmetry Theorem Let f(x) = x qθ +1, be a C monomial map. Let πx = d i=0 xqi and Mx = n 1 i=0 m ix qi be linear. Suppose Df(Ma,πx)+Df(πa,Mx) = Λ M Df(πa,πx). If θ +d < n 2, n 3θ > d, and 0 < d < θ 1, then M = M σ π for some σ k. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 13/23

40 Previous Work - Symmetries Present Work - Invariants Classification of Maps Inducing Symmetry Theorem Let f(x) = x qθ +1, be a C monomial map. Let πx = d i=0 xqi and Mx = n 1 i=0 m ix qi be linear. Suppose Df(Ma,πx)+Df(πa,Mx) = Λ M Df(πa,πx). If θ +d < n 2, n 3θ > d, and 0 < d < θ 1, then M = M σ π for some σ k. In the case of a codimension 1 projection, this result proves that the only linear symmetries of a pc scheme are the trivial scalar symmetries. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 13/23

41 Simultaneous Differential Invariants Previous Work - Symmetries Present Work - Invariants Definition Let f : k k. A simultaneous differential invariant of f is an F q -subspace V k such that AV V for all A Span(Df i ). 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 14/23

42 Simultaneous Differential Invariants Previous Work - Symmetries Present Work - Invariants Definition Let f : k k. A simultaneous differential invariant of f is an F q -subspace V k such that AV V for all A Span(Df i ). Example Let x V W where k = V W as an F q -vector space. Define f(x) = g(y)+h(z) where y V and z W. [ ] Dgi 0 Df i = ; 0 Dh i therefore, V and W are simultaneous differential invariants of f. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 14/23

43 First-order Differential Invariant Previous Work - Symmetries Present Work - Invariants Definition Let f : k k. A first-order differential invariant of f is an F q -subspace V k such that there exists a subspace W k of dimension at most dim(v) for which simultaneously AV W for all A Span(Df i ). 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 15/23

44 First-order Differential Invariant Previous Work - Symmetries Present Work - Invariants Definition Let f : k k. A first-order differential invariant of f is an F q -subspace V k such that there exists a subspace W k of dimension at most dim(v) for which simultaneously AV W for all A Span(Df i ). Clearly, every simultaneous differential invariant is first-order. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 15/23

45 Trivial Property I Multivariate Systems Previous Work - Symmetries Present Work - Invariants Proposition Let f : k k be quadratic and let L : k k be a nonsingular F q -linear map. If V is a first-order differential invariant of f L, then L 1 V is a first-order differential invariant of f. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 16/23

46 Trivial Property I Multivariate Systems Previous Work - Symmetries Present Work - Invariants Proposition Let f : k k be quadratic and let L : k k be a nonsingular F q -linear map. If V is a first-order differential invariant of f L, then L 1 V is a first-order differential invariant of f. Proof: A Span(Df i ) L T AL Span(D(f L) i ) L T ALV W for all L T AL Span(D(f L) i ) A(LV) (L T ) 1 W Since L is invertible, dim((l T ) 1 W) = dim(w) dim(v) = dim(lv). 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 16/23

47 Trivial Property II Multivariate Systems Previous Work - Symmetries Present Work - Invariants Proposition Let f : k k be quadratic and let L : k k be F q -linear. If V is a first-order differential invariant of f then the preimage of V under L is a first-order differential invariant of f L. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 17/23

48 Trivial Property II Multivariate Systems Previous Work - Symmetries Present Work - Invariants Proposition Let f : k k be quadratic and let L : k k be F q -linear. If V is a first-order differential invariant of f then the preimage of V under L is a first-order differential invariant of f L. Proof: A Span(Df i ) L T AL Span(D(f L) i ) Let ˆV be the preimage of V under L ALˆV W for all A Span(Df i ) L T ALˆV L T W for all L T AL Span(D(f L) i ) dim(l T W) dim(w) dim(v) dim(ˆv). 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 17/23

49 Previous Work - Symmetries Present Work - Invariants Induced Nonlinear Differential Symmetry To study the existence of a first-order differential invariant, we can analyze a particular nonlinear symmetry. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 18/23

50 Previous Work - Symmetries Present Work - Invariants Induced Nonlinear Differential Symmetry To study the existence of a first-order differential invariant, we can analyze a particular nonlinear symmetry. Orthogonal Subspaces Let V k be an F q -subspace of k. Define V = {x k x,v for all v V}. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 18/23

51 Previous Work - Symmetries Present Work - Invariants Induced Nonlinear Differential Symmetry To study the existence of a first-order differential invariant, we can analyze a particular nonlinear symmetry. Orthogonal Subspaces Let V k be an F q -subspace of k. Define V = {x k x,v for all v V}. Symmetric Relation Let V be a first-order differential invariant of f. Let M be a projection onto V and M be a projection onto (Span(Df i V)). Then Df(M a,mx) 0. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 18/23

52 C Invariants Multivariate Systems Previous Work - Symmetries Present Work - Invariants Theorem Let f be a C monomial. Then f has no nontrivial first-order differential invariant. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 19/23

53 C Invariants Multivariate Systems Previous Work - Symmetries Present Work - Invariants Theorem Let f be a C monomial. Then f has no nontrivial first-order differential invariant. Proof: Therefore, n 1 n 1 Df(M a,mx) = (m j (mj ) qθ +mi m qθ j )a qi x qj. for all 0 i,j n 1. i=0 j=0 m j (m j ) qθ +m i m qθ j = 0 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 19/23

54 C Invariants Proof Cont d Previous Work - Symmetries Present Work - Invariants Rank One over k [ m0 m 0 m 1 m n 1 m n 1 ] m qθ θ (m θ )qθ m qθ 1 θ m qθ n 1 θ (m n 1 θ )qθ 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 20/23

55 C Invariants Proof Cont d Previous Work - Symmetries Present Work - Invariants Rank One over k [ m0 m 0 m 1 m n 1 m n 1 ] m qθ θ (m θ )qθ m qθ 1 θ m qθ n 1 θ (m n 1 θ )qθ Relations on Coefficients Therefore there exists and s k such that m i = s qi m i. Thus, M x = M(sx). 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 20/23

56 C Invariants Proof Cont d Previous Work - Symmetries Present Work - Invariants Rank One over k [ m0 m 0 m 1 m n 1 m n 1 ] m qθ θ (m θ )qθ m qθ 1 θ m qθ n 1 θ (m n 1 θ )qθ Relations on Coefficients Therefore there exists and s k such that m i = s qi m i. Thus, M x = M(sx). Df(M(sa),Mx) 0 only possible if M is of rank one. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 20/23

57 pc Invariants Multivariate Systems Previous Work - Symmetries Present Work - Invariants Theorem Let f : k k be a C monomial and let π : k k be a projection. There exist no nontrivial first-order differential invariants of f π beyond ker(π). Proof Let V be a first-order differential invariant of f π. 0 D(f π)(m a,mx) = Df(πM a,πmx). From the previous proof, πm x = πm(sx). Also dim(πmk) 1, so dim(mk) dim(mk ker(π))+1, so there is no nontrivial first-order differential structure beyond ker(π). 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 21/23

58 Conclusions Multivariate Systems The existential criteria can provide a proof of security against any first-order differential adversary. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 22/23

59 Conclusions Multivariate Systems The existential criteria can provide a proof of security against any first-order differential adversary. The lack of a symmetric or invariant differential security argument does not necessarily mean that a scheme is vulerable to a differential adversary. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 22/23

60 Conclusions Multivariate Systems The existential criteria can provide a proof of security against any first-order differential adversary. The lack of a symmetric or invariant differential security argument does not necessarily mean that a scheme is vulerable to a differential adversary. Surprisingly, the pc model provably has no nontrivial first-order differential structure. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 22/23

61 Conclusions Multivariate Systems The existential criteria can provide a proof of security against any first-order differential adversary. The lack of a symmetric or invariant differential security argument does not necessarily mean that a scheme is vulerable to a differential adversary. Surprisingly, the pc model provably has no nontrivial first-order differential structure. It has been shown that the projection in pc can be removed, resulting in HFE ; the extra structure the particular resulting scheme retains may reveal a weakness. Any new attack on this system would be very interesting. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 22/23

62 Done Multivariate Systems Thanks! Please see the references in the paper. 7th June, 2013 Ray Perlner & Daniel Smith-Tone A Classification of Differential Invariants for MPQCs 23/23

Similar documents

Differential Security of the HF Ev Signiture Primitive

Differential Security of the HF Ev Signiture Primitive Differential Security of the HF Ev Signiture Primitive Ryann Cartor 1 Ryan Gipson 1 Daniel Smith-Tone 1,2 Jeremy Vates 1 1 University of Louisville 2 National Institute of Standards and Technology 25th

More information

A Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems

A Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems A Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems Ray Perlner 1 and Daniel Smith-Tone 1,2 1 National Institute of Standards and Technology, Gaithersburg, Maryland,

More information

Improved Cryptanalysis of HFEv- via Projection

Improved Cryptanalysis of HFEv- via Projection Improved Cryptanalysis of HFEv- via Projection Jintai Ding, Ray Perlner, Albrecht Petzoldt, Daniel Smith-Tone PQ Crypto 2018 Fort Lauderdale, Florida 04/10/2018 A. Petzoldt Cryptanalysis of HFEv- via Projection

More information

Rank Analysis of Cubic Multivariate Cryptosystems

Rank Analysis of Cubic Multivariate Cryptosystems Rank Analysis of Cubic Multivariate Cryptosystems John Baena 1 Daniel Cabarcas 1 Daniel Escudero 2 Karan Khathuria 3 Javier Verbel 1 April 10, 2018 1 Universidad Nacional de Colombia, Colombia 2 Aarhus

More information

Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?

Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar? Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar? Christian Eder, Jean-Charles Faugère and Ludovic Perret Seminar on Fundamental Algorithms, University

More information

Oil-Vinegar signature cryptosystems

Oil-Vinegar signature cryptosystems Oil-Vinegar signature cryptosystems Jintai Ding University of Cincinnati Workshop on multivariate public key cryptosystems, 2006 Taiwan Information Security Center The National Taiwan University of Science

More information

HFERP - A New Multivariate Encryption Scheme

HFERP - A New Multivariate Encryption Scheme - A New Multivariate Encryption Scheme Yasuhiko Ikematsu (Kyushu University) Ray Perlner (NIST) Daniel Smith-Tone (NIST, University of Louisville) Tsuyoshi Takagi (Kyushi University) Jeremy Vates (University

More information

Improved Cryptanalysis of HFEv- via Projection

Improved Cryptanalysis of HFEv- via Projection Improved Cryptanalysis of HFEv- via Projection Jintai Ding 1, Ray Perlner 2, Albrecht Petzoldt 2, and Daniel Smith-Tone 2,3 1 Department of Mathematical Sciences, University of Cincinnati, Cincinnati,

More information

Simple Matrix Scheme for Encryption (ABC)

Simple Matrix Scheme for Encryption (ABC) Simple Matrix Scheme for Encryption (ABC) Adama Diene, Chengdong Tao, Jintai Ding April 26, 2013 dama Diene, Chengdong Tao, Jintai Ding ()Simple Matrix Scheme for Encryption (ABC) April 26, 2013 1 / 31

More information

On the Complexity of the Hybrid Approach on HFEv-

On the Complexity of the Hybrid Approach on HFEv- On the Complexity of the Hybrid Approach on HFEv- Albrecht Petzoldt National Institute of Standards and Technology, Gaithersburg, Maryland, USA albrecht.petzoldt@gmail.com Abstract. The HFEv- signature

More information

Cryptanalysis of the Oil & Vinegar Signature Scheme

Cryptanalysis of the Oil & Vinegar Signature Scheme Cryptanalysis of the Oil & Vinegar Signature Scheme Aviad Kipnis 1 and Adi Shamir 2 1 NDS Technologies, Israel 2 Dept. of Applied Math, Weizmann Institute, Israel Abstract. Several multivariate algebraic

More information

Key Recovery on Hidden Monomial Multivariate Schemes

Key Recovery on Hidden Monomial Multivariate Schemes Key Recovery on Hidden Monomial Multivariate Schemes Pierre-Alain Fouque 1, Gilles Macario-Rat 2, and Jacques Stern 1 1 École normale supérieure, 45 rue d Ulm, 75005 Paris, France {Pierre-Alain.Fouque,

More information

Linearity Measures for MQ Cryptography

Linearity Measures for MQ Cryptography Linearity Measures for MQ Cryptography Simona Samardjiska 1,2 and Danilo Gligoroski 1 Department of Telematics, NTNU, Trondheim, Norway, 1 FCSE, UKIM, Skopje, Macedonia. 2 simonas@item.ntno.no,simona.samardjiska@finki.ukim.mk,

More information

New Directions in Multivariate Public Key Cryptography

New Directions in Multivariate Public Key Cryptography New Directions in Shuhong Gao Joint with Ray Heindl Clemson University The 4th International Workshop on Finite Fields and Applications Beijing University, May 28-30, 2010. 1 Public Key Cryptography in

More information

Cryptanalysis of Simple Matrix Scheme for Encryption

Cryptanalysis of Simple Matrix Scheme for Encryption Cryptanalysis of Simple Matrix Scheme for Encryption Chunsheng Gu School of Computer Engineering, Jiangsu University of Technology, Changzhou, 213001, China {chunsheng_gu}@163.com Abstract. Recently, Tao

More information

An Asymptotically Optimal Structural Attack on the ABC Multivariate Encryption Scheme

An Asymptotically Optimal Structural Attack on the ABC Multivariate Encryption Scheme An Asymptotically Optimal Structural Attack on the ABC Multivariate Encryption Scheme Dustin Moody 1, Ray Perlner 1, and Daniel Smith-Tone 1,2 1 National Institute of Standards and Technology, Gaithersburg,

More information

Multivariate Quadratic Public-Key Cryptography Part 1: Basics

Multivariate Quadratic Public-Key Cryptography Part 1: Basics Multivariate Quadratic Public-Key Cryptography Part 1: Basics Bo-Yin Yang Academia Sinica PQCrypto Executive Summer School 2017 Eindhoven, the Netherlands Friday, 23.06.2017 B.-Y. Yang (Academia Sinica)

More information

Analysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields

Analysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields Nonlinear Phenomena in Complex Systems, vol. 17, no. 3 (2014), pp. 278-283 Analysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields N. G. Kuzmina and E. B. Makhovenko Saint-Petersburg

More information

2. Linear algebra. matrices and vectors. linear equations. range and nullspace of matrices. function of vectors, gradient and Hessian

2. Linear algebra. matrices and vectors. linear equations. range and nullspace of matrices. function of vectors, gradient and Hessian FE661 - Statistical Methods for Financial Engineering 2. Linear algebra Jitkomut Songsiri matrices and vectors linear equations range and nullspace of matrices function of vectors, gradient and Hessian

More information

1. What is the determinant of the following matrix? a 1 a 2 4a 3 2a 2 b 1 b 2 4b 3 2b c 1. = 4, then det

1. What is the determinant of the following matrix? a 1 a 2 4a 3 2a 2 b 1 b 2 4b 3 2b c 1. = 4, then det What is the determinant of the following matrix? 3 4 3 4 3 4 4 3 A 0 B 8 C 55 D 0 E 60 If det a a a 3 b b b 3 c c c 3 = 4, then det a a 4a 3 a b b 4b 3 b c c c 3 c = A 8 B 6 C 4 D E 3 Let A be an n n matrix

More information

Multivariate Public Key Cryptography

Multivariate Public Key Cryptography Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016 Outline Outline What is a MPKC? Multivariate Public Key Cryptosystems - Cryptosystems,

More information

New candidates for multivariate trapdoor functions

New candidates for multivariate trapdoor functions New candidates for multivariate trapdoor functions Jaiberth Porras 1, John B. Baena 1, Jintai Ding 2,B 1 Universidad Nacional de Colombia, Medellín, Colombia 2 University of Cincinnati, Cincinnati, OH,

More information

CSL361 Problem set 4: Basic linear algebra

CSL361 Problem set 4: Basic linear algebra CSL361 Problem set 4: Basic linear algebra February 21, 2017 [Note:] If the numerical matrix computations turn out to be tedious, you may use the function rref in Matlab. 1 Row-reduced echelon matrices

More information

Lecture Summaries for Linear Algebra M51A

Lecture Summaries for Linear Algebra M51A These lecture summaries may also be viewed online by clicking the L icon at the top right of any lecture screen. Lecture Summaries for Linear Algebra M51A refers to the section in the textbook. Lecture

More information

Linear Algebra Lecture Notes-I

Linear Algebra Lecture Notes-I Linear Algebra Lecture Notes-I Vikas Bist Department of Mathematics Panjab University, Chandigarh-6004 email: bistvikas@gmail.com Last revised on February 9, 208 This text is based on the lectures delivered

More information

Linear Algebra. Min Yan

Linear Algebra. Min Yan Linear Algebra Min Yan January 2, 2018 2 Contents 1 Vector Space 7 1.1 Definition................................. 7 1.1.1 Axioms of Vector Space..................... 7 1.1.2 Consequence of Axiom......................

More information

October 25, 2013 INNER PRODUCT SPACES

October 25, 2013 INNER PRODUCT SPACES October 25, 2013 INNER PRODUCT SPACES RODICA D. COSTIN Contents 1. Inner product 2 1.1. Inner product 2 1.2. Inner product spaces 4 2. Orthogonal bases 5 2.1. Existence of an orthogonal basis 7 2.2. Orthogonal

More information

Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization

Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization Aviad Kipnis 1 and Adi Shamir 2 1 NDS Technologies, Israel 2 Computer Science Dept., The Weizmann Institute, Israel Abstract. The RSA

More information

Differential Cryptanalysis for Multivariate Schemes

Differential Cryptanalysis for Multivariate Schemes Differential Cryptanalysis for Multivariate Schemes Jacques Stern Joint work with P. A. Fouque and L. Granboulan École normale supérieure Differential Cryptanalysis for Multivariate Schemes p.1/23 MI Cryptosystem

More information

LINEAR ALGEBRA BOOT CAMP WEEK 1: THE BASICS

LINEAR ALGEBRA BOOT CAMP WEEK 1: THE BASICS LINEAR ALGEBRA BOOT CAMP WEEK 1: THE BASICS Unless otherwise stated, all vector spaces in this worksheet are finite dimensional and the scalar field F has characteristic zero. The following are facts (in

More information

Key Recovery on Hidden Monomial Multivariate Schemes

Key Recovery on Hidden Monomial Multivariate Schemes Key Recovery on Hidden Monomial Multivariate Schemes Pierre-Alain Fouque 1, Gilles Macario-Rat 2, and Jacques Stern 1 1 École normale supérieure, 45 rue d Ulm, 75005 Paris, France {Pierre-Alain.Fouque,

More information

Cryptanalysis of the TTM Cryptosystem

Cryptanalysis of the TTM Cryptosystem Cryptanalysis of the TTM Cryptosystem Louis Goubin and Nicolas T Courtois SchlumbergerSema - CP8 36-38 rue de la Princesse BP45 78430 Louveciennes Cedex France LouisGoubin@bullnet,courtois@minrankorg Abstract

More information

Linear Algebra Massoud Malek

Linear Algebra Massoud Malek CSUEB Linear Algebra Massoud Malek Inner Product and Normed Space In all that follows, the n n identity matrix is denoted by I n, the n n zero matrix by Z n, and the zero vector by θ n An inner product

More information

Linear Algebra Notes. Lecture Notes, University of Toronto, Fall 2016

Linear Algebra Notes. Lecture Notes, University of Toronto, Fall 2016 Linear Algebra Notes Lecture Notes, University of Toronto, Fall 2016 (Ctd ) 11 Isomorphisms 1 Linear maps Definition 11 An invertible linear map T : V W is called a linear isomorphism from V to W Etymology:

More information

Math 350 Fall 2011 Notes about inner product spaces. In this notes we state and prove some important properties of inner product spaces.

Math 350 Fall 2011 Notes about inner product spaces. In this notes we state and prove some important properties of inner product spaces. Math 350 Fall 2011 Notes about inner product spaces In this notes we state and prove some important properties of inner product spaces. First, recall the dot product on R n : if x, y R n, say x = (x 1,...,

More information

LINEAR ALGEBRA W W L CHEN

LINEAR ALGEBRA W W L CHEN LINEAR ALGEBRA W W L CHEN c W W L Chen, 1997, 2008. This chapter is available free to all individuals, on the understanding that it is not to be used for financial gain, and may be downloaded and/or photocopied,

More information

Ir O D = D = ( ) Section 2.6 Example 1. (Bottom of page 119) dim(v ) = dim(l(v, W )) = dim(v ) dim(f ) = dim(v )

Ir O D = D = ( ) Section 2.6 Example 1. (Bottom of page 119) dim(v ) = dim(l(v, W )) = dim(v ) dim(f ) = dim(v ) Section 3.2 Theorem 3.6. Let A be an m n matrix of rank r. Then r m, r n, and, by means of a finite number of elementary row and column operations, A can be transformed into the matrix ( ) Ir O D = 1 O

More information

Linear Algebra Practice Problems

Linear Algebra Practice Problems Linear Algebra Practice Problems Page of 7 Linear Algebra Practice Problems These problems cover Chapters 4, 5, 6, and 7 of Elementary Linear Algebra, 6th ed, by Ron Larson and David Falvo (ISBN-3 = 978--68-78376-2,

More information

Inoculating Multivariate Schemes Against Differential Attacks

Inoculating Multivariate Schemes Against Differential Attacks Inoculating Multivariate Schemes Against Differential Attacks Jintai Ding and Jason E. Gower Department of Mathematical Sciences University of Cincinnati Cincinnati, OH 45221-0025 USA Email: ding@math.uc.edu,

More information

MAT Linear Algebra Collection of sample exams

MAT Linear Algebra Collection of sample exams MAT 342 - Linear Algebra Collection of sample exams A-x. (0 pts Give the precise definition of the row echelon form. 2. ( 0 pts After performing row reductions on the augmented matrix for a certain system

More information

MI-T-HFE, a New Multivariate Signature Scheme

MI-T-HFE, a New Multivariate Signature Scheme MI-T-HFE, a New Multivariate Signature Scheme Wenbin Zhang and Chik How Tan Temasek Laboratories National University of Singapore tslzw@nus.edu.sg and tsltch@nus.edu.sg Abstract. In this paper, we propose

More information

Categories and Quantum Informatics: Hilbert spaces

Categories and Quantum Informatics: Hilbert spaces Categories and Quantum Informatics: Hilbert spaces Chris Heunen Spring 2018 We introduce our main example category Hilb by recalling in some detail the mathematical formalism that underlies quantum theory:

More information

The Shortest Signatures Ever

The Shortest Signatures Ever The Shortest Signatures Ever Mohamed Saied Emam Mohamed 1, Albrecht Petzoldt 2 1 Technische Universität Darmstadt, Germany 2 Kyushu University, Fukuoka, Japan mohamed@cdc.informatik.tu-darmstadt.de, petzoldt@imi.kyushu-u.ac.jp

More information

Family Feud Review. Linear Algebra. October 22, 2013

Family Feud Review. Linear Algebra. October 22, 2013 Review Linear Algebra October 22, 2013 Question 1 Let A and B be matrices. If AB is a 4 7 matrix, then determine the dimensions of A and B if A has 19 columns. Answer 1 Answer A is a 4 19 matrix, while

More information

On the Security and Key Generation of the ZHFE Encryption Scheme

On the Security and Key Generation of the ZHFE Encryption Scheme On the Security and Key Generation of the ZHFE Encryption Scheme Wenbin Zhang and Chik How Tan Temasek Laboratories National University of Singapore tslzw@nus.edu.sg and tsltch@nus.edu.sg Abstract. At

More information

Poly Dragon: An efficient Multivariate Public Key Cryptosystem

Poly Dragon: An efficient Multivariate Public Key Cryptosystem Poly Dragon: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India May 19, 2010

More information

5.) For each of the given sets of vectors, determine whether or not the set spans R 3. Give reasons for your answers.

5.) For each of the given sets of vectors, determine whether or not the set spans R 3. Give reasons for your answers. Linear Algebra - Test File - Spring Test # For problems - consider the following system of equations. x + y - z = x + y + 4z = x + y + 6z =.) Solve the system without using your calculator..) Find the

More information

Assignment 1 Math 5341 Linear Algebra Review. Give complete answers to each of the following questions. Show all of your work.

Assignment 1 Math 5341 Linear Algebra Review. Give complete answers to each of the following questions. Show all of your work. Assignment 1 Math 5341 Linear Algebra Review Give complete answers to each of the following questions Show all of your work Note: You might struggle with some of these questions, either because it has

More information

Vectors To begin, let us describe an element of the state space as a point with numerical coordinates, that is x 1. x 2. x =

Vectors To begin, let us describe an element of the state space as a point with numerical coordinates, that is x 1. x 2. x = Linear Algebra Review Vectors To begin, let us describe an element of the state space as a point with numerical coordinates, that is x 1 x x = 2. x n Vectors of up to three dimensions are easy to diagram.

More information

Structural Cryptanalysis of SASAS

Structural Cryptanalysis of SASAS tructural Cryptanalysis of AA Alex Biryukov and Adi hamir Computer cience department The Weizmann Institute Rehovot 76100, Israel. Abstract. In this paper we consider the security of block ciphers which

More information

Math Linear Algebra Final Exam Review Sheet

Math Linear Algebra Final Exam Review Sheet Math 15-1 Linear Algebra Final Exam Review Sheet Vector Operations Vector addition is a component-wise operation. Two vectors v and w may be added together as long as they contain the same number n of

More information

Hidden Field Equations

Hidden Field Equations Security of Hidden Field Equations (HFE) 1 The security of Hidden Field Equations ( H F E ) Nicolas T. Courtois INRIA, Paris 6 and Toulon University courtois@minrank.org Permanent HFE web page : hfe.minrank.org

More information

Linear Algebra. Session 12

Linear Algebra. Session 12 Linear Algebra. Session 12 Dr. Marco A Roque Sol 08/01/2017 Example 12.1 Find the constant function that is the least squares fit to the following data x 0 1 2 3 f(x) 1 0 1 2 Solution c = 1 c = 0 f (x)

More information

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/

More information

Answers in blue. If you have questions or spot an error, let me know. 1. Find all matrices that commute with A =. 4 3

Answers in blue. If you have questions or spot an error, let me know. 1. Find all matrices that commute with A =. 4 3 Answers in blue. If you have questions or spot an error, let me know. 3 4. Find all matrices that commute with A =. 4 3 a b If we set B = and set AB = BA, we see that 3a + 4b = 3a 4c, 4a + 3b = 3b 4d,

More information

Advanced Linear Algebra Math 4377 / 6308 (Spring 2015) March 5, 2015

Advanced Linear Algebra Math 4377 / 6308 (Spring 2015) March 5, 2015 Midterm 1 Advanced Linear Algebra Math 4377 / 638 (Spring 215) March 5, 215 2 points 1. Mark each statement True or False. Justify each answer. (If true, cite appropriate facts or theorems. If false, explain

More information

Math 4A Notes. Written by Victoria Kala Last updated June 11, 2017

Math 4A Notes. Written by Victoria Kala Last updated June 11, 2017 Math 4A Notes Written by Victoria Kala vtkala@math.ucsb.edu Last updated June 11, 2017 Systems of Linear Equations A linear equation is an equation that can be written in the form a 1 x 1 + a 2 x 2 +...

More information

Cryptanalysis of the Tractable Rational Map Cryptosystem

Cryptanalysis of the Tractable Rational Map Cryptosystem Cryptanalysis of the Tractable Rational Map Cryptosystem Antoine Joux 1, Sébastien Kunz-Jacques 2, Frédéric Muller 2, and Pierre-Michel Ricordel 2 1 SPOTI Antoine.Joux@m4x.org 2 DCSSI Crypto Lab 51, Boulevard

More information

Further Mathematical Methods (Linear Algebra)

Further Mathematical Methods (Linear Algebra) Further Mathematical Methods (Linear Algebra) Solutions For The Examination Question (a) To be an inner product on the real vector space V a function x y which maps vectors x y V to R must be such that:

More information

A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems

A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems Jean-Charles Faugère, Danilo Gligoroski, Ludovic Perret, Simona Samardjiska, Enrico Thomae PKC 2015, March 30 - April 1, Maryland, USA 2 Summary

More information

DS-GA 1002 Lecture notes 0 Fall Linear Algebra. These notes provide a review of basic concepts in linear algebra.

DS-GA 1002 Lecture notes 0 Fall Linear Algebra. These notes provide a review of basic concepts in linear algebra. DS-GA 1002 Lecture notes 0 Fall 2016 Linear Algebra These notes provide a review of basic concepts in linear algebra. 1 Vector spaces You are no doubt familiar with vectors in R 2 or R 3, i.e. [ ] 1.1

More information

Little Dragon Two: An efficient Multivariate Public Key Cryptosystem

Little Dragon Two: An efficient Multivariate Public Key Cryptosystem Little Dragon Two: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India October

More information

Chapter 5 Eigenvalues and Eigenvectors

Chapter 5 Eigenvalues and Eigenvectors Chapter 5 Eigenvalues and Eigenvectors Outline 5.1 Eigenvalues and Eigenvectors 5.2 Diagonalization 5.3 Complex Vector Spaces 2 5.1 Eigenvalues and Eigenvectors Eigenvalue and Eigenvector If A is a n n

More information

MATH 20F: LINEAR ALGEBRA LECTURE B00 (T. KEMP)

MATH 20F: LINEAR ALGEBRA LECTURE B00 (T. KEMP) MATH 20F: LINEAR ALGEBRA LECTURE B00 (T KEMP) Definition 01 If T (x) = Ax is a linear transformation from R n to R m then Nul (T ) = {x R n : T (x) = 0} = Nul (A) Ran (T ) = {Ax R m : x R n } = {b R m

More information

Solution to Homework 1

Solution to Homework 1 Solution to Homework Sec 2 (a) Yes It is condition (VS 3) (b) No If x, y are both zero vectors Then by condition (VS 3) x = x + y = y (c) No Let e be the zero vector We have e = 2e (d) No It will be false

More information

Algebra Workshops 10 and 11

Algebra Workshops 10 and 11 Algebra Workshops 1 and 11 Suggestion: For Workshop 1 please do questions 2,3 and 14. For the other questions, it s best to wait till the material is covered in lectures. Bilinear and Quadratic Forms on

More information

Algebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL

Algebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL Algebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL Mohamed Saied Emam Mohamed 1, Jintai Ding 2, and Johannes Buchmann 1 1 TU Darmstadt, FB Informatik Hochschulstrasse 10, 64289 Darmstadt,

More information

Linear Algebra. Workbook

Linear Algebra. Workbook Linear Algebra Workbook Paul Yiu Department of Mathematics Florida Atlantic University Last Update: November 21 Student: Fall 2011 Checklist Name: A B C D E F F G H I J 1 2 3 4 5 6 7 8 9 10 xxx xxx xxx

More information

1. General Vector Spaces

1. General Vector Spaces 1.1. Vector space axioms. 1. General Vector Spaces Definition 1.1. Let V be a nonempty set of objects on which the operations of addition and scalar multiplication are defined. By addition we mean a rule

More information

Review 1 Math 321: Linear Algebra Spring 2010

Review 1 Math 321: Linear Algebra Spring 2010 Department of Mathematics and Statistics University of New Mexico Review 1 Math 321: Linear Algebra Spring 2010 This is a review for Midterm 1 that will be on Thursday March 11th, 2010. The main topics

More information

4.1 Eigenvalues, Eigenvectors, and The Characteristic Polynomial

4.1 Eigenvalues, Eigenvectors, and The Characteristic Polynomial Linear Algebra (part 4): Eigenvalues, Diagonalization, and the Jordan Form (by Evan Dummit, 27, v ) Contents 4 Eigenvalues, Diagonalization, and the Jordan Canonical Form 4 Eigenvalues, Eigenvectors, and

More information

Definition 1. A set V is a vector space over the scalar field F {R, C} iff. there are two operations defined on V, called vector addition

Definition 1. A set V is a vector space over the scalar field F {R, C} iff. there are two operations defined on V, called vector addition 6 Vector Spaces with Inned Product Basis and Dimension Section Objective(s): Vector Spaces and Subspaces Linear (In)dependence Basis and Dimension Inner Product 6 Vector Spaces and Subspaces Definition

More information

1. Let m 1 and n 1 be two natural numbers such that m > n. Which of the following is/are true?

1. Let m 1 and n 1 be two natural numbers such that m > n. Which of the following is/are true? . Let m and n be two natural numbers such that m > n. Which of the following is/are true? (i) A linear system of m equations in n variables is always consistent. (ii) A linear system of n equations in

More information

GRE Subject test preparation Spring 2016 Topic: Abstract Algebra, Linear Algebra, Number Theory.

GRE Subject test preparation Spring 2016 Topic: Abstract Algebra, Linear Algebra, Number Theory. GRE Subject test preparation Spring 2016 Topic: Abstract Algebra, Linear Algebra, Number Theory. Linear Algebra Standard matrix manipulation to compute the kernel, intersection of subspaces, column spaces,

More information

Chapter 2: Linear Independence and Bases

Chapter 2: Linear Independence and Bases MATH20300: Linear Algebra 2 (2016 Chapter 2: Linear Independence and Bases 1 Linear Combinations and Spans Example 11 Consider the vector v (1, 1 R 2 What is the smallest subspace of (the real vector space

More information

Math Linear Algebra II. 1. Inner Products and Norms

Math Linear Algebra II. 1. Inner Products and Norms Math 342 - Linear Algebra II Notes 1. Inner Products and Norms One knows from a basic introduction to vectors in R n Math 254 at OSU) that the length of a vector x = x 1 x 2... x n ) T R n, denoted x,

More information

MATH 320: PRACTICE PROBLEMS FOR THE FINAL AND SOLUTIONS

MATH 320: PRACTICE PROBLEMS FOR THE FINAL AND SOLUTIONS MATH 320: PRACTICE PROBLEMS FOR THE FINAL AND SOLUTIONS There will be eight problems on the final. The following are sample problems. Problem 1. Let F be the vector space of all real valued functions on

More information

Chapter 3: Theory Review: Solutions Math 308 F Spring 2015

Chapter 3: Theory Review: Solutions Math 308 F Spring 2015 Chapter : Theory Review: Solutions Math 08 F Spring 05. What two properties must a function T : R m R n satisfy to be a linear transformation? (a) For all vectors u and v in R m, T (u + v) T (u) + T (v)

More information

Lecture: Linear algebra. 4. Solutions of linear equation systems The fundamental theorem of linear algebra

Lecture: Linear algebra. 4. Solutions of linear equation systems The fundamental theorem of linear algebra Lecture: Linear algebra. 1. Subspaces. 2. Orthogonal complement. 3. The four fundamental subspaces 4. Solutions of linear equation systems The fundamental theorem of linear algebra 5. Determining the fundamental

More information

Linear Algebra. Paul Yiu. 6D: 2-planes in R 4. Department of Mathematics Florida Atlantic University. Fall 2011

Linear Algebra. Paul Yiu. 6D: 2-planes in R 4. Department of Mathematics Florida Atlantic University. Fall 2011 Linear Algebra Paul Yiu Department of Mathematics Florida Atlantic University Fall 2011 6D: 2-planes in R 4 The angle between a vector and a plane The angle between a vector v R n and a subspace V is the

More information

arxiv: v1 [math.gr] 8 Nov 2008

arxiv: v1 [math.gr] 8 Nov 2008 SUBSPACES OF 7 7 SKEW-SYMMETRIC MATRICES RELATED TO THE GROUP G 2 arxiv:0811.1298v1 [math.gr] 8 Nov 2008 ROD GOW Abstract. Let K be a field of characteristic different from 2 and let C be an octonion algebra

More information

Linear Algebra Highlights

Linear Algebra Highlights Linear Algebra Highlights Chapter 1 A linear equation in n variables is of the form a 1 x 1 + a 2 x 2 + + a n x n. We can have m equations in n variables, a system of linear equations, which we want to

More information

Linear Algebra Homework and Study Guide

Linear Algebra Homework and Study Guide Linear Algebra Homework and Study Guide Phil R. Smith, Ph.D. February 28, 20 Homework Problem Sets Organized by Learning Outcomes Test I: Systems of Linear Equations; Matrices Lesson. Give examples of

More information

Chapter 1 Vector Spaces

Chapter 1 Vector Spaces Chapter 1 Vector Spaces Per-Olof Persson persson@berkeley.edu Department of Mathematics University of California, Berkeley Math 110 Linear Algebra Vector Spaces Definition A vector space V over a field

More information

Math 321: Linear Algebra

Math 321: Linear Algebra Math 32: Linear Algebra T. Kapitula Department of Mathematics and Statistics University of New Mexico September 8, 24 Textbook: Linear Algebra,by J. Hefferon E-mail: kapitula@math.unm.edu Prof. Kapitula,

More information

Lecture 2: Linear Algebra Review

Lecture 2: Linear Algebra Review EE 227A: Convex Optimization and Applications January 19 Lecture 2: Linear Algebra Review Lecturer: Mert Pilanci Reading assignment: Appendix C of BV. Sections 2-6 of the web textbook 1 2.1 Vectors 2.1.1

More information

Online Exercises for Linear Algebra XM511

Online Exercises for Linear Algebra XM511 This document lists the online exercises for XM511. The section ( ) numbers refer to the textbook. TYPE I are True/False. Lecture 02 ( 1.1) Online Exercises for Linear Algebra XM511 1) The matrix [3 2

More information

Page 712. Lecture 42: Rotations and Orbital Angular Momentum in Two Dimensions Date Revised: 2009/02/04 Date Given: 2009/02/04

Page 712. Lecture 42: Rotations and Orbital Angular Momentum in Two Dimensions Date Revised: 2009/02/04 Date Given: 2009/02/04 Page 71 Lecture 4: Rotations and Orbital Angular Momentum in Two Dimensions Date Revised: 009/0/04 Date Given: 009/0/04 Plan of Attack Section 14.1 Rotations and Orbital Angular Momentum: Plan of Attack

More information

(a) II and III (b) I (c) I and III (d) I and II and III (e) None are true.

(a) II and III (b) I (c) I and III (d) I and II and III (e) None are true. 1 Which of the following statements is always true? I The null space of an m n matrix is a subspace of R m II If the set B = {v 1,, v n } spans a vector space V and dimv = n, then B is a basis for V III

More information

ELEMENTARY SUBALGEBRAS OF RESTRICTED LIE ALGEBRAS

ELEMENTARY SUBALGEBRAS OF RESTRICTED LIE ALGEBRAS ELEMENTARY SUBALGEBRAS OF RESTRICTED LIE ALGEBRAS J. WARNER SUMMARY OF A PAPER BY J. CARLSON, E. FRIEDLANDER, AND J. PEVTSOVA, AND FURTHER OBSERVATIONS 1. The Nullcone and Restricted Nullcone We will need

More information

MATH 240 Spring, Chapter 1: Linear Equations and Matrices

MATH 240 Spring, Chapter 1: Linear Equations and Matrices MATH 240 Spring, 2006 Chapter Summaries for Kolman / Hill, Elementary Linear Algebra, 8th Ed. Sections 1.1 1.6, 2.1 2.2, 3.2 3.8, 4.3 4.5, 5.1 5.3, 5.5, 6.1 6.5, 7.1 7.2, 7.4 DEFINITIONS Chapter 1: Linear

More information

web: HOMEWORK 1

web: HOMEWORK 1 MAT 207 LINEAR ALGEBRA I 2009207 Dokuz Eylül University, Faculty of Science, Department of Mathematics Instructor: Engin Mermut web: http://kisideuedutr/enginmermut/ HOMEWORK VECTORS IN THE n-dimensional

More information

Math 4377/6308 Advanced Linear Algebra

Math 4377/6308 Advanced Linear Algebra 2.4 Inverse Math 4377/6308 Advanced Linear Algebra 2.4 Invertibility and Isomorphisms Jiwen He Department of Mathematics, University of Houston jiwenhe@math.uh.edu math.uh.edu/ jiwenhe/math4377 Jiwen He,

More information

Properties of Matrices and Operations on Matrices

Properties of Matrices and Operations on Matrices Properties of Matrices and Operations on Matrices A common data structure for statistical analysis is a rectangular array or matris. Rows represent individual observational units, or just observations,

More information

Study Guide for Linear Algebra Exam 2

Study Guide for Linear Algebra Exam 2 Study Guide for Linear Algebra Exam 2 Term Vector Space Definition A Vector Space is a nonempty set V of objects, on which are defined two operations, called addition and multiplication by scalars (real

More information

MATH 2331 Linear Algebra. Section 2.1 Matrix Operations. Definition: A : m n, B : n p. Example: Compute AB, if possible.

MATH 2331 Linear Algebra. Section 2.1 Matrix Operations. Definition: A : m n, B : n p. Example: Compute AB, if possible. MATH 2331 Linear Algebra Section 2.1 Matrix Operations Definition: A : m n, B : n p ( 1 2 p ) ( 1 2 p ) AB = A b b b = Ab Ab Ab Example: Compute AB, if possible. 1 Row-column rule: i-j-th entry of AB:

More information

(II.B) Basis and dimension

(II.B) Basis and dimension (II.B) Basis and dimension How would you explain that a plane has two dimensions? Well, you can go in two independent directions, and no more. To make this idea precise, we formulate the DEFINITION 1.

More information

Numerical Linear Algebra Homework Assignment - Week 2

Numerical Linear Algebra Homework Assignment - Week 2 Numerical Linear Algebra Homework Assignment - Week 2 Đoàn Trần Nguyên Tùng Student ID: 1411352 8th October 2016 Exercise 2.1: Show that if a matrix A is both triangular and unitary, then it is diagonal.

More information

EE263: Introduction to Linear Dynamical Systems Review Session 2

EE263: Introduction to Linear Dynamical Systems Review Session 2 EE263: Introduction to Linear Dynamical Systems Review Session 2 Basic concepts from linear algebra nullspace range rank and conservation of dimension EE263 RS2 1 Prerequisites We assume that you are familiar

More information

LS.1 Review of Linear Algebra

LS.1 Review of Linear Algebra LS. LINEAR SYSTEMS LS.1 Review of Linear Algebra In these notes, we will investigate a way of handling a linear system of ODE s directly, instead of using elimination to reduce it to a single higher-order

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback