Exploring Naccache-Stern Knapsack Encryption
|
|
- Christopher Norman
- 5 years ago
- Views:
Transcription
1 Explorng Naccache-Stern Knapsack Encrypton Érc Brer 1, Rém Géraud 2, and Davd Naccache 2 1 Ingenco Termnals 9 Avenue de la Gare f Alxan, France erc.brer@ngenco.com 2 École normale supéreure 45 rue d Ulm, f Pars cedex 05, France {rem.geraud,davd.naccache}@ens.fr Abstract. The Naccache Stern publc-key cryptosystem (NS) reles on the conjectured hardness of the modular multplcatve knapsack problem: Gven p, {v }, v m mod p, fnd the {m }. Gven ths scheme s algebrac structure t s nterestng to systematcally explore ts varants and generalzatons. In partcular t mght be useful to enhance NS wth features such as semantc securty, re-randomzablty or an extenson to hgher-resdues. Ths paper addresses these questons and proposes several such varants. 1 Introducton In 1997, Naccache and Stern (NS, [15]) presented a publc-key cryptosystem based on the conjectured hardness of the modular multplcatve knapsack problem. Ths problem s defned as follows: Let p be a modulus 3 and let v 0,..., v Z p. Gven p, v 0,..., v, and v m mod p, fnd the {m }. Gven ths scheme s algebrac structure t s nterestng to determne f varants and generalzatons can add to NS features such as semantc securty, re-randomzablty or extend t to operate on hgher-resdues. Ths paper addresses these questons and explores several such varants. 1.1 The Orgnal Naccache Stern Cryptosystem The NS cryptosystem uses the followng sub-algorthms: 3 p s usually prme but nothng prevents extendng the problem to composte RSA modul.
2 Setup: Pck a large prme p and a postve nteger n. Let P = {p 0 = 2,..., p } be the set of the n frst prmes, so that p < p (We leave asde a one-bt leakage dealt wth n [15] ths technque apples mutats mutands to the algorthm presented n ths paper). KeyGen: Pck a secret nteger s < p 1, such that gcd(p 1, s) = 1. Set v = s p mod p. The publc key s (p, n, v 0,..., v ). The prvate key s s. Encrypt: To encrypt an n-bt message m, compute the cphertext c: where m s the -th bt of m. c = Decrypt: To decrypt c, compute v m mod p m = 2 µ (c, s, p) where µ (c, s, p) {0, 1} s the functon defned by: µ (c, s, p) = gcd(p, c s mod p) 1. p 1 To ths day, NS has nether been proven secure n the usual models, nor has t been attacked. Rather, ts securty reles on the conjectured hardness of a multplcatve varant of the knapsack problem 4 : Defnton 1 (Multplcatve Knapsack Problem). Gven p, c, and a set {v }, fnd a bnary vector x such that c = v x mod p. Just as n addtve knapsacks, ths problem s NP-hard n general but can be solved effcently n some stuatons; the secret key enablng precsely to transform the cphertext nto an easly-solvable nstance. Unlke addtve knapsacks, ths multplcatve knapsack doesn t lend tself to lattce reducton attacks, whch completely break many addtve knapsack-based cryptosystems [1, 3, 5, 11 13]. Over the past years, several NS varants were publshed, these notably seek to ether ncrease effcency [6] or extend NS to polynomal rngs [11]; to the best of our knowledge, no effcent attacks aganst the orgnal NS are known. 4 Ths can also be descrbed as a modular varant of the subset product problem. 2
3 1.2 Securty Notons A cryptosystem s semantcally secure, or equvalently IND-CPA-secure [9], f there s no adversary A capable of dstngushng between two cphertexts of plantexts of hs choosng. To capture ths noton, A starts by creatng two messages m 0 and m 1 and sends them to a challenger C. C randomly selects one of the m (hereafter m b ) and encrypts t nto a cphertext c. A s then challenged wth c and has to guess b wth probablty sgnfcantly hgher than 1/2. Gven a publc-key cryptosystem PKC = {Setup, KeyGen, Encrypt, Decrypt}, ths securty noton can be formally defned by the followng game: Defnton 2 (IND-CPA-Securty). The followng game s played: C selects a secret random bt b; A outputs two messages m 0 and m 1 ; C sends to A the cphertext c Encrypt(m b ); A outputs a guess b. A wns the game f b = b. The advantage of A n ths game s defned as: Adv IND-CPA PKC,A := Pr [b = b ] 1 2 A publc-key cryptosystem PKC s IND-CPA-secure f Adv IND-CPA PKC,A all PPT adversares A. s neglgble for IND-CPA-securty s a very basc requrement, and n some scenaros t s desrable to have stronger securty notons, capturng stronger adversares. The strongest securty noton for a publc-key cryptosystem s ndstngushablty under adaptve chosen cphertext attacks, or IND-CCA2-securty. IND-CCA2 s also defned n terms of a game, where A s furthermore gven access to an encrypton oracle and a decrypton oracle: Defnton 3 (IND-CCA2-Securty). An adversary A s gven access to an encrypton oracle O E and a decrypton oracle O D. The followng game s played: C selects a secret random bt b; A queres O E and O D and outputs two messages m 0 and m 1 ; C sends to A the cphertext c Encrypt(m b ); A queres O E and O D and outputs a guess b. A wns the game f b = b and f no query to the oracles concerned m 0 nor m 1. The advantage of A n ths game s defned as Adv IND-CCA2 PKC,A := Pr [b = b ] 1 2 A publc-key cryptosystem PKC s IND-CCA2-secure f Adv IND-CCA2 PKC,A for all PPT adversares A. s neglgble 3
4 We further remnd the syntax of a perfectly re-randomzable encrypton scheme [4, 10,16]. A perfectly re-randomzable encrypton scheme conssts n four polynomaltme algorthms (polynomal n the mplct securty parameter k): 1. KeyGen: a randomzed algorthm whch outputs a publc key pk and a correspondng prvate key sk. 2. Encrypt: a randomzed encrypton algorthm whch takes a plantext m (from a plantext space) and a publc key pk, and outputs a cphertext c. 3. ReRand: a randomzed algorthm whch takes a cphertext c and outputs another cphertext c ; c decrypts to the same message m as the orgnal cphertext c. 4. Decrypt: a determnstc decrypton algorthm whch takes a prvate key sk and a cphertext c, and outputs ether a plantext m or an error ndcator. In other words: {sk, pk} KeyGen(1 k ) Decrypt(ReRand(Encrypt(m, pk), pk), sk) = Decrypt(Encrypt(m, pk), sk) = m Note that ReRand takes only a cphertext and a publc key as nput, and n partcular, does not requre sk. 2 Hgher-Resdues Naccache-Stern The determnstc nature of NS prevents t from achevng IND-CPA-securty: Indeed, a gven message m 0 wll always produce the same cphertext c 0, so A wll always wn the game of Defnton 2. We now descrbe an NS varant that s randomzed. We then show how ths modfcaton guarantees semantc securty, and even CCA2 securty n the random oracle model, assumng the hardness of solvng the multplcatve knapsack descrbed earler. In dong so, we must be very careful not to ntroduce addtonal structure that an adversary could leverage. To make ths very vsble, we decomposed the constructon nto three steps, each step pontng out the flaws avoded n the fnal constructon. 2.1 Constructon Step 1 Because the modfed cryptosystem uses specal prme modul, algorthms Setup and KeyGen are merged nto one sngle Setup + KeyGen algorthm 5. Setup + KeyGen: Pck a large prme p such that (p 1)/2 = as s a factorngresstant RSA modulus. 5 Alternatvely, we can regard Setup as a pro forma empty algorthm. 4
5 Pck a postve nteger n. Let P = {p 0 = 2,..., p } be the set of the n frst prmes, so that Set p < p v = s p mod p Let g be a generator of F p, and l = g 2a mod p. The publc key s (p, n, l, v 0,..., v ). The prvate key s s. Encrypt: To encrypt m, pck a random nteger k [1, p 2] and compute: c = l k v m where m s the -th bt of the message m. Decrypt: To decrypt c compute mod p m = 2 µ (c, s, p). To understand why decrypton works we frst observe that Hence: c s = (l k ) s = ((g 2a ) k ) s = g k(p 1) = 1 mod p. ( l k v m ) s = (l k ) s p m mod p. And we are brought back to the orgnal NS decrypton process. The problem: The (attentve) reader could have noted at ths step that because s s large and because the p are very few, the odds that a p s an s-th resdue modulo p are neglgble. Hence, unless p s constructed n a very partcular way, key pars smply... cannot be constructed. 6 A soluton consstng n usng a specfc p and s detaled n Secton 4. The alternatve conssts n proceedng wth 2 hereafter. 2.2 Constructon Step 2 The workaround wll be the followng: Assume that we pck a v at random, rase t to the power s and get some nteger π: π = v s mod p 6 Note that ths s obvously not be an ssue wth the orgnal NS scheme. 5
6 Refresh v untl π = 0 mod p where π s consdered as an element of Z. (In the worst case ths takes p trals.) Lettng y = π/p, we have: p y = v s mod p p = y 1 We wll now add the u as auxlary publc keys. v s = u v s mod p Setup + KeyGen: Pck a large prme p such that (p 1)/2 = as s a factorngresstant RSA modulus. Pck a postve nteger n. Let P = {p 0 = 2,..., p } be the set of the n frst prmes, so that p < p Generate the u, v pars as prevously descrbed so that: p = u v s mod p Let g be a generator of F p, and l = g 2a mod p. The publc key s (p, n, l, u 0,..., u, v 0,..., v ). The prvate key s s. Encrypt: To encrypt m, pck a random nteger k [1, p 2] and compute: c 0 = l k v m mod p and c 1 = where m s the -th bt of the message m. Decrypt: To decrypt c 0, c 1 compute Where m = 2 (c 0, c 1, s, p) u m (c 0, c 1, s, p) = gcd(p, c 1 c s 0 mod p) 1. p 1 To understand why decrypton works remnd that (l k ) s = 1 mod p and hence c 1 c s 0 = u m ( l k v m ) s = (l k ) s (u v s ) m = And we are brought back to the orgnal NS decrypton process. p m mod p. The problem: The (very attentve) reader could have noted that the resultng cryptosystem does not acheve semantc securty because the constructon process of c 1 s determnstc. 6
7 2.3 Constructon Step 3 The workaround s the followng: we provde the sender wth two extra elements of Z p that wll allow hm to blnd c 0, c 1. To that end, pck a random α Z p, let βα s = 1 mod p and add α, β to the publc key. The algorthms Setup + KeyGen and Decrypt reman otherwse unchanged but Encrypt now becomes: Encrypt: To encrypt m, pck a random nteger k [1, p 2] and compute: c 0 = α k v m mod p and c 1 = β k To understand why decrypton works we note that (modulo p): c 1 c s 0 = β k u m ( α k v m u m. ) s = (βα s ) k (u v s ) m = And we are brought back to the orgnal NS decrypton process. p m. 3 Securty 3.1 Semantc Securty The modfed scheme s securty essentally reles on blndng an NS cphertext usng a multplcatve factor l k = g 2ka mod p, whch belongs to the subgroup of Z p of order b. Lemma 1. Under the subgroup hdng assumpton n Z p, the scheme descrbed n Secton 2.1 s IND-CPA-secure. Recall that the subgroup-hdng assumpton [2] states that the unform dstrbuton over Z p s ndstngushable from the unform dstrbuton over one of ts subgroups. Proof. Assume that A(pk) wns the IND-CPA game wth non-neglgble advantage. Then n partcular A(pk) has non-neglgble advantage n the real-or-random game Adv R/R A := Pr[AE pk (pk) = 1] Pr[A O (pk) = 1] where E pk s an encrypton oracle and O s a random oracle. We defne B(pk, γ) as follows: Let E B (m) = γ vm mod p; B(pk, γ) returns the same result as A E B (pk) 7
8 The scenaro B(pk, γ = g 2au ) yelds E B = E pk. The scenaro B(pk, γ = g u ) for random u gves a cphertext that s a unform value, and therefore behaves as a perfect smulator of a random oracle,.e. E B = O. Hence f A s an effcent adversary aganst our scheme, then B s an effcent solver for the subgroup-hdng problem. Note that ths part of the argument does not fundamentally rely on the orgnal NS beng secure ndeed, we may consder an encrypton scheme that produces cphertexts of the form c = x k m. Decrypton for such a cryptosystem would be trcky, as c b = m b and there are b possble roots. That s why usng NS s useful, as we do not have decrypton ambguty ssues. As we ponted out, the constructon of Secton 2.2 s not semantcally secure: ndeed, c 1 s generated determnstcally from m. Ths s addressed n Secton 2.3 by ntroducng two numbers α and β. Usng a smlar argument as n Lemma 1, we have Lemma 2. Under the DDH assumpton n Z p, and assumng that factorng (p 1)/2 s nfeasble, the scheme descrbed n Secton 2.3 s IND-CPA-secure. Note that these hypotheses can be smultaneously satsfed. 3.2 CCA2 Securty Even more nterestng s the case for securty aganst adaptve chosen-cphertext attacks (IND-CCA2) [7, 8]. The orgnal NS s naturally not IND-CCA2; nor s n fact the Step 1 varant dscussed above: ndeed t s possble to re-randomse a cphertext, whch mmedately gves a way to wn the IND-CCA2 game. To remedy ths, we leverage the fact that upon successful decrypton, we can recover the randomness l k. The dea s to choose k n some way that depends on m. If k s a determnstc functon of m only however, randomsaton s lost. Therefore we suggest the followng varant, at the cost of some bandwdth: Instead of m, we encrypt a message m r where r s a random strng. Let k H(m r) where H s a cryptographc hash functon, and use ths value of k nstead of choosng t randomly n Encrypt. Modfy Decrypt to recover l k (or α k and β k ). Upon successfully recoverng (m r), extract r, and check that l k (resp. α k and β k ) correspond to the correct value of k otherwse t ouputs. Ths approach guarantees IND-CCA2 n the random oracle model; ths can be captured as a seres of games: Game 0: Ths s the IND-CCA2 game aganst our scheme (1 or 3), nstantated wth some hash functon H. Game 1: Ths game dffers from Game 0 n replacng H by a random oracle O. In the random oracle model, ths game s computatonally ndstngushable from Game 0. 8
9 Game 2: Ths game dffers from Game 1 by the fact that the cphertext s replaced by an unformly-sampled random element of the cphertext space. The results on IND-CPA securty tell us that ths game s computatonally ndstngushable from Game 1 (under ther respectve hypotheses). 4 Generatng Strong Pseudo-Prmes n Several Bases We now backtrack and turn our attenton to generatng specfc modul allowng to mplement securely the 1 scheme of Secton 2.1. Ths bols down to descrbng how to effcently generate strong pseudo-prme numbers. In ths secton, we denote N the sought-after modulus. Usng quadratc recprocty, we frst ntroduce an algorthm generatng numbers passng Fermat s test. Then we leverage quartc recprocty to generate numbers passng Mller-Rabn s test. The pseudoprmes we need must be strong over several bases, and complexty s polynomal n the sze of the product of these bases. 4.1 Prmalty Tests A base-a Fermat prmalty test conssts n checkng that A B A mod B. Every prme passes ths test for all bases A. There are however composte numbers, known as Carmchael numbers, that also pass ths test n all bases. For nstance, 1729 = s such a number. There are an nfnty of Carmchael numbers. The Mller-Rabn prmalty test also reles on Fermat s lttle theorem. Let B 1 = 2 e m wth m odd. An nteger B passes the Mller-Rabn test f A m 1 mod B or f there exsts an e 1 such that A 2m 1 mod B. Defnton 4 (Strong pseudo-prme). A number that passes the Mller-Rabn test s sad strongly pseudo-prme n base A. An nterestng theorem [14, Proposton 2] [17] states that a composte number can only be strongly pseudo-prme for a quarter of the possble bases. 4.2 Constructng Pseudo-Prmes When p and 2p 1 are prme, Fermat s test amounts to the computng of a Jacob symbol. Indeed, Theorem 1. Let p be a prme such that q = 2p 1 s also prme. Let A QR q. Then B = pq passes Fermat s test n base A. Proof. A B (A p ) q A q A 2(p 1)+1 A mod p ( ) A A B (A q ) p A p A (q 1)/2+1 A A mod q q By the Chnese remander theorem, we fnd that A B A mod B. 9
10 From Gauss quadratc recprocty theorem, f q 1 mod 4 we can take q 1 mod A whch guarantees that A QR q. To make 2 a quadratc resdue modulo q we must have q ±1 mod 8. It s therefore easy to construct numbers that pass Fermat s test n a prescrbed lst of bases. 4.3 Constructng Strong Pseudo-prmes In ths secton we seek to generate numbers that are strongly pseudo-prme n base, where s prme. Let p denote a prme number such that q = 2p 1 s also prme, and N = pq. We have the followng equatons: N 1 0 mod p 1 N 1 q 1 mod q 1 2 n 1 p 1 mod p n 1 3 q 1 mod q From there on, we wll use the notaton ( ) to denote the quartc resdue symbol. Theorem 2. Let p be a prme such that q = 2p 1 1 mod 8 s also prme. Let A be an nteger such that ( ) ( ) ( ) A A A = 1, = +1, and = 1. p q q 4 Then N = pq passes the Mller-Rabn test n base A. Proof. Note that f A (N 1)/2 1 mod N, then n passes the Mller-Rabn test n base a. It then suffces to compute ths quantty modulo p and q respectvely: ( ) A A (N 1)/2 A (p 1)/2 1 mod p p ( ) 3 A A (N 1)/2 A 3(q 1)/4 1 mod q. p Bases > 5. Let 7 be a prme number. We consder here the case p 5 mod 8,.e. q 9 mod 16. We wll leverage the followng classcal result: Theorem 3. Let q be a prme number, q = A 2 + B 2 1 mod 8 wth B even. Let be a prme number such that (p/) = 1, then ( ) B ( ), or 2 = 1 A and = 1, or q ) 4 A µb where µ λ 2 mod and = ( λ(λ+1) 10
11 We wll also need the followng easy lemmata: Lemma 3. Let 7 be a prme number, there s at least an nteger Λ such that ( ) Λ = ( ) 2 Λ = 1. Proof. Let { ( ) ( ) } 2 s 1 = # F, = +1, = +1, { ( ) ( ) } 2 s 2 = # F, = +1, = 1, { ( ) ( ) } 2 s 3 = # F, = 1, = +1, { ( ) ( ) } 2 s 4 = # F, = 1, = 1,. Then t s clear that s 1 + s 2 + s 3 + s 4 = 2. The quantty s 1 + s 2 corresponds to the number of quadratc resdues modulo, except maybe 2. Therefore, ( s 1 + s 2 = 2 2 ) 1. By symmetry between and 2, we have s 2 = s 3. We also have From that we get the value of s 4 : { ( ) } (2 ) s 2 + s 3 = # F, = 1 { ( ) } 2/ 1 = # F, = 1 { ( ) } u = # u F, u 1, = 1 ( ) 1 + = 1. 2 ( + 2 s 4 = 2 ) ( 4 ) 1 2. Therefore, for every 7, s 4 > 0. 11
12 Choosng such an, we denote λ the nteger such that = 1 + 1/λ mod. Then, ( ) ( ) 1 + 1/λ 1 1/λ = = 1 ( ) ( ) (λ + 1)λ (λ 1)λ = = 1 ( λ 2 ) ( ) ( ) 1 (λ + 1)λ (λ 1)λ = = 1. Let µ be such that µ = λ 2. We can thus construct λ and µ so that the thrd possblty of Theorem 3 s never satsfed. Lemma 4. Let 7 be a prme number, there s at least an nteger x such that (x/) = 1 and (2x 1/) = +1. Proof. As for the prevous lemma, we show that there are 1 4 such values of x, whch strctly postve for 7. ( + 2 ( 2 ) ( ) ) 1 2 For such an x, we wrte y = 2x 1 = z 2 mod, A = z/λ mod, and B = A µ. We then have A 2 + B 2 = (1 + µ 2 )A 2 = λ 2 A 2 = z 2 = y mod If q = A 2 + B 2 1 mod 8 s prme, wth B even, A A mod, and B B mod, then we see that the condtons of Theorem 3 are not satsfed, hence (/q) 4 = 1. Furthermore, q y mod so that (/q) = +1. If we assume that p = (q + 1)/2 s prme, and that p 5 mod 8, then the condtons of Theorem 2 are satsfed. Indeed, p x mod so that (/p) = (x/) = 1. Thus we generated a pseudo-prme n base. All n all, the results from ths secton are captured by the followng theorem. Theorem 4. Let 7 be a prme number. There are ntegers A, A such that N = pq s strongly pseudo-prme n base, provded that q = A 2 + B 2 B s even A A mod B B mod q 9 mod 16 p = (q 1)/2 q s prme p s prme 12
13 Base = 2. In that case the followng theorem apples. Theorem 5. The nteger N = pq s strongly pseudo-prme n base 2 provded that q = A 2 + B 2 A 3 mod 8 B 4 mod 8 p = (q 1)/2 q s prme p s prme Proof. From the condtons of Theorem 5, q 9 mod 16 and q 5 mod 8, whch proves that 2 s a square modulo q and not modulo p, as t s not of the form α β 2. Bases = 3 and = 5. In both cases, we cannot fnd p and q such that the base s a square modulo q and not modulo p. As we wll see n the next secton ths s not too much of a problem n practce. We can n any case ensure that the base s a quartc resdue modulo q, usng for nstance the followng choces: A 3 = 1, B 3 = 0, A 5 = 1, B 5 = Combnng Bases Consder a set P of prme numbers, whch wll be used as bases. For each P, we construct a, b as descrbed n the prevous secton, usng ether the general constructon (for 7) or the specfc constructons (for = 2, 3, 5). Then we nvoke the Chnese remander theorem, to get three ntegers a P, b P, and m P such that N = pq s strongly pseudo-prme n all bases of P (except maybe 3 and 5), provded that q = A 2 + B 2 B s even A A P mod m P B B P mod m P q 9 mod 16 p = (q 1)/2 q s prme p s prme In fact, runnng the algorthm several tmes eventually yelds an nteger N that s also strongly pseudo-prme n bases 3 and 5. 13
14 4.5 Numercal Example Consder P = {p 1 = 2,..., p 46 } the set of all prmes smaller than 200. We get: A P = B P = m P = From these we get the followng number N, whch s strongly pseudo-prme over all the bases n P: p = q = N = Ths N can hence be used as the mssng modulus needed to nstantate a Step 1 NS varant. 14
15 5 Extensons 5.1 Usng Composte Modul In the 2/3 varants of our scheme, one mght be tempted to replace p tself by an RSA modulus n, where φ(n) = 2ab. Indeed, the orgnal NS constructon allows for such a choce. Dong so, however, would mmedately leak nformaton about the factorsaton of n: Indeed, gcd(g a 1, n) = p. There s a workaround: Frst we choose p and q so that (p 1)/2 and (q 1)/2 are RSA modul,.e. p 1 = 2s 1 s 2 and q 1 = 2r 1 r 2, wth large s 1, s 2, r 1, r 2. Then we set n = pq, a = s 1 r 1, and b = 2s 2 r 2. Therefore φ(n) = 2ab as before, but the GCD attack mentoned above does not apply, and the modfed 2/3 Naccache-Stern cryptosystem works. 5.2 Bandwdth Improvements The dea descrbed n ths paper s fully compatble wth the modfcatons ntroduced n [6] to mprove encrypton bandwdth. But there s even more: An nterestng observaton s that, upon decrypton, t s possble to recover both the message m and the whtenng x k. Ths s unlke most randomzed encrypton schemes, where the random nonce s lost. Thus we may contemplate storng some nformaton n k, thereby augmentng somewhat the total nformaton contaned n a cphertext. Alternatvely, x k may also be used as key materal f NS s used (n a hybrd mode) as a key transfer mechansm. For nstance, gven a message m = m 1 m 2, we may encrypt m 1 k usng the blndng m k 2 wth odd k. Upon decrypton, one recovers k, and computes the k-th root of the blndng factor m k 2 such a root s unque wth overwhelmng probablty thereby reconstructng the whole message. One nontrval research drecton s to provde, n the message m, hnts that make solvng the dscrete log modulo p easer and thereby embed drectly nformaton n k. References 1. Adleman, L.M.: On breakng the terated Merkle-Hellman publc-key cryptosystem. In: Chaum, D., Rvest, R.L., Sherman, A.T. (eds.) Advances n Cryptology CRYPTO 82. pp Plenum Press, New York, USA, Santa Barbara, CA, USA (1982) 2. Boneh, D., Goh, E.J., Nssm, K.: Evaluatng 2-DNF formulas on cphertexts. In: Klan, J. (ed.) TCC 2005: 2nd Theory of Cryptography Conference. Lecture Notes n Computer Scence, vol. 3378, pp Sprnger, Hedelberg, Germany, Cambrdge, MA, USA (Feb 10 12, 2005) 3. Brckell, E.F.: Breakng terated knapsacks. In: Blakley, G.R., Chaum, D. (eds.) Advances n Cryptology CRYPTO 84. Lecture Notes n Computer Scence, vol. 196, pp Sprnger, Hedelberg, Germany, Santa Barbara, CA, USA (Aug 19 23, 1984) 15
16 4. Canett, R., Krawczyk, H., Nelsen, J.B.: Relaxng chosen-cphertext securty. In: Boneh, D. (ed.) Advances n Cryptology CRYPTO Lecture Notes n Computer Scence, vol. 2729, pp Sprnger, Hedelberg, Germany, Santa Barbara, CA, USA (Aug 17 21, 2003) 5. Chee, Y.M., Joux, A., Stern, J.: The cryptoanalyss of a new publc-key cryptosystem based on modular Knapsacks. In: Fegenbaum, J. (ed.) Advances n Cryptology CRYPTO 91. Lecture Notes n Computer Scence, vol. 576, pp Sprnger, Hedelberg, Germany, Santa Barbara, CA, USA (Aug 11 15, 1992) 6. Chevaller-Mames, B., Naccache, D., Stern, J.: Lnear bandwdth Naccache-Stern encrypton. In: Ostrovsky, R., Prsco, R.D., Vscont, I. (eds.) SCN 08: 6th Internatonal Conference on Securty n Communcaton Networks. Lecture Notes n Computer Scence, vol. 5229, pp Sprnger, Hedelberg, Germany, Amalf, Italy (Sep 10 12, 2008) 7. Cramer, R., Shoup, V.: A practcal publc key cryptosystem provably secure aganst adaptve chosen cphertext attack. In: Krawczyk, H. (ed.) Advances n Cryptology CRYPTO 98. Lecture Notes n Computer Scence, vol. 1462, pp Sprnger, Hedelberg, Germany, Santa Barbara, CA, USA (Aug 23 27, 1998) 8. Fujsak, E., Okamoto, T., Pontcheval, D., Stern, J.: RSA-OAEP s secure under the RSA assumpton. Journal of Cryptology 17(2), (Mar 2004) 9. Goldwasser, S., Mcal, S.: Probablstc encrypton and how to play mental poker keepng secret all partal nformaton. In: Lews, H.R., Smons, B.B., Burkhard, W.A., Landweber, L.H. (eds.) Proceedngs of the 14th Annual ACM Symposum on Theory of Computng, May 5-7, 1982, San Francsco, Calforna, USA. pp ACM (1982) 10. Groth, J.: Rerandomzable and replayable adaptve chosen cphertext attack secure cryptosystems. In: Naor, M. (ed.) TCC 2004: 1st Theory of Cryptography Conference. Lecture Notes n Computer Scence, vol. 2951, pp Sprnger, Hedelberg, Germany, Cambrdge, MA, USA (Feb 19 21, 2004) 11. Herold, G., Meurer, A.: New attacks for knapsack based cryptosystems. In: Vscont, I., Prsco, R.D. (eds.) SCN 12: 8th Internatonal Conference on Securty n Communcaton Networks. Lecture Notes n Computer Scence, vol. 7485, pp Sprnger, Hedelberg, Germany, Amalf, Italy (Sep 5 7, 2012) 12. Joux, A., Stern, J.: Cryptanalyss of another knapsack cryptosystem. In: Ima, H., Rvest, R.L., Matsumoto, T. (eds.) Advances n Cryptology ASIACRYPT 91. Lecture Notes n Computer Scence, vol. 739, pp Sprnger, Hedelberg, Germany, Fujyoshda, Japan (Nov 11 14, 1993) 13. Lenstra Jr., H.W.: On the Chor-Rvest knapsack cryptosystem. Journal of Cryptology 3(3), (1991) 14. Moner, L.: Evaluaton and comparson of two effcent probablstc prmalty testng algorthms. Theoretcal Computer Scence 12(1), (1980) 15. Naccache, D., Stern, J.: A new publc-key cryptosystem. In: Fumy, W. (ed.) Advances n Cryptology EUROCRYPT 97. Lecture Notes n Computer Scence, vol. 1233, pp Sprnger, Hedelberg, Germany, Konstanz, Germany (May 11 15, 1997) 16. Prabhakaran, M., Rosulek, M.: Rerandomzable RCCA encrypton. In: Menezes, A. (ed.) Advances n Cryptology CRYPTO Lecture Notes n Computer Scence, vol. 4622, pp Sprnger, Hedelberg, Germany, Santa Barbara, CA, USA (Aug 19 23, 2007) 17. Rabn, M.O.: Probablstc algorthm for testng prmalty. Journal of number theory 12(1), (1980) 16
Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction
Attacks on RSA The Rabn Cryptosystem Semantc Securty of RSA Cryptology, Tuesday, February 27th, 2007 Nls Andersen Square Roots modulo n Complexty Theoretc Reducton Factorng Algorthms Pollard s p 1 Pollard
More informationFinding Primitive Roots Pseudo-Deterministically
Electronc Colloquum on Computatonal Complexty, Report No 207 (205) Fndng Prmtve Roots Pseudo-Determnstcally Ofer Grossman December 22, 205 Abstract Pseudo-determnstc algorthms are randomzed search algorthms
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00 No extra materal s allowed durng the exam except for pens and a smple calculator (not smartphones).
More informationPRIME NUMBER GENERATION BASED ON POCKLINGTON S THEOREM
PRIME NUMBER GENERATION BASED ON POCKLINGTON S THEOREM Alexandros Papankolaou and Song Y. Yan Department of Computer Scence, Aston Unversty, Brmngham B4 7ET, UK 24 October 2000, Receved 26 June 2001 Abstract
More informationProvable Security Signatures
Provable Securty Sgnatures UCL - Louvan-la-Neuve Wednesday, July 10th, 2002 LIENS-CNRS Ecole normale supéreure Summary Introducton Sgnature FD PSS Forkng Lemma Generc Model Concluson Provable Securty -
More informationLecture 4: Universal Hash Functions/Streaming Cont d
CSE 5: Desgn and Analyss of Algorthms I Sprng 06 Lecture 4: Unversal Hash Functons/Streamng Cont d Lecturer: Shayan Oves Gharan Aprl 6th Scrbe: Jacob Schreber Dsclamer: These notes have not been subjected
More informationSome Consequences. Example of Extended Euclidean Algorithm. The Fundamental Theorem of Arithmetic, II. Characterizing the GCD and LCM
Example of Extended Eucldean Algorthm Recall that gcd(84, 33) = gcd(33, 18) = gcd(18, 15) = gcd(15, 3) = gcd(3, 0) = 3 We work backwards to wrte 3 as a lnear combnaton of 84 and 33: 3 = 18 15 [Now 3 s
More informationCryptanalysis of pairing-free certificateless authenticated key agreement protocol
Cryptanalyss of parng-free certfcateless authentcated key agreement protocol Zhan Zhu Chna Shp Development Desgn Center CSDDC Wuhan Chna Emal: zhuzhan0@gmal.com bstract: Recently He et al. [D. He J. Chen
More informationCryptanalysis of a Public-key Cryptosystem Using Lattice Basis Reduction Algorithm
www.ijcsi.org 110 Cryptanalyss of a Publc-key Cryptosystem Usng Lattce Bass Reducton Algorthm Roohallah Rastagh 1, Hamd R. Dall Oskoue 2 1,2 Department of Electrcal Engneerng, Aeronautcal Unversty of Snce
More informationAlgorithms for factoring
CSA E0 235: Crytograhy Arl 9,2015 Instructor: Arta Patra Algorthms for factorng Submtted by: Jay Oza, Nranjan Sngh Introducton Factorsaton of large ntegers has been a wdely studed toc manly because of
More informationOn a CCA2-secure variant of McEliece in the standard model
On a CCA2-secure varant of McElece n the standard model Edoardo Perschett Department of Mathematcs, Unversty of Auckland, New Zealand. e.perschett@math.auckland.ac.nz Abstract. We consder publc-key encrypton
More informationDifference Equations
Dfference Equatons c Jan Vrbk 1 Bascs Suppose a sequence of numbers, say a 0,a 1,a,a 3,... s defned by a certan general relatonshp between, say, three consecutve values of the sequence, e.g. a + +3a +1
More informationAugmented Broadcaster Identity-based Broadcast Encryption
Augmented Broadcaster Identty-based Broadcast Encrypton Janhong Zhang Yuwe Xu Zhpeng Chen Insttuton of Image Processng and Pattern Recognton North Chna Unversty of Technology Bejng Chna 100144 ywxupaper@163com
More informationFoundations of Arithmetic
Foundatons of Arthmetc Notaton We shall denote the sum and product of numbers n the usual notaton as a 2 + a 2 + a 3 + + a = a, a 1 a 2 a 3 a = a The notaton a b means a dvdes b,.e. ac = b where c s an
More informationSecure and practical identity-based encryption
Secure and practcal dentty-based encrypton D. Naccache Abstract: A varant of Waters dentty-based encrypton scheme wth a much smaller system parameters sze (only a few klobytes) s presented. It s shown
More informationProblem Set 9 Solutions
Desgn and Analyss of Algorthms May 4, 2015 Massachusetts Insttute of Technology 6.046J/18.410J Profs. Erk Demane, Srn Devadas, and Nancy Lynch Problem Set 9 Solutons Problem Set 9 Solutons Ths problem
More informationG /G Advanced Cryptography 12/9/2009. Lecture 14
G22.3220-001/G63.2180 Advanced Cryptography 12/9/2009 Lecturer: Yevgeny Dods Lecture 14 Scrbe: Arsteds Tentes In ths lecture we covered the Ideal/Real paradgm and the noton of UC securty. Moreover, we
More informationa b a In case b 0, a being divisible by b is the same as to say that
Secton 6.2 Dvsblty among the ntegers An nteger a ε s dvsble by b ε f there s an nteger c ε such that a = bc. Note that s dvsble by any nteger b, snce = b. On the other hand, a s dvsble by only f a = :
More informationMath 261 Exercise sheet 2
Math 261 Exercse sheet 2 http://staff.aub.edu.lb/~nm116/teachng/2017/math261/ndex.html Verson: September 25, 2017 Answers are due for Monday 25 September, 11AM. The use of calculators s allowed. Exercse
More informationCS : Algorithms and Uncertainty Lecture 17 Date: October 26, 2016
CS 29-128: Algorthms and Uncertanty Lecture 17 Date: October 26, 2016 Instructor: Nkhl Bansal Scrbe: Mchael Denns 1 Introducton In ths lecture we wll be lookng nto the secretary problem, and an nterestng
More informationLecture Space-Bounded Derandomization
Notes on Complexty Theory Last updated: October, 2008 Jonathan Katz Lecture Space-Bounded Derandomzaton 1 Space-Bounded Derandomzaton We now dscuss derandomzaton of space-bounded algorthms. Here non-trval
More informationRecover plaintext attack to block ciphers
Recover plantext attac to bloc cphers L An-Png Bejng 100085, P.R.Chna apl0001@sna.com Abstract In ths paper, we wll present an estmaton for the upper-bound of the amount of 16-bytes plantexts for Englsh
More informationPractical Functional Encryption for Quadratic Functions with Applications to Predicate Encryption
Practcal Functonal Encrypton for Quadratc Functons wth Applcatons to Predcate Encrypton Carmen Elsabetta Zara Baltco 1, Daro Catalano 1, Daro Fore 2, and Roman Gay 3 1 Dpartmento d Matematca e Informatca,
More informationStanford University CS254: Computational Complexity Notes 7 Luca Trevisan January 29, Notes for Lecture 7
Stanford Unversty CS54: Computatonal Complexty Notes 7 Luca Trevsan January 9, 014 Notes for Lecture 7 1 Approxmate Countng wt an N oracle We complete te proof of te followng result: Teorem 1 For every
More informationTHE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens
THE CHINESE REMAINDER THEOREM KEITH CONRAD We should thank the Chnese for ther wonderful remander theorem. Glenn Stevens 1. Introducton The Chnese remander theorem says we can unquely solve any par of
More informationSpeeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem
H.K. Pathak et. al. / (IJCSE) Internatonal Journal on Computer Scence and Engneerng Speedng up Computaton of Scalar Multplcaton n Ellptc Curve Cryptosystem H. K. Pathak Manju Sangh S.o.S n Computer scence
More informationIntroduction to Algorithms
Introducton to Algorthms 6.046J/8.40J Lecture 7 Prof. Potr Indyk Data Structures Role of data structures: Encapsulate data Support certan operatons (e.g., INSERT, DELETE, SEARCH) Our focus: effcency of
More informationHomework Assignment 3 Due in class, Thursday October 15
Homework Assgnment 3 Due n class, Thursday October 15 SDS 383C Statstcal Modelng I 1 Rdge regresson and Lasso 1. Get the Prostrate cancer data from http://statweb.stanford.edu/~tbs/elemstatlearn/ datasets/prostate.data.
More information3.1 Expectation of Functions of Several Random Variables. )' be a k-dimensional discrete or continuous random vector, with joint PMF p (, E X E X1 E X
Statstcs 1: Probablty Theory II 37 3 EPECTATION OF SEVERAL RANDOM VARIABLES As n Probablty Theory I, the nterest n most stuatons les not on the actual dstrbuton of a random vector, but rather on a number
More informationChristian Aebi Collège Calvin, Geneva, Switzerland
#A7 INTEGERS 12 (2012) A PROPERTY OF TWIN PRIMES Chrstan Aeb Collège Calvn, Geneva, Swtzerland chrstan.aeb@edu.ge.ch Grant Carns Department of Mathematcs, La Trobe Unversty, Melbourne, Australa G.Carns@latrobe.edu.au
More informationGeneralized Linear Methods
Generalzed Lnear Methods 1 Introducton In the Ensemble Methods the general dea s that usng a combnaton of several weak learner one could make a better learner. More formally, assume that we have a set
More informationk(k 1)(k 2)(p 2) 6(p d.
BLOCK-TRANSITIVE 3-DESIGNS WITH AFFINE AUTOMORPHISM GROUP Greg Gamble Let X = (Z p d where p s an odd prme and d N, and let B X, B = k. Then t was shown by Praeger that the set B = {B g g AGL d (p} s the
More informationFinding Dense Subgraphs in G(n, 1/2)
Fndng Dense Subgraphs n Gn, 1/ Atsh Das Sarma 1, Amt Deshpande, and Rav Kannan 1 Georga Insttute of Technology,atsh@cc.gatech.edu Mcrosoft Research-Bangalore,amtdesh,annan@mcrosoft.com Abstract. Fndng
More informationU.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016
U.C. Berkeley CS94: Spectral Methods and Expanders Handout 8 Luca Trevsan February 7, 06 Lecture 8: Spectral Algorthms Wrap-up In whch we talk about even more generalzatons of Cheeger s nequaltes, and
More informationCollege of Computer & Information Science Fall 2009 Northeastern University 20 October 2009
College of Computer & Informaton Scence Fall 2009 Northeastern Unversty 20 October 2009 CS7880: Algorthmc Power Tools Scrbe: Jan Wen and Laura Poplawsk Lecture Outlne: Prmal-dual schema Network Desgn:
More informationarxiv: v1 [cs.cr] 22 Oct 2018
CRYPTOGRAPHIC ANALYSIS OF THE MODIFIED MATRIX MODULAR CRYPTOSYSTEM arxv:181109876v1 [cscr] 22 Oct 2018 VITALIĬ ROMAN KOV Abstract We show that the Modfed Matrx Modular Cryptosystem proposed by SK Rososhek
More informationBounded Memory Leakage
6.889: New Developments n Cryptography prl 5, 2011 Instructor: Yael Tauman Kala Bounded Memory Leakage Scrbe: Raluca da Popa When desgnng cryptographc schemes, we usually rely on the assumpton that every
More informationMaximizing the number of nonnegative subsets
Maxmzng the number of nonnegatve subsets Noga Alon Hao Huang December 1, 213 Abstract Gven a set of n real numbers, f the sum of elements of every subset of sze larger than k s negatve, what s the maxmum
More informationGeneric Hardness of the Multiple Discrete Logarithm Problem
Generc Hardness of the Multple Dscrete Logarthm Problem Aaram Yun Ulsan Natonal Insttute of Scence and Technology (UNIST) Republc of Korea aaramyun@unst.ac.kr Abstract. We study generc hardness of the
More informationPassword Based Key Exchange With Mutual Authentication
Password Based Key Exchange Wth Mutual Authentcaton Shaoquan Jang and Guang Gong Department of Electrcal and Computer Engneerng Unversty of Waterloo Waterloo, Ontaro N2L 3G1, CANADA Emal:{angshq,ggong}@callope.uwaterloo.ca
More informationExercises. 18 Algorithms
18 Algorthms Exercses 0.1. In each of the followng stuatons, ndcate whether f = O(g), or f = Ω(g), or both (n whch case f = Θ(g)). f(n) g(n) (a) n 100 n 200 (b) n 1/2 n 2/3 (c) 100n + log n n + (log n)
More informationLecture 2: Gram-Schmidt Vectors and the LLL Algorithm
NYU, Fall 2016 Lattces Mn Course Lecture 2: Gram-Schmdt Vectors and the LLL Algorthm Lecturer: Noah Stephens-Davdowtz 2.1 The Shortest Vector Problem In our last lecture, we consdered short solutons to
More informationNumerical Heat and Mass Transfer
Master degree n Mechancal Engneerng Numercal Heat and Mass Transfer 06-Fnte-Dfference Method (One-dmensonal, steady state heat conducton) Fausto Arpno f.arpno@uncas.t Introducton Why we use models and
More information1 GSW Iterative Techniques for y = Ax
1 for y = A I m gong to cheat here. here are a lot of teratve technques that can be used to solve the general case of a set of smultaneous equatons (wrtten n the matr form as y = A), but ths chapter sn
More informationLecture 4. Instructor: Haipeng Luo
Lecture 4 Instructor: Hapeng Luo In the followng lectures, we focus on the expert problem and study more adaptve algorthms. Although Hedge s proven to be worst-case optmal, one may wonder how well t would
More informationAnonymous Identity-Based Broadcast Encryption with Revocation for File Sharing
Anonymous Identty-Based Broadcast Encrypton wth Revocaton for Fle Sharng Janchang La, Y Mu, Fuchun Guo, Wlly Suslo, and Rongmao Chen Centre for Computer and Informaton Securty Research, School of Computng
More informationMin Cut, Fast Cut, Polynomial Identities
Randomzed Algorthms, Summer 016 Mn Cut, Fast Cut, Polynomal Identtes Instructor: Thomas Kesselhem and Kurt Mehlhorn 1 Mn Cuts n Graphs Lecture (5 pages) Throughout ths secton, G = (V, E) s a mult-graph.
More informationECE559VV Project Report
ECE559VV Project Report (Supplementary Notes Loc Xuan Bu I. MAX SUM-RATE SCHEDULING: THE UPLINK CASE We have seen (n the presentaton that, for downlnk (broadcast channels, the strategy maxmzng the sum-rate
More informationHash functions : MAC / HMAC
Hash functons : MAC / HMAC Outlne Message Authentcaton Codes Keyed hash famly Uncondtonally Secure MACs Ref: D Stnson: Cryprography Theory and Practce (3 rd ed), Chap 4. Unversal hash famly Notatons: X
More informationRSA /2002/13(08) , ); , ) RSA RSA : RSA RSA [2] , [1,4]
1000-9825/2002/13(081729-06 2002 Journal of Software Vol13, No8 RSA 1,2 1, 1 (, 200433; 2 (, 200070 E-mal: yfhu@fudaneducn http://wwwfudaneducn : RSA RSA :, ; RSA,,, RSA,, : ; RSA ; ;RSA; : TP309 : A RSA
More informationDISCRIMINANTS AND RAMIFIED PRIMES. 1. Introduction A prime number p is said to be ramified in a number field K if the prime ideal factorization
DISCRIMINANTS AND RAMIFIED PRIMES KEITH CONRAD 1. Introducton A prme number p s sad to be ramfed n a number feld K f the prme deal factorzaton (1.1) (p) = po K = p e 1 1 peg g has some e greater than 1.
More informationA Novel Feistel Cipher Involving a Bunch of Keys supplemented with Modular Arithmetic Addition
(IJACSA) Internatonal Journal of Advanced Computer Scence Applcatons, A Novel Festel Cpher Involvng a Bunch of Keys supplemented wth Modular Arthmetc Addton Dr. V.U.K Sastry Dean R&D, Department of Computer
More informationNotes on Frequency Estimation in Data Streams
Notes on Frequency Estmaton n Data Streams In (one of) the data streamng model(s), the data s a sequence of arrvals a 1, a 2,..., a m of the form a j = (, v) where s the dentty of the tem and belongs to
More informationThe Order Relation and Trace Inequalities for. Hermitian Operators
Internatonal Mathematcal Forum, Vol 3, 08, no, 507-57 HIKARI Ltd, wwwm-hkarcom https://doorg/0988/mf088055 The Order Relaton and Trace Inequaltes for Hermtan Operators Y Huang School of Informaton Scence
More informationLai-Massey Scheme and Quasi-Feistel Networks (Extended Abstract)
La-Massey Scheme and Quas-Festel Networks (Extended Abstract Aaram Yun, Je Hong Park 2, and Jooyoung Lee 2 Unversty of Mnnesota - Twn Ctes aaramyun@gmalcom 2 ETRI Network & Communcaton Securty Dvson, Korea
More informationAnonymous identity-based broadcast encryption with revocation for file sharing
Unversty of Wollongong Research Onlne Faculty of Engneerng and Informaton Scences - Papers: Part A Faculty of Engneerng and Informaton Scences 2016 Anonymous dentty-based broadcast encrypton wth revocaton
More informationNUMERICAL DIFFERENTIATION
NUMERICAL DIFFERENTIATION 1 Introducton Dfferentaton s a method to compute the rate at whch a dependent output y changes wth respect to the change n the ndependent nput x. Ths rate of change s called the
More informationMath 426: Probability MWF 1pm, Gasson 310 Homework 4 Selected Solutions
Exercses from Ross, 3, : Math 26: Probablty MWF pm, Gasson 30 Homework Selected Solutons 3, p. 05 Problems 76, 86 3, p. 06 Theoretcal exercses 3, 6, p. 63 Problems 5, 0, 20, p. 69 Theoretcal exercses 2,
More information20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The first idea is connectedness.
20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The frst dea s connectedness. Essentally, we want to say that a space cannot be decomposed
More informationFast Variants of RSA
Fast Varants of RSA Dan Boneh dabo@cs.stanford.edu Hovav Shacham hovav@cs.stanford.edu Abstract We survey four varants of RSA desgned to speed up RSA decrypton and sgnng. We only consder varants that are
More informationLecture 10: May 6, 2013
TTIC/CMSC 31150 Mathematcal Toolkt Sprng 013 Madhur Tulsan Lecture 10: May 6, 013 Scrbe: Wenje Luo In today s lecture, we manly talked about random walk on graphs and ntroduce the concept of graph expander,
More informationDecentralized Multi-Client Functional Encryption for Inner Product
Ths paper s a slght varant of the Extended Abstract that appears n Advances n Cryptology ASIACRYPT 2018 (December 2 6, Brsbane, Australa) Sprnger-Verlag, LNCS?????, pages??????. Decentralzed Mult-Clent
More informationClassical Encryption and Authentication under Quantum Attacks
Classcal Encrypton and Authentcaton under Quantum Attacks arxv:1307.3753v1 [cs.cr] 14 Jul 2013 Mara Velema July 12, 2013 Abstract Post-quantum cryptography studes the securty of classcal,.e. non-quantum
More information2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification
E395 - Pattern Recognton Solutons to Introducton to Pattern Recognton, Chapter : Bayesan pattern classfcaton Preface Ths document s a soluton manual for selected exercses from Introducton to Pattern Recognton
More informationwhere a is any ideal of R. Lemma 5.4. Let R be a ring. Then X = Spec R is a topological space Moreover the open sets
5. Schemes To defne schemes, just as wth algebrac varetes, the dea s to frst defne what an affne scheme s, and then realse an arbtrary scheme, as somethng whch s locally an affne scheme. The defnton of
More informationSL n (F ) Equals its Own Derived Group
Internatonal Journal of Algebra, Vol. 2, 2008, no. 12, 585-594 SL n (F ) Equals ts Own Derved Group Jorge Macel BMCC-The Cty Unversty of New York, CUNY 199 Chambers street, New York, NY 10007, USA macel@cms.nyu.edu
More information2.3 Nilpotent endomorphisms
s a block dagonal matrx, wth A Mat dm U (C) In fact, we can assume that B = B 1 B k, wth B an ordered bass of U, and that A = [f U ] B, where f U : U U s the restrcton of f to U 40 23 Nlpotent endomorphsms
More informationAlgebraic properties of polynomial iterates
Algebrac propertes of polynomal terates Alna Ostafe Department of Computng Macquare Unversty 1 Motvaton 1. Better and cryptographcally stronger pseudorandom number generators (PRNG) as lnear constructons
More informationChapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems
Numercal Analyss by Dr. Anta Pal Assstant Professor Department of Mathematcs Natonal Insttute of Technology Durgapur Durgapur-713209 emal: anta.bue@gmal.com 1 . Chapter 5 Soluton of System of Lnear Equatons
More informationOn the size of quotient of two subsets of positive integers.
arxv:1706.04101v1 [math.nt] 13 Jun 2017 On the sze of quotent of two subsets of postve ntegers. Yur Shtenkov Abstract We obtan non-trval lower bound for the set A/A, where A s a subset of the nterval [1,
More informationEcon107 Applied Econometrics Topic 3: Classical Model (Studenmund, Chapter 4)
I. Classcal Assumptons Econ7 Appled Econometrcs Topc 3: Classcal Model (Studenmund, Chapter 4) We have defned OLS and studed some algebrac propertes of OLS. In ths topc we wll study statstcal propertes
More informationComputationally Private Randomizing Polynomials and Their Applications
Computatonally Prvate Randomzng Polynomals and Ther Applcatons Benny Applebaum Yuval Isha Eyal Kushlevtz Computer Scence Department, Technon {abenny,yuval,eyalk}@cs.technon.ac.l March 5, 2006 Abstract
More informationTightly CCA-Secure Encryption without Pairings
Tghtly CCA-Secure Encrypton wthout Parngs Roman Gay 1,, Denns Hofhenz 2,, Eke Kltz 3,, and Hoeteck Wee 1, 1 ENS, Pars, France rgay,wee@d.ens.fr 2 Ruhr-Unverstät Bochum, Bochum, Germany eke.kltz@rub.de
More informationCase A. P k = Ni ( 2L i k 1 ) + (# big cells) 10d 2 P k.
THE CELLULAR METHOD In ths lecture, we ntroduce the cellular method as an approach to ncdence geometry theorems lke the Szemeréd-Trotter theorem. The method was ntroduced n the paper Combnatoral complexty
More informationTHERE ARE INFINITELY MANY FIBONACCI COMPOSITES WITH PRIME SUBSCRIPTS
Research and Communcatons n Mathematcs and Mathematcal Scences Vol 10, Issue 2, 2018, Pages 123-140 ISSN 2319-6939 Publshed Onlne on November 19, 2018 2018 Jyot Academc Press http://jyotacademcpressorg
More informationCOMPLEX NUMBERS AND QUADRATIC EQUATIONS
COMPLEX NUMBERS AND QUADRATIC EQUATIONS INTRODUCTION We know that x 0 for all x R e the square of a real number (whether postve, negatve or ero) s non-negatve Hence the equatons x, x, x + 7 0 etc are not
More informationLECTURE V. 1. More on the Chinese Remainder Theorem We begin by recalling this theorem, proven in the preceeding lecture.
LECTURE V EDWIN SPARK 1. More on the Chnese Remander Theorem We begn by recallng ths theorem, proven n the preceedng lecture. Theorem 1.1 (Chnese Remander Theorem). Let R be a rng wth deals I 1, I 2,...,
More informationCanonical transformations
Canoncal transformatons November 23, 2014 Recall that we have defned a symplectc transformaton to be any lnear transformaton M A B leavng the symplectc form nvarant, Ω AB M A CM B DΩ CD Coordnate transformatons,
More informationStructure and Drive Paul A. Jensen Copyright July 20, 2003
Structure and Drve Paul A. Jensen Copyrght July 20, 2003 A system s made up of several operatons wth flow passng between them. The structure of the system descrbes the flow paths from nputs to outputs.
More informationNEW CONSTRUCTIONS IN LINEAR CRYPTANALYSIS OF BLOCK CIPHERS
Proceedngs of ACS 000, Szczecn, pp.53-530 NEW CONSTRUCTIONS IN LINEAR CRYPTANALYSIS OF BLOCK CIPHERS ANNA ZUGAJ, KAROL GÓRSKI, ZBIGNIEW KOTULSKI, ANDRZEJ PASZKIEWICZ 3, JANUSZ SZCZEPAŃSKI ENIGMA Informaton
More informationExample: (13320, 22140) =? Solution #1: The divisors of are 1, 2, 3, 4, 5, 6, 9, 10, 12, 15, 18, 20, 27, 30, 36, 41,
The greatest common dvsor of two ntegers a and b (not both zero) s the largest nteger whch s a common factor of both a and b. We denote ths number by gcd(a, b), or smply (a, b) when there s no confuson
More informationLecture 5 Decoding Binary BCH Codes
Lecture 5 Decodng Bnary BCH Codes In ths class, we wll ntroduce dfferent methods for decodng BCH codes 51 Decodng the [15, 7, 5] 2 -BCH Code Consder the [15, 7, 5] 2 -code C we ntroduced n the last lecture
More informationA New Biometric Identity Based Encryption Scheme
NEYIRE DENIZ SARIER (2008). A New Bometrc Identty Based Encrypton Scheme. In Techncal Sessons for 2008 Internatonal Symposum on Trusted Computng (TrustCom 2008) n Proceedngs of the 9th Internatonal Conference
More informationStanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011
Stanford Unversty CS359G: Graph Parttonng and Expanders Handout 4 Luca Trevsan January 3, 0 Lecture 4 In whch we prove the dffcult drecton of Cheeger s nequalty. As n the past lectures, consder an undrected
More informationLOW BIAS INTEGRATED PATH ESTIMATORS. James M. Calvin
Proceedngs of the 007 Wnter Smulaton Conference S G Henderson, B Bller, M-H Hseh, J Shortle, J D Tew, and R R Barton, eds LOW BIAS INTEGRATED PATH ESTIMATORS James M Calvn Department of Computer Scence
More informationCOS 521: Advanced Algorithms Game Theory and Linear Programming
COS 521: Advanced Algorthms Game Theory and Lnear Programmng Moses Charkar February 27, 2013 In these notes, we ntroduce some basc concepts n game theory and lnear programmng (LP). We show a connecton
More information12. The Hamilton-Jacobi Equation Michael Fowler
1. The Hamlton-Jacob Equaton Mchael Fowler Back to Confguraton Space We ve establshed that the acton, regarded as a functon of ts coordnate endponts and tme, satsfes ( ) ( ) S q, t / t+ H qpt,, = 0, and
More informationand problem sheet 2
-8 and 5-5 problem sheet Solutons to the followng seven exercses and optonal bonus problem are to be submtted through gradescope by :0PM on Wednesday th September 08. There are also some practce problems,
More informationHomomorphic Trapdoor Commitments to Group Elements
Homomorphc Trapdoor Commtments to Group Elements Jens Groth Unversty College London j.groth@ucl.ac.uk Abstract We present homomorphc trapdoor commtments to group elements. In contrast, prevous homomorphc
More informationLecture 3: Probability Distributions
Lecture 3: Probablty Dstrbutons Random Varables Let us begn by defnng a sample space as a set of outcomes from an experment. We denote ths by S. A random varable s a functon whch maps outcomes nto the
More information1 The Mistake Bound Model
5-850: Advanced Algorthms CMU, Sprng 07 Lecture #: Onlne Learnng and Multplcatve Weghts February 7, 07 Lecturer: Anupam Gupta Scrbe: Bryan Lee,Albert Gu, Eugene Cho he Mstake Bound Model Suppose there
More informationModule 3 LOSSY IMAGE COMPRESSION SYSTEMS. Version 2 ECE IIT, Kharagpur
Module 3 LOSSY IMAGE COMPRESSION SYSTEMS Verson ECE IIT, Kharagpur Lesson 6 Theory of Quantzaton Verson ECE IIT, Kharagpur Instructonal Objectves At the end of ths lesson, the students should be able to:
More informationwhere a is any ideal of R. Lemma Let R be a ring. Then X = Spec R is a topological space. Moreover the open sets
11. Schemes To defne schemes, just as wth algebrac varetes, the dea s to frst defne what an affne scheme s, and then realse an arbtrary scheme, as somethng whch s locally an affne scheme. The defnton of
More information6.842 Randomness and Computation February 18, Lecture 4
6.842 Randomness and Computaton February 18, 2014 Lecture 4 Lecturer: Rontt Rubnfeld Scrbe: Amartya Shankha Bswas Topcs 2-Pont Samplng Interactve Proofs Publc cons vs Prvate cons 1 Two Pont Samplng 1.1
More informationCommunication Complexity 16:198: February Lecture 4. x ij y ij
Communcaton Complexty 16:198:671 09 February 2010 Lecture 4 Lecturer: Troy Lee Scrbe: Rajat Mttal 1 Homework problem : Trbes We wll solve the thrd queston n the homework. The goal s to show that the nondetermnstc
More informationKernel Methods and SVMs Extension
Kernel Methods and SVMs Extenson The purpose of ths document s to revew materal covered n Machne Learnng 1 Supervsed Learnng regardng support vector machnes (SVMs). Ths document also provdes a general
More informationMore metrics on cartesian products
More metrcs on cartesan products If (X, d ) are metrc spaces for 1 n, then n Secton II4 of the lecture notes we defned three metrcs on X whose underlyng topologes are the product topology The purpose of
More informationPerfect Competition and the Nash Bargaining Solution
Perfect Competton and the Nash Barganng Soluton Renhard John Department of Economcs Unversty of Bonn Adenauerallee 24-42 53113 Bonn, Germany emal: rohn@un-bonn.de May 2005 Abstract For a lnear exchange
More informationMessage modification, neutral bits and boomerangs
Message modfcaton, neutral bts and boomerangs From whch round should we start countng n SHA? Antone Joux DGA and Unversty of Versalles St-Quentn-en-Yvelnes France Jont work wth Thomas Peyrn 1 Dfferental
More informationA Threshold Digital Signature Issuing Scheme without Secret Communication
A Threshold Dgtal Sgnature Issung Scheme wthout Secret Communcaton Kazuo Takarag, Kunhko Myazak, Masash Takahash Systems Development Laboratory, Htach, Ltd e-mal: {takara, kunhko, takahas}@sdlhtachcop
More information