New Gröbner Bases for formal verification and cryptography
Slide 1: New Gröbner Bases for formal verification and cryptography
Gert-Martin Greuel
Diamant/Eidma Symposium, November 29th - November 30th
November 29th, 2007
Slide 2: Introduction
Focus of this talk:
- New developments for Gröbner bases
  - Gröbner bases in polynomial rings over general rings
  - Gröbner bases in Boolean rings
- Implementations and applications
  - Formal verification of hardware
  - Algebraic attacks on block ciphers
Slide 3: Introduction
Contributors: Michael Brickenstein (PhD student), Stanislav Bulygin (PhD student), Alexander Dreyer (Fraunhofer ITWM), Oliver Wienand (PhD student).
Cooperation: joint project with Prof. Kunz, Dept. of Electrical Engineering and Information Technology, University of Kaiserslautern. Sponsored by the Deutsche Forschungsgemeinschaft.
Slide 4: Outline
1. Introduction
2. Formal verification of hardware
3. Standard Bases over Rings
4. Standard Bases over Weak Factorial Rings
5. A Polynomial Framework for Boolean Rings
6. Gröbner Bases on Top of PolyBoRi
7. Cryptography
8. Conclusion
Slide 5 (Formal verification of hardware): Property checking
Motivation: limitations in hardware design are imposed by the scope of the designer. Automated tools help to extend the abilities of the designer; they are already standard in a later part of the production process.
Key ideas of property checking:
- Design the circuit and develop simple properties which the circuit should fulfill.
- Try to cover all possible behaviours.
- Use automated tools to prove all properties given the circuit design.
Slide 6 (Formal verification of hardware): Production flow
[Figure: production flow; not reproduced in the transcription]
Slide 7 (Formal verification of hardware): Problem
- A set of axioms M representing the circuit, with variables V.
- A set of statements P representing the property.
- Does the circuit M fulfill the property P?
Reformulation: assume M is consistent, i.e. there is no contradiction. If M together with the negation of P is contradictory, then M implies P.
Example: let M be a multiplication unit and P the property that after one cycle the output of M is the product of the inputs of M.
Slide 8 (Formal verification of hardware): Example: Formulation
Equations in Z/2^n, n ∈ {8, 16, 32, 64} (number of bits).
System M: M = {b + c − d, a·d − e}
Property P: P = {b, a·c − f}
M together with ¬P: M ∪ {b, a·c − f} ∪ {f − e ≠ 0} (not closed)
f ≠ e iff there is an s with s·(f − e) = 2^{n−1} (in Z/2^n!)
Slide 9 (Formal verification of hardware): Proving a property with SAT
[Figure; not reproduced in the transcription]
Slide 10 (Formal verification of hardware): Example: Encoding b + c = d, a·d = e
Encoding in Z/2 = Z_2 (bit level):
- Display every number through its bits: a = a_0 + a_1·2 + ... + a_{n−1}·2^{n−1}.
- Rewrite the equations in a_i, b_i, c_i, d_i, e_i, f_i. The polynomial for e_5 contains the variables a_0, a_1, a_2, a_3, a_4, a_5, b_0, b_1, b_2, b_3, b_4, b_5.
- For every equation, n (number of bits) equations are created.
- Add 1 + f_i + e_i (which is 0 iff f_i ≠ e_i).
- Gather all polynomials in I. Is V_{Z_2}(I) = ∅?
Encoding in Z/2^n = Z_{2^n} (word level):
- I = M ∪ P ∪ {s·(e − f) − 2^{n−1}}
- V_{Z_{2^n}}(I) = ∅ ⇔ M satisfies P.
Slide 11 (Formal verification of hardware): Example for n = 4: p = a·b
a = a_0 + 2a_1 + 2^2 a_2 + 2^3 a_3
b = b_0 + 2b_1 + 2^2 b_2 + 2^3 b_3
p = p_0 + 2p_1 + 2^2 p_2 + 2^3 p_3
p_3 = a_3 b_0 + a_2 b_1 + a_1 b_2 + a_0 b_3 + a_2 a_1 a_0 b_1 b_0 + a_2 a_1 b_1 b_0 + a_2 a_0 b_2 b_0 + a_1 a_0 b_2 b_1 b_0 + a_1 a_0 b_2 b_1 + a_1 a_0 b_1 b_0
p_2 = a_2 b_0 + a_1 b_1 + a_0 b_2 + a_1 a_0 b_1 b_0
p_1 = a_1 b_0 + a_0 b_1
p_0 = a_0 b_0
Slide 12 (Formal verification of hardware): Solving in Z_2 and in Z_{2^n}
Solving in Z_2: let I_0 be the ideal of vanishing polynomials in Z_2[x], i.e. the ideal generated by x_i^2 − x_i for every variable x_i. Compute a Gröbner basis of I in the ring Z_2[x]/I_0. In this ring every ideal is a principal ideal. Moreover, I = ⟨1⟩ ⇔ V(I) = ∅ ⇔ property P holds (since we added the field equations).
Solving in Z_{2^n}: let I_0 be the ideal of vanishing polynomials in Z_{2^n}[x]. This ideal has more structure than in the field case, and even its Gröbner basis can become huge. Compute a Gröbner basis of I in the ring Z_{2^n}[x]/I_0. There is no theorem similar to the Nullstellensatz.
Slide 13: Modeling advantages and disadvantages
Utilizing Z_2: bit-level modeling is always possible. Disadvantage: a huge number of variables and equations.
Utilizing Z_{2^n}: word-level modeling is not always possible (there are more functions than polynomial functions), and the ring Z_{2^n} has zero-divisors. Advantage: requires fewer variables and equations.
Slide 14: Modeling advantages and disadvantages: Functions versus polynomials
Functions: Z_m^k → Z_m.
Theorem (Gröbner basis for the ideal of vanishing polynomials): there exists a Gröbner basis G_0 of I_0 which is independent of the global ordering, and it can be stated explicitly.
There are a lot more functions than polynomial functions in the case of Z/m = Z_m where m is not prime.
[Table (k = 1): number of functions F versus number of polynomial functions R[x]/I_0 for m = 2^2, 2^8, 2^16, 2^32; the numeric entries did not survive the transcription.]
Slide 15: Standard Bases over Rings
Assumption: let R be a noetherian ring with 1, and assume that linear equations are solvable in R (zero-divisors are allowed). Then we can compute standard bases and syzygies.
Standard bases theory: for arbitrary monomial orders there exists a weak normal form algorithm and a variant of Buchberger's algorithm. Hence standard bases are computable for arbitrary orders, given that linear equations are solvable. Note that "linear equations are solvable" includes the computation of syzygy generators in the coefficient ring.
Slide 16: Standard Bases over Rings
Notation:
- < a monomial order (global, local or mixed)
- LT(f), LM(f), LC(f): leading term, leading monomial, leading coefficient
- L(I): the ideal of leading terms
- R[x_1, ..., x_n]_< = { f/g : f ∈ R[x], LT(g) ∈ R^* }
Definition of standard bases: let I ⊆ R[x_1, ..., x_n]_< be an ideal. G is a standard basis of I if G ⊆ I and L(G) = L(I). G is a strong standard basis of I if for every f ∈ I \ {0} there is a g ∈ G with LT(g) | LT(f).
Slide 17: Standard Bases over Weak Factorial Rings
Let R be a noetherian ring with 1 and R^* the multiplicative group of its units.
Definition: a map ν = (ν_p)_{p ∈ P}: R → N^(P), ν_p: R → N, with P ⊆ R \ R^*, is an element factorization for R if ν(a) < ∞ for all a ∈ R (only finitely many ν_p(a) are nonzero) and for any a ∈ R there is a unit n ∈ R^* with a = n · ∏_{p ∈ P} p^{ν_p(a)} =: n · p^{ν(a)}. If furthermore a | b ⇒ ν(a) ≤ ν(b) for all a, b ∈ R, we call R weak factorial w.r.t. (ν, P). Note that zero divisors are allowed.
Slide 18: Standard Bases over Weak Factorial Rings
Problem in rings with zero-divisors: in Z_12, 6 = 3·6 = 3·3·6 = ... (no finite decomposition into irreducible elements).
Element factorization: in the case of Z/m with m = p_1^{e_1} ··· p_n^{e_n}, we define ν by ν_i(a) = min{ν^Z_{p_i}(a), e_i} (the p_i-adic valuation of a as an integer, capped at e_i), with P = {p_1, ..., p_n}; for instance ν_3(9) = 1 in Z/12, where 9 = 3·3 but also 9 = 7·3 (nice weak factorial).
Examples of noetherian weak factorial principal rings: the ring of integers Z, the quotient rings Z_m, and for every prime ideal P ⊂ Z the local ring (Z \ P)^{−1} Z. Also a finite product of such rings is noetherian weak factorial and principal.
Slide 19: Standard Bases over Weak Factorial Rings
Theorem (Buchberger algorithm over weak factorial principal rings):
- There exists an algorithm to compute a weak normal form for any ordering, similar to the classical one.
- New type of s-polynomial due to zero divisors as leading coefficients.
- Take leading terms instead of leading monomials.
- The Buchberger criterion and the syzygy basis theorem remain valid (same formulation, but with the new s-polynomials).
Example: 2x + y ∈ I ⊆ Z/12[x, y] implies 6y ∈ I (a single polynomial need not be a Gröbner basis).
NF(x | {2x, 3x}) = 0, but NF(x | {2x}) = x and NF(x | {3x}) = x.
Slide 20: Standard Bases over Weak Factorial Rings: The 1-factorial case (Z/p^n)
Normal form: no solving of linear equations is necessary, only divisibility tests. Similar running time as for finite fields.
Buchberger algorithm: extra s-polynomials for every polynomial f with p | LC(f). More possibilities for the leading ideal, since coefficients matter. A further chain-like criterion due to the new s-polynomials.
Gröbner bases in the ring of polynomial functions (I_0 added): possible, but computationally difficult due to the very large G_0, even if only the needed elements of G_0 are generated on the fly.
Slide 21: Benchmarks: Gröbner bases in Z_{2^10}[x]
[Table: computation of a Gröbner basis in Z_{2^10} with degree reverse lexicographical ordering; columns #mons., #vars., #polys., maxdeg, #polys. in the GB, Singular time, Magma time. Randomly generated examples on an AMD Dual Opteron 2.2 GHz, 16 GB RAM. The numeric entries did not survive the transcription; several runs of one system are recorded as "time out after 1h".]
Slide 22: Standard Bases over Weak Factorial Rings: The general case (Z/m)
Problem: in the normal form computation, solving of linear equations is necessary.
Idea: compute a strong standard basis.
How? Generate extra gcd-polynomials, in the same way as s-polynomials are generated to compute classic standard bases.
Slide 23: Standard Bases over Weak Factorial Rings: gcd-polynomials (the general case Z/m)
Let g, f ∈ R[x] with g = c_g·x^g + ... and f = c_f·x^f + ... (leading terms written first). Compute d_g, d_f with d_g·c_g + d_f·c_f = gcd(c_g, c_f) and add
gcd_poly(g, f) = d_g·g + d_f·f = gcd(c_g, c_f)·lcm(x^g, x^f) + ...
to the critical pair set (here g and f are first multiplied by the monomials that bring their leading monomials to lcm(x^g, x^f)).
Benefits: no solving of linear equations in every step of the normal form algorithm; reduced coefficient growth in infinite rings.
Slide 24: A Polynomial Framework for Boolean Rings: Boolean functions and polynomials
B_n := {f : Z_2^n → Z_2} is the ring of Boolean functions.
R_n := the ring of Boolean polynomials, consisting of polynomials of the form
p = a_1·x_1^{ν_11} ··· x_n^{ν_1n} + ... + a_m·x_1^{ν_m1} ··· x_n^{ν_mn}
under the restrictions a_i ∈ {0, 1} (coefficients in Z_2) and ν_ij ≤ 1 (degree bound due to the constraints x_i^2 = x_i).
Slide 25: A Polynomial Framework for Boolean Rings: Boolean rings
R_n ⊆ Z_2[x_1, ..., x_n] is given a ring structure via the canonical bijection to the quotient ring Q_n := Z_2[x_1, ..., x_n]/⟨x_1^2 − x_1, ..., x_n^2 − x_n⟩. Since Z_2 is a field, B_n, R_n and Q_n can be canonically identified. We call any of them a Boolean ring. Note that they have quite different representations.
Slide 26: Ideals and varieties over Boolean rings
One-to-one correspondences:
- Boolean polynomials ↔ Boolean functions (interpolation)
- sets ↔ algebraic sets in Z_2^n (indicator functions)
- algebraic sets ↔ Boolean ideals (Boolean ideals are radical)
- Boolean polynomials ↔ ideals containing the field polynomials ↔ reduced Gröbner bases (Boolean ideals are principal)
In the case of Z_m none of these correspondences survives.
Slide 27: Boolean polynomials as sets
Set representation of Boolean polynomials: a Boolean monomial can be considered as a subset s of {x_1, ..., x_n}, and any Boolean polynomial p as a subset S_p of the set of all monomials, such that p = Σ_{s ∈ S_p} (∏_{x_ν ∈ s} x_ν).
Example: x·y + x + z = {{x, y}, {x}, {z}}
Addition in set representation: let p = Σ_{s ∈ S_p} (∏_{x_ν ∈ s} x_ν) and q = Σ_{s ∈ S_q} (∏_{x_ν ∈ s} x_ν) be Boolean polynomials; then addition is given as p + q = Σ_{s ∈ S_{p+q}} (∏_{x_ν ∈ s} x_ν) for the set S_{p+q} = (S_p ∪ S_q) \ (S_p ∩ S_q).
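The following Python block is an added example and is not code from the talk or from PolyBoRi. It implements the set representation of slide 27 (a polynomial is a set of monomials, a monomial a set of variable names, addition is the symmetric difference, and a product of monomials is their union because x_i^2 = x_i) and then uses that arithmetic for the bit-level encoding of slides 10 and 11: the product bits p_0, ..., p_{n−1} of an n-bit multiplier are built symbolically from a shift-and-add circuit, which reproduces the formulas for p_3, ..., p_0 on slide 11. The class and function names (BoolPoly, full_add, multiplier_bits, check_multiplier) are my own; the property check at the end is a brute-force evaluation over all inputs, not the Gröbner basis computation of slide 12.

```python
from itertools import product


class BoolPoly:
    """Boolean polynomial in set representation (slide 27): a frozenset of
    monomials, each monomial a frozenset of variable names.  frozenset() is
    the constant 1; the empty polynomial is 0."""

    __slots__ = ("terms",)

    def __init__(self, terms=()):
        self.terms = frozenset(terms)

    @classmethod
    def var(cls, name):
        return cls({frozenset([name])})

    def __add__(self, other):
        # S_{p+q} = (S_p ∪ S_q) \ (S_p ∩ S_q): the symmetric difference
        return BoolPoly(self.terms ^ other.terms)

    def __mul__(self, other):
        # Monomials multiply by union (x_i^2 = x_i); a product that occurs
        # twice cancels modulo 2, so accumulate with symmetric difference too.
        out = set()
        for s in self.terms:
            for t in other.terms:
                out ^= {s | t}
        return BoolPoly(out)

    def __eq__(self, other):
        return isinstance(other, BoolPoly) and self.terms == other.terms

    def __hash__(self):
        return hash(self.terms)

    def evaluate(self, point):
        """Value in Z_2 at a dict {variable name: 0/1}."""
        return sum(all(point[v] for v in m) for m in self.terms) % 2

    def __str__(self):
        if not self.terms:
            return "0"
        mons = sorted(self.terms, key=lambda m: (-len(m), sorted(m)))
        return " + ".join("*".join(sorted(m)) or "1" for m in mons)


def full_add(a, b, cin):
    """One-bit full adder on Boolean polynomials: (sum bit, carry bit)."""
    return a + b + cin, a * b + a * cin + b * cin


def multiplier_bits(n):
    """Bit-level encoding of p = a*b in Z/2^n (slide 10): returns the
    polynomials p_0, ..., p_{n-1} in the bit variables a_i, b_j, built by
    shift-and-add with ripple-carry adders; carries past bit n-1 are dropped."""
    a = [BoolPoly.var(f"a{i}") for i in range(n)]
    b = [BoolPoly.var(f"b{j}") for j in range(n)]
    acc = [BoolPoly()] * n
    for j in range(n):
        carry = BoolPoly()
        for i in range(n - j):
            acc[i + j], carry = full_add(acc[i + j], a[i] * b[j], carry)
    return acc


def check_multiplier(n):
    """Property check by exhaustive evaluation: every p_i agrees with bit i of
    (a*b) mod 2^n for all 2^(2n) inputs (the brute-force counterpart of
    proving V(I) = ∅ with a Gröbner basis as on slide 12)."""
    bits = multiplier_bits(n)
    for a, b in product(range(2 ** n), repeat=2):
        point = {f"a{i}": (a >> i) & 1 for i in range(n)}
        point.update({f"b{j}": (b >> j) & 1 for j in range(n)})
        if any(bits[i].evaluate(point) != (((a * b) >> i) & 1) for i in range(n)):
            return False
    return True


if __name__ == "__main__":
    x, y, z = (BoolPoly.var(v) for v in "xyz")
    print(x * y + x + z)                       # x*y + x + z  (slide 27 example)
    for i, p in reversed(list(enumerate(multiplier_bits(4)))):
        print(f"p_{i} = {p}")                  # the formulas of slide 11
    print(check_multiplier(4))                 # True
```

Because the algebraic normal form of a Boolean function is unique, any correct multiplier circuit yields the same polynomials, which is why the shift-and-add construction reproduces slide 11 exactly; the dense p_3 (ten terms for n = 4) illustrates the bit-level blow-up that slide 13 lists as the disadvantage of Z_2 modeling.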
Slide 28: Binary Decision Diagrams
A Binary Decision Diagram (BDD) is a rooted tree with
- terminal nodes {0, 1}
- decision nodes, two edges per node (corresponding to x_i := true or x_i := false)
A BDD is ordered if the variable order is constant over all paths.
[Figure: BDD of f = xy + x + z]
Slide 29: Zero-suppressed Binary Decision Diagrams
A Zero-suppressed BDD (ZDD) is an ordered BDD reduced by
- merging of equal subgraphs
- the node elimination rule: remove a node if its then-edge points to the 0-terminal
[Figure: stepwise reduction of the diagram for f = xy + x + z]
Slide 34: Boolean polynomials as ZDDs
Use ZDDs to store the term structure, represented as sparse sets, not the Boolean function behind it!
Advantages:
- Compact data structure, suitable for sparse subsets S_p of the power set over the variables.
- The polynomial structure is still recognizable.
Properties:
- Polynomial arithmetic can be done using set operations.
- Valid paths (to the 1-terminal) correspond to polynomial terms.
- The natural path sequence is in lexicographical order.
- Ordering-dependent functionality is possible for degree and product orderings with reasonable effort (trivial for lex).
Slide 35: C++ library PolyBoRi
- Internal data structure based on ZDDs.
- High-level data types for Boolean polynomials, monomials, and exponent vectors hide ZDD management from the user.
- Implements polynomial arithmetic and basic functionality.
- Ordering-dependent procedures for leading terms, monomial comparisons, iterating over terms, ...
- A Singular interface is scheduled.
Python interface:
- Parsing of complex polynomial systems, interactive use as a command line tool (via ipython).
- Extensive test suite for periodic checks during development (mainly satisfiability examples; some from cryptography).
- Sophisticated and extendable strategies for Gröbner bases.
Slide 36: Gröbner Bases on Top of PolyBoRi
Task (algorithm and implementation): design and implement a Gröbner basis algorithm for an ideal in a Boolean ring generated by Boolean polynomials.
Proposed method: symmgbf2 (= slimgb + symmetry)
- Use slimgb, which introduced new concepts into GB calculation.
- Use symmetry, i.e. the special structure of ideals in Boolean rings.
- Many examples from practice are highly symmetric: cryptography (AES), electrical engineering (integrated circuits), invariant theory.
- Avoid multiple computations for similar patterns.
Slide 37: PolyBoRi benchmarks: Formal verification
[Table: timings and memory usage (s, MB) of PolyBoRi, FGb via Maple, Magma and Singular on the benchmark examples mult4x..., mult5x..., mult6x..., mult8x..., mult10x... (full example names and the numeric entries did not survive the transcription; one run is marked "failed"). The symbols in the time and memory columns mark a timeout after 1 hour and running out of memory at 15 GB.]
Slide 38: PolyBoRi benchmarks: Various orderings
[Table: timings and memory usage of PolyBoRi and Magma for Gröbner basis computations w.r.t. the orderings lp, dlex and dp asc on three "uuf..." examples (full names and most numbers did not survive the transcription). Surviving entries for the first example: lp 8.76 s (PolyBoRi) vs. 9.77 s (Magma); dlex 8.98 s (PolyBoRi); dp asc 8.14 s (PolyBoRi) vs. 8.40 s (Magma). The symbol in the table means a timeout after 2 days, "failed" means stopped with an error message, and dp asc denotes dp with reversed variable order.]
Slide 39: PolyBoRi benchmarks: Satisfiability
Example      MiniSat time   MiniSat memory
hole...      0.30 s         2.08 MB
hole...      2.31 s         2.35 MB
hole...      (lost)         3.24 MB
hole...      (lost)         7.19 MB
hole...      (lost)         (lost)
mult4x...    0.00 s         1.95 MB
mult5x...    0.01 s         1.95 MB
mult6x...    0.03 s         1.95 MB
mult8x...    0.96 s         2.21 MB
mult10x...   (lost)         3.61 MB
Table: deciding satisfiability with PolyBoRi using Gröbner basis computations, in comparison with MiniSat, a state-of-the-art SAT solver. The Vars./Eqs. and PolyBoRi columns, the full example names and the entries marked (lost) did not survive the transcription.
Slide 40 (PolyBoRi - Cryptography): CTC and AES
Final goal: attack AES (Advanced Encryption Standard since 2001); originally it encodes 128-bit blocks with 128-bit keys (4 by 4 arrays of bytes), 10 rounds.
Test algorithms on easier but similar ciphers:
- Small scale variants of AES, AES-n-r-c-e: variable number of rounds n (1-10), rows r and columns c of the arrays (1, 2 or 4), size e of a bit vector (4 or 8).
- Courtois Toy Cipher (2006): similarly designed but more scalable than AES; designed for testing algebraic attacks.
Slide 41 (PolyBoRi - Cryptography): Scaled AES description
Perform some prescribed set of operations n times (rounds). Plaintext (known), ciphertext (known), key (unknown) and all intermediate states are vectors of length r·c·e bits, and are seen as arrays with r rows and c columns. For example, if r = 2, c = 4, e = 8:
  P_1 P_3 P_5 P_7
  P_2 P_4 P_6 P_8
So the vector p = (p_1, ..., p_64) is seen as the array above with entries P_1 = (p_1, ..., p_8), P_2 = (p_9, ..., p_16), ...
The original AES has n = 10, r = c = 4, e = 8 (there are 2^128 keys).
Slide 42 (PolyBoRi - Cryptography): Scaled AES description
The ciphertext c is created from the plaintext p and the key k_0 as follows:
- Initial componentwise key addition: w_0 := p + k_0. w_0 is an array with entries w_{0,1}, ..., w_{0,rc}.
- For i = 1, ..., rc perform a nonlinear transformation SBOX(w_{0,i}), where w_{0,i} is seen as an element of GF(2^e). SBOX(a) is defined as:
  1. a ↦ b, where b = a^{−1} if a ≠ 0 and b = 0 if a = 0;
  2. b is seen as a vector from GF(2)^e, then b ↦ c = L_SBOX(b), where L_SBOX is an affine transformation defined over GF(2)^e.
- The result is an array x_1 with entries x_{1,1}, ..., x_{1,rc}, where x_{1,i} = SBOX(w_{0,i}).
Slide 43 (PolyBoRi - Cryptography): Scaled AES description
The array x_1 is then processed with two linear transformations:
1. ShiftRows: the i-th row of the array x_1 is cyclically shifted by (i − 1) positions to the right, giving the shifted array.
2. MixColumns: denote the columns of the shifted array by α_1, ..., α_c. They are considered as vectors from GF(2^e)^r. There is a prescribed matrix M with which β_i = M·α_i, i = 1, ..., c, are calculated.
3. The result x̂_1 has β_1, ..., β_c as its columns.
Slide 44 (PolyBoRi - Cryptography): Scaled AES description
- In parallel to the above, a similar procedure (called the key schedule) is performed to obtain k_1 from the initial key k_0.
- Key addition: w_1 = x̂_1 + k_1.
- Repeat the whole procedure above for (n − 1) more rounds. The resulting ciphertext is c = w_n.
It is possible to write a corresponding polynomial system defined over GF(2). It is possible to rewrite a round in such a way that the SBOX transformation only does the inversion, and a composition of three maps (one affine and two linear) is then applied to the whole array.
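As an added illustration of the round description on slides 42 to 44 (my own Python, not code from the talk or from PolyBoRi), the block below instantiates the two-step S-box for e = 8: inversion in GF(2^8), then the affine map L_SBOX. The field modulus t^8 + t^4 + t^3 + t + 1 and the affine map are the ones AES uses, so the result can be checked against the published AES S-box values; the function names (gf_mul, gf_inv, affine, sbox, shift_rows, check_inversion_relation) are assumptions of this example. ShiftRows follows the direction stated on slide 43 and the column-wise array layout of slide 41.

```python
# Added example: the S-box of slide 42 for e = 8 and ShiftRows of slide 43.
AES_MODULUS = 0x11B  # t^8 + t^4 + t^3 + t + 1, the AES field polynomial


def gf_mul(a, b):
    """Product in GF(2^8): shift-and-add with reduction modulo AES_MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_MODULUS
        b >>= 1
    return r


def gf_inv(a):
    """Step 1 of SBOX on slide 42: b = a^-1 for a != 0 and b = 0 for a = 0.
    For a != 0, a^254 = a^-1 because the multiplicative group has order 255."""
    if a == 0:
        return 0
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def rotl8(x, k):
    return ((x << k) | (x >> (8 - k))) & 0xFF


def affine(b):
    """Step 2 of SBOX: the affine map L_SBOX over GF(2)^8, here AES's
    b + rotl(b,1) + rotl(b,2) + rotl(b,3) + rotl(b,4) + 0x63."""
    return b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63


def sbox(a):
    return affine(gf_inv(a))


def check_inversion_relation():
    """The relation a*b = 1 that slide 49 turns into quadratic equations holds
    for every nonzero a, with b the value before the affine map."""
    return all(gf_mul(a, gf_inv(a)) == 1 for a in range(1, 256))


def shift_rows(state, r, c):
    """ShiftRows as stated on slide 43: row i (0-based) is rotated cyclically by
    i positions to the right.  `state` holds the r*c entries column by column,
    as in the array layout of slide 41 (P_1, P_2 form the first column)."""
    out = [0] * (r * c)
    for i in range(r):
        for j in range(c):
            out[i + r * j] = state[i + r * ((j - i) % c)]
    return out


if __name__ == "__main__":
    print([hex(sbox(v)) for v in (0x00, 0x01, 0x53)])   # ['0x63', '0x7c', '0xed']
    print(check_inversion_relation())                    # True
    print(shift_rows(list(range(1, 9)), r=2, c=4))      # [1, 8, 3, 2, 5, 4, 7, 6]
```

The slide states the row rotation "to the right"; in AES proper (FIPS 197) the rows are rotated to the left, so for a bit-exact model of the standard cipher the index in shift_rows becomes (j + i) % c. The small-scale variants with e = 4 use a different field polynomial and affine map, which the slides do not give, so this block deliberately sticks to the e = 8 instance that can be verified.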
Slide 45 (PolyBoRi - Cryptography): Structure of equations
The structure of the equations for AES and CTC is similar. The system for AES can be seen as iterative blocks of equations, where the output variables of one block are the input variables of the next block (system S), so blocks only intersect on a frontier. Every block has a similar structure, and the equations therein are of two types:
- quadratic equations, corresponding to the Substitution Box (nonlinear operation)
- linear equations, corresponding to the Diffusion Layer
Slide 46 (PolyBoRi - Cryptography): Ideas
Schematically, at the beginning we have the system S of the form
  w_0 = p + k_0,
  SBOX(x_i, w_{i−1}) = 0, i = 1, ..., n,
  w_i = L(x_i) + k_i, i = 1, ..., n − 1,
  SBOX_K(s_i, k_{i−1}) = 0, i = 1, ..., n,
  k_i = L_K(s_i), i = 1, ..., n,
  c = L(x_n) + k_n,
together with the field equations. Here SBOX, SBOX_K are the quadratic S-Box transformations for the encryption and the key schedule respectively; L, L_K are affine transformations.
Slide 47 (PolyBoRi - Cryptography): Ideas
Rewrite the equations in the S-Boxes so that every output variable can be expressed via the input variables of the S-Box (by a GB computation w.r.t. some block ordering).
+ It is easier to see how every variable depends on the preceding variables.
− The degree of the equations rises from 2 to 3 (for e = 4) or to 7 (for e = 8).
Get the system S_1 by writing the equations in this way. The major part of this system S_1 is already a Gröbner basis w.r.t. some degree ordering. Get the system S_2 by doing a normal form computation of the remaining equations modulo the major part. S_2 is a system in the initial key variables only.
Slide 48 (PolyBoRi - Cryptography): Ideas
Rewriting the S-Boxes yields the system S_1:
  w_0 = p + k_0,
  x_i = sbox(w_{i−1}), i = 1, ..., n,
  w_i = L(x_i) + k_i, i = 1, ..., n − 1,
  s_i = sbox_K(k_{i−1}), i = 1, ..., n,
  k_i = L_K(s_i), i = 1, ..., n,
  c = L(x_n) + k_n,
which are satisfied with high probability. Here sbox, sbox_K are the higher degree S-Box transformations for the encryption and the key schedule respectively.
Slide 49 (PolyBoRi - Cryptography): Ideas
An example of how an S-Box changes for e = 4 follows.
A quadratic S-Box from the system S (from a·b = 1):
  x_2 w_3 + x_1 w_3 + x_3 w_2 + x_2 w_2 + x_3 w_1 + x_0 w_? = 0,   (the index of the last w did not survive the transcription)
  x_3 w_3 + x_1 w_3 + x_2 w_2 + x_3 w_1 + x_0 w_1 + x_1 w_0 = 0,
  x_1 w_3 + x_2 w_2 + x_0 w_2 + x_3 w_1 + x_1 w_1 + x_2 w_0 = 0,
  x_1 w_3 + x_0 w_3 + x_2 w_2 + x_1 w_2 + x_3 w_1 + x_2 w_1 + x_3 w_0 = 0.
A cubic S-Box from the system S_1 (rewrite b = f(a)):
  x_0 = w_3 w_2 w_1 + w_2 w_1 w_0 + w_2 w_1 + w_2 w_0 + w_3 + w_2 + w_1 + w_0,
  x_1 = w_3 w_1 w_0 + w_3 w_1 + w_2 w_1 + w_2 w_0 + w_1 w_0 + w_3,
  x_2 = w_3 w_2 w_0 + w_3 w_0 + w_2 w_0 + w_1 w_0 + w_3 + w_2,
  x_3 = w_3 w_2 w_1 + w_3 w_2 + w_3 w_1 + w_3 w_0 + w_3 + w_2 + w_1.
Slide 50 (PolyBoRi - Cryptography): Benchmarks on the systems S_1
Example (S_1)   var   eq   PolyBoRi              Singular
ctc...          -     -    - s, 49 MB            32 s, 69 MB
ctc...          -     -    - s, 52 MB            117 s, 154 MB
ctc...          -     -    - s, 69 MB            748 s, 379 MB
aes pp...       -     -    - s                   0.25 s
aes pp...       -     -    - s, 50 MB            18 s
aes pp...       -     -    - s, 51 MB            1080 s, 694 MB

Example (S_1)   var   eq   Magma                 Maple
ctc...          -     -    - s, 64 MB            > 1800 s
ctc...          -     -    - s, 335 MB           -
ctc...          -     -    > 3000 s, > 570 MB    -
aes pp...       -     -    - s, 9.25 MB          > 1000 s
aes pp...       -     -    - s, 211 MB           -
aes pp...       -     -    - s, 477 MB           > 70 h
Entries marked "-", and the parameters in the example names, did not survive the transcription.
Slide 51 (Cryptography): Ideas
The method of the S_2 system gives an opportunity to use many plaintext/ciphertext pairs, which was not possible when working with the systems S or S_1. We could attack keys of weight up to 4 in the small scale cipher of 3 rounds, dimensions 2×2, e = 4 (aes...): in 250 sec with SINGULAR using 100 pairs.
Drawback: high degree (r·c·e), dense equations (every term appears practically with probability 1/2) in the resulting system S_2, composed of only key variables.
Slide 52 (Cryptography): Cutting technique
Let f_i(x_1, ..., x_n) = 0, i = 1, ..., m, be a polynomial system over GF(2). If a ∈ GF(2)^n is a solution, f_i(a) = 0 for all i, such that weight(a) := #{i | a_i ≠ 0} = s, then a is also a solution of f̄_i(x_1, ..., x_n) = 0, i = 1, ..., m, where f̄_i is obtained from f_i by dropping the monomials of degree > s.
So, if we are looking for solutions of low weight in a system composed of high degree polynomials, it is sufficient to consider the low-degree parts of every polynomial in the system.
Slide 53 (Cryptography): Cutting technique
Let supp(a) = {i | a_i ≠ 0} and weight(a) = s. Perform the coordinate change x_i ↦ x_i + 1 for i ∈ I ⊆ supp(a) on the initial system f_i(x_1, ..., x_n) = 0, i = 1, ..., m. Let s' = s − |I|; then there is a solution a' for the system f̄'_i(x_1, ..., x_n) = 0, i = 1, ..., m, where each f̄'_i is obtained from the transformed f'_i by dropping the monomials of degree > s'. By doing x_i ↦ x_i + 1 for i ∈ I again, we are able to find the solution a of weight s > s', working with a system composed of polynomials of degree ≤ s'.
Thus, by doing the coordinate change x_i ↦ x_i + 1 for several i's on the initial system S_1 and working with the linear (or quadratic) parts of the equations, we reduce the problem of finding a key to solving many simple linear (or quadratic) systems instead of one large S_2.
Slide 54 (Cryptography): Cutting technique
Using this cutting technique, even with a naive Python script half of the key space of
- aes... can be scanned in < 3 min
- aes... can be scanned in < 30 min
- with negligible memory consumption.
Exhaustive search turns out to be a particular case of the above, if we consider only the constant terms in the system every time; the coordinate change then corresponds to a trial key selection. It is faster than the linear or quadratic analogue.
Further analysis may reveal benefits of the linear (or quadratic) cutting technique.
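The following Python block is an added worked example of the three statements on slides 52 to 54 and is not the talk's script or any PolyBoRi code. It builds a constructed toy system of eight dense polynomials in six variables over GF(2) with a planted solution of weight 2 (a stand-in for the key-only system S_2), then checks on it that (1) dropping monomials of degree > s keeps the weight-s solution (slide 52), (2) the coordinate change x_i ↦ x_i + 1 on a subset of the support lowers the weight so that the linear parts suffice (slide 53), and (3) keeping only constant terms turns the procedure into exhaustive search over trial supports (slide 54). All function names (evaluate, truncate, shift, solutions, make_demo_system, cutting_demo) and the sample system are assumptions of this example.

```python
import itertools
import random

# Added example: a polynomial over GF(2) is a frozenset of monomials, a monomial
# a frozenset of variable indices (frozenset() is the constant 1); addition is
# the symmetric difference of the monomial sets.


def evaluate(poly, point):
    """Value of poly at the 0/1 tuple point."""
    return sum(all(point[i] for i in mono) for mono in poly) % 2


def weight(point):
    return sum(point)


def degree(poly):
    return max((len(mono) for mono in poly), default=0)


def truncate(poly, s):
    """Drop every monomial of degree > s (slide 52): a solution of weight <= s
    survives because such monomials vanish on it."""
    return frozenset(mono for mono in poly if len(mono) <= s)


def shift(poly, shifted):
    """Coordinate change x_i -> x_i + 1 for i in shifted (slide 53): a monomial
    containing k shifted variables expands into the 2^k monomials obtained by
    keeping any subset of them."""
    out = set()
    for mono in poly:
        hit = sorted(mono & shifted)
        rest = mono - shifted
        for k in range(len(hit) + 1):
            for sub in itertools.combinations(hit, k):
                out ^= {rest | frozenset(sub)}
    return frozenset(out)


def solutions(system, n, max_weight):
    """All points of GF(2)^n of weight <= max_weight solving every polynomial."""
    return [pt for pt in itertools.product((0, 1), repeat=n)
            if weight(pt) <= max_weight and all(evaluate(f, pt) == 0 for f in system)]


def make_demo_system(n=6, m=8, max_deg=4, seed=7):
    """Constructed toy system: random dense polynomials whose constant terms are
    adjusted so that the hidden weight-2 'key' is a common zero."""
    rng = random.Random(seed)
    key = tuple(1 if i in (0, 3) else 0 for i in range(n))
    system = []
    for _ in range(m):
        poly = set()
        for d in range(1, max_deg + 1):
            for vs in itertools.combinations(range(n), d):
                if rng.random() < 0.5:
                    poly.add(frozenset(vs))
        poly = frozenset(poly)
        if evaluate(poly, key) == 1:
            poly ^= {frozenset()}
        system.append(poly)
    return system, key


def cutting_demo():
    system, key = make_demo_system()
    n, s = len(key), weight(key)
    # Slide 52: the degree-s cut still has key among its low-weight solutions.
    cut = [truncate(f, s) for f in system]
    # Slide 53: shift by I = {0}, a subset of supp(key); key + e_I has weight
    # s - 1, so the linear parts of the shifted system suffice to find it.
    I = frozenset({0})
    key_shifted = tuple(b ^ (i in I) for i, b in enumerate(key))
    linear = [truncate(shift(f, I), s - len(I)) for f in system]
    # Slide 54: exhaustive search is the degree-0 cut; a shift by a trial support
    # leaves only constant terms, consistent iff every constant term vanishes.
    consistent = [
        frozenset(trial)
        for k in range(s + 1)
        for trial in itertools.combinations(range(n), k)
        if all(truncate(shift(f, frozenset(trial)), 0) == frozenset() for f in system)
    ]
    return {
        "max_degree": max(degree(f) for f in system),
        "key_in_cut": key in solutions(cut, n, s),
        "cut_degree": max(degree(f) for f in cut),
        "shifted_weight": weight(key_shifted),
        "linear_degree": max(degree(f) for f in linear),
        "shifted_key_in_linear": key_shifted in solutions(linear, n, s - len(I)),
        "support_found": frozenset(i for i, b in enumerate(key) if b) in consistent,
    }


if __name__ == "__main__":
    for name, value in cutting_demo().items():
        print(f"{name}: {value}")
```

The truncated systems may have spurious low-weight solutions in addition to the planted one, which is why the slides speak of solving "many simple linear (or quadratic) systems": each candidate from a cut system still has to be checked against the original equations (here by evaluate), exactly as a trial key from exhaustive search would be checked against a known plaintext/ciphertext pair.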
Slide 55: Conclusion
More problems in mathematics, science and engineering wait for new, perhaps specialized, applications of Gröbner bases.
We considered real life challenges coming from
- formal verification (in collaboration with electrical engineers)
- crypto systems
We considered improvements for GB computations
- over weak factorial rings (new s-polys, new criteria)
- by special data structures (PolyBoRi)
- by specialized algorithms (using symmetry)
By using this we showed that Gröbner bases
- are comparable to state-of-the-art SAT solvers in verification
- can be used to rewrite crypto systems in the key variables only, for better algebraic attacks on AES
Algebraic Aspects of Symmetric-key Cryptography
Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information Security Group Royal Holloway, University of London 04.May.2007 ECRYPT Summer School 1 Algebraic Techniques
More informationGröbner Bases. Applications in Cryptology
Gröbner Bases. Applications in Cryptology Jean-Charles Faugère INRIA, Université Paris 6, CNRS with partial support of Celar/DGA FSE 20007 - Luxembourg E cient Goal: how Gröbner bases can be used to break
More informationGroebner Bases in Boolean Rings. for Model Checking and. Applications in Bioinformatics
Groebner Bases in Boolean Rings for Model Checking and Applications in Bioinformatics Quoc-Nam Tran, Ph.D. Professor of Computer Science Lamar University Invited Talk at CMU on October 8, 2010 Outline
More informationA Polynomial Description of the Rijndael Advanced Encryption Standard
A Polynomial Description of the Rijndael Advanced Encryption Standard arxiv:cs/0205002v1 [cs.cr] 2 May 2002 Joachim Rosenthal Department of Mathematics University of Notre Dame Notre Dame, Indiana 46556,
More informationOutline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael
Outline CPSC 418/MATH 318 Introduction to Cryptography Advanced Encryption Standard Renate Scheidler Department of Mathematics & Statistics Department of Computer Science University of Calgary Based in
More informationCurrent Advances. Open Source Gröbner Basis Algorithms
Current Advances in Open Source Gröbner Basis Algorithms My name is Christian Eder I am from the University of Kaiserslautern 3 years ago Christian Eder, Jean-Charles Faugère A survey on signature-based
More informationObtaining and solving systems of equations in key variables only for the small variants of AES
Obtaining and solving systems of equations in key variables only for the small variants of AES Stanislav Bulygin and Michael Brickenstein October 9, 2008 Abstract This work is devoted to attacking the
More informationDESPITE considerable progress in verification of random
IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS 1 Formal Analysis of Galois Field Arithmetic Circuits - Parallel Verification and Reverse Engineering Cunxi Yu Student Member,
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationAnatomy of SINGULAR talk at p. 1
Anatomy of SINGULAR talk at MaGiX@LIX 2011- p. 1 Anatomy of SINGULAR talk at MaGiX@LIX 2011 - Hans Schönemann hannes@mathematik.uni-kl.de Department of Mathematics University of Kaiserslautern Anatomy
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation
More informationPolynomials, Ideals, and Gröbner Bases
Polynomials, Ideals, and Gröbner Bases Notes by Bernd Sturmfels for the lecture on April 10, 2018, in the IMPRS Ringvorlesung Introduction to Nonlinear Algebra We fix a field K. Some examples of fields
More informationDecoding linear codes via systems solving: complexity issues
Decoding linear codes via systems solving: complexity issues Stanislav Bulygin (joint work with Ruud Pellikaan) University of Kaiserslautern June 19, 2008 Outline Outline of the talk Introduction: codes
More informationVirtual isomorphisms of ciphers: is AES secure against differential / linear attack?
Alexander Rostovtsev alexander. rostovtsev@ibks.ftk.spbstu.ru St. Petersburg State Polytechnic University Virtual isomorphisms of ciphers: is AES secure against differential / linear attack? In [eprint.iacr.org/2009/117]
More informationarxiv: v1 [cs.sc] 16 Nov 2016
1 Efficient Parallel Verification of Galois Field Multipliers Cunxi Yu, Maciej Ciesielski ECE Department, University of Massachusetts, Amherst, USA ycunxi@umass.edu, ciesiel@ecs.umass.edu arxiv:1611.05101v1
More informationLOOKING INSIDE AES AND BES
23 LOOKING INSIDE AES AND BES Ilia Toli, Alberto Zanoni Università degli Studi di Pisa Dipartimento di Matematica Leonida Tonelli Via F. Buonarroti 2, 56127 Pisa, Italy {toli, zanoni}@posso.dm.unipi.it
More informationElliptic Curve Discrete Logarithm Problem
Elliptic Curve Discrete Logarithm Problem Vanessa VITSE Université de Versailles Saint-Quentin, Laboratoire PRISM October 19, 2009 Vanessa VITSE (UVSQ) Elliptic Curve Discrete Logarithm Problem October
More informationWORKING WITH MULTIVARIATE POLYNOMIALS IN MAPLE
WORKING WITH MULTIVARIATE POLYNOMIALS IN MAPLE JEFFREY B. FARR AND ROMAN PEARCE Abstract. We comment on the implementation of various algorithms in multivariate polynomial theory. Specifically, we describe
More informationDivision Property: a New Attack Against Block Ciphers
Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption
More informationFrom Gauss. to Gröbner Bases. John Perry. The University of Southern Mississippi. From Gauss to Gröbner Bases p.
From Gauss to Gröbner Bases p. From Gauss to Gröbner Bases John Perry The University of Southern Mississippi From Gauss to Gröbner Bases p. Overview Questions: Common zeroes? Tool: Gaussian elimination
More informationJournal of Symbolic Computation. The Gröbner basis of the ideal of vanishing polynomials
Journal of Symbolic Computation 46 (2011) 561 570 Contents lists available at ScienceDirect Journal of Symbolic Computation journal homepage: www.elsevier.com/locate/jsc The Gröbner basis of the ideal
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationAlgebraic Attacks and Stream Ciphers
November 25 th, 24 Algebraic Attacks and Stream Ciphers Helsinki University of Technology mkivihar@cc.hut.fi Overview Stream ciphers and the most common attacks Algebraic attacks (on LSFR-based ciphers)
More informationIntro to Rings, Fields, Polynomials: Hardware Modeling by Modulo Arithmetic
Intro to Rings, Fields, Polynomials: Hardware Modeling by Modulo Arithmetic Priyank Kalla Associate Professor Electrical and Computer Engineering, University of Utah kalla@ece.utah.edu http://www.ece.utah.edu/~kalla
More informationEnhancing the Signal to Noise Ratio
Enhancing the Signal to Noise Ratio in Differential Cryptanalysis, using Algebra Martin Albrecht, Carlos Cid, Thomas Dullien, Jean-Charles Faugère and Ludovic Perret ESC 2010, Remich, 10.01.2010 Outline
More informationThe XL and XSL attacks on Baby Rijndael. Elizabeth Kleiman. A thesis submitted to the graduate faculty
The XL and XSL attacks on Baby Rijndael by Elizabeth Kleiman A thesis submitted to the graduate faculty in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE Major: Mathematics
More informationarxiv: v1 [math.ac] 14 Sep 2016
NEW STRATEGIES FOR STANDARD BASES OVER Z arxiv:1609.04257v1 [math.ac] 14 Sep 2016 CHRISTIAN EDER, GERHARD PFISTER, AND ADRIAN POPESCU Abstract. Experiences with the implementation of strong Gröbner bases
More informationA variant of the F4 algorithm
A variant of the F4 algorithm Vanessa VITSE - Antoine JOUX Université de Versailles Saint-Quentin, Laboratoire PRISM CT-RSA, February 18, 2011 Motivation Motivation An example of algebraic cryptanalysis
More informationChapter 4 Mathematics of Cryptography
Chapter 4 Mathematics of Cryptography Part II: Algebraic Structures Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 4.1 Chapter 4 Objectives To review the concept
Algebraic Varieties. Notes by Mateusz Michałek for the lecture on April 17, 2018, in the IMPRS Ringvorlesung Introduction to Nonlinear Algebra
Algebraic Varieties Notes by Mateusz Michałek for the lecture on April 17, 2018, in the IMPRS Ringvorlesung Introduction to Nonlinear Algebra Algebraic varieties represent solutions of a system of polynomial
Polynomial multiplication and division using heap.
Polynomial multiplication and division using heap. Michael Monagan and Roman Pearce Department of Mathematics, Simon Fraser University. Abstract We report on new code for sparse multivariate polynomial
Algebra Homework, Edition 2 9 September 2010
Algebra Homework, Edition 2 9 September 2010 Problem 6. (1) Let I and J be ideals of a commutative ring R with I + J = R. Prove that IJ = I J. (2) Let I, J, and K be ideals of a principal ideal domain.
CPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler's Theorem Generating RSA Modulus Finding primes by guess and check Density of
Sparse Polynomial Multiplication and Division in Maple 14
Sparse Polynomial Multiplication and Division in Maple 14 Michael Monagan and Roman Pearce Department of Mathematics, Simon Fraser University Burnaby B.C. V5A S6, Canada October 5, 9 Abstract We report
The Advanced Encryption Standard
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 48 The Advanced Encryption Standard Successor of DES DES considered insecure; 3DES considered too slow. NIST competition in 1997 15
Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES
CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.
The Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
Understanding and Implementing F5
Understanding and Implementing F5 John Perry john.perry@usm.edu University of Southern Mississippi Understanding and Implementing F5 p.1 Overview Understanding F5 Description Criteria Proofs Implementing
Attacking AES via SAT
Computer Science Department Swansea University BCTCS Warwick, April 7, 2009 Introduction In the following talk, a general translation framework, based around SAT, is considered, with the aim of providing
An Improved Affine Equivalence Algorithm for Random Permutations
An Improved Affine Equivalence Algorithm for Random Permutations Itai Dinur Department of Computer Science, Ben-Gurion University, Israel Abstract. In this paper we study the affine equivalence problem,
CPE 776: DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems
CPE 776: DATA SECURITY & CRYPTOGRAPHY Some Number Theory and Classical Crypto Systems Dr. Lo'ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Some Number Theory
Block Ciphers and Systems of Quadratic Equations
Block Ciphers and Systems of Quadratic Equations Alex Biryukov and Christophe De Cannière Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B 3001 Leuven-Heverlee, Belgium
Algebraic Cryptanalysis of Symmetric Primitives
Algebraic Cryptanalysis of Symmetric Primitives Editor Carlos Cid (RHUL) Contributors Martin Albrecht (RHUL), Daniel Augot (INRIA), Anne Canteaut (INRIA), Ralf-Philipp Weinmann (TU Darmstadt) 18 July 2008
Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2
0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod
Fields in Cryptography. Çetin Kaya Koç Winter 2017 1 / 30
Fields in Cryptography http://koclab.org Çetin Kaya Koç Winter 2017 1 / 30 Field Axioms Fields in Cryptography A field F consists of a set S and two operations which we will call addition and multiplication,
Algebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos
Abstract Algebra for Polynomial Operations. Maya Mohsin Ahmed
Abstract Algebra for Polynomial Operations Maya Mohsin Ahmed © Maya Mohsin Ahmed 2009 ALL RIGHTS RESERVED To my students As we express our gratitude, we must never forget that the highest appreciation
Slimgb. Gröbner bases with slim polynomials
Slimgb Gröbner bases with slim polynomials The Aim avoid intermediate expression swell Classical Buchberger algorithm with parallel reductions guided by new weighted length functions Often: big computations
MCS 563 Spring 2014 Analytic Symbolic Computation Monday 27 January. Gröbner bases
Gröbner bases In this lecture we introduce Buchberger's algorithm to compute a Gröbner basis for an ideal, following [2]. We sketch an application in filter design. Showing the termination of Buchberger
Linear Algebra, Boolean Rings and Resolution? Armin Biere. Institute for Formal Models and Verification Johannes Kepler University Linz, Austria
Linear Algebra, Boolean Rings and Resolution? Armin Biere Institute for Formal Models and Verification Johannes Kepler University Linz, Austria ACA 08 Applications of Computer Algebra Symbolic Computation
Calcul d'indice et courbes algébriques : de meilleures récoltes
Calcul d'indice et courbes algébriques : de meilleures récoltes Alexandre Wallet ENS de Lyon, Laboratoire LIP, Equipe AriC Alexandre Wallet De meilleures récoltes dans le calcul d'indice 1 / 35 Today:
Computing Minimal Polynomial of Matrices over Algebraic Extension Fields
Bull. Math. Soc. Sci. Math. Roumanie Tome 56(104) No. 2, 2013, 217 228 Computing Minimal Polynomial of Matrices over Algebraic Extension Fields by Amir Hashemi and Benyamin M.-Alizadeh Abstract In this
POLYNOMIAL DIVISION AND GRÖBNER BASES. Samira Zeada
THE TEACHING OF MATHEMATICS 2013, Vol. XVI, 1, pp. 22 28 POLYNOMIAL DIVISION AND GRÖBNER BASES Samira Zeada Abstract. Division in the ring of multivariate polynomials is usually not a part of the standard
PREMUR Seminar Week 2 Discussions - Polynomial Division, Gröbner Bases, First Applications
PREMUR 2007 - Seminar Week 2 Discussions - Polynomial Division, Gröbner Bases, First Applications Day 1: Monomial Orders In class today, we introduced the definition of a monomial order in the polynomial
The F4 Algorithm. Dylan Peifer. 9 May Cornell University
The F4 Algorithm Dylan Peifer Cornell University 9 May 2017 Gröbner Bases History Gröbner bases were introduced in 1965 in the PhD thesis of Bruno Buchberger under Wolfgang Gröbner. Buchberger's algorithm
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 13 (rev. 2) Professor M. J. Fischer October 22, 2008 53 Chinese Remainder Theorem Lecture Notes 13 We
Differential Fault Analysis of Trivium
Differential Fault Analysis of Trivium Michal Hojsík 1,2 and Bohuslav Rudolf 2,3 1 Department of Informatics, University of Bergen, N-5020 Bergen, Norway 2 Department of Algebra, Charles University in
CPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
UNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY
UNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY Rainer Steinwandt 1,2 Florida Atlantic University, USA (joint work w/ B. Amento, M. Grassl, B. Langenberg 2, M. Roetteler) 1 supported
Algebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL
Algebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL Mohamed Saied Emam Mohamed 1, Jintai Ding 2, and Johannes Buchmann 1 1 TU Darmstadt, FB Informatik Hochschulstrasse 10, 64289 Darmstadt,
Graph structure in polynomial systems: chordal networks
Graph structure in polynomial systems: chordal networks Pablo A. Parrilo Laboratory for Information and Decision Systems Electrical Engineering and Computer Science Massachusetts Institute of Technology
Optimized Interpolation Attacks on LowMC
Optimized Interpolation Attacks on LowMC Itai Dinur 1, Yunwen Liu 2, Willi Meier 3, and Qingju Wang 2,4 1 Département d'Informatique, École Normale Supérieure, Paris, France 2 Dept. Electrical Engineering
1 Introduction to information theory
1 Introduction to information theory 1.1 Introduction In this chapter we present some of the basic concepts of information theory. The situations we have in mind involve the exchange of information through
Introduction to Modern Cryptography. (1) Finite Groups, Rings and Fields. (2) AES - Advanced Encryption Standard
Introduction to Modern Cryptography Lecture 3 (1) Finite Groups, Rings and Fields (2) AES - Advanced Encryption Standard +,0, and -a are only notations! Review - Groups Def (group): A set G with a binary
8. Prime Factorization and Primary Decompositions
70 Andreas Gathmann 8. Prime Factorization and Primary Decompositions 13 When it comes to actual computations, Euclidean domains (or more generally principal ideal domains) are probably the nicest rings
Algebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London Egham, Surrey TW20 0EX, United Kingdom {M.R.Albrecht,carlos.cid}@rhul.ac.uk
Course 311: Michaelmas Term 2005 Part III: Topics in Commutative Algebra
Course 311: Michaelmas Term 2005 Part III: Topics in Commutative Algebra D. R. Wilkins Contents 3 Topics in Commutative Algebra 2 3.1 Rings and Fields......................... 2 3.2 Ideals...............................
Affine equivalence in the AES round function
Discrete Applied Mathematics 148 (2005) 161 170 www.elsevier.com/locate/dam Affine equivalence in the AES round function A.M. Youssef a, S.E. Tavares b a Concordia Institute for Information Systems Engineering,
Algebraic Side-Channel Collision Attacks on AES
Algebraic Side-Channel Collision Attacks on AES Andrey Bogdanov 1 and Andrey Pyshkin 2 1 Chair for Communication Security Ruhr University Bochum, Germany abogdanov@crypto.rub.de 2 Department of Computer
Hybrid Approach : a Tool for Multivariate Cryptography
Hybrid Approach : a Tool for Multivariate Cryptography Luk Bettale, Jean-Charles Faugère and Ludovic Perret INRIA, Centre Paris-Rocquencourt, SALSA Project UPMC, Univ. Paris 06, LIP6 CNRS, UMR 7606, LIP6
Exercise Sheet Cryptography 1, 2011
Cryptography 1 http://www.cs.ut.ee/~unruh/crypto1-11/ Exercise Sheet Cryptography 1, 2011 Exercise 1 DES The Data Encryption Standard (DES) is a very famous and widely used block cipher. It maps 64-bit
Complexity Theory VU 181.142, SS 2018. The Polynomial Hierarchy. Reinhard Pichler
Complexity Theory Complexity Theory VU 181.142, SS 2018 6. The Polynomial Hierarchy Reinhard Pichler Institut für Informationssysteme Arbeitsbereich DBAI Technische Universität Wien 15 May, 2018 Reinhard
Outline. Complexity Theory EXACT TSP. The Class DP. Definition. Problem EXACT TSP. Complexity of EXACT TSP. Proposition VU 181.
Complexity Theory Complexity Theory Outline Complexity Theory VU 181.142, SS 2018 6. The Polynomial Hierarchy Reinhard Pichler Institut für Informationssysteme Arbeitsbereich DBAI Technische Universität
Linear Ciphers. Klaus Pommerening Fachbereich Physik, Mathematik, Informatik der Johannes-Gutenberg-Universität Saarstraße 21 D-55099 Mainz
Linear Ciphers Klaus Pommerening Fachbereich Physik, Mathematik, Informatik der Johannes-Gutenberg-Universität Saarstraße 21 D-55099 Mainz January 16, 2000 English version July 28, 2014 last change August
Cryptanalysis of Patarin's 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin's 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
Mathematical Foundations of Public-Key Cryptography
Mathematical Foundations of Public-Key Cryptography Adam C. Champion and Dong Xuan CSE 4471: Information Security Material based on (Stallings, 2006) and (Paar and Pelzl, 2010) Outline Review: Basic Mathematical
ADVANCED TOPICS IN ALGEBRAIC GEOMETRY
ADVANCED TOPICS IN ALGEBRAIC GEOMETRY DAVID WHITE Outline of talk: My goal is to introduce a few more advanced topics in algebraic geometry but not to go into too much detail. This will be a survey of
ECEN 5022 Cryptography
Elementary Algebra and Number Theory University of Colorado Spring 2008 Divisibility, Primes Definition. N denotes the set {1, 2, 3,...} of natural numbers and Z denotes the set of integers {..., -2, -1,
ABSTRACT. Department of Mathematics. interesting results. A graph on n vertices is represented by a polynomial in n
ABSTRACT Title of Thesis: GRÖBNER BASES WITH APPLICATIONS IN GRAPH THEORY Degree candidate: Angela M. Hennessy Degree and year: Master of Arts, 2006 Thesis directed by: Professor Lawrence C. Washington
Summer Project. August 10, 2001
Summer Project Bhavana Nancherla David Drescher August 10, 2001 Over the summer we embarked on a brief introduction to various concepts in algebraic geometry. We used the text Ideals, Varieties, and Algorithms,
CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CRYPTANALYSIS. Antoine Joux
CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CRYPTANALYSIS Antoine Joux (g) CRC Press Taylor & Francis Group Boca Raton London New York CRC Press is an imprint of the Taylor &
Gröbner Bases. eliminating the leading term Buchberger's criterion and algorithm. construct wavelet filters
Gröbner Bases 1 S-polynomials eliminating the leading term Buchberger's criterion and algorithm 2 Wavelet Design construct wavelet filters 3 Proof of the Buchberger Criterion two lemmas proof of the Buchberger
Groebner Bases and Applications
Groebner Bases and Applications Robert Hines December 16, 2014 1 Groebner Bases In this section we define Groebner Bases and discuss some of their basic properties, following the exposition in chapter
Non-commutative reduction rings
Revista Colombiana de Matemáticas Volumen 33 (1999), páginas 27 49 Non-commutative reduction rings Klaus Madlener Birgit Reinert 1 Universität Kaiserslautern, Germany Abstract. Reduction relations are
Signature-based algorithms to compute Gröbner bases
Signature-based algorithms to compute Gröbner bases Christian Eder (joint work with John Perry) University of Kaiserslautern June 09, 2011 1/37 What is this talk all about? 1. Efficient computations of
GRÖBNER BASES AND POLYNOMIAL EQUATIONS. 1. Introduction and preliminaries on Gröbner bases
GRÖBNER BASES AND POLYNOMIAL EQUATIONS J. K. VERMA 1. Introduction and preliminaries on Gröbner bases Let S = k[x 1, x 2,..., x n ] denote a polynomial ring over a field k where x 1, x 2,..., x n are indeterminates.
Finite Fields. Mike Reiter
1 Finite Fields Mike Reiter reiter@cs.unc.edu Based on Chapter 4 of: W. Stallings. Cryptography and Network Security, Principles and Practices. 3rd Edition, 2003. Groups 2 A group G, is a set G of elements
Decision Diagrams for Discrete Optimization
Decision Diagrams for Discrete Optimization Willem Jan van Hoeve Tepper School of Business Carnegie Mellon University www.andrew.cmu.edu/user/vanhoeve/mdd/ Acknowledgments: David Bergman, Andre Cire, Samid
Lecture 15: Algebraic Geometry II
6.859/15.083 Integer Programming and Combinatorial Optimization Fall 009 Today... Ideals in k[x] Properties of Gröbner bases Buchberger's algorithm Elimination theory The Weak Nullstellensatz 0/1-Integer
12. Hilbert Polynomials and Bézout's Theorem
12. Hilbert Polynomials and Bézout's Theorem 95 12. Hilbert Polynomials and Bézout's Theorem After our study of smooth cubic surfaces in the last chapter, let us now come back to the general theory of
Decoding linear codes via systems solving: complexity issues and generalized Newton identities
Decoding linear codes via systems solving: complexity issues and generalized Newton identities Stanislav Bulygin (joint work with Ruud Pellikaan) University of Valladolid Valladolid, Spain March 14, 2008
Homomorphic Evaluation of the AES Circuit
Homomorphic Evaluation of the AES Circuit IBM Research and University Of Bristol. August 22, 2012 Homomorphic Evaluation of the AES Circuit Slide 1 Executive Summary We present a working implementation
Introduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,...,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
16.41 NCPOLY: Non commutative polynomial ideals
644 CHAPTER 16. USER CONTRIBUTED PACKAGES 16.41 NCPOLY: Non commutative polynomial ideals This package allows the user to set up automatically a consistent environment for computing in an algebra where
Groebner Bases, Toric Ideals and Integer Programming: An Application to Economics. Tan Tran Junior Major-Economics & Mathematics
Groebner Bases, Toric Ideals and Integer Programming: An Application to Economics Tan Tran Junior Major-Economics & Mathematics History Groebner bases were developed by Buchberger in 1965, who later named
Verification using Satisfiability Checking, Predicate Abstraction, and Craig Interpolation. Himanshu Jain THESIS ORAL TALK
Verification using Satisfiability Checking, Predicate Abstraction, and Craig Interpolation Himanshu Jain THESIS ORAL TALK 1 Computer Systems are Pervasive Computer Systems = Software + Hardware Software/Hardware
CHAPTER 3: THE INTEGERS Z
CHAPTER 3: THE INTEGERS Z MATH 378, CSUSM. SPRING 2009. AITKEN 1. Introduction The natural numbers are designed for measuring the size of finite sets, but what if you want to compare the sizes of two sets?
1 Algebraic Methods. 1.1 Gröbner Bases Applied to SAT
1 Algebraic Methods In an algebraic system Boolean constraints are expressed as a system of algebraic equations or inequalities which has a solution if and only if the constraints are satisfiable. Equations
QR Decomposition. When solving an overdetermined system by projection (or a least squares solution) often the following method is used:
(In practice not Gram-Schmidt, but another process Householder Transformations are used.) QR Decomposition When solving an overdetermined system by projection (or a least squares solution) often the following