Introduction Cryptography and Security Fall 2009 Steve Lai
1 Introduction: Cryptography and Security, Fall 2009, Steve Lai
2 Outline: Basics of encryption; Homomorphic encryption
3 Basics of Encryption. For more information, see my CSE 651 or 794Q notes.
4 Summary. Symmetric encryption: stream cipher (e.g., RC4); block cipher (e.g., DES, AES). Asymmetric encryption: RSA; ElGamal (based on Diffie-Hellman). Performance issues. Security issues.
5 Symmetric-Key Encryption. Stream cipher (e.g., Vernam's one-time pad, RC4). Block cipher (e.g., DES, AES).
6 Stream ciphers
7 Stream ciphers. Stream ciphers typically process the plaintext byte by byte, so the plaintext is a stream of bytes $P_1, P_2, P_3, \ldots$. A key $K$ is used as the seed to generate a sequence of pseudorandom bytes (the key-stream) $K_1, K_2, K_3, \ldots$. The ciphertext is $C_1, C_2, C_3, C_4, \ldots$, where $C_i = P_i \oplus K_i$. Various stream ciphers differ in their key-stream generators. Stream ciphers require that a new key be used for each plaintext (otherwise they are not secure).
8 In practice, Alice and Bob wish to share a permanent key $K$ and use it to encrypt many messages. One possible strategy: suppose Bob and Alice share a secret key $K$. Each time Bob (or Alice) wants to send a message, he randomly generates a string IV and uses $K \| \mathrm{IV}$ as the key (seed) of the pseudorandom generator, and sends IV along with the ciphertext. Unfortunately, the resulting scheme is not necessarily secure.
9 Example: WEP's use of RC4. WEP is a protocol using RC4 to encrypt packets for transmission over IEEE wireless LAN. Each packet is encrypted with a separate key equal to the concatenation of a 24-bit IV (initialization vector) and a 40- or 104-bit permanent key. Not secure. See "Breaking 104 bit WEP in less than 60 seconds". RC4 key: IV (24 bits) $\|$ permanent key (40 or 104 bits).
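Added example (not from the slides): a toy stream cipher in Python that seeds its key-stream generator with key||IV as on slide 8, plus a monitor-side check that flags IV reuse across a stream of captured packets and a function showing why reuse matters. SHAKE-256 stands in for RC4's generator (an assumption for this example, not WEP's cipher), and the key, IVs and payloads are constructed sample values.

```python
import hashlib


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Key-stream generator seeded with key||IV (slide 8). SHAKE-256 is used here as a
    stand-in for RC4's PRG; this is an assumption of the example, not WEP's cipher."""
    return hashlib.shake_256(key + iv).digest(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_packet(key: bytes, iv: bytes, plaintext: bytes):
    """Slide 7: C_i = P_i xor K_i; the IV travels in the clear next to the ciphertext."""
    return iv, xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


def decrypt_packet(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    return xor_bytes(ciphertext, keystream(key, iv, len(ciphertext)))


def find_iv_reuse(packets):
    """Monitor-side check: count how often each IV appears in a sequence of
    (iv, ciphertext) packets and return the IVs seen more than once, i.e. the
    packets that were encrypted under the same key-stream."""
    counts = {}
    for iv, _ in packets:
        counts[iv] = counts.get(iv, 0) + 1
    return {iv: n for iv, n in counts.items() if n > 1}


def reuse_leaks_plaintext_xor(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Why reuse matters: the same key||IV yields the same key-stream, so
    C1 xor C2 == P1 xor P2 regardless of the key (the one-time-pad rule of slide 7)."""
    _, c1 = encrypt_packet(key, iv, p1)
    _, c2 = encrypt_packet(key, iv, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


# Constructed sample: a 40-bit permanent key and 24-bit IVs, as in WEP (slide 9).
KEY = bytes.fromhex("0102030405")
IVS = [b"\x00\x00\x01", b"\x00\x00\x02", b"\x00\x00\x01", b"\x00\x00\x03"]
SAMPLE_PACKETS = [encrypt_packet(KEY, iv, b"payload-%d" % i) for i, iv in enumerate(IVS)]

if __name__ == "__main__":
    print("reused IVs:", find_iv_reuse(SAMPLE_PACKETS))
```

With a 24-bit IV drawn at random, the birthday bound makes a repeat likely after a few thousand packets, which is why a per-key IV counter and a reuse detector belong on both sides of such a link.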
10 Block Ciphers. Block ciphers are encryption schemes that use pseudorandom functions or pseudorandom permutations.
11 Traditional view of block ciphers. A block cipher is a symmetric-key encryption scheme that maps a block of $n$ bits to a block of $n$ bits: $M = C = \{0,1\}^n$ and $K = \{0,1\}^r$. Block length: $n$. Key length: $r$. For a fixed key $k \in K$, $E_k : \{0,1\}^n \to \{0,1\}^n$ is a permutation.
12 Practical Block Ciphers: DES and AES. DES: Data Encryption Standard. AES: Advanced Encryption Standard.
13 Public Key Cryptography and RSA
14 Public-Key Cryptography. Also known as asymmetric-key cryptography. Each user has a pair of keys: a public key and a private key. The public key is used for encryption; this key is known to the public. The private key is used for decryption; this key is known only to the owner.
15 Public-Key Cryptosystem (PKC). Each user $u$ has a pair of keys $(PK_u, SK_u)$. $PK_u$ is the public key, available in a public directory. $SK_u$ is the private key, known to $u$ only. Key-generation algorithm: to generate keys. Encryption algorithm $E$: to send message $M$ to user $u$, compute $C = E(PK_u, M)$. Decryption algorithm $D$: upon receiving $C$, user $u$ computes $D(SK_u, C)$. Requirement: $D(SK_u, E(PK_u, M)) = M$.
16 Why Public-Key Cryptography? Developed to address two main issues: key distribution and digital signatures. Invented by Diffie & Hellman in 1976.
17 One-way function with trapdoor. Easy: $x \mapsto y = f(x)$. Hard: $y \mapsto x = f^{-1}(y)$. Easy with the trapdoor: $y \mapsto x = f^{-1}(y)$. Use the trapdoor as the private key. Most (believed) one-way functions come from number theory.
18 The RSA Cryptosystem: RSA encryption; RSA digital signature.
19 The RSA Cryptosystem. By Rivest, Shamir & Adleman of MIT. Best known and most widely used public-key scheme. Based on the assumed one-way property of modular powering: $f : x \mapsto x^e \bmod n$ (easy); $f^{-1} : x^e \bmod n \mapsto x$ (hard).
20 Idea behind RSA. It works in the group $Z_n^*$. Encryption (easy): $x \mapsto x^e$ (RSA). Decryption (hard): $x^e \mapsto x$ (RSA$^{-1}$). Looking for a trapdoor $d$ with $(x^e)^d = x$. If $d$ is a number such that $ed \equiv 1 \pmod{\varphi(n)}$, then $ed = k\varphi(n) + 1$ for some $k$, and $(x^e)^d = x^{ed} = x^{k\varphi(n)+1} = \left(x^{\varphi(n)}\right)^k \cdot x = 1^k \cdot x = x$.
21 RSA Cryptosystem. Key generation: (a) Choose large primes $p$ and $q$, and let $n := pq$. (b) Choose $e$ ($1 < e < \varphi(n)$) coprime to $\varphi(n)$, and compute $d := e^{-1} \bmod \varphi(n)$ (i.e., $ed \equiv 1 \pmod{\varphi(n)}$). (c) Public key: $pk = (n, e)$. Secret key: $sk = (d, n)$. Encryption: $E_{pk}(x) := x^e \bmod n$, where $x \in Z_n^*$. Decryption: $D_{sk}(y) := y^d \bmod n$, where $y \in Z_n^*$. ($E_{pk}$ and $D_{sk}$ work for $x, y \in Z_n \setminus Z_n^*$, but not securely.)
22 Mathematical Attacks. Factor $n$ into $pq$. Then $\varphi(n) = (p-1)(q-1)$ and $d = e^{-1} \bmod \varphi(n)$ can be calculated easily. Determine $\varphi(n)$ directly: equivalent to factoring, since knowing $\varphi(n)$ enables us to factor $n$ by solving $n = pq$, $\varphi(n) = (p-1)(q-1)$. Determine $d$ directly: the best known algorithms are not faster than those for factoring $n$. Also, if $d$ is known, $n$ can be factored with high probability.
23 Remarks. In light of current factorization technologies, RSA recommends that $n$ be of at least a certain number of bits. If a message $m \in Z_n \setminus Z_n^*$, RSA works, but since $\gcd(m, n) > 1$, the sender can factor $n$. Also, since $\gcd(m^e, n) > 1$, the adversary can factor $n$, too. Question: how likely is $m \in Z_n \setminus Z_n^*$?
24 Security of RSA. We have seen many attacks on RSA. Also, RSA is deterministic and, therefore, not CPA-secure (i.e., not ciphertext-indistinguishable against CPA). We wish to make RSA secure against CPA and the aforementioned attacks. RSA primitive: the RSA we have described; also called plain RSA or textbook RSA.
25 Padded RSA. Encryption: $E_{pk}(m) = \mathrm{RSA}(r \| m) = (r \| m)^e \bmod n$, where $r$ is a random string. Thus, Padded-RSA$(m) = \mathrm{RSA}(r \| m)$ for some random $r$. Secure against many of the aforementioned attacks. Theorem: Padded RSA is CPA-secure if $|m| = O(\log n)$. Padded RSA is adopted in PKCS #1 v1.5.
26 Padded RSA in PKCS #1 v1.5. PKCS: Public Key Cryptography Standard. Let $(e, d, n)$ give a pair of RSA keys. Say $|n| = k$ bytes (e.g., $k = 216$). First byte 00. To encrypt a message $m$: pad $m$ so that $\hat m = r \| 00 \| m$ ($k$ bytes), where $r$ consists of 8 or more random bytes $\neq 00$. The original message $m$ must be $\le k - 11$ bytes. The ciphertext is $c := \mathrm{RSA}(\hat m) = \hat m^{\,e} \bmod n$. In 1998, Bleichenbacher published a chosen-ciphertext attack, forcing RSA to upgrade its PKCS #1, which now uses OAEP.
27 OAEP: basic idea. Message padding: instead of encrypting $m$ directly, we encrypt $(m \oplus r) \| r$, where $r$ is a random bit string. As such, however, there is a 50% overhead, so we wish to use a shorter bit string $r$. Besides, $r$ should be protected, too. This leads to a scheme called Optimal Asymmetric Encryption Padding (OAEP). It can be applied not only to RSA but to other trapdoor functions.
28 OAEP. Choose $k, l$ ($k < l$) s.t. $k + l = n$ ($n$: the RSA modulus length). $G : \{0,1\}^k \to \{0,1\}^l$, a pseudorandom generator. $h : \{0,1\}^l \to \{0,1\}^k$, a hash function. Encryption, to encrypt a block $m$ of $l$ bits: 1. choose a random bit string $r \in \{0,1\}^k$. 2. encode $m$ as $x := (m \oplus G(r)) \| (r \oplus h(m \oplus G(r)))$ (if $x \notin Z_n$, the message space of RSA, return to step 1). 3. compute the ciphertext $y := E_{pk}(x)$. Decryption: $x := D_{sk}(y) = a \| b$; $m = a \oplus G(b \oplus h(a))$.
29 Remarks on OAEP. OAEP is adopted in the current RSA PKCS #1 (v2.1). It is a padding scheme, not an encryption scheme. Intuitively, with OAEP, the ciphertext should not reveal any information about the plaintext if RSA is one-way and $h$ and $G$ are truly random (random oracles). A slightly more complicated version of OAEP, in which $x = (m \| 0^{k} \oplus G(r)) \| (r \oplus h(m \| 0^{k} \oplus G(r)))$, has been proved CCA-secure in the random oracle model (i.e., if $G$, $h$ are random oracles). In practice, hash functions such as SHA-1 are used for $G$, $h$.
30 Random Oracle. A random oracle is a random function $f : \{0,1\}^n \to \{0,1\}^{l(n)}$. Recall: there are $2^{l(n) \cdot 2^n}$ such functions. Each random oracle is a black box that implements one of the $2^{l(n) \cdot 2^n}$ random functions, say $f_0$. The $2^n$ values of $f_0$ are totally independent and random. The only way to know the value of $f_0(x)$ is to explicitly evaluate $f_0$ at $x$ (i.e., to ask the oracle). There is no practical/feasible way to implement a random oracle. Infeasible: use a trusted authority. Infeasible: use an $l(n) \cdot 2^n$-bit disk.
31 Cryptosystems Based on Discrete Logarithms
32 Outline: Discrete Logarithm Problem; Diffie-Hellman key agreement; ElGamal encryption
33 Discrete logarithm problem (DLP). A group $G$ is cyclic if there is an element $\alpha \in G$ of order $|G|$. In this case, $G = \langle \alpha \rangle = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{|G|-1}\}$; $\alpha$ is called a generator. If $(G, \cdot)$ is a finite group (not necessarily cyclic) and $\alpha \in G$ an element of order $n$, then $\langle \alpha \rangle = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{n-1}\}$ is a cyclic (sub)group of order $n$. For any $y \in \langle \alpha \rangle$, there is a unique $x \in Z_n$ such that $\alpha^x = y$. This integer $x$ is called the discrete logarithm (or index) of $y$ with respect to base $\alpha$. We write $\log_\alpha y = x$. The DLP is to compute $\log_\alpha y$ for a given $y$.
34 Frequently used settings. $G = Z_p^* = \langle \alpha \rangle = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{p-2}\}$, where $p$ is a large prime and $\alpha$ is a generator of $G$. ($Z_p^*$ is cyclic when $p$ is prime.) $G = \langle \alpha \rangle = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{q-1}\} \subseteq Z_p^*$, where $\alpha \in Z_p^*$ is an element of prime order $q$. For these settings, there is no known polynomial-time algorithm for DLP.
35 Example 1. $G = Z_{19}^* = \{1, 2, \ldots, 18\}$. 2 is a generator. That is, $Z_{19}^* = \langle 2 \rangle$: $2^0 = 1$, $2^1 = 2$, $2^2 = 4$, $2^3 = 8$, $2^4 = 16$, $2^5 = 13$, $2^6 = 7$, $2^7 = 14$, $\ldots$. $\log_2 7 = 6$; $\log_2 14 = 7$; $\log_2 12 = ?$
36 Example 2. $G = Z_{11}^* = \{1, 2, \ldots, 10\}$. $G' = \langle 3 \rangle = \{1, 3, 9, 5, 4\}$. 3 is a generator of $G'$, but not a generator of $Z_{11}^*$. $\log_3 5 = 3$; $\log_3 10$ is not defined.
37 DLP in $Z_p^*$. Let $\alpha$ be a generator of $Z_p^*$ (a primitive root of unity modulo $p$). $Z_p^* = \{1, 2, \ldots, p-1\} = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{p-2}\}$. $Z_{p-1} = \{0, 1, 2, \ldots, p-2\}$. Given $y \in Z_p^*$, find the unique $x \in Z_{p-1}$ such that $y = \alpha^x \bmod p$. That is, given $\alpha^x \in Z_p^*$, find $x$. There is a subexponential-time algorithm for DLP in $Z_p^*$ (Index Calculus), running in time $2^{O(\sqrt{n \log n})}$, where $n = \log p$.
38 RSA vs. Discrete Logarithm. RSA is a one-way trapdoor function: $x \mapsto x^e$ (RSA, easy); $x^e \mapsto x$ (RSA$^{-1}$, difficult); $x^e \mapsto (x^e)^d = x$ ($d$ is a trapdoor). Logarithm is the inverse of exponentiation: $\exp_\alpha : x \mapsto \alpha^x$ (easy); $\log_\alpha : \alpha^x \mapsto x$ (difficult). $\log$ is hard to compute, so $\exp$ is a one-way function, but without a trapdoor. An encryption scheme based on the difficulty of $\log$ will not simply encrypt $x$ as $\alpha^x$.
39 Diffie-Hellman key agreement. $Z_p^* = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{p-2}\}$; $Z_{p-1} = \{0, 1, 2, \ldots, p-2\}$. Alice and Bob wish to set up a secret key. 1. Alice and Bob agree on a large prime $p$ and a primitive root (generator) $\alpha \in Z_p^*$ ($p$, $\alpha$: not secret). 2. Alice $\to$ Bob: $\alpha^a \bmod p$, where $a \in_R Z_{p-1}$. 3. Alice $\leftarrow$ Bob: $\alpha^b \bmod p$, where $b \in_R Z_{p-1}$. 4. They agree on the key $\alpha^{ab} \bmod p$. Diffie-Hellman problem: given $\alpha^a, \alpha^b \in Z_p^*$, compute $\alpha^{ab}$. Diffie-Hellman assumption: the Diffie-Hellman problem is intractable.
40 Ideas behind ElGamal encryption. 0. Bob is to send a message $m$ to Alice, who has private key $x$ and public key $y := \alpha^x$. 1. Regard $m$ as an element in $Z_p^*$. 2. Use Diffie-Hellman to set up a temporary key: Bob generates $k$ and computes $y^k$ ($= \alpha^{xk}$). 3. Bob uses this key to encrypt $m$ as $m y^k$. 4. Bob sends $\alpha^k$ along with $m y^k$ so that Alice can compute $\alpha^{xk}$. That is, $E(m) = (\alpha^k, m y^k)$.
41 ElGamal encryption. 1. Key generation (e.g. for Alice): choose a large prime $p$ and a primitive root $\alpha \in Z_p^*$, where $p-1$ has a large prime factor; randomly choose a number $x \in Z_{p-1}$ and compute $y = \alpha^x$; set $sk = (p, \alpha, x)$ and $pk = (p, \alpha, y)$. 2. Encryption: $E_{pk}(m) = (\alpha^k, m y^k)$, where $m \in Z_p^*$, $k \in_R Z_{p-1}$. 3. Decryption: $D_{sk}(a, b) = b \cdot a^{-x}$. 4. Remarks: all operations are done in $Z_p^*$, i.e., modulo $p$. The encryption scheme is non-deterministic.
42 Security of ElGamal encryption against CPA. Based on the Diffie-Hellman assumption. Diffie-Hellman problem $\le$ discrete logarithm problem (an algorithm for DL solves DH). Open problem: discrete logarithm $\le$ Diffie-Hellman? Theorem: If the Diffie-Hellman assumption is true, then the ElGamal encryption scheme is CPA-secure.
43 Security of ElGamal encryption against CCA. A function $f : G \to G$ is homomorphic if $f(xy) = f(x) f(y)$. ElGamal encryption is homomorphic, $E(m m') = E(m) \cdot E(m')$, in the following sense: if $E(m) = (\alpha^k, m y^k)$ and $E(m') = (\alpha^{k'}, m' y^{k'})$, then $E(m) \cdot E(m') = (\alpha^k, m y^k) \cdot (\alpha^{k'}, m' y^{k'}) = (\alpha^k \alpha^{k'}, m y^k m' y^{k'}) = (\alpha^{k+k'}, m m' y^{k+k'})$ is a valid encryption of $m m'$. As such, ElGamal encryption is not CCA-secure (i.e., not indistinguishable against CCA).
44 Symmetric vs. Asymmetric. Symmetric encryptions are much faster than asymmetric ones. AES is typically 100 times faster than RSA encryption, and 1000 times faster than RSA decryption. Use an asymmetric cipher to set up a session key and then use a symmetric cipher to encrypt data.
45 Security Issues. What does it mean that an encryption scheme is secure (or insecure)? Semantic security; Ciphertext-indistinguishability; Non-malleability.
46 Different levels of security. Consider ciphertext-only attacks; i.e., the adversary is an eavesdropper. How to define security? Several options: an encryption scheme is secure if, given a ciphertext $c = E_k(m)$, no adversary can (1) find the secret key $k$; (2) find the plaintext $m$; (3) find any character of the plaintext; (4) find any meaningful information about the plaintext; (5) find any information about the plaintext. We will adopt (and formalize) #5, which is called semantic security and seems to indicate the highest level of security.
47 Different types of attackers. Different types of attacks (classified by the amount of information that may be obtained by the attacker): Ciphertext-only attack; Known-plaintext attack; Chosen-plaintext attack (CPA); Chosen-ciphertext attack (CCA).
48 Security Parameter. The security of an encryption scheme typically depends on its key length. Is RSA secure if $n = 216$, 512, or 1024? In general, an encryption scheme is associated with an integer $n$ called its security parameter. (For now, you may think of it as key length.) When we say that the probability $\Pr(\text{being broken})$ of an encryption scheme is negligible, it is w.r.t. the encryption scheme's security parameter.
49 Negligible functions. A nonnegative function $f : \mathbb{N} \to \mathbb{R}$ is said to be negligible if for every positive polynomial $P(n)$ there is an integer $n_0$ such that $f(n) < 1/P(n)$ for all $n > n_0$ (i.e., for sufficiently large $n$). Examples: $2^{-n}$, $2^{-\sqrt{n}}$, $n^{-\log n}$ are negligible functions. Negligible functions approach zero faster than the reciprocal of every polynomial. We write $\mathrm{negl}(n)$ to denote an unspecified negligible function.
50 Symmetric-key encryption scheme. Message space: $M \subseteq \{0,1\}^*$. Key generation algorithm $G$: on input $1^n$, $G(1^n)$ outputs a key $k \in \{0,1\}^n$. ($K = \{0,1\}^n$; $n$ is the security parameter.) Encryption algorithm $E$: on input a key $k$ and a plaintext $m \in M$, $E$ outputs a ciphertext $c$. We write $c \leftarrow E(k, m)$ or $c \leftarrow E_k(m)$. Decryption algorithm $D$: on input a key $k$ and a ciphertext $c$, $D$ outputs a message $m$. We write $m := D(k, c)$ or $m := D_k(c)$. Correctness requirement: for each $k \in K$ and $m \in M$, $D_k(E_k(m)) = m$. $G$, $E$ are polynomial-time probabilistic algorithms. $D$ is deterministic.
51 Semantic Security. Informally, an encryption scheme is semantically secure if whatever an adversary with $c = E(m)$ can learn about $m$, one can learn equally well without $c$. A private-key encryption scheme $(G, E, D)$ with security parameter $n$ is semantically secure against an eavesdropper if for every probabilistic polynomial-time (PPT) algorithm $A$ there exists a PPT $A'$ such that for all polynomial-time computable functions $f$ and $h$, there exists a negligible function $\mathrm{negl}$ such that: $\left| \Pr\left[ A(1^n, E_k(m), h(m)) = f(m) : k \leftarrow G(1^n),\ m \leftarrow \{0,1\}^n \right] - \Pr\left[ A'(1^n, h(m)) = f(m) : m \leftarrow \{0,1\}^n \right] \right| \le \mathrm{negl}(n)$.
52 Ciphertext-Indistinguishability. Adversary: a polynomial-time eavesdropper. $(G, E, D)$: an encryption scheme with security parameter $n$. Imagine a game played by Bob and Eve (the adversary): Eve is given input $1^n$ and outputs a pair of messages $m_0, m_1$ of the same length. Bob chooses a key $k \leftarrow G(1^n)$ and $m \leftarrow_u \{m_0, m_1\}$. He computes $c \leftarrow E_k(m)$ and gives $c$ to Eve. Eve tries to determine whether $c$ is the encryption of $m_0$ or $m_1$. An encryption scheme is ciphertext-indistinguishable against eavesdroppers if no adversary can succeed with probability non-negligibly greater than $1/2$.
53 Definition: An encryption scheme is ciphertext-indistinguishable against eavesdroppers if for every PPT algorithm $A$ and all $m_0, m_1 \in M$ with $|m_0| = |m_1|$, it holds that $\Pr\left[ A(1^n, m_0, m_1, E_k(m)) = m : m \leftarrow_u \{m_0, m_1\},\ k \leftarrow G(1^n) \right] \le \frac{1}{2} + \mathrm{negl}(n)$.
54 Equivalence of semantic security and ciphertext-indistinguishability. Theorem: Against an eavesdropper, an encryption scheme is semantically secure iff it is ciphertext-indistinguishable. Theorem: Under CPA, CCA1 or CCA2, an encryption scheme is semantically secure if and only if it is ciphertext-indistinguishable.
55 Chosen-plaintext attacks (CPA). In CSE 651 we described CPA as follows: Given $(m_1, c_1), (m_2, c_2), \ldots, (m_t, c_t)$, where $m_1, m_2, \ldots, m_t$ are chosen by the adversary, and a new ciphertext $c$. Q: what is the plaintext of $c$? Adaptively-chosen-plaintext attack: $m_1, m_2, \ldots, m_t$ are chosen adaptively. Now we describe CPA in terms of oracles.
56 Chosen-plaintext attacks (CPA). A CPA on an encryption scheme $(G, E, D)$ is modeled as follows. 1. A key $k \leftarrow G(1^n)$ is generated. 2. The adversary is given input $1^n$ and oracle access to $E_k$. She may request the oracle to encrypt plaintexts of her choice. 3. The adversary chooses two messages $m_0, m_1$ with $|m_0| = |m_1|$, and is given a challenge ciphertext $c \leftarrow E_k(m_b)$, where $b \leftarrow_u \{0,1\}$. 4. The adversary continues to have oracle access and may request the encryptions of additional plaintexts of her choice, even $m_0$ and $m_1$. 5. The adversary finally answers 0 or 1. Note: The CPA here actually refers to an adaptive CPA.
57 Ciphertext-indistinguishability against CPA. An encryption scheme $(G, E, D)$ is IND-CPA if no polynomial-time adversary can answer correctly with probability non-negligibly greater than $1/2$. Definition: an encryption scheme $(G, E, D)$ is IND-CPA if for every polynomial-time adversary $A$ it holds that: $\Pr\left[ A^{E_k}(1^n, m_0, m_1, E_k(m)) = m : k \leftarrow G(1^n),\ m \leftarrow_u \{m_0, m_1\},\ (m_0, m_1) \leftarrow A^{E_k}(1^n),\ m_0, m_1 \in M \right] \le \frac{1}{2} + \mathrm{negl}(n)$.
58 Chosen-ciphertext attacks (CCA). In CSE 651 we also described CCA as follows: Given $(m_1, c_1), (m_2, c_2), \ldots, (m_t, c_t)$, where $c_1, c_2, \ldots, c_t$ are chosen by the adversary, and a new ciphertext $c$. Q: what is the plaintext of $c$? Adaptively-chosen-ciphertext attack: $c_1, c_2, \ldots, c_t$ are chosen adaptively. Now we describe CCA in terms of oracles. We will allow a CCA adversary to also have CPA capability. (So, combined CCA+CPA, rather than pure CCA.)
59 Chosen-ciphertext attacks (CCA). A CCA on an encryption scheme $(G, E, D)$ is modeled as follows. 1. A key $k \leftarrow G(1^n)$ is generated. 2. The adversary is given input $1^n$ and oracle access to $E_k$ and $D_k$. She may request the oracles to perform encryptions and/or decryptions for her. 3. The adversary chooses two messages $m_0, m_1$ with $|m_0| = |m_1|$, and is given a challenge ciphertext $c \leftarrow E_k(m_b)$, where $b \leftarrow_u \{0,1\}$. 4. The adversary continues to have oracle access to $E_k$ and $D_k$, but is not allowed to request the decryption of $c$. 5. The adversary finally answers 0 or 1.
60 CCA1 vs. CCA2. The CCA described above is also called CCA2. If in item #4 the adversary has no access to the decryption oracle, the CCA is called CCA1.
61 Ciphertext-indistinguishability against CCA. An encryption scheme $(G, E, D)$ is IND-CCA if no polynomial-time adversary can answer correctly with probability non-negligibly greater than $1/2$. Definition: an encryption scheme $(G, E, D)$ is IND-CCA if for every polynomial-time adversary $A$ it holds that: $\Pr\left[ A^{E_k, D_k}(1^n, m_0, m_1, E_k(m)) = m : k \leftarrow G(1^n),\ m \leftarrow_u \{m_0, m_1\},\ (m_0, m_1) \leftarrow A^{E_k, D_k}(1^n),\ m_0, m_1 \in M \right] \le \frac{1}{2} + \mathrm{negl}(n)$.
62 Non-malleability. An encryption scheme $(G, E, D)$ is non-malleable if, given a ciphertext $c = E(m)$, it is computationally infeasible for an adversary to produce a ciphertext $c'$ such that $m' = D(c')$ has some known relation with $m$. RSA is malleable. IND-CCA2 $\iff$ non-malleable. Later we will see that every homomorphic encryption scheme is malleable, and hence cannot be IND-CCA2. Highest security level possible for such schemes: IND-CCA1. (?)
63 Homomorphic Encryption. Fontaine and Galand, "A survey of homomorphic encryption for nonspecialists", EURASIP Journal on Information Security, 2007.
64 RSA is homomorphic. $\mathrm{RSA}(m_1 \cdot m_2) = \mathrm{RSA}(m_1) \cdot \mathrm{RSA}(m_2)$, where $\cdot$ is the multiplication in $Z_n^*$ (i.e., modulo $n$). Easy to verify: $\mathrm{RSA}(m_1 \cdot m_2) = (m_1 m_2)^e$; $\mathrm{RSA}(m_1) = m_1^e$; $\mathrm{RSA}(m_2) = m_2^e$; so $\mathrm{RSA}(m_1) \cdot \mathrm{RSA}(m_2) = m_1^e m_2^e = (m_1 m_2)^e$.
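Added example (not from the slides) tying together slides 21, 22, 24/25, 57 and 64 on toy RSA in Python: key generation and the encrypt/decrypt pair, the factoring of $n$ from $\varphi(n)$ (slide 22), the multiplicative homomorphism (slide 64), and the IND-CPA game of slide 57 run against textbook RSA and against a padded variant. The primes $p = 61$, $q = 53$ are constructed toy values, and the padding (a 4-bit random $r$ prepended to a 4-bit $m$) is a hypothetical stand-in for slide 25's $r \| m$, not PKCS #1.

```python
import math
import secrets

# Constructed toy primes; real keys use primes hundreds of digits long.
P, Q, E = 61, 53, 17


def rsa_keygen(p=P, q=Q, e=E):
    """Slide 21: n = pq, d = e^-1 mod phi(n); pk = (n, e), sk = (d, n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (d, n)


def rsa_encrypt(pk, x):
    n, e = pk
    return pow(x, e, n)


def rsa_decrypt(sk, y):
    d, n = sk
    return pow(y, d, n)


def factor_from_phi(n, phi):
    """Slide 22: knowing phi(n) factors n, because p + q = n - phi(n) + 1 and
    p, q are the two roots of t^2 - (p+q) t + n."""
    s = n - phi + 1
    disc = s * s - 4 * n
    root = math.isqrt(disc)
    if root * root != disc:
        raise ValueError("phi does not match n")
    return (s - root) // 2, (s + root) // 2


def is_multiplicatively_homomorphic(pk, m1, m2):
    """Slide 64: RSA(m1*m2) == RSA(m1)*RSA(m2) mod n."""
    n, _ = pk
    return rsa_encrypt(pk, m1 * m2 % n) == rsa_encrypt(pk, m1) * rsa_encrypt(pk, m2) % n


M_BITS = 4  # short messages, so that r||m < n (slide 25: |m| = O(log n))
R_BITS = 4  # hypothetical toy padding width, chosen for this example


def padded_encrypt(pk, m):
    """Slide 25: encrypt r||m under a fresh random r (toy padding, not PKCS #1)."""
    r = secrets.randbits(R_BITS)
    return rsa_encrypt(pk, (r << M_BITS) | m)


def padded_decrypt(sk, c):
    return rsa_decrypt(sk, c) & ((1 << M_BITS) - 1)


def reencrypt_adversary(pk, m0, m1, c, encrypt):
    """IND-CPA adversary of slide 57 that needs nothing but the public key:
    re-encrypt m0 and compare with the challenge."""
    return 0 if encrypt(pk, m0) == c else 1


def ind_cpa_win_rate(encrypt, adversary, trials=200, m0=2, m1=3):
    """Play the IND-CPA game `trials` times and return the adversary's success rate."""
    pk, _ = rsa_keygen()
    wins = 0
    for _ in range(trials):
        b = secrets.randbits(1)
        c = encrypt(pk, (m0, m1)[b])
        wins += adversary(pk, m0, m1, c, encrypt) == b
    return wins / trials
```

Textbook RSA loses the game every time because it is deterministic; the padded variant drops the same adversary back near 1/2, which is the point of slide 24 and 25.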
65 Homomorphic encryption. $M$: message space. $C$: ciphertext space. $\odot_M$: some binary operation on $M$. $\odot_C$: some binary operation on $C$. Definition: An encryption scheme is homomorphic if for any encryption key $k$ the encryption function $E$ satisfies $E(m_1 \odot_M m_2) = E(m_1) \odot_C E(m_2)$ for all messages $m_1, m_2 \in M$. Comment: applicable only to deterministic encryption schemes.
66 ElGamal encryption is homomorphic. $E(m_1 m_2) \equiv E(m_1) E(m_2)$, in the following sense: $E(m_1) E(m_2)$ is a valid encryption of $m_1 m_2$. Verification: if $E(m_1) = (g^{k_1}, m_1 y^{k_1})$ and $E(m_2) = (g^{k_2}, m_2 y^{k_2})$, then $E(m_1) E(m_2) = (g^{k_1}, m_1 y^{k_1}) \cdot (g^{k_2}, m_2 y^{k_2}) = (g^{k_1 + k_2}, m_1 m_2 y^{k_1 + k_2})$ is an encryption of $m_1 m_2$.
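Added example (not from the slides) for the Diffie-Hellman exchange of slide 39, ElGamal encryption of slide 41, and the multiplicative homomorphism of slides 43 and 66, in Python. The group parameters $p = 467$, $g = 2$ are a constructed toy choice (2 is a primitive root modulo 467); every other value is computed.

```python
import secrets

# Constructed toy parameters: 467 is prime and 2 is a primitive root mod 467
# (467 = 3 mod 8, so 2 is a non-residue, and 466 = 2 * 233 leaves no smaller order).
P, G = 467, 2


def elgamal_keygen(p=P, g=G, x=None):
    """Slide 41: private x in Z_{p-1}, public y = g^x mod p; sk = (p, g, x), pk = (p, g, y)."""
    if x is None:
        x = secrets.randbelow(p - 1)
    return (p, g, pow(g, x, p)), (p, g, x)


def elgamal_encrypt(pk, m, k=None):
    """Slide 41: E(m) = (g^k, m * y^k) with a fresh ephemeral k, i.e. a one-shot Diffie-Hellman."""
    p, g, y = pk
    if k is None:
        k = secrets.randbelow(p - 1)
    return pow(g, k, p), m * pow(y, k, p) % p


def elgamal_decrypt(sk, ct):
    """Slide 41: D(a, b) = b * a^{-x}; a^{-x} is the modular inverse of a^x."""
    p, _, x = sk
    a, b = ct
    return b * pow(pow(a, x, p), -1, p) % p


def dh_shared_keys(p, g, a, b):
    """Slide 39: Alice sends g^a, Bob sends g^b; each side raises the other's value
    to its own exponent. Returns both sides' results so a caller can compare them."""
    A, B = pow(g, a, p), pow(g, b, p)
    return pow(B, a, p), pow(A, b, p)


def multiply_ciphertexts(p, c1, c2):
    """Slides 43/66: the component-wise product is a valid encryption of m1*m2."""
    return c1[0] * c2[0] % p, c1[1] * c2[1] % p


def is_malleable(pk, sk, m1, m2):
    """True when the product of two independent ciphertexts decrypts to m1*m2 mod p:
    the property that makes ElGamal malleable and hence not IND-CCA2 (slide 62)."""
    p = pk[0]
    c = multiply_ciphertexts(p, elgamal_encrypt(pk, m1), elgamal_encrypt(pk, m2))
    return elgamal_decrypt(sk, c) == m1 * m2 % p
```

Note that `elgamal_encrypt` with two different `k` values yields two different ciphertexts for the same message, which is the non-determinism that slide 41 points out and that plain RSA lacks.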
67 Homomorphic encryption redefined. $M$: message space. $C$: ciphertext space. $\odot_M$: some binary operation on $M$. $\odot_C$: some binary operation on $C$. Definition: An encryption scheme is homomorphic if for any encryption key $k$ the encryption function $E$ satisfies $E(m_1 \odot_M m_2) \leftarrow E(m_1) \odot_C E(m_2)$ for all messages $m_1, m_2 \in M$. Comment: "$\leftarrow$" means "an encryption of the left side can be computed from the right side".
68 An equivalent definition. Definition: An encryption scheme is homomorphic if its encryption $E$ and decryption $D$ satisfy $m_1 \odot_M m_2 = D(E(m_1) \odot_C E(m_2))$ for all messages $m_1, m_2 \in M$ and all encryption/decryption key pairs.
69 A generalized definition. Definition: An encryption scheme is homomorphic w.r.t. $\odot_M$ if there is a polynomial-time algorithm $A$ such that $m_1 \odot_M m_2 = D(A(E(m_1), E(m_2)))$, or equivalently $E(m_1 \odot_M m_2) \leftarrow A(E(m_1), E(m_2))$, for all messages $m_1, m_2 \in M$ and all encryption/decryption key pairs. Question: How to further generalize it?
70 Various homomorphic encryptions. An encryption scheme is additively homomorphic if it is homomorphic w.r.t. $+_M$; multiplicatively homomorphic if it is homomorphic w.r.t. $\times_M$; algebraically homomorphic if it is homomorphic w.r.t. both $+_M$ and $\times_M$. RSA and ElGamal are multiplicatively homomorphic. Padded RSA and OAEP-RSA are not homomorphic. RSA is not IND-CPA secure; ElGamal is.
71 Additively homomorphic ElGamal encryption. ElGamal encryption can be made additively homomorphic. Original ElGamal: $E(m) = (g^k, m y^k)$. Now, encrypt $m$ as $c = E(m) = (g^k, h^m y^k)$, where $g, h$ are generators of $Z_p^*$. Decrypting $c$ takes two steps: ElGamal decryption, $c \mapsto h^m$, then a discrete logarithm, $h^m \mapsto m$ (feasible only when $m$ ranges over a small set). Then $E(m_1 + m_2) \leftarrow E(m_1) E(m_2)$.
72 A simple application. To vote yes or no, encode a yes-vote as $m = 1$ and a no-vote as $m = -1$. Encrypt $m$ as $c = (g^k, h^m y^k)$. Send the encrypted vote $c$ to a trusted party. All votes: $\{c_1, c_2, \ldots, c_k\}$, $c_i = (g^{k_i}, h^{m_i} y^{k_i})$. $\prod_{i=1}^{k} c_i = E\left(\sum_{i=1}^{k} m_i \bmod (p-1)\right)$. $D\left(\prod_{i=1}^{k} c_i\right) = \sum_{i=1}^{k} m_i \bmod (p-1) = \sum_{i=1}^{k} m_i$ (why?).
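Added example (not from the slides) of the additively homomorphic ElGamal variant of slide 71 and the yes/no tally of slide 72, in Python. It uses the same constructed toy group ($p = 467$, $g = 2$) with $h = g^3$ as the second generator (a constructed choice; $\gcd(3, 466) = 1$ makes it one), and recovers the tally from $h^S$ by the small brute-force discrete logarithm that the slide's two-step decryption calls for.

```python
import secrets

P, G = 467, 2          # constructed toy group, 2 is a primitive root mod 467
H = pow(G, 3, P)       # a second generator (constructed choice; gcd(3, p-1) = 1)


def keygen(x=None):
    """Authority's key: private x in Z_{p-1}, public y = g^x mod p."""
    if x is None:
        x = secrets.randbelow(P - 1)
    return pow(G, x, P), x


def encrypt_vote(y, m, k=None):
    """Slides 71/72: a vote m in {+1, -1} becomes (g^k, h^m * y^k).
    h^{-1} is obtained by reducing the exponent modulo p-1."""
    if m not in (1, -1):
        raise ValueError("vote must be +1 (yes) or -1 (no)")
    if k is None:
        k = secrets.randbelow(P - 1)
    return pow(G, k, P), pow(H, m % (P - 1), P) * pow(y, k, P) % P


def tally(x, ballots):
    """Multiply all ballots, ElGamal-decrypt the product to h^S, then find S by
    searching the only range it can lie in (|S| <= number of ballots)."""
    a, b = 1, 1
    for ca, cb in ballots:
        a, b = a * ca % P, b * cb % P
    h_s = b * pow(pow(a, x, P), -1, P) % P
    n = len(ballots)
    for s in range(-n, n + 1):
        if pow(H, s % (P - 1), P) == h_s:
            return s
    raise ValueError("tally outside the expected range")
```

The search works because $|S| \le$ the number of ballots, which is far below $p - 1$, so the reduction modulo $p-1$ on slide 72 changes nothing (the "why?" on the slide).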
73 Yao's Millionaire Problem. Two millionaires, Alice and Bob, want to know who is richer without revealing their actual wealth. Alice is worth $a$ millions, and Bob $b$ millions. Q: $a < b$? Initially suggested and solved by Andrew Yao. Later generalized to a problem called Multiparty Computation. Would be trivial if there were a secure encryption scheme that is homomorphic w.r.t. "$<$", namely, $[m_1 < m_2] = D(A(E(m_1), E(m_2)))$.
74 Quadratic Residues. Let $n \ge 2$ be any number. Quadratic residues: elements in $Z_n^*$ which are a square. $QR_n$ = the subgroup of quadratic residues in $Z_n^*$. $QNR_n = Z_n^* \setminus QR_n$ = quadratic non-residues. Legendre symbol: $\left(\frac{x}{p}\right) = +1$ if $[x] \in QR_p$ ($x$ is a square); $-1$ if $[x] \in QNR_p$ (not a square); $0$ if $[x] = 0$. Euler's criterion: $\left(\frac{x}{p}\right) = x^{(p-1)/2} \bmod p$. Jacobi symbol: $\left(\frac{x}{n}\right) = \left(\frac{x}{p}\right)\left(\frac{x}{q}\right)$, assuming $n = pq$.
75 Quadratic Residues (cont'd). $x$ is a quadratic residue in $Z_n^*$ iff $\left(\frac{x}{p}\right) = \left(\frac{x}{q}\right) = 1$. Thus, $\left(\frac{x}{n}\right) = 1$ iff $\left(\frac{x}{p}\right) = \left(\frac{x}{q}\right) = \pm 1$. $Z_n^* = QR_n \cup QNR_n = QR_n \cup QNR_n^{+} \cup QNR_n^{-}$. If $\left(\frac{x}{n}\right) = -1$, then $x \in QNR_n^{-}$. If $\left(\frac{x}{n}\right) = +1$, then $x \in QR_n \cup QNR_n^{+}$. Quadratic residuosity assumption: given $x \in Z_n^*$ with $\left(\frac{x}{n}\right) = 1$, it is intractable to determine whether $x \in QR_n$ or $x \in QNR_n^{+}$ without knowing $n = pq$. Knowing $n = pq$, it is easy to determine whether $x \in QR_n$ or $x \in QNR_n^{+}$.
76 Goldwasser-Micali encryption scheme (idea). First probabilistic encryption scheme. Encrypt one bit $b \in \{0,1\}$ at a time. Encrypt $b = 0$ as a random number in $QR_n$. Encrypt $b = 1$ as a random number in $QNR_n^{+}$. To decrypt $c = E(b)$, simply determine whether $c \in QR_n$ (i.e., is $\left(\frac{c}{p}\right) = \left(\frac{c}{q}\right) = 1$?).
77 Goldwasser-Micali encryption scheme. Public key: $(g, n)$. Private key: $(p, q)$. System setup: Alice chooses $n = pq$ and $g \in_R QNR_n^{+}$. Encryption: $E(b) = g^b r^2$, where $r \in_R Z_n^*$. Note: $E(b)$ is a quadratic residue iff $b = 0$. To decrypt $c = E(b)$, simply determine whether $c \in QR_n$. Drawback: it takes $n = 1024$ bits to encrypt a single bit. This scheme has an expansion of 1024.
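Added example (not from the slides) of slides 74 to 77 in Python: the Legendre symbol via Euler's criterion, the Jacobi symbol for $n = pq$, the residue test that is easy with the factorization, and Goldwasser-Micali bit encryption and decryption built on them. The primes $p = 31$, $q = 43$ are constructed toy values; $g$ is chosen as the smallest element of $QNR_n^{+}$, a constructed choice standing in for the random one on slide 77.

```python
import math
import secrets


def legendre(x, p):
    """Slide 74, Euler's criterion: x^((p-1)/2) mod p is 1 for a residue,
    p-1 (i.e. -1) for a non-residue, 0 when p divides x."""
    r = pow(x % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def jacobi(x, p, q):
    """Slide 74: Jacobi symbol (x/n) = (x/p)(x/q) for n = pq."""
    return legendre(x, p) * legendre(x, q)


def is_qr(x, p, q):
    """Slide 75: with the factorization, x is in QR_n iff (x/p) = (x/q) = 1."""
    return legendre(x, p) == 1 and legendre(x, q) == 1


def gm_setup(p, q):
    """Slide 77: n = pq; g must lie in QNR_n^+ (Jacobi +1 but not a square).
    The smallest such g is taken here; slide 77 picks one at random."""
    n = p * q
    g = next(g for g in range(2, n) if jacobi(g, p, q) == 1 and not is_qr(g, p, q))
    return (g, n), (p, q)


def gm_encrypt_bit(pk, b, r=None):
    """Slide 77: E(b) = g^b * r^2 mod n with random r in Z_n^*."""
    g, n = pk
    if r is None:
        while True:
            r = secrets.randbelow(n - 1) + 1
            if math.gcd(r, n) == 1:
                break
    return pow(g, b, n) * r * r % n


def gm_decrypt_bit(sk, c):
    """Slide 77: c is a quadratic residue iff b = 0."""
    p, q = sk
    return 0 if is_qr(c, p, q) else 1


def gm_encrypt_bits(pk, bits):
    return [gm_encrypt_bit(pk, b) for b in bits]


def gm_decrypt_bits(sk, cts):
    return [gm_decrypt_bit(sk, c) for c in cts]


def expansion(pk):
    """Ciphertext bits per plaintext bit: |n| (slide 77's drawback)."""
    _, n = pk
    return n.bit_length()
```

Each plaintext bit costs a full element of $Z_n^*$, which is the expansion factor that slide 78 sets out to reduce.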
78 Reducing the expansion. Idea of Goldwasser-Micali: take a group $G$ and a subgroup $H$. Partition $G$ into two parts: $M_0 = H$ and $M_1 = G \setminus H$. Randomly select an element in $M_b$ to encrypt $b$. To generalize, choose $G$ and $H$ such that $G$ can be split into more parts. Benaloh: $k$ = small prime; $E(m) = g^m r^k$, $m \in \{0, \ldots, k-1\}$; expansion: $|n| / \log k$. Okamoto & Uchiyama: reduced the expansion to 3. Paillier: reduced the expansion to 2 using the group $Z_{n^2}^*$. Damgård & Jurik: generalized Paillier's scheme using the group $Z_{n^{s+1}}^*$, with expansion $1 + 1/s$.
79 Paillier's encryption scheme. One of the most well-known homomorphic encryptions. $G = Z_{n^2}^*$, where $n = pq$. $|G| = \varphi(n^2) = n \varphi(n)$. $H = \{z \in G : z \text{ is an } n\text{th residue mod } n^2\}$, i.e., $z = y^n \bmod n^2$ for some $y \in G$. $H$ is a subgroup and $|H| = \varphi(n)$. Use $H$ to divide $G$ into $n$ classes. Let $g \in G$ be any element with order a multiple of $n$.
80 Define $f : Z_n \times Z_n^* \to Z_{n^2}^*$, $(x, y) \mapsto g^x y^n \bmod n^2$. Theorem: $f$ is bijective. Each $x \in Z_n$ defines a class in $Z_{n^2}^*$, namely $f(x, Z_n^*) = \{f(x, y) : y \in Z_n^*\}$. Encryption: plaintext $m \in Z_n$; select a random $r \in Z_n^*$; ciphertext $c = g^m r^n \bmod n^2$. Additively homomorphic.
81 Decryption (private key: $n = pq$ or $\lambda(n)$): ciphertext $c \in Z_{n^2}^*$; plaintext $m = \dfrac{L(c^{\lambda(n)} \bmod n^2)}{L(g^{\lambda(n)} \bmod n^2)} \bmod n$, where $L(u) = (u-1)/n$. $\lambda(n)$ is the Carmichael function, i.e., the smallest integer $\lambda$ such that $a^{\lambda} \equiv 1 \pmod n$ for all $a \in Z_n^*$. For $n = pq$, $\lambda(n) = \mathrm{lcm}(p-1, q-1)$. (In RSA, $\lambda(n)$ can be used in place of $\varphi(n)$.)
82 Security. Assumption: without knowing $n = pq$, it is intractable to determine whether an element $z \in Z_{n^2}^*$ is an $n$th residue modulo $n^2$. If this assumption holds, Paillier's encryption scheme is semantically secure under CPA. Let $c$ be the ciphertext of either $m_0$ or $m_1$. So, either $c = g^{m_0} r^n \bmod n^2$ or $c = g^{m_1} r^n \bmod n^2$. So, $c g^{-m_0} = r^n \bmod n^2$ or $c g^{-m_0} = g^{m_1 - m_0} r^n \bmod n^2$. $c$ is the ciphertext of $m_0$ iff $c g^{-m_0}$ is an $n$th residue modulo $n^2$.
83 Question: In the above argument, which problem is reduced to which problem?
84 Additively homomorphic on $Z_n$. Recall: $E(m) = g^m r^n \bmod n^2$, $m \in Z_n$, $r \in_R Z_n^*$. $D(E(m_1) \cdot E(m_2) \bmod n^2) = m_1 + m_2 \bmod n$. $D(E(m)^k \bmod n^2) = k m \bmod n$. $D(E(m_1)^{m_2} \bmod n^2) = m_1 m_2 \bmod n$.
85 A simple application. To vote yes or no, encode a yes vote as $m = 1$ and a no vote as $m = -1$. Encrypt $m$ as $c = g^m r^n \bmod n^2$. Send the encrypted vote $c$ to a trusted party. All votes: $\{c_1, c_2, \ldots, c_k\}$. $D\left(\prod_{i=1}^{k} c_i \bmod n^2\right) = \sum_{i=1}^{k} m_i \bmod n = \sum_{i=1}^{k} m_i$ (why?).
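Added example (not from the slides) of Paillier's scheme from slides 79 to 85 in Python: key generation with $\lambda(n) = \mathrm{lcm}(p-1, q-1)$, encryption $g^m r^n \bmod n^2$, decryption through $L(u) = (u-1)/n$, the additive and scalar homomorphisms of slide 84, and the vote tally of slide 85. The primes $p = 31$, $q = 43$ are constructed toy values, and $g = n + 1$ is taken as the element whose order is a multiple of $n$ (a standard choice, stated here as an assumption of the example).

```python
import math
import secrets


def L(u, n):
    """Slide 81: L(u) = (u - 1) / n, applied to values that are 1 mod n."""
    return (u - 1) // n


def paillier_keygen(p, q):
    """Slides 79-81: n = pq, g = n+1 (order a multiple of n), lambda = lcm(p-1, q-1),
    and the precomputed inverse mu = L(g^lambda mod n^2)^{-1} mod n."""
    n = p * q
    if math.gcd(n, (p - 1) * (q - 1)) != 1:
        raise ValueError("need gcd(n, phi(n)) = 1")
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    g = n + 1
    mu = pow(L(pow(g, lam, n * n), n), -1, n)
    return (n, g), (n, lam, mu)


def paillier_encrypt(pk, m, r=None):
    """Slide 80: c = g^m * r^n mod n^2 with random r in Z_n^*; negative m is reduced mod n."""
    n, g = pk
    if r is None:
        while True:
            r = secrets.randbelow(n - 1) + 1
            if math.gcd(r, n) == 1:
                break
    return pow(g, m % n, n * n) * pow(r, n, n * n) % (n * n)


def paillier_decrypt(sk, c):
    """Slide 81: m = L(c^lambda mod n^2) / L(g^lambda mod n^2) mod n."""
    n, lam, mu = sk
    return L(pow(c, lam, n * n), n) * mu % n


def add_encrypted(pk, c1, c2):
    """Slide 84: E(m1) * E(m2) mod n^2 decrypts to m1 + m2 mod n."""
    n, _ = pk
    return c1 * c2 % (n * n)


def scale_encrypted(pk, c, k):
    """Slide 84: E(m)^k mod n^2 decrypts to k*m mod n."""
    n, _ = pk
    return pow(c, k, n * n)


def tally_votes(pk, sk, ballots):
    """Slide 85: yes = +1, no = -1 (stored as n-1); the product of the ballots
    decrypts to the sum mod n, mapped back to a signed count."""
    n, _ = pk
    acc = 1  # 1 is a valid encryption of 0 (m = 0, r = 1)
    for c in ballots:
        acc = add_encrypted(pk, acc, c)
    s = paillier_decrypt(sk, acc)
    return s - n if s > n // 2 else s
```

The final sign fix is the "why?" of slide 85: the true sum has absolute value at most the number of ballots, so it is recovered exactly as long as that number is below $n/2$.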
86 Fully homomorphic encryption. At STOC '09, Craig Gentry presented a fully homomorphic encryption scheme. A homomorphic public-key encryption scheme $S$ has four algorithms: KeyGen, Encrypt, Decrypt, Evaluate. $C$: a circuit. $S$ is homomorphic for $C$ if for any key pair $(sk, pk)$ output by KeyGen, any plaintexts $\pi_1, \ldots, \pi_t$, and any ciphertexts $\psi_1, \ldots, \psi_t$ with $\psi_i = \mathrm{Encrypt}(\pi_i)$, it holds that $C(\pi_1, \ldots, \pi_t) = \mathrm{Decrypt}(\mathrm{Evaluate}(C, \psi_1, \ldots, \psi_t))$. $S$ is fully homomorphic if it is homomorphic for all circuits.
87 Applications: protection of mobile agents; watermarking/fingerprinting protocols; electronic auction and lottery protocols; multiparty computation; oblivious transfer; privacy-preserving data mining; others.
ESE 5 Toy E. Smth. The Basc Example. TESTS BASED ON MAXIMUM LIKELIHOOD To llustrate the propertes of maxmum lkelhood estmates ad tests, we cosder the smplest possble case of estmatg the mea of the ormal
More informationMA 524 Homework 6 Solutions
MA 524 Homework 6 Solutos. Sce S(, s the umber of ways to partto [] to k oempty blocks, ad c(, s the umber of ways to partto to k oempty blocks ad also the arrage each block to a cycle, we must have S(,
More information1 Mixed Quantum State. 2 Density Matrix. CS Density Matrices, von Neumann Entropy 3/7/07 Spring 2007 Lecture 13. ψ = α x x. ρ = p i ψ i ψ i.
CS 94- Desty Matrces, vo Neuma Etropy 3/7/07 Sprg 007 Lecture 3 I ths lecture, we wll dscuss the bascs of quatum formato theory I partcular, we wll dscuss mxed quatum states, desty matrces, vo Neuma etropy
More informationNon-uniform Turán-type problems
Joural of Combatoral Theory, Seres A 111 2005 106 110 wwwelsevercomlocatecta No-uform Turá-type problems DhruvMubay 1, Y Zhao 2 Departmet of Mathematcs, Statstcs, ad Computer Scece, Uversty of Illos at
More informationå 1 13 Practice Final Examination Solutions - = CS109 Dec 5, 2018
Chrs Pech Fal Practce CS09 Dec 5, 08 Practce Fal Examato Solutos. Aswer: 4/5 8/7. There are multle ways to obta ths aswer; here are two: The frst commo method s to sum over all ossbltes for the rak of
More informationCHAPTER VI Statistical Analysis of Experimental Data
Chapter VI Statstcal Aalyss of Expermetal Data CHAPTER VI Statstcal Aalyss of Expermetal Data Measuremets do ot lead to a uque value. Ths s a result of the multtude of errors (maly radom errors) that ca
More informationMu Sequences/Series Solutions National Convention 2014
Mu Sequeces/Seres Solutos Natoal Coveto 04 C 6 E A 6C A 6 B B 7 A D 7 D C 7 A B 8 A B 8 A C 8 E 4 B 9 B 4 E 9 B 4 C 9 E C 0 A A 0 D B 0 C C Usg basc propertes of arthmetc sequeces, we fd a ad bm m We eed
More informationWireless Link Properties
Opportustc Ecrypto for Robust Wreless Securty R. Chadramoul ( Moul ) moul@steves.edu Multmeda System, Networkg, ad Commucatos (MSyNC) Laboratory, Departmet of Electrcal ad Computer Egeerg, Steves Isttute
More informationECONOMETRIC THEORY. MODULE VIII Lecture - 26 Heteroskedasticity
ECONOMETRIC THEORY MODULE VIII Lecture - 6 Heteroskedastcty Dr. Shalabh Departmet of Mathematcs ad Statstcs Ida Isttute of Techology Kapur . Breusch Paga test Ths test ca be appled whe the replcated data
More informationX X X E[ ] E X E X. is the ()m n where the ( i,)th. j element is the mean of the ( i,)th., then
Secto 5 Vectors of Radom Varables Whe workg wth several radom varables,,..., to arrage them vector form x, t s ofte coveet We ca the make use of matrx algebra to help us orgaze ad mapulate large umbers
More informationHomework 1: Solutions Sid Banerjee Problem 1: (Practice with Asymptotic Notation) ORIE 4520: Stochastics at Scale Fall 2015
Fall 05 Homework : Solutos Problem : (Practce wth Asymptotc Notato) A essetal requremet for uderstadg scalg behavor s comfort wth asymptotc (or bg-o ) otato. I ths problem, you wll prove some basc facts
More informationAnalysis of Lagrange Interpolation Formula
P IJISET - Iteratoal Joural of Iovatve Scece, Egeerg & Techology, Vol. Issue, December 4. www.jset.com ISS 348 7968 Aalyss of Lagrage Iterpolato Formula Vjay Dahya PDepartmet of MathematcsMaharaja Surajmal
More informationParameter, Statistic and Random Samples
Parameter, Statstc ad Radom Samples A parameter s a umber that descrbes the populato. It s a fxed umber, but practce we do ot kow ts value. A statstc s a fucto of the sample data,.e., t s a quatty whose
More informationChapter 5 Properties of a Random Sample
Lecture 6 o BST 63: Statstcal Theory I Ku Zhag, /0/008 Revew for the prevous lecture Cocepts: t-dstrbuto, F-dstrbuto Theorems: Dstrbutos of sample mea ad sample varace, relatoshp betwee sample mea ad sample
More informationNP!= P. By Liu Ran. Table of Contents. The P vs. NP problem is a major unsolved problem in computer
NP!= P By Lu Ra Table of Cotets. Itroduce 2. Strategy 3. Prelmary theorem 4. Proof 5. Expla 6. Cocluso. Itroduce The P vs. NP problem s a major usolved problem computer scece. Iformally, t asks whether
More informationA tighter lower bound on the circuit size of the hardest Boolean functions
Electroc Colloquum o Computatoal Complexty, Report No. 86 2011) A tghter lower boud o the crcut sze of the hardest Boolea fuctos Masak Yamamoto Abstract I [IPL2005], Fradse ad Mlterse mproved bouds o the
More informationFeature Selection: Part 2. 1 Greedy Algorithms (continued from the last lecture)
CSE 546: Mache Learg Lecture 6 Feature Selecto: Part 2 Istructor: Sham Kakade Greedy Algorthms (cotued from the last lecture) There are varety of greedy algorthms ad umerous amg covetos for these algorthms.
More informationUNIVERSITY OF OSLO DEPARTMENT OF ECONOMICS
UNIVERSITY OF OSLO DEPARTMENT OF ECONOMICS Exam: ECON430 Statstcs Date of exam: Frday, December 8, 07 Grades are gve: Jauary 4, 08 Tme for exam: 0900 am 00 oo The problem set covers 5 pages Resources allowed:
More informationFor combinatorial problems we might need to generate all permutations, combinations, or subsets of a set.
Addtoal Decrease ad Coquer Algorthms For combatoral problems we mght eed to geerate all permutatos, combatos, or subsets of a set. Geeratg Permutatos If we have a set f elemets: { a 1, a 2, a 3, a } the
More informationKnowledge-Proof Based Versatile Smart Card Verification Protocol
Kowledge-Proof Based Versatle Smart Card Verfcato Protocol DaeHu Nyag ad JooSeok Sog Departmet of Computer Scece Departmet, Yose Uversty SeodaemuGu ShchoDog 34, Seoul 20-749, Korea fyag, jssogg@emerald.yose.ac.kr
More informationLecture 1. (Part II) The number of ways of partitioning n distinct objects into k distinct groups containing n 1,
Lecture (Part II) Materals Covered Ths Lecture: Chapter 2 (2.6 --- 2.0) The umber of ways of parttog dstct obects to dstct groups cotag, 2,, obects, respectvely, where each obect appears exactly oe group
More informationLecture 7. Confidence Intervals and Hypothesis Tests in the Simple CLR Model
Lecture 7. Cofdece Itervals ad Hypothess Tests the Smple CLR Model I lecture 6 we troduced the Classcal Lear Regresso (CLR) model that s the radom expermet of whch the data Y,,, K, are the outcomes. The
More information1. A real number x is represented approximately by , and we are told that the relative error is 0.1 %. What is x? Note: There are two answers.
PROBLEMS A real umber s represeted appromately by 63, ad we are told that the relatve error s % What s? Note: There are two aswers Ht : Recall that % relatve error s What s the relatve error volved roudg
More informationA BASIS OF THE GROUP OF PRIMITIVE ALMOST PYTHAGOREAN TRIPLES
Joural of Algebra Number Theory: Advaces ad Applcatos Volume 6 Number 6 Pages 5-7 Avalable at http://scetfcadvaces.co. DOI: http://dx.do.org/.864/ataa_77 A BASIS OF THE GROUP OF PRIMITIVE ALMOST PYTHAGOREAN
More information5 Short Proofs of Simplified Stirling s Approximation
5 Short Proofs of Smplfed Strlg s Approxmato Ofr Gorodetsky, drtymaths.wordpress.com Jue, 20 0 Itroducto Strlg s approxmato s the followg (somewhat surprsg) approxmato of the factoral,, usg elemetary fuctos:
More informationAN UPPER BOUND FOR THE PERMANENT VERSUS DETERMINANT PROBLEM BRUNO GRENET
AN UPPER BOUND FOR THE PERMANENT VERSUS DETERMINANT PROBLEM BRUNO GRENET Abstract. The Permaet versus Determat problem s the followg: Gve a matrx X of determates over a feld of characterstc dfferet from
More informationLecture 3. Sampling, sampling distributions, and parameter estimation
Lecture 3 Samplg, samplg dstrbutos, ad parameter estmato Samplg Defto Populato s defed as the collecto of all the possble observatos of terest. The collecto of observatos we take from the populato s called
More informationL5 Polynomial / Spline Curves
L5 Polyomal / Sple Curves Cotets Coc sectos Polyomal Curves Hermte Curves Bezer Curves B-Sples No-Uform Ratoal B-Sples (NURBS) Mapulato ad Represetato of Curves Types of Curve Equatos Implct: Descrbe a
More informationChapter 4 (Part 1): Non-Parametric Classification (Sections ) Pattern Classification 4.3) Announcements
Aoucemets No-Parametrc Desty Estmato Techques HW assged Most of ths lecture was o the blacboard. These sldes cover the same materal as preseted DHS Bometrcs CSE 90-a Lecture 7 CSE90a Fall 06 CSE90a Fall
More informationA New Measure of Probabilistic Entropy. and its Properties
Appled Mathematcal Sceces, Vol. 4, 200, o. 28, 387-394 A New Measure of Probablstc Etropy ad ts Propertes Rajeesh Kumar Departmet of Mathematcs Kurukshetra Uversty Kurukshetra, Ida rajeesh_kuk@redffmal.com
More informationInvestigation of Partially Conditional RP Model with Response Error. Ed Stanek
Partally Codtoal Radom Permutato Model 7- vestgato of Partally Codtoal RP Model wth Respose Error TRODUCTO Ed Staek We explore the predctor that wll result a smple radom sample wth respose error whe a
More informationMultiple Regression. More than 2 variables! Grade on Final. Multiple Regression 11/21/2012. Exam 2 Grades. Exam 2 Re-grades
STAT 101 Dr. Kar Lock Morga 11/20/12 Exam 2 Grades Multple Regresso SECTIONS 9.2, 10.1, 10.2 Multple explaatory varables (10.1) Parttog varablty R 2, ANOVA (9.2) Codtos resdual plot (10.2) Trasformatos
More informationMA/CSSE 473 Day 27. Dynamic programming
MA/CSSE 473 Day 7 Dyamc Programmg Bomal Coeffcets Warshall's algorthm (Optmal BSTs) Studet questos? Dyamc programmg Used for problems wth recursve solutos ad overlappg subproblems Typcally, we save (memoze)
More informationEntropy ISSN by MDPI
Etropy 2003, 5, 233-238 Etropy ISSN 1099-4300 2003 by MDPI www.mdp.org/etropy O the Measure Etropy of Addtve Cellular Automata Hasa Aı Arts ad Sceces Faculty, Departmet of Mathematcs, Harra Uversty; 63100,
More information9 U-STATISTICS. Eh =(m!) 1 Eh(X (1),..., X (m ) ) i.i.d
9 U-STATISTICS Suppose,,..., are P P..d. wth CDF F. Our goal s to estmate the expectato t (P)=Eh(,,..., m ). Note that ths expectato requres more tha oe cotrast to E, E, or Eh( ). Oe example s E or P((,
More informationAttribute-Based Key-Insulated Encryption *
JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 7 437-449 (0) Attrbute-Based Key-Isulated Ecrypto JIAN-HONG CHEN YONG-TAO WANG AND KE-FEI CHEN 3 Departmet of Computer Scece ad Egeerg Shagha Jao Tog Uversty
More informationDepartment of Agricultural Economics. PhD Qualifier Examination. August 2011
Departmet of Agrcultural Ecoomcs PhD Qualfer Examato August 0 Istructos: The exam cossts of sx questos You must aswer all questos If you eed a assumpto to complete a questo, state the assumpto clearly
More informationQR Factorization and Singular Value Decomposition COS 323
QR Factorzato ad Sgular Value Decomposto COS 33 Why Yet Aother Method? How do we solve least-squares wthout currg codto-squarg effect of ormal equatos (A T A A T b) whe A s sgular, fat, or otherwse poorly-specfed?
More informationChapter 4 Multiple Random Variables
Revew for the prevous lecture: Theorems ad Examples: How to obta the pmf (pdf) of U = g (, Y) ad V = g (, Y) Chapter 4 Multple Radom Varables Chapter 44 Herarchcal Models ad Mxture Dstrbutos Examples:
More informationhp calculators HP 30S Statistics Averages and Standard Deviations Average and Standard Deviation Practice Finding Averages and Standard Deviations
HP 30S Statstcs Averages ad Stadard Devatos Average ad Stadard Devato Practce Fdg Averages ad Stadard Devatos HP 30S Statstcs Averages ad Stadard Devatos Average ad stadard devato The HP 30S provdes several
More informationEconometric Methods. Review of Estimation
Ecoometrc Methods Revew of Estmato Estmatg the populato mea Radom samplg Pot ad terval estmators Lear estmators Ubased estmators Lear Ubased Estmators (LUEs) Effcecy (mmum varace) ad Best Lear Ubased Estmators
More informationρ < 1 be five real numbers. The
Lecture o BST 63: Statstcal Theory I Ku Zhag, /0/006 Revew for the prevous lecture Deftos: covarace, correlato Examples: How to calculate covarace ad correlato Theorems: propertes of correlato ad covarace
More informationThis lecture and the next. Why Sorting? Sorting Algorithms so far. Why Sorting? (2) Selection Sort. Heap Sort. Heapsort
Ths lecture ad the ext Heapsort Heap data structure ad prorty queue ADT Qucksort a popular algorthm, very fast o average Why Sortg? Whe doubt, sort oe of the prcples of algorthm desg. Sortg used as a subroute
More informationQualifying Exam Statistical Theory Problem Solutions August 2005
Qualfyg Exam Statstcal Theory Problem Solutos August 5. Let X, X,..., X be d uform U(,),
More informationUNIVERSITY OF OSLO DEPARTMENT OF ECONOMICS
UNIVERSITY OF OSLO DEPARTMENT OF ECONOMICS Postpoed exam: ECON430 Statstcs Date of exam: Jauary 0, 0 Tme for exam: 09:00 a.m. :00 oo The problem set covers 5 pages Resources allowed: All wrtte ad prted
More informationLikewise, properties of the optimal policy for equipment replacement & maintenance problems can be used to reduce the computation.
Whe solvg a vetory repleshmet problem usg a MDP model, kowg that the optmal polcy s of the form (s,s) ca reduce the computatoal burde. That s, f t s optmal to replesh the vetory whe the vetory level s,
More informationThe internal structure of natural numbers, one method for the definition of large prime numbers, and a factorization test
Fal verso The teral structure of atural umbers oe method for the defto of large prme umbers ad a factorzato test Emmaul Maousos APM Isttute for the Advacemet of Physcs ad Mathematcs 3 Poulou str. 53 Athes
More informationArithmetic Mean and Geometric Mean
Acta Mathematca Ntresa Vol, No, p 43 48 ISSN 453-6083 Arthmetc Mea ad Geometrc Mea Mare Varga a * Peter Mchalča b a Departmet of Mathematcs, Faculty of Natural Sceces, Costate the Phlosopher Uversty Ntra,
More informationRandom Variables and Probability Distributions
Radom Varables ad Probablty Dstrbutos * If X : S R s a dscrete radom varable wth rage {x, x, x 3,. } the r = P (X = xr ) = * Let X : S R be a dscrete radom varable wth rage {x, x, x 3,.}.If x r P(X = x
More informationBayes (Naïve or not) Classifiers: Generative Approach
Logstc regresso Bayes (Naïve or ot) Classfers: Geeratve Approach What do we mea by Geeratve approach: Lear p(y), p(x y) ad the apply bayes rule to compute p(y x) for makg predctos Ths s essetally makg
More informationLinear Approximating to Integer Addition
Lear Approxmatg to Iteger Addto L A-Pg Bejg 00085, P.R. Cha apl000@a.com Abtract The teger addto ofte appled cpher a a cryptographc mea. I th paper we wll preet ome reult about the lear approxmatg for
More informationSTATISTICAL PROPERTIES OF LEAST SQUARES ESTIMATORS. x, where. = y - ˆ " 1
STATISTICAL PROPERTIES OF LEAST SQUARES ESTIMATORS Recall Assumpto E(Y x) η 0 + η x (lear codtoal mea fucto) Data (x, y ), (x 2, y 2 ),, (x, y ) Least squares estmator ˆ E (Y x) ˆ " 0 + ˆ " x, where ˆ
More informationChapter 3 Sampling For Proportions and Percentages
Chapter 3 Samplg For Proportos ad Percetages I may stuatos, the characterstc uder study o whch the observatos are collected are qualtatve ature For example, the resposes of customers may marketg surveys
More informationIdeal multigrades with trigonometric coefficients
Ideal multgrades wth trgoometrc coeffcets Zarathustra Brady December 13, 010 1 The problem A (, k) multgrade s defed as a par of dstct sets of tegers such that (a 1,..., a ; b 1,..., b ) a j = =1 for all
More informationGiven a table of data poins of an unknown or complicated function f : we want to find a (simpler) function p s.t. px (
Iterpolato 1 Iterpolato Gve a table of data pos of a ukow or complcated fucto f : y 0 1 2 y y y y 0 1 2 we wat to fd a (smpler) fucto p s.t. p ( ) = y for = 0... p s sad to terpolate the table or terpolate
More informationCS286.2 Lecture 4: Dinur s Proof of the PCP Theorem
CS86. Lecture 4: Dur s Proof of the PCP Theorem Scrbe: Thom Bohdaowcz Prevously, we have prove a weak verso of the PCP theorem: NP PCP 1,1/ (r = poly, q = O(1)). Wth ths result we have the desred costat
More informationClass 13,14 June 17, 19, 2015
Class 3,4 Jue 7, 9, 05 Pla for Class3,4:. Samplg dstrbuto of sample mea. The Cetral Lmt Theorem (CLT). Cofdece terval for ukow mea.. Samplg Dstrbuto for Sample mea. Methods used are based o CLT ( Cetral
More informationMATH 247/Winter Notes on the adjoint and on normal operators.
MATH 47/Wter 00 Notes o the adjot ad o ormal operators I these otes, V s a fte dmesoal er product space over, wth gve er * product uv, T, S, T, are lear operators o V U, W are subspaces of V Whe we say
More informationENGI 4421 Joint Probability Distributions Page Joint Probability Distributions [Navidi sections 2.5 and 2.6; Devore sections
ENGI 441 Jot Probablty Dstrbutos Page 7-01 Jot Probablty Dstrbutos [Navd sectos.5 ad.6; Devore sectos 5.1-5.] The jot probablty mass fucto of two dscrete radom quattes, s, P ad p x y x y The margal probablty
More informationMedian as a Weighted Arithmetic Mean of All Sample Observations
Meda as a Weghted Arthmetc Mea of All Sample Observatos SK Mshra Dept. of Ecoomcs NEHU, Shllog (Ida). Itroducto: Iumerably may textbooks Statstcs explctly meto that oe of the weakesses (or propertes) of
More informationd dt d d dt dt Also recall that by Taylor series, / 2 (enables use of sin instead of cos-see p.27 of A&F) dsin
Learzato of the Swg Equato We wll cover sectos.5.-.6 ad begg of Secto 3.3 these otes. 1. Sgle mache-fte bus case Cosder a sgle mache coected to a fte bus, as show Fg. 1 below. E y1 V=1./_ Fg. 1 The admttace
More informationSimulation Output Analysis
Smulato Output Aalyss Summary Examples Parameter Estmato Sample Mea ad Varace Pot ad Iterval Estmato ermatg ad o-ermatg Smulato Mea Square Errors Example: Sgle Server Queueg System x(t) S 4 S 4 S 3 S 5
More informationMultiple Choice Test. Chapter Adequacy of Models for Regression
Multple Choce Test Chapter 06.0 Adequac of Models for Regresso. For a lear regresso model to be cosdered adequate, the percetage of scaled resduals that eed to be the rage [-,] s greater tha or equal to
More informationIntroduction to Matrices and Matrix Approach to Simple Linear Regression
Itroducto to Matrces ad Matrx Approach to Smple Lear Regresso Matrces Defto: A matrx s a rectagular array of umbers or symbolc elemets I may applcatos, the rows of a matrx wll represet dvduals cases (people,
More informationIII-16 G. Brief Review of Grand Orthogonality Theorem and impact on Representations (Γ i ) l i = h n = number of irreducible representations.
III- G. Bref evew of Grad Orthogoalty Theorem ad mpact o epresetatos ( ) GOT: h [ () m ] [ () m ] δδ δmm ll GOT puts great restrcto o form of rreducble represetato also o umber: l h umber of rreducble
More informationOrdinary Least Squares Regression. Simple Regression. Algebra and Assumptions.
Ordary Least Squares egresso. Smple egresso. Algebra ad Assumptos. I ths part of the course we are gog to study a techque for aalysg the lear relatoshp betwee two varables Y ad X. We have pars of observatos
More information( ) 2 2. Multi-Layer Refraction Problem Rafael Espericueta, Bakersfield College, November, 2006
Mult-Layer Refracto Problem Rafael Espercueta, Bakersfeld College, November, 006 Lght travels at dfferet speeds through dfferet meda, but refracts at layer boudares order to traverse the least-tme path.
More information