Lattice Cryptography: Introduction and Open Problems

Lattice Cryptography: Introduction and Open Problems
Daniele Micciancio
Department of Computer Science and Engineering
University of California, San Diego
August 2015
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

Point Lattices
The simplest example of a lattice is $\mathbb{Z}^n = \{(x_1, \ldots, x_n) : x_i \in \mathbb{Z}\}$.
Other lattices are obtained by applying a linear transformation $B$: $x = (x_1, \ldots, x_n) \mapsto Bx = x_1 b_1 + \cdots + x_n b_n$.
[Figure: the map $B$ sends the unit vectors $(1, 0)$ and $(0, 1)$ to the basis vectors $b_1$ and $b_2$.]

Lattice Cryptography
[Timeline: cryptanalysis, crypto design, today]
Lenstra, Lenstra, Lovász (1982): the LLL paper, "Factoring Polynomials with Rational Coefficients"
- Algorithmic breakthrough
- Efficient approximate solution of lattice problems
- Exponential approximation factor, but very good in practice
- Killer App: Cryptanalysis
Ajtai (1996): "Generating Hard Instances of Lattice Problems"
- Marks the beginning of the modern use of lattices in the design of cryptographic functions

Ajtai's paper (quotes)
cryptography... generation of a specific instance of a problem in NP which is thought to be difficult.
NP-hard problems
very famous question (e.g., prime factorization).
Unfortunately difficult to solve means... in the worst case
no guidance about how to create [a hard instance]
possible solution
1. find a set of randomly generated problems, and
2. show that if there is an algorithm which [works] with a positive probability, then there is also an algorithm which solves the famous problem in the worst case.
In this paper we give such a class of random problems.

Example: Discrete Logarithm (DLOG)
- $p$: a prime
- $\mathbb{Z}_p^*$: multiplicative group
- $g \in \mathbb{Z}_p^*$: generator of (prime order sub-)group $G = \{g^i : i \in \mathbb{Z}\} \subseteq \mathbb{Z}_p^*$
- Input: $h = g^i \bmod p$
DLOG Problem: Given $p, g, h$, recover $i$ (modulo $q = o(g)$).
Random Self Reducibility: If you can solve DLOG for random $g$ and $h$ (with some probability), then you can solve it for any $g, h$ in the worst case.

DLOG: Random Self Reducibility (RSR)
1. Given arbitrary $g, h$
2. Compute $g' = g^a$ and $h' = h^{ab}$ for random $a, b \in \mathbb{Z}_q$.
3. Notice: $g', h' \in G$ are (almost) uniformly random, and $h' = h^{ab} = g^{iab} = (g')^{ib}$
4. Find $j = \mathrm{DLOG}(g', h') = ib$
5. Output $j/b \pmod q$.
Conclusion: We know how to choose $g, h \in G$. But, how do we choose $G$?
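
The five steps above, written out as an added Python example (not code from the talk). The toy group ($p = 1019$, $q = 509$, $g = 4$), the hypothetical `average_case_oracle` that answers on only about a quarter of instances, and the choice to draw $a$ and $b$ nonzero are assumptions made for the illustration.

```python
import random

# Toy parameters (constructed for this example): P = 2Q + 1 with P and Q
# prime, and G = 4 generates the subgroup of order Q in Z_P^*.
P, Q, G = 1019, 509, 4


def brute_force_dlog(g1, h1):
    """Exhaustive search for k with g1^k = h1 (mod P); only viable for toy Q."""
    acc = 1
    for k in range(Q):
        if acc == h1:
            return k
        acc = acc * g1 % P
    return None


def average_case_oracle(g1, h1):
    """Hypothetical solver that answers only on a fraction of instances.

    It stands in for an algorithm that solves DLOG for random g and h with
    some probability: it gives up unless (31*g1 + h1) % 4 == 0.
    """
    if (31 * g1 + h1) % 4 != 0:
        return None
    return brute_force_dlog(g1, h1)


def worst_case_dlog(g, h, rng, max_tries=10_000):
    """Recover i with g^i = h (mod P) for an arbitrary generator g and h in G."""
    if h == 1:
        return 0  # the one instance that re-randomization cannot hide
    for _ in range(max_tries):
        # Step 2: re-randomize. a and b are drawn nonzero (a choice made
        # here) so that g1 is again a generator and b is invertible mod Q.
        a = rng.randrange(1, Q)
        b = rng.randrange(1, Q)
        g1 = pow(g, a, P)
        h1 = pow(h, a * b, P)  # step 3: h1 = g^(i*a*b) = g1^(i*b)
        # Step 4: hand the random-looking instance to the average-case solver.
        j = average_case_oracle(g1, h1)
        if j is None:
            continue  # the solver failed on this instance; draw a new one
        # Step 5: undo the blinding, i = j / b (mod Q), and verify.
        i = j * pow(b, -1, Q) % Q
        if pow(g, i, P) == h:
            return i
    raise RuntimeError("oracle never succeeded")


if __name__ == "__main__":
    rng = random.Random(2015)
    h = pow(G, 5, P)
    print("direct oracle call:", average_case_oracle(G, h))
    print("via self-reduction:", worst_case_dlog(G, h, rng))
```

The instance $(g, h) = (4, 5)$ is one the oracle refuses to answer directly; the self-reduction recovers its exponent anyway by retrying on fresh random instances.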

DLOG vs Lattices (1)
Lattice Assumption: The complexity of solving lattice problems in $n$-dimensional lattices grows superpolynomially (or exponentially) in $n$.
Similarly, one may conjecture that the complexity of DLOG grows superpolynomially in $n = \log p$ or $n = \log |G|$.
This is not the same:
- For any $n$, there are (exponentially) many primes $p$.
- Typically, $p$ is chosen at random among all $n$-bit primes.
- Assumption is still average-case: DLOG is hard for random $p$.
- We do not know how to reduce $\mathrm{DLOG}(\mathbb{Z}_p^*)$ to $\mathrm{DLOG}(\mathbb{Z}_q^*)$.
- RSR provides no guidance on how to choose $p$.

DLOG vs Lattices (2)
Alternative assumption: $\mathrm{DLOG}(p_n)$ is hard when $p_n$ is the smallest prime $> 2^n$.
- Equivalent to worst-case family of problems (indexed by $n$)
- Ad-hoc: problem definition seems rather arbitrary
There is more:
- Lattice problems in dimension $n$ reduce to lattice problems in dimension $m > n$: B = B O O
- No such reduction for DLOG: $\mathrm{DLOG}(p_n) \stackrel{?}{=} \mathrm{DLOG}(p_{n+1})$

DLOG vs Lattices (3)
Other (natural) representations: $G = (\mathbb{Z}_p^*, \cdot) \cong (\mathbb{Z}_{p-1}, +)$, but DLOG in $(\mathbb{Z}_{p-1}, +)$ is easy.
Other (still natural) groups: $G = \mathbb{Z}_{pq}^*$
Question: Assume one of $\mathrm{DLOG}(\mathbb{Z}_p^*)$ and $\mathrm{DLOG}(\mathbb{Z}_{pq}^*)$ is polynomial time solvable, and one is not. Which group family would you choose?
Chinese Remainder Theorem (CRT): $\mathbb{Z}_{pq}^* \cong \mathbb{Z}_p^* \times \mathbb{Z}_q^*$
- $\mathrm{DLOG}(\mathbb{Z}_p^*) = \mathrm{DLOG}(\mathbb{Z}_{pq}^*)$.
- Reduction in the other direction requires factoring.

Ajtai's one-way function (SIS)
- Parameters: $m, n, q \in \mathbb{Z}$
- Key: $A \in \mathbb{Z}_q^{n \times m}$
- Input: $x \in \{0, 1\}^m$
- Output: $f_A(x) = Ax \bmod q$
[Figure: the $n \times m$ matrix $A$ applied to the length-$m$ vector $x$ gives $Ax$.]
Theorem (A'96): For $m > n \lg q$, if lattice problems (SIVP) are hard to approximate in the worst-case, then $f_A(x) = Ax \bmod q$ is a one-way function.
Applications: OWF [A'96], Hashing [GGH'97], Commit [KTX'08], ID schemes [L'08], Signatures [LM'08, GPV'08, ..., DDLL'13] ...

Relation to lattices
The kernel set $\Lambda^\perp(A)$ is a lattice: $\Lambda^\perp(A) = \{z \in \mathbb{Z}^m : Az = 0 \pmod q\}$
Collisions $Ax = Ay \pmod q$ can be represented by a single vector $z = x - y \in \{-1, 0, 1\}^m$ such that $Az = Ax - Ay = 0 \bmod q$
Collisions are lattice vectors $z \in \Lambda^\perp(A)$ with small norm $\|z\|_\infty = \max_i |z_i| = 1$.
... there is a much deeper and interesting relation between breaking $f_A$ and lattice problems.
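
Added example, not from the talk: for toy parameters $n = 2$, $m = 8$, $q = 5$ (constructed so that $m > n \lg q$) it evaluates $f_A$, finds a collision by exhaustive search, and checks that the difference $z = x - y$ lies in the kernel lattice with max-norm 1. All function names are hypothetical.

```python
import itertools
import random
from math import log2

# Toy parameters (constructed for this example), chosen so that m > n lg q:
# 2^8 = 256 binary inputs are mapped onto only 5^2 = 25 possible outputs.
N, M, Q = 2, 8, 5


def sample_key(rng):
    """Uniformly random key A in Z_q^{n x m}, stored as a list of n rows."""
    return [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]


def f(A, x):
    """Ajtai's function f_A(x) = A x mod q."""
    return tuple(sum(a * xi for a, xi in zip(row, x)) % Q for row in A)


def find_collision(A):
    """Exhaustive search over {0,1}^m; the pigeonhole principle guarantees
    a hit after at most q^n + 1 inputs for these parameters."""
    seen = {}
    for x in itertools.product((0, 1), repeat=M):
        y = f(A, x)
        if y in seen:
            return seen[y], x
        seen[y] = x
    return None


def in_kernel_lattice(A, z):
    """Membership test for the kernel lattice {z in Z^m : A z = 0 mod q}."""
    return f(A, z) == (0,) * N


def collision_to_short_vector(A):
    """Turn a collision (x, y) into the short kernel vector z = x - y."""
    x, y = find_collision(A)
    z = tuple(xi - yi for xi, yi in zip(x, y))
    return x, y, z


if __name__ == "__main__":
    A = sample_key(random.Random(1996))
    x, y, z = collision_to_short_vector(A)
    print("m =", M, "> n lg q =", round(N * log2(Q), 2))
    print("x =", x, " y =", y)
    print("z =", z, " max|z_i| =", max(abs(v) for v in z))
    print("A z = 0 mod q:", in_kernel_lattice(A, z))
```

Exhaustive search works here only because $2^m$ is tiny; the theorem on the previous slide concerns parameters where no such search is feasible.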

Shortest Vector Problem
Definition (Shortest Vector Problem, SVP): Given a lattice $\mathcal{L}(B)$, find a (nonzero) lattice vector $Bx$ (with $x \in \mathbb{Z}^k$) of length (at most) $\|Bx\| \le \lambda_1$.
[Figure: lattice with basis $b_1, b_2$, the vector $Bx = 5b_1 - 2b_2$, and radius $\lambda_1$.]
Definition (Shortest Vector Problem, SVP$_\gamma$): Given a lattice $\mathcal{L}(B)$, find a (nonzero) lattice vector $Bx$ (with $x \in \mathbb{Z}^k$) of length (at most) $\|Bx\| \le \gamma\lambda_1$.
[Figure: the same lattice with radii $\lambda_1$ and $2\lambda_1$.]

Closest Vector Problem
Definition (Closest Vector Problem, CVP): Given a lattice $\mathcal{L}(B)$ and a target point $t$, find a lattice vector $Bx$ within distance $\|Bx - t\| \le \mu$ from the target.
[Figure: lattice with basis $b_1, b_2$, target $t$, lattice point $Bx$, and distance $\mu$.]
Definition (Closest Vector Problem, CVP$_\gamma$): Given a lattice $\mathcal{L}(B)$ and a target point $t$, find a lattice vector $Bx$ within distance $\|Bx - t\| \le \gamma\mu$ from the target.
[Figure: the same lattice and target with radii $\mu$ and $2\mu$.]

Shortest Independent Vectors Problem
Definition (Shortest Independent Vectors Problem, SIVP): Given a lattice $\mathcal{L}(B)$, find $n$ linearly independent lattice vectors $Bx_1, \ldots, Bx_n$ of length (at most) $\max_i \|Bx_i\| \le \lambda_n$.
[Figure: lattice with basis $b_1, b_2$, vectors $Bx_1$ and $Bx_2$, and radius $\lambda_2$.]
Definition (Shortest Independent Vectors Problem, SIVP$_\gamma$): Given a lattice $\mathcal{L}(B)$, find $n$ linearly independent lattice vectors $Bx_1, \ldots, Bx_n$ of length (at most) $\max_i \|Bx_i\| \le \gamma\lambda_n$.
[Figure: the same lattice with radii $\lambda_2$ and $2\lambda_2$.]

Minimum Distance and Successive Minima
Minimum distance: $\lambda_1 = \min_{x, y \in \mathcal{L},\, x \ne y} \|x - y\| = \min_{x \in \mathcal{L},\, x \ne 0} \|x\|$
Successive minima ($i = 1, \ldots, n$): $\lambda_i = \min\{r : \dim \operatorname{span}(\mathcal{B}(r) \cap \mathcal{L}) \ge i\}$
Examples:
- $\mathbb{Z}^n$: $\lambda_1 = \lambda_2 = \cdots = \lambda_n = 1$
- Always: $\lambda_1 \le \lambda_2 \le \cdots \le \lambda_n$
[Figure: lattice with $\lambda_1$ and $\lambda_2$ marked.]

Blurring a lattice
Consider a lattice $\Lambda$, and add noise to each lattice point until the entire space is covered.
How much noise is needed? r n λn /2
Increase the noise until the space is uniformly covered.
How much noise is needed? [MR] r (log n) n λ n /2
Each point $a \in \mathbb{R}^n$ can be written $a = v + r$ where $v \in \mathcal{L}$ and r nλ n.
$a \in \mathbb{R}^n/\Lambda$ is uniformly distributed.
Think of $\mathbb{R}^n \approx \frac{1}{q}\Lambda$ [GPV'07]
[Figure: a point $a$ written as a lattice point $v$ plus an offset $r$.]

Average-case hardness (sketch)
Generate random points $a_i = v_i + r_i \in \frac{1}{q}\Lambda$, where
- $v_i \in \Lambda$ is a random lattice point
- $r_i$ is a random error vector of length r i nλ n
$A = [a_1, \ldots, a_m] \in \frac{1}{q}\Lambda^m \equiv \mathbb{Z}_q^{n \times m}$
Assume we can find a short lattice vector $z \in \mathbb{Z}^m$: $\sum_i (v_i + r_i) z_i = \sum_i a_i z_i = Az = 0$
Rearranging the terms yields a lattice vector $\sum_i v_i z_i = -\sum_i r_i z_i$ of length at most r i z i m max r i n λ n

Shortcomings of Ajtai's function
Expressivity:
- Ajtai's proof requires $m > n \log q$
- The function $f_A : \{0, 1\}^m \to \mathbb{Z}_q^n$ is not injective
- Enough for one-way functions, collision resistant hashing, some digital signatures, commitments, identification, etc.
- ... but (public key) encryption seems to require stronger assumptions.
- 1996: Ajtai-Dwork cryptosystem, based on the unique Shortest Vector Problem.
Efficiency:
- The matrix/key $A \in \mathbb{Z}_q^{n \times m}$ requires $\Omega(n^2)$ storage (and computation)
- 1996: NTRU Cryptosystem, efficient, but not supported by security proof from worst-case lattice problems.

Learning with errors (LWE)
$A \in \mathbb{Z}_q^{m \times n}$, $s \in \mathbb{Z}_q^n$, $e \in E^m$.
$g_A(s; e) = As + e \bmod q$
Learning with Errors: Given $A$ and $g_A(s, e)$, recover $s$.
Theorem (Regev'05): The function $g_A(s, e)$ is hard to invert on the average, assuming SIVP is hard to approximate in the worst-case even for quantum computers.
[Figure: the $m \times n$ matrix $A$ applied to $s$, plus the error $e$, gives $b$.]

SIS/LWE as CVP
Candidate OWF
- Key: a hard lattice $\mathcal{L}$
- Input: $x$, $\|x\| \le \beta$
- Output: $f_{\mathcal{L}}(x) = x \bmod \mathcal{L}$
Depending on $\beta$:
- $\beta < \lambda_1/2$: $f_{\mathcal{L}}$ is injective
- $\beta > \lambda_1/2$: $f_{\mathcal{L}}$ is not injective
- $\beta \ge \mu$: $f_{\mathcal{L}}$ is surjective
- $\beta \gg \mu$: $f_{\mathcal{L}}(x)$ is almost uniform
Question: Are these functions cryptographically hard to invert?
[Figure: lattice with basis $b_1, b_2$, origin $0$, and a point $x$ reduced modulo the lattice.]

Special Versions of CVP
Definition (Closest Vector Problem (CVP)): Given $(\mathcal{L}, t, d)$, with $\mu(t, \mathcal{L}) \le d$, find a lattice point within distance $d$ from $t$.
- If $d$ is arbitrary, then one can find the closest lattice vector by binary search on $d$.
- Bounded Distance Decoding (BDD): If $d < \lambda_1(\mathcal{L})/2$, then there is at most one solution. Solution is the closest lattice vector.
- Absolute Distance Decoding (ADD): If $d \ge \rho(\mathcal{L})$, then there is always at least one solution. Solution may not be closest lattice vector.

Computational problems on random lattices
Ajtai's class of random lattices and their duals: $A \in \mathbb{Z}^{n \times m}$
- $\Lambda_q^\perp(A) = \{x \in \mathbb{Z}^m : Ax = 0 \bmod q\}$
- $\Lambda_q(A) = A^T \mathbb{Z}^n + q\mathbb{Z}^m$
Inverting Ajtai's function $Ax = b$
- Solution $x$ always exists, but it is hard to find
- Average case version of ADD on random $\Lambda_q^\perp(A)$
Solving LWE $sA + x = b$
- For small enough $x$, solution is unique
- Average case version of BDD on random dual lattice $\Lambda_q(A)$.

ADD reduces to SIVP
- ADD input: $\mathcal{L}$ and arbitrary $t$
- Compute short vectors $V = \mathrm{SIVP}(\mathcal{L})$
- Use $V$ to find a lattice vector within distance $\sum_i \frac{1}{2}\|v_i\| \le (n/2)\lambda_n \le n\rho$ from $t$
[Figure: target $t$ inside the parallelepiped $P$ spanned by $v_1, v_2$, with a lattice vector $x$.]

BDD reduces to SIVP
- BDD input: $t$ close to $\mathcal{L}$
- Compute $V = \mathrm{SIVP}(\mathcal{L}^*)$
- For each $v_i \in \mathcal{L}^*$, find the layer $L_i = \{x \mid x \cdot v_i = c_i\}$ closest to $t$
- Output $L_1 \cap L_2 \cap \cdots \cap L_n$
- Output is correct as long as $\mu(t, \mathcal{L}) \le \frac{\lambda_1}{2n} \le \frac{1}{2\lambda_n^*} \le \frac{1}{2\|v_i\|}$
[Figure: target $t$ near the origin $0$, with layers orthogonal to $v_i$.]

Special Versions of SVP and SIVP
- GapSVP: compute (or approximate) the value $\lambda_1$ without necessarily finding a short vector
- GapSIVP: compute (or approximate) the value $\lambda_n$ without necessarily finding short linearly independent vectors
- Transference Theorem $\lambda_1 \approx 1/\lambda_n^*$: GapSVP can be (approximately) solved by solving GapSIVP in the dual lattice, and vice versa
Problems
- Exercise: Computing $\lambda_1$ (or $\lambda_n$) exactly is as hard as SVP (or SIVP)
- Open Problem: Reduce approximate SVP (or SIVP) to approximate GapSVP (or GapSIVP)

Relations among lattice problems
- SIVP ADD [MG'01]
- SVP CVP [GMSS'99]
- SIVP CVP [M'08]
- BDD SIVP
- CVP SVP [L'87]
- GapSVP GapSIVP [LLS'91, B'93]
- GapSVP BDD [LM'09]
[Figure: diagram relating GapSVP, GapSIVP, BDD, SIVP, ADD, SVP and CVP.]

Open Problems
- Does the ability to approximate $\lambda_1$ help in solving SVP?
- Does the ability to approximate $\lambda_n$ help in solving SIVP?
- Is there a reduction from CVP/SVP to SIVP?
  - Yes, for the exact version of the problems [M.'08]
  - Open for approximation version
- Is there a classical (nonquantum) reduction from SIVP/ADD to GapSVP/BDD?

Efficient Lattice Cryptography from Structured Lattices
Idea: Use structured matrix $A = [A^{(1)} \cdots A^{(m/n)}]$ where $A^{(i)} \in \mathbb{Z}_q^{n \times n}$ is circulant
$$A^{(i)} = \begin{bmatrix} a_1^{(i)} & a_n^{(i)} & \cdots & a_2^{(i)} \\ a_2^{(i)} & a_1^{(i)} & \cdots & a_3^{(i)} \\ \vdots & \vdots & \ddots & \vdots \\ a_n^{(i)} & a_{n-1}^{(i)} & \cdots & a_1^{(i)} \end{bmatrix}$$
"Generalized Compact Knapsacks and Efficient One-Way Functions" (Micciancio, FOCS 2002)
- Efficient version of Ajtai's connection: $O(n \log n)$ space and time complexity
- Provable security: guidance on how to choose random instances.
Theorem: CyclicSIS is hard to invert on average, assuming the worst-case hardness of lattice problems over cyclic lattices.

Ideal Lattices and Algebraic number theory
Isomorphism: $A^{\mathrm{cyc}} \cong \mathbb{Z}[X]/(X^n - 1)$
Cyclic SIS: $f_{a_1, \ldots, a_k}(u_1, \ldots, u_k) = \sum_i a_i(X) \cdot u_i(X) \pmod{X^n - 1}$ where $a_i, u_i \in R = \mathbb{Z}[X]/(X^n - 1)$.
More generally, use $R = \mathbb{Z}[X]/p(X)$ for some monic polynomial $p(X) \in \mathbb{Z}[X]$
If $p(X)$ is irreducible, then finding collisions to $f_a$ for random $a$ is as hard as solving lattice problems in the worst case in ideal lattices
Can set $R$ to the ring of integers of $K = \mathbb{Q}[X]/p(X)$.
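
Added example, not from the talk: it builds the circulant blocks in the row layout of the structured-matrix slide and checks that multiplying by them equals polynomial multiplication modulo $X^n - 1$, so the cyclic SIS function can be evaluated from $n$ coefficients per block instead of an $n \times n$ matrix. Function names and the parameters $n = 8$, $k = 3$, $q = 257$ are assumptions for the illustration; the quadratic-time product here is for clarity, not the $O(n \log n)$ method.

```python
import random


def circulant(a):
    """Circulant matrix with first column a: entry (r, c) is a[(r - c) mod n].

    Row 0 is (a_1, a_n, ..., a_2) and the last row is (a_n, a_{n-1}, ..., a_1),
    matching the layout on the structured-matrix slide.
    """
    n = len(a)
    return [[a[(r - c) % n] for c in range(n)] for r in range(n)]


def mat_vec(rows, x, q):
    """Matrix-vector product modulo q."""
    return [sum(v * xi for v, xi in zip(row, x)) % q for row in rows]


def poly_mul_cyclic(a, u, q):
    """a(X) * u(X) mod (X^n - 1, q); coefficient lists, constant term first."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, uj in enumerate(u):
            # X^(i+j) wraps around because X^n = 1 in Z[X]/(X^n - 1).
            out[(i + j) % n] = (out[(i + j) % n] + ai * uj) % q
    return out


def cyclic_sis(blocks, inputs, q):
    """f_{a_1..a_k}(u_1..u_k) = sum_i a_i(X) u_i(X) mod (X^n - 1, q).

    The key is k polynomials, i.e. k*n numbers.
    """
    acc = [0] * len(blocks[0])
    for a, u in zip(blocks, inputs):
        prod = poly_mul_cyclic(a, u, q)
        acc = [(s + p) % q for s, p in zip(acc, prod)]
    return acc


def dense_sis(blocks, inputs, q):
    """The same function via the explicit n x (k*n) matrix A = [A^(1) ... A^(k)]."""
    n = len(blocks[0])
    mats = [circulant(a) for a in blocks]
    rows = [[v for C in mats for v in C[r]] for r in range(n)]
    x = [c for u in inputs for c in u]
    return mat_vec(rows, x, q)


if __name__ == "__main__":
    rng = random.Random(2002)
    n, k, q = 8, 3, 257  # constructed toy parameters
    blocks = [[rng.randrange(q) for _ in range(n)] for _ in range(k)]
    inputs = [[rng.randrange(2) for _ in range(n)] for _ in range(k)]
    print("polynomial form:", cyclic_sis(blocks, inputs, q))
    print("matrix form:    ", dense_sis(blocks, inputs, q))
```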

How to choose $p(X)$/$R$?
RingSIS (Lyubashevsky, PhD Thesis, UCSD 2008)
- define $f_a(u) = \sum_i a_i(X) \cdot u_i(X)$
- Notice: no reduction modulo $p(X)$!
- If $f_a(u) = f_a(u')$ in $\mathbb{Z}[X]$, then $f_a(u) = f_a(u') \pmod{p(X)}$.
- Conclusion: breaking $f$ is at least as hard as solving lattice problems in ideal lattices for any $p(X)$.
RingLWE:
- Most applications require not only hardness of inverting $f_a$, but also pseudorandomness of output $f_a(u)$
- [Lyubashevsky, Peikert, Regev'10]: For cyclotomic $p(X)$, hardness of inverting $f_a$ implies pseudorandomness of $f_a(u)$.
- [Lauter'15] constructs polynomial rings where inverting $f_a$ is conceivably hard, but $f_a(u)$ is easily distinguished from random.

Classical Hardness of LWE
[P'09, BLPRS'13] There is a classical reduction from GapSVP to LWE when $q = 2^{O(n)}$, or LWE dimension $d = O(n^2)$
Open Problems
- Is there a more efficient reduction from GapSVP to LWE?
- Is there a classical reduction from SIVP to LWE?
- Is there a reduction from SVP/SIVP to LWE on ideal lattices?

More Open Problems
Tonight 7:30pm
Bring your own open problems to share!
Send to with estimated time for scheduling.
... or, just talk to me over lunch or coffee break.
Thank you!
Lattices and Cryptography:An Overview of Recent Results with Emphasis on RSA and NTRU Cryptosystems. Petros Mol NYU Crypto Seminar October 12, 2006 Lattices and Cryptography:An Overview of Recent Results
More informationA New Lattice-Based Cryptosystem Mixed with a Knapsack
A New Lattice-Based Cryptosystem Mixed with a Knapsack Yanbin Pan and Yingpu Deng and Yupeng Jiang and Ziran Tu Key Laboratory of Mathematics Mechanization Academy of Mathematics and Systems Science,Chinese
More informationMulti-bit Cryptosystems Based on Lattice Problems
Multi-bit Cryptosystems Based on Lattice Problems Akinori Kawachi, Keisuke Tanaka, and Keita Xagawa Department of Mathematical and Computing Sciences, Tokyo Institute of Technology, W8-55, 2-12-1 Ookayama
More informationQuadratic Time, Linear Space Algorithms for Gram-Schmidt Orthogonalization and Gaussian Sampling in Structured Lattices
1 / 24 Quadratic Time, Linear Space Algorithms for Gram-Schmidt Orthogonalization and Gaussian Sampling in Structured Lattices Vadim Lyubashevsky and Thomas Prest 2 / 24 1 Introduction: Key Sizes in Lattice-Based
More informationLecture 8 : The dual lattice and reducing SVP to MVP
CSE 206A: Lattice Algorithms and Applications Spring 2007 Lecture 8 : The dual lattice and reducing SVP to MVP Lecturer: Daniele Micciancio Scribe: Scott Yilek 1 Overview In the last lecture we explored
More informationLattice-based Signcryption without Random Oracles. Graduate School of Environment and Information Sciences, Yokohama National University, Japan
Lattice-based Signcryption without Random Oracles Shingo Sato Junji Shikata Graduate School of Environment and Information Sciences, Yokohama National University, Japan Overview Lattice-based Cryptography
More informationMULTI-BIT CRYPTOSYSTEMS BASED ON LATTICE PROBLEMS
MULTI-BIT CRYPTOSYSTEMS BASED ON LATTICE PROBLEMS PKC 2007 Akinori Kawachi, Keisuke Tanaka, and Keita Xagawa (Tokyo Institute of Technology) Agenda Background Our Results Conclusion Agenda Background Lattices
More informationPseudorandom Functions and Lattices
Pseudorandom Functions and Lattices Abhishek Banerjee 1 Chris Peikert 1 Alon Rosen 2 1 Georgia Institute of Technology 2 IDC Herzliya EUROCRYPT 12 19 April 2012 Outline 1 Introduction 2 Learning with Rounding
More informationA Lattice-Based Group Signature Scheme with Message-Dependent Opening
A Lattice-Based Group Signature Scheme with Message-Dependent Opening Benoît Libert Fabrice Mouhartem Khoa Nguyen École Normale Supérieure de Lyon, France Nanyang Technological University, Singapore ACNS,
More informationEfficient Implementation of Lattice-based Cryptography for Embedded Devices
Efficient Implementation of Lattice-based Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography for the Internet of Things and Cloud 2017 09.11.2017 Lattice-based
More informationZero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption
Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption Benoît Libert 1 San Ling 2 Fabrice Mouhartem 1 Khoa Nguyen 2 Huaxiong Wang 2 1 École Normale Supérieure de Lyon (France)
More informationSession #6: Another Application of LWE: Pseudorandom Functions. Chris Peikert Georgia Institute of Technology
Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 1/12 Session #6: Another Application of LWE: Pseudorandom Functions Chris Peikert Georgia Institute of Technology Winter School on
More informationEssays on Some Combinatorial Optimization Problems with Interval Data
Essays on Some Combinatorial Optimization Problems with Interval Data a thesis submitted to the department of industrial engineering and the institute of engineering and sciences of bilkent university
More information1102 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 51, NO. 3, MARCH Genyuan Wang and Xiang-Gen Xia, Senior Member, IEEE
1102 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL 51, NO 3, MARCH 2005 On Optimal Multilayer Cyclotomic Space Time Code Designs Genyuan Wang Xiang-Gen Xia, Senior Member, IEEE Abstract High rate large
More informationLattice Coding and its Applications in Communications
Lattice Coding and its Applications in Communications Alister Burr University of York alister.burr@york.ac.uk Introduction to lattices Definition; Sphere packings; Basis vectors; Matrix description Codes
More informationProgrammable Hash Functions and their applications
Programmable Hash Functions and their applications Dennis Hofheinz, Eike Kiltz CWI, Amsterdam Leiden - June 2008 Programmable Hash Functions 1 Overview 1. Hash functions 2. Programmable hash functions
More informationDesigning a Dynamic Group Signature Scheme using Lattices
Designing a Dynamic Group Signature Scheme using Lattices M2 Internship Defense Fabrice Mouhartem Supervised by Benoît Libert ÉNS de Lyon, Team AriC, LIP 06/24/2015 Fabrice Mouhartem Dynamic Group Signature
More informationCPSC 540: Machine Learning
CPSC 540: Machine Learning Monte Carlo Methods Mark Schmidt University of British Columbia Winter 2018 Last Time: Markov Chains We can use Markov chains for density estimation, p(x) = p(x 1 ) }{{} d p(x
More informationCPSC 540: Machine Learning
CPSC 540: Machine Learning Monte Carlo Methods Mark Schmidt University of British Columbia Winter 2019 Last Time: Markov Chains We can use Markov chains for density estimation, d p(x) = p(x 1 ) p(x }{{}
More informationLecture outline. Monte Carlo Methods for Uncertainty Quantification. Importance Sampling. Importance Sampling
Lecture outline Monte Carlo Methods for Uncertainty Quantification Mike Giles Mathematical Institute, University of Oxford KU Leuven Summer School on Uncertainty Quantification Lecture 2: Variance reduction
More informationA Result on the Distribution of Quadratic Residues with Applications to Elliptic Curve Cryptography
A Result on the Distribution of Quadratic Residues with Applications to Elliptic Curve Cryptography Muralidhara V.N. and Sandeep Sen {murali, ssen}@cse.iitd.ernet.in Department of Computer Science and
More informationRewriting Codes for Flash Memories Based Upon Lattices, and an Example Using the E8 Lattice
Rewriting Codes for Flash Memories Based Upon Lattices, and an Example Using the E Lattice Brian M. Kurkoski kurkoski@ice.uec.ac.jp University of Electro-Communications Tokyo, Japan Workshop on Application
More informationDownloaded from
9. Algebraic Expressions and Identities Q 1 Using identity (x - a) (x + a) = x 2 a 2 find 6 2 5 2. Q 2 Find the product of (7x 4y) and (3x - 7y). Q 3 Using suitable identity find (a + 3)(a + 2). Q 4 Using
More informationCS 237: Probability in Computing
CS 237: Probability in Computing Wayne Snyder Computer Science Department Boston University Lecture 12: Continuous Distributions Uniform Distribution Normal Distribution (motivation) Discrete vs Continuous
More informationZero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures without Trapdoors
Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures without Trapdoors Benoît Libert 1 San Ling 2 Khoa Nguyen 2 Huaxiong Wang 2 1 Ecole Normale
More informationThe Complexity of Simple and Optimal Deterministic Mechanisms for an Additive Buyer. Xi Chen, George Matikas, Dimitris Paparas, Mihalis Yannakakis
The Complexity of Simple and Optimal Deterministic Mechanisms for an Additive Buyer Xi Chen, George Matikas, Dimitris Paparas, Mihalis Yannakakis Seller has n items for sale The Set-up Seller has n items
More informationConvex-Cardinality Problems
l 1 -norm Methods for Convex-Cardinality Problems problems involving cardinality the l 1 -norm heuristic convex relaxation and convex envelope interpretations examples recent results Prof. S. Boyd, EE364b,
More informationYao s Minimax Principle
Complexity of algorithms The complexity of an algorithm is usually measured with respect to the size of the input, where size may for example refer to the length of a binary word describing the input,
More informationAn Optimal Odd Unimodular Lattice in Dimension 72
An Optimal Odd Unimodular Lattice in Dimension 72 Masaaki Harada and Tsuyoshi Miezaki September 27, 2011 Abstract It is shown that if there is an extremal even unimodular lattice in dimension 72, then
More information6. Continous Distributions
6. Continous Distributions Chris Piech and Mehran Sahami May 17 So far, all random variables we have seen have been discrete. In all the cases we have seen in CS19 this meant that our RVs could only take
More informationNon replication of options
Non replication of options Christos Kountzakis, Ioannis A Polyrakis and Foivos Xanthos June 30, 2008 Abstract In this paper we study the scarcity of replication of options in the two period model of financial
More informationOn the Balasubramanian-Koblitz Results
On the Balasubramanian-Koblitz Results Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in Institute of Mathematical Sciences, 22 nd February 2012 As Part
More informationPhysical Unclonable Functions (PUFs) and Secure Processors. Srini Devadas Department of EECS and CSAIL Massachusetts Institute of Technology
Physical Unclonable Functions (PUFs) and Secure Processors Srini Devadas Department of EECS and CSAIL Massachusetts Institute of Technology 1 Security Challenges How to securely authenticate devices at
More informationLattices from equiangular tight frames with applications to lattice sparse recovery
Lattices from equiangular tight frames with applications to lattice sparse recovery Deanna Needell Dept of Mathematics, UCLA May 2017 Supported by NSF CAREER #1348721 and Alfred P. Sloan Fdn The compressed
More informationALGEBRAIC EXPRESSIONS AND IDENTITIES
9 ALGEBRAIC EXPRESSIONS AND IDENTITIES Exercise 9.1 Q.1. Identify the terms, their coefficients for each of the following expressions. (i) 5xyz 3zy (ii) 1 + x + x (iii) 4x y 4x y z + z (iv) 3 pq + qr rp
More informationOn the statistical leak of the GGH13 multilinear map and its variants
On the statistical leak of the GGH13 multilinear map and its variants Léo Ducas 1, Alice Pellet--Mary 2 1 Cryptology Group, CWI, Amsterdam 2 LIP, ENS de Lyon. 25th April, 2017 A. Pellet-Mary On the statistical
More informationA Harmonic Analysis Solution to the Basket Arbitrage Problem
A Harmonic Analysis Solution to the Basket Arbitrage Problem Alexandre d Aspremont ORFE, Princeton University. A. d Aspremont, INFORMS, San Francisco, Nov. 14 2005. 1 Introduction Classic Black & Scholes
More informationThe illustrated zoo of order-preserving functions
The illustrated zoo of order-preserving functions David Wilding, February 2013 http://dpw.me/mathematics/ Posets (partially ordered sets) underlie much of mathematics, but we often don t give them a second
More informationELEMENTS OF MONTE CARLO SIMULATION
APPENDIX B ELEMENTS OF MONTE CARLO SIMULATION B. GENERAL CONCEPT The basic idea of Monte Carlo simulation is to create a series of experimental samples using a random number sequence. According to the
More informationMATH3075/3975 FINANCIAL MATHEMATICS TUTORIAL PROBLEMS
MATH307/37 FINANCIAL MATHEMATICS TUTORIAL PROBLEMS School of Mathematics and Statistics Semester, 04 Tutorial problems should be used to test your mathematical skills and understanding of the lecture material.
More informationOn the Feasibility of Extending Oblivious Transfer
On the Feasibility of Extending Oblivious Transfer Yehuda Lindell Hila Zarosim Dept. of Computer Science Bar-Ilan University, Israel lindell@biu.ac.il,zarosih@cs.biu.ac.il January 23, 2013 Abstract Oblivious
More informationDiscrete Ziggurat: A Time-Memory Trade-off for Sampling from a Gaussian Distribution over the Integers
Discrete Ziggurat: A Time-Memory Trade-off for Sampling from a Gaussian Distribution over the Integers Johannes Buchmann, Daniel Cabarcas, Florian Göpfert, Andreas Hülsing, Patrick Weiden Technische Universität
More informationSYLLABUS AND SAMPLE QUESTIONS FOR MSQE (Program Code: MQEK and MQED) Syllabus for PEA (Mathematics), 2013
SYLLABUS AND SAMPLE QUESTIONS FOR MSQE (Program Code: MQEK and MQED) 2013 Syllabus for PEA (Mathematics), 2013 Algebra: Binomial Theorem, AP, GP, HP, Exponential, Logarithmic Series, Sequence, Permutations
More informationCS599: Algorithm Design in Strategic Settings Fall 2012 Lecture 6: Prior-Free Single-Parameter Mechanism Design (Continued)
CS599: Algorithm Design in Strategic Settings Fall 2012 Lecture 6: Prior-Free Single-Parameter Mechanism Design (Continued) Instructor: Shaddin Dughmi Administrivia Homework 1 due today. Homework 2 out
More informationarxiv: v5 [quant-ph] 16 Oct 2008
Violation of Equalities in Bipartite Qutrits Systems Hossein Movahhedian Department of Physics, Shahrood University of Technology, Seventh Tir Square, Shahrood, Iran We have recently shown that for the
More informationHandout 8: Introduction to Stochastic Dynamic Programming. 2 Examples of Stochastic Dynamic Programming Problems
SEEM 3470: Dynamic Optimization and Applications 2013 14 Second Term Handout 8: Introduction to Stochastic Dynamic Programming Instructor: Shiqian Ma March 10, 2014 Suggested Reading: Chapter 1 of Bertsekas,
More informationHints on Some of the Exercises
Hints on Some of the Exercises of the book R. Seydel: Tools for Computational Finance. Springer, 00/004/006/009/01. Preparatory Remarks: Some of the hints suggest ideas that may simplify solving the exercises
More informationProperties of IRR Equation with Regard to Ambiguity of Calculating of Rate of Return and a Maximum Number of Solutions
Properties of IRR Equation with Regard to Ambiguity of Calculating of Rate of Return and a Maximum Number of Solutions IRR equation is widely used in financial mathematics for different purposes, such
More informationImplementing Candidate Graded Encoding Schemes from Ideal Lattices
Implementing Candidate Graded Encoding Schemes from Ideal Lattices Martin R. Albrecht 1, Catalin Cocis 2, Fabien Laguillaumie 3 and Adeline Langlois 4 1. Information Security Group, Royal Holloway, University
More informationExercises. 140 Chapter 3: Factors and Products
Exercises A 3. List the first 6 multiples of each number. a) 6 b) 13 c) 22 d) 31 e) 45 f) 27 4. List the prime factors of each number. a) 40 b) 75 c) 81 d) 120 e) 140 f) 192 5. Write each number as a product
More informationOutline. 1 Introduction. 2 Algorithms. 3 Examples. Algorithm 1 General coordinate minimization framework. 1: Choose x 0 R n and set k 0.
Outline Coordinate Minimization Daniel P. Robinson Department of Applied Mathematics and Statistics Johns Hopkins University November 27, 208 Introduction 2 Algorithms Cyclic order with exact minimization
More informationForecast Horizons for Production Planning with Stochastic Demand
Forecast Horizons for Production Planning with Stochastic Demand Alfredo Garcia and Robert L. Smith Department of Industrial and Operations Engineering Universityof Michigan, Ann Arbor MI 48109 December
More informationLarge-Scale SVM Optimization: Taking a Machine Learning Perspective
Large-Scale SVM Optimization: Taking a Machine Learning Perspective Shai Shalev-Shwartz Toyota Technological Institute at Chicago Joint work with Nati Srebro Talk at NEC Labs, Princeton, August, 2008 Shai
More informationChapter 6: Quadratic Functions & Their Algebra
Chapter 6: Quadratic Functions & Their Algebra Topics: 1. Quadratic Function Review. Factoring: With Greatest Common Factor & Difference of Two Squares 3. Factoring: Trinomials 4. Complete Factoring 5.
More informationSublinear Time Algorithms Oct 19, Lecture 1
0368.416701 Sublinear Time Algorithms Oct 19, 2009 Lecturer: Ronitt Rubinfeld Lecture 1 Scribe: Daniel Shahaf 1 Sublinear-time algorithms: motivation Twenty years ago, there was practically no investigation
More informationComputational Independence
Computational Independence Björn Fay mail@bfay.de December 20, 2014 Abstract We will introduce different notions of independence, especially computational independence (or more precise independence by
More information(2/3) 3 ((1 7/8) 2 + 1/2) = (2/3) 3 ((8/8 7/8) 2 + 1/2) (Work from inner parentheses outward) = (2/3) 3 ((1/8) 2 + 1/2) = (8/27) (1/64 + 1/2)
Exponents Problem: Show that 5. Solution: Remember, using our rules of exponents, 5 5, 5. Problems to Do: 1. Simplify each to a single fraction or number: (a) ( 1 ) 5 ( ) 5. And, since (b) + 9 + 1 5 /
More informationFinding Equilibria in Games of No Chance
Finding Equilibria in Games of No Chance Kristoffer Arnsfelt Hansen, Peter Bro Miltersen, and Troels Bjerre Sørensen Department of Computer Science, University of Aarhus, Denmark {arnsfelt,bromille,trold}@daimi.au.dk
More informationAccelerated Stochastic Gradient Descent Praneeth Netrapalli MSR India
Accelerated Stochastic Gradient Descent Praneeth Netrapalli MSR India Presented at OSL workshop, Les Houches, France. Joint work with Prateek Jain, Sham M. Kakade, Rahul Kidambi and Aaron Sidford Linear
More informationDevelopmental Math An Open Program Unit 12 Factoring First Edition
Developmental Math An Open Program Unit 12 Factoring First Edition Lesson 1 Introduction to Factoring TOPICS 12.1.1 Greatest Common Factor 1 Find the greatest common factor (GCF) of monomials. 2 Factor
More informationFinding optimal arbitrage opportunities using a quantum annealer
Finding optimal arbitrage opportunities using a quantum annealer White Paper Finding optimal arbitrage opportunities using a quantum annealer Gili Rosenberg Abstract We present two formulations for finding
More informationMulti-period Portfolio Choice and Bayesian Dynamic Models
Multi-period Portfolio Choice and Bayesian Dynamic Models Petter Kolm and Gordon Ritter Courant Institute, NYU Paper appeared in Risk Magazine, Feb. 25 (2015) issue Working paper version: papers.ssrn.com/sol3/papers.cfm?abstract_id=2472768
More information3.1 Factors and Multiples of Whole Numbers
3.1 Factors and Multiples of Whole Numbers LESSON FOCUS: Determine prime factors, greatest common factors, and least common multiples of whole numbers. The prime factorization of a natural number is the
More informationNotes on the symmetric group
Notes on the symmetric group 1 Computations in the symmetric group Recall that, given a set X, the set S X of all bijections from X to itself (or, more briefly, permutations of X) is group under function
More informationWorksheet A ALGEBRA PMT
Worksheet A 1 Find the quotient obtained in dividing a (x 3 + 2x 2 x 2) by (x + 1) b (x 3 + 2x 2 9x + 2) by (x 2) c (20 + x + 3x 2 + x 3 ) by (x + 4) d (2x 3 x 2 4x + 3) by (x 1) e (6x 3 19x 2 73x + 90)
More informationUsing condition numbers to assess numerical quality in HPC applications
Using condition numbers to assess numerical quality in HPC applications Marc Baboulin Inria Saclay / Université Paris-Sud, France INRIA - Illinois Petascale Computing Joint Laboratory 9th workshop, June
More informationAlgebra Module A33. Factoring - 2. Copyright This publication The Northern Alberta Institute of Technology All Rights Reserved.
Algebra Module A33 Factoring - 2 Copyright This publication The Northern Alberta Institute of Technology 2002. All Rights Reserved. LAST REVISED November, 2008 Factoring - 2 Statement of Prerequisite
More informationApplications of Good s Generalized Diversity Index. A. J. Baczkowski Department of Statistics, University of Leeds Leeds LS2 9JT, UK
Applications of Good s Generalized Diversity Index A. J. Baczkowski Department of Statistics, University of Leeds Leeds LS2 9JT, UK Internal Report STAT 98/11 September 1998 Applications of Good s Generalized
More informationSmoothed Analysis of Binary Search Trees
Smoothed Analysis of Binary Search Trees Bodo Manthey and Rüdiger Reischuk Universität zu Lübeck, Institut für Theoretische Informatik Ratzeburger Allee 160, 23538 Lübeck, Germany manthey/reischuk@tcs.uni-luebeck.de
More informationApplication of an Interval Backward Finite Difference Method for Solving the One-Dimensional Heat Conduction Problem
Application of an Interval Backward Finite Difference Method for Solving the One-Dimensional Heat Conduction Problem Malgorzata A. Jankowska 1, Andrzej Marciniak 2 and Tomasz Hoffmann 2 1 Poznan University
More informationLecture 10: The knapsack problem
Optimization Methods in Finance (EPFL, Fall 2010) Lecture 10: The knapsack problem 24.11.2010 Lecturer: Prof. Friedrich Eisenbrand Scribe: Anu Harjula The knapsack problem The Knapsack problem is a problem
More informationThe reciprocal lattice. Daniele Toffoli December 2, / 24
The reciprocal lattice Daniele Toffoli December 2, 2016 1 / 24 Outline 1 Definitions and properties 2 Important examples and applications 3 Miller indices of lattice planes Daniele Toffoli December 2,
More informationDiploma in Business Administration Part 2. Quantitative Methods. Examiner s Suggested Answers
Cumulative frequency Diploma in Business Administration Part Quantitative Methods Examiner s Suggested Answers Question 1 Cumulative Frequency Curve 1 9 8 7 6 5 4 3 1 5 1 15 5 3 35 4 45 Weeks 1 (b) x f
More informationStrategic Trading of Informed Trader with Monopoly on Shortand Long-Lived Information
ANNALS OF ECONOMICS AND FINANCE 10-, 351 365 (009) Strategic Trading of Informed Trader with Monopoly on Shortand Long-Lived Information Chanwoo Noh Department of Mathematics, Pohang University of Science
More informationMartingale Pricing Theory in Discrete-Time and Discrete-Space Models
IEOR E4707: Foundations of Financial Engineering c 206 by Martin Haugh Martingale Pricing Theory in Discrete-Time and Discrete-Space Models These notes develop the theory of martingale pricing in a discrete-time,
More informationTHE NUMBER OF UNARY CLONES CONTAINING THE PERMUTATIONS ON AN INFINITE SET
THE NUMBER OF UNARY CLONES CONTAINING THE PERMUTATIONS ON AN INFINITE SET MICHAEL PINSKER Abstract. We calculate the number of unary clones (submonoids of the full transformation monoid) containing the
More informationECE 586GT: Problem Set 1: Problems and Solutions Analysis of static games
University of Illinois Fall 2018 ECE 586GT: Problem Set 1: Problems and Solutions Analysis of static games Due: Tuesday, Sept. 11, at beginning of class Reading: Course notes, Sections 1.1-1.4 1. [A random
More informationSCHOOL OF BUSINESS, ECONOMICS AND MANAGEMENT. BF360 Operations Research
SCHOOL OF BUSINESS, ECONOMICS AND MANAGEMENT BF360 Operations Research Unit 3 Moses Mwale e-mail: moses.mwale@ictar.ac.zm BF360 Operations Research Contents Unit 3: Sensitivity and Duality 3 3.1 Sensitivity
More informationResults of the block cipher design contest
Results of the block cipher design contest The table below contains a summary of the best attacks on the ciphers you designed. 13 of the 17 ciphers were successfully attacked in HW2, and as you can see
More informationBraid Group Cryptography
Tutorials: Braid Group Cryptography Second part Singapore, June 2007 David Garber Department of Applied Mathematics, School of Sciences Holon Institute of Technology Holon, Israel The underlying (apparently
More informationZooming Algorithm for Lipschitz Bandits
Zooming Algorithm for Lipschitz Bandits Alex Slivkins Microsoft Research New York City Based on joint work with Robert Kleinberg and Eli Upfal (STOC'08) Running examples Dynamic pricing. You release a
More informationA Transferrable E-cash Payment System. Abstract
Fuw-Yi Yang 1, Su-Hui Chiu 2 and Chih-Wei Hsu 3 Department of Computer Science and Information Engineering, Chaoyang University of Technology, Taiwan 1,3 Office of Accounting, Chaoyang University of Technology,
More informationSignature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions
Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions Benoît Libert 1,2 San Ling 3 Fabrice Mouhartem 1 Khoa Nguyen 3 Huaxiong Wang 3 1 É.N.S. de Lyon, France
More informationThe mean-variance portfolio choice framework and its generalizations
The mean-variance portfolio choice framework and its generalizations Prof. Massimo Guidolin 20135 Theory of Finance, Part I (Sept. October) Fall 2014 Outline and objectives The backward, three-step solution
More informationIs Greedy Coordinate Descent a Terrible Algorithm?
Is Greedy Coordinate Descent a Terrible Algorithm? Julie Nutini, Mark Schmidt, Issam Laradji, Michael Friedlander, Hoyt Koepke University of British Columbia Optimization and Big Data, 2015 Context: Random
More informationu (x) < 0. and if you believe in diminishing return of the wealth, then you would require
Chapter 8 Markowitz Portfolio Theory 8.7 Investor Utility Functions People are always asked the question: would more money make you happier? The answer is usually yes. The next question is how much more
More informationThe Normal Distribution
Will Monroe CS 09 The Normal Distribution Lecture Notes # July 9, 207 Based on a chapter by Chris Piech The single most important random variable type is the normal a.k.a. Gaussian) random variable, parametrized
More informationName. 5. Simplify. a) (6x)(2x 2 ) b) (5pq 2 )( 4p 2 q 2 ) c) (3ab)( 2ab 2 )(2a 3 ) d) ( 6x 2 yz)( 5y 3 z)
3.1 Polynomials MATHPOWER TM 10, Ontario Edition, pp. 128 133 To add polynomials, collect like terms. To subtract a polynomial, add its opposite. To multiply monomials, multiply the numerical coefficients.
More informationCS364A: Algorithmic Game Theory Lecture #14: Robust Price-of-Anarchy Bounds in Smooth Games
CS364A: Algorithmic Game Theory Lecture #14: Robust Price-of-Anarchy Bounds in Smooth Games Tim Roughgarden November 6, 013 1 Canonical POA Proofs In Lecture 1 we proved that the price of anarchy (POA)
More information