Improvement and Efficient Implementation of a Lattice-based Signature scheme
1 Improvement and Efficient Implementation of a Lattice-based Signature scheme, Johannes Buchmann, Technische Universität Darmstadt (TU Darmstadt), August 2013. Lattice-based Signatures 1
2 Outline
- Introduction to Lattice-based Crypto
- Lattice-based Hash Function
- Lattice-based Signature Scheme
- Contributions
- Experimental Results
3 Introduction
A lattice is the set of all integer linear combinations of (linearly independent) basis vectors $B = \{b_1, \dots, b_n\} \subset \mathbb{R}^n$:
$$L = \sum_{i=1}^{n} b_i \mathbb{Z} = \{Bx : x \in \mathbb{Z}^n\} \subset \mathbb{R}^n$$
A lattice has infinitely many bases: $L = \sum_{i=1}^{n} c_i \mathbb{Z}$
Definition (Lattices): a discrete additive subgroup of $\mathbb{R}^n$.
6 Introduction
The shortest vector $v$ in a lattice: the lattice point with minimum distance $\lambda_1 = \|v\|$ to the origin:
$$\lambda_1(L) = \min_{x \neq 0,\ x \in L} \|x\|$$
More generally, $\lambda_k$ denotes the smallest radius of a ball containing $k$ linearly independent vectors.
8 Computational Problems
Definition (Shortest Vector Problem): Given a basis $B = \{b_1, \dots, b_n\}$, find the shortest nonzero vector $v$ in the lattice $L(B)$, i.e. $\|v\| = \lambda_1$.
11 Hash function
Lattice-based hash function [Ajtai96]: $f_A(x) = A x \bmod q$
Input parameters:
- $q \in \mathbb{Z}$ (e.g )
- Choose $A \in \mathbb{Z}_q^{n \times m}$ uniformly at random; $n$ (e.g. $n = 256$) is the main security parameter
- $m > n \log_2 q$
- $x$ is from a bounded domain, e.g. $x \in \{0, 1\}^n$
15 Hash Function
$f_A(x) = A x \bmod q$:
- is a compression function
- maps $m$ bits to $n \log_2 q$ bits
- inversion and finding collisions are as hard as worst-case lattice problems
16 Hash Function
Hardness of finding collisions: finding collisions in the average case, where $A$ is chosen at random, is hard, provided approximating SIVP is hard in the worst case.
17 From Hash Functions to a Signature Scheme
Signature scheme by Gentry, Peikert and Vaikuntanathan [GPV08] using Preimage Sampleable Trapdoor Functions (PSTF): Hash-and-Sign for lattices
- Keygen: random matrix $A \in \mathbb{Z}_q^{n \times m}$ and trapdoor $R$, random oracle (RO) $H(\cdot)$, PSTF: $f_A(x) = A x \bmod q$
- Signing of message $m$: signature $\sigma = f_A^{-1}(H(m))$ using trapdoor $R$
- Verification: $\|\sigma\| \le$ bound and $f_A(\sigma) = H(m)$
- Similar to RSA Hash-and-Sign, but the verification process differs
- Forging signatures is as hard as inverting lattice-based hash functions
- Secure in the RO model
23 From Hash Functions to a Signature Scheme
Main challenge: How to generate a random matrix $A$ that enables the signer to sign messages?
Solution: Use the trapdoor $R$ to generate a random matrix $A$.
24 From Hash Functions to a Signature Scheme
Construction of $A$ according to Micciancio and Peikert [MP12]:
$$A = [\,\bar{A} \mid G - \bar{A}R\,]$$
Parameters:
- $\bar{A} \in \mathbb{Z}_q^{n \times n}$ is uniformly distributed
- $R \in \mathbb{Z}^{n \times nk}$ is the secret/trapdoor (small entries)
- $A$ is pseudorandom (computational instantiation)
25 From Hash Functions to a Signature Scheme
Implementation issues:
- $q = 2^k$ is more suitable for practice
- entries of $R$ are sampled from a discrete Gaussian
$$G = \begin{bmatrix} 1\ 2\ \cdots\ 2^{k-1} & & 0 \\ & \ddots & \\ 0 & & 1\ 2\ \cdots\ 2^{k-1} \end{bmatrix}$$
28 From Hash Functions to a Signature Scheme
How to compute the signature $f_A^{-1}(u)$, $u = (u_1, u_2, \dots, u_n)^\top \in \mathbb{Z}_q^n$:
- Sample $x \in \mathbb{Z}^{nk}$ according to the discrete Gaussian distribution such that $G x = u \bmod q$
- Then the signature $\sigma = \begin{bmatrix} R \\ I \end{bmatrix} x$ is a preimage of $u$
Proof:
$$A\sigma = [\,\bar{A} \mid G - \bar{A}R\,] \begin{bmatrix} R \\ I \end{bmatrix} x = \bar{A}Rx + (G - \bar{A}R)x = Gx = u$$
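The trapdoor construction, preimage computation and verification check from the slides above, as an added example (not code from the talk or the authors' implementation). Assumptions: toy parameters n = 4 and q = 2^8, trapdoor entries drawn from {-1, 0, 1} and a binary decomposition of u standing in for the discrete Gaussian samplers, and `hash_to_syndrome` as a hypothetical instantiation of H. The perturbation step is omitted, so these signatures are not independent of the secret key.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration only (far too small to be secure).
N, K = 4, 8
Q = 1 << K                             # q = 2^k, as on the slides
BOUND_SQ = N * (N * K) ** 2 + N * K    # worst-case ||sigma||^2 for this toy sampler


def gadget():
    """G in Z^{n x nk}: row i holds 1, 2, ..., 2^(k-1) in columns i*k .. i*k+k-1."""
    return [[(1 << (c - i * K)) if i * K <= c < (i + 1) * K else 0
             for c in range(N * K)] for i in range(N)]


def mat_vec(m, v):
    """Integer matrix-vector product (no modular reduction)."""
    return [sum(a * b for a, b in zip(row, v)) for row in m]


def keygen():
    """Return the public A = [A_bar | G - A_bar*R] mod q and the trapdoor R."""
    a_bar = [[secrets.randbelow(Q) for _ in range(N)] for _ in range(N)]
    # Assumption: entries from {-1, 0, 1} stand in for the discrete Gaussian.
    r = [[secrets.randbelow(3) - 1 for _ in range(N * K)] for _ in range(N)]
    g = gadget()
    right = [[(g[i][c] - sum(a_bar[i][j] * r[j][c] for j in range(N))) % Q
              for c in range(N * K)] for i in range(N)]
    return [a_bar[i] + right[i] for i in range(N)], r


def hash_to_syndrome(msg):
    """Hypothetical instantiation of the random oracle H: bytes -> Z_q^n."""
    width = (K + 7) // 8
    d = hashlib.shake_256(msg).digest(N * width)
    return [int.from_bytes(d[i * width:(i + 1) * width], "big") % Q
            for i in range(N)]


def gadget_preimage(u):
    """Short x with G x = u mod q: the k-bit binary expansion of each u_i.
    Deterministic stand-in for Gaussian sampling over the coset."""
    return [(ui >> j) & 1 for ui in u for j in range(K)]


def sign(r, msg):
    """sigma = [R; I] x, a vector of length n + nk (no perturbation added)."""
    x = gadget_preimage(hash_to_syndrome(msg))
    return mat_vec(r, x) + x


def verify(a, msg, sigma):
    """Accept only if sigma is short AND f_A(sigma) = H(msg) mod q."""
    short = sum(s * s for s in sigma) <= BOUND_SQ
    image = [t % Q for t in mat_vec(a, sigma)]
    return short and image == hash_to_syndrome(msg)


if __name__ == "__main__":
    a, r = keygen()
    msg = b"constructed message"
    sig = sign(r, msg)
    print("valid signature accepted:", verify(a, msg, sig))
    # Adding q to one coordinate keeps A*sigma mod q unchanged but breaks the
    # norm bound; without the bound check this long vector would be accepted.
    long_sig = [sig[0] + Q] + sig[1:]
    print("long preimage accepted:", verify(a, msg, long_sig))
```

The second check shows why verification needs both conditions: any vector congruent to a signature modulo q maps to the same syndrome, and only the norm bound rules it out.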
31 From Hash Functions to a Signature Scheme
Problem:
- Distribution of $\sigma$ is skewed
- Leaks information about the trapdoor
- Need for spherically distributed signatures
32 Signature Scheme
Solution: add perturbations $p$ to correct the distribution of the signature
- Sample perturbations $p$ with covariance matrix $C = s^2 I - r^2 \begin{bmatrix} R R^\top & R \\ R^\top & I \end{bmatrix}$ and perturbation matrix $\sqrt{C}$
- Compute perturbed syndrome $v = H(m) - Ap = u - Ap$
- Sample $x$ such that $Gx = v$
- Signature: $\sigma = \begin{bmatrix} R \\ I \end{bmatrix} x + p$
- Distribution of signatures is independent of the secret key
33 Contributions
Implementation and improvements:
- Construction of the ring variant for more efficiency and practicality
- Space improvement of the perturbation matrix used to sample preimages
- Runtime improvement of Keygen and Signing due to the improved (sparse) perturbation matrix and the ring variant
- Implementation of the signature scheme (ring and matrix variant)
37 Contributions
Ring variant:
- Consider the ring $R_q = \mathbb{Z}_q[X]/\langle X^n + 1 \rangle$ for $n = 2^d$ and $q = 2^k$
- Choose a polynomial $a$ uniformly at random from $R_q$
- Draw $k$ Ring-LWE samples $a r_i + e_i$
- Furthermore, consider the primitive vector of polynomials $g = [1, \dots, 2^{k-1}]$
- The public key is $A = [1, a, g_1 - (a r_1 + e_1), \dots, g_k - (a r_k + e_k)]$
38 Contributions
$A = [1, a, g_1 - (a r_1 + e_1), \dots, g_k - (a r_k + e_k)]$
- A primitive matrix of polynomials $G$ is explicitly not required
- $[a, a r_1 + e_1, \dots, a r_k + e_k]$ is pseudorandom
- Sampling preimages differs slightly from the matrix variant
39 Contributions
How to sample $x \in R_q^{k \times 1}$ such that $g x = \sum_{i=0}^{k-1} 2^i x_i = u \in R_q$:
- Consider the matrix expansion of $g$: $G' = [\, I_n \mid 2 I_n \mid \dots \mid 2^{k-1} I_n \,]$
- There exists a permutation matrix $P$ such that $G' P = G$, the $G$ from the matrix variant
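40 Contributions
How to sample $x \in R_q^{k \times 1}$ such that $g x = u \in R_q$:
- We have $G' \begin{bmatrix} x_0 \\ \vdots \\ x_{k-1} \end{bmatrix} = u$, where $G'$ is the matrix expansion of $g$ and $G = G' P$
- Thus, sample $x'$ such that $G x' = u$
- $x = P x'$ is a preimage for $G'$ since $G' x = G P^{-1} P x' = G x' = u$
- If $x'$ is spherically distributed, then so is $x$.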
41 Contributions
How to sign a message $m$:
- Sample perturbation polynomials $p = [p_1, \dots, p_{k+2}]$
- Compute perturbed syndrome $v = H(m) - A p$
- Sample $x \in R^k$ such that $g x = v$
- Signature is $\sigma = p + [ex, rx, r_1 x_1, \dots, r_k x_k]$
- Signature is spherically distributed
42 Experimental results: Running times for ring (polynomials) and matrix version
43 Experimental results: Sizes for ring (polynomials) and matrix version
44 Thanks for your attention!
MATH-UA.343.005 T.A. Louis Guigo Algebra homework 8 Homomorphisms, isomorphisms For every n 1 we denote by S n the n-th symmetric group. Exercise 1. Consider the following permutations: ( ) ( 1 2 3 4 5
More informationEX-POST VERIFICATION OF PREDICTION MODELS OF WAGE DISTRIBUTIONS
EX-POST VERIFICATION OF PREDICTION MODELS OF WAGE DISTRIBUTIONS LUBOŠ MAREK, MICHAL VRABEC University of Economics, Prague, Faculty of Informatics and Statistics, Department of Statistics and Probability,
More informationModified Huang-Wang s Convertible Nominative Signature Scheme
Modified Huang-Wang s Convertible Nominative Signature Scheme Wei Zhao, Dingfeng Ye State Key Laboratory of Information Security Graduate University of Chinese Academy of Sciences Beijing 100049, P. R.
More informationMax Registers, Counters and Monotone Circuits
James Aspnes 1 Hagit Attiya 2 Keren Censor 2 1 Yale 2 Technion Counters Model Collects Our goal: build a cheap counter for an asynchronous shared-memory system. Two operations: increment and read. Read
More informationOutline. 1 Introduction. 2 Algorithms. 3 Examples. Algorithm 1 General coordinate minimization framework. 1: Choose x 0 R n and set k 0.
Outline Coordinate Minimization Daniel P. Robinson Department of Applied Mathematics and Statistics Johns Hopkins University November 27, 208 Introduction 2 Algorithms Cyclic order with exact minimization
More informationFinancial Risk Management
Financial Risk Management Professor: Thierry Roncalli Evry University Assistant: Enareta Kurtbegu Evry University Tutorial exercices #4 1 Correlation and copulas 1. The bivariate Gaussian copula is given
More informationMath Option pricing using Quasi Monte Carlo simulation
. Math 623 - Option pricing using Quasi Monte Carlo simulation Pratik Mehta pbmehta@eden.rutgers.edu Masters of Science in Mathematical Finance Department of Mathematics, Rutgers University This paper
More informationCPSC 540: Machine Learning
CPSC 540: Machine Learning Monte Carlo Methods Mark Schmidt University of British Columbia Winter 2019 Last Time: Markov Chains We can use Markov chains for density estimation, d p(x) = p(x 1 ) p(x }{{}
More informationNotes on the symmetric group
Notes on the symmetric group 1 Computations in the symmetric group Recall that, given a set X, the set S X of all bijections from X to itself (or, more briefly, permutations of X) is group under function
More informationM5MF6. Advanced Methods in Derivatives Pricing
Course: Setter: M5MF6 Dr Antoine Jacquier MSc EXAMINATIONS IN MATHEMATICS AND FINANCE DEPARTMENT OF MATHEMATICS April 2016 M5MF6 Advanced Methods in Derivatives Pricing Setter s signature...........................................
More informationarxiv: v1 [cs.dm] 4 Jan 2012
COPS AND INVISIBLE ROBBERS: THE COST OF DRUNKENNESS ATHANASIOS KEHAGIAS, DIETER MITSCHE, AND PAWE L PRA LAT arxiv:1201.0946v1 [cs.dm] 4 Jan 2012 Abstract. We examine a version of the Cops and Robber (CR)
More informationPORTFOLIO THEORY. Master in Finance INVESTMENTS. Szabolcs Sebestyén
PORTFOLIO THEORY Szabolcs Sebestyén szabolcs.sebestyen@iscte.pt Master in Finance INVESTMENTS Sebestyén (ISCTE-IUL) Portfolio Theory Investments 1 / 60 Outline 1 Modern Portfolio Theory Introduction Mean-Variance
More informationwww.unique-project.eu Exchange of security-critical data Computing Device generates, stores and processes security-critical information Computing Device 2 However: Cryptographic secrets can be leaked by
More informationConsumption- Savings, Portfolio Choice, and Asset Pricing
Finance 400 A. Penati - G. Pennacchi Consumption- Savings, Portfolio Choice, and Asset Pricing I. The Consumption - Portfolio Choice Problem We have studied the portfolio choice problem of an individual
More informationLecture 11: Bandits with Knapsacks
CMSC 858G: Bandits, Experts and Games 11/14/16 Lecture 11: Bandits with Knapsacks Instructor: Alex Slivkins Scribed by: Mahsa Derakhshan 1 Motivating Example: Dynamic Pricing The basic version of the dynamic
More informationBarrier Option. 2 of 33 3/13/2014
FPGA-based Reconfigurable Computing for Pricing Multi-Asset Barrier Options RAHUL SRIDHARAN, GEORGE COOKE, KENNETH HILL, HERMAN LAM, ALAN GEORGE, SAAHPC '12, PROCEEDINGS OF THE 2012 SYMPOSIUM ON APPLICATION
More informationSAQ KONTROLL AB Box 49306, STOCKHOLM, Sweden Tel: ; Fax:
ProSINTAP - A Probabilistic Program for Safety Evaluation Peter Dillström SAQ / SINTAP / 09 SAQ KONTROLL AB Box 49306, 100 29 STOCKHOLM, Sweden Tel: +46 8 617 40 00; Fax: +46 8 651 70 43 June 1999 Page
More informationFinancial Market Models. Lecture 1. One-period model of financial markets & hedging problems. Imperial College Business School
Financial Market Models Lecture One-period model of financial markets & hedging problems One-period model of financial markets a 4 2a 3 3a 3 a 3 -a 4 2 Aims of section Introduce one-period model with finite
More information3.4 Copula approach for modeling default dependency. Two aspects of modeling the default times of several obligors
3.4 Copula approach for modeling default dependency Two aspects of modeling the default times of several obligors 1. Default dynamics of a single obligor. 2. Model the dependence structure of defaults
More informationPIVOTAL QUANTILE ESTIMATES IN VAR CALCULATIONS. Peter Schaller, Bank Austria Creditanstalt (BA-CA) Wien,
PIVOTAL QUANTILE ESTIMATES IN VAR CALCULATIONS Peter Schaller, Bank Austria Creditanstalt (BA-CA) Wien, peter@ca-risc.co.at c Peter Schaller, BA-CA, Strategic Riskmanagement 1 Contents Some aspects of
More informationChapter 5 Finite Difference Methods. Math6911 W07, HM Zhu
Chapter 5 Finite Difference Methods Math69 W07, HM Zhu References. Chapters 5 and 9, Brandimarte. Section 7.8, Hull 3. Chapter 7, Numerical analysis, Burden and Faires Outline Finite difference (FD) approximation
More informationStochastic Programming and Financial Analysis IE447. Midterm Review. Dr. Ted Ralphs
Stochastic Programming and Financial Analysis IE447 Midterm Review Dr. Ted Ralphs IE447 Midterm Review 1 Forming a Mathematical Programming Model The general form of a mathematical programming model is:
More informationCourse information FN3142 Quantitative finance
Course information 015 16 FN314 Quantitative finance This course is aimed at students interested in obtaining a thorough grounding in market finance and related empirical methods. Prerequisite If taken
More informationMonte Carlo and Empirical Methods for Stochastic Inference (MASM11/FMSN50)
Monte Carlo and Empirical Methods for Stochastic Inference (MASM11/FMSN50) Magnus Wiktorsson Centre for Mathematical Sciences Lund University, Sweden Lecture 2 Random number generation January 18, 2018
More informationA new approach for scenario generation in risk management
A new approach for scenario generation in risk management Josef Teichmann TU Wien Vienna, March 2009 Scenario generators Scenarios of risk factors are needed for the daily risk analysis (1D and 10D ahead)
More informationSlides for Risk Management
Slides for Risk Management Introduction to the modeling of assets Groll Seminar für Finanzökonometrie Prof. Mittnik, PhD Groll (Seminar für Finanzökonometrie) Slides for Risk Management Prof. Mittnik,
More informationA Result on the Distribution of Quadratic Residues with Applications to Elliptic Curve Cryptography
A Result on the Distribution of Quadratic Residues with Applications to Elliptic Curve Cryptography Muralidhara V.N. and Sandeep Sen {murali, ssen}@cse.iitd.ernet.in Department of Computer Science and
More information