# Lattice-Based Threshold-Changeability for Standard Shamir Secret-Sharing Schemes

Save this PDF as:

Size: px
Start display at page:

## Transcription

1 Lattice-Based Threshold-Changeability for Standard Shamir Secret-Sharing Schemes Ron Steinfeld (Macquarie University, Australia) ( Joint work with: Huaxiong Wang (Macquarie University) ( Josef Pieprzyk (Macquarie University) ( 1

2 Overview (t,n)-threshold Secret Sharing Schemes Classical Shamir Scheme Changeable-Threshold Secret-Sharing Schemes Drawbacks of previous solutions Our Approach: Lattice-Based Threshold-Changeability for Classical Shamir Scheme Brief Review of Point Lattices Method for increasing the threshold from t to t > t Lattice-based Decoding Algorithm & Correctness Analysis Lattice-based Information-Theoretic Security Analysis 2

3 (t,n)-threshold Secret Sharing Fundamental cryptographic scheme (Shamir, 1979) Informal Definition: A Dealer owning a secret s wishes to distribute knowledge of s among a group of n shareholders such that two conditions hold: Correctness: Any subset of t shareholders can together recover s Security: Any subset of less than t shareholders cannot recover s Many applications in information security especially for achieving robustness of distributed security systems: Consider an access control system with n servers System is called t-robust if security is maintained even against attackers who succeed in breaking into up to t-1 servers Can be achieved by distributing the access control secret among the n servers using a (t,n)-threshold secret sharing scheme. 3

4 (t,n)-threshold Secret-Sharing Formal Definition (algorithms) 4

5 (t,n)-threshold Secret-Sharing Classical Shamir Scheme (Shamir 79) 5

6 Changeable-Threshold Secret-Sharing Motivation: In applications, choice of the threshold parameter t is a compromise between two conflicting factors: Value of Protected System & Attacker Resources Pushing the threshold as high as possible User Convenience and Cost Pushing the threshold as low as possible Hence actual value of t will be an equilibrium value, which will change in time as the relative strength of the above conflicting factors change in time This motivates study of Changeable-Threshold Secret-Sharing schemes 6

7 Changeable-Threshold Secret-Sharing Drawbacks of previous solutions are at least one of: Dealer Involvement after setup phase [eg. Blundo 93] Dealer broadcasts a message to all shareholders to allow them to update their shares from a (t,n) to a (t,n) scheme Implication: Dealer must communicate after setup! Initial (t,n)-threshold scheme is non-standard [eg. Martin 99] Simple example: Dealer gives each shareholder two shares of the secret, one for a (t,n) scheme, another for a (t,n) scheme Implication: Dealer must plan ahead! Shareholders privately communicate with each other [eg. Desmedt 97] E.g. Shareholders re-destribute secret among themselves for a (t,n) scheme via secure computation protocol Implication: Shareholders must communicate! Our scheme does not have any of these drawbacks! Although we only achieve relaxed correctness/security 7

8 secret Dealer... Changeable-Threshold Secret-Sharing n shares +... noise +... n subshares Basic idea of our approach Subset of t subshares... Lattice-Based Subshare Combiner secret To increase threshold from t to t > t, Each Shareholder adds a random `noise integer (of appropriate size) to his share, to obtain a subshare Subshares contain only partial information on original shares We expect that: Any t subshares are not sufficient to recover secret noise But t subshares (for some t > t depending on size of noise added) are sufficient to recover secret if we have an appropriate `error-correction algorithm (e.g if noise bit-length = ½ of share length, we expect that t ~ 2t subshares uniquely determine the secret) The new `subshare combiner algorithm is the error correction algorithm We construct this algorithm using lattice basis reduction! 8

9 Point Lattices (Brief Intro) Definition (Lattice): Given a basis of linearly-independent vectors in vector space, we call the set of all integer linear combinations of these vectors a lattice of dimension A basis matrix of lattice is an matrix listing basis vectors in rows The determinant of lattice is where is any basis matrix for. Geometrically, is equal to the volume of any fundamental parallelpiped (f.p.) of. We use infinity-norm (max. abs. value of coordinates) to measure length of lattice vectors Define Minkowski Minima of lattice : = shortest infinity-norm over all non-zero vectors of = shortest infinity-norm bound over all linearlyindependent vectors of 9

10 Point Lattices (Brief Intro) 10

11 Point Lattices (Brief Intro) The Closest Vector Problem (CVP) Exact (and near-exact) version of CVP is hard to solve efficiently in theory (NP-hard) But efficient Approximate-CVP algorithms exist First polynomial-time algorithm [Babai 86] suffices for us: 11

12 Threshold-Changeability for Classical Shamir Scheme - Algorithms Increasing the threshold from t to t > t 12

13 Threshold-Changeability for Classical Shamir Scheme - Algorithms Noisy subshares decoding algorithm (subshare combiner) 13

14 Threshold-Changeability for Classical Shamir Scheme - Correctness Decoding algorithm correctness analysis (Main ideas): By construction, the dealer s secret polynomial gives rise to a lattice vector which is close to the target vector That is,, so the approx. close lattice vector returned by satisfies. By triangle inequality, the error lattice vector is short : and our algorithm fails only if this error lattice vector is bad in the sense: We use counting argument to upper bound number of public vectors for which contains short and bad vectors 14

15 Threshold-Changeability for Classical Shamir Scheme - Correctness Algorithm correctness analysis (continued) Counting argument to upper bound number of public vectors for which contains short and bad vectors reduces to following algebraic counting lemma: We use this to obtain an upper bound on fraction of bad public vectors for which combiner may not always work This bad fraction can be made as small as we wish, for sufficiently large security parameter 15

16 Threshold-Changeability for Classical Shamir Scheme - Security Security Analysis (Main Ideas): We assume a uniform distribution on secret space : Secret entropy We show that, for all choices of the public vector except for a small bad fraction, the following holds: For all subshare subsets of size with and all values for the corresponding subshare vector, the conditional probability distribution for the secret given the observed subshare vector value, is close to uniform: Secret entropy loss is bounded as (for all I and ) 16

17 Threshold-Changeability for Classical Shamir Scheme - Security Security analysis (cont.) To derive bound we observe where for integers and we define We lower bound (no. of dealer poly consistent with shares) We upper bound (no. of dealer poly consistent with shares and any fixed value for the secret) 17

18 Threshold-Changeability for Classical Shamir Scheme - Security Security analysis (cont.) We first reduce the problem to lattice point counting: 18

19 Threshold-Changeability for Classical Shamir Scheme - Security Security analysis (cont.) Now we use lattice tools to lower bound Note is a non-homogenous counting problem: we need the number of lattice points in a box centred on a (non-lattice) vector We reduce this non-homogenous problem to two simpler problems: The homogenous problem of lower bounding the number of lattice points in an origin-centred box Upper bounding the largest Minkowski minimum 19

20 Threshold-Changeability for Classical Shamir Scheme - Security Security analysis (cont.) Proof idea of reduction of non-homogenous lower bound to homogenous lower bound + upper bound on 20

21 Threshold-Changeability for Classical Shamir Scheme - Security Security analysis (cont.) Problem 1 (point counting in origin-symmetric box) is solved directly by applying Blichfeldt-Corput Theorem: Problem 2 (upper bounding ) is solved by applying Minkowski s Second Theorem to reduce it first to the problem of lower bounding the first Minkowski minimum(shortest vector norm) We lower bound the first Minkowski minimum (except for a small fraction of bad public vectors ) by applying our algebraic counting lemma (using similar argument used in correctness analysis) 21

22 Threshold-Changeability for Classical Shamir Scheme - Security Security analysis (cont.) This completes the results needed to lower bound Recall that we also need to upper bound We reduce this problem also to lower bounding with the following result: And now we use our lower bound on again! 22

23 Conclusions Presented lattice-based threshold changeability algorithms for Shamir secret-sharing Proved concrete bounds on correctness and security using classical results from theory of lattices 23

### SECRET sharing schemes were introduced by Blakley [5]

206 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 52, NO. 1, JANUARY 2006 Secret Sharing Schemes From Three Classes of Linear Codes Jin Yuan Cunsheng Ding, Senior Member, IEEE Abstract Secret sharing has

### Applied Algorithm Design Lecture 5

Applied Algorithm Design Lecture 5 Pietro Michiardi Eurecom Pietro Michiardi (Eurecom) Applied Algorithm Design Lecture 5 1 / 86 Approximation Algorithms Pietro Michiardi (Eurecom) Applied Algorithm Design

### Notes 11: List Decoding Folded Reed-Solomon Codes

Introduction to Coding Theory CMU: Spring 2010 Notes 11: List Decoding Folded Reed-Solomon Codes April 2010 Lecturer: Venkatesan Guruswami Scribe: Venkatesan Guruswami At the end of the previous notes,

### by the matrix A results in a vector which is a reflection of the given

Eigenvalues & Eigenvectors Example Suppose Then So, geometrically, multiplying a vector in by the matrix A results in a vector which is a reflection of the given vector about the y-axis We observe that

### Approximation Algorithms

Approximation Algorithms or: How I Learned to Stop Worrying and Deal with NP-Completeness Ong Jit Sheng, Jonathan (A0073924B) March, 2012 Overview Key Results (I) General techniques: Greedy algorithms

### Linear Authentication Codes: Bounds and Constructions

866 IEEE TRANSACTIONS ON INFORMATION TNEORY, VOL 49, NO 4, APRIL 2003 Linear Authentication Codes: Bounds and Constructions Huaxiong Wang, Chaoping Xing, and Rei Safavi-Naini Abstract In this paper, we

### A Negative Result Concerning Explicit Matrices With The Restricted Isometry Property

A Negative Result Concerning Explicit Matrices With The Restricted Isometry Property Venkat Chandar March 1, 2008 Abstract In this note, we prove that matrices whose entries are all 0 or 1 cannot achieve

### Linear Codes. Chapter 3. 3.1 Basics

Chapter 3 Linear Codes In order to define codes that we can encode and decode efficiently, we add more structure to the codespace. We shall be mainly interested in linear codes. A linear code of length

### Secure Network Coding on a Wiretap Network

IEEE TRANSACTIONS ON INFORMATION THEORY 1 Secure Network Coding on a Wiretap Network Ning Cai, Senior Member, IEEE, and Raymond W. Yeung, Fellow, IEEE Abstract In the paradigm of network coding, the nodes

### Ideal Class Group and Units

Chapter 4 Ideal Class Group and Units We are now interested in understanding two aspects of ring of integers of number fields: how principal they are (that is, what is the proportion of principal ideals

### The Dirichlet Unit Theorem

Chapter 6 The Dirichlet Unit Theorem As usual, we will be working in the ring B of algebraic integers of a number field L. Two factorizations of an element of B are regarded as essentially the same if

### MA257: INTRODUCTION TO NUMBER THEORY LECTURE NOTES

MA257: INTRODUCTION TO NUMBER THEORY LECTURE NOTES 2016 47 4. Diophantine Equations A Diophantine Equation is simply an equation in one or more variables for which integer (or sometimes rational) solutions

### Chapter 6. Orthogonality

6.3 Orthogonal Matrices 1 Chapter 6. Orthogonality 6.3 Orthogonal Matrices Definition 6.4. An n n matrix A is orthogonal if A T A = I. Note. We will see that the columns of an orthogonal matrix must be

### A New Generic Digital Signature Algorithm

Groups Complex. Cryptol.? (????), 1 16 DOI 10.1515/GCC.????.??? de Gruyter???? A New Generic Digital Signature Algorithm Jennifer Seberry, Vinhbuu To and Dongvu Tonien Abstract. In this paper, we study

### Math 115A HW4 Solutions University of California, Los Angeles. 5 2i 6 + 4i. (5 2i)7i (6 + 4i)( 3 + i) = 35i + 14 ( 22 6i) = 36 + 41i.

Math 5A HW4 Solutions September 5, 202 University of California, Los Angeles Problem 4..3b Calculate the determinant, 5 2i 6 + 4i 3 + i 7i Solution: The textbook s instructions give us, (5 2i)7i (6 + 4i)(

### Fairness in Routing and Load Balancing

Fairness in Routing and Load Balancing Jon Kleinberg Yuval Rabani Éva Tardos Abstract We consider the issue of network routing subject to explicit fairness conditions. The optimization of fairness criteria

### Linear Codes. In the V[n,q] setting, the terms word and vector are interchangeable.

Linear Codes Linear Codes In the V[n,q] setting, an important class of codes are the linear codes, these codes are the ones whose code words form a sub-vector space of V[n,q]. If the subspace of V[n,q]

### Post-Quantum Cryptography #4

Post-Quantum Cryptography #4 Prof. Claude Crépeau McGill University http://crypto.cs.mcgill.ca/~crepeau/waterloo 185 ( 186 Attack scenarios Ciphertext-only attack: This is the most basic type of attack

### 1 Message Authentication

Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

### Secure Network Coding via Filtered Secret Sharing

Secure Network Coding via Filtered Secret Sharing Jon Feldman, Tal Malkin, Rocco Servedio, Cliff Stein (Columbia University) jonfeld@ieor, tal@cs, rocco@cs, cliff@ieor columbiaedu Feldman, Malkin, Servedio,

### We shall turn our attention to solving linear systems of equations. Ax = b

59 Linear Algebra We shall turn our attention to solving linear systems of equations Ax = b where A R m n, x R n, and b R m. We already saw examples of methods that required the solution of a linear system

### Lecture 15 An Arithmetic Circuit Lowerbound and Flows in Graphs

CSE599s: Extremal Combinatorics November 21, 2011 Lecture 15 An Arithmetic Circuit Lowerbound and Flows in Graphs Lecturer: Anup Rao 1 An Arithmetic Circuit Lower Bound An arithmetic circuit is just like

### Sphere Packings, Lattices, and Kissing Configurations in R n

Sphere Packings, Lattices, and Kissing Configurations in R n Stephanie Vance University of Washington April 9, 2009 Stephanie Vance (University of Washington)Sphere Packings, Lattices, and Kissing Configurations

### Applying General Access Structure to Metering Schemes

Applying General Access Structure to Metering Schemes Ventzislav Nikov Department of Mathematics and Computing Science, Eindhoven University of Technology P.O. Box 513, 5600 MB, Eindhoven, the Netherlands

### The Ideal Class Group

Chapter 5 The Ideal Class Group We will use Minkowski theory, which belongs to the general area of geometry of numbers, to gain insight into the ideal class group of a number field. We have already mentioned

### 2.1 Complexity Classes

15-859(M): Randomized Algorithms Lecturer: Shuchi Chawla Topic: Complexity classes, Identity checking Date: September 15, 2004 Scribe: Andrew Gilpin 2.1 Complexity Classes In this lecture we will look

### The Conference Call Search Problem in Wireless Networks

The Conference Call Search Problem in Wireless Networks Leah Epstein 1, and Asaf Levin 2 1 Department of Mathematics, University of Haifa, 31905 Haifa, Israel. lea@math.haifa.ac.il 2 Department of Statistics,

### Offline sorting buffers on Line

Offline sorting buffers on Line Rohit Khandekar 1 and Vinayaka Pandit 2 1 University of Waterloo, ON, Canada. email: rkhandekar@gmail.com 2 IBM India Research Lab, New Delhi. email: pvinayak@in.ibm.com

### Computer Algorithms. NP-Complete Problems. CISC 4080 Yanjun Li

Computer Algorithms NP-Complete Problems NP-completeness The quest for efficient algorithms is about finding clever ways to bypass the process of exhaustive search, using clues from the input in order

### Numerical Analysis Lecture Notes

Numerical Analysis Lecture Notes Peter J. Olver 5. Inner Products and Norms The norm of a vector is a measure of its size. Besides the familiar Euclidean norm based on the dot product, there are a number

### Information Sciences

Information Sciences 180 (2010) 3059 3064 Contents lists available at ScienceDirect Information Sciences journal homepage: www.elsevier.com/locate/ins Strong (n, t, n) verifiable secret sharing scheme

### Network Coding for Security and Error Correction

Network Coding for Security and Error Correction NGAI, Chi Kin A Thesis Submitted in Partial Fulfilment of the Requirements for the Degree of Doctor of Philosophy in Information Engineering c The Chinese

### L1 vs. L2 Regularization and feature selection.

L1 vs. L2 Regularization and feature selection. Paper by Andrew Ng (2004) Presentation by Afshin Rostami Main Topics Covering Numbers Definition Convergence Bounds L1 regularized logistic regression L1

### Factoring & Primality

Factoring & Primality Lecturer: Dimitris Papadopoulos In this lecture we will discuss the problem of integer factorization and primality testing, two problems that have been the focus of a great amount

### Lecture 6 Online and streaming algorithms for clustering

CSE 291: Unsupervised learning Spring 2008 Lecture 6 Online and streaming algorithms for clustering 6.1 On-line k-clustering To the extent that clustering takes place in the brain, it happens in an on-line

### Algorithm Design and Analysis

Algorithm Design and Analysis LECTURE 27 Approximation Algorithms Load Balancing Weighted Vertex Cover Reminder: Fill out SRTEs online Don t forget to click submit Sofya Raskhodnikova 12/6/2011 S. Raskhodnikova;

### Lecture 4 Online and streaming algorithms for clustering

CSE 291: Geometric algorithms Spring 2013 Lecture 4 Online and streaming algorithms for clustering 4.1 On-line k-clustering To the extent that clustering takes place in the brain, it happens in an on-line

### Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2

### Optimal File Sharing in Distributed Networks

Optimal File Sharing in Distributed Networks Moni Naor Ron M. Roth Abstract The following file distribution problem is considered: Given a network of processors represented by an undirected graph G = (V,

### Share conversion, pseudorandom secret-sharing and applications to secure distributed computing

Share conversion, pseudorandom secret-sharing and applications to secure distributed computing Ronald Cramer 1, Ivan Damgård 2, and Yuval Ishai 3 1 CWI, Amsterdam and Mathematical Institute, Leiden University

### Basic Terminology for Systems of Equations in a Nutshell. E. L. Lady. 3x 1 7x 2 +4x 3 =0 5x 1 +8x 2 12x 3 =0.

Basic Terminology for Systems of Equations in a Nutshell E L Lady A system of linear equations is something like the following: x 7x +4x =0 5x +8x x = Note that the number of equations is not required

### Approximation Algorithms: LP Relaxation, Rounding, and Randomized Rounding Techniques. My T. Thai

Approximation Algorithms: LP Relaxation, Rounding, and Randomized Rounding Techniques My T. Thai 1 Overview An overview of LP relaxation and rounding method is as follows: 1. Formulate an optimization

### POLYNOMIAL RINGS AND UNIQUE FACTORIZATION DOMAINS

POLYNOMIAL RINGS AND UNIQUE FACTORIZATION DOMAINS RUSS WOODROOFE 1. Unique Factorization Domains Throughout the following, we think of R as sitting inside R[x] as the constant polynomials (of degree 0).

### THE FUNDAMENTAL THEOREM OF ARBITRAGE PRICING

THE FUNDAMENTAL THEOREM OF ARBITRAGE PRICING 1. Introduction The Black-Scholes theory, which is the main subject of this course and its sequel, is based on the Efficient Market Hypothesis, that arbitrages

### On the representability of the bi-uniform matroid

On the representability of the bi-uniform matroid Simeon Ball, Carles Padró, Zsuzsa Weiner and Chaoping Xing August 3, 2012 Abstract Every bi-uniform matroid is representable over all sufficiently large

### Network Security. Chapter 6 Random Number Generation. Prof. Dr.-Ing. Georg Carle

Network Security Chapter 6 Random Number Generation Prof. Dr.-Ing. Georg Carle Chair for Computer Networks & Internet Wilhelm-Schickard-Institute for Computer Science University of Tübingen http://net.informatik.uni-tuebingen.de/

### ON DEGREES IN THE HASSE DIAGRAM OF THE STRONG BRUHAT ORDER

Séminaire Lotharingien de Combinatoire 53 (2006), Article B53g ON DEGREES IN THE HASSE DIAGRAM OF THE STRONG BRUHAT ORDER RON M. ADIN AND YUVAL ROICHMAN Abstract. For a permutation π in the symmetric group

### Private Approximation of Clustering and Vertex Cover

Private Approximation of Clustering and Vertex Cover Amos Beimel, Renen Hallak, and Kobbi Nissim Department of Computer Science, Ben-Gurion University of the Negev Abstract. Private approximation of search

### References: Adi Shamir, How to Share a Secret, CACM, November 1979.

Ad Hoc Network Security References: Adi Shamir, How to Share a Secret, CACM, November 1979. Jiejun Kong, Petros Zerfos, Haiyun Luo, Songwu Lu, Lixia Zhang, Providing Robust and Ubiquitous Security Support

### Some Polynomial Theorems. John Kennedy Mathematics Department Santa Monica College 1900 Pico Blvd. Santa Monica, CA 90405 rkennedy@ix.netcom.

Some Polynomial Theorems by John Kennedy Mathematics Department Santa Monica College 1900 Pico Blvd. Santa Monica, CA 90405 rkennedy@ix.netcom.com This paper contains a collection of 31 theorems, lemmas,

### Optimal Index Codes for a Class of Multicast Networks with Receiver Side Information

Optimal Index Codes for a Class of Multicast Networks with Receiver Side Information Lawrence Ong School of Electrical Engineering and Computer Science, The University of Newcastle, Australia Email: lawrence.ong@cantab.net

Approximation Algorithms Chapter Approximation Algorithms Q. Suppose I need to solve an NP-hard problem. What should I do? A. Theory says you're unlikely to find a poly-time algorithm. Must sacrifice one

### 8. Linear least-squares

8. Linear least-squares EE13 (Fall 211-12) definition examples and applications solution of a least-squares problem, normal equations 8-1 Definition overdetermined linear equations if b range(a), cannot

### Efficient Recovery of Secrets

Efficient Recovery of Secrets Marcel Fernandez Miguel Soriano, IEEE Senior Member Department of Telematics Engineering. Universitat Politècnica de Catalunya. C/ Jordi Girona 1 i 3. Campus Nord, Mod C3,

### Two classes of ternary codes and their weight distributions

Two classes of ternary codes and their weight distributions Cunsheng Ding, Torleiv Kløve, and Francesco Sica Abstract In this paper we describe two classes of ternary codes, determine their minimum weight

### Lattice Attacks in Cryptography: A Partial Overview

Lattice Attacks in Cryptography: A Partial Overview M. Jason Hinek School of Computer Science, University of Waterloo Waterloo, Ontario, N2L-3G1, Canada mjhinek@alumni.uwaterloo.ca October 22, 2004 Abstract

### Network Security. Chapter 6 Random Number Generation

Network Security Chapter 6 Random Number Generation 1 Tasks of Key Management (1)! Generation:! It is crucial to security, that keys are generated with a truly random or at least a pseudo-random generation

### The van Hoeij Algorithm for Factoring Polynomials

The van Hoeij Algorithm for Factoring Polynomials Jürgen Klüners Abstract In this survey we report about a new algorithm for factoring polynomials due to Mark van Hoeij. The main idea is that the combinatorial

### Similarity and Diagonalization. Similar Matrices

MATH022 Linear Algebra Brief lecture notes 48 Similarity and Diagonalization Similar Matrices Let A and B be n n matrices. We say that A is similar to B if there is an invertible n n matrix P such that

### Open Problems in Quantum Information Processing. John Watrous Department of Computer Science University of Calgary

Open Problems in Quantum Information Processing John Watrous Department of Computer Science University of Calgary #1 Open Problem Find new quantum algorithms. Existing algorithms: Shor s Algorithm (+ extensions)

### Absolute Value Programming

Computational Optimization and Aplications,, 1 11 (2006) c 2006 Springer Verlag, Boston. Manufactured in The Netherlands. Absolute Value Programming O. L. MANGASARIAN olvi@cs.wisc.edu Computer Sciences

### Lattice Point Geometry: Pick s Theorem and Minkowski s Theorem. Senior Exercise in Mathematics. Jennifer Garbett Kenyon College

Lattice Point Geometry: Pick s Theorem and Minkowski s Theorem Senior Exercise in Mathematics Jennifer Garbett Kenyon College November 18, 010 Contents 1 Introduction 1 Primitive Lattice Triangles 5.1

### Co-Location-Resistant Clouds

Co-Location-Resistant Clouds Yossi Azar Tel-Aviv University azar@tau.ac.il Mariana Raykova SRI International mariana.raykova@sri.com Seny Kamara Microsoft Research senyk@microsoft.com Ishai Menache Microsoft

### This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

IEEE/ACM TRANSACTIONS ON NETWORKING 1 A Greedy Link Scheduler for Wireless Networks With Gaussian Multiple-Access and Broadcast Channels Arun Sridharan, Student Member, IEEE, C Emre Koksal, Member, IEEE,

### Embedding more security in digital signature system by using combination of public key cryptography and secret sharing scheme

International Journal of Computer Sciences and Engineering Open Access Research Paper Volume-4, Issue-3 E-ISSN: 2347-2693 Embedding more security in digital signature system by using combination of public

### International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca,

### Continued Fractions and the Euclidean Algorithm

Continued Fractions and the Euclidean Algorithm Lecture notes prepared for MATH 326, Spring 997 Department of Mathematics and Statistics University at Albany William F Hammond Table of Contents Introduction

### Key Agreement from Close Secrets over Unsecured Channels Winter 2010

Key Agreement from Close Secrets over Unsecured Channels Winter 2010 Andreas Keller Contens 1. Motivation 2. Introduction 3. Building Blocks 4. Protocol Extractor Secure Sketches (MAC) message authentication

### 5 INTEGER LINEAR PROGRAMMING (ILP) E. Amaldi Fondamenti di R.O. Politecnico di Milano 1

5 INTEGER LINEAR PROGRAMMING (ILP) E. Amaldi Fondamenti di R.O. Politecnico di Milano 1 General Integer Linear Program: (ILP) min c T x Ax b x 0 integer Assumption: A, b integer The integrality condition

### 956 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 4, NO. 4, DECEMBER 2009

956 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 4, NO. 4, DECEMBER 2009 Biometric Systems: Privacy and Secrecy Aspects Tanya Ignatenko, Member, IEEE, and Frans M. J. Willems, Fellow,

### Towards High Security and Fault Tolerant Dispersed Storage System with Optimized Information Dispersal Algorithm

Towards High Security and Fault Tolerant Dispersed Storage System with Optimized Information Dispersal Algorithm I Hrishikesh Lahkar, II Manjunath C R I,II Jain University, School of Engineering and Technology,

### 3. INNER PRODUCT SPACES

. INNER PRODUCT SPACES.. Definition So far we have studied abstract vector spaces. These are a generalisation of the geometric spaces R and R. But these have more structure than just that of a vector space.

### Linear Algebra Notes for Marsden and Tromba Vector Calculus

Linear Algebra Notes for Marsden and Tromba Vector Calculus n-dimensional Euclidean Space and Matrices Definition of n space As was learned in Math b, a point in Euclidean three space can be thought of

### RSA Attacks. By Abdulaziz Alrasheed and Fatima

RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.

### DATA MINING CLUSTER ANALYSIS: BASIC CONCEPTS

DATA MINING CLUSTER ANALYSIS: BASIC CONCEPTS 1 AND ALGORITHMS Chiara Renso KDD-LAB ISTI- CNR, Pisa, Italy WHAT IS CLUSTER ANALYSIS? Finding groups of objects such that the objects in a group will be similar

### Network coding for security and robustness

Network coding for security and robustness 1 Outline Network coding for detecting attacks Network management requirements for robustness Centralized versus distributed network management 2 Byzantine security

### ! Solve problem to optimality. ! Solve problem in poly-time. ! Solve arbitrary instances of the problem. !-approximation algorithm.

Approximation Algorithms Chapter Approximation Algorithms Q Suppose I need to solve an NP-hard problem What should I do? A Theory says you're unlikely to find a poly-time algorithm Must sacrifice one of

### Minimize subject to. x S R

Chapter 12 Lagrangian Relaxation This chapter is mostly inspired by Chapter 16 of [1]. In the previous chapters, we have succeeded to find efficient algorithms to solve several important problems such

### What s next? Reductions other than kernelization

What s next? Reductions other than kernelization Dániel Marx Humboldt-Universität zu Berlin (with help from Fedor Fomin, Daniel Lokshtanov and Saket Saurabh) WorKer 2010: Workshop on Kernelization Nov

### ON THE COMPLEXITY OF THE GAME OF SET. {kamalika,pbg,dratajcz,hoeteck}@cs.berkeley.edu

ON THE COMPLEXITY OF THE GAME OF SET KAMALIKA CHAUDHURI, BRIGHTEN GODFREY, DAVID RATAJCZAK, AND HOETECK WEE {kamalika,pbg,dratajcz,hoeteck}@cs.berkeley.edu ABSTRACT. Set R is a card game played with a

### Near Optimal Solutions

Near Optimal Solutions Many important optimization problems are lacking efficient solutions. NP-Complete problems unlikely to have polynomial time solutions. Good heuristics important for such problems.

### Post-Quantum Cryptography #2

Post-Quantum Cryptography #2 Prof. Claude Crépeau McGill University 49 Post-Quantum Cryptography Finite Fields based cryptography Codes Multi-variate Polynomials Integers based cryptography Approximate

2.5 ZEROS OF POLYNOMIAL FUNCTIONS Copyright Cengage Learning. All rights reserved. What You Should Learn Use the Fundamental Theorem of Algebra to determine the number of zeros of polynomial functions.

### Mathematics Course 111: Algebra I Part IV: Vector Spaces

Mathematics Course 111: Algebra I Part IV: Vector Spaces D. R. Wilkins Academic Year 1996-7 9 Vector Spaces A vector space over some field K is an algebraic structure consisting of a set V on which are

### HOMEWORK 5 SOLUTIONS. n!f n (1) lim. ln x n! + xn x. 1 = G n 1 (x). (2) k + 1 n. (n 1)!

Math 7 Fall 205 HOMEWORK 5 SOLUTIONS Problem. 2008 B2 Let F 0 x = ln x. For n 0 and x > 0, let F n+ x = 0 F ntdt. Evaluate n!f n lim n ln n. By directly computing F n x for small n s, we obtain the following

CS787: Advanced Algorithms Topic: Online Learning Presenters: David He, Chris Hopman 17.3.1 Follow the Perturbed Leader 17.3.1.1 Prediction Problem Recall the prediction problem that we discussed in class.

### MATHEMATICS (CLASSES XI XII)

MATHEMATICS (CLASSES XI XII) General Guidelines (i) All concepts/identities must be illustrated by situational examples. (ii) The language of word problems must be clear, simple and unambiguous. (iii)

### Breaking An Identity-Based Encryption Scheme based on DHIES

Breaking An Identity-Based Encryption Scheme based on DHIES Martin R. Albrecht 1 Kenneth G. Paterson 2 1 SALSA Project - INRIA, UPMC, Univ Paris 06 2 Information Security Group, Royal Holloway, University

### Some applications of LLL

Some applications of LLL a. Factorization of polynomials As the title Factoring polynomials with rational coefficients of the original paper in which the LLL algorithm was first published (Mathematische

### Permutation Betting Markets: Singleton Betting with Extra Information

Permutation Betting Markets: Singleton Betting with Extra Information Mohammad Ghodsi Sharif University of Technology ghodsi@sharif.edu Hamid Mahini Sharif University of Technology mahini@ce.sharif.edu

### Short Programs for functions on Curves

Short Programs for functions on Curves Victor S. Miller Exploratory Computer Science IBM, Thomas J. Watson Research Center Yorktown Heights, NY 10598 May 6, 1986 Abstract The problem of deducing a function

### Catalan Numbers. Thomas A. Dowling, Department of Mathematics, Ohio State Uni- versity.

7 Catalan Numbers Thomas A. Dowling, Department of Mathematics, Ohio State Uni- Author: versity. Prerequisites: The prerequisites for this chapter are recursive definitions, basic counting principles,

### Privacy-Preserving Aggregation of Time-Series Data

Privacy-Preserving Aggregation of Time-Series Data Elaine Shi PARC/UC Berkeley elaines@eecs.berkeley.edu Richard Chow PARC rchow@parc.com T-H. Hubert Chan The University of Hong Kong hubert@cs.hku.hk Dawn

### A Branch and Bound Algorithm for Solving the Binary Bi-level Linear Programming Problem

A Branch and Bound Algorithm for Solving the Binary Bi-level Linear Programming Problem John Karlof and Peter Hocking Mathematics and Statistics Department University of North Carolina Wilmington Wilmington,

### 1 Approximating Set Cover

CS 05: Algorithms (Grad) Feb 2-24, 2005 Approximating Set Cover. Definition An Instance (X, F ) of the set-covering problem consists of a finite set X and a family F of subset of X, such that every elemennt

### Definition: A square matrix A is block diagonal if A has the form A 1 O O O A 2 O A =

The question we want to answer now is the following: If A is not similar to a diagonal matrix, then what is the simplest matrix that A is similar to? Before we can provide the answer, we will have to introduce

### THE SCHEDULING OF MAINTENANCE SERVICE

THE SCHEDULING OF MAINTENANCE SERVICE Shoshana Anily Celia A. Glass Refael Hassin Abstract We study a discrete problem of scheduling activities of several types under the constraint that at most a single

### Solving Linear Systems, Continued and The Inverse of a Matrix

, Continued and The of a Matrix Calculus III Summer 2013, Session II Monday, July 15, 2013 Agenda 1. The rank of a matrix 2. The inverse of a square matrix Gaussian Gaussian solves a linear system by reducing