# How Efficient can Memory Checking be?

Save this PDF as:

Size: px
Start display at page:

## Transcription

9 Lemma 1 is used iteratively as long as there are heavy public memory locations, restricting the memory checker to only a (large) subset of its indices while lowering its query complexity (q). This comes at the cost of only a modest drop in the number of indices (n) and a moderate increase in the space complexity (s). We repeat this iteratively, reducing the query complexity until there is no set of heavy locations in the public memory. If we can apply the lemma many times, then we get a lower bound on the checker s query complexity: each application of the lemma reduces the query complexity, so if we applied the lemma many times the initial query complexity had to have been high. The reason that we can apply Lemma 1 many times is that otherwise we are left with a checker on many indices with no set of heavy locations. If there is no set of heavy public memory locations, then the (possibly reduced) public memory can be partitioned into relatively many parts that are disjoint in the sense that each part is queried only by a single index of the database. We can restrict the checker again, but this time to obtain a checker with many indices, relatively small secret memory and query complexity 1. This is formalized in Lemma 2 (proof below): Lemma 2. Let C be a (Σ, n, q, s) deterministic and non-adaptive online memory checker. Then, for every α N such that α < n, and for every threshold t N such that n > 4t q log n, the following holds: If for every integer m {1,..., α}, there are fewer than m locations in public memory that are t/m-heavy, then the memory checker C can be restricted to a (Σ q, n α/(2q t), 1, s/q)-checker. Finally, we show that such a disjoint checker implies a contradiction. In particular, it must have space complexity that is more or less proportional to the number of disjoint parts. Unless the memory checker has already been restricted to very few indices (in which case we have a query complexity lower bound), this results in a contradiction, since the checker s space complexity is bounded (by a small polynomial in n). The intuition that a disjoint checker must have large space complexity is formalized in Lemma 3 (proof below): Lemma 3. Let C be a (Σ, n, q = 1, s) deterministic and non-adaptive online memory checker, i.e. a checker that makes only a single query, where the location that each index queries in public memory is different. Then, s n 1. log Σ We postpone proving the lemmas and proceed with a formal analysis. We take α = n d, for a constant 0 < d < 1 to be specified later. We iteratively examine and restrict the memory checker. Let C i be the checker obtained after the i-th iteration (C 0 = C is the original checker), let n i be the number of indices in its database and s i its space complexity. Taking a n i log c n threshold t i =, where c > 1 is a constant specified below, we check whether or not the new checker C i has a set of heavy indices in its public memory. We only iterate as long as n i > α. Formally, there are two possible cases: 1. If C i has a set of m α public memory locations that are at least t i/m-heavy, then by Lemma 1:

10 For some j {1,..., q}, we can build from C i a (Σ, t i /2 j+2, q j, s i + α) deterministic and non-adaptive online memory checker C i If for every integer m α the checker C i does not have a set of m public memory locations that are t i/m-heavy, and choosing c, d such that n i > 4t i q log α, by Lemma 2: We can build from C i a (Σ q, n i α/(2q t i), 1, s i/q) deterministic and non-adaptive online memory checker. If n i is reasonably large, i.e. has not been reduced by repeated iterations of Case 1, then this will imply a contradiction. Recall that q 0 denotes the query complexity of the initial checker C, before any application of Lemmas 1 and 2. Assume for a contradiction that q 0 log n/(3c log log n). Let j [q + 1] be the total number of queries reduced by the iterative applications of Lemma 1, i.e., the number of queries reduced by the iterations in which Case 1 occurred. Since we assumed q log n/(3c log log n), we know that j < log n/(3c log log n). Thus, in the first iteration in which Case 2 applies (say the i-th iteration in total), it must be the case that n i n/(log c j n 2 3 log n/3c log log n ) = n/(log c j n 2 log n/c log log n ) > n 1 ε/2. Recall that we only iterate so long as n i > α, so we can choose any α < n 1 ε/2. The space s i used by this restricted checker is at most s + i α s + log n α. As usual, t i = n i/ log c n, and choosing c > 2 we get that 4t i q log α n i/(log c n log n d log n) < n i Applying Lemma 2, we obtain a (Σ q, n i α/(2q t i), 1, s i/q)-checker. Now, by Lemma 3, which bounds the space complexity of one-query checkers, we get that it must be the case that: s i n i α/(2q t i log Σ ) log c 1 n α/(2 log Σ ) But on the other hand we know that s i s + log n α. We know Σ 2 poly log n, and choose c such that log c 1 n/(2 log Σ ) > 2 log n. We also set α > 2s = 2n 1 ε. Recall that we also needed α < n i, but this is fine since n i > n 1 ε/2. In conclusion, we set α by choosing d such that 1 ε < d < 1 ε/2, i.e. such that We get that 2s = 2n 1 ε < α = n d < n i = n 1 ε/2 s > log c 1 n α/(2 log Σ ) log n α > log n α > 2s This is a contradiction! Proof (of Lemma 1). If there is a set M of m locations in public memory that are all t/m-heavy (i.e. each accessed by at least t/m indices), then we restrict the memory checker to only work for some of the indices that access one or more of the heavy locations. Let I [n] be the set

11 of database indices that access at least one of the locations in M (the heavy locations). We claim that for some i {1,..., q}, there are at least t/2 i+2 indices in I that each access at least i locations in M. To see this, assume for a contradiction that this is not the case. Then the sum of the number of locations in M that are accessed by each database index (and in particular by the indices in I) is less than: q i t/2 i+2 = t i=1 q i/2 i+2 < t On the other hand, since there are m locations in M that are at least t/m-heavy, the sum of locations in M read by database indices must be at least t and we get a contradiction. We restrict the checker to the indices in I that read at least i locations in M, and move these locations to the secret memory. This increases the space complexity (size of the secret memory) from s to s + m. By the above, there are at least t/2 i+2 such indices. For each of them, we have reduced their query complexity from q to q i. The alphabet size remains unchanged. Proof (of Lemma 2). If there are only a few relatively heavy locations in the public memory, then we eliminate indices and split the public memory in disjoint chunks : subsets of the public memory that are disjoint in the sense that no location in any chunk is accessed by two different indices. This is done in a greedy iterative manner. We go over the locations in public memory one by one; for each of them we choose one index (say j) that accesses them and eliminate any other index that accesses a location in public memory also accessed by j. This is repeated iteratively (for the analysis, we think of this as being done from the heavy public memory locations to the lighter ones). After the checker cannot be restricted any more we are left with a checker for which no two indices access the same location in public memory, and we will show that the number of remaining indices is reasonably high. More concretely, for any value i [1... log α], we know that there are at most 2 i 1 locations that are between t/2 i -heavy and 2t/2 i -heavy. In fact, in the iterative restriction process, when we consider i we have already restricted the memory checker so that no location in the public memory is more than 2t/2 i -heavy. We go over these (at most 2 i 1) locations one by one, say in lexicographic order. For each of them, we examine one index that accesses that location, say index j. We restrict the checker by eliminating all intersecting indices: indices k such that there is a public memory location queried by both j and k. Index j queries at most q locations in the public memory, and these in turn are queried by at most 2t/2 i indices each (since we have already restricted the checker so that there is no 2t/2 i -heavy location in the public memory). Thus, we eliminate at most 2t q/2 i indices per heavy location in the public memory, or at most 2t q indices in all. Repeating this for i 1... log α, in the i-th iteration there are at most 2 i locations that are at least t/2 i -heavy, and none of these locations can i=1

12 be more than 2t/2 i -heavy. We go over these locations one by one, and if they have an index accessing them that has not been eliminated yet we restrict the checker as above. This eliminates at most 2t q/2 i indices per heavy public memory location, or 2t q indices in all. In total, in all of these log α iterations, with their restrictions, the number of indices eliminated is at most: log α i=1 2t q = 2t q log α If n > 4t q log α then we have only eliminated at most n/2 indices. Now, after all the restrictions, there are no locations in the public memory that are t/α-heavy. We go over the remaining indices in lexicographic order, and for each of them we restrict the checker by eliminating all other indices that intersect its public memory accesses. Since there are no more t/α-heavy locations in the public memory, each such restriction eliminates at most q t/α indices. In the end, we are left with a memory checker on at least n α/(2q t) indices, with the property that no two indices access the same location in public memory. We can thus re-order the public memory into chunks, of q symbols each, such that each chunk is queried only by a single index and each index queries only that chunk. If we enlarge the alphabet to be comprised of these q-symbol chunks, we get a checker with query complexity 1. The price is restricting the checker to only n α/(2q t) indices and increasing the alphabet size to Σ q. Since we have increased the alphabet size, we can represent the secret memory as fewer symbols of the new larger alphabet, so the secret memory is of size s/q new alphabet symbols. Proof (of Lemma 3). The intuition is that the public memory has a single location for storing information about each database index. When reading or writing the value of the database at that index, the only information read from public memory is the information held in that index s location. Further, for two different database indices, their locations in public memory are different. To achieve soundness the checker must (intuitively) store, for every index in the database, separate authentication information in the secret memory about the value at that index s location. There are n indices (say holding boolean data base values), and only s log Σ bits of secret memory, and thus s should be at least on n log Σ. the order of To prove this we examine an adversary A, who begins by storing the all 0 database into the memory checker. This yields some public memory p 1. A then picks a random database r {0, 1} n and stores it into the checker: for every index in r which has value 1, A uses the checker to store the value 1 into that index. Say now that at the end of this operation sequence, the public memory is p 2 and the secret memory is s 2. The important thing to note is that for indices of r whose values are 0, the value of their locations in the public memory has not changed between p 1 and p 2 (since each index has a unique location in public memory that it accesses).

14 checker with efficient read but expensive write. In particular, in both these tradeoffs, for any well-behaved function d(n) : N N, the efficient operation (write or read) has query complexity O(log d(n) n), and the inefficient operation (read or write respectively) has query complexity O(d(n) log d(n) n). In both cases the space complexity is polynomial in the security parameter, and the checker uses a pseudorandom function. For desired soundness ε the length of alphabet symbols is O(log(1/ε) + log n). Overview of the Constructions. We proceed with an overview of the common elements of both constructions, the details are in the full version. Following Blum et al. (Section 5.1.2), we construct a tree structure on top of the memory. Where they constructed a binary tree, we construct instead a d(n)-ary tree. Each internal node has d(n) children, so the depth of the tree is log d(n) n. The n leaves of the tree correspond to the n database indices. We assume for convenience w.l.o.g that n is a power of d(n). In both constructions we associate a time-stamp with each node in the tree. The time-stamp of a leaf is the number of times that the user wrote to the database index that the leaf represents. The time-stamp of an internal node is the sum of its children s time-stamps, and thus the time-stamp of the root is the total number of times that the user has written to the database. We use t u to denote the current time-stamp of tree node u. The time-stamps are used to defeat replay attacks (where the adversary replays an old version of the public memory). If the adversary replays old information, then the replayed time-stamps will have smaller values than they should. For each tree node u, we store in public memory its value v u V and its time-stamp t u [T ]. For an internal node u, its value is simply 0, for a leaf l, its value represents the value that the user stored in the database index associated with that leaf. The root s time-stamp is stored in the secret reliable memory, together with the seed of a pseudorandom function (PRF). This simply a generalization of Blum et al. s construction (the tree is d(n)-ary and not binary). Our two construction differ from each other and from [6] in their use of authentication tags to authenticate different nodes values and timestamps. In the first construction (efficient write), we store for each node u an authentication tag which is the PRF evaluated on (u, t u, v u). When writing a new value to a leaf, we verify the tags of all the nodes on the path from the root to that leaf and then update the leaf s value and the time-stamps of all the nodes on the path to the leaf. Thus the write complexity is proportional to the tree depth, or O(log d(n) n). To read the value from some leaf, we read the values, time-stamps and tags of that leaf, all nodes on the path from the root to the leaf and all their children, a total of O(d(n) log d(n) n) public memory locations. We verify the consistency of all the tags, and that the time-stamp of every internal node is the sum of its children s time-stamps. This prevents replay attacks, as the root s time-stamp is in the reliable memory and thus always correct. The second construction (efficient read) is different. For each tree edge connecting a node u and one of its d(n) children w, we store in public

18 amortized O(1) time work. We note once more that Ajtai [2] proved a lower bound on the invasiveness of offline memory checkers, but his proof uses long sequences of operations that access every database index, and thus it does not apply to our setting of short sequences of operations that access only a few locations in the database. References 1. Aho, A.V., Hopcroft, J.E., Ullman, J.D.: The Design and Analysis of Computer Algorithms (Addison-Wesley Series in Computer Science and Information Processing). Addison Wesley (January 1974) 2. Ajtai, M.: The invasiveness of off-line memory checking. In: STOC. (2002) Amato, N.M., Loui, M.C.: Checking linked data structures. In: Proceedings of the 24th Annual International Symposium on Fault- Tolerant Computing (FTCS). (1994) Ateniese, G., Burns, R., Curtmola, R., Herring, J., Kissner, L., Peterson, Z., Song, D.: Provable data possession at untrusted stores. Cryptology eprint Archive, Report 2007/202 (2007) 5. Bentley, J.: Programming Pearls. ACM, New York, NY, USA (1986) 6. Blum, M., Evans, W.S., Gemmell, P., Kannan, S., Naor, M.: Checking the correctness of memories. Algorithmica 12(2/3) (1994) Briggs, P., Torczon, L.: An efficient representation for sparse sets. ACM Letters on Programming Languages and Systems 2 (1993) Clarke, D.E., Suh, G.E., Gassend, B., Sudan, A., van Dijk, M., Devadas, S.: Towards constant bandwidth overhead integrity checking of untrusted data. In: IEEE Symposium on Security and Privacy. (2005) Cox, R.: Goldreich, O.: The Foundations of Cryptography - Volume 1. Cambridge University Press (2001) 11. Goldreich, O.: The Foundations of Cryptography - Volume 2. Cambridge University Press (2004) 12. Goldreich, O., Goldwasser, S., Micali, S.: How to construct pseudorandom functions. Journal of the ACM 33(2) (1986) Juels, A., Kaliski, B.: Pors: proofs of retrievability for large files. In: CCS 07: Proceedings of the 14th ACM conference on Computer and communications security, New York, NY, USA, ACM (2007) Naor, J., Naor, M.: Small-bias probability spaces: Efficient constructions and applications. SIAM J. Comput. 22(4) (1993) Naor, M., Rothblum, G.N.: The complexity of online memory checking. In: FOCS. (2005) Oprea, A., Reiter, M.K.: Integrity checking in cryptographic file systems with constant trusted storage. In: USENIX Security Symposium. (2007) 17. Shacham, H., Waters, B.: Compact proofs of retrievability. In: ASI- ACRYPT. (2008)

### How Efficient can Memory Checking be?

How Efficient can Memory Checking be? Cynthia Dwork Moni Naor Guy N. Rothblum Vinod Vaikuntanathan Abstract We consider the problem of memory checking, where a user wants to maintain a large database on

### The Complexity of Online Memory Checking

The Complexity of Online Memory Checking Moni Naor Guy N. Rothblum Abstract We consider the problem of storing a large file on a remote and unreliable server. To verify that the file has not been corrupted,

### Diagonalization. Ahto Buldas. Lecture 3 of Complexity Theory October 8, 2009. Slides based on S.Aurora, B.Barak. Complexity Theory: A Modern Approach.

Diagonalization Slides based on S.Aurora, B.Barak. Complexity Theory: A Modern Approach. Ahto Buldas Ahto.Buldas@ut.ee Background One basic goal in complexity theory is to separate interesting complexity

### Lecture 5 - CPA security, Pseudorandom functions

Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.

### Offline sorting buffers on Line

Offline sorting buffers on Line Rohit Khandekar 1 and Vinayaka Pandit 2 1 University of Waterloo, ON, Canada. email: rkhandekar@gmail.com 2 IBM India Research Lab, New Delhi. email: pvinayak@in.ibm.com

### Merkle Hash Trees for Distributed Audit Logs

Merkle Hash Trees for Distributed Audit Logs Subject proposed by Karthikeyan Bhargavan Karthikeyan.Bhargavan@inria.fr April 7, 2015 Modern distributed systems spread their databases across a large number

### Lecture 2: Universality

CS 710: Complexity Theory 1/21/2010 Lecture 2: Universality Instructor: Dieter van Melkebeek Scribe: Tyson Williams In this lecture, we introduce the notion of a universal machine, develop efficient universal

### Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

### Simulation-Based Security with Inexhaustible Interactive Turing Machines

Simulation-Based Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik Christian-Albrechts-Universität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.uni-kiel.de

### The Goldberg Rao Algorithm for the Maximum Flow Problem

The Goldberg Rao Algorithm for the Maximum Flow Problem COS 528 class notes October 18, 2006 Scribe: Dávid Papp Main idea: use of the blocking flow paradigm to achieve essentially O(min{m 2/3, n 1/2 }

### On-Line/Off-Line Digital Signatures

J. Cryptology (996) 9: 35 67 996 International Association for Cryptologic Research On-Line/Off-Line Digital Signatures Shimon Even Computer Science Department, Technion Israel Institute of Technology,

### Verifiable Delegation of Computation over Large Datasets

Verifiable Delegation of Computation over Large Datasets Siavosh Benabbas University of Toronto Rosario Gennaro IBM Research Yevgeniy Vahlis AT&T Cloud Computing Data D Code F Y F(D) Cloud could be malicious

### Secure Computation Without Authentication

Secure Computation Without Authentication Boaz Barak 1, Ran Canetti 2, Yehuda Lindell 3, Rafael Pass 4, and Tal Rabin 2 1 IAS. E:mail: boaz@ias.edu 2 IBM Research. E-mail: {canetti,talr}@watson.ibm.com

### History-Independent Cuckoo Hashing

History-Independent Cuckoo Hashing Moni Naor Gil Segev Udi Wieder Abstract Cuckoo hashing is an efficient and practical dynamic dictionary. It provides expected amortized constant update time, worst case

### Factoring & Primality

Factoring & Primality Lecturer: Dimitris Papadopoulos In this lecture we will discuss the problem of integer factorization and primality testing, two problems that have been the focus of a great amount

### 1 Construction of CCA-secure encryption

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

### Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

### CSC2420 Fall 2012: Algorithm Design, Analysis and Theory

CSC2420 Fall 2012: Algorithm Design, Analysis and Theory Allan Borodin November 15, 2012; Lecture 10 1 / 27 Randomized online bipartite matching and the adwords problem. We briefly return to online algorithms

### 8.1 Min Degree Spanning Tree

CS880: Approximations Algorithms Scribe: Siddharth Barman Lecturer: Shuchi Chawla Topic: Min Degree Spanning Tree Date: 02/15/07 In this lecture we give a local search based algorithm for the Min Degree

### Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

### Lecture 1: Course overview, circuits, and formulas

Lecture 1: Course overview, circuits, and formulas Topics in Complexity Theory and Pseudorandomness (Spring 2013) Rutgers University Swastik Kopparty Scribes: John Kim, Ben Lund 1 Course Information Swastik

### Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay

Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay Lecture - 17 Shannon-Fano-Elias Coding and Introduction to Arithmetic Coding

### Lecture 11: The Goldreich-Levin Theorem

COM S 687 Introduction to Cryptography September 28, 2006 Lecture 11: The Goldreich-Levin Theorem Instructor: Rafael Pass Scribe: Krishnaprasad Vikram Hard-Core Bits Definition: A predicate b : {0, 1}

### arxiv:1112.0829v1 [math.pr] 5 Dec 2011

How Not to Win a Million Dollars: A Counterexample to a Conjecture of L. Breiman Thomas P. Hayes arxiv:1112.0829v1 [math.pr] 5 Dec 2011 Abstract Consider a gambling game in which we are allowed to repeatedly

### Cost Model: Work, Span and Parallelism. 1 The RAM model for sequential computation:

CSE341T 08/31/2015 Lecture 3 Cost Model: Work, Span and Parallelism In this lecture, we will look at how one analyze a parallel program written using Cilk Plus. When we analyze the cost of an algorithm

### Introduction. Digital Signature

Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

### Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

### Notes from Week 1: Algorithms for sequential prediction

CS 683 Learning, Games, and Electronic Markets Spring 2007 Notes from Week 1: Algorithms for sequential prediction Instructor: Robert Kleinberg 22-26 Jan 2007 1 Introduction In this course we will be looking

### 1 Message Authentication

Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

### The Classes P and NP

The Classes P and NP We now shift gears slightly and restrict our attention to the examination of two families of problems which are very important to computer scientists. These families constitute the

### Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis

Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

### 1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

Efficient General-Adversary Multi-Party Computation Martin Hirt, Daniel Tschudi ETH Zurich {hirt,tschudid}@inf.ethz.ch Abstract. Secure multi-party computation (MPC) allows a set P of n players to evaluate

### Proof of Freshness: How to efficiently use an online single secure clock to secure shared untrusted memory.

Proof of Freshness: How to efficiently use an online single secure clock to secure shared untrusted memory. Marten van Dijk, Luis F. G. Sarmenta, Charles W. O Donnell, and Srinivas Devadas MIT Computer

### Welcome to... Problem Analysis and Complexity Theory 716.054, 3 VU

Welcome to... Problem Analysis and Complexity Theory 716.054, 3 VU Birgit Vogtenhuber Institute for Software Technology email: bvogt@ist.tugraz.at office hour: Tuesday 10:30 11:30 slides: http://www.ist.tugraz.at/pact.html

### A Survey and Analysis of Solutions to the. Oblivious Memory Access Problem. Erin Elizabeth Chapman

A Survey and Analysis of Solutions to the Oblivious Memory Access Problem by Erin Elizabeth Chapman A thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in

### 2.1 Complexity Classes

15-859(M): Randomized Algorithms Lecturer: Shuchi Chawla Topic: Complexity classes, Identity checking Date: September 15, 2004 Scribe: Andrew Gilpin 2.1 Complexity Classes In this lecture we will look

### princeton univ. F 13 cos 521: Advanced Algorithm Design Lecture 6: Provable Approximation via Linear Programming Lecturer: Sanjeev Arora

princeton univ. F 13 cos 521: Advanced Algorithm Design Lecture 6: Provable Approximation via Linear Programming Lecturer: Sanjeev Arora Scribe: One of the running themes in this course is the notion of

### MapReduce and Distributed Data Analysis. Sergei Vassilvitskii Google Research

MapReduce and Distributed Data Analysis Google Research 1 Dealing With Massive Data 2 2 Dealing With Massive Data Polynomial Memory Sublinear RAM Sketches External Memory Property Testing 3 3 Dealing With

### Lecture 7: Approximation via Randomized Rounding

Lecture 7: Approximation via Randomized Rounding Often LPs return a fractional solution where the solution x, which is supposed to be in {0, } n, is in [0, ] n instead. There is a generic way of obtaining

### Notes on Complexity Theory Last updated: August, 2011. Lecture 1

Notes on Complexity Theory Last updated: August, 2011 Jonathan Katz Lecture 1 1 Turing Machines I assume that most students have encountered Turing machines before. (Students who have not may want to look

### Lecture 4 Online and streaming algorithms for clustering

CSE 291: Geometric algorithms Spring 2013 Lecture 4 Online and streaming algorithms for clustering 4.1 On-line k-clustering To the extent that clustering takes place in the brain, it happens in an on-line

### The Online Set Cover Problem

The Online Set Cover Problem Noga Alon Baruch Awerbuch Yossi Azar Niv Buchbinder Joseph Seffi Naor ABSTRACT Let X = {, 2,..., n} be a ground set of n elements, and let S be a family of subsets of X, S

### Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2

### 1 Approximating Set Cover

CS 05: Algorithms (Grad) Feb 2-24, 2005 Approximating Set Cover. Definition An Instance (X, F ) of the set-covering problem consists of a finite set X and a family F of subset of X, such that every elemennt

### Concrete Security of the Blum-Blum-Shub Pseudorandom Generator

Appears in Cryptography and Coding: 10th IMA International Conference, Lecture Notes in Computer Science 3796 (2005) 355 375. Springer-Verlag. Concrete Security of the Blum-Blum-Shub Pseudorandom Generator

### Sorting revisited. Build the binary search tree: O(n^2) Traverse the binary tree: O(n) Total: O(n^2) + O(n) = O(n^2)

Sorting revisited How did we use a binary search tree to sort an array of elements? Tree Sort Algorithm Given: An array of elements to sort 1. Build a binary search tree out of the elements 2. Traverse

### Lecture 2: Complexity Theory Review and Interactive Proofs

600.641 Special Topics in Theoretical Cryptography January 23, 2007 Lecture 2: Complexity Theory Review and Interactive Proofs Instructor: Susan Hohenberger Scribe: Karyn Benson 1 Introduction to Cryptography

### Testing LTL Formula Translation into Büchi Automata

Testing LTL Formula Translation into Büchi Automata Heikki Tauriainen and Keijo Heljanko Helsinki University of Technology, Laboratory for Theoretical Computer Science, P. O. Box 5400, FIN-02015 HUT, Finland

### Dynamic TCP Acknowledgement: Penalizing Long Delays

Dynamic TCP Acknowledgement: Penalizing Long Delays Karousatou Christina Network Algorithms June 8, 2010 Karousatou Christina (Network Algorithms) Dynamic TCP Acknowledgement June 8, 2010 1 / 63 Layout

### A Practical Application of Differential Privacy to Personalized Online Advertising

A Practical Application of Differential Privacy to Personalized Online Advertising Yehuda Lindell Eran Omri Department of Computer Science Bar-Ilan University, Israel. lindell@cs.biu.ac.il,omrier@gmail.com

### Efficiency of algorithms. Algorithms. Efficiency of algorithms. Binary search and linear search. Best, worst and average case.

Algorithms Efficiency of algorithms Computational resources: time and space Best, worst and average case performance How to compare algorithms: machine-independent measure of efficiency Growth rate Complexity

### root node level: internal node edge leaf node CS@VT Data Structures & Algorithms 2000-2009 McQuain

inary Trees 1 A binary tree is either empty, or it consists of a node called the root together with two binary trees called the left subtree and the right subtree of the root, which are disjoint from each

### The Union-Find Problem Kruskal s algorithm for finding an MST presented us with a problem in data-structure design. As we looked at each edge,

The Union-Find Problem Kruskal s algorithm for finding an MST presented us with a problem in data-structure design. As we looked at each edge, cheapest first, we had to determine whether its two endpoints

### Job Reference Guide. SLAMD Distributed Load Generation Engine. Version 1.8.2

Job Reference Guide SLAMD Distributed Load Generation Engine Version 1.8.2 June 2004 Contents 1. Introduction...3 2. The Utility Jobs...4 3. The LDAP Search Jobs...11 4. The LDAP Authentication Jobs...22

Adaptive Online Gradient Descent Peter L Bartlett Division of Computer Science Department of Statistics UC Berkeley Berkeley, CA 94709 bartlett@csberkeleyedu Elad Hazan IBM Almaden Research Center 650

### CUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631

Cunsheng DING, HKUST Lecture 08: Key Management for One-key Ciphers Topics of this Lecture 1. The generation and distribution of secret keys. 2. A key distribution protocol with a key distribution center.

### Single-Link Failure Detection in All-Optical Networks Using Monitoring Cycles and Paths

Single-Link Failure Detection in All-Optical Networks Using Monitoring Cycles and Paths Satyajeet S. Ahuja, Srinivasan Ramasubramanian, and Marwan Krunz Department of ECE, University of Arizona, Tucson,

### Security in Outsourcing of Association Rule Mining

Security in Outsourcing of Association Rule Mining W. K. Wong The University of Hong Kong wkwong2@cs.hku.hk David W. Cheung The University of Hong Kong dcheung@cs.hku.hk Ben Kao The University of Hong

### Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database

### Lecture 3: One-Way Encryption, RSA Example

ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

### Talk announcement please consider attending!

Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically

### 2.3 Scheduling jobs on identical parallel machines

2.3 Scheduling jobs on identical parallel machines There are jobs to be processed, and there are identical machines (running in parallel) to which each job may be assigned Each job = 1,,, must be processed

### Lecture 4: BK inequality 27th August and 6th September, 2007

CSL866: Percolation and Random Graphs IIT Delhi Amitabha Bagchi Scribe: Arindam Pal Lecture 4: BK inequality 27th August and 6th September, 2007 4. Preliminaries The FKG inequality allows us to lower bound

### A Practical Scheme for Wireless Network Operation

A Practical Scheme for Wireless Network Operation Radhika Gowaikar, Amir F. Dana, Babak Hassibi, Michelle Effros June 21, 2004 Abstract In many problems in wireline networks, it is known that achieving

### COMBINATORIAL PROPERTIES OF THE HIGMAN-SIMS GRAPH. 1. Introduction

COMBINATORIAL PROPERTIES OF THE HIGMAN-SIMS GRAPH ZACHARY ABEL 1. Introduction In this survey we discuss properties of the Higman-Sims graph, which has 100 vertices, 1100 edges, and is 22 regular. In fact

### CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

### Find-The-Number. 1 Find-The-Number With Comps

Find-The-Number 1 Find-The-Number With Comps Consider the following two-person game, which we call Find-The-Number with Comps. Player A (for answerer) has a number x between 1 and 1000. Player Q (for questioner)

### Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key

### Fairness in Routing and Load Balancing

Fairness in Routing and Load Balancing Jon Kleinberg Yuval Rabani Éva Tardos Abstract We consider the issue of network routing subject to explicit fairness conditions. The optimization of fairness criteria

MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

### Energy Efficiency in Secure and Dynamic Cloud Storage

Energy Efficiency in Secure and Dynamic Cloud Storage Adilet Kachkeev Ertem Esiner Alptekin Küpçü Öznur Özkasap Koç University Department of Computer Science and Engineering, İstanbul, Turkey {akachkeev,eesiner,akupcu,oozkasap}@ku.edu.tr

### NP-Completeness I. Lecture 19. 19.1 Overview. 19.2 Introduction: Reduction and Expressiveness

Lecture 19 NP-Completeness I 19.1 Overview In the past few lectures we have looked at increasingly more expressive problems that we were able to solve using efficient algorithms. In this lecture we introduce

### Generating models of a matched formula with a polynomial delay

Generating models of a matched formula with a polynomial delay Petr Savicky Institute of Computer Science, Academy of Sciences of Czech Republic, Pod Vodárenskou Věží 2, 182 07 Praha 8, Czech Republic

### CMSC 858T: Randomized Algorithms Spring 2003 Handout 8: The Local Lemma

CMSC 858T: Randomized Algorithms Spring 2003 Handout 8: The Local Lemma Please Note: The references at the end are given for extra reading if you are interested in exploring these ideas further. You are

### 6.852: Distributed Algorithms Fall, 2009. Class 2

.8: Distributed Algorithms Fall, 009 Class Today s plan Leader election in a synchronous ring: Lower bound for comparison-based algorithms. Basic computation in general synchronous networks: Leader election

### Lecture 13. Lecturer: Yevgeniy Dodis Spring 2012

CSCI-GA.3210-001 MATH-GA.2170-001 Introduction to Cryptography April 18, 2012 Lecture 13 Lecturer: Yevgeniy Dodis Spring 2012 This lecture is dedicated to constructions of digital signature schemes. Assuming

### Approximation Algorithms

Approximation Algorithms or: How I Learned to Stop Worrying and Deal with NP-Completeness Ong Jit Sheng, Jonathan (A0073924B) March, 2012 Overview Key Results (I) General techniques: Greedy algorithms

### The P versus NP Solution

The P versus NP Solution Frank Vega To cite this version: Frank Vega. The P versus NP Solution. 2015. HAL Id: hal-01143424 https://hal.archives-ouvertes.fr/hal-01143424 Submitted on 17 Apr

### RSA Attacks. By Abdulaziz Alrasheed and Fatima

RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.

### Private Inference Control For Aggregate Database Queries

Private Inference Control For Aggregate Database Queries Geetha Jagannathan geetha@cs.rutgers.edu Rebecca N. Wright Rebecca.Wright@rutgers.edu Department of Computer Science Rutgers, State University of

### Scalable RFID Security Protocols supporting Tag Ownership Transfer

Scalable RFID Security Protocols supporting Tag Ownership Transfer Boyeon Song a,1, Chris J. Mitchell a,1 a Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, UK

### Breaking An Identity-Based Encryption Scheme based on DHIES

Breaking An Identity-Based Encryption Scheme based on DHIES Martin R. Albrecht 1 Kenneth G. Paterson 2 1 SALSA Project - INRIA, UPMC, Univ Paris 06 2 Information Security Group, Royal Holloway, University

### Lecture 4: AC 0 lower bounds and pseudorandomness

Lecture 4: AC 0 lower bounds and pseudorandomness Topics in Complexity Theory and Pseudorandomness (Spring 2013) Rutgers University Swastik Kopparty Scribes: Jason Perry and Brian Garnett In this lecture,

### Hash-based Digital Signature Schemes

Hash-based Digital Signature Schemes Johannes Buchmann Erik Dahmen Michael Szydlo October 29, 2008 Contents 1 Introduction 2 2 Hash based one-time signature schemes 3 2.1 Lamport Diffie one-time signature

### Partitioning edge-coloured complete graphs into monochromatic cycles and paths

arxiv:1205.5492v1 [math.co] 24 May 2012 Partitioning edge-coloured complete graphs into monochromatic cycles and paths Alexey Pokrovskiy Departement of Mathematics, London School of Economics and Political

### Introduction to Algorithms Review information for Prelim 1 CS 4820, Spring 2010 Distributed Wednesday, February 24

Introduction to Algorithms Review information for Prelim 1 CS 4820, Spring 2010 Distributed Wednesday, February 24 The final exam will cover seven topics. 1. greedy algorithms 2. divide-and-conquer algorithms

### Private Inference Control

Private Inference Control David Woodruff MIT dpwood@mit.edu Jessica Staddon Palo Alto Research Center staddon@parc.com Abstract Access control can be used to ensure that database queries pertaining to

### Security Analysis of DRBG Using HMAC in NIST SP 800-90

Security Analysis of DRBG Using MAC in NIST SP 800-90 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@u-fukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator

### Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

### Message Authentication Code

Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

### 1 Formulating The Low Degree Testing Problem

6.895 PCP and Hardness of Approximation MIT, Fall 2010 Lecture 5: Linearity Testing Lecturer: Dana Moshkovitz Scribe: Gregory Minton and Dana Moshkovitz In the last lecture, we proved a weak PCP Theorem,

### CSE 135: Introduction to Theory of Computation Decidability and Recognizability

CSE 135: Introduction to Theory of Computation Decidability and Recognizability Sungjin Im University of California, Merced 04-28, 30-2014 High-Level Descriptions of Computation Instead of giving a Turing

### A Note on Maximum Independent Sets in Rectangle Intersection Graphs

A Note on Maximum Independent Sets in Rectangle Intersection Graphs Timothy M. Chan School of Computer Science University of Waterloo Waterloo, Ontario N2L 3G1, Canada tmchan@uwaterloo.ca September 12,

### Introduction to Algorithms. Part 3: P, NP Hard Problems

Introduction to Algorithms Part 3: P, NP Hard Problems 1) Polynomial Time: P and NP 2) NP-Completeness 3) Dealing with Hard Problems 4) Lower Bounds 5) Books c Wayne Goddard, Clemson University, 2004 Chapter

CS787: Advanced Algorithms Lecture 14: Online algorithms We now shift focus to a different kind of algorithmic problem where we need to perform some optimization without knowing the input in advance. Algorithms

### 9th Max-Planck Advanced Course on the Foundations of Computer Science (ADFOCS) Primal-Dual Algorithms for Online Optimization: Lecture 1

9th Max-Planck Advanced Course on the Foundations of Computer Science (ADFOCS) Primal-Dual Algorithms for Online Optimization: Lecture 1 Seffi Naor Computer Science Dept. Technion Haifa, Israel Introduction

### Exponential time algorithms for graph coloring

Exponential time algorithms for graph coloring Uriel Feige Lecture notes, March 14, 2011 1 Introduction Let [n] denote the set {1,..., k}. A k-labeling of vertices of a graph G(V, E) is a function V [k].