2.1 Complexity Classes

Save this PDF as:

Size: px
Start display at page:

Transcription

1 15-859(M): Randomized Algorithms Lecturer: Shuchi Chawla Topic: Complexity classes, Identity checking Date: September 15, 2004 Scribe: Andrew Gilpin 2.1 Complexity Classes In this lecture we will look at some randomized complexity classes: RP, co RP, ZP P, and BP P. We begin with a (very brief) review of P and NP. Pointers are given to the appropriate sections of Motwani & Raghavan, denoted M&R, where appropriate: for complexity classes, one can consult Section of the book. A nice complexity resource is on the web at This site contains, at last count, definitions of 406 complexity classes, including brief discussions of relations between classes. It is useful to recall the following basic definition: Definition A language L is a set of finite strings over some fixed alphabet Σ; i.e., L Σ. An algorithm is said to recognize L if on input x L, the algorithm outputs Yes, and on input x L, it outputs No. The following classes are well-known: P : Polynomial time A language L lies in P if there is a polynomial-time algorithm that recognizes L. N P : Non-deterministic Polynomial time The class N P consists of all languages L which have witnesses that can be recognised by polynomial time. More formally, L N P implies that there is some polynomial time-computable predicate P, and a polynomial p such that x L y P(x, y), and the length of y (the witness that shows that x L) is at most p( x ) Randomized Complexity Classes RP : Randomized Polynomial time Definition The class RP consists of all languages L that have a polynomial-time randomized algorithm A with the following behavior: If x L, then A always rejects x (with probability 1). If x L, then A accepts x in L with probability at least 1 2. An algorithm that always runs in polynomial time but possibly return erroneous answers is often called a Monte Carlo algorithm. Hence, RP admits Monte Carlo algorithms with one-sided error 1

2 (where the error is in acceptance). Note that while RP is a class of languages, we may call an algorithm A an RP algorithm if it satisfies the conditions in the above definition. Note that the error rate chosen above to be 1 2 is arbitrary: we could have chosen it to be any positive constant. Indeed, it can be improved through a simple process called amplification. Since the error is one-sided, we can repeat the algorithm t times independently: we reject the string x if any of the t runs reject, and accept x otherwise. Since the runs were independent, we have Pr[ algorithm makes a mistake t times ] 1 2 t. Thus, we can repeating the algorithm a polynomial number of times and make the error exponentially small. A famous example of a language in RP is Primes, the set of all prime numbers: this was shown by Adelman and Huang (1992), who gave a primality testing algorithm that always rejected composite numbers (i.e., numbers Primes), and accepted primes with probability at least 1/ co-rp : complement of RP Let the complement of the set L be denoted by L; i.e., L = Σ L. Then language L is in co-rp iff L is in RP. A more intuitive definition is the following: Definition The class co-rp consists of all languages L that have a polynomial-time randomized algorithm A with the following behavior: If x L, then A accepts x in L with probability at most 1 2. If x L, then A always accepts x (with probability 1). The language Primes is also in co-rp : Gary Miller and Michael Rabin gave a primality test that always accepts prime numbers, but rejects composites with probability at least 1 2. Again, the number 1 2 could be replaced by any positive constant, since we can use amplification to reduce the probability of error ZP P : Zero-error Probabilistic Polynomial time Definition A language L is in ZP P if there is an algorithm A that recognizes L (with no error) and runs in expected poly-time. Let us stress again that the worst-case running time of the algorithm may not be polynomial, even though the expected running time is polynomial. Another way to define ZP P is in terms of the classes RP and co RP which we saw above: indeed, the following theorem holds. Theorem ZP P = RP co RP. Proof: We first show that ZP P RP co RP. Let L ZP P : hence there is a zero-error algorithm A for L that runs in polynomial expected-time. Let this expected running time be some value t. We will now use this algorithm A to construct algorithms satisfying the requirements for RP and co RP. 2

3 Consider the following RP algorithm A which takes as input x: it runs the algorithm A on x for at most 2t steps. If A(x) halts, then we can report the answer given by it. If A(x) does not halt, then we simply reject x. Note that this new algorithm A always rejects strings not in L. Moreover, if x L, then A would reject x only if the computation A(x) ran for more than 2t steps. However, since the expected run time for A was only t, the probability that A ran for more than 2t steps is at most a half. (Why? This is just Markov s inequality.) Thus A rejects strings in L with probability at most 1 2 : this satisfies the requirements for RP. To construct an algorithm for co RP, we can do the same thing, but accept the input if A does not halt after 2t steps. An identical argument shows that the resulting algorithm indeed satisfies the requirements for co-rp. Showing ZP P RP co RP is left as an exercise for the reader. Since Primes RP and Primes co RP, we can conclude that P RIMES ZP P. It is not known whether ZP P = P or not, but in this case it was recently shown that Primes P. Exercise Show that RP NP and co-rp co NP BP P : Bounded-error Probabilistic Polynomial time Another complexity class that arises often is the class BP P. Definition The class BP P consists of all languages L that have a (worst-case) polynomialtime randomized algorithm A with the following behavior: If x L, then A accepts x in L with probability 3 4. If x L, then A accepts x in L with probability 1 4. Hence, the error probability in either case is at most 1/4. Again, we can use amplification to decrease the error. Exercise Let A be a BP P algorithm that accepts x L with probability at least 3 4, and accepts x L with probability at most 1 4. Show that if we run the algorithm A for t independent iterations and return the majority answer, then the error probability becomes at most 2 O(t). Note that both RP and co-rp are subsets of BP P. An important open question in complexity theory is whether BP P NP or not. 2.2 More Randomized Algorithms Communication complexity Alice and Bob each have n-bit numbers a and b, respectively. They want to test whether a = b or not, but there is a communication cost. In particular, they have to pay for each bit Alice sends to Bob or vice versa. The problem is to test for equality while minimizing the cost. Note that any deterministic algorithm must use n-bits of communication 1. We now give a randomized protocol that uses O(log n) bits of communication and succeeds with high probability. 1 Why? To begin with, Alice has no information about Bob s string b, except that it has one of 2 n values. Each 3

4 Here is the protocol: Alice picks a prime p [2,..., x] uniformly at random (we will define x later). Alice sends the tuple p, a mod p to Bob. Bob computes b mod p. If a mod p = b mod p, then Bob says a = b, else he says A b. Clearly, if a = b, then Bob can never say a b: hence, a mistake is only made if a b and we choose p such that a mod p = b mod p. Claim Set x = 4n 2. If a b, then P r[a mod p = b mod p] < 1 2. Proof: We have Pr[failure] = Pr[p divides (a b)]. There can be at most n primes that divide (a b) (since a b 2 n and every prime number is at least 2). Also, the number of primes in x [2,..., x] is about log x (Prime Number Theorem); setting x = 4n2 makes this quantity 2n n log 4n, which implies that there are at least 2n primes in that interval. So we have: Pr[failure] = # of primes that divide (a b) # of primes in [2,..., x] n 2n = 1 2 Moreover, since x = 4n 2, both the numbers p and a mod p require only O(log n) bits to represent. Hence the communication required is at most O(log n) bits, as claimed. (This material is covered in Section 7.4 of M&R.) Arithmetic circuit checking Given a circuit of + and gates with integer inputs and outputs, the arithmetic circuit checking problem is the problem of checking whether the output was computed correctly or not. Since we can get very large numbers which can cancel out later, the goal is to determine whether the answer is correct without recomputing the output completely. A randomized method for solving this problem is similar to the above communication complexity problem, and involves carrying out the algebraic computations mod p Matrix multiplication checking The matrix multiplication checking problem is to verify the process of matrix multiplication. Given three n n matrices A, B, and C, is it the case that AB = C? The fastest known deterministic algorithm, due to Coppersmith and Winograd, runs in O(n ) time. Note that an easy lower bound on the running time of any randomized algorithm for this problem is Ω(n 2 ) since the input bit of information partitions this space of 2 n into two halves. After i bits of information, the partition containing a has 2 n i strings. As long as i < n, Alice cannot distinguish between these 2 n i strings, and so cannot tell if Bob s string is a or not. 4

5 has to at least be read (see Lecture 4 for more details on this). We will now give a randomized algorithm (in co-rp ) which takes only O(n 2 ) time. Let us introduce some notation for the rest of the course: x R X means choose x uniformly at random from the set X. The algorithm is as follows: Pick a vector x R {0, 1} n. Compare ABx with Cx (note this takes O(n 2 ) time since we can compute in the order A(Bx)). If ABx = Cx, then output Yes, otherwise output No. Note that if the matrices are over the field F, then the computations are also carried out over the field F. Now if AB = C, the algorithm always outputs the correct answer; only if AB C, the algorithm may output the wrong answer. We now bound the probability of such an error. Theorem (Freivald) If AB C, then the above algorithm fails with probability at most 1 2. Proof: We first prove a simpler claim: Claim Given n-digit strings a, b n and x R {0, 1} n, P r[a x = b x] 1 2. Proof: [Claim] Suppose a i b i. Let α = j i a jx j and β = j i b jx j. We can write a x = α + a i x i and b x = β + b i x i. This gives us a x b x = (α β) + (a i b i )x i. We can invoke the Principle of Deferred Decisions (see Section 3.5 of M&R) to assume that we are given x j for j i. Then we can write [ P r[a x b x = 0] = P r x i = α β ] 1 b i a i 2. We now use this claim to prove the theorem: if AB C, then there is at least one row in AB, say (AB) i, that differs from the corresponding row C i in C. Now we apply the above claim with a = (AB) i and b = C i. The probability that a x = b x is at most 1/2, but in order for the algorithm to output Yes, we must have a x = b x. Therefore, the probability of failure for the algorithm is at most 1/2. (See Section 7.1 in M&R for more on this problem.) Polynomial identity checking In the polynomial identiy checking problem, we are given two multi-variate polynomials f(x 1,..., x n ) and g(x 1,..., x n ) each with degree d (again we are computing in some field F). We are not given the polynomials explicity (we cannot read the polynomials in poly-time). Instead, we have blackbox access for evaluating a polynomial (for example, see the definition of a Vandermonde matrix 5

6 on page 165 of M&R). Given these two polynomials, the problems is to determine if the polynomials are equal (i.e. f = g or f g = 0). Letting Q = f g, we can check if Q = 0. There is no known poly-time algorithm for this problem. We can show that it is in co-rp. First consider the univariate case. We can pick d + 1 distinct, arbitrary values at random from F. If Q(x) = 0 for all d + 1 values for x, then Q = 0. (With degree d it can have at most d roots.) This approach does not directly apply to the multivariate case because there can be exponentially many roots. Roughly speaking, we can handle the multivariate case by fixing n 1 variables and applying the result from the univariate case. Consider the following algorithm, which assumes we have some subset S F with S 2d. Pick r 1,..., r n R S Evaluate Q(r 1,..., r n ) If 0, return Q = 0 Theorem (Schwartz-Zippel) If, in the above algorithm, Q 0, we have P r[q(r 1,..., r n ) = 0] d S. Proof: By induction on n. The base case is the univariate case described above. With Q 0, we want to compute P r[q(r 1,..., r n ) = 0]. Let k be the largest power of x 1. We can rewrite Q(x 1,..., x n ) = x k 1 Q 1(x 2,..., x n ) + Q 2 (x 1,..., x n ) for some polynomials Q 1 and Q 2. Now we consider two events. Let A be the event that Q(r 1,, r n ) is 0, and B be the event that Q 1 (r 2,, r n ) is 0. We can rewrite the probability that Q 1 (r 2,, r n ) is 0 as: Pr[Q(r) = 0] = Pr[A] = Pr[A B] Pr[B] + Pr[A B] Pr[ B] Pr[B] + Pr[A B] Let us first bound the probability of B, or the probability that Q 1 (r 2,, r n ) = 0. Q 1 has degree d k and so we can use the inductive hypothesis to obtain. Pr[B] = Pr[Q(r 2,..., r n ) = 0] d k S Similarly, given B (or Q 1 (r 2,, r n ) 0), the univariate polynomial Q(x 1, r 2,..., r n ) has degree k. Therefore, again by inductive hypothesis, Pr[A B] = Pr[Q(x 1, r 2,..., r n ) = 0 Q 1 (r 2,..., r n ) 0] k S. 6

7 Thus, P r[q(r) = 0] P r[b] + P r[a B] d k + k S S = d S As mentioned before, there is no known poly-time algorithm for this problem. Recent results by Impagliazzo and Kabanets (2003) show that proving that p.i.c. is in P would imply that either N EXP cannot have poly-size non-uniform circuits, or Permanent cannot have poly-size nonuniform circuits. Little is known about these lower bound results, and the Impagliazzo-Kabanets result indicates that proving p.i.c. P may require new techniques in complexity theory. (For more on the polynomial identity checking problem, see Section 7.2 in M&R.) References L. Adleman and M-D A. Huang (1992). Primality Testing And Two Dimensional Abelian Varieties Over Finite Fields. In Springer Verlag Lecture Notes In Mathematics, Impagliazzo and Kabanets (2003). Derandomizing polynomial identity checking means proving circuit lower bounds. In ACM Symposium on the Theory of Computation,

Factoring & Primality

Factoring & Primality Lecturer: Dimitris Papadopoulos In this lecture we will discuss the problem of integer factorization and primality testing, two problems that have been the focus of a great amount

Lecture 15 An Arithmetic Circuit Lowerbound and Flows in Graphs

CSE599s: Extremal Combinatorics November 21, 2011 Lecture 15 An Arithmetic Circuit Lowerbound and Flows in Graphs Lecturer: Anup Rao 1 An Arithmetic Circuit Lower Bound An arithmetic circuit is just like

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2

1 Formulating The Low Degree Testing Problem

6.895 PCP and Hardness of Approximation MIT, Fall 2010 Lecture 5: Linearity Testing Lecturer: Dana Moshkovitz Scribe: Gregory Minton and Dana Moshkovitz In the last lecture, we proved a weak PCP Theorem,

Primality - Factorization

Primality - Factorization Christophe Ritzenthaler November 9, 2009 1 Prime and factorization Definition 1.1. An integer p > 1 is called a prime number (nombre premier) if it has only 1 and p as divisors.

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009. Notes on Algebra

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009 Notes on Algebra These notes contain as little theory as possible, and most results are stated without proof. Any introductory

Notes 11: List Decoding Folded Reed-Solomon Codes

Introduction to Coding Theory CMU: Spring 2010 Notes 11: List Decoding Folded Reed-Solomon Codes April 2010 Lecturer: Venkatesan Guruswami Scribe: Venkatesan Guruswami At the end of the previous notes,

NP-Completeness I. Lecture 19. 19.1 Overview. 19.2 Introduction: Reduction and Expressiveness

Lecture 19 NP-Completeness I 19.1 Overview In the past few lectures we have looked at increasingly more expressive problems that we were able to solve using efficient algorithms. In this lecture we introduce

Lecture 2: Universality

CS 710: Complexity Theory 1/21/2010 Lecture 2: Universality Instructor: Dieter van Melkebeek Scribe: Tyson Williams In this lecture, we introduce the notion of a universal machine, develop efficient universal

Algebraic Computation Models. Algebraic Computation Models

Algebraic Computation Models Ζυγομήτρος Ευάγγελος ΜΠΛΑ 201118 Φεβρουάριος, 2013 Reasons for using algebraic models of computation The Turing machine model captures computations on bits. Many algorithms

Lecture 4: AC 0 lower bounds and pseudorandomness

Lecture 4: AC 0 lower bounds and pseudorandomness Topics in Complexity Theory and Pseudorandomness (Spring 2013) Rutgers University Swastik Kopparty Scribes: Jason Perry and Brian Garnett In this lecture,

Randomized algorithms

Randomized algorithms March 10, 2005 1 What are randomized algorithms? Algorithms which use random numbers to make decisions during the executions of the algorithm. Why would we want to do this?? Deterministic

Diagonalization. Ahto Buldas. Lecture 3 of Complexity Theory October 8, 2009. Slides based on S.Aurora, B.Barak. Complexity Theory: A Modern Approach.

Diagonalization Slides based on S.Aurora, B.Barak. Complexity Theory: A Modern Approach. Ahto Buldas Ahto.Buldas@ut.ee Background One basic goal in complexity theory is to separate interesting complexity

(67902) Topics in Theory and Complexity Nov 2, 2006. Lecture 7

(67902) Topics in Theory and Complexity Nov 2, 2006 Lecturer: Irit Dinur Lecture 7 Scribe: Rani Lekach 1 Lecture overview This Lecture consists of two parts In the first part we will refresh the definition

Faster deterministic integer factorisation

David Harvey (joint work with Edgar Costa, NYU) University of New South Wales 25th October 2011 The obvious mathematical breakthrough would be the development of an easy way to factor large prime numbers

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis

Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

Notes on Complexity Theory Last updated: August, 2011. Lecture 1

Notes on Complexity Theory Last updated: August, 2011 Jonathan Katz Lecture 1 1 Turing Machines I assume that most students have encountered Turing machines before. (Students who have not may want to look

o-minimality and Uniformity in n 1 Graphs

o-minimality and Uniformity in n 1 Graphs Reid Dale July 10, 2013 Contents 1 Introduction 2 2 Languages and Structures 2 3 Definability and Tame Geometry 4 4 Applications to n 1 Graphs 6 5 Further Directions

Introduction to computer science

Introduction to computer science Michael A. Nielsen University of Queensland Goals: 1. Introduce the notion of the computational complexity of a problem, and define the major computational complexity classes.

Lecture 13 - Basic Number Theory.

Lecture 13 - Basic Number Theory. Boaz Barak March 22, 2010 Divisibility and primes Unless mentioned otherwise throughout this lecture all numbers are non-negative integers. We say that A divides B, denoted

Introduction to finite fields

Introduction to finite fields Topics in Finite Fields (Fall 2013) Rutgers University Swastik Kopparty Last modified: Monday 16 th September, 2013 Welcome to the course on finite fields! This is aimed at

Lecture 3: Finding integer solutions to systems of linear equations

Lecture 3: Finding integer solutions to systems of linear equations Algorithmic Number Theory (Fall 2014) Rutgers University Swastik Kopparty Scribe: Abhishek Bhrushundi 1 Overview The goal of this lecture

Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

Primality Testing and Factorization Methods

Primality Testing and Factorization Methods Eli Howey May 27, 2014 Abstract Since the days of Euclid and Eratosthenes, mathematicians have taken a keen interest in finding the nontrivial factors of integers,

Mathematics Course 111: Algebra I Part IV: Vector Spaces

Mathematics Course 111: Algebra I Part IV: Vector Spaces D. R. Wilkins Academic Year 1996-7 9 Vector Spaces A vector space over some field K is an algebraic structure consisting of a set V on which are

Equivalence of Polynomial Identity Testing and Deterministic Multivariate Polynomial Factorization

Equivalence of Polynomial Identity Testing and Deterministic Multivariate Polynomial Factorization Swastik Kopparty Shubhangi Saraf Amir Shpilka Abstract In this paper we show that the problem of deterministically

FACTORING LARGE NUMBERS, A GREAT WAY TO SPEND A BIRTHDAY

FACTORING LARGE NUMBERS, A GREAT WAY TO SPEND A BIRTHDAY LINDSEY R. BOSKO I would like to acknowledge the assistance of Dr. Michael Singer. His guidance and feedback were instrumental in completing this

(x + a) n = x n + a Z n [x]. Proof. If n is prime then the map

22. A quick primality test Prime numbers are one of the most basic objects in mathematics and one of the most basic questions is to decide which numbers are prime (a clearly related problem is to find

CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

P versus NP, and More

1 P versus NP, and More Great Ideas in Theoretical Computer Science Saarland University, Summer 2014 If you have tried to solve a crossword puzzle, you know that it is much harder to solve it than to verify

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca,

Exponential time algorithms for graph coloring

Exponential time algorithms for graph coloring Uriel Feige Lecture notes, March 14, 2011 1 Introduction Let [n] denote the set {1,..., k}. A k-labeling of vertices of a graph G(V, E) is a function V [k].

FACTORING POLYNOMIALS IN THE RING OF FORMAL POWER SERIES OVER Z

FACTORING POLYNOMIALS IN THE RING OF FORMAL POWER SERIES OVER Z DANIEL BIRMAJER, JUAN B GIL, AND MICHAEL WEINER Abstract We consider polynomials with integer coefficients and discuss their factorization

9.2 Summation Notation

9. Summation Notation 66 9. Summation Notation In the previous section, we introduced sequences and now we shall present notation and theorems concerning the sum of terms of a sequence. We begin with a

Outline Introduction Circuits PRGs Uniform Derandomization Refs. Derandomization. A Basic Introduction. Antonis Antonopoulos.

Derandomization A Basic Introduction Antonis Antonopoulos CoReLab Seminar National Technical University of Athens 21/3/2011 1 Introduction History & Frame Basic Results 2 Circuits Definitions Basic Properties

Lecture 7: NP-Complete Problems

IAS/PCMI Summer Session 2000 Clay Mathematics Undergraduate Program Basic Course on Computational Complexity Lecture 7: NP-Complete Problems David Mix Barrington and Alexis Maciel July 25, 2000 1. Circuit

Integer factoring and modular square roots

Integer factoring and modular square roots Emil Jeřábek Institute of Mathematics of the Academy of Sciences Žitná 25, 115 67 Praha 1, Czech Republic, email: jerabek@math.cas.cz July 28, 2015 Abstract Buresh-Oppenheim

Chapter 4, Arithmetic in F [x] Polynomial arithmetic and the division algorithm.

Chapter 4, Arithmetic in F [x] Polynomial arithmetic and the division algorithm. We begin by defining the ring of polynomials with coefficients in a ring R. After some preliminary results, we specialize

RSA and Primality Testing

and Primality Testing Joan Boyar, IMADA, University of Southern Denmark Studieretningsprojekter 2010 1 / 81 Correctness of cryptography cryptography Introduction to number theory Correctness of with 2

CMSC 858T: Randomized Algorithms Spring 2003 Handout 8: The Local Lemma

CMSC 858T: Randomized Algorithms Spring 2003 Handout 8: The Local Lemma Please Note: The references at the end are given for extra reading if you are interested in exploring these ideas further. You are

8.1 Min Degree Spanning Tree

CS880: Approximations Algorithms Scribe: Siddharth Barman Lecturer: Shuchi Chawla Topic: Min Degree Spanning Tree Date: 02/15/07 In this lecture we give a local search based algorithm for the Min Degree

Notes from Week 1: Algorithms for sequential prediction

CS 683 Learning, Games, and Electronic Markets Spring 2007 Notes from Week 1: Algorithms for sequential prediction Instructor: Robert Kleinberg 22-26 Jan 2007 1 Introduction In this course we will be looking

Lecture 13: Factoring Integers

CS 880: Quantum Information Processing 0/4/0 Lecture 3: Factoring Integers Instructor: Dieter van Melkebeek Scribe: Mark Wellons In this lecture, we review order finding and use this to develop a method

it is easy to see that α = a

21. Polynomial rings Let us now turn out attention to determining the prime elements of a polynomial ring, where the coefficient ring is a field. We already know that such a polynomial ring is a UF. Therefore

Introduction to Algorithms. Part 3: P, NP Hard Problems

Introduction to Algorithms Part 3: P, NP Hard Problems 1) Polynomial Time: P and NP 2) NP-Completeness 3) Dealing with Hard Problems 4) Lower Bounds 5) Books c Wayne Goddard, Clemson University, 2004 Chapter

Linearity and Group Homomorphism Testing / Testing Hadamard Codes

Title: Linearity and Group Homomorphism Testing / Testing Hadamard Codes Name: Sofya Raskhodnikova 1, Ronitt Rubinfeld 2 Affil./Addr. 1: Pennsylvania State University Affil./Addr. 2: Keywords: SumOriWork:

1 The Line vs Point Test

6.875 PCP and Hardness of Approximation MIT, Fall 2010 Lecture 5: Low Degree Testing Lecturer: Dana Moshkovitz Scribe: Gregory Minton and Dana Moshkovitz Having seen a probabilistic verifier for linearity

2 Primality and Compositeness Tests

Int. J. Contemp. Math. Sciences, Vol. 3, 2008, no. 33, 1635-1642 On Factoring R. A. Mollin Department of Mathematics and Statistics University of Calgary, Calgary, Alberta, Canada, T2N 1N4 http://www.math.ucalgary.ca/

Cryptography and Network Security Number Theory

Cryptography and Network Security Number Theory Xiang-Yang Li Introduction to Number Theory Divisors b a if a=mb for an integer m b a and c b then c a b g and b h then b (mg+nh) for any int. m,n Prime

Quantum Computing Lecture 7. Quantum Factoring. Anuj Dawar

Quantum Computing Lecture 7 Quantum Factoring Anuj Dawar Quantum Factoring A polynomial time quantum algorithm for factoring numbers was published by Peter Shor in 1994. polynomial time here means that

Applied Algorithm Design Lecture 5

Applied Algorithm Design Lecture 5 Pietro Michiardi Eurecom Pietro Michiardi (Eurecom) Applied Algorithm Design Lecture 5 1 / 86 Approximation Algorithms Pietro Michiardi (Eurecom) Applied Algorithm Design

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

Lecture 2: Complexity Theory Review and Interactive Proofs

600.641 Special Topics in Theoretical Cryptography January 23, 2007 Lecture 2: Complexity Theory Review and Interactive Proofs Instructor: Susan Hohenberger Scribe: Karyn Benson 1 Introduction to Cryptography

Linear Codes. In the V[n,q] setting, the terms word and vector are interchangeable.

Linear Codes Linear Codes In the V[n,q] setting, an important class of codes are the linear codes, these codes are the ones whose code words form a sub-vector space of V[n,q]. If the subspace of V[n,q]

What s next? Reductions other than kernelization

What s next? Reductions other than kernelization Dániel Marx Humboldt-Universität zu Berlin (with help from Fedor Fomin, Daniel Lokshtanov and Saket Saurabh) WorKer 2010: Workshop on Kernelization Nov

RSA Attacks. By Abdulaziz Alrasheed and Fatima

RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.

Mathematics for Computer Science/Software Engineering. Notes for the course MSM1F3 Dr. R. A. Wilson

Mathematics for Computer Science/Software Engineering Notes for the course MSM1F3 Dr. R. A. Wilson October 1996 Chapter 1 Logic Lecture no. 1. We introduce the concept of a proposition, which is a statement

Discrete Mathematics for CS Fall 2006 Papadimitriou & Vazirani Lecture 22

CS 70 Discrete Mathematics for CS Fall 2006 Papadimitriou & Vazirani Lecture 22 Introduction to Discrete Probability Probability theory has its origins in gambling analyzing card games, dice, roulette

Integer Factorization using the Quadratic Sieve

Integer Factorization using the Quadratic Sieve Chad Seibert* Division of Science and Mathematics University of Minnesota, Morris Morris, MN 56567 seib0060@morris.umn.edu March 16, 2011 Abstract We give

Offline sorting buffers on Line

Offline sorting buffers on Line Rohit Khandekar 1 and Vinayaka Pandit 2 1 University of Waterloo, ON, Canada. email: rkhandekar@gmail.com 2 IBM India Research Lab, New Delhi. email: pvinayak@in.ibm.com

The finite field with 2 elements The simplest finite field is

The finite field with 2 elements The simplest finite field is GF (2) = F 2 = {0, 1} = Z/2 It has addition and multiplication + and defined to be 0 + 0 = 0 0 + 1 = 1 1 + 0 = 1 1 + 1 = 0 0 0 = 0 0 1 = 0

Math 313 Lecture #10 2.2: The Inverse of a Matrix

Math 1 Lecture #10 2.2: The Inverse of a Matrix Matrix algebra provides tools for creating many useful formulas just like real number algebra does. For example, a real number a is invertible if there is

MA2C03 Mathematics School of Mathematics, Trinity College Hilary Term 2016 Lecture 59 (April 1, 2016) David R. Wilkins

MA2C03 Mathematics School of Mathematics, Trinity College Hilary Term 2016 Lecture 59 (April 1, 2016) David R. Wilkins The RSA encryption scheme works as follows. In order to establish the necessary public

3.2 The Factor Theorem and The Remainder Theorem

3. The Factor Theorem and The Remainder Theorem 57 3. The Factor Theorem and The Remainder Theorem Suppose we wish to find the zeros of f(x) = x 3 + 4x 5x 4. Setting f(x) = 0 results in the polynomial

P NP for the Reals with various Analytic Functions

P NP for the Reals with various Analytic Functions Mihai Prunescu Abstract We show that non-deterministic machines in the sense of [BSS] defined over wide classes of real analytic structures are more powerful

Is n a Prime Number? Manindra Agrawal. March 27, 2006, Delft. IIT Kanpur

Is n a Prime Number? Manindra Agrawal IIT Kanpur March 27, 2006, Delft Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 1 / 47 Overview 1 The Problem 2 Two Simple, and Slow, Methods

SIMS 255 Foundations of Software Design. Complexity and NP-completeness

SIMS 255 Foundations of Software Design Complexity and NP-completeness Matt Welsh November 29, 2001 mdw@cs.berkeley.edu 1 Outline Complexity of algorithms Space and time complexity ``Big O'' notation Complexity

11 Multivariate Polynomials

CS 487: Intro. to Symbolic Computation Winter 2009: M. Giesbrecht Script 11 Page 1 (These lecture notes were prepared and presented by Dan Roche.) 11 Multivariate Polynomials References: MC: Section 16.6

A New Generic Digital Signature Algorithm

Groups Complex. Cryptol.? (????), 1 16 DOI 10.1515/GCC.????.??? de Gruyter???? A New Generic Digital Signature Algorithm Jennifer Seberry, Vinhbuu To and Dongvu Tonien Abstract. In this paper, we study

Notes on Factoring. MA 206 Kurt Bryan

The General Approach Notes on Factoring MA 26 Kurt Bryan Suppose I hand you n, a 2 digit integer and tell you that n is composite, with smallest prime factor around 5 digits. Finding a nontrivial factor

Understanding Basic Calculus

Understanding Basic Calculus S.K. Chung Dedicated to all the people who have helped me in my life. i Preface This book is a revised and expanded version of the lecture notes for Basic Calculus and other

Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

Breaking The Code Ryan Lowe Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and a minor in Applied Physics. As a sophomore, he took an independent study

FIRST YEAR CALCULUS. Chapter 7 CONTINUITY. It is a parabola, and we can draw this parabola without lifting our pencil from the paper.

FIRST YEAR CALCULUS WWLCHENW L c WWWL W L Chen, 1982, 2008. 2006. This chapter originates from material used by the author at Imperial College, University of London, between 1981 and 1990. It It is is

Elementary Number Theory We begin with a bit of elementary number theory, which is concerned

CONSTRUCTION OF THE FINITE FIELDS Z p S. R. DOTY Elementary Number Theory We begin with a bit of elementary number theory, which is concerned solely with questions about the set of integers Z = {0, ±1,

Quantum Computers. And How Does Nature Compute? Kenneth W. Regan 1 University at Buffalo (SUNY) 21 May, 2015. Quantum Computers

Quantum Computers And How Does Nature Compute? Kenneth W. Regan 1 University at Buffalo (SUNY) 21 May, 2015 1 Includes joint work with Amlan Chakrabarti, U. Calcutta If you were designing Nature, how would

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key

MOP 2007 Black Group Integer Polynomials Yufei Zhao. Integer Polynomials. June 29, 2007 Yufei Zhao yufeiz@mit.edu

Integer Polynomials June 9, 007 Yufei Zhao yufeiz@mit.edu We will use Z[x] to denote the ring of polynomials with integer coefficients. We begin by summarizing some of the common approaches used in dealing

Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay

Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay Lecture - 17 Shannon-Fano-Elias Coding and Introduction to Arithmetic Coding

Lecture 11: The Goldreich-Levin Theorem

COM S 687 Introduction to Cryptography September 28, 2006 Lecture 11: The Goldreich-Levin Theorem Instructor: Rafael Pass Scribe: Krishnaprasad Vikram Hard-Core Bits Definition: A predicate b : {0, 1}

The Black-Box Query Complexity of Polynomial Summation

The Black-Box Query Complexity of Polynomial Summation Ali Juma Department of Computer Science University of Toronto Toronto, Canada ajuma@cs.toronto.edu Charles Rackoff Department of Computer Science

Lecture 1: Course overview, circuits, and formulas

Lecture 1: Course overview, circuits, and formulas Topics in Complexity Theory and Pseudorandomness (Spring 2013) Rutgers University Swastik Kopparty Scribes: John Kim, Ben Lund 1 Course Information Swastik

Lecture 3: One-Way Encryption, RSA Example

ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

Lecture 4 Online and streaming algorithms for clustering

CSE 291: Geometric algorithms Spring 2013 Lecture 4 Online and streaming algorithms for clustering 4.1 On-line k-clustering To the extent that clustering takes place in the brain, it happens in an on-line

0.1 Phase Estimation Technique

Phase Estimation In this lecture we will describe Kitaev s phase estimation algorithm, and use it to obtain an alternate derivation of a quantum factoring algorithm We will also use this technique to design

Lecture 1: Time Complexity

Computational Complexity Theory, Fall 2010 August 25 Lecture 1: Time Complexity Lecturer: Peter Bro Miltersen Scribe: Søren Valentin Haagerup 1 Introduction to the course The field of Computational Complexity

THE FUNDAMENTAL THEOREM OF ALGEBRA VIA PROPER MAPS

THE FUNDAMENTAL THEOREM OF ALGEBRA VIA PROPER MAPS KEITH CONRAD 1. Introduction The Fundamental Theorem of Algebra says every nonconstant polynomial with complex coefficients can be factored into linear

GROUPS ACTING ON A SET

GROUPS ACTING ON A SET MATH 435 SPRING 2012 NOTES FROM FEBRUARY 27TH, 2012 1. Left group actions Definition 1.1. Suppose that G is a group and S is a set. A left (group) action of G on S is a rule for

Continued Fractions and the Euclidean Algorithm

Continued Fractions and the Euclidean Algorithm Lecture notes prepared for MATH 326, Spring 997 Department of Mathematics and Statistics University at Albany William F Hammond Table of Contents Introduction

On the representability of the bi-uniform matroid

On the representability of the bi-uniform matroid Simeon Ball, Carles Padró, Zsuzsa Weiner and Chaoping Xing August 3, 2012 Abstract Every bi-uniform matroid is representable over all sufficiently large

A Working Knowledge of Computational Complexity for an Optimizer

A Working Knowledge of Computational Complexity for an Optimizer ORF 363/COS 323 Instructor: Amir Ali Ahmadi TAs: Y. Chen, G. Hall, J. Ye Fall 2014 1 Why computational complexity? What is computational

WHAT ARE MATHEMATICAL PROOFS AND WHY THEY ARE IMPORTANT?

WHAT ARE MATHEMATICAL PROOFS AND WHY THEY ARE IMPORTANT? introduction Many students seem to have trouble with the notion of a mathematical proof. People that come to a course like Math 216, who certainly

Discrete Mathematics Lecture 3 Elementary Number Theory and Methods of Proof. Harper Langston New York University

Discrete Mathematics Lecture 3 Elementary Number Theory and Methods of Proof Harper Langston New York University Proof and Counterexample Discovery and proof Even and odd numbers number n from Z is called

HOMEWORK 5 SOLUTIONS. n!f n (1) lim. ln x n! + xn x. 1 = G n 1 (x). (2) k + 1 n. (n 1)!

Math 7 Fall 205 HOMEWORK 5 SOLUTIONS Problem. 2008 B2 Let F 0 x = ln x. For n 0 and x > 0, let F n+ x = 0 F ntdt. Evaluate n!f n lim n ln n. By directly computing F n x for small n s, we obtain the following

Gambling and Data Compression

Gambling and Data Compression Gambling. Horse Race Definition The wealth relative S(X) = b(x)o(x) is the factor by which the gambler s wealth grows if horse X wins the race, where b(x) is the fraction

MATH10040 Chapter 2: Prime and relatively prime numbers

MATH10040 Chapter 2: Prime and relatively prime numbers Recall the basic definition: 1. Prime numbers Definition 1.1. Recall that a positive integer is said to be prime if it has precisely two positive

On Factoring Integers and Evaluating Discrete Logarithms

On Factoring Integers and Evaluating Discrete Logarithms A thesis presented by JOHN AARON GREGG to the departments of Mathematics and Computer Science in partial fulfillment of the honors requirements

1 Message Authentication

Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions