Ilya Mironov,Anton Mityagin,Kobbi Nissim

DOI: https://doi.org/10.48550/arXiv.math/0606771

2006-06-29

Number Theory

Abstract:The discrete logarithm problem (DLP) generalizes to the constrained DLP, where the secret exponent $x$ belongs to a set known to the attacker. The complexity of generic algorithms for solving the constrained DLP depends on the choice of the set. Motivated by cryptographic applications, we study sets with succinct representation for which the constrained DLP is hard. We draw on earlier results due to Erd\"os et al. and Schnorr, develop geometric tools such as generalized Menelaus' theorem for proving lower bounds on the complexity of the constrained DLP, and construct sets with succinct representation with provable non-trivial lower bounds.

Dongxiao Yu,Yuexuan Wang,Qiang-Sheng Hua,Francis C. M. Lau

DOI: https://doi.org/10.1007/978-3-642-22685-4_7

2011-01-01

Abstract:We present new algorithms for exact multilinear k-monomial counting which is to compute the sum of coefficients of all degree- k multilinear monomials in a given polynomial P over a ring R described by an arithmetic circuit C . If the polynomial can be represented as a product of two polynomials with degree at most d < k , our algorithm can solve this problem in O *(( n ↓ d )) time, where ( n ↓ d ) = Σ i =0 d ( n i ). O * omits a polynomial factor in n . For the general case, the proposed algorithm takes time O *(( n ↓ k ) ). In both cases, our results are superior to previous approaches presented in [Koutis, I. and Williams, R.: Limits and applications of group algebras for parameterized problems. ICALP, pages 653-664 (2009)]. We also present a polynomial space algorithm with time bound O *(2 k ( n k )). By reducing the # k -path problem and the # m -set k -packing problem to the exact multilinear k -monomial counting problem, we give algorithms for these two problems that match the fastest known results presented in [2].

Kishan Chand Gupta,Sumit Kumar Pandey,Susanta Samanta

DOI: https://doi.org/10.1007/s12095-023-00667-x

2023-07-28

Abstract:The optimal branch number of MDS matrices makes them a preferred choice for designing diffusion layers in many block ciphers and hash functions. However, in lightweight cryptography, Near-MDS (NMDS) matrices with sub-optimal branch numbers offer a better balance between security and efficiency as a diffusion layer, compared to MDS matrices. In this paper, we study NMDS matrices, exploring their construction in both recursive and nonrecursive settings. We provide several theoretical results and explore the hardware efficiency of the construction of NMDS matrices. Additionally, we make comparisons between the results of NMDS and MDS matrices whenever possible. For the recursive approach, we study the DLS matrices and provide some theoretical results on their use. Some of the results are used to restrict the search space of the DLS matrices. We also show that over a field of characteristic 2, any sparse matrix of order $n\geq 4$ with fixed XOR value of 1 cannot be an NMDS when raised to a power of $k\leq n$. Following that, we use the generalized DLS (GDLS) matrices to provide some lightweight recursive NMDS matrices of several orders that perform better than the existing matrices in terms of hardware cost or the number of iterations. For the nonrecursive construction of NMDS matrices, we study various structures, such as circulant and left-circulant matrices, and their generalizations: Toeplitz and Hankel matrices. In addition, we prove that Toeplitz matrices of order $n>4$ cannot be simultaneously NMDS and involutory over a field of characteristic 2. Finally, we use GDLS matrices to provide some lightweight NMDS matrices that can be computed in one clock cycle. The proposed nonrecursive NMDS matrices of orders 4, 5, 6, 7, and 8 can be implemented with 24, 50, 65, 96, and 108 XORs over $\mathbb{F}_{2^4}$, respectively.

Cryptography and Security

Xiaoqiang Zhang,Guiliang Zhu,Weiping Wang,Mengmeng Wang,Shilong Ma

DOI: https://doi.org/10.4304/jcp.7.1.169-178

2012-01-01

Journal of Computers

Abstract:The asymmetric cryptosystem plays an important role in the cryptology nowadays. It is widely used in the fields of data encryption, digital watermarking, digital signature, secure network protocol, etc. However, with the improvement of computing capability, longer and longer the key length is required to ensure the security of interaction information. To shorten the key length and improve the encryption efficiency, by defining the two-dimension discrete logarithm problem (DLP), a new public-key cryptosystem is proposed. This new cryptosystem generalizes the public-key cryptosystem from one dimension to two dimensions. The core algorithms of the proposed cryptosystem are also designed, including the fast algorithm, computing the inverse matrix modulo p and finding the period. To verify the correctness and rationality of the new cryptosystem, two examples are carried out. Meanwhile, the efficiency and security are analyzed in detail. Experimental results and theoretical analyses show that the new cryptosystem possesses the advantages of the outstanding robustness, short key length, high security and encrypting many data once.

Aditya Bhaskara,Moses Charikar,Venkatesan Guruswami,Aravindan Vijayaraghavan,Yuan Zhou

DOI: https://doi.org/10.1137/1.9781611973099.34

2011-01-01

Abstract:The densest k-subgraph (DkS) problem (i.e. find a size k subgraph with maximum number of edges), is one of the notorious problems in approximation algorithms. There is a significant gap between known upper and lower bounds for DkS: the current best algorithm gives an O(n^1/4) approximation, while even showing a small constant factor hardness requires significantly stronger assumptions than P != NP. In addition to interest in designing better algorithms, a number of recent results have exploited the conjectured hardness of densest k-subgraph and its variants. Thus, understanding the approximability of DkS is an important challenge. In this work, we give evidence for the hardness of approximating DkS within polynomial factors. Specifically, we expose the limitations of strong semidefinite programs from SDP hierarchies in solving densest k-subgraph. Our results include: * A lower bound of Omega(n^1/4/log^3 n) on the integrality gap for Omega(log n/log log n) rounds of the Sherali-Adams relaxation for DkS. This also holds for the relaxation obtained from Sherali-Adams with an added SDP constraint. Our gap instances are in fact Erdos-Renyi random graphs. * For every epsilon > 0, a lower bound of n^2/53-eps on the integrality gap of n^Omega(eps) rounds of the Lasserre SDP relaxation for DkS, and an n^Omega_eps(1) gap for n^1-eps rounds. Our construction proceeds via a reduction from random instances of a certain Max-CSP over large domains. In the absence of inapproximability results for DkS, our results show that even the most powerful SDPs are unable to beat a factor of n^Omega(1), and in fact even improving the best known n^1/4 factor is a barrier for current techniques.

Jian Gao,Zhenghang Xu,Ruizhi Li,Minghao Yin

DOI: https://doi.org/10.1609/aaai.v36i9.21257

2022-06-28

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:The Maximum k-Defective Clique Problem (MDCP), as a clique relaxation model, has been used to solve various problems. Because it is a hard computational task, previous works can hardly solve the MDCP for massive sparse graphs derived from real-world applications. In this work, we propose a novel branch-and-bound algorithm to solve the MDCP based on several new techniques. First, we propose two new upper bounds of the MDCP as well as corresponding reduction rules to remove redundant vertices and edges. The proposed reduction rules are particularly useful for massive graphs. Second, we present another new upper bound by counting missing edges between fixed vertices and an unfixed vertex for cutting branches. We perform extensive computational experiments to evaluate our algorithm. Experimental results show that our reduction rules are very effective for removing redundant vertices and edges so that graphs are reduced greatly. Also, our algorithm can solve benchmark instances efficiently, and it has significantly better performance than state-of-the-art algorithms.

Ce Jin,Yinzhan Xu

DOI: https://doi.org/10.48550/arXiv.2202.11250

2022-02-23

Abstract:The main theme of this paper is using $k$-dimensional generalizations of the combinatorial Boolean Matrix Multiplication (BMM) hypothesis and the closely-related Online Matrix Vector Multiplication (OMv) hypothesis to prove new tight conditional lower bounds for dynamic problems. The combinatorial $k$-Clique hypothesis, which is a standard hypothesis in the literature, naturally generalizes the combinatorial BMM hypothesis. In this paper, we prove tight lower bounds for several dynamic problems under the combinatorial $k$-Clique hypothesis. For instance, we show that: * The Dynamic Range Mode problem has no combinatorial algorithms with $\mathrm{poly}(n)$ pre-processing time, $O(n^{2/3-\epsilon})$ update time and $O(n^{2/3-\epsilon})$ query time for any $\epsilon > 0$, matching the known upper bounds for this problem. Previous lower bounds only ruled out algorithms with $O(n^{1/2-\epsilon})$ update and query time under the OMv hypothesis. Other examples include tight combinatorial lower bounds for Dynamic Subgraph Connectivity, Dynamic 2D Orthogonal Range Color Counting, Dynamic 2-Pattern Document Retrieval, and Dynamic Range Mode in higher dimensions. Furthermore, we propose the OuMv$_k$ hypothesis as a natural generalization of the OMv hypothesis. Under this hypothesis, we prove tight lower bounds for various dynamic problems. For instance, we show that: * The Dynamic Skyline Points Counting problem in $(2k-1)$-dimensional space has no algorithm with $\mathrm{poly}(n)$ pre-processing time and $O(n^{1-1/k-\epsilon})$ update and query time for $\epsilon > 0$, even if the updates are semi-online. Other examples include tight conditional lower bounds for (semi-online) Dynamic Klee's measure for unit cubes, and high-dimensional generalizations of Erickson's problem and Langerman's problem.

Computational Complexity,Computational Geometry,Data Structures and Algorithms

Kishan Chand Gupta,Sumit Kumar Pandey,Susanta Samanta

2024-04-08

Abstract:The optimal branch number of MDS matrices makes them a preferred choice for designing diffusion layers in many block ciphers and hash functions. Consequently, various methods have been proposed for designing MDS matrices, including search and direct methods. While exhaustive search is suitable for small order MDS matrices, direct constructions are preferred for larger orders due to the vast search space involved. In the literature, there has been extensive research on the direct construction of MDS matrices using both recursive and nonrecursive methods. On the other hand, in lightweight cryptography, Near-MDS (NMDS) matrices with sub-optimal branch numbers offer a better balance between security and efficiency as a diffusion layer compared to MDS matrices. However, no direct construction method is available in the literature for constructing recursive NMDS matrices. This paper introduces some direct constructions of NMDS matrices in both nonrecursive and recursive settings. Additionally, it presents some direct constructions of nonrecursive MDS matrices from the generalized Vandermonde matrices. We propose a method for constructing involutory MDS and NMDS matrices using generalized Vandermonde matrices. Furthermore, we prove some folklore results that are used in the literature related to the NMDS code.

Information Theory,Cryptography and Security

HaiJian Zhou,Ping Luo,DaoShun Wang,YiQi Dai

DOI: https://doi.org/10.1007/s11432-009-0159-9

2009-01-01

Science in China Series F Information Sciences

Abstract:Finding the solution to a general multivariate modular linear equation plays an important role in cryptanalysis field. Earlier results show that obtaining a relatively short solution is possible in polynomial time. However, one problem arises here that if the equation has a short solution in given bounded range, the results outputted by earlier algorithms are often not the ones we are interested in. In this paper, we present a probability method based on lattice basis reduction to solve the problem. For a general multivariate modular linear equation with short solution in the given bounded range, the new method outputs this short solution in polynomial time, with a high probability. When the number of unknowns is not too large (smaller than 68), the probability is approximating 1. Experimental results show that Knapsack systems and Lu-Lee type systems are easily broken in polynomial time with this new method.

Ainesh Bakshi,Vincent Cohen-Addad,Samuel B. Hopkins,Rajesh Jayaram,Silvio Lattanzi

2024-04-11

Abstract:Multi-dimensional Scaling (MDS) is a family of methods for embedding an $n$-point metric into low-dimensional Euclidean space. We study the Kamada-Kawai formulation of MDS: given a set of non-negative dissimilarities $\{d_{i,j}\}_{i , j \in [n]}$ over $n$ points, the goal is to find an embedding $\{x_1,\dots,x_n\} \in \mathbb{R}^k$ that minimizes \[\text{OPT} = \min_{x} \mathbb{E}_{i,j \in [n]} \left[ \left(1-\frac{\|x_i - x_j\|}{d_{i,j}}\right)^2 \right] \]

Machine Learning

Jinbao Zhu,Songze Li,Jie Li

DOI: https://doi.org/10.1109/tifs.2023.3249565

IF: 7.231

2023-03-08

IEEE Transactions on Information Forensics and Security

Abstract:We study two problems of private matrix multiplication, over a distributed computing system consisting of a master node, and multiple servers that collectively store a family of public matrices using Maximum-Distance-Separable (MDS) codes. In the first problem of Private and Secure Matrix Multiplication (PSMM) from colluding servers, the master intends to compute the product of its confidential matrix with a target matrix stored on the servers, without revealing any information about and the index of target matrix to some colluding servers. In the second problem of Fully Private Matrix Multiplication (FPMM) from colluding servers, the matrix is also selected from another family of public matrices stored at the servers in MDS form. In this case, the indices of the two target matrices should both be kept private from colluding servers. We develop novel strategies for the two PSMM and FPMM problems, which simultaneously guarantee information-theoretic data/index privacy and computation correctness. We compare the proposed PSMM strategy with a previous PSMM strategy with a weaker privacy guarantee (non-colluding servers), and demonstrate substantial improvements over the previous strategy in terms of communication and computation overheads. Moreover, compared with a baseline FPMM strategy that uses the idea of Private Information Retrieval (PIR) to directly retrieve the desired matrix multiplication, the proposed FPMM strategy significantly reduces storage overhead, but slightly incurs large communication and computation overheads.

computer science, theory & methods,engineering, electrical & electronic

Martin Ekerå

2023-09-05

Abstract:Ekerå and Håstad have introduced a variation of Shor's algorithm for the discrete logarithm problem (DLP). Unlike Shor's original algorithm, Ekerå-Håstad's algorithm solves the short DLP in groups of unknown order. In this work, we prove a lower bound on the probability of Ekerå-Håstad's algorithm recovering the short logarithm $d$ in a single run. By our bound, the success probability can easily be pushed as high as $1 - 10^{-10}$ for any short $d$. A key to achieving such a high success probability is to efficiently perform a limited search in the classical post-processing by leveraging meet-in-the-middle techniques. Asymptotically, in the limit as the bit length $m$ of $d$ tends to infinity, the success probability tends to one if the limits on the search space are parameterized in $m$. Our results are directly applicable to Diffie-Hellman in safe-prime groups with short exponents, and to RSA via a reduction from the RSA integer factoring problem (IFP) to the short DLP.

Cryptography and Security,Quantum Physics

Cem M Unsal,Rasit Onur Topaloglu

DOI: https://doi.org/10.48550/arXiv.2212.12577

2022-12-24

Abstract:Generalized Discrete Logarithm Problem (GDLP) is an extension of the Discrete Logarithm Problem where the goal is to find $x\in\mathbb{Z}_s$ such $g^x\mod s=y$ for a given $g,y\in\mathbb{Z}_s$. Generalized discrete logarithm is similar but instead of a single base element, uses a number of base elements which does not necessarily commute with each other. In this paper, we prove that GDLP is NP-hard for symmetric groups. Furthermore, we prove that GDLP remains NP-hard even when the base elements are permutations of at most 3 elements. Lastly, we discuss the implications and possible implications of our proofs in classical and quantum complexity theory.

Computational Complexity

Rong Wang,Zhen-Qiang Yin,Hang Liu,Shuang Wang,Wei Chen,Guang-Can Guo,Zheng-Fu Han

DOI: https://doi.org/10.1103/PhysRevResearch.3.023019

2021-04-09

Physical Review Research

Abstract:Due to the capability of tolerating high error rate and generating more key bits per trial, high-dimensional quantum key distribution attracts wide interest. Despite great progresses in high-dimensional quantum key distribution, there are still some gaps between theory and experiment. One of these is that the security of the secret key heavily depends on the number of the emitted signals. So far, the existing security proofs are only suitable in the case with an infinite or unpractically large number of emitted signals. Here, by introducing the idea of "key classification" and developing relevant techniques based on the uncertainty relation for smooth entropies, we propose a tight finite-key analysis suitable for generalized high-dimensional quantum key distribution protocols. Benefitting from our theory, high-dimensional quantum key distribution protocols with finite resources become experimentally feasible. https://doi.org/10.1103/PhysRevResearch.3.023019 Published by the American Physical Society under the terms of the Creative Commons Attribution 4.0 International license. Further distribution of this work must maintain attribution to the author(s) and the published article's title, journal citation, and DOI. Published by the American Physical Society

English Else

Prabhat Kushwaha

DOI: https://doi.org/10.1515/jmc-2017-0053

2018-06-01

Journal of Mathematical Cryptology

Abstract:Abstract In 2004, Muzereau, Smart and Vercauteren [A. Muzereau, N. P. Smart and F. Vercauteren, The equivalence between the DHP and DLP for elliptic curves used in practical applications, LMS J. Comput. Math. 7 2004, 50–72] showed how to use a reduction algorithm of the discrete logarithm problem to Diffie–Hellman problem in order to estimate lower bound for the Diffie–Hellman problem on elliptic curves. They presented their estimates on various elliptic curves that are used in practical applications. In this paper, we show that a much tighter lower bound for the Diffie–Hellman problem on those curves can be achieved if one uses the multiplicative group of a finite field as auxiliary group. The improved lower bound estimates of the Diffie–Hellman problem on those recommended curves are also presented. Moreover, we have also extended our idea by presenting similar estimates of DHP on some more recommended curves which were not covered before. These estimates of DHP on these curves are currently the tightest which lead us towards the equivalence of the Diffie–Hellman problem and the discrete logarithm problem on these recommended elliptic curves.

Yi Li,Ruosong Wang,David P. Woodruff

DOI: https://doi.org/10.1137/20m1311831

2019-01-01

Abstract:In the subspace sketch problem one is given an $n\times d$ matrix $A$ with $O(\log(nd))$ bit entries, and would like to compress it in an arbitrary way to build a small space data structure $Q_p$, so that for any given $x \in \mathbb{R}^d$, with probability at least $2/3$, one has $Q_p(x)=(1\pm\epsilon)\|Ax\|_p$, where $p\geq 0$, and where the randomness is over the construction of $Q_p$. The central question is: How many bits are necessary to store $Q_p$? This problem has applications to the communication of approximating the number of non-zeros in a matrix product, the size of coresets in projective clustering, the memory of streaming algorithms for regression in the row-update model, and embedding subspaces of $L_p$ in functional analysis. A major open question is the dependence on the approximation factor $\epsilon$. We show if $p\geq 0$ is not a positive even integer and $d=\Omega(\log(1/\epsilon))$, then $\tilde{\Omega}(\epsilon^{-2}d)$ bits are necessary. On the other hand, if $p$ is a positive even integer, then there is an upper bound of $O(d^p\log(nd))$ bits independent of $\epsilon$. Our results are optimal up to logarithmic factors, and show in particular that one cannot compress $A$ to $O(d)$ "directions" $v_1,\dots,v_{O(d)}$, such that for any $x$, $\|Ax\|_1$ can be well-approximated from $\langle v_1,x\rangle,\dots,\langle v_{O(d)},x\rangle$. Our lower bound rules out arbitrary functions of these inner products (and in fact arbitrary data structures built from $A$), and thus rules out the possibility of a singular value decomposition for $\ell_1$ in a very strong sense. Indeed, as $\epsilon\to 0$, for $p = 1$ the space complexity becomes arbitrarily large, while for $p = 2$ it is at most $O(d^2 \log(nd))$. As corollaries of our main lower bound, we obtain new lower bounds for a wide range of applications, including the above, which in many cases are optimal.

Lev Tauz,Debarnab Mitra,Jayanth Shreekumar,Murat Can Sarihan,Chee Wei Wong,Lara Dolecek

2024-03-01

Abstract:Quantum key distribution (QKD) is a popular protocol that provides information theoretically secure keys to multiple parties. Two important post-processing steps of QKD are 1) the information reconciliation (IR) step, where parties reconcile mismatches in generated keys through classical communication, and 2) the privacy amplification (PA) step, where parties distill their common key into a new secure key that the adversary has little to no information about. In general, these two steps have been abstracted as two distinct problems. In this work, we consider a new technique of performing the IR and PA steps jointly through sampling that relaxes the requirement on the IR step, allowing for more success in key creation. We provide a novel LDPC code construction known as Block-MDS QC-LDPC codes that can utilize the relaxed requirement by creating LDPC codes with pre-defined sub-matrices of full-rank. We demonstrate through simulations that our technique of sampling can provide notable gains in successfully creating secret keys.

Information Theory

Jiang Xin,Hu Lei,Ding Jintai

DOI: https://doi.org/10.1109/ICASID.2009.5276944

2009-01-01

Abstract:The multivariate public key cryptosystems (MPKCs) have a bigger scale of private key and public key than conventional number theoretic based public key cryptosystems like RSA, DH, and ECDH. In this paper, we present a method to construct the linear transformations in a private key of MPKC by generalized central symmetric matrices over a finite field of odd characteristic. This method reduces 3/8 of the scale of private key and improves the computation of inverting the linear transformations in decryption or signature generation to 3/4. It also speedups the generation of public and private keys of MPKC. The method can be recursively applied for achieving a further advantage.

Jan van den Brand,Yin-Tat Lee,Danupon Nanongkai,Richard Peng,Thatchaphol Saranurak,Aaron Sidford,Zhao Song,Di Wang

DOI: https://doi.org/10.1109/focs46700.2020.00090

2020-11-01

Abstract:We present an $ ilde{O}(m+n^{1.5})$-time randomized algorithm for maximum cardinality bipartite matching and related problems (e.g. transshipment, negative-weight shortest paths, and optimal transport) on m-edge, n-node graphs. For maximum cardinality bipartite matching on moderately dense graphs, i.e. $m=Omega(n^{1.5})$, our algorithm runs in time nearly linear in the input size and constitutes the first improvement over the classic $O(msqrt{n})$-time [Dinic 1970; Hopcroft-Karp 1971; Karzanov 1973] and $widetilde{O}(n^{omega})$-time algorithms [Ibarra-Moran 1981] (where currently $omegaapprox 2.373$). On sparser graphs, i.e. when $m=n^{9/8+delta}$ for any constant $delta &gt; 0$, our result improves upon the recent advances of [Madry 2013] and [Liu-Sidford 2020b, 2020a] which achieve an $widetilde{O}(m^{4/3+o(1)})$ runtime. We obtain these results by combining and advancing recent lines of research in interior point methods (IPMs) and dynamic graph algorithms. First, we simplify and improve the IPM of [v.d.Brand-Lee-Sidford-Song 2020], providing a general primal-dual IPM framework and new sampling-based techniques for handling infeasibility induced by approximate linear system solvers. Second, we provide a simple sublinear-time algorithm for detecting and sampling high-energy edges in electric flows on expanders and show that when combined with recent advances in dynamic expander decompositions, this yields efficient data structures for maintaining the iterates of both [v.d.Brand et al.] and our new IPMs. Combining this general machinery yields a simpler $widetilde{O}(nsqrt{m})$ time algorithm for matching based on the logarithmic barrier function, and our state-of-the-art $widetilde{O}(m+n^{1.5})$ time algorithm for matching based on the [Lee-Sidford 2014] barrier (as regularized in [v.d.Brand et al.]).

Joshua Brakensiek,Manik Dhar,Sivakanth Gopi

2024-08-12

Abstract:The GM-MDS theorem, conjectured by Dau-Song-Dong-Yuen and proved by Lovett and Yildiz-Hassibi, shows that the generator matrices of Reed-Solomon codes can attain every possible configuration of zeros for an MDS code. The recently emerging theory of higher order MDS codes has connected the GM-MDS theorem to other important properties of Reed-Solomon codes, including showing that Reed-Solomon codes can achieve list decoding capacity, even over fields of size linear in the message length. A few works have extended the GM-MDS theorem to other families of codes, including Gabidulin and skew polynomial codes. In this paper, we generalize all these previous results by showing that the GM-MDS theorem applies to any polynomial code, i.e., a code where the columns of the generator matrix are obtained by evaluating linearly independent polynomials at different points. We also show that the GM-MDS theorem applies to dual codes of such polynomial codes, which is non-trivial since the dual of a polynomial code may not be a polynomial code. More generally, we show that GM-MDS theorem also holds for algebraic codes (and their duals) where columns of the generator matrix are chosen to be points on some irreducible variety which is not contained in a hyperplane through the origin. Our generalization has applications to constructing capacity-achieving list-decodable codes as shown in a follow-up work by Brakensiek-Dhar-Gopi-Zhang, where it is proved that randomly punctured algebraic-geometric (AG) codes achieve list-decoding capacity over constant-sized fields.

Information Theory,Algebraic Geometry,Combinatorics