Trance-0/NoteNextra-origin
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

upgrade structures and migrate to nextra v4

Browse Source
This commit is contained in:
Zheyuan Wu
2025-07-06 12:40:25 -05:00
parent 76e50de44d
commit 717520624d
317 changed files with 18143 additions and 22777 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
.gitignore vendored
View File

@@ -130,4 +130,13 @@ dist
.pnp.* .pnp.*
# vscode # vscode
.vscode .vscode
# analytics
analyze/
# heapsnapshot
*.heapsnapshot
# turbo
.turbo/

23
app/[[...mdxPath]]/page.tsx Normal file
View File

@@ -0,0 +1,23 @@
import { generateStaticParamsFor, importPage } from 'nextra/pages'
import { useMDXComponents as getMDXComponents } from '../../mdx-components'
export const generateStaticParams = generateStaticParamsFor('mdxPath')
export async function generateMetadata(props) {
const params = await props.params
const { metadata } = await importPage(params.mdxPath)
return metadata
}
const Wrapper = getMDXComponents().wrapper
export default async function Page(props) {
const params = await props.params
const result = await importPage(params.mdxPath)
const { default: MDXContent, toc, metadata } = result
return (
<Wrapper toc={toc} metadata={metadata}>
<MDXContent {...props} params={params} />
</Wrapper>
)
}

90
app/layout.tsx Normal file
View File

@@ -0,0 +1,90 @@
/* eslint-env node */
import { Footer, Layout, Navbar } from 'nextra-theme-docs'
import { Banner, Head } from 'nextra/components'
import { getPageMap } from 'nextra/page-map'
import 'nextra-theme-docs/style.css'
import { SpeedInsights } from "@vercel/speed-insights/next"
import { Analytics } from "@vercel/analytics/react"
export const metadata = {
metadataBase: new URL('https://notenextra.trance-0.com'),
title: {
template: '%s - NoteNextra'
},
description: 'A static note sharing site for minimum care',
applicationName: 'NoteNextra',
generator: 'Next.js',
appleWebApp: {
title: 'NoteNextra'
},
other: {
'msapplication-TileImage': '/ms-icon-144x144.png',
'msapplication-TileColor': '#fff'
},
twitter: {
site: 'https://notenextra.trance-0.com'
}
}
export default async function RootLayout({ children }) {
const navbar = (
<Navbar
logo={
<>
<svg width="32" height="32" viewBox="0 0 16 16">
<path fillRule="evenodd" d="M1.114 8.063V7.9c1.005-.102 1.497-.615 1.497-1.6V4.503c0-1.094.39-1.538 1.354-1.538h.273V2h-.376C2.25 2 1.49 2.759 1.49 4.352v1.524c0 1.094-.376 1.456-1.49 1.456v1.299c1.114 0 1.49.362 1.49 1.456v1.524c0 1.593.759 2.352 2.372 2.352h.376v-.964h-.273c-.964 0-1.354-.444-1.354-1.538V9.663c0-.984-.492-1.497-1.497-1.6M14.886 7.9v.164c-1.005.103-1.497.616-1.497 1.6v1.798c0 1.094-.39 1.538-1.354 1.538h-.273v.964h.376c1.613 0 2.372-.759 2.372-2.352v-1.524c0-1.094.376-1.456 1.49-1.456v-1.3c-1.114 0-1.49-.362-1.49-1.456V4.352C14.51 2.759 13.75 2 12.138 2h-.376v.964h.273c.964 0 1.354.444 1.354 1.538V6.3c0 .984.492 1.497 1.497 1.6M7.5 11.5V9.207l-1.621 1.621-.707-.707L6.792 8.5H4.5v-1h2.293L5.172 5.879l.707-.707L7.5 6.792V4.5h1v2.293l1.621-1.621.707.707L9.208 7.5H11.5v1H9.207l1.621 1.621-.707.707L8.5 9.208V11.5z"/>
</svg>
<span style={{ marginLeft: '.4em', fontWeight: 800 }}>
NoteNextra
</span>
</>
}
projectLink="https://github.com/Trance-0/NoteNextra"
/>
)
const pageMap = await getPageMap()
return (
<html lang="en" dir="ltr" suppressHydrationWarning>
<Head color={{
hue: {
dark: 336,
light: 164
},
saturation: {
dark: 72,
light: 49
},
lightness: {
dark: 59,
light: 35
}
}} />
<body>
<Layout
navbar={navbar}
footer={
<Footer>
<span>
MIT {new Date().getFullYear()} ©{' '}
<a href="https://github.com/Trance-0" target="_blank">
Trance-0
</a>
.
</span>
</Footer>
}
editLink="Edit this page on GitHub"
docsRepositoryBase="https://github.com/Trance-0/NoteNextra/tree/main"
sidebar={{ defaultMenuCollapseLevel: 1 }}
pageMap={pageMap}
>
{children}
{/* SpeedInsights in vercel */}
<SpeedInsights />
{/* Analytics in vercel */}
<Analytics />
</Layout>
</body>
</html>
)
}

0
pages/CSE332S/CSE332S_L1.md → content/CSE332S/CSE332S_L1.md
View File

0
pages/CSE332S/CSE332S_L10.md → content/CSE332S/CSE332S_L10.md
View File

0
pages/CSE332S/CSE332S_L11.md → content/CSE332S/CSE332S_L11.md
View File

0
pages/CSE332S/CSE332S_L12.md → content/CSE332S/CSE332S_L12.md
View File

0
pages/CSE332S/CSE332S_L13.md → content/CSE332S/CSE332S_L13.md
View File

0
pages/CSE332S/CSE332S_L14.md → content/CSE332S/CSE332S_L14.md
View File

0
pages/CSE332S/CSE332S_L15.md → content/CSE332S/CSE332S_L15.md
View File

0
pages/CSE332S/CSE332S_L16.md → content/CSE332S/CSE332S_L16.md
View File

0
pages/CSE332S/CSE332S_L17.md → content/CSE332S/CSE332S_L17.md
View File

0
pages/CSE332S/CSE332S_L2.md → content/CSE332S/CSE332S_L2.md
View File

0
pages/CSE332S/CSE332S_L3.md → content/CSE332S/CSE332S_L3.md
View File

0
pages/CSE332S/CSE332S_L4.md → content/CSE332S/CSE332S_L4.md
View File

0
pages/CSE332S/CSE332S_L5.md → content/CSE332S/CSE332S_L5.md
View File

0
pages/CSE332S/CSE332S_L6.md → content/CSE332S/CSE332S_L6.md
View File

0
pages/CSE332S/CSE332S_L7.md → content/CSE332S/CSE332S_L7.md
View File

0
pages/CSE332S/CSE332S_L8.md → content/CSE332S/CSE332S_L8.md
View File

0
pages/CSE332S/CSE332S_L9.md → content/CSE332S/CSE332S_L9.md
View File

2
pages/CSE332S/_meta.js → content/CSE332S/_meta.js
View File

@@ -1,5 +1,5 @@
export default { export default {
index: "Course Description", index: {type:"page",title:"Course Description",href:"/CSE332S/index.mdx"},
"---":{ "---":{
type: 'separator' type: 'separator'
}, },

0
pages/CSE332S/index.md → content/CSE332S/index.mdx
View File

490
pages/CSE347/CSE347_L1.md → content/CSE347/CSE347_L1.md
View File

@@ -1,245 +1,245 @@
# Lecture 1 # Lecture 1
## Greedy Algorithms ## Greedy Algorithms
* Builds up a solution by making a series of small decisions that optimize some objective. * Builds up a solution by making a series of small decisions that optimize some objective.
* Make one irrevocable choice at a time, creating smaller and smaller sub-problems of the same kind as the original problem. * Make one irrevocable choice at a time, creating smaller and smaller sub-problems of the same kind as the original problem.
* There are many potential greedy strategies and picking the right one can be challenging. * There are many potential greedy strategies and picking the right one can be challenging.
### A Scheduling Problem ### A Scheduling Problem
You manage a giant space telescope. You manage a giant space telescope.
* There are $n$ research projects that want to use it to make observations. * There are $n$ research projects that want to use it to make observations.
* Only one project can use the telescope at a time. * Only one project can use the telescope at a time.
* Project $p_i$ needs the telescope starting at time $s_i$ and running for a length of time $t_i$. * Project $p_i$ needs the telescope starting at time $s_i$ and running for a length of time $t_i$.
* Goal: schedule as many as possible * Goal: schedule as many as possible
Formally Formally
Input: Input:
* Given a set $P$ of projects, $|P|=n$ * Given a set $P$ of projects, $|P|=n$
* Each request $p_i\in P$ occupies interval $[s_i,f_i)$, where $f_i=s_i+t_i$ * Each request $p_i\in P$ occupies interval $[s_i,f_i)$, where $f_i=s_i+t_i$
Goal: Choose a subset $\Pi\sqsubseteq P$ such that Goal: Choose a subset $\Pi\sqsubseteq P$ such that
1. No two projects in $\Pi$ have overlapping intervals. 1. No two projects in $\Pi$ have overlapping intervals.
2. The number of selected projects $|\Pi|$ is maximized. 2. The number of selected projects $|\Pi|$ is maximized.
#### Shortest Interval #### Shortest Interval
Counter-example: `[1,10],[9,12],[11,20]` Counter-example: `[1,10],[9,12],[11,20]`
#### Earliest start time #### Earliest start time
Counter-example: `[1,10],[2,3],[4,5]` Counter-example: `[1,10],[2,3],[4,5]`
#### Fewest Conflicts #### Fewest Conflicts
Counter-example: `[1,2],[1,4],[1,4],[3,6],[7,8],[5,8],[5,8]` Counter-example: `[1,2],[1,4],[1,4],[3,6],[7,8],[5,8],[5,8]`
#### Earliest finish time #### Earliest finish time
Correct... but why Correct... but why
#### Theorem of Greedy Strategy (Earliest Finishing Time) #### Theorem of Greedy Strategy (Earliest Finishing Time)
Say this greedy strategy (Earliest Finishing Time) picks a set $\Pi$ of intervals, some other strategy picks a set $O$ of intervals. Say this greedy strategy (Earliest Finishing Time) picks a set $\Pi$ of intervals, some other strategy picks a set $O$ of intervals.
Assume sorted by finishing time Assume sorted by finishing time
* $\Pi=\{i_1,i_2,...,i_k\},|\Pi|=k$ * $\Pi=\{i_1,i_2,...,i_k\},|\Pi|=k$
* $O=\{j_1,j_2,...,j_m\},|O|=m$ * $O=\{j_1,j_2,...,j_m\},|O|=m$
We want to show that $|\Pi|\geq|O|,k>m$ We want to show that $|\Pi|\geq|O|,k>m$
#### Lemma: For all $r<k,f_{i_r}\leq f_{j_r}$ #### Lemma: For all $r<k,f_{i_r}\leq f_{j_r}$
We proceed the proof by induction. We proceed the proof by induction.
* Base Case, when r=1. * Base Case, when r=1.
$\Pi$ is the earliest finish time, and $O$ cannot pick a interval with earlier finish time, so $f_{i_r}\leq f_{j_r}$ $\Pi$ is the earliest finish time, and $O$ cannot pick a interval with earlier finish time, so $f_{i_r}\leq f_{j_r}$
* Inductive step, when r>1. * Inductive step, when r>1.
Since $\Pi_r$ is the earliest finish time, so for any set in $O_r$, $f_{i_{r-1}}\leq f_{j_{r-1}}$, for any $j_r$ inserted to $O_r$, it can also be inserted to $\Pi_r$. So $O_r$ cannot pick an interval with earlier finish time than $Pi$ since it will also be picked by definition if $O_r$ is the optimal solution $OPT$. Since $\Pi_r$ is the earliest finish time, so for any set in $O_r$, $f_{i_{r-1}}\leq f_{j_{r-1}}$, for any $j_r$ inserted to $O_r$, it can also be inserted to $\Pi_r$. So $O_r$ cannot pick an interval with earlier finish time than $Pi$ since it will also be picked by definition if $O_r$ is the optimal solution $OPT$.
#### Problem of “Greedy Stays Ahead” Proof #### Problem of “Greedy Stays Ahead” Proof
* Every problem has very different theorem. * Every problem has very different theorem.
* It can be challenging to even write down the correct statement that you must prove. * It can be challenging to even write down the correct statement that you must prove.
* We want a systematic approach to prove the correctness of greedy algorithms. * We want a systematic approach to prove the correctness of greedy algorithms.
### Road Map to Prove Greedy Algorithm ### Road Map to Prove Greedy Algorithm
#### 1. Make a Choice #### 1. Make a Choice
Pick an interval based on greedy choice, say $q$ Pick an interval based on greedy choice, say $q$
Proof: **Greedy Choice Property**: Show that using our first choice is not "fatal" at least one optimal solution makes this choice. Proof: **Greedy Choice Property**: Show that using our first choice is not "fatal" at least one optimal solution makes this choice.
Techniques: **Exchange Argument**: "If an optimal solution does not choose $q$, we can turn it into an equally good solution that does." Techniques: **Exchange Argument**: "If an optimal solution does not choose $q$, we can turn it into an equally good solution that does."
Let $\Pi^*$ be any optimal solution for project set $P$. Let $\Pi^*$ be any optimal solution for project set $P$.
- If $q\in \Pi^*$, we are done. - If $q\in \Pi^*$, we are done.
- Otherwise, let $x$ be the optimal solution from $\Pi^*$ that does not pick $q$. We create another solution $\bar{\Pi^*}$ that replace $x$ with $q$, and prove that the $\bar{\Pi^*}$ is as optimal as $\Pi^*$ - Otherwise, let $x$ be the optimal solution from $\Pi^*$ that does not pick $q$. We create another solution $\bar{\Pi^*}$ that replace $x$ with $q$, and prove that the $\bar{\Pi^*}$ is as optimal as $\Pi^*$
#### 2. Create a smaller instance $P'$ of the original problem #### 2. Create a smaller instance $P'$ of the original problem
$P'$ has the same optimization criteria. $P'$ has the same optimization criteria.
Proof: **Inductive Structure**: Show that after making the first choice, we're left with a smaller version of the same problem, whose solution we can safely combine with the first choice. Proof: **Inductive Structure**: Show that after making the first choice, we're left with a smaller version of the same problem, whose solution we can safely combine with the first choice.
Let $P'$ be the subproblem left after making first choice $q$ in problem $P$ and let $\Pi'$ be an optimal solution to $P'$. Then $\Pi=\Pi^*\cup\{q\}$ is an optimal solution to $P$. Let $P'$ be the subproblem left after making first choice $q$ in problem $P$ and let $\Pi'$ be an optimal solution to $P'$. Then $\Pi=\Pi^*\cup\{q\}$ is an optimal solution to $P$.
$P'=P-\{q\}-\{$projects conflicting with $q\}$ $P'=P-\{q\}-\{$projects conflicting with $q\}$
#### 3. Solution: Union of choices that we made #### 3. Solution: Union of choices that we made
Union of choices that we made. Union of choices that we made.
Proof: **Optimal Substructure**: Show that if we solve the subproblem optimally, adding our first choice creates an optimal solution to the *whole* problem. Proof: **Optimal Substructure**: Show that if we solve the subproblem optimally, adding our first choice creates an optimal solution to the *whole* problem.
Let $q$ be the first choice, $P'$ be the subproblem left after making $q$ in problem $P$, $\Pi'$ be an optimal solution to $P'$. We claim that $\Pi=\Pi'\cup \{q\}$ is an optimal solution to $P$. Let $q$ be the first choice, $P'$ be the subproblem left after making $q$ in problem $P$, $\Pi'$ be an optimal solution to $P'$. We claim that $\Pi=\Pi'\cup \{q\}$ is an optimal solution to $P$.
We proceed the proof by contradiction. We proceed the proof by contradiction.
Assume that $\Pi=\Pi'+\{q\}$ is not optimal. Assume that $\Pi=\Pi'+\{q\}$ is not optimal.
By Greedy choice property $GCP$. we already know that $\exists$ an optimal solution $\Pi^*$ for problem $P$ that contains $q$. If $\Pi$ is not optimal, $cost(\Pi^*)<cost(\Pi)$. Then since $\Pi^*-q$ is also a feasible solution to $P'$. $cost(\Pi^*-q)>cost(\Pi-q)=\Pi'$ which leads to contradiction that $\Pi'$ is an optimal solution to $P'$. By Greedy choice property $GCP$. we already know that $\exists$ an optimal solution $\Pi^*$ for problem $P$ that contains $q$. If $\Pi$ is not optimal, $cost(\Pi^*)<cost(\Pi)$. Then since $\Pi^*-q$ is also a feasible solution to $P'$. $cost(\Pi^*-q)>cost(\Pi-q)=\Pi'$ which leads to contradiction that $\Pi'$ is an optimal solution to $P'$.
#### 4. Put 1-3 together to write an inductive proof of the Theorem #### 4. Put 1-3 together to write an inductive proof of the Theorem
This is independent of problem, same for every problem. This is independent of problem, same for every problem.
Use scheduling problem as an example: Use scheduling problem as an example:
Theorem: given a scheduling problem $P$, if we repeatedly choose the remaining feasible project with the earliest finishing time, we will construct an optimal feasible solution to $P$. Theorem: given a scheduling problem $P$, if we repeatedly choose the remaining feasible project with the earliest finishing time, we will construct an optimal feasible solution to $P$.
Proof: We proceed by induction on $|P|$. (based on the size of problem $P$). Proof: We proceed by induction on $|P|$. (based on the size of problem $P$).
- Base case: $|P|=1$. - Base case: $|P|=1$.
- Inductive step. - Inductive step.
- Inductive hypothesis: For all problems of size $<n$, earliest finishing time (EFT) gives us an optimal solution. - Inductive hypothesis: For all problems of size $<n$, earliest finishing time (EFT) gives us an optimal solution.
- EFT is optimal for problem of size $n$. - EFT is optimal for problem of size $n$.
- Proof: Once we pick q, because of greedy choice. $P'=P=\{q\} -\{$interval that conflict with $q\}$. $|P'|<n$, By Inductive hypothesis, EFT gives us an optimal solution to $P'$, but by inductive substructure, and optimal substructure. $\Pi'$ (optimal solution to $P'$), we have optimal solution to $P$. - Proof: Once we pick q, because of greedy choice. $P'=P=\{q\} -\{$interval that conflict with $q\}$. $|P'|<n$, By Inductive hypothesis, EFT gives us an optimal solution to $P'$, but by inductive substructure, and optimal substructure. $\Pi'$ (optimal solution to $P'$), we have optimal solution to $P$.
_this step always holds as long as the previous three properties hold, and we don't usually write the whole proof._ _this step always holds as long as the previous three properties hold, and we don't usually write the whole proof._
```python ```python
# Algorithm construction for Interval scheduling problem # Algorithm construction for Interval scheduling problem
def schedule(p): def schedule(p):
# sorting takes O(n)=nlogn # sorting takes O(n)=nlogn
p=sorted(p,key=lambda x:x[1]) p=sorted(p,key=lambda x:x[1])
res=[P[0]] res=[P[0]]
# O(n)=n # O(n)=n
for i in p[1:]: for i in p[1:]:
if res[-1][-1]<i[0]: if res[-1][-1]<i[0]:
res.append(i) res.append(i)
return res return res
``` ```
## Extra Examples: ## Extra Examples:
### File compression problem ### File compression problem
You have $n$ files of different sizes $f_i$. You have $n$ files of different sizes $f_i$.
You want to merge them to create a single file. $merge(f_i,f_j)$ takes time $f_i+f_j$ and creates a file of size $f_k=f_i+f_j$. You want to merge them to create a single file. $merge(f_i,f_j)$ takes time $f_i+f_j$ and creates a file of size $f_k=f_i+f_j$.
Goal: Find the order of merges such that the total time to merge is minimized. Goal: Find the order of merges such that the total time to merge is minimized.
Thinking process: The merge process is a binary tree and each of the file is the leaf of the tree. Thinking process: The merge process is a binary tree and each of the file is the leaf of the tree.
The total time required =$\sum^n_{i=1} d_if_i$, where $d_i$ is the depth of the file in the compression tree. The total time required =$\sum^n_{i=1} d_if_i$, where $d_i$ is the depth of the file in the compression tree.
So compressing the smaller file first may yield a faster run time. So compressing the smaller file first may yield a faster run time.
Proof: Proof:
#### Greedy Choice Property #### Greedy Choice Property
Construct part of the solution by making a locally good decision. Construct part of the solution by making a locally good decision.
Lemma: $\exist$ some optimal solution that merges the two smallest file first, lets say $[f_1,f_2]$ Lemma: $\exist$ some optimal solution that merges the two smallest file first, lets say $[f_1,f_2]$
Proof: **Exchange argument** Proof: **Exchange argument**
* Case 1: Optimal choice already merges $f_1,f_2$, done. Time order does not matter in this problem at some point. * Case 1: Optimal choice already merges $f_1,f_2$, done. Time order does not matter in this problem at some point.
* eg: [2,2,3], merge 2,3 and 2,2 first don't change the total cost * eg: [2,2,3], merge 2,3 and 2,2 first don't change the total cost
* Case 2: Optimal choice does not merges $f_1$ and $f_2$. * Case 2: Optimal choice does not merges $f_1$ and $f_2$.
* Suppose the optimal solution merges $f_x,f_y$ as the deepest merge. * Suppose the optimal solution merges $f_x,f_y$ as the deepest merge.
* Then $d_x\geq d_1,d_y\geq d_2$. Exchanging $f_1,f_2$ with $f_x,f_y$ would yield a strictly less greater solution since $f_1,f_2$ already smallest. * Then $d_x\geq d_1,d_y\geq d_2$. Exchanging $f_1,f_2$ with $f_x,f_y$ would yield a strictly less greater solution since $f_1,f_2$ already smallest.
#### Inductive Structure #### Inductive Structure
* We can combine feasible solution to the subproblem $P'$ with the greedy choice to get a feasible solution to $P$ * We can combine feasible solution to the subproblem $P'$ with the greedy choice to get a feasible solution to $P$
* After making greedy choice $q$, we are left with a strictly smaller subproblem $P'$ with the same optimality criteria of the original problem * After making greedy choice $q$, we are left with a strictly smaller subproblem $P'$ with the same optimality criteria of the original problem
* *
Proof: **Optimal Substructure**: Show that if we solve the subproblem optimally, adding our first choice creates an optimal solution to the *whole* problem. Proof: **Optimal Substructure**: Show that if we solve the subproblem optimally, adding our first choice creates an optimal solution to the *whole* problem.
Let $q$ be the first choice, $P'$ be the subproblem left after making $q$ in problem $P$, $\Pi^*$ be an optimal solution to $P'$. We claim that $\Pi=\Pi'\cup \{q\}$ is an optimal solution to $P$. Let $q$ be the first choice, $P'$ be the subproblem left after making $q$ in problem $P$, $\Pi^*$ be an optimal solution to $P'$. We claim that $\Pi=\Pi'\cup \{q\}$ is an optimal solution to $P$.
We proceed the proof by contradiction. We proceed the proof by contradiction.
Assume that $\Pi=\Pi^*+\{q\}$ is not optimal. Assume that $\Pi=\Pi^*+\{q\}$ is not optimal.
By Greedy choice property $GCP$. we already know that $\Pi^*$ is optimal solution that contains $q$. Then $|\Pi^*|>|\Pi|$ $\Pi^*-q$ is also feasible solution to $P'$. $|\Pi^*-q|>|\Pi-q|=\Pi'$ which is an optimal solution to $P'$ which leads to contradiction. By Greedy choice property $GCP$. we already know that $\Pi^*$ is optimal solution that contains $q$. Then $|\Pi^*|>|\Pi|$ $\Pi^*-q$ is also feasible solution to $P'$. $|\Pi^*-q|>|\Pi-q|=\Pi'$ which is an optimal solution to $P'$ which leads to contradiction.
Proof: **Smaller problem size** Proof: **Smaller problem size**
After merging the smallest two files into one, we have strictly less files waiting to merge. After merging the smallest two files into one, we have strictly less files waiting to merge.
#### Optimal Substructure #### Optimal Substructure
* We can combine optimal solution to the subproblem $P'$ with the greedy choice to get a optimal solution to $P$ * We can combine optimal solution to the subproblem $P'$ with the greedy choice to get a optimal solution to $P$
Step 4 ignored, same for all greedy problems. Step 4 ignored, same for all greedy problems.
### Conclusion: Greedy Algorithm ### Conclusion: Greedy Algorithm
* Algorithm * Algorithm
* Runtime Complexity * Runtime Complexity
* Proof * Proof
* Greedy Choice Property * Greedy Choice Property
* Construct part of the solution by making a locally good decision. * Construct part of the solution by making a locally good decision.
* Inductive Structure * Inductive Structure
* We can combine feasible solution to the subproblem $P'$ with the greedy choice to get a feasible solution to $P$ * We can combine feasible solution to the subproblem $P'$ with the greedy choice to get a feasible solution to $P$
* After making greedy choice $q$, we are left with a strictly smaller subproblem $P'$ with the same optimality criteria of the original problem * After making greedy choice $q$, we are left with a strictly smaller subproblem $P'$ with the same optimality criteria of the original problem
* Optimal Substructure * Optimal Substructure
* We can combine optimal solution to the subproblem $P'$ with the greedy choice to get a optimal solution to $P$ * We can combine optimal solution to the subproblem $P'$ with the greedy choice to get a optimal solution to $P$
* Standard Contradiction Argument simplifies it * Standard Contradiction Argument simplifies it
## Review: ## Review:
### Essence of master method ### Essence of master method
Let $a\geq 1$ and $b>1$ be constants, let $f(n)$ be a function, and let $T(n)$ be defined on the nonnegative integers by the recurrence Let $a\geq 1$ and $b>1$ be constants, let $f(n)$ be a function, and let $T(n)$ be defined on the nonnegative integers by the recurrence
$$ $$
T(n)=aT(\frac{n}{b})+f(n) T(n)=aT(\frac{n}{b})+f(n)
$$ $$
where we interpret $n/b$ to mean either ceiling or floor of $n/b$. $c_{crit}=\log_b a$ Then $T(n)$ has to following asymptotic bounds. where we interpret $n/b$ to mean either ceiling or floor of $n/b$. $c_{crit}=\log_b a$ Then $T(n)$ has to following asymptotic bounds.
* Case I: if $f(n) = O(n^{c})$ ($f(n)$ "dominates" $n^{\log_b a-c}$) where $c<c_{crit}$, then $T(n) = \Theta(n^{c_{crit}})$ * Case I: if $f(n) = O(n^{c})$ ($f(n)$ "dominates" $n^{\log_b a-c}$) where $c<c_{crit}$, then $T(n) = \Theta(n^{c_{crit}})$
* Case II: if $f(n) = \Theta(n^{c_{crit}})$, ($f(n), n^{\log_b a-c}$ have no dominate) then $T(n) = \Theta(n^{\log_b a} \log_2 n)$ * Case II: if $f(n) = \Theta(n^{c_{crit}})$, ($f(n), n^{\log_b a-c}$ have no dominate) then $T(n) = \Theta(n^{\log_b a} \log_2 n)$
Extension for $f(n)=\Theta(n^{critical\_value}*(\log n)^k)$ Extension for $f(n)=\Theta(n^{critical\_value}*(\log n)^k)$
* if $k>-1$ * if $k>-1$
$T(n)=\Theta(n^{critical\_value}*(\log n)^{k+1})$ $T(n)=\Theta(n^{critical\_value}*(\log n)^{k+1})$
* if $k=-1$ * if $k=-1$
$T(n)=\Theta(n^{critical\_value}*\log \log n)$ $T(n)=\Theta(n^{critical\_value}*\log \log n)$
* if $k<-1$ * if $k<-1$
$T(n)=\Theta(n^{critical\_value})$ $T(n)=\Theta(n^{critical\_value})$
* Case III: if $f(n) = \Omega(n^{log_b a+c})$ ($n^{log_b a-c}$ "dominates" $f(n)$) for some constant $c >0$, and if a $f(n/b)<= c f(n)$ for some constant $c <1$ then for all sufficiently large $n$, $T(n) = \Theta(n^{log_b a+c})$ * Case III: if $f(n) = \Omega(n^{log_b a+c})$ ($n^{log_b a-c}$ "dominates" $f(n)$) for some constant $c >0$, and if a $f(n/b)<= c f(n)$ for some constant $c <1$ then for all sufficiently large $n$, $T(n) = \Theta(n^{log_b a+c})$

0
pages/CSE347/CSE347_L10.md → content/CSE347/CSE347_L10.md
View File

0
pages/CSE347/CSE347_L11.md → content/CSE347/CSE347_L11.md
View File

666
pages/CSE347/CSE347_L2.md → content/CSE347/CSE347_L2.md
View File

@@ -1,334 +1,334 @@
# Lecture 2 # Lecture 2
## Divide and conquer ## Divide and conquer
Review of CSE 247 Review of CSE 247
1. Divide the problem into (generally equal) smaller subproblems 1. Divide the problem into (generally equal) smaller subproblems
2. Recursively solve the subproblems 2. Recursively solve the subproblems
3. Combine the solutions of subproblems to get the solution of the original problem 3. Combine the solutions of subproblems to get the solution of the original problem
- Examples: Merge Sort, Binary Search - Examples: Merge Sort, Binary Search
Recurrence Recurrence
Master Method: Master Method:
$$ $$
T(n)=aT(\frac{n}{b})+\Theta(f(n)) T(n)=aT(\frac{n}{b})+\Theta(f(n))
$$ $$
### Example 1: Multiplying 2 numbers ### Example 1: Multiplying 2 numbers
Normal Algorithm: Normal Algorithm:
```python ```python
def multiply(x,y): def multiply(x,y):
p=0 p=0
for i in y: for i in y:
p+=x*y p+=x*y
return p return p
``` ```
divide and conquer approach divide and conquer approach
```python ```python
def multiply(x,y): def multiply(x,y):
n=max(len(x),len(y)) n=max(len(x),len(y))
if n==1: if n==1:
return x*y return x*y
xh,xl=x>>(n/2),x&((1<<n/2)-1) xh,xl=x>>(n/2),x&((1<<n/2)-1)
yh,yl=y>>(n/2),y&((1<<n/2)-1) yh,yl=y>>(n/2),y&((1<<n/2)-1)
return (multiply(xh,yh)<<n)+((multiply(xh,yl)+multiply(yh,xl))<<(n/2))+multiply(xl,yl) return (multiply(xh,yh)<<n)+((multiply(xh,yl)+multiply(yh,xl))<<(n/2))+multiply(xl,yl)
``` ```
$$ $$
T(n)=4T(n/2)+\Theta(n)=\Theta(n^2) T(n)=4T(n/2)+\Theta(n)=\Theta(n^2)
$$ $$
Not a useful optimization Not a useful optimization
But, But,
$$ $$
multiply(xh,yl)+multiply(yh,xl)=multiply(xh-xl,yh-yl)+multiply(xh,yh)+multiply(xl,yl) multiply(xh,yl)+multiply(yh,xl)=multiply(xh-xl,yh-yl)+multiply(xh,yh)+multiply(xl,yl)
$$ $$
```python ```python
def multiply(x,y): def multiply(x,y):
n=max(len(x),len(y)) n=max(len(x),len(y))
if n==1: if n==1:
return x*y return x*y
xh,xl=x>>(n/2),x&((1<<n/2)-1) xh,xl=x>>(n/2),x&((1<<n/2)-1)
yh,yl=y>>(n/2),y&((1<<n/2)-1) yh,yl=y>>(n/2),y&((1<<n/2)-1)
zhh=multiply(xh,yh) zhh=multiply(xh,yh)
zll=multiply(xl,yl) zll=multiply(xl,yl)
return (zhh<<n)+((multiply(xh-xl,yh-yl)+zhh+zll)<<(n/2))+zll return (zhh<<n)+((multiply(xh-xl,yh-yl)+zhh+zll)<<(n/2))+zll
``` ```
$$ $$
T(n)=3T(n/2)+\Theta(n)=\Theta(n^{\log_2 3})\approx \Theta(n^{1.58}) T(n)=3T(n/2)+\Theta(n)=\Theta(n^{\log_2 3})\approx \Theta(n^{1.58})
$$ $$
### Example 2: Closest Pairs ### Example 2: Closest Pairs
Input: $P$ is a set of $n$ points in the plane. $p_i=(x_i,y_i)$ Input: $P$ is a set of $n$ points in the plane. $p_i=(x_i,y_i)$
$$ $$
d(p_i,p_j)=\sqrt{(x_i-x_j)^2+(y_i-y_j)^2} d(p_i,p_j)=\sqrt{(x_i-x_j)^2+(y_i-y_j)^2}
$$ $$
Goal: Find the distance between the closest pair of points. Goal: Find the distance between the closest pair of points.
Naive algorithm: iterate all pairs ($O(n)=\Theta(n^2)$). Naive algorithm: iterate all pairs ($O(n)=\Theta(n^2)$).
Divide and conquer algorithm: Divide and conquer algorithm:
Preprocessing: Sort $P$ by $x$ coordinate to get $P_x$. Preprocessing: Sort $P$ by $x$ coordinate to get $P_x$.
Base case: Base case:
- 1 point: clostest d = inf - 1 point: clostest d = inf
- 2 points: clostest d = d(p_1,p_2) - 2 points: clostest d = d(p_1,p_2)
Divide Step: Divide Step:
Compute mid point and get $Q, R$. Compute mid point and get $Q, R$.
Recursive step: Recursive step:
- $d_l$ closest pair in $Q$ - $d_l$ closest pair in $Q$
- $d_r$ closest pair in $R$ - $d_r$ closest pair in $R$
Combine step: Combine step:
Calculate $d_c$ closest point such that one point is on the left side and the other is on the right. Calculate $d_c$ closest point such that one point is on the left side and the other is on the right.
return $min(d_c,d_l,d_r)$ return $min(d_c,d_l,d_r)$
Total runtime: Total runtime:
$$ $$
T(n)=2T(n/2)+\Theta(n^2) T(n)=2T(n/2)+\Theta(n^2)
$$ $$
Still no change. Still no change.
Important Insight: Can reduce the number of checks Important Insight: Can reduce the number of checks
**Lemma:** If all points within this square are at least $\delta=min\{d_r,d_l\}$ apart, there are at most 4 points in this square. **Lemma:** If all points within this square are at least $\delta=min\{d_r,d_l\}$ apart, there are at most 4 points in this square.
A better algorithm: A better algorithm:
1. Divide $P_x$ into 2 halves using the mid point 1. Divide $P_x$ into 2 halves using the mid point
2. Recursively computer the $d_l$ and $d_r$, take $\delta=min(d_l,d_r)$. 2. Recursively computer the $d_l$ and $d_r$, take $\delta=min(d_l,d_r)$.
3. Filter points into y-strip: points which are within $(mid_x-\delta,mid_x+\delta)$ 3. Filter points into y-strip: points which are within $(mid_x-\delta,mid_x+\delta)$
4. Sort y-strip by y coordinate. For every point $p$, we look at this y-strip in sorted order starting at this point and stop when we see a point with y coordinate $>p_y +\delta$ 4. Sort y-strip by y coordinate. For every point $p$, we look at this y-strip in sorted order starting at this point and stop when we see a point with y coordinate $>p_y +\delta$
```python ```python
# d is distance function # d is distance function
def closestP(P,d): def closestP(P,d):
Px=sorted(P,key=lambda x:x[0]) Px=sorted(P,key=lambda x:x[0])
def closestPRec(P,d): def closestPRec(P,d):
n=len(P) n=len(P)
if n==1: if n==1:
return float('inf') return float('inf')
if n==2: if n==2:
return d(P[0],P[1]) return d(P[0],P[1])
Q,R=Px[:n//2],Px[n//2:] Q,R=Px[:n//2],Px[n//2:]
midx=R[0][0] midx=R[0][0]
dl,dr=closestP(Q),closestP(R) dl,dr=closestP(Q),closestP(R)
dc=min(dl,dr) dc=min(dl,dr)
ys=[i if midx-dc<i[0]<midx+dc for i in P] ys=[i if midx-dc<i[0]<midx+dc for i in P]
ys.sort() ys.sort()
yn=len(ys) yn=len(ys)
# this step below checks at most 4 points, (but still runs O(n)) # this step below checks at most 4 points, (but still runs O(n))
for i in range(yn): for i in range(yn):
for j in range(i,yn): for j in range(i,yn):
curd=d(ys[i],ys[j]) curd=d(ys[i],ys[j])
if curd>dc: if curd>dc:
break break
dc=min(dc,curd) dc=min(dc,curd)
return dc return dc
return closestPRec(Px,d): return closestPRec(Px,d):
``` ```
Runtime analysis: Runtime analysis:
$$ $$
T(n)=2T(n/2)+\Theta(n\log n)=\Theta(n\log^2 n) T(n)=2T(n/2)+\Theta(n\log n)=\Theta(n\log^2 n)
$$ $$
We can do even better by presorting Y We can do even better by presorting Y
1. Divide $P_x$ into 2 halves using the mid point 1. Divide $P_x$ into 2 halves using the mid point
2. Recursively computer the $d_l$ and $d_r$, take $\delta=min(d_l,d_r)$. 2. Recursively computer the $d_l$ and $d_r$, take $\delta=min(d_l,d_r)$.
3. Filter points into y-strip: points which are within $(mid_x-\delta,mid_x+\delta)$ by visiting presorted $P_y$ 3. Filter points into y-strip: points which are within $(mid_x-\delta,mid_x+\delta)$ by visiting presorted $P_y$
```python ```python
# d is distance function # d is distance function
def closestP(P,d): def closestP(P,d):
Px=sorted(P,key=lambda x:x[0]) Px=sorted(P,key=lambda x:x[0])
Py=sorted(P,key=lambda x:x[1]) Py=sorted(P,key=lambda x:x[1])
def closestPRec(P,d): def closestPRec(P,d):
n=len(P) n=len(P)
if n==1: if n==1:
return float('inf') return float('inf')
if n==2: if n==2:
return d(P[0],P[1]) return d(P[0],P[1])
Q,R=Px[:n//2],Px[n//2:] Q,R=Px[:n//2],Px[n//2:]
midx=R[0][0] midx=R[0][0]
dl,dr=closestP(Q),closestP(R) dl,dr=closestP(Q),closestP(R)
dc=min(dl,dr) dc=min(dl,dr)
ys=[i if midx-dc<i[0]<midx+dc for i in Py] ys=[i if midx-dc<i[0]<midx+dc for i in Py]
yn=len(ys) yn=len(ys)
# this step below checks at most 4 points, (but still runs O(n)) # this step below checks at most 4 points, (but still runs O(n))
for i in range(yn): for i in range(yn):
for j in range(i,yn): for j in range(i,yn):
curd=d(ys[i],ys[j]) curd=d(ys[i],ys[j])
if curd>dc: if curd>dc:
break break
dc=min(dc,curd) dc=min(dc,curd)
return dc return dc
return closestPRec(Px,d): return closestPRec(Px,d):
``` ```
Runtime analysis: Runtime analysis:
$$ $$
T(n)=2T(n/2)+\Theta(n)=\Theta(n\log n) T(n)=2T(n/2)+\Theta(n)=\Theta(n\log n)
$$ $$
## In-person lectures ## In-person lectures
$$ $$
T(n)=aT(n/b)+f(n) T(n)=aT(n/b)+f(n)
$$ $$
$a$ is number of sub problems, $n/b$ is size of subproblems, $f(n)$ is the cost of divide and combine cost. $a$ is number of sub problems, $n/b$ is size of subproblems, $f(n)$ is the cost of divide and combine cost.
### Example 3: Max Contiguous Subsequence Sum (MCSS) ### Example 3: Max Contiguous Subsequence Sum (MCSS)
Given: array of integers (positive or negative), $S=[s_1,s_2,...,s_n]$ Given: array of integers (positive or negative), $S=[s_1,s_2,...,s_n]$
Return: $max\{\sum^i_{k=i} s_k|1\leq i\leq n, i\leq j\leq n\}$ Return: $max\{\sum^i_{k=i} s_k|1\leq i\leq n, i\leq j\leq n\}$
Trivial solution: Trivial solution:
brute force brute force
$O(n^3)$ $O(n^3)$
A bit better solution: A bit better solution:
$O(n^2)$ use prefix sum to reduce cost for sum. $O(n^2)$ use prefix sum to reduce cost for sum.
Divide and conquer solution. Divide and conquer solution.
```python ```python
def MCSS(S): def MCSS(S):
def MCSSMid(S,i,j,mid): def MCSSMid(S,i,j,mid):
res=S[j] res=S[j]
for l in range(i,j): for l in range(i,j):
curS=0 curS=0
for r in range(l,j): for r in range(l,j):
curS+=S[r] curS+=S[r]
res=max(res,curS) res=max(res,curS)
return res return res
def MCSSRec(i,j): def MCSSRec(i,j):
if i==j: if i==j:
return S[i] return S[i]
mid=(i+j)//2 mid=(i+j)//2
L,R=MCSSRec(i,mid),MCSSRec(mid,j) L,R=MCSSRec(i,mid),MCSSRec(mid,j)
C=MCSSMid(i,j) C=MCSSMid(i,j)
return min([L,C,R]) return min([L,C,R])
return MCSSRec(0,len(S)) return MCSSRec(0,len(S))
``` ```
If `MCSSMid(S,i,j,mid)` use trivial solution, the running time is: If `MCSSMid(S,i,j,mid)` use trivial solution, the running time is:
$$ $$
T(n)=2T(n/2)+O(n^2)=\Theta(n^2) T(n)=2T(n/2)+O(n^2)=\Theta(n^2)
$$ $$
and we did nothing. and we did nothing.
Observations: Any contiguous subsequence that starts on the left and ends on the right can be split into two parts as `sum(S[i:j])=sum(S[i:mid])+sum(S[mid,j])` Observations: Any contiguous subsequence that starts on the left and ends on the right can be split into two parts as `sum(S[i:j])=sum(S[i:mid])+sum(S[mid,j])`
and let $LS$ be the subsequence that has the largest sum that ends at mid, and $RS$ be the subsequence that has the largest sum on the right that starts at mid. and let $LS$ be the subsequence that has the largest sum that ends at mid, and $RS$ be the subsequence that has the largest sum on the right that starts at mid.
**Lemma:** Biggest subsequence that contains `S[mid]` is $LS+RP$ **Lemma:** Biggest subsequence that contains `S[mid]` is $LS+RP$
Proof: Proof:
By contradiction, By contradiction,
Assume for the sake of contradiction that $y=L'+R'$ is a sum of such a subsequence that is larger than $x$ ($y>x$). Assume for the sake of contradiction that $y=L'+R'$ is a sum of such a subsequence that is larger than $x$ ($y>x$).
Let $z=LS+R'$, since $LS\geq L'$, by definition of $LS$, then $z\geq y$, WOLG, $RS\geq R'$, $x\geq y$, which contradicts that $y>x$. Let $z=LS+R'$, since $LS\geq L'$, by definition of $LS$, then $z\geq y$, WOLG, $RS\geq R'$, $x\geq y$, which contradicts that $y>x$.
Optimized function as follows: Optimized function as follows:
```python ```python
def MCSS(S): def MCSS(S):
def MCSSMid(S,i,j,mid): def MCSSMid(S,i,j,mid):
res=S[mid] res=S[mid]
LS,RS=0,0 LS,RS=0,0
cl,cr=0,0 cl,cr=0,0
for l in range(mid-1,i-1,-1): for l in range(mid-1,i-1,-1):
cl+=S[l] cl+=S[l]
LS=max(LS,cl) LS=max(LS,cl)
for r in range(mid+1,j): for r in range(mid+1,j):
cr+=S[r] cr+=S[r]
RS=max(RS,cr) RS=max(RS,cr)
return res+LS+RS return res+LS+RS
def MCSSRec(i,j): def MCSSRec(i,j):
if i==j: if i==j:
return S[i] return S[i]
mid=(i+j)//2 mid=(i+j)//2
L,R=MCSSRec(i,mid),MCSSRec(mid,j) L,R=MCSSRec(i,mid),MCSSRec(mid,j)
C=MCSSMid(i,j) C=MCSSMid(i,j)
return min([L,C,R]) return min([L,C,R])
return MCSSRec(0,len(S)) return MCSSRec(0,len(S))
``` ```
The running time is: The running time is:
$$ $$
T(n)=2T(n/2)+O(n)=\Theta(n\log n) T(n)=2T(n/2)+O(n)=\Theta(n\log n)
$$ $$
Strengthening the recusions: Strengthening the recusions:
```python ```python
def MCSS(S): def MCSS(S):
def MCSSRec(i,j): def MCSSRec(i,j):
if i==j: if i==j:
return S[i],S[i],S[i],S[i] return S[i],S[i],S[i],S[i]
mid=(i+j)//2 mid=(i+j)//2
L,lp,ls,sl=MCSSRec(i,mid) L,lp,ls,sl=MCSSRec(i,mid)
R,rp,rs,sr=MCSSRec(mid,j) R,rp,rs,sr=MCSSRec(mid,j)
return min([L,R,ls+rp]),max(lp,sl+rp),max(rs,sr+ls),sl+sr return min([L,R,ls+rp]),max(lp,sl+rp),max(rs,sr+ls),sl+sr
return MCSSRec(0,len(S)) return MCSSRec(0,len(S))
``` ```
Pre-computer version: Pre-computer version:
```python ```python
def MCSS(S): def MCSS(S):
pfx,sfx=[0],[S[-1]] pfx,sfx=[0],[S[-1]]
n=len(S) n=len(S)
for i in range(n-1): for i in range(n-1):
pfx.append(pfx[-1]+S[i]) pfx.append(pfx[-1]+S[i])
sfx.insert(sfx[0]+S[n-i-2],0) sfx.insert(sfx[0]+S[n-i-2],0)
def MCSSRec(i,j): def MCSSRec(i,j):
if i==j: if i==j:
return S[i],pfx[i],sfx[i] return S[i],pfx[i],sfx[i]
mid=(i+j)//2 mid=(i+j)//2
L,lp,ls=MCSSRec(i,mid) L,lp,ls=MCSSRec(i,mid)
R,rp,rs=MCSSRec(mid,j) R,rp,rs=MCSSRec(mid,j)
return min([L,R,ls+rp]),max(lp,sfx[mid]-sfx[i]+rp),max(rs,sfx[j]-sfx[mid]+ls) return min([L,R,ls+rp]),max(lp,sfx[mid]-sfx[i]+rp),max(rs,sfx[j]-sfx[mid]+ls)
return MCSSRec(0,n) return MCSSRec(0,n)
``` ```
$$ $$
T(n)=2T(n/2)+O(1)=\Theta(n) T(n)=2T(n/2)+O(1)=\Theta(n)
$$ $$

322
pages/CSE347/CSE347_L3.md → content/CSE347/CSE347_L3.md
View File

@@ -1,161 +1,161 @@
# Lecture 3 # Lecture 3
## Dynamic programming ## Dynamic programming
When we cannot find a good Greedy Choice, the only thing we can do is to iterate all choices. When we cannot find a good Greedy Choice, the only thing we can do is to iterate all choices.
### Example 1: Edit distance ### Example 1: Edit distance
Input: 2 sequences of some character set, e.g. Input: 2 sequences of some character set, e.g.
$S=ABCADA$, $T=ABADC$ $S=ABCADA$, $T=ABADC$
Goal: Computer the minimum number of **insertions or deletions** you could do to convert $S$ into $T$ Goal: Computer the minimum number of **insertions or deletions** you could do to convert $S$ into $T$
We will call it `Edit Distance(S[1...n],T[1...m])`. where `n` and `m` be the length of `S` and `T` respectively. We will call it `Edit Distance(S[1...n],T[1...m])`. where `n` and `m` be the length of `S` and `T` respectively.
Idea: computer difference between the sequences. Idea: computer difference between the sequences.
Observe: The difference we observed appears at index 3, and in this example where the sequences are short, it is obvious that it is better to delete 'C'. But for long sequence, we donot know that the later sequence looks like so it is hard to make a decision on whether to insert 'A' or delete 'C'. Observe: The difference we observed appears at index 3, and in this example where the sequences are short, it is obvious that it is better to delete 'C'. But for long sequence, we donot know that the later sequence looks like so it is hard to make a decision on whether to insert 'A' or delete 'C'.
Use branching algorithm: Use branching algorithm:
```python ```python
def editDist(S,T,i,j): def editDist(S,T,i,j):
if len(S)<=i: if len(S)<=i:
return len(T) return len(T)
if len(T)<=j: if len(T)<=j:
return len(S) return len(S)
if S[i]==T[j]: if S[i]==T[j]:
return editDist(S,T,i+1,j+1) return editDist(S,T,i+1,j+1)
else: else:
return min(editDist(S,T,i+1,j),editDist(S,T,i,j+1)) return min(editDist(S,T,i+1,j),editDist(S,T,i,j+1))
``` ```
Correctness Proof Outline: Correctness Proof Outline:
- ~~Greedy Choice Property~~ - ~~Greedy Choice Property~~
- Complete Choice Property: - Complete Choice Property:
- The optimal solution makes **one** of the choices that we consider - The optimal solution makes **one** of the choices that we consider
- Inductive Structure: - Inductive Structure:
- Once you make **any** choice, you are left with a smaller problem of the same type. **Any** first choice + **feasible** solution to the subproblem = feasible solution to the entire problem. - Once you make **any** choice, you are left with a smaller problem of the same type. **Any** first choice + **feasible** solution to the subproblem = feasible solution to the entire problem.
- Optimal Substructure: - Optimal Substructure:
- If we optimally solve the subproblem for **a particular choice c**, and combine it with c, resulting solution is the **optimal solution that makes choice c**. - If we optimally solve the subproblem for **a particular choice c**, and combine it with c, resulting solution is the **optimal solution that makes choice c**.
Correctness Proof: Correctness Proof:
Claim: For any problem $P$, the branking algorithm finds the optimal solution. Claim: For any problem $P$, the branking algorithm finds the optimal solution.
Proof: Induct on problem size Proof: Induct on problem size
- Base case: $|S|=0$ or $|T|=0$, obvious - Base case: $|S|=0$ or $|T|=0$, obvious
- Inductive Case: By inductive hypothesis: Branching algorithm works for all smaller problems, either $S$ is smaller or $T$ is smaller or both - Inductive Case: By inductive hypothesis: Branching algorithm works for all smaller problems, either $S$ is smaller or $T$ is smaller or both
- For each choice we make, we got a strictly smaller problem: by inductive structure, and the answer is correct by inductive hypothesis. - For each choice we make, we got a strictly smaller problem: by inductive structure, and the answer is correct by inductive hypothesis.
- By Optimal substructure, we know for any choice, the solution of branching algorithm for subproblem and the choice we make is an optimal solution for that problem. - By Optimal substructure, we know for any choice, the solution of branching algorithm for subproblem and the choice we make is an optimal solution for that problem.
- Using Complete choice property, we considered all the choices. - Using Complete choice property, we considered all the choices.
Using tree graph, the left and right part of the tree has height n, but the middle part of the tree has height 2n. So the running time is $\Omega(2^n)$, at least $2^n$. Using tree graph, the left and right part of the tree has height n, but the middle part of the tree has height 2n. So the running time is $\Omega(2^n)$, at least $2^n$.
#### How could we reduce the complexity? #### How could we reduce the complexity?
There are **overlapping subproblems** that we compute more than once! Number of distinct subproblems is polynomial, we can **share the solution** that we have already computed! There are **overlapping subproblems** that we compute more than once! Number of distinct subproblems is polynomial, we can **share the solution** that we have already computed!
**store the result of subprolem in 2D array** **store the result of subprolem in 2D array**
Use dp: Use dp:
```python ```python
def editDist(S,T,i,j): def editDist(S,T,i,j):
m,n=len(S),len(T) m,n=len(S),len(T)
dp=[[0]*(n+1) for _ in range(m+1)] dp=[[0]*(n+1) for _ in range(m+1)]
for i in range(n): for i in range(n):
dp[i][m]=n-i dp[i][m]=n-i
for i in range(m): for i in range(m):
dp[n][j]=m-i dp[n][j]=m-i
for i in range(m): for i in range(m):
for j in range(n): for j in range(n):
if S[i]==T[j]: if S[i]==T[j]:
dp[i][j]=dp[i+1][j+1] dp[i][j]=dp[i+1][j+1]
else: else:
# assuming the cost of insertion and deletion is 1 # assuming the cost of insertion and deletion is 1
dp[i][j]=min(1+dp[i][j+1],1+dp[i+1][j]) dp[i][j]=min(1+dp[i][j+1],1+dp[i+1][j])
``` ```
We can use backtracking to find out how do we reach our final answer. Then the new runtime will be the time used to complete the table, which is $T(n,m)=\Theta(mn)$ We can use backtracking to find out how do we reach our final answer. Then the new runtime will be the time used to complete the table, which is $T(n,m)=\Theta(mn)$
### Example 2: Weighted Interval Scheduling (IS) ### Example 2: Weighted Interval Scheduling (IS)
Input: $P=\{p_1,p_2,...,p_n\}$, $p_i=\{s_i,f_i,w_i\}$ Input: $P=\{p_1,p_2,...,p_n\}$, $p_i=\{s_i,f_i,w_i\}$
$s_i$ is the start time, $f_i$ is the finish time, $w_i$ is the weight of the task for job $i$ $s_i$ is the start time, $f_i$ is the finish time, $w_i$ is the weight of the task for job $i$
Goal: Pick a set of **non-overlapping** intervals $\Pi$ such that $\sum_{p_i\in \Pi} w_i$ is maximized. Goal: Pick a set of **non-overlapping** intervals $\Pi$ such that $\sum_{p_i\in \Pi} w_i$ is maximized.
Trivial solution ($T(n)=O(2^n)$) Trivial solution ($T(n)=O(2^n)$)
```python ```python
# p=[[s_i,f_i,w_i],...] # p=[[s_i,f_i,w_i],...]
p=[] p=[]
p.sort() p.sort()
n=len(p) n=len(p)
def intervalScheduling(idx): def intervalScheduling(idx):
res=0 res=0
if i>=n: if i>=n:
return res return res
for i in range(idx,n): for i in range(idx,n):
# pick when end # pick when end
if p[idx][1]>p[i][0]: if p[idx][1]>p[i][0]:
continue continue
res=max(intervalScheduling(i+1)+p[i][2],res) res=max(intervalScheduling(i+1)+p[i][2],res)
return intervalScheduling(0) return intervalScheduling(0)
``` ```
Using dp ($T(n)=O(n^2)$) Using dp ($T(n)=O(n^2)$)
```python ```python
def intervalScheduling(p): def intervalScheduling(p):
p.sort() p.sort()
n=len(p) n=len(p)
dp=[0]*(n+1) dp=[0]*(n+1)
for i in range(n-1,-1,-1): for i in range(n-1,-1,-1):
# load initial best case: do nothing # load initial best case: do nothing
dp[i]=dp[i+1] dp[i]=dp[i+1]
_,e,w=p[i] _,e,w=p[i]
for j in range(bisect.bisect_left(p,e,key=lambda x:x[0]),n+1): for j in range(bisect.bisect_left(p,e,key=lambda x:x[0]),n+1):
dp[i]=max(dp[i],w+dp[j]) dp[i]=max(dp[i],w+dp[j])
return dp[0] return dp[0]
``` ```
### Example 3: Subset sums ### Example 3: Subset sums
Input: a set $S$ of positive and unique integers and another integer $K$. Input: a set $S$ of positive and unique integers and another integer $K$.
Problem: Is there a subset $X\subseteq S$ such that $sum(X)=K$ Problem: Is there a subset $X\subseteq S$ such that $sum(X)=K$
Brute force takes $O(2^n)$. Brute force takes $O(2^n)$.
```python ```python
def subsetSum(arr,i,k)->bool: def subsetSum(arr,i,k)->bool:
if i>=len(arr): if i>=len(arr):
if k==0: if k==0:
return True return True
return False return False
return subsetSum(i+1,k-arr[i]) or subsetSum(i+1,k) return subsetSum(i+1,k-arr[i]) or subsetSum(i+1,k)
``` ```
Using dp $O(nk)$ Using dp $O(nk)$
```python ```python
def subsetSum(arr,k)->bool: def subsetSum(arr,k)->bool:
n=len(arr) n=len(arr)
dp=[False]*(k+1) dp=[False]*(k+1)
dp[0]=True dp[0]=True
for e in arr: for e in arr:
ndp=[] ndp=[]
for i in range(k+1): for i in range(k+1):
ndp.append(dp[i]) ndp.append(dp[i])
if i-e>=0: if i-e>=0:
ndp[i]|=dp[i-e] ndp[i]|=dp[i-e]
dp=ndp dp=ndp
return dp[-1] return dp[-1]
``` ```

640
pages/CSE347/CSE347_L4.md → content/CSE347/CSE347_L4.md
View File

@@ -1,321 +1,321 @@
# Lecture 4 # Lecture 4
## Maximum Flow ## Maximum Flow
### Example 1: Ship cement from factory to building ### Example 1: Ship cement from factory to building
Input $s$: source, $t$: destination Input $s$: source, $t$: destination
Graph with **directed** edges weights on each edge: **capacity** Graph with **directed** edges weights on each edge: **capacity**
**Goal:** Ship as much stuff as possible while obeying capacity constrains. **Goal:** Ship as much stuff as possible while obeying capacity constrains.
Graph: $(V,E)$ directed and weighted Graph: $(V,E)$ directed and weighted
- Unique source and sink nodes $\to s, t$ - Unique source and sink nodes $\to s, t$
- Each edge has capacity $c(e)$ [Integer] - Each edge has capacity $c(e)$ [Integer]
A valid flow assignment assigns an integer $f(e)$ to each edge s.t. A valid flow assignment assigns an integer $f(e)$ to each edge s.t.
Capacity constraint: $0\leq f(e)\leq c(e)$ Capacity constraint: $0\leq f(e)\leq c(e)$
Flow conservation: Flow conservation:
$$ $$
\sum_{e\in E_{in}(v)}f(e)=\sum_{e\in E_{out}(v)}f(e),\forall v\in V-{s,t} \sum_{e\in E_{in}(v)}f(e)=\sum_{e\in E_{out}(v)}f(e),\forall v\in V-{s,t}
$$ $$
$E_{in}(v)$: set of incoming edges to $v$ $E_{in}(v)$: set of incoming edges to $v$
$E_{out}(v)$: set of outgoing edges from $v$ $E_{out}(v)$: set of outgoing edges from $v$
Compute: Maximum Flow: Find a valid flow assignment to Compute: Maximum Flow: Find a valid flow assignment to
Maximize $|F|=\sum_{e\in E_{in}(t)}f(e)=\sum_{e\in E_{out}(s)}f(e)$ (total units received by end and sent by source) Maximize $|F|=\sum_{e\in E_{in}(t)}f(e)=\sum_{e\in E_{out}(s)}f(e)$ (total units received by end and sent by source)
Additional assumptions Additional assumptions
1. $s$ has no incoming edges, $t$ has no outgoing edges 1. $s$ has no incoming edges, $t$ has no outgoing edges
2. You do not have a cycle of 2 nodes 2. You do not have a cycle of 2 nodes
A proposed algorithm: A proposed algorithm:
1. Find a path from $s$ to $t$ 1. Find a path from $s$ to $t$
2. Push as much flow along the path as possible 2. Push as much flow along the path as possible
3. Adjust the capacities 3. Adjust the capacities
4. Repeat until we cannot find a path 4. Repeat until we cannot find a path
**Residual Graph:** If there is an edge $e=(u,v)$ in $G$, we will add a back edge $\bar{e}=(v,u)$. Capacity of $\bar{e}=$ flow on $e$. Call this graph $G_R$. **Residual Graph:** If there is an edge $e=(u,v)$ in $G$, we will add a back edge $\bar{e}=(v,u)$. Capacity of $\bar{e}=$ flow on $e$. Call this graph $G_R$.
Algorithm: Algorithm:
- Find an "augmenting path" $P$. - Find an "augmenting path" $P$.
- $P$ can contain forward or backward edges! - $P$ can contain forward or backward edges!
- Say the smallest residual capacity along the path is $k$. - Say the smallest residual capacity along the path is $k$.
- Push $k$ flow on the path ($f(e) =f(e) + k$ for all edges on path $P$) - Push $k$ flow on the path ($f(e) =f(e) + k$ for all edges on path $P$)
- Reduce the capacity of all edges on the path $P$ by $k$ - Reduce the capacity of all edges on the path $P$ by $k$
- **Increase** the capacity of the corresponding mirror/back edges - **Increase** the capacity of the corresponding mirror/back edges
- Repeat until there are no augmenting paths - Repeat until there are no augmenting paths
### Formalize: Ford-Fulkerson (FF) Algorithm ### Formalize: Ford-Fulkerson (FF) Algorithm
1. Initialize the residual graph $G_R=G$ 1. Initialize the residual graph $G_R=G$
2. Find an augmenting path $P$ with capacity $k$ (min capacity of any edge on $P$) 2. Find an augmenting path $P$ with capacity $k$ (min capacity of any edge on $P$)
3. Fix up the residual capacities in $G_R$ 3. Fix up the residual capacities in $G_R$
- $c(e)=c(e)-k,\forall e\in P$ - $c(e)=c(e)-k,\forall e\in P$
- $c(\bar{e})=c(\bar{e})+k,\forall \bar{e}\in P$ - $c(\bar{e})=c(\bar{e})+k,\forall \bar{e}\in P$
4. Repeat 2 and 3 until no augmenting path can be found in $G_R$. 4. Repeat 2 and 3 until no augmenting path can be found in $G_R$.
```python ```python
def ford_fulkerson_algo(G,n,s,t): def ford_fulkerson_algo(G,n,s,t):
""" """
Args: Args:
G: is the graph for max_flow G: is the graph for max_flow
n: is the number of vertex in the graph n: is the number of vertex in the graph
s: start vertex of flow s: start vertex of flow
t: end vertex of flow t: end vertex of flow
Returns: Returns:
the max flow in graph from s to t the max flow in graph from s to t
""" """
# Initialize the residual graph $G_R=G$ # Initialize the residual graph $G_R=G$
GR=[defaultdict(int) for i in range(n)] GR=[defaultdict(int) for i in range(n)]
for i in range(n): for i in range(n):
for v,_ in enumerate(G[i]): for v,_ in enumerate(G[i]):
# weight w is unused # weight w is unused
GR[v][i]=0 GR[v][i]=0
path=set() path=set()
def augP(cur): def augP(cur):
# Find an augumentting path $P$ with capacity $k$ (min capacity of any edge on $P$) # Find an augumentting path $P$ with capacity $k$ (min capacity of any edge on $P$)
if cur==t: return True if cur==t: return True
# true for edge in residual path, false for edge in graph # true for edge in residual path, false for edge in graph
for v,w in G[cur]: for v,w in G[cur]:
if w==0 or (cur,v,False) in path: continue if w==0 or (cur,v,False) in path: continue
path.add((cur,v,False)) path.add((cur,v,False))
if augP(v): return True if augP(v): return True
path.remove((cur,v,False)) path.remove((cur,v,False))
for v,w in GR[cur]: for v,w in GR[cur]:
if w==0 or (cur,v,True) in path: continue if w==0 or (cur,v,True) in path: continue
path.add((cur,v,True)) path.add((cur,v,True))
if augP(v): return True if augP(v): return True
path.remove((cur,v,True)) path.remove((cur,v,True))
return False return False
while augP(s): while augP(s):
k=min([GR[a][b] if isR else G[a][b] for a,b,isR in path]) k=min([GR[a][b] if isR else G[a][b] for a,b,isR in path])
# Fix up the residual capacities in $G_R$ # Fix up the residual capacities in $G_R$
# - $c(e)=c(e)-k,\forall e\in P$ # - $c(e)=c(e)-k,\forall e\in P$
# - $c(\bar{e})=c(\bar{e})+k,\forall \bar{e}\in P$ # - $c(\bar{e})=c(\bar{e})+k,\forall \bar{e}\in P$
for a,b,isR in path: for a,b,isR in path:
if isR: if isR:
GR[a][b]+=k GR[a][b]+=k
else: else:
G[a][b]-=k G[a][b]-=k
return sum(GR[s].values()) return sum(GR[s].values())
``` ```
#### Proof of Correctness: Valid Flow #### Proof of Correctness: Valid Flow
**Lemma 1:** FF finds a valid flow **Lemma 1:** FF finds a valid flow
- Capacity and conservation constrains are not violated - Capacity and conservation constrains are not violated
- Capacity constraint: $0\leq f(e)\leq c(e)$ - Capacity constraint: $0\leq f(e)\leq c(e)$
- Flow conservation: $\sum_{e\in E_{in}(v)}f(e)=\sum_{e\in E_{out}(v)}f(e),\forall v\in V-\{s,t\}$ - Flow conservation: $\sum_{e\in E_{in}(v)}f(e)=\sum_{e\in E_{out}(v)}f(e),\forall v\in V-\{s,t\}$
Proof: We proceed by induction on **augmenting paths** Proof: We proceed by induction on **augmenting paths**
##### Base Case ##### Base Case
$f(e)=0$ on all edges $f(e)=0$ on all edges
##### Inductive Case ##### Inductive Case
By inductive hypothesis, we have a valid flow and the corresponding residual graph $G_R$. By inductive hypothesis, we have a valid flow and the corresponding residual graph $G_R$.
Inductive Step: Inductive Step:
Now we find an augmented path $P$ in $GR$, pushed $k$ (which is the smallest edge capacity on $P$). Argue that the constraints are not violated. Now we find an augmented path $P$ in $GR$, pushed $k$ (which is the smallest edge capacity on $P$). Argue that the constraints are not violated.
**Capacity Constrains:** Consider an edge $e$ in $P$. **Capacity Constrains:** Consider an edge $e$ in $P$.
- If $e$ is an forward edge (in the original graph) - If $e$ is an forward edge (in the original graph)
- by construction of $G_R$, it had left over capacities. - by construction of $G_R$, it had left over capacities.
- If $e$ is an back edge with residual capacity $\geq k$ - If $e$ is an back edge with residual capacity $\geq k$
- flow on real edge reduces, but the real capacity is still $\geq 0$, no capacity constrains violation. - flow on real edge reduces, but the real capacity is still $\geq 0$, no capacity constrains violation.
**Conservation Constrains:** Consider a vertex $v$ on path $P$ **Conservation Constrains:** Consider a vertex $v$ on path $P$
1. Both forward edges 1. Both forward edges
- No violation, push $k$ flow into $v$ and out. - No violation, push $k$ flow into $v$ and out.
2. Both back edges 2. Both back edges
- No violation, push $k$ less flow into $v$ and out. - No violation, push $k$ less flow into $v$ and out.
3. Redirecting flow 3. Redirecting flow
- No violation, change of $0$ by $k-k$ on $v$. - No violation, change of $0$ by $k-k$ on $v$.
#### Proof of Correctness: Termination #### Proof of Correctness: Termination
**Lemma 2:** FF terminate **Lemma 2:** FF terminate
Proof: Proof:
Every time it finds an augmenting path that increases the total flow. Every time it finds an augmenting path that increases the total flow.
Must terminate either when it finds a max flow or before. Must terminate either when it finds a max flow or before.
Each iteration we use $\Theta(m+n)$ to find a valid path. Each iteration we use $\Theta(m+n)$ to find a valid path.
The number of iteration $\leq |F|$, the total is $\Theta(|F|(m+n))$ (not polynomial time) The number of iteration $\leq |F|$, the total is $\Theta(|F|(m+n))$ (not polynomial time)
#### Proof of Correctness: Optimality #### Proof of Correctness: Optimality
From Lemma 1 and 2, we know that FF returns a feasible solution, but does it return the **maximum** flow? From Lemma 1 and 2, we know that FF returns a feasible solution, but does it return the **maximum** flow?
##### Max-flow Min-cut Theorem ##### Max-flow Min-cut Theorem
Given a graph $G(V,E)$, a **graph cut** is a partition of vertices into 2 subsets. Given a graph $G(V,E)$, a **graph cut** is a partition of vertices into 2 subsets.
- $S$: $s$ + maybe some other vertices - $S$: $s$ + maybe some other vertices
- $V-S$: $t$ + maybe some other vertices - $V-S$: $t$ + maybe some other vertices
Define capacity of the cut be the sum of capacity of edges that go from a vertex in $S$ to a vertex in $T$. Define capacity of the cut be the sum of capacity of edges that go from a vertex in $S$ to a vertex in $T$.
**Lemma 3:** For all valid flows $f$, $|f|\leq C(S)$ for all cut $S$ (Max-flow $\leq$ Min-cut) **Lemma 3:** For all valid flows $f$, $|f|\leq C(S)$ for all cut $S$ (Max-flow $\leq$ Min-cut)
Proof: all flow must go through one of the cut edges. Proof: all flow must go through one of the cut edges.
**Min-cut:** cut of smallest capacity, $S^*$. $|f|\leq C(S^*)$ **Min-cut:** cut of smallest capacity, $S^*$. $|f|\leq C(S^*)$
**Lemma 4:** FF produces a flow $=C(S^*)$ **Lemma 4:** FF produces a flow $=C(S^*)$
Proof: Let $\hat{f}$ be the flow found by FF. Mo augmenting paths in $G_R$. Proof: Let $\hat{f}$ be the flow found by FF. Mo augmenting paths in $G_R$.
Let $\hat{S}$ be all vertices that can be reached from $s$ using edges with capacities $>0$. Let $\hat{S}$ be all vertices that can be reached from $s$ using edges with capacities $>0$.
and all the forward edges going out of the cut are saturated. Since back edges have capacity 0, no flow is going into the cut $S$. and all the forward edges going out of the cut are saturated. Since back edges have capacity 0, no flow is going into the cut $S$.
If some flow was coming from $V-\hat{S}$, then there must be some edges with capacity $>0$. So, $|f|\leq C(S^*)$ If some flow was coming from $V-\hat{S}$, then there must be some edges with capacity $>0$. So, $|f|\leq C(S^*)$
### Example 2: Bipartite Matching ### Example 2: Bipartite Matching
input: Given $n$ classes and $n$ rooms; we want to match classes to rooms. input: Given $n$ classes and $n$ rooms; we want to match classes to rooms.
Bipartite graph $G=(V,E)$ (unweighted and undirected) Bipartite graph $G=(V,E)$ (unweighted and undirected)
- Vertices are either in set $L$ or $R$ - Vertices are either in set $L$ or $R$
- Edges only go between vertices of different sets - Edges only go between vertices of different sets
Matching: A subset of edges $M\subseteq E$ s.t. Matching: A subset of edges $M\subseteq E$ s.t.
- Each vertex has at most one edge from $M$ incident on it. - Each vertex has at most one edge from $M$ incident on it.
Maximum Matching: matching of the largest size. Maximum Matching: matching of the largest size.
We will reduce the problem to the problem of finding the maximum flow We will reduce the problem to the problem of finding the maximum flow
#### Reduction #### Reduction
Given a bipartite graph $G=(V,E)$, construct a graph $G'=(V',E')$ such that Given a bipartite graph $G=(V,E)$, construct a graph $G'=(V',E')$ such that
$$ $$
|max-flow (G')|=|max-flow(G)| |max-flow (G')|=|max-flow(G)|
$$ $$
Let $s$ connects to all vertices in $L$ and all vertex in $R$ connects to $t$. Let $s$ connects to all vertices in $L$ and all vertex in $R$ connects to $t$.
$G'=G+s+t+$added edges form $S$ to $T$ and added capacities. $G'=G+s+t+$added edges form $S$ to $T$ and added capacities.
#### Proof of correctness #### Proof of correctness
Claim: $G'$ has a flow of $k$ iff $G$ has a matching of size $k$ Claim: $G'$ has a flow of $k$ iff $G$ has a matching of size $k$
Proof: Two directions: Proof: Two directions:
1. Say $G$ has a matching of size $k$, we want to prove $G'$ has a flow of size $k$. 1. Say $G$ has a matching of size $k$, we want to prove $G'$ has a flow of size $k$.
2. Say $G'$ has a flow of size $k$, we want to prove $G$ has a matching of size $k$. 2. Say $G'$ has a flow of size $k$, we want to prove $G$ has a matching of size $k$.
## Conclusion: Maximum Flow ## Conclusion: Maximum Flow
Problem input and target Problem input and target
Ford-Fulkerson Algorithm Ford-Fulkerson Algorithm
- Execution: residual graph - Execution: residual graph
- Runtime - Runtime
FF correctness proof FF correctness proof
- Max-flow Min-cut Theorem - Max-flow Min-cut Theorem
- Graph Cut definition - Graph Cut definition
- Capacity of cut - Capacity of cut
Reduction to Bipartite Matching Reduction to Bipartite Matching
### Example 3: Image Segmentation: (reduction from min-cut) ### Example 3: Image Segmentation: (reduction from min-cut)
Given: Given:
- Image consisting of an object and a background. - Image consisting of an object and a background.
- the object occupies some set of pixels $A$, while the background occupies the remaining pixels $B$. - the object occupies some set of pixels $A$, while the background occupies the remaining pixels $B$.
Required: Required:
- Separate $A$ from $B$ but if doesn't know which pixels are each. - Separate $A$ from $B$ but if doesn't know which pixels are each.
- For each pixel $i,p_i$ is the probability that $i\in A$ - For each pixel $i,p_i$ is the probability that $i\in A$
- For each pair of adjacent pixels $i,j,c_{ij}$ is the cost of placing the object boundary between them. i.e. putting $i$ in $A$ and $j$ in $B$. - For each pair of adjacent pixels $i,j,c_{ij}$ is the cost of placing the object boundary between them. i.e. putting $i$ in $A$ and $j$ in $B$.
- A segmentation of the image is an assignment of each pixel to $A$ or $B$. - A segmentation of the image is an assignment of each pixel to $A$ or $B$.
- The goal is to find a segmentation that maximizes - The goal is to find a segmentation that maximizes
$$ $$
\sum_{i\in A}p_i+\sum_{i\in B}(1-p_i)-\sum_{i,j\ on \ boundary}c_{ij} \sum_{i\in A}p_i+\sum_{i\in B}(1-p_i)-\sum_{i,j\ on \ boundary}c_{ij}
$$ $$
Solution: Solution:
- Let's turn our maximization into a minimization - Let's turn our maximization into a minimization
- If the image has $N$ pixels, then we can rewrite the objective as - If the image has $N$ pixels, then we can rewrite the objective as
$$ $$
N-\sum_{i\in A}(1-p_i)-\sum_{i\in B}p_i-\sum_{i,j\ on \ boundary}c_{ij} N-\sum_{i\in A}(1-p_i)-\sum_{i\in B}p_i-\sum_{i,j\ on \ boundary}c_{ij}
$$ $$
because $N=\sum_{i\in A}p_i+\sum_{i\in A}(1-p_i)+\sum_{i\in B}p_i+\sum_{i\in B}(1-p_i)$ boundary because $N=\sum_{i\in A}p_i+\sum_{i\in A}(1-p_i)+\sum_{i\in B}p_i+\sum_{i\in B}(1-p_i)$ boundary
New maximization problem: New maximization problem:
$$ $$
Max\left( N-\sum_{i\in A}(1-p_i)-\sum_{i\in B}p_i-\sum_{i,j\ on \ boundary}c_{ij}\right) Max\left( N-\sum_{i\in A}(1-p_i)-\sum_{i\in B}p_i-\sum_{i,j\ on \ boundary}c_{ij}\right)
$$ $$
Now, this is equivalent ot minimizing Now, this is equivalent ot minimizing
$$ $$
\sum_{i\in A}(1-p_i)+\sum_{i\in B}p_i+\sum_{i,j\ on \ boundary}c_{ij} \sum_{i\in A}(1-p_i)+\sum_{i\in B}p_i+\sum_{i,j\ on \ boundary}c_{ij}
$$ $$
Second steps Second steps
- Form a graph with $n$ vertices, $v_i$ on for each pixel - Form a graph with $n$ vertices, $v_i$ on for each pixel
- Add vertices $s$ and $t$ - Add vertices $s$ and $t$
- For each $v_i$, add edges $S-T$ cut of $G$ assigned each $v_i$ to either $S$ side or $T$ side. - For each $v_i$, add edges $S-T$ cut of $G$ assigned each $v_i$ to either $S$ side or $T$ side.
- The $S$ side of an $S-T$ is the $A$ side, while the $T$ side of the cur is the $B$ side. - The $S$ side of an $S-T$ is the $A$ side, while the $T$ side of the cur is the $B$ side.
- Observer that if $v_i$ goes on the $S$ side, it becomes part of $A$, so the cut increases by $1-p$. Otherwise, it become part of $B$, so the cut increases by $p_i$ instead. - Observer that if $v_i$ goes on the $S$ side, it becomes part of $A$, so the cut increases by $1-p$. Otherwise, it become part of $B$, so the cut increases by $p_i$ instead.
- Now add edges $v_i\to v_j$ with capacity $c_{ij}$ for all adjacent pixels pairs $i,j$ - Now add edges $v_i\to v_j$ with capacity $c_{ij}$ for all adjacent pixels pairs $i,j$
- If $v_i$ and $v_j$ end up on opposite sides of the cut (boundary), then the cut increases by $c_{ij}$. - If $v_i$ and $v_j$ end up on opposite sides of the cut (boundary), then the cut increases by $c_{ij}$.
- Conclude that any $S-T$ cut that assigns $S\subseteq V$ to the $A$ side and $V\backslash S$ to the $B$ side pays a total of - Conclude that any $S-T$ cut that assigns $S\subseteq V$ to the $A$ side and $V\backslash S$ to the $B$ side pays a total of
1. $1-p_i$ for each $v_i$ on the $A$ side 1. $1-p_i$ for each $v_i$ on the $A$ side
2. $p_i$ for each $v_i$ on the $B$ side 2. $p_i$ for each $v_i$ on the $B$ side
3. $c_{ij}$ for each adjacent pair $i,j$ that is at the boundary. i.e. $i\in S\ and\ j\in V\backslash S$ 3. $c_{ij}$ for each adjacent pair $i,j$ that is at the boundary. i.e. $i\in S\ and\ j\in V\backslash S$
- Conclude that a cut with a capacity $c$ implies a segmentation with objective value $cs$. - Conclude that a cut with a capacity $c$ implies a segmentation with objective value $cs$.
- The converse can (and should) be also checked: a segmentation with subjective value $c$ implies a $S-T$ cut with capacity $c$. - The converse can (and should) be also checked: a segmentation with subjective value $c$ implies a $S-T$ cut with capacity $c$.
#### Algorithm #### Algorithm
- Given an image with $N$ pixels, build the graph $G$ as desired. - Given an image with $N$ pixels, build the graph $G$ as desired.
- Use the FF algorithm to find a minimum $S-T$ cut of $G$ - Use the FF algorithm to find a minimum $S-T$ cut of $G$
- Use this cut to assign each pixel to $A$ or $B$ as described, i.e pixels that correspond to vertices on the $S$ side are assigned to $A$ and those corresponding to vertices on the $T$ side to $B$. - Use this cut to assign each pixel to $A$ or $B$ as described, i.e pixels that correspond to vertices on the $S$ side are assigned to $A$ and those corresponding to vertices on the $T$ side to $B$.
- Minimizing the cut capacity minimizes our transformed minimization objective function. - Minimizing the cut capacity minimizes our transformed minimization objective function.
#### Running time #### Running time
The graph $G$ contains $\Theta(N)$ edges, because each pixel is adjacent to a maximum of of 4 neighbors and $S$ and $T$. The graph $G$ contains $\Theta(N)$ edges, because each pixel is adjacent to a maximum of of 4 neighbors and $S$ and $T$.
FF algorithm has running time $O((m+n)|F|)$, where $|F|\leq |n|$ is the size of set of min-cut. The edge count is $m=6n$. FF algorithm has running time $O((m+n)|F|)$, where $|F|\leq |n|$ is the size of set of min-cut. The edge count is $m=6n$.
So the total running time is $O(n^2)$ So the total running time is $O(n^2)$

682
pages/CSE347/CSE347_L5.md → content/CSE347/CSE347_L5.md
View File

@@ -1,341 +1,341 @@
# Lecture 5 # Lecture 5
## Takeaway from Bipartite Matching ## Takeaway from Bipartite Matching
- We saw how to solve a problem (bi-partite matching and others) by reducing it to another problem (maximum flow). - We saw how to solve a problem (bi-partite matching and others) by reducing it to another problem (maximum flow).
- In general, we can design an algorithm to map instances of a new problem to instances of known solvable problem (e.g., max-flow) to solve this new problem! - In general, we can design an algorithm to map instances of a new problem to instances of known solvable problem (e.g., max-flow) to solve this new problem!
- Mapping from one problem to another which preserves solutions is called reduction. - Mapping from one problem to another which preserves solutions is called reduction.
## Reduction: Basic Ideas ## Reduction: Basic Ideas
Convert solutions to the known problem to the solutions to the new problem Convert solutions to the known problem to the solutions to the new problem
- Instance of new problem - Instance of new problem
- Instance of known problem - Instance of known problem
- Solution of known problem - Solution of known problem
- Solution of new problem - Solution of new problem
## Reduction: Formal Definition ## Reduction: Formal Definition
Problems $L,K$. Problems $L,K$.
$L$ reduces to $K$ ($L\leq K$) if there is a mapping $\phi$ from **any** instance $l\in L$ to some instance $\phi(l)\in K'\subset K$, such that the solution for $\phi(l)$ yields a solution for $l$. $L$ reduces to $K$ ($L\leq K$) if there is a mapping $\phi$ from **any** instance $l\in L$ to some instance $\phi(l)\in K'\subset K$, such that the solution for $\phi(l)$ yields a solution for $l$.
This means that **L is no harder than K** This means that **L is no harder than K**
### Using reduction to design algorithms ### Using reduction to design algorithms
In the example of reduction to solve Bipartite Matching: In the example of reduction to solve Bipartite Matching:
$L:$ Bipartite Matching $L:$ Bipartite Matching
$K:$ Max-flow Problem $K:$ Max-flow Problem
Efficiency: Efficiency:
1. Reduction: $\phi:l\to\phi(l)$ (Polynomial time reduction $\phi(l)$) 1. Reduction: $\phi:l\to\phi(l)$ (Polynomial time reduction $\phi(l)$)
2. Solve prom $\phi(l)$ (Polynomial time to solve $poly(g)$) 2. Solve prom $\phi(l)$ (Polynomial time to solve $poly(g)$)
3. Convert the solution for $\phi(l)$ to a solution to $l$ (Polynomial time to solve $poly(g)$) 3. Convert the solution for $\phi(l)$ to a solution to $l$ (Polynomial time to solve $poly(g)$)
### Efficient Reduction ### Efficient Reduction
A reduction $\phi:l\to\phi(l)$ is efficient ($L\leq p(k)$) if for any $l\in L$: A reduction $\phi:l\to\phi(l)$ is efficient ($L\leq p(k)$) if for any $l\in L$:
1. $\phi(l)$ is computable from $l$ in polynomial ($|l|$) time. 1. $\phi(l)$ is computable from $l$ in polynomial ($|l|$) time.
2. Solution to $l$ is computable from solution of $\phi(l)$ in polynomial ($|l|$) time. 2. Solution to $l$ is computable from solution of $\phi(l)$ in polynomial ($|l|$) time.
We call $L$ is **poly-time reducible** to $K$, or $L$ poly-time We call $L$ is **poly-time reducible** to $K$, or $L$ poly-time
reduces to $K$. reduces to $K$.
### Which problem is harder? ### Which problem is harder?
Theorem: If $L\leq p(k)$ and there is a polynomial time algorithm to solve $K$, then there is a polynomial time algorithm to solve $L$. Theorem: If $L\leq p(k)$ and there is a polynomial time algorithm to solve $K$, then there is a polynomial time algorithm to solve $L$.
Proof: Given an instance of $l\in L$ If we can convert the problem in polynomial time with respect to the original problem $l$. Proof: Given an instance of $l\in L$ If we can convert the problem in polynomial time with respect to the original problem $l$.
1. Compute $\phi(l)$: $p(l)$ 1. Compute $\phi(l)$: $p(l)$
2. Solve $\phi(l)$: $p(\phi(l))$ 2. Solve $\phi(l)$: $p(\phi(l))$
3. Convert solution: $p(\phi(l))$ 3. Convert solution: $p(\phi(l))$
Total time: $p(l)+p(\phi(l))+p(\phi(l))=p(l)+p(\phi(l))$ Total time: $p(l)+p(\phi(l))+p(\phi(l))=p(l)+p(\phi(l))$
Need to show: $|\phi(l)|=poly(|l|)$ Need to show: $|\phi(l)|=poly(|l|)$
Proof: Proof:
Since we can convert $\phi(l)$ in $p(l)$ time, and on every time step, (constant step) we can only write constant amount of data. Since we can convert $\phi(l)$ in $p(l)$ time, and on every time step, (constant step) we can only write constant amount of data.
So $|\phi(l)|=poly(|l|)$ So $|\phi(l)|=poly(|l|)$
## Hardness Problems ## Hardness Problems
Reductions show the relationship between problem hardness! Reductions show the relationship between problem hardness!
Question: Could you solve a problem in polynomial time? Question: Could you solve a problem in polynomial time?
Easy: polynomial time solution Easy: polynomial time solution
Hard: No polynomial time solution (as far as we know) Hard: No polynomial time solution (as far as we know)
### Types of Problems ### Types of Problems
Decision Problem: Yes/No answer Decision Problem: Yes/No answer
Examples: Subset sums Examples: Subset sums
1. Is the there a flow of size $F$ 1. Is the there a flow of size $F$
2. Is there a shortest path of length $L$ from vertex $u$ to vertex $v$. 2. Is there a shortest path of length $L$ from vertex $u$ to vertex $v$.
3. Given a set of intercal, can you schedule $k$ of them. 3. Given a set of intercal, can you schedule $k$ of them.
Optimization Problem: What is the value of an optimal feasible solution of a problem? Optimization Problem: What is the value of an optimal feasible solution of a problem?
- Minimization: Minimize cost - Minimization: Minimize cost
- min cut - min cut
- minimal spanning tree - minimal spanning tree
- shortest path - shortest path
- Maximization: Maximize profit - Maximization: Maximize profit
- interval scheduling - interval scheduling
- maximum flow - maximum flow
- maximum matching - maximum matching
#### Canonical Decision Problem #### Canonical Decision Problem
Does the instance $l\in L$ (an optimization problem) have a feasible solution with objective value $k$: Does the instance $l\in L$ (an optimization problem) have a feasible solution with objective value $k$:
Objective value $\geq k$ (maximization) $\leq k$ (minimization) Objective value $\geq k$ (maximization) $\leq k$ (minimization)
$DL$ is the reduced Canonical Decision problem $L$ $DL$ is the reduced Canonical Decision problem $L$
##### Hardness of Canonical Decision Problems ##### Hardness of Canonical Decision Problems
Lemma 1: $DL\leq p(L)$ ($DL$ is no harder than $L$) Lemma 1: $DL\leq p(L)$ ($DL$ is no harder than $L$)
Proof: Assume $L$ **maximization** problem $DL(l)$: does have a solution $\geq k$. Proof: Assume $L$ **maximization** problem $DL(l)$: does have a solution $\geq k$.
Example: Does graph $G$ have flow $\geq k$. Example: Does graph $G$ have flow $\geq k$.
Let $v^$ be the maximum objective on $l$ by solving $l$. Let $v^$ be the maximum objective on $l$ by solving $l$.
Let the instance of $DL:(l,k)$ and $l$ be the problem and $k$ be the objective Let the instance of $DL:(l,k)$ and $l$ be the problem and $k$ be the objective
1. $l\to \phi(l)\in L$ (optimization problem) $\phi(l,k)=l$ 1. $l\to \phi(l)\in L$ (optimization problem) $\phi(l,k)=l$
2. Is $v^*(l)\geq k$? If so, return true, else return false. 2. Is $v^*(l)\geq k$? If so, return true, else return false.
Lemma 2: If $v^* =O(c^{|l|})$ for any constant $c$, then $L\leq p(DL)$. Lemma 2: If $v^* =O(c^{|l|})$ for any constant $c$, then $L\leq p(DL)$.
Proof: First we could show $L\leq DL$. Suppose maximization problem, canonical decision problem is is there a solution $\geq k$. Proof: First we could show $L\leq DL$. Suppose maximization problem, canonical decision problem is is there a solution $\geq k$.
Naïve Linear Search: Ask $DL(l,k)$, if returns false, ask $DL(l,k+1)$ until returns true Naïve Linear Search: Ask $DL(l,k)$, if returns false, ask $DL(l,k+1)$ until returns true
Runtime: At most $k$ search to iterate all possibilities. Runtime: At most $k$ search to iterate all possibilities.
This is exponential! How to reduce it? This is exponential! How to reduce it?
Our old friend Binary (exponential) Search is back! Our old friend Binary (exponential) Search is back!
You gets a no at some value: try power of 2 until you get a no, then do binary search You gets a no at some value: try power of 2 until you get a no, then do binary search
\# questions: $=log_2(v^*(l))=poly(l)$ \# questions: $=log_2(v^*(l))=poly(l)$
Binary search in area: from last yes to first no. Binary search in area: from last yes to first no.
Runtime: Binary search ($O(n)=\log(v^*(l))$) Runtime: Binary search ($O(n)=\log(v^*(l))$)
### Reduction for Algorithm Design vs Hardness ### Reduction for Algorithm Design vs Hardness
For problems $L,K$ For problems $L,K$
If $K$ is “easy” (exists a poly-time solution), then $L$ is also easy. If $K$ is “easy” (exists a poly-time solution), then $L$ is also easy.
If $L$ is “hard” (no poly-time solution), then $k$ is also hard. If $L$ is “hard” (no poly-time solution), then $k$ is also hard.
Every problem that we worked on so far, $K$ is “easy”, so we reduce from new problem to known problem (e.g., max-flow). Every problem that we worked on so far, $K$ is “easy”, so we reduce from new problem to known problem (e.g., max-flow).
#### Reduction for Hardness: Independent Set (ISET) #### Reduction for Hardness: Independent Set (ISET)
Input: Given an undirected graph $G = (V,E)$, Input: Given an undirected graph $G = (V,E)$,
A subset of vertices $S\subset V$ is called an **independent set** if no two vertices of are connected by an edge. A subset of vertices $S\subset V$ is called an **independent set** if no two vertices of are connected by an edge.
Problem: Does $G$ contain an independent set of size $\geq k$? Problem: Does $G$ contain an independent set of size $\geq k$?
$ISET(G,k)$ returns true if $G$ contains an independent set of size $\geq k$, and false otherwise. $ISET(G,k)$ returns true if $G$ contains an independent set of size $\geq k$, and false otherwise.
Algorithm? NO! We think that this is a hard problem. Algorithm? NO! We think that this is a hard problem.
A lot of pQEDle have tried and could not find a poly-time solution A lot of pQEDle have tried and could not find a poly-time solution
### Example: Vertex Cover (VC) ### Example: Vertex Cover (VC)
Input: Given an undirected graph $G = (V,E)$ Input: Given an undirected graph $G = (V,E)$
A subset of vertices $C\subset V$ is called a **vertex cover** if contains at least one end point of every edge. A subset of vertices $C\subset V$ is called a **vertex cover** if contains at least one end point of every edge.
Formally, for all edges $(u,v)\in E$, either $u\in C$, or $v\in C$. Formally, for all edges $(u,v)\in E$, either $u\in C$, or $v\in C$.
Problem: $VC(G,j)$ returns true if has a vertex cover of size $\leq j$, and false otherwise (minimization problem) Problem: $VC(G,j)$ returns true if has a vertex cover of size $\leq j$, and false otherwise (minimization problem)
Example: Example:
#### How hard is Vertex Cover? #### How hard is Vertex Cover?
Claim: $ISET\leq p(VC)$ Claim: $ISET\leq p(VC)$
Side Note: when we prove $VC$ is hard, we prove it is no easier than $ISET$. Side Note: when we prove $VC$ is hard, we prove it is no easier than $ISET$.
DO NOT: $VC\leq p(ISET)$ DO NOT: $VC\leq p(ISET)$
Proof: Show that $G=(V,E)$ has an independent set of $k$ **if and only if** the same graph (not always!) has a vertex cover of size $|V|-k$. Proof: Show that $G=(V,E)$ has an independent set of $k$ **if and only if** the same graph (not always!) has a vertex cover of size $|V|-k$.
Map: Map:
$$ $$
ISET(G,k)\to VC(g,|v|-k) ISET(G,k)\to VC(g,|v|-k)
$$ $$
$G'=G$ $G'=G$
##### Proof of reduction: Direction 1 ##### Proof of reduction: Direction 1
Claim 1: $ISET$ of size $k\to$ $VC$ of size $|V|-k$ Claim 1: $ISET$ of size $k\to$ $VC$ of size $|V|-k$
Proof: Assume $G$ has an $ISET$ of size $k:S$, consider $C = V-S,|C|=|V|-k$ Proof: Assume $G$ has an $ISET$ of size $k:S$, consider $C = V-S,|C|=|V|-k$
Claim: $C$ is a vertex cover Claim: $C$ is a vertex cover
##### Proof of reduction: Direction 2 ##### Proof of reduction: Direction 2
Claim 2: $VC$ of size $|V|-k\to ISET$ of size $k$ Claim 2: $VC$ of size $|V|-k\to ISET$ of size $k$
Proof: Assume $G$ has an $VC$ of size $|V| k:C$, consider $S = V C, |S| =k$ Proof: Assume $G$ has an $VC$ of size $|V| k:C$, consider $S = V C, |S| =k$
Claim: $S$ is an independent set Claim: $S$ is an independent set
### What does poly-time mean? ### What does poly-time mean?
Algorithm runs in time polynomial to input size. Algorithm runs in time polynomial to input size.
- If the input has items, algorithm runs in $\Theta(n^c)$ for any constant is poly-time. - If the input has items, algorithm runs in $\Theta(n^c)$ for any constant is poly-time.
- Examples: intervals to schedule, number of integers to sort, # vertices + # edges in a graph - Examples: intervals to schedule, number of integers to sort, # vertices + # edges in a graph
- Numerical Value (Integer $n$), what is the input size? - Numerical Value (Integer $n$), what is the input size?
- Examples: weights, capacity, total time, flow constraints - Examples: weights, capacity, total time, flow constraints
- It is not straightforward! - It is not straightforward!
### Real time complexity of F-F? ### Real time complexity of F-F?
In class: $O(F( |V| + |E|))$ In class: $O(F( |V| + |E|))$
- $|V| + |E|$ = this much space to represent the graph - $|V| + |E|$ = this much space to represent the graph
- $F$ : size of the maximum flow. - $F$ : size of the maximum flow.
If every edge has capacity , then $F = O(CE)$ If every edge has capacity , then $F = O(CE)$
Running time:$O(C|E|(|V| + |E| )))$ Running time:$O(C|E|(|V| + |E| )))$
### What is the actual input size? ### What is the actual input size?
Each edge ($|E|$ edges): Each edge ($|E|$ edges):
- 2 vertices: $|V|$ distinct symbol, $\log |V|$ bits per symbol - 2 vertices: $|V|$ distinct symbol, $\log |V|$ bits per symbol
- 1 capacity: $\log C$ - 1 capacity: $\log C$
Size of graph: Size of graph:
- $O(|E|(|V| + \log C))$ - $O(|E|(|V| + \log C))$
- $p( |E| , |V| , \log C)$ - $p( |E| , |V| , \log C)$
Running time: Running time:
- $P( |E| , |V| , |C| )$ - $P( |E| , |V| , |C| )$
- Exponential if is exponential in $|V|+|E|$ - Exponential if is exponential in $|V|+|E|$
### Pseudo-polynomial ### Pseudo-polynomial
Naïve Ford-Fulkerson is bad! Naïve Ford-Fulkerson is bad!
Problem s inputs contain some numerical values, say $|W|$. We need only log bits to store . If algorithms runs in $p(W)$, then it is exponential, or **pseudopolynomial**. Problem s inputs contain some numerical values, say $|W|$. We need only log bits to store . If algorithms runs in $p(W)$, then it is exponential, or **pseudopolynomial**.
In homework, you improved F-F to make it work in In homework, you improved F-F to make it work in
$p( |V| ,|E| , \log C)$, to make it a real polynomial algorithm. $p( |V| ,|E| , \log C)$, to make it a real polynomial algorithm.
## Conclusion: Reductions ## Conclusion: Reductions
- Reduction - Reduction
- Construction of mapping with runtime - Construction of mapping with runtime
- Bidirectional proof - Bidirectional proof
- Efficient Reduction $L\leq p(K)$ - Efficient Reduction $L\leq p(K)$
- Which problem is harder? - Which problem is harder?
- If $L$ is hard, then $K$ is hard. $\to$ Used to show hardness - If $L$ is hard, then $K$ is hard. $\to$ Used to show hardness
- If $K$ is easy, then $L$ is easy. $\to$ Used for design algorithms - If $K$ is easy, then $L$ is easy. $\to$ Used for design algorithms
- Canonical Decision Problem - Canonical Decision Problem
- Reduction to and from the optimization problem - Reduction to and from the optimization problem
- Reduction for hardness - Reduction for hardness
- Independent Set$leq p$ Vertex Cover - Independent Set$leq p$ Vertex Cover
## On class ## On class
Reduction: $V^* = O(c^k)$ Reduction: $V^* = O(c^k)$
OPT: Find max flow of at least one instance $(G,s,t)$ OPT: Find max flow of at least one instance $(G,s,t)$
DEC: Is there a flow of size $pK$, given $G,s,t \implies$ the instance is defined by the tuple $(G,s,t,k)$ DEC: Is there a flow of size $pK$, given $G,s,t \implies$ the instance is defined by the tuple $(G,s,t,k)$
Yes, if there exists one Yes, if there exists one
No, otherwise No, otherwise
Forget about F-F and assume that you have an oracle that solves the decision problem. Forget about F-F and assume that you have an oracle that solves the decision problem.
First solution (the naive solution): iterate over $k = 1, 2, \dots$ until the oracle returns false and the last one returns true would be the max flow. First solution (the naive solution): iterate over $k = 1, 2, \dots$ until the oracle returns false and the last one returns true would be the max flow.
Time complexity: $K\cdot X$, where $X$ is the time complexity of the oracle Time complexity: $K\cdot X$, where $X$ is the time complexity of the oracle
Input size: $poly(||V|,|E|, |E|log(max-capacity))$, and $V^* \leq \sum$ capacities Input size: $poly(||V|,|E|, |E|log(max-capacity))$, and $V^* \leq \sum$ capacities
A better solution: do a binary search. If there is no upper bound, we use exponential binary search instead. Then, A better solution: do a binary search. If there is no upper bound, we use exponential binary search instead. Then,
$$ $$
\begin{aligned} \begin{aligned}
log(V^*) &\leq X\cdot log(\sum capacities)\\ log(V^*) &\leq X\cdot log(\sum capacities)\\
&\leq X\cdot log(|E|\cdot maxCapacity)\\ &\leq X\cdot log(|E|\cdot maxCapacity)\\
&\leq X\cdot (log(|E| + log(maxCapacity))) &\leq X\cdot (log(|E| + log(maxCapacity)))
\end{aligned} \end{aligned}
$$ $$
As $\log(maxCapacity)$ is linear in the size of the input, the running time is polynomial to the solution of the original problem. As $\log(maxCapacity)$ is linear in the size of the input, the running time is polynomial to the solution of the original problem.
Assume that ISET is a hard problem, i.e. we don't know of any polynomial time solution. We want to show that vertex cover is also a hard problem here: Assume that ISET is a hard problem, i.e. we don't know of any polynomial time solution. We want to show that vertex cover is also a hard problem here:
$ISET \leq_{p} VC$ $ISET \leq_{p} VC$
1. Given an instance of ISET, construct an instance of VC 1. Given an instance of ISET, construct an instance of VC
2. Show that the construction can be done in polynomial time 2. Show that the construction can be done in polynomial time
3. Show that if the ISET instance is true than the CV instance is true 3. Show that if the ISET instance is true than the CV instance is true
4. Show that if the VC instance is true then the ISET instance is true. 4. Show that if the VC instance is true then the ISET instance is true.
> ISET: given $(G,K)$, is there a set of vertices that do not share edges of size $K$ > ISET: given $(G,K)$, is there a set of vertices that do not share edges of size $K$
> VC: given $(G,K)$, is there a set of vertices that cover all edges of size $K$ > VC: given $(G,K)$, is there a set of vertices that cover all edges of size $K$
1. Given $l: (G,K)$ being an instance of ISET, we construct $\phi(l): (G',K')$ as an instance of VC. $\phi(l): (G, |V|-K), \textup{i.e., } G' = G \cup K' = |V| - K$ 1. Given $l: (G,K)$ being an instance of ISET, we construct $\phi(l): (G',K')$ as an instance of VC. $\phi(l): (G, |V|-K), \textup{i.e., } G' = G \cup K' = |V| - K$
2. It is obvious that it is a polynomial time construction since copying the graph is linear, in the size of the graph and the subtraction of integers is constant time. 2. It is obvious that it is a polynomial time construction since copying the graph is linear, in the size of the graph and the subtraction of integers is constant time.
**Direction 1**: ISET of size k $\implies$ VC of size $|V| - K$ Assume that ISET(G,K) returns true, show that $VC(G, |V|-K)$ returns true **Direction 1**: ISET of size k $\implies$ VC of size $|V| - K$ Assume that ISET(G,K) returns true, show that $VC(G, |V|-K)$ returns true
Let $S$ be an independent set of size $K$ and $C = V-S$ Let $S$ be an independent set of size $K$ and $C = V-S$
We claim that $C$ is a vertex cover of size $|V|-K$ We claim that $C$ is a vertex cover of size $|V|-K$
Proof: Proof:
We proceed by contradiction. Assume that $C$ is NOT a vertex cover, and it means that there is an edge $(u,v)$ such that $u\notin c , v\notin C$. And it implies that $u\in S , v\in S$, which contradicts with the assumption that S is an independent set. We proceed by contradiction. Assume that $C$ is NOT a vertex cover, and it means that there is an edge $(u,v)$ such that $u\notin c , v\notin C$. And it implies that $u\in S , v\in S$, which contradicts with the assumption that S is an independent set.
Therefore, $c$ is an vertex cover Therefore, $c$ is an vertex cover
**Direction 2**: VC of size $|V|-K \implies$ ISET of size $K$ **Direction 2**: VC of size $|V|-K \implies$ ISET of size $K$
Let $C$ be a vertex cover of size $|V|-K$ , let $s = |v| - c$ Let $C$ be a vertex cover of size $|V|-K$ , let $s = |v| - c$
We claim that $S$ is an independent set of size $K$. We claim that $S$ is an independent set of size $K$.
Again, assume, for the sake of contradiction, that $S$ is not an independent set. And we get Again, assume, for the sake of contradiction, that $S$ is not an independent set. And we get
$\exists (u,v) \textup{such that } u\in S, v \in S$ $\exists (u,v) \textup{such that } u\in S, v \in S$
$u,v \notin C$ $u,v \notin C$
$C \textup{ is not a vertex cover}$ $C \textup{ is not a vertex cover}$
And this is a contradiction with our assumption. And this is a contradiction with our assumption.

572
pages/CSE347/CSE347_L6.md → content/CSE347/CSE347_L6.md
View File

@@ -1,287 +1,287 @@
# Lecture 6 # Lecture 6
## NP-completeness ## NP-completeness
### $P$: Polynomial-time Solvable ### $P$: Polynomial-time Solvable
$P$: Class of decision problems $L$ such that there is a polynomial-time algorithm that correctly answers yes or not for every instance $l\in L$. $P$: Class of decision problems $L$ such that there is a polynomial-time algorithm that correctly answers yes or not for every instance $l\in L$.
Algorithm "$A$ decides $L$". If algorithm $A$ always correctly answers for any instance $l\in L$. Algorithm "$A$ decides $L$". If algorithm $A$ always correctly answers for any instance $l\in L$.
Example: Example:
Is the number $n$ prime? Best algorithm so far: $O(\log^6 n)$, 2002 Is the number $n$ prime? Best algorithm so far: $O(\log^6 n)$, 2002
## Introduction to NP ## Introduction to NP
- NP$\neq$ Non-polynomial (Non-deterministic polynomial time) - NP$\neq$ Non-polynomial (Non-deterministic polynomial time)
- Let $L$ be a decision problem. - Let $L$ be a decision problem.
- Let $l$ be an instance of the problem that the answer happens to be "yes". - Let $l$ be an instance of the problem that the answer happens to be "yes".
- A **certificate** c(l) for $l$ is a "proof" that the answer for $l$ is true. [$l$ is a true instance] - A **certificate** c(l) for $l$ is a "proof" that the answer for $l$ is true. [$l$ is a true instance]
- For canonical decision problems for optimization problems, the certificate is often a feasible solution for the corresponding optimization problem. - For canonical decision problems for optimization problems, the certificate is often a feasible solution for the corresponding optimization problem.
### Example of certificates ### Example of certificates
- Problem: Is there a path from $s$ to $t$ - Problem: Is there a path from $s$ to $t$
- Instance: graph $G(V,E),s,t$. - Instance: graph $G(V,E),s,t$.
- Certificate: path from $s$ to $t$. - Certificate: path from $s$ to $t$.
- Problem: Can I schedule $k$ intervals in the room so that they do not conflict. - Problem: Can I schedule $k$ intervals in the room so that they do not conflict.
- Instance: $l:(I,k)$ - Instance: $l:(I,k)$
- Certificate: set of $k$ non-conflicting intervals. - Certificate: set of $k$ non-conflicting intervals.
- Problem: ISET - Problem: ISET
- Instance: $G(V,E),k$. - Instance: $G(V,E),k$.
- Certificate: $k$ vertices with no edges between them. - Certificate: $k$ vertices with no edges between them.
If the answer to the problem is NO, you don't need to provide anything to prove that. If the answer to the problem is NO, you don't need to provide anything to prove that.
### Useful certificates ### Useful certificates
For a problem to be in NP, the problem need to have "useful" certificates. What is considered a good certificate? For a problem to be in NP, the problem need to have "useful" certificates. What is considered a good certificate?
- Easy to check - Easy to check
- Verifying algorithm which can check a YES answer and a certificate in $poly(l)$ - Verifying algorithm which can check a YES answer and a certificate in $poly(l)$
- Not too long: [$poly(l)$] - Not too long: [$poly(l)$]
### Verifier Algorithm ### Verifier Algorithm
**Verifier algorithm** is one that takes an instance $l\in L$ and a certificate $c(l)$ and says yes if the certificate proves that $l$ is a true instance and false otherwise. **Verifier algorithm** is one that takes an instance $l\in L$ and a certificate $c(l)$ and says yes if the certificate proves that $l$ is a true instance and false otherwise.
$V$ is a poly-time verifier for $L$ is it is a verifier and runs in $poly(|l|,|c|)$ time. (c=$poly(l)$) $V$ is a poly-time verifier for $L$ is it is a verifier and runs in $poly(|l|,|c|)$ time. (c=$poly(l)$)
- The runtime must be polynomial - The runtime must be polynomial
- Must check **every** problem constraint - Must check **every** problem constraint
- Not always trivial - Not always trivial
## Class NP ## Class NP
**NP:** A class of decision problems such that exists a certificate schema $c$ and a verifier algorithm $V$ such that: **NP:** A class of decision problems such that exists a certificate schema $c$ and a verifier algorithm $V$ such that:
1. certificate is $poly(l)$ in size. 1. certificate is $poly(l)$ in size.
2. $V:poly(l)$ in time. 2. $V:poly(l)$ in time.
**P:** is a class of problems that you can **solve** in polynomial time **P:** is a class of problems that you can **solve** in polynomial time
**NP:** is a class of problems that you can **verify** TRUE instances in polynomial time given a poly-size certificate **NP:** is a class of problems that you can **verify** TRUE instances in polynomial time given a poly-size certificate
**Millennium question** **Millennium question**
$P\subseteq NP$? $NP\subseteq P$? $P\subseteq NP$? $NP\subseteq P$?
$P\subseteq NP$ is true. $P\subseteq NP$ is true.
Proof: Let $L$ be a problem in $P$, we want to show that there is a polynomial size certificate with a poly-time verifier. Proof: Let $L$ be a problem in $P$, we want to show that there is a polynomial size certificate with a poly-time verifier.
There is an algorithm $A$ which solves $L$ in polynomial time. There is an algorithm $A$ which solves $L$ in polynomial time.
**Certificate:** empty thing. **Certificate:** empty thing.
**Verifier:** $(l,c)$ **Verifier:** $(l,c)$
1. Discard $c$. 1. Discard $c$.
2. Run $A$ on $l$ and return the answer. 2. Run $A$ on $l$ and return the answer.
Nobody knows the solution $NP\subseteq P$. Sad. Nobody knows the solution $NP\subseteq P$. Sad.
### Class of problem: NP complete ### Class of problem: NP complete
Informally: hardest problem in NP Informally: hardest problem in NP
Consider a problem $L$. Consider a problem $L$.
- We want to show if $L\subseteq P$, then $NP\subseteq P$ - We want to show if $L\subseteq P$, then $NP\subseteq P$
**NP-hard**: A decision problem $L$ is NP-hard if for any problem $K\in NP$, $K\leq_p L$. **NP-hard**: A decision problem $L$ is NP-hard if for any problem $K\in NP$, $K\leq_p L$.
$L$ is at least as hard as all the problems in NP. If we have an algorithm for $L$, we have an algorithm for any problem in NP with only polynomial time extra cost. $L$ is at least as hard as all the problems in NP. If we have an algorithm for $L$, we have an algorithm for any problem in NP with only polynomial time extra cost.
MindMap: MindMap:
$K\implies L\implies sol(L)\implies sol(K)$ $K\implies L\implies sol(L)\implies sol(K)$
#### Lemma $P=NP$ #### Lemma $P=NP$
Let $L$ be an NP-hard problem. If $L\in P$, then $P=NP$. Let $L$ be an NP-hard problem. If $L\in P$, then $P=NP$.
Proof: Proof:
Say $L$ has a poly-time solution, some problem $K$ in $NP$. Say $L$ has a poly-time solution, some problem $K$ in $NP$.
For any $K\in NP$, $NP\subset P$, $P\subset NP$, then $P=NP$. For any $K\in NP$, $NP\subset P$, $P\subset NP$, then $P=NP$.
**NP-complete:** $L$ is **NP-complete** if it is both NP-hard and $L\in NP$. **NP-complete:** $L$ is **NP-complete** if it is both NP-hard and $L\in NP$.
**NP-optimization:** $L$ is **NP-optimization** problem if the canonical decision problem is NP-complete. **NP-optimization:** $L$ is **NP-optimization** problem if the canonical decision problem is NP-complete.
**Claim:** If any NP-optimization problem have polynomial-time solution, then $P=NP$. **Claim:** If any NP-optimization problem have polynomial-time solution, then $P=NP$.
### Is $P=NP$? ### Is $P=NP$?
- Answering this problem is hard. - Answering this problem is hard.
- But for any NP-complete problem, if you could find a poly-time algorithm for $L$, then you would have answered this question. - But for any NP-complete problem, if you could find a poly-time algorithm for $L$, then you would have answered this question.
- Therefore, finding a poly-time algorithm for $L$ is hard. - Therefore, finding a poly-time algorithm for $L$ is hard.
## NP-Complete problem ## NP-Complete problem
### Satisfiability (SAT) ### Satisfiability (SAT)
Boolean Formulas: Boolean Formulas:
A set of Boolean variables: A set of Boolean variables:
$x,y,a,b,c,w,z,...$ they take values true or false. $x,y,a,b,c,w,z,...$ they take values true or false.
A boolean formula is a formula of Boolean variables with and, or and not. A boolean formula is a formula of Boolean variables with and, or and not.
Examples: Examples:
$\phi:x\land (\neg y \lor z)\land\neg(y\lor w)$ $\phi:x\land (\neg y \lor z)\land\neg(y\lor w)$
$x=1,y=0,z=1,w=0$, the formula is $1$. $x=1,y=0,z=1,w=0$, the formula is $1$.
**SAT:** given a formula $\phi$, is there a setting $M$ of variables such that the $\phi$ evaluates to True under this setting. **SAT:** given a formula $\phi$, is there a setting $M$ of variables such that the $\phi$ evaluates to True under this setting.
If there is such assignment, then $\phi$ is satisfiable. Otherwise, it is not. If there is such assignment, then $\phi$ is satisfiable. Otherwise, it is not.
Example: $x\land y\land \neg(x\lor y)$ is not satisfiable. Example: $x\land y\land \neg(x\lor y)$ is not satisfiable.
A seminar paper by Cook and Levin in 1970 showed that SAT is NP-complete. A seminar paper by Cook and Levin in 1970 showed that SAT is NP-complete.
1. SAT is in NP 1. SAT is in NP
Proof: Proof:
$\exists$ a certificate schema and a poly-time verifier. $\exists$ a certificate schema and a poly-time verifier.
$c$ satisfying assignment $M$ and $v$ check that $M$ makes $\phi$ true. $c$ satisfying assignment $M$ and $v$ check that $M$ makes $\phi$ true.
2. SAT is NP-hard. we can just accept it has a fact. 2. SAT is NP-hard. we can just accept it has a fact.
#### How to show a problem is NP-complete? #### How to show a problem is NP-complete?
Say we have a problem $L$. Say we have a problem $L$.
1. Show that $L\in NP$. 1. Show that $L\in NP$.
Exists certificate schema and verification algorithm in polynomial time. Exists certificate schema and verification algorithm in polynomial time.
2. Prove that we can reduce SAT to $L$. $SAT\leq_p L$ **(NOT $L\leq_p SAT$)** 2. Prove that we can reduce SAT to $L$. $SAT\leq_p L$ **(NOT $L\leq_p SAT$)**
Solving $L$ also solve SAT. Solving $L$ also solve SAT.
### CNF-SAT ### CNF-SAT
**CNF:** Conjugate normal form of SAT **CNF:** Conjugate normal form of SAT
The formula $\phi$ must be an "and of ors" The formula $\phi$ must be an "and of ors"
$$ $$
\phi=\land_{i=1}^n(\lor^{m_i}_{j=1}l_{i,j}) \phi=\land_{i=1}^n(\lor^{m_i}_{j=1}l_{i,j})
$$ $$
$l_{i,j}$: clause $l_{i,j}$: clause
### 3-CNF-SAT ### 3-CNF-SAT
**3-CNF-SAT:** where every clauses has exactly 3 literals. **3-CNF-SAT:** where every clauses has exactly 3 literals.
is NP complete [not all version of them are, 2-CNF-SAT is in P] is NP complete [not all version of them are, 2-CNF-SAT is in P]
Input: 3-CNF expression with $n$ variables and $m$ clauses in the form: Input: 3-CNF expression with $n$ variables and $m$ clauses in the form:
number of total literals: $3m$ number of total literals: $3m$
Output: An assignment of the $n$ variables such that at least one literal from each clauses evaluates to true. Output: An assignment of the $n$ variables such that at least one literal from each clauses evaluates to true.
Note: Note:
1. One variable can be used to satisfy multiple clauses. 1. One variable can be used to satisfy multiple clauses.
2. $x_i$ and $\neg x_i$ cannot both evaluate to true. 2. $x_i$ and $\neg x_i$ cannot both evaluate to true.
Example: ISET is NP-complete. Example: ISET is NP-complete.
Proof: Proof:
Say we have a problem $L$ Say we have a problem $L$
1. Show that $ISET\in NP$ 1. Show that $ISET\in NP$
Certificate: set of $k$ vertices: $|S|=k\in poly(g)$\ Certificate: set of $k$ vertices: $|S|=k\in poly(g)$\
Verifier: checks that there are no edges between them $O(E k^2)$ Verifier: checks that there are no edges between them $O(E k^2)$
2. ISET is NP-hard. We need to prove $3SAT\leq_p ISET$ 2. ISET is NP-hard. We need to prove $3SAT\leq_p ISET$
- Construct a reduction from $3SAT$ to $ISET$. - Construct a reduction from $3SAT$ to $ISET$.
- Show that $ISET$ is harder than $3SAT$. - Show that $ISET$ is harder than $3SAT$.
We need to prove $\phi\in 3SAT$ is satisfiable if and only if the constructed $G$ has an $ISET$ of size $\geq k=m$ We need to prove $\phi\in 3SAT$ is satisfiable if and only if the constructed $G$ has an $ISET$ of size $\geq k=m$
#### Reduction mapping construction #### Reduction mapping construction
We construct an ISET instance from $3-SAT$. We construct an ISET instance from $3-SAT$.
Suppose the formula has $n$ variables and $m$ clauses Suppose the formula has $n$ variables and $m$ clauses
1. for each clause, we construct vertex for each literal and connect them (for $x\lor \neg y\lor z$, we connect $x,\neg y,z$ together) 1. for each clause, we construct vertex for each literal and connect them (for $x\lor \neg y\lor z$, we connect $x,\neg y,z$ together)
2. then we connect all the literals with their negations (connects $x$ and $\neg x$) 2. then we connect all the literals with their negations (connects $x$ and $\neg x$)
$\implies$ $\implies$
If $\phi$ has a satisfiable assignment, then $G$ has an independent set of size $\geq m$, If $\phi$ has a satisfiable assignment, then $G$ has an independent set of size $\geq m$,
For a set $S$ we pick exactly one true literal from every clause and take the corresponding vertex to that clause, $|S|=m$ For a set $S$ we pick exactly one true literal from every clause and take the corresponding vertex to that clause, $|S|=m$
Must also argue that $S$ is an independent set. Must also argue that $S$ is an independent set.
Example: picked a set of vertices $|S|=4$. Example: picked a set of vertices $|S|=4$.
A literal has edges: A literal has edges:
- To all literals in the same clause: We never pick two literals form the same clause. - To all literals in the same clause: We never pick two literals form the same clause.
- To its negation. - To its negation.
Since it is a satisfiable 3-SAT assignment, $x$ and $\neg x$ cannot both evaluate to true, those edges are not a problem, so $S$ is an independent set. Since it is a satisfiable 3-SAT assignment, $x$ and $\neg x$ cannot both evaluate to true, those edges are not a problem, so $S$ is an independent set.
$\impliedby$ $\impliedby$
If $G$ has an independent set of size $\geq m$, then $\phi$ is satisfiable. If $G$ has an independent set of size $\geq m$, then $\phi$ is satisfiable.
Say that $S$ is an independent set of $m$, we need to construct a satisfiable assignment for the original $\phi$. Say that $S$ is an independent set of $m$, we need to construct a satisfiable assignment for the original $\phi$.
- If $S$ contains a vertex corresponding to literal $x_i$, then set $x_i$ to true. - If $S$ contains a vertex corresponding to literal $x_i$, then set $x_i$ to true.
- If contains a vertex corresponding to literal $\neg x_i$, then set $x_i$ to false. - If contains a vertex corresponding to literal $\neg x_i$, then set $x_i$ to false.
- Other variables can be set arbitrarily - Other variables can be set arbitrarily
Question: Is it a valid 3-SAT assignment? Question: Is it a valid 3-SAT assignment?
Your ISET $S$ can contain at most $1$ vertex from each clause. Since vertices in a clause are connected by edges. Your ISET $S$ can contain at most $1$ vertex from each clause. Since vertices in a clause are connected by edges.
- Since $S$ contains $m$ vertices, it must contain exactly $1$ vertex from each clause. - Since $S$ contains $m$ vertices, it must contain exactly $1$ vertex from each clause.
- Therefore, we will make at least $1$ literals form each clause to be true. - Therefore, we will make at least $1$ literals form each clause to be true.
- Therefore, all the clauses are true and $\phi$ is satisfied. - Therefore, all the clauses are true and $\phi$ is satisfied.
## Conclusion: NP-completeness ## Conclusion: NP-completeness
- Prove NP-Complete: - Prove NP-Complete:
- If NP-optimization, convert to canonical decision problem - If NP-optimization, convert to canonical decision problem
- Certificate, Verification algorithm - Certificate, Verification algorithm
- Prove NP-hard: reduce from existing NP-Complete - Prove NP-hard: reduce from existing NP-Complete
problems problems
- 3-SAT Problem: - 3-SAT Problem:
- Input, output, constraints - Input, output, constraints
- A well-known NP-Complete problem - A well-known NP-Complete problem
- Reduce from 3-SAT to ISET to show ISET is NP-Complete - Reduce from 3-SAT to ISET to show ISET is NP-Complete
## On class ## On class
### NP-complete ### NP-complete
$p\in NP$, if we have a certificate schema and a verifier algorithm. $p\in NP$, if we have a certificate schema and a verifier algorithm.
### NP-complete proof ### NP-complete proof
#### P is in NP #### P is in NP
what a certificate would looks like, show that if has a polynomial time o the problem size. what a certificate would looks like, show that if has a polynomial time o the problem size.
design a verifier algorithm that checks a certificate if it indeed prove tha the answer is YES and has a polynomial time complexity. Inputs: certificate and the problem input $poly(|l|,|c|)=poly(|p|)$ design a verifier algorithm that checks a certificate if it indeed prove tha the answer is YES and has a polynomial time complexity. Inputs: certificate and the problem input $poly(|l|,|c|)=poly(|p|)$
#### P is NP hard #### P is NP hard
select an already known NP-hard problem: eg. 3-SAT, ISET, VC,... select an already known NP-hard problem: eg. 3-SAT, ISET, VC,...
show that $3-SAT\leq_p p$ show that $3-SAT\leq_p p$
- present an algorithm that given any instance of 3-SAT (on the chosen NP hard problem) to an instance of $p$. - present an algorithm that given any instance of 3-SAT (on the chosen NP hard problem) to an instance of $p$.
- show that the construction is done in polynomial time. - show that the construction is done in polynomial time.
- show that if $p$'s instance answer is YES, then the instance of 3-SAT is YES. - show that if $p$'s instance answer is YES, then the instance of 3-SAT is YES.
- show that if 3-SAT's instance answer is YES then the instance of $p$ is YES. - show that if 3-SAT's instance answer is YES then the instance of $p$ is YES.

624
pages/CSE347/CSE347_L7.md → content/CSE347/CSE347_L7.md
View File

@@ -1,312 +1,312 @@
# Lecture 7 # Lecture 7
## Known NP-Complete Problems ## Known NP-Complete Problems
- SAT and 3-SAT - SAT and 3-SAT
- Vertex Cover - Vertex Cover
- Independent Set - Independent Set
## How to show a problem $L$ is NP-Complete ## How to show a problem $L$ is NP-Complete
- Show $L \in$ NP - Show $L \in$ NP
- Give a polynomial time certificate - Give a polynomial time certificate
- Give a polynomial time verifier - Give a polynomial time verifier
- Show $L$ is NP-Hard: for some known NP-Complete problem $K$, show $K \leq_p L$ - Show $L$ is NP-Hard: for some known NP-Complete problem $K$, show $K \leq_p L$
- Construct a mapping $\phi$ from instance in $K$ to instance in $L$, given an instance $k\in K$, $\phi(k)\in L$. - Construct a mapping $\phi$ from instance in $K$ to instance in $L$, given an instance $k\in K$, $\phi(k)\in L$.
- Show that you can compute $\phi(k)$ in polynomial time. - Show that you can compute $\phi(k)$ in polynomial time.
- Show that $k \in K$ is true if and only if $\phi(k) \in L$ is true. - Show that $k \in K$ is true if and only if $\phi(k) \in L$ is true.
### Example 1: Subset Sum ### Example 1: Subset Sum
Input: A set $S$ of integers and a target positive integer $t$. Input: A set $S$ of integers and a target positive integer $t$.
Problem: Determine if there exists a subset $S' \subseteq S$ such that $\sum_{a_i\in S'} a_i = t$. Problem: Determine if there exists a subset $S' \subseteq S$ such that $\sum_{a_i\in S'} a_i = t$.
We claim that Subset Sum is NP-Complete. We claim that Subset Sum is NP-Complete.
Step 1: Subset Sum $\in$ NP Step 1: Subset Sum $\in$ NP
- Certificate: $S' \subseteq S$ - Certificate: $S' \subseteq S$
- Verifier: Check that $\sum_{a_i\in S'} a_i = t$ - Verifier: Check that $\sum_{a_i\in S'} a_i = t$
Step 2: Subset Sum is NP-Hard Step 2: Subset Sum is NP-Hard
We claim that 3-SAT $\leq_p$ Subset Sum We claim that 3-SAT $\leq_p$ Subset Sum
Given any $3$-CNF formula $\Psi$, we will construct an instance $(S, t)$ of Subset Sum such that $\Psi$ is satisfiable if and only if there exists a subset $S' \subseteq S$ such that $\sum_{a_i\in S'} a_i = t$. Given any $3$-CNF formula $\Psi$, we will construct an instance $(S, t)$ of Subset Sum such that $\Psi$ is satisfiable if and only if there exists a subset $S' \subseteq S$ such that $\sum_{a_i\in S'} a_i = t$.
#### How to construct $\Psi$? #### How to construct $\Psi$?
Reduction construction: Reduction construction:
Assumption: No clause contains both a literal and its negation. Assumption: No clause contains both a literal and its negation.
3-SAT problem: $\Psi$ has $n$ variables and $m$ clauses. 3-SAT problem: $\Psi$ has $n$ variables and $m$ clauses.
Need to: construct $S$ of positive numbers and a target $t$ Need to: construct $S$ of positive numbers and a target $t$
Ideas of construction: Ideas of construction:
For 3-SAT instance $\Psi$: For 3-SAT instance $\Psi$:
- At least one literal in each clause is true - At least one literal in each clause is true
- A variable and its negation cannot both be true - A variable and its negation cannot both be true
$S$ contains integers with $n+m$ digits (base 10) $S$ contains integers with $n+m$ digits (base 10)
$$ $$
p_1p_2\cdots p_n q_1 q_2 \cdots q_m p_1p_2\cdots p_n q_1 q_2 \cdots q_m
$$ $$
where $p_i$ are representations of variables that are either $0$ or $1$ and $q_j$ are representations of clauses. where $p_i$ are representations of variables that are either $0$ or $1$ and $q_j$ are representations of clauses.
For each variable $x_i$, we will have two integers in $S$, called $v_i$ and $\overline{v_i}$. For each variable $x_i$, we will have two integers in $S$, called $v_i$ and $\overline{v_i}$.
- For each variable $x_i$, both $v_i$ and $\overline{v_i}$ have digits $p_i=1$. all other $p$ positions are zero - For each variable $x_i$, both $v_i$ and $\overline{v_i}$ have digits $p_i=1$. all other $p$ positions are zero
- Each digit $q_j$ in $v_i$ is $1$ if $x_i$ appears in clause $j$; otherwise $q_j=0$ - Each digit $q_j$ in $v_i$ is $1$ if $x_i$ appears in clause $j$; otherwise $q_j=0$
For example: For example:
$\Psi=(x_1\lor \neg x_2 \lor x_3) \land (\neg x_1 \lor x_2 \lor x_3)$ $\Psi=(x_1\lor \neg x_2 \lor x_3) \land (\neg x_1 \lor x_2 \lor x_3)$
| | $p_1$ | $p_2$ | $p_3$ | $q_1$ | $q_2$ | | | $p_1$ | $p_2$ | $p_3$ | $q_1$ | $q_2$ |
| ---------------- | ----- | ----- | ----- | ----- | ----- | | ---------------- | ----- | ----- | ----- | ----- | ----- |
| $v_1$ | 1 | 0 | 0 | 1 | 0 | | $v_1$ | 1 | 0 | 0 | 1 | 0 |
| $\overline{v_1}$ | 1 | 0 | 0 | 0 | 1 | | $\overline{v_1}$ | 1 | 0 | 0 | 0 | 1 |
| $v_2$ | 0 | 1 | 0 | 0 | 1 | | $v_2$ | 0 | 1 | 0 | 0 | 1 |
| $\overline{v_2}$ | 0 | 1 | 0 | 1 | 0 | | $\overline{v_2}$ | 0 | 1 | 0 | 1 | 0 |
| $v_3$ | 0 | 0 | 1 | 1 | 1 | | $v_3$ | 0 | 0 | 1 | 1 | 1 |
| $\overline{v_3}$ | 0 | 0 | 1 | 0 | 0 | | $\overline{v_3}$ | 0 | 0 | 1 | 0 | 0 |
| t | 1 | 1 | 1 | 1 | 1 | | t | 1 | 1 | 1 | 1 | 1 |
Let's try to prove correctness of the reduction. Let's try to prove correctness of the reduction.
Direction 1: Say subset sum has a solution $S'$. Direction 1: Say subset sum has a solution $S'$.
We must prove that there is a satisfying assignment for $\Psi$. We must prove that there is a satisfying assignment for $\Psi$.
Set $x_i=1$ if $v_i\in S'$ Set $x_i=1$ if $v_i\in S'$
Set $x_i=0$ if $\overline{v_i}\in S'$ Set $x_i=0$ if $\overline{v_i}\in S'$
1. We want set $x_i$ to be both true and false, we will pick (in $S'$) either $v_i$ or $\overline{v_i}$ 1. We want set $x_i$ to be both true and false, we will pick (in $S'$) either $v_i$ or $\overline{v_i}$
2. For each clause we have at least one literal that is true since $q_j$ has a $1$ in the clause. 2. For each clause we have at least one literal that is true since $q_j$ has a $1$ in the clause.
Direction 2: Say $\Psi$ has a satisfying assignment. Direction 2: Say $\Psi$ has a satisfying assignment.
We must prove that there is a subset $S'$ such that $\sum_{a_i\in S'} a_i = t$. We must prove that there is a subset $S'$ such that $\sum_{a_i\in S'} a_i = t$.
If $x_i=1$, then $v_i\in S'$ If $x_i=1$, then $v_i\in S'$
If $x_i=0$, then $\overline{v_i}\in S'$ If $x_i=0$, then $\overline{v_i}\in S'$
Problem: 1,2 or 3 literals in every clause can be true. Problem: 1,2 or 3 literals in every clause can be true.
Fix Fix
Add 2 numbers to $S$ for each clause $j$. We add $y_j,z_j$. Add 2 numbers to $S$ for each clause $j$. We add $y_j,z_j$.
- All $p$ digits are zero - All $p$ digits are zero
- $q_j$ of $y_j$ is $1$, $q_j$ of $z_j$ is $2$, for all $j$, other digits are zero. - $q_j$ of $y_j$ is $1$, $q_j$ of $z_j$ is $2$, for all $j$, other digits are zero.
- Intuitively, these numbers account for the number of literals in clause $j$ that are true. - Intuitively, these numbers account for the number of literals in clause $j$ that are true.
New target are as follows: New target are as follows:
| | $p_1$ | $p_2$ | $p_3$ | $q_1$ | $q_2$ | | | $p_1$ | $p_2$ | $p_3$ | $q_1$ | $q_2$ |
| ----- | ----- | ----- | ----- | ----- | ----- | | ----- | ----- | ----- | ----- | ----- | ----- |
| $y_1$ | 0 | 0 | 0 | 1 | 0 | | $y_1$ | 0 | 0 | 0 | 1 | 0 |
| $z_1$ | 0 | 0 | 0 | 2 | 0 | | $z_1$ | 0 | 0 | 0 | 2 | 0 |
| $y_2$ | 0 | 0 | 0 | 0 | 1 | | $y_2$ | 0 | 0 | 0 | 0 | 1 |
| $z_2$ | 0 | 0 | 0 | 0 | 2 | | $z_2$ | 0 | 0 | 0 | 0 | 2 |
| $t$ | 1 | 1 | 1 | 4 | 4 | | $t$ | 1 | 1 | 1 | 4 | 4 |
#### Time Complexity of construction for Subset Sum #### Time Complexity of construction for Subset Sum
- $O(n+m)$ - $O(n+m)$
- $n$ is the number of variables - $n$ is the number of variables
- $m$ is the number of clauses - $m$ is the number of clauses
How many integers are in $S$? How many integers are in $S$?
- $2n$ for variables - $2n$ for variables
- $2m$ for new numbers - $2m$ for new numbers
- Total: $2n+2m$ integers - Total: $2n+2m$ integers
How many digits are in each integer? How many digits are in each integer?
- $n+m$ digits - $n+m$ digits
- Time complexity: $O((n+m)^2)$ - Time complexity: $O((n+m)^2)$
#### Proof of reduction for Subset Sum #### Proof of reduction for Subset Sum
Claim 1: If Subset Sum has a solution, then $\Psi$ is satisfiable. Claim 1: If Subset Sum has a solution, then $\Psi$ is satisfiable.
Proof: Proof:
Say $S'$ is a solution to Subset Sum. Then there exists a subset $S' \subseteq S$ such that $\sum_{a_i\in S'} a_i = t$. Here is an assignment of truth values to variables in $\Psi$ that satisfies $\Psi$: Say $S'$ is a solution to Subset Sum. Then there exists a subset $S' \subseteq S$ such that $\sum_{a_i\in S'} a_i = t$. Here is an assignment of truth values to variables in $\Psi$ that satisfies $\Psi$:
- Set $x_i=1$ if $v_i\in S'$ - Set $x_i=1$ if $v_i\in S'$
- Set $x_i=0$ if $\overline{v_i}\in S'$ - Set $x_i=0$ if $\overline{v_i}\in S'$
This is a valid assignment since: This is a valid assignment since:
- We pick either $v_i$ or $\overline{v_i}$ - We pick either $v_i$ or $\overline{v_i}$
- For each clause, at least one literal is true - For each clause, at least one literal is true
QED QED
Claim 2: If $\Psi$ is satisfiable, then Subset Sum has a solution. Claim 2: If $\Psi$ is satisfiable, then Subset Sum has a solution.
Proof: Proof:
If $A$ is a satisfiable assignment for $\Psi$, then we can construct a subset $S'$ of $S$ such that $\sum_{a_i\in S'} a_i = t$. If $A$ is a satisfiable assignment for $\Psi$, then we can construct a subset $S'$ of $S$ such that $\sum_{a_i\in S'} a_i = t$.
If $x_i=1$, then $v_i\in S'$ If $x_i=1$, then $v_i\in S'$
If $x_i=0$, then $\overline{v_i}\in S'$ If $x_i=0$, then $\overline{v_i}\in S'$
Say $t=\sum$ elements we picked from $S$. Say $t=\sum$ elements we picked from $S$.
- All $p_i$ in $t$ are $1$ - All $p_i$ in $t$ are $1$
- All $q_j$ in $t$ are either $1$ or $2$ or $3$. - All $q_j$ in $t$ are either $1$ or $2$ or $3$.
- If $q_j=1$, then $y_j,z_j\in S'$ - If $q_j=1$, then $y_j,z_j\in S'$
- If $q_j=2$, then $z_j\in S'$ - If $q_j=2$, then $z_j\in S'$
- If $q_j=3$, then $y_j\in S'$ - If $q_j=3$, then $y_j\in S'$
QED QED
### Example 2: 3 Color ### Example 2: 3 Color
Input: Graph $G$ Input: Graph $G$
Problem: Determine if $G$ is 3-colorable. Problem: Determine if $G$ is 3-colorable.
We claim that 3-Color is NP-Complete. We claim that 3-Color is NP-Complete.
#### Proof of NP for 3-Color #### Proof of NP for 3-Color
Homework Homework
#### Proof of NP-Hard for 3-Color #### Proof of NP-Hard for 3-Color
We claim that 3-SAT $\leq_p$ 3-Color We claim that 3-SAT $\leq_p$ 3-Color
Given a 3-CNF formula $\Psi$, we will construct a graph $G$ such that $\Psi$ is satisfiable if and only if $G$ is 3-colorable. Given a 3-CNF formula $\Psi$, we will construct a graph $G$ such that $\Psi$ is satisfiable if and only if $G$ is 3-colorable.
Construction: Construction:
1. Construct a core triangle (3 vertices for 3 colors) 1. Construct a core triangle (3 vertices for 3 colors)
2. 2 vertices for each variable $x_i:v_i,\overline{v_i}$ 2. 2 vertices for each variable $x_i:v_i,\overline{v_i}$
3. Clause widget 3. Clause widget
Clause widget: Clause widget:
- 3 vertices for each clause $C_j:y_j,z_j,t_j$ (clause widget) - 3 vertices for each clause $C_j:y_j,z_j,t_j$ (clause widget)
- 3 edges extended from clause widget - 3 edges extended from clause widget
- variable vertex connected to extended edges - variable vertex connected to extended edges
Key for dangler design: Key for dangler design:
Connect to all $v_i$ with true to the same color. and connect to all $v_i$ with false to another color. Connect to all $v_i$ with true to the same color. and connect to all $v_i$ with false to another color.
''' '''
TODO: Add dangler design image here. TODO: Add dangler design image here.
''' '''
#### Proof of reduction for 3-Color #### Proof of reduction for 3-Color
Direction 1: If $\Psi$ is satisfiable, then $G$ is 3-colorable. Direction 1: If $\Psi$ is satisfiable, then $G$ is 3-colorable.
Proof: Proof:
Say $\Psi$ is satisfiable. Then $v_i$ and $\overline{v_i}$ are in different colors. Say $\Psi$ is satisfiable. Then $v_i$ and $\overline{v_i}$ are in different colors.
For the color in central triangle, we can pick any color. For the color in central triangle, we can pick any color.
For each dangler color is connected to blue, all literals cannot be blue. For each dangler color is connected to blue, all literals cannot be blue.
... ...
QED QED
Direction 2: If $G$ is 3-colorable, then $\Psi$ is satisfiable. Direction 2: If $G$ is 3-colorable, then $\Psi$ is satisfiable.
Proof: Proof:
QED QED
### Example 3:Hamiltonian cycle problem (HAMCYCLE) ### Example 3:Hamiltonian cycle problem (HAMCYCLE)
Input: $G(V,E)$ Input: $G(V,E)$
Output: Does $G$ have a Hamiltonian cycle? (A cycle that visits each vertex exactly once.) Output: Does $G$ have a Hamiltonian cycle? (A cycle that visits each vertex exactly once.)
Proof is too hard. Proof is too hard.
but it is an existing NP-complete problem. but it is an existing NP-complete problem.
## On lecture ## On lecture
### Example 4: Scheduling problem (SCHED) ### Example 4: Scheduling problem (SCHED)
scheduling with release time, deadline and execution times. scheduling with release time, deadline and execution times.
Given $n$ jobs, where job $i$ has release time $r_i$, deadline $d_i$, and execution time $t_i$. Given $n$ jobs, where job $i$ has release time $r_i$, deadline $d_i$, and execution time $t_i$.
Example: Example:
$S=\{2,3,7,5,4\}$. we created 5 jobs release time is 0, deadline is 26, execution time is $1$. $S=\{2,3,7,5,4\}$. we created 5 jobs release time is 0, deadline is 26, execution time is $1$.
Problem: Can you schedule these jobs so that each job starts after its release time and finishes before its deadline, and executed for $t_i$ time units? Problem: Can you schedule these jobs so that each job starts after its release time and finishes before its deadline, and executed for $t_i$ time units?
#### Proof of NP-completeness #### Proof of NP-completeness
Step 1: Show that the problem is in NP. Step 1: Show that the problem is in NP.
Certificate: $\langle (h_i,j_i),(h_2,j_2),\cdots,(h_n,j_n)\rangle$, where $h_i$ is the start time of job $i$ and $j_i$ is the machine that job $i$ is assigned to. Certificate: $\langle (h_i,j_i),(h_2,j_2),\cdots,(h_n,j_n)\rangle$, where $h_i$ is the start time of job $i$ and $j_i$ is the machine that job $i$ is assigned to.
Verifier: Check that $h_i + t_i \leq d_i$ for all $i$. Verifier: Check that $h_i + t_i \leq d_i$ for all $i$.
Step 2: Show that the problem is NP-hard. Step 2: Show that the problem is NP-hard.
We proceed by proving that $SSS\leq_p$ Scheduling. We proceed by proving that $SSS\leq_p$ Scheduling.
Consider an instance of SSS: $\{ a_1,a_2,\cdots,a_n\}$ and sum $b$. We can create a scheduling instance with release time 0, deadline $b$, and execution time $1$. Consider an instance of SSS: $\{ a_1,a_2,\cdots,a_n\}$ and sum $b$. We can create a scheduling instance with release time 0, deadline $b$, and execution time $1$.
Then we prove that the scheduling instance is a "yes" instance if and only if the SSS instance is a "yes" instance. Then we prove that the scheduling instance is a "yes" instance if and only if the SSS instance is a "yes" instance.
Ideas of proof: Ideas of proof:
If there is a subset of $\{a_1,a_2,\cdots,a_n\}$ that sums to $b$, then we can schedule the jobs in that order on one machine. If there is a subset of $\{a_1,a_2,\cdots,a_n\}$ that sums to $b$, then we can schedule the jobs in that order on one machine.
If there is a schedule where all jobs are finished by time $b$, then the sum of the scheduled jobs is exactly $b$. If there is a schedule where all jobs are finished by time $b$, then the sum of the scheduled jobs is exactly $b$.
### Example 5: Component grouping problem (CG) ### Example 5: Component grouping problem (CG)
Given an undirected graph which is not necessarily connected. (A component is a subgraph that is connected.) Given an undirected graph which is not necessarily connected. (A component is a subgraph that is connected.)
Problem: Component Grouping: Give a graph $G$ that is not connected, and a positive integer $k$, is there a subset of its components that sums up to $k$? Problem: Component Grouping: Give a graph $G$ that is not connected, and a positive integer $k$, is there a subset of its components that sums up to $k$?
Denoted as $CG(G,k)$. Denoted as $CG(G,k)$.
#### Proof of NP-completeness for Component Grouping #### Proof of NP-completeness for Component Grouping
Step 1: Show that the problem is in NP. Step 1: Show that the problem is in NP.
Certificate: $\langle S\rangle$, where $S$ is the subset of components that sums up to $k$. Certificate: $\langle S\rangle$, where $S$ is the subset of components that sums up to $k$.
Verifier: Check that the sum of the sizes of the components in $S$ is $k$. This can be done in polynomial time using breadth-first search. Verifier: Check that the sum of the sizes of the components in $S$ is $k$. This can be done in polynomial time using breadth-first search.
Step 2: Show that the problem is NP-hard. Step 2: Show that the problem is NP-hard.
We proceed by proving that $SSS\leq_p CG$. (Subset Sum $\leq_p$ Component Grouping) We proceed by proving that $SSS\leq_p CG$. (Subset Sum $\leq_p$ Component Grouping)
Consider an instance of SSS: $\langle a_1,a_2,\cdots,a_n,b\rangle$. Consider an instance of SSS: $\langle a_1,a_2,\cdots,a_n,b\rangle$.
We construct an instance of CG as follows: We construct an instance of CG as follows:
For each $a_i\in S$, we create a chain of $a_i$ vertices. For each $a_i\in S$, we create a chain of $a_i$ vertices.
WARNING: this is not a valid proof for NP hardness since the reduction is not polynomial for $n$, where $n$ is the number of vertices in the SSS instance. WARNING: this is not a valid proof for NP hardness since the reduction is not polynomial for $n$, where $n$ is the number of vertices in the SSS instance.

706
pages/CSE347/CSE347_L8.md → content/CSE347/CSE347_L8.md
View File

@@ -1,353 +1,353 @@
# Lecture 8 # Lecture 8
## NP-optimization problem ## NP-optimization problem
Cannot be solved in polynomial time. Cannot be solved in polynomial time.
Example: Example:
- Maximum independent set - Maximum independent set
- Minimum vertex cover - Minimum vertex cover
What can we do? What can we do?
- solve small instances - solve small instances
- hard instances are rare - average case analysis - hard instances are rare - average case analysis
- solve special cases - solve special cases
- find an approximate solution - find an approximate solution
## Approximation algorithms ## Approximation algorithms
We find a "good" solution in polynomial time, but may not be optimal. We find a "good" solution in polynomial time, but may not be optimal.
Example: Example:
- Minimum vertex cover: we will find a small vertex cover, but not necessarily the smallest one. - Minimum vertex cover: we will find a small vertex cover, but not necessarily the smallest one.
- Maximum independent set: we will find a large independent set, but not necessarily the largest one. - Maximum independent set: we will find a large independent set, but not necessarily the largest one.
Question: How do we quantify the quality of the solution? Question: How do we quantify the quality of the solution?
### Approximation ratio ### Approximation ratio
Intuition: Intuition:
How good is an algorithm $A$ compared to an optimal solution in the worst case? How good is an algorithm $A$ compared to an optimal solution in the worst case?
Definition: Definition:
Consider algorithm $A$ for an NP-optimization problem $L$. Say for **any** instance $l$, $A$ finds a solution output $c_A(l)$ and the optimal solution is $c^*(l)$. Consider algorithm $A$ for an NP-optimization problem $L$. Say for **any** instance $l$, $A$ finds a solution output $c_A(l)$ and the optimal solution is $c^*(l)$.
Approximation ratio is either: Approximation ratio is either:
$$ $$
\max_{l \in L} \frac{c_A(l)}{c^*(l)}=\alpha \max_{l \in L} \frac{c_A(l)}{c^*(l)}=\alpha
$$ $$
for maximization problems, or for maximization problems, or
$$ $$
\min_{l \in L} \frac{c^A(l)}{c_*(l)}=\alpha \min_{l \in L} \frac{c^A(l)}{c_*(l)}=\alpha
$$ $$
for minimization problems. for minimization problems.
Example: Example:
Alice's Algorithm, $A$, finds a vertex cover of size $c_A(l)$ for instance $l(G)$. The optimal vertex cover has size $c^*(l)$. Alice's Algorithm, $A$, finds a vertex cover of size $c_A(l)$ for instance $l(G)$. The optimal vertex cover has size $c^*(l)$.
We want approximation ratio to be as close to 1 as possible. We want approximation ratio to be as close to 1 as possible.
> Vertex cover: > Vertex cover:
> >
> A vertex cover is a set of vertices that touches all edges. > A vertex cover is a set of vertices that touches all edges.
Let's try an approximation algorithm for the vertex cover problem, called Greedy cover. Let's try an approximation algorithm for the vertex cover problem, called Greedy cover.
#### Greedy cover #### Greedy cover
Pick any uncovered edge, both its endpoints are added to the cover $C$, until all edges are covered. Pick any uncovered edge, both its endpoints are added to the cover $C$, until all edges are covered.
Runtime: $O(m)$ Runtime: $O(m)$
Claim: Greedy cover is correct, and it finds a vertex cover. Claim: Greedy cover is correct, and it finds a vertex cover.
Proof: Proof:
Algorithm only terminates when all edges are covered. Algorithm only terminates when all edges are covered.
Claim: Greedy cover is a 2-approximation algorithm. Claim: Greedy cover is a 2-approximation algorithm.
Proof: Proof:
Look at the two edges we picked. Look at the two edges we picked.
Either it is covered by Greedy cover, or it is not. Either it is covered by Greedy cover, or it is not.
If it is not covered by Greedy cover, then we will add both endpoints to the cover. If it is not covered by Greedy cover, then we will add both endpoints to the cover.
In worst case, Greedy cover will add both endpoints of each edge to the cover. (Consider the graph with disjoint edges.) In worst case, Greedy cover will add both endpoints of each edge to the cover. (Consider the graph with disjoint edges.)
Thus, the size of the vertex cover found by Greedy cover is at most twice the size of the optimal vertex cover. Thus, the size of the vertex cover found by Greedy cover is at most twice the size of the optimal vertex cover.
Thus, Greedy cover is a 2-approximation algorithm. Thus, Greedy cover is a 2-approximation algorithm.
> Min-cut: > Min-cut:
> >
> Given a graph $G$ and two vertices $s$ and $t$, find the minimum cut between $s$ and $t$. > Given a graph $G$ and two vertices $s$ and $t$, find the minimum cut between $s$ and $t$.
> >
> Max-cut: > Max-cut:
> >
> Given a graph $G$, find the maximum cut. > Given a graph $G$, find the maximum cut.
#### Local cut #### Local cut
Algorithm: Algorithm:
- start with an arbitrary cut of $G$. - start with an arbitrary cut of $G$.
- While you can move a vertex from one side to the other side while increasing the size of the cut, do so. - While you can move a vertex from one side to the other side while increasing the size of the cut, do so.
- Return the cut found. - Return the cut found.
We will prove its: We will prove its:
- Runtime - Runtime
- Feasibility - Feasibility
- Approximation ratio - Approximation ratio
##### Runtime for local cut ##### Runtime for local cut
Since size of cut is at most $|E|$, the runtime is $O(m)$. Since size of cut is at most $|E|$, the runtime is $O(m)$.
When we move a vertex from one side to the other side, the size of the cut increases by at least 1. When we move a vertex from one side to the other side, the size of the cut increases by at least 1.
Thus, the algorithm terminates in at most $|V|$ steps. Thus, the algorithm terminates in at most $|V|$ steps.
So the runtime is $O(|E||V|^2)$. So the runtime is $O(|E||V|^2)$.
##### Feasibility for local cut ##### Feasibility for local cut
The algorithm only terminates when no more vertices can be moved. The algorithm only terminates when no more vertices can be moved.
Thus, the cut found is a feasible solution. Thus, the cut found is a feasible solution.
##### Approximation ratio for local cut ##### Approximation ratio for local cut
This is a half-approximation algorithm. This is a half-approximation algorithm.
We need to show that the size of the cut found is at least half of the size of the optimal cut. We need to show that the size of the cut found is at least half of the size of the optimal cut.
We could first upper bound the size of the optimal cut is at most $|E|$. We could first upper bound the size of the optimal cut is at most $|E|$.
We will then prove that solution we found is at least half of the optimal cut $\frac{|E|}{2}$ for any graph $G$. We will then prove that solution we found is at least half of the optimal cut $\frac{|E|}{2}$ for any graph $G$.
Proof: Proof:
When we terminate, no vertex could be moved When we terminate, no vertex could be moved
Therefore, **The number of crossing edges is at least the number of non-crossing edges**. Therefore, **The number of crossing edges is at least the number of non-crossing edges**.
Let $d(u)$ be the degree of vertex $u\in V$. Let $d(u)$ be the degree of vertex $u\in V$.
The total number of crossing edges for vertex $u$ is at least $\frac{1}{2}d(u)$. The total number of crossing edges for vertex $u$ is at least $\frac{1}{2}d(u)$.
Summing over all vertices, the total number of crossing edges is at least $\frac{1}{2}\sum_{u\in V}d(u)=\frac{1}{2}|E|$. Summing over all vertices, the total number of crossing edges is at least $\frac{1}{2}\sum_{u\in V}d(u)=\frac{1}{2}|E|$.
So the total number of non-crossing edges is at most $\frac{|E|}{2}$. So the total number of non-crossing edges is at most $\frac{|E|}{2}$.
QED QED
#### Set cover #### Set cover
Problem: Problem:
You are collecting a set of magic cards. You are collecting a set of magic cards.
$X$ is the set of all possible cards. You want at least one of each card. $X$ is the set of all possible cards. You want at least one of each card.
Each dealer $j$ has a pack $S_j\subseteq X$ of cards. You have to buy entire pack or none from dealer $j$. Each dealer $j$ has a pack $S_j\subseteq X$ of cards. You have to buy entire pack or none from dealer $j$.
Goal: What is the least number of packs you need to buy to get all cards? Goal: What is the least number of packs you need to buy to get all cards?
Formally: Formally:
Input $X$ is a universe of $n$ elements, and a collection of subsets of $X$, $Y=\{S_1, S_2, \ldots, S_m\}\subseteq X$. Input $X$ is a universe of $n$ elements, and a collection of subsets of $X$, $Y=\{S_1, S_2, \ldots, S_m\}\subseteq X$.
Goal: Pick $C\subseteq Y$ such that $\bigcup_{S_i\in C}S_i=X$, and $|C|$ is minimized. Goal: Pick $C\subseteq Y$ such that $\bigcup_{S_i\in C}S_i=X$, and $|C|$ is minimized.
Set cover is an NP-optimization problem. It is a generalization of the vertex cover problem. Set cover is an NP-optimization problem. It is a generalization of the vertex cover problem.
#### Greedy set cover #### Greedy set cover
Algorithm: Algorithm:
- Start with empty set $C$. - Start with empty set $C$.
- While there is an element $x$ in $X$ that is not covered, pick one such element $x\in S_i$ where $S_i$ is the set that has not been picked before. - While there is an element $x$ in $X$ that is not covered, pick one such element $x\in S_i$ where $S_i$ is the set that has not been picked before.
- Add $S_i$ to $C$. - Add $S_i$ to $C$.
- Return $C$. - Return $C$.
```python ```python
def greedy_set_cover(X, Y): def greedy_set_cover(X, Y):
# X is the set of elements # X is the set of elements
# Y is the collection of sets, hashset by default # Y is the collection of sets, hashset by default
C = [] C = []
def non_covered_elements(X, C): def non_covered_elements(X, C):
# return the elements in X that are not covered by C # return the elements in X that are not covered by C
# O(|X|) # O(|X|)
return [x for x in X if not any(x in c for c in C)] return [x for x in X if not any(x in c for c in C)]
non_covered = non_covered_elements(X, C) non_covered = non_covered_elements(X, C)
# O(|X|) every loop reduce the size of non_covered by 1 # O(|X|) every loop reduce the size of non_covered by 1
while non_covered: while non_covered:
max_cover,max_set = 0,None max_cover,max_set = 0,None
# O(|Y|) # O(|Y|)
for S in Y: for S in Y:
# Intersection of two sets is O(min(|X|,|S|)) # Intersection of two sets is O(min(|X|,|S|))
cur_cover = len(set(non_covered) & set(S)) cur_cover = len(set(non_covered) & set(S))
if cur_cover > max_cover: if cur_cover > max_cover:
max_cover,max_set = cur_cover,S max_cover,max_set = cur_cover,S
C.append(max_set) C.append(max_set)
non_covered = non_covered_elements(X, C) non_covered = non_covered_elements(X, C)
return C return C
``` ```
It is not optimal. It is not optimal.
Need to prove its: Need to prove its:
- Correctness: - Correctness:
Keep picking until all elements are covered. Keep picking until all elements are covered.
- Runtime: - Runtime:
$O(|X||Y|^2)$ $O(|X||Y|^2)$
- Approximation ratio: - Approximation ratio:
##### Approximation ratio for greedy set cover ##### Approximation ratio for greedy set cover
> Harmonic number: > Harmonic number:
> >
> $H_n=\sum_{i=1}^n\frac{1}{i}=\frac{1}{1}+\frac{1}{2}+\frac{1}{3}+\cdots+\frac{1}{n}=\Theta(\log n)$ > $H_n=\sum_{i=1}^n\frac{1}{i}=\frac{1}{1}+\frac{1}{2}+\frac{1}{3}+\cdots+\frac{1}{n}=\Theta(\log n)$
We claim that the size of the set cover found is at most $H_n\log n$ times the size of the optimal set cover. We claim that the size of the set cover found is at most $H_n\log n$ times the size of the optimal set cover.
###### First bound: ###### First bound:
Proof: Proof:
If the optimal picks $k$ sets, then the size of the set cover found is at most $(1+\log n)k$ sets. If the optimal picks $k$ sets, then the size of the set cover found is at most $(1+\log n)k$ sets.
Let $n=|X|$. Let $n=|X|$.
Observe that Observe that
For the first round, the elements that we not covered is $n$. For the first round, the elements that we not covered is $n$.
$$ $$
|U_0|=n |U_0|=n
$$ $$
In the second round, the elements that we not covered is at most $|U_0|-x$ where $x=|S_1|$ is the number of elements in the set picked in the first round. In the second round, the elements that we not covered is at most $|U_0|-x$ where $x=|S_1|$ is the number of elements in the set picked in the first round.
$$ $$
|U_1|=|U_0|-|S_1| |U_1|=|U_0|-|S_1|
$$ $$
... ...
So $x_i\geq \frac{|U_{i-1}|}{k}$. So $x_i\geq \frac{|U_{i-1}|}{k}$.
We proceed by contradiction. We proceed by contradiction.
Suppose all sets in the optimal solution are $< \frac{|U_0|}{k}$. Then the sum of the sizes of the sets in the optimal solution is $< |U_0|=n$. Suppose all sets in the optimal solution are $< \frac{|U_0|}{k}$. Then the sum of the sizes of the sets in the optimal solution is $< |U_0|=n$.
_There exists a least ratio of selection of sets determined by $k_i$. Otherwise the function (selecting the set cover) will not terminate (no such sets exists)_ _There exists a least ratio of selection of sets determined by $k_i$. Otherwise the function (selecting the set cover) will not terminate (no such sets exists)_
> Some math magics: > Some math magics:
> $$(1-\frac{1}{k})^k\leq \frac{1}{e}$$ > $$(1-\frac{1}{k})^k\leq \frac{1}{e}$$
So $n(1-\frac{1}{k})^{|C|-1}=1$, $|C|\leq 1+k\ln n$. So $n(1-\frac{1}{k})^{|C|-1}=1$, $|C|\leq 1+k\ln n$.
So the size of the set cover found is at most $(1+\ln n)k$. So the size of the set cover found is at most $(1+\ln n)k$.
QED QED
So the greedy set cover is not too bad... So the greedy set cover is not too bad...
###### Second bound: ###### Second bound:
Greedy set cover is a $H_d$-approximation algorithm of set cover. Greedy set cover is a $H_d$-approximation algorithm of set cover.
Proof: Proof:
Assign a cost to the elements of $X$ according to the decisions of the greedy set cover. Assign a cost to the elements of $X$ according to the decisions of the greedy set cover.
Let $\delta(S^i)$ be the new number of elements covered by set $S^i$. Let $\delta(S^i)$ be the new number of elements covered by set $S^i$.
$$ $$
\delta(S^i)=|S_i\cap U_{i-1}| \delta(S^i)=|S_i\cap U_{i-1}|
$$ $$
If the element $x$ is added by step $i$, when set $S_i$ is picked, then the cost of $x$ to If the element $x$ is added by step $i$, when set $S_i$ is picked, then the cost of $x$ to
$$ $$
\frac{1}{\delta(S^i)}=\frac{1}{x_i} \frac{1}{\delta(S^i)}=\frac{1}{x_i}
$$ $$
Example: Example:
$$ $$
\begin{aligned} \begin{aligned}
X&=\{A,B,C,D,E,F,G\}\\ X&=\{A,B,C,D,E,F,G\}\\
S_1&=\{A,C,E\}\\ S_1&=\{A,C,E\}\\
S_2&=\{B,C,F,G\}\\ S_2&=\{B,C,F,G\}\\
S_3&=\{B,D,F,G\}\\ S_3&=\{B,D,F,G\}\\
S_4&=\{D,G\} S_4&=\{D,G\}
\end{aligned} \end{aligned}
$$ $$
First we select $S_2$, then $cost(B)=cost(C)=cost(F)=cost(G)=\frac{1}{4}$. First we select $S_2$, then $cost(B)=cost(C)=cost(F)=cost(G)=\frac{1}{4}$.
Then we select $S_1$, then $cost(A)=cost(E)=\frac{1}{2}$. Then we select $S_1$, then $cost(A)=cost(E)=\frac{1}{2}$.
Then we select $S_3$, then $cost(D)=1$. Then we select $S_3$, then $cost(D)=1$.
If element $x$ was covered by greedy set cover due to the addition of set $S^i$ at step $i$, then the cost of $x$ is $\frac{1}{\delta(S^i)}$. If element $x$ was covered by greedy set cover due to the addition of set $S^i$ at step $i$, then the cost of $x$ is $\frac{1}{\delta(S^i)}$.
$$ $$
\textup{Total cost of GSC}=\sum_{x\in X}c(x)=\sum_{i=1}^{|C|}\sum_{X\textup{ covered at iteration }i}c(x)=\sum_{i=1}^{|C|}\delta(S^i)\frac{1}{\delta(S^i)}=|C| \textup{Total cost of GSC}=\sum_{x\in X}c(x)=\sum_{i=1}^{|C|}\sum_{X\textup{ covered at iteration }i}c(x)=\sum_{i=1}^{|C|}\delta(S^i)\frac{1}{\delta(S^i)}=|C|
$$ $$
Claim: Consider any set $S$ that is a subset of $X$. The cost paid by the greedy set cover for $S$ is at most $H_{|S|}$. Claim: Consider any set $S$ that is a subset of $X$. The cost paid by the greedy set cover for $S$ is at most $H_{|S|}$.
Suppose that the greedy set covers $S$ in order $x_1,x_2,\ldots,x_{|S|}$, where $\{x_1,x_2,\ldots,x_{|S|}\}=S$. Suppose that the greedy set covers $S$ in order $x_1,x_2,\ldots,x_{|S|}$, where $\{x_1,x_2,\ldots,x_{|S|}\}=S$.
When GSC covers $x_j$, $\{x_j,x_{j+1},\ldots,x_{|S|}\}$ are not covered. When GSC covers $x_j$, $\{x_j,x_{j+1},\ldots,x_{|S|}\}$ are not covered.
At this point, the GSC has the option of picking $S$ At this point, the GSC has the option of picking $S$
This implies that the $\delta(S)$ is at least $|S|-j+1$. This implies that the $\delta(S)$ is at least $|S|-j+1$.
Assume that $S$ is picked $\hat{S}$ for which $\delta(\hat{S})$ is maximized ($\hat{S}$ may be $S$ or other sets that have not covered $x_j$). Assume that $S$ is picked $\hat{S}$ for which $\delta(\hat{S})$ is maximized ($\hat{S}$ may be $S$ or other sets that have not covered $x_j$).
So, $\delta(\hat{S})\geq \delta(S)\geq |S|-j+1$. So, $\delta(\hat{S})\geq \delta(S)\geq |S|-j+1$.
So the cost of $x_j$ is $\delta(\hat{S})\leq \frac{1}{\delta(S)}\leq \frac{1}{|S|-j+1}$. So the cost of $x_j$ is $\delta(\hat{S})\leq \frac{1}{\delta(S)}\leq \frac{1}{|S|-j+1}$.
Summing over all $j$, the cost of $S$ is at most $\sum_{j=1}^{|S|}\frac{1}{|S|-j+1}=H_{|S|}$. Summing over all $j$, the cost of $S$ is at most $\sum_{j=1}^{|S|}\frac{1}{|S|-j+1}=H_{|S|}$.
Back to the proof of approximation ratio: Back to the proof of approximation ratio:
Let $C^*$ be optimal set cover. Let $C^*$ be optimal set cover.
$$ $$
|C|=\sum_{x\in X}c(x)\leq \sum_{S_j\in C^*}\sum_{x\in S_j}c(x) |C|=\sum_{x\in X}c(x)\leq \sum_{S_j\in C^*}\sum_{x\in S_j}c(x)
$$ $$
This inequality holds because of counting element that is covered by more than one set. This inequality holds because of counting element that is covered by more than one set.
Since $\sum_{x\in S_j}c(x)\leq H_{|S_j|}$, by our claim. Since $\sum_{x\in S_j}c(x)\leq H_{|S_j|}$, by our claim.
Let $d$ be the largest cardinality of any set in $C^*$. Let $d$ be the largest cardinality of any set in $C^*$.
$$ $$
|C|\leq \sum_{S_j\in C^*}H_{|S_j|}\leq \sum_{S_j\in C^*}H_d=H_d|C^*| |C|\leq \sum_{S_j\in C^*}H_{|S_j|}\leq \sum_{S_j\in C^*}H_d=H_d|C^*|
$$ $$
So the approximation ratio for greedy set cover is $H_d$. So the approximation ratio for greedy set cover is $H_d$.
QED QED

0
pages/CSE347/CSE347_L9.md → content/CSE347/CSE347_L9.md
View File

66
pages/CSE347/Exam_reviews/CSE347_E1.md → content/CSE347/Exam_reviews/CSE347_E1.md
View File

@@ -1,34 +1,34 @@
# Exam 1 review # Exam 1 review
## Greedy ## Greedy
A Greedy Algorithm is an algorithm whose solution applies the same choice rule at each step over and over until no more choices can be made. A Greedy Algorithm is an algorithm whose solution applies the same choice rule at each step over and over until no more choices can be made.
- Stating and Proving a Greedy Algorithm - Stating and Proving a Greedy Algorithm
- State your algorithm (“at this step, make this choice”) - State your algorithm (“at this step, make this choice”)
- Greedy Choice Property (Exchange Argument) - Greedy Choice Property (Exchange Argument)
- Inductive Structure - Inductive Structure
- Optimal Substructure - Optimal Substructure
- "Simple Induction" - "Simple Induction"
- Asymptotic Runtime - Asymptotic Runtime
## Divide and conquer ## Divide and conquer
Stating and Proving a Dividing and Conquer Algorithm Stating and Proving a Dividing and Conquer Algorithm
- Describe the divide, conquer, and combine steps of your algorithm. - Describe the divide, conquer, and combine steps of your algorithm.
- The combine step is the most important part of a divide and conquer algorithm, and in your recurrence this step is the "f (n)", or work done at each subproblem level. You need to show that you can combine the results of your subproblems somehow to get the solution for the entire problem. - The combine step is the most important part of a divide and conquer algorithm, and in your recurrence this step is the "f (n)", or work done at each subproblem level. You need to show that you can combine the results of your subproblems somehow to get the solution for the entire problem.
- Provide and prove a base case (when you can divide no longer) - Provide and prove a base case (when you can divide no longer)
- Prove your induction step: suppose subproblems (two problems of size n/2, usually) of the same kind are solved optimally. Then, because of the combine step, the overall problem (of size n) will be solved optimally. - Prove your induction step: suppose subproblems (two problems of size n/2, usually) of the same kind are solved optimally. Then, because of the combine step, the overall problem (of size n) will be solved optimally.
- Provide recurrence and solve for its runtime (Master Method) - Provide recurrence and solve for its runtime (Master Method)
## Maximum Flow ## Maximum Flow
Given a weighted directed acyclic graph with a source and a sink node, the goal is to see how much "flow" you can push from the source to the sink simultaneously. Given a weighted directed acyclic graph with a source and a sink node, the goal is to see how much "flow" you can push from the source to the sink simultaneously.
Finding the maximum flow can be solved by the Ford-Fulkerson Algorithm. Runtime (from lecture slides): $O(F (|V | + |E |))$. Finding the maximum flow can be solved by the Ford-Fulkerson Algorithm. Runtime (from lecture slides): $O(F (|V | + |E |))$.
Fattest Path improvement: $O(log |V |(|V | + |E |))$ Fattest Path improvement: $O(log |V |(|V | + |E |))$
Min Cut-Max Flow: the maximum flow from source $s$ to sink $t$ is equal to the minimum sum of an $s-t$ cut. Min Cut-Max Flow: the maximum flow from source $s$ to sink $t$ is equal to the minimum sum of an $s-t$ cut.
A cut is a partition of a graph into two disjoint sets by removing edges connecting the two parts. An $s-t$ cut will put $s$ and $t$ into the different sets. A cut is a partition of a graph into two disjoint sets by removing edges connecting the two parts. An $s-t$ cut will put $s$ and $t$ into the different sets.

0
pages/CSE347/Exam_reviews/CSE347_E2.md → content/CSE347/Exam_reviews/CSE347_E2.md
View File

2
pages/CSE347/_meta.js → content/CSE347/_meta.js
View File

@@ -1,5 +1,5 @@
export default { export default {
index: "Course Description", //index: "Course Description",
"---":{ "---":{
type: 'separator' type: 'separator'
}, },

0
pages/CSE347/index.md → content/CSE347/index.md
View File

254
pages/CSE442T/CSE442T_L1.md → content/CSE442T/CSE442T_L1.md
View File

@@ -1,127 +1,127 @@
# Lecture 1 # Lecture 1
## Chapter 1: Introduction ## Chapter 1: Introduction
### Alice sending information to Bob ### Alice sending information to Bob
Assuming _Eve_ can always listen Assuming _Eve_ can always listen
Rule 1. Message, Encryption to Code and Decryption to original Message. Rule 1. Message, Encryption to Code and Decryption to original Message.
### Kerckhoffs' principle ### Kerckhoffs' principle
It states that the security of a cryptographic system shouldn't rely on the secrecy of the algorithm (Assuming Eve knows how everything works.) It states that the security of a cryptographic system shouldn't rely on the secrecy of the algorithm (Assuming Eve knows how everything works.)
**Security is due to the security of the key.** **Security is due to the security of the key.**
### Private key encryption scheme ### Private key encryption scheme
Let $M$ be the set of message that Alice will send to Bob. (The message space) "plaintext" Let $M$ be the set of message that Alice will send to Bob. (The message space) "plaintext"
Let $K$ be the set of key that will ever be used. (The key space) Let $K$ be the set of key that will ever be used. (The key space)
$Gen$ be the key generation algorithm. $Gen$ be the key generation algorithm.
$k\gets Gen(K)$ $k\gets Gen(K)$
$c\gets Enc_k(m)$ denotes cipher encryption. $c\gets Enc_k(m)$ denotes cipher encryption.
$m'\gets Dec_k(c')$ $m'$ might be null for incorrect $c'$. $m'\gets Dec_k(c')$ $m'$ might be null for incorrect $c'$.
$P[k\gets K:Dec_k(Enc_k(M))=m]=1$ The probability of decryption of encrypted message is original message is 1. $P[k\gets K:Dec_k(Enc_k(M))=m]=1$ The probability of decryption of encrypted message is original message is 1.
*_in some cases we can allow the probability not be 1_ *_in some cases we can allow the probability not be 1_
### Some examples of crypto system ### Some examples of crypto system
Let $M=\text{all five letter strings}$. Let $M=\text{all five letter strings}$.
And $K=[1,10^{10}]$ And $K=[1,10^{10}]$
Example: Example:
$P[k=k']=\frac{1}{10^{10}}$ $P[k=k']=\frac{1}{10^{10}}$
$Enc_{1234567890}("brion")="brion1234567890"$ $Enc_{1234567890}("brion")="brion1234567890"$
$Dec_{1234567890}(brion1234567890)="brion"$ $Dec_{1234567890}(brion1234567890)="brion"$
Seems not very secure but valid crypto system. Seems not very secure but valid crypto system.
### Early attempts for crypto system ### Early attempts for crypto system
#### Caesar cipher #### Caesar cipher
$M=\text{finite string of texts}$ $M=\text{finite string of texts}$
$K=[1,26]$ $K=[1,26]$
$Enc_k=[(i+K)\% 26\ for\ i \in m]=c$ $Enc_k=[(i+K)\% 26\ for\ i \in m]=c$
$Dec_k=[(i+26-K)\% 26\ for\ i \in c]$ $Dec_k=[(i+26-K)\% 26\ for\ i \in c]$
```python ```python
def caesar_cipher_enc(s: str, k:int): def caesar_cipher_enc(s: str, k:int):
return ''.join([chr((ord(i)-ord('a')+k)%26+ord('a')) for i in s]) return ''.join([chr((ord(i)-ord('a')+k)%26+ord('a')) for i in s])
def caesar_cipher_dec(s: str, k:int): def caesar_cipher_dec(s: str, k:int):
return ''.join([chr((ord(i)-ord('a')+26-k)%26+ord('a')) for i in s]) return ''.join([chr((ord(i)-ord('a')+26-k)%26+ord('a')) for i in s])
``` ```
#### Substitution cipher #### Substitution cipher
$M=\text{finite string of texts}$ $M=\text{finite string of texts}$
$K=\text{set of all bijective linear transformations (for English alphabet},|K|=26!\text{)}$ $K=\text{set of all bijective linear transformations (for English alphabet},|K|=26!\text{)}$
$Enc_k=[iK\ for\ i \in m]=c$ $Enc_k=[iK\ for\ i \in m]=c$
$Dec_k=[iK^{-1}\ for\ i \in c]$ $Dec_k=[iK^{-1}\ for\ i \in c]$
Fails to frequency analysis Fails to frequency analysis
#### Vigenere Cipher #### Vigenere Cipher
$M=\text{finite string of texts with length }m$ $M=\text{finite string of texts with length }m$
$K=\text{[0,26]}^n$ (assuming English alphabet) $K=\text{[0,26]}^n$ (assuming English alphabet)
```python ```python
def viginere_cipher_enc(s: str, k: List[int]): def viginere_cipher_enc(s: str, k: List[int]):
res='' res=''
n,m=len(s),len(k) n,m=len(s),len(k)
j=0 j=0
for i in s: for i in s:
res+=caesar_cipher_enc(i,k[j]) res+=caesar_cipher_enc(i,k[j])
j=(j+1)%m j=(j+1)%m
return res return res
def viginere_cipher_dec(s: str, k: List[int]): def viginere_cipher_dec(s: str, k: List[int]):
res='' res=''
n,m=len(s),len(k) n,m=len(s),len(k)
j=0 j=0
for i in s: for i in s:
res+=caesar_cipher_dec(i,k[j]) res+=caesar_cipher_dec(i,k[j])
j=(j+1)%m j=(j+1)%m
return res return res
``` ```
#### One time pad #### One time pad
Completely random string, sufficiently long. Completely random string, sufficiently long.
$M=\text{finite string of texts with length }n$ $M=\text{finite string of texts with length }n$
$K=\text{[0,26]}^n$ (assuming English alphabet)$ $K=\text{[0,26]}^n$ (assuming English alphabet)$
$Enc_k=m\oplus k$ $Enc_k=m\oplus k$
$Dec_k=c\oplus k$ $Dec_k=c\oplus k$
```python ```python
def one_time_pad_enc(s: str, k: List[int]): def one_time_pad_enc(s: str, k: List[int]):
return ''.join([chr((ord(i)-ord('a')+k[j])%26+ord('a')) for j,i in enumerate(s)]) return ''.join([chr((ord(i)-ord('a')+k[j])%26+ord('a')) for j,i in enumerate(s)])
def one_time_pad_dec(s: str, k: List[int]): def one_time_pad_dec(s: str, k: List[int]):
return ''.join([chr((ord(i)-ord('a')+26-k[j])%26+ord('a')) for j,i in enumerate(s)]) return ''.join([chr((ord(i)-ord('a')+26-k[j])%26+ord('a')) for j,i in enumerate(s)])
``` ```

420
pages/CSE442T/CSE442T_L10.md → content/CSE442T/CSE442T_L10.md
View File

@@ -1,210 +1,210 @@
# Lecture 10 # Lecture 10
## Chapter 2: Computational Hardness ## Chapter 2: Computational Hardness
### Discrete Log Assumption (Assumption 52.2) ### Discrete Log Assumption (Assumption 52.2)
This is collection of one-way functions This is collection of one-way functions
$$ $$
p\gets \tilde\Pi_n(\textup{ safe primes }), p=2q+1 p\gets \tilde\Pi_n(\textup{ safe primes }), p=2q+1
$$ $$
$$ $$
a\gets \mathbb{Z}*_{p};g=a^2(\textup{ make sure }g\neq 1) a\gets \mathbb{Z}*_{p};g=a^2(\textup{ make sure }g\neq 1)
$$ $$
$$ $$
f_{g,p}(x)=g^x\mod p f_{g,p}(x)=g^x\mod p
$$ $$
$$ $$
f:\mathbb{Z}_q\to \mathbb{Z}^*_p f:\mathbb{Z}_q\to \mathbb{Z}^*_p
$$ $$
#### Evidence for Discrete Log Assumption #### Evidence for Discrete Log Assumption
Best known algorithm to always solve discrete log mod p, $p\in \Pi_n$ Best known algorithm to always solve discrete log mod p, $p\in \Pi_n$
$$ $$
O(2^{\sqrt{2}\sqrt{\log(n)}}) O(2^{\sqrt{2}\sqrt{\log(n)}})
$$ $$
### RSA Assumption ### RSA Assumption
Let $e$ be the exponents Let $e$ be the exponents
$$ $$
P[p,q\gets \Pi_n;N\gets p\cdot q;e\gets \mathbb{Z}_{\phi(N)}^*;y\gets \mathbb{N}_n;x\gets \mathcal{A}(N,e,y);x^e=y\mod N]<\epsilon(n) P[p,q\gets \Pi_n;N\gets p\cdot q;e\gets \mathbb{Z}_{\phi(N)}^*;y\gets \mathbb{N}_n;x\gets \mathcal{A}(N,e,y);x^e=y\mod N]<\epsilon(n)
$$ $$
#### Theorem 53.2 (RSA Algorithm) #### Theorem 53.2 (RSA Algorithm)
This is a collection of one-way functions This is a collection of one-way functions
$I=\{(N,e):N=p\cdot q,p,q\in \Pi_n \textup{ and } e\in \mathbb{Z}_{\phi(N)}^*\}$ $I=\{(N,e):N=p\cdot q,p,q\in \Pi_n \textup{ and } e\in \mathbb{Z}_{\phi(N)}^*\}$
$D_{(N,e)}=\mathbb{Z}_N^*$ $D_{(N,e)}=\mathbb{Z}_N^*$
$R_{(N,e)}=\mathbb{Z}_N^*$ $R_{(N,e)}=\mathbb{Z}_N^*$
$f_{(N,e)}(x)=x^e\mod N$ $f_{(N,e)}(x)=x^e\mod N$
Example: Example:
On encryption side On encryption side
$p=5,q=11,N=5\times 11=55$, $\phi(N)=4*10=40$ $p=5,q=11,N=5\times 11=55$, $\phi(N)=4*10=40$
pick $e\in \mathbb{Z}_{40}^*$. say $e=3$, and $f(x)=x^3\mod 55$ pick $e\in \mathbb{Z}_{40}^*$. say $e=3$, and $f(x)=x^3\mod 55$
pick $y\in \mathbb{Z}_{55}^*$. say $y=17$. We have $(55,3,17)$ pick $y\in \mathbb{Z}_{55}^*$. say $y=17$. We have $(55,3,17)$
$x^{40}\equiv 1\mod 55$ $x^{40}\equiv 1\mod 55$
$x^{41}\equiv x\mod 55$ $x^{41}\equiv x\mod 55$
$x^{40k+1}\equiv x \mod 55$ $x^{40k+1}\equiv x \mod 55$
Since $x^a\equiv x^{a\mod 40}\mod 55$ (by corollary of Fermat's little Theorem: $a^x\mod N=a^{x\mod \Phi(N)}\mod N$ Since $x^a\equiv x^{a\mod 40}\mod 55$ (by corollary of Fermat's little Theorem: $a^x\mod N=a^{x\mod \Phi(N)}\mod N$
s ) s )
The problem is, what can we multiply by $3$ to get $1\mod \phi(N)=1\mod 40$. The problem is, what can we multiply by $3$ to get $1\mod \phi(N)=1\mod 40$.
by computing the multiplicative inverse using extended Euclidean algorithm we have $3\cdot 27\equiv 1\mod 40$. by computing the multiplicative inverse using extended Euclidean algorithm we have $3\cdot 27\equiv 1\mod 40$.
$x^3\equiv 17\mod 55$ $x^3\equiv 17\mod 55$
$x\equiv 17^{27}\mod 55$ $x\equiv 17^{27}\mod 55$
On adversary side. On adversary side.
they don't know $\phi(N)=40$ they don't know $\phi(N)=40$
$$ $$
f(N,e):\mathbb{Z}_N^*\to \mathbb{Z}_N^* f(N,e):\mathbb{Z}_N^*\to \mathbb{Z}_N^*
$$ $$
is a bijection. is a bijection.
Proof: Suppose $x_1^e\equiv x_2^e\mod n$ Proof: Suppose $x_1^e\equiv x_2^e\mod n$
Then let $d=e^{-1}\mod \phi(N)$ (exists b/c $e\in\phi(N)^*$) Then let $d=e^{-1}\mod \phi(N)$ (exists b/c $e\in\phi(N)^*$)
So $(x_1^e)^d\equiv (x_2^e)^d\mod N$ So $(x_1^e)^d\equiv (x_2^e)^d\mod N$
So $x_1^{e\cdot d\mod \phi(N)}\equiv x_2^{e\cdot d\mod \phi(N)}\mod N$ (Euler's Theorem) So $x_1^{e\cdot d\mod \phi(N)}\equiv x_2^{e\cdot d\mod \phi(N)}\mod N$ (Euler's Theorem)
$x_1\equiv x_2\mod N$ $x_1\equiv x_2\mod N$
So it's one-to-one. So it's one-to-one.
QED QED
Let $y\in \mathbb{Z}_N^*$, letting $x=y^d\mod N$, where $d\equiv e^{-1}\mod \phi(N)$ Let $y\in \mathbb{Z}_N^*$, letting $x=y^d\mod N$, where $d\equiv e^{-1}\mod \phi(N)$
$x^e\equiv (y^d)^e \equiv y\mod n$ $x^e\equiv (y^d)^e \equiv y\mod n$
Proof: Proof:
It's easy to sample from $I$: It's easy to sample from $I$:
* pick $p,q\in \Pi_n$. $N=p\cdot q$ * pick $p,q\in \Pi_n$. $N=p\cdot q$
* compute $\phi(N)=(p-1)(q-1)$ * compute $\phi(N)=(p-1)(q-1)$
* pick $e\gets \mathbb{Z}^*_N$. If $gcd(e,\phi(N))\neq 1$, pick again ($\mathbb{Z}_{\phi_(N)}^*$ has plenty of elements.) * pick $e\gets \mathbb{Z}^*_N$. If $gcd(e,\phi(N))\neq 1$, pick again ($\mathbb{Z}_{\phi_(N)}^*$ has plenty of elements.)
Easy to sample $\mathbb{\mathbb{Z}_N^*}$ (domain). Easy to sample $\mathbb{\mathbb{Z}_N^*}$ (domain).
Easy to compute $x^e\mod N$. Easy to compute $x^e\mod N$.
Hard to invert: Hard to invert:
$$ $$
\begin{aligned} \begin{aligned}
&~~~~P[(N,e)\in I;x\gets \mathbb{Z}_N^*;y=x^e\mod N:f(\mathcal{A}((N,e),y))=y]\\ &~~~~P[(N,e)\in I;x\gets \mathbb{Z}_N^*;y=x^e\mod N:f(\mathcal{A}((N,e),y))=y]\\
&=P[(N,e)\in I;x\gets \mathbb{Z}_N^*;y=x^e\mod N:x\gets \mathcal{A}((N,e),y)]\\ &=P[(N,e)\in I;x\gets \mathbb{Z}_N^*;y=x^e\mod N:x\gets \mathcal{A}((N,e),y)]\\
&=P[(N,e)\in I;y\gets \mathbb{Z}_N^*;y=x^e\mod N:x\gets \mathcal{A}((N,e),y),x^e\equiv y\mod N]\\ &=P[(N,e)\in I;y\gets \mathbb{Z}_N^*;y=x^e\mod N:x\gets \mathcal{A}((N,e),y),x^e\equiv y\mod N]\\
\end{aligned} \end{aligned}
$$ $$
By RSA assumption By RSA assumption
The second equality follows because for any finite $D$ and bijection $f:D\to D$, sampling $y\in D$ directly is equivalent to sampling $x\gets D$, then computing $y=f(x)$. The second equality follows because for any finite $D$ and bijection $f:D\to D$, sampling $y\in D$ directly is equivalent to sampling $x\gets D$, then computing $y=f(x)$.
QED QED
#### Theorem If inverting RSA is hard, then factoring is hard. #### Theorem If inverting RSA is hard, then factoring is hard.
$$ $$
\textup{ RSA assumption }\implies \textup{ Factoring assumption} \textup{ RSA assumption }\implies \textup{ Factoring assumption}
$$ $$
If inverting RSA is hard, then factoring is hard. If inverting RSA is hard, then factoring is hard.
i.e If factoring is easy, then inverting RSA is easy. i.e If factoring is easy, then inverting RSA is easy.
Proof: Proof:
Suppose $\mathcal{A}$ is an adversary that breaks the factoring assumption, then Suppose $\mathcal{A}$ is an adversary that breaks the factoring assumption, then
$$ $$
P[p\gets \Pi_n;q\gets \Pi_n;N=p\cdot q;\mathcal{A}(N)=(p,q)]>\frac{1}{p(n)} P[p\gets \Pi_n;q\gets \Pi_n;N=p\cdot q;\mathcal{A}(N)=(p,q)]>\frac{1}{p(n)}
$$ $$
infinitely often.for a polynomial $p$. infinitely often.for a polynomial $p$.
Then we designing $B$ to invert RSA. Then we designing $B$ to invert RSA.
Suppose Suppose
$p,q\gets \Pi_n;N=p\cdot q;e\gets \mathbb{Z}_{\phi(N)}^*;x\gets \mathbb{Z}^n;y=x^e\mod N$ $p,q\gets \Pi_n;N=p\cdot q;e\gets \mathbb{Z}_{\phi(N)}^*;x\gets \mathbb{Z}^n;y=x^e\mod N$
``` python ``` python
def B(N,e,y): def B(N,e,y):
""" """
Goal: find x Goal: find x
""" """
p,q=A(N) p,q=A(N)
if n!=p*q: if n!=p*q:
return None return None
phiN=(p-1)*(q-1) phiN=(p-1)*(q-1)
# find modular inverse of e \mod N # find modular inverse of e \mod N
d=extended_euclidean_algorithm(e,phiN) d=extended_euclidean_algorithm(e,phiN)
# returns (y**d)%N # returns (y**d)%N
x=fast_modular_exponent(y,d,N) x=fast_modular_exponent(y,d,N)
return x return x
``` ```
So the probability of B succeeds is equal to A succeeds, which $>\frac{1}{p(n)}$ infinitely often, breaking RSA assumption. So the probability of B succeeds is equal to A succeeds, which $>\frac{1}{p(n)}$ infinitely often, breaking RSA assumption.
Remaining question: Can $x$ be found without factoring $N$? $y=x^e\mod N$ Remaining question: Can $x$ be found without factoring $N$? $y=x^e\mod N$
### One-way permutation (Definition 55.1) ### One-way permutation (Definition 55.1)
A collection function $\mathcal{F}=\{f_i:D_i\to R_i\}_{i\in I}$ is a one-way permutation if A collection function $\mathcal{F}=\{f_i:D_i\to R_i\}_{i\in I}$ is a one-way permutation if
1. $\forall i,f_i$ is a permutation 1. $\forall i,f_i$ is a permutation
2. $\mathcal{F}$ is a collection of one-way functions 2. $\mathcal{F}$ is a collection of one-way functions
_basically, a one-way permutation is a collection of one-way functions that maps $\{0,1\}^n$ to $\{0,1\}^n$ in a bijection way._ _basically, a one-way permutation is a collection of one-way functions that maps $\{0,1\}^n$ to $\{0,1\}^n$ in a bijection way._
### Trapdoor permutations ### Trapdoor permutations
Idea: $f:D\to R$ is a one-way permutation. Idea: $f:D\to R$ is a one-way permutation.
$y\gets R$. $y\gets R$.
* Finding $x$ such that $f(x)=y$ is hard. * Finding $x$ such that $f(x)=y$ is hard.
* With some secret info about $f$, finding $x$ is easy. * With some secret info about $f$, finding $x$ is easy.
$\mathcal{F}=\{f_i:D_i\to R_i\}_{i\in I}$ $\mathcal{F}=\{f_i:D_i\to R_i\}_{i\in I}$
1. $\forall i,f_i$ is a permutation 1. $\forall i,f_i$ is a permutation
2. $(i,t)\gets Gen(1^n)$ efficient. ($i\in I$ paired with $t$), $t$ is the "trapdoor info" 2. $(i,t)\gets Gen(1^n)$ efficient. ($i\in I$ paired with $t$), $t$ is the "trapdoor info"
3. $\forall i,D_i$ can be sampled efficiently. 3. $\forall i,D_i$ can be sampled efficiently.
4. $\forall i,\forall x,f_i(x)$ can be computed in polynomial time. 4. $\forall i,\forall x,f_i(x)$ can be computed in polynomial time.
5. $P[(i,t)\gets Gen(1^n);y\gets R_i:f_i(\mathcal{A}(1^n,i,y))=y]<\epsilon(n)$ (note: $\mathcal{A}$ is not given $t$) 5. $P[(i,t)\gets Gen(1^n);y\gets R_i:f_i(\mathcal{A}(1^n,i,y))=y]<\epsilon(n)$ (note: $\mathcal{A}$ is not given $t$)
6. (trapdoor) There is a p.p.t. $B$ such that given $i,y,t$, B always finds x such that $f_i(x)=y$. $t$ is the "trapdoor info" 6. (trapdoor) There is a p.p.t. $B$ such that given $i,y,t$, B always finds x such that $f_i(x)=y$. $t$ is the "trapdoor info"
#### Theorem RSA is a trapdoor #### Theorem RSA is a trapdoor
RSA collection of trapdoor permutation with factorization $(p,q)$ of $N$, or $\phi(N)$, as trapdoor info $f$. RSA collection of trapdoor permutation with factorization $(p,q)$ of $N$, or $\phi(N)$, as trapdoor info $f$.

228
pages/CSE442T/CSE442T_L11.md → content/CSE442T/CSE442T_L11.md
View File

@@ -1,114 +1,114 @@
# Lecture 11 # Lecture 11
Exam info posted tonight. Exam info posted tonight.
## Chapter 3: Indistinguishability and pseudo-randomness ## Chapter 3: Indistinguishability and pseudo-randomness
### Pseudo-randomness ### Pseudo-randomness
Idea: **Efficiently** produce many bits Idea: **Efficiently** produce many bits
which "appear" truly random. which "appear" truly random.
#### One-time pad #### One-time pad
$m\in\{0,1\}^n$ $m\in\{0,1\}^n$
$Gen(1^n):k\gets \{0,1\}^N$ $Gen(1^n):k\gets \{0,1\}^N$
$Enc_k(m)=m\oplus k$ $Enc_k(m)=m\oplus k$
$Dec_k(c)=c\oplus k$ $Dec_k(c)=c\oplus k$
Advantage: Perfectly secret Advantage: Perfectly secret
Disadvantage: Impractical Disadvantage: Impractical
The goal of pseudo-randomness is to make the algorithm, computationally secure, and practical. The goal of pseudo-randomness is to make the algorithm, computationally secure, and practical.
Let $\{X_n\}$ be a sequence of distributions over $\{0,1\}^{l(n)}$, where $l(n)$ is a polynomial of $n$. Let $\{X_n\}$ be a sequence of distributions over $\{0,1\}^{l(n)}$, where $l(n)$ is a polynomial of $n$.
"Probability ensemble" "Probability ensemble"
Example: Example:
Let $U_n$ be the uniform distribution over $\{0,1\}^n$ Let $U_n$ be the uniform distribution over $\{0,1\}^n$
For all $x\in \{0,1\}^n$ For all $x\in \{0,1\}^n$
$P[x\gets U_n]=\frac{1}{2^n}$ $P[x\gets U_n]=\frac{1}{2^n}$
For $1\leq i\leq n$, $P[x_i=1]=\frac{1}{2}$ For $1\leq i\leq n$, $P[x_i=1]=\frac{1}{2}$
For $1\leq i<j\leq n,P[x_i=1 \textup{ and } x_j=1]=\frac{1}{4}$ (by independence of different bits.) For $1\leq i<j\leq n,P[x_i=1 \textup{ and } x_j=1]=\frac{1}{4}$ (by independence of different bits.)
Let $\{X_n\}_n$ and $\{Y_n\}_n$ be probability ensembles (separate of dist over $\{0,1\}^{l(n)}$) Let $\{X_n\}_n$ and $\{Y_n\}_n$ be probability ensembles (separate of dist over $\{0,1\}^{l(n)}$)
$\{X_n\}_n$ and $\{Y_n\}_n$ are computationally **in-distinguishable** if for all non-uniform p.p.t adversary $\mathcal{D}$ ("distinguishers") $\{X_n\}_n$ and $\{Y_n\}_n$ are computationally **in-distinguishable** if for all non-uniform p.p.t adversary $\mathcal{D}$ ("distinguishers")
$$ $$
|P[x\gets X_n:\mathcal{D}(x)=1]-P[y\gets Y_n:\mathcal{D}(y)=1]|<\epsilon(n) |P[x\gets X_n:\mathcal{D}(x)=1]-P[y\gets Y_n:\mathcal{D}(y)=1]|<\epsilon(n)
$$ $$
this basically means that the probability of finding any pattern in the two array is negligible. this basically means that the probability of finding any pattern in the two array is negligible.
If there is a $\mathcal{D}$ such that If there is a $\mathcal{D}$ such that
$$ $$
|P[x\gets X_n:\mathcal{D}(x)=1]-P[y\gets Y_n:\mathcal{D}(y)=1]|\geq \mu(n) |P[x\gets X_n:\mathcal{D}(x)=1]-P[y\gets Y_n:\mathcal{D}(y)=1]|\geq \mu(n)
$$ $$
then $\mathcal{D}$ is distinguishing with probability $\mu(n)$ then $\mathcal{D}$ is distinguishing with probability $\mu(n)$
If $\mu(n)\geq\frac{1}{p(n)}$, then $\mathcal{D}$ is distinguishing the two $\implies X_n\cancel{\approx} Y_n$ If $\mu(n)\geq\frac{1}{p(n)}$, then $\mathcal{D}$ is distinguishing the two $\implies X_n\cancel{\approx} Y_n$
### Prediction lemma ### Prediction lemma
$X_n^0$ and $X_n^1$ ensembles over $\{0,1\}^{l(n)}$ $X_n^0$ and $X_n^1$ ensembles over $\{0,1\}^{l(n)}$
Suppose $\exists$ distinguisher $\mathcal{D}$ which distinguish by $\geq \mu(n)$. Then $\exists$ adversary $\mathcal{A}$ such that Suppose $\exists$ distinguisher $\mathcal{D}$ which distinguish by $\geq \mu(n)$. Then $\exists$ adversary $\mathcal{A}$ such that
$$ $$
P[b\gets\{0,1\};t\gets X_n^b]:\mathcal{A}(t)=b]\geq \frac{1}{2}+\frac{\mu(n)}{2} P[b\gets\{0,1\};t\gets X_n^b]:\mathcal{A}(t)=b]\geq \frac{1}{2}+\frac{\mu(n)}{2}
$$ $$
Proof: Proof:
Without loss of generality, suppose Without loss of generality, suppose
$$ $$
P[t\gets X^1_n:\mathcal{D}(t)=1]-P[t\gets X_n^0:\mathcal{D}(t)=1]\geq \mu(n) P[t\gets X^1_n:\mathcal{D}(t)=1]-P[t\gets X_n^0:\mathcal{D}(t)=1]\geq \mu(n)
$$ $$
$\mathcal{A}=\mathcal{D}$ (Outputs 1 if and only if $D$ outputs 1, otherwise 0.) $\mathcal{A}=\mathcal{D}$ (Outputs 1 if and only if $D$ outputs 1, otherwise 0.)
$$ $$
\begin{aligned} \begin{aligned}
&~~~~~P[b\gets \{0,1\};t\gets X_n^b:\mathcal{A}(t)=b]\\ &~~~~~P[b\gets \{0,1\};t\gets X_n^b:\mathcal{A}(t)=b]\\
&=P[t\gets X_n^1;\mathcal{A}=1]\cdot P[b=1]+P[t\gets X_n^0;\mathcal{A}(t)=0]\cdot P[b=0]\\ &=P[t\gets X_n^1;\mathcal{A}=1]\cdot P[b=1]+P[t\gets X_n^0;\mathcal{A}(t)=0]\cdot P[b=0]\\
&=\frac{1}{2}P[t\gets X_n^1;\mathcal{A}(t)=1]+\frac{1}{2}(1-P[t\gets X_n^0;\mathcal{A}(t)=1])\\ &=\frac{1}{2}P[t\gets X_n^1;\mathcal{A}(t)=1]+\frac{1}{2}(1-P[t\gets X_n^0;\mathcal{A}(t)=1])\\
&=\frac{1}{2}+\frac{1}{2}(P[t\gets X_n^1;\mathcal{A}(t)=1]-P[t\gets X_n^0;\mathcal{A}(t)=1])\\ &=\frac{1}{2}+\frac{1}{2}(P[t\gets X_n^1;\mathcal{A}(t)=1]-P[t\gets X_n^0;\mathcal{A}(t)=1])\\
&\geq\frac{1}{2}+\frac{1}{2}\mu(n)\\ &\geq\frac{1}{2}+\frac{1}{2}\mu(n)\\
\end{aligned} \end{aligned}
$$ $$
### Pseudo-random ### Pseudo-random
$\{X_n\}$ over $\{0,1\}^{l(n)}$ is **pseudorandom** if $\{X_n\}\approx\{U_{l(n)}\}$. i.e. indistinguishable from the true randomness. $\{X_n\}$ over $\{0,1\}^{l(n)}$ is **pseudorandom** if $\{X_n\}\approx\{U_{l(n)}\}$. i.e. indistinguishable from the true randomness.
Example: Example:
Building distinguishers Building distinguishers
1. $X_n$: always outputs $0^n$, $\mathcal{D}$: [outputs $1$ if $t=0^n$] 1. $X_n$: always outputs $0^n$, $\mathcal{D}$: [outputs $1$ if $t=0^n$]
$$ $$
\vert P[t\gets X_n:\mathcal{D}(t)=1]-P[t\gets U_n:\mathcal{D}(t)=1]\vert=1-\frac{1}{2^n}\approx 1 \vert P[t\gets X_n:\mathcal{D}(t)=1]-P[t\gets U_n:\mathcal{D}(t)=1]\vert=1-\frac{1}{2^n}\approx 1
$$ $$
2. $X_n$: 1st $n-1$ bits are truly random $\gets U_{n-1}$ nth bit is $1$ with probability 0.50001 and $0$ with 0.49999, $D$: [outputs $1$ if $X_n=1$] 2. $X_n$: 1st $n-1$ bits are truly random $\gets U_{n-1}$ nth bit is $1$ with probability 0.50001 and $0$ with 0.49999, $D$: [outputs $1$ if $X_n=1$]
$$ $$
\vert P[t\gets X_n:\mathcal{D}(t)=1]-P[t\gets U_n:\mathcal{D}(t)=1]\vert=0.5001-0.5=0.001\neq 0 \vert P[t\gets X_n:\mathcal{D}(t)=1]-P[t\gets U_n:\mathcal{D}(t)=1]\vert=0.5001-0.5=0.001\neq 0
$$ $$
3. $X_n$: For each bit $x_i\gets\{0,1\}$ **unless** there have been 1 million $0$'s. in a row. Then outputs $1$, $D$: [outputs $1$ if $x_1=x_2=...=x_{1000001}=0$] 3. $X_n$: For each bit $x_i\gets\{0,1\}$ **unless** there have been 1 million $0$'s. in a row. Then outputs $1$, $D$: [outputs $1$ if $x_1=x_2=...=x_{1000001}=0$]
$$ $$
\vert P[t\gets X_n:\mathcal{D}(t)=1]-P[t\gets U_n:\mathcal{D}(t)=1]\vert=|0-\frac{1}{2^{1000001}}|\neq 0 \vert P[t\gets X_n:\mathcal{D}(t)=1]-P[t\gets U_n:\mathcal{D}(t)=1]\vert=|0-\frac{1}{2^{1000001}}|\neq 0
$$ $$

304
pages/CSE442T/CSE442T_L12.md → content/CSE442T/CSE442T_L12.md
View File

@@ -1,152 +1,152 @@
# Lecture 12 # Lecture 12
## Chapter 3: Indistinguishability and Pseudorandomness ## Chapter 3: Indistinguishability and Pseudorandomness
$\{X_n\}$ and $\{Y_n\}$ are distinguishable by $\mu(n)$ if $\exists$ distinguisher $\mathcal{D}$ $\{X_n\}$ and $\{Y_n\}$ are distinguishable by $\mu(n)$ if $\exists$ distinguisher $\mathcal{D}$
$$ $$
|P[x\gets X_n:\mathcal{D}(x)=1]-P[y\gets Y_n:\mathcal{D}(y)=1]|\geq \mu(n) |P[x\gets X_n:\mathcal{D}(x)=1]-P[y\gets Y_n:\mathcal{D}(y)=1]|\geq \mu(n)
$$ $$
- If $\mu(n)\geq \frac{1}{p(n)}\gets poly(n)$ for infinitely many n, then $\{X_n\}$ and $\{Y_n\}$ are distinguishable. - If $\mu(n)\geq \frac{1}{p(n)}\gets poly(n)$ for infinitely many n, then $\{X_n\}$ and $\{Y_n\}$ are distinguishable.
- Otherwise, indistinguishable ($|diff|<\epsilon(n)$) - Otherwise, indistinguishable ($|diff|<\epsilon(n)$)
Property: Closed under efficient procedures. Property: Closed under efficient procedures.
If $M$ is any n.u.p.p.t. which can take a ample from $t$ from $X_n,Y_n$ as input $M(X_n)$ If $M$ is any n.u.p.p.t. which can take a ample from $t$ from $X_n,Y_n$ as input $M(X_n)$
If $\{X_n\}\approx\{Y_n\}$, then so are $\{M(X_n)\}\approx\{M(Y_n)\}$ If $\{X_n\}\approx\{Y_n\}$, then so are $\{M(X_n)\}\approx\{M(Y_n)\}$
Proof: Proof:
If $\mathcal{D}$ distinguishes $M(X_n)$ and $M(Y_n)$ by $\mu(n)$ then $\mathcal{D}(M(\cdot))$ is also a polynomial-time distinguisher of $X_n,Y_n$. If $\mathcal{D}$ distinguishes $M(X_n)$ and $M(Y_n)$ by $\mu(n)$ then $\mathcal{D}(M(\cdot))$ is also a polynomial-time distinguisher of $X_n,Y_n$.
### Hybrid Lemma ### Hybrid Lemma
Let $X^0_n,X^1_n,\dots,X^m_n$ are ensembles indexed from $1,..,m$ Let $X^0_n,X^1_n,\dots,X^m_n$ are ensembles indexed from $1,..,m$
If $\mathcal{D}$ distinguishes $X_n^0$ and $X_n^m$ by $\mu(n)$, then $\exists i,1\leq i\leq m$ where $X_{n}^{i-1}$ and $X_n^i$ are distinguished by $\mathcal{D}$ by $\frac{\mu(n)}{m}$ If $\mathcal{D}$ distinguishes $X_n^0$ and $X_n^m$ by $\mu(n)$, then $\exists i,1\leq i\leq m$ where $X_{n}^{i-1}$ and $X_n^i$ are distinguished by $\mathcal{D}$ by $\frac{\mu(n)}{m}$
Proof: (we use triangle inequality.) Let $p_i=P[t\gets X_n^i:\mathcal{D}(t)=1],0\leq i\leq m$. We have $|p_0-p_m|\geq m(n)$ Proof: (we use triangle inequality.) Let $p_i=P[t\gets X_n^i:\mathcal{D}(t)=1],0\leq i\leq m$. We have $|p_0-p_m|\geq m(n)$
Using telescoping tricks: Using telescoping tricks:
$$ $$
\begin{aligned} \begin{aligned}
|p_0-p_m|&=|p_0-p_1+p_1-p_2+\dots +p_{m-1}-p_m|\\ |p_0-p_m|&=|p_0-p_1+p_1-p_2+\dots +p_{m-1}-p_m|\\
&\leq |p_0-p_1|+|p_1-p_2|+\dots+|p_{m-1}-p_m|\\ &\leq |p_0-p_1|+|p_1-p_2|+\dots+|p_{m-1}-p_m|\\
\end{aligned} \end{aligned}
$$ $$
If all $|p_{i-1}-p_i|<\frac{\mu(n)}{m},|p_0-p_m|<\mu_n$ contradiction. If all $|p_{i-1}-p_i|<\frac{\mu(n)}{m},|p_0-p_m|<\mu_n$ contradiction.
In applications, only useful if $m\leq q(n)$ polynomial In applications, only useful if $m\leq q(n)$ polynomial
If $X^0_n$ and $X^m_n$ are distinguishable by $\frac{1}{p(n)}$, then $2$ inner "hybrids" are distinguishable $\frac{1}{p(n)q(n)}=\frac{1}{poly(n)}$ If $X^0_n$ and $X^m_n$ are distinguishable by $\frac{1}{p(n)}$, then $2$ inner "hybrids" are distinguishable $\frac{1}{p(n)q(n)}=\frac{1}{poly(n)}$
Example: Example:
For some Brian in Week 1 and Week 50, a distinguisher $\mathcal{D}$ outputs 1 if hair is considered "long". For some Brian in Week 1 and Week 50, a distinguisher $\mathcal{D}$ outputs 1 if hair is considered "long".
There is some week $i,1\leq i\leq 50$ $|p_{i-1}-p_i|\geq 0.02$ There is some week $i,1\leq i\leq 50$ $|p_{i-1}-p_i|\geq 0.02$
By prediction lemma, there is a machine that could By prediction lemma, there is a machine that could
$$ $$
P[b\to \{0,1\};pic\gets X^{i-1+b}:\mathcal{A}(pic)=b]\geq \frac{1}{2}+\frac{0.02}{2}=0.51 P[b\to \{0,1\};pic\gets X^{i-1+b}:\mathcal{A}(pic)=b]\geq \frac{1}{2}+\frac{0.02}{2}=0.51
$$ $$
### Next bit test (NBT) ### Next bit test (NBT)
We say $\{X_n\}$ passes the next bit test if $\forall i\in\{0,1,...,l(n)-1\}$ on $\{0,1\}^{l(n)}$ and for all adversaries $\mathcal{A}:P[t\gets X_n:\mathcal{A}(t_1,t_2,...,t_i)=t_{i+1}]\leq \frac{1}{2}+\epsilon(n)$ (given first $i$ bit, the probability of successfully predicts $i+1$ th bit is almost random $\frac{1}{2}$) We say $\{X_n\}$ passes the next bit test if $\forall i\in\{0,1,...,l(n)-1\}$ on $\{0,1\}^{l(n)}$ and for all adversaries $\mathcal{A}:P[t\gets X_n:\mathcal{A}(t_1,t_2,...,t_i)=t_{i+1}]\leq \frac{1}{2}+\epsilon(n)$ (given first $i$ bit, the probability of successfully predicts $i+1$ th bit is almost random $\frac{1}{2}$)
Note that for any $\mathcal{A}$, and any $i$, Note that for any $\mathcal{A}$, and any $i$,
$$ $$
P[t\gets U_{l(n)}:\mathcal{A}(t_1,...t_i)=t_{i+1}]=\frac{1}{2} P[t\gets U_{l(n)}:\mathcal{A}(t_1,...t_i)=t_{i+1}]=\frac{1}{2}
$$ $$
If $\{X_n\}\approx\{U_{l(n)}\}$ (pseudorandom), then $X_n$ must pass NBT for all $i$. If $\{X_n\}\approx\{U_{l(n)}\}$ (pseudorandom), then $X_n$ must pass NBT for all $i$.
Otherwise $\exists \mathcal{A},i$ where for infinitely many $n$, Otherwise $\exists \mathcal{A},i$ where for infinitely many $n$,
$$ $$
P[t\gets X_n:\mathcal{A}(t_1,t_2,...,t_i)=t_{i+1}]\leq \frac{1}{2}+\epsilon(n) P[t\gets X_n:\mathcal{A}(t_1,t_2,...,t_i)=t_{i+1}]\leq \frac{1}{2}+\epsilon(n)
$$ $$
We can build a distinguisher $\mathcal{D}$ from $\mathcal{A}$. We can build a distinguisher $\mathcal{D}$ from $\mathcal{A}$.
The converse if True! The converse if True!
The NBT(Next bit test) is complete. The NBT(Next bit test) is complete.
If $\{X_n\}$ on $\{0,1\}^{l(n)}$ passes NBT, then it's pseudorandom. If $\{X_n\}$ on $\{0,1\}^{l(n)}$ passes NBT, then it's pseudorandom.
Ideas of proof: full proof is on the text. Ideas of proof: full proof is on the text.
Our idea is that we want to create $H^{l(n)}_n=\{X_n\}$ and $H^0_n=\{U_{l(n)}\}$ Our idea is that we want to create $H^{l(n)}_n=\{X_n\}$ and $H^0_n=\{U_{l(n)}\}$
We construct "random" bit stream: We construct "random" bit stream:
$$ $$
H_n^i=\{x\gets X_n;u\gets U_{l(n)};t=x_1x_2\dots x_i u_{i+1}u_{i+2}\dots u_{l(n)}\} H_n^i=\{x\gets X_n;u\gets U_{l(n)};t=x_1x_2\dots x_i u_{i+1}u_{i+2}\dots u_{l(n)}\}
$$ $$
If $\{X_n\}$ were not pseudorandom, there is a $D$ If $\{X_n\}$ were not pseudorandom, there is a $D$
$$ $$
|P[x\gets X_n:\mathcal{D}(x)=1]-P[u\gets U_{l(n)}:\mathcal{D}(u)=1]|=\mu(n)\geq \frac{1}{p(n)} |P[x\gets X_n:\mathcal{D}(x)=1]-P[u\gets U_{l(n)}:\mathcal{D}(u)=1]|=\mu(n)\geq \frac{1}{p(n)}
$$ $$
By hybrid lemma, there is $i,1\leq i\leq l(n)$ where: By hybrid lemma, there is $i,1\leq i\leq l(n)$ where:
$$ $$
|P[t\gets H^{i-1}:\mathcal{D}(t)=1]-P[t\gets H^i:\mathcal{D}(t)=1]|\geq \frac{1}{p(n)l(n)}=\frac{1}{poly(n)} |P[t\gets H^{i-1}:\mathcal{D}(t)=1]-P[t\gets H^i:\mathcal{D}(t)=1]|\geq \frac{1}{p(n)l(n)}=\frac{1}{poly(n)}
$$ $$
$l(n)$ is the step we need to take transform $X$ to $X^n$ $l(n)$ is the step we need to take transform $X$ to $X^n$
Let, Let,
$$ $$
H^i=x_1\dots x_i u_{i+1}\dots u_{l(n)}\\ H^i=x_1\dots x_i u_{i+1}\dots u_{l(n)}\\
H^i=x_1\dots x_i x_{i+1}\dots u_{l(n)} H^i=x_1\dots x_i x_{i+1}\dots u_{l(n)}
$$ $$
notice that only two bits are distinguished in the procedure. notice that only two bits are distinguished in the procedure.
$\mathcal{D}$ can distinguish $x_{i+1}$ from a truly random $U_{i+1}$, knowing the first $i$ bits $x_i\dots x_i$ came from $x\gets x_n$ $\mathcal{D}$ can distinguish $x_{i+1}$ from a truly random $U_{i+1}$, knowing the first $i$ bits $x_i\dots x_i$ came from $x\gets x_n$
So $\mathcal{D}$ can predict $x_{i+1}$ from $x_1\dots x_i$ (contradicting with that $X$ passes NBT) So $\mathcal{D}$ can predict $x_{i+1}$ from $x_1\dots x_i$ (contradicting with that $X$ passes NBT)
QED QED
## Pseudorandom Generator ## Pseudorandom Generator
Suppose $G:\{0,1\}^*\to\{0,1\}^*$ is a pseudorandom generator if the following is true: Suppose $G:\{0,1\}^*\to\{0,1\}^*$ is a pseudorandom generator if the following is true:
1. $G$ is efficiently computable. 1. $G$ is efficiently computable.
2. $|G(x)|\geq |x|\forall x$ (expansion) 2. $|G(x)|\geq |x|\forall x$ (expansion)
3. $\{x\gets U_n:G(x)\}_n$ is pseudorandom 3. $\{x\gets U_n:G(x)\}_n$ is pseudorandom
$n$ truly random bits $\to$ $n^2$ pseudorandom bits $n$ truly random bits $\to$ $n^2$ pseudorandom bits
### PRG exists if and only if one-way function exists ### PRG exists if and only if one-way function exists
The other part of proof will be your homework, damn. The other part of proof will be your homework, damn.
If one-way function exists, then Pseudorandom Generator exists. If one-way function exists, then Pseudorandom Generator exists.
Ideas of proof: Ideas of proof:
Let $f:\{0,1\}^n\to \{0,1\}^n$ be a strong one-way permutation (bijection). Let $f:\{0,1\}^n\to \{0,1\}^n$ be a strong one-way permutation (bijection).
$x\gets U_n$ $x\gets U_n$
$f(x)||x$ $f(x)||x$
Not all bits of $x$ would be hard to predict. Not all bits of $x$ would be hard to predict.
**Hard-core bit:** One bit of information about $x$ which is hard to determine from $f(x)$. $P[\text{success}]\leq \frac{1}{2}+\epsilon(n)$ **Hard-core bit:** One bit of information about $x$ which is hard to determine from $f(x)$. $P[\text{success}]\leq \frac{1}{2}+\epsilon(n)$
Depends on $f(x)$ Depends on $f(x)$

322
pages/CSE442T/CSE442T_L13.md → content/CSE442T/CSE442T_L13.md
View File

@@ -1,161 +1,161 @@
# Lecture 13 # Lecture 13
## Chapter 3: Indistinguishability and Pseudorandomness ## Chapter 3: Indistinguishability and Pseudorandomness
### Pseudorandom Generator (PRG) ### Pseudorandom Generator (PRG)
#### Definition 77.1 (Pseudorandom Generator) #### Definition 77.1 (Pseudorandom Generator)
$G:\{0,1\}^n\to\{0,1\}^{l(n)}$ is a pseudorandom generator if the following is true: $G:\{0,1\}^n\to\{0,1\}^{l(n)}$ is a pseudorandom generator if the following is true:
1. $G$ is efficiently computable. 1. $G$ is efficiently computable.
2. $l(n)> n$ (expansion) 2. $l(n)> n$ (expansion)
3. $\{x\gets \{0,1\}^n:G(x)\}_n\approx \{u\gets \{0,1\}^{l(n)}\}$ 3. $\{x\gets \{0,1\}^n:G(x)\}_n\approx \{u\gets \{0,1\}^{l(n)}\}$
#### Definition 78.3 (Hard-core bit (predicate) (HCB)) #### Definition 78.3 (Hard-core bit (predicate) (HCB))
Hard-core bit (predicate) (HCB): $h:\{0,1\}^n\to \{0,1\}$ is a hard-core bit of $f:\{0,1\}^n\to \{0,1\}^*$ if for every adversary $A$, Hard-core bit (predicate) (HCB): $h:\{0,1\}^n\to \{0,1\}$ is a hard-core bit of $f:\{0,1\}^n\to \{0,1\}^*$ if for every adversary $A$,
$$ $$
Pr[x\gets \{0,1\}^n;y=f(x);A(1^n,y)=h(x)]\leq \frac{1}{2}+\epsilon(n) Pr[x\gets \{0,1\}^n;y=f(x);A(1^n,y)=h(x)]\leq \frac{1}{2}+\epsilon(n)
$$ $$
Ideas: $f:\{0,1\}^n\to \{0,1\}^*$ is a one-way function. Ideas: $f:\{0,1\}^n\to \{0,1\}^*$ is a one-way function.
Given $y=f(x)$, it is hard to recover $x$. A cannot produce all of $x$ but can know some bits of $x$. Given $y=f(x)$, it is hard to recover $x$. A cannot produce all of $x$ but can know some bits of $x$.
$h(x)$ is just a yes/no question regarding $x$. $h(x)$ is just a yes/no question regarding $x$.
Example: Example:
In RSA function, we pick $p,q\in \Pi^n$ as primes and $N=pq$. $e\gets \mathbb{Z}_N^*$ and $f(x)=x^e\mod N$. In RSA function, we pick $p,q\in \Pi^n$ as primes and $N=pq$. $e\gets \mathbb{Z}_N^*$ and $f(x)=x^e\mod N$.
$h(x)=x_n$ is a HCB of $f$. Given RSA assumption. $h(x)=x_n$ is a HCB of $f$. Given RSA assumption.
**h(x) is not necessarily one of the bits of $x=x_1x_2\cdots x_n$.** **h(x) is not necessarily one of the bits of $x=x_1x_2\cdots x_n$.**
#### Theorem Any one-way function has a HCB. #### Theorem Any one-way function has a HCB.
A HCB can be produced for any one-way function. A HCB can be produced for any one-way function.
Let $f:\{0,1\}^n\to \{0,1\}^*$ be a strong one-way function. Let $f:\{0,1\}^n\to \{0,1\}^*$ be a strong one-way function.
Define $g:\{0,1\}^{2n}\to \{0,1\}^*$ as $g(x,r)=(f(x), r),x\in \{0,1\}^n,r\in \{0,1\}^n$. $g$ is a strong one-way function. (proved in homework) Define $g:\{0,1\}^{2n}\to \{0,1\}^*$ as $g(x,r)=(f(x), r),x\in \{0,1\}^n,r\in \{0,1\}^n$. $g$ is a strong one-way function. (proved in homework)
$$ $$
h(x,r)=\langle x,r\rangle=x_1r_1+ x_2r_2+\cdots + x_nr_n\mod 2 h(x,r)=\langle x,r\rangle=x_1r_1+ x_2r_2+\cdots + x_nr_n\mod 2
$$ $$
$\langle x,1^n\rangle=x_1+x_2+\cdots +x_n\mod 2$ $\langle x,1^n\rangle=x_1+x_2+\cdots +x_n\mod 2$
$\langle x,0^{n-1}1\rangle=x_ n$ $\langle x,0^{n-1}1\rangle=x_ n$
Ideas of proof: Ideas of proof:
If A could reliably find $\langle x,1^n\rangle$, with $r$ being completely random, then it could find $x$ too often. If A could reliably find $\langle x,1^n\rangle$, with $r$ being completely random, then it could find $x$ too often.
### Pseudorandom Generator from HCB ### Pseudorandom Generator from HCB
1. $G(x)=\{0,1\}^n\to \{0,1\}^{n+1}$ 1. $G(x)=\{0,1\}^n\to \{0,1\}^{n+1}$
2. $G(x)=\{0,1\}^n\to \{0,1\}^{l(n)}$ 2. $G(x)=\{0,1\}^n\to \{0,1\}^{l(n)}$
For (1), For (1),
#### Theorem HCB generates PRG #### Theorem HCB generates PRG
Let $f:\{0,1\}^n\to \{0,1\}^n$ be a one-way permutation (bijective) with a HCB $h$. Then $G(x)=f(x)|| h(x)$ is a PRG. Let $f:\{0,1\}^n\to \{0,1\}^n$ be a one-way permutation (bijective) with a HCB $h$. Then $G(x)=f(x)|| h(x)$ is a PRG.
Proof: Proof:
Efficiently computable: $f$ is one-way so $h$ is efficiently computable. Efficiently computable: $f$ is one-way so $h$ is efficiently computable.
Expansion: $n<n+1$ Expansion: $n<n+1$
Pseudorandomness: Pseudorandomness:
We proceed by contradiction. We proceed by contradiction.
Suppose $\{G(U_n)\}\cancel{\approx} \{U_{n+1}\}$. Then there would be a next-bit predictor $A$ such that for some bit $i$. Suppose $\{G(U_n)\}\cancel{\approx} \{U_{n+1}\}$. Then there would be a next-bit predictor $A$ such that for some bit $i$.
$$ $$
Pr[x\gets \{0,1\}^n;t=G(x);A(t_1t_2\cdots t_{i-1})=t_i]\geq \frac{1}{2}+\epsilon(n) Pr[x\gets \{0,1\}^n;t=G(x);A(t_1t_2\cdots t_{i-1})=t_i]\geq \frac{1}{2}+\epsilon(n)
$$ $$
Since $f$ is a bijection, $x\gets U_n$ and $f(x)\gets U_n$. Since $f$ is a bijection, $x\gets U_n$ and $f(x)\gets U_n$.
$G(x)=f(x)|| h(x)$ $G(x)=f(x)|| h(x)$
So $A$ could not predict $t_i$ with advantage $\frac{1}{2}+\epsilon(n)$ given any first $n$ bits. So $A$ could not predict $t_i$ with advantage $\frac{1}{2}+\epsilon(n)$ given any first $n$ bits.
$$ $$
Pr[t_i=1|t_1t_2\cdots t_{i-1}]= \frac{1}{2} Pr[t_i=1|t_1t_2\cdots t_{i-1}]= \frac{1}{2}
$$ $$
So $i=n+1$ the last bit, $A$ could predict. So $i=n+1$ the last bit, $A$ could predict.
$$ $$
Pr[x\gets \{0,1\}^n;y=f(x);A(y)=h(x)]>\frac{1}{2}+\epsilon(n) Pr[x\gets \{0,1\}^n;y=f(x);A(y)=h(x)]>\frac{1}{2}+\epsilon(n)
$$ $$
This contradicts the HCB definition of $h$. This contradicts the HCB definition of $h$.
### Construction of PRG ### Construction of PRG
$G'=\{0,1\}^n\to \{0,1\}^{l(n)}$ $G'=\{0,1\}^n\to \{0,1\}^{l(n)}$
using PRG $G:\{0,1\}^n\to \{0,1\}^{n+1}$ using PRG $G:\{0,1\}^n\to \{0,1\}^{n+1}$
Let $s\gets \{0,1\}^n$ be a random string. Let $s\gets \{0,1\}^n$ be a random string.
We proceed by the following construction: We proceed by the following construction:
$G(s)=X_1||b_1$ $G(s)=X_1||b_1$
$G(X_1)=X_2||b_2$ $G(X_1)=X_2||b_2$
$G(X_2)=X_3||b_3$ $G(X_2)=X_3||b_3$
$\cdots$ $\cdots$
$G(X_{l(n)-1})=X_{l(n)}||b_{l(n)}$ $G(X_{l(n)-1})=X_{l(n)}||b_{l(n)}$
$G'(s)=b_1b_2b_3\cdots b_{l(n)}$ $G'(s)=b_1b_2b_3\cdots b_{l(n)}$
We claim $G':\{0,1\}^n\to \{0,1\}^{l(n)}$ is a PRG. We claim $G':\{0,1\}^n\to \{0,1\}^{l(n)}$ is a PRG.
#### Corollary: Combining constructions #### Corollary: Combining constructions
$f:\{0,1\}^n\to \{0,1\}^n$ is a one-way permutation with a HCB $h: \{0,1\}^n\to \{0,1\}$. $f:\{0,1\}^n\to \{0,1\}^n$ is a one-way permutation with a HCB $h: \{0,1\}^n\to \{0,1\}$.
$G(s)=h(x)||h(f(x))||h(f^2(x))\cdots h(f^{l(n)-1}(x))$ is a PRG. Where $f^a(x)=f(f^{a-1}(x))$. $G(s)=h(x)||h(f(x))||h(f^2(x))\cdots h(f^{l(n)-1}(x))$ is a PRG. Where $f^a(x)=f(f^{a-1}(x))$.
Proof: Proof:
$G'$ is a PRG: $G'$ is a PRG:
1. Efficiently computable: since we are computing $G'$ by applying $G$ multiple times (polynomial of $l(n)$ times). 1. Efficiently computable: since we are computing $G'$ by applying $G$ multiple times (polynomial of $l(n)$ times).
2. Expansion: $n<l(n)$. 2. Expansion: $n<l(n)$.
3. Pseudorandomness: We proceed by contradiction. Suppose the output is not pseudorandom. Then there exists a distinguisher $\mathcal{D}$ that can distinguish $G'$ from $U_{l(n)}$ with advantage $\frac{1}{2}+\epsilon(n)$. 3. Pseudorandomness: We proceed by contradiction. Suppose the output is not pseudorandom. Then there exists a distinguisher $\mathcal{D}$ that can distinguish $G'$ from $U_{l(n)}$ with advantage $\frac{1}{2}+\epsilon(n)$.
Strategy: use hybrid argument to construct distributions. Strategy: use hybrid argument to construct distributions.
$$ $$
\begin{aligned} \begin{aligned}
H^0&=U_{l(n)}=u_1u_2\cdots u_{l(n)}\\ H^0&=U_{l(n)}=u_1u_2\cdots u_{l(n)}\\
H^1&=u_1u_2\cdots u_{l(n)-1}b_{l(n)}\\ H^1&=u_1u_2\cdots u_{l(n)-1}b_{l(n)}\\
H^2&=u_1u_2\cdots u_{l(n)-2}b_{l(n)-1}b_{l(n)}\\ H^2&=u_1u_2\cdots u_{l(n)-2}b_{l(n)-1}b_{l(n)}\\
&\cdots\\ &\cdots\\
H^{l(n)}&=b_1b_2\cdots b_{l(n)} H^{l(n)}&=b_1b_2\cdots b_{l(n)}
\end{aligned} \end{aligned}
$$ $$
By the hybrid argument, there exists an $i$ such that $\mathcal{D}$ can distinguish $H^i$ and $H^{i+1}$ $0\leq i\leq l(n)-1$ by $\frac{1}{p(n)l(n)}$ By the hybrid argument, there exists an $i$ such that $\mathcal{D}$ can distinguish $H^i$ and $H^{i+1}$ $0\leq i\leq l(n)-1$ by $\frac{1}{p(n)l(n)}$
Show that there exists $\mathcal{D}$ for Show that there exists $\mathcal{D}$ for
$$ $$
\{u\gets U_{n+1}\}\text{ vs. }\{x\gets U_n;G(x)=u\} \{u\gets U_{n+1}\}\text{ vs. }\{x\gets U_n;G(x)=u\}
$$ $$
with advantage $\frac{1}{2}+\epsilon(n)$. (contradiction) with advantage $\frac{1}{2}+\epsilon(n)$. (contradiction)

352
pages/CSE442T/CSE442T_L14.md → content/CSE442T/CSE442T_L14.md
View File

@@ -1,176 +1,176 @@
# Lecture 14 # Lecture 14
## Recap ## Recap
$\exists$ one-way functions $\implies$ $\exists$ PRG expand by any polynomial amount $\exists$ one-way functions $\implies$ $\exists$ PRG expand by any polynomial amount
$\exists G:\{0,1\}^n \to \{0,1\}^{l(n)}$ s.t. $G$ is efficiently computable, $l(n) > n$, and $G$ is pseudorandom $\exists G:\{0,1\}^n \to \{0,1\}^{l(n)}$ s.t. $G$ is efficiently computable, $l(n) > n$, and $G$ is pseudorandom
$$ $$
\{G(U_n)\}\approx \{U_{l(n)}\} \{G(U_n)\}\approx \{U_{l(n)}\}
$$ $$
Back to the experiment we did long time ago: Back to the experiment we did long time ago:
||Group 1|Group 2| ||Group 1|Group 2|
|---|---|---| |---|---|---|
|$00000$ or $11111$|3|16| |$00000$ or $11111$|3|16|
|4 of 1's|42|56| |4 of 1's|42|56|
|balanced|too often|usual| |balanced|too often|usual|
|consecutive repeats|0|4| |consecutive repeats|0|4|
So Group 1 is human, Group 2 is computer. So Group 1 is human, Group 2 is computer.
## Chapter 3: Indistinguishability and Pseudorandomness ## Chapter 3: Indistinguishability and Pseudorandomness
### Computationally secure encryption ### Computationally secure encryption
Recall with perfect security, Recall with perfect security,
$$ $$
P[k\gets Gen(1^n):Enc_k(m_1)=c] = P[k\gets Gen(1^n):Enc_k(m_2)=c] P[k\gets Gen(1^n):Enc_k(m_1)=c] = P[k\gets Gen(1^n):Enc_k(m_2)=c]
$$ $$
for all $m_1,m_2\in M$ and $c\in C$. for all $m_1,m_2\in M$ and $c\in C$.
$(Gen,Enc,Dec)$ is **single message secure** if $\forall n.u.p.p.t \mathcal{D}$ and for all $n\in \mathbb{N}$, $\forall m_1,m_2\gets \{0,1\}^n \in M^n$, $\mathcal{D}$ distinguishes $Enc_k(m_1)$ and $Enc_k(m_2)$ with at most negligble probability. $(Gen,Enc,Dec)$ is **single message secure** if $\forall n.u.p.p.t \mathcal{D}$ and for all $n\in \mathbb{N}$, $\forall m_1,m_2\gets \{0,1\}^n \in M^n$, $\mathcal{D}$ distinguishes $Enc_k(m_1)$ and $Enc_k(m_2)$ with at most negligble probability.
$$ $$
P[k\gets Gen(1^n):\mathcal{D}(Enc_k(m_1),Enc_k(m_2))=1] \leq \epsilon(n) P[k\gets Gen(1^n):\mathcal{D}(Enc_k(m_1),Enc_k(m_2))=1] \leq \epsilon(n)
$$ $$
By the prediction lemma, ($\mathcal{A}$ is a ppt, you can also name it as $\mathcal{D}$) By the prediction lemma, ($\mathcal{A}$ is a ppt, you can also name it as $\mathcal{D}$)
$$ $$
P[b\gets \{0,1\}:k\gets Gen(1^n):\mathcal{A}(Enc_k(m_b)) = b] \leq \frac{1}{2} + \frac{\epsilon(n)}{2} P[b\gets \{0,1\}:k\gets Gen(1^n):\mathcal{A}(Enc_k(m_b)) = b] \leq \frac{1}{2} + \frac{\epsilon(n)}{2}
$$ $$
and the above equation is $\frac{1}{2}$ for perfect secrecy. and the above equation is $\frac{1}{2}$ for perfect secrecy.
### Construction of single message secure cryptosystem ### Construction of single message secure cryptosystem
cryptosystem with shorter keys. Mimic OTP(one time pad) with shorter keys with pseudorandom randomness. cryptosystem with shorter keys. Mimic OTP(one time pad) with shorter keys with pseudorandom randomness.
$K=\{0,1\}^n$, $\mathcal{M}=\{0,1\}^{l(n)}$, $G:K \to \mathcal{M}$ is a PRG. $K=\{0,1\}^n$, $\mathcal{M}=\{0,1\}^{l(n)}$, $G:K \to \mathcal{M}$ is a PRG.
$Gen(1^n)$: $k\gets \{0,1\}^n$; output $k$. $Gen(1^n)$: $k\gets \{0,1\}^n$; output $k$.
$Enc_k(m)$: $r\gets \{0,1\}^{l(n)}$; output $G(k)\oplus m$. $Enc_k(m)$: $r\gets \{0,1\}^{l(n)}$; output $G(k)\oplus m$.
$Dec_k(c)$: output $G(k)\oplus c$. $Dec_k(c)$: output $G(k)\oplus c$.
Proof of security: Proof of security:
Let $m_0,m_1\in \mathcal{M}$ be two messages, and $\mathcal{D}$ is a n.u.p.p.t distinguisher. Let $m_0,m_1\in \mathcal{M}$ be two messages, and $\mathcal{D}$ is a n.u.p.p.t distinguisher.
Suppose $\{K\gets Gen(1^n):Enc_k(m_i)\}$ is distinguished for $i=0,1$ by $\mathcal{D}$ and by $\mu(n)\geq\frac{1}{poly(n)}$. Suppose $\{K\gets Gen(1^n):Enc_k(m_i)\}$ is distinguished for $i=0,1$ by $\mathcal{D}$ and by $\mu(n)\geq\frac{1}{poly(n)}$.
Strategy: Move to OTP, then flip message. Strategy: Move to OTP, then flip message.
$$ $$
H_0(Enc_k(m_0)) = \{k\gets \{0,1\}^n: m_0\oplus G(k)\} H_0(Enc_k(m_0)) = \{k\gets \{0,1\}^n: m_0\oplus G(k)\}
$$ $$
$$ $$
H_1(OTP(m_1)) = \{u\gets U_{l(n)}: m_o\oplus u\} H_1(OTP(m_1)) = \{u\gets U_{l(n)}: m_o\oplus u\}
$$ $$
$$ $$
H_2(OTP(m_1)) = \{u\gets U_{l(n)}: m_1\oplus u\} H_2(OTP(m_1)) = \{u\gets U_{l(n)}: m_1\oplus u\}
$$ $$
$$ $$
H_3(Enc_k(m_0)) = \{k\gets \{0,1\}^n: m_1\oplus G(k)\} H_3(Enc_k(m_0)) = \{k\gets \{0,1\}^n: m_1\oplus G(k)\}
$$ $$
By hybrid argument, 2 neighboring messages are indistinguishable. By hybrid argument, 2 neighboring messages are indistinguishable.
However, $H_0$ and $H_1$ are indistinguishable since $G(U_n)$ and $U_{l(n)}$ are indistinguishable. However, $H_0$ and $H_1$ are indistinguishable since $G(U_n)$ and $U_{l(n)}$ are indistinguishable.
$H_1$ and $H_2$ are indistinguishable by perfect secrecy of OTP. $H_1$ and $H_2$ are indistinguishable by perfect secrecy of OTP.
$H_2$ and $H_3$ are indistinguishable since $G(U_n)$ and $U_{l(n)}$ are indistinguishable. $H_2$ and $H_3$ are indistinguishable since $G(U_n)$ and $U_{l(n)}$ are indistinguishable.
Which leads to a contradiction. Which leads to a contradiction.
### Multi-message secure encryption ### Multi-message secure encryption
$(Gen,Enc,Dec)$ is multi-message secure if $\forall n.u.p.p.t \mathcal{D}$ and for all $n\in \mathbb{N}$, and $q(n)\in poly(n)$. $(Gen,Enc,Dec)$ is multi-message secure if $\forall n.u.p.p.t \mathcal{D}$ and for all $n\in \mathbb{N}$, and $q(n)\in poly(n)$.
$$ $$
\overline{m}=(m_1,\dots,m_{q(n)}) \overline{m}=(m_1,\dots,m_{q(n)})
$$ $$
$$ $$
\overline{m}'=(m_1',\dots,m_{q(n)}') \overline{m}'=(m_1',\dots,m_{q(n)}')
$$ $$
are list of $q(n)$ messages in $\{0,1\}^n$. are list of $q(n)$ messages in $\{0,1\}^n$.
$\mathcal{D}$ distinguishes $Enc_k(\overline{m})$ and $Enc_k(\overline{m}')$ with at most negligble probability. $\mathcal{D}$ distinguishes $Enc_k(\overline{m})$ and $Enc_k(\overline{m}')$ with at most negligble probability.
$$ $$
P[k\gets Gen(1^n):\mathcal{D}(Enc_k(\overline{m}),Enc_k(\overline{m}'))=1] \leq \frac{1}{2} + \epsilon(n) P[k\gets Gen(1^n):\mathcal{D}(Enc_k(\overline{m}),Enc_k(\overline{m}'))=1] \leq \frac{1}{2} + \epsilon(n)
$$ $$
**THIS IS NOT MULTI-MESSAGE SECURE.** **THIS IS NOT MULTI-MESSAGE SECURE.**
We can take $\overline{m}=(0^n,0^n)\to (G(k),G(k))$ and $\overline{m}'=(0^n,1^n)\to (G(k),G(k)+1^n)$ the distinguisher can easily distinguish if some message was sent twice. We can take $\overline{m}=(0^n,0^n)\to (G(k),G(k))$ and $\overline{m}'=(0^n,1^n)\to (G(k),G(k)+1^n)$ the distinguisher can easily distinguish if some message was sent twice.
What we need is that the distinguisher cannot distinguish if some message was sent twice. To achieve multi-message security, we need our encryption function to use randomness (or change states) for each message, otherwise $Enc_k(0^n)$ will return the same on consecutive messages. What we need is that the distinguisher cannot distinguish if some message was sent twice. To achieve multi-message security, we need our encryption function to use randomness (or change states) for each message, otherwise $Enc_k(0^n)$ will return the same on consecutive messages.
Our fix is, if we can agree on a random function $F:\{0,1\}^n\to \{0,1\}^n$ satisfied that: for each input $x\in\{0,1\}^n$, $F(x)$ is chosen uniformly at random. Our fix is, if we can agree on a random function $F:\{0,1\}^n\to \{0,1\}^n$ satisfied that: for each input $x\in\{0,1\}^n$, $F(x)$ is chosen uniformly at random.
$Gen(1^n):$ Choose random function $F:\{0,1\}^n\to \{0,1\}^n$. $Gen(1^n):$ Choose random function $F:\{0,1\}^n\to \{0,1\}^n$.
$Enc_F(m):$ let $r\gets U_n$; output $(r,F(r)\oplus m)$. $Enc_F(m):$ let $r\gets U_n$; output $(r,F(r)\oplus m)$.
$Dec_F(m):$ Given $(r,c)$, output $m=F(r)\oplus c$. $Dec_F(m):$ Given $(r,c)$, output $m=F(r)\oplus c$.
Ideas: Adversary sees $r$ but has no Ideas about $F(r)$. (we choose all outputs at random) Ideas: Adversary sees $r$ but has no Ideas about $F(r)$. (we choose all outputs at random)
If we could do this, this is MMS (multi-message secure). If we could do this, this is MMS (multi-message secure).
Proof: Proof:
Suppose $m_1,m_2,\dots,m_{q(n)}$, $m_1',\dots,m_{q(n)}'$ are sent to the encryption oracle. Suppose $m_1,m_2,\dots,m_{q(n)}$, $m_1',\dots,m_{q(n)}'$ are sent to the encryption oracle.
Suppose the encryption are distinguished by $\mathcal{D}$ with probability $\frac{1}{2}+\epsilon(n)$. Suppose the encryption are distinguished by $\mathcal{D}$ with probability $\frac{1}{2}+\epsilon(n)$.
Strategy: move to OTP with hybrid argument. Strategy: move to OTP with hybrid argument.
Suppose we choose a random function Suppose we choose a random function
$$ $$
H_0:\{F\gets RF_n:((r_1,m_1\oplus F(r_1)),(r_2,m_2\oplus F(r_2)),\dots,(r_{q(n)},m_{q(n)}\oplus F(r_{q(n)})))\} H_0:\{F\gets RF_n:((r_1,m_1\oplus F(r_1)),(r_2,m_2\oplus F(r_2)),\dots,(r_{q(n)},m_{q(n)}\oplus F(r_{q(n)})))\}
$$ $$
and and
$$ $$
H_1:\{OTP:(r_1,m_1\oplus u_1),(r_2,m_2\oplus u_2),\dots,(r_{q(n)},m_{q(n)}\oplus u_{q(n)})\} H_1:\{OTP:(r_1,m_1\oplus u_1),(r_2,m_2\oplus u_2),\dots,(r_{q(n)},m_{q(n)}\oplus u_{q(n)})\}
$$ $$
$r_i,u_i\in U_n$. $r_i,u_i\in U_n$.
By hybrid argument, $H_0$ and $H_1$ are indistinguishable if $r_1,\dots,r_{q(n)}$ are different, these are the same. By hybrid argument, $H_0$ and $H_1$ are indistinguishable if $r_1,\dots,r_{q(n)}$ are different, these are the same.
$F(r_1),\dots,F(r_{q(n)})$ are chosen uniformly and independently at random. $F(r_1),\dots,F(r_{q(n)})$ are chosen uniformly and independently at random.
only possible problem is $r_i=r_j$ for some $i\neq j$, and $P[r_i=r_j]=\frac{1}{2^n}$. only possible problem is $r_i=r_j$ for some $i\neq j$, and $P[r_i=r_j]=\frac{1}{2^n}$.
And the probability that at least one pair are equal And the probability that at least one pair are equal
$$ $$
P[\text{at least one pair are equal}] =P[\bigcup_{i\neq j}\{r_i=r_j\}] \leq \sum_{i\neq j}P[r_i=r_j]=\binom{n}{2}\frac{1}{2^n} < \frac{n^2}{2^{n+1}} P[\text{at least one pair are equal}] =P[\bigcup_{i\neq j}\{r_i=r_j\}] \leq \sum_{i\neq j}P[r_i=r_j]=\binom{n}{2}\frac{1}{2^n} < \frac{n^2}{2^{n+1}}
$$ $$
which is negligible. which is negligible.
Unfortunately, we cannot do this in practice. Unfortunately, we cannot do this in practice.
How many random functions are there? How many random functions are there?
The length of description of $F$ is $n 2^n$. The length of description of $F$ is $n 2^n$.
For each $x\in \{0,1\}^n$, there are $2^n$ possible values for $F(x)$. For each $x\in \{0,1\}^n$, there are $2^n$ possible values for $F(x)$.
So the total number of random functions is $(2^n)^{2^n}=2^{n2^n}$. So the total number of random functions is $(2^n)^{2^n}=2^{n2^n}$.

378
pages/CSE442T/CSE442T_L15.md → content/CSE442T/CSE442T_L15.md
View File

@@ -1,189 +1,189 @@
# Lecture 15 # Lecture 15
## Chapter 3: Indistinguishability and Pseudorandomness ## Chapter 3: Indistinguishability and Pseudorandomness
### Random Function ### Random Function
$F:\{0,1\}^n\to \{0,1\}^n$ $F:\{0,1\}^n\to \{0,1\}^n$
For each $x\in \{0,1\}^n$, there are $2^n$ possible values for $F(x)$. For each $x\in \{0,1\}^n$, there are $2^n$ possible values for $F(x)$.
pick $y=F(x)\gets \{0,1\}^n$ independently at random. ($n$ bits) pick $y=F(x)\gets \{0,1\}^n$ independently at random. ($n$ bits)
This generates $n\cdot 2^n$ random bits to specify $F$. This generates $n\cdot 2^n$ random bits to specify $F$.
### Equivalent description of $F$ ### Equivalent description of $F$
```python ```python
# initialized empty list L # initialized empty list L
L=collections.defaultdict(int) L=collections.defaultdict(int)
# initialize n bits constant # initialize n bits constant
n=10 n=10
def F(x): def F(x):
""" simulation of random function """ simulation of random function
param: param:
x: n bits x: n bits
return: return:
y: n bits y: n bits
""" """
if L[x] is not None: if L[x] is not None:
return L[x] return L[x]
else: else:
# y is a random n-bit string # y is a random n-bit string
y=random.randbits(n) y=random.randbits(n)
L[x]=y L[x]=y
return y return y
``` ```
However, this is not a good random function since two communicator may not agree on the same $F$. However, this is not a good random function since two communicator may not agree on the same $F$.
### Pseudorandom Function ### Pseudorandom Function
$f:\{0,1\}^n\to \{0,1\}^n$ $f:\{0,1\}^n\to \{0,1\}^n$
#### Oracle Access (for function $g$) #### Oracle Access (for function $g$)
$O_g$ is a p.p.t. that given $x\in \{0,1\}^n$ outputs $g(x)$. $O_g$ is a p.p.t. that given $x\in \{0,1\}^n$ outputs $g(x)$.
The distinguisher $D$ is given oracle access to $O_g$ and outputs $1$ if $g$ is random and $0$ otherwise. It can make polynomially many queries. The distinguisher $D$ is given oracle access to $O_g$ and outputs $1$ if $g$ is random and $0$ otherwise. It can make polynomially many queries.
### Oracle indistinguishability ### Oracle indistinguishability
$\{F_n\}$ and $\{G_n\}$ are sequence of distribution on functions $\{F_n\}$ and $\{G_n\}$ are sequence of distribution on functions
$$ $$
f:\{0,1\}^{l_1(n)}\to \{0,1\}^{l_2(n)} f:\{0,1\}^{l_1(n)}\to \{0,1\}^{l_2(n)}
$$ $$
that are computationally indistinguishable that are computationally indistinguishable
$$ $$
\{f_n\}\sim \{g_n\} \{f_n\}\sim \{g_n\}
$$ $$
if for all p.p.t. $D$ (with oracle access to $F_n$ and $G_n$), if for all p.p.t. $D$ (with oracle access to $F_n$ and $G_n$),
$$ $$
\left|P[f\gets F_n:D^f(1^n)=1]-P[g\gets G_n:D^g(1^n)=1]\right|< \epsilon(n) \left|P[f\gets F_n:D^f(1^n)=1]-P[g\gets G_n:D^g(1^n)=1]\right|< \epsilon(n)
$$ $$
where $\epsilon(n)$ is negligible. where $\epsilon(n)$ is negligible.
Under this property, we still have: Under this property, we still have:
- Closure properties. under efficient procedures. - Closure properties. under efficient procedures.
- Prediction lemma. - Prediction lemma.
- Hybrid lemma. - Hybrid lemma.
### Pseudorandom Function Family ### Pseudorandom Function Family
Definition: $\{f_s:\{0,1\}^\{0.1\}^{|S|}\to \{0,1\}^P$ $t_0s\in \{0,1\}^n\}$ is a pseudorandom function family if $\{f_s\}_{s\in \{0,1\}^n}$ are oracle indistinguishable. Definition: $\{f_s:\{0,1\}^\{0.1\}^{|S|}\to \{0,1\}^P$ $t_0s\in \{0,1\}^n\}$ is a pseudorandom function family if $\{f_s\}_{s\in \{0,1\}^n}$ are oracle indistinguishable.
- It is easy to compute for every $x\in \{0,1\}^{|S|}$. - It is easy to compute for every $x\in \{0,1\}^{|S|}$.
- $\{s \gets\{0,1\}^n\}_n\approx \{F\gets RF_n,F\}$ is indistinguishable from the uniform distribution over $\{0,1\}^P$. - $\{s \gets\{0,1\}^n\}_n\approx \{F\gets RF_n,F\}$ is indistinguishable from the uniform distribution over $\{0,1\}^P$.
- $R$ is truly random function. - $R$ is truly random function.
Example: Example:
For $s\in \{0,1\}^n$, define $f_s:\overline{x}\mapsto s\cdot \overline{s}$. For $s\in \{0,1\}^n$, define $f_s:\overline{x}\mapsto s\cdot \overline{s}$.
$\mathcal{D}$ gives oracle access to $g(0^n)=\overline{y_0}$, $g(1^n)=\overline{y_1}$. If $\overline{y_0}+\overline{y_1}=1^n$, then $\mathcal{D}$ outputs $1$ otherwise $0$. $\mathcal{D}$ gives oracle access to $g(0^n)=\overline{y_0}$, $g(1^n)=\overline{y_1}$. If $\overline{y_0}+\overline{y_1}=1^n$, then $\mathcal{D}$ outputs $1$ otherwise $0$.
```python ```python
def O_g(x): def O_g(x):
pass pass
def D(): def D():
# bit_stream(0,n) is a n-bit string of 0s # bit_stream(0,n) is a n-bit string of 0s
y0=O_g(bit_stream(0,n)) y0=O_g(bit_stream(0,n))
y1=O_g(bit_stream(1,n)) y1=O_g(bit_stream(1,n))
if y0+y1==bit_stream(1,n): if y0+y1==bit_stream(1,n):
return 1 return 1
else: else:
return 0 return 0
``` ```
If $g=f_s$, then $D$ returns $\overline{s}+\overline{s}+1^n =1^n$. If $g=f_s$, then $D$ returns $\overline{s}+\overline{s}+1^n =1^n$.
$$ $$
P[f_s\gets D^{f_s}(1^n)=1]=1 P[f_s\gets D^{f_s}(1^n)=1]=1
$$ $$
$$ $$
P[F\gets RF^n,D^F(1^n)=1]=\frac{1}{2^n} P[F\gets RF^n,D^F(1^n)=1]=\frac{1}{2^n}
$$ $$
#### Theorem PRG exists then PRF family exists. #### Theorem PRG exists then PRF family exists.
Proof: Proof:
Let $g:\{0,1\}^n\to \{0,1\}^{2n}$ be a PRG. Let $g:\{0,1\}^n\to \{0,1\}^{2n}$ be a PRG.
$$ $$
g(\overline{x})=[g_0(\overline{x})] [g_1(\overline{x})] g(\overline{x})=[g_0(\overline{x})] [g_1(\overline{x})]
$$ $$
Then we choose a random $s\in \{0,1\}^n$ (initial seed) and define $\overline{x}\gets \{0,1\}^n$, $\overline{x}=x_1\cdots x_n$. Then we choose a random $s\in \{0,1\}^n$ (initial seed) and define $\overline{x}\gets \{0,1\}^n$, $\overline{x}=x_1\cdots x_n$.
$$ $$
f_s(\overline{x})=f_s(x_1\cdots x_n)=g_{x_n}(\dots (g_{x_2}(g_{x_1}(s)))) f_s(\overline{x})=f_s(x_1\cdots x_n)=g_{x_n}(\dots (g_{x_2}(g_{x_1}(s))))
$$ $$
```python ```python
s=random.randbits(n) s=random.randbits(n)
#???? #????
def g(x): def g(x):
if x[0]==0: if x[0]==0:
return g(f_s(x[1:])) return g(f_s(x[1:]))
else: else:
return g(f_s(x[1:])) return g(f_s(x[1:]))
def f_s(x): def f_s(x):
return g(x) return g(x)
``` ```
Suppose $g:\{0,1\}^3\to \{0,1\}^6$ is a PRG. Suppose $g:\{0,1\}^3\to \{0,1\}^6$ is a PRG.
| $x$ | $f_s(x)$ | | $x$ | $f_s(x)$ |
| --- | -------- | | --- | -------- |
| 000 | 110011 | | 000 | 110011 |
| 001 | 010010 | | 001 | 010010 |
| 010 | 001001 | | 010 | 001001 |
| 011 | 000110 | | 011 | 000110 |
| 100 | 100000 | | 100 | 100000 |
| 101 | 110110 | | 101 | 110110 |
| 110 | 000111 | | 110 | 000111 |
| 111 | 001110 | | 111 | 001110 |
Suppose the initial seed is $011$, then the constructed function tree goes as follows: Suppose the initial seed is $011$, then the constructed function tree goes as follows:
Example: Example:
$$ $$
\begin{aligned} \begin{aligned}
f_s(110)&=g_0(g_1(g_1(s)))\\ f_s(110)&=g_0(g_1(g_1(s)))\\
&=g_0(g_1(110))\\ &=g_0(g_1(110))\\
&=g_0(111)\\ &=g_0(111)\\
&=001 &=001
\end{aligned} \end{aligned}
$$ $$
$$ $$
\begin{aligned} \begin{aligned}
f_s(010)&=g_0(g_1(g_0(s)))\\ f_s(010)&=g_0(g_1(g_0(s)))\\
&=g_0(g_1(000))\\ &=g_0(g_1(000))\\
&=g_0(001)\\ &=g_0(001)\\
&=010 &=010
\end{aligned} \end{aligned}
$$ $$
Assume that $D$ distinguishes $f_s$ and $F\gets RF_n$ with non-negligible probability. Assume that $D$ distinguishes $f_s$ and $F\gets RF_n$ with non-negligible probability.
By hybrid argument, there exists a hybrid $H_i$ such that $D$ distinguishes $H_i$ and $H_{i+1}$ with non-negligible probability. By hybrid argument, there exists a hybrid $H_i$ such that $D$ distinguishes $H_i$ and $H_{i+1}$ with non-negligible probability.
For $H_0$, For $H_0$,
QED QED

266
pages/CSE442T/CSE442T_L16.md → content/CSE442T/CSE442T_L16.md
View File

@@ -1,134 +1,134 @@
# Lecture 16 # Lecture 16
## Chapter 3: Indistinguishability and Pseudorandomness ## Chapter 3: Indistinguishability and Pseudorandomness
PRG exists $\implies$ Pseudorandom function family exists. PRG exists $\implies$ Pseudorandom function family exists.
### Multi-message secure encryption ### Multi-message secure encryption
$Gen(1^n):$ Output $f_i:\{0,1\}^n\to \{0,1\}^n$ from PRF family $Gen(1^n):$ Output $f_i:\{0,1\}^n\to \{0,1\}^n$ from PRF family
$Enc_i(m):$ Random $r\gets \{0,1\}^n$ $Enc_i(m):$ Random $r\gets \{0,1\}^n$
Ouput $(r,m\oplus f_i(r))$ Ouput $(r,m\oplus f_i(r))$
$Dec_i(r,c):$ Output $c\oplus f_i(r)$ $Dec_i(r,c):$ Output $c\oplus f_i(r)$
Proof of security: Proof of security:
Suppose $D$ distinguishes, for infinitly many $n$. Suppose $D$ distinguishes, for infinitly many $n$.
The encryption of $a$ pair of lists The encryption of $a$ pair of lists
(1) $\{i\gets Gen(1^n):(r_1,m_1\oplus f_i(r_1)),(r_2,m_2\oplus f_i(r_2)),(r_3,m_3\oplus f_i(r_3)),\ldots,(r_q,m_q\oplus f_i(r_q)), \}$ (1) $\{i\gets Gen(1^n):(r_1,m_1\oplus f_i(r_1)),(r_2,m_2\oplus f_i(r_2)),(r_3,m_3\oplus f_i(r_3)),\ldots,(r_q,m_q\oplus f_i(r_q)), \}$
(2) $\{F\gets RF_n: (r_1,m_1\oplus F(r_1))\ldots\}$ (2) $\{F\gets RF_n: (r_1,m_1\oplus F(r_1))\ldots\}$
(3) One-time pad $\{(r_1,m_1\oplus s_1)\}$ (3) One-time pad $\{(r_1,m_1\oplus s_1)\}$
(4) One-time pad $\{(r_1,m_1'\oplus s_1)\}$ (4) One-time pad $\{(r_1,m_1'\oplus s_1)\}$
If (1) (2) distinguished, If (1) (2) distinguished,
$(r_1,f_i(r_1)),\ldots,(r_q,f_i(r_q))$ is distinguished from $(r_1,f_i(r_1)),\ldots,(r_q,f_i(r_q))$ is distinguished from
$(r_1,F(r_1)),\ldots, (r_q,F(r_q))$ $(r_1,F(r_1)),\ldots, (r_q,F(r_q))$
So $D$ distinguishing output of $r_1,\ldots, r_q$ of PRF from the RF, this contradicts with definition of PRF. So $D$ distinguishing output of $r_1,\ldots, r_q$ of PRF from the RF, this contradicts with definition of PRF.
QED QED
Noe we have Noe we have
(RSA assumption and Discrete log assumption for one-way function exists.) (RSA assumption and Discrete log assumption for one-way function exists.)
One-way function exists $\implies$ One-way function exists $\implies$
Pseudo random generator exists $\implies$ Pseudo random generator exists $\implies$
Pseudo random function familiy exists $\implies$ Pseudo random function familiy exists $\implies$
Mult-message secure encryption exists. Mult-message secure encryption exists.
### Public key cryptography ### Public key cryptography
1970s. 1970s.
The goal was to agree/share a key without meeting in advance The goal was to agree/share a key without meeting in advance
#### Diffie-Helmann Key exchange #### Diffie-Helmann Key exchange
A and B create a secret key together without meeting. A and B create a secret key together without meeting.
Rely on discrete log assumption. Rely on discrete log assumption.
They pulicly agree on modulus $p$ and generator $g$. They pulicly agree on modulus $p$ and generator $g$.
Alice picks random exponent $a$ and computes $g^a\mod p$ Alice picks random exponent $a$ and computes $g^a\mod p$
Bob picks random exponent $b$ and computes $g^b\mod p$ Bob picks random exponent $b$ and computes $g^b\mod p$
and they send result to each other. and they send result to each other.
And Alice do $(g^b)^a$ where Bob do $(g^a)^b$. And Alice do $(g^b)^a$ where Bob do $(g^a)^b$.
#### Diffie-Helmann assumption #### Diffie-Helmann assumption
With $g^a,g^b$ no one can compute $g^{ab}$. With $g^a,g^b$ no one can compute $g^{ab}$.
#### Public key encryption scheme #### Public key encryption scheme
Ideas: The recipient Bob distributes opened Bob-locks Ideas: The recipient Bob distributes opened Bob-locks
- Once closed, only Bob can open it. - Once closed, only Bob can open it.
Public-key encryption scheme: Public-key encryption scheme:
1. $Gen(1^n):$ Outputs $(pk,sk)$ 1. $Gen(1^n):$ Outputs $(pk,sk)$
2. $Enc_{pk}(m):$ Efficient for all $m,pk$ 2. $Enc_{pk}(m):$ Efficient for all $m,pk$
3. $Dec_{sk}(c):$ Efficient for all $c,sk$ 3. $Dec_{sk}(c):$ Efficient for all $c,sk$
4. $P[(pk,sk)\gets Gen(1^n):Dec_{sk}(Enc_{pk}(m))=m]=1$ 4. $P[(pk,sk)\gets Gen(1^n):Dec_{sk}(Enc_{pk}(m))=m]=1$
Let $A, E$ knows $pk$ not $sk$ and $B$ knows $pk,sk$. Let $A, E$ knows $pk$ not $sk$ and $B$ knows $pk,sk$.
Adversary can now encrypt any message $m$ with the public key. Adversary can now encrypt any message $m$ with the public key.
- Perfect secrecy impossible - Perfect secrecy impossible
- Randomness necessary - Randomness necessary
#### Security of public key #### Security of public key
$\forall n.u.p.p.t D,\exists \epsilon(n)$ such that $\forall n,m_0,m_1\in \{0,1\}^n$ $\forall n.u.p.p.t D,\exists \epsilon(n)$ such that $\forall n,m_0,m_1\in \{0,1\}^n$
$$ $$
\{(pk,sk)\gets Gen(1^n):(pk,Enc_{pk}(m_0))\} \{(pk,sk)\gets Gen(1^n):(pk,Enc_{pk}(m_1))\} \{(pk,sk)\gets Gen(1^n):(pk,Enc_{pk}(m_0))\} \{(pk,sk)\gets Gen(1^n):(pk,Enc_{pk}(m_1))\}
$$ $$
are distinguished by at most $\epsilon (n)$ are distinguished by at most $\epsilon (n)$
This "single" message security implies multi-message security! This "single" message security implies multi-message security!
_Left as exercise_ _Left as exercise_
We will achieve security in sending a single bit $0,1$ We will achieve security in sending a single bit $0,1$
Time for trapdoor permutation. (EX. RSA) Time for trapdoor permutation. (EX. RSA)
#### Encryption Scheme via Trapdoor Permutation #### Encryption Scheme via Trapdoor Permutation
Given family of trapdoor permutation $\{f_i\}$ with hardcore bit $h(i)$ Given family of trapdoor permutation $\{f_i\}$ with hardcore bit $h(i)$
$Gen(1^n):(f_i,f_i^{-1})$, where $f_i^{-1}$ uses trapdoor permutation of $t$ $Gen(1^n):(f_i,f_i^{-1})$, where $f_i^{-1}$ uses trapdoor permutation of $t$
$Output ((f_i,h_i),f_i^{-1})$ $Output ((f_i,h_i),f_i^{-1})$
$m=0$ or $1$. $m=0$ or $1$.
$Enc_{pk}(m):r\gets\{0,1\}^n$ $Enc_{pk}(m):r\gets\{0,1\}^n$
$Output (f_i(r),h_i(r)+m)$ $Output (f_i(r),h_i(r)+m)$
$Dec_{sk}(c_1,c_2)$ $Dec_{sk}(c_1,c_2)$
$r=f_i^{-1}(c_1)$ $r=f_i^{-1}(c_1)$
$m=c_2+h_1(r)$ $m=c_2+h_1(r)$

318
pages/CSE442T/CSE442T_L17.md → content/CSE442T/CSE442T_L17.md
View File

@@ -1,159 +1,159 @@
# Lecture 17 # Lecture 17
## Chapter 3: Indistinguishability and Pseudorandomness ## Chapter 3: Indistinguishability and Pseudorandomness
### Public key encryption scheme (1-bit) ### Public key encryption scheme (1-bit)
$Gen(1^n):(f_i, f_i^{-1})$ $Gen(1^n):(f_i, f_i^{-1})$
$f_i$ is the trapdoor permutation. (eg. RSA) $f_i$ is the trapdoor permutation. (eg. RSA)
$Output((f_i, h_i), f_i^{-1})$, where $(f_i, h_i)$ is the public key and $f_i^{-1}$ is the secret key. $Output((f_i, h_i), f_i^{-1})$, where $(f_i, h_i)$ is the public key and $f_i^{-1}$ is the secret key.
$Enc_{pk}(m):r\gets \{0, 1\}^n$ $Enc_{pk}(m):r\gets \{0, 1\}^n$
$Output(f_i(r), h_i(r)\oplus m)$ $Output(f_i(r), h_i(r)\oplus m)$
where $f_i(r)$ is denoted as $c_1$ and $h_i(r)\oplus m$ is the tag $c_2$. where $f_i(r)$ is denoted as $c_1$ and $h_i(r)\oplus m$ is the tag $c_2$.
The decryption function is: The decryption function is:
$Dec_{sk}(c_1, c_2)$: $Dec_{sk}(c_1, c_2)$:
$r=f_i^{-1}(c_1)$ $r=f_i^{-1}(c_1)$
$m=c_2\oplus h_i(r)$ $m=c_2\oplus h_i(r)$
#### Validity of the decryption #### Validity of the decryption
Proof of the validity of the decryption: Exercise. Proof of the validity of the decryption: Exercise.
#### Security of the encryption scheme #### Security of the encryption scheme
The encryption scheme is secure under this construction (Trapdoor permutation (TDP), Hardcore bit (HCB)). The encryption scheme is secure under this construction (Trapdoor permutation (TDP), Hardcore bit (HCB)).
Proof: Proof:
We proceed by contradiction. (Constructing contradiction with definition of hardcore bit.) We proceed by contradiction. (Constructing contradiction with definition of hardcore bit.)
Assume that there exists a distinguisher $\mathcal{D}$ that can distinguish the encryption of $0$ and $1$ with non-negligible probability $\mu(n)$. Assume that there exists a distinguisher $\mathcal{D}$ that can distinguish the encryption of $0$ and $1$ with non-negligible probability $\mu(n)$.
$$ $$
\{(pk,sk)\gets Gen(1^n):(pk,Enc_{pk}(0))\} v.s.\{(pk,sk)\gets Gen(1^n):(pk,Enc_{pk}(1))\} \geq \mu(n) \{(pk,sk)\gets Gen(1^n):(pk,Enc_{pk}(0))\} v.s.\{(pk,sk)\gets Gen(1^n):(pk,Enc_{pk}(1))\} \geq \mu(n)
$$ $$
By prediction lemma (the distinguisher can be used to create and adversary that can break the security of the encryption scheme with non-negligible probability $\mu(n)$). By prediction lemma (the distinguisher can be used to create and adversary that can break the security of the encryption scheme with non-negligible probability $\mu(n)$).
$$ $$
P[m\gets \{0,1\}; (pk,sk)\gets Gen(1^n):\mathcal{A}(pk,Enc_{pk}(m))=m]\geq \frac{1}{2}+\mu(n) P[m\gets \{0,1\}; (pk,sk)\gets Gen(1^n):\mathcal{A}(pk,Enc_{pk}(m))=m]\geq \frac{1}{2}+\mu(n)
$$ $$
We will use this to construct an agent $B$ which can determine the hardcore bit $h_i(r)$ of the trapdoor permutation $f_i(r)$ with non-negligible probability. We will use this to construct an agent $B$ which can determine the hardcore bit $h_i(r)$ of the trapdoor permutation $f_i(r)$ with non-negligible probability.
$f_i,h_i$ are determined. $f_i,h_i$ are determined.
$B$ is given $f_i(r)$ and $h_i(r)$ and outputs $b\in \{0,1\}$. $B$ is given $f_i(r)$ and $h_i(r)$ and outputs $b\in \{0,1\}$.
- $r\gets \{0,1\}^n$ is chosen uniformly at random. - $r\gets \{0,1\}^n$ is chosen uniformly at random.
- $y=f_i(r)$ is given to $B$. - $y=f_i(r)$ is given to $B$.
- $b=h_i(r)$ is given to $B$. - $b=h_i(r)$ is given to $B$.
- Choose $c_2\gets \{0,1\}= h_i(r)\oplus m$ uniformly at random. - Choose $c_2\gets \{0,1\}= h_i(r)\oplus m$ uniformly at random.
- Then use $\mathcal{A}$ with $pk=(f_i, h_i),Enc_{pk}(m)=(f_i(r), h_i(r)\oplus m)$ to determine whether $r$ is $0$ or $1$. - Then use $\mathcal{A}$ with $pk=(f_i, h_i),Enc_{pk}(m)=(f_i(r), h_i(r)\oplus m)$ to determine whether $r$ is $0$ or $1$.
- Let $m'\gets \mathcal{A}(pk,(y,c_2))$. - Let $m'\gets \mathcal{A}(pk,(y,c_2))$.
- Since $c_2=h_i(r)\oplus m$, we have $m=b\oplus c_2$, $b=m'\oplus c_2$. - Since $c_2=h_i(r)\oplus m$, we have $m=b\oplus c_2$, $b=m'\oplus c_2$.
- Output $b=m'\oplus c_2$. - Output $b=m'\oplus c_2$.
The probability that $B$ correctly guesses $b$ given $f_i,h_i$ is: The probability that $B$ correctly guesses $b$ given $f_i,h_i$ is:
$$ $$
\begin{aligned} \begin{aligned}
&~~~~~P[r\gets \{0,1\}^n: y=f_i(r), b=h_i(r): B(f_i,h_i,y)=b]\\ &~~~~~P[r\gets \{0,1\}^n: y=f_i(r), b=h_i(r): B(f_i,h_i,y)=b]\\
&=P[r\gets \{0,1\}^n,c_2\gets \{0,1\}: y=f_i(r), b=h_i(r):\mathcal{A}((f_i,h_i),(y,c_2))=(c_2+b)]\\ &=P[r\gets \{0,1\}^n,c_2\gets \{0,1\}: y=f_i(r), b=h_i(r):\mathcal{A}((f_i,h_i),(y,c_2))=(c_2+b)]\\
&=P[r\gets \{0,1\}^n,m\gets \{0,1\}: y=f_i(r), b=h_i(r):\mathcal{A}((f_i,h_i),(y,b\oplus m))=m]\\ &=P[r\gets \{0,1\}^n,m\gets \{0,1\}: y=f_i(r), b=h_i(r):\mathcal{A}((f_i,h_i),(y,b\oplus m))=m]\\
&>\frac{1}{2}+\mu(n) &>\frac{1}{2}+\mu(n)
\end{aligned} \end{aligned}
$$ $$
This contradicts the definition of hardcore bit. This contradicts the definition of hardcore bit.
QED QED
### Public key encryption scheme (multi-bit) ### Public key encryption scheme (multi-bit)
Let $m\in \{0,1\}^k$. Let $m\in \{0,1\}^k$.
We can choose random $r_i\in \{0,1\}^n$, $y_i=f_i(r_i)$, $b_i=h_i(r_i),c_i=m_i\oplus b_i$. We can choose random $r_i\in \{0,1\}^n$, $y_i=f_i(r_i)$, $b_i=h_i(r_i),c_i=m_i\oplus b_i$.
$Enc_{pk}(m)=((y_1,c_1),\cdots,(y_k,c_k)),c\in \{0,1\}^k$ $Enc_{pk}(m)=((y_1,c_1),\cdots,(y_k,c_k)),c\in \{0,1\}^k$
$Dec_{sk}:r_k=f_i^{-1}(y_k),h_i(r_k)\oplus c_k=m_k$ $Dec_{sk}:r_k=f_i^{-1}(y_k),h_i(r_k)\oplus c_k=m_k$
### Special public key cryptosystem: El-Gamal (based on Diffie-Hellman Assumption) ### Special public key cryptosystem: El-Gamal (based on Diffie-Hellman Assumption)
#### Definition 105.1 Decisional Diffie-Hellman Assumption (DDH) #### Definition 105.1 Decisional Diffie-Hellman Assumption (DDH)
> Define the group of squares mod $p$ as follows: > Define the group of squares mod $p$ as follows:
> >
> $p=2q+1$, $q\in \Pi_{n-1}$, $g\gets \mathbb{Z}_p^*/\{1\}$, $y=g^2$ > $p=2q+1$, $q\in \Pi_{n-1}$, $g\gets \mathbb{Z}_p^*/\{1\}$, $y=g^2$
> >
> $G=\{y,y^2,\cdots,y^q=1\}\mod p$ > $G=\{y,y^2,\cdots,y^q=1\}\mod p$
These two listed below are indistinguishable. These two listed below are indistinguishable.
$\{p\gets \tilde{\Pi_n};y\gets Gen_q;a,b\gets \mathbb{Z}_q:(p,y,y^a,y^b,y^{ab})\}_n$ $\{p\gets \tilde{\Pi_n};y\gets Gen_q;a,b\gets \mathbb{Z}_q:(p,y,y^a,y^b,y^{ab})\}_n$
$\{p\gets \tilde{\Pi_n};y\gets Gen_q;a,b,\bold{z}\gets \mathbb{Z}_q:(p,y,y^a,y^b,y^\bold{z})\}_n$ $\{p\gets \tilde{\Pi_n};y\gets Gen_q;a,b,\bold{z}\gets \mathbb{Z}_q:(p,y,y^a,y^b,y^\bold{z})\}_n$
> (Computational) Diffie-Hellman Assumption: > (Computational) Diffie-Hellman Assumption:
> >
> Hard to compute $y^{ab}$ given $p,y,y^a,y^b$. > Hard to compute $y^{ab}$ given $p,y,y^a,y^b$.
So DDH assumption implies discrete logarithm assumption. So DDH assumption implies discrete logarithm assumption.
Ideas: Ideas:
If one can find $a,b$ from $y^a,y^b$, then one can find $ab$ from $y^{ab}$ and compare to $\bold{z}$ to check whether $y^\bold{z}$ is a valid DDH tuple. If one can find $a,b$ from $y^a,y^b$, then one can find $ab$ from $y^{ab}$ and compare to $\bold{z}$ to check whether $y^\bold{z}$ is a valid DDH tuple.
#### El-Gamal encryption scheme (public key cryptosystem) #### El-Gamal encryption scheme (public key cryptosystem)
$Gen(1^n)$: $Gen(1^n)$:
$p\gets \tilde{\Pi_n},g\gets \mathbb{Z}_p^*/\{1\},y\gets Gen_q,a\gets \mathbb{Z}_q$ $p\gets \tilde{\Pi_n},g\gets \mathbb{Z}_p^*/\{1\},y\gets Gen_q,a\gets \mathbb{Z}_q$
Output: Output:
$pk=(p,y,y^a\mod p)$ (public key) $pk=(p,y,y^a\mod p)$ (public key)
$sk=(p,y,a)$ (secret key) $sk=(p,y,a)$ (secret key)
**Message space:** $G_q=\{y,y^2,\cdots,y^q=1\}$ **Message space:** $G_q=\{y,y^2,\cdots,y^q=1\}$
$Enc_{pk}(m)$: $Enc_{pk}(m)$:
$b\gets \mathbb{Z}_q$ $b\gets \mathbb{Z}_q$
$c_1=y^b\mod p,c_2=(y^{ab}\cdot m)\mod p$ $c_1=y^b\mod p,c_2=(y^{ab}\cdot m)\mod p$
Output: $(c_1,c_2)$ Output: $(c_1,c_2)$
$Dec_{sk}(c_1,c_2)$: $Dec_{sk}(c_1,c_2)$:
Since $c_2=(y^{ab}\cdot m)\mod p$, we have $m=\frac{c_2}{c_1^a}\mod p$ Since $c_2=(y^{ab}\cdot m)\mod p$, we have $m=\frac{c_2}{c_1^a}\mod p$
Output: $m$ Output: $m$
#### Security of El-Gamal encryption scheme #### Security of El-Gamal encryption scheme
Proof: Proof:
If not secure, then there exists a distinguisher $\mathcal{D}$ that can distinguish the encryption of $m_1,m_2\in G_q$ with non-negligible probability $\mu(n)$. If not secure, then there exists a distinguisher $\mathcal{D}$ that can distinguish the encryption of $m_1,m_2\in G_q$ with non-negligible probability $\mu(n)$.
$$ $$
\{(pk,sk)\gets Gen(1^n):D(pk,Enc_{pk}(m_1))\}\text{ vs. }\\ \{(pk,sk)\gets Gen(1^n):D(pk,Enc_{pk}(m_1))\}\text{ vs. }\\
\{(pk,sk)\gets Gen(1^n):D(pk,Enc_{pk}(m_2))\}\geq \mu(n) \{(pk,sk)\gets Gen(1^n):D(pk,Enc_{pk}(m_2))\}\geq \mu(n)
$$ $$
And proceed by contradiction. This contradicts the DDH assumption. And proceed by contradiction. This contradicts the DDH assumption.
QED QED

296
pages/CSE442T/CSE442T_L18.md → content/CSE442T/CSE442T_L18.md
View File

@@ -1,148 +1,148 @@
# Lecture 18 # Lecture 18
## Chapter 5: Authentication ## Chapter 5: Authentication
### 5.1 Introduction ### 5.1 Introduction
Signatures Signatures
**private key** **private key**
Alice and Bob share a secret key $k$. Alice and Bob share a secret key $k$.
Message Authentication Codes (MACs) Message Authentication Codes (MACs)
**public key** **public key**
Any one can verify the signature. Any one can verify the signature.
Digital Signatures Digital Signatures
#### Definitions 134.1 #### Definitions 134.1
A message authentication codes (MACs) is a triple $(Gen, Tag, Ver)$ where A message authentication codes (MACs) is a triple $(Gen, Tag, Ver)$ where
- $k\gets Gen(1^k)$ is a p.p.t. algorithm that takes as input a security parameter $k$ and outputs a key $k$. - $k\gets Gen(1^k)$ is a p.p.t. algorithm that takes as input a security parameter $k$ and outputs a key $k$.
- $\sigma\gets Tag_k(m)$ is a p.p.t. algorithm that takes as input a key $k$ and a message $m$ and outputs a tag $\sigma$. - $\sigma\gets Tag_k(m)$ is a p.p.t. algorithm that takes as input a key $k$ and a message $m$ and outputs a tag $\sigma$.
- $Ver_k(m, \sigma)$ is a deterministic algorithm that takes as input a key $k$, a message $m$, and a tag $\sigma$ and outputs "Accept" if $\sigma$ is a valid tag for $m$ under $k$ and "Reject" otherwise. - $Ver_k(m, \sigma)$ is a deterministic algorithm that takes as input a key $k$, a message $m$, and a tag $\sigma$ and outputs "Accept" if $\sigma$ is a valid tag for $m$ under $k$ and "Reject" otherwise.
For all $n\in\mathbb{N}$, all $m\in\mathcal{M}_n$. For all $n\in\mathbb{N}$, all $m\in\mathcal{M}_n$.
$$ $$
P[k\gets Gen(1^k):Ver_k(m, Tag_k(m))=\textup {``Accept''}]=1 P[k\gets Gen(1^k):Ver_k(m, Tag_k(m))=\textup {``Accept''}]=1
$$ $$
#### Definition 134.2 (Security of MACs) #### Definition 134.2 (Security of MACs)
Security: Prevent an adversary from producing any accepted $(m, \sigma)$ pair that they haven't seen before. Security: Prevent an adversary from producing any accepted $(m, \sigma)$ pair that they haven't seen before.
- Assume they have seen some history of signed messages. $(m_1, \sigma_1), (m_2, \sigma_2), \ldots, (m_q, \sigma_q)$. - Assume they have seen some history of signed messages. $(m_1, \sigma_1), (m_2, \sigma_2), \ldots, (m_q, \sigma_q)$.
- Adversary $\mathcal{A}$ has oracle access to $Tag_k$. Goal is to produce a new $(m, \sigma)$ pair that is accepted but none of $(m_1, \sigma_1), (m_2, \sigma_2), \ldots, (m_q, \sigma_q)$. - Adversary $\mathcal{A}$ has oracle access to $Tag_k$. Goal is to produce a new $(m, \sigma)$ pair that is accepted but none of $(m_1, \sigma_1), (m_2, \sigma_2), \ldots, (m_q, \sigma_q)$.
$\forall$ n.u.p.p.t. adversary $\mathcal{A}$ with oracle access to $Tag_k(\cdot)$, $\forall$ n.u.p.p.t. adversary $\mathcal{A}$ with oracle access to $Tag_k(\cdot)$,
$$ $$
\Pr[k\gets Gen(1^k);(m, \sigma)\gets\mathcal{A}^{Tag_k(\cdot)}(1^k);\mathcal{A}\textup{ did not query }m \textup{ and } Ver_k(m, \sigma)=\textup{``Accept''}]<\epsilon(n) \Pr[k\gets Gen(1^k);(m, \sigma)\gets\mathcal{A}^{Tag_k(\cdot)}(1^k);\mathcal{A}\textup{ did not query }m \textup{ and } Ver_k(m, \sigma)=\textup{``Accept''}]<\epsilon(n)
$$ $$
#### MACs scheme #### MACs scheme
$F=\{f_s\}$ is a PRF family. $F=\{f_s\}$ is a PRF family.
$f_s:\{0,1\}^{|S|}\to\{0,1\}^{|S|}$ $f_s:\{0,1\}^{|S|}\to\{0,1\}^{|S|}$
$Gen(1^k): s\gets \{0,1\}^n$ $Gen(1^k): s\gets \{0,1\}^n$
$Tag_k(m)$ outputs $f_s(m)$. $Tag_k(m)$ outputs $f_s(m)$.
$Ver_s(m, \sigma)$ outputs "Accept" if $f_s(m)=\sigma$ and "Reject" otherwise. $Ver_s(m, \sigma)$ outputs "Accept" if $f_s(m)=\sigma$ and "Reject" otherwise.
Proof of security (Outline): Proof of security (Outline):
Suppose we used $F\gets RF_n$ (true random function). Suppose we used $F\gets RF_n$ (true random function).
If $\mathcal{A}$ wants $F(m)$ for $m\in \{m_1, \ldots, m_q\}$. $F(m)\gets U_n$. If $\mathcal{A}$ wants $F(m)$ for $m\in \{m_1, \ldots, m_q\}$. $F(m)\gets U_n$.
$$ $$
\begin{aligned} \begin{aligned}
&P[F\gets RF_n; (m, \sigma)\gets\mathcal{A}^{F(\cdot)}(1^k);\mathcal{A}\textup{ did not query }m \textup{ and } Ver_k(m, \sigma)=\textup{``Accept''}]\\ &P[F\gets RF_n; (m, \sigma)\gets\mathcal{A}^{F(\cdot)}(1^k);\mathcal{A}\textup{ did not query }m \textup{ and } Ver_k(m, \sigma)=\textup{``Accept''}]\\
&=P[F\gets RF_n; (m, \sigma)\gets F(m)]\\ &=P[F\gets RF_n; (m, \sigma)\gets F(m)]\\
&=\frac{1}{2^n}<\epsilon(n) &=\frac{1}{2^n}<\epsilon(n)
\end{aligned} \end{aligned}
$$ $$
Suppose an adversary $\mathcal{A}$ has $\frac{1}{p(n)}$ chance of success with our PRF-based scheme... Suppose an adversary $\mathcal{A}$ has $\frac{1}{p(n)}$ chance of success with our PRF-based scheme...
This could be used to distinguish PRF $f_s$ from a random function. This could be used to distinguish PRF $f_s$ from a random function.
The distinguisher runs as follows: The distinguisher runs as follows:
- Runs $\mathcal{A}(1^n)$ - Runs $\mathcal{A}(1^n)$
- Whenever $\mathcal{A}$ asks for $Tag_k(m)$, we ask our oracle for $f(m)$ - Whenever $\mathcal{A}$ asks for $Tag_k(m)$, we ask our oracle for $f(m)$
- $(m, \sigma)\gets\mathcal{A}^{F(\cdot)}(1^n)$ - $(m, \sigma)\gets\mathcal{A}^{F(\cdot)}(1^n)$
- Query oracle for $f(m)$ - Query oracle for $f(m)$
- If $\sigma=f(m)$, output 1 - If $\sigma=f(m)$, output 1
- Otherwise, output 0 - Otherwise, output 0
$D$ will output 1 for PRF with probability $\frac{1}{p(n)}$ and for RF with probability $\frac{1}{2^n}$. $D$ will output 1 for PRF with probability $\frac{1}{p(n)}$ and for RF with probability $\frac{1}{2^n}$.
#### Definition 135.1(Digital Signature D.S. over $\{M_n\}_n$) #### Definition 135.1(Digital Signature D.S. over $\{M_n\}_n$)
A digital signature scheme is a triple $(Gen, Sign, Ver)$ where A digital signature scheme is a triple $(Gen, Sign, Ver)$ where
- $(pk,sk)\gets Gen(1^k)$ is a p.p.t. algorithm that takes as input a security parameter $k$ and outputs a public key $pk$ and a secret key $sk$. - $(pk,sk)\gets Gen(1^k)$ is a p.p.t. algorithm that takes as input a security parameter $k$ and outputs a public key $pk$ and a secret key $sk$.
- $\sigma\gets Sign_{sk}(m)$ is a p.p.t. algorithm that takes as input a secret key $sk$ and a message $m$ and outputs a signature $\sigma$. - $\sigma\gets Sign_{sk}(m)$ is a p.p.t. algorithm that takes as input a secret key $sk$ and a message $m$ and outputs a signature $\sigma$.
- $Ver_{pk}(m, \sigma)$ is a deterministic algorithm that takes as input a public key $pk$, a message $m$, and a signature $\sigma$ and outputs "Accept" if $\sigma$ is a valid signature for $m$ under $pk$ and "Reject" otherwise. - $Ver_{pk}(m, \sigma)$ is a deterministic algorithm that takes as input a public key $pk$, a message $m$, and a signature $\sigma$ and outputs "Accept" if $\sigma$ is a valid signature for $m$ under $pk$ and "Reject" otherwise.
For all $n\in\mathbb{N}$, all $m\in\mathcal{M}_n$. For all $n\in\mathbb{N}$, all $m\in\mathcal{M}_n$.
$$ $$
P[(pk,sk)\gets Gen(1^k); \sigma\gets Sign_{sk}(m); Ver_{pk}(m, \sigma)=\textup{``Accept''}]=1 P[(pk,sk)\gets Gen(1^k); \sigma\gets Sign_{sk}(m); Ver_{pk}(m, \sigma)=\textup{``Accept''}]=1
$$ $$
#### Security of Digital Signature #### Security of Digital Signature
$$ $$
P[(pk,sk)\gets Gen(1^k); (m, \sigma)\gets\mathcal{A}^{Sign_{sk}(\cdot)}(1^k);\mathcal{A}\textup{ did not query }m \textup{ and } Ver_{pk}(m, \sigma)=\textup{``Accept''}]<\epsilon(n) P[(pk,sk)\gets Gen(1^k); (m, \sigma)\gets\mathcal{A}^{Sign_{sk}(\cdot)}(1^k);\mathcal{A}\textup{ did not query }m \textup{ and } Ver_{pk}(m, \sigma)=\textup{``Accept''}]<\epsilon(n)
$$ $$
For all n.u.p.p.t. adversary $\mathcal{A}$ with oracle access to $Sign_{sk}(\cdot)$. For all n.u.p.p.t. adversary $\mathcal{A}$ with oracle access to $Sign_{sk}(\cdot)$.
### 5.4 One time security: $\mathcal{A}$ can only use oracle once. ### 5.4 One time security: $\mathcal{A}$ can only use oracle once.
Output $(m, \sigma)$ if $m\neq m$ Output $(m, \sigma)$ if $m\neq m$
Security parameter $n$ Security parameter $n$
One time security on $\{0,1\}^n$ One time security on $\{0,1\}^n$
One time security on $\{0,1\}^*$ One time security on $\{0,1\}^*$
Regular security on $\{0,1\}^*$ Regular security on $\{0,1\}^*$
Note: the adversary automatically has access to $Ver_{pk}(\cdot)$ Note: the adversary automatically has access to $Ver_{pk}(\cdot)$
#### One time security scheme (Lamport Scheme on $\{0,1\}^n$) #### One time security scheme (Lamport Scheme on $\{0,1\}^n$)
$Gen(1^k)$: $\mathbb{Z}_n$ random n-bit string $Gen(1^k)$: $\mathbb{Z}_n$ random n-bit string
$sk$: List 0: $\bar{x_1}^0, \bar{x_2}^0, \ldots, \bar{x_n}^0$ $sk$: List 0: $\bar{x_1}^0, \bar{x_2}^0, \ldots, \bar{x_n}^0$
List 1: $\bar{x_1}^1, \bar{x_2}^1, \ldots, \bar{x_n}^1$ List 1: $\bar{x_1}^1, \bar{x_2}^1, \ldots, \bar{x_n}^1$
All $\bar{x_i}^j\in\{0,1\}^n$ All $\bar{x_i}^j\in\{0,1\}^n$
$pk$: For a strong one-way function $f$ $pk$: For a strong one-way function $f$
List 0: $f(\bar{x_1}^0), f(\bar{x_2}^0), \ldots, f(\bar{x_n}^0)$ List 0: $f(\bar{x_1}^0), f(\bar{x_2}^0), \ldots, f(\bar{x_n}^0)$
List 1: $f(\bar{x_1}^1), f(\bar{x_2}^1), \ldots, f(\bar{x_n}^1)$ List 1: $f(\bar{x_1}^1), f(\bar{x_2}^1), \ldots, f(\bar{x_n}^1)$
$Sign_{sk}(m):(m_1, m_2, \ldots, m_n)\mapsto(\bar{x_1}^{m_1}, \bar{x_2}^{m_2}, \ldots, \bar{x_n}^{m_n})$ $Sign_{sk}(m):(m_1, m_2, \ldots, m_n)\mapsto(\bar{x_1}^{m_1}, \bar{x_2}^{m_2}, \ldots, \bar{x_n}^{m_n})$
$Ver_{pk}(m, \sigma)$: output "Accept" if $\sigma$ is a prefix of $f(m)$ and "Reject" otherwise. $Ver_{pk}(m, \sigma)$: output "Accept" if $\sigma$ is a prefix of $f(m)$ and "Reject" otherwise.
> Example: When we sign a message $01100$, $$Sign_{sk}(01100)=(\bar{x_1}^0, \bar{x_2}^1, \bar{x_3}^1, \bar{x_4}^0, \bar{x_5}^0)$$ > Example: When we sign a message $01100$, $$Sign_{sk}(01100)=(\bar{x_1}^0, \bar{x_2}^1, \bar{x_3}^1, \bar{x_4}^0, \bar{x_5}^0)$$
> We only reveal the $x_1^0, x_2^1, x_3^1, x_4^0, x_5^0$ > We only reveal the $x_1^0, x_2^1, x_3^1, x_4^0, x_5^0$
> For the second signature, we need to reveal exactly different bits. > For the second signature, we need to reveal exactly different bits.
> The adversary can query the oracle for $f(0^n)$ (reveals list0) and $f(1^n)$ (reveals list1) to produce any valid signature they want. > The adversary can query the oracle for $f(0^n)$ (reveals list0) and $f(1^n)$ (reveals list1) to produce any valid signature they want.

0
pages/CSE442T/CSE442T_L19.md → content/CSE442T/CSE442T_L19.md
View File

192
pages/CSE442T/CSE442T_L2.md → content/CSE442T/CSE442T_L2.md
View File

@@ -1,97 +1,97 @@
# Lecture 2 # Lecture 2
## Probability review ## Probability review
Sample space $S=\text{set of outcomes (possible results of experiments)}$ Sample space $S=\text{set of outcomes (possible results of experiments)}$
Event $A\subseteq S$ Event $A\subseteq S$
$P[A]=P[$ outcome $x\in A]$ $P[A]=P[$ outcome $x\in A]$
$P[\{x\}]=P[x]$ $P[\{x\}]=P[x]$
Conditional probability: Conditional probability:
$P[A|B]={P[A\cap B]\over P[B]}$ $P[A|B]={P[A\cap B]\over P[B]}$
Assuming $B$ is the known information. Moreover, $P[B]>0$ Assuming $B$ is the known information. Moreover, $P[B]>0$
Probability that $A$ and $B$ occurring: $P[A\cap B]=P[A|B]\cdot P[B]$ Probability that $A$ and $B$ occurring: $P[A\cap B]=P[A|B]\cdot P[B]$
$P[B\cap A]=P[B|A]\cdot P[A]$ $P[B\cap A]=P[B|A]\cdot P[A]$
So $P[A|B]={P[B|A]\cdot P[A]\over P[B]}$ (Bayes Theorem) So $P[A|B]={P[B|A]\cdot P[A]\over P[B]}$ (Bayes Theorem)
**There is always a chance that random guess would be the password... Although really, really, low...** **There is always a chance that random guess would be the password... Although really, really, low...**
### Law of total probability ### Law of total probability
Let $S=\bigcup_{i=1}^n B_i$. and $B_i$ are disjoint events. Let $S=\bigcup_{i=1}^n B_i$. and $B_i$ are disjoint events.
$A=\bigcup_{i=1}^n A\cap B_i$ ($A\cap B_i$ are all disjoint) $A=\bigcup_{i=1}^n A\cap B_i$ ($A\cap B_i$ are all disjoint)
$P[A]=\sum^n_{i=1} P[A|B_i]\cdot P[B_i]$ $P[A]=\sum^n_{i=1} P[A|B_i]\cdot P[B_i]$
## Chapter 1: Introduction ## Chapter 1: Introduction
### Defining security ### Defining security
#### Perfect Secrecy (Shannon Secrecy) #### Perfect Secrecy (Shannon Secrecy)
$k\gets Gen()$ $k\in K$ $k\gets Gen()$ $k\in K$
$c\gets Enc_k(m)$ or we can also write as $c\gets Enc(k,m)$ for $m\in M$ $c\gets Enc_k(m)$ or we can also write as $c\gets Enc(k,m)$ for $m\in M$
And the decryption procedure: And the decryption procedure:
$m'\gets Dec_k(c')$, $m'$ might be null. $m'\gets Dec_k(c')$, $m'$ might be null.
$P[k\gets Gen(): Dec_k(Enc_k(m))=m]=1$ $P[k\gets Gen(): Dec_k(Enc_k(m))=m]=1$
#### Definition 11.1 (Shannon Secrecy) #### Definition 11.1 (Shannon Secrecy)
Distribution $D$ over the message space $M$ Distribution $D$ over the message space $M$
$P[k\gets Gen;m\gets D: m=m'|c\gets Enc_k(m)]=P[m\gets D: m=m']$ $P[k\gets Gen;m\gets D: m=m'|c\gets Enc_k(m)]=P[m\gets D: m=m']$
Basically, we cannot gain any information from the encoded message. Basically, we cannot gain any information from the encoded message.
Code shall not contain any information changing the distribution of expectation of message after viewing the code. Code shall not contain any information changing the distribution of expectation of message after viewing the code.
**NO INFO GAINED** **NO INFO GAINED**
#### Definition 11.2 (Perfect Secrecy) #### Definition 11.2 (Perfect Secrecy)
For any 2 messages, say $m_1,m_2\in M$ and for any possible cipher $c$, For any 2 messages, say $m_1,m_2\in M$ and for any possible cipher $c$,
$P[k\gets Gen:c\gets Enc_k(m_1)]=P[k\gets Gen():c\gets Enc_k(m_2)]$ $P[k\gets Gen:c\gets Enc_k(m_1)]=P[k\gets Gen():c\gets Enc_k(m_2)]$
For a fixed $c$, any message (have a equal probability) could be encrypted to that... For a fixed $c$, any message (have a equal probability) could be encrypted to that...
#### Theorem 12.3 #### Theorem 12.3
Shannon secrecy is equivalent to perfect secrecy. Shannon secrecy is equivalent to perfect secrecy.
Proof: Proof:
If a crypto-system satisfy perfect secrecy, then it also satisfy Shannon secrecy. If a crypto-system satisfy perfect secrecy, then it also satisfy Shannon secrecy.
Let $(Gen,Enc,Dec)$ be a perfectly secret crypto-system with $K$ and $M$. Let $(Gen,Enc,Dec)$ be a perfectly secret crypto-system with $K$ and $M$.
Let $D$ be any distribution over messages. Let $D$ be any distribution over messages.
Let $m'\in M$. Let $m'\in M$.
$$ $$
={P_k[c\gets Enc_k(m')]\cdot P[m=m']\over P_{k,m}[c\gets Enc_k(m)]}\\ ={P_k[c\gets Enc_k(m')]\cdot P[m=m']\over P_{k,m}[c\gets Enc_k(m)]}\\
$$ $$
$$ $$
P[k\gets Gen();m\gets D:m=m'|c\gets Enc_k(m)]={P_{k,m}[c\gets Enc_k(m)\vert m=m']\cdot P[m=m']\over P_{k,m}[c\gets Enc_k(m)]}\\ P[k\gets Gen();m\gets D:m=m'|c\gets Enc_k(m)]={P_{k,m}[c\gets Enc_k(m)\vert m=m']\cdot P[m=m']\over P_{k,m}[c\gets Enc_k(m)]}\\
P_{k,m}[c\gets Enc_k(m)]=\sum^n_{i=1}P_{k,m}[c\gets Enc_k(m)|m=m_i]\cdot P[m=m_i]\\ P_{k,m}[c\gets Enc_k(m)]=\sum^n_{i=1}P_{k,m}[c\gets Enc_k(m)|m=m_i]\cdot P[m=m_i]\\
=\sum^n_{i=1}P_{K,m_i}[c\gets Enc_k(m_i)]\cdot P[m=m_i] =\sum^n_{i=1}P_{K,m_i}[c\gets Enc_k(m_i)]\cdot P[m=m_i]
$$ $$
and $P_{k,m_i}[c\gets Enc_k(m_i)]$ is constant due to perfect secrecy and $P_{k,m_i}[c\gets Enc_k(m_i)]$ is constant due to perfect secrecy
$\sum^n_{i=1}P_{k,m_i}[c\gets Enc_k(m_i)]\cdot P[m=m_i]=\sum^n_{i=1} P[m=m_i]=1$ $\sum^n_{i=1}P_{k,m_i}[c\gets Enc_k(m_i)]\cdot P[m=m_i]=\sum^n_{i=1} P[m=m_i]=1$

0
pages/CSE442T/CSE442T_L20.md → content/CSE442T/CSE442T_L20.md
View File

0
pages/CSE442T/CSE442T_L21.md → content/CSE442T/CSE442T_L21.md
View File

0
pages/CSE442T/CSE442T_L22.md → content/CSE442T/CSE442T_L22.md
View File

0
pages/CSE442T/CSE442T_L23.md → content/CSE442T/CSE442T_L23.md
View File

0
pages/CSE442T/CSE442T_L24.md → content/CSE442T/CSE442T_L24.md
View File

230
pages/CSE442T/CSE442T_L3.md → content/CSE442T/CSE442T_L3.md
View File

@@ -1,115 +1,115 @@
# Lecture 3 # Lecture 3
All algorithms $C(x)\to y$, $x,y\in \{0,1\}^*$ All algorithms $C(x)\to y$, $x,y\in \{0,1\}^*$
P.P.T= Probabilistic Polynomial-time Turing Machine. P.P.T= Probabilistic Polynomial-time Turing Machine.
## Chapter 2: Computational Hardness ## Chapter 2: Computational Hardness
### Turing Machine: Mathematical model for a computer program ### Turing Machine: Mathematical model for a computer program
A machine that can: A machine that can:
1. Read in put 1. Read in put
2. Read/Write working tape move left/right 2. Read/Write working tape move left/right
3. Can change state 3. Can change state
### Assumptions ### Assumptions
Anything can be accomplished by a real computer program can be accomplished by a "sufficiently complicated" Turing Machine (TM). Anything can be accomplished by a real computer program can be accomplished by a "sufficiently complicated" Turing Machine (TM).
### Polynomial time ### Polynomial time
We say $C(x),|x|=n,n\to \infty$ runs in polynomial time if it uses at most $T(n)$ operations bounded by some polynomials. $\exist c>0$ such that $T(n)=O(n^c)$ We say $C(x),|x|=n,n\to \infty$ runs in polynomial time if it uses at most $T(n)$ operations bounded by some polynomials. $\exist c>0$ such that $T(n)=O(n^c)$
If we can argue that algorithm runs in polynomially-many constant-time operations, then this is true for the T.M. If we can argue that algorithm runs in polynomially-many constant-time operations, then this is true for the T.M.
$p,q$ are polynomials in $n$, $p,q$ are polynomials in $n$,
$p(n)+q(n),p(n)q(n),p(q(n))$ are polynomial of $n$. $p(n)+q(n),p(n)q(n),p(q(n))$ are polynomial of $n$.
Polynomial-time $\approx$ "efficient" for this course. Polynomial-time $\approx$ "efficient" for this course.
### Probabilistic ### Probabilistic
Our algorithm's have access to random "coin-flips" we can produce poly(n) random bits. Our algorithm's have access to random "coin-flips" we can produce poly(n) random bits.
$P[C(x)\text{ takes at most }T(n)\text{ steps }]=1$ $P[C(x)\text{ takes at most }T(n)\text{ steps }]=1$
Our adversary $a(x)$ will be a P.P.T which is non-uniform (n.u.) (programs description size can grow polynomially in n) Our adversary $a(x)$ will be a P.P.T which is non-uniform (n.u.) (programs description size can grow polynomially in n)
### Efficient private key encryption scheme ### Efficient private key encryption scheme
#### Definition 3.2 (Efficient private key encryption scheme) #### Definition 3.2 (Efficient private key encryption scheme)
The triple $(Gen,Enc,Dec)$ is an efficient private key encryption scheme over the message space $M$ and key space $K$ if: The triple $(Gen,Enc,Dec)$ is an efficient private key encryption scheme over the message space $M$ and key space $K$ if:
1. $Gen(1^n)$ is a randomized p.p.t that outputs $k\in K$ 1. $Gen(1^n)$ is a randomized p.p.t that outputs $k\in K$
2. $Enc_k(m)$ is a potentially randomized p.p.t that outputs $c$ given $m\in M$ 2. $Enc_k(m)$ is a potentially randomized p.p.t that outputs $c$ given $m\in M$
3. $Dec_k(c')$ is a deterministic p.p.t that outputs $m$ or "null" 3. $Dec_k(c')$ is a deterministic p.p.t that outputs $m$ or "null"
4. $P_k[Dec_k(Enc_k(m))=m]=1,\forall m\in M$ 4. $P_k[Dec_k(Enc_k(m))=m]=1,\forall m\in M$
### Negligible function ### Negligible function
$\epsilon:\mathbb{N}\to \mathbb{R}$ is a negligible function if $\forall c>0$, $\exists N\in\mathbb{N}$ such that $\forall n\geq N, \epsilon(n)<\frac{1}{n^c}$ (looks like definition of limits huh) (Definition 27.2) $\epsilon:\mathbb{N}\to \mathbb{R}$ is a negligible function if $\forall c>0$, $\exists N\in\mathbb{N}$ such that $\forall n\geq N, \epsilon(n)<\frac{1}{n^c}$ (looks like definition of limits huh) (Definition 27.2)
Idea: for any polynomial, even $n^{100}$, in the long run $\epsilon(n)\leq \frac{1}{n^{100}}$ Idea: for any polynomial, even $n^{100}$, in the long run $\epsilon(n)\leq \frac{1}{n^{100}}$
Example: $\epsilon (n)=\frac{1}{2^n}$, $\epsilon (n)=\frac{1}{n^{\log (n)}}$ Example: $\epsilon (n)=\frac{1}{2^n}$, $\epsilon (n)=\frac{1}{n^{\log (n)}}$
Non-example: $\epsilon (n)=O(\frac{1}{n^c})\forall c$ Non-example: $\epsilon (n)=O(\frac{1}{n^c})\forall c$
### One-way function ### One-way function
Idea: We are always okay with our chance of failure being negligible. Idea: We are always okay with our chance of failure being negligible.
Foundational concept of cryptography Foundational concept of cryptography
Goal: making $Enc_k(m),Dec_k(c')$ easy and $Dec^{-1}(c')$ hard. Goal: making $Enc_k(m),Dec_k(c')$ easy and $Dec^{-1}(c')$ hard.
#### Definition 27.3 (Strong one-way function) #### Definition 27.3 (Strong one-way function)
$$ $$
f:\{0,1\}^n\to \{0,1\}^*(n\to \infty) f:\{0,1\}^n\to \{0,1\}^*(n\to \infty)
$$ $$
There is a negligible function $\epsilon (n)$ such that for any adversary $\mathcal{A}$ (n.u.p.p.t) There is a negligible function $\epsilon (n)$ such that for any adversary $\mathcal{A}$ (n.u.p.p.t)
$$ $$
P[x\gets\{0,1\}^n;y=f(x):f(\mathcal{A}(y))=y]\leq\epsilon(n) P[x\gets\{0,1\}^n;y=f(x):f(\mathcal{A}(y))=y]\leq\epsilon(n)
$$ $$
_Probability of guessing a message $x'$ with the same output as the correct message $x$ is negligible_ _Probability of guessing a message $x'$ with the same output as the correct message $x$ is negligible_
and and
there is a p.p.t which computes $f(x)$ for any $x$. there is a p.p.t which computes $f(x)$ for any $x$.
- Hard to go back from output - Hard to go back from output
- Easy to find output - Easy to find output
$a$ sees output y, they wan to find some $x'$ such that $f(x')=y$. $a$ sees output y, they wan to find some $x'$ such that $f(x')=y$.
Example: Suppose $f$ is one-to-one, then $a$ must find our $x$, $P[x'=x]=\frac{1}{2^n}$, which is negligible. Example: Suppose $f$ is one-to-one, then $a$ must find our $x$, $P[x'=x]=\frac{1}{2^n}$, which is negligible.
Why do we allow $a$ to get a different $x'$? Why do we allow $a$ to get a different $x'$?
> Suppose the definition is $P[x\gets\{0,1\}^n;y=f(x):\mathcal{A}(y)=x]\neq\epsilon(n)$, then a trivial function $f(x)=x$ would also satisfy the definition. > Suppose the definition is $P[x\gets\{0,1\}^n;y=f(x):\mathcal{A}(y)=x]\neq\epsilon(n)$, then a trivial function $f(x)=x$ would also satisfy the definition.
To be technically fair, $\mathcal{A}(y)=\mathcal{A}(y,1^n)$, size of input $\approx n$, let them use $poly(n)$ operations. (we also tells the input size is $n$ to $\mathcal{A}$) To be technically fair, $\mathcal{A}(y)=\mathcal{A}(y,1^n)$, size of input $\approx n$, let them use $poly(n)$ operations. (we also tells the input size is $n$ to $\mathcal{A}$)
#### Do one-way function exists? #### Do one-way function exists?
Unknown, actually... Unknown, actually...
But we think so! But we think so!
We will need to use various assumptions. one that we believe very strongly based on evidence/experience We will need to use various assumptions. one that we believe very strongly based on evidence/experience
Example: Example:
$p,q$ are large random primes $p,q$ are large random primes
$N=p\cdot q$ $N=p\cdot q$
Factoring $N$ is hard. (without knowing $p,q$) Factoring $N$ is hard. (without knowing $p,q$)

278
pages/CSE442T/CSE442T_L4.md → content/CSE442T/CSE442T_L4.md
View File

@@ -1,140 +1,140 @@
# Lecture 4 # Lecture 4
## Recap ## Recap
Negligible function $\epsilon(n)$ if $\forall c>0,\exist N$ such that $n>N$, $\epsilon (n)<\frac{1}{n^c}$ Negligible function $\epsilon(n)$ if $\forall c>0,\exist N$ such that $n>N$, $\epsilon (n)<\frac{1}{n^c}$
Example: Example:
$\epsilon(n)=2^{-n},\epsilon(n)=\frac{1}{n^{\log (\log n)}}$ $\epsilon(n)=2^{-n},\epsilon(n)=\frac{1}{n^{\log (\log n)}}$
## Chapter 2: Computational Hardness ## Chapter 2: Computational Hardness
### One-way function ### One-way function
#### Strong One-Way Function #### Strong One-Way Function
1. $\exists$ a P.P.T. that computes $f(x),\forall x\in\{0,1\}^n$ 1. $\exists$ a P.P.T. that computes $f(x),\forall x\in\{0,1\}^n$
2. $\forall \mathcal{A}$ adversaries, $\exists \epsilon(n),\forall n$. 2. $\forall \mathcal{A}$ adversaries, $\exists \epsilon(n),\forall n$.
$$ $$
P[x\gets \{0,1\}^n;y=f(x):f(\mathcal{A}(y,1^n))=y]<\epsilon(n) P[x\gets \{0,1\}^n;y=f(x):f(\mathcal{A}(y,1^n))=y]<\epsilon(n)
$$ $$
_That is, the probability of success guessing should decreasing (exponentially) as encrypted message increase (linearly)..._ _That is, the probability of success guessing should decreasing (exponentially) as encrypted message increase (linearly)..._
To negate statement 2: To negate statement 2:
$$ $$
P[x\gets \{0,1\}^n;y=f(x):f(\mathcal{A}(y,1^n))=y]=\mu(n) P[x\gets \{0,1\}^n;y=f(x):f(\mathcal{A}(y,1^n))=y]=\mu(n)
$$ $$
is a negligible function. is a negligible function.
Negation: Negation:
$\exists \mathcal{A}$, $P[x\gets \{0,1\}^n;y=f(x):f(\mathcal{A}(y,1^n))=y]=\mu(n)$ is not a negligible function. $\exists \mathcal{A}$, $P[x\gets \{0,1\}^n;y=f(x):f(\mathcal{A}(y,1^n))=y]=\mu(n)$ is not a negligible function.
That is, $\exists c>0,\forall N \exists n>N \epsilon(n)>\frac{1}{n^c}$ That is, $\exists c>0,\forall N \exists n>N \epsilon(n)>\frac{1}{n^c}$
$\mu(n)>\frac{1}{n^c}$ for infinitely many $n$. or infinitely often. $\mu(n)>\frac{1}{n^c}$ for infinitely many $n$. or infinitely often.
> Keep in mind: $P[success]=\frac{1}{n^c}$, it can try $O(n^c)$ times and have a good chance of succeeding at least once. > Keep in mind: $P[success]=\frac{1}{n^c}$, it can try $O(n^c)$ times and have a good chance of succeeding at least once.
#### Definition 28.4 (Weak one-way function) #### Definition 28.4 (Weak one-way function)
$f:\{0,1\}^n\to \{0,1\}^*$ $f:\{0,1\}^n\to \{0,1\}^*$
1. $\exists$ a P.P.T. that computes $f(x),\forall x\in\{0,1\}^n$ 1. $\exists$ a P.P.T. that computes $f(x),\forall x\in\{0,1\}^n$
2. $\forall \mathcal{A}$ adversaries, $\exists \epsilon(n),\forall n$. 2. $\forall \mathcal{A}$ adversaries, $\exists \epsilon(n),\forall n$.
$$ $$
P[x\gets \{0,1\}^n;y=f(x):f(\mathcal{A}(y,1^n))=y]<1-\frac{1}{p(n)} P[x\gets \{0,1\}^n;y=f(x):f(\mathcal{A}(y,1^n))=y]<1-\frac{1}{p(n)}
$$ $$
_The probability of success should not be too close to 1_ _The probability of success should not be too close to 1_
### Probability ### Probability
#### Useful bound $0<p<1$ #### Useful bound $0<p<1$
$1-p<e^{-p}$ $1-p<e^{-p}$
(most useful when $p$ is small) (most useful when $p$ is small)
For an experiment has probability $p$ of failure and $1-p$ of success. For an experiment has probability $p$ of failure and $1-p$ of success.
We run experiment $n$ times independently. We run experiment $n$ times independently.
$P[\text{success all n times}]=(1-p)^n<(e^{-p})^n=e^{-np}$ $P[\text{success all n times}]=(1-p)^n<(e^{-p})^n=e^{-np}$
#### Theorem 35.1 (Strong one-way function from weak one-way function) #### Theorem 35.1 (Strong one-way function from weak one-way function)
If there exists a weak one-way function, there there exists a strong one-way function If there exists a weak one-way function, there there exists a strong one-way function
In particular, if $f:\{0,1\}^n\to \{0,1\}^*$ is weak one-way function. In particular, if $f:\{0,1\}^n\to \{0,1\}^*$ is weak one-way function.
$\exists$ polynomial $q(n)$ such that $\exists$ polynomial $q(n)$ such that
$$ $$
g(x):\{0,1\}^{nq(n)}\to \{0,1\}^* g(x):\{0,1\}^{nq(n)}\to \{0,1\}^*
$$ $$
and for every $n$ bits $x_i$ and for every $n$ bits $x_i$
$$ $$
g(x_1,x_2,..,x_{q(n)})=(f(x_1),f(x_2),...,f(x_{q(n)})) g(x_1,x_2,..,x_{q(n)})=(f(x_1),f(x_2),...,f(x_{q(n)}))
$$ $$
is a strong one-way function. is a strong one-way function.
Proof: Proof:
1. Since $\exist P.P.T.$ that computes $f(x),\forall x$ we use this $q(n)$ polynomial times to compute $g$. 1. Since $\exist P.P.T.$ that computes $f(x),\forall x$ we use this $q(n)$ polynomial times to compute $g$.
2. (Idea) $a$ has to succeed in inverting $f$ all $q(n)$ times. 2. (Idea) $a$ has to succeed in inverting $f$ all $q(n)$ times.
Since $x$ is a weak one-way, $\exists$ polynomial $p(n)$. $\forall q, P[q$ inverts $f]<1-\frac{1}{p(n)}$ (Here we use $<$ since we can always find a polynomial that works) Since $x$ is a weak one-way, $\exists$ polynomial $p(n)$. $\forall q, P[q$ inverts $f]<1-\frac{1}{p(n)}$ (Here we use $<$ since we can always find a polynomial that works)
Let $q(n)=np(n)$. Let $q(n)=np(n)$.
Then $P[a$ inverting $g]\sim P[a$ inverts $f$ all $q(n)]$ times. $<(1-\frac{1}{p(n)})^{q(n)}=(1-\frac{1}{p(n)})^{np(n)}<(e^{-\frac{1}{p(n)}})^{np(n)}=e^{-n}$ which is negligible function. Then $P[a$ inverting $g]\sim P[a$ inverts $f$ all $q(n)]$ times. $<(1-\frac{1}{p(n)})^{q(n)}=(1-\frac{1}{p(n)})^{np(n)}<(e^{-\frac{1}{p(n)}})^{np(n)}=e^{-n}$ which is negligible function.
QED QED
_we can always force the adversary to invert the weak one-way function for polynomial time to reach the property of strong one-way function_ _we can always force the adversary to invert the weak one-way function for polynomial time to reach the property of strong one-way function_
Example: $(1-\frac{1}{n^2})^{n^3}<e^{-n}$ Example: $(1-\frac{1}{n^2})^{n^3}<e^{-n}$
### Some candidates of one-way function ### Some candidates of one-way function
#### Multiplication #### Multiplication
$$ $$
Mult(m_1,m_2)=\begin{cases} Mult(m_1,m_2)=\begin{cases}
1,m_1=1 | m_2=1\\ 1,m_1=1 | m_2=1\\
m_1\cdot m_2 m_1\cdot m_2
\end{cases} \end{cases}
$$ $$
But we don't want trivial answers like (1,1000000007) But we don't want trivial answers like (1,1000000007)
Idea: Our "secret" is 373 and 481, Eve can see the product 179413. Idea: Our "secret" is 373 and 481, Eve can see the product 179413.
Not strong one-way for all integer inputs because there are trivial answer for $\frac{3}{4}$ of all outputs. `Mult(2,y/2)` Not strong one-way for all integer inputs because there are trivial answer for $\frac{3}{4}$ of all outputs. `Mult(2,y/2)`
Factoring Assumption: Factoring Assumption:
The only way to efficiently factorizing the product of prime is to iterate all the primes. The only way to efficiently factorizing the product of prime is to iterate all the primes.
In other words: In other words:
$\forall a\exists \epsilon(n)$ such that $\forall n$. $P[p_1\gets \prod n_j]$ $\forall a\exists \epsilon(n)$ such that $\forall n$. $P[p_1\gets \prod n_j]$
We'll show this is a weak one-way function under the Factoring Assumption. We'll show this is a weak one-way function under the Factoring Assumption.
$\forall a,\exists \epsilon(n)$ such that $\forall n$, $\forall a,\exists \epsilon(n)$ such that $\forall n$,
$$ $$
P[p_1\gets \Pi_n;p_2\gets \Pi_n;N=p_1\cdot p_2:a(n)=\{p_1,p_2\}]<\epsilon(n) P[p_1\gets \Pi_n;p_2\gets \Pi_n;N=p_1\cdot p_2:a(n)=\{p_1,p_2\}]<\epsilon(n)
$$ $$
where $\Pi_n=\{p\text{ all primes }p<2^n\}$ where $\Pi_n=\{p\text{ all primes }p<2^n\}$

232
pages/CSE442T/CSE442T_L5.md → content/CSE442T/CSE442T_L5.md
View File

@@ -1,116 +1,116 @@
# Lecture 5 # Lecture 5
## Chapter 2: Computational Hardness ## Chapter 2: Computational Hardness
Proving that there are one-way functions relies on assumptions. Proving that there are one-way functions relies on assumptions.
Factoring Assumption: $\forall \mathcal{A}, \exist \epsilon (n)$, let $p,q\in \Pi_n,p,q<2^n$ Factoring Assumption: $\forall \mathcal{A}, \exist \epsilon (n)$, let $p,q\in \Pi_n,p,q<2^n$
$$ $$
P[p\gets \Pi_n;q\gets \Pi_n;N=p\cdot q:\mathcal{A}(N)\in \{p,q\}]<\epsilon(n) P[p\gets \Pi_n;q\gets \Pi_n;N=p\cdot q:\mathcal{A}(N)\in \{p,q\}]<\epsilon(n)
$$ $$
Evidence: To this point, best known procedure to always factor has run time $O(2^{\sqrt{n}\sqrt{log(n)}})$ Evidence: To this point, best known procedure to always factor has run time $O(2^{\sqrt{n}\sqrt{log(n)}})$
Distribution of prime numbers: Distribution of prime numbers:
- We have infinitely many prime - We have infinitely many prime
- Prime Number Theorem $\pi(n)\approx\frac{n}{\ln(n)}$, that means, $\frac{1}{\ln n}$ of all integers are prime. - Prime Number Theorem $\pi(n)\approx\frac{n}{\ln(n)}$, that means, $\frac{1}{\ln n}$ of all integers are prime.
We want to (guaranteed to) find prime: We want to (guaranteed to) find prime:
$\pi(n)>\frac{2^n}{2n}$ $\pi(n)>\frac{2^n}{2n}$
e.g. e.g.
$$ $$
P[x\gets \{0,1\}^n:x\in prime]\geq {\frac{2^n}{2n}\over 2^n}=\frac{1}{2n} P[x\gets \{0,1\}^n:x\in prime]\geq {\frac{2^n}{2n}\over 2^n}=\frac{1}{2n}
$$ $$
Theorem: Theorem:
$$ $$
f_{mult}:\{0,1\}^{2n}\to \{0,1\}^{2n},f_{mult}(x_1,x_2)=x_1\cdot x_2 f_{mult}:\{0,1\}^{2n}\to \{0,1\}^{2n},f_{mult}(x_1,x_2)=x_1\cdot x_2
$$ $$
Idea: There are enough pairs of primes to make this difficult. Idea: There are enough pairs of primes to make this difficult.
> Reminder: Weak on-way if easy to compute and $\exist p(n)$, > Reminder: Weak on-way if easy to compute and $\exist p(n)$,
> $P[\mathcal{A}\ \text{inverts=success}]<1-\frac{1}{p(n)}$ > $P[\mathcal{A}\ \text{inverts=success}]<1-\frac{1}{p(n)}$
> $P[\mathcal{A}\ \text{inverts=failure}]>\frac{1}{p(n)}$ high enough > $P[\mathcal{A}\ \text{inverts=failure}]>\frac{1}{p(n)}$ high enough
### Prove one-way function (under assumptions) ### Prove one-way function (under assumptions)
To prove $f$ is on-way (under assumption) To prove $f$ is on-way (under assumption)
1. Show $\exists p.p.t$ solves $f(x),\forall x$. 1. Show $\exists p.p.t$ solves $f(x),\forall x$.
2. Proof by contradiction. 2. Proof by contradiction.
- For weak: Provide $p(n)$ that we know works. - For weak: Provide $p(n)$ that we know works.
- Assume $\exists \mathcal{A}$ such that $P[\mathcal{A}\ \text{inverts}]>1-\frac{1}{p(n)}$ - Assume $\exists \mathcal{A}$ such that $P[\mathcal{A}\ \text{inverts}]>1-\frac{1}{p(n)}$
- For strong: Provide $p(n)$ that we know works. - For strong: Provide $p(n)$ that we know works.
- Assume $\exists \mathcal{A}$ such that $P[\mathcal{A}\ \text{inverts}]>\frac{1}{p(n)}$ - Assume $\exists \mathcal{A}$ such that $P[\mathcal{A}\ \text{inverts}]>\frac{1}{p(n)}$
Construct p.p.t $\mathcal{B}$ Construct p.p.t $\mathcal{B}$
which uses $\mathcal{A}$ to solve a problem, which contradicts assumption or known fact. which uses $\mathcal{A}$ to solve a problem, which contradicts assumption or known fact.
Back to Theorem: Back to Theorem:
We will show that $p(n)=8n^2$ works. We will show that $p(n)=8n^2$ works.
We claim $\forall \mathcal{A}$, We claim $\forall \mathcal{A}$,
$$ $$
P[(x_1,x_2)\gets \{0,1\}^{2n};y=f_{mult}(x_1,x_2):f(\mathcal{A}(y))=y]<1-\frac{1}{8n^2} P[(x_1,x_2)\gets \{0,1\}^{2n};y=f_{mult}(x_1,x_2):f(\mathcal{A}(y))=y]<1-\frac{1}{8n^2}
$$ $$
For the sake of contradiction, suppose For the sake of contradiction, suppose
$$ $$
\exists \mathcal{A} \textup{ such that} P[\mathcal{A}\ \text{inverts}]>1-\frac{1}{8n^2} \exists \mathcal{A} \textup{ such that} P[\mathcal{A}\ \text{inverts}]>1-\frac{1}{8n^2}
$$ $$
We will use this $\mathcal{A}$ to design p.p.t $B$ which can factor 2 random primes with non-negligible prob. We will use this $\mathcal{A}$ to design p.p.t $B$ which can factor 2 random primes with non-negligible prob.
```python ```python
def A(y): def A(y):
# the adversary algorithm # the adversary algorithm
# expecting N to be product of random integer, don't need to be prime # expecting N to be product of random integer, don't need to be prime
def is_prime(x): def is_prime(x):
# test if x is a prime # test if x is a prime
def gen(n): def gen(n):
# generate number up to n bits # generate number up to n bits
def B(y): def B(y):
# N is the input cipher # N is the input cipher
x1,x2=gen(n),gen(n) x1,x2=gen(n),gen(n)
p=x1*x2 p=x1*x2
if is_prime(x1) and is_prime(x2): if is_prime(x1) and is_prime(x2):
return A(p) return A(p)
return A(y) return A(y)
``` ```
How often does $\mathcal{B}$ succeed/fail? How often does $\mathcal{B}$ succeed/fail?
$\mathcal{B}$ fails to factor $N=p\dot q$, if: $\mathcal{B}$ fails to factor $N=p\dot q$, if:
- $x$ and $y$ are not both prime - $x$ and $y$ are not both prime
- $P_e=1-P(x\in \Pi_n)P(y\in \Pi_n)\leq 1-(\frac{1}{2n})^2=1-\frac{1}{4n^2}$ - $P_e=1-P(x\in \Pi_n)P(y\in \Pi_n)\leq 1-(\frac{1}{2n})^2=1-\frac{1}{4n^2}$
- if $\mathcal{A}$ fails to factor - if $\mathcal{A}$ fails to factor
- $P_f<\frac{1}{8n^2}$ - $P_f<\frac{1}{8n^2}$
So So
$$ $$
P[\mathcal{B} \text{ fails}]\leq P[E\cup F]\leq P[E]+P[F]\leq (1-\frac{1}{4n^2}+\frac{1}{8n^2})=1-\frac{1}{8n^2} P[\mathcal{B} \text{ fails}]\leq P[E\cup F]\leq P[E]+P[F]\leq (1-\frac{1}{4n^2}+\frac{1}{8n^2})=1-\frac{1}{8n^2}
$$ $$
So So
$$ $$
P[\mathcal{B} \text{ succeed}]\geq \frac{1}{8n^2} (\text{non-negligible}) P[\mathcal{B} \text{ succeed}]\geq \frac{1}{8n^2} (\text{non-negligible})
$$ $$
This contradicting factoring assumption. Therefore, our assumption that $\mathcal{A}$ exists was wrong. This contradicting factoring assumption. Therefore, our assumption that $\mathcal{A}$ exists was wrong.
Therefore $\forall \mathcal{A}$, $P[(x_1,x_2)\gets \{0,1\}^{2n};y=f_{mult}(x_1,x_2):f(\mathcal{A}(y))=y]<1-\frac{1}{8n^2}$ is wrong. Therefore $\forall \mathcal{A}$, $P[(x_1,x_2)\gets \{0,1\}^{2n};y=f_{mult}(x_1,x_2):f(\mathcal{A}(y))=y]<1-\frac{1}{8n^2}$ is wrong.

228
pages/CSE442T/CSE442T_L6.md → content/CSE442T/CSE442T_L6.md
View File

@@ -1,114 +1,114 @@
# Lecture 6 # Lecture 6
## Review ## Review
$$ $$
f_{mult}:\{0,1\}^{2n}\to \{0,1\}^{2n} f_{mult}:\{0,1\}^{2n}\to \{0,1\}^{2n}
$$ $$
is a weak one-way. is a weak one-way.
$P[\mathcal{A}\ \text{invert}]\leq 1-\frac{1}{8n^2}$ over $x,y\in$ random integers $\{0,1\}^n$ $P[\mathcal{A}\ \text{invert}]\leq 1-\frac{1}{8n^2}$ over $x,y\in$ random integers $\{0,1\}^n$
## Chapter 2: Computational Hardness ## Chapter 2: Computational Hardness
### Converting weak one-way function to strong one-way function ### Converting weak one-way function to strong one-way function
By factoring assumptions, $\exists$ strong one-way function By factoring assumptions, $\exists$ strong one-way function
$f:\{0,1\}^N\to \{0,1\}^N$ for infinitely many $N$. $f:\{0,1\}^N\to \{0,1\}^N$ for infinitely many $N$.
$f=\left(f_{mult}(x_1,y_1),f_{mult}(x_2,y_2),\dots,f_{mult}(x_q,y_q)\right)$, $x_i,y_i\in \{0,1\}^n$. $f=\left(f_{mult}(x_1,y_1),f_{mult}(x_2,y_2),\dots,f_{mult}(x_q,y_q)\right)$, $x_i,y_i\in \{0,1\}^n$.
$f:\{0,1\}^{8n^4}\to \{0,1\}^{8n^4}$ $f:\{0,1\}^{8n^4}\to \{0,1\}^{8n^4}$
Idea: With high probability, at least one pair $(x_i,y_i)$ are both prime. Idea: With high probability, at least one pair $(x_i,y_i)$ are both prime.
Factoring assumption: $\mathcal{A}$ has low chance of factoring $f_{mult}(x_i,y_i)$ Factoring assumption: $\mathcal{A}$ has low chance of factoring $f_{mult}(x_i,y_i)$
Use $P[x \textup{ is prime}]\geq\frac{1}{2n}$ Use $P[x \textup{ is prime}]\geq\frac{1}{2n}$
$$ $$
P[\forall p,q \in x_i,y_i, p\textup{ and } q \textup{ is not prime }]=P[p,q \in x_i,y_i, p\textup{ and } q \textup{ is not prime }]^q P[\forall p,q \in x_i,y_i, p\textup{ and } q \textup{ is not prime }]=P[p,q \in x_i,y_i, p\textup{ and } q \textup{ is not prime }]^q
$$ $$
$$ $$
P[\forall p,q \in x_i,y_i, p\textup{ and } q \textup{ is not prime }]\leq(1-\frac{1}{4n^2})^{4n^3}\leq (e^{-\frac{1}{4n^2}})^{4n^3}=e^{-n} P[\forall p,q \in x_i,y_i, p\textup{ and } q \textup{ is not prime }]\leq(1-\frac{1}{4n^2})^{4n^3}\leq (e^{-\frac{1}{4n^2}})^{4n^3}=e^{-n}
$$ $$
### Proof of strong one-way function ### Proof of strong one-way function
1. $f_{mult}$ is efficiently computable, and we compute it poly-many times. 1. $f_{mult}$ is efficiently computable, and we compute it poly-many times.
2. Suppose it's not hard to invert. Then 2. Suppose it's not hard to invert. Then
$\exists \text{n.u.p.p.t.}\ \mathcal{A}$such that $P[w\gets \{0,1\}^{8n^4};z=f(w):f(\mathcal{A}(z))=0]=\mu (n)>\frac{1}{p(n)}$ $\exists \text{n.u.p.p.t.}\ \mathcal{A}$such that $P[w\gets \{0,1\}^{8n^4};z=f(w):f(\mathcal{A}(z))=0]=\mu (n)>\frac{1}{p(n)}$
We will use this to construct $\mathcal{B}$ that breaks factoring assumption. We will use this to construct $\mathcal{B}$ that breaks factoring assumption.
$p\gets \Pi_n,q\gets \Pi_n,N=p\cdot q$ $p\gets \Pi_n,q\gets \Pi_n,N=p\cdot q$
```psudocode ```psudocode
function B: function B:
Receives N Receives N
Sample (x,y) q times Sample (x,y) q times
Compute z_i = f_mult(x_i,y_i) for each i Compute z_i = f_mult(x_i,y_i) for each i
From i=1 to q From i=1 to q
check if both x_i y_i are prime check if both x_i y_i are prime
If yes, If yes,
z_i = N z_i = N
break // replace first instance break // replace first instance
Let z = (z_1,z_2,...,z_q) // z_k = N hopefully Let z = (z_1,z_2,...,z_q) // z_k = N hopefully
((x_1,y_1),...,(x_k,y_k),...,(x_q,y_q)) <- a(z) ((x_1,y_1),...,(x_k,y_k),...,(x_q,y_q)) <- a(z)
if (x_k,y_k) was replaced if (x_k,y_k) was replaced
return x_k,y_k return x_k,y_k
else else
return null return null
``` ```
Let $E$ be the event that all pairs of sampled integers were not both prime. Let $E$ be the event that all pairs of sampled integers were not both prime.
Let $F$ be the event that $\mathcal{A}$ failed to invert Let $F$ be the event that $\mathcal{A}$ failed to invert
$P[\mathcal{B} \text{ fails}]\leq P[E\cup F]\leq P[E]+P[F]\leq e^{-n}+(1-\frac{1}{p(n)})=1-(\frac{1}{p(n)}-e^{-n})\leq 1-\frac{1}{2p(n)}$ $P[\mathcal{B} \text{ fails}]\leq P[E\cup F]\leq P[E]+P[F]\leq e^{-n}+(1-\frac{1}{p(n)})=1-(\frac{1}{p(n)}-e^{-n})\leq 1-\frac{1}{2p(n)}$
$P[\mathcal{B} \text{ succeeds}]=P[p\gets \Pi_n,q\gets \Pi_n,N=p\cdot q:\mathcal{B}(N)\in \{p,q\}]\geq \frac{1}{2p(n)}$ $P[\mathcal{B} \text{ succeeds}]=P[p\gets \Pi_n,q\gets \Pi_n,N=p\cdot q:\mathcal{B}(N)\in \{p,q\}]\geq \frac{1}{2p(n)}$
Contradicting factoring assumption Contradicting factoring assumption
We've defined one-way functions to hae domain $\{0,1\}^n$ for some $n$. We've defined one-way functions to hae domain $\{0,1\}^n$ for some $n$.
Our strong one-way function $f(n)$ Our strong one-way function $f(n)$
- Takes $4n^3$ pairs of random integers - Takes $4n^3$ pairs of random integers
- Multiplies all pairs - Multiplies all pairs
- Hope at least pair are both prime $p,q$ b/c we know $N=p\cdot q$ is hard to factor - Hope at least pair are both prime $p,q$ b/c we know $N=p\cdot q$ is hard to factor
### General collection of strong one-way functions ### General collection of strong one-way functions
$F=\{f_i:D_i\to R_i\},i\in I$, $I$ is the index set. $F=\{f_i:D_i\to R_i\},i\in I$, $I$ is the index set.
1. We can effectively choose $i\gets I$ using $Gen$. 1. We can effectively choose $i\gets I$ using $Gen$.
2. $\forall i$ we ca efficiently sample $x\gets D_i$. 2. $\forall i$ we ca efficiently sample $x\gets D_i$.
3. $\forall i\forall x\in D_i,f_i(x)$ is efficiently computable 3. $\forall i\forall x\in D_i,f_i(x)$ is efficiently computable
4. For any n.u.p.p.t $\mathcal{A}$, $\exists$ negligible function $\epsilon (n)$. 4. For any n.u.p.p.t $\mathcal{A}$, $\exists$ negligible function $\epsilon (n)$.
$P[i\gets Gen(1^n);x\gets D_i;y=f_i(x):f(\mathcal{A}(y,i,1^n))=y]\leq \epsilon(n)$ $P[i\gets Gen(1^n);x\gets D_i;y=f_i(x):f(\mathcal{A}(y,i,1^n))=y]\leq \epsilon(n)$
#### An instance of strong one-way function under factoring assumption #### An instance of strong one-way function under factoring assumption
$f_{mult,n}:(\Pi_n\times \Pi_n)\to \{0,1\}^{2n}$ is a collection of strong one way function. $f_{mult,n}:(\Pi_n\times \Pi_n)\to \{0,1\}^{2n}$ is a collection of strong one way function.
Ideas of proof: Ideas of proof:
1. $n\gets Gen(1^n)$ 1. $n\gets Gen(1^n)$
2. We can efficiently sample $p,q$ (with justifications) 2. We can efficiently sample $p,q$ (with justifications)
3. Factoring assumption 3. Factoring assumption
Algorithm for sampling a random prime $p\gets \Pi_n$ Algorithm for sampling a random prime $p\gets \Pi_n$
1. $x\gets \{0,1\}^n$ (n bit integer) 1. $x\gets \{0,1\}^n$ (n bit integer)
2. Check if $x$ is prime. 2. Check if $x$ is prime.
- Deterministic poly-time procedure - Deterministic poly-time procedure
- In practice, a much faster randomized procedure (Miller-Rabin) used - In practice, a much faster randomized procedure (Miller-Rabin) used
$P[x\cancel{\in} \text{prime}|\text{test said x prime}]<\epsilon(n)$ $P[x\cancel{\in} \text{prime}|\text{test said x prime}]<\epsilon(n)$
3. If not, repeat. Do this for polynomial number of times 3. If not, repeat. Do this for polynomial number of times

240
pages/CSE442T/CSE442T_L7.md → content/CSE442T/CSE442T_L7.md
View File

@@ -1,120 +1,120 @@
# Lecture 7 # Lecture 7
## Chapter 2: Computational Hardness ## Chapter 2: Computational Hardness
### Letter choosing experiment ### Letter choosing experiment
For 100 letter tiles, For 100 letter tiles,
$p_1,...,p_{27}$ (with one blank) $p_1,...,p_{27}$ (with one blank)
$(p_1)^2+\dots +(p_{27})^2\geq\frac{1}{27}$ $(p_1)^2+\dots +(p_{27})^2\geq\frac{1}{27}$
For any $p_1,...,p_n$, $0\leq p_i\leq 1$. For any $p_1,...,p_n$, $0\leq p_i\leq 1$.
$\sum p_i=1$ $\sum p_i=1$
$P[\text{the same event twice in a row}]=p_1^2+p_2^2....+p_n^2$ $P[\text{the same event twice in a row}]=p_1^2+p_2^2....+p_n^2$
By Cauchy-Schwarz: $|u\cdot v|^2 \leq ||u||\cdot ||v||^2$. By Cauchy-Schwarz: $|u\cdot v|^2 \leq ||u||\cdot ||v||^2$.
let $\vec{u}=(p_1,...,p_n)$, $\vec{v}=(1,..,1)$, so $(p_1^2+p_2^2....+p_n)^2\leq (p_1^2+p_2^2....+p_n^2)\cdot n$. So $p_1^2+p_2^2....+p_n^2\geq \frac{1}{n}$ let $\vec{u}=(p_1,...,p_n)$, $\vec{v}=(1,..,1)$, so $(p_1^2+p_2^2....+p_n)^2\leq (p_1^2+p_2^2....+p_n^2)\cdot n$. So $p_1^2+p_2^2....+p_n^2\geq \frac{1}{n}$
So for an adversary $\mathcal{A}$, who random choose $x'$ and output $f(x')=f(x)$ if matched. $P[f(x)=f(x')]\geq\frac{1}{|Y|}$ So for an adversary $\mathcal{A}$, who random choose $x'$ and output $f(x')=f(x)$ if matched. $P[f(x)=f(x')]\geq\frac{1}{|Y|}$
So $P[x\gets f(x);y=f(x):\mathcal{A}(y,1^n)=y]\geq \frac{1}{|Y|}$ So $P[x\gets f(x);y=f(x):\mathcal{A}(y,1^n)=y]\geq \frac{1}{|Y|}$
### Modular arithmetic ### Modular arithmetic
For $a,b\in \mathbb{Z}$, $N\in \mathbb{Z}^2$ For $a,b\in \mathbb{Z}$, $N\in \mathbb{Z}^2$
$a\equiv b \mod N\iff N|(a-b)\iff \exists k\in \mathbb{Z}, a-b=kN,a=kN+b$ $a\equiv b \mod N\iff N|(a-b)\iff \exists k\in \mathbb{Z}, a-b=kN,a=kN+b$
Ex: $N=23$, $-20\equiv 3\equiv 26\equiv 49\equiv 72\mod 23$. Ex: $N=23$, $-20\equiv 3\equiv 26\equiv 49\equiv 72\mod 23$.
#### Equivalent relations for any $N$ on $\mathbb{Z}$ #### Equivalent relations for any $N$ on $\mathbb{Z}$
$a\equiv a\mod N$ $a\equiv a\mod N$
$a\equiv b\mod N\iff b\equiv a\mod N$ $a\equiv b\mod N\iff b\equiv a\mod N$
$a\equiv b\mod N$ and $b\equiv c\mod N\implies a\equiv c\mod N$ $a\equiv b\mod N$ and $b\equiv c\mod N\implies a\equiv c\mod N$
#### Division Theorem #### Division Theorem
For any $a\in \mathbb{Z}$, and $N\in\mathbb{Z}^+$, $\exists unique\ r,0\leq r<N$. For any $a\in \mathbb{Z}$, and $N\in\mathbb{Z}^+$, $\exists unique\ r,0\leq r<N$.
$\mathbb{Z}_N=\{0,1,2,...,N-1\}$ with modular arithmetic. $\mathbb{Z}_N=\{0,1,2,...,N-1\}$ with modular arithmetic.
$a+b\mod N,a\cdot b\mod N$ $a+b\mod N,a\cdot b\mod N$
Theorem: If $a\equiv b\mod N$ and$c\equiv d\mod N$, then $a\cdot c\equiv b\cdot d\mod N$. Theorem: If $a\equiv b\mod N$ and$c\equiv d\mod N$, then $a\cdot c\equiv b\cdot d\mod N$.
Definition: $gcd(a,b)=d,a,b\in \mathbb{Z}^+$, is the maximum number such that $d|a$ and $d|b$. Definition: $gcd(a,b)=d,a,b\in \mathbb{Z}^+$, is the maximum number such that $d|a$ and $d|b$.
Using normal factoring is slow... (Example: large $p,q,r$, $N=p\cdot q,,M=p\cdot r$) Using normal factoring is slow... (Example: large $p,q,r$, $N=p\cdot q,,M=p\cdot r$)
##### Euclidean algorithm ##### Euclidean algorithm
Recursively relying on fact that $(a>b>0)$ Recursively relying on fact that $(a>b>0)$
$gcd(a,b)=gcd(b,a\mod b)$ $gcd(a,b)=gcd(b,a\mod b)$
```python ```python
def euclidean_algorithm(a,b): def euclidean_algorithm(a,b):
if a<b: return euclidean_algorithm(b,a) if a<b: return euclidean_algorithm(b,a)
if b==0: return a if b==0: return a
return euclidean_algorithm(b,a%b) return euclidean_algorithm(b,a%b)
``` ```
Proof: Proof:
We'll show $d|a$ and $d|b\iff d|b$ and $d|(a\mod b)$ We'll show $d|a$ and $d|b\iff d|b$ and $d|(a\mod b)$
$\impliedby$ $a=q\cdot b+r$, $r=a\mod b$ $\impliedby$ $a=q\cdot b+r$, $r=a\mod b$
$\implies$ $d|r$, $r=a\mod b$ $\implies$ $d|r$, $r=a\mod b$
Runtime analysis: Runtime analysis:
Fact: $b_{i+2}<\frac{1}{2}b_i$ Fact: $b_{i+2}<\frac{1}{2}b_i$
Proof: Proof:
Since $a_i=q_i\cdot b_i+b_{i+1}$, and $b_1=q_2\cdot b_2+b_3$, $b_2>b_3$, and $q_2$ in worst case is $1$, so $b_3<\frac{b_1}{2}$ Since $a_i=q_i\cdot b_i+b_{i+1}$, and $b_1=q_2\cdot b_2+b_3$, $b_2>b_3$, and $q_2$ in worst case is $1$, so $b_3<\frac{b_1}{2}$
$T(n)=2\Theta(\log b)=O(\log n)$ (linear in size of bits input) $T(n)=2\Theta(\log b)=O(\log n)$ (linear in size of bits input)
##### Extended Euclidean algorithm ##### Extended Euclidean algorithm
Our goal is to find $x,y$ such that $ax+by=gcd(a,b)$ Our goal is to find $x,y$ such that $ax+by=gcd(a,b)$
Given $a\cdot x\equiv b\mod N$, we do euclidean algorithm to find $gcd(a,b)=d$, then reverse the steps to find $x,y$ such that $ax+by=d$ Given $a\cdot x\equiv b\mod N$, we do euclidean algorithm to find $gcd(a,b)=d$, then reverse the steps to find $x,y$ such that $ax+by=d$
```python ```python
def extended_euclidean_algorithm(a,b): def extended_euclidean_algorithm(a,b):
if a%b==0: return (0,1) if a%b==0: return (0,1)
x,y=extended_euclidean_algorithm(b,a%b) x,y=extended_euclidean_algorithm(b,a%b)
return (y,x-y*(a//b)) return (y,x-y*(a//b))
``` ```
Example: $a=12,b=43$, $gcd(12,43)=1$ Example: $a=12,b=43$, $gcd(12,43)=1$
$$ $$
\begin{aligned} \begin{aligned}
43&=3\cdot 12+7\\ 43&=3\cdot 12+7\\
12&=1\cdot 7+5\\ 12&=1\cdot 7+5\\
7&=1\cdot 5+2\\ 7&=1\cdot 5+2\\
5&=2\cdot 2+1\\ 5&=2\cdot 2+1\\
2&=2\cdot 1+0\\ 2&=2\cdot 1+0\\
1&=1\cdot 5-2\cdot 2\\ 1&=1\cdot 5-2\cdot 2\\
1&=1\cdot 5-2\cdot (7-1\cdot 5)\\ 1&=1\cdot 5-2\cdot (7-1\cdot 5)\\
1&=3\cdot 5-2\cdot 7\\ 1&=3\cdot 5-2\cdot 7\\
1&=3\cdot (12-1\cdot 7)-2\cdot 7\\ 1&=3\cdot (12-1\cdot 7)-2\cdot 7\\
1&=3\cdot 12-5\cdot 7\\ 1&=3\cdot 12-5\cdot 7\\
1&=3\cdot 12-5\cdot (43-3\cdot 12)\\ 1&=3\cdot 12-5\cdot (43-3\cdot 12)\\
1&=-5\cdot 43+18\cdot 12\\ 1&=-5\cdot 43+18\cdot 12\\
\end{aligned} \end{aligned}
$$ $$
So $x=-5,y=18$ So $x=-5,y=18$

148
pages/CSE442T/CSE442T_L8.md → content/CSE442T/CSE442T_L8.md
View File

@@ -1,74 +1,74 @@
# Lecture 8 # Lecture 8
## Chapter 2: Computational Hardness ## Chapter 2: Computational Hardness
### Computational number theory/arithmetic ### Computational number theory/arithmetic
We want to have a easy-to-use one-way functions for cryptography. We want to have a easy-to-use one-way functions for cryptography.
How to find $a^x\mod N$ quickly. $a,x,N$ are positive integers. We want to reduce $[a\mod N]$ How to find $a^x\mod N$ quickly. $a,x,N$ are positive integers. We want to reduce $[a\mod N]$
Example: $129^{39}\mod 41\equiv (129\mod 41)^{39}\mod 41=6^{39}\mod 41$ Example: $129^{39}\mod 41\equiv (129\mod 41)^{39}\mod 41=6^{39}\mod 41$
Find the binary representation of $x$. e.g. express as sums of powers of 2. Find the binary representation of $x$. e.g. express as sums of powers of 2.
`x=39=bin(1,0,0,1,1,1)` `x=39=bin(1,0,0,1,1,1)`
Repeatedly square $floor(\log_2(x))$ times. Repeatedly square $floor(\log_2(x))$ times.
$$ $$
\begin{aligned} \begin{aligned}
6^{39}\mod 41&=6^{32+4+2+1}\mod 41\\ 6^{39}\mod 41&=6^{32+4+2+1}\mod 41\\
&=(6^{32}\mod 41)(6^{4}\mod 41)(6^{2}\mod 41)(6^{1}\mod 41)\mod 41\\ &=(6^{32}\mod 41)(6^{4}\mod 41)(6^{2}\mod 41)(6^{1}\mod 41)\mod 41\\
&=(-4)(25)(-5)(6)\mod 41\\ &=(-4)(25)(-5)(6)\mod 41\\
&=7 &=7
\end{aligned} \end{aligned}
$$ $$
The total multiplication steps is $floor(\log_2(x))$ The total multiplication steps is $floor(\log_2(x))$
_looks like fast exponentiation right?_ _looks like fast exponentiation right?_
Goal: $f_{g,p}(x)=g^x\mod p$ is a one-way function, for certain choice of $p,g$ (and assumptions) Goal: $f_{g,p}(x)=g^x\mod p$ is a one-way function, for certain choice of $p,g$ (and assumptions)
#### A group (Nice day one for MODERN ALGEBRA) #### A group (Nice day one for MODERN ALGEBRA)
A group $G$ is a set with, a binary operation $\oplus$. and $\forall a,b\in G$, $a \oplus b\to c$ A group $G$ is a set with, a binary operation $\oplus$. and $\forall a,b\in G$, $a \oplus b\to c$
1. $a,b\in G,a\oplus b\in G$ (closure) 1. $a,b\in G,a\oplus b\in G$ (closure)
2. $(a\oplus b)\oplus c=a\oplus(b\oplus c)$ (associativity) 2. $(a\oplus b)\oplus c=a\oplus(b\oplus c)$ (associativity)
3. $\exists e$ such that $\forall a\in G, e\oplus g=g=g\oplus e$ (identity element) 3. $\exists e$ such that $\forall a\in G, e\oplus g=g=g\oplus e$ (identity element)
4. $\exists g^{-1}\in G$ such that $g\oplus g^{-1}=e$ (inverse element) 4. $\exists g^{-1}\in G$ such that $g\oplus g^{-1}=e$ (inverse element)
Example: Example:
- $\mathbb{Z}_N=\{0,1,2,3,...,N-1\}$ with addition $\mod N$, with identity element $0$. $a\in \mathbb{Z}_N, a^{-1}=N-a$. - $\mathbb{Z}_N=\{0,1,2,3,...,N-1\}$ with addition $\mod N$, with identity element $0$. $a\in \mathbb{Z}_N, a^{-1}=N-a$.
- A even simpler group is $\Z$ with addition. - A even simpler group is $\Z$ with addition.
- $\mathbb{Z}_N^*=\{x:x\in \mathbb{Z},1 \leq x\leq N: gcd(x,N)=1\}$ with multiplication $\mod N$ (we can do division here! yeah...). - $\mathbb{Z}_N^*=\{x:x\in \mathbb{Z},1 \leq x\leq N: gcd(x,N)=1\}$ with multiplication $\mod N$ (we can do division here! yeah...).
- If $N=p$ is prime, then $\mathbb{Z}_p^*=\{1,2,3,...,p-1\}$ - If $N=p$ is prime, then $\mathbb{Z}_p^*=\{1,2,3,...,p-1\}$
- If $N=24$, then $\mathbb{Z}_{24}^*=\{1,5,7,11,13,17,19,23\}$ - If $N=24$, then $\mathbb{Z}_{24}^*=\{1,5,7,11,13,17,19,23\}$
- Identity is $1$. - Identity is $1$.
- Let $a\in \mathbb{Z}_N^*$, by Euclidean algorithm, $gcd(a,N)=1$,$\exists x,y \in Z$ such that $ax+Ny=1,ax\equiv 1\mod N,x=a^{-1}$ - Let $a\in \mathbb{Z}_N^*$, by Euclidean algorithm, $gcd(a,N)=1$,$\exists x,y \in Z$ such that $ax+Ny=1,ax\equiv 1\mod N,x=a^{-1}$
- $a,b\in \mathbb{Z}_N^*$. Want to show $gcd(ab,N)=1$. If $gcd(ab,N)=d>1$, then some prime $p|d$. so $p|(a,b)$, which means $p|a$ or $p|b$. In either case, $gcd(a,N)>d$ or $gcd(b,N)>d$, which contradicts that $a,b\in \mathbb{C}_N^*$ - $a,b\in \mathbb{Z}_N^*$. Want to show $gcd(ab,N)=1$. If $gcd(ab,N)=d>1$, then some prime $p|d$. so $p|(a,b)$, which means $p|a$ or $p|b$. In either case, $gcd(a,N)>d$ or $gcd(b,N)>d$, which contradicts that $a,b\in \mathbb{C}_N^*$
#### Euler's totient function #### Euler's totient function
$\phi:\mathbb{Z}^+\to \mathbb{Z}^+,\phi(N)=|\mathbb{Z}_N^*|=|\{1\leq x\leq N:gcd(x,N)=1\}|$ $\phi:\mathbb{Z}^+\to \mathbb{Z}^+,\phi(N)=|\mathbb{Z}_N^*|=|\{1\leq x\leq N:gcd(x,N)=1\}|$
Example: $\phi(1)=1$, $\phi(24)=8$, $\phi (p)=p-1$, $\phi(p\cdot q)=(p-1)(q-1)$ Example: $\phi(1)=1$, $\phi(24)=8$, $\phi (p)=p-1$, $\phi(p\cdot q)=(p-1)(q-1)$
#### Euler's Theorem #### Euler's Theorem
For any $a\in \mathbb{Z}_N^*$, $a^{\phi(N)}\equiv 1\mod N$ For any $a\in \mathbb{Z}_N^*$, $a^{\phi(N)}\equiv 1\mod N$
Consequence: $a^x\mod N$, $x=K\cdot \phi(N)+r,0\leq r\leq \phi(N)$ Consequence: $a^x\mod N$, $x=K\cdot \phi(N)+r,0\leq r\leq \phi(N)$
$$ $$
a^x\equiv a^{K \cdot \phi (N) +r}\equiv ( a^{\phi(n)} )^K \cdot a^r \mod N$ a^x\equiv a^{K \cdot \phi (N) +r}\equiv ( a^{\phi(n)} )^K \cdot a^r \mod N$
$$ $$
So computing $a^x\mod N$ is polynomial in $\log (N)$ by reducing $a\mod N$ and $x\mod \phi(N)<N$ So computing $a^x\mod N$ is polynomial in $\log (N)$ by reducing $a\mod N$ and $x\mod \phi(N)<N$
Corollary: Fermat's little theorem: Corollary: Fermat's little theorem:
$1\leq a\leq p-1,a^{p-1}\equiv 1 \mod p$ $1\leq a\leq p-1,a^{p-1}\equiv 1 \mod p$

236
pages/CSE442T/CSE442T_L9.md → content/CSE442T/CSE442T_L9.md
View File

@@ -1,118 +1,118 @@
# Lecture 9 # Lecture 9
## Chapter 2: Computational Hardness ## Chapter 2: Computational Hardness
### Continue on Cyclic groups ### Continue on Cyclic groups
$$ $$
\begin{aligned} \begin{aligned}
107^{662}\mod 51&=(107\mod 51)^{662}\mod 51\\ 107^{662}\mod 51&=(107\mod 51)^{662}\mod 51\\
&=5^{662}\mod 51 &=5^{662}\mod 51
\end{aligned} \end{aligned}
$$ $$
Remind that $\phi(p),p\in\Pi,\phi(p)=p-1$. Remind that $\phi(p),p\in\Pi,\phi(p)=p-1$.
$51=3\times 17,\phi(51)=\phi(3)\times \phi(17)=2\times 16=32$, So $5^{32}\mod 1$ $51=3\times 17,\phi(51)=\phi(3)\times \phi(17)=2\times 16=32$, So $5^{32}\mod 1$
$5^2\equiv 25\mod 51=25$ $5^2\equiv 25\mod 51=25$
$5^4\equiv (5^2)^2\equiv(25)^2 \mod 51\equiv 625\mod 51=13$ $5^4\equiv (5^2)^2\equiv(25)^2 \mod 51\equiv 625\mod 51=13$
$5^8\equiv (5^4)^2\equiv(13)^2 \mod 51\equiv 169\mod 51=16$ $5^8\equiv (5^4)^2\equiv(13)^2 \mod 51\equiv 169\mod 51=16$
$5^16\equiv (5^8)^2\equiv(16)^2 \mod 51\equiv 256\mod 51=1$ $5^16\equiv (5^8)^2\equiv(16)^2 \mod 51\equiv 256\mod 51=1$
$$ $$
\begin{aligned} \begin{aligned}
5^{662}\mod 51&=107^{662\mod 32}\mod 51\\ 5^{662}\mod 51&=107^{662\mod 32}\mod 51\\
&=5^{22}\mod 51\\ &=5^{22}\mod 51\\
&=5^{16}\cdot 5^4\cdot 5^2\mod 51\\ &=5^{16}\cdot 5^4\cdot 5^2\mod 51\\
&=19 &=19
\end{aligned} \end{aligned}
$$ $$
For $a\in \mathbb{Z}_N^*$, the order of $a$, $o(a)$ is the smallest positive $k$ such that $a^k\equiv 1\mod N$. $o(a)\leq \phi(N),o(a)|\phi (N)$ For $a\in \mathbb{Z}_N^*$, the order of $a$, $o(a)$ is the smallest positive $k$ such that $a^k\equiv 1\mod N$. $o(a)\leq \phi(N),o(a)|\phi (N)$
In a general finite group In a general finite group
$g^{|G|}=e$ (identity) $g^{|G|}=e$ (identity)
$o(g)\vert |G|$ $o(g)\vert |G|$
If a group $G=\{a,a^2,a^3,...,e\}$ $G$ is cyclic If a group $G=\{a,a^2,a^3,...,e\}$ $G$ is cyclic
In a cyclic group, if $o(a)=|G|$, then a is a generator of $G$. In a cyclic group, if $o(a)=|G|$, then a is a generator of $G$.
Fact: $\mathbb{Z}^*_p$ is cyclic Fact: $\mathbb{Z}^*_p$ is cyclic
$|\mathbb{Z}^*_p|=p-1$, so $\exists$ generator $g$, and $\mathbb{Z}$, $\phi(\mathbb{Z}_{13}^*)=12$ $|\mathbb{Z}^*_p|=p-1$, so $\exists$ generator $g$, and $\mathbb{Z}$, $\phi(\mathbb{Z}_{13}^*)=12$
For example, $2$ is a generator for $\mathbb{Z}_{13}^*$ with $2,4,8,3,6,12,11,9,5,10,7,1$. For example, $2$ is a generator for $\mathbb{Z}_{13}^*$ with $2,4,8,3,6,12,11,9,5,10,7,1$.
If $g$ is a generator, $f:\mathbb{Z}_p^*\to \mathbb{Z}_p^*$, $f(x)=g^x \mod p$ is onto. If $g$ is a generator, $f:\mathbb{Z}_p^*\to \mathbb{Z}_p^*$, $f(x)=g^x \mod p$ is onto.
What type of prime $p$? What type of prime $p$?
- Large prime. - Large prime.
- If $p-1$ is very factorable, that is very bad. - If $p-1$ is very factorable, that is very bad.
- Pohlig-Hellman algorithm - Pohlig-Hellman algorithm
- $p=2^n+1$ only need polynomial time to invert - $p=2^n+1$ only need polynomial time to invert
- We want $p=2q+1$, where $q$ is prime. (Sophie Germain primes, or safe primes) - We want $p=2q+1$, where $q$ is prime. (Sophie Germain primes, or safe primes)
There are _probably_ infinitely many safe prime and efficient to sample as well. There are _probably_ infinitely many safe prime and efficient to sample as well.
If $p$ is safe, $g$ generator. If $p$ is safe, $g$ generator.
$$ $$
\mathbb{Z}_p^*=\{g,g^2,..,e\} \mathbb{Z}_p^*=\{g,g^2,..,e\}
$$ $$
Then $\{g^2,...g^{2q}\}S_{g,p}\subseteq \mathbb{Z}_p^*$ is a subgroup; $g^{2k}\cdot g^{2l}=g^{2(k+l)}\in S_{g,p}$ Then $\{g^2,...g^{2q}\}S_{g,p}\subseteq \mathbb{Z}_p^*$ is a subgroup; $g^{2k}\cdot g^{2l}=g^{2(k+l)}\in S_{g,p}$
It is cyclic with generator $g^2$. It is cyclic with generator $g^2$.
It is easy to find a generator. It is easy to find a generator.
- Pick $a\in \mathbb{Z}_p^*$ - Pick $a\in \mathbb{Z}_p^*$
- Let $x=a^2$. If $x\neq 1$, it is a generator of subgroup $S_p$ - Let $x=a^2$. If $x\neq 1$, it is a generator of subgroup $S_p$
- $S_p=\{x,x^2,...,x^q\}\mod p$ - $S_p=\{x,x^2,...,x^q\}\mod p$
Example: $p=2\cdot 11+1=23$ Example: $p=2\cdot 11+1=23$
we have a subgroup with generator $4$ and $S_4=\{4,16,18,3,12,2,8,9,13,6,1\}$ we have a subgroup with generator $4$ and $S_4=\{4,16,18,3,12,2,8,9,13,6,1\}$
```python ```python
def get_generator(p): def get_generator(p):
""" """
p should be a prime, or you need to do factorization p should be a prime, or you need to do factorization
""" """
g=[] g=[]
for i in range(2,p-1): for i in range(2,p-1):
k=i k=i
sg=[] sg=[]
step=p step=p
while k!=1 and step>0: while k!=1 and step>0:
if k==0: if k==0:
raise ValueError(f"Damn, {i} generates 0 for group {p}") raise ValueError(f"Damn, {i} generates 0 for group {p}")
sg.append(k) sg.append(k)
k=(k*i)%p k=(k*i)%p
step-=1 step-=1
sg.append(1) sg.append(1)
# if len(sg)!=(p-1): continue # if len(sg)!=(p-1): continue
g.append((i,[j for j in sg])) g.append((i,[j for j in sg]))
return g return g
``` ```
### (Computational) Diffie-Hellman assumption ### (Computational) Diffie-Hellman assumption
If $p$ is a randomly sampled safe prime. If $p$ is a randomly sampled safe prime.
Denote safe prime as $\tilde{\Pi}_n=\{p\in \Pi_n:q=\frac{p-1}{2}\in \Pi_{n-1}\}$ Denote safe prime as $\tilde{\Pi}_n=\{p\in \Pi_n:q=\frac{p-1}{2}\in \Pi_{n-1}\}$
Then Then
$$ $$
P\left[p\gets \tilde{\Pi_n};a\gets\mathbb{Z}_p^*;g=a^2\neq 1;x\gets \mathbb{Z}_q;y=g^x\mod p:\mathcal{A}(y)=x\right]\leq \epsilon(n) P\left[p\gets \tilde{\Pi_n};a\gets\mathbb{Z}_p^*;g=a^2\neq 1;x\gets \mathbb{Z}_q;y=g^x\mod p:\mathcal{A}(y)=x\right]\leq \epsilon(n)
$$ $$
$p\gets \tilde{\Pi_n};a\gets\mathbb{Z}_p^*;g=a^2\neq 1$ is the function condition when we do the encryption on cyclic groups. $p\gets \tilde{\Pi_n};a\gets\mathbb{Z}_p^*;g=a^2\neq 1$ is the function condition when we do the encryption on cyclic groups.
Notes: $f:\Z_q\to \mathbb{Z}_p^*$ is one-to-one, so $f(\mathcal{A}(y))\iff \mathcal{A}(y)=x$ Notes: $f:\Z_q\to \mathbb{Z}_p^*$ is one-to-one, so $f(\mathcal{A}(y))\iff \mathcal{A}(y)=x$

430
pages/CSE442T/Exam_reviews/CSE442T_E1.md → content/CSE442T/Exam_reviews/CSE442T_E1.md
View File

@@ -1,215 +1,215 @@
# System check for exam list # System check for exam list
**The exam will take place in class on Monday, October 21.** **The exam will take place in class on Monday, October 21.**
The topics will cover Chapters 1 and 2, as well as the related probability discussions we've had (caveats below).  Assignments 1 through 3 span this material. The topics will cover Chapters 1 and 2, as well as the related probability discussions we've had (caveats below).  Assignments 1 through 3 span this material.
## Specifics on material: ## Specifics on material:
NOT "match-making game" in 1.2 (seems fun though) NOT "match-making game" in 1.2 (seems fun though)
NOT the proof of Theorem 31.3 (but definitely the result!) NOT the proof of Theorem 31.3 (but definitely the result!)
NOT 2.4.3 (again, definitely want to know this result, and we have discussed the idea behind it) NOT 2.4.3 (again, definitely want to know this result, and we have discussed the idea behind it)
NOT 2.6.5, 2.6.6 NOT 2.6.5, 2.6.6
NOT 2.12, 2.13 NOT 2.12, 2.13
The probability knowledge/techniques I've expanded on include conditional probability, independence, law of total probability, Bayes' Theorem, union bound, 1-p bound (or "useful bound"), collision The probability knowledge/techniques I've expanded on include conditional probability, independence, law of total probability, Bayes' Theorem, union bound, 1-p bound (or "useful bound"), collision
I expect you to demonstrate understanding of the key definitions, theorems, and proof techniques.  The assignments are designed to reinforce all of these.  However, exam questions will be written with the understanding of the time limitations. I expect you to demonstrate understanding of the key definitions, theorems, and proof techniques.  The assignments are designed to reinforce all of these.  However, exam questions will be written with the understanding of the time limitations.
The exam is "closed-book," with no notes of any kind allowed.  The advantage of this is that some questions might be very basic.  However, I will expect that you will have not just memorized definitions and theorems, but you can also explain their meaning and apply them. The exam is "closed-book," with no notes of any kind allowed.  The advantage of this is that some questions might be very basic.  However, I will expect that you will have not just memorized definitions and theorems, but you can also explain their meaning and apply them.
## Chapter 1 ## Chapter 1
### Prove security ### Prove security
#### Definition 11.1 Shannon secrecy #### Definition 11.1 Shannon secrecy
$(\mathcal{M},\mathcal{K}, Gen, Enc, Dec)$ (A crypto-system) is said to be private-key encryption scheme that is *Shannon-secrete with respect to distribution $D$ over the message space $\mathcal{M}$* if for all $m'\in \mathcal{M}$ and for all $c$, $(\mathcal{M},\mathcal{K}, Gen, Enc, Dec)$ (A crypto-system) is said to be private-key encryption scheme that is *Shannon-secrete with respect to distribution $D$ over the message space $\mathcal{M}$* if for all $m'\in \mathcal{M}$ and for all $c$,
$$ $$
P[k\gets Gen;m\gets D:m=m'|Enc_k(m)=c]=P[m\gets D:m=m'] P[k\gets Gen;m\gets D:m=m'|Enc_k(m)=c]=P[m\gets D:m=m']
$$ $$
(The adversary cannot learn all, part of, any letter of, any function off, or any partial information about the plaintext) (The adversary cannot learn all, part of, any letter of, any function off, or any partial information about the plaintext)
#### Definition 11.2 Perfect Secrecy #### Definition 11.2 Perfect Secrecy
$(\mathcal{M},\mathcal{K}, Gen, ENc, Dec)$ (A crypto-system) is said to be private-key encryption scheme that is *perfectly secret* if forall $m_1,m_2\in \mathcal{M},\forall c$: $(\mathcal{M},\mathcal{K}, Gen, ENc, Dec)$ (A crypto-system) is said to be private-key encryption scheme that is *perfectly secret* if forall $m_1,m_2\in \mathcal{M},\forall c$:
$$ $$
P[k\gets Gen:Enc_k(m_1)=c]=P[k\gets Gen:Enc_k(m_2)=c] P[k\gets Gen:Enc_k(m_1)=c]=P[k\gets Gen:Enc_k(m_2)=c]
$$ $$
(For all coding scheme in the crypto system, for any two different message, they are equally likely to be mapped to $c$) (For all coding scheme in the crypto system, for any two different message, they are equally likely to be mapped to $c$)
#### Definition 12.3 #### Definition 12.3
A private-key encryption scheme is perfectly secret if and only if it is Shannon secret. A private-key encryption scheme is perfectly secret if and only if it is Shannon secret.
## Chapter 2 ## Chapter 2
### Efficient Private-key Encryption ### Efficient Private-key Encryption
#### Definition 24.7 #### Definition 24.7
A triplet of algorithms $(Gen,Enc,Dec)$ is called an efficient private-key encryption scheme if the following holds. A triplet of algorithms $(Gen,Enc,Dec)$ is called an efficient private-key encryption scheme if the following holds.
1. $k\gets Gen(1^n)$ is a p.p.t. such that for every $n\in \mathbb{N}$, it samples a key $k$. 1. $k\gets Gen(1^n)$ is a p.p.t. such that for every $n\in \mathbb{N}$, it samples a key $k$.
2. $c\gets Enc_k(m)$ is a p.p.t. that given $k$ and $m\in \{0,1\}^n$ produces a ciphertext $c$. 2. $c\gets Enc_k(m)$ is a p.p.t. that given $k$ and $m\in \{0,1\}^n$ produces a ciphertext $c$.
3. $m\gets Dec_c(c)$ is a p.p.t. that given a ciphertext $c$ and key $k$ produces a message $m\in \{0,1\}^n\cup \perp$. 3. $m\gets Dec_c(c)$ is a p.p.t. that given a ciphertext $c$ and key $k$ produces a message $m\in \{0,1\}^n\cup \perp$.
4. For all $n\in \mathbb{N},m\in \{0,1\}^n$ 4. For all $n\in \mathbb{N},m\in \{0,1\}^n$
$$ $$
Pr[k\gets Gen(1^n);Dec_k(Enc_k(m))=m]=1 Pr[k\gets Gen(1^n);Dec_k(Enc_k(m))=m]=1
$$ $$
### One-Way functions ### One-Way functions
#### Definition 26.1 #### Definition 26.1
A function $f:\{0,1\}^*\to\{0,1\}^*$ is worst-case one-way if the function is: A function $f:\{0,1\}^*\to\{0,1\}^*$ is worst-case one-way if the function is:
1. Easy to compute. There is a p.p.t $C$ that computes $f(x)$ on all inputs $x\in \{0,1\}^*$, and 1. Easy to compute. There is a p.p.t $C$ that computes $f(x)$ on all inputs $x\in \{0,1\}^*$, and
2. Hard to invert. There is no adversary $\mathcal{A}$ such that 2. Hard to invert. There is no adversary $\mathcal{A}$ such that
$$ $$
\forall x,P[\mathcal{A}(f(x))\in f^{-1}(f(x))]=1 \forall x,P[\mathcal{A}(f(x))\in f^{-1}(f(x))]=1
$$ $$
#### Definition 27.2 Negligible function #### Definition 27.2 Negligible function
A function $\epsilon(n)$ is negligible if for every $c$. there exists some $n_0$ such that for all $n>n_0$, $\epsilon (n)\leq \frac{1}{n^c}$. A function $\epsilon(n)$ is negligible if for every $c$. there exists some $n_0$ such that for all $n>n_0$, $\epsilon (n)\leq \frac{1}{n^c}$.
#### Definition 27.3 Strong One-Way Function #### Definition 27.3 Strong One-Way Function
A function mapping strings to strings $f:\{0,1\}^*\to \{0,1\}^*$ is a strong one-way function if it satisfies the following two conditions: A function mapping strings to strings $f:\{0,1\}^*\to \{0,1\}^*$ is a strong one-way function if it satisfies the following two conditions:
1. Easy to compute. There is a p.p.t $C$ that computes $f(x)$ on all inputs $x\in \{0,1\}^*$, and 1. Easy to compute. There is a p.p.t $C$ that computes $f(x)$ on all inputs $x\in \{0,1\}^*$, and
2. Hard to invert. There is no adversary $\mathcal{A}$ such that 2. Hard to invert. There is no adversary $\mathcal{A}$ such that
$$ $$
P[x\gets\{0,1\}^n;y\gets f(x):f(\mathcal{A}(1^n,y))=y]\leq \epsilon(n) P[x\gets\{0,1\}^n;y\gets f(x):f(\mathcal{A}(1^n,y))=y]\leq \epsilon(n)
$$ $$
#### Definition 28.4 (Weak One-Way Function) #### Definition 28.4 (Weak One-Way Function)
A function mapping strings to strings $f:\{0,1\}^*\to \{0,1\}^*$ is a strong one-way function if it satisfies the following two conditions: A function mapping strings to strings $f:\{0,1\}^*\to \{0,1\}^*$ is a strong one-way function if it satisfies the following two conditions:
1. Easy to compute. There is a p.p.t $C$ that computes $f(x)$ on all inputs $x\in \{0,1\}^*$, and 1. Easy to compute. There is a p.p.t $C$ that computes $f(x)$ on all inputs $x\in \{0,1\}^*$, and
2. Hard to invert. There is no adversary $\mathcal{A}$ such that 2. Hard to invert. There is no adversary $\mathcal{A}$ such that
$$ $$
P[x\gets\{0,1\}^n;y\gets f(x):f(\mathcal{A}(1^n,y))=y]\leq 1-\frac{1}{q(n)} P[x\gets\{0,1\}^n;y\gets f(x):f(\mathcal{A}(1^n,y))=y]\leq 1-\frac{1}{q(n)}
$$ $$
#### Notation for prime numbers #### Notation for prime numbers
Denote the (finite) set of primes that are smaller than $2^n$ as Denote the (finite) set of primes that are smaller than $2^n$ as
$$ $$
\Pi_n=\{q|q<2^n\textup{ and } q \textup{ is prime}\} \Pi_n=\{q|q<2^n\textup{ and } q \textup{ is prime}\}
$$ $$
#### Assumption 30.1 (Factoring) #### Assumption 30.1 (Factoring)
For every adversary $\mathcal{A}$, there exists a negligible function $\epsilon$ such that For every adversary $\mathcal{A}$, there exists a negligible function $\epsilon$ such that
$$ $$
P[p\gets \Pi_n;q\gets \Pi_n;N\gets pq:\mathcal{A}(N)\in \{p,q\}]<\epsilon(n) P[p\gets \Pi_n;q\gets \Pi_n;N\gets pq:\mathcal{A}(N)\in \{p,q\}]<\epsilon(n)
$$ $$
(For every product of random 2 primes, the probability for any adversary to find the prime factors is negligible.) (For every product of random 2 primes, the probability for any adversary to find the prime factors is negligible.)
(There is no polynomial function that can decompose the product of two $n$ bit prime, the best function is $2^{O(n^{\frac{1}{3}}\log^{\frac{2}{3}}n)}$) (There is no polynomial function that can decompose the product of two $n$ bit prime, the best function is $2^{O(n^{\frac{1}{3}}\log^{\frac{2}{3}}n)}$)
#### Theorem 35.1 #### Theorem 35.1
For any weak one-way function $f:\{0,1\}^n\to \{0,1\}^*$, there exists a polynomial $m(\cdot)$ such that function For any weak one-way function $f:\{0,1\}^n\to \{0,1\}^*$, there exists a polynomial $m(\cdot)$ such that function
$$ $$
f'(x_1,x_2,\dots, x_{m(n)})=(f(x_1),f(x_2),\dots, f(x_{m(n)})). f'(x_1,x_2,\dots, x_{m(n)})=(f(x_1),f(x_2),\dots, f(x_{m(n)})).
$$ $$
from $f'=(\{0,1\}^n)^{m(n)}\to(\{0,1\}^*)^{m(n)}$ is strong one-way. from $f'=(\{0,1\}^n)^{m(n)}\to(\{0,1\}^*)^{m(n)}$ is strong one-way.
### RSA ### RSA
#### Definition 46.7 #### Definition 46.7
A group $G$ is a set of elements with a binary operator $\oplus:G\times G\to G$ that satisfies the following properties A group $G$ is a set of elements with a binary operator $\oplus:G\times G\to G$ that satisfies the following properties
1. Closure: $\forall a,b\in G, a\oplus b\in G$ 1. Closure: $\forall a,b\in G, a\oplus b\in G$
2. Identity: $\exists i\in G$ such that $\forall a\in G, i\oplus a=a\oplus i=a$ 2. Identity: $\exists i\in G$ such that $\forall a\in G, i\oplus a=a\oplus i=a$
3. Associativity: $\forall a,b,c\in G,(a\oplus b)\oplus c=a\oplus(b\oplus c)$. 3. Associativity: $\forall a,b,c\in G,(a\oplus b)\oplus c=a\oplus(b\oplus c)$.
4. Inverse: $\forall a\in G$, there is an element $b\in G$ such that $a\oplus b=b\oplus a=i$ 4. Inverse: $\forall a\in G$, there is an element $b\in G$ such that $a\oplus b=b\oplus a=i$
#### Definition Euler totient function $\Phi(N)$. #### Definition Euler totient function $\Phi(N)$.
$$ $$
\Phi(p)=p-1 \Phi(p)=p-1
$$ $$
if $p$ is prime if $p$ is prime
$$ $$
\Phi(N)=(p-1)(q-1) \Phi(N)=(p-1)(q-1)
$$ $$
if $N=pq$ and $p,q$ are primes if $N=pq$ and $p,q$ are primes
#### Theorem 47.10 #### Theorem 47.10
$\forall a\in \mathbb{Z}_N^*,a^{\Phi(N)}=1\mod N$ $\forall a\in \mathbb{Z}_N^*,a^{\Phi(N)}=1\mod N$
#### Corollary 48.11 #### Corollary 48.11
$\forall a\in \mathbb{Z}_p^*,a^{p-1}\equiv 1\mod p$. $\forall a\in \mathbb{Z}_p^*,a^{p-1}\equiv 1\mod p$.
#### Corollary 48.12 #### Corollary 48.12
$a^x\mod N=a^{x\mod \Phi(N)}\mod N$ $a^x\mod N=a^{x\mod \Phi(N)}\mod N$
## Some other important results ## Some other important results
### Exponent ### Exponent
$$ $$
(1-\frac{1}{n})^n\approx e (1-\frac{1}{n})^n\approx e
$$ $$
when $n$ is large. when $n$ is large.
### Primes ### Primes
Let $\pi(x)$ be the lower-bounds for prime less than or equal to $x$. Let $\pi(x)$ be the lower-bounds for prime less than or equal to $x$.
#### Theorem 31.3 Chebyshev #### Theorem 31.3 Chebyshev
For $x>1$,$\pi(x)>\frac{x}{2\log x}$ For $x>1$,$\pi(x)>\frac{x}{2\log x}$
#### Corollary 31.3 #### Corollary 31.3
For $2^n>1$, $p(n)>\frac{1}{n}$ For $2^n>1$, $p(n)>\frac{1}{n}$
(The probability that a uniformly sampled n-bit integer is prime is greater than $\frac{1}{n}$) (The probability that a uniformly sampled n-bit integer is prime is greater than $\frac{1}{n}$)
### Modular Arithmetic ### Modular Arithmetic
#### Extended Euclid Algorithm #### Extended Euclid Algorithm
```python ```python
def eea(a,b)->tuple(int): def eea(a,b)->tuple(int):
# assume a>b # assume a>b
# return x,y such that ax+by=gcd(a,b)=d. # return x,y such that ax+by=gcd(a,b)=d.
# so y is the modular inverse of b mod a # so y is the modular inverse of b mod a
# so x is the modular inverse of a mod b # so x is the modular inverse of a mod b
# so gcd(a,b)=ax+by # so gcd(a,b)=ax+by
if a%b==0: if a%b==0:
return (0,1) return (0,1)
x,y=eea(b,a%b) x,y=eea(b,a%b)
return (y,x-y(a//b)) return (y,x-y(a//b))
``` ```

0
pages/CSE442T/Exam_reviews/CSE442T_E2.md → content/CSE442T/Exam_reviews/CSE442T_E2.md
View File

0
pages/CSE442T/Exam_reviews/_meta.js → content/CSE442T/Exam_reviews/_meta.js
View File

2
pages/CSE442T/_meta.js → content/CSE442T/_meta.js
View File

@@ -1,5 +1,5 @@
export default { export default {
index: "Course Description", //index: "Course Description",
"---":{ "---":{
type: 'separator' type: 'separator'
}, },

0
pages/CSE442T/index.md → content/CSE442T/index.md
View File

0
pages/CSE559A/CSE559A_L1.md → content/CSE559A/CSE559A_L1.md
View File

0
pages/CSE559A/CSE559A_L10.md → content/CSE559A/CSE559A_L10.md
View File

0
pages/CSE559A/CSE559A_L11.md → content/CSE559A/CSE559A_L11.md
View File

0
pages/CSE559A/CSE559A_L12.md → content/CSE559A/CSE559A_L12.md
View File

0
pages/CSE559A/CSE559A_L13.md → content/CSE559A/CSE559A_L13.md
View File

0
pages/CSE559A/CSE559A_L14.md → content/CSE559A/CSE559A_L14.md
View File

0
pages/CSE559A/CSE559A_L15.md → content/CSE559A/CSE559A_L15.md
View File

0
pages/CSE559A/CSE559A_L16.md → content/CSE559A/CSE559A_L16.md
View File

0
pages/CSE559A/CSE559A_L17.md → content/CSE559A/CSE559A_L17.md
View File

0
pages/CSE559A/CSE559A_L18.md → content/CSE559A/CSE559A_L18.md
View File

0
pages/CSE559A/CSE559A_L19.md → content/CSE559A/CSE559A_L19.md
View File

0
pages/CSE559A/CSE559A_L2.md → content/CSE559A/CSE559A_L2.md
View File

0
pages/CSE559A/CSE559A_L20.md → content/CSE559A/CSE559A_L20.md
View File

0
pages/CSE559A/CSE559A_L21.md → content/CSE559A/CSE559A_L21.md
View File

0
pages/CSE559A/CSE559A_L22.md → content/CSE559A/CSE559A_L22.md
View File

0
pages/CSE559A/CSE559A_L23.md → content/CSE559A/CSE559A_L23.md
View File

0
pages/CSE559A/CSE559A_L24.md → content/CSE559A/CSE559A_L24.md
View File

0
pages/CSE559A/CSE559A_L25.md → content/CSE559A/CSE559A_L25.md
View File

0
pages/CSE559A/CSE559A_L26.md → content/CSE559A/CSE559A_L26.md
View File

0
pages/CSE559A/CSE559A_L3.md → content/CSE559A/CSE559A_L3.md
View File

0
pages/CSE559A/CSE559A_L4.md → content/CSE559A/CSE559A_L4.md
View File

0
pages/CSE559A/CSE559A_L5.md → content/CSE559A/CSE559A_L5.md
View File

0
pages/CSE559A/CSE559A_L6.md → content/CSE559A/CSE559A_L6.md
View File

0
pages/CSE559A/CSE559A_L7.md → content/CSE559A/CSE559A_L7.md
View File

0
pages/CSE559A/CSE559A_L8.md → content/CSE559A/CSE559A_L8.md
View File

0
pages/CSE559A/CSE559A_L9.md → content/CSE559A/CSE559A_L9.md
View File

2
pages/CSE559A/_meta.js → content/CSE559A/_meta.js
View File

@@ -1,5 +1,5 @@
export default { export default {
index: "Course Description", //index: "Course Description",
"---":{ "---":{
type: 'separator' type: 'separator'
}, },

0
pages/CSE559A/index.md → content/CSE559A/index.md
View File

0
pages/Math3200/Lecture_1.mdx → content/Math3200/Lecture_1.mdx
View File

0
pages/Math3200/Lecture_10.mdx → content/Math3200/Lecture_10.mdx
View File

0
pages/Math3200/Lecture_11.mdx → content/Math3200/Lecture_11.mdx
View File

0
pages/Math3200/Lecture_12.mdx → content/Math3200/Lecture_12.mdx
View File

0
pages/Math3200/Lecture_13.mdx → content/Math3200/Lecture_13.mdx
View File

0
pages/Math3200/Lecture_14.mdx → content/Math3200/Lecture_14.mdx
View File

Some files were not shown because too many files have changed in this diff Show More