ALGORITHMS FOR SOLVING LINEAR AND POLYNOMIAL ...

More documents

Recommendations

Info

theorem that random functions and random permutations cannot be distinguished inpolynomial time [GGM86]. This is a perfect simulation in either case, and thereforeAlgorithm A will be correct with probability δ and therefore Algorithm B will becorrect with probability δ. Thus h and a random permutation are computationalydistinguishable.We have now proven that h ′being computationaly distinguishable from arandom function implies that h is computationaly distinguishable from a randompermutation. The inverse proceeds along very similar lines. []Lemma 3 If h : GF(2) n→ GF(2) n is a random permutation, then the limit asn → ∞ of the probability that h has p fixed points is 1/(p!e)Proof: If h ′ (x) = h(x) ⊕ x, and if h(y) = y then h ′ (y) = 0. Thus the set offixed points of h is merely the preimage of 0 under h ′ . By Lemma 2, h ′ behaves asa random function. Thus the value of h ′ (y) for any particular y is an independentlyand identically distributed uniform random variable. The “Bernoulli trials” modeltherefore applies. If |h ′−1 (0)| is the size of the preimage of 0 under h ′ thenlim Pr { |h ′−1 (0)| = p }n→∞( ) 2n (2=) −n p ( ) 1 − 2−n 2 n −pp( ) 2n (2=) −n p ( ) 1 − 2−n 2 n ( 1 − 2 −n) −pp≈ (2n )(2 n − 1)(2 n − 2)(2 n − 3) · · · (2 n − p + 1)(2 −n ) p (e −1 )(1)p!≈(1)(1 − 1 · 2−n )(1 − 2 · 2 −n )(1 − 3 · 2 −n ) · · · (1 − (p − 1) · 2 −n )e −1p!≈1/p!e28
Thus h has p fixed points with probability 1/(p!e). []Corollary 1 If h : GF(2) n → GF(2) n is a random permutation, then h has two ormore fixed points with probability 1 − 2/e ≈ 0.26424.Assuming h has 2 or more fixed points, it has exactly 2 with probability1/2e1−2/e≈ 0.69611 and 3 or more 1 −1/2e1−2/e≈ 0.30389. Therefore it is useful tocalculate the expected number of fixed points given that we assume there are 2 ormore. This calculation is given by( ) i=∞1 ∑ i1 − 2/e e(i!) ≈ 2.3922i=22.4.9 Cycle Lengths in a Random PermutationIt is well-known that in a random permutation, the expected number of cyclesof length m is 1/m, which is proven in the lemma at the end of this subsection.Thus the expected numbers of cycles of length 1, 2, 4, and 8 in f k are 1, 1/2, 1/4,1/8. All of these are fixed points of f (8)k, providing 1, 2, 4, and 8 fixed points each,or a total of 1, 1, 1, and 1 expected fixed points, or 4 expected fixed points total.Thus n 8 = 4, in the general case.In the special case of f k having at least 2 fixed points, we claim the numbershould be largely unchanged. Remove the 2.39 expected fixed points from the domainof f k . This new function has a domain and range of size 2 n − 2 and is still a29
Page 1 and 2: ABSTRACTTitle of dissertation:ALGOR
Page 3 and 4: ALGORITHMS FOR SOLVING LINEAR AND P
Page 5 and 6: PrefacePigmaei gigantum humeris imp
Page 7 and 8: ForewordThe ignoraunte multitude do
Page 9 and 10: AcknowledgmentsI am deeply indebted
Page 11 and 12: NSF grant for the Sage project [sag
Page 13 and 14: for many years and taught me matric
Page 15 and 16: 3 Converting MQ to CNF-SAT 353.1 Su
Page 17 and 18: 6.4.4 The Conservative Algorithm .
Page 19 and 20: B.1 Algorithms and Performance, for
Page 21 and 22: List of Algorithms1 Method of Four
Page 23 and 24: Chapter 1SummaryGenerally speaking,
Page 25 and 26: adopted the author’s software lib
Page 27 and 28: Part IPolynomial Systems5
Page 29 and 30: 2.1 Special Acknowledgment of Joint
Page 31 and 32: Figure 2.1: The Keeloq Circuit Diag
Page 33 and 34: around regions of ones of size 32,
Page 35 and 36: the bit generated in the 528th and
Page 37 and 38: β = aeSince the non-linear functio
Page 39 and 40: were an obvious failure, and so we
Page 41 and 42: 2.4.3 The Consequences of Fixed Poi
Page 43 and 44: points. If it is the case that f k
Page 45 and 46: 2.4.6 Fraction of Plainspace Requir
Page 47 and 48: Then we can apply the probability d
Page 49: e the case for all block ciphers. T
Page 53 and 54: expected points. Since we require f
Page 55 and 56: too long, we may elect to “guess
Page 57 and 58: Chapter 3Converting MQ to CNF-SAT3.
Page 59 and 60: Another NP-hard problem is finding
Page 61 and 62: 3.3 Notation and DefinitionsAn inst
Page 63 and 64: Step One: From a Polynomial System
Page 65 and 66: x 1 + x 2 + x 3 + y 1 = 0y 1 + x 6
Page 67 and 68: Table 3.1 CNF Expression Difficulty
Page 69 and 70: that a satisfying solution is found
Page 71 and 72: andomness is seeded from a hash of
Page 73 and 74: Figure 3.1: The Distribution of Run
Page 75 and 76: takes only a few seconds. Furthermo
Page 77 and 78: 3.5.4 Comparison with MAGMA, Singul
Page 79 and 80: systems of equations over finite fi
Page 81 and 82: Table 3.4 CNF Expression Difficulty
Page 83 and 84: polynomial equation. The number of
Page 85 and 86: of variables, and the operators fro
Page 87 and 88: variables). However, the original v
Page 89 and 90: of variables that it contains.When
Page 91 and 92: If the contradiction stack becomes
Page 93 and 94: enough to produce a contradiction.I
Page 95 and 96: those two simple examples).Over the
Page 97 and 98: Chapter 5The Method of Four Russian
Page 99 and 100: matrix without calculating the othe
Page 101 and 102:
exactly one bit in one position fro
Page 103 and 104:
5.3.1 Role of the Gray CodeThe Gray
Page 105 and 106:
Then substitute k = γ log n and ob
Page 107 and 108:
and putting matrix A in unit upper
Page 109 and 110:
(see Section 5.5 on page 92) that s
Page 111 and 112:
= (1 − 2 −n )(1 − 2 −n+1 )
Page 113 and 114:
Table 5.3 Probabilities of a Fair-C
Page 115 and 116:
time was trivially perturbed if the
Page 117 and 118:
Table 5.6 Percentage Error for Offs
Page 119 and 120:
so there may be no work to perform
Page 121 and 122:
calculation proceeds exactly as in
Page 123 and 124:
ank is 1 − l −2c . Since there
Page 125 and 126:
ond, 10, 000 × 10, 000, where M4RI
Page 127 and 128:
algorithm (the 18 matrix additions,
Page 129 and 130:
⎡⎤⎡⎤A =⎢⎣1 0 0 01 0 1 0
Page 131 and 132:
and P can be kept invertible. The d
Page 133 and 134:
Table 5.9 Trials between M4RI and G
Page 135 and 136:
Chapter 6An Impractical Method of A
Page 137 and 138:
6.2 The Algorithm over a Finite Rin
Page 139 and 140:
c(n/b) ω multiplies in the ring M
Page 141 and 142:
which is to be compared with∼ 4cn
Page 143 and 144:
yielding a time requirement of[ (ω
Page 145 and 146:
kind. (The all zero matrix has been
Page 147 and 148:
(∼ (1 + log 2 n)n 2 1 + o(1) )log
Page 149 and 150:
Table 6.2 Memory Required (in bits)
Page 151 and 152:
While the cases of matrix rings, fi
Page 153 and 154:
Appendix ASome Basic Facts about Li
Page 155 and 156:
not orthogonal. Thus the algorithm
Page 157 and 158:
Appendix BA Model for the Complexit
Page 159 and 160:
B.1.3Success and FailureThe model d
Page 161 and 162:
example, in a matrix multiplication
Page 163 and 164:
listed in Algorithm 10 on page 142,
Page 165 and 166:
allowing one to calculate, for a la
Page 167 and 168:
Appendix COn the Exponent of Certai
Page 169 and 170:
C.2.1Figure C.1: The Relationship o
Page 171 and 172:
If the original matrix is unit lowe
Page 173 and 174:
we can write[ ] [ ] [ ] [ ]Im/2 0 I
Page 175 and 176:
Proof: If A = LUP then det(A) = det
Page 177 and 178:
[BH74]J. Bunch and J. Hopcroft. Tri
Page 179 and 180:
[FMM03]C. Fiorini, E. Martinelli, a
Page 181:
[Rys57][sag][San79][Sch81]H. J. Rys
show all

ALGORITHMS FOR SOLVING LINEAR AND POLYNOMIAL ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?