I am currently implementing NTRU keeping its homomorphic properties. I want to implement rerandomization like this:
Encryption: e = pr * h + m (mod q)
Rerandomization: e = e + pr (mod q) (Using a new random r)
Decryption is as described in the original NTRU paper
The first few rerandomizations work just fine but after some iterations I am not able to decrypt it anymore. What am I missing in my formula?
My problem might be a bit theoretical for this forum, do you know any other forum to ask my question?
I would like to know what h from the numerical differentiation formulas is and how I can calculate it when I have a function.
I am speaking about these formulas:
f'(x0) = (f(x0 + h) - f(x0)) / h
f'(x0) = (f(x0) - f(x0 - h)) / h
f'(x0) = (f(x0 + h) - f(x0 - h)) / 2*h
I would really appreciate any kind of help!
In such formulae h is usually a "very small number", similar to epsilon in Calculus.
For example, the derivative of f at a is defined as:
Note how h is defined as approaching 0.
When programming, e.g. doing numerical gradient computation, it usually works to set h to something very small - many programming environments have an "epsilon" quantity; lacking that, you can just use a very small floating-point number.
Using the usual 8 byte floats, sensible values for h are 1e-8 for the first and second formula and 1e-5 for the third central difference quotient. This is valid for medium values of x, for larger x one would have to include the scale of x in some way.
In general, for a kth order difference quotient with error order p, the balance between floating point noise and numerical error is reached for h about pow(2e-16, 1.0/(p+k)).
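The trade-off described in the answers above can be measured directly. The following is an added example, not code from the original posts; the function names and the choice of sin at x = 1 as the test function are assumptions made for illustration.

```python
import math

def forward_diff(f, x, h):
    """First formula on the page: error order p = 1."""
    return (f(x + h) - f(x)) / h

def central_diff(f, x, h):
    """Third formula on the page (central difference): error order p = 2."""
    return (f(x + h) - f(x - h)) / (2 * h)

def balanced_h(p, k=1, mu=2e-16):
    """Step size from the rule quoted above: pow(2e-16, 1.0/(p+k))."""
    return mu ** (1.0 / (p + k))

def abs_error(method, h, f=math.sin, df=math.cos, x=1.0):
    """Absolute error of a difference quotient against the exact derivative."""
    return abs(method(f, x, h) - df(x))

def sweep(method, p):
    """Errors for a too-large step, the balanced step, and a too-small step."""
    return {h: abs_error(method, h) for h in (1e-2, balanced_h(p), 1e-15)}

if __name__ == "__main__":
    for name, method, p in (("forward", forward_diff, 1),
                            ("central", central_diff, 2)):
        for h, err in sweep(method, p).items():
            print(f"{name:8s} h={h:.2e}  error={err:.2e}")
```

With h too large the truncation error of the formula dominates; with h too small the subtraction f(x + h) - f(x) loses almost all significant digits.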
So I have an assignment question where I have to prove:
n^4 is in O(2^n)
Just by looking at the graphs of the functions I know that with c=1 and n[0] = 16 this is true.
While trying to prove it on paper I managed to reduce the inequality down to n <= 2^(n/4), however, I cannot figure out how to simplify this further or adequately prove from here that with n[0]=16 the big-O assertion holds.
Any help?
The title is incorrect, and the error is important.
You are not trying to prove that n ≤ 2^(n/4), you are trying to prove that n ∊ O(2^(n/4)), which is a strictly weaker claim. It is impossible to prove that n ≤ 2^(n/4) because at n=2, the inequality is false.
By taking the logarithm of both sides, we can reduce the problem to that of showing that log n ∊ O(n), which is easy to show because d/dn log n ≤ 1 for n ≥ 1.
It is easy to prove that the inequality holds for n >= 16 using induction, no calculus required:
First, for n=16 you have 16^4 = 2^16.
If the inequality holds for n=k, for n=k+1 you have (k+1)^4 = (####)·k^4 < 2k^4 ≤ 2·2^k = 2^(k+1).
QED.
Since this is homework, I'll leave the crucial step, finding what goes in place of ####, to the reader.
For RSA, how do I calculate the secret exponent?
Given p and q the two primes, and phi=(p-1)(q-1), and the public exponent (0x10001), how do I get the secret exponent 'd'?
I've read that I have to do: d = e^-1 mod phi using modular inversion and the Euclidean equation but I cannot understand how the above formula maps to either the a^-1 ≡ x mod m formula on the modular inversion wiki page, or how it maps to the Euclidean GCD equation.
Can someone help please, cheers
You can use the extended Euclidean algorithm to solve for d in the congruence
de = 1 mod phi(m)
For RSA encryption, e is the encryption key, d is the decryption key, and encryption
and decryption are both performed by exponentiation mod m. If you encrypt a message a
with key e, and then decrypt it using key d, you calculate (a^e)^d = a^(de) mod m. But
since de = 1 mod phi(m), Euler's totient theorem tells us that a^(de) is congruent
to a^1 mod m -- in other words, you get back the original a.
There are no known efficient ways to obtain the decryption key d knowing only the
encryption key e and the modulus m, without knowing the factorization m = pq, so
RSA encryption is believed to be secure.
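How the congruence maps onto the extended Euclidean algorithm, as an added example that is not part of the original posts: the algorithm returns x and y with e*x + phi*y = 1, and reducing that identity mod phi leaves e*x = 1, so x is the secret exponent. The function names and the sample primes (two Mersenne primes, far too small for real use) are constructed for illustration.

```python
def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def secret_exponent(p, q, e=0x10001):
    """Solve d*e == 1 (mod phi) for d, with phi = (p-1)*(q-1)."""
    phi = (p - 1) * (q - 1)
    g, x, _ = egcd(e, phi)          # e*x + phi*y == g
    if g != 1:
        raise ValueError("e shares a factor with phi; no inverse exists")
    # Reducing e*x + phi*y == 1 modulo phi leaves e*x == 1, so x is e^-1.
    return x % phi                  # x may be negative; normalise to 0..phi-1

# Constructed sample key material: two Mersenne primes (toy size).
P, Q = 2**31 - 1, 2**61 - 1
E = 0x10001

def roundtrip(message):
    """Encrypt with e, decrypt with the derived d, and return the result."""
    n, d = P * Q, secret_exponent(P, Q, E)
    return pow(pow(message, E, n), d, n)

if __name__ == "__main__":
    d = secret_exponent(P, Q, E)
    print("d =", d, "| d*e mod phi =", d * E % ((P - 1) * (Q - 1)))
    print("round trip ok:", roundtrip(123456789) == 123456789)
```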
I'm working on coding the Pohlig-Hellman Algorithm but I am having a problem understanding the steps in the algorithm based on the definition of the algorithm.
Going by the Wiki of the algorithm:
I know the first part 1) is to calculate the prime factor of p-1 - which is fine.
However, I am not sure what I need to do in step 2), where you calculate the coefficients:
Let x2 = c0 + c1(2).
125^(180/2) = 125^90 ≡ 1 mod (181) so c0 = 0.
125^(180/4) = 125^45 ≡ 1 mod (181) so c1 = 0.
Thus, x2 = 0 + 0 = 0.
and 3) put the coefficients together and solve in the Chinese remainder theorem.
Can someone help with explaining this in plain English (i) - or pseudocode. I want to code the solution myself obviously but I cannot make any more progress unless I understand the algorithm.
Note: I have done a lot of searching for this and I read S. Pohlig and M. Hellman (1978). "An Improved Algorithm for Computing Logarithms over GF(p) and its Cryptographic Significance" but it's still not really making sense to me.
Thanks in advance
Update:
How come q(125) stays constant in this example?
Whereas in this example it appears like he is calculating a new q each time.
To be more specific I don't understand how the following is computed:
Now divide 7531 by a^c0 to get
7531(a^-2) = 6735 mod p.
Let's start with the main idea behind Pohlig-Hellman. Assume that we are given y, g and p and that we want to find x, such that
y == g^x (mod p).
(I'm using == to denote an equivalence relation). To simplify things, I'm also assuming that the order of g is p-1, i.e. the smallest positive k with 1 == g^k (mod p) is k=p-1.
An inefficient method to find x, would be to simply try all values in the range 1 .. p-1.
Somewhat better is the "Baby-step giant-step" method that requires O(p^0.5) arithmetic operations. Both methods are quite slow for large p. Pohlig-Hellman is a significant improvement when p-1 has many factors. I.e. assume that
p-1 = n r
Then what Pohlig and Hellman propose is to solve the equation
y^n == (g^n)^z (mod p).
If we take logarithms to the basis g on both sides, this is the same as
n log_g(y) == log_g(y^n) == nz (mod p-1).
n can be divided out, giving
log_g(y) == z (mod r).
Hence x == z (mod r).
This is an improvement, since we only have to search a range 0 .. r-1 for a solution of z. And again "Baby-step giant-step" can be used to improve the search for z. Obviously, doing this once is not a complete solution yet. I.e. one has to repeat the algorithm above for every prime factor r of p-1 and then to use the Chinese remainder theorem to find x from the partial solutions. This works nicely if p-1 is square free.
If p-1 is divisible by a prime power then a similar idea can be used. For example let's assume that p-1 = m q^k.
In the first step, we compute z such that x == z (mod q) as shown above. Next we want to extend this to a solution x == z' (mod q^2). E.g. if p-1 = m q^2 then this means that we have to find z' such that
y^m == (g^m)^z' (mod p).
Since we already know that z' == z (mod q), z' must be in the set {z, z+q, z+2q, ..., z+(q-1)q }. Again we could either do an exhaustive search for z' or improve the search with "baby-step giant-step". This step is repeated for every exponent of q, that is, from knowing x mod q^i we iteratively derive x mod q^(i+1).
I'm coding it up myself right now (JAVA). I'm using Pollard-Rho to find the small prime factors of p-1. Then using Pohlig-Hellman to solve a DSA private key. y = g^x. I am having the same problem..
UPDATE: "To be more specific I don't understand how the following is computed: Now divide 7531 by a^c0 to get 7531(a^-2) = 6735 mod p."
If you find the modInverse of a^c0 it will make sense.
Regards
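The three steps discussed in this thread (factor p-1, recover the coefficients c0, c1, ... for each prime power, combine with the Chinese remainder theorem), written out as an added example that is not code from the original posts. It uses the question's numbers p = 181 and y = 125; the base g = 2 is an assumption, since the page does not state it, and the function names are hypothetical.

```python
def factorize(n):
    """Trial division, returns {prime: exponent}; enough for a smooth toy p-1."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = 1
    return factors

def dlog_mod_prime_power(g, y, p, q, e):
    """Return x mod q**e, recovering one base-q coefficient c_i per round."""
    n = p - 1
    gamma = pow(g, n // q, p)                 # generator of the order-q subgroup
    x = 0
    for i in range(e):
        # "Divide y by g^x": multiply by the modular inverse of g^x, which
        # removes the coefficients already found, then project into the subgroup.
        t = pow(y * pow(g, -x, p) % p, n // q ** (i + 1), p)
        # Exhaustive search over 0..q-1 (baby-step giant-step also works here).
        c = next(c for c in range(q) if pow(gamma, c, p) == t)
        x += c * q ** i
    return x

def crt(parts):
    """Combine [(residue, modulus), ...] with pairwise coprime moduli."""
    x, m = 0, 1
    for r, mod in parts:
        k = (r - x) * pow(m, -1, mod) % mod   # shift x by a multiple of m
        x, m = x + m * k, m * mod
    return x

def pohlig_hellman(g, y, p):
    """Solve y == g^x (mod p), assuming g has order p-1 as in the answer above."""
    parts = [(dlog_mod_prime_power(g, y, p, q, e), q ** e)
             for q, e in factorize(p - 1).items()]
    return crt(parts)

if __name__ == "__main__":
    # p = 181 and y = 125 are the page's numbers; base g = 2 is an assumption.
    print(pohlig_hellman(2, 125, 181))
```

Under that assumed base, the prime power 2^2 yields c0 = c1 = 0, matching x2 = 0 in the question. The search cost per coefficient is bounded by the largest prime factor of p-1, which is why the method pays off when p-1 has many small factors.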
Let X be the set of all sets that do not contain themselves. Is X a member of X?
In ZFC, either the axiom of foundation [as mentioned] or the axiom (scheme) of comprehension will prohibit this. The first, for obvious reasons; the second, since it basically says that for given z and first-order property P, you can construct { x ∈ z : P(x) }, but to generate the Russell set, you would need z = V (the class of all sets), which is not a set (i.e. cannot be generated from any of the given axioms).
In New Foundations (NF), "x ∉ x" is not a stratified formula, and so again we cannot define the Russell set. Somewhat amusingly, however, V is a set in NF.
In von Neumann--Bernays--Gödel set theory (NBG), the class R = { x : x is a set and x ∉ x } is definable. We then ask whether R ∈ R; if so, then also R ∉ R, giving a contradiction. Thus we must have R ∉ R. But there is no contradiction here, since for any given class A, A ∉ R implies either A ∈ A or A is a proper class. Since R ∉ R, we must simply have that R is a proper class.
Of course, the class R = { x : x ∉ x }, without the restriction, is simply not definable in NBG.
Also of note is that the above procedure is formally constructable as a proof in NBG, whereas in ZFC one has to resort to meta-reasoning.
The question is ill-posed in the standard ZFC (Zermelo-Fraenkel + axiom of Choice) set theory because the object thus defined is not a set.
Since (again, assuming standard ZFC) your class {x : x ∉ x} is not a set, the answer becomes no, it's not an element of itself (even as a class) since only sets can be elements of classes or sets.
By the way, as soon as you agree to the axiom of foundation, no set can be an element of itself.
Of course the nice thing about math is you can choose whichever axioms you want :) but believing in paradoxes is just weird.
The most elegant proof I've ever seen resembles Russell's paradox closely.
Theorem (Cantor, I suppose).
Let X be a set, and 2^X the set of its subsets. Then card(X) < card(2^X).
Proof. Surely card(X) <= card(2^X), since there is a trivial bijection between X and the singletons in 2^X. We must prove that card(X) != card(2^X).
Suppose there is a bijection between X and 2^X. Then each xk in X is mapped to a set Ak in 2^X.
x1 ---> A1
x2 ---> A2
...
xk ---> Ak
...
For each xk the chances are: either xk belongs to Ak, or it does not. Let M be the set of all those xk that do not belong to their corresponding set Ak. M is a subset of X, thus there must exist an element m of X which is mapped to M by the bijection.
Does m belong to M? If it does, then it does not, for M is the set of those x that do not belong to the set they're mapped to. If it does not, then it does, for M contains all such x's. This contradiction stems from the assumption that a bijection exists. Thus a bijection cannot exist, the two cardinalities are different, and the theorem is proved.