Secret Sharing Across a Network with Low Communication Cost: Distributed Algorithm and Bounds


Nihar B. Shah, K. V. Rashmi and Kannan Ramchandran, Fellow, IEEE
Department of Electrical Engineering and Computer Sciences, University of California, Berkeley
{nihar, rashmikv, kannanr}@eecs.berkeley.edu
arxiv:07.00v4 [cs.cr] 4 Jul 03

Abstract

Shamir's (n, k) threshold secret sharing is an important component of several cryptographic protocols, such as those for secure multiparty-computation, key management, and Byzantine agreement. These protocols typically assume the presence of direct communication links from the dealer to all participants, in which case the dealer can directly pass the shares of the secret to each participant. In this paper, we consider the problem of secret sharing when the dealer does not have direct communication links to all the participants, and instead, the dealer and the participants form a general network. We present an efficient and distributed algorithm, which we call the SNEAK algorithm, for secret sharing over general networks that satisfy what we call the k-propagating-dealer condition. We also derive information-theoretic lower bounds on the communication complexity of secret sharing over any network, under any algorithm, which may be of independent interest. We show that for networks satisfying the k-propagating-dealer condition, the communication complexity of the SNEAK algorithm is Θ(n), and furthermore, is within a constant factor of the lower bound. In contrast, the current state-of-the-art solution entails a communication complexity that is super-linear in n for a wide class of networks, and is Θ(n ) in the worst case. Moreover, the amount of randomness required under the SNEAK algorithm is a constant, while that required under the current state-of-the-art increases with n for a large class of networks, and in particular, is Θ(n) whenever the degree of the dealer is bounded.
Finally, while the current state-of-the-art solution requires considerable coordination in the network and knowledge of the global topology, the SNEAK algorithm is completely distributed and requires each node to know only the identities of its one-hop neighbours. Our algorithm thus allows for efficient generalization of several cryptographic protocols to a large class of general networks in a distributed way.

I. INTRODUCTION

Shamir's classical (n, k) secret sharing scheme [] is an essential ingredient of several cryptographic protocols. The scheme considers a set of (n + ) entities: a dealer and n participants. The dealer possesses a secret s and wishes to pass functions (called shares) of this secret to the n participants, such that the following properties are satisfied:
- k-secret-recovery: the shares of any k participants suffice to recover the secret
- (k )-collusion-resistance: the aggregate data gathered by any (k ) nodes reveals no knowledge (in the information-theoretic sense) about the secret.

Several cryptographic protocols in the literature require execution of one or more instances of secret sharing among all the participants. These include protocols for secure multiparty-computation [3] [8], secure key management [9], [0], general Byzantine agreement between all participants [3], [] [3], proactive secret sharing [4], [5], and secure archival storage [6]. For instance, under the celebrated Ben-Or-Goldwasser-Wigderson (BGW) protocol [3] for secure-multiparty function computation, the initialization step requires n instances of secret sharing with all participants, and every multiplication operation requires n additional instances.

[Figure: (a) Dealer has communication links to all participants; (b) Dealer and participants form a general network.]
Fig. : Shamir's secret sharing for k = and n = 6. (a) All participants are connected directly to the dealer, allowing the dealer to directly pass the shares. The share of participant i ( i 6) is s + ir, where s is the secret and r is a value chosen uniformly at random from the finite field of operation F_7. (b) The dealer and the participants form a general network, where the dealer cannot pass shares directly to participants 3, 4, 5 and 6.

Most protocols including those listed above assume that the dealer has direct communication links to every participant. In this case, the dealer can compute the shares as per Shamir's scheme [] and directly pass the shares to the respective participants. Such a setting is depicted in Fig. a for the parameters (n = 6, k = ).

In several situations, the dealer may not have direct communication links with every participant; instead, the dealer and the participants may form a general network. Fig. b depicts such a scenario. The network is described by a graph G with (n + ) nodes. These (n + ) nodes comprise the dealer and the n participants. An edge in this graph implies a secure communication link between its two end-points, while the absence of an edge denotes the non-existence of any direct communication link. We shall say a participant is directly connected to the dealer if there exists an edge from the dealer to that participant. We shall use the terms edge or link to refer to a communication link.

Under a general network G, all communication between the dealer and any participant who is not directly connected to it must pass through other participants in the network. This poses the challenge of secret sharing over general networks, without leaking any additional information to any participant.
Existing methods require separate secure transmissions to be performed from the dealer to each participant across the network [7]. Under such a solution, in order to communicate the designated share to a participant, the dealer treats this share as a secret, employs Shamir's scheme to compute k shares of this secret, and communicates these k shares to the participant through k node-disjoint paths (this is described in more detail in Section III-B). However, such a solution incurs a high communication cost, since the dealer needs to transmit shares across the network separately for every participant. Moreover, the requirement of setting up k node-disjoint paths to every participant requires the knowledge of global topology, and also requires significant coordination in the network. Due to lack of a specific name, throughout the paper, we shall refer to this solution simply as the current state-of-the-art solution.

(Footnote: SNEAK stands for Secret-sharing over a Network with Efficient communication And distributed Knowledge-of-topology.)

In this paper, we consider the problem of efficient dissemination of the shares of a secret to participants forming a general network. We provide an algorithm, which we call the SNEAK algorithm, that performs this task over a wide class of networks in a communication-efficient and distributed manner, and provides significant gains over the state-of-the-art. We also derive information-theoretic lower bounds on the communication complexity and randomness requirements for secret sharing over general networks. We also analyze the communication complexity and randomness requirements of the SNEAK algorithm, and show that the SNEAK algorithm is within a constant factor of the lower bounds, and furthermore, is considerably smaller than the requirements of the current state-of-the-art solution. The SNEAK algorithm is also completely distributed and requires each node to know only the identities of its one-hop

[Figure: panels (a) and (b), showing the data passed along each edge of the network.]
Fig. : Secret sharing across the network of Fig. b, for n=6 and k=: (a) current state-of-the-art, employing separate secure transmissions from the dealer to each participant, and (b) our new SNEAK algorithm. The text on an edge is the data passed by the node at the left end-point of the edge to the node at the right end-point (i.e., from the smaller numbered node to the larger numbered node). See Example for more details.

neighbours. Thus, the SNEAK algorithm allows for efficient generalization of various cryptographic protocols that assume direct communication links from the dealer to every participant, to a large class of general networks.

Before delving into the details, we present a toy example of secret sharing across a network, illustrating the current state-of-the-art, and the new SNEAK algorithm proposed in this paper.

Example : Consider the network depicted in Fig. b. Let n = 6 and k =, with the alphabet of operation as the finite field F_7. Under Shamir's scheme of encoding the secret s, the share t_i ( i 6) for participant i is t_i = s + ir, where r is a value chosen by the dealer uniformly at random from the alphabet. While the dealer can directly pass the shares t and t to participants and respectively, the difficulty arises in communicating shares to the remaining participants with whom the dealer does not have direct communication links. For instance, if the dealer tries to pass share t_3 to participant 3 by simply communicating t_3 along the path dealer 3, then participant gains access to two shares, t and t_3. Using these two shares, participant can recover the secret s, thus violating the (k )-collusion resistance requirement.

The current state-of-the-art is to perform separate secure transmissions from the dealer to each participant [7]. This is illustrated in the sequence of steps depicted in Fig. a. In order to pass the share t_3 to participant 3, the dealer chooses another random value r_3, passes (t_3 + r_3) along the path dealer 3, and r_3 along the path dealer 3. Now, participant 3 can recover its share t_3, and no participant gains any additional information about the secret s in this process. In a similar manner, the dealer can communicate t_i (4 i 6) to participant i by passing (t_i + r_i) and r_i through k = node-disjoint paths.
Although this solution guarantees successful share dissemination, it is communication inefficient, and requires knowledge of the global topology, as well as considerable coordination in the network to set up the node-disjoint paths.

Observe that the solution described above transmits data across several hops in the network in every step, and this data is never used subsequently in the protocol. Thus, in order to design efficient algorithms, one may wish to propagate data in a manner that allows its subsequent reuse downstream, thus reducing the overall communication in the network. This is the key idea underlying the SNEAK algorithm proposed in this paper, which is illustrated in the sequence of steps depicted in Fig. b. Here, the dealer first draws two values r and r_a uniformly at random from F_7. The dealer then passes the two values (s + r) and (r + r_a) to node, and the two values (s + r) and (r + r_a) to node. Upon receiving its data, each node passes a particular linear combination of its received data to each of its downstream neighbours. For instance, node passes (s + r) + 3(r + r_a) to node 3, which can equivalently be written as (s + 3r) + (r + 3r_a). Node passes (s + r) + j(r + r_a) (= (s + jr) + (r + jr_a)) to node j {3, 4} respectively. Node 3 can thus recover the two values (s + 3r) and (r + 3r_a) from the data it receives. Similarly, as shown in the sequence of steps depicted in Fig. b, every node i {,..., 6} can recover its requisite share (s + ir), along with a random counterpart (r + ir_a) which is used to disseminate shares further downstream. Note that in Fig. b, the expression written above an edge is the linear combination that is transmitted, and the corresponding expression written in the parenthesis below that edge is a simple rewriting of the data transmitted. We can see that the SNEAK algorithm requires a communication of only values, as opposed to 4 under the current state-of-the-art.
The number of random values generated under the SNEAK algorithm is only, whereas the current state-of-the-art solution requires generation of 5 random values. Furthermore, the SNEAK algorithm requires knowledge of only the local topology, whereas the current state-of-the-art solution requires the knowledge of the global topology in order to set up communication over node-disjoint paths.

The remainder of the paper is organized as follows. Section II provides a formal description of the system model and summarises the results of this paper. Section III reviews related literature. Section IV describes the SNEAK algorithm in full generality. Section V presents information-theoretic lower bounds on the communication complexity and the randomness requirements for secret sharing on general networks, along with an analysis of these metrics under the SNEAK algorithm and the current state-of-the-art solution. Section VI presents conclusions and discusses open problems. Appendices A and B contain proofs that are omitted from the main text. Appendix C

discusses extensions to the algorithm for performing two-threshold secret sharing, handling actively-adversarial participants, and allowing for addition of new participants in the absence of trusted entities. Appendix D presents techniques to perform efficient secret sharing on graphs that do not meet the conditions required for the SNEAK algorithm.

II. SYSTEM MODEL AND SUMMARY OF RESULTS

A. Secret Sharing in a General Network

The dealer possesses a secret s that is drawn from some alphabet A, and wishes to pass shares of this secret to n participants. The dealer and the participants form a general network, denoted by graph G. The graph G has (n + ) nodes comprising the dealer and the n participants, and an edge in the graph denotes a secure and private communication link between the two end-points. The problem is to design a protocol which will allow the dealer to pass shares (of the secret) to the n participants, meeting the requirements of (k )-collusion-resistance and k-secret-recovery (described in Section I). All the participants are assumed to be honest-but-curious, i.e., they follow the protocol correctly, but may store any accessible data in order to gain information about the secret (the case of active adversaries is considered in Appendix C-B). The edges in the graph G are allowed to be directed or undirected: a directed edge implies existence of only a one-way communication link, while an undirected edge implies direct communication links both ways. The parameters n and k are assumed to satisfy n k >, since n k prohibits the secret from ever being recovered, while k = degenerates the problem into a trivial case wherein no security is required.

We now discuss a condition that the graph G must necessarily satisfy for any algorithm to successfully perform secret sharing on it.
Definition (m-connected-dealer): A graph with (n + ) nodes (the dealer and n participants) satisfies the m-connected-dealer property for a positive integer m, if each of the n participants in the graph either has an incoming edge directly from the dealer or has at least m node-disjoint paths from the dealer to itself.

Proposition (Necessary condition): For any graph G, a necessary condition for any algorithm to perform (n, k) secret sharing is that G satisfies the k-connected-dealer property.

Proof: The proof of the necessity of this condition is straightforward, and is provided here for completeness. Suppose G does not satisfy the k-connected-dealer property. Then, there exists some node (say, node i) that is not directly connected to the dealer, and has at most (k ) node-disjoint paths from the dealer to itself. In other words, there exists a set V k of some other (k ) nodes such that all paths from the dealer to node i necessarily pass through at least one of the nodes in V k. Thus the entire share of participant i can be reconstructed by the participants in V k. It follows that a collusion of the (k ) nodes in V k can put together their own (k ) shares along with the share of node i and recover s, thus violating the (k ) collusion resistance property.

Thus no algorithm can operate successfully on all network topologies, and must require the graph G to obey at least the k-connected-dealer condition. Additionally, an algorithm constructed for this problem may require the network topology to satisfy certain additional structural assumptions. However, in practice, the structure of the network graph may not be known beforehand. Moreover, under a dynamic network, the graph structure may also vary with time. This leads to a natural question about the outcome of an algorithm over a network that does not meet the conditions required by the algorithm.
Since the security of the secret is paramount, one must ensure that the algorithm is robust to the network topology, i.e., it must satisfy the (k )-collusion-resistance property over any arbitrary network topology.

(Footnote: Thus, at times, we will also refer to a participant as a node of the graph. We will also use the terms network and graph interchangeably.)

The problem considered here is to construct efficient algorithms for secret sharing that satisfy the conditions of (i) k-secret-recovery, and (ii) (k )-collusion-resistance (robust to the network topology). The SNEAK algorithm

meets these conditions for a wide class of networks. The class of networks on which the SNEAK algorithm successfully performs secret sharing is described below.

B. Class of Networks Considered

The SNEAK algorithm requires the communication network G to satisfy an additional condition, the k-propagating-dealer condition, as discussed below.

Definition (m-propagating-dealer): A graph with (n + ) nodes (the dealer and n participants) satisfies the m-propagating-dealer property for a positive integer m, if there exists an ordering of the n participants in the graph such that every node either has an incoming edge directly from the dealer, or has incoming edges from at least m nodes preceding it in the ordering.

As an illustration of this condition, consider the network of Example (Fig. b). This network satisfies the -propagating-dealer condition, with the ordering,, 3, 4, 5, 6 (observe that this is also the order in which the participants receive their shares under the SNEAK algorithm as shown in Fig. b). Appendix D-A discusses examples of classes of graphs satisfying this condition, e.g., layered networks, one-dimensional geometric graphs and backbone networks, which are also illustrated in Fig. 3 in the appendix. In addition, any directed acyclic graph (DAG) that satisfies the m-connected-dealer condition automatically satisfies the m-propagating-dealer condition (any topological ordering of the DAG suffices as the requisite node-ordering).

The SNEAK algorithm successfully performs secret share dissemination to all participants if the graph satisfies the k-propagating-dealer property. We note that while the necessity of the k-propagating-dealer condition under the SNEAK algorithm requires the existence of some such ordering of the nodes, the execution of the algorithm is completely distributed and oblivious to the actual ordering.

Apart from the parameters n and k, an additional parameter d is associated to the SNEAK algorithm.
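The toy example and the ordering condition above can be exercised with a short simulation; this is an added example, not code from the paper. It assumes k = d = 2 (the value is missing from this transcription, but the example passes two values per node), and the edge lists, the dealer label 0 and all function names are constructed for illustration.

```python
from itertools import product

Q = 7        # field size: the example works in F_7
NEED = 2     # values a node must receive before it can decode (k = d = 2, assumed)
DEALER = 0   # hypothetical label for the dealer; participants are 1..6

# Constructed topology for the example: the dealer reaches only nodes 1 and 2,
# and every later node has exactly two upstream neighbours.
EXAMPLE_EDGES = {0: [1, 2], 1: [3], 2: [3, 4], 3: [4, 5], 4: [5, 6], 5: [6], 6: []}
# Same network with link 3 -> 4 removed: node 4 is left with one upstream sender,
# so no ordering of the kind required by the propagating-dealer condition exists.
BROKEN_EDGES = {0: [1, 2], 1: [3], 2: [3, 4], 3: [5], 4: [5, 6], 5: [6], 6: []}


def inv(a):
    """Multiplicative inverse in F_7 (Fermat's little theorem)."""
    return pow(a % Q, Q - 2, Q)


def sneak(edges, s, r, ra):
    """Simulate the dissemination for secret s and dealer randomness r, ra.

    Returns (state, order, sent, views):
      state[j] = (s + j*r, r + j*ra) for every node that decoded,
      order    = nodes in the order they obtained their share,
      sent     = number of field elements transmitted,
      views[j] = everything node j received (what a curious node could store).
    """
    state, order, sent = {}, [], 0
    inbox = {j: [] for j in edges if j != DEALER}
    views = {j: [] for j in inbox}
    for j in edges[DEALER]:                 # dealer hands out both values directly
        state[j] = ((s + j * r) % Q, (r + j * ra) % Q)
        views[j] = list(state[j])
        sent += 2
        order.append(j)
    frontier = list(order)
    while frontier:
        i = frontier.pop(0)
        t_i, u_i = state[i]
        for j in edges[i]:
            if j in state:                  # assumption: decoded nodes need nothing more
                continue
            # (s + i r) + j (r + i ra), which equals (s + j r) + i (r + j ra)
            v = (t_i + j * u_i) % Q
            inbox[j].append((i, v))
            views[j].append(v)
            sent += 1
            if len(inbox[j]) == NEED:       # two equations in (t_j, u_j): solve them
                (i1, v1), (i2, v2) = inbox[j]
                u_j = (v1 - v2) * inv(i1 - i2) % Q
                t_j = (v1 - i1 * u_j) % Q
                state[j] = (t_j, u_j)
                order.append(j)
                frontier.append(j)
    return state, order, sent, views


def recover_secret(j1, t1, j2, t2):
    """Any two shares t_j = s + j*r determine s by eliminating r."""
    return (j2 * t1 - j1 * t2) * inv(j2 - j1) % Q


def views_hide_secret(edges):
    """Exhaustive check that no single node's view depends on s.

    For every node and every view it can observe, each of the 7 secrets must be
    explained by the same number of (r, ra) choices.
    """
    counts = {}
    for s, r, ra in product(range(Q), repeat=3):
        views = sneak(edges, s, r, ra)[3]
        for j, view in views.items():
            counts.setdefault((j, tuple(view)), [0] * Q)[s] += 1
    return all(len(set(c)) == 1 for c in counts.values())


if __name__ == "__main__":
    state, order, sent, _ = sneak(EXAMPLE_EDGES, s=3, r=5, ra=2)
    print("decode order:", order, "values sent:", sent)
    print("shares:", {j: t for j, (t, _) in state.items()})
    print("single-node secrecy:", views_hide_secret(EXAMPLE_EDGES))
    print("broken network decode order:", sneak(BROKEN_EDGES, 3, 5, 2)[1])
```

On the broken topology the nodes past the missing link never obtain shares, yet the secrecy check still passes, which matches the requirement that collusion resistance must not depend on the topology.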
We saw earlier that the k-connected-dealer condition is necessary for any secret sharing algorithm, and the SNEAK algorithm requires the k-propagating-dealer condition to be satisfied. Now, assuming that these necessary conditions have been met, one would intuitively expect the efficiency of the algorithm to be higher if the graph has a higher connectivity. The parameter d is used to capture this intuition: the SNEAK algorithm takes the parameter d ( k) as input, and under the assumption that the graph satisfies the d-propagating-dealer condition, achieves a greater communication efficiency.

C. Summary of Results

This paper presents an algorithm that takes parameters n, k and d ( k) as input, and enables a dealer to disseminate shares of a secret to n participants forming a general network G, such that the properties of
- k-secret-recovery (when G satisfies the d-propagating-dealer condition)
- (k )-collusion-resistance (irrespective of the network topology)
are satisfied. The algorithm is completely distributed, and each node needs to know only the identities of its neighbours.

For any (n, k) and any graph G with (n + ) nodes, we also derive:
- Information-theoretic lower bounds on the total communication complexity under any algorithm.
- Communication complexity under the SNEAK algorithm.
- Lower bounds on the communication complexity under the current state-of-the-art (that performs separate secure transmissions from the dealer to each node).

These bounds are applicable to all finite values of parameters n, k, d. In particular, the total communication performed under the SNEAK algorithm is n d d k+, and as expected, reduces with an increase in d.

Using these results, we then establish that when the k-propagating dealer property is satisfied, assuming k and d as constants:
- The communication complexity of the SNEAK algorithm is Θ(n).
- For any (n, k), the communication complexity of the SNEAK algorithm is always within a constant (multiplicative) factor of the lower bounds, and furthermore, there exists a class of graphs for which the communication complexity of the SNEAK algorithm is within a constant (additive) factor of the lower bounds.
- The communication complexity of the current state-of-the-art grows super-linearly for a large class of graphs, and is Θ(n ) in the worst case.
- The amount of randomness required under the SNEAK algorithm is independent of n. The current state-of-the-art requires an amount that grows with n (unless the number of neighbours of the dealer grows linearly with n).
- The SNEAK algorithm requires a Θ(n) computation complexity, identical to that of the current state-of-the-art.

The algorithm can also be extended to ensure dissemination of shares to all participants even when the k-propagating-dealer condition is not satisfied, by employing separate secure transmissions from the dealer to certain intermediate nodes in the network. In addition, it also handles active adversaries and allows for efficient addition of new participants in the absence of trusted entities. The algorithm also supports two-threshold secret sharing [8], i.e., it allows for increased efficiency when the (k )-collusion-resistance condition is relaxed to l-collusion-resistance with l < k.

D. Notational Conventions

A vector will be treated as a column vector by default, and a row vector will be written as the transpose of the corresponding column vector.
The transpose of a vector or matrix will be denoted by a superscript T. For any integer l, [l] will represent the set {,..., l}. For any participant j ( j n), the set of its neighbours will be denoted by N(j). In case of a directed graph, N(j) will denote the set of nodes to which node j has an outgoing edge. The dealer will be denoted by, and the set of neighbours of the dealer by N (). We shall say that a node j is directly connected to the dealer if j N ().

III. RELATED LITERATURE

A. Shamir's Secret Sharing Protocol

We first give a brief review of Shamir's secret sharing protocol []. We assume for now that the dealer has a direct (secure) communication link with every participant (as in Fig. a). Assume that the secret s is drawn from some finite field F_q of size q (> n). The dealer chooses (k ) values {r i } k i= uniformly and independently at random from F_q. Define a k-length vector m as (see footnote 3)

m T = [s r r r k ]. ()

Next, define a set of n vectors {ψ i } n i=, each of length k, as

ψ T i = [ i i i k ]. ()

The share t_i of participant i is simply the inner product

$$t_i = \psi_i^T m. \qquad (3)$$

(Footnote 3: To suit the description of the algorithm developed subsequently in this paper, we deviate from the customary polynomial based description of Shamir's protocol, and employ a matrix-based notation instead.)

It can be verified that for any set I [n] of cardinality k, the secret s can be recovered from the set of values {ψ T i m} i I. Furthermore, it can also be verified that for any set I [n] of cardinality smaller than k, the set {ψ T i m} i I provides no knowledge about s. Under the assumption that the dealer has direct communication links with each of the n participants, the dealer can simply pass t_i to participant i, i n. This completes the description of Shamir's secret sharing protocol. We now describe the current state-of-the-art that addresses the situation when the dealer and participants form a general network.

B. Current state-of-the-art

This section describes a scheme for secret sharing over a general network employing separate secure transmissions from dealer to each participant [7]. Fig. a in Example is an example of such a solution.

Under this solution, the dealer first encodes the secret s into n shares {t l } n l= using Shamir's secret sharing scheme (3). To every node l directly connected to the dealer, the dealer directly passes its share t_l. To disseminate shares to the remaining nodes, the dealer performs the following actions, once separately for each remaining node. Let l now denote a node that is not connected directly to the dealer. The dealer applies Shamir's secret sharing scheme treating t_l as a secret, and computes k shares {u l,j } k j=, as

t l r l, u l,j = [ j j j k ] r l,, (4). r l,k

where the values {r l,,..., r l,k } are chosen independently and uniformly at random from F_q. The dealer then finds k node-disjoint paths (from itself) to node l, and passes u_{l,j} along the j-th path ( j k). At the end of these transmissions, node l receives {u l,j } k j= from which it can recover its share t_l. Moreover, since each of the random values are independent, no participant can obtain any information about any other participant's share, or any additional information about the secret s.
This process is repeated once for every node that is not connected directly to the dealer.

The solution described above requires transmission of data across k node-disjoint paths once for every node that is not connected directly to the dealer. Thus this solution is not efficient in terms of communication complexity, and furthermore, is not distributed.

We note that the communication efficiency of this solution can be improved if more than k node-disjoint paths are available, by employing two-threshold secret sharing [8] over these node-disjoint paths. Under this setting, for any given participant i, let us suppose there are w_i ( k) node-disjoint paths from the dealer to node i. The dealer chooses a value w ( {k,..., w_i}), encodes the share of participant i into w chunks in a manner [8] that satisfies w-secret-recovery and (k )-collusion-resistance, and passes these chunks via the w shortest node-disjoint paths to participant i. The dealer chooses w such that the amount of communication in transmitting the share to participant i is minimized; the special case of choosing w = k for all participants is equivalent to the procedure described in the previous paragraphs. The analysis and comparisons performed subsequently in Section V shall consider this two-threshold version of the current state-of-the-art solution.

C. Network Coding, Distributed Storage, and Other Related Works

The problem of secret sharing over a general network can also be cast as a specific instance of a network coding problem [9], requiring security from eavesdropping on the nodes. This casting can be performed in the following

manner. The dealer is the source node, and the secret s is the message. The network graph in the network coding problem is identical to that in the secret sharing problem, but with a set of ( n k) additional nodes that act as the sinks. Each of the ( n k) sinks is connected to a distinct subset of k participants, and has one directed link of infinite capacity coming in from each of the corresponding k participants. Each sink must recover the entire message available. This corresponds to the condition of k-secret-recovery. To satisfy the (k )-collusion-resistance property, a compromise of up to (k ) arbitrary nodes (excluding the source and the sinks) to a passive eavesdropper should reveal no information about the message. In this manner, the secret sharing problem is equivalent to a network coding problem requiring secrecy from an eavesdropper that can gain access to a subset of the nodes.

However, with respect to this setting, very little appears to be known in the network coding literature. To the best of our knowledge, the literature on secure network coding (e.g., [0] [3]) considers only the setting where the eavesdropper gains access to a subset of the links. The problem of node-compromise is treated as a case of link-compromise by allowing the eavesdropper to gain access to all links that are incident upon the compromised nodes. In [], [3], authors consider the setting wherein a collection of subsets of the links is specified, and an eavesdropper may gain access to precisely one of these subsets. However, the scheme provided is not explicit, and requires the size of the finite field to be exponential in n. The algorithm depends on the knowledge of the network topology, and given the network topology, it is computationally intensive to obtain the actions to be performed at the nodes under this algorithm. Moreover, the scheme requires the graph to satisfy a particular condition, which is almost always violated in our problem setting.
On the other hand, communication-efficient algorithms to secure a network from an eavesdropper having access to a bounded number of links are provided in [0], []. Given the network topology, the actions to be performed at the nodes can be derived in a computationally efficient manner. However, these algorithms communicate a message of size equal to the difference between the largest message that can be sent in the absence of secrecy requirements, and the bound on number of compromised links. Under our problem setting, this difference is generally zero or smaller (e.g., the difference is in the network of Fig. b), thus rendering these algorithms inapplicable.

The algorithm presented in this paper thus turns out to be an instance of a secure network coding problem that admits an explicit solution that is distributed, communication-efficient, and provides deterministic (probability ) guarantees. Furthermore, the solution handles the case of nodal-eavesdropping, about which very little appears to be known in the literature.

The SNEAK algorithm is based on a variant of the Product-Matrix codes [4] which were originally constructed for distributed storage systems. These codes possess useful properties that the SNEAK algorithm exploits in the present context. The product-matrix codes are a practical realization of the concept of Regenerating codes [5] for distributed storage. To date, apart from the MDS codes of [6], these are the only known constructions of regenerating codes that are scalable (i.e., other parameters of the system impose no constraints on the total number of nodes in the system), an essential ingredient for our problem. Secure versions of the product-matrix codes were constructed in [7], [8]. The reader familiar with the literature on regenerating codes for distributed storage may recognize later in the paper that we employ the minimum-bandwidth (MBR) version, and not the minimum-storage (MSR) version, of the product-matrix codes [4].
We make this choice to guarantee secrecy from honest-but-curious participants, who may store all the data that they receive, a characteristic of the MBR point on the storage-bandwidth tradeoff [5]. In addition to secret share dissemination, the algorithm provided in this paper may also be employed for efficient authentication or commitment-verification (discussed in detail subsequently in Appendix C). In this context, an authentication protocol for MANETS presented in [9] and a commitment-verification protocol of [30] can be derived as special cases of the encoding part of the SNEAK algorithm (corresponding to the case when d = k). IV. ALGORITHM FOR SECRET SHARING OVER GENERAL NETWORKS This section presents the main result of the paper. Consider a network G that obeys the d-propagating-dealer condition for some parameter d ( k). The secret s belongs to the alphabet A, and we assume that A = F d k+ q,

10 0 for some q > n. Thus we can equivalently denote the secret as a vector s = [s s s d k+ ] T with each element of this vector belonging to the finite field F q. A. Initial Setting up by the ealer The dealer first constructs an (n d) Vandermonde matrix Ψ, with the i th ( i n) row of Ψ being The vector ψ i is termed the encoding vector of node i. ψ i = [ i i i d ] T. (5) Next, the dealer constructs a (d d) symmetric matrix M comprising the secret s and a collection of randomly generated values as follows: where the depicted sub-matrices of M are M = s A r T a s T B r a R b Rc T s B R c 0 }{{}}{{} k }{{} d k } {{ } d (6) s A = s d k+ is a scalar, s B = [s s d k ] T is a vector of length (d k), r a is a vector of length (k ) with its entries populated by random values, R b is a ((k ) (k )) symmetric matrix with its k(k ) distinct entries populated by random values, R c is a ((d k) (k )) matrix with its (k )(d k) entries populated by random values. These random values are all picked independently and uniformly from F q. Note that the total number of random values R in matrix M is k(k ) R = (k ) + + (k )(d k) ( ) k = (k )d. (7) The entire secret is contained in the components s A and s B as s T = [s s d k+ ] = [s B T s A ]. Observe that the structure of M as described in (6), along with the symmetry of matrix R b, makes the matrix M symmetric. The share t j for participant j ( j n) is a vector of length (d k + ): t T j = ψ T j s A r a s T B Rc T s B 0. (8) We shall show subsequently in Theorem 3 that any k of these shares suffice to recover the entire secret. Remark : To see these shares in the conventional polynomial representation of Shamir s secret sharing scheme, recall that the vector ψ T j is drawn from a Vandermonde matrix. Thus each entry of t j in (8) can be seen as the evaluation of a polynomial at value j. 
Thus there is one polynomial for each secret value s i ( i d k + ), having the corresponding secret symbol as its constant term with the remaining coefficients independent of the secret value s i.

Example : Consider the setting of Example (Fig. b), wherein n = 6, k =, d =. Here

$$M = \begin{bmatrix} s & r \\ r & r_a \end{bmatrix},$$

and for every j ( j n), ψ T j = [ j] and the share for participant j is $t_j^T = [s + jr]$.

B. Communication across the Network

Algorithm describes the communication protocol to securely transmit the shares {t j } n j= to the n participants.

Algorithm Communication Protocol

Dealer: For every j N (), compute and pass the d-length vector $\psi_j^T M$ to participant j.

Participant l N (): Wait until receipt of data $\psi_l^T M$ from the dealer. Upon receipt, perform the following actions. For every j N (l), compute the inner product of the data $\psi_l^T M$ with the encoding vector $\psi_j$ of participant j. Transmit the resulting value $\psi_l^T M \psi_j$ to participant j.

Participant l / N (): Wait until receipt of one value each from any d neighbours, and then perform the following actions (if more than d neighbours pass data, retain data from some arbitrary d of these nodes). Denote this set of d neighbours as {i,..., i d }, and the values received from them as {σ,..., σ d } respectively. Compute the vector

v = ψ T i. ψ T i d σ. σ d.

For every neighbour i N (l) from whom you did not receive data, compute and pass the inner product $v^T \psi_i$ to participant i.

Remark : In order to reduce the communication complexity, one would like to ensure that a participant receives data from no more than d of its neighbours. This can be ensured via a simple handshaking protocol between neighbours, wherein a participant who is ready to transmit data to its neighbours, queries the neighbours for the requirement of the respective transmissions, prior to actually sending the data.

Example 3: Consider the setting of Example (Fig. b), wherein n = 6, k =, d =. The values of M, $\psi_j$ and $t_j$ ( j n) under this setting are specified in Example. For the given network, we have N () = {, }. As per Algorithm, participant j {, } receives $\psi_j^T M = [\,s + jr \;\;\; r + j r_a\,]$ directly from the dealer. Now let us focus on participant 3. Since participant 3 is a neighbour to participants and, following Algorithm, participant j {, } passes $\psi_j^T M \psi_3 = (s + jr) + 3(r + j r_a)$ to participant 3. Participant 3 thus receives the two values σ = (s + r) + 3(r + r a ) and σ = (s + r) + 3(r + r a ) from neighbours i = and i =. Using the fact that ψ T = [ ] and ψ T = [ ], it computes

v = [ ] [ (s + r) + 3(r + r a ) ; (s + r) + 3(r + r a ) ] = [ s + 3r ; r + 3r a ].

A similar procedure is executed at participants 4, 5 and 6 as well.

C. Correctness of the Algorithm

The following theorems show that each participant indeed receives its intended share (8), and the algorithm satisfies the properties of k-secret-recovery, and (k )-collusion-resistance (robust to network structure).
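The dealer setup of Section IV-A, the communication protocol of Section IV-B and the two-stage recovery from k shares, run end to end as an added example (this is not code from the paper). The field size 257, the six-node network, the dealer label "D", the encoding vector taken as the powers j^0 ... j^(d-1), and the block sizes of M (chosen so that M is d x d and a share has d - k + 1 entries) are assumptions of this example.

```python
import secrets

Q = 257  # prime field size; the scheme needs q > n (257 is an assumed demo value)

def psi(j, d):
    """Encoding vector of node j: powers j^0 .. j^(d-1) in F_Q (a Vandermonde row)."""
    return [pow(j, e, Q) for e in range(d)]

def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % Q

def solve(rows, rhs):
    """Solve rows * x = rhs over F_Q by Gauss-Jordan elimination (rows must be invertible)."""
    n = len(rows)
    a = [list(r) + [b] for r, b in zip(rows, rhs)]
    for c in range(n):
        p = next(r for r in range(c, n) if a[r][c])    # pivot row
        a[c], a[p] = a[p], a[c]
        f = pow(a[c][c], Q - 2, Q)                     # inverse via Fermat's little theorem
        a[c] = [x * f % Q for x in a[c]]
        for r in range(n):
            if r != c and a[r][c]:
                g = a[r][c]
                a[r] = [(x - g * y) % Q for x, y in zip(a[r], a[c])]
    return [row[n] for row in a]

def build_m(s_a, s_b, k, d, rng=None):
    """Symmetric d x d matrix M holding the secret (s_a, s_b) and fresh random values."""
    rng = rng or secrets.SystemRandom()
    m = [[0] * d for _ in range(d)]
    m[0][0] = s_a % Q
    for i in range(1, k):
        for j in range(i + 1):            # j == 0 fills r_a, j >= 1 fills symmetric R_b
            m[i][j] = m[j][i] = rng.randrange(Q)
    for a in range(d - k):
        m[0][k + a] = m[k + a][0] = s_b[a] % Q        # s_B
        for j in range(1, k):                         # R_c and its transpose
            m[k + a][j] = m[j][k + a] = rng.randrange(Q)
    return m                                          # bottom-right block stays zero

def row_times_m(j, m):
    """psi_j^T M, the vector the dealer hands to a direct neighbour j."""
    return [dot(psi(j, len(m)), col) for col in zip(*m)]

def share_of(vec, k):
    """Share t_j: the first entry and the last d-k entries of psi_j^T M."""
    return [vec[0]] + vec[k:]

def disseminate(adj, dealer, m):
    """Simulate the protocol; return {node: psi_node^T M} for each node that recovers it."""
    d = len(m)
    known = {j: row_times_m(j, m) for j in adj[dealer]}
    inbox = {v: {} for v in adj if v != dealer}
    sent, progress = set(), True
    while progress:
        progress = False
        for l in [v for v in known if v not in sent]:
            sent.add(l)
            progress = True
            for j in adj[l]:
                if j != dealer and j not in known:    # simplified handshake: skip served nodes
                    inbox[j][l] = dot(known[l], psi(j, d))
        for l, got in inbox.items():
            if l not in known and len(got) >= d:
                senders = sorted(got)[:d]             # keep any d of the received values
                # Solving the Vandermonde system gives v = M psi_l = (psi_l^T M)^T (M symmetric).
                known[l] = solve([psi(i, d) for i in senders], [got[i] for i in senders])
                progress = True
    return known

def recover(shares, k, d):
    """Recover (s_a, s_b) from any k shares given as {node: t_node}."""
    ids = sorted(shares)[:k]
    vand = [psi(i, k) for i in ids]                   # first k columns of the rows psi_i^T
    s_b = [solve(vand, [shares[i][1 + c] for i in ids])[0] for c in range(d - k)]
    first = [(shares[i][0] - sum(pow(i, k + c, Q) * s_b[c] for c in range(d - k))) % Q
             for i in ids]                            # strip the known s_B contribution
    return solve(vand, first)[0], s_b

# Constructed network: dealer "D", n = 6 participants, k = 2, d = 3.
ADJ = {"D": [1, 2, 3], 1: ["D", 4], 2: ["D", 4, 5], 3: ["D", 4, 5, 6],
       4: [1, 2, 3, 5, 6], 5: [2, 3, 4, 6], 6: [3, 4, 5]}

def demo(k=2, d=3, s_a=42, s_b=(7,)):
    """Disseminate over ADJ, then recover the secret from the shares of nodes 5 and 6."""
    m = build_m(s_a, list(s_b), k, d)
    known = disseminate(ADJ, "D", m)
    shares = {j: share_of(v, k) for j, v in known.items()}
    return sorted(known), recover({j: shares[j] for j in (5, 6)}, k, d)

if __name__ == "__main__":
    print(demo())
```

Nodes missing from the dictionary returned by `disseminate` never collected d values, so running it on a candidate topology is the simulation-based check of the d-propagating-dealer condition.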

Theorem (Successful share dissemination): Under the algorithm presented, every participant l [n] can recover $\psi_l^T M$, and hence obtain its intended share

$$t_l^T = \psi_l^T \begin{bmatrix} s_A & s_B^T \\ r_a & R_c^T \\ s_B & 0 \end{bmatrix}.$$

Proof: Recall that the graph satisfies the d-dealer propagation condition. Let us assume without loss of generality that the ordering of nodes satisfying this condition is,..., n. It follows that the first d nodes in this ordering must be directly connected to the dealer. The proof proceeds via induction. The induction hypothesis is as follows: every participant l can recover the data $\psi_l^T M$, and if l passes any data to any other node j N (l) then this data is precisely the value $\psi_l^T M \psi_j$.

Consider the base case of node. Since this node is directly connected to the dealer, it receives the data ψ T M from the dealer. Moreover, following the communication protocol, it passes ψ T Mψ j to its neighbours j N ().

Let us now assume that the hypothesis holds true for the first (l ) nodes in the ordering. If node l is directly connected to the dealer, then the hypothesis is satisfied for this node by an argument identical to the case of node. Suppose l is not directly connected to the dealer. It follows that node l must be connected to at least d other nodes preceding it in the ordering, and furthermore, must receive data from at least d of these nodes (say, nodes {j,..., j d } [l ]). By our hypothesis, these d nodes pass the d values {ψ T j Mψ l,..., ψ T j d Mψ l }. It follows that the algorithm running at node l operates on the input

σ. σ d = ψ T j. ψ T j d. Mψ l. (9)

By construction, the matrix in (9) comprising {ψ T j,..., ψ T j d } as its rows is a (d d) Vandermonde matrix, and is hence invertible. Thus, the computation of v as described in Algorithm can be performed efficiently using standard Reed-Solomon decoding algorithms [3], [3]. It further follows that $v = M\psi_l$, and since M is a symmetric matrix, we get $v^T = \psi_l^T M^T = \psi_l^T M$. Finally, the data passed by node l to any other node i N (l), according to the protocol, is $v^T \psi_i = \psi_l^T M \psi_i$. This proves the hypothesis for node l.

Due to the specific structure (6) of M, the desired share $t_l$ is a subset of the elements of the vector $\psi_l^T M$. Thus, every participant obtains its intended share.

Theorem 3 (k-secret-recovery): Any k shares suffice to recover the secret.

Proof: Let I [n] denote the set of the k participants attempting to recover the secret. Let Ψ I be a (k d) matrix with its k rows comprising {ψ T i } i I. Further, let Ψ I denote the (k k) submatrix of Ψ I comprising the first k columns of Ψ I. In terms of this notation, these k participants collectively have access to the data

$$\Psi_I \begin{bmatrix} s_A & s_B^T \\ r_a & R_c^T \\ s_B & 0 \end{bmatrix}.$$

Consider the last (d k) columns of this data, i.e.,

$$\Psi_I \begin{bmatrix} s_B^T \\ R_c^T \\ 0 \end{bmatrix} = \Psi_I \begin{bmatrix} s_B^T \\ R_c^T \end{bmatrix}.$$

Since Ψ I is a (k d) Vandermonde matrix, Ψ I is a (k k) Vandermonde matrix. Thus, Ψ I is invertible. This allows for the decoding of $s_B$ (via algorithms [3], [3] identical to those for decoding under Shamir's original secret sharing scheme).

It now remains to recover $s_A$, and to this end consider the first column of the data, i.e.,

$$\Psi_I \begin{bmatrix} s_A \\ r_a \\ s_B \end{bmatrix}.$$

Since the value of $s_B$ is now known, its effect can be subtracted from this data to obtain

$$\Psi_I \begin{bmatrix} s_A \\ r_a \\ 0 \end{bmatrix} = \Psi_I \begin{bmatrix} s_A \\ r_a \end{bmatrix}.$$

Since Ψ I is invertible, the value of $s_A$ can be decoded from this data.

Theorem 4 ((k )-collusion-resistance): Any set of (k ) or fewer colluding participants can gain no information about the secret.

The proof of Theorem 4 is provided in Appendix B. We note that (as shown in the proof) the (k )-collusion-resistance property holds for any graph, irrespective of whether it satisfies the required conditions or not. Thus, the SNEAK algorithm is robust to the network structure. This completes the proof of the correctness of the algorithm.

D. Extensions

The SNEAK algorithm, as described in the preceding sections, requires the graph to satisfy the k-propagating-dealer property. If the graph does not satisfy this property, then a subset of the participants will not receive their shares. In Appendix , we present an extension of the SNEAK algorithm that ensures secure dissemination of shares to these participants as well, by employing separate secure transmissions [7] from the dealer to certain intermediate nodes in the graph.

The SNEAK algorithm can also handle actively-adversarial participants, and allows for efficient addition of new participants in the absence of trusted entities. It also supports two-threshold secret sharing [8], i.e., allows for improved efficiency when the (k )-collusion-resistance condition is relaxed to l-collusion-resistance with l < k. These extensions are discussed in Appendix C.

In certain scenarios, the network topology may be known beforehand, and it may be desired to verify whether the topology satisfies the d-propagating-dealer condition. This task can be performed efficiently by simply simulating the communication protocol of the SNEAK algorithm (Algorithm ) on the given network: the d-propagating-dealer condition is satisfied if and only if all nodes receive data from at least d other nodes.

V. COMPLEXITY ANALYSIS AND BOUNDS

In this section we provide an analysis and comparison of the complexity of the SNEAK algorithm, the current state-of-the-art solution, and lower bounds for any secret-sharing scheme. In general, as we shall subsequently see, the SNEAK algorithm provides the greatest gains over the current state-of-the-art solution when the distance in the graph between the dealer and the participants is large on an average; the communication complexity of the SNEAK algorithm is close to the information-theoretic lower bounds when the graph is close to being regular.

Recall that denotes the dealer, N () denotes the set of neighbours of the dealer (or, in case of directed edges, the set of nodes with incoming edges that emanate from the dealer). Let N () denote the size of this set. In the analysis, the parameters k and d will be treated as constants; however, most of the analysis considers finite n, k, and d, and hence holds even when these parameters depend on n. The proofs of each of the results stated below are provided in Appendix A.

A. Communication Complexity

We assume without loss of generality that the units of data are normalized with one unit defined to be equal to the size of the secret. We shall use the notation Γ(.) to denote communication complexity. The following theorem provides a comparison of the communication complexity of the SNEAK algorithm with lower bounds and with the communication complexity of the current state-of-the-art solution.

Theorem 5: Consider (n, k) secret sharing on networks with (n + ) nodes satisfying the k-propagating-dealer condition, and assume k and d to be constants. The communication complexity of the SNEAK algorithm is Θ(n), and is always within a constant (multiplicative) factor of the lower bound for any secret-sharing algorithm. On the other hand, the current state-of-the-art solution entails a super-linear communication complexity for a wide class of networks, and furthermore, there exists a class of graphs for which its communication complexity is Θ(n ).

These claims are proved and made more precise via the following results, which may be of independent interest.

) The SNEAK Algorithm:

Theorem 6: For an (n, k) secret sharing problem on any graph G with (n+) nodes satisfying the d-propagating-dealer condition for some (known) d, the SNEAK algorithm requires a download of d d k+ units of data at every node, and hence a total communication of

d Γ SNEAK (G) = n d k +

units of data.

) Lower Bounds: The following theorem provides an information-theoretic lower bound to the amount of download at any node in the network under any scheme. This bound will subsequently be employed for further analysis, and may also be of independent interest.

Theorem 7: For an (n, k) secret sharing problem on any graph G with (n + ) nodes, any node l [n] must download at least

deg(l) deg(l) k+ if l / N () and deg(l) k Γ any (l) if l N () if l / N () and deg(l) < k ()

units of data, where deg(l) denotes the number of incoming edges at node l. Furthermore, this bound is the best possible, given only the identities of the neighbours of node l.

Corollary 8: For an (n, k) secret sharing problem on any graph G with (n + ) nodes, the total communication complexity is lower bounded by

Γ any (G) N () + deg(i) () deg(i) k + i/ N ()

units of data. Here, deg(i) denotes the number of incoming edges at node i.

(0) n (3)

Thus the communication complexity of the SNEAK algorithm is within a constant multiplicative factor of the lower bound. It approaches the lower bound (3) when d >> k.

Corollary 9: For any given (n, k), and for any given d (k d < n), consider any undirected graph with (n + ) nodes such that (a) every non-neighbour of has a degree of d, and (b) the graph satisfies the d-propagating-dealer condition. Under the SNEAK algorithm, the amount of data downloaded by any node l / N () meets the lower bound (). Furthermore, under the SNEAK algorithm, the amount of data downloaded by any node l N () is independent of n.

As we shall see subsequently in Corollary, the current state-of-the-art solution on such graphs requires the download per node to increase with n.

Corollary 0: For any given (n, k), and for any given d (k d < n), consider any directed graph with (n + ) nodes such that (a) the dealer has d outgoing edges, (b) every non-neighbour of has d incoming edges, and (c) the graph satisfies d-propagating-dealer condition. The communication complexity of (n, k) secret sharing on such a graph is lower bounded by

d d Γ any (G) n (k ) (4) d k + d k +

units of data.

Thus, for the class of graphs considered in Corollary 0, the communication complexity of the SNEAK algorithm is within a constant (additive) factor of the lower bound. An example of a graph satisfying the conditions of Corollary 0 is the graph in Fig. 3a (in Appendix ) with a modification: assume all edges to be directed from the left to the right, and the existence of an additional dealer node that has edges to every node in the leftmost layer.

3) Current state-of-the-art: We use the abbreviation sota to stand for the current state-of-the-art solution.

Theorem : For an (n, k) secret sharing problem on any graph G with (n + ) nodes, the communication complexity of the current state-of-the-art solution is

Γ sota (G) = N () + [ ] w min w k w k + l w( i) (5) i/ N ()

units of data, where l w ( i) is the average of the path lengths of the w shortest node-disjoint paths from the dealer to node i (with l w ( i) = if there do not exist w node-disjoint paths from to i).

Corollary : For any sequence of graphs of increasing size with the maximum outgoing degree being O((log n) ɛ )) for some ɛ > 0, the current state-of-the-art solution requires a super-linear communication complexity.

An intuitive explanation of Corollary is as follows. When the outgoing degree of the nodes is constrained, the average distance between the dealer and the nodes must necessarily increase with n. This constraint also restricts the number of node-disjoint paths between the dealer and the participants. The requirement of separate transmissions from the dealer to each node under the current state-of-the-art solution now causes the amount of communication required per participant, on average, to necessarily increase with n.

Corollary 3: For any given (n, k), and for any given d (k d < n), there exists a class of graphs with (n + ) nodes such that each graph in this class satisfies the d-propagating-dealer property, and (n, k) secret sharing on any graph G in this class using the current state-of-the-art solution requires a communication complexity lower bounded by

n(n + ) Γ sota (G) (6) 4d

units of data.

Thus, on a sequence of such classes of graphs, the SNEAK algorithm requires a communication complexity linear in n, as compared to a quadratic (in n) communication complexity required under the current state-of-the-art. The precise construction of this class of graphs is provided in the proof of the corollary. Examples of such graphs include layered networks and one-dimensional geometric graphs as depicted in Fig. 3a and Fig. 3c respectively in Appendix.

B. Randomness Requirements

We assume without loss of generality that the units of amount of randomness are normalized, with one unit defined to be equal to the size of the secret. We shall use the notation ρ(.) to denote amount of randomness required.

Theorem 4: For an (n, k) secret sharing problem on any graph G with (n + ) nodes, a lower bound on the amount of randomness required under any algorithm is

ρ any (G) k. (7)

Theorem 5: For an (n, k) secret sharing problem on any graph G with (n+) nodes, the amount of randomness required under the SNEAK algorithm is independent of n, and is given by

ρ SNEAK (G) = (k )(d k) (d k + ). (8)

Theorem 6: For an (n, k) secret sharing problem on any graph G with (n+) nodes, the amount of randomness required under the current state-of-the-art solution is lower bounded by

ρ sota (G) k + k (9) w max (i) k + i/ N ()

where w max (i) is the maximum number of node-disjoint paths from the dealer to node i.

This lower bound on the randomness requirement of the current state-of-the-art solution is achievable, however, at the cost of increased communication complexity (the communication complexity will be higher than that specified in Theorem, wherein the optimal w chosen for every term inside the summation would be replaced by w max (i)).

Corollary 7: For an (n, k) secret sharing problem on any graph G with (n+) nodes, the amount of randomness required under the current state-of-the-art solution is lower bounded by

(k ) ρ sota (G) (n N () ) N () (k ). (0)

Thus, for any sequence of graphs of increasing size, the amount of randomness required under the current state-of-the-art solution increases with n unless the number of nodes connected directly to the dealer also increases linearly with n. Furthermore, the randomness required increases linearly in n if the dealer has a bounded degree. On the other hand, the amount of randomness required under the SNEAK algorithm is a constant, independent of n (as shown in Theorem 5).

C. Computation Complexity

For every node l N (), both the current state-of-the-art solution and the SNEAK algorithm require evaluation of one polynomial. For every node l / N (), both algorithms require evaluation and interpolation of one polynomial. The two algorithms thus have identical computational complexities, and the requisite computations are equivalent to the encoding and decoding of a Reed-Solomon code for which several efficient algorithms are known [3], [3]. We note that the current state-of-the-art solution entails an additional computational overhead of finding node-disjoint paths from the dealer to every node in the graph; this is not required under our algorithm due to its distributed nature.

VI. CONCLUSIONS AND OPEN PROBLEMS

Many cryptographic protocols in the literature require execution of one or more instances of secret sharing among all the participants. Most of these protocols assume that the dealer has direct communication links to all the


Secure Multiparty Computation CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation

More information

Chapter 4: Implicit Error Detection

Chapter 4: Implicit Error Detection 4. Chpter 5 Chapter 4: Implicit Error Detection Contents 4.1 Introduction... 4-2 4.2 Network error correction... 4-2 4.3 Implicit error detection... 4-3 4.4 Mathematical model... 4-6 4.5 Simulation setup

More information

Graph Theory Questions from Past Papers

Graph Theory Questions from Past Papers Graph Theory Questions from Past Papers Bilkent University, Laurence Barker, 19 October 2017 Do not forget to justify your answers in terms which could be understood by people who know the background theory

More information

E-Companion: On Styles in Product Design: An Analysis of US. Design Patents

E-Companion: On Styles in Product Design: An Analysis of US. Design Patents E-Companion: On Styles in Product Design: An Analysis of US Design Patents 1 PART A: FORMALIZING THE DEFINITION OF STYLES A.1 Styles as categories of designs of similar form Our task involves categorizing

More information

Ramsey s Theorem on Graphs

Ramsey s Theorem on Graphs Ramsey s Theorem on Graphs 1 Introduction Exposition by William Gasarch Imagine that you have 6 people at a party. We assume that, for every pair of them, either THEY KNOW EACH OTHER or NEITHER OF THEM

More information

Structured System Theory

Structured System Theory Appendix C Structured System Theory Linear systems are often studied from an algebraic perspective, based on the rank of certain matrices. While such tests are easy to derive from the mathematical model,

More information

Error Scaling Laws for Linear Optimal Estimation From Relative Measurements Prabir Barooah, Member, IEEE, and João P. Hespanha, Fellow, IEEE

Error Scaling Laws for Linear Optimal Estimation From Relative Measurements Prabir Barooah, Member, IEEE, and João P. Hespanha, Fellow, IEEE IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 55, NO. 12, DECEMBER 2009 5661 Error Scaling Laws for Linear Optimal Estimation From Relative Measurements Prabir Barooah, Member, IEEE, João P. Hespanha,

More information

A General Analysis of the Security of Elastic Block Ciphers

A General Analysis of the Security of Elastic Block Ciphers A General Analysis of the Security of Elastic Block Ciphers Debra L. Cook and Moti Yung and Angelos Keromytis Department of Computer Science, Columbia University {dcook,moti,angelos}@cs.columbia.edu September

More information

6. Lecture notes on matroid intersection

6. Lecture notes on matroid intersection Massachusetts Institute of Technology 18.453: Combinatorial Optimization Michel X. Goemans May 2, 2017 6. Lecture notes on matroid intersection One nice feature about matroids is that a simple greedy algorithm

More information

From Static to Dynamic Routing: Efficient Transformations of Store-and-Forward Protocols

From Static to Dynamic Routing: Efficient Transformations of Store-and-Forward Protocols SIAM Journal on Computing to appear From Static to Dynamic Routing: Efficient Transformations of StoreandForward Protocols Christian Scheideler Berthold Vöcking Abstract We investigate how static storeandforward

More information

Lecture notes on the simplex method September We will present an algorithm to solve linear programs of the form. maximize.

Lecture notes on the simplex method September We will present an algorithm to solve linear programs of the form. maximize. Cornell University, Fall 2017 CS 6820: Algorithms Lecture notes on the simplex method September 2017 1 The Simplex Method We will present an algorithm to solve linear programs of the form maximize subject

More information

NEW STABILITY RESULTS FOR ADVERSARIAL QUEUING

NEW STABILITY RESULTS FOR ADVERSARIAL QUEUING NEW STABILITY RESULTS FOR ADVERSARIAL QUEUING ZVI LOTKER, BOAZ PATT-SHAMIR, AND ADI ROSÉN Abstract. We consider the model of adversarial queuing theory for packet networks introduced by Borodin et al.

More information

Massachusetts Institute of Technology Department of Electrical Engineering and Computer Science Algorithms For Inference Fall 2014

Massachusetts Institute of Technology Department of Electrical Engineering and Computer Science Algorithms For Inference Fall 2014 Suggested Reading: Massachusetts Institute of Technology Department of Electrical Engineering and Computer Science 6.438 Algorithms For Inference Fall 2014 Probabilistic Modelling and Reasoning: The Junction

More information

Disjoint directed cycles

Disjoint directed cycles Disjoint directed cycles Noga Alon Abstract It is shown that there exists a positive ɛ so that for any integer k, every directed graph with minimum outdegree at least k contains at least ɛk vertex disjoint

More information

Algebraic method for Shortest Paths problems

Algebraic method for Shortest Paths problems Lecture 1 (06.03.2013) Author: Jaros law B lasiok Algebraic method for Shortest Paths problems 1 Introduction In the following lecture we will see algebraic algorithms for various shortest-paths problems.

More information

ON CONSISTENCY CHECKING OF SPATIAL RELATIONSHIPS IN CONTENT-BASED IMAGE DATABASE SYSTEMS

ON CONSISTENCY CHECKING OF SPATIAL RELATIONSHIPS IN CONTENT-BASED IMAGE DATABASE SYSTEMS COMMUNICATIONS IN INFORMATION AND SYSTEMS c 2005 International Press Vol. 5, No. 3, pp. 341-366, 2005 004 ON CONSISTENCY CHECKING OF SPATIAL RELATIONSHIPS IN CONTENT-BASED IMAGE DATABASE SYSTEMS QING-LONG

More information

CHAPTER 9. GRAPHS 310. Figure 9.1 An undirected graph. Figure 9.2 A directed graph

CHAPTER 9. GRAPHS 310. Figure 9.1 An undirected graph. Figure 9.2 A directed graph Chapter 9 Graphs Often we need to model relationships that can be expressed using a set of pairs. Examples include distances between points on a map, links in a communications network, precedence constraints

More information

Lecture 22 Tuesday, April 10

Lecture 22 Tuesday, April 10 CIS 160 - Spring 2018 (instructor Val Tannen) Lecture 22 Tuesday, April 10 GRAPH THEORY Directed Graphs Directed graphs (a.k.a. digraphs) are an important mathematical modeling tool in Computer Science,

More information

Randomized algorithms have several advantages over deterministic ones. We discuss them here:

Randomized algorithms have several advantages over deterministic ones. We discuss them here: CS787: Advanced Algorithms Lecture 6: Randomized Algorithms In this lecture we introduce randomized algorithms. We will begin by motivating the use of randomized algorithms through a few examples. Then

More information

Diversity Coloring for Distributed Storage in Mobile Networks

Diversity Coloring for Distributed Storage in Mobile Networks Diversity Coloring for Distributed Storage in Mobile Networks Anxiao (Andrew) Jiang and Jehoshua Bruck California Institute of Technology Abstract: Storing multiple copies of files is crucial for ensuring

More information

NP-Hardness. We start by defining types of problem, and then move on to defining the polynomial-time reductions.

NP-Hardness. We start by defining types of problem, and then move on to defining the polynomial-time reductions. CS 787: Advanced Algorithms NP-Hardness Instructor: Dieter van Melkebeek We review the concept of polynomial-time reductions, define various classes of problems including NP-complete, and show that 3-SAT

More information

Matching Theory. Figure 1: Is this graph bipartite?

Matching Theory. Figure 1: Is this graph bipartite? Matching Theory 1 Introduction A matching M of a graph is a subset of E such that no two edges in M share a vertex; edges which have this property are called independent edges. A matching M is said to

More information

Module 11. Directed Graphs. Contents

Module 11. Directed Graphs. Contents Module 11 Directed Graphs Contents 11.1 Basic concepts......................... 256 Underlying graph of a digraph................ 257 Out-degrees and in-degrees.................. 258 Isomorphism..........................

More information

CS261: Problem Set #1

CS261: Problem Set #1 CS261: Problem Set #1 Due by 11:59 PM on Tuesday, April 21, 2015 Instructions: (1) Form a group of 1-3 students. You should turn in only one write-up for your entire group. (2) Turn in your solutions by

More information

How to securely perform computations on secret-shared data

How to securely perform computations on secret-shared data U N I V E R S I T Y OF T A R T U Faculty of Mathematics and Computer Science Institute of Computer Science Dan Bogdanov How to securely perform computations on secret-shared data Master s Thesis Supervisor:

More information

Multi-Cluster Interleaving on Paths and Cycles

Multi-Cluster Interleaving on Paths and Cycles Multi-Cluster Interleaving on Paths and Cycles Anxiao (Andrew) Jiang, Member, IEEE, Jehoshua Bruck, Fellow, IEEE Abstract Interleaving codewords is an important method not only for combatting burst-errors,

More information

EXTREME POINTS AND AFFINE EQUIVALENCE

EXTREME POINTS AND AFFINE EQUIVALENCE EXTREME POINTS AND AFFINE EQUIVALENCE The purpose of this note is to use the notions of extreme points and affine transformations which are studied in the file affine-convex.pdf to prove that certain standard

More information

Chapter 15 Introduction to Linear Programming

Chapter 15 Introduction to Linear Programming Chapter 15 Introduction to Linear Programming An Introduction to Optimization Spring, 2015 Wei-Ta Chu 1 Brief History of Linear Programming The goal of linear programming is to determine the values of

More information

CHAPTER 2. Graphs. 1. Introduction to Graphs and Graph Isomorphism

CHAPTER 2. Graphs. 1. Introduction to Graphs and Graph Isomorphism CHAPTER 2 Graphs 1. Introduction to Graphs and Graph Isomorphism 1.1. The Graph Menagerie. Definition 1.1.1. A simple graph G = (V, E) consists of a set V of vertices and a set E of edges, represented

More information

On the Relationships between Zero Forcing Numbers and Certain Graph Coverings

On the Relationships between Zero Forcing Numbers and Certain Graph Coverings On the Relationships between Zero Forcing Numbers and Certain Graph Coverings Fatemeh Alinaghipour Taklimi, Shaun Fallat 1,, Karen Meagher 2 Department of Mathematics and Statistics, University of Regina,

More information

Space vs Time, Cache vs Main Memory

Space vs Time, Cache vs Main Memory Space vs Time, Cache vs Main Memory Marc Moreno Maza University of Western Ontario, London, Ontario (Canada) CS 4435 - CS 9624 (Moreno Maza) Space vs Time, Cache vs Main Memory CS 4435 - CS 9624 1 / 49

More information

Recitation 4: Elimination algorithm, reconstituted graph, triangulation

Recitation 4: Elimination algorithm, reconstituted graph, triangulation Massachusetts Institute of Technology Department of Electrical Engineering and Computer Science 6.438 Algorithms For Inference Fall 2014 Recitation 4: Elimination algorithm, reconstituted graph, triangulation

More information

Computing intersections in a set of line segments: the Bentley-Ottmann algorithm

Computing intersections in a set of line segments: the Bentley-Ottmann algorithm Computing intersections in a set of line segments: the Bentley-Ottmann algorithm Michiel Smid October 14, 2003 1 Introduction In these notes, we introduce a powerful technique for solving geometric problems.

More information

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Department of Computer Science and Applied Math, Weizmann Institute of Science, Rehovot, Israel. lindell@wisdom.weizmann.ac.il

More information

The strong chromatic number of a graph

The strong chromatic number of a graph The strong chromatic number of a graph Noga Alon Abstract It is shown that there is an absolute constant c with the following property: For any two graphs G 1 = (V, E 1 ) and G 2 = (V, E 2 ) on the same

More information

Theorem 2.9: nearest addition algorithm

Theorem 2.9: nearest addition algorithm There are severe limits on our ability to compute near-optimal tours It is NP-complete to decide whether a given undirected =(,)has a Hamiltonian cycle An approximation algorithm for the TSP can be used

More information

Fundamental Properties of Graphs

Fundamental Properties of Graphs Chapter three In many real-life situations we need to know how robust a graph that represents a certain network is, how edges or vertices can be removed without completely destroying the overall connectivity,

More information

However, this is not always true! For example, this fails if both A and B are closed and unbounded (find an example).

However, this is not always true! For example, this fails if both A and B are closed and unbounded (find an example). 98 CHAPTER 3. PROPERTIES OF CONVEX SETS: A GLIMPSE 3.2 Separation Theorems It seems intuitively rather obvious that if A and B are two nonempty disjoint convex sets in A 2, then there is a line, H, separating

More information

Group Secret Key Generation Algorithms

Group Secret Key Generation Algorithms Group Secret Key Generation Algorithms Chunxuan Ye and Alex Reznik InterDigital Communications Corporation King of Prussia, PA 9406 Email: {Chunxuan.Ye, Alex.Reznik}@interdigital.com arxiv:cs/07024v [cs.it]

More information

Mathematical and Algorithmic Foundations Linear Programming and Matchings

Mathematical and Algorithmic Foundations Linear Programming and Matchings Adavnced Algorithms Lectures Mathematical and Algorithmic Foundations Linear Programming and Matchings Paul G. Spirakis Department of Computer Science University of Patras and Liverpool Paul G. Spirakis

More information

1 A Tale of Two Lovers

1 A Tale of Two Lovers CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Dec. 12, 2006 Lecture Notes 19 (expanded): Secure Two-Party Computation Recommended Reading. Goldreich Volume II 7.2.2, 7.3.2, 7.3.3.

More information

A Reduction of Conway s Thrackle Conjecture

A Reduction of Conway s Thrackle Conjecture A Reduction of Conway s Thrackle Conjecture Wei Li, Karen Daniels, and Konstantin Rybnikov Department of Computer Science and Department of Mathematical Sciences University of Massachusetts, Lowell 01854

More information

Discrete mathematics , Fall Instructor: prof. János Pach

Discrete mathematics , Fall Instructor: prof. János Pach Discrete mathematics 2016-2017, Fall Instructor: prof. János Pach - covered material - Lecture 1. Counting problems To read: [Lov]: 1.2. Sets, 1.3. Number of subsets, 1.5. Sequences, 1.6. Permutations,

More information

Superconcentrators of depth 2 and 3; odd levels help (rarely)

Superconcentrators of depth 2 and 3; odd levels help (rarely) Superconcentrators of depth 2 and 3; odd levels help (rarely) Noga Alon Bellcore, Morristown, NJ, 07960, USA and Department of Mathematics Raymond and Beverly Sackler Faculty of Exact Sciences Tel Aviv

More information

Binary Decision Diagrams

Binary Decision Diagrams Logic and roof Hilary 2016 James Worrell Binary Decision Diagrams A propositional formula is determined up to logical equivalence by its truth table. If the formula has n variables then its truth table

More information

Algorithms for Provisioning Virtual Private Networks in the Hose Model

Algorithms for Provisioning Virtual Private Networks in the Hose Model IEEE/ACM TRANSACTIONS ON NETWORKING, VOL 10, NO 4, AUGUST 2002 565 Algorithms for Provisioning Virtual Private Networks in the Hose Model Amit Kumar, Rajeev Rastogi, Avi Silberschatz, Fellow, IEEE, and

More information

1. Lecture notes on bipartite matching February 4th,

1. Lecture notes on bipartite matching February 4th, 1. Lecture notes on bipartite matching February 4th, 2015 6 1.1.1 Hall s Theorem Hall s theorem gives a necessary and sufficient condition for a bipartite graph to have a matching which saturates (or matches)

More information

LECTURES 3 and 4: Flows and Matchings

LECTURES 3 and 4: Flows and Matchings LECTURES 3 and 4: Flows and Matchings 1 Max Flow MAX FLOW (SP). Instance: Directed graph N = (V,A), two nodes s,t V, and capacities on the arcs c : A R +. A flow is a set of numbers on the arcs such that

More information

Computer Science Technical Report

Computer Science Technical Report Computer Science Technical Report Feasibility of Stepwise Addition of Multitolerance to High Atomicity Programs Ali Ebnenasir and Sandeep S. Kulkarni Michigan Technological University Computer Science

More information

Faster parameterized algorithms for Minimum Fill-In

Faster parameterized algorithms for Minimum Fill-In Faster parameterized algorithms for Minimum Fill-In Hans L. Bodlaender Pinar Heggernes Yngve Villanger Technical Report UU-CS-2008-042 December 2008 Department of Information and Computing Sciences Utrecht

More information

Limitations of Algorithmic Solvability In this Chapter we investigate the power of algorithms to solve problems Some can be solved algorithmically and

Limitations of Algorithmic Solvability In this Chapter we investigate the power of algorithms to solve problems Some can be solved algorithmically and Computer Language Theory Chapter 4: Decidability 1 Limitations of Algorithmic Solvability In this Chapter we investigate the power of algorithms to solve problems Some can be solved algorithmically and

More information

A Simpler Variant of Universally Composable Security for Standard Multiparty Computation

A Simpler Variant of Universally Composable Security for Standard Multiparty Computation A Simpler Variant of Universally Composable Security for Standard Multiparty Computation Ran Canetti Asaf Cohen Yehuda Lindell September 21, 2015 Abstract In this paper, we present a simpler and more restricted

More information

Matching Algorithms. Proof. If a bipartite graph has a perfect matching, then it is easy to see that the right hand side is a necessary condition.

Matching Algorithms. Proof. If a bipartite graph has a perfect matching, then it is easy to see that the right hand side is a necessary condition. 18.433 Combinatorial Optimization Matching Algorithms September 9,14,16 Lecturer: Santosh Vempala Given a graph G = (V, E), a matching M is a set of edges with the property that no two of the edges have

More information

A Message Passing Strategy for Decentralized. Connectivity Maintenance in Multi-Agent Surveillance

A Message Passing Strategy for Decentralized. Connectivity Maintenance in Multi-Agent Surveillance A Message Passing Strategy for Decentralized Connectivity Maintenance in Multi-Agent Surveillance Derya Aksaray Boston University, Boston, MA, 225 A. Yasin Yazıcıoğlu 2 Massachusetts Institute of Technology,

More information

Secure Multiparty Computation

Secure Multiparty Computation Secure Multiparty Computation Li Xiong CS573 Data Privacy and Security Outline Secure multiparty computation Problem and security definitions Basic cryptographic tools and general constructions Yao s Millionnare

More information

Endomorphisms and synchronization, 2: Graphs and transformation monoids

Endomorphisms and synchronization, 2: Graphs and transformation monoids Endomorphisms and synchronization, 2: Graphs and transformation monoids Peter J. Cameron BIRS, November 2014 Relations and algebras Given a relational structure R, there are several similar ways to produce

More information

An algorithm for Performance Analysis of Single-Source Acyclic graphs

An algorithm for Performance Analysis of Single-Source Acyclic graphs An algorithm for Performance Analysis of Single-Source Acyclic graphs Gabriele Mencagli September 26, 2011 In this document we face with the problem of exploiting the performance analysis of acyclic graphs

More information

Basic Graph Theory with Applications to Economics

Basic Graph Theory with Applications to Economics Basic Graph Theory with Applications to Economics Debasis Mishra February, 0 What is a Graph? Let N = {,..., n} be a finite set. Let E be a collection of ordered or unordered pairs of distinct elements

More information

Error correction guarantees

Error correction guarantees Error correction guarantees Drawback of asymptotic analyses Valid only as long as the incoming messages are independent. (independence assumption) The messages are independent for l iterations only if

More information

Connectivity in Interdependent Networks

Connectivity in Interdependent Networks 1 Connectivity in Interdependent Networks Jianan Zhang, and Eytan Modiano arxiv:1709.03034v2 [cs.dm] 7 Sep 2018 Abstract We propose and analyze a graph model to study the connectivity of interdependent

More information

4. Simplicial Complexes and Simplicial Homology

4. Simplicial Complexes and Simplicial Homology MATH41071/MATH61071 Algebraic topology Autumn Semester 2017 2018 4. Simplicial Complexes and Simplicial Homology Geometric simplicial complexes 4.1 Definition. A finite subset { v 0, v 1,..., v r } R n

More information

A step towards the Bermond-Thomassen conjecture about disjoint cycles in digraphs

A step towards the Bermond-Thomassen conjecture about disjoint cycles in digraphs A step towards the Bermond-Thomassen conjecture about disjoint cycles in digraphs Nicolas Lichiardopol Attila Pór Jean-Sébastien Sereni Abstract In 1981, Bermond and Thomassen conjectured that every digraph

More information