fast algorithms from type theory to number theory
play

Fast algorithms: from type theory to number theory Luca De Feo - PowerPoint PPT Presentation

Jan 14, 2024 •438 likes •1.14k views

Fast algorithms: from type theory to number theory Luca De Feo INRIA Saclay, Projet TANC October 25, 2010 Sminaire Algorithmes INRIA Rocquencourt, Le Chesnay Luca De Feo (INRIA Saclay) Fast algorithms: from type theory to number theory

  1. Fast algorithms: from type theory to number theory Luca De Feo INRIA Saclay, Projet TANC October 25, 2010 Séminaire Algorithmes INRIA Rocquencourt, Le Chesnay Luca De Feo (INRIA Saclay) Fast algorithms: from type theory to number theory INRIA Rocquencourt, October 25, 2010 1 / 45

  2. Elliptic curve cryptography Weierstrass form: y 2 = x 3 + ax + b ; Group law: Chord-tangent; Crypto: Based on discrete log in E ( F q ) ; Hasse bound: | # E ( F q ) − q − 1 | � 2 √ q . Luca De Feo (INRIA Saclay) Fast algorithms: from type theory to number theory INRIA Rocquencourt, October 25, 2010 2 / 45

  3. Isogenies I : E → E ′ Isogenies are group morphisms of elliptic curves: � ′ � � g ( x ) � g ( x ) I ( x , y ) = h ( x ) , cy h ( x ) What do you do with an isogeny over a finite field? Point counting (Schoof 1995); Speed up point multiplication (Gallant, Lambert, and Vanstone 2001); Reduce a Discrete Logarithm Problem to another (Gaudry, Hess, and Smart 2002; Smith 2009); Construct new cryptosystems (Teske 2006; Rostovtsev and Stolbunov 2006); Construct hash functions (Charles, Lauter, and Goren 2009). Luca De Feo (INRIA Saclay) Fast algorithms: from type theory to number theory INRIA Rocquencourt, October 25, 2010 3 / 45

  4. Isogenies: an example The GHS attack (Gaudry, Hess, and Smart 2002) E/F q d Given an elliptic curve E defined over a composite field F q d ; Luca De Feo (INRIA Saclay) Fast algorithms: from type theory to number theory INRIA Rocquencourt, October 25, 2010 4 / 45

  5. Isogenies: an example The GHS attack (Gaudry, Hess, and Smart 2002) I � H/F q E/F q d Given an elliptic curve E defined over a composite field F q d ; Computes an isogeny to an hyperelliptic curve H defined over F q . For certain parameters, the discrete log is easier on H than on E . Luca De Feo (INRIA Saclay) Fast algorithms: from type theory to number theory INRIA Rocquencourt, October 25, 2010 4 / 45

  6. Isogenies: an example The GHS attack (Gaudry, Hess, and Smart 2002) I � H/F q E/F q d Given an elliptic curve E defined over a composite field F q d ; Computes an isogeny to an hyperelliptic curve H defined over F q . For certain parameters, the discrete log is easier on H than on E . A trapdoor cryptosystem (Teske 2006) Fact: Only a small fraction of the curves over F q d is vulnerable to GHS E trap Select a curve E trap vulnerable to GHS; Luca De Feo (INRIA Saclay) Fast algorithms: from type theory to number theory INRIA Rocquencourt, October 25, 2010 4 / 45

  7. � � � Isogenies: an example The GHS attack (Gaudry, Hess, and Smart 2002) I � H/F q E/F q d Given an elliptic curve E defined over a composite field F q d ; Computes an isogeny to an hyperelliptic curve H defined over F q . For certain parameters, the discrete log is easier on H than on E . A trapdoor cryptosystem (Teske 2006) Fact: Only a small fraction of the curves over F q d is vulnerable to GHS E trap � � � � � � � � � � � � � � � � � E pub � Select a curve E trap vulnerable to GHS; Take a random walk through the isogeny graph , land on a curve E pub not vulnerable to GHS; Luca De Feo (INRIA Saclay) Fast algorithms: from type theory to number theory INRIA Rocquencourt, October 25, 2010 4 / 45

  8. � � � Isogenies: an example The GHS attack (Gaudry, Hess, and Smart 2002) I � H/F q E/F q d Given an elliptic curve E defined over a composite field F q d ; Computes an isogeny to an hyperelliptic curve H defined over F q . For certain parameters, the discrete log is easier on H than on E . A trapdoor cryptosystem (Teske 2006) Fact: Only a small fraction of the curves over F q d is vulnerable to GHS E trap � � � � � � � � � � � � � � � � � E pub � Select a curve E trap vulnerable to GHS; Take a random walk through the isogeny graph , land on a curve E pub not vulnerable to GHS; Use E pub for public key cryptography, give E trap to a trusted authority for key escrow . Luca De Feo (INRIA Saclay) Fast algorithms: from type theory to number theory INRIA Rocquencourt, October 25, 2010 4 / 45

  9. Isogenies: a challenge Let F q = F 2 [ Z ] / ( Z 41 + Z 3 + 1 ) The following two curves are isogenous: y 2 + xy = x 3 + 1 / ( Z 36 + Z 35 + Z 34 + Z 32 + Z 31 + Z 30 + Z 26 + Z 23 + Z 22 + Z 21 + Z 20 + Z 18 + Z 17 + Z 13 + Z 12 + Z 11 + Z 8 + Z 7 + Z 5 + Z 4 + Z 2 ) y 2 + xy = x 3 + 1 / ( Z 40 + Z 39 + Z 38 + Z 37 + Z 35 + Z 34 + Z 28 + Z 22 + Z 15 + Z 14 + Z 11 + Z 10 + Z 9 + Z 8 + Z 7 + Z 6 + Z 5 + Z 4 + Z ) Can you tell of what degree (i.e. size of the kernel)? Can you compute the isogeny? Luca De Feo (INRIA Saclay) Fast algorithms: from type theory to number theory INRIA Rocquencourt, October 25, 2010 5 / 45

  10. Plan Transposition principle 1 Artin-Schreier towers 2 Isogenies 3 Luca De Feo (INRIA Saclay) Fast algorithms: from type theory to number theory INRIA Rocquencourt, October 25, 2010 6 / 45

  11. The transposition principle “Let P be an arbitrary set. To any R -algebraic algorithm A computing a family of linear functions ( f p : M → N ) p ∈ P corresponds an R -algebraic algorithm A ∗ computing the p : N ∗ → M ∗ ) p ∈ P . The algebraic time and dual family ( f ∗ space complexities of A ∗ are bounded by the time complexity of A .” Luca De Feo (INRIA Saclay) Fast algorithms: from type theory to number theory INRIA Rocquencourt, October 25, 2010 7 / 45

  12. � � � � The dual of a diagram A ∗ � B ∗ � A B � � � � � � � ⇒ � f ∗ � f � � � � � � � � D � E C ∗ � D ∗ � E ∗ C g g ∗ h ∗ h Duality and complexity ( f ◦ g ◦ h ) ∗ = h ∗ ◦ g ∗ ◦ f ∗ ; ∗ is contravariant ; A classical example is transposition of matrices: ( AB ) ⊤ = B ⊤ A ⊤ ; From an algorithmic point of view, the number of arrows is a measure of complexity, and it is preserved under dualization. Luca De Feo (INRIA Saclay) Fast algorithms: from type theory to number theory INRIA Rocquencourt, October 25, 2010 8 / 45

  13. Transposition of arithmetic circuits y 1 = x 1 + 3 x 2 Arithmetic circuits are like diagrams enriched with a product . In particular they can be y 2 = x 3 transposed : x 1 x 2 x 3 � 1 3 0 � & + 0 0 1 ∗ 2 + y 1 y 2 Luca De Feo (INRIA Saclay) Fast algorithms: from type theory to number theory INRIA Rocquencourt, October 25, 2010 9 / 45

  14. Transposition of arithmetic circuits y 1 = x 1 + 3 x 2 Arithmetic circuits are like diagrams enriched with a product . In particular they can be y 2 = x 3 transposed : x ∗ x 1 x 2 x 3 x ∗ x ∗ 1 2 3 � 1 3 0 � & & + + 0 0 1 ↔ � ∗ 2 ∗ 2 + + 1 0   y ∗ y 1 y 2 y ∗ 1 2 3 0   0 1 Luca De Feo (INRIA Saclay) Fast algorithms: from type theory to number theory INRIA Rocquencourt, October 25, 2010 9 / 45

  15. Transposition of arithmetic circuits y 1 = x 1 + 3 x 2 Arithmetic circuits are like diagrams enriched with a product . In particular they can be y 2 = x 3 transposed : x ∗ x 1 x 2 x 3 x ∗ x ∗ 1 2 3 � 1 3 0 � & & + + 0 0 1 ↔ � ∗ 2 ∗ 2 & + 1 0   y ∗ y 1 y 2 y ∗ 1 2 3 0   0 1 This can be made precise using category theory. Luca De Feo (INRIA Saclay) Fast algorithms: from type theory to number theory INRIA Rocquencourt, October 25, 2010 9 / 45

  16. Transposition of straight line programs Straight line programs = Arithmetic circuits a[1] = a[0] + a[1] a[n-2] = 0 a[0] = 0 a[n-2] = a[n-2] + a[n-1] a[2] = a[1] + a[2] ... a[1] = 0 a[1] = 0 ... a[1] = a[1] + a[2] a[n-1] = a[n-2] + a[n-1] a[0] = 0 a[n-2] = 0 a[0] = a[0] + a[1] 0 . . . . . 0   0 . . . 0 1   . . . . . . . . .  . . .  . . .    . . .  · · ·  0 . . . . . 0      0 . . . 0 1 1 . . . . . 1 Programs = Families of straight line programs Luca De Feo (INRIA Saclay) Fast algorithms: from type theory to number theory INRIA Rocquencourt, October 25, 2010 10 / 45

  17. Automatic transposition? Algorithms are hard to transpose, transposed algorithms are hard or impossible to understand; How to be confident that a transposed algorithm is well implemented if no one understands it? When proving programs with a proof assistant, why should we do the work twice? Previous work Originally discovered in electrical network theory by Bordewijk 1957 (only works for C ); some authors attribute the discovery to Tellegen, Bordewijk’s director, but this is debated; Fiduccia 1973 and Hopcroft and Musinski 1973: transposition of bilinear chains , the most complete formulation (non-commutative rings); Special case of automatic differentiation Baur and Strassen 1983; In computer algebra , popularized by Shoup, von zur Gathen, Kaltofen,. . . Bostan, Lecerf, and Schost 2003 improve algorithms for polynomial evaluation and solve an open question on space complexity. Luca De Feo (INRIA Saclay) Fast algorithms: from type theory to number theory INRIA Rocquencourt, October 25, 2010 11 / 45

  18. Multilinearity Does it make sense to transpose c := a ∗ b ? y ∗ x 1 x 2 x 3 x 1 x 2 x 3 x 3 x 1 1 ∗ x 1 ∗ ∗ ∗ x 3 ∗ ∗ y 1 y 1 x ∗ 2 Most applications require to linearize a multi-linear program. Can we automatically deduce any possible linearisation of a program? Type inference systems can help us Luca De Feo (INRIA Saclay) Fast algorithms: from type theory to number theory INRIA Rocquencourt, October 25, 2010 12 / 45

Recommend

An Invitation to Homotopy Type Theory Tingxiang Zou Type Theory Formal Systems: Churchs

An Invitation to Homotopy Type Theory Tingxiang Zou Type Theory Formal Systems: Churchs

An Invitation to Homotopy Type Theory Tingxiang Zou Type Theory Formal Systems: Churchs simply typed lambda calculus (1940); Martin L ofs dependent type theory (1971-1984) Origin: Russells theory of types The world is

848 views • 12 slides
Basic Algorithms in Number Theory Francesco Pappalardi #1 - Algorithmic Complexity & more.

Basic Algorithms in Number Theory Francesco Pappalardi #1 - Algorithmic Complexity & more.

Algorithmic Complexity ... 1 Basic Algorithms in Number Theory Basic Algorithms in Number Theory Francesco Pappalardi #1 - Algorithmic Complexity & more. August 31 st 2015 SEAMS School 2015 Number Theory and Applications in Cryptography

723 views • 27 slides
Cubical Type Theory Goal: provide a computational justification for Homotopy Type Theory and

Cubical Type Theory Goal: provide a computational justification for Homotopy Type Theory and

Cubical Type Theory: a constructive interpretation of the univalence axiom Anders M ortberg Inria Sophia-Antipolis TTT: Type Theory Based Tools January 15, 2017 - 1 / 39 Cubical Type Theory Goal: provide a computational justification for

743 views • 39 slides
Algorithms Theory Algorithms Theory 10 10 Greedy Algorithms G d Al ith Dr. Alexander

Algorithms Theory Algorithms Theory 10 10 Greedy Algorithms G d Al ith Dr. Alexander

Algorithms Theory Algorithms Theory 10 10 Greedy Algorithms G d Al ith Dr. Alexander Souza Winter term 11/12 Greedy algorithms 1 1. Introductory remarks Introductory remarks 2. Basic examples: The coin-changing problem

504 views • 19 slides
Formalizing type theory in type theory using nominal techniques Ulrik Buchholtz TU Darmstadt

Formalizing type theory in type theory using nominal techniques Ulrik Buchholtz TU Darmstadt

Formalizing type theory in type theory using nominal techniques Ulrik Buchholtz TU Darmstadt HoTT/UF Workshop, Oxford, September 9, 2017 Motivation 1 Preliminaries 2 Nominal sets and types 3 Formalizing type theory 4 Conclusion 5

831 views • 40 slides
Constructive Proofs and Program Extraction Christoph Kreitz 1. Type Theory vs. Set Theory 2.

Constructive Proofs and Program Extraction Christoph Kreitz 1. Type Theory vs. Set Theory 2.

Constructive Proofs and Program Extraction Christoph Kreitz 1. Type Theory vs. Set Theory 2. Overview of the Nuprl System 3. Proofs of the Integer Square Root Problem What distinguishes Type Theory from Set Theory? n r r 2 n

800 views • 42 slides
Number Theory Number Theory is the study of integers and their resulting structures . Why study

Number Theory Number Theory is the study of integers and their resulting structures . Why study

Number Theory Number Theory is the study of integers and their resulting structures . Why study it? 1 History: the first true algortihms were number-theoretic. 2 Analysis: Well learn about new kinds of running times and analyses. 3 Cryptography!

591 views • 10 slides
Number Theory and Cryptography Chapter 4 Chapter Motivation Number theory is the part of

Number Theory and Cryptography Chapter 4 Chapter Motivation Number theory is the part of

Number Theory and Cryptography Chapter 4 Chapter Motivation Number theory is the part of mathematics devoted to the study of the integers and their properties. Key ideas in number theory include divisibility and the primality of integers.

1.77k views • 103 slides
Algorithms Theory Algorithms Theory 14 Dynamic Programming (3) Programming (3) Optimal

Algorithms Theory Algorithms Theory 14 Dynamic Programming (3) Programming (3) Optimal

Algorithms Theory Algorithms Theory 14 Dynamic Programming (3) Programming (3) Optimal binary search trees P.D. Dr. Alexander Souza Winter term 11/12 Method of dynamic programming Recursive approach: Solve a problem by solving several

486 views • 16 slides
Type-theory of acyclic recursion and its calculi Roussanka Loukanova Stockholm University, Sweden

Type-theory of acyclic recursion and its calculi Roussanka Loukanova Stockholm University, Sweden

Introduction to Type-Theory of Algorithms Reduction Rules Current and Future Work Some References Type-theory of acyclic recursion and its calculi Roussanka Loukanova Stockholm University, Sweden Second Workshop on Mathematical Logic and its

538 views • 29 slides
Lecture 3: Homotopical models of type theory Nicola Gambino School of Mathematics University of

Lecture 3: Homotopical models of type theory Nicola Gambino School of Mathematics University of

Lecture 3: Homotopical models of type theory Nicola Gambino School of Mathematics University of Leeds Young Set Theory Copenhagen June 14th, 2016 1 What happened yesterday? Type theory the type theory T Extensional vs intensional

639 views • 28 slides
Fast Special Functions Sage Days 35: Algorithms in Number Theory and FLINT University of Warwick

Fast Special Functions Sage Days 35: Algorithms in Number Theory and FLINT University of Warwick

Fast Special Functions Sage Days 35: Algorithms in Number Theory and FLINT University of Warwick Fredrik Johansson RISC, Linz 2011-12-17 Fredrik Johansson (RISC, Linz) Fast Special Functions 2011-12-17 1 / 42 Why FLINT and special

1.67k views • 42 slides
Type Theory and Coq Herman Geuvers Lecture: Simple Type Theory ` a la Curry: assigning types to

Type Theory and Coq Herman Geuvers Lecture: Simple Type Theory ` a la Curry: assigning types to

Type Theory and Coq Herman Geuvers Lecture: Simple Type Theory ` a la Curry: assigning types to untyped terms, principal type algorithm 1 Overview of todays lecture Simple Type Theory ( ) ` a la Curry (versus ` a la Church)

449 views • 29 slides
Basic Algorithms in Number Theory Francesco Pappalardi Polynomials, Hensels Lemma, Chinese

Basic Algorithms in Number Theory Francesco Pappalardi Polynomials, Hensels Lemma, Chinese

Algorithmic Complexity ... 1 Basic Algorithms in Number Theory Basic Algorithms in Number Theory Francesco Pappalardi Polynomials, Hensels Lemma, Chinese Remainder Theorem and more. July 22 th 2010 Algorithmic Complexity ... 2 Basic

394 views • 20 slides
Algebraic simple type theory A polynomial approach Nathanael Arkor & Marcelo Fiore

Algebraic simple type theory A polynomial approach Nathanael Arkor & Marcelo Fiore

Algebraic simple type theory A polynomial approach Nathanael Arkor & Marcelo Fiore Department of Computer Science and Technology University of Cambridge Category Theory 2019 What is a type theory? What is a type theory? system of

1.29k views • 65 slides
Set Theory in Type Theory Gert Smolka Saarland University Types 2015, Tallinn, May 19, 2015 1 /

Set Theory in Type Theory Gert Smolka Saarland University Types 2015, Tallinn, May 19, 2015 1 /

Set Theory in Type Theory Gert Smolka Saarland University Types 2015, Tallinn, May 19, 2015 1 / 15 How would you teach set theory to students who are familiar with type theory and proof assistants? Classical set theory with

277 views • 15 slides
Formalising semantics of dependent type theory in dependent type theory (work in progress)

Formalising semantics of dependent type theory in dependent type theory (work in progress)

Formalising semantics of dependent type theory in dependent type theory (work in progress) Peter LeFanu Lumsdaine joint work with H akon Gylterud, Erik Palmgren DMV Hamburg, 25 September 2015 1 / 19 Modelling DTT Early models of

389 views • 19 slides
Algorithms Theory Algorithms Theory 13 13 Bin Packing Bi P ki P.D. Dr. Alexander Souza

Algorithms Theory Algorithms Theory 13 13 Bin Packing Bi P ki P.D. Dr. Alexander Souza

Algorithms Theory Algorithms Theory 13 13 Bin Packing Bi P ki P.D. Dr. Alexander Souza Winter term 11/12 Bin packing 1. Problem definition and general observations 2 Approximation algorithms for the online bin packing problem 2.

148 views • 12 slides
Universes and the limits of Martin-Lf type theory Michael Rathjen School of Mathematics

Universes and the limits of Martin-Lf type theory Michael Rathjen School of Mathematics

Universes and the limits of Martin-Lf type theory Michael Rathjen School of Mathematics University of Leeds Russell08 Proof Theory meets Type Theory Swansea, March 15, 2008 U NIVERSES AND THE LIMITS OF M ARTIN -L F TYPE THEORY U NIVERSES

837 views • 39 slides
Introduction to AdS/CFT D-branes Type IIA string theory: Dp-branes p even (0,2,4,6,8) Type IIB

Introduction to AdS/CFT D-branes Type IIA string theory: Dp-branes p even (0,2,4,6,8) Type IIB

Introduction to AdS/CFT D-branes Type IIA string theory: Dp-branes p even (0,2,4,6,8) Type IIB string theory: Dp-branes p odd (1,3,5,7,9) 10D Type IIB two parallel D3-branes low-energy effective description: Higgsed N = 4 SUSY gauge theory Two

971 views • 51 slides
Basic Algorithms in Number Theory Francesco Pappalardi Algorithmic Complexity & more. July 19

Basic Algorithms in Number Theory Francesco Pappalardi Algorithmic Complexity & more. July 19

Algorithmic Complexity ... 1 Basic Algorithms in Number Theory Basic Algorithms in Number Theory Francesco Pappalardi Algorithmic Complexity & more. July 19 th 2010 Algorithmic Complexity ... 2 Basic Algorithms in Number Theory

416 views • 26 slides
Basic Number Theory The integers are the natural numbers, 0 and the additive inverses of the

Basic Number Theory The integers are the natural numbers, 0 and the additive inverses of the

Basic Number Theory http://localhost/~senning/courses/ma229/slides/number-theory/slide01.html Basic Number Theory http://localhost/~senning/courses/ma229/slides/number-theory/slide02.html Basic Number Theory prev | slides | next prev | slides

464 views • 7 slides
Homotopy and Directed Type Theory: a Sample Dan Doel October 24, 2011 Type Theory Overview

Homotopy and Directed Type Theory: a Sample Dan Doel October 24, 2011 Type Theory Overview

Homotopy and Directed Type Theory: a Sample Dan Doel October 24, 2011 Type Theory Overview Judgments ctx A type M : A Families , x : A B ( x ) type Inference 1 J 1 2 J 2 Type Theory Overview

415 views • 27 slides
Algorithms Theory Algorithms Theory 11 11 Shortest Paths Sh t t P th Dr. Alexander Souza

Algorithms Theory Algorithms Theory 11 11 Shortest Paths Sh t t P th Dr. Alexander Souza

Algorithms Theory Algorithms Theory 11 11 Shortest Paths Sh t t P th Dr. Alexander Souza Winter term 11/12 1. Shortest-paths problem Directed graph G = (V, E) g p ( ) Cost function c : E R 2 1 3 3 3 1 4 4 4 4 2 2

186 views • 14 slides

More recommend