Still Wrong Use of Pairings in Cryptography

Several pairing-based cryptographic protocols are recently proposed with a wide variety of new novel applications including the ones in emerging technologies like cloud computing, internet of things (IoT), e-health systems and wearable technologies. There have been however a wide range of incorrect use of these primitives. The paper of Galbraith, Paterson, and Smart (2006) pointed out most of the issues related to the incorrect use of pairing-based cryptography. However, we noticed that some recently proposed applications still do not use these primitives correctly. This leads to unrealizable, insecure or too inefficient designs of pairing-based protocols. We observed that one reason is not being aware of the recent advancements on solving the discrete logarithm problems in some groups. The main purpose of this article is to give an understandable, informative, and the most up-to-date criteria for the correct use of pairing-based cryptography. We thereby deliberately avoid most of the technical details and rather give special emphasis on the importance of the correct use of bilinear maps by realizing secure cryptographic protocols. We list a collection of some recent papers having wrong security assumptions or realizability/efficiency issues. Finally, we give a compact and an up-to-date recipe of the correct use of pairings.Comment: 25 page

Near-Optimal Primal-Dual Algorithms for Quantity-Based Network Revenue Management

We study the canonical quantity-based network revenue management (NRM) problem where the decision-maker must irrevocably accept or reject each arriving customer request with the goal of maximizing the total revenue given limited resources. The exact solution to the problem by dynamic programming is computationally intractable due to the well-known curse of dimensionality. Existing works in the literature make use of the solution to the deterministic linear program (DLP) to design asymptotically optimal algorithms. Those algorithms rely on repeatedly solving DLPs to achieve near-optimal regret bounds. It is, however, time-consuming to repeatedly compute the DLP solutions in real time, especially in large-scale problems that may involve hundreds of millions of demand units. In this paper, we propose innovative algorithms for the NRM problem that are easy to implement and do not require solving any DLPs. Our algorithm achieves a regret bound of $O(\log k)$, where $k$ is the system size. To the best of our knowledge, this is the first NRM algorithm that (i) has an $o(\sqrt{k})$ asymptotic regret bound, and (ii) does not require solving any DLPs

The IID Prophet Inequality with Limited Flexibility

In online sales, sellers usually offer each potential buyer a posted price in a take-it-or-leave fashion. Buyers can sometimes see posted prices faced by other buyers, and changing the price frequently could be considered unfair. The literature on posted price mechanisms and prophet inequality problems has studied the two extremes of pricing policies, the fixed price policy and fully dynamic pricing. The former is suboptimal in revenue but is perceived as fairer than the latter. This work examines the middle situation, where there are at most $k$ distinct prices over the selling horizon. Using the framework of prophet inequalities with independent and identically distributed random variables, we propose a new prophet inequality for strategies that use at most $k$ thresholds. We present asymptotic results in $k$ and results for small values of $k$. For $k=2$ prices, we show an improvement of at least $11\%$ over the best fixed-price solution. Moreover, $k=5$ prices suffice to guarantee almost $99\%$ of the approximation factor obtained by a fully dynamic policy that uses an arbitrary number of prices. From a technical standpoint, we use an infinite-dimensional linear program in our analysis; this formulation could be of independent interest to other online selection problems

Effective and Efficient Reconstruction Schemes for the Inverse Medium Problem in Scattering

This thesis challenges with the development of a computational framework facilitating the solution for the inverse medium problem in time-independent scattering in two- and three-dimensional setting. This includes three main application cases: the simulation of the scattered field for a given transmitter-receiver geometry; the generation of simulated data as well as the handling of real-world data; the reconstruction of the refractive index of a penetrable medium from several measured, scattered fields. We focus on an effective and efficient reconstruction algorithm. Therefore we set up a variational reconstruction scheme. The underlying paradigm is to minimize the discrepancy between the predicted data based on the reconstructed refractive index and the given data while taking into account various structural a priori information via suitable penalty terms, which are designed to promote information expected in real-world environments. Finally, the scheme relies on a primal-dual algorithm. In addition, information about the obstacle's shape and position obtained by the factorization method can be used as a priori information to increase the overall effectiveness of the scheme. An implementation is provided as MATLAB toolbox IPscatt. It is tailored to the needs of practitioners, e.g. a heuristic algorithm for an automatic, data-driven choice of the regularization parameters is available. The effectiveness and efficiency of the proposed approach are demonstrated for simulated as well as real-world data by comparisons with existing software packages

부가정보를 이용한 이산대수 문제 연구

학위논문 (박사)-- 서울대학교 대학원 : 수리과학부, 2014. 2. 천정희.The modern cryptography has been developed based on mathematical hard problems. For example, it is considered hard to solve the discrete logarithm problem~(DLP). The DLP is required to solve $\alpha$ for given $g, g^\alpha$, where $G = \langle g \rangle$. It is well-known that the lower bound complexity to solve the DLP in the generic group model is $\Omega(p^{1/2})$~(EUROCRYPT 97, Shoup), where $p$ is the prime order of the group $G$. However, if the problem is given with auxiliary informations, then it can be solved faster than $O(p^{1/2})$. In the former of the thesis, we deal with the problem called discrete logarithm problem with the auxiliary inputs~(DLPwAI). The DLPwAI is a problem required to solve $\alpha$ for given $g, g^\alpha, \dots, g^{\alpha^d}$. The state-of-art algorithm to solve this problem is Cheon's algorithm which solves the problem in the case of $dp\pm 1$. In the thesis, we propose a new method to solve the DLPwAI which reduces to find a polynomial with small value sets. As a result, we solved the DLPwAI when $g^{\alpha^k}$ were given, where $k$ is an element of multiplicative subgroup of ${\mathbb Z}_{p-1}^{\times}$. In the later of the thesis, we try to solve the DLP with the pairing inversion problem. If one has an efficient algorithm to solve the pairing inversion, then it can be used to solve the DLP. We focus on how to reduce the complexity of the pairing inversion problem by reducing the size of the final exponentiation in the pairing computation. As a result, we obtained the lower bound of the size of the final exponentiation.Abstract i 1 Introduction 1 2 Discrete Logarithm Problem 4 2.1 AlgorithmsfortheDLP ..................... 4 2.1.1 Genericalgorithms .................... 4 2.1.2 Non-genericalgorithms.................. 8 3 Discrete Logairhtm Problem with Auxiliary Inputs 10 3.1 Introduction............................ 10 3.2 TheDLPwAIandCheonsalgorithm .............. 12 3.2.1 p−1cases......................... 12 3.2.2 Generalizedalgorithms.................. 14 3.3 Fast multipoint evaluation in the blackbox manner . . . . . . 16 3.4 Balls-and-BinsProblem...................... 24 3.4.1 Balls-and-Bins Problem with Uniform Probability . . . 24 3.4.2 Balls-and-Bins Problem with Non-Uniform Probability 25 3.5 Polynomialswithsmallvaluesets ................ 28 3.5.1 An approach using the polynomial of small value set: uniformcase........................ 28 3.5.2 Approach using polynomials with almost small value set:non-uniformcase................... 31 3.5.3 Generalization of the Dickson Polynomial and its value set............................. 32 4 Generalized DLP with Auxiliary Inputs 38 4.1 MultiplicativeSubgroupsofZ×n ................. 38 4.1.1 Representation of a Multiplicative Subgroup of Z×n . . 39 4.2 AGroupActiononZ×p ...................... 41 4.3 PolynomialConstruction..................... 47 4.4 MainTheorem .......................... 51 5 The Pairing Inversion Problem 56 5.1 Introduction............................ 56 5.2 Preliminaries ........................... 60 5.2.1 Pairings .......................... 60 5.2.2 Pairing-FriendlyEllipticCurves . . . . . . . . . . . . . 61 5.2.3 ExponentiationMethod ................. 63 5.3 Reducingthefinalexponentiation................ 64 5.3.1 Polynomial representation of the base-p coefficients . . 64 5.3.2 Reducingthesizeofbasepcoefficients . . . . . . . . . 72 5.3.3 Examples ......................... 77 6 Conclusion .....................81 Abstract (in Korean) .................91 Acknowledgement (in Korean) ................92Docto

Multi-modal curriculum learning for semi-supervised image classification

Semi-supervised image classification aims to classify a large quantity of unlabeled images by typically harnessing scarce labeled images. Existing semi-supervised methods often suffer from inadequate classification accuracy when encountering difficult yet critical images, such as outliers, because they treat all unlabeled images equally and conduct classifications in an imperfectly ordered sequence. In this paper, we employ the curriculum learning methodology by investigating the difficulty of classifying every unlabeled image. The reliability and the discriminability of these unlabeled images are particularly investigated for evaluating their difficulty. As a result, an optimized image sequence is generated during the iterative propagations, and the unlabeled images are logically classified from simple to difficult. Furthermore, since images are usually characterized by multiple visual feature descriptors, we associate each kind of features with a teacher, and design a multi-modal curriculum learning (MMCL) strategy to integrate the information from different feature modalities. In each propagation, each teacher analyzes the difficulties of the currently unlabeled images from its own modality viewpoint. A consensus is subsequently reached among all the teachers, determining the currently simplest images (i.e., a curriculum), which are to be reliably classified by the multi-modal learner. This well-organized propagation process leveraging multiple teachers and one learner enables our MMCL to outperform five state-of-the-art methods on eight popular image data sets