To this day, no method of finding a generator of is known to be more efficient than essentially trying 2, then 3, and so on. Who cares? Well, the difficulty of breaking a certain public key cryptosystem (due to El Gamal) depends on the difficulty of working with generators of . — Keith Conrad
An th root of unity in a finite field is an element satisfying , where is an integer. If is the smallest positive integer with this property, is called a primitive th root of unity. If is a primitive th root of unity, then all elements in the set are also roots of unity. Actually, the set form a cyclic group of order under multiplication, with generator .
Problem: Suppose you are given a finite field of degree , and you are promised that there indeed exists a primitive th root of unity for prime. Find , and in particular, produce a C++code that finds it.
In what follows, we talk about how to find such a root and provide my C++ code; the code uses the awesome NTL library.
Continue reading “Finding a Primitive p-th Root of Unity in a Finite Field, with C++ Code”
[Contents of this post are based on an ongoing discussion with Alex Russell and Aggelos Kiayias. It contains potentially unpublished material.]
In a proof-of-stake blockchain protocol such as Ouroboros, at most half of the users are dishonest. While an honest user always extends the longest available blockchain, the dishonest users try to fool him into extending a manipulated blockchain. Here, the user who is allowed to issue a block at any time-slot is called the “slot leader.” As it happens, a number of future slot leaders are computed in advance using the random values present in the blocks. Although counterintuitive, such a scheme ensures that if the adversary does not control more than half the users now, it is very unlikely that he cannot control more than half the slot leaders. The time-slots are divided into “epochs” of length .
We consider a variant of Ouroboros where the random bits necessary for selecting the slot leaders for the next epoch come from a per-epoch random value, plus the random values from a certain prefix of the blocks issued in the current epoch. Because the random values do not depend on the contents of the block, the adversary cannot maliciously choose a block-content that affects the leader selection. He, however, has one of three options:
- Issuing a block and attaching it to the longest available chain
- Not issuing a block
- Issuing a block but linking it to a shorter, possibly malicious chain. If an honest block is bypassed by this maneuver, we say the adversary has skipped an honest player
We are interested in giving an upper bound to the expected number of competing chains that the adversary can possibly present to the leader selection process. This number would limit the choices for even a computationally-unbounded adversary. Not surprisingly, we call this number the grinding power of the adversary.
Continue reading “Characterizing the Adversarial Grinding Power in a Proof-of-Stake Blockchain Protocol”
In a blockchain protocol such as Bitcoin, the users see the world as a sequence of states. A simple yet functional view of this world, for the purpose of analysis, is a Boolean string of zeros and ones, where each bit is independently biased towards favoring the “bad guys.”
A bad guy is activated when for some . He may try to present the good guys with a conflicting view of the world, such as presenting multiple candidate blockchains of equal length. This view is called a “fork”. A string that allows the bad guy to fork (with nonnegligible probability) is called a “forkable string”. Naturally, we would like to show that forkable strings are rare: that the manipulative power of the bad guys over the good guys is negligible.
Claim (, Bound 2). Suppose is a Boolean string, with every bit independently set to with probability for some . The probability that is forkable is at most .
In this post, we present a commentary on the proof that forkable strings are rare. I like the proof because it uses simple facts about random walks, generating functions, and stochastic domination to bound an apparently difficult random process.
Continue reading “Forkable Strings are Rare”
In this post, I am going to review two erasure codes: the Blaum-Bruck-Vardy code and the BASIC code (also here). These are erasure codes, which means, their purpose is to encode a number of data disks into a number of coding disks so that when one or more data/coding disks fail, the failed disk can be reconstructed using the existing data and coding disks.
A strength of these codes is that although the algebra is described on extension fields/rings over , the encoding/decoding process uses only Boolean addition/rotation operation and no finite field operation. These codes are also MDS (Maximum Distance Separable), which means they have the largest possible (minimum) distance for a fixed message-length and codeword-length.
(Recall that if a code has data components and parity components in its generator matrix in standard form, its distance is at most by the Singleton bound. Hence the code is MDS if and only if it can tolerate arbitrary disk failures.)
The BASIC code does the following things in relations to the BBV code:
- Adds a virtual parity bit after each disk, giving each disk an even parity
- Does polynomial arithmetic modulo instead of as in the case of BBV code
- Shows equivalence to the BBV code by making a nice observation via Chinese Remainder Theorem
- Proves MDS property for any number of coding disks when is “large enough” and has a certain structure
Open Question: What is the least disk size for which these codes are MDS with arbitrary distance?
Continue reading “Two MDS Array Codes for Disk Erasures: the Blaum-Bruck-Vardy Code and the BASIC Code”
[This post, which is based on an ongoing discussion with Alex Russell and Ravi Sundaram, contains some unpublished results.]
Currently, we are asking whether all submatrices of the order- Vandermonde matrix over a finite extension of are invertible where is prime. The answer is “no” in general: there are examples of fields where the Vandermonde matrix has a singular submatrix.
We can ask an easier(?) question, though. What happens if we randomly sample a set of columns and look into submatrices formed by a subset of the sampled columns. With a touch of beautiful insight, Professor Russell has connected Szemeredi’s theorem on arithmetic progressions with this question.
Let denote an arithmetic progression of length $latek k$. Let for .
The Szemerédi theorem says, any “sufficiently dense” subset contains infinitely many for all . A finitary version says: Fix your favourite . Then, there exists a natural such that if you look any subset of size at least , you will find an . Yet another version says:
Szemerédi’s Theorem. The size of the largest subset without an cannot be too large; in particular, it is .
Recall that a function is if it grows too slow compared to , so that .
Continue reading “Vandermonde Submatrices and Arithmetic Progressions”
HBO charged me $15 via Amazon for my subscription that I forgot to cancel after the Game of Thrones was over. Upon writing to Amazon, the representative said:
As per policy we are unable to issue refund for the previous month charge (September) for your HBO subscription. However, I am able to make an exception for you and have issued you a promotional credit of $15.14 in your account.
Walmart manager said he would not accept my returns (worth $107) without a receipt. Although the first guy said he would give me a gift card, the system didn’t let him proceed. The manager came in and told me they wouldn’t take these returns. Why? Because they have recently changed the rule: without a receipt, I can return items worth only up to $25.
Continue reading “Takeaways from “Never Split the Difference” by Chris Voss”