On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus...

13
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University

Transcript of On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus...

Page 1: On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs

Ronald Cramer CWI

Ivan Damgaringrd Aringrhus University

Classic Zero-Knowledge Protocols- for eg discrete log or quadratic residuosity are of form

Prover Verifier

x= f(w)

e = 0 or 1

a

z

Some constructions do much better O(k+n) bits bull Schnorr only for groups of public and prime order bull Guillou-Quisquater only for qrsquoth roots mod a composite q a large prime bull Okamoto-Fujisaki discrete log in RSA groups but only under strong RSA assumption and for special moduli

No better general method known for amplifying error

wHas error probability frac12 Can

be amplified to 2-n by iterating n times Means proof has size O(kn) bits k size of problem instance

Results of this paper

For a large class of problems we show how to do a zero-knowledge proof for n problem instances simultaneously such that bull the complexity per instance proved is O(n+k) bits and bull the error probability is 2-n

Construction is unconditional

Result works for any function f that has certain homomorphic properties(f is a rdquozero-knowledge friendlyrdquo function) Given x1xn the prover shows he knows w1wn such that

f(wi) = xi

Includes bull Discrete log in any group bull Quadratic residuosity improves also classic protocol for quadratic non-residuesbull Goldwasser-Micali encryptions and similar cryptosystems bull Integer commitment schemes based on discrete log mod a composite

Results contrsquod

Result extends to show relations between preimages under f such as multiplicative relations

We obtain a Σndashprotocol a 3-move honest verifier zero-knowledge protocol

Honest-verifier zero-knowledge is enough for many applications

Upcoming work (Cramer Damgaringrd and Keller) for same class of problems can get constant-round proof of knowledge that is zero-knowledge against any verifier proof has same size as ours up to a constant factor and properties are unconditional

Related WorkIshai et al (STOC 07) have a construction of zero-knowledge protocols from multiparty computation that can give similar complexity as ours for some but not all problems and requires a complexity assumption

The Construction preliminaries

Let e be an n-bit string

We will need an efficiently computable function takes e as

input and outputs matrix Me with integer entries

n columns m rows In this example m=2n-1

Other dimensions possible as well Details on the function later

e

Me

Idea of construction- for discrete logarithm in any group

Prover Verifier

h1= gw1 hn= gwn

e= e1

enz1 zm

How to compute z1 zm Let W R Z be columns vectors

containing the wirsquos rirsquos and zirsquos Then prover sets

Z= R + MeW

How to check Z is correct Let (ti1 tin) be irsquoth row of Me

must be the case that for i=1 m

gzi = ai h1ti1 hn

tin = gri + w1ti1 + + wntin

w1wn

a1= gr1 am= grm

Z =

+ Me

WR

Why is this (honest-verifer) zero-knowledge

If entries in R chosen uniformly in a large enough interval

(compared to entries in MeW )

Z will have essentially uniform entries

Hence to simulate choose z1 zm and e uniformly compute

Me and compute a1hellipam such that

gzi = ai h1ti1 hn

tin

is true

Prover Verifier

h1= gw1 hn= gwn

e= e1

enZ= R +

MeW

w1wn

a1= gr1 am= grm

Check that

gzi = ai h1ti1 hn

tin

Why is this sound

We show that if after sending first message the prover can answer two different challenges eersquo then he could compute

w1wn so error probability is 2-n

Intuition on this if prover can produce

Z= R + MeW and Zrsquo= R + MersquoW then he can also compute

Z - Zrsquo = (Me-Mersquo)W

So if we can construct Me from e such that this equation can

always be solved for W we are done

Prover Verifier

h1= gw1 hn= gwn

e= e1

enZ= R +

MeW

w1wn

a1= gr1 am= grm

Construction of Me from e

Write e as an n-bit column vector

Form the matrix

e

e

ee

e

Me=

We will get m= 2n-1 rows

Observation any difference Me ndashMersquo

is an upper triangular matrix with either +1 or -1 on the diagonal

Why focus on rdquolowestrdquo position where e is different from ersquo

This implies Me ndashMersquo is invertible

ersquo

==ne

0rsquos

0rsquos

Complexity

CommunicationPer instance proved we have sent mn group elements and numbers mnlt 2 so same complexity per instance as Schnorr up to a factor 2

Computation

Entries in Me are 0 1 or -1 so computations involving Me are

dominated by the exponentiations Hence also computation per instance same as Schnorr up to a factor 2

Prover Verifier

h1= gw1 hn= gwn

e= e1

enZ= R +

MeW

w1wn

a1= gr1 am= grm

Check that

gzi = ai h1ti1 hn

tin

In general

The homomorphic property of the function w gw is what makes this work Many other functions are fine as well see paper for general framework

Examples

Not limited to one base can do proofs of knowledge for (ws) gwhs

Covers several known cryptosystems (Goldwasser-Micali Groth Damgaringrd-Geisler-Kroslashigaard)

- And commitment schemes for committing to integers (Fujisaki Okamoto)

More Examples

The function w w2 mod N

Here special purpose construction of Me makes it even more

efficent

Consider that n-bit string e can be thought of as an element in

GF(2n)

GF(2n) is a vector space over GF(2) and multiplication by e is a

linear mapping So fix some basis and let Me be the matrix of this

mapping

Then any Me ndashMersquo is invertible because it corresponds to

multiplication by e-ersquo ne 0

Leads to protocol for proving you know square roots mod N of x1xn Size of proof per instance is exactly equal to one run of the classic GMR protocol

Also in Paper

Interesting connection between construction of Me and black-box

secret sharing

Most known efficent protocols (Schnorr G-Q ours) can be thought of as being based on a 2 out of T secret sharing scheme for very large T

P Va

e

z

P commits to randomness for ssV asks for ersquoth share of secret

Prover reveals requested share V checks share is correct

xw w secret x commitment to secret

Zero-knowledge because one share does reveal the secretSound because given two correct shares secret can be computed

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
Page 2: On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

Classic Zero-Knowledge Protocols- for eg discrete log or quadratic residuosity are of form

Prover Verifier

x= f(w)

e = 0 or 1

a

z

Some constructions do much better O(k+n) bits bull Schnorr only for groups of public and prime order bull Guillou-Quisquater only for qrsquoth roots mod a composite q a large prime bull Okamoto-Fujisaki discrete log in RSA groups but only under strong RSA assumption and for special moduli

No better general method known for amplifying error

wHas error probability frac12 Can

be amplified to 2-n by iterating n times Means proof has size O(kn) bits k size of problem instance

Results of this paper

For a large class of problems we show how to do a zero-knowledge proof for n problem instances simultaneously such that bull the complexity per instance proved is O(n+k) bits and bull the error probability is 2-n

Construction is unconditional

Result works for any function f that has certain homomorphic properties(f is a rdquozero-knowledge friendlyrdquo function) Given x1xn the prover shows he knows w1wn such that

f(wi) = xi

Includes bull Discrete log in any group bull Quadratic residuosity improves also classic protocol for quadratic non-residuesbull Goldwasser-Micali encryptions and similar cryptosystems bull Integer commitment schemes based on discrete log mod a composite

Results contrsquod

Result extends to show relations between preimages under f such as multiplicative relations

We obtain a Σndashprotocol a 3-move honest verifier zero-knowledge protocol

Honest-verifier zero-knowledge is enough for many applications

Upcoming work (Cramer Damgaringrd and Keller) for same class of problems can get constant-round proof of knowledge that is zero-knowledge against any verifier proof has same size as ours up to a constant factor and properties are unconditional

Related WorkIshai et al (STOC 07) have a construction of zero-knowledge protocols from multiparty computation that can give similar complexity as ours for some but not all problems and requires a complexity assumption

The Construction preliminaries

Let e be an n-bit string

We will need an efficiently computable function takes e as

input and outputs matrix Me with integer entries

n columns m rows In this example m=2n-1

Other dimensions possible as well Details on the function later

e

Me

Idea of construction- for discrete logarithm in any group

Prover Verifier

h1= gw1 hn= gwn

e= e1

enz1 zm

How to compute z1 zm Let W R Z be columns vectors

containing the wirsquos rirsquos and zirsquos Then prover sets

Z= R + MeW

How to check Z is correct Let (ti1 tin) be irsquoth row of Me

must be the case that for i=1 m

gzi = ai h1ti1 hn

tin = gri + w1ti1 + + wntin

w1wn

a1= gr1 am= grm

Z =

+ Me

WR

Why is this (honest-verifer) zero-knowledge

If entries in R chosen uniformly in a large enough interval

(compared to entries in MeW )

Z will have essentially uniform entries

Hence to simulate choose z1 zm and e uniformly compute

Me and compute a1hellipam such that

gzi = ai h1ti1 hn

tin

is true

Prover Verifier

h1= gw1 hn= gwn

e= e1

enZ= R +

MeW

w1wn

a1= gr1 am= grm

Check that

gzi = ai h1ti1 hn

tin

Why is this sound

We show that if after sending first message the prover can answer two different challenges eersquo then he could compute

w1wn so error probability is 2-n

Intuition on this if prover can produce

Z= R + MeW and Zrsquo= R + MersquoW then he can also compute

Z - Zrsquo = (Me-Mersquo)W

So if we can construct Me from e such that this equation can

always be solved for W we are done

Prover Verifier

h1= gw1 hn= gwn

e= e1

enZ= R +

MeW

w1wn

a1= gr1 am= grm

Construction of Me from e

Write e as an n-bit column vector

Form the matrix

e

e

ee

e

Me=

We will get m= 2n-1 rows

Observation any difference Me ndashMersquo

is an upper triangular matrix with either +1 or -1 on the diagonal

Why focus on rdquolowestrdquo position where e is different from ersquo

This implies Me ndashMersquo is invertible

ersquo

==ne

0rsquos

0rsquos

Complexity

CommunicationPer instance proved we have sent mn group elements and numbers mnlt 2 so same complexity per instance as Schnorr up to a factor 2

Computation

Entries in Me are 0 1 or -1 so computations involving Me are

dominated by the exponentiations Hence also computation per instance same as Schnorr up to a factor 2

Prover Verifier

h1= gw1 hn= gwn

e= e1

enZ= R +

MeW

w1wn

a1= gr1 am= grm

Check that

gzi = ai h1ti1 hn

tin

In general

The homomorphic property of the function w gw is what makes this work Many other functions are fine as well see paper for general framework

Examples

Not limited to one base can do proofs of knowledge for (ws) gwhs

Covers several known cryptosystems (Goldwasser-Micali Groth Damgaringrd-Geisler-Kroslashigaard)

- And commitment schemes for committing to integers (Fujisaki Okamoto)

More Examples

The function w w2 mod N

Here special purpose construction of Me makes it even more

efficent

Consider that n-bit string e can be thought of as an element in

GF(2n)

GF(2n) is a vector space over GF(2) and multiplication by e is a

linear mapping So fix some basis and let Me be the matrix of this

mapping

Then any Me ndashMersquo is invertible because it corresponds to

multiplication by e-ersquo ne 0

Leads to protocol for proving you know square roots mod N of x1xn Size of proof per instance is exactly equal to one run of the classic GMR protocol

Also in Paper

Interesting connection between construction of Me and black-box

secret sharing

Most known efficent protocols (Schnorr G-Q ours) can be thought of as being based on a 2 out of T secret sharing scheme for very large T

P Va

e

z

P commits to randomness for ssV asks for ersquoth share of secret

Prover reveals requested share V checks share is correct

xw w secret x commitment to secret

Zero-knowledge because one share does reveal the secretSound because given two correct shares secret can be computed

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
Page 3: On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

Results of this paper

For a large class of problems we show how to do a zero-knowledge proof for n problem instances simultaneously such that bull the complexity per instance proved is O(n+k) bits and bull the error probability is 2-n

Construction is unconditional

Result works for any function f that has certain homomorphic properties(f is a rdquozero-knowledge friendlyrdquo function) Given x1xn the prover shows he knows w1wn such that

f(wi) = xi

Includes bull Discrete log in any group bull Quadratic residuosity improves also classic protocol for quadratic non-residuesbull Goldwasser-Micali encryptions and similar cryptosystems bull Integer commitment schemes based on discrete log mod a composite

Results contrsquod

Result extends to show relations between preimages under f such as multiplicative relations

We obtain a Σndashprotocol a 3-move honest verifier zero-knowledge protocol

Honest-verifier zero-knowledge is enough for many applications

Upcoming work (Cramer Damgaringrd and Keller) for same class of problems can get constant-round proof of knowledge that is zero-knowledge against any verifier proof has same size as ours up to a constant factor and properties are unconditional

Related WorkIshai et al (STOC 07) have a construction of zero-knowledge protocols from multiparty computation that can give similar complexity as ours for some but not all problems and requires a complexity assumption

The Construction preliminaries

Let e be an n-bit string

We will need an efficiently computable function takes e as

input and outputs matrix Me with integer entries

n columns m rows In this example m=2n-1

Other dimensions possible as well Details on the function later

e

Me

Idea of construction- for discrete logarithm in any group

Prover Verifier

h1= gw1 hn= gwn

e= e1

enz1 zm

How to compute z1 zm Let W R Z be columns vectors

containing the wirsquos rirsquos and zirsquos Then prover sets

Z= R + MeW

How to check Z is correct Let (ti1 tin) be irsquoth row of Me

must be the case that for i=1 m

gzi = ai h1ti1 hn

tin = gri + w1ti1 + + wntin

w1wn

a1= gr1 am= grm

Z =

+ Me

WR

Why is this (honest-verifer) zero-knowledge

If entries in R chosen uniformly in a large enough interval

(compared to entries in MeW )

Z will have essentially uniform entries

Hence to simulate choose z1 zm and e uniformly compute

Me and compute a1hellipam such that

gzi = ai h1ti1 hn

tin

is true

Prover Verifier

h1= gw1 hn= gwn

e= e1

enZ= R +

MeW

w1wn

a1= gr1 am= grm

Check that

gzi = ai h1ti1 hn

tin

Why is this sound

We show that if after sending first message the prover can answer two different challenges eersquo then he could compute

w1wn so error probability is 2-n

Intuition on this if prover can produce

Z= R + MeW and Zrsquo= R + MersquoW then he can also compute

Z - Zrsquo = (Me-Mersquo)W

So if we can construct Me from e such that this equation can

always be solved for W we are done

Prover Verifier

h1= gw1 hn= gwn

e= e1

enZ= R +

MeW

w1wn

a1= gr1 am= grm

Construction of Me from e

Write e as an n-bit column vector

Form the matrix

e

e

ee

e

Me=

We will get m= 2n-1 rows

Observation any difference Me ndashMersquo

is an upper triangular matrix with either +1 or -1 on the diagonal

Why focus on rdquolowestrdquo position where e is different from ersquo

This implies Me ndashMersquo is invertible

ersquo

==ne

0rsquos

0rsquos

Complexity

CommunicationPer instance proved we have sent mn group elements and numbers mnlt 2 so same complexity per instance as Schnorr up to a factor 2

Computation

Entries in Me are 0 1 or -1 so computations involving Me are

dominated by the exponentiations Hence also computation per instance same as Schnorr up to a factor 2

Prover Verifier

h1= gw1 hn= gwn

e= e1

enZ= R +

MeW

w1wn

a1= gr1 am= grm

Check that

gzi = ai h1ti1 hn

tin

In general

The homomorphic property of the function w gw is what makes this work Many other functions are fine as well see paper for general framework

Examples

Not limited to one base can do proofs of knowledge for (ws) gwhs

Covers several known cryptosystems (Goldwasser-Micali Groth Damgaringrd-Geisler-Kroslashigaard)

- And commitment schemes for committing to integers (Fujisaki Okamoto)

More Examples

The function w w2 mod N

Here special purpose construction of Me makes it even more

efficent

Consider that n-bit string e can be thought of as an element in

GF(2n)

GF(2n) is a vector space over GF(2) and multiplication by e is a

linear mapping So fix some basis and let Me be the matrix of this

mapping

Then any Me ndashMersquo is invertible because it corresponds to

multiplication by e-ersquo ne 0

Leads to protocol for proving you know square roots mod N of x1xn Size of proof per instance is exactly equal to one run of the classic GMR protocol

Also in Paper

Interesting connection between construction of Me and black-box

secret sharing

Most known efficent protocols (Schnorr G-Q ours) can be thought of as being based on a 2 out of T secret sharing scheme for very large T

P Va

e

z

P commits to randomness for ssV asks for ersquoth share of secret

Prover reveals requested share V checks share is correct

xw w secret x commitment to secret

Zero-knowledge because one share does reveal the secretSound because given two correct shares secret can be computed

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
Page 4: On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

Results contrsquod

Result extends to show relations between preimages under f such as multiplicative relations

We obtain a Σndashprotocol a 3-move honest verifier zero-knowledge protocol

Honest-verifier zero-knowledge is enough for many applications

Upcoming work (Cramer Damgaringrd and Keller) for same class of problems can get constant-round proof of knowledge that is zero-knowledge against any verifier proof has same size as ours up to a constant factor and properties are unconditional

Related WorkIshai et al (STOC 07) have a construction of zero-knowledge protocols from multiparty computation that can give similar complexity as ours for some but not all problems and requires a complexity assumption

The Construction preliminaries

Let e be an n-bit string

We will need an efficiently computable function takes e as

input and outputs matrix Me with integer entries

n columns m rows In this example m=2n-1

Other dimensions possible as well Details on the function later

e

Me

Idea of construction- for discrete logarithm in any group

Prover Verifier

h1= gw1 hn= gwn

e= e1

enz1 zm

How to compute z1 zm Let W R Z be columns vectors

containing the wirsquos rirsquos and zirsquos Then prover sets

Z= R + MeW

How to check Z is correct Let (ti1 tin) be irsquoth row of Me

must be the case that for i=1 m

gzi = ai h1ti1 hn

tin = gri + w1ti1 + + wntin

w1wn

a1= gr1 am= grm

Z =

+ Me

WR

Why is this (honest-verifer) zero-knowledge

If entries in R chosen uniformly in a large enough interval

(compared to entries in MeW )

Z will have essentially uniform entries

Hence to simulate choose z1 zm and e uniformly compute

Me and compute a1hellipam such that

gzi = ai h1ti1 hn

tin

is true

Prover Verifier

h1= gw1 hn= gwn

e= e1

enZ= R +

MeW

w1wn

a1= gr1 am= grm

Check that

gzi = ai h1ti1 hn

tin

Why is this sound

We show that if after sending first message the prover can answer two different challenges eersquo then he could compute

w1wn so error probability is 2-n

Intuition on this if prover can produce

Z= R + MeW and Zrsquo= R + MersquoW then he can also compute

Z - Zrsquo = (Me-Mersquo)W

So if we can construct Me from e such that this equation can

always be solved for W we are done

Prover Verifier

h1= gw1 hn= gwn

e= e1

enZ= R +

MeW

w1wn

a1= gr1 am= grm

Construction of Me from e

Write e as an n-bit column vector

Form the matrix

e

e

ee

e

Me=

We will get m= 2n-1 rows

Observation any difference Me ndashMersquo

is an upper triangular matrix with either +1 or -1 on the diagonal

Why focus on rdquolowestrdquo position where e is different from ersquo

This implies Me ndashMersquo is invertible

ersquo

==ne

0rsquos

0rsquos

Complexity

CommunicationPer instance proved we have sent mn group elements and numbers mnlt 2 so same complexity per instance as Schnorr up to a factor 2

Computation

Entries in Me are 0 1 or -1 so computations involving Me are

dominated by the exponentiations Hence also computation per instance same as Schnorr up to a factor 2

Prover Verifier

h1= gw1 hn= gwn

e= e1

enZ= R +

MeW

w1wn

a1= gr1 am= grm

Check that

gzi = ai h1ti1 hn

tin

In general

The homomorphic property of the function w gw is what makes this work Many other functions are fine as well see paper for general framework

Examples

Not limited to one base can do proofs of knowledge for (ws) gwhs

Covers several known cryptosystems (Goldwasser-Micali Groth Damgaringrd-Geisler-Kroslashigaard)

- And commitment schemes for committing to integers (Fujisaki Okamoto)

More Examples

The function w w2 mod N

Here special purpose construction of Me makes it even more

efficent

Consider that n-bit string e can be thought of as an element in

GF(2n)

GF(2n) is a vector space over GF(2) and multiplication by e is a

linear mapping So fix some basis and let Me be the matrix of this

mapping

Then any Me ndashMersquo is invertible because it corresponds to

multiplication by e-ersquo ne 0

Leads to protocol for proving you know square roots mod N of x1xn Size of proof per instance is exactly equal to one run of the classic GMR protocol

Also in Paper

Interesting connection between construction of Me and black-box

secret sharing

Most known efficent protocols (Schnorr G-Q ours) can be thought of as being based on a 2 out of T secret sharing scheme for very large T

P Va

e

z

P commits to randomness for ssV asks for ersquoth share of secret

Prover reveals requested share V checks share is correct

xw w secret x commitment to secret

Zero-knowledge because one share does reveal the secretSound because given two correct shares secret can be computed

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
Page 5: On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

The Construction preliminaries

Let e be an n-bit string

We will need an efficiently computable function takes e as

input and outputs matrix Me with integer entries

n columns m rows In this example m=2n-1

Other dimensions possible as well Details on the function later

e

Me

Idea of construction- for discrete logarithm in any group

Prover Verifier

h1= gw1 hn= gwn

e= e1

enz1 zm

How to compute z1 zm Let W R Z be columns vectors

containing the wirsquos rirsquos and zirsquos Then prover sets

Z= R + MeW

How to check Z is correct Let (ti1 tin) be irsquoth row of Me

must be the case that for i=1 m

gzi = ai h1ti1 hn

tin = gri + w1ti1 + + wntin

w1wn

a1= gr1 am= grm

Z =

+ Me

WR

Why is this (honest-verifer) zero-knowledge

If entries in R chosen uniformly in a large enough interval

(compared to entries in MeW )

Z will have essentially uniform entries

Hence to simulate choose z1 zm and e uniformly compute

Me and compute a1hellipam such that

gzi = ai h1ti1 hn

tin

is true

Prover Verifier

h1= gw1 hn= gwn

e= e1

enZ= R +

MeW

w1wn

a1= gr1 am= grm

Check that

gzi = ai h1ti1 hn

tin

Why is this sound

We show that if after sending first message the prover can answer two different challenges eersquo then he could compute

w1wn so error probability is 2-n

Intuition on this if prover can produce

Z= R + MeW and Zrsquo= R + MersquoW then he can also compute

Z - Zrsquo = (Me-Mersquo)W

So if we can construct Me from e such that this equation can

always be solved for W we are done

Prover Verifier

h1= gw1 hn= gwn

e= e1

enZ= R +

MeW

w1wn

a1= gr1 am= grm

Construction of Me from e

Write e as an n-bit column vector

Form the matrix

e

e

ee

e

Me=

We will get m= 2n-1 rows

Observation any difference Me ndashMersquo

is an upper triangular matrix with either +1 or -1 on the diagonal

Why focus on rdquolowestrdquo position where e is different from ersquo

This implies Me ndashMersquo is invertible

ersquo

==ne

0rsquos

0rsquos

Complexity

CommunicationPer instance proved we have sent mn group elements and numbers mnlt 2 so same complexity per instance as Schnorr up to a factor 2

Computation

Entries in Me are 0 1 or -1 so computations involving Me are

dominated by the exponentiations Hence also computation per instance same as Schnorr up to a factor 2

Prover Verifier

h1= gw1 hn= gwn

e= e1

enZ= R +

MeW

w1wn

a1= gr1 am= grm

Check that

gzi = ai h1ti1 hn

tin

In general

The homomorphic property of the function w gw is what makes this work Many other functions are fine as well see paper for general framework

Examples

Not limited to one base can do proofs of knowledge for (ws) gwhs

Covers several known cryptosystems (Goldwasser-Micali Groth Damgaringrd-Geisler-Kroslashigaard)

- And commitment schemes for committing to integers (Fujisaki Okamoto)

More Examples

The function w w2 mod N

Here special purpose construction of Me makes it even more

efficent

Consider that n-bit string e can be thought of as an element in

GF(2n)

GF(2n) is a vector space over GF(2) and multiplication by e is a

linear mapping So fix some basis and let Me be the matrix of this

mapping

Then any Me ndashMersquo is invertible because it corresponds to

multiplication by e-ersquo ne 0

Leads to protocol for proving you know square roots mod N of x1xn Size of proof per instance is exactly equal to one run of the classic GMR protocol

Also in Paper

Interesting connection between construction of Me and black-box

secret sharing

Most known efficent protocols (Schnorr G-Q ours) can be thought of as being based on a 2 out of T secret sharing scheme for very large T

P Va

e

z

P commits to randomness for ssV asks for ersquoth share of secret

Prover reveals requested share V checks share is correct

xw w secret x commitment to secret

Zero-knowledge because one share does reveal the secretSound because given two correct shares secret can be computed

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
Page 6: On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

Idea of construction- for discrete logarithm in any group

Prover Verifier

h1= gw1 hn= gwn

e= e1

enz1 zm

How to compute z1 zm Let W R Z be columns vectors

containing the wirsquos rirsquos and zirsquos Then prover sets

Z= R + MeW

How to check Z is correct Let (ti1 tin) be irsquoth row of Me

must be the case that for i=1 m

gzi = ai h1ti1 hn

tin = gri + w1ti1 + + wntin

w1wn

a1= gr1 am= grm

Z =

+ Me

WR

Why is this (honest-verifer) zero-knowledge

If entries in R chosen uniformly in a large enough interval

(compared to entries in MeW )

Z will have essentially uniform entries

Hence to simulate choose z1 zm and e uniformly compute

Me and compute a1hellipam such that

gzi = ai h1ti1 hn

tin

is true

Prover Verifier

h1= gw1 hn= gwn

e= e1

enZ= R +

MeW

w1wn

a1= gr1 am= grm

Check that

gzi = ai h1ti1 hn

tin

Why is this sound

We show that if after sending first message the prover can answer two different challenges eersquo then he could compute

w1wn so error probability is 2-n

Intuition on this if prover can produce

Z= R + MeW and Zrsquo= R + MersquoW then he can also compute

Z - Zrsquo = (Me-Mersquo)W

So if we can construct Me from e such that this equation can

always be solved for W we are done

Prover Verifier

h1= gw1 hn= gwn

e= e1

enZ= R +

MeW

w1wn

a1= gr1 am= grm

Construction of Me from e

Write e as an n-bit column vector

Form the matrix

e

e

ee

e

Me=

We will get m= 2n-1 rows

Observation any difference Me ndashMersquo

is an upper triangular matrix with either +1 or -1 on the diagonal

Why focus on rdquolowestrdquo position where e is different from ersquo

This implies Me ndashMersquo is invertible

ersquo

==ne

0rsquos

0rsquos

Complexity

CommunicationPer instance proved we have sent mn group elements and numbers mnlt 2 so same complexity per instance as Schnorr up to a factor 2

Computation

Entries in Me are 0 1 or -1 so computations involving Me are

dominated by the exponentiations Hence also computation per instance same as Schnorr up to a factor 2

Prover Verifier

h1= gw1 hn= gwn

e= e1

enZ= R +

MeW

w1wn

a1= gr1 am= grm

Check that

gzi = ai h1ti1 hn

tin

In general

The homomorphic property of the function w gw is what makes this work Many other functions are fine as well see paper for general framework

Examples

Not limited to one base can do proofs of knowledge for (ws) gwhs

Covers several known cryptosystems (Goldwasser-Micali Groth Damgaringrd-Geisler-Kroslashigaard)

- And commitment schemes for committing to integers (Fujisaki Okamoto)

More Examples

The function w w2 mod N

Here special purpose construction of Me makes it even more

efficent

Consider that n-bit string e can be thought of as an element in

GF(2n)

GF(2n) is a vector space over GF(2) and multiplication by e is a

linear mapping So fix some basis and let Me be the matrix of this

mapping

Then any Me ndashMersquo is invertible because it corresponds to

multiplication by e-ersquo ne 0

Leads to protocol for proving you know square roots mod N of x1xn Size of proof per instance is exactly equal to one run of the classic GMR protocol

Also in Paper

Interesting connection between construction of Me and black-box

secret sharing

Most known efficent protocols (Schnorr G-Q ours) can be thought of as being based on a 2 out of T secret sharing scheme for very large T

P Va

e

z

P commits to randomness for ssV asks for ersquoth share of secret

Prover reveals requested share V checks share is correct

xw w secret x commitment to secret

Zero-knowledge because one share does reveal the secretSound because given two correct shares secret can be computed

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
Page 7: On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

Why is this (honest-verifer) zero-knowledge

If entries in R chosen uniformly in a large enough interval

(compared to entries in MeW )

Z will have essentially uniform entries

Hence to simulate choose z1 zm and e uniformly compute

Me and compute a1hellipam such that

gzi = ai h1ti1 hn

tin

is true

Prover Verifier

h1= gw1 hn= gwn

e= e1

enZ= R +

MeW

w1wn

a1= gr1 am= grm

Check that

gzi = ai h1ti1 hn

tin

Why is this sound

We show that if after sending first message the prover can answer two different challenges eersquo then he could compute

w1wn so error probability is 2-n

Intuition on this if prover can produce

Z= R + MeW and Zrsquo= R + MersquoW then he can also compute

Z - Zrsquo = (Me-Mersquo)W

So if we can construct Me from e such that this equation can

always be solved for W we are done

Prover Verifier

h1= gw1 hn= gwn

e= e1

enZ= R +

MeW

w1wn

a1= gr1 am= grm

Construction of Me from e

Write e as an n-bit column vector

Form the matrix

e

e

ee

e

Me=

We will get m= 2n-1 rows

Observation any difference Me ndashMersquo

is an upper triangular matrix with either +1 or -1 on the diagonal

Why focus on rdquolowestrdquo position where e is different from ersquo

This implies Me ndashMersquo is invertible

ersquo

==ne

0rsquos

0rsquos

Complexity

CommunicationPer instance proved we have sent mn group elements and numbers mnlt 2 so same complexity per instance as Schnorr up to a factor 2

Computation

Entries in Me are 0 1 or -1 so computations involving Me are

dominated by the exponentiations Hence also computation per instance same as Schnorr up to a factor 2

Prover Verifier

h1= gw1 hn= gwn

e= e1

enZ= R +

MeW

w1wn

a1= gr1 am= grm

Check that

gzi = ai h1ti1 hn

tin

In general

The homomorphic property of the function w gw is what makes this work Many other functions are fine as well see paper for general framework

Examples

Not limited to one base can do proofs of knowledge for (ws) gwhs

Covers several known cryptosystems (Goldwasser-Micali Groth Damgaringrd-Geisler-Kroslashigaard)

- And commitment schemes for committing to integers (Fujisaki Okamoto)

More Examples

The function w w2 mod N

Here special purpose construction of Me makes it even more

efficent

Consider that n-bit string e can be thought of as an element in

GF(2n)

GF(2n) is a vector space over GF(2) and multiplication by e is a

linear mapping So fix some basis and let Me be the matrix of this

mapping

Then any Me ndashMersquo is invertible because it corresponds to

multiplication by e-ersquo ne 0

Leads to protocol for proving you know square roots mod N of x1xn Size of proof per instance is exactly equal to one run of the classic GMR protocol

Also in Paper

Interesting connection between construction of Me and black-box

secret sharing

Most known efficent protocols (Schnorr G-Q ours) can be thought of as being based on a 2 out of T secret sharing scheme for very large T

P Va

e

z

P commits to randomness for ssV asks for ersquoth share of secret

Prover reveals requested share V checks share is correct

xw w secret x commitment to secret

Zero-knowledge because one share does reveal the secretSound because given two correct shares secret can be computed

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
Page 8: On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

Why is this sound

We show that if after sending first message the prover can answer two different challenges eersquo then he could compute

w1wn so error probability is 2-n

Intuition on this if prover can produce

Z= R + MeW and Zrsquo= R + MersquoW then he can also compute

Z - Zrsquo = (Me-Mersquo)W

So if we can construct Me from e such that this equation can

always be solved for W we are done

Prover Verifier

h1= gw1 hn= gwn

e= e1

enZ= R +

MeW

w1wn

a1= gr1 am= grm

Construction of Me from e

Write e as an n-bit column vector

Form the matrix

e

e

ee

e

Me=

We will get m= 2n-1 rows

Observation any difference Me ndashMersquo

is an upper triangular matrix with either +1 or -1 on the diagonal

Why focus on rdquolowestrdquo position where e is different from ersquo

This implies Me ndashMersquo is invertible

ersquo

==ne

0rsquos

0rsquos

Complexity

CommunicationPer instance proved we have sent mn group elements and numbers mnlt 2 so same complexity per instance as Schnorr up to a factor 2

Computation

Entries in Me are 0 1 or -1 so computations involving Me are

dominated by the exponentiations Hence also computation per instance same as Schnorr up to a factor 2

Prover Verifier

h1= gw1 hn= gwn

e= e1

enZ= R +

MeW

w1wn

a1= gr1 am= grm

Check that

gzi = ai h1ti1 hn

tin

In general

The homomorphic property of the function w gw is what makes this work Many other functions are fine as well see paper for general framework

Examples

Not limited to one base can do proofs of knowledge for (ws) gwhs

Covers several known cryptosystems (Goldwasser-Micali Groth Damgaringrd-Geisler-Kroslashigaard)

- And commitment schemes for committing to integers (Fujisaki Okamoto)

More Examples

The function w w2 mod N

Here special purpose construction of Me makes it even more

efficent

Consider that n-bit string e can be thought of as an element in

GF(2n)

GF(2n) is a vector space over GF(2) and multiplication by e is a

linear mapping So fix some basis and let Me be the matrix of this

mapping

Then any Me ndashMersquo is invertible because it corresponds to

multiplication by e-ersquo ne 0

Leads to protocol for proving you know square roots mod N of x1xn Size of proof per instance is exactly equal to one run of the classic GMR protocol

Also in Paper

Interesting connection between construction of Me and black-box

secret sharing

Most known efficent protocols (Schnorr G-Q ours) can be thought of as being based on a 2 out of T secret sharing scheme for very large T

P Va

e

z

P commits to randomness for ssV asks for ersquoth share of secret

Prover reveals requested share V checks share is correct

xw w secret x commitment to secret

Zero-knowledge because one share does reveal the secretSound because given two correct shares secret can be computed

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
Page 9: On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

Construction of Me from e

Write e as an n-bit column vector

Form the matrix

e

e

ee

e

Me=

We will get m= 2n-1 rows

Observation any difference Me ndashMersquo

is an upper triangular matrix with either +1 or -1 on the diagonal

Why focus on rdquolowestrdquo position where e is different from ersquo

This implies Me ndashMersquo is invertible

ersquo

==ne

0rsquos

0rsquos

Complexity

CommunicationPer instance proved we have sent mn group elements and numbers mnlt 2 so same complexity per instance as Schnorr up to a factor 2

Computation

Entries in Me are 0 1 or -1 so computations involving Me are

dominated by the exponentiations Hence also computation per instance same as Schnorr up to a factor 2

Prover Verifier

h1= gw1 hn= gwn

e= e1

enZ= R +

MeW

w1wn

a1= gr1 am= grm

Check that

gzi = ai h1ti1 hn

tin

In general

The homomorphic property of the function w gw is what makes this work Many other functions are fine as well see paper for general framework

Examples

Not limited to one base can do proofs of knowledge for (ws) gwhs

Covers several known cryptosystems (Goldwasser-Micali Groth Damgaringrd-Geisler-Kroslashigaard)

- And commitment schemes for committing to integers (Fujisaki Okamoto)

More Examples

The function w w2 mod N

Here special purpose construction of Me makes it even more

efficent

Consider that n-bit string e can be thought of as an element in

GF(2n)

GF(2n) is a vector space over GF(2) and multiplication by e is a

linear mapping So fix some basis and let Me be the matrix of this

mapping

Then any Me ndashMersquo is invertible because it corresponds to

multiplication by e-ersquo ne 0

Leads to protocol for proving you know square roots mod N of x1xn Size of proof per instance is exactly equal to one run of the classic GMR protocol

Also in Paper

Interesting connection between construction of Me and black-box

secret sharing

Most known efficent protocols (Schnorr G-Q ours) can be thought of as being based on a 2 out of T secret sharing scheme for very large T

P Va

e

z

P commits to randomness for ssV asks for ersquoth share of secret

Prover reveals requested share V checks share is correct

xw w secret x commitment to secret

Zero-knowledge because one share does reveal the secretSound because given two correct shares secret can be computed

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
Page 10: On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

Complexity

CommunicationPer instance proved we have sent mn group elements and numbers mnlt 2 so same complexity per instance as Schnorr up to a factor 2

Computation

Entries in Me are 0 1 or -1 so computations involving Me are

dominated by the exponentiations Hence also computation per instance same as Schnorr up to a factor 2

Prover Verifier

h1= gw1 hn= gwn

e= e1

enZ= R +

MeW

w1wn

a1= gr1 am= grm

Check that

gzi = ai h1ti1 hn

tin

In general

The homomorphic property of the function w gw is what makes this work Many other functions are fine as well see paper for general framework

Examples

Not limited to one base can do proofs of knowledge for (ws) gwhs

Covers several known cryptosystems (Goldwasser-Micali Groth Damgaringrd-Geisler-Kroslashigaard)

- And commitment schemes for committing to integers (Fujisaki Okamoto)

More Examples

The function w w2 mod N

Here special purpose construction of Me makes it even more

efficent

Consider that n-bit string e can be thought of as an element in

GF(2n)

GF(2n) is a vector space over GF(2) and multiplication by e is a

linear mapping So fix some basis and let Me be the matrix of this

mapping

Then any Me ndashMersquo is invertible because it corresponds to

multiplication by e-ersquo ne 0

Leads to protocol for proving you know square roots mod N of x1xn Size of proof per instance is exactly equal to one run of the classic GMR protocol

Also in Paper

Interesting connection between construction of Me and black-box

secret sharing

Most known efficent protocols (Schnorr G-Q ours) can be thought of as being based on a 2 out of T secret sharing scheme for very large T

P Va

e

z

P commits to randomness for ssV asks for ersquoth share of secret

Prover reveals requested share V checks share is correct

xw w secret x commitment to secret

Zero-knowledge because one share does reveal the secretSound because given two correct shares secret can be computed

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
Page 11: On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

In general

The homomorphic property of the function w gw is what makes this work Many other functions are fine as well see paper for general framework

Examples

Not limited to one base can do proofs of knowledge for (ws) gwhs

Covers several known cryptosystems (Goldwasser-Micali Groth Damgaringrd-Geisler-Kroslashigaard)

- And commitment schemes for committing to integers (Fujisaki Okamoto)

More Examples

The function w w2 mod N

Here special purpose construction of Me makes it even more

efficent

Consider that n-bit string e can be thought of as an element in

GF(2n)

GF(2n) is a vector space over GF(2) and multiplication by e is a

linear mapping So fix some basis and let Me be the matrix of this

mapping

Then any Me ndashMersquo is invertible because it corresponds to

multiplication by e-ersquo ne 0

Leads to protocol for proving you know square roots mod N of x1xn Size of proof per instance is exactly equal to one run of the classic GMR protocol

Also in Paper

Interesting connection between construction of Me and black-box

secret sharing

Most known efficent protocols (Schnorr G-Q ours) can be thought of as being based on a 2 out of T secret sharing scheme for very large T

P Va

e

z

P commits to randomness for ssV asks for ersquoth share of secret

Prover reveals requested share V checks share is correct

xw w secret x commitment to secret

Zero-knowledge because one share does reveal the secretSound because given two correct shares secret can be computed

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
Page 12: On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

More Examples

The function w w2 mod N

Here special purpose construction of Me makes it even more

efficent

Consider that n-bit string e can be thought of as an element in

GF(2n)

GF(2n) is a vector space over GF(2) and multiplication by e is a

linear mapping So fix some basis and let Me be the matrix of this

mapping

Then any Me ndashMersquo is invertible because it corresponds to

multiplication by e-ersquo ne 0

Leads to protocol for proving you know square roots mod N of x1xn Size of proof per instance is exactly equal to one run of the classic GMR protocol

Also in Paper

Interesting connection between construction of Me and black-box

secret sharing

Most known efficent protocols (Schnorr G-Q ours) can be thought of as being based on a 2 out of T secret sharing scheme for very large T

P Va

e

z

P commits to randomness for ssV asks for ersquoth share of secret

Prover reveals requested share V checks share is correct

xw w secret x commitment to secret

Zero-knowledge because one share does reveal the secretSound because given two correct shares secret can be computed

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13
Page 13: On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

Also in Paper

Interesting connection between construction of Me and black-box

secret sharing

Most known efficent protocols (Schnorr G-Q ours) can be thought of as being based on a 2 out of T secret sharing scheme for very large T

P Va

e

z

P commits to randomness for ssV asks for ersquoth share of secret

Prover reveals requested share V checks share is correct

xw w secret x commitment to secret

Zero-knowledge because one share does reveal the secretSound because given two correct shares secret can be computed

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Slide 6
  • Slide 7
  • Slide 8
  • Slide 9
  • Slide 10
  • Slide 11
  • Slide 12
  • Slide 13

Dynamic Set: Amortized Analysis

Dynamic Set: Amortized Analysis

Multiparty Computation Ivan Damgård BRICS, Århus University.

Multiparty Computation Ivan Damgård BRICS, Århus University.

12 – Analisis Amortized

12 – Analisis Amortized

Århus 2017

Århus 2017

Secure Multiparty Computation Ivan Damgård, Department of Computer Science, Aarhus Universitet.

Secure Multiparty Computation Ivan Damgård, Department of Computer Science, Aarhus Universitet.

Amortized Computational Complexity

Amortized Computational Complexity

Århus 24..oktober 2013

Århus 24..oktober 2013

OffsetMerkle-Damgård(OMD)version1.0 ACAESARProposalOffsetMerkle-Damgård(OMD)version1.0 ACAESARProposal Simon Cogliani 1, Diana-Ştefania Maimuț , David Naccache , Rodrigo Portella

OffsetMerkle-Damgård(OMD)version1.0 ACAESARProposalOffsetMerkle-Damgård(OMD)version1.0 ACAESARProposal Simon Cogliani 1, Diana-Ştefania Maimuț , David Naccache , Rodrigo Portella

Amortized Loans

Amortized Loans

Amortized Analysis and Union-Find - WordPress.com · 2011-02-28 · Amortized Complexity of Quick-Find • Amortized analysis: • Each time x’s parent pointer changes the size

Amortized Analysis and Union-Find - WordPress.com · 2011-02-28 · Amortized Complexity of Quick-Find • Amortized analysis: • Each time x’s parent pointer changes the size

Udfordringer ved håndtering af massive datamængder ...gerth/slides/au-samvirke10.pdf · Gerth Stølting Brodal Universitets-Samvirket Århus, Statsbiblioteket, Århus, November

Udfordringer ved håndtering af massive datamængder ...gerth/slides/au-samvirke10.pdf · Gerth Stølting Brodal Universitets-Samvirket Århus, Statsbiblioteket, Århus, November

Amortized analysis - cs.bgu.ac.ilds202/wiki.files/13-amortized-analysis.pdf · The amortized time complexity of an operation is (1). 4 $1 push(S,5) 5 $1 Amortized analysis. Stack

Amortized analysis - cs.bgu.ac.ilds202/wiki.files/13-amortized-analysis.pdf · The amortized time complexity of an operation is (1). 4 $1 push(S,5) 5 $1 Amortized analysis. Stack

Emergency planning at ntnu århus

Emergency planning at ntnu århus

Amortized Analysis - Florida State Universityackerman/Fall2015/Notes/AmortizedAnalysis.pdf · • Amortized cost is the amount we charge – When amortized cost > actual cost, store

Amortized Analysis - Florida State Universityackerman/Fall2015/Notes/AmortizedAnalysis.pdf · • Amortized cost is the amount we charge – When amortized cost > actual cost, store

Amortized Analysis - dcc.fc.up.pt › ~pribeiro › aulas › alg1819 › slides › 3_amor… · Amortized complexity The amortized sequence complexity is the worst case sequence

Amortized Analysis - dcc.fc.up.pt › ~pribeiro › aulas › alg1819 › slides › 3_amor… · Amortized complexity The amortized sequence complexity is the worst case sequence

Tutorial: Multiparty Computation for Honest Majority Ivan Damgård Århus University.

Tutorial: Multiparty Computation for Honest Majority Ivan Damgård Århus University.

09. amortized analysis

09. amortized analysis

Amortized analysis

Amortized analysis

Amortized Efficiency Of List Editor Ellis Horowitz Update and Paging …sleator/papers/amortized-efficiency.pdf · Programming Data Structures Techniques and Amortized Efficiency

Amortized Efficiency Of List Editor Ellis Horowitz Update and Paging …sleator/papers/amortized-efficiency.pdf · Programming Data Structures Techniques and Amortized Efficiency

Amortized Analysis - Stanford Universityweb.stanford.edu/class/archive/cs/cs166/cs166.1186/lectures/07/Small07.pdf · Amortized Analysis An amortized analysis is a diferent way of

Amortized Analysis - Stanford Universityweb.stanford.edu/class/archive/cs/cs166/cs166.1186/lectures/07/Small07.pdf · Amortized Analysis An amortized analysis is a diferent way of