LIST DECODING OF HERMITIAN CODES USING GRÖBNER BASES
Contents 1 Introduction A Brief History of the Project, its Goals, and a

approach and some suggested experiments are described in Section 7. For many years there has been a small group of workers in artificial intelligence who have been much concerned with the problems and dangers inherent in the useful utilization of very intelligent machines. Some methods of reducing certain dangers are outlined in Section 6, along with the relevance of such studies to problems existing at the present time in administrative organizations. Although there is no prospect of very intelligent machines in the near future, the dangers posed are very serious and the problems very difficult. It would be well if a large number of intelligent humans devote a lot of thought to these problems before they arise. It is my feeling that the realization of artificial intelligence will be a sudden occurrence. At a certain point in the development of the research we will have had no practical experience with machine intelligence of any serious level: a month or so later, we will have a very intelligent machine and all the problems and dangers associated with our inexperience. It should be emphasized that the topics discussed in the present report are but a few culled from many thousands of pages of notes. These topics have been selected on the basis of timeliness, probability of utility by the scientific community, and degree of completion of work on each of the topics.
TCSM

Raed Mesleh∗ , Irina Stefan∗ , Harald Haas∗‡ and Peter M. Grant‡
I. INTRODUCTION

The wireless radio frequency channel generally poses several challenges on the system design. The physical layer of such systems has to deal with multipath propagation, interference and limited available spectrum. MIMO (multiple-input multiple-output) transmission technology constructively exploits multipath propagation to provide higher data throughput for the same given bandwidth [1]. One of the most promising MIMO techniques to achieve the expected high data rate is the proposed V-BLAST (vertical Bell Labs layered space-time) architecture [2]. In V-BLAST, the information bit stream is separated into substreams. All the symbols of a certain stream are transmitted through the same antenna (one stream per antenna). The substreams are cochannel signals, that is, they have the same frequency band. Therefore, as compared to a SISO (single-input-single-output)
Hamming Code

Hamming code (from Wikipedia, the free encyclopedia)

In telecommunication, a Hamming code is a linear error-correcting code named after its inventor, Richard Hamming. Hamming codes can detect up to two contiguous bit errors, and correct single-bit errors; thus, reliable communication is possible when the Hamming distance between the transmitted and received bit patterns is less than or equal to one. By contrast, the simple parity code cannot correct errors, and can detect only an odd number of errors.

In mathematical terms, Hamming codes are a class of binary linear codes. For each integer m there is a code with m parity bits and 2^m − m − 1 data bits. The parity-check matrix of a Hamming code is constructed by listing all columns of length m that are pairwise independent. Hamming codes are an example of perfect codes, codes that exactly match the theoretical upper bound on the number of distinct code words for a given number of bits and ability to correct errors.

Because of the simplicity of Hamming codes, they are widely used in computer memory (RAM). In particular, a single-error-correcting and double-error-detecting variant, commonly referred to as SECDED, is used there.

History

Hamming worked at Bell Labs in the 1940s on the Bell Model V computer, an electromechanical relay-based machine with cycle times in seconds. Input was fed in on punched cards, which would invariably have read errors. During weekdays, special code would find errors and flash lights so the operators could correct the problem. During after-hours periods and on weekends, when there were no operators, the machine simply moved on to the next job.

Hamming worked on weekends, and grew increasingly frustrated with having to restart his programs from scratch due to the unreliability of the card reader. Over the next few years he worked on the problem of error-correction, developing an increasingly powerful array of algorithms. In 1950 he published what is now known as Hamming Code, which remains in use today in applications such as ECC memory.

Codes predating Hamming

A number of simple error-detecting codes were used before Hamming codes, but none were as effective as Hamming codes for the same overhead of space.

Parity

Parity adds a single bit that indicates whether the number of 1 bits in the preceding data was even or odd. If an odd number of bits is changed in transmission, the message will change parity and the error can be detected at this point. (Note that the bit that changed may have been the parity bit itself!) The most common convention is that a parity value of 1 indicates that there is an odd number of ones in the data, and a parity value of 0 indicates that there is an even number of ones in the data. In other words: the data and the parity bit together should contain an even number of 1s.

Parity checking is not very robust, since if the number of bits changed is even, the check bit will be valid and the error will not be detected. Moreover, parity does not indicate which bit contained the error, even when it can detect it. The data must be discarded entirely and re-transmitted from scratch. On a noisy transmission medium, a successful transmission could take a long time or may never occur. However, while the quality of parity checking is poor, since it uses only a single bit, this method results in the least overhead. Furthermore, parity checking does allow for the restoration of an erroneous bit when its position is known.

Two-out-of-five code

A two-out-of-five code is an encoding scheme which uses five digits consisting of exactly three 0s and two 1s. This provides ten possible combinations, enough to represent the digits 0 to 9. This scheme can detect all single bit-errors and all odd-numbered bit-errors. However, it still cannot correct these errors.

Repetition

Another code in use at the time repeated every data bit several times in order to ensure that it got through. For instance, if the data bit to be sent was a 1, an n=3 repetition code would send "111". If the three bits received were not identical, an error occurred. If the channel is clean enough, most of the time only one bit will change in each triple. Therefore, 001, 010, and 100 each correspond to a 0 bit, while 110, 101, and 011 correspond to a 1 bit, as though the bits counted as "votes" towards what the original bit was. A code with this ability to reconstruct the original message in the presence of errors is known as an error-correcting code. This triple repetition code is actually the simplest Hamming code with m = 2, since there are 2 parity bits, and 2^2 − 2 − 1 = 1 data bit.

Such codes cannot correctly repair all errors, however. In our example, if the channel flipped two bits and the receiver got "001", the system would detect the error, but conclude that the original bit was 0, which is incorrect. If we increase the number of times we duplicate each bit to four, we can detect all two-bit errors but can't correct them (the votes "tie"); at five, we can correct all two-bit errors, but not all three-bit errors. Moreover, the repetition code is extremely inefficient, reducing throughput by three times in our original case, and the efficiency drops drastically as we increase the number of times each bit is duplicated in order to detect and correct more errors.

Hamming codes

If more error-correcting bits are included with a message, and if those bits can be arranged such that different incorrect bits produce different error results, then bad bits could be identified. In a 7-bit message, there are seven possible single bit errors, so three error control bits could potentially specify not only that an error occurred but also which bit caused the error.

Hamming studied the existing coding schemes, including two-of-five, and generalized their concepts. To start with, he developed a nomenclature to describe the system, including the number of data bits and error-correction bits in a block. For instance, parity includes a single bit for any data word, so assuming ASCII words with 7 bits, Hamming described this as an (8,7) code, with eight bits in total, of which 7 are data. The repetition example would be (3,1), following the same logic. The code rate is the second number divided by the first; for our repetition example, 1/3.

Hamming also noticed the problems with flipping two or more bits, and described this as the "distance" (it is now called the Hamming distance, after him). Parity has a distance of 2, as any two bit flips will be invisible. The (3,1) repetition has a distance of 3, as three bits need to be flipped in the same triple to obtain another code word with no visible errors. A (4,1) repetition (each bit is repeated four times) has a distance of 4, so flipping two bits can be detected, but not corrected. When three bits flip in the same group there can be situations where the code corrects towards the wrong code word.

Hamming was interested in two problems at once: increasing the distance as much as possible, while at the same time increasing the code rate as much as possible. During the 1940s he developed several encoding schemes that were dramatic improvements on existing codes. The key to all of his systems was to have the parity bits overlap, such that they managed to check each other as well as the data.

General algorithm

The following general algorithm generates a single-error correcting (SEC) code for any number of bits.

1. Number the bits starting from 1: bit 1, 2, 3, 4, 5, etc.
2. Write the bit numbers in binary: 1, 10, 11, 100, 101, etc.
3. All bit positions that are powers of two (have only one 1 bit in the binary form of their position) are parity bits.
4. All other bit positions, with two or more 1 bits in the binary form of their position, are data bits.
5. Each data bit is included in a unique set of 2 or more parity bits, as determined by the binary form of its bit position.
   1. Parity bit 1 covers all bit positions which have the least significant bit set: bit 1 (the parity bit itself), 3, 5, 7, 9, etc.
   2. Parity bit 2 covers all bit positions which have the second least significant bit set: bit 2 (the parity bit itself), 3, 6, 7, 10, 11, etc.
   3. Parity bit 4 covers all bit positions which have the third least significant bit set: bits 4–7, 12–15, 20–23, etc.
   4. Parity bit 8 covers all bit positions which have the fourth least significant bit set: bits 8–15, 24–31, 40–47, etc.
   5. In general each parity bit covers all bits where the binary AND of the parity position and the bit position is non-zero.

The form of the parity is irrelevant. Even parity is simpler from the perspective of theoretical mathematics, but there is no difference in practice.

This general rule can be shown visually (p = parity bit, d = data bit, X = position covered by that parity bit):

Bit position    1   2   3   4   5   6   7   8   9  10  11  12  13  14  15  16  17  18  19  20 ...
Encoded bit    p1  p2  d1  p4  d2  d3  d4  p8  d5  d6  d7  d8  d9 d10 d11 p16 d12 d13 d14 d15
p1 covers       X       X       X       X       X       X       X       X       X       X
p2 covers           X   X           X   X           X   X           X   X           X   X
p4 covers                   X   X   X   X                   X   X   X   X                   X
p8 covers                                   X   X   X   X   X   X   X   X
p16 covers                                                                  X   X   X   X   X

Shown are only 20 encoded bits (5 parity, 15 data) but the pattern continues indefinitely. The key thing about Hamming codes that can be seen from visual inspection is that any given bit is included in a unique set of parity bits.

To check for errors, check all of the parity bits. The pattern of errors, called the error syndrome, identifies the bit in error. If all parity bits are correct, there is no error. Otherwise, the sum of the positions of the erroneous parity bits identifies the erroneous bit. For example, if the parity bits in positions 1, 2 and 8 indicate an error, then bit 1+2+8 = 11 is in error. If only one parity bit indicates an error, the parity bit itself is in error.

As you can see, if you have m parity bits, they can cover bits from 1 up to 2^m − 1. If we subtract out the parity bits, we are left with 2^m − m − 1 bits we can use for the data. As m varies, we get all the possible Hamming codes:

Parity bits   Total bits   Data bits     Name
2             3            1             Hamming(3,1) (triple repetition code)
3             7            4             Hamming(7,4)
4             15           11            Hamming(15,11)
5             31           26            Hamming(31,26)
...
m             2^m − 1      2^m − m − 1   Hamming(2^m − 1, 2^m − m − 1)

If, in addition, an overall parity bit (bit 0) is included, the code can detect (but not correct) any two-bit error, making a SECDED code. The overall parity indicates whether the total number of errors is even or odd. If the basic Hamming code detects an error, but the overall parity says that there are an even number of errors, an uncorrectable 2-bit error has occurred.

Hamming codes with additional parity (SECDED)

These codes have a minimum distance of 3, which means that the code can detect and correct a single error, but a double bit error is indistinguishable from a different code word with a single bit error. Thus, they can detect double-bit errors only if correction is not attempted.

By including an extra parity bit, it is possible to increase the minimum distance of the Hamming code to 4. This gives the code the ability to detect and correct a single error and at the same time detect (but not correct) a double error. (It could also be used to detect up to 3 errors but not correct any.)

This code system is popular in computer memory systems, where it is known as SECDED ("single error correction, double error detection"). Particularly popular is the (72,64) code, a truncated (127,120) Hamming code plus an additional parity bit, which has the same space overhead as a (9,8) parity code.

Hamming(7,4) code

Figure: graphical depiction of the 4 data bits and 3 parity bits and which parity bits apply to which data bits.

In 1950, Hamming introduced the (7,4) code. It encodes 4 data bits into 7 bits by adding three parity bits. Hamming(7,4) can detect and correct single-bit errors. With the addition of an overall parity bit, it can also detect (but not correct) double-bit errors.

Construction of G and H

The matrix G is called a (canonical) generator matrix of a linear (n,k) code, and H is called a parity-check matrix. This is the construction of G and H in standard (or systematic) form. Regardless of form, G and H for linear block codes must satisfy a relation whose result is an all-zeros matrix [Moon, p. 89].

Since (7,4,3) = (n,k,d) = [2^m − 1, 2^m − 1 − m, m], the parity-check matrix H of a Hamming code is constructed by listing all columns of length m that are pair-wise independent. Thus H is a matrix whose left side is all of the nonzero n-tuples, where the order of the n-tuples in the columns of the matrix does not matter. The right hand side is just the (n−k)-identity matrix. So G can be obtained from H by taking the transpose of the left hand side of H, with the k-identity matrix on the left hand side of G.

The code generator matrix and the parity-check matrix are: (matrices not reproduced in this copy)

Finally, these matrices can be mutated into equivalent non-systematic codes by the following operations [Moon, p. 85]:
∙ Column permutations (swapping columns)
∙ Elementary row operations (replacing a row with a linear combination of rows)

Encoding

Example. From the above matrix we have 2^k = 2^4 = 16 codewords. The codewords of this binary code can be obtained from the generator matrix, with the coefficients a_i in F2 (a field with two elements, namely 0 and 1). Thus the codewords are all the 4-tuples (k-tuples). Therefore, (1,0,1,1) gets encoded as (1,0,1,1,0,1,0).

Hamming(7,4) code with an additional parity bit

Figure: the same (7,4) example from above with an extra parity bit.

The Hamming(7,4) can easily be extended to an (8,4) code by adding an extra parity bit on top of the (7,4) encoded word (see Hamming(7,4)). This can be summed up with the revised matrices (not reproduced in this copy). Note that H is not in standard form. To obtain G, elementary row operations can be used to obtain an equivalent matrix to H in systematic form. For example, the first row in this matrix is the sum of the second and third rows of H in non-systematic form. Using the systematic construction for Hamming codes from above, the matrix A is apparent and the systematic form of G is written accordingly. The non-systematic form of G can be row reduced (using elementary row operations) to match this matrix. The addition of the fourth row effectively computes the sum of all the codeword bits (data and parity) as the fourth parity bit.

For example, 1011 is encoded into 01100110 where blue digits are data; red digits are parity from the Hamming(7,4) code; and the green digit is the parity added by Hamming(8,4). The green digit makes the parity of the (7,4) code even.

Finally, it can be shown that the minimum distance has increased from 3, as with the (7,4) code, to 4 with the (8,4) code. Therefore, the code can be defined as Hamming(8,4,4).
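As an added worked example (not code from the Wikipedia article), the general positional algorithm, syndrome decoding and the SECDED extension described above implemented in Python. It reproduces the article's encodings of 1011, namely (1,0,1,1,0,1,0) in systematic order and 01100110 with the extra parity bit, and shows why a plain SEC code silently mis-corrects a double error while the SECDED variant reports it as uncorrectable; it also handles shortened codes such as (72,64). All sample inputs are constructed.

```python
"""Hamming SEC/SECDED encoder and decoder following the positional
construction above: bits are numbered from 1, positions that are powers of
two hold parity bits, parity bit p covers every position whose binary form
has bit p set, and the syndrome is the sum of the positions of the parity
checks that fail.  All sample inputs are constructed for this example."""


def is_parity_position(pos: int) -> bool:
    """Positions that are powers of two (a single 1 bit) carry parity."""
    return pos & (pos - 1) == 0


def hamming_encode(data, secded=False):
    """Encode a list of data bits into a positional codeword (index 0 holds
    bit 1).  Shortened codes such as (72,64) work as well.  With secded=True
    an overall even-parity bit over the whole codeword is appended last."""
    k = len(data)
    m = 0                                   # smallest m with 2^m - m - 1 >= k
    while (1 << m) - m - 1 < k:
        m += 1
    n = k + m                               # exactly m powers of two lie in 1..n
    code = [0] * n
    bits = iter(data)
    for pos in range(1, n + 1):             # data bits fill the non-parity slots
        if not is_parity_position(pos):
            code[pos - 1] = next(bits)
    for p in range(1, n + 1):               # each parity bit gives even parity
        if is_parity_position(p):           # over the positions it covers
            code[p - 1] = 0
            for pos in range(1, n + 1):
                if pos & p:
                    code[p - 1] ^= code[pos - 1]
    if secded:
        code.append(sum(code) % 2)
    return code


def syndrome(word):
    """Sum of the positions of the parity bits whose check fails (0 = clean)."""
    n = len(word)
    s = 0
    for p in range(1, n + 1):
        if is_parity_position(p):
            check = 0
            for pos in range(1, n + 1):
                if pos & p:
                    check ^= word[pos - 1]
            if check:
                s += p
    return s


def hamming_decode(received, secded=False):
    """Return (status, data_bits) with status 'ok', 'corrected' or
    'uncorrectable'; data_bits is None when the word cannot be repaired."""
    word = list(received)
    even_ok = True
    if secded:
        overall = word.pop()                # the overall parity bit came last
        even_ok = (sum(word) + overall) % 2 == 0
    n = len(word)
    s = syndrome(word)
    if secded and s and even_ok:
        # parity checks fail although the error count is even: two bits
        # flipped, which a plain SEC code would silently mis-correct
        return "uncorrectable", None
    if s > n:                               # shortened code: no such position
        return "uncorrectable", None
    status = "ok"
    if s:
        word[s - 1] ^= 1                    # single error sits at position s
        status = "corrected"
    elif secded and not even_ok:
        status = "corrected"                # only the overall parity bit flipped
    data = [word[i] for i in range(n) if not is_parity_position(i + 1)]
    return status, data


def to_systematic(code):
    """Reorder a plain (non-SECDED) positional codeword as [data | parity],
    the layout produced by a systematic generator matrix G = [I_k | A]."""
    n = len(code)
    data = [code[i] for i in range(n) if not is_parity_position(i + 1)]
    parity = [code[i] for i in range(n) if is_parity_position(i + 1)]
    return data + parity


if __name__ == "__main__":
    msg = [1, 0, 1, 1]                              # constructed sample data
    cw = hamming_encode(msg)
    print("Hamming(7,4):", cw, "systematic:", to_systematic(cw))
    cw8 = hamming_encode(msg, secded=True)
    print("Hamming(8,4):", cw8)
    one = list(cw8)
    one[4] ^= 1                                     # flip bit 5
    two = list(cw8)
    two[2] ^= 1                                     # flip bits 3 and 5
    two[4] ^= 1
    print("one error :", hamming_decode(one, secded=True))
    print("two errors:", hamming_decode(two, secded=True))
    print("SEC only  :", hamming_decode(two[:7]))   # mis-corrects silently
```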
direct chosen-ciphertext secure identity-based key encapsulation without random

Direct Chosen-Ciphertext Secure Identity-Based Encryption in the Standard Model with short Ciphertexts

Eike Kiltz, CWI Amsterdam, kiltz@cwi.nl

Abstract. We describe a practical identity-based encryption scheme that is secure in the standard model against chosen-ciphertext (IND-CCA2) attacks. Security is based on an assumption comparable to (but slightly stronger than) Bilinear Decisional Diffie-Hellman (BDDH). A comparison shows that our construction outperforms all known identity-based encryption schemes in the standard model and its performance is even comparable with the one from the random-oracle based Boneh/Franklin IBE scheme. Our proposed IBE scheme has furthermore the property that it fulfills some notion of "redundancy-freeness", i.e. the encryption algorithm is not only a probabilistic injection but also a surjection. As a consequence the ciphertext overhead is nearly optimal: to encrypt k bit messages for k bit identities and with k bit randomness we get 3k bit ciphertexts to guarantee (roughly) k bits of security.

Keywords: Chosen-ciphertext security, Identity-Based Encryption, Bilinear Maps.

1 Introduction

Identity-Based Encryption. An Identity-Based Encryption (IBE) scheme is a public-key (asymmetric) encryption scheme where any string such as email addresses, server names or phone numbers can be used as public keys. The ability to use identities as public keys largely reduces the need for public key certificates and certificate authorities to distribute public key certificates. After Shamir proposed the concept of IBE in 1984 [42] it remained an open problem for almost two decades to come up with a satisfying construction for it. In 2001, Boneh and Franklin [10] proposed formal security notions for IBE systems and designed a fully functional secure IBE scheme using bilinear maps. This scheme and the tools developed in its design have been successfully applied in numerous cryptographic settings, transcending by far the identity-based cryptography framework. Though invented relatively recently, IBE is
already intensively applied in practice (see, e.g., ). Furthermore, IBE is currently in the process of getting standardized: from February 2006 on, the new IEEE P1363.3 standard for "Identity-Based Cryptographic Techniques using Pairings" [28] accepts submissions. An alternative but less efficient IBE construction was proposed by Cocks [19] based on quadratic residues. Both IBE schemes provide security against chosen-ciphertext attacks (through Fujisaki-Okamoto [22]). In a chosen-ciphertext attack, the adversary is given access to a decryption oracle that allows him to obtain the decryptions of ciphertexts of his choosing. Intuitively, security in this setting means that an adversary obtains (effectively) no information about encrypted messages, provided the corresponding ciphertexts are never submitted to the decryption oracle. For different reasons, the notion of chosen-ciphertext security has emerged as the "right" notion of security for encryption schemes. We stress that, in general, chosen-ciphertext security is a much stronger security requirement than security against chosen-plaintext attacks [3], where in the latter an attacker is not given access to the decryption oracle. The drawback of the IBE schemes from Boneh-Franklin and Cocks is that security can only be guaranteed in the random oracle model [4], i.e. in an idealized world where all parties magically get black-box access to a truly random function. Unfortunately a proof in the random oracle model can only serve as a heuristic argument and has been shown to possibly lead to insecure schemes when the random oracles are implemented in the standard model (see, e.g., [13]).

Waters' IBE. To fill this gap Waters [45] presents the first efficient Identity-Based Encryption scheme that is chosen-plaintext secure without random oracles. The proof of his scheme makes use of an algebraic method first used by Boneh and Boyen [7] and security of the scheme is based on the Bilinear Decisional Diffie-Hellman (BDDH) assumption. However, Waters' plain IBE scheme only guarantees security against
passive adversaries (chosen-plaintext security).

From 2-level Hierarchical IBE to chosen-ciphertext secure IBE. Hierarchical identity-based encryption (HIBE) [27, 24] is a generalization of IBE allowing for hierarchical delegation of decryption keys. Recent results from Canetti, Halevi, and Katz [14], further improved upon by Boneh and Katz [11], show a generic and practical transformation from any chosen-plaintext secure 2-level HIBE scheme to a chosen-ciphertext secure IBE scheme. Since Waters' IBE scheme can naturally be extended to a 2-level HIBE this implies the first efficient chosen-ciphertext secure IBE in the standard model. Key size, as well as the security reduction of the resulting scheme, are comparable to the ones from Waters' IBE. However, the transformation involves some symmetric overhead to the ciphertext in the form of a one-time signature or a MAC with their respective keys. The first "direct" (non 2-level HIBE based) chosen-ciphertext IBE construction in the standard model was mentioned by Boyen, Mei, and Waters [12] and later improved by Galindo and Kiltz [29].
Both constructions are based on Waters' IBE and add one additional element to the ciphertext that is used for a consistency check in the decryption algorithm. However, in terms of ciphertext size and performance this did not introduce a dramatic improvement over the generic 2-level HIBE based constructions.

Identity-based key encapsulation. Instead of providing the full functionality of an IBE scheme, in many applications it is sufficient to let sender and receiver agree on a common random session key. This can be accomplished with an identity-based key encapsulation mechanism (IB-KEM) as formalized in [21, 6]. Any IB-KEM can be updated to a full IBE scheme by adding a symmetric encryption scheme. The latter is also called a data encapsulation mechanism (DEM), and the resulting identity-based encryption scheme is called a hybrid IBE scheme. If both the IB-KEM and the DEM are chosen-ciphertext secure, then the hybrid IBE scheme is also chosen-ciphertext secure. We note that chosen-ciphertext secure DEMs can be created from relatively weak primitives such as a one-time symmetric encryption scheme (e.g., a one-time pad) plus a message authentication code (MAC). In the public-key setting most standards are given in terms of KEM primitives and we find it very likely that the upcoming IEEE P1363.3 standard [28] will also follow this principle. We therefore decided to focus in this paper on IB-KEMs only.

1.1 Our Contributions

A new chosen-ciphertext secure IB-KEM/IBE scheme. Based on Waters' chosen-plaintext secure IBE scheme we present a new and direct identity-based key encapsulation mechanism with short ciphertexts and very efficient encapsulation/decapsulation algorithms. Chosen-ciphertext security is obtained at sheer optimal cost: compared to Waters' raw chosen-plaintext secure IBE scheme (viewed as an IB-KEM) our scheme comes with the same ciphertext overhead, whereas the computational overhead is one more exponentiation for encapsulation and two more exponentiations for decapsulation. We give a rigorous game-based
proof reducing chosen-ciphertext security of our scheme to breaking the modified Bilinear Decisional Diffie-Hellman assumption (mBDDH), an assumption closely related to BDDH. By adding a one-time secure symmetric encryption scheme and a MAC we obtain a new hybrid IBE scheme with short ciphertexts using the IB-KEM/DEM methodology [6].

An identity-preserving redundancy-free IBE scheme in the standard model. It is furthermore possible to obtain a full IBE scheme with shorter ciphertexts by using DEMs based on super pseudorandom permutations [38] that avoid the usual overhead due to the MAC. Then ciphertexts of our IBE come with minimal overhead, i.e. they are identity-preserving redundancy-free. Following Phan and Pointcheval [37] this property means that the IBE encryption algorithm (viewed as a mapping from randomness space, identity space, and message space into the ciphertext space) is a bijection. Consequently all possible ciphertexts in the ciphertext space are reachable by the encryption algorithm; shrinking the ciphertext any further is not possible. Our construction is the first identity-preserving redundancy-free IBE scheme in the standard model. The existence of such redundancy-free DEMs (super pseudorandom permutations) is a quite strong assumption and the resulting schemes are computationally very inefficient.
To this end we propose a direct construction of an identity-preserving redundancy-free IBE scheme based only on the mBDDH assumption. A (stronger) notion of redundancy-free IBE schemes further requires that for any possible identity from the identity space the encryption algorithm (now viewed as a mapping from randomness space and message space into the ciphertext space) is a bijection. Obtaining such strongly redundancy-free IBE schemes is possible but they are only known to exist in the random oracle model and under the highly non-standard "gap-BDDH" assumption [31]. We find even the existence of identity-preserving redundancy-free IBE schemes in the standard model particularly remarkable since in the standard public-key encryption setting redundancy-free schemes (in the sense of [37]) are not known to exist. We further remark that the ciphertexts of our IBE scheme have the same message expansion as the most efficient standard public-key encryption schemes (like Kurosawa/Desmedt [30] and BMW [12]), i.e. compared to standard PKE we obtain identity-based encryption with no overhead.

Extensions. Furthermore, we present a couple of extensions of our IB-KEM including a chosen-ciphertext secure hierarchical identity-based KEM with short ciphertexts.

The mBDDH assumption and its relation to known assumptions. As a by-product we formalize and study our new mBDDH assumption and relate its hardness to well-known pairing-based "standard assumptions". In particular we show that "2-BDDHI is at least as strong as mBDDH is at least as strong as BDDH". The 2-BDDHI (2-Bilinear Decisional Diffie-Hellman Inversion) assumption was introduced by Boneh and Boyen [7] and its stronger variants (q-BDDHI for some polynomial q) already found numerous applications in [7, 8, 9, 35].

1.2 Related Work and Comparison

In [12] it was shown how to use "identity-based techniques" from [14] to obtain direct chosen-ciphertext secure public-key encryption schemes. The techniques from [12] basically rely on combining [14] with a trick already appearing in a
paper by Cramer and Shoup [20] to use a (target collision resistant) hash function to "tie" some elements in the ciphertext together. As we already pointed out, chosen-ciphertext secure IBE schemes were known to exist using generic reductions [14] based on Waters' 2-level HIBE [45]. The first direct chosen-ciphertext secure IBE scheme was mentioned in [12]. Improving on the results from [12], the first concrete full construction with a formal security proof was provided in [29]. The latter scheme can be seen as combining the 2-level HIBE scheme obtained from Waters' IBE at the first level and Boneh-Boyen [7] at the second level with the "direct chosen-ciphertext secure techniques" from [12] to obtain a direct chosen-ciphertext secure IBE scheme. Compared to Waters' chosen-plaintext secure IBE scheme, the latter direct construction adds one additional redundant element to the ciphertext. Like in the construction from [12] this element is used as a "validity check" to defend against invalid ciphertexts, where the check had to be carried out using bilinear pairings. A similar validity check is implicitly contained in the generic constructions based on 2-level HIBEs [14]. The main idea of our new scheme is to encode the information necessary for the validity check into Waters' original ciphertext. More precisely, we were able to encode the consistency information in the ciphertext element containing the receiver's identity. This more efficient encoding also enables us to perform a more efficient decryption. In a broader view our new scheme can also be seen as combining the 2-level HIBE scheme obtained using the construction from Boneh-Boyen-Goh [9] with Waters' IBE at the first level and Boneh-Boyen [7] at the second level, with some variant of the techniques from [12] to obtain a direct chosen-ciphertext secure IBE scheme. However, we want to stress that it is not obvious if the Boneh-Boyen-Goh [9] HIBE can be instantiated with Waters' technique to get a fully secure HIBE scheme, similar to the one described above, nor if the technique
of [20, 12] can be applied to the latter construction to obtain a direct chosen-ciphertext secure IBE scheme. In some sense our results answer the two above questions in the positive. However, we consider our specific scheme and its proof of security as novel contributions that are not self-evident given the state of our knowledge in this area. In this context we want to repeat again that unlike the construction given in [12] our direct chosen-ciphertext technique does not expand the ciphertext by one element. Unfortunately it does not seem to be applicable to the original public-key setting to obtain shorter ciphertexts in [12].

A comparison with chosen-ciphertext secure IBE schemes in the standard model. We will (in Section 6) carefully review all known chosen-ciphertext secure IBE constructions, including the above proposals, and make an extensive comparison with our scheme. In terms of ciphertext expansion our IBE scheme saves (at least) one group element compared to all so far known constructions, which makes a relative saving of 33% (i.e., two instead of three elements). The relative savings for encryption/decryption are (at least) one exponentiation and one pairing plus one exponentiation, respectively, which again sums up to a relative saving of (roughly) 33%. We conclude that, to the best of our knowledge, the proposed IBE scheme is the most efficient chosen-ciphertext secure IBE scheme in the standard model.

A comparison with the Boneh/Franklin random oracle IBE scheme. Using recent experimental data for atomic primitives (such as exponentiations and pairings) from Granger, Page, and Smart [26] we estimate the efficiency of a possible implementation of our scheme using asymmetric pairings over non-singular elliptic curves. We make a careful comparison at various practical security levels with the only IBE scheme that is currently employed in practice: the IBE scheme from Boneh and Franklin [10], which is only known to be secure in the random oracle model. It turns out that the efficiency of our scheme is
comparable to the one from Boneh and Franklin—ciphertext expansion is more or less the same and encryption is a factor of3to10faster(depending on the chosen security parameter),whereas decryption is about1.5to3times slower.We conclude that our scheme has ciphertext size and efficiency comparable to the random oracle based Boneh/Franklin IBE scheme. Recent Results.Very recently(and independent from our work)Gentry presents another practical and direct chosen-ciphertext secure IBE scheme without random oracles[23],based on different tech-niques.We remark that our scheme is still more efficient than Gentry’s IBE scheme,in particular our ciphertexts are shorter by one group element.Furthermore,the security of Gentry’s scheme is based on a much stronger and new assumption(related to the q-BDDHI assumption).2Definitions2.1NotationIf x is a string,then|x|denotes its length,while if S is a set then|S|denotes its size.If k∈N then1k denotes the string of k ones.If S is a set then s$←S denotes the operation of picking an element s of S uniformly at random.We write A(x,y,...)to indicate that A is an algorithm with inputs x,y,... 
and by $z \xleftarrow{\$} A(x,y,\dots)$ we denote the operation of running $A$ with inputs $(x,y,\dots)$ and letting $z$ be the output. We write $A^{O_1,O_2,\dots}(x,y,\dots)$ to indicate that $A$ is an algorithm with inputs $x,y,\dots$ and access to oracles $O_1,O_2,\dots$, and by $z \xleftarrow{\$} A^{O_1,O_2,\dots}(x,y,\dots)$ we denote the operation of running $A$ with inputs $(x,y,\dots)$ and access to oracles $O_1,O_2,\dots$, and letting $z$ be the output.

2.2 Secure Identity Based Key Encapsulation

An identity-based key-encapsulation mechanism (IB-KEM) scheme [42,10] $\mathit{IBKEM} = (\mathsf{Setup}, \mathsf{Extract}, \mathsf{Encaps}, \mathsf{Decaps})$ consists of four polynomial-time algorithms. Via $(pk, msk) \xleftarrow{\$} \mathsf{Setup}(1^k)$ the randomized key-generation algorithm produces master keys for security parameter $k \in \mathbb{N}$; via $usk[id] \xleftarrow{\$} \mathsf{Extract}(msk, id)$ the master computes the secret key for identity $id$; via $(C, K) \xleftarrow{\$} \mathsf{Encaps}(pk, id)$ a sender creates a random session key $K$ and a corresponding ciphertext $C$ with respect to identity $id$; via $K \leftarrow \mathsf{Decaps}(usk, C)$ the possessor of secret key $usk$ decapsulates ciphertext $C$ to get back a session key $K$. Associated to the scheme is a key space $\mathsf{KeySp}$. For consistency, we require that for all $k \in \mathbb{N}$, all identities $id$, and all $(C, K) \xleftarrow{\$} \mathsf{Encaps}(pk, id)$, we have $\Pr[\mathsf{Decaps}(\mathsf{Extract}(msk, id), C) = K] = 1$, where the probability is taken over the choice of $(pk, msk) \xleftarrow{\$} \mathsf{Setup}(1^k)$ and the coins of all the algorithms in the expression above.

The strongest and commonly accepted notion of security for an identity-based key encapsulation scheme is that of indistinguishability against an adaptive chosen-ciphertext attack. This notion, denoted IND-CCA, is defined using the following game between a challenger and an adversary $A$. Let $\mathit{IBKEM} = (\mathsf{Setup}, \mathsf{Extract}, \mathsf{Encaps}, \mathsf{Decaps})$ be an IB-KEM with associated key space $\mathsf{KeySp}$. To an adversary $A$ we associate the following experiment:

Experiment $\mathbf{Exp}^{\mathrm{ind\text{-}cca}}_{\mathit{IBKEM},A}(k)$
  $(pk, msk) \xleftarrow{\$} \mathsf{Setup}(1^k)$
  $(id^*, st) \xleftarrow{\$} A^{\mathsf{Extract}(\cdot),\mathsf{Decaps}(\cdot,\cdot)}(\mathrm{find}, pk)$
  $K_0^* \xleftarrow{\$} \mathsf{KeySp}$; $(C^*, K_1^*) \xleftarrow{\$} \mathsf{Encaps}(pk, id^*)$
  $\gamma \xleftarrow{\$} \{0,1\}$; $K^* \leftarrow K^*_\gamma$
  $\gamma' \xleftarrow{\$} A^{\mathsf{Extract}(\cdot),\mathsf{Decaps}(\cdot,\cdot)}(\mathrm{guess}, K^*, C^*, st)$
  If $\gamma = \gamma'$ then return 0 else return 1

The oracle $\mathsf{Extract}(id)$ returns $sk[id] \xleftarrow{\$} \mathsf{Extract}(sk, id)$ with the restriction
that $A$ is not allowed to query oracle $\mathsf{Extract}(\cdot)$ for the target identity $id^*$. The oracle $\mathsf{Decaps}(id, C)$ first computes $sk[id] \xleftarrow{\$} \mathsf{Extract}(sk, id)$ and then returns $K \leftarrow \mathsf{Decaps}(sk[id], id, C)$ with the restriction that in the guess stage $A$ is not allowed to query oracle $\mathsf{Decaps}(\cdot,\cdot)$ for the tuple $(id^*, C^*)$. Here (and in contrast to the weaker original security definition [10]¹) the output of $\mathsf{Extract}(id)$ is stored internally by the experiment and multiple queries to $\mathsf{Decaps}(id, \cdot)$ are answered with respect to the same user secret key $sk[id]$. The variable $st$ represents some internal state information of adversary $A$ and can be any (polynomially bounded) string. We define the advantage of $A$ in the chosen-ciphertext experiment as
$$\mathbf{Adv}^{\mathrm{ind\text{-}cca}}_{\mathit{IBKEM},A}(k) = \left| \Pr\left[\mathbf{Exp}^{\mathrm{ind\text{-}cca}}_{\mathit{IBKEM},A}(k) = 1\right] - \tfrac{1}{2} \right|.$$
An IB-KEM $\mathit{IBKEM}$ is said to be secure against chosen-ciphertext attacks (CCA secure) if the advantage function $\mathbf{Adv}^{\mathrm{ind\text{-}cca}}_{\mathit{IBKEM},A}(k)$ is a negligible function in $k$ for all polynomial-time adversaries $A$.

We stress that storing $sk[id]$ when answering decapsulation queries is an important detail when modeling the idea of a chosen-ciphertext attack for IB-KEMs. In practice [43], decapsulation queries for some identity will be answered by one single user holding one fixed user secret key. We also mention that by using the original definition from [10], i.e. relaxing this to answering decapsulation queries using a freshly generated user secret key, one may obtain more efficient schemes since now decapsulation may take benefit of the randomness used in key derivation. In fact, it is easy to verify that our IB-KEM without (implicit) consistency check already satisfies this weaker variant of CCA security. We remark that our security definition is given with respect to "full-identity" attacks, as opposed to the much weaker variant of "selective-identity" attacks where the adversary has to commit to its

¹ We note that the IBE schemes presented in [10] have deterministic key derivation and hence remain secure under this stronger definition.
target identity $id^*$ in advance, even before seeing the public key.

3 Assumptions

3.1 Parameter generation algorithms for Bilinear Groups

All pairing based schemes will be parameterized by a pairing parameter generator. This is a PTA $\mathcal{G}$ that on input $1^k$ returns the description of a multiplicative cyclic group $\mathbb{G}$ of prime order $p$, where $2^k < p < 2^{k+1}$, the description of a multiplicative cyclic group $\mathbb{G}_T$ of the same order, and a non-degenerate bilinear pairing $\hat{e} : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$. See [10] for a description of the properties of such pairings. We use $\mathbb{G}^*$ to denote $\mathbb{G} \setminus \{1\}$, i.e. the set of all group elements except the neutral element. Throughout the paper we use $\mathcal{PG} = (\mathbb{G}, \mathbb{G}_T, p, \hat{e}, g)$ as shorthand for the description of bilinear groups, where $g$ is a generator of $\mathbb{G}$.

3.2 The modified BDDH assumption

Let $\mathcal{PG}$ be the description of pairing groups. Consider the following problem: given $(g, g^a, g^b, g^{(b^2)}, g^c, W) \in \mathbb{G}^5 \times \mathbb{G}_T$ as input, output yes if $W = \hat{e}(g,g)^{abc}$ and no otherwise. The mBDDH assumption states, roughly, that this problem is computationally infeasible. Note that this is nearly the standard BDDH assumption (see Appendix D for a formal definition), with the only difference that with mBDDH a distinguisher is additionally provided with the element $g^{(b^2)}$ (which is hard to compute from $g^b$). More formally, to a parameter generation algorithm for pairing groups $\mathcal{G}$ and an adversary $B$ we associate the following experiment.

Experiment $\mathbf{Exp}^{\mathrm{mbddh}}_{\mathcal{G},B}(1^k)$
  $\mathcal{PG} \xleftarrow{\$} \mathcal{G}(1^k)$
  $a, b, c, w \xleftarrow{\$} \mathbb{Z}_p^*$
  $\beta \xleftarrow{\$} \{0,1\}$
  If $\beta = 1$ then $W \leftarrow \hat{e}(g,g)^{abc}$ else $W \leftarrow \hat{e}(g,g)^w$
  $\beta' \xleftarrow{\$} B(1^k, \mathcal{PG}, g, g^a, g^b, g^{b^2}, g^c, W)$
  If $\beta = \beta'$ then return 0 else return 1

We define the advantage of $B$ in the above experiment as
$$\mathbf{Adv}^{\mathrm{mbddh}}_{\mathcal{G},B}(k) = \left| \Pr\left[\mathbf{Exp}^{\mathrm{mbddh}}_{\mathcal{G},B}(1^k) = 1\right] - \tfrac{1}{2} \right|.$$
We say that the modified Bilinear Decision Diffie-Hellman (mBDDH) assumption relative to generator $\mathcal{G}$ holds if $\mathbf{Adv}^{\mathrm{mbddh}}_{\mathcal{G},B}$ is a negligible function in $k$ for all PTAs $B$.

3.3 Relation to BDDH and q-BDDHI

The next lemma classifies the strength of the modified BDDH assumption we introduced between the well known
standard pairing-based assumptions BDDH and 2-BDDHI (see Appendix D for definitions). Here "A ≤ B" means that assumption B implies assumption A (in a black-box sense), i.e. assumption B is a stronger assumption than A.

Lemma 3.1 BDDH ≤ mBDDH ≤ 2-BDDHI ≤ 3-BDDHI ≤ ...

The simple proof is postponed until Appendix D.3. Since 2-BDDHI is known to hold in the generic-group model [8], this in particular implies the correctness of the mBDDH assumption in generic groups.

4 A chosen-ciphertext secure IB-KEM based on mBDDH

In this section we present our new chosen-ciphertext secure IB-KEM. Let $\mathcal{PG} = (\mathbb{G}, \mathbb{G}_T, p, \hat{e}, g)$ be public system parameters obtained by running the group parameter algorithm $\mathcal{G}(1^k)$.

4.1 Waters' Hash

We review the hash function $H : \{0,1\}^n \to \mathbb{G}$ used in Waters' identity based encryption scheme [45]. On input of $\mathbb{G}$ and an integer $n$, the randomized hash key generator $\mathsf{HGen}(\mathbb{G}; n)$ chooses $n+1$ random group elements $h_0, \dots, h_n \in \mathbb{G}$ and returns $h = (h_0, h_1, \dots, h_n) \in \mathbb{G}^{n+1}$ as the public description of the hash function. The hash function $H : \{0,1\}^n \to \mathbb{G}^*$ is evaluated on a string $id = (id_1, \dots, id_n) \in \{0,1\}^n$ as the product
$$H(id) = h_0 \prod_{i=1}^{n} h_i^{id_i} \in \mathbb{G}.$$
In Appendix E.1 we remind the reader of Waters' original chosen-plaintext secure IBE scheme.

4.2 The IB-KEM Construction

Let $\mathsf{TCR} : \mathbb{G} \to \mathbb{Z}_p$ be a target collision-resistant hash function (i.e. given $t = \mathsf{TCR}(a)$ for a random $a \in \mathbb{G}$ it should be hard to find $b \in \mathbb{G} \setminus \{a\}$ such that $\mathsf{TCR}(b) = t$; a formal definition can be looked up in Appendix B). Our IB-KEM with identity space $\mathsf{IDSp} = \{0,1\}^n$ ($n = n(k)$) and key space $\mathsf{KeySp} = \mathbb{G}_T$ is depicted in Figure 1. We call a (possibly malformed) ciphertext $C = (c_1, c_2) \in \mathbb{G}^2$ consistent (w.r.t. identity $id$ and public key $pk$) if $(g, c_1, H(id) \cdot u^t, c_2)$ is a Diffie-Hellman tuple², where $t = \mathsf{TCR}(c_1)$. A correctly generated ciphertext for identity $id$ has the form $C = (c_1, c_2) = (g^r, (H(id) \cdot u^t)^r)$ and therefore $(g, c_1, H(id) \cdot u^t, c_2) = (g, g^r, H(id) \cdot u^t, (H(id) \cdot u^t)^r)$ is always a DH tuple and consequently $C$ is consistent. Testing for a DH tuple is equivalent to checking if $\hat{e}(g, c_2) = \hat{e}(H(id) \cdot u^t, c_1)$ and therefore consistency of $C$ can be implemented by
evaluating the bilinear map twice. Note that this consistency test can be performed by anybody knowing the public key only. This property is called "public verification" of the ciphertext.

² A tuple $(g, g^a, g^b, g^c) \in \mathbb{G}^4$ is said to be a Diffie-Hellman tuple (DH tuple) if $ab = c \bmod p$.

Figure 1: Our chosen-ciphertext secure identity-based key encapsulation.

$\mathsf{Setup}(1^k)$
  $\alpha, u \xleftarrow{\$} \mathbb{G}^*$; $z \leftarrow \hat{e}(g, \alpha)$; $H \xleftarrow{\$} \mathsf{HGen}(\mathbb{G}; n)$
  $pk \leftarrow (H, u, z) \in \mathbb{G}^{n+1} \times \mathbb{G} \times \mathbb{G}_T$
  $sk \leftarrow \alpha \in \mathbb{G}$
  Return $(pk, sk)$

$\mathsf{Extract}(sk, id)$
  $s \xleftarrow{\$} \mathbb{Z}_p$
  $sk[id] \leftarrow (\alpha \cdot H(id)^s, g^s, u^s) \in \mathbb{G}^3$
  Return $sk[id]$

$\mathsf{Encaps}(pk, id)$
  $r \xleftarrow{\$} \mathbb{Z}_p^*$
  $c_1 \leftarrow g^r$; $t \leftarrow \mathsf{TCR}(c_1)$
  $c_2 \leftarrow (H(id) \cdot u^t)^r$
  $K \leftarrow z^r \in \mathbb{G}_T$
  $C \leftarrow (c_1, c_2) \in \mathbb{G}^2$
  Return $(C, K)$

$\mathsf{Decaps}(pk, id, sk[id], C)$
  Parse $C$ as $(c_1, c_2)$
  Parse $sk[id]$ as $(d_1, d_2, d_3)$
  $t \leftarrow \mathsf{TCR}(c_1)$
  $v \xleftarrow{\$} \mathbb{Z}_p^*$
  Return $K \leftarrow \dfrac{\hat{e}(d_1 \cdot d_3^t \cdot (H(id) \cdot u^t)^v,\ c_1)}{\hat{e}(g^v \cdot d_2,\ c_2)}$

4.3 Alternative Decapsulation

We now describe an alternative deterministic decapsulation algorithm which is more intuitive but less efficient. We claim that the decapsulation algorithm from Figure 1 is equivalent to:
1. Compute $t = \mathsf{TCR}(c_1)$ and check if $(g, c_1, H(id) \cdot u^t, c_2)$ is a DH tuple. If not, a random session key $K$ is returned (or the ciphertext gets rejected).
2. Otherwise return $K \leftarrow \hat{e}(c_1, d_1 \cdot d_3^t) / \hat{e}(c_2, d_2)$.

To prove this claim we define the function $\Delta(C) = \hat{e}(c_1, H(id) u^t) / \hat{e}(g, c_2)$. Then $\Delta(C) = 1$ if and only if $C$ is consistent. Consequently, for a random $v \in \mathbb{Z}_p^*$, $K = \hat{e}(d_1 \cdot d_3^t, c_1) / \hat{e}(d_2, c_2) \cdot (\Delta(C))^v \in \mathbb{G}_T^*$ evaluates to $\hat{e}(d_1 \cdot d_3^t, c_1) / \hat{e}(d_2, c_2)$ if $C$ is consistent and to a random group element otherwise. The claim then follows by
$$K = \frac{\hat{e}(c_1, d_1 \cdot d_3^t)}{\hat{e}(c_2, d_2)} \cdot (\Delta(C))^v = \frac{\hat{e}(c_1, d_1 \cdot d_3^t)}{\hat{e}(c_2, d_2)} \cdot \left( \frac{\hat{e}(c_1, H(id) u^t)}{\hat{e}(g, c_2)} \right)^v = \frac{\hat{e}(c_1, d_1 \cdot d_3^t \cdot (H(id) u^t)^v)}{\hat{e}(c_2, g^v \cdot d_2)}.$$
We remark that the original decapsulation algorithm roughly saves two pairing operations. We now show correctness of the scheme, i.e. that the $K$ computed in the encapsulation algorithm matches the key $K$ computed in the alternative decapsulation algorithm. We already showed that a correctly generated ciphertext is
always consistent. A correctly generated secret key for identity $id$ has the form $sk[id] = (d_1, d_2, d_3) = (\alpha \cdot H(id)^s, g^s, u^s)$. Therefore the key decapsulation algorithm computes the key $K$ as
$$\begin{aligned}
K &= \hat{e}(c_1, d_1 \cdot d_3^t) / \hat{e}(c_2, d_2) \\
  &= \hat{e}(g^r, \alpha H(id)^s \cdot (u^s)^t) / \hat{e}((H(id) \cdot u^t)^r, g^s) \\
  &= \hat{e}(g^r, \alpha) \cdot \hat{e}(g^r, H(id)^s \cdot (u^s)^t) / \hat{e}((H(id) \cdot u^t)^r, g^s) \\
  &= z^r \cdot \hat{e}(g^r, (H(id) \cdot u^t)^s) / \hat{e}((H(id) \cdot u^t)^s, g^r) \\
  &= z^r,
\end{aligned}$$
as the key computed in the encapsulation algorithm. This shows correctness.

4.4 Security

Theorem 4.1 Assume $\mathsf{TCR}$ is a target collision resistant hash function. Under the modified Bilinear Decisional Diffie-Hellman (mBDDH) assumption relative to generator $\mathcal{G}$, the IB-KEM from Section 4.2 is secure against chosen-ciphertext attacks. In particular, given an adversary $A$ attacking the chosen-ciphertext security of the IB-KEM with advantage $\varepsilon_A = \mathbf{Adv}^{\mathrm{ind\text{-}cca}}_{\mathit{IBKEM},A}$ and running time $\mathrm{Time}_A(k)$ we construct an adversary $B$ breaking the mBDDH assumption with advantage $\varepsilon_B = \mathbf{Adv}^{\mathrm{mbddh}}_{\mathcal{G},B}(k)$ and running time $\mathrm{Time}_B(k)$ with
$$\varepsilon_B(k) \ge \frac{\varepsilon_A(k) - \mathbf{Adv}^{\mathrm{hash\text{-}tcr}}_{\mathsf{TCR},H}(k)}{8(n+1)q} - \frac{q}{p}; \qquad \mathrm{Time}_B(k) \le \mathrm{Time}_A + \tilde{O}(nq \cdot \varepsilon_A^{-2}(k)),$$
where $q$ is an upper bound on the number of key derivation/decapsulation queries made by adversary $A$. The proof of Theorem 4.1 will be given in Appendix C. It uses ideas from Waters [45] and is given in the game-based style of [29].

5 Extensions

5.1 (Redundancy-free) Identity-Based Encryption

In this section we present various (known) extensions of our IBE construction, some of which are critical for its application. Given an IB-KEM and a symmetric encryption scheme, a hybrid identity-based encryption scheme can be obtained by using the IB-KEM to securely transport a random session key that is fed into the symmetric encryption scheme (also called data encapsulation mechanism, DEM) to encrypt the plaintext message. It was recently shown in [6] that if both the IB-KEM and the DEM are chosen-ciphertext secure, then the resulting hybrid encryption is also chosen-ciphertext secure.
The security reduction is tight. A DEM secure against chosen-ciphertext attacks can be built from relatively weak primitives, i.e. from any one-time symmetric encryption scheme by essentially adding a MAC. For concreteness we mention that a chosen-ciphertext secure IBE scheme can be built from our IB-KEM construction with the additional overhead of a DEM which consists of a (one-time secure) symmetric encryption plus an additional 128 bits for the MAC. Furthermore, Phan and Pointcheval [38] showed that super pseudo-random permutations directly imply redundancy-free chosen-ciphertext secure DEMs that avoid the usual overhead due to the MAC.

At an abstract level, for each identity $id$ from identity space $\mathsf{IDSp}$, an IBE encryption algorithm $\mathsf{IBEenc}_{id}$ can be viewed as a mapping
$$\mathsf{IBEenc}_{id} : \mathsf{RandSp} \times \mathsf{MsgSp} \to \mathsf{CipherSp},$$
where $\mathsf{RandSp}$ is the randomness space, $\mathsf{MsgSp}$ is the message space, and $\mathsf{CipherSp}$ is the ciphertext space. That also implies that decrypting a fixed ciphertext with respect to different identities must consequently lead to distinct plaintexts. By our security definition we need a sufficiently large randomness space, since otherwise the IBE scheme is not even indistinguishable against chosen-plaintext attacks [25]. Following Phan and Pointcheval [37] we say that an IBE scheme is redundancy-free if for any possible identity $id$ the above encryption mapping $\mathsf{IBEenc}_{id}$ is a bijection, i.e. if all elements
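To make the algebra of Figure 1 and Section 4.3 concrete, the following Python model runs the IB-KEM end to end. It is an added example, not code from the paper: every group element $g^x$ is stored as its exponent $x \bmod p$ and $\hat{e}(g,g)^y$ as $y \bmod p$, so the pairing becomes multiplication of exponents. That makes the model useless as a cryptosystem (discrete logs are known to everybody by construction) but lets one check correctness, the public consistency test, and that the randomised decapsulation returns $z^r$ on a consistent ciphertext and a $v$-dependent random key on a malformed one. The prime $p = 2^{127}-1$, the identity length $n = 8$ and the SHA-256 based $\mathsf{TCR}$ are assumptions of the example.

```python
# Added example (not from the paper): an exponent-only model of the IB-KEM of Figure 1.
# Every group element g^x is stored as its discrete log x mod P and e(g,g)^y as y mod P, so
# the pairing is multiplication of exponents.  This checks the algebra of the scheme
# (correctness, the public consistency test, and the equivalence of the two decapsulation
# algorithms); it is NOT a secure implementation, since discrete logs are known by construction.
import hashlib
import secrets

P = 2**127 - 1   # assumption: a prime standing in for the group order p (real schemes use a pairing-friendly curve)
N = 8            # assumption: identity bit-length n


def pair(x, y):            # e(g^x, g^y) = e(g,g)^{xy}
    return (x * y) % P


def gmul(*xs):             # product in G: add exponents
    return sum(xs) % P


def gpow(x, e):            # exponentiation in G or G_T: multiply exponents
    return (x * e) % P


def gt_div(a, b):          # division in G_T
    return (a - b) % P


def rand_star():           # uniform element of Z_p^*
    return secrets.randbelow(P - 1) + 1


def tcr(c1):
    """Toy target-collision-resistant hash G -> Z_p: SHA-256 of the encoded element (assumption)."""
    return int.from_bytes(hashlib.sha256(c1.to_bytes(16, "big")).digest(), "big") % P


def waters_hash(h, id_bits):
    """Waters' hash H(id) = h_0 * prod_{i=1..n} h_i^{id_i}; h is the public key (h_0, ..., h_n)."""
    return gmul(h[0], *[h[i + 1] for i, bit in enumerate(id_bits) if bit])


def setup():
    alpha, u = rand_star(), rand_star()          # alpha, u <- G*
    h = [rand_star() for _ in range(N + 1)]      # HGen(G; n)
    pk = {"H": h, "u": u, "z": pair(1, alpha)}   # g is exponent 1, so z = e(g, alpha)
    return pk, alpha                             # msk = alpha


def extract(msk, pk, id_bits):
    s = secrets.randbelow(P)
    hid = waters_hash(pk["H"], id_bits)
    return (gmul(msk, gpow(hid, s)), gpow(1, s), gpow(pk["u"], s))   # (alpha*H(id)^s, g^s, u^s)


def encaps(pk, id_bits):
    r = rand_star()
    c1 = gpow(1, r)                               # g^r
    t = tcr(c1)
    c2 = gpow(gmul(waters_hash(pk["H"], id_bits), gpow(pk["u"], t)), r)   # (H(id) u^t)^r
    return (c1, c2), gpow(pk["z"], r)             # K = z^r


def consistent(pk, id_bits, C):
    """Public consistency test: e(g, c2) == e(H(id) u^t, c1), i.e. (g, c1, H(id)u^t, c2) is a DH tuple."""
    c1, c2 = C
    t = tcr(c1)
    return pair(1, c2) == pair(gmul(waters_hash(pk["H"], id_bits), gpow(pk["u"], t)), c1)


def decaps(pk, id_bits, sk_id, C):
    """Randomised decapsulation of Figure 1 (implicit consistency check via the random exponent v)."""
    c1, c2 = C
    d1, d2, d3 = sk_id
    t, v = tcr(c1), rand_star()
    hid_ut = gmul(waters_hash(pk["H"], id_bits), gpow(pk["u"], t))
    num = pair(gmul(d1, gpow(d3, t), gpow(hid_ut, v)), c1)
    den = pair(gmul(gpow(1, v), d2), c2)
    return gt_div(num, den)


def decaps_alt(pk, id_bits, sk_id, C):
    """Deterministic alternative of Section 4.3: explicit check, then e(c1, d1 d3^t) / e(c2, d2)."""
    if not consistent(pk, id_bits, C):
        return None                                # reject
    c1, c2 = C
    d1, d2, d3 = sk_id
    return gt_div(pair(c1, gmul(d1, gpow(d3, tcr(c1)))), pair(c2, d2))


def demo():
    pk, msk = setup()
    ident = [1, 0, 1, 1, 0, 0, 1, 0]               # constructed 8-bit identity
    sk = extract(msk, pk, ident)
    C, K = encaps(pk, ident)
    bad = (C[0], gmul(C[1], 1))                    # malformed ciphertext: c2 replaced by c2 * g
    return (decaps(pk, ident, sk, C) == K,         # Figure 1 decapsulation recovers z^r
            decaps_alt(pk, ident, sk, C) == K,     # so does the alternative algorithm
            not consistent(pk, ident, bad) and decaps_alt(pk, ident, sk, bad) is None,
            decaps(pk, ident, sk, bad) != decaps(pk, ident, sk, bad))  # inconsistent C: key depends on v


if __name__ == "__main__":
    print(demo())
```

The last check is the reason the randomised algorithm is the one used in the IND-CCA game: the experiment answers every decapsulation query for $id$ with the same stored $sk[id]$, and for a malformed $C$ the factor $\Delta(C)^v$ with fresh $v$ turns each answer into a fresh random element of $\mathbb{G}_T$, so repeated malformed queries leak nothing about $sk[id]$.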
Divide-and-Conquer Interpolation for List Decoding of Reed-Solomon Codes

Jun Ma, Department of Electrical and Computer Engineering, University of California San Diego, 9500 Gilman Drive, La Jolla, CA 92093-0407, U.S.A., jma@
Peter Trifonov, Distributed Computing and Networking Department, St. Petersburg State Polytechnic University, Polytechnicheskaya 29, St. Petersburg 195251, Russia, petert@dcn.nord.nw.ru
Alexander Vardy, Department of Electrical and Computer Engineering, University of California San Diego, 9500 Gilman Drive, La Jolla, CA 92093-0407, U.S.A., vardy@

Abstract. Algebraic soft-decision decoding of Reed-Solomon codes delivers promising coding gains over conventional hard-decision decoding. The most computationally demanding step in algebraic soft-decoding (as well as Sudan-type list-decoding) is bivariate polynomial interpolation. We discuss a divide-and-conquer algorithm that could potentially reduce the complexity of the interpolation step.

I. INTRODUCTION

Recently Sudan [14] and Guruswami-Sudan [5] introduced a powerful algorithm for list decoding of Reed-Solomon and some other codes. This list-decoding method was later extended by Koetter and Vardy [9] to an algebraic soft-decision decoding algorithm, which significantly outperforms hard-decision list-decoding.
Both list-decoding and algebraic soft-decision decoding rely on interpolation of bivariate polynomials, which is much more computationally complex than hard-decision decoding. The high complexity of the interpolation results from the large-degree polynomials manipulated in the iterative interpolation procedure; thus efficient implementations of the interpolation algorithm are desired. Section II gives a brief review of the interpolation algorithm based on [3,10]. In Section III we present a matrix interpretation and an algebraic-geometry interpretation of the interpolation algorithm. The latter leads to a divide-and-conquer algorithm.

II. BACKGROUND

Let $\mathbb{F}_q$ be the finite field with $q$ elements. The ring of polynomials over $\mathbb{F}_q$ is denoted $\mathbb{F}_q[X]$. Reed-Solomon codes are obtained by evaluating certain subspaces of $\mathbb{F}_q[X]$ in a set of points $x_1, x_2, \dots, x_n \in \mathbb{F}_q$. Specifically, the RS code $\mathcal{C}_q(n,k)$ of length $n$ and dimension $k$ is defined as follows:
$$\mathcal{C}_q(n,k) \stackrel{\text{def}}{=} \{ (f(x_1), \dots, f(x_n)) : x_1, \dots, x_n \in \mathbb{F}_q,\ f(X) \in \mathbb{F}_q[X],\ \deg f(X) < k \} \tag{1}$$
The interpolation step solves the following problem: given a set of points $\mathcal{P} = \{(x_1,y_1), (x_2,y_2), \dots, (x_s,y_s)\}$ and a set of multiplicities $M = \{m_1, m_2, \dots, m_s\}$, find a nonzero polynomial $Q(X,Y)$ of minimal $(1,k-1)$-weighted degree such that $Q(X,Y)$ passes through the points in $\mathcal{P}$ with the prescribed multiplicities. Fast algorithms to solve the interpolation problem can be found in [3,11]. In this paper we refer to the algorithm as the IIA (iterative interpolation algorithm).

The Iterative Interpolation Algorithm
Initialization: $Q_v(X,Y) = \sum_{t=0}^{l} q_{v,t}(X) Y^t$ for $0 \le v \le r$, initialised as $Q_v(X,Y) = Y^v$.
Iteration:
  Input: $\{(x_i, y_i, m(x_i,y_i)) : (x_i,y_i) \in \mathcal{P}\}$.
  For each triple $(x_i, y_i, m(x_i,y_i))$, with $O_v = \deg_{1,k-1} Q_v(X,Y)$ for $0 \le v \le r$:
    for $a = 0$ to $m(x_i,y_i) - 1$
      for $b = 0$ to $m(x_i,y_i) - 1 - a$
        Discrepancy computation: for $v = 0$ to $r$: $d^{a,b}_v = \mathrm{coef}(Q_v(X + x_i, Y + y_i), X^a Y^b)$
        Polynomial update: if there exists $\eta = \arg\min_{0 \le v \le r,\ d^{a,b}_v \ne 0} O_v$, then
          for $v = 0$ to $r$: if $v \ne \eta$ and $d^{a,b}_v \ne 0$: $Q_v(X,Y) := Q_v(X,Y) - \dfrac{d^{a,b}_v}{d^{a,b}_\eta} Q_\eta(X,Y)$;
          $Q_\eta(X,Y) := (X - x_i)\, Q_\eta(X,Y)$.

[…] Lemma 1. Any polynomial $Q(X,Y)$ with $\mathrm{wdeg}_{0,1} Q(X,Y) \le r$ that passes through the points in $\mathcal{P}$ with the corresponding multiplicities $M$ can be represented as
$$Q(X,Y) = \sum_{j=0}^{r} p_j(X)\, Q_j(X,Y).$$
Proof. Let $Q(X,Y)$, $\mathrm{wdeg}_{0,1} Q(X,Y) \le r$, be a polynomial having the points from $\mathcal{P}$ as
roots of the corresponding multiplicities from $M$. The following procedure is very similar both to multivariate polynomial division [2] and to the matrix polynomial division algorithms [4,8].
1) Order the terms of $Q(X,Y)$ according to $\deg_{1,k-1}$ and let $R(X,Y) := 0$, $p_j(X) := 0$.
2) Let $LT(Q(X,Y)) = \alpha X^a Y^b$ and $LT(Q_b(X,Y)) = X^c Y^b$. (Note that the IIA guarantees that $LT(Q_b(X,Y)) = X^c Y^b$ throughout the whole iterative procedure.) If $a \ge c$, then $p_b(X) := p_b(X) + \alpha X^{a-c}$ and $Q(X,Y) := Q(X,Y) - \alpha X^{a-c} Q_b(X,Y)$. Otherwise, $R(X,Y) := R(X,Y) + LT(Q(X,Y))$ and $Q(X,Y) := Q(X,Y) - LT(Q(X,Y))$.
3) Repeat step 2 until $Q(X,Y) = 0$.
Clearly, this procedure leads to $Q(X,Y) = \sum_j p_j(X) Q_j(X,Y) + R(X,Y)$. Since all $Q_j(X,Y)$ have the points from $\mathcal{P}$ as roots of the corresponding multiplicities $M$, these points will be roots of the same multiplicities of $R(X,Y)$. Thus we have obtained a polynomial with degree $j = \mathrm{wdeg}_{0,1} R(X,Y) \le r$ in $Y$, having roots of multiplicities $M$ at all points of $\mathcal{P}$, such that $\deg_{1,k-1} R(X,Y) < \deg_{1,k-1} Q_j(X,Y)$, which contradicts the minimality property of $Q_j(X,Y)$ (see [10] for the proof). Thus $R(X,Y) = 0$.

This lemma proves that the $Q_j(X,Y)$ polynomials form a basis of a polynomial module, and any polynomial $Q(X,Y)$ as described in Lemma 1 may be represented as
$$Q(X,Y) = \begin{pmatrix} 1 & Y & \cdots & Y^r \end{pmatrix} \mathbf{Q}(X)\, \mathbf{P}(X), \tag{2}$$
$$\mathbf{Q}(X) = \begin{pmatrix} q_{0,0}(X) & q_{1,0}(X) & \cdots & q_{r,0}(X) \\ q_{0,1}(X) & q_{1,1}(X) & \cdots & q_{r,1}(X) \\ \vdots & \vdots & \ddots & \vdots \\ q_{0,r}(X) & q_{1,r}(X) & \cdots & q_{r,r}(X) \end{pmatrix}, \qquad \mathbf{P}(X) = \begin{pmatrix} p_0(X) \\ p_1(X) \\ \vdots \\ p_r(X) \end{pmatrix},$$
where column $v$ of $\mathbf{Q}(X)$ holds the coefficients $q_{v,t}(X)$ of $Q_v(X,Y) = \sum_t q_{v,t}(X) Y^t$. Then each step of the IIA may be represented as multiplication of the matrix polynomial $\mathbf{Q}(X)$ obtained during the previous steps by a matrix that coincides with the identity except in row $\eta$, which carries $X - x_i$ on the diagonal and the elimination coefficients $-d_v/d_\eta$ in the other columns:
$$\begin{pmatrix} 1 & 0 & \cdots & 0 & \cdots & 0 \\ 0 & 1 & \cdots & 0 & \cdots & 0 \\ \vdots & & \ddots & & & \vdots \\ -d_0/d_\eta & -d_1/d_\eta & \cdots & X - x_i & \cdots & -d_r/d_\eta \\ \vdots & & & & \ddots & \vdots \\ 0 & 0 & \cdots & 0 & \cdots & 1 \end{pmatrix}.$$
[…] determinants in $GF(q) \setminus \{0\}$) of the linear transformations required to obtain an equation. Thus the problem of "merging" two sets of interpolation polynomials may be considered as finding a least common right multiple of the respective matrix polynomials. Unfortunately, even the most recent algorithms for performing this task (e.g. [1]) appear to be too computationally expensive.

B. Algebraic-geometric interpretation of the interpolation algorithm

As can be seen from (4), the divide-and-conquer interpolation method may be considered as the intersection of two modules. However, these modules possess certain additional properties which may be used to simplify
computations:
1) It is possible to introduce a multiplication operation for two module elements. However, its result belongs to a module of higher dimension.
2) The module may be considered as a subset of a bivariate polynomial ideal. Thus one can perform the intersection operation in an ideal which is a superset of the module, and then convert the result back into the module.

Actually we have the following lemma.

Lemma 2. Let $Q_j(X,Y)$, $j = 0, \dots, r$, be the set of polynomials produced by the IIA after processing the set of interpolation points $\mathcal{P}$ with corresponding multiplicities $M$. If $LT(Q_r(X,Y)) = Y^r$, then $\{Q_0(X,Y), \dots, Q_r(X,Y)\}$ is a basis (actually a Gröbner basis) for the ideal of polynomials $Q(X,Y)$ that pass through the points in $\mathcal{P}$ with corresponding multiplicities $M$.
Proof. Similar to the proof of Lemma 1, thus omitted here.

It is possible to generalize the definition of an affine variety to accommodate the case of roots with high multiplicity. Then the IIA may be considered as a process of adding interpolation points to an affine variety defined by the ideal of interpolation polynomials. Thus the operation of module intersection may be replaced with the intersection of two ideals. But again, the ideal intersection algorithm [2] appears to be too complex. However, in some cases the computation of an ideal intersection may be replaced with the computation of their product.

Let $I$ be a polynomial ideal. Then the quotient ring $\mathbb{F}_q[X,Y]/I$ is isomorphic to the $\mathbb{F}_q$-vector space spanned by the set
$$\{ X^a Y^b : X^a Y^b \notin \langle LT(I) \rangle \},$$
where $\langle LT(I) \rangle$ denotes the ideal generated by the leading terms of the elements of $I$. This is Proposition 4 of [2, p. 229]. We let $\dim_{\mathbb{F}_q} \mathbb{F}_q[X,Y]/I$ denote the dimension of this vector space. The footprint of $I$, also called the delta set $\Delta(I)$, can be defined as the set of all monomials in $\mathbb{F}_q[X,Y]$ that are not the leading monomials of elements of $I$. It is known [7] that $\dim_{\mathbb{F}_q} \mathbb{F}_q[X,Y]/I = |\Delta(I)|$, provided $\Delta(I)$ is finite. However, we will not need this result.

Theorem 1. Let $\mathcal{P} = \{(x_1,y_1), (x_2,y_2), \dots, (x_s,y_s)\}$ be a set of $s$ distinct points in $\mathbb{F}_q^2$ and let $M = (m_1, m_2, \dots, m_s)$ be a sequence of positive integers, called the
multiplicities of the points in $\mathcal{P}$. Consider the ideal
$$I(\mathcal{P}, M) \stackrel{\text{def}}{=} \{ Q(X,Y) : \mathrm{coef}(Q(X + x_i, Y + y_i), X^a Y^b) = 0 \text{ for } a + b < m_i \} \tag{5}$$
Following [9], define the cost of $M$ as $C(M) = \sum_{i=1}^{s} m_i(m_i+1)/2$. […] order. Specifically, $c_{a,b;j}(Q)$ precedes $c_{a',b';i}(Q)$ in the $n$-dimensional vector $\vec{Q}$ iff $j < i$, or $j = i$ and $(a,b) \prec (a',b')$, where $\prec$ is the graded lex order on $\mathbb{Z}^2$ (actually, any graded order on $\mathbb{Z}^2$ would suffice for our purposes). Now let us define the following polynomials:
$$G_{a,b;i}(X,Y) \stackrel{\text{def}}{=} (X - x_i)^a (Y - y_i)^b \prod_{x_r \ne x_i} (X - x_r)^{m_r} \prod_{x_r = x_i,\ y_r \ne y_i} (Y - y_r)^{m_r} \tag{6}$$
for all nonnegative integers $a, b$ such that $a + b < m_i$ and for all $i = 1, 2, \dots, s$. By definition, these polynomials satisfy $c_{a,b;i}(G_{a,b;i}) \ne 0$. Moreover, $c_{a',b';j}(G_{a,b;i}) = 0$ if $j \ne i$, or if $j = i$ and either $a' < a$ or $b' < b$; in particular, if $(a',b') \prec (a,b)$. Let us arrange the $n$ polynomials $G_{a,b;i}$ in (6) in the same order as the $n$ coefficients $c_{a,b;i}(Q)$ in the vector $\vec{Q}$, and consider the $n \times n$ matrix $A$ having $\vec{G}_{a,b;i}$ as its rows. It follows from the properties of the polynomials $G_{a,b;i}$ that the matrix $A$ is upper triangular with nonzero diagonal. Hence its rows constitute a basis for $\mathbb{F}_q^n$. This implies that for each vector $v \in \mathbb{F}_q^n$ we can construct a polynomial $Q(X,Y)$ such that $\vec{Q} = v$. Indeed, if $v$ is expressed as a linear combination of the rows of $A$, then $Q(X,Y)$ is just the corresponding linear combination of the polynomials $G_{a,b;i}$ in (6). This shows that the mapping $Q \mapsto \vec{Q}$ is surjective. Now consider the mapping $\mathbb{F}_q[X,Y]/I \to \mathbb{F}_q^n$ defined by $[Q] \mapsto \vec{Q}$, where $[Q]$ is the equivalence class of $Q$ in $\mathbb{F}_q[X,Y]/I$. It follows from [2, Chapter 5] that this mapping is well-defined. Moreover, since $Q \mapsto \vec{Q}$ is surjective, then so is $[Q] \mapsto \vec{Q}$. The mapping $[Q] \mapsto \vec{Q}$, on the other hand, is also injective. Indeed, if $\vec{Q} = \vec{0}$ in $\mathbb{F}_q^n$, then $Q \in I$ by (5) and the definition of $\vec{Q}$. Hence $[Q] = 0$ if and only if $\vec{Q} = \vec{0}$.
Together with the linearity of $[Q] \mapsto \vec{Q}$, this shows that it is an injection, as claimed. We thus conclude that $[Q] \mapsto \vec{Q}$ is a bijection from $\mathbb{F}_q[X,Y]/I$ to $\mathbb{F}_q^n$. Hence $\dim_{\mathbb{F}_q} \mathbb{F}_q[X,Y]/I = n$.

Theorem 3. Let $I(\mathcal{P}, M)$ denote the ideal defined in (5) with respect to the point set $\mathcal{P}$ and multiplicity vector $M$. Suppose $(\mathcal{P}_1, M_1)$ and $(\mathcal{P}_2, M_2)$ are such that $\mathcal{P}_1 \cap \mathcal{P}_2 = \emptyset$. Then
$$I(\mathcal{P}_1, M_1) \cap I(\mathcal{P}_2, M_2) = I(\mathcal{P}_1, M_1) \cdot I(\mathcal{P}_2, M_2) \tag{7}$$
Proof. Let $I_1 = I(\mathcal{P}_1, M_1)$ and $I_2 = I(\mathcal{P}_2, M_2)$. Then $V(I_1) = \mathcal{P}_1$ and $V(I_2) = \mathcal{P}_2$ by Corollary 2. It follows that
$$V(I_1 + I_2) = V(I_1) \cap V(I_2) = \mathcal{P}_1 \cap \mathcal{P}_2 = \emptyset.$$
Hence, by the weak Nullstellensatz [2, p. 168], we have $I_1 + I_2 = \bar{\mathbb{F}}[X,Y]$, where $\bar{\mathbb{F}}$ is the algebraic closure of $\mathbb{F}_q$. Thus $I_1$ and $I_2$ are coprime, which implies (7) by the Chinese remainder theorem for polynomials.

The Divide-and-Conquer Interpolation Algorithm
SplitInterpolation($s$, $\mathcal{P}$, $M$):
  $\mathcal{P}_1 := \{(x_i, y_i)\}$, $M_1 := \{m_i\}$, $i = 1, \dots, \lfloor s/2 \rfloor$;
  $\mathcal{P}_2 := \{(x_i, y_i)\}$, $M_2 := \{m_i\}$, $i = \lfloor s/2 \rfloor + 1, \dots, s$;
  $Q^{(1)} :=$ SplitInterpolation($\lfloor s/2 \rfloor$, $\mathcal{P}_1$, $M_1$);
  $Q^{(2)} :=$ SplitInterpolation($s - \lfloor s/2 \rfloor$, $\mathcal{P}_2$, $M_2$);
  $Q := \{ Q^{(1)}_{j_1}(X,Y) \cdot Q^{(2)}_{j_2}(X,Y) \}$ over all pairs of basis elements;
  Eliminate($Q$);
  Return $Q$.

One can see that the complexity of this algorithm is $C(n, r, \rho) = 2\, C(n/2, r, \rho) + C_m + C_e$, where $C_m$ is the cost of polynomial multiplication and $C_e$ is the cost of the elimination step. For the multiplication step there is the problem of efficient multiplication of the large polynomials which may appear after processing many interpolation points. Thus one has either to use an FFT-based algorithm operating over some extension of the original field, or to apply a combination of the Winograd linear convolution algorithm with some other methods (e.g., again an FFT-based algorithm). For the elimination step, the task is to find a Gröbner basis of the polynomial module. One can use either the Buchberger algorithm or perform the elimination in the spectral domain [6].

IV. CONCLUSIONS

The main difference between our approach and the one suggested in [3] is that interpolation subproblems are solved independently and only afterwards their solutions are "merged." This allows one to solve these subproblems in parallel. Moreover, each of the subproblems has a much smaller dimension than the original problem. However, further analysis is required to find an efficient way of eliminating the redundant entries in the module bases
obtained during the merging step.

REFERENCES
[1] B. Beckermann and G. Labahn. Fraction-free computation of matrix rational interpolants and matrix GCDs. SIAM Journal on Matrix Analysis and Applications, 22(1):114–144, 2001.
[2] D. Cox, J. Little, and D. O'Shea. Ideals, Varieties and Algorithms. Springer-Verlag, 1992.
[3] G.-L. Feng and X. Giraud. Fast algorithm in Sudan decoding procedure for Reed-Solomon codes. Preprint, August 2002.
[4] F. R. Gantmacher. Theory of Matrices (in Russian). Moscow: Nauka, 4th edition, 1988.
[5] V. Guruswami and M. Sudan. Improved decoding of Reed-Solomon and algebraic-geometric codes. IEEE Transactions on Information Theory, 45(6):1757–1767, September 1999.
[6] D. Henrion and M. Sebek. Reliable numerical methods for polynomial matrix triangularization. IEEE Transactions on Automatic Control, 44(3), March 1999.
[7] T. Høholdt, J. H. van Lint, and R. Pellikaan. Algebraic geometry codes. In V. S. Pless and W. C. Huffman, editors, Handbook of Coding Theory. Elsevier, 1998.
[8] T. Kailath. Linear Systems. Prentice Hall, 1985.
[9] R. Koetter and A. Vardy. Algebraic soft-decision decoding of Reed-Solomon codes. IEEE Transactions on Information Theory, 49(11):2809–2825, November 2003.
[10] R. Refslund Nielsen and T. Høholdt. Decoding Reed-Solomon codes beyond half the minimum distance. In Proceedings of the International Conference on Coding Theory and Cryptography, Mexico 1998. Springer-Verlag, 1998.
[11] R. R. Nielsen. List Decoding of Linear Block Codes. PhD thesis, Technical University of Denmark, 2001.
[12] H. O'Keeffe and P. Fitzpatrick. Gröbner basis solution of constrained interpolation problems. Linear Algebra and its Applications, 351–352:533–551, 2002.
[13] R. Roth and G. Ruckenstein. Efficient decoding of Reed-Solomon codes beyond half the minimum distance. IEEE Transactions on Information Theory, 46(1):246–257, 2000.
[14] M. Sudan. Decoding of Reed-Solomon codes beyond the error correction bound. Journal of Complexity, 12:180–193, 1997.
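The iterative interpolation algorithm of Section II is short enough to run in full, and doing so makes the interpolation property behind Lemma 1 and the ideal $I(\mathcal{P}, M)$ of (5) tangible. The following Python is an added example, not code from the paper: it implements the IIA over $\mathrm{GF}(31)$ (a field size chosen for the example), evaluates the constraint $\mathrm{coef}(Q(X+x_i, Y+y_i), X^a Y^b)$ as a Hasse derivative, and checks two things the text only states: that every basis polynomial $Q_v$ vanishes at the points with the prescribed multiplicities, and that for an RS code with $k = 2$, $n = 12$ and a constructed error pattern of 6 errors (beyond the unique-decoding radius $(n-k)/2 = 5$), the minimal-weighted-degree $Q$ satisfies $Q(X, f(X)) \equiv 0$ for the transmitted message polynomial $f$, which is the Guruswami-Sudan guarantee that $f$ is on the list. The merging step of Section III is not implemented.

```python
# Added example (not from the paper): the iterative interpolation algorithm (IIA) of Section II
# over a small prime field, plus the list-decoding guarantee it gives for a Reed-Solomon code.
# Assumptions: field GF(P) with P = 31; constraints (a, b) are processed in the usual Koetter order.
from math import comb

P = 31  # assumption: a small prime, so GF(P) arithmetic is plain modular arithmetic


def inv(a):
    """Multiplicative inverse in GF(P)."""
    return pow(a, P - 2, P)


def wkey(q, k):
    """Leading monomial of a bivariate polynomial under (1, k-1)-weighted degree, ties broken by Y-degree.
    A polynomial is a dict {(a, b): c} standing for the sum of c * X^a * Y^b."""
    return max((a + (k - 1) * b, b) for (a, b) in q)


def hasse(q, a, b, x, y):
    """(a,b)-th Hasse derivative of q at (x, y) = coefficient of X^a Y^b in q(X + x, Y + y)."""
    total = 0
    for (i, j), c in q.items():
        if i >= a and j >= b:
            total += c * comb(i, a) * comb(j, b) * pow(x, i - a, P) * pow(y, j - b, P)
    return total % P


def sub_scaled(q, r, f):
    """q - f * r in GF(P)[X, Y], zero coefficients dropped."""
    out = dict(q)
    for mono, c in r.items():
        out[mono] = (out.get(mono, 0) - f * c) % P
        if out[mono] == 0:
            del out[mono]
    return out


def mul_x_minus(q, x):
    """(X - x) * q."""
    out = {}
    for (a, b), c in q.items():
        out[(a + 1, b)] = (out.get((a + 1, b), 0) + c) % P
        out[(a, b)] = (out.get((a, b), 0) - x * c) % P
    return {m: c for m, c in out.items() if c}


def iia(points, mults, k, r):
    """Iterative interpolation: returns (Q_0..Q_r, minimal Q).
    Every Q_v vanishes at each point with its multiplicity; Q_v keeps leading Y-degree v."""
    Q = [{(0, v): 1} for v in range(r + 1)]           # Q_v := Y^v
    for (x, y), m in zip(points, mults):
        for a in range(m):
            for b in range(m - a):                     # all (a, b) with a + b < m
                d = [hasse(q, a, b, x, y) for q in Q]  # discrepancies d_v
                cand = [v for v in range(r + 1) if d[v]]
                if not cand:
                    continue
                eta = min(cand, key=lambda v: wkey(Q[v], k))
                for v in cand:
                    if v != eta:
                        Q[v] = sub_scaled(Q[v], Q[eta], d[v] * inv(d[eta]))
                Q[eta] = mul_x_minus(Q[eta], x)
    return Q, min(Q, key=lambda q: wkey(q, k))


def uni_mul(f, g):
    """Product of two univariate polynomials given as coefficient lists (low degree first)."""
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % P
    return out


def compose(q, f):
    """Univariate Q(X, f(X)) as a coefficient list; [] means the zero polynomial."""
    out = []
    for (a, b), c in q.items():
        term = [0] * a + [c]                           # c * X^a
        for _ in range(b):
            term = uni_mul(term, f)                    # times f(X)^b
        out += [0] * (len(term) - len(out))
        for i, t in enumerate(term):
            out[i] = (out[i] + t) % P
    while out and out[-1] == 0:
        out.pop()
    return out


def vanishes(q, points, mults):
    """True iff q passes through every point with the required multiplicity, i.e. q lies in I(P, M) of (5)."""
    return all(hasse(q, a, b, x, y) == 0
               for (x, y), m in zip(points, mults) for a in range(m) for b in range(m - a))


def rs_demo():
    """RS(n=12, k=2) over GF(31) with 6 errors, beyond the unique-decoding radius (n-k)/2 = 5.
    With Y-degree bound r = 2 and multiplicity 1 the minimal Q has weighted degree <= 5 (15 monomials
    against 12 constraints), so Q(X, f(X)) has degree <= 5 but 6 roots and must be identically zero."""
    k, r = 2, 2
    f = [3, 5]                                         # constructed message polynomial f(X) = 3 + 5X
    xs = list(range(1, 13))
    ys = [(f[0] + f[1] * x) % P for x in xs]
    ys = [(y + 7) % P if i < 6 else y for i, y in enumerate(ys)]   # corrupt 6 of the 12 symbols
    pts = list(zip(xs, ys))
    _, q = iia(pts, [1] * len(pts), k, r)
    return vanishes(q, pts, [1] * len(pts)), compose(q, f) == [], wkey(q, k)[0]


def multiplicity_demo():
    """Three constructed points with multiplicity 2: every basis element must vanish to order 2."""
    pts, mults = [(2, 5), (7, 1), (9, 30)], [2, 2, 2]
    basis, _ = iia(pts, mults, 3, 3)
    return all(vanishes(q, pts, mults) for q in basis)


if __name__ == "__main__":
    print(rs_demo(), multiplicity_demo())
```

The update step is the matrix of Section III.A in action: subtracting $(d_v/d_\eta) Q_\eta$ from the other candidates clears their discrepancy, and multiplying $Q_\eta$ by $(X - x_i)$ clears its own while preserving all constraints processed earlier, which is why the $(a, b)$ pairs must be visited with $(a-1, b)$ before $(a, b)$.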
Fundamentals of Digital Design (bilingual courseware), Chapter 1

1.1 Digital Systems

2. Two-valued logic signals. The input and output signals have only two values. Hence, a digital system might use 5 volts and 0 volts to represent the two values.

1.2 Number Representation

2. Binary numbers. The binary number system has only two digits, 0 and 1. They are called bits (binary digits). 2 is the base of the binary system. A binary number can be represented as:

The positional number system using the base of 8 is called the octal number system. The 8 different digits are 0, 1, 2, 3, 4, 5, 6 and 7.

In decimal, we have to borrow a digit from the next column if the subtrahend digit is greater than the minuend digit.
Research Statement

Parikshit Gopalan

My research focuses on fundamental algebraic problems such as polynomial reconstruction and interpolation arising from various areas of theoretical computer science. My main algorithmic contributions include the first algorithm for list-decoding a well-known family of codes called Reed-Muller codes [13], and the first algorithms for agnostically learning parity functions [3] and decision trees [11] under the uniform distribution. On the complexity-theoretic side, my contributions include the best-known hardness results for reconstructing low-degree multivariate polynomials from noisy data [12] and the discovery of a connection between representations of Boolean functions by polynomials and communication complexity [2].

1 Introduction

Many important recent developments in theoretical computer science, such as probabilistic proof checking, deterministic primality testing and advancements in algorithmic coding theory, share a common feature: the extensive use of techniques from algebra. My research has centered around the application of these methods to problems in coding theory, computational learning, hardness of approximation and Boolean function complexity.

While at first glance these might seem like four research areas that are not immediately related, there are several beautiful connections between these areas. Perhaps the best illustration of these links is the noisy parity problem, where the goal is to recover a parity function from a corrupted set of evaluations. The seminal Goldreich-Levin algorithm solves a version of this problem; this result initiated the study of list-decoding algorithms for error-correcting codes [5]. An alternate solution is the Kushilevitz-Mansour algorithm [19], which is a crucial component in algorithms for learning decision trees and DNFs [17]. Håstad's ground-breaking work on the hardness of this problem has revolutionized our understanding of inapproximability [16]. All these results rely on insights into the Fourier structure of Boolean functions.

As I illustrate below, my research has contributed to a better understanding of these connections, and yielded progress on some important open problems in these areas.

2 Coding Theory

The broad goal of coding theory is to enable meaningful communication in the presence of noise, by suitably encoding the messages. The natural algorithmic problem associated with this task is that of decoding, or recovering the transmitted message from a corrupted encoding. The last twenty years have witnessed a revolution with the discovery of several powerful decoding algorithms for well-known families of error-correcting codes. A key role has been played by the notion of list-decoding, a relaxation of the classical decoding problem where we are willing to settle for a small list of candidate transmitted messages rather than insisting on a unique answer. This relaxation allows one to break the classical half-the-minimum-distance barrier for decoding error-correcting codes. We now know powerful list-decoding algorithms for several important code families; these algorithms have also made a huge impact on complexity theory [5,15,23].

List-Decoding Reed-Muller Codes: In recent work with Klivans and Zuckerman, we give the first such list-decoding algorithm for a well-studied family of codes known as Reed-Muller codes, obtained from low-degree polynomials over the finite field F2 [13]. The highlight of this work is that our algorithm is able to tolerate error-rates which are much higher than what is known as the Johnson bound in coding theory. Our results imply new combinatorial bounds on the error-correcting capability of these codes. While Reed-Muller codes have been studied extensively in both the coding theory and computer science communities, our result is the first to show that they are resilient to remarkably high error-rates. Our algorithm is based on a novel view of the Goldreich-Levin algorithm as a reduction from list-decoding to unique-decoding; our view readily extends to polynomials of arbitrary degree over any field. Our result complements recent work on the Gowers norm, showing that Reed-Muller codes are testable up to large distances [21].

Hardness of Polynomial Reconstruction: In the polynomial reconstruction problem, one is asked to recover a low-degree polynomial from its evaluations at a set of points, where some of the values could be incorrect. The reconstruction problem is ubiquitous in both coding theory and computational learning. Both the noisy parity problem and the Reed-Muller decoding problem are instances of this problem. In joint work with Khot and Saket, we address the complexity of this problem and establish the first hardness results for multivariate polynomials of arbitrary degree [12]. Previously, the only hardness known was for degree 1, which follows from the celebrated work of Håstad [16]. Our work introduces a powerful new algebraic technique called global folding which allows one to bypass a module called consistency testing that is crucial to most hardness results. I believe this technique will find other applications.

Average-Case Hardness of NP: Algorithmic advances in the decoding of error-correcting codes have helped us gain a deeper understanding of the connections between worst-case and average-case complexity [23,24]. In recent work with Guruswami, we use this paradigm to explore the average-case complexity of problems in NP against algorithms in P [8]. We present the first hardness amplification result in this setting by giving a construction of an error-correcting code where most of the symbols can be recovered correctly from a corrupted codeword by a deterministic algorithm that probes very few locations in the codeword. The novelty of our work is that our decoder is deterministic, whereas previous algorithms for this task were all randomized.

3 Computational Learning

Computational learning aims to understand the algorithmic issues underlying how we learn from examples, and to explore how the complexity of learning is influenced by factors such as the ability to ask queries and the possibility of incorrect answers. Learning algorithms for a concept class typically rely on understanding the structure of that concept class, which naturally ties learning to Boolean function complexity. Learning in the presence of noise has several connections to decoding from errors. My work in this area addresses the learnability of basic concept classes such as decision trees, parities and halfspaces.

Learning Decision Trees Agnostically: The problem of learning decision trees is one of the central open problems in computational learning. Decision trees are also a popular hypothesis class in practice. In recent work with Kalai and Klivans, we give a query algorithm for learning decision trees with respect to the uniform distribution on inputs in the agnostic model: given black-box access to an arbitrary Boolean function, our algorithm finds a hypothesis that agrees with it on almost as many inputs as the best decision tree [11]. Equivalently, we can learn decision trees even when the data is corrupted adversarially; this is the first polynomial-time algorithm for learning decision trees in a harsh noise model. Previous decision-tree learning algorithms applied only to the noiseless setting. Our algorithm can be viewed as the agnostic analog of the Kushilevitz-Mansour algorithm [19]. The core of our algorithm is a procedure to implicitly solve a convex optimization problem in high dimensions using approximate gradient projection.

The Noisy Parity Problem: The noisy parity problem has come to be widely regarded as a hard problem. In work with Feldman et al., we present evidence supporting this belief [3]. We show that in the setting of learning from random examples (without queries), several outstanding open problems such as learning juntas, decision trees and DNFs reduce to restricted versions of the problem of learning parities with random noise. Our result shows that in some sense, noisy parity captures the gap between learning from random examples and learning with queries, as it is believed to be hard in the former setting and is known to be easy in the latter. On the positive side, we present the first non-trivial algorithm for the noisy parity problem under the uniform distribution in the adversarial noise model. Our result shows that, somewhat surprisingly, adversarial noise is no harder to handle than random noise.

Hardness of Learning Halfspaces: The problem of learning halfspaces is a fundamental problem in computational learning. One could hope to design algorithms that are robust even in the presence of a few incorrectly labeled points. Indeed, such algorithms are known in the setting where the noise is random. In work with Feldman et al., we show that the setting of adversarial errors might be intractable: given a set of points where 99% are correctly labeled by some halfspace, it is NP-hard to find a halfspace that correctly labels even 51% of the points [3].

4 Prime versus Composite problems

My thesis work focuses on new aspects of an old and famous problem: the difference between primes and composites. Beyond basic problems like primality and factoring, there are many other computational issues that are not yet well understood. For instance, in circuit complexity, we have excellent lower bounds for small-depth circuits with mod 2 gates, but the same problem for circuits with mod 6 gates is wide open. Likewise in combinatorics, set systems where the sizes of the sets need to satisfy certain modular conditions are well studied. Again the prime case is well understood, but little is known for composites. In all these problems, the algebraic techniques that work well in the prime case break down for composites.

Boolean function complexity: Perhaps the simplest class of circuits for which we have been unable to show lower bounds is small-depth circuits with And, Or and Mod m gates where m is composite; indeed this is one of the frontier open problems in circuit complexity. When m is prime, such bounds were proved by Razborov and
Smolensky[20,22].One reason for this gap is that we do not fully understand the computational power of polynomials over composites;Barrington et.al were thefirst to show that such polynomials are surprisingly powerful[1].In joint work with Bhatnagar and Lipton,we solve an important special case:when the polynomials are symmetric in their variables[2].We show an equivalence between computing Boolean functions by symmetric polynomials over composites and multi-player communication protocols,which enables us to apply techniques from communication complexity and number theory to this problem.We use these techniques to show tight degree bounds for various classes of functions where no bounds were known previously.Our viewpoint simplifies previously known results in this area,and reveals new connections to well-studied questions about Diophantine equations.Explicit Ramsey Graphs:A basic open problem regarding polynomials over composites is: Can asymmetry in the variables help us compute a symmetric function with low degree?I show a connec-tion between this question and an important open problem in combinatorics,which is to explicitly construct Ramsey graphs or graphs with no large cliques and independent sets[6].While good Ramsey graphs are known to exist by probabilistic arguments,explicit constructions have proved elusive.I propose a new algebraic framework for constructing Ramsey graphs and showed howseveral known constructions can all be derived from this framework in a unified manner.I show that all known constructions rely on symmetric polynomials,and that such constructions cannot yield better Ramsey graphs.Thus the question of symmetry versus asymmetry of variables is precisely the barrier to better constructions by such techniques.Interpolation over Composites:A basic problem in computational algebra is polynomial interpolation,which is to recover a polynomial from its evaluations.Interpolation and related algorithmic tasks which are easy for primes become much 
harder,even intractable over compos-ites.This difference stems from the fact that over primes,the number of roots of a polynomial is bounded by the degree,but no such theorem holds for composites.In lieu of this theorem I presented an algorithmic bound;I show how to compute a bound on the degree of a polynomial given its zero set[7].I use this to give thefirst optimal algorithms for interpolation,learning and zero-testing over composites.These algorithms are based on new structural results about the ze-roes of polynomials.These results were subsequently useful in ruling out certain approaches for better Ramsey constructions[6].5Other Research HighlightsMy other research work spans areas of theoretical computer science ranging from algorithms for massive data sets to computational complexity.I highlight some of this work below.Data Stream Algorithms:Algorithmic problems arising from complex networks like the In-ternet typically involve huge volumes of data.This has led to increased interest in highly efficient algorithmic models like sketching and streaming,which can meaningfully deal with such massive data sets.A large body of work on streaming algorithms focuses one estimating how sorted the input is.This is motivated by the realization that sorting the input is intractable in the one-pass data stream model.In joint work with Krauthgamer,Jayram and Kumar,we presented thefirst sub-linear space data stream algorithms to estimate two well-studied measures of sortedness:the distance from monotonicity(or Ulam distance for permutations),and the length of the Longest Increasing Subsequence or LIS.In more recent work with Anna G´a l,we prove optimal lower bounds for estimating the length of the LIS in the data-stream model[4].This is established by proving a direct-sum theorem for the communication complexity of a related problem.The novelty of our techniques is the model of communication that they address.As a corollary,we obtain a separation between two models of 
communication that are commonly studied in relation to data stream algorithms.Structural Properties of SAT solutions:The solution space of random SAT formulae has been studied with a view to better understanding connections between computational hardness and phase transitions from satisfiable to unsatisfiable.Recent algorithmic approaches rely on connectivity properties of the space and break down in the absence of connectivity.In joint work with Kolaitis,Maneva and Papadimitriou,we consider the problem:Given a Boolean formula,do its solutions form a connected subset of the hypercube?We classify the worst-case complexity of various connectivity properties of the solution space of SAT formulae in Schaefer’s framework[14].We show that the jump in the computational hardness is accompanied by a jump in the diameter of the solution space from linear to exponential.Complexity of Modular Counting Problems:In joint work with Guruswami and Lipton,we address the complexity of counting the roots of a multivariate polynomial over afinitefield F q modulo some number r[9].We establish a dichotomy showing that the problem is easy when r is a power of the characteristic of thefield and intractable otherwise.Our results give several examples of problems whose decision versions are easy,but the modular counting version is hard.6Future Research DirectionsMy broad research goal is to gain a complete understanding of the complexity of problems arising in coding theory,computational learning and related areas;I believe that the right tools for this will come from Boolean function complexity and hardness of approximation.Below I outline some of the research directions I would like to pursue in the future.List-decoding algorithms have allowed us to break the unique-decoding barrier for error-correcting codes.It is natural to ask if one can perhaps go beyond the list-decoding radius and solve the problem offinding the codeword nearest to a received word at even higher error rates. 
On the negative side,we do not currently know any examples of codes where one can do this.But I think that recent results on Reed-Muller codes do offer some hope[13,21].Algorithms for solving the nearest codeword problem if they exist,could also have exciting implications in computational learning.There are concept classes which are well-approximated by low-degree polynomials over finitefields lying just beyond the threshold of what is currently known to be learnable efficiently [20,22].Decoding algorithms for Reed-Muller codes that can tolerate very high error rates might present an approach to learning such concept classes.One of the challenges in algorithmic coding theory is to determine whether known algorithms for list-decoding Reed-Solomon codes[15]and Reed-Muller codes[13,23]are optimal.This raises both computational and combinatorial questions.I believe that my work with Khot et al.rep-resents a goodfirst step towards understanding the complexity of the decoding/reconstruction problem for multivariate polynomials.Proving similar results for univariate polynomials is an excellent challenge which seems to require new ideas in hardness of approximation.There is a large body of work proving strong NP-hardness results for problems in computa-tional learning.However,all such results only address the proper learning scenario where the learning algorithm is restricted to produce a hypothesis from some particular class H which is typically the same as the concept class C.In contrast,known learning algorithms are mostly im-proper algorithms which could use more complicated hypotheses.For hardness results that are independent of the hypothesis H used by the algorithm,one currently has to resort to crypto-graphic assumptions.In ongoing work with Guruswami and Raghavendra,we are investigating the possibility of proving NP-hardness for improper learning.Finally,I believe that there are several interesting directions to explore in the agnostic learn-ing model.An exciting 
insight in this area comes from the work of Kalai et al.who show that 1regression is a powerful tool for noise-tolerant learning[18].A powerful paradigm in com-putational learning is to prove that the concept has some kind of polynomial approximation and then recover the approximation.Algorithms based on 1regression require a weaker polynomial approximation in comparison with previous algorithms(which use 2regression),but use more powerful machinery for the recovery step.Similar ideas might allow us to extend the boundaries of efficient learning even in the noiseless model;this is a possibility I am currently exploring.Having worked in areas ranging from data stream algorithms to Boolean function complexity, I view myself as both an algorithm designer and a complexity theorist.I have often found that working on one aspect of a problem gives insights into the other;indeed much of my work has originated from such insights([12]and[13],[10]and[4],[6]and[7]).Ifind that this is increasingly the case across several areas in theoretical computer science.My aim is to maintain this balance between upper and lower bounds in my future work.References[1]D.A.Barrington,R.Beigel,and S.Rudich.Representing Boolean functions as polynomialsmodulo composite putational Complexity,4:367–382,1994.[2]N.Bhatnagar,P.Gopalan,and R.J.Lipton.Symmetric polynomials over Z m and simultane-ous communication protocols.Journal of Computer&System Sciences(special issue for FOCS’03), 72(2):450–459,2003.[3]V.Feldman,P.Gopalan,S.Khot,and A.K.Ponnuswami.New results for learning noisyparities and halfspaces.In Proc.47th IEEE Symp.on Foundations of Computer Science(FOCS’06), 2006.[4]A.G´a l and P.Gopalan.Lower bounds on streaming algorithms for approximating the lengthof the longest increasing subsequence.In Proc.48th IEEE Symp.on Foundations of Computer Science(FOCS’07),2007.[5]O.Goldreich and L.Levin.A hard-core predicate for all one-way functions.In Proc.21st ACMSymposium on the Theory of 
Computing(STOC’89),pages25–32,1989.[6]P.Gopalan.Constructing Ramsey graphs from Boolean function representations.In Proc.21stIEEE symposium on Computational Complexity(CCC’06),2006.[7]P.Gopalan.Query-efficient algorithms for polynomial interpolation over composites.In Proc.17th ACM-SIAM symposium on Discrete algorithms(SODA’06),2006.[8]P.Gopalan and V.Guruswami.Deterministic hardness amplification via local GMD decod-ing.Submitted to23rd IEEE Symp.on Computational Complexity(CCC’08),2008.[9]P.Gopalan,V.Guruswami,and R.J.Lipton.Algorithms for modular counting of roots of mul-tivariate polynomials.In tin American Symposium on Theoretical Informatics(LATIN’06), 2006.[10]P.Gopalan,T.S.Jayram,R.Krauthgamer,and R.Kumar.Estimating the sortedness of a datastream.In Proc.18th ACM-SIAM Symposium on Discrete Algorithms(SODA’07),2007.[11]P.Gopalan,A.T.Kalai,and A.R.Klivans.Agnostically learning decision trees.In Proc.40thACM Symp.on Theory of Computing(STOC’08),2008.[12]P.Gopalan,S.Khot,and R.Saket.Hardness of reconstructing multivariate polynomials overfinitefields.In Proc.48th IEEE Symp.on Foundations of Computer Science(FOCS’07),2007. 
[13]P.Gopalan,A.R.Klivans,and D.Zuckerman.List-decoding Reed-Muller codes over smallfields.In Proc.40th ACM Symp.on Theory of Computing(STOC’08),2008.[14]P.Gopalan,P.G.Kolaitis,E.N.Maneva,and puting the connec-tivity properties of the satisfiability solution space.In Proc.33rd Intl.Colloqium on Automata, Languages and Programming(ICALP’06),2006.[15]V.Guruswami and M.Sudan.Improved decoding of Reed-Solomon and Algebraic-Geometric codes.IEEE Transactions on Information Theory,45(6):1757–1767,1999.[16]J.H˚a stad.Some optimal inapproximability results.J.ACM,48(4):798–859,2001.[17]J.Jackson.An efficient membership-query algorithm for learning DNF with respect to theuniform distribution.Journal of Computer and System Sciences,55:414–440,1997.[18]A.T.Kalai,A.R.Klivans,Y.Mansour,and R.A.Servedio.Agnostically learning halfspaces.In Proc.46th IEEE Symp.on Foundations of Computer Science,pages11–20,2005.[19]E.Kushilevitz and Y.Mansour.Learning decision trees using the Fourier spectrum.SIAMJournal of Computing,22(6):1331–1348,1993.[20]A.Razborov.Lower bounds for the size of circuits of bounded depth with basis{∧,⊕}.Mathematical Notes of the Academy of Science of the USSR,(41):333–338,1987.[21]A.Samorodnitsky.Low-degree tests at large distances.In Proc.39th ACM Symposium on theTheory of Computing(STOC’07),pages506–515,2007.[22]R.Smolensky.Algebraic methods in the theory of lower bounds for Boolean circuit com-plexity.Proc.19th Annual ACM Symposium on Theoretical Computer Science,(STOC’87),pages 77–82,1987.[23]M.Sudan,L.Trevisan,and S.P.Vadhan.Pseudorandom generators without the XOR lemma.put.Syst.Sci.,62(2):236–266,2001.[24]L.Trevisan.List-decoding using the XOR lemma.In Proc.44th IEEE Symposium on Foundationsof Computer Science(FOCS’03),pages126–135,2003.。
Econometric and Statistical Computing Using Ox

FRANCISCO CRIBARI–NETO (1) and SPYROS G. ZARKOS (2)

(1) Departamento de Estatística, CCEN, Universidade Federal de Pernambuco, Recife/PE, 50740–540, Brazil. E-mail: cribari@npd.ufpe.br
(2) National Bank of Greece, 86 Eolou str., Athens 10232, Greece. E-mail: s.zarkos@primeminister.gr

Abstract. This paper reviews the matrix programming language Ox from the viewpoint of an econometrician/statistician. We focus on scientific programming using Ox and discuss examples of possible interest to econometricians and statisticians, such as random number generation, maximum likelihood estimation, and Monte Carlo simulation. Ox is a remarkable matrix programming language which is well suited to research and teaching in econometrics and statistics.

Key words: C programming language, graphics, matrix programming language, maximum likelihood estimation, Monte Carlo simulation, Ox

"One of the cultural barriers that separates computer scientists from regular scientists and engineers is a differing point of view on whether a 30% or 50% loss of speed is worth worrying about. In many real-time state-of-the-art scientific applications, such a loss is catastrophic. The practical scientist is trying to solve tomorrow's problem with yesterday's computer; the computer scientist, we think, often has it the other way." Press et al. (1992, p. 25)

1. Introduction

Applied statisticians, econometricians and economists often need to write programs that implement estimation and testing procedures. With computers as powerful and affordable as they are nowadays, they tend to do that in programming environments rather than in low level programming languages. The former (e.g., GAUSS, MATLAB, R, S-PLUS) make programming accessible to the vast majority of researchers, and, in many cases, can be combined with the latter (e.g., C, Fortran) to achieve additional gains in speed. The existence of pre-packaged routines in statistical software that is otherwise best suited to perform data analysis (such as in S-PLUS) does not make the need for "statistical computing" any less urgent. Indeed, many newly developed techniques are not rapidly implemented into statistical software. If one wishes to use such techniques, he/she would have to program them. Additionally, several techniques are very computer-intensive, and require efficient programming environments/languages (e.g., bootstrap within a Monte Carlo simulation, double bootstrap, etc.). It would be nearly impossible to perform such computer-intensive tasks with traditional statistical software. Finally, programming forces one to think harder about the problem at hand, and about the estimation and testing methods that he/she will choose to use. Of course, the most convincing argument may be the following quote from the late John Tukey: "In a world in which the price of calculation continues to decrease rapidly, but the price of theorem proving continues to hold steady or increase, elementary economics indicates that we ought to spend a larger fraction of our time on calculation."¹

The focus of our paper is on the use of Ox for 'econometric computing'. That is, we discuss features of the Ox language that may be of interest to statisticians and econometricians, and exemplify their use through examples. Readers interested in reviews of Ox, including the language structure, its syntax, and its advantages and disadvantages, are referred to Cribari–Neto (1997), Keng and Orszag (1997), Kusters and Steffen (1996) and Podivinsky (1999).

2. A Brief Overview of Ox

Ox is a matrix programming language with object-oriented support developed by Jurgen Doornik, a Dutch graduate student (at the time) at Nuffield College, Oxford. The development of Ox started in April 1994. Doornik's primary goal was to develop a matrix programming language for the simulations he wished to perform for his doctoral dissertation. The very first preliminary version of Ox dates back to November 1994. In the summer of 1995, two other econometricians at Nuffield College started using Ox for their research: Neil Shephard and Richard Spady. From that point on, the development of Ox became a serious affair. The current Ox version is numbered 3.00. Ox binaries are available for Windows and several flavors of UNIX (including Linux) and can be downloaded from /Users/Doornik/, which is the main Ox web page. All versions are free for educational purposes and academic research, with the exception of the 'Professional Windows version'. This commercial version comes with a nice interface for graphics known as GiveWin (available for purchase from Timberlake Consultants, ). The free Ox versions can be launched from the command line in a console/terminal window, which explains why they are also known as 'console versions'. Doornik also distributes freely a powerful text editor for Windows: OxEdit (see also the OxEdit web page, which is currently at ). It can be used as a front-end not only to Ox (the console version) but also to other programs and languages, such as C, C++, TeX, LaTeX, etc.

The Ox syntax is very similar to that of C, C++ and Java. In fact, its similarity to C (at least as far as syntax goes) is one of its major advantages.² One characteristic similarity with C/C++ is in the indexing, which starts at zero, and not at one. This means that the first element of a matrix, say A, is accessed as A[0][0] instead of as A[1][1]. A key difference between Ox and languages such as C, C++ and Java is that matrix is a basic type in Ox.
Also, when programming in Ox one needs to declare the variables that will be used in the program (as is the case in C/C++), but unlike in C/C++, one does not have to specify the type of the variables that are declared. Ox's most impressive feature is that it comes with a comprehensive mathematical and statistical function library. A number of useful functions and methods are implemented into the language, which makes it very useful for scientific programming. Ox comes with a comprehensive set of help files in HTML form. The documentation of the language can also be found in Doornik (2001). A good introduction to Ox is Doornik, Draisma and Ooms (1998).

¹ A detailed comparison involving GAUSS, Macsyma, Maple, Mathematica, MATLAB, MuPAD, O-Matrix, Ox, R-Lab, Scilab, and S-PLUS can be found at http://www.scientificweb.de/ncrunch/ncrunch.pdf ("Comparison of mathematical programs for data analysis" by Stefan Steinhaus). Ox is the winner when it comes to speed.
² Other important advantages of Ox are the fact that it is fast, free, can be easily linked to C, Fortran, etc., and can read and write data in several different formats (ASCII, Gauss, Excel, Stata, Lotus, PcGive, etc.).

3. A Few Simple Illustrations

Our first example is a very simple one, and intends to show the similarity between the Ox and C syntaxes. We wish to develop a program that produces a small table converting temperatures in Fahrenheit to Celsius (from 0 F to 300 F in steps of 20 F). The source of this example is Kernighan and Ritchie (1988). The C code can be written as follows.

    /****************************************************************
     *  PROGRAM: celsius.c
     *
     *  USAGE: To generate a conversion table of temperatures (from
     *  Fahrenheit to Celsius). Based on an example in the
     *  Kernighan & Ritchie's book.
     ****************************************************************/
    #include <stdio.h>

    int main(void)
    {
        int fahr;

        printf("\nConversion table (F to C)\n\n");
        printf("\t%3s%5s\n", "F", "C");

        /* Loop over temperatures */
        for (fahr = 0; fahr <= 300; fahr += 20) {
            printf("\t%3d%6.1f\n", fahr, 5.0*(fahr-32)/9.0);
        }
        printf("\n");
        return 0;
    }

The output produced by compiled C code using the gcc compiler (Stallman, 1999) under the Linux operating system (MacKinnon, 1999) is:

    [cribari@edgeworth c]$ gcc -O2 -o celsius celsius.c
    [cribari@edgeworth c]$ ./celsius

    Conversion table (F to C)

          F     C
          0 -17.8
         20  -6.7
         40   4.4
         60  15.6
         80  26.7
        100  37.8
        120  48.9
        140  60.0
        160  71.1
        180  82.2
        200  93.3
        220 104.4
        240 115.6
        260 126.7
        280 137.8
        300 148.9

The next step is to write the same program in Ox code. The Ox transcription of the celsius.c program follows:

    /****************************************************************
     *  PROGRAM: celsius.ox
     *
     *  USAGE: To generate a conversion table of temperatures (from
     *  Fahrenheit to Celsius). Based on an example in the
     *  Kernighan & Ritchie's book.
     ***************************************************************/
    #include <oxstd.h>

    main()
    {
        decl fahr;

        print("\nConversion table (F to C)\n\n");
        print("\t F C\n");

        // Loop over temperatures
        for (fahr = 0; fahr <= 300; fahr += 20) {
            print("\t", "%3d", fahr);
            print("", "%6.1f", 5.0*(fahr-32)/9.0, "\n");
        }
        print("\n");
    }

The Ox output is:

    [cribari@edgeworth programs]$ oxl celsius
    Ox version 3.00 (Linux) (C) J.A. Doornik, 1994-2001

    Conversion table (F to C)

          F     C
          0 -17.8
         20  -6.7
         40   4.4
         60  15.6
         80  26.7
        100  37.8
        120  48.9
        140  60.0
        160  71.1
        180  82.2
        200  93.3
        220 104.4
        240 115.6
        260 126.7
        280 137.8
        300 148.9

The two programs above show that the Ox and C syntaxes are indeed very similar. Note that Ox accepts C style comments (/* ... */), and also C++-like comments to the end of the line (//).³ We also note that, unlike C, Ox accepts nested comments. The similarity between the Ox and C syntaxes is a major advantage of Ox over other matrix languages. Kendrick and Amman (1999) provide an overview of programming languages in economics. In the introduction of their paper, they give the following advice to users who are starting to program: "Begin with one of the high-level or modeling languages. (...) Then work downward in the chain and learn either Fortran, C, C++, or Java." If a user then starts with Ox and 'works downward' to C or C++, the transition will be smoother than if
he/she starts the chain with other high level languages.

As a second illustration of the use of Ox in econometrics and statistics, we develop a simple program that first simulates a large number of coin tosses, and then counts the frequency (percentage) of tails. The code, which is an Ox translation, with a smaller total number of runs, of the C code given in Cribari–Neto (1999), thus illustrates Kolmogorov's Law of Large Numbers. We begin by writing a loop-based version of the coin tossing experiment.

    /*******************************************************************
     *  PROGRAM: coin_loop.ox
     *
     *  USE: Simulates a large number of coin tosses and prints
     *  the percentage of tails.
     *
     *  PURPOSE: The program illustrates the first version of the
     *  law of large numbers which dates back to James
     *  Bernoulli.
     ******************************************************************/
    #include <oxstd.h>

    /* maximum number of coin tosses */
    const decl COIN_MAX = 1000000;

    main()
    {
        decl j, dExecTime, temp, result, tail, s;

        // Start the clock (to time the execution of the program).
        dExecTime = timer();

        // Choose the random number generator.
        ranseed("GM");

        // Main loop:
        for (j = 10; j <= COIN_MAX; j *= 10) {
            tail = 0;
            for (s = 0; s < j; s++) {
                temp = ranu(1, 1);
                tail = temp > 0.5 ? tail : tail + 1;
            }
            result = 100.0 * tail / j;
            print("Percentage of tails from ", j, " tosses: ", "%8.2f", result, "\n");
        }
        print("\nEXECUTION TIME: ", timespan(dExecTime), "\n");
    }

³ Ox also borrows from Java; the println function, for instance, comes from the Java programming language.

The instruction tail = temp > 0.5 ? tail : tail + 1; does exactly what it does in C: it sets the variable tail equal to itself if the stated condition is true (temp > 0.5) and to tail + 1 otherwise.

We now vectorize the above code for speed. The motivation is obvious: vectorization usually leads to efficiency gains, unless of course one runs into memory problems. It is noteworthy that one of the main differences between a matrix programming language and a low level language, such as C and C++, is that programs should exploit vector and matrix operations when written and executed in a matrix-oriented language, such as Ox. The vectorized code for the example at hand is:

    /*******************************************************************
     *  PROGRAM: coin_vec.ox
     *
     *  USE: Simulates a large number of coin tosses and prints
     *  the percentage of tails.
     *
     *  PURPOSE: The program illustrates the first version of the
     *  law of large numbers which dates back to James
     *  Bernoulli.
     ******************************************************************/
    #include <oxstd.h>

    /* maximum number of coin tosses */
    const decl COIN_MAX = 1000000;

    main()
    {
        decl j, dExecTime, temp, tail;

        // Start the clock (to time the execution of the program).
        dExecTime = timer();

        // Choose the random number generator.
        ranseed("GM");

        // Coin tossing:
        for (j = 10; j <= COIN_MAX; j *= 10) {
            temp = ranu(1, j);
            tail = sumr(temp .< 0.5) * (100.0 / j);
            print("Percentage of tails from ", j, " tosses: ", "%8.2f", double(tail), "\n");
        }
        print("\nEXECUTION TIME: ", timespan(dExecTime), "\n");
    }

The output of the loop-based program is:

    [cribari@edgeworth programs]$ oxl coin_loop
    Ox version 3.00 (Linux) (C) J.A. Doornik, 1994-2001
    Percentage of tails from 10 tosses:       40.00
    Percentage of tails from 100 tosses:      53.00
    Percentage of tails from 1000 tosses:     49.10
    Percentage of tails from 10000 tosses:    49.69
    Percentage of tails from 100000 tosses:   49.83
    Percentage of tails from 1000000 tosses:  49.99

    EXECUTION TIME: 2.41

whereas the vectorized code generates the following output:

    [cribari@edgeworth programs]$ oxl coin_vec
    Ox version 3.00 (Linux) (C) J.A. Doornik, 1994-2001
    Percentage of tails from 10 tosses:       40.00
    Percentage of tails from 100 tosses:      53.00
    Percentage of tails from 1000 tosses:     49.10
    Percentage of tails from 10000 tosses:    49.69
    Percentage of tails from 100000 tosses:   49.83
    Percentage of tails from 1000000 tosses:  49.99

    EXECUTION TIME: 0.23

Note that the empirical frequency of tails approaches 1/2, the population mean, as predicted by the Law of Large Numbers. As far as efficiency goes, we see that vectorization leads to a sizeable improvement. The loop-based program yields an execution time which is over 10 times greater than that of its
vectorized version, on a DELL Pentium III 1 GHz computer with 512 MB RAM running on Linux.⁴

Some languages, like C, operate faster on rows than on columns. The same logic applies to Ox. To illustrate the claim, we modify the vectorized code so that the random draws are stored in a column vector (they were previously stored in a row vector). To that end, one only needs to change two lines of code:

    for (j = 10; j <= COIN_MAX; j *= 10) {
        temp = ranu(j, 1);                        // 1st change
        tail = sumc(temp .< 0.5) * (100.0 / j);   // 2nd change
        print("Percentage of tails from ", j, " tosses: ", "%8.2f", double(tail), "\n");
    }

This new vectorized code now runs in 0.35 second. That is, we see a speed penalty of over 50% when we transpose the code so that we work with a large column vector instead of working with a large row vector.

4. Econometric Applications

Maximum likelihood estimates oftentimes need to be computed using a nonlinear optimization scheme. In order to illustrate how that can be done using Ox, we consider the maximum likelihood estimation of the number of degrees-of-freedom of a Student t distribution. Maximization is performed using a quasi-Newton method (known as the 'BFGS' method) with numerical gradient, i.e., without specifying the score function. (Note that this estimator is substantially biased in small samples.) It is noteworthy that Ox has routines for other optimization methods as well, such as the Newton-Raphson and the BHHH methods. An advantage of the BFGS method is that it allows users to maximize likelihoods without having to specify a score function. See Press et al. (1992, Chapter 10) for details on the BFGS and other nonlinear optimization methods. See also Mittelhammer, Judge and Miller (2000, §8.13), who on page 199 write that "[t]he BFGS algorithm is generally regarded as the best performing method." The example below uses a random sample of size 50, the true value of the parameter is 3, and the initial value of the optimization scheme is 2. (We have neglected a constant in the log-likelihood function.)

⁴ The operating system was Mandrake Linux 8.0 running on kernel 2.4.3.

    /**************************************************************
     *  PROGRAM: t.ox
     *
     *  USAGE: Maximum likelihood estimation of the number of
     *  degrees of freedom of a Student t distribution.
     *************************************************************/
    #include <oxstd.h>
    #include <oxprob.h>
    #import <maximize>

    const decl N = 50;
    static decl s_vx;

    fLogLik(const vP, const adFunc, const avScore, const amHess)
    {
        decl vone = ones(1, N);
        decl nu = vP[0];

        adFunc[0] = double( N*loggamma((nu+1)/2) - (N/2)*log(nu)
                            - N*loggamma(nu/2)
                            - ((nu+1)/2)*(vone*log(1 + (s_vx.^2)/nu)) );

        if (isnan(adFunc[0]) || isdotinf(adFunc[0]))
            return 0;
        else
            return 1;   // 1 indicates success
    }

    main()
    {
        decl vp, dfunc, dnu, ir;

        ranseed("GM");
        vp = 2.0;
        dnu = 3.0;
        s_vx = rant(N, 1, 3);

        ir = MaxBFGS(fLogLik, &vp, &dfunc, 0, TRUE);

        print("\nCONVERGENCE: ", MaxConvergenceMsg(ir));
        print("\nMaximized log-likelihood: ", "%7.3f", dfunc);
        print("\nTrue value of nu: ", "%6.3f", dnu);
        print("\nML estimate of nu: ", "%6.3f", double(vp));
        print("\nSample size: ", "%6d", N);
        print("\n");
    }

Here is the Ox output:

    [cribari@edgeworth programs]$ oxl t
    Ox version 3.00 (Linux) (C) J.A. Doornik, 1994-2001

    CONVERGENCE: Strong convergence
    Maximized log-likelihood: -72.813
    True value of nu:  3.000
    ML estimate of nu:  1.566
    Sample size:     50

The maximum likelihood estimate of ν, whose true value is 3, is ν̂ = 1.566. This example shows that nonlinear maximization of functions can be done with ease using Ox. Of course, one can
estimate more complex models in a similar fashion.For example,the parameters of a nonlinear regression model can be estimated by setting up a log-likelihood function,and maximizing it with a MaxBFGS call.It is important to note,however,that Ox does not come with routines for performing constrained maximization.The inclusion of such functions in Ox would be a great addition to the language.A number of people have developed add-on packages for Ox.These handle dynamic panel data(DPD),ARFIMA models,conditionally heteroskedastic models,stochastic volatil-ity models,state space forms.There is,moreover,Ox code for quantile regressions,and in particular, 1(i.e.,least absolute deviations)regressions.The code corresponds to the al-gorithm described in Portnoy and Koenker(1997)and is available at Roger Koenker’s web page(/roger/research/rqn/rqn.html).We consider,next,the G@RCH2.0package recently developed by S´e bastien Laurent and Jean–Philippe Peters,which is dedicated to the estimation and forecasting of ARCH,GARCH models.The GARCH add-on package comes in two versions,namely:(i)the‘Full Version’which requires a registered copy of Ox Professional3.00,since it is launched from OxPack and makes use of the GiveWin interface,and(ii)the‘Light Version’which only requires the free (‘console’)version of Ox.It relies on Ox’s object-oriented programming capabilities,being a derived class of Ox’s Modelbase type of class.The package is available for download at http://www.egss.ulg.ac.be/garch.We borrow the example program(GarchEstim.ox)in order to illustrate the use of the GARCH code(as with everything else,in the context of the console,i.e.free,version of Ox).The GARCH object(which is created with the source code provided by this add-on package)allows for the estimation of a large number of uni-variate ARCH-type models(e.g.,ARCH,GARCH,IGARCH,FIGARCH,GJR,EGARCH, APARCH,FIEGARCH,FIAPARCH)under Gaussian,Student–t,skewed Student and gen-eralized error 
distributions.Forecasts(one-step-ahead density forecasts)of the conditional mean and variance are also available,as well as several misspecification tests and graphics commands.#include<oxstd.h>#import<packages/garch/garch>main(){decl garchobj;garchobj=new Garch();//***DATA***//garchobj.Load("Data/demsel.in7");();garchobj.Select(Y_VAR,{"DEM",0,0});10garchobj.SetSelSample(-1,1,-1,1);//***SPECIFICATIONS***//garchobj.CSTS(1,1);//cst in Mean(1or0),cst in Variance(1or0)garchobj.DISTRI(0);//0for Gauss,1for Student,2for GED,3for Skewed-Student garchobj.ARMA(0,0);//AR order(p),MA order(q).garchobj.ARFIMA(0);//1if Arfima wanted,0otherwisegarchobj.GARCH(1,1);//p order,q ordergarchobj.FIGARCH(0,0,1000);//Arg.1:1if Fractionnal Integration wanted.//Arg.2:0->BBM,1->Chung//Arg.3:if BBM,Truncation ordergarchobj.IGARCH(0);//1if IGARCH wanted,0otherwisegarchobj.EGARCH(0);//1if EGARCH wanted,0otherwisegarchobj.GJR(0);//1if GJR wanted,0otherwisegarchobj.APARCH(0);//1if APARCH wanted,0otherwise//***TESTS&FORECASTS***//garchobj.BOXPIERCE(<5;10;20>);//Lags for the Box-Pierce Q-statistics.garchobj.ARCHLAGS(<2;5;10>);//Lags for Engle’s LM ARCH test.garchobj.NYBLOM(1);//1to compute the Nyblom stability test,0otherwisegarchobj.PEARSON(<40;50;60>);//Cells(<40;50;60>)for the adjusted Pearson//Chi-square Goodness-of-fit test,0if not computed//G@RCH1.12garchobj.FORECAST(0,100);//Arg.1:1to launch the forecasting procedure,//0elsewhere//Arg.2:Number of one-step ahead forecasts//***OUTPUT***//garchobj.MLE(1);//0:both,1:MLE,2:QMLEgarchobj.COVAR(0);//if1,prints variance-covariance matrix of the parameters.garchobj.ITER(0);//Interval of iterations between printed intermediary results//(if no intermediary results wanted,enter’0’) garchobj.TESTSONLY(0);//if1,runs tests for the raw Y series,prior to//any estimation.garchobj.GRAPHS(0);//if1,prints graphics of the estimations//(only when using GiveWin).garchobj.FOREGRAPHS(0);//if1,prints graphics of the forecasts//(only when using 
GiveWin).//***PARAMETERS***//garchobj.BOUNDS(0);//1if bounded parameters wanted,0otherwisegarchobj.DoEstimation(<>);garchobj.STORE(0,0,0,0,0,"01",0);//Arg.1,2,3,4,5:if1->stored.(Res-SqRes-CondV-MeanFor-VarFor)//Arg.6:Suffix.The name of the saved series will be"Res_ARG6"//(or"MeanFor_ARG6",...).//Arg.7:if0,saves as an Excel spreadsheet(.xls).//If1,saves as a GiveWin dataset(.in7)delete garchobj;}11We have run the above code to obtain the MLE and QMLE results of an ARMA(0,0)model in the mean equation and GARCH(1,1)model in the variance equation,assuming Gaussian distributed errors.Some portmanteau tests,such as the Box–Pierce Q-statistic and the LM ARCH test,the Jarque–Bera normality test etc,were also calculated for the daily observations on the Dow Jones Industrial Average(Jan.1982-Dec.1999,a total of4,551observations). The output follows.Ox version 3.00(Linux)(C)J.A.Doornik,1994-2001Copyright for this package:urent and J.P.Peters,2000,2001.G@RCH package version 2.00,object created on14-08-2001----Database information----Sample:1-4313(4313observations)Frequency:1Variables:4Variable#obs#miss min mean max std.devDEM43130-6.3153-0.0022999 3.90740.75333PREC4313000.4259250.82935SUCC4313000.418550.81568OBSVAR43130 3.3897e-060.567539.853 1.3569 **********************SPECIFICATIONS*********************Mean Equation:ARMA(0,0)model.No regressor in the meanVariance Equation:GARCH(1,1)model.No regressor in the varianceThe distribution is a Gauss distribution.Strong convergence using numerical derivativesLog-likelihood=-4651.57Please wait:Computing the Std Errors...Maximum Likelihood EstimationCoefficient Std.Error t-value t-probCst(M)0.0031860.0100190.31800.7505Cst(V)0.0178730.003216 5.5580.0000GARCH(Beta1)0.8702150.01168674.460.0000ARCH(Alpha1)0.1028470.00964210.670.0000Estimated Parameters Vector:0.003186;0.017873;0.870215;0.102847No.Observations:4313No.Parameters:4*************TESTS**12***********Statistic t-Test P-ValueSkewness-0.20031 5.37237.7733e-08Excess Kurtosis 
1.868425.061 1.3133e-138Jarque-Bera656.19656.19 3.2440e-143---------------Information Criterium(minimize)Akaike 2.158856Shibata 2.158855Schwarz 2.164763Hannan-Quinn 2.160942---------------BOX-PIERCE:ValueMean of standardized residuals-0.00065Mean of squared standardized residuals0.99808H0:No serial correlation==>Accept H0when prob.is High[Q<Chisq(lag)] Box-Pierce Q-statistics on residualsQ(5)=17.7914[0.00321948]Q(10)=26.4749[0.00315138]Q(20)=44.9781[0.00111103]Box-Pierce Q-statistics on squared residuals-->P-values adjusted by2degree(s)of freedomQ(5)=8.01956[0.0456093]Q(10)=12.4119[0.133749]Q(20)=34.563[0.0107229]--------------ARCH1-2test:F(2,4306)= 2.7378[0.0648]ARCH1-5test:F(5,4300)= 1.5635[0.1668]ARCH1-10test:F(10,4290)= 1.2342[0.2632]--------------Diagnostic test based on the news impact curve(EGARCH vs.GARCH)Test ProbSign Bias t-Test 1.175980.23960Negative Size Bias t-Test 1.828560.06747Positive Size Bias t-Test0.975420.32935Joint Test for the Three Effects 4.468820.21509---------------Joint Statistic of the Nyblom test of stability: 1.77507Individual Nyblom Statistics:Cst(M)0.43501Cst(V)0.22234GARCH(Beta1)0.10147ARCH(Alpha1)0.10050Rem:Asymptotic1%critical value for individual statistics=0.75.Asymptotic5%critical value for individual statistics=0.47.---------------Adjusted Pearson Chi-square Goodness-of-fit testLags Statistic P-Value(lag-1)P-Value(lag-k-1)4078.06890.0002040.0000405089.05190.0004090.00010060103.25320.0003250.00008913Rem.:k=#estimated parameters---------------Elapsed Time: 4.67seconds(or0.0778333minutes).The stochastic volatility package(SvPack),written by Neil Shephard,is essentially a dy-namic link library for Ox of C code that deals with the implementation of likelihood inference in volatility models.The fact that it is written in C guarantees optimal speed,whereas the linking to Ox definitely improves usability.It requires the Ox state space package(SsfPack), which provides for Kalmanfiltering,smoothing and simulation smoothing algorithms of 
Gaus-sian multivariate state space forms(see Koopman,Shephard and Doornik,1999;Ooms,1999, and also ),as well as ARMS(Adaptive Rejection Metropolis Sam-pling),an Ox front-end for C code for adaptive rejection sampling algorithms(i.e.,routines for efficient sampling from complicated univariate densities)developed and documented by Michael Pitt(based on C code by Wally Gilks).The Arfima package is a set of Ox functions that create a class(an ARFIMA object) for the estimation and testing of AR(F)IMA models(Beran,1994).The models can be esti-mated via exact maximum likelihood,modified profile likelihood and nonlinear least squares. ArfimaSim is an additional simulation class included in the Arfima package that provides the means for Monte Carlo experiments based on the Arfima class.The Dynamic Panel Data package,DPD,like the Arfima and G@RCH packages,is a nice example of object-oriented Ox programming.They are derived classes written in Ox.DPD, which is entirely written in Ox,implements dynamic panel data models,as well as some static ones,and can handle unbalanced panels.Monte Carlo experimentation is possible with the simulation class DPSSim,included in this Ox add-on package.5.GraphicsOx has a number of commands that help create publication-quality graphics.This is, however,one of the areas where more progress is expected.The graphics capabilities of the console version of Ox are not comparable to those of,say,GAUSS,MATLAB,R or S-PLUS.It is important to note,however,that the professional version of Ox comes with an impressive interface for graphics:GiveWin.It allows users,for example,to modify a graph with a few clicks of the mouse.With GiveWin,it is possible to edit all graphs on the screen, manipulate areas,add Greek letters,add labels,change fonts,etc.Therefore,users who intend to make extensive use of the plotting capabilities of the language to produce publication quality graphics should consider using the professional version of Ox.5An alternative strategy 
would be to use Ox for programming,save the results to afile, read the resultsfile into R,which is also free,and then produce publication quality plots from there.6It is also possible to use GnuDraw,an Ox package written by Charles Bos (http://www2.tinbergen.nl/~cbos/).GnuDraw allows users to create gnuplot(http:// )graphics from Ox,extending the possibilities offered by existing OxDraw 5The newest,just released,version3.00of Ox has improved graphics capabilities.For instance,it now has built-in functions for producing3D plots.6For details on R,see .14。
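As an added illustration of the Student t degrees-of-freedom example of Section 4, the following Python code is new and is not the paper's t.ox program: it implements the same log-likelihood (again dropping the constant) and maximizes it with a quasi-Newton BFGS scheme that uses only a central-difference numerical gradient, as MaxBFGS does when no score function is supplied. The optimizer is written for any number of parameters, so it goes beyond the one-parameter case in the text. The sample is constructed (Student t draws built from a normal and a chi-square), and every function name, the Armijo backtracking line search, the tolerances and the seed are this example's own assumptions, not Ox's.

```python
"""Student t degrees-of-freedom MLE by BFGS with a numerical gradient.
Added example (pure Python, no Ox); the sample below is constructed."""
import math
import random


def t_loglik(nu, x):
    """Log-likelihood of an i.i.d. Student t(nu) sample, constant -N/2*log(pi)
    dropped as in the paper. Returns -inf outside the parameter space."""
    n = len(x)
    if nu <= 0:
        return float("-inf")
    s = sum(math.log1p(xi * xi / nu) for xi in x)
    return (n * math.lgamma((nu + 1) / 2) - (n / 2) * math.log(nu)
            - n * math.lgamma(nu / 2) - ((nu + 1) / 2) * s)


def num_grad(f, p, h=1e-5):
    """Central-difference gradient of f at p (one entry per parameter)."""
    g = []
    for k in range(len(p)):
        up, dn = list(p), list(p)
        up[k] += h
        dn[k] -= h
        g.append((f(up) - f(dn)) / (2 * h))
    return g


def max_bfgs(f, p0, tol=1e-5, max_iter=200):
    """Maximise f from p0 by BFGS (inverse-Hessian update of -f) with a
    numerical gradient and Armijo backtracking. Returns (params, value, ok)."""
    n = len(p0)
    p, fp = list(p0), f(p0)
    g = num_grad(f, p)
    H = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for _ in range(max_iter):
        if max(abs(gi) for gi in g) < tol:
            return p, fp, True
        d = [sum(H[i][j] * g[j] for j in range(n)) for i in range(n)]  # ascent dir
        slope = sum(g[i] * d[i] for i in range(n))
        step = 1.0
        while True:
            q = [p[i] + step * d[i] for i in range(n)]
            fq = f(q)
            if fq > fp + 1e-4 * step * slope:      # Armijo sufficient increase
                break
            step *= 0.5
            if step < 1e-12:                        # no usable step: report status
                return p, fp, max(abs(gi) for gi in g) < 1e-3
        gq = num_grad(f, q)
        s = [q[i] - p[i] for i in range(n)]
        y = [g[i] - gq[i] for i in range(n)]        # gradient change of -f
        sy = sum(s[i] * y[i] for i in range(n))
        if sy > 1e-12:                              # standard BFGS inverse update
            rho = 1.0 / sy
            Hy = [sum(H[i][j] * y[j] for j in range(n)) for i in range(n)]
            yHy = sum(y[i] * Hy[i] for i in range(n))
            for i in range(n):
                for j in range(n):
                    H[i][j] += ((1 + rho * yHy) * rho * s[i] * s[j]
                                - rho * (Hy[i] * s[j] + s[i] * Hy[j]))
        p, fp, g = q, fq, gq
    return p, fp, False


def student_t_sample(n, nu, seed=1234):
    """Constructed sample: t(nu) draws as Z / sqrt(V/nu), V ~ chi-square(nu)."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        z = rng.gauss(0.0, 1.0)
        v = rng.gammavariate(nu / 2, 2.0)           # chi-square(nu) = Gamma(nu/2, 2)
        out.append(z / math.sqrt(v / nu))
    return out


def estimate_df(x, nu0=2.0):
    """Maximise the log-likelihood over nu from the starting value nu0."""
    p, val, ok = max_bfgs(lambda p: t_loglik(p[0], x), [nu0])
    return p[0], val, ok


if __name__ == "__main__":
    x = student_t_sample(50, 3.0)
    nu_hat, ll, ok = estimate_df(x)
    print("converged:", ok, " log-lik:", round(ll, 3), " nu_hat:", round(nu_hat, 3))
```

With n = 50 the estimate can be far from 3, as the paper's own run (1.566) shows; the sample in the test below is larger so that the optimum is well identified, and the check is the local-maximum property of the returned value rather than a particular number.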
1. Introduction

Following Sudan's idea of list decoding of Reed-Solomon codes [16], Shokrollahi and Wasserman [14] presented the first form of list decoding of algebraic geometry codes. Soon afterward, Guruswami and Sudan [6] added the notion of multiplicities to Shokrollahi and Wasserman's formulation, improving significantly the capability of list decoding. By these works, the current form of list decoding of algebraic geometry codes, consisting of an interpolation step and a root-finding step, was established. Subsequently, many efforts followed to develop practical algorithms for the interpolation step and the root-finding step. Høholdt and Nielsen [7] worked out explicitly an interpolation algorithm and a factorization algorithm specifically for Hermitian codes. Augot and Pecquet [1], Gao and Shokrollahi [5], and Wu and Siegel [17] presented efficient factorization or root-finding algorithms over function fields. Sakata [13] presented a fast interpolation method using the well-known Berlekamp-Massey-Sakata algorithm. Olshevsky and Shokrollahi [10] derived fast interpolation algorithms using the concept of displacement rank of structured matrices.

Hermitian codes have been the most prominent example of algebraic geometry codes, and a serious competitor of Reed-Solomon codes. First of all, they are significantly longer than Reed-Solomon codes for a fixed alphabet size, and they have good dimension and minimum distance properties. They also possess a rich algebraic and geometric structure that yields efficient encoding and decoding algorithms. New developments on decoding algorithms were often applied to Hermitian codes foremost, and an idea successful with Hermitian codes is likely to be extended for a general class of algebraic geometry codes.

The aim of this paper is to extend the results of Lee and O'Sullivan [9] for Hermitian codes. This is a natural but, we think, nontrivial task. We needed to
LIST DECODING OF HERMITIAN CODES USING GRÖBNER BASES
KWANKYU LEE AND MICHAEL E. O’SULLIVAN
arXiv:cs.IT/0610132 v1 23 Oct 2006
Abstract. List decoding of Hermitian codes is reformulated to allow an efficient and simple algorithm for the interpolation step. The algorithm is developed using the theory of Gröbner bases of modules. The computational complexity of the algorithm seems comparable to previously known algorithms achieving the same task, and thd for hardware implementation.
2000 Mathematics Subject Classification. 94B35, 11T71. Key words and phrases. Hermitian codes; List decoding; Gröbner bases; Interpolation algorithms. The first author was supported by the Korea Research Foundation Grant funded by the Korea Government (MOEHRD, Basic Research Promotion Fund) (KRF-2005-214-C00009).
reformulate list decoding of Hermitian codes in the language of commutative algebra and Gröbner bases. An advantage of the new formulation is to eliminate the computation of the "increasing zero bases" of a linear space as in [7]. The new formulation allows us to present a simple and efficient algorithm for the interpolation step using Gröbner bases of modules. The algorithm is a natural adaptation to Hermitian codes of the algorithm for Reed-Solomon codes developed in [9].

In Section 2, we review basic properties of Hermitian curves and codes. Fulton [4], Stichtenoth [15], and Pretzel [12] are our basic references for further information. In later sections, a basic understanding of Gröbner bases is assumed. For an introduction to the theory, see Cox et al. [2, 3]. In Section 3, we formulate list decoding of Hermitian codes. In Section 4, we describe a method to find an optimal interpolation polynomial, namely the Q-polynomial. In Section 5, an efficient algorithm for the interpolation step is presented. In Section 6, some upper bounds for the Q-polynomial are given. In the appendix, we present an algorithm computing a Gröbner basis for a module with a special set of generators, with respect to a special weight monomial order. It is a slight abstraction of Algorithm G for list decoding of Reed-Solomon codes presented in [9], and applicable for Hermitian codes as well.

2. Codes on Hermitian curves

Let $F$ denote a finite field with $q^2$ elements. Let $H \subset \mathbb{A}^2_F$ be the Hermitian plane curve defined by the absolutely irreducible polynomial $X^{q+1} - Y^q - Y$ over $F$. The coordinate ring of $H$ is the integral domain $R = F[X, Y]/\langle X^{q+1} - Y^q - Y \rangle$. The function field of $H$ is the quotient field $K$ of $R$. Let $x$ and $y$ denote the residue classes of $X$ and $Y$ in $R$, respectively. So $x^{q+1} - y^q - y = 0$, and $R = F[x, y]$. There are $q^3$ rational points on $H$, which are enumerated as $P_1, P_2, \dots, P_n$ with $n = q^3$.
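As an added example (Python written for this page, not code from the paper), the following enumerates the affine rational points of $H$ over $F_{q^2}$ and checks that there are $q^3$ of them, then lists the monomial basis $x^i y^j$ of $L(uP_\infty)$ described in the next paragraph ($0 \le j \le q-1$, $qi + (q+1)j \le u$) and checks its size against the Riemann-Roch dimension $u + 1 - g$ for $u \ge 2g - 1$. The example assumes $q$ is prime, so that $F_{q^2}$ can be built by hand as $F_q[t]/(m(t))$ with $m$ an irreducible quadratic; the evaluation of the basis at the points, which is the usual way a Hermitian code is defined, is not yet stated in this section and is included as an assumption. All class and function names are the example's own.

```python
"""Rational points of the Hermitian curve x^{q+1} = y^q + y over F_{q^2},
and the monomial basis of L(u P_inf). Added example, not the paper's code.
Assumption: q is prime, so F_{q^2} = F_q[t]/(m(t)) with m quadratic irreducible."""


class GFq2:
    """F_{q^2} for prime q. Elements are pairs (a, b) meaning a + b*t,
    with t^2 = m1*t + m0 chosen so that t^2 - m1*t - m0 is irreducible over F_q."""

    def __init__(self, q):
        self.q = q
        if q == 2:
            self.m1, self.m0 = 1, 1                      # t^2 = t + 1 over F_2
        else:
            squares = {(a * a) % q for a in range(1, q)}
            c = next(a for a in range(2, q) if a not in squares)  # non-residue
            self.m1, self.m0 = 0, c                      # t^2 = c is irreducible
        self.one = (1, 0)

    def elements(self):
        return [(a, b) for a in range(self.q) for b in range(self.q)]

    def add(self, x, y):
        return ((x[0] + y[0]) % self.q, (x[1] + y[1]) % self.q)

    def mul(self, x, y):
        a, b = x
        c, d = y
        # (a + b t)(c + d t) = ac + (ad + bc) t + bd t^2,  with t^2 = m1 t + m0
        return ((a * c + b * d * self.m0) % self.q,
                (a * d + b * c + b * d * self.m1) % self.q)

    def pow(self, x, n):
        r = self.one
        for _ in range(n):
            r = self.mul(r, x)
        return r


def hermitian_points(q):
    """All affine points (x, y) in F_{q^2}^2 with x^{q+1} = y^q + y;
    the paper states there are q^3 of them."""
    F = GFq2(q)
    pts = []
    for x in F.elements():
        lhs = F.pow(x, q + 1)
        for y in F.elements():
            if lhs == F.add(F.pow(y, q), y):
                pts.append((x, y))
    return pts


def genus(q):
    """g = q(q-1)/2 for the Hermitian curve."""
    return q * (q - 1) // 2


def l_basis(q, u):
    """Exponent pairs (i, j) of the basis x^i y^j of L(u P_inf):
    0 <= i, 0 <= j <= q-1 and q*i + (q+1)*j <= u."""
    return [(i, j) for j in range(q) for i in range(u // q + 1)
            if q * i + (q + 1) * j <= u]


def riemann_roch_ok(q, u):
    """For u >= 2g-1 the dimension of L(u P_inf) must equal u + 1 - g."""
    return u < 2 * genus(q) - 1 or len(l_basis(q, u)) == u + 1 - genus(q)


def evaluation_matrix(q, u):
    """Evaluate each basis monomial at every rational point (the usual
    evaluation construction of a Hermitian code; assumed here, not taken
    from the section above). Rows index monomials, columns index points."""
    F = GFq2(q)
    pts = hermitian_points(q)
    return [[F.mul(F.pow(x, i), F.pow(y, j)) for (x, y) in pts]
            for (i, j) in l_basis(q, u)]


if __name__ == "__main__":
    for q in (2, 3):
        print(q, len(hermitian_points(q)), "points; genus", genus(q),
              "; dim L(10 P_inf) =", len(l_basis(q, 10)))
```

For q = 2 the field is F_4 and the curve has 8 points; for q = 3 it is F_9 with 27 points, matching n = q^3, and the row count of the evaluation matrix is the dimension of L(uP_∞).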
The projective closure of $H$ is a nonsingular curve with a unique rational point $P_\infty$ at infinity. The functions $x$ and $y$ on $H$ have poles at $P_\infty$ of orders $q$ and $q+1$, respectively. The genus of $H$ is given by $g = q(q-1)/2$. The linear space $L(uP_\infty)$ for $u \ge 0$ has a basis consisting of $x^i y^j$ for $0 \le i$, $0 \le j \le q-1$, and $qi + (q+1)j \le u$. Moreover