A-New-Algorithm-for-Solving-the-Word-Problem-in-Braid-Groups

Analyzing the Scalability of Algorithms

Algorithms are essential tools used in various fields such as computer science, data analysis, and machine learning. The scalability of algorithms refers to their ability to handle increasing amounts of data or growing computational demands efficiently without compromising performance. In this article, we will delve into the concept of scalability of algorithms and discuss various factors that influence it.

One of the key factors that affect the scalability of algorithms is the input size. As the amount of data increases, the algorithm should be able to process it within a reasonable time frame. The efficiency of an algorithm can be measured in terms of its time complexity, which describes how the running time of the algorithm grows with the size of the input. Algorithms with a lower time complexity are more scalable as they can handle larger inputs without a significant increase in processing time.

Another important factor to consider is the space complexity of an algorithm. Space complexity refers to the amount of memory or storage space required by the algorithm to solve a problem. As the input size grows, the algorithm should not consume an excessive amount of memory, as this can lead to performance degradation or even failure to complete the computation. Algorithms with lower space complexity are more scalable as they can operate efficiently even with limited memory resources.

Moreover, the structure and design of an algorithm can greatly impact its scalability. Algorithms that are well-structured and modularized are easier to scale as they can be optimized or parallelized to improve performance. Additionally, the choice of data structures and algorithms used within the main algorithm can influence its scalability. For example, utilizing efficient data structures such as arrays or hash tables can improve the scalability of the algorithm by reducing the time and space required for processing.

Furthermore, the scalability of algorithms can also be affected by external factors such as hardware limitations or network constraints. Algorithms that are designed to work in a distributed system or parallel computing environment are more scalable as they can distribute the workload across multiple processing units. However, algorithms that rely on a single processor or have high communication overhead may not scale well when faced with increasing computational demands.

In conclusion, analyzing the scalability of algorithms is crucial for ensuring optimal performance in handling large datasets or complex computational tasks. Understanding the factors that influence scalability, such as time complexity, space complexity, algorithm structure, and external constraints, can help developers and researchers design and implement scalable algorithms. By considering these factors and optimizing the algorithm accordingly, we can improve efficiency, reduce resource consumption, and achieve better performance in various applications.

Scheduling flow shops using differential evolution algorithm

Discrete Optimization

Scheduling flow shops using differential evolution algorithm

Godfrey Onwubolu *, Donald Davendra
Department of Engineering, The University of the South Pacific, P.O. Box 1168, Suva, Fiji

Received 17 January 2002; accepted 5 August 2004. Available online 21 November 2004.
European Journal of Operational Research 171 (2006) 674–692. doi:10.1016/j.ejor.2004.08.043
0377-2217/$ - see front matter © 2004 Elsevier B.V. All rights reserved.
* Corresponding author. Tel.: +679 212034; fax: +679 302567. E-mail address: onwubolu_g@usp.ac.fj (G. Onwubolu).

Abstract

This paper describes a novel optimization method based on a differential evolution (exploration) algorithm and its applications to solving non-linear programming problems containing integer and discrete variables. The techniques for handling discrete variables are described as well as the techniques needed to handle boundary constraints. In particular, the application of differential evolution algorithm to minimization of makespan, flowtime and tardiness in a flow shop manufacturing system is given in order to illustrate the capabilities and the practical use of the method. Experiments were carried out to compare results from the differential evolution algorithm and the genetic algorithm, which has a reputation for being very powerful. The results obtained have proven satisfactory in solution quality when compared with genetic algorithm. The novel method requires few control variables, is relatively easy to implement and use, effective, and efficient, which makes it an attractive and widely applicable approach for solving practical engineering problems. Future directions in terms of research and applications are given.
© 2004 Elsevier B.V. All rights reserved.

Keywords: Scheduling; Flow shops; Differential evolution algorithm; Optimization

1. Introduction

In general, when discussing non-linear programming, the variables of the object function are usually assumed to be continuous. However, in practical real-life engineering applications it is common to have the problem variables under consideration being discrete or integer values. Real-life, practical engineering optimization problems are commonly integer or discrete because the available values are limited to a set of commercially available standard sizes. For example, the number of automated guided vehicles, the number of unit loads, the number of storage units in a warehouse operation are integer variables, while the size of a pallet, the size of billet for machining operation, etc., are often limited to a set of commercially available standard sizes. Another class of interesting optimization problem is finding the best order or sequence in which jobs have to be machined. None of these engineering problems has a continuous objective function; rather each of these engineering problems has either an integer objective function or discrete objective function. In this paper we deal with the scheduling of jobs in a flow shop manufacturing system.

The flow shop scheduling-problem is a production planning-problem in which n jobs have to be processed in the same sequence on m machines. The assumptions are that there are no machine breakdowns and that all jobs are pre-emptive. This is commonly the case in many manufacturing systems where jobs are transferred from machine to machine by some kind of automated material handling systems. For large problem instances, typical of practical manufacturing settings, most researchers have focused on developing heuristic procedures that yield near optimal-solutions within a reasonable computation time. Most of these heuristic procedures focus on the development of permutation schedules and use makespan as a performance measure. Some of the well-known scheduling heuristics, which have been reported in the literature, include Palmer (1965), Campbell et al. (1970), Gupta (1971), Dannenbring (1977), Hundal and Rajagopal (1988) and Ho and Chang (1991). Cheng and Gupta (1989) and Baker and Scudder (1990) presented a comprehensive survey of research work done in flow shop scheduling.

In recent years, a growing body of literature suggests the use of heuristic search procedures for combinatorial optimization problems. Several search procedures that have been identified as having great potential to address practical optimization problems include simulated annealing (Kirkpatrick et al., 1983), genetic algorithms (Goldberg, 1989), tabu search (Glover, 1989, 1990), and ant colony optimization (Dorigo, 1992). Consequently, over the past few years, several researchers have demonstrated the applicability of these methods to combinatorial optimization problems such as the flow shop scheduling (see for example, Widmer and Hertz, 1989; Ogbu and Smith, 1990; Taillard, 1990; Chen et al., 1995; Onwubolu, 2000). More recently, a novel optimization method based on differential evolution (exploration) algorithm (Storn and Price, 1995) has been developed, which originally focused on solving non-linear programming problems containing continuous variables. Since Storn and Price (1995) invented the differential evolution (exploration) algorithm, the challenge has been to employ the algorithm to different areas of problems other than those areas that the inventors originally focussed on. Although application of DE to combinatorial optimization problems encountered in engineering is scarce, researchers have used DE to design complex digital filters (Storn, 1999), and to design mechanical elements such as gear train, pressure vessels and springs (Lampinen and Zelinka, 1999). This paper presents a new approach based on differential evolution algorithm for solving the problem of scheduling n jobs on m machines when all jobs are available for processing and the objective is to minimize the makespan. Other objective functions considered in the present work include mean flowtime and total tardiness.

2. Problem formulation

A flow shop scheduling is one in which all jobs must visit machines or work centers in the same sequence. Processing of a job must be completed on current machine before processing of the job is started on succeeding machine. This means that initially all jobs are available and that each machine is restricted to processing only one job at any particular time. Since the first machine in the facility arrangement is the first to be visited by each job, the other machines are idle and other jobs are queued. Although queuing of jobs is prohibited in just-in-time (JIT) manufacturing environments, flow shop manufacturing continues to find applications in electronics manufacturing, and space shuttle processing, and has attracted much research work (Onwubolu, 2002). The flow shop can be formatted generally by the sequencing of n jobs on m machines under the precedence condition, with typical objective functions being the minimizing of average flowtime, minimizing the time required to complete all jobs or makespan, minimizing maximum tardiness, and minimizing the number of tardy jobs. If the number of jobs is relatively small, then the problem can be solved without using any generic optimizing algorithm. Every possibility can be checked to obtain results and then sequentially compared to capture the optimum value. But, more often, the number of jobs to be processed is large, which leads to big-O order of n!. Consequently, some kind of algorithm is essential in this type of problem to avoid combinatorial explosion.

The standard three-field notation (Lawler et al., 1995) used is that for representing a scheduling problem as $a \mid b \mid F(C)$, where $a$ describes the machine environment, $b$ describes the deviations from standard scheduling assumptions, and $F(C)$ describes the objective $C$ being optimized. In the work reported in this paper, we are solving the $n/m/F \parallel F(C_{\max})$ problem. Other problems solved include $F(C) = F(\sum C_i)$ and $F(C) = F(\sum T_j)$. Here $a = n/m/F$ describes the multiple-machines flow shop problem, $b$ = null, and $F(C) = F(C_{\max};\ \sum C_i;\ \text{and}\ \sum T_j)$ for makespan, mean flowtime, and total tardiness, respectively. Stating these problem descriptions more elaborately, the minimization of completion time (makespan) for a flow shop schedule is equivalent to minimizing the objective function $I$:

$$I = \sum_{j=1}^{n} C_{m,j}, \qquad (1)$$

$$\text{s.t.}\quad C_{i,j} = \max\left(C_{i-1,j},\ C_{i,j-1}\right) + P_{i,j}, \qquad (2)$$

where $C_{m,j}$ = the completion time of job $j$, $C_{1,1} = k$ (any given value), $C_{i,j} = \sum_{k=1}^{j} C_{1,k}$, $C_{j,i} = \sum_{k=1}^{i} C_{k,1}$, $i$ = machine number, $j$ = job in sequence, $P_{i,j}$ = processing time of job $j$ on machine $i$. For a given sequence, the mean flowtime, $\mathrm{MFT} = \frac{1}{n}\sum_{i=1}^{m}\sum_{j=1}^{n} c_{ij}$, while the condition for tardiness is $c_{m,j} > d_j$. The constraint of Eq. (2) applies to these two problem descriptions.

3. Differential evolution

The differential evolution (exploration) [DE] algorithm introduced by Storn and Price (1995) is a novel parallel direct search method, which utilizes NP parameter vectors as a population for each generation G. DE can be categorized into a class of floating-point encoded, evolutionary optimization algorithms. Currently, there are several variants of DE. The particular variant used throughout this investigation is the DE/rand/1/bin scheme. This scheme will be discussed here and more detailed descriptions are provided (Storn and Price, 1995). Since the DE algorithm was originally designed to work with continuous variables, the optimization of continuous problems is discussed first. Handling discrete variables is explained later.

Generally, the function to be optimized, $I$, is of the form $I(X): \mathbb{R}^D \to \mathbb{R}$. The optimization target is to minimize the value of this objective function $I(X)$,

$$\min(I(X)), \qquad (3)$$

by optimizing the values of its parameters $X = \{x_1, x_2, \ldots, x_D\}$, $X \in \mathbb{R}^D$, where $X$ denotes a vector composed of $D$ objective function parameters. Usually, the parameters of the objective function are also subject to lower and upper boundary constraints, $x^{(L)}$ and $x^{(U)}$, respectively,

$$x_j^{(L)} \le x_j \le x_j^{(U)} \quad \forall j \in [1, D]. \qquad (4)$$

3.1. Initialization

As with all evolutionary optimization algorithms, DE works with a population of solutions, not with a single solution for the optimization problem. Population $P$ of generation $G$ contains NP solution vectors called individuals of the population and each vector represents potential solution for the optimization problem

$$P^{(G)} = X_i^{(G)} = x_{j,i}^{(G)}, \quad i = 1, \ldots, NP;\ j = 1, \ldots, D;\ G = 1, \ldots, G_{\max}. \qquad (5)$$

In order to establish a starting point for optimum seeking, the population must be initialized. Often there is no more knowledge available about the location of a global optimum than the boundaries of the problem variables. In this case, a natural way to initialize the population $P^{(0)}$ (initial population) is to seed it with random values within the given boundary constraints:

$$P^{(0)} = x_{j,i}^{(0)} = x_j^{(L)} + \mathrm{rand}_j[0,1] \times \left(x_j^{(U)} - x_j^{(L)}\right) \quad \forall i \in [1, NP],\ \forall j \in [1, D], \qquad (6)$$

where $\mathrm{rand}_j[0,1]$ represents a uniformly distributed random value that ranges from zero to one.

3.2. Mutation

The self-referential population recombination scheme of DE is different from the other evolutionary algorithms. From the first generation onward, the population of the subsequent generation $P^{(G+1)}$ is obtained on the basis of the current population $P^{(G)}$. First a temporary or trial population of candidate vectors for the subsequent generation, $P'^{(G+1)} = V^{(G+1)} = v_{j,i}^{(G+1)}$, is generated as follows:

$$v_{j,i}^{(G+1)} = \begin{cases} x_{j,r_3}^{(G)} + F \times \left(x_{j,r_1}^{(G)} - x_{j,r_2}^{(G)}\right), & \text{if } \mathrm{rand}_j[0,1] < CR\ \lor\ j = k, \\ x_{i,j}^{(G)}, & \text{otherwise}, \end{cases} \qquad (7)$$

where $i \in [1, NP]$; $j \in [1, D]$; $r_1, r_2, r_3 \in [1, NP]$, randomly selected, except $r_1 \ne r_2 \ne r_3 \ne i$; $k = (\mathrm{int}(\mathrm{rand}_i[0,1] \cdot D) + 1)$; and $CR \in [0,1]$, $F \in (0,1]$. Three randomly chosen indexes, $r_1$, $r_2$, and $r_3$ refer to three randomly chosen vectors of population. They are mutually different from each other and also different from the running index $i$. New random values for $r_1$, $r_2$, and $r_3$ are assigned for each value of index $i$ (for each vector). A new value for the random number rand[0,1] is assigned for each value of index $j$ (for each vector parameter).

3.3. Crossover

The index $k$ refers to a randomly chosen vector parameter and it is used to ensure that at least one vector parameter of each individual trial vector $V^{(G+1)}$ differs from its counterpart in the previous generation $X^{(G)}$. A new random integer value is assigned to $k$ for each value of the index $i$ (prior to construction of each trial vector). $F$ and $CR$ are DE control parameters. Both values remain constant during the search process. Both values as well as the third control parameter, NP (population size), remain constant during the search process. $F$ is a real-valued factor in range [0.0, 1.0] that controls the amplification of differential variations. $CR$ is a real-valued crossover factor in the range [0.0, 1.0] that controls the probability that a trial vector will be selected from the randomly chosen, mutated vector, $V_{j,i}^{(G+1)}$, instead of from the current vector, $x_{j,i}^{(G)}$. Generally, both $F$ and $CR$ affect the convergence rate and robustness of the search process. Their optimal values are dependent both on objective function characteristics and on the population size. Usually, suitable values for $F$, $CR$ and NP can be found by experimentation after a few tests using different values. Practical advice on how to select control parameters NP, $F$ and $CR$ can be found in Storn and Price (1995, 1997).

3.4. Selection

The selection scheme of DE also differs from the other evolutionary algorithms. On the basis of the current population $P^{(G)}$ and the temporary population $P'^{(G+1)}$, the population of the next generation $P^{(G+1)}$ is created as follows:

$$X_i^{(G+1)} = \begin{cases} V_i^{(G+1)}, & \text{if } I\left(V_i^{(G+1)}\right) \le I\left(X_i^{(G)}\right), \\ X_i^{(G)}, & \text{otherwise}. \end{cases} \qquad (8)$$

Thus, each individual of the temporary or trial population is compared with its counterpart in the current population. The one with the lower value of cost-function $I(X)$ to be minimized will propagate the population of the next generation. As a result, all the individuals of the next generation are as good or better than their counterparts in the current generation. The interesting point concerning the DE selection scheme is that a trial vector is only compared to one individual vector, not to all the individual vectors in the current population.

3.5. Boundary constraints

It is important to notice that the recombination operation of DE is able to extend the search outside of the initialized range of the search space (Eqs. (6) and (7)). It is also worthwhile to notice that sometimes this is a beneficial property in problems with no boundary constraints because it is possible to find the optimum that is located outside of the initialized range. However, in boundary-constrained problems, it is essential to ensure that parameter values lie inside their allowed ranges after recombination. A simple way to guarantee this is to replace parameter values that violate boundary constraints with random values generated within the feasible range:

$$u_{j,i}^{(G+1)} = \begin{cases} x_j^{(L)} + \mathrm{rand}_j[0,1] \times \left(x_j^{(U)} - x_j^{(L)}\right), & \text{if } u_{j,i}^{(G+1)} < x_j^{(L)}\ \lor\ u_{j,i}^{(G+1)} > x_j^{(U)}, \\ u_{i,j}^{(G+1)}, & \text{otherwise}, \end{cases} \qquad (9)$$

where $i \in [1, NP]$; $j \in [1, D]$. This is the method that was used for this work. Another simple but less efficient method is to reproduce the boundary constraint violating values according to Eq. (7) as many times as is necessary to satisfy the boundary constraints. Yet another simple method that allows bounds to be approached asymptotically while minimizing the amount of disruption that results from resetting out of bound values (Price, 1999) is

$$u_{j,i}^{(G+1)} = \begin{cases} \left(x_{j,i}^{(G)} + x_j^{(L)}\right)/2, & \text{if } u_{j,i}^{(G+1)} < x_j^{(L)}, \\ \left(x_{j,i}^{(G)} + x_j^{(U)}\right)/2, & \text{if } u_{j,i}^{(G+1)} > x_j^{(U)}, \\ u_{j,i}^{(G+1)}, & \text{otherwise}. \end{cases} \qquad (10)$$

3.6. Conventional technique for integer and discrete optimization by DE

Several approaches have been used to deal with discrete variable optimization. Most of them round off the variable to the nearest available value before evaluating each trial vector. To keep the population robust, successful trial vectors must enter the population with all of the precision with which they were generated (Storn and Price, 1997).

In its canonical form, the differential evolution algorithm is only capable of handling continuous variables. Extending it for optimization of integer variables, however, is rather easy. Lampinen and Zelinka (1999) discuss how to modify DE for mixed variable optimization. They suggest that only a couple of simple modifications are required. First, integer values should be used to evaluate the objective function, even though DE itself may still work internally with continuous floating-point values. Thus,

$$I(y_i), \quad i \in [1, D], \qquad (11)$$

where

$$y_i = \begin{cases} x_i & \text{for continuous variables}, \\ \mathrm{INT}(x_i) & \text{for integer variables}, \end{cases} \qquad x_i \in X.$$

INT() is a function for converting a real-value to an integer value by truncation. Truncation is performed here only for purposes of cost-function value evaluation. Truncated values are not elsewhere assigned. Thus, DE works with a population of continuous variables regardless of the corresponding object variable type. This is essential for maintaining the diversity of the population and the robustness of the algorithm.

Second, in case of integer variable, instead of Eq. (6), the population should be initialized as follows:

$$P^{(0)} = x_{j,i}^{(0)} = x_j^{(L)} + \mathrm{rand}_j[0,1] \times \left(x_j^{(U)} - x_j^{(L)} + 1\right) \quad \forall i \in [1, NP],\ \forall j \in [1, D]. \qquad (12)$$

Additionally, instead of Eq. (9), the boundary constraint handling integer variables should be performed as follows:

$$u_{j,i}^{(G+1)} = \begin{cases} x_j^{(L)} + \mathrm{rand}_j[0,1] \times \left(x_j^{(U)} - x_j^{(L)} + 1\right), & \text{if } \mathrm{INT}\left(u_{j,i}^{(G+1)}\right) < x_j^{(L)}\ \lor\ \mathrm{INT}\left(u_{j,i}^{(G+1)}\right) > x_j^{(U)}, \\ u_{i,j}^{(G+1)}, & \text{otherwise}, \end{cases} \qquad (13)$$

where $i \in [1, NP]$; $j \in [1, D]$.

They also discuss how discrete values can also be handled in a straightforward manner. Suppose that the subset of discrete variables, $X^{(d)}$, contains $l$ elements that can be assigned to variable $x$:

$$X^{(d)} = x_i^{(d)}, \quad i \in [1, l], \qquad (14)$$

where $x_i^{(d)} < x_{i+1}^{(d)}$. Instead of the discrete value $x_i$ itself, we may assign its index, $i$, to $x$. Now the discrete variable can be handled as an integer variable that is boundary constrained to range $1, \ldots, l$. To evaluate the objective function, the discrete value, $x_i$, is used instead of its index $i$. In other words, instead of optimizing the value of the discrete variable directly, we optimize the value of its index $i$. Only during evaluation is the indicated discrete value used. Once the discrete problem has been converted into an integer one, the previously described methods for handling integer variables can be applied (Eqs. (11)–(13)).

3.7. Forward transformation and backward transformation technique

The problem formulation is already discussed in Section 2. Solving the flow shop-scheduling problem and indeed most combinatorial optimization problems requires discrete variables and ordered sequence, rather than relative position indexing. To achieve this, we developed two strategies known as forward and backward transformation techniques respectively. In this paper, we present a forward transformation method for transforming integer variables into continuous variables for the internal representation of vector values since in its canonical form, the DE algorithm is only capable of handling continuous variables. We also present a backward transformation method for transforming a population of continuous variables obtained after mutation back into integer variables for evaluating the objective function (Onwubolu, 2001). Both forward and backward transformations are utilized in implementing the DE algorithm used in the present study for the flow shop-scheduling problem. Fig. 1 shows how to deal with this inherent representational problem in DE. Level 0 deals with integer numbers (which are used in discrete problems). At this level, initialization and final solutions are catered for. In the problem domain areas of scheduling, TSP, etc., we are not only interested in computing the objective function cost, we are also interested in the proper order of jobs or cities respectively. Level 1 of Fig. 1 deals with floating point numbers, which are suited for DE. At this level, the DE operators (mutation, crossover, and selection) take place. To transform the integer at level 0 into floating point numbers at level 1 for DE's operators requires some specific kind of coding. This type of coding is highly used in mathematics and computing science. For the basics of transforming an integer number into its real number equivalence, interested readers may refer to Michalewicz (1994), and Onwubolu and Kumalo (2001) for its application to optimizing machining operations using genetic algorithms.

3.7.1. Forward transformation (from integer to real number)

In integer variable optimization a set of integer number is normally generated randomly as an initial solution. Let this set of integer number be represented as

$$z'_i \in z'. \qquad (15)$$

Let the real number (floating point) equivalence of this integer number be $z_i$. The length of the real number depends on the required precision, which in our case, we have chosen two places after the decimal point. The domain of the variable $z_i$ has length equal to 5; the precision requirement implies that the range be [0...4]. Although 0 is considered since it is not a feasible solution, the range [0.1, 1, 2, 3, 4] is chosen, which gives a range of 5. We assign each feasible solution two decimal places and this gives us 5 · 100 = 500. Accordingly, the equivalent continuous variable for $z'_i$ is given as

$$100 = 10^2 < 5 \times 10^2 \le 10^3 = 1000. \qquad (16)$$

The mapping from an integer number to a real number $z_i$ for the given range is now straightforward, given as

$$z_i = -1 + z'_i \times \frac{5}{10^3 - 1}. \qquad (17)$$

Eq. (17) results in most conversion values being negative; this does not create any accuracy problem any way. After some studies by Onwubolu (2001), the scaling factor $f = 100$ was found to be adequate for converting virtually all integer numbers into their equivalent positive real numbers. Applying this scaling factor of $f = 100$ gives

$$z_i = -1 + z'_i \times f \times \frac{5}{10^3 - 1} = -1 + z'_i \times \frac{500}{10^3 - 1}. \qquad (18)$$

Eq. (18) is used to transform any integer variable into an equivalent continuous variable, which is then used for the DE internal representation of the population of vectors. Without this transformation, it is not possible to make useful moves towards the global optimum in the solution space using the mutation mechanism of DE, which works better on continuous variables. For example in a five-job scheduling problem, suppose the sequence is given as {2, 4, 3, 1, 5}. This sequence is not directly used in DE internal representation. Rather, applying Eq. (18), the sequence is transformed into a continuous form. The floating-point equivalence of the first entry of the given sequence, $z'_i = 2$, is $z_i = -1 + 2 \times \frac{500}{10^3 - 1} = 0.001001$. Other values are similarly obtained and the sequence is therefore represented internally in the DE scheme as {0.001001, 1.002, 0.501502, −0.499499, and 1.5025}.

3.7.2. Backward transformation (from real number to integer)

Integer variables are used to evaluate the objective function. The DE self-referential population mutation scheme is quite unique. After the mutation of each vector, the trial vector is evaluated for its objective function in order to decide whether or not to retain it. This means that the objective function values of the current vectors in the population need to be also evaluated. These vector variables are continuous (from the forward transformation scheme) and have to be transformed into their integer number equivalence. The backward transformation technique is used for converting floating point numbers to their integer number equivalence. The scheme is given as follows:

$$z'_i = (1 + z_i) \times \frac{10^3 - 1}{500}. \qquad (19)$$

In this present form the backward transformation function is not able to properly discriminate between variables. To ensure that each number is discrete and unique, some modifications are required as follows:

$$a = \mathrm{int}(z'_i + 0.5), \qquad (20)$$

$$b = a - z'_i, \qquad (21)$$

$$z^*_i = \begin{cases} (a - 1), & \text{if } b > 0.5, \\ a, & \text{if } b < 0.5. \end{cases} \qquad (22)$$

Eq. (22) gives $z^*_i$, which is the transformed value used for computing the objective function. It should be mentioned that the conversion scheme of Eq. (19), which transforms real numbers after DE operations into integer numbers, is not sufficient to avoid duplication; hence, the steps highlighted in Eqs. (20)–(22) are important. In our studies, these modifications ensure that after mutation, crossover and selection operations, the converted floating numbers into their integer equivalence in the set of jobs for a new scheduling solution, or set of cities for a new TSP solution, etc., are not duplicated. As an example, we consider a set of trial vector, $z_i = \{-0.33, 0.67, -0.17, 1.5, 0.84\}$ obtained after mutation. The integer values corresponding to the trial vector values are obtained using Eq. (22) as follows:

$$z'_1 = (1 - 0.33) \times (10^3 - 1)/500 = 1.33866;$$
$$z'_2 = (1 + 0.67) \times (10^3 - 1)/500 = 3.3367;$$
$$z'_3 = (1 - 0.17) \times (10^3 - 1)/500 = 1.65834;$$
$$z'_4 = (1 + 1.50) \times (10^3 - 1)/500 = 4.9950;$$
$$z'_5 = (1 + 0.84) \times (10^3 - 1)/500 = 3.6763;$$
$$a_1 = \mathrm{int}(1.333866 + 0.5) = 2;\quad b_1 = 2 - 1.33866 = 0.66134 > 0.5;\quad z^*_1 = 2 - 1 = 1;$$
$$a_2 = \mathrm{int}(3.3367 + 0.5) = 4;\quad b_2 = 4 - 3.3367 = 0.6633 > 0.5;\quad z^*_2 = 4 - 1 = 3;$$
$$a_3 = \mathrm{int}(1.65834 + 0.5) = 2;\quad b_3 = 2 - 1.65834 = 0.34166 < 0.5;\quad z^*_3 = 2;$$
$$a_4 = \mathrm{int}(4.995 + 0.5) = 5;\quad b_4 = 5 - 4.995 = 0.005 < 0.5;\quad z^*_4 = 5;$$
$$a_5 = \mathrm{int}(3.673 + 0.5) = 4;\quad b_5 = 4 - 3.673 = 0.3237 < 0.5;\quad z^*_5 = 4.$$

This can be represented schematically as shown in Fig. 2. The set of integer values is given as $z^*_i = \{1, 3, 2, 5, 4\}$. This set is used to obtain the objective function values. Like in GA, after mutation, crossover, and boundary checking operations, the trial vector obtained from the backward transformation is continuously checked until feasible solution is found. Hence, it is not necessary to bother about the ordered sequence, which is crucially important in the type of combinatorial optimization problems we are concerned with. Feasible solutions constitute about 10–15% of the total trial vectors.

3.8. DE strategies

Price and Storn (2001) have suggested ten different working strategies of DE and some guidelines in applying these strategies for any given problem. Different strategies can be adopted in the DE algorithm depending upon the type of problem for which it is applied. Table 1 shows the ten different working strategies proposed by Price and Storn (2001). The general convention used in Table 1 is as follows: DE/x/y/z. DE stands for differential evolution algorithm, x represents a string denoting the vector to be perturbed, y is the number of difference vectors considered for perturbation of x, and z is the type of crossover being used (exp: exponential; bin: binomial). Thus, the working algorithm outline by Storn and Price (1997) is the seventh strategy of DE, that is, DE/rand/1/bin. Hence the perturbation can be either in the best vector of the previous generation or in any randomly chosen vector. Similarly for perturbation, either single or two vector differences can be used. For perturbation with a single vector difference, out of the three distinct randomly chosen vectors, the weighted vector differential of any two vectors is added to the third one. Similarly for perturbation with two vector
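The forward transformation of Eq. (18), the backward transformation of Eqs. (19)–(22), the completion-time recursion of Eq. (2) and the DE/rand/1/bin loop of Eqs. (6)–(9) combined into one runnable program, with the paper's own numerical examples as checks. This is an added example, not the authors' code; the 3-machine, 5-job processing-time matrix PROC, the retry limit of 50 for infeasible (duplicate-containing) trial vectors and the control parameters NP, F, CR are constructed assumptions.

```python
"""DE/rand/1/bin for a permutation flow shop using the forward/backward
transformations of Section 3.7.  Added example, not the paper's code."""
import random

SCALE = 500 / (10 ** 3 - 1)  # the factor 500/(10^3 - 1) shared by Eqs. (18) and (19)


def forward(z_int):
    """Eq. (18): integer job number z' -> continuous value z for DE's internal vectors."""
    return -1 + z_int * SCALE


def backward(z_real):
    """Eqs. (19)-(22): continuous value z -> integer job number z* used for evaluation."""
    z_prime = (1 + z_real) / SCALE   # Eq. (19): (1 + z) * (10^3 - 1) / 500
    a = int(z_prime + 0.5)           # Eq. (20): truncation, as the paper's int()
    b = a - z_prime                  # Eq. (21)
    return a - 1 if b > 0.5 else a   # Eq. (22)


def makespan(seq, proc):
    """Eq. (2): C[i][j] = max(C[i-1][j], C[i][j-1]) + P[i][j].  seq holds job numbers
    1..n in processing order; proc[i][job-1] is the time of that job on machine i.
    Returns the completion time of the last job on the last machine (the makespan)."""
    prev = [0.0] * len(proc)                 # completion times of the preceding job
    for job in seq:
        cur = []
        for i, machine in enumerate(proc):
            ready = max(prev[i], cur[i - 1] if i else 0.0)   # machine free, job arrived
            cur.append(ready + machine[job - 1])
        prev = cur
    return prev[-1]


# Constructed instance (assumption): proc[machine][job-1], 3 machines x 5 jobs.
PROC = [
    [3, 5, 1, 6, 2],
    [4, 2, 6, 1, 3],
    [2, 4, 3, 5, 1],
]


def de_flow_shop(proc, NP=20, gens=100, F=0.5, CR=0.8, seed=1):
    """DE/rand/1/bin (Eqs. (6)-(9)) run on forward-transformed permutations.  A trial
    vector whose backward transformation is not a permutation (duplicate job numbers)
    is infeasible and is regenerated, as Section 3.7.2 describes; after 50 infeasible
    trials the parent is kept.  Returns (best job sequence, its makespan)."""
    rng = random.Random(seed)
    n = len(proc[0])
    lo, hi = forward(1), forward(n)          # continuous bounds of the job numbers

    def decode(vec):
        seq = [backward(v) for v in vec]
        return seq if sorted(seq) == list(range(1, n + 1)) else None

    pop = []
    for _ in range(NP):                       # Level 0 (integers) -> Level 1 (reals)
        perm = list(range(1, n + 1))
        rng.shuffle(perm)
        pop.append([forward(z) for z in perm])
    seqs = [decode(x) for x in pop]
    costs = [makespan(s, proc) for s in seqs]

    for _ in range(gens):
        for i in range(NP):
            for _attempt in range(50):        # retry limit is an assumption
                r1, r2, r3 = rng.sample([r for r in range(NP) if r != i], 3)
                k = rng.randrange(n)          # index k: at least one mutated component
                trial = []
                for j in range(n):
                    if rng.random() < CR or j == k:                       # Eq. (7)
                        u = pop[r3][j] + F * (pop[r1][j] - pop[r2][j])
                        if u < lo or u > hi:                              # Eq. (9)
                            u = lo + rng.random() * (hi - lo)
                    else:
                        u = pop[i][j]
                    trial.append(u)
                seq = decode(trial)
                if seq is not None:
                    break
            else:
                continue                      # no feasible trial found: keep parent
            c = makespan(seq, proc)
            if c <= costs[i]:                 # Eq. (8): one-to-one selection
                pop[i], seqs[i], costs[i] = trial, seq, c

    best = min(range(NP), key=costs.__getitem__)
    return seqs[best], costs[best]


if __name__ == "__main__":
    print([round(forward(z), 6) for z in (2, 4, 3, 1, 5)])       # paper's forward example
    print([backward(z) for z in (-0.33, 0.67, -0.17, 1.5, 0.84)])  # paper's backward example
    print(de_flow_shop(PROC))
```

Note that with truncating int() the intermediate a values for the paper's first two example entries come out as 1 and 3 rather than the 2 and 4 printed in the paper, but b is then negative and Eq. (22) yields the same z* = {1, 3, 2, 5, 4}.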

Computer English (2nd Edition): Answers for the New Material

Reference answers for Computer English (2nd edition). Note: only the answers for the texts that are new or changed in Computer English (2nd edition) are given here; for the unchanged texts, see the original answers for Computer English (1st edition).

Unit One, Section C: PDA Prizefight: Palm vs. Pocket PC

I. Fill in the blanks with the information given in the text:
1. With DataViz's Documents To Go, you can view and edit desktop documents on your PDA without converting them first to a PDA-specific ________. (format)
2. Both Palm OS and Windows Mobile PDAs can offer e-mail via ________ so that new messages received on your desktop system are transferred to the PDA for on-the-go reading. (synchronization)
3. The Windows Mobile keyboard, Block Recognizer, and Letter Recognizer are all ________ input areas, meaning they appear and disappear as needed. (virtual)
4. Generally speaking, Windows Mobile performs better in entering information and playing ________ files while Palm OS offers easier operation, more ________ programs, better desktop compatibility, and a stronger e-mail application. (multimedia; third-party)

II. Translate the following terms or phrases from English into Chinese and vice versa:
1. data field: 数据字段
2. learning curve: 学习曲线
3. third-party solution: 第三方解决方案
4. Windows Media Player: Windows媒体播放器
5. 开始按钮: Start button
6. 指定输入区: designated input area
7. 手写体识别系统: handwriting-recognition system
8. 字符集: character set

Unit Three, Section B: Longhorn: The Next Version of Windows

I. Fill in the blanks with the information given in the text:
1. NGSCB, the new security architecture Microsoft is developing for Longhorn, splits the OS into two parts: a standard mode and a(n) ________ mode. (secure)
2. It is reported that Longhorn will provide different levels of operation that disable the more intensive Aero effects to boost ________ on less capable PCs. (performance)
3. With Longhorn's new graphics and presentation engine, we can create and display Tiles on the desktop, which remind us of the old Active Desktop but are based on ________ instead of ________. (XML; HTML)
4. The most talked-about feature in Longhorn so far is its new storage system, WinFS, which works like a(n) ________ database. (relational)

II. Translate the following terms or phrases from English into Chinese and vice versa:
1. search box: 搜索框
2. built-in firewall: 内置防火墙
3. standalone application: 独立应用程序
4. active desktop: 活动桌面
5. mobile device: 移动设备
6. 专有软件: proprietary software
7. 快速加载键: quick-launch key
8. 图形加速器: graphics accelerator
9. 虚拟文件夹: virtual folder
10. 三维界面: three-dimensional interface

Unit Four, Section C: Arrays

I. Fill in the blanks with the information given in the text:
1. Given the array called object with 20 elements, if you see the term object10, you know the array is in ________ form; if you see the term object[10], you know the array is in ________ form. (subscript; index)
2. In most programming languages, an array is a static data structure. When you define an array, the size is ________. (fixed)
3. A(n) ________ is a pictorial representation of a frequency array. (histogram)
4. An array that consists of just rows and columns is probably a(n) ________ array. (two-dimensional)

II. Translate the following terms or phrases from English into Chinese and vice versa:
1. bar chart: 条形图
2. frequency array: 频率数组
3. graphical representation: 图形表示
4. multidimensional array: 多维数组
5. 用户视图: user('s) view
6. 下标形式: subscript form
7. 一维数组: one-dimensional array
8. 编程结构: programming construct

Unit Five, Section B: Microsoft .NET vs. J2EE

I. Fill in the blanks with the information given in the text:
1. One of the differences between C# and Java is that Java runs on any platform with a Java Virtual ________ while C# only runs in Windows for the foreseeable future. (Machine)
2. With .NET, Microsoft is opening up a channel both to ________ in other programming languages and to ________. (developers; components)
3. J2EE is a single-language platform; calls from/to objects in other languages are possible through ________, but this kind of support is not a ubiquitous part of the platform. (CORBA)
4. One important element of the .NET platform is a common language ________, which runs bytecodes in an Internal Language format. (runtime)

II. Translate the following terms or phrases from English into Chinese and vice versa:
1. messaging model: 消息收发模型
2. common language runtime: 通用语言运行时刻(环境)
3. hierarchical namespace: 分等级层次的名称空间
4. development community: 开发社区
5. CORBA: 公用对象请求代理(程序)体系结构
6. 基本组件: base component
7. 元数据标记: metadata tag
8. 虚拟机: virtual machine
9. 集成开发环境: IDE (integrated development environment)
10. 简单对象访问协议: SOAP (Simple Object Access Protocol)

Unit Six, Section A: Software Life Cycle

I. Fill in the blanks with the information given in the text:
1. The development process in the software life cycle involves four phases: analysis, design, implementation, and ________. (testing)
2. In the system development process, the system analyst defines the user, needs, requirements and methods in the ________ phase. (analysis)
3. In the system development process, the code is written in the ________ phase. (implementation)
4. In the system development process, modularity is a very well-established principle used in the ________ phase. (design)
5. The most commonly used tool in the design phase is the ________. (structure chart)
6. In the system development process, ________ and pseudocode are tools used by programmers in the implementation phase. (flowcharts)
7. Pseudocode is part English and part program ________. (logic)
8. While black box testing is done by the system test engineer and the ________, white box testing is done by the ________. (user; programmer)

II. Translate the following terms or phrases from English into Chinese and vice versa:
1. standard graphical symbol: 标准图形符号
2. logical flow of data: 标准图形符号
3. test case: 测试用例
4. program validation: 程序验证
5. white box testing: 白盒测试
6. student registration system: 学生注册系统
7. customized banking package: 定制的金融软件包
8. software life cycle: 软件生命周期
9. user working environment: 用户工作环境
10. implementation phase: 实现阶段
11. 测试数据: test data
12. 结构图: structure chart
13. 系统开发阶段: system development phase
14. 软件工程: software engineering
15. 系统分析员: system(s) analyst
16. 测试工程师: test engineer
17. 系统生命周期: system life cycle
18. 设计阶段: design phase
19.
黑盒测试black box testing20. 会计软件包accounting packageIII. Fill in each of the blanks with one of the words given in the following list, making changes if necessary:development; testing; programmer; chart; engineer; attend; interfacessystem; software; small; userdevelop; changes; quality; board; UncontrolledIV. Translate the following passage from English into Chinese:软件工程是软件开发的一个领域;在这个领域中,计算机科学家和工程师研究有关的方法与工具,以使高效开发正确、可靠和健壮的计算机程序变得容易。

Using a New Method (English version)


Introduction

The world is constantly evolving, and with it, the challenges we face grow more complex. In order to effectively address these challenges, we need to explore innovative and alternative methods of problem-solving. This article introduces a new way of thinking, a fresh approach that promises to revolutionize the way we approach problem-solving.

The Traditional Approach

Before delving into the new method, let us examine the traditional approach to problem-solving. Traditionally, problem-solving follows a linear path, often characterized by a rigid step-by-step process. This conventional method has its limitations, as it often fails to consider the dynamic and interconnected nature of problems faced in today's world.

The New Method: A Holistic Approach

The new method of problem-solving encourages a shift in perspective. It advocates a holistic approach that considers the multiple factors, relationships, and stakeholders involved in a given problem. Instead of isolating each component, it aims to establish connections and uncover interdependencies.

Embracing Complexity

Unlike the traditional approach, the new method does not shy away from complex problems. It acknowledges that problems are rarely isolated and recognizes the need for a multifaceted analysis. By embracing complexity, this method ensures a comprehensive understanding of the problem at hand.

Systems Thinking

A key component of the new method is systems thinking. It encourages individuals to view problems as interconnected systems rather than isolated incidents. Systems thinking allows us to consider the ripple effects of our actions and identify the underlying causes that contribute to a problem. By understanding the system as a whole, we can identify effective solutions that address the root causes.

Collaboration and Diverse Perspectives

The new method recognizes the importance of collaboration and diverse perspectives in problem-solving. It emphasizes the need for interdisciplinary teams that bring together individuals from various backgrounds and areas of expertise. By tapping into a diverse pool of knowledge and perspectives, this method encourages innovative thinking and fosters creativity in finding solutions.

Iterative and Adaptive Process

In contrast to the linear approach, the new method embraces an iterative and adaptive process. It recognizes that problem-solving is not a one-time event but a continuous and evolving process. It encourages constant reassessment, feedback loops, and adaptations based on new information and changing circumstances. This adaptive process ensures that solutions remain relevant and effective.

Case Study: Solving Sustainable Energy Challenges

To illustrate the effectiveness of the new method, let us consider a case study on solving sustainable energy challenges. Traditional approaches may focus solely on developing renewable energy sources without considering the existing infrastructure and socio-economic factors. In contrast, the new method would consider the entire energy ecosystem, including distribution, storage, and consumption patterns. It would involve experts from various domains, such as engineers, economists, social scientists, and policymakers. Through collaboration and systems thinking, this approach would result in holistic and sustainable solutions tailored to the specific challenges faced.

Conclusion

The traditional approach to problem-solving has served us well in the past. However, as the complexity of problems increases, we must adapt our methods to address them effectively. The new method presented here offers a fresh perspective, emphasizing holistic thinking, systems understanding, collaboration, and adaptability. By embracing this new approach, we can pave the way for more comprehensive and innovative solutions. As we face an ever-changing world, let us work together to revolutionize the way we approach problem-solving.

Declaration of Authorship


Efficient Hardware Architectures for Modular Multiplication

by David Narh Amanor

A Thesis submitted to The University of Applied Sciences Offenburg, Germany, in partial fulfillment of the requirements for the Degree of Master of Science in Communication and Media Engineering

February, 2005

Approved: Prof. Dr. Angelika Erhardt (Thesis Supervisor), Prof. Dr. Christof Paar (Thesis Supervisor)

Declaration of Authorship

"I declare in lieu of an oath that the Master thesis submitted has been produced by me without illegal help from other persons. I state that all passages which have been taken out of publications of all means or unpublished material either whole or in part, in words or ideas, have been marked as quotations in the relevant passage. I also confirm that the quotes included show the extent of the original quotes and are marked as such. I know that a false declaration will have legal consequences."

David Narh Amanor, February, 2005

Preface

This thesis describes the research which I conducted while completing my graduate work at the University of Applied Sciences Offenburg, Germany. The work produced scalable hardware implementations of existing and newly proposed algorithms for performing modular multiplication.

The work presented can be instrumental in generating interest in the hardware implementation of emerging algorithms for faster modular multiplication, and can also be used in future research projects at the University of Applied Sciences Offenburg, Germany, and elsewhere. Of particular interest is the integration of the new architectures into existing public-key cryptosystems such as RSA, DSA, and ECC to speed up the arithmetic.

I wish to thank the following people for their unselfish support throughout the entire duration of this thesis.

I would like to thank my external advisor Prof. Christof Paar for providing me with all the tools and materials needed to conduct this research. I am particularly grateful to Dipl.-Ing. Jan Pelzl, who worked with me closely, and whose constant encouragement and advice gave me the energy to overcome several problems I encountered while working on this thesis.

I wish to express my deepest gratitude to my supervisor Prof. Angelika Erhardt for being in constant touch with me and for all the help and advice she gave throughout all stages of the thesis. If it were not for Prof. Erhardt, I would not have had the opportunity of doing this thesis work and therefore would have missed out on a very rewarding experience.

I am also grateful to Dipl.-Ing. Viktor Buminov and Prof. Manfred Schimmler, whose newly proposed algorithms and corresponding architectures form the basis of my thesis work and provide the necessary theoretical material for understanding the algorithms presented in this thesis.

Finally, I would like to thank my brother, Mr. Samuel Kwesi Amanor, my friend and Pastor, Josiah Kwofie, Mr. Samuel Siaw Nartey and Mr. Csaba Karasz for their diverse support which enabled me to undertake my thesis work in Bochum.

Abstract

Modular multiplication is a core operation in many public-key cryptosystems, e.g., RSA, Diffie-Hellman key agreement (DH), ElGamal, and ECC. The Montgomery multiplication algorithm [2] is considered to be the fastest algorithm to compute X*Y mod M in computers when the values of X, Y and M are large.

Recently, two new algorithms for modular multiplication and their corresponding architectures were proposed in [1]. These algorithms are optimizations of the Montgomery multiplication algorithm [2] and the interleaved modular multiplication algorithm [3].

In this thesis, software (Java) and hardware (VHDL) implementations of the existing and newly proposed algorithms and their corresponding architectures for performing modular multiplication have been done. In summary, three different multipliers for 32, 64, 128, 256, 512, and 1024 bits were implemented, simulated, and synthesized for a Xilinx FPGA. The implementations are scalable to any precision of the input variables X, Y and M.

This thesis also evaluates the performance of the multipliers in [1] by a thorough comparison of the architectures on the basis of the area-time product. It finally shows that the newly optimized algorithms and their corresponding architectures in [1] require minimum hardware resources and offer faster computation compared to multipliers based on the original Montgomery algorithm.

Table of Contents

1 Introduction
  1.1 Motivation
  1.2 Thesis Outline
2 Existing Architectures for Modular Multiplication
  2.1 Carry Save Adders and Redundant Representation
  2.2 Complexity Model
  2.3 Montgomery Multiplication Algorithm
  2.4 Interleaved Modular Multiplication
3 New Architectures for Modular Multiplication
  3.1 Faster Montgomery Algorithm
  3.2 Optimized Interleaved Algorithm
4 Software Implementation
  4.1 Implementational Issues
  4.2 Java Implementation of the Algorithms
    4.2.1 Imported Libraries
    4.2.2 Implementation Details of the Algorithms
    4.2.3 1024 Bits Test of the Implemented Algorithms
5 Hardware Implementation
  5.1 Modeling Technique
  5.2 Structural Elements of Multipliers
    5.2.1 Carry Save Adder
    5.2.2 Lookup Table
    5.2.3 Register
    5.2.4 One-Bit Shifter
  5.3 VHDL Implementational Issues
  5.4 Simulation of Architectures
  5.5 Synthesis
6 Results and Analysis of the Architectures
  6.1 Design Statistics
  6.2 Area Analysis
  6.3 Timing Analysis
  6.4 Area-Time (AT) Analysis
  6.5 RSA Encryption Time
7 Discussion
  7.1 Summary and Conclusions
  7.2 Further Research
    7.2.1 RAM of FPGA
    7.2.2 Word Wise Multiplication
References

List of Figures

2.3 Architecture of the loop of Algorithm 1b [1]
3.1 Architecture of Algorithm 3 [1]
3.2 Inner loop of modular multiplication using carry save addition [1]
3.2 Modular multiplication with one carry save adder [1]
4.2.2 Path through the loop of Algorithm 3
4.2.3 A 1024 bit test of Algorithm 1b
4.2.3 A 1024 bit test of Algorithm 3
4.2.3 A 1024 bit test of Algorithm 5
5.2 Block diagram showing components that were implemented for the Faster Montgomery architecture
5.2.1 VHDL implementation of carry save adder
5.2.2 VHDL implementation of lookup table
5.2.3 VHDL implementation of register
5.2.4 Implementation of 'Shift Right' unit
5.3 32 bit blocks of registers for storing input data bits
5.4 State diagram of implemented multipliers
6.2 Percentage of configurable logic blocks occupied
6.2 CLB slices versus bitlength for Fast Montgomery Multiplier
6.3 Minimum clock periods for all implementations
6.3 Absolute times for all implementations
6.4 Area-time product analysis

List of Tables

6.1 Percentage of configurable logic block slices (out of 19200) occupied depending on bitlength
6.1 Number of gates
6.1 Minimum period and maximum frequency
6.1 Number of DFFs or latches
6.1 Number of function generators
6.1 Number of MUX CARRYs
6.1 Total equivalent gate count for design
6.3 Absolute time (ns) for all implementations
6.4 Area-time product values
6.5 Time (ns) for 1024 bit RSA encryption

Chapter 1
Introduction

1.1 Motivation

The rising growth of data communication and electronic transactions over the Internet has made security the most important issue on the network. To provide modern security features, public-key cryptosystems are used. The widely used algorithms for public-key cryptosystems are RSA, Diffie-Hellman key agreement (DH), the digital signature algorithm (DSA) and systems based on elliptic curve cryptography (ECC). All these algorithms have one thing in common: they operate on very large numbers (e.g. 160 to 2048 bits).
Long word lengths are necessary to provide a sufficient amount of security, but they also account for the computational cost of these algorithms.

By far the most popular public-key scheme in use today is RSA [9]. The core operation for data encryption in RSA is modular exponentiation, which is done by a series of modular multiplications (i.e., X*Y mod M). This accounts for most of the complexity in terms of time and resources needed. Unfortunately, the large word length (e.g. 1024 or 2048 bits) makes the RSA system slow and difficult to implement. This gives reason to search for dedicated hardware solutions which compute the modular multiplications efficiently with minimum resources.

The Montgomery multiplication algorithm [2] is considered to be the fastest algorithm to compute X*Y mod M in computers when the values of X, Y and M are large. Another efficient algorithm for modular multiplication is the interleaved modular multiplication algorithm [4].

In this thesis, two new algorithms for modular multiplication and their corresponding architectures which were proposed in [1] are implemented. These algorithms are optimisations of Montgomery multiplication and interleaved modular multiplication with respect to area and time complexity. In both algorithms the product of two n-bit integers X and Y modulo M is computed by n iterations of a simple loop. Each iteration consists of one single carry save addition, a comparison of constants, and a table lookup.

These new algorithms have been proved in [1] to speed up the modular multiplication operation by at least a factor of two in comparison with all previously known methods. The main advantages offered by these new algorithms are:
• faster computation time, and
• relatively small area requirements and resources for the implementation of their architectures in hardware, compared to the Montgomery multiplication algorithm presented in [1, Algorithm 1a and 1b].

1.2 Thesis Outline

Chapter 2 provides an overview of the existing algorithms and their corresponding architectures for performing modular multiplication. The background knowledge required for understanding the algorithms, architectures, and concepts presented in the subsequent chapters is also explained. This chapter also discusses the complexity model which was used to compare the existing architectures with the newly proposed ones.

In Chapter 3, a description of the new algorithms for modular multiplication and their corresponding architectures is presented. The modifications that were applied to the existing algorithms to produce the new optimized versions are also explained in this chapter.

Chapter 4 covers issues on the software implementation of the algorithms presented in Chapters 2 and 3. The special classes in Java which were used in the implementation of the algorithms are mentioned. The testing of the new optimized algorithms presented in Chapter 3 using randomly generated input variables is also discussed.

The hardware modeling technique which was used in the implementation of the multipliers is explained in Chapter 5. In this chapter, the design capture of the architectures in VHDL is presented and the simulations of the VHDL implementations are also discussed. This chapter also discusses the target technology device and the synthesis results. The state machine of the implemented multipliers is also presented in this chapter.

In Chapter 6, analysis and comparison of the implemented multipliers is given. The vital design statistics which were generated after place and route are tabulated and graphically represented in this chapter. Of prime importance in this chapter is the area-time (AT) analysis of the multipliers, which is the complexity metric used for the comparison.

Chapter 7 concludes the thesis by setting out the facts and figures of the performance of the implemented multipliers. This chapter also itemizes a list of recommendations for further research.

Chapter 2
Existing Architectures for Modular Multiplication

2.1 Carry Save Adders and Redundant Representation

The core operation of most algorithms for modular multiplication is addition. There are several different methods for addition in hardware: carry ripple addition, carry select addition, carry look ahead addition and others [8]. The disadvantage of these methods is the carry propagation, whose delay is directly proportional to the length of the operands. This is not a big problem for operands of size 32 or 64 bits, but the typical operand size in cryptographic applications ranges from 160 to 2048 bits. The resulting delay has a significant influence on the time complexity of these adders.

The carry save adder seems to be the most cost effective adder for our application. Carry save addition is a method for addition without carry propagation. It is simply a parallel ensemble of n full adders without any horizontal connection. Its function is to add three n-bit integers X, Y, and Z to produce two integers C and S as results such that

  C + S = X + Y + Z,

where C represents the carry and S the sum. The i-th bit s_i of the sum S and the (i+1)-st bit c_{i+1} of the carry C are calculated using the boolean equations

  s_i = x_i ⊕ y_i ⊕ z_i,
  c_{i+1} = x_i y_i ∨ x_i z_i ∨ y_i z_i,
  c_0 = 0.

When carry save adders are used in an algorithm, one uses a notation of the form

  (S, C) = X + Y + Z

to indicate that two results are produced by the addition. The results are now represented in two binary words, an n-bit word S and an (n+1)-bit word C. Of course, this representation is redundant in the sense that we can represent one value in several different ways. This redundant representation has the advantage that the arithmetic operations are fast, because there is no carry propagation. On the other hand, it brings to the fore one basic disadvantage of the carry save adder:
• It does not solve our problem of adding two integers to produce a single result. Rather, it adds three integers and produces two such that the sum of these two is equal to that of the three inputs. This method may not be suitable for applications which only require the normal addition.

2.2 Complexity Model

For comparison of different algorithms we need a complexity model that allows for a realistic evaluation of the time and area requirements of the considered methods. In [1], the delay of a full adder (1 time unit) is taken as the reference for the time requirement, and the delay of an access to a lookup table is quantified with the same delay of 1 time unit. The area estimation is based on empirical studies in full-custom and semi-custom layouts for adders and storage elements: the area for 1 bit in a lookup table corresponds to 1 area unit, a register cell requires 4 area units per bit, and a full adder requires 8 area units. These values provide a powerful and realistic model for the evaluation of area and time for most algorithms for modular multiplication.

In this thesis, the percentage of configurable logic block slices occupied and the absolute time for computation are used to evaluate the algorithms. Other hardware resources such as the total number of gates and the number of flip-flops or latches required were also documented to provide a more practical and realistic evaluation of the algorithms in [1].

2.3 Montgomery Multiplication Algorithm

The Montgomery algorithm [1, Algorithm 1a] computes P = (X*Y*(2^n)^-1) mod M. The idea of Montgomery [2] is to keep the lengths of the intermediate results smaller than n+1 bits. This is achieved by interleaving the computations and additions of new partial products with divisions by 2; each of them reduces the bit-length of the intermediate result by one. For a detailed treatment of the Montgomery algorithm, the reader is referred to [2] and [1].

The key concepts of the Montgomery algorithm [1, Algorithm 1b] are the following:
• Adding a multiple of M to the intermediate result does not change the value of the final result, because the result is computed modulo M. M is an odd number.
• After each addition in the inner loop the least significant bit (LSB) of the intermediate result is inspected. If it is 1, i.e., the intermediate result is odd, we add M to make it even. This even number can be divided by 2 without remainder. This division by 2 reduces the intermediate result to n+1 bits again.
• After n steps these divisions add up to one division by 2^n.

The Montgomery algorithm is very easy to implement since it operates least significant bit first and does not require any comparisons.
A modification of Algorithm 1a with carry save adders is given in [1, Algorithm 1b]:

Algorithm 1a: Montgomery multiplication [1]
  Inputs: X, Y, M with 0 ≤ X, Y < M; n: number of bits in X; x_i: i-th bit of X; p_0: LSB of P
  Output: P = (X*Y*2^-n) mod M
  (1) P := 0;
  (2) for (i := 0; i < n; i++) {
  (3)   P := P + x_i*Y;
  (4)   P := P + p_0*M;
  (5)   P := P div 2; }
  (6) if (P ≥ M) then P := P - M;

Algorithm 1b: Fast Montgomery multiplication [1]
  Inputs: X, Y, M with 0 ≤ X, Y < M; n: number of bits in X; x_i: i-th bit of X; s_0: LSB of S
  Output: P = (X*Y*2^-n) mod M
  (1) S := 0; C := 0;
  (2) for (i := 0; i < n; i++) {
  (3)   (S, C) := S + C + x_i*Y;
  (4)   (S, C) := S + C + s_0*M;
  (5)   S := S div 2; C := C div 2; }
  (6) P := S + C;
  (7) if (P ≥ M) then P := P - M;

In this algorithm the delay of one pass through the loop is reduced from O(n) to O(1). This remarkable improvement of the propagation delay inside the loop of Algorithm 1b is due to the use of carry save adders to implement steps (3) and (4) of Algorithm 1a. Steps (3) and (4) in Algorithm 1b represent carry save adders; S and C denote the sum and carry of the three input operands respectively.

Of course, the additions in steps (6) and (7) are conventional additions. But since they are performed only once while the additions in the loop are performed n times, this is subdominant with respect to the time complexity.

Figure 1 shows the architecture for the implementation of the loop of Algorithm 1b. The layout comprises two carry save adders (CSA) and registers for storing the intermediate results of the sum and carry. The carry save adders are the dominant occupiers of area in hardware, especially for very large values of n (e.g. n = 1024).

In Chapter 3, we shall see the changes that were made in [1] to reduce the number of carry save adders in Figure 1 from 2 to 1, thereby saving considerable hardware space.
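The following Python version of Algorithms 1a and 1b is an added worked example, not code from the thesis or from [1] (the thesis's own implementations are in Java and VHDL). Python integers stand in for the n-bit registers, csa() is the carry save adder of Section 2.1 on whole words, and the result is checked against the defining relation P*2^n ≡ X*Y (mod M). As an extension beyond the text, montgomery_modexp() shows how an RSA-style exponentiation stays in Montgomery form so that the 2^-n factor cancels; the precomputed constant R^2 mod M, the exponent 65537 and the seeded 1024-bit operands in demo() are this example's own constructed inputs.

```python
import random


def csa(x, y, z):
    """Carry save addition on whole words: returns (S, C) with S + C == x + y + z.
    S is the bitwise XOR, C the bitwise majority shifted left by one (so C is even)."""
    return x ^ y ^ z, ((x & y) | (x & z) | (y & z)) << 1


def montgomery_1a(x, y, m, n):
    """Algorithm 1a: P = X*Y*2^(-n) mod M, LSB first, no comparison inside the loop."""
    assert m & 1 and 0 <= x < m and 0 <= y < m and x < (1 << n)
    p = 0
    for i in range(n):
        p += ((x >> i) & 1) * y        # (3) add the partial product x_i*Y
        p += (p & 1) * m               # (4) P odd -> add M, which makes P even
        p >>= 1                        # (5) exact division by 2
    return p - m if p >= m else p      # (6) P < 2M, so one subtraction suffices


def montgomery_1b(x, y, m, n):
    """Algorithm 1b: as 1a, but the intermediate result is kept redundantly as (S, C)
    with S + C == P; only step (6) needs a carry-propagating addition."""
    assert m & 1 and 0 <= x < m and 0 <= y < m and x < (1 << n)
    s = c = 0
    for i in range(n):
        s, c = csa(s, c, ((x >> i) & 1) * y)   # (3)
        s, c = csa(s, c, (s & 1) * m)          # (4) C is even here, so s_0 is the LSB of S+C
        s >>= 1                                # (5) S+C is even and C is even, so S is even too
        c >>= 1
    p = s + c                                  # (6) the only carry-propagating addition
    return p - m if p >= m else p              # (7)


def montgomery_modexp(x, e, m):
    """RSA-style x^e mod M built only from Algorithm 1b.
    Operands are kept in Montgomery form x*R mod M with R = 2^n, so every
    product's 2^(-n) factor is absorbed; one final multiplication by 1 leaves that form."""
    n = m.bit_length()
    r2 = pow(2, 2 * n, m)                   # R^2 mod M: precomputed once per modulus (assumption: stored constant)
    acc = montgomery_1b(1, r2, m, n)        # 1 in Montgomery form, i.e. R mod M
    base = montgomery_1b(x % m, r2, m, n)   # x in Montgomery form
    for bit in bin(e)[2:]:                  # left-to-right square-and-multiply
        acc = montgomery_1b(acc, acc, m, n)
        if bit == "1":
            acc = montgomery_1b(acc, base, m, n)
    return montgomery_1b(acc, 1, m, n)      # back to the plain residue


def demo():
    """Constructed, seeded 1024-bit operands; returns True if 1a, 1b and the
    modexp agree with the defining relation and with Python's pow()."""
    rng = random.Random(2005)
    m = rng.getrandbits(1024) | (1 << 1023) | 1     # odd 1024-bit modulus (constructed)
    x, y = rng.randrange(m), rng.randrange(m)
    n = m.bit_length()
    p1a, p1b = montgomery_1a(x, y, m, n), montgomery_1b(x, y, m, n)
    ok = p1a == p1b and (p1a * pow(2, n, m)) % m == (x * y) % m
    return ok and montgomery_modexp(x, 65537, m) == pow(x, 65537, m)


if __name__ == "__main__":
    print("Algorithms 1a/1b and the Montgomery modexp agree with pow():", demo())
```

Step (4) of Algorithm 1b can read only s_0 because the carry word produced by a carry save adder always has c_0 = 0; after the shift in step (5) the carry word may become odd, which is why Algorithm 3 in Chapter 3 has to address its lookup table with both s_0 and c_0.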
However, the changes made in [1] also bring in other area-consuming blocks, such as lookup tables for storing values precomputed before the start of the loop.

Fig. 1: Architecture of the loop of Algorithm 1b [1].

There are various modifications to the Montgomery algorithm in [5], [6] and [7]. All these algorithms aim at decreasing the operating time for faster system performance and reducing the chip area for practical hardware implementation.

2.4 Interleaved Modular Multiplication

Another well known algorithm for modular multiplication is the interleaved modular multiplication. The details of the method are sketched in [3, 4]. The idea is to interleave multiplication and reduction such that the intermediate results are kept as short as possible.

As shown in [1, Algorithm 2], the computation of P requires n steps and at each step we perform the following operations:
• a left shift: 2*P
• a partial product computation: x_i*Y
• an addition: 2*P + x_i*Y
• at most 2 subtractions: if (P ≥ M) then P := P - M; if (P ≥ M) then P := P - M;

The partial product computation and the left shift are easily performed by an array of AND gates and by wiring respectively. The difficult task is the addition operation, which must be performed fast. This was done using carry save adders in [1, Algorithm 4], introducing only O(1) delay per step.

Algorithm 2: Standard interleaved modular multiplication [1]
  Inputs: X, Y, M with 0 ≤ X, Y < M; n: number of bits in X; x_i: i-th bit of X
  Output: P = X*Y mod M
  (1) P := 0;
  (2)为 for (i := n-1; i ≥ 0; i--) {
  (3)   P := 2*P;
  (4)   I := x_i*Y;
  (5)   P := P + I;
  (6)   if (P ≥ M) then P := P - M;
  (7)   if (P ≥ M) then P := P - M; }

The main advantages of Algorithm 2 compared to separate multiplication and division are the following:
• Only one loop is required for the whole operation.
• The intermediate results are never longer than n+2 bits (thus reducing the area for registers and full adders).

But there are some disadvantages as well:
• The algorithm requires three additions with carry propagation in steps (5), (6) and (7).
• In order to perform the comparisons in steps (6) and (7), the preceding additions in steps (5) and (6) have to be completed. This is important for the latency because the operands are large and, therefore, the carry propagation has a significant influence on the latency.
• The comparisons in steps (6) and (7) also require the inspection of the full bit lengths of the operands in the worst case. In contrast to addition, the comparison is performed MSB first. Therefore, these two operations cannot be pipelined without delay.

Many researchers have tried to address these problems, but the only solution with a constant delay in the loop is the one of [8], which has an AT-complexity of 156n^2. In [1], a different approach is presented which reduces the AT-complexity for modular multiplication considerably. In Chapter 3, this new optimized algorithm is presented and discussed.

Chapter 3
New Architectures for Modular Multiplication

The detailed treatment of the new algorithms and their corresponding architectures presented in this chapter can be found in [1]. In this chapter, a summary of these algorithms and architectures is given.
The new architectures have been designed to meet the core requirements of most modern devices: small chip area and low power consumption.

3.1 Faster Montgomery Algorithm

In Figure 1, the layout for the implementation of the loop of Algorithm 1b consists of two carry save adders. For large word sizes (e.g. n = 1024 or higher), this would require considerable hardware resources to implement the architecture of Algorithm 1b. The motivation behind this optimized algorithm is to reduce the chip area for a practical hardware implementation of Algorithm 1b. This is possible if we can precompute the four possible values to be added to the intermediate result within the loop of Algorithm 1b, thereby reducing the number of carry save adders from 2 to 1. There are four possible scenarios:
• If the sum of the old values of S and C is an even number, and the actual bit x_i of X is 0, then we add 0 before we perform the reduction of S and C by division by 2.
• If the sum of the old values of S and C is an odd number, and the actual bit x_i of X is 0, then we must add M to make the intermediate result even. Afterwards, we divide S and C by 2.
• If the sum of the old values of S and C is an even number, and the actual bit x_i of X is 1, but the increment x_i*Y is even too, then we do not need to add M to make the intermediate result even. Thus, in the loop we add Y before we perform the reduction of S and C by division by 2. The same action is necessary if the sum of S and C is odd, the actual bit x_i of X is 1 and Y is odd as well. In this case, S+C+Y is an even number too.
• If the sum of the old values of S and C is odd, the actual bit x_i of X is 1, but the increment x_i*Y is even, then we must add Y and M to make the intermediate result even. Thus, in the loop we add Y+M before we perform the reduction of S and C by division by 2. The same action is necessary if the sum of S and C is even, the actual bit x_i of X is 1, and Y is odd. In this case, S+C+Y+M is an even number too.

The computation of Y+M can be done prior to the loop. This saves one of the two additions, which are replaced by the choice of the right operand to be added to the old values of S and C. Algorithm 3 is a modification of Montgomery's method which takes advantage of this idea.

The advantage of Algorithm 3 in comparison to Algorithm 1b can be seen in the implementation of the loop of Algorithm 3 in Figure 2. The possible values of I are stored in a lookup table, which is addressed by the actual values of x_i, y_0, s_0 and c_0. The operations in the loop are now reduced to one table lookup and one carry save addition. Both these activities can be performed concurrently. Note that the shift right operations that implement the division by 2 can be done by routing.

Algorithm 3: Faster Montgomery multiplication [1]
  Inputs: X, Y, M with 0 ≤ X, Y < M; n: number of bits in X; x_i: i-th bit of X; s_0: LSB of S, c_0: LSB of C, y_0: LSB of Y; R: precomputed value of Y+M
  Output: P = (X*Y*2^-n) mod M
  (1) S := 0; C := 0;
  (2) for (i := 0; i < n; i++) {
  (3)   if ((s_0 = c_0) and not x_i) then I := 0;
  (4)   if ((s_0 ≠ c_0) and not x_i) then I := M;
  (5)   if (not(s_0 ⊕ c_0 ⊕ y_0) and x_i) then I := Y;
  (6)   if ((s_0 ⊕ c_0 ⊕ y_0) and x_i) then I := R;
  (7)   (S, C) := S + C + I;
  (8)   S := S div 2; C := C div 2; }
  (9) P := S + C;
  (10) if (P ≥ M) then P := P - M;

Fig. 2: Architecture of Algorithm 3 [1].

In [1], the proof of Algorithm 3 is presented and the assumptions which were made in arriving at an Area-Time (AT) complexity of 96n^2 are shown.

3.2 Optimized Interleaved Algorithm

The new algorithm [1, Algorithm 4] is an optimisation of the interleaved modular multiplication [1, Algorithm 2].
In [1], four details of Algorithm 2 were modified in order to overcome the problems mentioned in Chapter 2:•The intermediate results are no longer compared to M (as in steps (6) and(7) of Algorithm 2). Rather, a comparison to k*2n(k=0... 6) is performedwhich can be done in constant time. This comparison is done implicitly in the mod-operation in step (13) of Algorithm 4.New Architectures for Modular Multiplication22• Subtractions in steps (6), (7) of Algorithm 2 are replaced by one subtractionof k *2n which can be done in constant time by bit masking. • Next, the value of k *2n mod M is added in order to generate the correctintermediate result (step (12) of Algorithm 4).• Finally, carry save adders are used to perform the additions inside the loop,thereby reducing the latency to a constant. The intermediate results are in redundant form, coded in two words S and C instead of generated one word P .These changes made by the authors in [1] led to Algorithm 4, which looks more complicated than Algorithm 2. Its main advantage is the fact that all the computations in the loop can be performed in constant time. Hence, the time complexity of the whole algorithm is reduced to O(n ), provided the values of k *2n mod M are precomputed before execution of the loop.Algorithm 4: Modular multiplication using carry save addition [1]M;C) (S ) P :(M;})*C *C S *S () A :( A);CSA(S, C,) :) (S,C ( I); CSA(S, C,C) :) (S,(*Y;x ) I :(*A;) A :(*C;) C :(*S;) S :(; C ) C :(; S ) S :() {; i ; i n ) for (i (; ; A : ; C :) S :( bit of X;: i x X;of bits in n: number M X*Y Output: P MX, Y Y, M with Inputs: X,n n n n n i n n th i mod 12mod 2221110982726252mod 42mod 30120001mod 011+=+++=========−−≥−=====<≤++New Architectures for Modular Multiplication 23Fig. 3: Inner loop of modular multiplication using carry save addition [1]In [1], the authors specified some modifications that can be applied to Algorithm 2 in order simplify and significantly speed up the operations inside the loop. 
The mathematical proof which confirms the correctness of the Algorithm 4 can be referred to in [1].The architecture for the implementation of the loop of Algorithm 4 can be seen in the hardware layout in Figure 3.In [1], the authors showed how to reduce both area and time by further exploiting precalculation of values in a lookup-table and thus saving one carry save adder. The basic idea is:。
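A bit-level software model of both carry-save architectures of this chapter, added here as an example (it is not the thesis's or [1]'s code): Algorithm 3 with its four-entry operand table selected by (x_i, s_0, c_0, y_0), and Algorithm 4 with the k*2^n cut-off by bit masking and re-injection of k*2^n mod M through A. The `csa` helper and the random check against Python's big-integer arithmetic are the example's own constructions.

```python
"""Bit-level Python model of this chapter's two carry-save architectures:
Algorithm 3 (faster Montgomery multiplication, one CSA plus a 4-entry operand
table) and Algorithm 4 (interleaved multiplication with CSAs and k*2^n
reduction). Added example; not the thesis's or [1]'s code."""
import random
from typing import Tuple


def csa(a: int, b: int, c: int) -> Tuple[int, int]:
    """Carry-save adder on whole words: sum word = bitwise XOR, carry word =
    bitwise majority shifted left one bit, so sum_word + carry_word == a+b+c
    with no carry propagation along the word (constant depth in hardware)."""
    return a ^ b ^ c, ((a & b) | (a & c) | (b & c)) << 1


def montgomery_csa(X: int, Y: int, M: int, n: int) -> int:
    """Algorithm 3: returns (X*Y*2^-n) mod M for odd M, 0 <= X, Y < M < 2^n.
    The operand I of each round comes from a table indexed by
    (x_i, s_0, c_0, y_0); R = Y+M is precomputed once, outside the loop."""
    assert M % 2 == 1 and 0 <= X < M and 0 <= Y < M and M < (1 << n)
    R = Y + M                        # precomputed value of Y+M
    S = C = 0
    y0 = Y & 1
    for i in range(n):
        xi = (X >> i) & 1
        s0, c0 = S & 1, C & 1
        if not xi:
            # S+C even: add nothing; S+C odd: add M to make it even
            I = 0 if s0 == c0 else M
        else:
            # S+C+Y even: add Y; otherwise add Y+M (either makes the sum even)
            I = Y if (s0 ^ c0 ^ y0) == 0 else R
        S, C = csa(S, C, I)          # the single carry save addition
        S >>= 1                      # division by 2 is just routing in hardware
        C >>= 1
    P = S + C
    return P - M if P >= M else P    # S+C < 2M holds throughout: one subtraction


def interleaved_csa(X: int, Y: int, M: int, n: int) -> int:
    """Algorithm 4: returns X*Y mod M for 0 <= X, Y < M < 2^n, scanning X from
    its most significant bit. Instead of comparing with M, the overflow k*2^n
    (k = 0..6) of S and C is cut off by bit masking, and its value mod M is
    re-injected through the word A in the following round."""
    assert 0 <= X < M and 0 <= Y < M and M < (1 << n)
    mask = (1 << n) - 1
    S = C = A = 0
    for i in range(n - 1, -1, -1):
        S &= mask                    # subtract k*2^n by bit masking ...
        C &= mask
        S <<= 1                      # ... then double S, C and A
        C <<= 1
        A <<= 1
        I = Y if (X >> i) & 1 else 0
        S, C = csa(S, C, I)          # add x_i*Y
        S, C = csa(S, C, A)          # add the previous round's k*2^n mod M
        # overflow of the redundant result above bit n-1, reduced mod M;
        # in hardware these seven values come from a precomputed table
        A = (((S >> n) << n) + ((C >> n) << n)) % M
    # S+C still carries the last overflow k*2^n; the final mod absorbs it
    return (S + C) % M


def check_random(trials: int, n: int, seed: int) -> bool:
    """Compare both models with big-integer arithmetic on random odd n-bit
    moduli (constructed test inputs)."""
    rng = random.Random(seed)
    for _ in range(trials):
        M = rng.randrange(1 << (n - 1), 1 << n) | 1
        X, Y = rng.randrange(M), rng.randrange(M)
        if interleaved_csa(X, Y, M, n) != (X * Y) % M:
            return False
        if montgomery_csa(X, Y, M, n) != (X * Y * pow(2, -n, M)) % M:
            return False
    return True


if __name__ == "__main__":
    # 37*59 mod 101 = 62; 62 * 2^-7 mod 101 = 21
    print(interleaved_csa(37, 59, 101, 7), montgomery_csa(37, 59, 101, 7))
    print(check_random(200, 16, 1))
```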

English Essay: Improving Putonghua (Mandarin) through English Learning

Introduction

The globalized world we inhabit today necessitates effective communication across linguistic barriers, with English often serving as the lingua franca. For non-native English speakers, particularly those from Mandarin-speaking backgrounds, enhancing their proficiency in English not only broadens their horizons but also contributes significantly to improving their Mandarin proficiency. This essay explores the multifaceted ways in which English language learning can elevate one's command of Mandarin, considering aspects such as vocabulary expansion, grammatical understanding, pronunciation refinement, cultural appreciation, and cognitive development.

Vocabulary Expansion

One of the most apparent benefits of learning English for Mandarin speakers is the substantial increase in vocabulary. English, being an Indo-European language, has a vast lexicon that shares numerous cognates and loanwords with other languages, including Mandarin. Many English words have Latin or Greek roots, which are also found in many Mandarin terms due to China's long history of cultural exchange and academic borrowing. Learning these words in English can simultaneously reinforce or introduce their Mandarin counterparts, thereby expanding the learner's lexical repertoire.

Moreover, English is replete with technical and specialized terms that have been adopted into Mandarin, particularly in fields like science, technology, business, and law. Acquiring these terms in English directly enhances one's ability to use them accurately in Mandarin contexts. For instance, learning the English term "algorithm" not only enriches one's English vocabulary but also reinforces the understanding and usage of its Mandarin equivalent, "jīsuàn fāngshì." Thus, English learning serves as a gateway to a wider range of vocabulary that can be transferred and applied in Mandarin discourse.

Grammatical Understanding

While English and Mandarin belong to entirely different language families (Indo-European and Sino-Tibetan, respectively), studying English grammar can offer valuable insights into Mandarin's syntactic structures. The process of comparing and contrasting the grammatical rules, sentence patterns, and word order in both languages fosters a deeper understanding of the underlying principles that govern language usage. This comparative approach enables learners to identify similarities and differences between the two languages, enhancing their ability to navigate complex grammatical constructs in Mandarin.

For example, while English relies heavily on tenses to convey temporal relationships, Mandarin primarily employs aspect markers and context. Studying English tenses can help Mandarin speakers better understand how to express temporal nuances in their native language using aspectual particles like "le," "zhe," and "guo." Similarly, the explicit subject-verb-object structure in English sentences can highlight the importance of topic-comment organization in Mandarin, where the topic is often implied rather than explicitly stated. Such cross-linguistic awareness empowers learners to articulate ideas more precisely and coherently in Mandarin.

Pronunciation Refinement

English pronunciation training, with its emphasis on phonemic awareness and accurate sound production, can greatly benefit Mandarin speakers striving to improve their pronunciation in both languages. English, unlike Mandarin, uses stress, intonation, and connected speech features that may be less familiar to native Mandarin speakers. Mastering these elements in English can enhance learners' sensitivity to prosodic features and their application in Mandarin, leading to clearer, more intelligible speech.

Additionally, English contains sounds that do not exist in Mandarin, such as dental fricatives (/θ/ and /ð/) and the distinction between voiced and voiceless consonants (e.g., /b/ vs. /p/, /d/ vs. /t/). Practicing these sounds in English can help Mandarin speakers develop the necessary muscular control to produce them accurately, which may translate to a more refined pronunciation of similar or borrowed sounds in Mandarin. Furthermore, the International Phonetic Alphabet (IPA) – commonly used in English language teaching – can provide a standardized framework for learners to analyze and improve their pronunciation in both languages.

Cultural Appreciation

Language is deeply intertwined with culture, and learning English offers Mandarin speakers a window into the Western cultural landscape. Exposure to English literature, media, and everyday discourse fosters an understanding of Anglophone values, customs, and perspectives. This cultural immersion enables learners to appreciate the nuances of language use in various social and cultural contexts, enhancing their ability to communicate effectively and appropriately in diverse situations.

This heightened cultural awareness also spills over into Mandarin usage. As learners engage with English materials that discuss or reference Chinese culture, they gain a fresh perspective on their own cultural heritage. They may discover new ways to express familiar concepts or be inspired to delve deeper into Mandarin idioms, proverbs, and historical references. Moreover, navigating cultural differences between English and Mandarin contexts equips learners with the skills to articulate their thoughts and feelings about their own culture more articulately in Mandarin, fostering a richer and more nuanced expression of their identity.

Cognitive Development

Lastly, the process of learning English itself can stimulate cognitive growth that indirectly benefits Mandarin proficiency. Engaging in a second language acquisition process enhances cognitive flexibility, problem-solving abilities, and metalinguistic awareness – skills that are transferable to any language, including Mandarin. For instance, the constant need to switch between English and Mandarin in multilingual environments sharpens learners' ability to monitor and control their language output, reducing code-switching errors and facilitating more seamless language switching.

Furthermore, the mental gymnastics involved in comparing and contrasting English and Mandarin grammar, vocabulary, and pronunciation refine learners' analytical thinking and pattern recognition skills. These enhanced cognitive faculties enable them to identify and rectify errors more efficiently in their Mandarin usage, as well as to learn and retain new Mandarin content more effectively.

Conclusion

In summary, learning English presents a multi-faceted opportunity for Mandarin speakers to elevate their proficiency in their native tongue. It expands vocabulary, deepens grammatical understanding, refines pronunciation, fosters cultural appreciation, and promotes cognitive development – all of which contribute to a more nuanced, accurate, and confident use of Mandarin. As such, investing in English language education should be viewed not only as a means to communicate globally but also as a strategic tool for enhancing one's mastery of Mandarin in today's interconnected world.

Introduction to Algorithms, 4th Edition (English Version)

Algorithm Introduction, Fourth Edition by Thomas H. Cormen, Charles E. Leiserson, Ronald L. Rivest, and Clifford Stein is undoubtedly one of the most influential books in the field of computer science. With its comprehensive coverage of various algorithms and their analysis, this book has become a beloved resource for students, researchers, and professionals alike.

The fourth edition of Algorithm Introduction builds upon the success of its predecessors, offering updated content and new insights into the world of algorithms. It starts with an introduction to algorithm analysis, providing readers with a solid foundation to understand the efficiency and effectiveness of different algorithms. The authors skillfully explain the techniques used in algorithm design and analysis, such as divide-and-conquer, dynamic programming, and greedy algorithms.

One of the standout features of this book is its detailed and comprehensive treatment of various data structures. From arrays and linked lists to trees and graphs, the authors explore the intricacies of each data structure, discussing their properties, operations, and analysis. This thorough examination ensures that readers gain a deep understanding of the strengths and weaknesses of different data structures, enabling them to make informed decisions when choosing the appropriate structure for their algorithms.

The book also covers a wide range of fundamental algorithms, including sorting, searching, and graph algorithms. The authors present these algorithms in a clear and concise manner, using pseudocode and diagrams to facilitate understanding. Additionally, they provide detailed analysis of these algorithms, discussing their time and space complexity, as well as their theoretical limits.

Furthermore, Algorithm Introduction delves into advanced topics, such as computational geometry, network flow, and NP-completeness. These topics offer readers a glimpse into the cutting-edge research and real-world applications of algorithms. The authors' expertise in these areas shines through, making the book a valuable resource for those interested in pushing the boundaries of algorithmic research.

In addition to its comprehensive content, Algorithm Introduction also stands out for its pedagogical approach. The authors include numerous exercises and problems throughout the book, encouraging readers to apply the concepts they have learned. These exercises not only serve as a means of reinforcing understanding but also provide an opportunity for readers to sharpen their problem-solving skills.

The fourth edition of Algorithm Introduction is undoubtedly a must-have for anyone interested in algorithms and their applications. Its clear and concise explanations, comprehensive coverage of topics, and practical exercises make it an invaluable resource for students, researchers, and professionals alike. Whether you are a beginner looking to grasp the basics or an experienced practitioner seeking to expand your knowledge, this book will undoubtedly enhance your understanding of algorithms and their role in computer science.

On Lattices, Learning with Errors, Random Linear Codes, and Cryptography

Oded Regev∗

May 2, 2009

Abstract

Our main result is a reduction from worst-case lattice problems such as GapSVP and SIVP to a certain learning problem. This learning problem is a natural extension of the 'learning from parity with error' problem to higher moduli. It can also be viewed as the problem of decoding from a random linear code. This, we believe, gives a strong indication that these problems are hard. Our reduction, however, is quantum. Hence, an efficient solution to the learning problem implies a quantum algorithm for GapSVP and SIVP. A main open question is whether this reduction can be made classical (i.e., non-quantum).

We also present a (classical) public-key cryptosystem whose security is based on the hardness of the learning problem. By the main result, its security is also based on the worst-case quantum hardness of GapSVP and SIVP. The new cryptosystem is much more efficient than previous lattice-based cryptosystems: the public key is of size $\tilde O(n^2)$ and encrypting a message increases its size by a factor of $\tilde O(n)$ (in previous cryptosystems these values are $\tilde O(n^4)$ and $\tilde O(n^2)$, respectively). In fact, under the assumption that all parties share a random bit string of length $\tilde O(n^2)$, the size of the public key can be reduced to $\tilde O(n)$.

1 Introduction

Main theorem. For an integer $n \ge 1$ and a real number $\varepsilon \ge 0$, consider the 'learning from parity with error' problem, defined as follows: the goal is to find an unknown $s \in \mathbb{Z}_2^n$ given a list of 'equations with errors'

$\langle s, a_1 \rangle \approx_\varepsilon b_1 \pmod 2$
$\langle s, a_2 \rangle \approx_\varepsilon b_2 \pmod 2$
$\ldots$

where the $a_i$'s are chosen independently from the uniform distribution on $\mathbb{Z}_2^n$, $\langle s, a_i \rangle = \sum_j s_j (a_i)_j$ is the inner product modulo 2 of $s$ and $a_i$, and each equation is correct independently with probability $1 - \varepsilon$.
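As an added example that is not the paper's code: a toy model of the 'equations with errors' generalized to a modulus $p$ (the LWE problem this introduction defines next), showing that the error-free case ($\varepsilon = 0$) falls to Gaussian elimination while the same rows with error do not, together with the public-key encryption the introduction later sketches (sum a random subset of the public equations, shift the right-hand side by the message). The rounded-Gaussian error distribution and the parameters n = 10, p = 1021, m = 120, sigma = 2 are assumptions chosen for this toy size, not the paper's.

```python
"""Toy model of LWE 'equations with errors' and of the public-key scheme this
introduction sketches (public key = equations with error; encryption = sum of a
random subset with the right-hand side shifted by the message). Added example,
not the paper's code. The error is a rounded Gaussian standing in for the
paper's Psi-bar_alpha, and demo() uses toy parameters chosen for reliable
decryption at this size rather than the paper's asymptotic choices."""
import random
from typing import List, Optional, Tuple

Vector = List[int]
Matrix = List[Vector]


def inner(a: Vector, s: Vector, p: int) -> int:
    """<a, s> mod p."""
    return sum(x * y for x, y in zip(a, s)) % p


def lwe_equations(s: Vector, m: int, p: int, sigma: float,
                  rng: random.Random) -> Tuple[Matrix, Vector]:
    """m equations b_i = <a_i, s> + e_i (mod p): a_i uniform over Z_p^n, e_i a
    rounded Gaussian of standard deviation sigma (assumed stand-in for the
    paper's discrete Gaussian, whose deviation is alpha*p)."""
    A = [[rng.randrange(p) for _ in s] for _ in range(m)]
    b = [(inner(a, s, p) + round(rng.gauss(0.0, sigma))) % p for a in A]
    return A, b


def solve_exact(A: Matrix, b: Vector, p: int) -> Optional[Vector]:
    """The epsilon = 0 case: recover s from error-free equations by Gaussian
    elimination over Z_p (p prime). Returns None if the rows do not fix s.
    Fed noisy rows, it returns the solution of some n of them, not s."""
    n = len(A[0])
    rows = [a + [bi] for a, bi in zip(A, b)]
    for col in range(n):
        piv = next((r for r in range(col, len(rows)) if rows[r][col]), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, p)
        rows[col] = [(x * inv) % p for x in rows[col]]
        for r in range(len(rows)):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(x - f * y) % p for x, y in zip(rows[r], rows[col])]
    return [rows[i][n] for i in range(n)]


def encrypt(pk: Tuple[Matrix, Vector], bit: int, p: int,
            rng: random.Random) -> Tuple[Vector, int]:
    """Sum a random subset of the public equations (a fresh equation with
    error) and add floor(p/2) to its right-hand side when bit == 1."""
    A, b = pk
    subset = [i for i in range(len(A)) if rng.random() < 0.5]
    u = [sum(A[i][j] for i in subset) % p for j in range(len(A[0]))]
    v = (sum(b[i] for i in subset) + bit * (p // 2)) % p
    return u, v


def decrypt(s: Vector, ct: Tuple[Vector, int], p: int) -> int:
    """v - <u, s> is the summed error (bit 0) or the summed error plus
    floor(p/2) (bit 1); decide by whether it is closer to 0 or to p/2."""
    u, v = ct
    d = (v - inner(u, s, p)) % p
    return 0 if min(d, p - d) < p // 4 else 1


def demo(seed: int = 7) -> dict:
    """Constructed toy instance: n = 10, p = 1021, m = 120, sigma = 2."""
    n, p, m, sigma = 10, 1021, 120, 2.0
    rng = random.Random(seed)
    s = [rng.randrange(p) for _ in range(n)]
    pk = lwe_equations(s, m, p, sigma, rng)
    bits = [rng.randrange(2) for _ in range(64)]
    ok = all(decrypt(s, encrypt(pk, bit, p, rng), p) == bit for bit in bits)
    A, b = pk
    exact = [inner(a, s, p) for a in A]        # the same rows without error
    return {
        "all_decrypted": ok,
        "exact_recovers_s": solve_exact(A, exact, p) == s,
        "noisy_recovers_s": solve_exact(A, b, p) == s,
    }


if __name__ == "__main__":
    print(demo())
```

With the errors present, elimination still runs but its output is a solution of a few corrupted rows, which is the point the text makes about $\varepsilon > 0$.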
More precisely, the input to the problem consists of pairs $(a_i, b_i)$ where each $a_i$ is chosen independently and uniformly from $\mathbb{Z}_2^n$ and each $b_i$ is independently chosen to be equal to $\langle s, a_i \rangle$ with probability $1 - \varepsilon$. The goal is to find $s$. Notice that the case $\varepsilon = 0$ can be solved efficiently by, say, Gaussian elimination. This requires $O(n)$ equations and $\mathrm{poly}(n)$ time.

∗ School of Computer Science, Tel Aviv University, Tel Aviv 69978, Israel. Supported by an Alon Fellowship, by the Binational Science Foundation, by the Israel Science Foundation, by the Army Research Office grant DAAD19-03-1-0082, by the European Commission under the Integrated Project QAP funded by the IST directorate as Contract Number 015848, and by a European Research Council (ERC) Starting Grant.

The problem seems to become significantly harder when we take any positive $\varepsilon > 0$. For example, let us consider again the Gaussian elimination process and assume that we are interested in recovering only the first bit of $s$. Using Gaussian elimination, we can find a set $S$ of $O(n)$ equations such that $\sum_{S} a_i$ is $(1, 0, \ldots, 0)$. Summing the corresponding values $b_i$ gives us a guess for the first bit of $s$. However, a standard calculation shows that this guess is correct with probability $\frac{1}{2} + 2^{-\Theta(n)}$. Hence, in order to obtain the first bit with good confidence, we have to repeat the whole procedure $2^{\Theta(n)}$ times. This yields an algorithm that uses $2^{O(n)}$ equations and $2^{O(n)}$ time. In fact, it can be shown that given only $O(n)$ equations, the $s' \in \mathbb{Z}_2^n$ that maximizes the number of satisfied equations is with high probability $s$. This yields a simple maximum likelihood algorithm that requires only $O(n)$ equations and runs in time $2^{O(n)}$.

Blum, Kalai, and Wasserman [11] provided the first subexponential algorithm for this problem. Their algorithm requires only $2^{O(n/\log n)}$ equations/time and is currently the best known algorithm for the problem. It is based on a clever idea that allows to find a small set $S$ of equations (say, $O(\sqrt{n})$) among $2^{O(n/\log n)}$ equations, such that $\sum_{S} a_i$ is, say, $(1, 0, \ldots, 0)$. This gives us a guess for the first bit of $s$ that is correct with probability $\frac{1}{2} + 2^{-\Theta(\sqrt{n})}$. We can obtain the correct value with high probability by repeating the whole procedure only $2^{O(\sqrt{n})}$ times. Their idea was later shown to have other important applications, such as the first $2^{O(n)}$-time algorithm for solving the shortest vector problem [23, 5].

An important open question is to explain the apparent difficulty in finding efficient algorithms for this learning problem. Our main theorem explains this difficulty for a natural extension of this problem to higher moduli, defined next.

Let $p = p(n) \le \mathrm{poly}(n)$ be some prime integer and consider a list of 'equations with error'

$\langle s, a_1 \rangle \approx_\chi b_1 \pmod p$
$\langle s, a_2 \rangle \approx_\chi b_2 \pmod p$
$\ldots$

where this time $s \in \mathbb{Z}_p^n$, $a_i$ are chosen independently and uniformly from $\mathbb{Z}_p^n$, and $b_i \in \mathbb{Z}_p$. The error in the equations is now specified by a probability distribution $\chi : \mathbb{Z}_p \to \mathbb{R}^+$ on $\mathbb{Z}_p$. Namely, for each equation $i$, $b_i = \langle s, a_i \rangle + e_i$ where each $e_i \in \mathbb{Z}_p$ is chosen independently according to $\chi$. We denote the problem of recovering $s$ from such equations by $\mathrm{LWE}_{p,\chi}$ (learning with error). For example, the learning from parity problem with error $\varepsilon$ is the special case where $p = 2$, $\chi(0) = 1 - \varepsilon$, and $\chi(1) = \varepsilon$. Under a reasonable assumption on $\chi$ (namely, that $\chi(0) > 1/p + 1/\mathrm{poly}(n)$), the maximum likelihood algorithm described above solves $\mathrm{LWE}_{p,\chi}$ for $p \le \mathrm{poly}(n)$ using $\mathrm{poly}(n)$ equations and $2^{O(n \log n)}$ time. Under a similar assumption, an algorithm resembling the one by Blum et al. [11] requires only $2^{O(n)}$ equations/time. This is the best known algorithm for the LWE problem.

Our main theorem shows that for certain choices of $p$ and $\chi$, a solution to $\mathrm{LWE}_{p,\chi}$ implies a quantum solution to worst-case lattice problems.

Theorem 1.1 (Informal) Let $n, p$ be integers and $\alpha \in (0, 1)$ be such that $\alpha p > 2\sqrt{n}$. If there exists an efficient algorithm that solves $\mathrm{LWE}_{p,\bar\Psi_\alpha}$ then there exists an efficient quantum algorithm that approximates the decision version of the shortest vector problem (GapSVP) and the shortest independent vectors problem (SIVP) to within $\tilde O(n/\alpha)$ in the worst case.

The exact definition of $\bar\Psi_\alpha$ will be given later. For now, it is enough to know that it is a distribution on $\mathbb{Z}_p$ that has the shape of a discrete Gaussian centered around 0 with standard deviation $\alpha p$, as in Figure 1. Also, the probability of 0 (i.e., no error) is roughly $1/(\alpha p)$. A possible setting for the parameters is $p = O(n^2)$ and $\alpha = 1/(\sqrt{n} \log^2 n)$ (in fact, these are the parameters that we use in our cryptographic application).

Figure 1: $\bar\Psi_\alpha$ for $p = 127$ with $\alpha = 0.05$ (left) and $\alpha = 0.1$ (right). The elements of $\mathbb{Z}_p$ are arranged on a circle.

GapSVP and SIVP are two of the main computational problems on lattices. In GapSVP, for instance, the input is a lattice, and the goal is to approximate the length of the shortest nonzero lattice vector. The best known polynomial time algorithms for them yield only mildly subexponential approximation factors [24, 38, 5]. It is conjectured that there is no classical (i.e., non-quantum) polynomial time algorithm that approximates them to within any polynomial factor. Lattice-based constructions of one-way functions, such as the one by Ajtai [2], are based on this conjecture.

One might even conjecture that there is no quantum polynomial time algorithm that approximates GapSVP (or SIVP) to within any polynomial factor. One can then interpret the main theorem as saying that based on this conjecture, the LWE problem is hard. The only evidence supporting this conjecture is that there are no known quantum algorithms for lattice problems that outperform classical algorithms, even though this is probably one of the most important open questions in the field of quantum computing.¹ In fact, one could also interpret our main theorem as a way to disprove this conjecture: if one finds an efficient algorithm for LWE, then one also obtains a quantum algorithm for approximating worst-case lattice problems. Such a result would be of tremendous importance on its own. Finally, we note that it is possible that our main theorem will one day be made classical. This would make all our results stronger and the above discussion unnecessary.

¹ If forced to make a guess, the author would say that the conjecture is true.

The LWE problem can be equivalently presented as the problem of decoding random linear codes. More specifically, let $m = \mathrm{poly}(n)$ be arbitrary and let $s \in \mathbb{Z}_p^n$ be some vector. Then, consider the following problem: given a random matrix $Q \in \mathbb{Z}_p^{m \times n}$ and the vector $t = Qs + e \in \mathbb{Z}_p^m$ where each coordinate of the error vector $e \in \mathbb{Z}_p^m$ is chosen independently from $\bar\Psi_\alpha$, recover $s$. The Hamming weight of $e$ is roughly $m(1 - 1/(\alpha p))$ (since a value chosen from $\bar\Psi_\alpha$ is 0 with probability roughly $1/(\alpha p)$). Hence, the Hamming distance of $t$ from $Qs$ is roughly $m(1 - 1/(\alpha p))$. Moreover, it can be seen that for large enough $m$, for any other word $s'$, the Hamming distance of $t$ from $Qs'$ is roughly $m(1 - 1/p)$. Hence, we obtain that approximating the nearest codeword problem to within factors smaller than $(1 - 1/p)/(1 - 1/(\alpha p))$ on random codes is as hard as quantumly approximating worst-case lattice problems. This gives a partial answer to the important open question of understanding the hardness of decoding from random linear codes.

It turns out that certain problems, which are seemingly easier than the LWE problem, are in fact equivalent to the LWE problem. We establish these equivalences in Section 4 using elementary reductions. For example, being able to distinguish a set of equations as above from a set of equations in which the $b_i$'s are chosen uniformly from $\mathbb{Z}_p$ is equivalent to solving LWE. Moreover, it is enough to correctly distinguish these two distributions for some non-negligible fraction of all $s$. The latter formulation is the one we use in our cryptographic applications.

Cryptosystem. In Section 5 we present a public key cryptosystem and prove that it is secure based on the hardness of the LWE problem. We use the standard security notion of semantic, or IND-CPA, security (see, e.g., [20, Chapter 10]). The cryptosystem and its security proof are entirely classical. In fact, the cryptosystem itself is quite simple; the reader is encouraged to glimpse at the beginning of Section 5. Essentially, the idea is to provide a list of equations as above as the public key; encryption is performed by summing some of the equations (forming another equation with error) and modifying the right hand side depending on the message to be transmitted. Security follows from the fact that a list of equations with error is computationally indistinguishable from a list of equations in which the $b_i$'s are chosen uniformly.

By using our main theorem, we obtain that the security of the system is based also on the worst-case quantum hardness of approximating SIVP and GapSVP to within $\tilde O(n^{1.5})$. In other words, breaking our cryptosystem implies an efficient quantum algorithm for approximating SIVP and GapSVP to within $\tilde O(n^{1.5})$. Previous cryptosystems, such as the Ajtai-Dwork cryptosystem [4] and the one by Regev [36], are based on the worst-case (classical) hardness of the unique-SVP problem, which can be related to GapSVP (but not SIVP) through the recent result of Lyubashevsky and Micciancio [26].

Another important feature of our cryptosystem is its improved efficiency. In previous cryptosystems, the public key size is $\tilde O(n^4)$ and the encryption increases the size of messages by a factor of $\tilde O(n^2)$. In our cryptosystem, the public key size is only $\tilde O(n^2)$ and encryption increases the size of messages by a factor of only $\tilde O(n)$. This possibly makes our cryptosystem practical. Moreover, using an idea of Ajtai [3], we can reduce the size of the public key to $\tilde O(n)$. This requires all users of the cryptosystem to share some (trusted) random bit string of length $\tilde O(n^2)$. This can be achieved by, say, distributing such a bit string as part of the encryption and decryption software.

We mention that learning problems similar to ours were already suggested as possible sources of cryptographic hardness in, e.g., [10, 7], although this was done without establishing any connection to lattice problems. In another related work [3], Ajtai suggested a cryptosystem that has several properties in common with ours (including its efficiency), although its security is not based on worst-case lattice problems.

Why quantum? This paper is almost entirely classical. In fact, quantum is needed only in one step in the proof of the main theorem. Making this step classical would make the entire reduction classical. To demonstrate the difficulty, consider the following situation. Let $L$ be some lattice and let $d = \lambda_1(L)/n^{10}$ where $\lambda_1(L)$ is the length of the shortest nonzero vector in $L$. We are given an oracle that for any point $x \in \mathbb{R}^n$ within distance $d$ of $L$ finds the closest lattice vector to $x$. If $x$ is not within distance $d$ of $L$, the output of the oracle is undefined. Intuitively, such an oracle seems quite powerful; the best known algorithms for performing such a task require exponential time. Nevertheless, we do not see any way to use this oracle classically. Indeed, it seems to us that the only way to generate inputs to the oracle is the following: somehow choose a lattice point $y \in L$ and let $x = y + z$ for some perturbation vector $z$ of length at most $d$. Clearly, on input $x$ the oracle outputs $y$. But this is useless since we already know $y$!

It turns out that quantumly, such an oracle is quite useful. Indeed, being able to compute $y$ from $x$ allows us to uncompute $y$. More precisely, it allows us to transform the quantum state $|x, y\rangle$ to the state $|x, 0\rangle$ in a reversible (i.e., unitary) way. This ability to erase the contents of a memory cell in a reversible way seems useful only in the quantum setting.

Techniques. Unlike previous constructions of lattice-based public-key cryptosystems, the proof of our main theorem uses an 'iterative construction'. Essentially, this means that instead of 'immediately' finding very short vectors in a lattice, the reduction proceeds in steps where in each step shorter lattice vectors are found. So far, such iterative techniques have been used only in the construction of lattice-based one-way functions [2, 12, 27, 29]. Another novel aspect of our main theorem is its crucial use of quantum computation. Our cryptosystem is the first classical cryptosystem whose security is based on a quantum hardness assumption (see [30] for a somewhat related recent work).

Our proof is based on the Fourier transform of Gaussian measures, a technique that was developed in previous papers [36, 29, 1]. More specifically, we use a parameter known as the smoothing parameter, as introduced in [29]. We also use the discrete Gaussian distribution and approximations to its Fourier transform, ideas that were developed in [1].

Open questions. The main open question raised by this work is whether Theorem 1.1 can be dequantized: can the hardness of LWE be established based on the classical hardness of SIVP and GapSVP? We see no reason why this should be impossible. However, despite our efforts over the last few years, we were not able to show this. As mentioned above, the difficulty is that there seems to be no classical way to use an oracle that solves the closest vector problem within small distances. Quantumly, however, such an oracle turns out to be quite useful.

Another important open question is to determine the hardness of the learning from parity with errors problem (i.e., the case $p = 2$). Our theorem only works for $p > 2\sqrt{n}$. It seems that in order to prove similar results for smaller values of $p$, substantially new ideas are required. Alternatively, one can interpret our inability to prove hardness for small $p$ as an indication that the problem might be easier than believed.

Finally, it would be interesting to relate the LWE problem to other average-case problems in the literature, and especially to those considered by Feige in [15]. See Alekhnovich's paper [7] for some related work.

Followup work. We now describe some of the followup work that has appeared since the original publication of our results in 2005 [37].

One line of work focussed on improvements to our cryptosystem. First, Kawachi, Tanaka, and Xagawa [21] proposed a modification to our cryptosystem that slightly improves the encryption blowup to $O(n)$, essentially getting rid of a log factor. A much more significant improvement is described by Peikert, Vaikuntanathan, and Waters in [34]. By a relatively simple modification to the cryptosystem, they managed to bring the encryption blowup down to only $O(1)$, in addition to several equally significant improvements in running time. Finally, Akavia, Goldwasser, and Vaikuntanathan [6] show that our cryptosystem remains secure even if almost the entire secret key is leaked.

Another line of work focussed on the design of other cryptographic protocols whose security is based on the hardness of the LWE problem. First, Peikert and Waters [35] constructed, among other things, CCA-secure cryptosystems (see also [33] for a simpler construction). These are cryptosystems that are secure even if the adversary is allowed access to a decryption oracle (see, e.g., [20, Chapter 10]). All previous lattice-based cryptosystems (including the one in this paper) are not CCA-secure. Second, Peikert, Vaikuntanathan, and Waters [34] showed how to construct oblivious transfer protocols, which are useful, e.g., for performing secure multiparty computation. Third, Gentry, Peikert, and Vaikuntanathan [16] constructed an identity-based encryption (IBE) scheme. This is a public-key encryption scheme in which the public key can be any unique identifier of the user; very few constructions of such schemes are known. Finally, Cash, Peikert, and Sahai [13] constructed a public-key cryptosystem that remains secure even when the encrypted messages may depend upon the secret key. The security of all the above constructions is based on the LWE problem and hence, by our main theorem, also on the worst-case quantum hardness of lattice problems.

The LWE problem has also been used by Klivans and Sherstov to show hardness results related to learning halfspaces [22]. As before, due to our main theorem, this implies hardness of learning halfspaces based on the worst-case quantum hardness of lattice problems.

Finally, we mention two results giving further evidence for the hardness of the LWE problem. In the first, Peikert [32] somewhat strengthens our main theorem by replacing our worst-case lattice problems with their analogues for the $\ell_q$ norm, where $2 \le q \le \infty$ is arbitrary. Our main theorem only deals with the standard $\ell_2$ versions. In another recent result, Peikert [33] shows that the quantum part of our proof can be removed, leading to a classical reduction from GapSVP to the LWE problem. As a result, Peikert is able to show that public-key cryptosystems (including many of the above LWE-based schemes) can be based on the classical hardness of GapSVP, resolving a long-standing open question (see also [26]). Roughly speaking, the way Peikert circumvents the difficulty we described earlier is by noticing that the existence of an oracle that is able to recover $y$ from $y + z$, where $y$ is a random lattice point and $z$ is a random perturbation of length at most $d$, is by itself a useful piece of information as it provides a lower bound on the length of the shortest nonzero vector. By trying to construct such oracles for several different values of $d$ and checking which ones work, Peikert is able to obtain a good approximation of the length of the shortest nonzero vector. Removing the quantum part, however, comes at a cost: the construction can no longer be iterative, the hardness can no longer be based on SIVP, and even for hardness based on GapSVP, the modulus $p$ in the LWE problem must be exponentially big unless we assume the hardness of a non-standard variant of GapSVP. Because of this, we believe that dequantizing our main theorem remains an important open problem.

1.1 Overview

In this subsection, we give a brief informal overview of the proof of our main theorem, Theorem 1.1. The complete proof appears in Section 3. We do not discuss here the reductions in Section 4 and the cryptosystem in Section 5 as these parts of the paper are more similar to previous work.

In addition to some very basic definitions related to lattices, we will make heavy use here of the discrete Gaussian distribution on $L$ of width $r$, denoted $D_{L,r}$. This is the distribution whose support is $L$ (which is typically a lattice), and in which the probability of each $x \in L$ is proportional to $\exp(-\pi \|x/r\|^2)$ (see Eq. (6) and Figure 2). We also mention here the smoothing parameter $\eta_\varepsilon(L)$. This is a real positive number associated with any lattice $L$ ($\varepsilon$ is an accuracy parameter which we can safely ignore here). Roughly speaking, it gives the smallest $r$ starting from which $D_{L,r}$ 'behaves like' a continuous Gaussian distribution. For instance, for $r \ge \eta_\varepsilon(L)$, vectors chosen from $D_{L,r}$ have norm roughly $r\sqrt{n}$ with high probability. In contrast, for sufficiently small $r$, $D_{L,r}$ gives almost all its mass to the origin 0. Although not required for this

Figure 2: $D_{L,2}$ (left) and $D_{L,1}$ (right) for a two-dimensional lattice $L$. The $z$-axis represents probability.

Let $\al

pha, p, n$ be such that $\alpha p > 2\sqrt{n}$, as required in Theorem 1.1, and assume we have an oracle that solves $\mathrm{LWE}_{p,\bar\Psi_\alpha}$. For concreteness, we can think of $p = n^2$ and $\alpha = 1/n$. Our goal is to show how to solve the two lattice problems mentioned in Theorem 1.1. As we prove in Subsection 3.3 using standard reductions, it suffices to solve the following discrete Gaussian sampling problem (DGS): Given an $n$-dimensional lattice $L$ and a number $r \ge \sqrt{2n} \cdot \eta_\varepsilon(L)/\alpha$, output a sample from $D_{L,r}$. Intuitively, the connection to GapSVP and SIVP comes from the fact that by taking $r$ close to its lower limit $\sqrt{2n} \cdot \eta_\varepsilon(L)/\alpha$, we can obtain short lattice vectors (of length roughly $\sqrt{n}\,r$). In the rest of this subsection we describe our algorithm for sampling from $D_{L,r}$. We note that the exact lower bound on $r$ is not that important for purposes of this overview, as it only affects the approximation factor we obtain for GapSVP and SIVP. It suffices to keep in mind that our goal is to sample from $D_{L,r}$ for $r$ that is rather small, say within a polynomial factor of $\eta_\varepsilon(L)$.

The core of the algorithm is the following procedure, which we call the 'iterative step'. Its input consists of a number $r$ (which is guaranteed to be not too small, namely, greater than $\sqrt{2}\,p\,\eta_\varepsilon(L)$), and $n^c$ samples from $D_{L,r}$ where $c$ is some constant. Its output is a sample from the distribution $D_{L,r'}$ for $r' = r\sqrt{n}/(\alpha p)$. Notice that since $\alpha p > 2\sqrt{n}$, $r' < r/2$. In order to perform this 'magic' of converting vectors of norm $\sqrt{n}\,r$ into shorter vectors of norm $\sqrt{n}\,r'$, the procedure of course needs to use the LWE oracle.

Given the iterative step, the algorithm for solving DGS works as follows. Let $r_i$ denote $r \cdot (\alpha p/\sqrt{n})^i$. The algorithm starts by producing $n^c$ samples from $D_{L,r_{3n}}$. Because $r_{3n}$ is so large, such samples can be computed efficiently by a simple procedure described in Lemma 3.2. Next comes the core of the algorithm: for $i = 3n, 3n-1, \ldots, 1$ the algorithm uses its $n^c$ samples from $D_{L,r_i}$ to produce $n^c$ samples from $D_{L,r_{i-1}}$ by calling the iterative step $n^c$ times. Eventually, we end up with $n^c$ samples from $D_{L,r_0} = D_{L,r}$ and we complete the algorithm by simply outputting the first of those. Note the following crucial fact: using $n^c$ samples from $D_{L,r_i}$, we are able to generate the same number of samples $n^c$ from $D_{L,r_{i-1}}$ (in fact, we could even generate more than $n^c$ samples). The algorithm would not work if we could only generate, say, $n^c/2$ samples, as this would require us to start with an exponential number of samples.

We now finally get to describe the iterative step. Recall that as input we have $n^c$ samples from $D_{L,r}$ and we are supposed to generate a sample from $D_{L,r'}$ where $r' = r\sqrt{n}/(\alpha p)$. Moreover, $r$ is known and guaranteed to be at least $\sqrt{2}\,p\,\eta_\varepsilon(L)$, which can be shown to imply that $p/r < \lambda_1(L^*)/2$. As mentioned above, the exact lower bound on $r$ does not matter much for this overview; it suffices to keep in mind that $r$ is sufficiently larger than $\eta_\varepsilon(L)$, and that $1/r$ is sufficiently smaller than $\lambda_1(L^*)$. The iterative step is obtained by combining two parts (see Figure 3). In the first part, we construct a classical algorithm that
uses the given samples and the LWE oracle to solve the following closest vector problem,which we denote by CVP L∗,αp/r:given any point x∈R n within distanceαp/r of the dual lattice L∗,output the closest vector in L∗to x.2By our assumption on r,the distance between any two points in L∗is greater than2αp/r and hence the closest vector is unique.In the second part,we use this algorithm to generate samples from D L,r .This part is quantum(and in fact,the only quantum part of our proof). The idea here is to use the CVP L∗,αp/r algorithm to generate a certain quantum superposition which,after applying the quantum Fourier transform and performing a measurement,provides us with a sample from D L,r√n/(αp).In the following,we describe each of the two parts in more detail.Figure3:Two iterations of the algorithmPart1:We start by recalling the main idea in[1].Consider some probability distribution D on some lattice L and consider its Fourier transform f:R n→C,defined asf(x)=y∈L D(y)exp(2πi x,y )=Expy∼D[exp(2πi x,y )]where in the second equality we simply rewrite the sum as an expectation.By definition,f is L∗-periodic, i.e.,f(x)=f(x+y)for any x∈R n and y∈L∗.In[1]it was shown that given a polynomial number of samples from D,one can compute an approximation of f to within±1/poly(n).To see this,note that by the Chernoff-Hoeffding bound,if y1,...,y N are N=poly(n)independent samples from D,thenf(x)≈1NNj=1exp(2πi x,y j )where the approximation is to within±1/poly(n)and holds with probability exponentially close to1, assuming that N is a large enough polynomial.By applying this idea to the samples from D L,r given to us as input,we obtain a good approximation of the Fourier transform of D L,r,which we denote by f1/r.It can be shown that since1/r λ1(L∗)one hasthe approximationf1/r(x)≈exp−π(r·dist(L∗,x))2(1)2In fact,we only solve CVPL∗,αp/(√2r)but for simplicity we ignore the factor√2here.(see Figure 4).Hence,f 1/r (x )≈1for any x ∈L ∗(in fact an equality holds)and as one gets away 
from L ∗,its value decreases.For points within distance,say,1/r from the lattice,its value is still some positive constant (roughly exp (−π)).As the distance from L ∗increases,the value of the function soon becomes negligible.Since the distance between any two vectors in L ∗is at least λ1(L ∗) 1/r ,the Gaussians around each point of L ∗are well-separated.Figure 4:f 1/r for a two-dimensional latticeAlthough not needed in this paper,let us briefly outline how one can solve CVP L ∗,1/r using samples from D L,r .Assume that we are given some point x within distance 1/r of L ∗.Intuitively,this x is located on one of the Gaussians of f 1/r .By repeatedly computing an approximation of f 1/r using the samples from D L,r as described above,we ‘walk uphill’on f 1/r in an attempt to find its ‘peak’.This peak corresponds to the closest lattice point to x .Actually,the procedure as described here does not quite work:due to the error in our approximation of f 1/r ,we cannot find the closest lattice point exactly.It is possible to overcome this difficulty;see [25]for the details.The same procedure actually works for slightly longer distances,namely O (√log n/r ),but beyond that distance the value of f 1/r becomes negligible and no useful information can be extracted from our approximation of it.Unfortunately,solving CVP L ∗,1/r is not useful for the iterative step as it would lead to samples from D L,r √n ,which is a wider rather than a narrower distribution than the one we started with.This is not surprising,since our solution to CVP L ∗,1/r did not use the LWE ing the LWE oracle,we will now show that we can gain an extra αp factor in the radius,and obtain the desired CVP L ∗,αp/r algorithm.Notice that if we could somehow obtain samples from D L,r/p we would be done:using the procedure described above,we could solve CVP L ∗,p/r ,which is better than what we need.Unfortunately,it is not clear how to obtain such samples,even with the help of the LWE oracle.Nevertheless,here is an 
obvious way to obtain something similar to samples from D L,r/p :just take the given samples from D L,r and divide them by p .This provides us with samples from D L/p,r/p where L/p is the lattice L scaled down by a factor of p .In the following we will show how to use these samples to solve CVP L ∗,αp/r .Let us first try to understand what the distribution D L/p,r/p looks like.Notice that the lattice L/p consists of p n translates of the original lattice L .Namely,for each a ∈Z n p ,consider the setL +L a /p ={L b /p |b ∈Z n ,b mod p =a }.Then {L +L a /p |a ∈Z n p }forms a partition of L/p .Moreover,it can be shown that since r/p is larger。
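The Chernoff-Hoeffding estimate of f_{1/r} from Part 1, carried out on the toy lattice L = Z² (so L* = Z² and λ_1(L*) = 1) and compared against Eq. (1). This is an added example, not code from the paper; the lattice, widths r, evaluation points and sample count are constructed here, and it also shows the caveat behind Eq. (1): when 1/r is not well below λ_1(L*), the Gaussians overlap and the approximation undershoots.

```python
import cmath
import math
import random

# Added example, not from the paper: estimate the Fourier transform f_{1/r}
# of D_{L,r} from samples, for the constructed lattice L = Z^2 (L* = Z^2,
# lambda_1(L*) = 1), and compare with Eq. (1),
# f_{1/r}(x) ~ exp(-pi (r * dist(L*, x))^2), which assumes 1/r << lambda_1(L*).

def sample_d_zn(n, r, count, rng, cutoff=12.0):
    """count samples from D_{Z^n, r}.  Each coordinate is an independent
    D_{Z, r} sample with Pr[y] proportional to exp(-pi (y/r)^2); the mass
    beyond cutoff*r is negligible, so a finite weight table suffices."""
    bound = int(math.ceil(cutoff * r))
    support = list(range(-bound, bound + 1))
    weights = [math.exp(-math.pi * (y / r) ** 2) for y in support]
    flat = rng.choices(support, weights, k=n * count)
    return [tuple(flat[k:k + n]) for k in range(0, n * count, n)]

def fourier_estimate(samples, x):
    """(1/N) * sum_j exp(2 pi i <x, y_j>): the empirical Fourier transform
    from Part 1, accurate to about 1/sqrt(N) by Chernoff-Hoeffding."""
    total = sum(cmath.exp(2j * math.pi * sum(a * b for a, b in zip(x, y)))
                for y in samples)
    return total / len(samples)

def eq1_approx(x, r):
    """Right-hand side of Eq. (1) for L* = Z^n: dist(Z^n, x) is attained by
    rounding each coordinate to the nearest integer."""
    dist2 = sum((a - round(a)) ** 2 for a in x)
    return math.exp(-math.pi * (r * r) * dist2)

def compare(x, r, n=2, count=20000, seed=1):
    """Return (Re estimate, Im estimate, Eq. (1) value) at x for width r."""
    rng = random.Random(seed)          # fixed seed: deterministic sample set
    samples = sample_d_zn(n, r, count, rng)
    est = fourier_estimate(samples, x)
    return est.real, est.imag, eq1_approx(x, r)

if __name__ == "__main__":
    # r = 4: 1/r is well below lambda_1(Z^2) = 1, so Eq. (1) is accurate.
    print(compare((0.2, 0.0), 4.0))
    # r = 1: 1/r equals lambda_1, the Gaussians around neighbouring lattice
    # points overlap, and Eq. (1) undershoots the true value at their midpoint.
    print(compare((0.5, 0.0), 1.0))
```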


A New Algorithm for Solving the Word Problem in Braid Groups

D. Garber, S. Kaplan, M. Teicher¹
Department of Mathematics and Computer Sciences, Bar-Ilan University, Ramat-Gan, Israel 52900
{garber,kaplansh,teicher}@macs.biu.ac.il

June 13, 2006

Proposed running head: Algorithm for Braid Word Problem
Author for proof: Shmuel Kaplan, Department of Mathematics and Computer Sciences, Bar Ilan University, Ramat-Gan, Israel, Zip 52900

Abstract

One of the most interesting questions about a group is if its word problem can be solved and how. The word problem in the braid group is of particular interest to topologists, algebraists and geometers, and is the target of intensive current research. We look at the braid group from a topological point of view (rather than a geometrical one). The braid group is defined by the action of diffeomorphisms on the fundamental group of a punctured disk. We exploit the topological definition of the braid group in order to give a new approach for solving its word problem. Our algorithm is faster, in comparison with known algorithms, for short braid words with respect to the number of generators combining the braid, and it is almost independent of the number of strings in the braids. Moreover, the algorithm is based on a new computer presentation of the elements of the fundamental group of a punctured disk. This presentation can be used also for other algorithms.

¹ Partially supported by the Emmy Noether Research Institute for Mathematics, Bar-Ilan University and the Minerva Foundation, Germany, and by the Excellency Center "Group theoretic methods in the study of algebraic varieties" of the National Science Foundation of Israel.

Key Words: Fundamental group, Braid group, Word problem, Algorithm
AMS subject classification (1991): Primary: 14Q05; Secondary: 32S30, 32S40

Introduction

Let D be a closed disk, and K = {k_1, ..., k_n} be n points in D. Let B be the group of all diffeomorphisms β of D such that β(K) = K, β|_∂D = Id|_∂D. The braid group is derived from B by identifying two elements if their actions on π_1(D \ K, u) are equal. To simplify the algorithm, we choose a geometric base of π_1(D \ K, u), and we look at the action of β ∈ B on the elements of this geometrical base. Thus, in order to determine if two words in the braid group are identical, we check whether their actions on the different elements of the chosen geometrical base are identical. Accordingly, to make this checking procedure efficient, we produced a new computerized presentation, and two new algorithms:
1. A presentation of the geometrical base of π_1(D \ K, u).
2. An algorithm to compute the action.
3. An algorithm for reducing the presentation into a unique form.
The composition of these components holds the solution for the word problem in the braid group.

In section 1 we will give a short presentation of the fundamental group, algebraic and topological definitions of the braid group, and finally we will present the word problem in the braid group and some of the known solutions for it (Garside [6], Dehornoy [3], Birman, Ko and Lee [2]). In section 2, we will present our algorithms. Section 3 will be dedicated to the proof of the correctness of the algorithms. Section 4 will deal with some aspects of their complexity. Finally, in section 5 we give conclusions, future applications of the new presentation, and further plans.

1 Braid group and preliminaries

In this section, we will recall some definitions that we will use in the sequel. Some of them will concern the fundamental group, others will describe Artin's braid group.
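The criterion stated in the introduction, two braid words are equal exactly when their actions on a free base of π_1(D \ K, u) coincide, as an added example that is not part of the paper. It uses Artin's classical formulas for the action of σ_i on free generators x_1, ..., x_n (an assumption of this example; the paper instead encodes the g-base as a (point, position) list, presented in Section 2), together with free reduction in place of the paper's Reduce step.

```python
# Added example, not from the paper: the word problem decided by comparing the
# action of two braid words on the free base x_1..x_n of pi_1(D \ K, u).
# Artin's action (assumed here, not the paper's list encoding):
#   sigma_i:  x_i -> x_i x_{i+1} x_i^-1,  x_{i+1} -> x_i,  others fixed.
# It is faithful, so equal images of the base mean equal braids.
#
# A free-group word is a list of (generator, exponent) pairs, exponent in {1, -1}.

def free_reduce(word):
    """Cancel adjacent x x^-1 pairs; the result is the unique reduced form."""
    out = []
    for g, e in word:
        if out and out[-1] == (g, -e):
            out.pop()
        else:
            out.append((g, e))
    return out

def invert(word):
    """Inverse of a word: reverse the letters and flip every exponent."""
    return [(g, -e) for g, e in reversed(word)]

def substitute(images, word):
    """Apply the automorphism given by generator images to a word."""
    result = []
    for g, e in word:
        result.extend(images[g] if e == 1 else invert(images[g]))
    return free_reduce(result)

def sigma_images(i, e, n):
    """Images of x_1..x_n under sigma_i (e = 1) or its inverse (e = -1)."""
    imgs = {j: [(j, 1)] for j in range(1, n + 1)}
    if e == 1:
        imgs[i] = [(i, 1), (i + 1, 1), (i, -1)]
        imgs[i + 1] = [(i, 1)]
    else:
        imgs[i] = [(i + 1, 1)]
        imgs[i + 1] = [(i + 1, -1), (i, 1), (i + 1, 1)]
    return imgs

def act(word, n):
    """Images of the standard free base after the letters of a braid word
    (a list of (i, e) pairs) have acted, one letter after another."""
    images = {j: [(j, 1)] for j in range(1, n + 1)}
    for i, e in word:
        step = sigma_images(i, e, n)
        images = {j: substitute(images, step[j]) for j in range(1, n + 1)}
    return images

def same_braid(w1, w2, n):
    """Word problem in B_n: w1 = w2 iff their actions on the base coincide."""
    return act(w1, n) == act(w2, n)

if __name__ == "__main__":
    # constructed sample words: the braid relation holds, commuting
    # sigma_1 and sigma_2 does not
    print(same_braid([(1, 1), (2, 1), (1, 1)], [(2, 1), (1, 1), (2, 1)], 3))
    print(same_braid([(1, 1), (2, 1)], [(2, 1), (1, 1)], 3))
```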
We will give two equivalent definitions of the braid group. The first definition is Artin's definition [1], and the second is based on the group of diffeomorphisms of the punctured disk. The latter will give us the tools needed for solving the word problem, which will be presented at the end of this section.

1.1 The fundamental group

D is a closed oriented unit disk in R², K = {k_1, ..., k_n} ⊂ D is a finite set of points, and u ∈ ∂D. We look at the fundamental group of D \ K denoted by π_1(D \ K, u). It is known that the fundamental group of a punctured disk with n holes is a free group on n generators.

Let q be a simple path connecting u with one of the k_i, say k_{i_0}, such that q does not meet any other point k_j where j ≠ i_0. To q we will assign a loop l(q) (which is an element of π_1(D \ K, u)) as follows:

Definition 1.1 (l(q)) Let c be a simple loop equal to the (oriented) boundary of a small neighborhood V of k_{i_0} chosen such that q′ = q \ (V ∩ q) is a simple path. Then l(q) = q′ ∪ c ∪ q′^{−1}. We will use the same notation for the element of π_1(D \ K, u) corresponding to l(q).

Definition 1.2 Let (T_1, ..., T_n) be an ordered set of simple paths in D which connect the k_i's with u such that:
1. T_i ∩ k_j = ∅ if i ≠ j for all i, j = 1, ..., n.
2. ∩_{i=1}^{n} T_i = {u}.
3. for a small circle c(u) around u, each u′ order in (u′′′
We say that two such sets (T_1, ..., T_n) and (T_1′, ..., T_n′) are equivalent if l(T_i) = l(T_i′) in π_1(D \ K, u) for all i = 1, ..., n. An equivalence class of such sets is called a bush in D \ K.

Definition 1.3 A g-base (geometrical base) of π_1(D \ K, u) is an ordered free base of π_1(D \ K, u) which has the form (l(T_1), ..., l(T_n)), where (T_1, ..., T_n) is a bush in D \ K.

For convenience, we choose D to be the unit disk and the set {k_1, ..., k_n} on the x-axis ordered from left to right and u = (0, −1) and hence u ∈ ∂D. We would like to point out a particular g-base which will be used in the paper.
Choose T_i to be the straight line connecting u with k_i, then we call (l(T_1), ..., l(T_n)) the standard g-base of π_1(D \ K, u) and it is shown in the following figure:

Figure 1: The standard g-base

1.2 Artin's braid group

In this subsection, we will give two equivalent definitions for the braid group. The first is algebraic and the second is topological, which will be used to present our algorithms in this paper.

1.2.1 The algebraic definition for the braid group

Here we will lay out Artin's definition [1] as used in most cases.

Definition 1.4 Artin's braid group B_n is the group generated by {σ_1, ..., σ_{n−1}} submitted to the relations
1. σ_i σ_j = σ_j σ_i where |i − j| ≥ 2
2. σ_i σ_{i+1} σ_i = σ_{i+1} σ_i σ_{i+1} for all i = 1, ..., n − 2

One can look at this as a geometrical definition, since it can be interpreted as the set of ties of n strings going from top to bottom. This is done by assigning a positive switch between any adjacent pair of strings to one of the generators. This means that σ_i corresponds to the geometrical element described in the following figure:

Figure 2: The geometrical braid associated with σ_i

The operation for this group can be described as the concatenation of two geometrical sets of strings resulting in what is called a braid.

Example 1.5 The geometrical braid that corresponds to σ_1 σ_2^{−1} σ_1 σ_3 is presented in the following figure:

Figure 3: The geometrical braid σ_1 σ_2^{−1} σ_1 σ_3

1.2.2 The topological definition for the braid group

Let D, K, u be as above.

Definition 1.6 Let B be the group of all diffeomorphisms β of D such that β(K) = K, β|_∂D = Id|_∂D. For β_1, β_2 ∈ B we say that β_1 is equivalent to β_2 if β_1 and β_2 induce the same automorphism of π_1(D \ K, u). The quotient of B by this equivalence relation is called the braid group B_n[D, K] (n = #K). The elements of B_n[D, K] are called braids.

Remark 1.7 For the canonical homomorphism ψ: B → Aut(π_1(D \ K, u)), we actually have B_n[D, K] ≅ Im(ψ).

We recall two facts from [9] [section III].
1. If K′ ⊂ D′, where D′ is another disk, and #K = #K′, then B_n[D, K] ≅ B_n[D′, K′].
2. Any braid β ∈ B_n[D, K] transforms a g-base to a g-base. Moreover, for every two g-bases, there exists a unique braid which transforms one g-base to another.

We distinguish some elements in B_n[D, K] called half-twists. Let a, b ∈ K be two points. We denote K_{a,b} = K \ {a, b}. Let σ be a simple path in D \ (∂D ∪ K_{a,b}) connecting a with b. Choose a small regular neighborhood U of σ and an orientation preserving diffeomorphism f: R² → C such that f(σ) = [−1, 1], f(U) = {z ∈ C | |z| < 2}. Let α(x), 0 ≤ x, be a real smooth monotone function such that:

α(x) = 1 for 0 ≤ x ≤ 3/2, and α(x) = 0 for 2 ≤ x.

Define a diffeomorphism h: C → C as follows: for z = r e^{iϕ} ∈ C let h(z) = r e^{i(ϕ + α(r)π)}. For the set {z ∈ C | 2 ≤ |z|}, h(z) = Id, and for the set {z ∈ C | |z| ≤ 3/2}, h(z) is a rotation by 180° in the positive direction.

The diffeomorphism h defined above induces an automorphism on π_1(D \ K, u), that switches the position of two generators of π_1(D \ K, u), as can be seen in the figure:

Figure 4: The action of the diffeomorphism h

Considering (f ∘ h ∘ f^{−1})|_D (we will compose from left to right), we get a diffeomorphism of D which switches a and b and is the identity on D \ U. Thus it defines an element of B_n[D, K].

Definition 1.8 Let H(σ) be the braid defined by (f ∘ h ∘ f^{−1})|_D. We call H(σ) the positive half-twist defined by σ.

The half-twists generate B_n. In fact, one can choose n − 1 half-twists that generate B_n (see below):

Definition 1.9 Let K = {k_1, ..., k_n}, and σ_1, ..., σ_{n−1} be a system of simple paths in D \ ∂D such that each σ_i connects k_i with k_{i+1} and for all i, j ∈ {1, ..., n − 1}, i < j,
σ_i ∩ σ_j = ∅ if 2 ≤ |i − j|,
σ_i ∩ σ_{i+1} = {k_{i+1}} for i = 1, ..., n − 2.
Let H_i = H(σ_i). The ordered system of (positive) half-twists (H_1, ..., H_{n−1}) is called a frame of B_n[D, K].

Theorem 1.10 If (H_1, ..., H_{n−1}) is a frame of B_n[D, K], then B_n[D, K] is generated by {H_i}_{i=1}^{n−1}. Moreover, if (H_1, ..., H_{n−1}) is a frame of B_n[D, K], then the set {H_i}_{i=1}^{n−1} with the two relations H_i H_j = H_j H_i if 2 ≤ |i − j| and H_i H_{i+1} H_i = H_{i+1} H_i H_{i+1} for any i = 1, ..., n − 2 is sufficient to present B_n[D, K], and therefore this definition and Artin's definition for the braid group are equivalent.
Proof: See [9].

As the standard frame we will use the frame whose paths are the straight segments connecting the point k_i to k_{i+1}, i = 1, ..., n − 1.

1.2.3 The word problem

First we define what is called a braid word.

Definition 1.11 Let b ∈ B_n be a braid. Then it is clear that b = σ_{i_1}^{e_1} · ... · σ_{i_l}^{e_l} for some sequence of generators, where i_1, ..., i_l ∈ {1, ..., n − 1} and e_1, ..., e_l ∈ {1, −1}. We will call such a presentation of b a braid word, and σ_{i_k}^{e_k} will be called the k-th letter of the word b. l is the length of the braid word.

We will distinguish between two relations on the braid words.

Definition 1.12 Let w_1 and w_2 be two braid words. We will say that w_1 = w_2 if they represent the same element of the braid group.

Definition 1.13 Let w_1 and w_2 be two braid words. We will say that w_1 ≡ w_2 if w_1 and w_2 are identical letter by letter.

Now, we can introduce the word problem: Given two braid words w_1 and w_2, decide whether w_1 = w_2 or not.

1.3 Two known algorithms for the word problem

There are several known algorithms for solving the word problem for the braid group. In this section, we will summarize some of them. The complexity of different algorithms varies, but to our knowledge, the best known solution is of complexity O(l²), where l is the length of the longer braid word.

1.3.1 Garside's solution

Garside [6] gave a solution for the braid word problem in 1969. His solution is based on the definition of positive words, which contain only generators with positive power. Then, he stated that the fundamental word of the braid group ∆_n has a property that enables one to replace all the generators with a negative power.
This can be done simply by noticing the fact that for any i, there exists a positive braid word w_i for which σ_i^{−1} = ∆_n^{−1} w_i. Another property of ∆_n is that for any i we have σ_i ∆_n = ∆_n σ_{n−i}. This gives a method for writing a given braid word w in the form w = w_1 w_2, where w_1 = ∆_n^r, r ≤ 0, is a negative braid word and w_2 is a positive braid word. Now, one can write w_2 = ∆_n^q w_3, where q is maximal. By doing this, one can increase r, resulting in the minimal way of writing w = ∆_n^{r+q} w_3. By organizing w_3 in a lexicographic order, we obtain what is called Garside's normal form of the braid word w. Garside proved that two braid words w and w′ are equal if and only if their normal forms are the same.

There are some implementations for solving the braid word problem using this solution, and variations of it, as can be found, for example, in [5], [8], [2] and [7]. For achieving the best complexity by this method, one has to expand the size of the set of generators of the braid group, resulting in the complexity of O(l²) where l is the length of the longer of the two braid words.

1.3.2 Dehornoy's solution

Dehornoy ([3], [4]) used a different approach for solving the problem. His approach is based on the definition of a σ-reduced braid word, which is a braid word in which, for any integer i, any occurrence of the letter σ_i is separated from any occurrence of the letter σ_i^{−1} by at least one occurrence of a letter σ_j^{±1} with j < i. Dehornoy presented an algorithm for transforming any braid word to its reduced form. He proved that the reduced form of a braid word w is Id (i.e. the null braid word) if and only if w is the identity word. This gives a simple way of checking whether two braid words w and w′ are equal, simply by writing w″ = w(w′)^{−1} and reducing w″. If the reduced form of w″ is Id, it means that w = w′.

The reduction process is actually a type of unknotting process that unties the twisted strings in a braid, by adding proper sequences and transforming locally twisted strings into an untwisted state, as shown in the following figure:

Figure 5: Unknotting process in Dehornoy's algorithm

Dehornoy conjectured that the complexity of his algorithm is bounded by O(l²), where l is the length of the longer braid word.

In the next section we will present our algorithm, which is based on a completely different approach.

2 The presentation of the new algorithm for solving the word problem

The algorithm that we are going to present in order to solve the word problem in the braid group is based on the interplay between its two definitions. We will fix the standard frame and the standard g-base that will be used as a starting position. We associate the generator σ_i to the half-twist H_i in the standard frame for every i = 1, ..., n − 1. By using our two algorithms and encoding the g-bases in a unique way, and by using an algorithmic way to explore the changes that happen to the standard g-base while the braid word acts on it, we produce a practical algorithm for the word problem. Mathematically, we compare two braid words by taking one braid word and computing the result of its action on the standard g-base of the fundamental group. Then, we take the other braid word and compute the same result. The two braid words are equal if and only if the two resulting g-bases are identical.

2.1 The computerized implementation of the g-base

In this subsection, we will describe the way we encode the g-base. It involves some conventions. Recall that D is the closed unit disk, the point u is the point (0, −1) and the points in K are on the x-axis. In order to encode a path in D which is an element of the g-base, we will distinguish some positions in D.

Notation 2.1 We will denote by (i, 1) a point close to k_i but above it, (i, −1) a point close to k_i but below it, and (i, 0) the point k_i itself. We will also denote the point u by (−1, 0) (which is not its position in D, rather only a notation).

To represent a path in D, we will use a linked list whose links are based on the notations above, which represents the position of the path in relation to the
points u and k_i, i = 1, ..., n. Each link of the list holds the two numbers as described above. We will call them (point, position).

Example 2.2 The list (1,0) → (2,1) → (3,1) → (4,−1) → (5,0) represents the following path:

Figure 6

As a rule, we will never connect the point u to any point (i, −1). This is done in order to obtain a unique way of representation, and to make the automatic computation of the twists easier.

We will be able to tell whether a path (−1,0) → (i,1) is passing to the left or to the right of the point i simply by checking its continuation. If the path is turning to the left, (−1,0) → (i,1) → (i−1,e), then it is passing to the right of the point i, and if the path is turning to the right, (−1,0) → (i,1) → (i+1,e), then it is passing to the left of the point i (where e ∈ {−1, 1, 0}).

Example 2.3 The list (−1,0) → (3,1) → (2,0) represents the following path:

Figure 7

The list (−1,0) → (2,1) → (3,1) → (3,−1) → (2,0) represents the following path:

Figure 8

In order to unify our treatment of all the paths of the g-base, we will concatenate all of them into one list, which means that after we arrive at the end of one path (i.e. a link (i,0)), the following link will be (−1,0), marking the beginning of the next path. For convenience, and not for mathematical reasons, we add the link (−1,0) at the end of the list.

Example 2.4 The list (−1,0) → (1,1) → (2,0) → (−1,0) → (1,0) → (−1,0) → (4,0) → (−1,0) → (4,1) → (3,0) → (−1,0) represents the g-base in the following figure (the small circles around the points are omitted):

Figure 9: The g-base represented by the list

2.2 The algorithm

Now, we are ready to present the algorithm:

Algorithm 2.5 ProcessWord(w)
input: w - a braid word.
output: a list which represents the g-base resulting after the action of the word's letters on the standard g-base.
ProcessWord(w)
  g ← list that represents the standard g-base.
  For every letter σ_i in w do
    1. act on g using σ_i by applying the (Positive/Negative)HalfTwist(σ_i, g) function.
    2. reduce g to its unique form using the Reduce(g) function.
  return g.

Now, we will present the PositiveHalfTwist(σ_i, g) function.

Algorithm 2.6 PositiveHalfTwist(σ_i, g)
input: σ_i - the generator of the braid group acting on the g-base. g - the list representing the g-base.
output: a list representing the g-base after the action of σ_i on g.

PositiveHalfTwist(σ_i, g)
  for each sequence of links in g of the type (i, e) or (i+1, e) (e ∈ {−1, 1, 0}) do
    BeforeSection ← the link just before the first link in the sequence
    AfterSection ← the link after the last link in the sequence
    FirstLink ← the first link in the sequence
    SecondLink ← the second link in the sequence
    if BeforeSection = (−1, 0) then
      act upon one of the following cases:
      if FirstLink.Point = i and FirstLink.Position = 0 then
        add the link (i−1, −1) after BeforeSection
        BeforeSection ← the new link
      if FirstLink.Point = i+1 and FirstLink.Position = 0 then
        add the link (i+2, −1) after BeforeSection
        BeforeSection ← the new link
      if FirstLink.Point = i and SecondLink.Point = i+1 then
        add the link (i−1, −1) after BeforeSection
        BeforeSection ← the new link
      if FirstLink.Point = i and SecondLink.Point = i−1 then
        add the links (i−1, −1) → (i, −1) after BeforeSection
        BeforeSection ← the first new link
      if FirstLink.Point = i+1 and SecondLink.Point = i+2 then
        add the links (i+2, −1) → (i+1, −1) after BeforeSection
        BeforeSection ← the first new link
      if FirstLink.Point = i+1 and SecondLink.Point = i then
        add the link (i+2, −1) after BeforeSection
        BeforeSection ← the new link
    for any link L between BeforeSection and AfterSection do
      L.Position ← −L.Position
      L.Point ← 2i + 1 − L.Point
    (prefix, connecting the twisted section to the link before it)
    if BeforeSection.Point = i−1 then
      add the links (i, −1) → (i+1, −1) after BeforeSection
    else
      add the links (i+1, 1) → (i, 1) after BeforeSection
    (postfix, connecting the twisted section to the link after it)
    if AfterSection.Point = i−1 then
      add the links (i+1, −1) → (i, −1) before AfterSection
    else
      add the links (i, 1) → (i+1, 1) before AfterSection

In order to obtain the NegativeHalfTwist(σ_i, g) function, one has to use
the PositiveHalfTwist(σ_i, g) function while replacing the last two 'if statements' with the following:
    if BeforeSection.Point = i−1 then
      add the links (i, 1) → (i+1, 1) after BeforeSection
    else
      add the links (i+1, −1) → (i, −1) after BeforeSection
    if AfterSection.Point = i−1 then
      add the links (i+1, 1) → (i, 1) before AfterSection
    else
      add the links (i, −1) → (i+1, −1) before AfterSection

Now, we will present the algorithm for the function Reduce(g). This function reduces the list that represents the g-base to a unique form without changing its homotopy type. This is done by applying several reduction rules that are induced from homotopic equivalences. The full proof of the validity of the rules will be given in the next section.

Algorithm 2.7 Reduce(g)
input: g - a list representing a g-base.
output: a list which represents a g-base homotopic to g. Its representation is unique.

Reduce(g)
  for each link L in the list do
    FirstLink ← the link right after L
    SecondLink ← the link right after FirstLink
    if FirstLink = SecondLink then
      delete FirstLink and SecondLink from the list
    if FirstLink = (i, 1) or (i, −1), and SecondLink = (i, 0) then
      delete FirstLink from the list
    if FirstLink = (i, 0) then
      delete all links between FirstLink and the first appearance of (−1, 0)
    if FirstLink = (−1, 0) then
      delete all links of the type (i, −1) after it
    L ← the next or previous link as necessary

3 Verification of the new algorithm (correctness)

In this section, we will lay out the proof for the correctness of the two algorithms.

3.1 Correctness of the (Positive/Negative)HalfTwist(σ_i, g) algorithm

We will begin our proof of the correctness of the algorithm by proving that the algorithm works on parts of the paths that are not directly connected to u (i.e.
(−1,0) is not BeforeSection).

Proposition 3.1 Let σ_i be the generator acting on the g-base. Then any part of the path which does not contain the points i or i+1 is not affected by the twist.

Proof: Since the action of the twist is defined locally, any part of the path out of the twisted region (that contains only the points i and i+1) is not affected.

We need to check the behavior of the path locally in the twisted region. By local behavior we mean the behavior of the links of the type (i, e) or (i+1, e), where σ_i is the generator of the specified letter in the braid word, and e ∈ {−1, 1, 0}.

Proposition 3.2 Let σ_i be the generator acting on the g-base. The local behavior of the path is given by the following changes:
1. The link's position changes to −position.
2. The link's point changes from i to i+1 and vice versa.

Proof: From its definition, the actual local action of the braid is a rotation of 180°. Therefore, a part of the path of the g-base's element which was beneath a point before the rotation will now be above a point, and the part of the path that was above a point before the rotation will now be beneath a point. Hence, if the position was equal to −1 before the twist, it will be equal to 1 after the twist, and vice versa. Moreover, if the point in the path was equal to i, then the point in the path will be i+1 after the twist, and if the point in the path was equal to i+1, then the point in the path will be i after the twist.

After we have rotated the path locally, we will have to connect it to the global path. This should be done by adding proper prefix and postfix sequences before and after the part that has been twisted.

Proposition 3.3 Let σ_i be the positive half-twist acting on the g-base. Then, the prefix sequence we have to add is as follows:
1. (i, −1) → (i+1, −1) if the local section of the path is connected to a point to the left of the point i.
2. (i+1, 1) → (i, 1) if the local section of the path is connected to a point to the right of the point i+1.

Proof: If the point just before the local section of the path is to the
left of the twist, then the connecting path should be beneath the twisted region. On the contrary, if the point just before the local section is to the right of the twist, then the connecting path should be above the twisted region. So, all we need to add is the two links above the twisted region or beneath it as necessary, as shown in the following figure:

Figure 10: Prefix added after the twist

Proposition 3.4 Let σ_i be the positive half-twist acting on the g-base. Then, the postfix sequence we have to add is as follows:
1. (i+1, −1) → (i, −1) if the local section of the path is connected to a point to the left of the point i.
2. (i, 1) → (i+1, 1) if the local section of the path is connected to a point to the right of the point i+1.

Proof: The proof is similar to the proof of Proposition 3.3, see the following figure:

Figure 11: Postfix added after the twist

The local action of the braid generator σ_i^{−1} is computable in the same way as the action of the generator σ_i. The prefix and the postfix sequences that we have to add are not the same sequences, due to the direction of the twist. Therefore, we have the following proposition:

Proposition 3.5 Let σ_i be the negative half-twist acting on the g-base. Then, the prefix sequence we have to add is as follows:
1. (i, 1) → (i+1, 1) if the local section of the path is connected to a point to the left of the point i.
2. (i+1, −1) → (i, −1) if the local section of the path is connected to a point to the right of the point i+1.
The postfix sequence we have to add is as follows:
1. (i+1, 1) → (i, 1) if the local section of the path is connected to a point to the left of the point i.
2. (i, −1) → (i+1, −1) if the local section of the path is connected to a point to the right of the point i+1.

Now, we will consider the case where the link (−1, 0) is followed immediately by the local section of the path. In this case, we alter the path homotopically so that the link preceding the local section of the path will not be (−1, 0). By doing this, we reduce the problem to the one already proved by the above propositions; hence, we will be able to use the same algorithmic methods in these cases. We have 6 possible different cases:
1. If we have the sequence (−1,0) → (i,0), then we add a link just below the point to the left of the local section, which is (i−1, −1). As a result, this point is the one preceding the local section (see figure (a)).
2. If we have the sequence (−1,0) → (i+1,0), then we add a link just below the point to the right of the local section, which is (i+2, −1). As a result, this point is the one preceding the local section (see figure (b)).
3. If we have the sequence (−1,0) → (i,1) → (i+1,e) (e ∈ {−1,1,0}), then we add a link just below the point to the left of the local section, which is (i−1, −1). As a result, this point is the one preceding the local section (see figure (c)).
4. If we have the sequence (−1,0) → (i,1) → (i−1,e) (e ∈ {−1,1,0}), then we add two links. The first is just below the point to the left of the local section, which is (i−1, −1), and therefore will be the link preceding the local section sequence, and the second will be just below the point i, which is (i, −1) (see figure (d)).
5. If we have the sequence (−1,0) → (i+1,1) → (i+2,e) (e ∈ {−1,1,0}), then we add two links. The first is just below the point to the right of the local section, which is (i+2, −1), and therefore will be the link preceding the local section sequence, and the second will be just below the point i+1, which is (i+1, −1) (see figure (e)).
6. If we have the sequence (−1,0) → (i+1,1) → (i,e) (e ∈ {−1,1,0}), then we add a link just below the point to the right of the local section, which is (i+2, −1). As a result, this point is the one preceding the local section (see figure (f)).

Figure 12: Homotopical modifications of the elements of the g-base

This concludes the proof of the correctness of the PositiveHalfTwist(σ_i, g) and the NegativeHalfTwist(σ_i, g) functions. We still have to prove the correctness of the
Reduce(g)function,and that it does not change the homotopy type of the19e lements of the g-base.These proofs will make it possible to derive the uniqueness of the presentation.3.2Correctness of the Reduce(g)algorithmHere we will lay out the proof of the correctness of the Reduce(g)algorithm.We w ill prove that the algorithm does not change the homotopy type of the elements o f the g-base,and that it returns a list which represents the g-base in a unique f orm.P roposition3.6Let g be a list representing a g-base.Then,the list returned by the function Reduce(g)represents a g-base which is homotopically equivalent to g. Proof:The Reduce(g)algorithm is based on four reduction rules.We will present the rules and we will prove that each one of them preserves the homotopytype of g.1.If we have two consecutive equal links,we can omit them both.2.If we have a sequence of(i,±1)→(i,0),we can omit thefirst link.3.If we have links between(i,0)and(−1,0),we can omit them all.4.If we have a sequence that starts with(−1,0)and continues to(i,−1),wecan omit the latter link.Concerning thefirst rule,the meaning of the situation of two consecutive equal links,is that the path is moving above(or beneath)a point and immediately retracing back.Homotopically,this is equivalent to a point.Hence,we can omitthe two links.Concerning the second rule,the link(i,±1)represents a point which is directlya bove or below the point(i,0)and very close to it.Therefore,we result in a。
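The following Python program is an added example and not the paper's own code: it models the g-base as a flat list of links (point, position), implements the local rotation of Proposition 3.2 together with the prefix and postfix sequences of Propositions 3.3–3.5, the six homotopy modifications of Figure 12, and the four reduction rules of Proposition 3.6. Everything beyond the propositions is an assumption of this example: the names of the functions, the representation of the whole g-base as one list in which every element starts with (−1,0) and ends with (j,0), the choice to add no postfix when the local section ends an element (equivalent to applying rule 3 immediately), the use of the indices 0 and n+1 as phantom neighbours when a twist sits at the edge of the points (rule 4 removes the links placed below them), and the decision to reject a sequence after (−1,0) that is not one of the six listed cases.

```python
"""Added example (not the paper's code): a model of the g-base list of Section 3.
A g-base is one flat list of links (point, position): point is a puncture index
1..n or -1 for the base point; position is -1 (path passes beneath the point),
1 (above) or 0 (path ends at the point).  Each element starts with (-1, 0) and
ends with (j, 0).  The function names and the way the local section and its
neighbours are located are my reading of Propositions 3.1-3.6 (assumptions)."""

BASE = (-1, 0)  # the link that starts every element of the g-base


def move_off_base(g, i):
    """Figure 12: insert links so no local section of sigma_i directly follows (-1, 0)."""
    out = []
    for k, link in enumerate(g):
        out.append(link)
        if link != BASE or k + 1 >= len(g) or g[k + 1][0] not in (i, i + 1):
            continue
        nxt = g[k + 1]
        after = g[k + 2][0] if k + 2 < len(g) else None
        if nxt == (i, 0):                            # case 1
            out.append((i - 1, -1))
        elif nxt == (i + 1, 0):                      # case 2
            out.append((i + 2, -1))
        elif nxt == (i, 1) and after == i + 1:       # case 3
            out.append((i - 1, -1))
        elif nxt == (i, 1) and after == i - 1:       # case 4
            out += [(i - 1, -1), (i, -1)]
        elif nxt == (i + 1, 1) and after == i + 2:   # case 5
            out += [(i + 2, -1), (i + 1, -1)]
        elif nxt == (i + 1, 1) and after == i:       # case 6
            out.append((i + 2, -1))
        else:  # the paper lists only these six cases for a reduced list
            raise ValueError(f"unexpected links after base: {g[k + 1:k + 3]}")
    return out


def half_twist(g, i, positive=True):
    """Action of sigma_i (positive=True) or of its inverse on the g-base list."""
    g = move_off_base(g, i)
    # Prefix/postfix pairs of Propositions 3.3-3.5, keyed by whether the
    # neighbouring link lies to the left of point i (True) or right of i+1.
    if positive:
        pre = {True: [(i, -1), (i + 1, -1)], False: [(i + 1, 1), (i, 1)]}
        post = {True: [(i + 1, -1), (i, -1)], False: [(i, 1), (i + 1, 1)]}
    else:
        pre = {True: [(i, 1), (i + 1, 1)], False: [(i + 1, -1), (i, -1)]}
        post = {True: [(i + 1, 1), (i, 1)], False: [(i, -1), (i + 1, -1)]}
    out, k = [], 0
    while k < len(g):
        if g[k][0] not in (i, i + 1):
            out.append(g[k])
            k += 1
            continue
        start = k                      # maximal run of links at i or i+1
        while k < len(g) and g[k][0] in (i, i + 1):
            k += 1
        out += pre[g[start - 1][0] < i]
        # Proposition 3.2: rotate by 180 degrees, above <-> beneath, i <-> i+1
        out += [(i + 1 if p == i else i, -e) for p, e in g[start:k]]
        if k < len(g) and g[k] != BASE:  # no postfix at the end of an element
            out += post[g[k][0] < i]
    return out


def reduce_gbase(g):
    """Apply the four reduction rules of Proposition 3.6 until nothing changes."""
    while True:
        out, k = [], 0
        while k < len(g):
            cur = g[k]
            nxt = g[k + 1] if k + 1 < len(g) else None
            if nxt == cur:                                          # rule 1
                k += 2
                continue
            if nxt is not None and cur[1] != 0 and nxt == (cur[0], 0):
                k += 1                                              # rule 2
                continue
            out.append(cur)
            k += 1
            if cur[1] == 0 and cur != BASE:                         # rule 3
                while k < len(g) and g[k] != BASE:
                    k += 1
            elif cur == BASE and nxt is not None and nxt[1] == -1:  # rule 4
                k += 1
        if out == g:
            return out
        g = out


def standard_gbase(n):
    return [link for j in range(1, n + 1) for link in (BASE, (j, 0))]


def apply_word(n, word):
    """Act on the standard g-base with a braid word read left to right
    (k > 0 is sigma_k, k < 0 is its inverse), reducing after every letter."""
    g = standard_gbase(n)
    for k in word:
        g = reduce_gbase(half_twist(g, abs(k), positive=k > 0))
    return g
```

apply_word(n, word) returns the reduced list obtained from the standard g-base, so two braid words can be compared by comparing their lists once the uniqueness of the reduced form argued in Section 3.2 is accepted. On three points the words σ_1σ_2σ_1 and σ_2σ_1σ_2 produce the same list, and σ_2 followed by σ_2^{−1} returns the standard g-base, which is a useful sanity check of the prefix and postfix tables above.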
