improved cryptanalysis of the ajps mersenne based
play

Improved Cryptanalysis of the AJPS Mersenne Based Cryptosystem - PowerPoint PPT Presentation

Apr 17, 2023 •31 likes •341 views

Improved Cryptanalysis of the AJPS Mersenne Based Cryptosystem Jean-Sbastien Coron and Agnese Gini University of Luxembourg June 27, 2019 NutMiC 1 / 20 Timeline 2016 NIST calling for quantum-resistant cryptographic algorithms for new

  1. Improved Cryptanalysis of the AJPS Mersenne Based Cryptosystem Jean-Sébastien Coron and Agnese Gini University of Luxembourg June 27, 2019 NutMiC 1 / 20

  2. Timeline 2016 NIST calling for quantum-resistant cryptographic algorithms for new public-key crypto standards. 2017 Aggarwal, Joux, Prakash, Santha propose A new public-key cryptosystem via Mersenne numbers . 2017 Deadline submission to Round 1 NIST PQC "Competition": 69 accepted papers of 82, more than 40% lattice-based including Mersenne-756839 . 2019 Round 2 candidates announced: 26 selected, ∼ 46% lattice-based not including Mersenne-756839 . 2 / 20

  3. Ring+Small Noise p Z , where n is a prime and p = 2 n − 1 a ◮ Let R := Z � Mersenne prime. 3 / 20

  4. Ring+Small Noise p Z , where n is a prime and p = 2 n − 1 a ◮ Let R := Z � Mersenne prime. ◮ There is a bijection between integers mod p and strings of length n (up to 1 n ≃ 0 n ). 3 / 20

  5. Ring+Small Noise p Z , where n is a prime and p = 2 n − 1 a ◮ Let R := Z � Mersenne prime. ◮ There is a bijection between integers mod p and strings of length n (up to 1 n ≃ 0 n ). ◮ Reducing mod p preserves low Hamming weight strings. 3 / 20

  6. Ring+Small Noise p Z , where n is a prime and p = 2 n − 1 a ◮ Let R := Z � Mersenne prime. ◮ There is a bijection between integers mod p and strings of length n (up to 1 n ≃ 0 n ). ◮ Reducing mod p preserves low Hamming weight strings. 3 / 20

  7. Ring+Small Noise p Z , where n is a prime and p = 2 n − 1 a ◮ Let R := Z � Mersenne prime. ◮ There is a bijection between integers mod p and strings of length n (up to 1 n ≃ 0 n ). ◮ Reducing mod p preserves low Hamming weight strings. n = 7 , p = 2 7 − 1 2 19 + 2 ∈ Z 2 5 0 2 34 ∈ R 3 / 20

  8. Ring+Small Noise n = 31 , p = 2 31 − 1 · 2 4 4 ◮ HW (2 i · A ) = HW ( A ) 4 / 20

  9. Ring+Small Noise + 5 / 20

  10. Ring+Small Noise + = ◮ HW ( A + B ) ≤ HW ( A ) + HW ( B ) ◮ HW ( A · B ) ≤ HW ( A ) HW ( B ) ◮ HW ( − B ) = n − HW ( B ) 5 / 20

  11. AJPS-2 Setup n , p = 2 n − 1 prime, h = λ ∈ N , ( E , D ) error correcting code where E : { 0 , 1 } h → { 0 , 1 } n . - F, G ∈ R random such that HW ( F ) = HW ( G ) = h KeyGen - R ∈ R random pk = ( R, F · R + G ) = ( R, T ) and sk = F Encrypt Given m ∈ { 0 , 1 } h : - generate random A , B 1 , B 2 ∈ R such that HW ( A ) = HW ( B 1 ) = HW ( B 2 ) = h - ( C 1 , C 2 ) := ( A · R + B 1 , ( A · T + B 2 ) ⊕ E ( m )) Decrypt m = D (( F · C 1 ) ⊕ C 2 ) 6 / 20

  12. AJPS-2 Setup n , p = 2 n − 1 prime, h = λ ∈ N , ( E , D ) error correcting code where E : { 0 , 1 } h → { 0 , 1 } n . - F, G ∈ R random such that HW ( F ) = HW ( G ) = h KeyGen - R ∈ R random pk = ( R, F · R + G ) = ( R, T ) and sk = F Encrypt Given m ∈ { 0 , 1 } h : - generate random A , B 1 , B 2 ∈ R such that HW ( A ) = HW ( B 1 ) = HW ( B 2 ) = h - ( C 1 , C 2 ) := ( A · R + B 1 , ( A · T + B 2 ) ⊕ E ( m )) Decrypt m = D (( F · C 1 ) ⊕ C 2 ) Note: F · C 1 = A · F · R + F · B 1 = A · ( T − G ) + F · B 1 =( A · T + B 2 ) − A · G − B 2 + B 1 · F. 6 / 20

  13. Mersenne Low Hamming Combination Search Problem (MLHCSP) Let p = 2 n − 1 be an n -bit Mersenne prime, h be an integer, R be a uniformly random n -bit string and F, G having Hamming weight h . Given ( R, FR + G ) , find F, G . 7 / 20

  14. Mersenne Low Hamming Combination Search Problem (MLHCSP) Let p = 2 n − 1 be an n -bit Mersenne prime, h be an integer, R be a uniformly random n -bit string and F, G having Hamming weight h . Given ( R, FR + G ) , find F, G . F = 2 24 + 2 19 + 2 and G = 2 18 + 2 7 + 2 5 F G R = 2 30 +2 25 +2 23 +2 21 +2 19 +2 15 +2 13 +2 11 +2 10 +2 7 +2 6 +2 5 +2 3 +2 T = FR + G R T 7 / 20

  15. Weak-key Attack, Beunardeau et al. Considers the lattice L generated by the rows of the matrix and T = FR + G mod p = FR + G + Kp : � 1 � − R 0 p ◮ [0 , T ] − [ F, G ] = − F [1 , − R ] + K [0 , p ] ∈ L , ◮ if F, G < √ p ⇒ [0 , T ] is close to L , ◮ if F, G < √ p this is a Closest Vector Problem in a lattice of dimension 2. ◮ This enables to recover F and G . 8 / 20

  16. Weak-key Attack, Beunardeau et al. Considers the lattice L generated by the rows of the matrix and T = FR + G mod p = FR + G + Kp : � 1 � − R 0 p ◮ [0 , T ] − [ F, G ] = − F [1 , − R ] + K [0 , p ] ∈ L , ◮ if F, G < √ p ⇒ [0 , T ] is close to L , ◮ if F, G < √ p this is a Closest Vector Problem in a lattice of dimension 2. ◮ This enables to recover F and G .  2 n/ 2  0 T L ′ = 0 1 − R   0 0 p - It contains a vector of norm ≃ (vol L ′ ) 1 / 3 ≃ 2 n 2 , n n 2 , F, G ] � ≃ 2 - � [2 2 8 / 20

  17. n 2 is 2 − h . - HW ( F ) = h ⇒ the probability that F < 2 n 2 is 2 − h . - HW ( G ) = h ⇒ the probability that G < 2 F G We can recover the private key with probability 2 − 2 h . 9 / 20

  18. ◮ The previous attack is a weak key attack: recover sk from pk with probability 2 − 2 h over the public-keys. ◮ Beunardeau et al. showed that by using random partitions of the strings F and G , for any pk one can recover the secret F and G with complexity O (2 2 h ) . 10 / 20

  19. Our New Attack Assume that m = 0 and E ( m ) = 0 . C 1 = A · R + B 1 ❍❍ ✟ C 2 = A · T + B 2 + ✟✟ E ( m ) ❍ 11 / 20

  20. Our New Attack Assume that m = 0 and E ( m ) = 0 . C 1 = A · R + B 1 ❍❍ ✟ C 2 = A · T + B 2 + ✟✟ E ( m ) ❍ 2  3 n  2 0 C 1 C 2 0 1 − R − T     0 0 p 0   0 0 0 p 1 2 ◮ L contains vectors of norm ≃ (vol L ) 2 ≃ 2 3 n , ◮ s = [2 2 n/ 3 , A, B 1 , B 2 ] ∈ L , 3 n ⇒ � s � ≃ 2 2 2 ◮ if A, B 1 , B 2 < 2 3 n , 11 / 20

  21. � 2 3 n is 2 � h . ◮ HW ( A ) = h ⇒ the probability that A < 2 3 = A � 2 3 n is � h . 2 ◮ HW ( B 1 ) = h ⇒ the probability that B 1 < 2 3 � 2 3 n is 2 � h . ◮ HW ( B 2 ) = h ⇒ the probability that B 2 < 2 3 � 2 � 3 h . We can recover A, B 1 , B 2 with probability 3 12 / 20

  22. Small summary Beunardeau et al. weak-key attack: - It recovers the secret key, n 2 , - F, G < 2 - the probability is O (2 − 2 h ) Our attack: - It distinguishes between m = 0 and m � = 0 , 2 3 n , - A, B 1 , B 2 < 2 �� 2 � 3 h � ≃ O (2 − 1 . 75 h ) . - the probability is O 3 Using random partitions as in Beunardeau et al. , our attack complexity becomes O (2 1 . 75 h ) instead of O (2 2 h ) 13 / 20

  23. Case 1: 3 n and A = 2 23 > 2 2 2 3 n n = 31 , h = 1 . Suppose we sampled B 1 , B 2 < 2 A A = 2 7 · 2 16 ⇒ s ′ = [2 2 3 n , 2 7 , B 1 , B 2 ] is a candidate shortest vector of 2  3 n  2 0 C 1 C 2 − R · 2 16 − T · 2 16 0 1     0 0 p 0   0 0 0 p A · 2 − 16 14 / 20

  24. Case 2: Suppose h = 4 = A for any shift is not possible to recover A, B 1 , B 2 . Split in 16+15 bits: a → ( x 1 , x 2 ) = (129 , 129) and A = 129 · 2 16 + 129 . We have a representative of A of lower norm but higher dimension. 15 / 20

  25. L β,P,Q,S = � M β,P,Q,S � , given β ∈ Z \ { 0 } and P, Q, S three interval-like partitions of [ n ] C 1 · 2 − q 1 C 2 · 2 − s 1 0 0 · · · 0 0 · · · 0 0 · · · 0  β  − R · 2 p k − q 1 − T · 2 p k − s 1 0 1 0 · · · 0 0 · · · 0 0 · · · 0   − R · 2 p k − 1 − q 1 − T · 2 p k − 1 − s 1 0 0 1 · · · 0 0 · · · 0 0 · · · 0     ...   − R · 2 p 2 − q 1 − T · 2 p 2 − s 1 0 0 · · · 0 0 · · · 0     − R · 2 p 1 − q 1 − T · 2 p 1 − s 1 0 0 0 · · · 1 0 · · · 0 0 · · · 0     − 2 q ℓ − q 1 0 0 0 · · · 0 1 · · · 0 0 · · · 0 0     0 ... 0   − 2 q i − q 1 0 0 0 · · · 0 0 · · · 0 0    − 2 q 2 − q 1  0 0 0 · · · 0 0 · · · 1 0 · · · 0 0    0 0 0 · · · 0 0 · · · 0 0 · · · 0 0  p   − 2 s j − s 1  0 0 0 · · · 0 0 · · · 0 0 1 · · · 0     0 ... 0  − 2 s i − s 1  0 0 0 · · · 0 0 · · · 0 0    − 2 s 2 − s 1 0 0 0 · · · 0 0 · · · 0 0 0 · · · 1   0 0 0 · · · 0 0 · · · 0 0 0 · · · 0 p 16 / 20

  26. a) L β,P,Q,S is full-rank lattice of dimension d = k + ℓ + j + 1 , b) vol( L β,P,Q,S ) ≃ 2 (2+ t ) n where β = 2 tn , c) we have to ensure that structural vectors are not shorter than our target secret vector, d) we expect the entries of the target vector to be about of the same size for a β - lucky tuple ( P, Q, S ) . 17 / 20

  27. a) L β,P,Q,S is full-rank lattice of dimension d = k + ℓ + j + 1 , b) vol( L β,P,Q,S ) ≃ 2 (2+ t ) n where β = 2 tn , c) we have to ensure that structural vectors are not shorter than our target secret vector, d) we expect the entries of the target vector to be about of the same size for a β - lucky tuple ( P, Q, S ) . Then k = ℓ = j is a good choice and in such a case ◮ d = 3 k + 1 3 k n we have a 2 ◮ if the norm of the target vector is less then 2 lucky tuple. 17 / 20

  28. The success probability is roughly ( k · 2 n/ 3 k · 1 /n ) 3 h ≃ 2 − 1 . 75 h . 18 / 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Attacks on the Mersenne-based AJPS cryptosystem Koen de Boer 1 , L. Ducas 1 , S. Jeffery 1 , 2 , R.

Attacks on the Mersenne-based AJPS cryptosystem Koen de Boer 1 , L. Ducas 1 , S. Jeffery 1 , 2 , R.

Attacks on the Mersenne-based AJPS cryptosystem Koen de Boer 1 , L. Ducas 1 , S. Jeffery 1 , 2 , R. de Wolf 1 , 2 , 3 1 Centrum Wiskunde en Informatica, Amsterdam 2 QuSoft, Amsterdam 3 University of Amsterdam April 9, 2018 April 9, PQCrypto, Fort

1.03k views • 76 slides
The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas Peyrin Orange Labs and Ingenico FSE 2010 - Seoul - Korea

1.38k views • 19 slides
Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gatan Leurent

Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gatan Leurent

Chaskey ARX Cryptanalysis Improved Differential-Linear Conclusion Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gatan Leurent Inria, Paris Eurocrypt 2016 m 0 m 1 m 2 K K K Gatan

540 views • 36 slides
The centre Mersenne for Open Scientific Publishing An academic-led open access publishing

The centre Mersenne for Open Scientific Publishing An academic-led open access publishing

The centre Mersenne for Open Scientific Publishing An academic-led open access publishing infrastructure Academic-Led Publishing Day, 7 February 2019 Centre Mersenne 1 / 15 Presentation of the centre Mersenne Centre Mersenne Centre Mersenne

475 views • 15 slides
An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljevi 1 , Nishant

An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljevi 1 , Nishant

An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljevi 1 , Nishant Sinha 2 , Sugata Gangopadhyay 2 , Subhamoy Maitra 3 , Goutam Paul 3 and Kanta Matsuura 4 1 Mathematical Institute, Serbian Academy of Sciences and

809 views • 49 slides
Improved Slender-set Linear Cryptanalysis Guo-Qiang Liu 1 Chen-Hui Jin 1 Chuan-Da Qi 2 1

Improved Slender-set Linear Cryptanalysis Guo-Qiang Liu 1 Chen-Hui Jin 1 Chuan-Da Qi 2 1

Introduction Our Contributions Conclusion Improved Slender-set Linear Cryptanalysis Guo-Qiang Liu 1 Chen-Hui Jin 1 Chuan-Da Qi 2 1 Information Science Technology Institute Zhengzhou, Henan, China 2 Xinyang Normal University Xinyang, Henan, China

1.23k views • 49 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Improved Cryptanalysis of HFEv- via Projection Jintai Ding, Ray Perlner, Albrecht Petzoldt, Daniel

Improved Cryptanalysis of HFEv- via Projection Jintai Ding, Ray Perlner, Albrecht Petzoldt, Daniel

Improved Cryptanalysis of HFEv- via Projection Jintai Ding, Ray Perlner, Albrecht Petzoldt, Daniel Smith-Tone PQ Crypto 2018 Fort Lauderdale, Florida 04/10/2018 A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto 2018 1 / 25 Outline

904 views • 25 slides
Improved Parameter Estimates for Correlation and Capacity Deviates in Linear Cryptanalysis C

Improved Parameter Estimates for Correlation and Capacity Deviates in Linear Cryptanalysis C

Improved Parameter Estimates for Correlation and Capacity Deviates in Linear Cryptanalysis C eline Blondeau and Kaisa Nyberg Aalto University School of Science kaisa.nyberg@aalto.fi FSE 2017 TOKYO March 8, 2017 Outline Introduction

257 views • 24 slides
Linear Statistics Jung-Keun Lee and Woo-Hwan Kim ETRI Our contribution improved and extended

Linear Statistics Jung-Keun Lee and Woo-Hwan Kim ETRI Our contribution improved and extended

FSE 2020 Multiple Linear Cryptanalysis Using Linear Statistics Jung-Keun Lee and Woo-Hwan Kim ETRI Our contribution improved and extended approach of multiple linear cryptanalysis[BCQ04] (exploit dominant statistically independent linear

714 views • 30 slides
Improved Cryptanalysis of Py Paul Crowley LShift Ltd State of the Art in Stream Ciphers 2006 Py

Improved Cryptanalysis of Py Paul Crowley LShift Ltd State of the Art in Stream Ciphers 2006 Py

Py SPP attack Improving on the attack Improved Cryptanalysis of Py Paul Crowley LShift Ltd State of the Art in Stream Ciphers 2006 Py SPP attack Improving on the attack Py eSTREAM entrant by Eli Biham and Jennifer Seberry Fast in

870 views • 38 slides
Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

8 + Introduction Higher Order Masking Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved Scheme Experimental Results J.-S. Coron 1 E. Prouff 2 M. Rivain 1 , 2 Conclusion 1 University of

555 views • 43 slides
The Frobenius problem for Mersenne numerical semigroups M.B. Branco Setember 2014 This is joint

The Frobenius problem for Mersenne numerical semigroups M.B. Branco Setember 2014 This is joint

The Frobenius problem for Mersenne numerical semigroups M.B. Branco Setember 2014 This is joint work with: J.C. Rosales and D. Torro The Frobenius problem for Mersenne numerical semigroups &gt; Introduction &gt; The embedding dimension &gt;

726 views • 43 slides
Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and

Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and

Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and Information Security Agency) Friday, October 2 nd , 2015 - Singapore Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures|

1.19k views • 69 slides
Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on A Tutorial on Linear and

Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on A Tutorial on Linear and

Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on A Tutorial on Linear and Differential Cryptanalysis by Howard Heys.] Modern block ciphers (like DES and AES): - proceed in rounds - each round has its own round key or subkey

644 views • 21 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Codes, matroids and trellises occur at several levels. Do you (a) change one factor at a time?

Codes, matroids and trellises occur at several levels. Do you (a) change one factor at a time?

238 views • 6 slides
A simplified proof of Hausslers packing Theorem Nikita Zhivotovskiy 1 1 Technion Based on

A simplified proof of Hausslers packing Theorem Nikita Zhivotovskiy 1 1 Technion Based on

A simplified proof of Hausslers packing Theorem Nikita Zhivotovskiy 1 1 Technion Based on https://arxiv.org/abs/1711.10414 Zhivotovskiy A simplified proof of Hausslers packing Theorem 1 / 15 VC dimension Let V { 0 , 1 } n . For I = { i

619 views • 15 slides
Foundations of Machine Learning Multi-Class Classification Motivation Real-world problems often

Foundations of Machine Learning Multi-Class Classification Motivation Real-world problems often

Foundations of Machine Learning Multi-Class Classification Motivation Real-world problems often have multiple classes: text, speech, image, biological sequences. Algorithms studied so far: designed for binary classification problems. How do

481 views • 33 slides
Hardness of Mastermind Giovanni Viglietta Department of Computer Science, University of Pisa,

Hardness of Mastermind Giovanni Viglietta Department of Computer Science, University of Pisa,

Hardness of Mastermind Giovanni Viglietta Department of Computer Science, University of Pisa, Italy Pisa - January 19 th , 2011 Easy to learn. Easy to play. But not so easy to win. Mastermind commercial, 1981 Hardness of Mastermind

730 views • 50 slides
Unaligned Rebound Attack Application to K ECCAK Alexandre Duc 1 , Jian Guo 2 , Thomas Peyrin 3 and

Unaligned Rebound Attack Application to K ECCAK Alexandre Duc 1 , Jian Guo 2 , Thomas Peyrin 3 and

Unaligned Rebound Attack Application to K ECCAK Alexandre Duc 1 , Jian Guo 2 , Thomas Peyrin 3 and Lei Wei 3 1 Ecole Polytechnique Fdrale de Lausanne, Switzerland 2 Institute for Infocomm Research, Singapore 3 Nanyang Technological University,

783 views • 46 slides
Efficient Algorithms for Differential Properties of Addition Helger Lipmaa Helsinki University

Efficient Algorithms for Differential Properties of Addition Helger Lipmaa Helsinki University

Efficient Algorithms for Differential Properties of Addition Helger Lipmaa Helsinki University of Technology (Finland) helger@tml.hut.fi Shiho Moriai NTT Laboratories (Japan) shiho@isl.ntt.co.jp FSE 2001, 04.04.2001 Efficient Algorithms for

481 views • 26 slides
Digital Logic Design: a rigorous approach c Chapter 13: Decoders and Encoders Guy Even Moti

Digital Logic Design: a rigorous approach c Chapter 13: Decoders and Encoders Guy Even Moti

Digital Logic Design: a rigorous approach c Chapter 13: Decoders and Encoders Guy Even Moti Medina School of Electrical Engineering Tel-Aviv Univ. May 12, 2020 Book Homepage: http://www.eng.tau.ac.il/~guy/Even-Medina 1 / 47 Buses

680 views • 55 slides
Fixed-Point-Free is NP-complete Taoyang Wu With Peter. J. Cameron Taoyang.Wu@dcs.qmul.ac.uk

Fixed-Point-Free is NP-complete Taoyang Wu With Peter. J. Cameron Taoyang.Wu@dcs.qmul.ac.uk

Fixed-Point-Free is NP-complete Taoyang Wu With Peter. J. Cameron Taoyang.Wu@dcs.qmul.ac.uk Department of Computer Science &amp; School of Mathematical Science, Queen Mary, University of London Fixed-Point-Free is NP-complete p. 1/10 The

386 views • 10 slides

More recommend