WITH POST-QUANTUM SECURITY FOR BROADCAST SYSTEMS

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional Application No. 63/336,834, filed April 29, 2022, the entire contents of which are incorporated herein by reference.

FIELD OF THE INVENTION

The disclosure relates to broadcast encryption as well as attribute-based encryption schemes.

BACKGROUND OF THE INVENTION

In ciphertext-policy attribute-based encryption (CP- ABE), ciphertexts ct are associated with a predicate f and a message m and keys sk with an attribute x, and decryption returns m when x satisfies f. Broadcast encryption is a special case of CP-ABE where the predicate is specified by a set 5 c [TV] , and decryption returns m when x e 5. In both cases, we require security against unbounded collusions, so that an adversary that sees a ciphertext along with secret keys for an arbitrary number of attributes Xi, X2, ... learns nothing about m as long as none of these attributes satisfies f.

Broadcast encryption has been an active area of research since their introduction in the 1990s, where a major goal is to obtain schemes with short parameters, that is, short cipher- texts ct, public keys mpk and secret keys sk. In a celebrated work from 2005, Boneh, Gentry and Waters presented the first broadcast encryption scheme with sublinear-sized parame- ters from bilinear groups where |ct| + | m pk| + |sk| = O(N ^1/2 ), O(N ^1/3 ). On the other hand, in spite of the tremendous advances in lattice-based cryptography over the past decade, we do not know a LWE-based broadcast encryption scheme achieving |ct| = o(N).

A recent line of works focuses on optimal broadcast encryption with parameter size poly (log TV), where the first feasibility results relied on either multi-linear maps or indis- tinguishability obfuscation. Other work has constructed an optimal broadcast encryption scheme from bilinear groups and LWE. Still other work has presented a candidate lattice- inspired optimal broadcast encryption scheme that is plausibly post-quantum secure, but it was unable to provide a reduction to LWE or any simple lattice assumption. BRIEF SUMMARY OF THE INVENTION

The invention relates to broadcast encryption as well as attribute-based encryption schemes.

One example embodiment includes a candidate optimal broadcast encryption scheme with poly(log7V)-sized parameters. We prove selective security of our scheme assuming evasive LWE, a non-standard variant of the LWE assumption where the distinguisher addition- ally receives short Gaussian pre-images while avoiding zeroizing attacks. This yields the first candidate optimal broadcast encryption that is plausibly post-quantum secure, and enjoys a security reduction to a simple assumption. As a secondary contribution, we present a candi- date CP-ABE scheme for circuits of a-priori bounded polynomial depth where the parameter size is independent of the circuit size, and prove security under an additional non-standard assumption.

Some embodiments of the invention include systems, methods, network devices, and machine- readable media for encrypting a message for transmitting to multiple recipients as a ciphertext by: receiving an access policy f, wherein the access policy: determines which recipient can recover a message, wherein each recipient is associated with an identity, each identity represented by a bit string of one specified length, and is represented as a set of executable instructions capable of being executed in polynomial time; receiving a public key comprising two matrices A and B from an authority, wherein width of A is based on the specified bit length of the recipient identities, and wherein B is a learning with errors matrix; receiving a message p for encryption; homomorphically executing the executable instruc- tions f on A to obtain Af, sampling a learning with errors secret vector s; computing a first learning with errors sample Ci based on the secret vector 5 and the matrix B; computing a second learning with errors sample C2 based on the secret vector 5 and a tensor product of A f and a square matrix having l’s on the main diagonal, and 0’s everywhere else; computing a sum C3 of C2 and the message p; computing a ciphertext by concatenating C3 with Q; and transmitting the ciphertext by broadcast to a plurality of recipients.

Some further embodiments can include generating a secret key for one of the plurality of recipients by: receiving a bit string x specifying an identity for the one of the recipients; sampling a Gaussian vector r; computing a Gaussian pre-image of (A-x®G)®r with respect to B, wherein G is a predefined gadget matrix wherein each entry is 0 or a power of 2; and generating the secret key as a concatenation of r and the Gaussian pre-image. Further embodiments can include decrypting the ciphertext at one of the recipients to recover the broadcast ciphertext by: multiplying Q from the ciphertext with the Gaussian pre-image from the secret key to obtain d , which is a learning with errors sample based on s and (A - x ® G) ® r ; homomorphically evaluating f on d to obtain d', wherein c" is a learning with errors sample based on 5 and (Af ® r); and combining d', r from the secret key, and C3 from the ciphertext to recover the message.

In some embodiments, the method is post-quantum secure.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are included to provide further understanding and are incorporated in and constitute a part of this specification, illustrate disclosed embod- iments, and together with the description, serve to explain the principles of the disclosed embodiments. In the drawings:

Fig. 1 is a block diagram illustrating a multimedia communication system suitable for use in various embodiments.

Fig. 2 illustrates an example computer-implemented method for the claimed broadcast encryption scheme.

Fig. 3 illustrates an example computer system architecture for implementing the claimed systems and methods.

Fig. 4 illustrates further details of an example computer system architecture for imple- menting the claimed systems and methods.

DETAILED DESCRIPTION

1 Technical Overview

The disclosed optimal broadcast encryption starts with a one-key secure CP- ABE for circuits based on LWE, we randomize the secret keys to achieve security against collusions, and we show that for an appropriate family of circuits, the disclosed CP-ABE scheme implies op- timal broadcast encryption. The schemes achieve randomization via exponentiation with random scalars in a bilinear group. Security relies on LWE in addition to a hardness as- sumption about the bilinear group, either the generic group model (GGM), or non-standard knowledge assumption (KOALA). Disclosed are new technical ideas that allow us to elimi- nate the use of bilinear maps, thereby achieving plausible post-quantum security. Randomization via tensors. We randomize secret keys by tensoring with random Gaussian

(row) vectors r <— which satisfies the following correctness and security properties:

- Following prior ABE schemes based on EWE, given , we can homo- morphically evaluate a circuit G to obtain a quantity of the form Ay - /(x)G via right-multiplication by some low-norm matrix H This property is preserved un- der tensoring with random Gaussian vectors r: we can homomorphically evaluate f on to obtain via right multiplication by Note that homomorphic evaluation is not possible if we replace tensor product with vector multi- plication (on the right).

- Tensoring “amplifies” a single EWE secret s into Q independent EWE secrets SI, ... , SQ. More formally, under the EWE assumption, we have (1) where In our analysis, Q corresponds to the num- ber of key queries, and having Q independent secrets enables a hybrid argument over the key queries.

An evasive lattice assumption. We describe a simple variant of the evasive LWE assumption we put forth in this work. Fix an efficiently samplable distribution P over Z” ^{x f} . The evasive LWE assumption allows us to assert statements of the form where re uniformly random, m = O(nlogfj) < t (so that P is wider than B). We have two distinguishing strategies in the literature:

- ignore B ^-1 (P) and distinguish (B, sB + e) from (B, c) - this covers lattice attacks on LWE;

- compute and distinguish the latter from uniform - this includes zeroizing attacks on multi-linear map and obfuscation candidates.

The evasive LWE assumption essentially asserts that these are the only distinguishing at- tacks. Namely, where e" is a fresh noise vector. Note that sP + e" « _c c” implies that the high-order bits of (sB + e') • B ^-1 (P) « sP are pseudorandom, thereby defeating the second distinguishing strat- egy. Note that the error distribution e • B ^-1 (P) in c* is different from the fresh Gaussian error e". Differences in error distributions can make or break a scheme if c* has small norm, but we do not know attacks exploiting these differences when c* has large norm, as is the case here. Overall, we note that the statement of evasive LWE is fairly simple and general, and does not refer to tensor products, circuits, or structured distributions like A -x ® G or Af. That is, the assumption encapsulates a principled approach towards (conjectured) compu- tational hardness, rather than one that is tailored to our scheme.

Proof strategy. Our security proof proceeds in two steps: first, we rely on evasive LWE to reduce security of our scheme to a simpler statement with no short Gaussians, and then we prove this latter statement from LWE, using (1) along the way. For the second step, we need to modify the scheme to perform homomorphic evaluation on A-x® I where A is a low- norm matrix, and we replaced the gadget matrix G with the identity matrix I; in the security proof, we will use the fact that if A - x ® I is low- no rm, then upon which we can invoke ( .1 ) to replace s (I ® r ^T ) on the RHS with random.

Homomorphic evaluation on A -x® I works as before with G, except the noise growth is now doubly (instead of singly) exponential in circuit depth. This yields a CP-ABE scheme with for NC ¹ circuits of multiplicative depth d and size s, and we show that this is sufficient for optimal broadcast encryption. In particular, broadcast encryption for N users correspond to circuits of multiplicative depth O(loglogN) and size O(NlogN). To obtain a CP-ABE for a-prior bounded depth circuits with |ct| = poly(d,logs), we keep A- x® G as before, and instead prove security based a new (falsifiable) “ tensor LWE” assumption in the second step.

1.1 The Disclosed CP-ABE Schemes

The CP-ABE schemes are disclosed in more detail. The schemes rely on the following strength- ening of our earlier statement of evasive LWE: we consider distributions over pairs of matri- ces (A', P) together with auxiliary input a ux (instead of just P) and require that

In our applications, the auxiliary input includes the coin tosses used to sample A', P, which rules out obfuscation-based counter-examples.

A one-key secure CP-ABE. We consider CP-ABE for circuits f : {0, 1/ —>■ {0, 1} of depth d and size 5. We begin with a one-key secure CP-ABE (where we use curly underlines in place of noise terms):

Note that the ciphertext size is independent of Decryption for ,/, y , which implies

Next, we show that the scheme is one-key secure assuming EWE and evasive EWE. Intu- itively, evasive EWE says that we can replace the terms sBi, Bj ^{- 1} (A-x® G) with their product Then, it suffices to show that p is hidden given

Next, we can write sA yu ^T in terms of using homomorphic com- putation. Since it suffices to show that p is hidden given which follows quite readily from EWE.

Note that this scheme is insecure if the adversary is allowed to make two key queries: given secret keys for 0 ⁶ and 1 ^£ , an adversary can compute sA, s(A - l ^< ® G), substract the two to obtain sfl£®jG) and solve for s and thus p. To defeat this attack, we randomize the secret keys by tensoring with random Gaussian vectors. First modification. We replace cty := s(Ayu ^T ® I) + /i-g, sBi, where s Z”

Decryption computes the following quantities: and subtracts the two to recover p. The attacker from before now learns and since iq # r ₂ w.h.p., we can no longer carry out the attack from before.

We do not know an attack on the preceding scheme. However, adapting the security proof for the one-key setting to the many-key setting runs into two difficulties. Upon ap- plying evasive LWE as before, we want to argue that p is hidden given

- The first difficulty lies in handling s(Ayu ^T ® I) : using homomorphic computation as before allows us to write s(Ayu ^T ® rT) in terms then need to bridge the gap between { s (A yu ^T ® rT) } . _{£ [Q]} (what we know how to simulate) and s(Ayu ^T ® I) (what appears in the ciphertext). The next modification addresses this difficulty while relying only on the LWE assumption.

- This leaves us with arguing pseudorandomness of for which we present two solutions. The first (and less satisfactory) is to simply assert pseudoran- domness via a new assumption, which we refer to as tensor LWE. This assumption is qualitatively different from evasive LWE in that there are no Gaussian pre-images. The second solution relies only on the LWE assumption, but incurs a 2 ^d blow-up, which is nonetheless sufficient for optimal broadcast encryption.

Second modification. We mask s(Ay ® I) in the cipertext with a fresh LWE sample soAo + eo and during decryption, compute where soBo + eo appears in ct f and B _o ¹ (Aor ^T ) in sk _x . This yields the following CP-ABE scheme for bounded depth circuits: m

Decryption for /(x) = 0 computes (approximately)

Again, via the evasive LWE assumption (upon additionally combining Bo,Bx into a single matrix B), ABE security reduces to proving pseudorandomness of

Observe that

We can then use the LWE assumption with secret s ₀ to replace c' with random. This leaves us with proving pseudorandomness of

At this point, we can apply homomorphic computation to s((A-x, ® G) ® rT) as before in the one-key scheme, upon which we are left with proving pseudorandomness of (5)

The tensor LWE assumption essentially states that the above distribution is pseudorandom.

Third modification. The third and final modification allows us to handle the second diffi- culty without introducing the additional tensor LWE assumption but with a 2 ^d blow-up. The idea is to replace G in sk _x with I _m and sample A so that A - x ® I _m has low-norm: In the security proof, instead of (5), we need to prove pseudorandomness of

Both A - x/ ® I _m and u ^T have low-norm, so

We may then invoke (1) to replace upon which it suffices to prove pseudorandomness of

This in turn follows from EWE via a straight- forward hybrid argument over i e [Q] .

2 Preliminaries

Notations. We use boldface lower case for row vectors (e.g. v) and boldface upper case for matrices (e.g. V). For integral vectors and matrices (i.e., those over Z), we use the notation | v|, | V| to denote the maximum absolute value over all the entries. We use v <— D to denote a random sample from a distribution D, as well as v <— S to denote a uniformly random sample from a set 5. We use ~ _s and « _c as the abbreviation for statistically close and compu- tationally indistinguishable.

Tensor product. The tensor product (Kronecker product) for matrices

B e Z” ^xp is defined as

The mixed-product property for tensor product says that

A useful corollary of the mixed-product property says that for any pair of row vectors u, v e

Z”, We adopt the convention that matrix multiplication takes precedence over tensor product, so that we can write

2.1 Lattices background

We use to denote the discrete Gaussian distribution over Z with standard deviation %.

Learning with errors (LWE). Given n, m, q,% E N, the LWE _w>m>(/ ^ assumption states that where

Trapdoor and preimage sampling. Given any to denote the distribution of a matrix Y sampled from D _/mx „/ _a conditioned on BY = Z (mod q). We sometimes suppress cr when the context is clear.

There is a p.p.t. algorithm Tra pGen (1 ”, q} that, given the modulus q > 2 and dimension n, outputs with a trapdoor T. Moreover, there is a p.p.t. algorithm that given

2.2 Attribute-based encryption

Syntax. A ciphertext-policy attribute-based encryption (CP-ABE) scheme for some class U consists of four algorithms:

Setup . The setup algorithm gets as input the security parameter 1 ^A and class description U. It outputs the master public key mpk and the master secret key msk.

Enc(mpk, f , p) ctj. The encryption algorithm gets as input mpk, and a message p e {0, 1}. It outputs a ciphertext ct f.

KeyGen(mpk, msk,x) sk _x . The key generation algorithm gets as input mpk, msk and x E {0, 1} ^£ . It outputs a secret key sk _x . The decryption algorithm gets as input sk _x and ct f such that /(x) = 0 along with mpk. It outputs a message p. Correctness. For all inputs x and f with f(x) = 0 and all p e {0, 1], we require

Security definition. For a stateful adversary A, we define the advantage function with the restriction that all queries x that A sent to KeyGen(mpk, msk, •) satisfy /(x) = 0. An ABE scheme is selectively secure if for all PPT adversaries A, the advantage Adv^ ^BE (l) is a negligible function in A. Similarly, say that an ABE scheme is very selectively secure for the advantage function: Broadcast encryption. Here, where we think of {0, 1} ⁷⁷ as the power set of [TV] (i.e., set of all subsets of [TV]) , and

As has been noted, very selective security for broadcast encryption implies selective security since an adversary can simply ask for all keys outside S. 3 Evasive LWE

A formal statement of the evasive LWE assumption, also having been stated informally, is provided.

Evasive LWE. Let Sa mp be a PPT algorithm that on input 1 ^A , outputs

We define the following advantage functions: -Pr[yLi(c,Co,K,A',B,aux) = 1] (7) where

We say that the evasive LWE assumption holds if for every PPT Sa m p, A i , there exists another PPT Ao and a polynomial Q(-) such that

We consider parameter settings for which holds. Remark 1 (restricted samplers). As noted elsewhere, we only require that the assumption holds for samplers where aux additionally contains all of the coin tosses used by Samp. This avoids obfuscation-based counter-examples where aux contains an obfuscation of a pro- gram related to a trapdoor for matrix P. Remark 2 (noise magnitudes). For simplicity, we stated the assumption with all the LWE er- ror terms e, e' , e" having the same Gaussian parameter %. It is straight-forward to adapt the assumption and the scheme to a quantitatively weaker variant where the error terms in the post-condition (7) have a larger Gaussian parameter than those in the pre-condition.

Remark3 (weaker pseudorandomness). For the security of our scheme, it suffices to con- sider a weaker variant of the assumption where only sA' + e' is required to be pseudorandom in the post-condition.

4 Main Constructions

In this section, we present our main constructions:

- an “optimal” broadcast encryption scheme for TV users with | mpk| + |ct| + |sk| = poly (log TV, 1);

- a CP-ABE scheme for circuits achieving |ct| = poly(d,logs,l);

The first scheme serves as the basis for the second and the third scheme. The first two schemes rely on evasive LWE whereas the third requires an additional “tensor LWE” assump- tion. We prove very selective security for all three schemes, which implies selective security for broadcast encryption.

4.1 Homomorphic Computation on Matrices

We recall basic homorphic computation on matrices used in prior EWE-based ABE. where G e Z” ^{x m} is the gadget matrix. Moreover, HA,/, _X is efficiently computable given A, f,x. y Low-norm variant. We also consider a variant where A has low-norm and we replace G with I: when deriving Af, addition gates correspond to matrix addition and multiplication gates correspond to matrix multiplication. That is, x _; - + Xj corresponds to A, + Ay and x _; - • Xj corresponds to A, -Ay instead of A, • G ^-1 (Ay). More generally, we can represent a circuit f of depth d and size s as a polynomial comprising the sum of 5 monomials, each of total degree at most 2 ^d . Then, Ay = /(A^ ... , A^>). The magnitude of the noise squares with each multiplication gate, leading to noise growth that is doubly exponential in d.

Lemma 2 (EvalF, EvalFX). Fix parameters m,£. Given a matrix A c jmxf m _an d _a circuit f ;

Moreover, H _A; y _;X is efficiently computable given denote the algorithms computing respectively

4.2 CP- ABE for NC ¹ Circuits

We present our CP-ABE scheme for NC ¹ circuits.

- Setup(l”, 1^): Sample

Output

-

Output In particular, the err 0

Now, g - r ^T is statistically close to uniform over 7. _q , and correctness follows as long as q >

4.3 Optimal Broadcast Encryption

To handle broadcast encryption with N users, we identify a user x e [TV] with a bit string . Let I _y (•) be the point function wrt y, that is, ifx = y otherwise

We can then associate each set 5 c [AT] with the circuit fs : {0, l] given by

It is easy to see that fs can be computed by a circuit of depth O (loglog AT) and size O(ATlog AT) :

- each ly(-) can be computed by a circuit of depth O(loglogN) and size O(log AT);

- followed by an addition gate with fan-in N.

To support multiplication and addition of constants, we may assume that we have an extra O-th input to the circuit that always carries the value 1. That is, we will set £ = flog AT) + 1 in our CP-ABE scheme. We can then instantiate our CP-ABE scheme with f) = ^P ^o| y( ^lo g^ . ATlog N (via the bound in Lemma 2) which yields a broadcast encryption scheme with

|mpk| = poly (log TV, A), |ct| = poly(logAT, A), |sk| = poly (logTV, A)

4.4 CP-ABE for Polynomial-Depth Circuits

Tensor LWE. We introduce an additional tensor EWE assumption which states that for all XX, ... ,XQ e {0, 1} ^£ , we have where A — Z" ^{7 x < ra} ,s Zf' f ei consider the same parame- ter settings as LWE„ _;(?;X , with £, Q = poly (A). The analysis herein shows that if we use a low- norm A and replace G with I, then LWE implies tensor LWE. CP-ABE scheme. We modify our CP-ABE scheme in Section 4.2 as follows:

- we sample TrapGen(l ^m ”, q), Si <— 7.™ ⁿ ,'

- we replace I _m in ct,sk with the gadget matrix G e Z” ^{x m} and we replace Eva IF, Eva I FX with EvalFc, EvalFXc respectively;

- we set x" = poly (A) .

That is, we have: ctf = ((So | si)B + e ₀ , s _o Ao + si(Ayu ^T ® G) + p-g+ e)

As before, we have: | mpk| = £ ■ poly (log/3, A) , |ct| = poly (log /3, A), |sk| = £ ■ poly (log /3, A). Now, for circuits of depth d and size s, we have |HA,/, _X I = A ^O(rf) • s, which yields:

|mpk| = £ • poly(d,logs, A), |ct| = poly(d,logs, 1), |sk| = £ • poly(d,logs, 1)

Example Systems and Apparatuses of the Present Disclosure

The various embodiments may be implemented within a variety of communication sys- tems, networks and/or mobile multi-media broadcast systems, an example of which is il- lustrated in Fig. 1. Specifically, Fig. 1 illustrates a communication system in which mobile receiver devices 102 may receive content from multimedia broadcast network 104, unicast network 106, or via the Internet 108. A typical multimedia broadcast network 104 includes a plurality of broadcast transmitters 112 controlled by a mobile broadcast network con- trol center/broadcast operation center (BOC) 114. The multimedia broadcast network 104 broadcasts content from the broadcast transmitters 112 as mobile broadcast transmissions 113 for reception by the mobile receiver devices 102. Within the BOC 114, there may be one or more servers 110 for managing content broadcasts, and which provide a connection to the Internet 108.

In addition to the multimedia broadcast network 104, mobile receiver devices 102 may communicate via a unicast network 106, such as a cellular telephone network, WiFi network (not shown), WiMAX, etc. A typical cellular telephone network includes a plurality of cellu- lar base stations 116 coupled to a network operations center 118. The network operations center 118 operates to connect voice and data calls between mobile receiver devices 102 and other network destinations, such as via telephone land lines (e.g., a POTS network, not shown) and the Internet 108.

Communications between mobile receiver devices 102 and the unicast network 106 may be accomplished via two-way wireless communication links 115 such as LTE, 4G, 3G, CDMA, TDMA, and other cellular telephone communication technologies. Such two-way wireless communication links 115 may enable users to stream multimedia content to receiver de- vices (e.g., mobile devices).

To facilitate Internet data communications (e.g., streaming video feeds), the unicast net- work 106 will typically include one or more servers 120 coupled to, or within, the network operations center 118 that provide a connection to the Internet 108. Mobile receiver devices 102 may further connect to the Internet 108 via a wired connection when available, in which case the Internet 108 may serve as the unicast network. Mobile receiver devices 102 may also receive non-broadcast content over the Internet 108 using well known conventional web-based access protocols.

Generally, the operations for receiving and rendering content by a receiver device (e.g., the mobile receiver devices 102 discussed above) may be divided into separate and indepen- dent groups or categories of operations, and each group or category of operations may be assigned to a layer (e.g., physical layer, data link layer, etc.). In each of these layers, various hardware and/or software components may implement functionality that is commensu- rate with responsibilities assigned to that layer. For example, media streams (e.g., broadcast, point-to-point, etc.) are typically received in the physical layer, which may include a radio receiver, buffers, and processing components that perform the operations of demodulating, recognizing symbols within the radio frequency (RF) signal, and performing other opera- tions for extracting raw data from the received RF signal.

Fig. 2 illustrates an example computer-implemented method for the claimed broadcast encryption scheme. In the illustrated example embodiment, setup routine generates master public key (MPK) 270 and provides it to the broadcasting authority 210. The key operations 245, 255, 265 may be performed at a centralized or trusted authority or third-party, which may or may not be associated with or controlled by broadcast authority 210. The setup rou- tine 245 also generates the master secret key (MSK) 250. Setup routine 245 may be called by the private key generator (PKG) 255. PKG 255 outputs system master public-key MPK 250 and the system master secret-key MSK 250, and makes MPK publicly available and keeps MSK as a secret. Key generation routine 265 receives the MPK and MSK, and user identities 275, and outputs secret keys 280 for each specific user.

Broadcasting authority 210 then employs MPK 270 to perform an encryption 215, which is then used as the ciphertext for a broadcast message 220. The broadcast message is then provided over a broadcast channel 225, which as described herein can take any wired or wireless form. The ciphertext is received by subscribed receivers 230 who have been pro- vided with certain key material 280 in association with their identities 275 which have been provided to a key generation module 265. The secret keys 280 can be provided to receivers based on their identities 275. With the secret keys, the subscribed receivers can perform a decryption 235 of the broadcast ciphertext, and generate a resulting broadcast message 240.

Figs. 3 and 4 depict example computer systems useful for implementing various embod- iments described in the present disclosure. Various embodiments may be implemented, for example, using one or more computer systems, such as computer system 500 shown in Fig. 3. One or more computer system(s) 500 may be used, for example, to implement any of the embodiments discussed herein, as well as combinations and sub-combinations thereof.

Computer system 500 may include one or more processors (also called central process- ing units, processing devices, or CPUs), such as a processor 504. Processor 504 may be con- nected to a communication infrastructure 506 (e.g., such as a bus).

Computer system 500 may also include user input/output device(s) 503, such as mon- itors, keyboards, pointing devices, etc., which may communicate with communication in- frastructure 506 through user input/output interface(s) 502. One or more of processors 504 may be a graphics processing unit (GPU) . In an embodiment, a GPU may be a processor that is a specialized electronic circuit designed to process mathematically intensive applications. The GPU may have a parallel structure that is efficient for parallel processing of large blocks of data, such as mathematically intensive data common to computer graphics applications, images, videos, etc.

Computer system 500 may also include a main memory 508, such as random-access memory (RAM). Main memory 508 may include one or more levels of cache. Main memory 508 may have stored therein control logic (i.e., computer software, instructions, etc.) and/or data. Computer system 500 may also include one or more secondary storage devices or sec- ondary memory 510. Secondary memory 510 may include, for example, a hard disk drive 512 and/or a removable storage device or removable storage drive 514. Removable storage drive 514 may interact with a removable storage unit 518. Removable storage unit 518 may include a computer-usable or readable storage device having stored thereon computer soft- ware (control logic) and/or data. Removable storage drive 514 may read from and/or write to removable storage unit 518.

Secondary memory 510 may include other means, devices, components, instrumental- ities, or other approaches for allowing computer programs and/or other instructions and/or data to be accessed by computer system 500. Such means, devices, components, instrumentalities, or other approaches may include, for example, a removable storage unit 522 and an interface 520. Examples of the removable storage unit 522 and the interface 520 may include a program cartridge and cartridge interface, a removable memory chip (such as an EPROM or PROM) and associated socket, a memory stick and USB port, a memory card and associated memory card slot, and/or any other removable storage unit and associated interface.

Computer system 500 may further include communications interface 524 (e.g., network interface). Communications interface 524 may enable computer system 500 to communi- cate and interact with any combination of external devices, external networks, external enti- ties, etc. (individually and collectively referenced as remote device (s), network(s), entity (ies) 528). For example, communications interface 524 may allow computer system 500 to com- municate with external or remote device (s), network(s), entity (ies) 528 over communica- tions path 526, which may be wired and/or wireless (or a combination thereof), and which may include any combination of LANs, WANs, the Internet, etc. Control logic and/or data may be transmitted to and from computer system 500 via communications path 526.

Computer system 500 may also be any of a personal digital assistant (PDA), desktop workstation, laptop or notebook computer, netbook, tablet, smartphone, smartwatch or other wearable devices, appliance, part of the Internet-of-Things, and/or embedded system, to name a few non-limiting examples, or any combination thereof.

Computer system 500 may be a client or server computing device, accessing or host- ing any applications and/or data through any delivery paradigm, including but not limited to remote or distributed cloud computing solutions; local or on-premises software (“on- premise” cloud-based solutions); “as a service” models (e.g., content as a service (CaaS), digital content as a service (DCaaS), software as a service (SaaS), managed software as a service (MSaaS), platform as a service (PaaS), desktop as a service (DaaS), framework as a service (FaaS), backend as a service (BaaS), mobile backend as a service (MBaaS), infras- tructure as a service (laaS), etc.); and/or a hybrid model including any combination of the foregoing examples or other services or delivery paradigms.

Fig. 4 illustrates an example machine of a computer system 900 within which a set of in- structions, for causing the machine to perform any one or more of the operations discussed herein, may be executed. In alternative implementations, the machine may be connected (e.g., networked) to other machines in a LAN, an intranet, an extranet, and/or the Internet. The machine may operate in the capacity of a server or a client machine in a client-server network environment, as a peer machine in a peer-to-peer (or distributed) network environ- ment, or as a server or a client machine in a cloud computing infrastructure or environment.

The machine may be a personal computer (PC), a tablet PC, a set-top box (STB), a Per- sonal Digital Assistant (PDA), a cellular telephone, a web appliance, a server, a network router, a switch or bridge, a specialized application or network security appliance or de- vice, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while a single machine is illustrated, the term “machine” shall also be taken to include any collection of machines that individu- ally or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein.

The example computer system 900 includes a processing device 902, a main memory 904 (e.g., read-only memory (ROM), flash memory, dynamic random-access memory (DRAM) such as synchronous DRAM (SDRAM), etc.), a static memory 906 (e.g., flash memory, static random-access memory (SRAM), etc.), and a data storage device 918, which communicate with each other via a bus 930.

Processing device 902 represents one or more processing devices such as a micropro- cessor, a central processing unit, or the like. More particularly, the processing device may be complex instruction set computing (CISC) microprocessor, reduced instruction set com- puting (RISC) microprocessor, very long instruction word (VLIW) microprocessor, or pro- cessor implementing other instruction sets, or processors implementing a combination of instruction sets. Processing device 902 may also be one or more special-purpose processing devices such as an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), a digital signal processor (DSP), network processor, or the like. The processing device 902 is configured to execute instructions 926 for performing the operations and steps discussed herein.

The computer system 900 may further include a network interface device 908 to commu- nicate over the network 920. The computer system 900 also may include a video display unit 910, an alphanumeric input device 912 (e.g., a keyboard), a cursor control device 914 (e.g., a mouse), a graphics processing unit 922, a signal generation device 916 (e.g., a speaker), graphics processing unit 922, video processing unit 928, and audio processing unit 932.

The data storage device 918 may include a machine-readable medium 924 (also known as a computer- readable storage medium) on which is stored one or more sets of instructions 926 (e.g., software instructions) embodying any one or more of the operations described herein. The instructions 926 may also reside, completely or at least partially, within the main memory 904 and/or within the processing device 902 during execution thereof by the com- puter system 900, where the main memory 904 and the processing device 902 also constitute machine-readable storage media.

In an example, the instructions 926 include instructions to implement operations and functionality corresponding to the disclosed subject matter. While the machine-readable storage medium 924 is shown in an example implementation to be a single medium, the term “machine-readable storage medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions 926. The term “machine-readable storage medium” shall also be taken to include any medium that is capable of storing or encoding a set of instructions 926 for execution by the machine and that cause the machine to perform any one or more of the operations of the present disclosure. The term “machine- readable storage medium” shall accordingly be taken to include, but not be limited to, solid- state memories, optical media, and magnetic media.

Some portions of the detailed description have been presented in terms of algorithms and symbolic representations of operations on data bits within a computer memory. These algorithmic descriptions and representations are the ways used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of operations leading to a desired result. The operations are those requiring physical manipu- lations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, combined, compared, and other- wise manipulated. It has proven convenient at times, principally for reasons of common us- age, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like.

It should be borne in mind, however, that all of these and similar terms are to be as- sociated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the above discus- sion, it is appreciated that throughout the description, discussions utilizing terms such as “identifying” or “determining” or “executing” or “performing” or “collecting” or “creating” or “sending” or the like, refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physi- cal (electronic) quantities within the computer system’s registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage devices.

The present disclosure also relates to an apparatus for performing the operations herein. This apparatus may be specially constructed for the intended purposes, or it may comprise a computer selectively activated or reconfigured by a computer program stored in the com- puter. Such a computer program may be stored in a computer-readable storage medium, such as but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, and magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, or any type of media suitable for storing elec- tronic instructions, each coupled to a computer system bus.

The operations and illustrations presented herein are not inheren Lly related to any par- ticular computer or other apparatus. Various types of systems may be used with programs in accordance with the teachings herein, or it may prove convenient to construct a more specialized apparatus to perform the operations. The structure for a variety of these sys- terns will appear as set forth in the description herein. In addition, the present disclosure is not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of the disclosure as described herein.

The present disclosure may be provided as a computer program product, or software, that may include a machine-readable medium having stored thereon instructions, which may be used to program a computer system (or other electronic devices) to perform a pro- cess according to the present disclosure. A machine-readable medium includes any mech- anism for storing information in a form readable by a machine (e.g., a computer). For ex- ample, a machine-readable (e.g., computer-readable) medium includes a machine (e.g., a computer) readable storage medium such as read-only memory (“ROM”), random access memory (“RAM”), magnetic disk storage media, optical storage media, flash memory de- vices, etc.

In some embodiments, a tangible, non-transitory apparatus or article of manufacture comprising a tangible, non-transitory computer useable or readable medium having con- trol logic (software) stored thereon may also be referred to herein as a computer program product or program storage device. This includes, but is not limited to, computer system 500, main memory 508, secondary memory 510, and removable storage units 518 and 522, as well as tangible articles of manufacture embodying any combination of the foregoing. Such control logic, when executed by one or more data processing devices (such as com- puter system 500), may cause such data processing devices to operate as described herein.

Based on the teachings contained in this disclosure, it will be apparent to persons skilled in the relevant art(s) how to make and use embodiments of this disclosure using data pro- cessing devices, computer systems, and/or computer architectures other than that shown in Figs. 3 and 4. In particular, embodiments can operate with software, hardware, and/or operating system implementations other than those described herein.

It is to be appreciated that the Detailed Description section, and not any other section, is intended to be used to interpret the claims. Other sections can set forth one or more but not all exemplary embodiments as contemplated by the inventor(s), and thus, are not intended to limit this disclosure or the appended claims in any way. While this disclosure describes exemplary embodiments for exemplary fields and appli- cations, it should be understood that the disclosure is not limited thereto. Other embodi- ments and modifications thereto are possible and are within the scope and spirit of this dis- closure. For example, and without limiting the generality of this paragraph, embodiments are not limited to the software, hardware, firmware, and/or entities illustrated in the figures described herein. Further, embodiments (whether or not explicitly described herein) have significant utility to fields and applications beyond the examples described herein.

Embodiments have been described herein with the aid of functional building blocks il- lustrating the implementation of specified functions and relationships thereof. The bound- aries of these functional building blocks have been arbitrarily defined herein for the con- venience of the description. Alternate boundaries can be defined as long as the specified functions and relationships (or equivalents thereof) are appropriately performed. Also, al- ternative embodiments can perform functional blocks, steps, operations, methods, etc. us- ing orderings different than those described herein.

References herein to “one embodiment,” “an embodiment,” “an example embodiment,” or similar phrases, indicate that the embodiment described can include a particular fea- ture, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or charac- teristic is described in connection with an embodiment, it would be within the knowledge of persons skilled in the relevant art(s) to incorporate such feature, structure, or character- istic into other embodiments whether or not explicitly mentioned or described herein. Ad- ditionally, some embodiments can be described using the expression “coupled” and “con- nected” along with their derivatives. These terms are not necessarily intended as synonyms for each other. For example, some embodiments can be described using the terms “con- nected” and/or “coupled” to indicate that two or more elements are in direct physical or electrical contact with each other. The term “coupled,” however, can also mean that two or more elements are not in direct contact with each other, but yet still co-operate or interact with each other.

The breadth and scope of this disclosure should not be limited by any of the above- described exemplary embodiments but should be defined only in accordance with the fol- lowing claims and their equivalents. In the foregoing specification, implementations of the disclosure have been described with reference to specific example implementations thereof. It will be evident that various modifications may be made thereto without departing from the broader spirit and scope of implementations of the disclosure as set forth in the follow- ing claims. The specification and drawings are, accordingly, to be regarded in an illustrative sense rather than a restrictive sense.