Algebraic partitioning: Fully compact and (almost) tightly secure cryptography
Dennis Hofheinz (Karlsruhe Institute of Technology, Dennis.Hofheinz@kit.edu)

October 12, 2015

Abstract

We describe a new technique for conducting partitioning arguments. Partitioning arguments are a popular way to prove the security of a cryptographic scheme. For instance, to prove the security of a signature scheme, a partitioning argument could divide the set of messages into signable messages, for which a signature can be simulated during the proof, and unsignable ones, for which any signature would allow solving a computational problem. During the security proof, we would then hope that an adversary only requests signatures for signable messages, and later forges a signature for an unsignable one.

In this work, we develop a new class of partitioning arguments from simple assumptions. Unlike previous partitioning strategies, ours is based upon an algebraic property of the partitioned elements (e.g., the signed messages), and not on their bit structure. This allows the partitioning to be performed efficiently and in a hidden way, such that a single slot for a partitioning operation in the scheme can already be used to implement many different partitionings sequentially, one after the other. As a consequence, we can construct complex partitionings out of simple basic (but algebraic) partitionings in a very space-efficient way.

As a demonstration of our technique, we provide the first signature and public-key encryption schemes that achieve the following properties simultaneously: they are (almost) tightly secure under a simple assumption, and they are fully compact (in the sense that parameters, keys, and signatures, resp. ciphertexts, only comprise a constant number of group elements).

Keywords. Partitioning arguments, tight security proofs, digital signatures, public-key encryption.
1 Introduction

Partitioning arguments. Many security reductions rely on a partitioning argument. Informally, a partitioning argument divides the parts of a large system into those parts that are under the control of the simulation, and those parts into which a computational challenge can be embedded. For instance, a partitioning argument for a signature scheme could divide the set of messages into signable messages (for which a signature can be generated by the security reduction), and unsignable messages (for which any signature would solve an underlying problem). During the security reduction, we hope that an adversary only asks for the signatures of signable messages, but forges a signature for an unsignable one. Partitioning arguments are a popular means for proving the security of signature schemes (e.g., [35, 17, 38, 29]), identity-based encryption schemes (e.g., [10, 9, 38, 14]), or tightly secure cryptosystems (e.g., [15, 6, 32]).

The complexity of bit-based partitioning. All of the above works (except for [17, 10], which use a programmable random oracle to implement a partitioning) partition messages or identities according to their bit representation. For instance, in the signature scheme from [29], messages are signable precisely if they do not start with a particular bit prefix. This non-algebraic approach requires a certain preparation in the scheme itself: the scheme must already establish certain distinctions of messages based on their bit representation. For instance, the signature scheme of [38] uses a hash function of the form $H(M) = h_0 \cdot \prod_j h_{j,M_j}$, where the $M_j$ are the bits of the signed message $M$, and $h_0$ and the $h_{j,b}$ are public group elements. This leads to comparatively large public parameters or keys, in particular because all potential distinctions (based on the values of the $M_j$) are already present in the scheme.

Our contribution. In this work, we develop an entirely different partitioning approach: instead of partitioning based on the bit representation, we partition according to a simple algebraic predicate.
Namely, we view a message $M$ as above as a $\mathbb{Z}_p$-element, and consider various Legendre symbols $L_j = \left(\frac{f_j(M)}{p}\right)$ for different affine functions $f_j$. Taken together, sufficiently many $L_j$ uniquely determine $M$, but the computation of each $L_j$ can be encoded as a series of $\mathbb{Z}_p$-operations.[fn. 1] Intuitively, this algebraic property allows us to internalize and hide the computations of the $L_j$, e.g., by hiding the $f_j$ inside a homomorphic commitment. As a consequence, only one universal partitioning (according to a single $L_j$) needs to be performed in the scheme itself; in the analysis, several simple partitionings can then be implemented sequentially, by varying the $f_j$.

Footnote 1: Technically, we will not even need to explicitly compute $L_j$, but only prove that $L_j = 1$. This is possible using a quadratic equation over $\mathbb{Z}_p$.

Comparison with previous partitioning techniques. Compared to previous, bit-based partitioning approaches, our new strategy has the advantage that it simultaneously leads to compact schemes and to a tight security reduction. Previous partitioning strategies were either based on more complex partitionings (such as [35, 9, 38, 29]) that lead to a non-tight security reduction, or on a sequence of simple bit-based partitionings (such as [15, 6, 32]) that lead to large public parameters or keys. In contrast, we support many simple algebraic partitionings (and thus a tight security reduction), but we occupy only one partitioning slot in the public parameters. This leads to tightly secure and very compact applications, as we will detail next.

Applications. Specifically, we demonstrate the usefulness of our partitioning technique by describing the first (almost) tightly secure signature and PKE schemes that are fully compact, in the sense that parameters, keys, and signatures (resp. ciphertexts) only contain a constant number of group elements. Our security reduction loses only a factor of $O(k)$, where $k$ is the security parameter. In particular, our security reduction does not degrade in the number of
users or signatures, resp. ciphertexts. The security of our schemes is based upon the Decisional Diffie-Hellman (DDH) assumption in both preimage groups of a pairing. (This assumption is also called Symmetric External Diffie-Hellman or SXDH.) Tables 1 and 2 give a more detailed comparison with existing schemes.

In the following, we give more details on our techniques and results. To do so, we start with a little background concerning our applications.

Tight security reductions. To argue for the security of a given cryptographic scheme S, we usually employ a security reduction. That is, we try to argue that every hypothetical adversary $A_S$ on S can be converted into an adversary $A_P$ on an allegedly hard computational problem P. In that sense, the only way to break S is to solve P. Of course, we are mostly interested in reductions to well-investigated problems P. Furthermore, there are reasons to consider the tightness of the reduction: a tight reduction guarantees that $A_P$'s success $\varepsilon_P$ in solving P (in a reasonable metric) is about the same as $A_S$'s success $\varepsilon_S$ in attacking S.

To explain the impact of a (non-)tight reduction in more detail, consider a public-key encryption (PKE) scheme S that is deployed in a many-user environment. In this setting, an adversary $A_S$ on S may observe, say, $n_C$ ciphertexts generated for each of the, say, $n_U$ users. Most known security reductions in this setting are non-tight, in the sense that $\varepsilon_P \approx \varepsilon_S / (n_U \cdot n_C)$. As a consequence, keylength recommendations should also take $n_U$ and $n_C$ into account; no universal keylength recommendation can be given for such a scheme. This is particularly problematic in settings that grow significantly beyond initial expectations.

Tightly secure encryption and signature schemes. The construction of tightly secure cryptographic schemes appears to be a nontrivial task. For instance, although already explicitly considered in 2000 [3], tightly secure PKE schemes have only been constructed very recently [28, 2, 15, 6, 32].[fn. 2, 3] Moreover, the schemes from [28, 2] have rather large ciphertexts, and the schemes induced by [15, 6] and from [32] require large parameters (but offer small keys and ciphertexts).

The situation for tightly secure signature schemes is somewhat brighter, but results are still limited. There are efficient signature schemes that are tightly secure under q-type [8, 16, 36] or interactive [21] assumptions, or in the random oracle model [24, 5, 30]. There are also more recent and somewhat less efficient schemes tightly secure under simple[fn. 4] assumptions [12, 28, 15, 6, 32] (see also [1, 2]). Some of these latter schemes can even be converted into tightly secure PKE schemes; however, all of the schemes [12, 28, 2, 15, 6, 32] suffer from asymptotically large parameters, keys, or signatures (resp. ciphertexts).

The scheme of Chen and Wee. Our technical ideas are best presented with our signature scheme. At a very high level, we follow the strategy of Chen and Wee [15] (see also [6]), where we interpret their IBE scheme as a signature scheme using Naor's trick [11]. In their scheme, signatures are of the form

$$\sigma = \Big( h_0,\; \mathit{sgk} \cdot \prod_{i=1}^{n} h_{i,M_i} \Big), \qquad (1)$$

where $\mathit{sgk}$ is the secret key, $M = (M_i)_{i=1}^{n} \in \{0,1\}^n$ is the bit representation of the signed message, and $h_0, (h_{i,0}, h_{i,1})_{i=1}^{n}$ are group elements chosen from a joint public distribution.[fn. 5]

Footnote 2: Actually, [15, 6] construct tightly secure identity-based encryption (IBE) schemes. However, those IBE schemes can be viewed as tightly secure signature schemes (using Naor's trick [11]), and then converted into tightly secure PKE schemes using the transformation from [28]. In fact, the PKE scheme of [32] can be viewed as a (modified and highly optimized) conversion of the IBE scheme from [15].

Footnote 3: We note that earlier PKE schemes achieve at least a certain form of tight security under q-type assumptions [22, 23, 27], or in the random oracle model [20, 13, 7].

Footnote 4: With a simple assumption, we mean one in which the adversary gets a challenge whose size only depends on the security parameter, and is then supposed to output a unique solution without further interaction. Examples of simple assumptions are DLOG, DDH, d-LIN, or RSA, but not, say, Strong Diffie-Hellman [8] or q-ABDHE [22].

Footnote 5: We note that although their scheme can be viewed as a generalization of Waters signatures [38], their analysis is entirely different. Also, we omit here certain subtleties regarding the used distributions of group elements.

Scheme      | parameters  | verification key | signature | reduction loss | assumption
BMS03 [12]  | 0           | k + 3            | k + 1     | O(k)           | CDH
HJ12 [28]   | ?           | ?                | k + 22    | O(1)           | DLIN
CW13 [15]   | 2d²(2n + 1) | d                | 4d        | O(k)           | d-LIN
BKP14 [6]   | d           | d²(2n + 1)       | 2d + 1    | O(k)           | D_d-MDDH
LJYP14 [32] | 0           | O(d²n)           | 2d + 1    | O(k)           | d-LIN
This work   | 14          | 6                | 25        | O(k)           | DDH

Table 1: Comparison of different (at least almost) tightly EUF-CMA secure signature schemes from simple[fn. 4] assumptions in pairing-friendly groups. The parameters, verification key, and signature columns denote space complexity, measured in group elements. The reduction loss column denotes the (multiplicative) loss of the security reduction to the respective assumption. For the schemes from [15, 6], we assume the signature scheme induced by the presented IBE scheme. Furthermore, n = Θ(k) denotes the bitlength of the signed message (if the signed message is a bitstring and not a group element or an exponent). We note that [32] mention that their scheme can be generalized to the d-LIN assumption (including 1-LIN = DDH). However, since they only give explicit complexities for the arising signatures (identical to the ones from [6]), we restrict to their DLIN-based scheme. Finally, we remark that all of these schemes (except for [12]) imply tightly secure PKE schemes (cf. Table 2). (Entries marked ? did not survive extraction of this page; for HJ12 [28] only one size entry, k + 22, survived, and its column is not certain. The entries for this work are the numbers stated in Section 1.)

Scheme      | parameters | public key | ciphertext | reduction loss | assumption
HJ12 [28]   | O(1)       | O(1)       | O(k)       | O(1)           | DLIN
AKDNO13 [2] | O(1)       | O(1)       | O(k)       | O(1)           | DLIN
CW13 [15]   | O(d²k)     | O(d)       | O(d)       | O(k)           | d-LIN
BKP14 [6]   | O(d)       | O(d²k)     | O(d)       | O(k)           | D_d-MDDH
LJYP14 [32] | O(1)       | O(d²k)     | O(d)       | O(k)           | d-LIN
LJYP14 [32] | 3          | 24k        | ?          | O(k)           | DLIN
This work   | 15         | 2          | 60         | O(k)           | DDH

Table 2: Comparison of different (at least almost) tightly IND-CCA secure PKE schemes from simple[fn. 4] assumptions. As in Table 1, the parameters, public key, and ciphertext columns denote space complexity, measured in group elements, and the reduction loss column denotes the (multiplicative) loss of the security reduction to the respective assumption. For the schemes from [15, 6], we assume the PKE scheme induced by the respective signature scheme when going through the construction of [28]. We note that [32] only describe a symmetric-pairing version of their scheme, so their DDH-based scheme is not explicit. However, we expect that their DDH-based scheme has slightly more compact ciphertexts than ours. (The entry marked ? did not survive extraction; the entries for this work are the numbers stated in Section 1.)

During their proof of existential unforgeability (EUF-CMA security), Chen and Wee gradually modify signatures generated by the security experiment for an adversary A. This is done via a small hybrid argument over the bit indices of messages, and thus yields a security proof that loses a factor of O(n). Concretely, in the i-th hybrid, generated signatures are of the form $\sigma = \big(h_0,\; \mathit{sgk}_{M_1,\ldots,M_i} \cdot \prod_{j=1}^{n} h_{j,M_j}\big)$, where $\mathit{sgk}_{M_1,\ldots,M_i} = R(M_1, \ldots, M_i)$ for a truly random function R. Similarly, a forged message-signature pair $(M^*, \sigma^*)$ from A is only considered valid if it is consistent with $\mathit{sgk}_{M^*_1,\ldots,M^*_i}$ (instead of $\mathit{sgk}$). In other words, in the i-th hybrid, the secret key used in signatures depends on the first i bits of the signed message. Thus, the difference between the (i−1)-th and the i-th hybrid is an additional dependency of the used secret keys on the i-th message bit $M_i$.

To progress from hybrid i−1 to hybrid i, Chen and Wee first partition the message space into two halves (according to $M_i$). Then, using an elaborate argument, they consistently modify the secret keys used for messages from one half, and thus essentially decouple those keys from the keys used for messages from the other half. This creates an additional dependency on $M_i$. After n = |M| such steps, each signature uses a different secret key (up to multiple signatures of the same message). In particular, A gets no information about the secret key $\mathit{sgk}_{M^*_1,\ldots,M^*_n}$ used to verify its own forgery, and existential unforgeability follows.

We would like to highlight the partitioning character of their analysis: in their proof, Chen
and Wee introduce more and more dependencies of signatures on the corresponding messages, and each such dependency is based upon a different partitioning of the message space.[fn. 6] Now observe that regular signatures (as in (1)) already feature distinctions based on all bits of M. These distinctions provide the technical tool to introduce dependencies in the security proof. However, as a consequence, rather complex joint distributions need to be sampled during signature generation, which results in public parameters of O(n) group elements.

Footnote 6: We note that a similar technique has also been used in the context of pseudorandom functions [25, 33].

Algebraic partitioning. In a nutshell, our main technical tool is a new way to partition the message space of a signature scheme. We call this tool algebraic partitioning. Concretely, a signature for a message $M \in \mathbb{Z}_p$ in our scheme consists essentially of an encryption of the secret key X, along with a consistency proof:

$$\sigma = \big( C = \mathrm{Enc}(\mathit{pk}, X),\; \pi \big). \qquad (2)$$

The corresponding encryption key pk is part of the verification key vk, and the consistency proof π proves the following statement:

Either C encrypts the secret key X, or $f(M) \in \mathbb{Z}_p$ is a quadratic residue (or both).

Here, p is the order of the underlying group, and $f : \mathbb{Z}_p \to \mathbb{Z}_p$ is an affine function fixed (but hidden) in the verification key. Implicitly, this provides a single partitioning of messages into those for which f(M) is a quadratic residue, and those for which f(M) is not. However, since f is hidden, many partitionings can be induced (one after the other) by varying f during a proof. In fact, during the security proof, this partitioning will fulfill the same role as the bit-based partitioning in the analysis of Chen and Wee. In particular, it will help to introduce additional dependencies of the signature on the message. More specifically, in the i-th hybrid of the security proof, C will not encrypt X, but a value $X_M$ that depends on the Legendre symbols $\left(\frac{f_j(M)}{p}\right)$ for randomly chosen (but fixed) affine functions $f_1, \ldots, f_i$. Each new such dependency is introduced by first refreshing the affine function f hidden in vk, and then modifying all values encrypted in signatures whenever possible (i.e., whenever f(M) is a quadratic residue).[fn. 7] Observe that the single explicit partitioning in regular signatures is used several times (for different $f_j$) to introduce many dependencies of signatures on messages in the proof. The remaining strategy can then be implemented as in [15].

Footnote 7: This neglects a number of details. For instance, in the somewhat simplified scheme above, π always ties the ciphertexts in signatures for quadratic non-residues f(M) to a single value X. In our actual proof, we will thus simulate a part of π, such that the encrypted values can be decoupled from the original secret key X.

Our different strategy to partition the message space results in a very compact scheme. Namely, since only one explicit partitioning step is performed in the scheme, parameters, keys, and signatures comprise only a constant number of group elements. Specifically, parameters, keys, and signatures contain 14, 6, and 25 group elements, respectively. Besides, our scheme is compatible with Groth-Sahai proofs [26]. Hence, when used in the construction of [28], we immediately get the first compact (in the above sense) PKE scheme that is tightly IND-CCA secure under a simple assumption.[fn. 8]

Footnote 8: Actually, plugging our scheme directly into the construction of [28] yields an asymptotically compact, but not very efficient scheme. Thus, we provide a more direct and efficient explicit PKE construction with parameters, public keys, and ciphertexts comprised of 15, 2, and 60 group elements, respectively.

Different perspective: our scheme as a MAC. So far, our high-level discussion can equally be used to justify a similar message authentication code (MAC), in which verification is non-public. Such a MAC can then be converted into a signature scheme, e.g., using the technique of Bellare and Goldwasser [4].[fn. 9] One could hope that this yields a more modular construction, possibly with a MAC as a simpler basic building block. (In particular, this approach was suggested by a reviewer.) In this work, we still present our idea directly in terms of a signature scheme. One reason is that a MAC following the strategy described above would actually not be significantly less complex than a full signature scheme. In particular, already a MAC would require Groth-Sahai proofs. Moreover, a modular approach in the spirit of [4] would require algebraically compatible building blocks (to allow for an efficient and tightly secure overall scheme), and would seem to lead to a more complex presentation.

Footnote 9: In a signature scheme derived using the conversion of Bellare and Goldwasser, the verification key contains an encryption of the MAC secret key. A signature for a message M then consists of a MAC tag τ for M, along with a non-interactive zero-knowledge proof that τ is valid relative to the encrypted MAC key.

Open problems. Besides of course obtaining more efficient (and compact) schemes, it would be interesting to apply similar ideas in the identity-based setting. Specifically, currently there is no fully compact identity-based encryption (IBE) scheme whose security can be tightly based on a standard assumption.[fn. 10] However, it is not obvious how to use algebraic partitioning in the identity-based setting. Specifically, it is not clear how to derive functionality from valid signature proofs, in the following sense. Namely, first note that IBE schemes can be interpreted as signature schemes, in a sense noted by Naor (cf. [11]): IBE user secret keys for an identity M correspond to signatures for message M, and verification simply checks whether the alleged signature works as a decryption key for identity M. It is natural to use the same interpretation to try to upgrade a signature scheme to an IBE scheme. For this strategy, however, one must find a way to make a signature σ act as a decryption trapdoor, and thus to derive functionality from σ (as opposed to just checking σ for validity). In common discrete-log-based IBE schemes, this functionality property is achieved by the fact that a pairing operation is used to pair IBE user secret keys with ciphertext elements. The result of this pairing operation is then a common secret that is shared between encryptor and decryptor. Our strategy, however, crucially uses quadratic $\mathbb{Z}_p$-equations in signatures (to implement the algebraic partitioning of messages). In particular, our signature scheme uses a pairing operation already to implement these quadratic equations (even though signatures in our scheme consist solely of group elements in the source group of the pairing). As a consequence, the pairing operation cannot be used anymore to derive a common secret shared with the encryptor. Hence, at least a straightforward way to turn our signature scheme into an IBE scheme fails.[fn. 11]

Footnote 10: The schemes of [22, 23] are tightly secure and fully compact, but rely on a nonstandard (q-type) assumption. On the other hand, IBE schemes obtained through the dual systems technique (e.g., [37, 31]) are compact and secure under standard assumptions, but not known to be tightly secure.

Footnote 11: We realize that this explanation is somewhat technical and may not seem very compelling. We wish we had a better one.

Roadmap. After recalling some basic definitions, we present our signature scheme in Section 3. In Section 4, we give a direct construction of a PKE scheme derived from our signature scheme. In Appendix A, we give more details on the exact Groth-Sahai equations arising from the consistency proofs of signatures and ciphertexts. In Appendix B, we provide additional illustrations for the proof of our signature scheme.

Acknowledgements. The author would like to thank Eike Kiltz, Julia Hesse, Willi Geiselmann, and the anonymous reviewers for helpful feedback.

2 Preliminaries

Notation. Throughout the paper, $k \in \mathbb{N}$ denotes the security parameter. For $n \in \mathbb{N}$, let $[n] := \{1, \ldots, n\}$. For a finite set S, we denote with $s \leftarrow S$ the process of sampling s uniformly from S. For a probabilistic algorithm A, we denote with $y \leftarrow A(x; R)$ the process of running A on input x and with randomness R, and assigning y the result. We write $y \leftarrow A(x)$ for
$y \leftarrow A(x; R)$ with uniformly chosen R, and we write $A(x) = y$ for the event that $A(x; R)$ (for uniform R) outputs y. If A's running time is polynomial in k, then A is called probabilistic polynomial-time (PPT). A function $f : \mathbb{N} \to \mathbb{R}$ is negligible if it vanishes faster than the inverse of any polynomial (i.e., if $\forall c\ \exists k_0\ \forall k \geq k_0 : f(k) \leq 1/k^c$).

Collision-resistant hashing. A hash function generator is a PPT algorithm $\mathcal{H}$ that, on input $1^k$, outputs (the description of) an efficiently computable function $H : \{0,1\}^* \to \{0,1\}^k$.

Definition 2.1 (Collision-resistance). We say that a hash function generator $\mathcal{H}$ outputs collision-resistant functions H (or, when the reference to $\mathcal{H}$ is clear, that such an H is collision-resistant), if

$$\mathrm{Adv}^{\mathrm{cr}}_{\mathcal{H},A}(k) = \Pr\big[\, x \neq x' \wedge H(x) = H(x') \;:\; H \leftarrow \mathcal{H}(1^k),\ (x, x') \leftarrow A(1^k, H) \,\big]$$

is negligible for every PPT adversary A.

Signature schemes. A signature scheme SIG consists of four PPT algorithms (SPars, SGen, Sig, Ver). Parameter generation SPars($1^k$) outputs public parameters spp that are shared among all users. Key generation SGen(spp) takes public parameters spp, and outputs a verification key vk and a signing key sgk. The signature algorithm Sig(spp, sgk, M) takes public parameters spp, a signing key sgk, and a message M, and outputs a signature σ. Verification Ver(spp, vk, M, σ) takes public parameters spp, a verification key vk, a message M, and a potential signature σ, and outputs a verdict $b \in \{0,1\}$. For correctness, we require that Ver(spp, vk, M, σ) = 1 always and for all M, all (vk, sgk) ← SGen(spp), and all σ ← Sig(spp, sgk, M). For the sake of readability, we will omit the public parameters spp from invocations of Sig and Ver when the reference is clear.

Definition 2.2 (Multi-user (one-time) existential unforgeability). Let SIG be a signature scheme as above, and consider the following experiment for an adversary A:

1. A specifies (in unary) the number $n_U \in \mathbb{N}$ of desired scheme instances.
2. The experiment then samples parameters spp ← SPars($1^k$) as well as $n_U$ keypairs $(\mathit{vk}^{(l)}, \mathit{sgk}^{(l)}) \leftarrow \mathrm{SGen}(\mathit{spp})$.
3.
A is invoked on input $(1^k, \mathit{spp}, (\mathit{vk}^{(l)})_{l=1}^{n_U})$, and gets access to signing oracles $\mathrm{Sig}(\mathit{sgk}^{(l)}, \cdot)$ for all $l \in [n_U]$. Finally, A outputs an index $l^* \in [n_U]$ and a potential forgery $(M^*, \sigma^*)$.
4. A wins iff $\mathrm{Ver}(\mathit{vk}^{(l^*)}, M^*, \sigma^*) = 1$ and $M^*$ has not been queried to $\mathrm{Sig}(\mathit{sgk}^{(l^*)}, \cdot)$.

Let $\mathrm{Adv}^{\text{euf-mcma}}_{\mathrm{SIG},A}(k)$ denote the probability that A wins in the above experiment. We say that SIG is existentially unforgeable under chosen-message attacks in the multi-user setting (EUF-mCMA secure) iff $\mathrm{Adv}^{\text{euf-mcma}}_{\mathrm{SIG},A}(k)$ is negligible for every PPT A. Let $\mathrm{Adv}^{\text{ot-euf-mcma}}_{\mathrm{SIG},A}(k)$ be the probability that A wins in the slightly modified experiment in which only one Sig-query to each scheme instance l is allowed. We say that SIG is existentially unforgeable under one-time chosen-message attacks in the multi-user setting (OT-EUF-mCMA secure) iff $\mathrm{Adv}^{\text{ot-euf-mcma}}_{\mathrm{SIG},A}(k)$ is negligible for every PPT A.

Public-key encryption schemes. A public-key encryption (PKE) scheme PKE consists of four PPT algorithms (EPars, EGen, Enc, Dec). The parameter generation algorithm EPars($1^k$) outputs public parameters epp. Key generation EGen(epp) outputs a public key pk and a secret key sk. Encryption Enc(epp, pk, M) takes parameters epp, a public key pk, and a message M, and outputs a ciphertext C. Decryption Dec(epp, sk, C) takes public parameters epp, a secret key sk, and a ciphertext C, and outputs a message M. For correctness, we require Dec(epp, sk, C) = M always and for all M, all epp ← EPars($1^k$), all (pk, sk) ← EGen(epp), and all C ← Enc(epp, pk, M). As with signatures, we usually omit the public parameters epp from invocations of Enc and Dec.

Definition 2.3 (Multi-user, multi-challenge indistinguishability of ciphertexts). For a public-key encryption scheme PKE and an adversary A, consider the following security experiment $\mathrm{Exp}^{\text{ind-mcca}}_{\mathrm{PKE},A}(k)$:
1. A specifies (in unary) the number $n_U \in \mathbb{N}$ of desired scheme instances.
2. The experiment samples parameters epp ← EPars($1^k$), and $n_U$ keypairs through $(\mathit{pk}^{(l)}, \mathit{sk}^{(l)}) \leftarrow \mathrm{EGen}(\mathit{epp})$, and uniformly chooses a bit $b \leftarrow \{0,1\}$.
3. A is invoked on input $(1^k, \mathit{epp}, (\mathit{pk}^{(l)})_{l=1}^{n_U})$, and gets access to challenge oracles $O^{(l)}$ and decryption oracles $\mathrm{Dec}(\mathit{sk}^{(l)}, \cdot)$ for all $l \in [n_U]$. Here, challenge oracle $O^{(l)}$, on input two messages $M_0, M_1$, outputs an encryption $C \leftarrow \mathrm{Enc}(\mathit{pk}^{(l)}, M_b)$ of $M_b$.
4. Finally, A outputs a bit $b'$, and the experiment outputs 1 iff $b = b'$.

A PPT adversary A is valid if every pair $(M_0, M_1)$ of messages submitted to an $O^{(l)}$ by A satisfies $|M_0| = |M_1|$, and if A never submits any challenge ciphertext (previously received from an $O^{(l)}$) to the corresponding decryption oracle $\mathrm{Dec}(\mathit{sk}^{(l)}, \cdot)$. Let

$$\mathrm{Adv}^{\text{ind-mcca}}_{\mathrm{PKE},A}(k) = \Pr\big[\mathrm{Exp}^{\text{ind-mcca}}_{\mathrm{PKE},A}(k) = 1\big] - 1/2.$$

We say that PKE has indistinguishable ciphertexts under chosen-ciphertext attacks in the multi-user, multi-challenge setting (short: is IND-mCCA secure) iff $\mathrm{Adv}^{\text{ind-mcca}}_{\mathrm{PKE},A}(k)$ is negligible for all valid A. Let $\mathrm{Adv}^{\text{ind-mcpa}}_{\mathrm{PKE},A}$ be defined similarly, except that A has no access to any Dec oracles. PKE has indistinguishable ciphertexts under chosen-plaintext attacks in the multi-user, multi-challenge setting (short: is IND-mCPA secure) iff $\mathrm{Adv}^{\text{ind-mcpa}}_{\mathrm{PKE},A}(k)$ is negligible for all valid A.

Quadratic residues and Legendre symbols. Let p be a prime. Then, $\mathrm{QR}_p \subseteq \mathbb{Z}_p^*$ is the set of quadratic residues modulo p, i.e., the set of all $x \in \mathbb{Z}_p^*$ for which an $r \in \mathbb{Z}_p^*$ with $r^2 = x \bmod p$ exists. Given p and an $x \in \mathrm{QR}_p$, such an r can be computed efficiently. For $x \in \mathbb{Z}_p$, we let $\left(\frac{x}{p}\right) = x^{(p-1)/2} \bmod p$ denote the Legendre symbol of x modulo p. We have $\left(\frac{x}{p}\right) \in \{-1, 0, 1\}$, and in particular $\left(\frac{x}{p}\right) = 1 \Leftrightarrow x \in \mathrm{QR}_p$, as well as $\left(\frac{x}{p}\right) = 0 \Leftrightarrow x = 0$, and $\left(\frac{x}{p}\right) = -1 \Leftrightarrow x \in \mathbb{Z}_p^* \setminus \mathrm{QR}_p$.

Group and pairing generators. A group generator $\mathcal{G}$ is a PPT algorithm that, on input $1^k$, outputs the description of a group $\mathbb{G}$, along with its (prime) order p, and a generator g of $\mathbb{G}$.
A pairing generator $\mathcal{P}$ is a PPT algorithm that, on input $1^k$, outputs descriptions of: three groups $\mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T$ of the same prime order p, along with p, and generators $g, \hat{g}$ of $\mathbb{G}, \hat{\mathbb{G}}$; and a bilinear map $e : \mathbb{G} \times \hat{\mathbb{G}} \to \mathbb{G}_T$ that is non-degenerate in the sense of $e(g, \hat{g}) \neq 1 \in \mathbb{G}_T$. Occasionally, it will also be useful to consider a pairing generator $\mathcal{P}$ as a group generator (that only outputs $(\mathbb{G}, p, g)$ or $(\hat{\mathbb{G}}, p, \hat{g})$).

Assumption 2.4 (Decisional Diffie-Hellman). For a group generator $\mathcal{G}$ and an adversary A, let $\mathrm{Adv}^{\mathrm{ddh}}_{\mathcal{G},A}(k)$ be the following difference:

$$\Pr\big[A(1^k, \mathbb{G}, p, g, g^x, g^y, g^{xy}) = 1\big] - \Pr\big[A(1^k, \mathbb{G}, p, g, g^x, g^y, g^z) = 1\big].$$

Here, the probability is over $(\mathbb{G}, p, g) \leftarrow \mathcal{G}(1^k)$ and uniformly chosen $x, y, z \in \mathbb{Z}_p$. We say that the Decisional Diffie-Hellman (DDH) assumption holds with respect to $\mathcal{G}$ iff $\mathrm{Adv}^{\mathrm{ddh}}_{\mathcal{G},A}$ is negligible for every PPT A. When the reference to $\mathcal{G}$ is clear, we also say that the DDH assumption holds in $\mathbb{G}$ (and write $\mathrm{Adv}^{\mathrm{ddh}}_{\mathbb{G},A}$). On occasion, we might also say that the DDH assumption holds in groups $\mathbb{G}$ or $\hat{\mathbb{G}}$ sampled by a pairing generator, with the obvious meaning.

ElGamal encryption. The ElGamal encryption scheme $\mathrm{PKE}_{\mathrm{eg}}$ is defined as follows, where we assume a suitable group generator $\mathcal{G}$. $\mathrm{EPars}_{\mathrm{eg}}(1^k)$ runs $(\mathbb{G}, p, g) \leftarrow \mathcal{G}(1^k)$ and outputs epp = $(\mathbb{G}, p, g)$. $\mathrm{EGen}_{\mathrm{eg}}(\mathit{epp})$ picks a uniform $\mathit{sk} \in \mathbb{Z}_p$, sets $\mathit{pk} = g^{\mathit{sk}}$, and outputs (pk, sk). Enc(pk, M), for $M \in \mathbb{G}$, picks a uniform $R \in \mathbb{Z}_p$, and outputs $C = (g^R, \mathit{pk}^R \cdot M)$. Dec(sk, C), for $C = (C_1, C_2) \in \mathbb{G}^2$, outputs $M = C_2 / C_1^{\mathit{sk}}$.
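The algebraic partitioning from the introduction, worked through with the Legendre-symbol definitions just given (an added example, not the paper's own code): it evaluates (x/p) by Euler's criterion, exhibits the root r with r² = f(M) that a quadratic equation over Z_p can certify (footnote 1), splits Z_p into the two halves induced by a hidden affine f, checks that enough fingerprints (L_1, ..., L_n) determine M uniquely, and models the message-dependent value X_M of the i-th hybrid. The prime p = 1019 (with p ≡ 3 mod 4 so that square roots are one exponentiation), the seeded choice of the f_j, and SHA-256 standing in for the truly random function R are all constructed for this demonstration.

```python
"""Algebraic partitioning over Z_p via Legendre symbols (toy, added example)."""
import hashlib
import random

# Constructed for the demo: a small prime with P % 4 == 3, so that square roots of
# quadratic residues are x^((P+1)/4); the paper works in groups of order p > 2^k.
P = 1019


def legendre(x, p=P):
    """Legendre symbol (x/p) = x^((p-1)/2) mod p, reported as an element of {-1, 0, 1}."""
    x %= p
    if x == 0:
        return 0
    return 1 if pow(x, (p - 1) // 2, p) == 1 else -1


def sqrt_mod(x, p=P):
    """A root r with r^2 = x (mod p), or None if x is a quadratic non-residue.

    This r is the witness behind footnote 1: instead of computing (f(M)/p),
    a proof can show that the quadratic equation r^2 = f(M) is satisfiable.
    """
    x %= p
    if x == 0:
        return 0
    if legendre(x, p) != 1:
        return None
    r = pow(x, (p + 1) // 4, p)  # valid only because p % 4 == 3
    assert r * r % p == x
    return r


def affine(alpha, beta, p=P):
    """f(x) = alpha * x + beta mod p, the function fixed (but hidden) in the verification key."""
    return lambda x: (alpha * x + beta) % p


def partition(f, p=P):
    """Split Z_p according to whether f(M) is a quadratic residue.

    Messages with (f(M)/p) = 1 are the ones whose encrypted value the hybrid step may
    modify; those with (f(M)/p) = -1 are left alone. A message with f(M) = 0 falls in
    neither half.
    """
    residues = [m for m in range(p) if legendre(f(m), p) == 1]
    non_residues = [m for m in range(p) if legendre(f(m), p) == -1]
    return residues, non_residues


def fingerprint(m, fs):
    """The vector (L_1, ..., L_n) with L_j = (f_j(M)/p)."""
    return tuple(legendre(f(m)) for f in fs)


def fingerprints_determine_message(fs, p=P):
    """True iff the map M -> (L_1, ..., L_n) is injective on all of Z_p."""
    seen = set()
    for m in range(p):
        fp = fingerprint(m, fs)
        if fp in seen:
            return False
        seen.add(fp)
    return True


def random_affine_functions(n, seed, p=P):
    """n affine functions with alpha != 0, drawn from a seeded RNG so runs are reproducible."""
    rng = random.Random(seed)
    return [affine(rng.randrange(1, p), rng.randrange(p), p) for _ in range(n)]


def hybrid_value(x, m, fs, i):
    """The value X_M encrypted in hybrid i: X itself for i = 0, otherwise a value that
    depends on X and on the first i symbols L_1, ..., L_i of M.

    SHA-256 stands in for the truly random function R of the proof (a modelling
    choice for this demo, not the paper's construction).
    """
    if i == 0:
        return x
    tag = ",".join(str(s) for s in fingerprint(m, fs[:i]))
    return int.from_bytes(hashlib.sha256(f"{x}|{tag}".encode()).digest(), "big")


if __name__ == "__main__":
    fs = random_affine_functions(40, seed=2015)
    res, non = partition(fs[0])
    print("partition sizes:", len(res), len(non))
    print("5 functions determine M?", fingerprints_determine_message(fs[:5]))
    print("40 functions determine M?", fingerprints_determine_message(fs))
```

With five functions the fingerprint has at most 3^5 = 243 values, so it cannot be injective on Z_1019 by pigeonhole; with forty independent affine functions it is.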
The ElGamal scheme is tightly IND-mCPA secure under the DDH assumption in $\mathbb{G}$. Concretely, for every valid IND-mCPA adversary A, there is a DDH adversary B (of roughly the same complexity as the IND-mCPA experiment with A) with $\mathrm{Adv}^{\mathrm{ddh}}_{\mathbb{G},B}(k) = \mathrm{Adv}^{\text{ind-mcpa}}_{\mathrm{PKE}_{\mathrm{eg}},A}(k)$.

Groth-Sahai proofs. In a setting with a pairing generator, Groth-Sahai proofs [26] provide a very versatile and efficient way to prove the satisfiability of very general classes of equations over $\mathbb{G}$ and $\hat{\mathbb{G}}$. We will not need them in full generality, and the next definition only captures a number of abstract properties of Groth-Sahai proofs we will use. In particular, we will not formalize the exact classes of languages amenable to Groth-Sahai proofs. (For the exact languages used in our application, however, we give more details in Appendix A.1.) Like [19, 18], we formalize Groth-Sahai proofs as commit-and-prove systems:

Definition 2.5 (GS proofs [26]). The Groth-Sahai proof system for a given pairing generator $\mathcal{P}$ consists of the following PPT algorithms, where gpp denotes group parameters sampled by $\mathcal{P}$.

Common reference strings. HGen(gpp) and BGen(gpp) sample hiding, resp. binding common reference strings (CRSs) CRS.

Commitments. For a (hiding or binding) CRS CRS and a $\mathbb{G}$-, $\hat{\mathbb{G}}$-, or $\mathbb{Z}_p$-element v, the commitment algorithm Com(gpp, CRS, v; R) outputs a commitment C, where R denotes the used random coins.

Proofs. Let CRS be a CRS, and let X be a system of equations. Each equation may be over $\mathbb{G}$, $\hat{\mathbb{G}}$, or $\mathbb{Z}_p$, and involve variables and constants. Let $(v_i)_i$ be a variable assignment that satisfies X, and let $(R_i)_i$ be a vector of random coins for Com. Then Prove(gpp, CRS, X, $(v_i, R_i)_i$) outputs a proof π.

Verification. For a CRS CRS, a system X of equations, a commitment vector $(C_i)_i$ to an assignment of the variables in X, and a proof π, Verify(gpp, CRS, X, $(C_i)_i$, π) outputs a verdict $b \in \{0,1\}$.

Simulation. For a hiding CRS generated as CRS ← HGen(gpp; $R_{\mathrm{CRS}}$), a system X of equations, and a vector $(R_i)_i$ of commitment random coins, Sim(gpp, $R_{\mathrm{CRS}}$, X, $(R_i)_i$) outputs a simulated proof π.
As with signatures and encryption, we usually omit the group parameters gpp on invocations of Com, Prove, Verify, Sim when the reference is clear.

Theorem 2.6 (Properties of GS proofs [26]). The algorithms from Definition 2.5 satisfy the following for all choices of group parameters gpp ← $\mathcal{P}(1^k)$ (unless noted otherwise):

Homomorphic commitments. For any (hiding or binding) CRS CRS, any two given commitments Com(CRS, v; R) and Com(CRS, v'; R') to $\mathbb{G}$-elements v, v' allow one to efficiently compute a commitment Com(CRS, v·v'; R + R') to v·v'. (Note that the corresponding random coins R + R' can be efficiently computed from R and R'.) The same holds for two commitments to $\hat{\mathbb{G}}$-elements, and for two commitments to $\mathbb{Z}_p$-elements (where the homomorphic operation on $\mathbb{Z}_p$-elements is addition).

Dual-mode commitments. Consider a commitment C ← Com(CRS, v; R). If CRS is binding, then C uniquely determines v, and if CRS is hiding, then the distribution of C does not depend on v.

CRS indistinguishability. For every PPT adversary A, there are PPT adversaries $A_1$ and $A_2$ with

$$\Big|\Pr\big[A(1^k, \mathrm{HGen}(\mathit{gpp})) = 1\big] - \Pr\big[A(1^k, \mathrm{BGen}(\mathit{gpp})) = 1\big]\Big| \leq \mathrm{Adv}^{\mathrm{ddh}}_{\mathbb{G},A_1}(k) + \mathrm{Adv}^{\mathrm{ddh}}_{\hat{\mathbb{G}},A_2}(k),$$

where the probability is over gpp ← $\mathcal{P}(1^k)$, and the random coins of HGen, BGen, and A.

Perfect completeness. For every (hiding or binding) CRS CRS, every system X of equations, every satisfying assignment $(v_i)_i$ of X, and every possible vector $(C_i)_i$ of commitments generated through $C_i \leftarrow \mathrm{Com}(\mathrm{CRS}, v_i; R_i)$, we always have Verify(CRS, X, $(C_i)_i$, Prove(CRS, X, $(v_i, R_i)_i$)) = 1.

Perfect soundness. For every binding CRS CRS, every system X of equations that is not satisfiable, and every $(C_i)_i$ and π, Verify(CRS, X, $(C_i)_i$, π) = 0 always.
Perfect simulation. For every hiding CRS $\mathrm{CRS} \leftarrow \mathrm{HGen}(\mathrm{gpp}; R_{\mathrm{CRS}})$, and every system $X$ of equations that is satisfied by a variable assignment $(v_i)_i$, the following two distributions are identical:
$$\bigl((C_i)_i,\ \mathrm{Prove}(\mathrm{CRS}, X, (v_i, R_i)_i)\bigr) \quad \text{for } C_i \leftarrow \mathrm{Com}(\mathrm{CRS}, v_i; R_i) \text{ and fresh } R_i,$$
$$\bigl((C_i)_i,\ \mathrm{Sim}(R_{\mathrm{CRS}}, X, (R_i)_i)\bigr) \quad \text{for } C_i \leftarrow \mathrm{Com}(\mathrm{CRS}, 1; R_i) \text{ and fresh } R_i.$$
(The probability space consists of the $R_i$ and the coins of Prove and Sim.)

Since simulation is perfect (in the sense above), it also holds for reused commitments (i.e., when multiple adaptively chosen statements $X$ that involve the same variables and commitments are proven, see also [18]). Besides, perfect simulation directly implies perfect witness-indistinguishability (under a hiding CRS): for any two vectors $(v_i)_i$ and $(v'_i)_i$ of satisfying assignments of a given system $X$ of equations, the corresponding commitments and proofs $((C_i)_i, \pi)$ and $((C'_i)_i, \pi')$ are identically distributed. Again, this holds even if the same commitments are used in several proofs for adaptively generated statements $X$.

3 The signature scheme

3.1 Scheme description

Setting and ingredients. We assume the following ingredients:

- A pairing generator $P$ that outputs groups $G = \langle g \rangle$ and $\hat{G} = \langle \hat{g} \rangle$ of prime order $p > 2^k$ and an asymmetric pairing $e: G \times \hat{G} \to G_T$. We make the DDH assumption in both $G$ and $\hat{G}$.
- The ElGamal encryption scheme (given by algorithms $\mathrm{EGen}_{\mathrm{eg}}, \mathrm{Enc}_{\mathrm{eg}}, \mathrm{Dec}_{\mathrm{eg}}$) over $G$. (That is, we will use $P$ in place of $\mathrm{EPars}_{\mathrm{eg}}$ to generate the group $G$ for ElGamal.)
- A Groth-Sahai proof system for $P$ (see Definition 2.5), given by algorithms HGen, BGen, Com, Prove, Verify, Sim.

Public parameters. $\mathrm{SPars}(1^k)$ samples group parameters $\mathrm{gpp} = (G, \hat{G}, G_T, p, g, \hat{g}, e) \leftarrow P(1^k)$ and sets $\mathrm{epp}_{\mathrm{eg}} = (G, p, g)$. Then, SPars generates two binding Groth-Sahai CRSs and two ElGamal keypairs:
$$\mathrm{CRS}_1 \leftarrow \mathrm{BGen}(\mathrm{gpp}), \qquad (pk_0, sk_0) \leftarrow \mathrm{EGen}_{\mathrm{eg}}(\mathrm{epp}_{\mathrm{eg}}),$$
$$\mathrm{CRS}_2 \leftarrow \mathrm{BGen}(\mathrm{gpp}), \qquad (pk_1, sk_1) \leftarrow \mathrm{EGen}_{\mathrm{eg}}(\mathrm{epp}_{\mathrm{eg}}).$$
The public parameters are then defined as $\mathrm{spp} = (\mathrm{gpp}, \mathrm{CRS}_1, \mathrm{CRS}_2, pk_0, pk_1)$.

Key generation.
$\mathrm{SGen}(\mathrm{spp})$ first sets up the exponents $Z = X \leftarrow \mathbb{Z}_p$ and $\alpha = \beta = 0$, and commits to them using fresh random coins $R_Z, R_\alpha, R_\beta$:
$$C_\alpha \leftarrow \mathrm{Com}(\mathrm{CRS}_1, \alpha; R_\alpha), \qquad C_\beta \leftarrow \mathrm{Com}(\mathrm{CRS}_1, \beta; R_\beta), \qquad C_Z \leftarrow \mathrm{Com}(\mathrm{CRS}_2, Z; R_Z).$$
We will use that $\alpha, \beta$ define an affine function $f: \mathbb{Z}_p \to \mathbb{Z}_p$ through $f(x) = \alpha \cdot x + \beta \bmod p$.
Verification and signing key are given by
$$vk = (C_Z, C_\alpha, C_\beta), \qquad sgk = (X, R_Z, R_\alpha, R_\beta).$$

Signature generation. $\mathrm{Sig}(sgk, M)$, for $M \in \mathbb{Z}_p$, picks fresh random coins $R$ and encrypts
$$C_0 = \mathrm{Enc}_{\mathrm{eg}}(pk_0, g^{Z_0}; R), \qquad C_1 = \mathrm{Enc}_{\mathrm{eg}}(pk_1, g^{Z_1}; R)$$
for $Z_0 = Z_1 = X \in \mathbb{Z}_p$, using the same coins $R$ in both encryptions for efficiency. Then, Sig generates proofs $\pi_1$ and $\pi_2$ for the respective statements
$$\bigl(\underbrace{Z_0 = Z_1}_{S1} \ \vee\ \underbrace{f(M) \in QR_p \cup \{0\}}_{S2}\bigr) \qquad \text{and} \qquad \underbrace{Z_0 = Z}_{S3}. \tag{3}$$
Here, $Z_0, Z_1, Z, f$ refer to the values encrypted (resp. committed to) in $C_0, C_1, C_Z, (C_\alpha, C_\beta)$. Concretely, Sig generates a proof $\pi_1$ for $S1 \vee S2$ under $\mathrm{CRS}_1$, using as witness $Z_0 = Z_1 = X$ and the encryption coins $R$. Also, Sig computes a proof $\pi_2$ for $S3$ under $\mathrm{CRS}_2$, using as witness $X$ and $R_Z, R$. We stress that $\pi_1$ and $\pi_2$ are independently generated, with different (fresh) Groth-Sahai commitments to the respective witnesses. We describe the exact Groth-Sahai equations for these proofs in Appendix A.1, and give some intuition on the meaning of the statements S1-S3 in Section 3.2 below. The signature is then defined as $\sigma = (C_0, C_1, \pi_1, \pi_2)$.

Verification. $\mathrm{Ver}(\mathrm{spp}, vk, M, \sigma)$ outputs 1 if and only if both proofs $\pi_1$ and $\pi_2$ in $\sigma$ are valid with respect to $M, C_0, C_1, C_Z, C_\alpha, C_\beta$.

Correctness. The completeness of Groth-Sahai proofs implies the correctness of SIG.

Efficiency. SIG has the following efficiency characteristics (cf. Appendix A.1):

- The public parameters consist of 8 $G$- and 6 $\hat{G}$-elements, plus the group parameters gpp.
- Each verification key contains 2 $G$- and 4 $\hat{G}$-elements.
- Each signing key contains 7 $\mathbb{Z}_p$-exponents.
- Each signature contains 11 $G$- and 14 $\hat{G}$-elements.

3.2 Security analysis

More details on the role of $\pi_1$ and $\pi_2$ in signatures. Before we proceed to the proof, we give some intuition on the proofs $\pi_1$ and $\pi_2$ published in signatures (and the statements S1-S3): $\pi_1$ proves that either $C_0$ and $C_1$ encrypt the same value or that the signed message satisfies a special property S2 (or both). In the scheme, all messages are special in this sense (because $f(M) = 0$ for all $M$).
However, in the proof, we can adjust $f$ and, e.g., partition the set of messages into special and non-special ones in a random and roughly balanced way. Intuitively, this provides a means to make the double encryption $(C_0, C_1)$ inconsistent (and subsequently change the encrypted values) in signatures for special messages. At the same time, any valid adversarial forgery on a non-special message (that does not satisfy S2) must carry a consistent double encryption $(C_0, C_1)$.

In the scheme, $\pi_2$ ties the plaintext encrypted in $C_0$ to the master secret $Z$. In the simulation, we will remove that connection by simulating $\pi_2$. Specifically, recall that $\pi_1$ and $\pi_2$ are independently generated, using independently generated Groth-Sahai commitments to the respective witnesses. Thus, in the proof, we can simulate $\pi_2$ without witness (by choosing a hiding $\mathrm{CRS}_2$ and using Sim), while preserving the soundness of $\pi_1$ (assuming $\mathrm{CRS}_1$ is binding). This simulation of $\pi_2$ will be instrumental in changing the message encrypted in $C_0$ (when the signed message is special in the above sense).
Theorem 3.1 (Security of SIG). Under the DDH assumptions in $G$ and $\hat{G}$, the signature scheme SIG from Section 3.1 is EUF-mCMA secure. Concretely, for every EUF-mCMA adversary $A$ on SIG, there exist DDH adversaries $B$ and $B'$ (of roughly the same complexity as the EUF-mCMA experiment with $A$ and SIG) with
$$\mathrm{Adv}^{\mathrm{euf\text{-}mcma}}_{\mathrm{SIG},A}(k) \le (8n+1) \cdot \mathrm{Adv}^{\mathrm{ddh}}_{G,B}(k) + (4n+1) \cdot \mathrm{Adv}^{\mathrm{ddh}}_{\hat{G},B'}(k) + O(n/2^k) \tag{4}$$
for $n = 2\log_2(p) + k$, where $p$ denotes the order of $G$ and $\hat{G}$, and $k$ is the security parameter.

Proof outline. The proof starts with a number of preparations for the core argument. Our main goal during this phase will be to implement an additional and explicit check of $A$'s forgery $\sigma^* = (C_0^*, C_1^*, \pi_1^*, \pi_2^*)$ for $\mathrm{Dec}_{\mathrm{eg}}(sk_0^*, C_0^*) = g^{X^*}$. (Note that in the default key setup, this explicit check is redundant, since valid signatures must fulfill statement S3 from (3).)

In the core argument (from Game 4 to Game 5, detailed in Lemma 3.2), we replace the value $X$ used in generated signatures and the additional forgery check with a value $H(M)$ that depends on the signed message. We start with a constant function $H(M) = X$ (which corresponds to Game 4), and then introduce more and more dependencies of $H(M)$ on the Legendre symbols $\left(\frac{f_j(M)}{p}\right)$ for independently and randomly selected (invertible) affine functions $f_j$.

Each such dependency is introduced as follows. We start by committing to (the coefficients of) a new random function $f$ in $C_\alpha, C_\beta$. This change allows us to modify the messages $Z_0, Z_1$ encrypted in generated signatures for all $M$ with $f(M) \in QR_p \cup \{0\}$ (and only for those $M$), by proving S2 (and not S1) in signatures. We will also abort if $A$'s forgery satisfies $f(M^*) \in QR_p \cup \{0\}$, and we will keep enforcing our forgery check on $C_0^*$. Hence, from $A$'s point of view, an additional dependency on $\left(\frac{f(M)}{p}\right)$ is consistently introduced on all signatures. More importantly, this dependency is also enforced during the additional forgery check.
After sufficiently many such dependencies are introduced (for several different $f$), all signatures are consistently generated with (or checked for) $Z_0 = Z_1 = R(M)$ for a truly random function $R$. At this point, $A$ has to predict a truly random function $R$ on a fresh input $M^*$ in order to produce a valid forgery. Hence, $A$'s forgery success must be negligible.

Figs. 1 and 2 (on page 22 and page 23) give a more technical summary of the game transitions of the proof (also taking into account the notation for the multi-user case). The remainder of this section is devoted to a detailed proof.

Proof of Theorem 3.1. We proceed in games. Let $\mathrm{out}_i$ denote the output of Game $i$. Game 1 is the original EUF-mCMA game with $A$ and SIG. Of course,
$$\Pr[\mathrm{out}_1 = 1] = \mathrm{Adv}^{\mathrm{euf\text{-}mcma}}_{\mathrm{SIG},A}(k). \tag{5}$$

In the following, we apply a superscript to variables to denote to which SIG instance they belong. For instance, we denote with $X^{(l)}$ and $sk_0^{(l)}, sk_1^{(l)}$ the respective values from the $l$-th used SIG instance. Furthermore, we write $X^*$ for $X^{(l^*)}$ for the challenge instance $l^*$ selected by $A$ for his forgery, and similarly for $sk_0^*$ and $sk_1^*$.

In Game 2, we implement an additional forgery check. Concretely, we only consider a forgery $\sigma^* = (C_0^*, C_1^*, \pi_1^*, \pi_2^*)$ from $A$ as valid if $\pi_1^*$ and $\pi_2^*$ are valid and if $\mathrm{Dec}_{\mathrm{eg}}(sk_0^*, C_0^*) = g^{X^*}$. (Otherwise, the game outputs 0.) This change is purely conceptual: indeed, since $\mathrm{CRS}_2$ is binding, we can use the soundness of Groth-Sahai proofs. Thus, any valid proof $\pi_2^*$ guarantees that S3 (from (3)) holds, and so $\mathrm{Dec}_{\mathrm{eg}}(sk_0^*, C_0^*) = g^{X^*}$. We obtain
$$\Pr[\mathrm{out}_2 = 1] = \Pr[\mathrm{out}_1 = 1]. \tag{6}$$
In Game 3, we generate both $\mathrm{CRS}_1$ and $\mathrm{CRS}_2$ as hiding CRSs, using HGen. The CRS indistinguishability of Groth-Sahai proofs yields
$$\bigl|\Pr[\mathrm{out}_3 = 1] - \Pr[\mathrm{out}_2 = 1]\bigr| = \mathrm{Adv}^{\mathrm{ddh}}_{G,B_3}(k) + \mathrm{Adv}^{\mathrm{ddh}}_{\hat{G},B'_3}(k) \tag{7}$$
for suitable DDH adversaries $B_3$ and $B'_3$. (Here, we use the re-randomizability of DDH tuples. This enables a reduction that loses only a factor of 1 instead of 2.)

In Game 4, we simulate all proofs $\pi_2$ in signatures generated for $A$, using the Groth-Sahai simulator Sim (on input the random coins $R_{\mathrm{CRS}}$ used to prepare $\mathrm{CRS}_2$). We also generate the corresponding commitments $C_Z$ in all verification keys as $C_Z \leftarrow \mathrm{Com}(\mathrm{CRS}_2, 1)$. We stress that all $X^{(l)}$ are still chosen randomly, and all signatures are generated with encryptions $C_0, C_1$ of $X^{(l)}$. By the simulation property of Groth-Sahai proofs (see Theorem 2.6 and the following comment concerning the reuse of commitments), these changes do not affect $A$'s view:
$$\Pr[\mathrm{out}_4 = 1] = \Pr[\mathrm{out}_3 = 1]. \tag{8}$$

In Game 5, we change the generation of signatures and the forgery check from Game 2 as follows. To describe these changes, let $R^{(l)}: \mathbb{Z}_p \to \mathbb{Z}_p$ (for all scheme instances $l \in [n_U]$) be truly random functions. Our changes in Game 5 are then as follows:

- All signatures generated for $A$ contain encryptions $C_0, C_1$ of exponents $Z_0 = Z_1 = R^{(l)}(M)$ (encoded as $g^{Z_0}, g^{Z_1}$) instead of $Z_0 = Z_1 = X^{(l)}$, where $M$ is the signed message. As in Game 4, the proof $\pi_1$ is generated using a witness for S1 from (3), and $\pi_2$ is simulated.
- Any forgery $\sigma^* = (C_0^*, C_1^*, \pi_1^*, \pi_2^*)$ for a (fresh) message $M^*$ from $A$ is considered valid only if $\pi_1^*$ and $\pi_2^*$ are valid and $\mathrm{Dec}_{\mathrm{eg}}(sk_0^*, C_0^*) = g^{R^*(M^*)}$ holds. Otherwise, the game outputs 0. (Again, we use the shorthand notation $R^* = R^{(l^*)}$ for the challenge instance $l^*$.)

In particular, the second change implies that
$$\Pr[\mathrm{out}_5 = 1] \le 1/(p-1) \le 1/2^k, \tag{9}$$
since $R^*(M^*)$ is information-theoretically hidden from $A$. Hence, it remains to relate Game 4 and Game 5:

Lemma 3.2.
For $n = 2\log_2(p) + k$ and suitable DDH adversaries $B_5$ and $B'_5$, we have
$$\bigl|\Pr[\mathrm{out}_5 = 1] - \Pr[\mathrm{out}_4 = 1]\bigr| \le 8n \cdot \mathrm{Adv}^{\mathrm{ddh}}_{G,B_5}(k) + 4n \cdot \mathrm{Adv}^{\mathrm{ddh}}_{\hat{G},B'_5}(k) + O(n/2^k). \tag{10}$$

Before we prove Lemma 3.2, we remark that putting together (5)-(10), we obtain (4), which is sufficient to show Theorem 3.1.

Proof of Lemma 3.2. We will consider a series of hybrid games between Game 4 and Game 5. Concretely, Game 4.i (for $i \ge 0$) is defined like Game 4, except for the following changes:

- We initially uniformly and independently choose invertible affine functions $f_j: \mathbb{Z}_p \to \mathbb{Z}_p$ (for $j \in [i]$). The $f_j$ define a partial fingerprint function $L_i: \mathbb{Z}_p \to \{-1, 0, 1\}^i$ through
$$L_i(M) = \left( \left(\frac{f_1(M)}{p}\right), \ldots, \left(\frac{f_i(M)}{p}\right) \right). \tag{11}$$
- For every scheme instance $l \in [n_U]$, let $H_i^{(l)}: \mathbb{Z}_p \to \mathbb{Z}_p$ be the composition of $L_i$ with a truly random function $R_i^{(l)}: \{-1, 0, 1\}^i \to \mathbb{Z}_p$ (so that $H_i^{(l)}(M) = R_i^{(l)}(L_i(M))$).
- Signatures for $A$ contain encryptions $C_0, C_1$ of exponents $Z_0 = Z_1 = H_i^{(l)}(M)$.
- Any forgery $\sigma^* = (C_0^*, C_1^*, \pi_1^*, \pi_2^*)$ for a (fresh) message $M^*$ from $A$ is considered valid only if $\pi_1^*$ and $\pi_2^*$ are valid and $\mathrm{Dec}_{\mathrm{eg}}(sk_0^*, C_0^*) = g^{H_i^{(l^*)}(M^*)}$.
Note that every $H_0^{(l)}$ is a constant function that maps every input $M$ to the same random value. Hence, Game 4.0 is identical to Game 4:
$$\Pr[\mathrm{out}_{4.0} = 1] = \Pr[\mathrm{out}_4 = 1]. \tag{12}$$
Conversely, for large enough $i$ and with high probability, the fingerprint function $L_i$ becomes injective, so that all $H_i^{(l)}$ become independent truly random functions from $\mathbb{Z}_p$ to $\mathbb{Z}_p$:

Lemma 3.3. For $n = 2\log_2(p) + k$, the function $L_n$ from (11) is injective, except with probability $1/2^k$ (over the choice of the invertible affine functions $f_j: \mathbb{Z}_p \to \mathbb{Z}_p$).

We postpone a proof of Lemma 3.3 for now. Hence, the functions $H_n^{(l)} = R_n^{(l)} \circ L_n$ used in Game 4.n (for $n = 2\log_2(p) + k$) are statistically close to truly random functions $R^{(l)}$ (as used in Game 5):
$$\bigl|\Pr[\mathrm{out}_{4.n} = 1] - \Pr[\mathrm{out}_5 = 1]\bigr| \le 1/2^k. \tag{13}$$

The algebraic partitioning. Thus, we only need to show that there is no detectable difference between Game 4.i and Game 4.(i+1) for any $i$. We do so using a hybrid argument (i.e., a sequence of games) that interpolates between Game 4.i and Game 4.(i+1). (See Fig. 2 for an overview.) In short, we first refresh the affine function $f$ from $C_\alpha, C_\beta$ to a fresh random (but invertible) affine function $f$. Next, we use $f$ to implement a different treatment of signatures, depending on $\left(\frac{f(M)}{p}\right)$. We detail these steps in the following.

Concretely, Game 4.i.0 is identical to Game 4.i. Thus,
$$\Pr[\mathrm{out}_{4.i.0} = 1] = \Pr[\mathrm{out}_{4.i} = 1]. \tag{14}$$

Step 1: refresh $f$. In Game 4.i.1, we initially choose an invertible affine function $f: \mathbb{Z}_p \to \mathbb{Z}_p$ uniformly, and we abort (with output 0) if the message $M^*$ for which $A$ finally prepares a forgery satisfies $f(M^*) \in QR_p \cup \{0\}$. We stress that $f$ is not (yet) committed to in any $C_\alpha, C_\beta$, and thus completely hidden from $A$. Hence, an abort occurs with probability $\frac{p+1}{2p} = \frac{1}{2} + \frac{1}{2p}$, independently of $A$'s view, so
$$\Pr[\mathrm{out}_{4.i.1} = 1] = \left(\frac{1}{2} - \frac{1}{2p}\right) \cdot \Pr[\mathrm{out}_{4.i.0} = 1] \ \ge\ \frac{1}{2} \cdot \Pr[\mathrm{out}_{4.i.0} = 1] - \frac{1}{2p}. \tag{15}$$

In Game 4.i.2, we commit to the coefficients $f_0, f_1$ of the function $f$ from Game 4.i.1 in $C_\alpha, C_\beta$ for all verification keys (instead of the coefficients $\alpha = \beta = 0$).
Accordingly, we generate all signatures for $A$ by proving statement S2 (and not S1) from (3) whenever possible (i.e., upon all signature queries with $f(M) \in QR_p \cup \{0\}$). Since $\mathrm{CRS}_1$ is hiding, we can use the witness-indistinguishability of Groth-Sahai proofs to obtain
$$\Pr[\mathrm{out}_{4.i.2} = 1] = \Pr[\mathrm{out}_{4.i.1} = 1]. \tag{16}$$

Step 2: use $f$ to decouple signatures. To describe our change in Game 4.i.3, recall that in Game 4.i.2, the function $H_i^{(l)}$ is used both to determine the values $Z_0 = Z_1 = H_i^{(l)}(M)$ encrypted in $C_0, C_1$ upon signature queries, and to implement the forgery check. In Game 4.i.3, we use three such functions $H_i^{(l)}, Z_i^{(l)}, Q_i^{(l)}: \mathbb{Z}_p \to \mathbb{Z}_p$. Each of these functions is defined like $H_i^{(l)}$, for the same fingerprint function $L_i$, but with different (i.e., independently chosen) random functions $R_i^{(l)}$. (In other words, we can write $H_i^{(l)} = F \circ L_i$, $Z_i^{(l)} = F' \circ L_i$, and $Q_i^{(l)} = F'' \circ L_i$ for independently random functions $F, F', F'': \{-1, 0, 1\}^i \to \mathbb{Z}_p$. Intuitively, thus, $Z_i^{(l)}$ and $Q_i^{(l)}$ are decoupled copies of $H_i^{(l)}$.)
Our goal will be to use the functions $H_i^{(l)}, Z_i^{(l)}, Q_i^{(l)}$ for messages $M$ satisfying $f(M) \notin QR_p \cup \{0\}$, $f(M) = 0$, and $f(M) \in QR_p$, respectively. (Hence the symbols $Z$ and $Q$.) This will be conceptually identical to using a single function $H_{i+1}^{(l)}$ for all messages of a given scheme instance $l$. At this point, however, we can only partially implement this strategy, since we can only replace the messages encrypted in $C_1$, but not those from $C_0$. (Indeed, $sk_0^*$ is still required to implement the additional forgery check in Game 4.i.3.)

Thus, in Game 4.i.3, for every scheme instance $l \in [n_U]$, we use the respective function $H_i^{(l)}$ to generate all ciphertexts $C_0, C_1$ in signatures (as in Game 4.i.2), with the following exceptions:

- For signature queries with $f(M) = 0$, we encrypt $Z_1 = Z_i^{(l)}(M)$ (instead of $Z_1 = H_i^{(l)}(M)$) in the ciphertext $C_1$ of the generated signature.
- For signature queries with $f(M) \in QR_p$, we encrypt $Z_1 = Q_i^{(l)}(M)$ in $C_1$.

Note that for signatures with $f(M) \in QR_p \cup \{0\}$, the random coins used to generate $C_1$ (or $C_0$) are not used as a witness in the process of constructing $\pi_1$. Furthermore, no secret key $sk_1^{(l)}$ has to be known to the game. A reduction to the (tight) IND-mCPA security of ElGamal yields
$$\sum_{i=0}^{n-1} \bigl|\Pr[\mathrm{out}_{4.i.3} = 1] - \Pr[\mathrm{out}_{4.i.2} = 1]\bigr| = n \cdot \mathrm{Adv}^{\mathrm{ddh}}_{G,B_{4.i.3}}(k) \tag{17}$$
for a suitable DDH adversary $B_{4.i.3}$. (We note that even though the random coins $R$ of $C_1$ are not known explicitly to $B_{4.i.3}$, a $C_0$ with reused $R$ can be constructed from $sk_0^{(l)}$ and a given $g^R$.)

Our next step will be to replace the values encrypted in $C_0$ in a similar way. To do so, however, we need some preparations, since Game 4.i.3 still knows the secret keys $sk_0^{(l)}$ (to finally implement the forgery check). Fortunately, however, we can alternatively use the $sk_1^{(l)}$ to implement this check. (To see why this yields the same functionality, recall that by our abort rule from Game 4.i.1, we may restrict to forgeries with $f(M^*) \notin QR_p \cup \{0\}$. However, by (3), a valid forgery for such a message must contain $C_0^*$ and $C_1^*$ that encrypt the same message.)
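The following Python is an added example, not code from the paper. It models the double encryption $(C_0, C_1)$ of the signature generation in Section 3.1 together with the coin-reuse remark after (17): ElGamal over a toy group (the order-$p$ subgroup of $\mathbb{Z}_q^*$ for the safe prime $q = 2p + 1$ with $p = 1019$, generator $4$, and seeded randomness are all assumptions made for the demonstration), both ciphertexts sharing one $R$, the explicit check $\mathrm{Dec}_{\mathrm{eg}}(sk_0, C_0) = g^X$ of Game 2, the consistency test behind statement S1, and how a party that sees only $g^R$ but holds $sk_0$ can still form a $C_0$ with the same coins.

```python
"""ElGamal double encryption with shared coins, as in Sig(sgk, M) of Section 3.1.

Added example, not the paper's code. The group is a toy one: the order-p
subgroup of Z_q^* for the safe prime q = 2p + 1 (p = 1019, q = 2039), with
generator g = 4. Exponents Z_0, Z_1 live in Z_p and are encoded as g^Z, exactly
as the scheme encodes them; ciphertexts are ElGamal pairs (g^R, pk^R * m).
"""
import random

P = 1019            # subgroup order p (assumption: a small prime for the demo)
Q = 2 * P + 1       # safe prime q = 2039, so Z_q^* has a subgroup of order p
G = 4               # 4 = 2^2 generates the order-p subgroup of Z_q^*

def encode(z):
    """Encode an exponent Z in Z_p as the group element g^Z."""
    return pow(G, z % P, Q)

def keygen(rng):
    """EGen_eg: sk <- Z_p, pk = g^sk."""
    sk = rng.randrange(1, P)
    return pow(G, sk, Q), sk

def encrypt(pk, m, coins):
    """Enc_eg(pk, m; R) = (g^R, pk^R * m)."""
    return pow(G, coins, Q), (pow(pk, coins, Q) * m) % Q

def decrypt(sk, ct):
    """Dec_eg(sk, (c1, c2)) = c2 * c1^(-sk); the inverse is taken via Fermat."""
    c1, c2 = ct
    shared = pow(c1, sk, Q)
    return (c2 * pow(shared, Q - 2, Q)) % Q

def double_encrypt(pk0, pk1, z0, z1, coins):
    """(C_0, C_1) = (Enc(pk_0, g^Z_0; R), Enc(pk_1, g^Z_1; R)) with one R."""
    return encrypt(pk0, encode(z0), coins), encrypt(pk1, encode(z1), coins)

def forgery_check(sk0, c0, x):
    """The explicit check of Game 2: Dec_eg(sk_0, C_0) == g^X."""
    return decrypt(sk0, c0) == encode(x)

def is_consistent(sk0, sk1, c0, c1):
    """Statement S1 (Z_0 = Z_1), decided with both secret keys."""
    return decrypt(sk0, c0) == decrypt(sk1, c1)

def rebuild_c0_from_gR(sk0, g_R, z0):
    """The trick noted after (17): given only g^R (not R) and sk_0,
    pk_0^R = (g^R)^sk_0, so a C_0 with the same coins can still be formed."""
    return g_R, (pow(g_R, sk0, Q) * encode(z0)) % Q

def demo(seed=7):
    """Run the whole flow once and report every check as a dict of booleans."""
    rng = random.Random(seed)
    pk0, sk0 = keygen(rng)
    pk1, sk1 = keygen(rng)
    x = rng.randrange(P)          # the signing exponent X
    coins = rng.randrange(1, P)   # fresh coins R shared by C_0 and C_1
    c0, c1 = double_encrypt(pk0, pk1, x, x, coins)
    bad_c0, bad_c1 = double_encrypt(pk0, pk1, x, x + 1, coins)  # inconsistent pair
    return {
        "shared_first_component": c0[0] == c1[0],
        "forgery_check_passes": forgery_check(sk0, c0, x),
        "honest_pair_consistent": is_consistent(sk0, sk1, c0, c1),
        "tampered_pair_consistent": is_consistent(sk0, sk1, bad_c0, bad_c1),
        "rebuilt_c0_matches": rebuild_c0_from_gR(sk0, c0[0], x) == c0,
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The inconsistent pair in `demo` is exactly what the proof produces for special messages once S2 is proven instead of S1; `rebuild_c0_from_gR` is why the reduction in Game 4.i.3 can keep the two ciphertexts on the same coins without ever learning $R$.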
As a first step, in Game 4.i.4, we initially generate a binding CRS $\mathrm{CRS}_1$ (using $\mathrm{CRS}_1 \leftarrow \mathrm{BGen}(\mathrm{gpp})$). The CRS indistinguishability of Groth-Sahai proofs ensures that
$$\sum_{i=0}^{n-1} \bigl|\Pr[\mathrm{out}_{4.i.4} = 1] - \Pr[\mathrm{out}_{4.i.3} = 1]\bigr| = n \cdot \left(\mathrm{Adv}^{\mathrm{ddh}}_{G,B_{4.i.4}}(k) + \mathrm{Adv}^{\mathrm{ddh}}_{\hat{G},B'_{4.i.4}}(k)\right) \tag{18}$$
for suitable DDH adversaries $B_{4.i.4}$ and $B'_{4.i.4}$.

Next, in Game 4.i.5, we implement the forgery check rule from Game 2 using $sk_1^*$ (and not $sk_0^*$). That is, when $A$ submits a forgery $\sigma^* = (C_0^*, C_1^*, \pi_1^*, \pi_2^*)$, we check if $\mathrm{Dec}_{\mathrm{eg}}(sk_1^*, C_1^*) = g^{H_i^{(l^*)}(M^*)}$ holds (and reject the forgery if not). We may assume that $f(M^*) \notin QR_p \cup \{0\}$ (since otherwise, we trivially abort anyway). But for such $M^*$, a valid forgery must fulfill S1 from (3), since at this point, $\mathrm{CRS}_1$ is binding. In other words, we have $\mathrm{Dec}_{\mathrm{eg}}(sk_1^*, C_1^*) = g^{H_i^{(l^*)}(M^*)}$ if and only if $\mathrm{Dec}_{\mathrm{eg}}(sk_0^*, C_0^*) = g^{H_i^{(l^*)}(M^*)}$. Hence, the change in Game 4.i.5 is purely conceptual, and we get:
$$\Pr[\mathrm{out}_{4.i.5} = 1] = \Pr[\mathrm{out}_{4.i.4} = 1]. \tag{19}$$

Since we no longer use $sk_0^*$ (or the random coins from any $C_1$ generated upon a signature query), we can continue with our strategy. Specifically, in Game 4.i.6, we generate all ciphertexts $C_0, C_1$ in signatures as follows:

- For queries with $f(M) \notin QR_p \cup \{0\}$, we encrypt $Z_0 = Z_1 = H_i^{(l)}(M)$ in $C_0$ and $C_1$.
- For queries with $f(M) = 0$, we encrypt $Z_0 = Z_1 = Z_i^{(l)}(M)$ in $C_0$ and $C_1$.
- For queries with $f(M) \in QR_p$, we encrypt $Z_0 = Z_1 = Q_i^{(l)}(M)$ in $C_0$ and $C_1$.
Observe that the only difference to Game 4.i.5 is that the messages $Z_0$ encrypted in ciphertexts $C_0$ in signatures with $f(M) \in QR_p \cup \{0\}$ are changed. For such encryptions, neither secret key nor random coins are used by the game. Hence, a reduction to the (tight) IND-mCPA security of ElGamal yields
$$\sum_{i=0}^{n-1} \bigl|\Pr[\mathrm{out}_{4.i.6} = 1] - \Pr[\mathrm{out}_{4.i.5} = 1]\bigr| = n \cdot \mathrm{Adv}^{\mathrm{ddh}}_{G,B_{4.i.6}}(k) \tag{20}$$
for a suitable DDH adversary $B_{4.i.6}$. (Again, a reuse of random coins between $C_0$ and $C_1$ is possible since the secret key $sk_1$ is known to $B_{4.i.6}$ during the reduction.)

Step 3: clean up. Now in Game 4.i.6, we handle both signature queries and $A$'s forgery with either $H_i^{(l)}$, $Z_i^{(l)}$, or $Q_i^{(l)}$, depending on the Legendre symbol $\left(\frac{f(M)}{p}\right)$ of $f(M)$. This is equivalent to handling all messages with a single function $H_{i+1}^{(l)}$ by the definition of $H_{i+1}^{(l)}$ (see also (11)). Hence, we already almost implement the rules of Game 4.(i+1), and we only need to clean up things a little.

Namely, in Game 4.i.7, we again implement the forgery check from Game 2 using $sk_0^*$ (and not $sk_1^*$). With the same reasoning as in Game 4.i.5, we get:
$$\Pr[\mathrm{out}_{4.i.7} = 1] = \Pr[\mathrm{out}_{4.i.6} = 1]. \tag{21}$$

Next, in Game 4.i.8, we again set up $\mathrm{CRS}_1$ as a hiding CRS (using HGen). Again, CRS indistinguishability guarantees
$$\sum_{i=0}^{n-1} \bigl|\Pr[\mathrm{out}_{4.i.8} = 1] - \Pr[\mathrm{out}_{4.i.7} = 1]\bigr| = n \cdot \left(\mathrm{Adv}^{\mathrm{ddh}}_{G,B_{4.i.8}}(k) + \mathrm{Adv}^{\mathrm{ddh}}_{\hat{G},B'_{4.i.8}}(k)\right) \tag{22}$$
for suitable DDH adversaries $B_{4.i.8}$ and $B'_{4.i.8}$.

In Game 4.i.9, we again set up the commitments $C_\alpha, C_\beta$ in all verification keys as commitments to $\alpha = \beta = 0$. Accordingly, we generate all signatures for $A$ by proving statement S1 from (3). (Note that this is possible again since all generated pairs $(C_0, C_1)$ do encrypt the same message.) By the witness-indistinguishability of Groth-Sahai proofs,
$$\Pr[\mathrm{out}_{4.i.9} = 1] = \Pr[\mathrm{out}_{4.i.8} = 1]. \tag{23}$$

Finally, in Game 4.i.10, we do not abort anymore. (That is, we take back the abort rule from Game 4.i.1.) To see how this change affects the game's output, we make a few observations.
First, note that in both Game 4.i.9 and Game 4.i.10, $A$'s view only depends on the way $f$ partitions the set of messages depending on $\left(\frac{f(M)}{p}\right)$, but not on which messages $M$ are mapped by $f$ to squares, and which to non-squares. (Indeed, any partitioning of the $M$ is invariant under multiplying $f$ with an invertible non-square modulo $p$. However, multiplication with an invertible non-square inverts the Legendre symbol of $f(M)$.) Thus, the probability for $A$ to successfully forge a signature with $\left(\frac{f(M^*)}{p}\right) = 1$ is exactly the same as that to forge a signature with $\left(\frac{f(M^*)}{p}\right) = -1$. Hence, if we cease to abort upon $f(M^*) \in QR_p \cup \{0\}$, we at least double $A$'s success probability:
$$\Pr[\mathrm{out}_{4.i.10} = 1] \ge 2 \cdot \Pr[\mathrm{out}_{4.i.9} = 1]. \tag{24}$$

At the same time, Game 4.i.10 is identical to Game 4.(i+1). (As argued, the use of three functions $H_i^{(l)}, Z_i^{(l)}, Q_i^{(l)}$ for each scheme instance $l$ is equivalent to the use of a single function
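The following Python, added here as an illustration and not part of the paper, simulates the partitioning machinery of the proof over a small prime (the prime $p = 101$, the PRNG seed and the trial counts are assumptions made for the demonstration). It builds the fingerprint $L_i$ of (11) from uniformly random invertible affine functions, checks the abort probability $(p+1)/(2p)$ of Game 4.i.1, tests the injectivity of $L_n$ for $n = 2\log_2(p) + k$ from Lemma 3.3 empirically, and verifies the symmetry argument behind (24): multiplying $f$ by an invertible non-square flips every Legendre symbol while leaving the induced partition of $\mathbb{Z}_p$ unchanged. It goes slightly beyond the text in that it checks these facts for every message in $\mathbb{Z}_p$ rather than for a single forgery.

```python
"""Algebraic partitioning by Legendre symbols, simulated over a small prime.

Added example, not code from the paper. It models the fingerprint function
L_i(M) = ((f_1(M)/p), ..., (f_i(M)/p)) of (11), built from uniformly random
invertible affine functions f_j(x) = a_j * x + b_j mod p, and checks:
  1. a single f makes exactly (p+1)/(2p) of all messages "special"
     (f(M) in QR_p u {0}), which is the abort probability of Game 4.i.1;
  2. for n = 2 * log2(p) + k functions the fingerprint L_n is injective with
     overwhelming probability (Lemma 3.3);
  3. multiplying f by a non-square flips every Legendre symbol (f(M)/p) but
     leaves the induced partition of Z_p unchanged (the symmetry used to
     drop the abort in Game 4.i.10).
The prime p, the PRNG seed and the trial counts are assumptions for the demo.
"""
import math
import random

def legendre(a, p):
    """Legendre symbol (a/p) in {-1, 0, 1} via Euler's criterion."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def random_invertible_affine(p, rng):
    """Uniform f(x) = a*x + b mod p with a != 0 (a bijection on Z_p)."""
    return rng.randrange(1, p), rng.randrange(p)

def evaluate(f, x, p):
    a, b = f
    return (a * x + b) % p

def fingerprint(fs, M, p):
    """L_i(M) from (11) for the list fs = [f_1, ..., f_i]."""
    return tuple(legendre(evaluate(f, M, p), p) for f in fs)

def special_fraction(f, p):
    """Fraction of M in Z_p with f(M) in QR_p u {0}; equals (p+1)/(2p)
    because an invertible affine map is a bijection on Z_p."""
    special = sum(1 for M in range(p) if legendre(evaluate(f, M, p), p) >= 0)
    return special / p

def is_injective(fs, p):
    """Lemma 3.3: does L_i separate all p messages?"""
    seen = set()
    for M in range(p):
        fp = fingerprint(fs, M, p)
        if fp in seen:
            return False
        seen.add(fp)
    return True

def injectivity_rate(p, k, trials, seed=0):
    """Empirical probability that L_n is injective for n = 2*log2(p) + k."""
    rng = random.Random(seed)
    n = math.ceil(2 * math.log2(p)) + k
    hits = sum(is_injective([random_invertible_affine(p, rng) for _ in range(n)], p)
               for _ in range(trials))
    return hits / trials

def partition(f, p):
    """The unordered pair {squares, non-squares} of messages induced by f."""
    syms = [legendre(evaluate(f, M, p), p) for M in range(p)]
    return frozenset([frozenset(M for M in range(p) if syms[M] == 1),
                      frozenset(M for M in range(p) if syms[M] == -1)])

def flip_preserves_partition(f, p):
    """Multiply f by an invertible non-square c: every symbol flips, yet the
    partition of Z_p (which is all A's view depends on) is unchanged."""
    c = next(x for x in range(2, p) if legendre(x, p) == -1)
    a, b = f
    g = ((c * a) % p, (c * b) % p)
    flipped = all(legendre(evaluate(g, M, p), p) == -legendre(evaluate(f, M, p), p)
                  for M in range(p))
    return flipped and partition(f, p) == partition(g, p)
```

With $p = 101$ and $k = 16$, `injectivity_rate` uses $n = 30$ functions; the union bound of Lemma 3.3 puts the failure probability per trial far below $2^{-16}$, which is why every sampled $L_n$ separates all $101$ messages.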
Maxmzng the number of nonnegatve subsets Noga Alon Hao Huang December 1, 213 Abstract Gven a set of n real numbers, f the sum of elements of every subset of sze larger than k s negatve, what s the maxmum
More informationLinear Approximation with Regularization and Moving Least Squares
Lnear Approxmaton wth Regularzaton and Movng Least Squares Igor Grešovn May 007 Revson 4.6 (Revson : March 004). 5 4 3 0.5 3 3.5 4 Contents: Lnear Fttng...4. Weghted Least Squares n Functon Approxmaton...
More informationLai-Massey Scheme and Quasi-Feistel Networks (Extended Abstract)
La-Massey Scheme and Quas-Festel Networks (Extended Abstract Aaram Yun, Je Hong Park 2, and Jooyoung Lee 2 Unversty of Mnnesota - Twn Ctes aaramyun@gmalcom 2 ETRI Network & Communcaton Securty Dvson, Korea
More informationCSci 6974 and ECSE 6966 Math. Tech. for Vision, Graphics and Robotics Lecture 21, April 17, 2006 Estimating A Plane Homography
CSc 6974 and ECSE 6966 Math. Tech. for Vson, Graphcs and Robotcs Lecture 21, Aprl 17, 2006 Estmatng A Plane Homography Overvew We contnue wth a dscusson of the major ssues, usng estmaton of plane projectve
More informationPassword Based Key Exchange With Mutual Authentication
Password Based Key Exchange Wth Mutual Authentcaton Shaoquan Jang and Guang Gong Department of Electrcal and Computer Engneerng Unversty of Waterloo Waterloo, Ontaro N2L 3G1, CANADA Emal:{angshq,ggong}@callope.uwaterloo.ca
More informationAssortment Optimization under MNL
Assortment Optmzaton under MNL Haotan Song Aprl 30, 2017 1 Introducton The assortment optmzaton problem ams to fnd the revenue-maxmzng assortment of products to offer when the prces of products are fxed.
More information12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA. 4. Tensor product
12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA Here s an outlne of what I dd: (1) categorcal defnton (2) constructon (3) lst of basc propertes (4) dstrbutve property (5) rght exactness (6) localzaton
More informationFor now, let us focus on a specific model of neurons. These are simplified from reality but can achieve remarkable results.
Neural Networks : Dervaton compled by Alvn Wan from Professor Jtendra Malk s lecture Ths type of computaton s called deep learnng and s the most popular method for many problems, such as computer vson
More informationChapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems
Numercal Analyss by Dr. Anta Pal Assstant Professor Department of Mathematcs Natonal Insttute of Technology Durgapur Durgapur-713209 emal: anta.bue@gmal.com 1 . Chapter 5 Soluton of System of Lnear Equatons
More informationAppendix B: Resampling Algorithms
407 Appendx B: Resamplng Algorthms A common problem of all partcle flters s the degeneracy of weghts, whch conssts of the unbounded ncrease of the varance of the mportance weghts ω [ ] of the partcles
More informationFormulas for the Determinant
page 224 224 CHAPTER 3 Determnants e t te t e 2t 38 A = e t 2te t e 2t e t te t 2e 2t 39 If 123 A = 345, 456 compute the matrx product A adj(a) What can you conclude about det(a)? For Problems 40 43, use
More informationModule 9. Lecture 6. Duality in Assignment Problems
Module 9 1 Lecture 6 Dualty n Assgnment Problems In ths lecture we attempt to answer few other mportant questons posed n earler lecture for (AP) and see how some of them can be explaned through the concept
More informationIntroduction to Algorithms
Introducton to Algorthms 6.046J/8.40J Lecture 7 Prof. Potr Indyk Data Structures Role of data structures: Encapsulate data Support certan operatons (e.g., INSERT, DELETE, SEARCH) Our focus: effcency of
More informationMA 323 Geometric Modelling Course Notes: Day 13 Bezier Curves & Bernstein Polynomials
MA 323 Geometrc Modellng Course Notes: Day 13 Bezer Curves & Bernsten Polynomals Davd L. Fnn Over the past few days, we have looked at de Casteljau s algorthm for generatng a polynomal curve, and we have
More informationHidden Markov Models & The Multivariate Gaussian (10/26/04)
CS281A/Stat241A: Statstcal Learnng Theory Hdden Markov Models & The Multvarate Gaussan (10/26/04) Lecturer: Mchael I. Jordan Scrbes: Jonathan W. Hu 1 Hdden Markov Models As a bref revew, hdden Markov models
More informationCOS 521: Advanced Algorithms Game Theory and Linear Programming
COS 521: Advanced Algorthms Game Theory and Lnear Programmng Moses Charkar February 27, 2013 In these notes, we ntroduce some basc concepts n game theory and lnear programmng (LP). We show a connecton
More informationGames of Threats. Elon Kohlberg Abraham Neyman. Working Paper
Games of Threats Elon Kohlberg Abraham Neyman Workng Paper 18-023 Games of Threats Elon Kohlberg Harvard Busness School Abraham Neyman The Hebrew Unversty of Jerusalem Workng Paper 18-023 Copyrght 2017
More informationCS : Algorithms and Uncertainty Lecture 17 Date: October 26, 2016
CS 29-128: Algorthms and Uncertanty Lecture 17 Date: October 26, 2016 Instructor: Nkhl Bansal Scrbe: Mchael Denns 1 Introducton In ths lecture we wll be lookng nto the secretary problem, and an nterestng
More informationShort Pairing-based Non-interactive Zero-Knowledge Arguments
Short Parng-based Non-nteractve Zero-Knowledge Arguments Jens Groth Unversty College London j.groth@ucl.ac.uk October 26, 2010 Abstract. We construct non-nteractve zero-knowledge arguments for crcut satsfablty
More informationMin Cut, Fast Cut, Polynomial Identities
Randomzed Algorthms, Summer 016 Mn Cut, Fast Cut, Polynomal Identtes Instructor: Thomas Kesselhem and Kurt Mehlhorn 1 Mn Cuts n Graphs Lecture (5 pages) Throughout ths secton, G = (V, E) s a mult-graph.
More informationCanonical transformations
Canoncal transformatons November 23, 2014 Recall that we have defned a symplectc transformaton to be any lnear transformaton M A B leavng the symplectc form nvarant, Ω AB M A CM B DΩ CD Coordnate transformatons,
More informationComplete subgraphs in multipartite graphs
Complete subgraphs n multpartte graphs FLORIAN PFENDER Unverstät Rostock, Insttut für Mathematk D-18057 Rostock, Germany Floran.Pfender@un-rostock.de Abstract Turán s Theorem states that every graph G
More informationGeneralized Linear Methods
Generalzed Lnear Methods 1 Introducton In the Ensemble Methods the general dea s that usng a combnaton of several weak learner one could make a better learner. More formally, assume that we have a set
More informationSection 8.3 Polar Form of Complex Numbers
80 Chapter 8 Secton 8 Polar Form of Complex Numbers From prevous classes, you may have encountered magnary numbers the square roots of negatve numbers and, more generally, complex numbers whch are the
More informationSome Consequences. Example of Extended Euclidean Algorithm. The Fundamental Theorem of Arithmetic, II. Characterizing the GCD and LCM
Example of Extended Eucldean Algorthm Recall that gcd(84, 33) = gcd(33, 18) = gcd(18, 15) = gcd(15, 3) = gcd(3, 0) = 3 We work backwards to wrte 3 as a lnear combnaton of 84 and 33: 3 = 18 15 [Now 3 s
More informationStructure and Drive Paul A. Jensen Copyright July 20, 2003
Structure and Drve Paul A. Jensen Copyrght July 20, 2003 A system s made up of several operatons wth flow passng between them. The structure of the system descrbes the flow paths from nputs to outputs.
More informationEdge Isoperimetric Inequalities
November 7, 2005 Ross M. Rchardson Edge Isopermetrc Inequaltes 1 Four Questons Recall that n the last lecture we looked at the problem of sopermetrc nequaltes n the hypercube, Q n. Our noton of boundary
More informationRandom Walks on Digraphs
Random Walks on Dgraphs J. J. P. Veerman October 23, 27 Introducton Let V = {, n} be a vertex set and S a non-negatve row-stochastc matrx (.e. rows sum to ). V and S defne a dgraph G = G(V, S) and a drected
More information4 Analysis of Variance (ANOVA) 5 ANOVA. 5.1 Introduction. 5.2 Fixed Effects ANOVA
4 Analyss of Varance (ANOVA) 5 ANOVA 51 Introducton ANOVA ANOVA s a way to estmate and test the means of multple populatons We wll start wth one-way ANOVA If the populatons ncluded n the study are selected
More informationBOUNDEDNESS OF THE RIESZ TRANSFORM WITH MATRIX A 2 WEIGHTS
BOUNDEDNESS OF THE IESZ TANSFOM WITH MATIX A WEIGHTS Introducton Let L = L ( n, be the functon space wth norm (ˆ f L = f(x C dx d < For a d d matrx valued functon W : wth W (x postve sem-defnte for all
More informationGrover s Algorithm + Quantum Zeno Effect + Vaidman
Grover s Algorthm + Quantum Zeno Effect + Vadman CS 294-2 Bomb 10/12/04 Fall 2004 Lecture 11 Grover s algorthm Recall that Grover s algorthm for searchng over a space of sze wors as follows: consder the
More informationComposite Hypotheses testing
Composte ypotheses testng In many hypothess testng problems there are many possble dstrbutons that can occur under each of the hypotheses. The output of the source s a set of parameters (ponts n a parameter
More informationNotes prepared by Prof Mrs) M.J. Gholba Class M.Sc Part(I) Information Technology
Inverse transformatons Generaton of random observatons from gven dstrbutons Assume that random numbers,,, are readly avalable, where each tself s a random varable whch s unformly dstrbuted over the range(,).
More informationSupplement to Clustering with Statistical Error Control
Supplement to Clusterng wth Statstcal Error Control Mchael Vogt Unversty of Bonn Matthas Schmd Unversty of Bonn In ths supplement, we provde the proofs that are omtted n the paper. In partcular, we derve
More information12. The Hamilton-Jacobi Equation Michael Fowler
1. The Hamlton-Jacob Equaton Mchael Fowler Back to Confguraton Space We ve establshed that the acton, regarded as a functon of ts coordnate endponts and tme, satsfes ( ) ( ) S q, t / t+ H qpt,, = 0, and
More informationNP-Completeness : Proofs
NP-Completeness : Proofs Proof Methods A method to show a decson problem Π NP-complete s as follows. (1) Show Π NP. (2) Choose an NP-complete problem Π. (3) Show Π Π. A method to show an optmzaton problem
More information2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification
E395 - Pattern Recognton Solutons to Introducton to Pattern Recognton, Chapter : Bayesan pattern classfcaton Preface Ths document s a soluton manual for selected exercses from Introducton to Pattern Recognton
More informationVapnik-Chervonenkis theory
Vapnk-Chervonenks theory Rs Kondor June 13, 2008 For the purposes of ths lecture, we restrct ourselves to the bnary supervsed batch learnng settng. We assume that we have an nput space X, and an unknown
More information5 The Rational Canonical Form
5 The Ratonal Canoncal Form Here p s a monc rreducble factor of the mnmum polynomal m T and s not necessarly of degree one Let F p denote the feld constructed earler n the course, consstng of all matrces
More informationLecture 10 Support Vector Machines II
Lecture 10 Support Vector Machnes II 22 February 2016 Taylor B. Arnold Yale Statstcs STAT 365/665 1/28 Notes: Problem 3 s posted and due ths upcomng Frday There was an early bug n the fake-test data; fxed
More informationApproximate Smallest Enclosing Balls
Chapter 5 Approxmate Smallest Enclosng Balls 5. Boundng Volumes A boundng volume for a set S R d s a superset of S wth a smple shape, for example a box, a ball, or an ellpsod. Fgure 5.: Boundng boxes Q(P
More informationGeneric Hardness of the Multiple Discrete Logarithm Problem
Generc Hardness of the Multple Dscrete Logarthm Problem Aaram Yun Ulsan Natonal Insttute of Scence and Technology (UNIST) Republc of Korea aaramyun@unst.ac.kr Abstract. We study generc hardness of the
More informationSL n (F ) Equals its Own Derived Group
Internatonal Journal of Algebra, Vol. 2, 2008, no. 12, 585-594 SL n (F ) Equals ts Own Derved Group Jorge Macel BMCC-The Cty Unversty of New York, CUNY 199 Chambers street, New York, NY 10007, USA macel@cms.nyu.edu
More informationRecover plaintext attack to block ciphers
Recover plantext attac to bloc cphers L An-Png Bejng 100085, P.R.Chna apl0001@sna.com Abstract In ths paper, we wll present an estmaton for the upper-bound of the amount of 16-bytes plantexts for Englsh
More informationComments on a secure dynamic ID-based remote user authentication scheme for multiserver environment using smart cards
Comments on a secure dynamc ID-based remote user authentcaton scheme for multserver envronment usng smart cards Debao He chool of Mathematcs tatstcs Wuhan nversty Wuhan People s Republc of Chna Emal: hedebao@63com
More informationCOS 511: Theoretical Machine Learning. Lecturer: Rob Schapire Lecture # 15 Scribe: Jieming Mao April 1, 2013
COS 511: heoretcal Machne Learnng Lecturer: Rob Schapre Lecture # 15 Scrbe: Jemng Mao Aprl 1, 013 1 Bref revew 1.1 Learnng wth expert advce Last tme, we started to talk about learnng wth expert advce.
More informationReport on Image warping
Report on Image warpng Xuan Ne, Dec. 20, 2004 Ths document summarzed the algorthms of our mage warpng soluton for further study, and there s a detaled descrpton about the mplementaton of these algorthms.
More informationEfficient Ring Signatures Without Random Oracles
Effcent Rng Sgnatures Wthout Random Oracles Hovav Shacham hovav.shacham@wezmann.ac.l Brent Waters bwaters@csl.sr.com Abstract We descrbe the frst effcent rng sgnature scheme secure, wthout random oracles,
More information1 GSW Iterative Techniques for y = Ax
1 for y = A I m gong to cheat here. here are a lot of teratve technques that can be used to solve the general case of a set of smultaneous equatons (wrtten n the matr form as y = A), but ths chapter sn
More information9 Characteristic classes
THEODORE VORONOV DIFFERENTIAL GEOMETRY. Sprng 2009 [under constructon] 9 Characterstc classes 9.1 The frst Chern class of a lne bundle Consder a complex vector bundle E B of rank p. We shall construct
More informationErrors for Linear Systems
Errors for Lnear Systems When we solve a lnear system Ax b we often do not know A and b exactly, but have only approxmatons  and ˆb avalable. Then the best thng we can do s to solve ˆx ˆb exactly whch
More informationDISCRIMINANTS AND RAMIFIED PRIMES. 1. Introduction A prime number p is said to be ramified in a number field K if the prime ideal factorization
DISCRIMINANTS AND RAMIFIED PRIMES KEITH CONRAD 1. Introducton A prme number p s sad to be ramfed n a number feld K f the prme deal factorzaton (1.1) (p) = po K = p e 1 1 peg g has some e greater than 1.
More information