Bilinear Entropy Expansion from the Decisional Linear Assumption
Size: px
Start display at page:

Download "Bilinear Entropy Expansion from the Decisional Linear Assumption"

Transcription

1 Bilinear Entroy Exansion from the Decisional Linear Assumtion Lucas Kowalczyk Columbia University Allison Bisho Lewko Columbia University Abstract We develo a techniue insired by seudorandom functions that allows us to increase the entroy available for roving the security of dual system encrytion schemes under the Decisional Linear Assumtion. We show an alication of the tool to Attribute-Based Encrytion by resenting a Key-Policy ABE scheme that is fully-secure under DLIN with short ublic arameters. 1 Introduction Since its concetion in [32] attribute-based encrytion (ABE) has served as a demonstrably fertile ground for exloring the ossible tradeoffs between exressibility security and efficiency in crytograhically enforced access control. In addition to the otential alications it has in its own right the rimitive of attribute-based encrytion has been a catalyst for the definitions and constructions of further crytograhic rimitives such as functional encrytion for general circuits. The rich structure of secret keys demanded by exressive attribute-based encrytion has romoted a continuing evolution of roof techniues designed to meet the challenges inherent in balancing large and comlex structures on the inhead of simle comutational hardness assumtions. The origins of attribute-based encrytion can be traced back to identity-based encrytion [11 5] where users have identities that serve as ublic keys and secret keys are generated on demand by a master authority. A desirable notion of security for such schemes ensures resilience against arbitrary collusions among users by allowing an attacker to demand many secret keys for individual users and attack a cihertext encryted to any user not reresented in the set of obtained keys. Proving this kind of security reuires a reduction design that can satisfy the attacker s demands without fully knowing the master secret key. This challenge is exacerbated in the (key-olicy) attribute-based setting where user keys corresond to access olicies exressed over attributes and cihertexts are associated with subsets of these attributes. Decrytion is allowed recisely when a single user s olicy is satisfied by a cihertext s attribute set. Thus the structure of allowable keys that the attacker can reuest grows more comlex as the scheme is euied to exress more comlex olicies. As a conseuence of this the intuitive and elegant constructions of attribute-based encrytion in bilinear grous in [18 34] were only roven secure in the selective security model: a weakened model of security that reuires the attacker to declare the target of attack in advance before seeing the ublic arameters of the system. This limitation of the model allows Allison Lewko is suorted in art by NSF CNS and NSF CCF

2 the security reduction to embed the comutational challenge into its view of the ublic arameters of the scheme in a way that artitions the sace of secret keys. Keys that do not satisfy the targeted cihertext are able to be generated under the embedding while keys that do satisfy the cihertext cannot be generated. This aroach does not extend well to the full security model where this artificial limitation on the attacker is lifted. The first fully secure ABE schemes aeared in [19] using the dual system encrytion methodology [33] for designing the security reduction. In a dual system aroach there are tyically multile (comutationally indistinguishable) forms of keys and cihertexts. There are normal keys and cihertexts that are emloyed in the real system and then are various forms of semi-functional keys and cihertexts. The core idea is to rove security via a hybrid argument where the cihertext is changed to semi-functional and keys are changed to semi-functional tyes one by one until all the keys are of a semi-functional tye incaable of decryting the semi-functional cihertext (it is imortant that they still decryt normal cihertexts otherwise the hybrid transitions could be detected by the attacker who can create normal cihertexts for itself using the ublic arameters). Once we reach a state where the key and cihertexts distributions rovided to the attacker are no longer bound by correct decryt behavior it is easier for the reduction to roduce these without knowing the master secret key. The most critical ste of these dual system arguments occurs when a articular key changes from a tye that can decryt the challenge cihertext to a tye that cannot - the fact that this change is not detected by the attacker is where the reduction must use the criterion that the access olicy is not satisfied. The security reductions in [19] and many subseuent works (e.g. [28 22]) used an information-theoretic argument for this ste. However this argument reuires a great deal of entroy (secifically fresh randomness for each attribute-use in a olicy). This entroy was sulied by arameters in the semi-functional sace that aralleled the ublished arameters of the normal sace. This necessitated a blowu in ublic arameter and cihertext sizes secifically a multilicative factor of the the number of attribute-uses allowed for access olicies. In [26] it was observed that the initial stes of a tyical dual system encrytion hybrid argument could be re-interreted as roviding a shadow coy of the system arameters in the semi-functional sace that does not have to be committed to when the ublic arameters for the normal sace are rovided. This ersective suggests that one can embed a comutational challenge into these semi-functional sace arameters as semi-functional objects are roduced. For instance when a ortion of these arameters affect a single semi-functional key that is ueried after the semi-functional cihertext one can essentially embed the challenge in the same way as the original selective security arguments in [18]. In the reverse case where the semi-functional key is ueried before the challenge cihertext the embedding can be similar to a selective security roof for a cihertext-olicy ABE scheme where keys are associated with attributes and cihertexts are associated with access olicies. In [26] state of the art selective techniues for KP-ABE and CP-ABE systems were combined into a full security roof avoiding the blowu in arameters incurred by the information-theoretic dual system techniues. However even selective security for CP-ABE systems remains a rather challenging task and the state of the art techniue in [34] introduces an undesirable -tye assumtion into the fully secure ABE scheme. In the CP-ABE setting selectivity means that the attacker declares a target access olicy u front. This can then be leveraged by the security reduction to design ublic arameters so that it can create keys recisely for sets of attributes that do not satisfy this target olicy. The -tye assumtion in [34] was a conseuence of the need to encode a otentially large access olicy into small ublic arameters. This leaves us still searching for an ideal KP-ABE scheme in the bilinear setting that has arameter sizes comarable to the selectively secure scheme in [18] and a full security roof from a simle assumtion such as the 2

3 decisional linear assumtion (DLIN). A security reduction for such a scheme must seemingly break outside the mold of using either a urely information-theoretic or urely comutational argument for leveraging the fact that a reuested key olicy cannot be satisfied by the challenge cihertext. Our Results To demonstrate our aroach we resent a KP-ABE constructions in the comosite-order bilinear setting which is roven fully secure from simle assumtions and suorts LSSS/MSP access olicies (like its bilinear redecessors). Security is roven using a few secific instances of subgrou-decision assumtions and DLIN. Our scheme greatly reduces the size of the ublic arameters as comared to [19 28] as the number of grou elements we need to include in the ublic arameters grows only logarithmically rather than linearly in the bound on the number of attribute-uses in an access olicy. Our Techniues We intermix the comutational and information-theoretic dual system encrytion aroaches using comutational stes to boost the entroy of a small set of (unublished) semi-functional arameters to a level that suffices to make the rior informationtheoretic argument work. Essentially we use the fact that the semi-functional sace arameters are never ublished to not only delay their definition as exloited in [26] but further to argue that they can (comutationally) aear to rovide more entroy than their size would information-theoretically allow. The gadget that allows us do this comutational re-rocessing before the running information-theoretic argument is resented as our bilinear entroy exansion lemma. The insiration for the gadget construction comes from seudorandom generators/seudorandom functions. Naturally if we want a small set of semi-functional generators to seemingly roduce a large amount of entroy we may want to view these arameters as the seed for a PRF for examle. Out-of-the-box PRF constructions like Naor-Reingold [27] and its DLIN-based extension [25] however are unsuitable in the bilinear setting (even though the DLIN version would remain secure) because they would reuire direct access to the seed for comutation and a secure bilinear construction will only rovide indirect access to the seed as exonents of grou elements. To circumvent this difficulty we use a subset-sum based construction that can be comuted in a bilinear grou with the seed elements in the exonents. Of course using a naked linear structure would be detectable but we are able to use a rather minimal amount of additional random exonents to ush the linear sub-structure out of reach of detection by regular grou or airing oerations. We build our construction in two stes. First we resent a construction for a one-use KP-ABE system which only suorts access olicies where each attribute is used at most once. This scheme achieves cihertext and key sizes which rival those of selectively secure schemes (u to constants) while significantly reducing ublic arameter size. Then we aly a standard transformation to get from a one-use system to a system which allows multile uses of attributes in olicies (the number of uses allowed er attribute is constant and fixed at setu). The overhead of this transformation is drastically mitigated by our scheme s small ublic arameters. The effect on cihertext and key sizes comared to revious alications of this transformation remain the same u to constants. Further Discussion of Related Work Additional work on ABE in the bilinear setting includes various constructions of KP-ABE and CP-ABE schemes (e.g. [ ]) schemes suorting multile authorities (e.g. [ ]) and schemes suorting large attribute universes (e.g. [23 29]). Some of the structure for randomization in our schemes is insired by 3

4 [23]. The large universe scheme in [29] also achieves full-security with short ublic arameters using concetually different techniues. We view the main contribution of this aer to be the entroy exansion lemma which we believe is modular and otentially useful in other settings. Our aroach lends a clear understanding of the roles of information-theoretic and comutational techniues in dual-system encrytion roofs. There are also recent constructions of ABE schemes in the lattice setting. The construction of [16] allows access olicies to be exressed as circuits which makes it more exressive than any known bilinear scheme. It was roven selectively secure under the standard LWE assumtion. Circuit olicies are also suorted by the construction in [13] based on multilinear mas. This scheme is also roven selectively secure under a articular comutational hardness assumtion for multilinear grous. The very recent multilinear scheme in [14] achieves full security relying on comutational hardness assumtions in multilinear grous. The fully secure general functional encrytion scheme in [35] which relies on indistinguishability obfuscation can also be secialized to the ABE setting. Some relationshis between ABE and other crytograhic rimitives have also been exlored. The work of [2] derives schemes for verifiable comutation from attribute-based encrytion schemes while [15] use attribute-based encrytion as a tool in designing more general functional encrytion and reusable garbling schemes. Dual system encrytion roof techniues have also been further studied in the works of [ ] alied to achieve leakage resilience in [ ] and alied directly to comutational assumtions in [9]. 2 Preliminaries 2.1 Comosite Order Bilinear Grous Our construction uses comosite order bilinear grous. which were introduced in [6]. We let G denote a grou generator - an algorithm which takes a security arameter λ as inut and oututs a descrition of a bilinear grou G. We define G s outut as (N G G T e) where N = w is a roduct of three distinct rimes G and G T are cyclic grous of order N and e : G G G T is a ma with the following roerties: 1. (Bilinear) g f G a b Z N e(g a f b ) = e(g f) ab 2. (Non-degenerate) g G such that e(g g) has order N in G T. We refer to G as the source grou and G T as the target grou. We assume that the grou oerations in G and G T and the ma e are comutable in olynomial time with resect to λ and the grou descritions of G and G T include a generator of each grou. We let G G and G w denote the subgrous of order and w in G resectively. We note that these subgrous are orthogonal to each other under the bilinear ma e: if u v are elements of two different subgrous out of {G G G w } then e(u v) is the identity element in G T. If g generates G g generates G and g w generates G w then every element f of G can be exressed as f = g c 1 g c 2 g c 3 w for some values c 1 c 2 c 3 Z N. We will refer to g c 1 as the G art of f for examle. 2.2 Comlexity Assumtions We now resent the comlexity assumtions we will use to rove the security of our system. We use the notation x S to exress that element x is chosen uniformly at random from the finite set S. We will first consider grous G whose orders are roducts of three distinct rimes: w. We denote the subgrous of G with these orders by G G G w resectively. We use the notation g g g w to denote generators of these resective subgrous. 4

5 Subgrou Decision Assumtion 1 The Subgrou Decision Problem 1 is stated as follows: on a grou G of order w given g g w and T where either T = g s G or T = g g s s G (where s is distributed uniformly in Z and s is distributed uniformly in Z ) outut yes if T = g s and no otherwise. Definition 1. Subgrou Decision Assumtion 1 in G: no olynomial time algorithm can achieve non-negligible advantage in deciding the Subgrou Decision Problem 1 in G. Subgrou Decision Assumtion 2 on a grou G of order w given g g w g g s s g r gw r and T where either T = gg y w y The Subgrou Decision Problem 2 is stated as follows: or T = ggỹ y gw y (where s y are distributed uniformly in Z s r and ỹ are distributed uniformly in Z and r y are distributed uniformly in Z w ) outut yes if T = g y g y w and no otherwise. Definition 2. Subgrou Decision Assumtion 2 in G: no olynomial time algorithm can achieve non-negligible advantage in deciding the Subgrou Decision Problem 2 in G. Subgrou Decision Assumtion 3 The Subgrou Decision Problem 3 is stated as follows: given a grou G of order w given g g g w g α g α g g s s and T where either T = e(g g ) αs or T = X (where α s are distributed uniformly in Z α s are distributed uniformly in Z and X is distributed uniformly in G T ) outut yes if T = e(g g ) αs and no otherwise. Definition 3. Subgrou Decision Assumtion 3 in G: no olynomial time algorithm can achieve non-negligible advantage in deciding the Subgrou Decision Problem 3 roblem in G. We additionally use one assumtion in the rime order setting where G is a bilinear grou of rime order and g is a generator: 2-Linear Assumtion (DLIN) The 2-Linear roblem is stated as follows: given a cyclic grou G of rime order g g y 1 g y 2 g y 1c 1 g y 2c 2 g c 1+c 2 +r G (where y 1 y 2 c 1 c 2 are distributed uniformly in Z and r is either a uniform random element of Z or 0) outut yes if r is a random element of Z and no otherwise. Definition 4. 2-Linear Assumtion in G: no olynomial time algorithm can achieve nonnegligible advantage in deciding the 2-Linear roblem in G. 2.3 Background for ABE We now give reuired background material on Linear Secret Sharing Schemes the formal definition of a KP-ABE scheme and the security definition we will use Linear Secret Sharing Schemes Our construction uses linear secret-sharing schemes (LSSS). We use the following definition (adated from [3]). In the context of ABE attributes will lay the role of arties and will be reresented as nonemty subsets K [k] for a fixed k. Definition 5. (Linear Secret-Sharing Schemes (LSSS)) A secret sharing scheme Π over a set of attributes is called linear (over Z ) if 1. The shares belonging to all attributes form a vector over Z. 5

6 2. There exists an l n matrix Λ called the share-generating matrix for Π. The matrix Λ has l rows and n columns. For all j = 1... l the j th row of Λ is labeled by an attribute K. When we consider the column vector v = (s r 2... r n ) where s Z is the secret to be shared and r 2... r n Z are randomly chosen then Λv is the vector of l shares of the secret s according to Π. The share (Λv) j = λ K belongs to attribute K. We note the linear reconstruction roerty: we suose that Π is an LSSS. We let S denote an authorized set. Then there is a subset S S such that the vector ( ) is in the san of rows of Λ indexed by S and there exist constants {ω K Z } K S such that for any valid shares {λ K } of a secret s according to Π we have: ω K λ K = s. These constants {ω K } can K S be found in time olynomial in the size of the share-generating matrix Λ [3]. For unauthorized sets no such S {ω K } exist. For our comosite order grou construction we will emloy LSSS matrices over Z N where N is a roduct of three distinct rimes w. As in the definition above over the rime order Z we say a set of attributes S is authorized if is a subset S S such that the rows of the access matrix A labeled by elements of S have the vector ( ) in their san modulo N. However in our security roof for our comosite order system we will further assume that for an unauthorized set the corresonding rows of A do not include the vector ( ) in their san modulo. We may assume this because if an adversary can roduce an access matrix A over Z N and an unauthorized set over Z N that is authorized over Z then this can be used to roduce a non-trivial factor of the grou order N which would violate our subgrou decision assumtions KP-ABE Definition A key-olicy attribute-based encrytion system consists of four algorithms: Setu Encryt KeyGen and Decryt. Setu(λ U) (PP MSK) The setu algorithm takes in the security arameter λ and the attribute universe descrition U. It oututs the ublic arameters PP and a master secret key MSK. Encryt(PP M S) CT The encrytion algorithm takes in the ublic arameters PP the message M and a set of attributes S. It will outut a cihertext CT. We assume that S is imlicitly included in CT. KeyGen(MSK PP A) SK The key generation algorithm takes in the master secret key MSK the ublic arameters PP and an access structure A over the universe of attributes. It oututs a rivate key SK which can be used to decryt cihertexts encryted under a set of attributes which satisfies A. We assume that A is imlicitly included in SK. Decryt(PP CT SK) M The decrytion algorithm takes in the ublic arameters PP a cihertext CT encryted under a set of attributes S and a rivate key SK for an access structure A. If the set of attributes of the cihertext satisfies the access structure of the rivate key it oututs the message M Full Security for KP-ABE Systems We define full security for KP-ABE Systems in terms of the following game: 6

7 The challenger runs the Setu algorithm and gives the ublic arameters to the at- Setu tacker. The attacker ueries the challenger for rivate keys corresonding to access struc- Phase 1 tures. Challenge The attacker declares two eual length messages M 0 M 1 and a set of attributes A U where U is the attribute universe such that A does not satisfy the access structure of any of the keys reuested in Phase 1. The challenger flis a random coin β {0 1} encryts M β under S to yield cihertext CT β and gives CT β to the attacker. Phase 2 The attacker ueries the challenger for rivate keys corresonding to access structures that are not satisfied by S. Guess The attacker oututs a guess β. KP ABE Definition 6. The advantage of an attacker A in this game is defined as AdvA (λ) = Pr[β = β ] 1 2. Definition 7. A key-olicy attribute based encrytion scheme is fully secure if no olynomial time algorithm can achieve a non-negligible advantage in the above security game Transformation from One-Use to Multile Use KP-ABE Given a KP-ABE scheme which is fully-secure when attributes are used at most once in access olicies we can obtain a KP-ABE scheme which is fully-secure when each attribute is used at most some constant number of times in access olicies using a standard transformation. Essentially multile uses of an attribute are treated as new attributes in the one-use system. For examle if we want an attribute x to be able to be used u to k x times in access olicies we will instantiate our one-use system with k x attributes x : 1... x : k x. Each time we want to label a row of an access matrix Λ with x we label it with x : i for a new value of i. Each time we want to associate a subset S of attributes to a cihertext we instead use the set S = {x : 1... x : k x x S}. We can then emloy the one-use KP-ABE scheme on this new larger set of attributes and retain its full security and functionality. Clearly this transformation comes at a cost. Tyically the cihertext and ublic arameter size of the KP-ABE scheme resulting from the transformation now scale linearly with the number of attribute-uses allowed in access olicies not just the number of attributes. This blowu is seen in all revious fully secure KP-ABE schemes based on static assumtions and resents a roblem if one desires olicies which have high reuse of attributes. Our one-use KP-ABE scheme mitigates the roblem with ublic arameter size by featuring ublic arameters that scale only logarithmically with the number of attributes suorted by the system comared to the linear scaling of all other known fully secure KP-ABE schemes based on static assumtions. 3 KP-ABE Construction Our single-use KP-ABE construction assumes a olynomially sized attribute universe U where attributes are non-emty subsets K [k] for some fixed k. The rior fully secure single-use KP-ABE scheme in [19] reuired a fresh grou element to aear in the ublic arameters for each attribute in the universe. After using the generic transformation discussed in section

8 this results in the scheme reuiring a fresh grou element for each attribute-use allowed in access olicies. As a concrete examle if one wanted to allow 9 attributes to be used u to 7 times each one needed to have 9 7 = 63 grou elements in the ublic arameters corresonding to this attribute. In our comosite order scheme to allow the same 63 = attribute-uses we only need 2 6 grou elements in the ublic arameters corresonding to the attribute. The way we accomlish this dramatic comression of ublic arameters is to note that the encrytor can roduce 63 grou elements from 6 by taking roducts of all non-emty subsets (these corresond to subset-sums in the exonent). More generally given k grou elements g a 1... g a k we can roduce 2 k 1 grou elements by enumerating over all non-emty subsets a j K [k] and comuting gj K. We name the resulting collection of elements g A K where A K := a j. Our comosite order scheme uses two arallel such subset constructions (which j K is the reason for the factor of 2). Obviously these 2 k 1 grou elements no longer look random - they have linear relationshis in their exonents by construction. However since we are assuming the decisional linear assumtion is hard if we choose 2 k 1 additional random exonents {t K } then the 2(2 k 1) grou elements formed as {g t K g t KA K } are comutationally indistinguishable from 2(2 k 1) uniformly random grou elements (which lack any hidden linear structures in their exonents). The roof of this is the core of bilinear entroy exansion lemma though the full statement of the lemma includes some additional structure that is useful for linking into a KP-ABE construction. The dual system encrytion framework allows us to aly this argument to the arameters in the semi-functional sace where we do not need to ublish the values {g a j }. (Note that ublishing these would make the structure of {g t K g t KA K } detectable through alications of the bilinear ma.) Setu(λ U k) P P MSK The setu algorithm chooses a bilinear grou G of order N = w where w are rimes. We let G G G w reresent the subgrou of order and w resectively in G. It then draws α Z N and random grou element (generator) g G. For each j [k] it chooses values a j b j Z N. The ublic arameters are N g e(g g ) α {g a j g b j : j [k]}. The MSK is α and a generator g w of G w. Such a construction is euied to create keys for access olicies which include attributes K [k] where K is not emty. KeyGen(MSK Λ P P ) SK The key generation algorithm takes in the ublic arameters master secret key and LSSS access matrix Λ. First the key generation algorithm generates {λ K }: a linear sharing of α according to olicy matrix Λ (the reader is referred to section for details). For each attribute K corresonding to a row in the olicy matrix Λ it then raises generator g w to random exonents to create g z K w g z K w w G w chooses exonent y K Z N and comutes g A K = g a j and g B K = g b j. Note that here and throughout the rest of the j K j K descrition of our construction and its roof of security we will use the notation A K = j K a j and B K = j K b j. It then oututs the secret key: SK Λ = {g λ K (This imlicitly includes Λ) g z K w g y K g z K w 8

9 Encryt(M S P P ) CT The encrytion algorithm first draws s Z N. For each K S the encrytion algorithm draws t K Z N and comutes g A K = g a j and g B K = g b j. It j K j K then oututs the cihertext: (This imlicitly includes S) CT = Me(g g ) αs {g s g sa K g t KB K g t K : ( K S)} Decryt(CT SK P P ) M We let S corresond to the set of attributes associated to cihertext CT and Λ be the olicy matrix. If S satisfies Λ the decrytion algorithm comutes suitable constants ω K such that ω K λ K = α (recall section 2.3.1). It then comutes: K S K S e(g s g λ K g z K w ) e(gy K g z K e(g t K w g sa K g t KB K ) w ) 1 ω K = ( ( e(g g ) sλ K e(g g ) sy e(g KA K g ) sy KA K e(g g ) t Ky K B K ) 1 ) ωk e(g K S g ) t Ky K B K = ( e(g g ) sλ K e(g g ) sy KA K ) ωk e(g K S g ) sy KA K = ( ) e(g g ) sλ ωk K K S sω K λ K = e(g g ) K S = e(g g ) αs The message can then be recovered by comuting: Me(g g ) αs /e(g g ) αs = M. This demonstrates correctness of the scheme. 4 Security Proof Our security roof uses a hybrid argument over a seuence of games. We let Game real denote the real security game. The rest of the games use semi-functional keys and cihertexts which we describe below. We let g denote a fixed generator of the subgrou G which will serve as the semi-functional sace. Like a tyical dual system encrytion roof we will begin by transitioning from a normal cihertext to a semi-functional cihertext with semi-functional comonents that mimic the structure of their normal counterarts. This kind of transition can be done with a basic subgrou decision assumtion. We will then erform a hybrid over keys gradually changing each one to a semi-functional form that does not roerly decryt the semi-functional cihertext. To start we can bring in semi-functional comonents for a articular key that mimic the structure of normal comonents u to the constraint that the shared valued in the semi-functional sace will be 0 (modulo ). Technically this constraint arises because we will be taking a challenge term from a subgrou decision assumtion that has an unknown exonent in the normal sace and raising it to a share - so we have to make this a share of 0 and searately share the α value in the normal sace so that the unknown exonent does not affect the correctness of the 9

10 sharing in the normal sace. At a higher level this constraint exlains why the simulator at this stage of the hybrid cannot solve the challenge roblem for itself by test decryting against a semi-functional cihertext. Since the structure in the semi-functional sace arallels the normal structure and the shared value here is zero the semi-functional comonents will cancel out uon decrytion. So we can arrive at a stage where a key and cihertext have semi-functional comonents structured just like the normal sace but with fresh arameters modulo that are indeendent of the ublished arameters modulo. This is a conseuence of the Chinese Remainder Theorem that ensures when we samle an exonent uniformly at random modulo N its modulo and modulo reductions are indeendent and uniformly random in Z Z resectively. Since these imlicit arameters in the semi-functional sace are never ublished we can use our bilinear entroy exansion lemma to argue that their subset-sum structure is hidden under the decisional linear assumtion. This allows us to relace them with higher entroy arameters (lacking the subset-sum structure of the normal sace) and then argue that the shared value in the semi-functional sace is information-theoretically hidden (this is where we use that the access olicy is not satisfied and that attributes are used at most once in the olicy). This enables us to switch the semi-functional shares in the key to shares of a random value now destroying correct decrytion of a semi-functional cihertext. We then remove some of the other (now unnecessary) semi-functional comonents of the key to reclaim the entroy of those arameters to use in rocessing the next key in the hybrid. Finally once we have reached a game where all keys are semi-functional with shares of a random secret modulo we can use Subgrou Decision Assumtion 3 to create such keys without knowing the master secret and can hence comlete the roof. We now formally resent our definitions of semi-functional cihertexts and keys and our hybrid roof: Semi-functional Cihertext We will use 3 tyes of semi-functional cihertexts. To roduce a semi-functional cihertext for an attribute set S one first calls the normal encrytion algorithm to roduce a normal cihertext consisting of: Me(g g ) αs {g s g sa K g t KB K g t K : ( K S)} One then draws s Z N. For each K S an exonent t K Z N is chosen. The remaining comosition of the semifunctional cihertext deends on the tye of cihertext desired: Tye 1 The semi-functional cihertext of Tye 1 is formed as: Me(g g ) αs {g s g s g sa K g t KB K g sa K g t K B K g t K g t K : ( K S)} (again here A K = j K a j and B K = j K b j ) Tye 2 The semi-functional cihertext of Tye 2 is formed as: Me(g g ) αs {g s g s g sa K g t KB K g sa K g t K bk g t K g t K : ( K S)} for fixed b K Z N which are chosen uniformly at random and fixed if they do not already exist (in a semi-functional key for instance). 10

11 Tye 3 The semi-functional cihertext of Tye 3 is formed as: Me(g g ) αs {g s g s g sa K g t KB K g sã K g t K bk g t K g t K : ( K S)} for fixed ã K b K Z N which are chosen uniformly at random and fixed if they do not already exist. Semi-functional Keys We will use 7 tyes of semi-functional keys. To roduce a semifunctional key for an access olicy Λ one first calls the normal key generation algorithm to roduce a normal key consisting of: {g λ K g z K w g y K g z K w The first 6 tyes of keys fall under 3 classes which have two variants each: a Z variant and an R variant. For Z-tye keys one comutes a linear sharing of 0 under access olicy Λ creating shares λ K. For R-tye keys one comutes a linear sharing of a random element u of Z which is fixed once it is created and used for all R-tye keys. u is shared under access olicy Λ to create shares λ K. The next stes deend on the class of the key: Class 1 First comute g A K and g B K (where again A K and B K reresent the subset-sums of a j and b j ). For each K label in the honest key one then draws ỹ K Z N and forms the semi-functional key of tye 1Z or 1R (deending on the sharing λ K ) as: {g λ K g λ K gỹka K g z K w g y K gỹk g z K w gỹkb K Class 2 First comute g A K. Random values b K Z N are chosen if they do not already exist (in a semi-functional cihertext for instance) and fixed. For each K label in the honest key one then draws ỹ K Z N and forms the semi-functional key of tye 2Z or 2R as: {g λ K g λ K gỹka K g z K w g y K gỹk g z K w gỹk b K Class 3 Random values ã K b K Z N are chosen if they do not already exist and fixed. For each K label in the honest key one then draws ỹ K Z N and forms the semi-functional key of tye 3Z or 3R as: {g λ K g λ K gỹkã K g z K w g y K gỹk g z K w gỹk b K Note that we now have defined 6 tyes of keys: 1Z 1R 2Z 2R 3Z and 3R where the letter (Z/R) describes whether the λ K share zero or a random element of Z resectively and the number (1/2/3) describes whether the semi-functional analogues of the g A K and g B K in the G grou are structured as subset-sums or as random elements of G (Class 1 keys have both g A K and g B K. Class 2 keys have just g A K have both relaced by random elements gãk g b K 4R which does not contain any of these elements: structured with a random element g b K. Class 3 keys of G ). There is one final tye of key tye Tye 4R Using shares λ K of u (which is randomly chosen from Z and fixed if it has not already been fixed) one forms the semi-functional key of tye 4R as: {g λ K g λ K g z K w g y K g z K w 11

12 Proof Structure Our hybrid roof takes lace over a series of games defined as follows: Letting Q denote the total number of key ueries that the attacker makes we define Game l1 Game l2 Game l3 Game l4 Game l5 Game l6 and Game l7 for l = 1... Q. In each game the first l 1 keys are semi-functional of tye 4R and all keys after the lth reuest are normal. They differ in the construction of the lth key and the cihertext as follows: Game l1 In this game the lth key is tye 1Z and the cihertext is tye 1. Game l2 In this game the lth key is tye 2Z and the cihertext is tye 2. Game l3 In this game the lth key is tye 3Z and the cihertext is tye 3. Game l4 In this game the lth key is tye 3R and the cihertext is tye 3. Game l5 In this game the lth key is tye 2R and the cihertext is tye 2. Game l6 In this game the lth key is tye 1R and the cihertext is tye 1. Game l7 In this game the lth key is tye 4R and the cihertext is tye 1. Note that under this definition we have that in Game 07 the cihertext given to the attacker is tye 1 and the keys are all normal. The outer structure of our hybrid argument will rogress as follows. First we transition from Game real to Game 07 then to Game 11 next to Game 12 next to Game 13 next to Game 14 next to Game 15 next to Game 16 next to Game 17 and then to Game 21 and so on. We then arrive at Game Q7 where the cihertext is semifunctional of tye 1 and all of the keys given to the attacker are semi-functional of tye 4R. We then transition to one last game named Game final which will comlete our roof. Game final uses a semi-functional cihertext of a new tye: tye X which we will now define: Tye X The semi-functional cihertext of Tye X is formed as: MX {g s g s g sa K g t KB K g sa K g t K B K g t K g t K : ( K S)} where X is a uniform random element of G T.(again here A K = j K a j and B K = j K b j ) Game final In this game all keys are semi-functional of tye 4R and the cihertext is semifunctional of tye X. Note that a cihertext of tye X information-theoretically hides its message M because the message is multilied by the uniform random X which is unused anywhere else. So in Game final no olynomial time adversary will be able to achieve advantage in the security game comleting our roof. Our hybrid argument is accomlished in the following lemmas: Lemma 8. Under the Subgrou Decision Assumtion 1 no olynomial time attacker can achieve a non-negligible difference in advantage between Game real and Game

13 Proof. If an algorithm A has non-negligible difference in advantage between Game real and Game 07 then we could use A to achieve non-negligible advantage in the Subgrou Decision Problem 1 as follows: Given g g w and T where either T = g s G or T = g g s s G (where s Z and s Z ) consider the following simulator B in the security game: The ublic arameters are formed by using the given g choosing α a j b j randomly from Z N and giving the constructed ublic arameters to A. B can resond to key reuests by running the usual key generation algorithm to make normal keys because it knows the MSK. To return the challenge cihertext for a set of attributes S for each K S a t K Z N is drawn then the following cihertext is constructed and rovided: } Me(g T ) α {T T A K T t K B K T t K : ( K S) The simulator is able to honestly follow the rest of the scheme using generators g g w so the only difference between its execution distributions deends on the different cihertexts formed deendent on T. Notice that if T = g s for s Z then the distribution of cihertexts formed is identical to the honest case (where t K = t K s) and so the simulator s behavior is exactly that of Game real. If T = g g s s for s Z s Z the cihertext formed is a semi-functional cihertext of tye 1 (where t K = t K s and t K = t K s are indeendent since the values of t K modulo and modulo are indendent and uniform in Z Z resectively by the Chinese Remainder Theorem) so the simulator s behavior is exactly that of Game 07. Therefore any adversary with non-negligible difference in advantage between Game real and Game 07 could be used to achieve the same non-negligible advantage in deciding the Subgrou Decision Problem 1. By assumtion this is not ossible so such an adversary cannot exist. Lemma 9. Under the Subgrou Decision Assumtion 2 no olynomial time attacker can achieve a non-negligible difference in advantage between Game (l 1)7 and Game l1 for any l from 1 to Q Proof. If an algorithm A has non-negligible difference in advantage between Game (l 1)7 and Game l1 for some l in [1 Q] then we could use A to achieve non-negligible advantage in the Subgrou Decision Problem 2 as follows: Given g g w g g s s g r gw r and T where either T = gg y w y or T = ggỹ y gw y (where s y Z s r ỹ Z and r y Z w ) consider the simulator in the security game which acts as follows: The ublic arameters are formed by using the rovided g choosing α a j b j randomly from Z n and giving the constructed ublic arameters to A. To return the challenge cihertext for a set of attributes S for each K S t K Z N is drawn then the following semi-functional cihertext of tye 1 is constructed and rovided: Me(g g s g s ) α {g s g s (g s g s ) A K (g s g s ) t K B K (g s g s ) t K : ( K S)} Here the semi-functional cihertext has t K = st K and t K = st K which are indeendent since the values of t K modulo and modulo are indendent and uniform in Z Z resectively by the Chinese Remainder Theorem. For each reuested key for olicy Λ since the simulator knows the MSK α it can generate an honest key: SK = {g λ K g z K w g y K g z K w 13

14 using the key generation algorithm with g and g w. For honest keys after the lth reuest the simulator returns this key. The simulator additionally chooses and fixes u Z N. For key reuests u to the (l 1)th reuest the simulator generates shares λ K of u. The first l 1 semi-functional keys of tye 4R can be created by returning: SK = {g λ K (g r gw r ) λ K g z K w g y K g z K w Note that these are valid semi-functional keys of tye 4R where the λ K = r λ K ( λ K are a sharing of u so the r λ K are a sharing of u = ru which is uniformly distributed in Z and fixed across all R-tye keys). Also notice that the extra G w comonent g r λ K w is absorbed by the uniform random g z K w. For the lth key reuest the simulator generates λ K and λ K shares of α and 0 resectively. It then draws y K Z N and roduces the key: {g λ K T λ K (T y K ) A K g z K w T y K g z K w (T y K ) B K w : ( K labels Λ)} If T = gg y w y then the key is an honest key where λ K = λ K + yλ K which is a valid sharing of α (λ K is a sharing of zero which multilying it by y does not change and adding this to λ K (the sharing of α) results in another sharing of α) and y K = y K y. The extra G w comonents are all absorbed by the uniform random g z K w g z K w and w. If T = ggỹ y gw y then the key is semi-functional of tye 1Z where λ K = λ K + yλ K which is again a valid sharing of α ỹ K = y Kỹ and y K = y K y which are indeendent since the values of y K modulo and modulo are indendent and uniform in Z Z resectively by the Chinese Remainder Theorem. The extra G w comonents are all absorbed by the uniform random g z K w g z K w and w. Therefore any adversary able to achieve a non-negligible difference in advantage between Game (l 1)7 and Game l1 for some l in [1 Q] could be used to achieve the same non-negligible advantage in deciding the Subgrou Decision Problem 2. By assumtion this is not ossible so such an adversary cannot exist. Bilinear Entroy Exansion Before the next ste of the hybrid roof we will need a result about the indistinguishability between two distributions based on the 2-Linear Comutational Hardness Assumtion. Definition 10. Given G a grou of rime order and g a generator of that grou let D 1 (m) be the distribution of: g s gỹ1... gỹm 1 gỹ1r 1... gỹm 1r M 1 gỹ1b 1... gỹm 1b M 1 g t 1... g t M 1 g sr 1+ t 1 b 1... g sr M 1+ t M 1 b M 1 where the ỹ i t i b i r i s Z and M = 2 m. 14

15 Definition 11. Given G a grou of rime order g a generator of that grou and C = {c 1... c m } a set of m elements drawn uniformly at random from Z let D 2 (m) be the same distribution as above where the ỹ i t i b i s Z but each r i = j C i c j where C i denotes the ith indexed nonemty subset of C ( C = m and there are M 1 = 2 m 1 nonemty subsets). The Bilinear Entroy Exansion Lemma states that these two distributions are indistinguishable: Lemma 12. The distributions D 1 (k) and D 2 (k) are comutationally indistinguishable under the 2-Linear comutational hardness assumtion if k = O(lg oly(λ)). We defer the roof of this lemma to the end of this security roof and return to the next ste in our hybrid: where the B K in the semi-functional sace change to random elements g b K. Lemma 13. Under the 2-Linear Assumtion no olynomial time attacker can achieve a nonnegligible difference in advantage between Game l1 and Game l2 for any l from 1 to Q. Proof. From Lemma 12 we have that the distributions D 1 (k) and D 2 (k) are comutationally indistinguishable under the 2-Linear comutational hardness assumtion if k = O(lg oly(λ)). However if an algorithm A is able to achieve a non-negligible difference in advantage δ between Game l1 and Game l2 for some l in [1 Q] then we could use A to create a distinguisher B for D 1 (k) and D 2 (k) where k is the same value that defines our attribute universe U. (This resents a contradiction since U = O(oly(λ)) and U is defined as containing all subsets of [k] so k = O(lg oly(λ))). We do this as follows: Let the generator of G used in D 1 (k) and D 2 (k) be g. Rename the set C as C = {b 1... b k }. Now given the challenge instance g s gỹ1... gỹk 1 gỹ1r 1... gỹk 1r K 1 gỹ1b 1... gỹk 1b K 1 g t 1... g t K 1 g sr 1+ t 1 b 1... g sr K 1+ t K 1 b K 1 relabel each index as the subset K [k] associated to it so in articular we have: gỹk gỹkr K for all nonemty subsets K [k]. (Note that here we do not even use all of the challenge instance just the sections of gỹk gỹkr K. The full set is needed later when we reuse the lemma in the next hybrid roof). Now B forms the ublic arameters using g choosing α a j b j randomly and giving the aroriately constructed ublic arameters to A. To return the challenge cihertext for a set of attributes S first choose an s Z N. The simulator then redefines s by samling it uniformly at random from Z N. Then t K t K Z N are chosen for each K S. The following semi-functional cihertext can then be constructed and rovided: Me(g g ) αs {g s g s g sa K g t KB K g sa K (gỹkr K ) t K g t K (gỹk ) t K : ( K S)} 15

16 Here t K = t KỹK for all K S. For each reuested key S for olicy Λ since the simulator knows the MSK α it can generate an honest key: SK = {g λ K g z K w g y K g z K w using the key generation algorithm with g and g w. For honest keys after the lth reuest the simulator returns this key. The simulator additionally chooses and fixes u Z N. For key reuests u to the (l 1)th reuest the simulator generates shares λ K of u.the first l 1 semi-functional keys of tye 4R can be created by returning: SK = {g λ K g λ K g z K w g y K g z K w For the lth key reuest B can comute λ K : a sharing of 0 and return the key: {g λ K g λ K (gỹk ) A K g z K w g y K (gỹk )g z K w (gỹkr K ) Notice that if r K = j K b j then g r K = j K g b j is distributed identically to g B K = j K g b j by the Chinese Remainder Theorem. Each b j is a random element of Z N so its value taken mod is indeendent of its value mod. So the distributions of ( j K g b j g b j j K ) = (g B K g B K ) and ( g b j g b j ) = (g B K g r K ) are identical. j K j K Constructing the lth key and challenge cihertext this way gives them alternatively structured or random comonents deending on whether the r K = b j or are uniformly random j K in Z. If the challenge set is drawn from D 2 (k) then B behaves as exected in Game l1 (where the challenge cihertext and lth key are semi-functional of tye 1 and 1Z resectively). If the challenge set is drawn from D 1 (k) then B behaves as exected in Game l2 (where the challenge cihertext and lth key are semi-functional of tye 2 and 2Z resectively). Therefore any adversary with non-negligible difference in advantage δ between Game l1 and Game l2 could be used to achieve the same non-negligible difference in advantage in distinguishing the distributions D 1 (k) and D 2 (k). By Lemma 12 this is not ossible so such an adversary cannot exist and therefore we have roven that no olynomial time attacker can achieve a non-negligible difference in advantage between Game l1 and Game l2 for any l from 1 to Q. The roof for the next ste in our hybrid is similar as we transition from structured g A K to random elements gãk (excet this uses the full version of our Bilinear Entroy Exansion lemma): Lemma 14. Under the 2-Linear Assumtion no olynomial time attacker can achieve a nonnegligible difference in advantage between Game l2 and Game l3 for any l from 1 to Q. Proof. From Lemma 12 we have that the distributions D 1 (k) and D 2 (k) are comutationally indistinguishable under the 2-Linear comutational hardness assumtion if k = O(lg oly(λ)). However if an algorithm A is able to achieve non-negligible difference in advantage δ between Game l2 and Game l3 for some l in [1 Q] then again we could use A to create a distinguisher B for D 1 (k) and D 2 (k) (where again we use the same k which defines our attribute universe U and satisfies k = O(lg oly(λ))). We do this as follows: 16

17 Let the generator of G used in D 1 (k) and D 2 (k) be g. Relabel the set C as C = {a 1... a k }. Now given the challenge instance g s gỹ1... gỹk 1 gỹ1r 1... gỹk 1r K 1 gỹ1b 1... gỹk 1b K 1 g t 1... g t K 1 g sr 1+ t 1 b 1... g sr K 1+ t K 1 b K 1 relabel each index as the subset K [k] associated to it so we have: g s gỹk gỹkr K gỹkb K g t K g sr K+ t K b K for all nonemty subsets K [k]. Now B forms the ublic arameters using g choosing α a j b j randomly and giving the aroriately constructed ublic arameters to A. To return the challenge cihertext for a set of attributes S first choose an s Z N. Then t K Z N are chosen for all K S. The following semi-functional cihertext can then be constructed and rovided: Me(g g ) αs {g s (g s ) g sa K g t KB K (g sr K+ t K b K ) g t K g t K : ( K S)} Note that here we imlicitly set b K = b K. For each reuested key for olicy Λ since the simulator knows the MSK α it can generate an honest key: SK = {g λ K g z K w g y K g z K w using the key generation algorithm with g and g w. For honest keys after the lth reuest the simulator returns this key. The simulator additionally chooses and fixes u Z N. For key reuests u to the (l 1)th reuest the simulator generates shares λ K of u.the first l 1 semi-functional keys of tye 4R can be created by returning: SK = {g λ K A y K K g λ K g z K w g y K g z K w For the lth key reuest B can comute λ K : a sharing of 0 and return the key: {g λ K g λ K (gỹkr K )g z K w g y K (gỹk )g z K w (gỹkb K ) Again notice that if r K = j K a j then g A K = j K g a j is distributed identically to j K g a j = g r K by the Chinese Remainder Theorem. Each a j is a random element of Z N so its value taken mod is indeendent of its value mod. So the distributions of ( j K and ( j K g a j g a j j K ) = (g A K g r K ) are identical. g a j g a j j K ) = (g A K g A K ) 17

18 So constructing the challenge cihertext and lth key this way causes them to have alternatively structured or random comonents deending on whether the r K = j K a j or are uniformly random in Z. If the challenge set is drawn from D 2 (k) then B behaves as exected in Game l2 (where the challenge cihertext and lth key are semi-functional of tye 2 and 2Z resectively). If the challenge set is drawn from D 1 (k) then B behaves as exected in Game l3 (where the challenge cihertext and lth key are semi-functional of tye 3 and 3Z resectively). Therefore any adversary with non-negligible difference in advantage δ between Game l2 and Game l3. could be used to achieve the same non-negligible difference in advantage in distinguishing the distributions D 1 (k) and D 2 (k). By Lemma 12 this is not ossible so such an adversary cannot exist and therefore we have roven that no olynomial time attacker can achieve a non-negligible difference in advantage between Game l2 and Game l3 for any l from 1 to Q. We continue to the next ste in our hybrid roof: Lemma 15. No olynomial time attacker can achieve a non-negligible difference in advantage between Game l3 and Game l4 for any l from 1 to Q Proof. Recall that in both Game l3 and Game l4 the cihertext is semi-functional of tye 3 all keys after the lth key reuest are normal and the first l 1 keys are semi-functional of tye 4R. The only difference is the lth key (either semi-functional of tye 3Z or 3R). In Game l3 the shares λ K are a sharing of 0 while in Game l4 they are a sharing of the u used in R-tye keys. The transition between these two modes of oeration is accomlished using an informationtheoretic argument. Namely the distribution of elements seen by an attacker in both games is the same. To see this note that for any attribute K not included in the cihertext then the distributions of the elements of the key indexed by K are identical in both cases since the λ K are masked by a gãkỹ K where the ã K are chosen uniformly at random and used nowhere else (they do not aear in keys other than the lth key and only aear at most once in the lth key because of our single-use restriction) therefore hiding the value of all λ K information-theoretically. For attributes K used in the cihertext this argument does not aly (since these ã K do aear elsewhere - in the cihertext). For these note that in the security game the attacker is not allowed to reuest a key that is able to decryt the challenge cihertext. So for this key with olicy Λ the rows of the olicy matrix Λ corresonding to the attributes the challenge cihertext is encryted under do not contain ( ) in their san (modulo N). We can further assume that the corresonding rows of Λ do not include ( ) in their san modulo (because if an adversary can roduce an unauthorized set over Z N that is authorized over Z then this can be used to roduce a non-trivial factor of the grou order N which would violate our subgrou decision assumtions). Therefore there exists some vector w Z n orthogonal to the san of these rows which is not orthogonal to ( ) modulo (since Z is a finite field). By scaling this vector we can have w = (1 w 2... w n ) for some collection of w i. Now notice that whether the shares λ K which comrise λ were generated by taking Λ r = λ where r = (0 r 2... r n ) (that is a valid sharing of zero) or taking Λ( r + u w) where (that is a valid sharing of the u used in R-tye keys) then the distributions of shares λ K modulo (they are exonents of g ) that are not information-theoretically hidden by the revious argument are the same. All that is seen are λ K created by taking dot roducts with rows of Λ - for the shares that are not information-theoretically hidden we have that the u w contributes 0 modulo to the share so the distribution of these shares is the same as those roduced by an honest sharing of zero. 18

Similar documents

Fully-secure Key Policy ABE on Prime-Order Bilinear Groups

Fully-secure Key Policy ABE on Prime-Order Bilinear Groups Fully-secure Key Policy ABE on Prime-Order Bilinear Groups Luke Kowalczyk, Jiahui Liu, Kailash Meiyappan Abstract We present a Key-Policy ABE scheme that is fully-secure under the Decisional Linear Assumption.

More information

Improved Hidden Vector Encryption with Short Ciphertexts and Tokens

Improved Hidden Vector Encryption with Short Ciphertexts and Tokens Imroved Hidden Vector Encrytion with Short Cihertexts and Tokens Kwangsu Lee Dong Hoon Lee Abstract Hidden vector encrytion HVE) is a articular kind of redicate encrytion that is an imortant crytograhic

More information

Tight Adaptively Secure Broadcast Encryption with Short Ciphertexts and Keys

Tight Adaptively Secure Broadcast Encryption with Short Ciphertexts and Keys Tight Adatively Secure Broadcast Encrytion with Short Cihertexts and Keys Romain Gay ENS, Paris, France romain.gay@ens.fr Lucas Kowalczyk Columbia University luke@cs.columbia.edu Hoeteck Wee ENS, Paris,

More information

Cryptanalysis of Pseudorandom Generators

Cryptanalysis of Pseudorandom Generators CSE 206A: Lattice Algorithms and Alications Fall 2017 Crytanalysis of Pseudorandom Generators Instructor: Daniele Micciancio UCSD CSE As a motivating alication for the study of lattice in crytograhy we

More information

Conversions among Several Classes of Predicate Encryption and Applications to ABE with Various Compactness Tradeoffs

Conversions among Several Classes of Predicate Encryption and Applications to ABE with Various Compactness Tradeoffs Conversions among Several Classes of Predicate Encrytion and Alications to ABE with Various Comactness Tradeoffs Nuttaong Attraadung, Goichiro Hanaoka, and Shota Yamada National Institute of Advanced Industrial

More information

Cryptography. Lecture 8. Arpita Patra

Cryptography. Lecture 8. Arpita Patra Crytograhy Lecture 8 Arita Patra Quick Recall and Today s Roadma >> Hash Functions- stands in between ublic and rivate key world >> Key Agreement >> Assumtions in Finite Cyclic grous - DL, CDH, DDH Grous

More information

Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products

Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products Predicate Encrytion Suorting Disjunctions, Polynomial Equations, and Inner Products Jonathan Katz jkatz@cs.umd.edu Amit Sahai sahai@cs.ucla.edu Brent Waters bwaters@csl.sri.com Abstract Predicate encrytion

More information

Elliptic Curves and Cryptography

Elliptic Curves and Cryptography Ellitic Curves and Crytograhy Background in Ellitic Curves We'll now turn to the fascinating theory of ellitic curves. For simlicity, we'll restrict our discussion to ellitic curves over Z, where is a

More information

Advanced Cryptography Midterm Exam

Advanced Cryptography Midterm Exam Advanced Crytograhy Midterm Exam Solution Serge Vaudenay 17.4.2012 duration: 3h00 any document is allowed a ocket calculator is allowed communication devices are not allowed the exam invigilators will

More information

Outline. EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Simple Error Detection Coding

Outline. EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Simple Error Detection Coding Outline EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Error detection using arity Hamming code for error detection/correction Linear Feedback Shift

More information

RECIPROCITY LAWS JEREMY BOOHER

RECIPROCITY LAWS JEREMY BOOHER RECIPROCITY LAWS JEREMY BOOHER 1 Introduction The law of uadratic recirocity gives a beautiful descrition of which rimes are suares modulo Secial cases of this law going back to Fermat, and Euler and Legendre

More information

CDH/DDH-Based Encryption. K&L Sections , 11.4.

CDH/DDH-Based Encryption. K&L Sections , 11.4. CDH/DDH-Based Encrytion K&L Sections 8.3.1-8.3.3, 11.4. 1 Cyclic grous A finite grou G of order q is cyclic if it has an element g of q. { 0 1 2 q 1} In this case, G = g = g, g, g,, g ; G is said to be

More information

Efficient Cryptosystems From 2 k -th Power Residue Symbols

Efficient Cryptosystems From 2 k -th Power Residue Symbols Published in Journal of Crytology, 30(2:519 549, 2017. Efficient Crytosystems From 2 k -th Power Residue Symbols Fabrice Benhamouda 1, Javier Herranz 2, Marc Joye 3, and Benoît Libert 4, 1 ES Paris, CRS,

More information

Efficient Cryptosystems From 2 k -th Power Residue Symbols

Efficient Cryptosystems From 2 k -th Power Residue Symbols Efficient Crytosystems From k -th Power Residue Symbols Fabrice Benhamouda, Javier Herranz, Marc Joye 3, and Benoît Libert 4, ENS Paris, CNRS, INRIA, and PSL 45 rue d Ulm, 7530 Paris Cedex 06, France fabrice.benhamouda@ens.fr

More information

Cryptography Assignment 3

Cryptography Assignment 3 Crytograhy Assignment Michael Orlov orlovm@cs.bgu.ac.il) Yanik Gleyzer yanik@cs.bgu.ac.il) Aril 9, 00 Abstract Solution for Assignment. The terms in this assignment are used as defined in [1]. In some

More information

An Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security

An Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security An extended abstract of this aer aears in the Proceedings of the 35th Annual Crytology Conference (CRYPTO 2015), Part I, Rosario ennaro and Matthew Robshaw (Eds.), volume 9215 of Lecture Notes in Comuter

More information

A Public-Key Cryptosystem Based on Lucas Sequences

A Public-Key Cryptosystem Based on Lucas Sequences Palestine Journal of Mathematics Vol. 1(2) (2012), 148 152 Palestine Polytechnic University-PPU 2012 A Public-Key Crytosystem Based on Lucas Sequences Lhoussain El Fadil Communicated by Ayman Badawi MSC2010

More information

ANALYTIC NUMBER THEORY AND DIRICHLET S THEOREM

ANALYTIC NUMBER THEORY AND DIRICHLET S THEOREM ANALYTIC NUMBER THEORY AND DIRICHLET S THEOREM JOHN BINDER Abstract. In this aer, we rove Dirichlet s theorem that, given any air h, k with h, k) =, there are infinitely many rime numbers congruent to

More information

p-adic Measures and Bernoulli Numbers

p-adic Measures and Bernoulli Numbers -Adic Measures and Bernoulli Numbers Adam Bowers Introduction The constants B k in the Taylor series exansion t e t = t k B k k! k=0 are known as the Bernoulli numbers. The first few are,, 6, 0, 30, 0,

More information

Predicate Privacy in Encryption Systems

Predicate Privacy in Encryption Systems Predicate Privacy in Encrytion Systems Emily Shen MIT eshen@csail.mit.edu Elaine Shi CMU/PARC eshi@arc.com December 24, 2008 Brent Waters UT Austin bwaters@cs.utexas.edu Abstract Predicate encrytion is

More information

A Qualitative Event-based Approach to Multiple Fault Diagnosis in Continuous Systems using Structural Model Decomposition

A Qualitative Event-based Approach to Multiple Fault Diagnosis in Continuous Systems using Structural Model Decomposition A Qualitative Event-based Aroach to Multile Fault Diagnosis in Continuous Systems using Structural Model Decomosition Matthew J. Daigle a,,, Anibal Bregon b,, Xenofon Koutsoukos c, Gautam Biswas c, Belarmino

More information

The Graph Accessibility Problem and the Universality of the Collision CRCW Conflict Resolution Rule

The Graph Accessibility Problem and the Universality of the Collision CRCW Conflict Resolution Rule The Grah Accessibility Problem and the Universality of the Collision CRCW Conflict Resolution Rule STEFAN D. BRUDA Deartment of Comuter Science Bisho s University Lennoxville, Quebec J1M 1Z7 CANADA bruda@cs.ubishos.ca

More information

The non-stochastic multi-armed bandit problem

The non-stochastic multi-armed bandit problem Submitted for journal ublication. The non-stochastic multi-armed bandit roblem Peter Auer Institute for Theoretical Comuter Science Graz University of Technology A-8010 Graz (Austria) auer@igi.tu-graz.ac.at

More information

arxiv: v1 [physics.data-an] 26 Oct 2012

arxiv: v1 [physics.data-an] 26 Oct 2012 Constraints on Yield Parameters in Extended Maximum Likelihood Fits Till Moritz Karbach a, Maximilian Schlu b a TU Dortmund, Germany, moritz.karbach@cern.ch b TU Dortmund, Germany, maximilian.schlu@cern.ch

More information

c Copyright by Helen J. Elwood December, 2011

c Copyright by Helen J. Elwood December, 2011 c Coyright by Helen J. Elwood December, 2011 CONSTRUCTING COMPLEX EQUIANGULAR PARSEVAL FRAMES A Dissertation Presented to the Faculty of the Deartment of Mathematics University of Houston In Partial Fulfillment

More information

An Inverse Problem for Two Spectra of Complex Finite Jacobi Matrices

An Inverse Problem for Two Spectra of Complex Finite Jacobi Matrices Coyright 202 Tech Science Press CMES, vol.86, no.4,.30-39, 202 An Inverse Problem for Two Sectra of Comlex Finite Jacobi Matrices Gusein Sh. Guseinov Abstract: This aer deals with the inverse sectral roblem

More information

Shadow Computing: An Energy-Aware Fault Tolerant Computing Model

Shadow Computing: An Energy-Aware Fault Tolerant Computing Model Shadow Comuting: An Energy-Aware Fault Tolerant Comuting Model Bryan Mills, Taieb Znati, Rami Melhem Deartment of Comuter Science University of Pittsburgh (bmills, znati, melhem)@cs.itt.edu Index Terms

More information

1. INTRODUCTION. Fn 2 = F j F j+1 (1.1)

1. INTRODUCTION. Fn 2 = F j F j+1 (1.1) CERTAIN CLASSES OF FINITE SUMS THAT INVOLVE GENERALIZED FIBONACCI AND LUCAS NUMBERS The beautiful identity R.S. Melham Deartment of Mathematical Sciences, University of Technology, Sydney PO Box 23, Broadway,

More information

Distributed Rule-Based Inference in the Presence of Redundant Information

Distributed Rule-Based Inference in the Presence of Redundant Information istribution Statement : roved for ublic release; distribution is unlimited. istributed Rule-ased Inference in the Presence of Redundant Information June 8, 004 William J. Farrell III Lockheed Martin dvanced

More information

GOOD MODELS FOR CUBIC SURFACES. 1. Introduction

GOOD MODELS FOR CUBIC SURFACES. 1. Introduction GOOD MODELS FOR CUBIC SURFACES ANDREAS-STEPHAN ELSENHANS Abstract. This article describes an algorithm for finding a model of a hyersurface with small coefficients. It is shown that the aroach works in

More information

A CONCRETE EXAMPLE OF PRIME BEHAVIOR IN QUADRATIC FIELDS. 1. Abstract

A CONCRETE EXAMPLE OF PRIME BEHAVIOR IN QUADRATIC FIELDS. 1. Abstract A CONCRETE EXAMPLE OF PRIME BEHAVIOR IN QUADRATIC FIELDS CASEY BRUCK 1. Abstract The goal of this aer is to rovide a concise way for undergraduate mathematics students to learn about how rime numbers behave

More information

Evaluating Circuit Reliability Under Probabilistic Gate-Level Fault Models

Evaluating Circuit Reliability Under Probabilistic Gate-Level Fault Models Evaluating Circuit Reliability Under Probabilistic Gate-Level Fault Models Ketan N. Patel, Igor L. Markov and John P. Hayes University of Michigan, Ann Arbor 48109-2122 {knatel,imarkov,jhayes}@eecs.umich.edu

More information

Pseudorandom Sequence Generation

Pseudorandom Sequence Generation YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Crytograhy and Comuter Security Handout #21 Professor M. J. Fischer November 29, 2005 Pseudorandom Seuence Generation 1 Distinguishability and

More information

Linear diophantine equations for discrete tomography

Linear diophantine equations for discrete tomography Journal of X-Ray Science and Technology 10 001 59 66 59 IOS Press Linear diohantine euations for discrete tomograhy Yangbo Ye a,gewang b and Jiehua Zhu a a Deartment of Mathematics, The University of Iowa,

More information

MATH 2710: NOTES FOR ANALYSIS

MATH 2710: NOTES FOR ANALYSIS MATH 270: NOTES FOR ANALYSIS The main ideas we will learn from analysis center around the idea of a limit. Limits occurs in several settings. We will start with finite limits of sequences, then cover infinite

More information

Elementary Analysis in Q p

Elementary Analysis in Q p Elementary Analysis in Q Hannah Hutter, May Szedlák, Phili Wirth November 17, 2011 This reort follows very closely the book of Svetlana Katok 1. 1 Sequences and Series In this section we will see some

More information

Math 4400/6400 Homework #8 solutions. 1. Let P be an odd integer (not necessarily prime). Show that modulo 2,

Math 4400/6400 Homework #8 solutions. 1. Let P be an odd integer (not necessarily prime). Show that modulo 2, MATH 4400 roblems. Math 4400/6400 Homework # solutions 1. Let P be an odd integer not necessarily rime. Show that modulo, { P 1 0 if P 1, 7 mod, 1 if P 3, mod. Proof. Suose that P 1 mod. Then we can write

More information

POINTS ON CONICS MODULO p

POINTS ON CONICS MODULO p POINTS ON CONICS MODULO TEAM 2: JONGMIN BAEK, ANAND DEOPURKAR, AND KATHERINE REDFIELD Abstract. We comute the number of integer oints on conics modulo, where is an odd rime. We extend our results to conics

More information

1-way quantum finite automata: strengths, weaknesses and generalizations

1-way quantum finite automata: strengths, weaknesses and generalizations 1-way quantum finite automata: strengths, weaknesses and generalizations arxiv:quant-h/9802062v3 30 Se 1998 Andris Ambainis UC Berkeley Abstract Rūsiņš Freivalds University of Latvia We study 1-way quantum

More information

Radial Basis Function Networks: Algorithms

Radial Basis Function Networks: Algorithms Radial Basis Function Networks: Algorithms Introduction to Neural Networks : Lecture 13 John A. Bullinaria, 2004 1. The RBF Maing 2. The RBF Network Architecture 3. Comutational Power of RBF Networks 4.

More information

Extension of Minimax to Infinite Matrices

Extension of Minimax to Infinite Matrices Extension of Minimax to Infinite Matrices Chris Calabro June 21, 2004 Abstract Von Neumann s minimax theorem is tyically alied to a finite ayoff matrix A R m n. Here we show that (i) if m, n are both inite,

More information

Lattice Attacks on the DGHV Homomorphic Encryption Scheme

Lattice Attacks on the DGHV Homomorphic Encryption Scheme Lattice Attacks on the DGHV Homomorhic Encrytion Scheme Abderrahmane Nitaj 1 and Tajjeeddine Rachidi 2 1 Laboratoire de Mathématiques Nicolas Oresme Université de Caen Basse Normandie, France abderrahmanenitaj@unicaenfr

More information

CMSC 425: Lecture 4 Geometry and Geometric Programming

CMSC 425: Lecture 4 Geometry and Geometric Programming CMSC 425: Lecture 4 Geometry and Geometric Programming Geometry for Game Programming and Grahics: For the next few lectures, we will discuss some of the basic elements of geometry. There are many areas

More information

System Reliability Estimation and Confidence Regions from Subsystem and Full System Tests

System Reliability Estimation and Confidence Regions from Subsystem and Full System Tests 009 American Control Conference Hyatt Regency Riverfront, St. Louis, MO, USA June 0-, 009 FrB4. System Reliability Estimation and Confidence Regions from Subsystem and Full System Tests James C. Sall Abstract

More information

An Attack on a Fully Homomorphic Encryption Scheme

An Attack on a Fully Homomorphic Encryption Scheme An Attack on a Fully Homomorhic Encrytion Scheme Yuu Hu 1 and Fenghe Wang 2 1 Telecommunication School, Xidian University, 710071 Xi an, China 2 Deartment of Mathematics and Physics Shandong Jianzhu University,

More information

Approximating min-max k-clustering

Approximating min-max k-clustering Aroximating min-max k-clustering Asaf Levin July 24, 2007 Abstract We consider the roblems of set artitioning into k clusters with minimum total cost and minimum of the maximum cost of a cluster. The cost

More information

Fault Tolerant Quantum Computing Robert Rogers, Thomas Sylwester, Abe Pauls

Fault Tolerant Quantum Computing Robert Rogers, Thomas Sylwester, Abe Pauls CIS 410/510, Introduction to Quantum Information Theory Due: June 8th, 2016 Sring 2016, University of Oregon Date: June 7, 2016 Fault Tolerant Quantum Comuting Robert Rogers, Thomas Sylwester, Abe Pauls

More information

By Evan Chen OTIS, Internal Use

By Evan Chen OTIS, Internal Use Solutions Notes for DNY-NTCONSTRUCT Evan Chen January 17, 018 1 Solution Notes to TSTST 015/5 Let ϕ(n) denote the number of ositive integers less than n that are relatively rime to n. Prove that there

More information

Computer arithmetic. Intensive Computation. Annalisa Massini 2017/2018

Computer arithmetic. Intensive Computation. Annalisa Massini 2017/2018 Comuter arithmetic Intensive Comutation Annalisa Massini 7/8 Intensive Comutation - 7/8 References Comuter Architecture - A Quantitative Aroach Hennessy Patterson Aendix J Intensive Comutation - 7/8 3

More information

SQUARES IN Z/NZ. q = ( 1) (p 1)(q 1)

SQUARES IN Z/NZ. q = ( 1) (p 1)(q 1) SQUARES I Z/Z We study squares in the ring Z/Z from a theoretical and comutational oint of view. We resent two related crytograhic schemes. 1. SQUARES I Z/Z Consider for eamle the rime = 13. Write the

More information

The Fekete Szegő theorem with splitting conditions: Part I

The Fekete Szegő theorem with splitting conditions: Part I ACTA ARITHMETICA XCIII.2 (2000) The Fekete Szegő theorem with slitting conditions: Part I by Robert Rumely (Athens, GA) A classical theorem of Fekete and Szegő [4] says that if E is a comact set in the

More information

MAS 4203 Number Theory. M. Yotov

MAS 4203 Number Theory. M. Yotov MAS 4203 Number Theory M. Yotov June 15, 2017 These Notes were comiled by the author with the intent to be used by his students as a main text for the course MAS 4203 Number Theory taught at the Deartment

More information

ECE 534 Information Theory - Midterm 2

ECE 534 Information Theory - Midterm 2 ECE 534 Information Theory - Midterm Nov.4, 009. 3:30-4:45 in LH03. You will be given the full class time: 75 minutes. Use it wisely! Many of the roblems have short answers; try to find shortcuts. You

More information

HENSEL S LEMMA KEITH CONRAD

HENSEL S LEMMA KEITH CONRAD HENSEL S LEMMA KEITH CONRAD 1. Introduction In the -adic integers, congruences are aroximations: for a and b in Z, a b mod n is the same as a b 1/ n. Turning information modulo one ower of into similar

More information

ON POLYNOMIAL SELECTION FOR THE GENERAL NUMBER FIELD SIEVE

ON POLYNOMIAL SELECTION FOR THE GENERAL NUMBER FIELD SIEVE MATHEMATICS OF COMPUTATIO Volume 75, umber 256, October 26, Pages 237 247 S 25-5718(6)187-9 Article electronically ublished on June 28, 26 O POLYOMIAL SELECTIO FOR THE GEERAL UMBER FIELD SIEVE THORSTE

More information

A Block Cipher Involving a Key and a Key Bunch Matrix, Supplemented with Key-Based Permutation and Substitution

A Block Cipher Involving a Key and a Key Bunch Matrix, Supplemented with Key-Based Permutation and Substitution (IJACSA) International Journal of Advanced Comuter Science and Alications, Vol. 4, No., 0 A Block Ciher Involving a Key and a Key Bunch Matrix, Sulemented with Key-Based Permutation and Substitution Dr.

More information

For q 0; 1; : : : ; `? 1, we have m 0; 1; : : : ; q? 1. The set fh j(x) : j 0; 1; ; : : : ; `? 1g forms a basis for the tness functions dened on the i

For q 0; 1; : : : ; `? 1, we have m 0; 1; : : : ; q? 1. The set fh j(x) : j 0; 1; ; : : : ; `? 1g forms a basis for the tness functions dened on the i Comuting with Haar Functions Sami Khuri Deartment of Mathematics and Comuter Science San Jose State University One Washington Square San Jose, CA 9519-0103, USA khuri@juiter.sjsu.edu Fax: (40)94-500 Keywords:

More information

An Estimate For Heilbronn s Exponential Sum

An Estimate For Heilbronn s Exponential Sum An Estimate For Heilbronn s Exonential Sum D.R. Heath-Brown Magdalen College, Oxford For Heini Halberstam, on his retirement Let be a rime, and set e(x) = ex(2πix). Heilbronn s exonential sum is defined

More information

Brownian Motion and Random Prime Factorization

Brownian Motion and Random Prime Factorization Brownian Motion and Random Prime Factorization Kendrick Tang June 4, 202 Contents Introduction 2 2 Brownian Motion 2 2. Develoing Brownian Motion.................... 2 2.. Measure Saces and Borel Sigma-Algebras.........

More information

RESOLUTIONS OF THREE-ROWED SKEW- AND ALMOST SKEW-SHAPES IN CHARACTERISTIC ZERO

RESOLUTIONS OF THREE-ROWED SKEW- AND ALMOST SKEW-SHAPES IN CHARACTERISTIC ZERO RESOLUTIONS OF THREE-ROWED SKEW- AND ALMOST SKEW-SHAPES IN CHARACTERISTIC ZERO MARIA ARTALE AND DAVID A. BUCHSBAUM Abstract. We find an exlicit descrition of the terms and boundary mas for the three-rowed

More information

Solved Problems. (a) (b) (c) Figure P4.1 Simple Classification Problems First we draw a line between each set of dark and light data points.

Solved Problems. (a) (b) (c) Figure P4.1 Simple Classification Problems First we draw a line between each set of dark and light data points. Solved Problems Solved Problems P Solve the three simle classification roblems shown in Figure P by drawing a decision boundary Find weight and bias values that result in single-neuron ercetrons with the

More information

4. Score normalization technical details We now discuss the technical details of the score normalization method.

4. Score normalization technical details We now discuss the technical details of the score normalization method. SMT SCORING SYSTEM This document describes the scoring system for the Stanford Math Tournament We begin by giving an overview of the changes to scoring and a non-technical descrition of the scoring rules

More information

arxiv: v1 [quant-ph] 3 Feb 2015

arxiv: v1 [quant-ph] 3 Feb 2015 From reversible comutation to quantum comutation by Lagrange interolation Alexis De Vos and Stin De Baerdemacker 2 arxiv:502.0089v [quant-h] 3 Feb 205 Cmst, Imec v.z.w., vakgroe elektronica en informatiesystemen,

More information

CR extensions with a classical Several Complex Variables point of view. August Peter Brådalen Sonne Master s Thesis, Spring 2018

CR extensions with a classical Several Complex Variables point of view. August Peter Brådalen Sonne Master s Thesis, Spring 2018 CR extensions with a classical Several Comlex Variables oint of view August Peter Brådalen Sonne Master s Thesis, Sring 2018 This master s thesis is submitted under the master s rogramme Mathematics, with

More information

The Value of Even Distribution for Temporal Resource Partitions

The Value of Even Distribution for Temporal Resource Partitions The Value of Even Distribution for Temoral Resource Partitions Yu Li, Albert M. K. Cheng Deartment of Comuter Science University of Houston Houston, TX, 7704, USA htt://www.cs.uh.edu Technical Reort Number

More information

Convex Optimization methods for Computing Channel Capacity

Convex Optimization methods for Computing Channel Capacity Convex Otimization methods for Comuting Channel Caacity Abhishek Sinha Laboratory for Information and Decision Systems (LIDS), MIT sinhaa@mit.edu May 15, 2014 We consider a classical comutational roblem

More information

Combining Logistic Regression with Kriging for Mapping the Risk of Occurrence of Unexploded Ordnance (UXO)

Combining Logistic Regression with Kriging for Mapping the Risk of Occurrence of Unexploded Ordnance (UXO) Combining Logistic Regression with Kriging for Maing the Risk of Occurrence of Unexloded Ordnance (UXO) H. Saito (), P. Goovaerts (), S. A. McKenna (2) Environmental and Water Resources Engineering, Deartment

More information

RANDOM WALKS AND PERCOLATION: AN ANALYSIS OF CURRENT RESEARCH ON MODELING NATURAL PROCESSES

RANDOM WALKS AND PERCOLATION: AN ANALYSIS OF CURRENT RESEARCH ON MODELING NATURAL PROCESSES RANDOM WALKS AND PERCOLATION: AN ANALYSIS OF CURRENT RESEARCH ON MODELING NATURAL PROCESSES AARON ZWIEBACH Abstract. In this aer we will analyze research that has been recently done in the field of discrete

More information

Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting

Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting Allison Lewko The University of Texas at Austin alewko@csutexasedu Abstract In this paper, we explore a general

More information

COMMUNICATION BETWEEN SHAREHOLDERS 1

COMMUNICATION BETWEEN SHAREHOLDERS 1 COMMUNICATION BTWN SHARHOLDRS 1 A B. O A : A D Lemma B.1. U to µ Z r 2 σ2 Z + σ2 X 2r ω 2 an additive constant that does not deend on a or θ, the agents ayoffs can be written as: 2r rθa ω2 + θ µ Y rcov

More information

Uncorrelated Multilinear Principal Component Analysis for Unsupervised Multilinear Subspace Learning

Uncorrelated Multilinear Principal Component Analysis for Unsupervised Multilinear Subspace Learning TNN-2009-P-1186.R2 1 Uncorrelated Multilinear Princial Comonent Analysis for Unsuervised Multilinear Subsace Learning Haiing Lu, K. N. Plataniotis and A. N. Venetsanooulos The Edward S. Rogers Sr. Deartment

More information

Feedback-error control

Feedback-error control Chater 4 Feedback-error control 4.1 Introduction This chater exlains the feedback-error (FBE) control scheme originally described by Kawato [, 87, 8]. FBE is a widely used neural network based controller

More information

δ(xy) = φ(x)δ(y) + y p δ(x). (1)

δ(xy) = φ(x)δ(y) + y p δ(x). (1) LECTURE II: δ-rings Fix a rime. In this lecture, we discuss some asects of the theory of δ-rings. This theory rovides a good language to talk about rings with a lift of Frobenius modulo. Some of the material

More information

New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective Techniques

New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective Techniques New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective Techniques Allison Lewko University of Texas at Austin alewko@cs.utexas.edu Brent Waters University of Texas

More information

An Overview of Witt Vectors

An Overview of Witt Vectors An Overview of Witt Vectors Daniel Finkel December 7, 2007 Abstract This aer offers a brief overview of the basics of Witt vectors. As an alication, we summarize work of Bartolo and Falcone to rove that

More information

Galois Fields, Linear Feedback Shift Registers and their Applications

Galois Fields, Linear Feedback Shift Registers and their Applications Galois Fields, Linear Feedback Shift Registers and their Alications With 85 illustrations as well as numerous tables, diagrams and examles by Ulrich Jetzek ISBN (Book): 978-3-446-45140-7 ISBN (E-Book):

More information

Desingularization Explains Order-Degree Curves for Ore Operators

Desingularization Explains Order-Degree Curves for Ore Operators Desingularization Exlains Order-Degree Curves for Ore Oerators Shaoshi Chen Det. of Mathematics / NCSU Raleigh, NC 27695, USA schen2@ncsu.edu Maximilian Jaroschek RISC / Joh. Keler University 4040 Linz,

More information

16.2. Infinite Series. Introduction. Prerequisites. Learning Outcomes

16.2. Infinite Series. Introduction. Prerequisites. Learning Outcomes Infinite Series 6.2 Introduction We extend the concet of a finite series, met in Section 6., to the situation in which the number of terms increase without bound. We define what is meant by an infinite

More information

An Investigation of Some Forward Security Properties for PEKS and IBE

An Investigation of Some Forward Security Properties for PEKS and IBE An Investigation of Some Forward Security Proerties for PEKS and IBE Qiang Tang APSIA grou, SnT, University of Luxemourg 6, rue Richard Coudenhove-Kalergi, L-359 Luxemourg qiang.tang@uni.lu Astract. In

More information

DISCRIMINANTS IN TOWERS

DISCRIMINANTS IN TOWERS DISCRIMINANTS IN TOWERS JOSEPH RABINOFF Let A be a Dedekind domain with fraction field F, let K/F be a finite searable extension field, and let B be the integral closure of A in K. In this note, we will

More information

On the Relationship Between Packet Size and Router Performance for Heavy-Tailed Traffic 1

On the Relationship Between Packet Size and Router Performance for Heavy-Tailed Traffic 1 On the Relationshi Between Packet Size and Router Performance for Heavy-Tailed Traffic 1 Imad Antonios antoniosi1@southernct.edu CS Deartment MO117 Southern Connecticut State University 501 Crescent St.

More information

Information collection on a graph

Information collection on a graph Information collection on a grah Ilya O. Ryzhov Warren Powell February 10, 2010 Abstract We derive a knowledge gradient olicy for an otimal learning roblem on a grah, in which we use sequential measurements

More information

Online Appendix to Accompany AComparisonof Traditional and Open-Access Appointment Scheduling Policies

Online Appendix to Accompany AComparisonof Traditional and Open-Access Appointment Scheduling Policies Online Aendix to Accomany AComarisonof Traditional and Oen-Access Aointment Scheduling Policies Lawrence W. Robinson Johnson Graduate School of Management Cornell University Ithaca, NY 14853-6201 lwr2@cornell.edu

More information

Solution sheet ξi ξ < ξ i+1 0 otherwise ξ ξ i N i,p 1 (ξ) + where 0 0

Solution sheet ξi ξ < ξ i+1 0 otherwise ξ ξ i N i,p 1 (ξ) + where 0 0 Advanced Finite Elements MA5337 - WS7/8 Solution sheet This exercise sheets deals with B-slines and NURBS, which are the basis of isogeometric analysis as they will later relace the olynomial ansatz-functions

More information

#A47 INTEGERS 15 (2015) QUADRATIC DIOPHANTINE EQUATIONS WITH INFINITELY MANY SOLUTIONS IN POSITIVE INTEGERS

#A47 INTEGERS 15 (2015) QUADRATIC DIOPHANTINE EQUATIONS WITH INFINITELY MANY SOLUTIONS IN POSITIVE INTEGERS #A47 INTEGERS 15 (015) QUADRATIC DIOPHANTINE EQUATIONS WITH INFINITELY MANY SOLUTIONS IN POSITIVE INTEGERS Mihai Ciu Simion Stoilow Institute of Mathematics of the Romanian Academy, Research Unit No. 5,

More information

Hidden Predictors: A Factor Analysis Primer

Hidden Predictors: A Factor Analysis Primer Hidden Predictors: A Factor Analysis Primer Ryan C Sanchez Western Washington University Factor Analysis is a owerful statistical method in the modern research sychologist s toolbag When used roerly, factor

More information

New Schedulability Test Conditions for Non-preemptive Scheduling on Multiprocessor Platforms

New Schedulability Test Conditions for Non-preemptive Scheduling on Multiprocessor Platforms New Schedulability Test Conditions for Non-reemtive Scheduling on Multirocessor Platforms Technical Reort May 2008 Nan Guan 1, Wang Yi 2, Zonghua Gu 3 and Ge Yu 1 1 Northeastern University, Shenyang, China

More information

LINEAR SYSTEMS WITH POLYNOMIAL UNCERTAINTY STRUCTURE: STABILITY MARGINS AND CONTROL

LINEAR SYSTEMS WITH POLYNOMIAL UNCERTAINTY STRUCTURE: STABILITY MARGINS AND CONTROL LINEAR SYSTEMS WITH POLYNOMIAL UNCERTAINTY STRUCTURE: STABILITY MARGINS AND CONTROL Mohammad Bozorg Deatment of Mechanical Engineering University of Yazd P. O. Box 89195-741 Yazd Iran Fax: +98-351-750110

More information

Introduction to Group Theory Note 1

Introduction to Group Theory Note 1 Introduction to Grou Theory Note July 7, 009 Contents INTRODUCTION. Examles OF Symmetry Grous in Physics................................. ELEMENT OF GROUP THEORY. De nition of Grou................................................

More information

Convex Analysis and Economic Theory Winter 2018

Convex Analysis and Economic Theory Winter 2018 Division of the Humanities and Social Sciences Ec 181 KC Border Conve Analysis and Economic Theory Winter 2018 Toic 16: Fenchel conjugates 16.1 Conjugate functions Recall from Proosition 14.1.1 that is

More information

Mobius Functions, Legendre Symbols, and Discriminants

Mobius Functions, Legendre Symbols, and Discriminants Mobius Functions, Legendre Symbols, and Discriminants 1 Introduction Zev Chonoles, Erick Knight, Tim Kunisky Over the integers, there are two key number-theoretic functions that take on values of 1, 1,

More information

The inverse Goldbach problem

The inverse Goldbach problem 1 The inverse Goldbach roblem by Christian Elsholtz Submission Setember 7, 2000 (this version includes galley corrections). Aeared in Mathematika 2001. Abstract We imrove the uer and lower bounds of the

More information

Characteristics of Fibonacci-type Sequences

Characteristics of Fibonacci-type Sequences Characteristics of Fibonacci-tye Sequences Yarden Blausa May 018 Abstract This aer resents an exloration of the Fibonacci sequence, as well as multi-nacci sequences and the Lucas sequence. We comare and

More information

Efficient Cryptosystems From 2 k -th Power Residue Symbols

Efficient Cryptosystems From 2 k -th Power Residue Symbols Efficient Crytosystems From 2 k -th Power Residue Symbols Marc Joye and Benoît Libert Technicolor 975 avenue des Chams Blancs, 35576 Cesson-Sévigné Cedex, France {marc.joye,benoit.libert}@technicolor.com

More information

AI*IA 2003 Fusion of Multiple Pattern Classifiers PART III

AI*IA 2003 Fusion of Multiple Pattern Classifiers PART III AI*IA 23 Fusion of Multile Pattern Classifiers PART III AI*IA 23 Tutorial on Fusion of Multile Pattern Classifiers by F. Roli 49 Methods for fusing multile classifiers Methods for fusing multile classifiers

More information

Topic 7: Using identity types

Topic 7: Using identity types Toic 7: Using identity tyes June 10, 2014 Now we would like to learn how to use identity tyes and how to do some actual mathematics with them. By now we have essentially introduced all inference rules

More information

Sums of independent random variables

Sums of independent random variables 3 Sums of indeendent random variables This lecture collects a number of estimates for sums of indeendent random variables with values in a Banach sace E. We concentrate on sums of the form N γ nx n, where

More information

Model checking, verification of CTL. One must verify or expel... doubts, and convert them into the certainty of YES [Thomas Carlyle]

Model checking, verification of CTL. One must verify or expel... doubts, and convert them into the certainty of YES [Thomas Carlyle] Chater 5 Model checking, verification of CTL One must verify or exel... doubts, and convert them into the certainty of YES or NO. [Thomas Carlyle] 5. The verification setting Page 66 We introduce linear

More information

Sets of Real Numbers

Sets of Real Numbers Chater 4 Sets of Real Numbers 4. The Integers Z and their Proerties In our revious discussions about sets and functions the set of integers Z served as a key examle. Its ubiquitousness comes from the fact

More information

Introduction to Arithmetic Geometry Fall 2013 Lecture #10 10/8/2013

Introduction to Arithmetic Geometry Fall 2013 Lecture #10 10/8/2013 18.782 Introduction to Arithmetic Geometry Fall 2013 Lecture #10 10/8/2013 In this lecture we lay the groundwork needed to rove the Hasse-Minkowski theorem for Q, which states that a quadratic form over

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback