EME*: extending EME to handle arbitrary-length messages with associated data
EME*: extending EME to handle arbitrary-length messages with associated data (Preliminary Report)

Shai Halevi
May 27, 2004

Abstract. This work describes a mode of operation, EME*, that turns a regular block cipher into a length-preserving enciphering scheme for messages of (almost) arbitrary length. Specifically, the resulting scheme can handle any bit-length, not shorter than the block size of the underlying cipher, and it also handles associated data of arbitrary bit-length. Such a scheme can either be used directly in applications that need encryption but cannot afford length expansion, or serve as a convenient building block for higher-level modes. The mode EME* is a refinement of the EME mode of Halevi and Rogaway, and it inherits the efficiency and parallelism from the original EME.

1 Introduction

Adding secrecy protection to existing (legacy) protocols and applications raises some unique problems. One of these problems is that existing protocols sometimes require that the encryption be transparent, and in particular preclude length-expansion. One example is encryption of storage data at the sector level, where both the higher-level operating system and the lower-level disk expect the data to be stored in blocks of 512 bytes, and so any encryption method would have to accept 512-byte plaintexts and produce 512-byte ciphertexts. Clearly, insisting on a length-preserving (and hence deterministic) transformation has many drawbacks. Indeed, even the weakest acceptable notion of secure encryption (i.e., semantic security [5]) cannot be achieved by deterministic encryption. Still, there may be cases where length-preservation is a hard requirement (due to technical, economical or even political constraints), and in such cases one may want to use some encryption scheme that gives better protection than no encryption at all. The strongest notion of security for a length-preserving transformation is a strong pseudo-random permutation (SPRP) as defined by Luby and Rackoff [10], and its extension to tweakable SPRP by Liskov et al. [9].¹
¹ A tweak is an additional input to the enciphering and deciphering procedures that need not be kept secret. This report uses the terms tweak and associated data pretty much interchangeably, except that associated data hints that it can be of arbitrary length, whereas tweak is sometimes thought of as a fixed-length quantity.

IBM T.J. Watson Research Center, P.O. Box 704, Yorktown Heights, NY 10598, USA, shaih@watson.ibm.com
Motivated by the application for sector-level encryption, some efficient modes of operation that implement tweakable SPRPs on large blocks were recently described by Halevi and Rogaway [6, 7]. As general-purpose modes, however, these modes are somewhat limited, in that they can only be applied to input messages whose size is a multiple of n, the block-size of the underlying cipher. Also, the mode CMC from [6] is inherently sequential (and it was only proven secure against attack models where all the messages are of the same length), and the mode EME from [7] is limited to messages of at most $n^2$ bits. The current work is aimed at eliminating these limitations.

The mode EME*, presented below, takes a standard cipher with n-bit blocks and turns it into a tweakable enciphering scheme with message space $\mathcal{M} = \{0,1\}^{n+}$ (i.e., any string of at least n bits) and tweak space $\mathcal{T} = \{0,1\}^*$. The key for EME* consists of one key of the underlying cipher and two additional n-bit blocks. The mode EME* has similar structure to the mode EME from [7]. Roughly, it consists of two layers of masked ECB encryption, with a layer of lightweight mixing in between. As a consequence, EME* is highly parallelizable,¹ and also quite work-efficient. Processing an m-block query with l blocks of associated data takes at most $l + 2m + \lceil m/n \rceil$ block encryptions (or decryptions). (We note that another mode for arbitrary-length messages, following the Luby-Rackoff approach, was recently proposed by McGrew and Viega [11].)

1.1 What about very short blocks?

The mode EME* can handle blocks of any bit-length, but not less than the block size of the underlying cipher. The underlying structure of EME*, being based on ECB encryption, does not lend itself to handling shorter blocks. In fact, in my opinion there is no good solution today for handling arbitrary short blocks. The solutions that I am aware of are the following:

- For blocks that are not too short (say, at least 64 bits), one can simply switch to using a different block cipher.
  For example, one could use EME*[AES] to process blocks that are 128 bits or more, and use a separately keyed EME*[3DES] to handle blocks of length between 64 and 127 bits. This solution, however, is quite expensive, as it mandates the implementation of two different ciphers. (Of course, one could use EME*[3DES] also to handle longer messages, but then the security parameter would be much reduced.) Moreover, this solution does not address blocks shorter than 64 bits.

- For very short blocks (e.g., one byte) it is possible to pre-compute a pseudorandom permutation and store it in a table. This approach, however, clearly runs out of steam for blocks longer than two bytes, and it is extremely wasteful of space even before that. (Also, it is not clear how to incorporate a tweak into this approach.)

- Alternatively, one could apply the Luby-Rackoff construction to implement the narrow-block cipher, using the underlying cipher for the pseudorandom function. (Indeed, the ABL mode of McGrew and Viega [11] does just that.) This solution extends to handle messages of any length, but at the price of a severely reduced security parameter. For example, although 128-bit blocks may enjoy 128 bits of security, 127-bit blocks only enjoy 63 bits of security. Even worse, 64-bit blocks have to make do with a pathetic 32 bits of security.

¹ In EME*, the longest execution path for any input consists of at most five block encryptions. If the input length is a multiple of the block length then the longest path has only four encryptions, and only three if in addition the input is shorter than n blocks.
  It is possible to use six or more rounds of the Luby-Rackoff construction to make the security parameter a little less miserable (cf. Patarin's work [12]), but the price is an extremely slow mode for small blocks.

- Another approach is to use a parameterizable cipher (e.g., RC5 [13]) as the underlying block cipher. Parameterizable ciphers can be instantiated to handle various block sizes, so in particular they can be used in their narrow-block instantiation to handle the small blocks. However, to the best of my knowledge there is a fairly small number of such ciphers, and they were never seriously analyzed for small blocks. So it is unlikely that they provide very good security, especially in the very small block sizes. Worse still, it is likely that using the same key for different block sizes would have disastrous consequences.

I view the problem of handling arbitrary small blocks as wide open. The two plausible approaches for addressing it are either to design a mode of operation with a good security-performance tradeoff for small blocks, or to design an efficient block cipher that can handle small blocks securely. I believe that a good cipher is more likely to be possible than a good mode of operation (but perhaps this is only because I know more about modes of operation than about block ciphers).

Organization. Section 2 recalls some standard definitions (this section is taken almost verbatim from [7]). Section 3 describes the EME* mode with a brief discussion of the extensions of EME* over EME. The security of EME* is stated in Section 4 and proven in the appendix.

Acknowledgments. I thank John Viega for showing me his ABL mode of operation. I also thank Eli Biham for a discussion about the state of block ciphers for very short blocks.

2 Preliminaries

Basics. A tweakable enciphering scheme is a function $E: \mathcal{K} \times \mathcal{T} \times \mathcal{M} \to \mathcal{M}$ where $\mathcal{M} = \bigcup_{i \in I} \{0,1\}^i$ is the message space (for some nonempty index set $I \subseteq \mathbb{N}$) and $\mathcal{K}$ is the key space and $\mathcal{T}$ is the tweak space. We require that for every $K \in \mathcal{K}$ and $T \in \mathcal{T}$ we have that $E(K, T, \cdot) = E_K^T(\cdot)$ is a length-preserving permutation on $\mathcal{M}$.
The inverse of an enciphering scheme $E$ is the enciphering scheme $D = E^{-1}$ where $X = D_K^T(Y)$ if and only if $E_K^T(X) = Y$. A block cipher is the special case of a tweakable enciphering scheme where the message space is $\mathcal{M} = \{0,1\}^n$ (for some $n \ge 1$) and the tweak space is $\mathcal{T} = \{\varepsilon\}$ (the empty string). The number $n$ is called the blocksize. By $\mathrm{Perm}(n)$ we mean the set of all permutations on $\{0,1\}^n$. By $\mathrm{Perm}^{\mathcal{T}}(\mathcal{M})$ we mean the set of all functions $\pi: \mathcal{T} \times \mathcal{M} \to \mathcal{M}$ where $\pi(T, \cdot)$ is a length-preserving permutation.

An adversary $A$ is a (possibly probabilistic) algorithm with access to some oracles. Oracles are written as superscripts. By convention, the running time of an algorithm includes its description size. The notation $A \Rightarrow 1$ describes the event that the adversary $A$ outputs the bit one.

Security measures. For a tweakable enciphering scheme $E: \mathcal{K} \times \mathcal{T} \times \mathcal{M} \to \mathcal{M}$ we consider the advantage that the adversary $A$ has in distinguishing $E$ and its inverse from a random tweakable permutation and its inverse:
$$\mathrm{Adv}^{\widetilde{\pm\mathrm{prp}}}_{E}(A) = \Pr\left[K \xleftarrow{\$} \mathcal{K} : A^{E_K(\cdot,\cdot)\; E_K^{-1}(\cdot,\cdot)} \Rightarrow 1\right] - \Pr\left[\pi \xleftarrow{\$} \mathrm{Perm}^{\mathcal{T}}(\mathcal{M}) : A^{\pi(\cdot,\cdot)\; \pi^{-1}(\cdot,\cdot)} \Rightarrow 1\right]$$

The notation shows, in the brackets, an experiment to the left of the colon and an event to the right of the colon. We are looking at the probability of the indicated event after performing the specified experiment. By $X \xleftarrow{\$} \mathcal{X}$ we mean to choose $X$ at random from the finite set $\mathcal{X}$. In writing $\widetilde{\pm\mathrm{prp}}$ the tilde serves as a reminder that the PRP is tweakable and the $\pm$ symbol is a reminder that this is the strong (chosen plaintext/ciphertext attack) notion of security. For a block cipher, we omit the tilde.

Without loss of generality we assume that an adversary never repeats an encipher query, never repeats a decipher query, never queries its deciphering oracle with $(T, C)$ if it got $C$ in response to some $(T, M)$ encipher query, and never queries its enciphering oracle with $(T, M)$ if it earlier got $M$ in response to some $(T, C)$ decipher query. We call such queries pointless because the adversary knows the answer that it should receive.

When $\mathbf{R}$ is a list of resources and $\mathrm{Adv}^{\mathrm{xxx}}_{\Pi}(A)$ has been defined, we write $\mathrm{Adv}^{\mathrm{xxx}}_{\Pi}(\mathbf{R})$ for the maximal value of $\mathrm{Adv}^{\mathrm{xxx}}_{\Pi}(A)$ over all adversaries $A$ that use resources at most $\mathbf{R}$. Resources of interest are the running time $t$ and the number of oracle queries $q$ and the query complexity $\sigma_n$ (where $n \ge 1$ is a number). The query complexity $\sigma_n$ is just the total number of $n$-bit blocks in all the queries that the adversary makes (including both the data and the associated data). Namely, the query complexity of any one call $(T, P)$ is $\lceil |T|/n \rceil + \lceil |P|/n \rceil$, and the query complexity of an attack is the sum of the query complexities of all the calls. The name of an argument (e.g., $t$, $q$, or $\sigma_n$) will be enough to make clear what resource it refers to.

Finite field. We interchangeably view an $n$-bit string as: a string; a nonnegative integer less than $2^n$ (msb first); a formal polynomial over $\mathrm{GF}(2)$ (with the coefficient of $x^{n-1}$ first and the free term last); and an abstract point in the finite field $\mathrm{GF}(2^n)$.
To do addition on field points, one xors their string representations. To do multiplication on field points, one must fix a degree-$n$ irreducible polynomial. We choose to use the lexicographically first primitive polynomial of minimum weight. For $n = 128$ this is the polynomial $x^{128} + x^7 + x^2 + x + 1$. See [3] for a list of the indicated polynomials. We note that with this choice of field-point representation, the point $x = 0^{n-2}10 = 2$ will always have order $2^n - 1$ in the multiplicative group of $\mathrm{GF}(2^n)$, meaning that $2, 2^2, 2^3, \ldots, 2^{2^n - 1}$ are all distinct. Finally, we note that given $L = L_{n-1} \cdots L_1 L_0 \in \{0,1\}^n$ it is easy to compute $2L$. We illustrate the procedure for $n = 128$, in which case $2L = L{<<}1$ if $\mathrm{firstbit}(L) = 0$, and $2L = (L{<<}1) \oplus \mathrm{Const87}$ if $\mathrm{firstbit}(L) = 1$. Here $\mathrm{Const87} = 0^{120}10000111$ (the string representation of $x^7 + x^2 + x + 1$, the low-order terms of the polynomial above), $\mathrm{firstbit}(L)$ means $L_{n-1}$, and $L{<<}1$ means $L_{n-2} L_{n-3} \cdots L_1 L_0 0$.

3 Specification of EME* Mode

Consider a block cipher $E: \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$. Then $\mathrm{EME}^*[E]: (\mathcal{K} \times \{0,1\}^{2n}) \times \mathcal{T} \times \mathcal{M} \to \mathcal{M}$ is an enciphering scheme with associated data, where $\mathcal{K}$ is the same as for the underlying cipher, $\mathcal{T} = \{0,1\}^{0..n(2^n - 3)}$, and $\mathcal{M} = \{0,1\}^{n..n(2^n - 2)}$. In words, the key for $\mathrm{EME}^*[E]$ consists of one key $K$ of the underlying block cipher $E$ and two $n$-bit blocks, $L$ and $R$. $\mathrm{EME}^*[E]$ accepts messages of any bit length greater than or equal to $n$ (but no more than $n(2^n - 2)$), and associated data of arbitrary bit-length (but no more than $n(2^n - 3)$). Obviously, in practical terms the upper limits are no limitation at all.
function H_{K,R}(T_1 ··· T_{l−1}, T_l):                  // |T_1| = ··· = |T_{l−1}| = n, 0 < |T_l| ≤ n
   01  if T is empty return E_K(R)
   10  for i ∈ [1..l−1] do TTT_i ← E_K(2^i R ⊕ T_i) ⊕ 2^i R
   11  if |T_l| = n then TTT_l ← E_K(2^l R ⊕ T_l) ⊕ 2^l R
   12  else TTT_l ← E_K(2^{l+1} R ⊕ (T_l 10..0)) ⊕ 2^{l+1} R
   13  return TTT_1 ⊕ ··· ⊕ TTT_l

Algorithm E_{K,L,R}(T; P_1 ··· P_m):                     // |P_1| = ··· = |P_{m−1}| = n, 0 < |P_m| ≤ n
  101  if |P_m| = n then lastfull ← m
  102  else lastfull ← m − 1, PPP_m ← P_m padded with 10..0
  110  for i ← 1 to lastfull do
  111      PP_i ← 2^{i−1} L ⊕ P_i
  112      PPP_i ← E_K(PP_i)
  120  SP ← PPP_2 ⊕ ··· ⊕ PPP_m
  121  MP_1 ← PPP_1 ⊕ SP ⊕ H_{K,R}(T)
  122  if |P_m| = n then MC_1 ← E_K(MP_1)
  123  else MM ← E_K(MP_1)
  124      MC_1 ← E_K(MM)
  125      C_m ← P_m ⊕ (MM truncated)
  126      CCC_m ← C_m padded with 10..0
  127  M_1 ← MP_1 ⊕ MC_1
  130  for i = 2 to lastfull do
  131      j = ⌈i/n⌉, k = (i − 1) mod n
  132      if k = 0 then
  133          MP_j ← PPP_i ⊕ M_1
  134          MC_j ← E_K(MP_j)
  135          M_j ← MP_j ⊕ MC_j
  136          CCC_i ← MC_j ⊕ M_1
  137      else CCC_i ← PPP_i ⊕ 2^k M_j
  140  SC ← CCC_2 ⊕ ··· ⊕ CCC_m
  141  CCC_1 ← MC_1 ⊕ SC ⊕ H_{K,R}(T)
  142  for i ← 1 to lastfull do
  143      CC_i ← E_K(CCC_i)
  144      C_i ← CC_i ⊕ 2^{i−1} L
  150  return C_1 ··· C_m

Algorithm D_{K,L,R}(T; C_1 ··· C_m):                     // |C_1| = ··· = |C_{m−1}| = n, 0 < |C_m| ≤ n
  201  if |C_m| = n then lastfull ← m
  202  else lastfull ← m − 1, CCC_m ← C_m padded with 10..0
  210  for i ← 1 to lastfull do
  211      CC_i ← 2^{i−1} L ⊕ C_i
  212      CCC_i ← E_K^{−1}(CC_i)
  220  SC ← CCC_2 ⊕ ··· ⊕ CCC_m
  221  MC_1 ← CCC_1 ⊕ SC ⊕ H_{K,R}(T)
  222  if |C_m| = n then MP_1 ← E_K^{−1}(MC_1)
  223  else MM ← E_K^{−1}(MC_1)
  224      MP_1 ← E_K^{−1}(MM)
  225      P_m ← C_m ⊕ (MM truncated)
  226      PPP_m ← P_m padded with 10..0
  227  M_1 ← MP_1 ⊕ MC_1
  230  for i = 2 to lastfull do
  231      j = ⌈i/n⌉, k = (i − 1) mod n
  232      if k = 0 then
  233          MC_j ← CCC_i ⊕ M_1
  234          MP_j ← E_K^{−1}(MC_j)
  235          M_j ← MP_j ⊕ MC_j
  236          PPP_i ← MP_j ⊕ M_1
  237      else PPP_i ← CCC_i ⊕ 2^k M_j
  240  SP ← PPP_2 ⊕ ··· ⊕ PPP_m
  241  PPP_1 ← MP_1 ⊕ SP ⊕ H_{K,R}(T)
  242  for i ← 1 to lastfull do
  243      PP_i ← E_K^{−1}(PPP_i)
  244      P_i ← PP_i ⊕ 2^{i−1} L
  250  return P_1 ··· P_m

Figure 1: Enciphering and deciphering under $\mathbf{E} = \mathrm{EME}^*[E]$, where $E: \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ is a block cipher. The associated data is $T \in \{0,1\}^*$, the plaintext is $P = P_1 \cdots P_m$ and the ciphertext is $C = C_1 \cdots C_m$.
[Figure 2 is a diagram in the original; only its labels survive here. Inputs: associated data and plaintext blocks $P_1, P_2, \ldots, P_n, P_{n+1}, P_{n+2}, P_{n+3}$. First layer: masks $L, 2L, \ldots, 2^{n-1}L, 2^nL, 2^{n+1}L$ give $PP_1 \ldots PP_{n+2}$, which are enciphered to $PPP_1 \ldots PPP_{n+2}$, while the partial block is padded to $PPP_{n+3}$; the associated data is hashed by $H$. Middle layer: $SP$, $MP_1$, $M_1$, $MM$, the masks $2M_1, \ldots, 2^{n-1}M_1$, then $MP_2$, $MC_2$, $2M_2$, with $MC_1$ and $SC$. Last layer: $CCC_1 \ldots CCC_{n+3}$ (with the padded partial block), enciphered to $CC_1 \ldots CC_{n+2}$ and masked with $L, 2L, \ldots, 2^{n+1}L$ to give $C_1, \ldots, C_{n+3}$.]

Figure 2: Enciphering under EME* a buffer with $n + 2$ full blocks and one partial block. The boxes represent $E_K$. We set the masks as $SP = PPP_2 \oplus \cdots \oplus PPP_{n+3}$, $M_i = MP_i \oplus MC_i$, and $SC = CCC_2 \oplus \cdots \oplus CCC_{n+3}$.
The scheme $\mathrm{EME}^*[E]$ follows the same general principles of the tweakable scheme EME from [7]. Roughly, it consists of two layers of masked ECB encryption, with a layer of lightweight mixing in between. A complete specification of the enciphering scheme $\mathrm{EME}^*[E]$ is given in Figure 1, and an illustration (for a message of $n + 2$ full blocks and one partial block) is provided in Figure 2. For those familiar with EME, the differences between EME and EME* are as follows:

Hashing the tweak. The original EME scheme requires that the tweak value be an $n$-bit string, whereas here we allow associated data of any length. For this purpose, we hash the associated data to an $n$-bit string. The hash function need only be xor-universal, yet I chose to implement it using the underlying block cipher in a PMAC-like mode [2].

More than one mask. The EME scheme uses (multiples of) a single mask value $M$ in the lightweight masking layer. It was shown in [7], however, that this masking technique with just one mask cannot be used for messages longer than $n^2$ bits. Longer messages are handled in EME* using the approach that was proposed in the appendix of [7]. The message is broken into chunks of at most $n^2$ bits each, and a different mask value is used for every chunk. To handle the last partial block (if any), yet another mask is computed and xor-ed into the last partial plaintext block, thus getting the last partial ciphertext block.

We comment that it is possible to derive the two key blocks $L, R$ from the cipher key $K$, say by setting $L = 2E_K(0)$ and $R = 3E_K(0)$.² The proof below does not prove this variant, since proving it would mean adding a few more pages to a proof that is already way too long.

4 Security of EME*

The following theorem relates the advantage of an adversary in attacking $\mathrm{EME}^*[E]$ to the advantage of an adversary in attacking the block cipher $E$.
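The following Python program is an added worked example, not code from the report; it implements the field doubling of Section 2 (the $2L$ computation with Const87) and the full enciphering and deciphering of Figure 1 (the PMAC-like hash $H_{K,R}$, the two masked ECB layers, the per-chunk masks $M_j$ and the partial-block handling). Two assumptions are made so that it runs offline: the block cipher is a stand-in 4-round Feistel permutation built from SHA-256 rather than AES, and messages and associated data are restricted to whole bytes (the report allows any bit length). Because Algorithm D is Algorithm E with $E_K$ replaced by $E_K^{-1}$ and the roles of $P$ and $C$ swapped, one shared body serves both directions.

```python
import hashlib
from functools import reduce

# Constructed example of EME* (Figure 1) with n = 128. The block cipher below
# is a stand-in Feistel network built from SHA-256, NOT AES; inputs are
# restricted to whole bytes for simplicity (the report allows any bit length).
BLOCK = 16                      # n/8 bytes
BLOCKS_PER_CHUNK = 128          # n: one mask M_j covers at most n blocks


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def gf_double(block):
    """2L in GF(2^128) mod x^128 + x^7 + x^2 + x + 1: shift left by one and,
    if the top bit was set, xor in Const87 = 0^120 || 10000111."""
    v = int.from_bytes(block, "big") << 1
    if v >> 128:
        v = (v & ((1 << 128) - 1)) ^ 0x87
    return v.to_bytes(BLOCK, "big")


def pad(x):
    """Pad a partial block with 10..0 up to a full n-bit block."""
    return x + b"\x80" + b"\x00" * (BLOCK - len(x) - 1)


def _f(key, rnd, half):          # round function of the stand-in cipher
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt(key, block):     # stand-in E_K: 4-round Feistel on 128 bits
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r


def toy_decrypt(key, block):     # stand-in E_K^{-1}
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r


def hash_tweak(key, R, T):
    """H_{K,R}(T) of Figure 1: PMAC-like hash of the associated data."""
    if not T:
        return toy_encrypt(key, R)
    acc, mask = bytes(BLOCK), R
    for i in range(0, len(T), BLOCK):
        blk = T[i:i + BLOCK]
        mask = gf_double(mask)                  # 2^i R for block i
        if len(blk) < BLOCK:                    # last block partial: 2^(l+1) R
            mask, blk = gf_double(mask), pad(blk)
        acc = xor(acc, xor(toy_encrypt(key, xor(mask, blk)), mask))
    return acc


def _eme_star(blockfn, key, L, hT, data):
    """Shared body of E (blockfn = E_K) and D (blockfn = E_K^{-1})."""
    if len(data) < BLOCK:
        raise ValueError("EME* needs at least one full block")
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    m, partial = len(blocks), len(blocks[-1]) < BLOCK
    lastfull = m - 1 if partial else m
    masks, mask = [], L                         # 2^(i-1) L, i = 1..lastfull
    for _ in range(lastfull):
        masks.append(mask)
        mask = gf_double(mask)
    # first masked ECB layer (lines 110-112); the partial block is only padded
    ppp = [blockfn(key, xor(blocks[i], masks[i])) for i in range(lastfull)]
    if partial:
        ppp.append(pad(blocks[-1]))
    mp1 = xor(xor(ppp[0], reduce(xor, ppp[1:], bytes(BLOCK))), hT)
    if partial:                                 # lines 123-125: extra mask MM
        mm = blockfn(key, mp1)
        mc1 = blockfn(key, mm)
        last_out = xor(blocks[-1], mm[:len(blocks[-1])])
    else:
        mc1 = blockfn(key, mp1)
    m1 = xor(mp1, mc1)
    ccc = [None] * m
    if partial:
        ccc[-1] = pad(last_out)
    cur = m1                                    # running value of 2^k M_j
    for i in range(2, lastfull + 1):            # 1-indexed block i, lines 130-137
        if (i - 1) % BLOCKS_PER_CHUNK == 0:     # k = 0: start chunk j, new mask
            mpj = xor(ppp[i - 1], m1)
            mcj = blockfn(key, mpj)
            cur = xor(mpj, mcj)                 # M_j
            ccc[i - 1] = xor(mcj, m1)
        else:
            cur = gf_double(cur)
            ccc[i - 1] = xor(ppp[i - 1], cur)
    ccc[0] = xor(xor(mc1, reduce(xor, ccc[1:], bytes(BLOCK))), hT)
    out = [xor(blockfn(key, ccc[i]), masks[i]) for i in range(lastfull)]
    if partial:
        out.append(last_out)
    return b"".join(out)


def encipher(key, L, R, T, P):
    return _eme_star(toy_encrypt, key, L, hash_tweak(key, R, T), P)


def decipher(key, L, R, T, C):
    return _eme_star(toy_decrypt, key, L, hash_tweak(key, R, T), C)
```

A useful check when porting a mode like this is to exercise exactly the boundaries the specification singles out: a single full block (the middle loop is empty), one full block plus a partial block, and a message of more than $n$ blocks so that the second chunk mask $M_2$ is actually derived. Deciphering with a different tweak must not recover the plaintext, since the tweak hash enters both the $MP_1$ and the $CCC_1$ computations.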
Theorem 1 [EME* security] Any adversary that tries to distinguish $\mathrm{EME}^*[\mathrm{Perm}(n)]$ from a truly random tweakable length-preserving permutation, using at most $q$ queries totaling at most $\sigma_n$ blocks (some of which may be partial), has advantage at most $(2.5\sigma_n + 3q)^2 / 2^{n+1}$. Using the notation from Section 2, we have

$$\mathrm{Adv}^{\widetilde{\pm\mathrm{prp}}}_{\mathrm{EME}^*[\mathrm{Perm}(n)]}(q, \sigma_n) \le \frac{(2.5\sigma_n + 3q)^2}{2^{n+1}} \qquad (1)$$

Corollary 1 Fix $n, t, q, \sigma_n \in \mathbb{N}$ and a block cipher $E: \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$. Then

$$\mathrm{Adv}^{\widetilde{\pm\mathrm{prp}}}_{\mathrm{EME}^*[E]}(t, q, \sigma_n) \le \frac{(2.5\sigma_n + 3q)^2}{2^{n}} + 2\,\mathrm{Adv}^{\pm\mathrm{prp}}_{E}\!\left(t', \; 2q + \left(2 + \tfrac{1}{n}\right)\sigma_n\right)$$

where $t' = t + O(n\sigma_n)$.

Note that the theorem and corollary do not restrict messages to one particular length: proven security is for a variable-input-length (VIL) cipher, not just fixed-input-length (FIL) ones. The proof of Theorem 1 is given in Appendix A. Corollary 1 embodies the standard way to pass from the information-theoretic setting to the complexity-theoretic one.

² The maximum length of messages and associated input would have to be somewhat reduced for this to work. But for $n = 128$ we can still prove security for messages and associated data as long as, say, blocks. (The upper bound is actually $\min(\log_2 3,\; 2^n - 1 - \log_2 3)$. With the representation of $\mathrm{GF}(2^{128})$ as above, the value of $\log_2 3$ is given in [14].)
References

[1] J. Black and P. Rogaway. CBC MACs for arbitrary-length messages: The three-key constructions. In Advances in Cryptology – CRYPTO 2000, volume 1880 of Lecture Notes in Computer Science. Springer-Verlag.
[2] J. Black and P. Rogaway. A block-cipher mode of operation for parallelizable message authentication. In L. Knudsen, editor, Advances in Cryptology – EUROCRYPT '02, volume 2332 of Lecture Notes in Computer Science. Springer-Verlag.
[3] S. Duplichan. A primitive polynomial search program. Web document. Available at duplichan/primitivepolynomials/primivitepolynomials.htm.
[4] S. Even and Y. Mansour. A construction of a cipher from a single pseudorandom permutation. Journal of Cryptology, 10(3).
[5] S. Goldwasser and S. Micali. Probabilistic encryption. J. of Computer and System Sciences, 28, April.
[6] S. Halevi and P. Rogaway. A tweakable enciphering mode. In D. Boneh, editor, Advances in Cryptology – CRYPTO '03, volume 2729 of Lecture Notes in Computer Science. Springer-Verlag. Full version available on the eprint archive.
[7] S. Halevi and P. Rogaway. A parallelizable enciphering mode. In The RSA conference – Cryptographer's track, RSA-CT '04, volume 2964 of Lecture Notes in Computer Science. Springer-Verlag. Full version available on the eprint archive.
[8] J. Kilian and P. Rogaway. How to protect DES against exhaustive key search. Journal of Cryptology, 14(1):17–35. Earlier version in CRYPTO. Available from rogaway.
[9] M. Liskov, R. Rivest, and D. Wagner. Tweakable block ciphers. In Advances in Cryptology – CRYPTO '02, volume 2442 of Lecture Notes in Computer Science. Springer-Verlag. Available from daw/.
[10] M. Luby and C. Rackoff. How to construct pseudorandom permutations from pseudorandom functions. SIAM J. of Computation, 17(2), April.
[11] D. A. McGrew and J. Viega. ABL mode: security without data expansion. Private communication.
[12] J. Patarin. Luby-Rackoff: 7 rounds are enough for $2^{n(1-\varepsilon)}$ security. In Advances in Cryptology – CRYPTO 2003, volume 2729 of Lecture Notes in Computer Science. Springer-Verlag.
[13] R. L. Rivest. The RC5 encryption algorithm. In Fast Software Encryption (FSE '94), volume 1008 of Lecture Notes in Computer Science. Springer.
[14] P. Rogaway. Efficient instantiations of tweakable block ciphers and refinements to modes OCB and PMAC. Available on-line from rogaway/papers/.
A Proof of Theorem 1: Security of EME*

A personal comment. The proof below spans more than 23 pages, and as much as I tried to simplify and to explain clearly, it is quite a pain to read. Frankly, I don't believe that anyone will ever go through the trouble of reading and verifying it. Assuming this is the case, one can still get some assurance in the correctness of the mode, even from a proof that no one reads: at least it implies that the author went carefully through all the different cases and was convinced that they all work. Indeed, the proof below uses the same mechanism that was used to prove CMC [6] and EME [7], and this mechanism in effect forces one to cover all the cases. Also, the mode EME* is close enough to the original mode EME, so that one who verified the proof for EME (which is shorter) may be able to be convinced of the correctness of EME* just by inspection.

A useful lemma. The proof of security is divided into two parts: in Section A.1 we carry out a game-substitution argument, reducing the analysis of EME* to the analysis of a simpler probabilistic game. In Section A.2 we analyze that simpler game. Before we begin we first recall a little lemma, saying that a (tweakable) truly random permutation looks very much like an oracle that just returns random bits (as long as you never ask pointless queries). So instead of analyzing indistinguishability from a random permutation we can analyze indistinguishability from random bits.

Let $E: \mathcal{K} \times \mathcal{T} \times \mathcal{M} \to \mathcal{M}$ be a tweaked block-cipher and let $D$ be its inverse. Define the advantage of distinguishing $E$ from random bits, $\mathrm{Adv}^{\widetilde{\pm\mathrm{rnd}}}_{E}$, by

$$\mathrm{Adv}^{\widetilde{\pm\mathrm{rnd}}}_{E}(A) = \Pr\left[K \xleftarrow{\$} \mathcal{K} : A^{E_K(\cdot,\cdot)\; D_K(\cdot,\cdot)} \Rightarrow 1\right] - \Pr\left[A^{\$(\cdot,\cdot)\; \$(\cdot,\cdot)} \Rightarrow 1\right]$$

where $\$(T, M)$ returns a random string of length $|M|$. We insist that $A$ makes no pointless queries, regardless of oracle responses, and $A$ asks no query $(T, M)$ outside of $\mathcal{T} \times \mathcal{M}$. We extend the definition above in the usual way to its resource-bounded versions. We have the following lemma, whose (standard) proof can be found, for example, in the full version of [6].
Lemma 2 [$\widetilde{\pm\mathrm{prp}}$-security from $\widetilde{\pm\mathrm{rnd}}$-security] Let $E: \mathcal{K} \times \mathcal{T} \times \mathcal{M} \to \mathcal{M}$ be a tweaked block-cipher and let $q \ge 1$ be a number. Then

$$\mathrm{Adv}^{\widetilde{\pm\mathrm{prp}}}_{E}(q) \le \mathrm{Adv}^{\widetilde{\pm\mathrm{rnd}}}_{E}(q) + q(q-1)/2^{N+1}$$

where $N$ is the length of a shortest string in the message space $\mathcal{M}$.

A.1 The game-substitution sequence

Fix $n$, $\sigma_n$, and $q$. Let $A$ be an adversary that asks $q$ oracle queries (none pointless) totaling $\sigma_n$ blocks (of both data and associated data, potentially some of them partial blocks). Our goal in this part is to tie the advantage $\mathrm{Adv}^{\widetilde{\pm\mathrm{rnd}}}_{\mathrm{EME}^*[\mathrm{Perm}(n)]}(A)$ to the probability $\Pr[\mathrm{N2\ sets\ } bad]$, where N2 is some probability space and "N2 sets $bad$" is an event defined there. Later we bound $\Pr[\mathrm{N2\ sets\ } bad]$, and, putting that together with Lemma 2, we get Eq. (1) of Theorem 1.

Game N2 is obtained by a game-substitution argument, as carried out in works like [8]. The goal is to simplify the rather complicated setting of $A$ adaptively querying its oracles, and to arrive at a simpler setting where there is no adversary and no interaction, just a program that flips coins and a flag $bad$ that does or does not get set.
Abstracting the function $H_{K,R}$: The analysis below turns out to be quite complicated. We somewhat simplify it by replacing the function $H_{K,R}$ by an abstract function $h: \{0,1\}^* \to \{0,1\}^n$, chosen from a pairwise independent family $\mathcal{H}$. The properties of $h$ that we use in the analysis are:

(i) For a fixed $T \in \{0,1\}^*$, $h(T)$ is uniform in $\{0,1\}^n$ when $h$ is chosen at random from $\mathcal{H}$.
(ii) For fixed $T \ne T' \in \{0,1\}^*$, $h(T) \oplus h(T')$ is uniform in $\{0,1\}^n$ when $h \xleftarrow{\$} \mathcal{H}$.
(iii) The choice $h \xleftarrow{\$} \mathcal{H}$ is independent of all the other random choices in the game.

We can justify these assumptions on $h$ by replacing the computation of $E_K(T \oplus jR) \oplus jR$ (with $j$ a constant) in lines 10, 11, and 12 of Figure 1, by the computation $f_j(T)$ where for each $j$ we have an independent random function $f_j: \{0,1\}^n \to \{0,1\}^n$. It is known that replacing a masked random permutation by a collection of random functions this way entails only a negligible difference in the view of the adversary. Specifically, one could prove the following:

Fix some integers $n, q_p, q_f \in \mathbb{N}$ and an adversary with three oracles $A^{E(\cdot), D(\cdot), F(\cdot,\cdot)}$, and consider the two following experiments. In the first experiment (Expr1), we choose at random a permutation $\pi$ over $\{0,1\}^n$ and a string $R \in \{0,1\}^n$. Then for $x, y, j \in \{0,1\}^n$ with $j \ne 0$, an oracle query $E(x)$ is answered by $\pi(x)$, an oracle query $D(y)$ is answered by $\pi^{-1}(y)$, and an oracle query $F(j, x)$ is answered by $\pi(x \oplus jR) \oplus jR$ (where the multiplication $jR$ is over $\mathrm{GF}(2^n)$). In the second experiment (Expr2), we choose at random a permutation $\pi$ over $\{0,1\}^n$, and $2^n$ functions $\{f_j: \{0,1\}^n \to \{0,1\}^n\}_{j \in \{0,1\}^n}$. Then for $x, y, j \in \{0,1\}^n$, with $j \ne 0$, the oracle queries $E(x)$ and $D(y)$ are answered as before by $\pi(x)$ and $\pi^{-1}(y)$, respectively, but an oracle query $F(j, x)$ is answered by $f_j(x)$.

Lemma 3 Fix some $n, q_p, q_f \in \mathbb{N}$.
For any adversary $A^{E(\cdot), D(\cdot), F(\cdot,\cdot)}$ as above that makes at most $q_p$ queries to $E$ and $D$, and at most $q_f$ queries to $F$, it holds that

$$\left|\Pr\left[\mathrm{Expr1}^{A^{E,D,F}} \Rightarrow 1\right] - \Pr\left[\mathrm{Expr2}^{A^{E,D,F}} \Rightarrow 1\right]\right| \le q_f(q_f + 2q_p)/2^n$$

This lemma is pretty much folklore by now, although I could not find a reference where it is proven. A similar result was proven by Even and Mansour [4] (but the masks there are completely independent, rather than pairwise independent). A proof for a special case of this lemma can be found in [1, Lemma 4], and that proof can easily be extended to prove Lemma 3 itself.

Using Lemma 3, we can replace the function $H_{K,R}$ from Figure 1 by the following function $h$ (that depends on the $2^n$ random functions $f_j$). In the code below, the constants $2^i$ are computed in the finite field $\mathrm{GF}(2^n)$.

function h(T_1 ··· T_{l−1}, T_l):                  // |T_1| = ··· = |T_{l−1}| = n, 0 < |T_l| ≤ n
   01  if T is empty return f_1(0)
   10  for i ∈ [1..l−1] do TTT_i ← f_{2^i}(T_i)
   11  if |T_l| = n then TTT_l ← f_{2^l}(T_l)
   12  else TTT_l ← f_{2^{l+1}}(T_l 10..0)
   13  return TTT_1 ⊕ ··· ⊕ TTT_l

Divide the total number of blocks $\sigma_n$ in an attack on EME* into $\sigma_n = \sigma_n^d + \sigma_n^a$ where $\sigma_n^d$ is the number of blocks in the data itself, and $\sigma_n^a$ is the number of blocks in the associated data. Let $N_{be}$
Subroutine Choose-π(X):
  010  Y ←$ {0,1}^n; if Y ∈ Range then bad ← true, [Y ←$ Range-complement]
  011  if X ∈ Domain then bad ← true, [Y ← π(X)]
  012  π(X) ← Y, Domain ← Domain ∪ {X}, Range ← Range ∪ {Y}; return Y

Subroutine Choose-π^{−1}(Y):
  020  X ←$ {0,1}^n; if X ∈ Domain then bad ← true, [X ←$ Domain-complement]
  021  if Y ∈ Range then bad ← true, [X ← π^{−1}(Y)]
  022  π(X) ← Y, Domain ← Domain ∪ {X}, Range ← Range ∪ {Y}; return X

Figure 3: The procedures that are used in games E1 and R1. The shaded statements (shown here in brackets, the statements that follow each setting of $bad$ to true) are executed in Game E1 but not in Game R1.

denote the total number of block encryptions that are used throughout the attack (not counting the computation of $H$), and we can bound it by

$$N_{be} < \left(2 + \tfrac{1}{n}\right)\sigma_n^d + 2q \qquad (2)$$

Then from Lemma 3 it follows that the statistical distance in the view of the adversary due to the replacement of $H_{K,R}$ by $h$ is bounded by $\sigma_n^a(\sigma_n^a + 2N_{be})/2^n$. Once we made that replacement, it is clear that the choice of $h$ is now independent of all the other random choices in the attack, so we only need to prove the properties (i) and (ii). This is done next:

Claim 2 When $2^n$ functions $\{f_j: \{0,1\}^n \to \{0,1\}^n\}_{j \in \{0,1\}^n}$ are chosen at random and $h$ is defined as above, it holds that:
(i) For any fixed $T \in \{0,1\}^{0..n(2^n-3)}$, $h(T)$ is uniform in $\{0,1\}^n$.
(ii) For any fixed $T \ne T' \in \{0,1\}^{0..n(2^n-3)}$, $h(T) \oplus h(T')$ is uniform in $\{0,1\}^n$.

Proof: Property (i) is obvious, since the output of $h$ at any point $T$ depends on at least one application of one of the functions $f_j$, and these are all random functions. To prove Property (ii), fix some $T \ne T'$, and denote $T = T_1 \ldots T_l$ and similarly $T' = T'_1 \ldots T'_{l'}$, where $l = \lceil |T|/n \rceil$ and $l' = \lceil |T'|/n \rceil$. (The proof below uses the fact that 2 is a primitive element in $\mathrm{GF}(2^n)$ and $l \le 2^n - 3$, so for any $i \ne i' \le l + 1$ we have $2^i \ne 2^{i'}$ in $\mathrm{GF}(2^n)$.)

If $l = l'$ then there must be at least one index $i \le l$ such that $T_i \ne T'_i$. If $T_i$ and $T'_i$ are full blocks then $h(T) \oplus h(T') = \text{something-independent-of-}f_{2^i} \oplus f_{2^i}(T_i) \oplus f_{2^i}(T'_i)$, which is uniform since $f_{2^i}$ is a random function.
If they are both partial blocks (so $i = l$) then we get $h(T) \oplus h(T') = \text{something-independent-of-}f_{2^{l+1}} \oplus f_{2^{l+1}}(T_i 10..0) \oplus f_{2^{l+1}}(T'_i 10..0)$, which is again uniform since $T_i \ne T'_i$ implies that also $T_i 10..0 \ne T'_i 10..0$ and $f_{2^{l+1}}$ is a random function. If $T_i$ is a full block and $T'_i$ is partial, then we similarly get $h(T) \oplus h(T') = \text{something-independent-of-}f_{2^{l+1}} \oplus f_{2^{l+1}}(T'_i 10..0)$.

If $l \ne l'$, then assume that $l > l'$. If $T_l$ is a partial block then as before we get $h(T) \oplus h(T') = \text{something-independent-of-}f_{2^{l+1}} \oplus f_{2^{l+1}}(T_l 10..0)$. Similarly, if $T_l$ is a full block and either $l > l' + 1$ or $T'_{l'}$ is a full block, then $h(T) \oplus h(T') = \text{something-independent-of-}f_{2^{l}} \oplus f_{2^{l}}(T_l)$. The last case is when $l = l' + 1$ and $T_l$ is a full block and $T'_{l'}$ is a partial block. In this case $h(T)$ includes the term $f_{2^{l'}}(T_{l'})$ but $h(T')$ is independent of $f_{2^{l'}}$, so again $h(T) \oplus h(T')$ is uniform.
Initialization:
  050  Domain ← Range ← ∅; for all X ∈ {0,1}^n do π(X) ← undef
  051  bad ← false; L ←$ {0,1}^n; h ←$ H

Respond to the s-th adversary query as follows:

An encipher query, Enc(T^s; P^s_1 ··· P^s_m):
  102  if |P^s_m| = n then lastfull ← m
  103  else lastfull ← m − 1, PPP^s_m ← P^s_m padded with 10..0
  110  for i ← 1 to lastfull do
  111      r = r[s, i] is the 1st index s.t. P^s_i = P^r_i
  112      if r < s then PP^s_i ← PP^r_i
  113                    PPP^s_i ← PPP^r_i
  114      else PP^s_i ← P^s_i ⊕ 2^{i−1} L
  115           PPP^s_i ← Choose-π(PP^s_i)
  120  MP^s_1 ← PPP^s_1 ⊕ ··· ⊕ PPP^s_m ⊕ h(T^s)
  121  if |P^s_m| = n then MC^s_1 ← Choose-π(MP^s_1)
  122  else MM^s ← Choose-π(MP^s_1)
  123       MC^s_1 ← Choose-π(MM^s)
  124       C^s_m ← P^s_m ⊕ (MM^s truncated)
  125       CCC^s_m ← C^s_m padded with 10..0
  126  M^s_1 ← MP^s_1 ⊕ MC^s_1
  130  for i ← 2 to lastfull do
  131      j = ⌈i/n⌉, k = (i − 1) mod n
  132      if k = 0 then
  133          MP^s_j ← PPP^s_i ⊕ M^s_1
  134          MC^s_j ← Choose-π(MP^s_j)
  135          M^s_j ← MP^s_j ⊕ MC^s_j
  136          CCC^s_i ← MC^s_j ⊕ M^s_1
  137      else CCC^s_i ← PPP^s_i ⊕ 2^k M^s_j
  138  CCC^s_1 ← MC^s_1 ⊕ CCC^s_2 ⊕ ··· ⊕ CCC^s_m ⊕ h(T^s)
  140  for i ← 1 to lastfull do
  141      CC^s_i ← Choose-π(CCC^s_i)
  142      C^s_i ← CC^s_i ⊕ 2^{i−1} L
  150  return C^s_1 ··· C^s_m

A decipher query, Dec(T^s; C^s_1 ··· C^s_m):
  202  if |C^s_m| = n then lastfull ← m
  203  else lastfull ← m − 1, CCC^s_m ← C^s_m padded with 10..0
  210  for i ← 1 to lastfull do
  211      r = r[s, i] is the 1st index s.t. C^s_i = C^r_i
  212      if r < s then CC^s_i ← CC^r_i
  213                    CCC^s_i ← CCC^r_i
  214      else CC^s_i ← C^s_i ⊕ 2^{i−1} L
  215           CCC^s_i ← Choose-π^{−1}(CC^s_i)
  220  MC^s_1 ← CCC^s_1 ⊕ ··· ⊕ CCC^s_m ⊕ h(T^s)
  221  if |C^s_m| = n then MP^s_1 ← Choose-π^{−1}(MC^s_1)
  222  else MM^s ← Choose-π^{−1}(MC^s_1)
  223       MP^s_1 ← Choose-π^{−1}(MM^s)
  224       P^s_m ← C^s_m ⊕ (MM^s truncated)
  225       PPP^s_m ← P^s_m padded with 10..0
  226  M^s_1 ← MP^s_1 ⊕ MC^s_1
  230  for i ← 2 to lastfull do
  231      j = ⌈i/n⌉, k = (i − 1) mod n
  232      if k = 0 then
  233          MC^s_j ← CCC^s_i ⊕ M^s_1
  234          MP^s_j ← Choose-π^{−1}(MC^s_j)
  235          M^s_j ← MP^s_j ⊕ MC^s_j
  236          PPP^s_i ← MP^s_j ⊕ M^s_1
  237      else PPP^s_i ← CCC^s_i ⊕ 2^k M^s_j
  238  PPP^s_1 ← MP^s_1 ⊕ PPP^s_2 ⊕ ··· ⊕ PPP^s_m ⊕ h(T^s)
  240  for i ← 1 to lastfull do
  241      PP^s_i ← Choose-π^{−1}(PPP^s_i)
  242      P^s_i ← PP^s_i ⊕ 2^{i−1} L
  250  return P^s_1 ··· P^s_m

Figure 4: Game E1 describes the attack of $A$ on $\mathrm{EME}^*[\mathrm{Perm}(n)]$, where the permutation $\pi$ is chosen on the fly as needed. Game R1 is the same as game E1, except that we do not execute the shaded statements in the procedures from Figure 3.
The game E1. We describe the attack scenario of $A$ against $\mathrm{EME}^*[\mathrm{Perm}(n)]$ (with the abstraction of $h$ as above) as a probabilistic game in which the permutation $\pi$ is chosen on the fly, as needed to answer the queries of $A$. Initially, the partial function $\pi: \{0,1\}^n \to \{0,1\}^n$ is everywhere undefined. When we need $\pi(X)$ and $\pi$ isn't yet defined at $X$ we choose this value randomly among the available range values. When we need $\pi^{-1}(Y)$ and there is no $X$ for which $\pi(X)$ has been set to $Y$ we likewise choose $X$ at random from the available domain values. As we fill in $\pi$, its domain and its range thus grow. In the game we keep track of the domain and range of $\pi$ by maintaining two sets, Domain and Range, that include all the points for which $\pi$ is already defined. We let $\overline{\mathrm{Domain}}$ and $\overline{\mathrm{Range}}$ be the complements of these sets relative to $\{0,1\}^n$. The game, denoted E1, is shown in Figures 3 and 4. Since game E1 accurately represents the attack scenario, we have that

$$\Pr\left[A^{\mathbf{E}_\pi\; \mathbf{D}_\pi} \Rightarrow 1\right] \le \Pr\left[A^{\mathrm{E1}} \Rightarrow 1\right] + \frac{\sigma_n^a(\sigma_n^a + 2N_{be})}{2^n} \qquad (3)$$

(where the additive factor is due to the abstraction of $h$). Looking ahead to the game-substitution sequence, we structured the code in Figures 3 and 4 in a way that makes it easier to present the following games. In particular, here are some things to note about this code:

Notation. We denote all the quantities that are encountered during the processing of query $s$ with a superscript $s$. For example, the number of blocks in the query is denoted $m^s$, and the plaintext is denoted $P^s = P^s_1 \cdots P^s_{m^s}$ (where $|P^s_i| = n$ for $i < m^s$ and $|P^s_{m^s}| \le n$).

The notation $r[s, i]$. When handling the $s$-th adversary query, we look for each block of the query to see if it is a "new block": if this is an encipher query $P^s = (P^s_1 \cdots P^s_{m^s})$ we look for an earlier plaintext $P^r = (P^r_1 \cdots P^r_{m^r})$ with the same $i$-th block $P^s_i = P^r_i$. Since we use masked ECB encryption, we only expect to choose a new value for $\pi$ when there is no such prior plaintext. If this is a decipher query then for any $i$ we likewise look for an earlier ciphertext $C^r$ with the same $i$-th block, $C^s_i = C^r_i$.
We define r[, i] to be the index of the firt uch plaintext or ciphertext. Namely, we define r[, i] def = { min{ r : P r i = Pi } min{ r : Ci r = C i } if query i an encipher query if query i a decipher query Filling in π and π 1 value. When we need to define π on what i likely to be a new domain point X, etting π(x) Y for ome Y, we do the following: We firt ample Y from {0, 1} n ; then re-ample, thi time from Range, if the initially choen ample Y wa already in the range of π; finally, if π already had a value at X, then we forget about the newly choen value Y and ue the previou value of π(x). We behave analogouly for π 1 (Y ) value. In Figure 3 we highlight the place where we have to reet a choice we tentatively made. Whenever we do o we et a flag bad. The flag bad i never een by the adverary A that interact with the E1 game it i only preent to facilitate the ubequent analyi. Game R1. We next modify game E1 by omitting the tatement that immediately follow the etting of bad to true. (Thi i the uual trick under the game-ubtitution approach.) Namely, before we were making ome conitency check after each random choice π(x) = Y $ {0, 1} n to ee if thi value of Y wa already in ue, or if π wa already defined at X, and we reet out choice 13
Initialization:
050  Domain ← Range ← ∅; bad ← false; L $← {0,1}^n; h ← H

Respond to the s-th adversary query as follows:

An encipher query, Enc(T^s; P^s_1 ... P^s_m):
101  if |P^s_m| = n then lastfull ← m
102  else lastfull ← m − 1; PPP^s_m ← P^s_m padded with 10..0
110  for i ← 1 to lastfull do
111      r = r[s,i] is the 1st index s.t. P^s_i = P^r_i
112      if r < s then PP^s_i ← PP^r_i; PPP^s_i ← PPP^r_i
113      else PP^s_i ← P^s_i ⊕ 2^{i−1}L; PPP^s_i $← {0,1}^n
114           if PP^s_i ∈ Domain or PPP^s_i ∈ Range then bad ← true
115           Domain ← Domain ∪ {PP^s_i}; Range ← Range ∪ {PPP^s_i}
120  MP^s_1 ← PPP^s_1 ⊕ ... ⊕ PPP^s_m ⊕ h(T^s)
121  if |P^s_m| = n then MC^s_1 $← {0,1}^n; M^s_1 ← MP^s_1 ⊕ MC^s_1
122       if MP^s_1 ∈ Domain or MC^s_1 ∈ Range then bad ← true
123       Domain ← Domain ∪ {MP^s_1}; Range ← Range ∪ {MC^s_1}
124  else MM^s $← {0,1}^n; MC^s_1 $← {0,1}^n; M^s_1 ← MP^s_1 ⊕ MC^s_1
125       if MP^s_1 ∈ Domain or MM^s ∈ Range then bad ← true
126       if MM^s ∈ Domain ∪ {MP^s_1} or MC^s_1 ∈ Range ∪ {MM^s} then bad ← true
127       Domain ← Domain ∪ {MP^s_1, MM^s}; Range ← Range ∪ {MM^s, MC^s_1}
128       C^s_m ← P^s_m ⊕ (MM^s truncated); CCC^s_m ← C^s_m padded with 10..0
130  for i ← 2 to lastfull do
131      j = ⌈i/n⌉, k = (i − 1) mod n
132      if k = 0 then
133          MP^s_j ← PPP^s_i ⊕ M^s_1; MC^s_j $← {0,1}^n; M^s_j ← MP^s_j ⊕ MC^s_j
134          if MP^s_j ∈ Domain or MC^s_j ∈ Range then bad ← true
135          Domain ← Domain ∪ {MP^s_j}; Range ← Range ∪ {MC^s_j}
136          CCC^s_i ← MC^s_j ⊕ M^s_1
137      else CCC^s_i ← PPP^s_i ⊕ 2^k M^s_j
138  CCC^s_1 ← MC^s_1 ⊕ CCC^s_2 ⊕ ... ⊕ CCC^s_m ⊕ h(T^s)
140  for i ← 1 to lastfull do
141      CC^s_i $← {0,1}^n; C^s_i ← CC^s_i ⊕ 2^{i−1}L
142      if CCC^s_i ∈ Domain or CC^s_i ∈ Range then bad ← true
143      Domain ← Domain ∪ {CCC^s_i}; Range ← Range ∪ {CC^s_i}
150  return C^s_1 ... C^s_m

A decipher query, Dec(T^s; C^s_1 ... C^s_m), is treated symmetrically

Figure 5: Game R1 is similar to E1, but does not reset the random choices.
of Y as needed. Now we still make these checks and set the flag bad, but we do not reset the chosen value of Y. The game R1 is described in Figure 5. (In this figure we omitted the function π from the code, since it is never used anymore.) These changes mean that π may end up not being a permutation, and moreover we may reset its value on previously chosen points. Still, the games E1 and R1 are syntactically identical apart from what happens after the setting of the flag bad to true. Once the flag bad is set to true the subsequent behavior of the game does not impact the probability that an adversary A interacting with the game can set the flag bad to true. This is exactly the setup used in the game-substitution method to conclude that

$$\bigl|\Pr[A^{E1} \Rightarrow 1] - \Pr[A^{R1} \Rightarrow 1]\bigr| \;\le\; \Pr[A^{R1} \text{ sets } bad] \qquad (4)$$

Game R2. We now make several changes to the order in which variables are chosen in game R1. Specifically, we make the following changes to the code:

- Instead of choosing CC^s_i $← {0,1}^n and then setting C^s_i ← CC^s_i ⊕ 2^{i−1}L (in line 141), we choose C^s_i $← {0,1}^n and then set CC^s_i ← C^s_i ⊕ 2^{i−1}L.

- Similarly, instead of choosing MC^s_j $← {0,1}^n and setting M^s_j ← MP^s_j ⊕ MC^s_j (lines 121, 124 and 133), we choose M^s_j $← {0,1}^n and set MC^s_j ← MP^s_j ⊕ M^s_j.

- Instead of choosing MM^s $← {0,1}^n and setting C^s_m ← P^s_m ⊕ (MM^s truncated) (lines 124 and 128) we choose C^s $← {0,1}^n and set C^s_m ← (C^s truncated) and MM^s ← (P^s_m 10..0) ⊕ C^s.

- We replace the assignment CCC^s_i ← MC^s_j ⊕ M^s_1 in line 136 by the equivalent assignment CCC^s_i ← PPP^s_i ⊕ M^s_j. This is equivalent since MC^s_j = MP^s_j ⊕ M^s_j = PPP^s_i ⊕ M^s_1 ⊕ M^s_j.

- We replace the assignment CCC^s_1 ← MC^s_1 ⊕ CCC^s_2 ⊕ ... ⊕ CCC^s_m ⊕ h(T^s) in line 138 by the equivalent assignment CCC^s_1 ← PPP^s_1 ⊕ M^s_1 ⊕ (PPP^s_2 ⊕ CCC^s_2) ⊕ ... ⊕ (PPP^s_m ⊕ CCC^s_m). This is indeed equivalent since MC^s_1 = MP^s_1 ⊕ M^s_1 = PPP^s_1 ⊕ ... ⊕ PPP^s_m ⊕ h(T^s) ⊕ M^s_1.

Clearly, these changes preserve the distribution of all those variables, and we make the symmetric changes also for decryption queries. In addition to these changes, we also slightly simplify the logic of the game by assigning a value to MM^s and adding it to Domain and Range even in the case that P^s_m is a full block (|P^s_m| = n). This has no effect on the answers that are returned to the adversary, but it may increase the probability of the flag bad being set (since we may introduce collisions that were not present before). The resulting game R2 is described in Figure 6. It is clear that the changes we made have no effect on the probability that A returns one (as they do not change anything in the interaction between A and its oracles), and they can only increase the probability of setting the flag bad. Hence we conclude that

$$\Pr[A^{R1} \Rightarrow 1] = \Pr[A^{R2} \Rightarrow 1] \quad \text{and} \quad \Pr[A^{R1} \text{ sets } bad] \le \Pr[A^{R2} \text{ sets } bad] \qquad (5)$$

We note that in game R2 we respond to any encipher query P^s by returning |P^s| random bits, and similarly, we respond to any decipher query C^s by returning |C^s| random bits. Thus R2 provides an adversary with an identical view to a pair of random-bit oracles,

$$\Pr[A^{R2} \Rightarrow 1] = \Pr[A^{\pm rnd} \Rightarrow 1] \qquad (6)$$
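The enciphering procedure of game E1 (Figure 4) and the rule for filling in π and π^{−1} values can be exercised directly. The Python below is an added example, not code from the paper: it implements EME*[Perm(n)] for messages of full n-bit blocks on top of a permutation that is defined point by point, keeping Domain and Range as the key sets of two dictionaries and raising the flag bad exactly when a tentative choice has to be reset (the step that game R1 drops). Everything not in the figures is an assumption of the example: the toy block size n = 8 (so the masks 2^{i−1}L and 2^k M_j live in GF(2^8)), a lazily sampled random function of the tweak standing in for h ← H, L drawn uniformly as line 051 does, and no partial last block (lines 122–125 are omitted).

```python
import random
from functools import reduce

# Added example (not from the paper): EME*[Perm(n)] on full blocks, with pi
# chosen on the fly as in game E1.  Assumptions: n = 8, h is a lazily sampled
# random function of the tweak, L is drawn uniformly, no partial last block.
N = 8                       # toy block size in bits; Perm(n) then has 2^8 points
MASK = (1 << N) - 1
POLY = 0x11B                # x^8 + x^4 + x^3 + x + 1 defines GF(2^8) for the doubling masks


def times2_pow(e, x):
    """Return 2^e * x in GF(2^8), i.e. the masks 2^{i-1} L and 2^k M_j of the figures."""
    for _ in range(e):
        x <<= 1
        if x & (1 << N):
            x ^= POLY
    return x & MASK


def xor_all(xs):
    return reduce(lambda a, b: a ^ b, xs, 0)


class LazyPerm:
    """pi in Perm(n) defined point by point (game E1).  The key sets of fwd and inv
    are Domain and Range; bad is set whenever a tentative choice has to be reset."""

    def __init__(self, rng):
        self.rng, self.fwd, self.inv, self.bad = rng, {}, {}, False

    def _choose(self, x, fwd, inv):
        y = self.rng.getrandbits(N)                 # tentative Y <-$ {0,1}^n
        if y in inv:                                # Y already in Range: re-sample from its complement
            self.bad = True
            y = self.rng.choice([v for v in range(1 << N) if v not in inv])
        if x in fwd:                                # pi already defined at X: keep the old value
            self.bad = True
            return fwd[x]
        fwd[x], inv[y] = y, x
        return y

    def choose(self, x):                            # Choose-pi(X)
        return self._choose(x, self.fwd, self.inv)

    def choose_inv(self, y):                        # Choose-pi^{-1}(Y): same procedure, roles swapped
        return self._choose(y, self.inv, self.fwd)

    def consistent(self):
        """True iff the points defined so far form a partial bijection."""
        return len(self.fwd) == len(self.inv) and all(self.inv[y] == x for x, y in self.fwd.items())


def random_function(rng):
    """Stand-in for h <- H (assumption): a lazily sampled random function of the tweak."""
    table = {}
    return lambda tweak: table.setdefault(tweak, rng.getrandbits(N))


def eme_star_pass(f, h, L, T, X):
    """One direction of EME* (game E1 lines 110-150 with f = pi, or 210-250 with f = pi^{-1}).
    On encipher A holds the PPP_i and B the CCC_i; on decipher the roles are swapped."""
    m = len(X)
    A = [f(X[i] ^ times2_pow(i, L)) for i in range(m)]     # PP_i = P_i xor 2^{i-1} L; PPP_i = pi(PP_i)
    MA1 = xor_all(A) ^ h(T)                                # MP_1 = PPP_1 xor ... xor PPP_m xor h(T)
    MB1 = f(MA1)                                           # MC_1 = pi(MP_1)
    M = {1: MA1 ^ MB1}                                     # M_1 = MP_1 xor MC_1
    B = [0] * m
    for i in range(2, m + 1):                              # 1-based block index as in the figures
        j, k = (i + N - 1) // N, (i - 1) % N
        if k == 0:                                         # a fresh mask M_j every n blocks
            MAj = A[i - 1] ^ M[1]
            MBj = f(MAj)
            M[j] = MAj ^ MBj
            B[i - 1] = MBj ^ M[1]
        else:
            B[i - 1] = A[i - 1] ^ times2_pow(k, M[j])      # CCC_i = PPP_i xor 2^k M_j
    B[0] = MB1 ^ xor_all(B[1:]) ^ h(T)                     # CCC_1 = MC_1 xor CCC_2 ... CCC_m xor h(T)
    return [f(B[i]) ^ times2_pow(i, L) for i in range(m)]  # C_i = pi(CCC_i) xor 2^{i-1} L


def eme_star_encipher(pi, h, L, T, P):
    return eme_star_pass(pi.choose, h, L, T, P)


def eme_star_decipher(pi, h, L, T, C):
    return eme_star_pass(pi.choose_inv, h, L, T, C)


def roundtrip(seed, m, tweak="constructed tweak"):
    """Encipher m constructed random blocks under a tweak, then decipher the result.
    Returns (P, C, recovered P, whether pi is still a partial bijection)."""
    rng = random.Random(seed)
    pi, h = LazyPerm(rng), random_function(rng)
    L = rng.getrandbits(N)                          # line 051: L <-$ {0,1}^n
    P = [rng.getrandbits(N) for _ in range(m)]
    C = eme_star_encipher(pi, h, L, tweak, P)
    return P, C, eme_star_decipher(pi, h, L, tweak, C), pi.consistent()


if __name__ == "__main__":
    P, C, P2, ok = roundtrip(seed=7, m=20)          # m > n = 8 exercises the masks M_2 and M_3
    print("round trip:", P2 == P, "| pi still a partial bijection:", ok)
```

Because both directions of Figure 4 are the same walk with π replaced by π^{−1}, one function serves for encipher and decipher; the round trip succeeds for every seed precisely because the resetting rule keeps the lazily defined π a partial bijection, which is what game R1 gives up. With n = 8 the flag bad is set very often (collisions among a few dozen points of a 256-element set are likely), which is the small-n face of the 2^{-n} terms that the rest of the proof bounds.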
Initialization:
050  Domain ← Range ← ∅; bad ← false; L $← {0,1}^n; h ← H

Respond to the s-th adversary query as follows:

An encipher query, Enc(T^s; P^s_1 ... P^s_m):
101  if |P^s_m| = n then lastfull ← m
102  else lastfull ← m − 1; PPP^s_m ← P^s_m padded with 10..0
110  for i ← 1 to lastfull do
111      r = r[s,i] is the 1st index s.t. P^s_i = P^r_i
112      if r < s then PP^s_i ← PP^r_i; PPP^s_i ← PPP^r_i
113      else PP^s_i ← P^s_i ⊕ 2^{i−1}L; PPP^s_i $← {0,1}^n
114           if PP^s_i ∈ Domain or PPP^s_i ∈ Range then bad ← true
115           Domain ← Domain ∪ {PP^s_i}; Range ← Range ∪ {PPP^s_i}
120  C^s $← {0,1}^n; M^s_1 $← {0,1}^n
121  MP^s_1 ← PPP^s_1 ⊕ ... ⊕ PPP^s_m ⊕ h(T^s); MC^s_1 ← MP^s_1 ⊕ M^s_1; MM^s ← PPP^s_m ⊕ C^s
122  if MP^s_1 ∈ Domain or MM^s ∈ Range then bad ← true
123  if MM^s ∈ Domain ∪ {MP^s_1} or MC^s_1 ∈ Range ∪ {MM^s} then bad ← true
124  Domain ← Domain ∪ {MP^s_1, MM^s}; Range ← Range ∪ {MM^s, MC^s_1}
125  if |P^s_m| ≠ n then
126      C^s_m ← (C^s truncated); CCC^s_m ← C^s_m padded with 10..0
130  for i ← 2 to lastfull do
131      j = ⌈i/n⌉, k = (i − 1) mod n
132      if k = 0 then
133          MP^s_j ← PPP^s_i ⊕ M^s_1; M^s_j $← {0,1}^n; MC^s_j ← MP^s_j ⊕ M^s_j
134          if MP^s_j ∈ Domain or MC^s_j ∈ Range then bad ← true
135          Domain ← Domain ∪ {MP^s_j}; Range ← Range ∪ {MC^s_j}
136      CCC^s_i ← PPP^s_i ⊕ 2^k M^s_j
137  CCC^s_1 ← PPP^s_1 ⊕ M^s_1 ⊕ (PPP^s_2 ⊕ CCC^s_2) ⊕ ... ⊕ (PPP^s_m ⊕ CCC^s_m)
140  for i ← 1 to lastfull do
141      C^s_i $← {0,1}^n; CC^s_i ← C^s_i ⊕ 2^{i−1}L
142      if CCC^s_i ∈ Domain or CC^s_i ∈ Range then bad ← true
143      Domain ← Domain ∪ {CCC^s_i}; Range ← Range ∪ {CC^s_i}
150  return C^s_1 ... C^s_m

A decipher query, Dec(T^s; C^s_1 ... C^s_m), is treated symmetrically

Figure 6: Game R2 is indistinguishable from Game R1 but chooses some of its variables in a different order.
Combining Equations 3, 4, 5, and 6, we thus have that

$$\begin{aligned}
\mathrm{Adv}^{\pm rnd}_{EME^*[Perm(n)]}(A)
&= \Pr[A^{E_\pi\, D_{\pi^{-1}}} \Rightarrow 1] - \Pr[A^{\pm rnd} \Rightarrow 1] \\
&\le \Pr[A^{E1} \Rightarrow 1] + \frac{\sigma_A^n(\sigma_A^n + 2N_{be})}{2^n} - \Pr[A^{R2} \Rightarrow 1] \\
&= \Pr[A^{E1} \Rightarrow 1] - \Pr[A^{R1} \Rightarrow 1] + \frac{\sigma_A^n(\sigma_A^n + 2N_{be})}{2^n} \\
&\le \Pr[A^{R1} \text{ sets } bad] + \frac{\sigma_A^n(\sigma_A^n + 2N_{be})}{2^n} \\
&\le \Pr[A^{R2} \text{ sets } bad] + \frac{\sigma_A^n(\sigma_A^n + 2N_{be})}{2^n}
\end{aligned} \qquad (7)$$

Our task is thus to bound Pr[A^{R2} sets bad].

Game R3. Next we reorganize game R2 so as to separate out (i) choosing random values to return to the adversary, (ii) defining intermediate variables, and (iii) setting the flag bad. We remarked before that game R2 replies to any z-bit query with z random bits. Now, in game R3, shown in Figure 7, we make that even more clear by choosing the blocks C^s_1 ... C^s_{m−1} C^s or P^s_1 ... P^s_{m−1} P^s just as soon as the s'th query is made. Nothing else is done at that point except for recording if the adversary made an Enc query or a Dec query, and returning the answer to the adversary. When the adversary finishes all of its oracle queries and halts, we execute the finalization step of game R3. First, we go over all the variables of the game and determine their values, just as we do in game R2. While doing so, we collect all the values in the sets Domain and Range, this time viewing them as multisets D and R, respectively. When we are done setting values to all the variables, we go back and look at D and R. The flag bad is set if (and only if) any of these multisets contains some value more than once. This procedure is designed to set bad under exactly the same conditions as in game R2. The following is thus clear:

$$\Pr[A^{R2} \text{ sets } bad] = \Pr[A^{R3} \text{ sets } bad] \qquad (8)$$

Game N1. So far we have not changed the structure of the game at all: it has remained an adversary asking q questions to an oracle, our answering those questions, and the internal variable bad either ending up true or false. The next step, however, actually gets rid of the adversary, as well as all interaction in the game. We want to bound the probability that bad gets set to true in game R3. We may assume that the adversary is deterministic, and so the probability is over the random choices that are made while answering the queries (in lines 011 and 021), and the random choices in the finalization phase of the game (lines 050, 113, 120, 133, 213, 220, and 233). We will now eliminate the coins associated to lines 011 and 021. Recall that the adversary asks no pointless queries. We would like to make the stronger statement that for any set of values that might be chosen in lines 011 and 021, and for any set of queries (none pointless) associated to them, the finalization step of game R3 rarely sets bad. However, this statement isn't quite true. For example, assume that queries r and s (r < s) are both encipher queries, and that the random choices in line 011 specify that the i'th ciphertext block in the two answers is the same, C^r_i = C^s_i. Then the flag bad is sure to be set, since we will have a collision between CC^r_i and CC^s_i. Formally, since in line
Respond to the s-th adversary query as follows:

An encipher query, Enc(T^s; P^s_1 ... P^s_m):
010  ty^s ← Enc
011  (C^s_1 ... C^s_{m−1} C^s) $← {0,1}^{nm}
012  C^s_m ← 1st |P^s_m| bits of C^s
013  return C^s = C^s_1 ... C^s_m

A decipher query, Dec(T^s; C^s_1 ... C^s_m):
020  ty^s ← Dec
021  (P^s_1 ... P^s_{m−1} P^s) $← {0,1}^{nm}
022  P^s_m ← 1st |C^s_m| bits of P^s
023  return P^s = P^s_1 ... P^s_m

Finalization:
First phase
050  D ← R ← ∅; L $← {0,1}^n; h $← H            // D, R are multisets
051  repeat the following for all s ∈ [1..q]:
100  if ty^s = Enc then
101      if |P^s_m| = n then lastfull ← m
102      else lastfull ← m − 1; PPP^s_m ← P^s_m padded with 10..0; CCC^s_m ← C^s_m padded with 10..0
110      for i ← 1 to lastfull do
111          r = r[s,i] is the 1st index s.t. P^s_i = P^r_i
112          if r < s then PP^s_i ← PP^r_i; PPP^s_i ← PPP^r_i
113          else PP^s_i ← P^s_i ⊕ 2^{i−1}L; PPP^s_i $← {0,1}^n; D ← D ∪ {PP^s_i}; R ← R ∪ {PPP^s_i}
120      M^s_1 $← {0,1}^n
121      MP^s_1 ← PPP^s_1 ⊕ ... ⊕ PPP^s_m ⊕ h(T^s); MC^s_1 ← MP^s_1 ⊕ M^s_1; MM^s ← PPP^s_m ⊕ C^s
122      D ← D ∪ {MP^s_1, MM^s}; R ← R ∪ {MM^s, MC^s_1}
130      for i ← 2 to lastfull do
131          j = ⌈i/n⌉, k = (i − 1) mod n
132          if k = 0 then
133              MP^s_j ← PPP^s_i ⊕ M^s_1; M^s_j $← {0,1}^n; MC^s_j ← MP^s_j ⊕ M^s_j
134              D ← D ∪ {MP^s_j}; R ← R ∪ {MC^s_j}
135          CCC^s_i ← PPP^s_i ⊕ 2^k M^s_j
136      CCC^s_1 ← PPP^s_1 ⊕ M^s_1 ⊕ (PPP^s_2 ⊕ CCC^s_2) ⊕ ... ⊕ (PPP^s_m ⊕ CCC^s_m)
140      for i ← 1 to lastfull do
141          CC^s_i ← C^s_i ⊕ 2^{i−1}L; D ← D ∪ {CCC^s_i}; R ← R ∪ {CC^s_i}
200  The case ty^s = Dec is treated symmetrically

Second phase
300  bad ← (some value appears more than once in D) or (some value appears more than once in R)

Figure 7: Game R3 is adversarially indistinguishable from game RND2 but defers the setting of bad.

050  D ← R ← ∅; L $← {0,1}^n; h $← H            // D, R are multisets
051  for s ← 1 to q do
100  if ty^s = Enc then
101      C^s_m ← 1st |P^s_m| bits of C^s
102      if |P^s_m| = n then lastfull ← m
103      else lastfull ← m − 1; PPP^s_m ← P^s_m padded with 10..0; CCC^s_m ← C^s_m padded with 10..0
110      for i ← 1 to lastfull do
111          r = r[s,i] is the 1st index s.t. P^s_i = P^r_i
112          if r < s then PP^s_i ← PP^r_i; PPP^s_i ← PPP^r_i
113          else PP^s_i ← P^s_i ⊕ 2^{i−1}L; PPP^s_i $← {0,1}^n; D ← D ∪ {PP^s_i}; R ← R ∪ {PPP^s_i}
120      M^s_1 $← {0,1}^n
121      MP^s_1 ← PPP^s_1 ⊕ ... ⊕ PPP^s_m ⊕ h(T^s); MC^s_1 ← MP^s_1 ⊕ M^s_1; MM^s ← PPP^s_m ⊕ C^s
122      D ← D ∪ {MP^s_1, MM^s}; R ← R ∪ {MM^s, MC^s_1}
130      for i ← 2 to lastfull do
131          j = ⌈i/n⌉, k = (i − 1) mod n
132          if k = 0 then
133              MP^s_j ← PPP^s_i ⊕ M^s_1; M^s_j $← {0,1}^n; MC^s_j ← MP^s_j ⊕ M^s_j
134              D ← D ∪ {MP^s_j}; R ← R ∪ {MC^s_j}
135          CCC^s_i ← PPP^s_i ⊕ 2^k M^s_j
136      CCC^s_1 ← PPP^s_1 ⊕ M^s_1 ⊕ (PPP^s_2 ⊕ CCC^s_2) ⊕ ... ⊕ (PPP^s_m ⊕ CCC^s_m)
140      for i ← 1 to lastfull do
141          CC^s_i ← C^s_i ⊕ 2^{i−1}L; D ← D ∪ {CCC^s_i}; R ← R ∪ {CC^s_i}
200  else                                        // ty^s = Dec
201      P^s_m ← 1st |C^s_m| bits of P^s
202      if |C^s_m| = n then lastfull ← m
203      else lastfull ← m − 1; PPP^s_m ← P^s_m padded with 10..0; CCC^s_m ← C^s_m padded with 10..0
210      for i ← 1 to lastfull do
211          r = r[s,i] is the 1st index s.t. C^s_i = C^r_i
212          if r < s then CC^s_i ← CC^r_i; CCC^s_i ← CCC^r_i
213          else CC^s_i ← C^s_i ⊕ 2^{i−1}L; CCC^s_i $← {0,1}^n; D ← D ∪ {CCC^s_i}; R ← R ∪ {CC^s_i}
220      M^s_1 $← {0,1}^n
221      MC^s_1 ← CCC^s_1 ⊕ ... ⊕ CCC^s_m ⊕ h(T^s); MP^s_1 ← MC^s_1 ⊕ M^s_1; MM^s ← CCC^s_m ⊕ P^s
222      D ← D ∪ {MP^s_1, MM^s}; R ← R ∪ {MM^s, MC^s_1}
230      for i ← 2 to lastfull do
231          j = ⌈i/n⌉, k = (i − 1) mod n
232          if k = 0 then
233              MC^s_j ← CCC^s_i ⊕ M^s_1; M^s_j $← {0,1}^n; MP^s_j ← MC^s_j ⊕ M^s_j
234              D ← D ∪ {MP^s_j}; R ← R ∪ {MC^s_j}
235          PPP^s_i ← CCC^s_i ⊕ 2^k M^s_j
236      PPP^s_1 ← CCC^s_1 ⊕ M^s_1 ⊕ (PPP^s_2 ⊕ CCC^s_2) ⊕ ... ⊕ (PPP^s_m ⊕ CCC^s_m)
240      for i ← 1 to lastfull do
241          PP^s_i ← P^s_i ⊕ 2^{i−1}L; D ← D ∪ {PP^s_i}; R ← R ∪ {PPP^s_i}
300  bad ← (some value appears more than once in D) or (some value appears more than once in R)

Figure 8: Game N1 is based on game R3 but now τ = (ty, T, P, C) is a fixed, allowed transcript.
141 we set CC^r_i = C^r_i ⊕ 2^{i−1}L = C^s_i ⊕ 2^{i−1}L = CC^s_i, and since both CC^r_i and CC^s_i are added to R we would set bad when we examine their values in line 300. Another example is when encipher queries r, s have last blocks P^r_{m^r}, P^s_{m^s}, respectively, that are partial (namely |P^r_{m^r}|, |P^s_{m^s}| < n), and the blocks C^s, C^r that are chosen at random in line 011 satisfy (P^r_{m^r} 10..0) ⊕ C^r = (P^s_{m^s} 10..0) ⊕ C^s. In this case, we would have MM^r = MM^s and since both are added to D in line 122 we would set bad when we examine their values in line 300. Similar examples can be shown for decipher queries. We call such collisions immediate collisions. Formally, an immediate collision on encipher happens whenever s is an encipher query and for some r < s we have either C^s_i = C^r_i for some i ≤ lastfull^s, or C^s = (P^s_{m^s} 10..0) ⊕ (P^r_{m^r} 10..0) ⊕ C^r when |P^r_{m^r}|, |P^s_{m^s}| < n. An immediate collision on decipher happens whenever s is a decipher query and for some r < s we have either P^s_i = P^r_i for some i ≤ lastfull^s, or P^s = (C^s_{m^s} 10..0) ⊕ (C^r_{m^r} 10..0) ⊕ P^r when |C^r_{m^r}|, |C^s_{m^s}| < n. The probability of an immediate collision (on either encipher or decipher) in game R3 is at most

$$\sum_{s=1}^{q} \frac{m^s (s-1)}{2^n} \;<\; \frac{q}{2^n} \sum_{s=1}^{q} m^s \;=\; \frac{q\,\sigma_D^n}{2^n}$$

We make from the Finalization part of game R3 a new game, game N1 (for "noninteractive"). This game silently depends on a fixed transcript τ = ⟨ty, T, P, C⟩ with ty^s the type of query s (ty^s ∈ {Enc, Dec}) and T^s ∈ {0,1}* the associated data to query s. Also for an encipher query s we have P^s = P^s_1 ... P^s_m and C^s = C^s_1 ... C^s_{m−1}, C^s, and for a decipher query s we have P^s = P^s_1 ... P^s_{m−1} P^s and C^s = C^s_1 ... C^s_m. Below we let lastfull^s denote either m if the last block in query s is full or m − 1 if it is partial. Also, for an encipher query s we denote by P^s the padding of P^s_m, P^s = P^s_m 10..0, and by C^s_m we denote the first |P^s_m| bits of C^s. Similarly, for a decipher query we denote C^s = C^s_m 10..0, and denote by P^s_m the first |C^s_m| bits of P^s. Since the transcript τ is fixed, then also all these quantities are fixed. This fixed transcript τ may not specify any immediate collisions or pointless queries; we call such a transcript allowed. Thus saying that τ is allowed means that for all r < s we have the following: if ty^s = Enc then (i) (T^s, P^s) ≠ (T^r, P^r), (ii) C^s_i ≠ C^r_i for any i ∈ [1..lastfull^s], (iii) if |P^s_m|, |P^r_{m^r}| < n then C^s ≠ (P^s_m 10..0) ⊕ (P^r_{m^r} 10..0) ⊕ C^r; while if ty^s = Dec then (i) (T^s, C^s) ≠ (T^r, C^r) and (ii) P^s_i ≠ P^r_i for any i ∈ [1..lastfull^s], (iii) if |C^s_m|, |C^r_{m^r}| < n then P^s ≠ (C^s_m 10..0) ⊕ (C^r_{m^r} 10..0) ⊕ P^r. Now fix an allowed transcript τ that maximizes the probability of the flag bad being set. This one transcript τ is hardwired into game N1. We have that

$$\Pr[A^{R3} \text{ sets } bad] \;\le\; \Pr[N1 \text{ sets } bad] + \frac{q\,\sigma_D^n}{2^n} \qquad (9)$$

This step can be viewed as conditioning on the absence of an immediate collision, followed by the usual argument that an average of a collection of real numbers is at most the maximum of those numbers. One can also view the transition from game R3 to game N1 as augmenting the adversary, letting it specify not only the queries to the game, but also the answers to these queries (as long as it does not specify immediate collisions or pointless queries). In terms of game R3, instead of having the oracle choose the answers to the queries at random in lines 011 and 021, we let the adversary supply both the queries and the answers. The oracle just records these queries and answers. When the adversary is done, we execute the finalization step as before to determine the bad flag. Clearly such an augmented adversary does not interact with the oracle at all; it just determines the entire transcript, giving it as input to the oracle. Now maximizing the probability of setting bad over all such augmented adversaries is the same as maximizing this probability over all allowed transcripts.

Game N2. Before we move to analyze the non-interactive game, we make one last change, aimed at reducing the number of cases that we need to handle in the analysis. We observe that due to the complete symmetry between D and R, it is sufficient to analyze the collision probability in just one of them. Specifically, because of this symmetry we can assume w.l.o.g. that in game N1

Pr[some value appears more than once in D] ≥ Pr[some value appears more than once in R]

and therefore Pr[N1 sets bad] ≤ 2 Pr[some value appears more than once in D]. We therefore replace the game N1 by game N2, in which we only set the flag bad if there is a collision in D. We now can drop the code that handles R, as well as anything else that doesn't affect the multiset D. Specifically, we make the following changes in the code of the game N1:

- We drop the multiset R from the code.

- We replace the assignment MP^s_1 ← MC^s_1 ⊕ M^s_1 from line 221 in game N1 by the equivalent assignment MP^s_1 ← CCC^s_1 ⊕ ... ⊕ CCC^s_m ⊕ h(T^s) ⊕ M^s_1. Similarly, we replace the assignment MP^s_j ← MC^s_j ⊕ M^s_j from line 233 by the equivalent assignment MP^s_j ← CCC^s_i ⊕ M^s_1 ⊕ M^s_j.

- Now the variables CC^s_i and MC^s_j are never used in the code, so we drop them altogether.

The resulting game is described in Figure 9, and we have

$$\Pr[N1 \text{ sets } bad] \;\le\; 2 \Pr[N2 \text{ sets } bad] \qquad (10)$$

A.2 Analysis of the non-interactive game

We are now ready to analyze the resulting game N2, showing that the event "N2 sets bad" only happens with small probability. In the analysis we view the multiset D as a set of formal variables (rather than a multiset containing the values that these variables assume). Namely, whenever we set D ← D ∪ {X} for some variable X we think of it as setting D ← D ∪ {"X"} where "X" is the name of that formal variable. Viewed in this light, our goal now is to bound the probability that two formal variables in D assume the same value in the execution of N2. We observe that the formal variables in D are uniquely determined by τ; they don't depend on the random choices made in the game N2. Specifically,

$$\begin{aligned} D = {} & \{\, MM^s : s \le q \,\} \cup \{\, MP^s_j : s \le q,\ j \le \lceil \mathit{lastfull}^s / n \rceil \,\} \\ & \cup \{\, PP^s_i : ty^s = \mathrm{Dec},\ i \le \mathit{lastfull}^s \,\} \cup \{\, PP^s_i : ty^s = \mathrm{Enc},\ i \le \mathit{lastfull}^s,\ s = r[s,i] \,\} \\ & \cup \{\, CCC^s_i : ty^s = \mathrm{Enc},\ i \le \mathit{lastfull}^s \,\} \cup \{\, CCC^s_i : ty^s = \mathrm{Dec},\ i \le \mathit{lastfull}^s,\ s = r[s,i] \,\} \end{aligned}$$
More informationTRIPLE SOLUTIONS FOR THE ONE-DIMENSIONAL
GLASNIK MATEMATIČKI Vol. 38583, 73 84 TRIPLE SOLUTIONS FOR THE ONE-DIMENSIONAL p-laplacian Haihen Lü, Donal O Regan and Ravi P. Agarwal Academy of Mathematic and Sytem Science, Beijing, China, National
More informationCS 170: Midterm Exam II University of California at Berkeley Department of Electrical Engineering and Computer Sciences Computer Science Division
1 1 April 000 Demmel / Shewchuk CS 170: Midterm Exam II Univerity of California at Berkeley Department of Electrical Engineering and Computer Science Computer Science Diviion hi i a cloed book, cloed calculator,
More informationDesign By Emulation (Indirect Method)
Deign By Emulation (Indirect Method he baic trategy here i, that Given a continuou tranfer function, it i required to find the bet dicrete equivalent uch that the ignal produced by paing an input ignal
More informationImproving Upon the TET Mode of Operation
Improving Upon the TET Mode of Operation Palash Sarkar Applied Statistics Unit Indian Statistical Institute 203, B.T. Road, Kolkata India 700108. email: palash@isical.ac.in Abstract. Naor and Reingold
More informationCompact finite-difference approximations for anisotropic image smoothing and painting
CWP-593 Compact finite-difference approximation for aniotropic image moothing and painting Dave Hale Center for Wave Phenomena, Colorado School of Mine, Golden CO 80401, USA ABSTRACT Finite-difference
More informationElectronic Theses and Dissertations
Eat Tenneee State Univerity Digital Common @ Eat Tenneee State Univerity Electronic Thee and Diertation Student Work 5-208 Vector Partition Jennifer French Eat Tenneee State Univerity Follow thi and additional
More informationFast explicit formulae for genus 2 hyperelliptic curves using projective coordinates
Fat explicit formulae for genu hyperelliptic curve uing projective coordinate Thoma Wollinger Ecrypt embedded ecurity GmbH twollinger@ecryptde Abtract Thi contribution propoe a modification of method of
More informationQuantitative Information Leakage. Lecture 9
Quantitative Information Leakage Lecture 9 1 The baic model: Sytem = Information-Theoretic channel Secret Information Obervable 1 o1... Sytem... m on Input Output 2 Toward a quantitative notion of leakage
More informationWhat lies between Δx E, which represents the steam valve, and ΔP M, which is the mechanical power into the synchronous machine?
A 2.0 Introduction In the lat et of note, we developed a model of the peed governing mechanim, which i given below: xˆ K ( Pˆ ˆ) E () In thee note, we want to extend thi model o that it relate the actual
More informationOnline Parallel Scheduling of Non-uniform Tasks: Trading Failures for Energy
Online Parallel Scheduling of Non-uniform Tak: Trading Failure for Energy Antonio Fernández Anta a, Chryi Georgiou b, Dariuz R. Kowalki c, Elli Zavou a,d,1 a Intitute IMDEA Network b Univerity of Cypru
More informationBayesian Learning, Randomness and Logic. Marc Snir
Bayeian Learning, Randomne and Logic Marc Snir Background! 25 year old work, far from my current reearch! why preent now?! Becaue it wa done when I wa Eli tudent! Becaue it i about the foundation of epitemology!
More informationExploiting Transformations of the Galois Configuration to Improve Guess-and-Determine Attacks on NFSRs
Exploiting Tranformation of the Galoi Configuration to Improve Gue-and-Determine Attack on NFSR Gefei Li, Yuval Yarom, and Damith C. Ranainghe Univerity of Adelaide, Adelaide, South Autralia, Autralia
More informationUnavoidable Cycles in Polynomial-Based Time-Invariant LDPC Convolutional Codes
European Wirele, April 7-9,, Vienna, Autria ISBN 978--87-4-9 VE VERLAG GMBH Unavoidable Cycle in Polynomial-Baed Time-Invariant LPC Convolutional Code Hua Zhou and Norbert Goertz Intitute of Telecommunication
More informationChapter Landscape of an Optimization Problem. Local Search. Coping With NP-Hardness. Gradient Descent: Vertex Cover
Coping With NP-Hardne Chapter 12 Local Search Q Suppoe I need to olve an NP-hard problem What hould I do? A Theory ay you're unlikely to find poly-time algorithm Mut acrifice one of three deired feature
More informationLecture 4 Topic 3: General linear models (GLMs), the fundamentals of the analysis of variance (ANOVA), and completely randomized designs (CRDs)
Lecture 4 Topic 3: General linear model (GLM), the fundamental of the analyi of variance (ANOVA), and completely randomized deign (CRD) The general linear model One population: An obervation i explained
More informationChapter 5 Consistency, Zero Stability, and the Dahlquist Equivalence Theorem
Chapter 5 Conitency, Zero Stability, and the Dahlquit Equivalence Theorem In Chapter 2 we dicued convergence of numerical method and gave an experimental method for finding the rate of convergence (aka,
More informationonline learning Unit Workbook 4 RLC Transients
online learning Pearon BTC Higher National in lectrical and lectronic ngineering (QCF) Unit 5: lectrical & lectronic Principle Unit Workbook 4 in a erie of 4 for thi unit Learning Outcome: RLC Tranient
More informationDYNAMIC MODELS FOR CONTROLLER DESIGN
DYNAMIC MODELS FOR CONTROLLER DESIGN M.T. Tham (996,999) Dept. of Chemical and Proce Engineering Newcatle upon Tyne, NE 7RU, UK.. INTRODUCTION The problem of deigning a good control ytem i baically that
More informationSOME RESULTS ON INFINITE POWER TOWERS
NNTDM 16 2010) 3, 18-24 SOME RESULTS ON INFINITE POWER TOWERS Mladen Vailev - Miana 5, V. Hugo Str., Sofia 1124, Bulgaria E-mail:miana@abv.bg Abtract To my friend Kratyu Gumnerov In the paper the infinite
More informationGNSS Solutions: What is the carrier phase measurement? How is it generated in GNSS receivers? Simply put, the carrier phase
GNSS Solution: Carrier phae and it meaurement for GNSS GNSS Solution i a regular column featuring quetion and anwer about technical apect of GNSS. Reader are invited to end their quetion to the columnit,
More informationTopic 6. Digital Signatures and Identity Based Encryption
Topic 6. Digital Signature and Identity Baed Encryption. Security of Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital Signature
More informationComputers and Mathematics with Applications. Sharp algebraic periodicity conditions for linear higher order
Computer and Mathematic with Application 64 (2012) 2262 2274 Content lit available at SciVere ScienceDirect Computer and Mathematic with Application journal homepage: wwweleviercom/locate/camwa Sharp algebraic
More informationIdentity-based Hierarchical Designated Decryption *
JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 26, 243-259 (200) Identity-baed Hierarchical Deignated Decryption * SHU-HUI CHANG, CHUAN-MING LI 2 AND TZONELIH HWANG 3 Center of General Education Southern
More informationA Domain Extender for the Ideal Cipher
A Domain Extender for the Ideal Cipher Jean-Sébastien Coron 2, Yevgeniy Dodis 1, Avradip Mandal 2, and Yannick Seurin 3,4 1 New York University 2 University of Luxembourg 3 University of Versailles 4 Orange
More informationCHAPTER 4 DESIGN OF STATE FEEDBACK CONTROLLERS AND STATE OBSERVERS USING REDUCED ORDER MODEL
98 CHAPTER DESIGN OF STATE FEEDBACK CONTROLLERS AND STATE OBSERVERS USING REDUCED ORDER MODEL INTRODUCTION The deign of ytem uing tate pace model for the deign i called a modern control deign and it i
More informationZ a>2 s 1n = X L - m. X L = m + Z a>2 s 1n X L = The decision rule for this one-tail test is
M09_BERE8380_12_OM_C09.QD 2/21/11 3:44 PM Page 1 9.6 The Power of a Tet 9.6 The Power of a Tet 1 Section 9.1 defined Type I and Type II error and their aociated rik. Recall that a repreent the probability
More informationRaneNote BESSEL FILTER CROSSOVER
RaneNote BESSEL FILTER CROSSOVER A Beel Filter Croover, and It Relation to Other Croover Beel Function Phae Shift Group Delay Beel, 3dB Down Introduction One of the way that a croover may be contructed
More informationLogic, Automata and Games
Logic, Automata and Game Jacque Duparc EJCIM 27 EJCIM, 23-27 January 27 J. Duparc ( & ) Logic, Automata and Game Lyon, 23-27 January 27 / 97 Reference [] K. R. Apt and E. Grädel. Lecture in game theory
More informationSource slideplayer.com/fundamentals of Analytical Chemistry, F.J. Holler, S.R.Crouch. Chapter 6: Random Errors in Chemical Analysis
Source lideplayer.com/fundamental of Analytical Chemitry, F.J. Holler, S.R.Crouch Chapter 6: Random Error in Chemical Analyi Random error are preent in every meaurement no matter how careful the experimenter.
More informationEvolutionary Algorithms Based Fixed Order Robust Controller Design and Robustness Performance Analysis
Proceeding of 01 4th International Conference on Machine Learning and Computing IPCSIT vol. 5 (01) (01) IACSIT Pre, Singapore Evolutionary Algorithm Baed Fixed Order Robut Controller Deign and Robutne
More informationThe machines in the exercise work as follows:
Tik-79.148 Spring 2001 Introduction to Theoretical Computer Science Tutorial 9 Solution to Demontration Exercie 4. Contructing a complex Turing machine can be very laboriou. With the help of machine chema
More informationThe Hassenpflug Matrix Tensor Notation
The Haenpflug Matrix Tenor Notation D.N.J. El Dept of Mech Mechatron Eng Univ of Stellenboch, South Africa e-mail: dnjel@un.ac.za 2009/09/01 Abtract Thi i a ample document to illutrate the typeetting of
More informationMath Skills. Scientific Notation. Uncertainty in Measurements. Appendix A5 SKILLS HANDBOOK
ppendix 5 Scientific Notation It i difficult to work with very large or very mall number when they are written in common decimal notation. Uually it i poible to accommodate uch number by changing the SI
More informationThe Laplace Transform (Intro)
4 The Laplace Tranform (Intro) The Laplace tranform i a mathematical tool baed on integration that ha a number of application It particular, it can implify the olving of many differential equation We will
More informationGain and Phase Margins Based Delay Dependent Stability Analysis of Two- Area LFC System with Communication Delays
Gain and Phae Margin Baed Delay Dependent Stability Analyi of Two- Area LFC Sytem with Communication Delay Şahin Sönmez and Saffet Ayaun Department of Electrical Engineering, Niğde Ömer Halidemir Univerity,
More informationQuestion 1 Equivalent Circuits
MAE 40 inear ircuit Fall 2007 Final Intruction ) Thi exam i open book You may ue whatever written material you chooe, including your cla note and textbook You may ue a hand calculator with no communication
More informationAsymptotics of ABC. Paul Fearnhead 1, Correspondence: Abstract
Aymptotic of ABC Paul Fearnhead 1, 1 Department of Mathematic and Statitic, Lancater Univerity Correpondence: p.fearnhead@lancater.ac.uk arxiv:1706.07712v1 [tat.me] 23 Jun 2017 Abtract Thi document i due
More informationFermi Distribution Function. n(e) T = 0 T > 0 E F
LECTURE 3 Maxwell{Boltzmann, Fermi, and Boe Statitic Suppoe we have a ga of N identical point particle in a box ofvolume V. When we ay \ga", we mean that the particle are not interacting with one another.
More informationEfficient Methods of Doppler Processing for Coexisting Land and Weather Clutter
Efficient Method of Doppler Proceing for Coexiting Land and Weather Clutter Ça gatay Candan and A Özgür Yılmaz Middle Eat Technical Univerity METU) Ankara, Turkey ccandan@metuedutr, aoyilmaz@metuedutr
More informationLecture 3. January 9, 2018
Lecture 3 January 9, 208 Some complex analyi Although you might have never taken a complex analyi coure, you perhap till know what a complex number i. It i a number of the form z = x + iy, where x and
More informationEE 4443/5329. LAB 3: Control of Industrial Systems. Simulation and Hardware Control (PID Design) The Inverted Pendulum. (ECP Systems-Model: 505)
EE 4443/5329 LAB 3: Control of Indutrial Sytem Simulation and Hardware Control (PID Deign) The Inverted Pendulum (ECP Sytem-Model: 505) Compiled by: Nitin Swamy Email: nwamy@lakehore.uta.edu Email: okuljaca@lakehore.uta.edu
More informationFlag-transitive non-symmetric 2-designs with (r, λ) = 1 and alternating socle
Flag-tranitive non-ymmetric -deign with (r, λ = 1 and alternating ocle Shenglin Zhou, Yajie Wang School of Mathematic South China Univerity of Technology Guangzhou, Guangdong 510640, P. R. China lzhou@cut.edu.cn
More informationApproximating discrete probability distributions with Bayesian networks
Approximating dicrete probability ditribution with Bayeian network Jon Williamon Department of Philoophy King College, Str and, London, WC2R 2LS, UK Abtract I generalie the argument of [Chow & Liu 1968]
More informationStochastic Neoclassical Growth Model
Stochatic Neoclaical Growth Model Michael Bar May 22, 28 Content Introduction 2 2 Stochatic NGM 2 3 Productivity Proce 4 3. Mean........................................ 5 3.2 Variance......................................
More information