G /G Advanced Cryptography 12/9/2009. Lecture 14
Lecturer: Yevgeniy Dodis
Scribe: Aristeidis Tentes

In this lecture we covered the Ideal/Real paradigm and the notion of UC security. Moreover, we saw some UC-secure ZK protocols and NIZKs.

1 Ideal/Real paradigm

One of the main objectives of cryptography is to construct protocols which are secure even in the presence of corrupted parties. But first of all we have to define what "secure" means. To do so, imagine what properties we would have in an ideal world, and then call a protocol secure if the real (constructed) protocol has similar properties. This is the basic idea of the Ideal/Real paradigm.

There are two main kinds of adversaries: static and adaptive. In the first case the adversary chooses which party it corrupts before the protocol begins. In the latter case the adversary chooses the party to be corrupted during the execution of the protocol. The network that is used might be either authenticated, which means that the receiver always knows who the sender was, or not. It might also have secure or public channels. The former ensure that the transmitted messages reveal useful information only to the receiver, while the latter do not. Here, for simplicity, we assume static adversaries and a network with secure, authenticated channels.

For example, consider a ZK protocol for some relation R, where the verifier V has as input some y and the prover P wants to prove to V that there exists some x such that $(x, y) \in R$. In an ideal world we can imagine a third party which is honest and trusted and can communicate with both P and V. In this ideal scenario P could give (x, y) to this trusted party, the latter would check whether $(x, y) \in R$, and then tell V whether this is true or false. However, in the real world we do not have such trusted parties, and we have to substitute them with a cryptographic protocol π between P and V.

Roughly speaking, the Ideal/Real paradigm requires that whatever information an adversary A (which plays the role of either P or V) could retrieve in the real world, there is a way to retrieve it in the ideal world as well. The trusted third party can be viewed as the functionality we want to achieve, and we denote it by $F_{ZK}$. If some protocol satisfies the above property with respect to this functionality, we call it secure. The formal definition of security follows:
Definition 1. A protocol π realizes $F_{ZK}$ if for all ppt A there exists a ppt S such that
$$\mathrm{Real}^{\pi}_{A} \approx_c \mathrm{Ideal}^{F_{ZK}}_{S}.$$

Now let us see what the role of the simulator S is in each case of corruption. In the case where the adversary A corrupts the verifier V, the simulator S in the ideal world only learns whether the statement is true or not, while in the real world A also sees a proof of it. Thus S must be able to simulate an accepting proof while knowing only that the statement is true. On the other hand, if A corrupts P, S must be able to provide the witness x to the functionality $F_{ZK}$ in the ideal world. Observing that S can simulate V, we see that S must be able to extract the witness from the (corrupted) P. The next theorem should now be intuitively clear:

Theorem 2. Any ZKPoK protocol π realizes $F_{ZK}$.

2 Universal Composability

The above notion of security is quite strong, but still not enough. In some cases we want the protocols to be securely composable. That is, we want the protocols to be secure even if we use them as subroutines in larger protocols, or in cases where other protocols (related or not) are running concurrently. Therefore we have to take into consideration any environment in which the interaction takes place. The environment can be viewed as an interactive ppt Turing machine which interacts with both P and V, and is denoted by Z.
Definition 3. A protocol π UC-realizes $F_{ZK}$ if for all ppt A there exists a ppt S such that for all ppt Z
$$\mathrm{Real}^{\pi}_{A,Z} \approx_c \mathrm{Ideal}^{F_{ZK}}_{S,Z}.$$

A negative result is that, without any setup, this notion of security is too strong:

Theorem 4. No protocol π UC-realizes $F_{ZK}$.

The intuition is that the environment Z does not allow the simulator to do rewinding. That is, in the case of a corrupted prover P, the simulator must extract online; but if there is no setup, the same extraction could be done by a malicious verifier V, which would contradict ZK. On the other hand, if we assume an extended setting, we can have UC-realizable ZK protocols in the CRS model. The two models we consider are:

Fresh CRS model. For every interaction we use a new CRS.
Reusable CRS model. For every interaction we use the same CRS.

Theorem 5.
1. Any NIZKPoK π UC-realizes $F_{ZK}$ in the fresh CRS model.
2. Any wSE-NIZK with labels π UC-realizes $F_{ZK}$ in the reusable CRS model.¹

¹ Every interaction is labeled with a different identification number called sid (session identification number). If we use this sid as the label, then every new proof is fresh and cannot be reused.

2.1 Ω-protocols

To construct protocols which UC-realize $F_{ZK}$ based on weaker assumptions, we are going to use Ω-protocols. Let us recall Ω-protocols, which we saw in lecture 8:

Definition 6. Let π be a Σ-protocol. We call π an Ω-protocol if there exists a ppt extractor E such that for any prover P* and statement y we have
$$\Pr\big[\pi^* \leftarrow (P^*(y) \leftrightarrow V(y));\; x \leftarrow E(\pi^*, TK) \;:\; \mathrm{Accept}(\pi^*) \wedge (x, y) \notin R\big] = \mathrm{negl},$$
where TK is the trapdoor key of FakeCRS.
The difference from the previous lecture is that here there is a CRS with a trapdoor instead of a (non-programmable) random oracle. Therefore the extractor is given the trapdoor of the CRS instead of the oracle queries. Now let us see two constructions of Ω-protocols for a relation R.

Construction 1 (from CPA + Σ-protocol with large challenge space). The CRS is the public key pk, and the trapdoor of the CRS is the decryption key dk, of a CPA-secure encryption scheme. During the first round the prover P computes $c \leftarrow \mathrm{Enc}_{pk}(x)$ and sends it to the verifier V. Then P and V run a Σ-protocol for the statement "$\mathrm{Dec}_{dk}(c) = x$ and $(x, y) \in R$". The extractor E simply uses the decryption key to compute $x = \mathrm{Dec}_{dk}(c)$; by soundness of the underlying Σ-protocol, x must be a witness. A disadvantage of this construction is that even if R has an efficient Σ-protocol, the relation of the statements "$\mathrm{Dec}_{dk}(c) = x$ and $(x, y) \in R$" might not.

Theorem 7. The above construction is a secure Ω-protocol if Σ has a superlogarithmic challenge space.

Construction 2 (from CPA + Σ-protocol with small challenge space). If the challenge space is binary (small), then we can do the following, repeated n times in parallel:

P: runs the first step of the Σ-protocol, obtaining the first message a together with the responses $z_0, z_1$ to the two possible challenges; computes $\gamma_0 = \mathrm{Enc}_{pk}(z_0; r_0)$ and $\gamma_1 = \mathrm{Enc}_{pk}(z_1; r_1)$; sends $(a, \gamma_0, \gamma_1)$.
V: picks $c \leftarrow_R \{0, 1\}$ (over the n repetitions the challenge is $(c_1, \dots, c_n)$) and sends it.
P: sends $(z_c, r_c)$, i.e. the response selected by the challenge together with the randomness used to encrypt it, so that V can check that $\gamma_c$ indeed encrypts $z_c$ and that $(a, c, z_c)$ is an accepting Σ-transcript.

Theorem 8. The above construction is a secure Ω-protocol.

This construction is very similar to that of lecture 8 for the case of a non-programmable random oracle. The extractor here uses the secret key (the trapdoor of the CRS) to compute $z_{1-c}$ and uses special soundness to compute the witness from $a, z_c, z_{1-c}$. With overwhelming probability there exists some repetition which gives a valid witness. The advantage of this protocol is that it is quite generic and only needs a Σ-protocol for the relation R itself (and not for another relation, as before). The disadvantage is that there is a great loss of efficiency, as it is like running many protocols in parallel.
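The following is an added example, not part of the lecture notes: Construction 2 in Python with toy parameters, using a binary-challenge Schnorr Σ-protocol for knowledge of a discrete logarithm, textbook ElGamal as the CPA-secure scheme whose public key is the CRS, N_REPS parallel repetitions, and the straight-line extractor that decrypts the unopened response with the trapdoor dk and applies special soundness. The tiny group (p = 1019), the generator, all function names and the cheating-prover strategy are constructed here for illustration and do not come from the notes.

```python
import secrets

# Constructed toy parameters (illustration only): p = 2q + 1 with q prime.
# g = 4 is a quadratic residue mod p, so it generates the order-q subgroup.
P, Q, G = 1019, 509, 4
N_REPS = 40  # parallel repetitions; a cheating prover survives with prob. 2^-N_REPS

def fake_crs():
    """FakeCRS: the CRS is an ElGamal public key pk, the trapdoor TK is its decryption key dk."""
    dk = secrets.randbelow(Q - 1) + 1
    return pow(G, dk, P), dk

def enc(pk, z, r):
    """Textbook ElGamal over Z_p^* (toy CPA scheme); z in Z_q is encoded as z + 1 in [1, p-1]."""
    return pow(G, r, P), (z + 1) * pow(pk, r, P) % P

def dec(dk, ct):
    c1, c2 = ct
    return c2 * pow(pow(c1, dk, P), -1, P) % P - 1

def sigma_first(x):
    """Binary-challenge Schnorr for y = g^x: first message a = g^r and the responses
    z_0 = r (challenge 0) and z_1 = r + x (challenge 1)."""
    r = secrets.randbelow(Q)
    return pow(G, r, P), (r, (r + x) % Q)

def sigma_verify(y, a, c, z):
    return pow(G, z, P) == a * pow(y, c, P) % P

def special_soundness(z0, z1):
    """Two accepting transcripts with the same a and challenges 0 and 1 reveal x."""
    return (z1 - z0) % Q

def prover_round1(pk, x):
    state, msg = [], []
    for _ in range(N_REPS):
        a, (z0, z1) = sigma_first(x)
        r0, r1 = secrets.randbelow(Q), secrets.randbelow(Q)
        state.append(((z0, r0), (z1, r1)))
        msg.append((a, enc(pk, z0, r0), enc(pk, z1, r1)))  # (a, gamma_0, gamma_1)
    return state, msg

def cheating_round1(pk, y):
    """Prover without a witness (constructed strategy): guess b_i for each challenge,
    pick a_i so that only challenge b_i can be answered, and encrypt junk in the other
    slot.  Such a repetition gives the extractor nothing, but V rejects it when c_i != b_i."""
    state, msg = [], []
    for _ in range(N_REPS):
        b, z, r = secrets.randbelow(2), secrets.randbelow(Q), secrets.randbelow(Q)
        a = pow(G, z, P) * pow(pow(y, b, P), -1, P) % P  # forces g^z = a * y^b
        junk = (secrets.randbelow(Q), secrets.randbelow(Q))
        slots = ((z, r), junk) if b == 0 else (junk, (z, r))
        state.append(slots)
        msg.append((a, enc(pk, *slots[0]), enc(pk, *slots[1])))
    return state, msg

def verifier_challenge():
    return [secrets.randbelow(2) for _ in range(N_REPS)]

def prover_round3(state, challenge):
    # Reveal only the response selected by c_i, together with its encryption randomness.
    return [state[i][c] for i, c in enumerate(challenge)]

def verify(pk, y, msg1, challenge, msg3):
    """V checks that (z_c, r_c) opens gamma_c and that (a, c, z_c) is an accepting transcript."""
    for (a, g0, g1), c, (z, r) in zip(msg1, challenge, msg3):
        if enc(pk, z, r) != (g0, g1)[c] or not sigma_verify(y, a, c, z):
            return False
    return True

def extract(dk, y, msg1, challenge, msg3):
    """Straight-line extractor E: decrypt the unopened gamma_{1-c} with the trapdoor and
    apply special soundness; some repetition yields a valid witness, no rewinding needed."""
    for (a, g0, g1), c, (z, _) in zip(msg1, challenge, msg3):
        z_other = dec(dk, (g0, g1)[1 - c])
        z0, z1 = (z, z_other) if c == 0 else (z_other, z)
        x = special_soundness(z0, z1)
        if pow(G, x, P) == y:
            return x
    return None

def run_omega(x, honest=True):
    """One full session; returns (verifier accepted?, witness extracted from the transcript)."""
    pk, dk = fake_crs()
    y = pow(G, x, P)
    state, msg1 = prover_round1(pk, x) if honest else cheating_round1(pk, y)
    challenge = verifier_challenge()
    msg3 = prover_round3(state, challenge)
    return verify(pk, y, msg1, challenge, msg3), extract(dk, y, msg1, challenge, msg3)

if __name__ == "__main__":
    print(run_omega(123))                   # (True, 123)
    print(run_omega(123, honest=False)[0])  # False, except with probability 2^-N_REPS
```

The extractor never interacts with the prover again: it works from the single transcript plus dk, which is exactly the online (straight-line) extraction the UC setting demands.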
2.2 Construction of a UC-secure ZK protocol in the fresh CRS model

Suppose that we have a trapdoor commitment scheme. The CRS will be the CRS of both the trapdoor commitment scheme and the Ω-protocol, namely CRS = (Ω-CRS, Com-CRS).

P: computes $(\gamma, d) \leftarrow \mathrm{Com}(a)$, a commitment to the first Ω-protocol message a, and sends γ.
V: sends the challenge c.
P: sends (z, d, a), i.e. the response together with the opening of the commitment.

As we can see, this construction is very similar to that of concurrent ZK in lecture 7. However, here we need not only straight-line simulatability but straight-line extractability as well. This is exactly the reason why we use Ω-protocols.

2.3 Construction of a UC-secure ZK protocol in the reusable CRS model

The above protocol is only secure if there is a fresh CRS every time. However, if the CRS remains the same, an adversary might interact with some prover P, use what P sent him to break binding, and then interact with some verifier V. Therefore, here we are going to use a tool called an Identity-Based Trapdoor Commitment scheme (IBTC). It is almost the same as a trapdoor commitment scheme, but every receiver has an identity and each identity has a different trapdoor. More specifically, there exist a master secret key MSK and a public key PK. Using MSK we can compute for any ID its trapdoor key $TK_{ID}$. The equivocation property is the same as that of regular trapdoor commitments, with respect to each identity ID: namely, having $TK_{ID}$, we can produce an equivocable commitment which can be opened to any message.

Construction of IBTC (from OWF + Σ-protocol). The construction is very similar to that of regular trapdoor commitments, which we saw in lecture 4. There we used a Σ-protocol for a relation $R_f$ such that $(x, y) \in R_f$ iff $f(x) = y$, with f a OWF; the public key was y and the trapdoor key x. Here we just use a different relation. Suppose that Γ = (Gen, Sig, Ver) is a signature scheme, let $R_{ID}$ be the relation such that $(x, y) \in R_{ID}$ iff $y = (VK, ID)$ and $x = \sigma$ with $\mathrm{Ver}(VK, ID, \sigma) = 1$, and suppose that there is a Σ-protocol for this relation. First, we choose a random string r and compute $(VK, SK) \leftarrow \mathrm{Gen}(r)$. Then we set MSK = r and PK = VK. The trapdoor key $TK_{ID}$ for identity ID is $\sigma_{ID} = \mathrm{Sig}_{SK}(ID)$. Commitment and equivocation are the same as in the Σ-protocol-based trapdoor commitments.

The ZK protocol is the same as before, but instead of using regular trapdoor commitments we use IBTC. Namely,
P: computes $(\gamma, d) \leftarrow \mathrm{Com}_V(a)$, a commitment under the verifier's identity V, and sends γ.
V: sends the challenge c.
P: sends (z, d, a).

The usefulness of IBTC relies on the fact that every ID has a different trapdoor, and breaking binding for one ID does not imply breaking binding for other IDs.

3 Generalized Universal Composability

Although UC-security is a very strong notion, it does not capture all the security properties we want in the case of protocols which use a global setup (CRS, PKI, etc.). That is, in cases where many protocols may use the same setup, there are issues such as deniability and malleability which are not guaranteed by UC-security. Therefore an even stronger notion of security is required, which is called Generalized Universal Composability (GUC). Roughly speaking, in the CRS model of the UC framework the common reference string is only given to the adversary and the parties running the actual protocol (in the real world), but in the GUC framework the reference string is given to everyone, including the environment. On a more technical level, the simulator is not allowed to choose its own CRS, namely the CRS is non-programmable. What we achieve with GUC-secure protocols is that they can be securely composed with other protocols which use the same setup.
Strongly nforgeable Sgnatures Reslent to Polynomally Hard-to-Invert Leakage under Standard Assumptons Masahto Ishzaka and Kanta Matsuura Insttute of Industral Scence, The nversty of Tokyo, Tokyo, Japan.
More informationTightly CCA-Secure Encryption without Pairings
Tghtly CCA-Secure Encrypton wthout Parngs Roman Gay 1,, Denns Hofhenz 2,, Eke Kltz 3,, and Hoeteck Wee 1, 1 ENS, Pars, France rgay,wee@d.ens.fr 2 Ruhr-Unverstät Bochum, Bochum, Germany eke.kltz@rub.de
More informationDifference Equations
Dfference Equatons c Jan Vrbk 1 Bascs Suppose a sequence of numbers, say a 0,a 1,a,a 3,... s defned by a certan general relatonshp between, say, three consecutve values of the sequence, e.g. a + +3a +1
More informationExcess Error, Approximation Error, and Estimation Error
E0 370 Statstcal Learnng Theory Lecture 10 Sep 15, 011 Excess Error, Approxaton Error, and Estaton Error Lecturer: Shvan Agarwal Scrbe: Shvan Agarwal 1 Introducton So far, we have consdered the fnte saple
More information(1 ) (1 ) 0 (1 ) (1 ) 0
Appendx A Appendx A contans proofs for resubmsson "Contractng Informaton Securty n the Presence of Double oral Hazard" Proof of Lemma 1: Assume that, to the contrary, BS efforts are achevable under a blateral
More information20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The first idea is connectedness.
20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The frst dea s connectedness. Essentally, we want to say that a space cannot be decomposed
More information12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA. 4. Tensor product
12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA Here s an outlne of what I dd: (1) categorcal defnton (2) constructon (3) lst of basc propertes (4) dstrbutve property (5) rght exactness (6) localzaton
More informationGrover s Algorithm + Quantum Zeno Effect + Vaidman
Grover s Algorthm + Quantum Zeno Effect + Vadman CS 294-2 Bomb 10/12/04 Fall 2004 Lecture 11 Grover s algorthm Recall that Grover s algorthm for searchng over a space of sze wors as follows: consder the
More informationOn a CCA2-secure variant of McEliece in the standard model
On a CCA2-secure varant of McElece n the standard model Edoardo Perschett Department of Mathematcs, Unversty of Auckland, New Zealand. e.perschett@math.auckland.ac.nz Abstract. We consder publc-key encrypton
More informationThe Second Anti-Mathima on Game Theory
The Second Ant-Mathma on Game Theory Ath. Kehagas December 1 2006 1 Introducton In ths note we wll examne the noton of game equlbrum for three types of games 1. 2-player 2-acton zero-sum games 2. 2-player
More informationPractical Attribute-Based Encryption: Traitor Tracing, Revocation, and Large Universe
Practcal Attrbute-Based Encrypton: Trator Tracng, Revocaton, and Large Unverse Zhen Lu 1 and Duncan S Wong 2 1 Cty Unversty of Hong Kong, Hong Kong SAR, Chna zhenlu7-c@myctyueduhk 2 Securty and Data Scences,
More informationStrongly Unforgeable Proxy Re-Signature Schemes in the Standard model
Strongly Unforgeable Proxy Re-Sgnature Schemes n the Standard model No Author Gven No Insttute Gven Abstract. Proxy re-sgnatures are generally used for the delegaton of sgnng rghts of a user delegator
More informationStructure and Drive Paul A. Jensen Copyright July 20, 2003
Structure and Drve Paul A. Jensen Copyrght July 20, 2003 A system s made up of several operatons wth flow passng between them. The structure of the system descrbes the flow paths from nputs to outputs.
More informationBasically, if you have a dummy dependent variable you will be estimating a probability.
ECON 497: Lecture Notes 13 Page 1 of 1 Metropoltan State Unversty ECON 497: Research and Forecastng Lecture Notes 13 Dummy Dependent Varable Technques Studenmund Chapter 13 Bascally, f you have a dummy
More informationLecture Notes 7: The Unruh Effect
Quantum Feld Theory for Leg Spnners 17/1/11 Lecture Notes 7: The Unruh Effect Lecturer: Prakash Panangaden Scrbe: Shane Mansfeld 1 Defnng the Vacuum Recall from the last lecture that choosng a complex
More informationSpectral Graph Theory and its Applications September 16, Lecture 5
Spectral Graph Theory and ts Applcatons September 16, 2004 Lecturer: Danel A. Spelman Lecture 5 5.1 Introducton In ths lecture, we wll prove the followng theorem: Theorem 5.1.1. Let G be a planar graph
More informationAmortizing Secure Computation with Penalties
Amortzng Secure Computaton wth Penaltes ABSTRACT Motvated by the mpossblty of achevng farness n secure computaton [Cleve, STOC 1986], recent works study a model of farness n whch an adversaral party that
More information