Improved Security Analyses for CBC MACs

 Matthew Hoover
 6 months ago
 Views:
Transcription
1 Improved Securty nalye for CC MC Mhr ellare 1, Krzyztof Petrzak 2, and Phllp Rogaway 3 1 Dept. of Computer Scence & Engneerng, Unverty of Calforna San Dego, 9500 Glman Drve, La Jolla, C 92093, US. Emal: URL: wwwce.ucd.edu/uer/mhr 2 Dept. of Computer Scence, ETH Zürch, CH8092 Zürch Swtzerland, Emal: 3 Dept. of Computer Scence, Unverty of Calforna, Dav, Calforna, 95616, US; and Dept. of Computer Scence, Faculty of Scence, Chang Ma Unverty, Chang Ma 50200, Thaland. Emal: URL: rogaway/ btract. We preent an mproved bound on the advantage of any qquery adverary at dtnguhng between the CC MC over a random nbt permutaton and a random functon outputtng n bt. The reult aume that no meage quered a prefx of any other, a the cae when all meage to be MCed have the ame length. We go on to gve an mproved analy of the encrypted CC MC, where there no retrcton on quered meage. Lettng m be the block length of the longet query, our bound are about mq 2 /2 n for the bac CC MC and m o(1) q 2 /2 n for the encrypted CC MC, mprovng pror bound of m 2 q 2 /2 n. The new bound tranlate nto mproved guarantee on the probablty of forgng thee MC. 1 Introducton Some defnton. The CC functon CC π aocated to a key π: {0, 1} n {0, 1} n take a nput a meage M = M 1 M m that a equence of nbt block and return the nbt trng C m computed by ettng C = π(c 1 M ) for each [1..m], where C 0 = 0 n. Conder three type of attack for an adverary gven an oracle: atk = eq mean all quere are exactly m block long; atk = pf mean they have at mot m block and no query a prefx of any another; atk = any mean the quere are arbtrary dtnct trng of at mot m block. Let dv atk CC(q, n, m) denote the maxmum advantage attanable by any qquery adverary, mountng an atk attack, n dtnguhng whether t oracle CC π n for a random permutaton π on n bt, or a random functon that output n bt. We am to upper bound th quantty a a functon of n, m, q. Pat work and our reult on CC. ellare, Klan and Rogaway [2] howed that dv eq CC (q, n, m) 2m2 q 2 /2 n. Maurer reduced the contant 2 to 1 and provded a ubtantally dfferent proof [13]. Petrank and Rackoff [15] howed that the ame bound hold (up to a contant) for dv pf CC (q, n, m). In th paper we how that dv pf CC (q, n, m) 20mq2 /2 n for m 2 n/3. (The reult
2 Contruct atk Prevou bound Our bound CC pf m 2 q 2 /2 n [2, 13, 15] mq 2 /2 n (12 + 8m 3 /2 n ) ECC any 2.5 m 2 q 2 /2 n [7] q 2 /2 n (d (m) + 4m 4 /2 n ) Fg. 1. ound on dv pf CC (q, n, m) and dvany ECC (q, n, m), aumng m 2n/2 1. actually a lttle tronger. See Fg. 1.) Th mple the ame bound hold for (q, n, m). dv eq CC Context and dcuon. When π = E(K, ), where K K a random key for blockcpher E: K {0, 1} n {0, 1} n, the functon CC π a popular meage authentcaton code (MC). umng E a good peudorandom permutaton (PRP), the domnant term n a bound on the probablty of forgery n an atktype choenmeage attack dv atk CC(q, n, m), where q the um of the number of MCgeneraton and MCverfcaton quere made by the adverary (cf. [1]). Thu the qualty of guarantee we get on the ecurty of the MC a functon of how good an upper bound we can prove on dv atk CC(q, n, m). It well known that the CC MC necure when the meage MCed have varyng length (pecfcally, t forgeable under an anyattack that ue jut one MCgeneraton and one MCverfcaton query, each of at mot two block) o the cae atk = any not of nteret for CC. The cae where all meage MCed have the ame length (atk = eq) the mot bac one, and where potve reult were frt obtaned [2]. The cae atk = pf nteretng becaue one way to get a ecure MC for varynglength nput to apply a prefxfree encodng to the data before MCng t. The mot common uch encodng to nclude n the frt block of each meage an encodng of t length. We emphaze that our reult are about CC π for a random permutaton π: {0, 1} n {0, 1} n, and not about CC ρ for a random functon ρ: {0, 1} n {0, 1} n. Snce our bound are better than the cot to convert between a random nbt functon and a random nbt permutaton ung the wtchng lemma [2], the dtncton gnfcant. Indeed for the prefxfree cae, applyng CC over a random functon on n bt known to admt an attack more effectve than that whch ruled out by our bound [6]. Encrypted CC. The ECC functon ECC π1,π 2 aocated to permutaton π 1, π 2 on n bt take a meage M that a multple of n bt and return π 2 (CC π1 (M)). Defne dv atk ECC(q, n, m) analogouly to the CC cae above (atk {any, eq, pf}). Petrank and Rackoff [15] howed that dv any ECC (q, n, m) 2.5 m 2 q 2 /2 n. better bound, dv eq ECC (q, n, m) q2 /2 n (1 + cm 2 /2 n + cm 6 /2 2n ) for ome contant c, poble for the atk = eq cae baed on a lemma of Dod et al. [9], but the pont of the ECC contructon to acheve anyecurty. We mprove on the reult of Petrank and Rackoff to how that dv any ECC (q, n, m) q2 /2 n (d (m) + 4m 4 /2 n ) where d (m) the maxmum,
3 over all m m, of the number of dvor of m. (Once agan ee Fg. 1.) Note that the functon d (m) m 1/ ln ln(m) grow lowly. The MC correpondng to ECC (namely ECC π1,π 2 when π 1 = E(K 1, ) and π 2 = E(K 2, ) for random key K 1, K 2 K of a blockcpher E: K {0, 1} n {0, 1} n ) wa developed by the RCE project [5]. Th MC nteretng a a natural and practcal varant of the CC MC that correctly handle meage of varyng length. varant of ECC called CMC wa recently adopted a a NISTrecommended mode of operaton [14]. wth the CC MC, our reult mply mproved guarantee on the forgery probablty of the ECC MC under a choenmeage attack, but th tme of type any rather than merely pf, and wth the mprovement beng numercally more ubtantal. More defnton. The collonprobablty CP atk n,m of the CC MC the maxmum, over all par of meage (M 1, M 2 ) n an approprate atkdependent range, of the probablty, over random π, that CC π (M 1 ) = CC π (M 2 ). For atk = any the range any par of dtnct trng of length a potve multple of n but at mot mn; for atk = pf t any uch par where nether trng a prefx of the other; and for atk = eq t any par of dtnct trng of exactly mn bt. The full collon probablty FCP atk n,m mlar except that the probablty of the event C m2 2 {C1, 1..., C m1 1, C2, 1..., C m2 1 2 } where, for each b {1, 2}, we have Cb = π(c 1 b Mb ) for m b = M b /n and [1..m b ] and Cb 0 = 0n. Note that thee defnton do not nvolve an adverary and n th ene are mpler than the advantage functon condered above. Reducton to FCP and CP. y vewng ECC a an ntance of the CarterWegman paradgm [18], one can reduce boundng dv atk ECC(q, n, m) (for atk {any, eq, pf}) to boundng CP atk n,m (ee [7], tated here a Lemma 3). Th mplfe the analy becaue one now faced wth a combnatoral problem rather than conderaton of a dynamc, adaptve adverary. The frt tep n our analy of the CC MC to provde an analogou reducton (Lemma 1) that reduce boundng dv pf CC (q, n, m) to boundng FCP pf n,m. Unlke the cae of ECC, the reducton not mmedate and doe not rely on the CarterWegman paradgm. Rather t proved drectly ung the gameplayng approach [4, 16]. ound on FCP and CP. lack and Rogaway [7] how that CP any n,m 2(m 2 + m)/2 n. Dod, Gennaro, Håtad, Krawczyk, and Rabn [9] how that CP eq n,m 2 n + cm 2 /2 2n + cm 3 /2 3n for ome abolute contant c. (The abovementoned bound on dv eq ECC (q, n, m) obtaned va th.) We buld on ther technque to how (cf. Lemma 4) that CP any n,m 2d (m)/2 n + 8m 4 /2 2n. Our bound on dv any ECC (q, n, m) then follow. We alo how that FCPpf n,m 8m/2 n +8m 4 /2 2n. Our bound on dv pf CC (q, n, m) then follow. We remark that the ecurty proof of RMC [11] had tated and ued a clam that mple CP any n,m 12m/2 n, but the publhed proof wa wrong. Our Lemma 4 both fxe and mprove that reult.
4 Further related work. Other approache to the analy of the CC MC and the encrypted CC MC nclude thoe of Maurer [13] and Vaudenay [17], but they only obtan bound of m 2 q 2 /2 n. 2 Defnton Notaton. The empty trng denoted ε. If x a trng then x denote t length. We let n = {0, 1} n. If x n then x n = x /n denote the number of nbt block n t. If X {0, 1} then X m denote the et of all nonempty trng formed by concatenatng m or fewer trng from X and X + denote the et of all trng formed by concatenatng one or more trng from X. If M n then M denote t th nbt block and M j denote the trng M M j, for 1 j M n. If S a et equpped wth ome probablty dtrbuton then $ S denote the operaton of pckng from S accordng to th dtrbuton. If no dtrbuton explctly pecfed, t undertood to be unform. We denote by Perm(n) the et of all permutaton over {0, 1} n, and by Func(n) the et of all functon mappng {0, 1} to {0, 1} n. (oth thee et are vewed a equpped wth the unform dtrbuton.) blockcpher E (wth blocklength n and keypace K) dentfed wth the et of permutaton {E K : K K} where E K : {0, 1} n {0, 1} n denote the map pecfed by key K K. The dtrbuton that nduced by a random choce of K from K, o f $ E the ame a K $ K, f E K. Securty. n adverary a randomzed algorthm that alway halt. Let atk q,n,m denote the cla of adverare that make at mot q oracle quere, where f atk = eq, then each query n n m ; f atk = pf, then each query n n m and no query a prefx of another; and f atk = any then each query n n m. We remark that the adverare condered here are computatonally unbounded. In th paper we alway conder determntc, tatele oracle and thu we wll aume that an adverary never repeat an oracle query. We alo aume that an adverary never ak a query outde of the mplctly undertood doman of nteret. Let F : D {0, 1} n be a et of functon and let atk q,n,m be an adverary, where atk {eq, pf, any}. y f 1 we denote the event that output 1 wth oracle f. The advantage of (n dtnguhng an ntance of F from a random functon outputtng n bt) and the advantage of F are defned, repectvely, a dv F () = Pr[f $ F : f 1] Pr[f $ Func(n) : f 1] and dv atk F (q, n, m) = max { dv F () }. atk q,n,m Note that nce eq q,n,m pf q,n,m any q,n,m, we have dv eq F (q, n, m) dvpf F (q, n, m) dvany F (q, n, m). (1)
5 Cbc and Ecbc. Fx n 1. For M n m and π: n n then defne CC M π [] nductvely for [0..m] va CC M π [0] = 0 n and CC M π [] = π(cc M π M ) for [1..m]. We aocate to π the CC MC functon CC π : n + n defned by CC π (M) = CC M π [m] where m = M n. We let CC = {CC π : π Perm(n)}. Th et of functon ha the dtrbuton nduced by pckng π unformly from Perm(n). To functon π 1, π 2 : n n we aocate the encrypted CC MC functon ECC π1,π 2 : n + n defned by ECC π1,π 2 (M) = π 2 (CC π1 (M)) for all M n +. We let ECC = {ECC π1,π 2 : π 1, π 2 Perm(n)}. Th et of functon ha the dtrbuton nduced by pckng π 1, π 2 ndependently and unformly at random from Perm(n). Collon. For M 1, M 2 n we defne the prefx predcate pf(m 1, M 2 ) to be true f ether M 1 a prefx of M 2 or M 2 a prefx of M 1, and fale otherwe. Note that pf(m, M) = true for any M n. Let M eq n,m = {(M 1, M 2 ) m n m n : M 1 M 2 }, M pf n,m = {(M 1, M 2 ) n m n m : pf(m 1, M 2 ) = fale}, and M any n,m = {(M 1, M 2 ) n m n m : M 1 M 2 }. For M 1, M 2 + n and atk {eq, pf, any} we then let CP n (M 1, M 2 ) = Pr[π $ Perm(n) : CC π (M 1 ) = CC π (M 2 )] CP atk n,m = max { CP n (M 1, M 2 ) }. (M 1,M 2) M atk n,m For M 1, M 2 n + we let FCP n (M 1, M 2 ) (the full collon probablty) be the probablty, over π $ Perm(n), that CC π (M 2 ) n the et {CC M1 π [1],..., CC M1 π [m 1 ], CC M2 π [1],..., CC M2 π [m 2 1]} where m b = M b n for b = 1, 2. For atk {eq, pf, any} we then let FCP atk n,m = max { FCP n (M 1, M 2 ) }. (M 1,M 2) M atk n,m 3 Reult on the CC MC We tate reult only for the atk = pf cae; reult for atk = eq follow due to (1). To bound dv pf CC (q, n, m) we mut conder a dynamc adverary that adaptvely quere t oracle. Our frt lemma reduce th problem to that of boundng a more tatc quantty whoe defnton doe not nvolve an adverary, namely the full collon probablty of the CC MC. The proof n Secton 5. Lemma 1. For any n, m, q, dv pf CC (q, n, m) q2 FCP pf n,m + 4mq2 2 n.
6 The next lemma bound the full collon probablty of the CC MC. The proof gven n Secton 8. Lemma 2. For any n, m wth m 2 2 n 2, FCP pf n,m 8m 2 n + 8m4 2 2n. Combnng the above two lemma we bound dv pf CC (q, n, m): Theorem 1. For any n, m, q wth m 2 2 n 2, ) dv pf mq2 CC (q, n, m) (12 2 n + 8m3 2 n. 4 Reult on the Encrypted CC MC Followng [7], we vew ECC a an ntance of the CarterWegman paradgm [18]. Th enable u to reduce the problem of boundng dv atk ECC(q, n, m) to boundng the collon probablty of the CC MC, a tated n the next lemma. proof of the followng provded n [3]. Lemma 3. For any n, m, q 1 and any atk {eq, pf, any}, ( dv atk q(q 1) ECC(q, n, m) CP atk n,m + 1 ) 2 2 n. Petrank and Rackoff [15] how that dv any ECC (q, n, m) 2.5 m2 q 2 /2 n. (2) Dod et al. [9] how that CP eq n,m 2 n + cm 2 2 2n + cm 6 2 3n for ome abolute contant c. Combnng th wth Lemma 3 lead to ) dv eq q2 ECC (q, n, m) (1 2 n + cm2 2 n + cm6 2 2n. However, the cae of atk = eq not nteretng here, nce the pont of ECC to gan ecurty even for atk = any. To obtan an mprovement for th, we how the followng, whoe proof n Secton 7: Lemma 4. For any n, m wth m 2 2 n 2, CP any n,m 2d (m) 2 n + 8m4 2 2n where d (m) the maxmum, over all m m, of the number of potve number that dvde m.
7 The functon d (m) grow lowly; n partcular, d (m) < m 0.7/ln ln(m) for all uffcently large m [10, Theorem 317]. We have verfed that d 1.07/ ln ln m (m) m for all m 2 64 (and we aume for all m), and alo that d (m) lg 2 m for all m Combnng the above wth Lemma 3 lead to the followng: Theorem 2. For any n, m, q wth m 2 2 n 2, ) dv any q2 ECC (q, n, m) (d 2 n (m) + 4m4 2 n. 5 oundng FCP ound CC (Proof of Lemma 1) The proof by the gameplayng technque [2, 4]. Let be an adverary that ak exactly q quere, M 1,..., M q n m, where no quere M r and M, for r, hare a prefx n n +. We mut how that dv CC () q 2 FCP pf n,m +4mq 2 /2 n. Refer to game D0 D7 a defned n Fg. 2. Set Dom(π) and Ran(π) tart off a empty and automatcally grow a pont are added to the doman and range of the partal functon π. Set Dom(π) and Ran(π) are the complement of thee et relatve to {0, 1} n. They automatcally hrnk a pont jon the doman and range of π. We wrte boolean value a 0 (fale) and 1 (true), and we ometme wrte then a a colon. The flag bad ntalzed to 0 and the map π ntalzed a everywhere undefned. We now brefly explan the equence. D1: Game D1 fathfully mulate the CC MC contructon. Intead of choong a random permutaton π up front, we fll n t value aneeded, o a to not to create a conflct. Oberve that f bad = 0 followng lne then Ĉm = C m and o game D1 alway return C m, regardle of bad. Th make clear that Pr[ D1 1] = Pr[π $ Perm(n) : CCπ 1]. D0: Game D0 obtaned from game D1 by omttng lne 110 and the tatement that mmedately follow the ettng of bad at lne 107 and 108. Thu th game return the random nbt trng C m = Ĉm n repone to each query M, o Pr[ D0 1] = Pr[ρ $ Func(n) : ρ 1]. Now game D1 and D0 have been defned o a to be yntactcally dentcal except on tatement that mmedately follow the ettng of bad to true or the checkng f bad true, o the fundamental lemma of gameplayng [4] ay u that Pr[ D1 1] Pr[ D0 1] Pr[ D0 et bad ]. dv CC () = Pr[ CCπ 1] Pr[ ρ 1] = Pr[ D1 1] Pr[ D0 1], the ret of the proof bound dv CC () by boundng Pr[ D0 et bad ]. D0 D2: We rewrte game D0 a game D2 by droppng the varable Ĉm and ung varable C m n t place, a thee are alway equal. We have that Pr[ D0 et bad ] = Pr[ D2 et bad ]. D2 D3: Next we elmnate lne 209 and then, to compenate, we et bad any tme the value X m or C m would have been acceed. Th account for the new lne 303 and the new djunct on lne 310. To compenate for the removal of lne 209 we mut alo et bad whenever C, choen at lne 204, happen to be a pror value Cr mr. Th done at lne 306. We have that Pr[ D2 et bad ] Pr[ D3 et bad ]. D3 D4: Next we remove the
8 On the th query F (M ) 100 m M n, C 0 0 n Game D1 101 for 1 to m 1 do 102 X C 1 M 103 f X Dom(π) then C π(x) 104 ele π(x) C Ran(π) 105 X m C m 1 M m 106 Ĉm C m $ {0, 1} n Ran(π): bad 1, C m $ 107 f C m 108 f X m 109 π(x m Ran(π) Dom(π): bad 1, C m π(x m ) C m 110 f bad then return C m 111 return Ĉm On the th query F (M ) 300 m M n, C 0 0 n $ ) Game D3 301 for 1 to m 1 do 302 X C 1 M 303 f ( r < )(X = Xr mr ): bad f X Dom(π) then C π(x) 305 ele π(x) C Ran(π), 306 f ( r <)(C =Cr mr ): bad 1 C m 1 M m 307 X m 308 C m 309 f X m $ {0, 1} n 310 ( r <)(X m 311 then bad return C m Dom(π) C m =X mr r $ Ran(π) C m =Cr mr ) 500 for 1 to q do Game D5 501 C 0 0 n 502 for 1 to m 1 do 503 X C 1 M 504 f ( r < )(X = Xr mr ): bad f X Dom(π) then C π(x) 506 ele π(x) C C m 1 M m 507 X m 508 f ( r < ) (X m = X mr 509 X m $ Ran(π) Dom(π) r ) then bad π $ Perm(n) Game D7 701 C 0 1 C n 702 for 1 to m 1 do 703 X1 C 1 1 M 1, C1 π(x1) 704 for 1 to m 2 do 705 X2 C 1 2 M 2, C2 π(x2) 706 bad X m 2 2 {X1 1,..., X m 1 1, 707 X2 1,..., X m } On the th query F (M ) 200 m M n, C 0 0 n Game D2 201 for 1 to m 1 do 202 X C 1 M 203 f X Dom(π) then C π(x) 204 ele π(x) C Ran(π) C m 1 M m 205 X m 206 C m $ {0, 1} n Dom(π) C m 207 f X m 208 then bad π(x m ) C m 210 return C m On the th query F (M ) 400 m M n, C 0 0 n $ Ran(π) Game D4 401 for 1 to m 1 do 402 X C 1 M 403 f ( r <)(X = Xr mr ): bad f X Dom(π) then C π(x) 405 ele π(x) C Ran(π) 406 X m C m 1 M m 407 f X m Dom(π) 408 ( r <)(X m =Xr mr ) then bad C m $ {0, 1} n 410 return C m 600 π $ Perm(n) Game D6 601 for [1.. q] do 602 C 0 0 n 603 for 1 to m 1 do 604 X C 1 M 605 C π(x) 606 X m C m 1 M m 607 bad ( (r, ) (, m )) [Xr = X m $ ] Fg. 2. Game D0 D7 ued n the proof of Lemma 1.
9 tet ( r <)(C =C mr r tet for C m = C mr r ) at lne 306, the tet f C m Ran(π) at lne 309, and the at lne 310, boundng the probablty that bad get et due to any of thee three tet. To bound the probablty of bad gettng et at lne 306: total of at mot mq tme we elect at lne 305 a random ample C from a et of ze at leat 2 n mq 2 n 1. (We may aume that mq 2 n 1 nce the probablty bound gven by our lemma exceed 1 f mq > 2 n 1.) The chance that one of thee pont equal to any of the at mot q pont C mr r thu at mot 2mq 2 /2 n. To bound the probablty of bad gettng et by the C m Ran(π) tet at lne 309: ealy een to be at mot mq 2 /2 n. To bound the probablty of bad gettng et by the C m = Cr mr tet at lne 310: ealy een to be at mot q 2 /2 n. Overall then, Pr[ D3 et bad ] Pr[ D4 et bad ] + 4mq 2 /2 n. D4 D5: The value C m returned to the adverary n repone to a query n game D4 never referred to agan n the code and ha no nfluence on the game and the ettng of bad. ccordngly, we may thnk of thee value a beng choen upfront by the adverary who, correpondngly, make an optmal choce of meage quere M 1,..., M q o a to maxmze the probablty that bad get et n game D4. Quere M 1,..., M q n m are prefxfree (meanng that no two trng from th lt hare a prefx P n + ) and the trng have block length of m 1,..., m q, repectvely, where each m m. We fx uch an optmal vector of meage and meage length n pang to game D5, o that Pr[ D4 et bad ] Pr[D5 et bad ]. The adverary ha effectvely been elmnated at th pont. D5 D6: Next we potpone the evaluaton of bad and undo the lazy defnng of π to arrve at game D6. We have Pr[D5 et bad ] Pr[D6 et bad ]. D6 D7: Next we oberve that n game D6, ome par r, mut contrbute at leat an average amount to the probablty that bad get et. Namely, for any r, [1.. q] where r defne bad r, a (X m = X r for ome [1.. m r ]) (X m = X for ome [1.. m 1]) and note that bad et at lne 607 ff bad r, = 1 for ome r, and o there mut be an r uch that Pr[D6 et bad r, ] (1/q(q 1)) Pr[D6 et bad ]. Fxng uch an r, and renamng M 1 = M r, M 2 = M, m 1 = m r, and m 2 = m, we arrve at game D7 knowng that Pr[D6 et bad ] q 2 Pr[D7 et bad ]. (3) Now Pr[D7 et bad ] = FCP n (M 1, M 2 ) FCP pf n,m by the defnton of FCP and the fact that π a permutaton. Puttng all the above together we are done. 6 Graphaed Repreentaton of CC In th ecton we decrbe a graphbaed vew of CC computaton and provde ome lemma that wll then allow u to reduce the problem of upper boundng the collon probablte CP any n,m and FCP pf n,m to combnatoral countng problem. We fx for the ret of th ecton a blocklength n 1 and a par of dtnct meage M 1 = M1 1 M m1 1 n m1 and M 2 = M2 1 M m2 2 n m2 where m 1, m 2 1. We let l = max(m 1, m 2 ).
10 algorthm Perm2Graph(M 1, M 2, π) //M 1 m 1 n, M 2 m 2 n, π Perm(n) σ(0) 0 n, ν 0, E for b 1 to 2 do v 0 for 1 to m b do f w.t. (v, w) E and L((v, w)) = Mb then v w ele f w.t. π(σ(v) Mb) = σ(w) then E E {(v, w)}, L((v, w)) Mb, v w ele ν ν + 1, σ(ν) π(σ(v) Mb), E E {(v, ν)}, L((v, ν)) Mb, v ν return G ([0..ν], E, L) algorthm Graph2Prof(G) //G G(M 1, M 2), M 1 m 1 n, M 2 m 2 n Prof 1 Prof 2 Prof 3 ( ), V {0}, E for b 1 to 2 do for 1 to m b do f w V.t. Vb (G) = w then f b = 1 then p (w, ) ele p (w, m 1 + ) Prof 1 Prof 1 p f (V 1 b (G), w) E then Prof 2 Prof 2 p f Cycle G(V, E, V 1 b (G), w) = 0 then Prof 3 Prof 3 p V V {Vb (G)}, E E {(V 1 b (G), Vb (G))} return (Prof 1, Prof 2, Prof 3) algorthm Prof2Graph() // = (( 1, t 1),..., ( a, t a)) Prof 2(M 1, M 2) V {0}, E, c 1, v 1 0 v 2 0 ν 0 for b 1 to 2 do for 1 to m b do f = t c then v b c, c c + 1 ele ν ν + 1, v b ν E E {(v b 1, v b )}, L((v b 1, v b )) M b return G ([0..ν], E, L) Fg. 3. The frt algorthm above buld the tructure graph G M 1,M 2 π aocated to M 1, M 2 and a permutaton π Perm(n). The next aocate to G G(M 1, M 2) t type1, type2 and type3 collon profle. The lat algorthm contruct a graph from t type2 collon profle Prof 2(M 1, M 2). Structure graph. To M 1, M 2 and any π Perm(n) we aocate the tructure graph G M1,M2 π output by the procedure Perm2Graph (permutaton to graph) of Fg. 3. The tructure graph a drected graph (V, E) together wth an edgelabelng functon L: E {M1 1,..., M m1 1, M2 1,..., M m2 2 }, where V = [0..ν] for ome ν m 1 + m To get ome ene of what gong on here, let C M1,M2 π = {CC M1 π [] : 0 m 1 } {CC M2 π [] : 0 m 2 }. Note that due to collon the ze of the et Cπ M1,M2 could be trctly le than the maxmum poble ze of m 1 + m The tructure graph Gπ M1,M2 ha vertex et V = [0..η] where η = Cπ M1,M2. ocated to a vertex v V a label σ(v) Cπ M1,M2, wth σ(0) = 0 n. (Th label contructed by the code but not part of the fnal graph.) n edge from a to b wth label x ext n the tructure graph ff π(σ(a) x) = σ(b).
11 Let G(M 1, M 2 ) = {G M1,M2 π : π Perm(n)} denote the et of all tructure graph aocated to meage M 1, M 2. Th et ha the probablty dtrbuton nduced by pckng π at random from Perm(n). We aocate to G = (V, E, L) G(M 1, M 2 ) equence Vb 0,..., V m b b V that for b = 1, 2 are defned nductvely a follow: et Vb 0 = 0 and for [1..m b] let Vb 1 be the unque vertex w V uch that there an edge (Vb, w) E wth L(e) = Mb. Note that th defne the followng walk n G: 0 = V = V 0 2 M1 1 V1 1 M2 1 V2 1 M 2 1 V 2 1 V m1 1 M 2 2 V 2 2 V m2 1 2 M m1 1 V m1 1 and M m2 2 V m2 2. If G = G M1,M2 π then oberve that σ(vb ) = CCM1,M2 π [] for [0..m b ] and b = 1, 2, where σ( ) the vertexlabelng functon defned by Perm2Graph(π). We emphaze that Vb depend on G (and thu mplctly on M 1 and M 2 ), and f we want to make the dependence explct we wll wrte Vb (G). Collon. We ue the followng notaton for equence. If = ( 1,..., k ) a equence then = k; y ff y = for ome [1..k]; x = ( 1,..., k, x); and ( ) denote the empty equence. For G = (V, E) G, E E, V V and a, b V we defne Cycle G (V, E, a, b) = 1 f addng edge (a, b) to graph G = (V, E ) cloe a cycle of length at leat four wth drecton of edge on the cycle alternatng. Formally, Cycle G (V, E, a, b) = 1 ff there ext k 2 and vertce a = v 1, v 2,..., v 2k 1, v 2k = b V uch that (v 2 1, v 2 ) E for all [1..k], (v 2+1, v 2 ) E for all [1..k 1], and (b, a) E. To a graph G G we aocate equence Prof 1 (G), Prof 2 (G), Prof 3 (G) called, repectvely, the type1, type2 and type3 collon profle of G. They are returned by the algorthm Graph2Prof (graph to collon profle) of Fg. 3 that refer to the predcate Cycle G we have jut defned. We ay that G ha a typea (, t)collon (a {1, 2, 3}) f (, t) Prof a (G). Type3 collon are alo called accdent, and type1 collon that are not accdent are called nduced collon. We let col (G) = Prof (G) for = 1, 2, 3. Lemma 5. Let n 1, M 1 n m1, M 2 n m2, l = max(m 1, m 2 ). Let H G(M 1, M 2 ) be a tructure graph. Then Pr[G $ G(M 1, M 2 ) : G = H] 1 (2 n m m ) col3(h) 1 (2 n 2l) col3(h). The lemma buld on an unpublhed technque from [8, 9]. proof gven n [3]. For = 1, 2, 3 let Prof (M 1, M 2 ) = {Prof (G) : G G(M 1, M 2 )}. Note that f = ((w 1, t 1 ),..., (w a, t a )) Prof 2 (M 1, M 2 ) then 1 t 1 < < t a m 1 + m 2 and w < t for all [1..a]. lgorthm Prof2Graph (collon profle to graph) of Fg. 3 aocate to Prof 2 (M 1, M 2 ) a graph n a natural way. We leave the reader to verfy the followng: Lemma 6. Prof2Graph(Prof 2 (G)) = G for any G G(M 1, M 2 ).
12 Th mean that the type2 collon profle of a graph determne t unquely. Now for = 1, 2, 3 and an nteger a 0 we let G a (M 1, M 2 ) = {G G(M 1, M 2 ) : col (G) = a} and Prof a (M 1, M 2 ) = { Prof (M 1, M 2 ) : = a} Lemma 7. Let n 1, M 1 n m1, M 2 n m2, l = max(m 1, m 2 ), and aume l 2 2 n 2. Then Proof. y Lemma 5 Pr[G $ G(M 1, M 2 ) : col 3 (G) 2] 8l4 2 2n. Pr[G $ G(M 1, M 2 ) : col 3 (G) 2] l = Pr[G $ G(M 1, M 2 ) : G = H] a=2 H G3 a(m1,m2) l G3 a (M 1, M 2 ) (2 n 2l) a. a=2 Snce every type3 collon a type2 collon, G a 3 (M 1, M 2 ) G a 2 (M 1, M 2 ). y Propoton 6, G a 2 (M 1, M 2 ) = Prof a 2(M 1, M 2 ). Now Prof a 2(M 1, M 2 ) (l(l + 1)/2) a l 2a, o we have l a=2 G a 3 (M 1, M 2 ) (2 n 2l) a l a=2 l 2a (2 n 2l) a. Let x = l 2 /(2 n 2l), and oberve that the aumpton l 2 2 n 2 made n the lemma tatement mple that x 1/2. Thu the above l l 2 x a = x 2 x a x 2 x a 2x 2 2l 4 = (2 n 2l) 2 8l4 2 2n, a=2 a=0 a=0 where the lat nequalty ued the fact that l 2 n 2. Let P denote a predcate on graph. Then φ M1,M 2 [P ] wll denote the et of all G G3(M 1 1, M 2 ) uch that G atfe P. (That, t the et of tructure graph G havng exactly one type3 collon and atfyng the predcate.) For example, predcate P mght be V m1 1 ( ) = V m2 2 ( ) and n that cae φ M1,M 2 2 ] {G G 1 3(M 1, M 2 ) : V m1 1 (G) = V m2 2 (G)}. Note that f G ha exactly one accdent then Prof 2 (G) = Prof 3 (G), meanng the accdent wa both a type2 and a type3 collon. We wll ue th below. In th cae when we talk of an (, t)accdent, we mean a type2 (, t)collon. Fnally, let n G (v) denote the ndegree of a vertex v n a tructure graph G.
13 7 oundng CP any n,m (Proof of Lemma 4) In th ecton we prove Lemma 4, howng that CP any n,l 2d (l)/2 n + 8l 4 /2 2n for any n, l wth l 2 2 n 2, thereby provng Lemma 4. Lemma 8. Let n 1 and 1 m 1, m 2 l. Let M 1 n m1 dtnct meage and aume l 2 2 n 2. Then and M 2 m2 n be CP any n,l (M 1, M 2 ) 2 φ M 1,M 2 2 ] 2 n + 8l4 2 2n. Proof. Wth the probablty over G $ G(M 1, M 2 ), we have: CP n (M 1, M 2 ) = Pr [ V m1 2 ] = Pr [ V m1 2 col 3 (G) = 1 ] + Pr [ V m1 2 col 3 (G) 2 ] (4) φ M 1,M 2 2 ] 2 n + 8l4 2l 2 2n (5) 2 φ M 1,M 2 2 ] 2 n + 8l4. 22n (6) In (4) above we ued that Pr [ V m1 2 col 3 (G) = 0 ] = 0 a V m1 2 wth M 1 M 2 mple that there at leat one accdent. In (5) we frt ued Lemma 5, and then ued Lemma 7. In (6) we ued the fact that l 2 n 2, whch follow from the aumpton l 2 2 n 2. Next we bound the ze of the et that are above: Lemma 9. Let n, l 1 and 1 m 2 m 1 l. Let M 1 n m1 be dtnct meage. Then and M 2 m2 n φ M1,M 2 2 ] d (l). Puttng together Lemma 8 and 9 complete the proof of Lemma 4. Proof (Lemma 9). Let k 0 be the larget nteger uch that M 1, M 2 have a common uffx of k block. Note that V m1 2 ff V m1 k k 2. Thu, we may conder M 1 to be replaced by M 1 m1 k 1 and M 2 to be replaced by M 1 m2 k 2, wth m 1, m 2 correpondngly replaced by m 1 k, m 2 k repectvely. We now have dtnct meage M 1, M 2 of at mot l block each uch that ether m 2 = 0 or M m1 1 M m2 2. (Note that now m 2 could be 0, whch wa not true before our tranformaton.) Now conder three cae. The frt that m 2 1 and M 2 a prefx of M 1. Th cae covered by Lemma 10. (Note n th cae t mut be that m 1 > m 2 nce M 1, M 2 are dtnct and ther lat block are dfferent.) The econd cae that m 2 = 0 and covered by Lemma 11. (In th cae, m 1 1 nce M 1, M 2 are dtnct.) The thrd cae that m 2 1 and M 2 not a prefx of M 1. Th cae covered by Lemma 12.
14 Lemma 10. Let n 1 and 1 m 2 < m 1 l. Let M 1 n m1, M 2 n m2. ume M 2 a prefx of M 1 and M m1 1 M m2 2. Then φ M1,M 2 2 ] d (l). Proof. ecaue M 2 a prefx of M 1 we have that V m2 2 = V m2 1, and thu φ M1,M 2 2 ] = φ M1,M 2 1 = V m1 1 ]. We now bound the latter. Let G G3(M 1 1, M 2 ). Then V m1 1 (G) = V m2 1 (G) ff t m 2 uch that G ha a type2 (t, V m2 1 (G))collon. (Th alo a type3 (V m2 1 (G), t)collon nce G ha exactly one accdent.) To ee th note that nce there wa at mot one accdent, we have n G (V1 (G)) 1 for all [1..m 1 ] except one, namely the uch that V1 (G) wa ht by the accdent. nd t mut be that = m 2 nce V m2 1 (G) ha ngong edge labeled M m2 1 and M m1 1, and thee edge cannot be the ame a M m1 1 M m2 1. Let c 1 be the mallet nteger uch that V m2+c 1 (G) = V m2 1 (G). That, we have a cycle V m2 1 (G), V m2+1 1 (G),..., V m2+c 1 (G) = V m2 1 (G). Now, gven that there only one accdent and V m2 1 (G) = V m1 1 (G), t mut be that m 1 = m 2 +kc for ome nteger k 1. (That, tartng from V m2 1 (G), one travere the cycle k tme before reachng V m1 1 (G) = V m2 1 (G).) Th mean that c mut dvde m 1 m 2. ut φ M1,M 2 1 = V m1 1 ] at mot the number of poble value of c, nce th value unquely determne the graph. So φ M1,M 2 1 = V m1 1 ] d(m 1 m 2 ), where d() the number of potve nteger uch that dvde. ut d(m 1 m 2 ) d (l) by defnton of the latter. Lemma 11. Let n 1 and 1 m 1 l. Let M 1 n m1, let M 2 = ε and let m 2 = 0. Then φ M1,M 2 2 ] d (l). Proof. Ue an argument mlar to that of Lemma 10, notng that Vm 0 1 (G) = V1 0 (G) mple that n G (V1 0 (G)) 1. Lemma 12. Let n 1 and 1 m 2 m 1 l. Let M 1 n m1, M 2 m2 ume M 2 not a prefx of M 1 and M m1 1 M m2 2. Then φ M1,M 2 V m2 2 ] 1. n. 1 = Proof. Let p [0..m 2 1] be the larget nteger uch that M1 1 = M2 1 for all [1..p]. Then V1 = V2 for [1..p] and V p+1 1 V p+1 2. Now to have V m1 2 we need an accdent. Snce M m1 1 M m2 2 and there only one accdent, the only poblty that th a (V m1 1, m 1 + m 2 )collon. Thu, there only one way to draw the graph. 8 oundng FCP pf n,l (Proof of Lemma 2) In th ecton we how that FCP pf n,l 8l/2n + 8l 4 /2 2n for any n, l wth l 2 2 n 2, thereby provng Lemma 2. Recall that pf(m 1, M 2 ) = fale ff M 1 not a prefx of M 2 and M 2 not a prefx of M 1. The proof of the followng mlar to the proof of Lemma 8 and omtted.
15 ??? Fg. 4. Some hape where the M 1path (old lne) make a loop. In the frt three cae the M 1path pae only once through V p 1 (the dot), and we ee that we cannot draw the M 2path uch that V m 2 2 {V p+1 1,..., V m 1 1 } wthout a econd accdent n any of thoe cae. In the lat graph V m 2 2 {V p+1 1,..., V m 1 1 }, but there alo V p {V 0 1,..., V p 1 1, V p+1 1,..., V m 1 1 }. 1 Lemma 13. Let n 1 and 1 m 1, m 2 l. Let M 1 n m1, M 2 n m2 pf(m 1, M 2 ) = fale. ume l 2 2 n 2. Then FCP pf n,l (M 1, M 2 ) 2 φm1,m 2 2 {V1 1,..., V m1 1, V2 1,..., V m2 1 2 }] 2 n + 8l4 2 2n. Next we bound the ze of the et that are above: Lemma 14. Let n, l 1 and 1 m 1, m 2 l. Let M 1 n m1 pf(m 1, M 2 ) = fale. Then φm1,m 2 2 {V 1 1,..., V m1 1, V 1 2,..., V m2 1 2 }] 4l., M 2 m2 n wth wth Puttng together Lemma 13 and 14 complete the proof of Lemma 2. We denote by cpl(m 1, M 2 ) the number of block n the longet common blockprefx of M 1, M 2. That, cpl(m 1, M 2 ) the larget nteger p uch that M1 = M2 for all [1..p]. Defne the predcate NoLoop(G) to be true for tructure graph G G 1 2(M 1, M 2 ) ff V 0 1 (G),..., V m1 V 0 2 (G),..., V m2 1 (G) are all dtnct and alo 2 (G) are all dtnct. Let Loop be the negaton of NoLoop. Proof (Lemma 14). Let p = cpl(m 1, M 2 ). Snce pf(m 1, M 2 ) = fale, t mut be that p < m 1, m 2 and M p+1 1 M p+1 2. Note then that V1 = V2 for all [0..p] but V p+1 1 V p+1 2. Now we break up the et n whch we are ntereted a φ M1,M 2 2 {V1 1,..., V m1 1, V2 1,..., V m2 1 2 }] = φ M1,M 2 2 {V2 1,..., V m2 1 2 }] φ M1,M 2 2 {V p+1 1,..., V m1 1 }]. Lemma 15 mple that φ M1,M 2 2 {V2 1,..., V m2 1 2 }] m 2 and Lemma 17 ay that φ M1,M 2 2 {V p+1 1,..., V m1 1 } NoLoop] m 1. It reman to bound φ M1,M 2 2 {V p+1 1,..., V m1 1 } Loop]. We ue a cae analy, whch llutrated n Fg. 4. The condton Loop mean that ether the M 1  or the M 2 path (or both) mut make a loop. If the M 1 path make a loop then we can only draw the M 2 path uch that V m2 2 {V p+1 1,..., V m1 1 } f the loop goe twce through V p 1. The ame argument work f only the M 2path make a loop. Thu φ M1,M 2 2 {V p+1 1,..., V m1 1 } Loop] S 1 S 2
16 Fg. 5. n example for the proof of Lemma 15 wth m 1 = 5 and M 1 = for dtnct, {0, 1} n. Here we have N 5 = 5 µ 1(M1 5 ) + 1 = 5 µ 1() + 1 = = 3 and N 4 = µ 1(M1 5 ) µ 1(M1 4 5 ) = µ 1() µ 1( ) = 3 2 = 1 and N 3 = µ 1(M1 4 5 ) µ 1(M1 3 5 ) = µ 1( ) µ 1( ) = 2 1 = 1 and N 2 = N 1 = 0. The frt three graph how the N 5 cae, the fourth and the ffth graph how the ngle cae for N 4 and N 3. where S 1 = φ M1,M 2 [V p 1 {V 1 0,..., V p 1 1, V p+1 1,..., V m1 1 }] S 2 = φ M1,M 2 [V p 2 {V 2 0,..., V p 1 2, V p+1 2,..., V m2 2 }]. Lemma 16 ay that S 1 m 1 and S 2 m 2. Puttng everythng together, the lemma follow a 2(m 1 + m 2 ) 4l. Lemma 15. Let n, m 1, m 2 1. Let M 1 m1 n fale. Then for b {1, 2}, φm1,m 2 [V m b b V 0 b, V 1, M 2 m2 n wth pf(m 1, M 2 ) = b,..., V m b 1 }] = mb Proof. We prove the clam for b = 1 and then brefly dcu how to extend the proof to b = 2. If V m1 1 {V1 0,..., V m1 1 1 } then there mut be a (V1, j) accdent for ome [0..m 1 1] and j [ + 1..m 1 ] and then nduced collon n tep j + 1 to m 1. Thu V j+k 1 = V1 +k for all k [0..m 1 j]. For j [1..m 1 ] let N j be the number of tructure graph G G2(M 1 1, M 2 ) uch that V m1 1 (G) {V1 0 (G),..., V m1 1 1 (G)} and there a (V1 (G), j)accdent for ome [0..j 1]. Then φ M1,M 2 1 {V1 0,..., V m1 1 1 }] m 1 = N j. Let µ 1 (S) denote the number of blockalgned occurrence of the ubtrng S n M 1. (For example, µ 1 ( ) = 2 f M 1 = for ome dtnct, {0, 1} n.) It poble to have a (V1, m 1 )accdent for any [0..m 1 1] for whch M1 M m1 1 (cf. Fg. 5) and thu N m1 = m 1 µ 1 (M m1 1 ) + 1. It poble to have a (V1, m 1 1)accdent and alo have V m1 1 {V1 0,..., V m1 1 1 } for any [0..m 1 2] for whch M1 M m1 1 1 and M1 +1 = M m1 1 and thu b j=1
17 D D D D Fg. 6. n example for the proof of Lemma 16 wth m 1 = 5, M 1 = D and r = 1, where,, D {0, 1} n are dtnct. (The large dot V1 r = V1 1.) Here we have N r = m r = µ 2(M1 1 ) = N 1 = m 1 1 µ 2(M1 1 ) = 5 1 µ 2() = = 3. Thoe cae correpond to the frt three graph n the fgure. The fourth graph correpond to N r 1 = N 0 = µ 2( M1 1 r ) = µ 2( ) = 1. N m1 1 = µ 1 (M m1 1 ) µ 1 (M m1 1 m1 1 ). In general for j [1..m 1 1] we have N j = µ 1 (M j+1 m1 1 ) µ 1 (M j m1 1 ). Ung cancellaton of term n the um we have m 1 j=1 N j = m µ 1 (M 1 m1 1 ) = m 1 whch prove the lemma for the cae b = 1. For b = 2 we note that we can effectvely gnore the part of the graph related to M nce t mut be a traght lne, and thu the above countng apple agan wth the (V1, j)accdent now beng a (V2, m 1 + j)accdent and M 1, m 1 replaced by M 2, m 2 repectvely. Next we have a generalzaton of Lemma 15. Lemma 16. Let n, m 1, m 2 1. Let M 1 n m1 fale. Then for b {1, 2} and any r [0..m b ], φ M1,M 2 [V r b {V 0 b,..., V r 1 b, V r+1 b, M 2 m2 n wth pf(m 1, M 2 ) =,..., V m b b }] m b. Proof. We prove t for the cae b = 1. (The cae b = 2 analogou.) y Lemma 15 we have φ M1,M 2 [V1 r {V1 0,..., V1 r 1 }) = r. It reman to how that φm1,m 2 [V1 r {V1 r+1,..., V m1 1 } V1 r {V1 0,..., V1 r }] m1 r. We may aume that V1 V j 1 for all 0 < j r 1, a otherwe we have already ued up our accdent and there no way to get V1 r {V1 r+1,..., V m1 1 } any more. If Vr {V1 r+1,..., V m1 1 } then there a (V j 1, )accdent for ome 0 j r <. For j [0..r] let N j be the number of tructure graph G G2(M 1 1, M 2 ) uch that V1 r (G) {V1 r+1 (G),..., V m1 1 (G)}, V1 r (G) {V1 0 (G),..., V1 r (G)} and there a (V j 1, )accdent for ome [r + 1..m 1]. Then φm1,m 2 [V1 r {V1 r+1,..., V m1 1 } V1 r {V1 0,..., V1 r }] r = N j. j=0
18 Let µ 2 (S) be the number of blockalgned occurrence of the ubtrng S n M r+1 m1 1, and adopt the conventon that µ 2 (M1 0 ) = 0. Snce we can only have an (V1 r, j)accdent when M j 1 M 1 r we have N r = m r µ 2 (M1 r ). For > r, a (V1 r, )accdent poble and wll reult n V1 r {V1 r+1,..., V m1 1 } only f M1 +1 = X M r for ome X M1 r 1. Now wth beng a wldcard tandng for an arbtrary block we have N r 1 = µ 2 ( M1 r ) µ 2 (M1 r 1 r ). In general, for j [1..r 1] we have N j = µ 2 ( M j+1 r 1 ) µ 2 (M j r 1 ) and N 0 = µ 2 ( M1 1 r ). Now, a µ 2 ( S) µ 2 (S) for any S, we get r N j m 1 r. j=0 The proof of the followng n [3]. Lemma 17. Let n, m 1, m 2 1. Let M 1 n m1 fale. Let p = cpl(m 1, M 2 ). Then φ M1,M 2 2 {V p+1 1,..., V m1 cknowledgment, M 2 m2 n wth pf(m 1, M 2 ) = 1 } NoLoop] m 1. art Preneel wa the frt we heard to ak, back n 1994, f the m 2 term can be mproved n the CC MC bound of m 2 q 2 /2 n. ellare wa upported by NSF grant NR and CCR , and by an IM Faculty Partnerhp Development ward. Petrzak wa upported by the Sw Natonal Scence Foundaton, project No /1. Rogaway carred out mot of th work whle hoted by the Department of Computer Scence, Faculty of Scence, Chang Ma Unverty, Thaland. He currently hoted by the School of Informaton Technology, Mae Fah Luang Unverty, Thaland. He upported by NSF grant CCR and a gft from Intel Corp. Reference 1. M. ellare, O. Goldrech, and. Mtyagn. The power of verfcaton quere n meage authentcaton and authentcated encrypton. Cryptology eprnt rchve: Report 2004/ M. ellare, J. Klan, and P. Rogaway. The ecurty of the cpher block channg meage authentcaton code. Journal of Computer and Sytem Scence (JCSS), vol. 61, no. 3, pp , Earler veron n Crypto M. ellare, K. Petrzak, and P. Rogaway. Improved ecurty analye for CC MC. Full veron of th paper. valable va author web page. 4. M. ellare and P. Rogaway. The gameplayng technque. Cryptology eprnt rchve: Report 2004/ erendchot,. den oer, J. oly,. oelaer, J. randt, D. Chaum, I. Damgård, M. Dchtl, W. Fumy, M. van der Ham, C. Janen, P. Landrock,. Preneel, G. Roelofen, P. de Rooj, and J. Vandewalle. Fnal Report of Race Integrty Prmtve. Lecture Note n Computer Scence, vol. 1007, SprngerVerlag, 1995
19 6. R. erke. On the ecurty of terated MC. Dploma The, ETH Zürch, ugut J. lack and P. Rogaway. CC MC for arbtrarylength meage: the threekey contructon. dvance n Cryptology CRYPTO 00, Lecture Note n Computer Scence Vol. 1880, M. ellare ed., SprngerVerlag, Y. Dod. Peronal communcaton to K. Petrzak Y. Dod, R. Gennaro, J. Håtad, H. Krawczyk, and T. Rabn. Randomne extracton and key dervaton ung the CC, Cacade, and HMC mode. dvance n Cryptology CRYPTO 04, Lecture Note n Computer Scence Vol. 3152, M. Frankln ed., SprngerVerlag, G. Hardy and E. Wrght. n Introducton to the Theory of Number. Oxford Unverty Pre, E. Jaulme,. Joux, and F. Valette. On the ecurty of randomzed CCMC beyond the brthday paradox lmt: a new contructon. Fat Software Encrypton 02, Lecture Note n Computer Scence Vol. 2365, J. Daemen, V. Rjmen ed., SprngerVerlag, J. Klan and P. Rogaway. How to protect DES agant exhautve key earch (an analy of DESX). Journal of Cryptology, vol. 14, no. 1, pp , Earler veron n Crypto U. Maurer. Indtnguhablty of random ytem. dvance n Cryptology EUROCRYPT 02, Lecture Note n Computer Scence Vol. 2332, L. Knuden ed., SprngerVerlag, Natonal Inttute of Standard and Technology, U.S. Department of Commerce, M Dworkn, author. Recommendaton for block cpher mode of operaton: the CMC mode for authentcaton. NIST Specal Publcaton , May E. Petrank and C. Rackoff. CC MC for realtme data ource. Journal of Cryptology, vol. 13, no. 3, pp , V. Shoup. Sequence of game: a tool for tamng complexty n ecurty proof. Cryptology eprnt report 2004/332, S. Vaudenay. Decorrelaton over nfnte doman: the encrypted CCMC cae. Communcaton n Informaton and Sytem (CIS), vol. 1, pp , M. Wegman and L. Carter. New clae and applcaton of hah functon. Sympoum on Foundaton of Computer Scence (FOCS), pp , 1979.
Specification  Assumptions of the Simple Classical Linear Regression Model (CLRM) 1. Introduction
ECONOMICS 35*  NOTE ECON 35*  NOTE Specfcaton  Aumpton of the Smple Clacal Lnear Regreon Model (CLRM). Introducton CLRM tand for the Clacal Lnear Regreon Model. The CLRM alo known a the tandard lnear
More informationAdditional File 1  Detailed explanation of the expression level CPD
Addtonal Fle  Detaled explanaton of the expreon level CPD A mentoned n the man text, the man CPD for the uterng model cont of two ndvdual factor: P( level gen P( level gen P ( level gen 2 (.).. CPD factor
More informationTwo Approaches to Proving. Goldbach s Conjecture
Two Approache to Provng Goldbach Conecture By Bernard Farley Adved By Charle Parry May 3 rd 5 A Bref Introducton to Goldbach Conecture In 74 Goldbach made h mot famou contrbuton n mathematc wth the conecture
More informationPythagorean triples. Leen Noordzij.
Pythagorean trple. Leen Noordz Dr.l.noordz@leennoordz.nl www.leennoordz.me Content A Roadmap for generatng Pythagorean Trple.... Pythagorean Trple.... 3 Dcuon Concluon.... 5 A Roadmap for generatng Pythagorean
More informationProvable Security Signatures
Provable Securty Sgnatures UCL  LouvanlaNeuve Wednesday, July 10th, 2002 LIENSCNRS Ecole normale supéreure Summary Introducton Sgnature FD PSS Forkng Lemma Generc Model Concluson Provable Securty 
More informationProblem Set 9 Solutions
Desgn and Analyss of Algorthms May 4, 2015 Massachusetts Insttute of Technology 6.046J/18.410J Profs. Erk Demane, Srn Devadas, and Nancy Lynch Problem Set 9 Solutons Problem Set 9 Solutons Ths problem
More informationIntroduction to Interfacial Segregation. Xiaozhe Zhang 10/02/2015
Introducton to Interfacal Segregaton Xaozhe Zhang 10/02/2015 Interfacal egregaton Segregaton n materal refer to the enrchment of a materal conttuent at a free urface or an nternal nterface of a materal.
More informationStatistical Properties of the OLS Coefficient Estimators. 1. Introduction
ECOOMICS 35*  OTE 4 ECO 35*  OTE 4 Stattcal Properte of the OLS Coeffcent Etmator Introducton We derved n ote the OLS (Ordnary Leat Square etmator ˆβ j (j, of the regreon coeffcent βj (j, n the mple
More informationTeam. Outline. Statistics and Art: Sampling, Response Error, Mixed Models, Missing Data, and Inference
Team Stattc and Art: Samplng, Repone Error, Mxed Model, Mng Data, and nference Ed Stanek Unverty of Maachuett Amhert, USA 9/5/8 9/5/8 Outlne. Example: Doerepone Model n Toxcology. ow to Predct Realzed
More informationLearning Theory: Lecture Notes
Learnng Theory: Lecture Notes Lecturer: Kamalka Chaudhur Scrbe: Qush Wang October 27, 2012 1 The Agnostc PAC Model Recall that one of the constrants of the PAC model s that the data dstrbuton has to be
More information1 The Mistake Bound Model
5850: Advanced Algorthms CMU, Sprng 07 Lecture #: Onlne Learnng and Multplcatve Weghts February 7, 07 Lecturer: Anupam Gupta Scrbe: Bryan Lee,Albert Gu, Eugene Cho he Mstake Bound Model Suppose there
More informationModule 5. Cables and Arches. Version 2 CE IIT, Kharagpur
odule 5 Cable and Arche Veron CE IIT, Kharagpur Leon 33 Twonged Arch Veron CE IIT, Kharagpur Intructonal Objectve: After readng th chapter the tudent wll be able to 1. Compute horzontal reacton n twohnged
More informationarxiv: v1 [math.co] 1 Mar 2014
Unonntersectng set systems Gyula O.H. Katona and Dánel T. Nagy March 4, 014 arxv:1403.0088v1 [math.co] 1 Mar 014 Abstract Three ntersecton theorems are proved. Frst, we determne the sze of the largest
More informationNUMERICAL DIFFERENTIATION
NUMERICAL DIFFERENTIATION 1 Introducton Dfferentaton s a method to compute the rate at whch a dependent output y changes wth respect to the change n the ndependent nput x. Ths rate of change s called the
More informationSupplement to Clustering with Statistical Error Control
Supplement to Clusterng wth Statstcal Error Control Mchael Vogt Unversty of Bonn Matthas Schmd Unversty of Bonn In ths supplement, we provde the proofs that are omtted n the paper. In partcular, we derve
More informationLecture 10 Support Vector Machines II
Lecture 10 Support Vector Machnes II 22 February 2016 Taylor B. Arnold Yale Statstcs STAT 365/665 1/28 Notes: Problem 3 s posted and due ths upcomng Frday There was an early bug n the faketest data; fxed
More informationn ). This is tight for all admissible values of t, k and n. k t + + n t
MAXIMIZING THE NUMBER OF NONNEGATIVE SUBSETS NOGA ALON, HAROUT AYDINIAN, AND HAO HUANG Abstract. Gven a set of n real numbers, f the sum of elements of every subset of sze larger than k s negatve, what
More informationThe Second AntiMathima on Game Theory
The Second AntMathma on Game Theory Ath. Kehagas December 1 2006 1 Introducton In ths note we wll examne the noton of game equlbrum for three types of games 1. 2player 2acton zerosum games 2. 2player
More informationOneKey Compression Function Based MAC with Security beyond Birthday Bound
OneKey Compresson Functon Based MAC wth Securty beyond Brthday Bound Avjt Dutta, Mrdul Nand, Goutam Paul Indan Statstcal Insttute, Kolkata 700 108, Inda. avrocks.dutta13@gmal.com, mrdul.nand@gmal.com,
More informationA A NonConstructible Equilibrium 1
A A NonContructbe Equbrum 1 The eampe depct a eparabe contet wth three payer and one prze of common vaue 1 (o v ( ) =1 c ( )). I contruct an equbrum (C, G, G) of the contet, n whch payer 1 betrepone
More informationSpectral Properties of the Grounded Laplacian Matrix with Applications to Consensus in the Presence of Stubborn Agents
Spectral Properte of the Grounded Laplacan Matrx wth Applcaton to Conenu n the Preence of Stubborn Agent Mohammad Pran and Shreya Sundaram Abtract We tudy lnear conenu and opnon dynamc n network that contan
More informationA Novel Approach for Testing Stability of 1D Recursive Digital Filters Based on Lagrange Multipliers
Amercan Journal of Appled Scence 5 (5: 49495, 8 ISSN 546939 8 Scence Publcaton A Novel Approach for Tetng Stablty of D Recurve Dgtal Flter Baed on Lagrange ultpler KRSanth, NGangatharan and Ponnavakko
More informationMA 323 Geometric Modelling Course Notes: Day 13 Bezier Curves & Bernstein Polynomials
MA 323 Geometrc Modellng Course Notes: Day 13 Bezer Curves & Bernsten Polynomals Davd L. Fnn Over the past few days, we have looked at de Casteljau s algorthm for generatng a polynomal curve, and we have
More informationTHE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens
THE CHINESE REMAINDER THEOREM KEITH CONRAD We should thank the Chnese for ther wonderful remander theorem. Glenn Stevens 1. Introducton The Chnese remander theorem says we can unquely solve any par of
More informationP exp(tx) = 1 + t 2k M 2k. k N
1. Subgaussan tals Defnton. Say that a random varable X has a subgaussan dstrbuton wth scale factor σ< f P exp(tx) exp(σ 2 t 2 /2) for all real t. For example, f X s dstrbuted N(,σ 2 ) then t s subgaussan.
More informationAntivan der Waerden numbers of 3term arithmetic progressions.
Antvan der Waerden numbers of 3term arthmetc progressons. Zhanar Berkkyzy, Alex Schulte, and Mchael Young Aprl 24, 2016 Abstract The antvan der Waerden number, denoted by aw([n], k), s the smallest
More informationE Tail Inequalities. E.1 Markov s Inequality. NonLecture E: Tail Inequalities
Algorthms NonLecture E: Tal Inequaltes If you hold a cat by the tal you learn thngs you cannot learn any other way. Mar Twan E Tal Inequaltes The smple recursve structure of sp lsts made t relatvely easy
More informationModule 3 LOSSY IMAGE COMPRESSION SYSTEMS. Version 2 ECE IIT, Kharagpur
Module 3 LOSSY IMAGE COMPRESSION SYSTEMS Verson ECE IIT, Kharagpur Lesson 6 Theory of Quantzaton Verson ECE IIT, Kharagpur Instructonal Objectves At the end of ths lesson, the students should be able to:
More informationPolynomials. 1 More properties of polynomials
Polynomals 1 More propertes of polynomals Recall that, for R a commutatve rng wth unty (as wth all rngs n ths course unless otherwse noted), we defne R[x] to be the set of expressons n =0 a x, where a
More informationMessage modification, neutral bits and boomerangs
Message modfcaton, neutral bts and boomerangs From whch round should we start countng n SHA? Antone Joux DGA and Unversty of Versalles StQuentnenYvelnes France Jont work wth Thomas Peyrn 1 Dfferental
More information6.842 Randomness and Computation February 18, Lecture 4
6.842 Randomness and Computaton February 18, 2014 Lecture 4 Lecturer: Rontt Rubnfeld Scrbe: Amartya Shankha Bswas Topcs 2Pont Samplng Interactve Proofs Publc cons vs Prvate cons 1 Two Pont Samplng 1.1
More informationAffine transformations and convexity
Affne transformatons and convexty The purpose of ths document s to prove some basc propertes of affne transformatons nvolvng convex sets. Here are a few onlne references for background nformaton: http://math.ucr.edu/
More information20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The first idea is connectedness.
20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The frst dea s connectedness. Essentally, we want to say that a space cannot be decomposed
More informationGeometric drawings of K n with few crossings
Geometrc drawngs of K n wth few crossngs Bernardo M. Ábrego, Slva FernándezMerchant Calforna State Unversty Northrdge {bernardo.abrego,slva.fernandez}@csun.edu ver 9 Abstract We gve a new upper bound
More informationIntroduction to Vapor/Liquid Equilibrium, part 2. Raoult s Law:
CE304, Sprng 2004 Lecture 4 Introducton to Vapor/Lqud Equlbrum, part 2 Raoult s Law: The smplest model that allows us do VLE calculatons s obtaned when we assume that the vapor phase s an deal gas, and
More informationECE559VV Project Report
ECE559VV Project Report (Supplementary Notes Loc Xuan Bu I. MAX SUMRATE SCHEDULING: THE UPLINK CASE We have seen (n the presentaton that, for downlnk (broadcast channels, the strategy maxmzng the sumrate
More informationMarkov Chain Monte Carlo Lecture 6
where (x 1,..., x N ) X N, N s called the populaton sze, f(x) f (x) for at least one {1, 2,..., N}, and those dfferent from f(x) are called the tral dstrbutons n terms of mportance samplng. Dfferent ways
More informationLecture 2: GramSchmidt Vectors and the LLL Algorithm
NYU, Fall 2016 Lattces Mn Course Lecture 2: GramSchmdt Vectors and the LLL Algorthm Lecturer: Noah StephensDavdowtz 2.1 The Shortest Vector Problem In our last lecture, we consdered short solutons to
More informationinto a discrete time function. Recall that the table of Laplace/ztransforms is constructed by (i) selecting to get
Lecture 25 Introduction to Some Matlab c2d Code in Relation to Sampled Sytem here are many way to convert a continuou time function, { h( t) ; t [0, )} into a dicrete time function { h ( k) ; k {0,,, }}
More informationPHYS 705: Classical Mechanics. Canonical Transformation II
1 PHYS 705: Classcal Mechancs Canoncal Transformaton II Example: Harmonc Oscllator f ( x) x m 0 x U( x) x mx x LT U m Defne or L p p mx x x m mx x H px L px p m p x m m H p 1 x m p m 1 m H x p m x m m
More informationMATH 5707 HOMEWORK 4 SOLUTIONS 2. 2 i 2p i E(X i ) + E(Xi 2 ) ä i=1. i=1
MATH 5707 HOMEWORK 4 SOLUTIONS CİHAN BAHRAN 1. Let v 1,..., v n R m, all lengths v are not larger than 1. Let p 1,..., p n [0, 1] be arbtrary and set w = p 1 v 1 + + p n v n. Then there exst ε 1,..., ε
More informationA New Upper Bound on 2D Online Bin Packing
50 A New Upper Bound 2.5545 on 2D Onlne Bn Packng XIN HAN, Dalan Unverty of Technology FRANCIS Y. L. CHIN and HINGFUNG TING, The Unverty of Hong Kong GUOCHUAN ZHANG, Zhejang Unverty YONG ZHANG, The Unverty
More informationCopyright 2017 by Taylor Enterprises, Inc., All Rights Reserved. Adjusted Control Limits for U Charts. Dr. Wayne A. Taylor
Taylor Enterprses, Inc. Adjusted Control Lmts for U Charts Copyrght 207 by Taylor Enterprses, Inc., All Rghts Reserved. Adjusted Control Lmts for U Charts Dr. Wayne A. Taylor Abstract: U charts are used
More informationAnalytical Chemistry Calibration Curve Handout
I. Quckand Drty Excel Tutoral Analytcal Chemstry Calbraton Curve Handout For those of you wth lttle experence wth Excel, I ve provded some key technques that should help you use the program both for problem
More informationPHYS 100 Worked Examples Week 05: Newton s 2 nd Law
PHYS 00 Worked Eaple Week 05: ewton nd Law Poor Man Acceleroeter A drver hang an ar frehener fro ther rearvew rror wth a trng. When acceleratng onto the hghwa, the drver notce that the ar frehener ake
More informationMin Cut, Fast Cut, Polynomial Identities
Randomzed Algorthms, Summer 016 Mn Cut, Fast Cut, Polynomal Identtes Instructor: Thomas Kesselhem and Kurt Mehlhorn 1 Mn Cuts n Graphs Lecture (5 pages) Throughout ths secton, G = (V, E) s a multgraph.
More information1 Definition of Rademacher Complexity
COS 511: Theoretcal Machne Learnng Lecturer: Rob Schapre Lecture #9 Scrbe: Josh Chen March 5, 2013 We ve spent the past few classes provng bounds on the generalzaton error of PAClearnng algorths for the
More informationSynchronization Protocols. Task Allocation BinPacking Heuristics: FirstFit Subtasks assigned in arbitrary order To allocate a new subtask T i,j
EndtoEnd Schedulng Framework 1. Tak allocaton: bnd tak to proceor 2. Synchronzaton protocol: enforce precedence contrant 3. Subdeadlne agnment 4. Schedulablty analy Tak Allocaton BnPackng eurtc: FrtFt
More informationBOUNDARY ELEMENT METHODS FOR VIBRATION PROBLEMS. Ashok D. Belegundu Professor of Mechanical Engineering Penn State University
BOUNDARY ELEMENT METHODS FOR VIBRATION PROBLEMS by Aho D. Belegundu Profeor of Mechancal Engneerng Penn State Unverty ahobelegundu@yahoo.com ASEE Fello, Summer 3 Colleague at NASA Goddard: Danel S. Kaufman
More informationSelfcomplementing permutations of kuniform hypergraphs
Dscrete Mathematcs Theoretcal Computer Scence DMTCS vol. 11:1, 2009, 117 124 Selfcomplementng permutatons of kunform hypergraphs Artur Szymańsk A. Paweł Wojda Faculty of Appled Mathematcs, AGH Unversty
More information12. The HamiltonJacobi Equation Michael Fowler
1. The HamltonJacob Equaton Mchael Fowler Back to Confguraton Space We ve establshed that the acton, regarded as a functon of ts coordnate endponts and tme, satsfes ( ) ( ) S q, t / t+ H qpt,, = 0, and
More informationThe optimal delay of the second test is therefore approximately 210 hours earlier than =2.
THE IEC 61508 FORMULAS 223 The optmal delay of the second test s therefore approxmately 210 hours earler than =2. 8.4 The IEC 61508 Formulas IEC 615086 provdes approxmaton formulas for the PF for smple
More informationAttacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction
Attacks on RSA The Rabn Cryptosystem Semantc Securty of RSA Cryptology, Tuesday, February 27th, 2007 Nls Andersen Square Roots modulo n Complexty Theoretc Reducton Factorng Algorthms Pollard s p 1 Pollard
More informationThe GamePlaying Technique
The GamePlaying Technique M. Bellare P. Rogaway December 11, 2004 (Draft 0.4) Abtract In the gameplaying technique, one write a peudocode game uch that an adverary advantage in attacking ome cryptographic
More informationStatistical Mechanics and Combinatorics : Lecture III
Statstcal Mechancs and Combnatorcs : Lecture III Dmer Model Dmer defntons Defnton A dmer coverng (perfect matchng) of a fnte graph s a set of edges whch covers every vertex exactly once, e every vertex
More informationWeek 2. This week, we covered operations on sets and cardinality.
Week 2 Ths week, we covered operatons on sets and cardnalty. Defnton 0.1 (Correspondence). A correspondence between two sets A and B s a set S contaned n A B = {(a, b) a A, b B}. A correspondence from
More informationMETHOD OF NETWORK RELIABILITY ANALYSIS BASED ON ACCURACY CHARACTERISTICS
METHOD OF NETWOK ELIABILITY ANALYI BAED ON ACCUACY CHAACTEITIC ławomr Łapńsk hd tudent Faculty of Geodesy and Cartography Warsaw Unversty of Technology ABTACT Measurements of structures must be precse
More informationEME : extending EME to handle arbitrarylength messages with associated data
EME : extending EME to handle arbitrarylength meage with aociated data (Preliminary Report) Shai Halevi May 27, 2004 Abtract Thi work decribe a mode of operation, EME, that turn a regular block cipher
More informationSpeeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem
H.K. Pathak et. al. / (IJCSE) Internatonal Journal on Computer Scence and Engneerng Speedng up Computaton of Scalar Multplcaton n Ellptc Curve Cryptosystem H. K. Pathak Manju Sangh S.o.S n Computer scence
More informationModulo Magic Labeling in Digraphs
Gen. Math. Notes, Vol. 7, No., August, 03, pp. 5 ISSN 9784; Copyrght ICSRS Publcaton, 03 www.csrs.org Avalable free onlne at http://www.geman.n Modulo Magc Labelng n Dgraphs L. Shobana and J. Baskar
More informationAmusing Properties of Odd Numbers Derived From Valuated Binary Tree
IOSR Journal of Mathematcs (IOSRJM) eiss: 78578, piss: 19765X. Volume 1, Issue 6 Ver. V (ov.  Dec.016), PP 557 www.osrjournals.org Amusng Propertes of Odd umbers Derved From Valuated Bnary Tree
More informationBit Juggling. Representing Information. representations.  Some other bits.  Representing information using bits  Number. Chapter
Representng Informaton 1 1 1 1 Bt Jugglng  Representng nformaton usng bts  Number representatons  Some other bts Chapter 3.13.3 REMINDER: Problem Set #1 s now posted and s due next Wednesday L3 Encodng
More informationCOS 521: Advanced Algorithms Game Theory and Linear Programming
COS 521: Advanced Algorthms Game Theory and Lnear Programmng Moses Charkar February 27, 2013 In these notes, we ntroduce some basc concepts n game theory and lnear programmng (LP). We show a connecton
More informationFACTORIZATION IN KRULL MONOIDS WITH INFINITE CLASS GROUP
C O L L O Q U I U M M A T H E M A T I C U M VOL. 80 1999 NO. 1 FACTORIZATION IN KRULL MONOIDS WITH INFINITE CLASS GROUP BY FLORIAN K A I N R A T H (GRAZ) Abstract. Let H be a Krull monod wth nfnte class
More informationCase A. P k = Ni ( 2L i k 1 ) + (# big cells) 10d 2 P k.
THE CELLULAR METHOD In ths lecture, we ntroduce the cellular method as an approach to ncdence geometry theorems lke the SzemerédTrotter theorem. The method was ntroduced n the paper Combnatoral complexty
More informationExercises of Chapter 2
Exercses of Chapter ChuangCheh Ln Department of Computer Scence and Informaton Engneerng, Natonal Chung Cheng Unversty, MngHsung, Chay 61, Tawan. Exercse.6. Suppose that we ndependently roll two standard
More informationConditional Hardness for Approximate Coloring
Condtonal Hardness for Approxmate Colorng Irt Dnur Elchanan Mossel Oded Regev November 3, 2005 Abstract We study the APPROXIMATECOLORING(q, Q) problem: Gven a graph G, decde whether χ(g) q or χ(g) Q (where
More informationYong Joon Ryang. 1. Introduction Consider the multicommodity transportation problem with convex quadratic cost function. 1 2 (x x0 ) T Q(x x 0 )
KangweonKyungk Math. Jour. 4 1996), No. 1, pp. 7 16 AN ITERATIVE ROWACTION METHOD FOR MULTICOMMODITY TRANSPORTATION PROBLEMS Yong Joon Ryang Abstract. The optmzaton problems wth quadratc constrants often
More informationk(k 1)(k 2)(p 2) 6(p d.
BLOCKTRANSITIVE 3DESIGNS WITH AFFINE AUTOMORPHISM GROUP Greg Gamble Let X = (Z p d where p s an odd prme and d N, and let B X, B = k. Then t was shown by Praeger that the set B = {B g g AGL d (p} s the
More informationModule 1 : The equation of continuity. Lecture 1: Equation of Continuity
1 Module 1 : The equaton of contnuty Lecture 1: Equaton of Contnuty 2 Advanced Heat and Mass Transfer: Modules 1. THE EQUATION OF CONTINUITY : Lectures 16 () () () (v) (v) Overall Mass Balance Momentum
More informationDISCRIMINANTS AND RAMIFIED PRIMES. 1. Introduction A prime number p is said to be ramified in a number field K if the prime ideal factorization
DISCRIMINANTS AND RAMIFIED PRIMES KEITH CONRAD 1. Introducton A prme number p s sad to be ramfed n a number feld K f the prme deal factorzaton (1.1) (p) = po K = p e 1 1 peg g has some e greater than 1.
More informationCopyright 2017 by Taylor Enterprises, Inc., All Rights Reserved. Adjusted Control Limits for P Charts. Dr. Wayne A. Taylor
Taylor Enterprses, Inc. Control Lmts for P Charts Copyrght 2017 by Taylor Enterprses, Inc., All Rghts Reserved. Control Lmts for P Charts Dr. Wayne A. Taylor Abstract: P charts are used for count data
More informationA PROCEDURE FOR SIMULATING THE NONLINEAR CONDUCTION HEAT TRANSFER IN A BODY WITH TEMPERATURE DEPENDENT THERMAL CONDUCTIVITY.
Proceedngs of the th Brazlan Congress of Thermal Scences and Engneerng  ENCIT 006 Braz. Soc. of Mechancal Scences and Engneerng  ABCM, Curtba, Brazl, Dec. 58, 006 A PROCEDURE FOR SIMULATING THE NONLINEAR
More informationj=0 s t t+1 + q t are vectors of length equal to the number of assets (c t+1 ) q t +1 + d i t+1 (1) (c t+1 ) R t+1 1= E t β u0 (c t+1 ) R u 0 (c t )
1 Aet Prce: overvew Euler equaton CCAPM equty premum puzzle and rk free rate puzzle Law of One Prce / No Arbtrage HanenJagannathan bound reoluton of equty premum puzzle Euler equaton agent problem X
More informationRecover plaintext attack to block ciphers
Recover plantext attac to bloc cphers L AnPng Bejng 100085, P.R.Chna apl0001@sna.com Abstract In ths paper, we wll present an estmaton for the upperbound of the amount of 16bytes plantexts for Englsh
More informationSimulation and Random Number Generation
Smulaton and Random Number Generaton Summary Dscrete Tme vs Dscrete Event Smulaton Random number generaton Generatng a random sequence Generatng random varates from a Unform dstrbuton Testng the qualty
More informationImproving the Round Complexity of VSS in PointtoPoint Networks
Improvng the Round Complexty of VSS n PonttoPont Networks Jonathan Katz ChuYuen Koo Rant Kumaresan Abstract We revst the followng queston: what s the optmal round complexty of verfable secret sharng
More information6.854J / J Advanced Algorithms Fall 2008
MIT OpenCourseWare http://ocw.mt.edu 6.854J / 18.415J Advanced Algorthms Fall 2008 For nformaton about ctng these materals or our Terms of Use, vst: http://ocw.mt.edu/terms. 18.415/6.854 Advanced Algorthms
More informationSingular Value Decomposition: Theory and Applications
Sngular Value Decomposton: Theory and Applcatons Danel Khashab Sprng 2015 Last Update: March 2, 2015 1 Introducton A = UDV where columns of U and V are orthonormal and matrx D s dagonal wth postve real
More informationCHAPTER 4. Vector Spaces
man 2007/2/16 page 234 CHAPTER 4 Vector Spaces To crtcze mathematcs for ts abstracton s to mss the pont entrel. Abstracton s what makes mathematcs work. Ian Stewart The man am of ths tet s to stud lnear
More informationWeek3, Chapter 4. Position and Displacement. Motion in Two Dimensions. Instantaneous Velocity. Average Velocity
Week3, Chapter 4 Moton n Two Dmensons Lecture Quz A partcle confned to moton along the x axs moves wth constant acceleraton from x =.0 m to x = 8.0 m durng a 1s tme nterval. The velocty of the partcle
More informationColor Rendering Uncertainty
Australan Journal of Basc and Appled Scences 4(10): 46014608 010 ISSN 19918178 Color Renderng Uncertanty 1 A.el Bally M.M. ElGanany 3 A. Alamel 1 Physcs Department Photometry department NIS Abstract:
More informationPh 219a/CS 219a. Exercises Due: Wednesday 23 October 2013
1 Ph 219a/CS 219a Exercses Due: Wednesday 23 October 2013 1.1 How far apart are two quantum states? Consder two quantum states descrbed by densty operators ρ and ρ n an Ndmensonal Hlbert space, and consder
More informationLecture 10: Euler s Equations for Multivariable
Lecture 0: Euler s Equatons for Multvarable Problems Let s say we re tryng to mnmze an ntegral of the form: {,,,,,, ; } J f y y y y y y d We can start by wrtng each of the y s as we dd before: y (, ) (
More information2. SINGLE VS. MULTI POLARIZATION SAR DATA
. SINGLE VS. MULTI POLARIZATION SAR DATA.1 Scatterng Coeffcent v. Scatterng Matrx In the prevou chapter of th document, we dealt wth the decrpton and the characterzaton of electromagnetc wave. A t wa hown,
More informationarxiv: v6 [math.nt] 23 Aug 2016
A NOTE ON ODD PERFECT NUMBERS JOSE ARNALDO B. DRIS AND FLORIAN LUCA arxv:03.437v6 [math.nt] 23 Aug 206 Abstract. In ths note, we show that f N s an odd perfect number and q α s some prme power exactly
More informationLecture 9: Shor s Algorithm
Quantum Computation (CMU 8859BB, Fall 05) Lecture 9: Shor Algorithm October 7, 05 Lecturer: Ryan O Donnell Scribe: Sidhanth Mohanty Overview Let u recall the period finding problem that wa et up a a function
More informationNew modular multiplication and division algorithms based on continued fraction expansion
New modular multplcaton and dvson algorthms based on contnued fracton expanson Mourad Goucem a a UPMC Unv Pars 06 and CNRS UMR 7606, LIP6 4 place Jusseu, F75252, Pars cedex 05, France Abstract In ths
More informationREDUCTION MODULO p. We will prove the reduction modulo p theorem in the general form as given by exercise 4.12, p. 143, of [1].
REDUCTION MODULO p. IAN KIMING We wll prove the reducton modulo p theorem n the general form as gven by exercse 4.12, p. 143, of [1]. We consder an ellptc curve E defned over Q and gven by a Weerstraß
More informationG /G Advanced Cryptography 12/9/2009. Lecture 14
G22.3220001/G63.2180 Advanced Cryptography 12/9/2009 Lecturer: Yevgeny Dods Lecture 14 Scrbe: Arsteds Tentes In ths lecture we covered the Ideal/Real paradgm and the noton of UC securty. Moreover, we
More informationYou must not circulate this book in any other binding or cover and you must impose this same condition on any acquirer.
6 Interfacal thermodynamc: Gbb equaton Luuk K. Koopal Chapter 6, Interfacal thermodynamc: Gbb equaton n Interface Scence, Second edton, 008, Wagenngen Unverty, Wagenngen, The Netherland. Avalable va: http://www.reearchgate.net/profle/luuk_koopal
More informationError Probability for M Signals
Chapter 3 rror Probablty for M Sgnals In ths chapter we dscuss the error probablty n decdng whch of M sgnals was transmtted over an arbtrary channel. We assume the sgnals are represented by a set of orthonormal
More informationGames of Threats. Elon Kohlberg Abraham Neyman. Working Paper
Games of Threats Elon Kohlberg Abraham Neyman Workng Paper 18023 Games of Threats Elon Kohlberg Harvard Busness School Abraham Neyman The Hebrew Unversty of Jerusalem Workng Paper 18023 Copyrght 2017
More informationBayesian predictive Configural Frequency Analysis
Psychologcal Test and Assessment Modelng, Volume 54, 2012 (3), 285292 Bayesan predctve Confgural Frequency Analyss Eduardo GutérrezPeña 1 Abstract Confgural Frequency Analyss s a method for cellwse
More informationPrimitive Digraphs with the Largest Scrambling Index
Primitive Digraph with the Larget Scrambling Index Mahmud Akelbek, Steve Kirkl 1 Department of Mathematic Statitic, Univerity of Regina, Regina, Sakatchewan, Canada S4S 0A Abtract The crambling index of
More informationAPPLICATIONS OF RELIABILITY ANALYSIS TO POWER ELECTRONICS SYSTEMS
APPLICATIONS OF RELIABILITY ANALYSIS TO POWER ELECTRONICS SYSTEMS Chanan Sngh, Fellow IEEE Praad Enjet, Fellow IEEE Department o Electrcal Engneerng Texa A&M Unverty College Staton, Texa USA Joydeep Mtra,
More informationPulse Coded Modulation
Pulse Coded Modulaton PCM (Pulse Coded Modulaton) s a voce codng technque defned by the ITUT G.711 standard and t s used n dgtal telephony to encode the voce sgnal. The frst step n the analog to dgtal
More informationRetrieval Models: Language models
CS590I Informaton Retreval Retreval Models: Language models Luo S Department of Computer Scence Purdue Unversty Introducton to language model Ungram language model Document language model estmaton Maxmum
More informationElectrical double layer: revisit based on boundary conditions
Electrcal double layer: revst based on boundary condtons Jong U. Km Department of Electrcal and Computer Engneerng, Texas A&M Unversty College Staton, TX 77843318, USA Abstract The electrcal double layer
More informationChapter 8: Fast Convolution. Keshab K. Parhi
Cater 8: Fat Convoluton Keab K. Par Cater 8 Fat Convoluton Introducton CookToo Algort and Modfed CookToo Algort Wnograd Algort and Modfed Wnograd Algort Iterated Convoluton Cyclc Convoluton Degn of Fat
More information