One-Key Compression Function Based MAC with Security beyond Birthday Bound


Avijit Dutta, Mridul Nandi, Goutam Paul
Indian Statistical Institute, Kolkata, India.

Abstract. Gaži et al. [CRYPTO 2014] analyzed the NI-MAC construction proposed by An and Bellare [CRYPTO 1999] and gave a tight birthday bound of $O(lq^2/2^n)$, as an improvement over the previous bound of $O(l^2q^2/2^n)$. In this paper, we design a simple extension of NI-MAC, called NI$^+$-MAC, and prove that it has a security bound beyond birthday (BBB) of order $O(q^2l^2/2^{2n})$ provided $l \le 2^{n/4}$. Our construction not only lifts the security of NI-MAC beyond birthday, it also reduces the number of keys from 2 (NI uses 2 independent keys) to 1. Before this work, Yasuda had proposed [FSE 2008] a single fixed-keyed compression function based BBB-secure MAC with security bound $O(lq^2/2^{2n})$ that uses an extra mask and therefore requires storage space for the mask. However, our proposed construction NI$^+$ does not require any extra mask and thereby has a reduced state size compared to Yasuda's proposal [FSE 2008], while providing the same order of security bound for light-weight applications.

Keywords: Beyond Birthday, MAC, NI, Structure-Graph.

1 Introduction

In the symmetric key paradigm, a MAC (Message Authentication Code) is used for preserving message integrity and message origin authentication. The design of a MAC should not only consider achieving security, but also target attaining efficiency. In the literature, three different approaches to designing a MAC exist: (a) universal hash function based MAC, a popular example of which is UMAC [8]; (b) compression function based MAC, like NMAC [2], HMAC [2], NI [1] etc.; (c) block cipher based MAC, such as CBC MAC [4], PMAC [9], OMAC [17] etc. Most of the popular MACs are block cipher based MACs, but each one of them suffers from the same problem: security is guaranteed only up to the birthday bound.
When the block length of the underlying block cipher is 128 bits, the birthday bound does not seem to be a problem, as we are guaranteed 64 bits of security, which is well acceptable for many practical applications. But when we deal with a 64-bit block cipher (e.g. HIGHT [16], PRESENT [10]) as used in many light-weight crypto devices (e.g. RFID, smartcard), the birthday-bound problem becomes the main bottleneck.

NMAC and HMAC. NMAC and its variant HMAC [2] is the first re-keying compression function based MAC, where a key is appended to a message and then the appended message is hashed using the Merkle-Damgård technique. It has been standardized in [3] and has become popular and widely used in many network protocols like SSH, IPSec, TLS etc. Bellare et al. in [2] prove that NMAC is a secure PRF based on the assumptions (i) $f$ is a secure PRF and (ii) $\mathrm{Casc}^f$ is WCR (weakly collision resistant). HMAC, when instantiated with MD4 or SHA-1, plays the role of $\mathrm{Casc}^f$, and both have been found not to satisfy the WCR property [37, 38]; hence the security of HMAC [2] stands void. To restore the PRF security of NMAC, Bellare in [6] investigates the proof and drops assumption (ii). Koblitz and Menezes in [] criticize the way [6] discusses the practical implication of their result against uniform and non-uniform reductions used in the proof. Dodis et al. in [12] investigate the indifferentiability property of HMAC from a keyed random oracle. In a recent line of research, generic attacks against iterated hash based MACs are being investigated [31, 3, 30, 5]. More recently, Gaži et al. in [14] showed a tight bound on NMAC. There is also a recent result [15] on the generic security analysis of NMAC and HMAC with input whitening. Yasuda in [40] had proposed a novel way of iterating a compression function dedicated to the use of MAC which is more efficient than standard HMAC, processing data much faster. In [42] Yasuda showed that the classical sandwiched construction with Merkle-Damgård iteration based hashing provides a secure MAC which is an alternative to HMAC, useful in situations where the message size is small and high performance is required. A new secret-prefix MAC based on hash functions is presented in [45], which is similar to HMAC but does not require the second key. U. Maurer et al. in [27] presented a MAC construction, namely PDI, that transforms any Fixed-Input Length (FIL) MAC into an Arbitrary Input Length (AIL) MAC and investigated the tradeoff between the efficiency of the MAC and the tightness of its security reduction. In [28] a construction of an AIL MAC from a FIL MAC with a single key was presented which is better than NI [1].

Beyond Birthday Secure MAC. We discuss two types of MACs in this category: one is block cipher based and the other one is compression function based.

Block Cipher Based Beyond Birthday Secure MAC. Recently, many MAC constructions have been proposed with security beyond the birthday barrier without degrading the performance. The first attempt was made in ISO [3] without a security proof. But Algorithm 4 of ISO was attacked by Joux et al. [20], which falsified the security bound. Algorithm 6 of ISO was proven to be secure against $O(2^{2n/3})$ queries with restrictions on the message length [46]. In [46] Yasuda also presented SUM-ECBC, a 4-key rate-1/2 construction with beyond birthday bound security. In 2011, Yasuda improved the number of keys and the rate over SUM-ECBC and proposed a 3-key rate-1 PMAC_Plus construction [47] with beyond birthday security. In 2012, Zhang et al. [50] proposed a 3-key version of the f9 MAC (3kf9) that achieves BBB security. There is also another deterministic MAC mode that provides security beyond the birthday bound. Given an $n$-bit to $n$-bit fixed-key block cipher with MAC security $\epsilon$ against $q$ queries, Dodis et al. [13] have designed a variable-length MAC achieving $O(\epsilon q\,\mathrm{poly}(n))$ MAC security. However, this design requires even longer keys and more block cipher invocations. By the parity method, Bellare et al. present MACRX [3] with BBB security, conditioned on the input parameters being random and distinct. In [18], Jaulmes et al. proposed a randomized MAC that provides BBB security based on the ideal model (or possibly based on a tweakable block cipher). Another BBB secure randomized construction called generic enhanced hash-then-MAC has been proposed in [29] by Minematsu. In [24], the authors propose a tweakable block-cipher based two-key rate-2 BBB-secure MAC with security margin $O(q^2l^2/2^{2n})$. Recently Datta et al. in [11] unify PMAC_Plus and 3kf9 in the one-key setting with beyond birthday security.

Compression Function Based Beyond Birthday Secure MAC. Besides the block cipher based BBB MAC constructions, Yasuda in [41] proposed a compression function based MAC construction, Multi-lane HMAC, that achieves BBB security. In [44] Yasuda presented a double-pipe mode of operation (Lucks' construction [26]) for constructing an AIL MAC from a FIL MAC that achieves BBB security. This work is further extended to provide full security in [48]. In [43] Yasuda has proposed a fixed single-keyed compression function based cascaded MAC in which, for an $l$-block message, one needs to compute $l$ different masks, where the masks are generated from a single mask $\Delta_0$ using field multiplication. The security of the scheme has been proved to be $O(lq^2/2^{2n})$. Further improvement on [43] follows in [49].

Fixed-Key MAC. An et al. in [1] proposed a fixed-keyed compression function based MAC called NI-MAC.
The construction of NI-MAC is similar to that of NMAC [2]; the only difference is that NI-MAC uses two independent keyed compression functions $f_{K_1}, f_{K_2}$. The motivation for designing NI was to avoid constant re-keying on multi-block messages in NMAC and to allow for a security proof starting with the standard switch from a PRF to a random function, followed by an information-theoretic analysis. We mention here that the security proof technique for re-keying compression function based MACs is completely different from that of fixed-keyed compression function based MACs. The security of the former scheme is proved using a reduction argument, whereas that of the latter is proved by replacing the fixed-keyed compression function with a random function. Gaži et al. in [14] revisited the proof of NI-MAC and gave a tight birthday bound of $O(lq^2/2^n)$, a better bound than the earlier $O(l^2q^2/2^n)$.

Our Contributions. We have the following two main contributions.

(1) We propose a fixed-key compression function based MAC NI$^+$ with rate$^1$ $b/(b+n)$, which is an extension of the existing NI-MAC, that achieves beyond-birthday security with security bound $O(q^2l^2/2^{2n})$, where $b$ is the block length and $n$ is the number of output bits. Our proposed construction not only lifts the security of NI beyond birthday (Sect. 4), but also reduces the number of required keys from two (NI uses two independent keys) to one.

(2) Yasuda in [43] proposed a rate-1, one-pass mode BBB secure MAC with a beyond birthday security bound of $O(lq^2/2^{2n})$. The construction uses a keyed compression function $f_k$ from $b'$ bits to $n$ bits and a $b'$-bit mask $\Delta_0$, where one needs to store the mask value. Note that the assumption in the construction [43] is $b' \ge 2n$. Now, for processing a message of $l$ blocks, one needs to compute the masks $\Delta_1, \Delta_2, \ldots, \Delta_l$, which are computed from $\Delta_0$ using field multiplication. The state size of Yasuda's proposed construction is $2(b'+n)$, as one needs to store the $b'$-bit masking value and the $b'$-bit checksum value along with two $n$-bit partial outputs.$^2$ In this regard, our construction NI$^+$ is a rate-$b/(b+n)$ single-keyed compression function based MAC that uses a keyed compression function $f_k$ from $(b+n)$ bits to $n$ bits, where $b > n$. Our construction does not use any mask and therefore the state size of NI$^+$ is reduced to $(b+2n)$, as one needs to store the $b$-bit checksum value along with two $n$-bit partial outputs. However, to compare the state size of Yasuda's construction with our design, one needs to consider compression functions with the same input size in both schemes, i.e., one needs to replace the input size ($b'$) of the compression function used in the construction proposed in [43] by $b+n$, which gives a state size for Yasuda's scheme of $2(b+n) + 2n = 2(b+2n)$, twice our state size. Though reducing this state size to $2n$ bits was placed as an open problem in [43, Section 7], our construction has slightly improved the state size, albeit at the cost of an extra factor of $l$ in the security bound.
However, we note that this bound is comparable to that of [43] for light-weight applications, in which $l$ is usually small. In the following table we show the different parameters and the security bound of known stateless and deterministic BBB secure MACs. We write BC to denote a block cipher based MAC in which the underlying primitive is a block cipher; CF$_{rk}$ denotes a re-keying compression function based MAC in which the underlying primitive is a compression function (e.g. HMAC); CF$_{fk}$ denotes a fixed-keyed compression function based MAC (e.g. NI).

$^1$ Rate $= b/(rs)$, where $b$ is the size of a message block, $s$ is the total input size of the function without the key part and $r$ is the total number of function calls to process a single message block.
$^2$ In [43] the author has mistakenly stated the state size of the construction to be $b'+2n$ bits, without considering the state required for storing the $b'$-bit mask; thus the state size eventually becomes $2(b'+n)$.

| Construction              | Type      | # Keys | Rate      | Security Bound           | State size (# bits) |
|---------------------------|-----------|--------|-----------|--------------------------|---------------------|
| SUM-ECBC [46]             | BC        | 4      | 1/2       | $O(l^3q^3/2^{2n})$       | $2n$                |
| PMAC_Plus [47]            | BC        | 3      | 1         | $O(l^3q^3/2^{2n})$       | $4n$                |
| 3kf9 [50]                 | BC        | 3      | 1         | $O(l^3q^3/2^{2n})$       | $2n$                |
| 1kf9 [11]                 | BC        | 1      | 1         | $O(q^3l^4/2^{2n})$       | $2n$                |
| 1k_PMAC+ [11]             | BC        | 1      | 1         | $O(q^3l^4/2^{2n})$       | $4n$                |
| L-Lane (L = 2) HMAC [41]  | CF$_{rk}$ | 3      | 1/2       | $O(l^2q^2/2^{2n})$       | $2n$                |
| 1-pass mode [43]          | CF$_{fk}$ | 1      | 1         | $O(lq^2/2^{2n})$         | $(2b+4n)$           |
| NI$^+$ [This paper]       | CF$_{fk}$ | 1      | $b/(b+n)$ | $O(l^2q^2/2^{2n})$       | $(b+2n)$            |

2 Preliminaries

In this section, we briefly discuss the notations and definitions used in this paper. We also state some existing basic results. We denote by $|S|$ the cardinality of a set $S$. Let $x \xleftarrow{\$} S$ denote that $x$ is chosen uniformly at random from $S$. $[n]$ denotes the set of integers $\{1, 2, \ldots, n\}$. $(s)_n$ denotes the last $n$-bit substring of a $b$-bit string $s$. Let $M$ be a binary string over $\{0,1\}$. The length of $M$ in bits is denoted by $|M|$. When $|M| \bmod b \ne 0$, we pad $10^d$ to $M$ to make $|M| \bmod b = 0$, where $d = b - 1 - (|M| \bmod b)$ and $b$ denotes the block length of $M$. $M_1 \| M_2 \| \ldots \| M_l$ denotes the partition of the message $M$ after $M$ has been padded, where each $M_i \in \{0,1\}^b$ and $l$ denotes the number of blocks of $M$. $l$ also denotes the maximum number of blocks in a message. By a $q$-set or a $q$-tuple $x := (x_i : i \in I)$ for an index set $I$, we mean a set or a tuple of size $q$. When all elements $x_i$ are distinct we write $x \in \mathrm{dist}_q$.

Random Functions. Let $\mathrm{Func}(A, B)$ denote the set of all functions from $A$ to $B$. A random function $F$ is a function chosen from $\mathrm{Func}(A, B)$ following some distribution, not necessarily uniform. In particular, a function $\rho_n$ is said to be a uniform random function if $\rho_n$ is chosen uniformly at random from the set of all functions from a specified finite domain $D$ to $\{0,1\}^n$. Throughout the paper we fix a positive integer $n$. We will specify a uniform random function by performing lazy sampling. In lazy sampling, initially the function $\rho$ is undefined at every point of its domain. We maintain a set $\mathrm{Dom}(\rho)$ that grows dynamically to keep a record of the already defined domain points of $\rho$. $\mathrm{Dom}(\rho)$ is initialized to be empty. If $x \notin \mathrm{Dom}(\rho)$ then we choose $y \xleftarrow{\$} \{0,1\}^n$ and add $x$ to $\mathrm{Dom}(\rho)$.
In this regard, $x$ is said to be fresh. On the other hand, if $x \in \mathrm{Dom}(\rho)$ (i.e. $x = x'$ for some already defined point $x'$) then $y \leftarrow \rho(x')$. In this regard $x$ is said to be covered.

Security Definitions. We consider that an adversary $A$ is an oracle algorithm with access to its oracle $O(\cdot)$ that outputs either 1 or 0. Accordingly, we write $A^{O(\cdot)} = 1$ or $0$. The resources of $A$ are measured in terms of the time complexity $t$, which takes into account the time it takes to interact with its oracle $O(\cdot)$ and the time for its internal computations; the query complexity $q$, which takes into account the number of queries asked to the oracle by the adversary; and the data complexity $l$, which takes into account the maximum number of blocks in each query.

Pseudo-Random Function. We define the distinguishing advantage of an oracle algorithm $A$ for distinguishing two random functions $F$ and $G$ as $\mathrm{Adv}_A(F; G) := |\Pr[A^F = 1] - \Pr[A^G = 1]|$. We define the PRF-advantage of $A$ for an $n$-bit construction $F$ by $\mathrm{Adv}^{\mathrm{prf}}_F(A) := \mathrm{Adv}_A(F; \rho_n)$. We call $A$ a $(q, l, t)$-distinguisher if it makes at most $q$ queries with at most $l$ blocks in each query and runs in time at most $t$. We write $\mathrm{Adv}^{\mathrm{prf}}_F(q, l, t) = \max_A \mathrm{Adv}^{\mathrm{prf}}_F(A)$, where the maximum is taken over all $(q, l, t)$-distinguishers $A$. In an information-theoretic situation we also ignore the time parameter $t$. We call a keyed construction $F$ a $(q, l, \epsilon)$-PRF if $\mathrm{Adv}^{\mathrm{prf}}_F(q, l) \le \epsilon$. Informally, $F$ is called a secure PRF if $\epsilon$ is negligible.

Collision-Free and Cover-Free. Now we define some other information-theoretic security advantages (in which there is no adversary present). Let $H$ be a random function which outputs two $n$-bit blocks, denoted by $(\Sigma, \Theta) \in (\{0,1\}^n)^2$. For a $q$-tuple of distinct messages $M = (M_1, \ldots, M_q)$, we write $H(M_i) = (\Sigma_i, \Theta_i)$. For a $q$-tuple of pairs $(\Sigma_i, \Theta_i)$, we say that
1. A tuple $(\Sigma_i, \Theta_i)$ is collided if $\exists\, i, j \in [q]$ such that $\Sigma_i = \Sigma_j$ and $\Theta_i = \Theta_j$ for some $i \ne j$. Otherwise the tuple is said to be collision-free.
2. A tuple $(\Sigma_i, \Theta_i)$ is covered if $\exists\, i, j \in [q]$ such that $\Sigma_i = (M^j_\alpha)_n$ and $\Theta_i = Y^j_{\alpha-1}$, where $\alpha \in [l]$ or $\alpha \in [l']$ and $j$ could be equal to $i$; $M^j_\alpha$ denotes the $\alpha$-th block of the $j$-th message $M^j$ and $Y^j_{\alpha-1}$ is an $n$-bit binary string that denotes the output of the $(\alpha-1)$-th block corresponding to the $j$-th message $M^j$. Otherwise the tuple is said to be cover-free.

Definition 1. We define the $(q, l)$-collision advantage and the $(q, l)$-cover-free advantage as
$$\mathrm{Adv}^{\mathrm{coll}}_F(q, l) = \max_{M \in \mathrm{dist}_q} \Pr[(\Sigma_i, \Theta_i) \text{ is not collision-free}],$$
$$\mathrm{Adv}^{\mathrm{cf}}_F(q, l) = \max_{M \in \mathrm{dist}_q} \Pr[(\Sigma_i, \Theta_i) \text{ is not cover-free}].$$
Clearly, $\mathrm{Adv}^{\mathrm{coll}}_F(q, l) \le q^2\, \mathrm{Adv}^{\mathrm{coll}}_F(2, l)$. Similarly, $\mathrm{Adv}^{\mathrm{cf}}_F(q, l) \le q^2\, \mathrm{Adv}^{\mathrm{cf}}_F(2, l)$. So it is sufficient to concentrate on a pair of messages while bounding the collision-free or cover-free advantage. We say that a construction $F$ is $(q, l, \epsilon)$-xxx if $\mathrm{Adv}^{\mathrm{xxx}}_F(q, l) \le \epsilon$, where xxx denotes either collision-free or cover-free.

2.1 Structure Graphs

In this section, we briefly revisit the structure graph analysis [5, 14]. Consider a cascaded construction with a function $f$, where $f$ is a uniform random function, that works on a message $M = M_1 \| M_2 \| \ldots \| M_l$ of length $l$ blocks as follows: $Y_0 = 0$, and $Y_i = f(Y_{i-1}, M_i)$ for $i = 1, \ldots, l$, where $M_i$ is the $i$-th block of message $M$. Informally, for a set of any two fixed distinct messages $\mathcal{M} = \{M^1, M^2\}$ and a uniformly chosen random function $f$, we construct the structure graph $G^f(\mathcal{M})$ with $\{0,1\}^n$ as the set of nodes as follows. We follow the computations for $M^1$ followed by those of $M^2$, creating nodes labelled by the values $y_i$ of the intermediate chaining variables $Y_i$, with the edge $(y_i, y_{i+1})$ labelled by the block $M_{i+1}$. In this process, if we arrive at a vertex already labelled, while not following an existing edge, we call this event an $f$-collision.$^3$ The sequence of alternating vertices and edges corresponding to the computations for a message $M^j$ is called an $M^j$-walk or, more generally, a message walk, denoted by $W^j$. A more formal discussion of structure graphs appears in Appendix A. Let $\mathcal{G}(\mathcal{M})$ denote the set of all structure graphs corresponding to the set of messages $\mathcal{M}$ (by varying $f$ over a function family). For a fixed graph $G \in \mathcal{G}(\mathcal{M})$, let $\mathrm{fcoll}(G)$ denote the set of all $f$-collisions in $G$. We state the following results.

Proposition 1. [14, Lemma 2] For a fixed graph $G$, $\Pr_f[G^f(\mathcal{M}) = G] \le 2^{-n|\mathrm{fcoll}(G)|}$.

Proposition 2. $\Pr[G \xleftarrow{\$} \mathcal{G}(\mathcal{M}) : |\mathrm{fcoll}(G)| \ge 3] \le \dfrac{27 l^6}{2^{3n}}$, where $l$ is the total number of blocks of the messages in $\mathcal{M}$.

The proof of the Proposition can be found in Appendix B. It is to be noted that for the CBC-MAC analysis [5], $f(\alpha, \beta)$ is taken as $\pi(\alpha \oplus \beta)$, and for the NI-MAC analysis [14], $f(\alpha, \beta)$ is taken as $\rho(\alpha \| \beta)$, where $\pi$ is a random permutation over $n$ bits and $\rho$ is a random function from $b+n$ bits to $n$ bits, $b$ being the message block length and $n$ the length of the chaining variable as well as the tag.

3 Proposed Construction of NI$^+$ for Beyond-Birthday Secure MAC

We present the schematic diagram of NI$^+$ in Fig. 3.1 followed by the description in Algorithm 1.
Let $f_k : \{0,1\}^{b+n} \to \{0,1\}^n$ be a keyed function from $b+n$ bits to $n$ bits, where $b > n$; $b$ refers to the block length of a message block and $n$ refers to the output length in bits. Let $M \in \{0,1\}^{bl}$. So we can write $M = (M_1, M_2, \ldots, M_l)$ where each $M_i \in \{0,1\}^b$. We define a checksum block $CS = \bigoplus_{i=1}^{l} M_i$. We denote $\mathrm{Casc}^{f_k}(M) := f_k(\ldots(f_k(f_k(0, M_1), M_2), \ldots), M_l)$. The output of $\mathrm{Casc}^{f_k}(M)$ and the checksum block $CS$ are passed through the same function $f_k$, and the output is denoted by $\Sigma$. We obtain $\Theta$ by xoring all the intermediate chaining values (i.e. $\bigoplus_{i=1}^{l} Y_i \oplus \Sigma$). We concatenate a fixed $(b-n)$-bit string $c = 10^{b-n-1}$ with the $n$-bit string $\Sigma$ to match the input size of $f_k$, and then the entire concatenated $b$-bit string (i.e. $c \| \Sigma$) together with $\Theta$ is passed through $f_k$, which finally outputs the tag $T$. We sometimes denote $CS$ by $M_{l+1}$.

$^3$ We use the terms collision and accident interchangeably.

Fig. 3.1. Construction of NI$^+$ MAC. [Figure not reproduced in this transcription: the chain of $f_k$ calls over $M_1, \ldots, M_l$ and $CS$ producing $Y_1, \ldots, Y_l, \Sigma$; $\Theta$ is the xor of all chaining values and $T = f_k(c \| \Sigma, \Theta)$.]

Algorithm 1: Algorithm for NI$^+$ MAC
Input: $f_k$ with $k \xleftarrow{\$} K$, $M \in \{0,1\}^*$, $c \leftarrow 10^{b-n-1}$
Output: $T \in \{0,1\}^n$
    $M_1 \| M_2 \| \ldots \| M_l \leftarrow M \| 10^*$;   // $l$ is the number of message blocks in $M$
    $Z \leftarrow 0^n$; $Y \leftarrow 0^n$;
    for $i = 1$ to $l$ do
        $Y \leftarrow f_k(M_i, Y)$;
        $Z \leftarrow Z \oplus Y$;
    end
    $CS \leftarrow \bigoplus_{i=1}^{l} M_i$;
    $Y \leftarrow f_k(CS, Y)$;
    $Z \leftarrow Z \oplus Y$;
    $\Sigma \leftarrow Y$; $\Theta \leftarrow Z$;
    $T \leftarrow f_k(c \| \Sigma, \Theta)$;
    Return $T$;

Note that NI$^+$ is similar to NI up to $\mathrm{Casc}^{f_k}(M)$ except for the following differences. A schematic diagram of NI is given in Appendix C.
(a) In the NI construction, the $b$-bit encoding of $|M|$ and the last message block output $Y_l$ are passed through a different keyed compression function $f_{k_2}$. In NI$^+$, we substitute the $b$-bit length encoding by the checksum block $CS$. Moreover, $CS$ and $Y_l$ are passed through the same keyed compression function.
(b) NI is a two fixed-keyed compression function based MAC. NI$^+$ is a single fixed-keyed compression function based MAC.
(c) NI provides only birthday bound ($lq^2/2^n$) security. NI$^+$ provides beyond birthday bound security ($q^2l^2/2^{2n}$) when $l \le 2^{n/4}$.

Remark 1. We note that beyond birthday security is not achievable if we just keep the original structure of NI-MAC and output $\Sigma$ as the last block output (i.e. $\Sigma = f_K(|M|, Y_l)$) and $\Theta$ as the sum of all intermediate chaining variables (i.e. $\Theta = \bigoplus_{i=1}^{l} Y_i \oplus \Sigma$), as a birthday bound attack follows from Preneel and van Oorschot's attack [33].

4 Security Analysis of NI$^+$-MAC

Gaži et al. in [14] have shown that the advantage of NI-MAC is bounded above by $\frac{q^2}{2^n}\left(l + \frac{64 l^4}{2^n}\right)$. In this section we analyze the advantage of our construction NI$^+$-MAC and show that NI$^+$-MAC achieves beyond birthday bound security, better than that of NI-MAC. Thus we have the following theorem.

Theorem 1. Let $f : (\{0,1\}^k) \times \{0,1\}^b \times \{0,1\}^n \to \{0,1\}^n$ be an $(\epsilon, t, q)$-secure PRF. Then NI$^+$ is an $(\epsilon', t', q, l)$-secure PRF, where
$$\epsilon' \le \epsilon + \frac{q}{2^n} + \frac{2q^2}{2^{2n}} + \frac{2q^2 l^2}{2^{2n}} + \frac{2q^2 l^4}{2^{3n}} + \frac{54 q^2 l^6}{2^{3n}},$$
such that $t = t' + \tilde{O}(lq)$. Moreover, if $l \le 2^{n/4}$ then $\epsilon' \le \epsilon + \frac{q}{2^n} + O\!\left(\frac{q^2 l^2}{2^{2n}}\right)$.

Proof. Let $A$ be an adaptive PRF-adversary against NI$^+$ running in time $t$ and asking at most $q$ queries, each of length at most $l$ blocks. NI$^+$ uses a single keyed function $f$. Now if we replace $f$ by a uniformly distributed random function $r$ such that $r \xleftarrow{\$} \mathrm{Func}(\{0,1\}^b \times \{0,1\}^n, \{0,1\}^n)$ and call the resulting construction NI$^+_r$, then using the standard reduction from the information-theoretic setting to the complexity-theoretic setting we have $\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{NI}^+} \le \epsilon + \mathrm{Adv}^{\mathrm{prf}}_{\mathrm{NI}^+_r}$. Therefore, to prove Theorem 1 we only need to prove
$$\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{NI}^+_r} \le \frac{q}{2^n} + \frac{2q^2}{2^{2n}} + \frac{2q^2 l^2}{2^{2n}} + \frac{2q^2 l^4}{2^{3n}} + \frac{54 q^2 l^6}{2^{3n}}.$$
Consider the game shown in Algorithm 2, where the adversary $A$ queries the oracle $O$ with distinct messages $M^i$ and obtains the responses $T^i$. Note that Game $G_0$ truly simulates a uniform random function and $G_1$ simulates the actual construction NI$^+_r$. Therefore, using the fundamental lemma of the game-playing technique [7], we have the following:
$$\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{NI}^+_r} = |\Pr[A^{G_1} = 1] - \Pr[A^{G_0} = 1]| \le \Pr[A^{G_1} \text{ sets badsigma} \vee A^{G_1} \text{ sets bad}] \le \Pr[A^{G_1} \text{ sets badsigma}] + \Pr[A^{G_1} \text{ sets bad}]. \quad (1)$$
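Algorithm 1 of Sect. 3 written out as runnable Python, as an added example that is not code from the paper or its authors. The keyed compression function $f_k$ is instantiated, by assumption, as HMAC-SHA256 truncated to $n$ bits with $b = 256$ and $n = 128$; the paper treats $f_k$ as an abstract $(b+n)$-to-$n$-bit keyed function, so this choice only fixes something concrete to execute. The padding follows the unconditional $M \| 10^*$ of Algorithm 1 at byte granularity.

```python
"""NI+ MAC (Algorithm 1) as a reference implementation.

Added example, not the paper's code.  Assumptions:
  * b = 256 bits, n = 128 bits (the construction requires b > n).
  * f_k : {0,1}^(b+n) -> {0,1}^n is HMAC-SHA256(k, x || y) truncated to n bits.
    The paper treats f_k abstractly; this instantiation is only for running.
"""
import hashlib
import hmac
from typing import List, Tuple

B_BITS, N_BITS = 256, 128
B, N = B_BITS // 8, N_BITS // 8           # block and output sizes in bytes


def f_k(key: bytes, x: bytes, y: bytes) -> bytes:
    """Keyed compression function on a b-bit x and an n-bit y (assumed instantiation)."""
    assert len(x) == B and len(y) == N
    return hmac.new(key, x + y, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def pad_and_split(msg: bytes) -> List[bytes]:
    """M || 10* up to a multiple of b bits, then split into b-bit blocks M_1..M_l."""
    padded = msg + b"\x80"                       # the single 1 bit (byte granularity)
    padded += b"\x00" * ((-len(padded)) % B)     # zero bits up to the block boundary
    return [padded[i:i + B] for i in range(0, len(padded), B)]


def ni_plus_internal(key: bytes, msg: bytes) -> Tuple[bytes, bytes, bytes]:
    """Run Algorithm 1 and return (Sigma, Theta, T) so each step can be inspected."""
    blocks = pad_and_split(msg)
    y = bytes(N)                                 # Y <- 0^n
    z = bytes(N)                                 # Z <- 0^n, running xor of chaining values
    for m in blocks:                             # Y_i = f_k(M_i, Y_{i-1}); Z ^= Y_i
        y = f_k(key, m, y)
        z = xor(z, y)
    cs = bytes(B)
    for m in blocks:                             # checksum block CS = xor of all M_i
        cs = xor(cs, m)
    y = f_k(key, cs, y)                          # Sigma = f_k(CS, Y_l)
    z = xor(z, y)                                # Theta = Y_1 ^ ... ^ Y_l ^ Sigma
    sigma, theta = y, z
    c = b"\x80" + bytes(B - N - 1)               # c = 1 0^(b-n-1), a (b-n)-bit constant
    tag = f_k(key, c + sigma, theta)             # T = f_k(c || Sigma, Theta)
    return sigma, theta, tag


def ni_plus_mac(key: bytes, msg: bytes) -> bytes:
    return ni_plus_internal(key, msg)[2]


def ni_plus_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time comparison of the recomputed tag against the received one."""
    return hmac.compare_digest(ni_plus_mac(key, msg), tag)


if __name__ == "__main__":
    k = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed sample key
    t = ni_plus_mac(k, b"constructed sample message")
    print(len(t), ni_plus_verify(k, b"constructed sample message", t))
```

Note that the state carried between blocks is exactly what the paper counts: the $b$-bit checksum `cs` and the two $n$-bit values `y` and `z`, i.e. $b + 2n$ bits, with no mask.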

Algorithm 2: Game $G_0$ is without the boxed statement and $G_1$ is with the boxed statement.
 1: initialize: badsigma, bad $\leftarrow$ false;
 2: On the $j$-th query $M^j$:
 3:   $M^j_1 \| M^j_2 \| \ldots \| M^j_l \leftarrow \mathrm{Partition}(M^j \| 10^*)$, $Y^j_0 = 0$;
 4:   for $i = 1$ to $l$:
 5:     if $((M^j_i, Y^j_{i-1}) \in \mathrm{Dom}(f))$ $Y^j_i \leftarrow f(M^j_i, Y^j_{i-1})$;
 6:     else $Y^j_i \xleftarrow{\$} \{0,1\}^n$;
 7:          $f(M^j_i, Y^j_{i-1}) \leftarrow Y^j_i$;
 8:          $\mathrm{Dom}(f) \leftarrow \mathrm{Dom}(f) \cup \{(M^j_i, Y^j_{i-1})\}$;
 9:   if $((\bigoplus_{i=1}^{l} M^j_i, Y^j_l) \in \mathrm{Dom}(f))$ $Y^j_{l+1} \leftarrow f(\bigoplus_{i=1}^{l} M^j_i, Y^j_l)$;
10:   else $Y^j_{l+1} \xleftarrow{\$} \{0,1\}^n$;
11:        $f(\bigoplus_{i=1}^{l} M^j_i, Y^j_l) \leftarrow Y^j_{l+1}$;
12:        $\mathrm{Dom}(f) \leftarrow \mathrm{Dom}(f) \cup \{(\bigoplus_{i=1}^{l} M^j_i, Y^j_l)\}$;
13:   $\Sigma^j \leftarrow Y^j_{l+1}$, $\Theta^j \leftarrow \bigoplus_{i=1}^{l+1} Y^j_i$;
14:   if $(\Sigma^j = 0)$ badsigma $\leftarrow$ true;
15:   $T^j \xleftarrow{\$} \{0,1\}^n$;
16:   if $((\Sigma^j, \Theta^j) = (\Sigma^i, \Theta^i)$ for some $i \in \{1, 2, \ldots, j-1\}$, or $(c \| \Sigma^j, \Theta^j) = (M^i_s, Y^i_{s-1})$ such that $s \in [l+1]$ or $s \in [l'+1]$, $i \in \{1, \ldots, j\})$:
17:     if $(\neg \mathrm{bad})$:
18:       $\math
rm{Coll}(i, j) \leftarrow$ true, bad $\leftarrow$ true;
          [boxed] if $((\Sigma^j, \Theta^j) = (\Sigma^i, \Theta^i))$ $T^j \leftarrow f(\Sigma^i, \Theta^i)$; else $T^j \leftarrow f(M^i_s, Y^i_{s-1})$;
      Return $T^j$;

Therefore, we now evaluate the probability $\Pr[A^{G_1} \text{ sets bad}]$. To evaluate this, let us define a double-block function $H^f(M) := (\Sigma, \Theta)$ with respect to a uniform random function $f$. Recall that the tuple $H^f(M^i) := (\Sigma^i, \Theta^i)$, $i \in [q]$, is said to be collision-free if either $\Sigma^i \ne \Sigma^j$ or $\Theta^i \ne \Theta^j$ or both, for all $j \in [i-1]$. Similarly, the tuple $(\Sigma^i, \Theta^i)$ is said to be cover-free if either $\Sigma^i \ne (M^j_\alpha)_n$ or $\Theta^i \ne Y^j_{\alpha-1}$ or both, for all $j \in [i]$. Therefore, it is easy to see that
$$\Pr[A^{G_1} \text{ sets bad}] \le \mathrm{Adv}^{\mathrm{coll}}_H(q, l) + \mathrm{Adv}^{\mathrm{cf}}_H(q, l) \le q^2\left(\mathrm{Adv}^{\mathrm{coll}}_H(2, l) + \mathrm{Adv}^{\mathrm{cf}}_H(2, l)\right). \quad (2)$$
Now we state the following lemma, the proof of which is deferred until the next section. The first three cases of the lemma bound the collision-free advantage and the last three cases bound the cover-free advantage of the function $H^f(\cdot)$.

Notation: Let $E_{\mathrm{coll}}$ denote the collision event (i.e. $\Sigma^i = \Sigma^j \wedge \Theta^i = \Theta^j$) and $E_{\mathrm{cf}}$ denote the covered event (i.e. $\Sigma^i = x \wedge \Theta^i = Y^s_t$) for some $n$-bit constant $x$. $W^i$ denotes the walk graph corresponding to message $M^i$. $Y^i$ denotes the vector of intermediate computations (i.e. $(Y^i_1, Y^i_2, \ldots, Y^i_l)$). $l$ and $l'$ denote the message lengths in number of blocks of $M^i$ and $M^j$ respectively. When $M^i$ is not a prefix of $M^j$ or $M^j$ is not a prefix of $M^i$, $p$ denotes the length of the longest common prefix (LCP) of $M^i$ and $M^j$. That means $M^i_{p+1} \ne M^j_{p+1}$ and $M^i_\alpha = M^j_\alpha$ for $1 \le \alpha \le p$. Let $\mathcal{G}(M^i, M^j)$ denote the set of all structure graphs corresponding to the two fixed messages $M^i$ and $M^j$. $\mathcal{G}^a \subseteq \mathcal{G}(M^i, M^j)$ is the set of all structure graphs with accident $a$ where, in this paper, we consider $a = 0, 1, 2$. Moreover, when $a = 1$ or $2$ we denote by $\mathcal{G}^a_{nl} \subseteq \mathcal{G}^a$ the set of all structure graphs such that none of the two message walks $W^i, W^j$ contains a loop. $\mathcal{G}^a_{l}$ denotes the set of all remaining structure graphs. Moreover, $\mathcal{G}^a = \mathcal{G}^a_{nl} \cup \mathcal{G}^a_{l}$ for $a = 1, 2$.

Lemma 1. Let us consider $G \xleftarrow{\$} \mathcal{G}(M^i, M^j)$, where $M^i$ and $M^j$ are any two distinct messages, each of length at most $l$ blocks, and a particular $n$-bit constant $x$. We have the following:
Case (A): $\Pr[E_{\mathrm{coll}} \wedge |\mathrm{fcoll}(G)| = 0] \le \dfrac{1}{2^{2n}}$.
Case (B): $\Pr[E_{\mathrm{coll}} \wedge |\mathrm{fcoll}(G)| = 1] \le \dfrac{l^2}{2^{2n}}$.
Case (C): $\Pr[E_{\mathrm{coll}} \wedge |\mathrm{fcoll}(G)| = 2] \le \dfrac{l^4}{2^{3n}}$.
Case (D): $\Pr[E_{\mathrm{cf}} \wedge |\mathrm{fcoll}(G)| = 0] \le \dfrac{1}{2^{2n}}$.
Case (E): $\Pr[E_{\mathrm{cf}} \wedge |\mathrm{fcoll}(G)| = 1] \le \dfrac{l^2}{2^{3n}}$.
Case (F): $\Pr[E_{\mathrm{cf}} \wedge |\mathrm{fcoll}(G)| = 2] \le \dfrac{l^4}{2^{3n}}$.

Resume the proof of Theorem 1. Now we have all the material to prove Theorem 1, which is given in the following. It is easy to see that
$$\mathrm{Adv}^{\mathrm{coll}}_H(2, l) \le \sum_{k=0}^{2} \Pr[E_{\mathrm{coll}} \wedge |\mathrm{fcoll}(G)| = k] + \Pr[|\mathrm{fcoll}(G)| \ge 3],$$
$$\mathrm{Adv}^{\mathrm{cf}}_H(2, l) \le \sum_{k=0}^{2} \Pr[E_{\mathrm{cf}} \wedge |\mathrm{fcoll}(G)| = k] + \Pr[|\mathrm{fcoll}(G)| \ge 3].$$
Therefore, we have the following results:
$$\mathrm{Adv}^{\mathrm{coll}}_H(2, l) \le \frac{1}{2^{2n}} + \frac{l^2}{2^{2n}} + \frac{l^4}{2^{3n}} + \frac{27 l^6}{2^{3n}}, \quad (3)$$
$$\mathrm{Adv}^{\mathrm{cf}}_H(2, l) \le \frac{1}{2^{2n}} + \frac{l^2}{2^{2n}} + \frac{l^4}{2^{3n}} + \frac{27 l^6}{2^{3n}}. \quad (4)$$
Equation (3) follows from Cases (A), (B) and (C) of Lemma 1. Similarly, Equation (4) follows from Cases (D), (E) and (F) of Lemma 1. Substituting Equations (3) and (4) into Equation (2) we obtain
$$\Pr[A^{G_1} \text{ sets bad}] \le \frac{2q^2}{2^{2n}} + \frac{2q^2 l^2}{2^{2n}} + \frac{2q^2 l^4}{2^{3n}} + \frac{54 q^2 l^6}{2^{3n}}.$$
Moreover, it is easy to see that $\Pr[A^{G_1} \text{ sets badsigma}] \le \frac{q}{2^n}$. Therefore, substituting these two probability expressions back into Equation (1) gives
$$\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{NI}^+_r} \le \frac{q}{2^n} + \frac{2q^2}{2^{2n}} + \frac{2q^2 l^2}{2^{2n}} + \frac{2q^2 l^4}{2^{3n}} + \frac{54 q^2 l^6}{2^{3n}}.$$
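The lazy sampling of Sect. 2 and the structure-graph walk of Sect. 2.1, which the proof of Lemma 1 below reasons about case by case, as an added Python example that is not code from the paper. It assumes toy parameters ($n = 8$, one-byte message blocks) so that $f$-collisions actually occur in a few hundred trials, and it accepts any callable as $f$, so a fixed function can be injected and the accident count checked by hand. The helper names (`LazyRandomFunction`, `structure_graph`, `accident_histogram`) are this example's own.

```python
"""Structure graphs over a lazily sampled random function.

Added example, not the paper's code.  Toy parameters (n = 8, byte blocks) are
assumed so that accidents are frequent enough to observe.
"""
import random
from typing import Callable, Dict, List, Sequence, Set, Tuple

N_BITS = 8   # chaining-value length n (toy value; the paper's n is e.g. 64 or 128)


class LazyRandomFunction:
    """Uniform random function (y, m) -> y' on n-bit outputs, defined by lazy sampling.

    Dom(rho) grows as points are queried: a fresh point receives a uniform
    output and is recorded; a covered point returns the recorded output.
    """
    def __init__(self, n_bits: int = N_BITS, seed: int = 0):
        self.n_bits = n_bits
        self.rng = random.Random(seed)
        self.table: Dict[Tuple[int, int], int] = {}   # Dom(rho) together with its values

    def __call__(self, y: int, m: int) -> int:
        point = (y, m)
        if point not in self.table:                   # point is fresh: sample and record
            self.table[point] = self.rng.getrandbits(self.n_bits)
        return self.table[point]                      # point is covered: reuse the value


def structure_graph(f: Callable[[int, int], int], messages: Sequence[Sequence[int]]):
    """Walk each message through Y_0 = 0, Y_i = f(Y_{i-1}, M_i) and build G^f(M).

    Returns (edges, walks, accidents): edges maps (node, block) -> node, walks is
    the node sequence of each message walk W^j, and accidents counts the
    f-collisions, i.e. arrivals at an already labelled vertex via a new edge.
    """
    edges: Dict[Tuple[int, int], int] = {}
    nodes: Set[int] = {0}                      # the start vertex Y_0 = 0 is labelled
    walks: List[List[int]] = []
    accidents = 0
    for msg in messages:
        y, walk = 0, [0]
        for m in msg:
            if (y, m) in edges:
                y = edges[(y, m)]              # following an existing edge is never an accident
            else:
                nxt = f(y, m)
                if nxt in nodes:
                    accidents += 1             # new edge lands on a labelled vertex
                edges[(y, m)] = nxt
                nodes.add(nxt)
                y = nxt
            walk.append(y)
        walks.append(walk)
    return edges, walks, accidents


def has_loop(walk: Sequence[int]) -> bool:
    """True if a single message walk revisits a vertex (the loop case G^a_l of the proof)."""
    return len(set(walk)) < len(walk)


def accident_histogram(n_bits: int, msg_pair, trials: int, seed: int = 1) -> Dict[int, int]:
    """Empirical distribution of |fcoll(G)| for a fixed message pair over random f."""
    hist: Dict[int, int] = {}
    for t in range(trials):
        f = LazyRandomFunction(n_bits, seed + t)       # a fresh random function per trial
        _, _, acc = structure_graph(f, msg_pair)
        hist[acc] = hist.get(acc, 0) + 1
    return hist


if __name__ == "__main__":
    # Constructed sample pair sharing a 2-block prefix, as in the LCP case of the proof.
    pair = [[1, 2, 3, 4, 5], [1, 2, 9, 8, 7]]
    print(accident_histogram(N_BITS, pair, trials=2000))
```

With $n = 8$ the histogram shows the mass concentrating on zero and one accident, with three or more accidents rare, which is the qualitative content of Proposition 2 at a scale where it can be checked by running rather than proved.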

4.1 Proof of Lemma 1

We prove all the following cases using structure graph analysis. After fixing two distinct messages we choose a structure graph uniformly at random from the set of all structure graphs. Then we analyze mainly the two events $E_{\mathrm{coll}}$ and $E_{\mathrm{cf}}$ in view of the number of collisions that occurred in the randomly chosen structure graph $G$. Therefore, we have
$$\Pr[E_{\mathrm{coll}} \wedge |\mathrm{fcoll}(G)| = a] = \sum_{H \in \mathcal{G}^a} \Pr[E_{\mathrm{coll}} \wedge G = H],$$
$$\Pr[E_{\mathrm{cf}} \wedge |\mathrm{fcoll}(G)| = a] = \sum_{H \in \mathcal{G}^a} \Pr[E_{\mathrm{cf}} \wedge G = H].$$
It is easy to see that $|\mathcal{G}^a| \le l^{2a}$, as a structure graph is uniquely determined by the accidents that occurred in the graph once the two messages are fixed. Therefore, we only need to bound (i) $\Pr[E_{\mathrm{coll}} \wedge G = H]$ and (ii) $\Pr[E_{\mathrm{cf}} \wedge G = H]$ for some fixed structure graph $H$ having accident $a$, where we consider $a = 0, 1$ or $2$.

Case (A): Proof of $\Pr[E_{\mathrm{coll}} \wedge |\mathrm{fcoll}(G)| = 0] \le \frac{1}{2^{2n}}$. We fix a structure graph $H \in \mathcal{G}^0$ and then analyze the probability of the event $E_{\mathrm{coll}}$ with respect to $H$ on a case-by-case basis.

Case (i) When neither of $M^i$ and $M^j$ is a prefix of the other, we recall that $p$ is the LCP of $M^i$ and $M^j$. Therefore, all $Y^i_\alpha$ and $Y^j_\beta$ are distinct where $p+1 \le \alpha \le l$, $p+1 \le \beta \le l'$. Moreover, $Y^i_\alpha \ne Y^j_\alpha$ for $p+1 \le \alpha \le \min\{l, l'\}$, as the number of collisions in $H$ is 0. Therefore, we have
$$\Pr[E_{\mathrm{coll}} \wedge G = H] = \Pr[\Theta^i = \Theta^j \wedge G = H \mid \Sigma^i = \Sigma^j] \cdot \Pr[\Sigma^i = \Sigma^j].$$
It is obvious that $\Pr[\Sigma^i = \Sigma^j] \le \frac{1}{2^n - l}$, and the event $\Theta^i = \Theta^j \wedge G = H$ conditioned on the event $\Sigma^i = \Sigma^j$ implies a non-trivial equation on $Y$, as we will obtain $Y^i_{p+1}$ and $Y^j_{p+1}$ for which $\Theta^i \oplus \Theta^j = 0$ becomes non-trivial. Thus, $\Pr[\Theta^i = \Theta^j \wedge G = H \mid \Sigma^i = \Sigma^j] \le \frac{1}{2^n - l}$. Therefore, $\Pr[E_{\mathrm{coll}} \wedge G = H] \le \frac{1}{2^{2n}}$, assuming $l \le 2^{n-1}$.

Case (ii) Consider that one of the two messages is a prefix of the other (w.l.o.g. $M^j$ is a prefix of $M^i$). Since $l > l'$, we have $p = l'$. Since the number of collisions in $H$ is 0, $Y^i_{p+1}, \ldots, Y^i_l$ are all distinct from each other and from $Y^j_1, \ldots, Y^j_{l'}$. This implies that $Y^i_l \ne Y^j_{l'}$, as depicted in Fig. 4.1. Therefore, the probability of $\Theta^i = \Theta^j \wedge G = H$ conditioned on the event $\Sigma^i = \Sigma^j$ is $O(1/2^n)$, as we will obtain two random variables $Y^i_l$ and $Y^j_{l'}$ for which $\Theta^i \oplus \Theta^j = 0$ becomes non-trivial. Moreover, $\Pr[\Sigma^i = \Sigma^j] \le \frac{1}{2^n}$. Therefore again, $\Pr[E_{\mathrm{coll}} \wedge G = H] \le \frac{1}{2^{2n}}$. Since $|\mathcal{G}^0| = 1$, we have $\Pr[E_{\mathrm{coll}} \wedge |\mathrm{fcoll}(G)| = 0] \le \frac{1}{2^{2n}}$.

Fig. 4.1. Structure graph with 0 accidents. [Figure not reproduced in this transcription.]

Case (B): Proof of $\Pr[E_{\mathrm{coll}} \wedge |\mathrm{fcoll}(G)| = 1] \le \frac{l^2}{2^{2n}}$. As in the earlier case, we fix a structure graph $H \in \mathcal{G}^1$ and then analyze the probability of the event $E_{\mathrm{coll}}$ with respect to $H$ on a case-by-case basis. Since $\mathcal{G}^1 = \mathcal{G}^1_{nl} \cup \mathcal{G}^1_{l}$, it follows that $H \in \mathcal{G}^1_{nl}$ or $H \in \mathcal{G}^1_{l}$. We analyze each case separately as follows:
Case (B.1) When $H \in \mathcal{G}^1_{nl}$. It essentially implies that $H$ is the union of two walk graphs $W^i, W^j$ such that $W^i$ and $W^j$ are paths. Without loss of generality, we consider $l \ge l'$.
Case (B.2) When $H \in \mathcal{G}^1_{l}$. It implies that one of the walks $W^i$ or $W^j$ contains a loop.

(B.1) Analysis of $\mathcal{G}^1_{nl}$. Let us consider $H \in \mathcal{G}^1_{nl}$. First of all we would like to note that if $M^j$ is a proper prefix of $M^i$ then $|\mathcal{G}^1_{nl}| = 0$, as in that case the number of accidents of $H$ is 0. So, without loss of generality, let us assume that $M^j$ is not a prefix of $M^i$ and $p$ is the LCP of $M^i$ and $M^j$. Therefore, $Y^i_\alpha = Y^j_\alpha$ for $1 \le \alpha \le p$. As the number of collisions is 1, let the colliding pair be $(Y^i_{\beta_i}, Y^j_{\beta_j})$, where $p+1 \le \beta_i \le l$, $p+1 \le \beta_j \le l'$.

Case (i) Let $\beta_i = \beta_j = p+1$ and $l = l'$, and after the collision $Y^i_\beta = Y^j_\beta$ for $p+2 \le \beta \le l$. In this case, it is clear that the checksum block $CS^i$ of the $i$-th message and the checksum block $CS^j$ of the $j$-th message would not be equal, and therefore even if $Y^i_l = Y^j_{l'}$, the event $\Sigma^i = \Sigma^j$ would not be trivial. So, even though $\Pr[\Theta^i = \Theta^j \mid \Sigma^i = \Sigma^j \wedge G = H] = 1$, the required randomness is obtained from the following two equations: (i) $Y^i_{p+1} \oplus Y^j_{p+1} = 0$, (ii) $\Sigma^i \oplus \Sigma^j = 0$, such that the rank of the system of equations is 2. Therefore, $\Pr[E_{\mathrm{coll}} \wedge G = H] \le \frac{1}{2^{2n}}$.

Case (ii) Let $\beta_i = \beta_j = p+1$ and $l = l'$, and after the collision $Y^i_\beta \ne Y^j_\beta$ for $p+2 \le \beta \le l$. Then we will always obtain $Y^i_k$ and $Y^j_{k'}$ such that $\Theta^i = \Theta^j$ is non-trivial for some $k, k'$. Therefore again in this case we have $\Pr[E_{\mathrm{coll}} \wedge G = H] \le \frac{1}{2^{2n}}$.

Case (iii) Let $\beta_i = \beta_j = p+2$ and $l = l'$ and $Y^i_\beta = Y^j_\beta$ for $p+3 \le \beta \le l$; then $\Theta^i = \Theta^j$ would imply $Y^i_{p+1} = Y^j_{p+1}$, creating one more collision, which violates the condition that the structure graph has only one collision. Therefore, in general, we assume that the colliding pair is $(Y^i_{\beta_i}, Y^j_{\beta_j})$, where $p+1 \le \beta_i \le l$, $p+1 \le \beta_j \le l'$. Since the number of collisions allowed in $H$ is 1, after the collision point either $W^i$ and $W^j$ follow the same path or they bifurcate right from the collision point and never meet again. If $W^i$ and $W^j$ follow the same path, then for Case (i) we have shown that we can ensure a probability of $O(1/2^{2n})$. If not, then except in Case (iii) where $\beta_i = \beta_j = p+2$, we will obtain two random variables $Y^i_k$ and $Y^j_{k'}$ such that the equation $\Theta^i \oplus \Theta^j = 0$ becomes non-trivial. If $W^i$ and $W^j$ bifurcate right after the collision point, then the equality of $\Theta$ becomes non-trivial for the two random variables $Y^i_{p+1}$ and $Y^j_{p+1}$, as depicted in (a) and (b) of Fig. 4.2. Note that it is easy to follow that we will always obtain two such random variables.

Fig. 4.2. Structure graphs with 1 accident. (a) and (b): no loop, (c) and (d): one loop. [Figure panels not reproduced in this transcription.]

Case (iv) Finally, if $\beta_i = l$ and $\beta_j = l'$ then one can easily find two random variables from the set $\{Y^i_{p+1}, \ldots, Y^i_{l-1}\} \cup \{Y^j_{p+1}, \ldots, Y^j_{l'-1}\}$ such that the equation on $\Theta$ becomes non-trivial. Therefore, in each of the above cases we have obtained $\Pr[E_{\mathrm{coll}} \wedge G = H] \le \frac{1}{2^{2n}}$. Since $|\mathcal{G}^1_{nl}| \le l^2$, we have $\Pr[E_{\mathrm{coll}} \wedge |\mathrm{fcoll}(G)| = 1] \le \frac{l^2}{2^{2n}}$.

(B.2) Analysis of $\mathcal{G}^1_{l}$. Let us fix a structure graph $H \in \mathcal{G}^1_{l}$. Without loss of generality we assume that $W^i$ contains a loop. That means $\alpha$ is the smallest integer such that $Y^i_\alpha = Y^i_{\alpha+c}$ for some $c \ge 1$. Here $c$ denotes the loop size. Note that the loop itself creates a collision, and therefore neither (i) $W^j$ or $W^i$ makes another different loop, nor (ii) $W^j$ collides with $W^i$, as in both cases the number of collisions would increase to 2. Thus, the only possibilities are either (i) $W^j$ completely lies on $W^i$, or (ii) $W^j$ follows $W^i$ but after a point $W^j$ and $W^i$ bifurcate and never meet. We analyze the probability of the event $E_{\mathrm{coll}} \wedge G = H$ separately for each of the above cases.

Case (i): $W^j$ completely lies on $W^i$. Let us assume
$$W^i = Y^i_1 \ldots Y^i_{\alpha-1}\,(Y^i_\alpha \ldots Y^i_{\alpha+c-1})^k\,Y^i_{\alpha+c+1} \ldots Y^i_l \quad\text{and}\quad W^j = Y^j_1 \ldots Y^j_{\alpha-1}\,(Y^j_\alpha \ldots Y^j_{\alpha+c-1})^{k'}\,Y^j_{\alpha+c+1} \ldots Y^j_{l'},$$
where $k' \ge 0$. Now we have the following cases. As $W^j$ lies on $W^i$, it is easy to see that if $k' = 0$ then $W^j$ is a subsequence of $Y^i_1 \ldots Y^i_{\alpha-1}$, and therefore one can ensure the non-triviality of the equation $\Theta^i \oplus \Theta^j = 0$, which holds with probability $\frac{1}{2^n}$. Moreover, $Y^i_l \ne Y^j_{l'}$, and thus $\Sigma^i = \Sigma^j$ also holds with probability $\frac{1}{2^n}$; therefore $\Pr[E_{\mathrm{coll}} \wedge G = H] \le \frac{1}{2^{2n}}$. If $k' \ge 1$, then it is obvious that $Y^j_1 \ldots Y^j_{\alpha-1} = Y^i_1 \ldots Y^i_{\alpha-1}$. Now, if we assume that the length of the tail of $W^i$ (i.e. $Y^i_{\alpha+c+1} \ldots Y^i_l$) is the same as that of $W^j$, then it must be the case that $k \ne k'$, and without loss of generality we can assume that $k > k'$. Since $Y^i_l = Y^j_{l'}$, depending on the equality of $CS^i$ and $CS^j$ we have $\Pr[\Sigma^i = \Sigma^j \mid |\mathrm{fcoll}(G)| = 1] = 1$. Therefore,
$$\Pr[E_{\mathrm{coll}} \wedge G = H] = \Pr[\Theta^i = \Theta^j \mid \Sigma^i = \Sigma^j \wedge G = H] \cdot \Pr[\Sigma^i = \Sigma^j \mid G = H] \cdot \Pr[G = H].$$
As $k > k'$, it is obvious that there must be at least two random variables $Y^i_s$ and $Y^i_{s'}$ for which $\Theta^i = \Theta^j$ becomes non-trivial, as depicted in (c) of Fig. 4.2. Thus in the above equation, $\Pr[\Theta^i = \Theta^j \mid \Sigma^i = \Sigma^j \wedge G = H] \le \frac{1}{2^n}$ and $\Pr[G = H] \le \frac{1}{2^n}$. Therefore, $\Pr[E_{\mathrm{coll}} \wedge G = H] \le \frac{1}{2^{2n}}$. Moreover, if we assume that the tail lengths of $W^i$ and $W^j$ are not the same (w.l.o.g. $\mathrm{tail}(W^i) > \mathrm{tail}(W^j)$), then we have either $k = k'$ or $k \ne k'$. The case $k = k'$ has already been taken care of. If $k \ne k'$ then $Y^i_l \ne Y^j_{l'}$, and therefore $\Theta^i \oplus \Theta^j = 0$ becomes non-trivial for the random variables $Y^i_l$ and $Y^j_{l'}$. Moreover, $\Pr[\Sigma^i = \Sigma^j] \le \frac{1}{2^n}$. Thus, $\Pr[E_{\mathrm{coll}} \wedge G = H] \le \frac{1}{2^{2n}}$.

Case (ii): $W^j$ follows $W^i$ but after a point they bifurcate and never meet. In this case $W^j$ bifurcates from $W^i$ right after some point $X$. This condition necessarily implies that $Y^i_l \ne Y^j_{l'}$. Now it is to be noted that if $W^j$ completely lies on $W^i$ (in the sense that $\mathrm{head}(W^i) = \mathrm{head}(W^j)$ and $k = k'$) and bifurcates right from the point $X = Y^i_{l-1}$, then $\Theta^i = \Theta^j$ would imply $Y^i_l = Y^j_{l'}$, introducing one more collision, and hence the number of collisions would increase.
Therefore, even if $\mathrm{head}(W_i) = \mathrm{head}(W_j)$, either $k \ne k'$ or $W_j$ must bifurcate from $W_i$ at some point earlier than $Y^i_{l_i-1}$. In both of these cases one obtains at least two random variables (either from the loop portion or from the tail portion) $Y^i_s$ and $Y^i_{s'}$, for some $s$ and $s'$, that ensure the non-triviality of the equation on $\Theta$, as depicted in (d) of Fig. 4.2. Moreover, as $Y^i_{l_i} \ne Y^j_{l_j}$, this ensures that $\Pr[\Sigma_i = \Sigma_j] \le 1/2^n$. Hence $\Pr[E_{coll} \mid G = H] \le 1/2^n$.

Therefore, in all of the above cases we have obtained $\Pr[E_{coll} \mid G = H] \le 1/2^n$. Moreover, $|\mathcal{G}^1_l| \le |\mathcal{G}^1| \le l^2$. So $\Pr[E_{coll} \mid fcoll(G) = 1] \le l^2/2^n$.

Case (C): Proof of $\Pr[E_{coll} \mid fcoll(G) = 2] \le l^4/2^{3n}$. As in the analysis of Case (B), we first fix a graph $H \in \mathcal{G}^2$ and analyze the probability of $E_{coll}$ with respect to $H$ on a case-by-case basis. By the same argument, either $H \in \mathcal{G}^2_{nl}$ or $H \in \mathcal{G}^2_l$.

Case (C.1) Let us consider $H \in \mathcal{G}^2_{nl}$, which implies that neither of the message walks $W_i$ or $W_j$ contains a loop.

Case (C.2) Let us consider $H \in \mathcal{G}^2_l$, which implies that either of the message walks $W_i$ or $W_j$ contains a loop.

(C.1) Analysis of $\mathcal{G}^2_{nl}$. Let $p$ be the LCP of $M_i$ and $M_j$. Since the number of accidents of $H$ is 2, we denote the collision pairs as $(Y^i_{\alpha_i}, Y^j_{\alpha_j})$ and $(Y^i_{\beta_i}, Y^j_{\beta_j})$, where $p+1 \le \alpha_i, \beta_i \le l_i$ and $p+1 \le \alpha_j, \beta_j \le l_j$.

Case (i) Let $l_i = l_j$, $\alpha_i = \alpha_j = p+1$ and $\beta_i = \beta_j = p+2$, and after the collision $Y^i_s = Y^j_s$ for $p+3 \le s \le l_i$. This case boils down to the analysis of subcase (ii) under Case (B.1). Therefore, even though $\Pr[\Theta_i = \Theta_j \mid \Sigma_i = \Sigma_j, G = H] = 1$, we obtain the required randomness from the following three linearly independent equations: (i) $Y^i_{p+1} \oplus Y^j_{p+1} = 0$, (ii) $Y^i_{p+2} \oplus Y^j_{p+2} = 0$ and (iii) $\Sigma_i \oplus \Sigma_j = 0$, so that the rank of the system of equations becomes 3. Therefore, $\Pr[E_{coll} \mid G = H] \le 1/2^{3n}$.

Case (ii) This case is similar to Case (i) except that after the collision $Y^i_s \ne Y^j_s$. Again this case boils down to the analysis of subcase (ii) under Case (B.1). Therefore it is easy to see that the rank of the obtained linear system of equations will be at least 3, and in this case also we obtain $\Pr[E_{coll} \mid G = H] \le 1/2^{3n}$.

Case (iii) Let $l_i = l_j$ and let the two collision points not be consecutive as in Case (i). We can also assume that after the final collision point (i.e. $Y^i_{\beta_i} = Y^j_{\beta_j}$) we have $Y^i_s = Y^j_s$ for $s$ up to $l_i$. So we obtain a system of linear equations of rank 3, since $\Theta_i \oplus \Theta_j = 0$ together with the two collisions gives three linearly independent equations. Therefore, in this case we obtain $\Pr[E_{coll} \mid G = H] \le 1/2^{3n}$.

In general, we assume that the colliding pairs are $(Y^i_{\alpha_i}, Y^j_{\alpha_j})$ and $(Y^i_{\beta_i}, Y^j_{\beta_j})$, where $p+1 \le \alpha_i, \beta_i \le l_i$ and $p+1 \le \alpha_j, \beta_j \le l_j$.
Since the number of collisions allowed in $H$ is 2, after the first collision point $(Y^i_{\alpha_i}, Y^j_{\alpha_j})$, $W_i$ and $W_j$ must bifurcate and then meet each other again to form the second collision point $(Y^i_{\beta_i}, Y^j_{\beta_j})$; after that, $W_i$ and $W_j$ either follow the same path or bifurcate from the second collision point and never meet again. If $W_i$ and $W_j$ follow the same path, then for Case (i) we have shown that we can ensure the probability $O(1/2^n)$. If not, then we obtain two random variables $Y^i_k$ and $Y^j_k$ such that the equation $\Theta_i \oplus \Theta_j = 0$ becomes non-trivial. If $W_i$ and $W_j$ bifurcate after the second collision point, then the equality of $\Theta$ becomes non-trivial for two

[Fig. 4.3. Structure graphs with 2 accidents. (a) and (b): no loop, (c) to (l): one loop, (m) to (t): two loops.]

random variables $Y^i_k$ and $Y^j_k$, as depicted in (a) and (b) of Fig. 4.3. Note that it is easy to see that we always obtain two such random variables. Therefore, the rank of the linear system comprising the equations $\Sigma_i \oplus \Sigma_j = 0$, $\Theta_i \oplus \Theta_j = 0$, $Y^i_{\alpha_i} \oplus Y^j_{\alpha_j} = 0$ and $Y^i_{\beta_i} \oplus Y^j_{\beta_j} = 0$ will be at least 3. Therefore, $\Pr[E_{coll} \mid G = H] \le 1/2^{3n}$.

Case (iv) Finally, let $\beta_i = l_i$ and $\beta_j = l_j$, where $\alpha_i < \beta_i$ and $\alpha_j < \beta_j$. Then one can easily find two random variables from the set $\{Y^i_{p+1}, \ldots, Y^i_{l_i-1}\} \cup \{Y^j_{p+1}, \ldots, Y^j_{l_j-1}\}$ such that the equation on $\Theta$ becomes non-trivial.

Therefore, from all of the above cases we have $\Pr[E_{coll} \mid G = H] \le 1/2^{3n}$. Moreover, $|\mathcal{G}^2_{nl}| \le |\mathcal{G}^2| \le l^4$. Therefore $\Pr[E_{coll} \mid fcoll(G) = 2] \le l^4/2^{3n}$.

(C.2) Analysis of $\mathcal{G}^2_l$. We characterize all possible graphs in the following two ways: (i) when both accidents come from a single message walk; (ii) when two message walks are involved in yielding the two accidents, with subcases (ii.1) when each message walk contributes a single accident, and (ii.2) when the two message walks jointly contribute the two accidents.

Let $p$ be the LCP of $M_i$ and $M_j$. Since the number of accidents of $H$ is 2, the collision pairs will be one of the following, based on the three cases listed above: (a) $(Y^i_\alpha, Y^i_{\alpha'})$ and $(Y^i_\beta, Y^i_{\beta'})$ (single message walk), where $\alpha' < \alpha < \beta' < \beta$; (b) $(Y^i_\alpha, Y^i_{\alpha'})$ and $(Y^j_\beta, Y^j_{\beta'})$ (each message walk contributes a single accident), where $\alpha' < \alpha$ and $\beta' < \beta$; (c) $(Y^i_{\alpha_i}, Y^j_{\alpha_j})$ and $(Y^i_{\beta_i}, Y^j_{\beta_j})$ (two message walks jointly contribute two accidents), where $p+1 \le \alpha_i, \beta_i \le l_i$ and $p+1 \le \alpha_j, \beta_j \le l_j$.

Case (i): Both accidents come from a single message walk. To analyze this case, note that only a single message walk (say $W_i$) yields two accidents; that is, the accident pairs are $(Y^i_\alpha, Y^i_{\alpha'})$ and $(Y^i_\beta, Y^i_{\beta'})$, so $W_i$ contains two distinct loops, whereas $W_j$ does not contain any loop. In this regard, it is to be noted that $W_j$ either lies on $W_i$, or eventually bifurcates from $W_i$ and never meets it again. We have two possibilities under this case. (a) When $l_i = l_j$, it has to be the case that $W_j$ bifurcates from $W_i$ at some fixed node $X$ in $H$.
Note that it may also happen that $X$ does not exist in some $H$; in those specific cases we obtain two parallel walks. Now one can easily see that two distinct accidents yield two linearly independent equations, namely $Y^i_\alpha \oplus Y^i_{\alpha'} = 0$ and $Y^i_\beta \oplus Y^i_{\beta'} = 0$.

Moreover, the two equations $\Sigma_i \oplus \Sigma_j = 0$ and $\Theta_i \oplus \Theta_j = 0$ are not implied by the previous two linearly independent equations coming from the accidents, as one can easily see that $Y^i_{l_i} \ne Y^j_{l_j}$ and thus $\Sigma_i \oplus \Sigma_j = 0$ is not a trivial equation. Thus one can ensure that the rank of this system of linear equations is at least 3. (b) When $l_i \ne l_j$, without loss of generality we assume that $l_i > l_j$. Therefore, either $W_j$ bifurcates from $W_i$ or $W_j$ completely lies on $W_i$. The former case has already been treated. So, when $W_j$ completely lies on $W_i$ with $|W_j| < |W_i|$ (see footnote 4), then again $Y^i_{l_i} \ne Y^j_{l_j}$, making the equation $\Sigma_i \oplus \Sigma_j = 0$ non-trivial. Moreover, the two accidents imply two linearly independent equations. Altogether, the rank of the system of equations becomes at least 3. Therefore, in this case we obtain

$\Pr[E_{coll} \mid G = H] \le 1/2^{3n}.$ (5)

Case (ii.1): Each message walk contributes a single accident. When the two message walks $W_i$ and $W_j$ individually contribute a single accident, the accident pairs are $(Y^i_\alpha, Y^i_{\alpha'})$ and $(Y^j_\beta, Y^j_{\beta'})$. Note that the last collision point, say $(Y^j_\beta, Y^j_{\beta'})$, must be after the LCP point. Therefore, each of $W_i$ and $W_j$ contains a single loop and they never meet again, otherwise that would contribute one more accident. Therefore the structure of the graph is simple, as depicted in (m) and (n) of Fig. 4.3. It is very straightforward to see that $Y^i_{l_i} \ne Y^j_{l_j}$. Moreover, the two distinct accidents give two linearly independent equations, and therefore the rank becomes at least 3. Thus Equation (5) holds in this case.

Case (ii.2): Two message walks jointly contribute two accidents. The former two cases were easy to handle, as they contain simple structure graphs. This case is a little more involved, as it contains many kinds of structure graphs, as depicted in (c) to (t) of Fig. 4.3. Let $d$ denote the gap between the two colliding nodes (see footnote 5). Note that for (e), (f), (o) and (p) of Fig. 4.3 the value of $d$ is 0. For the rest of the cases, $d > 0$. To keep our discussion simple, we give the detailed proof for (c) of Fig. 4.3; a similar analysis proves the rest of the cases.
Detailed analysis for Case (c) of Fig. 4.3. Let the first collision point be $(Y^i_{\alpha_i}, Y^j_{\alpha_j})$. This accident is contributed by the two message walks $W_i$ and $W_j$. After this first accident point, the second message walk may or may not take part in forming the second collision. (a) If $W_j$ takes part in forming the second collision, then after the first collision point $W_i$ and $W_j$ move in unison, and after forming the second collision $W_j$ and $W_i$ may bifurcate or again move in unison, depending on the message blocks of $M_j$. (b) On the other hand, if $W_j$ does not take part, then either (i) $W_j$ bifurcates from a node $X$ where $X \in \{Y^i_{\alpha_i}, Y^i_{\alpha_i+1}, \ldots, Y^i_{\alpha_i+d}\}$ and never meets $W_i$ again, or (ii) $W_j$ completely lies on $W_i$ and $|W_j| < \beta_i$. Note that in both of the cases (a) and (b), the two collisions

Footnote 4: The length of a walk $W$ is denoted $|W|$.

Footnote 5: The gap between two colliding nodes is the number of edges in the structure graph between the two vertices that collide.

give rise to two linearly independent equations, $Y^i_{\alpha_i} \oplus Y^j_{\alpha_j} = 0$ and $Y^i_{\beta_i} \oplus Y^j_{\beta_j} = 0$.

(a) We consider that $W_j$ takes part in forming the second collision. If $l_i = l_j$, then we find $Y^i_{p+1}$ for which $\Theta_i \oplus \Theta_j = 0$ becomes non-trivial, and hence the rank of the above two equations together with $\Theta_i \oplus \Theta_j = 0$ becomes 3. If $l_i \ne l_j$, then again one can obtain $Y^j_{l_j}$ such that the variable is fresh in the equation $\Theta_i \oplus \Theta_j = 0$, which makes the rank of the above three equations 3. (b) We consider that $W_j$ does not take part in forming the second collision. Then (i) when $W_j$ bifurcates from $W_i$, again $Y^j_{l_j}$ is the fresh random variable in the equation $\Theta_i \oplus \Theta_j = 0$, making the rank of the system of equations at least 3; (ii) if $W_j$ completely lies on $W_i$, which essentially implies $l_j < l_i$, then one can obtain $Y^i_{l_i}$, which is fresh in the equation $\Theta_i \oplus \Theta_j = 0$, making the rank at least 3.

Therefore, in all of the above cases, the rank of the following system of equations is at least 3:

$Y^i_{\alpha_i} \oplus Y^j_{\alpha_j} = 0,\quad Y^i_{\beta_i} \oplus Y^j_{\beta_j} = 0,\quad \Sigma_i \oplus \Sigma_j = 0,\quad \Theta_i \oplus \Theta_j = 0.$

Therefore, we have $\Pr[E_{coll} \mid G = H] \le 1/2^{3n}$. All of the remaining cases can be analyzed similarly, and one can show the rank to be at least 3. Since $|\mathcal{G}^2_l| \le |\mathcal{G}^2| \le l^4$, we have $\Pr[E_{coll} \mid fcoll(G) = 2] \le l^4/2^{3n}$.

Case (D): Proof of $\Pr[E_{cf} \mid fcoll(G) = 0] \le 1/2^{2n}$. We fix a structure graph $H \in \mathcal{G}^0$ and then analyse the probability of the event $E_{cf}$ with respect to $H$ on a case-by-case basis.

Case (i) Let $p$ be the LCP of $M_i$ and $M_j$. Therefore $Y^i_\alpha = Y^j_\alpha$ for $1 \le \alpha \le p$, and $Y^i_\beta \ne Y^j_\beta$ for $p+1 \le \beta \le \min\{l_i, l_j\}$, as the number of accidents in $H$ is 0. Moreover, if $l_i > l_j$ then all $Y^i_\beta$ with $l_j+1 \le \beta \le l_i$ are distinct, as $fcoll(G) = 0$. Note that it is also true that $Y^i_{l_i} \ne Y^j_{l_j}$. Therefore we have the following set of equations:

$Y^i_{l_i+1} = x,$ (6)

$Y^i_1 \oplus Y^i_2 \oplus \cdots \oplus Y^i_{l_i+1} \oplus Y^s_t = 0,$ (7)

where $s$ is either $i$ or $j$, and $t \in [l_i+1]$ or $t \in [l_j+1]$ accordingly. For each of these cases one can easily check that the above system of equations has rank 2. Therefore $\Pr[E_{cf} \mid G = H] \le 1/2^{2n}$.

Case (ii) Without loss of generality, let us consider that $M_j$ is a prefix of $M_i$. Since $l_i > l_j$, we have $p = l_j$. Since the number of collisions in $H$ is 0, the values $Y^i_{p+1}, \ldots, Y^i_{l_i}$ are all distinct from each other and from $Y^j_1, \ldots, Y^j_{l_j}$. This implies that $Y^i_{l_i} \ne Y^j_{l_j}$, as depicted in the figure. Therefore, the set of equations (Equations (6) and (7)) has full rank, and again we have $\Pr[E_{cf} \mid G = H] \le 1/2^{2n}$.

Therefore, from the above two cases we have $\Pr[E_{cf} \mid G = H] \le 1/2^{2n}$ for any non-zero $n$-bit constant $x$. Moreover $|\mathcal{G}^0| = 1$. So $\Pr[E_{cf} \mid fcoll(G) = 0] \le 1/2^{2n}$.

Case (E): Proof of $\Pr[E_{cf} \mid fcoll(G) = 1] \le l^2/2^{2n}$. Again, we fix a structure graph $H \in \mathcal{G}^1$ and then analyse the probability of the event $E_{cf}$ with respect to $H$ on a case-by-case basis. Either $H \in \mathcal{G}^1_{nl}$ or $H \in \mathcal{G}^1_l$, and we analyse each case separately as follows.

Case (E.1) Let us consider $H \in \mathcal{G}^1_{nl}$, which implies that neither of the message walks $W_i$ or $W_j$ contains a loop.

Case (E.2) Let us consider $H \in \mathcal{G}^1_l$, which implies that either of the message walks $W_i$ or $W_j$ contains a loop.

(E.1) Analysis of $\mathcal{G}^1_{nl}$. As before, neither of $M_i$ and $M_j$ can be a prefix of the other. Let $p$ be the LCP of $M_i$ and $M_j$, and let the colliding pair be $(Y^i_{\beta_i}, Y^j_{\beta_j})$, where $p+1 \le \beta_i \le l_i$ and $p+1 \le \beta_j \le l_j$. In this case it is easy to check that the following system of equations has rank 2:

$Y^i_{l_i+1} = x,\qquad Y^i_1 \oplus Y^i_2 \oplus \cdots \oplus Y^i_{l_i+1} \oplus Y^s_t = 0.$

Therefore, we have $\Pr[E_{cf} \mid G = H] \le 1/2^{2n}$. Note that $|\mathcal{G}^1_{nl}| \le |\mathcal{G}^1| \le l^2$. Therefore $\Pr[E_{cf} \mid fcoll(G) = 1] \le l^2/2^{2n}$.

(E.2) Analysis of $\mathcal{G}^1_l$. As before, let us assume that $W_i$ contains a loop of size $c$ such that $Y^i_\alpha = Y^i_{\alpha+c}$ for some $c \ge 1$. Since the loop creates a collision, neither (i) $W_j$ or $W_i$ makes another, different loop, nor (ii) $W_j$ collides with $W_i$, as in both cases the number of collisions would increase to 2. Thus we have the following two possibilities: (1) $W_j$ coincides with $W_i$; (2) $W_j$ follows $W_i$ but after a point $W_i$ and $W_j$ depart and never meet again.
We analyze the probability of the event $E_{cf} \mid G = H$ separately for each of the two cases above. In particular, in each of the following analyses our main concern is to show that the rank of the set of equations defined earlier (i.e. Equations (6) and (7)) is 2, that is, that it achieves full rank in each of the following subcases.

Case (i): $W_j$ coincides with $W_i$. Let $k$ denote the number of iterations of the loop in $W_i$, and $k'$ the number of iterations of the loop in $W_j$. Irrespective of the values of $k$ and $k'$, the system of equations (Equations (6) and (7)) has rank 2, and therefore we can upper bound the probability of our desired event by $1/2^{2n}$.

Case (ii): $W_j$ follows $W_i$, but after a point $W_i$ and $W_j$ depart and never meet again. The analysis for this case is similar to Case (i). Here $W_i$ and $W_j$ bifurcate from a certain point, say $X$, with $l_i - X, l_j - X > 0$. Therefore it is trivial to see that the set of equations (i.e. Equations (6) and (7)) has full rank. Again, as shown in the previous case, $\Pr[E_{cf} \mid G = H] \le 1/2^{2n}$.

Therefore, for the above two cases $\Pr[E_{cf} \mid G = H] \le 1/2^{2n}$. Moreover, $|\mathcal{G}^1_l| \le |\mathcal{G}^1| \le l^2$. Therefore $\Pr[E_{cf} \mid fcoll(G) = 1] \le l^2/2^{2n}$.

Case (F): Proof of $\Pr[E_{cf} \mid fcoll(G) = 2] \le l^4/2^{3n}$. The proof of this bound is similar to Case (C), and thus we skip it.

5 Conclusion

In this paper, we have proposed a non-tweaked single fixed-key compression function based MAC, NI+, a variant of NI-MAC that achieves BBB security and is more efficient than NI-MAC in terms of the number of keys. Moreover, our construction is better than Yasuda's proposed single fixed-key compression function based MAC construction, which uses an extra mask of $b$ bits that needs storage space. Moreover, we have been able to slightly reduce the state size from $(b + 2n)$ bits to $(b + n)$ bits; it was an open problem in [43] to reduce the state size to $n$ bits. Thus we leave that problem still open, while our construction no longer requires an extra mask.

References

1. Jee Hea An and Mihir Bellare. Constructing VL-MACs from FL-MACs: Message authentication under weakened assumptions. In Wiener [39].
2. Mihir Bellare, Ran Canetti, and Hugo Krawczyk. Keying hash functions for message authentication. In Neal Koblitz, editor, CRYPTO '96, volume 1109 of LNCS. Springer.
3. Mihir Bellare, Oded Goldreich, and Hugo Krawczyk. Stateless evaluation of pseudorandom functions: Security beyond the birthday barrier.
In Wiener [39].
4. Mihir Bellare, Joe Kilian, and Phillip Rogaway. The security of cipher block chaining. In Yvo Desmedt, editor, CRYPTO '94, volume 839 of LNCS. Springer, 1994.

5. Mihir Bellare, Krzysztof Pietrzak, and Phillip Rogaway. Improved security analyses for CBC MACs. In Shoup [34].
6. Mihir Bellare. New proofs for NMAC and HMAC: Security without collision-resistance. In Cynthia Dwork, editor, CRYPTO 2006, volume 4117 of LNCS. Springer.
7. Mihir Bellare and Phillip Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In Vaudenay [35].
8. John Black, Shai Halevi, Hugo Krawczyk, Ted Krovetz, and Phillip Rogaway. UMAC: Fast and secure message authentication. In Wiener [39].
9. John Black and Phillip Rogaway. A block-cipher mode of operation for parallelizable message authentication. In Knudsen [21].
10. Andrey Bogdanov, Lars R. Knudsen, Gregor Leander, Christof Paar, Axel Poschmann, Matthew J. B. Robshaw, Yannick Seurin, and C. Vikkelsoe. PRESENT: An ultra-lightweight block cipher. In Pascal Paillier and Ingrid Verbauwhede, editors, CHES 2007, volume 4727 of LNCS. Springer.
11. Nilanjan Datta, Avijit Dutta, Mridul Nandi, Goutam Paul, and Liting Zhang. One-key double-sum MAC with beyond-birthday security. Cryptology ePrint Archive, Report 2015/958.
12. Yevgeniy Dodis, Thomas Ristenpart, John P. Steinberger, and Stefano Tessaro. To hash or not to hash again? (In)differentiability results for H^2 and HMAC. In Reihaneh Safavi-Naini and Ran Canetti, editors, CRYPTO 2012, volume 7417 of LNCS. Springer.
13. Yevgeniy Dodis and John P. Steinberger. Domain extension for MACs beyond the birthday barrier. In Kenneth G. Paterson, editor, EUROCRYPT 2011, volume 6632 of LNCS. Springer.
14. Peter Gaži, Krzysztof Pietrzak, and Michal Rybár. The exact PRF-security of NMAC and HMAC. In Juan A. Garay and Rosario Gennaro, editors, CRYPTO 2014, volume 8616 of LNCS. Springer.
15. Peter Gaži, Krzysztof Pietrzak, and Stefano Tessaro. Generic security of NMAC and HMAC with input whitening. Cryptology ePrint Archive, Report 2015/881.
16. Deukjo Hong, Jaechul Sung, Seokhie Hong, Jongin Lim, Sangjin Lee, Bonseok Koo, Changhoon Lee, Donghoon Chang, Jaesang Lee, Kitae Jeong, Hyun Kim, Jongsung Kim, and Seongtaek Chee.
HIGHT: A new block cipher suitable for low-resource device. In Louis Goubin and Mitsuru Matsui, editors, CHES 2006, volume 4249 of LNCS. Springer.
17. Tetsu Iwata and Kaoru Kurosawa. OMAC: One-key CBC MAC. In Johansson [19].
18. Éliane Jaulmes, Antoine Joux, and Frédéric Valette. On the security of randomized CBC-MAC beyond the birthday paradox limit: A new construction. In FSE 2002, volume 2365 of LNCS. Springer.
19. Thomas Johansson, editor. FSE 2003, volume 2887 of LNCS. Springer.
20. Antoine Joux, Guillaume Poupard, and Jacques Stern. New attacks against standardized MACs. In Johansson [19].
21. Lars R. Knudsen, editor. EUROCRYPT 2002, volume 2332 of LNCS. Springer, 2002.
22. Neal Koblitz and Alfred Menezes. Another look at HMAC. J. Mathematical Cryptology, 7(3):225–251, 2013.
23. H. Krawczyk, M. Bellare, and R. Canetti. HMAC: Keyed-Hashing for Message Authentication. RFC 2104 (Informational), February 1997.


A 2D Bounded Linear Program (H,c) 2D Linear Programming A 2D Bounded Lnear Program (H,c) h 3 v h 8 h 5 c h 4 h h 6 h 7 h 2 2D Lnear Programmng C s a polygonal regon, the ntersecton of n halfplanes. (H, c) s nfeasble, as C s empty. Feasble regon C s unbounded

More information

LINEAR REGRESSION ANALYSIS. MODULE IX Lecture Multicollinearity

LINEAR REGRESSION ANALYSIS. MODULE IX Lecture Multicollinearity LINEAR REGRESSION ANALYSIS MODULE IX Lecture - 30 Multcollnearty Dr. Shalabh Department of Mathematcs and Statstcs Indan Insttute of Technology Kanpur 2 Remedes for multcollnearty Varous technques have

More information

Randić Energy and Randić Estrada Index of a Graph

Randić Energy and Randić Estrada Index of a Graph EUROPEAN JOURNAL OF PURE AND APPLIED MATHEMATICS Vol. 5, No., 202, 88-96 ISSN 307-5543 www.ejpam.com SPECIAL ISSUE FOR THE INTERNATIONAL CONFERENCE ON APPLIED ANALYSIS AND ALGEBRA 29 JUNE -02JULY 20, ISTANBUL

More information

1 The Mistake Bound Model

1 The Mistake Bound Model 5-850: Advanced Algorthms CMU, Sprng 07 Lecture #: Onlne Learnng and Multplcatve Weghts February 7, 07 Lecturer: Anupam Gupta Scrbe: Bryan Lee,Albert Gu, Eugene Cho he Mstake Bound Model Suppose there

More information

5 The Rational Canonical Form

5 The Rational Canonical Form 5 The Ratonal Canoncal Form Here p s a monc rreducble factor of the mnmum polynomal m T and s not necessarly of degree one Let F p denote the feld constructed earler n the course, consstng of all matrces

More information

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction Attacks on RSA The Rabn Cryptosystem Semantc Securty of RSA Cryptology, Tuesday, February 27th, 2007 Nls Andersen Square Roots modulo n Complexty Theoretc Reducton Factorng Algorthms Pollard s p 1 Pollard

More information

Lectures - Week 4 Matrix norms, Conditioning, Vector Spaces, Linear Independence, Spanning sets and Basis, Null space and Range of a Matrix

Lectures - Week 4 Matrix norms, Conditioning, Vector Spaces, Linear Independence, Spanning sets and Basis, Null space and Range of a Matrix Lectures - Week 4 Matrx norms, Condtonng, Vector Spaces, Lnear Independence, Spannng sets and Bass, Null space and Range of a Matrx Matrx Norms Now we turn to assocatng a number to each matrx. We could

More information

Grover s Algorithm + Quantum Zeno Effect + Vaidman

Grover s Algorithm + Quantum Zeno Effect + Vaidman Grover s Algorthm + Quantum Zeno Effect + Vadman CS 294-2 Bomb 10/12/04 Fall 2004 Lecture 11 Grover s algorthm Recall that Grover s algorthm for searchng over a space of sze wors as follows: consder the

More information

SL n (F ) Equals its Own Derived Group

SL n (F ) Equals its Own Derived Group Internatonal Journal of Algebra, Vol. 2, 2008, no. 12, 585-594 SL n (F ) Equals ts Own Derved Group Jorge Macel BMCC-The Cty Unversty of New York, CUNY 199 Chambers street, New York, NY 10007, USA macel@cms.nyu.edu

More information

Generalized Linear Methods

Generalized Linear Methods Generalzed Lnear Methods 1 Introducton In the Ensemble Methods the general dea s that usng a combnaton of several weak learner one could make a better learner. More formally, assume that we have a set

More information

ISSN: ISO 9001:2008 Certified International Journal of Engineering and Innovative Technology (IJEIT) Volume 3, Issue 1, July 2013

ISSN: ISO 9001:2008 Certified International Journal of Engineering and Innovative Technology (IJEIT) Volume 3, Issue 1, July 2013 ISSN: 2277-375 Constructon of Trend Free Run Orders for Orthogonal rrays Usng Codes bstract: Sometmes when the expermental runs are carred out n a tme order sequence, the response can depend on the run

More information

A new construction of 3-separable matrices via an improved decoding of Macula s construction

A new construction of 3-separable matrices via an improved decoding of Macula s construction Dscrete Optmzaton 5 008 700 704 Contents lsts avalable at ScenceDrect Dscrete Optmzaton journal homepage: wwwelsevercom/locate/dsopt A new constructon of 3-separable matrces va an mproved decodng of Macula

More information

Using T.O.M to Estimate Parameter of distributions that have not Single Exponential Family

Using T.O.M to Estimate Parameter of distributions that have not Single Exponential Family IOSR Journal of Mathematcs IOSR-JM) ISSN: 2278-5728. Volume 3, Issue 3 Sep-Oct. 202), PP 44-48 www.osrjournals.org Usng T.O.M to Estmate Parameter of dstrbutons that have not Sngle Exponental Famly Jubran

More information

Volume 18 Figure 1. Notation 1. Notation 2. Observation 1. Remark 1. Remark 2. Remark 3. Remark 4. Remark 5. Remark 6. Theorem A [2]. Theorem B [2].

Volume 18 Figure 1. Notation 1. Notation 2. Observation 1. Remark 1. Remark 2. Remark 3. Remark 4. Remark 5. Remark 6. Theorem A [2]. Theorem B [2]. Bulletn of Mathematcal Scences and Applcatons Submtted: 016-04-07 ISSN: 78-9634, Vol. 18, pp 1-10 Revsed: 016-09-08 do:10.1805/www.scpress.com/bmsa.18.1 Accepted: 016-10-13 017 ScPress Ltd., Swtzerland

More information

Appendix B. Criterion of Riemann-Stieltjes Integrability

Appendix B. Criterion of Riemann-Stieltjes Integrability Appendx B. Crteron of Remann-Steltes Integrablty Ths note s complementary to [R, Ch. 6] and [T, Sec. 3.5]. The man result of ths note s Theorem B.3, whch provdes the necessary and suffcent condtons for

More information

FACTORIZATION IN KRULL MONOIDS WITH INFINITE CLASS GROUP

FACTORIZATION IN KRULL MONOIDS WITH INFINITE CLASS GROUP C O L L O Q U I U M M A T H E M A T I C U M VOL. 80 1999 NO. 1 FACTORIZATION IN KRULL MONOIDS WITH INFINITE CLASS GROUP BY FLORIAN K A I N R A T H (GRAZ) Abstract. Let H be a Krull monod wth nfnte class

More information

ELASTIC WAVE PROPAGATION IN A CONTINUOUS MEDIUM

ELASTIC WAVE PROPAGATION IN A CONTINUOUS MEDIUM ELASTIC WAVE PROPAGATION IN A CONTINUOUS MEDIUM An elastc wave s a deformaton of the body that travels throughout the body n all drectons. We can examne the deformaton over a perod of tme by fxng our look

More information

Speeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem

Speeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem H.K. Pathak et. al. / (IJCSE) Internatonal Journal on Computer Scence and Engneerng Speedng up Computaton of Scalar Multplcaton n Ellptc Curve Cryptosystem H. K. Pathak Manju Sangh S.o.S n Computer scence

More information

Recover plaintext attack to block ciphers

Recover plaintext attack to block ciphers Recover plantext attac to bloc cphers L An-Png Bejng 100085, P.R.Chna apl0001@sna.com Abstract In ths paper, we wll present an estmaton for the upper-bound of the amount of 16-bytes plantexts for Englsh

More information

Numerical Heat and Mass Transfer

Numerical Heat and Mass Transfer Master degree n Mechancal Engneerng Numercal Heat and Mass Transfer 06-Fnte-Dfference Method (One-dmensonal, steady state heat conducton) Fausto Arpno f.arpno@uncas.t Introducton Why we use models and

More information

Maximizing the number of nonnegative subsets

Maximizing the number of nonnegative subsets Maxmzng the number of nonnegatve subsets Noga Alon Hao Huang December 1, 213 Abstract Gven a set of n real numbers, f the sum of elements of every subset of sze larger than k s negatve, what s the maxmum

More information

find (x): given element x, return the canonical element of the set containing x;

find (x): given element x, return the canonical element of the set containing x; COS 43 Sprng, 009 Dsjont Set Unon Problem: Mantan a collecton of dsjont sets. Two operatons: fnd the set contanng a gven element; unte two sets nto one (destructvely). Approach: Canoncal element method:

More information

Outline. Communication. Bellman Ford Algorithm. Bellman Ford Example. Bellman Ford Shortest Path [1]

Outline. Communication. Bellman Ford Algorithm. Bellman Ford Example. Bellman Ford Shortest Path [1] DYNAMIC SHORTEST PATH SEARCH AND SYNCHRONIZED TASK SWITCHING Jay Wagenpfel, Adran Trachte 2 Outlne Shortest Communcaton Path Searchng Bellmann Ford algorthm Algorthm for dynamc case Modfcatons to our algorthm

More information

THE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens

THE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens THE CHINESE REMAINDER THEOREM KEITH CONRAD We should thank the Chnese for ther wonderful remander theorem. Glenn Stevens 1. Introducton The Chnese remander theorem says we can unquely solve any par of

More information

Lecture 4: November 17, Part 1 Single Buffer Management

Lecture 4: November 17, Part 1 Single Buffer Management Lecturer: Ad Rosén Algorthms for the anagement of Networs Fall 2003-2004 Lecture 4: November 7, 2003 Scrbe: Guy Grebla Part Sngle Buffer anagement In the prevous lecture we taled about the Combned Input

More information

CHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE

CHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE CHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE Analytcal soluton s usually not possble when exctaton vares arbtrarly wth tme or f the system s nonlnear. Such problems can be solved by numercal tmesteppng

More information

Finding Dense Subgraphs in G(n, 1/2)

Finding Dense Subgraphs in G(n, 1/2) Fndng Dense Subgraphs n Gn, 1/ Atsh Das Sarma 1, Amt Deshpande, and Rav Kannan 1 Georga Insttute of Technology,atsh@cc.gatech.edu Mcrosoft Research-Bangalore,amtdesh,annan@mcrosoft.com Abstract. Fndng

More information

VQ widely used in coding speech, image, and video

VQ widely used in coding speech, image, and video at Scalar quantzers are specal cases of vector quantzers (VQ): they are constraned to look at one sample at a tme (memoryless) VQ does not have such constrant better RD perfomance expected Source codng

More information

APPENDIX A Some Linear Algebra

APPENDIX A Some Linear Algebra APPENDIX A Some Lnear Algebra The collecton of m, n matrces A.1 Matrces a 1,1,..., a 1,n A = a m,1,..., a m,n wth real elements a,j s denoted by R m,n. If n = 1 then A s called a column vector. Smlarly,

More information

HMMT February 2016 February 20, 2016

HMMT February 2016 February 20, 2016 HMMT February 016 February 0, 016 Combnatorcs 1. For postve ntegers n, let S n be the set of ntegers x such that n dstnct lnes, no three concurrent, can dvde a plane nto x regons (for example, S = {3,

More information

BOUNDEDNESS OF THE RIESZ TRANSFORM WITH MATRIX A 2 WEIGHTS

BOUNDEDNESS OF THE RIESZ TRANSFORM WITH MATRIX A 2 WEIGHTS BOUNDEDNESS OF THE IESZ TANSFOM WITH MATIX A WEIGHTS Introducton Let L = L ( n, be the functon space wth norm (ˆ f L = f(x C dx d < For a d d matrx valued functon W : wth W (x postve sem-defnte for all

More information

Stanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011

Stanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011 Stanford Unversty CS359G: Graph Parttonng and Expanders Handout 4 Luca Trevsan January 3, 0 Lecture 4 In whch we prove the dffcult drecton of Cheeger s nequalty. As n the past lectures, consder an undrected

More information

= z 20 z n. (k 20) + 4 z k = 4

= z 20 z n. (k 20) + 4 z k = 4 Problem Set #7 solutons 7.2.. (a Fnd the coeffcent of z k n (z + z 5 + z 6 + z 7 + 5, k 20. We use the known seres expanson ( n+l ( z l l z n below: (z + z 5 + z 6 + z 7 + 5 (z 5 ( + z + z 2 + z + 5 5

More information

Problem Solving in Math (Math 43900) Fall 2013

Problem Solving in Math (Math 43900) Fall 2013 Problem Solvng n Math (Math 43900) Fall 2013 Week four (September 17) solutons Instructor: Davd Galvn 1. Let a and b be two nteger for whch a b s dvsble by 3. Prove that a 3 b 3 s dvsble by 9. Soluton:

More information

COS 511: Theoretical Machine Learning. Lecturer: Rob Schapire Lecture # 15 Scribe: Jieming Mao April 1, 2013

COS 511: Theoretical Machine Learning. Lecturer: Rob Schapire Lecture # 15 Scribe: Jieming Mao April 1, 2013 COS 511: heoretcal Machne Learnng Lecturer: Rob Schapre Lecture # 15 Scrbe: Jemng Mao Aprl 1, 013 1 Bref revew 1.1 Learnng wth expert advce Last tme, we started to talk about learnng wth expert advce.

More information

Assortment Optimization under MNL

Assortment Optimization under MNL Assortment Optmzaton under MNL Haotan Song Aprl 30, 2017 1 Introducton The assortment optmzaton problem ams to fnd the revenue-maxmzng assortment of products to offer when the prces of products are fxed.

More information

a b a In case b 0, a being divisible by b is the same as to say that

a b a In case b 0, a being divisible by b is the same as to say that Secton 6.2 Dvsblty among the ntegers An nteger a ε s dvsble by b ε f there s an nteger c ε such that a = bc. Note that s dvsble by any nteger b, snce = b. On the other hand, a s dvsble by only f a = :

More information

Online Appendix. t=1 (p t w)q t. Then the first order condition shows that

Online Appendix. t=1 (p t w)q t. Then the first order condition shows that Artcle forthcomng to ; manuscrpt no (Please, provde the manuscrpt number!) 1 Onlne Appendx Appendx E: Proofs Proof of Proposton 1 Frst we derve the equlbrum when the manufacturer does not vertcally ntegrate

More information

Module 9. Lecture 6. Duality in Assignment Problems

Module 9. Lecture 6. Duality in Assignment Problems Module 9 1 Lecture 6 Dualty n Assgnment Problems In ths lecture we attempt to answer few other mportant questons posed n earler lecture for (AP) and see how some of them can be explaned through the concept

More information

Comments on a secure dynamic ID-based remote user authentication scheme for multiserver environment using smart cards

Comments on a secure dynamic ID-based remote user authentication scheme for multiserver environment using smart cards Comments on a secure dynamc ID-based remote user authentcaton scheme for multserver envronment usng smart cards Debao He chool of Mathematcs tatstcs Wuhan nversty Wuhan People s Republc of Chna Emal: hedebao@63com

More information

The Geometry of Logit and Probit

The Geometry of Logit and Probit The Geometry of Logt and Probt Ths short note s meant as a supplement to Chapters and 3 of Spatal Models of Parlamentary Votng and the notaton and reference to fgures n the text below s to those two chapters.

More information

CHAPTER 17 Amortized Analysis

CHAPTER 17 Amortized Analysis CHAPTER 7 Amortzed Analyss In an amortzed analyss, the tme requred to perform a sequence of data structure operatons s averaged over all the operatons performed. It can be used to show that the average

More information

Lecture 13 APPROXIMATION OF SECOMD ORDER DERIVATIVES

Lecture 13 APPROXIMATION OF SECOMD ORDER DERIVATIVES COMPUTATIONAL FLUID DYNAMICS: FDM: Appromaton of Second Order Dervatves Lecture APPROXIMATION OF SECOMD ORDER DERIVATIVES. APPROXIMATION OF SECOND ORDER DERIVATIVES Second order dervatves appear n dffusve

More information

6.842 Randomness and Computation February 18, Lecture 4

6.842 Randomness and Computation February 18, Lecture 4 6.842 Randomness and Computaton February 18, 2014 Lecture 4 Lecturer: Rontt Rubnfeld Scrbe: Amartya Shankha Bswas Topcs 2-Pont Samplng Interactve Proofs Publc cons vs Prvate cons 1 Two Pont Samplng 1.1

More information

n α j x j = 0 j=1 has a nontrivial solution. Here A is the n k matrix whose jth column is the vector for all t j=0

n α j x j = 0 j=1 has a nontrivial solution. Here A is the n k matrix whose jth column is the vector for all t j=0 MODULE 2 Topcs: Lnear ndependence, bass and dmenson We have seen that f n a set of vectors one vector s a lnear combnaton of the remanng vectors n the set then the span of the set s unchanged f that vector

More information

A Robust Method for Calculating the Correlation Coefficient

A Robust Method for Calculating the Correlation Coefficient A Robust Method for Calculatng the Correlaton Coeffcent E.B. Nven and C. V. Deutsch Relatonshps between prmary and secondary data are frequently quantfed usng the correlaton coeffcent; however, the tradtonal

More information

Outline and Reading. Dynamic Programming. Dynamic Programming revealed. Computing Fibonacci. The General Dynamic Programming Technique

Outline and Reading. Dynamic Programming. Dynamic Programming revealed. Computing Fibonacci. The General Dynamic Programming Technique Outlne and Readng Dynamc Programmng The General Technque ( 5.3.2) -1 Knapsac Problem ( 5.3.3) Matrx Chan-Product ( 5.3.1) Dynamc Programmng verson 1.4 1 Dynamc Programmng verson 1.4 2 Dynamc Programmng

More information

Foundations of Arithmetic

Foundations of Arithmetic Foundatons of Arthmetc Notaton We shall denote the sum and product of numbers n the usual notaton as a 2 + a 2 + a 3 + + a = a, a 1 a 2 a 3 a = a The notaton a b means a dvdes b,.e. ac = b where c s an

More information

Example: (13320, 22140) =? Solution #1: The divisors of are 1, 2, 3, 4, 5, 6, 9, 10, 12, 15, 18, 20, 27, 30, 36, 41,

Example: (13320, 22140) =? Solution #1: The divisors of are 1, 2, 3, 4, 5, 6, 9, 10, 12, 15, 18, 20, 27, 30, 36, 41, The greatest common dvsor of two ntegers a and b (not both zero) s the largest nteger whch s a common factor of both a and b. We denote ths number by gcd(a, b), or smply (a, b) when there s no confuson

More information

Time-Varying Systems and Computations Lecture 6

Time-Varying Systems and Computations Lecture 6 Tme-Varyng Systems and Computatons Lecture 6 Klaus Depold 14. Januar 2014 The Kalman Flter The Kalman estmaton flter attempts to estmate the actual state of an unknown dscrete dynamcal system, gven nosy

More information

Tornado and Luby Transform Codes. Ashish Khisti Presentation October 22, 2003

Tornado and Luby Transform Codes. Ashish Khisti Presentation October 22, 2003 Tornado and Luby Transform Codes Ashsh Khst 6.454 Presentaton October 22, 2003 Background: Erasure Channel Elas[956] studed the Erasure Channel β x x β β x 2 m x 2 k? Capacty of Noseless Erasure Channel

More information