Concurrent Blind Signatures without Random Oracles
Aggelos Kiayias, Hong-Sheng Zhou

Abstract

We present a blind signature scheme that is efficient and provably secure without random oracles under concurrent attacks, utilizing only four moves of short communication. The scheme is based on elliptic curve groups for which a bilinear map exists and on extractable and equivocable commitments. The unforgeability of the employed signature scheme is guaranteed by the LRSW assumption while the blindness property of our scheme is guaranteed by the Decisional Linear Diffie-Hellman assumption. We prove our construction secure under the above assumptions as well as Paillier's DCR assumption in the concurrent attack model of Juels, Luby and Ostrovsky from Crypto '97 using a common reference string. Our construction is the first efficient construction for blind signatures in such a concurrent model without random oracles. We present two variants of our basic protocol: first, a blind signature scheme where blindness still holds even if the public-key generation is maliciously controlled; second, a blind signature scheme that incorporates a public-tagging mechanism. This latter variant of our scheme gives rise to a partially blind signature with essentially the same efficiency and security properties as our basic scheme.

1 Introduction

Blind signatures were introduced by Chaum in [Cha82] and proved to be a most useful cryptographic scheme that has been the basis of many complex cryptographic constructions including e-cash systems and e-voting schemes. Informally, a blind signature is a signature scheme that incorporates a signing protocol that allows the signer to sign a document submitted by a user blindly, i.e., without obtaining any information about the document itself.

It was observed early on (at least as early as [Dam88], see also [PW91]) that blind signatures contain an instance of a secure function evaluation protocol in the following sense: the user possesses a private input $m$ and a public input $pk$ which is the verification key of a digital signature algorithm, and the signer possesses a private input $sk$ which is the signing key of the digital signature algorithm; with this setup the user and the signer should execute a probabilistic secure function evaluation protocol that will allow the user to compute $\sigma$, a signature on $m$ under $pk$, without revealing $m$ to the signer and without the signer revealing $sk$ to the user. Given the complexity of general secure function evaluation [Yao86, GMW87], though, in early work on blind signatures this paradigm was not very motivating. A more motivating paradigm was found in divertible zero-knowledge proofs [OO89, Oka92, CDP94] and many blind signatures were subsequently designed along this line of reasoning [PS96, PS97, Poi98, AO00, AO01, Abe01]; the first attempt to give provably secure constructions (in the random oracle model) was due to [PS96]. Regarding provably secure constructions, Pointcheval and Stern [PS96] presented secure blind signatures with three communication moves that were proven secure in the random oracle model under the discrete-logarithm assumption, assuming only logarithmically many messages were transmitted by the user. This result was later improved to polynomially many messages but five communication moves [Poi98], and the round complexity was finally decreased to three moves and polynomially many messages in [AO01, Abe01]. A two-move protocol was presented in [BNPS01] assuming the RSA inversion oracle assumption. We stress that all these results were proven secure in the random oracle model.

Concurrency in the context of blind signatures was put forth by Juels, Luby and Ostrovsky [JLO97], who presented the first security model for blind signatures that takes into account that the adversary may launch many concurrent sessions of the blind signing protocol (operating as either the user or the signer). Concurrency is particularly important since in implementations of blind signatures in e-voting and e-cash schemes, see e.g. [Cha82, FOO92, Kim04], the signer is a multi-threaded server that accepts many concurrent sessions of users that are executing the signing protocol. Thus, it is of crucial importance to consider the security of blind signatures when (1) a malicious signer attempts to defeat the blindness of many concurrently joining users, and (2) a coalition of malicious users attempts to extract information about the signing key of the multi-threaded signer server. Still, the design of schemes that satisfy such stronger models proved elusive. In fact, Lindell [Lin03] showed that concurrent security for blind signatures is impossible in the bare model (i.e., without any setup assumption). On the other hand, in the CRS model, Canetti et al. [CLOS02] gave a generic construction for multi-party secure function evaluation that achieves an even stronger notion of security than concurrency (universal composition) and can be used to solve (generically) the blind signature problem using a CRS. Note that this construction is not efficient, and some trusted setup assumption such as using a CRS is necessary for a blind signature given the result of Lindell [Lin03].

Footnote: An earlier version of this paper was titled "Two-round Concurrent Blind Signatures without Random Oracles", with each round meant to include two moves; this proved to be confusing with respect to the use of the term "round" in previous works and thus "two-round" was removed from the title. The protocols presented in all versions of the present work have always been 4-move protocols.

Affiliation: University of Connecticut, Computer Science and Engineering, Storrs, CT, USA, {aggelos,hszhou}@cse.uconn.edu. Research partly supported by NSF CAREER Award CNS
More recently, Camenisch et al. [CKW04], using a weaker model than that of [JLO97] that only allowed sequential attacks, presented an eight-move blind signature scheme that is based on the Strong-RSA assumption, leaving as an open problem the possibility of achieving concurrent security in an efficient scheme.

Our Contribution. In this paper, we give the first efficient construction for blind signatures to achieve concurrent security in the sense of [JLO97] assuming a common reference string. The four-move interaction between the user and the signer in the signing protocol requires overall communication not exceeding 2 Kbytes (about 10.2 Kbits to be precise) for a full signature generation. Achieving this level of efficiency while simultaneously maintaining provability in a concurrency model required the careful composition of a number of cryptographic primitives. As our underlying digital signature scheme (i.e., the type of signature that is obtained by users) we use the elliptic curve based signature scheme of Camenisch and Lysyanskaya [CL04] (henceforth called a CL signature). We also employ a variant of Linear Encryption, an encryption scheme that was originally introduced in the context of group signatures by Boneh, Boyen and Shacham [BBS04]. Here we find a novel use of this primitive in the context of blind signatures. In addition to these primitives, our construction makes essential use of discrete-logarithm equivocal commitments based on Pedersen commitments [Ped91] and extractable commitments based on Paillier encryption [Pai99].

The central idea of our construction is to use a variant of Linear Encryption to produce a very efficient secure function evaluation protocol for CL signatures that proceeds roughly as follows: the user selects on the fly a key for the encryption scheme and encrypts her message with it. The signer, upon receiving this encryption, takes advantage of the homomorphic properties of the encryption to blindly transform the ciphertext into a randomized encryption of a CL signature and then transmits the resulting rerandomized ciphertext back to the user. We make essential use of the homomorphic properties of the underlying encryption in the efficient generation of non-adversarial randomness between the mutually distrustful players.

In order to prove security under concurrent attacks, a number of provisions have to be taken in the blind signature protocol design. Most importantly, in our signing protocol both sides will be required to prove statements about their local computations. As a result, performing the whole protocol in four moves is one of the most delicate parts of our construction. The homomorphic encryption based interaction that is used for the secure signature computation needs to be paired with an extractable commitment. Moreover, an equivocable commitment is used for ensuring that no information leakage occurs from the user to the signer or vice versa. Finally, the signer proves to the user that he is following the protocol specifications and is applying his signing key to the user's ciphertext, whereas the user has to prove that he is consistent across his commitments. The construction is proven to satisfy the two properties of the [JLO97] model as follows: the blindness property is ensured under the Decisional Composite Residuosity assumption of [Pai99] and the Decision Linear Diffie-Hellman assumption of [BBS04]. The unforgeability property is proven under the LRSW assumption of [LRSW99]. Note that the resulting signature from the signing protocol is about half the size of an RSA based Chaum blind signature.

Stronger blindness property. We consider a stronger adversarial model for blindness where the public key is adversarially controlled; we show how it is possible to modify our basic protocol in a straightforward way to achieve this stronger blindness property.

Public-tagging and partial blindness. We finally provide an extension of our scheme that allows the public-tagging of blindly signed messages, i.e., all messages that are obtained by the users also contain a publicly known tag that is decided prior to the signing protocol execution. This extension is essentially equivalent to a partially blind signature construction, a notion that was formalized in [AF96]. In a partially blind signature every message is tagged with a public string that is produced jointly by the user and the signer. The blindness property is then restricted to hold only for blind signatures with the same tag. Partial blindness is important as it allows the signer to reuse the same public key for a variety of different blind signature functions.

2 Preliminaries

Bilinear Groups. Let $G = \langle g \rangle$ be a cyclic group of prime order $p$ such that $e : G \times G \to G_T$ is a bilinear map, i.e., for all $t, v \in G$ and $a, b \in \mathbb{Z}$ it holds that $e(t^a, v^b) = e(t, v)^{ab}$, and $e$ is non-trivial, i.e., $e(g, g) \neq 1$. Note that $|G_T| = p$.

Camenisch-Lysyanskaya Signature.
Camenisch and Lysyanskaya [CL04] proposed a digital signature scheme (which we will call CL-signature for short) that is adaptively chosen message secure in the standard model. Our blind signature will be based on this signature scheme and we describe it below:

- The key generation algorithm $gen_{CL}$: generate the bilinear group parameter $(p, G, G_T, g, e)$; then choose $x, y \leftarrow \mathbb{Z}_p$ and compute $X = g^x$ and $Y = g^y$; set the secret key $sk = (x, y)$ and the public key $pk = (p, G, G_T, g, e; X, Y)$.
- The signing algorithm $sign_{CL}$: on input message $m$, secret key $sk = (x, y)$ and public key $pk = (p, G, G_T, g, e; X, Y)$, choose a random $a \leftarrow G$ and output the signature $\sigma = (a, a^y, a^{x+mxy})$.
- The verification algorithm $verify_{CL}$: on input public key $pk = (p, G, G_T, g, e; X, Y)$, message $m$ and signature $\sigma = (a, b, c)$, check whether the verification equations $e(a, Y) = e(g, b)$ and $e(X, a)\,e(X, b)^m = e(g, c)$ hold.

The underlying assumption of CL-signatures is called the LRSW assumption, which was introduced by Lysyanskaya et al. [LRSW99]. Note that in that paper it was also shown that this assumption holds for generic groups.

Assumption 2.1 (LRSW Assumption). Given the bilinear group parameters $(p, g, G, G_T, e)$, let $X, Y \in G$, $X = g^x$, $Y = g^y$, and define $O_{X,Y}(\cdot)$ to be an oracle that, on input a value $m \in \mathbb{Z}_p$, outputs a triple $(a, b, c)$ such that $b = a^y$ and $c = a^{x+mxy}$ where $a \leftarrow G$. Then, for all probabilistic polynomial time adversaries $A$,

$\Pr\big[x, y \leftarrow \mathbb{Z}_p;\ X = g^x;\ Y = g^y;\ (m, a, b, c) \leftarrow A^{O_{X,Y}} :\ m \notin Q \wedge m \in \mathbb{Z}_p \wedge m \neq 0 \wedge a \in G \wedge b = a^y \wedge c = a^{x+mxy}\big] \le \epsilon$

where $\epsilon$ is a negligible function in the security parameter $\lambda$, and $Q$ is the set of queries that $A$ made to $O_{X,Y}(\cdot)$.

Linear Encryption. Boneh et al. [BBS04] proposed a variant of ElGamal encryption, called Linear Encryption, that is suitable for groups over which the DDH assumption fails. We call it LE for short.

- The key generation algorithm $gen_{LE}$: the public key $pk$ is a triple of generators $t, v, w \in G$ and the secret key $sk$ is the pair of exponents $x, y \in \mathbb{Z}_p$ such that $t^x = v^y = w$.
- The encryption algorithm $enc_{LE}$: to encrypt a message $m \in G$, choose random values $a, b \leftarrow \mathbb{Z}_p$ and output the triple $(t^a, v^b, m \cdot w^{a+b})$.
- The decryption algorithm $dec_{LE}$: given an encryption $(T, V, W)$, recover the plaintext $m$ as $m = dec_{LE,sk}(T, V, W) = W / (T^x V^y)$.

Linear Encryption is based on the Decision Linear Diffie-Hellman assumption, which was first introduced by Boneh et al. [BBS04]. With $g \in G$ as above, along with arbitrary generators $t, v, w$ of $G$, consider the following problem:

Definition 2.2 (Decision Linear Diffie-Hellman Problem in $G$). Given $t, v, w, t^\alpha, v^\beta, w^\gamma \in G$ as input, output 1 if $\alpha + \beta = \gamma$ and 0 otherwise.

It is believed that DLDH is a hard problem even in bilinear groups where DDH is easy. We define the advantage of an algorithm $A$ in deciding the DLDH problem in $G$ as

$\mathrm{Adv}^{\mathrm{DLDH}}_A = \big|\Pr[1 \leftarrow A(t, v, w, t^\alpha, v^\beta, w^{\alpha+\beta}) : t, v, w \leftarrow G,\ \alpha, \beta \leftarrow \mathbb{Z}_p] - \Pr[1 \leftarrow A(t, v, w, t^\alpha, v^\beta, \chi) : t, v, w, \chi \leftarrow G,\ \alpha, \beta \leftarrow \mathbb{Z}_p]\big|$

Assumption 2.3 (Decision Linear Diffie-Hellman Assumption). We say that the Decision Linear Diffie-Hellman assumption holds in $G$ if for all PPT algorithms $A$ it holds that $\mathrm{Adv}^{\mathrm{DLDH}}_A$ is negligible in the security parameter $\lambda$.

Paillier Encryption. In our scheme we will employ the public-key encryption introduced by Paillier [Pai99]:

- The key generation algorithm $gen_{Pai}$: let $p$ and $q$ be random primes for which it holds that $p \neq q$, $|p| = |q|$ and $\gcd(pq, (p-1)(q-1)) = 1$; let $n = pq$, $\pi = \mathrm{lcm}(p-1, q-1)$, $K = \pi^{-1} \bmod n$ and $\mathsf{g} = (1 + n)$; the public key is $pk = (n, \mathsf{g})$ while the secret key is $sk = (p, q)$.
- The encryption algorithm $enc_{Pai}$: the plaintext set is $\mathbb{Z}_n$; given a plaintext $m$, choose a random $\zeta \leftarrow \mathbb{Z}_n^*$ and let the ciphertext be $E_m = enc_{Pai,pk}(m, \zeta) = \mathsf{g}^m \zeta^n \bmod n^2$.
- The decryption algorithm $dec_{Pai}$: given a ciphertext $E_m$, let $K = \pi^{-1} \bmod n$ and observe that $(E_m)^{\pi K} = \mathsf{g}^{m \pi K} \zeta^{n \pi K} = \mathsf{g}^{m \pi K \bmod n} \zeta^{n \pi K \bmod n\pi} = \mathsf{g}^{m \bmod n} \zeta^{0 \bmod n\pi} = \mathsf{g}^m = 1 + mn \bmod n^2$. Thus it is possible to recover $m = \dfrac{((E_m)^{\pi K} \bmod n^2) - 1}{n} \bmod n$.

The cryptosystem above has been proven semantically secure if and only if the Decisional Composite Residuosity (DCR) assumption [Pai99] is true. The advantage of an algorithm $A$ in deciding the D CR problem is defined as follows:

$\mathrm{Adv}^{\mathrm{DCR}}_A = \big|\Pr[1 \leftarrow A(z) : z \leftarrow \mathbb{Z}_{n^2}^*] - \Pr[1 \leftarrow A(z) : z \leftarrow HR^n_{n^2}]\big|$

where $HR^n_{n^2}$ is the subgroup of $n$-th residues modulo $n^2$.

Assumption 2.4 (Decisional Composite Residuosity Assumption). We say that the DCR assumption holds in $\mathbb{Z}_{n^2}^*$ if for all PPT algorithms $A$ it holds that $\mathrm{Adv}^{\mathrm{DCR}}_A$ is negligible in the security parameter $\lambda$.
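The following is an added toy implementation, not part of the paper, of the three Paillier algorithms exactly in the form given above ($\pi = \mathrm{lcm}(p-1, q-1)$, $K = \pi^{-1} \bmod n$, $m = ((E_m^{\pi K} \bmod n^2) - 1)/n \bmod n$), together with the Paillier half of the user-side consistency argument that Figure 2 later uses: the user masks $m$ with a fresh encryption $\hat E_m = \mathsf{g}^{\hat m} B_m^n$, answers challenge $d_1$ with $s_m = \hat m - d_1 m$ and $F_m = B_m A_m^{-d_1}$, and the signer checks $\hat E_m = \mathsf{g}^{s_m} F_m^n E_m^{d_1} \bmod n^2$. The primes 101 and 103, the 8-bit challenge and the range of $\hat m$ are constructed toy values (the paper's $\nu_n = 1024$ bits and $\pm[0, 2^{\lambda_0+\lambda_1+\nu_p}]$ are not used); all function names are mine.

```python
import math
import secrets


def paillier_keygen(p, q):
    """gen_Pai: n = pq, g = 1 + n; public key (n, g), secret key (p, q).
    The gcd condition is the one required by the scheme description."""
    assert p != q and math.gcd(p * q, (p - 1) * (q - 1)) == 1
    n = p * q
    return (n, 1 + n), (p, q)


def paillier_encrypt(pk, m, zeta=None):
    """enc_Pai: E_m = g^m * zeta^n mod n^2 with zeta random in Z_n^*.
    Returns (E_m, zeta): the randomness doubles as the opening of the
    extractable commitment, so the caller keeps it."""
    n, g = pk
    n2 = n * n
    if zeta is None:
        while True:
            zeta = secrets.randbelow(n - 1) + 1
            if math.gcd(zeta, n) == 1:
                break
    return (pow(g, m % n, n2) * pow(zeta, n, n2)) % n2, zeta


def paillier_decrypt(pk, sk, c):
    """dec_Pai as derived above: pi = lcm(p-1, q-1), K = pi^-1 mod n,
    c^(pi*K) = 1 + m*n mod n^2, hence m = ((c^(pi*K) mod n^2) - 1)/n mod n."""
    p, q = sk
    n, _ = pk
    n2 = n * n
    pi = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    K = pow(pi, -1, n)
    u = pow(c, pi * K, n2)
    assert (u - 1) % n == 0          # u has the form 1 + m*n
    return ((u - 1) // n) % n


def paillier_add(pk, c1, c2):
    """Additive homomorphism: Enc(m1) * Enc(m2) mod n^2 decrypts to m1 + m2 mod n."""
    n, _ = pk
    return (c1 * c2) % (n * n)


# --- Paillier side of the user's 3-move consistency proof (cf. Figure 2) -------

def sigma_commit(pk, mask_bits=16):
    """Move 1 (user): encrypt a random masking value m_hat. mask_bits is a toy
    range (assumption; the paper's range statistically hides d_1 * m)."""
    m_hat = secrets.randbelow(2 ** mask_bits)
    e_hat, b_m = paillier_encrypt(pk, m_hat)
    return e_hat, (m_hat, b_m)


def sigma_respond(pk, m, a_m, state, d1):
    """Move 3 (user): s_m = m_hat - d_1*m over the integers (may be negative),
    F_m = B_m * A_m^(-d_1) mod n^2."""
    n, _ = pk
    m_hat, b_m = state
    s_m = m_hat - d1 * m
    f_m = (b_m * pow(a_m, -d1, n * n)) % (n * n)
    return s_m, f_m


def sigma_verify(pk, e_m, e_hat, d1, s_m, f_m):
    """Signer's check: E_m in Z*_{n^2} and E_hat == g^{s_m} F_m^n E_m^{d_1} mod n^2.
    pow() with a negative exponent computes the modular inverse for negative s_m."""
    n, g = pk
    n2 = n * n
    if math.gcd(e_m, n) != 1:
        return False
    rhs = (pow(g, s_m, n2) * pow(f_m, n, n2) * pow(e_m, d1, n2)) % n2
    return e_hat == rhs


def run_consistency(pk, m, d1=None):
    """One honest run, plus a run where the signer is shown Enc(m + 1) instead of
    the E_m the response was computed for. Returns (honest_accepted, cheat_accepted)."""
    if d1 is None:
        d1 = secrets.randbelow(2 ** 8) + 1       # toy challenge, 1 <= d1 < n
    e_m, a_m = paillier_encrypt(pk, m)
    e_hat, state = sigma_commit(pk)
    s_m, f_m = sigma_respond(pk, m, a_m, state, d1)
    honest = sigma_verify(pk, e_m, e_hat, d1, s_m, f_m)
    e_other = paillier_add(pk, e_m, paillier_encrypt(pk, 1, zeta=1)[0])
    cheat = sigma_verify(pk, e_other, e_hat, d1, s_m, f_m)
    return honest, cheat


if __name__ == "__main__":
    pk, sk = paillier_keygen(101, 103)          # toy primes; never use in practice
    c, _ = paillier_encrypt(pk, 4242)
    print("decrypt:", paillier_decrypt(pk, sk, c))
    print("honest/cheat accepted:", run_consistency(pk, 4242))
```

The cheating run fails because replacing $E_m$ by $E_m \cdot \mathsf{g}$ multiplies the right-hand side by $\mathsf{g}^{d_1}$, which is not 1 as long as $d_1 \not\equiv 0 \pmod n$; this is the same reason the paper bounds $d_1$ below $p$ in its own group.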
Commitment Schemes. A commitment scheme is a protocol with two stages, the commit stage and the decommit stage, between two parties, the committer and the receiver. A commitment scheme consists of a key generation algorithm $gen$ which can be used to produce a public key $pk$, a commitment algorithm $com$ which is used by the committer to produce a commitment to the message $m$ and the decommitment information $\zeta$, i.e., $(c, \zeta) \leftarrow com_{pk}(m)$, and a decommitment verification algorithm $dec$ which can be used by the receiver to verify the decommitment information $\zeta$ and the message $m$ with respect to the commitment $c$, i.e., $dec(c, m, \zeta) \in \{0, 1\}$. Frequently the decommitment information $\zeta$ is the random coins used by the commitment algorithm and we will write $c \leftarrow com_{pk}(m, \zeta)$. A commitment scheme must satisfy two properties: hiding, i.e., the receiver cannot obtain any information about $m$ given $com_{pk}(m, \zeta)$; and binding, i.e., the committer cannot change his mind about $m$ later: he cannot change the decommitment verification information $(m, \zeta)$ into some $(m', \zeta')$ with $m \neq m'$ such that $c \leftarrow com_{pk}(m, \zeta)$ and $dec(c, m', \zeta') = 1$. In an extractable commitment, there is trapdoor information $xk$ associated to each public key $pk$ that allows the trapdoor owner to compute $m$ from any $com_{pk}(m, \zeta)$. In an equivocable commitment, on the other hand, there is trapdoor information $ek$ associated to each public key $pk$ that allows a committer who is a trapdoor owner to compute $\zeta'$ given any $m, \zeta, m'$ and $c \leftarrow com_{pk}(m, \zeta)$ so that $dec(c, m', \zeta') = 1$.

Common Reference String Model. In the common reference string (CRS) model, we assume that each player can access a common string that is guaranteed to come from a prescribed distribution. Furthermore, no player (including the adversaries) knows the trapdoor information related to the procedure of choosing the string. The trapdoor will be known to the simulator in the proof of security. In practice, a trusted third party can generate the CRS by running the CRS generator $K$, i.e., $(crs, \tau) \leftarrow K(1^\lambda)$, and discarding the trapdoor $\tau$.
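To make the two primitives of this section concrete, here is an added Python example (not the paper's code) covering both the Linear Encryption paragraph above and the commitment definitions just given: a Pedersen-style commitment with CRS $\mathbf{h} = \mathbf{g}^r$ whose trapdoor $r$ lets its owner equivocate exactly as defined for an equivocable commitment, and Linear Encryption generated the way the user does in Section 4.1 ($t^\delta = v^\xi = w$), including the component-wise ciphertext multiplication the signer relies on. The group is the order-509 subgroup of $\mathbb{Z}_{1019}^*$, a constructed safe-prime group that stands in for the paper's elliptic-curve and bilinear groups only so the code runs without a pairing library; all function names are mine.

```python
import secrets

# Constructed toy group: Q = 2P + 1 is a safe prime, so the quadratic residues of
# Z_Q^* form a cyclic subgroup of prime order P, generated by G_GEN = 2^2.
# (Assumption: this replaces the paper's prime-order elliptic-curve groups.)
Q = 1019
P = 509
G_GEN = 4


def _is_prime(x):
    """Trial division; adequate for the toy sizes used here."""
    if x < 2:
        return False
    d = 2
    while d * d <= x:
        if x % d == 0:
            return False
        d += 1
    return True


assert _is_prime(Q) and _is_prime(P) and Q == 2 * P + 1
assert G_GEN != 1 and pow(G_GEN, P, Q) == 1      # G_GEN has order exactly P


def rand_exp():
    """Uniform non-zero exponent in Z_P."""
    return secrets.randbelow(P - 1) + 1


# --- Pedersen-like equivocable commitment (crs_1 in Section 4.1) ---------------

def pedersen_setup():
    """CRS generator K: trapdoor r, h = g^r. Returns (crs, r); deployments discard r."""
    r = rand_exp()
    return (G_GEN, pow(G_GEN, r, Q)), r


def pedersen_commit(crs, m, mu=None):
    """com_pk(m, mu) = g^m h^mu; mu is the decommitment information."""
    g, h = crs
    if mu is None:
        mu = secrets.randbelow(P)
    return (pow(g, m % P, Q) * pow(h, mu, Q)) % Q, mu


def pedersen_open(crs, c, m, mu):
    """dec(c, m, mu): accept iff c == g^m h^mu."""
    g, h = crs
    return c == (pow(g, m % P, Q) * pow(h, mu, Q)) % Q


def pedersen_equivocate(r, m, mu, m_new):
    """Trapdoor opening: g^m h^mu = g^(m + r*mu), so
    mu_new = mu + (m - m_new)/r mod P opens the same c to m_new."""
    return (mu + (m - m_new) * pow(r, -1, P)) % P


# --- Linear Encryption (Section 2; user keys as in Section 4.1) ----------------

def le_keygen():
    """gen_LE: w in G minus {1}, delta, xi in Z_P, and t, v with t^delta = v^xi = w."""
    w = pow(G_GEN, rand_exp(), Q)                 # exponent in [1, P-1], so w != 1
    delta, xi = rand_exp(), rand_exp()
    t = pow(w, pow(delta, -1, P), Q)
    v = pow(w, pow(xi, -1, P), Q)
    return (t, v, w), (delta, xi)


def le_encrypt(pk, m):
    """enc_LE: (t^a, v^b, m * w^(a+b)) for random a, b; m is a group element."""
    t, v, w = pk
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    return pow(t, a, Q), pow(v, b, Q), (m * pow(w, a + b, Q)) % Q


def le_decrypt(sk, ct):
    """dec_LE: m = W / (T^delta V^xi)."""
    delta, xi = sk
    T, V, W = ct
    return (W * pow(pow(T, delta, Q) * pow(V, xi, Q), -1, Q)) % Q


def le_mul(ct1, ct2):
    """Component-wise product encrypts the product of the plaintexts; this is the
    homomorphism the signer uses to turn the user's ciphertext into an
    encryption of a CL-signature."""
    return tuple((x * y) % Q for x, y in zip(ct1, ct2))


if __name__ == "__main__":
    crs, r = pedersen_setup()
    c, mu = pedersen_commit(crs, 17)
    mu_new = pedersen_equivocate(r, 17, mu, 99)
    print("open(17):", pedersen_open(crs, c, 17, mu), " equivocated open(99):", pedersen_open(crs, c, 99, mu_new))
    pk, sk = le_keygen()
    m1, m2 = pow(G_GEN, 5, Q), pow(G_GEN, 7, Q)
    prod = le_decrypt(sk, le_mul(le_encrypt(pk, m1), le_encrypt(pk, m2)))
    print("dec(enc(m1)*enc(m2)) == m1*m2:", prod == (m1 * m2) % Q)
```

Without $r$ the commitment is binding under DLOG in the group, which is why the paper insists that the CRS trapdoors are discarded and known only to the simulator in the security proof.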
The string $crs$ is published, and all parties receive it as additional input.

3 Formal Model for Blind Signatures

In this section, we revisit in detail the formal model for blind signatures as introduced in [JLO97] and we reformulate it in the common reference string (CRS) model. We stress again that some trusted setup assumption is necessary in the light of Lindell's negative result for blind signatures [Lin03] in the bare concurrent model.

3.1 Blind Signature Scheme

Definition 3.1 (Blind Signature Scheme). A blind digital signature scheme is a four-tuple consisting of two interactive Turing machines $(S, U)$ and two algorithms $(gen, verify)$. Here $S$ denotes the signer and $U$ the user.

- $gen(1^\lambda)$ is a probabilistic polynomial time key-generation algorithm which takes as input a security parameter $1^\lambda$ and outputs a pair $(pk, sk)$ of public and secret keys.
- $S(pk, sk)$ and $U(pk, m)$ is a pair of polynomially time bounded probabilistic interactive Turing machines, where both machines have the following tapes: a read-only input tape, a write-only output tape, a read/write work tape, a read-only random tape, and two communication tapes, a read-only and a write-only tape. They are both given on their input tapes, as a common input, a $pk$ produced by the key generation algorithm. Additionally $S$ is given on his input tape the corresponding secret key $sk$ and $U$ is given on his input tape a message $m$, where the length of all inputs must be polynomial in the security parameter $1^\lambda$. Both $U$ and $S$ engage in an interactive protocol for some polynomial in $\lambda$ number of moves. At the end of this protocol $S$ outputs either completed or not-completed and $U$ outputs either $\sigma$ or $\bot$.
- $verify(m, \sigma, pk)$ is a deterministic polynomial time algorithm which outputs 1 or 0.
The correctness requirement for the above is that for any message $m$, and for all random choices of the key generation algorithm, if both $S$ and $U$ follow the protocol then $S$ always outputs completed, and if the output of the user is $\sigma$ then $verify(m, \sigma, pk) = 1$. Note that in the CRS model both $S$ and $U$ receive the string $crs$ as additional input.

3.2 Blindness and Unforgeability

The security properties for blind signatures defined in [JLO97] are blindness and unforgeability. Below we revisit their modelling and give detailed definitions of these properties in the CRS model.

Definition 3.2 (Blindness). Assume $(crs, \tau) \leftarrow K(1^\lambda)$ and $(pk, sk) \leftarrow gen(1^\lambda)$. We define an oracle $I_\phi$ with public input $(1^\lambda, crs, pk)$ which simulates two user instantiations $U_L$ and $U_R$, where $\phi \in \{0, 1\}$. The adversary $A$ communicates with this oracle trying to predict $\phi$ given input $(1^\lambda, crs, pk, sk)$. The oracle $I_\phi$ operates as follows:

- Given $\langle challenge, m_0, m_1 \rangle$, the oracle $I_\phi$ simulates two user instantiations $U_L$ and $U_R$ with input the public key $pk$ and the messages $m_\phi$ and $m_{1-\phi}$ respectively. The oracle $I_\phi$ keeps a database with the state of each user instantiation; the state includes all coin tosses of the user instantiation and the contents of all tapes including the communication tape. The oracle uses $st_L$ (resp. $st_R$) to record the state of $U_L$ (resp. $U_R$).
- Given $\langle advance, \rho, msg \rangle$, where $\rho \in \{L, R\}$, the oracle $I_\phi$ recovers the state $st_\rho$ and simulates the user instantiation $U_\rho$ on $msg$ until $U_\rho$ either terminates or returns a response to the signer. If $U_\rho$ returns a response, then $I_\phi$ returns it to $A$. The oracle records the current state $st$ of $U_\rho$ by updating $st_\rho$ with it. Note that this kind of query can be executed several times depending on the number of moves of the blind signature protocol.
- Given $\langle terminate, msg_L, msg_R \rangle$, the oracle $I_\phi$ recovers the state $st_L$ (resp. $st_R$) and simulates the user instantiation $U_L$ (resp. $U_R$) on $msg_L$ (resp. $msg_R$) until $U_L$ (resp. $U_R$) terminates or fails. If both user instantiations terminate successfully and output two signatures, then the oracle returns these signatures to $A$; otherwise it returns $(\bot, \bot)$.

Given any probabilistic polynomial time $A$, we define its advantage against blindness as

$\mathrm{Adv}^{\mathrm{blind}}_A(\lambda) = \Big|\Pr\big[\phi \leftarrow A^{I_\phi(1^\lambda, crs, pk)}(1^\lambda, crs, pk, sk) :\ \phi \leftarrow \{0, 1\},\ (crs, \tau) \leftarrow K(1^\lambda),\ (pk, sk) \leftarrow gen(1^\lambda)\big] - \tfrac{1}{2}\Big|$

and say that the blind signature scheme satisfies the blindness property if $\mathrm{Adv}^{\mathrm{blind}}_A(\lambda)$ is negligible in $\lambda$.

Definition 3.3 (Unforgeability). We define an oracle $I$ that simulates concurrently an arbitrary number of signer instantiations. The oracle accepts two types of queries defined as follows:

- $\langle start, msg \rangle$. The oracle $I$ selects a session identifier $sid$ and simulates the signer instantiation $S$ on $msg$ until $S$ either terminates or returns a response. If the signer instance returns a response to the user, $I$ returns it together with the session identifier $sid$ as the answer to the oracle query. The oracle $I$ keeps a database with the state of $S$ for the session identifier $sid$; the state includes all coin tosses of $S$ and the contents of all tapes including the communication tape.
- $\langle advance, sid, msg \rangle$. The oracle $I$ looks up the table of sessions and recovers the state of $S$ for the session with identifier $sid$ (if session $sid$ exists). Subsequently, $I$ writes $msg$ on the communication tape of $S$ and simulates it until it either terminates or returns a response to the user. If it returns a message to the user, $I$ returns it as the answer to the oracle query. If no such session identifier exists the oracle returns fail.

The oracle $I$ maintains a counter $\ell$ that counts the number of times the oracle has successfully terminated a signer session. Each time $I$ successfully terminates a signer session it increases the counter $\ell$ by 1. A one-more forgery adversary against the blind signature is a polynomial-time probabilistic machine $A$ that is given as input $(1^\lambda, crs, pk)$ where $(crs, \tau) \leftarrow K(1^\lambda)$ and $(pk, sk) \leftarrow gen(1^\lambda)$. The adversary $A$ interacts with $I(crs, pk, sk)$ and terminates by returning a sequence $(m_1, \sigma_1), \ldots, (m_{\ell'}, \sigma_{\ell'})$ where $m_i \neq m_j$ for all $i, j$ with $1 \le i \neq j \le \ell'$. We define the advantage of $A$ in the above attack by

$\mathrm{Adv}^{\mathrm{unforge}}_A(\lambda) = \Pr\Big[\bigwedge_{i=1}^{\ell'} \big(1 \leftarrow verify(pk, m_i, \sigma_i)\big) \wedge (\ell' > \ell)\Big]$

and say that the blind signature scheme is unforgeable if $\mathrm{Adv}^{\mathrm{unforge}}_A(\lambda)$ is negligible in $\lambda$.

4 The Proposed Scheme

4.1 Setup and Generation of Keys

We start the description of our construction by describing the setup as well as the way that the involved parties, the user and the signer, generate their keys.

Public Parameters. The public parameter $pub$ contains general information about all protocol executions as well as a specific, appropriately selected bilinear group parameter $(p, G, G_T, g, e)$.

Common Reference String. Next we describe how the common reference string $crs$ is selected. It includes two parts, $crs_1$ and $crs_2$. First, we generate parameters for a Pedersen-like [Ped91] commitment scheme over an elliptic curve group: let $\mathbf{G} = \langle \mathbf{g} \rangle$ be a cyclic elliptic curve group of prime order $Q$ (bold symbols distinguish this commitment group from the bilinear group $G$ of $pub$); select $r \leftarrow \mathbb{Z}_Q$ and compute $\mathbf{h} = \mathbf{g}^r$; set $crs_1 = \langle Q, \mathbf{g}, \mathbf{h}, \mathbf{G}, H \rangle$, where $H : \{0, 1\}^* \to \mathbb{Z}_Q$ is a collision resistant hash function, and set the trapdoor to be $\tau_1 = r$. Then we generate parameters for the Paillier encryption: let $p$ and $q$ be random primes for which it holds that $p \neq q$, $|p| = |q|$ and $\gcd(pq, (p-1)(q-1)) = 1$; let $n = pq$ and $\mathsf{g} = (1 + n)$; set $crs_2 = \langle n, \mathsf{g} \rangle$ and the trapdoor $\tau_2 = \langle p, q \rangle$. Now we have $crs = (crs_1, crs_2)$; the two trapdoors $\tau_1, \tau_2$ as well as any random coins used for the generation of $crs$ are discarded.

Signer Parameters. The signer $S$ uses the algorithm $gen$ to generate his public and secret parameters based on $pub$.
The signer selects $x, y \leftarrow \mathbb{Z}_p$ and computes $X = g^x$ and $Y = g^y$. Then he sets $PK_S = \langle X, Y \rangle$ and $SK_S = \langle x, y \rangle$; this is the key pair of $S$. We note that the parameters selected above are assumed to be long-lived, i.e., they will be used for many executions of the signing protocol. On the other hand, the user has no long-lived parameters. Still, as part of each signing protocol the user will select some public and secret key that will have the lifetime of one signing protocol execution. We stress that this is not a necessity and each user may also keep his public-key parameters the same across signing protocol executions; in fact these parameters can be part of a PKI that all users are members of. This will make the protocol's time-complexity somewhat more efficient on the side of the user (but will have the cost of maintaining a user PKI).

User Parameters. Each user $U$ generates his key pair on the fly: he selects $w \leftarrow G \setminus \{1\}$ and $\delta, \xi \leftarrow \mathbb{Z}_p$, and sets $t, v \in G$ such that $t^\delta = v^\xi = w$. He sets $PK_U = \langle t, v, w \rangle$ as his public key and keeps $SK_U = \langle \delta, \xi \rangle$ secret as his secret key.

Choice of Parameter Lengths. The lengths of the parameters $p, n, Q$ are $\nu_p, \nu_n, \nu_Q$ respectively and should be selected so that the following are satisfied: (i) the DLDH assumption holds over the bilinear group parameter $(p, G, G_T, g, e)$; (ii) the LRSW assumption holds over the bilinear group parameter $(p, G, G_T, g, e)$; (iii) the discrete-logarithm (DLOG) assumption holds over the elliptic curve cyclic group $\mathbf{G}$; (iv) the DCR assumption holds over $\mathbb{Z}_{n^2}^*$. Based on the present state of the art with respect to the solvability of the above problems, a possible choice of the parameters is for example $\nu_p = 171$ bits, $\nu_n = 1024$ bits, $\nu_Q = 171$ bits.

4.2 Signing Protocol

We give a high-level description of our protocol before presenting it in detail.

(1) First, both the user and the signer obtain the public inputs $pub$, $crs$ and $PK_S$; the signer gets the private input $SK_S$, and the user gets the private input message $m$.
(2) Then the user generates his key pair $(PK_U, SK_U)$ for Linear Encryption and keeps $SK_U$ secret; the user generates a Paillier ciphertext for the message $m$ which is used as an extractable commitment; the user generates a special Linear Encryption ciphertext for $m$ which will be signed by the signer.
(3) To guarantee that the Linear Encryption ciphertext and the Paillier ciphertext are consistent, the user interleaves within the protocol execution a 3-move Σ-protocol that shows the consistency of the commitment and the encryption. This protocol employs an equivocal Pedersen commitment scheme to allow zero-knowledge in the concurrent setting (cf. [Dam00]). When the signer successfully verifies the 3-move protocol which was initialized by the user, he transforms the Linear Encryption ciphertext using his signing key $SK_S$ and appropriately rerandomizes it. This results in an encryption of a CL-signature which will be recovered by the user using his secret key $SK_U$.
(4) To guarantee that the signer follows the protocol specifications, the signer is required to interleave a 3-move Σ-protocol as well, in order to show that he is applying his secret key appropriately to the Linear Encryption ciphertext provided by the user. Again we employ an equivocal Pedersen commitment to allow for concurrent zero-knowledge.
(5) When the user successfully verifies the final step of the signing protocol computation, he decrypts the CL-signature from the signer's ciphertext using his secret key $SK_U$ and obtains a CL-signature for the message $m$. Then he refreshes the randomness of the signature, taking advantage of the randomness homomorphic property of CL-signatures.

Σ-protocols and Round-complexity. In our signing protocol we employ two Σ-protocols, one from each side of the interaction. Both these protocols have the form ⟨commitment; challenge; response, decommitment⟩. A subtle difficulty in the design of our protocol is that if the two Σ-protocols are executed sequentially they result in an overall round complexity of six moves. In order to maintain the four-move protocol complexity we want to start the Σ-protocol of the signer side before the user side Σ-protocol terminates. Nevertheless this would violate the security property of our scheme, so, in order to allow an early start of the signer side Σ-protocol, we have the signer commit to the value he will prove a statement about and open the commitment only in case the user's side Σ-protocol verifies.

We outline the high-level description of our signing protocol in Figure 1. In the first step, the user $U$ prepares two different encryptions of his private input $m$, called $E_m$ and $\langle T, V, W \rangle$. Moreover, he computes the first move of a Σ-protocol that shows the consistency of the two encryptions and commits to it in $commitment_U$. In the second step, the signer prepares an encryption $\psi$ that can be decrypted by the user into a CL-signature but does not yet transmit this value to the user. Instead, he prepares the first move of a Σ-protocol that shows that he computed $\psi$ correctly and commits to $\psi$ as well as to the first move in $commitment_S$. In the third step, the user, given the challenge of the signer, completes the Σ-protocol that shows he computed the two encryptions $E_m$ and $\langle T, V, W \rangle$ in a consistent way and transmits to the signer the decommitment information necessary to verify the consistency of the ciphertexts. In the fourth step, the signer verifies the Σ-protocol of the user and, if it is accepted, the signer completes his Σ-protocol and transmits to the user the encryption $\psi$ as well as the decommitment information necessary to verify the claim that $\psi$ is correctly computed based on the signer's public key. Finally the user verifies the Σ-protocol and, if accepted, outputs the computed blind signature. The detailed description of the protocol is shown in Figure 2. Note that $d_1 < p$ and $d_2 < p$, i.e., $\lambda_1 < \nu_p$ and $\lambda_2 < \nu_p$. For example $\lambda_0 = \lambda_1 = \lambda_2 = 80$ bits.
Figure 1: Overview of our blind signature generation protocol.

  User $U$: $(PK_U, SK_U) \leftarrow gen_{LE}(1^\lambda)$; $E_m \leftarrow enc_{Pai}(m)$; use $enc_{LE}(\cdot)$ and $m$ to produce an appropriate ciphertext $\langle T, V, W \rangle$; compute the first move of the user side Σ-proof and commit it into $commitment_U$.
  $U \to S$: $PK_U, E_m, \langle T, V, W \rangle, commitment_U$
  Signer $S$: use the homomorphic properties of Linear Encryption and of CL-signatures to transform $\langle T, V, W \rangle$ into an encryption $\psi$ of a CL-signature $\sigma$ on the message $m$; compute the first move of the signer side Σ-proof and commit it together with $\psi$ into $commitment_S$.
  $S \to U$: $challenge_U, commitment_S$
  $U \to S$: $response_U, decommitment_U, challenge_S$
  Signer $S$: verify the 3-move Σ-protocol $\langle commitment_U; challenge_U; response_U, decommitment_U \rangle$.
  $S \to U$: $response_S, decommitment_S$
  User $U$: verify the 3-move Σ-protocol $\langle commitment_S; challenge_S; response_S, decommitment_S \rangle$, then get $\psi$ from $decommitment_S$ and decrypt it to obtain the signature.

4.3 Signature Verification

Given a message-signature pair $(m; \sigma)$, where $\sigma = \langle a, b, c \rangle$, the verification algorithm is based on the two verification equations below:

$e(a, Y) = e(g, b)$ and $e(X, a)\,e(X, b)^m = e(g, c)$.

4.4 Correctness and Security

The correctness and security of our scheme are captured by Theorem 4.1, Theorem 4.3 and Theorem 4.5 as described here.

Figure 2: Blind signature generation protocol.

  Common input: $crs = \langle Q, \mathbf{g}, \mathbf{h}, \mathbf{G}, H;\ n, \mathsf{g} \rangle$, $pub = \langle p, g, G, G_T, e \rangle$, $PK_S = \langle X, Y \rangle$.
  User $U$ holds the message $m \in [0, 2^{\nu_p}]$; signer $S$ holds $SK_S = \langle x, y \rangle$.

  Move 1 ($U \to S$):
    $(PK_U, SK_U) \leftarrow gen_{LE}(1^\lambda)$ with $PK_U = \langle t, v, w \rangle$, $SK_U = \langle \delta, \xi \rangle$;
    $\hat m \leftarrow \pm[0, 2^{\lambda_0 + \lambda_1 + \nu_p}]$, $A_m, B_m \leftarrow \mathbb{Z}_n^*$, $\alpha, k, l, \hat k, \hat l \leftarrow \mathbb{Z}_p$, $\theta \leftarrow G \setminus \{1\}$, $\mu_1 \leftarrow \mathbb{Z}_Q$;
    $E_m = \mathsf{g}^m (A_m)^n \bmod n^2$, $\hat E_m = \mathsf{g}^{\hat m} (B_m)^n \bmod n^2$;
    $T = t^k$, $V = v^l$, $W = \theta^m w^{k+l}$; $\hat T = t^{\hat k}$, $\hat V = v^{\hat l}$, $\hat W = \theta^{\hat m} w^{\hat k + \hat l}$;
    $\omega_1 = H(\hat E_m, \hat T, \hat V, \hat W)$, $C_1 = \mathbf{g}^{\omega_1} \mathbf{h}^{\mu_1}$.
    Send $PK_U, E_m, \theta, T, V, W, C_1$.

  Move 2 ($S \to U$):
    $d_1 \leftarrow \{0, 1\}^{\lambda_1}$; $\alpha', k', l', \hat x, \hat k', \hat l' \leftarrow \mathbb{Z}_p$, $\mu_2 \leftarrow \mathbb{Z}_Q$;
    $a' = \theta^{\alpha'}$, $b' = \theta^{y\alpha'}$;
    $T' = T^{xy\alpha'} t^{k'\alpha'}$, $V' = V^{xy\alpha'} v^{l'\alpha'}$, $W' = W^{xy\alpha'} \theta^{x\alpha'} w^{(k'+l')\alpha'}$;
    $L_T = e(T, b')^{\hat x} e(t, a')^{\hat k'}$, $L_V = e(V, b')^{\hat x} e(v, a')^{\hat l'}$, $L_W = (e(W, b')\,e(\theta, a'))^{\hat x} e(w, a')^{\hat k' + \hat l'}$;
    $\omega_2 = H(a', b', T', V', W', L_T, L_V, L_W)$, $C_2 = \mathbf{g}^{\omega_2} \mathbf{h}^{\mu_2}$.
    Send $d_1, C_2$.

  Move 3 ($U \to S$):
    $d_2 \leftarrow \{0, 1\}^{\lambda_2}$; $s_m = \hat m - d_1 m$ (in $\mathbb{Z}$), $s_k = \hat k - d_1 k$, $s_l = \hat l - d_1 l$, $F_m = B_m (A_m)^{-d_1} \bmod n^2$.
    Send $d_2, s_m, s_k, s_l, F_m, \hat E_m, \hat T, \hat V, \hat W, \mu_1$.

  $S$ verifies: $E_m \in \mathbb{Z}_{n^2}^*$; $s_m \in \pm[0, 2^{\lambda_0 + \lambda_1 + \nu_p + 1}]$; $\omega_1 = H(\hat E_m, \hat T, \hat V, \hat W)$ and $C_1 = \mathbf{g}^{\omega_1} \mathbf{h}^{\mu_1}$; $\hat E_m = \mathsf{g}^{s_m} (F_m)^n (E_m)^{d_1} \bmod n^2$; $\hat T = t^{s_k} T^{d_1}$, $\hat V = v^{s_l} V^{d_1}$, $\hat W = \theta^{s_m} w^{s_k + s_l} W^{d_1}$.

  Move 4 ($S \to U$):
    $s_x = \hat x - d_2 x$, $s_{k'} = \hat k' - d_2 k'$, $s_{l'} = \hat l' - d_2 l'$.
    Send $s_x, s_{k'}, s_{l'}, a', b', T', V', W', L_T, L_V, L_W, \mu_2$.

  $U$ verifies: $\omega_2 = H(a', b', T', V', W', L_T, L_V, L_W)$ and $C_2 = \mathbf{g}^{\omega_2} \mathbf{h}^{\mu_2}$; $e(a', Y) = e(b', g)$; $L_T = e(T, b')^{s_x} e(t, a')^{s_{k'}} e(T', \theta)^{d_2}$; $L_V = e(V, b')^{s_x} e(v, a')^{s_{l'}} e(V', \theta)^{d_2}$; $L_W = (e(W, b')\,e(\theta, a'))^{s_x} e(w, a')^{s_{k'} + s_{l'}} e(W', \theta)^{d_2}$.
    Then $a = (a')^\alpha$, $b = (b')^\alpha$, $c = \big(W' / (T'^{\delta} V'^{\xi})\big)^\alpha$; $\sigma = \langle a, b, c \rangle$; output $(m; \sigma)$.

Correctness

Theorem 4.1 (Correctness). If the signer and the user follow the signing protocol, the resulting signature satisfies the verification equations with probability 1.

Proof. First, we check the correctness of the verification equations for the Σ-protocols.
$$\hat E_m = g^{\hat m}(B_m)^n = g^{s_m + d_1 m}\big(F_m (A_m)^{d_1}\big)^n = \big(g^{s_m}(F_m)^n\big)\big(g^m (A_m)^n\big)^{d_1} = g^{s_m}(F_m)^n (E_m)^{d_1} \pmod{n^2},$$
$$\hat W = \theta^{\hat m} w^{\hat k + \hat l} = \theta^{s_m + d_1 m} w^{(s_k+s_l) + d_1(k+l)} = \big(\theta^{s_m} w^{s_k+s_l}\big)\big(\theta^m w^{k+l}\big)^{d_1} = \theta^{s_m} w^{s_k+s_l} W^{d_1},$$
$$\hat T = t^{\hat k} = t^{s_k + d_1 k} = t^{s_k}(t^k)^{d_1} = t^{s_k} T^{d_1}, \qquad \hat V = v^{\hat l} = v^{s_l + d_1 l} = v^{s_l}(v^l)^{d_1} = v^{s_l} V^{d_1};$$
$$\begin{aligned}
L_T &= e(T,b')^{\hat x}\, e(t,a')^{\hat k'} = e(T,b')^{s_x + d_2 x}\, e(t,a')^{s_{k'} + d_2 k'} \\
    &= e(T,b')^{s_x} e(t,a')^{s_{k'}} \big(e(T,b')^{x}\, e(t,a')^{k'}\big)^{d_2}
     = e(T,b')^{s_x} e(t,a')^{s_{k'}} \big(e(T,\theta^{y\alpha'})^{x}\, e(t,\theta^{\alpha'})^{k'}\big)^{d_2} \\
    &= e(T,b')^{s_x} e(t,a')^{s_{k'}} \big(e(T^{xy\alpha'},\theta)\, e(t^{k'\alpha'},\theta)\big)^{d_2}
     = e(T,b')^{s_x} e(t,a')^{s_{k'}}\, e(T^{xy\alpha'} t^{k'\alpha'},\theta)^{d_2}
     = e(T,b')^{s_x} e(t,a')^{s_{k'}}\, e(T',\theta)^{d_2},
\end{aligned}$$
$$\begin{aligned}
L_V &= e(V,b')^{\hat x}\, e(v,a')^{\hat l'} = e(V,b')^{s_x + d_2 x}\, e(v,a')^{s_{l'} + d_2 l'} \\
    &= e(V,b')^{s_x} e(v,a')^{s_{l'}} \big(e(V,b')^{x}\, e(v,a')^{l'}\big)^{d_2}
     = e(V,b')^{s_x} e(v,a')^{s_{l'}} \big(e(V,\theta^{y\alpha'})^{x}\, e(v,\theta^{\alpha'})^{l'}\big)^{d_2} \\
    &= e(V,b')^{s_x} e(v,a')^{s_{l'}} \big(e(V^{xy\alpha'},\theta)\, e(v^{l'\alpha'},\theta)\big)^{d_2}
     = e(V,b')^{s_x} e(v,a')^{s_{l'}}\, e(V^{xy\alpha'} v^{l'\alpha'},\theta)^{d_2}
     = e(V,b')^{s_x} e(v,a')^{s_{l'}}\, e(V',\theta)^{d_2},
\end{aligned}$$
$$\begin{aligned}
L_W &= \big(e(W,b')\,e(\theta,a')\big)^{\hat x}\, e(w,a')^{\hat k' + \hat l'}
     = \big(e(W,b')\,e(\theta,a')\big)^{s_x + d_2 x}\, e(w,a')^{(s_{k'}+s_{l'}) + d_2(k'+l')} \\
    &= \big(e(W,b')\,e(\theta,a')\big)^{s_x} e(w,a')^{s_{k'}+s_{l'}} \Big(\big(e(W,b')\,e(\theta,a')\big)^{x} e(w,a')^{k'+l'}\Big)^{d_2} \\
    &= \big(e(W,b')\,e(\theta,a')\big)^{s_x} e(w,a')^{s_{k'}+s_{l'}} \Big(\big(e(W,\theta^{y\alpha'})\,e(\theta,\theta^{\alpha'})\big)^{x} e(w,\theta^{\alpha'})^{k'+l'}\Big)^{d_2} \\
    &= \big(e(W,b')\,e(\theta,a')\big)^{s_x} e(w,a')^{s_{k'}+s_{l'}}\, e\big(W^{xy\alpha'}\theta^{x\alpha'} w^{(k'+l')\alpha'},\theta\big)^{d_2}
     = \big(e(W,b')\,e(\theta,a')\big)^{s_x} e(w,a')^{s_{k'}+s_{l'}}\, e(W',\theta)^{d_2}.
\end{aligned}$$

Then we check the correctness of the CL-signature:
$$a = (a')^\alpha = \theta^{\alpha\alpha'}, \qquad b = (b')^\alpha = (\theta^y)^{\alpha\alpha'} = (\theta^{\alpha\alpha'})^y = a^y,$$
$$\begin{aligned}
c &= \Big(W' / \big((T')^\delta (V')^\xi\big)\Big)^\alpha
   = \Big(\big(W^{xy}\theta^x w^{k'+l'}\big) \big/ \big((T^{xy} t^{k'})^\delta (V^{xy} v^{l'})^\xi\big)\Big)^{\alpha\alpha'} \\
  &= \Big(\big(W/(T^\delta V^\xi)\big)^{xy}\, \theta^x\, \big(w^{k'+l'} / (t^{\delta k'} v^{\xi l'})\big)\Big)^{\alpha\alpha'}
   = \big((\theta^m)^{xy}\, \theta^x \cdot 1\big)^{\alpha\alpha'} = (\theta^{\alpha\alpha'})^{mxy + x} = a^{mxy + x}.
\end{aligned}$$
So $e(a, Y) = e(g, b)$ and $e(X, a)\,e(X, b)^m = e(g, c)$. $\square$

4.4.2 Unforgeability

In this subsection, we prove the unforgeability of our scheme.
Before proving the unforgeability of our scheme, we first establish a useful lemma which guarantees that the user uses the same plaintext in the Linear Encryption and in the Paillier encryption, based on the three-move proof in the blind signature generation protocol. Based on this lemma, we can then simulate the signer successfully and reduce the unforgeability of our scheme to the unforgeability of the CL-signature.

Lemma 4.2. In the blind signature generation protocol, under the DLOG assumption, a PPT adversary can generate a valid proof with the signer such that
$$\log_\theta\big(\mathsf{dec}_{LE}(T, V, W)\big) \not\equiv \mathsf{dec}_{Pai}(E_m) \pmod p$$
only with probability $2^{-\lambda_1}$.

Proof. Define $m' = \mathsf{dec}_{Pai}(E_m)$. Paillier encryption is 1-1 over $\mathbb{Z}_{n^2}^*$, so $m'$ is well defined and $m' \in \mathbb{Z}_n$. Also, $E_m \in \mathbb{Z}_{n^2}^*$ can be written as $E_m = g^{m'}(A_m)^n \bmod n^2$ for some $A_m \in \mathbb{Z}_n^*$. Similarly, define $m'' = \log_\theta\big(\mathsf{dec}_{LE}(T, V, W)\big)$. Recall that $\theta \in G\setminus\{1\}$ and the order of $G$ is the prime $p$, so $\theta$ is a generator of $G$; hence $\theta^{m''} = \mathsf{dec}_{LE}(T, V, W)$ with $m'' \in \mathbb{Z}_p$. Also $t, v \in G$ are generators of $G$, and $T, V \in G$ can be written as $T = t^k$, $V = v^l$ for some $k, l \in \mathbb{Z}_p$. Note that $\mathsf{dec}_{LE}(T, V, W) = W / (T^\delta V^\xi)$, so $W = \theta^{m''} T^\delta V^\xi = \theta^{m''} t^{k\delta} v^{l\xi} = \theta^{m''} w^{k+l}$.

Now assume that there is a PPT adversary who can generate a valid proof with the signer such that $m' \not\equiv m'' \pmod p$. Up to now we have the equations:
$$m' \not\equiv m'' \pmod p,\quad m' \in \mathbb{Z}_n,\ m'' \in \mathbb{Z}_p \tag{1}$$
$$E_m = g^{m'}(A_m)^n \bmod n^2,\quad A_m \in \mathbb{Z}_n^* \tag{2}$$
$$W = \theta^{m''} w^{k+l},\quad k, l \in \mathbb{Z}_p \tag{3}$$
$$T = t^k \tag{4}$$
$$V = v^l \tag{5}$$
We have assumed that the proof is valid, so all verification equations hold:
$$\hat E_m = g^{s_m}(F_m)^n (E_m)^{d_1} \bmod n^2 \tag{6}$$
$$\hat W = \theta^{s_m} w^{s_k + s_l} W^{d_1} \tag{7}$$
$$\hat T = t^{s_k} T^{d_1} \tag{8}$$
$$\hat V = v^{s_l} V^{d_1} \tag{9}$$
From equations (2) and (6), we have
$$\hat E_m = g^{s_m}(F_m)^n (E_m)^{d_1} = g^{s_m}(F_m)^n \big(g^{m'}(A_m)^n\big)^{d_1} = g^{s_m + d_1 m'}\big(F_m (A_m)^{d_1}\big)^n \pmod{n^2}.$$
In the same way we get $\hat T = t^{s_k + d_1 k}$, $\hat V = v^{s_l + d_1 l}$, and $\hat W = \theta^{s_m + d_1 m''} w^{(s_k + d_1 k) + (s_l + d_1 l)}$. Now define
$$\hat m' \stackrel{\text{def}}{=} s_m + d_1 m' \bmod n \tag{10}$$
$$B_m \stackrel{\text{def}}{=} F_m (A_m)^{d_1} \bmod n \tag{11}$$
$$\hat k \stackrel{\text{def}}{=} s_k + d_1 k \bmod p \tag{12}$$
$$\hat l \stackrel{\text{def}}{=} s_l + d_1 l \bmod p \tag{13}$$
$$\hat m'' \stackrel{\text{def}}{=} s_m + d_1 m'' \bmod p \tag{14}$$
Recall that $\gcd(n, p) = 1$. From equation (10), we can write $\hat m' = s_m + d_1 m' + An$ where $A \in \mathbb{Z}$, so $\hat m' - s_m - d_1 m' = An$. Recall that $s_m \in \pm[0, 2^{\lambda_0+\lambda_1+\nu_p+1}]$, $\hat m' \in \pm[0, 2^{\lambda_0+\lambda_1+\nu_p}]$, $d_1 \in \{0,1\}^{\lambda_1}$ and $m' \in [0, 2^{\nu_p}]$. So $\hat m' - s_m - d_1 m' \in \pm[0, 2^{\lambda_0+\lambda_1+\nu_p+2}]$, and $A = 0$ because $\ell_n \geq \nu_p + \lambda_0 + \lambda_1 + 2$. Hence $\hat m' = s_m + d_1 m'$ over the integers.

From equation (14), we can write $\hat m'' = s_m + d_1 m'' + Bp$ where $B \in \mathbb{Z}$. So $\hat m' - \hat m'' = d_1(m' - m'') - Bp$. Recall that $p \nmid (m' - m'')$. Such a $B$ can be found only in the case $p \mid (\hat m' - \hat m'') - d_1(m' - m'')$. Note that $m', m'', \hat m', \hat m''$ are determined before the challenge $d_1$ is received from the signer, because $\langle t, v, w, E_m, \theta, T, V, W; C_1\rangle$ is sent before $d_1$ is received and $\langle \hat E_m, \hat T, \hat V, \hat W\rangle$ is bound by the commitment $C_1$ under the DLOG assumption. So the adversary finds such a $B$ only with probability $2^{-\lambda_1}$. Therefore, under the DLOG assumption, the adversary cannot produce a valid proof with $m' \not\equiv m'' \pmod p$ except with the negligible probability $2^{-\lambda_1}$. $\square$

Theorem 4.3 (Unforgeability). The proposed scheme is unforgeable under the LRSW assumption.

Proof.
In this part, we show that under the LRSW assumption no PPT adversarial user $A$ can achieve a one-more forgery with non-negligible probability. Let $\langle p, g, G, G_T, e; X, Y\rangle$ be the input instance of the LRSW problem. If a PPT user $A$ obtains $l+1$ valid message-signature pairs after $l$ successful executions with the signer, we can construct an oracle $I$ which outputs a valid pair $(m^*; a^*, b^*, c^*)$ where $m^*$ has not been queried to the oracle $O_{X,Y}$.

1. The oracle sets $pub = \langle p, g, G, G_T, e\rangle$ and $PK_S = \langle X, Y\rangle$. The oracle generates $crs_1 = \langle Q, g, h, G, H\rangle$ together with the trapdoor $\tau_1 = r$ for the equivocal Pedersen commitment scheme; generates $crs_2 = \langle n, g\rangle$ and $\tau_2 = \langle p, q\rangle$ for the Paillier encryption; and sets $crs = (crs_1, crs_2)$. Now the oracle supplies the adversary with $pub, crs, PK_S$ and keeps $\tau_1, \tau_2$.

2. The oracle $I$ is queried by $A$, which operates in one of the two cases below.

Case 1: $A$ queries $I$ with $\langle \mathsf{start}, msg\rangle$, where $msg = \{PK_U, E_m, \theta, T, V, W, C_1\}$. The oracle $I$ creates a session identity $sid$ and sets the corresponding state $st = \emptyset$; $I$ simulates the signer $S$ on $msg$ until $S$ either terminates or returns a response $rsp$ to the user, and records the current state in $st$. If $S$ returns $rsp$, then $I$ returns it together with the session identity to $A$, i.e. $I$ returns $\{sid, d_1, C_2\}$ to $A$, where $d_1 \in_R \{0,1\}^{\lambda_1}$ and $C_2 = g^{\gamma_2}$ with $\gamma_2 \in_R \mathbb{Z}_Q$.

Case 2: $A$ queries $I$ with $\langle \mathsf{advance}, sid, msg\rangle$, where $msg = \{d_2, s_m, s_k, s_l, F_m, \hat E_m, \hat T, \hat V, \hat W, \mu_1\}$. The oracle $I$ simulates the signer $S$ on $msg$ and the previous state $st$. $S$ checks whether all of the following equations hold: $C_1 \stackrel{?}{=} g^{\omega_1} h^{\mu_1}$ where $\omega_1 = H(\hat E_m, \hat T, \hat V, \hat W)$; $\hat E_m \stackrel{?}{=} g^{s_m}(F_m)^n (E_m)^{d_1} \bmod n^2$; $\hat T \stackrel{?}{=} t^{s_k} T^{d_1}$; $\hat V \stackrel{?}{=} v^{s_l} V^{d_1}$; $\hat W \stackrel{?}{=} \theta^{s_m} w^{s_k+s_l} W^{d_1}$. If they do not hold, $S$ terminates. Otherwise, the oracle $I$ generates an identically distributed response for $A$, as follows. Note that the Pedersen commitment scheme is involved here. By Lemma 4.2, under the DLOG assumption and except for the negligible error probability $2^{-\lambda_1}$, the oracle $I$ can obtain the $m$ hidden in $\{\theta, T, V, W\}$ by decrypting $m$ from $E_m$, and then obtain $a', b', T', V', W'$ based on this $m$: $I$ simulates $S$ by decrypting $E_m$ into $m = \mathsf{dec}^{\tau_2}_{Pai}(E_m)$ using the trapdoor $\tau_2 = \langle p, q\rangle$; then $I$ queries $O_{X,Y}$ with input $m \bmod p$, which returns $\langle \tilde a, \tilde b, \tilde c\rangle$, and computes $a' = \tilde a$, $b' = \tilde b$, $W' = \tilde c\, w^{\tilde k + \tilde l}$, $T' = t^{\tilde k}$, $V' = v^{\tilde l}$, where $\tilde k, \tilde l \in_R \mathbb{Z}_p$. Note that here $\langle T', V', W'\rangle$ is in fact an encryption of $\tilde c$ under the public key $\langle t, v, w\rangle$.

The simulated $\{a', b', T', V', W'\}$ is indistinguishable from the protocol answer, since the error probability $2^{-\lambda_1}$ is negligible. In fact, disregarding the error probability, the two distributions are identical, i.e.
$$\{\tilde a,\ \tilde b,\ \tilde c\, w^{\tilde k + \tilde l},\ t^{\tilde k},\ v^{\tilde l}\} \equiv \{\theta^{\alpha'},\ (\theta^y)^{\alpha'},\ (W^{xy}\theta^x w^{k'+l'})^{\alpha'},\ (T^{xy} t^{k'})^{\alpha'},\ (V^{xy} v^{l'})^{\alpha'}\}$$
for random $\tilde k, \tilde l$ and random $\alpha', k', l'$. Note that $\langle \tilde a, \tilde b, \tilde c\rangle$ is the response of $O_{X,Y}$, so $\tilde a$ is a random element of $G$, $\tilde b = \tilde a^y$ and $\tilde c = \tilde a^{x + mxy}$. We know that $W = \theta^m w^{k+l}$, $T = t^k$, $V = v^l$ for some $k, l \in \mathbb{Z}_p$, and we can compute
$$(W^{xy}\theta^x w^{k'+l'})^{\alpha'} = \big((\theta^m w^{k+l})^{xy}\theta^x w^{k'+l'}\big)^{\alpha'} = (\theta^{\alpha'})^{x + mxy}\, w^{(kxy + k')\alpha' + (lxy + l')\alpha'},$$
$$(T^{xy} t^{k'})^{\alpha'} = \big((t^k)^{xy} t^{k'}\big)^{\alpha'} = t^{(kxy + k')\alpha'}, \qquad (V^{xy} v^{l'})^{\alpha'} = \big((v^l)^{xy} v^{l'}\big)^{\alpha'} = v^{(lxy + l')\alpha'}.$$
Replacing $\theta^{\alpha'}$, $(kxy + k')\alpha'$ and $(lxy + l')\alpha'$ by $\tilde a$, $\tilde k$ and $\tilde l$, we see that the two probability distributions are identical.

Next, the oracle $I$ randomly selects $s_x, s_{k'}, s_{l'} \in \mathbb{Z}_p$ and sets $L_T = e(T, b')^{s_x} e(t, a')^{s_{k'}} e(T', \theta)^{d_2}$, $L_V = e(V, b')^{s_x} e(v, a')^{s_{l'}} e(V', \theta)^{d_2}$, $L_W = \big(e(W, b')\,e(\theta, a')\big)^{s_x} e(w, a')^{s_{k'}+s_{l'}} e(W', \theta)^{d_2}$; it computes $\omega_2 = H(a', b', T', V', W', L_T, L_V, L_W)$ and uses the trapdoor $\tau_1 = r$ to compute $\mu_2$ such that $C_2 = g^{\omega_2} h^{\mu_2}$, i.e. $\mu_2 = (\gamma_2 - \omega_2)/r \bmod Q$. Since the 3-move proof is zero-knowledge [Dam00], the simulated distribution $\{a', b', T', V', W', L_T, L_V, L_W, \mu_2;\ s_x, s_{k'}, s_{l'}\}$ is indistinguishable from that of the protocol answer.

3. $A$ outputs message-signature pairs. Now assume that $A$ can break the scheme, which means that $A$ can generate $l'$ message-signature pairs $(m_1; \sigma_1), (m_2; \sigma_2), \ldots, (m_{l'}; \sigma_{l'})$ with $m_i \neq m_j$ and $l' > l$. Since $l' \geq l + 1$, at least one message, say $m_O$, has not been queried to the oracle $O_{X,Y}$, although $(m_O; \sigma_O)$ is a valid pair. In other words, we can construct a valid pair $(m_O; \sigma_O)$ where $m_O$ is not in the query history. This breaks the LRSW assumption. $\square$
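The user-side Σ-proof of Figure 2 on which Lemma 4.2 rests (the Paillier ciphertext $E_m$ and the linear-encryption ciphertext $\langle T, V, W\rangle$ contain the same plaintext) and the decryption the oracle of Theorem 4.3 performs, as an added Python example that is not part of the paper. It uses toy parameters constructed here (the order-1019 subgroup of $\mathbb{Z}_{2039}^*$, 20-bit Paillier primes, $\lambda_0 = 8$, $\lambda_1 = 4$, $\nu_p = 9$) and omits the Pedersen commitment $C_1$ and the hash $H$, so the challenge $d_1$ is passed in directly.

```python
import random
from math import gcd

# Toy parameters, constructed for this example; far too small for real use.
P_GRP = 1019                        # prime order p of the group G
Q_MOD = 2039                        # q = 2p + 1 is prime, so Z_q^* has a subgroup of order p
GEN = 4                             # a square mod q, hence a generator of that subgroup
PAIL_P, PAIL_Q = 1000003, 1000033   # Paillier primes; n = PAIL_P * PAIL_Q has about 40 bits
NU_P, LAMBDA_0, LAMBDA_1 = 9, 8, 4  # message bits, slack bits, challenge bits (l_n >= sum + 2)
rng = random.Random(2024)           # fixed seed only so that runs are reproducible

def paillier_keygen():
    """Return (n, lambda) for Paillier with g = 1 + n; lambda is the decryption trapdoor."""
    n = PAIL_P * PAIL_Q
    lam = (PAIL_P - 1) * (PAIL_Q - 1) // gcd(PAIL_P - 1, PAIL_Q - 1)
    return n, lam

def paillier_enc(n, m, A):
    """E_m = g^m * A^n mod n^2 with g = 1 + n; m may be negative (needed for the hat values)."""
    n2 = n * n
    return pow(1 + n, m, n2) * pow(A, n, n2) % n2

def paillier_dec(n, lam, c):
    """Standard Paillier decryption, the step the oracle of Theorem 4.3 performs on E_m."""
    n2 = n * n
    return ((pow(c, lam, n2) - 1) // n) * pow(lam, -1, n) % n

def le_keygen():
    """Linear-encryption keys: PK = (t, v, w) with t^delta = v^xi = w and SK = (delta, xi)."""
    delta, xi = rng.randrange(1, P_GRP), rng.randrange(1, P_GRP)
    t = pow(GEN, rng.randrange(1, P_GRP), Q_MOD)
    w = pow(t, delta, Q_MOD)
    v = pow(w, pow(xi, -1, P_GRP), Q_MOD)
    return (t, v, w), (delta, xi)

def le_enc(pk, theta, m, k, l):
    """(T, V, W) = (t^k, v^l, theta^m * w^(k+l)); the plaintext sits in the exponent of theta."""
    t, v, w = pk
    W = pow(theta, m, Q_MOD) * pow(w, k + l, Q_MOD) % Q_MOD
    return pow(t, k, Q_MOD), pow(v, l, Q_MOD), W

def le_dec(sk, T, V, W):
    """Return theta^m = W / (T^delta * V^xi)."""
    delta, xi = sk
    return W * pow(pow(T, delta, Q_MOD) * pow(V, xi, Q_MOD), -1, Q_MOD) % Q_MOD

def user_commit(n, le_pk, theta, m, A_m, k, l):
    """First move of the user-side Sigma-proof: fresh hat randomness and the hat ciphertexts."""
    bound = 1 << (LAMBDA_0 + LAMBDA_1 + NU_P)
    m_hat = rng.randrange(-bound, bound + 1)       # m_hat in +-[0, 2^(lambda0+lambda1+nu_p)]
    B_m = rng.randrange(1, n)
    k_hat, l_hat = rng.randrange(P_GRP), rng.randrange(P_GRP)
    E_hat = paillier_enc(n, m_hat, B_m)
    T_hat, V_hat, W_hat = le_enc(le_pk, theta, m_hat, k_hat, l_hat)
    state = (m, A_m, k, l, m_hat, B_m, k_hat, l_hat)
    return state, (E_hat, T_hat, V_hat, W_hat)

def user_respond(n, state, d1):
    """Third move: responses to the challenge d1; s_m is computed over the integers."""
    m, A_m, k, l, m_hat, B_m, k_hat, l_hat = state
    s_m = m_hat - d1 * m
    s_k = (k_hat - d1 * k) % P_GRP
    s_l = (l_hat - d1 * l) % P_GRP
    F_m = B_m * pow(A_m, -d1, n) % n
    return s_m, s_k, s_l, F_m

def signer_verify(n, le_pk, theta, E_m, TVW, first, d1, resp):
    """The signer's checks of Figure 2 (the Pedersen commitment C_1 and hash H are left out)."""
    t, v, w = le_pk
    T, V, W = TVW
    E_hat, T_hat, V_hat, W_hat = first
    s_m, s_k, s_l, F_m = resp
    n2 = n * n
    if abs(s_m) > 1 << (LAMBDA_0 + LAMBDA_1 + NU_P + 1):   # range check on s_m
        return False
    ok_E = E_hat == pow(1 + n, s_m, n2) * pow(F_m, n, n2) * pow(E_m, d1, n2) % n2
    ok_T = T_hat == pow(t, s_k, Q_MOD) * pow(T, d1, Q_MOD) % Q_MOD
    ok_V = V_hat == pow(v, s_l, Q_MOD) * pow(V, d1, Q_MOD) % Q_MOD
    ok_W = W_hat == pow(theta, s_m, Q_MOD) * pow(w, s_k + s_l, Q_MOD) * pow(W, d1, Q_MOD) % Q_MOD
    return ok_E and ok_T and ok_V and ok_W

def run_session(m_pai, m_le, d1):
    """One user/signer exchange with m_pai inside Paillier and m_le inside linear encryption.
    An honest user has m_pai == m_le; a mismatch is the cheating case of Lemma 4.2, rejected
    by the W-check whenever d1 * (m_le - m_pai) is nonzero mod p."""
    n, _ = paillier_keygen()
    le_pk, _ = le_keygen()
    theta = pow(GEN, rng.randrange(1, P_GRP), Q_MOD)
    A_m, k, l = rng.randrange(1, n), rng.randrange(P_GRP), rng.randrange(P_GRP)
    E_m = paillier_enc(n, m_pai, A_m)
    TVW = le_enc(le_pk, theta, m_le, k, l)
    state, first = user_commit(n, le_pk, theta, m_pai, A_m, k, l)
    resp = user_respond(n, state, d1)
    return signer_verify(n, le_pk, theta, E_m, TVW, first, d1, resp)
```

With a 4-bit challenge a cheating user still passes with probability $2^{-4}$ (the case $d_1 = 0$), which is exactly the $2^{-\lambda_1}$ bound of Lemma 4.2 at toy size.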
4.4.3 Blindness

In this subsection, we show the blindness of our scheme. Before going to the proof, we first establish a useful lemma which guarantees that the signer uses the correct ciphertext $\langle \theta, T, V, W\rangle$ and his secret key $\langle x, y\rangle$ to generate $\langle a', b', T', V', W'\rangle$, based on the three-move proof.

Lemma 4.4. In the blind signature generation protocol, under the DLOG assumption, a PPT adversary can generate a valid proof with the user such that
$$\log_g Y \not\equiv \log_{a'} b' \pmod p \quad\text{or}\quad \Big(\log_g X + \log_g X \cdot \log_g Y \cdot \log_\theta \mathsf{dec}_{LE}(T, V, W)\Big) \not\equiv \log_{a'}\big(\mathsf{dec}_{LE}(T', V', W')\big) \pmod p$$
only with probability $2^{-\lambda_2}$.

Proof. Based on the verification equation $e(a', Y) = e(b', g)$ it is straightforward to prove the first part of the lemma. Next we focus on the second part. We have $Y = g^y$, $X = g^x$, $b' = (a')^y$. Define $m = \log_\theta\big(\mathsf{dec}_{LE}(T, V, W)\big)$; then $T = t^k$, $V = v^l$, $W = \theta^m w^{k+l}$ for some $k, l \in \mathbb{Z}_p$, by the same argument as in the proof of Lemma 4.2. Note that $G_T$ also has prime order $p$. Hence there exist $\hat x, \hat k, \hat l, \hat\eta, k', l', \eta' \in \mathbb{Z}_p$ such that
$$L_T = e(T, b')^{\hat x}\, e(t, a')^{\hat k} \tag{15}$$
$$L_V = e(V, b')^{\hat x}\, e(v, a')^{\hat l} \tag{16}$$
$$L_W = \big(e(W, b')\,e(\theta, a')\big)^{\hat x}\, e(w, a')^{\hat\eta} \tag{17}$$
$$e(T', \theta) = e(T, b')^{x}\, e(t, a')^{k'} \tag{18}$$
$$e(V', \theta) = e(V, b')^{x}\, e(v, a')^{l'} \tag{19}$$
$$e(W', \theta) = \big(e(W, b')\,e(\theta, a')\big)^{x}\, e(w, a')^{\eta'} \tag{20}$$
Assume there is a PPT adversary that can generate a valid proof such that $\big(\log_g X + \log_g X \cdot \log_g Y \cdot \log_\theta \mathsf{dec}_{LE}(T, V, W)\big) \not\equiv \log_{a'}\big(\mathsf{dec}_{LE}(T', V', W')\big) \pmod p$. The verification equations are
$$L_T = e(T, b')^{s_x}\, e(t, a')^{s_{k'}}\, e(T', \theta)^{d_2} \tag{21}$$
$$L_V = e(V, b')^{s_x}\, e(v, a')^{s_{l'}}\, e(V', \theta)^{d_2} \tag{22}$$
$$L_W = \big(e(W, b')\,e(\theta, a')\big)^{s_x}\, e(w, a')^{s_{k'}+s_{l'}}\, e(W', \theta)^{d_2} \tag{23}$$
From equations (15), (16), (18), (19), (21) and (22) we obtain
$$s_x = \hat x - d_2 x \pmod p \tag{24}$$
$$s_{k'} = \hat k - d_2 k' \pmod p \tag{25}$$
$$s_{l'} = \hat l - d_2 l' \pmod p \tag{26}$$
From equations (17), (20), (23) and (24) we obtain
$$s_{k'} + s_{l'} = \hat\eta - d_2 \eta' \pmod p \tag{27}$$
From equations (25)-(27) we obtain
$$\hat k + \hat l - \hat\eta = d_2 (k' + l' - \eta') \pmod p \tag{28}$$
Note that $\langle a', b', T', V', W'; L_T, L_V, L_W\rangle$ is bound by the commitment $C_2$, which is sent before the challenge $d_2$; and $\hat k, \hat l, \hat\eta, k', l', \eta'$ are determined before $d_2$ is received from the user. So, except with probability $2^{-\lambda_2}$, the signer cannot know $d_2$ before receiving it from the user. Hence the equation $\hat\eta = \hat k + \hat l \pmod p$ holds; otherwise the signer could compute $d_2 = (\hat k + \hat l - \hat\eta)/(k' + l' - \eta')$ before receiving that value. Substituting $\hat\eta = \hat k + \hat l \pmod p$ into equation (28), we also get $\eta' = k' + l' \pmod p$. Writing $a' = \theta^{\alpha'}$ and recalling that $b' = (a')^y$, we obtain $T' = T^{xy\alpha'} t^{k'\alpha'}$ from equation (18); similarly we obtain $V' = V^{xy\alpha'} v^{l'\alpha'}$ and $W' = W^{xy\alpha'}\theta^{x\alpha'} w^{k'\alpha' + l'\alpha'}$. Define $c' = \mathsf{dec}_{LE}(T', V', W')$. Then
$$c' = \frac{W'}{(T')^\delta (V')^\xi} = \theta^{(x + xym)\alpha'} = (a')^{x + xym},$$
and
$$\log_{a'}\big(\mathsf{dec}_{LE}(T', V', W')\big) = \log_{a'} c' = x + xym = \Big(\log_g X + \log_g X \cdot \log_g Y \cdot \log_\theta \mathsf{dec}_{LE}(T, V, W)\Big) \pmod p,$$
which contradicts the assumption. So, based on a secure commitment scheme, except with probability $2^{-\lambda_2}$ no PPT adversary can produce a valid proof such that $\big(\log_g X + \log_g X \cdot \log_g Y \cdot \log_\theta \mathsf{dec}_{LE}(T, V, W)\big) \not\equiv \log_{a'}\big(\mathsf{dec}_{LE}(T', V', W')\big) \pmod p$. This completes the proof. $\square$

Theorem 4.5 (Blindness). The proposed scheme is blind under the DLDH assumption and the DCR assumption.

We start from the blindness model and define it as Game 0. We slightly change Game 0 by simulating the left user instantiation with Damgård's trick in Game 1; then we slightly change Game 1 again and do the same simulation for the right user instantiation in Game 2. The statistical distance between the probability distributions of Game 0 and Game 1, and of Game 1 and Game 2, is negligible. Next we slightly change Game 2 into Game 3 for the case in which both user instantiations verify the verification equations successfully: instead of generating $\sigma$ from $a', b', T', V', W'$ as in Game 2, we generate $\sigma$ by applying the signing key $(x, y)$ to $m$. Based on Lemma 4.4, we show that the statistical distance between Game 2 and Game 3 is negligible. Then we slightly change Game 3 by simulating the left user instantiation with a random message (not one of the messages selected by the adversary) as input to the Paillier encryption in Game 4, and do the same simulation for the right user instantiation in Game 5. Both distances, between Game 3 and Game 4 and between Game 4 and Game 5, are negligible under the DCR assumption. Similarly, we slightly change Game 5 into Game 6 by simulating the left user instantiation with a random message as input to the linear encryption, and change Game 6 into Game 7 in the same way for the right user instantiation. Again the distances between Game 5 and Game 6, and between Game 6 and Game 7, are negligible under the DLDH assumption. Therefore, the probability distribution in Game 0 is indistinguishable from that in Game 7.
Consider that in Game 7 the two messages $(m_0, m_1)$ are never involved in the communications between the user instantiations and the adversarial signer, which means the adversary has no advantage in winning the game (it predicts $\phi$ with probability exactly $1/2$). So, in Game 0, the adversary has at most a negligible advantage in winning the game under the stated assumptions.

Proof. We use the sequential-games technique to prove this part, and define games $G^A_j$ between the adversary $A$ and the oracle $I^\phi_j$, which simulates two user instantiations, the left one $U_L$ and the right one $U_R$, where $j = 0, 1, \ldots, 7$. We also define $E_j$ to be the event that $\phi = \phi'$ in $G^A_j$.

Game 0: Following the blindness model, we define Game 0 as below.

$G^A_0(1^\lambda)$:
1. $\phi \in_R \{0, 1\}$;
2. $(pub, crs, PK_S, SK_S) \leftarrow \mathsf{gen}(1^\lambda)$;
3. $\phi' \leftarrow A^{I^\phi_0(1^\lambda, pub, crs, PK_S)}(1^\lambda, pub, crs, PK_S, SK_S)$;
4. if $\phi = \phi'$ then output 1.

Here $I^\phi_0$ is defined as follows:
- Given $\langle \mathsf{challenge}, m_0, m_1\rangle$, the oracle $I^\phi_0$ simulates $U_L$ (resp. $U_R$) with $m_\phi$ (resp. $m_{1-\phi}$). The oracle $I^\phi_0$ keeps a database with the state of each user instantiation; the state includes all coin tosses of the user instantiation and the contents of all tapes, including the communication tape. The oracle uses $st_L$ (resp. $st_R$) to record the state of $U_L$ (resp. $U_R$).
- Given $\langle \mathsf{advance}, \rho, msg\rangle$, where $\rho \in \{L, R\}$:
  If $msg = \emptyset$, then $I^\phi_0$ recovers the state $st_\rho$ and simulates the user instantiation $U_\rho$ until $U_\rho$ either terminates or returns a response to the signer. If $U_\rho$ returns a response $rsp$, then $I^\phi_0$ returns $rsp$ to $A$. The oracle records the current state $st$ by appending it to $st_\rho$. Let $m$ be the simulated message for $U_\rho$, i.e. $m = m_\phi$ for $\rho = L$ and $m = m_{1-\phi}$ for $\rho = R$; we have:
  (a) $(PK^\rho_U, SK^\rho_U) \leftarrow \mathsf{gen}_{LE}(1^\lambda)$
  (b) $\hat m \in_R \pm[0, 2^{\lambda_0+\lambda_1+\nu_p}]$, $A_m, B_m \in_R \mathbb{Z}_n^*$, $\alpha, k, l, \hat k, \hat l \in_R \mathbb{Z}_p$, $\theta \in_R G\setminus\{1\}$, $\mu_1 \in_R \mathbb{Z}_Q$
  (c) $E_m \leftarrow \mathsf{enc}^{crs_2}_{Pai}(m, A_m)$
  (d) $\langle T, V, W\rangle \leftarrow \mathsf{enc}^{pub, PK^\rho_U}_{LE}(m, \theta, k, l)$
  (e) $\hat E_m \leftarrow \mathsf{enc}^{crs_2}_{Pai}(\hat m, B_m)$
  (f) $\langle \hat T, \hat V, \hat W\rangle \leftarrow \mathsf{enc}^{pub, PK^\rho_U}_{LE}(\hat m, \theta, \hat k, \hat l)$
  (g) $\omega_1 = H(\hat E_m, \hat T, \hat V, \hat W)$, $C_1 = g^{\omega_1} h^{\mu_1}$
  (h) $rsp = \{PK_U, E_m, \theta, T, V, W, C_1\}$
  If $msg = \{d_1, C_2\}$, then $I^\phi_0$ recovers the state $st_\rho$ and simulates the user instantiation $U_\rho$ on $msg$ until $U_\rho$ either terminates or returns a response $rsp$ to the signer. If $U_\rho$ returns a response $rsp$, then $I^\phi_0$ returns $rsp$ to $A$. The oracle records the current state $st$ by appending it to $st_\rho$. Here $rsp$ has the form $\{d_2, s_m, s_k, s_l, F_m, \hat E_m, \hat T, \hat V, \hat W, \mu_1\}$, where $\hat E_m, \hat T, \hat V, \hat W, \mu_1$ are recovered from the previous state $st_\rho$, and $s_m, s_k, s_l, F_m$ are generated as: $s_m = \hat m - d_1 m$ in $\mathbb{Z}$, $s_k = \hat k - d_1 k \bmod p$, $s_l = \hat l - d_1 l \bmod p$, $F_m = B_m (A_m)^{-d_1} \bmod n$, and $d_2 \in_R \{0, 1\}^{\lambda_2}$.
- Given $\langle \mathsf{terminate}, msg_L, msg_R\rangle$, the oracle $I^\phi_0$ recovers the state $st_L$ (resp. $st_R$) and simulates the user instantiation $U_L$ (resp. $U_R$) on $msg_L$ (resp. $msg_R$) until $U_L$ (resp. $U_R$) either terminates or returns an output, where $msg_\rho$ has the form $\{s_x, s_{k'}, s_{l'};\ a', b', T', V', W', L_T, L_V, L_W, \mu_2\}$. Each $U_\rho$ verifies all of the equations
$$C_2 = g^{\omega_2} h^{\mu_2} \text{ where } \omega_2 = H(a', b', T', V', W', L_T, L_V, L_W), \qquad e(a', Y) = e(b', g),$$
$$L_T = e(T, b')^{s_x} e(t, a')^{s_{k'}} e(T', \theta)^{d_2}, \quad L_V = e(V, b')^{s_x} e(v, a')^{s_{l'}} e(V', \theta)^{d_2}, \quad L_W = \big(e(W, b')\,e(\theta, a')\big)^{s_x} e(w, a')^{s_{k'}+s_{l'}} e(W', \theta)^{d_2}.$$
If both user instantiations verify the verification equations successfully, each of them generates $\sigma = (a, b, c)$ by $a = (a')^\alpha$, $b = (b')^\alpha$, $c = \big(W' / ((T')^\delta (V')^\xi)\big)^\alpha$.
Let the signatures generated by the two user instantiations be $\sigma_0, \sigma_1$ for the messages $m_0, m_1$ respectively. The oracle sets $rsp = (\sigma_0, \sigma_1)$; otherwise it sets $rsp = (\bot, \bot)$. The oracle returns $rsp$ to $A$.

Game 1: We modify $G^A_0$ into $G^A_1$ by changing step 2 into:
2. $(pub, crs_2, PK_S, SK_S) \leftarrow \mathsf{gen}(1^\lambda)$; generate $crs_1 = \langle Q, g, h, G, H\rangle$ and the trapdoor $\tau_1 = r$ for the equivocal Pedersen commitment scheme; set $crs = (crs_1, crs_2)$.
and by changing $I^\phi_0$ into $I^\phi_1$. Note that $I^\phi_1$ is the same as $I^\phi_0$ except for the following:
- Given $\langle \mathsf{advance}, \rho, msg\rangle$, where $\rho \in \{L, R\}$: if $\rho = R$, $I^\phi_1$ operates identically to $I^\phi_0$; but if $\rho = L$, $I^\phi_1$ works as follows:
  If $msg = \emptyset$, then $I^\phi_1$ recovers the state $st_L$ and simulates the user instantiation $U_L$ until $U_L$ either terminates or returns a response to the signer. If $U_L$ returns a response $rsp$, then $I^\phi_1$ returns $rsp$ to $A$. The oracle records the current state $st$ by appending it to $st_L$. Let $m = m_\phi$; we have:
  (a) $(PK^L_U, SK^L_U) \leftarrow \mathsf{gen}_{LE}(1^\lambda)$
  (b) $A_m \in_R \mathbb{Z}_n^*$, $\alpha, k, l \in_R \mathbb{Z}_p$, $\theta \in_R G\setminus\{1\}$
  (c) $E_m \leftarrow \mathsf{enc}^{crs_2}_{Pai}(m, A_m)$
  (d) $\langle T, V, W\rangle \leftarrow \mathsf{enc}^{pub, PK^L_U}_{LE}(m, \theta, k, l)$
  (e) $\gamma_1 \in_R \mathbb{Z}_Q$, $C_1 = g^{\gamma_1}$
  (f) $rsp = \{PK^L_U, E_m, \theta, T, V, W, C_1\}$
  If $msg = \{d_1, C_2\}$, then $I^\phi_1$ recovers the state $st_L$ and simulates the user instantiation $U_L$ on $msg$ until $U_L$ either terminates or returns a response $rsp$ to the signer. If $U_L$ returns a response $rsp$, then $I^\phi_1$ returns $rsp$ to $A$. The oracle records the current state $st$ by appending it to $st_L$.
  (a) $s_m \in_R \pm[0, 2^{\lambda_0+\lambda_1+\nu_p}]$, $F_m \in_R \mathbb{Z}_n^*$, $s_k, s_l \in_R \mathbb{Z}_p$
  (b) $\hat E_m = g^{s_m}(F_m)^n (E_m)^{d_1} \bmod n^2$
  (c) $\hat W = \theta^{s_m} w^{s_k+s_l} W^{d_1}$, $\hat T = t^{s_k} T^{d_1}$, $\hat V = v^{s_l} V^{d_1}$
  (d) use the trapdoor $\tau_1 = r$ to compute $\mu_1$ such that $C_1 = g^{\omega_1} h^{\mu_1}$ where $\omega_1 = H(\hat E_m, \hat T, \hat V, \hat W)$, i.e. $\mu_1 = (\gamma_1 - \omega_1)/r \bmod Q$
  (e) $rsp = \{d_2, s_m, s_k, s_l, F_m, \hat E_m, \hat T, \hat V, \hat W, \mu_1\}$

Game 2: We modify $G^A_1$ into $G^A_2$ by changing $I^\phi_1$ into $I^\phi_2$. Note that $I^\phi_2$ is the same as $I^\phi_1$ except for the following:
- Given $\langle \mathsf{advance}, \rho, msg\rangle$, where $\rho \in \{L, R\}$: if $\rho = L$, $I^\phi_2$ operates identically to $I^\phi_1$; but if $\rho = R$, $I^\phi_2$ operates as in the case $\rho = L$ with $m = m_{1-\phi}$, i.e. it runs the same operations for the right user instantiation $U_R$.

Game 3: We modify $G^A_2$ into $G^A_3$ by changing $I^\phi_2$ into $I^\phi_3$. Note that $I^\phi_3$ is the same as $I^\phi_2$ except for the following:
- Given $\langle \mathsf{terminate}, msg_L, msg_R\rangle$, the oracle $I^\phi_3$ recovers the state $st_L$ (resp. $st_R$) and simulates the user instantiation $U_L$ (resp. $U_R$) on $msg_L$ (resp. $msg_R$) until $U_L$ (resp. $U_R$) either terminates or returns an output. If both user instantiations verify the verification equations successfully, the oracle now generates the two signatures $\sigma_0, \sigma_1$ for $m_0, m_1$ by using the signing key: $\sigma = (a, a^y, a^{x + xym})$ where $a \in_R G$. The oracle sets $rsp = (\sigma_0, \sigma_1)$; otherwise it sets $rsp = (\bot, \bot)$.
The oracle returns $rsp$ to $A$.

Game 4: We modify $G^A_3$ into $G^A_4$ by changing $I^\phi_3$ into $I^\phi_4$. Note that $I^\phi_4$ is the same as $I^\phi_3$ except for the following:
- Given $\langle \mathsf{challenge}, m_0, m_1\rangle$, the oracle $I^\phi_4$ randomly selects $m'_0, m'_1$ from the message space and simulates $U_L$ (resp. $U_R$) with $m_\phi$ or $m'_0$ (resp. $m_{1-\phi}$ or $m'_1$).
- Given $\langle \mathsf{advance}, \rho, msg\rangle$, where $\rho \in \{L, R\}$: if $\rho = R$, $I^\phi_4$ operates identically to $I^\phi_3$; but if $\rho = L$, $I^\phi_4$ works as follows:
1 Encapsulation theoy: the tansfomation equations of absolute infomation hiding. Edmund Kiwan * www.edmundkiwan.com Abstact This pape descibes how the potential coupling of a set vaies as the set is tansfomed,
More informationASTR415: Problem Set #6
ASTR45: Poblem Set #6 Cuan D. Muhlbege Univesity of Mayland (Dated: May 7, 27) Using existing implementations of the leapfog and Runge-Kutta methods fo solving coupled odinay diffeential equations, seveal
More information3.1 Random variables
3 Chapte III Random Vaiables 3 Random vaiables A sample space S may be difficult to descibe if the elements of S ae not numbes discuss how we can use a ule by which an element s of S may be associated
More informationHOW TO TEACH THE FUNDAMENTALS OF INFORMATION SCIENCE, CODING, DECODING AND NUMBER SYSTEMS?
6th INTERNATIONAL MULTIDISCIPLINARY CONFERENCE HOW TO TEACH THE FUNDAMENTALS OF INFORMATION SCIENCE, CODING, DECODING AND NUMBER SYSTEMS? Cecília Sitkuné Göömbei College of Nyíegyháza Hungay Abstact: The
More informationFractional Zero Forcing via Three-color Forcing Games
Factional Zeo Focing via Thee-colo Focing Games Leslie Hogben Kevin F. Palmowski David E. Robeson Michael Young May 13, 2015 Abstact An -fold analogue of the positive semidefinite zeo focing pocess that
More informationPushdown Automata (PDAs)
CHAPTER 2 Context-Fee Languages Contents Context-Fee Gammas definitions, examples, designing, ambiguity, Chomsky nomal fom Pushdown Automata definitions, examples, euivalence with context-fee gammas Non-Context-Fee
More information9.1 The multiplicative group of a finite field. Theorem 9.1. The multiplicative group F of a finite field is cyclic.
Chapte 9 Pimitive Roots 9.1 The multiplicative goup of a finite fld Theoem 9.1. The multiplicative goup F of a finite fld is cyclic. Remak: In paticula, if p is a pime then (Z/p) is cyclic. In fact, this
More informationAttribute Based Data Sharing with Attribute Revocation
Attibute Based Data Shaing with Attibute Revocation Shucheng Yu Depatment of ECE Woceste Polytechnic Institute Woceste, MA 01609 yscheng@wpi.edu Cong Wang Depatment of ECE Illinois Institute of Technology
More information1 Explicit Explore or Exploit (E 3 ) Algorithm
2.997 Decision-Making in Lage-Scale Systems Mach 3 MIT, Sping 2004 Handout #2 Lectue Note 9 Explicit Exploe o Exploit (E 3 ) Algoithm Last lectue, we studied the Q-leaning algoithm: [ ] Q t+ (x t, a t
More informationON THE INVERSE SIGNED TOTAL DOMINATION NUMBER IN GRAPHS. D.A. Mojdeh and B. Samadi
Opuscula Math. 37, no. 3 (017), 447 456 http://dx.doi.og/10.7494/opmath.017.37.3.447 Opuscula Mathematica ON THE INVERSE SIGNED TOTAL DOMINATION NUMBER IN GRAPHS D.A. Mojdeh and B. Samadi Communicated
More informationLecture 7. Public Key Cryptography (Diffie-Hellman and RSA)
Lectue 7 Pulic Key Cytogahy (Diffie-Hellman and RSA) 1 Pulic Key Cytogahy Asymmetic cytogahy Invented in 1974-1978 (Diffie-Hellman and Rivest-Shami- Adleman) Two keys: ivate (SK), ulic (PK) Encytion: with
More information16 Modeling a Language by a Markov Process
K. Pommeening, Language Statistics 80 16 Modeling a Language by a Makov Pocess Fo deiving theoetical esults a common model of language is the intepetation of texts as esults of Makov pocesses. This model
More informationMultiple Criteria Secretary Problem: A New Approach
J. Stat. Appl. Po. 3, o., 9-38 (04 9 Jounal of Statistics Applications & Pobability An Intenational Jounal http://dx.doi.og/0.785/jsap/0303 Multiple Citeia Secetay Poblem: A ew Appoach Alaka Padhye, and
More informationAnalytical Solutions for Confined Aquifers with non constant Pumping using Computer Algebra
Poceedings of the 006 IASME/SEAS Int. Conf. on ate Resouces, Hydaulics & Hydology, Chalkida, Geece, May -3, 006 (pp7-) Analytical Solutions fo Confined Aquifes with non constant Pumping using Compute Algeba
More informationExperiment I Voltage Variation and Control
ELE303 Electicity Netwoks Expeiment I oltage aiation and ontol Objective To demonstate that the voltage diffeence between the sending end of a tansmission line and the load o eceiving end depends mainly
More informationSolution to HW 3, Ma 1a Fall 2016
Solution to HW 3, Ma a Fall 206 Section 2. Execise 2: Let C be a subset of the eal numbes consisting of those eal numbes x having the popety that evey digit in the decimal expansion of x is, 3, 5, o 7.
More informationFunctions Defined on Fuzzy Real Numbers According to Zadeh s Extension
Intenational Mathematical Foum, 3, 2008, no. 16, 763-776 Functions Defined on Fuzzy Real Numbes Accoding to Zadeh s Extension Oma A. AbuAaqob, Nabil T. Shawagfeh and Oma A. AbuGhneim 1 Mathematics Depatment,
More informationFUSE Fusion Utility Sequence Estimator
FUSE Fusion Utility Sequence Estimato Belu V. Dasaathy Dynetics, Inc. P. O. Box 5500 Huntsville, AL 3584-5500 belu.d@dynetics.com Sean D. Townsend Dynetics, Inc. P. O. Box 5500 Huntsville, AL 3584-5500
More informationConspiracy and Information Flow in the Take-Grant Protection Model
Conspiacy and Infomation Flow in the Take-Gant Potection Model Matt Bishop Depatment of Compute Science Univesity of Califonia at Davis Davis, CA 95616-8562 ABSTRACT The Take Gant Potection Model is a
More informationTemporal-Difference Learning
.997 Decision-Making in Lage-Scale Systems Mach 17 MIT, Sping 004 Handout #17 Lectue Note 13 1 Tempoal-Diffeence Leaning We now conside the poblem of computing an appopiate paamete, so that, given an appoximation
More informationLINEAR AND NONLINEAR ANALYSES OF A WIND-TUNNEL BALANCE
LINEAR AND NONLINEAR ANALYSES O A WIND-TUNNEL INTRODUCTION BALANCE R. Kakehabadi and R. D. Rhew NASA LaRC, Hampton, VA The NASA Langley Reseach Cente (LaRC) has been designing stain-gauge balances fo utilization
More informationIntroduction to Nuclear Forces
Intoduction to Nuclea Foces One of the main poblems of nuclea physics is to find out the natue of nuclea foces. Nuclea foces diffe fom all othe known types of foces. They cannot be of electical oigin since
More informationSMT 2013 Team Test Solutions February 2, 2013
1 Let f 1 (n) be the numbe of divisos that n has, and define f k (n) = f 1 (f k 1 (n)) Compute the smallest intege k such that f k (013 013 ) = Answe: 4 Solution: We know that 013 013 = 3 013 11 013 61
More informationWhen two numbers are written as the product of their prime factors, they are in factored form.
10 1 Study Guide Pages 420 425 Factos Because 3 4 12, we say that 3 and 4 ae factos of 12. In othe wods, factos ae the numbes you multiply to get a poduct. Since 2 6 12, 2 and 6 ae also factos of 12. The
More information7.2. Coulomb s Law. The Electric Force
Coulomb s aw Recall that chaged objects attact some objects and epel othes at a distance, without making any contact with those objects Electic foce,, o the foce acting between two chaged objects, is somewhat
More informationAdditive Approximation for Edge-Deletion Problems
Additive Appoximation fo Edge-Deletion Poblems Noga Alon Asaf Shapia Benny Sudakov Abstact A gaph popety is monotone if it is closed unde emoval of vetices and edges. In this pape we conside the following
More informationQuery Complexity Lower Bounds for Reconstruction of Codes
Quey Complexity Lowe Bounds fo Reconstuction of Codes Souav Chakaboty Elda Fische Aie Matsliah Abstact We investigate the poblem of local econstuction, as defined by Saks and Seshadhi (2008), in the context
More informationLocalization of Eigenvalues in Small Specified Regions of Complex Plane by State Feedback Matrix
Jounal of Sciences, Islamic Republic of Ian (): - () Univesity of Tehan, ISSN - http://sciencesutaci Localization of Eigenvalues in Small Specified Regions of Complex Plane by State Feedback Matix H Ahsani
More informationSyntactical content of nite approximations of partial algebras 1 Wiktor Bartol Inst. Matematyki, Uniw. Warszawski, Warszawa (Poland)
Syntactical content of nite appoximations of patial algebas 1 Wikto Batol Inst. Matematyki, Uniw. Waszawski, 02-097 Waszawa (Poland) batol@mimuw.edu.pl Xavie Caicedo Dep. Matematicas, Univ. de los Andes,
More informationPearson s Chi-Square Test Modifications for Comparison of Unweighted and Weighted Histograms and Two Weighted Histograms
Peason s Chi-Squae Test Modifications fo Compaison of Unweighted and Weighted Histogams and Two Weighted Histogams Univesity of Akueyi, Bogi, v/noduslód, IS-6 Akueyi, Iceland E-mail: nikolai@unak.is Two
More informationDeterministic vs Non-deterministic Graph Property Testing
Deteministic vs Non-deteministic Gaph Popety Testing Lio Gishboline Asaf Shapia Abstact A gaph popety P is said to be testable if one can check whethe a gaph is close o fa fom satisfying P using few andom
More informationTopic 4a Introduction to Root Finding & Bracketing Methods
/8/18 Couse Instucto D. Raymond C. Rumpf Office: A 337 Phone: (915) 747 6958 E Mail: cumpf@utep.edu Topic 4a Intoduction to Root Finding & Backeting Methods EE 4386/531 Computational Methods in EE Outline
More informationQUANTUM ALGORITHMS IN ALGEBRAIC NUMBER THEORY
QUANTU ALGORITHS IN ALGEBRAIC NUBER THEORY SION RUBINSTEIN-SALZEDO Abstact. In this aticle, we discuss some quantum algoithms fo detemining the goup of units and the ideal class goup of a numbe field.
More informationV G. In this class, we will look at a possible hypothesis for way the time dependence is t
ECE65R : Reliability Physics of anoelectonic Devices Lectue : CI Time Exponents Date : Dec. 4, 6 Classnote : Saakshi Gangwal Review : Lutfe A Siddiqui. Review We have spent seveal weeks discussing discussing
More informationJournal of Inequalities in Pure and Applied Mathematics
Jounal of Inequalities in Pue and Applied Mathematics COEFFICIENT INEQUALITY FOR A FUNCTION WHOSE DERIVATIVE HAS A POSITIVE REAL PART S. ABRAMOVICH, M. KLARIČIĆ BAKULA AND S. BANIĆ Depatment of Mathematics
More informationResearch Article On Alzer and Qiu s Conjecture for Complete Elliptic Integral and Inverse Hyperbolic Tangent Function
Abstact and Applied Analysis Volume 011, Aticle ID 697547, 7 pages doi:10.1155/011/697547 Reseach Aticle On Alze and Qiu s Conjectue fo Complete Elliptic Integal and Invese Hypebolic Tangent Function Yu-Ming
More informationA Multivariate Normal Law for Turing s Formulae
A Multivaiate Nomal Law fo Tuing s Fomulae Zhiyi Zhang Depatment of Mathematics and Statistics Univesity of Noth Caolina at Chalotte Chalotte, NC 28223 Abstact This pape establishes a sufficient condition
More informationConvergence Dynamics of Resource-Homogeneous Congestion Games: Technical Report
1 Convegence Dynamics of Resouce-Homogeneous Congestion Games: Technical Repot Richad Southwell and Jianwei Huang Abstact Many esouce shaing scenaios can be modeled using congestion games A nice popety
More informationTHE JEU DE TAQUIN ON THE SHIFTED RIM HOOK TABLEAUX. Jaejin Lee
Koean J. Math. 23 (2015), No. 3, pp. 427 438 http://dx.doi.og/10.11568/kjm.2015.23.3.427 THE JEU DE TAQUIN ON THE SHIFTED RIM HOOK TABLEAUX Jaejin Lee Abstact. The Schensted algoithm fist descibed by Robinson
More informationThe Chromatic Villainy of Complete Multipartite Graphs
Rocheste Institute of Technology RIT Schola Wos Theses Thesis/Dissetation Collections 8--08 The Chomatic Villainy of Complete Multipatite Gaphs Anna Raleigh an9@it.edu Follow this and additional wos at:
More informationBrief summary of functional analysis APPM 5440 Fall 2014 Applied Analysis
Bief summay of functional analysis APPM 5440 Fall 014 Applied Analysis Stephen Becke, stephen.becke@coloado.edu Standad theoems. When necessay, I used Royden s and Keyzsig s books as a efeence. Vesion
More informationMATH 220: SECOND ORDER CONSTANT COEFFICIENT PDE. We consider second order constant coefficient scalar linear PDEs on R n. These have the form
MATH 220: SECOND ORDER CONSTANT COEFFICIENT PDE ANDRAS VASY We conside second ode constant coefficient scala linea PDEs on R n. These have the fom Lu = f L = a ij xi xj + b i xi + c i whee a ij b i and
More informationac p Answers to questions for The New Introduction to Geographical Economics, 2 nd edition Chapter 3 The core model of geographical economics
Answes to questions fo The New ntoduction to Geogaphical Economics, nd edition Chapte 3 The coe model of geogaphical economics Question 3. Fom intoductoy mico-economics we know that the condition fo pofit
More information4/18/2005. Statistical Learning Theory
Statistical Leaning Theoy Statistical Leaning Theoy A model of supevised leaning consists of: a Envionment - Supplying a vecto x with a fixed but unknown pdf F x (x b Teache. It povides a desied esponse
More informationImproved Factoring Attacks on Multi-Prime RSA with Small Prime Difference
Impoved Factoing Attacks on Multi-Pime RSA with Small Pime Diffeence Mengce Zheng 1,2, Nobou Kunihio 2, and Honggang Hu 1 1 Univesity of Science and Technology of China, China mengce.zheng@gmail.com 2
More informationCSCE 478/878 Lecture 4: Experimental Design and Analysis. Stephen Scott. 3 Building a tree on the training set Introduction. Outline.
In Homewok, you ae (supposedly) Choosing a data set 2 Extacting a test set of size > 3 3 Building a tee on the taining set 4 Testing on the test set 5 Repoting the accuacy (Adapted fom Ethem Alpaydin and
More informationCALCULATING THE NUMBER OF TWIN PRIMES WITH SPECIFIED DISTANCE BETWEEN THEM BASED ON THE SIMPLEST PROBABILISTIC MODEL
U.P.B. Sci. Bull. Seies A, Vol. 80, Iss.3, 018 ISSN 13-707 CALCULATING THE NUMBER OF TWIN PRIMES WITH SPECIFIED DISTANCE BETWEEN THEM BASED ON THE SIMPLEST PROBABILISTIC MODEL Sasengali ABDYMANAPOV 1,
More informationKOEBE DOMAINS FOR THE CLASSES OF FUNCTIONS WITH RANGES INCLUDED IN GIVEN SETS
Jounal of Applied Analysis Vol. 14, No. 1 2008), pp. 43 52 KOEBE DOMAINS FOR THE CLASSES OF FUNCTIONS WITH RANGES INCLUDED IN GIVEN SETS L. KOCZAN and P. ZAPRAWA Received Mach 12, 2007 and, in evised fom,
More informationAlternative Tests for the Poisson Distribution
Chiang Mai J Sci 015; 4() : 774-78 http://epgsciencecmuacth/ejounal/ Contibuted Pape Altenative Tests fo the Poisson Distibution Manad Khamkong*[a] and Pachitjianut Siipanich [b] [a] Depatment of Statistics,
More information