Provable Security in Cryptography
Thomas Baignères
EPFL
May 29, 2007 (ver. 25)

These lecture notes are a compilation of some of my readings while I was preparing two lectures given at EPFL on provable security in cryptography. They are essentially based on a book chapter from David Pointcheval called Provable Security for Public Key Schemes [24], on Victor Shoup's tutorial on game playing techniques [30], on Coron's Crypto '00 paper on the exact security of the Full Domain Hash [9], and on Victor Shoup's Journal of Cryptology paper on OAEP+ [28, 29].

1 Provable Security

Although the origin of cryptography seems to date back to the invention of writing, no provably secure cryptosystem (a notion that will be made clearer later) was known before Rabin's cryptosystem, published in 1979 [18, 25]. Yet, several cryptosystems designed during the past 30 years provide very little (not to say no) security proofs. Some of these algorithms are widely used in nowadays secure applications. For example, if it was not for the work of Keliher [15], the AES [10] (the block cipher adopted as an encryption standard by the U.S. government) would not provide any (convincing) security proof against linear cryptanalysis [20] (a very powerful, yet very specific attack). The strongest argument in favor of the security of the AES is that, until now, none of the smart cryptanalytic attempts to break it has been successful. This fact, added to the very nice design rationales on which the AES relies, is often considered sufficient from a security perspective. Are we done then? Not quite. It sometimes takes time to break a cryptographic scheme. For example, the Chor-Rivest cryptosystem [8] resisted almost 15 years of cryptanalytic efforts, until it was completely broken by Vaudenay [32]. Obviously, the lack of successful cryptanalytic attacks shall not replace a security proof. But what do cryptographers exactly mean by provable security?
Informally, a scheme is provably secure if it comes with a rigorous logical argument that shows that if the security of this scheme is compromised then either some simple logical contradiction occurs (information theoretic security, or security against computationally unbounded adversaries), or some well-studied problem can be solved efficiently (security against computationally bounded adversaries). In the latter case, one must first assume the hardness of some problem (such as factorization of large integers) or the existence of some primitive (such as a one-way function f, for which it is easy to compute f(x), but given y = f(x) it is computationally intractable to recover x). In order to prove the security of a cryptographic scheme, one shows that a potential adversary against the scheme (i.e., an algorithm that breaks the scheme) can be used as a subroutine in order to efficiently break the computational assumption. We say that the cryptographic scheme reduces to the computational assumption (a notion borrowed from complexity theory). The reduction is considered to be efficient when both the time and space complexities of the routine against the computational assumption are bounded by a polynomial in the size of some security input (e.g., the size of an RSA modulus).

However, even the existence of such a proof may have little impact on practical security. To illustrate this fact we borrow an example from Koblitz and Menezes [17]. The Blum-Blum-Shub generator [6] is a cryptographically secure pseudorandom bit generator. Let N = pq be the n-bit product of two large primes both congruent to 3 mod 4. Let x_0 < N be a random integer and define x_i = x_{i-1}^2 mod N for i = 1, ..., k. The pseudorandom bit sequence made of the O(log log N) least significant bits of the x_i's is cryptographically secure [33], i.e., no polynomial-time statistical test can distinguish it from a perfectly random bitstring of the same length under the assumption that factoring N is intractable. More precisely, if the running time of the statistical test is
bounded by T and its advantage (footnote 1) is bounded by ε, then it was shown by Sidorenko and Schoenmakers [31] that one can securely extract the j least significant bits of each x_i, provided that

$$T \le \frac{L(n)}{36\, n\, (\log n)\, \delta^{-2}} - 2^{2j+9}\, n\, \delta^{-4}, \qquad (1)$$

where $\delta = (2^j - 1)^{-1}\,(\varepsilon/(kj))$ and $L(n) = \exp\big((n \ln 2)^{1/3} (\ln(n \ln 2))^{2/3}\big)$, which is the heuristic expected running time of the number field sieve to factor a random n-bit Blum integer. For n = 1024, j = 10, k = 10^6, and ε = 0.01, the bound given by (1) is close to −2^{200}, which is quite meaningless. To obtain a positive bound with this specific choice of j, k, and ε, n must be larger than whereas in practice the typical size for a modulus would be 2048 bits.

2 From Provable Security to Practical Security, or the Need for Idealized Models

The problem illustrated in the last section with the BBS pseudorandom generator finds a solution in the notion of exact security [5] or concrete security [23]. The adversary against the underlying problem should be almost as efficient (both in time and space) as the adversary against the cryptographic scheme it relies on, and should reach almost the same success probability. A scheme that comes with such security arguments achieves practical security. Unfortunately, practical security seems to lead to inefficient cryptographic schemes. To compensate, idealized models have been introduced. Among them, one may cite the random oracle model, informally introduced by Fiat and Shamir [11] and formalized by Bellare and Rogaway [3], where random functions replace hash functions, and the ideal cipher model [2], where block ciphers are replaced by random permutations. Given the fact that providing security proofs in such idealized models indeed leads to efficient cryptographic schemes, it is natural to wonder whether there is a gap between practical security in these models and practical security in the real world (e.g., where a hash function is SHA-1 [22]), also known as the standard model.
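Returning to the BBS bound of Section 1: the following added example (not from the notes) implements the generator and evaluates the right-hand side of (1) for the parameters of Koblitz and Menezes, then searches for the smallest n at which the bound turns positive. It assumes log n in (1) is taken in base 2 and uses a constructed toy modulus N = 11·19 to exercise the generator.

```python
import math


def bbs_bits(N, x0, k, j):
    """Blum-Blum-Shub: x_i = x_{i-1}^2 mod N for i = 1..k; return the j least
    significant bits of each x_i, least significant bit first."""
    bits = []
    x = x0
    for _ in range(k):
        x = (x * x) % N
        bits.extend((x >> t) & 1 for t in range(j))
    return bits


def nfs_heuristic_time(n):
    """L(n) = exp((n ln 2)^{1/3} (ln(n ln 2))^{2/3}), the heuristic NFS cost used in (1)."""
    a = n * math.log(2)
    return math.exp(a ** (1 / 3) * math.log(a) ** (2 / 3))


def ss_bound(n, j, k, eps):
    """Right-hand side of (1): the largest statistical-test running time T for which
    the Sidorenko-Schoenmakers result still guarantees the j LSBs of each x_i.
    delta = (2^j - 1)^{-1} * eps/(kj); log n is taken in base 2 (assumption)."""
    delta = eps / (k * j) / (2 ** j - 1)
    first = nfs_heuristic_time(n) / (36 * n * math.log2(n) * delta ** -2)
    second = 2 ** (2 * j + 9) * n * delta ** -4
    return first - second


def smallest_positive_n(j, k, eps, start=1024):
    """Smallest modulus size n (searched from `start`) for which (1) gives a
    positive T. The bound is negative for small n and grows super-polynomially
    once L(n) dominates, so doubling followed by bisection finds the crossover."""
    lo = start
    hi = start
    while ss_bound(hi, j, k, eps) <= 0:
        lo, hi = hi, hi * 2
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if ss_bound(mid, j, k, eps) > 0:
            hi = mid
        else:
            lo = mid
    return hi


if __name__ == "__main__":
    # Constructed toy instance: p = 11, q = 19 are both 3 mod 4, N = 209.
    print("toy BBS bits:", bbs_bits(209, 3, 5, 1))
    b = ss_bound(1024, 10, 10 ** 6, 0.01)
    print("bound (1) for n=1024: about -2^%.1f" % math.log2(-b))
    print("smallest n with a positive bound:", smallest_positive_n(10, 10 ** 6, 0.01))
```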
The first counter-example was provided by Canetti, Goldreich, and Halevi [7], who show that there exist encryption and signature schemes which are secure in the random oracle model but that have no secure implementation in the standard model. In other words, a real implementation of the secure ideal schemes would result in an insecure scheme. As far as the author of these notes can judge, the question whether the random oracle model should be preferred to the standard model with strong security assumptions on the underlying primitives is essentially a matter of taste. Yet, it is often stated that the constructions whose purpose is to refute the validity of the random oracle model are not natural and that it would be very unlikely to come up with a real construction that would suffer from the same pathology [18, 24].

Footnote 1: The advantage of such a test is the absolute value of the probability that it outputs 1 when fed with a random bitstring minus the probability that it outputs 1 when fed with a BBS pseudorandom sequence.

3 Structuring Convincing Security Proofs using Sequences of Games

A proof of security (just like any kind of proof) should be clear and easy to follow. If it is not elementary, being convincing about the validity of that which is to be demonstrated can be very challenging. Structuring security proofs as a sequence of games is one possibility to provide such proofs. The notion of security for a cryptographic scheme is usually defined via the description of a game between an adversary and a challenger. If the adversary wins the game, the security of the scheme is compromised. Both the adversary and the challenger are modeled as probabilistic processes, so that the whole game is modeled as a probability space. Consequently, the fact that the game is won by the adversary corresponds to a specific event S, and the scheme is secure when P[S] is close to some target probability (such as 0 or 1/2). Providing a tight bound between P[S] and the target probability is fundamental to provide practical security. Usually, providing such a bound given the sole description of the initial game is hard. One thus constructs a sequence of games Game 0, Game 1, ..., Game n, where Game 0 is the original game between the adversary and the challenger. Just as Game 0 defines an event S_0 = S, each Game i defines an event S_i such that P[S_i] is negligibly close to P[S_{i-1}] for i = 1, ..., n. Provided that P[S_n] is easy to compute and negligibly close to the target probability, we are done. Note that if we only consider provable security, "negligibly close to" means bounded by the inverse of some polynomial in the security parameter. When considering practical security, the final bound should moreover be of practical interest (i.e., be meaningful for practical values of the security parameter). Transitions between the games should be small to keep the analysis as simple as possible. Transitions are mainly of 3 types [30]:

Transitions based on indistinguishability. Here, if the adversary is able to distinguish between the two games, then it is easy to derive a distinguishing algorithm between two probability distributions that were assumed to be indistinguishable (either computationally or statistically, in the case of information theoretic security), hence a contradiction. The security proof of the ElGamal encryption (see Section 7) is the first example in these notes that uses this kind of transition.

Transitions based on failure events. In such a transition, Game i and Game i+1 proceed identically unless some failure event F occurs, i.e.,

$$S_i \wedge \neg F \iff S_{i+1} \wedge \neg F.$$

The following fact is then (almost) inevitably used.

Lemma 1 (Difference Lemma). Let A, B, and F be three probabilistic events such that $A \wedge \neg F \iff B \wedge \neg F$. Then $|P[A] - P[B]| \le P[F]$.

Proof.
$$|P[A] - P[B]| = \big|P[A \wedge F] + P[A \wedge \neg F] - P[B \wedge F] - P[B \wedge \neg F]\big| = \big|P[A \wedge F] - P[B \wedge F]\big| \le P[F],$$
where the second equality comes from the fact that $P[A \wedge \neg F] = P[B \wedge \neg F]$ and the third (the inequality) from the fact that both $P[A \wedge F]$ and $P[B \wedge F]$ are real numbers between 0 and P[F].

Thus, to show that |P[S_i] − P[S_{i+1}]| is negligible (i.e., negligibly close to 0), it is sufficient to show that P[F] is negligible. The computation of the RF/RP-advantage (see Section 8) is the first example in these notes that uses this kind of transition.

Bridging step.
This is the simplest kind of step, in which the game is just formulated in a different way, but such that P[S_i] = P[S_{i+1}]. The objective is to obtain an equivalent game that is easier to analyse. The computation of the RF/RP-advantage (see Section 8) is the first example in these notes that uses this kind of transition.

4 About the Rest of this Paper

Sections 5 and 6 respectively introduce the main security scenarios for public key encryption and for digital signatures. Next, each of the following sections describes a secure scheme and provides a proof of its security using sequences of games. The sections are ordered by increasing level of difficulty of the proofs, the first examples being fairly simple (toy examples, yet important results), the last two examples being more technical (as they are based on recent research papers). All the security notions introduced in Sections 5 and 6 are illustrated by at least one example in the following sections.

5 Security of Public-Key Encryption Schemes

The aim of a public-key encryption scheme is to allow anybody who knows the public key of Alice to send her a message that she will be the only one able to recover, granted her private key [24]. A public-key encryption scheme is a triplet (K, f, f^{-1}) where

- K is a key generation algorithm, which on input 1^k (where k is the security parameter) outputs a pair (pk, sk) of matching public and private keys. The algorithm is probabilistic.
- f is an encryption algorithm that, given a message m and the public key pk, outputs a ciphertext c = f_pk(m). The algorithm may be probabilistic.
- f^{-1} is a decryption algorithm that, given a ciphertext c and the secret key sk, outputs a plaintext m = f^{-1}_sk(c). The algorithm is deterministic.

The decryption shall undo the encryption, i.e., for any message m and any valid public/private key pair (pk, sk), it should hold that f^{-1}_sk(f_pk(m)) = m.
One-Wayness. This is the most basic security notion for a public-key encryption scheme, which informally means that only the legitimate secret key holder should be able to decrypt. We describe this notion more formally in Algorithm 1. In this algorithm the adversary A is a deterministic algorithm that takes as input random coins r sampled uniformly from some set R.

    (pk, sk) ← K(1^k)
    r ← R, view ← {r, pk}
    m ← M, c ← f_pk(m), view ← view ∪ {c}
    m' ← A(view)
    if m' = m then return 1 else return 0

Algorithm 1: One-wayness of a Public-key Encryption Scheme

Denoting S the event that Algorithm 1 returns 1, the success of an adversary A of breaking the one-wayness (ow) of the public-key scheme S is defined by Succ^{ow}_S(A) = P[S], where the probability holds over the random coins used by the encryption scheme, the internal coins used by the adversary, and the message m.

Semantic Security. This notion, introduced by Goldwasser and Micali in [13], guarantees that the adversary should not be able to obtain any information about a message given its encryption, even if the adversary knows that the plaintext was chosen among a finite set of texts (e.g., if the plaintext is just the encryption of "yes" or "no"). This notion (footnote 2) is described in Algorithm 2.

    (pk, sk) ← K(1^k)
    r ← R, view ← {r, pk}
    (m_0, m_1) ← A(view)
    b ← {0, 1}, c ← f_pk(m_b), view ← view ∪ {c}
    b' ← A(view)
    if b' = b then return 1 else return 0

Algorithm 2: Semantic Security of a Public-key Encryption Scheme

Denoting S the event that Algorithm 2 returns 1, the success of an adversary A of breaking the semantic security (ss) of the public-key encryption scheme S is defined by Succ^{ss}_S(A) = |P[S] − 1/2|.

Footnote 2: The definition we give for semantic security is actually that of a different (but equivalent) notion, called ciphertext indistinguishability, also introduced by Goldwasser and Micali in [13].

Adaptive Chosen Ciphertext Attacks (CCA). Semantic security is not sufficient when considering active adversaries (i.e., adversaries that do not only eavesdrop but also inject messages). To deal with active adversaries, Rackoff and Simon introduced the notion of adaptive chosen ciphertext attack [26]. Here, the adversary has access to a decryption oracle that she/he can query to obtain the decryption of any ciphertext. Given a target ciphertext (different from those that were submitted to the decryption oracle), the adversary must not be able to extract any information about the corresponding plaintext. The attack is adaptive in the sense that the adversary is allowed to query the decryption oracle even after she/he obtained the target ciphertext (provided, of course, that this target ciphertext is not submitted to the decryption oracle). This notion is described in Algorithm 3. Denoting S the event that Algorithm 3 returns 1, the success of an adversary A of breaking the CCA security (cca) of the public-key encryption scheme S is defined by Succ^{cca}_S(A) = |P[S] − 1/2|. In Algorithm 3 it is understood that the adversary is bounded in the number of oracle queries (i.e., the loop in the Oracle Queries function eventually ends). In other words, when studying the security of a particular scheme, there will be some explicit bound on this number of queries, on which the final security bound will depend.
    (pk, sk) ← K(1^k)   /* Global Vars */
    r ← R, view ← {r, pk}
    Oracle Queries(A, view, ⊥)
    (m_0, m_1) ← A(view), (y*, bit) ← Encryption Oracle(m_0, m_1), view ← view ∪ {y*}
    Oracle Queries(A, view, y*)
    bit' ← A(view)
    if bit' = bit then return 1 else return 0

    function Oracle Queries(A, view, y*)
        loop
            y ← A(view) such that y ≠ y*, m ← Decryption Oracle(y), view ← view ∪ {m}

    function Decryption Oracle(y)
        m ← f^{-1}_sk(y), return m

    function Encryption Oracle(m_0, m_1)
        bit ← {0, 1}, m* ← m_bit, y* ← f_pk(m*), return (y*, bit)

Algorithm 3: CCA Security of a Public-key Encryption Scheme

Other Security Notions. For an in-depth study of the security relations between different security criteria of public-key encryption schemes, we refer to [1].

6 Security of Digital Signature Schemes

The aim of a digital signature scheme is to allow Alice to sign any document with her private key, the correctness of this signature being verifiable by anybody using Alice's public key. Intuitively, it should be impossible to forge a signature, i.e., without the knowledge of Alice's private key, it should not be possible to sign messages on her behalf. A digital signature scheme is a triplet (K, sig, ver) where

- K is a key generation algorithm, which on input 1^k (where k is the security parameter) outputs a pair (pk, sk) of matching public and private keys. The algorithm is probabilistic.
- sig is the signing algorithm that, given a message m and the secret key sk, outputs a signature σ = sig_sk(m) of the message m. The algorithm may be probabilistic.
- ver is the verification algorithm that, given a message m, a signature σ, and the public key pk, checks whether the signature is valid (in that case ver_pk(m, σ) returns 1) or not (in that case ver_pk(m, σ) returns 0). This algorithm is deterministic.

For any valid public/private key pair (pk, sk), any message m, and any signature σ = sig_sk(m), it should always hold that ver_pk(m, σ) = 1. Moreover, it should be impossible for an adversary to compute a valid signature on Alice's behalf without the knowledge of her private key. Several kinds of adversaries can be considered, with different goals. In these notes we will only consider one kind of security notion, namely existential unforgeability (euf) under chosen-message attack (cma) [14], defined by Algorithm 4.
    (pk, sk) ← K(1^k)   /* Global Vars */
    r ← R, view ← {r, pk}
    Oracle Queries(A, view)
    (m*, σ*) ← A(view)
    return ver_pk(m*, σ*)   /* returns 1 if the signature is valid, 0 otherwise */

    function Oracle Queries(A, view)
        loop
            m ← A(view), σ ← Signing Oracle(m), view ← view ∪ {σ}

    function Signing Oracle(m)
        σ ← sig_sk(m), return σ

Algorithm 4: Existential unforgeability (euf) against chosen-message attack (cma) of a digital signature scheme.

Denoting S the event that Algorithm 4 returns 1, the success of an adversary A of forging a valid message/signature pair (euf) under a chosen-message attack against the digital signature scheme S is Succ^{euf}_S(A) = P[S]. In Algorithm 4 it is understood that m* should not have been queried to the signing oracle (footnote 3), and that the number of signing queries of the adversary is upper bounded. The security bound on the success of a particular adversary will depend on this bound.

Footnote 3: A stronger security notion, called non-malleability, requires that the signature was not obtained from the signing oracle.

7 ElGamal Encryption

We show in this section that the ElGamal public-key encryption scheme is semantically secure under the decisional Diffie-Hellman (DDH) assumption. In this section, G is a cyclic group of prime order q, and γ is an arbitrary generator of G.

7.1 Preliminaries

The Decisional Diffie-Hellman (DDH) assumption. Let D be a distinguishing algorithm that takes a triplet of elements of G as an input and outputs a bit. The DDH advantage of D is defined by

$$\mathrm{DDHAdv}(D) = \Big|\, P_{x,y}\big[D(\gamma^x, \gamma^y, \gamma^{xy}) = 1\big] - P_{x,y,z}\big[D(\gamma^x, \gamma^y, \gamma^z) = 1\big] \,\Big|,$$

where x, y, z are random elements of Z_q. The DDH assumption (for G) is the assumption that DDHAdv(D) is negligible for any D.

The ElGamal public-key encryption scheme. The key generation algorithm computes the public/private key pair as follows:

    x ← Z_q, α ← γ^x, pk ← α, sk ← x.

Given a message m ∈ G, the encryption algorithm computes the ciphertext c as follows:

    y ← Z_q, β ← γ^y, δ ← α^y, χ ← δ·m, c ← (β, χ).

Given a ciphertext c = (β, χ) ∈ G^2, the decryption algorithm recovers the plaintext m as follows:

    m ← χ/β^x.

The decryption undoes the encryption as

$$\chi/\beta^x = (\delta m)/(\gamma^y)^x = (\alpha^y m)/\gamma^{xy} = ((\gamma^x)^y m)/\gamma^{xy} = (\gamma^{xy} m)/\gamma^{xy} = m.$$

Finally, note that the security parameter corresponds to the bit-length of the group order q.
7.2 Security Proof

Game 0: This game corresponds to the definition of an adversary A against the semantic security of the ElGamal encryption scheme.

    x ← Z_q, α ← γ^x, pk ← α, sk ← x
    r ← R, view ← {r, pk}
    (m_0, m_1) ← A(view)
    b ← {0, 1}, y ← Z_q, β ← γ^y, δ ← α^y, χ ← δ·m_b, c ← (β, χ), view ← view ∪ {c}
    b' ← A(view)
    if b' = b then return 1 else return 0

Denoting S_0 the event that Game 0 returns 1, we have

$$\mathrm{Succ}^{ss}_{\mathrm{ElGamal}}(A) = |P[S_0] - 1/2|. \qquad (2)$$

Game 1: [Transition based on indistinguishability.] Instead of computing δ as α^y = γ^{xy}, we now compute it as γ^z, where z is sampled uniformly from Z_q.

    x ← Z_q, α ← γ^x, pk ← α, sk ← x
    r ← R, view ← {r, pk}
    (m_0, m_1) ← A(view)
    b ← {0, 1}, y ← Z_q, β ← γ^y, z ← Z_q, δ ← γ^z, χ ← δ·m_b, c ← (β, χ), view ← view ∪ {c}
    b' ← A(view)
    if b' = b then return 1 else return 0

Denoting S_1 the event that Game 1 returns 1, we claim that

$$|P[S_1] - P[S_0]| = \mathrm{DDHAdv}(D) \qquad (3)$$

for some distinguishing algorithm D. To prove this claim, let us first define D as follows:

    Distinguisher D(α, β, δ)
        pk ← α
        r ← R, view ← {r, pk}
        (m_0, m_1) ← A(view)
        b ← {0, 1}, χ ← δ·m_b, c ← (β, χ), view ← view ∪ {c}
        b' ← A(view)
        if b' = b then return 1 else return 0

If the input of the previous algorithm is of the form (γ^x, γ^y, γ^{xy}), then the computation proceeds just as in Game 0, so that P[D(γ^x, γ^y, γ^{xy}) = 1] = P[S_0]. If the input is of the form (γ^x, γ^y, γ^z), then the computation proceeds just as in Game 1, so that P[D(γ^x, γ^y, γ^z) = 1] = P[S_1]. Based on the adversary A, we obtained the description of a distinguisher D against the DDH assumption such that |P[S_1] − P[S_0]| = DDHAdv(D). Moreover, it is easy to see that P[S_1] = 1/2: we first note that (in Game 1) b, r, pk, β, δ are uniformly distributed random variables that are mutually independent, and thus so are b, r, pk, β, χ (the argument is identical to the one that shows that the distribution of a ciphertext produced by the one-time pad is uniform, regardless of the plaintext distribution). Consequently b and b' ← A(view) are mutually independent, so that P[S_1] = 1/2.
From this, and from equations (2) and (3), we conclude that Succ^{ss}_{ElGamal}(A) = DDHAdv(D) for some distinguisher D, which is negligible under the DDH assumption. This completes the proof.
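The two claims the proof rests on, that D(γ^x, γ^y, γ^{xy}) runs exactly as Game 0 while D(γ^x, γ^y, γ^z) runs exactly as Game 1, and that Game 1 hides b perfectly, can be checked exhaustively in a toy group. This added example (not from the notes) does so in the constructed order-11 subgroup of Z_23^* with a hypothetical deterministic adversary that guesses b from the parity of χ; the games take their coins as explicit arguments so that every choice can be enumerated.

```python
from fractions import Fraction

# Constructed toy parameters: G is the order-11 subgroup of Z_23^*, generated by 4.
P_MOD, Q_ORD, GAMMA = 23, 11, 4
GROUP = sorted({pow(GAMMA, i, P_MOD) for i in range(Q_ORD)})


def keygen(x):
    """pk = alpha = gamma^x, sk = x (x is passed in so games can be replayed)."""
    return pow(GAMMA, x, P_MOD), x


def encrypt(alpha, m, y):
    beta, delta = pow(GAMMA, y, P_MOD), pow(alpha, y, P_MOD)
    return beta, delta * m % P_MOD


def decrypt(x, c):
    beta, chi = c
    inv = pow(pow(beta, x, P_MOD), P_MOD - 2, P_MOD)   # 1 / beta^x
    return chi * inv % P_MOD


class ParityAdversary:
    """Hypothetical adversary A: fixed (m_0, m_1), guesses b from the parity of chi.
    Any object with choose(pk) and guess(pk, c) can be plugged in instead."""
    def choose(self, pk):
        return 4, 16          # both in GROUP
    def guess(self, pk, c):
        return c[1] & 1


def game(adv, x, y, b, real_ddh, z=0):
    """Game 0 (real_ddh=True: delta = alpha^y) or Game 1 (real_ddh=False: delta = gamma^z).
    Returns 1 iff A's guess equals b."""
    alpha, _ = keygen(x)
    m = adv.choose(alpha)
    beta = pow(GAMMA, y, P_MOD)
    delta = pow(alpha, y, P_MOD) if real_ddh else pow(GAMMA, z, P_MOD)
    return int(adv.guess(alpha, (beta, delta * m[b] % P_MOD)) == b)


def distinguisher(adv, alpha, beta, delta, b):
    """The DDH distinguisher D(alpha, beta, delta) built from A (bit b passed in
    so its coins can be matched against the game it is meant to simulate)."""
    m = adv.choose(alpha)
    return int(adv.guess(alpha, (beta, delta * m[b] % P_MOD)) == b)


def simulation_is_perfect(adv):
    """Over all coins: D on a DDH triple behaves as Game 0, on a random triple as Game 1."""
    for x in range(Q_ORD):
        for y in range(Q_ORD):
            gx, gy, gxy = pow(GAMMA, x, P_MOD), pow(GAMMA, y, P_MOD), pow(GAMMA, x * y, P_MOD)
            for b in (0, 1):
                if game(adv, x, y, b, True) != distinguisher(adv, gx, gy, gxy, b):
                    return False
                for z in range(Q_ORD):
                    if game(adv, x, y, b, False, z) != distinguisher(adv, gx, gy, pow(GAMMA, z, P_MOD), b):
                        return False
    return True


def game1_hides_b(adv):
    """The one-time-pad argument: as z ranges over Z_q, chi = gamma^z * m_b runs
    through all of G whichever b was chosen, so c is independent of b."""
    m = adv.choose(keygen(1)[0])
    return all(sorted(pow(GAMMA, z, P_MOD) * m[b] % P_MOD for z in range(Q_ORD)) == GROUP
               for b in (0, 1))


def exact_success(adv, real_ddh):
    """P[S_0] (real_ddh=True) or P[S_1] (real_ddh=False), by enumerating all coins."""
    wins = total = 0
    for x in range(Q_ORD):
        for y in range(Q_ORD):
            for z in ((0,) if real_ddh else range(Q_ORD)):
                for b in (0, 1):
                    wins += game(adv, x, y, b, real_ddh, z)
                    total += 1
    return Fraction(wins, total)
```

In Game 1 the exact success is 1/2 for any adversary, as the proof claims; the toy group is far too small for the DDH assumption to hold, so Game 0 may show a visible advantage there.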
8 Random Function vs. Random Permutation

In the ideal cipher model [2], block ciphers are replaced by random permutations. In certain circumstances, it is easier to study the security of a cryptographic scheme by replacing the random permutations by random functions. The RF/RP-Lemma allows one to evaluate in which cases such a switch is acceptable, by computing the advantage of an adversary trying to distinguish between a random permutation and a random function of the same (co)domain.

8.1 Preliminaries

We denote by Γ_l the set of all functions from {0,1}^l to {0,1}^l and by Π_l the set of all permutations on {0,1}^l. We consider an adversary A who is either given black-box (oracle) access to a uniformly distributed random function F ∈ Γ_l or to a uniformly distributed random permutation P ∈ Π_l. We respectively denote this adversary A^F and A^P. The RF/RP-advantage of this adversary is defined by

$$\big|\, P_F[A^F = 1] - P_P[A^P = 1] \,\big|.$$

We will show that the advantage of an adversary that makes at most q queries to the black box is bounded by $q^2/2^{l+1}$. Without loss of generality, we assume that the adversary makes exactly q queries and that all of them are distinct (a duplicate query would be useless, as it would not provide any additional information that the adversary would not already have).

8.2 Security Proof

Game 0: This game represents the computations made by an adversary A having black-box (oracle) access to a random permutation P ∈ Π_l.

    P ← Π_l   /* Global Var */
    r ← R, view ← {r}
    for i = 1, ..., q do
        x_i ← A(view), y_i ← Oracle(x_i), view ← view ∪ {y_i}
    bit ← A(view), return bit

    function Oracle(x)
        y ← P(x)
        return y

Denoting S_0 the event that the previous algorithm returns 1, we have

$$P_P[A^P = 1] = P[S_0]. \qquad (4)$$

Game 1: [Bridging Step.] We now introduce a technique that will be used over and over in the rest of these notes. We replace the random permutation by a table that grows while the adversary makes queries to the oracle. The table, initially empty, keeps track of the input/output values of the simulated permutation. Given an input value x on which the oracle has not been queried yet, a random value is chosen for y, the pair (x, y) is inserted in the table, and y is returned. If the input value x matches some entry in the table, the corresponding y is returned. This would perfectly simulate a random function. As we are dealing with a random permutation, we should also make sure that two distinct queries receive two distinct answers. This is described more formally in Game 1 (recall that we assumed that the adversary never makes the same query twice, so that we do not actually need to keep track of x in the list here). This technique is sometimes called lazy sampling.
    List ← ∅   /* Global Var */
    r ← R, view ← {r}
    for i = 1, ..., q do
        x_i ← A(view), y_i ← Oracle(x_i), view ← view ∪ {y_i}
    bit ← A(view), return bit

    function Oracle(x)
        Y ← {0,1}^l
        if Y ∈ List then y ← {0,1}^l \ List else y ← Y
        List ← List ∪ {y}
        return y

It should be clear that this change is purely conceptual and doesn't change anything from the point of view of the adversary. Consequently, if we denote by S_1 the event that Game 1 returns 1,

$$P[S_1] = P[S_0]. \qquad (5)$$

Game 2: [Transition based on a failure event.] We now drop the consistency check in the simulation of the random permutation, so that it actually becomes a simulation of a random function.

    List ← ∅   /* Global Var */
    r ← R, view ← {r}
    for i = 1, ..., q do
        x_i ← A(view), y_i ← Oracle(x_i), view ← view ∪ {y_i}
    bit ← A(view), return bit

    function Oracle(x)
        Y ← {0,1}^l
        y ← Y
        List ← List ∪ {y}
        return y

Letting S_2 be the event that Game 2 returns 1, we thus have

$$P[S_2] = P_F[A^F = 1], \qquad (6)$$

where F ∈ Γ_l is a random function. Let F be the event that Y ∈ List at least once during the execution of Game 1. It is obvious that Game 1 and Game 2 proceed identically unless the event F occurs. By the difference lemma,

$$|P[S_2] - P[S_1]| \le P[F]. \qquad (7)$$

We denote by Y_i the value sampled by Oracle to answer the i-th query in Game 1. Let {y_1, y_2, ..., y_q} be a list of q distinct elements of {0,1}^l and let Y ← {0,1}^l be a uniformly distributed random variable. We have that

$$\begin{aligned}
P[F] &= P\big[Y_2 \in \{Y_1\} \vee Y_3 \in \{Y_1, Y_2\} \vee \cdots \vee Y_q \in \{Y_1, \ldots, Y_{q-1}\}\big] \\
&\le P[Y_2 \in \{Y_1\}] + P[Y_3 \in \{Y_1, Y_2\}] + \cdots + P[Y_q \in \{Y_1, \ldots, Y_{q-1}\}] \\
&\le P_Y[Y \in \{y_1\}] + P_Y[Y \in \{y_1, y_2\}] + \cdots + P_Y[Y \in \{y_1, y_2, \ldots, y_{q-1}\}] \\
&= \frac{1}{2^l} + \frac{2}{2^l} + \cdots + \frac{q-1}{2^l} = \frac{q(q-1)}{2^{l+1}} \le \frac{q^2}{2^{l+1}}.
\end{aligned}$$

The first inequality comes from the union bound, the second from the fact that P[Y_i ∈ {Y_1, ..., Y_{i-1}}] ≤ P[Y_i ∈ {y_1, ..., y_{i-1}}], as the y_1, ..., y_{i-1} are distinct values (which might not be the case for the Y_i's). From this bound and from equations (4), (5), (6), and (7) we deduce the announced result.
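Games 1 and 2 of Section 8 as runnable code, added here as an example that is not part of the notes: one lazily sampled oracle with the consistency check switched on (random permutation) or off (random function), a flag recording the failure event F, the collision-detecting distinguisher, and a Monte Carlo estimate to compare against the bound q(q−1)/2^{l+1}. The `table` keyed by x is an addition for robustness; the notes omit it because queries are assumed distinct.

```python
import random


class LazyOracle:
    """Lazily sampled oracle on l-bit strings. consistency=True is Game 1 (a fresh
    Y already in List is replaced by an unused value, so it is a random permutation);
    consistency=False is Game 2 (Y is returned as is, so it is a random function).
    `failed` records the failure event F: Y in List at least once."""

    def __init__(self, l, consistency, rng):
        self.l, self.consistency, self.rng = l, consistency, rng
        self.table = {}     # x -> y, so a repeated query is answered consistently
        self.used = set()   # List
        self.failed = False

    def query(self, x):
        if x in self.table:
            return self.table[x]
        Y = self.rng.randrange(1 << self.l)
        if Y in self.used:
            self.failed = True
            if self.consistency:
                Y = self.rng.choice(sorted(set(range(1 << self.l)) - self.used))
        self.used.add(Y)
        self.table[x] = Y
        return Y


def make_oracle(l, consistency, seed):
    return LazyOracle(l, consistency, random.Random(seed))


def rf_rp_bound(q, l):
    """q(q-1)/2^{l+1}: the bound on |P[A^F = 1] - P[A^P = 1]| derived in Section 8."""
    return q * (q - 1) / 2 ** (l + 1)


def collision_adversary(oracle, q):
    """The natural distinguisher: q distinct queries, output 1 iff two answers collide."""
    answers = [oracle.query(x) for x in range(q)]
    return int(len(set(answers)) < q)


def estimate_advantage(l, q, trials, seed=1):
    """Monte Carlo estimate of the RF/RP-advantage of collision_adversary, and the
    empirical frequency of the failure event F in Game 1."""
    rng = random.Random(seed)
    ones_p = ones_f = failures = 0
    for _ in range(trials):
        rp = LazyOracle(l, True, rng)
        ones_p += collision_adversary(rp, q)
        failures += rp.failed
        ones_f += collision_adversary(LazyOracle(l, False, rng), q)
    return abs(ones_f - ones_p) / trials, failures / trials


if __name__ == "__main__":
    adv, f = estimate_advantage(l=4, q=5, trials=2000)
    print("empirical advantage %.3f, P[F] %.3f, bound %.3f" % (adv, f, rf_rp_bound(5, 4)))
```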
9 The Luby-Rackoff Construction

When studying the security of the Data Encryption Standard (DES) [21], Luby and Rackoff proved that a 3-round Feistel network (on which the DES is based) can generate a pseudo-random permutation out of three mutually independent random functions.

9.1 Preliminaries

A family P = {P_k}_{k∈K} ⊂ Π_l is said to be pseudo-random if it is hard to distinguish between a random instance of that family and a random instance of Π_l. More formally, let A be an adversary who is given oracle access to a random permutation P_k of P or to a random permutation P* of Π_l. The PRP-advantage of A is defined by

$$\big|\, P[A^{P_k} = 1] - P[A^{P^*} = 1] \,\big|.$$

The family P is said to be pseudo-random if any adversary's PRP-advantage is negligible.

A Feistel scheme allows one to build a permutation from round functions. A three-round Feistel scheme based on the functions f_1, f_2, f_3 ∈ Γ_l is a permutation in Π_{2l}, usually denoted Ψ(f_1, f_2, f_3), and defined as follows. On input (u, v) ∈ {0,1}^l × {0,1}^l, let

    w ← u ⊕ f_1(v)
    x ← v ⊕ f_2(w)
    y ← w ⊕ f_3(x),

the output is (x, y) ∈ {0,1}^l × {0,1}^l. It is easy to see that Ψ(f_1, f_2, f_3) is a permutation by checking that Ψ^{-1}(f_1, f_2, f_3) = Ψ(f_3, f_2, f_1). The Luby-Rackoff construction consists in a three-round Feistel scheme with 3 mutually independent random functions. In the next section, we show that the family LR = {Ψ(F, G, H) : F, G, H ∈ Γ_l} ⊂ Π_{2l} is pseudo-random, provided that 2^{-l} is negligible. More precisely, we show that the PRP-advantage of any adversary A who is given access to a random permutation P ∈ LR or to a random permutation P* ∈ Π_{2l} is bounded by $\tfrac{3}{2} q^2 2^{-l}$.

9.2 Security Proof

Game 0: This game represents the computation of an adversary A who is given oracle access to a random Luby-Rackoff instance. As in Section 8.1, we assume that the adversary makes exactly q encryption queries, and that all the queries are distinct from each other. In the following game, this translates into (u_i, v_i) ≠ (u_j, v_j) for i ≠ j.

    F, G, H ← Γ_l   /* Global Vars */
    r ← R, view ← {r}
    for i = 1, ..., q do
        (u_i, v_i) ← A(view), (x_i, y_i) ← Oracle(u_i, v_i), view ← view ∪ {(x_i, y_i)}
    bit ← A(view), return bit

    function Oracle(u, v)
        w ← u ⊕ F(v)
        x ← v ⊕ G(w)
        y ← w ⊕ H(x)
        return (x, y)

Denoting S_0 the event that Game 0 returns 1, we have

$$P[S_0] = P[A^P = 1], \qquad (8)$$

where P is a random instance of the Luby-Rackoff construction.
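The construction of Section 9.1 as code, added here as an example that is not part of the notes: Ψ(f_1, f_2, f_3) with lazily sampled round functions, its inverse (Ψ(f_3, f_2, f_1) applied to the swapped halves, which is what the identity Ψ^{-1}(f_1, f_2, f_3) = Ψ(f_3, f_2, f_1) means once the halves are written out), an exhaustive permutation check for small l, and a counter for the failure events F_1 (w_i = w_j) and F_2 (x_i = x_j) that the proof bounds.

```python
import random


def lazy_random_function(l, rng):
    """A random function in Gamma_l, sampled lazily: the table grows as new inputs arrive."""
    table = {}

    def f(v):
        if v not in table:
            table[v] = rng.randrange(1 << l)
        return table[v]
    return f


def feistel3(f1, f2, f3, u, v):
    """Psi(f1, f2, f3) on (u, v), exactly as defined in Section 9.1."""
    w = u ^ f1(v)
    x = v ^ f2(w)
    y = w ^ f3(x)
    return x, y


def feistel3_inverse(f1, f2, f3, x, y):
    """Inverse of Psi(f1, f2, f3): run Psi(f3, f2, f1) on the swapped halves (y, x);
    the rounds then cancel in reverse order and the swapped (v, u) comes out."""
    v, u = feistel3(f3, f2, f1, y, x)
    return u, v


def make_instance(l, seed):
    """Three mutually independent lazily sampled random functions (a Luby-Rackoff instance)."""
    rng = random.Random(seed)
    return tuple(lazy_random_function(l, rng) for _ in range(3))


def is_permutation(f1, f2, f3, l):
    """Exhaustively check that Psi(f1, f2, f3) is a permutation of {0,1}^{2l}."""
    outputs = {feistel3(f1, f2, f3, u, v) for u in range(1 << l) for v in range(1 << l)}
    return len(outputs) == 1 << (2 * l)


def inverse_holds(f1, f2, f3, l):
    return all(feistel3_inverse(f1, f2, f3, *feistel3(f1, f2, f3, u, v)) == (u, v)
               for u in range(1 << l) for v in range(1 << l))


def count_failure_events(l, queries, seed):
    """Game 2 bookkeeping for distinct queries (u_i, v_i): number of pairs i < j with
    w_i = w_j (event F_1) and with x_i = x_j (event F_2)."""
    f1, f2, _ = make_instance(l, seed)
    ws, xs = [], []
    for u, v in queries:
        w = u ^ f1(v)
        ws.append(w)
        xs.append(v ^ f2(w))
    f1_hits = sum(1 for i in range(len(ws)) for j in range(i) if ws[i] == ws[j])
    f2_hits = sum(1 for i in range(len(xs)) for j in range(i) if xs[i] == xs[j])
    return f1_hits, f2_hits
```

Queries that share v but differ in u can never collide on w, which is the zero-probability case in the proof's bound on P[w_i = w_j].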
Game 1: [Bridging Step.] In this game, we adopt the lazy-sampling technique for both random functions G and H (similarly to what we did in Game 1 in Section 8.2, except that we deal with a simpler case here, as we consider random functions).

    GList, HList ← ∅, F ← Γ_l   /* Global Vars */
    r ← R, view ← {r}
    for i = 1, ..., q do
        (u_i, v_i) ← A(view), (x_i, y_i) ← Oracle(u_i, v_i), view ← view ∪ {(x_i, y_i)}
    bit ← A(view), return bit

    function Oracle(u, v)
        w ← u ⊕ F(v)
        if (w, g) ∈ GList then x ← v ⊕ g
        else g ← {0,1}^l, GList ← GList ∪ {(w, g)}, x ← v ⊕ g
        if (x, h) ∈ HList then y ← w ⊕ h
        else h ← {0,1}^l, HList ← HList ∪ {(x, h)}, y ← w ⊕ h
        return (x, y)

To save some space in the algorithm, we do not explicitly write that searching for (w, g) ∈ GList or for (x, h) ∈ HList is respectively done for some g and for some h. Denoting S_1 the event that Game 1 returns 1, we have

$$P[S_1] = P[S_0]. \qquad (9)$$

Game 2: [Transition based on a failure event.] We eliminate the consistency checks in the encryption oracle. As we need neither GList nor HList in this case, we remove them from the game description to simplify it a little bit.

    F ← Γ_l   /* Global Var */
    r ← R, view ← {r}
    for i = 1, ..., q do
        (u_i, v_i) ← A(view), (x_i, y_i) ← Oracle(u_i, v_i), view ← view ∪ {(x_i, y_i)}
    bit ← A(view), return bit

    function Oracle(u, v)
        w ← u ⊕ F(v)
        g ← {0,1}^l, x ← v ⊕ g
        h ← {0,1}^l, y ← w ⊕ h
        return (x, y)

In this new game, the oracle simply outputs a fresh random value of {0,1}^{2l} for each query. As we assumed that the q queries of the adversary are distinct from each other, this means that the oracle behaves like a random function of Γ_{2l}. Denoting S_2 the event that Game 2 outputs 1, we thus have

$$P[S_2] = P[A^F = 1], \qquad (10)$$

where F ∈ Γ_{2l} is a random function. We denote by (u_1, v_1), ..., (u_q, v_q) the q queries made to the oracle, and similarly denote w_i, g_i, h_i, x_i, y_i the values corresponding to the query (u_i, v_i). Let F_1 be the event that w_i = w_j for some i ≠ j in Game 2. Let F_2 be the event that x_i = x_j for some i ≠ j in Game 2. It is simple to see that Game 2 proceeds identically to Game 1, unless the event F_1 ∨ F_2 occurs. By the difference lemma and the union bound, we have

$$|P[S_2] - P[S_1]| \le P[F_1 \vee F_2] \le P[F_1] + P[F_2] \le \sum_{i<j} \big(P[w_i = w_j] + P[x_i = x_j]\big). \qquad (11)$$
For any i ≠ j we have P[w_i = w_j] = P[u_i ⊕ F(v_i) = u_j ⊕ F(v_j)]. As we assumed that the adversary does not ask the same query twice, either u_i ≠ u_j and v_i = v_j, in which case we have P[u_i ⊕ F(v_i) = u_j ⊕ F(v_j)] = 0, or v_i ≠ v_j, and we have P[u_i ⊕ F(v_i) = u_j ⊕ F(v_j)] = 2^{-l}. Thus P[w_i = w_j] ≤ 2^{-l}. For any i ≠ j, we moreover have P[x_i = x_j] = P[v_i ⊕ g_i = v_j ⊕ g_j] = 2^{-l}, as g_i, g_j are mutually independent random variables. With this and from (11) we obtain that

$$|P[S_2] - P[S_1]| \le q^2\, 2^{-l}. \qquad (12)$$

From equations (8), (9), (10), (11), and (12), we deduce that

$$\big|\, P[A^P = 1] - P[A^F = 1] \,\big| \le q^2\, 2^{-l}.$$

Finalizing the proof using the RF/RP-Lemma: To conclude, we make use of the result of Section 8. The advantage of A of distinguishing P from P* is

$$\big|\, P[A^P = 1] - P[A^{P^*} = 1] \,\big| \le \big|\, P[A^P = 1] - P[A^F = 1] \,\big| + \big|\, P[A^F = 1] - P[A^{P^*} = 1] \,\big| \le \tfrac{3}{2}\, q^2\, 2^{-l}.$$

This completes the proof.

10 Full-Domain Hash

The Full-Domain Hash (FDH) [3] is a provably secure signature scheme in the random oracle model. The first security proof was initially proposed by Bellare and Rogaway in [5] and was later improved by Coron in [9] (see Section 11 for Coron's proof).

10.1 Preliminaries

The Full Domain Hash (FDH) signature scheme is defined as follows. On input 1^k (where k is the security parameter), the key generation algorithm computes RSA parameters n = pq, e, d where p, q are k/2-bit primes and where e·d ≡ 1 (mod φ(n)). It outputs (pk, sk) where pk = (n, e) and sk = (n, d). Both the signing and the verifying algorithm have oracle access to a hash function H : {0,1}* → Z_n. On input m, the signing algorithm outputs the signature σ = H(m)^d mod n. On input (m, σ), the verifying algorithm outputs 1 if σ^e mod n = H(m) and 0 otherwise.

Theorem 2. Let A be an adversary performing a chosen-message attack against the Full Domain Hash in the random oracle model, with security parameter k. Let q_s and q_h denote the number of queries made by A to the signing oracle and to the hash oracle respectively. Let Succ^{euf}_{fdh}(A) be the success probability of A to produce an existential forgery in time t.
Then there exists an adversary $A'$ that breaks the one-wayness of RSA with probability of success $\mathrm{Succ}^{\mathrm{ow}}_{\mathrm{rsa}}(A')$ in time $t'$ where
$$\mathrm{Succ}^{\mathrm{ow}}_{\mathrm{rsa}}(A') = \frac{1}{q_h}\,\mathrm{Succ}^{\mathrm{euf}}_{\mathrm{fdh}}(A) \quad\text{and}\quad t' = t + q_h \cdot O(k^3).$$
A proof of this result is provided in Section 10.3.

10.2 Discussion

As noted by the authors themselves, the bound is not satisfactory. Indeed, whereas it is easy in practice to limit the number of signing queries, it is not possible to limit the number of hash queries. We should assume that $q_h \gg q_s$. If the adversary is allowed to ask, say, $q_h = 2^{60}$ hash queries (in practice, this corresponds to hashing $2^{60}$ times with SHA-1 [22] or MD5 [27]), and if the success probability of inverting RSA is $2^{-61}$, Theorem 2 only guarantees that the forging probability is at most $q_h \cdot 2^{-61} = 1/2$, which is too much. If we only had this security result available, we would have to increase the security parameter $k$ to lower the probability of inverting RSA. The drawback of this solution is that it would decrease the efficiency of the scheme.

At first sight, it might be surprising that the bound given in Theorem 2 does not depend on $q_s$. In fact, the original bound proposed in [5] does, as it shows how to construct an adversary $A'$ such that
$$\mathrm{Succ}^{\mathrm{ow}}_{\mathrm{rsa}}(A') = \frac{1}{q_h + q_s + 1}\,\mathrm{Succ}^{\mathrm{euf}}_{\mathrm{fdh}}(A) \quad\text{and}\quad t' = t + (q_h + q_s + 1) \cdot O(k^3).$$
Therefore, our bound slightly improves on that of the original proof, but the gain is negligible: for the reasons mentioned in the previous paragraph, we should consider that $q_h \gg q_s$, so that both bounds are equivalent. Coron's proof [9] is a real improvement in the sense that it replaces the factor $q_h$ by $q_s$ in the bound on the success probability of $A'$ (see Section 11 for a full treatment of Coron's proof).

10.3 Proof of Theorem 2

Throughout this proof, we denote by $S_i$ the event that Game $i$ returns 1.

Game 0: This game exactly corresponds to the existential unforgeability (euf) game under chosen-message attack performed by an adversary $A$. In the game, we denote by $\mathcal{H}$ the set of all functions from $\{0,1\}^*$ to $\mathbb{Z}_n^*$. We have
$$\mathrm{Succ}^{\mathrm{euf}}_{\mathrm{fdh}}(A) = P[S_0]. \qquad (13)$$
Note that the hash oracle is queried $q_h + q_s + 1$ times in total ($q_h$ times by the adversary, $q_s$ times by the signing oracle, and one last time at the end of the game).

    (n, e, d) ← RSA(1^k), H ←R ℋ, i, j ← 0                        /* Global Vars */
    view ← {n, e}
    Oracle Queries(A, view)
    (m*, σ*) ← A(view)
    h* ← H(m*)
    if σ* = h*^d mod n then return 1 else return 0

    function Oracle Queries(A, view)
        loop
            m_{i+j} ← A(view)
            do either
                if i < q_h then h_{i+j} ← Hash Oracle(m_{i+j}), view ← view ∪ {h_{i+j}}, i ← i + 1
            or
                if j < q_s then σ_{i+j} ← Signing Oracle(m_{i+j}), view ← view ∪ {σ_{i+j}}, j ← j + 1
        done

    function Hash Oracle(m)
        h ← H(m), return h

    function Signing Oracle(m)
        h ← Hash Oracle(m), σ ← h^d mod n, return σ

Game 1: [Bridging Step.] In this game, we adopt the lazy-sampling technique for the random function $H$: instead of drawing the whole function at the beginning of the game, each hash value is drawn uniformly at random the first time it is needed and stored in a list HList of entries (index, message, preimage, hash value); the preimage slot is unused (written $\cdot$) until Game 5. Note that searching for $(\cdot, m, \cdot, h) \in \mathrm{HList}$ is done for some $h$, i.e., $h$ is bound by the search. We have
$$P[S_1] = P[S_0]. \qquad (14)$$
    (n, e, d) ← RSA(1^k), HList ← ∅, i, j ← 0                     /* Global Vars */
    view ← {n, e}
    Oracle Queries(A, view)
    (m*, σ*) ← A(view)
    if (·, m*, ·, h) ∈ HList then h* ← h else h* ←R Z_n^*
    if σ* = h*^d mod n then return 1 else return 0

    function Oracle Queries(A, view)
        loop
            m_{i+j} ← A(view)
            do either
                if i < q_h then h_{i+j} ← Hash Oracle(m_{i+j}), view ← view ∪ {h_{i+j}}, i ← i + 1
            or
                if j < q_s then σ_{i+j} ← Signing Oracle(m_{i+j}), view ← view ∪ {σ_{i+j}}, j ← j + 1
        done

    function Hash Oracle(m)
        if (·, m, ·, h) ∈ HList then return h
        else h ←R Z_n^*, HList ← HList ∪ {(i + j, m, ·, h)}, return h

    function Signing Oracle(m)
        h ← Hash Oracle(m), σ ← h^d mod n, return σ

Game 2: [Bridging Step.]

    (n, e, d) ← RSA(1^k), HList ← ∅, i, j ← 0                     /* Global Vars */
    view ← {n, e}
    Oracle Queries(A, view)
    (m*, σ*) ← A(view)
    if (·, m*, ·, h) ∈ HList then h* ← h else h* ←R Z_n^*
    if σ* = h*^d mod n then return 1 else return 0

    function Oracle Queries(A, view)
        for i = 1, ..., q_h do
            m_i ← A(view)
            h_i ← Hash Oracle(m_i), view ← view ∪ {h_i}
            if j < q_s then possibly do σ_i ← Signing Oracle(m_i), view ← view ∪ {σ_i}, j ← j + 1

    function Hash Oracle(m)
        if (·, m, ·, h) ∈ HList then return h
        else h ←R Z_n^*, HList ← HList ∪ {(i, m, ·, h)}, return h

    function Signing Oracle(m)
        h ← Hash Oracle(m), σ ← h^d mod n, return σ

This game comes from two observations. The first is that we can assume without loss of generality that the adversary does not ask twice the same query to the signing oracle (as she/he would necessarily obtain the same answer twice). We can thus assume that the signing queries are distinct from each other. The second observation is that if the adversary performs a signing query at a point $m$ that she/he never queries to the hash oracle during the game, then the signature $\sigma \in \mathbb{Z}_n^*$ is a uniformly distributed random variable, independent from the rest of the game at any time, and in particular from the rest of view (as it is the $d$-th power of a uniformly random element $h$ that is never included in view). We can thus assume that the adversary never queries the signing oracle at a point she/he has not submitted to the hash oracle yet, so that the signing oracle never creates an entry in HList. Note that this implies that $q_h \ge q_s$. We have
$$P[S_2] = P[S_1]. \qquad (15)$$

Game 3: Using a similar argument as in the previous game, if $m^*$ does not match any entry in the list (i.e., if the adversary did not query the hash oracle at the point $m^*$), then the success probability of the adversary is necessarily negligible, since the guess $\sigma^*$ is compared to a random value independent from the value of view at the end of the game. We can therefore assume that there exists some index $1 \le c \le q_h$ such that $m^* = m_c$. In Game 3 we try to guess the value of $c$ (we denote the guess $\hat{c}$). If the guess is correct, Game 3 proceeds just as Game 2. If it is not, the game is aborted. As both games proceed identically unless $\hat{c} \ne c$ in Game 3, we have
$$P[S_3] = P[S_2 \wedge \hat{c} = c] = P[S_2] \cdot P[\hat{c} = c] = \frac{1}{q_h}\,P[S_2], \qquad (16)$$
where the second equality comes from the fact that the events $S_2$ and $\hat{c} = c$ are independent ($\hat{c}$ is drawn independently of everything else in the game and is never shown to the adversary), and where the last equality comes from the fact that $\hat{c}$ is sampled uniformly at random in $\{1, \ldots, q_h\}$.
    (n, e, d) ← RSA(1^k), HList ← ∅, i, j ← 0                     /* Global Vars */
    view ← {n, e}
    ĉ ←R {1, 2, ..., q_h}                                          /* Global Var */
    Oracle Queries(A, view)
    (m*, σ*) ← A(view)
    search for (c, m*, ·, h) ∈ HList for some c and h              /* we assumed that this entry exists */
    if ĉ ≠ c then abort else h* ← h
    if σ* = h*^d mod n then return 1 else return 0

    function Oracle Queries(A, view)
        for i = 1, ..., q_h do
            m_i ← A(view)
            h_i ← Hash Oracle(m_i), view ← view ∪ {h_i}
            if j < q_s then possibly do σ_i ← Signing Oracle(m_i), view ← view ∪ {σ_i}, j ← j + 1

    function Hash Oracle(m)
        if (·, m, ·, h) ∈ HList then return h
        else h ←R Z_n^*, HList ← HList ∪ {(i, m, ·, h)}, return h

    function Signing Oracle(m)
        h ← Hash Oracle(m), σ ← h^d mod n, return σ

Game 4: In this game we incorporate the challenge $y$ of the ow game (a uniformly random element of $\mathbb{Z}_n^*$ whose $e$-th root is sought) as follows: at the $\hat{c}$-th query to the hash oracle, we set the hash value to $y$, without querying the hash oracle.

    (n, e, d) ← RSA(1^k), HList ← ∅, i, j ← 0                     /* Global Vars */
    view ← {n, e}
    ĉ ←R {1, 2, ..., q_h}, y ←R Z_n^*                              /* Global Vars */
    Oracle Queries(A, view)
    (m*, σ*) ← A(view)
    search for (c, m*, ·, h) ∈ HList for some c and h              /* we assumed that this entry exists */
    if ĉ ≠ c then abort else h* ← h
    if σ* = h*^d mod n then return 1 else return 0

    function Oracle Queries(A, view)
        for i = 1, ..., q_h do
            m_i ← A(view)
            if i = ĉ then HList ← HList ∪ {(i, m_i, ·, y)}, view ← view ∪ {y}
            else h_i ← Hash Oracle(m_i), view ← view ∪ {h_i}
            if j < q_s then possibly do σ_i ← Signing Oracle(m_i), view ← view ∪ {σ_i}, j ← j + 1

    (Hash Oracle and Signing Oracle are unchanged from Game 3.)

Since we assumed that the adversary never asks the same hash query twice, and since $y$ is uniformly distributed in $\mathbb{Z}_n^*$ exactly like a lazily sampled hash value, this game performs just as the previous one from the point of view of the adversary (i.e., the respective distributions of view are identical). Consequently,
$$P[S_4] = P[S_3]. \qquad (17)$$

Game 5: In this game, instead of generating a random value for each hash query, we generate a random signature $x$ that we encrypt under the public key, $h \leftarrow x^e \bmod n$, to obtain an equally random hash value. We also keep track of the preimage $x$ in the list. As RSA encryption is a bijection of $\mathbb{Z}_n^*$, the distribution of $h$ is unchanged and this makes no difference from the point of view of the adversary, and thus
$$P[S_5] = P[S_4]. \qquad (18)$$

    (n, e, d) ← RSA(1^k), HList ← ∅, i, j ← 0                     /* Global Vars */
    view ← {n, e}
    ĉ ←R {1, 2, ..., q_h}, y ←R Z_n^*                              /* Global Vars */
    Oracle Queries(A, view)
    (m*, σ*) ← A(view)
    search for (c, m*, ·, h) ∈ HList for some c and h              /* we assumed that this entry exists */
    if ĉ ≠ c then abort else h* ← h
    if σ* = h*^d mod n then return 1 else return 0

    function Hash Oracle(m)
        if (·, m, ·, h) ∈ HList then return h
        else x ←R Z_n^*, h ← x^e mod n, HList ← HList ∪ {(i, m, x, h)}, return h

    (Oracle Queries and Signing Oracle are unchanged from Game 4.)

Game 6: Since the preimage of each hash value (except the $\hat{c}$-th one) is known, we can simulate the signing oracle without the secret key. From the point of view of the adversary, this game is identical to the previous one:
$$P[S_6] = P[S_5]. \qquad (19)$$
If the adversary asks the signing oracle at $m_{\hat{c}}$, the simulator has no preimage to return; but a valid existential forgery is on a message that was never signed, so in that case the guess $\hat{c}$ was wrong anyway and the game may as well abort, which does not change $P[S_6]$.

In Game 6, one can note that a valid forgery actually corresponds to a preimage of $y$: if $\hat{c} = c$ and $(\sigma^*)^e = h^* = y$, then $\sigma^* = y^d \bmod n$. Moreover, the simulation of this game does not require access to the signing (decryption) oracle as it can be simulated; indeed, the secret key is never used during the game (except for the final verification step, of course). This game thus provides a description of a valid adversary $A'$ that tries to break the one-wayness (ow) of the RSA function. This adversary needs to perform $q_h$ RSA encryptions (with the public key). Consequently,
$$P[S_6] = \mathrm{Succ}^{\mathrm{ow}}_{\mathrm{rsa}}(A'), \qquad (20)$$
where $A'$ runs in time $t' = t + q_h \cdot O(k^3)$. From equations (13), (14), (15), (16), (17), (18), (19), and (20) we obtain
$$\mathrm{Succ}^{\mathrm{ow}}_{\mathrm{rsa}}(A') = \frac{1}{q_h}\,\mathrm{Succ}^{\mathrm{euf}}_{\mathrm{fdh}}(A).$$

    (n, e, d) ← RSA(1^k), HList ← ∅, i, j ← 0                     /* Global Vars */
    view ← {n, e}
    ĉ ←R {1, 2, ..., q_h}, y ←R Z_n^*                              /* Global Vars */
    Oracle Queries(A, view)
    (m*, σ*) ← A(view)
    search for (c, m*, ·, h) ∈ HList for some c and h              /* we assumed that this entry exists */
    if ĉ ≠ c then abort else h* ← h
    if σ* = h*^d mod n then return 1 else return 0

    function Oracle Queries(A, view)
        for i = 1, ..., q_h do
            m_i ← A(view)
            if i = ĉ then HList ← HList ∪ {(i, m_i, ·, y)}, view ← view ∪ {y}
            else h_i ← Hash Oracle(m_i), view ← view ∪ {h_i}
            if j < q_s then possibly do σ_i ← Signing Oracle(m_i), view ← view ∪ {σ_i}, j ← j + 1

    function Hash Oracle(m)
        if (·, m, ·, h) ∈ HList then return h
        else x ←R Z_n^*, h ← x^e mod n, HList ← HList ∪ {(i, m, x, h)}, return h

    function Signing Oracle(m)
        h ← Hash Oracle(m), search for (·, ·, x, h) ∈ HList, σ ← x, return σ

11 A Better Security Bound for the Full-Domain Hash

11.1 Preliminaries

In Section 10 we described the FDH signature scheme and proved its security. For the reasons detailed in Section 10.2 the bound was not satisfactory. In this section we introduce a better bound, proposed by Coron in [9].

Theorem 3. Let $A$ be an adversary performing a chosen-message attack against the Full Domain Hash in the random oracle model, with security parameter $k$. Let $q_s$ and $q_h$ denote the number of queries made by $A$ to the signing oracle and to the hash oracle respectively. Let $\mathrm{Succ}^{\mathrm{euf}}_{\mathrm{fdh}}(A)$ be the success probability of $A$ to produce an existential forgery in time $t$. Then there exists an adversary $A'$ that breaks the one-wayness of RSA with probability of success $\mathrm{Succ}^{\mathrm{ow}}_{\mathrm{rsa}}(A')$ in time $t'$ where
$$\mathrm{Succ}^{\mathrm{ow}}_{\mathrm{rsa}}(A') = \frac{1}{1+q_s}\Bigl(1 - \frac{1}{1+q_s}\Bigr)^{q_s}\,\mathrm{Succ}^{\mathrm{euf}}_{\mathrm{fdh}}(A) \approx \frac{1}{q_s\,\mathrm{e}}\,\mathrm{Succ}^{\mathrm{euf}}_{\mathrm{fdh}}(A) \quad\text{and}\quad t' = t + q_h \cdot O(k^3),$$
where $\mathrm{e} = \exp(1)$ and the approximation holds for large $q_s$.

11.2 Proof of Theorem 3

Games 0, 1, and 2 are almost the same in this proof as in the one of Theorem 2. The only difference is that the list HList contains elements that are different from those that were stored in the previous proof: each entry is now a quadruple $(m, h, s, t)$. The first two elements naturally correspond to a message and to its image by $H$. The next two will be clarified in Game 3; they are always set to $\cdot$ in Games 0, 1, and 2.
Game 3: In the previous proof, the challenge $y$ was introduced only once, at a specific index. Here, for each new hash query, we introduce it with probability $p$ (to be fixed later): we draw $s \leftarrow_R \mathbb{Z}_n^*$ and answer $h \leftarrow y \cdot s^e \bmod n$, recording $t \leftarrow 1$. With probability $1 - p$ we instead answer $h \leftarrow s^e \bmod n$, a value with known preimage $s$, recording $t \leftarrow 0$. In both cases, the value returned by Hash Oracle is a uniformly distributed random element of $\mathbb{Z}_n^*$ (multiplication by $y$ and the $e$-th power are bijections of $\mathbb{Z}_n^*$), just as in Game 2, and the bit $t$ is independent of the adversary's view. Consequently,
$$P[S_3] = P[S_2]. \qquad (21)$$

    (n, e, d) ← RSA(1^k), HList ← ∅, i, j ← 0, y ←R Z_n^*            /* Global Vars */
    view ← {n, e}
    Oracle Queries(A, view)
    (m*, σ*) ← A(view)
    if (m*, h, ·, ·) ∈ HList then h* ← h else h* ←R Z_n^*
    if σ* = h*^d mod n then return 1 else return 0

    function Oracle Queries(A, view)
        for i = 1, ..., q_h do
            m_i ← A(view)
            h_i ← Hash Oracle(m_i), view ← view ∪ {h_i}
            if j < q_s then possibly do σ_i ← Signing Oracle(m_i), view ← view ∪ {σ_i}, j ← j + 1

    function Hash Oracle(m)
        if (m, h, ·, ·) ∈ HList then return h
        else s ←R Z_n^*
             with probability p: h ← y · s^e mod n and t ← 1, otherwise: h ← s^e mod n and t ← 0
             HList ← HList ∪ {(m, h, s, t)}, return h

    function Signing Oracle(m)
        h ← Hash Oracle(m), σ ← h^d mod n, return σ

Game 4: We first note that if $m^*$ cannot be found in HList, then the advantage of the adversary is necessarily negligible, as his/her guess $\sigma^*$ is compared to a fresh random value. Consequently, we assume in this game that $m^*$ can always be found in the list. This will simplify the analysis of Game 5.

Now the tricky part. For the signing queries whose hash value was generated with $t = 0$ (a proportion $1 - p$ of them), it is now possible to simulate the signing oracle without the knowledge of the secret key, since $s^e = h$ means that $s$ is exactly the signature of $m$. Games 3 and 4 are identical unless Game 4 aborts (an event that we denote $F$), i.e., unless $t = 1$ for one of the $q_s$ signing oracle queries. As the bits $t$ are independent of the adversary's view and equal 1 with probability $p$ each, we have
$$P[S_4] = P[\neg F \wedge S_3] = P[\neg F] \cdot P[S_3] = (1 - p)^{q_s}\,P[S_3]. \qquad (22)$$

    (n, e, d) ← RSA(1^k), HList ← ∅, i, j ← 0, y ←R Z_n^*            /* Global Vars */
    view ← {n, e}
    Oracle Queries(A, view)
    (m*, σ*) ← A(view)
    search for (m*, h, ·, ·) ∈ HList and set h* ← h                   /* we assumed that this entry exists */
    if σ* = h*^d mod n then return 1 else return 0

    function Signing Oracle(m)
        search for (m, h, s, t) ∈ HList for some h, s, t
        if t = 1 then abort else σ ← s
        return σ

    (Oracle Queries and Hash Oracle are unchanged from Game 3.)

Game 5: We add a last modification at the end of the game. If the final lookup of $m^*$ returns a tuple such that $t = 0$, we abort the game (an event that we denote $F'$). As $t = 0$ with probability $1 - p$, independently of the rest of the game,
$$P[S_5] = P[\neg F' \wedge S_4] = P[\neg F'] \cdot P[S_4] = p \cdot P[S_4]. \qquad (23)$$
In this last game, the simulation can be performed without the knowledge of the secret key (except for the last verification step, of course). Note also that when Game 5 outputs 1, it is easy to find the preimage $x$ of $y$: in that case $\sigma^* = (h^*)^d$ and $h^* = y \cdot s^e$, so that
$$x = y^d = (h^*)^d / s^{ed} = \sigma^* / s \pmod n.$$
This game thus provides a description of a valid adversary $A'$ that breaks the one-wayness (ow) of RSA by use of $A$, so that we can write
$$P[S_5] = \mathrm{Succ}^{\mathrm{ow}}_{\mathrm{rsa}}(A'). \qquad (24)$$
This adversary performs $q_h$ encryptions (using the public key) and thus runs in time $t' = t + q_h \cdot O(k^3)$. From equations (13), (14), (15), (21), (22), (23), and (24), we obtain
$$\mathrm{Succ}^{\mathrm{ow}}_{\mathrm{rsa}}(A') = p\,(1 - p)^{q_s}\,\mathrm{Succ}^{\mathrm{euf}}_{\mathrm{fdh}}(A).$$
The best success probability of adversary $A'$ is obtained by maximizing $p(1-p)^{q_s}$ over $p \in (0,1)$: its derivative is $(1-p)^{q_s - 1}\bigl(1 - (1 + q_s)\,p\bigr)$, which vanishes at $p = \frac{1}{1 + q_s}$. With this choice we obtain
$$\mathrm{Succ}^{\mathrm{ow}}_{\mathrm{rsa}}(A') = \frac{1}{1 + q_s}\Bigl(1 - \frac{1}{1 + q_s}\Bigr)^{q_s}\,\mathrm{Succ}^{\mathrm{euf}}_{\mathrm{fdh}}(A).$$
When $q_s$ is large, $(1 - \frac{1}{1+q_s})^{q_s} \to \mathrm{e}^{-1}$, so this can be approximated by
$$\mathrm{Succ}^{\mathrm{ow}}_{\mathrm{rsa}}(A') \approx \frac{1}{q_s\,\mathrm{e}}\,\mathrm{Succ}^{\mathrm{euf}}_{\mathrm{fdh}}(A),$$
where $\mathrm{e} = \exp(1)$.
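To make the objects of Sections 10 and 11 concrete, here is an added worked example in Python; it is not code from these notes, from Bellare and Rogaway, or from Coron. It implements FDH over a toy RSA key (two known Mersenne primes giving a 92-bit modulus, an assumption chosen so the example runs instantly, not for security), a full-domain hash built from SHA-256 with a counter and rejection sampling into $\mathbb{Z}_n^*$ (the notes model $H$ as a random oracle and fix no construction), and the simulator $A'$ of Games 3 to 5 above: every new hash value is either $y \cdot s^e$ (with probability $p$, $t = 1$) or $s^e$ (with $t = 0$), signing queries are answered with the stored $s$ and abort when $t = 1$, and a forgery on a $t = 1$ entry is turned into $y^d = \sigma^*/s$. Since no real forger is known, the stand-in forger cheats with the secret exponent; its only role is to exercise the query pattern of Game 2 so that the extraction step can be checked.

```python
"""FDH signatures over RSA and Coron's simulator (added example, not from the notes)."""
import hashlib
import math
import random

# Toy RSA key (assumption): two known Mersenne primes give a 92-bit modulus, far too
# small for real use but enough to exercise the algebra of the reduction.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
PK, SK = (N, E), (N, D)


def full_domain_hash(m: bytes, n: int) -> int:
    """H : {0,1}^* -> Z_n^* from SHA-256 plus a counter (assumption: the notes fix no
    construction). Rejection sampling keeps the output uniform over Z_n^*, which a
    plain 'digest mod n' would not."""
    nbits, ctr = n.bit_length(), 0
    while True:
        buf = b""
        while 8 * len(buf) < nbits:
            buf += hashlib.sha256(ctr.to_bytes(4, "big") + m).digest()
            ctr += 1
        h = int.from_bytes(buf, "big") & ((1 << nbits) - 1)
        if 0 < h < n and math.gcd(h, n) == 1:
            return h


def sign(m: bytes, sk=SK) -> int:
    n, d = sk
    return pow(full_domain_hash(m, n), d, n)          # sigma = H(m)^d mod n


def verify(m: bytes, sigma: int, pk=PK) -> bool:
    n, e = pk
    return pow(sigma, e, n) == full_domain_hash(m, n)  # sigma^e mod n == H(m)


class CoronSimulator:
    """The adversary A' of Games 3-5: given (n, e) and a challenge y, it answers A's
    hash and signing queries without d and turns a forgery into y^d mod n."""

    def __init__(self, pk, y, p, rng):
        self.n, self.e = pk
        self.y, self.p, self.rng = y, p, rng
        self.hlist = {}  # m -> (h, s, t): the HList entries of the proof

    def hash_oracle(self, m):
        if m not in self.hlist:
            n, e = self.n, self.e
            s = self.rng.randrange(1, n)
            while math.gcd(s, n) != 1:
                s = self.rng.randrange(1, n)
            if self.rng.random() < self.p:   # embed the challenge: h = y * s^e, t = 1
                self.hlist[m] = (self.y * pow(s, e, n) % n, s, 1)
            else:                             # known preimage: h = s^e, t = 0
                self.hlist[m] = (pow(s, e, n), s, 0)
        return self.hlist[m][0]

    def signing_oracle(self, m):
        self.hash_oracle(m)
        h, s, t = self.hlist[m]
        if t == 1:   # Game 4: no preimage of y is known, the simulation must abort
            raise RuntimeError("abort")
        return s     # s^e = h, so s is exactly the FDH signature of m

    def extract(self, m_star, sigma_star):
        """Game 5: a valid forgery on an entry with t = 1 gives y^d = sigma*/s mod n."""
        if m_star not in self.hlist:
            return None
        h, s, t = self.hlist[m_star]
        if t == 0 or pow(sigma_star, self.e, self.n) != h:
            return None
        return sigma_star * pow(s, -1, self.n) % self.n


def stand_in_forger(sim, q_s):
    """Constructed stand-in for A: it cheats with the secret exponent D (so it is not an
    attack) and only reproduces the Game 2 pattern: hash, sign q_s messages, forge."""
    msgs = [b"message %d" % i for i in range(q_s + 3)]
    for m in msgs:
        sim.hash_oracle(m)
    for m in msgs[:q_s]:
        sim.signing_oracle(m)          # may abort, exactly as in Game 4
    m_star = msgs[-1]                  # never signed: a legitimate existential forgery
    return m_star, pow(sim.hash_oracle(m_star), D, sim.n)


def run_reduction(seed, q_s=2):
    """One run of A' with p = 1/(1+q_s); returns (y, x) with x^e = y, or (y, None)."""
    rng = random.Random(seed)
    y = rng.randrange(2, N)
    sim = CoronSimulator(PK, y, 1 / (1 + q_s), rng)
    try:
        m_star, sigma_star = stand_in_forger(sim, q_s)
    except RuntimeError:
        return y, None
    return y, sim.extract(m_star, sigma_star)


def run_until_success(q_s=2, max_seeds=500):
    for seed in range(max_seeds):
        y, x = run_reduction(seed, q_s)
        if x is not None:
            return y, x
    return None, None


def success_bound(q_s, p=None):
    """p (1-p)^{q_s} from the proof, at the optimum p = 1/(1+q_s) by default."""
    p = 1 / (1 + q_s) if p is None else p
    return p * (1 - p) ** q_s
```

run_until_success() retries fresh seeds until a run neither aborts in the signing oracle nor lands on a $t = 0$ entry for $m^*$; with $q_s = 2$ and $p = 1/3$ this happens with probability $p(1-p)^{q_s} = 4/27$ per run, which is exactly the quantity success_bound computes and the proof optimizes. The recovered x satisfies pow(x, E, N) == y, the one-wayness break the theorem promises, and the simulator never touched D.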
    (n, e, d) ← RSA(1^k), HList ← ∅, i, j ← 0, y ←R Z_n^*            /* Global Vars */
    view ← {n, e}
    Oracle Queries(A, view)
    (m*, σ*) ← A(view)
    search for (m*, h, s, t) ∈ HList; if t = 0 then abort else h* ← h
    if σ* = h*^d mod n then return 1 else return 0

    function Oracle Queries(A, view)
        for i = 1, ..., q_h do
            m_i ← A(view)
            h_i ← Hash Oracle(m_i), view ← view ∪ {h_i}
            if j < q_s then possibly do σ_i ← Signing Oracle(m_i), view ← view ∪ {σ_i}, j ← j + 1

    function Hash Oracle(m)
        if (m, h, ·, ·) ∈ HList then return h
        else s ←R Z_n^*
             with probability p: h ← y · s^e mod n and t ← 1, otherwise: h ← s^e mod n and t ← 0
             HList ← HList ∪ {(m, h, s, t)}, return h

    function Signing Oracle(m)
        search for (m, h, s, t) ∈ HList for some h, s, t
        if t = 1 then abort else σ ← s
        return σ

12 OAEP+

OAEP is a public-key encryption scheme introduced by Bellare and Rogaway in [4]. Although very efficient, this scheme suffers from the fact that it is not provably secure against adaptive chosen ciphertext attacks for an arbitrary trapdoor permutation. Shoup shows in [28, 29] that no proof is attainable for the general OAEP scheme by only assuming the one-wayness of the underlying trapdoor permutation, even in the random oracle model. Yet, he proves that when the underlying trapdoor permutation is RSA with a public exponent equal to 3, then the construction is secure (a result that is extended in [12] to any public exponent). To obtain a scheme that is provably secure under the one-wayness assumption alone, for any trapdoor permutation, Shoup introduces the OAEP+ public-key encryption scheme.

12.1 Preliminaries

OAEP+ is based on a one-way trapdoor permutation $f_{pk} : \{0,1\}^k \to \{0,1\}^k$, its inverse being $f^{-1}_{sk}$. Let $k_0$ and $k_1$ be two parameters that satisfy $k_0 + k_1 < k$ and such that $2^{-k_0}$ and $2^{-k_1}$ are negligible. The scheme encrypts messages $x \in \{0,1\}^n$ where $n = k - k_0 - k_1$. It makes use of three hash functions (that will be modeled in the proofs as random oracles):
$$G : \{0,1\}^{k_0} \to \{0,1\}^n, \qquad H' : \{0,1\}^{n + k_0} \to \{0,1\}^{k_1}, \qquad H : \{0,1\}^{n + k_1} \to \{0,1\}^{k_0}.$$

Key Generation: On input the security parameter, the key generation algorithm produces a public/private key pair $(pk, sk)$, defining the public permutation $f_{pk}$ and its inverse $f^{-1}_{sk}$.
Encryption: Given a plaintext $x \in \{0,1\}^n$, the encryption algorithm chooses $r \leftarrow_R \{0,1\}^{k_0}$ and computes
$$\begin{aligned}
s &\leftarrow (G(r) \oplus x) \,\|\, H'(r \,\|\, x) & (s \in \{0,1\}^{n + k_1}),\\
t &\leftarrow H(s) \oplus r & (t \in \{0,1\}^{k_0}),\\
w &\leftarrow s \,\|\, t & (w \in \{0,1\}^{k}),\\
y &\leftarrow f_{pk}(w) & (y \in \{0,1\}^{k}).
\end{aligned}$$
The ciphertext is $y$.

Decryption: On input $y \in \{0,1\}^k$, the decryption algorithm performs the following computations:
$$\begin{aligned}
w &\leftarrow f^{-1}_{sk}(y) & (w \in \{0,1\}^{k}),\\
s \,\|\, t &\leftarrow w & (s \in \{0,1\}^{n + k_1},\ t \in \{0,1\}^{k_0}),\\
r &\leftarrow H(s) \oplus t & (r \in \{0,1\}^{k_0}),\\
x &\leftarrow G(r) \oplus s[0 \,..\, n-1] & (x \in \{0,1\}^{n}),\\
c &\leftarrow s[n \,..\, n + k_1 - 1] & (c \in \{0,1\}^{k_1}).
\end{aligned}$$
If $c = H'(r \,\|\, x)$, the algorithm outputs the cleartext $x$; otherwise, the algorithm rejects the ciphertext and does not output a cleartext. (In the original OAEP the $k_1$ redundancy bits of $s$ are a constant $0^{k_1}$; OAEP+ binds them to $r$ and $x$ through $H'$.)

Theorem 4. If the underlying trapdoor permutation $f$ is one-way (ow), then OAEP+ is secure against adaptive chosen ciphertext attack in the random oracle model.

12.2 Proof of Theorem 4

Throughout this proof, $S_i$ always denotes the event that Game $i$ returns 1. Moreover we note that, during the decryption process, $H'$ is always queried at points of the form $r \,\|\, x$ where $x = G(r) \oplus s[0 \,..\, n-1]$. Consequently, an efficient adversary would not query $H'$ at a point $r \,\|\, x$ without at least querying $G(r)$ first (otherwise, the probability that the $H'$ query makes any sense would be negligible). In the proof, we thus assume that whenever a query of the form $H'(r \,\|\, x)$ is made by the adversary $A$, then $A$ has previously made the query $G(r)$.

Game 0: This is the original attack game against the encryption scheme. It is represented on page 23. In this game we let $\mathcal{G} = \{g : \{0,1\}^{k_0} \to \{0,1\}^n\}$, $\mathcal{H}' = \{h' : \{0,1\}^{n + k_0} \to \{0,1\}^{k_1}\}$, and $\mathcal{H} = \{h : \{0,1\}^{n + k_1} \to \{0,1\}^{k_0}\}$ be the sets from which $G$, $H'$ and $H$ are drawn. We have
$$\mathrm{Succ}^{\mathrm{cca}}_{\mathrm{oaep+}}(A) = P[S_0] - 1/2. \qquad (25)$$

Game 0′: We adopt the (by now) well known lazy-sampling technique for $G$, $H'$ and $H$. Obviously,
$$P[S_{0'}] = P[S_0]. \qquad (26)$$
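The encryption and decryption procedures above, as an added Python example (not Shoup's code, nor the notes'). It instantiates $f_{pk}$ with a toy RSA permutation on $k$-bit inputs, an assumption: the notes take a generic trapdoor permutation on $\{0,1\}^k$, whereas here $2^k < N$ so the ciphertext is an element of $\mathbb{Z}_N$ and decryption rejects any $w$ that does not fit in $k$ bits. $G$, $H'$ and $H$ are instantiated with domain-separated SHA-256, and the sizes $k = 144$, $k_0 = 32$, $k_1 = 64$ are demo parameters only (the modulus is built from two known Mersenne primes and is far too small for real use).

```python
"""OAEP+ encryption and decryption (added example, not Shoup's or the notes' code)."""
import hashlib
import os

# Toy sizes (assumption): k = 144, k0 = 32, k1 = 64 bits, hence n = 48-bit messages.
# Real deployments need k0, k1 large enough that 2^-k0 and 2^-k1 are negligible.
K_BYTES, K0_BYTES, K1_BYTES = 18, 4, 8
N_BYTES = K_BYTES - K0_BYTES - K1_BYTES

# Toy trapdoor permutation f_pk (assumption): RSA on k-bit inputs with 2^k < N, so a
# ciphertext is an element of Z_N rather than a k-bit string as in the notes.
P, Q = (1 << 61) - 1, (1 << 89) - 1          # known Mersenne primes, demo size only
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
assert (1 << (8 * K_BYTES)) < N


def _oracle(label: bytes, data: bytes, out_len: int) -> bytes:
    """G, H' and H from SHA-256 with domain separation (assumption: the notes model them
    as random oracles). Every output here is at most 32 bytes, so one digest suffices."""
    return hashlib.sha256(label + data).digest()[:out_len]


def G(r: bytes) -> bytes:          # {0,1}^{k0} -> {0,1}^n
    return _oracle(b"G", r, N_BYTES)


def H_prime(rx: bytes) -> bytes:   # {0,1}^{n+k0} -> {0,1}^{k1}
    return _oracle(b"H'", rx, K1_BYTES)


def H(s: bytes) -> bytes:          # {0,1}^{n+k1} -> {0,1}^{k0}
    return _oracle(b"H", s, K0_BYTES)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


def f_pk(w: bytes) -> int:
    return pow(int.from_bytes(w, "big"), E, N)


def f_sk_inverse(y: int) -> int:
    return pow(y, D, N)


def encrypt(x: bytes, r: bytes = None) -> int:
    """OAEP+ encryption of an n-bit message x; r is the k0-bit random seed."""
    if len(x) != N_BYTES:
        raise ValueError("message must be exactly n bits")
    r = os.urandom(K0_BYTES) if r is None else r
    s = xor(G(r), x) + H_prime(r + x)    # s = (G(r) xor x) || H'(r || x), n + k1 bits
    t = xor(H(s), r)                     # t = H(s) xor r, k0 bits
    return f_pk(s + t)                   # y = f_pk(s || t)


def decrypt(y: int):
    """OAEP+ decryption; returns the plaintext, or None when the ciphertext is rejected."""
    w_int = f_sk_inverse(y)
    if w_int >> (8 * K_BYTES):           # w must be a k-bit string under our RSA f_pk
        return None
    w = w_int.to_bytes(K_BYTES, "big")
    s, t = w[:N_BYTES + K1_BYTES], w[N_BYTES + K1_BYTES:]
    r = xor(H(s), t)
    x = xor(G(r), s[:N_BYTES])
    c = s[N_BYTES:]
    # OAEP+ redundancy check: c must equal H'(r || x) (plain OAEP compares c to 0^{k1}).
    return x if c == H_prime(r + x) else None
```

decrypt returns None whenever the redundancy check fails, which is the OAEP+ change relative to OAEP: the $k_1$ redundancy bits are $H'(r \,\|\, x)$ rather than a constant, so a ciphertext whose $w$ was not produced by encrypt passes the check only with probability about $2^{-k_1}$. This is also the behaviour the proof relies on when it argues that $H'$ is only ever queried at points $r \,\|\, x$ with $x = G(r) \oplus s[0..n-1]$.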
10/04/18. P [P(x)] 1 negl(n).
Mastemath, Sping 208 Into to Lattice lgs & Cypto Lectue 0 0/04/8 Lectues: D. Dadush, L. Ducas Scibe: K. de Boe Intoduction In this lectue, we will teat two main pats. Duing the fist pat we continue the
More informationSecret Exponent Attacks on RSA-type Schemes with Moduli N = p r q
Secet Exponent Attacks on RSA-type Schemes with Moduli N = p q Alexande May Faculty of Compute Science, Electical Engineeing and Mathematics Univesity of Padebon 33102 Padebon, Gemany alexx@uni-padebon.de
More informationSome RSA-based Encryption Schemes with Tight Security Reduction
Some RSA-based Encyption Schemes with Tight Secuity Reduction Kaou Kuosawa 1 and Tsuyoshi Takagi 2 1 Ibaaki Univesity, 4-12-1 Nakanausawa, Hitachi, Ibaaki, 316-8511, Japan kuosawa@cis.ibaaki.ac.jp 2 Technische
More informationLecture 25: Pairing Based Cryptography
6.897 Special Topics in Cyptogaphy Instucto: Ran Canetti May 5, 2004 Lectue 25: Paiing Based Cyptogaphy Scibe: Ben Adida 1 Intoduction The field of Paiing Based Cyptogaphy has exploded ove the past 3 yeas
More informationProbablistically Checkable Proofs
Lectue 12 Pobablistically Checkable Poofs May 13, 2004 Lectue: Paul Beame Notes: Chis Re 12.1 Pobablisitically Checkable Poofs Oveview We know that IP = PSPACE. This means thee is an inteactive potocol
More informationSurveillance Points in High Dimensional Spaces
Société de Calcul Mathématique SA Tools fo decision help since 995 Suveillance Points in High Dimensional Spaces by Benad Beauzamy Januay 06 Abstact Let us conside any compute softwae, elying upon a lage
More informationE E E. Aggelos Kiayias. Cryptography. Primitives and Protocols. Based on notes by S. Pehlivanoglu, J. Todd, K. Samari, T. Zacharias and H.S.
P1 P2 P3 E E E IV C1 C2 C3 Aggelos Kiayias Cyptogaphy Pimitives and Potocols Based on notes by S. Pehlivanoglu, J. Todd, K. Samai, T. Zachaias and H.S. Zhou CONTENTS 1 Contents 1 Intoduction 4 1.1 Flipping
More informationThe Substring Search Problem
The Substing Seach Poblem One algoithm which is used in a vaiety of applications is the family of substing seach algoithms. These algoithms allow a use to detemine if, given two chaacte stings, one is
More informationA Bijective Approach to the Permutational Power of a Priority Queue
A Bijective Appoach to the Pemutational Powe of a Pioity Queue Ia M. Gessel Kuang-Yeh Wang Depatment of Mathematics Bandeis Univesity Waltham, MA 02254-9110 Abstact A pioity queue tansfoms an input pemutation
More informationLecture 28: Convergence of Random Variables and Related Theorems
EE50: Pobability Foundations fo Electical Enginees July-Novembe 205 Lectue 28: Convegence of Random Vaiables and Related Theoems Lectue:. Kishna Jagannathan Scibe: Gopal, Sudhasan, Ajay, Swamy, Kolla An
More informationStanford University CS259Q: Quantum Computing Handout 8 Luca Trevisan October 18, 2012
Stanfod Univesity CS59Q: Quantum Computing Handout 8 Luca Tevisan Octobe 8, 0 Lectue 8 In which we use the quantum Fouie tansfom to solve the peiod-finding poblem. The Peiod Finding Poblem Let f : {0,...,
More informationCryptography. Primitives and Protocols. Aggelos Kiayias
P1 P2 P3 E E E IV C1 C2 C3 Aggelos Kiayias Cyptogaphy Pimitives and Potocols Based on notes by G. Panagiotakos, S. Pehlivanoglu, J. Todd, K. Samai, T. Zachaias and H.S. Zhou CONTENTS 1 Contents 1 Intoduction
More informationCryptography. Lecture 11. Arpita Patra
Cptogaph Lectue Apita Pata Geneic Results in PK Wold CPA Secuit CCA Secuit Bit Encption Man-bit Encption Bit Encption Man-Bit Encption Π CPA-secue KEM Π SKE COA-secue SKE Π Hb CPA-secue Π CCA-secue KEM
More informationMath 301: The Erdős-Stone-Simonovitz Theorem and Extremal Numbers for Bipartite Graphs
Math 30: The Edős-Stone-Simonovitz Theoem and Extemal Numbes fo Bipatite Gaphs May Radcliffe The Edős-Stone-Simonovitz Theoem Recall, in class we poved Tuán s Gaph Theoem, namely Theoem Tuán s Theoem Let
More informationDesign and Analysis of Password-Based Key Derivation Functions
Design and Analysis of Passwod-Based Key Deivation Functions Fances F. Yao 1 and Yiqun Lisa Yin 2 1 Depatment of Compute Science City Univesity of Hong Kong Kowloon, Hong Kong Email: csfyao@cityu.edu.hk
More information6 PROBABILITY GENERATING FUNCTIONS
6 PROBABILITY GENERATING FUNCTIONS Cetain deivations pesented in this couse have been somewhat heavy on algeba. Fo example, detemining the expectation of the Binomial distibution (page 5.1 tuned out to
More informationE E E. Aggelos Kiayias. Cryptography. Primitives and Protocols. Notes by S. Pehlivanoglu, J. Todd, and H.S. Zhou
P1 P2 P3 E E E IV C1 C2 C3 Aggelos Kiayias Cyptogaphy Pimitives and Potocols Notes by S. Pehlivanoglu, J. Todd, and H.S. Zhou CONTENTS 1 Contents 2 1 Intoduction To begin discussing the basic popeties
More informationDesign and Analysis of Password-Based Key Derivation Functions
Design and Analysis of Passwod-Based Key Deivation Functions 245 Fances F. Yao 1 and Yiqun Lisa Yin 2 1 Depatment of Compute Science, City Univesity of Hong Kong, Kowloon, Hong Kong csfyao@cityu.edu.hk
More information16 Modeling a Language by a Markov Process
K. Pommeening, Language Statistics 80 16 Modeling a Language by a Makov Pocess Fo deiving theoetical esults a common model of language is the intepetation of texts as esults of Makov pocesses. This model
More information9.1 The multiplicative group of a finite field. Theorem 9.1. The multiplicative group F of a finite field is cyclic.
Chapte 9 Pimitive Roots 9.1 The multiplicative goup of a finite fld Theoem 9.1. The multiplicative goup F of a finite fld is cyclic. Remak: In paticula, if p is a pime then (Z/p) is cyclic. In fact, this
More informationON INDEPENDENT SETS IN PURELY ATOMIC PROBABILITY SPACES WITH GEOMETRIC DISTRIBUTION. 1. Introduction. 1 r r. r k for every set E A, E \ {0},
ON INDEPENDENT SETS IN PURELY ATOMIC PROBABILITY SPACES WITH GEOMETRIC DISTRIBUTION E. J. IONASCU and A. A. STANCU Abstact. We ae inteested in constucting concete independent events in puely atomic pobability
More informationConcurrent Blind Signatures without Random Oracles
Concuent Blind Signatues without Random Oacles Aggelos Kiayias Hong-Sheng Zhou Abstact We pesent a blind signatue scheme that is efficient and povably secue without andom oacles unde concuent attacks utilizing
More informationQIP Course 10: Quantum Factorization Algorithm (Part 3)
QIP Couse 10: Quantum Factoization Algoithm (Pat 3 Ryutaoh Matsumoto Nagoya Univesity, Japan Send you comments to yutaoh.matsumoto@nagoya-u.jp Septembe 2018 @ Tokyo Tech. Matsumoto (Nagoya U. QIP Couse
More informationThe Iterated Random Function Problem,
The Iteated Random Function Poblem, Ritam Bhaumik 1, ilanjan Datta 2, Avijit Dutta 1, icky Mouha 3,4, and Midul andi 1 1 Indian Statistical Institute, Kolkata, India. 2 Indian Institute of Technology,
More informationLecture 18: Graph Isomorphisms
INFR11102: Computational Complexity 22/11/2018 Lectue: Heng Guo Lectue 18: Gaph Isomophisms 1 An Athu-Melin potocol fo GNI Last time we gave a simple inteactive potocol fo GNI with pivate coins. We will
More informationNew problems in universal algebraic geometry illustrated by boolean equations
New poblems in univesal algebaic geomety illustated by boolean equations axiv:1611.00152v2 [math.ra] 25 Nov 2016 Atem N. Shevlyakov Novembe 28, 2016 Abstact We discuss new poblems in univesal algebaic
More informationNew Finding on Factoring Prime Power RSA Modulus N = p r q
Jounal of Mathematical Reseach with Applications Jul., 207, Vol. 37, o. 4, pp. 404 48 DOI:0.3770/j.issn:2095-265.207.04.003 Http://jme.dlut.edu.cn ew Finding on Factoing Pime Powe RSA Modulus = p q Sadiq
More information3.1 Random variables
3 Chapte III Random Vaiables 3 Random vaiables A sample space S may be difficult to descibe if the elements of S ae not numbes discuss how we can use a ule by which an element s of S may be associated
More informationChapter 3: Theory of Modular Arithmetic 38
Chapte 3: Theoy of Modula Aithmetic 38 Section D Chinese Remainde Theoem By the end of this section you will be able to pove the Chinese Remainde Theoem apply this theoem to solve simultaneous linea conguences
More informationC/CS/Phys C191 Shor s order (period) finding algorithm and factoring 11/12/14 Fall 2014 Lecture 22
C/CS/Phys C9 Sho s ode (peiod) finding algoithm and factoing /2/4 Fall 204 Lectue 22 With a fast algoithm fo the uantum Fouie Tansfom in hand, it is clea that many useful applications should be possible.
More informationKey Establishment Protocols. Cryptography CS 507 Erkay Savas Sabanci University
Key Establishment Potocols Cyptogaphy CS 507 Ekay Savas Sabanci Univesity ekays@sabanciuniv.edu Key distibution poblem Secuity of the keys Even if the cyptogaphic algoithms & potocols ae cyptogaphically
More informationNOTE. Some New Bounds for Cover-Free Families
Jounal of Combinatoial Theoy, Seies A 90, 224234 (2000) doi:10.1006jcta.1999.3036, available online at http:.idealibay.com on NOTE Some Ne Bounds fo Cove-Fee Families D. R. Stinson 1 and R. Wei Depatment
More informationLifting Private Information Retrieval from Two to any Number of Messages
Lifting Pivate Infomation Retieval fom Two to any umbe of Messages Rafael G.L. D Oliveia, Salim El Rouayheb ECE, Rutges Univesity, Piscataway, J Emails: d746@scaletmail.utges.edu, salim.elouayheb@utges.edu
More informationQuasi-Randomness and the Distribution of Copies of a Fixed Graph
Quasi-Randomness and the Distibution of Copies of a Fixed Gaph Asaf Shapia Abstact We show that if a gaph G has the popety that all subsets of vetices of size n/4 contain the coect numbe of tiangles one
More informationGoodness-of-fit for composite hypotheses.
Section 11 Goodness-of-fit fo composite hypotheses. Example. Let us conside a Matlab example. Let us geneate 50 obsevations fom N(1, 2): X=nomnd(1,2,50,1); Then, unning a chi-squaed goodness-of-fit test
More informationExploration of the three-person duel
Exploation of the thee-peson duel Andy Paish 15 August 2006 1 The duel Pictue a duel: two shootes facing one anothe, taking tuns fiing at one anothe, each with a fixed pobability of hitting his opponent.
More information6 Matrix Concentration Bounds
6 Matix Concentation Bounds Concentation bounds ae inequalities that bound pobabilities of deviations by a andom vaiable fom some value, often its mean. Infomally, they show the pobability that a andom
More information4/18/2005. Statistical Learning Theory
Statistical Leaning Theoy Statistical Leaning Theoy A model of supevised leaning consists of: a Envionment - Supplying a vecto x with a fixed but unknown pdf F x (x b Teache. It povides a desied esponse
More informationUnobserved Correlation in Ascending Auctions: Example And Extensions
Unobseved Coelation in Ascending Auctions: Example And Extensions Daniel Quint Univesity of Wisconsin Novembe 2009 Intoduction In pivate-value ascending auctions, the winning bidde s willingness to pay
More informationANA BERRIZBEITIA, LUIS A. MEDINA, ALEXANDER C. MOLL, VICTOR H. MOLL, AND LAINE NOBLE
THE p-adic VALUATION OF STIRLING NUMBERS ANA BERRIZBEITIA, LUIS A. MEDINA, ALEXANDER C. MOLL, VICTOR H. MOLL, AND LAINE NOBLE Abstact. Let p > 2 be a pime. The p-adic valuation of Stiling numbes of the
More informationAQI: Advanced Quantum Information Lecture 2 (Module 4): Order finding and factoring algorithms February 20, 2013
AQI: Advanced Quantum Infomation Lectue 2 (Module 4): Ode finding and factoing algoithms Febuay 20, 203 Lectue: D. Mak Tame (email: m.tame@impeial.ac.uk) Intoduction In the last lectue we looked at the