An Investigation of Some Forward Security Properties for PEKS and IBE
|
|
- Abel Holland
- 5 years ago
- Views:
Transcription
1 An Investigation of Some Forward Security Proerties for PEKS and IBE Qiang Tang APSIA grou, SnT, University of Luxemourg 6, rue Richard Coudenhove-Kalergi, L-359 Luxemourg Astract. In crytograhy, forward secrecy is a well-known roerty of key agreement rotocols. It ensures that a session key remains secure even if one of the long-term secret keys is comromised in the future. In this aer, we investigate some forward security roerties for Pulic-key Encrytion with Keyword Search (PEKS schemes, which allow a client to store encryted data and delegate search oerations to a server. The roosed roerties guarantee that the client s rivacy is rotected to the maximum extent when his rivate key is comromised. Motivated y the generic transformation from anonymous Identity-Based Encrytion (IBE to PEKS, we corresondingly roose some forward security roerties for IBE, in which case we assume the attacker learns the master secret key. We then study several existing PEKS and IBE schemes, including a PEKS scheme y Nishioka, an IBE scheme y Boneh, Raghunathan and Segev, and an IBE scheme y Arriaga, Tang and Ryan. Our analysis indicates that the roosed forward security roerties can e achieved y some of these schemes if the attacker is RO-non-adative (the attacker does not define its distriutions ased on the random oracle. Finally, we show how to extend the Boyen-Waters anonymous IBE scheme to achieve the forward security roerties for adative attackers. Introduction In the seminal work [8], Boneh et al. roosed the concet of Pulic-key Encrytion with Keyword Search (PEKS and formulated it as a crytograhic rimitive with four algorithms (KeyGen, Encryt, TraGen, Test. PEKS is a two-arty (i.e. client-server rimitive aiming at rotecting a client, say Alice s, rivacy in the following encryted routing scenario.. Alice runs a KeyGen algorithm to generate a ulic/rivate key air (PK, SK and ulishes PK. 2. When any user, say Bo, sends an to Alice, he can generate a tag Encryt(x, PK for a keyword x and attach it to the (the should e encryted indeendently and the detail is omitted here. In the view of the server, it has a list of s indexed y Encryt(x, PK, Encryt(x 2, PK, resectively. 3. If Alice wants to retrieve those s indexed with a keyword y, she sends a tradoor TraGen(y, SK to the server, which can then run an algorithm Test on the inut (TraGen(y, SK, Encryt(x i, PK for every i to figure out whether y = x i. As shown in this scenario, PEKS only suorts equality testing (or, exact matching of keywords. To suort more comlex search queries, a lot of extensions have een roosed. Among them, [3, 2, 22] suort search queries with conjunctive keywords, [3, 27] suort suset and range queries, and [23] suorts disjunctions, olynomial equations, and inner roducts. In contrast to the large numer of follow-u works to extend the PEKS functionality, very little has een done to investigate its full security caailities and the only few we know are [3, 4, 9 ].. Prolem Statement With a PEKS scheme imlemented, the server has a list of tags from message senders and a list of tradoors from the client. As a result of the desired search functionality, the server can categorize the tags and the tradoors into three grous. Grou : the tags, which do not match any tradoor. Grou 2: the tradoors, which do not match any tag. Grou 3: the tags and tradoors, which match at least one tradoor or tag.
2 The seminal work [8] and most of follow-us only considered the cihertext rivacy roerty, which catures the rivacy of keywords encryted y the tags in Grou. Boneh et al. [, ] introduced a new function rivacy roerty which catures rivacy of keywords encryted y the tags and tradoors in Grou 3. Arriaga, Tang, and Ryan [3, 4] introduced a new search attern rivacy roerty which catures the rivacy of keywords in the tradoors in Grou 2. Moreover, they showed that these roerties are not comatile with each other. Ideally, a PEKS scheme should rovide maximal rotection for the keywords in all three grous. In this work, we try to answer two questions.. Are the security roerties from [3, 4, 9 ] the strongest we can have? 2. How to construct PEKS schemes to achieve all roerties simultaneously? Interestingly, oth questions can also e asked against the extensions of PEKS (and searchale encrytion schemes in the symmetric-key setting as well. We leave this as a future work..2 Concerning the Entroy of Keywords With resect to PEKS and its extensions, there is a concern aout the low entroy nature of keywords. For examle, in the aforementioned routing examle, the entroy of keywords may not e very high. This makes eole wonder the racticality of rivacy roerties for PKES, articularly the function rivacy roerty [, ] and the search attern rivacy roerty [3, 4]. Nevertheless, we would like to argue that it makes a lot of sense to investigate the maximal level of security guarantees y PEKS. Theoretically, it is always interesting to study the strongest security roerties for a crytograhic rimitive. This has een done for many other rimitives, such as encrytion and signature schemes. Practically, it is not true that the keywords always have low entroy. When a PEKS scheme is deloyed, the underlying alication can always enrich the keyword set with some context information. For instance, instead of using the keyword confidential, the alication can use confidential-roject457. A more effective way to augment the entroy of keywords is using re-shared asswords etween some message senders and the client. An extra advantage of this aroach is that there is no need to store asswords given they are memorale. It is worth noting that augmenting the entroy of keywords may cause some efficiency issues (e.g. there may e several augmented keywords for the same keyword confidential, so that the client needs to generate several tradoors to search for all confidential s. We regard this as a natural tradeoff etween security and efficiency..3 Our Contriution Forward secrecy is a well-known roerty roosed for key agreement rotocols [8, 2], and it ensures that a session key remains secure even if one of the long-term secret keys is comromised in the future. This concet has also een alied to other rimitives, such as signature schemes [6]. Generally seaking, it is a valuale concet for all crytograhic rimitives that involve a long-term secret key. Firstly, we introduce two new forward-secure roerties for PEKS. One is forward-secure function rivacy, which aims at rotecting the keywords in matched tags and tradoors. The other is forwardsecure tradoor unlinkaility, which aims at rotecting the keywords in those tradoors which do not match any tags. These two roerties are augmented variants of those from [, ] and [3, 4] resectively. The augmentation lies not only in allowing the attacker to comromise the long-term secret key ut also in giving it more flexiility to define the keyword distriutions in the attack games. We then analyse a PEKS scheme y Nishioka [25] and show that it achieves our roerties for RO-nonadative attackers which can not choose its distriutions ased on the random oracle. Secondly, motivated y the fact that we can otain a PEKS scheme from an anonymous IBE scheme through a generic transformation [, 8], we introduce two new forward-secure roerties for IBE y giving the master secret key the attacker in the attack games. It is worth noting that this is different from the forward security concet given in [3], where the focus is on the key evolution and the attacker is given secret keys corresonding to some identities. These roerties directly lead to those forwardsecure roerties for PEKS as a result of the generic transformation. Similar to the case of PEKS, oth roerties are augmented variants of those from [, ] and [3, 4] resectively. We then analyse the IBE DLIN2 scheme y Boneh, Raghunathan and Segev [, ], and show that it does not achieve the forward secure function rivacy roerty. We also analyse an IBE scheme y Arriaga, Tang and Ryan [3, 4], and show that it achieves our roerties for RO-non-adative attackers. 2
3 Thirdly, we introduce the concet of deterministic scramler, which takes correlated random variales as inut and oututs indeendent random variales. By re-rocessing the identities with a deterministic scramler scheme, an IBE scheme automatically achieves the forward-secure function rivacy roerty against adative attackers. In contrast to the extract-augment-comine aroach from [, ], we do not need to tweak the encrytion and decrytion algorithms of the underlying IBE scheme. We then extend the Boyen-Waters anonymous IBE scheme [4] with comosite order ilinear grous and a deterministic scramler scheme, and show that the resulted scheme achieves our forward-secure roerties..4 Organization The rest of this aer is organized as follows. In Section 2, we resent reliminaries on notation and hardness assumtions. In Section 3, we resent an enhanced security model for PEKS with a focus on the forward security roerties, and analyse the Nishioka scheme. In Section 4, we roose some forward security roerties for IBE. In Section 5, we analyse two IBE schemes y Boneh, Raghunathan and Segev, and an IBE scheme y Arriaga, Tang and Ryan. In Section 6, we introduce the concet of deterministic scramler and extend the Boyen-Waters Scheme. In Section 7, we resent some remarks. 2 Preliminary 2. Notation x y means the concatenation of x and y, P.P.T. stands for roailistic olynomial time. x A O,O 2, (m, m 2, means that x is the outut of the algorithm A which runs with the inut m, m 2, and has access to oracles O, O 2,. When X is a set, x X means that x is chosen from X uniformly at random, and X means the size of X. When D is a distriution on the set X, x D X means that x is a value samled from X according to D. We use old letter, such as X, to denote a vector or matrix. Given a vector X, we use X (i to denote the i-th element in the vector. When g is a grou element, we use g X to denote a new vector or matrix, whose elements are exonentiations of the corresonding elements in X. For two vectors (or matrices Y and Z whose elements are from a grou, we use Y Z to denote the new vector (or matrix after airwise grou oerations. A function P(λ : Z R is said to e negligile with resect to λ if, for every olynomial f (λ, there exists an integer N f such that P(λ < f (λ for all λ N f. When P(λ is negligile, then we say P(λ is overwhelming. A random variale V has min-entroy λ, denoted as H (V = λ, if max v Pr[V = v] = 2 λ, or equivalently λ = log max v Pr[V = v]. If V has min-entroy at least λ, then V is a λ source. Given two random variales V and W, the conditional min-entroy of V with resect to W is defined to e min w H (V W = w, or equivalently log max v,w Pr[V = v W = w]. 2.2 Pairing over Prime-order Grous A rime-order ilinear grou generator is an algorithm G P that takes as inut a security arameter λ and oututs a descrition Γ = (, G, G T, ê, g where: G and G T are grous of rime-order with efficiently-comutale grou laws. g is a randomly-chosen generator of G. ê is an efficiently-comutale ilinear airing ê : G G G T, i.e., a ma satisfying the following roerties: Bilinearity: ê(g a, g = ê(g, g a for all a, Z ; Non-degeneracy: ê(g, g. We say the DLIN (Decision Linear assumtion [7] holds if, for every P.P.T. attacker A, its advantage Pr[ = ] 2 is negligile in the game, defined in Fig.. 3
4 . Γ = (, G, G T, ê, g G P (λ 2. z, z 2, z 3, z 4, r Z 3. X = (Γ, g z, g z 2, g z z 3, g z 2z 4, g z 3+z 4 X = (Γ, g z, g z 2, g z z 3, g z 2z 4, g r 4. R {, } 5. A(X Fig.. DLIN Assumtion 2.3 Pairing over Comosite-order Grous A comosite-order ilinear grou generator is an algorithm G C that takes as inut a security arameter λ and oututs a descrition Γ = (, q, G, G T, ê, g, g q where: G and G T are grous of order n = q, where and q are rimes, with efficiently comutale grou laws. g is a randomly-chosen generator of the sugrou G of order, and g q is a randomly-chosen generator of the sugrou G q of order q. ê is an efficiently-comutale ilinear airing ê : G G G T, i.e., a ma satisfying the following roerties for g G: Bilinearity: ê(g a, g = ê(g, g a for all a, Z q ; Non-degeneracy: ê(g, g. It is worth noting that, instead of setting the order of G to e q, we can require G C to set the order to e the roduct of multile rime numers, e.g. [23 25]. Let Γ = (, q, G, G T, ê, g, g q e the outut y G C (λ, and Γ = (q, G, G T, ê, g, g q. We say the Comosite-DDH assumtion [3, 4] holds if, for every P.P.T. attacker A, its advantage Pr[ = ] 2 is negligile in the game, defined in Fig. 2.. Γ = (, q, G, G T, ê, g, g q G C (λ 2. a, a 2,, 2, 3, r Z q 3. Γ = (q, G, G T, ê, g, g q 4. X = (Γ, g a g q, g a 2 g 2 q, g a a 2 g 3 q X = (Γ, g a g q, g a 2 g 2 q, g r g 3 q 5. R {, } 6. A(X Fig. 2. Comosite-DDH assumtion. Γ = (, q, G, G T, ê, g, g q G C (λ 2. a, a 2, a 3,, 2, 3, 4, r Z q 3. Γ = (q, G, G T, ê, g, g q 4. X = (Γ, g a g q, g a 2 g 2 q, g a a 3 g 3 q, g a 2a 3 g 4 q X = (Γ, g a g q, g a 2 g 2 q, g a a 3 g 3 q, g r g 4 q 5. R {, } 6. A(X Fig. 3. Weak Comosite-DDH assumtion We say the Weak Comosite-DDH assumtion holds if, for every P.P.T. attacker A, its advantage Pr[ = ] 2 is negligile in the game, defined in Fig. 3. Both assumtions are strictly weaker than the C3DH assumtion y Boneh and Waters [3]. 2.4 New Assumtions In [5], Canetti roosed the DDH-II assumtion which differs from the standard DDH assumtion in that one exonent is chosen from a wide sread distriution instead of a uniform one. Damgård, Hazay and, Zottarel [7] showed that this assumtion holds in the generic grou model, and stated that it is a useful tool in leakage resilient crytograhy. Next, we introduce an analog assumtion for ilinear grous. The hilosohy is similar to the case of Comosite-DDH: although it is trivial to solve DDH-II rolem in ilinear grous, adding an additional layer of randomization makes it difficult even with the hel of the ilinear ma. Formally, we say the Comosite-DDH-II assumtion holds if, for every P.P.T. attacker A, its advantage Pr[ = ] 2 is negligile in the game, defined in Fig. 4. In the game, the distriution D from the attacker should guarantee that a has min-entroy not smaller than λ, i.e. a is wide sread according to Canetti [5]. 4
5 . Γ = (, q, G, G T, ê, g, g, g q G C (λ 2. Γ = (q, G, G T, ê, g, g, g q 3. D A(Γ 4. a D Z 5., s, s 2, s 3, r Z q 6. X = (Γ, g a g s q, g g s 2 q, g a g s 3 q X = (Γ, g a g s q, g g s 2 q, g r g s 3 q 7. R {, } 8. A(X, D. Γ = (, q, G, G T, ê, g, g, g q G C (λ 2. Γ = (q, G, G T, ê, g, g, g q 3. D A(Γ 4. (a,, a L D Z L 5., L, r,, r L, s,, s L, t,, t L Z q 6. X = (Γ, g g s q, g a g t q,, g L g s L q, g a L L g t L q X = (Γ, g g s q, g r g t q,, g L 7. R {, } 8. A(X, D g t L q, g r L g t L q Fig. 4. Comosite-DDH-II assumtion Fig. 5. Correlated Comosite-DDH-II assumtion Further, we say the Correlated Comosite-DDH-II assumtion holds if, for every P.P.T. attacker A, its advantage Pr[ = ] 2 is negligile in the game, defined in Fig. 5. In the game, the distriution D from the attacker should guarantee that a i for any i L has min-entroy not smaller than λ. Comared to the Comosite-DDH-II assumtion, on one hand the values g a,, g a L are not given to the attacker (not even in the randomized form, ut on the other hand the attacker is given multile incomlete DH airs. As to these two new assumtions, it is not clear how to reduce one to the other. Nevertheless, we have the following lemma. The roof is in Aendix I. Lemma. Suose any P.P.T. attacker has at most the advantage ϵ in the Comosite-DDH-II assumtion. Then, any P.P.T. attacker has at most the advantage L ϵ in the Correlated Comosite-DDH-II assumtion in the following two scenarios.. a, a 2,, a L are indeendent according to D. 2. a = a 2 = = a L according to D. It is unclear how to reduce these two assumtions to existing standard assumtions. Nevertheless, we can rove their security in the generic grou model, as what have een done for the DDH-II assumtion in [7]. The roof will aear in the full version of this aer. 3 Forward Security Proerties for PEKS A PEKS scheme involves a client, a server, and senders which can e any entity (including the client and the server. Let λ e the security arameter, a PEKS scheme consists of the following algorithms. KeyGen(λ: Run y the client, this roailistic algorithm oututs a ulic/rivate key air (PK, SK, where PK should define a message sace W. Encryt(x, PK: Run y a sender, this roailistic algorithm oututs a cihertext (or, tag C x for a message (or, keyword x W. TraGen(y, SK: Run y the client, this roailistic algorithm generates a tradoor T y for the message y W. Test(C x, T y, PK: Run y the server, this deterministic algorithm returns if x = y and otherwise. Definition. A PEKS scheme achieves comutational consistency [], if any P.P.T. attacker A s advantage Pr[ = ] is negligile in the attack game, shown in Fig. 6.. (PK, SK KeyGen(λ 2. (x, x, state A(PK 3. Set = iff Test(C x, T x, PK = and x x, where T x = TraGen(x, SK, C x = Encryt(x, PK Fig. 6. Comutational Consistency 5
6 3. Security Proerties for PEKS The following cihertext rivacy roerty is the default roerty for PEKS from [8]. Definition 2. A PEKS scheme achieves cihertext rivacy if any P.P.T. attacker A s advantage Pr[ = ] 2 is negligile in the attack game shown in Fig. 7. In the game, A is not allowed to query the TraGen oracle with the messages x and x. In Definition 3 and Definition 4, we follow the Real-or-Random aradigm. This means that D is defined y the attacker at its will, ut D always reresents an indeendent uniform distriution for every variale. The following forward-secure tradoor unlinkaility says that any P.P.T. attacker cannot determine the links among tradoors as long as the underlying keywords are samled according to distriutions with min-entroy not smaller than λ. This roerty is an augmented variant of the strong search attern rivacy roerty from [3, 4], where the augmentation lies in two asects. One is that the attacker is given SK in Ste 4 of the attack game, and this rings in the forwardsecure flavor. The other is that the attacker is allowed to adatively choose the keyword distriutions ased on the ulic arameters, while the challenger samles the keywords uniformly from the keyword sace in [3, 4]. Definition 3. A PEKS scheme achieves forward-secure tradoor unlinkaility if any P.P.T. attacker A s advantage Pr[ = ] 2 is negligile in the game shown in Fig. 8. In the game, D and D are the joint distriutions of L (deendent λ-source random variales, which take values in the message sace W. The integer L is a olynomial in λ.. (PK, SK KeyGen(λ 2. (x, x, state A TraGen (PK 3. R {, }, C x = Encryt(x, PK 4. A TraGen (state, C x Fig. 7. Cihertext Privacy. (PK, SK KeyGen(λ 2. (D, D, L, state A TraGen (PK 3. R {, }, x D, T = TraGen(x, SK 4. A( SK, state, T Fig. 8. Forward-Secure Tradoor unlinkaility For simlicity, we use TraGen(x, SK to denote (TraGen(x (, SK,, TraGen(x(L, SK in Fig. 8. Such notation is also used in Fig. 9 and roerties definitions for IBE. The following forward-secure function rivacy roerty says that a P.P.T. attacker cannot determine the links among (tag, tradoor airs, as long as the underlying keywords are samled according to distriutions with min-entroy not smaller than λ and they are not equal to each other. This roerty is an augmented variant of the enhanced function rivacy roerty from [], where the augmentation lies in two asects. It is worth noting that the roerty for PEKS is not exlicitly defined in [], ut it is imlied y their discussions (in fact, they use it to motivate the roerty for IBE. One is that the attacker is given SK in Ste 4 of the attack game, and this rings in the forwardsecure flavor. The other is that, in the enhanced function rivacy roerty definition in [], the conditional min-entroy of x (i given x(,, x(i is required to e at least λ, for all 2 i L. While, in our definition, we relax this requirement y asking the samled identities not equal to each other. Based on the fact that the keywords in tradoors may highly correlated, our requirement is more realistic in ractice. Definition 4. A PEKS scheme achieves forward-secure function rivacy if any P.P.T. attacker A s advantage Pr[ = ] 2 is negligile in the game shown in Fig. 9. In the game, D and D are defined in the same way as in Definition 3, ut with the following restriction: for (x (, x(2,, x(l D W L and any i j L, the roaility Pr[x (i ] is negligile. = x(j 6
7 . (PK, SK KeyGen(λ 2. (D, D, L, state A TraGen (PK 3. R {, }, x D, T = TraGen(x, SK, C = Encryt(x, PK 4. A TraGen,Encryt ( SK, state, T, C Fig. 9. Forward-Secure Function Privacy In Ste 4 of the aove game, in a TraGen oracle query, the attacker has an index i L as inut and receives TraGen(x (i, SK. In an Encryt oracle query, the attacker has an index j L as inut and receives Encryt(x (j, PK. Note that the samled identities x(,, x(l are not allowed to e equal in the attack game. Hence, oth oracles are necessary even if the attacker ossesses SK, ecause the attacker may not e ale to generate a new tradoor or tag y re-randomizing an existing one. These two oracles faithfully reflect the fact that, in ractice, the attacker (i.e. the server may receive many tags and tradoors for the same keyword. Remark. Similar to the argument in [3], the forward-secure tradoor unlinkaility roerty and the forward-secure function rivacy roerty do not imly each other. We ski the details in this aer. 3.2 Analysis of Nishioka Scheme In [25], Nishioka modeled tradoor unlinkaility for a very restricted setting: the attacker is nonadative, the unlinkaility is only for two tradoors, and the model seems to e selective since the challenge keywords are chosen efore the generation of other arameters (in the SPP exeriment. Relying on ilinear grous of comosite-order qw, Nishioka constructed the following scheme (referred to as Instance 3 in [25] and roved the cihertext rivacy and tradoor unlinkaility roerties under some non-standard assumtions (as stated y Nishioka. In the following, we show that the scheme actually achieves more than what Nishioka has exected. KeyGen(λ TraGen(y, SK (, q, w, G, G T, ê, g, g q, g w G C (λ r Z qw g q G q, g = g g q g w, g w G w W = {, }, H : {, } G T = g r g w PK = (qw, G, G T, ê, g q, g w, g, W, H T 2 = H(y r g w SK = (PK, g T y = (T, T 2 Encryt(x, PK Test(C x, T y, PK r 2 Z qw, g q, g q G q if ê(t, C 2 = ê(t 2, C, outut C = g r2 g q, C 2 = H(x r2 g q otherwise, outut C x = (C, C 2 Note that we use the notation G C to emhasize the fact that this algorithm generates ilinear grous of order qw, in contrast to the definition of G C in Section 2.3. A minor remark is that r is defined to e r Z for the TraGen algorithm in [25], ut it is clear that r Z qw makes the scheme work in the same way. In Definition 3 and 4, we assume the attacker to e fully adative in the sense that it can choose the distriution D ased on everything. An immediate relaxation on these definitions is to make the attacker RO-non-adative, which means that the attacker can choose the distriution D ased on everything excet for the random oracle (i.e. the hash function. In ractice, the keywords in search queries might e related to the system arameters in some manner, ut it is hard to imagine a scenario where the keywords would deend on the ehavior of a random function. We argue that the relaxation is minimal and reasonale. Next, we rove that the scheme achieves forward-secure roerties for RO-non-adative attackers in the random oracle model. The roofs aear in Aendix II. It is worth mentioning that Theorem is imlied y the discussion in []. 7
8 Theorem. The scheme achieves RO-non-adative forward-secure function rivacy roerty in the random oracle model. Theorem 2. The scheme achieves RO-non-adative forward-secure tradoor unlinkaility roerty ased on the Weak Comosite-DDH assumtion in the random oracle model. A natural following-u question is whether or not the scheme is (adatively forward-secure in the random oracle model. Referring to the forward-secure tradoor unlinkaility attack game, as shown in Fig. 8, the attacker is required to distinguish the same airs as in the the roof of Theorem 2, with the excetion that the distriution D is defined y the attacker ased on the knowledge of H. It is straightforward to verify that the attacker s advantage is negligile ased on the correlated Comosite- DDH-II assumtion, defined in Section 2.4. However, it is very tricky for the forward-secure function rivacy roerty. Referring to the attack game, as shown in Fig. 9, the attacker s mission is to distinguish the following two airs. = : ((g r( g ( w, H(x ( r( g ( w, g r( 2 g ( q, H(x ( (g r(l g (L w, H(x (L r(l g (L w, g r(l 2 r( 2 g ( q,, g (L q, H(x (L r(l 2 g (L q = : ((g r( g ( w, H(x ( r( g ( w, g r( 2 g ( q, H(x ( (g r(l g (L w, H(x (L r(l g (L w, g r(l 2 r( 2 g ( q,, g (L q, H(x (L r(l 2 g (L q We are not ale to reduce this assumtion to the correlated Comosite-DDH-II assumtion or any other assumtion, even though we might e ale to rove that distinguishing the two airs is hard in the generic grou model. We leave a further investigation of this as a future work. 4 IBE and its Security Proerties An IBE scheme is secified y four algorithms (Setu, Extract, Enc, Dec, defined as follows. Setu(λ: On inut the security arameter λ, this roailistic algorithm returns a master secret key Msk and ulic arameters arams, which should define a message sace M and identity sace I. Extract(Msk, id: On inut a master secret key Msk and a ulic key id I, this roailistic algorithm oututs a secret key sk id. Enc(m, id: On inut a message m M and a ulic key id I, this roailistic algorithm oututs a cihertext C. Dec(C, sk id : On inut a cihertext C and a secret key sk id, this deterministic algorithm oututs a message m or an error symol. 4. Generic Transformation from IBE to PEKS Given an IBE scheme (Setu, Extract, Enc, Dec, the generic transformation works as follows []. Note that the message sace W of the resulted PEKS scheme is the ulic-key sace I of the original IBE scheme.. (Msk, arams = Setu(λ 2. sk id = Extract(Msk, id 3. C = Enc(m, id 4. Dec(C, sk id = m or Fig.. Original IBE. KeyGen(λ = Setu(λ 2. Encryt(x, PK = (m, Enc(m, x, where m R M 3. TraGen(y, SK = Extract(Msk, y 4. Test(C x, T y, PK = iff m = Dec(Enc(m, x, T y Fig.. Resulted PEKS 8
9 4.2 Security Proerties of IBE In this susection, we resent four IBE security roerties, which resectively lead to the four desirale roerties for the resulted PEKS through the generic transformation. Their corresondence is summarized in the following tale. PEKS Proerties IBE Proerties comutational consistency IND-CPA cihertext rivacy anonymity forward-secure tradoor unlinkaility forward-secure key unlinkaility forward-secure function rivacy forward-secure function rivacy In Definition 6 and Definition 7, we follow the Real-or-Random aradigm in all relevant attack games. This means that D is defined y the attacker at its will, ut D always reresents an indeendent uniform distriution for every variale. Definition 5. An IBE scheme achieves IND-CPA security if any P.P.T. attacker A s advantage Pr[ = ] 2 is negligile in the attack game shown in Fig. 2. In the game, the attacker is not allowed to query the Extract oracle with id. An IBE scheme achieves anonymity if any P.P.T. attacker A s advantage Pr[ = ] 2 is negligile in the game shown in Fig. 3. In the game, the attacker is not allowed to query the Extract oracle with id and id.. (Msk, arams Setu(λ 2. (m, m, id, state A Extract (arams 3. R {, }, C = Enc(m, id 4. A Extract (state, C. (Msk, arams Setu(λ 2. (m, id, id, state A Extract (arams 3. R {, }, C = Enc(m, id 4. A Extract (state, C Fig. 2. IND-CPA Fig. 3. Anonymity The following forward-secure key unlinkaility roerty says that any P.P.T. attacker cannot determine the links among rivate keys as long as the underlying identities are samled according to distriutions with min-entroy not smaller than λ. This roerty is an augmented variant of the strong key unlinkaility roerty from [3, 4], where the augmentation lies in two asects. One is that the attacker is given Msk in Ste 4 of the attack game, and this rings in the forwardsecure flavor. The other is that the attacker is allowed to adatively choose the identity distriution D ased on the ulic arameters, while the challenger samles the identities uniformly at random (according to certain atterns defined y the attacker from the identity sace in [3, 4]. Definition 6. An IBE scheme achieves forward-secure key unlinkaility if any P.P.T. attacker A s advantage Pr[ = ] 2 is negligile in the game shown in Fig. 4. In the game, D and D are the joint distriution of L (deendent λ-source random variales, which take values in the identity sace I. The integer L is a olynomial in λ.. (Msk, arams Setu(λ 2. (D, D, L, state A Extract (arams 3. R {, }, id D, sk = Extract(id, Msk 4. A( Msk, state, sk Fig. 4. Forward-Secure Key Unlinkaility The following forward-secure function rivacy roerty says that any P.P.T. attacker cannot determine the links among (rivate key, cihertext airs, as long as the underlying identities are samled according to distriutions with min-entroy not smaller than λ and they are not equal to each other. This roerty is an augmented variant of the enhanced function rivacy roerty from [], where the augmentation lies in two asects. 9
10 One is that the attacker is given Msk in Ste 4 of the attack game, and this rings in the forwardsecure flavor. The other is that, in the enhanced function rivacy roerty definition from [], the conditional min-entroy of id (i given id (,, id(i is required to e at least λ, for all 2 i L. In our definition, we relax this requirement y only asking the samled identities not equal to each other. Definition 7. An IBE scheme achieves forward-secure function rivacy if any P.P.T. attacker A s advantage Pr[ = ] 2 is negligile in the game shown in Fig. 5. In the game, D and D are defined in the same way as in Definition 6, ut with the following restriction: for (id (, id(2,, id(l D I L and any i j L, the roaility Pr[id (i ] is negligile. = id(j. (PK, SK Setu(λ 2. (D, D, L, state A Extract (arams 3. R {, }, id D, sk = Extract(id, Msk, m M L, C = Enc(m, id 4. A Extract,Enc ( Msk, state, sk, C Fig. 5. Forward-Secure Function Privacy For simlicity, we use Enc(m, id to denote (Enc(m (, id(,, Enc(m(L, id (L in Fig. 5. In Ste 4 of the aove game, in an Extract oracle query, the attacker has an index i L as inut and receives Extract(Msk, id (i. In an Enc oracle the attacker has an index j L as inut and receives Enc(m, id (j. It is ovious that oth oracles are necessary even if the attacker ossesses Msk, ecause the attacker may not e ale to generate a new secret key or a cihertext y re-randomizing an existing one. 5 Existing Function-Private IBE Schemes In this section, we first show that the fully-secure IBE scheme y Boneh, Raghunathan, and Segev [, ] does not achieve the forward-secure function rivacy. We then rove that a scheme y Arriaga, Tang, and Ryan [3, 4] achieves RO-non-adative forward-secure function rivacy and forward-secure key unlinkaility in the random oracle model. 5. Boneh-Raghunathan-Segev IBE DLIN2 Scheme The following scheme is referred to as IBE DLIN2 in []. It has een roven fully-secure with resect to enhanced function rivacy (under the definition in [] ased on the DLIN assumtion in the standard model. Setu(λ Extract(Msk, id Γ = (G, G T, ê, g, = G P (λ id = (id, id 2,, id n {, } n A, B, A,, A n Z 2 m S Z m 2 u Z 2, M = G T, I = {, } n F id,s = [A BS + ( id j A j S] j n Msk = (A, B, A,, A n, u v {x F id,s x = u (mod } arams = (Γ, g A, B, g A,, g A n, g u, M, I z = g v G m+2, sk id = (S, z Enc(m, id Dec(C, sk id id = (id, id 2,, id n {, } n, m G T D(id = id j A j, r Z 2 j n c T = g rt A, c T = g rt [B+D(id], c 2 = m ê(g, g rtu m = c 2 ê(d, z C = (c, c, c 2 d T = [c T (c T S ] = g rt F id,s ê(d, z = ê(g, g rt (F id,s v = ê(g, g rt u
11 We show that this scheme does not achieve forward-secure function rivacy, namely an attacker wins the attack game in Fig. 5 with overwhelming roaility. The following attack makes use of the fact that, with Msk, the attacker can transform a cihertext under an identity id into a cihertext under another identity id, for some carefully chosen id and id. To mount an attack, in ste 2 and 4 of the game, the attacker erforms as follows. In ste 2, the attacker sets L = 2, which means D and D are the joint distriution of two identities (id (, id (2. For D, the attacker sets id ( = (id, id 2,, id n as follows: (id, id 2,, id n {, } n and id n =. The attacker sets id (2 = id ( excet that id n =. In ste 4, the attacker firstly otains Msk = (A, B, A,, A n, u. Then, the attacker comutes X Z m m such that A n = A X. Recall that the challenge is (sk, C. Suose that the first cihertext in C is C = (c, c, c 2, which is in the following form: c T = g rt A, c T = g rt [B+D(id ( ], c 2 = m ê(g, g rtu. The attacker now generates a new cihertext C = (c, c, c 2, where c T = c T (c T X = g rt [B+D(id ( ] g rt A X = g rt [B+D(id ( ] g rt A n Let the secret keys in the challenge sk e denoted as (sk id (, sk id (2. The attacker oututs if Dec(C, sk id (2 = Dec(C, sk id (, and oututs otherwise. Recall that, is an oerator for airwise grou oerations etween two the new vectors or matrices. It is clear that c T = g rt [B+D(id (2 ] if (id (, id (2 is samled according to D, then C is a cihertext for Dec(C, sk id ( under the identity id (2. But, this equality holds with a negligile roaility if the identities are samled according to D. The attack works. 5.2 Arriaga-Tang-Ryan IBE Scheme The following scheme was roosed y Arriaga, Tang, and Ryan in [3, 4], ased on an anonymous IBE scheme y Boyen and Waters [4]. This scheme has een roven secure with resect to the strong key unlinkaility roerty (under the definition in [3, 4] in the random oracle model. Comared with our forward-secure key unlinkaility roerty, the definition from [3, 4] is weaker in three asects: ( the attacker is not allowed to adatively choose the identity distriution D and it can only secify the identity atterns (i.e. which identities are equal; (2 according to the atterns, the challenger samles the identities uniformly at random from the identity sace; (3 there is no forward security. Setu(λ Extract(Msk, id Γ = (, q, G, G T, ê, g, g, g q = G C (λ r Z n Γ = (n = q, G, G T, ê, g, g, g q x, x, x 2 G q x, t, t 2 Z n d = x g rt t 2 Ω = ê(g, g xt t 2, v = g t, v 2 = g t 2 d = x g xt 2 H(id rt 2 M = G T, I = {, }, H : {, } G d 2 = x 2 g xt H(id rt Msk = (x, t, t 2, arams = (Γ, Ω, v, v 2, M, I, H sk id = (d, d, d 2 Enc(m, id Dec(C, sk id s, s R Z n e = ê(c, d, e = ê(c, d ĉ = Ω s m, c = H(id s, c = v s s, and c 2 = v s e 2 2 = ê(c 2, d 2, C = (ĉ, c, c, c 2 m = ĉ e e e 2 Similar to the discussions in Section 3.2, an immediate relaxation on Definition 6 and 7 is to make the attacker RO-non-adative, which means that the attacker can choose the distriution D ased on everything excet for the random oracle (i.e. the hash function. Next, we rove that the aove scheme is secure under Definition 6 and 7 for a RO-non-adative attacker. This result is much stronger that what has een roven in [3, 4].
12 Theorem 3. The scheme achieves RO-non-adative forward-secure function rivacy roerty in the random oracle model. The roof of Theorem 3 is exactly the same as that for Theorem, and it is imlied y Theorem 6. from []. Next, we rove the RO-non-adative forward-secure key unlinkaility roerty. This result is an imrovement to Lemma 3 from [3], and it relies on Weak Comosite-DDH assumtion instead of Comosite-DDH assumtion. The roof aears in Aendix III. Theorem 4. The scheme achieves RO-non-adative forward-secure key unlinkaility roerty ased on the Weak Comosite-DDH assumtion in the random oracle model. With these results, a following-u question is whether or not the scheme is (adatively forwardsecure. Referring to the forward-secure key unlinkaility attack game, as shown in Fig. 4, it is straightforward to verify that the attacker s advantage is negligile ased on the correlated Comosite-DDH-II assumtion, similar to the roof of Theorem 6 in next section. However, it is very tricky for the forwardsecure function rivacy roerty. Referring to the attack game, as shown in Fig. 5, the attacker s mission is to distinguish the following two airs. = : ((g r(, H(id ( r( r, (g (2, H(id (2 r(2,, (g r (L, H(id (L r(l = : ((g r(, H(id ( r( r, (g (2, H(id (2 r(2,, (g r (L, H(id (L r(l This seems to e strictly easier for the attacker than in the case of correlated Comosite-DDH-II assumtion, ecause these airs are not randomized y anything from G q. 6 Forward-Secure IBE Construction In [, ], Boneh, Raghunathan and Segev indicated that function rivacy against non-adative attackers is almost trivial to achieve in the random oracle model. In Section 5.2, we showed that forward-secure function rivacy can e achieved against RO-non-adative attackers in the random oracle model. But, it ecomes very tricky in the resence of adative attackers. If an attacker defines the distriutions ased on the ehavior of random oracle (i.e. hash function, then we cannot easily reduce the security to standard hardness assumtions, as shown in the end of last section. In Section?? and 5., our attacks show that the elegant extract-comine-augment aroach from [, ] falls short of achieving our forward-secure function rivacy roerty, intuitively ecause it introduces good algeraic structures into the cihertexts and allows the attacker to mount an attack accordingly. In its imlementation, the extract-comine-augment aroach requires secific modifications to oth encrytion and decrytion algorithms in the underlying IBE scheme. This may not e an easy task to achieve, in articularly to achieve our forward security roerties. In the following, we introduce the concet of deterministic scramler, which serves as a uilding lock to re-rocess identities for any IBE scheme. Similar to the extract ste in the extract-comine-augment aroach, a deterministic scramler scheme eliminates the deendency relationshis among correlated random variales while it does not require any further change to the underlying IBE scheme. As an examle alication, we extend the Boyen-Waters anonymous IBE scheme and rove its security roerties. 6. Deterministic Scramler A deterministic scramler scheme is a crytograhic rimitive to ma inuts from a set X to oututs from another set Y. Formally, it consists of two algorithms. DS.init(λ: this roailistic algorithm returns the ulic arameter aram. DS.enc(x, aram: this deterministic algorithm returns a scramled outut y Y. A deterministic scramler scheme is sound if it is injective with overwhelming roaility. Formally, the roaility that, an attacker can find x x 2 X such that DS.enc(x, aram = DS.enc(x 2, aram, is negligile. 2
13 Definition 8. A deterministic scramler scheme is secure if the attacker s advantage Pr[ = ] 2 is negligile in the attack game, shown in Fig. 6. In the game, D and D are the joint distriutions of L (deendent λ-source random variales, which take values in the sace X. It is required that, for (x (, x(2,, x(l D X L and any i j L, the roaility Pr[x (i ] is negligile. The integer L is a olynomial in λ. = x(j. aram DS.init(λ 2. (D, D, L, state A(aram D 3. R {, }, x X L, y = DS.enc(x, aram 4. A(state, y Fig. 6. Deterministic Scramler Security Note that, we follow the Real-or-Random aradigm, which means that D is defined y the attacker at its will, ut D reresents an indeendent uniform distriution for every variale. The concet of deterministic scramler is closely related to that of correlated-inut secure hash functions y Goyal, O Neill and Rao [9]. Its soundness roerty is indeed the standard collision resistance roerty of hash function, and its security roerty is related to the correlated-inut seudorandomness roerty. Unfortunately, only selective security roerties have een considered in [9] and the constructions assume certain secific correlations among the inuts. The concet of deterministic scramler is also related to that of unseeded deterministic extractors [28]. But, they have sutle differences: deterministic scramler generates indistinguishale oututs for correlated inuts and random inuts, while unseeded deterministic extractor generates oututs which are indistinguishale from random strings. It may seem straightforward to instantiate a deterministic scramler scheme from an unseeded deterministic extractor scheme. However, the existing constructions for unseeded deterministic extractors usually ut strict constraints on the sources (or, inuts, hence it is unclear how to instantiate a deterministic scramler scheme from them. Yet another related concet is deterministic encrytion [5] since oth rimitives aim at hiding the deendent relationshis of their inuts. With resect to their functionalities, deterministic scramler is simler ecause it does not need a decrytion function. With resect to security, deterministic scramler is stronger in the sense that it assumes adative attackers while the security definitions in [5] and most following-us assume non-adative attackers. Very recently, Raghunathan, Segev and Vadhan have considered adative security for deterministic encrytion schemes [26]. Based on their scheme, we can instantiate a deterministic scramler scheme in a straightforward manner: set aram to e the ulic key and set the function DS.enc e the encrytion function. In the instantiation, there may e a need to align the cihertext sace with the outut sace of the deterministic scramler, in which case a standard collision-resistant hash function can e used. 6.2 Extended Boyen-Waters Scheme Given a sound and secure deterministic scramler scheme (DS.init, DS.enc, the following scheme is achieved y extending Boyen-Waters scheme [4] in two stes. The first ste is to relace the identity id in all algorithms with DS.enc(id, aram. This ste guarantees the forward-secure function rivacy roerty, without affecting the IND-CPA and anonymity roerties. The second ste is to emloy comosite-order ilinear grous, similar to the Arriaga-Tang-Ryan IBE Scheme descried in Section 5.2. This ste guarantees that the elements in the secret key can e randomized y randomly-chosen elements from a sugrou. 3
14 Setu(λ Extract(Msk, id Γ = (, q, G, G T, ê, g, g q = G C (λ r, r 2 Z n, Γ = (n = q, G, G T, ê, g, g q x, x, x 2, x 3, x 4 G q x, t, t 2, t 3, t 4 Z n d = x g r t t 2 +r 2 t 3 t 4 Ω = ê(g, g xt t 2, g, g G d = x g xt 2 v = g t, v 2 = g t 2, v 3 = g t 3, v 4 = g t 4 d 2 = x 2 g xt M = G T, I = Z n, aram DS.init(λ (g g DS.enc(id,aram r t 2 (g g DS.enc(id,aram r t d 3 = x 3 (g g DS.enc(id,aram r 2t 4 Msk = (x, t, t 2, t 3, t 4 d 4 = x 4 (g g DS.enc(id,aram r 2t 3 arams = (Γ, g, g, Ω, v, v 2, v 3, v 4, M, I, aram sk id = (d, d, d 2, d 3, d 4 Enc(m, id Dec(C, sk id s, s, s 2 Z n e = ê(c, d, e = ê(c, d ĉ = Ω s m, c = (g g DS.enc(id,aram s, c = v s s e 2 = ê(c 2, d 2,e 3 = ê(c 3, d 3 c 2 = v s 2, c 3 = v s s 2, c 3 4 = v s 2 e 4 4 = ê(c 4, d 4 C = (ĉ, c, c, c 2, c 3, c 4 m = ĉ e e e 2 e 3 e 4 Based on the fact that Boyen-Waters IBE is oth IND-CPA and anonymous ased on the DLIN assumtion, it is clear that the extended scheme achieves the same security roerties given the deterministic scramler scheme is sound. Next, we show that the scheme achieves the other two roerties. The roofs aear in Aendix IV. Theorem 5. The extended scheme achieves the forward-secure function rivacy roerty, if the emloyed deterministic scramler scheme is secure. Theorem 6. The extended scheme achieves the forward-secure key unlinkaility roerty, if the emloyed deterministic scramler scheme is secure. 7 Concluding Remarks In this aer, we have defined two forward-secure roerties for PEKS and IBE resectively. Moreover, we have analysed several existing PEKS and IBE schemes, and extended the Boyen-Waters anonymous IBE scheme y using a new uilding lock (i.e. deterministic scramler. Our analysis shows that it is relatively easy to achieve our roerties against RO-non-adative attackers. However, it is not an easy task to construct secure schemes against adative attackers. In fact, the task seems to e very difficult if we want to use standard hardness assumtions and get rid of random oracle model. Our work has motivated many interesting future directions, and some of them are listed elow. The extract-comine-augment aroach from [, ] is a very elegant aroach to achieve function rivacy without forward security. It remains oen whether the schemes from [, ] achieve key unlinkaility or even forward-secure key unlinkaility. Moreover, as ointed out earlier, this aroach introduces some algeraic structure into cihertexts, which makes the schemes not forwardsecure with resect to function rivacy. It is an interesting task to augment these schemes and enhance the aroach to achieve our forward-secure roerties. As to the concet of deterministic scramler, we only know one method to instantiate it, i.e. using the adative secure deterministic encrytion scheme y Raghunathan, Segev and Vadhan [26]. Unfortunately, the scheme is only secure in the random oracle model, and it seems difficult to have a secure scheme in the standard model as ointed y Wichs [29]. It is a very interesting task to see how to instantiate a deterministic scramler scheme in the standard model. Both PEKS and IBE are secial tyes of functional encrytion [2]. Hence, the concet of forward security is also valuale for other functional encrytion schemes, including other PEKS variants and searchale encrytion schemes in the symmetric-key setting. As shown in [2, 2], roosing aroriate security definitions for these schemes may e very tricky due to the more comlex functionalities and the inequality of indistinguishaility and simulation ased aroaches. This is a ig oen research area for the future. The forward-secure roerties for IBE have een motivated y constructing forward-secure PEKS schemes. It is interesting to investigate their imlications in other alications of IBE, and study their relationshis with other secial roerties such as those from [6, 3]. 4
15 Acknowledgement. The author would like to thank Afonso Arriaga and Vincenzo Iovino for their helful discussions. References. M. Adalla, M. Bellare, D. Catalano, E. Kiltz, T. Kohno, T. Lange, J. Malone-Lee, G. Neven, P. Paillier, and H. Shi. Searchale encrytion revisited: Consistency roerties, relation to anonymous ie, and extensions. J. Crytol., 2(3:35 39, S. Agrawal, S. Agrawal, S. Badrinarayanan, A. Kumarasuramanian, M. Prahakaran, and A. Sahai. Function rivate functional encrytion and roerty reserving encrytion : New definitions and ositive results. htt://erint.iacr.org/23/744, A. Arriaga, Q. Tang, and P. Ryan. Tradoor rivacy in asymmetric searchale encrytion schemes. htt://erint.iacr.org/23/33.df, A. Arriaga, Q. Tang, and P. Ryan. Tradoor rivacy in asymmetric searchale encrytion schemes. In D. Pointcheval and D. Vergnaud, editors, Progress in Crytology AFRICACRYPT 24, volume 8469 of LNCS, ages 3 5. Sringer, M. Bellare, A. Boldyreva, and A. O Neill. Deterministic and efficiently searchale encrytion. In A. Menezes, editor, Advances in crytology CRYPTO 27, volume 4622 of LNCS, ages Sringer, M. Bellare and S. K. Miner. A forward-secure digital signature scheme. In M. J. Wiener, editor, Advances in Crytology CRYPTO 999, volume 666 of LNCS, ages Sringer, D. Boneh, X. Boyen, and H. Shacham. Short grou signatures. In M. Franklin, editor, Advances in Crytology CRYPTO 24, volume 352 of LNCS, ages 4 55, D. Boneh, G. Di Crescenzo, R. Ostrovsky, and G. Persiano. Pulic Key Encrytion with Keyword Search. In C. Cachin and J. Camenisch, editors, Advances in Crytology EUROCRYPT 24, volume 327 of LNCS, ages Sringer, D. Boneh and M. K. Franklin. Identity-ased encrytion from the weil airing. In J. Kilian, editor, Advances in Crytology CRYPTO 2, volume 239 of Lecture Notes in Comuter Science, ages Sringer, 2.. D. Boneh, A. Raghunathan, and G. Segev. Function-rivate identity-ased encrytion: Hiding the function in functional encrytion. In R. Canetti and J. A. Garay, editors, Advances in Crytology CRYPTO 23, volume 843 of LNCS, ages Sringer, 23.. D. Boneh, A. Raghunathan, and G. Segev. Function-rivate identity-ased encrytion: Hiding the function in functional encrytion. htt://erint.iacr.org/23/283.df, D. Boneh, A. Sahai, and B. Waters. Functional encrytion: Definitions and challenges. In Y. Ishai, editor, Theory of Crytograhy - 8th Theory of Crytograhy Conference, TCC 2, volume 6597 of LNCS, ages Sringer, D. Boneh and B. Waters. Conjunctive, suset, and range queries on encryted data. In S. P. Vadhan, editor, Proceedings of the 4th conference on Theory of crytograhy, volume 4392 of LNCS, ages Sringer, X. Boyen and B. Waters. Anonymous hierarchical identity-ased encrytion (without random oracles. In C. Dwork, editor, Advances in Crytology CRYPTO 26, volume 47 of LNCS, ages Sringer, R. Canetti. Towards realizing random oracles: Hash functions that hide all artial information. In B. S. Kaliski Jr., editor, Advances in Crytology CRYPTO 997, volume 294 of Lecture Notes in Comuter Science, ages Sringer, S. M. Chow. Removing escrow from identity-ased encrytion. In S. Jarecki and G. Tsudik, editors, Pulic Key Crytograhy PKC 29, 2th International Conference on Practice and Theory in Pulic Key Crytograhy, volume 5443 of LNCS, ages Sringer, I. Damgård, C. Hazay, and A. Zottarel. Short aer on the generic hardness of DDH-II. htt://cs.au.dk/ angela/hardness.df, Accessed in May, W. Diffie, P. C. Oorschot, and M. J. Wiener. Authentication and authenticated key exchanges. Designs, Codes and Crytograhy, 2(2:7 25, V. Goyal, A. O Neill, and V. Rao. Correlated-inut secure hash functions. In Y. Ishai, editor, Theory of Crytograhy 8th Theory of Crytograhy Conference, TCC 2, volume 6597 of Lecture Notes in Comuter Science, ages Sringer, C. Günther. An identity-ased key-exchange rotocol. In J. Quisquater and J. Vandewalle, editors, Advances in Crytology EUROCRYPT 989, volume 434 of Lecture Notes in Comuter Science, ages Sringer, Y. H. Hwang and P. J. Lee. Pulic key encrytion with conjunctive keyword search and its extension to a multi-user system. In T. Takagi, editor, Pairing-Based Crytograhy Pairing 27, volume 4575 of LNCS, ages Sringer, V. Iovino and G. Persiano. Hidden-vector encrytion with grous of rime order. In S. D. Galraith and K. G. Paterson, editors, Pairing-Based Crytograhy Pairing 28, volume 529 of LNCS, ages Sringer, 28. 5
Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products
Predicate Encrytion Suorting Disjunctions, Polynomial Equations, and Inner Products Jonathan Katz jkatz@cs.umd.edu Amit Sahai sahai@cs.ucla.edu Brent Waters bwaters@csl.sri.com Abstract Predicate encrytion
More informationImproved Hidden Vector Encryption with Short Ciphertexts and Tokens
Imroved Hidden Vector Encrytion with Short Cihertexts and Tokens Kwangsu Lee Dong Hoon Lee Abstract Hidden vector encrytion HVE) is a articular kind of redicate encrytion that is an imortant crytograhic
More informationCryptography. Lecture 8. Arpita Patra
Crytograhy Lecture 8 Arita Patra Quick Recall and Today s Roadma >> Hash Functions- stands in between ublic and rivate key world >> Key Agreement >> Assumtions in Finite Cyclic grous - DL, CDH, DDH Grous
More informationRandomness Extraction in finite fields F p
Randomness Extraction in finite fields F n Abdoul Aziz Ciss École doctorale de Mathématiques et d Informatique, Université Cheikh Anta Dio de Dakar, Sénégal BP: 5005, Dakar Fann abdoul.ciss@ucad.edu.sn,
More information1. Introduction. 2. Background of elliptic curve group. Identity-based Digital Signature Scheme Without Bilinear Pairings
Identity-based Digital Signature Scheme Without Bilinear Pairings He Debiao, Chen Jianhua, Hu Jin School of Mathematics Statistics, Wuhan niversity, Wuhan, Hubei, China, 43007 Abstract: Many identity-based
More informationElliptic Curves and Cryptography
Ellitic Curves and Crytograhy Background in Ellitic Curves We'll now turn to the fascinating theory of ellitic curves. For simlicity, we'll restrict our discussion to ellitic curves over Z, where is a
More informationBilinear Entropy Expansion from the Decisional Linear Assumption
Bilinear Entroy Exansion from the Decisional Linear Assumtion Lucas Kowalczyk Columbia University luke@cs.columbia.edu Allison Bisho Lewko Columbia University alewko@cs.columbia.edu Abstract We develo
More informationPredicate Privacy in Encryption Systems
Predicate Privacy in Encrytion Systems Emily Shen MIT eshen@csail.mit.edu Elaine Shi CMU/PARC eshi@arc.com December 24, 2008 Brent Waters UT Austin bwaters@cs.utexas.edu Abstract Predicate encrytion is
More informationConversions among Several Classes of Predicate Encryption and Applications to ABE with Various Compactness Tradeoffs
Conversions among Several Classes of Predicate Encrytion and Alications to ABE with Various Comactness Tradeoffs Nuttaong Attraadung, Goichiro Hanaoka, and Shota Yamada National Institute of Advanced Industrial
More informationEfficient Cryptosystems From 2 k -th Power Residue Symbols
Efficient Crytosystems From 2 k -th Power Residue Symbols Marc Joye and Benoît Libert Technicolor 975 avenue des Chams Blancs, 35576 Cesson-Sévigné Cedex, France {marc.joye,benoit.libert}@technicolor.com
More informationCDH/DDH-Based Encryption. K&L Sections , 11.4.
CDH/DDH-Based Encrytion K&L Sections 8.3.1-8.3.3, 11.4. 1 Cyclic grous A finite grou G of order q is cyclic if it has an element g of q. { 0 1 2 q 1} In this case, G = g = g, g, g,, g ; G is said to be
More informationAn Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security
An extended abstract of this aer aears in the Proceedings of the 35th Annual Crytology Conference (CRYPTO 2015), Part I, Rosario ennaro and Matthew Robshaw (Eds.), volume 9215 of Lecture Notes in Comuter
More informationCryptanalysis of Pseudorandom Generators
CSE 206A: Lattice Algorithms and Alications Fall 2017 Crytanalysis of Pseudorandom Generators Instructor: Daniele Micciancio UCSD CSE As a motivating alication for the study of lattice in crytograhy we
More informationA Public-Key Cryptosystem Based on Lucas Sequences
Palestine Journal of Mathematics Vol. 1(2) (2012), 148 152 Palestine Polytechnic University-PPU 2012 A Public-Key Crytosystem Based on Lucas Sequences Lhoussain El Fadil Communicated by Ayman Badawi MSC2010
More informationEfficient Cryptosystems From 2 k -th Power Residue Symbols
Published in Journal of Crytology, 30(2:519 549, 2017. Efficient Crytosystems From 2 k -th Power Residue Symbols Fabrice Benhamouda 1, Javier Herranz 2, Marc Joye 3, and Benoît Libert 4, 1 ES Paris, CRS,
More informationLattice Attacks on the DGHV Homomorphic Encryption Scheme
Lattice Attacks on the DGHV Homomorhic Encrytion Scheme Abderrahmane Nitaj 1 and Tajjeeddine Rachidi 2 1 Laboratoire de Mathématiques Nicolas Oresme Université de Caen Basse Normandie, France abderrahmanenitaj@unicaenfr
More informationEfficient Cryptosystems From 2 k -th Power Residue Symbols
Efficient Crytosystems From k -th Power Residue Symbols Fabrice Benhamouda, Javier Herranz, Marc Joye 3, and Benoît Libert 4, ENS Paris, CNRS, INRIA, and PSL 45 rue d Ulm, 7530 Paris Cedex 06, France fabrice.benhamouda@ens.fr
More informationIdentity-based encryption
Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages
More information#A64 INTEGERS 18 (2018) APPLYING MODULAR ARITHMETIC TO DIOPHANTINE EQUATIONS
#A64 INTEGERS 18 (2018) APPLYING MODULAR ARITHMETIC TO DIOPHANTINE EQUATIONS Ramy F. Taki ElDin Physics and Engineering Mathematics Deartment, Faculty of Engineering, Ain Shams University, Cairo, Egyt
More informationOutline. EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Simple Error Detection Coding
Outline EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Error detection using arity Hamming code for error detection/correction Linear Feedback Shift
More informationAuthor(s)Emura, Keita; Miyaji, Atsuko; Omote, International Conference on Availabi Reliability and Security, ARES 492
JAIST Reosi htts://dsacej Title A Dynamic Attribute-Based Grou Sign and its Alication in an Anonymous the Collection of Attribute Statisti Author(s)Emura, Keita; Miyaji, Atsuko; Omote, Citation International
More informationSearchable encryption & Anonymous encryption
Searchable encryption & Anonymous encryption Michel Abdalla ENS & CNS February 17, 2014 MPI - Course 2-12-1 Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, 2014 1 /
More informationApproximating min-max k-clustering
Aroximating min-max k-clustering Asaf Levin July 24, 2007 Abstract We consider the roblems of set artitioning into k clusters with minimum total cost and minimum of the maximum cost of a cluster. The cost
More informationCryptography Assignment 3
Crytograhy Assignment Michael Orlov orlovm@cs.bgu.ac.il) Yanik Gleyzer yanik@cs.bgu.ac.il) Aril 9, 00 Abstract Solution for Assignment. The terms in this assignment are used as defined in [1]. In some
More informationMATH 2710: NOTES FOR ANALYSIS
MATH 270: NOTES FOR ANALYSIS The main ideas we will learn from analysis center around the idea of a limit. Limits occurs in several settings. We will start with finite limits of sequences, then cover infinite
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationTight Adaptively Secure Broadcast Encryption with Short Ciphertexts and Keys
Tight Adatively Secure Broadcast Encrytion with Short Cihertexts and Keys Romain Gay ENS, Paris, France romain.gay@ens.fr Lucas Kowalczyk Columbia University luke@cs.columbia.edu Hoeteck Wee ENS, Paris,
More informationA New and Optimal Chosen-message Attack on RSA-type Cryptosystems
Published in Y. Han, T. Okamoto, and S. Qing, eds, Information and Communications Security (ICICS 97), vol. 1334 of Lecture Notes in Comer Science,. 30-313, Sringer-Verlag, 1997. A New and Otimal Chosen-message
More informationON THE LEAST SIGNIFICANT p ADIC DIGITS OF CERTAIN LUCAS NUMBERS
#A13 INTEGERS 14 (014) ON THE LEAST SIGNIFICANT ADIC DIGITS OF CERTAIN LUCAS NUMBERS Tamás Lengyel Deartment of Mathematics, Occidental College, Los Angeles, California lengyel@oxy.edu Received: 6/13/13,
More informationEfficient Approximations for Call Admission Control Performance Evaluations in Multi-Service Networks
Efficient Aroximations for Call Admission Control Performance Evaluations in Multi-Service Networks Emre A. Yavuz, and Victor C. M. Leung Deartment of Electrical and Comuter Engineering The University
More informationA Modified Menezes-Vanstone Elliptic Curve Multi-Keys Cryptosystem
A Modified Menezes-Vanstone Ellitic Curve Multi-Keys Crytosystem By K.H. Rahouma Electrical Technology Deartment Technical College in Riyadh Riyadh, Kingdom of Saudi Arabia E-mail: kamel_rahouma@yahoo.com
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationSecure and Practical Identity-Based Encryption
Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.
More informationHidden-Vector Encryption with Groups of Prime Order
Hidden-Vector Encryption with Groups of Prime Order Vincenzo Iovino 1 and Giuseppe Persiano 1 Dipartimento di Informatica ed Applicazioni, Università di Salerno, 84084 Fisciano (SA), Italy. iovino,giuper}@dia.unisa.it.
More informationAn Attack on a Fully Homomorphic Encryption Scheme
An Attack on a Fully Homomorhic Encrytion Scheme Yuu Hu 1 and Fenghe Wang 2 1 Telecommunication School, Xidian University, 710071 Xi an, China 2 Deartment of Mathematics and Physics Shandong Jianzhu University,
More informationMA3H1 TOPICS IN NUMBER THEORY PART III
MA3H1 TOPICS IN NUMBER THEORY PART III SAMIR SIKSEK 1. Congruences Modulo m In quadratic recirocity we studied congruences of the form x 2 a (mod ). We now turn our attention to situations where is relaced
More informationMulti-Operation Multi-Machine Scheduling
Multi-Oeration Multi-Machine Scheduling Weizhen Mao he College of William and Mary, Williamsburg VA 3185, USA Abstract. In the multi-oeration scheduling that arises in industrial engineering, each job
More informationMultiplicative group law on the folium of Descartes
Multilicative grou law on the folium of Descartes Steluţa Pricoie and Constantin Udrişte Abstract. The folium of Descartes is still studied and understood today. Not only did it rovide for the roof of
More informationUncorrelated Multilinear Principal Component Analysis for Unsupervised Multilinear Subspace Learning
TNN-2009-P-1186.R2 1 Uncorrelated Multilinear Princial Comonent Analysis for Unsuervised Multilinear Subsace Learning Haiing Lu, K. N. Plataniotis and A. N. Venetsanooulos The Edward S. Rogers Sr. Deartment
More informationGOOD MODELS FOR CUBIC SURFACES. 1. Introduction
GOOD MODELS FOR CUBIC SURFACES ANDREAS-STEPHAN ELSENHANS Abstract. This article describes an algorithm for finding a model of a hyersurface with small coefficients. It is shown that the aroach works in
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationBrownian Motion and Random Prime Factorization
Brownian Motion and Random Prime Factorization Kendrick Tang June 4, 202 Contents Introduction 2 2 Brownian Motion 2 2. Develoing Brownian Motion.................... 2 2.. Measure Saces and Borel Sigma-Algebras.........
More informationGalois Fields, Linear Feedback Shift Registers and their Applications
Galois Fields, Linear Feedback Shift Registers and their Alications With 85 illustrations as well as numerous tables, diagrams and examles by Ulrich Jetzek ISBN (Book): 978-3-446-45140-7 ISBN (E-Book):
More information1. INTRODUCTION. Fn 2 = F j F j+1 (1.1)
CERTAIN CLASSES OF FINITE SUMS THAT INVOLVE GENERALIZED FIBONACCI AND LUCAS NUMBERS The beautiful identity R.S. Melham Deartment of Mathematical Sciences, University of Technology, Sydney PO Box 23, Broadway,
More informationElementary Analysis in Q p
Elementary Analysis in Q Hannah Hutter, May Szedlák, Phili Wirth November 17, 2011 This reort follows very closely the book of Svetlana Katok 1. 1 Sequences and Series In this section we will see some
More informationBayesian System for Differential Cryptanalysis of DES
Available online at www.sciencedirect.com ScienceDirect IERI Procedia 7 (014 ) 15 0 013 International Conference on Alied Comuting, Comuter Science, and Comuter Engineering Bayesian System for Differential
More informationAdditive results for the generalized Drazin inverse in a Banach algebra
Additive results for the generalized Drazin inverse in a Banach algebra Dragana S. Cvetković-Ilić Dragan S. Djordjević and Yimin Wei* Abstract In this aer we investigate additive roerties of the generalized
More informationSystem Reliability Estimation and Confidence Regions from Subsystem and Full System Tests
009 American Control Conference Hyatt Regency Riverfront, St. Louis, MO, USA June 0-, 009 FrB4. System Reliability Estimation and Confidence Regions from Subsystem and Full System Tests James C. Sall Abstract
More informationDistributed Rule-Based Inference in the Presence of Redundant Information
istribution Statement : roved for ublic release; distribution is unlimited. istributed Rule-ased Inference in the Presence of Redundant Information June 8, 004 William J. Farrell III Lockheed Martin dvanced
More informationPerfect Keyword Privacy in PEKS Systems
Perfect Keyword Privacy in PEKS Systems Mototsugu Nishioka HITACHI, Ltd., Yokohama Research Laboratory, Japan mototsugu.nishioka.rc@hitachi.com Abstract. This paper presents a new security notion, called
More informationLecture 7: Boneh-Boyen Proof & Waters IBE System
CS395T Advanced Cryptography 2/0/2009 Lecture 7: Boneh-Boyen Proof & Waters IBE System Instructor: Brent Waters Scribe: Ioannis Rouselakis Review Last lecture we discussed about the Boneh-Boyen IBE system,
More informationType-based Proxy Re-encryption and its Construction
Type-based Proxy Re-encryption and its Construction Qiang Tang Faculty of EWI, University of Twente, the Netherlands q.tang@utwente.nl Abstract. Recently, the concept of proxy re-encryption has been shown
More informationarxiv: v2 [math.nt] 26 Dec 2012
ON CONSTANT-MULTIPLE-FREE SETS CONTAINED IN A RANDOM SET OF INTEGERS arxiv:1212.5063v2 [math.nt] 26 Dec 2012 SANG JUNE LEE Astract. For a rational numer r > 1, a set A of ositive integers is called an
More informationEstimation of the large covariance matrix with two-step monotone missing data
Estimation of the large covariance matrix with two-ste monotone missing data Masashi Hyodo, Nobumichi Shutoh 2, Takashi Seo, and Tatjana Pavlenko 3 Deartment of Mathematical Information Science, Tokyo
More informationAdvanced Cryptography Midterm Exam
Advanced Crytograhy Midterm Exam Solution Serge Vaudenay 17.4.2012 duration: 3h00 any document is allowed a ocket calculator is allowed communication devices are not allowed the exam invigilators will
More informationHENSEL S LEMMA KEITH CONRAD
HENSEL S LEMMA KEITH CONRAD 1. Introduction In the -adic integers, congruences are aroximations: for a and b in Z, a b mod n is the same as a b 1/ n. Turning information modulo one ower of into similar
More informationTopic 7: Using identity types
Toic 7: Using identity tyes June 10, 2014 Now we would like to learn how to use identity tyes and how to do some actual mathematics with them. By now we have essentially introduced all inference rules
More informationPrivacy via Pseudorandom Sketches
Privacy via Pseudorandom Sketches Nina Mishra Mark Sandler December 18, 2005 Abstract Imagine a collection of individuals who each ossess rivate data that they do not wish to share with a third arty. This
More informationAN IMPROVED BABY-STEP-GIANT-STEP METHOD FOR CERTAIN ELLIPTIC CURVES. 1. Introduction
J. Al. Math. & Comuting Vol. 20(2006), No. 1-2,. 485-489 AN IMPROVED BABY-STEP-GIANT-STEP METHOD FOR CERTAIN ELLIPTIC CURVES BYEONG-KWEON OH, KIL-CHAN HA AND JANGHEON OH Abstract. In this aer, we slightly
More information#A37 INTEGERS 15 (2015) NOTE ON A RESULT OF CHUNG ON WEIL TYPE SUMS
#A37 INTEGERS 15 (2015) NOTE ON A RESULT OF CHUNG ON WEIL TYPE SUMS Norbert Hegyvári ELTE TTK, Eötvös University, Institute of Mathematics, Budaest, Hungary hegyvari@elte.hu François Hennecart Université
More informationA-optimal diallel crosses for test versus control comparisons. Summary. 1. Introduction
A-otimal diallel crosses for test versus control comarisons By ASHISH DAS Indian Statistical Institute, New Delhi 110 016, India SUDHIR GUPTA Northern Illinois University, Dekal, IL 60115, USA and SANPEI
More informationThe Graph Accessibility Problem and the Universality of the Collision CRCW Conflict Resolution Rule
The Grah Accessibility Problem and the Universality of the Collision CRCW Conflict Resolution Rule STEFAN D. BRUDA Deartment of Comuter Science Bisho s University Lennoxville, Quebec J1M 1Z7 CANADA bruda@cs.ubishos.ca
More informationGraph-Decomposition-Based Frameworks for Subset-Cover Broadcast Encryption and Efficient Instantiations
Grah-Decomosition-Based Frameworks for Subset-Cover Broadcast Encrytion and Efficient Instantiations Nuttaong Attraadung and Hideki Imai Imai Laboratory, Institute of Industrial Science, University of
More informationPOINTS ON CONICS MODULO p
POINTS ON CONICS MODULO TEAM 2: JONGMIN BAEK, ANAND DEOPURKAR, AND KATHERINE REDFIELD Abstract. We comute the number of integer oints on conics modulo, where is an odd rime. We extend our results to conics
More informationInequalities for the L 1 Deviation of the Empirical Distribution
Inequalities for the L 1 Deviation of the Emirical Distribution Tsachy Weissman, Erik Ordentlich, Gadiel Seroussi, Sergio Verdu, Marcelo J. Weinberger June 13, 2003 Abstract We derive bounds on the robability
More informationGentry IBE Paper Reading
Gentry IBE Paper Reading Y. Jiang 1 1 University of Wollongong September 5, 2014 Literature Craig Gentry. Practical Identity-Based Encryption Without Random Oracles. Advances in Cryptology - EUROCRYPT
More informationEfficient Identity-Based Encryption Without Random Oracles
Efficient Identity-Based Encryption Without Random Oracles Brent Waters Abstract We present the first efficient Identity-Based Encryption (IBE) scheme that is fully secure without random oracles. We first
More informationBent Functions of maximal degree
IEEE TRANSACTIONS ON INFORMATION THEORY 1 Bent Functions of maximal degree Ayça Çeşmelioğlu and Wilfried Meidl Abstract In this article a technique for constructing -ary bent functions from lateaued functions
More informationLinear diophantine equations for discrete tomography
Journal of X-Ray Science and Technology 10 001 59 66 59 IOS Press Linear diohantine euations for discrete tomograhy Yangbo Ye a,gewang b and Jiehua Zhu a a Deartment of Mathematics, The University of Iowa,
More informationHASSE INVARIANTS FOR THE CLAUSEN ELLIPTIC CURVES
HASSE INVARIANTS FOR THE CLAUSEN ELLIPTIC CURVES AHMAD EL-GUINDY AND KEN ONO Astract. Gauss s F x hyergeometric function gives eriods of ellitic curves in Legendre normal form. Certain truncations of this
More informationOn the Unpredictability of Bits of the Elliptic Curve Diffie Hellman Scheme
On the Unredictability of Bits of the Ellitic Curve Diffie Hellman Scheme Dan Boneh 1 and Igor E. Sharlinski 2 1 Deartment of Comuter Science, Stanford University, CA, USA dabo@cs.stanford.edu 2 Deartment
More informationA Distance-sensitive Attribute Based Cryptosystem for Privacy-Preserving Querying
MITSUBISHI ELECTRIC RESEARCH LABORATORIES htt://www.merl.com A Distance-sensitive Attribute Based Crytosystem for Privacy-Preserving Querying Sun, W.; Rane, S. TR2012-054 July 2012 Abstract We roose an
More information1-way quantum finite automata: strengths, weaknesses and generalizations
1-way quantum finite automata: strengths, weaknesses and generalizations arxiv:quant-h/9802062v3 30 Se 1998 Andris Ambainis UC Berkeley Abstract Rūsiņš Freivalds University of Latvia We study 1-way quantum
More informationA Bound on the Error of Cross Validation Using the Approximation and Estimation Rates, with Consequences for the Training-Test Split
A Bound on the Error of Cross Validation Using the Aroximation and Estimation Rates, with Consequences for the Training-Test Slit Michael Kearns AT&T Bell Laboratories Murray Hill, NJ 7974 mkearns@research.att.com
More informationcient Round-Optimal Blind Signatures in the Standard Model
E cient Round-Otimal lind Signatures in the Standard Model Essam Ghadafi University of the West of England, ristol, UK Essam.Ghadafi@gmail.com bstract. lind signatures are at the core of e-cash systems
More informationQUANTUM INFORMATION DELAY SCHEME USING ORTHOGONAL PRODUCT STATES
0 th March 0. Vol. No. 00-0 JATIT & LLS. All rights reserved. ISSN: -86 www.jatit.org E-ISSN: 87- QUANTUM INFORMATION DELAY SCHEME USING ORTHOGONAL PRODUCT STATES XIAOYU LI, LIJU CHEN School of Information
More informationA Qualitative Event-based Approach to Multiple Fault Diagnosis in Continuous Systems using Structural Model Decomposition
A Qualitative Event-based Aroach to Multile Fault Diagnosis in Continuous Systems using Structural Model Decomosition Matthew J. Daigle a,,, Anibal Bregon b,, Xenofon Koutsoukos c, Gautam Biswas c, Belarmino
More informationAnalysis of some entrance probabilities for killed birth-death processes
Analysis of some entrance robabilities for killed birth-death rocesses Master s Thesis O.J.G. van der Velde Suervisor: Dr. F.M. Sieksma July 5, 207 Mathematical Institute, Leiden University Contents Introduction
More informationMODELING THE RELIABILITY OF C4ISR SYSTEMS HARDWARE/SOFTWARE COMPONENTS USING AN IMPROVED MARKOV MODEL
Technical Sciences and Alied Mathematics MODELING THE RELIABILITY OF CISR SYSTEMS HARDWARE/SOFTWARE COMPONENTS USING AN IMPROVED MARKOV MODEL Cezar VASILESCU Regional Deartment of Defense Resources Management
More informationScaling ORAM for Secure Computation
Scaling ORAM for Secure Comutation Jack Doerner Northeastern University j@ckdoerner.net ahi shelat Northeastern University ahi@neu.edu Decemer 27, 2017 Astract We design and imlement a Distriuted Olivious
More informationSQUARES IN Z/NZ. q = ( 1) (p 1)(q 1)
SQUARES I Z/Z We study squares in the ring Z/Z from a theoretical and comutational oint of view. We resent two related crytograhic schemes. 1. SQUARES I Z/Z Consider for eamle the rime = 13. Write the
More informationSecurity Analysis of an Identity-Based Strongly Unforgeable Signature Scheme
Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme Kwangsu Lee Dong Hoon Lee Abstract Identity-based signature (IBS) is a specific type of public-key signature (PKS) where any
More informationPrivacy-Preserving Bayesian Network Learning From Heterogeneous Distributed Data
Privacy-Preserving Bayesian Network Learning From Heterogeneous Distributed Data Jianjie Ma and Krishnamoorthy Sivakumar School of EECS, Washington State University, Pullman, WA 9964-75, USA Telehone:
More informationIntroduction to MVC. least common denominator of all non-identical-zero minors of all order of G(s). Example: The minor of order 2: 1 2 ( s 1)
Introduction to MVC Definition---Proerness and strictly roerness A system G(s) is roer if all its elements { gij ( s)} are roer, and strictly roer if all its elements are strictly roer. Definition---Causal
More informationTanja Lange Technische Universiteit Eindhoven
Crytanalysis Course Part I Tanja Lange Technische Universiteit Eindhoven 28 Nov 2016 with some slides by Daniel J. Bernstein Main goal of this course: We are the attackers. We want to break ECC and RSA.
More informationResearch Article Controllability of Linear Discrete-Time Systems with Both Delayed States and Delayed Inputs
Abstract and Alied Analysis Volume 203 Article ID 97546 5 ages htt://dxdoiorg/055/203/97546 Research Article Controllability of Linear Discrete-Time Systems with Both Delayed States and Delayed Inuts Hong
More informationA FEW EQUIVALENCES OF WALL-SUN-SUN PRIME CONJECTURE
International Journal of Mathematics & Alications Vol 4, No 1, (June 2011), 77-86 A FEW EQUIVALENCES OF WALL-SUN-SUN PRIME CONJECTURE ARPAN SAHA AND KARTHIK C S ABSTRACT: In this aer, we rove a few lemmas
More informationPlanar Vector Equations in Engineering*
Int. J. Engng Ed. Vol., No.,. 40±406, 006 0949-149X/91 $3.00+0.00 Printed in Great Britain. # 006 TEMPUS Pulications. Planar Vector Equations in Engineering* H. R. MOHAMMADI DANIALI Deartment of Mechanical
More informationSets of Real Numbers
Chater 4 Sets of Real Numbers 4. The Integers Z and their Proerties In our revious discussions about sets and functions the set of integers Z served as a key examle. Its ubiquitousness comes from the fact
More informationConstructing Provably-Secure Identity-Based Signature Schemes
Constructing Provably-Secure Identity-Based Signature Schemes Chethan Kamath Indian Institute of Science, Bangalore November 23, 2013 Overview Table of contents Background Formal Definitions Schnorr Signature
More informationEfficient Hardware Architecture of SEED S-box for Smart Cards
JOURNL OF SEMICONDUCTOR TECHNOLOY ND SCIENCE VOL.4 NO.4 DECEMBER 4 37 Efficient Hardware rchitecture of SEED S-bo for Smart Cards Joon-Ho Hwang bstract This aer resents an efficient architecture that otimizes
More informationCompactness vs Collusion Resistance in Functional Encryption
Compactness vs Collusion Resistance in Functional Encryption Baiyu Li Daniele Micciancio April 10, 2017 Astract We present two general constructions that can e used to comine any two functional encryption
More informationALGEBRAIC TOPOLOGY MASTERMATH (FALL 2014) Written exam, 21/01/2015, 3 hours Outline of solutions
ALGERAIC TOPOLOGY MASTERMATH FALL 014) Written exam, 1/01/015, 3 hours Outline of solutions Exercise 1. i) There are various definitions in the literature. ased on the discussion on. 5 of Lecture 3, as
More informationState Estimation with ARMarkov Models
Deartment of Mechanical and Aerosace Engineering Technical Reort No. 3046, October 1998. Princeton University, Princeton, NJ. State Estimation with ARMarkov Models Ryoung K. Lim 1 Columbia University,
More informationPairing-Based Cryptography An Introduction
ECRYPT Summer School Samos 1 Pairing-Based Cryptography An Introduction Kenny Paterson kenny.paterson@rhul.ac.uk May 4th 2007 ECRYPT Summer School Samos 2 The Pairings Explosion Pairings originally used
More informationThe Twin Diffie-Hellman Problem and Applications
The Twin Diffie-Hellman Problem and Applications David Cash 1 Eike Kiltz 2 Victor Shoup 3 February 10, 2009 Abstract We propose a new computational problem called the twin Diffie-Hellman problem. This
More informationFault Tolerant Quantum Computing Robert Rogers, Thomas Sylwester, Abe Pauls
CIS 410/510, Introduction to Quantum Information Theory Due: June 8th, 2016 Sring 2016, University of Oregon Date: June 7, 2016 Fault Tolerant Quantum Comuting Robert Rogers, Thomas Sylwester, Abe Pauls
More informationMAS 4203 Number Theory. M. Yotov
MAS 4203 Number Theory M. Yotov June 15, 2017 These Notes were comiled by the author with the intent to be used by his students as a main text for the course MAS 4203 Number Theory taught at the Deartment
More information2-D Analysis for Iterative Learning Controller for Discrete-Time Systems With Variable Initial Conditions Yong FANG 1, and Tommy W. S.
-D Analysis for Iterative Learning Controller for Discrete-ime Systems With Variable Initial Conditions Yong FANG, and ommy W. S. Chow Abstract In this aer, an iterative learning controller alying to linear
More information