CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00
|
|
- Ashlynn Goodwin
- 5 years ago
- Views:
Transcription
1 CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00 No extra materal s allowed durng the exam except for pens and a smple calculator (not smartphones). No other electronc devces allowed. Your answers n the exam must be wrtten n Englsh. Your language sklls wll not be graded (but of course we cannot grade your answer f we do not understand t), so try to gve clear answers. Your thoughts and ways of reasonng must be clearly understood! Teacher: Elena Pagnn Examner: Akatern Mtrokotsa Questons durng the exam: Elena Pagnn (phone ) Inspecton of exam: See web page for announcement. The exam has 4 topcs and some bonus questons to gan extra ponts. The total number of ponts s 100 ponts (+ 8 bonus ponts). Grades are : CTH Grades: , , 90 or above 5 GU Grades: G, 90 or above VG Good luck! 1
2 Symmetrc Cphers (20p) 1. Consder the message m = HKPUFCMHY BHDDXZH, and let (E, D) be a substtuton cpher. (a) Decrypt m usng the followng (secret) substtuton key: plan cpher a b c d e f g h j k l m n o p q r s t u v w x y z X G P Y H Q Z I R A J S B K T C L U D M V E N W F O Usng the gven substtuton key we see that the decrypton of m s: encrypted message. (b) Can ths cpher be broken by someone who has access to m but not to the secret key? Why? (3p) No (1p), the cphertext s too short. (1p) Any message matchng the followng pattern s a possble plantext: (1p)? 1? 2? 3? 4? 5? 6? 7? 1? 8? 9? 1? 10? 10? 11? 12? 1 Other possble decryptons are: rghtward broomer, embroaden lettuce, equlobed terrace. 2. Let (E, D) be a (one-tme) semantcally secure cpher, where the messages, cphertexts and keys are bnary strngs, e.g., you can thnk M = C = K = {0, 1} n, wth n 2. Are the followng encrypton schemes, derved from (E, D), semantcally secure or not? Explan why (no need for formal proofs, but your motvatons should be well-justfed). Why do we requre n 2? Would n = 1 provde dfferent answers? (1 bonus pont) (a) E (k, m) = E(k, m) 1, where 1 denotes the strng wth all ones. (b) E (k, m) = E(k, m) RB(m), where RB(m) gves back a random bt of the nput m. (c) E (k, m) = E(k, m) RB(k), where RB(k) gves back a random bt of the nput k. (a) The encrypton scheme s semantcally secure. The cphertexts of E are smply the cphertexts of E flpped. Thus, t s easy to see that any attack aganst E can be turn nto an attack aganst E (whch s semantcally secure by assumpton). (b) The encrypton scheme s not semantcally secure. The adversary could use the folowng strategy to wn the semantc securty game. Choose m 0 = 0 (the all-0 message) and m 1 = 1 (the all-1 message). Return RB(m) as b, the guess for the b chosen by the adversary to produce the challenge cphertext. (c) The encrypton scheme s semantcally secure. Although E s leakng one bt of the key, t does not harm (gven that the key s longer than 1 bt, n 2 (1p)), snce a randomly chosen keys, wll have both 0 and 1 bts. Thus, the adversary cannot retreve any useful nformaton from RB(k). 3. Does the OTP (One Tme Pad) cpher acheve perfect secrecy? Prove t. (9p) (Hnt: you can start by quckly descrbng how the OTP cpher works and how perfect secrecy s defned). 2
3 Yes, the OTP cpher s perfect secret. The OTP Cpher (E,D) over the message-space M = {0, 1} n, the keys-pace K = {0, 1} n and the cphertext-space C = {0, 1} n (where n s a postve nteger), s defned as follows. For every key k R K: E(k, ) : M C, E(k, m) = m k, for any m M. D(k, ) : C M, D(k, c) = c k, for any m M. The noton of perfect secrecy states that, for all m 0, m 1 M such that len(m 0 ) = len(m 1 ), and for all c C (1p) t holds that: Prob[E(k, m 0 ) = c] = Prob[E(k, m 1 ) = c] where k s chosen unformly at random from K (k R K). In order to prove that the OTP cpher has perfect secrecy we need to show that Prob[E(k, m) = c] s a constant value (the same for all possble messages m M). (1p) Now, Prob[E(k, m) = c] s the probablty that there exsts a key k K that encrypts m n the cphertext c. For how the OTP encrypton s defned, there s only one key that encrypts m n c, namely k = m c. Therefore, Prob[E(k, m) = c] = number of keys that encrypt m nto c number of total keys = k K : E(k,m)=c K = 1 K = 1 2 n (1p) (1p) By replacng m wth m 0 and m 1 we get that: Prob[E(k, m 0 ) = c] = Prob[ k K : k m 0 = c] = 1 K = 1 2 n = Prob[E(k, m 1) = c]. Therefore OTP has perfect secrecy. Publc Key Encrypton (30p) 4. Descrbe the ElGamal encrypton scheme. (6p) (Hnt: wrte down nput, output and behavour of the algorthms). The ElGamal encrypton scheme s made by the three algorthm (KeyGen, Enc, Dec), defned as follows. KeyGen(λ) (pk, sk), s the key generaton algorthm. It takes as nput the securty parameter λ and generates the descrpton of a cyclc group G =< g > of order q (where q s a λ-bt long nteger). Then t chooses a random value x R {1, 2,... q 1} and computes h = g x G. The output s the secret key sk = x and the publc key pk = (G, g, q, h). Enc(pk, m) c = (c 1, c 2 ), s the encrypton algorthm. It takes as nput the publc key and a message m G and outputs the cphertext c G G. As a frst step, the algorthm generates a random value r R {1, 2,..., q 1} and computes c 1 = g r G. Then t computes c 2 = mh r G. Dec(sk, c) m s the encrypton algorthm. It takes as nput the secret key and a cphertext c G G. The decrypton works as follows. Frst t computes k = c x 1 G. Then t computes m = c 2 k 1 G. 5. Defne the IND-CCA securty game (ndstngushablty chosen cphertext attack) and show that the ElGamal encrypton scheme s not secure under IND-CCA. (11p) In the IND-CCA securty game, the adversary s gven the publc key of the scheme, 3
4 and he can ask for (at most q poly(λ)) decryptons of messages of hs choce to the challenger. After that, the adversary chooses two messages m 0, m 1 (of the same length) and sends them to the challenger. The challenger selects a random bt b R {0, 1} and returns to the attacker the cphertext c Enc(pk, m b ). The adversary then can go through another query pahse, where anyhow he s not allowed to submt the challenge cphertext c. The adversary wns the game f he can determne wth non-neglgble probablty f c s an encrypton of m 0 or of m 1 (.e., guess the bt b chosen by the Challenger). (4p) In what follows, we show a possble strategy for the attacker to wn the game (there are several varants of ths attack that are vald). The attacker can skp the frst query phase, and choose two random messages m 0, m 1 G such that m 0 m 1, and send them to the Challenger. Let c denote the receved challenge cphertext. Durng the second query phase the Adversary can submt a modfcaton of the challenge cphertext, e.g., c = (c 1, d c 2 ), where d 1 s an (of course nvertble) element n G. The plantext m returned by the Challenger wll then be m = d (c 2 c x 1 ) = d m b. Therefore the attacker can output the guess b = 0 for b n case d 1 m = m 0, and b = 1 otherwse. (5p) Followng the above strategy, we can show that the adversary has a non-neglgble advantage n the IND-CCA game. Let W denote the probablty of the event ẗhe Challenger selects b = (.e., c s an encrypton of m, {0, 1}), and the adversary outputs as a guess b = 0. Then, Adv IND CCA [A, ElGamal] = W 0 W 1 = 1 0 = 1, whch s ndeed non-neglgbly larger than Consder the cyclc group Z 37. If you explan n detals the functons / theorems / theory nvolved n ths exercse you can gan a maxmum of (3 bonus ponts) (a) How many elements are n Z 37,.e., what s the order of the group? The order of Z 37 s ϕ(37), where ϕ denotes Euler s Ph (totent) functon. (1p) Snce 37 s a prme number, we have ϕ(37) = 37 1 = 36. (1p) (b) Is Z 37 a cyclc group? How many generators does t have? (4p) Yes, Z 36 s a cyclc group because 37 s a prme number. (1p) The number of generators corresponds to the number of coprme numbers between 1 and 36, that s Z 36 has ϕ(ϕ(37)) generators (1p), more explctly ϕ(36) = ϕ( ) = (2 1) (3 1) = 12 generators. (c) Is 4 a generator of Z 37? Prove t. (7p) An element g Z 37 s a generator of the group f g36 = 1 n Z 37 and g 1 for all {1, 2,..., 35}. Therefore, n order to check f 4 s a generator we need to see f 4 1 n Z 37 for all {1, 2,..., 35}. By Lagrange theorem we know that the order of an element always dvdes the order of the group. Snce Z 37 has order 36 = we only need to check the powers 1, 2, 3, 4, 6, 9, 12, 18 (proper dvsors of 36). 4 1 = 4 1 mod 37, 4 2 = 16 ±1 mod 37 (thus 4 does not have order 2 or 4), 4 3 = 10 ±1 mod 37 (thus 4 does not have order 3 or 6). 4 9 = (4 3 ) 3 = = 1 mod 37 from whch we can derve that 4 has order 2 9 = 18 (4p) and thus 4 s not a generator of Z 37. (1p) 4
5 Data Integrty (20p) 7. Descrbe the RSA dgtal sgnature scheme. (10p) (Hnt: wrte down nput, output and behavour of the algorthms). The RSA dgtal sgnature scheme s made by the three algorthm (KeyGen, Sgn, Verfy), defned as follows. KeyGen(λ) (pk, sk), s the key generaton algorthm. Gven λ, the securty parameter of the scheme, the algorthm does: 1. Generate two, dstnct λ-bt prmes p, q; (1p) and compute N = pq and ϕ(n), where ϕ( ) denotes Euler Totent functon. (1p) 2. Choose a random nteger e R Z ϕ(n) satsfyng GCD(e, ϕ(n))=1.(1p) Compute d = e 1 mod ϕ(n). (1p) 3. Set pk = (N, e) and sk = d. (1p)(note: the role of e and d s nterchangeable, as long as Sgn takes as nput the secret value, and Verfy the publc one). Sgn(sk, m) σ, s the sgnng algorthm. It takes as nput the secret key d and a message m Z ϕ(n) and outputs the sgnature σ = m d mod N. Verfy(pk, m, σ) {0, 1} s the verfcaton algorthm. It takes as nput the publc key e, a message m and a sgnature σ; t outputs 1 f the sgnature s correct (verfes) and 0 otherwse. (1p) More formally, the verfcaton algorthm checks whether σ e = m mod N. If the equalty holds Verfy returns 1, otherwse t returns Let N > 2 be a postve nteger. Consder the functon h : Z Z N, defned as h(m) = m mod N. To check f h s a cryptographc hash functon we need to assure that h satsfes (at least) the followng three propertes: (2a) Gven a message m, the message dgest y = h(m) can be computed n an effcent way. (2b) Gven a message dgest y, t s computatonally nfeasble to fnd an m wth h(m) = y (n other words, h s a one-way, or pre-mage resstant functon). (2c) It s computatonally nfeasble to fnd two dnstnt messages m 1, m 2 Z such that h(m 1 ) = h(m 2 ) (n ths case, the functon h s sad to be collson-free). Check f h s a cryptographc hash functon,.e., for each of the propertes ((8a), (8b) and (8c)) show f h satsfes t or not. (10p) Computng the remander modulus N of a number m Z can be done n an effcent way usng, e.g., the Eucldean Algorthm. Therefore h satsfes property (8a). (1p) Property (8b) s obvously not satsfed, (1p) snce m = y tself s a possble premage of the dgest y. More formally, for every y {0, 1,..., N 1} Z t holds that h(y) = y mod N = y. (1p) From the observaton above, t s mmedate to see that h s not collson-resstant. (1p) Indeed, for any message m 1 Z we have that m 2 = m 1 + N Z has the same dgest: h(m 1 ) = m 1 mod N = m 1 + N mod N = h(m 2 ). Actually, all the messages of the form m 1 + kn have the same dgest (the remander modulus N). Advanced Topcs n Cryptography (30p) 9. Descrbe n your own words (or gve the defnton of): (a) Uncondtonal and provable securty. Also, gve at least one example of a cryptosystem n each category. (6p) 5
6 Uncondtonal securty: The cryptosystem cannot be broken even by an adversary wth unlmted computatonal power. Examples of uncondtonally secure crypto systems are: Shamr s and Mgnotte s Secret Sharng Scheme., the OTP. (1p) Provable securty: It s possble to prove that an attack that breaks the cryptosystem, can be used to solve some well-known problem wdely beleved to be (computatonally) hard. Examples of provably secure cryptosystems are: ElGamal (reduced to the Dscrete-Log assumpton), RSA (reduced to the Dscrete-Log assumpton and the factorng assumpton). (1p) (b) The three man propertes of the Fat-Shamr dentfcaton protocol (Completeness, Soundness and Zero-Knowledge). (8p) Completeness: An (nteractve) dentfcaton protocol s complete f an honest prover P succeeds n convncng a honest verfer V that a true statement s true. Soundness: An (nteractve) dentfcaton protocol s sound f no dshonest prover P succeeds n convncng an honest verfer V that a false statement s true. Zero-Knowledge: An honest prover P can convnce the verfer V of the valdty of a statement wthout revealng any nformaton beyond the truth of the statement. In other words, an honest-but-curous verfer s not able to extract any useful nformaton (e.g. the secret key) from the prover whle, at the same tme, the verfer wll be convnced that the prover knows the secret. (4p) 10. Consder the Secure Multparty Computaton (SMPC) protocol for addton, based on the Shamr Secret Sharng Scheme, seen n class. Assume that there are n = 4 partes (P 1, P 2, P 3, P 4 ), that the system tolerates t = 3 corrupted partes, and that all computatons are done n Z 13. (a) Imagne you are P 1, and your secret nput to the computaton s a = 5. Explan how you would share your secret value a wth the other partes and what you expect to receve from each other party (note that no explct computaton s requred for ths step, just a formal descrpton of how the scheme works). (4p) In order to share the secret a Z 13 usng the Shamr Secret Sharng Scheme, the party P 1 needs to frst select a random polynomal f(x) Z 13 [x] satsfyng f(0) = a and 3 = t = deg(f). In other words, P 1 generates f(x) as f(x) = a + r 1 x + r 2 x 2 + r + 3x 3 R wth r 1, r 2, r 3 Z13. Then P 1 computes f on the ponts {1, 2, 3, 4} and gves to party P the share a = f(). (1p) Each party follows the same procedure, thus P 1 receves the shares of each party s secret nput computed n = 1, namely b 1, c 1 and d 1. (1p) (b) Now, magne you are P 1 and hold the table below (whch corresponds to your vew of the protocol). Compute the value S = a+b+c+d usng the nformaton contaned n the table. (12p) P 1 P 2 P 3 P 4 a = 5 a 1 = 5 a 2 = 12 a 3 = 7 a 4 = 10 b =? b 1 = 4??? c =? c 1 = 12??? d =? d 1 = 9??? S s 1 = 4 s 2 = 6 s 3 = 1 s 4 = 7 6
7 Party P 1 can compute the sum S by usng Lagrange nterpolaton on the partal sums s 1, s 2, s 3 and s 4 n the formula S = 4 =1 s 1 (0), where (0) denote the Lagrange nterpolaton polynomals (evaluated at 0) (4p) and defned as: (0) = j {1,2,3,4} {} j(j ) 1 (here k 1 denotes the nverse of k modulus 13). (1p) 1 (0) = 2(2 1) 1 3(3 1) 1 4(4 1) 1 = 4 mod 13 2 (0) = 1(1 2) 1 3(3 2) 1 4(4 2) 1 = 7 mod 13 3 (0) = 1(1 3) 1 2(2 3) 1 4(4 3) 1 = 4 mod 13 4 (0) = 1(1 4) 1 2(2 4) 1 3(3 4) 1 = 12 mod 13 For each δ : (1p) for correct computaton, (0.5p) for usng EEA / Bézout dentty to fnd the nverses n Z 13. Total (6p). Substtutng the numbers n the Largange nterpolaton formula, one gets: = 3 mod 13. Thus S = 3. (1p). (c) Bonus queston: Lookng at the table n pont (10b), are you able to determne what was the polynomal f chosen by P 1 to share a? Why? Compute the polynomal f, f possble. (4 bonus ponts) Yes, t s possble to retreve the polynomal f chosen by P 1, because table (10b) contans n = 4 ponts on whch the degree t = 3 polynomal (chosen by P 1 to share the secret nput a) s evaluated, and there exsts only one degree t polynomal passng on t + 1 = 4 ponts (1p). It s possble to compute f(x) Z 13 [x] usng the Lagrange nterpolaton on the ponts f(1) = a 1 = 5, f(2) = a 2 = 12 1 mod 13, f(3) = a 3 = 7, f(4) = a 4 = 10, as follows: f(x) = 4 =1 f() (x) mod 13 where (x) = j {1,2,3,4} {} (x j)( j) 1 (1p). By substtutng the numbers n the above expressons we get: 1 (x) = x x x = 2( x 3 + ( 4 3 2)x 2 + ( )x + 2 ) = 2x 3 + 8x mod 13 (0.5p) 2 (x) = 7x 3 + 9x 2 + 3x + 7 mod 13 (0.5p) 3 (x) = 6x 3 3x 2 + 6x + 4 mod 13 (0.5p) 4 (x) = 2x 3 x 2 + 4x 1 mod 13 (0.5p) Thus, f(x) = x 3 + x
CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationAttacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction
Attacks on RSA The Rabn Cryptosystem Semantc Securty of RSA Cryptology, Tuesday, February 27th, 2007 Nls Andersen Square Roots modulo n Complexty Theoretc Reducton Factorng Algorthms Pollard s p 1 Pollard
More informationCryptographic Protocols
Cryptographc Protocols Entty Authentcaton Key Agreement Fat-Shamr Identfcaton Schemes Zero-Knowledge Proof Systems Shnorr s Identfcaton/Sgnature Scheme Commtment Schemes Secret Sharng Electronc Electon
More informationProvable Security Signatures
Provable Securty Sgnatures UCL - Louvan-la-Neuve Wednesday, July 10th, 2002 LIENS-CNRS Ecole normale supéreure Summary Introducton Sgnature FD PSS Forkng Lemma Generc Model Concluson Provable Securty -
More informationG /G Advanced Cryptography 12/9/2009. Lecture 14
G22.3220-001/G63.2180 Advanced Cryptography 12/9/2009 Lecturer: Yevgeny Dods Lecture 14 Scrbe: Arsteds Tentes In ths lecture we covered the Ideal/Real paradgm and the noton of UC securty. Moreover, we
More informationA Threshold Digital Signature Issuing Scheme without Secret Communication
A Threshold Dgtal Sgnature Issung Scheme wthout Secret Communcaton Kazuo Takarag, Kunhko Myazak, Masash Takahash Systems Development Laboratory, Htach, Ltd e-mal: {takara, kunhko, takahas}@sdlhtachcop
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationCryptanalysis of pairing-free certificateless authenticated key agreement protocol
Cryptanalyss of parng-free certfcateless authentcated key agreement protocol Zhan Zhu Chna Shp Development Desgn Center CSDDC Wuhan Chna Emal: zhuzhan0@gmal.com bstract: Recently He et al. [D. He J. Chen
More informationInformation-Theoretic Timed-Release Security: Key-Agreement, Encryption, and Authentication Codes
Informaton-Theoretc Tmed-Release Securty: Key-Agreement, Encrypton, and Authentcaton Codes Yohe Watanabe, Takenobu Seto, Junj Shkata Graduate School of Envronment and Informaton Scences, Yokohama Natonal
More informationHash functions : MAC / HMAC
Hash functons : MAC / HMAC Outlne Message Authentcaton Codes Keyed hash famly Uncondtonally Secure MACs Ref: D Stnson: Cryprography Theory and Practce (3 rd ed), Chap 4. Unversal hash famly Notatons: X
More informationOn a CCA2-secure variant of McEliece in the standard model
On a CCA2-secure varant of McElece n the standard model Edoardo Perschett Department of Mathematcs, Unversty of Auckland, New Zealand. e.perschett@math.auckland.ac.nz Abstract. We consder publc-key encrypton
More informationLecture 4: Universal Hash Functions/Streaming Cont d
CSE 5: Desgn and Analyss of Algorthms I Sprng 06 Lecture 4: Unversal Hash Functons/Streamng Cont d Lecturer: Shayan Oves Gharan Aprl 6th Scrbe: Jacob Schreber Dsclamer: These notes have not been subjected
More informationand problem sheet 2
-8 and 5-5 problem sheet Solutons to the followng seven exercses and optonal bonus problem are to be submtted through gradescope by :0PM on Wednesday th September 08. There are also some practce problems,
More information6.842 Randomness and Computation February 18, Lecture 4
6.842 Randomness and Computaton February 18, 2014 Lecture 4 Lecturer: Rontt Rubnfeld Scrbe: Amartya Shankha Bswas Topcs 2-Pont Samplng Interactve Proofs Publc cons vs Prvate cons 1 Two Pont Samplng 1.1
More informationTHE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens
THE CHINESE REMAINDER THEOREM KEITH CONRAD We should thank the Chnese for ther wonderful remander theorem. Glenn Stevens 1. Introducton The Chnese remander theorem says we can unquely solve any par of
More informationMath 261 Exercise sheet 2
Math 261 Exercse sheet 2 http://staff.aub.edu.lb/~nm116/teachng/2017/math261/ndex.html Verson: September 25, 2017 Answers are due for Monday 25 September, 11AM. The use of calculators s allowed. Exercse
More informationComplex Numbers Alpha, Round 1 Test #123
Complex Numbers Alpha, Round Test #3. Wrte your 6-dgt ID# n the I.D. NUMBER grd, left-justfed, and bubble. Check that each column has only one number darkened.. In the EXAM NO. grd, wrte the 3-dgt Test
More informationFoundations of Arithmetic
Foundatons of Arthmetc Notaton We shall denote the sum and product of numbers n the usual notaton as a 2 + a 2 + a 3 + + a = a, a 1 a 2 a 3 a = a The notaton a b means a dvdes b,.e. ac = b where c s an
More information18.781: Solution to Practice Questions for Final Exam
18.781: Soluton to Practce Questons for Fnal Exam 1. Fnd three solutons n postve ntegers of x 6y = 1 by frst calculatng the contnued fracton expanson of 6. Soluton: We have 1 6=[, ] 6 6+ =[, ] 1 =[,, ]=[,,
More information8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS
SECTION 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS 493 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS All the vector spaces you have studed thus far n the text are real vector spaces because the scalars
More informationRecover plaintext attack to block ciphers
Recover plantext attac to bloc cphers L An-Png Bejng 100085, P.R.Chna apl0001@sna.com Abstract In ths paper, we wll present an estmaton for the upper-bound of the amount of 16-bytes plantexts for Englsh
More informationCOMPLEX NUMBERS AND QUADRATIC EQUATIONS
COMPLEX NUMBERS AND QUADRATIC EQUATIONS INTRODUCTION We know that x 0 for all x R e the square of a real number (whether postve, negatve or ero) s non-negatve Hence the equatons x, x, x + 7 0 etc are not
More informationPassword Based Key Exchange With Mutual Authentication
Password Based Key Exchange Wth Mutual Authentcaton Shaoquan Jang and Guang Gong Department of Electrcal and Computer Engneerng Unversty of Waterloo Waterloo, Ontaro N2L 3G1, CANADA Emal:{angshq,ggong}@callope.uwaterloo.ca
More informationSecure and practical identity-based encryption
Secure and practcal dentty-based encrypton D. Naccache Abstract: A varant of Waters dentty-based encrypton scheme wth a much smaller system parameters sze (only a few klobytes) s presented. It s shown
More informationCalculation of time complexity (3%)
Problem 1. (30%) Calculaton of tme complexty (3%) Gven n ctes, usng exhaust search to see every result takes O(n!). Calculaton of tme needed to solve the problem (2%) 40 ctes:40! dfferent tours 40 add
More informationExploring Naccache-Stern Knapsack Encryption
Explorng Naccache-Stern Knapsack Encrypton Érc Brer 1, Rém Géraud 2, and Davd Naccache 2 1 Ingenco Termnals 9 Avenue de la Gare f-26300 Alxan, France erc.brer@ngenco.com 2 École normale supéreure 45 rue
More informationFinding Primitive Roots Pseudo-Deterministically
Electronc Colloquum on Computatonal Complexty, Report No 207 (205) Fndng Prmtve Roots Pseudo-Determnstcally Ofer Grossman December 22, 205 Abstract Pseudo-determnstc algorthms are randomzed search algorthms
More informationAlgebraic partitioning: Fully compact and (almost) tightly secure cryptography
Algebrac parttonng: Fully compact and (almost) tghtly secure cryptography Denns Hofhenz October 12, 2015 Abstract We descrbe a new technque for conductng parttonng arguments. Parttonng arguments are a
More informationDecentralized Multi-Client Functional Encryption for Inner Product
Ths paper s a slght varant of the Extended Abstract that appears n Advances n Cryptology ASIACRYPT 2018 (December 2 6, Brsbane, Australa) Sprnger-Verlag, LNCS?????, pages??????. Decentralzed Mult-Clent
More informationBernoulli Numbers and Polynomials
Bernoull Numbers and Polynomals T. Muthukumar tmk@tk.ac.n 17 Jun 2014 The sum of frst n natural numbers 1, 2, 3,..., n s n n(n + 1 S 1 (n := m = = n2 2 2 + n 2. Ths formula can be derved by notng that
More informationInner Product. Euclidean Space. Orthonormal Basis. Orthogonal
Inner Product Defnton 1 () A Eucldean space s a fnte-dmensonal vector space over the reals R, wth an nner product,. Defnton 2 (Inner Product) An nner product, on a real vector space X s a symmetrc, blnear,
More informationHardening the ElGamal Cryptosystem in the Setting of the Second Group of Units
54 The Internatonal Arab Journal of Informaton Technology, Vol., o. 5, September 204 Hardenng the ElGamal Cryptosystem n the Settng of the Second Group of Unts Ramz Haraty, Abdulasser ElKassar, and Suzan
More informationReport on Image warping
Report on Image warpng Xuan Ne, Dec. 20, 2004 Ths document summarzed the algorthms of our mage warpng soluton for further study, and there s a detaled descrpton about the mplementaton of these algorthms.
More informationPh 219a/CS 219a. Exercises Due: Wednesday 12 November 2008
1 Ph 19a/CS 19a Exercses Due: Wednesday 1 November 008.1 Whch state dd Alce make? Consder a game n whch Alce prepares one of two possble states: ether ρ 1 wth a pror probablty p 1, or ρ wth a pror probablty
More informationEdge Isoperimetric Inequalities
November 7, 2005 Ross M. Rchardson Edge Isopermetrc Inequaltes 1 Four Questons Recall that n the last lecture we looked at the problem of sopermetrc nequaltes n the hypercube, Q n. Our noton of boundary
More informationAnonymous Identity-Based Broadcast Encryption with Revocation for File Sharing
Anonymous Identty-Based Broadcast Encrypton wth Revocaton for Fle Sharng Janchang La, Y Mu, Fuchun Guo, Wlly Suslo, and Rongmao Chen Centre for Computer and Informaton Securty Research, School of Computng
More information3.1 Expectation of Functions of Several Random Variables. )' be a k-dimensional discrete or continuous random vector, with joint PMF p (, E X E X1 E X
Statstcs 1: Probablty Theory II 37 3 EPECTATION OF SEVERAL RANDOM VARIABLES As n Probablty Theory I, the nterest n most stuatons les not on the actual dstrbuton of a random vector, but rather on a number
More informationNotes on Frequency Estimation in Data Streams
Notes on Frequency Estmaton n Data Streams In (one of) the data streamng model(s), the data s a sequence of arrvals a 1, a 2,..., a m of the form a j = (, v) where s the dentty of the tem and belongs to
More informationClassical Encryption and Authentication under Quantum Attacks
Classcal Encrypton and Authentcaton under Quantum Attacks arxv:1307.3753v1 [cs.cr] 14 Jul 2013 Mara Velema July 12, 2013 Abstract Post-quantum cryptography studes the securty of classcal,.e. non-quantum
More informationAugmented Broadcaster Identity-based Broadcast Encryption
Augmented Broadcaster Identty-based Broadcast Encrypton Janhong Zhang Yuwe Xu Zhpeng Chen Insttuton of Image Processng and Pattern Recognton North Chna Unversty of Technology Bejng Chna 100144 ywxupaper@163com
More informationSeparable Linkable Threshold Ring Signatures
Separable Lnkable Threshold Rng Sgnatures Patrck P. Tsang 1, Vctor K. We 1, Tony K. Chan 1, Man Ho Au 1, Joseph K. Lu 1, and Duncan S. Wong 2 1 Department of Informaton Engneerng The Chnese Unversty of
More informationCanonical transformations
Canoncal transformatons November 23, 2014 Recall that we have defned a symplectc transformaton to be any lnear transformaton M A B leavng the symplectc form nvarant, Ω AB M A CM B DΩ CD Coordnate transformatons,
More informationMULTIPLICATIVE FUNCTIONS: A REWRITE OF ANDREWS CHAPTER 6
MULTIPLICATIVE FUNCTIONS: A REWRITE OF ANDREWS CHAPTER 6 In these notes we offer a rewrte of Andrews Chapter 6. Our am s to replace some of the messer arguments n Andrews. To acheve ths, we need to change
More informationAffine transformations and convexity
Affne transformatons and convexty The purpose of ths document s to prove some basc propertes of affne transformatons nvolvng convex sets. Here are a few onlne references for background nformaton: http://math.ucr.edu/
More informationBorn and raised distributively: Fully distributed non-interactive adaptively-secure threshold signatures with short shares
Publshed n Theoretcal Computer Scence, 645: 24, 206 Born and rased dstrbutvely: Fully dstrbuted non-nteractve adaptvely-secure threshold sgnatures wth short shares Benoît Lbert Ecole Normale Supéreure
More informationProblem Set 9 Solutions
Desgn and Analyss of Algorthms May 4, 2015 Massachusetts Insttute of Technology 6.046J/18.410J Profs. Erk Demane, Srn Devadas, and Nancy Lynch Problem Set 9 Solutons Problem Set 9 Solutons Ths problem
More informationCHALMERS, GÖTEBORGS UNIVERSITET. SOLUTIONS to RE-EXAM for ARTIFICIAL NEURAL NETWORKS. COURSE CODES: FFR 135, FIM 720 GU, PhD
CHALMERS, GÖTEBORGS UNIVERSITET SOLUTIONS to RE-EXAM for ARTIFICIAL NEURAL NETWORKS COURSE CODES: FFR 35, FIM 72 GU, PhD Tme: Place: Teachers: Allowed materal: Not allowed: January 2, 28, at 8 3 2 3 SB
More informationMessage modification, neutral bits and boomerangs
Message modfcaton, neutral bts and boomerangs From whch round should we start countng n SHA? Antone Joux DGA and Unversty of Versalles St-Quentn-en-Yvelnes France Jont work wth Thomas Peyrn 1 Dfferental
More informationELASTIC WAVE PROPAGATION IN A CONTINUOUS MEDIUM
ELASTIC WAVE PROPAGATION IN A CONTINUOUS MEDIUM An elastc wave s a deformaton of the body that travels throughout the body n all drectons. We can examne the deformaton over a perod of tme by fxng our look
More informationA Novel Feistel Cipher Involving a Bunch of Keys supplemented with Modular Arithmetic Addition
(IJACSA) Internatonal Journal of Advanced Computer Scence Applcatons, A Novel Festel Cpher Involvng a Bunch of Keys supplemented wth Modular Arthmetc Addton Dr. V.U.K Sastry Dean R&D, Department of Computer
More informationMore metrics on cartesian products
More metrcs on cartesan products If (X, d ) are metrc spaces for 1 n, then n Secton II4 of the lecture notes we defned three metrcs on X whose underlyng topologes are the product topology The purpose of
More informationComments on a secure dynamic ID-based remote user authentication scheme for multiserver environment using smart cards
Comments on a secure dynamc ID-based remote user authentcaton scheme for multserver envronment usng smart cards Debao He chool of Mathematcs tatstcs Wuhan nversty Wuhan People s Republc of Chna Emal: hedebao@63com
More informationLectures - Week 4 Matrix norms, Conditioning, Vector Spaces, Linear Independence, Spanning sets and Basis, Null space and Range of a Matrix
Lectures - Week 4 Matrx norms, Condtonng, Vector Spaces, Lnear Independence, Spannng sets and Bass, Null space and Range of a Matrx Matrx Norms Now we turn to assocatng a number to each matrx. We could
More informationThe Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction
ECONOMICS 5* -- NOTE (Summary) ECON 5* -- NOTE The Multple Classcal Lnear Regresson Model (CLRM): Specfcaton and Assumptons. Introducton CLRM stands for the Classcal Lnear Regresson Model. The CLRM s also
More informationAPPENDIX A Some Linear Algebra
APPENDIX A Some Lnear Algebra The collecton of m, n matrces A.1 Matrces a 1,1,..., a 1,n A = a m,1,..., a m,n wth real elements a,j s denoted by R m,n. If n = 1 then A s called a column vector. Smlarly,
More informationarxiv: v1 [cs.cr] 22 Oct 2018
CRYPTOGRAPHIC ANALYSIS OF THE MODIFIED MATRIX MODULAR CRYPTOSYSTEM arxv:181109876v1 [cscr] 22 Oct 2018 VITALIĬ ROMAN KOV Abstract We show that the Modfed Matrx Modular Cryptosystem proposed by SK Rososhek
More informationAnonymous identity-based broadcast encryption with revocation for file sharing
Unversty of Wollongong Research Onlne Faculty of Engneerng and Informaton Scences - Papers: Part A Faculty of Engneerng and Informaton Scences 2016 Anonymous dentty-based broadcast encrypton wth revocaton
More informationThe Synchronous 8th-Order Differential Attack on 12 Rounds of the Block Cipher HyRAL
The Synchronous 8th-Order Dfferental Attack on 12 Rounds of the Block Cpher HyRAL Yasutaka Igarash, Sej Fukushma, and Tomohro Hachno Kagoshma Unversty, Kagoshma, Japan Emal: {garash, fukushma, hachno}@eee.kagoshma-u.ac.jp
More informationLecture 3: Shannon s Theorem
CSE 533: Error-Correctng Codes (Autumn 006 Lecture 3: Shannon s Theorem October 9, 006 Lecturer: Venkatesan Guruswam Scrbe: Wdad Machmouch 1 Communcaton Model The communcaton model we are usng conssts
More informationAlgorithms for factoring
CSA E0 235: Crytograhy Arl 9,2015 Instructor: Arta Patra Algorthms for factorng Submtted by: Jay Oza, Nranjan Sngh Introducton Factorsaton of large ntegers has been a wdely studed toc manly because of
More informationMA 323 Geometric Modelling Course Notes: Day 13 Bezier Curves & Bernstein Polynomials
MA 323 Geometrc Modellng Course Notes: Day 13 Bezer Curves & Bernsten Polynomals Davd L. Fnn Over the past few days, we have looked at de Casteljau s algorthm for generatng a polynomal curve, and we have
More information= z 20 z n. (k 20) + 4 z k = 4
Problem Set #7 solutons 7.2.. (a Fnd the coeffcent of z k n (z + z 5 + z 6 + z 7 + 5, k 20. We use the known seres expanson ( n+l ( z l l z n below: (z + z 5 + z 6 + z 7 + 5 (z 5 ( + z + z 2 + z + 5 5
More informationSection 8.3 Polar Form of Complex Numbers
80 Chapter 8 Secton 8 Polar Form of Complex Numbers From prevous classes, you may have encountered magnary numbers the square roots of negatve numbers and, more generally, complex numbers whch are the
More informationExpected Value and Variance
MATH 38 Expected Value and Varance Dr. Neal, WKU We now shall dscuss how to fnd the average and standard devaton of a random varable X. Expected Value Defnton. The expected value (or average value, or
More informationLecture 5 Decoding Binary BCH Codes
Lecture 5 Decodng Bnary BCH Codes In ths class, we wll ntroduce dfferent methods for decodng BCH codes 51 Decodng the [15, 7, 5] 2 -BCH Code Consder the [15, 7, 5] 2 -code C we ntroduced n the last lecture
More informationA Commitment-Consistent Proof of a Shuffle
A Commtment-Consstent Proof of a Shuffle Douglas Wkström CSC KTH Stockholm, Sweden dog@csc.kth.se Aprl 2, 2011 Abstract We ntroduce a pre-computaton technque that drastcally reduces the onlne computatonal
More informationCryptanalysis of Some Double-Block-Length Hash Modes of Block Ciphers with n-bit Block and n-bit Key
Cryptanalyss of Some Double-Block-Length Hash Modes of Block Cphers wth n-bt Block and n-bt Key Deukjo Hong and Daesung Kwon Abstract In ths paper, we make attacks on DBL (Double-Block-Length) hash modes
More informationLecture 3: Probability Distributions
Lecture 3: Probablty Dstrbutons Random Varables Let us begn by defnng a sample space as a set of outcomes from an experment. We denote ths by S. A random varable s a functon whch maps outcomes nto the
More informationPh 219a/CS 219a. Exercises Due: Wednesday 23 October 2013
1 Ph 219a/CS 219a Exercses Due: Wednesday 23 October 2013 1.1 How far apart are two quantum states? Consder two quantum states descrbed by densty operators ρ and ρ n an N-dmensonal Hlbert space, and consder
More informationn α j x j = 0 j=1 has a nontrivial solution. Here A is the n k matrix whose jth column is the vector for all t j=0
MODULE 2 Topcs: Lnear ndependence, bass and dmenson We have seen that f n a set of vectors one vector s a lnear combnaton of the remanng vectors n the set then the span of the set s unchanged f that vector
More informationSL n (F ) Equals its Own Derived Group
Internatonal Journal of Algebra, Vol. 2, 2008, no. 12, 585-594 SL n (F ) Equals ts Own Derved Group Jorge Macel BMCC-The Cty Unversty of New York, CUNY 199 Chambers street, New York, NY 10007, USA macel@cms.nyu.edu
More informationErrors for Linear Systems
Errors for Lnear Systems When we solve a lnear system Ax b we often do not know A and b exactly, but have only approxmatons  and ˆb avalable. Then the best thng we can do s to solve ˆx ˆb exactly whch
More informationProactive Linear Integer Secret Sharing
Proactve Lnear Integer Secret Sharng Rune Thorbek BRICS, Dept. of Computer Scence, Unversty of Aarhus Abstract. In [3] Damgard and Thorbek proposed the lnear nteger secret sharng (LISS) scheme. In ths
More informationLeakage-Resilient Identification Schemes from Zero-Knowledge Proofs of Storage
Leakage-Reslent Identfcaton Schemes from Zero-Knowledge Proofs of Storage Guseppe Atenese Sapenza, Unversty of Rome atenese@d.unroma1.t Antono Faono Aarhus Unversty antfa@cs.au.dk Seny Kamara Mcrosoft
More information2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification
E395 - Pattern Recognton Solutons to Introducton to Pattern Recognton, Chapter : Bayesan pattern classfcaton Preface Ths document s a soluton manual for selected exercses from Introducton to Pattern Recognton
More informationMath 2534 Final Exam Review Answer Key 1. Know deþnitions for the various terms: a. Modus Ponens b. Modus Tollens c. divides d. rational e.
Math 534 Fnal Exam Revew Answer Key 1. Know deþntons for the varous terms: a. Modus Ponens b. Modus Tollens c. dvdes d. ratonal e. Quotent-Remander Theorem f. unon g. ntersecton h. complement. DeMorgan
More informationEnhanced Privacy ID: A Direct Anonymous Attestation Scheme with Enhanced Revocation Capabilities
Enhanced Prvacy ID: A Drect Anonymous Attestaton Scheme wth Enhanced Revocaton Capabltes Erne Brckell Intel Corporaton erne.brckell@ntel.com Jangtao L Intel Corporaton jangtao.l@ntel.com August 17, 2007
More informationImproving the Round Complexity of VSS in Point-to-Point Networks
Improvng the Round Complexty of VSS n Pont-to-Pont Networks Jonathan Katz Chu-Yuen Koo Rant Kumaresan Abstract We revst the followng queston: what s the optmal round complexty of verfable secret sharng
More informationCircular chosen-ciphertext security with compact ciphertexts
Crcular chosen-cphertext securty wth compact cphertexts Denns Hofhenz January 19, 2013 Abstract A key-dependent message (KDM secure encrypton scheme s secure even f an adversary obtans encryptons of messages
More informationThe Second Anti-Mathima on Game Theory
The Second Ant-Mathma on Game Theory Ath. Kehagas December 1 2006 1 Introducton In ths note we wll examne the noton of game equlbrum for three types of games 1. 2-player 2-acton zero-sum games 2. 2-player
More informationHMMT February 2016 February 20, 2016
HMMT February 016 February 0, 016 Combnatorcs 1. For postve ntegers n, let S n be the set of ntegers x such that n dstnct lnes, no three concurrent, can dvde a plane nto x regons (for example, S = {3,
More informationHashing. Alexandra Stefan
Hashng Alexandra Stefan 1 Hash tables Tables Drect access table (or key-ndex table): key => ndex Hash table: key => hash value => ndex Man components Hash functon Collson resoluton Dfferent keys mapped
More informationk(k 1)(k 2)(p 2) 6(p d.
BLOCK-TRANSITIVE 3-DESIGNS WITH AFFINE AUTOMORPHISM GROUP Greg Gamble Let X = (Z p d where p s an odd prme and d N, and let B X, B = k. Then t was shown by Praeger that the set B = {B g g AGL d (p} s the
More informationRSA /2002/13(08) , ); , ) RSA RSA : RSA RSA [2] , [1,4]
1000-9825/2002/13(081729-06 2002 Journal of Software Vol13, No8 RSA 1,2 1, 1 (, 200433; 2 (, 200070 E-mal: yfhu@fudaneducn http://wwwfudaneducn : RSA RSA :, ; RSA,,, RSA,, : ; RSA ; ;RSA; : TP309 : A RSA
More informationLecture 10 Support Vector Machines II
Lecture 10 Support Vector Machnes II 22 February 2016 Taylor B. Arnold Yale Statstcs STAT 365/665 1/28 Notes: Problem 3 s posted and due ths upcomng Frday There was an early bug n the fake-test data; fxed
More informationSecurity Vulnerability in Identity-Based Public Key Cryptosystems from Pairings
Internatonal Journal of Informaton and Educaton Technology Vol No 4 August 0 Securty Vulnerablty n Identty-Based ublc Key Cryptosystems from arngs Jyh-aw Yeh Abstract Many dentty-based lc key cryptosystems
More informationEfficient Ring Signatures Without Random Oracles
Effcent Rng Sgnatures Wthout Random Oracles Hovav Shacham hovav.shacham@wezmann.ac.l Brent Waters bwaters@csl.sr.com Abstract We descrbe the frst effcent rng sgnature scheme secure, wthout random oracles,
More informationOn the Instantiability of Hash-and-Sign RSA Signatures
On the Instantablty of Hash-and-Sgn RSA Sgnatures Yevgeny Dods Iftach Hatner Ars Tentes December 29, 2011 Abstract The hash-and-sgn RSA sgnature s one of the most elegant and well known sgnatures schemes,
More informationLinear, affine, and convex sets and hulls In the sequel, unless otherwise specified, X will denote a real vector space.
Lnear, affne, and convex sets and hulls In the sequel, unless otherwse specfed, X wll denote a real vector space. Lnes and segments. Gven two ponts x, y X, we defne xy = {x + t(y x) : t R} = {(1 t)x +
More informationOn quasiperfect numbers
Notes on Number Theory and Dscrete Mathematcs Prnt ISSN 1310 5132, Onlne ISSN 2367 8275 Vol. 23, 2017, No. 3, 73 78 On quasperfect numbers V. Sva Rama Prasad 1 and C. Suntha 2 1 Nalla Malla Reddy Engneerng
More information10-701/ Machine Learning, Fall 2005 Homework 3
10-701/15-781 Machne Learnng, Fall 2005 Homework 3 Out: 10/20/05 Due: begnnng of the class 11/01/05 Instructons Contact questons-10701@autonlaborg for queston Problem 1 Regresson and Cross-valdaton [40
More informationIntroduction to Algorithms
Introducton to Algorthms 6.046J/8.40J Lecture 7 Prof. Potr Indyk Data Structures Role of data structures: Encapsulate data Support certan operatons (e.g., INSERT, DELETE, SEARCH) Our focus: effcency of
More informationFinding Malleability in NTRUSign
Fndng Malleablty n TRUSgn SungJun Mn, Go Yamamoto, and Kwangjo Km Auto-ID Labs Whte Paper WP-HARDWARE-33 Sungjun Mn Senor Researcher, atonal Computerzaton Agency Go Yamamoto Senor Researcher, Informaton
More informationCryptanalysis of a Public-key Cryptosystem Using Lattice Basis Reduction Algorithm
www.ijcsi.org 110 Cryptanalyss of a Publc-key Cryptosystem Usng Lattce Bass Reducton Algorthm Roohallah Rastagh 1, Hamd R. Dall Oskoue 2 1,2 Department of Electrcal Engneerng, Aeronautcal Unversty of Snce
More informationNUMERICAL DIFFERENTIATION
NUMERICAL DIFFERENTIATION 1 Introducton Dfferentaton s a method to compute the rate at whch a dependent output y changes wth respect to the change n the ndependent nput x. Ths rate of change s called the
More informationISSN: ISO 9001:2008 Certified International Journal of Engineering and Innovative Technology (IJEIT) Volume 3, Issue 1, July 2013
ISSN: 2277-375 Constructon of Trend Free Run Orders for Orthogonal rrays Usng Codes bstract: Sometmes when the expermental runs are carred out n a tme order sequence, the response can depend on the run
More informationGrover s Algorithm + Quantum Zeno Effect + Vaidman
Grover s Algorthm + Quantum Zeno Effect + Vadman CS 294-2 Bomb 10/12/04 Fall 2004 Lecture 11 Grover s algorthm Recall that Grover s algorthm for searchng over a space of sze wors as follows: consder the
More informationCOS 521: Advanced Algorithms Game Theory and Linear Programming
COS 521: Advanced Algorthms Game Theory and Lnear Programmng Moses Charkar February 27, 2013 In these notes, we ntroduce some basc concepts n game theory and lnear programmng (LP). We show a connecton
More informationprinceton univ. F 17 cos 521: Advanced Algorithm Design Lecture 7: LP Duality Lecturer: Matt Weinberg
prnceton unv. F 17 cos 521: Advanced Algorthm Desgn Lecture 7: LP Dualty Lecturer: Matt Wenberg Scrbe: LP Dualty s an extremely useful tool for analyzng structural propertes of lnear programs. Whle there
More information