Strongly Unforgeable Proxy Re-Signature Schemes in the Standard model
Size: px
Start display at page:

Download "Strongly Unforgeable Proxy Re-Signature Schemes in the Standard model"

Transcription

1 Strongly Unforgeable Proxy Re-Sgnature Schemes n the Standard model No Author Gven No Insttute Gven Abstract. Proxy re-sgnatures are generally used for the delegaton of sgnng rghts of a user delegator to a semtrusted proxy and a delegatee. The proxy can convert the sgnature of one user on a message nto the sgnature of another user on the same message by usng the delegaton nformaton rekey provded by the delegator. Ths s a handy prmtve for network securty and automated delegatons n herarchcal organzatons. Though proxy resgnature schemes that are secure n the standard model are avalable, none of them have addressed the securty noton of strong exstental unforgeablty, where the adversary wll not be able to forge even on messages for whch sgnatures are already avalable. Ths s an mportant property for applcatons whch nvolve the delegaton of authentcaton on senstve data. In ths paper, we defne the securty model for strong unforgeablty of proxy re-sgnature schemes. We propose two concrete strong unforgeable proxy re-sgnature schemes, where we nduce the strong unforgeablty n the scheme by embeddng the transformaton technques carefully n the sgn and resgn algorthms. The securty of both the schemes s related to the hardness of solvng Computatonal Dffe-Hellman CDH problem. Introducton Proxy Re-Cryptography orgnally ntroduced by Blaze et. al. [4], has been an emergng feld of nterest n the research communty. Ths has manly been motvated by ts applcatons and challenges faced n the constructon of such schemes. Proxy Re-Sgnature and Proxy Re-Encrypton schemes are the essental prmtves n ths feld. Proxy Re-Encrypton allows a sem-trusted proxy to convert a cpher text meant for a recever nto a cpher text of another user so that the other user can decrypt t usng hs secret key. Many such schemes have been desgned and are beng used for varous applcatons lke dstrbuted storage, dstrbuted rghts management and cloud nfrastructure. Proxy Re-Sgnature scheme nvolves a sem-trusted proxy between two partes A and B, where the proxy has the capablty and nformaton Re-Sgnature Key to convert the sgnature on a message m by user A, nto the sgnature by user B on the same message m [A-Delegatee, B-Delegator]. Ths knd of sgnature comes handy n stuatons where n B the delegator s not avalable to sgn on a gven messagem. Then usng a sgnature of the delegatee A on the messagem, the sem-trusted proxy can generate a sgnature on behalf of B on the same messagem wth the help of a rekeyre-sgnature Key, wthout nvolvng delegator B n the sgnng process. The deal propertes of a proxy re-sgnature scheme are undrectonal, mult-use, publc proxy, transparency, key-optmal, non-nteractve and non-transtvty whch were standardzed by [2]. The descrptons for these propertes can be found n Appendx A. Proxy Re-Sgnatures are generally proved for an unforgeablty noton where an adversary wll not be able to forge a sgnature/re-sgnature on a new message rather than on a message that has already been sgned/resgned. But there mght be applcatons wth strcter securty, whch requre the system to protect the exstng message-sgnature pars from beng forged. The securty noton for such a requrement s called strong unforgeablty, whch we dscuss n detal later. Motvaton: Proxy re-sgnature schemes have varous applcatons as lsted by [2]. For example, they can be used n huge organzatons for employee are delegated to sgn on behalf of the organzaton. Applcatons nvolvng checkponts can make good use of mult-use proxy re-sgnatures. Ths prmtve can ad the delegaton of certfyng temporary publc keys, whch wll as a result n a reduced overhead n the PKI network. The property of strong unforgeablty can also be adapted by applcatons shown above for a more strngent securty. Consder senstve applcatons where the sgnatures play a crucal role, there can be passve adversares pollng the communcaton channel. Hence they can store every message and ts correspondng sgnature or re-sgnature. Then at a later tme, they can modfy these sgnatures due to ther weak unforgeablty property and present a new sgnature or re-sgnature for the same message at wll. Strong unforgeablty n proxy re-sgnatures s an nterestng property n practce. For nstance, consder access control mechansm whch nvolves delegaton of access rghts. Assume that the system wants to gve access to a user-a wth access polcy p, then the systems generates a sgnature S A on p and gves t to the user-a. In the case when user-a and the system are unavalable to mplement the polcy when requred, then there can be a mddle system proxy to converts the sgnature S A to S B and gves t to user-b to perform the requred acton. In the case of revocaton of access polces, nether user-a or user-b should be able to forge on the revoked sgnatures S A and S B and clam the access rghts for p.

2 We can adopt the same deology for ntellectual property protecton n servces lke the dgtal meda rental, where the owner of the copyrghtsgn would gve the content to the retalersresgned from whom the customers can rent the meda. The copyrght materals embedded wth the sgnature of the owner or the re-sgnature of the retaler must be unforgeable by an external adversary whch otherwse mght lead to pracy. Hence the strongly unforgeable proxy re-sgnature can come n handy for such a stuaton where the prated copes cannot possess a vald publcally verfable sgnature apart from ts orgnal copy. It can be used n conjuncton wth proxy re-encrpyton n the dgtal rghts management. Note: Further we would lke to emphasze that t s not trval to attan strong unforgeablty n proxy re-sgnatures as t s dfferent from that for the noton n sgnatures. The attacker must not be able to modfy the sgnatures/resgnatures to belong another entty whch can be publcly verfed. Related Work: Proxy Re-Sgnatures orgnally ntroduced by Blaze et. al. [4], s an nterestng class of sgnature schemes. It was later formalzed by Atenese et. al. [2] who also defned a sutable securty model for provng ts securty and supplementng t wth two concrete schemes one b-drectonal and the other un-drectonal both secure n the random oracle model. Shao et. al. [3] proposed the frst proxy re-sgnature scheme, whch was b-drectonal and secure n the standard model, wth a new perspectve on the securty Statc Corrupton smlar to that n proxy re-encrypton schemes. Chow et. al [6] showed an nsecurty n Shao s scheme and gave a new proxy re-sgnature scheme, whch was secure n the standard model but at the cost of transparency. Lbert et. al. [9] came up wth a mult-use, un-drectonal Open problem left n [2] and non-transparent proxy re-sgnature scheme that s secure n the standard model. Recently, Shao et. al. came up wth a novel approach [5] for the frst ID based mult-use proxy re-sgnatures. It s to be noted from Table that none of the exstng proxy re-sgnature schemes secure n the standard model satsfy the stronger noton of exstental unforgeablty [], where an adversary wll not be able to forge a prevously sgned or re-sgned message. In ths paper we address ths ssue by defnng a securty model for such a securty noton and propose two concrete schemes for the same. Table. Proxy Re-Sgnature Schemes n the Standard Model wth propertes comparson Propertes Shao et. al.[3] Lbert et. al.[9] Chow et. al.[6] Our Scheme Un-Drectonal No Yes Yes Yes Mult-Use Yes Yes No No Prvate Proxy Yes Yes Yes Yes Non-Interactve No No No No Non-Transtve No Yes Yes No Transparent Yes No No No Temporary No No Yes No Strongly Unforgeable No No No Yes Our Contrbuton: In ths paper, we frst defne a securty noton for strongly unforgeable proxy re-sgnature schemes based on the statc corrupton securty model defned by Shao et. al. [3]. Then, based on Waters scheme [8] we propose two strongly unforgeable proxy re-sgnature schemes secure n the standard model. After revewng the exstng transformaton technques for convertng exstentally unforgeable sgnatures to strongly unforgeable ones, we choose the transformaton technque proposed by [5] strong unforgeablty transformaton and generc transformaton by [7] whch uses chameleon hash functon. The schemes are constructed usng blnear maps and ther securty s based on the Computatonal Dffe-Hellman CDH assumpton. We also suggest some effcency mprovements for the schemes. Paper Organzaton: The paper s organzed as follows. In Secton 2 we gve the varous defntons whch are nvolved n constructng and provng the securty of the scheme. Secton 3 revews the avalable strong unforgeablty transformatons technques n the standard model. In Secton 4 and 5 we propose two concrete strongly unforgeable proxy re-sgnatures and also provde suggestons for effcency mprovement. Concluson s offered n Secton 6. The Appendces A and B presents the formal securty argument for both the schemes. 2 Defntons 2. Proxy Re-Sgnature The proxy re-sgnature s a collecton of probablstc polynomal tme algorthms KeyGen, ReKey, Sgn, Verfy, Re-Sgn: KeyGen, Sgn : These algorthms are taken from the underlyng sgnature scheme, and hence retan all ts functonalty and propertes. We are usng the same key construct pk-publc key, sk-secret key for the rest of the scheme.

3 ReKey : On nput of the secret keys sk A, sk B, the re-key generaton algorthm generates a re-key whch s to be stored n the proxy. The re-sgnature key may be calculated through an nteractve protocol, where the secret keys of A and B are used to compute the re-key. At the end of the protocol, the proxy wll obtan the re-key rk A B wthout ganng any nformaton regardng the correspondng secret keys of A and B. Ths re-key rk A B s used by the proxy to transform the sgnatures of user A to that of user B. ReSgn : Takes as nput rk A B, pk A, m, σ A and t frst verfes whether the gven sgnature s that of user A by performng V erfypk A, m, σ A. If the Verfy returns false, then the algorthm aborts and reports of an nvald sgnature. Otherwse, the transformaton of the sgnature takes place usng the re-key and the transformed sgnature σ B = ReSgnReKeysk A, sk B, pk A, m, σ A s returned. Verfy : The sgnature σ B on message m, when generated drectly by user B, wll be verfed by the Verfy algorthm of the underlyng sgnature scheme. However, f σ B s generated by the proxy, we may use a dfferent algorthm. Correctness : All the untransformed and transformed sgnatures wll satsfy the Verfy algorthm. Verfym, σ A, pk A = True Verfy2m, ReSgnReKeysk A, sk B, pk A, m, σ A, pk B = True Note: We are usng two verfcaton algorthms Verfy and Verfy2 n order to verfy the sgnature and re-sgnature respectvely. Dependng on the transparency property of the scheme, f the output of the sgn and re-sgn algorthm are computatonally ndstngushable, the Verfy and Verfy2 are one and the same. On the other hand, n the case of non-transparency where the sgnature and the re-sgnature are dstngushable, the Verfy and Verfy2 are dfferent algorthms. For mult-use, non-transparent schemes, the Verfy2 wll be varyng for each level of sgnature translaton. Hence Verfy algorthm vares dependng on the nature of the sgnature. Securty Model for Proxy Re-Sgnature Scheme We present a securty model for the proxy re-sgnature scheme, whch ensures the strong unforgeablty property. The securty of the scheme defned here s nspred by Shao et al. s securty model [3] for exstental unforgeablty under statc corrupton. The same has also been dscussed recently as an mproved securty model n un-drectonal proxy re-sgnatures [4]. The securty model s defned as the game between the forger F the adversary tryng to attack the system and the challenger C. The securty s based on the deology of statc corrupton where, a forger who s tryng to attack the sgnature scheme determnes the corrupted partes of the system pror to the start of game between F and C. It does not allow adaptve corrupton of users of the system n between the securty game. Hence our securty model wll deal wth corrupted and uncorrupted partes accordngly. The securty game s defned n the followng phases: Tranng Phase: The challenger smulates the followng oracles, whch the forger s allowed to query durng ths phase.. O UKeyGen Key Generaton for Uncorrupted user : Ths oracle generates the key par usng the KeyGen and returns the publc keys of uncorrupted users n the system. 2. O CKeyGen Key Generaton for Corrupted user : Ths oracle generates the key par usng KeyGen and returns the publc key and secret key of the correspondng corrupted user. 3. O ReKey Re-Sgnature Key Generaton : Ths oracle when gven the publc key of users A and B, generates a re-key rk A B only when both user A and B are ether corrupted or uncorrupted. When one of them s corrupted and the other one s not, s returned. 4. O Sgn Sgnature : Gven the nput publc key for user A whch was generated by the one of the KeyGen oracles and a message m, the sgnature σ Am for the correspondng publc key on the message s returned. The sgnature on the message s returned regardless of user A beng a corrupted or uncorrupted user. 5. O ReSgn Re-Sgnature : Gven the nput pk B, pk A, m, σ A, ths oracle wll return the correspondng transformed sgnature σ B regardless of A or B beng a corrupted or uncorrupted user. Notce that the rekey s not generated by C, when one of the users A or B s corrupted. Stll, ths oracle must be able to return the re-sgnature. Ths ensures that the forger gets all hs tranng by queryng the oracles polynomal number of queres wth respect to the securty parameter avalable to any user n the system. It s nherent that the forger controls the corrupted users. After the tranng phase, the strong unforgeablty s captured n the followng phase whch exposes the true potental of the forger. Forgery Phase : The forger after the tranng phase wll return the forgery m, pk, σ. The forgery s sad to be a vald one f the followng condtons are satsfed,. Verfy algorthm must satsfy for m, pk, σ where σ can ether be a transformed or untransformed sgnature. 2. pk used for forgery must be uncorrupted and whose keys are generated by the uncorrupted key generaton oracle. 3. σ s not the output durng the tranng phase wth m, pk as nput to the sgn oracle. 4. σ s not the output of the ReSgn oracle wth nput as pk, pk, m, σ durng the tranng phase, for any pk and σ. Note: When we consder the strong unforgeablty for proxy re-sgnatures, we must take nto account the fact that any re-sgnature must always be generated usng the re-sgnature key. The delegator must not be able to explot hs own sgnatures n order to convert them to a re-sgnature.

4 2.2 Blnear Parng Let G be an addtve cyclc group generated by P, wth prme order p, and G be a multplcatve cyclc group of the same order p. A blnear parng s a map ê : G G G wth the followng propertes. Blnearty. For all P, Q, R G, êp + Q, R = êp, RêQ, R êp, Q + R = êp, QêP, R êap, bq = êp, Q ab Non-Degeneracy. There exst P, Q G such that êp, Q I G, where I G s the dentty n G. Computablty. There exsts an effcent algorthm to compute êp, Q for all P, Q G. Note: We wll be usng the multplcatve notaton for our schemes, as t s easer to represent the standard model schemes [8] n ths form. But t s to be understood that, G s bascally an addtve prme order group for our schemes. 2.3 Computatonal Dffe-Hellman Assumpton Computatonal Dffe-Hellman Problem: Let G be a group of prme order p and g be the generator of G. The CDH problem can be defned as follows: An algorthm A s sad to have an advantage ɛ n solvng the CDH problem f P r[ag, g a, g b = g ab ] ɛ where the probablty s calculated over the random choces of a,b Z p, g G and the random bts used by algorthm A. 3 Strong Unforgeablty Transformaton In ths secton we gve an overvew of the strong unforgeablty property n sgnature schemes and provde our ntuton regardng how we select and use the strong unforgeablty transformaton technques for our constructons. Generally sgnature schemes are proven for unforgeablty under adaptve chosen message attack The forger can adaptvely choose a message for forgery. There are two knds of securty notons under ths namely, strong and weak unforgeablty. The most commonly used noton s the weak exstental unforgeablty, where the forgery s on a message that has never been quered for a sgnature, durng the tranng phase. Ths case s mplct for determnstc sgnature schemes where a message cannot have two dfferent sgnatures wth respect to a user. But, wth the advent probablstc sgnature schemes, the stuaton arses where a message can have one or more sgnatures wth respect to a sngle user. Hence a stronger noton of securty s requred, where the forgery on a message whch has already been sgned quered durng the tranng phase s also consdered a vald attack on the system. Let the forger have the followng message sgnature pars from the tranng phase: m, σ, m 2, σ 2,..., m q, σ q. where q s the number of queres n the tranng phase. Weak forgeablty: Here a forgery s on a message m where m {m, m 2,..., m q}. Strong forgeablty: Here, the forger may come up wth a forgery m, σ where m, σ {m, σ q}. Note that, n the tranng phase, some of the queres may have m as the message. Whle the technque n [6] can be appled for our construct, we stck to the basc transform used n [5], so that the effcency does not reduce consderably. The generc transformaton usng chameleon hash functons proposed by [7] can be appled to [8] for a strongly unforgeable sgnature. A concrete strongly unforgeable proxy re-sgnature scheme based on ths transformaton s gven n secton 4. Whle there are other transformaton technques [7,, 3], to obtan strong unforgeablty, we avod ther usage as they compromse on the effcency and the flexblty requred to obtan a proxy re-sgnature. Remark: It s to be noted that the technques dscussed above, cannot be appled drectly to exstng standard model proxy re-sgnature schemes as they may not satsfy the strongly unforgeablty noton n ts true sense. Hence t s requred to perform a customzed transformaton n order to obtan a strong unforeablty property. We llustrate a few nsecurtes n appendx C. 4 Scheme- In ths secton, we wll present our frst strongly unforgeable proxy re-sgnature scheme, whch can be proved secure n the standard model. We name the scheme P RS SUF, whch s bdrectonal, and sngle-use n nature. The constructon of the scheme uses blnear maps. The scheme uses the Boneh et. al. s transformaton technque and carefully addng extra randomness and certan parameters so that the proxy re-sgnature can reman strongly unforgeable from all aspects. The use of two key pars for every user s justfed by provng that the re-sgnature cannot be produced unless t s processed by the re-sgnature algorthm. The nput message to be sgned can be of any sze. Ths message wll then be modfed to a n-bt format before computng the sgnature or re-sgnature.

5 KeyGen k : On the nput of securty parameter k, ths algorthm performs the followng computatons to generate the keys of a user. Let G, G be groups of prme order p. Let ê be an admssble blnear map where ê : G G G. We consder a collson resstant hash functon whch s defned as H : {0, } {0, } n. Snce the scheme s n the standard model, the hash functons can be nstantated wth standard hash functons whch can be mplemented n the real world. Here the lengthn of the message dgest Output of the H depends on the securty parameter. Let g a generator for group G and random elements < g 2, h, u 0, u...u n, v 0, v..v n > G 2n+4. The systemtrusted party then fxes ths as a common reference strng for all users, wth whch they can generate ther respectve publc and secret key components. Consder a user A, who chooses a, a 2 R Z p and sets g = g a and g = g a 2 as hs publc keys. The secret key components computed for the user s sk =< sk, sk 2 >=< g a 2, g a 2 2 >. Sgnm, sk: On the nput of the message m to be sgned and secret key of the sgner, the sgnature algorthm performs the followng computatons Let r, s R Z p Compute σ 2 = g r G Set σ 3 = s Z p t = H m, σ 2 {0, } n Set m = H g t h s {0, } n. Defne m u = u 0 u m where m = m, m 2, m 3... m n denotes the n-bt representaton of m. r r Compute σ = sk. m u = g a 2. m u G Thus, the sgnature σ =< σ, σ 2, σ 3 > on the message m by the sgner A wth the secret key g a 2 s gven by r σ, σ 2, σ 3 = g a 2. m u, g r, s Remark: The transformaton [5] can be observed n m whch s used as the message component n the sgn algorthm. ReKeyg a 2, gb 2, gb 2 2 : In order to delegate the sgnng rght from ether A to B or B to A as our scheme s bdrectonal the proxy wll run an nteractve protocol wth A and B. The fnal re-sgnature key obtaned by the proxy wll be of the form rk A B = g b +b 2 a 2 G The Interactve protocol for usng the secret keys of the users n a secure manner to calculate the fnal re-sgnature key s defned as follows:. The proxy ntally chooses a random R Z p, compute g2 R and send t to user A. 2. Then A uses ts secret key parameter a, computes and sends g2 R.g a 2 = g R a 2 to user B. B s chosen by A, as he s the user to whom A wshes to convert hs sgnatures. 3. B uses hs secret parameters b and b 2, computes and sends g R a 2.g b +b 2 2 = g R+b +b 2 a 2 to the proxy. 4. The proxy now computes g R+b +b 2 a 2.g R 2 = g b +b 2 a 2 as the re-sgnature key. Remark: The rekey algorthm s performed durng the system setup through a secure channel or n prvate. We clam that the above nteractve protocol between the partes nvolved n delegatons s unavodable because t nvolves the use of ther secret nformaton. Snce t performs a secure computaton, a non-nteractve zero knowledge wll not serve the purpose n ths scenaro. Ths has been the approach used n all the proxy re-sgnatures wth prvate proxy defned untl now. ReSgnrk A B, pk A, m, σ: Proxy on recevng a sgnature σ = < σ, σ 2, σ 3 > on the message m by user A assocated wth publc key pk A, re-sgnature key rk A B as nput, performs the followng to generate a sgnature on m by user B. Frst check whether the V erfypk A, m, σ s satsfed, f not abort reportng an nvald sgnature. Otherwse perform the followng steps to generate the re-sgnature. Assgn ˆσ 2 = σ 2 = g r G Let r R Z p and compute g r and assgn ˆσ 3 = g r G Assgn ˆσ 4 = σ 3 = s Z p t 2 = H m, g r, g r {0, } n Set m 2 = H g t 2 h σ 3 {0, } n. The computaton of m 2 s n accordance wth the strong unforgeablty transformaton. Defne m 2 v = v 0 v m2 where m 2 = m 2, m2 2, m m 2 n denotes the n-bt representaton of m 2.

6 Compute ˆσ = σ.rk A B. m 2 v r G = g a 2. = g b +b 2 2. The Re-sgnature ˆσ =< ˆσ, ˆσ 2, ˆσ 3, ˆσ 4 > s gven by, ˆσ, ˆσ 2, ˆσ 3, ˆσ 4 = m u r.g b +b 2 a m u g b +b 2 2. r. 2. m 2 v r m 2 v m u r. m 2 v r r, g r, g r, s Remark: The transformaton [5] can be observed n m 2 whch s used as the message component n the resgn algorthm. Ths transformed message re-randomzes the exstng randomness obtaned from the sgnature algorthm. Verfym, σ, pk: For verfyng the sgnature σ = σ, σ 2, σ 3 on the message m by the user correspondng to publc key pk, any verfer can perform the followng valdty check. Intally compute, ˆt = H m, σ 2 {0, } n m = H g ˆ t h σ 3 {0, } n Verfy whether the followng equaton satsfes ê σ, g? = êm u, σ 2êg 2, g f the above test holds, output Vald otherwse output Invald. Correctness for verfcaton of sgnature Verfy: êσ, g? = êm u, σ 2êg 2, g Rght Hand Sde: By Blnearty property of the map e: = êm u, g r êg 2, g a = êm u r, gêg a 2, g = êg a 2 m u r, g = êσ, g. Verfy2m, ˆσ, pk: For verfyng the re-sgnature ˆσ = ˆσ, ˆσ 2, ˆσ 3, ˆσ 4 on the message m by the user correspondng to publc key pk, any verfer can perform the followng valdty check on the transformed sgnature as follows, Compute ˆt = H m, ˆσ 2 {0, } n m t = H g ˆ hˆσ 4 {0, } n ˆt 2 = H m, σ 2, σ 3 {0, } n m 2 = H g ˆ t 2 hˆσ 4 {0, } n m u = u 0 m 2 v = v 0 u m v m2 Verfy whether the followng equaton satsfes ê ˆσ, g? = êm u, ˆσ 2.êm 2 v, ˆσ 3.êg 2, g.êg 2, g f the above test holds, output Vald otherwse output Invald. Correctness for verfcaton of re-sgnature Verfy2: ê ˆσ, g? = êm u, ˆσ 2.êm 2 v, ˆσ 3.êg 2, g.êg 2, g

7 Rght Hand Sde: By Blnearty property of the map e: = êm u, g r êm 2 v, g r êg 2, g b êg 2, g b 2 = êm u r, gêm 2 v r, g.êg b +b 2 2, g = êg b +b 2 2 m u r m 2 v r, g = ê ˆσ, g. Proof of Securty: We prove the securty of the scheme P RS SUF usng the followng theorem. In ths theorem, we prove that breakng the scheme s as hard as solvng the CDH problem. Theorem. If there s an adversary, whch can break the strongly unforgeable scheme P RS SUF n polynomal tme, by havng q s and q rs queres to the sgn and resgn oracles and advantage ɛ wth n as the sze of the message, then the CDH problem can be broken wth advantage ɛ ɛ/44q sq s + q rsn + 2. The securty proof of the P RS SUF can be dvded nto two parts. The frst one s where we prove the securty of the underlyng sgnature scheme by smulatng a weaker form of the sgnature wth the sgn and resgn oracles. Thus we prove the scheme to be secure for any message that was not quered durng the tranng phase. 2. Once we have proved the exstental forgery for the sgnature and re-sgnature scheme, we may apply transformaton modfyng the message by bndng t wth a randomness, wthout affectng the nternal structure of the sgnature or re-sgnature and then derve the securty for strong unforgeablty. Snce ths transformaton [5] uses the assumpton of unversal one way hash functons, the resultng strongly unforgeable scheme s also secure. As mentoned n the model, the securty s proved as game between the challenger C and forger F. F s traned wth the workng of the system through the followng smulaton by C. We are smulatng the tranng phase for the weaker form of the re-sgnaturewthout transformaton where m or m 2 =m and prove for ts exstental unforgeablty pror to applyng the strong unforgeablty transformaton. C s gven the nput of the hard problem, g a, g b and s requred to fnd the soluton g ab from the forgery performed by the forger. Hence C embeds the hard problem nstances whle smulatng the system to the adversary, whch s descrbed n detal n Appendx A. 5 Scheme-2 Recently [7], proposed a new knd of strong unforgeablty transformaton whch makes use of chameleon hash functons Hash functons wth a publc-secret key par and where a vald collson can be found usng the prvate hash key. We can make use of ths transformaton as an alternatve to the one suggested by [5]. The computaton cost for ths transformaton s approxmately the same compared to the one proposed by [5] as they have smlar parameters and constructs. That s the probablty of the forger breakng the scheme, s almost at the same level of the challenger solvng the underlyng hard problemcdh Problem. We name ths alternate scheme P RS2 SUF Chameleon Hash Functon: Orgnally coned and ntroduced by Krawczyk, was extensvely used to mplement blnd sgnatures. It s assocated wth a publc hash key and prvate hash key. One can compute the hash value usng the publc hash key. It s possble to fnd vald hash collsons only usng the prvate hash key but cannot calculate the collson wth only the chameleon hash and ts publc hash key. Let H ch be a chameleon hash functon wth m, s as the nput where m s the message and s s the randomness. It s easy to fnd a new par ˆm, ŝ such that H ch m, s = H ch ˆm, ŝ wth the knowledge of the prvate hash key. The constructon for the chameleon hash functon used s not an dealzed one and hence t can use exstng standard dscrete log based constructons of chameleon hash functons [2]. Scheme Defntons: KeyGen k : Same as that n Scheme- where there are two pars of secret,publc key - g a 2, g = ga, g a 2 2, g = g a 2 where a, a 2 R Z p. Defne a standard hash functon H 2 : {0, } Z p. The Chameleon Hash used n ths scheme [2] s defned as follows: Usng the generator g G, set the element g 3 = g β where β Z p. The prvate hash key s β and publc hash key s g 3, g. The chameleon hash H ch m, s = g m 3 g s. Gven a new ˆm m, t s easy to fnd a hash collson usng the prvate hash key β by calculatng ŝ = m ˆmβ + s. It can observed that H ch ˆm, ŝ = g3 ˆm gŝ = g3 m g s = H ch m, s. g 3 s added to the common reference strng for all users and β can be stored secretly for every user and s manly used n the sgn and re-sgn algorthms. To note that the β used by each userncludng proxy s dfferent. Hence the common reference strng, < g, g 2, u 0, u...u n, v 0, v...v n, > G. Sgnm, sk: On the nput of the message to be sgned and secret key of the user sgnng the message m, the sgner to return the sgnature, performs the followng computatons: Consder the prmary secret of the sgner user A to be g a 2.

8 Pck a random γ, r Z p and compute g γ. Consder m = H g γ {0, } n as the message and perform the Waters Sgnature on t as follows: Defne m u = u 0 u m. where m = m, m 2, m 3... m n denotes the n-bt representaton of m. Compute σ = g a 2.m u r G. Compute σ 2 = g r G. Unforgeablty transformaton Compute m = H 2m, σ 2 Z p. Compute s = γ m β. Assgn σ 3 = s Z p The sgnature σ =< σ, σ 2, σ 3 > σ, σ 2, σ 3 = g a 2.m u r, g r, s ReKeyg a 2, gb +b 2 2 : In order to delegate the sgnng rght from ether A to B or B to A as our scheme s bdrectonal the proxy wll run an nteractve protocol wth A and B. The fnal re-sgnature key obtaned by the proxy wll be of the form rk A B = g b +b 2 a 2 G The Interactve protocol used to obtan the rk A B s the same as that defned n Secton 3. ReSgnpk B, pk A, m, σ: Proxy on recevng a sgnature σ =< σ, σ 2, σ 3 > on the message m by user A assocated wth publc key pk A, re-sgnature key rk A B as nput, performs the followng to generate a sgnature on m for user B. Frst check whether the V erfypk A, m, σ satsfes, f not abort reportng an nvald sgnature. Otherwse perform the followng steps to generate the re-sgnature. Assgn ˆσ 2 = σ 2 = g r G Let γ, r R Z p, compute and assgn ˆσ 3 = g r G Consder m 2 = H g γ {0, } n as the message and perform the Waters Sgnature on t as follows: Defne m v = v 0 v m 2. where m = m, m 2, m 3... m Unforgeablty transformaton Compute m = H 2m, ˆσ 3 Z p. Compute s 2 = γ m β. Assgn ˆσ 5 = s 2 Z p Assgn ˆσ 4 = σ 3 = s Z p Defne m 2 v = v 0 v m 2 Compute ˆσ = σ.rk A B.m 2 v r G The Re-sgnature ˆσ = ˆσ, ˆσ 2, ˆσ 3, ˆσ 4, ˆσ 5 = n denotes the n-bt representaton of m. = g a 2.m u r.g b +b 2 a 2.m 2 v r = g b +b 2 2 m u r m 2 v r g b +b 2 2 m u r m 2 v r, g r, g r, s, s 2 for one transformaton of the sgnature s returned. Verfym, σ, pk: For verfyng the sgnature σ =< σ, σ 2, σ 3 > on the message m by the user correspondng to publc key g a, any verfer can perform the followng valdty check. Compute t = H 2σ 2, m m = H g3g t σ 3 {0, } n m u = u 0 u m. Verfy whether the followng equaton satsfes êσ, g? = êm u, σ 2êg 2, g f the above test holds, output Vald otherwse output Invald. Verfy2m, ˆσ, pk: For verfyng the re-sgnature ˆσ =< σ, σ 2, σ 3, σ 4 > on the message m by the user correspondng to publc key pk, any verfer can perform the followng valdty check on the transformed sgnature as follows.

9 Compute t = H 2m, ˆσ 2 {0, } n m = H g 3gˆσ t 4 {0, } n t = H 2m, ˆσ 3 {0, } n m 2 = H g t gˆσ 5 3 {0, } n m u = u 0 m 2 v = v 0 u m v m2 Verfy whether the followng equaton satsfes êˆσ, g? =êm u, ˆσ 2.êm 2 v, ˆσ 3.êg 2, g êg 2, g f the above test holds, output Vald otherwse output Invald. The Correctness of the Verfy algorthm s smlar to that gven n PRS SUF. Proof of Securty: Theorem 2. If there s an adversary, whch can break the strongly unforgeable scheme P RS2 SUF n polynomal tme, by havng q s and q rs queres to the sgn and resgn oracles and advantage ɛ wth n as the sze of the message, then the CDH problem can be broken wth advantage ɛ ɛ/32q sq s + q rsn +. In ths theorem we gve an overvew of the proof of securty for the strongly unforgeable scheme defned above. The proof of ths theorem cannot use the proof of tght reducton that s defned n [7] due to the flaw ponted out n [8]. In [8] t has been proved that parttonng stratergy such as [8] has an nherent securty loss of order q, where q s a polynomal. So we devate from the proof of securty n [7] and modfy t smlar to the proof n scheme. Suppose there exsts a t,q s, q rs, ɛ adversary that can break our strongly unforeable proxy re-sgnature scheme, then there s a challenger who can solve the computatonal Dffe-Hellman problem,.e. when gven a random tuple g, g a, g b then ts output s g ab. The proof s descrbed n detal n Appendx B. 5. Effcency Improvements of Schemes Due to the use of a sgnature construct smlar to that of Waters [8], the number of publc parameters used n the scheme s qute hgh. Especally, the two n-vector group elements consume a enormous amount of memory whch s not healthy consderng the lmted storage capacty avalable. As Patterson [0] had ponted out, we can use the technques suggested by Naccache and Chatterjee-Sarkar who clamed that the number of parameters can be reduced by makng a small modfcaton n the manner we consder the n-vector group elements based on the n-bts of the hash functon output. Instead of consderng the message dgest hash functon output as a strng of bts, t s taken as concatenaton of t-bt ntegers. Hence number of group elements ˆn = n t. Consder the message m to consst of n bts. It s beng splt nto t-bt ntegers and computaton s modfed accordngly, ˆn u 0 u m nstead of u 0 u m Ths reducton n number of parameters also ncrease the effcency by reducng the computatons [0] performed durng sgnng and resgnng. But at the same tme, there s a reduce n the success probablty for the C to solve the underlyng hard problem by the order of the number of sgnng and resgnng queres durng the tranng phase durng the securty game. Accordng to [0] we can deduce that the probablty s reduced by a factor of approxmately 2 qs 2 qrs q sq rs. In order to compensate for the securty loss, Chatterjee-Sarkar proposed an dea where the sze of the group n whch the CDH problem s hard. Ths wll to an extent negate the effect of probablty reducton due to q s and q rs. 6 Concluson We have presented n ths paper, two strongly unforgeable proxy re-sgnature schemes, whch can be proved secure n the standard model. We have made use of strong unforgeablty transformaton technques to obtan the strongly unforgeable verson of the sgnature scheme n order to make the resultng proxy re-sgnature scheme also as strongly unforgeable. However, there has been a trade off between effcency and securty, as we have by strengthenng the securty, reduced the effcency due to the ntroducton of a large number of parameters. A few effcency mprovements have been suggested for the same. The future work for such strongly unforgeable, standard model b-drectonal/undrectonal proxy re-sgnature schemes can be to propose and prove such schemes secure under the noton of adaptve corrupton for whch the securty model has been formalzed [2] [6] and also to ncrease ts effcency by reducng the number of parameters.

10 References. Jee Hea An, Yevgeny Dods, and Tal Rabn. On the securty of jont sgnature and encrypton. In EUROCRYPT, pages 83 07, Guseppe Atenese and Susan Hohenberger. Proxy re-sgnatures: new defntons, algorthms, and applcatons. In ACM Conference on Computer and Communcatons Securty, pages 30 39, Mhr Bellare and Sarah Shoup. Two-ter sgnatures, strongly unforgeable sgnatures, and fat-shamr wthout random oracles. Cryptology eprnt Archve, Report 2007/273, Matt Blaze, Gerrt Bleumer, and Martn Strauss. Dvertble protocols and atomc proxy cryptography. In EUROCRYPT, pages 27 44, Dan Boneh, Emly Shen, and Brent Waters. Strongly unforgeable sgnatures based on computatonal dffehellman. In Publc Key Cryptography, pages , Sherman S. M. Chow and Raphael C.-W. Phan. Proxy re-sgnatures n the standard model. In ISC, pages , Fuchun Guo, Y Mu, and Wlly Suslo. How to prove securty of a sgnature wth a tghter securty reducton. In ProvSec, pages 90 03, Denns Hofhenz, Tbor Jager, and Edward Knapp. Waters sgnatures wth optmal securty reducton. In Publc Key Cryptography, pages 66 83, Benoît Lbert and Damen Vergnaud. Mult-use undrectonal proxy re-sgnatures. In ACM Conference on Computer and Communcatons Securty, pages 5 520, Kenneth G. Paterson and Jacob C. N. Schuldt. Effcent dentty-based sgnatures secure n the standard model. In ACISP, pages , Jn L Qong Huang, Duncan S. Wong and Y-Mng Zhao. Generc transformaton from weakly to strongly unforgeable sgnatures. In Journal of Computer Scence and Technology, volume 23, pages , Ad Shamr and Yael Tauman. Improved onlne/offlne sgnature schemes. In CRYPTO, pages , Jun Shao, Zhenfu Cao, Lcheng Wang, and Xaohu Lang. Proxy re-sgnature schemes wthout random oracles. In INDOCRYPT, pages , Jun Shao, Mn Feng, Bn Zhu, Zhenfu Cao, and Peng Lu. The securty model of undrectonal proxy re-sgnature wth prvate re-sgnature key. In ACISP, pages , Jun Shao, Guy We, Yun Lng, and Mande Xe. Undrectonal dentty-based proxy re-sgnature. In Communcatons ICC, 20 IEEE Internatonal Conference on, pages 5, june Ron Stenfeld, Josef Peprzyk, and Huaxong Wang. How to strengthen any weakly unforgeable sgnature nto a strongly unforgeable sgnature. In CT-RSA, pages , Isamu Teransh, Takuro Oyama, and Wakaha Ogata. General converson for obtanng strongly exstentally unforgeable sgnatures. In INDOCRYPT, pages 9 205, Brent Waters. Effcent dentty-based encrypton wthout random oracles. In EUROCRYPT, pages 4 27, A Proof of Securty for Scheme Theorem If there s an adversary, whch can break the strongly unforgeable scheme P RS SUF n polynomal tme, by havng q s and q rs queres to the sgn and resgn oracles and advantage ɛ wth n as the sze of the message, then the CDH problem can be broken wth advantage ɛ ɛ/44q sq s + q rsn + 2. The securty proof of the P RS SUF can be dvded nto two parts. The frst one s where we prove the securty of the underlyng sgnature scheme by smulatng a weaker form of the sgnature wth the sgn and resgn oracles. Thus we prove the scheme to be secure for any message that was not quered durng the tranng phase. We are smulatng the tranng phase for the weaker form of the re-sgnaturewthout transformaton where m or m 2 =m and prove for ts exstental unforgeablty pror to applyng the strong unforgeablty transformaton. C s gven the nput of the hard problem, g a, g b and s requred to fnd the soluton g ab from the forgery performed by the forger. Hence C embeds the hard problem nstances whle smulatng the system to the adversary, whch s descrbed as follows. Tranng Phase Setup: Consder publc key g = g a, g 2 = g b and therefore the soluton to the hard problem s fndng the secret key g a 2 = g ab. The second secret key component g a 2 2 does not nvolve n the hard problem solvng and hence s generated n a smlar fashon as n the KeyGen algorthm for each user. Let the number of bts of the message be n. Let l n = 2q s + q rs where q s, q rs are the number of queres to the sgn/resgn oracle, where l nn + < p and let k n be defned by 0 k n n. Let x 0, x,..., x n Z ln and smlarly y 0, y,..., y n Z p. Fm = x 0 + x l nk n; Jm = y 0 + U Uy

11 where U s set of all from to n, where m =. Let the parameters be u 0 = g x 0 l nk n 2.g y 0, u = g x 2.gy Therefore, the hash functon for Sgn Oracle: n m u = u 0 u m = g F m 2 g Jm l m = 2q rs where q rs are the number of queres to the resgn oracle, where l mn + < p and let k m be defned by 0 k m n. Let z 0, z,..., z n Z ln and smlarly w 0, w,..., w n Z p. Km = z 0 + U z l mk m; Lm = w 0 + U w where U s set of all from to n, where m =. Let the parameters be u 0 = g z 0 l mk m 2.g w 0, u = g z 2.gw Therefore, the hash functon for Resgn Oracle: n m v = v 0 v m = g Km 2 g Lm Hence, t s evdent from the above-mentoned steps that for any gven messagem C can calculate the respectve hash functon for the correspondng oracle. O UKeyGen: When F queres for the key generaton of user A, C does the followng. Selects an element x, ˆx R Z p. Here ˆx denotes the second secret key component. 2. Computes publc key pk A = g a g x, g ˆx = g a+x, g ˆx and sends pk A to F. Note that the prmary secret key sk A of user A, s a + x mplctly and C does not know prmary sk A whch s used for sgnng. O CKeyGen: When a query s made by F, C responds wth sk = x, ˆx and pk = g x, g ˆx of a corrupted user where x, ˆx R Z p. O ReKey: On nput wth two publc keys pk and pk j C does the followng, If both the users pk and pk j rekey between user & j are uncorrupted then C computes the rekey g xˆ j +x j x 2 where x j and x are prmary secret key components correspondng to pk and pk j. The oracle returns and aborts f ether one of the user correspondng to pk or pk j s a corrupted user. The rekey rk j s vald snce by defnton dfference of the prmary secret key component of the uncorrupted users x j x when substtuted wth ts values generated by O UKeyGen wll be of the form a + x j a + x whch s x j x. The second secret key component ˆx j wll not be an ssue, snce t s a known value to C. O Sgn: When F queres the sgn oracle for message m to be sgned by the prmary secret key of the uncorrupted user correspondng to publc key pk = g a+x. If Fm 0 Fm was defned usng the Setup, then return the followng sgnature σ = σ, σ 2 = Otherwse f Fm=0 mod p, C aborts. Jm/F m σ = g g F m 2 g Jm r.g x 2 = g a+x 2 g F m 2 g Jm a/f m g Jm g F m 2 r = g a+x 2 g F m 2 g Jm r a/f m = g x 2 gab g F m 2 g Jm r a/f m /F m σ 2 = g g r g x m 2 g Jm/F r g F m 2 g Jm g x /F m 2, g g r Correctness of Sgn oracle for uncorrupted sgnature: Ths cooked up sgnature wll satsfy the verfcaton algorthm as follows: n êσ, g =? êu 0 u m, σ 2êg 2, g where σ = g a+x 2 g F m 2 g Jm r a/f m Rght Hand Sde: = êu 0 n u m, σ 2.êg 2, g = êg F m 2 g Jm, g r a/f m.êg 2, g a+x = êg F m 2 g Jm r a/f m, g.êg a+x 2, g = êg a+x 2 g F m 2 g Jm r a/f m, g = êσ, g.

12 Note: The fact that should be remembered whle smulatng the re-sgn oracle s that for every uncorrupted user, the randomness n the sgnature s of the form ˆr=r-a/Fm and for every corrupted user t s ˆr=r where r R Z p O ReSgn: On nput the sgnature σ on message m of the user correspondng to publc key pk and the publc key pk j of the user to whom the sgnature s beng transformed to, there are 3 possbltes for the nput of ths re-sgn oracle. They are. Convertng sgnature of an uncorrupted user to the sgnature of another uncorrupted user 2. Convertng sgnature of a uncorrupted user to that of an corrupted user 3. Convertng sgnature of an corrupted user to that of a uncorrupted user C checks f Verfym, σ, pk s vald. If false C aborts, otherwse C does the followng: Consder r R Z p to be the new randomness parameter used by the ReSgn algorthm. Case : If pk and pk j are uncorrupted users, then C wll call the O ReKeypk, pk j to obtan rk j and run the ReSgn algorthm wth new randomness r Z p and returns the re-sgnature to forger F. Case 2: If pk corresponds to an uncorrupted user and pk j to a corrupted user C s requred to remove the hard problem nstance g ab whle convertng t to the corrupted user s sgnature. Hence the resultng ReSgn must contan a g ab mplctly n order to cancel out the effect and thereby makng t the sgnature of an corrupted userwhose prmary secret key s g x j 2. The nput to the ReSgn oracle for ths case s as follows: σ =< σ, σ 2 > Jm/F m σ = g g F m 2 g Jm r g x 2 gab g F m 2 g Jm r a/f m /F m σ 2 = g g r the orgnal randomness ˆr = r - a/fm. The resgnature for the corrupted user s calculated n the followng manner: Consder r Z p ˆσ = σ g x j +ˆx j 2 g Lm/Km g Km 2 g Lm r Jm/F m 2 g g Lm/Km g F m = g x j +ˆx j 2 g Jm r g Km 2 g Lm r = g x j +ˆx j 2 g ab g ab g F m 2 g Jm r a/f m g Km 2 g Lm r +a/km = g x j +ˆx j 2 g F m 2 g Jm r a/f m g Km 2 g Lm r +a/km Hence the new randomness ˆr = r + a/km. C outputs ˆσ = ˆσ, ˆσ 2, ˆσ 3 to the forger. ˆσ, ˆσ 2, ˆσ 3 = g x j +ˆx j 2 /F m ˆσ 2 = σ 2 = g g r r a/f m = g ˆσ 3 = g /Km g r = g r +a/km g F m 2 g Jm r a/f m g Km 2 g Lm r +a/km, g r a/f m, g r +a/km To be noted that the above computaton s possble only f Fm and Km 0 mod p. Otherwse, resgn oracle returns and the game aborts. Correctness of ReSgn oracle for case 2: We show the correctness of the smulated ˆσ as follows êˆσ, g? = êu 0 n ev 0 n v m2 u m, ˆσ 2., ˆσ 3.êg 2, g.êg 2, g Rght Hand Sde: = êu 0 n u m, ˆσ 2.êv 0 v m2, ˆσ 3.êg 2, g.êg 2, g = êg F m 2 g Jm, gˆr êg Km 2 g Lm, g rˆ êg 2, g x j +ˆx j = êg F m 2 g Jm ˆr, gêg Km 2 g Lm ˆ r, gêg x j +ˆx j 2, g

13 By Blnearty property of the map e: = êg x j +ˆx j 2 g F m 2 g Jm ˆr g Km 2 g Lm rˆ, g = êˆσ, g. Case 3: If pk corresponds to an corrupted user and pk j to an uncorrupted user, then the C s requred to nduce the hard problem nstance whle convertng t to the uncorrupted user s sgnature. Hence the resultng ReSgn must contan a g ab mplctly n order to nduce the effect of the hard problem and thereby makng t the sgnature of an uncorrupted userwhose prmary secret key s g x j +a 2. The nput to the ReSgn oracle for ths case s as follows: σ = g x 2.u0 u m r, g r = g x m 2 gf 2 g Jm, g r where the orgnal randomness ˆr=r. The resgnature for the uncorrupted user s calculated n the followng manner: Consder r Z p Hence the new randomness ˆr = r - a/km. C outputs ˆσ = ˆσ, ˆσ 2, ˆσ 3 ˆσ = σ g x 2 g Lm/Km g Km 2 g Lm r.g x j +ˆx j 2 = g x 2 g x 2 g Lm/Km g F m 2 g Jm r g Km 2 g Lm r.g x j +ˆx j 2 = g ab g F m 2 g Jm r g Km 2 g Lm r a/km = g x j +ˆx j 2 g ab g F m 2 g Jm r g Km 2 g Lm r a/km ˆσ 2 = σ 2 = g r ˆσ 3 = g /Km g r = g r a/km = g x j +ˆx j 2 g ab g F m 2 g Jm r g Km 2 g Lm r a/km, g r, g r a/km to the forger. To be noted that the above computaton can be performed only f Km 0 mod p. Otherwse, resgn oracle returns and the game aborts. Correctness of ReSgn oracle for case 3: We show the correctness of the smulated ˆσ as follows: Rght Hand Sde: êˆσ, g? =êu 0 n = êu 0 n u m u m, ˆσ 2êv 0, ˆσ 2êv 0 v m2 v m2, ˆσ 3êg 2, g êg 2, g, ˆσ 3êg 2, g êg 2, g = êg F m 2 g Jm, gˆr êg Km 2 g Lm, g rˆ êg 2, g a+x j êg 2, g ˆx j = êg F m 2 g Jm ˆr, gêg Km 2 g Lm rˆ, gêg a+x j +ˆx j 2, g = êg a+x j +ˆx j 2 g F m 2 g Jm ˆr g Km 2 g Lm rˆ, g = êˆσ, g. After the tranng phase, the forger F submts a Forgery : m, pk, σ for a message m correspondng to uncorrupted user s publc key pk. If F s able to come up wth a forgery for the uncorrupted user ether on the sgnature or re-sgnature, then the Challenger C usng the output of F, can fnd the soluton for the CDH hard problem. Snce the publc key pk corresponds to an uncorrupted user, the forgery wll always contan an nstance of the hard problem soluton n the sgnature. The exstental forgery on chosen message m s consdered a vald forgery f t satsfes the followng requrements:. None of the messages m among the q s sgn queres durng the tranng phase has F m 0 mod p. 2. It s requred that m s not among the Sgn and ReSgn queres n the tranng phase.

14 3. For a forgery of a re-sgnature, The condton F m 0 mod p and Km 0 mod p must satsfy n order for the C to compute the hard problem. Sgnature of uncorrupted user pk s of the followng form wth the constrant that F m 0 mod p σ, σ 2 = g x 2 gab g F m 2 g Jm r, g r Hence the soluton to the CDH problem wth respect to a new message m : σ = g x 2 gab g F m 2 g Jm r = g ab+bx +Jm r Therefore, gab+bx +Jm r = g ab g bx.g r Jm The forgery of the re-sgnature can be used to solve the CDH problem n a smlar manner. Snce the hard problem s nduced accordngly dependng on the nature of converson between the uncorrupted and corrupted users. The Re-Sgnature of uncorrupted user pk s of the followng form wth the constrant F m 0 mod p and Km 0 mod p, σ, σ 2, σ 3 = g x j +ˆx r j 2 g ab g F m 2 g Jm g Km 2 g r Lm, g r, g r Hence the soluton to the CDH problem wth respect to a new message m : σ = g x j +ˆx j 2 g ab g F m 2 g Jm r g Km 2 g Lm r = g ab+bx j +bˆx j +Jm r +Lm r Therefore, gab+bx j +bˆx j +Jm r +Lm r = g ab g bx j +bˆx j g r Jm g r Lm Hence the probablty s calculated n accordance to the game not abortng n any query of the tranng phase and obeys the condtons stated n the forgery phase. In the tranng phase, there are few nstances n the smulaton of the underlyng sgnature when the game aborts. And the forgery s only calculated f the stated condtons are met. Hence, the event of abort: Fm 0 mod p Fm 0 mod p Km 0 mod p Fm 0 mod p Km 0 mod p Hence the probablty, Pr[ abort] Pr[F m 0modp q s+q rs Km 0modp] + Pr[F m = 0 q rs F m = 0] + Pr[Km = 0 Km = 0] Calculatng the probablty of the forger wnnng the game, n a smlar fashon to that of [0] we obtan, ɛ ɛ/6q sq s + q rsn + 2 where q s and q rs s the total number of queres to the Sgn and ReSgn oracle. n s the number of bts of the message. In the noton of strong unforgeablty, the forgery can be made on any message ncludng those whch have already been sgned. We frst smulated the weaker form of the underlyng sgnaturewthout the transformaton whch was proven exstentally unforgeable,.e. only a forgery on a message whch has not been sgned before s consdered vald. Then the exstental forgery of the sgnature s used to solve the CDH problem wth a non-neglgble probablty. As stated earler, the exstental unforgeablty result of the underlyng sgnature scheme s transformed to a strongly unforgeable one usng the stated transformaton technque. Now after applyng the transformaton [5] to both the sgnature and re-sgnature algorthms, where the message bnds wth the randomness and becomes a modfed message nput to the underlyng exstentally unforgeable re-sgnature scheme. As a result the re-sgnature becomes strongly unforgeable one and the securty for the strong unforgeablty s based on the securty of the underlyng exstentally unforgeable sgnature scheme. Proof can be referred from Theorem of [5]. The way, the transformaton s setup over the underlyng proxy re-sgnature aganst the followng specal knds of adversares,. When the forgery s of the form where m = m and t = t for, 2...q s or m 2 = m 2 and t 2 = t 2 for, 2...q rs

15 2. When the forgery s of the form where m = m and t t for, 2...q s or m 2 = m 2 and t 2 t 2 for, 2...q rs 3. When m m for, 2...q s or m 2 m 2 for, 2...q rs. It s observable that the strong unforgeablty of the proxy re-sgnature follows the smlar smulaton by the C as descrbed n [5]. It can hence be proved n a smlar fashon an extenson of that n [5] that f the type 3 forger succeeds n hs attempt t wll break the underlyng exstentally unforgeable proxy re-sgnature whch has been proved above. The type forger s used to break the collson resstance of the hash functon whch s used to bnd the message and randomness and the type 2 forger can be used to solve the dscrete log problem n G. To note that the randomness of the orgnal sgnature s bound wth the message n the resgn algorthm. Ths wll retan the ntegrty of the re-sgnature and prevent t from beng splt up as ndependent components. Ths plays an mportant role to prevent the forgery on re-sgnatures. After the applcaton of the strong unforgeablty transformaton [5] to the sgnature and re-sgnature algorthms n P RS SUF to get a strongly unforgeable one, the advantage of breakng the underlyng exstentally unforgeable re-sgnature scheme reduces to /3 rd snce t s one of the three types of forgers accordng to Theorem n [5]. Snce we are applyng to both the sgn and re-sgn algorthms, the advantage reduces to /9 th. Hence the probablty of solvng the Computatonal Dffe-Hellman problem after applyng the transformaton s ɛ ɛ/44q sq s + q rsn + 2 B Proof of Securty of Scheme 2 Theorem 2 If there s an adversary, whch can break the strongly unforgeable scheme P RS2 SUF n polynomal tme, by havng q s and q rs queres to the sgn and resgn oracles and advantage ɛ wth n as the sze of the message, then the CDH problem can be broken wth advantage ɛ ɛ/32q sq s + q rsn + 2. In ths theorem we gve an overvew of the proof of securty for the strongly unforgeable scheme defned above. The proof of ths theorem cannot use the proof of tght reducton that s defned n [7] due to the flaw ponted out n [8]. In [8] t has been proved that parttonng stratergy such as [8] has an nherent securty loss of order q, where q s a polynomal. So we devate from the proof of securty n [7] and modfy t smlar to the proof n scheme. We prove the securty of ths scheme n a sngle game wth two types of adversares. Type : The ablty to forge on messages whch were not quered durng the tranng phase. Type 2: ablty to forge on any message rrespectve of beng quered or not. We wll llustrate ther formal defntons durng the proof. Informally, we are gong to prove that, suppose there exsts a t,q s, q rs, ɛ adversary that can break our strongly unforeable proxy re-sgnature scheme, then there s a challenger who can solve the computatonal Dffe-Hellman problem,.e. when gven a random tuple g, g a, g b then ts output s g ab. The ntal tranng phase of the adversary s as follows: Note: Ths scheme s proved secure aganst statc corrupton, where the corrupted enttes are set pror to the begnnng of the game. The setup algorthm s smlar to that n Theorem. The hard problem s nserted n the g a 2 secret component of the uncorrupted user. There are some extra parameters whch are to be ntroduced for the chameleon hash functon, namely, g 3 = g β, where β Z p. Tranng Phase The KeyGen and Rekey oracles for corrupted and uncorrupted users are taken n the same fashon as mentoned n Theorem-. We assume â as the secondary secret component for both corrupted and uncorrupted users wthout loss of generalty. Setup of Waters hash for the Sgn Oracle: Let the number of bts of the message be n. Let l n = 2q s + q rs where q s, q rs are the number of queres to the sgn/resgn oracle, where l nn + < p and let k n be defned by 0 k n n. Let x 0, x,..., x n Z ln and smlarly y 0, y,..., y n Z p. For setup for every th query s, F M = x 0 + x l nk n; JM = y 0 + U Uy where U s set of all from to n, where M =. Let the parameters be u 0 = g x 0 l nk n 2.g y 0, u = g x 2.gy Therefore, the hash functon for Sgn Oracle: M u = u 0 M u = g F M 2 g JM O UncorruptedSgn m, pk A : C chooses a d Z p and computes a M = H m d whch wll be used as the M as defned n the setup above. Then a random r Z p, for a gven m and computes the sgnature σ, σ 2, σ 3 as follows:

Similar documents

Provable Security Signatures

Provable Security Signatures Provable Securty Sgnatures UCL - Louvan-la-Neuve Wednesday, July 10th, 2002 LIENS-CNRS Ecole normale supéreure Summary Introducton Sgnature FD PSS Forkng Lemma Generc Model Concluson Provable Securty -

More information

Cryptanalysis of pairing-free certificateless authenticated key agreement protocol

Cryptanalysis of pairing-free certificateless authenticated key agreement protocol Cryptanalyss of parng-free certfcateless authentcated key agreement protocol Zhan Zhu Chna Shp Development Desgn Center CSDDC Wuhan Chna Emal: zhuzhan0@gmal.com bstract: Recently He et al. [D. He J. Chen

More information

G /G Advanced Cryptography 12/9/2009. Lecture 14

G /G Advanced Cryptography 12/9/2009. Lecture 14 G22.3220-001/G63.2180 Advanced Cryptography 12/9/2009 Lecturer: Yevgeny Dods Lecture 14 Scrbe: Arsteds Tentes In ths lecture we covered the Ideal/Real paradgm and the noton of UC securty. Moreover, we

More information

Comments on a secure dynamic ID-based remote user authentication scheme for multiserver environment using smart cards

Comments on a secure dynamic ID-based remote user authentication scheme for multiserver environment using smart cards Comments on a secure dynamc ID-based remote user authentcaton scheme for multserver envronment usng smart cards Debao He chool of Mathematcs tatstcs Wuhan nversty Wuhan People s Republc of Chna Emal: hedebao@63com

More information

Cryptanalysis of Threshold Proxy Signature Schemes 1)

Cryptanalysis of Threshold Proxy Signature Schemes 1) MM Research Preprnts, 226 233 MMRC, AMSS, Academa Snca No. 23, December 24 Cryptanalyss of Threshold Proxy Sgnature Schemes 1) Zuo-Wen Tan and Zhuo-Jun Lu Key Laboratory of Mathematcs Mechanzaton Insttute

More information

College of Computer & Information Science Fall 2009 Northeastern University 20 October 2009

College of Computer & Information Science Fall 2009 Northeastern University 20 October 2009 College of Computer & Informaton Scence Fall 2009 Northeastern Unversty 20 October 2009 CS7880: Algorthmc Power Tools Scrbe: Jan Wen and Laura Poplawsk Lecture Outlne: Prmal-dual schema Network Desgn:

More information

Message modification, neutral bits and boomerangs

Message modification, neutral bits and boomerangs Message modfcaton, neutral bts and boomerangs From whch round should we start countng n SHA? Antone Joux DGA and Unversty of Versalles St-Quentn-en-Yvelnes France Jont work wth Thomas Peyrn 1 Dfferental

More information

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00 CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00 No extra materal s allowed durng the exam except for pens and a smple calculator (not smartphones).

More information

A Model of Bilinear-Pairings Based Designated-Verifier Proxy Signatue Scheme*

A Model of Bilinear-Pairings Based Designated-Verifier Proxy Signatue Scheme* A Model of Blnear-Parngs Based Desgnated-Verfer Proxy Sgnatue Scheme Fengyng L,, Qngshu Xue, Jpng Zhang, Zhenfu Cao Department of Educaton Informaton Technology, East Chna Normal Unversty, 0006, Shangha,

More information

CHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE

CHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE CHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE Analytcal soluton s usually not possble when exctaton vares arbtrarly wth tme or f the system s nonlnear. Such problems can be solved by numercal tmesteppng

More information

Hash functions : MAC / HMAC

Hash functions : MAC / HMAC Hash functons : MAC / HMAC Outlne Message Authentcaton Codes Keyed hash famly Uncondtonally Secure MACs Ref: D Stnson: Cryprography Theory and Practce (3 rd ed), Chap 4. Unversal hash famly Notatons: X

More information

Calculation of time complexity (3%)

Calculation of time complexity (3%) Problem 1. (30%) Calculaton of tme complexty (3%) Gven n ctes, usng exhaust search to see every result takes O(n!). Calculaton of tme needed to solve the problem (2%) 40 ctes:40! dfferent tours 40 add

More information

Speeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem

Speeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem H.K. Pathak et. al. / (IJCSE) Internatonal Journal on Computer Scence and Engneerng Speedng up Computaton of Scalar Multplcaton n Ellptc Curve Cryptosystem H. K. Pathak Manju Sangh S.o.S n Computer scence

More information

Confined Guessing: New Signatures From Standard Assumptions

Confined Guessing: New Signatures From Standard Assumptions Confned Guessng: New Sgnatures From Standard Assumptons Floran Böhl 1, Denns Hofhenz 1, Tbor Jager 2, Jessca Koch 1, and Chrstoph Strecks 1 1 Karlsruhe Insttute of Technology, Germany, {floran.boehl,denns.hofhenz,jessca.koch,chrstoph.strecks}@kt.edu

More information

Kernel Methods and SVMs Extension

Kernel Methods and SVMs Extension Kernel Methods and SVMs Extenson The purpose of ths document s to revew materal covered n Machne Learnng 1 Supervsed Learnng regardng support vector machnes (SVMs). Ths document also provdes a general

More information

Lecture 4: Universal Hash Functions/Streaming Cont d

Lecture 4: Universal Hash Functions/Streaming Cont d CSE 5: Desgn and Analyss of Algorthms I Sprng 06 Lecture 4: Unversal Hash Functons/Streamng Cont d Lecturer: Shayan Oves Gharan Aprl 6th Scrbe: Jacob Schreber Dsclamer: These notes have not been subjected

More information

A Threshold Digital Signature Issuing Scheme without Secret Communication

A Threshold Digital Signature Issuing Scheme without Secret Communication A Threshold Dgtal Sgnature Issung Scheme wthout Secret Communcaton Kazuo Takarag, Kunhko Myazak, Masash Takahash Systems Development Laboratory, Htach, Ltd e-mal: {takara, kunhko, takahas}@sdlhtachcop

More information

Augmented Broadcaster Identity-based Broadcast Encryption

Augmented Broadcaster Identity-based Broadcast Encryption Augmented Broadcaster Identty-based Broadcast Encrypton Janhong Zhang Yuwe Xu Zhpeng Chen Insttuton of Image Processng and Pattern Recognton North Chna Unversty of Technology Bejng Chna 100144 ywxupaper@163com

More information

Comment on An arbitrated quantum signature scheme. with fast signing and verifying

Comment on An arbitrated quantum signature scheme. with fast signing and verifying Comment on n arbtrated quantum sgnature scheme wth fast sgnng and verfyng Y-Png Luo and Tzonelh Hwang * Department of Computer cence and Informaton Engneerng, Natonal Cheng ung Unversty, No, Unversty Rd,

More information

Finding Malleability in NTRUSign

Finding Malleability in NTRUSign Fndng Malleablty n TRUSgn SungJun Mn, Go Yamamoto, and Kwangjo Km Auto-ID Labs Whte Paper WP-HARDWARE-33 Sungjun Mn Senor Researcher, atonal Computerzaton Agency Go Yamamoto Senor Researcher, Informaton

More information

Foundations of Arithmetic

Foundations of Arithmetic Foundatons of Arthmetc Notaton We shall denote the sum and product of numbers n the usual notaton as a 2 + a 2 + a 3 + + a = a, a 1 a 2 a 3 a = a The notaton a b means a dvdes b,.e. ac = b where c s an

More information

Anonymous Identity-Based Broadcast Encryption with Revocation for File Sharing

Anonymous Identity-Based Broadcast Encryption with Revocation for File Sharing Anonymous Identty-Based Broadcast Encrypton wth Revocaton for Fle Sharng Janchang La, Y Mu, Fuchun Guo, Wlly Suslo, and Rongmao Chen Centre for Computer and Informaton Securty Research, School of Computng

More information

3.1 Expectation of Functions of Several Random Variables. )' be a k-dimensional discrete or continuous random vector, with joint PMF p (, E X E X1 E X

3.1 Expectation of Functions of Several Random Variables. )' be a k-dimensional discrete or continuous random vector, with joint PMF p (, E X E X1 E X Statstcs 1: Probablty Theory II 37 3 EPECTATION OF SEVERAL RANDOM VARIABLES As n Probablty Theory I, the nterest n most stuatons les not on the actual dstrbuton of a random vector, but rather on a number

More information

Difference Equations

Difference Equations Dfference Equatons c Jan Vrbk 1 Bascs Suppose a sequence of numbers, say a 0,a 1,a,a 3,... s defned by a certan general relatonshp between, say, three consecutve values of the sequence, e.g. a + +3a +1

More information

CHAPTER III Neural Networks as Associative Memory

CHAPTER III Neural Networks as Associative Memory CHAPTER III Neural Networs as Assocatve Memory Introducton One of the prmary functons of the bran s assocatve memory. We assocate the faces wth names, letters wth sounds, or we can recognze the people

More information

Finding Primitive Roots Pseudo-Deterministically

Finding Primitive Roots Pseudo-Deterministically Electronc Colloquum on Computatonal Complexty, Report No 207 (205) Fndng Prmtve Roots Pseudo-Determnstcally Ofer Grossman December 22, 205 Abstract Pseudo-determnstc algorthms are randomzed search algorthms

More information

The Order Relation and Trace Inequalities for. Hermitian Operators

The Order Relation and Trace Inequalities for. Hermitian Operators Internatonal Mathematcal Forum, Vol 3, 08, no, 507-57 HIKARI Ltd, wwwm-hkarcom https://doorg/0988/mf088055 The Order Relaton and Trace Inequaltes for Hermtan Operators Y Huang School of Informaton Scence

More information

6.842 Randomness and Computation February 18, Lecture 4

6.842 Randomness and Computation February 18, Lecture 4 6.842 Randomness and Computaton February 18, 2014 Lecture 4 Lecturer: Rontt Rubnfeld Scrbe: Amartya Shankha Bswas Topcs 2-Pont Samplng Interactve Proofs Publc cons vs Prvate cons 1 Two Pont Samplng 1.1

More information

COS 511: Theoretical Machine Learning. Lecturer: Rob Schapire Lecture # 15 Scribe: Jieming Mao April 1, 2013

COS 511: Theoretical Machine Learning. Lecturer: Rob Schapire Lecture # 15 Scribe: Jieming Mao April 1, 2013 COS 511: heoretcal Machne Learnng Lecturer: Rob Schapre Lecture # 15 Scrbe: Jemng Mao Aprl 1, 013 1 Bref revew 1.1 Learnng wth expert advce Last tme, we started to talk about learnng wth expert advce.

More information

Problem Set 9 Solutions

Problem Set 9 Solutions Desgn and Analyss of Algorthms May 4, 2015 Massachusetts Insttute of Technology 6.046J/18.410J Profs. Erk Demane, Srn Devadas, and Nancy Lynch Problem Set 9 Solutons Problem Set 9 Solutons Ths problem

More information

The Minimum Universal Cost Flow in an Infeasible Flow Network

The Minimum Universal Cost Flow in an Infeasible Flow Network Journal of Scences, Islamc Republc of Iran 17(2): 175-180 (2006) Unversty of Tehran, ISSN 1016-1104 http://jscencesutacr The Mnmum Unversal Cost Flow n an Infeasble Flow Network H Saleh Fathabad * M Bagheran

More information

Notes on Frequency Estimation in Data Streams

Notes on Frequency Estimation in Data Streams Notes on Frequency Estmaton n Data Streams In (one of) the data streamng model(s), the data s a sequence of arrvals a 1, a 2,..., a m of the form a j = (, v) where s the dentty of the tem and belongs to

More information

Secure and practical identity-based encryption

Secure and practical identity-based encryption Secure and practcal dentty-based encrypton D. Naccache Abstract: A varant of Waters dentty-based encrypton scheme wth a much smaller system parameters sze (only a few klobytes) s presented. It s shown

More information

Aggregate Message Authentication Codes

Aggregate Message Authentication Codes Aggregate Message Authentcaton Codes Jonathan Katz Dept. of Computer Scence Unversty of Maryland, USA. jkatz@cs.umd.edu Yehuda Lndell Dept. of Computer Scence Bar-Ilan Unversty, Israel. lndell@cs.bu.ac.l.

More information

THE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens

THE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens THE CHINESE REMAINDER THEOREM KEITH CONRAD We should thank the Chnese for ther wonderful remander theorem. Glenn Stevens 1. Introducton The Chnese remander theorem says we can unquely solve any par of

More information

Min Cut, Fast Cut, Polynomial Identities

Min Cut, Fast Cut, Polynomial Identities Randomzed Algorthms, Summer 016 Mn Cut, Fast Cut, Polynomal Identtes Instructor: Thomas Kesselhem and Kurt Mehlhorn 1 Mn Cuts n Graphs Lecture (5 pages) Throughout ths secton, G = (V, E) s a mult-graph.

More information

Parametric fractional imputation for missing data analysis. Jae Kwang Kim Survey Working Group Seminar March 29, 2010

Parametric fractional imputation for missing data analysis. Jae Kwang Kim Survey Working Group Seminar March 29, 2010 Parametrc fractonal mputaton for mssng data analyss Jae Kwang Km Survey Workng Group Semnar March 29, 2010 1 Outlne Introducton Proposed method Fractonal mputaton Approxmaton Varance estmaton Multple mputaton

More information

Maximizing the number of nonnegative subsets

Maximizing the number of nonnegative subsets Maxmzng the number of nonnegatve subsets Noga Alon Hao Huang December 1, 213 Abstract Gven a set of n real numbers, f the sum of elements of every subset of sze larger than k s negatve, what s the maxmum

More information

12. The Hamilton-Jacobi Equation Michael Fowler

12. The Hamilton-Jacobi Equation Michael Fowler 1. The Hamlton-Jacob Equaton Mchael Fowler Back to Confguraton Space We ve establshed that the acton, regarded as a functon of ts coordnate endponts and tme, satsfes ( ) ( ) S q, t / t+ H qpt,, = 0, and

More information

Assortment Optimization under MNL

Assortment Optimization under MNL Assortment Optmzaton under MNL Haotan Song Aprl 30, 2017 1 Introducton The assortment optmzaton problem ams to fnd the revenue-maxmzng assortment of products to offer when the prces of products are fxed.

More information

1 The Mistake Bound Model

1 The Mistake Bound Model 5-850: Advanced Algorthms CMU, Sprng 07 Lecture #: Onlne Learnng and Multplcatve Weghts February 7, 07 Lecturer: Anupam Gupta Scrbe: Bryan Lee,Albert Gu, Eugene Cho he Mstake Bound Model Suppose there

More information

Lecture 12: Discrete Laplacian

Lecture 12: Discrete Laplacian Lecture 12: Dscrete Laplacan Scrbe: Tanye Lu Our goal s to come up wth a dscrete verson of Laplacan operator for trangulated surfaces, so that we can use t n practce to solve related problems We are mostly

More information

Resource Allocation with a Budget Constraint for Computing Independent Tasks in the Cloud

Resource Allocation with a Budget Constraint for Computing Independent Tasks in the Cloud Resource Allocaton wth a Budget Constrant for Computng Independent Tasks n the Cloud Wemng Sh and Bo Hong School of Electrcal and Computer Engneerng Georga Insttute of Technology, USA 2nd IEEE Internatonal

More information

COS 521: Advanced Algorithms Game Theory and Linear Programming

COS 521: Advanced Algorithms Game Theory and Linear Programming COS 521: Advanced Algorthms Game Theory and Lnear Programmng Moses Charkar February 27, 2013 In these notes, we ntroduce some basc concepts n game theory and lnear programmng (LP). We show a connecton

More information

Anonymous identity-based broadcast encryption with revocation for file sharing

Anonymous identity-based broadcast encryption with revocation for file sharing Unversty of Wollongong Research Onlne Faculty of Engneerng and Informaton Scences - Papers: Part A Faculty of Engneerng and Informaton Scences 2016 Anonymous dentty-based broadcast encrypton wth revocaton

More information

A Robust Method for Calculating the Correlation Coefficient

A Robust Method for Calculating the Correlation Coefficient A Robust Method for Calculatng the Correlaton Coeffcent E.B. Nven and C. V. Deutsch Relatonshps between prmary and secondary data are frequently quantfed usng the correlaton coeffcent; however, the tradtonal

More information

Module 3 LOSSY IMAGE COMPRESSION SYSTEMS. Version 2 ECE IIT, Kharagpur

Module 3 LOSSY IMAGE COMPRESSION SYSTEMS. Version 2 ECE IIT, Kharagpur Module 3 LOSSY IMAGE COMPRESSION SYSTEMS Verson ECE IIT, Kharagpur Lesson 6 Theory of Quantzaton Verson ECE IIT, Kharagpur Instructonal Objectves At the end of ths lesson, the students should be able to:

More information

Structure and Drive Paul A. Jensen Copyright July 20, 2003

Structure and Drive Paul A. Jensen Copyright July 20, 2003 Structure and Drve Paul A. Jensen Copyrght July 20, 2003 A system s made up of several operatons wth flow passng between them. The structure of the system descrbes the flow paths from nputs to outputs.

More information

On a CCA2-secure variant of McEliece in the standard model

On a CCA2-secure variant of McEliece in the standard model On a CCA2-secure varant of McElece n the standard model Edoardo Perschett Department of Mathematcs, Unversty of Auckland, New Zealand. e.perschett@math.auckland.ac.nz Abstract. We consder publc-key encrypton

More information

ECE559VV Project Report

ECE559VV Project Report ECE559VV Project Report (Supplementary Notes Loc Xuan Bu I. MAX SUM-RATE SCHEDULING: THE UPLINK CASE We have seen (n the presentaton that, for downlnk (broadcast channels, the strategy maxmzng the sum-rate

More information

Proxy Re-Signature Schemes without Random Oracles

Proxy Re-Signature Schemes without Random Oracles An extended abstract of this paper appears in Indocrypt 2007, K. Srinathan, C. Pandu Rangan, M. Yung (Eds.), volume 4859 of LNCS, pp. 97-209, Sringer-Verlag, 2007. Proxy Re-Signature Schemes without Random

More information

Errors for Linear Systems

Errors for Linear Systems Errors for Lnear Systems When we solve a lnear system Ax b we often do not know A and b exactly, but have only approxmatons  and ˆb avalable. Then the best thng we can do s to solve ˆx ˆb exactly whch

More information

Born and raised distributively: Fully distributed non-interactive adaptively-secure threshold signatures with short shares

Born and raised distributively: Fully distributed non-interactive adaptively-secure threshold signatures with short shares Publshed n Theoretcal Computer Scence, 645: 24, 206 Born and rased dstrbutvely: Fully dstrbuted non-nteractve adaptvely-secure threshold sgnatures wth short shares Benoît Lbert Ecole Normale Supéreure

More information

Temperature. Chapter Heat Engine

Temperature. Chapter Heat Engine Chapter 3 Temperature In prevous chapters of these notes we ntroduced the Prncple of Maxmum ntropy as a technque for estmatng probablty dstrbutons consstent wth constrants. In Chapter 9 we dscussed the

More information

Lecture 4: November 17, Part 1 Single Buffer Management

Lecture 4: November 17, Part 1 Single Buffer Management Lecturer: Ad Rosén Algorthms for the anagement of Networs Fall 2003-2004 Lecture 4: November 7, 2003 Scrbe: Guy Grebla Part Sngle Buffer anagement In the prevous lecture we taled about the Combned Input

More information

Efficient Ring Signatures Without Random Oracles

Efficient Ring Signatures Without Random Oracles Effcent Rng Sgnatures Wthout Random Oracles Hovav Shacham hovav.shacham@wezmann.ac.l Brent Waters bwaters@csl.sr.com Abstract We descrbe the frst effcent rng sgnature scheme secure, wthout random oracles,

More information

Note on EM-training of IBM-model 1

Note on EM-training of IBM-model 1 Note on EM-tranng of IBM-model INF58 Language Technologcal Applcatons, Fall The sldes on ths subject (nf58 6.pdf) ncludng the example seem nsuffcent to gve a good grasp of what s gong on. Hence here are

More information

COMPARISON OF SOME RELIABILITY CHARACTERISTICS BETWEEN REDUNDANT SYSTEMS REQUIRING SUPPORTING UNITS FOR THEIR OPERATIONS

COMPARISON OF SOME RELIABILITY CHARACTERISTICS BETWEEN REDUNDANT SYSTEMS REQUIRING SUPPORTING UNITS FOR THEIR OPERATIONS Avalable onlne at http://sck.org J. Math. Comput. Sc. 3 (3), No., 6-3 ISSN: 97-537 COMPARISON OF SOME RELIABILITY CHARACTERISTICS BETWEEN REDUNDANT SYSTEMS REQUIRING SUPPORTING UNITS FOR THEIR OPERATIONS

More information

Numerical Heat and Mass Transfer

Numerical Heat and Mass Transfer Master degree n Mechancal Engneerng Numercal Heat and Mass Transfer 06-Fnte-Dfference Method (One-dmensonal, steady state heat conducton) Fausto Arpno f.arpno@uncas.t Introducton Why we use models and

More information

2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification

2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification E395 - Pattern Recognton Solutons to Introducton to Pattern Recognton, Chapter : Bayesan pattern classfcaton Preface Ths document s a soluton manual for selected exercses from Introducton to Pattern Recognton

More information

Chapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems

Chapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems Numercal Analyss by Dr. Anta Pal Assstant Professor Department of Mathematcs Natonal Insttute of Technology Durgapur Durgapur-713209 emal: anta.bue@gmal.com 1 . Chapter 5 Soluton of System of Lnear Equatons

More information

NP-Completeness : Proofs

NP-Completeness : Proofs NP-Completeness : Proofs Proof Methods A method to show a decson problem Π NP-complete s as follows. (1) Show Π NP. (2) Choose an NP-complete problem Π. (3) Show Π Π. A method to show an optmzaton problem

More information

Subset Topological Spaces and Kakutani s Theorem

Subset Topological Spaces and Kakutani s Theorem MOD Natural Neutrosophc Subset Topologcal Spaces and Kakutan s Theorem W. B. Vasantha Kandasamy lanthenral K Florentn Smarandache 1 Copyrght 1 by EuropaNova ASBL and the Authors Ths book can be ordered

More information

CS : Algorithms and Uncertainty Lecture 17 Date: October 26, 2016

CS : Algorithms and Uncertainty Lecture 17 Date: October 26, 2016 CS 29-128: Algorthms and Uncertanty Lecture 17 Date: October 26, 2016 Instructor: Nkhl Bansal Scrbe: Mchael Denns 1 Introducton In ths lecture we wll be lookng nto the secretary problem, and an nterestng

More information

A new Approach for Solving Linear Ordinary Differential Equations

A new Approach for Solving Linear Ordinary Differential Equations , ISSN 974-57X (Onlne), ISSN 974-5718 (Prnt), Vol. ; Issue No. 1; Year 14, Copyrght 13-14 by CESER PUBLICATIONS A new Approach for Solvng Lnear Ordnary Dfferental Equatons Fawz Abdelwahd Department of

More information

12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA. 4. Tensor product

12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA. 4. Tensor product 12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA Here s an outlne of what I dd: (1) categorcal defnton (2) constructon (3) lst of basc propertes (4) dstrbutve property (5) rght exactness (6) localzaton

More information

CSci 6974 and ECSE 6966 Math. Tech. for Vision, Graphics and Robotics Lecture 21, April 17, 2006 Estimating A Plane Homography

CSci 6974 and ECSE 6966 Math. Tech. for Vision, Graphics and Robotics Lecture 21, April 17, 2006 Estimating A Plane Homography CSc 6974 and ECSE 6966 Math. Tech. for Vson, Graphcs and Robotcs Lecture 21, Aprl 17, 2006 Estmatng A Plane Homography Overvew We contnue wth a dscusson of the major ssues, usng estmaton of plane projectve

More information

(1 ) (1 ) 0 (1 ) (1 ) 0

(1 ) (1 ) 0 (1 ) (1 ) 0 Appendx A Appendx A contans proofs for resubmsson "Contractng Informaton Securty n the Presence of Double oral Hazard" Proof of Lemma 1: Assume that, to the contrary, BS efforts are achevable under a blateral

More information

Linearly Homomorphic Structure-Preserving Signatures and Their Applications

Linearly Homomorphic Structure-Preserving Signatures and Their Applications Lnearly Homomorphc Structure-Preservng Sgnatures and Ther Applcatons Benoît Lbert 1, Thomas Peters 2, Marc Joye 1, and Mot Yung 3 1 Techncolor (France) 2 Unversté catholque de Louvan, Crypto Group (Belgum)

More information

The Second Anti-Mathima on Game Theory

The Second Anti-Mathima on Game Theory The Second Ant-Mathma on Game Theory Ath. Kehagas December 1 2006 1 Introducton In ths note we wll examne the noton of game equlbrum for three types of games 1. 2-player 2-acton zero-sum games 2. 2-player

More information

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction Attacks on RSA The Rabn Cryptosystem Semantc Securty of RSA Cryptology, Tuesday, February 27th, 2007 Nls Andersen Square Roots modulo n Complexty Theoretc Reducton Factorng Algorthms Pollard s p 1 Pollard

More information

Generalized Linear Methods

Generalized Linear Methods Generalzed Lnear Methods 1 Introducton In the Ensemble Methods the general dea s that usng a combnaton of several weak learner one could make a better learner. More formally, assume that we have a set

More information

VQ widely used in coding speech, image, and video

VQ widely used in coding speech, image, and video at Scalar quantzers are specal cases of vector quantzers (VQ): they are constraned to look at one sample at a tme (memoryless) VQ does not have such constrant better RD perfomance expected Source codng

More information

Constant-Size Structure-Preserving Signatures Generic Constructions and Simple Assumptions

Constant-Size Structure-Preserving Signatures Generic Constructions and Simple Assumptions Constant-Sze Structure-Preservng Sgnatures Generc Constructons and Smple Assumptons Masayuk Abe Melssa Chase Bernardo Davd Markulf Kohlwess Ryo Nshmak Myako Ohkubo NTT Secure Platform Laboratores, NTT

More information

Algebraic partitioning: Fully compact and (almost) tightly secure cryptography

Algebraic partitioning: Fully compact and (almost) tightly secure cryptography Algebrac parttonng: Fully compact and (almost) tghtly secure cryptography Denns Hofhenz October 12, 2015 Abstract We descrbe a new technque for conductng parttonng arguments. Parttonng arguments are a

More information

Password Based Key Exchange With Mutual Authentication

Password Based Key Exchange With Mutual Authentication Password Based Key Exchange Wth Mutual Authentcaton Shaoquan Jang and Guang Gong Department of Electrcal and Computer Engneerng Unversty of Waterloo Waterloo, Ontaro N2L 3G1, CANADA Emal:{angshq,ggong}@callope.uwaterloo.ca

More information

Separable Linkable Threshold Ring Signatures

Separable Linkable Threshold Ring Signatures Separable Lnkable Threshold Rng Sgnatures Patrck P. Tsang 1, Vctor K. We 1, Tony K. Chan 1, Man Ho Au 1, Joseph K. Lu 1, and Duncan S. Wong 2 1 Department of Informaton Engneerng The Chnese Unversty of

More information

Tightly CCA-Secure Encryption without Pairings

Tightly CCA-Secure Encryption without Pairings Tghtly CCA-Secure Encrypton wthout Parngs Roman Gay 1,, Denns Hofhenz 2,, Eke Kltz 3,, and Hoeteck Wee 1, 1 ENS, Pars, France rgay,wee@d.ens.fr 2 Ruhr-Unverstät Bochum, Bochum, Germany eke.kltz@rub.de

More information

Finding Dense Subgraphs in G(n, 1/2)

Finding Dense Subgraphs in G(n, 1/2) Fndng Dense Subgraphs n Gn, 1/ Atsh Das Sarma 1, Amt Deshpande, and Rav Kannan 1 Georga Insttute of Technology,atsh@cc.gatech.edu Mcrosoft Research-Bangalore,amtdesh,annan@mcrosoft.com Abstract. Fndng

More information

Some Consequences. Example of Extended Euclidean Algorithm. The Fundamental Theorem of Arithmetic, II. Characterizing the GCD and LCM

Some Consequences. Example of Extended Euclidean Algorithm. The Fundamental Theorem of Arithmetic, II. Characterizing the GCD and LCM Example of Extended Eucldean Algorthm Recall that gcd(84, 33) = gcd(33, 18) = gcd(18, 15) = gcd(15, 3) = gcd(3, 0) = 3 We work backwards to wrte 3 as a lnear combnaton of 84 and 33: 3 = 18 15 [Now 3 s

More information

FREQUENCY DISTRIBUTIONS Page 1 of The idea of a frequency distribution for sets of observations will be introduced,

FREQUENCY DISTRIBUTIONS Page 1 of The idea of a frequency distribution for sets of observations will be introduced, FREQUENCY DISTRIBUTIONS Page 1 of 6 I. Introducton 1. The dea of a frequency dstrbuton for sets of observatons wll be ntroduced, together wth some of the mechancs for constructng dstrbutons of data. Then

More information

Lecture 14: Bandits with Budget Constraints

Lecture 14: Bandits with Budget Constraints IEOR 8100-001: Learnng and Optmzaton for Sequental Decson Makng 03/07/16 Lecture 14: andts wth udget Constrants Instructor: Shpra Agrawal Scrbed by: Zhpeng Lu 1 Problem defnton In the regular Mult-armed

More information

A Novel Feistel Cipher Involving a Bunch of Keys supplemented with Modular Arithmetic Addition

A Novel Feistel Cipher Involving a Bunch of Keys supplemented with Modular Arithmetic Addition (IJACSA) Internatonal Journal of Advanced Computer Scence Applcatons, A Novel Festel Cpher Involvng a Bunch of Keys supplemented wth Modular Arthmetc Addton Dr. V.U.K Sastry Dean R&D, Department of Computer

More information

Transfer Functions. Convenient representation of a linear, dynamic model. A transfer function (TF) relates one input and one output: ( ) system

Transfer Functions. Convenient representation of a linear, dynamic model. A transfer function (TF) relates one input and one output: ( ) system Transfer Functons Convenent representaton of a lnear, dynamc model. A transfer functon (TF) relates one nput and one output: x t X s y t system Y s The followng termnology s used: x y nput output forcng

More information

ANSWERS. Problem 1. and the moment generating function (mgf) by. defined for any real t. Use this to show that E( U) var( U)

ANSWERS. Problem 1. and the moment generating function (mgf) by. defined for any real t. Use this to show that E( U) var( U) Econ 413 Exam 13 H ANSWERS Settet er nndelt 9 deloppgaver, A,B,C, som alle anbefales å telle lkt for å gøre det ltt lettere å stå. Svar er gtt . Unfortunately, there s a prntng error n the hnt of

More information

Information-Theoretic Timed-Release Security: Key-Agreement, Encryption, and Authentication Codes

Information-Theoretic Timed-Release Security: Key-Agreement, Encryption, and Authentication Codes Informaton-Theoretc Tmed-Release Securty: Key-Agreement, Encrypton, and Authentcaton Codes Yohe Watanabe, Takenobu Seto, Junj Shkata Graduate School of Envronment and Informaton Scences, Yokohama Natonal

More information

Lecture 4. Instructor: Haipeng Luo

Lecture 4. Instructor: Haipeng Luo Lecture 4 Instructor: Hapeng Luo In the followng lectures, we focus on the expert problem and study more adaptve algorthms. Although Hedge s proven to be worst-case optmal, one may wonder how well t would

More information

Lecture Notes on Linear Regression

Lecture Notes on Linear Regression Lecture Notes on Lnear Regresson Feng L fl@sdueducn Shandong Unversty, Chna Lnear Regresson Problem In regresson problem, we am at predct a contnuous target value gven an nput feature vector We assume

More information

Appendix B: Resampling Algorithms

Appendix B: Resampling Algorithms 407 Appendx B: Resamplng Algorthms A common problem of all partcle flters s the degeneracy of weghts, whch conssts of the unbounded ncrease of the varance of the mportance weghts ω [ ] of the partcles

More information

Cryptographic Protocols

Cryptographic Protocols Cryptographc Protocols Entty Authentcaton Key Agreement Fat-Shamr Identfcaton Schemes Zero-Knowledge Proof Systems Shnorr s Identfcaton/Sgnature Scheme Commtment Schemes Secret Sharng Electronc Electon

More information

Application of Nonbinary LDPC Codes for Communication over Fading Channels Using Higher Order Modulations

Application of Nonbinary LDPC Codes for Communication over Fading Channels Using Higher Order Modulations Applcaton of Nonbnary LDPC Codes for Communcaton over Fadng Channels Usng Hgher Order Modulatons Rong-Hu Peng and Rong-Rong Chen Department of Electrcal and Computer Engneerng Unversty of Utah Ths work

More information

Affine transformations and convexity

Affine transformations and convexity Affne transformatons and convexty The purpose of ths document s to prove some basc propertes of affne transformatons nvolvng convex sets. Here are a few onlne references for background nformaton: http://math.ucr.edu/

More information

Communication Complexity 16:198: February Lecture 4. x ij y ij

Communication Complexity 16:198: February Lecture 4. x ij y ij Communcaton Complexty 16:198:671 09 February 2010 Lecture 4 Lecturer: Troy Lee Scrbe: Rajat Mttal 1 Homework problem : Trbes We wll solve the thrd queston n the homework. The goal s to show that the nondetermnstc

More information

Lecture 10: May 6, 2013

Lecture 10: May 6, 2013 TTIC/CMSC 31150 Mathematcal Toolkt Sprng 013 Madhur Tulsan Lecture 10: May 6, 013 Scrbe: Wenje Luo In today s lecture, we manly talked about random walk on graphs and ntroduce the concept of graph expander,

More information

Introduction to Vapor/Liquid Equilibrium, part 2. Raoult s Law:

Introduction to Vapor/Liquid Equilibrium, part 2. Raoult s Law: CE304, Sprng 2004 Lecture 4 Introducton to Vapor/Lqud Equlbrum, part 2 Raoult s Law: The smplest model that allows us do VLE calculatons s obtaned when we assume that the vapor phase s an deal gas, and

More information

Section 8.3 Polar Form of Complex Numbers

Section 8.3 Polar Form of Complex Numbers 80 Chapter 8 Secton 8 Polar Form of Complex Numbers From prevous classes, you may have encountered magnary numbers the square roots of negatve numbers and, more generally, complex numbers whch are the

More information

Decentralized Multi-Client Functional Encryption for Inner Product

Decentralized Multi-Client Functional Encryption for Inner Product Ths paper s a slght varant of the Extended Abstract that appears n Advances n Cryptology ASIACRYPT 2018 (December 2 6, Brsbane, Australa) Sprnger-Verlag, LNCS?????, pages??????. Decentralzed Mult-Clent

More information

A New Refinement of Jacobi Method for Solution of Linear System Equations AX=b

A New Refinement of Jacobi Method for Solution of Linear System Equations AX=b Int J Contemp Math Scences, Vol 3, 28, no 17, 819-827 A New Refnement of Jacob Method for Soluton of Lnear System Equatons AX=b F Naem Dafchah Department of Mathematcs, Faculty of Scences Unversty of Gulan,

More information

Outline. Communication. Bellman Ford Algorithm. Bellman Ford Example. Bellman Ford Shortest Path [1]

Outline. Communication. Bellman Ford Algorithm. Bellman Ford Example. Bellman Ford Shortest Path [1] DYNAMIC SHORTEST PATH SEARCH AND SYNCHRONIZED TASK SWITCHING Jay Wagenpfel, Adran Trachte 2 Outlne Shortest Communcaton Path Searchng Bellmann Ford algorthm Algorthm for dynamc case Modfcatons to our algorthm

More information

Psychology 282 Lecture #24 Outline Regression Diagnostics: Outliers

Psychology 282 Lecture #24 Outline Regression Diagnostics: Outliers Psychology 282 Lecture #24 Outlne Regresson Dagnostcs: Outlers In an earler lecture we studed the statstcal assumptons underlyng the regresson model, ncludng the followng ponts: Formal statement of assumptons.

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback