Strongly Unforgeable Proxy Re-Signature Schemes in the Standard model
|
|
- Francis Elliott
- 5 years ago
- Views:
Transcription
1 Strongly Unforgeable Proxy Re-Sgnature Schemes n the Standard model No Author Gven No Insttute Gven Abstract. Proxy re-sgnatures are generally used for the delegaton of sgnng rghts of a user delegator to a semtrusted proxy and a delegatee. The proxy can convert the sgnature of one user on a message nto the sgnature of another user on the same message by usng the delegaton nformaton rekey provded by the delegator. Ths s a handy prmtve for network securty and automated delegatons n herarchcal organzatons. Though proxy resgnature schemes that are secure n the standard model are avalable, none of them have addressed the securty noton of strong exstental unforgeablty, where the adversary wll not be able to forge even on messages for whch sgnatures are already avalable. Ths s an mportant property for applcatons whch nvolve the delegaton of authentcaton on senstve data. In ths paper, we defne the securty model for strong unforgeablty of proxy re-sgnature schemes. We propose two concrete strong unforgeable proxy re-sgnature schemes, where we nduce the strong unforgeablty n the scheme by embeddng the transformaton technques carefully n the sgn and resgn algorthms. The securty of both the schemes s related to the hardness of solvng Computatonal Dffe-Hellman CDH problem. Introducton Proxy Re-Cryptography orgnally ntroduced by Blaze et. al. [4], has been an emergng feld of nterest n the research communty. Ths has manly been motvated by ts applcatons and challenges faced n the constructon of such schemes. Proxy Re-Sgnature and Proxy Re-Encrypton schemes are the essental prmtves n ths feld. Proxy Re-Encrypton allows a sem-trusted proxy to convert a cpher text meant for a recever nto a cpher text of another user so that the other user can decrypt t usng hs secret key. Many such schemes have been desgned and are beng used for varous applcatons lke dstrbuted storage, dstrbuted rghts management and cloud nfrastructure. Proxy Re-Sgnature scheme nvolves a sem-trusted proxy between two partes A and B, where the proxy has the capablty and nformaton Re-Sgnature Key to convert the sgnature on a message m by user A, nto the sgnature by user B on the same message m [A-Delegatee, B-Delegator]. Ths knd of sgnature comes handy n stuatons where n B the delegator s not avalable to sgn on a gven messagem. Then usng a sgnature of the delegatee A on the messagem, the sem-trusted proxy can generate a sgnature on behalf of B on the same messagem wth the help of a rekeyre-sgnature Key, wthout nvolvng delegator B n the sgnng process. The deal propertes of a proxy re-sgnature scheme are undrectonal, mult-use, publc proxy, transparency, key-optmal, non-nteractve and non-transtvty whch were standardzed by [2]. The descrptons for these propertes can be found n Appendx A. Proxy Re-Sgnatures are generally proved for an unforgeablty noton where an adversary wll not be able to forge a sgnature/re-sgnature on a new message rather than on a message that has already been sgned/resgned. But there mght be applcatons wth strcter securty, whch requre the system to protect the exstng message-sgnature pars from beng forged. The securty noton for such a requrement s called strong unforgeablty, whch we dscuss n detal later. Motvaton: Proxy re-sgnature schemes have varous applcatons as lsted by [2]. For example, they can be used n huge organzatons for employee are delegated to sgn on behalf of the organzaton. Applcatons nvolvng checkponts can make good use of mult-use proxy re-sgnatures. Ths prmtve can ad the delegaton of certfyng temporary publc keys, whch wll as a result n a reduced overhead n the PKI network. The property of strong unforgeablty can also be adapted by applcatons shown above for a more strngent securty. Consder senstve applcatons where the sgnatures play a crucal role, there can be passve adversares pollng the communcaton channel. Hence they can store every message and ts correspondng sgnature or re-sgnature. Then at a later tme, they can modfy these sgnatures due to ther weak unforgeablty property and present a new sgnature or re-sgnature for the same message at wll. Strong unforgeablty n proxy re-sgnatures s an nterestng property n practce. For nstance, consder access control mechansm whch nvolves delegaton of access rghts. Assume that the system wants to gve access to a user-a wth access polcy p, then the systems generates a sgnature S A on p and gves t to the user-a. In the case when user-a and the system are unavalable to mplement the polcy when requred, then there can be a mddle system proxy to converts the sgnature S A to S B and gves t to user-b to perform the requred acton. In the case of revocaton of access polces, nether user-a or user-b should be able to forge on the revoked sgnatures S A and S B and clam the access rghts for p.
2 We can adopt the same deology for ntellectual property protecton n servces lke the dgtal meda rental, where the owner of the copyrghtsgn would gve the content to the retalersresgned from whom the customers can rent the meda. The copyrght materals embedded wth the sgnature of the owner or the re-sgnature of the retaler must be unforgeable by an external adversary whch otherwse mght lead to pracy. Hence the strongly unforgeable proxy re-sgnature can come n handy for such a stuaton where the prated copes cannot possess a vald publcally verfable sgnature apart from ts orgnal copy. It can be used n conjuncton wth proxy re-encrpyton n the dgtal rghts management. Note: Further we would lke to emphasze that t s not trval to attan strong unforgeablty n proxy re-sgnatures as t s dfferent from that for the noton n sgnatures. The attacker must not be able to modfy the sgnatures/resgnatures to belong another entty whch can be publcly verfed. Related Work: Proxy Re-Sgnatures orgnally ntroduced by Blaze et. al. [4], s an nterestng class of sgnature schemes. It was later formalzed by Atenese et. al. [2] who also defned a sutable securty model for provng ts securty and supplementng t wth two concrete schemes one b-drectonal and the other un-drectonal both secure n the random oracle model. Shao et. al. [3] proposed the frst proxy re-sgnature scheme, whch was b-drectonal and secure n the standard model, wth a new perspectve on the securty Statc Corrupton smlar to that n proxy re-encrypton schemes. Chow et. al [6] showed an nsecurty n Shao s scheme and gave a new proxy re-sgnature scheme, whch was secure n the standard model but at the cost of transparency. Lbert et. al. [9] came up wth a mult-use, un-drectonal Open problem left n [2] and non-transparent proxy re-sgnature scheme that s secure n the standard model. Recently, Shao et. al. came up wth a novel approach [5] for the frst ID based mult-use proxy re-sgnatures. It s to be noted from Table that none of the exstng proxy re-sgnature schemes secure n the standard model satsfy the stronger noton of exstental unforgeablty [], where an adversary wll not be able to forge a prevously sgned or re-sgned message. In ths paper we address ths ssue by defnng a securty model for such a securty noton and propose two concrete schemes for the same. Table. Proxy Re-Sgnature Schemes n the Standard Model wth propertes comparson Propertes Shao et. al.[3] Lbert et. al.[9] Chow et. al.[6] Our Scheme Un-Drectonal No Yes Yes Yes Mult-Use Yes Yes No No Prvate Proxy Yes Yes Yes Yes Non-Interactve No No No No Non-Transtve No Yes Yes No Transparent Yes No No No Temporary No No Yes No Strongly Unforgeable No No No Yes Our Contrbuton: In ths paper, we frst defne a securty noton for strongly unforgeable proxy re-sgnature schemes based on the statc corrupton securty model defned by Shao et. al. [3]. Then, based on Waters scheme [8] we propose two strongly unforgeable proxy re-sgnature schemes secure n the standard model. After revewng the exstng transformaton technques for convertng exstentally unforgeable sgnatures to strongly unforgeable ones, we choose the transformaton technque proposed by [5] strong unforgeablty transformaton and generc transformaton by [7] whch uses chameleon hash functon. The schemes are constructed usng blnear maps and ther securty s based on the Computatonal Dffe-Hellman CDH assumpton. We also suggest some effcency mprovements for the schemes. Paper Organzaton: The paper s organzed as follows. In Secton 2 we gve the varous defntons whch are nvolved n constructng and provng the securty of the scheme. Secton 3 revews the avalable strong unforgeablty transformatons technques n the standard model. In Secton 4 and 5 we propose two concrete strongly unforgeable proxy re-sgnatures and also provde suggestons for effcency mprovement. Concluson s offered n Secton 6. The Appendces A and B presents the formal securty argument for both the schemes. 2 Defntons 2. Proxy Re-Sgnature The proxy re-sgnature s a collecton of probablstc polynomal tme algorthms KeyGen, ReKey, Sgn, Verfy, Re-Sgn: KeyGen, Sgn : These algorthms are taken from the underlyng sgnature scheme, and hence retan all ts functonalty and propertes. We are usng the same key construct pk-publc key, sk-secret key for the rest of the scheme.
3 ReKey : On nput of the secret keys sk A, sk B, the re-key generaton algorthm generates a re-key whch s to be stored n the proxy. The re-sgnature key may be calculated through an nteractve protocol, where the secret keys of A and B are used to compute the re-key. At the end of the protocol, the proxy wll obtan the re-key rk A B wthout ganng any nformaton regardng the correspondng secret keys of A and B. Ths re-key rk A B s used by the proxy to transform the sgnatures of user A to that of user B. ReSgn : Takes as nput rk A B, pk A, m, σ A and t frst verfes whether the gven sgnature s that of user A by performng V erfypk A, m, σ A. If the Verfy returns false, then the algorthm aborts and reports of an nvald sgnature. Otherwse, the transformaton of the sgnature takes place usng the re-key and the transformed sgnature σ B = ReSgnReKeysk A, sk B, pk A, m, σ A s returned. Verfy : The sgnature σ B on message m, when generated drectly by user B, wll be verfed by the Verfy algorthm of the underlyng sgnature scheme. However, f σ B s generated by the proxy, we may use a dfferent algorthm. Correctness : All the untransformed and transformed sgnatures wll satsfy the Verfy algorthm. Verfym, σ A, pk A = True Verfy2m, ReSgnReKeysk A, sk B, pk A, m, σ A, pk B = True Note: We are usng two verfcaton algorthms Verfy and Verfy2 n order to verfy the sgnature and re-sgnature respectvely. Dependng on the transparency property of the scheme, f the output of the sgn and re-sgn algorthm are computatonally ndstngushable, the Verfy and Verfy2 are one and the same. On the other hand, n the case of non-transparency where the sgnature and the re-sgnature are dstngushable, the Verfy and Verfy2 are dfferent algorthms. For mult-use, non-transparent schemes, the Verfy2 wll be varyng for each level of sgnature translaton. Hence Verfy algorthm vares dependng on the nature of the sgnature. Securty Model for Proxy Re-Sgnature Scheme We present a securty model for the proxy re-sgnature scheme, whch ensures the strong unforgeablty property. The securty of the scheme defned here s nspred by Shao et al. s securty model [3] for exstental unforgeablty under statc corrupton. The same has also been dscussed recently as an mproved securty model n un-drectonal proxy re-sgnatures [4]. The securty model s defned as the game between the forger F the adversary tryng to attack the system and the challenger C. The securty s based on the deology of statc corrupton where, a forger who s tryng to attack the sgnature scheme determnes the corrupted partes of the system pror to the start of game between F and C. It does not allow adaptve corrupton of users of the system n between the securty game. Hence our securty model wll deal wth corrupted and uncorrupted partes accordngly. The securty game s defned n the followng phases: Tranng Phase: The challenger smulates the followng oracles, whch the forger s allowed to query durng ths phase.. O UKeyGen Key Generaton for Uncorrupted user : Ths oracle generates the key par usng the KeyGen and returns the publc keys of uncorrupted users n the system. 2. O CKeyGen Key Generaton for Corrupted user : Ths oracle generates the key par usng KeyGen and returns the publc key and secret key of the correspondng corrupted user. 3. O ReKey Re-Sgnature Key Generaton : Ths oracle when gven the publc key of users A and B, generates a re-key rk A B only when both user A and B are ether corrupted or uncorrupted. When one of them s corrupted and the other one s not, s returned. 4. O Sgn Sgnature : Gven the nput publc key for user A whch was generated by the one of the KeyGen oracles and a message m, the sgnature σ Am for the correspondng publc key on the message s returned. The sgnature on the message s returned regardless of user A beng a corrupted or uncorrupted user. 5. O ReSgn Re-Sgnature : Gven the nput pk B, pk A, m, σ A, ths oracle wll return the correspondng transformed sgnature σ B regardless of A or B beng a corrupted or uncorrupted user. Notce that the rekey s not generated by C, when one of the users A or B s corrupted. Stll, ths oracle must be able to return the re-sgnature. Ths ensures that the forger gets all hs tranng by queryng the oracles polynomal number of queres wth respect to the securty parameter avalable to any user n the system. It s nherent that the forger controls the corrupted users. After the tranng phase, the strong unforgeablty s captured n the followng phase whch exposes the true potental of the forger. Forgery Phase : The forger after the tranng phase wll return the forgery m, pk, σ. The forgery s sad to be a vald one f the followng condtons are satsfed,. Verfy algorthm must satsfy for m, pk, σ where σ can ether be a transformed or untransformed sgnature. 2. pk used for forgery must be uncorrupted and whose keys are generated by the uncorrupted key generaton oracle. 3. σ s not the output durng the tranng phase wth m, pk as nput to the sgn oracle. 4. σ s not the output of the ReSgn oracle wth nput as pk, pk, m, σ durng the tranng phase, for any pk and σ. Note: When we consder the strong unforgeablty for proxy re-sgnatures, we must take nto account the fact that any re-sgnature must always be generated usng the re-sgnature key. The delegator must not be able to explot hs own sgnatures n order to convert them to a re-sgnature.
4 2.2 Blnear Parng Let G be an addtve cyclc group generated by P, wth prme order p, and G be a multplcatve cyclc group of the same order p. A blnear parng s a map ê : G G G wth the followng propertes. Blnearty. For all P, Q, R G, êp + Q, R = êp, RêQ, R êp, Q + R = êp, QêP, R êap, bq = êp, Q ab Non-Degeneracy. There exst P, Q G such that êp, Q I G, where I G s the dentty n G. Computablty. There exsts an effcent algorthm to compute êp, Q for all P, Q G. Note: We wll be usng the multplcatve notaton for our schemes, as t s easer to represent the standard model schemes [8] n ths form. But t s to be understood that, G s bascally an addtve prme order group for our schemes. 2.3 Computatonal Dffe-Hellman Assumpton Computatonal Dffe-Hellman Problem: Let G be a group of prme order p and g be the generator of G. The CDH problem can be defned as follows: An algorthm A s sad to have an advantage ɛ n solvng the CDH problem f P r[ag, g a, g b = g ab ] ɛ where the probablty s calculated over the random choces of a,b Z p, g G and the random bts used by algorthm A. 3 Strong Unforgeablty Transformaton In ths secton we gve an overvew of the strong unforgeablty property n sgnature schemes and provde our ntuton regardng how we select and use the strong unforgeablty transformaton technques for our constructons. Generally sgnature schemes are proven for unforgeablty under adaptve chosen message attack The forger can adaptvely choose a message for forgery. There are two knds of securty notons under ths namely, strong and weak unforgeablty. The most commonly used noton s the weak exstental unforgeablty, where the forgery s on a message that has never been quered for a sgnature, durng the tranng phase. Ths case s mplct for determnstc sgnature schemes where a message cannot have two dfferent sgnatures wth respect to a user. But, wth the advent probablstc sgnature schemes, the stuaton arses where a message can have one or more sgnatures wth respect to a sngle user. Hence a stronger noton of securty s requred, where the forgery on a message whch has already been sgned quered durng the tranng phase s also consdered a vald attack on the system. Let the forger have the followng message sgnature pars from the tranng phase: m, σ, m 2, σ 2,..., m q, σ q. where q s the number of queres n the tranng phase. Weak forgeablty: Here a forgery s on a message m where m {m, m 2,..., m q}. Strong forgeablty: Here, the forger may come up wth a forgery m, σ where m, σ {m, σ q}. Note that, n the tranng phase, some of the queres may have m as the message. Whle the technque n [6] can be appled for our construct, we stck to the basc transform used n [5], so that the effcency does not reduce consderably. The generc transformaton usng chameleon hash functons proposed by [7] can be appled to [8] for a strongly unforgeable sgnature. A concrete strongly unforgeable proxy re-sgnature scheme based on ths transformaton s gven n secton 4. Whle there are other transformaton technques [7,, 3], to obtan strong unforgeablty, we avod ther usage as they compromse on the effcency and the flexblty requred to obtan a proxy re-sgnature. Remark: It s to be noted that the technques dscussed above, cannot be appled drectly to exstng standard model proxy re-sgnature schemes as they may not satsfy the strongly unforgeablty noton n ts true sense. Hence t s requred to perform a customzed transformaton n order to obtan a strong unforeablty property. We llustrate a few nsecurtes n appendx C. 4 Scheme- In ths secton, we wll present our frst strongly unforgeable proxy re-sgnature scheme, whch can be proved secure n the standard model. We name the scheme P RS SUF, whch s bdrectonal, and sngle-use n nature. The constructon of the scheme uses blnear maps. The scheme uses the Boneh et. al. s transformaton technque and carefully addng extra randomness and certan parameters so that the proxy re-sgnature can reman strongly unforgeable from all aspects. The use of two key pars for every user s justfed by provng that the re-sgnature cannot be produced unless t s processed by the re-sgnature algorthm. The nput message to be sgned can be of any sze. Ths message wll then be modfed to a n-bt format before computng the sgnature or re-sgnature.
5 KeyGen k : On the nput of securty parameter k, ths algorthm performs the followng computatons to generate the keys of a user. Let G, G be groups of prme order p. Let ê be an admssble blnear map where ê : G G G. We consder a collson resstant hash functon whch s defned as H : {0, } {0, } n. Snce the scheme s n the standard model, the hash functons can be nstantated wth standard hash functons whch can be mplemented n the real world. Here the lengthn of the message dgest Output of the H depends on the securty parameter. Let g a generator for group G and random elements < g 2, h, u 0, u...u n, v 0, v..v n > G 2n+4. The systemtrusted party then fxes ths as a common reference strng for all users, wth whch they can generate ther respectve publc and secret key components. Consder a user A, who chooses a, a 2 R Z p and sets g = g a and g = g a 2 as hs publc keys. The secret key components computed for the user s sk =< sk, sk 2 >=< g a 2, g a 2 2 >. Sgnm, sk: On the nput of the message m to be sgned and secret key of the sgner, the sgnature algorthm performs the followng computatons Let r, s R Z p Compute σ 2 = g r G Set σ 3 = s Z p t = H m, σ 2 {0, } n Set m = H g t h s {0, } n. Defne m u = u 0 u m where m = m, m 2, m 3... m n denotes the n-bt representaton of m. r r Compute σ = sk. m u = g a 2. m u G Thus, the sgnature σ =< σ, σ 2, σ 3 > on the message m by the sgner A wth the secret key g a 2 s gven by r σ, σ 2, σ 3 = g a 2. m u, g r, s Remark: The transformaton [5] can be observed n m whch s used as the message component n the sgn algorthm. ReKeyg a 2, gb 2, gb 2 2 : In order to delegate the sgnng rght from ether A to B or B to A as our scheme s bdrectonal the proxy wll run an nteractve protocol wth A and B. The fnal re-sgnature key obtaned by the proxy wll be of the form rk A B = g b +b 2 a 2 G The Interactve protocol for usng the secret keys of the users n a secure manner to calculate the fnal re-sgnature key s defned as follows:. The proxy ntally chooses a random R Z p, compute g2 R and send t to user A. 2. Then A uses ts secret key parameter a, computes and sends g2 R.g a 2 = g R a 2 to user B. B s chosen by A, as he s the user to whom A wshes to convert hs sgnatures. 3. B uses hs secret parameters b and b 2, computes and sends g R a 2.g b +b 2 2 = g R+b +b 2 a 2 to the proxy. 4. The proxy now computes g R+b +b 2 a 2.g R 2 = g b +b 2 a 2 as the re-sgnature key. Remark: The rekey algorthm s performed durng the system setup through a secure channel or n prvate. We clam that the above nteractve protocol between the partes nvolved n delegatons s unavodable because t nvolves the use of ther secret nformaton. Snce t performs a secure computaton, a non-nteractve zero knowledge wll not serve the purpose n ths scenaro. Ths has been the approach used n all the proxy re-sgnatures wth prvate proxy defned untl now. ReSgnrk A B, pk A, m, σ: Proxy on recevng a sgnature σ = < σ, σ 2, σ 3 > on the message m by user A assocated wth publc key pk A, re-sgnature key rk A B as nput, performs the followng to generate a sgnature on m by user B. Frst check whether the V erfypk A, m, σ s satsfed, f not abort reportng an nvald sgnature. Otherwse perform the followng steps to generate the re-sgnature. Assgn ˆσ 2 = σ 2 = g r G Let r R Z p and compute g r and assgn ˆσ 3 = g r G Assgn ˆσ 4 = σ 3 = s Z p t 2 = H m, g r, g r {0, } n Set m 2 = H g t 2 h σ 3 {0, } n. The computaton of m 2 s n accordance wth the strong unforgeablty transformaton. Defne m 2 v = v 0 v m2 where m 2 = m 2, m2 2, m m 2 n denotes the n-bt representaton of m 2.
6 Compute ˆσ = σ.rk A B. m 2 v r G = g a 2. = g b +b 2 2. The Re-sgnature ˆσ =< ˆσ, ˆσ 2, ˆσ 3, ˆσ 4 > s gven by, ˆσ, ˆσ 2, ˆσ 3, ˆσ 4 = m u r.g b +b 2 a m u g b +b 2 2. r. 2. m 2 v r m 2 v m u r. m 2 v r r, g r, g r, s Remark: The transformaton [5] can be observed n m 2 whch s used as the message component n the resgn algorthm. Ths transformed message re-randomzes the exstng randomness obtaned from the sgnature algorthm. Verfym, σ, pk: For verfyng the sgnature σ = σ, σ 2, σ 3 on the message m by the user correspondng to publc key pk, any verfer can perform the followng valdty check. Intally compute, ˆt = H m, σ 2 {0, } n m = H g ˆ t h σ 3 {0, } n Verfy whether the followng equaton satsfes ê σ, g? = êm u, σ 2êg 2, g f the above test holds, output Vald otherwse output Invald. Correctness for verfcaton of sgnature Verfy: êσ, g? = êm u, σ 2êg 2, g Rght Hand Sde: By Blnearty property of the map e: = êm u, g r êg 2, g a = êm u r, gêg a 2, g = êg a 2 m u r, g = êσ, g. Verfy2m, ˆσ, pk: For verfyng the re-sgnature ˆσ = ˆσ, ˆσ 2, ˆσ 3, ˆσ 4 on the message m by the user correspondng to publc key pk, any verfer can perform the followng valdty check on the transformed sgnature as follows, Compute ˆt = H m, ˆσ 2 {0, } n m t = H g ˆ hˆσ 4 {0, } n ˆt 2 = H m, σ 2, σ 3 {0, } n m 2 = H g ˆ t 2 hˆσ 4 {0, } n m u = u 0 m 2 v = v 0 u m v m2 Verfy whether the followng equaton satsfes ê ˆσ, g? = êm u, ˆσ 2.êm 2 v, ˆσ 3.êg 2, g.êg 2, g f the above test holds, output Vald otherwse output Invald. Correctness for verfcaton of re-sgnature Verfy2: ê ˆσ, g? = êm u, ˆσ 2.êm 2 v, ˆσ 3.êg 2, g.êg 2, g
7 Rght Hand Sde: By Blnearty property of the map e: = êm u, g r êm 2 v, g r êg 2, g b êg 2, g b 2 = êm u r, gêm 2 v r, g.êg b +b 2 2, g = êg b +b 2 2 m u r m 2 v r, g = ê ˆσ, g. Proof of Securty: We prove the securty of the scheme P RS SUF usng the followng theorem. In ths theorem, we prove that breakng the scheme s as hard as solvng the CDH problem. Theorem. If there s an adversary, whch can break the strongly unforgeable scheme P RS SUF n polynomal tme, by havng q s and q rs queres to the sgn and resgn oracles and advantage ɛ wth n as the sze of the message, then the CDH problem can be broken wth advantage ɛ ɛ/44q sq s + q rsn + 2. The securty proof of the P RS SUF can be dvded nto two parts. The frst one s where we prove the securty of the underlyng sgnature scheme by smulatng a weaker form of the sgnature wth the sgn and resgn oracles. Thus we prove the scheme to be secure for any message that was not quered durng the tranng phase. 2. Once we have proved the exstental forgery for the sgnature and re-sgnature scheme, we may apply transformaton modfyng the message by bndng t wth a randomness, wthout affectng the nternal structure of the sgnature or re-sgnature and then derve the securty for strong unforgeablty. Snce ths transformaton [5] uses the assumpton of unversal one way hash functons, the resultng strongly unforgeable scheme s also secure. As mentoned n the model, the securty s proved as game between the challenger C and forger F. F s traned wth the workng of the system through the followng smulaton by C. We are smulatng the tranng phase for the weaker form of the re-sgnaturewthout transformaton where m or m 2 =m and prove for ts exstental unforgeablty pror to applyng the strong unforgeablty transformaton. C s gven the nput of the hard problem, g a, g b and s requred to fnd the soluton g ab from the forgery performed by the forger. Hence C embeds the hard problem nstances whle smulatng the system to the adversary, whch s descrbed n detal n Appendx A. 5 Scheme-2 Recently [7], proposed a new knd of strong unforgeablty transformaton whch makes use of chameleon hash functons Hash functons wth a publc-secret key par and where a vald collson can be found usng the prvate hash key. We can make use of ths transformaton as an alternatve to the one suggested by [5]. The computaton cost for ths transformaton s approxmately the same compared to the one proposed by [5] as they have smlar parameters and constructs. That s the probablty of the forger breakng the scheme, s almost at the same level of the challenger solvng the underlyng hard problemcdh Problem. We name ths alternate scheme P RS2 SUF Chameleon Hash Functon: Orgnally coned and ntroduced by Krawczyk, was extensvely used to mplement blnd sgnatures. It s assocated wth a publc hash key and prvate hash key. One can compute the hash value usng the publc hash key. It s possble to fnd vald hash collsons only usng the prvate hash key but cannot calculate the collson wth only the chameleon hash and ts publc hash key. Let H ch be a chameleon hash functon wth m, s as the nput where m s the message and s s the randomness. It s easy to fnd a new par ˆm, ŝ such that H ch m, s = H ch ˆm, ŝ wth the knowledge of the prvate hash key. The constructon for the chameleon hash functon used s not an dealzed one and hence t can use exstng standard dscrete log based constructons of chameleon hash functons [2]. Scheme Defntons: KeyGen k : Same as that n Scheme- where there are two pars of secret,publc key - g a 2, g = ga, g a 2 2, g = g a 2 where a, a 2 R Z p. Defne a standard hash functon H 2 : {0, } Z p. The Chameleon Hash used n ths scheme [2] s defned as follows: Usng the generator g G, set the element g 3 = g β where β Z p. The prvate hash key s β and publc hash key s g 3, g. The chameleon hash H ch m, s = g m 3 g s. Gven a new ˆm m, t s easy to fnd a hash collson usng the prvate hash key β by calculatng ŝ = m ˆmβ + s. It can observed that H ch ˆm, ŝ = g3 ˆm gŝ = g3 m g s = H ch m, s. g 3 s added to the common reference strng for all users and β can be stored secretly for every user and s manly used n the sgn and re-sgn algorthms. To note that the β used by each userncludng proxy s dfferent. Hence the common reference strng, < g, g 2, u 0, u...u n, v 0, v...v n, > G. Sgnm, sk: On the nput of the message to be sgned and secret key of the user sgnng the message m, the sgner to return the sgnature, performs the followng computatons: Consder the prmary secret of the sgner user A to be g a 2.
8 Pck a random γ, r Z p and compute g γ. Consder m = H g γ {0, } n as the message and perform the Waters Sgnature on t as follows: Defne m u = u 0 u m. where m = m, m 2, m 3... m n denotes the n-bt representaton of m. Compute σ = g a 2.m u r G. Compute σ 2 = g r G. Unforgeablty transformaton Compute m = H 2m, σ 2 Z p. Compute s = γ m β. Assgn σ 3 = s Z p The sgnature σ =< σ, σ 2, σ 3 > σ, σ 2, σ 3 = g a 2.m u r, g r, s ReKeyg a 2, gb +b 2 2 : In order to delegate the sgnng rght from ether A to B or B to A as our scheme s bdrectonal the proxy wll run an nteractve protocol wth A and B. The fnal re-sgnature key obtaned by the proxy wll be of the form rk A B = g b +b 2 a 2 G The Interactve protocol used to obtan the rk A B s the same as that defned n Secton 3. ReSgnpk B, pk A, m, σ: Proxy on recevng a sgnature σ =< σ, σ 2, σ 3 > on the message m by user A assocated wth publc key pk A, re-sgnature key rk A B as nput, performs the followng to generate a sgnature on m for user B. Frst check whether the V erfypk A, m, σ satsfes, f not abort reportng an nvald sgnature. Otherwse perform the followng steps to generate the re-sgnature. Assgn ˆσ 2 = σ 2 = g r G Let γ, r R Z p, compute and assgn ˆσ 3 = g r G Consder m 2 = H g γ {0, } n as the message and perform the Waters Sgnature on t as follows: Defne m v = v 0 v m 2. where m = m, m 2, m 3... m Unforgeablty transformaton Compute m = H 2m, ˆσ 3 Z p. Compute s 2 = γ m β. Assgn ˆσ 5 = s 2 Z p Assgn ˆσ 4 = σ 3 = s Z p Defne m 2 v = v 0 v m 2 Compute ˆσ = σ.rk A B.m 2 v r G The Re-sgnature ˆσ = ˆσ, ˆσ 2, ˆσ 3, ˆσ 4, ˆσ 5 = n denotes the n-bt representaton of m. = g a 2.m u r.g b +b 2 a 2.m 2 v r = g b +b 2 2 m u r m 2 v r g b +b 2 2 m u r m 2 v r, g r, g r, s, s 2 for one transformaton of the sgnature s returned. Verfym, σ, pk: For verfyng the sgnature σ =< σ, σ 2, σ 3 > on the message m by the user correspondng to publc key g a, any verfer can perform the followng valdty check. Compute t = H 2σ 2, m m = H g3g t σ 3 {0, } n m u = u 0 u m. Verfy whether the followng equaton satsfes êσ, g? = êm u, σ 2êg 2, g f the above test holds, output Vald otherwse output Invald. Verfy2m, ˆσ, pk: For verfyng the re-sgnature ˆσ =< σ, σ 2, σ 3, σ 4 > on the message m by the user correspondng to publc key pk, any verfer can perform the followng valdty check on the transformed sgnature as follows.
9 Compute t = H 2m, ˆσ 2 {0, } n m = H g 3gˆσ t 4 {0, } n t = H 2m, ˆσ 3 {0, } n m 2 = H g t gˆσ 5 3 {0, } n m u = u 0 m 2 v = v 0 u m v m2 Verfy whether the followng equaton satsfes êˆσ, g? =êm u, ˆσ 2.êm 2 v, ˆσ 3.êg 2, g êg 2, g f the above test holds, output Vald otherwse output Invald. The Correctness of the Verfy algorthm s smlar to that gven n PRS SUF. Proof of Securty: Theorem 2. If there s an adversary, whch can break the strongly unforgeable scheme P RS2 SUF n polynomal tme, by havng q s and q rs queres to the sgn and resgn oracles and advantage ɛ wth n as the sze of the message, then the CDH problem can be broken wth advantage ɛ ɛ/32q sq s + q rsn +. In ths theorem we gve an overvew of the proof of securty for the strongly unforgeable scheme defned above. The proof of ths theorem cannot use the proof of tght reducton that s defned n [7] due to the flaw ponted out n [8]. In [8] t has been proved that parttonng stratergy such as [8] has an nherent securty loss of order q, where q s a polynomal. So we devate from the proof of securty n [7] and modfy t smlar to the proof n scheme. Suppose there exsts a t,q s, q rs, ɛ adversary that can break our strongly unforeable proxy re-sgnature scheme, then there s a challenger who can solve the computatonal Dffe-Hellman problem,.e. when gven a random tuple g, g a, g b then ts output s g ab. The proof s descrbed n detal n Appendx B. 5. Effcency Improvements of Schemes Due to the use of a sgnature construct smlar to that of Waters [8], the number of publc parameters used n the scheme s qute hgh. Especally, the two n-vector group elements consume a enormous amount of memory whch s not healthy consderng the lmted storage capacty avalable. As Patterson [0] had ponted out, we can use the technques suggested by Naccache and Chatterjee-Sarkar who clamed that the number of parameters can be reduced by makng a small modfcaton n the manner we consder the n-vector group elements based on the n-bts of the hash functon output. Instead of consderng the message dgest hash functon output as a strng of bts, t s taken as concatenaton of t-bt ntegers. Hence number of group elements ˆn = n t. Consder the message m to consst of n bts. It s beng splt nto t-bt ntegers and computaton s modfed accordngly, ˆn u 0 u m nstead of u 0 u m Ths reducton n number of parameters also ncrease the effcency by reducng the computatons [0] performed durng sgnng and resgnng. But at the same tme, there s a reduce n the success probablty for the C to solve the underlyng hard problem by the order of the number of sgnng and resgnng queres durng the tranng phase durng the securty game. Accordng to [0] we can deduce that the probablty s reduced by a factor of approxmately 2 qs 2 qrs q sq rs. In order to compensate for the securty loss, Chatterjee-Sarkar proposed an dea where the sze of the group n whch the CDH problem s hard. Ths wll to an extent negate the effect of probablty reducton due to q s and q rs. 6 Concluson We have presented n ths paper, two strongly unforgeable proxy re-sgnature schemes, whch can be proved secure n the standard model. We have made use of strong unforgeablty transformaton technques to obtan the strongly unforgeable verson of the sgnature scheme n order to make the resultng proxy re-sgnature scheme also as strongly unforgeable. However, there has been a trade off between effcency and securty, as we have by strengthenng the securty, reduced the effcency due to the ntroducton of a large number of parameters. A few effcency mprovements have been suggested for the same. The future work for such strongly unforgeable, standard model b-drectonal/undrectonal proxy re-sgnature schemes can be to propose and prove such schemes secure under the noton of adaptve corrupton for whch the securty model has been formalzed [2] [6] and also to ncrease ts effcency by reducng the number of parameters.
10 References. Jee Hea An, Yevgeny Dods, and Tal Rabn. On the securty of jont sgnature and encrypton. In EUROCRYPT, pages 83 07, Guseppe Atenese and Susan Hohenberger. Proxy re-sgnatures: new defntons, algorthms, and applcatons. In ACM Conference on Computer and Communcatons Securty, pages 30 39, Mhr Bellare and Sarah Shoup. Two-ter sgnatures, strongly unforgeable sgnatures, and fat-shamr wthout random oracles. Cryptology eprnt Archve, Report 2007/273, Matt Blaze, Gerrt Bleumer, and Martn Strauss. Dvertble protocols and atomc proxy cryptography. In EUROCRYPT, pages 27 44, Dan Boneh, Emly Shen, and Brent Waters. Strongly unforgeable sgnatures based on computatonal dffehellman. In Publc Key Cryptography, pages , Sherman S. M. Chow and Raphael C.-W. Phan. Proxy re-sgnatures n the standard model. In ISC, pages , Fuchun Guo, Y Mu, and Wlly Suslo. How to prove securty of a sgnature wth a tghter securty reducton. In ProvSec, pages 90 03, Denns Hofhenz, Tbor Jager, and Edward Knapp. Waters sgnatures wth optmal securty reducton. In Publc Key Cryptography, pages 66 83, Benoît Lbert and Damen Vergnaud. Mult-use undrectonal proxy re-sgnatures. In ACM Conference on Computer and Communcatons Securty, pages 5 520, Kenneth G. Paterson and Jacob C. N. Schuldt. Effcent dentty-based sgnatures secure n the standard model. In ACISP, pages , Jn L Qong Huang, Duncan S. Wong and Y-Mng Zhao. Generc transformaton from weakly to strongly unforgeable sgnatures. In Journal of Computer Scence and Technology, volume 23, pages , Ad Shamr and Yael Tauman. Improved onlne/offlne sgnature schemes. In CRYPTO, pages , Jun Shao, Zhenfu Cao, Lcheng Wang, and Xaohu Lang. Proxy re-sgnature schemes wthout random oracles. In INDOCRYPT, pages , Jun Shao, Mn Feng, Bn Zhu, Zhenfu Cao, and Peng Lu. The securty model of undrectonal proxy re-sgnature wth prvate re-sgnature key. In ACISP, pages , Jun Shao, Guy We, Yun Lng, and Mande Xe. Undrectonal dentty-based proxy re-sgnature. In Communcatons ICC, 20 IEEE Internatonal Conference on, pages 5, june Ron Stenfeld, Josef Peprzyk, and Huaxong Wang. How to strengthen any weakly unforgeable sgnature nto a strongly unforgeable sgnature. In CT-RSA, pages , Isamu Teransh, Takuro Oyama, and Wakaha Ogata. General converson for obtanng strongly exstentally unforgeable sgnatures. In INDOCRYPT, pages 9 205, Brent Waters. Effcent dentty-based encrypton wthout random oracles. In EUROCRYPT, pages 4 27, A Proof of Securty for Scheme Theorem If there s an adversary, whch can break the strongly unforgeable scheme P RS SUF n polynomal tme, by havng q s and q rs queres to the sgn and resgn oracles and advantage ɛ wth n as the sze of the message, then the CDH problem can be broken wth advantage ɛ ɛ/44q sq s + q rsn + 2. The securty proof of the P RS SUF can be dvded nto two parts. The frst one s where we prove the securty of the underlyng sgnature scheme by smulatng a weaker form of the sgnature wth the sgn and resgn oracles. Thus we prove the scheme to be secure for any message that was not quered durng the tranng phase. We are smulatng the tranng phase for the weaker form of the re-sgnaturewthout transformaton where m or m 2 =m and prove for ts exstental unforgeablty pror to applyng the strong unforgeablty transformaton. C s gven the nput of the hard problem, g a, g b and s requred to fnd the soluton g ab from the forgery performed by the forger. Hence C embeds the hard problem nstances whle smulatng the system to the adversary, whch s descrbed as follows. Tranng Phase Setup: Consder publc key g = g a, g 2 = g b and therefore the soluton to the hard problem s fndng the secret key g a 2 = g ab. The second secret key component g a 2 2 does not nvolve n the hard problem solvng and hence s generated n a smlar fashon as n the KeyGen algorthm for each user. Let the number of bts of the message be n. Let l n = 2q s + q rs where q s, q rs are the number of queres to the sgn/resgn oracle, where l nn + < p and let k n be defned by 0 k n n. Let x 0, x,..., x n Z ln and smlarly y 0, y,..., y n Z p. Fm = x 0 + x l nk n; Jm = y 0 + U Uy
11 where U s set of all from to n, where m =. Let the parameters be u 0 = g x 0 l nk n 2.g y 0, u = g x 2.gy Therefore, the hash functon for Sgn Oracle: n m u = u 0 u m = g F m 2 g Jm l m = 2q rs where q rs are the number of queres to the resgn oracle, where l mn + < p and let k m be defned by 0 k m n. Let z 0, z,..., z n Z ln and smlarly w 0, w,..., w n Z p. Km = z 0 + U z l mk m; Lm = w 0 + U w where U s set of all from to n, where m =. Let the parameters be u 0 = g z 0 l mk m 2.g w 0, u = g z 2.gw Therefore, the hash functon for Resgn Oracle: n m v = v 0 v m = g Km 2 g Lm Hence, t s evdent from the above-mentoned steps that for any gven messagem C can calculate the respectve hash functon for the correspondng oracle. O UKeyGen: When F queres for the key generaton of user A, C does the followng. Selects an element x, ˆx R Z p. Here ˆx denotes the second secret key component. 2. Computes publc key pk A = g a g x, g ˆx = g a+x, g ˆx and sends pk A to F. Note that the prmary secret key sk A of user A, s a + x mplctly and C does not know prmary sk A whch s used for sgnng. O CKeyGen: When a query s made by F, C responds wth sk = x, ˆx and pk = g x, g ˆx of a corrupted user where x, ˆx R Z p. O ReKey: On nput wth two publc keys pk and pk j C does the followng, If both the users pk and pk j rekey between user & j are uncorrupted then C computes the rekey g xˆ j +x j x 2 where x j and x are prmary secret key components correspondng to pk and pk j. The oracle returns and aborts f ether one of the user correspondng to pk or pk j s a corrupted user. The rekey rk j s vald snce by defnton dfference of the prmary secret key component of the uncorrupted users x j x when substtuted wth ts values generated by O UKeyGen wll be of the form a + x j a + x whch s x j x. The second secret key component ˆx j wll not be an ssue, snce t s a known value to C. O Sgn: When F queres the sgn oracle for message m to be sgned by the prmary secret key of the uncorrupted user correspondng to publc key pk = g a+x. If Fm 0 Fm was defned usng the Setup, then return the followng sgnature σ = σ, σ 2 = Otherwse f Fm=0 mod p, C aborts. Jm/F m σ = g g F m 2 g Jm r.g x 2 = g a+x 2 g F m 2 g Jm a/f m g Jm g F m 2 r = g a+x 2 g F m 2 g Jm r a/f m = g x 2 gab g F m 2 g Jm r a/f m /F m σ 2 = g g r g x m 2 g Jm/F r g F m 2 g Jm g x /F m 2, g g r Correctness of Sgn oracle for uncorrupted sgnature: Ths cooked up sgnature wll satsfy the verfcaton algorthm as follows: n êσ, g =? êu 0 u m, σ 2êg 2, g where σ = g a+x 2 g F m 2 g Jm r a/f m Rght Hand Sde: = êu 0 n u m, σ 2.êg 2, g = êg F m 2 g Jm, g r a/f m.êg 2, g a+x = êg F m 2 g Jm r a/f m, g.êg a+x 2, g = êg a+x 2 g F m 2 g Jm r a/f m, g = êσ, g.
12 Note: The fact that should be remembered whle smulatng the re-sgn oracle s that for every uncorrupted user, the randomness n the sgnature s of the form ˆr=r-a/Fm and for every corrupted user t s ˆr=r where r R Z p O ReSgn: On nput the sgnature σ on message m of the user correspondng to publc key pk and the publc key pk j of the user to whom the sgnature s beng transformed to, there are 3 possbltes for the nput of ths re-sgn oracle. They are. Convertng sgnature of an uncorrupted user to the sgnature of another uncorrupted user 2. Convertng sgnature of a uncorrupted user to that of an corrupted user 3. Convertng sgnature of an corrupted user to that of a uncorrupted user C checks f Verfym, σ, pk s vald. If false C aborts, otherwse C does the followng: Consder r R Z p to be the new randomness parameter used by the ReSgn algorthm. Case : If pk and pk j are uncorrupted users, then C wll call the O ReKeypk, pk j to obtan rk j and run the ReSgn algorthm wth new randomness r Z p and returns the re-sgnature to forger F. Case 2: If pk corresponds to an uncorrupted user and pk j to a corrupted user C s requred to remove the hard problem nstance g ab whle convertng t to the corrupted user s sgnature. Hence the resultng ReSgn must contan a g ab mplctly n order to cancel out the effect and thereby makng t the sgnature of an corrupted userwhose prmary secret key s g x j 2. The nput to the ReSgn oracle for ths case s as follows: σ =< σ, σ 2 > Jm/F m σ = g g F m 2 g Jm r g x 2 gab g F m 2 g Jm r a/f m /F m σ 2 = g g r the orgnal randomness ˆr = r - a/fm. The resgnature for the corrupted user s calculated n the followng manner: Consder r Z p ˆσ = σ g x j +ˆx j 2 g Lm/Km g Km 2 g Lm r Jm/F m 2 g g Lm/Km g F m = g x j +ˆx j 2 g Jm r g Km 2 g Lm r = g x j +ˆx j 2 g ab g ab g F m 2 g Jm r a/f m g Km 2 g Lm r +a/km = g x j +ˆx j 2 g F m 2 g Jm r a/f m g Km 2 g Lm r +a/km Hence the new randomness ˆr = r + a/km. C outputs ˆσ = ˆσ, ˆσ 2, ˆσ 3 to the forger. ˆσ, ˆσ 2, ˆσ 3 = g x j +ˆx j 2 /F m ˆσ 2 = σ 2 = g g r r a/f m = g ˆσ 3 = g /Km g r = g r +a/km g F m 2 g Jm r a/f m g Km 2 g Lm r +a/km, g r a/f m, g r +a/km To be noted that the above computaton s possble only f Fm and Km 0 mod p. Otherwse, resgn oracle returns and the game aborts. Correctness of ReSgn oracle for case 2: We show the correctness of the smulated ˆσ as follows êˆσ, g? = êu 0 n ev 0 n v m2 u m, ˆσ 2., ˆσ 3.êg 2, g.êg 2, g Rght Hand Sde: = êu 0 n u m, ˆσ 2.êv 0 v m2, ˆσ 3.êg 2, g.êg 2, g = êg F m 2 g Jm, gˆr êg Km 2 g Lm, g rˆ êg 2, g x j +ˆx j = êg F m 2 g Jm ˆr, gêg Km 2 g Lm ˆ r, gêg x j +ˆx j 2, g
13 By Blnearty property of the map e: = êg x j +ˆx j 2 g F m 2 g Jm ˆr g Km 2 g Lm rˆ, g = êˆσ, g. Case 3: If pk corresponds to an corrupted user and pk j to an uncorrupted user, then the C s requred to nduce the hard problem nstance whle convertng t to the uncorrupted user s sgnature. Hence the resultng ReSgn must contan a g ab mplctly n order to nduce the effect of the hard problem and thereby makng t the sgnature of an uncorrupted userwhose prmary secret key s g x j +a 2. The nput to the ReSgn oracle for ths case s as follows: σ = g x 2.u0 u m r, g r = g x m 2 gf 2 g Jm, g r where the orgnal randomness ˆr=r. The resgnature for the uncorrupted user s calculated n the followng manner: Consder r Z p Hence the new randomness ˆr = r - a/km. C outputs ˆσ = ˆσ, ˆσ 2, ˆσ 3 ˆσ = σ g x 2 g Lm/Km g Km 2 g Lm r.g x j +ˆx j 2 = g x 2 g x 2 g Lm/Km g F m 2 g Jm r g Km 2 g Lm r.g x j +ˆx j 2 = g ab g F m 2 g Jm r g Km 2 g Lm r a/km = g x j +ˆx j 2 g ab g F m 2 g Jm r g Km 2 g Lm r a/km ˆσ 2 = σ 2 = g r ˆσ 3 = g /Km g r = g r a/km = g x j +ˆx j 2 g ab g F m 2 g Jm r g Km 2 g Lm r a/km, g r, g r a/km to the forger. To be noted that the above computaton can be performed only f Km 0 mod p. Otherwse, resgn oracle returns and the game aborts. Correctness of ReSgn oracle for case 3: We show the correctness of the smulated ˆσ as follows: Rght Hand Sde: êˆσ, g? =êu 0 n = êu 0 n u m u m, ˆσ 2êv 0, ˆσ 2êv 0 v m2 v m2, ˆσ 3êg 2, g êg 2, g, ˆσ 3êg 2, g êg 2, g = êg F m 2 g Jm, gˆr êg Km 2 g Lm, g rˆ êg 2, g a+x j êg 2, g ˆx j = êg F m 2 g Jm ˆr, gêg Km 2 g Lm rˆ, gêg a+x j +ˆx j 2, g = êg a+x j +ˆx j 2 g F m 2 g Jm ˆr g Km 2 g Lm rˆ, g = êˆσ, g. After the tranng phase, the forger F submts a Forgery : m, pk, σ for a message m correspondng to uncorrupted user s publc key pk. If F s able to come up wth a forgery for the uncorrupted user ether on the sgnature or re-sgnature, then the Challenger C usng the output of F, can fnd the soluton for the CDH hard problem. Snce the publc key pk corresponds to an uncorrupted user, the forgery wll always contan an nstance of the hard problem soluton n the sgnature. The exstental forgery on chosen message m s consdered a vald forgery f t satsfes the followng requrements:. None of the messages m among the q s sgn queres durng the tranng phase has F m 0 mod p. 2. It s requred that m s not among the Sgn and ReSgn queres n the tranng phase.
14 3. For a forgery of a re-sgnature, The condton F m 0 mod p and Km 0 mod p must satsfy n order for the C to compute the hard problem. Sgnature of uncorrupted user pk s of the followng form wth the constrant that F m 0 mod p σ, σ 2 = g x 2 gab g F m 2 g Jm r, g r Hence the soluton to the CDH problem wth respect to a new message m : σ = g x 2 gab g F m 2 g Jm r = g ab+bx +Jm r Therefore, gab+bx +Jm r = g ab g bx.g r Jm The forgery of the re-sgnature can be used to solve the CDH problem n a smlar manner. Snce the hard problem s nduced accordngly dependng on the nature of converson between the uncorrupted and corrupted users. The Re-Sgnature of uncorrupted user pk s of the followng form wth the constrant F m 0 mod p and Km 0 mod p, σ, σ 2, σ 3 = g x j +ˆx r j 2 g ab g F m 2 g Jm g Km 2 g r Lm, g r, g r Hence the soluton to the CDH problem wth respect to a new message m : σ = g x j +ˆx j 2 g ab g F m 2 g Jm r g Km 2 g Lm r = g ab+bx j +bˆx j +Jm r +Lm r Therefore, gab+bx j +bˆx j +Jm r +Lm r = g ab g bx j +bˆx j g r Jm g r Lm Hence the probablty s calculated n accordance to the game not abortng n any query of the tranng phase and obeys the condtons stated n the forgery phase. In the tranng phase, there are few nstances n the smulaton of the underlyng sgnature when the game aborts. And the forgery s only calculated f the stated condtons are met. Hence, the event of abort: Fm 0 mod p Fm 0 mod p Km 0 mod p Fm 0 mod p Km 0 mod p Hence the probablty, Pr[ abort] Pr[F m 0modp q s+q rs Km 0modp] + Pr[F m = 0 q rs F m = 0] + Pr[Km = 0 Km = 0] Calculatng the probablty of the forger wnnng the game, n a smlar fashon to that of [0] we obtan, ɛ ɛ/6q sq s + q rsn + 2 where q s and q rs s the total number of queres to the Sgn and ReSgn oracle. n s the number of bts of the message. In the noton of strong unforgeablty, the forgery can be made on any message ncludng those whch have already been sgned. We frst smulated the weaker form of the underlyng sgnaturewthout the transformaton whch was proven exstentally unforgeable,.e. only a forgery on a message whch has not been sgned before s consdered vald. Then the exstental forgery of the sgnature s used to solve the CDH problem wth a non-neglgble probablty. As stated earler, the exstental unforgeablty result of the underlyng sgnature scheme s transformed to a strongly unforgeable one usng the stated transformaton technque. Now after applyng the transformaton [5] to both the sgnature and re-sgnature algorthms, where the message bnds wth the randomness and becomes a modfed message nput to the underlyng exstentally unforgeable re-sgnature scheme. As a result the re-sgnature becomes strongly unforgeable one and the securty for the strong unforgeablty s based on the securty of the underlyng exstentally unforgeable sgnature scheme. Proof can be referred from Theorem of [5]. The way, the transformaton s setup over the underlyng proxy re-sgnature aganst the followng specal knds of adversares,. When the forgery s of the form where m = m and t = t for, 2...q s or m 2 = m 2 and t 2 = t 2 for, 2...q rs
15 2. When the forgery s of the form where m = m and t t for, 2...q s or m 2 = m 2 and t 2 t 2 for, 2...q rs 3. When m m for, 2...q s or m 2 m 2 for, 2...q rs. It s observable that the strong unforgeablty of the proxy re-sgnature follows the smlar smulaton by the C as descrbed n [5]. It can hence be proved n a smlar fashon an extenson of that n [5] that f the type 3 forger succeeds n hs attempt t wll break the underlyng exstentally unforgeable proxy re-sgnature whch has been proved above. The type forger s used to break the collson resstance of the hash functon whch s used to bnd the message and randomness and the type 2 forger can be used to solve the dscrete log problem n G. To note that the randomness of the orgnal sgnature s bound wth the message n the resgn algorthm. Ths wll retan the ntegrty of the re-sgnature and prevent t from beng splt up as ndependent components. Ths plays an mportant role to prevent the forgery on re-sgnatures. After the applcaton of the strong unforgeablty transformaton [5] to the sgnature and re-sgnature algorthms n P RS SUF to get a strongly unforgeable one, the advantage of breakng the underlyng exstentally unforgeable re-sgnature scheme reduces to /3 rd snce t s one of the three types of forgers accordng to Theorem n [5]. Snce we are applyng to both the sgn and re-sgn algorthms, the advantage reduces to /9 th. Hence the probablty of solvng the Computatonal Dffe-Hellman problem after applyng the transformaton s ɛ ɛ/44q sq s + q rsn + 2 B Proof of Securty of Scheme 2 Theorem 2 If there s an adversary, whch can break the strongly unforgeable scheme P RS2 SUF n polynomal tme, by havng q s and q rs queres to the sgn and resgn oracles and advantage ɛ wth n as the sze of the message, then the CDH problem can be broken wth advantage ɛ ɛ/32q sq s + q rsn + 2. In ths theorem we gve an overvew of the proof of securty for the strongly unforgeable scheme defned above. The proof of ths theorem cannot use the proof of tght reducton that s defned n [7] due to the flaw ponted out n [8]. In [8] t has been proved that parttonng stratergy such as [8] has an nherent securty loss of order q, where q s a polynomal. So we devate from the proof of securty n [7] and modfy t smlar to the proof n scheme. We prove the securty of ths scheme n a sngle game wth two types of adversares. Type : The ablty to forge on messages whch were not quered durng the tranng phase. Type 2: ablty to forge on any message rrespectve of beng quered or not. We wll llustrate ther formal defntons durng the proof. Informally, we are gong to prove that, suppose there exsts a t,q s, q rs, ɛ adversary that can break our strongly unforeable proxy re-sgnature scheme, then there s a challenger who can solve the computatonal Dffe-Hellman problem,.e. when gven a random tuple g, g a, g b then ts output s g ab. The ntal tranng phase of the adversary s as follows: Note: Ths scheme s proved secure aganst statc corrupton, where the corrupted enttes are set pror to the begnnng of the game. The setup algorthm s smlar to that n Theorem. The hard problem s nserted n the g a 2 secret component of the uncorrupted user. There are some extra parameters whch are to be ntroduced for the chameleon hash functon, namely, g 3 = g β, where β Z p. Tranng Phase The KeyGen and Rekey oracles for corrupted and uncorrupted users are taken n the same fashon as mentoned n Theorem-. We assume â as the secondary secret component for both corrupted and uncorrupted users wthout loss of generalty. Setup of Waters hash for the Sgn Oracle: Let the number of bts of the message be n. Let l n = 2q s + q rs where q s, q rs are the number of queres to the sgn/resgn oracle, where l nn + < p and let k n be defned by 0 k n n. Let x 0, x,..., x n Z ln and smlarly y 0, y,..., y n Z p. For setup for every th query s, F M = x 0 + x l nk n; JM = y 0 + U Uy where U s set of all from to n, where M =. Let the parameters be u 0 = g x 0 l nk n 2.g y 0, u = g x 2.gy Therefore, the hash functon for Sgn Oracle: M u = u 0 M u = g F M 2 g JM O UncorruptedSgn m, pk A : C chooses a d Z p and computes a M = H m d whch wll be used as the M as defned n the setup above. Then a random r Z p, for a gven m and computes the sgnature σ, σ 2, σ 3 as follows:
Provable Security Signatures
Provable Securty Sgnatures UCL - Louvan-la-Neuve Wednesday, July 10th, 2002 LIENS-CNRS Ecole normale supéreure Summary Introducton Sgnature FD PSS Forkng Lemma Generc Model Concluson Provable Securty -
More informationCryptanalysis of pairing-free certificateless authenticated key agreement protocol
Cryptanalyss of parng-free certfcateless authentcated key agreement protocol Zhan Zhu Chna Shp Development Desgn Center CSDDC Wuhan Chna Emal: zhuzhan0@gmal.com bstract: Recently He et al. [D. He J. Chen
More informationG /G Advanced Cryptography 12/9/2009. Lecture 14
G22.3220-001/G63.2180 Advanced Cryptography 12/9/2009 Lecturer: Yevgeny Dods Lecture 14 Scrbe: Arsteds Tentes In ths lecture we covered the Ideal/Real paradgm and the noton of UC securty. Moreover, we
More informationComments on a secure dynamic ID-based remote user authentication scheme for multiserver environment using smart cards
Comments on a secure dynamc ID-based remote user authentcaton scheme for multserver envronment usng smart cards Debao He chool of Mathematcs tatstcs Wuhan nversty Wuhan People s Republc of Chna Emal: hedebao@63com
More informationCryptanalysis of Threshold Proxy Signature Schemes 1)
MM Research Preprnts, 226 233 MMRC, AMSS, Academa Snca No. 23, December 24 Cryptanalyss of Threshold Proxy Sgnature Schemes 1) Zuo-Wen Tan and Zhuo-Jun Lu Key Laboratory of Mathematcs Mechanzaton Insttute
More informationCollege of Computer & Information Science Fall 2009 Northeastern University 20 October 2009
College of Computer & Informaton Scence Fall 2009 Northeastern Unversty 20 October 2009 CS7880: Algorthmc Power Tools Scrbe: Jan Wen and Laura Poplawsk Lecture Outlne: Prmal-dual schema Network Desgn:
More informationMessage modification, neutral bits and boomerangs
Message modfcaton, neutral bts and boomerangs From whch round should we start countng n SHA? Antone Joux DGA and Unversty of Versalles St-Quentn-en-Yvelnes France Jont work wth Thomas Peyrn 1 Dfferental
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00 No extra materal s allowed durng the exam except for pens and a smple calculator (not smartphones).
More informationA Model of Bilinear-Pairings Based Designated-Verifier Proxy Signatue Scheme*
A Model of Blnear-Parngs Based Desgnated-Verfer Proxy Sgnatue Scheme Fengyng L,, Qngshu Xue, Jpng Zhang, Zhenfu Cao Department of Educaton Informaton Technology, East Chna Normal Unversty, 0006, Shangha,
More informationCHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE
CHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE Analytcal soluton s usually not possble when exctaton vares arbtrarly wth tme or f the system s nonlnear. Such problems can be solved by numercal tmesteppng
More informationHash functions : MAC / HMAC
Hash functons : MAC / HMAC Outlne Message Authentcaton Codes Keyed hash famly Uncondtonally Secure MACs Ref: D Stnson: Cryprography Theory and Practce (3 rd ed), Chap 4. Unversal hash famly Notatons: X
More informationCalculation of time complexity (3%)
Problem 1. (30%) Calculaton of tme complexty (3%) Gven n ctes, usng exhaust search to see every result takes O(n!). Calculaton of tme needed to solve the problem (2%) 40 ctes:40! dfferent tours 40 add
More informationSpeeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem
H.K. Pathak et. al. / (IJCSE) Internatonal Journal on Computer Scence and Engneerng Speedng up Computaton of Scalar Multplcaton n Ellptc Curve Cryptosystem H. K. Pathak Manju Sangh S.o.S n Computer scence
More informationConfined Guessing: New Signatures From Standard Assumptions
Confned Guessng: New Sgnatures From Standard Assumptons Floran Böhl 1, Denns Hofhenz 1, Tbor Jager 2, Jessca Koch 1, and Chrstoph Strecks 1 1 Karlsruhe Insttute of Technology, Germany, {floran.boehl,denns.hofhenz,jessca.koch,chrstoph.strecks}@kt.edu
More informationKernel Methods and SVMs Extension
Kernel Methods and SVMs Extenson The purpose of ths document s to revew materal covered n Machne Learnng 1 Supervsed Learnng regardng support vector machnes (SVMs). Ths document also provdes a general
More informationLecture 4: Universal Hash Functions/Streaming Cont d
CSE 5: Desgn and Analyss of Algorthms I Sprng 06 Lecture 4: Unversal Hash Functons/Streamng Cont d Lecturer: Shayan Oves Gharan Aprl 6th Scrbe: Jacob Schreber Dsclamer: These notes have not been subjected
More informationA Threshold Digital Signature Issuing Scheme without Secret Communication
A Threshold Dgtal Sgnature Issung Scheme wthout Secret Communcaton Kazuo Takarag, Kunhko Myazak, Masash Takahash Systems Development Laboratory, Htach, Ltd e-mal: {takara, kunhko, takahas}@sdlhtachcop
More informationAugmented Broadcaster Identity-based Broadcast Encryption
Augmented Broadcaster Identty-based Broadcast Encrypton Janhong Zhang Yuwe Xu Zhpeng Chen Insttuton of Image Processng and Pattern Recognton North Chna Unversty of Technology Bejng Chna 100144 ywxupaper@163com
More informationComment on An arbitrated quantum signature scheme. with fast signing and verifying
Comment on n arbtrated quantum sgnature scheme wth fast sgnng and verfyng Y-Png Luo and Tzonelh Hwang * Department of Computer cence and Informaton Engneerng, Natonal Cheng ung Unversty, No, Unversty Rd,
More informationFinding Malleability in NTRUSign
Fndng Malleablty n TRUSgn SungJun Mn, Go Yamamoto, and Kwangjo Km Auto-ID Labs Whte Paper WP-HARDWARE-33 Sungjun Mn Senor Researcher, atonal Computerzaton Agency Go Yamamoto Senor Researcher, Informaton
More informationFoundations of Arithmetic
Foundatons of Arthmetc Notaton We shall denote the sum and product of numbers n the usual notaton as a 2 + a 2 + a 3 + + a = a, a 1 a 2 a 3 a = a The notaton a b means a dvdes b,.e. ac = b where c s an
More informationAnonymous Identity-Based Broadcast Encryption with Revocation for File Sharing
Anonymous Identty-Based Broadcast Encrypton wth Revocaton for Fle Sharng Janchang La, Y Mu, Fuchun Guo, Wlly Suslo, and Rongmao Chen Centre for Computer and Informaton Securty Research, School of Computng
More information3.1 Expectation of Functions of Several Random Variables. )' be a k-dimensional discrete or continuous random vector, with joint PMF p (, E X E X1 E X
Statstcs 1: Probablty Theory II 37 3 EPECTATION OF SEVERAL RANDOM VARIABLES As n Probablty Theory I, the nterest n most stuatons les not on the actual dstrbuton of a random vector, but rather on a number
More informationDifference Equations
Dfference Equatons c Jan Vrbk 1 Bascs Suppose a sequence of numbers, say a 0,a 1,a,a 3,... s defned by a certan general relatonshp between, say, three consecutve values of the sequence, e.g. a + +3a +1
More informationCHAPTER III Neural Networks as Associative Memory
CHAPTER III Neural Networs as Assocatve Memory Introducton One of the prmary functons of the bran s assocatve memory. We assocate the faces wth names, letters wth sounds, or we can recognze the people
More informationFinding Primitive Roots Pseudo-Deterministically
Electronc Colloquum on Computatonal Complexty, Report No 207 (205) Fndng Prmtve Roots Pseudo-Determnstcally Ofer Grossman December 22, 205 Abstract Pseudo-determnstc algorthms are randomzed search algorthms
More informationThe Order Relation and Trace Inequalities for. Hermitian Operators
Internatonal Mathematcal Forum, Vol 3, 08, no, 507-57 HIKARI Ltd, wwwm-hkarcom https://doorg/0988/mf088055 The Order Relaton and Trace Inequaltes for Hermtan Operators Y Huang School of Informaton Scence
More information6.842 Randomness and Computation February 18, Lecture 4
6.842 Randomness and Computaton February 18, 2014 Lecture 4 Lecturer: Rontt Rubnfeld Scrbe: Amartya Shankha Bswas Topcs 2-Pont Samplng Interactve Proofs Publc cons vs Prvate cons 1 Two Pont Samplng 1.1
More informationCOS 511: Theoretical Machine Learning. Lecturer: Rob Schapire Lecture # 15 Scribe: Jieming Mao April 1, 2013
COS 511: heoretcal Machne Learnng Lecturer: Rob Schapre Lecture # 15 Scrbe: Jemng Mao Aprl 1, 013 1 Bref revew 1.1 Learnng wth expert advce Last tme, we started to talk about learnng wth expert advce.
More informationProblem Set 9 Solutions
Desgn and Analyss of Algorthms May 4, 2015 Massachusetts Insttute of Technology 6.046J/18.410J Profs. Erk Demane, Srn Devadas, and Nancy Lynch Problem Set 9 Solutons Problem Set 9 Solutons Ths problem
More informationThe Minimum Universal Cost Flow in an Infeasible Flow Network
Journal of Scences, Islamc Republc of Iran 17(2): 175-180 (2006) Unversty of Tehran, ISSN 1016-1104 http://jscencesutacr The Mnmum Unversal Cost Flow n an Infeasble Flow Network H Saleh Fathabad * M Bagheran
More informationNotes on Frequency Estimation in Data Streams
Notes on Frequency Estmaton n Data Streams In (one of) the data streamng model(s), the data s a sequence of arrvals a 1, a 2,..., a m of the form a j = (, v) where s the dentty of the tem and belongs to
More informationSecure and practical identity-based encryption
Secure and practcal dentty-based encrypton D. Naccache Abstract: A varant of Waters dentty-based encrypton scheme wth a much smaller system parameters sze (only a few klobytes) s presented. It s shown
More informationAggregate Message Authentication Codes
Aggregate Message Authentcaton Codes Jonathan Katz Dept. of Computer Scence Unversty of Maryland, USA. jkatz@cs.umd.edu Yehuda Lndell Dept. of Computer Scence Bar-Ilan Unversty, Israel. lndell@cs.bu.ac.l.
More informationTHE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens
THE CHINESE REMAINDER THEOREM KEITH CONRAD We should thank the Chnese for ther wonderful remander theorem. Glenn Stevens 1. Introducton The Chnese remander theorem says we can unquely solve any par of
More informationMin Cut, Fast Cut, Polynomial Identities
Randomzed Algorthms, Summer 016 Mn Cut, Fast Cut, Polynomal Identtes Instructor: Thomas Kesselhem and Kurt Mehlhorn 1 Mn Cuts n Graphs Lecture (5 pages) Throughout ths secton, G = (V, E) s a mult-graph.
More informationParametric fractional imputation for missing data analysis. Jae Kwang Kim Survey Working Group Seminar March 29, 2010
Parametrc fractonal mputaton for mssng data analyss Jae Kwang Km Survey Workng Group Semnar March 29, 2010 1 Outlne Introducton Proposed method Fractonal mputaton Approxmaton Varance estmaton Multple mputaton
More informationMaximizing the number of nonnegative subsets
Maxmzng the number of nonnegatve subsets Noga Alon Hao Huang December 1, 213 Abstract Gven a set of n real numbers, f the sum of elements of every subset of sze larger than k s negatve, what s the maxmum
More information12. The Hamilton-Jacobi Equation Michael Fowler
1. The Hamlton-Jacob Equaton Mchael Fowler Back to Confguraton Space We ve establshed that the acton, regarded as a functon of ts coordnate endponts and tme, satsfes ( ) ( ) S q, t / t+ H qpt,, = 0, and
More informationAssortment Optimization under MNL
Assortment Optmzaton under MNL Haotan Song Aprl 30, 2017 1 Introducton The assortment optmzaton problem ams to fnd the revenue-maxmzng assortment of products to offer when the prces of products are fxed.
More information1 The Mistake Bound Model
5-850: Advanced Algorthms CMU, Sprng 07 Lecture #: Onlne Learnng and Multplcatve Weghts February 7, 07 Lecturer: Anupam Gupta Scrbe: Bryan Lee,Albert Gu, Eugene Cho he Mstake Bound Model Suppose there
More informationLecture 12: Discrete Laplacian
Lecture 12: Dscrete Laplacan Scrbe: Tanye Lu Our goal s to come up wth a dscrete verson of Laplacan operator for trangulated surfaces, so that we can use t n practce to solve related problems We are mostly
More informationResource Allocation with a Budget Constraint for Computing Independent Tasks in the Cloud
Resource Allocaton wth a Budget Constrant for Computng Independent Tasks n the Cloud Wemng Sh and Bo Hong School of Electrcal and Computer Engneerng Georga Insttute of Technology, USA 2nd IEEE Internatonal
More informationCOS 521: Advanced Algorithms Game Theory and Linear Programming
COS 521: Advanced Algorthms Game Theory and Lnear Programmng Moses Charkar February 27, 2013 In these notes, we ntroduce some basc concepts n game theory and lnear programmng (LP). We show a connecton
More informationAnonymous identity-based broadcast encryption with revocation for file sharing
Unversty of Wollongong Research Onlne Faculty of Engneerng and Informaton Scences - Papers: Part A Faculty of Engneerng and Informaton Scences 2016 Anonymous dentty-based broadcast encrypton wth revocaton
More informationA Robust Method for Calculating the Correlation Coefficient
A Robust Method for Calculatng the Correlaton Coeffcent E.B. Nven and C. V. Deutsch Relatonshps between prmary and secondary data are frequently quantfed usng the correlaton coeffcent; however, the tradtonal
More informationModule 3 LOSSY IMAGE COMPRESSION SYSTEMS. Version 2 ECE IIT, Kharagpur
Module 3 LOSSY IMAGE COMPRESSION SYSTEMS Verson ECE IIT, Kharagpur Lesson 6 Theory of Quantzaton Verson ECE IIT, Kharagpur Instructonal Objectves At the end of ths lesson, the students should be able to:
More informationStructure and Drive Paul A. Jensen Copyright July 20, 2003
Structure and Drve Paul A. Jensen Copyrght July 20, 2003 A system s made up of several operatons wth flow passng between them. The structure of the system descrbes the flow paths from nputs to outputs.
More informationOn a CCA2-secure variant of McEliece in the standard model
On a CCA2-secure varant of McElece n the standard model Edoardo Perschett Department of Mathematcs, Unversty of Auckland, New Zealand. e.perschett@math.auckland.ac.nz Abstract. We consder publc-key encrypton
More informationECE559VV Project Report
ECE559VV Project Report (Supplementary Notes Loc Xuan Bu I. MAX SUM-RATE SCHEDULING: THE UPLINK CASE We have seen (n the presentaton that, for downlnk (broadcast channels, the strategy maxmzng the sum-rate
More informationProxy Re-Signature Schemes without Random Oracles
An extended abstract of this paper appears in Indocrypt 2007, K. Srinathan, C. Pandu Rangan, M. Yung (Eds.), volume 4859 of LNCS, pp. 97-209, Sringer-Verlag, 2007. Proxy Re-Signature Schemes without Random
More informationErrors for Linear Systems
Errors for Lnear Systems When we solve a lnear system Ax b we often do not know A and b exactly, but have only approxmatons  and ˆb avalable. Then the best thng we can do s to solve ˆx ˆb exactly whch
More informationBorn and raised distributively: Fully distributed non-interactive adaptively-secure threshold signatures with short shares
Publshed n Theoretcal Computer Scence, 645: 24, 206 Born and rased dstrbutvely: Fully dstrbuted non-nteractve adaptvely-secure threshold sgnatures wth short shares Benoît Lbert Ecole Normale Supéreure
More informationTemperature. Chapter Heat Engine
Chapter 3 Temperature In prevous chapters of these notes we ntroduced the Prncple of Maxmum ntropy as a technque for estmatng probablty dstrbutons consstent wth constrants. In Chapter 9 we dscussed the
More informationLecture 4: November 17, Part 1 Single Buffer Management
Lecturer: Ad Rosén Algorthms for the anagement of Networs Fall 2003-2004 Lecture 4: November 7, 2003 Scrbe: Guy Grebla Part Sngle Buffer anagement In the prevous lecture we taled about the Combned Input
More informationEfficient Ring Signatures Without Random Oracles
Effcent Rng Sgnatures Wthout Random Oracles Hovav Shacham hovav.shacham@wezmann.ac.l Brent Waters bwaters@csl.sr.com Abstract We descrbe the frst effcent rng sgnature scheme secure, wthout random oracles,
More informationNote on EM-training of IBM-model 1
Note on EM-tranng of IBM-model INF58 Language Technologcal Applcatons, Fall The sldes on ths subject (nf58 6.pdf) ncludng the example seem nsuffcent to gve a good grasp of what s gong on. Hence here are
More informationCOMPARISON OF SOME RELIABILITY CHARACTERISTICS BETWEEN REDUNDANT SYSTEMS REQUIRING SUPPORTING UNITS FOR THEIR OPERATIONS
Avalable onlne at http://sck.org J. Math. Comput. Sc. 3 (3), No., 6-3 ISSN: 97-537 COMPARISON OF SOME RELIABILITY CHARACTERISTICS BETWEEN REDUNDANT SYSTEMS REQUIRING SUPPORTING UNITS FOR THEIR OPERATIONS
More informationNumerical Heat and Mass Transfer
Master degree n Mechancal Engneerng Numercal Heat and Mass Transfer 06-Fnte-Dfference Method (One-dmensonal, steady state heat conducton) Fausto Arpno f.arpno@uncas.t Introducton Why we use models and
More information2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification
E395 - Pattern Recognton Solutons to Introducton to Pattern Recognton, Chapter : Bayesan pattern classfcaton Preface Ths document s a soluton manual for selected exercses from Introducton to Pattern Recognton
More informationChapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems
Numercal Analyss by Dr. Anta Pal Assstant Professor Department of Mathematcs Natonal Insttute of Technology Durgapur Durgapur-713209 emal: anta.bue@gmal.com 1 . Chapter 5 Soluton of System of Lnear Equatons
More informationNP-Completeness : Proofs
NP-Completeness : Proofs Proof Methods A method to show a decson problem Π NP-complete s as follows. (1) Show Π NP. (2) Choose an NP-complete problem Π. (3) Show Π Π. A method to show an optmzaton problem
More informationSubset Topological Spaces and Kakutani s Theorem
MOD Natural Neutrosophc Subset Topologcal Spaces and Kakutan s Theorem W. B. Vasantha Kandasamy lanthenral K Florentn Smarandache 1 Copyrght 1 by EuropaNova ASBL and the Authors Ths book can be ordered
More informationCS : Algorithms and Uncertainty Lecture 17 Date: October 26, 2016
CS 29-128: Algorthms and Uncertanty Lecture 17 Date: October 26, 2016 Instructor: Nkhl Bansal Scrbe: Mchael Denns 1 Introducton In ths lecture we wll be lookng nto the secretary problem, and an nterestng
More informationA new Approach for Solving Linear Ordinary Differential Equations
, ISSN 974-57X (Onlne), ISSN 974-5718 (Prnt), Vol. ; Issue No. 1; Year 14, Copyrght 13-14 by CESER PUBLICATIONS A new Approach for Solvng Lnear Ordnary Dfferental Equatons Fawz Abdelwahd Department of
More information12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA. 4. Tensor product
12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA Here s an outlne of what I dd: (1) categorcal defnton (2) constructon (3) lst of basc propertes (4) dstrbutve property (5) rght exactness (6) localzaton
More informationCSci 6974 and ECSE 6966 Math. Tech. for Vision, Graphics and Robotics Lecture 21, April 17, 2006 Estimating A Plane Homography
CSc 6974 and ECSE 6966 Math. Tech. for Vson, Graphcs and Robotcs Lecture 21, Aprl 17, 2006 Estmatng A Plane Homography Overvew We contnue wth a dscusson of the major ssues, usng estmaton of plane projectve
More information(1 ) (1 ) 0 (1 ) (1 ) 0
Appendx A Appendx A contans proofs for resubmsson "Contractng Informaton Securty n the Presence of Double oral Hazard" Proof of Lemma 1: Assume that, to the contrary, BS efforts are achevable under a blateral
More informationLinearly Homomorphic Structure-Preserving Signatures and Their Applications
Lnearly Homomorphc Structure-Preservng Sgnatures and Ther Applcatons Benoît Lbert 1, Thomas Peters 2, Marc Joye 1, and Mot Yung 3 1 Techncolor (France) 2 Unversté catholque de Louvan, Crypto Group (Belgum)
More informationThe Second Anti-Mathima on Game Theory
The Second Ant-Mathma on Game Theory Ath. Kehagas December 1 2006 1 Introducton In ths note we wll examne the noton of game equlbrum for three types of games 1. 2-player 2-acton zero-sum games 2. 2-player
More informationAttacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction
Attacks on RSA The Rabn Cryptosystem Semantc Securty of RSA Cryptology, Tuesday, February 27th, 2007 Nls Andersen Square Roots modulo n Complexty Theoretc Reducton Factorng Algorthms Pollard s p 1 Pollard
More informationGeneralized Linear Methods
Generalzed Lnear Methods 1 Introducton In the Ensemble Methods the general dea s that usng a combnaton of several weak learner one could make a better learner. More formally, assume that we have a set
More informationVQ widely used in coding speech, image, and video
at Scalar quantzers are specal cases of vector quantzers (VQ): they are constraned to look at one sample at a tme (memoryless) VQ does not have such constrant better RD perfomance expected Source codng
More informationConstant-Size Structure-Preserving Signatures Generic Constructions and Simple Assumptions
Constant-Sze Structure-Preservng Sgnatures Generc Constructons and Smple Assumptons Masayuk Abe Melssa Chase Bernardo Davd Markulf Kohlwess Ryo Nshmak Myako Ohkubo NTT Secure Platform Laboratores, NTT
More informationAlgebraic partitioning: Fully compact and (almost) tightly secure cryptography
Algebrac parttonng: Fully compact and (almost) tghtly secure cryptography Denns Hofhenz October 12, 2015 Abstract We descrbe a new technque for conductng parttonng arguments. Parttonng arguments are a
More informationPassword Based Key Exchange With Mutual Authentication
Password Based Key Exchange Wth Mutual Authentcaton Shaoquan Jang and Guang Gong Department of Electrcal and Computer Engneerng Unversty of Waterloo Waterloo, Ontaro N2L 3G1, CANADA Emal:{angshq,ggong}@callope.uwaterloo.ca
More informationSeparable Linkable Threshold Ring Signatures
Separable Lnkable Threshold Rng Sgnatures Patrck P. Tsang 1, Vctor K. We 1, Tony K. Chan 1, Man Ho Au 1, Joseph K. Lu 1, and Duncan S. Wong 2 1 Department of Informaton Engneerng The Chnese Unversty of
More informationTightly CCA-Secure Encryption without Pairings
Tghtly CCA-Secure Encrypton wthout Parngs Roman Gay 1,, Denns Hofhenz 2,, Eke Kltz 3,, and Hoeteck Wee 1, 1 ENS, Pars, France rgay,wee@d.ens.fr 2 Ruhr-Unverstät Bochum, Bochum, Germany eke.kltz@rub.de
More informationFinding Dense Subgraphs in G(n, 1/2)
Fndng Dense Subgraphs n Gn, 1/ Atsh Das Sarma 1, Amt Deshpande, and Rav Kannan 1 Georga Insttute of Technology,atsh@cc.gatech.edu Mcrosoft Research-Bangalore,amtdesh,annan@mcrosoft.com Abstract. Fndng
More informationSome Consequences. Example of Extended Euclidean Algorithm. The Fundamental Theorem of Arithmetic, II. Characterizing the GCD and LCM
Example of Extended Eucldean Algorthm Recall that gcd(84, 33) = gcd(33, 18) = gcd(18, 15) = gcd(15, 3) = gcd(3, 0) = 3 We work backwards to wrte 3 as a lnear combnaton of 84 and 33: 3 = 18 15 [Now 3 s
More informationFREQUENCY DISTRIBUTIONS Page 1 of The idea of a frequency distribution for sets of observations will be introduced,
FREQUENCY DISTRIBUTIONS Page 1 of 6 I. Introducton 1. The dea of a frequency dstrbuton for sets of observatons wll be ntroduced, together wth some of the mechancs for constructng dstrbutons of data. Then
More informationLecture 14: Bandits with Budget Constraints
IEOR 8100-001: Learnng and Optmzaton for Sequental Decson Makng 03/07/16 Lecture 14: andts wth udget Constrants Instructor: Shpra Agrawal Scrbed by: Zhpeng Lu 1 Problem defnton In the regular Mult-armed
More informationA Novel Feistel Cipher Involving a Bunch of Keys supplemented with Modular Arithmetic Addition
(IJACSA) Internatonal Journal of Advanced Computer Scence Applcatons, A Novel Festel Cpher Involvng a Bunch of Keys supplemented wth Modular Arthmetc Addton Dr. V.U.K Sastry Dean R&D, Department of Computer
More informationTransfer Functions. Convenient representation of a linear, dynamic model. A transfer function (TF) relates one input and one output: ( ) system
Transfer Functons Convenent representaton of a lnear, dynamc model. A transfer functon (TF) relates one nput and one output: x t X s y t system Y s The followng termnology s used: x y nput output forcng
More informationANSWERS. Problem 1. and the moment generating function (mgf) by. defined for any real t. Use this to show that E( U) var( U)
Econ 413 Exam 13 H ANSWERS Settet er nndelt 9 deloppgaver, A,B,C, som alle anbefales å telle lkt for å gøre det ltt lettere å stå. Svar er gtt . Unfortunately, there s a prntng error n the hnt of
More informationInformation-Theoretic Timed-Release Security: Key-Agreement, Encryption, and Authentication Codes
Informaton-Theoretc Tmed-Release Securty: Key-Agreement, Encrypton, and Authentcaton Codes Yohe Watanabe, Takenobu Seto, Junj Shkata Graduate School of Envronment and Informaton Scences, Yokohama Natonal
More informationLecture 4. Instructor: Haipeng Luo
Lecture 4 Instructor: Hapeng Luo In the followng lectures, we focus on the expert problem and study more adaptve algorthms. Although Hedge s proven to be worst-case optmal, one may wonder how well t would
More informationLecture Notes on Linear Regression
Lecture Notes on Lnear Regresson Feng L fl@sdueducn Shandong Unversty, Chna Lnear Regresson Problem In regresson problem, we am at predct a contnuous target value gven an nput feature vector We assume
More informationAppendix B: Resampling Algorithms
407 Appendx B: Resamplng Algorthms A common problem of all partcle flters s the degeneracy of weghts, whch conssts of the unbounded ncrease of the varance of the mportance weghts ω [ ] of the partcles
More informationCryptographic Protocols
Cryptographc Protocols Entty Authentcaton Key Agreement Fat-Shamr Identfcaton Schemes Zero-Knowledge Proof Systems Shnorr s Identfcaton/Sgnature Scheme Commtment Schemes Secret Sharng Electronc Electon
More informationApplication of Nonbinary LDPC Codes for Communication over Fading Channels Using Higher Order Modulations
Applcaton of Nonbnary LDPC Codes for Communcaton over Fadng Channels Usng Hgher Order Modulatons Rong-Hu Peng and Rong-Rong Chen Department of Electrcal and Computer Engneerng Unversty of Utah Ths work
More informationAffine transformations and convexity
Affne transformatons and convexty The purpose of ths document s to prove some basc propertes of affne transformatons nvolvng convex sets. Here are a few onlne references for background nformaton: http://math.ucr.edu/
More informationCommunication Complexity 16:198: February Lecture 4. x ij y ij
Communcaton Complexty 16:198:671 09 February 2010 Lecture 4 Lecturer: Troy Lee Scrbe: Rajat Mttal 1 Homework problem : Trbes We wll solve the thrd queston n the homework. The goal s to show that the nondetermnstc
More informationLecture 10: May 6, 2013
TTIC/CMSC 31150 Mathematcal Toolkt Sprng 013 Madhur Tulsan Lecture 10: May 6, 013 Scrbe: Wenje Luo In today s lecture, we manly talked about random walk on graphs and ntroduce the concept of graph expander,
More informationIntroduction to Vapor/Liquid Equilibrium, part 2. Raoult s Law:
CE304, Sprng 2004 Lecture 4 Introducton to Vapor/Lqud Equlbrum, part 2 Raoult s Law: The smplest model that allows us do VLE calculatons s obtaned when we assume that the vapor phase s an deal gas, and
More informationSection 8.3 Polar Form of Complex Numbers
80 Chapter 8 Secton 8 Polar Form of Complex Numbers From prevous classes, you may have encountered magnary numbers the square roots of negatve numbers and, more generally, complex numbers whch are the
More informationDecentralized Multi-Client Functional Encryption for Inner Product
Ths paper s a slght varant of the Extended Abstract that appears n Advances n Cryptology ASIACRYPT 2018 (December 2 6, Brsbane, Australa) Sprnger-Verlag, LNCS?????, pages??????. Decentralzed Mult-Clent
More informationA New Refinement of Jacobi Method for Solution of Linear System Equations AX=b
Int J Contemp Math Scences, Vol 3, 28, no 17, 819-827 A New Refnement of Jacob Method for Soluton of Lnear System Equatons AX=b F Naem Dafchah Department of Mathematcs, Faculty of Scences Unversty of Gulan,
More informationOutline. Communication. Bellman Ford Algorithm. Bellman Ford Example. Bellman Ford Shortest Path [1]
DYNAMIC SHORTEST PATH SEARCH AND SYNCHRONIZED TASK SWITCHING Jay Wagenpfel, Adran Trachte 2 Outlne Shortest Communcaton Path Searchng Bellmann Ford algorthm Algorthm for dynamc case Modfcatons to our algorthm
More informationPsychology 282 Lecture #24 Outline Regression Diagnostics: Outliers
Psychology 282 Lecture #24 Outlne Regresson Dagnostcs: Outlers In an earler lecture we studed the statstcal assumptons underlyng the regresson model, ncludng the followng ponts: Formal statement of assumptons.
More information