Conversions among Several Classes of Predicate Encryption and Applications to ABE with Various Compactness Tradeoffs
Size: px
Start display at page:

Download "Conversions among Several Classes of Predicate Encryption and Applications to ABE with Various Compactness Tradeoffs"

Transcription

1 Conversions among Several Classes of Predicate Encrytion and Alications to ABE with Various Comactness Tradeoffs Nuttaong Attraadung, Goichiro Hanaoka, and Shota Yamada National Institute of Advanced Industrial Science and Technology (AIST). {n.attraadung, hanaoka-goichiro, Abstract. Predicate encrytion is an advanced form of ublic-key encrytion that yields high flexibility in terms of access control. In the literature, many redicate encrytion schemes have been roosed such as fuzzy-ibe, KP-ABE, CP- ABE, (doubly) satial encrytion (DSE), and ABE for arithmetic san rograms. In this aer, we study relations among them and show that some of them are in fact equivalent by giving conversions among them. More secifically, our main contributions are as follows: We show that monotonic, small universe KP-ABE (CP-ABE) with bounds on the size of attribute sets and san rograms (or linear secret sharing matrix) can be converted into DSE. Furthermore, we show that DSE imlies nonmonotonic CP-ABE (and KP-ABE) with the same bounds on arameters. This imlies that monotonic/non-monotonic KP/CP-ABE (with the bounds) and DSE are all equivalent in the sense that one imlies another. We also show that if we start from KP-ABE without bounds on the size of san rograms (but bounds on the size of attribute sets), we can obtain ABE for arithmetic san rograms. The other direction is also shown: ABE for arithmetic san rograms can be converted into KP-ABE. These results imly, somewhat surrisingly, KP-ABE without bounds on san rogram sizes is in fact equivalent to ABE for arithmetic san rograms, which was thought to be more exressive or at least incomarable. By alying these conversions to existing schemes, we obtain many non-trivial consequences. We obtain the first non-monotonic, large universe CP-ABE (that suorts san rograms) with constant-size cihertexts, the first KP-ABE with constant-size rivate keys, the first (adatively-secure, multi-use) ABE for arithmetic san rograms with constant-size cihertexts, and more. We also obtain the first attribute-based signature scheme that suorts non-monotone san rograms and achieves constant-size signatures via our techniques. Keywords. Attribute-based encrytion, doubly satial encrytion, generic conversion, constant-size cihertexts, constant-size keys, arithmetic san rograms 1 Introduction Predicate encrytion (PE) is an advanced form of ublic-key encrytion that allows much flexibility. Instead of encryting data to a target reciient, a sender will secify in a more general way about who should be able to view the message. In redicate encrytion for a redicate R, a sender can associate a cihertext with a cihertext attribute X

2 2 while a rivate key is associated with a key attribute Y. Such a cihertext can then be decryted by such a key if the redicate evaluation R(X, Y ) holds true. There exist many classes of PE, each is defined by secifying a corresonding class of redicates. One notable class is attribute-based encrytion (ABE) [41,26] for san rograms (or equivalently, linear secret sharing schemes), of which redicate is defined over key attributes being a san rogram and cihertext attributes being a set of attributes, and its evaluation holds true if the san rogram accets the set. This is called key-olicy ABE (KP-ABE). There is also cihertext-olicy ABE (CP-ABE), where the roles of key and cihertext attributes are exchanged. Another imortant class is doubly satial encrytion (DSE) [27], of which redicate is defined over both key and cihertext attributes being affine subsaces, and its evaluation holds true if both subsaces intersect. Very recently, a new imortant class of PE, that is called attribute encrytion for arithmetic san rograms is defined in [30]. They showed such a PE scheme is useful by demonstrating that the scheme can be efficiently converted into ABE for arithmetic branching rograms for both zero-tye and non-zero tye redicates. If the scheme satisfies a certain requirement for efficiency (namely, encrytion cost is at most linear in cihertext redicate size), it is also ossible to obtain a ublicly verifiable delegation scheme for arithmetic branching rograms, by exloiting a conversion shown in [39]. Furthermore, they gave a concrete construction of such scheme. Comared to secific constructions of redicate encrytion [32,33,35,45,23,21] (to name just a few) that focus on achieving more exressive redicates and/or stronger security guarantee, relations among redicate encrytion schemes are much less investigated. The urose of this aer is to imrove our understanding of relations among them. 1.1 Our Results Relations among PE. Towards the goal above, we study relations among PE and show that some of them are in fact equivalent by giving generic conversion among them. We first investigate the relation among ABE with some bounds on arameters (the size of attribute sets and the size of san rograms) and DSE. We have the following results: First, we show a conversion from KP-ABE (or CP-ABE) with the bounds on arameters into DSE (without key delegation, in Section 3). Such an imlication is not straightforward in the first lace. Intuitively, one reason stems from the different nature between both redicates: while DSE can be considered as an algebraic object that involves affine saces, ABE can be seen as a somewhat more combinatorial object that involves sets (of attributes). Our aroach involves some new technique for rogramming a set associated to a cihertext and a san rogram associated to a rivate key in the KP-ABE scheme so that they can emulate the relation for doubly satial encrytion. We then extend the result of [27], which showed that DSE imlies CP/KP-ABE with large universes. We rovide a new conversion from DSE (without delegation) to non-monotonic CP/KP-ABE with large universes (in Section 4). We note that the resulting schemes obtained by the above conversions have some bounds on arameters. In the conversion, we extensively use a secial form of olynomial introduced in [31] and carefully design a matrix so that DSE can cature a relation for ABE.

3 3 non-mono,large ( k,,, ) KP-ABE Full version. non-mono,large ( k,,, ) CP-ABE Full version trivial KASP CASP trivial Sect. 5 Sect. 5 mono,small ( k,,, ) KP-ABE mono,small ( k,,, ) CP-ABE trivial Sect. 3 Sect. 3 trivial mono,small ( k, l, m, ϕ) KP-ABE n-dse mono,small ( k, l, m, ϕ) CP-ABE trivial [27] [27] trivial mono,large ( k, l, m, ϕ) KP-ABE trivial Sect. 4 non-mono,large ( k, l, m, ϕ) KP-ABE mono,large ( k, l, m, ϕ) CP-ABE Sect. 4 trivial non-mono,large ( k, l, m, ϕ) CP-ABE Fig. 1. Relations among redicate encrytion rimitives. In this figure, arrows indicate conversions that transform the rimitive of the starting oint to that of the end oint. The red arrows indicate our results in this aer. For ABE, mono and non-mono indicate whether it is monotonic or non-monotonic, while small and large indicate whether the attribute universes are large (i.e., exonentially large) or small (i.e., olynomially bounded). ( k, l, m, ϕ) secify bounds on size of sets of attributes and san rograms. See Section 2.1 for details. As a result, rimitives inside each dashed box are all equivalent in the sense there is a conversion between each air. Somewhat surrisingly, by combining the above results, we obtain generic conversions that can boost the functionality of (bounded) ABE: from monotonic to non-monotonic, and from small-universe to large-universe; moreover, we also obtain conversions which transform ABE to its dual (key-olicy to cihertext-olicy, and vice versa). This imlies that they are essentially equivalent in some sense. See Figure 1 for the details. So far, we have considered ABE schemes with bounds on arameters, esecially on the size of san rograms. We then roceed to investigate relation among ABE schemes without bounds on the size of san rograms (but with a bound on the size of attribute sets) and ABE for arithmetic san rograms recently introduced and studied by Ishai and Wee [30]. We call the latter key-olicy ABE for arithmetic san rograms (KASP), since in the latter, a cihertext is associated with a vector while a rivate key is associated with an arithmetic san rogram which secifies a olicy. By exchanging key and cihertext attribute, we can also define cihertext-olicy version of ABE for arithmetic san rogram (CASP). We have the following results: We show that monotonic KP-ABE with small universe (without bound on the size of san rograms) can be converted into KASP (in Section 5). The idea for the conversion is similar to that in Section 3. In the full version of the aer [4], we also investigate the converse direction. In fact, we show somewhat stronger result. That is, KASP can be converted into non-

4 4 monotonic KP-ABE with large universe, which trivially imlies monotonic KP-ABE with small universe. The idea for the conversion is similar to that in Section 4. Given the above results, we have all of the following are equivalent: monotonic KP- ABE with small universe, non-monotonic KP-ABE with large universe, and KASP. Similar imlications hold for the case of CP-ABE and CASP. However, we do not have a conversion from KP-ABE to CP-ABE in this case. Again, see Figure 1 for the details. Direct Alications: New Instantiations. By alying our conversions to existing schemes, we obtain many new instantiations. Most of them have new roerties that were not achieved before. These include the first DSE with constant-size ublic key, the first DSE with constant-size cihertexts, the first DSE with constant-size rivate keys, the first non-monotonic, large-universe CP-ABE with constant-size cihertexts, the first non-monotonic, large-universe KP-ABE with constant-size keys, the first KASP, CASP with constant-size ublic key, the first KASP, CASP with adative security and unbounded multi-use, the first KASP with constant-size cihertexts, the first CASP with constant-size keys, which together offer various comactness tradeoffs. Previously, all DSE schemes require linear (or more) sizes in all arameters [27,18,15]. Previous CP-ABE with constantsize cihertexts [20,14,22,13] can only deal with threshold or even more limited exressiveness. As for KP-ABE, to the best of our knowledge, there were no constructions with constant-size keys. 1 Previous KASP and CASP [30,17] require linear sizes in all arameters. Moreover, the adatively secure schemes [17] suort only attribute oneuse. See Section 6 and tables therein for our instantiations and comarisons. Alication to Attribute-Based Signatures. Our technique is also useful in the settings of attribute-based signatures (ABS) [36,37]. We first define a notion that we call redicate signature (PS) which is a signature analogue of PE. Then, we construct a secific PS scheme with constant-size signatures such that a signature is associated with a set of attributes while a rivate key is associated with a olicy (or monotone san rograms). This is in some sense a dual notion of ordinary ABS in which a signature is associated with a olicy and a rivate key with a set. By using the technique develoed in the above, we can convert the PS scheme into an ABS scheme. As a result, we obtain the first ABS scheme with constant-size signatures. Previous ABS schemes with constant-size signatures [28,13] only suort threshold or more limited olicies. Finally, we remark that although our conversions are feasible, they often introduce olynomial-size overheads to some arameters. Thus, in most cases, above schemes obtained by the conversions should be seen as feasibility results in the sense that they might not be totally efficient. As a future direction, it would be interesting to construct more efficient schemes directly. 1 KP-ABE with (asymtotically) short keys was also roosed in [10]. Comared to ours, their key size is not constant but they focus on more exressive ABE, namely ABE for circuits.

5 5 1.2 Related Works There are several revious works investigating relations among PE rimitives. In [25], a black box searation between threshold redicate encrytion (fuzzy IBE) and IBE was shown. They also rule out certain natural constructions of PE for NC 1 from PE for AC 0. In [16], it was shown that hierarchical inner roduct encrytion is equivalent to satial encrytion, which is a secial case of doubly satial encrytion. [24] showed a generic conversion from KP-ABE suorting threshold formulae to CP-ABE suorting threshold formulae. Their result and ours are incomarable. Our KP-ABE to CP-ABE conversion requires the original KP-ABE to suort monotone san rograms, which is a stronger requirement than [24]. On the other hand, the resulting scheme obtained by our conversion suorts non-monotone san rograms, which is a wider class than threshold formulae 2. Thus, by alying our conversion, we can obtain new schemes (such as CP-ABE suorting non-monotone san rograms with constant-size cihertext) that is not ossible to obtain by the conversion by [24]. In recent works [2,6], it is shown that PE satisfying certain secific temlate can be converted into PE for its dual redicate. In articular, it yields KP-ABE-to-CP-ABE conversion. Again, their result and ours are incomarable. On the one hand, schemes obtained from their conversion are tyically more efficient than ours. On the other hand, their conversion only works for schemes with the temlate while our conversion is comletely generic. Furthermore, since they essentially exchange key and cihertext comonents in the conversion, the size of keys and cihertexts are also exchanged. For examle, if we start from KP-ABE with constant-size cihertexts, they obtain CP-ABE with constant-size rivate keys while we obtain CP-ABE with constant-size cihertexts. We also remark that in the settings where PE for general circuit is available, we can easily convert any KP-ABE into CP-ABE by using universal circuits as discussed in [23,21]. However, in the settings where only PE for san rograms is available, this technique is not known to be alicable. We note that all existing PE schemes for general circuits [21,23,10] are quite inefficient and based on strong assumtions (e.g., existence of secure multi-linear ma or hardness of certain lattice roblems for an exonential aroximation factor). In [8], in the context of quantum comutation, Belovs studies a san rogram that decides whether two saces intersect or not. The roblem and its solution considered there is very similar to that in Section 3 of our aer. However, he does not consider alication to crytograhy and the result is not alicable to our setting immediately since the syntax of san rograms is slightly different. Concurrent and Indeendent Work. Concurrently and indeendently to our work, Aggrawal and Chase [1] show secific construction of CP-ABE scheme with constantsize cihertexts. Comared to our CP-ABE scheme with constant-size cihertexts, which is obtained by our conversion, their scheme only suorts monotone access structure over large universe, whereas our scheme suorts non-monotonic access structure over large universe. Furthermore, we can obtain adatively secure scheme whereas their scheme is only selectively secure. On the other hand, their scheme has shorter keys. 2 While it is known that monotone san rograms contain threshold formulae [26], the converse is not known to be true.

6 6 2 Preliminaries Notation. Throughout the aer, denotes a rime number. We will treat a vector as a column vector, unless stated otherwise. For a vector a Z n, a[i] Z reresents i-th element of the vector. Namely, a = (a[1],..., a[n]). For a, b Z n, we denote their inner roduct as a, b = a b = n i=1 a[i] b[i]. We denote by e i the i-th unit vector: its i-th comonent is one, all others are zero. I n and 0 n m reresent an identity matrix in Z n n and zero matrix in Z n m resectively. We also define 1 n = (1, 1,..., 1) Z n and 0 n = 0 n 1. We often omit the subscrit if it is clear from the context. We denote by [a, b] a set {a, a+1,..., b} for a, b Z such that a b and [b] denotes [1, b]. For a matrix X Z n d, san(x) denotes a linear sace {X u u Z d } sanned by columns of X. For matrices A Z n1 m and B Z n2 m, [A; B] Z (n1+n2) m denotes [A, B ] i.e., the vertical concatenation of them. 2.1 Definition of Predicate Encrytion Here, we define the syntax of redicate encrytion. We emhasize that we do not consider attribute hiding in this aer 3. Syntax. Let R = {R N : A N B N {0, 1} N N c } be a relation family where A N and B N denote cihertext attribute and key attribute saces and c is some fixed constant. The index N = (n 1, n 2,..., n c ) of R N denotes the numbers of bounds for corresonding arameters. A redicate encrytion (PE) scheme for R is defined by the following algorithms: Setu(λ, N) (mk, msk): The setu algorithm takes as inut a security arameter λ and an index N of the relation R N and oututs a master ublic key mk and a master secret key msk. Encryt(mk, M, X) C: The encrytion algorithm takes as inut a master ublic key mk, the message M, and a cihertext attribute X A N. It will outut a cihertext C. KeyGen(msk, mk, Y ) sk Y : The key generation algorithm takes as inut the master secret key msk, the master ublic key mk, and a key attribute Y B N. It oututs a rivate key sk Y. Decryt(mk, C, X, sk Y, Y ) M or : We assume that the decrytion algorithm is deterministic. The decrytion algorithm takes as inut the master ublic key mk, a cihertext C, cihertext attribute X A N, a rivate key sk Y, and rivate key attribute Y. It oututs the message M or which reresents that the cihertext is not in a valid form. We refer (standard) definitions of correctness and security of PE to [2,4]. 2.2 (Arithmetic) San Program, ABE, and Doubly Satial Encrytion Definition of San Program. Let U = {u 1,..., u t } be a set of variables. For each u i, denote u i as a new variable. Intuitively, u i and u i corresond to ositive and 3 This is called ublic-index redicate encrytion, categorized in [12].

7 7 negative attributes, resectively. Also let U = { u 1,..., u t }. A san rogram over Z is secified by a air (L, ρ) of a matrix and a labelling function where L Z l m ρ : [l] U U for some integer l, m. Intuitively, the ma ρ labels row i with attribute ρ(i). A san rogram accets or rejects an inut by the following criterion. For an inut δ {0, 1} t, we define the sub-matrix L δ of L to consist of the rows whose labels are set to 1 by the inut δ. That is, it consists of either rows labelled by some u i such that δ i = 1 or rows labelled by some u i such that δ i = 0. We say that (L, ρ) accets δ iff (1, 0,..., 0) is in the row san of L δ. We can write this also as e 1 san(l δ ). A san rogram is called monotone if the labels of the rows consist of only the ositive literals, in U. Key-Policy and Cihertext-Policy Attribute-Based Encrytion. Let U be the universe of attributes. We define a relation R KP on any san rograms (L, ρ) over Z and any sets of attributes S U as follows. For S U, we define δ {0, 1} t as an indicator vector corresonding to S. Namely, δ i = 1 if u i S and δ i = 0 if u i S. We define R KP (S, (L, ρ)) = 1 iff (L, ρ) accets δ. Similarly, R CP is defined as R CP ((L, ρ), S) = 1 iff (L, ρ) accets δ. A KP-ABE scheme may require some bounds on arameters: we denote k = the maximum size of k (the size of attribute set S), l = the maximum size of l (the number of rows of L), m = the maximum size of m (the number of columns of L), ϕ = the maximum size of allowed reetition in {ρ(1),..., ρ(l)}. These bounds define the index N = ( k, l, m, ϕ) for the redicate family. When there is no restriction on corresonding arameter, we reresent it by such as ( k,,, ). We define A N and B N as the set of all attribute sets and the set of all san rograms whose sizes are restricted by N, resectively. KP-ABE is a redicate encrytion for RN KP : A N B N {0, 1}, where RN KP is restricted on N in a natural manner. CP-ABE is defined dually with A N and B N swaed. Let t := U. We say the scheme suorts small universe if t is olynomially bounded and large universe if t is exonentially large. The scheme is monotonic if san rograms are restricted to be monotone, and non-monotonic otherwise. Attribute-Based Encrytion for Arithmetic San Programs [30]. In this redicate, the index N for the family is secified by an integer n. We call it the dimension of the scheme. We define A N = Z n. An arithmetic san rogram of dimension n is secified by a tule (Y, Z, ρ) of two matrices Y, Z Z m l and a ma ρ : [l] [n], for some integers l, m. There is no restriction on l and m. If ρ is restricted to injective, we say that the scheme suorts only attribute one-use. Otherwise, if there is no restriction on

8 8 ρ, we say that it is unbounded multi-use. We let B N be the set of all arithmetic san rograms of dimension n. We then define R KASP N (x, (Y, Z, ρ)) = 1 iff e 1 san{x[ρ(j)] y j + z j } j [l], where here e 1 = (1, 0,..., 0) Z m and x[ρ(j)] is the ρ(j)-th term of x, while y j and z j are the j-th column of Y and Z resectively. We call redicate encrytion for R KASP key-olicy attribute-based encrytion for arithmetic san rogram (KASP). Cihertext-olicy ASP (CASP) can be defined dually with A N and B N swaed. Doubly Satial Encrytion. In this redicate, the index N for the family is secified by an integer n (the dimension of the scheme). We define the domains as A N = B N = Z n ( 0 d n Z n d ). We define ( (x0, X), (y 0, Y) ) = 1 iff ( x 0 + san(x) ) ( y 0 + san(y) ). R DSE N Doubly satial encrytion is PE for relation R DSE N equied with additional key delegation algorithm. The key delegation algorithm takes a rivate key for some affine sace as an inut and oututs a rivate key for another affine sace, which is a subset of the first one. We require that the distribution of a key obtained by the delegation is the same as that of a key directly obtained by the key generation algorithm. We refer to [18,4] for the formal definition. 2.3 Embedding Lemma for PE The following useful lemma from [11] describes a sufficient criterion for imlication from PE for a given redicate to PE for another redicate. The lemma is alicable to any relation family. We consider two relation families: RN F : A N B N {0, 1}, RN F : A N B N {0, 1}, which is arametrized by N N c and N N c resectively. Suose that there exists three efficient maings f : Z c Z c f e : A N A f (N ) f k : B N B f (N ) which mas arameters, cihertext attributes, and key attributes, resectively, such that for all X A N, Y B N, R F N (X, Y ) = 1 R F f (N ) (f e(x ), f k (Y )) = 1. (1) We can then construct a PE scheme Π = {Setu, Encryt, KeyGen, Decryt } for redicate RN F from a PE scheme Π = {Setu, Encryt, KeyGen, Decryt} for redicate RN F as follows. Let Setu (λ, N ) = Setu(λ, f (N )) and Encryt (mk, M, X ) = Encryt(mk, M, f e (X )), KeyGen (msk, mk, Y ) = KeyGen(msk, mk, f k (Y )), and Decryt (mk, C, X, sk Y, Y ) = Decryt(mk, C, f e (X ), sk Y, f k (Y )).

9 9 Lemma 1 (Embedding lemma [11]). If Π is correct and secure, then so is Π. This holds for selective security and adative security. Intuitively, the forward and backward direction of Relation (1) ensure that the correctness and the security are reserving, resectively. 3 Conversion from ABE to DSE In this section, we show how to construct DSE for dimension n from monotonic KP- ABE (with bounds on the size of attribute sets and san rograms). We note that by simly swaing key and cihertext attributes, we can also obtain CP-ABE-to-DSE conversion. We first describe the conversion, then exlain the intuition behind the conversion later below. 3.1 The Conversion Maing Parameters. We ma f DSE KP : n ( k, l, m, ψ) where k = n(n + 1)κ + 1, l = 2(nκ + 1)(n + 1), m = (nκ + 1)(n + 1) + 1, ψ = 2(n + 1), where we define κ := log 2. Moreover, we set the universe U as follows. { } U = Att[i][j][k][b] (i, j, k, b) [0, n] [1, n] [1, κ] {0, 1} {D}, where D is a dummy attribute which will be assigned for all cihertext. Hence, the universe size is U = 2n(n + 1)κ + 1. Intuitively, Att[i][j][k][b] reresents an indicator for the condition the k-th least significant bit of the binary reresentation of the j-th element of the vector x i is b {0, 1}. Maing Cihertext Attributes. For x 0 Z n and X = [x 1,..., x d1 ] Z n d1 such that d 1 n, we ma fe DSE KP : (x 0, X) S where { } S = Att[i][j][k][b] (i, j, k) [0, d 1 ] [1, n] [1, κ], b = x i [j][k] {D}. Here, we define x i [j][k] {0, 1} so that they satisfy x i [j] = κ 2 k 1 x i [j][k]. k=1 Namely, x i [j][k] is the k-th least significant bit of the binary reresentation of x i [j]. Maing Key Attributes. For y 0 Z n and Y = [y 1,..., y d2 ] Z n d2 such that d 2 n, we ma fk DSE KP : (y 0, Y) (L, ρ) as follows. Let the numbers of rows and columns of L be l = (2nκ + 1)(n + 1) + d 2 + 1, m = (nκ + 1)(n + 1) + 1,

10 10 resectively. We then define e 1 e 1 + e d2+2 y0 Y E J L = E J.... E J Z l m, (2) of which each sub-matrix E and J both aears n + 1 times, where we define 1 g 1 g 1 E =... Z (2nκ+1) n 1, J =... Z (2nκ+1) nκ (3) g where g = (0, 1, 0, 2,..., 0, 2 i,..., 0, 2 κ 1 ) Z 2κ. Next, we define the ma ρ : [1, l] U as follows. If i d 2 + 1, we set ρ(i) := D. Else, we have i [d 2 + 2, l]. We then write i = (d 2 + 1) + (2nκ + 1)i + i with a unique i [0, n + 1] and a unique i [0, 2nκ]. If i = 0, we again set ρ(i) = D. Else, we have i [1, 2nκ]. We then write i = 2κj + 2k + b + 1 with unique j [0, n 1], k [0, κ 1], and b {0, 1}. We finally set ρ(i) = Att[i ][j + 1][k + 1][b ]. Intuition. We exlain the intuition behind the conversion. S can be seen as a binary reresentation of the information of (x 0, X). In the san rogram (L, ρ), E is used to reroduce the information of (x 0, X) in the matrix while J is used to constrain the form of linear combination among rows to a certain form. 4 In some sense, the roll of the lower art of the matrix L (the last (2nκ + 1)(n + 1) rows) is similar to universal circuit while the uer art of the matrix contains the information of (y 0, Y). 4 A somewhat similar technique to ours that restricts the form of linear combination of vectors was used in [9] in a different context (for constructing a monotone san rogram that tests co-rimality of two numbers).

11 Correctness of the Conversion We show the following theorem. The imlication from KP-ABE to DSE would then follow from the embedding lemma (Lemma 1). Theorem 1. For n N, for any x 0 Z n, X Z n d1, y 0 Z n and Y Z n d2, it holds that with N = f DSE KP RN KP (S, (L, ρ)) = 1 Rn DSE ( (x0, X), (y 0, Y) ) = 1 (n), S = f DSE KP (x 0, X), and (L, ρ) = f DSE KP (y 0, Y). e Proof. Define I [l] as I := { i ρ(i) S } and define L I as the sub-matrix of L formed by all the rows of which index is in I. From the definition of fe DSE KP, we have that L I is in the form of L I = e 1 e 1 + e d2+2 y 0 Y E 0 J E 1 J. E d1... J 1 nκ... 1 nκ k Z l I m I where l I := (nκ + 1)(d 1 + 1) + n d 1 + d and m I := (nκ + 1)(n + 1) + 1 and g i,1 g i,2 E i =... gi,n for i [0, d 1 ], where g i,j = Z (nκ+1) n, J = ( x i [j][1], 2x i [j][2],..., 2 κ 1 x i [j][κ]) Z κ. Z (nκ+1) nκ. We remark that it holds that 1 κ, g i,j = x i [j] by the definition of x i [j][k] and thus E i 1 nκ+1 = x i holds. We also remark that if v J = 0 holds for some v Z nκ+1, then there exists v Z such that v = v1 nκ+1. These roerties will be used later. To rove the theorem statement is now equivalent to rove that e 1 san(l I ) ( x 0 + san(x) ) ( y 0 + san(y) ).

12 12 Forward Direction ( ). Suose e 1 san(l I ). Then, there exists u Zl I that u L I = e 1. We write u as such We then write u L I = u = ( }{{} v, }{{} v, u 0, u 1,..., u ) d }{{}}{{} 1, u d1+1,..., u n. }{{}}{{} 1 d 2 nκ+1 nκ }{{} nκ+1 ( ( ) ( v, v + u 0, e 1, vy0 + v Y + d 1 i=0 u i E i ), ( u d 1 J ) ( ), u d1+11 nκ+1 ( u 0 J ),...,,..., ( ) ) u n 1 nκ+1 Since u L I = e 1, we have u d1+1 = = u n = 0, by comaring each element of the vector. Furthermore, since u i J = 0 for i [0, d 1 ], there exist {u i Z } i [0,d1] such that u i = u i 1 nκ+1. By comaring the first and the second element of the vector, we obtain v = 1 and v + u 0, e 1 = 1 + u 0 1 nκ+1, e 1 = 1 + u 0 = 0. Hence, u 0 = 1. Finally, we have that d 1 i=0 u i E i + vy 0 + v Y = 0 and thus d 1 E i u i = y 0 + Y v. i=0 The left hand side of the equation is d 1 d 1 E i u i = u 0 E 0 1 nκ+1 u i E i 1 nκ+1 i=0 i=1 d 1 = x 0 u i x i ( x 0 + san(x) ). i=1 while the right hand side is y 0 + Y v (y 0 + san(y)). This imlies that ( x 0 + san(x) ) ( y 0 + san(y) ). Converse Direction ( ). Suose ( x 0 + san(x) ) ( y 0 + san(y) ). Hence, there exist sets {u i Z } i [1,d1] and {v i Z } i [1,d2] such that x 0 + d 1 i=1 u ix i = y 0 + d 2 i=1 v iy i. We set a vector u as u = ( 1, v 1,..., v d2 1 }{{} nκ+1, u 1 1 nκ+1,..., u d1 1 ) nκ+1, 0,..., 0 ). }{{}}{{} d 2 (nκ+1)(d 1+1) n d 1

13 13 Therefore, we have u L I = = ( ( 1, 1 1, y0 + ( ( 1, 0, y0 + d 2 i=1 ( 1 nκ+1j ), d 2 i=1 v i y i d 1 v i yi 1 nκ+1(e 0 + i=1 ( u 1 1 nκ+1j ),..., ) ( x 0 + d 1 i=1 as desired. This concludes the roof of the theorem. u i x i ) u i E i ), ( u n 1 nκ+1j ), 0..., 0 ) ), 0..., 0 = e 1 ) 4 From DSE to Non-Monotonic ABE In [27], it is shown that DSE can be converted into monotonic CP-ABE with large universe (and bounds on the size of attribute sets and san rograms). In this section, we extend their result to show that non-monotonic CP-ABE with large universe and the same bounds can be constructed from DSE. We note that our transformation is very different from that of [27] even if we only consider monotonic CP-ABE because of exositional reasons. We also note that by simly swaing key and cihertext attributes, we immediately obtain DSE-to-non-monotonic-KP-ABE conversion. Again, we first describe the conversion, rovide some intuition later below. 4.1 The Conversion Maing Parameters. We ma f CP DSE : ( k, l, m, l) n = 4 l + m + 2 k l. We assume that the universe of attributes is Z.This restriction can be easily removed by using collision resistant hash. Maing Cihertext Attributes. For a san rogram (L, ρ), we ma fe CP DSE : (L, ρ) (x 0, X) as follows. Let l m be the dimension of L, where l l. (If the number of columns is smaller, we can adjust the size by adding zeroes.) Let l 0, l 1 be such that l = l 0 + l 1, and without loss of generality, we assume that the first l 0 rows of L are associated with ositive attributes and the last l 1 rows with negative attributes by the ma ρ. We denote L as L = [L 0 ; L 1 ] using matrices L 0 Z and l0 m l1 m L 1 Z. We then define f CP DSE (L, ρ) = (x 0, X) with e x 0 = e 1 Z n, X = l l1 L 1 I l1 {}}{ G 1 L 0 l {}}{ G0 Z(l0+2l1) n,

14 14 where G b Z l b l( k+1) for each b {0, 1} is defined as ( ρ(bl 0 + 1) ) ( ρ(bl G b = 0 + 2) )... ( ρ(bl 0 + l b ) ) ( l l b )( k+1) {}}{ where () is a function that takes an element of Z or its negation ({ x x Z }) as an inut and oututs a vector (x) = (1, x, x 2,..., x k) Z k+1. Maing Key Attributes. For a set S = (S 1,..., S k ) such that k k, we ma : S (y 0, Y) where f CP DSE k y 0 = 0 n Z n, Y = ( m ) {}}{ H I( k+1) l Z 2( k+1) l n, H I ( k+1) l of which H is defined as q S q S H = I l q S =... qs ( Z ) ( k+1) l l, where q S = (q S [1],..., q S [ k + 1]) Z k+1 k+1 Q S [Z] = q S [i] Z i 1 = i=1 is defined as a coefficient vector from k (Z S i ). If k < k, the coordinates q S [k + 2],..., q S [ k + 1] are all set to 0. Intuition. The matrices X and Y constructed above can be divided into two arts. The first l 0 rows of X and the first ( k + 1) l rows of Y deal with ositive attributes.the lower arts of X and Y deal with negation of attributes. Here, we exlain how we handle negated attributes. Positive attributes are handled by a similar mechanism. I ( k+1) l in Y and G 1 in X restricts the linear combination of the rows of X and Y to a certain form in order to two affine saces to have a intersection. As a result, we can argue that the coefficient of the i-th row of L 1 in the linear combination should be multile of Q S (ρ(l 0 + i)) 5. Since we have that Q S (x) = 0 iff x S for any x Z, this means that the coefficient of the vector in the linear combination should be 0 if ρ(l 0 + i) = Att and Att S. This restriction is exactly what we need to emulate redicate of non-monotonic CP-ABE. 5 Here, We treat negated attributes ({ x x Z }) as elements of Z. Namely, if ρ(l 0 + i) = Att for some Att Z, Q S(ρ(l 0 + i)) := Q S(Att). i=1

15 Correctness of the Conversion We show the following theorem. The imlication from DSE to non-monotonic CP-ABE with large universe would then follow from the embedding lemma. Theorem 2. For any san rogram (L Z l m, ρ) such that l l and m m and S such that S k, let N = ( k, l, m, l), we have that where n = f CP DSE Rn DSE ((x 0, X), (y 0, Y)) = 1 RN CP (S, (L, ρ)) = 1 (N), (x 0, X) = f CP DSE e (L, ρ), and (y 0, Y) = fk CP DSE (S). Proof. Let I [1, l] be I = { i (ρ(i) = Att Att S) (ρ(i) = Att Att S) }. We also let L I be the sub-matrix of L formed by rows whose index is in I. To rove the theorem statement is equivalent to rove that ( x0 + san(x) ) ( y 0 + san(y) ) e 1 san(l I ). Forward Direction ( ). Suose that there exist u Z l0+2l1 and v Z 2( k+1) l that x 0 + u X = y0 + v Y = v Y. We denote these vectors as u = ( u 0, u 1, u 2 ), v = ( v1 }{{}}{{}}{{}}{{} l 0 l 1 l 1 k+1,..., v l }{{} k+1 w1 }{{} k+1,..., w l }{{} k+1.) such Hence, x 0 + u X and v Y can be written as ( x 0 + u X = e 1 + u 0 L 0 + u 1 L 1, 0 l, u 0 [1] (ρ(1)),..., u 0 [l 0 ] (ρ(l 0 )), }{{}}{{} m ( k+1)l 0 and 0 ( l l 0)( k+1), u 1 }{{} l 1, 0 l l1, u 2 [1] (ρ(l 0 + 1)),..., u 2 [l 1 ] (ρ(l 0 + l 1 )), 0 }{{} ( k+1)l 1 v Y = (0 m, v 1, q S,...,, v l, q S, v1,..., v l, }{{}}{{} l ( k+1) l ) ( l l 1)( k+1) w 1, q S,...,, w l, q S, w1,..., w l ). (5) }{{}}{{} l ( k+1) l First, by comaring the m + l + 1-th to m + ( k + 2) l-th elements of the vector, we obtain that v i = u 0 [i] (ρ(i)) for i [1, l 0 ] and v i = 0 k+1 for i [l 0 + 1, l]. Furthermore, by comaring m + 1-th to m + l-th elements of the vector, we have v i, q S = u 0 [i] (ρ(i)), q S = u 0 [i] Q S ( ρ(i) ) = 0 (4)

16 16 for i [1, l 0 ]. The second equation above follows from the definition of () and q S. Since Q S (ρ(i)) = ω S (ρ(i) ω) 0 if ρ(i) S, we have that u 0[i] = 0 if ρ(i) S. That is, u 0 [i] = 0 for i [1, l 0 ]\I. Next, by comaring the last ( k + 1) l elements in the vector, we obtain that w i = u 2 [i] (ρ(l 0 + i)) for i [1, l 1 ] and w i = 0 k+1 for i [l 1 + 1, l]. By comaring the m + ( k + 2) l + 1-th to m + ( k + 3) l-th elements in the vector, we have that (u 1, 0 l l1 ) = ( w 1, q S,...,, w l, q S ) and thus u 1 [i] = w i, q S = u 2 [i] (ρ(l 0 + i)), q S = u 2 [i] Q S (ρ(l 0 + i)) holds for i [1, l 1 ]. From the above, we have that u 1 [i] = 0 if ρ(l 0 + i) = Att and Att S for some Att. This imlies that u 1 [i] = 0 if (l 0 + i) I for i [1, l 1 ]. Finally, by comaring the first m elements in the vector, we obtain that e 1 + u 0 L 0 + u 1 L 1 = 0. Let u 0,I be a subvector of u 0 which is obtained by deleting all elements u 0 [i] for i I. Similarly, we define u 1,I as a vector obtained by deleting all elements u 1 [i] for i such that (l 0 + i) I from u 1. Since u 0 [i] = 0 for i [1, l 0 ]\I and u 1 [i] = 0 for i [1, l 1 ] such that (l 0 + i) I, it follows that (u 0,I, u 1,I )L I = u 0 L 0 + u 1 L 1 = e 1 and thus e 1 san(l I ) as desired. Converse Direction ( ). The converse direction can be shown by reeating the above discussion in reverse order. Assume that e 1 san(l I ). Then there exists u Z I such that u L I = e 1. We extend u to define u Z l0+l1 so that u I = u and u [i] = 0 for i I hold. Here, u I Z I is a subvector of u which is obtained by deleting all elements u [i] for i I. These conditions comletely determine u. We denote this u as u = (u 0, u 1 ) using u 0 Z l0 and u 1 Z l1. We note that u 0 L 0 + u 1 L 1 = e 1 holds by the definition. Next we define v i for i [ l] as v i = u 0 [i] (ρ(i)) if i [l 0 ] and v i = 0 k+1 if i [l 0 + 1, l]. We claim that v i, q S = 0 holds for i [ l]. Here, we rove this. The case for i [l 0 + 1, l] is trivial. For the case of i [1, l 0 ], we have v i, q S = u 0 [i] (ρ(i)), q S = u 0 [i] Q S (ρ(i)) = 0. The last equation above holds because we have Q S (ρ(i)) = 0 if i I and u 0 [i] = 0 otherwise, by the definition of u 0 [i]. We define u 2 [i] Z for i [1, l 1 ] as u 2 [i] = u 1 [i]/q S (ρ(l 0 + i)) if u 1 [i] 0 and u 2 [i] = 0 if u 1 [i] = 0. We have to show that u 2 [i] are well defined by showing that Q S (ρ(l 0 + i)) 0 if u 1 [i] 0 (i.e., division by 0 does not occur). If u 1 [i] 0, then (l 0 + i) I by the definition of u 1. It imlies that (ρ(l 0 + i) = Att) (Att S) for some Att Z and thus Q S (ρ(l 0 + i)) = ω S (Att ω) 0 holds as desired. We also define w i as w i = u 2 [i] (ρ(l 0 + i)) for i [1, l 1 ] and w i = 0 k+1 for i [l 1 + 1, l]. Then, we have w i, q S = u 2 [i] (ρ(l 0 + i)), q S = u 2 [i] Q S (ρ(l 0 + i)) = u 1 [i] for i [1, l 1 ] and w i, q S = 0 for i [l 1 + 1, l]. Finally, we define u and v as u = (u 0, u 1, u 2 ) and v = (v 1,..., v l, w 1,..., w l ). Then, Equation (4) and (5) hold. By the roerties of u and v we investigated so

17 17 far, it is straightforward to see that x 0 + u X = y0 the roof of the theorem. + v Y holds. This concludes 5 From KP(CP)-ABE to KASP(CASP) In this section, we show that monotonic KP-ABE with small universe (without bounds on the size of san rograms) can be converted into KASP. We note that we can also obtain CP-ABE-to-CASP conversion by simly swaing key and cihertext attribute. 5.1 The Conversion Maing Parameters. We show how to construct KASP for dimension n from monotonic KP-ABE for arameter N = (nκ + 1,,, ) and the size of attribute universe is U = 2nκ + 1. Here, κ = log 2. That is, we define f KASP KP (n) = N. We set the universe of attributes as { } U = Att[i][j][b] (i, j, b) [1, n] [1, κ] {0, 1} {D}. Intuitively, Att[i][j][b] reresents an indicator for the condition the j-th least significant bit of the binary reresentation of the i-th element of the vector x is b {0, 1}. D is a dummy attribute which will be assigned for all cihertexts. Maing Cihertext Attributes. For x Z n, we ma fe KASP KP : x S where { } S = Att[i][j][b] (i, j) [1, n] [1, κ], b = x[i][j] {D}, where we define x[i][j] {0, 1} in such a way that x[i] = κ j=1 2j 1 x[i][j]. In other words, x[i][j] is the j-th least significant bit of the binary reresentation of x[i] Z. Maing Key Attributes. For an arithmetic san rogram (Y = (y 1,..., y l ) Z m l, Z = (z 1,..., z l ) Z m l, ρ) such that Y, Z Z m l, we define the ma fk KASP KP : (Y, Z, ρ) (L, ρ ) as follows. First, we define G 1 J G 2 J ( ) ( ) L =.... Z (2κ+1)l κl+m, (6) J G l where the matrix J Z (2κ+1) κ G i is defined as is defined as in Equation (3) (by setting n = 1) while G i = [g y i ; z i ] = (0 m, y i, 0 m, 2y i,, 0 m, 2 κ 1 y i, z i ) Z (2κ+1) m where g = (0, 1, 0, 2,..., 0, 2 i,..., 0, 2 κ 1 ) Z 2κ. Next, we define the ma ρ : [(2κ + 1)l] U as follows. If i = 0 mod (2κ + 1), we set ρ(i) := D.

18 18 Else, we write i = (2κ + 1)i + 2j + b + 1 with unique i [0, l 1], j [0, κ 1], and b {0, 1}. We finally set ρ (i) = Att[ρ(i + 1)][j + 1][b ]. Intuition. S can be seen as a binary reresentation of the information of x. In the san rogram (L, ρ ), J is used to constrain the form of linear combination among rows to a certain form. G i as well as ρ, along with the above restriction, are designed so that linear combination of rows of G i only can be a scalar multile of the vector (x[ρ(i)]y i + z i ). Therefore, (L, ρ ) essentially works as an arithmetic san rogram. 5.2 Correctness of the Conversion We show the following theorem. The imlication from KP-ABE with arameter N = (nκ + 1,,, ) to KASP with dimension n would then follow from the embedding lemma. Theorem 3. For any x Z n, Y Z m l where N = f KASP KP, Z Z m l, and ρ : [l] [n], it holds that R KP N (S, (L, ρ )) = 1 R KASP n (x, (Y, Z, ρ)) = 1 (n), S = f KASP KP (x), and (L, ρ ) = f KASP KP (Y, Z, ρ). e Proof. Define I [1, (2κ + 1)l] as I = { i ρ (i) S }. We define L I as the submatrix of L formed by rows whose index is in I. From the definition of fe KASP KP, we have that L I is in the form of G 1 J G 2 J ( ) ( ) L I =.... Z (κ+1)l κl+m, G l J where G i = [g i y i ; z i ] Z (κ+1) m, J = 1 1 k Z (κ+1) κ, and where g i = (x[ρ(i)][1], 2x[ρ(i)][2],..., 2 κ 1 x[ρ(i)][κ]) Z κ. We note that we have 1 κ, g i = x[ρ(i)] by the definition of x[ρ(i)][j] and thus G i 1 κ+1 = x[ρ(i)]y i + z i holds. We also remark that if v J = 0 holds for some v Z κ+1, then there exists v Z such that v = v1 κ+1. These roerties will be used later below. To rove the theorem statement is equivalent to rove that e 1 san(l I ) e 1 san({x[ρ(i)]y i + z i } i [l] ).

19 Forward Direction ( ). We assume that e 1 san(l I ). From this, there exists u Z (κ+1)l such that u L I = e 1. We write this u as u = ( u 1, u 2,..., u ) l. }{{}}{{}}{{} κ+1 κ+1 κ+1 19 Therefore, we have that e 1 = u L I = u i G i, u 1 J,..., u l J. i [l] Since u i we have J = 0 for i [l], there exist {u i Z } i [l] such that u i = u i 1 κ+1. Then, e 1 = i [l] u i G i = i [l] u i 1 κ+1g i = i [l] u i (x[ρ(i)] y i + z i ). This imlies e 1 san({x[ρ(i)]y i + z i } i [l] ), as desired. Converse Direction ( ). We assume that e 1 san({x[ρ(i)]y i + z i } i [l] ). Then, there exist {u i Z } i [l] such that i [l] u i(x[ρ(i)] y i + z i ) = e 1. We set a vector u Z (κ+1)l as u = ( u 1 1 κ+1,..., u l 1κ+1). Then, we have that u L I = u i 1 κ+1g i, u 1 1 κ+1j,..., u l 1 κ+1j i [l] = u i (x[ρ(i)]y i + z i ), 0 κ,..., 0 κ = e 1. i [l] This imlies e 1 san(l I ), as desired. This concludes the roof of the theorem. 6 Imlications of Our Result In this section, we discuss consequences of our results. Equivalence between (bounded) ABE and DSE. We have shown that monotonic KP/CP-ABE for ( k, l, m, ϕ) imlies DSE (without delegation) in Section 3 and DSE imlies non-monotonic KP/CP-ABE with large universe for ( k, l, m, ϕ) in Section 4. Since non-monotonic KP/CP-ABE with large universe for ( k, l, m, ϕ) trivially imlies monotonic KP/CP-ABE with small universe for ( k, l, m, ϕ), our results indicate that these PE schemes are essentially equivalent in the sense that they imly each other. Equivalence between K(C)ASP and KP(CP)-ABE. Next, we consider the case where there is no restriction on the size of san rograms. In Section 5, we showed that monotonic KP-ABE for (( k + 1)κ,,, ) imlies KASP for ( k,,, ). In the full version [4], we also show the converse direction. That is, we show that KASP for

20 20 Table 1. Comarison among DSE Schemes Schemes mk C sk Delegation Security Assumtion Hamburg11 [27] O(n) O(d 1) O(d 2) Selective Parameterized CW14 [18] O(n 2 ) O(nd 1) O(n) Selective Static CZF12 [15] O(n) O(d 1) O(d 2) Adative Static Sec. 3 + RW13 [40] O(1) O(nd 1κ) O(n 2 κ) Selective Parameterized Sec. 3 + ALP11 [5] O(n 2 κ) O(1) O(n 4 κ 2 ) Selective Parameterized Sec. 3 + OT12 [38] O(1) O(n 2 d 1κ) O(n 2 κ)? Adative Static Sec. 3 + A15 [3] O(1) O(nd 1κ) O(n 2 κ)? Adative Parameterized Sec. 3 + A15 [3] O(n 2 κ) O(1) O(n 4 κ 2 )? Adative Parameterized Sec. 3 + A15 [3] O(n 2 κ) O(n 4 κ 2 ) O(1)? Adative Parameterized n is the dimension of the scheme; d 1 and d 2 denote the dimension of the sace associated with the cihertext and rivate key, resectively; κ = log 2. Delegation shows if key delegation is suorted.? means unknown. ( k + 1,,, ) imlies non-monotonic KP-ABE for ( k,,, ) with large universe. Since non-monotonic KP-ABE for ( k,,, ) trivially imlies monotonic KP-ABE for ( k,,, ), our results indicate that these PE schemes are essentially equivalent similarly to the above case. Similar imlications hold for CP-ABE. See figure 1 for the overview. By alying the conversions to existing schemes, we obtain various new schemes. The overviews of roerties of resulting schemes and comarison with existing schemes are rovided in Table 1, 2, 3, and 4. All schemes in the tables are constructed in airing grous. In the tables, we count the number of grou elements to measure the size of master ublic keys ( mk ), cihertexts ( C ), and rivate keys ( sk ). Note that our conversions only can be alied to ABE schemes suorting san rograms over Z. Therefore, for ABE schemes constructed on comosite order grous [32,2], our conversions are not alicable since they suort san rograms over Z N where N is a roduct of several large rimes. Similar restrictions are osed on DSE and K(C)ASP. Though it is quite lausible that our conversions work even in such cases assuming hardness of factoring N, we do not rove this in this aer. New DSE Schemes. By alying our KP(CP)-ABE-to-DSE conversion to existing KP(CP)-ABE schemes, we obtain many new DSE schemes. Table 1 shows overview of obtained schemes. 6 Secifically, From the unbounded KP-ABE schemes [38,40,3], we obtain the first DSE scheme with constant-size master ublic key (without delegation). Note that all revious schemes [27,15,18] require at least O(n) grou elements in master ublic key where n is the dimension of the scheme. From KP-ABE scheme with constant-size cihertexts [5,29,42,3], we obtain the first DSE scheme with constant-size cihertexts. All revious schemes [27,15,18] require 6 In the table, arameterized assumtions refer to q-tye assumtions, which are non-interactive and falsifiable but arameterized by some arameters of the scheme such as k, k.

21 21 Table 2. Comarison among CP-ABE Schemes Schemes Exressiveness Efficiency Security Assumtion Universe Policy mk C sk OT12 [38] Large Non-mono. San. O(1) O(l) O(kϕ) Adative Static AY15 [6], A15 [3] Large Mono. San. O(1) O(l) O(k) Adative Parametrized AY15 [6], A15 [3] Large Mono. San. O( k) O( kl) O(1) Adative Parametrized EMN+09 [20] Small AND-only O( k) O(1) O( k) Selective Static CZF11 [14] Small AND-only O( k) O(1) O( k 2 ) Selective Static CCL+13 [13] Small Threshold O( k) O(1) O( k 2 ) Adative Static Sec. 3,4 + ALP11 [5] Large Non-mono. San. O(( k l) 2 κ) O(1) O(( k l) 4 κ 2 ) Selective Parametrized Sec. 3,4 + T14 [42] Large Non-mono. San. O(( k l) 2 κ) O(1) O(( k l) 4 κ 2 ) Semi-adat Static Sec. 3,4 + A15 [3] Large Non-mono. San. O(( k l) 2 κ) O(1) O(( k l) 4 κ 2 ) Adative Parametrized k is the size of an attribute set associated with a key, l is the number of rows of a san rogram matrix associated with a cihertext; k, l are the maximums of k, l (if bounded); ϕ is the maximum number of allowed attribute multi-use in one olicy (if bounded); κ = log 2. at least O(d 1 ) grou elements in cihertexts where d 1 is the dimension of the affine sace associated to a cihertext. From CP-ABE scheme with constant-size keys [6], we obtain the first DSE scheme with constant-size rivate keys. All revious schemes require at least O(d 2 ) grou elements in rivate keys where d 2 is the dimension of the affine sace associated to a rivate key. The schemes obtained from [38,3] achieves adative security. Furthermore, for schemes obtained from [40,5,29], we can define key delegation algorithm. The details of the key delegation algorithm will be given in the full version [4]. CP-ABE with Constant-Size Cihertexts. By alying our DSE-to-non-monotonic- CP-ABE conversion in Section 4 to the DSE scheme with constant-size cihertexts obtained above, we obtain the first non-monotonic CP-ABE with constant-size cihertexts. Previous CP-ABE schemes with constant-size cihertexts [20,14,13] only suort threshold or more limited redicates 7. See Table 2 for comarison (we list only relevant schemes). KP-ABE with Constant-Size Keys. By alying our DSE-to-non-monotonic-KP-ABE conversion in Section 4 to the DSE scheme with constant-size keys obtained above, we obtain the first non-monotonic KP-ABE with constant-size keys. See Table 3 for comarison (we list only relevant schemes). New KASP and CASP Schemes. By alying the KP(CP)-ABE-to-K(C)ASP conversion in Section 5, we obtain many new K(C)ASP schemes. See Table 4 for the overview. Secifically, From the unbounded KP-ABE, CP-ABE schemes of [40,3], we obtain the first KASP, CASP schemes with constant-size master ublic key. 7 One would be able to obtain CP-ABE with constant-size cihertexts suorting threshold formulae by alying the generic conversion in [24] to a KP-ABE scheme roosed in [5]. However, the resulting scheme suorts more limited redicate comared to ours. To the best of our knowledge, this observation has not aeared elsewhere.

22 22 Table 3. Comarison among KP-ABE Schemes Schemes Exressiveness Efficiency Security Assumtion Universe Policy mk C sk OT12 [38] Large Non-mono. San. O(1) O(kϕ) O(l) Adative Static AY15 [6], A15 [3] Large Mono. San. O(1) O(k) O(l) Adative Parameterized AY15 [6], A15 [3] Large Mono. San. O( k) O(1) O( kl) Adative Parameterized Sec. 3,4 + A15 [3] Large Non-mono. San. O(( k l) 2 κ) O(( k l) 4 κ 2 ) O(1) Adative Parameterized k is the size of an attribute set associated with a cihertext, l is the number of rows of a san rogram matrix associated with a key; k, l are the maximums of k, l (if bounded); ϕ is the maximum number of allowed attribute multi-use in one olicy (if bounded); κ = log 2. From adatively secure KP-ABE, CP-ABE schemes of [35,3], we obtain the first adatively secure KASP, CASP schemes with unbounded attribute multi-use. From KP-ABE schemes with constant-size cihertexts [5,29,42,3], we obtain the first KASP schemes with constant-size cihertexts. From CP-ABE schemes with constant-size keys [3], we obtain the first CASP schemes with constant-size keys. Until recently, the only (K)ASP scheme in the literature was roosed by [30], which is selectively secure and the master ublic key and cihertext size are linear in the dimension of the scheme. Very recently, adatively secure KASP and CASP were given in [17], albeit with the restriction of one-time use (of the same attribute in one olicy). We remark that the conversion is not alicable for schemes in [37,38] since these schemes are KP-ABE for (,,, ϕ) where ϕ is olynomially bounded, whereas our conversion requires the last arameter to be unbounded. 7 Alication to Attribute-Based Signature Here, we discuss that our techniques develoed in revious sections are also alicable to construct attribute-based signatures (ABS) [36,37]. ABS is an advanced form of signature and can be considered as a signature analogue of ABE. In articular, it resembles CP-ABE in the sense that a rivate key is associated with a set of attributes while a signature is associated with a olicy and a message. A user can sign on a message with a olicy if and only if she has a rivate key associated with a set satisfying the olicy. Roughly seaking, this roerty corresonds to the correctness and unforgeability. For ABS, we also require rivacy. That is, we require that one cannot obtain any information about the attribute of the signer from a signature. The construction of exressive ABS scheme with constant-size signatures has been oen. All revious ABS schemes with constant-size signatures [28,13] only suorts threshold redicates. The difficulty of constructing ABS with constant-size signatures seems to be related to the difficulty of construction of CP-ABE with constant-size cihertexts. That is, it is hard to set constant number of grou elements so that they include very comlex information such as san rograms. To solve the roblem, we first define the notion of redicate signature (PS) that is a signature analogue of PE. Then we construct a PS scheme that is dual of ABS: a ri-

Similar documents

Cryptography. Lecture 8. Arpita Patra

Cryptography. Lecture 8. Arpita Patra Crytograhy Lecture 8 Arita Patra Quick Recall and Today s Roadma >> Hash Functions- stands in between ublic and rivate key world >> Key Agreement >> Assumtions in Finite Cyclic grous - DL, CDH, DDH Grous

More information

Elliptic Curves and Cryptography

Elliptic Curves and Cryptography Ellitic Curves and Crytograhy Background in Ellitic Curves We'll now turn to the fascinating theory of ellitic curves. For simlicity, we'll restrict our discussion to ellitic curves over Z, where is a

More information

Bilinear Entropy Expansion from the Decisional Linear Assumption

Bilinear Entropy Expansion from the Decisional Linear Assumption Bilinear Entroy Exansion from the Decisional Linear Assumtion Lucas Kowalczyk Columbia University luke@cs.columbia.edu Allison Bisho Lewko Columbia University alewko@cs.columbia.edu Abstract We develo

More information

MATH 2710: NOTES FOR ANALYSIS

MATH 2710: NOTES FOR ANALYSIS MATH 270: NOTES FOR ANALYSIS The main ideas we will learn from analysis center around the idea of a limit. Limits occurs in several settings. We will start with finite limits of sequences, then cover infinite

More information

Improved Hidden Vector Encryption with Short Ciphertexts and Tokens

Improved Hidden Vector Encryption with Short Ciphertexts and Tokens Imroved Hidden Vector Encrytion with Short Cihertexts and Tokens Kwangsu Lee Dong Hoon Lee Abstract Hidden vector encrytion HVE) is a articular kind of redicate encrytion that is an imortant crytograhic

More information

Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products

Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products Predicate Encrytion Suorting Disjunctions, Polynomial Equations, and Inner Products Jonathan Katz jkatz@cs.umd.edu Amit Sahai sahai@cs.ucla.edu Brent Waters bwaters@csl.sri.com Abstract Predicate encrytion

More information

Cryptanalysis of Pseudorandom Generators

Cryptanalysis of Pseudorandom Generators CSE 206A: Lattice Algorithms and Alications Fall 2017 Crytanalysis of Pseudorandom Generators Instructor: Daniele Micciancio UCSD CSE As a motivating alication for the study of lattice in crytograhy we

More information

Cryptography Assignment 3

Cryptography Assignment 3 Crytograhy Assignment Michael Orlov orlovm@cs.bgu.ac.il) Yanik Gleyzer yanik@cs.bgu.ac.il) Aril 9, 00 Abstract Solution for Assignment. The terms in this assignment are used as defined in [1]. In some

More information

Approximating min-max k-clustering

Approximating min-max k-clustering Aroximating min-max k-clustering Asaf Levin July 24, 2007 Abstract We consider the roblems of set artitioning into k clusters with minimum total cost and minimum of the maximum cost of a cluster. The cost

More information

Model checking, verification of CTL. One must verify or expel... doubts, and convert them into the certainty of YES [Thomas Carlyle]

Model checking, verification of CTL. One must verify or expel... doubts, and convert them into the certainty of YES [Thomas Carlyle] Chater 5 Model checking, verification of CTL One must verify or exel... doubts, and convert them into the certainty of YES or NO. [Thomas Carlyle] 5. The verification setting Page 66 We introduce linear

More information

Math 4400/6400 Homework #8 solutions. 1. Let P be an odd integer (not necessarily prime). Show that modulo 2,

Math 4400/6400 Homework #8 solutions. 1. Let P be an odd integer (not necessarily prime). Show that modulo 2, MATH 4400 roblems. Math 4400/6400 Homework # solutions 1. Let P be an odd integer not necessarily rime. Show that modulo, { P 1 0 if P 1, 7 mod, 1 if P 3, mod. Proof. Suose that P 1 mod. Then we can write

More information

Lattice Attacks on the DGHV Homomorphic Encryption Scheme

Lattice Attacks on the DGHV Homomorphic Encryption Scheme Lattice Attacks on the DGHV Homomorhic Encrytion Scheme Abderrahmane Nitaj 1 and Tajjeeddine Rachidi 2 1 Laboratoire de Mathématiques Nicolas Oresme Université de Caen Basse Normandie, France abderrahmanenitaj@unicaenfr

More information

1. Introduction. 2. Background of elliptic curve group. Identity-based Digital Signature Scheme Without Bilinear Pairings

1. Introduction. 2. Background of elliptic curve group. Identity-based Digital Signature Scheme Without Bilinear Pairings Identity-based Digital Signature Scheme Without Bilinear Pairings He Debiao, Chen Jianhua, Hu Jin School of Mathematics Statistics, Wuhan niversity, Wuhan, Hubei, China, 43007 Abstract: Many identity-based

More information

Elementary Analysis in Q p

Elementary Analysis in Q p Elementary Analysis in Q Hannah Hutter, May Szedlák, Phili Wirth November 17, 2011 This reort follows very closely the book of Svetlana Katok 1. 1 Sequences and Series In this section we will see some

More information

CERIAS Tech Report The period of the Bell numbers modulo a prime by Peter Montgomery, Sangil Nahm, Samuel Wagstaff Jr Center for Education

CERIAS Tech Report The period of the Bell numbers modulo a prime by Peter Montgomery, Sangil Nahm, Samuel Wagstaff Jr Center for Education CERIAS Tech Reort 2010-01 The eriod of the Bell numbers modulo a rime by Peter Montgomery, Sangil Nahm, Samuel Wagstaff Jr Center for Education and Research Information Assurance and Security Purdue University,

More information

Combining Logistic Regression with Kriging for Mapping the Risk of Occurrence of Unexploded Ordnance (UXO)

Combining Logistic Regression with Kriging for Mapping the Risk of Occurrence of Unexploded Ordnance (UXO) Combining Logistic Regression with Kriging for Maing the Risk of Occurrence of Unexloded Ordnance (UXO) H. Saito (), P. Goovaerts (), S. A. McKenna (2) Environmental and Water Resources Engineering, Deartment

More information

Efficient Cryptosystems From 2 k -th Power Residue Symbols

Efficient Cryptosystems From 2 k -th Power Residue Symbols Efficient Crytosystems From k -th Power Residue Symbols Fabrice Benhamouda, Javier Herranz, Marc Joye 3, and Benoît Libert 4, ENS Paris, CNRS, INRIA, and PSL 45 rue d Ulm, 7530 Paris Cedex 06, France fabrice.benhamouda@ens.fr

More information

An Attack on a Fully Homomorphic Encryption Scheme

An Attack on a Fully Homomorphic Encryption Scheme An Attack on a Fully Homomorhic Encrytion Scheme Yuu Hu 1 and Fenghe Wang 2 1 Telecommunication School, Xidian University, 710071 Xi an, China 2 Deartment of Mathematics and Physics Shandong Jianzhu University,

More information

Use of Transformations and the Repeated Statement in PROC GLM in SAS Ed Stanek

Use of Transformations and the Repeated Statement in PROC GLM in SAS Ed Stanek Use of Transformations and the Reeated Statement in PROC GLM in SAS Ed Stanek Introduction We describe how the Reeated Statement in PROC GLM in SAS transforms the data to rovide tests of hyotheses of interest.

More information

1-way quantum finite automata: strengths, weaknesses and generalizations

1-way quantum finite automata: strengths, weaknesses and generalizations 1-way quantum finite automata: strengths, weaknesses and generalizations arxiv:quant-h/9802062v3 30 Se 1998 Andris Ambainis UC Berkeley Abstract Rūsiņš Freivalds University of Latvia We study 1-way quantum

More information

Convex Optimization methods for Computing Channel Capacity

Convex Optimization methods for Computing Channel Capacity Convex Otimization methods for Comuting Channel Caacity Abhishek Sinha Laboratory for Information and Decision Systems (LIDS), MIT sinhaa@mit.edu May 15, 2014 We consider a classical comutational roblem

More information

Efficient Cryptosystems From 2 k -th Power Residue Symbols

Efficient Cryptosystems From 2 k -th Power Residue Symbols Published in Journal of Crytology, 30(2:519 549, 2017. Efficient Crytosystems From 2 k -th Power Residue Symbols Fabrice Benhamouda 1, Javier Herranz 2, Marc Joye 3, and Benoît Libert 4, 1 ES Paris, CRS,

More information

#A37 INTEGERS 15 (2015) NOTE ON A RESULT OF CHUNG ON WEIL TYPE SUMS

#A37 INTEGERS 15 (2015) NOTE ON A RESULT OF CHUNG ON WEIL TYPE SUMS #A37 INTEGERS 15 (2015) NOTE ON A RESULT OF CHUNG ON WEIL TYPE SUMS Norbert Hegyvári ELTE TTK, Eötvös University, Institute of Mathematics, Budaest, Hungary hegyvari@elte.hu François Hennecart Université

More information

Positive Definite Uncertain Homogeneous Matrix Polynomials: Analysis and Application

Positive Definite Uncertain Homogeneous Matrix Polynomials: Analysis and Application BULGARIA ACADEMY OF SCIECES CYBEREICS AD IFORMAIO ECHOLOGIES Volume 9 o 3 Sofia 009 Positive Definite Uncertain Homogeneous Matrix Polynomials: Analysis and Alication Svetoslav Savov Institute of Information

More information

Tanja Lange Technische Universiteit Eindhoven

Tanja Lange Technische Universiteit Eindhoven Crytanalysis Course Part I Tanja Lange Technische Universiteit Eindhoven 28 Nov 2016 with some slides by Daniel J. Bernstein Main goal of this course: We are the attackers. We want to break ECC and RSA.

More information

The Graph Accessibility Problem and the Universality of the Collision CRCW Conflict Resolution Rule

The Graph Accessibility Problem and the Universality of the Collision CRCW Conflict Resolution Rule The Grah Accessibility Problem and the Universality of the Collision CRCW Conflict Resolution Rule STEFAN D. BRUDA Deartment of Comuter Science Bisho s University Lennoxville, Quebec J1M 1Z7 CANADA bruda@cs.ubishos.ca

More information

Public Key Cryptosystems RSA

Public Key Cryptosystems RSA Public Key Crytosystems RSA 57 17 Receiver Sender 41 19 and rime 53 Attacker 47 Public Key Crytosystems RSA Comute numbers n = * 2337 323 57 17 Receiver Sender 41 19 and rime 53 Attacker 2491 47 Public

More information

Statics and dynamics: some elementary concepts

Statics and dynamics: some elementary concepts 1 Statics and dynamics: some elementary concets Dynamics is the study of the movement through time of variables such as heartbeat, temerature, secies oulation, voltage, roduction, emloyment, rices and

More information

Extension of Minimax to Infinite Matrices

Extension of Minimax to Infinite Matrices Extension of Minimax to Infinite Matrices Chris Calabro June 21, 2004 Abstract Von Neumann s minimax theorem is tyically alied to a finite ayoff matrix A R m n. Here we show that (i) if m, n are both inite,

More information

Advanced Cryptography Midterm Exam

Advanced Cryptography Midterm Exam Advanced Crytograhy Midterm Exam Solution Serge Vaudenay 17.4.2012 duration: 3h00 any document is allowed a ocket calculator is allowed communication devices are not allowed the exam invigilators will

More information

Topic: Lower Bounds on Randomized Algorithms Date: September 22, 2004 Scribe: Srinath Sridhar

Topic: Lower Bounds on Randomized Algorithms Date: September 22, 2004 Scribe: Srinath Sridhar 15-859(M): Randomized Algorithms Lecturer: Anuam Guta Toic: Lower Bounds on Randomized Algorithms Date: Setember 22, 2004 Scribe: Srinath Sridhar 4.1 Introduction In this lecture, we will first consider

More information

The Fekete Szegő theorem with splitting conditions: Part I

The Fekete Szegő theorem with splitting conditions: Part I ACTA ARITHMETICA XCIII.2 (2000) The Fekete Szegő theorem with slitting conditions: Part I by Robert Rumely (Athens, GA) A classical theorem of Fekete and Szegő [4] says that if E is a comact set in the

More information

Graph-Decomposition-Based Frameworks for Subset-Cover Broadcast Encryption and Efficient Instantiations

Graph-Decomposition-Based Frameworks for Subset-Cover Broadcast Encryption and Efficient Instantiations Grah-Decomosition-Based Frameworks for Subset-Cover Broadcast Encrytion and Efficient Instantiations Nuttaong Attraadung and Hideki Imai Imai Laboratory, Institute of Industrial Science, University of

More information

Introduction to MVC. least common denominator of all non-identical-zero minors of all order of G(s). Example: The minor of order 2: 1 2 ( s 1)

Introduction to MVC. least common denominator of all non-identical-zero minors of all order of G(s). Example: The minor of order 2: 1 2 ( s 1) Introduction to MVC Definition---Proerness and strictly roerness A system G(s) is roer if all its elements { gij ( s)} are roer, and strictly roer if all its elements are strictly roer. Definition---Causal

More information

2 Asymptotic density and Dirichlet density

2 Asymptotic density and Dirichlet density 8.785: Analytic Number Theory, MIT, sring 2007 (K.S. Kedlaya) Primes in arithmetic rogressions In this unit, we first rove Dirichlet s theorem on rimes in arithmetic rogressions. We then rove the rime

More information

2 Asymptotic density and Dirichlet density

2 Asymptotic density and Dirichlet density 8.785: Analytic Number Theory, MIT, sring 2007 (K.S. Kedlaya) Primes in arithmetic rogressions In this unit, we first rove Dirichlet s theorem on rimes in arithmetic rogressions. We then rove the rime

More information

Factorability in the ring Z[ 5]

Factorability in the ring Z[ 5] University of Nebraska - Lincoln DigitalCommons@University of Nebraska - Lincoln Dissertations, Theses, and Student Research Paers in Mathematics Mathematics, Deartment of 4-2004 Factorability in the ring

More information

Asymptotically Optimal Simulation Allocation under Dependent Sampling

Asymptotically Optimal Simulation Allocation under Dependent Sampling Asymtotically Otimal Simulation Allocation under Deendent Samling Xiaoing Xiong The Robert H. Smith School of Business, University of Maryland, College Park, MD 20742-1815, USA, xiaoingx@yahoo.com Sandee

More information

A Public-Key Cryptosystem Based on Lucas Sequences

A Public-Key Cryptosystem Based on Lucas Sequences Palestine Journal of Mathematics Vol. 1(2) (2012), 148 152 Palestine Polytechnic University-PPU 2012 A Public-Key Crytosystem Based on Lucas Sequences Lhoussain El Fadil Communicated by Ayman Badawi MSC2010

More information

Various Proofs for the Decrease Monotonicity of the Schatten s Power Norm, Various Families of R n Norms and Some Open Problems

Various Proofs for the Decrease Monotonicity of the Schatten s Power Norm, Various Families of R n Norms and Some Open Problems Int. J. Oen Problems Comt. Math., Vol. 3, No. 2, June 2010 ISSN 1998-6262; Coyright c ICSRS Publication, 2010 www.i-csrs.org Various Proofs for the Decrease Monotonicity of the Schatten s Power Norm, Various

More information

State Estimation with ARMarkov Models

State Estimation with ARMarkov Models Deartment of Mechanical and Aerosace Engineering Technical Reort No. 3046, October 1998. Princeton University, Princeton, NJ. State Estimation with ARMarkov Models Ryoung K. Lim 1 Columbia University,

More information

Brownian Motion and Random Prime Factorization

Brownian Motion and Random Prime Factorization Brownian Motion and Random Prime Factorization Kendrick Tang June 4, 202 Contents Introduction 2 2 Brownian Motion 2 2. Develoing Brownian Motion.................... 2 2.. Measure Saces and Borel Sigma-Algebras.........

More information

Outline. EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Simple Error Detection Coding

Outline. EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Simple Error Detection Coding Outline EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Error detection using arity Hamming code for error detection/correction Linear Feedback Shift

More information

ANALYTIC NUMBER THEORY AND DIRICHLET S THEOREM

ANALYTIC NUMBER THEORY AND DIRICHLET S THEOREM ANALYTIC NUMBER THEORY AND DIRICHLET S THEOREM JOHN BINDER Abstract. In this aer, we rove Dirichlet s theorem that, given any air h, k with h, k) =, there are infinitely many rime numbers congruent to

More information

Solvability and Number of Roots of Bi-Quadratic Equations over p adic Fields

Solvability and Number of Roots of Bi-Quadratic Equations over p adic Fields Malaysian Journal of Mathematical Sciences 10(S February: 15-35 (016 Secial Issue: The 3 rd International Conference on Mathematical Alications in Engineering 014 (ICMAE 14 MALAYSIAN JOURNAL OF MATHEMATICAL

More information

A Social Welfare Optimal Sequential Allocation Procedure

A Social Welfare Optimal Sequential Allocation Procedure A Social Welfare Otimal Sequential Allocation Procedure Thomas Kalinowsi Universität Rostoc, Germany Nina Narodytsa and Toby Walsh NICTA and UNSW, Australia May 2, 201 Abstract We consider a simle sequential

More information

MATH 250: THE DISTRIBUTION OF PRIMES. ζ(s) = n s,

MATH 250: THE DISTRIBUTION OF PRIMES. ζ(s) = n s, MATH 50: THE DISTRIBUTION OF PRIMES ROBERT J. LEMKE OLIVER For s R, define the function ζs) by. Euler s work on rimes ζs) = which converges if s > and diverges if s. In fact, though we will not exloit

More information

AN IMPROVED BABY-STEP-GIANT-STEP METHOD FOR CERTAIN ELLIPTIC CURVES. 1. Introduction

AN IMPROVED BABY-STEP-GIANT-STEP METHOD FOR CERTAIN ELLIPTIC CURVES. 1. Introduction J. Al. Math. & Comuting Vol. 20(2006), No. 1-2,. 485-489 AN IMPROVED BABY-STEP-GIANT-STEP METHOD FOR CERTAIN ELLIPTIC CURVES BYEONG-KWEON OH, KIL-CHAN HA AND JANGHEON OH Abstract. In this aer, we slightly

More information

MODELING THE RELIABILITY OF C4ISR SYSTEMS HARDWARE/SOFTWARE COMPONENTS USING AN IMPROVED MARKOV MODEL

MODELING THE RELIABILITY OF C4ISR SYSTEMS HARDWARE/SOFTWARE COMPONENTS USING AN IMPROVED MARKOV MODEL Technical Sciences and Alied Mathematics MODELING THE RELIABILITY OF CISR SYSTEMS HARDWARE/SOFTWARE COMPONENTS USING AN IMPROVED MARKOV MODEL Cezar VASILESCU Regional Deartment of Defense Resources Management

More information

Improved Capacity Bounds for the Binary Energy Harvesting Channel

Improved Capacity Bounds for the Binary Energy Harvesting Channel Imroved Caacity Bounds for the Binary Energy Harvesting Channel Kaya Tutuncuoglu 1, Omur Ozel 2, Aylin Yener 1, and Sennur Ulukus 2 1 Deartment of Electrical Engineering, The Pennsylvania State University,

More information

and INVESTMENT DECISION-MAKING

and INVESTMENT DECISION-MAKING CONSISTENT INTERPOLATIVE FUZZY LOGIC and INVESTMENT DECISION-MAKING Darko Kovačević, č Petar Sekulić and dal Aleksandar Rakićević National bank of Serbia Belgrade, Jun 23th, 20 The structure of the resentation

More information

arxiv: v2 [math.na] 6 Apr 2016

arxiv: v2 [math.na] 6 Apr 2016 Existence and otimality of strong stability reserving linear multiste methods: a duality-based aroach arxiv:504.03930v [math.na] 6 Ar 06 Adrián Németh January 9, 08 Abstract David I. Ketcheson We rove

More information

Sums of independent random variables

Sums of independent random variables 3 Sums of indeendent random variables This lecture collects a number of estimates for sums of indeendent random variables with values in a Banach sace E. We concentrate on sums of the form N γ nx n, where

More information

#A6 INTEGERS 15A (2015) ON REDUCIBLE AND PRIMITIVE SUBSETS OF F P, I. Katalin Gyarmati 1.

#A6 INTEGERS 15A (2015) ON REDUCIBLE AND PRIMITIVE SUBSETS OF F P, I. Katalin Gyarmati 1. #A6 INTEGERS 15A (015) ON REDUCIBLE AND PRIMITIVE SUBSETS OF F P, I Katalin Gyarmati 1 Deartment of Algebra and Number Theory, Eötvös Loránd University and MTA-ELTE Geometric and Algebraic Combinatorics

More information

A Qualitative Event-based Approach to Multiple Fault Diagnosis in Continuous Systems using Structural Model Decomposition

A Qualitative Event-based Approach to Multiple Fault Diagnosis in Continuous Systems using Structural Model Decomposition A Qualitative Event-based Aroach to Multile Fault Diagnosis in Continuous Systems using Structural Model Decomosition Matthew J. Daigle a,,, Anibal Bregon b,, Xenofon Koutsoukos c, Gautam Biswas c, Belarmino

More information

The inverse Goldbach problem

The inverse Goldbach problem 1 The inverse Goldbach roblem by Christian Elsholtz Submission Setember 7, 2000 (this version includes galley corrections). Aeared in Mathematika 2001. Abstract We imrove the uer and lower bounds of the

More information

Tight Adaptively Secure Broadcast Encryption with Short Ciphertexts and Keys

Tight Adaptively Secure Broadcast Encryption with Short Ciphertexts and Keys Tight Adatively Secure Broadcast Encrytion with Short Cihertexts and Keys Romain Gay ENS, Paris, France romain.gay@ens.fr Lucas Kowalczyk Columbia University luke@cs.columbia.edu Hoeteck Wee ENS, Paris,

More information

CDH/DDH-Based Encryption. K&L Sections , 11.4.

CDH/DDH-Based Encryption. K&L Sections , 11.4. CDH/DDH-Based Encrytion K&L Sections 8.3.1-8.3.3, 11.4. 1 Cyclic grous A finite grou G of order q is cyclic if it has an element g of q. { 0 1 2 q 1} In this case, G = g = g, g, g,, g ; G is said to be

More information

Solution sheet ξi ξ < ξ i+1 0 otherwise ξ ξ i N i,p 1 (ξ) + where 0 0

Solution sheet ξi ξ < ξ i+1 0 otherwise ξ ξ i N i,p 1 (ξ) + where 0 0 Advanced Finite Elements MA5337 - WS7/8 Solution sheet This exercise sheets deals with B-slines and NURBS, which are the basis of isogeometric analysis as they will later relace the olynomial ansatz-functions

More information

Evaluating Circuit Reliability Under Probabilistic Gate-Level Fault Models

Evaluating Circuit Reliability Under Probabilistic Gate-Level Fault Models Evaluating Circuit Reliability Under Probabilistic Gate-Level Fault Models Ketan N. Patel, Igor L. Markov and John P. Hayes University of Michigan, Ann Arbor 48109-2122 {knatel,imarkov,jhayes}@eecs.umich.edu

More information

Almost All Palindromes Are Composite

Almost All Palindromes Are Composite Almost All Palindromes Are Comosite William D Banks Det of Mathematics, University of Missouri Columbia, MO 65211, USA bbanks@mathmissouriedu Derrick N Hart Det of Mathematics, University of Missouri Columbia,

More information

Numerical Linear Algebra

Numerical Linear Algebra Numerical Linear Algebra Numerous alications in statistics, articularly in the fitting of linear models. Notation and conventions: Elements of a matrix A are denoted by a ij, where i indexes the rows and

More information

An Estimate For Heilbronn s Exponential Sum

An Estimate For Heilbronn s Exponential Sum An Estimate For Heilbronn s Exonential Sum D.R. Heath-Brown Magdalen College, Oxford For Heini Halberstam, on his retirement Let be a rime, and set e(x) = ex(2πix). Heilbronn s exonential sum is defined

More information

The non-stochastic multi-armed bandit problem

The non-stochastic multi-armed bandit problem Submitted for journal ublication. The non-stochastic multi-armed bandit roblem Peter Auer Institute for Theoretical Comuter Science Graz University of Technology A-8010 Graz (Austria) auer@igi.tu-graz.ac.at

More information

Combinatorics of topmost discs of multi-peg Tower of Hanoi problem

Combinatorics of topmost discs of multi-peg Tower of Hanoi problem Combinatorics of tomost discs of multi-eg Tower of Hanoi roblem Sandi Klavžar Deartment of Mathematics, PEF, Unversity of Maribor Koroška cesta 160, 000 Maribor, Slovenia Uroš Milutinović Deartment of

More information

IMPROVED BOUNDS IN THE SCALED ENFLO TYPE INEQUALITY FOR BANACH SPACES

IMPROVED BOUNDS IN THE SCALED ENFLO TYPE INEQUALITY FOR BANACH SPACES IMPROVED BOUNDS IN THE SCALED ENFLO TYPE INEQUALITY FOR BANACH SPACES OHAD GILADI AND ASSAF NAOR Abstract. It is shown that if (, ) is a Banach sace with Rademacher tye 1 then for every n N there exists

More information

#A64 INTEGERS 18 (2018) APPLYING MODULAR ARITHMETIC TO DIOPHANTINE EQUATIONS

#A64 INTEGERS 18 (2018) APPLYING MODULAR ARITHMETIC TO DIOPHANTINE EQUATIONS #A64 INTEGERS 18 (2018) APPLYING MODULAR ARITHMETIC TO DIOPHANTINE EQUATIONS Ramy F. Taki ElDin Physics and Engineering Mathematics Deartment, Faculty of Engineering, Ain Shams University, Cairo, Egyt

More information

LECTURE 6: FIBER BUNDLES

LECTURE 6: FIBER BUNDLES LECTURE 6: FIBER BUNDLES In this section we will introduce the interesting class o ibrations given by iber bundles. Fiber bundles lay an imortant role in many geometric contexts. For examle, the Grassmaniann

More information

16.2. Infinite Series. Introduction. Prerequisites. Learning Outcomes

16.2. Infinite Series. Introduction. Prerequisites. Learning Outcomes Infinite Series 6.2 Introduction We extend the concet of a finite series, met in Section 6., to the situation in which the number of terms increase without bound. We define what is meant by an infinite

More information

Notes on Instrumental Variables Methods

Notes on Instrumental Variables Methods Notes on Instrumental Variables Methods Michele Pellizzari IGIER-Bocconi, IZA and frdb 1 The Instrumental Variable Estimator Instrumental variable estimation is the classical solution to the roblem of

More information

Quantitative estimates of propagation of chaos for stochastic systems with W 1, kernels

Quantitative estimates of propagation of chaos for stochastic systems with W 1, kernels oname manuscrit o. will be inserted by the editor) Quantitative estimates of roagation of chaos for stochastic systems with W, kernels Pierre-Emmanuel Jabin Zhenfu Wang Received: date / Acceted: date Abstract

More information

CMSC 425: Lecture 4 Geometry and Geometric Programming

CMSC 425: Lecture 4 Geometry and Geometric Programming CMSC 425: Lecture 4 Geometry and Geometric Programming Geometry for Game Programming and Grahics: For the next few lectures, we will discuss some of the basic elements of geometry. There are many areas

More information

Partial Identification in Triangular Systems of Equations with Binary Dependent Variables

Partial Identification in Triangular Systems of Equations with Binary Dependent Variables Partial Identification in Triangular Systems of Equations with Binary Deendent Variables Azeem M. Shaikh Deartment of Economics University of Chicago amshaikh@uchicago.edu Edward J. Vytlacil Deartment

More information

#A8 INTEGERS 12 (2012) PARTITION OF AN INTEGER INTO DISTINCT BOUNDED PARTS, IDENTITIES AND BOUNDS

#A8 INTEGERS 12 (2012) PARTITION OF AN INTEGER INTO DISTINCT BOUNDED PARTS, IDENTITIES AND BOUNDS #A8 INTEGERS 1 (01) PARTITION OF AN INTEGER INTO DISTINCT BOUNDED PARTS, IDENTITIES AND BOUNDS Mohammadreza Bidar 1 Deartment of Mathematics, Sharif University of Technology, Tehran, Iran mrebidar@gmailcom

More information

Multiplicative group law on the folium of Descartes

Multiplicative group law on the folium of Descartes Multilicative grou law on the folium of Descartes Steluţa Pricoie and Constantin Udrişte Abstract. The folium of Descartes is still studied and understood today. Not only did it rovide for the roof of

More information

AVERAGES OF EULER PRODUCTS, DISTRIBUTION OF SINGULAR SERIES AND THE UBIQUITY OF POISSON DISTRIBUTION

AVERAGES OF EULER PRODUCTS, DISTRIBUTION OF SINGULAR SERIES AND THE UBIQUITY OF POISSON DISTRIBUTION AVERAGES OF EULER PRODUCTS, DISTRIBUTION OF SINGULAR SERIES AND THE UBIQUITY OF POISSON DISTRIBUTION EMMANUEL KOWALSKI Abstract. We discuss in some detail the general roblem of comuting averages of convergent

More information

ε i (E j )=δj i = 0, if i j, form a basis for V, called the dual basis to (E i ). Therefore, dim V =dim V.

ε i (E j )=δj i = 0, if i j, form a basis for V, called the dual basis to (E i ). Therefore, dim V =dim V. Covectors Definition. Let V be a finite-dimensional vector sace. A covector on V is real-valued linear functional on V, that is, a linear ma ω : V R. The sace of all covectors on V is itself a real vector

More information

RESOLUTIONS OF THREE-ROWED SKEW- AND ALMOST SKEW-SHAPES IN CHARACTERISTIC ZERO

RESOLUTIONS OF THREE-ROWED SKEW- AND ALMOST SKEW-SHAPES IN CHARACTERISTIC ZERO RESOLUTIONS OF THREE-ROWED SKEW- AND ALMOST SKEW-SHAPES IN CHARACTERISTIC ZERO MARIA ARTALE AND DAVID A. BUCHSBAUM Abstract. We find an exlicit descrition of the terms and boundary mas for the three-rowed

More information

Feedback-error control

Feedback-error control Chater 4 Feedback-error control 4.1 Introduction This chater exlains the feedback-error (FBE) control scheme originally described by Kawato [, 87, 8]. FBE is a widely used neural network based controller

More information

System Reliability Estimation and Confidence Regions from Subsystem and Full System Tests

System Reliability Estimation and Confidence Regions from Subsystem and Full System Tests 009 American Control Conference Hyatt Regency Riverfront, St. Louis, MO, USA June 0-, 009 FrB4. System Reliability Estimation and Confidence Regions from Subsystem and Full System Tests James C. Sall Abstract

More information

Galois Fields, Linear Feedback Shift Registers and their Applications

Galois Fields, Linear Feedback Shift Registers and their Applications Galois Fields, Linear Feedback Shift Registers and their Alications With 85 illustrations as well as numerous tables, diagrams and examles by Ulrich Jetzek ISBN (Book): 978-3-446-45140-7 ISBN (E-Book):

More information

An Analysis of Reliable Classifiers through ROC Isometrics

An Analysis of Reliable Classifiers through ROC Isometrics An Analysis of Reliable Classifiers through ROC Isometrics Stijn Vanderlooy s.vanderlooy@cs.unimaas.nl Ida G. Srinkhuizen-Kuyer kuyer@cs.unimaas.nl Evgueni N. Smirnov smirnov@cs.unimaas.nl MICC-IKAT, Universiteit

More information

ON POLYNOMIAL SELECTION FOR THE GENERAL NUMBER FIELD SIEVE

ON POLYNOMIAL SELECTION FOR THE GENERAL NUMBER FIELD SIEVE MATHEMATICS OF COMPUTATIO Volume 75, umber 256, October 26, Pages 237 247 S 25-5718(6)187-9 Article electronically ublished on June 28, 26 O POLYOMIAL SELECTIO FOR THE GEERAL UMBER FIELD SIEVE THORSTE

More information

Convexification of Generalized Network Flow Problem with Application to Power Systems

Convexification of Generalized Network Flow Problem with Application to Power Systems 1 Convexification of Generalized Network Flow Problem with Alication to Power Systems Somayeh Sojoudi and Javad Lavaei + Deartment of Comuting and Mathematical Sciences, California Institute of Technology

More information

Positive decomposition of transfer functions with multiple poles

Positive decomposition of transfer functions with multiple poles Positive decomosition of transfer functions with multile oles Béla Nagy 1, Máté Matolcsi 2, and Márta Szilvási 1 Deartment of Analysis, Technical University of Budaest (BME), H-1111, Budaest, Egry J. u.

More information

Predicate Privacy in Encryption Systems

Predicate Privacy in Encryption Systems Predicate Privacy in Encrytion Systems Emily Shen MIT eshen@csail.mit.edu Elaine Shi CMU/PARC eshi@arc.com December 24, 2008 Brent Waters UT Austin bwaters@cs.utexas.edu Abstract Predicate encrytion is

More information

Elementary theory of L p spaces

Elementary theory of L p spaces CHAPTER 3 Elementary theory of L saces 3.1 Convexity. Jensen, Hölder, Minkowski inequality. We begin with two definitions. A set A R d is said to be convex if, for any x 0, x 1 2 A x = x 0 + (x 1 x 0 )

More information

COMMUNICATION BETWEEN SHAREHOLDERS 1

COMMUNICATION BETWEEN SHAREHOLDERS 1 COMMUNICATION BTWN SHARHOLDRS 1 A B. O A : A D Lemma B.1. U to µ Z r 2 σ2 Z + σ2 X 2r ω 2 an additive constant that does not deend on a or θ, the agents ayoffs can be written as: 2r rθa ω2 + θ µ Y rcov

More information

POINTS ON CONICS MODULO p

POINTS ON CONICS MODULO p POINTS ON CONICS MODULO TEAM 2: JONGMIN BAEK, ANAND DEOPURKAR, AND KATHERINE REDFIELD Abstract. We comute the number of integer oints on conics modulo, where is an odd rime. We extend our results to conics

More information

Estimation of the large covariance matrix with two-step monotone missing data

Estimation of the large covariance matrix with two-step monotone missing data Estimation of the large covariance matrix with two-ste monotone missing data Masashi Hyodo, Nobumichi Shutoh 2, Takashi Seo, and Tatjana Pavlenko 3 Deartment of Mathematical Information Science, Tokyo

More information

Research Article An iterative Algorithm for Hemicontractive Mappings in Banach Spaces

Research Article An iterative Algorithm for Hemicontractive Mappings in Banach Spaces Abstract and Alied Analysis Volume 2012, Article ID 264103, 11 ages doi:10.1155/2012/264103 Research Article An iterative Algorithm for Hemicontractive Maings in Banach Saces Youli Yu, 1 Zhitao Wu, 2 and

More information

MA3H1 TOPICS IN NUMBER THEORY PART III

MA3H1 TOPICS IN NUMBER THEORY PART III MA3H1 TOPICS IN NUMBER THEORY PART III SAMIR SIKSEK 1. Congruences Modulo m In quadratic recirocity we studied congruences of the form x 2 a (mod ). We now turn our attention to situations where is relaced

More information

Proof Nets and Boolean Circuits

Proof Nets and Boolean Circuits Proof Nets and Boolean Circuits Kazushige Terui terui@nii.ac.j National Institute of Informatics, Tokyo 14/07/04, Turku.1/44 Motivation (1) Proofs-as-Programs (Curry-Howard) corresondence: Proofs = Programs

More information

16.2. Infinite Series. Introduction. Prerequisites. Learning Outcomes

16.2. Infinite Series. Introduction. Prerequisites. Learning Outcomes Infinite Series 6. Introduction We extend the concet of a finite series, met in section, to the situation in which the number of terms increase without bound. We define what is meant by an infinite series

More information

Primes - Problem Sheet 5 - Solutions

Primes - Problem Sheet 5 - Solutions Primes - Problem Sheet 5 - Solutions Class number, and reduction of quadratic forms Positive-definite Q1) Aly the roof of Theorem 5.5 to find reduced forms equivalent to the following, also give matrices

More information

By Evan Chen OTIS, Internal Use

By Evan Chen OTIS, Internal Use Solutions Notes for DNY-NTCONSTRUCT Evan Chen January 17, 018 1 Solution Notes to TSTST 015/5 Let ϕ(n) denote the number of ositive integers less than n that are relatively rime to n. Prove that there

More information

GOOD MODELS FOR CUBIC SURFACES. 1. Introduction

GOOD MODELS FOR CUBIC SURFACES. 1. Introduction GOOD MODELS FOR CUBIC SURFACES ANDREAS-STEPHAN ELSENHANS Abstract. This article describes an algorithm for finding a model of a hyersurface with small coefficients. It is shown that the aroach works in

More information

ON THE LEAST SIGNIFICANT p ADIC DIGITS OF CERTAIN LUCAS NUMBERS

ON THE LEAST SIGNIFICANT p ADIC DIGITS OF CERTAIN LUCAS NUMBERS #A13 INTEGERS 14 (014) ON THE LEAST SIGNIFICANT ADIC DIGITS OF CERTAIN LUCAS NUMBERS Tamás Lengyel Deartment of Mathematics, Occidental College, Los Angeles, California lengyel@oxy.edu Received: 6/13/13,

More information

#A47 INTEGERS 15 (2015) QUADRATIC DIOPHANTINE EQUATIONS WITH INFINITELY MANY SOLUTIONS IN POSITIVE INTEGERS

#A47 INTEGERS 15 (2015) QUADRATIC DIOPHANTINE EQUATIONS WITH INFINITELY MANY SOLUTIONS IN POSITIVE INTEGERS #A47 INTEGERS 15 (015) QUADRATIC DIOPHANTINE EQUATIONS WITH INFINITELY MANY SOLUTIONS IN POSITIVE INTEGERS Mihai Ciu Simion Stoilow Institute of Mathematics of the Romanian Academy, Research Unit No. 5,

More information

On Erdős and Sárközy s sequences with Property P

On Erdős and Sárközy s sequences with Property P Monatsh Math 017 18:565 575 DOI 10.1007/s00605-016-0995-9 On Erdős and Sárközy s sequences with Proerty P Christian Elsholtz 1 Stefan Planitzer 1 Received: 7 November 015 / Acceted: 7 October 016 / Published

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback