Conversions among Several Classes of Predicate Encryption and Applications to ABE with Various Compactness Tradeoffs
|
|
- Edith Cole
- 5 years ago
- Views:
Transcription
1 Conversions among Several Classes of Predicate Encrytion and Alications to ABE with Various Comactness Tradeoffs Nuttaong Attraadung, Goichiro Hanaoka, and Shota Yamada National Institute of Advanced Industrial Science and Technology (AIST). {n.attraadung, hanaoka-goichiro, Abstract. Predicate encrytion is an advanced form of ublic-key encrytion that yields high flexibility in terms of access control. In the literature, many redicate encrytion schemes have been roosed such as fuzzy-ibe, KP-ABE, CP- ABE, (doubly) satial encrytion (DSE), and ABE for arithmetic san rograms. In this aer, we study relations among them and show that some of them are in fact equivalent by giving conversions among them. More secifically, our main contributions are as follows: We show that monotonic, small universe KP-ABE (CP-ABE) with bounds on the size of attribute sets and san rograms (or linear secret sharing matrix) can be converted into DSE. Furthermore, we show that DSE imlies nonmonotonic CP-ABE (and KP-ABE) with the same bounds on arameters. This imlies that monotonic/non-monotonic KP/CP-ABE (with the bounds) and DSE are all equivalent in the sense that one imlies another. We also show that if we start from KP-ABE without bounds on the size of san rograms (but bounds on the size of attribute sets), we can obtain ABE for arithmetic san rograms. The other direction is also shown: ABE for arithmetic san rograms can be converted into KP-ABE. These results imly, somewhat surrisingly, KP-ABE without bounds on san rogram sizes is in fact equivalent to ABE for arithmetic san rograms, which was thought to be more exressive or at least incomarable. By alying these conversions to existing schemes, we obtain many non-trivial consequences. We obtain the first non-monotonic, large universe CP-ABE (that suorts san rograms) with constant-size cihertexts, the first KP-ABE with constant-size rivate keys, the first (adatively-secure, multi-use) ABE for arithmetic san rograms with constant-size cihertexts, and more. We also obtain the first attribute-based signature scheme that suorts non-monotone san rograms and achieves constant-size signatures via our techniques. Keywords. Attribute-based encrytion, doubly satial encrytion, generic conversion, constant-size cihertexts, constant-size keys, arithmetic san rograms 1 Introduction Predicate encrytion (PE) is an advanced form of ublic-key encrytion that allows much flexibility. Instead of encryting data to a target reciient, a sender will secify in a more general way about who should be able to view the message. In redicate encrytion for a redicate R, a sender can associate a cihertext with a cihertext attribute X
2 2 while a rivate key is associated with a key attribute Y. Such a cihertext can then be decryted by such a key if the redicate evaluation R(X, Y ) holds true. There exist many classes of PE, each is defined by secifying a corresonding class of redicates. One notable class is attribute-based encrytion (ABE) [41,26] for san rograms (or equivalently, linear secret sharing schemes), of which redicate is defined over key attributes being a san rogram and cihertext attributes being a set of attributes, and its evaluation holds true if the san rogram accets the set. This is called key-olicy ABE (KP-ABE). There is also cihertext-olicy ABE (CP-ABE), where the roles of key and cihertext attributes are exchanged. Another imortant class is doubly satial encrytion (DSE) [27], of which redicate is defined over both key and cihertext attributes being affine subsaces, and its evaluation holds true if both subsaces intersect. Very recently, a new imortant class of PE, that is called attribute encrytion for arithmetic san rograms is defined in [30]. They showed such a PE scheme is useful by demonstrating that the scheme can be efficiently converted into ABE for arithmetic branching rograms for both zero-tye and non-zero tye redicates. If the scheme satisfies a certain requirement for efficiency (namely, encrytion cost is at most linear in cihertext redicate size), it is also ossible to obtain a ublicly verifiable delegation scheme for arithmetic branching rograms, by exloiting a conversion shown in [39]. Furthermore, they gave a concrete construction of such scheme. Comared to secific constructions of redicate encrytion [32,33,35,45,23,21] (to name just a few) that focus on achieving more exressive redicates and/or stronger security guarantee, relations among redicate encrytion schemes are much less investigated. The urose of this aer is to imrove our understanding of relations among them. 1.1 Our Results Relations among PE. Towards the goal above, we study relations among PE and show that some of them are in fact equivalent by giving generic conversion among them. We first investigate the relation among ABE with some bounds on arameters (the size of attribute sets and the size of san rograms) and DSE. We have the following results: First, we show a conversion from KP-ABE (or CP-ABE) with the bounds on arameters into DSE (without key delegation, in Section 3). Such an imlication is not straightforward in the first lace. Intuitively, one reason stems from the different nature between both redicates: while DSE can be considered as an algebraic object that involves affine saces, ABE can be seen as a somewhat more combinatorial object that involves sets (of attributes). Our aroach involves some new technique for rogramming a set associated to a cihertext and a san rogram associated to a rivate key in the KP-ABE scheme so that they can emulate the relation for doubly satial encrytion. We then extend the result of [27], which showed that DSE imlies CP/KP-ABE with large universes. We rovide a new conversion from DSE (without delegation) to non-monotonic CP/KP-ABE with large universes (in Section 4). We note that the resulting schemes obtained by the above conversions have some bounds on arameters. In the conversion, we extensively use a secial form of olynomial introduced in [31] and carefully design a matrix so that DSE can cature a relation for ABE.
3 3 non-mono,large ( k,,, ) KP-ABE Full version. non-mono,large ( k,,, ) CP-ABE Full version trivial KASP CASP trivial Sect. 5 Sect. 5 mono,small ( k,,, ) KP-ABE mono,small ( k,,, ) CP-ABE trivial Sect. 3 Sect. 3 trivial mono,small ( k, l, m, ϕ) KP-ABE n-dse mono,small ( k, l, m, ϕ) CP-ABE trivial [27] [27] trivial mono,large ( k, l, m, ϕ) KP-ABE trivial Sect. 4 non-mono,large ( k, l, m, ϕ) KP-ABE mono,large ( k, l, m, ϕ) CP-ABE Sect. 4 trivial non-mono,large ( k, l, m, ϕ) CP-ABE Fig. 1. Relations among redicate encrytion rimitives. In this figure, arrows indicate conversions that transform the rimitive of the starting oint to that of the end oint. The red arrows indicate our results in this aer. For ABE, mono and non-mono indicate whether it is monotonic or non-monotonic, while small and large indicate whether the attribute universes are large (i.e., exonentially large) or small (i.e., olynomially bounded). ( k, l, m, ϕ) secify bounds on size of sets of attributes and san rograms. See Section 2.1 for details. As a result, rimitives inside each dashed box are all equivalent in the sense there is a conversion between each air. Somewhat surrisingly, by combining the above results, we obtain generic conversions that can boost the functionality of (bounded) ABE: from monotonic to non-monotonic, and from small-universe to large-universe; moreover, we also obtain conversions which transform ABE to its dual (key-olicy to cihertext-olicy, and vice versa). This imlies that they are essentially equivalent in some sense. See Figure 1 for the details. So far, we have considered ABE schemes with bounds on arameters, esecially on the size of san rograms. We then roceed to investigate relation among ABE schemes without bounds on the size of san rograms (but with a bound on the size of attribute sets) and ABE for arithmetic san rograms recently introduced and studied by Ishai and Wee [30]. We call the latter key-olicy ABE for arithmetic san rograms (KASP), since in the latter, a cihertext is associated with a vector while a rivate key is associated with an arithmetic san rogram which secifies a olicy. By exchanging key and cihertext attribute, we can also define cihertext-olicy version of ABE for arithmetic san rogram (CASP). We have the following results: We show that monotonic KP-ABE with small universe (without bound on the size of san rograms) can be converted into KASP (in Section 5). The idea for the conversion is similar to that in Section 3. In the full version of the aer [4], we also investigate the converse direction. In fact, we show somewhat stronger result. That is, KASP can be converted into non-
4 4 monotonic KP-ABE with large universe, which trivially imlies monotonic KP-ABE with small universe. The idea for the conversion is similar to that in Section 4. Given the above results, we have all of the following are equivalent: monotonic KP- ABE with small universe, non-monotonic KP-ABE with large universe, and KASP. Similar imlications hold for the case of CP-ABE and CASP. However, we do not have a conversion from KP-ABE to CP-ABE in this case. Again, see Figure 1 for the details. Direct Alications: New Instantiations. By alying our conversions to existing schemes, we obtain many new instantiations. Most of them have new roerties that were not achieved before. These include the first DSE with constant-size ublic key, the first DSE with constant-size cihertexts, the first DSE with constant-size rivate keys, the first non-monotonic, large-universe CP-ABE with constant-size cihertexts, the first non-monotonic, large-universe KP-ABE with constant-size keys, the first KASP, CASP with constant-size ublic key, the first KASP, CASP with adative security and unbounded multi-use, the first KASP with constant-size cihertexts, the first CASP with constant-size keys, which together offer various comactness tradeoffs. Previously, all DSE schemes require linear (or more) sizes in all arameters [27,18,15]. Previous CP-ABE with constantsize cihertexts [20,14,22,13] can only deal with threshold or even more limited exressiveness. As for KP-ABE, to the best of our knowledge, there were no constructions with constant-size keys. 1 Previous KASP and CASP [30,17] require linear sizes in all arameters. Moreover, the adatively secure schemes [17] suort only attribute oneuse. See Section 6 and tables therein for our instantiations and comarisons. Alication to Attribute-Based Signatures. Our technique is also useful in the settings of attribute-based signatures (ABS) [36,37]. We first define a notion that we call redicate signature (PS) which is a signature analogue of PE. Then, we construct a secific PS scheme with constant-size signatures such that a signature is associated with a set of attributes while a rivate key is associated with a olicy (or monotone san rograms). This is in some sense a dual notion of ordinary ABS in which a signature is associated with a olicy and a rivate key with a set. By using the technique develoed in the above, we can convert the PS scheme into an ABS scheme. As a result, we obtain the first ABS scheme with constant-size signatures. Previous ABS schemes with constant-size signatures [28,13] only suort threshold or more limited olicies. Finally, we remark that although our conversions are feasible, they often introduce olynomial-size overheads to some arameters. Thus, in most cases, above schemes obtained by the conversions should be seen as feasibility results in the sense that they might not be totally efficient. As a future direction, it would be interesting to construct more efficient schemes directly. 1 KP-ABE with (asymtotically) short keys was also roosed in [10]. Comared to ours, their key size is not constant but they focus on more exressive ABE, namely ABE for circuits.
5 5 1.2 Related Works There are several revious works investigating relations among PE rimitives. In [25], a black box searation between threshold redicate encrytion (fuzzy IBE) and IBE was shown. They also rule out certain natural constructions of PE for NC 1 from PE for AC 0. In [16], it was shown that hierarchical inner roduct encrytion is equivalent to satial encrytion, which is a secial case of doubly satial encrytion. [24] showed a generic conversion from KP-ABE suorting threshold formulae to CP-ABE suorting threshold formulae. Their result and ours are incomarable. Our KP-ABE to CP-ABE conversion requires the original KP-ABE to suort monotone san rograms, which is a stronger requirement than [24]. On the other hand, the resulting scheme obtained by our conversion suorts non-monotone san rograms, which is a wider class than threshold formulae 2. Thus, by alying our conversion, we can obtain new schemes (such as CP-ABE suorting non-monotone san rograms with constant-size cihertext) that is not ossible to obtain by the conversion by [24]. In recent works [2,6], it is shown that PE satisfying certain secific temlate can be converted into PE for its dual redicate. In articular, it yields KP-ABE-to-CP-ABE conversion. Again, their result and ours are incomarable. On the one hand, schemes obtained from their conversion are tyically more efficient than ours. On the other hand, their conversion only works for schemes with the temlate while our conversion is comletely generic. Furthermore, since they essentially exchange key and cihertext comonents in the conversion, the size of keys and cihertexts are also exchanged. For examle, if we start from KP-ABE with constant-size cihertexts, they obtain CP-ABE with constant-size rivate keys while we obtain CP-ABE with constant-size cihertexts. We also remark that in the settings where PE for general circuit is available, we can easily convert any KP-ABE into CP-ABE by using universal circuits as discussed in [23,21]. However, in the settings where only PE for san rograms is available, this technique is not known to be alicable. We note that all existing PE schemes for general circuits [21,23,10] are quite inefficient and based on strong assumtions (e.g., existence of secure multi-linear ma or hardness of certain lattice roblems for an exonential aroximation factor). In [8], in the context of quantum comutation, Belovs studies a san rogram that decides whether two saces intersect or not. The roblem and its solution considered there is very similar to that in Section 3 of our aer. However, he does not consider alication to crytograhy and the result is not alicable to our setting immediately since the syntax of san rograms is slightly different. Concurrent and Indeendent Work. Concurrently and indeendently to our work, Aggrawal and Chase [1] show secific construction of CP-ABE scheme with constantsize cihertexts. Comared to our CP-ABE scheme with constant-size cihertexts, which is obtained by our conversion, their scheme only suorts monotone access structure over large universe, whereas our scheme suorts non-monotonic access structure over large universe. Furthermore, we can obtain adatively secure scheme whereas their scheme is only selectively secure. On the other hand, their scheme has shorter keys. 2 While it is known that monotone san rograms contain threshold formulae [26], the converse is not known to be true.
6 6 2 Preliminaries Notation. Throughout the aer, denotes a rime number. We will treat a vector as a column vector, unless stated otherwise. For a vector a Z n, a[i] Z reresents i-th element of the vector. Namely, a = (a[1],..., a[n]). For a, b Z n, we denote their inner roduct as a, b = a b = n i=1 a[i] b[i]. We denote by e i the i-th unit vector: its i-th comonent is one, all others are zero. I n and 0 n m reresent an identity matrix in Z n n and zero matrix in Z n m resectively. We also define 1 n = (1, 1,..., 1) Z n and 0 n = 0 n 1. We often omit the subscrit if it is clear from the context. We denote by [a, b] a set {a, a+1,..., b} for a, b Z such that a b and [b] denotes [1, b]. For a matrix X Z n d, san(x) denotes a linear sace {X u u Z d } sanned by columns of X. For matrices A Z n1 m and B Z n2 m, [A; B] Z (n1+n2) m denotes [A, B ] i.e., the vertical concatenation of them. 2.1 Definition of Predicate Encrytion Here, we define the syntax of redicate encrytion. We emhasize that we do not consider attribute hiding in this aer 3. Syntax. Let R = {R N : A N B N {0, 1} N N c } be a relation family where A N and B N denote cihertext attribute and key attribute saces and c is some fixed constant. The index N = (n 1, n 2,..., n c ) of R N denotes the numbers of bounds for corresonding arameters. A redicate encrytion (PE) scheme for R is defined by the following algorithms: Setu(λ, N) (mk, msk): The setu algorithm takes as inut a security arameter λ and an index N of the relation R N and oututs a master ublic key mk and a master secret key msk. Encryt(mk, M, X) C: The encrytion algorithm takes as inut a master ublic key mk, the message M, and a cihertext attribute X A N. It will outut a cihertext C. KeyGen(msk, mk, Y ) sk Y : The key generation algorithm takes as inut the master secret key msk, the master ublic key mk, and a key attribute Y B N. It oututs a rivate key sk Y. Decryt(mk, C, X, sk Y, Y ) M or : We assume that the decrytion algorithm is deterministic. The decrytion algorithm takes as inut the master ublic key mk, a cihertext C, cihertext attribute X A N, a rivate key sk Y, and rivate key attribute Y. It oututs the message M or which reresents that the cihertext is not in a valid form. We refer (standard) definitions of correctness and security of PE to [2,4]. 2.2 (Arithmetic) San Program, ABE, and Doubly Satial Encrytion Definition of San Program. Let U = {u 1,..., u t } be a set of variables. For each u i, denote u i as a new variable. Intuitively, u i and u i corresond to ositive and 3 This is called ublic-index redicate encrytion, categorized in [12].
7 7 negative attributes, resectively. Also let U = { u 1,..., u t }. A san rogram over Z is secified by a air (L, ρ) of a matrix and a labelling function where L Z l m ρ : [l] U U for some integer l, m. Intuitively, the ma ρ labels row i with attribute ρ(i). A san rogram accets or rejects an inut by the following criterion. For an inut δ {0, 1} t, we define the sub-matrix L δ of L to consist of the rows whose labels are set to 1 by the inut δ. That is, it consists of either rows labelled by some u i such that δ i = 1 or rows labelled by some u i such that δ i = 0. We say that (L, ρ) accets δ iff (1, 0,..., 0) is in the row san of L δ. We can write this also as e 1 san(l δ ). A san rogram is called monotone if the labels of the rows consist of only the ositive literals, in U. Key-Policy and Cihertext-Policy Attribute-Based Encrytion. Let U be the universe of attributes. We define a relation R KP on any san rograms (L, ρ) over Z and any sets of attributes S U as follows. For S U, we define δ {0, 1} t as an indicator vector corresonding to S. Namely, δ i = 1 if u i S and δ i = 0 if u i S. We define R KP (S, (L, ρ)) = 1 iff (L, ρ) accets δ. Similarly, R CP is defined as R CP ((L, ρ), S) = 1 iff (L, ρ) accets δ. A KP-ABE scheme may require some bounds on arameters: we denote k = the maximum size of k (the size of attribute set S), l = the maximum size of l (the number of rows of L), m = the maximum size of m (the number of columns of L), ϕ = the maximum size of allowed reetition in {ρ(1),..., ρ(l)}. These bounds define the index N = ( k, l, m, ϕ) for the redicate family. When there is no restriction on corresonding arameter, we reresent it by such as ( k,,, ). We define A N and B N as the set of all attribute sets and the set of all san rograms whose sizes are restricted by N, resectively. KP-ABE is a redicate encrytion for RN KP : A N B N {0, 1}, where RN KP is restricted on N in a natural manner. CP-ABE is defined dually with A N and B N swaed. Let t := U. We say the scheme suorts small universe if t is olynomially bounded and large universe if t is exonentially large. The scheme is monotonic if san rograms are restricted to be monotone, and non-monotonic otherwise. Attribute-Based Encrytion for Arithmetic San Programs [30]. In this redicate, the index N for the family is secified by an integer n. We call it the dimension of the scheme. We define A N = Z n. An arithmetic san rogram of dimension n is secified by a tule (Y, Z, ρ) of two matrices Y, Z Z m l and a ma ρ : [l] [n], for some integers l, m. There is no restriction on l and m. If ρ is restricted to injective, we say that the scheme suorts only attribute one-use. Otherwise, if there is no restriction on
8 8 ρ, we say that it is unbounded multi-use. We let B N be the set of all arithmetic san rograms of dimension n. We then define R KASP N (x, (Y, Z, ρ)) = 1 iff e 1 san{x[ρ(j)] y j + z j } j [l], where here e 1 = (1, 0,..., 0) Z m and x[ρ(j)] is the ρ(j)-th term of x, while y j and z j are the j-th column of Y and Z resectively. We call redicate encrytion for R KASP key-olicy attribute-based encrytion for arithmetic san rogram (KASP). Cihertext-olicy ASP (CASP) can be defined dually with A N and B N swaed. Doubly Satial Encrytion. In this redicate, the index N for the family is secified by an integer n (the dimension of the scheme). We define the domains as A N = B N = Z n ( 0 d n Z n d ). We define ( (x0, X), (y 0, Y) ) = 1 iff ( x 0 + san(x) ) ( y 0 + san(y) ). R DSE N Doubly satial encrytion is PE for relation R DSE N equied with additional key delegation algorithm. The key delegation algorithm takes a rivate key for some affine sace as an inut and oututs a rivate key for another affine sace, which is a subset of the first one. We require that the distribution of a key obtained by the delegation is the same as that of a key directly obtained by the key generation algorithm. We refer to [18,4] for the formal definition. 2.3 Embedding Lemma for PE The following useful lemma from [11] describes a sufficient criterion for imlication from PE for a given redicate to PE for another redicate. The lemma is alicable to any relation family. We consider two relation families: RN F : A N B N {0, 1}, RN F : A N B N {0, 1}, which is arametrized by N N c and N N c resectively. Suose that there exists three efficient maings f : Z c Z c f e : A N A f (N ) f k : B N B f (N ) which mas arameters, cihertext attributes, and key attributes, resectively, such that for all X A N, Y B N, R F N (X, Y ) = 1 R F f (N ) (f e(x ), f k (Y )) = 1. (1) We can then construct a PE scheme Π = {Setu, Encryt, KeyGen, Decryt } for redicate RN F from a PE scheme Π = {Setu, Encryt, KeyGen, Decryt} for redicate RN F as follows. Let Setu (λ, N ) = Setu(λ, f (N )) and Encryt (mk, M, X ) = Encryt(mk, M, f e (X )), KeyGen (msk, mk, Y ) = KeyGen(msk, mk, f k (Y )), and Decryt (mk, C, X, sk Y, Y ) = Decryt(mk, C, f e (X ), sk Y, f k (Y )).
9 9 Lemma 1 (Embedding lemma [11]). If Π is correct and secure, then so is Π. This holds for selective security and adative security. Intuitively, the forward and backward direction of Relation (1) ensure that the correctness and the security are reserving, resectively. 3 Conversion from ABE to DSE In this section, we show how to construct DSE for dimension n from monotonic KP- ABE (with bounds on the size of attribute sets and san rograms). We note that by simly swaing key and cihertext attributes, we can also obtain CP-ABE-to-DSE conversion. We first describe the conversion, then exlain the intuition behind the conversion later below. 3.1 The Conversion Maing Parameters. We ma f DSE KP : n ( k, l, m, ψ) where k = n(n + 1)κ + 1, l = 2(nκ + 1)(n + 1), m = (nκ + 1)(n + 1) + 1, ψ = 2(n + 1), where we define κ := log 2. Moreover, we set the universe U as follows. { } U = Att[i][j][k][b] (i, j, k, b) [0, n] [1, n] [1, κ] {0, 1} {D}, where D is a dummy attribute which will be assigned for all cihertext. Hence, the universe size is U = 2n(n + 1)κ + 1. Intuitively, Att[i][j][k][b] reresents an indicator for the condition the k-th least significant bit of the binary reresentation of the j-th element of the vector x i is b {0, 1}. Maing Cihertext Attributes. For x 0 Z n and X = [x 1,..., x d1 ] Z n d1 such that d 1 n, we ma fe DSE KP : (x 0, X) S where { } S = Att[i][j][k][b] (i, j, k) [0, d 1 ] [1, n] [1, κ], b = x i [j][k] {D}. Here, we define x i [j][k] {0, 1} so that they satisfy x i [j] = κ 2 k 1 x i [j][k]. k=1 Namely, x i [j][k] is the k-th least significant bit of the binary reresentation of x i [j]. Maing Key Attributes. For y 0 Z n and Y = [y 1,..., y d2 ] Z n d2 such that d 2 n, we ma fk DSE KP : (y 0, Y) (L, ρ) as follows. Let the numbers of rows and columns of L be l = (2nκ + 1)(n + 1) + d 2 + 1, m = (nκ + 1)(n + 1) + 1,
10 10 resectively. We then define e 1 e 1 + e d2+2 y0 Y E J L = E J.... E J Z l m, (2) of which each sub-matrix E and J both aears n + 1 times, where we define 1 g 1 g 1 E =... Z (2nκ+1) n 1, J =... Z (2nκ+1) nκ (3) g where g = (0, 1, 0, 2,..., 0, 2 i,..., 0, 2 κ 1 ) Z 2κ. Next, we define the ma ρ : [1, l] U as follows. If i d 2 + 1, we set ρ(i) := D. Else, we have i [d 2 + 2, l]. We then write i = (d 2 + 1) + (2nκ + 1)i + i with a unique i [0, n + 1] and a unique i [0, 2nκ]. If i = 0, we again set ρ(i) = D. Else, we have i [1, 2nκ]. We then write i = 2κj + 2k + b + 1 with unique j [0, n 1], k [0, κ 1], and b {0, 1}. We finally set ρ(i) = Att[i ][j + 1][k + 1][b ]. Intuition. We exlain the intuition behind the conversion. S can be seen as a binary reresentation of the information of (x 0, X). In the san rogram (L, ρ), E is used to reroduce the information of (x 0, X) in the matrix while J is used to constrain the form of linear combination among rows to a certain form. 4 In some sense, the roll of the lower art of the matrix L (the last (2nκ + 1)(n + 1) rows) is similar to universal circuit while the uer art of the matrix contains the information of (y 0, Y). 4 A somewhat similar technique to ours that restricts the form of linear combination of vectors was used in [9] in a different context (for constructing a monotone san rogram that tests co-rimality of two numbers).
11 Correctness of the Conversion We show the following theorem. The imlication from KP-ABE to DSE would then follow from the embedding lemma (Lemma 1). Theorem 1. For n N, for any x 0 Z n, X Z n d1, y 0 Z n and Y Z n d2, it holds that with N = f DSE KP RN KP (S, (L, ρ)) = 1 Rn DSE ( (x0, X), (y 0, Y) ) = 1 (n), S = f DSE KP (x 0, X), and (L, ρ) = f DSE KP (y 0, Y). e Proof. Define I [l] as I := { i ρ(i) S } and define L I as the sub-matrix of L formed by all the rows of which index is in I. From the definition of fe DSE KP, we have that L I is in the form of L I = e 1 e 1 + e d2+2 y 0 Y E 0 J E 1 J. E d1... J 1 nκ... 1 nκ k Z l I m I where l I := (nκ + 1)(d 1 + 1) + n d 1 + d and m I := (nκ + 1)(n + 1) + 1 and g i,1 g i,2 E i =... gi,n for i [0, d 1 ], where g i,j = Z (nκ+1) n, J = ( x i [j][1], 2x i [j][2],..., 2 κ 1 x i [j][κ]) Z κ. Z (nκ+1) nκ. We remark that it holds that 1 κ, g i,j = x i [j] by the definition of x i [j][k] and thus E i 1 nκ+1 = x i holds. We also remark that if v J = 0 holds for some v Z nκ+1, then there exists v Z such that v = v1 nκ+1. These roerties will be used later. To rove the theorem statement is now equivalent to rove that e 1 san(l I ) ( x 0 + san(x) ) ( y 0 + san(y) ).
12 12 Forward Direction ( ). Suose e 1 san(l I ). Then, there exists u Zl I that u L I = e 1. We write u as such We then write u L I = u = ( }{{} v, }{{} v, u 0, u 1,..., u ) d }{{}}{{} 1, u d1+1,..., u n. }{{}}{{} 1 d 2 nκ+1 nκ }{{} nκ+1 ( ( ) ( v, v + u 0, e 1, vy0 + v Y + d 1 i=0 u i E i ), ( u d 1 J ) ( ), u d1+11 nκ+1 ( u 0 J ),...,,..., ( ) ) u n 1 nκ+1 Since u L I = e 1, we have u d1+1 = = u n = 0, by comaring each element of the vector. Furthermore, since u i J = 0 for i [0, d 1 ], there exist {u i Z } i [0,d1] such that u i = u i 1 nκ+1. By comaring the first and the second element of the vector, we obtain v = 1 and v + u 0, e 1 = 1 + u 0 1 nκ+1, e 1 = 1 + u 0 = 0. Hence, u 0 = 1. Finally, we have that d 1 i=0 u i E i + vy 0 + v Y = 0 and thus d 1 E i u i = y 0 + Y v. i=0 The left hand side of the equation is d 1 d 1 E i u i = u 0 E 0 1 nκ+1 u i E i 1 nκ+1 i=0 i=1 d 1 = x 0 u i x i ( x 0 + san(x) ). i=1 while the right hand side is y 0 + Y v (y 0 + san(y)). This imlies that ( x 0 + san(x) ) ( y 0 + san(y) ). Converse Direction ( ). Suose ( x 0 + san(x) ) ( y 0 + san(y) ). Hence, there exist sets {u i Z } i [1,d1] and {v i Z } i [1,d2] such that x 0 + d 1 i=1 u ix i = y 0 + d 2 i=1 v iy i. We set a vector u as u = ( 1, v 1,..., v d2 1 }{{} nκ+1, u 1 1 nκ+1,..., u d1 1 ) nκ+1, 0,..., 0 ). }{{}}{{} d 2 (nκ+1)(d 1+1) n d 1
13 13 Therefore, we have u L I = = ( ( 1, 1 1, y0 + ( ( 1, 0, y0 + d 2 i=1 ( 1 nκ+1j ), d 2 i=1 v i y i d 1 v i yi 1 nκ+1(e 0 + i=1 ( u 1 1 nκ+1j ),..., ) ( x 0 + d 1 i=1 as desired. This concludes the roof of the theorem. u i x i ) u i E i ), ( u n 1 nκ+1j ), 0..., 0 ) ), 0..., 0 = e 1 ) 4 From DSE to Non-Monotonic ABE In [27], it is shown that DSE can be converted into monotonic CP-ABE with large universe (and bounds on the size of attribute sets and san rograms). In this section, we extend their result to show that non-monotonic CP-ABE with large universe and the same bounds can be constructed from DSE. We note that our transformation is very different from that of [27] even if we only consider monotonic CP-ABE because of exositional reasons. We also note that by simly swaing key and cihertext attributes, we immediately obtain DSE-to-non-monotonic-KP-ABE conversion. Again, we first describe the conversion, rovide some intuition later below. 4.1 The Conversion Maing Parameters. We ma f CP DSE : ( k, l, m, l) n = 4 l + m + 2 k l. We assume that the universe of attributes is Z.This restriction can be easily removed by using collision resistant hash. Maing Cihertext Attributes. For a san rogram (L, ρ), we ma fe CP DSE : (L, ρ) (x 0, X) as follows. Let l m be the dimension of L, where l l. (If the number of columns is smaller, we can adjust the size by adding zeroes.) Let l 0, l 1 be such that l = l 0 + l 1, and without loss of generality, we assume that the first l 0 rows of L are associated with ositive attributes and the last l 1 rows with negative attributes by the ma ρ. We denote L as L = [L 0 ; L 1 ] using matrices L 0 Z and l0 m l1 m L 1 Z. We then define f CP DSE (L, ρ) = (x 0, X) with e x 0 = e 1 Z n, X = l l1 L 1 I l1 {}}{ G 1 L 0 l {}}{ G0 Z(l0+2l1) n,
14 14 where G b Z l b l( k+1) for each b {0, 1} is defined as ( ρ(bl 0 + 1) ) ( ρ(bl G b = 0 + 2) )... ( ρ(bl 0 + l b ) ) ( l l b )( k+1) {}}{ where () is a function that takes an element of Z or its negation ({ x x Z }) as an inut and oututs a vector (x) = (1, x, x 2,..., x k) Z k+1. Maing Key Attributes. For a set S = (S 1,..., S k ) such that k k, we ma : S (y 0, Y) where f CP DSE k y 0 = 0 n Z n, Y = ( m ) {}}{ H I( k+1) l Z 2( k+1) l n, H I ( k+1) l of which H is defined as q S q S H = I l q S =... qs ( Z ) ( k+1) l l, where q S = (q S [1],..., q S [ k + 1]) Z k+1 k+1 Q S [Z] = q S [i] Z i 1 = i=1 is defined as a coefficient vector from k (Z S i ). If k < k, the coordinates q S [k + 2],..., q S [ k + 1] are all set to 0. Intuition. The matrices X and Y constructed above can be divided into two arts. The first l 0 rows of X and the first ( k + 1) l rows of Y deal with ositive attributes.the lower arts of X and Y deal with negation of attributes. Here, we exlain how we handle negated attributes. Positive attributes are handled by a similar mechanism. I ( k+1) l in Y and G 1 in X restricts the linear combination of the rows of X and Y to a certain form in order to two affine saces to have a intersection. As a result, we can argue that the coefficient of the i-th row of L 1 in the linear combination should be multile of Q S (ρ(l 0 + i)) 5. Since we have that Q S (x) = 0 iff x S for any x Z, this means that the coefficient of the vector in the linear combination should be 0 if ρ(l 0 + i) = Att and Att S. This restriction is exactly what we need to emulate redicate of non-monotonic CP-ABE. 5 Here, We treat negated attributes ({ x x Z }) as elements of Z. Namely, if ρ(l 0 + i) = Att for some Att Z, Q S(ρ(l 0 + i)) := Q S(Att). i=1
15 Correctness of the Conversion We show the following theorem. The imlication from DSE to non-monotonic CP-ABE with large universe would then follow from the embedding lemma. Theorem 2. For any san rogram (L Z l m, ρ) such that l l and m m and S such that S k, let N = ( k, l, m, l), we have that where n = f CP DSE Rn DSE ((x 0, X), (y 0, Y)) = 1 RN CP (S, (L, ρ)) = 1 (N), (x 0, X) = f CP DSE e (L, ρ), and (y 0, Y) = fk CP DSE (S). Proof. Let I [1, l] be I = { i (ρ(i) = Att Att S) (ρ(i) = Att Att S) }. We also let L I be the sub-matrix of L formed by rows whose index is in I. To rove the theorem statement is equivalent to rove that ( x0 + san(x) ) ( y 0 + san(y) ) e 1 san(l I ). Forward Direction ( ). Suose that there exist u Z l0+2l1 and v Z 2( k+1) l that x 0 + u X = y0 + v Y = v Y. We denote these vectors as u = ( u 0, u 1, u 2 ), v = ( v1 }{{}}{{}}{{}}{{} l 0 l 1 l 1 k+1,..., v l }{{} k+1 w1 }{{} k+1,..., w l }{{} k+1.) such Hence, x 0 + u X and v Y can be written as ( x 0 + u X = e 1 + u 0 L 0 + u 1 L 1, 0 l, u 0 [1] (ρ(1)),..., u 0 [l 0 ] (ρ(l 0 )), }{{}}{{} m ( k+1)l 0 and 0 ( l l 0)( k+1), u 1 }{{} l 1, 0 l l1, u 2 [1] (ρ(l 0 + 1)),..., u 2 [l 1 ] (ρ(l 0 + l 1 )), 0 }{{} ( k+1)l 1 v Y = (0 m, v 1, q S,...,, v l, q S, v1,..., v l, }{{}}{{} l ( k+1) l ) ( l l 1)( k+1) w 1, q S,...,, w l, q S, w1,..., w l ). (5) }{{}}{{} l ( k+1) l First, by comaring the m + l + 1-th to m + ( k + 2) l-th elements of the vector, we obtain that v i = u 0 [i] (ρ(i)) for i [1, l 0 ] and v i = 0 k+1 for i [l 0 + 1, l]. Furthermore, by comaring m + 1-th to m + l-th elements of the vector, we have v i, q S = u 0 [i] (ρ(i)), q S = u 0 [i] Q S ( ρ(i) ) = 0 (4)
16 16 for i [1, l 0 ]. The second equation above follows from the definition of () and q S. Since Q S (ρ(i)) = ω S (ρ(i) ω) 0 if ρ(i) S, we have that u 0[i] = 0 if ρ(i) S. That is, u 0 [i] = 0 for i [1, l 0 ]\I. Next, by comaring the last ( k + 1) l elements in the vector, we obtain that w i = u 2 [i] (ρ(l 0 + i)) for i [1, l 1 ] and w i = 0 k+1 for i [l 1 + 1, l]. By comaring the m + ( k + 2) l + 1-th to m + ( k + 3) l-th elements in the vector, we have that (u 1, 0 l l1 ) = ( w 1, q S,...,, w l, q S ) and thus u 1 [i] = w i, q S = u 2 [i] (ρ(l 0 + i)), q S = u 2 [i] Q S (ρ(l 0 + i)) holds for i [1, l 1 ]. From the above, we have that u 1 [i] = 0 if ρ(l 0 + i) = Att and Att S for some Att. This imlies that u 1 [i] = 0 if (l 0 + i) I for i [1, l 1 ]. Finally, by comaring the first m elements in the vector, we obtain that e 1 + u 0 L 0 + u 1 L 1 = 0. Let u 0,I be a subvector of u 0 which is obtained by deleting all elements u 0 [i] for i I. Similarly, we define u 1,I as a vector obtained by deleting all elements u 1 [i] for i such that (l 0 + i) I from u 1. Since u 0 [i] = 0 for i [1, l 0 ]\I and u 1 [i] = 0 for i [1, l 1 ] such that (l 0 + i) I, it follows that (u 0,I, u 1,I )L I = u 0 L 0 + u 1 L 1 = e 1 and thus e 1 san(l I ) as desired. Converse Direction ( ). The converse direction can be shown by reeating the above discussion in reverse order. Assume that e 1 san(l I ). Then there exists u Z I such that u L I = e 1. We extend u to define u Z l0+l1 so that u I = u and u [i] = 0 for i I hold. Here, u I Z I is a subvector of u which is obtained by deleting all elements u [i] for i I. These conditions comletely determine u. We denote this u as u = (u 0, u 1 ) using u 0 Z l0 and u 1 Z l1. We note that u 0 L 0 + u 1 L 1 = e 1 holds by the definition. Next we define v i for i [ l] as v i = u 0 [i] (ρ(i)) if i [l 0 ] and v i = 0 k+1 if i [l 0 + 1, l]. We claim that v i, q S = 0 holds for i [ l]. Here, we rove this. The case for i [l 0 + 1, l] is trivial. For the case of i [1, l 0 ], we have v i, q S = u 0 [i] (ρ(i)), q S = u 0 [i] Q S (ρ(i)) = 0. The last equation above holds because we have Q S (ρ(i)) = 0 if i I and u 0 [i] = 0 otherwise, by the definition of u 0 [i]. We define u 2 [i] Z for i [1, l 1 ] as u 2 [i] = u 1 [i]/q S (ρ(l 0 + i)) if u 1 [i] 0 and u 2 [i] = 0 if u 1 [i] = 0. We have to show that u 2 [i] are well defined by showing that Q S (ρ(l 0 + i)) 0 if u 1 [i] 0 (i.e., division by 0 does not occur). If u 1 [i] 0, then (l 0 + i) I by the definition of u 1. It imlies that (ρ(l 0 + i) = Att) (Att S) for some Att Z and thus Q S (ρ(l 0 + i)) = ω S (Att ω) 0 holds as desired. We also define w i as w i = u 2 [i] (ρ(l 0 + i)) for i [1, l 1 ] and w i = 0 k+1 for i [l 1 + 1, l]. Then, we have w i, q S = u 2 [i] (ρ(l 0 + i)), q S = u 2 [i] Q S (ρ(l 0 + i)) = u 1 [i] for i [1, l 1 ] and w i, q S = 0 for i [l 1 + 1, l]. Finally, we define u and v as u = (u 0, u 1, u 2 ) and v = (v 1,..., v l, w 1,..., w l ). Then, Equation (4) and (5) hold. By the roerties of u and v we investigated so
17 17 far, it is straightforward to see that x 0 + u X = y0 the roof of the theorem. + v Y holds. This concludes 5 From KP(CP)-ABE to KASP(CASP) In this section, we show that monotonic KP-ABE with small universe (without bounds on the size of san rograms) can be converted into KASP. We note that we can also obtain CP-ABE-to-CASP conversion by simly swaing key and cihertext attribute. 5.1 The Conversion Maing Parameters. We show how to construct KASP for dimension n from monotonic KP-ABE for arameter N = (nκ + 1,,, ) and the size of attribute universe is U = 2nκ + 1. Here, κ = log 2. That is, we define f KASP KP (n) = N. We set the universe of attributes as { } U = Att[i][j][b] (i, j, b) [1, n] [1, κ] {0, 1} {D}. Intuitively, Att[i][j][b] reresents an indicator for the condition the j-th least significant bit of the binary reresentation of the i-th element of the vector x is b {0, 1}. D is a dummy attribute which will be assigned for all cihertexts. Maing Cihertext Attributes. For x Z n, we ma fe KASP KP : x S where { } S = Att[i][j][b] (i, j) [1, n] [1, κ], b = x[i][j] {D}, where we define x[i][j] {0, 1} in such a way that x[i] = κ j=1 2j 1 x[i][j]. In other words, x[i][j] is the j-th least significant bit of the binary reresentation of x[i] Z. Maing Key Attributes. For an arithmetic san rogram (Y = (y 1,..., y l ) Z m l, Z = (z 1,..., z l ) Z m l, ρ) such that Y, Z Z m l, we define the ma fk KASP KP : (Y, Z, ρ) (L, ρ ) as follows. First, we define G 1 J G 2 J ( ) ( ) L =.... Z (2κ+1)l κl+m, (6) J G l where the matrix J Z (2κ+1) κ G i is defined as is defined as in Equation (3) (by setting n = 1) while G i = [g y i ; z i ] = (0 m, y i, 0 m, 2y i,, 0 m, 2 κ 1 y i, z i ) Z (2κ+1) m where g = (0, 1, 0, 2,..., 0, 2 i,..., 0, 2 κ 1 ) Z 2κ. Next, we define the ma ρ : [(2κ + 1)l] U as follows. If i = 0 mod (2κ + 1), we set ρ(i) := D.
18 18 Else, we write i = (2κ + 1)i + 2j + b + 1 with unique i [0, l 1], j [0, κ 1], and b {0, 1}. We finally set ρ (i) = Att[ρ(i + 1)][j + 1][b ]. Intuition. S can be seen as a binary reresentation of the information of x. In the san rogram (L, ρ ), J is used to constrain the form of linear combination among rows to a certain form. G i as well as ρ, along with the above restriction, are designed so that linear combination of rows of G i only can be a scalar multile of the vector (x[ρ(i)]y i + z i ). Therefore, (L, ρ ) essentially works as an arithmetic san rogram. 5.2 Correctness of the Conversion We show the following theorem. The imlication from KP-ABE with arameter N = (nκ + 1,,, ) to KASP with dimension n would then follow from the embedding lemma. Theorem 3. For any x Z n, Y Z m l where N = f KASP KP, Z Z m l, and ρ : [l] [n], it holds that R KP N (S, (L, ρ )) = 1 R KASP n (x, (Y, Z, ρ)) = 1 (n), S = f KASP KP (x), and (L, ρ ) = f KASP KP (Y, Z, ρ). e Proof. Define I [1, (2κ + 1)l] as I = { i ρ (i) S }. We define L I as the submatrix of L formed by rows whose index is in I. From the definition of fe KASP KP, we have that L I is in the form of G 1 J G 2 J ( ) ( ) L I =.... Z (κ+1)l κl+m, G l J where G i = [g i y i ; z i ] Z (κ+1) m, J = 1 1 k Z (κ+1) κ, and where g i = (x[ρ(i)][1], 2x[ρ(i)][2],..., 2 κ 1 x[ρ(i)][κ]) Z κ. We note that we have 1 κ, g i = x[ρ(i)] by the definition of x[ρ(i)][j] and thus G i 1 κ+1 = x[ρ(i)]y i + z i holds. We also remark that if v J = 0 holds for some v Z κ+1, then there exists v Z such that v = v1 κ+1. These roerties will be used later below. To rove the theorem statement is equivalent to rove that e 1 san(l I ) e 1 san({x[ρ(i)]y i + z i } i [l] ).
19 Forward Direction ( ). We assume that e 1 san(l I ). From this, there exists u Z (κ+1)l such that u L I = e 1. We write this u as u = ( u 1, u 2,..., u ) l. }{{}}{{}}{{} κ+1 κ+1 κ+1 19 Therefore, we have that e 1 = u L I = u i G i, u 1 J,..., u l J. i [l] Since u i we have J = 0 for i [l], there exist {u i Z } i [l] such that u i = u i 1 κ+1. Then, e 1 = i [l] u i G i = i [l] u i 1 κ+1g i = i [l] u i (x[ρ(i)] y i + z i ). This imlies e 1 san({x[ρ(i)]y i + z i } i [l] ), as desired. Converse Direction ( ). We assume that e 1 san({x[ρ(i)]y i + z i } i [l] ). Then, there exist {u i Z } i [l] such that i [l] u i(x[ρ(i)] y i + z i ) = e 1. We set a vector u Z (κ+1)l as u = ( u 1 1 κ+1,..., u l 1κ+1). Then, we have that u L I = u i 1 κ+1g i, u 1 1 κ+1j,..., u l 1 κ+1j i [l] = u i (x[ρ(i)]y i + z i ), 0 κ,..., 0 κ = e 1. i [l] This imlies e 1 san(l I ), as desired. This concludes the roof of the theorem. 6 Imlications of Our Result In this section, we discuss consequences of our results. Equivalence between (bounded) ABE and DSE. We have shown that monotonic KP/CP-ABE for ( k, l, m, ϕ) imlies DSE (without delegation) in Section 3 and DSE imlies non-monotonic KP/CP-ABE with large universe for ( k, l, m, ϕ) in Section 4. Since non-monotonic KP/CP-ABE with large universe for ( k, l, m, ϕ) trivially imlies monotonic KP/CP-ABE with small universe for ( k, l, m, ϕ), our results indicate that these PE schemes are essentially equivalent in the sense that they imly each other. Equivalence between K(C)ASP and KP(CP)-ABE. Next, we consider the case where there is no restriction on the size of san rograms. In Section 5, we showed that monotonic KP-ABE for (( k + 1)κ,,, ) imlies KASP for ( k,,, ). In the full version [4], we also show the converse direction. That is, we show that KASP for
20 20 Table 1. Comarison among DSE Schemes Schemes mk C sk Delegation Security Assumtion Hamburg11 [27] O(n) O(d 1) O(d 2) Selective Parameterized CW14 [18] O(n 2 ) O(nd 1) O(n) Selective Static CZF12 [15] O(n) O(d 1) O(d 2) Adative Static Sec. 3 + RW13 [40] O(1) O(nd 1κ) O(n 2 κ) Selective Parameterized Sec. 3 + ALP11 [5] O(n 2 κ) O(1) O(n 4 κ 2 ) Selective Parameterized Sec. 3 + OT12 [38] O(1) O(n 2 d 1κ) O(n 2 κ)? Adative Static Sec. 3 + A15 [3] O(1) O(nd 1κ) O(n 2 κ)? Adative Parameterized Sec. 3 + A15 [3] O(n 2 κ) O(1) O(n 4 κ 2 )? Adative Parameterized Sec. 3 + A15 [3] O(n 2 κ) O(n 4 κ 2 ) O(1)? Adative Parameterized n is the dimension of the scheme; d 1 and d 2 denote the dimension of the sace associated with the cihertext and rivate key, resectively; κ = log 2. Delegation shows if key delegation is suorted.? means unknown. ( k + 1,,, ) imlies non-monotonic KP-ABE for ( k,,, ) with large universe. Since non-monotonic KP-ABE for ( k,,, ) trivially imlies monotonic KP-ABE for ( k,,, ), our results indicate that these PE schemes are essentially equivalent similarly to the above case. Similar imlications hold for CP-ABE. See figure 1 for the overview. By alying the conversions to existing schemes, we obtain various new schemes. The overviews of roerties of resulting schemes and comarison with existing schemes are rovided in Table 1, 2, 3, and 4. All schemes in the tables are constructed in airing grous. In the tables, we count the number of grou elements to measure the size of master ublic keys ( mk ), cihertexts ( C ), and rivate keys ( sk ). Note that our conversions only can be alied to ABE schemes suorting san rograms over Z. Therefore, for ABE schemes constructed on comosite order grous [32,2], our conversions are not alicable since they suort san rograms over Z N where N is a roduct of several large rimes. Similar restrictions are osed on DSE and K(C)ASP. Though it is quite lausible that our conversions work even in such cases assuming hardness of factoring N, we do not rove this in this aer. New DSE Schemes. By alying our KP(CP)-ABE-to-DSE conversion to existing KP(CP)-ABE schemes, we obtain many new DSE schemes. Table 1 shows overview of obtained schemes. 6 Secifically, From the unbounded KP-ABE schemes [38,40,3], we obtain the first DSE scheme with constant-size master ublic key (without delegation). Note that all revious schemes [27,15,18] require at least O(n) grou elements in master ublic key where n is the dimension of the scheme. From KP-ABE scheme with constant-size cihertexts [5,29,42,3], we obtain the first DSE scheme with constant-size cihertexts. All revious schemes [27,15,18] require 6 In the table, arameterized assumtions refer to q-tye assumtions, which are non-interactive and falsifiable but arameterized by some arameters of the scheme such as k, k.
21 21 Table 2. Comarison among CP-ABE Schemes Schemes Exressiveness Efficiency Security Assumtion Universe Policy mk C sk OT12 [38] Large Non-mono. San. O(1) O(l) O(kϕ) Adative Static AY15 [6], A15 [3] Large Mono. San. O(1) O(l) O(k) Adative Parametrized AY15 [6], A15 [3] Large Mono. San. O( k) O( kl) O(1) Adative Parametrized EMN+09 [20] Small AND-only O( k) O(1) O( k) Selective Static CZF11 [14] Small AND-only O( k) O(1) O( k 2 ) Selective Static CCL+13 [13] Small Threshold O( k) O(1) O( k 2 ) Adative Static Sec. 3,4 + ALP11 [5] Large Non-mono. San. O(( k l) 2 κ) O(1) O(( k l) 4 κ 2 ) Selective Parametrized Sec. 3,4 + T14 [42] Large Non-mono. San. O(( k l) 2 κ) O(1) O(( k l) 4 κ 2 ) Semi-adat Static Sec. 3,4 + A15 [3] Large Non-mono. San. O(( k l) 2 κ) O(1) O(( k l) 4 κ 2 ) Adative Parametrized k is the size of an attribute set associated with a key, l is the number of rows of a san rogram matrix associated with a cihertext; k, l are the maximums of k, l (if bounded); ϕ is the maximum number of allowed attribute multi-use in one olicy (if bounded); κ = log 2. at least O(d 1 ) grou elements in cihertexts where d 1 is the dimension of the affine sace associated to a cihertext. From CP-ABE scheme with constant-size keys [6], we obtain the first DSE scheme with constant-size rivate keys. All revious schemes require at least O(d 2 ) grou elements in rivate keys where d 2 is the dimension of the affine sace associated to a rivate key. The schemes obtained from [38,3] achieves adative security. Furthermore, for schemes obtained from [40,5,29], we can define key delegation algorithm. The details of the key delegation algorithm will be given in the full version [4]. CP-ABE with Constant-Size Cihertexts. By alying our DSE-to-non-monotonic- CP-ABE conversion in Section 4 to the DSE scheme with constant-size cihertexts obtained above, we obtain the first non-monotonic CP-ABE with constant-size cihertexts. Previous CP-ABE schemes with constant-size cihertexts [20,14,13] only suort threshold or more limited redicates 7. See Table 2 for comarison (we list only relevant schemes). KP-ABE with Constant-Size Keys. By alying our DSE-to-non-monotonic-KP-ABE conversion in Section 4 to the DSE scheme with constant-size keys obtained above, we obtain the first non-monotonic KP-ABE with constant-size keys. See Table 3 for comarison (we list only relevant schemes). New KASP and CASP Schemes. By alying the KP(CP)-ABE-to-K(C)ASP conversion in Section 5, we obtain many new K(C)ASP schemes. See Table 4 for the overview. Secifically, From the unbounded KP-ABE, CP-ABE schemes of [40,3], we obtain the first KASP, CASP schemes with constant-size master ublic key. 7 One would be able to obtain CP-ABE with constant-size cihertexts suorting threshold formulae by alying the generic conversion in [24] to a KP-ABE scheme roosed in [5]. However, the resulting scheme suorts more limited redicate comared to ours. To the best of our knowledge, this observation has not aeared elsewhere.
22 22 Table 3. Comarison among KP-ABE Schemes Schemes Exressiveness Efficiency Security Assumtion Universe Policy mk C sk OT12 [38] Large Non-mono. San. O(1) O(kϕ) O(l) Adative Static AY15 [6], A15 [3] Large Mono. San. O(1) O(k) O(l) Adative Parameterized AY15 [6], A15 [3] Large Mono. San. O( k) O(1) O( kl) Adative Parameterized Sec. 3,4 + A15 [3] Large Non-mono. San. O(( k l) 2 κ) O(( k l) 4 κ 2 ) O(1) Adative Parameterized k is the size of an attribute set associated with a cihertext, l is the number of rows of a san rogram matrix associated with a key; k, l are the maximums of k, l (if bounded); ϕ is the maximum number of allowed attribute multi-use in one olicy (if bounded); κ = log 2. From adatively secure KP-ABE, CP-ABE schemes of [35,3], we obtain the first adatively secure KASP, CASP schemes with unbounded attribute multi-use. From KP-ABE schemes with constant-size cihertexts [5,29,42,3], we obtain the first KASP schemes with constant-size cihertexts. From CP-ABE schemes with constant-size keys [3], we obtain the first CASP schemes with constant-size keys. Until recently, the only (K)ASP scheme in the literature was roosed by [30], which is selectively secure and the master ublic key and cihertext size are linear in the dimension of the scheme. Very recently, adatively secure KASP and CASP were given in [17], albeit with the restriction of one-time use (of the same attribute in one olicy). We remark that the conversion is not alicable for schemes in [37,38] since these schemes are KP-ABE for (,,, ϕ) where ϕ is olynomially bounded, whereas our conversion requires the last arameter to be unbounded. 7 Alication to Attribute-Based Signature Here, we discuss that our techniques develoed in revious sections are also alicable to construct attribute-based signatures (ABS) [36,37]. ABS is an advanced form of signature and can be considered as a signature analogue of ABE. In articular, it resembles CP-ABE in the sense that a rivate key is associated with a set of attributes while a signature is associated with a olicy and a message. A user can sign on a message with a olicy if and only if she has a rivate key associated with a set satisfying the olicy. Roughly seaking, this roerty corresonds to the correctness and unforgeability. For ABS, we also require rivacy. That is, we require that one cannot obtain any information about the attribute of the signer from a signature. The construction of exressive ABS scheme with constant-size signatures has been oen. All revious ABS schemes with constant-size signatures [28,13] only suorts threshold redicates. The difficulty of constructing ABS with constant-size signatures seems to be related to the difficulty of construction of CP-ABE with constant-size cihertexts. That is, it is hard to set constant number of grou elements so that they include very comlex information such as san rograms. To solve the roblem, we first define the notion of redicate signature (PS) that is a signature analogue of PE. Then we construct a PS scheme that is dual of ABS: a ri-
Cryptography. Lecture 8. Arpita Patra
Crytograhy Lecture 8 Arita Patra Quick Recall and Today s Roadma >> Hash Functions- stands in between ublic and rivate key world >> Key Agreement >> Assumtions in Finite Cyclic grous - DL, CDH, DDH Grous
More informationElliptic Curves and Cryptography
Ellitic Curves and Crytograhy Background in Ellitic Curves We'll now turn to the fascinating theory of ellitic curves. For simlicity, we'll restrict our discussion to ellitic curves over Z, where is a
More informationBilinear Entropy Expansion from the Decisional Linear Assumption
Bilinear Entroy Exansion from the Decisional Linear Assumtion Lucas Kowalczyk Columbia University luke@cs.columbia.edu Allison Bisho Lewko Columbia University alewko@cs.columbia.edu Abstract We develo
More informationMATH 2710: NOTES FOR ANALYSIS
MATH 270: NOTES FOR ANALYSIS The main ideas we will learn from analysis center around the idea of a limit. Limits occurs in several settings. We will start with finite limits of sequences, then cover infinite
More informationImproved Hidden Vector Encryption with Short Ciphertexts and Tokens
Imroved Hidden Vector Encrytion with Short Cihertexts and Tokens Kwangsu Lee Dong Hoon Lee Abstract Hidden vector encrytion HVE) is a articular kind of redicate encrytion that is an imortant crytograhic
More informationPredicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products
Predicate Encrytion Suorting Disjunctions, Polynomial Equations, and Inner Products Jonathan Katz jkatz@cs.umd.edu Amit Sahai sahai@cs.ucla.edu Brent Waters bwaters@csl.sri.com Abstract Predicate encrytion
More informationCryptanalysis of Pseudorandom Generators
CSE 206A: Lattice Algorithms and Alications Fall 2017 Crytanalysis of Pseudorandom Generators Instructor: Daniele Micciancio UCSD CSE As a motivating alication for the study of lattice in crytograhy we
More informationCryptography Assignment 3
Crytograhy Assignment Michael Orlov orlovm@cs.bgu.ac.il) Yanik Gleyzer yanik@cs.bgu.ac.il) Aril 9, 00 Abstract Solution for Assignment. The terms in this assignment are used as defined in [1]. In some
More informationApproximating min-max k-clustering
Aroximating min-max k-clustering Asaf Levin July 24, 2007 Abstract We consider the roblems of set artitioning into k clusters with minimum total cost and minimum of the maximum cost of a cluster. The cost
More informationModel checking, verification of CTL. One must verify or expel... doubts, and convert them into the certainty of YES [Thomas Carlyle]
Chater 5 Model checking, verification of CTL One must verify or exel... doubts, and convert them into the certainty of YES or NO. [Thomas Carlyle] 5. The verification setting Page 66 We introduce linear
More informationMath 4400/6400 Homework #8 solutions. 1. Let P be an odd integer (not necessarily prime). Show that modulo 2,
MATH 4400 roblems. Math 4400/6400 Homework # solutions 1. Let P be an odd integer not necessarily rime. Show that modulo, { P 1 0 if P 1, 7 mod, 1 if P 3, mod. Proof. Suose that P 1 mod. Then we can write
More informationLattice Attacks on the DGHV Homomorphic Encryption Scheme
Lattice Attacks on the DGHV Homomorhic Encrytion Scheme Abderrahmane Nitaj 1 and Tajjeeddine Rachidi 2 1 Laboratoire de Mathématiques Nicolas Oresme Université de Caen Basse Normandie, France abderrahmanenitaj@unicaenfr
More information1. Introduction. 2. Background of elliptic curve group. Identity-based Digital Signature Scheme Without Bilinear Pairings
Identity-based Digital Signature Scheme Without Bilinear Pairings He Debiao, Chen Jianhua, Hu Jin School of Mathematics Statistics, Wuhan niversity, Wuhan, Hubei, China, 43007 Abstract: Many identity-based
More informationElementary Analysis in Q p
Elementary Analysis in Q Hannah Hutter, May Szedlák, Phili Wirth November 17, 2011 This reort follows very closely the book of Svetlana Katok 1. 1 Sequences and Series In this section we will see some
More informationCERIAS Tech Report The period of the Bell numbers modulo a prime by Peter Montgomery, Sangil Nahm, Samuel Wagstaff Jr Center for Education
CERIAS Tech Reort 2010-01 The eriod of the Bell numbers modulo a rime by Peter Montgomery, Sangil Nahm, Samuel Wagstaff Jr Center for Education and Research Information Assurance and Security Purdue University,
More informationCombining Logistic Regression with Kriging for Mapping the Risk of Occurrence of Unexploded Ordnance (UXO)
Combining Logistic Regression with Kriging for Maing the Risk of Occurrence of Unexloded Ordnance (UXO) H. Saito (), P. Goovaerts (), S. A. McKenna (2) Environmental and Water Resources Engineering, Deartment
More informationEfficient Cryptosystems From 2 k -th Power Residue Symbols
Efficient Crytosystems From k -th Power Residue Symbols Fabrice Benhamouda, Javier Herranz, Marc Joye 3, and Benoît Libert 4, ENS Paris, CNRS, INRIA, and PSL 45 rue d Ulm, 7530 Paris Cedex 06, France fabrice.benhamouda@ens.fr
More informationAn Attack on a Fully Homomorphic Encryption Scheme
An Attack on a Fully Homomorhic Encrytion Scheme Yuu Hu 1 and Fenghe Wang 2 1 Telecommunication School, Xidian University, 710071 Xi an, China 2 Deartment of Mathematics and Physics Shandong Jianzhu University,
More informationUse of Transformations and the Repeated Statement in PROC GLM in SAS Ed Stanek
Use of Transformations and the Reeated Statement in PROC GLM in SAS Ed Stanek Introduction We describe how the Reeated Statement in PROC GLM in SAS transforms the data to rovide tests of hyotheses of interest.
More information1-way quantum finite automata: strengths, weaknesses and generalizations
1-way quantum finite automata: strengths, weaknesses and generalizations arxiv:quant-h/9802062v3 30 Se 1998 Andris Ambainis UC Berkeley Abstract Rūsiņš Freivalds University of Latvia We study 1-way quantum
More informationConvex Optimization methods for Computing Channel Capacity
Convex Otimization methods for Comuting Channel Caacity Abhishek Sinha Laboratory for Information and Decision Systems (LIDS), MIT sinhaa@mit.edu May 15, 2014 We consider a classical comutational roblem
More informationEfficient Cryptosystems From 2 k -th Power Residue Symbols
Published in Journal of Crytology, 30(2:519 549, 2017. Efficient Crytosystems From 2 k -th Power Residue Symbols Fabrice Benhamouda 1, Javier Herranz 2, Marc Joye 3, and Benoît Libert 4, 1 ES Paris, CRS,
More information#A37 INTEGERS 15 (2015) NOTE ON A RESULT OF CHUNG ON WEIL TYPE SUMS
#A37 INTEGERS 15 (2015) NOTE ON A RESULT OF CHUNG ON WEIL TYPE SUMS Norbert Hegyvári ELTE TTK, Eötvös University, Institute of Mathematics, Budaest, Hungary hegyvari@elte.hu François Hennecart Université
More informationPositive Definite Uncertain Homogeneous Matrix Polynomials: Analysis and Application
BULGARIA ACADEMY OF SCIECES CYBEREICS AD IFORMAIO ECHOLOGIES Volume 9 o 3 Sofia 009 Positive Definite Uncertain Homogeneous Matrix Polynomials: Analysis and Alication Svetoslav Savov Institute of Information
More informationTanja Lange Technische Universiteit Eindhoven
Crytanalysis Course Part I Tanja Lange Technische Universiteit Eindhoven 28 Nov 2016 with some slides by Daniel J. Bernstein Main goal of this course: We are the attackers. We want to break ECC and RSA.
More informationThe Graph Accessibility Problem and the Universality of the Collision CRCW Conflict Resolution Rule
The Grah Accessibility Problem and the Universality of the Collision CRCW Conflict Resolution Rule STEFAN D. BRUDA Deartment of Comuter Science Bisho s University Lennoxville, Quebec J1M 1Z7 CANADA bruda@cs.ubishos.ca
More informationPublic Key Cryptosystems RSA
Public Key Crytosystems RSA 57 17 Receiver Sender 41 19 and rime 53 Attacker 47 Public Key Crytosystems RSA Comute numbers n = * 2337 323 57 17 Receiver Sender 41 19 and rime 53 Attacker 2491 47 Public
More informationStatics and dynamics: some elementary concepts
1 Statics and dynamics: some elementary concets Dynamics is the study of the movement through time of variables such as heartbeat, temerature, secies oulation, voltage, roduction, emloyment, rices and
More informationExtension of Minimax to Infinite Matrices
Extension of Minimax to Infinite Matrices Chris Calabro June 21, 2004 Abstract Von Neumann s minimax theorem is tyically alied to a finite ayoff matrix A R m n. Here we show that (i) if m, n are both inite,
More informationAdvanced Cryptography Midterm Exam
Advanced Crytograhy Midterm Exam Solution Serge Vaudenay 17.4.2012 duration: 3h00 any document is allowed a ocket calculator is allowed communication devices are not allowed the exam invigilators will
More informationTopic: Lower Bounds on Randomized Algorithms Date: September 22, 2004 Scribe: Srinath Sridhar
15-859(M): Randomized Algorithms Lecturer: Anuam Guta Toic: Lower Bounds on Randomized Algorithms Date: Setember 22, 2004 Scribe: Srinath Sridhar 4.1 Introduction In this lecture, we will first consider
More informationThe Fekete Szegő theorem with splitting conditions: Part I
ACTA ARITHMETICA XCIII.2 (2000) The Fekete Szegő theorem with slitting conditions: Part I by Robert Rumely (Athens, GA) A classical theorem of Fekete and Szegő [4] says that if E is a comact set in the
More informationGraph-Decomposition-Based Frameworks for Subset-Cover Broadcast Encryption and Efficient Instantiations
Grah-Decomosition-Based Frameworks for Subset-Cover Broadcast Encrytion and Efficient Instantiations Nuttaong Attraadung and Hideki Imai Imai Laboratory, Institute of Industrial Science, University of
More informationIntroduction to MVC. least common denominator of all non-identical-zero minors of all order of G(s). Example: The minor of order 2: 1 2 ( s 1)
Introduction to MVC Definition---Proerness and strictly roerness A system G(s) is roer if all its elements { gij ( s)} are roer, and strictly roer if all its elements are strictly roer. Definition---Causal
More information2 Asymptotic density and Dirichlet density
8.785: Analytic Number Theory, MIT, sring 2007 (K.S. Kedlaya) Primes in arithmetic rogressions In this unit, we first rove Dirichlet s theorem on rimes in arithmetic rogressions. We then rove the rime
More information2 Asymptotic density and Dirichlet density
8.785: Analytic Number Theory, MIT, sring 2007 (K.S. Kedlaya) Primes in arithmetic rogressions In this unit, we first rove Dirichlet s theorem on rimes in arithmetic rogressions. We then rove the rime
More informationFactorability in the ring Z[ 5]
University of Nebraska - Lincoln DigitalCommons@University of Nebraska - Lincoln Dissertations, Theses, and Student Research Paers in Mathematics Mathematics, Deartment of 4-2004 Factorability in the ring
More informationAsymptotically Optimal Simulation Allocation under Dependent Sampling
Asymtotically Otimal Simulation Allocation under Deendent Samling Xiaoing Xiong The Robert H. Smith School of Business, University of Maryland, College Park, MD 20742-1815, USA, xiaoingx@yahoo.com Sandee
More informationA Public-Key Cryptosystem Based on Lucas Sequences
Palestine Journal of Mathematics Vol. 1(2) (2012), 148 152 Palestine Polytechnic University-PPU 2012 A Public-Key Crytosystem Based on Lucas Sequences Lhoussain El Fadil Communicated by Ayman Badawi MSC2010
More informationVarious Proofs for the Decrease Monotonicity of the Schatten s Power Norm, Various Families of R n Norms and Some Open Problems
Int. J. Oen Problems Comt. Math., Vol. 3, No. 2, June 2010 ISSN 1998-6262; Coyright c ICSRS Publication, 2010 www.i-csrs.org Various Proofs for the Decrease Monotonicity of the Schatten s Power Norm, Various
More informationState Estimation with ARMarkov Models
Deartment of Mechanical and Aerosace Engineering Technical Reort No. 3046, October 1998. Princeton University, Princeton, NJ. State Estimation with ARMarkov Models Ryoung K. Lim 1 Columbia University,
More informationBrownian Motion and Random Prime Factorization
Brownian Motion and Random Prime Factorization Kendrick Tang June 4, 202 Contents Introduction 2 2 Brownian Motion 2 2. Develoing Brownian Motion.................... 2 2.. Measure Saces and Borel Sigma-Algebras.........
More informationOutline. EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Simple Error Detection Coding
Outline EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Error detection using arity Hamming code for error detection/correction Linear Feedback Shift
More informationANALYTIC NUMBER THEORY AND DIRICHLET S THEOREM
ANALYTIC NUMBER THEORY AND DIRICHLET S THEOREM JOHN BINDER Abstract. In this aer, we rove Dirichlet s theorem that, given any air h, k with h, k) =, there are infinitely many rime numbers congruent to
More informationSolvability and Number of Roots of Bi-Quadratic Equations over p adic Fields
Malaysian Journal of Mathematical Sciences 10(S February: 15-35 (016 Secial Issue: The 3 rd International Conference on Mathematical Alications in Engineering 014 (ICMAE 14 MALAYSIAN JOURNAL OF MATHEMATICAL
More informationA Social Welfare Optimal Sequential Allocation Procedure
A Social Welfare Otimal Sequential Allocation Procedure Thomas Kalinowsi Universität Rostoc, Germany Nina Narodytsa and Toby Walsh NICTA and UNSW, Australia May 2, 201 Abstract We consider a simle sequential
More informationMATH 250: THE DISTRIBUTION OF PRIMES. ζ(s) = n s,
MATH 50: THE DISTRIBUTION OF PRIMES ROBERT J. LEMKE OLIVER For s R, define the function ζs) by. Euler s work on rimes ζs) = which converges if s > and diverges if s. In fact, though we will not exloit
More informationAN IMPROVED BABY-STEP-GIANT-STEP METHOD FOR CERTAIN ELLIPTIC CURVES. 1. Introduction
J. Al. Math. & Comuting Vol. 20(2006), No. 1-2,. 485-489 AN IMPROVED BABY-STEP-GIANT-STEP METHOD FOR CERTAIN ELLIPTIC CURVES BYEONG-KWEON OH, KIL-CHAN HA AND JANGHEON OH Abstract. In this aer, we slightly
More informationMODELING THE RELIABILITY OF C4ISR SYSTEMS HARDWARE/SOFTWARE COMPONENTS USING AN IMPROVED MARKOV MODEL
Technical Sciences and Alied Mathematics MODELING THE RELIABILITY OF CISR SYSTEMS HARDWARE/SOFTWARE COMPONENTS USING AN IMPROVED MARKOV MODEL Cezar VASILESCU Regional Deartment of Defense Resources Management
More informationImproved Capacity Bounds for the Binary Energy Harvesting Channel
Imroved Caacity Bounds for the Binary Energy Harvesting Channel Kaya Tutuncuoglu 1, Omur Ozel 2, Aylin Yener 1, and Sennur Ulukus 2 1 Deartment of Electrical Engineering, The Pennsylvania State University,
More informationand INVESTMENT DECISION-MAKING
CONSISTENT INTERPOLATIVE FUZZY LOGIC and INVESTMENT DECISION-MAKING Darko Kovačević, č Petar Sekulić and dal Aleksandar Rakićević National bank of Serbia Belgrade, Jun 23th, 20 The structure of the resentation
More informationarxiv: v2 [math.na] 6 Apr 2016
Existence and otimality of strong stability reserving linear multiste methods: a duality-based aroach arxiv:504.03930v [math.na] 6 Ar 06 Adrián Németh January 9, 08 Abstract David I. Ketcheson We rove
More informationSums of independent random variables
3 Sums of indeendent random variables This lecture collects a number of estimates for sums of indeendent random variables with values in a Banach sace E. We concentrate on sums of the form N γ nx n, where
More information#A6 INTEGERS 15A (2015) ON REDUCIBLE AND PRIMITIVE SUBSETS OF F P, I. Katalin Gyarmati 1.
#A6 INTEGERS 15A (015) ON REDUCIBLE AND PRIMITIVE SUBSETS OF F P, I Katalin Gyarmati 1 Deartment of Algebra and Number Theory, Eötvös Loránd University and MTA-ELTE Geometric and Algebraic Combinatorics
More informationA Qualitative Event-based Approach to Multiple Fault Diagnosis in Continuous Systems using Structural Model Decomposition
A Qualitative Event-based Aroach to Multile Fault Diagnosis in Continuous Systems using Structural Model Decomosition Matthew J. Daigle a,,, Anibal Bregon b,, Xenofon Koutsoukos c, Gautam Biswas c, Belarmino
More informationThe inverse Goldbach problem
1 The inverse Goldbach roblem by Christian Elsholtz Submission Setember 7, 2000 (this version includes galley corrections). Aeared in Mathematika 2001. Abstract We imrove the uer and lower bounds of the
More informationTight Adaptively Secure Broadcast Encryption with Short Ciphertexts and Keys
Tight Adatively Secure Broadcast Encrytion with Short Cihertexts and Keys Romain Gay ENS, Paris, France romain.gay@ens.fr Lucas Kowalczyk Columbia University luke@cs.columbia.edu Hoeteck Wee ENS, Paris,
More informationCDH/DDH-Based Encryption. K&L Sections , 11.4.
CDH/DDH-Based Encrytion K&L Sections 8.3.1-8.3.3, 11.4. 1 Cyclic grous A finite grou G of order q is cyclic if it has an element g of q. { 0 1 2 q 1} In this case, G = g = g, g, g,, g ; G is said to be
More informationSolution sheet ξi ξ < ξ i+1 0 otherwise ξ ξ i N i,p 1 (ξ) + where 0 0
Advanced Finite Elements MA5337 - WS7/8 Solution sheet This exercise sheets deals with B-slines and NURBS, which are the basis of isogeometric analysis as they will later relace the olynomial ansatz-functions
More informationEvaluating Circuit Reliability Under Probabilistic Gate-Level Fault Models
Evaluating Circuit Reliability Under Probabilistic Gate-Level Fault Models Ketan N. Patel, Igor L. Markov and John P. Hayes University of Michigan, Ann Arbor 48109-2122 {knatel,imarkov,jhayes}@eecs.umich.edu
More informationAlmost All Palindromes Are Composite
Almost All Palindromes Are Comosite William D Banks Det of Mathematics, University of Missouri Columbia, MO 65211, USA bbanks@mathmissouriedu Derrick N Hart Det of Mathematics, University of Missouri Columbia,
More informationNumerical Linear Algebra
Numerical Linear Algebra Numerous alications in statistics, articularly in the fitting of linear models. Notation and conventions: Elements of a matrix A are denoted by a ij, where i indexes the rows and
More informationAn Estimate For Heilbronn s Exponential Sum
An Estimate For Heilbronn s Exonential Sum D.R. Heath-Brown Magdalen College, Oxford For Heini Halberstam, on his retirement Let be a rime, and set e(x) = ex(2πix). Heilbronn s exonential sum is defined
More informationThe non-stochastic multi-armed bandit problem
Submitted for journal ublication. The non-stochastic multi-armed bandit roblem Peter Auer Institute for Theoretical Comuter Science Graz University of Technology A-8010 Graz (Austria) auer@igi.tu-graz.ac.at
More informationCombinatorics of topmost discs of multi-peg Tower of Hanoi problem
Combinatorics of tomost discs of multi-eg Tower of Hanoi roblem Sandi Klavžar Deartment of Mathematics, PEF, Unversity of Maribor Koroška cesta 160, 000 Maribor, Slovenia Uroš Milutinović Deartment of
More informationIMPROVED BOUNDS IN THE SCALED ENFLO TYPE INEQUALITY FOR BANACH SPACES
IMPROVED BOUNDS IN THE SCALED ENFLO TYPE INEQUALITY FOR BANACH SPACES OHAD GILADI AND ASSAF NAOR Abstract. It is shown that if (, ) is a Banach sace with Rademacher tye 1 then for every n N there exists
More information#A64 INTEGERS 18 (2018) APPLYING MODULAR ARITHMETIC TO DIOPHANTINE EQUATIONS
#A64 INTEGERS 18 (2018) APPLYING MODULAR ARITHMETIC TO DIOPHANTINE EQUATIONS Ramy F. Taki ElDin Physics and Engineering Mathematics Deartment, Faculty of Engineering, Ain Shams University, Cairo, Egyt
More informationLECTURE 6: FIBER BUNDLES
LECTURE 6: FIBER BUNDLES In this section we will introduce the interesting class o ibrations given by iber bundles. Fiber bundles lay an imortant role in many geometric contexts. For examle, the Grassmaniann
More information16.2. Infinite Series. Introduction. Prerequisites. Learning Outcomes
Infinite Series 6.2 Introduction We extend the concet of a finite series, met in Section 6., to the situation in which the number of terms increase without bound. We define what is meant by an infinite
More informationNotes on Instrumental Variables Methods
Notes on Instrumental Variables Methods Michele Pellizzari IGIER-Bocconi, IZA and frdb 1 The Instrumental Variable Estimator Instrumental variable estimation is the classical solution to the roblem of
More informationQuantitative estimates of propagation of chaos for stochastic systems with W 1, kernels
oname manuscrit o. will be inserted by the editor) Quantitative estimates of roagation of chaos for stochastic systems with W, kernels Pierre-Emmanuel Jabin Zhenfu Wang Received: date / Acceted: date Abstract
More informationCMSC 425: Lecture 4 Geometry and Geometric Programming
CMSC 425: Lecture 4 Geometry and Geometric Programming Geometry for Game Programming and Grahics: For the next few lectures, we will discuss some of the basic elements of geometry. There are many areas
More informationPartial Identification in Triangular Systems of Equations with Binary Dependent Variables
Partial Identification in Triangular Systems of Equations with Binary Deendent Variables Azeem M. Shaikh Deartment of Economics University of Chicago amshaikh@uchicago.edu Edward J. Vytlacil Deartment
More information#A8 INTEGERS 12 (2012) PARTITION OF AN INTEGER INTO DISTINCT BOUNDED PARTS, IDENTITIES AND BOUNDS
#A8 INTEGERS 1 (01) PARTITION OF AN INTEGER INTO DISTINCT BOUNDED PARTS, IDENTITIES AND BOUNDS Mohammadreza Bidar 1 Deartment of Mathematics, Sharif University of Technology, Tehran, Iran mrebidar@gmailcom
More informationMultiplicative group law on the folium of Descartes
Multilicative grou law on the folium of Descartes Steluţa Pricoie and Constantin Udrişte Abstract. The folium of Descartes is still studied and understood today. Not only did it rovide for the roof of
More informationAVERAGES OF EULER PRODUCTS, DISTRIBUTION OF SINGULAR SERIES AND THE UBIQUITY OF POISSON DISTRIBUTION
AVERAGES OF EULER PRODUCTS, DISTRIBUTION OF SINGULAR SERIES AND THE UBIQUITY OF POISSON DISTRIBUTION EMMANUEL KOWALSKI Abstract. We discuss in some detail the general roblem of comuting averages of convergent
More informationε i (E j )=δj i = 0, if i j, form a basis for V, called the dual basis to (E i ). Therefore, dim V =dim V.
Covectors Definition. Let V be a finite-dimensional vector sace. A covector on V is real-valued linear functional on V, that is, a linear ma ω : V R. The sace of all covectors on V is itself a real vector
More informationRESOLUTIONS OF THREE-ROWED SKEW- AND ALMOST SKEW-SHAPES IN CHARACTERISTIC ZERO
RESOLUTIONS OF THREE-ROWED SKEW- AND ALMOST SKEW-SHAPES IN CHARACTERISTIC ZERO MARIA ARTALE AND DAVID A. BUCHSBAUM Abstract. We find an exlicit descrition of the terms and boundary mas for the three-rowed
More informationFeedback-error control
Chater 4 Feedback-error control 4.1 Introduction This chater exlains the feedback-error (FBE) control scheme originally described by Kawato [, 87, 8]. FBE is a widely used neural network based controller
More informationSystem Reliability Estimation and Confidence Regions from Subsystem and Full System Tests
009 American Control Conference Hyatt Regency Riverfront, St. Louis, MO, USA June 0-, 009 FrB4. System Reliability Estimation and Confidence Regions from Subsystem and Full System Tests James C. Sall Abstract
More informationGalois Fields, Linear Feedback Shift Registers and their Applications
Galois Fields, Linear Feedback Shift Registers and their Alications With 85 illustrations as well as numerous tables, diagrams and examles by Ulrich Jetzek ISBN (Book): 978-3-446-45140-7 ISBN (E-Book):
More informationAn Analysis of Reliable Classifiers through ROC Isometrics
An Analysis of Reliable Classifiers through ROC Isometrics Stijn Vanderlooy s.vanderlooy@cs.unimaas.nl Ida G. Srinkhuizen-Kuyer kuyer@cs.unimaas.nl Evgueni N. Smirnov smirnov@cs.unimaas.nl MICC-IKAT, Universiteit
More informationON POLYNOMIAL SELECTION FOR THE GENERAL NUMBER FIELD SIEVE
MATHEMATICS OF COMPUTATIO Volume 75, umber 256, October 26, Pages 237 247 S 25-5718(6)187-9 Article electronically ublished on June 28, 26 O POLYOMIAL SELECTIO FOR THE GEERAL UMBER FIELD SIEVE THORSTE
More informationConvexification of Generalized Network Flow Problem with Application to Power Systems
1 Convexification of Generalized Network Flow Problem with Alication to Power Systems Somayeh Sojoudi and Javad Lavaei + Deartment of Comuting and Mathematical Sciences, California Institute of Technology
More informationPositive decomposition of transfer functions with multiple poles
Positive decomosition of transfer functions with multile oles Béla Nagy 1, Máté Matolcsi 2, and Márta Szilvási 1 Deartment of Analysis, Technical University of Budaest (BME), H-1111, Budaest, Egry J. u.
More informationPredicate Privacy in Encryption Systems
Predicate Privacy in Encrytion Systems Emily Shen MIT eshen@csail.mit.edu Elaine Shi CMU/PARC eshi@arc.com December 24, 2008 Brent Waters UT Austin bwaters@cs.utexas.edu Abstract Predicate encrytion is
More informationElementary theory of L p spaces
CHAPTER 3 Elementary theory of L saces 3.1 Convexity. Jensen, Hölder, Minkowski inequality. We begin with two definitions. A set A R d is said to be convex if, for any x 0, x 1 2 A x = x 0 + (x 1 x 0 )
More informationCOMMUNICATION BETWEEN SHAREHOLDERS 1
COMMUNICATION BTWN SHARHOLDRS 1 A B. O A : A D Lemma B.1. U to µ Z r 2 σ2 Z + σ2 X 2r ω 2 an additive constant that does not deend on a or θ, the agents ayoffs can be written as: 2r rθa ω2 + θ µ Y rcov
More informationPOINTS ON CONICS MODULO p
POINTS ON CONICS MODULO TEAM 2: JONGMIN BAEK, ANAND DEOPURKAR, AND KATHERINE REDFIELD Abstract. We comute the number of integer oints on conics modulo, where is an odd rime. We extend our results to conics
More informationEstimation of the large covariance matrix with two-step monotone missing data
Estimation of the large covariance matrix with two-ste monotone missing data Masashi Hyodo, Nobumichi Shutoh 2, Takashi Seo, and Tatjana Pavlenko 3 Deartment of Mathematical Information Science, Tokyo
More informationResearch Article An iterative Algorithm for Hemicontractive Mappings in Banach Spaces
Abstract and Alied Analysis Volume 2012, Article ID 264103, 11 ages doi:10.1155/2012/264103 Research Article An iterative Algorithm for Hemicontractive Maings in Banach Saces Youli Yu, 1 Zhitao Wu, 2 and
More informationMA3H1 TOPICS IN NUMBER THEORY PART III
MA3H1 TOPICS IN NUMBER THEORY PART III SAMIR SIKSEK 1. Congruences Modulo m In quadratic recirocity we studied congruences of the form x 2 a (mod ). We now turn our attention to situations where is relaced
More informationProof Nets and Boolean Circuits
Proof Nets and Boolean Circuits Kazushige Terui terui@nii.ac.j National Institute of Informatics, Tokyo 14/07/04, Turku.1/44 Motivation (1) Proofs-as-Programs (Curry-Howard) corresondence: Proofs = Programs
More information16.2. Infinite Series. Introduction. Prerequisites. Learning Outcomes
Infinite Series 6. Introduction We extend the concet of a finite series, met in section, to the situation in which the number of terms increase without bound. We define what is meant by an infinite series
More informationPrimes - Problem Sheet 5 - Solutions
Primes - Problem Sheet 5 - Solutions Class number, and reduction of quadratic forms Positive-definite Q1) Aly the roof of Theorem 5.5 to find reduced forms equivalent to the following, also give matrices
More informationBy Evan Chen OTIS, Internal Use
Solutions Notes for DNY-NTCONSTRUCT Evan Chen January 17, 018 1 Solution Notes to TSTST 015/5 Let ϕ(n) denote the number of ositive integers less than n that are relatively rime to n. Prove that there
More informationGOOD MODELS FOR CUBIC SURFACES. 1. Introduction
GOOD MODELS FOR CUBIC SURFACES ANDREAS-STEPHAN ELSENHANS Abstract. This article describes an algorithm for finding a model of a hyersurface with small coefficients. It is shown that the aroach works in
More informationON THE LEAST SIGNIFICANT p ADIC DIGITS OF CERTAIN LUCAS NUMBERS
#A13 INTEGERS 14 (014) ON THE LEAST SIGNIFICANT ADIC DIGITS OF CERTAIN LUCAS NUMBERS Tamás Lengyel Deartment of Mathematics, Occidental College, Los Angeles, California lengyel@oxy.edu Received: 6/13/13,
More information#A47 INTEGERS 15 (2015) QUADRATIC DIOPHANTINE EQUATIONS WITH INFINITELY MANY SOLUTIONS IN POSITIVE INTEGERS
#A47 INTEGERS 15 (015) QUADRATIC DIOPHANTINE EQUATIONS WITH INFINITELY MANY SOLUTIONS IN POSITIVE INTEGERS Mihai Ciu Simion Stoilow Institute of Mathematics of the Romanian Academy, Research Unit No. 5,
More informationOn Erdős and Sárközy s sequences with Property P
Monatsh Math 017 18:565 575 DOI 10.1007/s00605-016-0995-9 On Erdős and Sárközy s sequences with Proerty P Christian Elsholtz 1 Stefan Planitzer 1 Received: 7 November 015 / Acceted: 7 October 016 / Published
More information