Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products
Size: px
Start display at page:

Download "Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products"

Transcription

1 Predicate Encrytion Suorting Disjunctions, Polynomial Equations, and Inner Products Jonathan Katz Amit Sahai Brent Waters Abstract Predicate encrytion is a new aradigm generalizing, among other things, identity-based encrytion. In a redicate encrytion scheme, secret keys corresond to redicates and cihertexts are associated with attributes; the secret key SK f corresonding to the redicate f can be used to decryt a cihertext associated with attribute I if and only if fi = 1. Constructions of such schemes are currently known for relatively few classes of redicates. We construct such a scheme for redicates corresonding to the evaluation of inner roducts over Z N for some large integer N. This, in turn, enables constructions in which redicates corresond to the evaluation of disjunctions, olynomials, CNF/DNF formulae, or threshold redicates among others. Besides serving as what we feel is a significant ste forward in the theory of redicate encrytion, our results lead to a number of alications that are interesting in their own right. 1 Introduction Traditional ublic-key encrytion, though an extremely useful rimitive, is rather coarse-grained: a sender encryts a message M with resect to a given ublic key P K, and only the owner of the unique secret key associated with P K can decryt the resulting cihertext and recover the message. These straightforward semantics suffice for alications such as encryting data a ersonal hard-drive or securing oint-to-oint communication, where encryted data is intended for one articular user who is known in advance by the sender. As the Internet and alications evolve, more comlex tyes of data will be stored in distributed settings. These will resent a different set of demands for the security of stored data. In many cases, the sender will want access to the encryted data to be governed by more comlex rules; the sender may no longer intend the encryted data for any articular user, but might instead want to enable decrytion by any user satisfying a certain sender-secified olicy. For examle, in a health care alication a atient s records should erhas be accessible only to a hysician who has treated the atient in the ast. In other scenarios, we will want to go even further and limit what a articular user learns about a record. Consider a researcher studying the correlation between the occurrence of a articular disease and the age of eole that the disease afflicts. The researcher might be authorized to learn whether a record matches for the disease and, if so, the age of the atient; however, he should not learn anything more. Another examle is an firewall that should only be able to evaluate the redicate of whether an encryted message is considered to be sam, but should learn nothing else about the encryted message. 1

2 Alications such as those sketched above will require new crytograhic mechanisms that rovide more fine-grained control over access to encryted data. Predicate encrytion schemes are one such tool. At a high level formal definitions are given in Section 2, secret keys in a redicate encrytion scheme corresond to redicates in some class F, and cihertexts are associated with attributes in some set Σ; a cihertext associated with the attribute I Σ can be decryted by a secret key SK f corresonding to the redicate f F if and only if fi = 1. In redicate encrytion systems we require a strong definition of security where we will evaluate the redicate over the hidden data or attributes itself. For examle, these redicate encrytion schemes an adversary as above learns nothing about I beyond the fact that f 1 I = f l I = 0. Furthermore, even a legitimate user who holds SK f and can recover the laintext from some cihertext associated with attribute I learns nothing about I other than the fact that fi = 1. See Definition 2.2 for a formal statement. Related Work The best-known examle of encrytion systems with fine-grained caabilities is Identity-Based Encrytion IBE [18, 6, 12]. Identity-Based Encrytion can be viewed as a system where a cihertext is associated with a certain attribute or identity, I, and a user can decryt the underlying encryted data M if and only if there is an equality match between the attribute assigned to the user s rivate key and that of the cihertext. One limitation of IBE systems and more exressive generalizations such as attribute-based encrytion ABE [17, 15, 3, 11, 16] is that they fall into a class of encrytion systems that we informally informally refer to as attribute revealing. Attribute-revealing encrytion systems can be viewed as encrytion systems that guarantee that an adversary in ossession of secret keys SK f1,..., SK fl and given a cihertext associated with the attribute I learns nothing about the underlying laintext whenever f 1 I = = f l I = 0. However, the adversary may learn I itself. More generally, an attribute-revealing scheme offers no rotection of I whatsoever; tyical constructions satisfying this notion reveal I in the clear. In the context of, e.g., identity-based encrytion, a attribute-revealing scheme corresonds to the standard notion of security while a redicate encrytion or attribute-hiding scheme is also anonymous. Unfortunately, current redicate encrytion systems are rather limited in their exressiveness. Song, Wagner, and Perrig [20] and Goldreich and Ostrovsky [14] gave the first such encrytion systems for equality redicates in the symmetric setting and Boneh et al. [5] showed how to comute equality tests that later came to be known as Anonymous IBE in the ublic key setting. Subsequently, Boyen and Waters [9] showed the first such Anonymous IBE scheme that didn t use random oracles and also had a hierarchical structure. Gentry [13] gave a different technique for removing random oracles. Recently, Boneh and Waters [8] showed how to construct redicates that were a conjunction over subset of fields, secified by the rivate key that was used to realize subset and range queries. Shi et al. [19] showed how to do more efficient queries over a small number of ranges, but in a weaker security model where the decrytor learns extra information when the redicate evaluates to true. In other work researchers have looked at issues of correctness definitions in anonymous IBE [1] and security versus efficiency tradeoffs in equality redicates [2]. 1.1 Our Results An imortant research direction is to construct redicate encrytion schemes for classes F that are as exressive as ossible with the ultimate goal, of course, being to construct a scheme where F contains all olynomial-time redicates. The main limitation of all rior work, listed above, is 2

3 that existing techniques for building attribute-hiding schemes are essentially limited to enforcing conjunctions of equalities. Getting slightly more technical, this is because the underlying crytograhic mechanism in the above schemes is to set u cancellations between the rivate key comonents and the cihertext comonents. If a articular field in the cihertext does not match with the corresonding field in the rivate key, the result will be random and the decrytor will know that the redicate evaluates to false. While these cancellation techniques are useful for conjunction redicates, it is aarent that very different crytograhic techniques are needed to suort redicates that include a disjunctive comonent. As a simle examle, suose we want a system that suorts a simle OR redicate over two fields where the evaluation should not revealing which field satisfied it. Previous cancellation mechanisms do not readily suort such queries; if a articular cihertext field does not match a rivate key field, then the evaluation should deend uon the second field and not just be sent to a random grou element. While OR queries is just one tye of redicate, several other redicate classes deend on some tye of disjunctive mechanism, such as thresholds and evaluating CNF or DNF formulas. In this work we aim to realize such redicates, so we will need to introduce new techniques. Towards realizing this goal we focus on building a class of redicates corresonding to the comutation of inner roducts of vectors over Z N for some large integer N. By making our technical objective tied more closely to the underlying mathematics we will able to achieve our overall objectives. Secifically, we will take Σ = Z n N as our set of attributes, and our class of redicates will be F = f x x Z n N } where f x y = 1 iff x, y = 0. We let x, y denote the value of the standard inner roduct n x i y i mod N of two vectors x and y. This can be generalized in a comletely straightforward manner to suort more general redicates such as f x,a y = 1 iff x, y = a. Our main result is a construction of a scheme as described above in the standard model, based on two new assumtions in comosite-order grous equied with a bilinear ma. Our assumtions are non-interactive and of fixed size i.e., not q-tye. We haven t done this and we justify them by showing that they hold in generic grous with a bilinear ma. A essimistic interretation of our results would be that we rove security in the generic grou model, but we believe it is of additional imortance that we are able to distill our necessary assumtions to ones that are comact and falsifiable. We view our main construction as a significant ste toward increasing the exressiveness of redicate encrytion in general. In articular, we stress that our desired result does not follow from any trivial adatation or combination of the existing schemes highlighted above, and our construction uses new techniques including the fact that we work in a grou whose order is a roduct of three rimes but see footnote 1. Moreover, we show that any redicate encrytion scheme suorting inner roduct redicates as described earlier can be used as a building block to construct redicates of more general tyes: As an easy warm-u, we show that it imlies anonymous identity-based encrytion as well as hidden-vector encrytion. As a consequence, our work imlies all the results of [8]. We can also construct redicate encrytion schemes suorting olynomial evaluation. Here, we take Z N as our set of attributes, and redicates corresonds to olynomials over Z N of some bounded degree; a redicate evaluates to 1 iff the corresonding olynomial evaluates to 0 on the attribute in question. We can also extend this to include multi-variate olynomials in some bounded number of variables. A dual of this construction allows the attributes 3

4 to be olynomials, and the redicates to corresond to evaluation at a fixed oint. Given the above, we can fairly easily suort redicates that are disjunctions of other redicates e.g., equality, thus addressing the oen question from [8] noted earlier. In the context of identity-based encrytion, this gives the ability to issue secret keys corresonding to a set of identities that enables decrytion whenever a cihertext is encryted to any identity in this set without leaking which identity was actually used to encryt. We also show how to handle redicates corresonding to DNF and CNF formulas of some bounded size. Working directly with our inner roduct construction, we can derive a scheme suorting threshold queries of the following form: Attributes are subsets of A = 1,..., l}, and redicates take the form f S,t S A} where f S,t S = 1 iff S S = t. This is useful for hiding an encryted biometric in the fuzzy IBE setting of Sahai and Waters [17], which reviously hid only a ayload, but revealed the biometric it was encryted under. We defer further discussion regarding the above until Section 5. 2 Definitions We define the syntax of redicate encrytion, as well as the notion of attribute hiding mentioned reviously. Our definitions follow the general framework of those given in [8]. Throughout this section, we consider the general case where Σ denotes an arbitrary set of attributes and F denotes an arbitrary set of redicates over Σ. Formally, both Σ and F might deend on the security arameter and/or the master ublic arameters; for simlicity, we leave this imlicit. Definition 2.1. A redicate encrytion scheme for the class of redicates F over the set of attributes Σ consists of four t algorithms Setu, GenKey, Enc, Dec such that: Setu takes as inut the security arameter 1 n and oututs a master ublic key P K and a master secret key SK. GenKey takes as inut the master secret key SK and a descrition of a redicate f F. It oututs a key SK f. Enc takes as inut the ublic key P K, an attribute I Σ, and a message M in some associated message sace. It returns a cihertext C. We write this as C Enc P K I, M. Dec takes as inut a secret key SK f and a cihertext C. It oututs either a message M or the distinguished symbol. For correctness, we require that for all n, all P K, SK generated by Setu1 n, all f F, any key SK f GenKey SK f, and all I Σ: If fi = 1 then Dec SKf Enc P K I, M = M. If fi = 0 then Dec SKf Enc P K I, M = with all but negligible robability. We will also consider a variant of the above that we call a redicate-only scheme. Here, Enc takes only an attribute I and no message; the correctness requirement is that if fi = 1 then Dec SKf Enc P K I = 1 whereas if fi = 0 then Dec SKf Enc P K I = 0. A scheme of this sort can serve as a useful building block toward a full-fledged redicate encrytion scheme. 4

5 Our definition of security corresonds to the attribute-hiding notion described informally earlier. Here, an adversary may request keys corresonding to the redicates f 1,..., f l and is then given either Enc P K I 0, M 0 or Enc P K I 1, M 1 for attributes I 0, I 1 such that f i I 0 = f i I 1 for all i. Furthermore, if M 0 M 1 then it is required that f i I 0 = f i I 1 = 0 for all i. The goal of the adversary is to determine which attribute/message air was encryted, and the stated conditions ensure that this is not trivial. Once again, we note that when secialized to the case when F consists of equality queries, this notion corresonds to anonymous identity-based encrytion. However, our definition actually uses the selective notion of security first introduced in [10]. Definition 2.2. A redicate encrytion scheme with resect to F and Σ is attribute hiding or simle secure if for all t adversaries A, the advantage of A in the following exeriment is negligible in the security arameter n: 1. A1 n oututs I 0, I 1 Σ. 2. Setu1 n is run to generate P K, SK, and the adversary is given P K. 3. A may adatively request keys for any redicates f 1,..., f l F subject to the restriction that f i I 0 = f i I 1 for all i. In resonse, A is given the corresonding keys SK i GenKey SK f i. 4. A oututs two equal-length messages M 0, M 1. If there is an i for which f i I 0 = f i I 1 = 1, then it is required that M 0 = M 1. A random bit b is chosen, and A is given the cihertext C Enc P K I b, M b. 5. The adversary may continue to request keys for additional redicates, subject to the same restrictions as before. 6. A oututs a bit b, and succeeds if b = b. The advantage of A is the absolute value of the difference between its success robability and 1/2. For redicate-only encrytion schemes we simly omit the messages in the above exeriment. For convenience, we include in Aendix A a re-statement of the definition of security given above for the articular inner-roduct redicate we use in our main construction. 3 Background on Pairings and Comlexity Assumtions 3.1 Bilinear Grous of Comosite Order We review some general notions about bilinear grous, with an emhasis on grous of comosite order. We follow [7] in which comosite-order bilinear grous were first introduced. In contrast to all rior work using comosite-order bilinear grous, however, we resent our results using grous whose order N is a roduct of three distinct rimes. This is for simlicity only, since a variant of our construction can be roven secure based on a decisional linear -tye assumtion [4] in a grou of comosite order N which is a roduct of two rimes. 1 Let G be an algorithm that takes as inut a security arameter 1 n and oututs a tule, q, r, G, G T, ê where, q, r are distinct rimes, G and G T are two cyclic grous of order N = qr, and ê : G G G T is: 1 This is analogous to the folklore transformation based on the decisional linear assumtion that converts any scheme using grous whose order N is a roduct of two rimes, to a scheme that uses rime-order grous. 5

6 Bilinear u, v G, a, b Z, êu a, v b = êu, v ab. Non-degenerate g G such that êg, g has order N in G T. We assume that the grou action in G and G T as well as the bilinear ma ê are all comutable in time olynomial in n. Furthermore, we assume that the descrition of G and G T includes generators of G and G T resectively. We use the notation G, G q, G r to denote the subgrous of G having order, q, and r, resectively. Observe that G = G G q G r. Note also that if g is a generator of G, then the element g q is a generator of G r ; the element g r is a generator of G q ; and the element g qr is a generator of G. Furthermore, if, e.g., h G and h q G q then êh, h q = ê g qr α 1, g r α 2 = ê g α 1, g rα 2 qr = 1, where α 1 = log g qr h and α 2 = log g r h q. Similar rules hold whenever ê is alied to elements in disjoint subgrous. 3.2 Our Assumtions We now state the assumtions we use to rove security of our construction. As remarked earlier, these assumtions are new but we justify them by roving that they hold in the generic grou model under the assumtion that factoring N, the order of the grou, is hard. These roofs are omitted from the resent submission. At a minimum, then, our construction can be viewed as secure in the generic grou model. Nevertheless, we state our assumtions exlicitly since our assumtions are non-interactive and of fixed size, and we view this as an advantage. Assumtion 1. Let G be as in the revious section. We say that G satisfies Assumtion 1 if the advantage of any t algorithm A in the following exeriment is negligible in the security arameter n: 1. G1 n is run to obtain, q, r, G, G T, ê. Set N = qr, and let g, g q, g r be generators of G, G q, and G r, resectively. 2. Choose random Q 1, Q 2, Q 3 G q, random R 1, R 2, R 3 G r, random a, b, s Z, and a random bit b. Give to A the values N, G, G T, ê as well as g, g r, g q R 1, g b, g b2, g a g q, g ab Q 1, g s, g bs Q 2 R 2. If b = 0 give A the value T = g b2 s R 3, while if b = 1 give A the value T = g b2 s Q 3 R A oututs a bit b, and succeeds if b = b. The advantage of A is the absolute value of the difference between its success robability and 1/2. Assumtion 2. Let G be as in the revious section. We say that G satisfies Assumtion 2 if the advantage of any t algorithm A in the following exeriment is negligible in the security arameter n: 1. G1 n is run to obtain, q, r, G, G T, ê. Set N = qr, and let g, g q, g r be generators of G, G q, and G r, resectively. 6

7 2. Choose random h, Q 1, Q 2 G q, random s, γ Z q, and a random bit b. Give to A the values N, G, G T, ê as well as g, g q, g r, h, g s, h s Q 1, g γ Q 2, êg, h γ. If b = 0 then give A the value êg, h γs, while if b = 1 then give A a random element of G T. 3. A oututs a bit b, and succeeds if b = b. The advantage of A is the absolute value of the difference between its success robability and 1/2. Note that both the above assumtions imly the hardness of factoring N. 4 Our Main Construction Our main construction is a redicate-only scheme where the set of attributes is Σ = Z n N, and the class of redicates is F = f x x Z n N } with f x y = 1 iff x, y = 0 mod N. In this section we rovide our redicate-only construction and give some intuition about our roof. For sace considerations the details of the roof are resented in Aendix B. In Aendix C we show how our scheme can be extended to give a full-fledged redicate encrytion scheme. Intuition In our construction, each cihertext has associated with it a secret vector x, and each secret key corresonds to a vector v. The decrytion rocedure must check whether x v = 0, and reveal nothing about x but whether this is true. To do this, we will make use of a bilinear grou G whose order N is the roduct of three rimes, q, and r. Let G, G q, and G r denote the subgrous of G having order, q, and r, resectively. We will informally assume, as in [7], that a random element in any of these subgrous is indistinguishable from a random element of G. 2. Thus, we can use random elements from one subgrou to mask elements from another subgrou. At a high level, we will use these subgrous as follows. G q will be used to encode the vectors x and v in the cihertext and secret keys, resectively. Comutation of the inner roduct v, x will be done in G q in the exonent, using the bilinear ma. G will be used to encode an equation again in the exonent that evaluates to zero when decrytion is done roerly. This subgrou is used to revent an adversary from imroerly maniulating the comutation by, e.g., changing the ordering of comonents of the cihertext or secret key, raising these comonents to some ower, etc.. On an intuitive level, if the adversary tries to maniulate the comutation in any way, then the comutation occurring in the G subgrou will no longer yield the identity, but will instead have the effect of masking the correct answer with a random element of G which will invalidate the entire comutation. Elements in G r are used for general masking of terms in other subgrous; i.e., random elements of G r will be multilied with various comonents of the cihertext and secret key in order to hide information that might be resent in the G and G q subgrous. We now roceed to the formal descrition of our scheme. 4.1 Scheme Setu1 n The setu algorithm first runs G1 n to obtain, q, r, G, G T, ê with G = G G q G r. Next, it comutes g, g q, and g r as generators of G, G q, and G r, resectively. It then chooses 2 This is only for intuition. Our actual comutational assumtion is given in Section 3. 7

8 R, R G r and h, h G uniformly at random for i = 1 to n, and R 0 G r uniformly at random. The ublic arameters include N = qr, G, G T, ê along with: PK = g, g r, Q = g q R 0, H = h R, H = h R } n. The master secret key SK is, q, r, g q, h, h } n. Enc PK x Let x = x 1,..., x n with x i Z N. This algorithm chooses random s, α, β Z N and R 3,i, R 4,i G r for i = 1 to n. Note: a random element R G r can be samled by choosing random δ Z N and setting R = gr. δ It oututs the cihertext } n C = C 0 = g, s C = H s Q α xi R 3,i, C = H s Q β xi R 4,i. GenKey SK v Let v = v 1,..., v n, and recall SK =, q, r, g q, h, h } n. This algorithm chooses random r, r Z for i = 1 to n, random R 5 G r, random f 1, f 2 Z q, and random Q 6 G q. It then oututs SK v = K = R 5 Q 6 h r h r, K = g r g f 1 v i q, K = g r } n g f 2 v i q. Dec SK v C Let C and SK v be as above. The decrytion algorithm oututs 1 iff êc 0, K êc, K êc, K =? 1. Correctness. Let C and SK v be as above. Then êc 0, K = ê = ê = êc, K êc, K g s, R 5 Q 6 n ê g s, h r h r H s Q α x i R 3,i, g r h r h r g f 1 v i q ê ê h s g α x i H s Q β x i R 4,i, g r q, g r êg q, g q αf 1+βf 2 x i v i = êg q, g q αf 1+βf 2 x, v. g f 2 v i q g f 1 v i q ê h s g β x i q, g r g f 2 v i q If x, v = 0 mod N, then the above evaluates to 1. If x, v = 0 mod N there are two cases: if x, v 0 mod q then with all but negligible robability the above evaluates to an element other than the identity. It is ossible that x, v = 0 mod q, in which case the above would always evaluate to 1; however, this would reveal a non-trivial factor of N and so an adversary can cause this condition to occur with only negligible robability. 8

9 The reader might notice that there aears to be some redundancy in our construction. For instance, the C and C comonents lay almost identical roles. In fact we can view the encrytion system as two arallel sub-systems linked at the C 0 comonent and the corresonding rivate key comonent. A natural question is whether this redundancy can be eliminated i.e. remove the second sub-system to achieve better erformance. While such a construction aears to be secure, our current roof that utilizes a non-interactive assumtion relies in an essential way on having two arallel subsystems. 4.2 Proof Intuition The most challenging asect to roviding a roof of our scheme naturally arises from the disjunctive caabilities of our system. In revious conjunctive systems such as that of Boneh and Waters [8] the authors roved security by moving through a sequence of hybrid games, in which an encrytion of a vector x was changed comonent-by-comonent to the encrytion of a vector y. In these systems no inner roduct functionality was given, the adversary could only ask for redicate caabilities that erformed a conjunctive search. In the security game the adversary could only ask for queries that did not match either x or y, or queries that did not look at the comonents in which x and y differed. There, is was relatively straightforward to erform hybrid exeriments over the comonents of x and y that differed, since the rivate keys given to the adversary did not look at these comonents. In our roof an adversary will again try to distinguish between encrytion of two vectors x and y. However, in this case the adversary can query for a vector v such that both x, v = 0 and y, v = 0; i.e., this key should enable correct decrytion in either case. This is a erfectly legitimate query since the inner roduct caability associated with redicate v should not be able to distinguish between x and y. However, this means that we cannot use the same hybrid roof strategy as in revious schemes. For examle, if we change just one comonent at a time, then the hybrid vector used in an intermediate ste will likely not be orthogonal to v and the adversary will be able to detect this. Therefore, we need an aroach that will enable us to use hybrids in which entire vectors are changed in one ste, instead of changing the vector comonent-by-comonent. To get around this we take advantage of the fact that, as noted earlier, our encrytion scheme has two arallel sub-systems. In our roof we will use a sequence of hybrids where some of the hybrid challenge cihertexts will be encrytions of one vector in the first sub-system and a different vector in the second sub-system. Note that such a cihertext will be ill-formed, since any valid cihertext will always use the same vector in each sub-system. Let a, b denote an encrytion of vector a in the first sub-system and b in the second su-system. To rove indistinguishability when encryting to x which corresonds to x, x and when encryting to y which corresonds to y, y, we will rove indistinguishability of the following sequence of hybrid games: x, x, x, 0, x, y, 0, y, y, y. Forming our hybrid roof in this structure allows us to use a simulator that will essentially be able to evaluate one sub-system, but not know what is haening in the other one. The simulator embeds a subgrou decision-like assumtion into the challenge cihertext for each exeriment. The structure of the challenge will determine whether a sub-system encryts a articular vector or the zero vector. Details of our roof and further discussion are given in Aendix B. 9

10 5 Alications of Our Main Construction In this section we discuss some alications of redicate encrytion schemes of the tye constructed in this aer. Our treatment here is general and can be based on any redicate encrytion scheme suorting inner roduct queries; we do not rely on any secific details of our construction. For imroved readability throughout this section, we use boldface to denote vectors. Given a vector x Z l N, we denote by f x : Z l N 0, 1} the function such that f xy = 1 iff x, y = 0. We define F l def = f x x Z l N }. 5.1 Anonymous Identity-Based Encrytion As a warm-u, we show how anonymous identity-based encrytion IBE can be recovered from any inner roduct encrytion system over F 2. To generate the master ublic and secret keys for the IBE scheme, simly run the setu algorithm of the underlying inner roduct encrytion scheme. To generate secret keys for the identity I Z N, set I := 1, I and outut the secret key corresonding to the redicate f I. To encryt a message M for the identity I Z N, set Ī := I, 1 and encryt the message using the encrytion algorithm of the underlying inner roduct encrytion scheme and the attribute Ī. Since I, J = 0 iff I = J, both correctness and security follow. 5.2 Hidden-Vector Encrytion Given a set Σ, let Σ = Σ }. Hidden-vector encrytion HVE [8] corresonds to a redicate encrytion scheme for the class of redicates Φ hve = φ hve a 1,...,a l a 1,..., a l Σ }, where φ hve 1 if, for all i, either a 1,...,a l x ai = x 1,..., x l = i or a i = 0 otherwise. A generalization of the ideas from the revious section can be used to realize hidden-vector encrytion with Σ = Z N from any inner roduct encrytion scheme Setu, GenKey, Enc, Dec for F 2l : The setu algorithm is unchanged. To generate a secret key corresonding to the redicate φ hve a 1,...,a l, first construct a vector A = A 1,..., A 2l as follows: if a i : A 2i 1 := 1, A 2i := a i if a i = : A 2i 1 := 0, A 2i := 0. Then outut the key obtained by running GenKey SK f A. To encryt a message M for the attribute x = x 1,..., x l, choose random r 1,..., r l Z N and construct a vector X r = X 1,..., X 2l as follows: X 2i 1 := r i x i, X 2i := r i multilication is done modulo N. Then outut the cihertext C Enc P K X r, M. To see that correctness holds, let a 1,..., a l, A, x 1,..., x l, r, and X r be as above and note that φ hve a 1,...,a l x 1,..., x l = 1 r : A, X r = 0 r : f A X r = 1. 10

11 Conversely, security holds since φ hve a 1,...,a l x 1,..., x l = 0 Pr r [ A, X r = 0] = 1/N Pr r [f A X r = 1] = 1/N, which is negligible. A straightforward modification of the above gives a scheme that is the dual of HVE, where the set of attributes is Σ l and the class of redicates is Φ hve = φ hve a 1,...,a l a 1,..., a l Σ} with φ hve 1 if, for all i, either a 1,...,a l x ai = x 1,..., x l = i or x i = 0 otherwise. 5.3 Predicate Encrytion Schemes Suorting Polynomial Evaluation We can also construct redicate encrytion schemes for classes of redicates corresonding to olynomial evaluation. Let Φ d oly = f Z N [x], deg d}, where φ x = 1 if x = 0 0 otherwise for x Z N. Given an inner roduct encrytion scheme Setu, GenKey, Enc, Dec for F d+1, we can construct a redicate encrytion scheme for Φ d oly as follows: The setu algorithm is unchanged. To generate a secret key corresonding to the olynomial = a d x d + + a 0 x 0, set := a d,..., a 0 and outut the key obtained by running GenKey SK f. To encryt a message M for the attribute w Z N, set w := w d mod N,..., w 0 mod N and outut the cihertext C Enc P K w, M. Since w = 0 iff, w = 0, correctness and security follow. The above shows that we can construct redicate encrytion schemes where redicates corresond to univariate olynomials whose degree d is olynomial in the security arameter. This can be generalized to the case of olynomials in t variables, and degree at most d in each variable, as long as d t is olynomial in the security arameter. We can also construct schemes that are the dual of the above, in which attributes corresond to olynomials and redicates involve the evaluation of the inut olynomial at some fixed oint. 5.4 Disjunctions, Conjunctions, and Evaluating CNF and DNF Formulas Given the olynomial-based constructions of the revious section, we can fairly easily build redicate encrytion schemes for disjunctions of equality tests. For examle, the redicate OR I1,I 2, where OR I1,I 2 x = 1 iff either x = I 1 or x = I 2, can be encoded as the univariate olynomial x = x I 1 x I 2, which evaluates to 0 iff the relevant redicate evaluates to 1. Similarly, the redicate OR a1,a 2, where OR eq a 1,a 2 x 1, x 2 = 1 iff either x 1 = I 1 or x 2 = I 2, can be encoded as the bivariate olynomial x 1, x 2 = x 1 I 1 x 2 I 2. 11

12 Conjunctions can be handled in a similar fashion. Consider, for examle, the redicate AND I1,I 2 where AND I1,I 2 x 1, x 1 = 1 if both x 1 = I 1 and x 2 = I 2. Here, we determine the relevant secret key by choosing a random r Z N and letting the secret key corresond to the olynomial x 1, x 2 = r x 1 I 1 + x 2 I 2. Note that if AND I1,I 2 x 1, x 1 = 1 then x 1, x 2 = 0, whereas if AND I1,I 2 x 1, x 1 = 0 then, with all but negligible robability over choice of r, it will hold 3 that x 1, x 2 0. The above ideas extend to more comlex combinations of disjunctions and conjunctions, and for boolean variables this means we can handle arbitrary CNF or DNF formulas. For non-boolean variables we do not know how to directly handle negation. As ointed out in the revious section the comlexity of the resulting scheme deends olynomially on d t, where t is the number of variables and d is the maximum degree of the resulting olynomial of each variable. 5.5 Exact Thresholds We conclude with an alication that relies directly on redicate encrytion schemes for comuting inner roducts rather than relying on the olynomial-based scheme outlined in Section 5.3. Here, we consider the setting of fuzzy IBE [17], which can be maed to the redicate encrytion framework as follows: fix a set A = 1,..., l} and let the set of attributes be all subsets of A. Predicates take the form Φ = φ S S A} where φ S S = 1 iff S S t, i.e., S and S overla in at least t ositions. Sahai and Waters [17] show a construction of a redicate encrytion scheme satisfying a weaker notion of security than Definition 2.2 for this class of redicates. We can construct a scheme where the attribute sace is the same as before, but the class of redicates corresonds to overla in exactly t ositions. Our scheme will also satisfy the stronger definition of security given here. Namely, set Φ = φ S S A} with φ S S = 1 iff S S = t. Then, given any redicate encrytion scheme over F l+1 : The setu algorithm is unchanged. To generate a secret key for the redicate φ S, first define a vector v Zl+1 N as follows: for 1 i l: v i = 1 iff i S v l+1 = 1. Then outut the key obtained by running GenKey SK f v. To encryt a message M for the attribute S A, define a vector v as follows: for 1 i l: v i = 1 iff i S Then outut the cihertext C Enc P K v, M. v l+1 = t mod N. Since S S = t exactly when v, v = 0, correctness and security follow. 3 In general, the secret key may leak the value of r in which case the adversary will be able to find x 1, x 2 such that AND I1,I 2 x 1, x 1 1 yet x 1, x 2 = 0. Since, however, we consider the selective notion of security where the adversary must commit to x 1, x 2 at the outset of the exeriment, this is not a roblem in our setting. 12

13 References [1] M. Abdalla, M. Bellare, D. Catalano, E. Kiltz, T. Kohno, T. Lange, J. Malone-Lee, G. Neven, P. Paillier, and H. Shi. Searchable encrytion revisited: Consistency roerties, relation to anonymous IBE, and extensions. In Advances in Crytology Cryto [2] M. Bellare, A. Boldyreva, and A. O Neill. Deterministic and efficiently searchable encrytion. In CRYPTO, ages , [3] J. Bethencourt, A. Sahai, and B. Waters. Cihertext-olicy attribute-based encrytion. In IEEE Symosium on Security and Privacy, ages , [4] D. Boneh, X. Boyen, and H. Shacham. Short grou signatures. In Advances in Crytology Cryto [5] D. Boneh, G. Di Crescenzo, R. Ostrovsky, and G. Persiano. Public-key encrytion with keyword search. In Advances in Crytology Eurocryt [6] D. Boneh and M. Franklin. Identity-based encrytion from the Weil airing. SIAM J. Comuting, 323: , [7] D. Boneh, E.-J. Goh, and K. Nissim. Evaluating 2-DNF formulas on cihertexts. In J. Kilian, editor, Proc. 2nd Theory of Crytograhy Conference, volume 3378 of LNCS, ages Sringer, [8] D. Boneh and B. Waters. Conjunctive, subset, and range queries on encryted data. In Theory of Crytograhy Conference, [9] X. Boyen and B. Waters. Anonymous hierarchical identity-based encrytion without random oracles. In Advances in Crytology Cryto [10] R. Canetti, S. Halevi, and J. Katz. A forward-secure ublic-key encrytion scheme. In Advances in Crytology Eurocryt [11] M. Chase. Multi-authority attribute based encrytion. In TCC, ages , [12] C. Cocks. An identity based encrytion scheme based on quadratic residues. In Proc. IMA Intl. Conf. on Crytograhy and Coding, [13] C. Gentry. Practical identity-based encrytion without random oracles. In EUROCRYPT, ages , [14] O. Goldreich and R. Ostrovsky. Software rotection and simulation by oblivious rams. JACM, [15] V. Goyal, O. Pandey, A. Sahai, and B. Waters. Attribute-based encrytion for fine-grained access control of encryted data. In ACM Conf. Comuter and Comm. Security, [16] R. Ostrovsky, A. Sahai, and B. Waters. Attribute-based encrytion with non-monotonic access structures. In ACM Conf. on Comuter and Communications Security,

14 [17] A. Sahai and B. Waters. Fuzzy identity-based encrytion. In Advances in Crytology Eurocryt [18] A. Shamir. Identity-based crytosystems and signature schemes. In Advances in Crytology Cryto 84, volume 196 of LNCS, ages Sringer-Verlag, [19] E. Shi, J. Bethencourt, H. T.-H. Chan, D. X. Song, and A. Perrig. Multi-dimensional range queries over encryted data. In IEEE Sym. Security and Privacy, ages , [20] D. Song, D. Wagner, and A. Perrig. Practical techniques for searches on encryted data. In Proceedings of the 2000 IEEE symosium on Security and Privacy S&P 2000, A Security Definition for Inner-Product Encrytion Here, we re-state Definition 2.2 in the articular setting of our main construction. Our main construction is a redicate-only scheme we show how to extend it to a full-fledged redicate encrytion scheme in Aendix C where the set of attributes 4 is Σ = Z n N and the class of redicates is F = f x x Z n N } such that f x y = 1 x, y = 0. where Σ = Z n N and F = f v v Z n N } with f vv = 1 iff v, v = 0: Definition A.1. A redicate-only encrytion scheme for Σ, F as above is attribute-hiding if for all t adversaries A, the advantage of A in the following exeriment is negligible in the security arameter n: 1. Setu1 n is run to generate keys P K, SK. This defines a value N which is given to A. 2. A oututs x, y Z n N, and is then given P K. 3. A may adatively request keys corresonding to the vectors v 1,..., v l Z n N, subject to the restriction that, for all i, v i, x = 0 if and only if v i, y = 0. In resonse, A is given the corresonding keys SK vi GenKey SK f vi. 4. A random bit b is chosen. If b = 0 then A is given C Enc P K x, and if b = 1 then A is given C Enc P K y. 5. The adversary may continue to request keys for additional vectors, subject to the same restriction as before. 6. A oututs a bit b, and succeeds if b = b. The advantage of A is the absolute value of the difference between its success robability and 1/2. B Proof of Security This section is devoted to a roof of the following theorem: 4 Technically seaking, both Σ and F deend on the ublic arameters since N is generated as art of P K, but we ignore this technicality. We remark also that we consider vectors of length n, the security arameter, for convenience only. 14

15 Theorem B.1. If G satisfies Assumtion 1 then the scheme described in Section 4 is an attributehiding, redicate-only encrytion scheme. Throughout, we will refer to the exeriment as described in Definition A.1. theorem using a sequence of games, defined as follows: We establish the Game 1 : The challenge cihertext is generated as a roer encrytion using x. Recall from Definition A.1 that we let x, y denote the two vectors outut by the adversary. That is, we choose random s, α, β Z N and random R 3,i, R 4,i } G r and comute the cihertext as C = C 1 = g s, } n C = HQ s αx i R 3,i, C = HQ s βx i R 4,i. Game 2 : We now generate the C } comonents as if encrytion were done using 0. That is, we choose random s, α, β Z N and random R 3,i, R 4,i } G r and comute the cihertext as C = C 1 = g s, C = H s Q αx i R 3,i, C = H s R 4,i } n. Game 3 : We now generate the C } comonents using vector y. That is, we choose random s, α, β Z N and random R 3,i, R 4,i } G r and comute the cihertext as C = C 1 = g s, } n C = HQ s αx i R 3,i, C = HQ s βy i R 4,i. Game 4 and Game 5 : These games are defined symmetrically to Game 2 and Game 3 : In Game 4 the C i,1 } comonents are generated using 0. That is, we choose random s, α, β Z N and random R 3,i, R 4,i } G r and comute the cihertext as C = C 1 = g s, } n C = H s R 3,i, C = HQ s βy i R 4,i. In Game 5, the C i,1 } comonents are generated using y. I.e., we choose random s, α, β Z N and random R 3,i, R 4,i } G r and comute the cihertext as C = C 1 = g s, } n C = HQ s αy i R 3,i, C = HQ s βy i R 4,i. In Game 5 the challenge cihertext is a roer encrytion with resect to the vector y. So, the roof of the theorem is concluded once we show that the adversary cannot distinguish between Game i and Game i+1 for each i. As discussed in Section 4.2, it is difficult to roceed directly from a game in which the challenge cihertext is generated as a roer encrytion using x, to a game in which the challenge cihertext is generated as a roer encrytion using y. Indeed, this is the reason our construction uses two sub-systems to begin with. That is why our roof roceeds via the intermediate Game 3 where half of the challenge cihertext corresonds to an encrytion using x and the other half corresonds to an encrytion using y. Intermediate games Game 2 and Game 4 are used to simlify the roof; informally seaking, it hels when art of the cihertext corresonds to an encrytion using 0 since this vector is orthogonal to everything. 15

16 The main difficulty in our roofs will be to answer queries for decrytion keys. In considering the indistinguishability of Game 1 and Game 2 and, symmetrically, Game 4 and Game 5, we will actually be able to construct all decrytion keys i.e., even keys that would allow the adversary to distinguish an encrytion relative to x from an encrytion relative to y. In essence, we will be showing that even such keys cannot be used to distinguish a well-formed encrytion of x or y from a badly-formed one. On the other hand, in considering the indistinguishability of Game 2 and Game 3 and, symmetrically, Game 3 and Game 4 we will not be able to construct all decrytion keys. Instead, we will deal searately with the roblems of 1 roviding keys for vectors v with v, x = 0 = v, y and 2 roviding keys for vectors v with v, x 0 v, y. B.1 Indistinguishability of Game 1 and Game 2 Fix an adversary A. We describe a simulator who is given N = qr, G, G T, ê along with the elements g, g r, g q R 1, h = g, b k = g b2, gg a q, g ab Q 1, g, s g bs Q 2 R 2, and an element T = g b2 s gq β g R 3 r where β is either 0 or uniform in Z q cf. Assumtion 1. Before describing the simulation in detail, we observe that the simulator can samle a random element R G r by choosing random δ Z N and setting R = gr. δ Although there does not aear to be any way for the simulator to samle a random element of G q since g q is not rovided to def the simulator, it is ossible for the simulator to choose a random element QR G qr = G q G r : this can be done by choosing random δ 1, δ 2 Z N and setting QR = g q R 1 δ1 g δ 2 r. Henceforth, we simly describe the simulator as samling uniformly from G r and G qr with the understanding that such samling is done in this way. Public arameters. The simulator begins by giving N to A, who oututs vectors x, y. The simulator chooses random w, w } Z N and random R, R } G r, includes N, G, G T, ê in the ublic arameters, and sets the remaining values as follows: P K = g, g r, g q R 1, H = h x i g w R, H = k x i g w R }. By doing so, the simulator is imlicitly setting h = h x i g w has the aroriate distribution. and h = k x i g w. Note that P K Key derivation. We now describe how the simulator reares the secret key corresonding to the vector v = v 1,..., v n. We stress that although Definition A.1 restricts the vectors v for which the adversary is allowed to request secret keys, we do not rely on this restriction here. This is because the urose of this hybrid roof is to show that the adversary cannot distinguish between roerly formed encrytions of x and imroerly formed encrytions a combination of an encrytion of x and 0. We begin with some intuition: We must construct the K and K comonents of the key. Note that we do not have access to g q, but we do have g q g. a We will make use of this element from the assumtion here. This will give rise to terms containing a in the exonent of g. Note, however, that we will later have to construct the K comonent of the key, whose urose is to cancel out terms in the G subgrou. If v, x = 0, then additional terms involving ab and ab 2 will have to aear in K. However, we do not have access to g ab2 ; indeed if we did, the assumtion would be false and we could easily distinguish between Game 1 and Game 2. We deal with this roblem by 16

17 adding a term using the g ab g d q term given in the assumtion to the K comonents that will allow us to cancel out the ab 2 terms that will aear in K due to the K comonents. The simulator begins by choosing random f 1, f 2, r }, r } Z N. In constructing the key, the simulator will be imlicitly setting: r = r + v i af 1 abf 2 1 r = r + a f 2 v i, 2 as well as f 1 = f 1 d f 2 and f 2 = f 2, where we set d = log g q Q 1. Note that these values are each indeendently and uniformly distributed in Z N, just as they would be in actual secret key comonents. Next, for all i it comutes: K = gg a f 1 vi f q g ab 2 v i r Q 1 g and = g af 1 abf 2 v i+r g f 1 df 2 v i q K = g a g q f 2 vi g r = g af 2 v i+r g f 2 v i q. Now, to construct the K element for the decrytion key. Recall that h = g bx i g w. Therefore, the exonents in K will contain a term of the form i r bx i. But because of how we chose r, we have that i r bx i = kabf 1 ab2 f 2 + i r x i where k = v, x. A similar equation holds for the terms arising out of the h arts of K, and allows us to cancel out all the ab 2 terms that arise in K. Thus, we can comute K as follows: Let k = v, x. Finally, the simulator chooses random QR G qr and comutes k f K = QR g ab 1 Q 1 i g a g q f 1 v i w f 2 v iw g ab Q 1 f 2 v i w g w r w r h x i r k x i r. The simulator then hands the adversary SK v = K, K, K } n as the key. To see formally that the K comonent has the correct distribution, let K, K q, and K r denote the rojections of K in G, G q, and G r, resectively. It is easy to see that K q and K r are indeendently and uniformly distributed, as required. Furthermore, K = g abkf 1 g af 1 v iw af 2 v iw g abf 2 v iw g w r w r h x ir k x ir = h akf 1 = i i i h ax iv i f 1 k x ir h x ir g w r g w v i af 1 abf 2 k x ir g w r g w r g w af 2 v i h x ir g w r g w v i af 1 abf 2 h abx iv i f 2 h abx iv i f 2 g w af 2 v i, 17

18 using the fact that k = x, v = i x i, v i. Using simle but tedious algebra, we obtain K = i = i h x ir g w r h x iv i af 1 abf 2 g w v i af 1 abf 2 k x ir h x i g w r k x i g w r = i h r h r g w r k x iaf 2 v i g w af 2 v i using Eqs. 1 and 2, and thus K has the correct distribution. The challenge cihertext. The challenge cihertext is generated in a straightforward way, as follows. The simulator chooses R 7,i, R 8,i } G r at random, sets C 1 equal to g s, and comutes: C = = h x is g bs Q 2 R 2 xi g s w R 7,i g w s Q x i 2 R 7,i = h s Q x i 2 R 7,i C = T xi g s w R 8,i = h s g β q xi R 8,i, where R 7,i, R 8,i } refer to elements of G r whose exact values are unimortant. Analysis. By examining the rojections of the comonents of the challenge cihertext in the grous G, G q, and G r, it can be verified that when β is random the challenge cihertext is distributed exactly as in Game 1, whereas if β = 0 the challenge cihertext is distributed exactly as in Game 2. We conclude that, under Assumtion 1, these two games are indistinguishable. B.2 Indistinguishability of Game 2 and Game 3 Fix again some adversary A. We describe a simulator who is given N = qr, G, G T, ê along with the elements g, g r, g q R 1, h = g, b k = g b2, gg a q, g ab Q 1, g, s g bs Q 2 R 2, and an element T = g b2 s gq β g R 3 r where β is either 0 or uniform in Z q. Recall that samling uniform elements from G r or G qr can be done efficiently. The simulator interacts with A as we now describe. Public arameters. The simulator begins by giving N to A, who oututs vectors x, y. The simulator chooses random w, w } Z N and random R, R } G r, includes N, G, G T, ê in the ublic arameters, and sets the ublic arameters as follows: P K = g, g r, g q R 1, H = h x i g w R H = k y i g w R }. By doing so, the simulator is imlicitly setting h = h x i g w has the aroriate distribution. and h = k y i g w. Note that P K Key derivation. The adversary A may request secret keys corresonding to different vectors, and we now describe how the simulator reares the secret key corresonding to the vector v = v 1,..., v n. Here, the simulator will only be able to roduce the aroriate secret key when the vector v satisfies the restriction imosed by Definition A.1. We distinguish two cases, deending on whether v, x and v, y are both 0 or whether they are both non-zero. 18

19 Case 1. We first consider the case where v, x = 0 = v, y. The simulator begins by choosing random f 1, f 2, r 1,1 }, r 2,1 } Z N. Then for all i it comutes: K = g a g q f1 vi g r = g af 1v i +r g f 1v i q K = g a g q f2 vi g r = g af 2v i +r g f 2v i q. Finally, the simulator chooses random QR G qr and comutes K = QR i g a g q f1 v i w f 2 v i w g w r w r h x i r k y i r. The simulator then hands the adversary SK v = K, K, K } as the key. To see that this key has the correct distribution, note that by construction of the K, K } the values f 1, f 2 are random; furthermore, the simulator imlicity sets r = r + af 1 v i r = r + af 2 v i, which are uniformly distributed as well. Looking at K, the rojection of K in G as in the roof in the revious section, we see that K = i = i g af 1v i w af 2 v i w g w r w r h x i r k y i r h af 1x i v i k af 2y i v i g af 1v i w af 2 v i w g w r w r h x i r k y i r, using the fact that i h af 1x i v i = h af 1 P i x iv i = 1 = i k af 2y i v i because v, x = 0 = v, y. Algebraic maniulation as in the revious section shows that K has the correct distribution. Case 2. Here, we consider the case where v, x = c x 0 and v, y = c y 0. The simulator begins by choosing random f 1, f 2, r 1,1 }, r 2,1 } Z N. Next, for all i it comutes K = g a g q f 1 v i g ab Q 1 cy f 2 v i g r = g af 1 abcyf 2 v i+r K = g a g q cx f 2 vi g r = g acxf 2 v i+r g cx f 2 v i q, g f 1 cydf 2 v i q where we set d = log gq Q 1 as in the revious roof. Finally, the simulator chooses random QR G qr and comutes K = QR g ab Q 1 cxf 1 g a f g 1 v i w f 2 cxv iw q g ab Q 1 f 2 cyv iw g w r w r h x i r k y i r. i 19

Similar documents

Predicate Privacy in Encryption Systems

Predicate Privacy in Encryption Systems Predicate Privacy in Encrytion Systems Emily Shen MIT eshen@csail.mit.edu Elaine Shi CMU/PARC eshi@arc.com December 24, 2008 Brent Waters UT Austin bwaters@cs.utexas.edu Abstract Predicate encrytion is

More information

Improved Hidden Vector Encryption with Short Ciphertexts and Tokens

Improved Hidden Vector Encryption with Short Ciphertexts and Tokens Imroved Hidden Vector Encrytion with Short Cihertexts and Tokens Kwangsu Lee Dong Hoon Lee Abstract Hidden vector encrytion HVE) is a articular kind of redicate encrytion that is an imortant crytograhic

More information

Bilinear Entropy Expansion from the Decisional Linear Assumption

Bilinear Entropy Expansion from the Decisional Linear Assumption Bilinear Entroy Exansion from the Decisional Linear Assumtion Lucas Kowalczyk Columbia University luke@cs.columbia.edu Allison Bisho Lewko Columbia University alewko@cs.columbia.edu Abstract We develo

More information

Cryptography. Lecture 8. Arpita Patra

Cryptography. Lecture 8. Arpita Patra Crytograhy Lecture 8 Arita Patra Quick Recall and Today s Roadma >> Hash Functions- stands in between ublic and rivate key world >> Key Agreement >> Assumtions in Finite Cyclic grous - DL, CDH, DDH Grous

More information

Conversions among Several Classes of Predicate Encryption and Applications to ABE with Various Compactness Tradeoffs

Conversions among Several Classes of Predicate Encryption and Applications to ABE with Various Compactness Tradeoffs Conversions among Several Classes of Predicate Encrytion and Alications to ABE with Various Comactness Tradeoffs Nuttaong Attraadung, Goichiro Hanaoka, and Shota Yamada National Institute of Advanced Industrial

More information

Cryptanalysis of Pseudorandom Generators

Cryptanalysis of Pseudorandom Generators CSE 206A: Lattice Algorithms and Alications Fall 2017 Crytanalysis of Pseudorandom Generators Instructor: Daniele Micciancio UCSD CSE As a motivating alication for the study of lattice in crytograhy we

More information

Elliptic Curves and Cryptography

Elliptic Curves and Cryptography Ellitic Curves and Crytograhy Background in Ellitic Curves We'll now turn to the fascinating theory of ellitic curves. For simlicity, we'll restrict our discussion to ellitic curves over Z, where is a

More information

Advanced Cryptography Midterm Exam

Advanced Cryptography Midterm Exam Advanced Crytograhy Midterm Exam Solution Serge Vaudenay 17.4.2012 duration: 3h00 any document is allowed a ocket calculator is allowed communication devices are not allowed the exam invigilators will

More information

Predicate Privacy in Encryption Systems

Predicate Privacy in Encryption Systems Predicate Privacy in Encryption Systems Emily Shen 1, Elaine Shi 2, and Brent Waters 3 1 MIT eshen@csail.mit.edu 2 CMU/PARC eshi@parc.com 3 UT Austin bwaters@cs.utexas.edu Abstract. Predicate encryption

More information

MATH 2710: NOTES FOR ANALYSIS

MATH 2710: NOTES FOR ANALYSIS MATH 270: NOTES FOR ANALYSIS The main ideas we will learn from analysis center around the idea of a limit. Limits occurs in several settings. We will start with finite limits of sequences, then cover infinite

More information

1. Introduction. 2. Background of elliptic curve group. Identity-based Digital Signature Scheme Without Bilinear Pairings

1. Introduction. 2. Background of elliptic curve group. Identity-based Digital Signature Scheme Without Bilinear Pairings Identity-based Digital Signature Scheme Without Bilinear Pairings He Debiao, Chen Jianhua, Hu Jin School of Mathematics Statistics, Wuhan niversity, Wuhan, Hubei, China, 43007 Abstract: Many identity-based

More information

Efficient Cryptosystems From 2 k -th Power Residue Symbols

Efficient Cryptosystems From 2 k -th Power Residue Symbols Published in Journal of Crytology, 30(2:519 549, 2017. Efficient Crytosystems From 2 k -th Power Residue Symbols Fabrice Benhamouda 1, Javier Herranz 2, Marc Joye 3, and Benoît Libert 4, 1 ES Paris, CRS,

More information

#A64 INTEGERS 18 (2018) APPLYING MODULAR ARITHMETIC TO DIOPHANTINE EQUATIONS

#A64 INTEGERS 18 (2018) APPLYING MODULAR ARITHMETIC TO DIOPHANTINE EQUATIONS #A64 INTEGERS 18 (2018) APPLYING MODULAR ARITHMETIC TO DIOPHANTINE EQUATIONS Ramy F. Taki ElDin Physics and Engineering Mathematics Deartment, Faculty of Engineering, Ain Shams University, Cairo, Egyt

More information

CDH/DDH-Based Encryption. K&L Sections , 11.4.

CDH/DDH-Based Encryption. K&L Sections , 11.4. CDH/DDH-Based Encrytion K&L Sections 8.3.1-8.3.3, 11.4. 1 Cyclic grous A finite grou G of order q is cyclic if it has an element g of q. { 0 1 2 q 1} In this case, G = g = g, g, g,, g ; G is said to be

More information

Tight Adaptively Secure Broadcast Encryption with Short Ciphertexts and Keys

Tight Adaptively Secure Broadcast Encryption with Short Ciphertexts and Keys Tight Adatively Secure Broadcast Encrytion with Short Cihertexts and Keys Romain Gay ENS, Paris, France romain.gay@ens.fr Lucas Kowalczyk Columbia University luke@cs.columbia.edu Hoeteck Wee ENS, Paris,

More information

Efficient Cryptosystems From 2 k -th Power Residue Symbols

Efficient Cryptosystems From 2 k -th Power Residue Symbols Efficient Crytosystems From 2 k -th Power Residue Symbols Marc Joye and Benoît Libert Technicolor 975 avenue des Chams Blancs, 35576 Cesson-Sévigné Cedex, France {marc.joye,benoit.libert}@technicolor.com

More information

A Public-Key Cryptosystem Based on Lucas Sequences

A Public-Key Cryptosystem Based on Lucas Sequences Palestine Journal of Mathematics Vol. 1(2) (2012), 148 152 Palestine Polytechnic University-PPU 2012 A Public-Key Crytosystem Based on Lucas Sequences Lhoussain El Fadil Communicated by Ayman Badawi MSC2010

More information

Efficient Cryptosystems From 2 k -th Power Residue Symbols

Efficient Cryptosystems From 2 k -th Power Residue Symbols Efficient Crytosystems From k -th Power Residue Symbols Fabrice Benhamouda, Javier Herranz, Marc Joye 3, and Benoît Libert 4, ENS Paris, CNRS, INRIA, and PSL 45 rue d Ulm, 7530 Paris Cedex 06, France fabrice.benhamouda@ens.fr

More information

Lattice Attacks on the DGHV Homomorphic Encryption Scheme

Lattice Attacks on the DGHV Homomorphic Encryption Scheme Lattice Attacks on the DGHV Homomorhic Encrytion Scheme Abderrahmane Nitaj 1 and Tajjeeddine Rachidi 2 1 Laboratoire de Mathématiques Nicolas Oresme Université de Caen Basse Normandie, France abderrahmanenitaj@unicaenfr

More information

ON THE LEAST SIGNIFICANT p ADIC DIGITS OF CERTAIN LUCAS NUMBERS

ON THE LEAST SIGNIFICANT p ADIC DIGITS OF CERTAIN LUCAS NUMBERS #A13 INTEGERS 14 (014) ON THE LEAST SIGNIFICANT ADIC DIGITS OF CERTAIN LUCAS NUMBERS Tamás Lengyel Deartment of Mathematics, Occidental College, Los Angeles, California lengyel@oxy.edu Received: 6/13/13,

More information

An Investigation of Some Forward Security Properties for PEKS and IBE

An Investigation of Some Forward Security Properties for PEKS and IBE An Investigation of Some Forward Security Proerties for PEKS and IBE Qiang Tang APSIA grou, SnT, University of Luxemourg 6, rue Richard Coudenhove-Kalergi, L-359 Luxemourg qiang.tang@uni.lu Astract. In

More information

Outline. EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Simple Error Detection Coding

Outline. EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Simple Error Detection Coding Outline EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Error detection using arity Hamming code for error detection/correction Linear Feedback Shift

More information

An Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security

An Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security An extended abstract of this aer aears in the Proceedings of the 35th Annual Crytology Conference (CRYPTO 2015), Part I, Rosario ennaro and Matthew Robshaw (Eds.), volume 9215 of Lecture Notes in Comuter

More information

4. Score normalization technical details We now discuss the technical details of the score normalization method.

4. Score normalization technical details We now discuss the technical details of the score normalization method. SMT SCORING SYSTEM This document describes the scoring system for the Stanford Math Tournament We begin by giving an overview of the changes to scoring and a non-technical descrition of the scoring rules

More information

Cryptography Assignment 3

Cryptography Assignment 3 Crytograhy Assignment Michael Orlov orlovm@cs.bgu.ac.il) Yanik Gleyzer yanik@cs.bgu.ac.il) Aril 9, 00 Abstract Solution for Assignment. The terms in this assignment are used as defined in [1]. In some

More information

Statics and dynamics: some elementary concepts

Statics and dynamics: some elementary concepts 1 Statics and dynamics: some elementary concets Dynamics is the study of the movement through time of variables such as heartbeat, temerature, secies oulation, voltage, roduction, emloyment, rices and

More information

Math 4400/6400 Homework #8 solutions. 1. Let P be an odd integer (not necessarily prime). Show that modulo 2,

Math 4400/6400 Homework #8 solutions. 1. Let P be an odd integer (not necessarily prime). Show that modulo 2, MATH 4400 roblems. Math 4400/6400 Homework # solutions 1. Let P be an odd integer not necessarily rime. Show that modulo, { P 1 0 if P 1, 7 mod, 1 if P 3, mod. Proof. Suose that P 1 mod. Then we can write

More information

Randomness Extraction in finite fields F p

Randomness Extraction in finite fields F p Randomness Extraction in finite fields F n Abdoul Aziz Ciss École doctorale de Mathématiques et d Informatique, Université Cheikh Anta Dio de Dakar, Sénégal BP: 5005, Dakar Fann abdoul.ciss@ucad.edu.sn,

More information

AN IMPROVED BABY-STEP-GIANT-STEP METHOD FOR CERTAIN ELLIPTIC CURVES. 1. Introduction

AN IMPROVED BABY-STEP-GIANT-STEP METHOD FOR CERTAIN ELLIPTIC CURVES. 1. Introduction J. Al. Math. & Comuting Vol. 20(2006), No. 1-2,. 485-489 AN IMPROVED BABY-STEP-GIANT-STEP METHOD FOR CERTAIN ELLIPTIC CURVES BYEONG-KWEON OH, KIL-CHAN HA AND JANGHEON OH Abstract. In this aer, we slightly

More information

#A37 INTEGERS 15 (2015) NOTE ON A RESULT OF CHUNG ON WEIL TYPE SUMS

#A37 INTEGERS 15 (2015) NOTE ON A RESULT OF CHUNG ON WEIL TYPE SUMS #A37 INTEGERS 15 (2015) NOTE ON A RESULT OF CHUNG ON WEIL TYPE SUMS Norbert Hegyvári ELTE TTK, Eötvös University, Institute of Mathematics, Budaest, Hungary hegyvari@elte.hu François Hennecart Université

More information

Approximating min-max k-clustering

Approximating min-max k-clustering Aroximating min-max k-clustering Asaf Levin July 24, 2007 Abstract We consider the roblems of set artitioning into k clusters with minimum total cost and minimum of the maximum cost of a cluster. The cost

More information

A CONCRETE EXAMPLE OF PRIME BEHAVIOR IN QUADRATIC FIELDS. 1. Abstract

A CONCRETE EXAMPLE OF PRIME BEHAVIOR IN QUADRATIC FIELDS. 1. Abstract A CONCRETE EXAMPLE OF PRIME BEHAVIOR IN QUADRATIC FIELDS CASEY BRUCK 1. Abstract The goal of this aer is to rovide a concise way for undergraduate mathematics students to learn about how rime numbers behave

More information

Topic 7: Using identity types

Topic 7: Using identity types Toic 7: Using identity tyes June 10, 2014 Now we would like to learn how to use identity tyes and how to do some actual mathematics with them. By now we have essentially introduced all inference rules

More information

POINTS ON CONICS MODULO p

POINTS ON CONICS MODULO p POINTS ON CONICS MODULO TEAM 2: JONGMIN BAEK, ANAND DEOPURKAR, AND KATHERINE REDFIELD Abstract. We comute the number of integer oints on conics modulo, where is an odd rime. We extend our results to conics

More information

Elliptic Curves Spring 2015 Problem Set #1 Due: 02/13/2015

Elliptic Curves Spring 2015 Problem Set #1 Due: 02/13/2015 18.783 Ellitic Curves Sring 2015 Problem Set #1 Due: 02/13/2015 Descrition These roblems are related to the material covered in Lectures 1-2. Some of them require the use of Sage, and you will need to

More information

Why Proofs? Proof Techniques. Theorems. Other True Things. Proper Proof Technique. How To Construct A Proof. By Chuck Cusack

Why Proofs? Proof Techniques. Theorems. Other True Things. Proper Proof Technique. How To Construct A Proof. By Chuck Cusack Proof Techniques By Chuck Cusack Why Proofs? Writing roofs is not most student s favorite activity. To make matters worse, most students do not understand why it is imortant to rove things. Here are just

More information

The non-stochastic multi-armed bandit problem

The non-stochastic multi-armed bandit problem Submitted for journal ublication. The non-stochastic multi-armed bandit roblem Peter Auer Institute for Theoretical Comuter Science Graz University of Technology A-8010 Graz (Austria) auer@igi.tu-graz.ac.at

More information

Mobius Functions, Legendre Symbols, and Discriminants

Mobius Functions, Legendre Symbols, and Discriminants Mobius Functions, Legendre Symbols, and Discriminants 1 Introduction Zev Chonoles, Erick Knight, Tim Kunisky Over the integers, there are two key number-theoretic functions that take on values of 1, 1,

More information

On the Unpredictability of Bits of the Elliptic Curve Diffie Hellman Scheme

On the Unpredictability of Bits of the Elliptic Curve Diffie Hellman Scheme On the Unredictability of Bits of the Ellitic Curve Diffie Hellman Scheme Dan Boneh 1 and Igor E. Sharlinski 2 1 Deartment of Comuter Science, Stanford University, CA, USA dabo@cs.stanford.edu 2 Deartment

More information

HENSEL S LEMMA KEITH CONRAD

HENSEL S LEMMA KEITH CONRAD HENSEL S LEMMA KEITH CONRAD 1. Introduction In the -adic integers, congruences are aroximations: for a and b in Z, a b mod n is the same as a b 1/ n. Turning information modulo one ower of into similar

More information

Sets of Real Numbers

Sets of Real Numbers Chater 4 Sets of Real Numbers 4. The Integers Z and their Proerties In our revious discussions about sets and functions the set of integers Z served as a key examle. Its ubiquitousness comes from the fact

More information

arxiv: v1 [physics.data-an] 26 Oct 2012

arxiv: v1 [physics.data-an] 26 Oct 2012 Constraints on Yield Parameters in Extended Maximum Likelihood Fits Till Moritz Karbach a, Maximilian Schlu b a TU Dortmund, Germany, moritz.karbach@cern.ch b TU Dortmund, Germany, maximilian.schlu@cern.ch

More information

p-adic Measures and Bernoulli Numbers

p-adic Measures and Bernoulli Numbers -Adic Measures and Bernoulli Numbers Adam Bowers Introduction The constants B k in the Taylor series exansion t e t = t k B k k! k=0 are known as the Bernoulli numbers. The first few are,, 6, 0, 30, 0,

More information

Hotelling s Two- Sample T 2

Hotelling s Two- Sample T 2 Chater 600 Hotelling s Two- Samle T Introduction This module calculates ower for the Hotelling s two-grou, T-squared (T) test statistic. Hotelling s T is an extension of the univariate two-samle t-test

More information

Hidden-Vector Encryption with Groups of Prime Order

Hidden-Vector Encryption with Groups of Prime Order Hidden-Vector Encryption with Groups of Prime Order Vincenzo Iovino 1 and Giuseppe Persiano 1 Dipartimento di Informatica ed Applicazioni, Università di Salerno, 84084 Fisciano (SA), Italy. iovino,giuper}@dia.unisa.it.

More information

Bayesian System for Differential Cryptanalysis of DES

Bayesian System for Differential Cryptanalysis of DES Available online at www.sciencedirect.com ScienceDirect IERI Procedia 7 (014 ) 15 0 013 International Conference on Alied Comuting, Comuter Science, and Comuter Engineering Bayesian System for Differential

More information

Model checking, verification of CTL. One must verify or expel... doubts, and convert them into the certainty of YES [Thomas Carlyle]

Model checking, verification of CTL. One must verify or expel... doubts, and convert them into the certainty of YES [Thomas Carlyle] Chater 5 Model checking, verification of CTL One must verify or exel... doubts, and convert them into the certainty of YES or NO. [Thomas Carlyle] 5. The verification setting Page 66 We introduce linear

More information

A Modified Menezes-Vanstone Elliptic Curve Multi-Keys Cryptosystem

A Modified Menezes-Vanstone Elliptic Curve Multi-Keys Cryptosystem A Modified Menezes-Vanstone Ellitic Curve Multi-Keys Crytosystem By K.H. Rahouma Electrical Technology Deartment Technical College in Riyadh Riyadh, Kingdom of Saudi Arabia E-mail: kamel_rahouma@yahoo.com

More information

ON POLYNOMIAL SELECTION FOR THE GENERAL NUMBER FIELD SIEVE

ON POLYNOMIAL SELECTION FOR THE GENERAL NUMBER FIELD SIEVE MATHEMATICS OF COMPUTATIO Volume 75, umber 256, October 26, Pages 237 247 S 25-5718(6)187-9 Article electronically ublished on June 28, 26 O POLYOMIAL SELECTIO FOR THE GEERAL UMBER FIELD SIEVE THORSTE

More information

Positive decomposition of transfer functions with multiple poles

Positive decomposition of transfer functions with multiple poles Positive decomosition of transfer functions with multile oles Béla Nagy 1, Máté Matolcsi 2, and Márta Szilvási 1 Deartment of Analysis, Technical University of Budaest (BME), H-1111, Budaest, Egry J. u.

More information

State Estimation with ARMarkov Models

State Estimation with ARMarkov Models Deartment of Mechanical and Aerosace Engineering Technical Reort No. 3046, October 1998. Princeton University, Princeton, NJ. State Estimation with ARMarkov Models Ryoung K. Lim 1 Columbia University,

More information

Definitional Issues in Functional Encryption

Definitional Issues in Functional Encryption Definitional Issues in Functional Encryption Adam O Neill Abstract We provide a formalization of the emergent notion of functional encryption, as well as introduce various security notions for it, and

More information

A Qualitative Event-based Approach to Multiple Fault Diagnosis in Continuous Systems using Structural Model Decomposition

A Qualitative Event-based Approach to Multiple Fault Diagnosis in Continuous Systems using Structural Model Decomposition A Qualitative Event-based Aroach to Multile Fault Diagnosis in Continuous Systems using Structural Model Decomosition Matthew J. Daigle a,,, Anibal Bregon b,, Xenofon Koutsoukos c, Gautam Biswas c, Belarmino

More information

Identity-based encryption

Identity-based encryption Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages

More information

1-way quantum finite automata: strengths, weaknesses and generalizations

1-way quantum finite automata: strengths, weaknesses and generalizations 1-way quantum finite automata: strengths, weaknesses and generalizations arxiv:quant-h/9802062v3 30 Se 1998 Andris Ambainis UC Berkeley Abstract Rūsiņš Freivalds University of Latvia We study 1-way quantum

More information

δ(xy) = φ(x)δ(y) + y p δ(x). (1)

δ(xy) = φ(x)δ(y) + y p δ(x). (1) LECTURE II: δ-rings Fix a rime. In this lecture, we discuss some asects of the theory of δ-rings. This theory rovides a good language to talk about rings with a lift of Frobenius modulo. Some of the material

More information

Convex Optimization methods for Computing Channel Capacity

Convex Optimization methods for Computing Channel Capacity Convex Otimization methods for Comuting Channel Caacity Abhishek Sinha Laboratory for Information and Decision Systems (LIDS), MIT sinhaa@mit.edu May 15, 2014 We consider a classical comutational roblem

More information

An Estimate For Heilbronn s Exponential Sum

An Estimate For Heilbronn s Exponential Sum An Estimate For Heilbronn s Exonential Sum D.R. Heath-Brown Magdalen College, Oxford For Heini Halberstam, on his retirement Let be a rime, and set e(x) = ex(2πix). Heilbronn s exonential sum is defined

More information

Galois Fields, Linear Feedback Shift Registers and their Applications

Galois Fields, Linear Feedback Shift Registers and their Applications Galois Fields, Linear Feedback Shift Registers and their Alications With 85 illustrations as well as numerous tables, diagrams and examles by Ulrich Jetzek ISBN (Book): 978-3-446-45140-7 ISBN (E-Book):

More information

Notes on Instrumental Variables Methods

Notes on Instrumental Variables Methods Notes on Instrumental Variables Methods Michele Pellizzari IGIER-Bocconi, IZA and frdb 1 The Instrumental Variable Estimator Instrumental variable estimation is the classical solution to the roblem of

More information

Elementary Analysis in Q p

Elementary Analysis in Q p Elementary Analysis in Q Hannah Hutter, May Szedlák, Phili Wirth November 17, 2011 This reort follows very closely the book of Svetlana Katok 1. 1 Sequences and Series In this section we will see some

More information

Linear diophantine equations for discrete tomography

Linear diophantine equations for discrete tomography Journal of X-Ray Science and Technology 10 001 59 66 59 IOS Press Linear diohantine euations for discrete tomograhy Yangbo Ye a,gewang b and Jiehua Zhu a a Deartment of Mathematics, The University of Iowa,

More information

An Attack on a Fully Homomorphic Encryption Scheme

An Attack on a Fully Homomorphic Encryption Scheme An Attack on a Fully Homomorhic Encrytion Scheme Yuu Hu 1 and Fenghe Wang 2 1 Telecommunication School, Xidian University, 710071 Xi an, China 2 Deartment of Mathematics and Physics Shandong Jianzhu University,

More information

Pseudorandom Sequence Generation

Pseudorandom Sequence Generation YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Crytograhy and Comuter Security Handout #21 Professor M. J. Fischer November 29, 2005 Pseudorandom Seuence Generation 1 Distinguishability and

More information

On a Markov Game with Incomplete Information

On a Markov Game with Incomplete Information On a Markov Game with Incomlete Information Johannes Hörner, Dinah Rosenberg y, Eilon Solan z and Nicolas Vieille x{ January 24, 26 Abstract We consider an examle of a Markov game with lack of information

More information

SQUARES IN Z/NZ. q = ( 1) (p 1)(q 1)

SQUARES IN Z/NZ. q = ( 1) (p 1)(q 1) SQUARES I Z/Z We study squares in the ring Z/Z from a theoretical and comutational oint of view. We resent two related crytograhic schemes. 1. SQUARES I Z/Z Consider for eamle the rime = 13. Write the

More information

Intrinsic Approximation on Cantor-like Sets, a Problem of Mahler

Intrinsic Approximation on Cantor-like Sets, a Problem of Mahler Intrinsic Aroximation on Cantor-like Sets, a Problem of Mahler Ryan Broderick, Lior Fishman, Asaf Reich and Barak Weiss July 200 Abstract In 984, Kurt Mahler osed the following fundamental question: How

More information

1. INTRODUCTION. Fn 2 = F j F j+1 (1.1)

1. INTRODUCTION. Fn 2 = F j F j+1 (1.1) CERTAIN CLASSES OF FINITE SUMS THAT INVOLVE GENERALIZED FIBONACCI AND LUCAS NUMBERS The beautiful identity R.S. Melham Deartment of Mathematical Sciences, University of Technology, Sydney PO Box 23, Broadway,

More information

ANALYTIC NUMBER THEORY AND DIRICHLET S THEOREM

ANALYTIC NUMBER THEORY AND DIRICHLET S THEOREM ANALYTIC NUMBER THEORY AND DIRICHLET S THEOREM JOHN BINDER Abstract. In this aer, we rove Dirichlet s theorem that, given any air h, k with h, k) =, there are infinitely many rime numbers congruent to

More information

CS 6260 Some number theory. Groups

CS 6260 Some number theory. Groups Let Z = {..., 2, 1, 0, 1, 2,...} denote the set of integers. Let Z+ = {1, 2,...} denote the set of ositive integers and = {0, 1, 2,...} the set of non-negative integers. If a, are integers with > 0 then

More information

2 Asymptotic density and Dirichlet density

2 Asymptotic density and Dirichlet density 8.785: Analytic Number Theory, MIT, sring 2007 (K.S. Kedlaya) Primes in arithmetic rogressions In this unit, we first rove Dirichlet s theorem on rimes in arithmetic rogressions. We then rove the rime

More information

2 Asymptotic density and Dirichlet density

2 Asymptotic density and Dirichlet density 8.785: Analytic Number Theory, MIT, sring 2007 (K.S. Kedlaya) Primes in arithmetic rogressions In this unit, we first rove Dirichlet s theorem on rimes in arithmetic rogressions. We then rove the rime

More information

GOOD MODELS FOR CUBIC SURFACES. 1. Introduction

GOOD MODELS FOR CUBIC SURFACES. 1. Introduction GOOD MODELS FOR CUBIC SURFACES ANDREAS-STEPHAN ELSENHANS Abstract. This article describes an algorithm for finding a model of a hyersurface with small coefficients. It is shown that the aroach works in

More information

Towards understanding the Lorenz curve using the Uniform distribution. Chris J. Stephens. Newcastle City Council, Newcastle upon Tyne, UK

Towards understanding the Lorenz curve using the Uniform distribution. Chris J. Stephens. Newcastle City Council, Newcastle upon Tyne, UK Towards understanding the Lorenz curve using the Uniform distribution Chris J. Stehens Newcastle City Council, Newcastle uon Tyne, UK (For the Gini-Lorenz Conference, University of Siena, Italy, May 2005)

More information

Feedback-error control

Feedback-error control Chater 4 Feedback-error control 4.1 Introduction This chater exlains the feedback-error (FBE) control scheme originally described by Kawato [, 87, 8]. FBE is a widely used neural network based controller

More information

QUADRATIC RESIDUES AND DIFFERENCE SETS

QUADRATIC RESIDUES AND DIFFERENCE SETS QUADRATIC RESIDUES AND DIFFERENCE SETS VSEVOLOD F. LEV AND JACK SONN Abstract. It has been conjectured by Sárközy that with finitely many excetions, the set of quadratic residues modulo a rime cannot be

More information

AI*IA 2003 Fusion of Multiple Pattern Classifiers PART III

AI*IA 2003 Fusion of Multiple Pattern Classifiers PART III AI*IA 23 Fusion of Multile Pattern Classifiers PART III AI*IA 23 Tutorial on Fusion of Multile Pattern Classifiers by F. Roli 49 Methods for fusing multile classifiers Methods for fusing multile classifiers

More information

Section 0.10: Complex Numbers from Precalculus Prerequisites a.k.a. Chapter 0 by Carl Stitz, PhD, and Jeff Zeager, PhD, is available under a Creative

Section 0.10: Complex Numbers from Precalculus Prerequisites a.k.a. Chapter 0 by Carl Stitz, PhD, and Jeff Zeager, PhD, is available under a Creative Section 0.0: Comlex Numbers from Precalculus Prerequisites a.k.a. Chater 0 by Carl Stitz, PhD, and Jeff Zeager, PhD, is available under a Creative Commons Attribution-NonCommercial-ShareAlike.0 license.

More information

We collect some results that might be covered in a first course in algebraic number theory.

We collect some results that might be covered in a first course in algebraic number theory. 1 Aendices We collect some results that might be covered in a first course in algebraic number theory. A. uadratic Recirocity Via Gauss Sums A1. Introduction In this aendix, is an odd rime unless otherwise

More information

Distributed Rule-Based Inference in the Presence of Redundant Information

Distributed Rule-Based Inference in the Presence of Redundant Information istribution Statement : roved for ublic release; distribution is unlimited. istributed Rule-ased Inference in the Presence of Redundant Information June 8, 004 William J. Farrell III Lockheed Martin dvanced

More information

RECIPROCITY LAWS JEREMY BOOHER

RECIPROCITY LAWS JEREMY BOOHER RECIPROCITY LAWS JEREMY BOOHER 1 Introduction The law of uadratic recirocity gives a beautiful descrition of which rimes are suares modulo Secial cases of this law going back to Fermat, and Euler and Legendre

More information

Numerical Linear Algebra

Numerical Linear Algebra Numerical Linear Algebra Numerous alications in statistics, articularly in the fitting of linear models. Notation and conventions: Elements of a matrix A are denoted by a ij, where i indexes the rows and

More information

John Weatherwax. Analysis of Parallel Depth First Search Algorithms

John Weatherwax. Analysis of Parallel Depth First Search Algorithms Sulementary Discussions and Solutions to Selected Problems in: Introduction to Parallel Comuting by Viin Kumar, Ananth Grama, Anshul Guta, & George Karyis John Weatherwax Chater 8 Analysis of Parallel

More information

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004 CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed

More information

Uncorrelated Multilinear Principal Component Analysis for Unsupervised Multilinear Subspace Learning

Uncorrelated Multilinear Principal Component Analysis for Unsupervised Multilinear Subspace Learning TNN-2009-P-1186.R2 1 Uncorrelated Multilinear Princial Comonent Analysis for Unsuervised Multilinear Subsace Learning Haiing Lu, K. N. Plataniotis and A. N. Venetsanooulos The Edward S. Rogers Sr. Deartment

More information

MATH 361: NUMBER THEORY EIGHTH LECTURE

MATH 361: NUMBER THEORY EIGHTH LECTURE MATH 361: NUMBER THEORY EIGHTH LECTURE 1. Quadratic Recirocity: Introduction Quadratic recirocity is the first result of modern number theory. Lagrange conjectured it in the late 1700 s, but it was first

More information

Real Analysis 1 Fall Homework 3. a n.

Real Analysis 1 Fall Homework 3. a n. eal Analysis Fall 06 Homework 3. Let and consider the measure sace N, P, µ, where µ is counting measure. That is, if N, then µ equals the number of elements in if is finite; µ = otherwise. One usually

More information

Combining Logistic Regression with Kriging for Mapping the Risk of Occurrence of Unexploded Ordnance (UXO)

Combining Logistic Regression with Kriging for Mapping the Risk of Occurrence of Unexploded Ordnance (UXO) Combining Logistic Regression with Kriging for Maing the Risk of Occurrence of Unexloded Ordnance (UXO) H. Saito (), P. Goovaerts (), S. A. McKenna (2) Environmental and Water Resources Engineering, Deartment

More information

MODELING THE RELIABILITY OF C4ISR SYSTEMS HARDWARE/SOFTWARE COMPONENTS USING AN IMPROVED MARKOV MODEL

MODELING THE RELIABILITY OF C4ISR SYSTEMS HARDWARE/SOFTWARE COMPONENTS USING AN IMPROVED MARKOV MODEL Technical Sciences and Alied Mathematics MODELING THE RELIABILITY OF CISR SYSTEMS HARDWARE/SOFTWARE COMPONENTS USING AN IMPROVED MARKOV MODEL Cezar VASILESCU Regional Deartment of Defense Resources Management

More information

Pell's Equation and Fundamental Units Pell's equation was first introduced to me in the number theory class at Caltech that I never comleted. It was r

Pell's Equation and Fundamental Units Pell's equation was first introduced to me in the number theory class at Caltech that I never comleted. It was r Pell's Equation and Fundamental Units Kaisa Taiale University of Minnesota Summer 000 1 Pell's Equation and Fundamental Units Pell's equation was first introduced to me in the number theory class at Caltech

More information

The inverse Goldbach problem

The inverse Goldbach problem 1 The inverse Goldbach roblem by Christian Elsholtz Submission Setember 7, 2000 (this version includes galley corrections). Aeared in Mathematika 2001. Abstract We imrove the uer and lower bounds of the

More information

CMSC 425: Lecture 4 Geometry and Geometric Programming

CMSC 425: Lecture 4 Geometry and Geometric Programming CMSC 425: Lecture 4 Geometry and Geometric Programming Geometry for Game Programming and Grahics: For the next few lectures, we will discuss some of the basic elements of geometry. There are many areas

More information

Privacy via Pseudorandom Sketches

Privacy via Pseudorandom Sketches Privacy via Pseudorandom Sketches Nina Mishra Mark Sandler December 18, 2005 Abstract Imagine a collection of individuals who each ossess rivate data that they do not wish to share with a third arty. This

More information

IDENTIFYING CONGRUENCE SUBGROUPS OF THE MODULAR GROUP

IDENTIFYING CONGRUENCE SUBGROUPS OF THE MODULAR GROUP PROCEEDINGS OF THE AMERICAN MATHEMATICAL SOCIETY Volume 24, Number 5, May 996 IDENTIFYING CONGRUENCE SUBGROUPS OF THE MODULAR GROUP TIM HSU (Communicated by Ronald M. Solomon) Abstract. We exhibit a simle

More information

Secure and Practical Identity-Based Encryption

Secure and Practical Identity-Based Encryption Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.

More information

A Distance-sensitive Attribute Based Cryptosystem for Privacy-Preserving Querying

A Distance-sensitive Attribute Based Cryptosystem for Privacy-Preserving Querying MITSUBISHI ELECTRIC RESEARCH LABORATORIES htt://www.merl.com A Distance-sensitive Attribute Based Crytosystem for Privacy-Preserving Querying Sun, W.; Rane, S. TR2012-054 July 2012 Abstract We roose an

More information

THE 2D CASE OF THE BOURGAIN-DEMETER-GUTH ARGUMENT

THE 2D CASE OF THE BOURGAIN-DEMETER-GUTH ARGUMENT THE 2D CASE OF THE BOURGAIN-DEMETER-GUTH ARGUMENT ZANE LI Let e(z) := e 2πiz and for g : [0, ] C and J [0, ], define the extension oerator E J g(x) := g(t)e(tx + t 2 x 2 ) dt. J For a ositive weight ν

More information

Analysis of some entrance probabilities for killed birth-death processes

Analysis of some entrance probabilities for killed birth-death processes Analysis of some entrance robabilities for killed birth-death rocesses Master s Thesis O.J.G. van der Velde Suervisor: Dr. F.M. Sieksma July 5, 207 Mathematical Institute, Leiden University Contents Introduction

More information

A New and Optimal Chosen-message Attack on RSA-type Cryptosystems

A New and Optimal Chosen-message Attack on RSA-type Cryptosystems Published in Y. Han, T. Okamoto, and S. Qing, eds, Information and Communications Security (ICICS 97), vol. 1334 of Lecture Notes in Comer Science,. 30-313, Sringer-Verlag, 1997. A New and Otimal Chosen-message

More information

Use of Transformations and the Repeated Statement in PROC GLM in SAS Ed Stanek

Use of Transformations and the Repeated Statement in PROC GLM in SAS Ed Stanek Use of Transformations and the Reeated Statement in PROC GLM in SAS Ed Stanek Introduction We describe how the Reeated Statement in PROC GLM in SAS transforms the data to rovide tests of hyotheses of interest.

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback