Cryptography. Lecture 11. Arpita Patra
1 Cryptography Lecture Arpita Patra
2 Generic Results in PK World CPA Security CCA Security Bit Encryption Many-bit Encryption Bit Encryption Many-Bit Encryption Π CPA-secure KEM Π SKE COA-secure SKE Π Hyb CPA-secure Π CCA-secure KEM Π SKE CCA-secure SKE Π Hyb CCA-secure Gen Hyb = Gen pk m Enc Hyb c Encaps k c Enc SKE SKE (c, c SKE ) sk c Dec Hyb Decaps k c SKE Dec SKE m Π = (Gen, Encaps, Decaps) Π SKE = (Gen SKE, Enc SKE, Dec SKE ) Π Hyb = (Gen Hyb, Enc Hyb, Dec Hyb )
3 Constructions for PK World CPA Security PKE Instantiation: DDH based El Gamal KEM Instantiation: HDH based variation of El Gamal CCA Security Instantiation: DDH + CR Hash based Cramer-Shoup Scheme (first ever CCA secure under standard assumption ) KEM Instantiation: ODH based (the same) variation of El Gamal Variant El Gamal KEM PRG-based SKE Π Hyb CPA-secure Variant ElGamal KEM CPA-secure SKE + scma MAC Π Hyb CCA-secure Gen Hyb = Gen pk m Enc Hyb c Encaps k c Enc SKE SKE (c, c SKE ) sk c Dec Hyb Decaps k c SKE Dec SKE m Π = (Gen, Encaps, Decaps) Π SKE = (Gen SKE, Enc SKE, Dec SKE ) Π Hyb = (Gen Hyb, Enc Hyb, Dec Hyb )
4 CCA Security for KEM cca CCA experiment KEM (n) A, Π PPT A pk (c,k ) Π = (Gen, Encaps, Decaps) Also have to give Decaps sk (.) service to the (c,k) attacker Encaps pk ( n ) b {0, } b {0, } pk, sk I can break Π Let me verify Gen( n ) (Attacker's guess about encapsulated key) k k if b=0 uniform random string, b = --- attacker won b = b Game Output b b attacker lost Π is CPA-secure if for every PPT attacker A, the probability that A wins the experiment is at most negligibly better than ½ cca P KEM (n) A, Π = ½ + negl(n)
5 El Gamal like KEM Gen( n ) (G, o, q, g) h = g. For random pk= (G,o,q,g,h), sk = Gen( n ) (G, o, q, g) h = g. For random pk= (G,o,q,g,h,H), sk = c = g for random c 2 = h.. m c= (c,c 2 ) - Need to choose m randomly - Multiplication - Ciphertext= 2 elements - No need of that - No Multiplication, hashing - Ciphertext= element Encaps pk ( n ) c = g for random k = H(h ) = H(g. ) (c,k) Dec sk (c) c 2 / (c ) = c 2. [(c ) ] - - Multiplication - No Multiplication, hashing Decaps sk (c) k = H(c )= H(g ) Security: DDH Assumption Security:??
6 El Gamal like KEM Gen( n ) (G, o, q, g) h = g. For random pk= (G,o,q,g,h,H), sk = Encaps pk ( n ) c = g for random k = H(h ) = H(g. ) (c,k) Dec sk (c) k = H(c )= H(g ) ODH (Oracle Diffie-Hellman) Assumption ODH problem is hard relative to (G, o) and hash function H: G -> {0,} m if for every PPT A, (it is hard to distinguish H(g ) from a random string {0,} m even given g, g AND an oracle O (X): = H(X ); anything other than g can be queried) ): P[A o (.) (G, o, q, g, g, g, H(g )) = ] - P[A o(.) (G, o, q, g, g, g, ) = ] negl() ODH assumption is just the belief that there exist a group and hash function H so that the above is true. It is stronger than HDH. Theorem: ODH assumption holds Π is a CCA-secure KEM
7 Construction of Hybrid CCA-secure PKE Gen Hyb = Gen pk m Enc Hyb c Encaps k c Enc SKE SKE (c, c SKE ) sk c Dec Hyb Decaps k c SKE Dec SKE m Π = (Gen, Encaps, Decaps) Π SKE = (Gen SKE, Enc SKE, Dec SKE ) Π Hyb = (Gen Hyb, Enc Hyb, Dec Hyb ) CCA Secure Π SKE - CPA Secure Π SKE + Strong CMA Secure Π MAC CCA Secure Π - Oracle Function assumption (ODH) DHIES (Diffie-Hellman Integrated Encryption Scheme)- ISO/IEC
8 DHIES- ISO/IEC Π (CCA) = (Gen, Encaps, Decaps) Gen Hyb = (G, o, q, g) Π SKE (CPA) = (Gen SKE, Enc SKE, Dec SKE ) Π MAC (scma)= (Gen MAC, Mac, Vrfy) Π Hyb (CCA) = (Gen Hyb, Enc Hyb, Dec Hyb ) h = g. For random H: G → {0,} 2n pk= (G,o,q,g,h,H), sk = pk Enc Hyb c = g for random k = H(h ) = H(g. ) c (c, c SKE =(c CPA,t MAC )) sk c k = H(c ) = H(g ) Dec Hyb k k k=k E k M k=k E k M m k E Enc CPA c CPA k E Mac scma t MAC k M c SKE (c CPA, t MAC ) Vrfy scma Yes k E c CPA Dec CPA m m CCA Secure Π SKE - CPA Secure Π SKE + Strong CMA Secure Π MAC CCA Secure Π - Number theoretic assumption + Hash Function (ODH)
9 DHIES (Term Paper) Michel Abdalla, Mihir Bellare, Phillip Rogaway: The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES. CT-RSA 2001: 143-158
10 Cramer-Shoup Cryptosystem Ronald Cramer, Victor Shoup: A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack. CRYPTO 1998: 13-25
11 Cramer-Shoup Cryptosystem- Route map Another Look at DDH Assumption/ An alternative Formulation CPA Secure Scheme (different from El Gamal) CCA Secure Scheme + Collision-Resistant Hash Function CCA Secure Scheme
12 Another Look at DDH (G,o,q,g) Group of Prime Order q - P[A(g, g, g, g ) = ] P[A(g, g, g, g z ) = ] negl() (g 0,, g 0, ) (g 0,, g 0, ) - P[A(g 0,, g 0, g ) = ] P[A(g 0,, g 0, g ) = ] negl()
13 Randomization Function Input Output (g 0,, h 0, h ) Random (,) from Z q. Way 1: Given,, h 0,h v = h 0. h Case I (g 0,, h 0 = g 0, h = ): Way 2: Given, u Claim: u = v Proof: u. ) = h 0. h = v Case II (g 0,, h 0 = g 0, h = g ): Claim: An all powerful adv A can guess v with probability at most / G, even given (g 0,, h 0, h, u). Proof: A can compute,, α (where = g 0α ) and discrete log of u (say R) u = g R 0. ) = g +α 0 +α = R --- () v = h 0. h = g 0. g = g +α 0 +α is linearly independent of +α For every guess R of this value +α, there exist a pair of unique values for, satisfying equation ()
14 CPA Secure Scheme Gen( n ) (G, o, q, g 0, ) Random from Z q Random (,) from Z q h 0 = g 0, h = g. g c = u.m = v.m (Way 2) pk= (G,o,q, g 0,, u), sk = (,) (h 0, h, c) Dec sk = (,) (h 0, h, c) v = h 0. h (Way 1) m = c/v Theorem. If DDH is hard, then Π is a CPA-secure scheme. Proof: Assume Π is not CPA-secure A, p(n): P PubK (n) = > ½ + /p(n) A, Π DDH or non-DDH tuple? (G,o,q,g 0,, h 0, h ) Random (,) from Z q. g Let us run PubK (n) A, Π pk = (G,o,q,g 0,,u) m 0, m, m 0 = m (h 0, h, c) A c = h 0. h. m b b {0, }
15 CPA Secure Scheme Gen( n ) (G, o, q, g 0, ) Random from Z q Random (,) from Z q h 0 = g 0, h = g. g c = u.m = v.m (Way 2) pk= (G,o,q, g 0,, u), sk = (,) (h 0, h, c) Dec sk = (,) (h 0, h, c) v = h 0. h (Way 1) m = c/v Theorem. If DDH is hard, then Π is a CPA-secure scheme. Proof: Assume Π is not CPA-secure A, p(n): P PubK (n) = > ½ + /p(n) A, Π DDH Tuple (G,o,q,g 0,, h 0 = g 0, h = ) Random (,) from Z q. g h 0. h = g 0. g = u c = h 0. h. m b Let us run PubK (n) A, Π pk = (G,o,q, g 0,,u) m 0, m, m 0 = m (h 0, h, c) b {0, } A
16 CPA Secure Scheme Gen( n ) (G, o, q, g 0, ) Random from Z q Random (,) from Z q h 0 = g 0, h = g. g c = u.m = v.m (Way 2) pk= (G,o,q, g 0,, u), sk = (,) (h 0, h, c) Dec sk = (,) (h 0, h, c) v = h 0. h (Way 1) m = c/v Theorem. If DDH is hard, then Π is a CPA-secure scheme. Proof: Assume Π is not CPA-secure A, p(n): P PubK (n) = > ½ + /p(n) A, Π P PubK (n) A, Π = = ½ Non-DDH Tuple (G,o,q,g 0,, h 0 = g 0, h = ) Random (,) from Z q. g h 0. h is uniformly random element c = h 0. h. m b Let us run PubK (n) A, Π pk = (G,o,q, g 0,,u) m 0, m, m 0 = m (h 0, h, c) b {0, } A
17 CPA Secure Scheme Gen( n ) (G, o, q, g 0, ) Random from Z q Random (,) from Z q h 0 = g 0, h = g. g c = u.m = v.m (Way 2) pk= (G,o,q, g 0,, u), sk = (,) (h 0, h, c) Dec sk = (,) (h 0, h, c) v = h 0. h (Way 1) m = c/v Theorem. If DDH is hard, then Π is a CPA-secure scheme. Proof: Assume Π is not CPA-secure A, p(n): P PubK (n) = > ½ + /p(n) P PubK (n) = = ½ A, Π A, Π = = P [(DDH tuple) = ] - P [(non-DDH tuple) = ] > /p(n) DDH or non-DDH tuple? (G,o,q,g 0,, h 0, h ) if b = b 0 otherwise Random (,) from Z q. g c = h 0. h. m b Let us run PubK (n) A, Π pk = (G,o,q, g 0,,u) m 0, m, m 0 = m (h 0, h, c) b {0, } A
18 Why NOT El Gamal? Gen( n ) (G, o, q, g) Random from Z q, h = g c = g for random pk= (G,o,q, g 0, h), sk = c 2 = g.. m Dec sk (c) c 2 / (c ) = c 2. [(c ) ] - Theorem. If DDH is hard, then Π is a CPA-secure scheme. Proof: Assume Π is not CPA-secure A, p(n): P PubK (n) = > ½ + /p(n) P PubK (n) A, Π A, Π = = ½ = = P [(DDH tuple) = ] - P [(non-DDH tuple) = ] > /p(n) The secret key is not with the reduction and so cannot Let us run PubK (n) DDH or non-DDH tuple? provide O service to A! A, Π (G,o,q,g, g, g, g z ) pk = (G,o,q,g,g ) m 0, m, m 0 = m A if b = b c = (g, g z.m b ) 0 otherwise b b {0, }
19 Is the Scheme CCA secure? Gen( n ) Dec sk = (,) (h 0, h, c) (G, o, q, g v = h Random from Z 0. h 0, ) (Way 1) q Random (,) from Z q h 0 = g 0, h = g m = c/v. g c = u.m = v.m (Way 2) pk= (G,o,q, g 0,, u), sk = (,) (h 0, h, c) It is malleable. Not CCA Secure
20 Is the Scheme CCA secure? Gen( n ) Dec sk = (,) (h 0, h, c) (G, o, q, g v = h Random from Z 0. h 0, ) (Way 1) q Random (,) from Z q h 0 = g 0, h = g m = c/v. g c = u.m = v.m (Way 2) pk= (G,o,q, g 0,, u), sk = (,) (h 0, h, c) Theorem. If DDH is hard, then Π is a CPA-secure scheme. Proof: Assume Π is not CPA-secure A, p(n): P PubK (n) = > ½ + /p(n) P PubK (n) = = ½ A, Π A u,π = = P [(DDH tuple) = ] - P [(non-DDH tuple) = ] > /p(n) DDH or non-DDH tuple? (G,o,q,g 0,, h 0, h ) if b = b Random (,) from Z q. g pk = (G,o,q, g 0,,u) Decryption query m 0, m, m 0 = m (h 0, h, c) A 0 otherwise c = h 0. h. m b b {0, }
21 Is the Scheme CCA secure? Gen( n ) (G, o, q, g 0, ) Random (,) from Z q. pk= (G,o,q, g 0,, u), sk = (,) Random from Z q h 0 = g 0, h = c = u.m = v.m (Way 2) (h 0, h, c) Dec sk = (,) (h 0, h, c) v = h 0. h (Way 1) m = c/v Claim. Just one decryption query is enough for an unbounded powerful adversary A u to know, and guess b with probability. Proof: A u can compute discrete log of u &, say R & α R. ) = g 0 +α +α = R --- () A u needs another (linearly) independent equation on and to recover them. Can Decryption Query help? Random (,) from Z q. pk = (G,o,q, g 0,,u) Q: (h 0, h, c) A u
22 Is the Scheme CCA secure? Gen( n ) (G, o, q, g 0, ) Random (,) from Z q. pk= (G,o,q, g 0,, u), sk = (,) Random from Z q h 0 = g 0, h = c = u.m = v.m (Way 2) (h 0, h, c) Dec sk = (,) (h 0, h, c) v = h 0. h (Way 1) m = c/v Claim. Just one decryption query is enough for an unbounded powerful adversary to know, and guess b with probability. Proof: A u can compute discrete log of u &, say R & α R. ) = g 0 +α +α = R --- () A u needs another (linearly) independent equation on and to recover them. Can Decryption Query help? c/m = v = g 0 R = (h 0. h ) = g 0 +α +α = R --- (2) (linearly) Dependent: No use Random (,) from Z q. pk = (G,o,q, g 0,,u) Q: (h 0 = g 0, h =, c) m A u
23 Gen( n ) (G, o, q, g 0, ) Random (,) from Z q. pk= (G,o,q, g 0,, u), sk = (,) Is the Scheme CCA secure? Random from Z q h 0 = g 0, h = c = u.m = v.m (Way 2) (h 0, h, c) Dec sk = (,) (h 0, h, c) v = h 0. h (Way 1) m = c/v Claim. Just one decryption query is enough for an unbounded powerful adversary to know, and guess b with probability. Proof: A u can compute discrete log of u &, say R & α R. ) = g 0 +α +α = R --- () A u needs another (linearly) independent equation on and to recover them. Can Decryption Query help? c/m = v = g 0 R = (h 0. h ) = g 0 + α + α = R --- (2) (linearly) independent. Solving () & (2) gives the secret key (,) P PubK (n) A u,Π = = Random (,) from Z q. pk = (G,o,q, g 0,,u) Q: (h 0 = g 0, h =, c) m A u
24 CPA Secure Scheme Gen( n ) (G, o, q, g 0, ) Random from Z q Random (,) from Z q h 0 = g 0, h = g. g c = u.m = v.m (Way 2) pk= (G,o,q, g 0,, u), sk = (,) (h 0, h, c) Dec sk = (,) (h 0, h, c) v = h 0. h (Way 1) m = c/v Theorem. If DDH is hard, then Π is a CPA-secure scheme. Proof: Assume Π is not CPA-secure A, p(n): P PubK (n) = > ½ + /p(n) P PubK (n) = = ½ A, Π A, Π = = Illegal Decryption Query: (g P [(DDH tuple) = ] - P [(non-DDH 0, g tuple), c) = ] > /p(n) A checking mechanism in Dec so that illegal queries Let us run PubK (n) DDH or non-DDH tuple? will be REJECTED with very high A, probability Π A pk = (G,o,q, g (G,o,q,g 0,, h 0, h ) 0,,u) Random (,) from Z q. g m 0, m, m 0 = m if b = b 0 otherwise c = h 0. h. m b (h 0, h, c) b {0, }
25 Gen( n ) (G, o, q, g 0, ) Random (,,, ) from Z q u = g e = g pk= (G,o,q, g 0,,u,e), sk = (,,, ) CCA Scheme Random from Z q h 0 = g 0, h = g c = u.m = v.m ; f = e (Way 2) (h 0, h, c, f) Dec sk = (,,, ) (h 0, h, c, f) f = h (Way 1)?? v = h (Way 1) m = c/v Claim. An unbounded powerful adversary computes (,) except with neg. probability. Therefore it can guess bit b with probability no better than ½ + negl(.). Proof: A u can compute discrete log of u, e, say R, S & α R ) = g 0 +α e = g 0 S ) = g 0 +α +α = R -() +α = S -(2) What if A u can guess f so that f = h 0 h?? Do you see the disaster??????? f = g 0 S = (h 0 h ) = g 0 + α c/m = v = g 0 R = (h 0. h ) = g 0 + α Solving () & (4) gives the secret key (,) P PubK (n) A u,π = = + α = S --- (3) (linearly) independent of (2) + α = R --- (4) (linearly) independent of () Random (,,, ) from Z q e = g 0 f = h?? If yes, then send m pk = (G,o,q, g 0,,u,e) Q: (h 0 =g 0, h =, c, f) m A u
26 Security Proof of CCA Scheme Gen( n ) (G, o, q, g 0, ) Random (,,, ) from Z q Random from Z q h 0 = g 0, h = g Dec sk = (,,, ) (h 0, h, c, f) f = h (Way 1)?? v = h (Way 1) u = g e = g c = u.m = v.m ; f = e (Way 2) m = c/v pk= (G,o,q, g 0,,u,e), sk = (,,, ) (h 0, h, c, f) Claim. An unbounded powerful adversary computes (,) except with neg. probability. Therefore it can guess bit b with probability no better than ½ + negl(.). Proof: A u can compute discrete log of u &, say R & α R ) = g 0 +α +α = R --- () e = g 0 S ) = g 0 +α +α = S --- (2) What is the prob of A u guessing f so that f = h 0 h = g 0 +α Yes! It does. A u knows its chosen value in the first Q is NOT a possibility. Next time it can guess f from G minus that value in his FIRST Q Recall that h 0 h is uniformly random for A u even given (g 0,, h 0 =g 0, h =, e) P[A u succeeds in first Q] = / G --- negligible But A u can make polynomially many attempts, say t many. Does getting rejected in the first Q help in succeeding second Q? Random (,,, ) from Z q e = g 0 f = h?? If yes, then send m pk = (G,o,q, g 0,,u,e) Q: (h 0 =g 0, h =, c, f) m A u
27 Security Proof of CCA Scheme Gen( n ) (G, o, q, g 0, ) Random (,,, ) from Z q Random from Z q h 0 = g 0, h = g Dec sk = (,,, ) (h 0, h, c, f) f = h (Way 1)?? v = h (Way 1) u = g e = g c = u.m = v.m ; f = e (Way 2) m = c/v pk= (G,o,q, g 0,,u,e), sk = (,,, ) (h 0, h, c, f) Claim. An unbounded powerful adversary computes (,) except with neg. probability. Therefore it can guess bit b with probability no better than ½ + negl(.). Proof: A u can compute discrete log of u &, say R & α R ) = g 0 +α +α = R --- () e = g 0 S ) = g 0 +α +α = S --- (2) What is the prob of A u guessing f so that f = h 0 h = g 0 +α in his SECOND Q P[A u succeeds in second Q] = / ( G -) - negligible Random (,,, ) from Z q u = g e = g f = h?? If yes, then send m pk = (G,o,q, g 0,,u,e) Q: (h 0 =g 0, h =, c, f) m A u
28 Security Proof of CCA Scheme Gen( n ) (G, o, q, g 0, ) Random (,,, ) from Z q Random from Z q h 0 = g 0, h = g Dec sk = (,,, ) (h 0, h, c, f) f = h (Way 1)?? v = h (Way 1) u = g e = g c = u.m = v.m ; f = e (Way 2) m = c/v pk= (G,o,q, g 0,,u,e), sk = (,,, ) (h 0, h, c, f) Claim. An unbounded powerful adversary computes (,) except with neg. probability. Therefore it can guess bit b with probability no better than ½ + negl(.). Proof: A u can compute discrete log of u &, say R & α R ) = g 0 +α +α = R --- () e = g 0 S ) = g 0 +α +α = S --- (2) What is the prob of A u guessing f so that f = h = g +α 0 bound on the number of Qs) in his t th Q (t is the upper P[A u succeeds in t th Q] = / ( G -t) - negligible P[A u succeeds in one of t Qs] t / ( G -t) - negligible P PubK (n) A u,π = ½ + negl(.) Random (,,, ) from Z q u = g e = g f = h?? If yes, then send m pk = (G,o,q, g 0,,u,e) Q: (h 0 =g 0, h =, c, f) m A u
29 Is the Scheme CCA-secure? Gen( n ) (G, o, q, g 0, ) Random (,,, ) from Z q Random from Z q h 0 = g 0, h = g Dec sk = (,,, ) (h 0, h, c, f) f = h (Way 1)?? v = h (Way 1) u = g e = g c = u.m = v.m ; f = e (Way 2) m = c/v pk= (G,o,q, g 0,,u,e), sk = (,,, ) (h 0, h, c, f) Claim. Just one Q in post-challenge phase is enough for an unbounded powerful adversary to compute (,) completely and guess bit b with probability. Proof: A u can compute discrete log of u &, say R & α R ) = g 0 +α +α = R --- () e = g 0 S ) = g 0 +α +α = S --- (2) What is the prob of A u guessing f so that f = h = g +α 0 bound on the number of Qs) in his t th Q (t is the upper P[A u succeeds in t th Q] = / ( G -t) - negligible P[A u succeeds in one of t Qs] t / ( G -t) - negligible P PubK (n) A u,π = ½ + negl(.) Random (,,, ) from Z q u = g e = g f = h?? If yes, then send m pk = (G,o,q, g 0,,u,e) Q: (h 0 =g 0, h =, c, f) m A u
30 Is the Scheme CCA-secure? Gen( n ) (G, o, q, g 0, ) Random (,,, ) from Z q Random from Z q h 0 = g 0, h = g Dec sk = (,,, ) (h 0, h, c, f) f = h (Way 1)?? v = h (Way 1) u = g e = g c = u.m = v.m ; f = e (Way 2) m = c/v pk= (G,o,q, g 0,,u,e), sk = (,,, ) (h 0, h, c, f) Claim. Just one Q in post-challenge phase is enough for an unbounded powerful adversary to compute (,) completely and guess bit b with probability. Proof: A u can compute discrete log of u &, say R & α u = g R 0 = (g 0 ) = g +α We +α need = R --- to () ensure A P PubK (n) = = 0 u can not make illegal Q and get O service even after seeing A u,π the challenge e = g S 0 = (g ) = g +α +α = S --- (2) 0 We are now considering the case when received a non-DDH tuple (g 0,, h * 0, h* ) and so h* 0 =g 0, h * = f * = g 0 S* = (h 0 h ) = g 0 + α ciphertext. Increase the no. of variables??? + α = S* --- (3) (linearly) independent of (2) Solving (2) & (3) gives (, ) Now A u can make illegal Q in post-challenge phase and still pass the verification and get m and discover (,) Random (,,, ) from Z q e = g 0 c = h 0 h. m b f = h 0 h pk = (G,o,q, g 0,,u,e) m 0, m, m 0 = m (h * 0, h*, c*, f * ) A u
31 Gen( n ) (G, o, q, g 0, ) Random (,,,,, ) from Z q e = g 0 k = g 0 pk= (G,o,q, g 0,,u,e,k), sk = (,,,,, ) Does above help? Is the Scheme CCA-secure? Random from Z q h 0 = g 0, h = c = u.m = v.m ; f = e ; l = k (Way 2) (h 0, h, c, f, l) Dec sk = (,,,,,, ) (h 0, h,c,f,l) f = h 0 h (Way 1)?? l = h 0 h (Way 1)?? v = h 0 h (Way 1) m = c/v Proof: A u can compute discrete log of u &, say R & α R ) = g 0 +α +α = R - () e = g 0 S ) = g 0 +α +α = S - (2) Random (,,, ) from Z q e = g 0 c = h 0 h. m b f = h 0 h f * = g 0 S* = (h 0 h ) = g 0 + α + α = S* - (4) k = g 0 T ) = g 0 +α +α = T - (3) l * = g 0 T* = (h 0 h ) = g 0 + α + α = T * - (5) We are now considering the case when received a non-DDH tuple (g 0,, h * 0, h* ) and so h* 0 =g 0, h * = Now A u can make illegal Q in post-challenge phase and still pass the verification and get m and discover (,) Adding more variables in the above way does not help. pk = (G,o,q, g 0,,u,e,k) m 0, m, m 0 = m (h * 0, h*, c*, f *,l * ) A u
32 Gen( n ) (G, o, q, g 0, ) Random (,,,,, ) from Z q e = g 0 k = g 0 pk= (G,o,q, g 0,,u,e,k), sk = (,,,,, ) Does above help? Proof: Is the Scheme CCA-secure? Random from Z q h 0 = g 0, h = c = u.m = v.m ; f = e k (Way 2) (h 0, h, c, f) Dec sk = (,,,,, ), (h 0,h,c,f) f = h 0 + h +?? v = h 0 h (Way 1) m = c/v R ) = g 0 +α +α = R - () e = g 0 S ) = g 0 +α +α = S - (2) k = g 0 T ) = g 0 +α +α = T - (3) f * = g 0 S* = (h 0 + h + ) = g 0 (+ ) + α( + ) ( + ) + α( + ) = S* - (4) From (2), (3) & (4), A u can compute ( + ) and ( + ) and that's enough to make an illegal Q in post-challenge phase and still pass the verification and get m and discover (,). Adding more variables in the above way does not help. Random (,,, ) from Z q e = g 0 c = h 0 h. m b f = h 0 h pk = (G,o,q, g 0,,u,e,k) m 0, m, m 0 = m (h * 0, h*, c*, f * ) A u
33 Gen( n ) (G, o, q, g 0, ) Random (,,,,, ) from Z q e = g 0 k = g 0 pk= (G,o,q, g 0,,u,e,k, H), sk = (,,,,, ) Does above help? Proof: Is the Scheme CCA-secure? Random from Z q h 0 = g 0, h = c = u.m = v.m ; f = e k β β = H(h 0, h, c) (h 0, h, c, f) Dec sk = (,,,,, ) (h 0,h,c,f) β = H(h 0, h, c) f = h 0 + β h + β?? v = h 0 h m = c/v R ) = g 0 +α +α = R - () e = g 0 S ) = g 0 +α +α = S - (2) k = g 0 T ) = g 0 +α +α = T - (3) f * = g 0 S = (h 0 + β h + β ) = g 0 ( + β ) + α( + β ) ( + β ) + α( + β ) = S - (4) From (2), (3) & (4), A u can compute ( + β ) and ( + β ) BUT.to make an illegal Q in post-challenge phase A u must find a collision for H i.e h 0, h, c such that β = H(h 0, h, c ) because.. pk = (G,o,q, g 0,,u,e,k) A u.he is not allowed to submit Random (,,, ) from Z q the challenge ciphertext to O m u = g e = g 0, m, m 0 = m (h * 0, h*, c*, f * ) c = h. m b f = h
34 Gen( n ) (G, o, q, g 0, ) Random (,,,,, ) from Z q The Cramer-Shoup Cryptosystem e = g 0 k = g 0 pk= (G,o,q, g 0,,u,e,k, H), sk = (,,,,, ) Random from Z q h 0 = g 0, h = c = u.m = v.m ; f = e k β β = H(h 0, h, c) (h 0, h, c, f) Theorem. If DDH is hard + H is CR HF, then Π is a CCA-secure scheme. Dec sk = (,,,,, ) (h 0,h,c,f) β = H(h 0, h, c) f = h 0 + β h + β?? v = h 0 h m = c/v Case I: If (h 0, h, c) = (h * 0, h*, c* ) and f * f → will reject Case II: If (h 0, h, c) (h * 0, h*, c* ) and f * = f [i.e. H(h 0, h, c) = H(h * 0, h*, c* ) ] → A has found collision but since H is CR, this happens with negl probability pk = (G,o,q, g 0,,u,e,k) DDH or non-DDH tuple? (G,o,q,g 0,, h 0, h ) Random (,,,,, ) Compute u,e,k (h 0, h, c, f) Reject (if verification fails) m 0, m, m 0 = m A (h * 0, h*, c*, f * ) c * = h 0 h m b and f* (h 0, h, c, f) if b = b 0 otherwise Reject (if verification fails) b {0, }
35 Gen( n ) (G, o, q, g 0, ) Random (,,,,, ) from Z q The Cramer-Shoup Cryptosystem e = g 0 k = g 0 pk= (G,o,q, g 0,,u,e,k, H), sk = (,,,,, ) Random from Z q h 0 = g 0, h = c = u.m = v.m ; f = e k β β = H(h 0, h, c) (h 0, h, c, f) Theorem. If DDH is hard + H is CR HF, then Π is a CCA-secure scheme. Dec sk = (,,,,, ) (h 0,h,c,f) β = H(h 0, h, c) f = h 0 + β h + β?? v = h 0 h m = c/v Case III: H(h 0, h, c) H(h * 0, h*, c* ) ]: There is a possibility that it is a valid ciphertext. But it can happen by sheer luck. We can have four INDEPENDENT constraints on,.. : () e (2) k (3) challenge cipher (4) O => Breaking security But before making O query A had only three constraints and so finding a matching f for the O can be done with prob at most / G pk = (G,o,q, g 0,,u,e,k) DDH or non-DDH tuple? (G,o,q,g 0,, h 0, h ) if b = b 0 otherwise Random (,,,,, ) Compute u,e,k (h 0, h, c, f) Reject (if verification fails) m 0, m, m 0 = m (h * 0, h*, c*, f * ) c * = h 0 h m b and f* (h 0, h, c, f) Reject (if verification fails) b {0, } A
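The two schemes from the slides side by side in Python, as an added example that is not part of the lecture: the unchecked two-exponent scheme (slides 14 to 19) and the Cramer-Shoup scheme whose decryption verifies f against β = H(h0, h1, c) (slides 33 to 35). The exponent names x, y, x1, y1, x2, y2 and r, the helper names, SHA-256 as the hash, and the 63-bit toy group are assumptions of this example, since the transcript lost the original symbols.

```python
import hashlib
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin over fixed bases; exact for every n below 2**64."""
    if n < 2:
        return False
    for s in BASES:
        if n % s == 0:
            return n == s
    d, k = n - 1, 0
    while d % 2 == 0:
        d, k = d // 2, k + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(k - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_group(bits=62):
    """Smallest q >= 2**bits with q and p = 2q + 1 both prime (toy size only)."""
    q = 2 ** bits + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

# Constructed toy parameters: the squares mod P form the group of prime order Q.
P, Q = toy_group()
G0, G1 = 4, 9  # fixed for brevity; a real g1 must have unknown dlog to g0

def H(h0, h1, c):
    """Hash (h0, h1, c) into Z_Q; SHA-256 stands in for the CR hash."""
    digest = hashlib.sha256(f"{h0},{h1},{c}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

def rand_exp():
    return secrets.randbelow(Q - 1) + 1  # nonzero exponent in Z_Q

def commit(a, b):
    """g0^a * g1^b mod P, the shape of every public-key component."""
    return pow(G0, a, P) * pow(G1, b, P) % P

def in_group(a):
    return 0 < a < P and pow(a, Q, P) == 1

# --- Two-exponent scheme with no check in Dec (CPA-secure, malleable) ---
def gen_cpa():
    x, y = rand_exp(), rand_exp()
    return commit(x, y), (x, y)

def enc_cpa(u, m):
    r = rand_exp()
    return pow(G0, r, P), pow(G1, r, P), pow(u, r, P) * m % P

def dec_cpa(sk, ct):
    (x, y), (h0, h1, c) = sk, ct
    v = pow(h0, x, P) * pow(h1, y, P) % P
    return c * pow(v, -1, P) % P

# --- Cramer-Shoup: same core plus the hash-bound tag f ---
def gen_cs():
    sk = tuple(rand_exp() for _ in range(6))
    x, y, x1, y1, x2, y2 = sk
    return (commit(x, y), commit(x1, y1), commit(x2, y2)), sk

def enc_cs(pk, m):
    u, e, k = pk
    r = rand_exp()
    h0, h1, c = pow(G0, r, P), pow(G1, r, P), pow(u, r, P) * m % P
    beta = H(h0, h1, c)
    f = pow(e * pow(k, beta, P) % P, r, P)  # f = (e * k^beta)^r
    return h0, h1, c, f

def dec_cs(sk, ct):
    """Return the message, or None when the ciphertext fails verification."""
    x, y, x1, y1, x2, y2 = sk
    h0, h1, c, f = ct
    if not all(in_group(a) for a in ct):  # input validation added here
        return None
    beta = H(h0, h1, c)
    expect = (pow(h0, (x1 + beta * x2) % Q, P)
              * pow(h1, (y1 + beta * y2) % Q, P)) % P
    if f != expect:
        return None  # f does not match (h0, h1, c): reject
    return dec_cpa((x, y), (h0, h1, c))

def scale(ct, t):
    """Multiply the c component by t, leaving the other components as sent."""
    return ct[:2] + (ct[2] * t % P,) + ct[3:]
```

`dec_cpa` accepts a ciphertext whose c was multiplied by t and returns t·m, which is the malleability slide 19 points out; `dec_cs` returns None for the same change because the recomputed β no longer matches f.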
36 Public Key Summary
Primitives: PKE, KEM, Hybrid Encryption
Security Notions: CPA, CCA, Adaptive Attack (Non-committing Encryption), Selective Opening Attack (Deniable Encryption)
Assumptions:
>> Close Relatives of DL assumptions- CDH, DDH, HDH, ODH
>> RSA Assumption (Padded RSA, RSA OAEP)
>> Factoring assumptions (Rabin Cryptosystem)
>> Quadratic Residuosity Assumptions (Micali-Goldwasser)
>> Decisional Composite Residuosity (DCR) Assumptions (Paillier)
>> Lattice-based Assumptions LWE, LPN (Regev)
Many more assumptions
More information1 Explicit Explore or Exploit (E 3 ) Algorithm
2.997 Decision-Making in Lage-Scale Systems Mach 3 MIT, Sping 2004 Handout #2 Lectue Note 9 Explicit Exploe o Exploit (E 3 ) Algoithm Last lectue, we studied the Q-leaning algoithm: [ ] Q t+ (x t, a t
More informationLecture 16 Root Systems and Root Lattices
1.745 Intoduction to Lie Algebas Novembe 1, 010 Lectue 16 Root Systems and Root Lattices Pof. Victo Kac Scibe: Michael Cossley Recall that a oot system is a pai (V, ), whee V is a finite dimensional Euclidean
More informationB da = 0. Q E da = ε. E da = E dv
lectomagnetic Theo Pof Ruiz, UNC Asheville, doctophs on YouTube Chapte Notes The Maxwell quations in Diffeential Fom 1 The Maxwell quations in Diffeential Fom We will now tansfom the integal fom of the
More informationInternet Appendix for A Bayesian Approach to Real Options: The Case of Distinguishing Between Temporary and Permanent Shocks
Intenet Appendix fo A Bayesian Appoach to Real Options: The Case of Distinguishing Between Tempoay and Pemanent Shocks Steven R. Genadie Gaduate School of Business, Stanfod Univesity Andey Malenko Gaduate
More information15.081J/6.251J Introduction to Mathematical Programming. Lecture 6: The Simplex Method II
15081J/6251J Intoduction to Mathematical Pogamming ectue 6: The Simplex Method II 1 Outline Revised Simplex method Slide 1 The full tableau implementation Anticycling 2 Revised Simplex Initial data: A,
More informationQIP Course 10: Quantum Factorization Algorithm (Part 3)
QIP Couse 10: Quantum Factoization Algoithm (Pat 3 Ryutaoh Matsumoto Nagoya Univesity, Japan Send you comments to yutaoh.matsumoto@nagoya-u.jp Septembe 2018 @ Tokyo Tech. Matsumoto (Nagoya U. QIP Couse
More informationand the correct answer is D.
@. Assume the pobability of a boy being bon is the same as a gil. The pobability that in a family of 5 childen thee o moe childen will be gils is given by A) B) C) D) Solution: The pobability of a gil
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationCryptography. Primitives and Protocols. Aggelos Kiayias
P1 P2 P3 E E E IV C1 C2 C3 Aggelos Kiayias Cyptogaphy Pimitives and Potocols Based on notes by G. Panagiotakos, S. Pehlivanoglu, J. Todd, K. Samai, T. Zachaias and H.S. Zhou CONTENTS 1 Contents 1 Intoduction
More informationLinear Algebra Math 221
Linea Algeba Math Open Book Eam Open Notes Sept Calculatos Pemitted Sho all ok (ecept #). ( pts) Gien the sstem of equations a) ( pts) Epess this sstem as an augmented mati. b) ( pts) Bing this mati to
More informationOnline-routing on the butterfly network: probabilistic analysis
Online-outing on the buttefly netwok: obabilistic analysis Andey Gubichev 19.09.008 Contents 1 Intoduction: definitions 1 Aveage case behavio of the geedy algoithm 3.1 Bounds on congestion................................
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously Digital Signatures Algorithms: Gen() à (sk,pk) Sign(sk,m) à σ Ver(pk,m,σ) à 0/1 Correctness: Pr[Ver(pk,m,Sign(sk,m))=1:
More informationFall 2014 Randomized Algorithms Oct 8, Lecture 3
Fall 204 Randomized Algoithms Oct 8, 204 Lectue 3 Pof. Fiedich Eisenband Scibes: Floian Tamè In this lectue we will be concened with linea pogamming, in paticula Clakson s Las Vegas algoithm []. The main
More information0606 ADDITIONAL MATHEMATICS 0606/01 Paper 1, maximum raw mark 80
UNIVERSITY OF CAMBRIDGE INTERNATIONAL EXAMINATIONS Intenational Geneal Cetificate of Seconday Education MARK SCHEME fo the Octobe/Novembe 009 question pape fo the guidance of teaches 0606 ADDITIONAL MATHEMATICS
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationLecture 28: Convergence of Random Variables and Related Theorems
EE50: Pobability Foundations fo Electical Enginees July-Novembe 205 Lectue 28: Convegence of Random Vaiables and Related Theoems Lectue:. Kishna Jagannathan Scibe: Gopal, Sudhasan, Ajay, Swamy, Kolla An
More informationOn the ratio of maximum and minimum degree in maximal intersecting families
On the atio of maximum and minimum degee in maximal intesecting families Zoltán Lóánt Nagy Lale Özkahya Balázs Patkós Máté Vize Mach 6, 013 Abstact To study how balanced o unbalanced a maximal intesecting
More informationAlternative Tests for the Poisson Distribution
Chiang Mai J Sci 015; 4() : 774-78 http://epgsciencecmuacth/ejounal/ Contibuted Pape Altenative Tests fo the Poisson Distibution Manad Khamkong*[a] and Pachitjianut Siipanich [b] [a] Depatment of Statistics,
More information3.1 Random variables
3 Chapte III Random Vaiables 3 Random vaiables A sample space S may be difficult to descibe if the elements of S ae not numbes discuss how we can use a ule by which an element s of S may be associated
More informationk. s k=1 Part of the significance of the Riemann zeta-function stems from Theorem 9.2. If s > 1 then 1 p s
9 Pimes in aithmetic ogession Definition 9 The Riemann zeta-function ζs) is the function which assigns to a eal numbe s > the convegent seies k s k Pat of the significance of the Riemann zeta-function
More informationPhysics 121 Hour Exam #5 Solution
Physics 2 Hou xam # Solution This exam consists of a five poblems on five pages. Point values ae given with each poblem. They add up to 99 points; you will get fee point to make a total of. In any given
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 74 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions
More informationSmooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
More informationMarkscheme May 2017 Calculus Higher level Paper 3
M7/5/MATHL/HP3/ENG/TZ0/SE/M Makscheme May 07 Calculus Highe level Pape 3 pages M7/5/MATHL/HP3/ENG/TZ0/SE/M This makscheme is the popety of the Intenational Baccalaueate and must not be epoduced o distibuted
More informationDo Managers Do Good With Other People s Money? Online Appendix
Do Manages Do Good With Othe People s Money? Online Appendix Ing-Haw Cheng Haison Hong Kelly Shue Abstact This is the Online Appendix fo Cheng, Hong and Shue 2013) containing details of the model. Datmouth
More informationAuchmuty High School Mathematics Department Advanced Higher Notes Teacher Version
The Binomial Theoem Factoials Auchmuty High School Mathematics Depatment The calculations,, 6 etc. often appea in mathematics. They ae called factoials and have been given the notation n!. e.g. 6! 6!!!!!
More informationQuasi-Randomness and the Distribution of Copies of a Fixed Graph
Quasi-Randomness and the Distibution of Copies of a Fixed Gaph Asaf Shapia Abstact We show that if a gaph G has the popety that all subsets of vetices of size n/4 contain the coect numbe of tiangles one
More information14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption. Victor Shoup New York University
14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption Victor Shoup New York University A Historical Perspective The wild years (mid 70 s-mid 80 s): Diffie-Hellman, RSA, ElGamal The
More informationE E E. Aggelos Kiayias. Cryptography. Primitives and Protocols. Based on notes by S. Pehlivanoglu, J. Todd, K. Samari, T. Zacharias and H.S.
P1 P2 P3 E E E IV C1 C2 C3 Aggelos Kiayias Cyptogaphy Pimitives and Potocols Based on notes by S. Pehlivanoglu, J. Todd, K. Samai, T. Zachaias and H.S. Zhou CONTENTS 1 Contents 1 Intoduction 4 1.1 Flipping
More informationPractice Exam Winter 2018, CS 485/585 Crypto March 14, 2018
Practice Exam Name: Winter 2018, CS 485/585 Crypto March 14, 2018 Portland State University Prof. Fang Song Instructions This exam contains 8 pages (including this cover page) and 5 questions. Total of
More informationA Simple Model of Communication APIs Application to Dynamic Partial-order Reduction
Simple Model of Communication PIs pplication to Dynamic Patial-ode Reduction Cistian Rosa Stephan Mez Matin Quinson VOCS 2010 22/09/2010 1 / 18 Motivation Distibuted lgoithms ae had to get ight: lack of
More informationOn the ratio of maximum and minimum degree in maximal intersecting families
On the atio of maximum and minimum degee in maximal intesecting families Zoltán Lóánt Nagy Lale Özkahya Balázs Patkós Máté Vize Septembe 5, 011 Abstact To study how balanced o unbalanced a maximal intesecting
More informationUnobserved Correlation in Ascending Auctions: Example And Extensions
Unobseved Coelation in Ascending Auctions: Example And Extensions Daniel Quint Univesity of Wisconsin Novembe 2009 Intoduction In pivate-value ascending auctions, the winning bidde s willingness to pay
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationLinear Program for Partially Observable Markov Decision Processes. MS&E 339B June 9th, 2004 Erick Delage
Linea Pogam fo Patiall Obsevable Makov Decision Pocesses MS&E 339B June 9th 2004 Eick Delage Intoduction Patiall Obsevable Makov Decision Pocesses Etension of the Makov Decision Pocess to a wold with uncetaint
More informationThe Iterated Random Function Problem,
The Iteated Random Function Poblem, Ritam Bhaumik 1, ilanjan Datta 2, Avijit Dutta 1, icky Mouha 3,4, and Midul andi 1 1 Indian Statistical Institute, Kolkata, India. 2 Indian Institute of Technology,
More informationAustralian Intermediate Mathematics Olympiad 2017
Austalian Intemediate Mathematics Olympiad 207 Questions. The numbe x is when witten in base b, but it is 22 when witten in base b 2. What is x in base 0? [2 maks] 2. A tiangle ABC is divided into fou
More informationON INDEPENDENT SETS IN PURELY ATOMIC PROBABILITY SPACES WITH GEOMETRIC DISTRIBUTION. 1. Introduction. 1 r r. r k for every set E A, E \ {0},
ON INDEPENDENT SETS IN PURELY ATOMIC PROBABILITY SPACES WITH GEOMETRIC DISTRIBUTION E. J. IONASCU and A. A. STANCU Abstact. We ae inteested in constucting concete independent events in puely atomic pobability
More informationHypothesis Test and Confidence Interval for the Negative Binomial Distribution via Coincidence: A Case for Rare Events
Intenational Jounal of Contempoay Mathematical Sciences Vol. 12, 2017, no. 5, 243-253 HIKARI Ltd, www.m-hikai.com https://doi.og/10.12988/ijcms.2017.7728 Hypothesis Test and Confidence Inteval fo the Negative
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More informationof the contestants play as Falco, and 1 6
JHMT 05 Algeba Test Solutions 4 Febuay 05. In a Supe Smash Bothes tounament, of the contestants play as Fox, 3 of the contestants play as Falco, and 6 of the contestants play as Peach. Given that thee
More informationNOTE. Some New Bounds for Cover-Free Families
Jounal of Combinatoial Theoy, Seies A 90, 224234 (2000) doi:10.1006jcta.1999.3036, available online at http:.idealibay.com on NOTE Some Ne Bounds fo Cove-Fee Families D. R. Stinson 1 and R. Wei Depatment
More informationC/CS/Phys C191 Shor s order (period) finding algorithm and factoring 11/12/14 Fall 2014 Lecture 22
C/CS/Phys C9 Sho s ode (peiod) finding algoithm and factoing /2/4 Fall 204 Lectue 22 With a fast algoithm fo the uantum Fouie Tansfom in hand, it is clea that many useful applications should be possible.
More informationA New Variant of the Cramer-Shoup KEM Secure against Chosen Ciphertext Attack
A New Variant of the Cramer-Shoup KEM Secure against Chosen Ciphertext Attack Joonsang Baek 1 Willy Susilo 2 Joseph K. Liu 1 Jianying Zhou 1 1 Institute for Infocomm Research, Singapore 2 University of
More informationQuantum Fourier Transform
Chapte 5 Quantum Fouie Tansfom Many poblems in physics and mathematics ae solved by tansfoming a poblem into some othe poblem with a known solution. Some notable examples ae Laplace tansfom, Legende tansfom,
More informationPushdown Automata (PDAs)
CHAPTER 2 Context-Fee Languages Contents Context-Fee Gammas definitions, examples, designing, ambiguity, Chomsky nomal fom Pushdown Automata definitions, examples, euivalence with context-fee gammas Non-Context-Fee
More informationIntegral Control via Bias Estimation
1 Integal Contol via Bias stimation Consie the sstem ẋ = A + B +, R n, R p, R m = C +, R q whee is an nknown constant vecto. It is possible to view as a step istbance: (t) = 0 1(t). (If in fact (t) vaies
More informationNotes on McCall s Model of Job Search. Timothy J. Kehoe March if job offer has been accepted. b if searching
Notes on McCall s Model of Job Seach Timothy J Kehoe Mach Fv ( ) pob( v), [, ] Choice: accept age offe o eceive b and seach again next peiod An unemployed oke solves hee max E t t y t y t if job offe has
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationSolution to Problem First, the firm minimizes the cost of the inputs: min wl + rk + sf
Econ 0A Poblem Set 4 Solutions ue in class on Tu 4 Novembe. No late Poblem Sets accepted, so! This Poblem set tests the knoledge that ou accumulated mainl in lectues 5 to 9. Some of the mateial ill onl
More informationRigid Body Dynamics 2. CSE169: Computer Animation Instructor: Steve Rotenberg UCSD, Winter 2018
Rigid Body Dynamics 2 CSE169: Compute Animation nstucto: Steve Rotenbeg UCSD, Winte 2018 Coss Poduct & Hat Opeato Deivative of a Rotating Vecto Let s say that vecto is otating aound the oigin, maintaining
More informationPractice Integration Math 120 Calculus I Fall 2015
Pactice Integation Math 0 Calculus I Fall 05 Hee s a list of pactice eecises. Thee s a hint fo each one as well as an answe with intemediate steps... ( + d. Hint. Answe. ( 8 t + t + This fist set of indefinite
More information3.6 Applied Optimization
.6 Applied Optimization Section.6 Notes Page In this section we will be looking at wod poblems whee it asks us to maimize o minimize something. Fo all the poblems in this section you will be taking the
More informationAdvanced Cryptography 1st Semester Public Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability
More informationPractice Integration Math 120 Calculus I D Joyce, Fall 2013
Pactice Integation Math 0 Calculus I D Joyce, Fall 0 This fist set of indefinite integals, that is, antideivatives, only depends on a few pinciples of integation, the fist being that integation is invese
More information