Over-encryption: Management of Access Control Evolution on Outsourced Data

Size: px
Start display at page:

Download "Over-encryption: Management of Access Control Evolution on Outsourced Data"

Transcription

1 Ove-encyption: Management of Access Contol Evolution on Outsouced Data Sabina De Capitani di Vimecati DTI - Univesità di Milano Cema - Italy Stefano Paaboschi DIIMM - Univesità di Begamo Dalmine - Italy Saa Foesti DTI - Univesità di Milano Cema - Italy Pieangela Samaati DTI - Univesità di Milano Cema - Italy Sushil Jajodia CSIS - Geoge Mason Univesity Faifax, VA ABSTRACT Data outsoucing is emeging today as a successful paadigm allowing uses and oganizations to exploit extenal sevices fo the distibution of esouces. A cucial poblem to be addessed in this context concens the enfocement of selective authoization policies and the suppot of policy updates in dynamic scenaios. In this pape, we pesent a novel solution to the enfocement of access contol and the management of its evolution. Ou poposal is based on the application of selective encyption as a means to enfoce authoizations. Two layes of encyption ae imposed on data: the inne laye is imposed by the owne fo poviding initial potection, the oute laye is imposed by the seve to eflect policy modifications. The combination of the two layes povides an efficient and obust solution. The pape pesents a model, an algoithm fo the management of the two layes, and an analysis to identify and theefoe counteact possible infomation exposue isks. 1. INTRODUCTION Contay to the vision of a few yeas ago, whee many pedicted that Intenet uses would have in a shot time exploited the availability of pevasive high-bandwidth netwok connections to activate thei own seves, uses ae today, with inceasing fequency, esoting to sevice povides fo disseminating and shaing esouces they want to make available to othes. The continuous gowth of the amount of digital infomation to be stoed and widely distibuted, togethe with the always inceasing stoage, suppot the view that sevice povides will be moe and moe equested to be esponsible fo the stoage and the efficient and eliable distibution of Pemission to copy without fee all o pat of this mateial is ganted povided that the copies ae not made o distibuted fo diect commecial advantage, the VLDB copyight notice and the title of the publication and its date appea, and notice is given that copying is by pemission of the Vey Lage Data Base Endowment. To copy othewise, o to epublish, to post on seves o to edistibute to lists, equies a fee and/o special pemission fom the publishe, ACM. VLDB 07, Septembe 23-28, 2007, Vienna, Austia. Copyight 2007 VLDB Endowment, ACM /07/09. content poduced by othes, ealizing a data outsoucing achitectue on a wide scale. This impotant tend is paticulaly clea when we look at the success of sevices like YouTube, Flick, Blogge, MySpace, and many othes in the social netwoking envionment. When stoage and distibution do not involve publicly eleasable esouces, selective access techniques must be enfoced. In this context, it is legitimate fo the data owne to demand the data not to be disclosed to the sevice povide itself, which, while tustwothy to popely cay out the esouce distibution functions, should not be allowed access to the esouce content. The poblem of outsoucing esouce management to a honest but cuious sevice has ecently eceived consideable attention by the eseach community and seveal advancements have been poposed. The diffeent poposals equie the owne to encypt the data befoe outsoucing them to the sevice. Most poposals assume that the data ae encypted with a single key only [7, 10, 11]. In such a context, eithe authoized uses ae assumed to have the complete view on the data o, if diffeent views need to be povided to diffeent uses, the data owne needs to paticipate in the quey execution to possibly filte the esult of the sevice povide. Othe poposals [13, 18], developed fo the potection of XML documents, avoid this poblem by applying selective encyption, whee diffeent keys ae used to encypt diffeent potions of the XML tee. In the outsoucing scenaio, all these poposals, in case of updates of the authoization policy, would equie to e-encypt the esouces and esend them to the sevice. If the owne does not have the esouces stoed locally, a futhe peliminay step is needed to e-acquie them fom the sevice and decypt them. In this pape, we popose a solution that emoves these issues, facilitating the successful development of outsoucing data in emeging scenaios. In paticula, we look at the poblem of defining and assigning keys to uses, by exploiting hieachical key assignment schemes [3, 4, 8, 15], and of efficiently suppoting policy changes. Indeed, in scenaios involving potentially huge sets of esouces of consideable size, e-encyption and e-tansmission by the owne may not be acceptable. The advantage compaed with a solution equiing to e-send a novel encypted vesion of the esouce 123

2 is typically huge and abitaily lage (if the esouce has a size of 1 GByte and the equest to the seve equies a 100- byte packet, in tems of netwok taffic, compaed to the tansmission of the e-encypted esouce, the impovement is in the ode of 10 7 ). The contibution of this pape is theefold. Fist (Section 2), we popose a fomal base model fo the coect application of selective encyption. The model allows the definition of an encyption policy equivalent to the authoization policy to be enfoced on the esouces. We note that, while it is in pinciple advisable to leave authoizationbased access contol and cyptogaphic potection sepaate, in the outsoucing scenaio such a combination can pove successful: selective encyption allows selective access to be enfoced by the sevice povide itself without the owne intevention. Second (Section 3 and Section 4), building on the base model we popose the use of a two-laye appoach to enfoce selective encyption without equesting the owne to e-encypt the esouces evey time thee is a change in the authoization policy. The fist laye of encyption is applied by the data owne at initialization time (when eleasing the esouce fo outsoucing), the second laye of encyption is applied by the sevice itself to take cae of dynamic policy changes. Intuitively, the two-laye encyption allows the owne to outsouce, besides the esouce stoage and dissemination, the authoization policy management, while not eleasing data to the povide. Thid (Section 5), we povide a chaacteization of the diffeent views of the esouces by diffeent uses and chaacteize potential isks of infomation exposues due to dynamic policy changes. The investigation allows us to conclude that, while an exposue isk may exist, it is well defined and identifiable. This allows the owne to addess the poblem and minimize it at design time. Also, the fact that exposue aises only in specific situations and ove well identified esouces, allows the owne to completely eliminate it by esoting to e-encyption when necessay. An impotant stength of ou solution is that it does not substitute the cuent poposals, athe it complements them, enabling them to suppot encyption in a selective fom and easily enfoce dynamic policy changes. 2. BASE MODEL Consistently with the typical outsoucing scenaio, we distinguish thee oles: the data owne, who ceates the esouce; the seve, who eceives by the data owne a esouce in an encypted fomat and makes it available on the netwok; and the use, who exploits the knowledge of a small shaed secet (a key) and possibly additional public infomation (typically available on the seve) to access the esouce plaintext. 2.1 Keys and tokens We assume the existence of a set of symmetic encyption keys K in the system. Also, we exploit the existence of the key deivation method poposed by Atallah s et al. [4] based on the definition and computation of public tokens that allow the deivation of keys fom othe keys. Given two keys k i and k j, a token t i,j is defined as t i,j = k j h(k i, l j), whee l j is a publicly available label associated with k j, is the bita-bit xo opeato and h is a deteministic cyptogaphic function (in [4] it was poposed the use of a secue hash v 1 v 2 v 3 v 4 v 5 v 6 v 7 (a) v 8 souce dest value v 1.k v 6.k v 6.k h(v 1.k, l 6) v 2.k v 6.k v 6.k h(v 2.k, l 6) v 3.k v 6.k v 6.k h(v 3.k, l 6) v 3.k v 7.k v 7.k h(v 3.k, l 7) v 4.k v 7.k v 7.k h(v 4.k, l 7) v 5.k v 8.k v 8.k h(v 5.k, l 8) v 6.k v 8.k v 8.k h(v 6.k, l 8) (b) Figue 1: An example of key deivation A B C D E Figue 2: An example of access matix u φ(u) A v 1.k B v 2.k C v 3.k D v 4.k E v 5.k (a) φ() 1, 2 v 3.k 3, 4 v 7.k 5, 6, 7 v 6.k 8 v 8.k (b) Figue 3: An example of key assignment function). Since keys need to emain secet, while tokens ae public, the use of tokens geatly simplifies key management. Key deivation via tokens can be applied in chains: a chain of tokens is a sequence t i,l,..., t n,j of tokens such that t c,d follows t a,b in the chain only if b = c. This is fomally captued by the following definition, associating with each key the set of keys eachable by it via chains of tokens. Definition 1. (Key deivation function). Let K be the set of symmetic encyption keys in the system, and T the set of tokens in the public catalog. The diect key deivation function τ : K 2 K is defined as τ(k i)={k j K t i,j T }. The key deivation function τ : K 2 K is a function such that τ (k i) is the set of keys deivable fom k i by chains of tokens, including the key itself (chain of length 0). We can gaphically epesent keys and tokens though a gaph, having a vetex v i associated with each key in the system, denoted v i.k, and an edge connecting two vetices (v i, v j) if token t i,j belongs to the public token catalog T. Chains of tokens then coespond to paths in the gaph. In othe wods, the key deivation function associates with each τ (k) the keys of vetices eachable fom the vetex associated with k in the gaph. Fo instance, Figue 1(a) epesents an example of gaph coesponding to a set of 8 keys, along with its public token catalog composed of 7 items (see Figue 1(b)). As an example, τ(v 3.k)={v 6.k,v 7.k} and τ (v 3.k)={v 3.k,v 6.k,v 7.k,v 8.k}. 2.2 Access contol and encyption policies Consistently with the data distibution and dissemination scenaio, we assume access by uses to the outsouced data to be ead-only. The data owne theefoe defines a discetionay access contol policy to egulate ead opeations on the outsouced esouces. Authoizations ae of the fom use,esouce. 1 1 Fo the sake of simplicity, hee we do not deal with the fact 124

3 Let U be the set of uses of the system and R the set of outsouced esouces. Authoizations can be modeled via a taditional access matix A, with a ow fo each use u U, a column fo each esouce R. Each enty A[u,] is set to 1 if u can access ; 0 othewise. Figue 2 illustates an example of access matix with five uses (A, B, C, D, E) and eight esouces ( 1, 2,..., 8). Given an access matix A ove sets U and R, acl() denotes the access contol list of (i.e., the set of uses that can access ), while cap(u) denotes the capability list of u (i.e., the set of esouces that u can access). Fo instance, with efeence to the matix in Figue 2, acl( 1)={C} and cap(b)={ 5, 6, 7, 8}. Ou initial goal is to epesent the authoizations by means of pope encyption and key distibutions. To avoid uses having to stoe and manage a huge numbe of (secet) keys, we exploit the key deivation method via tokens. Exploiting tokens, the elease to each use of a set of keys K = {k 1,..., k n} can be equivalently obtained by the elease to each use of a single key k i K and the publication of a set of tokens allowing to deive (diectly o indiectly) all keys k j K, j i. A majo advantage of using tokens is that they ae public (typically they will be stoed togethe with esouces) and allow each use to deive multiple encyption keys, while having to secuely manage a single one. In the following, we use K and T to denote the set of keys and tokens defined in the system, espectively. We assume that each use is associated with a single key, communicated to he by the owne on a secue channel at the time the use joins the system. Also, each esouce can be encypted by using a single key. Definition 2. (Key assignment). A key assignment is a function φ : U R K, which associates with each use u U the (single) key eleased to he and with each esouce R the (single) key with which the esouce is encypted. It is easy to see that, by Definition 1, each use u can etieve (via he own key φ(u) and the set of public tokens T ) all the keys deivable fom φ(u), that is, all the keys in τ (φ(u)). In the following, we use φ (u) as a shot hand fo τ (φ(u)). Figue 3 epesents an example of key assignment, with efeence to the key gaph in Figue 1(a). Composing the gaph in Figue 1(a) with the function defined in Figue 3(a), we obtain the set of keys each use knows. As an example, φ (B)=τ (v 2.k)={v 2.k,v 6.k,v 8.k}. A key deivation defined by tokens and the coesponding key assignment ealize an encyption policy. This is captued by the following definition. Definition 3. (Encyption policy). Let E=(τ, φ) be an encyption policy composed of a key deivation function τ and a key assignment function φ. An encyption policy E is said to coectly model a set of authoizations A if and only if uses ae able to decypt all and only the esouces fo which they have the authoization. This is fomally captued by the following definition. Definition 4. (Coectness). Let E=(τ, φ) be an encyption policy, and A an access contol policy. E is said to that authoizations can be specified fo pedefined goups of uses and goups of esouces. Ou appoach will suppot dynamic gouping, theefoe subsuming any statically defined goup. coectly enfoce A, denoted E A, iff both the following conditions hold: Soundness. u U, R : φ() φ (u) = A[u,] = 1 Completeness. u U, R : A[u,] = 1 = φ() φ (u) As an example, the encyption policy illustated in Figues 1 and 3 coectly enfoces the policy epesented by the access matix in Figue 2. A staightfowad appoach fo defining a coect E can exploit the hieachy among sets of uses, which is induced by the patial odeing of sets of uses, based on the set containment elationship ( ) [9]. This stategy woks as follows: define a key fo each access contol list as well as fo each singleton set of uses (when not aleady included in the acls); define tokens between keys coesponding to sets of uses in hieachical elationships; 2 assign to each use u the key coesponding to its singleton goup {u}; encypt each esouce with the key associated with acl(). As an example, conside policy A in Figue 2. Since thee is a set of 4 diffeent acls (i.e., {C}, {C, D}, {A, B, C}, {A, B, C, E}), which includes a singleton acl, and 5 uses, we need to define 8 diffeent keys. In paticula, keys k 1,...k 5 ae associated, in the ode, with uses A,...,E, k 6 is associated with {A, B, C}, k 7 with {C, D}, and k 8 with {A, B, C, E}. We then define a token between each pai of keys (k i, k j), i, j = 1..., 8 and i j, such that the set of uses coesponding to k i is included in the set of uses coesponding to k j. Figue 1(a) illustates a gaphical epesentation of these keys and tokens, whee vetex v i coesponds to key k i. Resouces 1,..., 8 ae then encypted as shown in Figue 3(b). 3. TWO LAYER MODEL The model descibed in Section 2 assumes keys and tokens ae computed, on the basis of the existing authoization policy, pio to sending the encypted esouces to the seve. While we can note that, in geneal, the authoizations specified at initialization time may not change fequently, many situations equie dynamic changes of authoizations, fo example, fo ganting pivileges to new uses. Evey time an authoization on a esouce is ganted o evoked, acl() changes accodingly. In tems of the encyption policy this implies the need to change the key used to encypt the esouce (i.e., φ()) to make it accessible (i.e., intelligible) only to uses in the new acl. This opeation equies then decypting the esouce (with the key with which it is cuently encypted) to etieve the oiginal plaintext (the owne may possibly stoe esouces only on the extenal povide without keeping a local copy), and then e-encypt it with the new key. Imposing such an ovehead (in tems 2 As usual, only diect elationships ae consideed [12]. 125

4 of both tansmission and computation) fo managing authoization changes does not fit ou woking assumption, whee the owne outsouces its data since it does not have the necessay esouces and tansmission channels to manage them. We put fowad the idea of outsoucing to the seve, besides the esouce stoage, the authoization management as well. Note that this delegation is possible since the seve is consideed tustwothy to popely cay out the sevice. Recall, howeve, that the seve is not tusted with confidentiality (honest but cuious). Fo this eason, ou solution has been thought of with the goal of minimizing the case of the seve colluding with the uses to beach data confidentiality (see Section 5). The way to make this possible is via a solution that enfoces policy changes on encypted esouces themselves (without the need of decypting them), and can then be pefomed by the seve. 3.1 Two-laye encyption To delegate policy changes enfocement to the seve, avoiding e-encyption fo the data owne, we adopt a two laye encyption appoach. The owne encypts the esouces and sends them to the seve in encypted fom; the seve can impose anothe laye of encyption (following diections by the data owne). We then distinguish two layes of encyption. Base Encyption Laye (), pefomed by the data owne befoe tansmitting data to the seve. It enfoces encyption on the esouces accoding to the policy existing at initialization time. Suface Encyption Laye (), pefomed by the seve ove the esouces aleady encypted by the data owne. It enfoces the dynamic changes ove the policy. Both layes enfoce encyption by means of a set of symmetic keys and a set of public tokens between these keys, as illustated in Section 2, although some adaptations ae necessay as explained espectively in Sections and In tems of efficiency, the use of a double laye of encyption does not appea as a significant computational buden; expeience shows that cuent systems have no significant delay when managing encyption on data coming fom eithe the netwok o local disks, this is also testified by the widespead use of encyption on netwok taffic and fo potecting the stoage of data on local file systems [16] Base Encyption Laye Compaed with the model pesented in Section 2, in the level we distinguish two kinds of keys: deivation keys and access keys. Access keys ae the ones actually used to encypt esouces, while deivation keys ae used to povide the deivation capability via tokens, i.e., tokens can be defined only with the deivation key as stating point. Each deivation key k is always associated with an access key k a obtained by applying a secue hash function to k, that is, k a = h(k). In othe wods, keys at the level always go in pais k, k a. The ationale fo this evolution is to distinguish the two oles associated with keys, namely: enabling key deivation (applying the coesponding tokens) and enabling esouce access. The eason fo which such a distinction is needed will be clea in Section 4. A key deivation function τ b : K 2 K associates with each deivation key the set of keys deivable fom it - eithe diectly o indiectly - via the public token catalog and/o the application of the hashing function. Again, the key deivation elationship is epesented by means of a gaph, which now has a vetex b fo each pai of keys k, k a and an edge connecting vetices (b i, b j) if thee is a token in the public catalog allowing the deivation of eithe b j.k o b j.k a fom b i.k. To gaphically distinguish tokens leading to deivation keys fom tokens leading to access keys we use dashed lines fo the latte. Given a key k i, τ b (k i) etuns all keys eachable fom vetex b with b.k=k i by following paths of tokens and hashing. Note that dashed edges can only appea as the last step of the path (and they allow the deivation of the access key only). A key assignment is a function φ b : U R K that associates with each use u U the (single) deivation key eleased to the use by the data owne and with each esouce R the (single) access key with which the esouce is encypted by the data owne. Figue 4 illustates an example of coesponding to the example intoduced in Section Suface Encyption Laye As in the base model of Section 2, at the level thee is no distinction between deivation and access keys (intuitively a single key caies out both functions). Again, we define a key deivation function τ s : K 2 K that can be epesented by means of a gaph having a vetex fo each key k defined at and an edge connecting vetices (s i, s j) if thee is a token in the public catalog allowing the deivation of s j.k fom s i.k. A key assignment is a function φ s : U R K {null} that associates with each use u U the (single) key eleased to the use by the seve and with each esouce R the (single) key with which the esouce is encypted by the seve (if any) and combination In the two-laye appoach, each esouce can then be encypted twice: at the level fist, and at the level then. Uses can access esouces only via the level. Each use u eceives two keys: one to access the and the othe to access the. 3 Uses will be able to access esouces fo which they know both the keys ( and ) used fo encyption. The consideation of the two levels equies to estate the coectness popety of the encyption policy, which is now defined as follows. Definition 5. (Coectness). Let E b =(τ b, φ b ) be an encyption policy at the level, E s=(τ s, φ s) be an encyption policy at the level, and A an access contol policy. The pai E b,e s is said to coectly enfoce A, denoted E b,e s A, iff both the following conditions hold: Soundness. u U, R : φ b () φ b(u) φ s() φ s (u) = A[u,] = 1 Completeness. u U, R : A[u,] = 1 = φ b () φ b(u) φ s() φ s (u) 3 To simplify key management, the use key φ s(u) fo can be obtained by the application of a secue hash function fom the use key φ b (u) fo. In this case, the data owne needs to send in the initialization phase to the seve the list of keys of each use. 126

5 Delta Full u φ b (u) φ b () A b 1.k 1, 2 b 3.k a B b 2.k 3, 4 b 7.k a C b 3.k 5, 6, 7 b 6.k a D b 4.k 8 b 8.k a E b 5.k b 1 b 2 b 3 b 4 b 5 b 6 b 7 b 8 u φ s(u) A s 1.k B s 2.k C s 3.k D s 4.k E s 5.k s 1 s 2 1,..., 8 s 3 s 4 φ s() null s 5 u φ s(u) φ s() A s 1.k 1, 2 s 3.k B s 2.k 3, 4 s 7.k C s 3.k 5, 6, 7 s 6.k D s 4.k 8 s 8.k E s 5.k s 1 s 2 s 3 s 4 s 5 s 6 s 7 Figue 4: An example of and combination with the Delta and the Full appoaches s 8 In pinciple, any encyption policy at and can be specified as long as thei combination is coect with espect to the authoizations. Let A be the authoization policy at the initialization time and let (τ b, φ b ) be the encyption policy at the level coectly enfocing it (i.e., (τ b, φ b ) A). We envision two basic appoaches that can be followed in the constuction of the two levels. Full. The policy is initialized to eflect exactly (i.e., to epeat) the policy: fo each deivation key in a coesponding key is defined in ; fo each token in, a coesponding token is defined in. Note that the key deivation function τ s coesponds to a gaph which is isomophic to the one existing at the level. Each use is assigned the unique key φ s(u) coesponding to he φ b (u). Each esouce is encypted with the unique key φ s() coesponding to the unique deivation key associated with access key φ b (). The policy models exactly the policy, and hence by definition is coect with espect to the access contol policy (i.e., (τ s, φ s) A). Delta. The policy is initialized to not cay out any ove-encyption. Each use u is assigned a unique key φ s(u). No encyption is pefomed on esouces, that is, R : φ s() = null. The level itself does not povide any additional potection at stat time, but it does not modify the accesses allowed by. We note that a thid appoach could be possible, whee the authoization enfocement is completely delegated at the level and the simply applies a unifom oveencyption (i.e., with the same key eleased to all uses) to potect the plaintext content fom the seve s eyes. We do not conside this appoach as it pesents a significant exposue to collusion (Section 5). It is easy to see that all the appoaches descibed poduce a coect two laye encyption. In othe wods, given a coect encyption policy at the level, the appoaches poduce a level such that the pai E b,e s coectly enfoces the authoizations. The eason fo consideing both the Full and Delta appoaches is the diffeent pefomance and potection guaantees that they enjoy. In paticula, Full always equies double encyption to be enfoced (even when authoizations emain unvaied), thus doubling the decyption load of uses fo each access. By contast, the Delta appoach equies double encyption only when actually needed to enfoce a change in the authoizations. Howeve, as we will see in Section 5, the Delta is chaacteized by geate infomation exposue, which instead does not affect the Full appoach. The choice between one o the othe can then be a tade-off between costs and esilience to attacks. We close this section with a emak on the implementation. In the illustation of ou appoach we always assume ove-encyption to be managed with a diect and complete encyption and decyption of the esouce, as needed. We note howeve that the seve can, at the level, apply a lazy encyption appoach, simila to the copy-on-wite (COW) stategy used by most opeating systems, and actually ove-encypt the esouce when it is fist accessed (and then stoing the computed encypted epesentation); the seve may choose also to always stoe the epesentation and then dynamically apply the encyption diven by the when uses access the esouce. 4. POLICY UPDATES Policy update opeations can be of thee kinds: 1) inseting/deleting a use; 2) inseting/deleting a esouce; and 3) ganting/evoking an authoization. We note that insetion/deletion of uses and esouces do not have any impact on the policy (and consequently on the keys) as long as these uses and esouces ae not involved in authoizations. Without loss of geneality, we estict ouselves to the consideation of ganting and evoking of authoizations (with the note that deleting a use/esouce implies evoking all the authoizations in which the use/esouce is involved). Also, fo the sake of simplicity, we assume gant and evoke opeations to be efeed to a single use u and a single esouce. Thei extension to sets of uses and esouces is immediate. Policy updates ae demanded and egulated by the owne (i.e., at the level). The two-laye appoach enables the enfocement of policy updates without the need fo the owne to e-encypt, and to esend them to the seve. By contast, the owne just adds (if necessay) some tokens at the level and delegates policy changes to the level by possibly equesting the seve to ove-encypt the esouces. The level (enacted by the seve) eceives 127

6 ove-encyption equests by the level (unde the contol of the data owne) and opeates accodingly, adjusting tokens and possibly encypting (and/o decypting) esouces. Befoe analyzing gant and evoke opeations let us then see the woking of ove-encyption at the level. 4.1 Ove-encypt The level egulates the update pocess though oveencyption of esouces. It eceives fom the equests of the fom ove-encypt(r, U) coesponding to the demand to the to make the set of esouces R accessible only to uses in U. Note hee that the semantics is diffeent in the two diffeent encyption modes. In the Full appoach, ove-encyption must eflect the actual access contol policy existing at any given time. In othe wods, it must eflect, besides the - dynamic - policy changes not eflected in the, also the policy itself. In the Delta appoach, ove-encyption is demanded only when additional estictions (with espect to those enfoced by the ) need to be enfoced. As a paticula case, hee, the set of uses U may be all when - while pocessing a gant opeation - the detemines that its potection is sufficient and theefoe equests the not to enfoce any estiction and to possibly emove an ove-encyption peviously imposed. Fo the sake of simplicity, in the algoithm we make use of a function Anc uses that, given the key s.k of a vetex, etuns the set of uses that can deive it (i.e., can each the vetex via a path of tokens). Anc uses(s.k) is theefoe a shot-hand defined as Anc uses(s.k)={u U s.k φ s (u)}, which can be dynamically computed o explicitly maintained fo each vetex. Let us then see how the algoithm woks. Algoithm oveencypt takes a set of esouces R and a set of uses U as input. Fist, it checks whethe thee exists a vetex s whose key s.k is used to encypt esouces in R and the set of uses that can deive s.k is equal to U (step 2). If such a vetex exists, intuitively, this means that esouces in R ae ove-encypted with a key that eflects the cuent acl of esouces in R. Note that since all esouces in R shae the same key, it is sufficient to check the above condition on any of the esouces in R. If this condition is evaluated to tue, the algoithm teminates. Othewise, if the esouces in R ae cuently ove-encypted (step 2.1), they ae fist decypted. 4 Then, if the set of uses that should be allowed access to the esouces in R by the is not all (step 2.2), ove-encyption is necessay. (No opeation is executed othewise, as U=all is the paticula case of Delta appoach discussed above.) The algoithm poceeds by checking the existence of a vetex s such that the set of uses that can each key s.k (i.e., belonging to Anc uses(s.k)) coesponds to U. If such a vetex exists, then the key that will be used fo ove-encyption is set to s.k. Othewise, a new key key is geneated and a coesponding new vetex s new is ceated, setting then s new.k=key. Vetex s new is then inseted in the gaph and tokens defined accodingly so to make s new.k deivable by all uses in U (in tems of the gaph s new must be eachable by all the keys associated with uses in U). To this pupose, the algoithm checks existing 4 If φ s() is no moe used to potect othe esouces in the system, the coesponding vetex can be emoved. In this case, all paents of vetex φ s() ae diectly connected to its childen and the token catalog is changed accodingly [4]. Fo simplicity, we omit this opeation. vetices in deceasing ode of cadinality of Anc uses. Fo each s i consideed, if the set of uses that can each key s i.k (i.e., Anc uses(s i.k)) is contained in U, a new token fom s i.k to s new.k is geneated and added. Set U is then updated by emoving the set of uses Anc uses(s i.k) that can now each key s new.k thanks to the new token. This token geneation pocess continues until U is empty, i.e., until all uses have been connected to the key. Finally, all esouces in R ae encypted with the designated key and the key assignment φ s updated accodingly. 4.2 Gant and evoke Conside fist a gant equest gant(,u) to gant use u access to esouce. The level stats and egulates the update pocess as follows. Fist, acl() is updated to include u, that is, A[u, ] = 1 (step 1). Then, the algoithm etieves the vetex b i whose access key b i.k a is the key with which is encypted (step 2). If the esouce s access key cannot be deived by u, then a new token fom use s key φ b (u) to b i.k a is geneated and added (step 3). The new token is needed to make b i.k a deivable by u (i.e., belonging to φ b(u)). Note that the sepaation between deivation and access keys fo each vetex allows us to add a token only giving u access to the key used to encypt esouce, thus limiting the knowledge of each use to the infomation stictly needed to coectly enfoce the authoization policy. Indeed, knowledge of b i.k a is a necessay condition to make accessible by u. Howeve, thee may be othe esouces that ae encypted with the same key b i.k a and which should not be made accessible to u. Since eleasing b i.k a would make them accessible to u, they need to be ove-encypted so to make them accessible to uses in acl( ) only. Then, the algoithm detemines if such a set of esouces R exists (step 4). If R is not empty, the algoithm patitions R in sets such that each set S R includes all esouces chaacteized by the same acl, denoted acl S (step 5.1). Fo each set S, the algoithm calls ove-encypt(s,acl S) to demand to execute an ove-encyption of S fo uses in acl S (step 5.2). In addition, the algoithm equests the level to synchonize itself with the policy change. Hee, the algoithm behaves diffeently depending on the encyption model assumed. In the case of Delta (step 6.1), the algoithm fist contols whethe the set of uses that can each the esouce s access key (i.e., belonging to Anc uses(b i.k a)) coesponds to acl(). If so, the encyption suffices and no potection is needed at the level, and theefoe a call ove-encypt({}, all) is equested. Othewise, a call ove-encypt({},acl()) equests the to make accessible only to uses in acl(). In the case of Full (step 6.2), this is done by calling ove-encypt(,acl()), equesting the to synchonize its policy so to make accessible only by the uses in acl(). Conside now a evoke equest evoke(,u) to evoke fom use u access to esouce. The algoithm updates acl() to emove use u, that is, A[u,] = 0 (step 1). Then, it calls ove-encypt({},acl()) to demand to make accessible only to uses in acl() (step 2). In tems of pefomance, the algoithm only equies a diect navigation of the and stuctue and it poduces the identification of the equests to be sent to the seve in a time which in typical scenaios will be less than the time equied to send the messages to the seve. 128

7 GRANT(,u) 1. acl() := acl() {u} 2. find the vetex b i with b i.k a = φ b () 3. if φ b ()/ φ b(u) then find the vetex b j with b j.k = φ b (u) add token(b j.k,b i.k a) 4. find the set R of esouces such that, φ b ( )=φ b (), Anc uses(b i.k a) acl( ) 5. if R then 5.1 Patition R in sets such that each set S contains esouces with the same acl acl S 5.2 fo each set S do ove-encypt(s,acl S) 6. case encyption model of 6.1 Delta : if Anc uses(b i.k a)=acl() then ove-encypt({},all) else ove-encypt({},acl()) 6.2 Full : ove-encypt({},acl()) REVOKE(,u) 1. acl() := acl() {u} 2. ove-encypt({},acl()) OVER-ENCRYPT(R,U) 1. let be a esouce in R 2. if ( a vetex s : s.k = φ s( ) Anc uses(s.k) = U) then exit else 2.1 if φ s( ) null then decypt all R 2.2 if U all then if a vetex s such that Anc uses(s.k)=u then key := s.k else geneate and add to Ks a new key key ceate a new vetex s new s new.k := key while U choose a vetex s i by consideing vetices in deceasing ode of cadinality of Anc uses(s i.k) if Anc uses(s i.k) U then add token(s i.k,s new.k) U := U Anc uses(s i.k) fo each R do φ s() := key encypt with key Figue 5: Algoithms fo ganting and evoking authoizations 4.3 Example We pesent an example that illustates the behavio of the evoke and gant opeations descibed above. We assume the initial configuation depicted in Figue 4. Figue 6 illustates the evolution of the encyption policies at both and in the Full and Delta modes, upon the following sequence of policy changes. Hee, dashed edges at the level coespond to the tokens added by the gant algoithm. gant( 5,D): key b 6.k a used to encypt 5 does not belong to φ b(d). The data owne theefoe adds a token t 4,6 in the. Since b 6.k a is also used to encypt esouces 6 and 7, these esouces have to be ove-encypted in such a way that they ae accessible only to uses A, B, and C. In the Delta scenaio, ove-encypt ceates a new vetex s 6 fo esouces 6 and 7. The potection of esouce 5 at level is instead sufficient and no ove-encyption is needed. In the Full scenaio esouces 6 and 7 ae aleady coectly potected and 5 is instead ove-encypted with key s 9.k. evoke( 2,C): use C is emoved fom acl( 2). Since now this acl becomes empty, esouce 2 has to be oveencypted with a key that no use can compute. Consequently, both in the Delta and in the Full scenaio, a new vetex s is ceated and its key is used to potect 2. gant( 4,E): b 7.k a used to encypt 4 does not belong to φ b(e). The data owne theefoe adds a token t 5,7 allowing E to compute b 7.k a. Since b 7.k a is also used to potect 3, we need to call oveencypt( 3,{C, D}). In the Delta scenaio, oveencypt ceates a new vetex s 7 fo 3, while the potection of esouce 4 is sufficient and no oveencyption is needed. In the Full scenaio, 3 is aleady coectly potected and 4 is ove-encypted with s 10.k, which only C, D, and E can deive. gant( 6,D): b 6.k a used to encypt 6 aleady belongs to φ b(d), and theefoe the encyption policy does not change. Howeve, since 6 shaes its access key with 5 and 7, the encyption policy may need to be updated. In paticula, both the Delta and the Full scenaio aleady coectly enfoce the policy w..t. 5 and 7. In the Delta scenaio, the ove-encyption of 6 is emoved because the encyption policy is sufficient, while in the Full scenaio 6 is ove-encypted with a new key s 9.k. 4.4 Coectness We now pove that the algoithm implementing the gant and evoke opeations peseves the coectness of the encyption policy. Theoem 4.1 (Coectness). Let E b =(τb, φ b ) be an encyption policy at the level, E s=(τs, φ s) be an encyption policy at the level, and A an access contol policy such that E b,e s A. Algoithms in Figue 5 geneate a new E b = (τ b, φ b), E s = (τ s, φ s), and A such that E b, E s A. Poof. (sketch) Since we stat with a encyption policy and a encyption policy that satisfy Definition 5 (as discussed in Section 3.1.3), we will theefoe conside only uses and esouces fo which the encyption policies change. Gant and evoke ae based on the coect enfocement of the oveencyption opeation. We then examine it fist. 129

8 Delta Full gant( 5,D) ove-encypt( 6, 7,ABC) ove-encypt( 6, 7,ABC) ove-encypt( 5,all) ove-encypt( 5,ABCD) b 1 b 2 b 3 b 4 b 5 b 6 b 7 b 8 s 1 s 2 s 3 s 6 s 4 s 5 φ s() 7, 6 s 6.k 1,..., 5 null null 8 s 1 s 2 s 3 s 4 s 5 s 6 s 7 s 9 s 8 φ s() 1, 2 s 3.k 3, 4 s 7.k 5 s 9.k 6, 7 s 6.k 8 s 8.k evoke( 2,C) ove-encypt( 2, ) ove-encypt( 2, ) b 1 b 2 b 3 b 4 b 5 b 6 b 7 b 8 s s 1 s 2 s 3 s 6 s 4 s 5 φ s() 2 s.k 6, 7 s 6.k 1 null 3, 4, 5 null null 8 s s 1 s 2 s 3 s 4 s 5 s 6 s 7 s 9 s 8 φ s() 1 s 3.k 2 s.k 3, 4 s 7.k 5 s 9.k 6, 7 s 6.k 8 s 8.k gant( 4,E) ove-encypt( 3,CD) ove-encypt( 3,CD) ove-encypt( 4,all) ove-encypt( 4,CDE) b 1 b 2 b 3 b 4 b 5 b 6 b 7 b 8 s s 1 s 2 s 3 s 4 s 6 s 7 s 5 φ s() 2 s.k 3 s 7.k 6, 7 s 6.k 1 null 4, 5 null null 8 s s 1 s 2 s 3 s 4 s 5 s 6 s 7 s 9 s 8 s 10 φ s() 1 s 3.k 2 s.k 3 s 7.k 4 s 10.k 5 s 9.k 6, 7 s 6.k 8 s 8.k gant( 6,D) ove-encypt( 7,ABC) ove-encypt( 7,ABCD) ove-encypt( 6,all) ove-encypt( 6,ABCD) b 1 b 2 b 3 b 4 b 5 b 6 b 7 b 8 s s 1 s 2 s 3 s 4 s 6 s 7 s 5 φ s() 2 s.k 3 s 7.k 7 s 6.k 1 null 4, 5, 6 null null 8 s s 1 s 2 s 3 s 4 s 5 s 6 s 7 s 9 s 8 s 10 φ s() 1 s 3.k 2 s.k 3 s 7.k 4 s 10.k 5, 6 s 9.k 7 s 6.k 8 s 8.k Figue 6: An example of gant and evoke opeations 130

9 Ove-encypt. We need to pove that oveencypt(r, U) possibly encypts all esouces in R with a key in such a way that a use u can deive such a key if and only if u U. The only case we need to conside is when the set of uses U is diffeent fom all (when U = all, esouces in R ae not needed to be ove-encypted). Then, if the condition in the fist if statement (step 2) is evaluated to tue, esouces in R ae aleady coectly potected and since the algoithm teminates, the esult is coect. Othewise, esouces in R ae fist possibly decypted and then encypted with the coect key s.k o with the new geneated key, which is assigned to a new vetex s new. In the fist case, the esult is tivially coect. In the second case, coectness is guaanteed by the constuction of the tokens in the while statement (a use will each s new.k iff she belongs to U). Gant. E b, E s = A (soundness) Conside use u and esouce. Fom step 3, it is easy to see that φ b() = φ b () φ b (u). Fom step 6 and by the coectness of ove-encypt, eithe φ s() = null o is ove-encypted with a key such that φ s() φ s (u) (use u is included in the cuent acl()). Since φ b() φ b (u) and φ s() φ s (u), we have that A [u, ] = 1. Conside now the set of esouces R and suppose that R is not empty. Fo each subset S of R, use u can now deive the key used to encypt such a set of esouces. This implies that S, φ b( ) = φ b ( ) φ b (u). Howeve, by the coectness of ove-encypt, a call ove-encypt(s,acl S) guaantees that all esouces in S ae ove-encypted with a key such that S, φ s( ) φ s (u) because acl S does not include use u. E b, E s = A (completeness) Conside use u and esouce. Fom step 1, we have that A [u, ] = 1. Fom step 3, it is easy to see that φ b() = φ b () φ b (u). Also, fom step 6 and by the coectness of ove-encypt, eithe φ s() = null o is ove-encypted with a key such that φ s() φ s (u). Revoke. E b, E s = A (soundness) Conside use u and esouce. A call oveencypt({},acl()) is equested to demand the to make accessible only to uses in the cuent acl(). We know that φ b() φ b (u). Also, fom the ove-encypt coectness, it is easy to see that φ s() φ s (u). E b, E s = A (completeness) Conside use u and esouce. Fom step 1 we have that A[u, ] = 0. The subsequent call oveencypt({},acl()) makes esouce no moe accessible to use u because is ove-encypted with a key that is no moe deivable by u (this popety is a consequence of the ove-encypt coectness), that is, φ b() φ b (u) and φ s() φ s (u). 5. PROTECTION EVALUATION Since the and ae coected at initialization time, the coectness of the algoithm ensues that the encyption Seve s view Use s view open locked sel locked bel locked (a) (b) (c) (d) (e) Figue 7: Possible views on esouce policy E coectly models the authoization policy A. In othe wods, at any point in time, uses will be able to access only esouces fo which they have - diectly o indiectly - the necessay keys both at the and at the level. The key deivation function adopted is poved to be secue [4]. We also assume that all the encyption functions and the tokens ae obust and cannot be boken, even combining the infomation available to many uses. Moeove, we assume that each use coectly manages he keys, without the possibility fo a use to steal keys fom anothe use. It still emains to evaluate whethe the appoach is vulneable to attacks fom uses who access and stoe all infomation offeed by the seve, o fom collusion attacks, whee diffeent uses (o a use and the seve) combine thei knowledge to access esouces they would not othewise be able to access. Note that fo collusion to exist, both paties should gain in the exchange (as othewise they will not have any incentive in colluding). We now discuss possible infomation exposue, with the consevative assumption that uses ae not oblivious (i.e., they have the ability to stoe and keep indefinitely all infomation they wee entitled to access). In the discussion we fist efe to the Full appoach; we will then analyze the Delta appoach. To be able to model exposue, we fist stat by examining the diffeent views that one can have on a esouce. To do so, we exploit a gaphical notation with esouce in the cente and with fences aound denoting the baies to the access imposed by the knowledge of the keys used fo s encyption at the (inne fence, φ b ()) and at the (oute fence, φ s()). The fence is continuous if thee is no knowledge of the coesponding key (the baie cannot be passed) and it is discontinuous othewise (the baie can be passed). Figue 7 illustates the diffeent views that can exist on the esouce. On the left, Figue 7(a), thee is the view of the seve itself, which knows the key at the level but does not have access to the key at the level. On the ight, thee ae the diffeent possible views of uses, fo whom the esouce can be: open: the use knows the key at the level as well as the key at the level (Figue 7(b)); locked: the use knows neithe the key at the level no the key at the level (Figue 7(c)); sel locked: the use knows only the key at the level but does not know the key at the level (Figue 7(d)); bel locked: the use knows only the key at the level but does not know the one at the level (Figue 7(e)). Note that this latte view coesponds to the view of the seve itself. 131

10 open locked sel_locked Figue 8: View tansitions in the Full gant(,u) locked sel_locked open Figue 9: Fom locked to sel locked views acl() Past_acl Bel_accessible All uses Figue 10: Classification of uses fo a esouce By the coectness of the appoach (Theoem 4.1), the open view coesponds to the view of authoized uses, while the emaining views coespond to the views of non authoized uses. Befoe analyzing exposue, we illustate how the diffeent views on a esouce can be poduced by authoization changes (and consequent ove-encyption). 5.1 View evolution In the Full appoach, at initialization time, and ae completely synchonized. Then, fo each use, a esouce is potected by both keys o by neithe: authoized uses will have the open view, while non authoized uses will have the locked view. Figue 8 summaizes the possible view tansitions stating fom these two views. Let us fist examine the evolution of the open view. Since esouces at the level ae not e-encypted, the view of an authoized use can change only if the use is evoked the authoization. In this case, the esouce is ove-encypted at the level, then becoming sel locked fo the use. The view could be bought back to be open if the use is ganted the authoization again (i.e., ove-encyption is emoved). Let us now examine the evolution of the locked view. Fist, we note that - fo how the is constucted and maintained in the Full appoach - it cannot happen that the gants a use an access that is blocked at the level, and theefoe the bel locked view can neve be eached. The view can instead change to open, in case the use is ganted the authoization to access the esouce; o to sel locked, in case the use is given the access key at the level but she is not given that at the level. This latte situation can happen if the elease of the key at the level is necessay to make accessible to the use anothe esouce that is, at the level, encypted with the same key as. To illustate, suppose that at initialization time esouces and ae both encypted with the same key and they ae not accessible by use u (whose view on the esouces is locked). The leftmost view in Figue 9 illustates this situation. Suppose then that u is ganted the authoization fo. To make accessible at the level, a token is added to make φ b () deivable by u, whee howeve φ b ()=φ b ( ). Hence, will be ove-encypted at the level and φ s( ) made deivable by u. The esulting situation is illustated in Figue 9, whee is open and esults sel locked. 5.2 Exposue isk Collusion can take place evey time two entities, combining thei knowledge (i.e., the keys known to them) can acquie knowledge that neithe of them has access to. Thee- foe, uses having the open view need not be consideed as they have nothing to gain in colluding (they aleady access ). By the same line of easoning, also uses having the locked view need not be consideed as they have nothing to offe (and theefoe no one will have to gain in colluding with them). Also, ecall that in the Full appoach, fo what said in the pevious subsection, nobody (but the seve) can have a bel locked view. This leaves us only with uses having the sel locked view. Since uses having the same views will not gain anything in colluding, the only possible collusion can happen between the seve (who has a bel locked view) and a use who has a sel locked view. In this situation, the knowledge of the seve allows loweing the oute fence, while the knowledge of the use allows loweing the inne fence: meging thei knowledge, they would then be able to bing down both fences and enjoy the open view on the esouce. We know, fom the possible tansitions between views, that thee ae two easons fo which a use can have the sel locked view on a esouce. Past acl: the use was peviously authoized to access the esouce and the authoization was then evoked fom he (tansition fom open to sel locked in Figue 8). By colluding with the seve, in this case the use would get access to a esouce she peviously had authoization fo. Since we assume uses to be non oblivious, the use - while not cuently having ability to access the esouce - can have it cached at he side aleady. Then she has no gain in colluding with the seve. It is theefoe legitimate to conside this case ineffective with espect to collusion isks. 5 Policy split: the use has been ganted the authoization fo anothe esouce that was, at the initialization time, encypted with the same key as, leaving sel locked. In this situation (fom locked to sel locked), the use has neve had access to and should still not have it; theefoe thee is indeed exposue to collusion. In othe wods, the isk of collusion aises on esouces fo which a use holds a sel locked view and the use neve had the authoization to access the esouce (i.e., the use neve belonged to the acl of the esouce). This obsevation povides a way to measue the collusion isk to which a esouce is exposed. Figue 10 povides a gaphical illustation of the set of uses and thei possible elationship with the 5 We assume, without loss of geneality, that any time a esouce is updated, the data owne encypts it with the ight key. 132

11 open bel_locked sel_locked Figue 11: View tansitions in the Delta esouce. The outemost set epesents all the uses. Fo a subset of them, denoted as Bel accessible, the esouce might be not potected at the level (thee is no fence as they know φ b ()). Among them, thee ae the uses, denoted as Past acl, who had in the past the authoization to access, some of whom (those in acl()) may still hold the authoization. The uses epesenting a collusion isk fo the esouce ae all those that belong to Bel accessible and do not belong to Past acl. Besides collusion between diffeent paties, we also need to conside the isk of exposue due to a single use (o seve) meging he own views on a esouce at diffeent points in time. It is easy to see that, in the Full appoach, whee all non authoized uses stat with a locked view on the esouce (and tansitions ae as illustated in Figue 8), thee is no isk of exposue. Tivially, if the use is eleased the key at the level (i.e., it is possible fo he to bing down the lowe fence) it is because the use has the authoization fo at some point in time and theefoe she is (o has been) authoized fo the esouce. Thee is theefoe no exposue isk. As fo the Delta appoach, we stat by noting that uses not authoized to see a esouce have, at initial time, the bel locked view on it. Fom thee, the view can evolve to be sel locked o open (in case the use is given the authoization fo the esouce). View tansitions ae illustated in Figue 11. It is easy to see that, in this case, a single use by heself can then hold the two diffeent views: sel locked and bel locked. In othe wods a (planning-ahead) use could etieve the esouce at initial time, when she is not authoized, getting and stoing at he side s bel locked view. If, at a late point in time the use is eleased φ() to make accessible to he anothe esouce, she will acquie the sel locked view on. Meging this with the past bel locked view, she can enjoy the open view on. Note that the set of esouces potentially exposed to a use coincides with the esouces exposed to collusion between that use and the seve in the Full appoach. It is impotant to note that in both cases (Full and Delta ), exposue is limited to esouces that have been involved in a policy split to make othe esouces, encypted with the same key, available to the use. Exposue is theefoe limited and well identifiable. This allows the owne to possibly counteact it via explicit selective e-encyption o by pope design (as discussed in the next section). The collusion analysis claifies why we did not conside the thid possible encyption scenaio illustated in Section 3. In this scenaio, all uses non authoized to access a esouce would always have the sel locked view on it and could potentially collude with the seve. The fact that the key is the same fo all esouces would make all the esouces exposed (as the seve would need just one key to be able to access them all). 5.3 Design consideations Fom the analysis above, we can make the following obsevations on the Delta and the Full appoaches. Exposue potection. The Full appoach povides supeio potection, as it educes the isk of exposue, which is limited to collusion with the seve. By contast, the Delta appoach exposes also to single (planning-ahead) uses. Pefomance. The Delta appoach povides supeio pefomance, as it imposes ove-encyption only when equied by a change in authoizations. By contast, the Full appoach always imposes a double encyption on the esouces, and theefoe an additional load. Fom these obsevations we can daw some citeia that could be followed by a data owne when choosing between the use of Delta o Full. If the data owne knows that: the access policy will be elatively static, o sets of esouces shaing the same acl at initialization time epesent a stong semantic elationship aely split by policy evolution, o esouces ae gouped in the in fine ganulaity components whee most of the nodes ae associated with a single o few esouces, then the isk of exposing the data to collusion is limited also in the Delta appoach, which can then be pefeed fo pefomance easons. By contast, if authoizations have a moe dynamic and chaotic behavio, the Full appoach can be pefeed to limit exposue due to collusion (necessaily involving the seve). Also, the collusion isk can be minimized by a pope oganization of the esouces to educe the possibility of policy splits. This could be done eithe by poducing a fine ganulaity of encyption and/o bette identifying esouce goups chaacteized by a pesistent semantic affinity (in both cases, using in the diffeent keys fo esouces with identical acl). 6. RELATED WORK Pevious wok close to ou is in the aea of database-asa-sevice paadigm [10, 11], which consides the poblem of database outsoucing. Its intended pupose is to enable data ownes to outsouce distibution of data on the Intenet to sevice povides. The majoity of existing effots on this topic focuses on techniques allowing the execution of queies on encypted outsouced data, tying to suppot all SQL clauses and diffeent kinds of conditions ove attibutes [2, 7, 10, 11]. In geneal, these appoaches ae based on indexing infomation stoed togethe with the encypted data. Such indexes ae used to select the data to be etuned in esponse to a quey, without need of decypting the data. One of the majo challenges in the development of indexing techniques is the tade off between quey efficiency and 133

12 exposue to infeence and linking attacks that stongly depends on the attacke s pio knowledge [7]. A elated effot in [14] focuses on the design of mechanisms fo potecting the integity and authenticity of data fom both malicious outside attacks and the sevice povide itself. Othe poposals have investigated the use of patitioning, adopting a distibuted achitectue to allow an oganization to outsouce its data management to two untusted seves while peseving data pivacy [1]. In addition to the application-based appoaches abovementioned, hadwae-based appoaches to the poblem of secue outsouced stoage have also been investigated [6]. Hee, the basic idea is to use a special secuity hadwae component, which can suppot secue computations at both client and seve sides. A few eseach effots have diectly tackled the issues of access contol in an outsouced scenaio. In [13] the authos pesent a famewok fo enfocing access contol on published XML documents by using diffeent cyptogaphic keys ove diffeent potions of the XML tee and by intoducing special metadata nodes in the stuctue. Ou wok is complementay to this poposal, as it looks at the diffeent poblem of enfocing policy changes. On a diffeent line of elated wok, othe appoaches have investigated the hieachical-based access contol in the context of distibuted envionments and pay-tv [5, 17]. While some commonalities can be identified (e.g., the use of cyptogaphic key-based hieachical schemes), the outsouced data scenaio pesents peculia chaacteistics that equie the development of new solutions. 7. CONCLUSIONS Thee is an emeging tend towads scenaios whee esouce management is outsouced to an extenal sevice poviding stoage capabilities and high-bandwidth distibution channels. In this context, selective elease equies enfocing measues to potect the esouce confidentiality fom both unauthoized uses as well as honest-but-cuious seves. Cuent solutions povide potection by exploiting encyption in conjunction with pope indexing capabilities, but suffe fom limitations equiing the involvement of the owne evey time selective access is to be enfoced o the access policy is modified. In this pape we have put fowad the idea of enfocing the authoization policy by using a two-laye selective encyption. Ou solution offes significant benefits in tems of quicke and less costly ealization of authoization policy updates and geneal efficiency of the system (eplication of esouces can cay along the policy itself). We believe these benefits to be cucial fo the success of emeging scenaios chaacteized by a huge numbe of esouces of consideable size and that have to be distibuted in a selective way to a vaiety of uses. 8. ACKNOWLEDGMENTS This wok was suppoted in pat by the Euopean Union unde contact IST , and by the Italian Ministy of Reseach, within pogams FIRB, unde poject RBNE05FKZ2, and PRIN 2006, unde poject Basi di dati cittogafate ( ). The wok of Sushil Jajodia was patially suppoted by the National Science Foundation unde gants CT , IIS , and IIS REFERENCES [1] G. Aggawal et al. Two can keep a secet: a distibuted achitectue fo secue database sevices. In Poc. of CIDR 2005, Asiloma, CA, Jan [2] R. Agawal, J. Kieman, R. Sikant, and Y. Xu. Ode peseving encyption fo numeic data. In Poc. of ACM SIGMOD 2004, Pais, Fance, June [3] S. Akl and P. Taylo. Cyptogaphic solution to a poblem of access contol in a hieachy. ACM TOCS, 1(3): , August [4] M. Atallah, K. Fikken, and M. Blanton. Dynamic and efficient key management fo access hieachies. In Poc. of the 12th ACM CCS05, Alexandia, VA, USA, Nov [5] J. Biget, X. Zou, G. Noubi, and B. Ramamuthy. Hieachy-based access contol in distibuted envionments. In Poc. of IEEE Intenational Confeence on Communications, Finland, June [6] L. Bouganim and P. Pucheal. Chip-secued data access: confidential data on untusted seves. In Poc. of the 28th VLDB Confeence, Hong Kong, China, August [7] A. Ceselli, E. Damiani, S. D. C. di Vimecati, S. Jajodia, S. Paaboschi, and P. Samaati. Modeling and assessing infeence exposue in encypted databases. ACM TISSEC, 8(1): , Feb [8] J. Campton, K. Matin, and P. Wild. On key assignment fo hieachical access contol. In Poc. of the 19th IEEE CSFW 06, Venice, Italy, July [9] E. Damiani et al. An expeimental evaluation of multi-key stategies fo data outsoucing. In Poc. of the 22nd IFIP TC-11 Intenational Infomation Secuity Confeence, South Afica, May [10] H. Hacigümüs, B. Iye, and S. Mehota. Poviding database as a sevice. In Poc. of 18th ICDE, San Jose, CA, USA, Feb [11] H. Hacigümüs, B. Iye, S. Mehota, and C. Li. Executing SQL ove encypted data in the database-sevice-povide model. In Poc. of the ACM SIGMOD 2002, Madison, Wisconsin, USA, June [12] S. Jajodia, P. Samaati, M. Sapino, and V. Subahmanian. Flexible suppot fo multiple access contol policies. ACM TODS, 26(2): , June [13] G. Miklau and D. Suciu. Contolling access to published data using cyptogaphy. In Poc. of the 29th VLDB confeence, Belin, Gemany, Sept [14] E. Mykletun, M. Naasimha, and G. Tsudik. Authentication and integity in outsouced database. In Poc. of the 11th NDSS04, San Diego, CA, USA, Feb [15] R. Sandhu. On some cyptogaphic solutions fo access contol in a tee hieachy. In Poc. of the FJCC 87, Dallas, TX, USA, Oct [16] B. Schneie, J. Kelsey, D. Whiting, D. Wagne, C. Hall, and N. Feguson. On the twofish key schedule. In Selected Aeas in Cyptogaphy, June [17] Y. Sun and K. Liu. Scalable hieachical access contol in secue goup communications. In Poc. of the IEEE Infocom, Hong Kong, China, Mach [18] XML Encyption Syntax and Pocessing, W3C Rec. Dec

Concept and Experiences on using a Wiki-based System for Software-related Seminar Papers

Concept and Experiences on using a Wiki-based System for Software-related Seminar Papers Concept and Expeiences on using a Wiki-based System fo Softwae-elated Semina Papes Dominik Fanke and Stefan Kowalewski RWTH Aachen Univesity, 52074 Aachen, Gemany, {fanke, kowalewski}@embedded.wth-aachen.de,

More information

Uncertain Version Control in Open Collaborative Editing of Tree-Structured Documents

Uncertain Version Control in Open Collaborative Editing of Tree-Structured Documents Uncetain Vesion Contol in Open Collaboative Editing of Tee-Stuctued Documents M. Lamine Ba Institut Mines Télécom; Télécom PaisTech; LTCI Pais, Fance mouhamadou.ba@ telecom-paistech.f Talel Abdessalem

More information

An Efficient Group Key Agreement Protocol for Ad hoc Networks

An Efficient Group Key Agreement Protocol for Ad hoc Networks An Efficient Goup Key Ageement Potocol fo Ad hoc Netwoks Daniel Augot, Raghav haska, Valéie Issany and Daniele Sacchetti INRIA Rocquencout 78153 Le Chesnay Fance {Daniel.Augot, Raghav.haska, Valéie.Issany,

More information

Chapter 3 Savings, Present Value and Ricardian Equivalence

Chapter 3 Savings, Present Value and Ricardian Equivalence Chapte 3 Savings, Pesent Value and Ricadian Equivalence Chapte Oveview In the pevious chapte we studied the decision of households to supply hous to the labo maket. This decision was a static decision,

More information

Comparing Availability of Various Rack Power Redundancy Configurations

Comparing Availability of Various Rack Power Redundancy Configurations Compaing Availability of Vaious Rack Powe Redundancy Configuations White Pape 48 Revision by Victo Avela > Executive summay Tansfe switches and dual-path powe distibution to IT equipment ae used to enhance

More information

Software Engineering and Development

Software Engineering and Development I T H E A 67 Softwae Engineeing and Development SOFTWARE DEVELOPMENT PROCESS DYNAMICS MODELING AS STATE MACHINE Leonid Lyubchyk, Vasyl Soloshchuk Abstact: Softwae development pocess modeling is gaining

More information

The transport performance evaluation system building of logistics enterprises

The transport performance evaluation system building of logistics enterprises Jounal of Industial Engineeing and Management JIEM, 213 6(4): 194-114 Online ISSN: 213-953 Pint ISSN: 213-8423 http://dx.doi.og/1.3926/jiem.784 The tanspot pefomance evaluation system building of logistics

More information

HEALTHCARE INTEGRATION BASED ON CLOUD COMPUTING

HEALTHCARE INTEGRATION BASED ON CLOUD COMPUTING U.P.B. Sci. Bull., Seies C, Vol. 77, Iss. 2, 2015 ISSN 2286-3540 HEALTHCARE INTEGRATION BASED ON CLOUD COMPUTING Roxana MARCU 1, Dan POPESCU 2, Iulian DANILĂ 3 A high numbe of infomation systems ae available

More information

Modeling and Verifying a Price Model for Congestion Control in Computer Networks Using PROMELA/SPIN

Modeling and Verifying a Price Model for Congestion Control in Computer Networks Using PROMELA/SPIN Modeling and Veifying a Pice Model fo Congestion Contol in Compute Netwoks Using PROMELA/SPIN Clement Yuen and Wei Tjioe Depatment of Compute Science Univesity of Toonto 1 King s College Road, Toonto,

More information

Comparing Availability of Various Rack Power Redundancy Configurations

Comparing Availability of Various Rack Power Redundancy Configurations Compaing Availability of Vaious Rack Powe Redundancy Configuations By Victo Avela White Pape #48 Executive Summay Tansfe switches and dual-path powe distibution to IT equipment ae used to enhance the availability

More information

Efficient Redundancy Techniques for Latency Reduction in Cloud Systems

Efficient Redundancy Techniques for Latency Reduction in Cloud Systems Efficient Redundancy Techniques fo Latency Reduction in Cloud Systems 1 Gaui Joshi, Emina Soljanin, and Gegoy Wonell Abstact In cloud computing systems, assigning a task to multiple seves and waiting fo

More information

Things to Remember. r Complete all of the sections on the Retirement Benefit Options form that apply to your request.

Things to Remember. r Complete all of the sections on the Retirement Benefit Options form that apply to your request. Retiement Benefit 1 Things to Remembe Complete all of the sections on the Retiement Benefit fom that apply to you equest. If this is an initial equest, and not a change in a cuent distibution, emembe to

More information

STUDENT RESPONSE TO ANNUITY FORMULA DERIVATION

STUDENT RESPONSE TO ANNUITY FORMULA DERIVATION Page 1 STUDENT RESPONSE TO ANNUITY FORMULA DERIVATION C. Alan Blaylock, Hendeson State Univesity ABSTRACT This pape pesents an intuitive appoach to deiving annuity fomulas fo classoom use and attempts

More information

An Introduction to Omega

An Introduction to Omega An Intoduction to Omega Con Keating and William F. Shadwick These distibutions have the same mean and vaiance. Ae you indiffeent to thei isk-ewad chaacteistics? The Finance Development Cente 2002 1 Fom

More information

How to recover your Exchange 2003/2007 mailboxes and emails if all you have available are your PRIV1.EDB and PRIV1.STM Information Store database

How to recover your Exchange 2003/2007 mailboxes and emails if all you have available are your PRIV1.EDB and PRIV1.STM Information Store database AnswesThatWok TM Recoveing Emails and Mailboxes fom a PRIV1.EDB Exchange 2003 IS database How to ecove you Exchange 2003/2007 mailboxes and emails if all you have available ae you PRIV1.EDB and PRIV1.STM

More information

Towards Automatic Update of Access Control Policy

Towards Automatic Update of Access Control Policy Towads Automatic Update of Access Contol Policy Jinwei Hu, Yan Zhang, and Ruixuan Li Intelligent Systems Laboatoy, School of Computing and Mathematics Univesity of Westen Sydney, Sydney 1797, Austalia

More information

An Analysis of Manufacturer Benefits under Vendor Managed Systems

An Analysis of Manufacturer Benefits under Vendor Managed Systems An Analysis of Manufactue Benefits unde Vendo Managed Systems Seçil Savaşaneil Depatment of Industial Engineeing, Middle East Technical Univesity, 06531, Ankaa, TURKEY secil@ie.metu.edu.t Nesim Ekip 1

More information

Approximation Algorithms for Data Management in Networks

Approximation Algorithms for Data Management in Networks Appoximation Algoithms fo Data Management in Netwoks Chistof Kick Heinz Nixdof Institute and Depatment of Mathematics & Compute Science adebon Univesity Gemany kueke@upb.de Haald Räcke Heinz Nixdof Institute

More information

Give me all I pay for Execution Guarantees in Electronic Commerce Payment Processes

Give me all I pay for Execution Guarantees in Electronic Commerce Payment Processes Give me all I pay fo Execution Guaantees in Electonic Commece Payment Pocesses Heiko Schuldt Andei Popovici Hans-Jög Schek Email: Database Reseach Goup Institute of Infomation Systems ETH Zentum, 8092

More information

UNIT CIRCLE TRIGONOMETRY

UNIT CIRCLE TRIGONOMETRY UNIT CIRCLE TRIGONOMETRY The Unit Cicle is the cicle centeed at the oigin with adius unit (hence, the unit cicle. The equation of this cicle is + =. A diagam of the unit cicle is shown below: + = - - -

More information

An Approach to Optimized Resource Allocation for Cloud Simulation Platform

An Approach to Optimized Resource Allocation for Cloud Simulation Platform An Appoach to Optimized Resouce Allocation fo Cloud Simulation Platfom Haitao Yuan 1, Jing Bi 2, Bo Hu Li 1,3, Xudong Chai 3 1 School of Automation Science and Electical Engineeing, Beihang Univesity,

More information

Converting knowledge Into Practice

Converting knowledge Into Practice Conveting knowledge Into Pactice Boke Nightmae srs Tend Ride By Vladimi Ribakov Ceato of Pips Caie 20 of June 2010 2 0 1 0 C o p y i g h t s V l a d i m i R i b a k o v 1 Disclaime and Risk Wanings Tading

More information

Office of Family Assistance. Evaluation Resource Guide for Responsible Fatherhood Programs

Office of Family Assistance. Evaluation Resource Guide for Responsible Fatherhood Programs Office of Family Assistance Evaluation Resouce Guide fo Responsible Fathehood Pogams Contents Intoduction........................................................ 4 Backgound..........................................................

More information

THE DISTRIBUTED LOCATION RESOLUTION PROBLEM AND ITS EFFICIENT SOLUTION

THE DISTRIBUTED LOCATION RESOLUTION PROBLEM AND ITS EFFICIENT SOLUTION IADIS Intenational Confeence Applied Computing 2006 THE DISTRIBUTED LOCATION RESOLUTION PROBLEM AND ITS EFFICIENT SOLUTION Jög Roth Univesity of Hagen 58084 Hagen, Gemany Joeg.Roth@Fenuni-hagen.de ABSTRACT

More information

Mining Relatedness Graphs for Data Integration

Mining Relatedness Graphs for Data Integration Mining Relatedness Gaphs fo Data Integation Jeemy T. Engle (jtengle@indiana.edu) Ying Feng (yingfeng@indiana.edu) Robet L. Goldstone (goldsto@indiana.edu) Indiana Univesity Bloomington, IN. 47405 USA Abstact

More information

Chris J. Skinner The probability of identification: applying ideas from forensic statistics to disclosure risk assessment

Chris J. Skinner The probability of identification: applying ideas from forensic statistics to disclosure risk assessment Chis J. Skinne The pobability of identification: applying ideas fom foensic statistics to disclosue isk assessment Aticle (Accepted vesion) (Refeeed) Oiginal citation: Skinne, Chis J. (2007) The pobability

More information

est using the formula I = Prt, where I is the interest earned, P is the principal, r is the interest rate, and t is the time in years.

est using the formula I = Prt, where I is the interest earned, P is the principal, r is the interest rate, and t is the time in years. 9.2 Inteest Objectives 1. Undestand the simple inteest fomula. 2. Use the compound inteest fomula to find futue value. 3. Solve the compound inteest fomula fo diffeent unknowns, such as the pesent value,

More information

Automatic Testing of Neighbor Discovery Protocol Based on FSM and TTCN*

Automatic Testing of Neighbor Discovery Protocol Based on FSM and TTCN* Automatic Testing of Neighbo Discovey Potocol Based on FSM and TTCN* Zhiliang Wang, Xia Yin, Haibin Wang, and Jianping Wu Depatment of Compute Science, Tsinghua Univesity Beijing, P. R. China, 100084 Email:

More information

Channel selection in e-commerce age: A strategic analysis of co-op advertising models

Channel selection in e-commerce age: A strategic analysis of co-op advertising models Jounal of Industial Engineeing and Management JIEM, 013 6(1):89-103 Online ISSN: 013-0953 Pint ISSN: 013-843 http://dx.doi.og/10.396/jiem.664 Channel selection in e-commece age: A stategic analysis of

More information

Top K Nearest Keyword Search on Large Graphs

Top K Nearest Keyword Search on Large Graphs Top K Neaest Keywod Seach on Lage Gaphs Miao Qiao, Lu Qin, Hong Cheng, Jeffey Xu Yu, Wentao Tian The Chinese Univesity of Hong Kong, Hong Kong, China {mqiao,lqin,hcheng,yu,wttian}@se.cuhk.edu.hk ABSTRACT

More information

Financial Planning and Risk-return profiles

Financial Planning and Risk-return profiles Financial Planning and Risk-etun pofiles Stefan Gaf, Alexande Kling und Jochen Russ Pepint Seies: 2010-16 Fakultät fü Mathematik und Witschaftswissenschaften UNIERSITÄT ULM Financial Planning and Risk-etun

More information

Cloud Service Reliability: Modeling and Analysis

Cloud Service Reliability: Modeling and Analysis Cloud Sevice eliability: Modeling and Analysis Yuan-Shun Dai * a c, Bo Yang b, Jack Dongaa a, Gewei Zhang c a Innovative Computing Laboatoy, Depatment of Electical Engineeing & Compute Science, Univesity

More information

9:6.4 Sample Questions/Requests for Managing Underwriter Candidates

9:6.4 Sample Questions/Requests for Managing Underwriter Candidates 9:6.4 INITIAL PUBLIC OFFERINGS 9:6.4 Sample Questions/Requests fo Managing Undewite Candidates Recent IPO Expeience Please povide a list of all completed o withdawn IPOs in which you fim has paticipated

More information

The impact of migration on the provision. of UK public services (SRG.10.039.4) Final Report. December 2011

The impact of migration on the provision. of UK public services (SRG.10.039.4) Final Report. December 2011 The impact of migation on the povision of UK public sevices (SRG.10.039.4) Final Repot Decembe 2011 The obustness The obustness of the analysis of the is analysis the esponsibility is the esponsibility

More information

Review Graph based Online Store Review Spammer Detection

Review Graph based Online Store Review Spammer Detection Review Gaph based Online Stoe Review Spamme Detection Guan Wang, Sihong Xie, Bing Liu, Philip S. Yu Univesity of Illinois at Chicago Chicago, USA gwang26@uic.edu sxie6@uic.edu liub@uic.edu psyu@uic.edu

More information

ON THE (Q, R) POLICY IN PRODUCTION-INVENTORY SYSTEMS

ON THE (Q, R) POLICY IN PRODUCTION-INVENTORY SYSTEMS ON THE R POLICY IN PRODUCTION-INVENTORY SYSTEMS Saifallah Benjaafa and Joon-Seok Kim Depatment of Mechanical Engineeing Univesity of Minnesota Minneapolis MN 55455 Abstact We conside a poduction-inventoy

More information

The Role of Gravity in Orbital Motion

The Role of Gravity in Orbital Motion ! The Role of Gavity in Obital Motion Pat of: Inquiy Science with Datmouth Developed by: Chistophe Caoll, Depatment of Physics & Astonomy, Datmouth College Adapted fom: How Gavity Affects Obits (Ohio State

More information

Optimizing Content Retrieval Delay for LT-based Distributed Cloud Storage Systems

Optimizing Content Retrieval Delay for LT-based Distributed Cloud Storage Systems Optimizing Content Retieval Delay fo LT-based Distibuted Cloud Stoage Systems Haifeng Lu, Chuan Heng Foh, Yonggang Wen, and Jianfei Cai School of Compute Engineeing, Nanyang Technological Univesity, Singapoe

More information

A framework for the selection of enterprise resource planning (ERP) system based on fuzzy decision making methods

A framework for the selection of enterprise resource planning (ERP) system based on fuzzy decision making methods A famewok fo the selection of entepise esouce planning (ERP) system based on fuzzy decision making methods Omid Golshan Tafti M.s student in Industial Management, Univesity of Yazd Omidgolshan87@yahoo.com

More information

Model-Driven Engineering of Adaptation Engines for Self-Adaptive Software: Executable Runtime Megamodels

Model-Driven Engineering of Adaptation Engines for Self-Adaptive Software: Executable Runtime Megamodels Model-Diven Engineeing of Adaptation Engines fo Self-Adaptive Softwae: Executable Runtime Megamodels Thomas Vogel, Holge Giese Technische Beichte N. 66 des Hasso-Plattne-Instituts fü Softwaesystemtechnik

More information

Effect of Contention Window on the Performance of IEEE 802.11 WLANs

Effect of Contention Window on the Performance of IEEE 802.11 WLANs Effect of Contention Window on the Pefomance of IEEE 82.11 WLANs Yunli Chen and Dhama P. Agawal Cente fo Distibuted and Mobile Computing, Depatment of ECECS Univesity of Cincinnati, OH 45221-3 {ychen,

More information

High Availability Replication Strategy for Deduplication Storage System

High Availability Replication Strategy for Deduplication Storage System Zhengda Zhou, Jingli Zhou College of Compute Science and Technology, Huazhong Univesity of Science and Technology, *, zhouzd@smail.hust.edu.cn jlzhou@mail.hust.edu.cn Abstact As the amount of digital data

More information

Valuation of Floating Rate Bonds 1

Valuation of Floating Rate Bonds 1 Valuation of Floating Rate onds 1 Joge uz Lopez us 316: Deivative Secuities his note explains how to value plain vanilla floating ate bonds. he pupose of this note is to link the concepts that you leaned

More information

How to create RAID 1 mirroring with a hard disk that already has data or an operating system on it

How to create RAID 1 mirroring with a hard disk that already has data or an operating system on it AnswesThatWok TM How to set up a RAID1 mio with a dive which aleady has Windows installed How to ceate RAID 1 mioing with a had disk that aleady has data o an opeating system on it Date Company PC / Seve

More information

Financial Derivatives for Computer Network Capacity Markets with Quality-of-Service Guarantees

Financial Derivatives for Computer Network Capacity Markets with Quality-of-Service Guarantees Financial Deivatives fo Compute Netwok Capacity Makets with Quality-of-Sevice Guaantees Pette Pettesson pp@kth.se Febuay 2003 SICS Technical Repot T2003:03 Keywods Netwoking and Intenet Achitectue. Abstact

More information

An Infrastructure Cost Evaluation of Single- and Multi-Access Networks with Heterogeneous Traffic Density

An Infrastructure Cost Evaluation of Single- and Multi-Access Networks with Heterogeneous Traffic Density An Infastuctue Cost Evaluation of Single- and Multi-Access Netwoks with Heteogeneous Taffic Density Andes Fuuskä and Magnus Almgen Wieless Access Netwoks Eicsson Reseach Kista, Sweden [andes.fuuska, magnus.almgen]@eicsson.com

More information

Energy Efficient Cache Invalidation in a Mobile Environment

Energy Efficient Cache Invalidation in a Mobile Environment Enegy Efficient Cache Invalidation in a Mobile Envionment Naottam Chand, Ramesh Chanda Joshi, Manoj Misa Electonics & Compute Engineeing Depatment Indian Institute of Technology, Rookee - 247 667. INDIA

More information

Questions & Answers Chapter 10 Software Reliability Prediction, Allocation and Demonstration Testing

Questions & Answers Chapter 10 Software Reliability Prediction, Allocation and Demonstration Testing M13914 Questions & Answes Chapte 10 Softwae Reliability Pediction, Allocation and Demonstation Testing 1. Homewok: How to deive the fomula of failue ate estimate. λ = χ α,+ t When the failue times follow

More information

INITIAL MARGIN CALCULATION ON DERIVATIVE MARKETS OPTION VALUATION FORMULAS

INITIAL MARGIN CALCULATION ON DERIVATIVE MARKETS OPTION VALUATION FORMULAS INITIAL MARGIN CALCULATION ON DERIVATIVE MARKETS OPTION VALUATION FORMULAS Vesion:.0 Date: June 0 Disclaime This document is solely intended as infomation fo cleaing membes and othes who ae inteested in

More information

Electricity transmission network optimization model of supply and demand the case in Taiwan electricity transmission system

Electricity transmission network optimization model of supply and demand the case in Taiwan electricity transmission system Electicity tansmission netwok optimization model of supply and demand the case in Taiwan electicity tansmission system Miao-Sheng Chen a Chien-Liang Wang b,c, Sheng-Chuan Wang d,e a Taichung Banch Gaduate

More information

METHODOLOGICAL APPROACH TO STRATEGIC PERFORMANCE OPTIMIZATION

METHODOLOGICAL APPROACH TO STRATEGIC PERFORMANCE OPTIMIZATION ETHODOOGICA APPOACH TO STATEGIC PEFOANCE OPTIIZATION ao Hell * Stjepan Vidačić ** Željo Gaača *** eceived: 4. 07. 2009 Peliminay communication Accepted: 5. 0. 2009 UDC 65.02.4 This pape pesents a matix

More information

Distributed Computing and Big Data: Hadoop and MapReduce

Distributed Computing and Big Data: Hadoop and MapReduce Distibuted Computing and Big Data: Hadoop and Map Bill Keenan, Diecto Tey Heinze, Achitect Thomson Reutes Reseach & Development Agenda R&D Oveview Hadoop and Map Oveview Use Case: Clusteing Legal Documents

More information

Data Center Demand Response: Avoiding the Coincident Peak via Workload Shifting and Local Generation

Data Center Demand Response: Avoiding the Coincident Peak via Workload Shifting and Local Generation (213) 1 28 Data Cente Demand Response: Avoiding the Coincident Peak via Wokload Shifting and Local Geneation Zhenhua Liu 1, Adam Wieman 1, Yuan Chen 2, Benjamin Razon 1, Niangjun Chen 1 1 Califonia Institute

More information

Database Management Systems

Database Management Systems Contents Database Management Systems (COP 5725) D. Makus Schneide Depatment of Compute & Infomation Science & Engineeing (CISE) Database Systems Reseach & Development Cente Couse Syllabus 1 Sping 2012

More information

Spirotechnics! September 7, 2011. Amanda Zeringue, Michael Spannuth and Amanda Zeringue Dierential Geometry Project

Spirotechnics! September 7, 2011. Amanda Zeringue, Michael Spannuth and Amanda Zeringue Dierential Geometry Project Spiotechnics! Septembe 7, 2011 Amanda Zeingue, Michael Spannuth and Amanda Zeingue Dieential Geomety Poject 1 The Beginning The geneal consensus of ou goup began with one thought: Spiogaphs ae awesome.

More information

Firstmark Credit Union Commercial Loan Department

Firstmark Credit Union Commercial Loan Department Fistmak Cedit Union Commecial Loan Depatment Thank you fo consideing Fistmak Cedit Union as a tusted souce to meet the needs of you business. Fistmak Cedit Union offes a wide aay of business loans and

More information

Research Article A Reputation-Based Identity Management Model for Cloud Computing

Research Article A Reputation-Based Identity Management Model for Cloud Computing Mathematical Poblems in Engineeing Volume 2015, Aticle ID 238245, 15 pages http://dx.doi.og/10.1155/2015/238245 Reseach Aticle A Reputation-Based Identity Management Model fo Cloud Computing Lifa Wu, 1

More information

The Supply of Loanable Funds: A Comment on the Misconception and Its Implications

The Supply of Loanable Funds: A Comment on the Misconception and Its Implications JOURNL OF ECONOMICS ND FINNCE EDUCTION Volume 7 Numbe 2 Winte 2008 39 The Supply of Loanable Funds: Comment on the Misconception and Its Implications. Wahhab Khandke and mena Khandke* STRCT Recently Fields-Hat

More information

How To Use A Network On A Network With A Powerline (Lan) On A Pcode (Lan On Alan) (Lan For Acedo) (Moe) (Omo) On An Ipo) Or Ipo (

How To Use A Network On A Network With A Powerline (Lan) On A Pcode (Lan On Alan) (Lan For Acedo) (Moe) (Omo) On An Ipo) Or Ipo ( Hubs, Bidges, and Switches Used fo extending LANs in tems of geogaphical coveage, numbe of nodes, administation capabilities, etc. Diffe in egads to: m collision domain isolation m laye at which they opeate

More information

Optimal Peer Selection in a Free-Market Peer-Resource Economy

Optimal Peer Selection in a Free-Market Peer-Resource Economy Optimal Pee Selection in a Fee-Maket Pee-Resouce Economy Micah Adle, Rakesh Kuma, Keith Ross, Dan Rubenstein, David Tune and David D Yao Dept of Compute Science Univesity of Massachusetts Amhest, MA; Email:

More information

Unveiling the MPLS Structure on Internet Topology

Unveiling the MPLS Structure on Internet Topology Unveiling the MPLS Stuctue on Intenet Topology Gabiel Davila Revelo, Mauicio Andeson Ricci, Benoit Donnet, José Ignacio Alvaez-Hamelin INTECIN, Facultad de Ingenieía, Univesidad de Buenos Aies Agentina

More information

Alarm transmission through Radio and GSM networks

Alarm transmission through Radio and GSM networks Alam tansmission though Radio and GSM netwoks 2015 Alam tansmission though Radio netwok RR-IP12 RL10 E10C E10C LAN RL1 0 R11 T10 (T10U) Windows MONAS MS NETWORK MCI > GNH > GND > +E > DATA POWER DATA BUS

More information

Fast FPT-algorithms for cleaning grids

Fast FPT-algorithms for cleaning grids Fast FPT-algoithms fo cleaning gids Josep Diaz Dimitios M. Thilikos Abstact We conside the poblem that given a gaph G and a paamete k asks whethe the edit distance of G and a ectangula gid is at most k.

More information

Ilona V. Tregub, ScD., Professor

Ilona V. Tregub, ScD., Professor Investment Potfolio Fomation fo the Pension Fund of Russia Ilona V. egub, ScD., Pofesso Mathematical Modeling of Economic Pocesses Depatment he Financial Univesity unde the Govenment of the Russian Fedeation

More information

AN IMPLEMENTATION OF BINARY AND FLOATING POINT CHROMOSOME REPRESENTATION IN GENETIC ALGORITHM

AN IMPLEMENTATION OF BINARY AND FLOATING POINT CHROMOSOME REPRESENTATION IN GENETIC ALGORITHM AN IMPLEMENTATION OF BINARY AND FLOATING POINT CHROMOSOME REPRESENTATION IN GENETIC ALGORITHM Main Golub Faculty of Electical Engineeing and Computing, Univesity of Zageb Depatment of Electonics, Micoelectonics,

More information

Transmittal 198 Date: DECEMBER 9, 2005. SUBJECT: Termination of the Existing Eligibility-File Based Crossover Process at All Medicare Contractors

Transmittal 198 Date: DECEMBER 9, 2005. SUBJECT: Termination of the Existing Eligibility-File Based Crossover Process at All Medicare Contractors anual ystem Depatment of ealth & uman evices (D) entes fo edicae & Pub 100-20 One-Time Notification edicaid evices () Tansmittal 198 Date: DEEBE 9, 2005 hange equest 4231 UBJET: Temination of the Existing

More information

Define What Type of Trader Are you?

Define What Type of Trader Are you? Define What Type of Tade Ae you? Boke Nightmae srs Tend Ride By Vladimi Ribakov Ceato of Pips Caie 20 of June 2010 1 Disclaime and Risk Wanings Tading any financial maket involves isk. The content of this

More information

Scheduling Hadoop Jobs to Meet Deadlines

Scheduling Hadoop Jobs to Meet Deadlines Scheduling Hadoop Jobs to Meet Deadlines Kamal Kc, Kemafo Anyanwu Depatment of Compute Science Noth Caolina State Univesity {kkc,kogan}@ncsu.edu Abstact Use constaints such as deadlines ae impotant equiements

More information

Peer-to-Peer File Sharing Game using Correlated Equilibrium

Peer-to-Peer File Sharing Game using Correlated Equilibrium Pee-to-Pee File Shaing Game using Coelated Equilibium Beibei Wang, Zhu Han, and K. J. Ray Liu Depatment of Electical and Compute Engineeing and Institute fo Systems Reseach, Univesity of Mayland, College

More information

The Binomial Distribution

The Binomial Distribution The Binomial Distibution A. It would be vey tedious if, evey time we had a slightly diffeent poblem, we had to detemine the pobability distibutions fom scatch. Luckily, thee ae enough similaities between

More information

Promised Lead-Time Contracts Under Asymmetric Information

Promised Lead-Time Contracts Under Asymmetric Information OPERATIONS RESEARCH Vol. 56, No. 4, July August 28, pp. 898 915 issn 3-364X eissn 1526-5463 8 564 898 infoms doi 1.1287/ope.18.514 28 INFORMS Pomised Lead-Time Contacts Unde Asymmetic Infomation Holly

More information

Ignorance is not bliss when it comes to knowing credit score

Ignorance is not bliss when it comes to knowing credit score NET GAIN Scoing points fo you financial futue AS SEEN IN USA TODAY SEPTEMBER 28, 2004 Ignoance is not bliss when it comes to knowing cedit scoe By Sanda Block USA TODAY Fom Alabama comes eassuing news

More information

Gravitational Mechanics of the Mars-Phobos System: Comparing Methods of Orbital Dynamics Modeling for Exploratory Mission Planning

Gravitational Mechanics of the Mars-Phobos System: Comparing Methods of Orbital Dynamics Modeling for Exploratory Mission Planning Gavitational Mechanics of the Mas-Phobos System: Compaing Methods of Obital Dynamics Modeling fo Exploatoy Mission Planning Alfedo C. Itualde The Pennsylvania State Univesity, Univesity Pak, PA, 6802 This

More information

Secure Smartcard-Based Fingerprint Authentication

Secure Smartcard-Based Fingerprint Authentication Secue Smatcad-Based Fingepint Authentication [full vesion] T. Chales Clancy Compute Science Univesity of Mayland, College Pak tcc@umd.edu Nega Kiyavash, Dennis J. Lin Electical and Compute Engineeing Univesity

More information

CONCEPTUAL FRAMEWORK FOR DEVELOPING AND VERIFICATION OF ATTRIBUTION MODELS. ARITHMETIC ATTRIBUTION MODELS

CONCEPTUAL FRAMEWORK FOR DEVELOPING AND VERIFICATION OF ATTRIBUTION MODELS. ARITHMETIC ATTRIBUTION MODELS CONCEPUAL FAMEOK FO DEVELOPING AND VEIFICAION OF AIBUION MODELS. AIHMEIC AIBUION MODELS Yui K. Shestopaloff, is Diecto of eseach & Deelopment at SegmentSoft Inc. He is a Docto of Sciences and has a Ph.D.

More information

SELF-INDUCTANCE AND INDUCTORS

SELF-INDUCTANCE AND INDUCTORS MISN-0-144 SELF-INDUCTANCE AND INDUCTORS SELF-INDUCTANCE AND INDUCTORS by Pete Signell Michigan State Univesity 1. Intoduction.............................................. 1 A 2. Self-Inductance L.........................................

More information

ENABLING INFORMATION GATHERING PATTERNS FOR EMERGENCY RESPONSE WITH THE OPENKNOWLEDGE SYSTEM

ENABLING INFORMATION GATHERING PATTERNS FOR EMERGENCY RESPONSE WITH THE OPENKNOWLEDGE SYSTEM Computing and Infomatics, Vol. 29, 2010, 537 555 ENABLING INFORMATION GATHERING PATTERNS FOR EMERGENCY RESPONSE WITH THE OPENKNOWLEDGE SYSTEM Gaia Tecaichi, Veonica Rizzi, Mauizio Machese Depatment of

More information

Epdf Sulf petroleum, Eflecti and Eeflecti

Epdf Sulf petroleum, Eflecti and Eeflecti ANALYSIS OF GLOBAL WARMING MITIGATION BY WHITE REFLECTING SURFACES Fedeico Rossi, Andea Nicolini Univesity of Peugia, CIRIAF Via G.Duanti 67 0615 Peugia, Italy T: +9-075-585846; F: +9-075-5848470; E: fossi@unipg.it

More information

COMPLYING WITH THE DRUG-FREE SCHOOLS AND CAMPUSES REGULATIONS

COMPLYING WITH THE DRUG-FREE SCHOOLS AND CAMPUSES REGULATIONS Highe Education Cente fo Alcohol and Othe Dug Abuse and Violence Pevention Education Development Cente, Inc. 55 Chapel Steet Newton, MA 02458-1060 COMPLYING WITH THE DRUG-FREE SCHOOLS AND CAMPUSES REGULATIONS

More information

Supporting Efficient Top-k Queries in Type-Ahead Search

Supporting Efficient Top-k Queries in Type-Ahead Search Suppoting Efficient Top-k Queies in Type-Ahead Seach Guoliang Li Jiannan Wang Chen Li Jianhua Feng Depatment of Compute Science, Tsinghua National Laboatoy fo Infomation Science and Technology (TNList),

More information

MULTIPLE SOLUTIONS OF THE PRESCRIBED MEAN CURVATURE EQUATION

MULTIPLE SOLUTIONS OF THE PRESCRIBED MEAN CURVATURE EQUATION MULTIPLE SOLUTIONS OF THE PRESCRIBED MEAN CURVATURE EQUATION K.C. CHANG AND TAN ZHANG In memoy of Pofesso S.S. Chen Abstact. We combine heat flow method with Mose theoy, supe- and subsolution method with

More information

Definitions and terminology

Definitions and terminology I love the Case & Fai textbook but it is out of date with how monetay policy woks today. Please use this handout to supplement the chapte on monetay policy. The textbook assumes that the Fedeal Reseve

More information

Towards Realizing a Low Cost and Highly Available Datacenter Power Infrastructure

Towards Realizing a Low Cost and Highly Available Datacenter Power Infrastructure Towads Realizing a Low Cost and Highly Available Datacente Powe Infastuctue Siam Govindan, Di Wang, Lydia Chen, Anand Sivasubamaniam, and Bhuvan Ugaonka The Pennsylvania State Univesity. IBM Reseach Zuich

More information

Exam #1 Review Answers

Exam #1 Review Answers xam #1 Review Answes 1. Given the following pobability distibution, calculate the expected etun, vaiance and standad deviation fo Secuity J. State Pob (R) 1 0.2 10% 2 0.6 15 3 0.2 20 xpected etun = 0.2*10%

More information

An application of stochastic programming in solving capacity allocation and migration planning problem under uncertainty

An application of stochastic programming in solving capacity allocation and migration planning problem under uncertainty An application of stochastic pogamming in solving capacity allocation and migation planning poblem unde uncetainty Yin-Yann Chen * and Hsiao-Yao Fan Depatment of Industial Management, National Fomosa Univesity,

More information

883 Brochure A5 GENE ss vernis.indd 1-2

883 Brochure A5 GENE ss vernis.indd 1-2 ess x a eu / u e a. p o.eu c e / :/ http EURAXESS Reseaches in Motion is the gateway to attactive eseach caees in Euope and to a pool of wold-class eseach talent. By suppoting the mobility of eseaches,

More information

Tracking/Fusion and Deghosting with Doppler Frequency from Two Passive Acoustic Sensors

Tracking/Fusion and Deghosting with Doppler Frequency from Two Passive Acoustic Sensors Tacking/Fusion and Deghosting with Dopple Fequency fom Two Passive Acoustic Sensos Rong Yang, Gee Wah Ng DSO National Laboatoies 2 Science Pak Dive Singapoe 11823 Emails: yong@dso.og.sg, ngeewah@dso.og.sg

More information

Semipartial (Part) and Partial Correlation

Semipartial (Part) and Partial Correlation Semipatial (Pat) and Patial Coelation his discussion boows heavily fom Applied Multiple egession/coelation Analysis fo the Behavioal Sciences, by Jacob and Paticia Cohen (975 edition; thee is also an updated

More information

Timing Synchronization in High Mobility OFDM Systems

Timing Synchronization in High Mobility OFDM Systems Timing Synchonization in High Mobility OFDM Systems Yasamin Mostofi Depatment of Electical Engineeing Stanfod Univesity Stanfod, CA 94305, USA Email: yasi@wieless.stanfod.edu Donald C. Cox Depatment of

More information

How To Write A Theory Of The Concept Of The Mind In A Quey

How To Write A Theory Of The Concept Of The Mind In A Quey Jounal of Atificial Intelligence Reseach 31 (2008) 157-204 Submitted 06/07; published 01/08 Conjunctive Quey Answeing fo the Desciption Logic SHIQ Bite Glimm Ian Hoocks Oxfod Univesity Computing Laboatoy,

More information

PAN STABILITY TESTING OF DC CIRCUITS USING VARIATIONAL METHODS XVIII - SPETO - 1995. pod patronatem. Summary

PAN STABILITY TESTING OF DC CIRCUITS USING VARIATIONAL METHODS XVIII - SPETO - 1995. pod patronatem. Summary PCE SEMINIUM Z PODSTW ELEKTOTECHNIKI I TEOII OBWODÓW 8 - TH SEMIN ON FUNDMENTLS OF ELECTOTECHNICS ND CICUIT THEOY ZDENĚK BIOLEK SPŠE OŽNO P.., CZECH EPUBLIC DLIBO BIOLEK MILITY CDEMY, BNO, CZECH EPUBLIC

More information

Referral service and customer incentive in online retail supply Chain

Referral service and customer incentive in online retail supply Chain Refeal sevice and custome incentive in online etail supply Chain Y. G. Chen 1, W. Y. Zhang, S. Q. Yang 3, Z. J. Wang 4 and S. F. Chen 5 1,,3,4 School of Infomation Zhejiang Univesity of Finance and Economics

More information

Faithful Comptroller s Handbook

Faithful Comptroller s Handbook Faithful Comptolle s Handbook Faithful Comptolle s Handbook Selection of Faithful Comptolle The Laws govening the Fouth Degee povide that the faithful comptolle be elected, along with the othe offices

More information

Ashfield Girls High School. Critical Incident Policy

Ashfield Girls High School. Critical Incident Policy Ashfield Gils High School A Specialist School fo ICT Citical Incident Policy Citical Incident Policy 2 Citical Incident Policy A Specialist School fo ICT Ashfield Gils High School CRITICAL INCIDENT POLICY

More information

A Capacitated Commodity Trading Model with Market Power

A Capacitated Commodity Trading Model with Market Power A Capacitated Commodity Tading Model with Maket Powe Victo Matínez-de-Albéniz Josep Maia Vendell Simón IESE Business School, Univesity of Navaa, Av. Peason 1, 08034 Bacelona, Spain VAlbeniz@iese.edu JMVendell@iese.edu

More information

2 r2 θ = r2 t. (3.59) The equal area law is the statement that the term in parentheses,

2 r2 θ = r2 t. (3.59) The equal area law is the statement that the term in parentheses, 3.4. KEPLER S LAWS 145 3.4 Keple s laws You ae familia with the idea that one can solve some mechanics poblems using only consevation of enegy and (linea) momentum. Thus, some of what we see as objects

More information

How To Find The Optimal Stategy For Buying Life Insuance

How To Find The Optimal Stategy For Buying Life Insuance Life Insuance Puchasing to Reach a Bequest Ehan Bayakta Depatment of Mathematics, Univesity of Michigan Ann Abo, Michigan, USA, 48109 S. David Pomislow Depatment of Mathematics, Yok Univesity Toonto, Ontaio,

More information

Patent renewals and R&D incentives

Patent renewals and R&D incentives RAND Jounal of Economics Vol. 30, No., Summe 999 pp. 97 3 Patent enewals and R&D incentives Fancesca Conelli* and Mak Schankeman** In a model with moal hazad and asymmetic infomation, we show that it can

More information

They aim to select the best services that satisfy the user s. other providers infrastructures and utility services to run

They aim to select the best services that satisfy the user s. other providers infrastructures and utility services to run End-to-End Qo Mapping and Aggegation fo electing Cloud evices Raed Kaim, Chen Ding, Ali Mii Depatment of Compute cience Ryeson Univesity, Toonto, Canada 2kaim@yeson.ca, cding@scs.yeson.ca, ali.mii@yeson.ca

More information

Public Health and Transportation Coalition (PHiT) Vision, Mission, Goals, Objectives, and Work Plan August 2, 2012

Public Health and Transportation Coalition (PHiT) Vision, Mission, Goals, Objectives, and Work Plan August 2, 2012 Public Health and Tanspotation Coalition (PHiT) Vision, Mission, Goals, Objectives, and Wok Plan 2, 2012 Vision We envision Maine as a place whee people of all ages and abilities can move about in ways

More information