From Selective to Full Security: Semi-Generic Transformations in the Standard Model


An extended abstract of this work appears in the proceedings of PKC 2012.

From Selective to Full Security: Semi-Generic Transformations in the Standard Model

Michel Abdalla (1), Dario Fiore (2), Vadim Lyubashevsky (1)
(1) Département d'Informatique, École normale supérieure
(2) Department of Computer Science, New York University

Abstract. In this paper, we propose an efficient, standard model, semi-generic transformation of selective-secure (Hierarchical) Identity-Based Encryption schemes into fully secure ones. The main step is a procedure that uses admissible hash functions (whose existence is implied by collision-resistant hash functions) to convert any selective-secure wildcarded identity-based encryption (WIBE) scheme into a fully secure (H)IBE scheme. Since building a selective-secure WIBE, especially with a selective-secure HIBE already in hand, is usually much less involved than directly building a fully secure HIBE, this transform already significantly simplifies the latter task. This black-box transformation easily extends to schemes secure in the Continual Memory Leakage (CML) model of Brakerski et al. (FOCS 2010), which allows us to obtain a new fully secure IBE in that model. We furthermore show that if a selective-secure HIBE scheme satisfies a particular security notion, then it can be generically transformed into a selective-secure WIBE. We demonstrate that several current schemes already fit this new definition, while some others that do not obviously satisfy it can still be easily modified into a selective-secure WIBE.

Keywords: Selective security, full security, identity-based encryption.
Contents

1 Introduction
  1.1 Our results
2 Basic Definitions
  2.1 Code-Based Games
  2.2 (Hierarchical) Identity Based Encryption
  2.3 Identity Based Encryption with Wildcards
  2.4 The Continual Memory Leakage Model
3 Fully-Secure HIBE from Selective-Secure WIBE
  Our transformation
  Extensions of our transformation
4 Selective WIBE schemes from selective HIBE
  Security under Correlated Randomness for HIBE
  From HIBE selective-secure under Correlated Randomness to selective-secure WIBE
5 Our WIBE scheme
  A sufficient distribution for building a WIBE
  A leakage-resilient WIBE scheme based on Decision Linear
6 Lattice-Based WIBE
  Lattices and the LWE Problem
  Algorithms used in constructing the HIBE and WIBE
  Our Lattice-Based WIBE scheme
  Security Proof
7 Future Directions
References
A A proof without artificial abort
B HIBE Schemes Selective-Secure under Correlated Randomness
  B.1 The case of the Boneh-Boyen HIBE [8, 1]
  B.2 The case of the Boneh-Boyen-Goh HIBE [10]
  B.3 The case of the Waters HIBE [35]
1 Introduction

The concept of identity-based encryption (IBE) is a generalization of the standard notion of public-key encryption in which the sender can encrypt messages to a user based only on the identity of the latter and a set of user-independent public parameters. In these systems, there exists a trusted authority, called the private key generator, that is responsible for generating decryption keys for all identities in the system. Since being introduced by Shamir in 1984 [33], IBE has received a lot of attention due to the fact that one no longer needs to maintain a separate public key for each user. Despite being an attractive concept, it was only in 2001 that the first practical IBE construction was proposed, based on elliptic curve pairings [13]. Later that year, Cocks proposed an alternative IBE construction based on the quadratic residuosity problem [23]. The now-standard definition of security of IBE schemes, first suggested by Boneh and Franklin [13], is indistinguishability under adaptive chosen-identity attacks (we refer to it as full security). In this security model, the adversary is allowed to obtain secret keys for adaptively chosen identities before deciding the identity upon which it wishes to be challenged. By allowing these queries, this notion implicitly captures resistance against collusion attacks, as different users should be unable to combine their keys in an attempt to decrypt ciphertexts intended for another user. In 2002, Horwitz and Lynn introduced the notion of hierarchical identity-based encryption (HIBE), which allows intermediate nodes to act as private key generators. They also provided a two-level HIBE construction based on the Boneh-Franklin IBE scheme, but their scheme could provide full collusion resistance only in the upper level. The first HIBE scheme to provide full collusion resistance in all levels is due to Gentry and Silverberg [26]. Like the Horwitz-Lynn HIBE scheme, the Gentry-Silverberg HIBE scheme was also based on the Boneh-Franklin IBE scheme and proven secure in the random-oracle model [6].

The first HIBE to be proven secure in the standard model is due to Canetti, Halevi, and Katz [20], but in a weaker security model, called the selective-identity model. Unlike the security definitions used in previous constructions of (H)IBE schemes, the selective-identity model requires the adversary to commit to the challenge identity before obtaining the public parameters of the scheme. Despite providing weaker security guarantees, Canetti, Halevi, and Katz showed that the selective-identity model is sufficient for building forward-secure encryption schemes, which was the main motivation of their paper. Although the selective-identity model has been considered in many works, and is interesting in its own right (e.g., it implies forward-secure public key encryption), if we focus solely on the (H)IBE application, then the selective notion is clearly unrealistic because it does not model the real capabilities of an adversary attacking a (H)IBE scheme. So while the design of selective-identity secure schemes seems to be an easier task, the quest for fully secure solutions is always considered the main goal for (H)IBE construction. It is therefore a very interesting problem to investigate whether there are ways to efficiently convert a selective-secure scheme into a fully secure one. In the random oracle model, this question has been resolved by Boneh, Boyen and Goh [10], who provided a very efficient black-box transformation. In the standard model, however, no such conversion is known (1), and all fully-secure (H)IBE schemes (e.g., [9], [35], [22]) had to be constructed and proved secure essentially from scratch.

(1) It was shown by Boneh and Boyen in [8] that any selective-secure IBE scheme is already fully secure, but the concrete security degrades by a factor $1/|\mathcal{ID}|$, where $\mathcal{ID}$ is the scheme's identity space. Since $\mathcal{ID}$ is usually of exponential size, this conversion is too expensive in terms of efficiency to be considered practical.
1.1 Our results

In this paper, we explore the relationship between selective-identity and fully secure (H)IBE schemes in the standard model.

From selective-secure WIBE to fully-secure HIBE. Our first main contribution is a generic construction of fully-secure HIBE schemes from selective-pattern-secure wildcarded identity-based encryption (WIBE) schemes. The notion of a WIBE, introduced by Abdalla et al. [1], is very similar to the notion of a HIBE except that the sender can encrypt messages not only to a specific identity, but to a whole range of receivers whose identities match a certain pattern defined through a sequence of fixed strings and a special wildcard symbol (*). The security notion, called selective-pattern security, requires the adversary to commit ahead of time to the pattern P* that he intends to attack. He can then ask for the secret keys of any identity not matching P*, and for the challenge ciphertext on any pattern P matching P*. This notion of security is slightly more general and natural than that given in [1]. Yet, as noted in Remark 2.5 at the end of Section 2, it is satisfied by all known WIBE constructions. Our transformation from any selective-pattern-secure WIBE to a fully-secure HIBE is generic and relies on the notion of admissible hash functions (whose existence is implied by collision-resistant hash functions) introduced by Boneh and Boyen in [9]. Since building selective-pattern-secure WIBE schemes seems to be much easier than directly building a fully secure HIBE scheme, this transformation already significantly simplifies the latter task. In fact, it is worth noticing that the selective-pattern security of all currently-known instantiations of WIBE schemes follows from the selective-identity security of their respective underlying HIBE schemes (see [1]). One direct consequence of our construction is that several existing fully secure (H)IBE schemes can be seen as a particular case of our transformation. For instance, the fully secure IBE scheme of Boneh and Boyen in [9] turns out to be a particular case of our generic construction when instantiated with the selective-pattern-secure Boneh-Boyen WIBE scheme given in [1]. Likewise, the fully secure HIBE by Cash, Hofheinz, Kiltz, and Peikert [22] can be seen as the result of our generic transformation when applied to our new WIBE scheme in Section 6. Another consequence of our transformation is that one can obtain new constructions of fully secure HIBE schemes by applying our methodology to existing selective-pattern-secure WIBE schemes, such as the Boneh-Boyen-Goh WIBE in [1]. Interestingly, the result obtained from this instantiation closely resembles the Waters (H)IBE scheme [35].

The transformation in the Continual Memory Leakage model. An important point about our transformation from WIBE to (H)IBE is that it also works in the Continual Memory Leakage (CML) model [19, 24]. In this model, security is defined with respect to an adversary that may learn a bounded number of bits related to the secret information of a user, such as his secret key, over a given time period. In particular, secret keys are updated regularly, and information about new secret keys and the randomness used during their updates may also leak to the adversary. In [19], Brakerski et al. extended the IBE construction in [17] to obtain a selective-secure IBE in the CML model based on the Decision Linear assumption. While Brakerski and Kalai's IBE construction can be made fully secure using admissible hash functions as suggested in [17], a similar result is not known to hold in the CML model. In this paper, we show how to modify the scheme in [19] into a WIBE scheme and prove it selective-pattern-secure in the CML model under the same assumption. Then, by applying our transformation to this newly-constructed WIBE, we obtain a (CML) fully-secure version of the IBE in [19]. As in the original IBE, our new IBE construction assumes that there is no leakage from the master secret key. We observe, however, that this restriction is not that critical because, in the case of IBE, it may be reasonable to assume that the key generation center uses strong countermeasures to avoid leaking secret information.
The role of WIBE in our transformation. Somewhat surprisingly, our transformation seems to imply that the WIBE notion is of central importance when going from selective to full security in (H)IBE. To see why, one has to take a look at our proof strategy and at the notion of admissible hash functions (AHF). AHFs are a tool which allows one to partition the identity space into two subsets, B and R (both of which are of exponential size), so that in the security proof the identities of secret key queries fall in B while the challenge identity falls in R. In particular, by carefully selecting the AHF's parameters (as described in [9], for instance) one can make sure that the above (good) event occurs with non-negligible probability. In our proof from selective-secure WIBE to fully-secure HIBE, the simulator first uses AHFs to partition the identity space into B and R. Next, it declares to the WIBE challenger a challenge pattern which corresponds to R, by expressing R in the form of a pattern. By the property of AHFs, if the good event occurs (for all key derivation queries and the challenge identity chosen by the adversary), then the simulator can easily forward all queries to the WIBE challenger. In particular, it is guaranteed that the challenge identity falls in R. When that happens, the simulator can output the challenge identity chosen by the adversary as its own challenge. We remark that the proof strategy described above does not work if one starts from a selective-secure HIBE instead of a WIBE. Unlike the selective-WIBE simulator, the simulator against the selective security of a HIBE should commit to the challenge identity ID* at the very beginning. And even if the simulator chooses the AHF's parameters so that all secret key queries fall in B and the challenge identity falls in R, it still needs to guess ID* in R at the very beginning. But the probability that the challenge identity chosen by the adversary matches such ID* is 1/|R|, which is negligible (recall that both B and R are of exponential size).

Selective WIBE from selective HIBE. The second main contribution of this paper is to identify conditions under which we can generically transform a selective-identity-secure HIBE scheme into a selective-pattern-secure WIBE scheme. Towards this goal, we introduce a new notion of security for HIBE schemes, called security under correlated randomness, which allows us to transform a given HIBE into a WIBE by simply re-encrypting the same message to a particular set of identities by reusing the same randomness. Informally speaking, in order for a HIBE scheme to be secure under correlated randomness, it must satisfy the following two properties. First, when given an encryption of the same message under the same randomness for two identity vectors $ID_0 = (ID_{0,1}, \dots, ID_{0,j}, \dots, ID_{0,\lambda})$ and $ID_1 = (ID_{1,1}, \dots, ID_{1,j}, \dots, ID_{1,\lambda})$ differing in exactly one position (say $j$), one can easily generate a ciphertext for any identity vector matching the pattern $ID = (ID_{1,1}, \dots, *, \dots, ID_{1,\lambda})$. Secondly, when given these two ciphertexts, the adversary should not be able to generate an encryption of the same message under the same randomness for any identity vector that does not match the pattern. In Section 4 we show that selective-correlated-randomness-secure HIBE schemes can be converted to selective-pattern-secure WIBEs. Moreover, in Appendix B, we show that several existing HIBE schemes already satisfy this slightly stronger notion of security, e.g., [8, 10, 35], and in particular we show that their security under correlated randomness black-box reduces to their selective-identity security. Hence, if we combine our first generic transformation from selective-pattern-secure WIBE to fully-secure (H)IBE together with our second result described above, we obtain a compiler that allows us to construct a fully secure (H)IBE starting from a selective-secure (H)IBE. In particular, the resulting transformation works in the standard model and is semi-generic because the second part assumes a specific property of the underlying scheme (i.e., security under correlated randomness).
Nevertheless, by reducing the task of building fully secure HIBE schemes to that of building a selective-pattern-secure WIBE scheme, we believe that our result makes the former task significantly easier to achieve.

New WIBE schemes. One final contribution of this paper is two constructions of selective-pattern-secure WIBE schemes. The first one, whose description is given in Section 5, is obtained by modifying the IBE in [19]. It is based on pairings and is secure under the Decision Linear assumption in the CML model. Such modification essentially follows the correlated-randomness paradigm. Since for some technical reasons (related to the specific scheme) the selective-pattern security of this WIBE cannot be black-box reduced to the selective-identity security of the related IBE (as we do for other pairing-based WIBEs), we decided to give a direct proof under the Decision Linear assumption. However, we notice that such a proof closely follows the one in [19]. The second WIBE is based on lattices and its security follows from the selective-identity secure HIBE construction from [22]. Even though the Cash-Hofheinz-Kiltz-Peikert HIBE scheme does not meet the notion of security under correlated randomness introduced in Section 4 (because the scheme is not secure when the same randomness is reused for encryption), we show in Section 6 that one can easily modify it to obtain a selective-pattern-secure WIBE scheme. Similarly to the case of pairing-based WIBE schemes, the selective-pattern security of the new WIBE can be reduced directly to the selective-identity security of the original Cash-Hofheinz-Kiltz-Peikert HIBE scheme. However, in this case, it turns out to be even simpler to prove the selective-pattern security of our scheme directly from the decisional Learning With Errors problem (LWE) [32, 31].

Discussion. In this paper, we concentrate on building HIBE schemes that are adaptive-identity-secure against chosen-plaintext attacks. As shown by Boneh, Canetti, Halevi, and Katz [21, 15, 12], such schemes can easily be made chosen-ciphertext-secure with the help of one-time signature schemes or message authentication codes. Similarly to the (H)IBE schemes by Boneh and Boyen [9], by Waters [35], and by Cash, Hofheinz, Kiltz, and Peikert [22], the schemes obtained via our transformation are only provably secure when the hierarchy's maximum depth L is some fixed constant, due to the loss of a factor which is exponential in L. While for lattice-based HIBE schemes [22, 3, 4] this seems to be the state of the art, the same is not true for pairing-based HIBE schemes. More precisely, there have been several proposals in recent years (e.g., [25, 34, 29, 28]) which are fully secure even when the HIBE scheme has polynomially many levels. Most of these schemes use a new proof methodology, known as dual system encryption [34].

Organization. The paper is organized as follows. In Section 2, we start by recalling some standard definitions and notations used throughout the paper. Next, in Section 3, we present our first main contribution, which is a generic construction that can transform any selective-pattern-secure WIBE into a fully secure HIBE scheme. Then, in Section 4, we introduce the notion of security under correlated randomness for HIBE schemes and show how such schemes can be used to build selective-pattern-secure WIBEs. Though such a security notion does not necessarily hold for all HIBE schemes, we show in Appendix B that several existing selective-identity-secure HIBE schemes do meet this notion. Next, in Sections 5 and 6, we show two selective-pattern-secure WIBE schemes that are obtained by transforming, respectively, the Brakerski-Kalai-Katz-Vaikuntanathan IBE and the Cash-Hofheinz-Kiltz-Peikert HIBE. Finally, in Section 7, we summarize some future directions left open by our work.

2 Basic Definitions

In this section we describe the notation and the basic definitions that we use in the paper.

Notation. We say that a function is negligible if it vanishes faster than the inverse of any polynomial. If S is a set, then x ←$ S indicates the process of selecting x uniformly at random over S. If A(·) is an algorithm then we denote with y ← A(·) the operation of running A (on some input) and
assigning the output to y. For any l ∈ ℕ we denote with [l] the set {1, 2, ..., l}. PPT stands for probabilistic polynomial time and PTA for PPT algorithm or adversary.

2.1 Code-Based Games

In this work, we state our definitions and give our proofs using code-based games [7]. A game is usually defined by two procedures Initialize and Finalize, and by other procedures that model the answers to the adversary's oracle queries. A game G is executed with an adversary A as follows. First, A runs Initialize, and gets its output. Then, A can make oracle queries by executing the corresponding procedures. At the end, before halting, the adversary is required to execute the procedure Finalize, whose output is the output of the game G. If b is G's output, then we denote all this process by writing $G^A \Rightarrow b$. Usually, a game keeps a flag bad which is initialized to false, and that may be set to true during the execution of the game. We denote with $\mathrm{Bad}_i$ (resp. $\mathrm{Good}_i$) the event that $G_i^A$ sets (resp. does not set) bad to true. Two games $G_i$ and $G_j$ are said to be identical-until-bad if their code differs only in statements that are executed when bad is set. Bellare and Rogaway show in [7] that if $G_i$ and $G_j$ are identical-until-bad, and A is an adversary, then $\Pr[\mathrm{Bad}_i] = \Pr[\mathrm{Bad}_j]$. Moreover, the fundamental lemma of game-playing [7] states that if $G_i$ and $G_j$ are identical-until-bad, then for any b:
$$\left|\Pr[G_i^A \Rightarrow b] - \Pr[G_j^A \Rightarrow b]\right| \le \Pr[\mathrm{Bad}_i].$$
In our work we use a variant of this lemma formulated by Bellare and Ristenpart in [5]:

Lemma 2.1 ([5]) If $G_i$ and $G_j$ are identical-until-bad games, and A is an adversary, then for any b:
$$\Pr[G_i^A \Rightarrow b \wedge \neg\mathrm{Bad}_i] = \Pr[G_j^A \Rightarrow b \wedge \neg\mathrm{Bad}_j].$$

2.2 (Hierarchical) Identity Based Encryption

A hierarchical identity-based encryption scheme (HIBE) is defined by a tuple of algorithms HIBE = (Setup, KeyDer, Enc, Dec), a message space M, and an identity space $\mathcal{ID}$. The algorithm Setup is run by a trusted authority to generate a pair of keys (mpk, msk) such that mpk is made public, whereas msk is kept private. The users are hierarchically organized in a tree of depth L whose root is the trusted authority. The identity of a user at level 1 ≤ l ≤ L is represented by a vector $ID = (ID_1, \dots, ID_l) \in \mathcal{ID}^l$. A user at level l with identity $ID = (ID_1, \dots, ID_l)$ can use the key derivation algorithm KeyDer(sk_ID, ID') to generate a secret key for any of its children $ID' = (ID_1, \dots, ID_l, ID_{l+1})$ at level l + 1. Since this process can be iterated, every user can generate keys for all its descendants. Then, every user holding the master public key mpk can encrypt a message m ∈ M for the identity ID by running C ← Enc(mpk, ID, m). Finally, the ciphertext C can be decrypted by running the deterministic decryption algorithm, m ← Dec(sk_ID, C). For correctness, it is required that for all honestly generated master keys (mpk, msk) ← Setup, for all messages m ∈ M, all identities $ID \in \mathcal{ID}^l$ and all ancestors ID' of ID, m ← Dec(KeyDer(msk, ID'), Enc(mpk, ID, m)) holds with overwhelming probability. An IBE is defined as a HIBE with a hierarchy of depth 1.

The security of a HIBE scheme is captured by the standard notion of indistinguishability under chosen-plaintext attacks. In particular, this is formalized by a game, IND-HID-CPA, that we recall in Figure 1 using the notation of code-based games. The game is defined by four procedures that can be run by an adversary A and works as follows. As usual, A starts by executing Initialize and runs Finalize before halting. We assume that A makes at most one query (ID*, m_0, m_1) to the LR procedure, under the requirement that |m_0| = |m_1| (i.e., the two messages have the same length), and that all the identities submitted to Extract and LR are legitimate. For this notion, a set of queries is said to be legitimate if A never queries Extract on an identity ID such that ID = ID* or ID is an ancestor of ID*. We define the IND-HID-CPA-advantage of any adversary A against a HIBE scheme HIBE as
$$\mathrm{Adv}^{\text{IND-HID-CPA}}_{\mathsf{HIBE}}(A) = 2\Pr[\text{IND-HID-CPA}^A \Rightarrow 1] - 1$$
where $\text{IND-HID-CPA}^A \Rightarrow 1$ denotes that a run of IND-HID-CPA with adversary A outputs 1.

Definition 2.2 [IND-HID-CPA-security] A HIBE scheme is IND-HID-CPA-secure if for any PPT adversary A, $\mathrm{Adv}^{\text{IND-HID-CPA}}_{\mathsf{HIBE}}(A)$ is at most negligible.

In the context of hierarchical identity-based encryption, a lot of works in the literature also considered a weaker notion of security, called selective-identity indistinguishability under chosen-plaintext attacks (IND-sHID-CPA). The main difference with the standard IND-HID-CPA notion is that here the adversary is required to commit ahead of time to the identity that he will use to query the LR procedure. The corresponding game is recalled in Figure 1, on the right. Precisely, we describe only the procedures Initialize and LR, as Extract and Finalize remain the same as in the game IND-HID-CPA.

Figure 1: On the left, the definition of Game IND-HID-CPA. On the right, the procedures Initialize and LR of the game IND-sHID-CPA. Notice that in the latter game the procedures Extract and Finalize are the same as those of game IND-HID-CPA.

Game IND-HID-CPA
  procedure Initialize
    (mpk, msk) ← Setup; β ←$ {0, 1}
    Return mpk
  procedure Extract(ID)
    sk_ID ← KeyDer(msk, ID)
    Return sk_ID
  procedure LR(ID*, m_0, m_1)
    C ← Enc(mpk, ID*, m_β)
    Return C
  procedure Finalize(β')
    Return (β' = β)

Game IND-sHID-CPA (Extract and Finalize as in IND-HID-CPA)
  procedure Initialize(ID*)
    (mpk, msk) ← Setup; β ←$ {0, 1}
    Return mpk
  procedure LR(m_0, m_1)
    C ← Enc(mpk, ID*, m_β)
    Return C
The IND-sHID-CPA-advantage of any adversary A against a HIBE scheme HIBE is defined as
$$\mathrm{Adv}^{\text{IND-sHID-CPA}}_{\mathsf{HIBE}}(A) = 2\Pr[\text{IND-sHID-CPA}^A \Rightarrow 1] - 1.$$

Definition 2.3 [IND-sHID-CPA-security] A HIBE scheme is IND-sHID-CPA-secure if for any PPT adversary A, $\mathrm{Adv}^{\text{IND-sHID-CPA}}_{\mathsf{HIBE}}(A)$ is at most negligible.

Sometimes, in order to have a clear distinction with the standard notion of IND-HID-CPA, the latter is called full security.

2.3 Identity Based Encryption with Wildcards

The notion of Identity-Based Encryption with Wildcards was introduced by Abdalla et al. in [1] as a generalization of the HIBE notion. A WIBE scheme is defined by a tuple of algorithms WIBE = (Setup, KeyDer, Enc, Dec) that works exactly as a HIBE, except that here the encryption algorithm takes as input a value $P \in (\mathcal{ID} \cup \{*\})^l$ (for 1 ≤ l ≤ L), i.e., the pattern, instead of an identity vector. Such a pattern may contain a special "don't care" symbol *, the wildcard, at some levels. An identity $ID = (ID_1, \dots, ID_{l'}) \in \mathcal{ID}^{l'}$ is said to match a pattern $P \in (\mathcal{ID} \cup \{*\})^l$, denoted as $ID \in_* P$, if and only if $l' \le l$ and for all $i = 1, \dots, l'$: $ID_i = P_i$ or $P_i = *$. Note that under this definition, any ancestor of a matching identity is also a matching identity. This makes sense for the notion of WIBE, as any ancestor can derive the secret key of a matching descendant identity anyway. For any pattern $P \in (\mathcal{ID} \cup \{*\})^l$, we denote with W(P) the set of indices j ∈ [l] such that $P_j = *$. For correctness, it is required that for all honestly generated master keys (mpk, msk) ← Setup, for all messages m ∈ M, all patterns $P \in (\mathcal{ID} \cup \{*\})^l$ and all identities $ID \in \mathcal{ID}^{l'}$ such that $ID \in_* P$, m ← Dec(KeyDer(msk, ID), Enc(mpk, P, m)) holds with all but negligible probability.

Similarly to HIBE, WIBE allows for similar notions of security under chosen-plaintext attacks. In particular, in our work we consider only the notion of selective security. Roughly speaking, it is similar to the IND-sHID-CPA notion for HIBE, except that here the adversary has to commit to a pattern P* at the beginning of the game. Next, when he calls the LR procedure, he can provide a pattern P that matches P*, i.e., such that either P is an identity matching P*, or P is a sub-pattern of P*. The security notion is formalized by the game IND-sWID-CPA in Figure 2. So, we define the IND-sWID-CPA-advantage of any adversary A against a WIBE scheme WIBE as
$$\mathrm{Adv}^{\text{IND-sWID-CPA}}_{\mathsf{WIBE}}(A) = 2\Pr[\text{IND-sWID-CPA}^A \Rightarrow 1] - 1.$$

Definition 2.4 A WIBE scheme is IND-sWID-CPA-secure if $\mathrm{Adv}^{\text{IND-sWID-CPA}}_{\mathsf{WIBE}}(A)$ is negligible for any PTA A.

Figure 2: Game IND-sWID-CPA.

Game IND-sWID-CPA
  procedure Initialize(P*)
    (mpk, msk) ← Setup; β ←$ {0, 1}
    Return mpk
  procedure Extract(ID)
    sk_ID ← KeyDer(msk, ID)
    Return sk_ID
  procedure LR(P, m_0, m_1)
    C ← Enc(mpk, P, m_β)
    Return C
  procedure Finalize(β')
    Return (β' = β)
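The matching relation ID ∈* P, the set W(P) and the legitimacy rules of game IND-sWID-CPA, as an added Python illustration (not code from the paper). The sub-pattern test is this example's own reading of "P is a sub-pattern of P*", namely that every identity matching P also matches P*, which reduces to a positional check.

```python
"""WIBE pattern matching and the legitimacy rules of IND-sWID-CPA (added example)."""
from typing import List, Optional, Set, Tuple

WILDCARD = "*"
Identity = Tuple[str, ...]   # ID = (ID_1, ..., ID_l')
Pattern = Tuple[str, ...]    # P in (ID u {*})^l, entries are identity strings or "*"


def matches(identity: Identity, pattern: Pattern) -> bool:
    """ID matches P iff l' <= l and for every i <= l': ID_i = P_i or P_i = *.
    Because only the first l' levels are compared, every ancestor of a
    matching identity matches as well."""
    if len(identity) > len(pattern):
        return False
    return all(p == WILDCARD or i == p for i, p in zip(identity, pattern))


def wildcard_positions(pattern: Pattern) -> Set[int]:
    """W(P): the 1-based indices j in [l] with P_j = *."""
    return {j for j, p in enumerate(pattern, start=1) if p == WILDCARD}


def is_subpattern(pattern: Pattern, target: Pattern) -> bool:
    """Assumed reading of 'P is a sub-pattern of P*': every identity matching P
    also matches P*. Positionally: |P| <= |P*| and at each level either
    P*_i = * or P_i = P*_i (a wildcard in P where P* is fixed would admit
    identities that do not match P*; a longer P would admit identities too deep)."""
    if len(pattern) > len(target):
        return False
    return all(t == WILDCARD or p == t for p, t in zip(pattern, target))


def pattern_matches(pattern: Pattern, target: Pattern) -> bool:
    """P matches P*: P is an identity matching P*, or P is a sub-pattern of P*."""
    if WILDCARD not in pattern:
        return matches(pattern, target)
    return is_subpattern(pattern, target)


class SelectiveWIBEGame:
    """Bookkeeping for one run of IND-sWID-CPA: the committed pattern P*, the
    Extract queries and the single LR query; reports whether the query set is
    legitimate for the selective-pattern notion."""

    def __init__(self, committed: Pattern) -> None:
        self.committed = committed          # P*, fixed before mpk is handed out
        self.extracted: List[Identity] = []
        self.lr_pattern: Optional[Pattern] = None
        self.lr_count = 0
        self.same_length = False

    def extract(self, identity: Identity) -> None:
        self.extracted.append(identity)

    def lr(self, pattern: Pattern, m0: bytes, m1: bytes) -> None:
        self.lr_count += 1
        self.lr_pattern = pattern
        self.same_length = len(m0) == len(m1)

    def legitimate(self) -> bool:
        """Extract never on an identity matching P*; exactly one LR query, on a
        pattern matching P*, with |m0| = |m1|."""
        if any(matches(i, self.committed) for i in self.extracted):
            return False
        if self.lr_count != 1 or not self.same_length or self.lr_pattern is None:
            return False
        return pattern_matches(self.lr_pattern, self.committed)
```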
Remark 2.5 We notice that our notion of selective security for WIBE schemes is slightly more general than the one that was originally proposed in [1]. The main difference is that in the original work of Abdalla et al. the notion is purely selective, meaning that the adversary declares the challenge pattern P* at the beginning of the game, and later it receives an encryption of either m_0 or m_1 under P*. Instead, our notion allows for more flexibility. Indeed, the adversary still declares P* at the beginning of the game, but later it may ask the challenge ciphertext on a pattern P, possibly different from P*, but such that P matches P*. We stress that this property is not artificial for at least two reasons. First, it is more general than the previous one. Second, it is satisfied by all known WIBE schemes, and in particular we will show that it is satisfied by those schemes obtained through our transformation from selective-secure HIBE to selective WIBE, which we describe in Section 4.

2.4 The Continual Memory Leakage Model

In this section we present an extension of the definitions of hierarchical identity-based encryption and wildcarded identity-based encryption in the Continual Memory Leakage (CML) Model proposed by Brakerski et al. [19]. In particular, we consider the model with the restriction that there is no leakage from the master secret key. This means that both the Setup and KeyDer algorithms do not leak secret information. In this setting a (H)IBE scheme is defined by the same algorithms as a standard (H)IBE with an additional Update_user algorithm that takes as input the public parameters, the secret key of some identity ID and some randomness (from an appropriate domain), and outputs a new updated secret key for the same identity ID. The notion of indistinguishability under chosen-plaintext attack in the CML model (that we call CML-IND-HID-CPA) is defined as follows. The game consists of six procedures that can be run by an adversary A and it works in the following way. As usual, A starts by executing Initialize and runs Finalize before halting. The adversary can run the procedure Extract and then it is allowed one query to the procedure Challenge on some identity ID* such that neither ID* nor an ancestor of it has been asked to Extract before. Next, the adversary can run procedures Extract, Leak and Update as described in Figure 3. Notice that Leak and Update can be queried on identities ID that decrypt ID*.

Figure 3: Definition of Game CML-IND-HID-CPA.

Game CML-IND-HID-CPA
  procedure Initialize
    (mpk, msk) ← Setup; β ←$ {0, 1}
    C[ID] ← ⊥ for all ID; L[ID, 0] ← 0 for all ID
    Return mpk
  procedure Extract(ID)
    If C[ID] = ⊥ Then sk_{ID,0} ← KeyDer(msk, ID); C[ID] ← 0
    Return sk_{ID,C[ID]}
  procedure Challenge(ID*)
    Store ID*
  procedure LR(m_0, m_1)
    C ← Enc(mpk, ID*, m_β)
    Return C
  procedure Finalize(β')
    Return (β' = β)
  procedure Leak(f, ID)
    If ID ≠ ID* and ID is not an ancestor of ID* Then Return ⊥ Else continue
    If C[ID] = ⊥ Then sk_{ID,0} ← KeyDer(msk, ID); C[ID] ← 0
    let i ← C[ID]
    If L[ID, i] + |f(sk_{ID,i})| < ρ_M · |sk_{ID,i}| Then
      L[ID, i] ← L[ID, i] + |f(sk_{ID,i})|
      Return f(sk_{ID,i})
    Else Return ⊥
  procedure Update(f, ID)
    If ID ≠ ID* and ID is not an ancestor of ID* Then Return ⊥ Else continue
    let i ← C[ID]
    sk_{ID,i+1} ← Update_user(mpk, sk_{ID,i}, r); C[ID] ← i + 1
    If L[ID, i] + |f(sk_{ID,i}, r)| < ρ_U · |sk_{ID,i}| Then
      L[ID, i+1] ← |f(sk_{ID,i}, r)|
      Return f(sk_{ID,i}, r)
    Else Return ⊥
These procedures also take as input a computable function f. As specified in the figure, such functions must have a sufficiently bounded output size. We also assume that A makes at most one query (m_0, m_1) to the LR procedure, under the requirement that |m_0| = |m_1| (i.e., the two messages have the same length), and that all identities submitted to Extract, Leak, Update and LR are legitimate. Finally, once the adversary has queried LR it can no longer run Leak and Update. In the CML model, a set of queries is said to be legitimate if A never queries Extract on an identity ID such that ID = ID* or ID is an ancestor of ID*. Furthermore, the total number of bits of each secret key of ID* (or of any ancestor of ID*) that are leaked through Leak and Update must be less than ρ_M · |sk_{ID*}| and ρ_U · |sk_{ID*}| respectively. So, ρ_M and ρ_U represent the fraction of bits that can be leaked from the memory (i.e., from a secret key) and from the update operation (i.e., from the secret key and the randomness used in the update). Notice that (ρ_M, ρ_U) parametrize the security game. We define the CML-IND-HID-CPA-advantage of any adversary A against a HIBE scheme HIBE with leakage rate (ρ_M, ρ_U) as
$$\mathrm{Adv}^{\text{CML-IND-HID-CPA}}_{\mathsf{HIBE}}(A) = 2\Pr[\text{CML-IND-HID-CPA}^A \Rightarrow 1] - 1$$
where $\text{CML-IND-HID-CPA}^A \Rightarrow 1$ denotes that a run of the experiment CML-IND-HID-CPA (parametrized by (ρ_M, ρ_U)) with adversary A outputs 1.

Definition 2.6 [CML-IND-HID-CPA-security] A HIBE scheme is CML-IND-HID-CPA-secure with leakage rate (ρ_M, ρ_U) if for any PPT adversary A, $\mathrm{Adv}^{\text{CML-IND-HID-CPA}}_{\mathsf{HIBE}}(A)$ is at most negligible.

In a very similar way it is possible to define the notion of selective security, CML-IND-sHID-CPA, for (H)IBE in the CML model. The game is described by the procedures in Figure 4. The procedures are similar to the ones of the CML-IND-HID-CPA game, but they are a bit simpler. For consistency, in order for the game to make sense, we require that the total number of bits of secret keys of ID* (or of any ancestor of ID*) that are leaked through Leak and Update must be less than ρ_M · |sk_{ID*}| and ρ_U · |sk_{ID*}| respectively.

Definition 2.7 [CML-IND-sHID-CPA-security] A HIBE scheme is CML-IND-sHID-CPA-secure with leakage rate (ρ_M, ρ_U) if for any PPT adversary A, $\mathrm{Adv}^{\text{CML-IND-sHID-CPA}}_{\mathsf{HIBE}}(A)$ is at most negligible.

WIBE in the CML model. Finally, we extend the security notion of WIBE to the CML model. To do this, we define the game CML-IND-sWID-CPA, which is similar to IND-sWID-CPA except that in addition it contains the procedures Leak and Update. The game is described in detail in Figure 5. The main difference is in the definition of what is the set of legitimate queries in this setting. First, we require that the adversary calls the LR procedure on a pattern P that matches the pattern P* provided to Initialize at the beginning of the game. Second, we require that Leak and Update are queried on identities matching the challenge pattern, and that for each of these identities the total number of leaked bits is at most ρ_M · |sk_ID| and ρ_U · |sk_ID| respectively.

Definition 2.8 [CML-IND-sWID-CPA-security] A WIBE scheme is CML-IND-sWID-CPA-secure with leakage rate (ρ_M, ρ_U) if for any PPT adversary A, $\mathrm{Adv}^{\text{CML-IND-sWID-CPA}}_{\mathsf{WIBE}}(A)$ is at most negligible.

3 Fully-Secure HIBE from Selective-Secure WIBE

In this section we concentrate on the first part of our main result. We show how to construct a fully-secure HIBE scheme starting from any WIBE scheme that is secure only in a selective sense.
Game CML-IND-sHID-CPA

  procedure Initialize(ID*):
    (mpk, msk) ← Setup; β ← {0,1}
    i ← 0; L[i] ← 0
    sk_{ID*,0} ← KeyDer(msk, ID*)
    Return mpk

  procedure Extract(ID):
    sk_ID ← KeyDer(msk, ID)
    Return sk_ID

  procedure LR(m_0, m_1):
    C ← Enc(mpk, ID*, m_β)
    Return C

  procedure Leak(f):
    If L[i] + |f(sk_{ID*,i})| < ρ_M |sk_{ID*,i}| Then
      L[i] ← L[i] + |f(sk_{ID*,i})|
      Return f(sk_{ID*,i})
    Else Return ⊥

  procedure Update(f):
    sk_{ID*,i+1} ← Update_user(mpk, sk_{ID*,i}, r)
    If L[i] + |f(sk_{ID*,i}, r)| < ρ_U |sk_{ID*,i}| Then
      L[i+1] ← |f(sk_{ID*,i}, r)|
      Return f(sk_{ID*,i}, r)
      i ← i + 1
    Else Return ⊥

  procedure Finalize(β'):
    Return (β' = β)

Figure 4: Definition of Game CML-IND-sHID-CPA.

Game CML-IND-sWID-CPA

  procedure Initialize(P*):
    (mpk, msk) ← Setup; β ← {0,1}
    C[ID] ← ⊥ ∀ID; L[ID, 0] ← 0 ∀ID
    Return mpk

  procedure Extract(ID):
    If C[ID] = ⊥ Then sk_{ID,0} ← KeyDer(msk, ID); C[ID] ← 0
    Return sk_{ID,C[ID]}

  procedure LR(P, m_0, m_1):
    C ← Enc(mpk, P, m_β)
    Return C

  procedure Leak(f, ID):
    let i ← C[ID]
    If i = ⊥ Then sk_{ID,0} ← KeyDer(msk, ID); C[ID] ← 0
    If L[ID, i] + |f(sk_{ID,i})| < ρ_M |sk_{ID,i}| Then
      L[ID, i] ← L[ID, i] + |f(sk_{ID,i})|
      Return f(sk_{ID,i})
    Else Return ⊥

  procedure Update(f, ID):
    let i ← C[ID]
    sk_{ID,i+1} ← Update_user(mpk, sk_{ID,i}, r)
    C[ID] ← i + 1
    If L[ID, i] + |f(sk_{ID,i}, r)| < ρ_U |sk_{ID,i}| Then
      L[ID, i+1] ← |f(sk_{ID,i}, r)|
      Return f(sk_{ID,i}, r)
    Else Return ⊥

  procedure Finalize(β'):
    Return (β' = β)

Figure 5: Definition of Game CML-IND-sWID-CPA.

Our transformation is black-box and makes use of admissible hash functions, a notion introduced by Boneh and Boyen in [9] that we recall below.

Admissible Hash Functions. Admissible hash functions were first introduced by Boneh and Boyen in [9] as a tool for proving the full security of their identity-based encryption scheme in
the standard model. Such functions turn out to be particularly suitable for this purpose as they provide a way to implement the so-called partitioning technique, a proof methodology that allows one to secretly partition the identity space into two sets, the blue set and the red set, both of exponential size, so that there is a non-negligible probability that the adversary's secret key queries fall in the blue set and the challenge identity falls in the red set. This property has been shown useful to prove the full security of some identity-based encryption schemes (e.g., [9, 35, 22]). In particular, it fits those cases when, in the reduction, one can program the simulator so that it can answer secret key queries for all the blue identities, whereas it is prepared to generate a challenge ciphertext only for red identities. In our work we employ admissible hash functions for a similar purpose, i.e., constructing a fully-secure HIBE from a selective-secure WIBE, and in particular we adopt a definition of admissible hash functions which follows the one used by Cash et al. in [22]. The formal definition follows.

Let $k \in \mathbb{N}$ be the security parameter, $w$ and $\lambda$ be two values that are at most polynomial in $k$, and $\Sigma$ be an alphabet of size $s$. Let $\mathcal{H} = \{H : \{0,1\}^w \to \Sigma^\lambda\}$ be a family of functions. For $H \in \mathcal{H}$, $K \in (\Sigma \cup \{*\})^\lambda$ and any $x \in \{0,1\}^w$ we define the following function, which colors strings in $\{0,1\}^w$:

$$F_{K,H}(x) = \begin{cases} R & \text{if } \forall i \in \{1,\dots,\lambda\}: H(x)_i = K_i \text{ or } K_i = * \\ B & \text{if } \exists i \in \{1,\dots,\lambda\}: K_i \neq * \text{ and } H(x)_i \neq K_i \end{cases}$$

For any $\mu \in \{0,\dots,\lambda\}$, we denote with $\mathcal{K}^{(\lambda,\mu)}$ the uniform distribution over $(\Sigma \cup \{*\})^\lambda$ such that exactly $\mu$ components are not $*$. Moreover, for every $H \in \mathcal{H}$, $K \in \mathcal{K}^{(\lambda,\mu)}$, and every vector $\vec{x} \in (\{0,1\}^w)^{Q+1}$ we define the function

$$\gamma(\vec{x}) = \Pr[F_{K,H}(x_0) = R \wedge F_{K,H}(x_1) = B \wedge F_{K,H}(x_2) = B \wedge \dots \wedge F_{K,H}(x_Q) = B].$$
Definition 3.1 [Admissible Hash Functions] $\mathcal{H} = \{H : \{0,1\}^w \to \Sigma^\lambda\}$ is a family of $(Q, \delta_{\min})$-admissible hash functions if for every polynomial $Q = Q(k)$, there exist an efficiently computable function $\mu = \mu(k)$, efficiently recognizable sets $bad_H \subseteq (\{0,1\}^w)^*$ and an inverse of a polynomial $\delta_{\min} = 1/\delta(k, Q)$ such that the following properties hold:

1. For every PPT algorithm A that, on input $H \in \mathcal{H}$, outputs $\vec{x} \in (\{0,1\}^w)^{Q+1}$, there exists a negligible function $\epsilon(k)$ such that:
$$\mathrm{Adv}^{adm}_{\mathcal{H}}(A) = \Pr[\vec{x} \in bad_H : H \leftarrow \mathcal{H}, \vec{x} \leftarrow A(H)] \le \epsilon(k)$$

2. For every $H \in \mathcal{H}$, $K \in \mathcal{K}^{(\lambda,\mu)}$, and every vector $\vec{x} \in (\{0,1\}^w)^{Q+1} \setminus bad_H$ such that $x_0 \notin \{x_1, \dots, x_Q\}$ we have: $\gamma(\vec{x}) \ge \delta_{\min}$.

3.1 Our transformation

Let WIBE be a WIBE scheme with identity space $ID = \Sigma$ of size $s$ and depth $\lambda L$, and $\mathcal{H} = \{H : \{0,1\}^w \to \Sigma^\lambda\}$ be a family of functions. Then we construct the following HIBE scheme that has identity space $ID = \{0,1\}^w$ and depth at most $L$:

HIBE.Setup: run $(mpk', msk') \leftarrow$ WIBE.Setup and select $H_1, \dots, H_L \leftarrow \mathcal{H}$. Output $mpk = (mpk', H_1, \dots, H_L)$ and $msk = msk'$.

HIBE.KeyDer($msk$, ID): let $ID = (ID_1, \dots, ID_l)$ and define $I = (H_1(ID_1), \dots, H_l(ID_l)) \in \Sigma^{\lambda l}$. Output $sk_{ID} = $ WIBE.KeyDer($msk$, $I$).
HIBE.Enc($mpk$, ID, m): let $ID = (ID_1, \dots, ID_l)$ and define $I = (H_1(ID_1), \dots, H_l(ID_l)) \in \Sigma^{\lambda l}$. Output $C = $ WIBE.Enc($mpk'$, $I$, m).

HIBE.Dec($sk_{ID}$, C): return $m = $ WIBE.Dec($sk_{ID}$, C).

Our scheme is very simple. Essentially, the HIBE algorithm uses the algorithms of the WIBE scheme in a black-box way, where each identity component $ID_i$ is first hashed using a function $H_i \in \mathcal{H}$. Boneh and Boyen show how to construct admissible hash functions based on collision-resistance and error-correction, and propose some concrete parameters for their instantiation (which satisfy our definition). In particular, for convenience of their construction, they consider functions that map to strings in an alphabet $\Sigma$ of size $s = 2$. Here we notice that if the given WIBE has an alphabet $\Sigma$ of size $s > 2$, then one can simply choose two values $x_1, x_2 \in \Sigma$, set $\Sigma' = \{x_1, x_2\}$, and then consider the same WIBE restricted to these two identities. The security of our scheme follows from the following theorem.

Theorem 3.2 If $\mathcal{H} = \{H : \{0,1\}^w \to \Sigma^\lambda\}$ is a family of $(Q, \delta_{\min})$-admissible hash functions, and WIBE is IND-sWID-CPA-secure, then the scheme HIBE given in Section 3 is IND-HID-CPA-secure, where the maximum hierarchy's depth $L$ is some fixed constant.

Proof Intuition. Although the scheme is simple, its proof of security is rather technical. Therefore, we first provide some informal intuition about our strategy. Intuitively speaking, the proof proceeds by showing an algorithm B that plays game IND-sWID-CPA against the scheme WIBE and simulates the game IND-HID-CPA to an adversary A against HIBE. B first generates the parameters for the admissible hash functions, which define partitions $\mathcal{B}$ and $\mathcal{R}$ of the identity space, and then it declares the set $\mathcal{R}$ as the challenge pattern (notice that by definition of $K \in \mathcal{K}^{(\lambda,\mu)}$, $\mathcal{R}$ can be described in a compact way using a pattern). Next, all secret key queries made by A for identities in $\mathcal{B}$ are forwarded by B to its own challenger, and the same can be done if the challenge identity chosen by A falls in $\mathcal{R}$.
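As an added example (not code from the paper), the following Python models the partitioning machinery behind Section 3.1 and the simulator B: the colouring $F_{K,H}$, the distribution $\mathcal{K}^{(\lambda,\mu)}$, the identity encoding $I = (H_1(ID_1), \dots, H_l(ID_l))$, the test of whether B may forward an Extract or LR query given the pattern $P = (K_1, \dots, K_L)$, and $\gamma(\vec{x})$ by exhaustive enumeration next to the Monte Carlo estimate $\hat\delta$ used before the artificial abort. The SHA-256-based $H$ is a constructed stand-in for a member of the admissible family, and comparing an $l$-level identity against the first $l$ blocks of $P$ is this example's convention for identities shorter than $L$.

```python
import hashlib
import itertools
import random

WILDCARD = "*"
RED, BLUE = "R", "B"

def make_hash(w, lam, alphabet, level):
    """Return H_level : {0,1}^w -> Sigma^lam derived from SHA-256, with the level as
    domain separator. Constructed stand-in for a member of the admissible family;
    it is NOT the Boneh-Boyen construction and has no admissibility guarantee."""
    def H(x):
        if len(x) != w or set(x) - {"0", "1"}:
            raise ValueError("identity component must be a w-bit string")
        out, ctr = [], 0
        while len(out) < lam:                      # extend the digest if lam > 32
            block = hashlib.sha256(f"{level}|{ctr}|{x}".encode()).digest()
            out.extend(alphabet[b % len(alphabet)] for b in block)
            ctr += 1
        return tuple(out[:lam])
    return H

def color(K, hx):
    """F_{K,H}(x): RED if every coordinate i has K_i = * or K_i = H(x)_i, else BLUE."""
    for k_i, h_i in zip(K, hx):
        if k_i != WILDCARD and k_i != h_i:
            return BLUE
    return RED

def sample_key(lam, mu, alphabet, rng=None):
    """Draw K from K^{(lam,mu)}: exactly mu non-wildcard coordinates, each uniform in Sigma."""
    rng = rng or random.Random()
    K = [WILDCARD] * lam
    for pos in rng.sample(range(lam), mu):
        K[pos] = rng.choice(alphabet)
    return tuple(K)

def all_keys(lam, mu, alphabet):
    """Enumerate the support of K^{(lam,mu)} (feasible only for toy parameters)."""
    for positions in itertools.combinations(range(lam), mu):
        for symbols in itertools.product(alphabet, repeat=mu):
            K = [WILDCARD] * lam
            for pos, sym in zip(positions, symbols):
                K[pos] = sym
            yield tuple(K)

def gamma_exact(hashed, lam, mu, alphabet):
    """gamma(x) = Pr_K[F(x_0) = R and F(x_1) = ... = F(x_Q) = B] by exhaustive enumeration
    over K; `hashed` holds the already hashed values H(x_0), H(x_1), ..., H(x_Q)."""
    keys = list(all_keys(lam, mu, alphabet))
    good = sum(1 for K in keys
               if color(K, hashed[0]) == RED
               and all(color(K, h) == BLUE for h in hashed[1:]))
    return good / len(keys)

def encode_identity(hashes, ID):
    """HIBE identity (ID_1, ..., ID_l) -> WIBE identity I = (H_1(ID_1), ..., H_l(ID_l))."""
    return tuple(sym for H, comp in zip(hashes, ID) for sym in H(comp))

def matches(I, P):
    """WIBE matching I in_* P: same length and agreement on every non-wildcard position."""
    return len(I) == len(P) and all(p == WILDCARD or p == s for p, s in zip(P, I))

def challenge_pattern(keys, l):
    """Pattern B hands to sw.Initialize, cut to the first l lambda-blocks so that an l-level
    identity can be compared against it (this example's convention for short identities)."""
    return tuple(sym for K in keys[:l] for sym in K)

def simulator_can_forward(hashes, keys, ID):
    """B forwards Extract(ID) to sw.Extract only if some level is BLUE; that is exactly the
    case in which the hashed identity does not match the challenge pattern."""
    l = len(ID)
    some_blue = any(color(keys[i], hashes[i](ID[i])) == BLUE for i in range(l))
    assert some_blue == (not matches(encode_identity(hashes, ID), challenge_pattern(keys, l)))
    return some_blue

def simulator_can_challenge(hashes, keys, ID_star):
    """B forwards LR(ID*, m_0, m_1) only if every level of ID* is RED."""
    return all(color(keys[i], hashes[i](ID_star[i])) == RED for i in range(len(ID_star)))

def estimate_delta(hashes, X, L, lam, mu, alphabet, samples, rng=None):
    """B's estimate delta-hat before the artificial abort: the fraction of fresh draws
    (K'_1, ..., K'_L) under which, at every level, the challenge X[0] is RED and each
    extracted identity in X[1:] is BLUE (mirrors the counting loop in Finalize)."""
    rng = rng or random.Random()
    eta = 0
    for _ in range(samples):
        keys = [sample_key(lam, mu, alphabet, rng) for _ in range(L)]
        if all(color(keys[i], hashes[i](X[0][i])) == RED
               and all(color(keys[i], hashes[i](x[i])) == BLUE for x in X[1:])
               for i in range(L)):
            eta += 1
    return eta / samples
```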
In particular, by the properties of admissible hash functions, the event that the identities of secret key queries fall in $\mathcal{B}$ and the challenge identity falls in $\mathcal{R}$ occurs with non-negligible probability. However, things are not that simple, as there may be unlucky events in which B is unable to simulate the right game to A and thus it needs to abort. As already occurred in other works [35, 22], these events may not be independent of the adversary's view, and one solution is to force the simulator to run an expensive artificial abort step. Our proof of Theorem 3.2 proceeds in this way, requiring B to (eventually) artificially abort at the end of the simulation. Alternatively, one can extend the techniques introduced by Bellare and Ristenpart in [5] to obtain a proof of Theorem 3.2 which avoids the need for artificial aborts. However, this requires a slightly different definition of admissible hash functions. In Appendix A we describe this alternative proof without artificial aborts. It may be of independent interest.

Proof: To prove Theorem 3.2 we describe a sequence of games that allows us to show that an adversary for the game IND-HID-CPA can be efficiently turned into an adversary for the game IND-sWID-CPA.

The simulator algorithm B. In Figure 6 we describe an adversary B that plays game IND-sWID-CPA against the scheme WIBE, by simulating the game IND-HID-CPA to an adversary A. To avoid confusion between the games IND-sWID-CPA and IND-HID-CPA, we prepend the prefix sw to the procedures of IND-sWID-CPA. In order to show that such a simulation can be carried out efficiently, we proceed by describing a sequence of games $G_0$–$G_8$, where $G_0$ is the game simulated by our algorithm B, and $G_8$ is essentially
Algorithm B:
  K_1, ..., K_L ← K^{(λ,μ)}
  P ← (K_1, ..., K_L)
  Run mpk' ← sw.Initialize(P)
  H_1, ..., H_L ← H
  cnt ← 1
  mpk ← (mpk', H_1, ..., H_L)
  Run A(mpk), answering queries as follows:

  Extract(ID):
    X_cnt ← ID, cnt ← cnt + 1
    let l = |ID|, I ← (H_1(ID_1), ..., H_l(ID_l))
    sk_ID ← ⊥
    If ∀i = 1..l: F_{K_i,H_i}(ID_i) = R Then bad ← true
    Else sk_ID ← sw.Extract(I)
    Return sk_ID

  LR(ID*, m_0, m_1):
    X_0 ← ID*
    let l* = |ID*|, I* ← (H_1(ID*_1), ..., H_{l*}(ID*_{l*}))
    C ← ⊥
    If ∃i ∈ [l*]: F_{K_i,H_i}(ID*_i) = B Then bad ← true
    Else C ← sw.LR(I*, m_0, m_1)
    Return C

  let β' be A's output
  If ∃i ∈ [L]: X_i ∈ bad_{H_i} Then β' ← {0,1}
  If bad ≠ true
    η ← 0
    for j = 1 to ⌈kS/δ_min^L⌉ do
      K'_1, ..., K'_L ← K^{(λ,μ)}
      If ∧_{i=1}^{L} (F_{K'_i,H_i}(X_{0,i}) = R ∧ F_{K'_i,H_i}(X_{1,i}) = B ∧ ... ∧ F_{K'_i,H_i}(X_{Q,i}) = B) Then η ← η + 1
    δ̂ ← η / ⌈kS/δ_min^L⌉
    Set bad ← true with probability 1 − δ_min^L/δ̂
  If bad = true Then β' ← {0,1}
  sw.Finalize(β')

procedure Initialize: Games G_0–G_3
  001 K_1, ..., K_L ← K^{(λ,μ)}
  002 P ← (K_1, ..., K_L)
  003 (mpk', msk') ← WIBE.Setup; β ← {0,1}
  004 H_1, ..., H_L ← H
  005 cnt ← 1
  006 mpk ← (mpk', H_1, ..., H_L)
  007 return mpk

procedure Extract(ID): Games G_0, ⟦G_1⟧
  010 X_cnt ← ID; cnt ← cnt + 1
  011 let l = |ID|, I ← (H_1(ID_1), ..., H_l(ID_l))
  012 sk_ID ← ⊥
  013 If ∀i = 1..l: F_{K_i,H_i}(ID_i) = R Then
  014   bad ← true
  015   ⟦sk_ID ← WIBE.KeyDer(msk', I)⟧
  016 Else sk_ID ← WIBE.KeyDer(msk', I)
  017 Return sk_ID

procedure LR(ID*, m_0, m_1): Games G_0, ⟦G_1⟧
  020 X_0 ← ID*
  021 let l* = |ID*|, I* ← (H_1(ID*_1), ..., H_{l*}(ID*_{l*}))
  022 C ← ⊥
  023 If ∃i ∈ [l*]: F_{K_i,H_i}(ID*_i) = B Then
  024   bad ← true
  025   ⟦C ← WIBE.Enc(mpk', I*, m_β)⟧
  026 Else
  027   C ← WIBE.Enc(mpk', I*, m_β)
  028 return C

procedure Finalize(β'): Games G_0, ⟦G_1⟧
  030 If ∃i ∈ [L]: X_i ∈ bad_{H_i} Then β' ← {0,1}
  031 β'' ← β'
  032 If bad ≠ true
  033   η ← 0
  034   for j = 1 to ⌈kS/δ_min^L⌉ do
  035     K'_1, ..., K'_L ← K^{(λ,μ)}
  036     If ∧_{i=1}^{L} (F_{K'_i,H_i}(X_{0,i}) = R ∧ F_{K'_i,H_i}(X_{1,i}) = B ∧ ... ∧ F_{K'_i,H_i}(X_{Q,i}) = B) Then
  037       η ← η + 1
  038   δ̂ ← η / ⌈kS/δ_min^L⌉
  039   Set bad ← true with probability 1 − δ_min^L/δ̂
  040 If bad = true Then β' ← {0,1}, ⟦β' ← β''⟧
  041 If β' = β Then return 1 Else return 0

Figure 6: Adversary B and description of the games G_0 and G_1 (boxed statements are shown in ⟦ ⟧).
IND-HID-CPA with some additional code that, however, does not condition the output. Our approach is based on code-based games where each game is defined as a set of procedures that can be run by the adversary.

Before focusing on the game sequence, we first show that the simulation provided by B is correct whenever bad is not set, and that B plays the game IND-sWID-CPA correctly. For ease of exposition we assume that the adversary always outputs identities of the same (maximum) length $L$. However, this can be formalized by assuming that for any set of identities $(ID_0, \dots, ID_Q)$ output by A, for $i = 1$ to $Q$ all those $ID_i$ such that $|ID_i| < L$ are padded to reach length $L$ using some special symbol so that $F_{H_j,K_j}(ID_{i,j})$ always returns B on positions $j$ such that $|ID_i| < j \le L$. On the other hand, if the challenge identity has length $l^* < L$, then it is padded with some symbol so that $F_{H_j,K_j}(ID_{0,j})$ always returns R on positions $j > l^*$.

First, observe that all the identities $I$ for which B runs sw.Extract($I$) are legitimate queries, namely they do not match the challenge pattern $P$ declared by B to sw.Initialize. In the code of B, if sw.Extract($I$) is called, then there exists an index $i \in \{1, \dots, l\}$ for which $F_{K_i,H_i}(ID_i) = B$, namely $I_i \neq P_i$ (and $P_i \neq *$), thus $I \notin_* P$. Second, note that the ciphertext $C$ is distributed as the challenge ciphertext in the game IND-HID-CPA for the scheme HIBE. However, we also have to check that the procedure sw.LR is run on an identity $I^* \in_* P$. To see this, observe that the procedure is run only if bad is not set, namely when $F_{H_i,K_i}(ID^*_i) = R$ for all $i \in [l^*]$, which is equivalent to saying $I^* \in_* P$.

A critical part in B's simulation is that it may set bad ← true and, as a consequence, B returns a random bit (basically, it fails its simulation). Such a bad event depends on the values $K_1, \dots, K_L$ chosen by B as well as on the set of identities asked by A to Extract and LR. As shown in other works, such as [35], these cases are problematic as the event that the simulation fails is not independent of the adversary's view.
This difficulty is overcome by introducing an artificial abort event in the simulation that allows one to balance the probability of failing so that it is sufficiently independent of the adversary's view. This is why, at the end of the simulation, even if bad was not set, the algorithm B may abort. Precisely, the simulator B proceeds as follows. Before terminating the simulation, B repeats $\lceil kS/\delta_{\min}^L \rceil$ times the following step: it samples $L$ vectors $K'_1, \dots, K'_L$ as at the beginning of the simulation, and for each sample it checks whether such a choice (combined with the given set $X$ of identities returned by the adversary) would set bad ← true or not. At the end of this step, B evaluates on the fly the average probability, over the random choices of the vectors $K'$, that bad is set, given the set $X$. Let $\hat\delta$ be such an estimate; then B sets bad ← true with probability $1 - \delta_{\min}^L/\hat\delta$. In particular, here $S$ is an arbitrary polynomial such that, by Hoeffding's inequality, $\lceil kS/\delta_{\min}^L \rceil$ samples are sufficient to get $\hat\delta \ge \delta_{\min}^L$ such that

$$\Pr\left[\,|\Gamma(X) - \hat\delta| \ge \frac{\delta_{\min}^L}{S}\,\right] \le \frac{1}{2^k}. \quad (1)$$

The sequence of games. Now, let us focus on the sequence of games $G_0$–$G_8$. In particular, Lemma 3.3 given below proves that we can move from the game IND-sWID-CPA played by B to game $G_4$. Following the notation given in Section 2, we write $G^A \Rightarrow b$ to denote that an execution of game $G$ by A returns $b$. Also, let $Bad_i$ (resp. $Good_i$) be the event that $G_i$ sets (resp. does not set) bad ← true. Our adversary B and the games $G_0$–$G_8$ are described in Figures 6 and 7. When some games share a procedure with very similar code we use a compact description with boxed statements. If a
procedure Extract(ID): Game G_2
  210 X_cnt ← ID; cnt ← cnt + 1
  211 let l = |ID|, I ← (H_1(ID_1), ..., H_l(ID_l))
  212 If ∀i = 1..l: F_{K_i,H_i}(ID_i) = R Then
  213   bad ← true
  214 sk_ID ← WIBE.KeyDer(msk', I)
  215 Return sk_ID

procedure LR(ID*, m_0, m_1): Game G_2
  220 X_0 ← ID*
  221 let l* = |ID*|, I* ← (H_1(ID*_1), ..., H_{l*}(ID*_{l*}))
  222 If ∃i ∈ [l*]: F_{K_i,H_i}(ID*_i) = B Then
  223   bad ← true
  224 C ← WIBE.Enc(mpk', I*, m_β)
  225 return C

procedure Finalize(β'): Games G_2, ⟦G_3⟧
  230 If ∃i ∈ [L]: X_i ∈ bad_{H_i} Then β' ← {0,1}
  231 ⟦for j = 1 to cnt do
  232   let l_j ← |X_j|
  233   If ∀i = 1..l_j: F_{K_i,H_i}(X_{j,i}) = R Then
  234     bad ← true
  235 If ∃i ∈ [l*]: F_{K_i,H_i}(X_{0,i}) = B Then
  236   bad ← true⟧
  237 If bad ≠ true
  238   η ← 0
  239   for j = 1 to ⌈kS/δ_min^L⌉ do
  240     K'_1, ..., K'_L ← K^{(λ,μ)}
  241     If ∧_{i=1}^{L} (F_{K'_i,H_i}(X_{0,i}) = R ∧ F_{K'_i,H_i}(X_{1,i}) = B ∧ ... ∧ F_{K'_i,H_i}(X_{Q,i}) = B) Then
  242       η ← η + 1
  243   δ̂ ← η / ⌈kS/δ_min^L⌉
  244   Set bad ← true with probability 1 − δ_min^L/δ̂
  245 If β' = β Then return 1 Else return 0

procedure Extract(ID): Games G_3–G_8
  310 X_cnt ← ID; cnt ← cnt + 1
  311 let l = |ID|, I ← (H_1(ID_1), ..., H_l(ID_l))
  312 sk_ID ← WIBE.KeyDer(msk', I)
  313 Return sk_ID

procedure LR(ID*, m_0, m_1): Games G_3–G_8
  320 X_0 ← ID*
  321 let l* = |ID*|, I* ← (H_1(ID*_1), ..., H_{l*}(ID*_{l*}))
  322 C ← WIBE.Enc(mpk', I*, m_β)
  323 return C

procedure Initialize: Games G_4–G_8
  400 (mpk', msk') ← WIBE.Setup; β ← {0,1}
  401 H_1, ..., H_L ← H
  402 mpk ← (mpk', H_1, ..., H_L)
  403 cnt ← 1
  404 return mpk

procedure Finalize(β'): Games G_4, ⟦G_5⟧
  430 If ∃i ∈ [L]: X_i ∈ bad_{H_i} Then β' ← {0,1}
  431 K_1, ..., K_L ← K^{(λ,μ)}
  432 for j = 1 to cnt do
  433   let l_j ← |X_j|
  434   If ∀i = 1..l_j: F_{K_i,H_i}(X_{j,i}) = R Then
  435     bad ← true
  436 If ∃i ∈ [l*]: F_{K_i,H_i}(X_{0,i}) = B Then
  437   bad ← true
  438 If bad ≠ true
  439   η ← 0
  440   for j = 1 to ⌈kS/δ_min^L⌉ do
  441     K'_1, ..., K'_L ← K^{(λ,μ)}
  442     If ∧_{i=1}^{L} (F_{K'_i,H_i}(X_{0,i}) = R ∧ F_{K'_i,H_i}(X_{1,i}) = B ∧ ... ∧ F_{K'_i,H_i}(X_{Q,i}) = B) Then
  443       η ← η + 1
  444   δ̂ ← η / ⌈kS/δ_min^L⌉
  445   Set bad ← true with probability 1 − δ_min^L/δ̂
  446 ⟦If bad = true Then β' ← {0,1}⟧
  447 If β' = β Then return 1 Else return 0

procedure Finalize(β'): Game G_6
  640 If ∃i ∈ [L]: X_i ∈ bad_{H_i} Then β' ← {0,1}
  641 Set bad ← true with probability 1 − δ_min^L
  642 If bad = true Then β' ← {0,1}
  643 If β' = β Then return 1 Else return 0

procedure Finalize(β'): Game G_7
  740 If ∃i ∈ [L]: X_i ∈ bad_{H_i} Then β' ← {0,1}
  741 If β' = β Then return 1 Else return 0

procedure Finalize(β'): Game G_8
  840 If β' = β Then return 1 Else return 0

Figure 7: Description of the Games from G_2 to G_8 (boxed statements are shown in ⟦ ⟧).
procedure is shared by games $G_i, G_j, \dots, G_k$, and $G_i$ is boxed, then the code of the given procedure in $G_i$ includes the boxed statements, whereas its code in the other games does not. To better understand the notation one may look at Figure 6 for an example. There, the Finalize procedure is shared by games $G_0$ and $G_1$, and $G_1$ is written in a box. This means that Finalize in $G_1$ contains the statement $\beta' \leftarrow \beta''$ of line 040, whereas this statement is not present in game $G_0$.

Lemma 3.3 $\mathrm{Adv}^{\text{IND-sWID-CPA}}_{WIBE}(B) = 2 \Pr[G_4^A \Rightarrow 1 \wedge Good_4] - \Pr[Good_4]$.

Proof: To prove the lemma we will analyze the differences between each consecutive pair of games. First, we focus on the code of B and game $G_0$. The procedure Initialize contains in line 003 the code of sw.Initialize. Moreover, line 016 and line 027 contain the code of sw.Extract and sw.LR respectively. Finally, it is not hard to notice that the code of the Finalize procedure is an equivalent implementation of the way B concludes its simulation and executes sw.Finalize. Therefore, we have:

$$\Pr[\text{IND-sWID-CPA}^B \Rightarrow 1] = \Pr[G_0^A \Rightarrow 1] = \Pr[G_0^A \Rightarrow 1 \mid Bad_0]\Pr[Bad_0] + \Pr[G_0^A \Rightarrow 1 \wedge Good_0] = \tfrac{1}{2}\Pr[Bad_0] + \Pr[G_0^A \Rightarrow 1 \wedge Good_0] \quad (2)$$

where Equation (2) is justified by the fact that the Finalize procedure of $G_0$ outputs a random bit when bad is set.

If we look at the differences between the games $G_0$ and $G_1$ we can observe that $G_1$ contains some additional lines of code (highlighted in the framed boxes). Such changes make sure that Extract and LR never return $\bot$. Also, in $G_1$ Finalize is modified in line 040 (by adding $\beta' \leftarrow \beta''$) so that the procedure's output does not depend on bad = true. Since in game $G_0$ the events that Extract and LR return $\bot$ and that Finalize takes $\beta'$ at random both occur only if bad is set, $G_0$ and $G_1$ are identical-until-bad. Thus, we can apply Lemma 2.1 to obtain:

$$\Pr[Bad_0] = \Pr[Bad_1] \quad \text{and} \quad \Pr[G_0^A \Rightarrow 1 \wedge Good_0] = \Pr[G_1^A \Rightarrow 1 \wedge Good_1] \quad (3)$$

Now, let us compare games $G_1$ and $G_2$. The changes in the Extract and LR procedures are only syntactical. Lines 015, 016 (resp. 025, 027) of $G_1$ have been moved to line 214 (resp.
224) of $G_2$. So $G_2$ is equivalent to $G_1$:

$$\Pr[Bad_1] = \Pr[Bad_2] \quad \text{and} \quad \Pr[G_1^A \Rightarrow 1 \wedge Good_1] = \Pr[G_2^A \Rightarrow 1 \wedge Good_2] \quad (4)$$

Let us now consider $G_2$ and $G_3$. In game $G_2$, both Extract and LR may set bad, in lines 212–213 and 222–223 respectively. However, this operation no longer influences the behavior of either procedure. So, in $G_3$ these lines are moved to the end of the game, into the procedure Finalize. Moreover, in order for this change to be described correctly, $G_3$ introduces a counter and a labeling for the queried identities. Again, these changes in the code are only syntactical. Thus the two games are identical, and we have:

$$\Pr[Bad_2] = \Pr[Bad_3] \quad \text{and} \quad \Pr[G_2^A \Rightarrow 1 \wedge Good_2] = \Pr[G_3^A \Rightarrow 1 \wedge Good_3] \quad (5)$$
Finally, we show that $G_3$ and $G_4$ are identically distributed as well. The only change is that line 001 of $G_3$ is moved to line 431 of Finalize in $G_4$. Since in $G_3$ the values $K_1, \dots, K_L$ are used only in Finalize, this code can be postponed there. Thus we have:

$$\Pr[Bad_3] = \Pr[Bad_4] \quad \text{and} \quad \Pr[G_3^A \Rightarrow 1 \wedge Good_3] = \Pr[G_4^A \Rightarrow 1 \wedge Good_4] \quad (6)$$

Finally, if we put together Equations (2), (3), (4), (5) and (6) we obtain:

$$\mathrm{Adv}^{\text{IND-sWID-CPA}}_{WIBE}(B) = 2 \Pr[\text{IND-sWID-CPA}^B \Rightarrow 1] - 1 = \Pr[Bad_4] + 2 \Pr[G_4^A \Rightarrow 1 \wedge Good_4] - 1 = 2 \Pr[G_4^A \Rightarrow 1 \wedge Good_4] - \Pr[Good_4] \quad (7)$$

which completes the proof of the Lemma.

Next, if we look at games $G_4$ and $G_5$, we notice that the only difference is that $G_5$ replaces the value of $\beta'$ with a random bit when bad = true. Since this action is performed only if bad is set, games $G_4$ and $G_5$ are identical-until-bad, and thus we can apply the restatement of the fundamental Lemma of game-playing (i.e., Lemma 2.1) to obtain:

$$\Pr[Bad_4] = \Pr[Bad_5] \quad \text{and} \quad \Pr[G_4^A \Rightarrow 1 \wedge Good_4] = \Pr[G_5^A \Rightarrow 1 \wedge Good_5] \quad (8)$$

Now, let us focus on the games $G_5$ and $G_6$. We observe that lines 431–445 of game $G_5$ are substituted with line 641 in game $G_6$. In particular, in the latter game bad is set true with independent probability $1 - \delta_{\min}^L$. Since $\Pr[Good_5] = \delta_{\min}^L \, \Gamma(X)/\hat\delta$, and the condition of Equation (1) holds, we obtain that the difference

$$|\Pr[Good_5] - \Pr[Good_6]| = \frac{\delta_{\min}^L}{\hat\delta}\,|\Gamma(X) - \hat\delta| \le \frac{\delta_{\min}^L}{S}$$

holds with probability $1 - 1/2^k$. Thus we have:

$$\left|\Pr[G_5^A \Rightarrow 1] - \Pr[G_6^A \Rightarrow 1]\right| \le \frac{\delta_{\min}^L}{S} + \frac{1}{2^k} \quad (9)$$

Game $G_7$ is the same as $G_6$ except that the Finalize procedure does not set bad. So we have:

$$2 \Pr[G_6^A \Rightarrow 1] - 1 = \delta_{\min}^L \left(2 \Pr[G_7^A \Rightarrow 1] - 1\right) \quad (10)$$

Finally, observe that game $G_8$ differs from game $G_7$ as it no longer contains line 740. So, it is easy to observe that a trivial reduction would show that any efficient distinguisher between the two games would reduce to the first condition of admissible hash functions, namely:

$$\left|\Pr[G_8^A \Rightarrow 1] - \Pr[G_7^A \Rightarrow 1]\right| \le L \cdot \mathrm{Adv}^{adm}_{\mathcal{H}}(C) \quad (11)$$
Finally, one can easily note that game $G_8$ is essentially the same as the game IND-HID-CPA with some additional bookkeeping. So we can write:

$$\begin{aligned}
\mathrm{Adv}^{\text{IND-HID-CPA}}_{HIBE}(A) &= 2 \Pr[G_8^A \Rightarrow 1] - 1 \\
&\le 2 \Pr[G_7^A \Rightarrow 1] - 1 + 2L\,\mathrm{Adv}^{adm}_{\mathcal{H}}(C) & (12) \\
&= \frac{2 \Pr[G_6^A \Rightarrow 1] - 1}{\delta_{\min}^L} + 2L\,\mathrm{Adv}^{adm}_{\mathcal{H}}(C) & (13) \\
&\le \frac{2 \Pr[G_5^A \Rightarrow 1] - 1}{\delta_{\min}^L} + 2\left(\frac{1}{S} + \frac{1}{2^k \delta_{\min}^L}\right) + 2L\,\mathrm{Adv}^{adm}_{\mathcal{H}}(C) & (14) \\
&= \frac{2 \Pr[G_4^A \Rightarrow 1 \wedge Good_4] - \Pr[Good_4]}{\delta_{\min}^L} + 2\left(\frac{1}{S} + \frac{1}{2^k \delta_{\min}^L}\right) + 2L\,\mathrm{Adv}^{adm}_{\mathcal{H}}(C) & (15) \\
&= \frac{\mathrm{Adv}^{\text{IND-sWID-CPA}}_{WIBE}(B)}{\delta_{\min}^L} + 2\left(\frac{1}{S} + \frac{1}{2^k \delta_{\min}^L}\right) + 2L\,\mathrm{Adv}^{adm}_{\mathcal{H}}(C) & (16)
\end{aligned}$$

Equation (12) is obtained by applying Equation (11), while Equation (13) derives from Equation (10). Equation (14) is obtained by applying the difference between games $G_5$ and $G_6$ noted in Equation (9). Equation (15) comes from the fact that $G_4$ and $G_5$ are identical-until-bad (see Equation (8)), and finally the last result (16) is obtained by combining Equations (15) and (7). This completes the proof of Theorem 3.2.

Due to the exponential factor $L$, we notice that the reduction is meaningful when the maximum hierarchy's depth $L$ is some fixed constant.

Remark 3.4 Even though our transformation requires a WIBE scheme with $\lambda L$ levels to get a HIBE with $L$ levels, we observe that the HIBE key derivation algorithm will use the WIBE key derivation at most $L$ times. The point is that while $L$ is supposed to be a constant, $\lambda$ can instead be non-constant, as is the case for known constructions of admissible hash functions, whose output length depends on the number of secret key queries made by the adversary. This might have been a problem for those WIBE schemes that do not support key derivation (delegation) for a polynomial number of levels, such as our lattice-based scheme in Section 6.

3.2 Extensions of our transformation

Our transformation easily allows for two extensions.

Obtaining an IBE. If one is interested in constructing only an IBE, then our transformation easily works. In particular, we observe that to construct an IBE we can use a WIBE scheme with hierarchy of depth $\lambda$ (instead of $\lambda L$). Furthermore, the WIBE does not need to satisfy the delegation property.
Therefore, we can state the following Corollary:

Corollary 3.5 Let IBE be the IBE scheme defined as HIBE using a scheme WIBE of depth $\lambda$. If $\mathcal{H} = \{H : \{0,1\}^w \to \Sigma^\lambda\}$ is a family of $(Q, \delta_{\min})$-admissible hash functions, and WIBE is IND-sWID-CPA-secure (even without the delegation property), then the scheme IBE described above is IND-ID-CPA-secure.

The transformation in the CML model. It is interesting to note that our transformation from a selective-secure WIBE to a fully-secure HIBE scheme works also in the CML model (whose
More informationCHOLESTEROL REFERENCE METHOD LABORATORY NETWORK. Sample Stability Protocol
CHOLESTEROL REFERENCE METHOD LABORATORY NETWORK Sample Stablty Protocol Background The Cholesterol Reference Method Laboratory Network (CRMLN) developed certfcaton protocols for total cholesterol, HDL
More informationDEFINING %COMPLETE IN MICROSOFT PROJECT
CelersSystems DEFINING %COMPLETE IN MICROSOFT PROJECT PREPARED BY James E Aksel, PMP, PMISP, MVP For Addtonal Informaton about Earned Value Management Systems and reportng, please contact: CelersSystems,
More informationPractical and Secure Solutions for Integer Comparison
In Publc Key Cryptography PKC 07, Vol. 4450 of Lecture Notes n Computer Scence, SprngerVerlag, 2007. pp. 330342. Practcal and Secure Solutons for Integer Comparson Juan Garay 1, erry Schoenmakers 2,
More informationA Verifiable Secret Shuffle of Homomorphic. encryptions.
A Verfable Secret Shuffle of Homomorphc Encryptons Jens Groth 1 Department of Computer Scence, UCLA 3531A Boelter Hall Los Angeles, CA 900951596 USA jg@cs.ucla.edu Abstract. A shuffle conssts of a permutaton
More informationAnswer: A). There is a flatter IS curve in the high MPC economy. Original LM LM after increase in M. IS curve for low MPC economy
4.02 Quz Solutons Fall 2004 MultpleChoce Questons (30/00 ponts) Please, crcle the correct answer for each of the followng 0 multplechoce questons. For each queston, only one of the answers s correct.
More informationSection 5.3 Annuities, Future Value, and Sinking Funds
Secton 5.3 Annutes, Future Value, and Snkng Funds Ordnary Annutes A sequence of equal payments made at equal perods of tme s called an annuty. The tme between payments s the payment perod, and the tme
More informationFeature selection for intrusion detection. Slobodan Petrović NISlab, Gjøvik University College
Feature selecton for ntruson detecton Slobodan Petrovć NISlab, Gjøvk Unversty College Contents The feature selecton problem Intruson detecton Traffc features relevant for IDS The CFS measure The mrmr measure
More informationANALYZING THE RELATIONSHIPS BETWEEN QUALITY, TIME, AND COST IN PROJECT MANAGEMENT DECISION MAKING
ANALYZING THE RELATIONSHIPS BETWEEN QUALITY, TIME, AND COST IN PROJECT MANAGEMENT DECISION MAKING Matthew J. Lberatore, Department of Management and Operatons, Vllanova Unversty, Vllanova, PA 19085, 6105194390,
More information1.1 The University may award Higher Doctorate degrees as specified from timetotime in UPR AS11 1.
HIGHER DOCTORATE DEGREES SUMMARY OF PRINCIPAL CHANGES General changes None Secton 3.2 Refer to text (Amendments to verson 03.0, UPR AS02 are shown n talcs.) 1 INTRODUCTION 1.1 The Unversty may award Hgher
More informationSketching Sampled Data Streams
Sketchng Sampled Data Streams Florn Rusu, Aln Dobra CISE Department Unversty of Florda Ganesvlle, FL, USA frusu@cse.ufl.edu adobra@cse.ufl.edu Abstract Samplng s used as a unversal method to reduce the
More informationTracker: Security and Privacy for RFIDbased Supply Chains
Tracker: Securty and Prvacy for RFIDbased Supply Chans ErkOlver Blass Kaoutar Elkhyaou Refk Molva EURECOM Sopha Antpols, France {blass elkhyao molva}@eurecom.fr Abstract The counterfetng of pharmaceutcs
More informationSolutions to the exam in SF2862, June 2009
Solutons to the exam n SF86, June 009 Exercse 1. Ths s a determnstc perodcrevew nventory model. Let n = the number of consdered wees,.e. n = 4 n ths exercse, and r = the demand at wee,.e. r 1 = r = r
More informationFormula of Total Probability, Bayes Rule, and Applications
1 Formula of Total Probablty, Bayes Rule, and Applcatons Recall that for any event A, the par of events A and A has an ntersecton that s empty, whereas the unon A A represents the total populaton of nterest.
More informationActivity Scheduling for CostTime Investment Optimization in Project Management
PROJECT MANAGEMENT 4 th Internatonal Conference on Industral Engneerng and Industral Management XIV Congreso de Ingenería de Organzacón Donosta San Sebastán, September 8 th 10 th 010 Actvty Schedulng
More informationBrigid Mullany, Ph.D University of North Carolina, Charlotte
Evaluaton And Comparson Of The Dfferent Standards Used To Defne The Postonal Accuracy And Repeatablty Of Numercally Controlled Machnng Center Axes Brgd Mullany, Ph.D Unversty of North Carolna, Charlotte
More informationGeneralizing the degree sequence problem
Mddlebury College March 2009 Arzona State Unversty Dscrete Mathematcs Semnar The degree sequence problem Problem: Gven an nteger sequence d = (d 1,...,d n ) determne f there exsts a graph G wth d as ts
More informationInterIng 2007. INTERDISCIPLINARITY IN ENGINEERING SCIENTIFIC INTERNATIONAL CONFERENCE, TG. MUREŞ ROMÂNIA, 1516 November 2007.
InterIng 2007 INTERDISCIPLINARITY IN ENGINEERING SCIENTIFIC INTERNATIONAL CONFERENCE, TG. MUREŞ ROMÂNIA, 1516 November 2007. UNCERTAINTY REGION SIMULATION FOR A SERIAL ROBOT STRUCTURE MARIUS SEBASTIAN
More informationCommunication Networks II Contents
8 / 1  Communcaton Networs II (Görg)  www.comnets.unbremen.de Communcaton Networs II Contents 1 Fundamentals of probablty theory 2 Traffc n communcaton networs 3 Stochastc & Marovan Processes (SP
More informationJ. Parallel Distrib. Comput.
J. Parallel Dstrb. Comput. 71 (2011) 62 76 Contents lsts avalable at ScenceDrect J. Parallel Dstrb. Comput. journal homepage: www.elsever.com/locate/jpdc Optmzng server placement n dstrbuted systems n
More informationLinear Circuits Analysis. Superposition, Thevenin /Norton Equivalent circuits
Lnear Crcuts Analyss. Superposton, Theenn /Norton Equalent crcuts So far we hae explored tmendependent (resste) elements that are also lnear. A tmendependent elements s one for whch we can plot an / cure.
More informationLoop Parallelization
  Loop Parallelzaton C52 Complaton steps: nested loops operatng on arrays, sequentell executon of teraton space DECLARE B[..,..+] FOR I :=.. FOR J :=.. I B[I,J] := B[I,J]+B[I,J] ED FOR ED FOR analyze
More informationPeriod and Deadline Selection for Schedulability in RealTime Systems
Perod and Deadlne Selecton for Schedulablty n RealTme Systems Thdapat Chantem, Xaofeng Wang, M.D. Lemmon, and X. Sharon Hu Department of Computer Scence and Engneerng, Department of Electrcal Engneerng
More informationAn Optimally Robust Hybrid Mix Network (Extended Abstract)
An Optmally Robust Hybrd Mx Network (Extended Abstract) Markus Jakobsson and Ar Juels RSA Laboratores Bedford, MA, USA {mjakobsson,ajuels}@rsasecurty.com Abstract We present a mx network that acheves effcent
More informationA Lyapunov Optimization Approach to Repeated Stochastic Games
PROC. ALLERTON CONFERENCE ON COMMUNICATION, CONTROL, AND COMPUTING, OCT. 2013 1 A Lyapunov Optmzaton Approach to Repeated Stochastc Games Mchael J. Neely Unversty of Southern Calforna http://wwwbcf.usc.edu/
More informationVision Mouse. Saurabh Sarkar a* University of Cincinnati, Cincinnati, USA ABSTRACT 1. INTRODUCTION
Vson Mouse Saurabh Sarkar a* a Unversty of Cncnnat, Cncnnat, USA ABSTRACT The report dscusses a vson based approach towards trackng of eyes and fngers. The report descrbes the process of locatng the possble
More informationThe Development of Web Log Mining Based on ImproveKMeans Clustering Analysis
The Development of Web Log Mnng Based on ImproveKMeans Clusterng Analyss TngZhong Wang * College of Informaton Technology, Luoyang Normal Unversty, Luoyang, 471022, Chna wangtngzhong2@sna.cn Abstract.
More informationA Novel Methodology of Working Capital Management for Large. Public Constructions by Using Fuzzy Scurve Regression
Novel Methodology of Workng Captal Management for Large Publc Constructons by Usng Fuzzy Scurve Regresson ChengWu Chen, Morrs H. L. Wang and TngYa Hseh Department of Cvl Engneerng, Natonal Central Unversty,
More informationThe covariance is the two variable analog to the variance. The formula for the covariance between two variables is
Regresson Lectures So far we have talked only about statstcs that descrbe one varable. What we are gong to be dscussng for much of the remander of the course s relatonshps between two or more varables.
More informationMinimal Coding Network With Combinatorial Structure For Instantaneous Recovery From Edge Failures
Mnmal Codng Network Wth Combnatoral Structure For Instantaneous Recovery From Edge Falures Ashly Joseph 1, Mr.M.Sadsh Sendl 2, Dr.S.Karthk 3 1 Fnal Year ME CSE Student Department of Computer Scence Engneerng
More informationProject Networks With MixedTime Constraints
Project Networs Wth MxedTme Constrants L Caccetta and B Wattananon Western Australan Centre of Excellence n Industral Optmsaton (WACEIO) Curtn Unversty of Technology GPO Box U1987 Perth Western Australa
More informationdenote the location of a node, and suppose node X . This transmission causes a successful reception by node X for any other node
Fnal Report of EE359 Class Proect Throughput and Delay n Wreless Ad Hoc Networs Changhua He changhua@stanford.edu Abstract: Networ throughput and pacet delay are the two most mportant parameters to evaluate
More informationA ReplicationBased and Fault Tolerant Allocation Algorithm for Cloud Computing
A ReplcatonBased and Fault Tolerant Allocaton Algorthm for Cloud Computng Tork Altameem Dept of Computer Scence, RCC, Kng Saud Unversty, PO Box: 28095 11437 RyadhSaud Araba Abstract The very large nfrastructure
More informationRESEARCH DISCUSSION PAPER
Reserve Bank of Australa RESEARCH DISCUSSION PAPER Competton Between Payment Systems George Gardner and Andrew Stone RDP 200902 COMPETITION BETWEEN PAYMENT SYSTEMS George Gardner and Andrew Stone Research
More informationCHAPTER 14 MORE ABOUT REGRESSION
CHAPTER 14 MORE ABOUT REGRESSION We learned n Chapter 5 that often a straght lne descrbes the pattern of a relatonshp between two quanttatve varables. For nstance, n Example 5.1 we explored the relatonshp
More informationMultiplePeriod Attribution: Residuals and Compounding
MultplePerod Attrbuton: Resduals and Compoundng Our revewer gave these authors full marks for dealng wth an ssue that performance measurers and vendors often regard as propretary nformaton. In 1994, Dens
More informationFINANCIAL MATHEMATICS. A Practical Guide for Actuaries. and other Business Professionals
FINANCIAL MATHEMATICS A Practcal Gude for Actuares and other Busness Professonals Second Edton CHRIS RUCKMAN, FSA, MAAA JOE FRANCIS, FSA, MAAA, CFA Study Notes Prepared by Kevn Shand, FSA, FCIA Assstant
More informationPassive Filters. References: Barbow (pp 265275), Hayes & Horowitz (pp 3260), Rizzoni (Chap. 6)
Passve Flters eferences: Barbow (pp 6575), Hayes & Horowtz (pp 360), zzon (Chap. 6) Frequencyselectve or flter crcuts pass to the output only those nput sgnals that are n a desred range of frequences (called
More informationNew bounds in BalogSzemerédiGowers theorem
New bounds n BalogSzemerédGowers theorem By Tomasz Schoen Abstract We prove, n partcular, that every fnte subset A of an abelan group wth the addtve energy κ A 3 contans a set A such that A κ A and A
More informationForecasting the Direction and Strength of Stock Market Movement
Forecastng the Drecton and Strength of Stock Market Movement Jngwe Chen Mng Chen Nan Ye cjngwe@stanford.edu mchen5@stanford.edu nanye@stanford.edu Abstract  Stock market s one of the most complcated systems
More informationWe are now ready to answer the question: What are the possible cardinalities for finite fields?
Chapter 3 Fnte felds We have seen, n the prevous chapters, some examples of fnte felds. For example, the resdue class rng Z/pZ (when p s a prme) forms a feld wth p elements whch may be dentfed wth the
More informationCS 2750 Machine Learning. Lecture 17a. Clustering. CS 2750 Machine Learning. Clustering
Lecture 7a Clusterng Mlos Hauskrecht mlos@cs.ptt.edu 539 Sennott Square Clusterng Groups together smlar nstances n the data sample Basc clusterng problem: dstrbute data nto k dfferent groups such that
More informationConversion between the vector and raster data structures using Fuzzy Geographical Entities
Converson between the vector and raster data structures usng Fuzzy Geographcal Enttes Cdála Fonte Department of Mathematcs Faculty of Scences and Technology Unversty of Combra, Apartado 38, 3 454 Combra,
More informationAN EFFICIENT GROUP AUTHENTICATION FOR GROUP COMMUNICATIONS
Internatonal Journal of Network Securty & Its Applcatons (IJNSA), Vol.5, No.3, May 2013 AN EFFICIENT GROUP AUTHENTICATION FOR GROUP COMMUNICATIONS Len Harn 1 and Changlu Ln 2 1 Department of Computer Scence
More informationA Novel Multifactor Authenticated Key Exchange Scheme With Privacy Preserving
A Novel Multfactor Authentcated Key Exchange Scheme Wth Prvacy Preservng Dexn Yang Guangzhou Cty Polytechnc Guangzhou, Chna, 510405 yangdexn@21cn.com Bo Yang South Chna Agrcultural Unversty Guangzhou,
More informationA Cryptographic Key Assignment Scheme for Access Control in Poset Ordered Hierarchies with Enhanced Security
Internatonal Journal of Network Securty, Vol.7, No., PP.3 34, Sept. 8 3 A ryptographc Key Assgnment Scheme for Access ontrol n Poset Ordered Herarches wth Enhanced Securty Debass Gr and P. D. Srvastava
More informationInterest Rate Fundamentals
Lecture Part II Interest Rate Fundamentals Topcs n Quanttatve Fnance: Inflaton Dervatves Instructor: Iraj Kan Fundamentals of Interest Rates In part II of ths lecture we wll consder fundamental concepts
More informationL10: Linear discriminants analysis
L0: Lnear dscrmnants analyss Lnear dscrmnant analyss, two classes Lnear dscrmnant analyss, C classes LDA vs. PCA Lmtatons of LDA Varants of LDA Other dmensonalty reducton methods CSCE 666 Pattern Analyss
More informationNordea G10 Alpha Carry Index
Nordea G10 Alpha Carry Index Index Rules v1.1 Verson as of 10/10/2013 1 (6) Page 1 Index Descrpton The G10 Alpha Carry Index, the Index, follows the development of a rule based strategy whch nvests and
More informationA DYNAMIC CRASHING METHOD FOR PROJECT MANAGEMENT USING SIMULATIONBASED OPTIMIZATION. Michael E. Kuhl Radhamés A. TolentinoPeña
Proceedngs of the 2008 Wnter Smulaton Conference S. J. Mason, R. R. Hll, L. Mönch, O. Rose, T. Jefferson, J. W. Fowler eds. A DYNAMIC CRASHING METHOD FOR PROJECT MANAGEMENT USING SIMULATIONBASED OPTIMIZATION
More informationTraffic State Estimation in the Traffic Management Center of Berlin
Traffc State Estmaton n the Traffc Management Center of Berln Authors: Peter Vortsch, PTV AG, Stumpfstrasse, D763 Karlsruhe, Germany phone ++49/72/965/35, emal peter.vortsch@ptv.de Peter Möhl, PTV AG,
More informationEfficient Dynamic Integrity Verification for Big Data Supporting Users Revocability
nformaton Artcle Effcent Dynamc Integrty Verfcaton for Bg Data Supportng Users Revocablty Xnpeng Zhang 1,2, *, Chunxang Xu 1, Xaojun Zhang 1, Tazong Gu 2, Zh Geng 2 and Guopng Lu 2 1 School of Computer
More information: ;,i! i.i.i; " '^! THE LOGIC THEORY MACHINE; EMPIRICAL EXPLORATIONS WITH A CASE STUDY IN HEURISTICS
! EMPRCAL EXPLORATONS WTH THE LOGC THEORY MACHNE; A CASE STUDY N HEURSTCS. :, by Allen Newell, J. C. Shaw, & H. A. Smon Ths s a case study n problemsolvng, representng part of a program of research on
More informationChapter 4 ECONOMIC DISPATCH AND UNIT COMMITMENT
Chapter 4 ECOOMIC DISATCH AD UIT COMMITMET ITRODUCTIO A power system has several power plants. Each power plant has several generatng unts. At any pont of tme, the total load n the system s met by the
More informationFORMAL ANALYSIS FOR REALTIME SCHEDULING
FORMAL ANALYSIS FOR REALTIME SCHEDULING Bruno Dutertre and Vctora Stavrdou, SRI Internatonal, Menlo Park, CA Introducton In modern avoncs archtectures, applcaton software ncreasngly reles on servces provded
More information1. Fundamentals of probability theory 2. Emergence of communication traffic 3. Stochastic & Markovian Processes (SP & MP)
6.3 /  Communcaton Networks II (Görg) SS20  www.comnets.unbremen.de Communcaton Networks II Contents. Fundamentals of probablty theory 2. Emergence of communcaton traffc 3. Stochastc & Markovan Processes
More informationSimple Interest Loans (Section 5.1) :
Chapter 5 Fnance The frst part of ths revew wll explan the dfferent nterest and nvestment equatons you learned n secton 5.1 through 5.4 of your textbook and go through several examples. The second part
More informationRiposte: An Anonymous Messaging System Handling Millions of Users
Rposte: An Anonymous Messagng System Handlng Mllons of Users Henry CorrganGbbs, Dan Boneh, and Davd Mazères Stanford Unversty Abstract Ths paper presents Rposte, a new system for anonymous broadcast messagng.
More informationIDENTIFICATION AND CONTROL OF A FLEXIBLE TRANSMISSION SYSTEM
Abstract IDENTIFICATION AND CONTROL OF A FLEXIBLE TRANSMISSION SYSTEM Alca Esparza Pedro Dept. Sstemas y Automátca, Unversdad Poltécnca de Valenca, Span alespe@sa.upv.es The dentfcaton and control of a
More information