From Selective to Full Security: Semi-Generic Transformations in the Standard Model

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "From Selective to Full Security: Semi-Generic Transformations in the Standard Model"

Transcription

1 An extended abstract of ths work appears n the proceedngs of PKC 2012 From Selectve to Full Securty: Sem-Generc Transformatons n the Standard Model Mchel Abdalla 1 Daro Fore 2 Vadm Lyubashevsky 1 1 Département d Informatque, École normale supéreure 2 Department of Computer Scence New York Unversty Abstract In ths paper, we propose an effcent, standard model, sem-generc transformaton of selectvesecure (Herarchcal) Identty-Based Encrypton schemes nto fully secure ones. The man step s a procedure that uses admssble hash functons (whose exstence s mpled by collson-resstant hash functons) to convert any selectve-secure wldcarded dentty-based encrypton (WIBE) scheme nto a fully secure (H)IBE scheme. Snce buldng a selectve-secure WIBE, especally wth a selectve-secure HIBE already n hand, s usually much less nvolved than drectly buldng a fully secure HIBE, ths transform already sgnfcantly smplfes the latter task. Ths black-box transformaton easly extends to schemes secure n the Contnual Memory Leakage (CML) model of Brakersk et al. (FOCS 2010), whch allows us obtan a new fully secure IBE n that model. We furthermore show that f a selectve-secure HIBE scheme satsfes a partcular securty noton, then t can be genercally transformed nto a selectve-secure WIBE. We demonstrate that several current schemes already ft ths new defnton, whle some others that do not obvously satsfy t can stll be easly modfed nto a selectve-secure WIBE. Keywords: Selectve securty, full securty, dentty-based encrypton.

2 Contents 1 Introducton Our results Basc Defntons Code-Based Games (Herarchcal) Identty Based Encrypton Identty Based Encrypton wth Wldcards The Contnual Memory Leakage Model Fully-Secure HIBE from Selectve-Secure WIBE Our transformaton Extensons of our transformaton Selectve WIBE schemes from selectve HIBE Securty under Correlated Randomness for HIBE From HIBE selectve-secure under Correlated Randomness to selectve-secure WIBE Our WIBE scheme A suffcent dstrbuton for buldng a WIBE A leakage-reslent WIBE scheme based on Decson Lnear 25 6 Lattce-Based WIBE Lattces and the LWE Problem Algorthms used n constructng the HIBE and WIBE Our Lattce-Based WIBE scheme Securty Proof Future Drectons 35 References 36 A A proof wthout artfcal abort 38 B HIBE Schemes Selectve-Secure under Correlated Randomness 46 B.1 The case of the Boneh-Boyen HIBE [8, 1] B.2 The case of the Boneh-Boyen-Goh HIBE [10] B.3 The case of the Waters HIBE [35]

3 1 Introducton The concept of dentty-based encrypton (IBE) s a generalzaton of the standard noton of publckey encrypton n whch the sender can encrypt messages to a user based only on the dentty of the latter and a set of user-ndependent publc parameters. In these systems, there exsts a trusted authorty, called prvate key generator, that s responsble for generatng decrypton keys for all denttes n the system. Snce beng ntroduced by Shamr n 1984 [33], IBE has receved a lot of attenton due to the fact that one no longer needs to mantan a separate publc key for each user. Despte beng an attractve concept, t was only n 2001 that the frst practcal IBE constructon was proposed based on ellptc curve parngs [13]. Later that year, Cocks proposed an alternatve IBE constructon based on the quadratc resduosty problem [23]. The now-standard defnton of securty of IBE schemes, frst suggested by Boneh and Frankln [13], s ndstngushablty under adaptve chosen-dentty attacks (we refer to t as full securty). In ths securty model, the adversary s allowed to obtan secret keys for adaptvely chosen denttes before decdng the dentty upon whch t wshes to be challenged. By allowng these queres, ths noton mplctly captures resstance aganst colluson attacks as dfferent users should be unable to combne ther keys n an attempt to decrypt cphertexts ntended to another user. In 2002, Horwtz and Lynn ntroduced the noton of herarchcal dentty-based encrypton (HIBE), whch allows ntermedate nodes to act as prvate key generators. They also provded a two-level HIBE constructon based on the Boneh-Frankln IBE scheme, but ther scheme could provde full colluson resstance only n the upper level. The frst HIBE scheme to provde full colluson resstance n all levels s due to Gentry and Slverberg [26]. Lke the Horwtz-Lynn HIBE scheme, the Gentry-Slverberg HIBE scheme was also based on the Boneh-Frankln IBE scheme and proven secure n the random-oracle model [6]. The frst HIBE to be proven secure n the standard model s due to Canett, Halev, and Katz [20], but n a weaker securty model, called the selectve-dentty model. Unlke the securty defntons used n prevous constructons of (H)IBE schemes, the selectve-dentty model requres the adversary to commt to the challenge dentty before obtanng the publc parameters of the scheme. Despte provdng weaker securty guarantees, Canett, Halev, and Katz showed that the selectve-dentty model s suffcent for buldng forward-secure encrypton schemes, whch was the man motvaton of ther paper. Although the selectve-dentty model has been consdered n many works, and s nterestng n ts own rght (e.g., t mples forward-secure publc key encrypton), f we focus solely on the (H)IBE applcaton, then the selectve noton s clearly unrealstc because t does not model the real capabltes of an adversary attackng a (H)IBE scheme. So whle the desgn of selectve-dentty secure schemes seems to be an easer task, the quest for fully secure solutons s always consdered the man goal for (H)IBE constructon. It s therefore a very nterestng problem to nvestgate whether there are ways to effcently convert a selectve secure scheme nto a fully secure one. In the random oracle model, ths queston has been resolved by Boneh, Boyen and Goh [10], who provded a very effcent black-box transformaton. In the standard model, however, no such converson s known 1, and all fully-secure (H)IBE schemes (e.g., [9], [35], [22]) had to be constructed and proved secure essentally from scratch. 1 It was shown by Boneh and Boyen n [8] that any selectve secure IBE scheme s already fully secure, but the concrete securty degrades by a factor 1/ ID, where ID s the scheme s dentty space. Snce ID s usually of exponental sze, ths converson s too expensve n terms of effcency to be consdered practcal. 1

4 1.1 Our results In ths paper, we explore the relatonshp between selectve-dentty and fully secure (H)IBE schemes n the standard model. From selectve-secure WIBE to fully-secure HIBE. Our frst man contrbuton s a generc constructon of fully-secure HIBE schemes from selectve-pattern-secure wldcarded dentty-based encrypton (WIBE) schemes. The noton of a WIBE, ntroduced by Abdalla et al. [1], s very smlar to the noton of a HIBE except that the sender can encrypt messages not only to a specfc dentty, but to a whole range of recevers whose denttes match a certan pattern defned through a sequence of fxed strngs and a specal wldcard symbol (*). The securty noton, called selectvepattern securty, requres the adversary to commt ahead of tme to the pattern P that he ntends to attack. He can then ask for the secret keys of any dentty not matchng P, and for the challenge cphertext on any pattern P matchng P. Ths noton of securty s slghtly more general and natural than that gven n [1]. Yet, as noted n Remark 2.5 at the end of Secton 2, t s satsfed by all known WIBE constructons. Our transformaton from any selectve-pattern-secure WIBE to a fully-secure HIBE s generc and reles on the noton of admssble hash functons (whose exstence s mpled by collson-resstant hash functons) ntroduced by Boneh and Boyen n [9]. Snce buldng selectve-pattern-secure WIBE schemes seems to be much easer than drectly buldng a fully secure HIBE scheme, ths transformaton already sgnfcantly smplfes the latter task. In fact, t s worth notcng that the selectve-pattern securty of all currently-known nstantatons of WIBE schemes follows from the selectve-dentty securty of ther respectve underlyng HIBE schemes (see [1]). One drect consequence of our constructon s that several exstng fully secure (H)IBE schemes can be seen as a partcular case of our transformaton. For nstance, the fully secure IBE scheme of Boneh and Boyen n [9] turns out to be a partcular case of our generc constructon when nstantated wth the selectve-pattern-secure Boneh-Boyen WIBE scheme gven n [1]. Lkewse, the fully secure HIBE by Cash, Hofhenz, Kltz, and Pekert [22] can be seen as the result of our generc transformaton when appled to our new WIBE scheme n Secton 6. Another consequence of our transformaton s that one can obtan new constructons of fully secure HIBE schemes by applyng our methodology to exstng selectve-pattern-secure WIBE schemes, such as the Boneh-Boyen-Goh WIBE n [1]. Interestngly, the result obtaned from ths nstantaton closely resembles the Waters (H)IBE scheme [35]. The transformaton n the Contnual Memory Leakage model. An mportant pont about our transformaton from WIBE to (H)IBE s that t also works n the Contnual Memory Leakage (CML) model [19, 24]. In ths model, securty s defned wth respect to an adversary that may learn a bounded number of bts related to the secret nformaton of a user, such as hs secret key, over a gven tme perod. In partcular, secret keys are updated regularly and nformaton about new secret keys and the randomness used durng ther updates may also leak to the adversary. In [19], Brakersk et al. extended the IBE constructon n [17] to obtan a selectve-secure IBE n the CML model based on the Decson Lnear assumpton. Whle Brakersk and Kala s IBE constructon can be made fully secure usng admssble hash functons as suggested n [17], a smlar result s not known to hold n the CML model. In ths paper, we show how to modfy the scheme n [19] nto a WIBE scheme and prove t selectve-pattern-secure n the CML model under the same assumpton. Then, by applyng our transformaton to ths newly-constructed WIBE, we obtan a (CML) fullysecure verson of the IBE n [19]. As n the orgnal IBE, our new IBE constructon assumes that there s no leakage from the master secret key. We observe, however, that ths restrcton s not that crtcal because, n the case of IBE, t may be reasonable to assume that the key generaton center uses strong countermeasures to avod leakng secret nformaton. 2

5 The role of WIBE n our transformaton. Somewhat surprsngly, our transformaton seems to mply that the WIBE noton s of central mportance when gong from selectve to full securty n (H)IBE. To see why, one has to take a look at our proof strategy and at the noton of Admssble hash functons (AHF). AHFs are a tool whch allows to partton the dentty space nto two subsets, B and R (both of whch are of exponental sze) so that n the securty proof the denttes of secret key queres fall n B whle the challenge dentty falls n R. In partcular, by carefully selectng the AHFs parameters (as descrbed n [9], for nstance) one can make sure that the above (good) event occurs wth non-neglgble probablty. In our proof from selectve-secure WIBE to fully-secure HIBE, the smulator frst uses AHFs to partton the dentty space nto B and R. Next, t declares to the WIBE challenger a challenge pattern whch corresponds to R, by expressng R n the form of a pattern. By the property of AHFs, f the good event occurs (for all key dervaton queres and the challenge dentty chosen by the adversary), then the smulator can easly forward all queres to the WIBE challenger. In partcular, t s guaranteed that the challenge dentty falls n R. When that happens, the smulator can output the challenge dentty chosen by the adversary as ts own challenge. We remark that the proof strategy descrbed above does not work f one starts from a selectvesecure HIBE nstead of a WIBE. Unlke the selectve-wibe smulator, the smulator aganst the selectve securty of a HIBE should commt to the challenge dentty ID at the very begnnng. And even f the smulator chooses the AHFs parameters so that all secret key queres fall n B and the challenge dentty falls n R, t stll needs to guess ID n R at the very begnnng. But the probablty that the challenge dentty chosen by the adversary matches such ID s 1/ R, whch s neglgble (recall that both B and R are of exponental sze). Selectve WIBE from selectve HIBE. The second man contrbuton of ths paper s to dentfy condtons under whch we can genercally transform a selectve-dentty-secure HIBE scheme nto a selectve-pattern-secure WIBE scheme. Towards ths goal, we ntroduce a new noton of securty for HIBE schemes, called securty under correlated randomness, whch allows us to transform a gven HIBE nto a WIBE by smply re-encryptng the same message to a partcular set of denttes by reusng the same randomness. Informally speakng, n order for a HIBE scheme to be secure under correlated randomness, t must satsfy the followng two propertes. Frst, when gven an encrypton of the same message under the same randomness for two dentty vectors ID 0 = (ID 0,1,..., ID 0,j,..., ID 0,λ ) and ID 1 = (ID 1,1,..., ID 1,j,..., ID 1,λ ) dfferng n exactly one poston (say j), one can easly generate a cphertext for any dentty vector matchng the pattern ID = (ID 1,1,..., *,..., ID 1,λ ). Secondly, when gven these two cphertexts, the adversary should not be able to generate an encrypton of the same message under the same randomness for any dentty vector that does not match the pattern. In Secton 4 we show that selectve-correlatedrandomness-secure HIBE schemes can be converted to selectve-pattern-secure WIBEs. Moreover, n Appendx B, we show that several exstng HIBE schemes already satsfy ths slghtly stronger noton of securty, e.g., [8, 10, 35], and n partcular we show that ther securty under correlated randomness black-box reduces to ther selectve-dentty securty. Hence, f we combne our frst generc transformaton from selectve-pattern-secure WIBE to fully-secure (H)IBE, together wth our second result descrbed above, we obtan a compler that allows us to construct a fully secure (H)IBE startng from a selectve-secure (H)IBE. In partcular, the resultng transformaton works n the standard model and s sem-generc because the second part assumes a specfc property of the underlyng scheme (.e., securty under correlated randomness). Nevertheless, by reducng the task of buldng fully secure HIBE schemes to that of buldng a selectve-pattern-secure WIBE scheme, we beleve that our result makes the former task sgnfcantly easer to acheve. New WIBE schemes. One fnal contrbuton of ths paper are two constructons of selectve- 3

6 pattern-secure WIBE schemes. The frst one, whose descrpton s gven n Secton 5, s obtaned by modfyng the IBE n [19]. It s based on parngs and s secure under the Decson Lnear assumpton n the CML model. Such modfcaton essentally follows the correlated-randomness paradgm. Snce for some techncal reasons (related to the specfc scheme) the selectve-pattern securty of ths WIBE cannot be blackbox reduced to the selectve-dentty securty of the related IBE (lke we do for other parng-based WIBEs), we decded to gve a drect proof under the Decson Lnear assumpton. However, we notce that such proof closely follows the one n [19]. The second WIBE s based on lattces and ts securty follows from the selectve-dentty secure HIBE constructon from [22]. Even though the Cash-Hofhenz-Kltz-Pekert HIBE scheme does not meet the noton of securty under correlated randomness ntroduced n Secton 4 (because the scheme s not secure when the same randomness s reused for encrypton), we show n Secton 6 that one can easly modfy t to obtan a selectve-pattern-secure WIBE scheme. Smlarly to the case of parngbased WIBE schemes, the selectve-pattern securty of the new WIBE can be reduced drectly to the selectve-dentty securty of the orgnal Cash-Hofhenz-Kltz-Pekert HIBE scheme. However, n ths case, t turns out to be even smpler to prove the selectve-pattern securty of our scheme drectly from the decsonal Learnng Wth Errors Problem (LWE) [32, 31]. Dscusson. In ths paper, we concentrate on buldng HIBE schemes that are adaptve-denttysecure aganst chosen-plantext attacks. As shown by Boneh, Canett, Halev, and Katz [21, 15, 12], such schemes can easly be made chosen-cphertext-secure wth the help of one-tme sgnature schemes or message authentcaton codes. Smlarly to the (H)IBE schemes by Boneh and Boyen [9], by Waters [35], and by Cash, Hofhenz, Kltz, and Pekert [22], the schemes obtaned va our transformaton are only provably secure when the maxmum herarchy s depth L s some fxed constant due to the loss of a factor whch s exponental n L. Whle for lattce-based HIBE schemes [22, 3, 4], ths seems to be the state of the art, the same s not true for parng-based HIBE schemes. More precsely, there have been several proposals n recent years (e.g., [25, 34, 29, 28]), whch are fully secure even when the HIBE scheme has polynomally many levels. Most of these schemes use a new proof methodology, known as dual system encrypton [34]. Organzaton. The paper s organzed as follows. In Secton 2, we start by recallng some standard defntons and notatons used throughout the paper. Next, n Secton 3, we present our frst man contrbuton, whch s a generc constructon whch can transform any selectve-pattern-secure WIBE nto a fully secure HIBE scheme. Then, n Secton 4, we ntroduce the noton of securty under correlated randomness for HIBE schemes and show how such schemes can be used to buld selectvepattern-secure WIBEs. Though such securty noton does not necessarly hold for all HIBE schemes, we show n Appendx B that several exstng selectve-dentty-secure HIBE schemes do meet ths noton. Next, n Sectons 5 and 6, we show two selectve-pattern-secure WIBE schemes that are obtaned by transformng, respectvely, the Brakersk-Kala-Katz-Vakuntanathan IBE and the Cash- Hofhenz-Kltz-Pekert HIBE. Fnally, n Secton 7, we summarze some future drectons left open by our work. 2 Basc Defntons In ths secton we descrbe the notaton and the basc defntons that we use n the paper. Notaton. We say that a functon s neglgble f t vanshes faster than the nverse of any polynomal. If S s a set, then x S ndcates the process of selectng x unformly at random over S. If A( ) s an algorthm then we denote wth y A( ) the operaton of runnng A (on some nput) and 4

7 assgnng the output to y. For any l N we denote wth [l] the set {1, 2,..., l}. PPT stands for probablstc polynomal tme and PTA for PPT algorthm or adversary. 2.1 Code-Based Games In ths work, we state our defntons and gve our proofs usng code-based games [7]. A game s usually defned by two procedures Intalze and Fnalze, and by other procedures that model the answers to the adversary s oracle queres. A game G s executed wth an adversary A as follows. Frst, A runs Intalze, and gets ts output. Then, A can make oracle queres by executng the correspondng procedures. At the end, before haltng, the adversary s requred to execute the procedure Fnalze whose output s the output of the game G. If b s G s output, then we denote all ths process by wrtng G A b. Usually, a game keeps a flag bad whch s ntalzed to false, and that may be set true durng the executon of the game. We denote wth Bad (resp. Good ) the event that G A sets (resp. does not set) bad true. Two games G and G j are sad dentcal-untl-bad f ther code dffers only n statements that are executed when bad s set. Bellare and Rogaway show n [7] that f G and G j are dentcal-untl-bad, and A s an adversary, then Pr[Bad ] = Pr[Bad j ]. Moreover, the fundamental lemma of game-playng [7] states that f G and G j are dentcal-untl-bad, then for any b: Pr[G A b] Pr[G A j b] Pr[Bad ]. In our work we use a varant of ths lemma formulated by Bellare and Rstenpart n [5]: Lemma 2.1 [[5]] If G and G j are dentcal-untl-bad games, and A s an adversary, then for any b: Pr[G A b Bad ] = Pr[G A j b Bad j ]. 2.2 (Herarchcal) Identty Based Encrypton A herarchcal dentty-based encrypton scheme (HIBE) s defned by a tuple of algorthms HIBE = (Setup, KeyDer, Enc, Dec), a message space M, and an dentty space ID. The algorthm Setup s run by a trusted authorty to generate a par of keys (mpk, msk) such that mpk s made publc, whereas msk s kept prvate. The users are herarchcally organzed n a tree of depth L whose root s the trusted authorty. The dentty of a user at level 1 l L s represented by a vector ID = (ID 1,..., ID l ) ID l. A user at level l wth dentty ID = (ID 1,..., ID l ) can use the key dervaton algorthm KeyDer(sk ID, ID ) to generate a secret key for any of ts chldren ID = (ID 1,..., ID l, ID l+1 ) at level l + 1. Snce ths process can be terated, every user can generate keys for all ts descendants. Then, every user holdng the master publc key mpk, can encrypt a message m M for the dentty ID by runnng C Enc(mpk, ID, m). Fnally, the cphertext C can be decrypted by runnng the determnstc decrypton algorthm, m Dec(sk ID, C). For correctness, t s requred that for all honestly generated master keys (mpk, msk) Setup, for all messages m M, all denttes ID ID l and all ID ancestors of ID, m Dec(KeyDer(msk, ID ), Enc(mpk, ID, m)) holds wth overwhelmng probablty. An IBE s defned as an HIBE wth a herarchy of depth 1. The securty of a HIBE scheme s captured by the standard noton of ndstngushablty under chosen-plantext attacks. In partcular, ths s formalzed by a game, IND-HID-CPA, that we recall n Fgure 1 usng the notaton of code-based games. The game s defned by four procedures that can be run by an adversary A and works as follows. As usual, A starts by executng Intalze and runs Fnalze before haltng. We assume that A makes at most one query ( ID, m 0, m 1 ) to 5

8 Game IND-HID-CPA procedure Intalze (mpk, msk) Setup β {0, 1} Return mpk procedure Extract( ID) sk ID KeyDer(msk, ID) Return sk ID procedure LR( ID, m 0, m 1 ) C Enc(mpk, ID, m β ) Return C procedure Fnalze(β ) Return (β = β) Game IND-sHID-CPA procedure Intalze( ID ) (mpk, msk) Setup; β {0, 1} Return mpk procedure LR(m 0, m 1 ) C Enc(mpk, ID, m β ) Return C Fgure 1: On the left the defnton of Game IND-HID-CPA. On the rght the procedures Intalze and LR of the game IND-sHID-CPA. Notce that n the latter game the procedures Extract and Fnalze are the same as those of game IND-sHID-CPA. the LR procedure, under the requrement that m 0 = m 1 (.e., the two messages have the same length), and that all the denttes submtted to Extract and LR are legtmate. For ths noton, a set of queres s sad legtmate f A never queres Extract on an dentty ID such that ID = ID or ID s an ancestor of ID. We defne the IND-HID-CPA-advantage of any adversary A aganst a HIBE scheme HIBE as Adv IND-HID-CPA HIBE (A) = 2 Pr[IND-HID-CPA A 1] 1 where IND-HID-CPA A 1 denotes that a run of the IND-HID-CPA wth adversary A outputs 1. Defnton 2.2 [IND-HID-CPA-securty] A HIBE scheme s IND-HID-CPA-secure f for any PPT adversary A, Adv IND-HID-CPA HIBE (A) s at most neglgble. In the context of herarchcal dentty-based encrypton a lot of works n the lterature also consdered a weaker noton of securty, called selectve-dentty ndstngushablty under chosenplantext attacks (IND-sHID-CPA). The man dfference wth the standard IND-HID-CPA noton s that here the adversary s requred to commt ahead of tme to the dentty that he wll use to query the LR procedure. The correspondng game s recalled n Fgure 1, on the rght. Precsely, we descrbe only the procedures Intalze and LR, as Extract and Fnalze reman the same as n the game IND-HID-CPA. The IND-sHID-CPA-advantage of any adversary A aganst a HIBE scheme HIBE s defned as Adv IND-sHID-CPA HIBE (A) = 2 Pr[IND-sHID-CPA A 1] 1 Defnton 2.3 [IND-sHID-CPA-securty] A HIBE scheme s IND-sHID-CPA-secure f for any PPT adversary A, Adv IND-sHID-CPA HIBE (A) s at most neglgble. Sometmes, n order to have a clear dstncton wth the standard noton of IND-HID-CPA, the latter s called full securty. 2.3 Identty Based Encrypton wth Wldcards The noton of Identty-Based Encrypton wth Wldcards was ntroduced by Abdalla et al. n [1] as a generalzaton of the HIBE s noton. A WIBE scheme s defned by a tuple of algorthms WIBE = (Setup, KeyDer, Enc, Dec) that works exactly as a HIBE, except that here the encrypton 6

9 algorthm takes as nput a value P (ID *) l (for 1 l L),.e., the pattern, nstead of an dentty vector. Such pattern may contan a specal don t care symbol *, the wldcard, at some levels. An dentty ID = (ID 1,..., ID l ) ID l s sad to match a pattern P (ID *) l, denoted as ID * P, f and only f l l and = 1,..., l: ID = P or P = *. Note that under ths defnton, any ancestor of a matchng dentty s also a matchng dentty. Ths makes sense for the noton of WIBE, as any ancestor can derve the secret key of a matchng descendant dentty anyway. For any pattern P (ID *) l, we denote wth W(P ) the set of ndces j [l] such that P j = *. For correctness, t s requred that for all honestly generated master keys (mpk, msk) Setup, for all messages m M, all patterns P (ID *) l and all denttes ID ID l such that ID * P, m Dec(KeyDer(msk, ID), Enc(mpk, P, m)) holds wth all but neglgble probablty. procedure Intalze(P ) (mpk, msk) Setup ; β {0, 1} Return mpk procedure Extract( ID) sk ID KeyDer(msk, ID) Return sk ID procedure LR(P, m 0, m 1 ) C Enc(mpk, P, m β ) Return C procedure Fnalze(β ) Return (β = β) Fgure 2: Game IND-sWID-CPA. Smlarly to HIBE, WIBE allows for smlar notons of securty under chosen-plantext attacks. In partcular, n our work we consder only the noton of selectve securty. Roughly speakng, t s smlar to the IND-sHID-CPA noton for HIBE, except that here the adversary has to commt to a pattern P at the begnnng of the game. Next, when he calls the LR procedure, he can provde a pattern P that matches P,.e., such that ether P s an dentty matchng P, or P s a sub-pattern of P. The securty noton s formalzed by the game IND-sWID-CPA n Fgure 2. So, we defne the IND-sWID-CPA-advantage of any adversary A aganst a WIBE scheme WIBE as Adv IND-sWID-CPA WIBE (A) = 2 Pr[IND-sWID-CPA A 1] 1 Defnton 2.4 A WIBE scheme s IND-sWID-CPA-secure f Adv IND-sWID-CPA WIBE (A) s neglgble for any PTA A. Remark 2.5 We notce that our noton of selectve-securty for WIBE schemes s slghtly more general than the one that was orgnally proposed n [1]. The man dfference s that n the orgnal work of Abdalla et al. the noton s purely selectve, meanng that the adversary declares the challenge pattern P at the begnnng of the game, and later t receves an encrypton of ether m 0 or m 1 under P. Instead, our noton allows for more flexblty. Indeed, the adversary stll declares P at the begnnng of the game, but later t may ask the challenge cphertext on a pattern P, possbly dfferent from P, but such that P matches P. We stress that ths property s not artfcal for at least two reasons. Frst, t s more general than the prevous one. Second, t s satsfed by all known WIBE schemes, and n partcular we wll show that t s satsfed by those schemes obtaned through our transformaton, from selectve-secure HIBE to selectve WIBE, that we descrbe n Secton The Contnual Memory Leakage Model In ths secton we present an extenson of the defntons of herarchcal dentty-based encrypton and wldcarded dentty-based encrypton n the Contnual Memory Leakage (CML) Model proposed 7

10 procedure Intalze (mpk, msk) Setup β {0, 1} C[ ID] ID L[ ID, 0] 0 ID Return mpk procedure Extract( ID) If C[ ID] = Then sk ID,0 KeyDer(msk, ID) C[ ID] 0 Return sk ID,C[ ID] procedure Challenge( ID ) Store ID procedure LR(m 0, m 1 ) C Enc(mpk, ID, m β ) Return C procedure Fnalze(β ) Return (β = β) Game CML-IND-HID-CPA procedure Leak(f, ID) If ID ID and ID not ancestor of ID Then Return Else contnue let C[ ID] If = Then sk ID,0 KeyDer(msk, ID) C[ ID] 0 If L[ ID, ] + f(sk ID, ) < ρ M sk L[ ID, ] L[ ID, ] + f(sk ID, ) ID, Then Return f(sk ID, ) Else Return procedure Update(f, ID) If ID ID and ID not ancestor of ID Then Return Else contnue let C[ ID] sk ID,+1 Update user (mpk, sk ID,, r) C[ ID] + 1 If L[ ID, ] + f(sk ID,, r) < ρ U sk ID, Then L[ ID, + 1] f(sk ID,, r) Return f(sk ID,, r) Else Return Fgure 3: Defnton of Game CML-IND-HID-CPA. by Brakersk et al. [19]. In partcular, we consder the model wth the restrcton that there s no leakage from the master secret key. Ths means that both the Setup and KeyDer algorthms do not leak secret nformaton. In ths settng a (H)IBE scheme s defned by the same algorthms as a standard (H)IBE wth an addtonal Update user algorthm that takes as nput the publc parameters, the secret key of some dentty ID and some randomness (from an approprate doman), and t outputs a new updated secret key for the same dentty ID. The noton of ndstngushablty under chosen-plantext attack n the CML model (that we call CML-IND-HID-CPA) s defned as follows. The game conssts of sx procedures that can be run by an adversary A and t works n the followng way. As usual, A starts by executng Intalze and runs Fnalze before haltng. The adversary can run the procedure Extract and then t s allowed one query to the procedure Challenge on some dentty ID such that ID, nor an ancestor of t, have been asked to Extract before. Next, the adversary can run procedures Extract, Leak and Update as descrbed n Fgure 3. Notce that Leak and Update can be quered on denttes ID that decrypt ID. These procedures take as nput also a computable functon f. As specfed n the fgure, such functons must have a suffcently bounded output sze. We also assume that A makes at most one query (m 0, m 1 ) to the LR pro- 8

11 cedure, under the requrement that m 0 = m 1 (.e., the two messages have the same length), and that all denttes submtted to Extract, Leak, Update and LR are legtmate. Fnally, once the adversary has quered LR t can no longer run Leak and Update. In the CML model, a set of queres s sad legtmate f A never queres Extract on an dentty ID such that ID = ID or ID s an ancestor of ID. Furthermore, the total number of bts of each secret key of ID (or of any ancestor of ID ) that are leaked through Leak and Update must be less than ρ M sk ID and ρ U sk ID respectvely. So, ρ M and ρ U represent the fracton of bts that can be leaked from the memory (.e., from a secret key) and from the update operaton (.e., from the secret key and the randomness used n the update). Notce that (ρ M, ρ U ) parametrze the securty game. We defne the CML-IND-HID-CPA-advantage of any adversary A aganst a HIBE scheme HIBE wth leakage rate (ρ M, ρ U ) as Adv CML-IND-HID-CPA HIBE (A) = 2 Pr[CML-IND-HID-CPA A 1] 1 where CML-IND-HID-CPA A 1 denotes that a run of the experment CML-IND-HID-CPA (parametrzed by (ρ M, ρ U )) wth adversary A outputs 1. Defnton 2.6 [CML-IND-HID-CPA-securty] A HIBE scheme s CML-IND-HID-CPA-secure wth leakage rate (ρ M, ρ U ) f for any PPT adversary A, Adv CML-IND-HID-CPA HIBE (A) s at most neglgble. In a very smlar way t s possble to defne the noton of selectve securty, CML-IND-sHID-CPA, for (H)IBE n the CML model. The game s descrbed by the procedures n Fgure 4. The procedures are smlar to the ones of the CML-IND-HID-CPA game, but they are a bt smpler. For consstency, n order for the game to make sense, we requre that the total number of bts of secret keys of ID (or of any ancestor of ID ) that are leaked through Leak and Update must be less than ρ M sk ID and ρ U sk ID respectvely. Defnton 2.7 [CML-IND-sHID-CPA-securty] A HIBE scheme s CML-IND-sHID-CPA-secure wth leakage rate (ρ M, ρ U ) f for any PPT adversary A, Adv CML-IND-sHID-CPA HIBE (A) s at most neglgble. WIBE n the CML model. Fnally, we extend the securty noton of WIBE to the CML model. To do ths, we defne the game CML-IND-sWID-CPA whch s smlar to IND-sWID-CPA, except that n addton t contans the procedures Leak and Update. The game s descrbed n detals n Fgure 5. The man dfference s n the defnton of what s the set of legtmate queres n ths settng. Frst, we requre that the adversary calls the LR procedure on a pattern P that matches the pattern P provded to Intalze at the begnnng of the game. Second, we requre that Leak and Update are quered on denttes matchng the challenge pattern, and that for each of these denttes the total number of leaked bts s at most ρ M sk ID and ρ U sk ID respectvely. Defnton 2.8 [CML-IND-sWID-CPA-securty] A WIBE scheme s CML-IND-sWID-CPA-secure wth leakage rate (ρ M, ρ U ) f for any PPT adversary A, Adv CML-IND-sWID-CPA WIBE (A) s at most neglgble. 3 Fully-Secure HIBE from Selectve-Secure WIBE In ths secton we concentrate on the frst part of our man result. We show how to construct a fully-secure HIBE scheme startng from any WIBE scheme that s secure only n a selectve sense. 9

12 Game CML-IND-sHID-CPA procedure Intalze( ID ) procedure Leak(f) (mpk, msk) Setup β {0, 1} L[] 0 sk ID,0 Return mpk KeyDer(msk, ID ) procedure Extract( ID) KeyDer(msk, ID) sk ID Return sk ID procedure LR(m 0, m 1 ) C Enc(mpk, ID, m β ) Return C If L[] + f(sk ID, ) < ρ M sk ID, Then L[] L[] + f(sk ID, ) Return f(sk ID, ) Else Return procedure Update(f) sk ID,+1 Update user (mpk, sk ID,, r) If L[] + f(sk ID,, r) < ρ U sk ID, Then L[ + 1] f(sk ID,, r) Return f(sk ID,, r) + 1 Else Return procedure Fnalze(β ) Return (β = β) Fgure 4: Defnton of Game CML-IND-sHID-CPA. procedure Intalze(P ) (mpk, msk) Setup β {0, 1} C[ ID] ID L[ ID, 0] 0 ID Return mpk procedure Extract( ID) If C[ ID] = Then sk ID,0 KeyDer(msk, ID) C[ ID] 0 Return sk ID,C[ ID] procedure LR(P, m 0, m 1 ) C Enc(mpk, ID, m β ) Return C procedure Fnalze(β ) Return (β = β) Game CML-IND-sWID-CPA procedure Leak(f, ID) let C[ ID] If = Then sk ID,0 KeyDer(msk, ID) C[ ID] 0 If L[ ID, ] + f(sk ID, ) < ρ M sk L[ ID, ] L[ ID, ] + f(sk ID, ) ID, Then Return f(sk ID, ) Else Return procedure Update(f, ID) let C[ ID] sk ID,+1 Update user (mpk, sk ID,, r) C[ ID] + 1 If L[ ID, ] + f(sk ID,, r) < ρ U sk ID, Then L[ ID, + 1] f(sk ID,, r) Return f(sk ID,, r) Else Return Fgure 5: Defnton of Game CML-IND-sWID-CPA. Our transformaton s black-box and makes use of admssble hash functons, a noton ntroduced by Boneh and Boyen n [9] that we recall below. Admssble Hash Functons. Admssble hash functons were frst ntroduced by Boneh and Boyen n [9] as a tool for provng the full securty of ther dentty-based encrypton scheme n 10

13 the standard model. Such functons turn out to be partcularly sutable for ths purpose as they provde a way to mplement the so-called parttonng technque, a proof methodology that allows to secretly partton the dentty space nto two sets, the blue set and the red set, both of exponental sze, so that there s a non-neglgble probablty that the adversary s secret key queres fall n the blue set and the challenge dentty falls n the red set. Ths property has been shown useful to prove the full securty of some dentty-based encrypton schemes (e.g., [9, 35, 22]). In partcular, t fts those cases when, n the reducton, one can program the smulator so that t can answer secret key queres for all the blue denttes, whereas t s prepared to generate a challenge cphertext only for red denttes. In our work we employ admssble hash functons for a smlar purpose,.e., constructng a fullysecure HIBE from a selectve-secure WIBE, and n partcular we adopt a defnton of admssble hash functons whch follows the one used by Cash et al. n [22]. The formal defnton follows. Let k N be the securty parameter, w and λ be two values that are at most polynomal n k, and Σ be an alphabet of sze s. Let H = {H : {0, 1} w Σ λ } be a famly of functons. For H H, K (Σ {*}) λ and any x {0, 1} w we defne the followng functon whch colors strngs n {0, 1} w as follows: { R f {1,..., λ} : H(x) = K F K,H (x) = or K = * B f {1,..., λ} : H(x) K For any µ {0,..., λ}, we denote wth K (λ,µ) the unform dstrbuton over (Σ {*}) λ such that exactly µ components are not *. Moreover, for every H H, K K (λ,µ), and every vector x ({0, 1} w ) Q+1 we defne the functon γ( x) = Pr[F K,H (x 0 ) = R F K,H (x 1 ) = B F K,H (x 2 ) = B F K,H (x Q ) = B]. Defnton 3.1 [Admssble Hash Functons] H = {H : {0, 1} w Σ λ } s a famly of (Q, δ mn )- admssble hash functons f for every polynomal Q = Q(k), there exsts an effcently computable functon µ = µ(k), effcently recognzable sets bad H ({0, 1} w ) and an nverse of a polynomal δ mn = 1/δ(k, Q) such that the followng propertes holds: 1. For every PPT algorthm A that, on nput H H, outputs x ({0, 1} w ) Q+1, there exsts a neglgble functon ɛ(k) such that: Adv adm H (A) = Pr[ x bad H : H H, x A(H)] ɛ(k) 2. For every H H, K K (λ,µ), and every vector x ({0, 1} w ) Q+1 \ bad H such that x 0 / {x 1,..., x Q } we have: γ( x) δ mn. 3.1 Our transformaton Let WIBE be a WIBE scheme wth dentty space ID = Σ of sze s and depth λ L, and H = {H : {0, 1} w Σ λ } be a famly of functons. Then we construct the followng HIBE scheme that has dentty space ID = {0, 1} w and depth at most L: HIBE.Setup: run (mpk, msk ) WIBE.Setup and select H 1,..., H L H. Output mpk = (mpk, H 1,..., H L ) and msk = msk. HIBE.KeyDer(msk, ID): let ID = (ID 1,..., ID l ) and defne I = (H 1 (ID 1 ),..., H l (ID l )) Σ λ l. Output sk ID = WIBE.KeyDer(msk, I). 11

14 HIBE.Enc(mpk, ID, m): let ID = (ID 1,..., ID l ) and defne I = (H 1 (ID 1 ),..., H l (ID l )) Σ λ l. Output C = WIBE.Enc(mpk, I, m). HIBE.Dec(sk ID, C): return m = WIBE.Dec(sk ID, C). Our scheme s very smple. Essentally, the HIBE algorthm uses the algorthms of the WIBE scheme n a black-box way, where each dentty component ID s frst hashed usng a functon H H. Boneh and Boyen show how to construct admssble hash functons based on collson-resstance and error-correcton, and propose some concrete parameters for ther nstantaton (whch satsfy our defnton). In partcular, for convenence of ther constructon, they consder functons that map to strngs n an alphabet Σ of sze s = 2. Here we notce that f the gven WIBE has an alphabet Σ of sze s > 2, then one can smply choose two values x 1, x 2 Σ, set Σ = {x 1, x 2 }, and then consder the same WIBE restrcted to these two denttes. The securty of our scheme follows from the followng theorem. Theorem 3.2 If H = {H : {0, 1} w Σ λ } s a famly of (Q, δ mn )-admssble hash functons, and WIBE s IND-sWID-CPA-secure, then the scheme HIBE gven n Secton 3 s IND-HID-CPA-secure, where the maxmum herarchy s depth L s some fxed constant. Proof Intuton. Although the scheme s smple, ts proof of securty s rather techncal. Therefore, we frst provde some nformal ntutons about our strategy. Intutvely speakng, the proof proceeds by showng an algorthm B that plays game IND-sWID-CPA aganst the scheme WIBE and smulates the game IND-HID-CPA to an adversary A aganst HIBE. B frst generates the parameters for the admssble hash functons, whch defne parttons B and R of the dentty space, and then t declares the set R as the challenge pattern (notce that by defnton of K K (λ,µ), R can be descrbed n a compact way usng a pattern). Next, all secret key queres made by A for denttes n B are forwarded by B to ts own challenger, and the same can be done f the challenge dentty chosen by A falls n R. In partcular, by the propertes of admssble hash functons, the event that the denttes of secret key queres fall n B and the challenge dentty falls n R occurs wth non-neglgble probablty. However, thngs are not that smple, as there may be unlucky events n whch B s unable to smulate the rght game to A and thus t needs to abort. As t already occurred n other works [35, 22], these events may not be ndependent of the adversary s vew, and one soluton s to force the smulator to run an expensve artfcal abort step. Our proof of Theorem 3.2 proceeds n ths way, requrng B to (eventually) artfcally abort at the end of the smulaton. Alternatvely, one can extend the technques ntroduced by Bellare and Rstenpart n [5] to obtan a proof of Theorem 3.2 whch avods the need of artfcal aborts. However, ths requres a slghtly dfferent defnton of admssble hash functons. In Appendx A we descrbe ths alternatve proof wthout artfcal aborts. It may be of ndependent nterest. Proof: To prove Theorem 3.2 we descrbe a sequence of games that allows to show that an adversary for the game IND-HID-CPA can be effcently turned nto an adversary for the game IND-sWID- CPA. The smulator algorthm B. In Fgure 6 we descrbe an adversary B that plays game IND-sWID-CPA aganst the scheme WIBE, by smulatng the game IND-HID-CPA to an adversary A. To avod confuson between the games IND-sWID-CPA and IND-HID-CPA, we prepend the prefx sw to the procedures of IND-sWID-CPA. In order to show that such smulaton can be carred on effcently, we proceed by descrbng a sequence of games G 0 G 8, where G 0 s the game smulated by our algorthm B, and G 8 s essentally 12

15 Algorthm B: K 1,..., K L K (λ,µ) P (K 1,..., K L ) Run mpk sw.intalze(p ) H 1,..., H L H cnt 1 mpk (mpk, H 1,..., H L ) Run A (mpk), answerng queres as follows: Extract( ID): X cnt ID, cnt cnt + 1 let l = ID, I (H 1 (ID 1 ),..., H l (ID l )) sk ID If F H,K (ID ) = R = 1 to l Then bad true Else sk ID sw.extract( I) Return sk ID LR(ID, m 0, m 1 ): X 0 ID let l = ID, I (H 1 (ID 1 ),..., H l (ID l )) C If [l ] : F H,K (ID ) = B Then bad true Else C sw.lr( I, m 0, m 1 ) return C let β be A s output If [L] : X bad H Then β {0, 1} If bad true η 0 for j = 1 to ks/δmn L do K 1,..., K L K (λ,µ) If L =1 (F K,H (X 0) = R F K,H (X 1) = B F K,H (X Q ) = B) Then η η + 1 δ η/ ks/δmn L Set bad true wth probablty 1 δmn L / δ If bad = true Then β {0, 1} sw.fnalze(β ) procedure Intalze: Games G 0 G K 1,..., K L K (λ,µ) 002 P (K 1,..., K L ) 003 (mpk, msk ) WIBE.Setup; β {0, 1} 004 H 1,..., H L H 005 cnt mpk (mpk, H 1,..., H L ) 007 return mpk procedure Extract( ID): Games G 0, G X cnt ID; cnt cnt let l = ID, I (H 1 (ID 1 ),..., H l (ID l )) 012 sk ID 013 If F H,K (ID ) = R = 1 to l Then 014 bad true 015 sk ID WIBE.KeyDer(msk, I) 016 Else sk ID WIBE.KeyDer(msk, I) 017 Return sk ID procedure LR( ID, m 0, m 1 ): Games G 0, G X 0 ID 021 let l = ID, I (H 1 (ID 1 ),..., H l (ID l )) 022 C 023 If [l ] : F H,K (ID ) = B Then 024 bad true 025 C WIBE.Enc(mpk, I, m β ) 026 Else 027 C WIBE.Enc(mpk, I, m β ) 028 return C procedure Fnalze(β ): Games G 0, G If [L] : X bad H Then β {0, 1} 031 β β 032 If bad true 033 η for j = 1 to ks/δmn L do 035 K1,..., K L K (λ,µ) 036 If L =1 (F K,H (X 0) = R F K,H (X 1) = B F K,H (X Q ) = B) Then 037 η η δ η/ ks/δ L mn 039 Set bad true wth probablty 1 δmn L / δ 040 If bad = true Then β {0, 1}, β β 041 If β = β Then return Else return 0 Fgure 6: Adversary B and descrpton of the games G 0 and G 1. 13

16 IND-HID-CPA wth some addtonal code that, however, does not condton the output. Our approach s based on code-based games where each game s defned as a set of procedures that can be run by the adversary. Before focusng on the game sequence, we frst show that the smulaton provded by B s correct whenever bad s not set, and that B plays the game IND-sWID-CPA correctly. For ease of exposton we assume that the adversary always outputs denttes of the same (maxmum) length L. However, ths can be formalzed by assumng that for any set of denttes ( ID 0,..., ID Q ) output by A, for = 1 to Q all those ID such that ID < L are padded to reach length L usng some specal symbol so that F H,K (ID j) always returns B on postons j such that ID < j L. On the other hand, f the challenge dentty has length l < L, then t s padded wth some symbol so that F H,K (ID 0 j) always returns R on postons j > l. Frst, observe that all the denttes I for whch B runs sw.extract( I) are legtmate queres, namely they do not match the challenge pattern P declared by B to sw.intalze. In the code of B, f sw.extract( I) s called, then there exsts an ndex {1,..., l} for whch F K,H (ID ) = B, namely I P (and P *), thus I * P. Second, note that the cphertext C s dstrbuted as the challenge cphertext n the game IND-HID-CPA for the scheme HIBE. However, we have also to check that the procedure sw.lr be run on an dentty I * P. To see ths, observe that the procedure s run only f bad s not set, namely when F H,K (ID ) = R for all [l ], whch s equvalent to say I * P. A crtcal part n B s smulaton s that t may set bad true and, as a consequence, B returns a random bt (bascally, t fals ts smulaton). Such bad event depends on the values K 1,..., K L chosen by B as well as on the set of denttes asked by A to Extract and LR. As shown n other works, such as [35], these cases are problematc as the event that the smulaton fals s not ndependent of the adversary s vew. Ths dffculty s overcome by ntroducng an artfcal abort event n the smulaton that allows to balance the probablty of falng so that t s suffcently ndependent of the adversary s vew. Ths s why, at the end of the smulaton, even f bad was not set, the algorthm B may abort. Precsely, the smulator B proceeds as follows. Before termnatng the smulaton, B repeats ks/δmn L tmes the followng step: t samples L vectors K 1,..., K L as at the begnnng of the smulaton, and for each sample t checks whether such choce (combned wth the gven set X of denttes returned by the adversary) would set bad true or not. At the end of ths step, B evaluates on the fly the average probablty, over the random choces of the vectors K, that bad s set, gven the set X. Let δ be such estmaton, then B sets bad true wth probablty 1 δmn L / δ. In partcular, here S s an arbtrary polynomal such that by Hoeffdng s nequalty, ks/δ L samples are suffcent to get δ δ L such that [ Γ(X) ] Pr δ δl 1 S 2 k. (1) The sequence of games. Now, let us focus on the sequence of games G 0 G 8. In partcular, the Lemma 3.3 gven below proves that we can move from the game IND-sWID-CPA played by B to game G 4. Followng the notaton gven n Secton 2, we wrte G A b to denote that an executon of game G by A returns b. Also, let Bad (resp. Good ) be the event that G sets (resp. does not set) bad true. Our adversary B and the games G 0 G 8 are descrbed n Fgures 6 and 7. When some games share a procedure wth very smlar code we use a compact descrpton wth boxed statements. If a 14

17 procedure Extract( ID): Game G X cnt ID; cnt cnt let l = ID, I (H 1 (ID 1 ),..., H l (ID l )) 212 If F H,K (ID ) = R = 1 to l Then 213 bad true 214 sk ID WIBE.KeyDer(msk, I)( I) 215 Return sk ID procedure LR( ID, m 0, m 1 ): Game G X 0 ID 221 let l = ID, I (H 1 (ID 1 ),..., H l (ID l )) 222 If [l ] : F H,K (ID ) = B Then 223 bad true 224 C WIBE.Enc(mpk, I, m β ) 225 return C procedure Fnalze(β ): Game G 2, G If [L] : X bad H Then β {0, 1} 231 for j = 1 to cnt do 232 let l j ID j 233 If F H,K (X j ) = R = 1 to l j Then 234 bad true 235 If [l ] : F H,K (X 0) = B Then 236 bad true 237 If bad true 238 η for j = 1 to ks/δmn L do 240 K1,..., K L K (λ,µ) 241 If L =1 (F K,H (X 0) = R F K,H (X 1) = B F K,H (X Q ) = B) Then 242 η η δ η/ ks/δ L mn 244 Set bad true wth probablty 1 δmn L / δ 245 If β = β Then return Else return 0 procedure Intalze(l ): Games G 4 G (mpk, msk ) WIBE.Setup; β {0, 1} 401 H 1,..., H L H 402 mpk (mpk, H 1,..., H L ) 403 cnt return mpk procedure Fnalze(β ): Game G If [L] : X bad H Then β {0, 1} 641 Set bad true wth probablty 1 δmn L 642 If bad = true Then β {0, 1} 643 If β = β Then return Else return 0 procedure Extract( ID): Games G 3 G X cnt ID; cnt cnt let l = ID, I (H 1 (ID 1 ),..., H l (ID l )) 312 sk ID WIBE.KeyDer(msk, I)( I) 313 Return sk ID procedure LR( ID, m 0, m 1 ): Game G 3 G X 0 ID 321 let l = ID, I (H 1 (ID 1 ),..., H l (ID l )) 322 C WIBE.Enc(mpk, I, m β ) 323 return C procedure Fnalze(β ): Game G 4, G If [L] : X bad H Then β {0, 1} 431 K 1,..., K L K (λ,µ) 432 for j = 1 to cnt do 433 let l j ID j 434 If F H,K (X j ) = R = 1 to l j Then 435 bad true 436 If [l ] : F H,K (X 0) = B Then 437 bad true 438 If bad true 439 η for j = 1 to ks/δmn L do 441 K1,..., K L K (λ,µ) 442 If L =1 (F K,H (X 0) = R F K,H (X 1) = B F K,H (X Q ) = B) Then 443 η η δ η/ ks/δ L mn 445 Set bad true wth probablty 1 δmn L / δ 446 If bad = true Then β {0, 1} 447 If β = β Then return Else return 0 procedure Fnalze(β ): Game G If [L] : X bad H Then β {0, 1} 741 If β = β Then return Else return 0 procedure Fnalze(β ): Game G If β = β Then return Else return 0 Fgure 7: Descrpton of the Games from G 2 to G 8. 15

18 procedure s shared by games G, G j,..., G k, f G s boxed, then the code of the gven procedure n G ncludes the boxed statements, whereas ts code n the other games does not. To better understand the notaton one may look at Fgure 6 for an example. There, the Fnalze procedure s shared by games G 0 and G 1, and G 1 s wrtten n a box. Ths means that Fnalze n G 1 contans the statement β β of lne 040, whereas ths statement s not present n game G 0. Lemma 3.3 Adv IND-sWID-CPA WIBE (B) = 2 Pr[G A 4 1 Good 4 ] Pr[Good 4 ]. Proof: To prove the lemma we wll analyze the dfferences between each consecutve par of games. Frst, we focus on the code of B and game G 0. The procedure Intalze contans n lne 003 the code of sw.intalze. Moreover, lne 016 and lne 027 contan the code of sw.extract and sw.lr respectvely. Fnally, t s not hard to notce that the code of the Fnalze procedure s an equvalent mplementaton of the way B concludes ts smulaton and executes sw.fnalze. Therefore, we have: Pr[IND-sWID-CPA B 1] = Pr[G A 0 1] = Pr[G A 0 1 Bad 0 ] Pr[Bad 0 ] + Pr[G A 0 1 Good 0 ] = 1 2 Pr[Bad 0] + Pr[G A 0 1 Good 0 ] (2) where Equaton (2) s justfed from that the Fnalze procedure of G 0 outputs a random bt when bad s set. If we look at the dfferences between the games G 0 and G 1 we can observe that G 1 contans some addtonal lnes of code (hghlghted n the framed boxes). Such changes make sure that Extract and LR never return. Also, n G 1 Fnalze s modfed n lne 040 (by addng β β ) so that the procedure s output does not depend on bad = true. Snce n game G 0 the events that Extract and LR return and that Fnalze takes β at random both occur only f bad s set, then we have that G 0 and G 1 are dentcal-untl-bad. Thus, we can apply Lemma 2.1 to obtan: Pr[Bad 0 ] = Pr[Bad 1 ] and Pr[G A 0 1 Good 0 ] = Pr[G A 1 1 Good 1 ] (3) Now, let us compare games G 1 and G 2. The changes n the Extract and Fnalze procedures are only syntactcal. Lnes 015, 016 (resp. 025, 027) of G 1 have been moved to lne 214 (resp. 224) of G 2. So G 2 s equvalent to G 1 : Pr[Bad 1 ] = Pr[Bad 2 ] and Pr[G A 1 1 Good 1 ] = Pr[G A 2 1 Good 2 ] (4) Let us now consder G 2 and G 3. In game G 2, both Extract and LR may set bad n lnes and respectvely. However, ths operaton does no longer nfluence the behavor of each procedures. So, n G 3 these lnes are moved to the end of the game, nto the procedure Fnalze. Moreover, n order for ths change to be descrbed correctly, G 3 ntroduces a counter and a labelng for the quered denttes. Agan, these changes n the code are only syntactcal. Thus the two games are dentcal, and we have: Pr[Bad 2 ] = Pr[Bad 3 ] and Pr[G A 2 1 Good 2 ] = Pr[G A 3 1 Good 3 ] (5) 16

19 Fnally, we show that G 3 and G 4 are dentcally dstrbuted as well. The only change s that lne 001 of G 3 s moved to lne 431 of Fnalze n G 4. Snce n G 3 the values K 1,..., K L are used only nto Fnalze, ths code can be postponed there. Thus we have: Pr[Bad 3 ] = Pr[Bad 4 ] and Pr[G A 3 1 Good 3 ] = Pr[G A 4 1 Good 4 ] (6) Fnally, f we put together Equatons (2), (3), (4), (5) and (6) we obtan: Adv IND-sWID-CPA WIBE (B) = 2 Pr[IND-sWID-CPA B 1] 1 whch completes the proof of the Lemma. = Pr[Bad 4 ] + 2 Pr[G A 4 Good 4 ] 1 = 2 Pr[G A 4 Good 4 ] Pr[Good 4 ] (7) Next, f we look at games G 4 and G 5, we notce that the only dfference s that G 5 changes the value of β wth a random bt when bad = true. Snce ths acton s performed only f bad s set, then we have that games G 4 and G 5 are dentcal-untl-bad, and thus we can apply the restatement of the fundamental Lemma of game-playng (.e., Lemma 2.1) to obtan: Pr[Bad 4 ] = Pr[Bad 5 ] and Pr[G A 4 1 Good 4 ] = Pr[G A 5 1 Good 5 ] (8) Now, let us focus on the games G 5 and G 6. We observe that lnes of game G 5 are substtuted wth lne 641 n game G 6. In partcular, n the latter game bad s set true wth ndependent probablty 1 δmn L. Snce Pr[Good 5] = δmn L Γ(X), and the condton of Equaton (1) holds, then we obtan δ that the dfference Pr[Good 5 ] Pr[Good 6 ] = δ L mn δ Γ(X) δ holds wth probablty 1 1/2 k. Thus we have: δl mn S Pr[G A 5 1] Pr[G A 6 1] δl mn S k (9) Game G 7 s the same as G 6 except that the Fnalze procedure does not set bad. So we have: 2 Pr[G A 6 1] 1 = δ L mn(2 Pr[G A 7 1] 1) (10) Fnally, observe that game G 8 dffers from game G 7 as t does no longer contan lne 740. So, t s easy to observe that a trval reducton would show that any effcent dstngusher between the two games would reduce to the frst condton of admssble hash functons, namely: Pr[G A 8 1] Pr[G A 7 1] L Adv adm H,C (k) (11) 17

20 Fnally, one can easly note that game G 8 s essentally the same as the game IND-HID-CPA wth some addtonal book-keepng. So we can wrte: Adv IND-HID-CPA HIBE (A) = 2 Pr[G A 8 1] 1 2 Pr[G A 7 1] 1 + 2L Adv adm H (C) (12) = 2 Pr[GA 6 1] 1 δ L mn 2 Pr[GA 5 1] 1 δ L mn 2 Pr[GA 4 1 Good 4 ] Pr[Good 4 ] δ L mn AdvIND-sWID-CPA WIBE δmn L + 2L Adv adm H (C) (13) ( S + 1 ) 2 k δmn L + 2L Adv adm H (C) (14) (B) ( S + 1 ) 2 k + +2L Adv adm H (C) (15) ( S + 1 ) 2 k + 2L Adv adm H (C) (16) Equaton (12) s obtaned by applyng Equaton (11), whle Equaton (13) derves from Equaton (10). Equaton (14) s obtaned by applyng the dfference between game G 5 and G 6 noted n Equaton (9). Equaton (15) comes from that G 4 and G 5 are dentcal-untl-bad (see Equaton (8)), and fnally the last result (16) s obtaned by combnng Equatons (15) and (7). Ths completes the proof of Theorem 3.2. Due to the exponental factor L, we notce that the reducton s meanngful when the maxmum herarchy s depth L s some fxed constant. Remark 3.4 Even though our transformaton requres a WIBE scheme wth λ L levels to get a HIBE wth L levels, we observe that the HIBE key dervaton algorthm wll use the WIBE key dervaton at most L tmes. The pont s that whle L s supposed to be a constant, λ can be nstead non-constant, as t s the case for known constructons of admssble hash functons, whose output length depends on the number of secret key queres made by the adversary. Ths mght have been a problem for those WIBE schemes that do not support key dervaton (delegaton) for a polynomal number of levels, such as our lattce-based scheme n Secton Extensons of our transformaton Our transformaton easly allows for two extensons. Obtanng an IBE. If one s nterested nto constructng only an IBE, then our transformaton easly works. In partcular, we observe that to construct an IBE we can use a WIBE scheme wth herarchy of depth λ (nstead of λ L). Furthermore the WIBE does not need to satsfy the delegaton property. Therefore, we can state the followng Corollary: Corollary 3.5 Let IBE be the IBE scheme defned as HIBE usng a scheme WIBE of depth λ. If H = {H : {0, 1} w Σ λ } s a famly of (Q, δ mn )-admssble hash functons, and WIBE s INDsWID-CPA-secure (even wthout the delegaton property), then the scheme IBE descrbed above s IND-ID-CPA-secure. The transformaton n the CML model. It s nterestng to note that our transformaton from a selectve-secure WIBE to a fully-secure HIBE scheme works also n the CML model (whose 18

Compact CCA2-secure Hierarchical Identity-Based Broadcast Encryption for Fuzzy-entity Data Sharing

Compact CCA2-secure Hierarchical Identity-Based Broadcast Encryption for Fuzzy-entity Data Sharing Compact CCA2-secure Herarchcal Identty-Based Broadcast Encrypton for Fuzzy-entty Data Sharng Weran Lu 1, Janwe Lu 1, Qanhong Wu 1, Bo Qn 2, Davd Naccache 3, and Houda Ferrad 4 1 School of Electronc and

More information

Identity-Based Encryption Gone Wild

Identity-Based Encryption Gone Wild An extended abstract of ths paper appeared n Mchele Bugles, Bart Preneel, Vladmro Sassone, and Ingo Wegener, edtors, 33rd Internatonal Colloquum on Automata, Languages and Programmng ICALP 2006, volume

More information

Recurrence. 1 Definitions and main statements

Recurrence. 1 Definitions and main statements Recurrence 1 Defntons and man statements Let X n, n = 0, 1, 2,... be a MC wth the state space S = (1, 2,...), transton probabltes p j = P {X n+1 = j X n = }, and the transton matrx P = (p j ),j S def.

More information

Luby s Alg. for Maximal Independent Sets using Pairwise Independence

Luby s Alg. for Maximal Independent Sets using Pairwise Independence Lecture Notes for Randomzed Algorthms Luby s Alg. for Maxmal Independent Sets usng Parwse Independence Last Updated by Erc Vgoda on February, 006 8. Maxmal Independent Sets For a graph G = (V, E), an ndependent

More information

1 Example 1: Axis-aligned rectangles

1 Example 1: Axis-aligned rectangles COS 511: Theoretcal Machne Learnng Lecturer: Rob Schapre Lecture # 6 Scrbe: Aaron Schld February 21, 2013 Last class, we dscussed an analogue for Occam s Razor for nfnte hypothess spaces that, n conjuncton

More information

benefit is 2, paid if the policyholder dies within the year, and probability of death within the year is ).

benefit is 2, paid if the policyholder dies within the year, and probability of death within the year is ). REVIEW OF RISK MANAGEMENT CONCEPTS LOSS DISTRIBUTIONS AND INSURANCE Loss and nsurance: When someone s subject to the rsk of ncurrng a fnancal loss, the loss s generally modeled usng a random varable or

More information

8 Algorithm for Binary Searching in Trees

8 Algorithm for Binary Searching in Trees 8 Algorthm for Bnary Searchng n Trees In ths secton we present our algorthm for bnary searchng n trees. A crucal observaton employed by the algorthm s that ths problem can be effcently solved when the

More information

Extending Probabilistic Dynamic Epistemic Logic

Extending Probabilistic Dynamic Epistemic Logic Extendng Probablstc Dynamc Epstemc Logc Joshua Sack May 29, 2008 Probablty Space Defnton A probablty space s a tuple (S, A, µ), where 1 S s a set called the sample space. 2 A P(S) s a σ-algebra: a set

More information

Module 2 LOSSLESS IMAGE COMPRESSION SYSTEMS. Version 2 ECE IIT, Kharagpur

Module 2 LOSSLESS IMAGE COMPRESSION SYSTEMS. Version 2 ECE IIT, Kharagpur Module LOSSLESS IMAGE COMPRESSION SYSTEMS Lesson 3 Lossless Compresson: Huffman Codng Instructonal Objectves At the end of ths lesson, the students should be able to:. Defne and measure source entropy..

More information

An Alternative Way to Measure Private Equity Performance

An Alternative Way to Measure Private Equity Performance An Alternatve Way to Measure Prvate Equty Performance Peter Todd Parlux Investment Technology LLC Summary Internal Rate of Return (IRR) s probably the most common way to measure the performance of prvate

More information

RUHR-UNIVERSITÄT BOCHUM

RUHR-UNIVERSITÄT BOCHUM RUHR-UNIVERSITÄT BOCHUM Horst Görtz Insttute for IT Securty Techncal Report TR-HGI-2006-002 Survey on Securty Requrements and Models for Group Key Exchange Mark Manuls Char for Network and Data Securty

More information

What is Candidate Sampling

What is Candidate Sampling What s Canddate Samplng Say we have a multclass or mult label problem where each tranng example ( x, T ) conssts of a context x a small (mult)set of target classes T out of a large unverse L of possble

More information

1 Approximation Algorithms

1 Approximation Algorithms CME 305: Dscrete Mathematcs and Algorthms 1 Approxmaton Algorthms In lght of the apparent ntractablty of the problems we beleve not to le n P, t makes sense to pursue deas other than complete solutons

More information

Support Vector Machines

Support Vector Machines Support Vector Machnes Max Wellng Department of Computer Scence Unversty of Toronto 10 Kng s College Road Toronto, M5S 3G5 Canada wellng@cs.toronto.edu Abstract Ths s a note to explan support vector machnes.

More information

Complete Fairness in Secure Two-Party Computation

Complete Fairness in Secure Two-Party Computation Complete Farness n Secure Two-Party Computaton S. Dov Gordon Carmt Hazay Jonathan Katz Yehuda Lndell Abstract In the settng of secure two-party computaton, two mutually dstrustng partes wsh to compute

More information

THE DISTRIBUTION OF LOAN PORTFOLIO VALUE * Oldrich Alfons Vasicek

THE DISTRIBUTION OF LOAN PORTFOLIO VALUE * Oldrich Alfons Vasicek HE DISRIBUION OF LOAN PORFOLIO VALUE * Oldrch Alfons Vascek he amount of captal necessary to support a portfolo of debt securtes depends on the probablty dstrbuton of the portfolo loss. Consder a portfolo

More information

Frequency Selective IQ Phase and IQ Amplitude Imbalance Adjustments for OFDM Direct Conversion Transmitters

Frequency Selective IQ Phase and IQ Amplitude Imbalance Adjustments for OFDM Direct Conversion Transmitters Frequency Selectve IQ Phase and IQ Ampltude Imbalance Adjustments for OFDM Drect Converson ransmtters Edmund Coersmeer, Ernst Zelnsk Noka, Meesmannstrasse 103, 44807 Bochum, Germany edmund.coersmeer@noka.com,

More information

8.5 UNITARY AND HERMITIAN MATRICES. The conjugate transpose of a complex matrix A, denoted by A*, is given by

8.5 UNITARY AND HERMITIAN MATRICES. The conjugate transpose of a complex matrix A, denoted by A*, is given by 6 CHAPTER 8 COMPLEX VECTOR SPACES 5. Fnd the kernel of the lnear transformaton gven n Exercse 5. In Exercses 55 and 56, fnd the mage of v, for the ndcated composton, where and are gven by the followng

More information

The OC Curve of Attribute Acceptance Plans

The OC Curve of Attribute Acceptance Plans The OC Curve of Attrbute Acceptance Plans The Operatng Characterstc (OC) curve descrbes the probablty of acceptng a lot as a functon of the lot s qualty. Fgure 1 shows a typcal OC Curve. 10 8 6 4 1 3 4

More information

An Interest-Oriented Network Evolution Mechanism for Online Communities

An Interest-Oriented Network Evolution Mechanism for Online Communities An Interest-Orented Network Evoluton Mechansm for Onlne Communtes Cahong Sun and Xaopng Yang School of Informaton, Renmn Unversty of Chna, Bejng 100872, P.R. Chna {chsun,yang}@ruc.edu.cn Abstract. Onlne

More information

Multiplication Algorithms for Radix-2 RN-Codings and Two s Complement Numbers

Multiplication Algorithms for Radix-2 RN-Codings and Two s Complement Numbers Multplcaton Algorthms for Radx- RN-Codngs and Two s Complement Numbers Jean-Luc Beuchat Projet Arénare, LIP, ENS Lyon 46, Allée d Itale F 69364 Lyon Cedex 07 jean-luc.beuchat@ens-lyon.fr Jean-Mchel Muller

More information

+ + + - - This circuit than can be reduced to a planar circuit

+ + + - - This circuit than can be reduced to a planar circuit MeshCurrent Method The meshcurrent s analog of the nodeoltage method. We sole for a new set of arables, mesh currents, that automatcally satsfy KCLs. As such, meshcurrent method reduces crcut soluton to

More information

PSYCHOLOGICAL RESEARCH (PYC 304-C) Lecture 12

PSYCHOLOGICAL RESEARCH (PYC 304-C) Lecture 12 14 The Ch-squared dstrbuton PSYCHOLOGICAL RESEARCH (PYC 304-C) Lecture 1 If a normal varable X, havng mean µ and varance σ, s standardsed, the new varable Z has a mean 0 and varance 1. When ths standardsed

More information

) of the Cell class is created containing information about events associated with the cell. Events are added to the Cell instance

) of the Cell class is created containing information about events associated with the cell. Events are added to the Cell instance Calbraton Method Instances of the Cell class (one nstance for each FMS cell) contan ADC raw data and methods assocated wth each partcular FMS cell. The calbraton method ncludes event selecton (Class Cell

More information

A Secure Password-Authenticated Key Agreement Using Smart Cards

A Secure Password-Authenticated Key Agreement Using Smart Cards A Secure Password-Authentcated Key Agreement Usng Smart Cards Ka Chan 1, Wen-Chung Kuo 2 and Jn-Chou Cheng 3 1 Department of Computer and Informaton Scence, R.O.C. Mltary Academy, Kaohsung 83059, Tawan,

More information

Proactive Secret Sharing Or: How to Cope With Perpetual Leakage

Proactive Secret Sharing Or: How to Cope With Perpetual Leakage Proactve Secret Sharng Or: How to Cope Wth Perpetual Leakage Paper by Amr Herzberg Stanslaw Jareck Hugo Krawczyk Mot Yung Presentaton by Davd Zage What s Secret Sharng Basc Idea ((2, 2)-threshold scheme):

More information

Logistic Regression. Lecture 4: More classifiers and classes. Logistic regression. Adaboost. Optimization. Multiple class classification

Logistic Regression. Lecture 4: More classifiers and classes. Logistic regression. Adaboost. Optimization. Multiple class classification Lecture 4: More classfers and classes C4B Machne Learnng Hlary 20 A. Zsserman Logstc regresson Loss functons revsted Adaboost Loss functons revsted Optmzaton Multple class classfcaton Logstc Regresson

More information

greatest common divisor

greatest common divisor 4. GCD 1 The greatest common dvsor of two ntegers a and b (not both zero) s the largest nteger whch s a common factor of both a and b. We denote ths number by gcd(a, b), or smply (a, b) when there s no

More information

Section 5.4 Annuities, Present Value, and Amortization

Section 5.4 Annuities, Present Value, and Amortization Secton 5.4 Annutes, Present Value, and Amortzaton Present Value In Secton 5.2, we saw that the present value of A dollars at nterest rate per perod for n perods s the amount that must be deposted today

More information

PKIS: practical keyword index search on cloud datacenter

PKIS: practical keyword index search on cloud datacenter Park et al. EURASIP Journal on Wreless Communcatons and Networkng 20, 20:64 http://jwcn.euraspjournals.com/content/20//64 RESEARCH Open Access PKIS: practcal keyword ndex search on cloud datacenter Hyun-A

More information

Calculation of Sampling Weights

Calculation of Sampling Weights Perre Foy Statstcs Canada 4 Calculaton of Samplng Weghts 4.1 OVERVIEW The basc sample desgn used n TIMSS Populatons 1 and 2 was a two-stage stratfed cluster desgn. 1 The frst stage conssted of a sample

More information

A Probabilistic Theory of Coherence

A Probabilistic Theory of Coherence A Probablstc Theory of Coherence BRANDEN FITELSON. The Coherence Measure C Let E be a set of n propostons E,..., E n. We seek a probablstc measure C(E) of the degree of coherence of E. Intutvely, we want

More information

How Sets of Coherent Probabilities May Serve as Models for Degrees of Incoherence

How Sets of Coherent Probabilities May Serve as Models for Degrees of Incoherence 1 st Internatonal Symposum on Imprecse Probabltes and Ther Applcatons, Ghent, Belgum, 29 June 2 July 1999 How Sets of Coherent Probabltes May Serve as Models for Degrees of Incoherence Mar J. Schervsh

More information

BERNSTEIN POLYNOMIALS

BERNSTEIN POLYNOMIALS On-Lne Geometrc Modelng Notes BERNSTEIN POLYNOMIALS Kenneth I. Joy Vsualzaton and Graphcs Research Group Department of Computer Scence Unversty of Calforna, Davs Overvew Polynomals are ncredbly useful

More information

v a 1 b 1 i, a 2 b 2 i,..., a n b n i.

v a 1 b 1 i, a 2 b 2 i,..., a n b n i. SECTION 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS 455 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS All the vector spaces we have studed thus far n the text are real vector spaces snce the scalars are

More information

On Mean Squared Error of Hierarchical Estimator

On Mean Squared Error of Hierarchical Estimator S C H E D A E I N F O R M A T I C A E VOLUME 0 0 On Mean Squared Error of Herarchcal Estmator Stans law Brodowsk Faculty of Physcs, Astronomy, and Appled Computer Scence, Jagellonan Unversty, Reymonta

More information

On the Optimal Control of a Cascade of Hydro-Electric Power Stations

On the Optimal Control of a Cascade of Hydro-Electric Power Stations On the Optmal Control of a Cascade of Hydro-Electrc Power Statons M.C.M. Guedes a, A.F. Rbero a, G.V. Smrnov b and S. Vlela c a Department of Mathematcs, School of Scences, Unversty of Porto, Portugal;

More information

Provably Secure Single Sign-on Scheme in Distributed Systems and Networks

Provably Secure Single Sign-on Scheme in Distributed Systems and Networks 0 IEEE th Internatonal Conference on Trust, Securty and Prvacy n Computng and Communcatons Provably Secure Sngle Sgn-on Scheme n Dstrbuted Systems and Networks Jangshan Yu, Guln Wang, and Y Mu Center for

More information

Efficient Project Portfolio as a tool for Enterprise Risk Management

Efficient Project Portfolio as a tool for Enterprise Risk Management Effcent Proect Portfolo as a tool for Enterprse Rsk Management Valentn O. Nkonov Ural State Techncal Unversty Growth Traectory Consultng Company January 5, 27 Effcent Proect Portfolo as a tool for Enterprse

More information

Secure Network Coding Over the Integers

Secure Network Coding Over the Integers Secure Network Codng Over the Integers Rosaro Gennaro Jonathan Katz Hugo Krawczyk Tal Rabn Abstract Network codng has receved sgnfcant attenton n the networkng communty for ts potental to ncrease throughput

More information

MAPP. MERIS level 3 cloud and water vapour products. Issue: 1. Revision: 0. Date: 9.12.1998. Function Name Organisation Signature Date

MAPP. MERIS level 3 cloud and water vapour products. Issue: 1. Revision: 0. Date: 9.12.1998. Function Name Organisation Signature Date Ttel: Project: Doc. No.: MERIS level 3 cloud and water vapour products MAPP MAPP-ATBD-ClWVL3 Issue: 1 Revson: 0 Date: 9.12.1998 Functon Name Organsaton Sgnature Date Author: Bennartz FUB Preusker FUB Schüller

More information

Institute of Informatics, Faculty of Business and Management, Brno University of Technology,Czech Republic

Institute of Informatics, Faculty of Business and Management, Brno University of Technology,Czech Republic Lagrange Multplers as Quanttatve Indcators n Economcs Ivan Mezník Insttute of Informatcs, Faculty of Busness and Management, Brno Unversty of TechnologCzech Republc Abstract The quanttatve role of Lagrange

More information

CHOLESTEROL REFERENCE METHOD LABORATORY NETWORK. Sample Stability Protocol

CHOLESTEROL REFERENCE METHOD LABORATORY NETWORK. Sample Stability Protocol CHOLESTEROL REFERENCE METHOD LABORATORY NETWORK Sample Stablty Protocol Background The Cholesterol Reference Method Laboratory Network (CRMLN) developed certfcaton protocols for total cholesterol, HDL

More information

DEFINING %COMPLETE IN MICROSOFT PROJECT

DEFINING %COMPLETE IN MICROSOFT PROJECT CelersSystems DEFINING %COMPLETE IN MICROSOFT PROJECT PREPARED BY James E Aksel, PMP, PMI-SP, MVP For Addtonal Informaton about Earned Value Management Systems and reportng, please contact: CelersSystems,

More information

Practical and Secure Solutions for Integer Comparison

Practical and Secure Solutions for Integer Comparison In Publc Key Cryptography PKC 07, Vol. 4450 of Lecture Notes n Computer Scence, Sprnger-Verlag, 2007. pp. 330-342. Practcal and Secure Solutons for Integer Comparson Juan Garay 1, erry Schoenmakers 2,

More information

A Verifiable Secret Shuffle of Homomorphic. encryptions.

A Verifiable Secret Shuffle of Homomorphic. encryptions. A Verfable Secret Shuffle of Homomorphc Encryptons Jens Groth 1 Department of Computer Scence, UCLA 3531A Boelter Hall Los Angeles, CA 90095-1596 USA jg@cs.ucla.edu Abstract. A shuffle conssts of a permutaton

More information

Answer: A). There is a flatter IS curve in the high MPC economy. Original LM LM after increase in M. IS curve for low MPC economy

Answer: A). There is a flatter IS curve in the high MPC economy. Original LM LM after increase in M. IS curve for low MPC economy 4.02 Quz Solutons Fall 2004 Multple-Choce Questons (30/00 ponts) Please, crcle the correct answer for each of the followng 0 multple-choce questons. For each queston, only one of the answers s correct.

More information

Section 5.3 Annuities, Future Value, and Sinking Funds

Section 5.3 Annuities, Future Value, and Sinking Funds Secton 5.3 Annutes, Future Value, and Snkng Funds Ordnary Annutes A sequence of equal payments made at equal perods of tme s called an annuty. The tme between payments s the payment perod, and the tme

More information

Feature selection for intrusion detection. Slobodan Petrović NISlab, Gjøvik University College

Feature selection for intrusion detection. Slobodan Petrović NISlab, Gjøvik University College Feature selecton for ntruson detecton Slobodan Petrovć NISlab, Gjøvk Unversty College Contents The feature selecton problem Intruson detecton Traffc features relevant for IDS The CFS measure The mrmr measure

More information

ANALYZING THE RELATIONSHIPS BETWEEN QUALITY, TIME, AND COST IN PROJECT MANAGEMENT DECISION MAKING

ANALYZING THE RELATIONSHIPS BETWEEN QUALITY, TIME, AND COST IN PROJECT MANAGEMENT DECISION MAKING ANALYZING THE RELATIONSHIPS BETWEEN QUALITY, TIME, AND COST IN PROJECT MANAGEMENT DECISION MAKING Matthew J. Lberatore, Department of Management and Operatons, Vllanova Unversty, Vllanova, PA 19085, 610-519-4390,

More information

1.1 The University may award Higher Doctorate degrees as specified from time-to-time in UPR AS11 1.

1.1 The University may award Higher Doctorate degrees as specified from time-to-time in UPR AS11 1. HIGHER DOCTORATE DEGREES SUMMARY OF PRINCIPAL CHANGES General changes None Secton 3.2 Refer to text (Amendments to verson 03.0, UPR AS02 are shown n talcs.) 1 INTRODUCTION 1.1 The Unversty may award Hgher

More information

Sketching Sampled Data Streams

Sketching Sampled Data Streams Sketchng Sampled Data Streams Florn Rusu, Aln Dobra CISE Department Unversty of Florda Ganesvlle, FL, USA frusu@cse.ufl.edu adobra@cse.ufl.edu Abstract Samplng s used as a unversal method to reduce the

More information

Tracker: Security and Privacy for RFID-based Supply Chains

Tracker: Security and Privacy for RFID-based Supply Chains Tracker: Securty and Prvacy for RFID-based Supply Chans Erk-Olver Blass Kaoutar Elkhyaou Refk Molva EURECOM Sopha Antpols, France {blass elkhyao molva}@eurecom.fr Abstract The counterfetng of pharmaceutcs

More information

Solutions to the exam in SF2862, June 2009

Solutions to the exam in SF2862, June 2009 Solutons to the exam n SF86, June 009 Exercse 1. Ths s a determnstc perodc-revew nventory model. Let n = the number of consdered wees,.e. n = 4 n ths exercse, and r = the demand at wee,.e. r 1 = r = r

More information

Formula of Total Probability, Bayes Rule, and Applications

Formula of Total Probability, Bayes Rule, and Applications 1 Formula of Total Probablty, Bayes Rule, and Applcatons Recall that for any event A, the par of events A and A has an ntersecton that s empty, whereas the unon A A represents the total populaton of nterest.

More information

Activity Scheduling for Cost-Time Investment Optimization in Project Management

Activity Scheduling for Cost-Time Investment Optimization in Project Management PROJECT MANAGEMENT 4 th Internatonal Conference on Industral Engneerng and Industral Management XIV Congreso de Ingenería de Organzacón Donosta- San Sebastán, September 8 th -10 th 010 Actvty Schedulng

More information

Brigid Mullany, Ph.D University of North Carolina, Charlotte

Brigid Mullany, Ph.D University of North Carolina, Charlotte Evaluaton And Comparson Of The Dfferent Standards Used To Defne The Postonal Accuracy And Repeatablty Of Numercally Controlled Machnng Center Axes Brgd Mullany, Ph.D Unversty of North Carolna, Charlotte

More information

Generalizing the degree sequence problem

Generalizing the degree sequence problem Mddlebury College March 2009 Arzona State Unversty Dscrete Mathematcs Semnar The degree sequence problem Problem: Gven an nteger sequence d = (d 1,...,d n ) determne f there exsts a graph G wth d as ts

More information

Inter-Ing 2007. INTERDISCIPLINARITY IN ENGINEERING SCIENTIFIC INTERNATIONAL CONFERENCE, TG. MUREŞ ROMÂNIA, 15-16 November 2007.

Inter-Ing 2007. INTERDISCIPLINARITY IN ENGINEERING SCIENTIFIC INTERNATIONAL CONFERENCE, TG. MUREŞ ROMÂNIA, 15-16 November 2007. Inter-Ing 2007 INTERDISCIPLINARITY IN ENGINEERING SCIENTIFIC INTERNATIONAL CONFERENCE, TG. MUREŞ ROMÂNIA, 15-16 November 2007. UNCERTAINTY REGION SIMULATION FOR A SERIAL ROBOT STRUCTURE MARIUS SEBASTIAN

More information

Communication Networks II Contents

Communication Networks II Contents 8 / 1 -- Communcaton Networs II (Görg) -- www.comnets.un-bremen.de Communcaton Networs II Contents 1 Fundamentals of probablty theory 2 Traffc n communcaton networs 3 Stochastc & Marovan Processes (SP

More information

J. Parallel Distrib. Comput.

J. Parallel Distrib. Comput. J. Parallel Dstrb. Comput. 71 (2011) 62 76 Contents lsts avalable at ScenceDrect J. Parallel Dstrb. Comput. journal homepage: www.elsever.com/locate/jpdc Optmzng server placement n dstrbuted systems n

More information

Linear Circuits Analysis. Superposition, Thevenin /Norton Equivalent circuits

Linear Circuits Analysis. Superposition, Thevenin /Norton Equivalent circuits Lnear Crcuts Analyss. Superposton, Theenn /Norton Equalent crcuts So far we hae explored tmendependent (resste) elements that are also lnear. A tmendependent elements s one for whch we can plot an / cure.

More information

Loop Parallelization

Loop Parallelization - - Loop Parallelzaton C-52 Complaton steps: nested loops operatng on arrays, sequentell executon of teraton space DECLARE B[..,..+] FOR I :=.. FOR J :=.. I B[I,J] := B[I-,J]+B[I-,J-] ED FOR ED FOR analyze

More information

Period and Deadline Selection for Schedulability in Real-Time Systems

Period and Deadline Selection for Schedulability in Real-Time Systems Perod and Deadlne Selecton for Schedulablty n Real-Tme Systems Thdapat Chantem, Xaofeng Wang, M.D. Lemmon, and X. Sharon Hu Department of Computer Scence and Engneerng, Department of Electrcal Engneerng

More information

An Optimally Robust Hybrid Mix Network (Extended Abstract)

An Optimally Robust Hybrid Mix Network (Extended Abstract) An Optmally Robust Hybrd Mx Network (Extended Abstract) Markus Jakobsson and Ar Juels RSA Laboratores Bedford, MA, USA {mjakobsson,ajuels}@rsasecurty.com Abstract We present a mx network that acheves effcent

More information

A Lyapunov Optimization Approach to Repeated Stochastic Games

A Lyapunov Optimization Approach to Repeated Stochastic Games PROC. ALLERTON CONFERENCE ON COMMUNICATION, CONTROL, AND COMPUTING, OCT. 2013 1 A Lyapunov Optmzaton Approach to Repeated Stochastc Games Mchael J. Neely Unversty of Southern Calforna http://www-bcf.usc.edu/

More information

Vision Mouse. Saurabh Sarkar a* University of Cincinnati, Cincinnati, USA ABSTRACT 1. INTRODUCTION

Vision Mouse. Saurabh Sarkar a* University of Cincinnati, Cincinnati, USA ABSTRACT 1. INTRODUCTION Vson Mouse Saurabh Sarkar a* a Unversty of Cncnnat, Cncnnat, USA ABSTRACT The report dscusses a vson based approach towards trackng of eyes and fngers. The report descrbes the process of locatng the possble

More information

The Development of Web Log Mining Based on Improve-K-Means Clustering Analysis

The Development of Web Log Mining Based on Improve-K-Means Clustering Analysis The Development of Web Log Mnng Based on Improve-K-Means Clusterng Analyss TngZhong Wang * College of Informaton Technology, Luoyang Normal Unversty, Luoyang, 471022, Chna wangtngzhong2@sna.cn Abstract.

More information

A Novel Methodology of Working Capital Management for Large. Public Constructions by Using Fuzzy S-curve Regression

A Novel Methodology of Working Capital Management for Large. Public Constructions by Using Fuzzy S-curve Regression Novel Methodology of Workng Captal Management for Large Publc Constructons by Usng Fuzzy S-curve Regresson Cheng-Wu Chen, Morrs H. L. Wang and Tng-Ya Hseh Department of Cvl Engneerng, Natonal Central Unversty,

More information

The covariance is the two variable analog to the variance. The formula for the covariance between two variables is

The covariance is the two variable analog to the variance. The formula for the covariance between two variables is Regresson Lectures So far we have talked only about statstcs that descrbe one varable. What we are gong to be dscussng for much of the remander of the course s relatonshps between two or more varables.

More information

Minimal Coding Network With Combinatorial Structure For Instantaneous Recovery From Edge Failures

Minimal Coding Network With Combinatorial Structure For Instantaneous Recovery From Edge Failures Mnmal Codng Network Wth Combnatoral Structure For Instantaneous Recovery From Edge Falures Ashly Joseph 1, Mr.M.Sadsh Sendl 2, Dr.S.Karthk 3 1 Fnal Year ME CSE Student Department of Computer Scence Engneerng

More information

Project Networks With Mixed-Time Constraints

Project Networks With Mixed-Time Constraints Project Networs Wth Mxed-Tme Constrants L Caccetta and B Wattananon Western Australan Centre of Excellence n Industral Optmsaton (WACEIO) Curtn Unversty of Technology GPO Box U1987 Perth Western Australa

More information

denote the location of a node, and suppose node X . This transmission causes a successful reception by node X for any other node

denote the location of a node, and suppose node X . This transmission causes a successful reception by node X for any other node Fnal Report of EE359 Class Proect Throughput and Delay n Wreless Ad Hoc Networs Changhua He changhua@stanford.edu Abstract: Networ throughput and pacet delay are the two most mportant parameters to evaluate

More information

A Replication-Based and Fault Tolerant Allocation Algorithm for Cloud Computing

A Replication-Based and Fault Tolerant Allocation Algorithm for Cloud Computing A Replcaton-Based and Fault Tolerant Allocaton Algorthm for Cloud Computng Tork Altameem Dept of Computer Scence, RCC, Kng Saud Unversty, PO Box: 28095 11437 Ryadh-Saud Araba Abstract The very large nfrastructure

More information

RESEARCH DISCUSSION PAPER

RESEARCH DISCUSSION PAPER Reserve Bank of Australa RESEARCH DISCUSSION PAPER Competton Between Payment Systems George Gardner and Andrew Stone RDP 2009-02 COMPETITION BETWEEN PAYMENT SYSTEMS George Gardner and Andrew Stone Research

More information

CHAPTER 14 MORE ABOUT REGRESSION

CHAPTER 14 MORE ABOUT REGRESSION CHAPTER 14 MORE ABOUT REGRESSION We learned n Chapter 5 that often a straght lne descrbes the pattern of a relatonshp between two quanttatve varables. For nstance, n Example 5.1 we explored the relatonshp

More information

Multiple-Period Attribution: Residuals and Compounding

Multiple-Period Attribution: Residuals and Compounding Multple-Perod Attrbuton: Resduals and Compoundng Our revewer gave these authors full marks for dealng wth an ssue that performance measurers and vendors often regard as propretary nformaton. In 1994, Dens

More information

FINANCIAL MATHEMATICS. A Practical Guide for Actuaries. and other Business Professionals

FINANCIAL MATHEMATICS. A Practical Guide for Actuaries. and other Business Professionals FINANCIAL MATHEMATICS A Practcal Gude for Actuares and other Busness Professonals Second Edton CHRIS RUCKMAN, FSA, MAAA JOE FRANCIS, FSA, MAAA, CFA Study Notes Prepared by Kevn Shand, FSA, FCIA Assstant

More information

Passive Filters. References: Barbow (pp 265-275), Hayes & Horowitz (pp 32-60), Rizzoni (Chap. 6)

Passive Filters. References: Barbow (pp 265-275), Hayes & Horowitz (pp 32-60), Rizzoni (Chap. 6) Passve Flters eferences: Barbow (pp 6575), Hayes & Horowtz (pp 360), zzon (Chap. 6) Frequencyselectve or flter crcuts pass to the output only those nput sgnals that are n a desred range of frequences (called

More information

New bounds in Balog-Szemerédi-Gowers theorem

New bounds in Balog-Szemerédi-Gowers theorem New bounds n Balog-Szemeréd-Gowers theorem By Tomasz Schoen Abstract We prove, n partcular, that every fnte subset A of an abelan group wth the addtve energy κ A 3 contans a set A such that A κ A and A

More information

Forecasting the Direction and Strength of Stock Market Movement

Forecasting the Direction and Strength of Stock Market Movement Forecastng the Drecton and Strength of Stock Market Movement Jngwe Chen Mng Chen Nan Ye cjngwe@stanford.edu mchen5@stanford.edu nanye@stanford.edu Abstract - Stock market s one of the most complcated systems

More information

We are now ready to answer the question: What are the possible cardinalities for finite fields?

We are now ready to answer the question: What are the possible cardinalities for finite fields? Chapter 3 Fnte felds We have seen, n the prevous chapters, some examples of fnte felds. For example, the resdue class rng Z/pZ (when p s a prme) forms a feld wth p elements whch may be dentfed wth the

More information

CS 2750 Machine Learning. Lecture 17a. Clustering. CS 2750 Machine Learning. Clustering

CS 2750 Machine Learning. Lecture 17a. Clustering. CS 2750 Machine Learning. Clustering Lecture 7a Clusterng Mlos Hauskrecht mlos@cs.ptt.edu 539 Sennott Square Clusterng Groups together smlar nstances n the data sample Basc clusterng problem: dstrbute data nto k dfferent groups such that

More information

Conversion between the vector and raster data structures using Fuzzy Geographical Entities

Conversion between the vector and raster data structures using Fuzzy Geographical Entities Converson between the vector and raster data structures usng Fuzzy Geographcal Enttes Cdála Fonte Department of Mathematcs Faculty of Scences and Technology Unversty of Combra, Apartado 38, 3 454 Combra,

More information

AN EFFICIENT GROUP AUTHENTICATION FOR GROUP COMMUNICATIONS

AN EFFICIENT GROUP AUTHENTICATION FOR GROUP COMMUNICATIONS Internatonal Journal of Network Securty & Its Applcatons (IJNSA), Vol.5, No.3, May 2013 AN EFFICIENT GROUP AUTHENTICATION FOR GROUP COMMUNICATIONS Len Harn 1 and Changlu Ln 2 1 Department of Computer Scence

More information

A Novel Multi-factor Authenticated Key Exchange Scheme With Privacy Preserving

A Novel Multi-factor Authenticated Key Exchange Scheme With Privacy Preserving A Novel Mult-factor Authentcated Key Exchange Scheme Wth Prvacy Preservng Dexn Yang Guangzhou Cty Polytechnc Guangzhou, Chna, 510405 yangdexn@21cn.com Bo Yang South Chna Agrcultural Unversty Guangzhou,

More information

A Cryptographic Key Assignment Scheme for Access Control in Poset Ordered Hierarchies with Enhanced Security

A Cryptographic Key Assignment Scheme for Access Control in Poset Ordered Hierarchies with Enhanced Security Internatonal Journal of Network Securty, Vol.7, No., PP.3 34, Sept. 8 3 A ryptographc Key Assgnment Scheme for Access ontrol n Poset Ordered Herarches wth Enhanced Securty Debass Gr and P. D. Srvastava

More information

Interest Rate Fundamentals

Interest Rate Fundamentals Lecture Part II Interest Rate Fundamentals Topcs n Quanttatve Fnance: Inflaton Dervatves Instructor: Iraj Kan Fundamentals of Interest Rates In part II of ths lecture we wll consder fundamental concepts

More information

L10: Linear discriminants analysis

L10: Linear discriminants analysis L0: Lnear dscrmnants analyss Lnear dscrmnant analyss, two classes Lnear dscrmnant analyss, C classes LDA vs. PCA Lmtatons of LDA Varants of LDA Other dmensonalty reducton methods CSCE 666 Pattern Analyss

More information

Nordea G10 Alpha Carry Index

Nordea G10 Alpha Carry Index Nordea G10 Alpha Carry Index Index Rules v1.1 Verson as of 10/10/2013 1 (6) Page 1 Index Descrpton The G10 Alpha Carry Index, the Index, follows the development of a rule based strategy whch nvests and

More information

A DYNAMIC CRASHING METHOD FOR PROJECT MANAGEMENT USING SIMULATION-BASED OPTIMIZATION. Michael E. Kuhl Radhamés A. Tolentino-Peña

A DYNAMIC CRASHING METHOD FOR PROJECT MANAGEMENT USING SIMULATION-BASED OPTIMIZATION. Michael E. Kuhl Radhamés A. Tolentino-Peña Proceedngs of the 2008 Wnter Smulaton Conference S. J. Mason, R. R. Hll, L. Mönch, O. Rose, T. Jefferson, J. W. Fowler eds. A DYNAMIC CRASHING METHOD FOR PROJECT MANAGEMENT USING SIMULATION-BASED OPTIMIZATION

More information

Traffic State Estimation in the Traffic Management Center of Berlin

Traffic State Estimation in the Traffic Management Center of Berlin Traffc State Estmaton n the Traffc Management Center of Berln Authors: Peter Vortsch, PTV AG, Stumpfstrasse, D-763 Karlsruhe, Germany phone ++49/72/965/35, emal peter.vortsch@ptv.de Peter Möhl, PTV AG,

More information

Efficient Dynamic Integrity Verification for Big Data Supporting Users Revocability

Efficient Dynamic Integrity Verification for Big Data Supporting Users Revocability nformaton Artcle Effcent Dynamc Integrty Verfcaton for Bg Data Supportng Users Revocablty Xnpeng Zhang 1,2, *, Chunxang Xu 1, Xaojun Zhang 1, Tazong Gu 2, Zh Geng 2 and Guopng Lu 2 1 School of Computer

More information

: ;,i! i.i.i; " '^! THE LOGIC THEORY MACHINE; EMPIRICAL EXPLORATIONS WITH A CASE STUDY IN HEURISTICS

: ;,i! i.i.i;  '^! THE LOGIC THEORY MACHINE; EMPIRICAL EXPLORATIONS WITH A CASE STUDY IN HEURISTICS ! EMPRCAL EXPLORATONS WTH THE LOGC THEORY MACHNE; A CASE STUDY N HEURSTCS. :, by Allen Newell, J. C. Shaw, & H. A. Smon Ths s a case study n problem-solvng, representng part of a program of research on

More information

Chapter 4 ECONOMIC DISPATCH AND UNIT COMMITMENT

Chapter 4 ECONOMIC DISPATCH AND UNIT COMMITMENT Chapter 4 ECOOMIC DISATCH AD UIT COMMITMET ITRODUCTIO A power system has several power plants. Each power plant has several generatng unts. At any pont of tme, the total load n the system s met by the

More information

FORMAL ANALYSIS FOR REAL-TIME SCHEDULING

FORMAL ANALYSIS FOR REAL-TIME SCHEDULING FORMAL ANALYSIS FOR REAL-TIME SCHEDULING Bruno Dutertre and Vctora Stavrdou, SRI Internatonal, Menlo Park, CA Introducton In modern avoncs archtectures, applcaton software ncreasngly reles on servces provded

More information

1. Fundamentals of probability theory 2. Emergence of communication traffic 3. Stochastic & Markovian Processes (SP & MP)

1. Fundamentals of probability theory 2. Emergence of communication traffic 3. Stochastic & Markovian Processes (SP & MP) 6.3 / -- Communcaton Networks II (Görg) SS20 -- www.comnets.un-bremen.de Communcaton Networks II Contents. Fundamentals of probablty theory 2. Emergence of communcaton traffc 3. Stochastc & Markovan Processes

More information

Simple Interest Loans (Section 5.1) :

Simple Interest Loans (Section 5.1) : Chapter 5 Fnance The frst part of ths revew wll explan the dfferent nterest and nvestment equatons you learned n secton 5.1 through 5.4 of your textbook and go through several examples. The second part

More information

Riposte: An Anonymous Messaging System Handling Millions of Users

Riposte: An Anonymous Messaging System Handling Millions of Users Rposte: An Anonymous Messagng System Handlng Mllons of Users Henry Corrgan-Gbbs, Dan Boneh, and Davd Mazères Stanford Unversty Abstract Ths paper presents Rposte, a new system for anonymous broadcast messagng.

More information

IDENTIFICATION AND CONTROL OF A FLEXIBLE TRANSMISSION SYSTEM

IDENTIFICATION AND CONTROL OF A FLEXIBLE TRANSMISSION SYSTEM Abstract IDENTIFICATION AND CONTROL OF A FLEXIBLE TRANSMISSION SYSTEM Alca Esparza Pedro Dept. Sstemas y Automátca, Unversdad Poltécnca de Valenca, Span alespe@sa.upv.es The dentfcaton and control of a

More information