Complete Fairness in Secure Two-Party Computation


S. Dov Gordon (Dept. of Computer Science, Columbia University; work done while at the University of Maryland), Carmit Hazay (Dept. of Computer Science, Aarhus University; work done while at Bar-Ilan University), Jonathan Katz (Dept. of Computer Science, University of Maryland; work supported by NSF grants # and #, and US-Israel Binational Science Foundation grant #), Yehuda Lindell (Dept. of Computer Science, Bar-Ilan University; work supported by US-Israel Binational Science Foundation grant #)

Abstract

In the setting of secure two-party computation, two mutually distrusting parties wish to compute some function of their inputs while preserving, to the extent possible, various security properties such as privacy, correctness, and more. One desirable property is fairness which guarantees, informally, that if one party receives its output, then the other party does too. Cleve (STOC 1986) showed that complete fairness cannot be achieved in general without an honest majority. Since then, the accepted folklore has been that nothing non-trivial can be computed with complete fairness in the two-party setting. We demonstrate that this folklore belief is false by showing completely fair protocols for various non-trivial functions in the two-party setting based on standard cryptographic assumptions. We first show feasibility of obtaining complete fairness when computing any function over polynomial-size domains that does not contain an "embedded XOR"; this class of functions includes boolean AND/OR as well as Yao's millionaires' problem. We also demonstrate feasibility for certain functions that do contain an embedded XOR, and prove a lower bound showing that any completely fair protocol for such functions must have round complexity super-logarithmic in the security parameter. Our results demonstrate that the question of completely fair secure computation without an honest majority is far from closed.

Keywords: cryptography, secure computation, fairness, distributed computing

1 Introduction

In the setting of secure computation, a set of parties wish to run some protocol for computing a function of their inputs while preserving, to the extent possible, security properties such as privacy, correctness, input independence, etc. These requirements, and more, are formalized by comparing a real-world execution of the protocol to an ideal world where there is a trusted entity who performs the computation on behalf of the parties. Informally, a protocol is secure if for any real-world adversary A there exists a corresponding ideal-world adversary S (corrupting the same parties as A) such that the result of executing the protocol in the real world with A is computationally indistinguishable from the result of computing the function in the ideal world with S. One desirable property is fairness which, intuitively, means that either everyone receives the output, or else no one does. Unfortunately, it has been shown by Cleve [11] that complete fairness (footnote 1) is impossible to achieve in general when a majority of parties is not honest (which, in particular, includes the two-party setting); specifically, Cleve rules out completely fair coin tossing, which implies the impossibility of computing boolean XOR with complete fairness. Since Cleve's work, the accepted folklore has been that nothing non-trivial can be computed with complete fairness without an honest majority, and researchers have simply resigned themselves to being unable to achieve this goal. Indeed, the standard formulation of secure computation (see [18]) posits two ideal worlds, and two corresponding definitions of security: one that incorporates fairness and is used when a majority of the parties are assumed to be honest (we refer to the corresponding definition as "security with complete fairness"), and one that does not incorporate fairness and is used when an arbitrary number of parties may be corrupted (we refer to the corresponding definition as "security with abort", since the adversary in this case may abort the protocol once it receives its output).

Protocols achieving security with complete fairness when a majority of parties are honest, for arbitrary functionalities, are known (assuming a broadcast channel) [19, 5, 9, 1, 30], as are protocols achieving security with abort for any number of corrupted parties (under suitable cryptographic assumptions) [19, 18]. Since the work of Cleve, however, there has been no progress toward a better understanding of complete fairness without an honest majority. No further impossibility results have been shown (i.e., other than those that follow trivially from Cleve's result), nor have any completely fair protocols for any non-trivial (footnote 2) functions been constructed. In short, the question of fairness without an honest majority has been treated as closed for over two decades.

1.1 Our Results

Cleve's work shows that certain functions cannot be computed with complete fairness without an honest majority. The folklore interpretation of this result seems to have been that nothing (non-trivial) can be computed with complete fairness without an honest majority. Surprisingly, we show that this folklore is false by demonstrating that many interesting and non-trivial functions can be computed with complete fairness in the two-party setting. Our positive results can be based on standard cryptographic assumptions such as the existence of enhanced trapdoor permutations. (Actually, our results can be based on the minimal assumption that oblivious transfer is possible.)

Footnote 1: Various notions of partial fairness have also been considered; see Section 1.2 for a brief discussion.
Footnote 2: It is not hard to see that some trivial functions (e.g., the constant function) can be computed with complete fairness. Furthermore, any function that depends on only one party's input can be computed with complete fairness, as can any function where only one party receives output. We consider such functions trivial in this context.

Our first result concerns functions without an embedded XOR, where a function f is said to have an embedded XOR if there exist inputs $x_0, x_1, y_0, y_1$ such that $f(x_i, y_j) = i \oplus j$ for all $i, j \in \{0, 1\}$. We show:

Theorem. Let f be a two-input boolean function defined over polynomial-size domains that does not contain an embedded XOR. Then, under suitable cryptographic assumptions, there exists a protocol for securely computing f with complete fairness.

This result is described in Section 3. The round complexity of our protocol in this case is linear in the size of the domains, hence the restriction that the domains be of polynomial size. Examples of functions without an embedded XOR include boolean OR and AND, as well as Yao's millionaires' problem [31] (i.e., the greater-than function). We remark that even simple functions such as OR/AND are non-trivial in the context of secure two-party computation since they cannot be computed with information-theoretic privacy [10] and are in fact complete for two-party secure computation with abort [24].

Recall that Cleve's result rules out completely fair computation of boolean XOR. Given this and the fact that our first result applies only to functions without an embedded XOR, a natural conjecture is that the presence of an embedded XOR serves as a barrier to completely fair computation of a given function. Our next result shows that this conjecture is false:

Theorem. Under suitable cryptographic assumptions, there exist two-input boolean functions containing an embedded XOR that can be securely computed with complete fairness.

This result is described in Section 4. The round complexity of the protocol here is super-logarithmic in the security parameter. We show that this is, in fact, inherent:

Theorem. Let f be a two-party function containing an embedded XOR. Then any protocol securely computing f with complete fairness (assuming one exists) requires $\omega(\log n)$ rounds.

Our proof of the above is reminiscent of Cleve's proof [11], except that Cleve only needed to consider the adversary's ability to bias a coin toss, whereas we must jointly consider both bias and privacy (since, for certain functions containing an embedded XOR, it is possible for an adversary to bias the output even in the ideal world). This makes the proof considerably more complex.

1.2 Related Work

Questions of fairness have been studied since the early days of secure computation. Previous work has been dedicated to achieving various relaxations of fairness (i.e., "partial fairness"), both for the case of specific functionalities like coin tossing [11, 12, 28] and contract signing/exchanging secrets [6, 26, 14, 4, 13], as well as for the case of general functionalities [32, 16, 3, 20, 15, 7, 29, 17, 22]. While relevant, such work is tangential to our own: here, rather than try to achieve partial fairness for all functionalities, we are interested in obtaining complete fairness and then ask for which functionalities this is possible.

1.3 Open Questions

We have shown the first positive results for completely-fair secure computation of non-trivial functionalities without an honest majority. This re-opens an area of research that was previously thought to be closed, and leaves many tantalizing open directions to explore. The most pressing question left open by this work is to provide a tight characterization of which boolean functions can be computed with complete fairness in the two-party setting. More generally, the positive results

shown here apply only to deterministic, single-output (footnote 3), boolean functions defined over polynomial-size domains. Relaxing any of these restrictions in a non-trivial way (or proving the impossibility of doing so) would be an interesting next step. Finally, what can be said with regard to complete fairness in the multi-party setting without an honest majority? (This question is interesting both with and without the assumption of a broadcast channel.) Initial feasibility results have been shown [21], but much work remains to be done.

2 Definitions

We let n denote the security parameter. A function $\mu(\cdot)$ is negligible if for every positive polynomial $p(\cdot)$ and all sufficiently large n it holds that $\mu(n) < 1/p(n)$. A distribution ensemble $X = \{X(a, n)\}_{a \in D_n,\, n \in \mathbb{N}}$ is an infinite sequence of random variables indexed by $a \in D_n$ and $n \in \mathbb{N}$, where $D_n$ is a set that may depend on n. (Looking ahead, n will be the security parameter and $D_n$ will denote the domain of the parties' inputs.) Two distribution ensembles $X = \{X(a, n)\}_{a \in D_n,\, n \in \mathbb{N}}$ and $Y = \{Y(a, n)\}_{a \in D_n,\, n \in \mathbb{N}}$ are computationally indistinguishable, denoted $X \stackrel{c}{\equiv} Y$, if for every non-uniform polynomial-time algorithm D there exists a negligible function $\mu(\cdot)$ such that for every n and every $a \in D_n$

$$\Big| \Pr[D(X(a, n)) = 1] - \Pr[D(Y(a, n)) = 1] \Big| \le \mu(n).$$

The statistical difference between two distributions $X(a, n)$ and $Y(a, n)$ is defined as

$$\mathrm{SD}\big(X(a, n), Y(a, n)\big) = \frac{1}{2} \sum_{s} \Big| \Pr[X(a, n) = s] - \Pr[Y(a, n) = s] \Big|,$$

where the sum ranges over s in the support of either $X(a, n)$ or $Y(a, n)$. Two distribution ensembles $X = \{X(a, n)\}_{a \in D_n,\, n \in \mathbb{N}}$ and $Y = \{Y(a, n)\}_{a \in D_n,\, n \in \mathbb{N}}$ are statistically close, denoted $X \stackrel{s}{\equiv} Y$, if there is a negligible function $\mu(\cdot)$ such that for every n and every $a \in D_n$, it holds that $\mathrm{SD}\big(X(a, n), Y(a, n)\big) \le \mu(n)$.

Functionalities. In the two-party setting, a functionality $F = \{f_n\}_{n \in \mathbb{N}}$ is a sequence of randomized processes, where each $f_n$ maps pairs of inputs to pairs of outputs (one for each party). We write $f_n = (f_n^1, f_n^2)$ if we wish to emphasize the two outputs of $f_n$, but stress that if $f_n^1$ and $f_n^2$ are randomized then the outputs of $f_n^1$ and $f_n^2$ are correlated random variables. The domain of $f_n$ is $X_n \times Y_n$, where $X_n$ (resp., $Y_n$) denotes the possible inputs of the first (resp., second) party (footnote 4). If $|X_n|$ and $|Y_n|$ are polynomial in n, then we say that F is defined over polynomial-size domains. If each $f_n$ is deterministic we will refer to each $f_n$, as well as the collection F, as a function.

2.1 Secure Two-Party Computation with Complete Fairness

In what follows, we define what we mean by a secure protocol. Our definition follows the standard definition of [18] (based on [20, 27, 2, 8]) except that we require complete fairness even though we are in the two-party setting. (Thus, our definition is equivalent to the one in [18] for the case of an honest majority, even though we do not have an honest majority.) We consider active (i.e., malicious) adversaries, who may deviate from the protocol arbitrarily, and static corruptions.

Footnote 3: I.e., where both parties receive the same output.
Footnote 4: The typical convention in secure computation is to let $f_n = f$ and $X_n = Y_n = \{0, 1\}^*$ for all n. We will be dealing with functions defined over polynomial-size domains, which is why we introduce this notation.

Two-party computation. A two-party protocol for computing a functionality $F = \{(f_n^1, f_n^2)\}$ is a protocol running in polynomial time and satisfying the following functional requirement: if party $P_1$ begins by holding $1^n$ and input $x \in X_n$, and party $P_2$ holds $1^n$ and input $y \in Y_n$, then the joint distribution of the outputs of the parties is statistically close to $(f_n^1(x, y), f_n^2(x, y))$.

Security of protocols (informal). The security of a protocol is analyzed by comparing what an adversary can do in a real protocol execution to what it can do in an ideal scenario that is secure by definition. This is formalized by considering an ideal computation involving an incorruptible trusted party to whom the parties send their inputs. The trusted party computes the functionality on the inputs and returns to each party its respective output. Loosely speaking, a protocol is secure if any adversary interacting in the real protocol (where no trusted party exists) can do no more harm than if it were involved in the above-described ideal computation. We assume an adversary who corrupts one of the parties. It is also meaningful to consider an eavesdropping adversary who corrupts neither of the parties (and should learn nothing from the execution), but such an adversary is easily handled and is not very interesting in our setting.

Execution in the ideal model. The parties are $P_1$ and $P_2$, and there is an adversary A who has corrupted one of them. An ideal execution for the computation of $F = \{f_n\}$ proceeds as follows:

Inputs: $P_1$ and $P_2$ hold the same value $1^n$, and their inputs $x \in X_n$ and $y \in Y_n$, respectively; the adversary A receives an auxiliary input z.

Send inputs to trusted party: The honest party sends its input to the trusted party. The corrupted party controlled by A may send any value of its choice. Denote the pair of inputs sent to the trusted party by $(x', y')$.

Trusted party sends outputs: If $x' \notin X_n$ the trusted party sets $x'$ to some default input in $X_n$; likewise if $y' \notin Y_n$ the trusted party sets $y'$ equal to some default input in $Y_n$. Then the trusted party chooses r uniformly at random and sends $f_n^1(x', y'; r)$ to party $P_1$ and $f_n^2(x', y'; r)$ to party $P_2$.

Outputs: The honest party outputs whatever it was sent by the trusted party, the corrupted party outputs nothing, and A outputs an arbitrary (probabilistic polynomial-time computable) function of its view.

We let $\mathrm{ideal}_{F, A(z)}(x, y, n)$ be the random variable consisting of the output of the adversary and the output of the honest party following an execution in the ideal model as described above.

Execution in the real model. We next consider the real model in which a two-party protocol $\pi$ is executed by $P_1$ and $P_2$ (and there is no trusted party). In this case, the adversary A gets the inputs of the corrupted party and sends all messages on behalf of this party, using an arbitrary polynomial-time strategy. The honest party follows the instructions of $\pi$. Let F be as above and let $\pi$ be a two-party protocol computing F. Let A be a non-uniform probabilistic polynomial-time machine with auxiliary input z. We let $\mathrm{real}_{\pi, A(z)}(x, y, n)$ be the random variable consisting of the view of the adversary and the output of the honest party, following an execution of $\pi$ where $P_1$ begins by holding $1^n$ and input x and $P_2$ begins by holding $1^n$ and y.

Security as emulation of an ideal execution in the real model. Having defined the ideal and real models, we can now define security of a protocol. Loosely speaking, the definition asserts that a secure protocol (in the real model) emulates the ideal model (in which a trusted party exists). This is formulated as follows:

Definition 2.1 Protocol $\pi$ is said to securely compute F with complete fairness if for every non-uniform probabilistic polynomial-time adversary A in the real model, there exists a non-uniform probabilistic polynomial-time adversary S in the ideal model such that

$$\big\{\mathrm{ideal}_{F, S(z)}(x, y, n)\big\}_{(x, y) \in X_n \times Y_n,\, z \in \{0, 1\}^*,\, n \in \mathbb{N}} \;\stackrel{c}{\equiv}\; \big\{\mathrm{real}_{\pi, A(z)}(x, y, n)\big\}_{(x, y) \in X_n \times Y_n,\, z \in \{0, 1\}^*,\, n \in \mathbb{N}}.$$

2.2 Secure Two-Party Computation With Abort

This definition is the standard one for secure two-party computation [18] in that it allows early abort; i.e., the adversary may receive its own output even though the honest party does not. We again let $P_1$ and $P_2$ denote the two parties, and consider an adversary A who has corrupted one of them. The only change from the definition in Section 2.1 is with regard to the ideal model for computing $F = \{f_n\}$, which is now defined as follows:

Inputs: As previously.

Send inputs to trusted party: As previously.

Trusted party sends output to corrupted party: If $x' \notin X_n$ the trusted party sets $x'$ to some default input in $X_n$; likewise if $y' \notin Y_n$ the trusted party sets $y'$ equal to some default input in $Y_n$. Then the trusted party chooses r uniformly at random, computes $z_1 = f_n^1(x', y'; r)$ and $z_2 = f_n^2(x', y'; r)$, and sends $z_i$ to the corrupted party $P_i$ (i.e., to the adversary A).

Adversary decides whether to abort: After receiving its output (as described above), the adversary either sends abort or continue to the trusted party. In the former case the trusted party sends $\bot$ to the honest party $P_{3-i}$, and in the latter case the trusted party sends $z_{3-i}$ to $P_{3-i}$.

Outputs: As previously.

We let $\mathrm{ideal}^{\mathrm{abort}}_{F, A(z)}(x, y, n)$ be the random variable consisting of the output of the adversary and the output of the honest party following an execution in the ideal model as described above.

Definition 2.2 Protocol $\pi$ is said to securely compute F with abort if for every non-uniform probabilistic polynomial-time adversary A in the real model, there exists a non-uniform probabilistic polynomial-time adversary S in the ideal model such that

$$\big\{\mathrm{ideal}^{\mathrm{abort}}_{F, S(z)}(x, y, n)\big\}_{(x, y) \in X_n \times Y_n,\, z \in \{0, 1\}^*,\, n \in \mathbb{N}} \;\stackrel{c}{\equiv}\; \big\{\mathrm{real}_{\pi, A(z)}(x, y, n)\big\}_{(x, y) \in X_n \times Y_n,\, z \in \{0, 1\}^*,\, n \in \mathbb{N}}.$$

2.3 The Hybrid Model

The hybrid model combines both the real and ideal models. Specifically, an execution of a protocol $\pi$ in the G-hybrid model, for some functionality G, involves the parties sending normal messages to each other (as in the real model) and, in addition, having access to a trusted party computing G. The parties communicate with this trusted party in exactly the same way as in the ideal models described above; the question of which ideal model is taken (that with or without abort) must be specified. In this paper, we always consider a hybrid model where the functionality G is computed according to the ideal model with abort. In all our protocols in the G-hybrid model there will only be sequential calls to G; i.e., there is at most a single call to G per round, and no other messages are sent during any round in which G is called.

Let G be a functionality and let $\pi$ be a two-party protocol for computing some functionality F, where $\pi$ includes real messages between the parties as well as calls to G. Let A be a non-uniform probabilistic polynomial-time machine with auxiliary input z. We let $\mathrm{hybrid}^{G}_{\pi, A(z)}(x, y, n)$ be the random variable consisting of the view of the adversary and the output of the honest party, following an execution of $\pi$ (with ideal calls to G) where $P_1$ begins by holding $1^n$ and input x and $P_2$ begins by holding $1^n$ and input y. Both security with complete fairness and security with abort can be defined via the natural modifications of Definitions 2.1 and 2.2.

The hybrid model gives a powerful tool for proving the security of protocols. Specifically, we may design a real-world protocol for securely computing some functionality F by first constructing a protocol for computing F in the G-hybrid model. Letting $\pi$ denote the protocol thus constructed (in the G-hybrid model), we denote by $\pi^{\rho}$ the real-world protocol in which calls to G are replaced by sequential execution of a real-world protocol $\rho$ that computes G. ("Sequential" here implies that only one execution of $\rho$ is carried out at any time, and no other $\pi$-protocol messages are sent during execution of $\rho$.) The results of [8] then imply that if $\pi$ securely computes F in the G-hybrid model, and $\rho$ securely computes G, then the composed protocol $\pi^{\rho}$ securely computes F (in the real world). For completeness, we state this result formally as we will use it in this work:

Proposition 1 Let $\rho$ be a protocol that securely computes G with abort, and let $\pi$ be a protocol that securely computes F with complete fairness in the G-hybrid model (where G is computed according to the ideal world with abort). Then protocol $\pi^{\rho}$ securely computes F with complete fairness.

2.4 Information-Theoretic MACs

We briefly review the standard definition for information-theoretically secure message authentication codes (MACs). (We use such MACs for simplicity, though computationally secure MACs would also suffice.)

A message authentication code consists of three polynomial-time algorithms (Gen, Mac, Vrfy). The key-generation algorithm Gen takes as input the security parameter $1^n$ in unary and outputs a key k. The message authentication algorithm Mac takes as input a key k and a message $M \in \{0, 1\}^n$, and outputs a tag t; we write this as $t = \mathrm{Mac}_k(M)$. The verification algorithm Vrfy takes as input a key k, a message $M \in \{0, 1\}^n$, and a tag t, and outputs a bit b; we write this as $b = \mathrm{Vrfy}_k(M, t)$. We regard b = 1 as acceptance and b = 0 as rejection, and require that for all n, all k output by $\mathrm{Gen}(1^n)$, and all $M \in \{0, 1\}^n$, it holds that $\mathrm{Vrfy}_k(M, \mathrm{Mac}_k(M)) = 1$.

We say (Gen, Mac, Vrfy) is a secure m-time MAC, where m may be a function of n, if no computationally unbounded adversary can output a valid tag on a new message after seeing valid tags on m other messages. For our purposes, we do not require security against an adversary who adaptively chooses the m messages for which to obtain a valid tag; it suffices to consider a non-adaptive definition where the m messages are fixed in advance. (Nevertheless, known constructions satisfy the stronger requirement.) Formally:

Definition 2.3 Message authentication code (Gen, Mac, Vrfy) is an information-theoretically secure m-time MAC if for any sequence of messages $M_1, \ldots, M_m$ and any adversary A, the following is negligible in the security parameter n:

$$\Pr\Big[ k \leftarrow \mathrm{Gen}(1^n);\ t_i = \mathrm{Mac}_k(M_i) \text{ for } i = 1, \ldots, m;\ (M', t') \leftarrow A(M_1, t_1, \ldots, M_m, t_m) \;:\; \mathrm{Vrfy}_k(M', t') = 1 \ \wedge\ M' \notin \{M_1, \ldots, M_m\} \Big].$$

3 Fair Computation of the Millionaires' Problem (and More)

In this section, we describe a protocol for securely computing the millionaires' problem (and related functionalities) with complete fairness. (We discuss in Section 3.2 how this generalizes, rather easily, to any function over polynomial-size domains that does not contain an embedded XOR.) Specifically, we look at functions defined by a lower-triangular matrix, as in the following table, where the entry in row $x_i$ and column $y_j$ is $f(x_i, y_j)$:

        y_1  y_2  y_3  y_4  y_5  y_6
  x_1    0    0    0    0    0    0
  x_2    1    0    0    0    0    0
  x_3    1    1    0    0    0    0
  x_4    1    1    1    0    0    0
  x_5    1    1    1    1    0    0
  x_6    1    1    1    1    1    0

Let $F = \{f_{m(n)}\}_{n \in \mathbb{N}}$ denote a function of the above form, where $m = m(n)$ denotes the size of the domains of each input which we assume, for now, have the same size. (In the next section we will consider the case when they are unequal.) Let $X_m = \{x_1, \ldots, x_m\}$ denote the valid inputs for the first party and let $Y_m = \{y_1, \ldots, y_m\}$ denote the valid inputs for the second party. By suitably ordering these elements, we may write $f_m$ as follows:

$$f_m(x_i, y_j) = \begin{cases} 1 & \text{if } i > j \\ 0 & \text{if } i \le j \end{cases} \qquad (1)$$

Viewed in this way, $f_m$ is exactly the millionaires' problem or, equivalently, the greater-than function. The remainder of this section is devoted to a proof of the following theorem:

Theorem. Let $m = \mathrm{poly}(n)$. Assuming the existence of constant-round general secure two-party computation with abort, there exists a $\Theta(m)$-round protocol that securely computes $F = \{f_m\}$ with complete fairness.

Constant-round protocols for general secure two-party computation with abort can be constructed based on enhanced trapdoor permutations or any constant-round protocol for oblivious transfer [25]. (The assumption of a constant-round protocol is needed only for the claim regarding round complexity.) The fact that our protocol requires (at least) $\Theta(m)$ rounds explains why we require $m = \mathrm{poly}(n)$. When m = 2, we obtain a constant-round protocol for computing boolean AND with complete fairness and, by symmetry, we also obtain a protocol for boolean OR.
We remark further that our results extend to variants of $f_m$ such as the greater-than-or-equal-to function, or the greater-than function where the sizes of the domains X and Y are unequal; see Section 3.2 for a full discussion.

3.1 The Protocol

In this section, we write f in place of $f_m$, and X and Y in place of $X_m$ and $Y_m$.

Intuition. At a high level, our protocol works as follows. Say the input of $P_1$ is $x_i$, and the input of $P_2$ is $y_j$. Following a constant-round pre-processing phase, the protocol proceeds in a series of m iterations, where $P_1$ learns the output, namely the value $f(x_i, y_j)$, in iteration i, and $P_2$ learns the output in iteration j. (That is, in contrast to standard protocols, the iteration in which

a party learns the output depends on the value of its own input.) If one party (say, $P_1$) aborts after receiving its iteration-k message, and the second party (say, $P_2$) has not yet received its output, then $P_2$ assumes that $P_1$ learned its output in iteration k, and so computes f on its own using input $x_k$ for $P_1$. (In this case, that means that $P_2$ would output $f(x_k, y_j)$.) We stress that a malicious $P_1$ may, of course, abort in any iteration it likes (and not necessarily in the iteration in which it learns its output); the foregoing is only an intuitive explanation.

The fact that this approach gives complete fairness can be intuitively understood as follows. Say $P_1$ is malicious and uses $x_i$ as its effective input, and let $y_j$ denote the (unknown) input of $P_2$. There are two possibilities: $P_1$ either aborts in iteration k < i, or in iteration k ≥ i. (If $P_1$ never aborts then fairness is trivially achieved.) In the first case, $P_1$ never learns the correct output and so fairness is achieved. In the second case, $P_1$ does obtain the output $f(x_i, y_j)$ (in iteration i) and then aborts in some iteration k ≥ i. Here we consider two sub-cases depending on the value of $P_2$'s input $y = y_j$: If j < k then $P_2$ has already received its output in a previous iteration and fairness is achieved. If j ≥ k then $P_2$ has not yet received its output. Since $P_1$ aborts in iteration k, the protocol directs $P_2$ to output $f(x_k, y) = f(x_k, y_j)$. Since k ≤ j (and i ≤ k), we have $f(x_k, y_j) = 0 = f(x_i, y_j)$ (relying on the specifics of f), and so the output of $P_2$ is equal to the output obtained by $P_1$ (and thus fairness is achieved). This is the key observation that enables us to obtain fairness for this function. We formalize the above intuition in our proof, where we demonstrate an ideal-world simulator corresponding to the actions of any malicious $P_1$. Of course, we also consider the case of a malicious $P_2$.

Formal description of the protocol. We use a message authentication code (Gen, Mac, Vrfy); see Definition 2.3. For convenience, we use an m-time message authentication code (MAC) with information-theoretic security, though a computationally secure MAC would also suffice. We also rely on a sub-protocol for securely computing a randomized functionality ShareGen defined in Figure 1. In our protocol, the parties will compute ShareGen as a result of which $P_1$ will obtain shares $a_1^{(1)}, b_1^{(1)}, a_2^{(1)}, b_2^{(1)}, \ldots$ and $P_2$ will obtain shares $a_1^{(2)}, b_1^{(2)}, a_2^{(2)}, b_2^{(2)}, \ldots$. (The functionality ShareGen also provides the parties with MAC keys and tags so that if a malicious party modifies the share it sends to the other party, then the other party will almost certainly detect this. In case such manipulation is detected, it will be treated as an abort.) The parties then exchange their shares one-by-one in a sequence of m iterations. Specifically, in iteration i party $P_2$ will send $a_i^{(2)}$ to $P_1$, thus allowing $P_1$ to reconstruct the value $a_i \stackrel{\mathrm{def}}{=} a_i^{(1)} \oplus a_i^{(2)}$, and then $P_1$ will send $b_i^{(1)}$ to $P_2$, thus allowing $P_2$ to learn the value $b_i \stackrel{\mathrm{def}}{=} b_i^{(2)} \oplus b_i^{(1)}$. Let $\pi$ be a protocol that securely computes ShareGen with abort. Our protocol for computing f with complete fairness uses $\pi$ and is given in Figure 2.

Theorem 3.1 If (Gen, Mac, Vrfy) is an information-theoretically secure m-time MAC, and $\pi$ securely computes ShareGen with abort, then the protocol in Figure 2 securely computes $\{f_m\}$ with complete fairness.

Proof: Let $\Pi$ denote the protocol in Figure 2. We analyze $\Pi$ in a hybrid model where there is a trusted party computing ShareGen. (Since $\pi$ is only guaranteed to securely compute ShareGen with abort, the adversary in the hybrid model is allowed to abort the trusted party computing ShareGen

before output is sent to the honest party.) We prove that an execution of $\Pi$ in this hybrid model is statistically close to an evaluation of f in the ideal model (with complete fairness), where the only difference occurs due to MAC forgeries. Applying Proposition 1 then implies the theorem. We separately analyze corruption of $P_1$ and $P_2$, beginning with $P_1$:

Claim 2 For every non-uniform, polynomial-time adversary A corrupting $P_1$ and running $\Pi$ in a hybrid model with access to an ideal functionality computing ShareGen (with abort), there exists a non-uniform, probabilistic polynomial-time adversary S corrupting $P_1$ and running in the ideal world with access to an ideal functionality computing f (with complete fairness), such that

$$\big\{\mathrm{ideal}_{f, S(z)}(x, y, n)\big\}_{(x, y) \in X_m \times Y_m,\, z \in \{0, 1\}^*,\, n \in \mathbb{N}} \;\stackrel{s}{\equiv}\; \big\{\mathrm{hybrid}^{\mathrm{ShareGen}}_{\Pi, A(z)}(x, y, n)\big\}_{(x, y) \in X_m \times Y_m,\, z \in \{0, 1\}^*,\, n \in \mathbb{N}}.$$

Proof: Let $P_1$ be corrupted by A. We construct a simulator S given black-box access to A:

1. S invokes A on the input x, the auxiliary input z, and the security parameter n.

2. S receives the input $x'$ of A to the computation of the functionality ShareGen.
(a) If $x' \notin X$ (this includes the case when $x' = \bot$ since A aborts), then S hands $\bot$ to A as its output from the computation of ShareGen, sends $x_1$ to the trusted party computing f, outputs whatever A outputs, and halts.
(b) Otherwise, if the input is some $x' \in X$, then S chooses uniformly distributed shares $a_1^{(1)}, \ldots, a_m^{(1)}$ and $b_1^{(1)}, \ldots, b_m^{(1)}$. In addition, it generates keys $k_a, k_b \leftarrow \mathrm{Gen}(1^n)$ and computes $t_i^b = \mathrm{Mac}_{k_b}(i \| b_i^{(1)})$ for every i. Finally, it hands A the strings $a_1^{(1)}, \ldots, a_m^{(1)}$, $(b_1^{(1)}, t_1^b), \ldots, (b_m^{(1)}, t_m^b)$, and $k_a$ as its output from the computation of ShareGen.

ShareGen

Inputs: Let the inputs to ShareGen be $x_i$ and $y_j$ with $1 \le i, j \le m$. (If one of the received inputs is not in the correct domain, then both parties are given output $\bot$.) The security parameter is n.

Computation:
1. Define values $a_1, \ldots, a_m$ and $b_1, \ldots, b_m$ in the following way: Set $a_i = b_j = f(x_i, y_j)$. For $l \in \{1, \ldots, m\}$, $l \ne i$, set $a_l = \mathrm{null}$. For $l \in \{1, \ldots, m\}$, $l \ne j$, set $b_l = \mathrm{null}$. (Technically, $a_l, b_l$ are represented as 2-bit values with, say, 00 interpreted as 0, 11 interpreted as 1, and 01 interpreted as null.)
2. For $1 \le l \le m$, choose $(a_l^{(1)}, a_l^{(2)})$ and $(b_l^{(1)}, b_l^{(2)})$ as random secret sharings of $a_l$ and $b_l$, respectively. (I.e., $a_l^{(1)}$ is random and $a_l^{(1)} \oplus a_l^{(2)} = a_l$.)
3. Compute $k_a, k_b \leftarrow \mathrm{Gen}(1^n)$. For $1 \le l \le m$, let $t_l^a = \mathrm{Mac}_{k_a}(l \| a_l^{(2)})$ and $t_l^b = \mathrm{Mac}_{k_b}(l \| b_l^{(1)})$.

Output:
1. $P_1$ receives the values $a_1^{(1)}, \ldots, a_m^{(1)}$ and $(b_1^{(1)}, t_1^b), \ldots, (b_m^{(1)}, t_m^b)$, and the MAC key $k_a$.
2. $P_2$ receives the values $(a_1^{(2)}, t_1^a), \ldots, (a_m^{(2)}, t_m^a)$ and $b_1^{(2)}, \ldots, b_m^{(2)}$, and the MAC key $k_b$.

Figure 1: Functionality ShareGen.

Protocol 1

Inputs: Party $P_1$ has input x and party $P_2$ has input y. The security parameter is n.

The protocol:
1. Preliminary phase:
(a) Parties $P_1$ and $P_2$ run protocol $\pi$ for computing ShareGen, using their respective inputs x, y, and security parameter n.
(b) If $P_1$ receives $\bot$ from the above computation (because $P_2$ aborts the computation or uses an invalid input in $\pi$) it outputs $f(x, y_1)$ and halts. Likewise, if $P_2$ receives $\bot$, it outputs $f(x_1, y)$ and halts. Otherwise, the parties proceed.
(c) Denote the output of $P_1$ from $\pi$ by $a_1^{(1)}, \ldots, a_m^{(1)}$, $(b_1^{(1)}, t_1^b), \ldots, (b_m^{(1)}, t_m^b)$, and $k_a$.
(d) Denote the output of $P_2$ from $\pi$ by $(a_1^{(2)}, t_1^a), \ldots, (a_m^{(2)}, t_m^a)$, $b_1^{(2)}, \ldots, b_m^{(2)}$, and $k_b$.
2. For $i = 1, \ldots, m$ do:
$P_2$ sends the next share to $P_1$:
(a) $P_2$ sends $(a_i^{(2)}, t_i^a)$ to $P_1$.
(b) $P_1$ receives $(a_i^{(2)}, t_i^a)$ from $P_2$. If $\mathrm{Vrfy}_{k_a}(i \| a_i^{(2)}, t_i^a) = 0$ (or if $P_1$ received an invalid message, or no message), then $P_1$ halts. If $P_1$ has already determined its output in some earlier iteration, then it outputs that value. Otherwise, it outputs $f(x, y_{i-1})$ (if i = 1, then $P_1$ outputs $f(x, y_1)$).
(c) If $\mathrm{Vrfy}_{k_a}(i \| a_i^{(2)}, t_i^a) = 1$ and $a_i^{(1)} \oplus a_i^{(2)} \ne \mathrm{null}$ (i.e., $x = x_i$), then $P_1$ sets its output to be $a_i^{(1)} \oplus a_i^{(2)}$ (and continues running the protocol).
$P_1$ sends the next share to $P_2$:
(a) $P_1$ sends $(b_i^{(1)}, t_i^b)$ to $P_2$.
(b) $P_2$ receives $(b_i^{(1)}, t_i^b)$ from $P_1$. If $\mathrm{Vrfy}_{k_b}(i \| b_i^{(1)}, t_i^b) = 0$ (or if $P_2$ received an invalid message, or no message), then $P_2$ halts. If $P_2$ has already determined its output in some earlier iteration, then it outputs that value. Otherwise, it outputs $f(x_i, y)$.
(c) If $\mathrm{Vrfy}_{k_b}(i \| b_i^{(1)}, t_i^b) = 1$ and $b_i^{(1)} \oplus b_i^{(2)} \ne \mathrm{null}$ (i.e., $y = y_i$), then $P_2$ sets its output to be $b_i^{(1)} \oplus b_i^{(2)}$ (and continues running the protocol).

Figure 2: Protocol for computing f.

3. If A sends abort to the trusted party computing ShareGen (signalling that $P_2$ should receive $\bot$ as output from ShareGen), then S sends $x_1$ to the trusted party computing f, outputs whatever A outputs, and halts. Otherwise (i.e., if A sends continue), S proceeds as below.

4. Let i (with $1 \le i \le m$) be the index such that $x' = x_i$ (such an i exists since $x' \in X$).

5. To simulate iteration j, for j < i, simulator S works as follows:
(a) S chooses $a_j^{(2)}$ such that $a_j^{(1)} \oplus a_j^{(2)} = \mathrm{null}$, and computes the tag $t_j^a = \mathrm{Mac}_{k_a}(j \| a_j^{(2)})$. Then S gives A the message $(a_j^{(2)}, t_j^a)$.
(b) S receives A's message $(\hat{b}_j^{(1)}, \hat{t}_j^b)$ in the j-th iteration:
i. If $\mathrm{Vrfy}_{k_b}(j \| \hat{b}_j^{(1)}, \hat{t}_j^b) = 0$ (or the message is invalid, or A aborts), then S sends $x_j$ to the trusted party computing f, outputs whatever A outputs, and halts.

ii. If $\mathrm{Vrfy}_{k_b}(i \| \hat b_i^{(1)}, \hat t_i^b) = 1$, then $\mathcal{S}$ proceeds to the next iteration.
6. To simulate iteration $i^*$, simulator $\mathcal{S}$ works as follows:
(a) $\mathcal{S}$ sends $x_{i^*}$ to the trusted party computing $f$, and receives back the output $z = f(x_{i^*}, y)$.
(b) $\mathcal{S}$ chooses $a_{i^*}^{(2)}$ such that $a_{i^*}^{(1)} \oplus a_{i^*}^{(2)} = z$, and computes the tag $t_{i^*}^a = \mathrm{Mac}_{k_a}(i^* \| a_{i^*}^{(2)})$. Then $\mathcal{S}$ gives $\mathcal{A}$ the message $(a_{i^*}^{(2)}, t_{i^*}^a)$.
(c) $\mathcal{S}$ receives $\mathcal{A}$'s message $(\hat b_{i^*}^{(1)}, \hat t_{i^*}^b)$. If $\mathrm{Vrfy}_{k_b}(i^* \| \hat b_{i^*}^{(1)}, \hat t_{i^*}^b) = 0$ (or the message is invalid, or $\mathcal{A}$ aborts), then $\mathcal{S}$ outputs whatever $\mathcal{A}$ outputs, and halts. If $\mathrm{Vrfy}_{k_b}(i^* \| \hat b_{i^*}^{(1)}, \hat t_{i^*}^b) = 1$, then $\mathcal{S}$ proceeds to the next iteration.
7. To simulate iteration $i$, for $i^* < i \le m$, simulator $\mathcal{S}$ works as follows:
(a) $\mathcal{S}$ chooses $a_i^{(2)}$ such that $a_i^{(1)} \oplus a_i^{(2)} = \mathrm{null}$, and computes the tag $t_i^a = \mathrm{Mac}_{k_a}(i \| a_i^{(2)})$. Then $\mathcal{S}$ gives $\mathcal{A}$ the message $(a_i^{(2)}, t_i^a)$.
(b) $\mathcal{S}$ receives $\mathcal{A}$'s message $(\hat b_i^{(1)}, \hat t_i^b)$. If $\mathrm{Vrfy}_{k_b}(i \| \hat b_i^{(1)}, \hat t_i^b) = 0$ (or the message is invalid, or $\mathcal{A}$ aborts), then $\mathcal{S}$ outputs whatever $\mathcal{A}$ outputs, and halts. If $\mathrm{Vrfy}_{k_b}(i \| \hat b_i^{(1)}, \hat t_i^b) = 1$, then $\mathcal{S}$ proceeds to the next iteration.
8. If $\mathcal{S}$ has not halted yet, at this point it halts and outputs whatever $\mathcal{A}$ outputs.

We analyze the simulator $\mathcal{S}$ described above. In what follows we assume that if $\mathrm{Vrfy}_{k_b}(i \| \hat b_i^{(1)}, \hat t_i^b) = 1$ then $\hat b_i^{(1)} = b_i^{(1)}$ (meaning that $\mathcal{A}$ sent the same share that it received). Under this assumption, we show that the distribution generated by $\mathcal{S}$ is identical to the distribution in a hybrid execution between $\mathcal{A}$ and an honest $P_2$. Since this assumption holds with all but negligible probability (by security of the information-theoretic MAC), this proves statistical closeness as stated in the claim.

Let $y$ denote the input of $P_2$. It is clear that the view of $\mathcal{A}$ in an execution with $\mathcal{S}$ is identical to the view of $\mathcal{A}$ in a hybrid execution with $P_2$; the only difference is that the initial shares given to $\mathcal{A}$ are generated by $\mathcal{S}$ without knowledge of $z = f(x_{i^*}, y)$, but since these shares are uniformly distributed the view of $\mathcal{A}$ is unaffected. Therefore, what is left to demonstrate is that the joint distribution of $\mathcal{A}$'s view and $P_2$'s output is identical in the hybrid world and the ideal world. We show this now by separately considering three different cases:
1. Case 1: $\mathcal{S}$ sends $x_1$ to the trusted party because $x \notin X$, or because $\mathcal{A}$ aborted the computation of ShareGen: In the hybrid world, $P_2$ would have received $\bot$ from ShareGen, and would have then output $f(x_1, y)$ as instructed by protocol $\Pi$. This is exactly what $P_2$ outputs in the ideal execution with $\mathcal{S}$ because, in this case, $\mathcal{S}$ sends $x_1$ to the trusted party computing $f$.
If Case 1 does not occur, let $x_{i^*}$ be defined as in the description of the simulator.
2. Case 2: $\mathcal{S}$ sends $x_i$ to the trusted party, for some $i < i^*$: This case occurs when $\mathcal{A}$ aborts the protocol in some iteration $i < i^*$ (either by refusing to send a message, sending an invalid message, or sending an incorrect share). There are two sub-cases depending on the value of $P_2$'s input $y$. Let $l$ be the index such that $y = y_l$. Then:
(a) If $l \ge i$ then, in the hybrid world, $P_2$ would not yet have determined its output (since it only determines its output once it receives a valid message from $P_1$ in iteration $l$). Thus, as instructed by the protocol, $P_2$ would output $f(x_i, y)$. This is exactly what $P_2$ outputs in the ideal world, because $\mathcal{S}$ sends $x_i$ to the trusted party in this case.

(b) If $l < i$ then, in the hybrid world, $P_2$ would have already determined its output $f(x, y) = f(x_{i^*}, y_l)$ in the $l$th iteration. In the ideal world, $P_2$ will output $f(x_i, y_l)$ since $\mathcal{S}$ sends $x_i$ to the trusted party. Since $i < i^*$ we have $l < i < i^*$ and so $f(x_i, y_l) = f(x_{i^*}, y_l) = 1$. Thus, $P_2$'s output $f(x, y)$ in the hybrid world is equal to its output $f(x_i, y)$ in the ideal execution with $\mathcal{S}$.
3. Case 3: $\mathcal{S}$ sends $x_{i^*}$ to the trusted party: Here, $P_2$ outputs $f(x_{i^*}, y)$ in the ideal execution. We show that this is identical to what $P_2$ would have output in the hybrid world. There are two sub-cases depending on $P_2$'s input $y$. Let $l$ be the index such that $y = y_l$. Then:
(a) If $l < i^*$, then $P_2$ would have already determined its output $f(x, y) = f(x_{i^*}, y)$ in the $l$th iteration. (The fact that we are in Case 3 means that $\mathcal{A}$ could not have sent an incorrect share prior to iteration $i^*$.)
(b) If $l \ge i^*$, then $P_2$ would not yet have determined its output. There are two sub-cases:
i. $\mathcal{A}$ sends correct shares in iterations $i = i^*, \ldots, l$ (inclusive). Then $P_2$ would determine its output as $b_l^{(1)} \oplus b_l^{(2)} = f(x, y) = f(x_{i^*}, y)$, exactly as in the ideal world.
ii. $\mathcal{A}$ sends an incorrect share in iteration $\zeta$, where $i^* \le \zeta \le l$. In this case, by the specification of the protocol, party $P_2$ would output $f(x_\zeta, y) = f(x_\zeta, y_l)$. However, since $\zeta \le l$ we have $f(x_\zeta, y_l) = 0 = f(x_{i^*}, y_l)$. Thus, $P_2$ outputs the same value in the hybrid and ideal executions.
This concludes the proof of the claim.

The following claim, dealing with a corrupted $P_2$, completes the proof of the theorem:

Claim 3 For every non-uniform, polynomial-time adversary $\mathcal{A}$ corrupting $P_2$ and running $\Pi$ in a hybrid model with access to an ideal functionality computing ShareGen (with abort), there exists a non-uniform, probabilistic polynomial-time adversary $\mathcal{S}$ corrupting $P_2$ and running in the ideal world with access to an ideal functionality computing $f$ (with complete fairness), such that
$$\Big\{\mathrm{ideal}_{f,\mathcal{S}(z)}(x, y, n)\Big\}_{(x,y) \in X_m \times Y_m,\, z \in \{0,1\}^*,\, n \in \mathbb{N}} \;\stackrel{s}{\equiv}\; \Big\{\mathrm{hybrid}^{\mathrm{ShareGen}}_{\Pi,\mathcal{A}(z)}(x, y, n)\Big\}_{(x,y) \in X_m \times Y_m,\, z \in \{0,1\}^*,\, n \in \mathbb{N}}.$$

Proof: Say $P_2$ is corrupted by $\mathcal{A}$. We construct a simulator $\mathcal{S}$ given black-box access to $\mathcal{A}$:
1. $\mathcal{S}$ invokes $\mathcal{A}$ on the input $y$, the auxiliary input $z$, and the security parameter $n$.
2. $\mathcal{S}$ receives the input $y$ of $\mathcal{A}$ to the computation of the functionality ShareGen.
(a) If $y \notin Y$ (this includes the case when $y = \bot$ since $\mathcal{A}$ aborts), then $\mathcal{S}$ hands $\bot$ to $\mathcal{A}$ as its output from the computation of ShareGen, sends $y_1$ to the trusted party computing $f$, outputs whatever $\mathcal{A}$ outputs, and halts.
(b) Otherwise, if the input is some $y \in Y$, then $\mathcal{S}$ chooses uniformly distributed shares $a_1^{(2)}, \ldots, a_m^{(2)}$ and $b_1^{(2)}, \ldots, b_m^{(2)}$. In addition, it generates keys $k_a, k_b \leftarrow \mathrm{Gen}(1^n)$ and computes $t_i^a = \mathrm{Mac}_{k_a}(i \| a_i^{(2)})$ for every $i$. Finally, it hands $\mathcal{A}$ the strings $b_1^{(2)}, \ldots, b_m^{(2)}$, $(a_1^{(2)}, t_1^a), \ldots, (a_m^{(2)}, t_m^a)$, and $k_b$ as its output from the computation of ShareGen.
3. If $\mathcal{A}$ sends abort to the trusted party computing ShareGen, then $\mathcal{S}$ sends $y_1$ to the trusted party computing $f$, outputs whatever $\mathcal{A}$ outputs, and halts. Otherwise (i.e., if $\mathcal{A}$ sends continue), $\mathcal{S}$ proceeds as below.

4. Let $i^*$ (with $1 \le i^* \le m$) be the index such that $y = y_{i^*}$ (such an $i^*$ exists since $y \in Y$).
5. To simulate iteration $i$, for $i < i^*$, simulator $\mathcal{S}$ works as follows:
(a) $\mathcal{S}$ receives $\mathcal{A}$'s message $(\hat a_i^{(2)}, \hat t_i^a)$ in the $i$th iteration:
i. If $\mathrm{Vrfy}_{k_a}(i \| \hat a_i^{(2)}, \hat t_i^a) = 0$ (or the message is invalid, or $\mathcal{A}$ aborts), then $\mathcal{S}$ sends $y_{i-1}$ to the trusted party computing $f$ (if $i = 1$, then $\mathcal{S}$ sends $y_1$), outputs whatever $\mathcal{A}$ outputs, and halts.
ii. If $\mathrm{Vrfy}_{k_a}(i \| \hat a_i^{(2)}, \hat t_i^a) = 1$, then $\mathcal{S}$ proceeds.
(b) Choose $b_i^{(1)}$ such that $b_i^{(1)} \oplus b_i^{(2)} = \mathrm{null}$, and compute the tag $t_i^b = \mathrm{Mac}_{k_b}(i \| b_i^{(1)})$. Then give to $\mathcal{A}$ the message $(b_i^{(1)}, t_i^b)$.
6. To simulate iteration $i^*$, simulator $\mathcal{S}$ works as follows:
(a) $\mathcal{S}$ receives $\mathcal{A}$'s message $(\hat a_{i^*}^{(2)}, \hat t_{i^*}^a)$.
i. If $\mathrm{Vrfy}_{k_a}(i^* \| \hat a_{i^*}^{(2)}, \hat t_{i^*}^a) = 0$ (or the message is invalid, or $\mathcal{A}$ aborts), then $\mathcal{S}$ sends $y_{i^*-1}$ to the trusted party computing $f$ (if $i^* = 1$ then $\mathcal{S}$ sends $y_1$), outputs whatever $\mathcal{A}$ outputs, and halts.
ii. If $\mathrm{Vrfy}_{k_a}(i^* \| \hat a_{i^*}^{(2)}, \hat t_{i^*}^a) = 1$, then $\mathcal{S}$ sends $y_{i^*}$ to the trusted party computing $f$, receives the output $z = f(x, y_{i^*})$, and proceeds.
(b) Choose $b_{i^*}^{(1)}$ such that $b_{i^*}^{(1)} \oplus b_{i^*}^{(2)} = z$, and compute the tag $t_{i^*}^b = \mathrm{Mac}_{k_b}(i^* \| b_{i^*}^{(1)})$. Then give to $\mathcal{A}$ the message $(b_{i^*}^{(1)}, t_{i^*}^b)$.
7. To simulate iteration $i$, for $i^* < i \le m$, simulator $\mathcal{S}$ works as follows:
(a) $\mathcal{S}$ receives $\mathcal{A}$'s message $(\hat a_i^{(2)}, \hat t_i^a)$. If $\mathrm{Vrfy}_{k_a}(i \| \hat a_i^{(2)}, \hat t_i^a) = 0$ (or the message is invalid, or $\mathcal{A}$ aborts), then $\mathcal{S}$ outputs whatever $\mathcal{A}$ outputs, and halts. If $\mathrm{Vrfy}_{k_a}(i \| \hat a_i^{(2)}, \hat t_i^a) = 1$, then $\mathcal{S}$ proceeds.
(b) Choose $b_i^{(1)}$ such that $b_i^{(1)} \oplus b_i^{(2)} = \mathrm{null}$, and compute the tag $t_i^b = \mathrm{Mac}_{k_b}(i \| b_i^{(1)})$. Then give to $\mathcal{A}$ the message $(b_i^{(1)}, t_i^b)$.
8. If $\mathcal{S}$ has not halted yet, at this point it halts and outputs whatever $\mathcal{A}$ outputs.

As in the proof of the previous claim, we assume in what follows that if $\mathrm{Vrfy}_{k_a}(i \| \hat a_i^{(2)}, \hat t_i^a) = 1$ then $\hat a_i^{(2)} = a_i^{(2)}$ (meaning that $\mathcal{A}$ sent $P_1$ the same share that it received). Under this assumption, we show that the distribution generated by $\mathcal{S}$ is identical to the distribution in a hybrid execution between $\mathcal{A}$ and an honest $P_1$. Since this assumption holds with all but negligible probability (by security of the MAC), this proves statistical closeness as stated in the claim.

Let $x$ denote the input of $P_1$. Again, it is clear that the view of $\mathcal{A}$ in an execution with $\mathcal{S}$ is identical to the view of $\mathcal{A}$ in a hybrid execution with $P_1$. What is left to demonstrate is that the joint distribution of $\mathcal{A}$'s view and $P_1$'s output is identical. We show this by considering four different cases:

1. Case 1: $\mathcal{S}$ sends $y_1$ to the trusted party because $y \notin Y$, or because $\mathcal{A}$ aborted the computation of ShareGen: In such a case, the protocol instructs $P_1$ to output $f(x, y_1)$, exactly what $P_1$ outputs in the ideal world.
2. Case 2: $\mathcal{S}$ sends $y_1$ to the trusted party because $\mathcal{A}$ sends an incorrect share in the first iteration: In this case, the simulator sends $y_1$ to the trusted party computing $f$, and so the output of $P_1$ in the ideal world is $f(x, y_1)$. In the hybrid world, $P_1$ will also output $f(x, y_1)$ as instructed by the protocol.
If Cases 1 and 2 do not occur, let $y_{i^*}$ be defined as in the description of the simulator.
3. Case 3: $\mathcal{S}$ sends $y_{i-1}$ to the trusted party, for some $1 \le i-1 < i^*$, because $\mathcal{A}$ sends an incorrect share in the $i$th iteration: The output of $P_1$ in the ideal world is $f(x, y_{i-1})$. There are two sub-cases here, depending on the value of $P_1$'s input $x$. Let $l$ be the index such that $x = x_l$. Then:
(a) If $l < i$ then, in the hybrid world, $P_1$ would have already determined its output $f(x, y_{i^*}) = f(x_l, y_{i^*})$. But since $l \le i-1 < i^*$ we have $f(x_l, y_{i^*}) = 0 = f(x_l, y_{i-1})$, and so $P_1$'s output is identical in both the hybrid and ideal worlds.
(b) If $l \ge i$ then, in the hybrid world, $P_1$ would not yet have determined its output. Therefore, as instructed by the protocol, $P_1$ will output $f(x, y_{i-1})$ in the hybrid world, which is exactly what it outputs in the ideal execution with $\mathcal{S}$.
4. Case 4: $\mathcal{S}$ sends $y_{i^*}$ to the trusted party: This case occurs when $\mathcal{A}$ sends correct shares up through and including iteration $i^*$. The output of $P_1$ in the ideal world is $f(x, y_{i^*})$. There are again two sub-cases here, depending on the value of $P_1$'s input $x$. Let $l$ be the index such that $x = x_l$. Then:
(a) If $l \le i^*$, then $P_1$ would have already determined its output $f(x, y_{i^*}) = f(x_l, y_{i^*})$ in the $l$th iteration. This matches what $P_1$ outputs in the ideal execution with $\mathcal{S}$.
(b) If $l > i^*$, then $P_1$ would not yet have determined its output. There are two sub-cases:
i. $\mathcal{A}$ sends correct shares in iterations $i = i^*+1, \ldots, l$ (inclusive). This implies that, in the hybrid world, $P_1$ would determine its output to be $a_l^{(1)} \oplus a_l^{(2)} = f(x, y) = f(x, y_{i^*})$, exactly as in the ideal execution.
ii. $\mathcal{A}$ sends an incorrect share in iteration $\zeta$, where $i^* < \zeta \le l$. In this case, by the specification of the protocol, party $P_1$ would output $f(x, y_{\zeta-1}) = f(x_l, y_{\zeta-1})$ in the hybrid world. But since $\zeta - 1 < l$ we have $f(x_l, y_{\zeta-1}) = 1 = f(x_l, y_{i^*})$, and so $P_1$'s output is identical in both the hybrid and ideal worlds.
This completes the proof of the claim.

The preceding claims along with Proposition 1 imply the theorem.

3.2 Handling any Function without an Embedded XOR

The protocol in the previous section, as described, applies only to the greater-than function on two equal-size domains $X$ and $Y$. For the case of the greater-than function with $|X| = |Y| + 1$, the same protocol (with one small change) still works. Specifically, let $X = \{x_1, \ldots, x_{m+1}\}$ and

$Y = \{y_1, \ldots, y_m\}$ with $f$ still defined as in Equation (1). Modify the protocol of Figure 2 so that if the end of the protocol is reached and $P_1$ holds input $x_{m+1}$, then $P_1$ outputs 1. Then the same proof as in the previous section shows that this protocol is also completely fair. (Adapting Claim 3 is immediate: the view of a malicious $P_2$ is simulated in the same way; as for the output of the honest $P_1$, the case when $P_1$ holds input $x = x_i$ with $i < m+1$ is analyzed identically, and when $x = x_{m+1}$ then $P_1$ outputs 1 no matter what in both the hybrid and ideal worlds. Adapting Claim 2 requires only a little thought to verify that the analysis in Case 2(b) still holds when $i^* = m+1$.)

We now show that the protocol can be applied to any function defined over polynomial-size domains that does not contain an embedded XOR. This is because any such function can be converted to the greater-than function as we now describe. Let $g : X \times Y \to \{0,1\}$ be a function that does not contain an embedded XOR, and let $X = \{x_1, \ldots, x_{m_1}\}$ and $Y = \{y_1, \ldots, y_{m_2}\}$. It will be convenient to picture $g$ as an $m_1 \times m_2$ matrix, where entry $(i, j)$ contains the value $g(x_i, y_j)$. Similarly, we can view any matrix as a function. We will apply a sequence of transformations to $g$ that will result in a functionally equivalent function $g'$, where by functionally equivalent we mean that $g$ can be computed with perfect security (and complete fairness) in the $g'$-hybrid model (where $g'$ is computed by a trusted party with complete fairness). It follows that a secure and completely fair protocol for computing $g'$ yields a secure and completely fair protocol for computing $g$. The transformations are as follows:
1. First, remove any duplicate rows or columns in $g$. (E.g., if there exist $i$ and $j$ such that $g(x_i, y) = g(x_j, y)$ for all $y \in Y$, then remove either row $i$ or row $j$.) Denote the resulting function by $g'$, and say that $g'$ (viewed as a matrix) has dimension $m'_1 \times m'_2$. It is clear that $g'$ is functionally equivalent to $g$.
2. We observe that no two rows (resp., columns) of $g'$ have the same Hamming weight. To see this, notice that two non-identical rows (resp., columns) with the same Hamming weight would imply the existence of an embedded XOR in $g'$, and hence an embedded XOR in $g$. Since the maximum Hamming weight of any row is $m'_2$, this implies that $m'_1 \le m'_2 + 1$. Applying the same argument to the columns shows that $m'_2 \le m'_1 + 1$, and so the number of rows is within 1 of the number of columns. Assume $m'_1 \ge m'_2$; if not, we may simply take the transpose of $g'$ (which just has the effect of swapping the roles of the parties).
3. Order the rows of $g'$ in increasing order according to their Hamming weight. Order the columns in the same way. Once again this results in a function $g''$ that is functionally equivalent to $g'$ (and hence to $g$).
All the above transformations are efficiently computable since we are assuming that the initial domains $X$ and $Y$ are of polynomial size. Given $g''$ resulting from the above transformations, there are now three possibilities (recall we assume that the number of rows is at least the number of columns):
1. Case 1: $m'_1 = m'_2 + 1$. In this case the first row of $g''$ is an all-0 row and the last row is an all-1 row, and we exactly have an instance of the greater-than function with $|X| = |Y| + 1$.
2. Case 2: $m'_1 = m'_2$ and the first row of $g''$ is an all-0 row. Then we again have an instance of the greater-than function, except now with equal-size domains.

3. Case 3: $m'_1 = m'_2$ and the first row of $g''$ is not an all-0 row. In this case, the last row of $g''$ must be an all-1 row. Taking the complement of every bit in the matrix (and then re-ordering the rows and columns accordingly) gives a function that is still functionally equivalent to $g$ and is exactly an instance of the greater-than function on equal-size domains.
We have thus proved:

Theorem 3.2 Let $f$ be a two-input function defined over polynomial-size domains that does not contain an embedded XOR. Then, assuming the existence of general secure two-party computation with abort, there exists a protocol for securely computing $f$ with complete fairness.

The assumption in the theorem is minimal, since the existence of even a secure-with-abort protocol for computing boolean OR implies the existence of oblivious transfer [24], which in turn suffices for constructing a secure-with-abort protocol for any polynomial-time functionality [23].

4 Fair Computation of Functions with an Embedded XOR

Recall that Cleve's result showing impossibility of completely fair coin tossing implies the impossibility of completely fair computation of boolean XOR. (More generally, it implies the impossibility of completely fair computation of any function $f$ that enables coin tossing: i.e., any $f$ such that a completely fair implementation of $f$ suffices for coin tossing.) Given this, along with the fact that our result in the previous section applies only to functions that do not contain an embedded XOR, it is tempting to conjecture that no function containing an embedded XOR can be computed with complete fairness. In this section, we show that this is not the case and that there exist functions with an embedded XOR that can be computed with complete fairness. Interestingly, however, such functions appear to be more difficult to compute with complete fairness; specifically, we refer the reader to Section 5 where we prove a lower bound of $\omega(\log n)$ on the round complexity of any protocol for completely fair computation of any function having an embedded XOR.
(Note that, in general, the $\omega(\log n)$ round-complexity bound just mentioned is incomparable to the result of the previous section, where the round complexity was linear in the domain size.)

It will be instructive to see why Cleve's impossibility result does not immediately rule out complete fairness for all functions containing an embedded XOR. Consider the following function $f$ (which is the example for which we will later prove feasibility):

        y_1   y_2
x_1      0     1
x_2      1     0
x_3      1     1

If the parties could be forced to choose their inputs from $\{x_1, x_2\}$ and $\{y_1, y_2\}$, respectively, then it would be easy to generate a fair coin toss from any secure computation of $f$ (with complete fairness) by simply instructing both parties to choose their inputs uniformly from the stated domains. (This results in a fair coin toss since the output is uniform as long as either party chooses their input at random.) Unfortunately, a protocol for securely computing $f$ does not restrict the first party to choosing its input in $\{x_1, x_2\}$, and cannot prevent that party from choosing input $x_3$ and thus biasing the result toward 1 with certainty. (Naive solutions such as requiring the first party to provide a zero-knowledge proof that it chose its input in $\{x_1, x_2\}$ do not work either, since we still

need a way for, e.g., the second party to decide on their output in case the zero-knowledge proof of the first party fails.) Of course, this only shows that Cleve's impossibility result does not apply but does not prove that a completely fair protocol for computing $f$ exists.

4.1 The Protocol

Preliminaries. In this section we present a generic protocol for computing a boolean function $F = \{f_n : X_n \times Y_n \to \{0,1\}\}$. (For convenience, we write $X$ and $Y$ and drop the explicit dependence on $n$ in what follows.) The protocol is parameterized by a function $\alpha = \alpha(n)$, and the number of rounds is set to $m = \omega(\alpha^{-1} \log n)$ in order for correctness to hold with all but negligible probability. (We thus must have $\alpha$ noticeable to ensure that the number of rounds is polynomial in $n$.) We do not claim that the protocol is completely fair for arbitrary functions $F$ and arbitrary settings of $\alpha$. Rather, we claim that for some functions $F$ there exists a corresponding $\alpha$ for which the protocol is completely fair. In Section 4.2, we prove this for one specific function that contains an embedded XOR. In Appendix A we generalize the proof and show that the protocol can be used for completely fair computation of other functions as well.

Overview and intuition. As in the protocol of the previous section, the parties begin by running a preliminary phase during which values $a_1, b_1, \ldots, a_m, b_m$ are generated based on the parties' respective inputs $x$ and $y$, and shares of the $\{a_i, b_i\}$ are distributed to each of the parties. (As before, this phase will be carried out using a standard protocol for secure two-party computation, where one party can abort the execution and prevent the other party from receiving any output.) As in the previous protocol, following the preliminary phase the parties exchange their shares one-by-one in a sequence of $m$ iterations, with $P_1$ reconstructing $a_i$ and $P_2$ reconstructing $b_i$ in iteration $i$. At the end of the protocol, $P_1$ outputs $a_m$ and $P_2$ outputs $b_m$. If a party (say, $P_1$) ever aborts, then the other party ($P_2$ in this case) outputs the last value it successfully reconstructed; i.e., if $P_1$ aborts before sending its iteration-$i$ message, $P_2$ outputs $b_{i-1}$. (This assumes $i > 1$. See the formal description of the protocol for further details.)

In contrast to our earlier protocol, however, the values $a_1, b_1, \ldots, a_m, b_m$ are now generated probabilistically in the following way: first, a value $i^* \in \{1, \ldots, m\}$ is chosen according to a geometric distribution with parameter $\alpha$ (see below), in a way such that neither party learns the value of $i^*$. For $i < i^*$, the value $a_i$ (resp., $b_i$) is chosen in a manner that is independent of $P_2$'s (resp., $P_1$'s) input; specifically, we set $a_i = f(x, \hat y)$ for randomly chosen $\hat y \in Y$ (and analogously for $b_i$). For all $i \ge i^*$, the values $a_i$ and $b_i$ are set equal to $f(x, y)$. Note that if $m = \omega(\alpha^{-1} \log n)$, we have $a_m = b_m = f(x, y)$ with all but negligible probability and so correctness holds. (The protocol could also be modified so that $a_m = b_m = f(x, y)$ with probability 1, thus giving perfect correctness. But the analysis is easier without this modification.)

Fairness is more difficult to see and, of course, cannot hold for all functions $f$ since some functions cannot be computed fairly. But as intuition for why the protocol achieves fairness for certain functions, we observe that: (1) if a malicious party (say, $P_1$) aborts in some iteration $i < i^*$, then $P_1$ has not yet obtained any information about $P_2$'s input and so fairness is trivially achieved. On the other hand, (2) if $P_1$ aborts in some iteration $i > i^*$ then both $P_1$ and $P_2$ have received the correct output $f(x, y)$ and fairness is obtained. The worst case, then, occurs when $P_1$ aborts exactly in iteration $i^*$, as $P_1$ has then learned the correct value of $f(x, y)$ while $P_2$ has not. However, $P_1$ cannot identify iteration $i^*$ with certainty, even if it knows the other party's input $y$! This is because $P_1$ can randomly receive the correct output value even in rounds $i < i^*$. Although the

adversary may happen to guess correctly, the fact that it can never be sure whether its guess is correct is what allows us to prove fairness. (Recall, we define fairness via indistinguishability from an ideal world in which fairness is guaranteed. This intuition provides a way of understanding what is going on, but the formal proof does not exactly follow this intuition.)

ShareGen
Inputs: Let the inputs to ShareGen be $x \in X$ and $y \in Y$. (If one of the received inputs is not in the correct domain, then both parties are given output $\bot$.) The security parameter is $n$.
Computation:
1. Define values $a_1, \ldots, a_m$ and $b_1, \ldots, b_m$ in the following way:
Choose $i^*$ according to a geometric distribution with parameter $\alpha$ (see text).
For $i = 1$ to $i^* - 1$ do: Choose $\hat y \leftarrow Y$ and set $a_i = f(x, \hat y)$. Choose $\hat x \leftarrow X$ and set $b_i = f(\hat x, y)$.
For $i = i^*$ to $m$, set $a_i = b_i = f(x, y)$.
2. For $1 \le i \le m$, choose $(a_i^{(1)}, a_i^{(2)})$ and $(b_i^{(1)}, b_i^{(2)})$ as random secret sharings of $a_i$ and $b_i$, respectively. (E.g., $a_i^{(1)}$ is random and $a_i^{(1)} \oplus a_i^{(2)} = a_i$.)
3. Compute $k_a, k_b \leftarrow \mathrm{Gen}(1^n)$. For $1 \le i \le m$, let $t_i^a = \mathrm{Mac}_{k_a}(i \| a_i^{(2)})$ and $t_i^b = \mathrm{Mac}_{k_b}(i \| b_i^{(1)})$.
Output:
1. Send to $P_1$ the values $a_1^{(1)}, \ldots, a_m^{(1)}$ and $(b_1^{(1)}, t_1^b), \ldots, (b_m^{(1)}, t_m^b)$, and the MAC-key $k_a$.
2. Send to $P_2$ the values $(a_1^{(2)}, t_1^a), \ldots, (a_m^{(2)}, t_m^a)$ and $b_1^{(2)}, \ldots, b_m^{(2)}$, and the MAC-key $k_b$.
Figure 3: Functionality ShareGen, parameterized by a value $\alpha$.

Formal description of the protocol. The protocol is parameterized by a value $\alpha = \alpha(n)$ which is assumed to be noticeable. Let $m = \omega(\alpha^{-1} \log n)$. As in the previous section, we use an $m$-time MAC with information-theoretic security. We also rely on a sub-protocol $\pi$ computing a functionality ShareGen that generates shares (and associated MAC tags) for the parties; see Figure 3. (As before, $\pi$ securely computes ShareGen with abort.) We continue to let $a_1^{(1)}, b_1^{(1)}, a_2^{(1)}, b_2^{(1)}, \ldots$ denote the shares obtained by $P_1$, and let $a_1^{(2)}, b_1^{(2)}, a_2^{(2)}, b_2^{(2)}, \ldots$ denote the shares obtained by $P_2$.

Functionality ShareGen generates a value $i^*$ according to a geometric distribution with parameter $\alpha$. This is the probability distribution on $\mathbb{N} = \{1, 2, \ldots\}$ given by repeating a Bernoulli trial (with parameter $\alpha$) until the first success. In other words, $i^*$ is determined by tossing a biased coin (that is heads with probability $\alpha$) until the first head appears, and letting $i^*$ be the number of tosses performed. Note that neither party learns the value of $i^*$. We use a geometric distribution for $i^*$ because it has the following useful property: for any $i$, the probability that $i^* = i$ conditioned on the event that $i^* \ge i$ is independent of $i$ (namely, $\Pr[i^* = i \mid i^* \ge i] = \alpha$). We remark that, as far as ShareGen is concerned, if $i^* > m$ then the exact value of $i^*$ is unimportant, and so ShareGen can be implemented in strict (rather than expected) polynomial time. In any case, our choice of $m$ ensures that $i^* \le m$ with all but negligible probability.

Our second protocol calls ShareGen as a subroutine and then has the parties exchange their shares as in our first protocol. As discussed above, aborts are handled differently here in that a party also outputs the last value it reconstructed if the other party aborts. A formal description

of the protocol is given in Figure 4.

Protocol 2
Inputs: Party $P_1$ has input $x$ and party $P_2$ has input $y$. The security parameter is $n$.
The protocol:
1. Preliminary phase:
(a) $P_1$ chooses $\hat y \in Y$ uniformly at random, and sets $a_0 = f(x, \hat y)$. Similarly, $P_2$ chooses $\hat x \in X$ uniformly at random, and sets $b_0 = f(\hat x, y)$.
(b) Parties $P_1$ and $P_2$ run protocol $\pi$ for computing ShareGen, using their respective inputs $x$ and $y$, and security parameter $n$.
(c) If $P_1$ receives $\bot$ from the above computation, it outputs $a_0$ and halts. Likewise, if $P_2$ receives $\bot$ then it outputs $b_0$ and halts. Otherwise, the parties proceed to the next step.
(d) Denote the output of $P_1$ from $\pi$ by $a_1^{(1)}, \ldots, a_m^{(1)}$, $(b_1^{(1)}, t_1^b), \ldots, (b_m^{(1)}, t_m^b)$, and $k_a$.
(e) Denote the output of $P_2$ from $\pi$ by $(a_1^{(2)}, t_1^a), \ldots, (a_m^{(2)}, t_m^a)$, $b_1^{(2)}, \ldots, b_m^{(2)}$, and $k_b$.
2. For $i = 1, \ldots, m$ do:
$P_2$ sends the next share to $P_1$:
(a) $P_2$ sends $(a_i^{(2)}, t_i^a)$ to $P_1$.
(b) $P_1$ receives $(a_i^{(2)}, t_i^a)$ from $P_2$. If $\mathrm{Vrfy}_{k_a}(i \| a_i^{(2)}, t_i^a) = 0$ (or if $P_1$ received an invalid message, or no message), then $P_1$ outputs $a_{i-1}$ and halts.
(c) If $\mathrm{Vrfy}_{k_a}(i \| a_i^{(2)}, t_i^a) = 1$, then $P_1$ sets $a_i = a_i^{(1)} \oplus a_i^{(2)}$ (and continues running the protocol).
$P_1$ sends the next share to $P_2$:
(a) $P_1$ sends $(b_i^{(1)}, t_i^b)$ to $P_2$.
(b) $P_2$ receives $(b_i^{(1)}, t_i^b)$ from $P_1$. If $\mathrm{Vrfy}_{k_b}(i \| b_i^{(1)}, t_i^b) = 0$ (or if $P_2$ received an invalid message, or no message), then $P_2$ outputs $b_{i-1}$ and halts.
(c) If $\mathrm{Vrfy}_{k_b}(i \| b_i^{(1)}, t_i^b) = 1$, then $P_2$ sets $b_i = b_i^{(1)} \oplus b_i^{(2)}$ (and continues running the protocol).
3. If all $m$ iterations have been run, party $P_1$ outputs $a_m$ and party $P_2$ outputs $b_m$.
Figure 4: Generic protocol for computing a function $f$.

4.2 Proof of Security for a Particular Function

Protocol 2 cannot guarantee complete fairness for all functions $f$. Rather, what we claim is that for certain functions $f$ and particular associated values of $\alpha$, the protocol provides complete fairness.
In this section, we prove security for the following function $f$:

        y_1   y_2
x_1      0     1
x_2      1     0
x_3      1     1

This function has an embedded XOR, and is defined over a finite domain so that $X_n = X = \{x_1, x_2, x_3\}$ and $Y_n = Y = \{y_1, y_2\}$. For this $f$, we set $\alpha = 1/5$ in Protocol 2.
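A runnable model of ShareGen (Figure 3) and Protocol 2 (Figure 4) for this $f$ with $\alpha = 1/5$, as an added example that is not code from the paper. It assumes HMAC-SHA256 in place of the information-theoretic $m$-time MAC the paper uses, it uses $m = 40$ rounds as a concrete stand-in for $m = \omega(\alpha^{-1} \log n)$, and the misbehaviour switches (`p1_abort_at`, `p2_abort_at`, `p2_tamper_at`), the table `TABLE` and the function names are constructed for this example. The run shows the abort rule of Section 4.1 in action: a party that stops receiving valid messages in iteration $i$ outputs the last value it reconstructed ($a_{i-1}$ or $b_{i-1}$), so an abort at $i > i^*$ leaves the honest party with $f(x,y)$, while `conditional_rate` checks empirically that $\Pr[i^* = i \mid i^* \ge i] = \alpha$ for the geometric choice of $i^*$.

```python
import hashlib
import hmac
import os
import random

# The function f of Section 4.2, transcribed from the table above (constructed
# inputs): X = {x1, x2, x3}, Y = {y1, y2}; rows x1 and x2 form the embedded XOR.
X = ("x1", "x2", "x3")
Y = ("y1", "y2")
TABLE = {"x1": (0, 1), "x2": (1, 0), "x3": (1, 1)}

def f(x, y):
    return TABLE[x][Y.index(y)]

# The paper uses an m-time information-theoretic MAC; HMAC-SHA256 stands in here
# (an assumption of this example). The tag covers i||share, so a share accepted
# in one iteration cannot be replayed in another.
def mac(key, i, share):
    return hmac.new(key, bytes([i, share]), hashlib.sha256).digest()

def vrfy(key, i, share, tag):
    return hmac.compare_digest(mac(key, i, share), tag)

def geometric(alpha, rng):
    """Number of Bernoulli(alpha) trials up to and including the first success."""
    i = 1
    while rng.random() >= alpha:
        i += 1
    return i

def share_gen(x, y, alpha, m, rng):
    """Trusted ShareGen of Figure 3: returns P1's output, P2's output and i_star."""
    i_star = geometric(alpha, rng)
    a = [f(x, rng.choice(Y)) if i < i_star else f(x, y) for i in range(1, m + 1)]
    b = [f(rng.choice(X), y) if i < i_star else f(x, y) for i in range(1, m + 1)]
    a1 = [rng.randrange(2) for _ in a]          # random XOR sharings
    a2 = [v ^ s for v, s in zip(a, a1)]
    b1 = [rng.randrange(2) for _ in b]
    b2 = [v ^ s for v, s in zip(b, b1)]
    ka, kb = os.urandom(32), os.urandom(32)
    ta = [mac(ka, i + 1, a2[i]) for i in range(m)]   # tags on the shares P2 will send
    tb = [mac(kb, i + 1, b1[i]) for i in range(m)]   # tags on the shares P1 will send
    return ({"a1": a1, "b1": b1, "tb": tb, "ka": ka},
            {"a2": a2, "b2": b2, "ta": ta, "kb": kb}, i_star)

def run_protocol2(x, y, alpha=1 / 5, m=40, p1_abort_at=None, p2_abort_at=None,
                  p2_tamper_at=None, seed=None):
    """Protocol 2 of Figure 4 with hypothetical misbehaviour switches:
    p1_abort_at=i: P1 withholds its iteration-i message (after reconstructing a_i);
    p2_abort_at=i: P2 withholds its iteration-i message (0 = abort inside ShareGen);
    p2_tamper_at=i: P2 sends a flipped share under the original tag.
    Returns the value each party holds when the run ends, plus i_star."""
    rng = random.Random(seed)
    a_prev = f(x, rng.choice(Y))   # a_0: depends on x only
    b_prev = f(rng.choice(X), y)   # b_0: depends on y only
    if p2_abort_at == 0:           # P1 receives bottom from the ShareGen sub-protocol
        return {"out1": a_prev, "out2": b_prev, "i_star": None}
    p1, p2, i_star = share_gen(x, y, alpha, m, rng)
    for i in range(1, m + 1):
        # P2 -> P1: (a_i^(2), t_i^a); on any failure P1 outputs a_{i-1}
        if p2_abort_at == i:
            return {"out1": a_prev, "out2": b_prev, "i_star": i_star}
        share, tag = p2["a2"][i - 1], p2["ta"][i - 1]
        if p2_tamper_at == i:
            share ^= 1
        if not vrfy(p1["ka"], i, share, tag):
            return {"out1": a_prev, "out2": b_prev, "i_star": i_star}
        a_i = p1["a1"][i - 1] ^ share
        # P1 -> P2: (b_i^(1), t_i^b); on any failure P2 outputs b_{i-1}
        if p1_abort_at == i:
            return {"out1": a_i, "out2": b_prev, "i_star": i_star}
        share, tag = p1["b1"][i - 1], p1["tb"][i - 1]
        if not vrfy(p2["kb"], i, share, tag):
            return {"out1": a_i, "out2": b_prev, "i_star": i_star}
        b_i = p2["b2"][i - 1] ^ share
        a_prev, b_prev = a_i, b_i
    return {"out1": a_prev, "out2": b_prev, "i_star": i_star}

def conditional_rate(alpha, i, trials, seed=0):
    """Empirical Pr[i* = i | i* >= i]; the memoryless property makes this alpha for every i."""
    rng = random.Random(seed)
    hits = at_least = 0
    for _ in range(trials):
        v = geometric(alpha, rng)
        if v >= i:
            at_least += 1
            hits += v == i
    return hits / at_least
```

Input $x_3$ is useful for checking the model because $f(x_3, \cdot) = 1$ regardless of $P_2$'s input, so every $a_i$ equals 1 whatever $i^*$ is; for $x_1$ or $x_2$ the value $P_2$ is left with after a $P_1$ abort at iteration $i$ equals $f(x,y)$ exactly when $i - 1 \ge i^*$, which is the case analysis behind the intuition paragraph.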


More information

From Selective to Full Security: Semi-Generic Transformations in the Standard Model

From Selective to Full Security: Semi-Generic Transformations in the Standard Model An extended abstract of ths work appears n the proceedngs of PKC 2012 From Selectve to Full Securty: Sem-Generc Transformatons n the Standard Model Mchel Abdalla 1 Daro Fore 2 Vadm Lyubashevsky 1 1 Département

More information

Proactive Secret Sharing Or: How to Cope With Perpetual Leakage

Proactive Secret Sharing Or: How to Cope With Perpetual Leakage Proactve Secret Sharng Or: How to Cope Wth Perpetual Leakage Paper by Amr Herzberg Stanslaw Jareck Hugo Krawczyk Mot Yung Presentaton by Davd Zage What s Secret Sharng Basc Idea ((2, 2)-threshold scheme):

More information

PSYCHOLOGICAL RESEARCH (PYC 304-C) Lecture 12

PSYCHOLOGICAL RESEARCH (PYC 304-C) Lecture 12 14 The Ch-squared dstrbuton PSYCHOLOGICAL RESEARCH (PYC 304-C) Lecture 1 If a normal varable X, havng mean µ and varance σ, s standardsed, the new varable Z has a mean 0 and varance 1. When ths standardsed

More information

Practical and Secure Solutions for Integer Comparison

Practical and Secure Solutions for Integer Comparison In Publc Key Cryptography PKC 07, Vol. 4450 of Lecture Notes n Computer Scence, Sprnger-Verlag, 2007. pp. 330-342. Practcal and Secure Solutons for Integer Comparson Juan Garay 1, erry Schoenmakers 2,

More information

DEFINING %COMPLETE IN MICROSOFT PROJECT

DEFINING %COMPLETE IN MICROSOFT PROJECT CelersSystems DEFINING %COMPLETE IN MICROSOFT PROJECT PREPARED BY James E Aksel, PMP, PMI-SP, MVP For Addtonal Informaton about Earned Value Management Systems and reportng, please contact: CelersSystems,

More information

General Auction Mechanism for Search Advertising

General Auction Mechanism for Search Advertising General Aucton Mechansm for Search Advertsng Gagan Aggarwal S. Muthukrshnan Dávd Pál Martn Pál Keywords game theory, onlne auctons, stable matchngs ABSTRACT Internet search advertsng s often sold by an

More information

Loop Parallelization

Loop Parallelization - - Loop Parallelzaton C-52 Complaton steps: nested loops operatng on arrays, sequentell executon of teraton space DECLARE B[..,..+] FOR I :=.. FOR J :=.. I B[I,J] := B[I-,J]+B[I-,J-] ED FOR ED FOR analyze

More information

2.4 Bivariate distributions

2.4 Bivariate distributions page 28 2.4 Bvarate dstrbutons 2.4.1 Defntons Let X and Y be dscrete r.v.s defned on the same probablty space (S, F, P). Instead of treatng them separately, t s often necessary to thnk of them actng together

More information

BERNSTEIN POLYNOMIALS

BERNSTEIN POLYNOMIALS On-Lne Geometrc Modelng Notes BERNSTEIN POLYNOMIALS Kenneth I. Joy Vsualzaton and Graphcs Research Group Department of Computer Scence Unversty of Calforna, Davs Overvew Polynomals are ncredbly useful

More information

THE DISTRIBUTION OF LOAN PORTFOLIO VALUE * Oldrich Alfons Vasicek

THE DISTRIBUTION OF LOAN PORTFOLIO VALUE * Oldrich Alfons Vasicek HE DISRIBUION OF LOAN PORFOLIO VALUE * Oldrch Alfons Vascek he amount of captal necessary to support a portfolo of debt securtes depends on the probablty dstrbuton of the portfolo loss. Consder a portfolo

More information

An Interest-Oriented Network Evolution Mechanism for Online Communities

An Interest-Oriented Network Evolution Mechanism for Online Communities An Interest-Orented Network Evoluton Mechansm for Onlne Communtes Cahong Sun and Xaopng Yang School of Informaton, Renmn Unversty of Chna, Bejng 100872, P.R. Chna {chsun,yang}@ruc.edu.cn Abstract. Onlne

More information

Riposte: An Anonymous Messaging System Handling Millions of Users

Riposte: An Anonymous Messaging System Handling Millions of Users Rposte: An Anonymous Messagng System Handlng Mllons of Users Henry Corrgan-Gbbs, Dan Boneh, and Davd Mazères Stanford Unversty Abstract Ths paper presents Rposte, a new system for anonymous broadcast messagng.

More information

Minimal Coding Network With Combinatorial Structure For Instantaneous Recovery From Edge Failures

Minimal Coding Network With Combinatorial Structure For Instantaneous Recovery From Edge Failures Mnmal Codng Network Wth Combnatoral Structure For Instantaneous Recovery From Edge Falures Ashly Joseph 1, Mr.M.Sadsh Sendl 2, Dr.S.Karthk 3 1 Fnal Year ME CSE Student Department of Computer Scence Engneerng

More information

The Greedy Method. Introduction. 0/1 Knapsack Problem

The Greedy Method. Introduction. 0/1 Knapsack Problem The Greedy Method Introducton We have completed data structures. We now are gong to look at algorthm desgn methods. Often we are lookng at optmzaton problems whose performance s exponental. For an optmzaton

More information

The OC Curve of Attribute Acceptance Plans

The OC Curve of Attribute Acceptance Plans The OC Curve of Attrbute Acceptance Plans The Operatng Characterstc (OC) curve descrbes the probablty of acceptng a lot as a functon of the lot s qualty. Fgure 1 shows a typcal OC Curve. 10 8 6 4 1 3 4

More information

Multiple-Period Attribution: Residuals and Compounding

Multiple-Period Attribution: Residuals and Compounding Multple-Perod Attrbuton: Resduals and Compoundng Our revewer gave these authors full marks for dealng wth an ssue that performance measurers and vendors often regard as propretary nformaton. In 1994, Dens

More information

Ring structure of splines on triangulations

Ring structure of splines on triangulations www.oeaw.ac.at Rng structure of splnes on trangulatons N. Vllamzar RICAM-Report 2014-48 www.rcam.oeaw.ac.at RING STRUCTURE OF SPLINES ON TRIANGULATIONS NELLY VILLAMIZAR Introducton For a trangulated regon

More information

Embedding lattices in the Kleene degrees

Embedding lattices in the Kleene degrees F U N D A M E N T A MATHEMATICAE 62 (999) Embeddng lattces n the Kleene degrees by Hsato M u r a k (Nagoya) Abstract. Under ZFC+CH, we prove that some lattces whose cardnaltes do not exceed ℵ can be embedded

More information

INTERPRETING TRUE ARITHMETIC IN THE LOCAL STRUCTURE OF THE ENUMERATION DEGREES.

INTERPRETING TRUE ARITHMETIC IN THE LOCAL STRUCTURE OF THE ENUMERATION DEGREES. INTERPRETING TRUE ARITHMETIC IN THE LOCAL STRUCTURE OF THE ENUMERATION DEGREES. HRISTO GANCHEV AND MARIYA SOSKOVA 1. Introducton Degree theory studes mathematcal structures, whch arse from a formal noton

More information

Compact CCA2-secure Hierarchical Identity-Based Broadcast Encryption for Fuzzy-entity Data Sharing

Compact CCA2-secure Hierarchical Identity-Based Broadcast Encryption for Fuzzy-entity Data Sharing Compact CCA2-secure Herarchcal Identty-Based Broadcast Encrypton for Fuzzy-entty Data Sharng Weran Lu 1, Janwe Lu 1, Qanhong Wu 1, Bo Qn 2, Davd Naccache 3, and Houda Ferrad 4 1 School of Electronc and

More information

Combinatorial Agency of Threshold Functions

Combinatorial Agency of Threshold Functions Combnatoral Agency of Threshold Functons Shal Jan Computer Scence Department Yale Unversty New Haven, CT 06520 shal.jan@yale.edu Davd C. Parkes School of Engneerng and Appled Scences Harvard Unversty Cambrdge,

More information

Generalizing the degree sequence problem

Generalizing the degree sequence problem Mddlebury College March 2009 Arzona State Unversty Dscrete Mathematcs Semnar The degree sequence problem Problem: Gven an nteger sequence d = (d 1,...,d n ) determne f there exsts a graph G wth d as ts

More information

CHOLESTEROL REFERENCE METHOD LABORATORY NETWORK. Sample Stability Protocol

CHOLESTEROL REFERENCE METHOD LABORATORY NETWORK. Sample Stability Protocol CHOLESTEROL REFERENCE METHOD LABORATORY NETWORK Sample Stablty Protocol Background The Cholesterol Reference Method Laboratory Network (CRMLN) developed certfcaton protocols for total cholesterol, HDL

More information

Product-Form Stationary Distributions for Deficiency Zero Chemical Reaction Networks

Product-Form Stationary Distributions for Deficiency Zero Chemical Reaction Networks Bulletn of Mathematcal Bology (21 DOI 1.17/s11538-1-9517-4 ORIGINAL ARTICLE Product-Form Statonary Dstrbutons for Defcency Zero Chemcal Reacton Networks Davd F. Anderson, Gheorghe Cracun, Thomas G. Kurtz

More information

Project Networks With Mixed-Time Constraints

Project Networks With Mixed-Time Constraints Project Networs Wth Mxed-Tme Constrants L Caccetta and B Wattananon Western Australan Centre of Excellence n Industral Optmsaton (WACEIO) Curtn Unversty of Technology GPO Box U1987 Perth Western Australa

More information

An Optimally Robust Hybrid Mix Network (Extended Abstract)

An Optimally Robust Hybrid Mix Network (Extended Abstract) An Optmally Robust Hybrd Mx Network (Extended Abstract) Markus Jakobsson and Ar Juels RSA Laboratores Bedford, MA, USA {mjakobsson,ajuels}@rsasecurty.com Abstract We present a mx network that acheves effcent

More information

FORMAL ANALYSIS FOR REAL-TIME SCHEDULING

FORMAL ANALYSIS FOR REAL-TIME SCHEDULING FORMAL ANALYSIS FOR REAL-TIME SCHEDULING Bruno Dutertre and Vctora Stavrdou, SRI Internatonal, Menlo Park, CA Introducton In modern avoncs archtectures, applcaton software ncreasngly reles on servces provded

More information

+ + + - - This circuit than can be reduced to a planar circuit

+ + + - - This circuit than can be reduced to a planar circuit MeshCurrent Method The meshcurrent s analog of the nodeoltage method. We sole for a new set of arables, mesh currents, that automatcally satsfy KCLs. As such, meshcurrent method reduces crcut soluton to

More information

Linear Circuits Analysis. Superposition, Thevenin /Norton Equivalent circuits

Linear Circuits Analysis. Superposition, Thevenin /Norton Equivalent circuits Lnear Crcuts Analyss. Superposton, Theenn /Norton Equalent crcuts So far we hae explored tmendependent (resste) elements that are also lnear. A tmendependent elements s one for whch we can plot an / cure.

More information

J. Parallel Distrib. Comput.

J. Parallel Distrib. Comput. J. Parallel Dstrb. Comput. 71 (2011) 62 76 Contents lsts avalable at ScenceDrect J. Parallel Dstrb. Comput. journal homepage: www.elsever.com/locate/jpdc Optmzng server placement n dstrbuted systems n

More information

Data Broadcast on a Multi-System Heterogeneous Overlayed Wireless Network *

Data Broadcast on a Multi-System Heterogeneous Overlayed Wireless Network * JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 24, 819-840 (2008) Data Broadcast on a Mult-System Heterogeneous Overlayed Wreless Network * Department of Computer Scence Natonal Chao Tung Unversty Hsnchu,

More information

Inequality and The Accounting Period. Quentin Wodon and Shlomo Yitzhaki. World Bank and Hebrew University. September 2001.

Inequality and The Accounting Period. Quentin Wodon and Shlomo Yitzhaki. World Bank and Hebrew University. September 2001. Inequalty and The Accountng Perod Quentn Wodon and Shlomo Ytzha World Ban and Hebrew Unversty September Abstract Income nequalty typcally declnes wth the length of tme taen nto account for measurement.

More information

Secure Network Coding Over the Integers

Secure Network Coding Over the Integers Secure Network Codng Over the Integers Rosaro Gennaro Jonathan Katz Hugo Krawczyk Tal Rabn Abstract Network codng has receved sgnfcant attenton n the networkng communty for ts potental to ncrease throughput

More information

Tools for Privacy Preserving Distributed Data Mining

Tools for Privacy Preserving Distributed Data Mining Tools for Prvacy Preservng Dstrbuted Data Mnng hrs lfton, Murat Kantarcoglu, Jadeep Vadya Purdue Unversty Department of omputer Scences 250 N Unversty St West Lafayette, IN 47907-2066 USA (clfton, kanmurat,

More information

To Fill or not to Fill: The Gas Station Problem

To Fill or not to Fill: The Gas Station Problem To Fll or not to Fll: The Gas Staton Problem Samr Khuller Azarakhsh Malekan Julán Mestre Abstract In ths paper we study several routng problems that generalze shortest paths and the Travelng Salesman Problem.

More information

Answer: A). There is a flatter IS curve in the high MPC economy. Original LM LM after increase in M. IS curve for low MPC economy

Answer: A). There is a flatter IS curve in the high MPC economy. Original LM LM after increase in M. IS curve for low MPC economy 4.02 Quz Solutons Fall 2004 Multple-Choce Questons (30/00 ponts) Please, crcle the correct answer for each of the followng 0 multple-choce questons. For each queston, only one of the answers s correct.

More information

6. EIGENVALUES AND EIGENVECTORS 3 = 3 2

6. EIGENVALUES AND EIGENVECTORS 3 = 3 2 EIGENVALUES AND EIGENVECTORS The Characterstc Polynomal If A s a square matrx and v s a non-zero vector such that Av v we say that v s an egenvector of A and s the correspondng egenvalue Av v Example :

More information

Calculation of Sampling Weights

Calculation of Sampling Weights Perre Foy Statstcs Canada 4 Calculaton of Samplng Weghts 4.1 OVERVIEW The basc sample desgn used n TIMSS Populatons 1 and 2 was a two-stage stratfed cluster desgn. 1 The frst stage conssted of a sample

More information

Brigid Mullany, Ph.D University of North Carolina, Charlotte

Brigid Mullany, Ph.D University of North Carolina, Charlotte Evaluaton And Comparson Of The Dfferent Standards Used To Defne The Postonal Accuracy And Repeatablty Of Numercally Controlled Machnng Center Axes Brgd Mullany, Ph.D Unversty of North Carolna, Charlotte

More information

Nordea G10 Alpha Carry Index

Nordea G10 Alpha Carry Index Nordea G10 Alpha Carry Index Index Rules v1.1 Verson as of 10/10/2013 1 (6) Page 1 Index Descrpton The G10 Alpha Carry Index, the Index, follows the development of a rule based strategy whch nvests and

More information

Provably Secure Single Sign-on Scheme in Distributed Systems and Networks

Provably Secure Single Sign-on Scheme in Distributed Systems and Networks 0 IEEE th Internatonal Conference on Trust, Securty and Prvacy n Computng and Communcatons Provably Secure Sngle Sgn-on Scheme n Dstrbuted Systems and Networks Jangshan Yu, Guln Wang, and Y Mu Center for

More information

Optimal Distributed Password Verification

Optimal Distributed Password Verification Optmal Dstrbuted Password Verfcaton Jan Camensch IBM Research Zurch jca@zurch.bm.com Anja Lehmann IBM Research Zurch anj@zurch.bm.com Gregory Neven IBM Research Zurch nev@zurch.bm.com ABSTRACT We present

More information

Identity-Based Encryption Gone Wild

Identity-Based Encryption Gone Wild An extended abstract of ths paper appeared n Mchele Bugles, Bart Preneel, Vladmro Sassone, and Ingo Wegener, edtors, 33rd Internatonal Colloquum on Automata, Languages and Programmng ICALP 2006, volume

More information

Efficient Project Portfolio as a tool for Enterprise Risk Management

Efficient Project Portfolio as a tool for Enterprise Risk Management Effcent Proect Portfolo as a tool for Enterprse Rsk Management Valentn O. Nkonov Ural State Techncal Unversty Growth Traectory Consultng Company January 5, 27 Effcent Proect Portfolo as a tool for Enterprse

More information

The EigenTrust Algorithm for Reputation Management in P2P Networks

The EigenTrust Algorithm for Reputation Management in P2P Networks The EgenTrust Algorthm for Reputaton Management n P2P Networks Sepandar D. Kamvar Stanford Unversty sdkamvar@stanford.edu Maro T. Schlosser Stanford Unversty schloss@db.stanford.edu Hector Garca-Molna

More information

Implementation of Deutsch's Algorithm Using Mathcad

Implementation of Deutsch's Algorithm Using Mathcad Implementaton of Deutsch's Algorthm Usng Mathcad Frank Roux The followng s a Mathcad mplementaton of Davd Deutsch's quantum computer prototype as presented on pages - n "Machnes, Logc and Quantum Physcs"

More information

VRT012 User s guide V0.1. Address: Žirmūnų g. 27, Vilnius LT-09105, Phone: (370-5) 2127472, Fax: (370-5) 276 1380, Email: info@teltonika.

VRT012 User s guide V0.1. Address: Žirmūnų g. 27, Vilnius LT-09105, Phone: (370-5) 2127472, Fax: (370-5) 276 1380, Email: info@teltonika. VRT012 User s gude V0.1 Thank you for purchasng our product. We hope ths user-frendly devce wll be helpful n realsng your deas and brngng comfort to your lfe. Please take few mnutes to read ths manual

More information

Feature selection for intrusion detection. Slobodan Petrović NISlab, Gjøvik University College

Feature selection for intrusion detection. Slobodan Petrović NISlab, Gjøvik University College Feature selecton for ntruson detecton Slobodan Petrovć NISlab, Gjøvk Unversty College Contents The feature selecton problem Intruson detecton Traffc features relevant for IDS The CFS measure The mrmr measure

More information

Availability-Based Path Selection and Network Vulnerability Assessment

Availability-Based Path Selection and Network Vulnerability Assessment Avalablty-Based Path Selecton and Network Vulnerablty Assessment Song Yang, Stojan Trajanovsk and Fernando A. Kupers Delft Unversty of Technology, The Netherlands {S.Yang, S.Trajanovsk, F.A.Kupers}@tudelft.nl

More information

Implied (risk neutral) probabilities, betting odds and prediction markets

Implied (risk neutral) probabilities, betting odds and prediction markets Impled (rsk neutral) probabltes, bettng odds and predcton markets Fabrzo Caccafesta (Unversty of Rome "Tor Vergata") ABSTRACT - We show that the well known euvalence between the "fundamental theorem of

More information

Number of Levels Cumulative Annual operating Income per year construction costs costs ($) ($) ($) 1 600,000 35,000 100,000 2 2,200,000 60,000 350,000

Number of Levels Cumulative Annual operating Income per year construction costs costs ($) ($) ($) 1 600,000 35,000 100,000 2 2,200,000 60,000 350,000 Problem Set 5 Solutons 1 MIT s consderng buldng a new car park near Kendall Square. o unversty funds are avalable (overhead rates are under pressure and the new faclty would have to pay for tself from

More information

A Secure Password-Authenticated Key Agreement Using Smart Cards

A Secure Password-Authenticated Key Agreement Using Smart Cards A Secure Password-Authentcated Key Agreement Usng Smart Cards Ka Chan 1, Wen-Chung Kuo 2 and Jn-Chou Cheng 3 1 Department of Computer and Informaton Scence, R.O.C. Mltary Academy, Kaohsung 83059, Tawan,

More information

Joe Pimbley, unpublished, 2005. Yield Curve Calculations

Joe Pimbley, unpublished, 2005. Yield Curve Calculations Joe Pmbley, unpublshed, 005. Yeld Curve Calculatons Background: Everythng s dscount factors Yeld curve calculatons nclude valuaton of forward rate agreements (FRAs), swaps, nterest rate optons, and forward

More information

Examensarbete. Rotating Workforce Scheduling. Caroline Granfeldt

Examensarbete. Rotating Workforce Scheduling. Caroline Granfeldt Examensarbete Rotatng Workforce Schedulng Carolne Granfeldt LTH - MAT - EX - - 2015 / 08 - - SE Rotatng Workforce Schedulng Optmerngslära, Lnköpngs Unverstet Carolne Granfeldt LTH - MAT - EX - - 2015

More information

Today s class. Chapter 13. Sources of uncertainty. Decision making with uncertainty

Today s class. Chapter 13. Sources of uncertainty. Decision making with uncertainty Today s class Probablty theory Bayesan nference From the ont dstrbuton Usng ndependence/factorng From sources of evdence Chapter 13 1 2 Sources of uncertanty Uncertan nputs Mssng data Nosy data Uncertan

More information

Tracker: Security and Privacy for RFID-based Supply Chains

Tracker: Security and Privacy for RFID-based Supply Chains Tracker: Securty and Prvacy for RFID-based Supply Chans Erk-Olver Blass Kaoutar Elkhyaou Refk Molva EURECOM Sopha Antpols, France {blass elkhyao molva}@eurecom.fr Abstract The counterfetng of pharmaceutcs

More information

Value Driven Load Balancing

Value Driven Load Balancing Value Drven Load Balancng Sherwn Doroud a, Esa Hyytä b,1, Mor Harchol-Balter c,2 a Tepper School of Busness, Carnege Mellon Unversty, 5000 Forbes Ave., Pttsburgh, PA 15213 b Department of Communcatons

More information

RESEARCH DISCUSSION PAPER

RESEARCH DISCUSSION PAPER Reserve Bank of Australa RESEARCH DISCUSSION PAPER Competton Between Payment Systems George Gardner and Andrew Stone RDP 2009-02 COMPETITION BETWEEN PAYMENT SYSTEMS George Gardner and Andrew Stone Research

More information

We are now ready to answer the question: What are the possible cardinalities for finite fields?

We are now ready to answer the question: What are the possible cardinalities for finite fields? Chapter 3 Fnte felds We have seen, n the prevous chapters, some examples of fnte felds. For example, the resdue class rng Z/pZ (when p s a prme) forms a feld wth p elements whch may be dentfed wth the

More information

On the Optimal Control of a Cascade of Hydro-Electric Power Stations

On the Optimal Control of a Cascade of Hydro-Electric Power Stations On the Optmal Control of a Cascade of Hydro-Electrc Power Statons M.C.M. Guedes a, A.F. Rbero a, G.V. Smrnov b and S. Vlela c a Department of Mathematcs, School of Scences, Unversty of Porto, Portugal;

More information

Bandwdth Packng E. G. Coman, Jr. and A. L. Stolyar Bell Labs, Lucent Technologes Murray Hll, NJ 07974 fegc,stolyarg@research.bell-labs.com Abstract We model a server that allocates varyng amounts of bandwdth

More information

Institute of Informatics, Faculty of Business and Management, Brno University of Technology,Czech Republic

Institute of Informatics, Faculty of Business and Management, Brno University of Technology,Czech Republic Lagrange Multplers as Quanttatve Indcators n Economcs Ivan Mezník Insttute of Informatcs, Faculty of Busness and Management, Brno Unversty of TechnologCzech Republc Abstract The quanttatve role of Lagrange

More information

Logistic Regression. Lecture 4: More classifiers and classes. Logistic regression. Adaboost. Optimization. Multiple class classification

Logistic Regression. Lecture 4: More classifiers and classes. Logistic regression. Adaboost. Optimization. Multiple class classification Lecture 4: More classfers and classes C4B Machne Learnng Hlary 20 A. Zsserman Logstc regresson Loss functons revsted Adaboost Loss functons revsted Optmzaton Multple class classfcaton Logstc Regresson

More information

Power-of-Two Policies for Single- Warehouse Multi-Retailer Inventory Systems with Order Frequency Discounts

Power-of-Two Policies for Single- Warehouse Multi-Retailer Inventory Systems with Order Frequency Discounts Power-of-wo Polces for Sngle- Warehouse Mult-Retaler Inventory Systems wth Order Frequency Dscounts José A. Ventura Pennsylvana State Unversty (USA) Yale. Herer echnon Israel Insttute of echnology (Israel)

More information

ABSTRACT. Categories and Subject Descriptors. General Terms. Keywords

ABSTRACT. Categories and Subject Descriptors. General Terms. Keywords On Desgnng Incentve-Compatble Routng and Forwardng Protocols n Wreless Ad-Hoc Networks An Integrated Approach Usng Game Theoretcal and Cryptographc Technques Sheng Zhong L (Erran) L Yanbn Grace Lu Yang

More information

Latent Class Regression. Statistics for Psychosocial Research II: Structural Models December 4 and 6, 2006

Latent Class Regression. Statistics for Psychosocial Research II: Structural Models December 4 and 6, 2006 Latent Class Regresson Statstcs for Psychosocal Research II: Structural Models December 4 and 6, 2006 Latent Class Regresson (LCR) What s t and when do we use t? Recall the standard latent class model

More information

An Enhanced Super-Resolution System with Improved Image Registration, Automatic Image Selection, and Image Enhancement

An Enhanced Super-Resolution System with Improved Image Registration, Automatic Image Selection, and Image Enhancement An Enhanced Super-Resoluton System wth Improved Image Regstraton, Automatc Image Selecton, and Image Enhancement Yu-Chuan Kuo ( ), Chen-Yu Chen ( ), and Chou-Shann Fuh ( ) Department of Computer Scence

More information

L10: Linear discriminants analysis

L10: Linear discriminants analysis L0: Lnear dscrmnants analyss Lnear dscrmnant analyss, two classes Lnear dscrmnant analyss, C classes LDA vs. PCA Lmtatons of LDA Varants of LDA Other dmensonalty reducton methods CSCE 666 Pattern Analyss

More information

Stability, observer design and control of networks using Lyapunov methods

Stability, observer design and control of networks using Lyapunov methods Stablty, observer desgn and control of networks usng Lyapunov methods von Lars Naujok Dssertaton zur Erlangung des Grades enes Doktors der Naturwssenschaften - Dr. rer. nat. - Vorgelegt m Fachberech 3

More information

Lecture 3: Force of Interest, Real Interest Rate, Annuity

Lecture 3: Force of Interest, Real Interest Rate, Annuity Lecture 3: Force of Interest, Real Interest Rate, Annuty Goals: Study contnuous compoundng and force of nterest Dscuss real nterest rate Learn annuty-mmedate, and ts present value Study annuty-due, and

More information

Relay Secrecy in Wireless Networks with Eavesdropper

Relay Secrecy in Wireless Networks with Eavesdropper Relay Secrecy n Wreless Networks wth Eavesdropper Parvathnathan Venktasubramanam, Tng He and Lang Tong School of Electrcal and Computer Engneerng Cornell Unversty, Ithaca, NY 14853 Emal : {pv45, th255,

More information

Period and Deadline Selection for Schedulability in Real-Time Systems

Period and Deadline Selection for Schedulability in Real-Time Systems Perod and Deadlne Selecton for Schedulablty n Real-Tme Systems Thdapat Chantem, Xaofeng Wang, M.D. Lemmon, and X. Sharon Hu Department of Computer Scence and Engneerng, Department of Electrcal Engneerng

More information

MAPP. MERIS level 3 cloud and water vapour products. Issue: 1. Revision: 0. Date: 9.12.1998. Function Name Organisation Signature Date

MAPP. MERIS level 3 cloud and water vapour products. Issue: 1. Revision: 0. Date: 9.12.1998. Function Name Organisation Signature Date Ttel: Project: Doc. No.: MERIS level 3 cloud and water vapour products MAPP MAPP-ATBD-ClWVL3 Issue: 1 Revson: 0 Date: 9.12.1998 Functon Name Organsaton Sgnature Date Author: Bennartz FUB Preusker FUB Schüller

More information

Enterprise Master Patient Index

Enterprise Master Patient Index Enterprse Master Patent Index Healthcare data are captured n many dfferent settngs such as hosptals, clncs, labs, and physcan offces. Accordng to a report by the CDC, patents n the Unted States made an

More information

Joint Scheduling of Processing and Shuffle Phases in MapReduce Systems

Joint Scheduling of Processing and Shuffle Phases in MapReduce Systems Jont Schedulng of Processng and Shuffle Phases n MapReduce Systems Fangfe Chen, Mural Kodalam, T. V. Lakshman Department of Computer Scence and Engneerng, The Penn State Unversty Bell Laboratores, Alcatel-Lucent

More information

ErrorPropagation.nb 1. Error Propagation

ErrorPropagation.nb 1. Error Propagation ErrorPropagaton.nb Error Propagaton Suppose that we make observatons of a quantty x that s subject to random fluctuatons or measurement errors. Our best estmate of the true value for ths quantty s then

More information

Course outline. Financial Time Series Analysis. Overview. Data analysis. Predictive signal. Trading strategy

Course outline. Financial Time Series Analysis. Overview. Data analysis. Predictive signal. Trading strategy Fnancal Tme Seres Analyss Patrck McSharry patrck@mcsharry.net www.mcsharry.net Trnty Term 2014 Mathematcal Insttute Unversty of Oxford Course outlne 1. Data analyss, probablty, correlatons, vsualsaton

More information

Fisher Markets and Convex Programs

Fisher Markets and Convex Programs Fsher Markets and Convex Programs Nkhl R. Devanur 1 Introducton Convex programmng dualty s usually stated n ts most general form, wth convex objectve functons and convex constrants. (The book by Boyd and

More information