Complete Fairness in Secure Two-Party Computation


S. Dov Gordon, Carmit Hazay, Jonathan Katz, Yehuda Lindell

Abstract

In the setting of secure two-party computation, two mutually distrusting parties wish to compute some function of their inputs while preserving, to the extent possible, various security properties such as privacy, correctness, and more. One desirable property is fairness which guarantees, informally, that if one party receives its output, then the other party does too. Cleve (STOC 1986) showed that complete fairness cannot be achieved in general without an honest majority. Since then, the accepted folklore has been that nothing non-trivial can be computed with complete fairness in the two-party setting. We demonstrate that this folklore belief is false by showing completely fair protocols for various non-trivial functions in the two-party setting based on standard cryptographic assumptions. We first show feasibility of obtaining complete fairness when computing any function over polynomial-size domains that does not contain an "embedded XOR"; this class of functions includes boolean AND/OR as well as Yao's "millionaires' problem". We also demonstrate feasibility for certain functions that do contain an embedded XOR, and prove a lower bound showing that any completely fair protocol for such functions must have round complexity super-logarithmic in the security parameter. Our results demonstrate that the question of completely fair secure computation without an honest majority is far from closed.

Keywords: cryptography, secure computation, fairness, distributed computing

Dept. of Computer Science, Columbia University. Work done while at the University of Maryland.
Dept. of Computer Science, Aarhus University. Work done while at Bar-Ilan University.
Dept. of Computer Science, University of Maryland. Work supported by NSF grants # and # , and US-Israel Binational Science Foundation grant #
Dept. of Computer Science, Bar-Ilan University. Work supported by US-Israel Binational Science Foundation grant #
1 Introduction

In the setting of secure computation, a set of parties wish to run some protocol for computing a function of their inputs while preserving, to the extent possible, security properties such as privacy, correctness, input independence, etc. These requirements, and more, are formalized by comparing a real-world execution of the protocol to an ideal world where there is a trusted entity who performs the computation on behalf of the parties. Informally, a protocol is secure if for any real-world adversary A there exists a corresponding ideal-world adversary S (corrupting the same parties as A) such that the result of executing the protocol in the real world with A is computationally indistinguishable from the result of computing the function in the ideal world with S.

One desirable property is fairness which, intuitively, means that either everyone receives the output, or else no one does. Unfortunately, it has been shown by Cleve [11] that complete fairness^1 is impossible to achieve in general when a majority of parties is not honest (which, in particular, includes the two-party setting); specifically, Cleve rules out completely fair coin tossing, which implies the impossibility of computing boolean XOR with complete fairness. Since Cleve's work, the accepted folklore has been that nothing non-trivial can be computed with complete fairness without an honest majority, and researchers have simply resigned themselves to being unable to achieve this goal. Indeed, the standard formulation of secure computation (see [18]) posits two ideal worlds, and two corresponding definitions of security: one that incorporates fairness and is used when a majority of the parties are assumed to be honest (we refer to the corresponding definition as "security with complete fairness"), and one that does not incorporate fairness and is used when an arbitrary number of parties may be corrupted (we refer to the corresponding definition as "security with abort", since the adversary in this case may abort the protocol once it receives its output).
Protocols achieving security with complete fairness when a majority of parties are honest, for arbitrary functionalities, are known (assuming a broadcast channel) [19, 5, 9, 1, 30], as are protocols achieving security with abort for any number of corrupted parties (under suitable cryptographic assumptions) [19, 18]. Since the work of Cleve, however, there has been no progress toward a better understanding of complete fairness without an honest majority. No further impossibility results have been shown (i.e., other than those that follow trivially from Cleve's result), nor have any completely fair protocols for any non-trivial^2 functions been constructed. In short, the question of fairness without an honest majority has been treated as closed for over two decades.

1.1 Our Results

Cleve's work shows that certain functions cannot be computed with complete fairness without an honest majority. The folklore interpretation of this result seems to have been that nothing (non-trivial) can be computed with complete fairness without an honest majority. Surprisingly, we show that this folklore is false by demonstrating that many interesting and non-trivial functions can be computed with complete fairness in the two-party setting. Our positive results can be based on standard cryptographic assumptions such as the existence of enhanced trapdoor permutations. (Actually, our results can be based on the minimal assumption that oblivious transfer is possible.)

^1 Various notions of partial fairness have also been considered; see Section 1.2 for a brief discussion.

^2 It is not hard to see that some trivial functions (e.g., the constant function) can be computed with complete fairness. Furthermore, any function that depends on only one party's input can be computed with complete fairness, as can any function where only one party receives output. We consider such functions "trivial" in this context.
Our first result concerns functions without an embedded XOR, where a function f is said to have an embedded XOR if there exist inputs $x_0, x_1, y_0, y_1$ such that $f(x_i, y_j) = i \oplus j$. We show:

Theorem Let f be a two-input boolean function defined over polynomial-size domains that does not contain an embedded XOR. Then, under suitable cryptographic assumptions, there exists a protocol for securely computing f with complete fairness.

This result is described in Section 3. The round complexity of our protocol in this case is linear in the size of the domains, hence the restriction that the domains be of polynomial size. Examples of functions without an embedded XOR include boolean OR and AND, as well as Yao's "millionaires' problem" [31] (i.e., the greater-than function). We remark that even simple functions such as OR/AND are non-trivial in the context of secure two-party computation since they cannot be computed with information-theoretic privacy [10] and are in fact complete for two-party secure computation with abort [24].

Recall that Cleve's result rules out completely fair computation of boolean XOR. Given this and the fact that our first result applies only to functions without an embedded XOR, a natural conjecture is that the presence of an embedded XOR serves as a barrier to completely fair computation of a given function. Our next result shows that this conjecture is false:

Theorem Under suitable cryptographic assumptions, there exist two-input boolean functions containing an embedded XOR that can be securely computed with complete fairness.

This result is described in Section 4. The round complexity of the protocol here is super-logarithmic in the security parameter. We show that this is, in fact, inherent:

Theorem Let f be a two-party function containing an embedded XOR. Then any protocol securely computing f with complete fairness (assuming one exists) requires $\omega(\log n)$ rounds.
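The embedded-XOR condition used in these theorems (inputs $x_0, x_1, y_0, y_1$ with $f(x_i, y_j) = i \oplus j$) can be checked mechanically on a truth table. The following is an added example, not code from the paper; the function names and the sample tables are constructed for illustration.

```python
from itertools import combinations

def find_embedded_xor(table):
    """Return indices (x0, x1, y0, y1) with table[x_i][y_j] == i ^ j, or None.

    table[r][c] holds f(x_r, y_c) in {0, 1}; rows are the first party's
    inputs and columns are the second party's inputs.
    """
    for r, s in combinations(range(len(table)), 2):
        for c, d in combinations(range(len(table[0])), 2):
            # A 2x2 minor is an XOR when both diagonals are constant and differ.
            if table[r][c] == table[s][d] != table[r][d] == table[s][c]:
                # Order the columns so that f(x0, y0) = 0, matching i xor j.
                return (r, s, c, d) if table[r][c] == 0 else (r, s, d, c)
    return None

def greater_than(m):
    """Truth table of the greater-than function on {1..m} x {1..m}."""
    return [[1 if i > j else 0 for j in range(1, m + 1)]
            for i in range(1, m + 1)]

def is_witness(table, w):
    """Check a returned witness against the definition f(x_i, y_j) = i xor j."""
    xs, ys = w[:2], w[2:]
    return all(table[xs[i]][ys[j]] == i ^ j for i in (0, 1) for j in (0, 1))

# Constructed sample tables.
AND = [[0, 0], [0, 1]]
OR = [[0, 1], [1, 1]]
XOR = [[0, 1], [1, 0]]
EQUALITY = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]   # contains an embedded XOR

if __name__ == "__main__":
    for name, t in [("AND", AND), ("OR", OR), ("GT6", greater_than(6)),
                    ("XOR", XOR), ("EQ3", EQUALITY)]:
        print(name, find_embedded_xor(t))
```
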
Our proof of this lower bound is reminiscent of Cleve's proof [11], except that Cleve only needed to consider the adversary's ability to bias a coin toss, whereas we must jointly consider both bias and privacy (since, for certain functions containing an embedded XOR, it is possible for an adversary to bias the output even in the ideal world). This makes the proof considerably more complex.

1.2 Related Work

Questions of fairness have been studied since the early days of secure computation. Previous work has been dedicated to achieving various relaxations of fairness (i.e., "partial fairness"), both for the case of specific functionalities like coin tossing [11, 12, 28] and contract signing/exchanging secrets [6, 26, 14, 4, 13], as well as for the case of general functionalities [32, 16, 3, 20, 15, 7, 29, 17, 22]. While relevant, such work is tangential to our own: here, rather than try to achieve partial fairness for all functionalities, we are interested in obtaining complete fairness and then ask for which functionalities this is possible.

1.3 Open Questions

We have shown the first positive results for completely-fair secure computation of non-trivial functionalities without an honest majority. This re-opens an area of research that was previously thought to be closed, and leaves many tantalizing open directions to explore. The most pressing question left open by this work is to provide a tight characterization of which boolean functions can be computed with complete fairness in the two-party setting. More generally, the positive results
shown here apply only to deterministic, single-output,^3 boolean functions defined over polynomial-size domains. Relaxing any of these restrictions in a non-trivial way (or proving the impossibility of doing so) would be an interesting next step. Finally, what can be said with regard to complete fairness in the multi-party setting without honest majority? (This question is interesting both with and without the assumption of a broadcast channel.) Initial feasibility results have been shown [21], but much work remains to be done.

2 Definitions

We let n denote the security parameter. A function $\mu(\cdot)$ is negligible if for every positive polynomial $p(\cdot)$ and all sufficiently large n it holds that $\mu(n) < 1/p(n)$. A distribution ensemble $X = \{X(a, n)\}_{a \in D_n,\, n \in \mathbb{N}}$ is an infinite sequence of random variables indexed by $a \in D_n$ and $n \in \mathbb{N}$, where $D_n$ is a set that may depend on n. (Looking ahead, n will be the security parameter and $D_n$ will denote the domain of the parties' inputs.) Two distribution ensembles $X = \{X(a, n)\}_{a \in D_n,\, n \in \mathbb{N}}$ and $Y = \{Y(a, n)\}_{a \in D_n,\, n \in \mathbb{N}}$ are computationally indistinguishable, denoted $X \stackrel{c}{\equiv} Y$, if for every non-uniform polynomial-time algorithm D there exists a negligible function $\mu(\cdot)$ such that for every n and every $a \in D_n$

$$\bigl|\Pr[D(X(a, n)) = 1] - \Pr[D(Y(a, n)) = 1]\bigr| \le \mu(n).$$

The statistical difference between two distributions $X(a, n)$ and $Y(a, n)$ is defined as

$$\mathrm{SD}\bigl(X(a, n), Y(a, n)\bigr) = \frac{1}{2} \cdot \sum_{s} \bigl|\Pr[X(a, n) = s] - \Pr[Y(a, n) = s]\bigr|,$$

where the sum ranges over s in the support of either $X(a, n)$ or $Y(a, n)$. Two distribution ensembles $X = \{X(a, n)\}_{a \in D_n,\, n \in \mathbb{N}}$ and $Y = \{Y(a, n)\}_{a \in D_n,\, n \in \mathbb{N}}$ are statistically close, denoted $X \stackrel{s}{\equiv} Y$, if there is a negligible function $\mu(\cdot)$ such that for every n and every $a \in D_n$, it holds that $\mathrm{SD}\bigl(X(a, n), Y(a, n)\bigr) \le \mu(n)$.

Functionalities. In the two-party setting, a functionality $F = \{f_n\}_{n \in \mathbb{N}}$ is a sequence of randomized processes, where each $f_n$ maps pairs of inputs to pairs of outputs (one for each party).
We write $f_n = (f_n^1, f_n^2)$ if we wish to emphasize the two outputs of $f_n$, but stress that if $f_n^1$ and $f_n^2$ are randomized then the outputs of $f_n^1$ and $f_n^2$ are correlated random variables. The domain of $f_n$ is $X_n \times Y_n$, where $X_n$ (resp., $Y_n$) denotes the possible inputs of the first (resp., second) party.^4 If $|X_n|$ and $|Y_n|$ are polynomial in n, then we say that F is defined over polynomial-size domains. If each $f_n$ is deterministic we will refer to each $f_n$, as well as the collection F, as a function.

2.1 Secure Two-Party Computation with Complete Fairness

In what follows, we define what we mean by a "secure" protocol. Our definition follows the standard definition of [18] (based on [20, 27, 2, 8]) except that we require complete fairness even though we are in the two-party setting. (Thus, our definition is equivalent to the one in [18] for the case of an honest majority, even though we do not have an honest majority.) We consider active (i.e., malicious) adversaries, who may deviate from the protocol arbitrarily, and static corruptions.

^3 I.e., where both parties receive the same output.

^4 The typical convention in secure computation is to let $f_n = f$ and $X_n = Y_n = \{0, 1\}^*$ for all n. We will be dealing with functions defined over polynomial-size domains, which is why we introduce this notation.
Two-party computation. A two-party protocol for computing a functionality $F = \{(f_n^1, f_n^2)\}$ is a protocol running in polynomial time and satisfying the following functional requirement: if party $P_1$ begins by holding $1^n$ and input $x \in X_n$, and party $P_2$ holds $1^n$ and input $y \in Y_n$, then the joint distribution of the outputs of the parties is statistically close to $(f_n^1(x, y), f_n^2(x, y))$.

Security of protocols (informal). The security of a protocol is analyzed by comparing what an adversary can do in a real protocol execution to what it can do in an ideal scenario that is secure by definition. This is formalized by considering an ideal computation involving an incorruptible trusted party to whom the parties send their inputs. The trusted party computes the functionality on the inputs and returns to each party its respective output. Loosely speaking, a protocol is secure if any adversary interacting in the real protocol (where no trusted party exists) can do no more harm than if it were involved in the above-described ideal computation. We assume an adversary who corrupts one of the parties. It is also meaningful to consider an eavesdropping adversary who corrupts neither of the parties (and should learn nothing from the execution), but such an adversary is easily handled and is not very interesting in our setting.

Execution in the ideal model. The parties are $P_1$ and $P_2$, and there is an adversary A who has corrupted one of them. An ideal execution for the computation of $F = \{f_n\}$ proceeds as follows:

Inputs: $P_1$ and $P_2$ hold the same value $1^n$, and their inputs $x \in X_n$ and $y \in Y_n$, respectively; the adversary A receives an auxiliary input z.

Send inputs to trusted party: The honest party sends its input to the trusted party. The corrupted party controlled by A may send any value of its choice. Denote the pair of inputs sent to the trusted party by $(x', y')$.

Trusted party sends outputs: If $x' \notin X_n$ the trusted party sets $x'$ to some default input in $X_n$; likewise if $y' \notin Y_n$ the trusted party sets $y'$ equal to some default input in $Y_n$.
Then the trusted party chooses r uniformly at random and sends $f_n^1(x', y'; r)$ to party $P_1$ and $f_n^2(x', y'; r)$ to party $P_2$.

Outputs: The honest party outputs whatever it was sent by the trusted party, the corrupted party outputs nothing, and A outputs an arbitrary (probabilistic polynomial-time computable) function of its view.

We let $\mathrm{ideal}_{F,A(z)}(x, y, n)$ be the random variable consisting of the output of the adversary and the output of the honest party following an execution in the ideal model as described above.

Execution in the real model. We next consider the real model in which a two-party protocol π is executed by $P_1$ and $P_2$ (and there is no trusted party). In this case, the adversary A gets the inputs of the corrupted party and sends all messages on behalf of this party, using an arbitrary polynomial-time strategy. The honest party follows the instructions of π.

Let F be as above and let π be a two-party protocol computing F. Let A be a non-uniform probabilistic polynomial-time machine with auxiliary input z. We let $\mathrm{real}_{\pi,A(z)}(x, y, n)$ be the random variable consisting of the view of the adversary and the output of the honest party, following an execution of π where $P_1$ begins by holding $1^n$ and input x and $P_2$ begins by holding $1^n$ and y.

Security as emulation of an ideal execution in the real model. Having defined the ideal and real models, we can now define security of a protocol. Loosely speaking, the definition asserts that a secure protocol (in the real model) emulates the ideal model (in which a trusted party exists). This is formulated as follows:
Definition 2.1 Protocol π is said to securely compute F with complete fairness if for every non-uniform probabilistic polynomial-time adversary A in the real model, there exists a non-uniform probabilistic polynomial-time adversary S in the ideal model such that

$$\bigl\{\mathrm{ideal}_{F,S(z)}(x, y, n)\bigr\}_{(x,y) \in X_n \times Y_n,\ z \in \{0,1\}^*,\ n \in \mathbb{N}} \stackrel{c}{\equiv} \bigl\{\mathrm{real}_{\pi,A(z)}(x, y, n)\bigr\}_{(x,y) \in X_n \times Y_n,\ z \in \{0,1\}^*,\ n \in \mathbb{N}}.$$

2.2 Secure Two-Party Computation With Abort

This definition is the standard one for secure two-party computation [18] in that it allows early abort; i.e., the adversary may receive its own output even though the honest party does not. We again let $P_1$ and $P_2$ denote the two parties, and consider an adversary A who has corrupted one of them. The only change from the definition in Section 2.1 is with regard to the ideal model for computing $F = \{f_n\}$, which is now defined as follows:

Inputs: As previously.

Send inputs to trusted party: As previously.

Trusted party sends output to corrupted party: If $x' \notin X_n$ the trusted party sets $x'$ to some default input in $X_n$; likewise if $y' \notin Y_n$ the trusted party sets $y'$ equal to some default input in $Y_n$. Then the trusted party chooses r uniformly at random, computes $z_1 = f_n^1(x', y'; r)$ and $z_2 = f_n^2(x', y'; r)$, and sends $z_i$ to the corrupted party $P_i$ (i.e., to the adversary A).

Adversary decides whether to abort: After receiving its output (as described above), the adversary either sends abort or continue to the trusted party. In the former case the trusted party sends $\perp$ to the honest party $P_j$, and in the latter case the trusted party sends $z_j$ to $P_j$.

Outputs: As previously.

We let $\mathrm{ideal}^{\mathrm{abort}}_{F,A(z)}(x, y, n)$ be the random variable consisting of the output of the adversary and the output of the honest party following an execution in the ideal model as described above.
Definition 2.2 Protocol π is said to securely compute F with abort if for every non-uniform probabilistic polynomial-time adversary A in the real model, there exists a non-uniform probabilistic polynomial-time adversary S in the ideal model such that

$$\bigl\{\mathrm{ideal}^{\mathrm{abort}}_{F,S(z)}(x, y, n)\bigr\}_{(x,y) \in X_n \times Y_n,\ z \in \{0,1\}^*,\ n \in \mathbb{N}} \stackrel{c}{\equiv} \bigl\{\mathrm{real}_{\pi,A(z)}(x, y, n)\bigr\}_{(x,y) \in X_n \times Y_n,\ z \in \{0,1\}^*,\ n \in \mathbb{N}}.$$

2.3 The Hybrid Model

The hybrid model combines both the real and ideal models. Specifically, an execution of a protocol π in the G-hybrid model, for some functionality G, involves the parties sending normal messages to each other (as in the real model) and, in addition, having access to a trusted party computing G. The parties communicate with this trusted party in exactly the same way as in the ideal models described above; the question of which ideal model is taken (that with or without abort) must be specified. In this paper, we always consider a hybrid model where the functionality G is computed according to the ideal model with abort. In all our protocols in the G-hybrid model there will only be sequential calls to G; i.e., there is at most a single call to G per round, and no other messages are sent during any round in which G is called.
Let G be a functionality and let π be a two-party protocol for computing some functionality F, where π includes real messages between the parties as well as calls to G. Let A be a non-uniform probabilistic polynomial-time machine with auxiliary input z. We let $\mathrm{hybrid}^{G}_{\pi,A(z)}(x, y, n)$ be the random variable consisting of the view of the adversary and the output of the honest party, following an execution of π (with ideal calls to G) where $P_1$ begins by holding $1^n$ and input x and $P_2$ begins by holding $1^n$ and input y. Both security with complete fairness and security with abort can be defined via the natural modifications of Definitions 2.1 and 2.2.

The hybrid model gives a powerful tool for proving the security of protocols. Specifically, we may design a real-world protocol for securely computing some functionality F by first constructing a protocol for computing F in the G-hybrid model. Letting π denote the protocol thus constructed (in the G-hybrid model), we denote by $\pi^{\rho}$ the real-world protocol in which calls to G are replaced by sequential execution of a real-world protocol ρ that computes G. ("Sequential" here implies that only one execution of ρ is carried out at any time, and no other π-protocol messages are sent during execution of ρ.) The results of [8] then imply that if π securely computes F in the G-hybrid model, and ρ securely computes G, then the composed protocol $\pi^{\rho}$ securely computes F (in the real world). For completeness, we state this result formally as we will use it in this work:

Proposition 1 Let ρ be a protocol that securely computes G with abort, and let π be a protocol that securely computes F with complete fairness in the G-hybrid model (where G is computed according to the ideal world with abort). Then protocol $\pi^{\rho}$ securely computes F with complete fairness.

2.4 Information-Theoretic MACs

We briefly review the standard definition for information-theoretically secure message authentication codes (MACs). (We use such MACs for simplicity, though computationally secure MACs would also suffice.)
A message authentication code consists of three polynomial-time algorithms (Gen, Mac, Vrfy). The key-generation algorithm Gen takes as input the security parameter $1^n$ in unary and outputs a key k. The message authentication algorithm Mac takes as input a key k and a message $M \in \{0, 1\}^{n}$, and outputs a tag t; we write this as $t = \mathrm{Mac}_k(M)$. The verification algorithm Vrfy takes as input a key k, a message $M \in \{0, 1\}^{n}$, and a tag t, and outputs a bit b; we write this as $b = \mathrm{Vrfy}_k(M, t)$. We regard b = 1 as acceptance and b = 0 as rejection, and require that for all n, all k output by $\mathrm{Gen}(1^n)$, all $M \in \{0, 1\}^{n}$, it holds that $\mathrm{Vrfy}_k(M, \mathrm{Mac}_k(M)) = 1$.

We say (Gen, Mac, Vrfy) is a secure m-time MAC, where m may be a function of n, if no computationally unbounded adversary can output a valid tag on a new message after seeing valid tags on m other messages. For our purposes, we do not require security against an adversary who adaptively chooses its m messages for which to obtain a valid tag; it suffices to consider a non-adaptive definition where the m messages are fixed in advance. (Nevertheless, known constructions satisfy the stronger requirement.) Formally:

Definition 2.3 Message authentication code (Gen, Mac, Vrfy) is an information-theoretically secure m-time MAC if for any sequence of messages $M_1, \ldots, M_m$ and any adversary A, the following is negligible in the security parameter n:

$$\Pr\left[\begin{array}{l} k \leftarrow \mathrm{Gen}(1^n);\ \forall i : t_i = \mathrm{Mac}_k(M_i); \\ (M', t') \leftarrow A(M_1, t_1, \ldots, M_m, t_m) \end{array} : \mathrm{Vrfy}_k(M', t') = 1 \ \wedge\ M' \notin \{M_1, \ldots, M_m\}\right].$$
3 Fair Computation of the Millionaires' Problem (and More)

In this section, we describe a protocol for securely computing the millionaires' problem (and related functionalities) with complete fairness. (We discuss in Section 3.2 how this generalizes, rather easily, to any function over polynomial-size domains that does not contain an embedded XOR.) Specifically, we look at functions defined by a lower-triangular matrix, as in the following table:

[Table: rows $x_1, \ldots, x_6$; columns $y_1, \ldots, y_6$]

Let $F = \{f_{m(n)}\}_{n \in \mathbb{N}}$ denote a function of the above form, where m = m(n) denotes the size of the domains of each input which we assume, for now, have the same size. (In the next section we will consider the case when they are unequal.) Let $X_m = \{x_1, \ldots, x_m\}$ denote the valid inputs for the first party and let $Y_m = \{y_1, \ldots, y_m\}$ denote the valid inputs for the second party. By suitably ordering these elements, we may write $f_m$ as follows:

$$f_m(x_i, y_j) = \begin{cases} 1 & \text{if } i > j \\ 0 & \text{if } i \le j. \end{cases} \qquad (1)$$

Viewed in this way, $f_m$ is exactly the millionaires' problem or, equivalently, the greater-than function. The remainder of this section is devoted to a proof of the following theorem:

Theorem Let m = poly(n). Assuming the existence of constant-round general secure two-party computation with abort, there exists an Θ(m)-round protocol that securely computes $F = \{f_m\}$ with complete fairness.

Constant-round protocols for general secure two-party computation with abort can be constructed based on enhanced trapdoor permutations or any constant-round protocol for oblivious transfer [25]. (The assumption of a constant-round protocol is needed only for the claim regarding round complexity.) The fact that our protocol requires (at least) Θ(m) rounds explains why we require m = poly(n). When m = 2, we obtain a constant-round protocol for computing boolean AND with complete fairness and, by symmetry, we also obtain a protocol for boolean OR.
We remark further that our results extend to variants of $f_m$ such as the greater-than-or-equal-to function, or the greater-than function where the sizes of the domains X and Y are unequal; see Section 3.2 for a full discussion.

3.1 The Protocol

In this section, we write f in place of $f_m$, and X and Y in place of $X_m$ and $Y_m$.

Intuition. At a high level, our protocol works as follows. Say the input of $P_1$ is $x_i$, and the input of $P_2$ is $y_j$. Following a constant-round "pre-processing" phase, the protocol proceeds in a series of m iterations, where $P_1$ learns the output (namely, the value $f(x_i, y_j)$) in iteration i, and $P_2$ learns the output in iteration j. (That is, in contrast to standard protocols, the iteration in which
a party learns the output depends on the value of its own input.) If one party (say, $P_1$) aborts after receiving its iteration-k message, and the second party (say, $P_2$) has not yet received its output, then $P_2$ "assumes" that $P_1$ learned its output in iteration k, and so computes f on its own using input $x_k$ for $P_1$. (In this case, that means that $P_2$ would output $f(x_k, y_j)$.) We stress that a malicious $P_1$ may, of course, abort in any iteration it likes (and not necessarily in the iteration in which it learns its output); the foregoing is only an intuitive explanation.

The fact that this approach gives complete fairness can be intuitively understood as follows. Say $P_1$ is malicious and uses $x_i$ as its effective input, and let y denote the (unknown) input of $P_2$. There are two possibilities: $P_1$ either aborts in iteration $k < i$, or iteration $k \ge i$. (If $P_1$ never aborts then fairness is trivially achieved.) In the first case, $P_1$ never learns the correct output and so fairness is achieved. In the second case, $P_1$ does obtain the output $f(x_i, y)$ (in iteration i) and then aborts in some iteration $k \ge i$. Here we consider two sub-cases depending on the value of $P_2$'s input $y = y_j$:

If $j < k$ then $P_2$ has already received its output in a previous iteration and fairness is achieved.

If $j \ge k$ then $P_2$ has not yet received its output. Since $P_1$ aborts in iteration k, the protocol directs $P_2$ to output $f(x_k, y) = f(x_k, y_j)$. Since $j \ge k \ge i$, we have $f(x_k, y_j) = 0 = f(x_i, y_j)$ (relying on the specifics of f), and so the output of $P_2$ is equal to the output obtained by $P_1$ (and thus fairness is achieved). This is the key observation that enables us to obtain fairness for this function.

We formalize the above intuition in our proof, where we demonstrate an ideal-world simulator corresponding to the actions of any malicious $P_1$. Of course, we also consider the case of a malicious $P_2$.

Formal description of the protocol. We use a message authentication code (Gen, Mac, Vrfy); see Definition 2.3. For convenience, we use an m-time message authentication code (MAC) with information-theoretic security, though a computationally secure MAC would also suffice.
We also rely on a sub-protocol for securely computing a randomized functionality ShareGen defined in Figure 1. In our protocol, the parties will compute ShareGen as a result of which $P_1$ will obtain shares $a_1^{(1)}, b_1^{(1)}, a_2^{(1)}, b_2^{(1)}, \ldots$ and $P_2$ will obtain shares $a_1^{(2)}, b_1^{(2)}, a_2^{(2)}, b_2^{(2)}, \ldots$. (The functionality ShareGen also provides the parties with MAC keys and tags so that if a malicious party modifies the share it sends to the other party, then the other party will almost certainly detect this. In case such manipulation is detected, it will be treated as an abort.) The parties then exchange their shares one-by-one in a sequence of m iterations. Specifically, in iteration i party $P_2$ will send $a_i^{(2)}$ to $P_1$, thus allowing $P_1$ to reconstruct the value $a_i \stackrel{\mathrm{def}}{=} a_i^{(1)} \oplus a_i^{(2)}$, and then $P_1$ will send $b_i^{(1)}$ to $P_2$, thus allowing $P_2$ to learn the value $b_i \stackrel{\mathrm{def}}{=} b_i^{(2)} \oplus b_i^{(1)}$.

Let π be a protocol that securely computes ShareGen with abort. Our protocol for computing f with complete fairness uses π and is given in Figure 2.

Theorem 3.1 If (Gen, Mac, Vrfy) is an information-theoretically secure m-time MAC, and π securely computes ShareGen with abort, then the protocol in Figure 2 securely computes $\{f_m\}$ with complete fairness.

Proof: Let Π denote the protocol in Figure 2. We analyze Π in a hybrid model where there is a trusted party computing ShareGen. (Since π is only guaranteed to securely compute ShareGen with abort, the adversary in the hybrid model is allowed to abort the trusted party computing ShareGen
before output is sent to the honest party.) We prove that an execution of Π in this hybrid model is statistically close to an evaluation of f in the ideal model (with complete fairness), where the only difference occurs due to MAC forgeries. Applying Proposition 1 then implies the theorem. We separately analyze corruption of $P_1$ and $P_2$, beginning with $P_1$:

Claim 2 For every non-uniform, polynomial-time adversary A corrupting $P_1$ and running Π in a hybrid model with access to an ideal functionality computing ShareGen (with abort), there exists a non-uniform, probabilistic polynomial-time adversary S corrupting $P_1$ and running in the ideal world with access to an ideal functionality computing f (with complete fairness), such that

$$\bigl\{\mathrm{ideal}_{F,S(z)}(x, y, n)\bigr\}_{(x,y) \in X_m \times Y_m,\ z \in \{0,1\}^*,\ n \in \mathbb{N}} \stackrel{s}{\equiv} \bigl\{\mathrm{hybrid}^{\mathrm{ShareGen}}_{\Pi,A(z)}(x, y, n)\bigr\}_{(x,y) \in X_m \times Y_m,\ z \in \{0,1\}^*,\ n \in \mathbb{N}}.$$

Proof: Let $P_1$ be corrupted by A. We construct a simulator S given black-box access to A:

1. S invokes A on the input x, the auxiliary input z, and the security parameter n.

2. S receives the input $x'$ of A to the computation of the functionality ShareGen.
(a) If $x' \notin X$ (this includes the case when $x' = \perp$ since A aborts), then S hands $\perp$ to A as its output from the computation of ShareGen, sends $x_1$ to the trusted party computing f, outputs whatever A outputs, and halts.
(b) Otherwise, if the input is some $x' \in X$, then S chooses uniformly distributed shares $a_1^{(1)}, \ldots, a_m^{(1)}$ and $b_1^{(1)}, \ldots, b_m^{(1)}$. In addition, it generates keys $k_a, k_b \leftarrow \mathrm{Gen}(1^n)$ and computes $t_i^b = \mathrm{Mac}_{k_b}(i \| b_i^{(1)})$ for every i. Finally, it hands A the strings $a_1^{(1)}, \ldots, a_m^{(1)}$, $(b_1^{(1)}, t_1^b), \ldots, (b_m^{(1)}, t_m^b)$, and $k_a$ as its output from the computation of ShareGen.

ShareGen

Inputs: Let the inputs to ShareGen be $x_i$ and $y_j$ with $1 \le i, j \le m$. (If one of the received inputs is not in the correct domain, then both parties are given output $\perp$.) The security parameter is n.

Computation:
1. Define values $a_1, \ldots, a_m$ and $b_1, \ldots, b_m$ in the following way:
Set $a_i = b_j = f(x_i, y_j)$.
For $l \in \{1, \ldots, m\}$, $l \ne i$, set $a_l = \mathrm{null}$.
For $l \in \{1, \ldots, m\}$, $l \ne j$, set $b_l = \mathrm{null}$.
(Technically, $a_i, b_i$ are represented as 2-bit values with, say, 00 interpreted as 0, 11 interpreted as 1, and 01 interpreted as null.)
2. For $1 \le i \le m$, choose $(a_i^{(1)}, a_i^{(2)})$ and $(b_i^{(1)}, b_i^{(2)})$ as random secret sharings of $a_i$ and $b_i$, respectively. (I.e., $a_i^{(1)}$ is random and $a_i^{(1)} \oplus a_i^{(2)} = a_i$.)
3. Compute $k_a, k_b \leftarrow \mathrm{Gen}(1^n)$. For $1 \le i \le m$, let $t_i^a = \mathrm{Mac}_{k_a}(i \| a_i^{(2)})$ and $t_i^b = \mathrm{Mac}_{k_b}(i \| b_i^{(1)})$.

Output:
1. $P_1$ receives the values $a_1^{(1)}, \ldots, a_m^{(1)}$ and $(b_1^{(1)}, t_1^b), \ldots, (b_m^{(1)}, t_m^b)$, and the MAC-key $k_a$.
2. $P_2$ receives the values $(a_1^{(2)}, t_1^a), \ldots, (a_m^{(2)}, t_m^a)$ and $b_1^{(2)}, \ldots, b_m^{(2)}$, and the MAC-key $k_b$.

Figure 1: Functionality ShareGen.
Protocol 1

Inputs: Party $P_1$ has input x and party $P_2$ has input y. The security parameter is n.

The protocol:
1. Preliminary phase:
(a) Parties $P_1$ and $P_2$ run protocol π for computing ShareGen, using their respective inputs x, y, and security parameter n.
(b) If $P_1$ receives $\perp$ from the above computation (because $P_2$ aborts the computation or uses an invalid input in π) it outputs $f(x, y_1)$ and halts. Likewise, if $P_2$ receives $\perp$, it outputs $f(x_1, y)$ and halts. Otherwise, the parties proceed.
(c) Denote the output of $P_1$ from π by $a_1^{(1)}, \ldots, a_m^{(1)}$, $(b_1^{(1)}, t_1^b), \ldots, (b_m^{(1)}, t_m^b)$, and $k_a$.
(d) Denote the output of $P_2$ from π by $(a_1^{(2)}, t_1^a), \ldots, (a_m^{(2)}, t_m^a)$, $b_1^{(2)}, \ldots, b_m^{(2)}$, and $k_b$.
2. For $i = 1, \ldots, m$ do:
$P_2$ sends the next share to $P_1$:
(a) $P_2$ sends $(a_i^{(2)}, t_i^a)$ to $P_1$.
(b) $P_1$ receives $(a_i^{(2)}, t_i^a)$ from $P_2$. If $\mathrm{Vrfy}_{k_a}(i \| a_i^{(2)}, t_i^a) = 0$ (or if $P_1$ received an invalid message, or no message), then $P_1$ halts. If $P_1$ has already determined its output in some earlier iteration, then it outputs that value. Otherwise, it outputs $f(x, y_{i-1})$ (if i = 1, then $P_1$ outputs $f(x, y_1)$).
(c) If $\mathrm{Vrfy}_{k_a}(i \| a_i^{(2)}, t_i^a) = 1$ and $a_i^{(1)} \oplus a_i^{(2)} \ne \mathrm{null}$ (i.e., $x = x_i$), then $P_1$ sets its output to be $a_i^{(1)} \oplus a_i^{(2)}$ (and continues running the protocol).
$P_1$ sends the next share to $P_2$:
(a) $P_1$ sends $(b_i^{(1)}, t_i^b)$ to $P_2$.
(b) $P_2$ receives $(b_i^{(1)}, t_i^b)$ from $P_1$. If $\mathrm{Vrfy}_{k_b}(i \| b_i^{(1)}, t_i^b) = 0$ (or if $P_2$ received an invalid message, or no message), then $P_2$ halts. If $P_2$ has already determined its output in some earlier iteration, then it outputs that value. Otherwise, it outputs $f(x_i, y)$.
(c) If $\mathrm{Vrfy}_{k_b}(i \| b_i^{(1)}, t_i^b) = 1$ and $b_i^{(1)} \oplus b_i^{(2)} \ne \mathrm{null}$ (i.e., $y = y_i$), then $P_2$ sets its output to be $b_i^{(1)} \oplus b_i^{(2)}$ (and continues running the protocol).

Figure 2: Protocol for computing f.

3. If A sends abort to the trusted party computing ShareGen (signalling that $P_2$ should receive $\perp$ as output from ShareGen), then S sends $x_1$ to the trusted party computing f, outputs whatever A outputs, and halts. Otherwise (i.e., if A sends continue), S proceeds as below.

4.
Let (with 1 m) be the index such that x = x (such an exists since x X).
5. To simulate iteration, for <, simulator S works as follows:
(a) S chooses a (2) such that a (1) a (2) = null, and computes the tag t a = Mac k a ( a (2) ). Then S gives A the message (a (2), t a ).
(b) S receives A's message (b̂ (1), t̂ b ) in the th iteration:
i. If Vrfy kb ( b̂ (1), t̂ b ) = 0 (or the message is invalid, or A aborts), then S sends x to the trusted party computing f, outputs whatever A outputs, and halts.
ii. If Vrfy kb ( b̂ (1), t̂ b ) = 1, then S proceeds to the next iteration.
6. To simulate iteration, simulator S works as follows:
(a) S sends x to the trusted party computing f, and receives back the output z = f(x, y).
(b) S chooses a (2) such that a (1) a (2) = z, and computes the tag t a = Mac k a ( a (2) ). Then S gives A the message (a (2), t a ).
(c) S receives A's message (b̂ (1), t̂ b ). If Vrfy k b ( b̂ (1), t̂ b ) = 0 (or the message is invalid, or A aborts), then S outputs whatever A outputs, and halts. If Vrfy kb ( b̂ (1), t̂ b ) = 1, then S proceeds to the next iteration.
7. To simulate iteration, for < m, simulator S works as follows:
(a) S chooses a (2) such that a (1) a (2) = null, and computes the tag t a = Mac k a ( a (2) ). Then S gives A the message (a (2), t a ).
(b) S receives A's message (b̂ (1), t̂ b ). If Vrfy k b ( b̂ (1), t̂ b ) = 0 (or the message is invalid, or A aborts), then S outputs whatever A outputs, and halts. If Vrfy kb ( b̂ (1), t̂ b ) = 1, then S proceeds to the next iteration.
8. If S has not halted yet, at this point it halts and outputs whatever A outputs.

We analyze the simulator S described above. In what follows we assume that if Vrfy kb ( b̂ (1), t̂ b ) = 1 then b̂ (1) = b (1) (meaning that A sent the same share that it received). Under this assumption, we show that the distribution generated by S is identical to the distribution in a hybrid execution between A and an honest P_2. Since this assumption holds with all but negligible probability (by security of the information-theoretic MAC), this proves statistical closeness as stated in the claim.

Let y denote the input of P_2. It is clear that the view of A in an execution with S is identical to the view of A in a hybrid execution with P_2; the only difference is that the initial shares given to A are generated by S without knowledge of z = f(x, y), but since these shares are uniformly distributed the view of A is unaffected.
Therefore, what is left to demonstrate is that the joint distribution of A's view and P_2's output is identical in the hybrid world and the ideal world. We show this now by separately considering three different cases:

1. Case 1: S sends x 1 to the trusted party because x X, or because A aborted the computation of ShareGen: In the hybrid world, P_2 would have received from ShareGen, and would have then output f(x 1, y) as instructed by protocol Π. This is exactly what P_2 outputs in the ideal execution with S because, in this case, S sends x 1 to the trusted party computing f.

If Case 1 does not occur, let x be defined as in the description of the simulator.

2. Case 2: S sends x to the trusted party, for some < : This case occurs when A aborts the protocol in some iteration < (either by refusing to send a message, sending an invalid message, or sending an incorrect share). There are two subcases depending on the value of P_2's input y. Let l be the index such that y = y l. Then:
(a) If l then, in the hybrid world, P_2 would not yet have determined its output (since it only determines its output once it receives a valid message from P_1 in iteration l). Thus, as instructed by the protocol, P_2 would output f(x, y). This is exactly what P_2 outputs in the ideal world, because S sends x to the trusted party in this case.
(b) If l < then, in the hybrid world, P_2 would have already determined its output f(x, y) = f(x, y l ) in the lth iteration. In the ideal world, P_2 will output f(x, y l ) since S sends x to the trusted party. Since < we have l < < and so f(x, y l ) = f(x, y l ) = 1. Thus, P_2's output f(x, y) in the hybrid world is equal to its output f(x, y) in the ideal execution with S.

3. Case 3: S sends x to the trusted party: Here, P_2 outputs f(x, y) in the ideal execution. We show that this is identical to what P_2 would have output in the hybrid world. There are two subcases depending on P_2's input y. Let l be the index such that y = y l. Then:
(a) If l <, then P_2 would have already determined its output f(x, y) = f(x, y) in the lth iteration. (The fact that we are in Case 3 means that A could not have sent an incorrect share prior to iteration.)
(b) If l, then P_2 would not yet have determined its output. There are two subcases:
i. A sends correct shares in iterations =,..., l (inclusive). Then P_2 would determine its output as b (1) l b (2) l = f(x, y) = f(x, y), exactly as in the ideal world.
ii. A sends an incorrect share in iteration ζ, where ζ l. In this case, by the specification of the protocol, party P_2 would output f(x ζ, y) = f(x ζ, y l ). However, since ζ l we have f(x ζ, y l ) = 0 = f(x, y l ). Thus, P_2 outputs the same value in the hybrid and ideal executions.

This concludes the proof of the claim.

The following claim, dealing with a corrupted P_2, completes the proof of the theorem:

Claim 3 For every non-uniform, polynomial-time adversary A corrupting P_2 and running Π in a hybrid model with access to an ideal functionality computing ShareGen (with abort), there exists a non-uniform, probabilistic polynomial-time adversary S corrupting P_2 and running in the ideal world with access to an ideal functionality computing f (with complete fairness), such that

{ ideal f,S(z) (x, y, n) } (x,y) X m Y m, z {0,1}, n N s { hybrid ShareGen Π,A(z) (x, y, n) } (x,y) X m Y m, z {0,1}, n N.

Proof: Say P_2 is corrupted by A. We construct a simulator S given black-box access to A:
1.
S invokes A on the input y, the auxiliary input z, and the security parameter n.
2. S receives the input y of A to the computation of the functionality ShareGen.
(a) If y / Y (this includes the case when y = since A aborts), then S hands to A as its output from the computation of ShareGen, sends y 1 to the trusted party computing f, outputs whatever A outputs, and halts.
(b) Otherwise, if the input is some y Y, then S chooses uniformly distributed shares a^(2)_1, ..., a^(2)_m and b^(2)_1, ..., b^(2)_m. In addition, it generates keys k_a, k_b Gen(1^n) and computes t a = Mac ka ( a (2) ) for every. Finally, it hands A the strings b^(2)_1, ..., b^(2)_m, (a^(2)_1, t^a_1), ..., (a^(2)_m, t^a_m), and k_b as its output from the computation of ShareGen.
3. If A sends abort to the trusted party computing ShareGen, then S sends y 1 to the trusted party computing f, outputs whatever A outputs, and halts. Otherwise (i.e., if A sends continue), S proceeds as below.
4. Let (with 1 m) be the index such that y = y (such an exists since y Y ).
5. To simulate iteration, for <, simulator S works as follows:
(a) S receives A's message (â (2), t̂ a ) in the th iteration:
i. If Vrfy ka ( â (2), t̂ a ) = 0 (or the message is invalid, or A aborts), then S sends y 1 to the trusted party computing f (if = 1, then S sends y 1 ), outputs whatever A outputs, and halts.
ii. If Vrfy ka ( â (2), t̂ a ) = 1, then S proceeds.
(b) Choose b (1) such that b (1) b (2) = null, and compute the tag t b = Mac k b ( b (1) ). Then give to A the message (b (1), t b ).
6. To simulate iteration, simulator S works as follows:
(a) S receives A's message (â (2), t̂ a ).
i. If Vrfy ka ( â (2), t̂ a ) = 0 (or the message is invalid, or A aborts), then S sends y 1 to the trusted party computing f (if = 1 then S sends y 1 ), outputs whatever A outputs, and halts.
ii. If Vrfy ka ( â (2), t̂ a ) = 1, then S sends y to the trusted party computing f, receives the output z = f(x, y ), and proceeds.
(b) Choose b (1) such that b (1) b (2) = z, and compute the tag t b = Mac k b ( b (1) ). Then give to A the message (b (1), t b ).
7. To simulate iteration, for < m, simulator S works as follows:
(a) S receives A's message (â (2), t̂ a ). If Vrfy k a ( â (2), t̂ a ) = 0 (or the message is invalid, or A aborts), then S outputs whatever A outputs, and halts. If Vrfy ka ( â (2), t̂ a ) = 1, then S proceeds.
(b) Choose b (1) such that b (1) b (2) = null, and compute the tag t b = Mac k b ( b (1) ). Then give to A the message (b (1), t b ).
8. If S has not halted yet, at this point it halts and outputs whatever A outputs.

As in the proof of the previous claim, we assume in what follows that if Vrfy ka ( â (2), t̂ a ) = 1 then â (2) = a (2) (meaning that A sent P_1 the same share that it received). Under this assumption, we show that the distribution generated by S is identical to the distribution in a hybrid execution between A and an honest P_1.
Since this assumption holds with all but negligible probability (by security of the MAC), this proves statistical closeness as stated in the claim.

Let x denote the input of P_1. Again, it is clear that the view of A in an execution with S is identical to the view of A in a hybrid execution with P_1. What is left to demonstrate is that the joint distribution of A's view and P_1's output is identical. We show this by considering four different cases:
1. Case 1: S sends y 1 to the trusted party because y Y, or because A aborted the computation of ShareGen: In such a case, the protocol instructs P_1 to output f(x, y 1 ), exactly what P_1 outputs in the ideal world.

2. Case 2: S sends y 1 to the trusted party because A sends an incorrect share in the first iteration: In this case, the simulator sends y 1 to the trusted party computing f, and so the output of P_1 in the ideal world is f(x, y 1 ). In the hybrid world, P_1 will also output f(x, y 1 ) as instructed by the protocol.

If Cases 1 and 2 do not occur, let y be defined as in the description of the simulator.

3. Case 3: S sends y 1 to the trusted party, for some 1 1 <, because A sends an incorrect share in the th iteration: The output of P_1 in the ideal world is f(x, y 1 ). There are two subcases here, depending on the value of P_1's input x. Let l be the index such that x = x l. Then:
(a) If l < then, in the hybrid world, P_1 would have already determined its output f(x, y ) = f(x l, y ). But since l 1 < we have f(x l, y ) = 0 = f(x l, y 1 ), and so P_1's output is identical in both the hybrid and ideal worlds.
(b) If l then, in the hybrid world, P_1 would not yet have determined its output. Therefore, as instructed by the protocol, P_1 will output f(x, y 1 ) in the hybrid world, which is exactly what it outputs in the ideal execution with S.

4. Case 4: S sends y to the trusted party: This case occurs when A sends correct shares up through and including iteration. The output of P_1 in the ideal world is f(x, y ). There are again two subcases here, depending on the value of P_1's input x. Let l be the index such that x = x l. Then:
(a) If l, then P_1 would have already determined its output f(x, y ) = f(x l, y ) in the lth iteration. This matches what P_1 outputs in the ideal execution with S.
(b) If l >, then P_1 would not yet have determined its output. There are two subcases:
i. A sends correct shares in iterations = + 1,..., l (inclusive).
This implies that, in the hybrid world, P_1 would determine its output to be a (1) l a (2) l = f(x, y ) = f(x, y ), exactly as in the ideal execution.
ii. A sends an incorrect share in iteration ζ, where < ζ l. In this case, by the specification of the protocol, party P_1 would output f(x, y ζ 1 ) = f(x l, y ζ 1 ) in the hybrid world. But since ζ 1 < l we have f(x l, y ζ 1 ) = 1 = f(x l, y ), and so P_1's output is identical in both the hybrid and ideal worlds.

This completes the proof of the claim.

The preceding claims along with Proposition 1 imply the theorem.

3.2 Handling any Function without an Embedded XOR

The protocol in the previous section, as described, applies only to the greater-than function on two equal-size domains X and Y. For the case of the greater-than function with X = Y + 1, the same protocol (with one small change) still works. Specifically, let X = {x_1, ..., x_{m+1}} and
Y = {y_1, ..., y_m} with f still defined as in Equation (1). Modify the protocol of Figure 2 so that if the end of the protocol is reached and P_1 holds input x_{m+1}, then P_1 outputs 1. Then the same proof as in the previous section shows that this protocol is also completely fair. (Adapting Claim 3 is immediate: the view of a malicious P_2 is simulated in the same way; as for the output of the honest P_1, the case when P_1 holds input x = x with < m + 1 is analyzed identically, and when x = x_{m+1} then P_1 outputs 1 no matter what in both the hybrid and ideal worlds. Adapting Claim 2 requires only a little thought to verify that the analysis in Case 2(b) still holds when = m + 1.)

We now show that the protocol can be applied to any function defined over polynomial-size domains that does not contain an embedded XOR. This is because any such function can be converted to the greater-than function as we now describe. Let g : X Y {0, 1} be a function that does not contain an embedded XOR, and let X = {x_1, ..., x_{m_1}} and Y = {y_1, ..., y_{m_2}}. It will be convenient to picture g as an m_1 m_2 matrix, where entry (, ) contains the value g(x, y ). Similarly, we can view any matrix as a function. We will apply a sequence of transformations to g that will result in a functionally equivalent function g, where by functionally equivalent we mean that g can be computed with perfect security (and complete fairness) in the g hybrid model (where g is computed by a trusted party with complete fairness). It follows that a secure and completely fair protocol for computing g yields a secure and completely fair protocol for computing g. The transformations are as follows:

1. First, remove any duplicate rows or columns in g. (E.g., if there exist and such that g(x, y) = g(x, y) for all y Y, then remove either row or row.) Denote the resulting function by g, and say that g (viewed as a matrix) has dimension m_1 m_2. It is clear that g is functionally equivalent to g.
2. We observe that no two rows (resp., columns) of g have the same Hamming weight.
To see this, notice that two non-identical rows (resp., columns) with the same Hamming weight would imply the existence of an embedded XOR in g, and hence an embedded XOR in g. Since the maximum Hamming weight of any row is m_2, this implies that m 1 m Applying the same argument to the columns shows that m_2 m_1 + 1, and so the number of rows is within 1 of the number of columns. Assume m_1 m_2; if not, we may simply take the transpose of g (which just has the effect of swapping the roles of the parties).
3. Order the rows of g in increasing order according to their Hamming weight. Order the columns in the same way. Once again this results in a function g that is functionally equivalent to g (and hence to g).

All the above transformations are efficiently computable since we are assuming that the initial domains X and Y are of polynomial size.

Given g resulting from the above transformations, there are now three possibilities (recall we assume that the number of rows is at least the number of columns):

1. Case 1: m 1 = m In this case the first row of g is an all-0 row and the last row is an all-1 row, and we exactly have an instance of the greater-than function with m 1 = m
2. Case 2: m_1 = m_2 and the first row of g is an all-0 row. Then we again have an instance of the greater-than function, except now with equal-size domains.
3. Case 3: m_1 = m_2 and the first row of g is not an all-0 row. In this case, the last row of g must be an all-1 row. Taking the complement of every bit in the matrix (and then reordering the rows and columns accordingly) gives a function that is still functionally equivalent to g and is exactly an instance of the greater-than function on equal-size domains.

We have thus proved:

Theorem 3.2 Let f be a two-input function defined over polynomial-size domains that does not contain an embedded XOR. Then, assuming the existence of general secure two-party computation with abort, there exists a protocol for securely computing f with complete fairness.

The assumption in the theorem is minimal, since the existence of even a secure-with-abort protocol for computing boolean OR implies the existence of oblivious transfer [24], which in turn suffices for constructing a secure-with-abort protocol for any polynomial-time functionality [23].

4 Fair Computation of Functions with an Embedded XOR

Recall that Cleve's result showing impossibility of completely fair coin tossing implies the impossibility of completely fair computation of boolean XOR. (More generally, it implies the impossibility of completely fair computation of any function f that enables coin tossing: i.e., any f such that a completely fair implementation of f suffices for coin tossing.) Given this, along with the fact that our result in the previous section applies only to functions that do not contain an embedded XOR, it is tempting to conjecture that no function containing an embedded XOR can be computed with complete fairness. In this section, we show that this is not the case and that there exist functions with an embedded XOR that can be computed with complete fairness. Interestingly, however, such functions appear to be more difficult to compute with complete fairness; specifically, we refer the reader to Section 5 where we prove a lower bound of ω(log n) on the round complexity of any protocol for completely fair computation of any function having an embedded XOR.
(Note that, in general, this bound is incomparable to the result of the previous section, where the round complexity was linear in the domain size.)

It will be instructive to see why Cleve's impossibility result does not immediately rule out complete fairness for all functions containing an embedded XOR. Consider the following function f (which is the example for which we will later prove feasibility):

y 1 y 2 x x x

If the parties could be forced to choose their inputs from {x_1, x_2} and {y_1, y_2}, respectively, then it would be easy to generate a fair coin toss from any secure computation of f (with complete fairness) by simply instructing both parties to choose their inputs uniformly from the stated domains. (This results in a fair coin toss since the output is uniform as long as either party chooses their input at random.) Unfortunately, a protocol for securely computing f does not restrict the first party to choosing its input in {x_1, x_2}, and cannot prevent that party from choosing input x_3 and thus biasing the result toward 1 with certainty. (Naive solutions such as requiring the first party to provide a zero-knowledge proof that it chose its input in {x_1, x_2} do not work either, since we still
need a way for, e.g., the second party to decide on their output in case the zero-knowledge proof of the first party fails.) Of course, this only shows that Cleve's impossibility result does not apply but does not prove that a completely fair protocol for computing f exists.

4.1 The Protocol

Preliminaries. In this section we present a generic protocol for computing a boolean function F = {f_n : X_n Y_n {0, 1}}. (For convenience, we write X and Y and drop the explicit dependence on n in what follows.) The protocol is parameterized by a function α = α(n), and the number of rounds is set to m = ω(α 1 log n) in order for correctness to hold with all but negligible probability. (We thus must have α noticeable to ensure that the number of rounds is polynomial in n.)

We do not claim that the protocol is completely fair for arbitrary functions F and arbitrary settings of α. Rather, we claim that for some functions F there exists a corresponding α for which the protocol is completely fair. In Section 4.2, we prove this for one specific function that contains an embedded XOR. In Appendix A we generalize the proof and show that the protocol can be used for completely fair computation of other functions as well.

Overview and intuition. As in the protocol of the previous section, the parties begin by running a preliminary phase during which values a_1, b_1, ..., a_m, b_m are generated based on the parties' respective inputs x and y, and shares of the {a, b } are distributed to each of the parties. (As before, this phase will be carried out using a standard protocol for secure two-party computation, where one party can abort the execution and prevent the other party from receiving any output.) As in the previous protocol, following the preliminary phase the parties exchange their shares one-by-one in a sequence of m iterations, with P_1 reconstructing a and P_2 reconstructing b in iteration. At the end of the protocol, P_1 outputs a_m and P_2 outputs b_m.
If a party (say, P_1) ever aborts, then the other party (P_2 in this case) outputs the last value it successfully reconstructed; i.e., if P_1 aborts before sending its iteration message, P_2 outputs b 1. (This assumes > 1. See the formal description of the protocol for further details.)

In contrast to our earlier protocol, however, the values a_1, b_1, ..., a_m, b_m are now generated probabilistically in the following way: first, a value {1,..., m} is chosen according to a geometric distribution with parameter α (see below), in a way such that neither party learns the value of. For <, the value a (resp., b ) is chosen in a manner that is independent of P_2's (resp., P_1's) input; specifically, we set a = f(x, ŷ) for randomly chosen ŷ Y (and analogously for b ). For all, the values a and b are set equal to f(x, y). Note that if m = ω(α 1 log n), we have a_m = b_m = f(x, y) with all but negligible probability and so correctness holds. (The protocol could also be modified so that a_m = b_m = f(x, y) with probability 1, thus giving perfect correctness. But the analysis is easier without this modification.)

Fairness is more difficult to see and, of course, cannot hold for all functions f since some functions cannot be computed fairly. But as intuition for why the protocol achieves fairness for certain functions, we observe that: (1) if a malicious party (say, P_1) aborts in some iteration <, then P_1 has not yet obtained any information about P_2's input and so fairness is trivially achieved. On the other hand, (2) if P_1 aborts in some iteration > then both P_1 and P_2 have received the correct output f(x, y) and fairness is obtained. The worst case, then, occurs when P_1 aborts exactly in iteration, as P_1 has then learned the correct value of f(x, y) while P_2 has not. However, P_1 cannot identify iteration with certainty, even if it knows the other party's input y! This is because P_1 can randomly receive the correct output value even in rounds <. Although the
ShareGen

Inputs: Let the inputs to ShareGen be x X and y Y. (If one of the received inputs is not in the correct domain, then both parties are given output.) The security parameter is n.

Computation:
1. Define values a_1, ..., a_m and b_1, ..., b_m in the following way:
Choose according to a geometric distribution with parameter α (see text).
For = 1 to 1 do: Choose ŷ Y and set a = f(x, ŷ). Choose x̂ X and set b = f(x̂, y).
For = to m, set a = b = f(x, y).
2. For 1 m, choose (a (1), a (2) ) and (b (1), b (2) ) as random secret sharings of a and b, respectively. (E.g., a (1) is random and a (1) a (2) = a.)
3. Compute k_a, k_b Gen(1^n). For 1 m, let t a = Mac k a ( a (2) ) and t b = Mac k b ( b (1) ).

Output:
1. Send to P_1 the values a^(1)_1, ..., a^(1)_m and (b^(1)_1, t^b_1), ..., (b^(1)_m, t^b_m), and the MAC-key k_a.
2. Send to P_2 the values (a^(2)_1, t^a_1), ..., (a^(2)_m, t^a_m) and b^(2)_1, ..., b^(2)_m, and the MAC-key k_b.

Figure 3: Functionality ShareGen, parameterized by a value α.

adversary may happen to guess correctly, the fact that it can never be sure whether its guess is correct is what allows us to prove fairness. (Recall, we define fairness via indistinguishability from an ideal world in which fairness is guaranteed. This intuition provides a way of understanding what is going on, but the formal proof does not exactly follow this intuition.)

Formal description of the protocol. The protocol is parameterized by a value α = α(n) which is assumed to be noticeable. Let m = ω(α 1 log n). As in the previous section, we use an m-time MAC with information-theoretic security. We also rely on a sub-protocol π computing a functionality ShareGen that generates shares (and associated MAC tags) for the parties; see Figure 3. (As before, π securely computes ShareGen with abort.) We continue to let a^(1)_1, b^(1)_1, a^(1)_2, b^(1)_2, ... denote the shares obtained by P_1, and let a^(2)_1, b^(2)_1, a^(2)_2, b^(2)_2, ... denote the shares obtained by P_2.

Functionality ShareGen generates a value according to a geometric distribution with parameter α.
This is the probability distribution on N = {1, 2,...} given by repeating a Bernoulli trial (with parameter α) until the first success. In other words, is determined by tossing a biased coin (that is heads with probability α) until the first head appears, and letting be the number of tosses performed. Note that neither party learns the value of. We use a geometric distribution for because it has the following useful property: for any, the probability that = conditioned on the event that is independent of (namely, Pr[ = ] = α). We remark that, as far as ShareGen is concerned, if > m then the exact value of is unimportant, and so ShareGen can be implemented in strict (rather than expected) polynomial time. In any case, our choice of m ensures that m with all but negligible probability.

Our second protocol calls ShareGen as a subroutine and then has the parties exchange their shares as in our first protocol. As discussed above, aborts are handled differently here in that a party also outputs the last value it reconstructed if the other party aborts. A formal description
of the protocol is given in Figure 4.

Protocol 2

Inputs: Party P_1 has input x and party P_2 has input y. The security parameter is n.

The protocol:
1. Preliminary phase:
(a) P_1 chooses ŷ Y uniformly at random, and sets a_0 = f(x, ŷ). Similarly, P_2 chooses x̂ X uniformly at random, and sets b_0 = f(x̂, y).
(b) Parties P_1 and P_2 run protocol π for computing ShareGen, using their respective inputs x and y, and security parameter n.
(c) If P_1 receives from the above computation, it outputs a_0 and halts. Likewise, if P_2 receives then it outputs b_0 and halts. Otherwise, the parties proceed to the next step.
(d) Denote the output of P_1 from π by a^(1)_1, ..., a^(1)_m, (b^(1)_1, t^b_1), ..., (b^(1)_m, t^b_m), and k_a.
(e) Denote the output of P_2 from π by (a^(2)_1, t^a_1), ..., (a^(2)_m, t^a_m), b^(2)_1, ..., b^(2)_m, and k_b.
2. For = 1,..., m do:
P_2 sends the next share to P_1:
(a) P_2 sends (a (2), t a ) to P_1.
(b) P_1 receives (a (2), t a ) from P_2. If Vrfy ka ( a (2), t a ) = 0 (or if P_1 received an invalid message, or no message), then P_1 outputs a 1 and halts.
(c) If Vrfy ka ( a (2), t a ) = 1, then P_1 sets a = a (1) a (2) (and continues running the protocol).
P_1 sends the next share to P_2:
(a) P_1 sends (b (1), t b ) to P_2.
(b) P_2 receives (b (1), t b ) from P_1. If Vrfy kb ( b (1), t b ) = 0 (or if P_2 received an invalid message, or no message), then P_2 outputs b 1 and halts.
(c) If Vrfy kb ( b (1), t b ) = 1, then P_2 sets b = b (1) b (2) (and continues running the protocol).
3. If all m iterations have been run, party P_1 outputs a_m and party P_2 outputs b_m.

Figure 4: Generic protocol for computing a function f.

4.2 Proof of Security for a Particular Function

Protocol 2 cannot guarantee complete fairness for all functions f. Rather, what we claim is that for certain functions f and particular associated values of α, the protocol provides complete fairness.
In this section, we prove security for the following function f:

y 1 y 2 x x x

This function has an embedded XOR, and is defined over a finite domain so that X_n = X = {x_1, x_2, x_3} and Y_n = Y = {y_1, y_2}. For this f, we set α = 1/5 in Protocol 2.
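The ShareGen functionality of Figure 3 and the share exchange of Figure 4, as an added Python simulation (not code from the paper): it shows what an honest P_2 outputs when P_1 stops sending or sends a modified share in a given iteration. Assumptions: the function table is a constructed one matching the description of f (XOR on the first two rows, an all-1 third row), a per-iteration one-time MAC over a prime field stands in for the m-time information-theoretic MAC, and all names are illustrative.

```python
import random

P = (1 << 61) - 1  # prime field for the stand-in one-time MAC (assumption)

# Constructed sample table: rows x1, x2 form an XOR over (y1, y2); row x3 is all 1.
F = {("x1", "y1"): 0, ("x1", "y2"): 1,
     ("x2", "y1"): 1, ("x2", "y2"): 0,
     ("x3", "y1"): 1, ("x3", "y2"): 1}
X, Y = ["x1", "x2", "x3"], ["y1", "y2"]


def mac(key, bit):
    """One-time MAC r*msg + s mod P; a fresh key per iteration binds the index."""
    r, s = key
    return (r * (bit + 1) + s) % P


def gen_keys(m, rng):
    # Slot 0 is unused so that iteration i uses keys[i]; r is never zero.
    return [(rng.randrange(1, P), rng.randrange(P)) for _ in range(m + 1)]


def share_gen(x, y, alpha, m, rng):
    """Trusted-party computation of ShareGen. i_star is returned only so the
    simulation can be checked; neither party learns it in the protocol."""
    i_star = 1
    while i_star <= m and rng.random() >= alpha:  # capped: any value above m behaves alike
        i_star += 1
    p1 = {"a1": [None], "b1": [None], "tb": [None], "ka": gen_keys(m, rng)}
    p2 = {"a2": [None], "ta": [None], "b2": [None], "kb": gen_keys(m, rng)}
    for i in range(1, m + 1):
        if i < i_star:   # values independent of the other party's input
            a_i = F[(x, rng.choice(Y))]
            b_i = F[(rng.choice(X), y)]
        else:            # from i_star on, both values are the real output
            a_i = b_i = F[(x, y)]
        a1, b2 = rng.randrange(2), rng.randrange(2)   # random XOR shares
        a2, b1 = a1 ^ a_i, b2 ^ b_i
        p1["a1"].append(a1); p1["b1"].append(b1)
        p1["tb"].append(mac(p2["kb"][i], b1))         # tag P1 forwards with b1
        p2["a2"].append(a2); p2["b2"].append(b2)
        p2["ta"].append(mac(p1["ka"][i], a2))         # tag P2 forwards with a2
    return p1, p2, i_star


def run_protocol(x, y, alpha, m, rng, abort_at=None, tamper_at=None):
    """Protocol 2 with an honest P2. P1 is honest, or sends nothing in iteration
    abort_at, or sends a flipped share in iteration tamper_at.
    Returns (last value P1 reconstructed, P2's output, i_star)."""
    a_val = F[(x, rng.choice(Y))]   # a_0, P1's fallback value
    b_val = F[(rng.choice(X), y)]   # b_0, P2's fallback value
    p1, p2, i_star = share_gen(x, y, alpha, m, rng)
    for i in range(1, m + 1):
        # P2 -> P1: share of a_i with its tag, verified under k_a.
        a2, ta = p2["a2"][i], p2["ta"][i]
        if mac(p1["ka"][i], a2) != ta:
            break                   # P1 keeps the previous value
        a_val = p1["a1"][i] ^ a2
        # P1 -> P2: share of b_i with its tag, verified under k_b.
        if abort_at == i:
            break                   # no message: P2 keeps the previous value
        b1, tb = p1["b1"][i], p1["tb"][i]
        if tamper_at == i:
            b1 ^= 1                 # modified share sent with the original tag
        if mac(p2["kb"][i], b1) != tb:
            break                   # verification fails: P2 keeps the previous value
        b_val = b1 ^ p2["b2"][i]
    return a_val, b_val, i_star


if __name__ == "__main__":
    for k in (None, 1, 5, 30):
        print("abort_at", k, "->", run_protocol("x1", "y2", 1 / 5, 60, random.Random(7), abort_at=k))
```

With α = 1/5 and 60 iterations, an early stop leaves P_2 holding a value computed from a random input for P_1, while any stop after the hidden index leaves both parties with f(x, y); a modified share is rejected and treated exactly like a missing message.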
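The three transformations of Section 3.2 and its closing case analysis, as an added Python example (not code from the paper): it rejects matrices with an embedded XOR and reduces any other 0/1 matrix to the greater-than matrix. Assumptions: Equation (1), which is not reproduced in this excerpt, is taken to give entry 1 exactly when the row index exceeds the column index; columns are sorted by decreasing Hamming weight so that the result equals that matrix literally (a relabeling of the second party's inputs); function names and sample matrices are constructed.

```python
def has_embedded_xor(M):
    """True if rows i, k and columns j, l exist with
    M[i][j] == M[k][l] != M[i][l] == M[k][j]."""
    rows, cols = len(M), len(M[0])
    for i in range(rows):
        for k in range(i + 1, rows):
            for j in range(cols):
                for l in range(j + 1, cols):
                    if (M[i][j] == M[k][l] and M[i][l] == M[k][j]
                            and M[i][j] != M[i][l]):
                        return True
    return False


def transpose(M):
    return [list(col) for col in zip(*M)]


def dedupe_rows(M):
    seen, out = set(), []
    for row in M:
        if tuple(row) not in seen:
            seen.add(tuple(row))
            out.append(list(row))
    return out


def weight_sorted(M):
    """Rows by increasing Hamming weight, columns by decreasing weight."""
    rows = sorted(M, key=sum)
    cols = sorted(transpose(rows), key=sum, reverse=True)
    return transpose(cols)


def greater_than(m1, m2):
    """Target matrix: entry (i, j) is 1 exactly when i > j."""
    return [[1 if i > j else 0 for j in range(m2)] for i in range(m1)]


def to_greater_than(M):
    """Return (reduced matrix, case number 1..3, whether the parties were swapped)."""
    if has_embedded_xor(M):
        raise ValueError("matrix contains an embedded XOR; the reduction does not apply")
    # Transformation 1: drop duplicate rows, then duplicate columns.
    G = dedupe_rows(M)
    G = transpose(dedupe_rows(transpose(G)))
    # Transformation 2: ensure at least as many rows as columns.
    swapped = len(G) < len(G[0])
    if swapped:
        G = transpose(G)
    # Transformation 3: order by Hamming weight.
    G = weight_sorted(G)
    m1, m2 = len(G), len(G[0])
    if m1 == m2 + 1:
        case = 1                      # all-0 first row, all-1 last row
    elif not any(G[0]):
        case = 2                      # equal sizes, all-0 first row
    else:
        case = 3                      # equal sizes: complement, then reorder
        G = weight_sorted([[1 - v for v in row] for row in G])
    if G != greater_than(m1, m2):
        raise AssertionError("unexpected shape after reduction")
    return G, case, swapped


if __name__ == "__main__":
    AND = [[0, 0], [0, 1]]
    OR = [[0, 1], [1, 1]]
    print(to_greater_than(AND))   # case 2
    print(to_greater_than(OR))    # case 3
```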
More informationDEFINING %COMPLETE IN MICROSOFT PROJECT
CelersSystems DEFINING %COMPLETE IN MICROSOFT PROJECT PREPARED BY James E Aksel, PMP, PMISP, MVP For Addtonal Informaton about Earned Value Management Systems and reportng, please contact: CelersSystems,
More informationGeneral Auction Mechanism for Search Advertising
General Aucton Mechansm for Search Advertsng Gagan Aggarwal S. Muthukrshnan Dávd Pál Martn Pál Keywords game theory, onlne auctons, stable matchngs ABSTRACT Internet search advertsng s often sold by an
More informationLoop Parallelization
  Loop Parallelzaton C52 Complaton steps: nested loops operatng on arrays, sequentell executon of teraton space DECLARE B[..,..+] FOR I :=.. FOR J :=.. I B[I,J] := B[I,J]+B[I,J] ED FOR ED FOR analyze
More informationBERNSTEIN POLYNOMIALS
OnLne Geometrc Modelng Notes BERNSTEIN POLYNOMIALS Kenneth I. Joy Vsualzaton and Graphcs Research Group Department of Computer Scence Unversty of Calforna, Davs Overvew Polynomals are ncredbly useful
More information2.4 Bivariate distributions
page 28 2.4 Bvarate dstrbutons 2.4.1 Defntons Let X and Y be dscrete r.v.s defned on the same probablty space (S, F, P). Instead of treatng them separately, t s often necessary to thnk of them actng together
More informationAn InterestOriented Network Evolution Mechanism for Online Communities
An InterestOrented Network Evoluton Mechansm for Onlne Communtes Cahong Sun and Xaopng Yang School of Informaton, Renmn Unversty of Chna, Bejng 100872, P.R. Chna {chsun,yang}@ruc.edu.cn Abstract. Onlne
More informationTHE DISTRIBUTION OF LOAN PORTFOLIO VALUE * Oldrich Alfons Vasicek
HE DISRIBUION OF LOAN PORFOLIO VALUE * Oldrch Alfons Vascek he amount of captal necessary to support a portfolo of debt securtes depends on the probablty dstrbuton of the portfolo loss. Consder a portfolo
More informationRiposte: An Anonymous Messaging System Handling Millions of Users
Rposte: An Anonymous Messagng System Handlng Mllons of Users Henry CorrganGbbs, Dan Boneh, and Davd Mazères Stanford Unversty Abstract Ths paper presents Rposte, a new system for anonymous broadcast messagng.
More informationMinimal Coding Network With Combinatorial Structure For Instantaneous Recovery From Edge Failures
Mnmal Codng Network Wth Combnatoral Structure For Instantaneous Recovery From Edge Falures Ashly Joseph 1, Mr.M.Sadsh Sendl 2, Dr.S.Karthk 3 1 Fnal Year ME CSE Student Department of Computer Scence Engneerng
More informationThe OC Curve of Attribute Acceptance Plans
The OC Curve of Attrbute Acceptance Plans The Operatng Characterstc (OC) curve descrbes the probablty of acceptng a lot as a functon of the lot s qualty. Fgure 1 shows a typcal OC Curve. 10 8 6 4 1 3 4
More informationThe Greedy Method. Introduction. 0/1 Knapsack Problem
The Greedy Method Introducton We have completed data structures. We now are gong to look at algorthm desgn methods. Often we are lookng at optmzaton problems whose performance s exponental. For an optmzaton
More informationMultiplePeriod Attribution: Residuals and Compounding
MultplePerod Attrbuton: Resduals and Compoundng Our revewer gave these authors full marks for dealng wth an ssue that performance measurers and vendors often regard as propretary nformaton. In 1994, Dens
More informationRing structure of splines on triangulations
www.oeaw.ac.at Rng structure of splnes on trangulatons N. Vllamzar RICAMReport 201448 www.rcam.oeaw.ac.at RING STRUCTURE OF SPLINES ON TRIANGULATIONS NELLY VILLAMIZAR Introducton For a trangulated regon
More informationEmbedding lattices in the Kleene degrees
F U N D A M E N T A MATHEMATICAE 62 (999) Embeddng lattces n the Kleene degrees by Hsato M u r a k (Nagoya) Abstract. Under ZFC+CH, we prove that some lattces whose cardnaltes do not exceed ℵ can be embedded
More informationEE201 Circuit Theory I 2015 Spring. Dr. Yılmaz KALKAN
EE201 Crcut Theory I 2015 Sprng Dr. Yılmaz KALKAN 1. Basc Concepts (Chapter 1 of Nlsson  3 Hrs.) Introducton, Current and Voltage, Power and Energy 2. Basc Laws (Chapter 2&3 of Nlsson  6 Hrs.) Voltage
More informationCompact CCA2secure Hierarchical IdentityBased Broadcast Encryption for Fuzzyentity Data Sharing
Compact CCA2secure Herarchcal IdenttyBased Broadcast Encrypton for Fuzzyentty Data Sharng Weran Lu 1, Janwe Lu 1, Qanhong Wu 1, Bo Qn 2, Davd Naccache 3, and Houda Ferrad 4 1 School of Electronc and
More informationINTERPRETING TRUE ARITHMETIC IN THE LOCAL STRUCTURE OF THE ENUMERATION DEGREES.
INTERPRETING TRUE ARITHMETIC IN THE LOCAL STRUCTURE OF THE ENUMERATION DEGREES. HRISTO GANCHEV AND MARIYA SOSKOVA 1. Introducton Degree theory studes mathematcal structures, whch arse from a formal noton
More informationGeneralizing the degree sequence problem
Mddlebury College March 2009 Arzona State Unversty Dscrete Mathematcs Semnar The degree sequence problem Problem: Gven an nteger sequence d = (d 1,...,d n ) determne f there exsts a graph G wth d as ts
More informationCHOLESTEROL REFERENCE METHOD LABORATORY NETWORK. Sample Stability Protocol
CHOLESTEROL REFERENCE METHOD LABORATORY NETWORK Sample Stablty Protocol Background The Cholesterol Reference Method Laboratory Network (CRMLN) developed certfcaton protocols for total cholesterol, HDL
More informationProductForm Stationary Distributions for Deficiency Zero Chemical Reaction Networks
Bulletn of Mathematcal Bology (21 DOI 1.17/s11538195174 ORIGINAL ARTICLE ProductForm Statonary Dstrbutons for Defcency Zero Chemcal Reacton Networks Davd F. Anderson, Gheorghe Cracun, Thomas G. Kurtz
More informationProject Networks With MixedTime Constraints
Project Networs Wth MxedTme Constrants L Caccetta and B Wattananon Western Australan Centre of Excellence n Industral Optmsaton (WACEIO) Curtn Unversty of Technology GPO Box U1987 Perth Western Australa
More informationAn Optimally Robust Hybrid Mix Network (Extended Abstract)
An Optmally Robust Hybrd Mx Network (Extended Abstract) Markus Jakobsson and Ar Juels RSA Laboratores Bedford, MA, USA {mjakobsson,ajuels}@rsasecurty.com Abstract We present a mx network that acheves effcent
More information+ + +   This circuit than can be reduced to a planar circuit
MeshCurrent Method The meshcurrent s analog of the nodeoltage method. We sole for a new set of arables, mesh currents, that automatcally satsfy KCLs. As such, meshcurrent method reduces crcut soluton to
More informationCombinatorial Agency of Threshold Functions
Combnatoral Agency of Threshold Functons Shal Jan Computer Scence Department Yale Unversty New Haven, CT 06520 shal.jan@yale.edu Davd C. Parkes School of Engneerng and Appled Scences Harvard Unversty Cambrdge,
More informationLinear Circuits Analysis. Superposition, Thevenin /Norton Equivalent circuits
Lnear Crcuts Analyss. Superposton, Theenn /Norton Equalent crcuts So far we hae explored tmendependent (resste) elements that are also lnear. A tmendependent elements s one for whch we can plot an / cure.
More information6. EIGENVALUES AND EIGENVECTORS 3 = 3 2
EIGENVALUES AND EIGENVECTORS The Characterstc Polynomal If A s a square matrx and v s a nonzero vector such that Av v we say that v s an egenvector of A and s the correspondng egenvalue Av v Example :
More informationFORMAL ANALYSIS FOR REALTIME SCHEDULING
FORMAL ANALYSIS FOR REALTIME SCHEDULING Bruno Dutertre and Vctora Stavrdou, SRI Internatonal, Menlo Park, CA Introducton In modern avoncs archtectures, applcaton software ncreasngly reles on servces provded
More informationTo Fill or not to Fill: The Gas Station Problem
To Fll or not to Fll: The Gas Staton Problem Samr Khuller Azarakhsh Malekan Julán Mestre Abstract In ths paper we study several routng problems that generalze shortest paths and the Travelng Salesman Problem.
More informationJ. Parallel Distrib. Comput.
J. Parallel Dstrb. Comput. 71 (2011) 62 76 Contents lsts avalable at ScenceDrect J. Parallel Dstrb. Comput. journal homepage: www.elsever.com/locate/jpdc Optmzng server placement n dstrbuted systems n
More informationInequality and The Accounting Period. Quentin Wodon and Shlomo Yitzhaki. World Bank and Hebrew University. September 2001.
Inequalty and The Accountng Perod Quentn Wodon and Shlomo Ytzha World Ban and Hebrew Unversty September Abstract Income nequalty typcally declnes wth the length of tme taen nto account for measurement.
More informationData Broadcast on a MultiSystem Heterogeneous Overlayed Wireless Network *
JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 24, 819840 (2008) Data Broadcast on a MultSystem Heterogeneous Overlayed Wreless Network * Department of Computer Scence Natonal Chao Tung Unversty Hsnchu,
More informationIdentityBased Encryption Gone Wild
An extended abstract of ths paper appeared n Mchele Bugles, Bart Preneel, Vladmro Sassone, and Ingo Wegener, edtors, 33rd Internatonal Colloquum on Automata, Languages and Programmng ICALP 2006, volume
More informationFormula of Total Probability, Bayes Rule, and Applications
1 Formula of Total Probablty, Bayes Rule, and Applcatons Recall that for any event A, the par of events A and A has an ntersecton that s empty, whereas the unon A A represents the total populaton of nterest.
More informationSecure Network Coding Over the Integers
Secure Network Codng Over the Integers Rosaro Gennaro Jonathan Katz Hugo Krawczyk Tal Rabn Abstract Network codng has receved sgnfcant attenton n the networkng communty for ts potental to ncrease throughput
More informationTools for Privacy Preserving Distributed Data Mining
Tools for Prvacy Preservng Dstrbuted Data Mnng hrs lfton, Murat Kantarcoglu, Jadeep Vadya Purdue Unversty Department of omputer Scences 250 N Unversty St West Lafayette, IN 479072066 USA (clfton, kanmurat,
More informationCalculation of Sampling Weights
Perre Foy Statstcs Canada 4 Calculaton of Samplng Weghts 4.1 OVERVIEW The basc sample desgn used n TIMSS Populatons 1 and 2 was a twostage stratfed cluster desgn. 1 The frst stage conssted of a sample
More informationBrigid Mullany, Ph.D University of North Carolina, Charlotte
Evaluaton And Comparson Of The Dfferent Standards Used To Defne The Postonal Accuracy And Repeatablty Of Numercally Controlled Machnng Center Axes Brgd Mullany, Ph.D Unversty of North Carolna, Charlotte
More informationNordea G10 Alpha Carry Index
Nordea G10 Alpha Carry Index Index Rules v1.1 Verson as of 10/10/2013 1 (6) Page 1 Index Descrpton The G10 Alpha Carry Index, the Index, follows the development of a rule based strategy whch nvests and
More informationAnswer: A). There is a flatter IS curve in the high MPC economy. Original LM LM after increase in M. IS curve for low MPC economy
4.02 Quz Solutons Fall 2004 MultpleChoce Questons (30/00 ponts) Please, crcle the correct answer for each of the followng 0 multplechoce questons. For each queston, only one of the answers s correct.
More informationOptimal Distributed Password Verification
Optmal Dstrbuted Password Verfcaton Jan Camensch IBM Research Zurch jca@zurch.bm.com Anja Lehmann IBM Research Zurch anj@zurch.bm.com Gregory Neven IBM Research Zurch nev@zurch.bm.com ABSTRACT We present
More informationJoe Pimbley, unpublished, 2005. Yield Curve Calculations
Joe Pmbley, unpublshed, 005. Yeld Curve Calculatons Background: Everythng s dscount factors Yeld curve calculatons nclude valuaton of forward rate agreements (FRAs), swaps, nterest rate optons, and forward
More informationProvably Secure Single Signon Scheme in Distributed Systems and Networks
0 IEEE th Internatonal Conference on Trust, Securty and Prvacy n Computng and Communcatons Provably Secure Sngle Sgnon Scheme n Dstrbuted Systems and Networks Jangshan Yu, Guln Wang, and Y Mu Center for
More informationEfficient Project Portfolio as a tool for Enterprise Risk Management
Effcent Proect Portfolo as a tool for Enterprse Rsk Management Valentn O. Nkonov Ural State Techncal Unversty Growth Traectory Consultng Company January 5, 27 Effcent Proect Portfolo as a tool for Enterprse
More informationImplementation of Deutsch's Algorithm Using Mathcad
Implementaton of Deutsch's Algorthm Usng Mathcad Frank Roux The followng s a Mathcad mplementaton of Davd Deutsch's quantum computer prototype as presented on pages  n "Machnes, Logc and Quantum Physcs"
More informationThe EigenTrust Algorithm for Reputation Management in P2P Networks
The EgenTrust Algorthm for Reputaton Management n P2P Networks Sepandar D. Kamvar Stanford Unversty sdkamvar@stanford.edu Maro T. Schlosser Stanford Unversty schloss@db.stanford.edu Hector GarcaMolna
More informationVRT012 User s guide V0.1. Address: Žirmūnų g. 27, Vilnius LT09105, Phone: (3705) 2127472, Fax: (3705) 276 1380, Email: info@teltonika.
VRT012 User s gude V0.1 Thank you for purchasng our product. We hope ths userfrendly devce wll be helpful n realsng your deas and brngng comfort to your lfe. Please take few mnutes to read ths manual
More informationFeature selection for intrusion detection. Slobodan Petrović NISlab, Gjøvik University College
Feature selecton for ntruson detecton Slobodan Petrovć NISlab, Gjøvk Unversty College Contents The feature selecton problem Intruson detecton Traffc features relevant for IDS The CFS measure The mrmr measure
More informationAvailabilityBased Path Selection and Network Vulnerability Assessment
AvalabltyBased Path Selecton and Network Vulnerablty Assessment Song Yang, Stojan Trajanovsk and Fernando A. Kupers Delft Unversty of Technology, The Netherlands {S.Yang, S.Trajanovsk, F.A.Kupers}@tudelft.nl
More informationImplied (risk neutral) probabilities, betting odds and prediction markets
Impled (rsk neutral) probabltes, bettng odds and predcton markets Fabrzo Caccafesta (Unversty of Rome "Tor Vergata") ABSTRACT  We show that the well known euvalence between the "fundamental theorem of
More informationExamensarbete. Rotating Workforce Scheduling. Caroline Granfeldt
Examensarbete Rotatng Workforce Schedulng Carolne Granfeldt LTH  MAT  EX   2015 / 08   SE Rotatng Workforce Schedulng Optmerngslära, Lnköpngs Unverstet Carolne Granfeldt LTH  MAT  EX   2015
More informationValue Driven Load Balancing
Value Drven Load Balancng Sherwn Doroud a, Esa Hyytä b,1, Mor HarcholBalter c,2 a Tepper School of Busness, Carnege Mellon Unversty, 5000 Forbes Ave., Pttsburgh, PA 15213 b Department of Communcatons
More informationNumber of Levels Cumulative Annual operating Income per year construction costs costs ($) ($) ($) 1 600,000 35,000 100,000 2 2,200,000 60,000 350,000
Problem Set 5 Solutons 1 MIT s consderng buldng a new car park near Kendall Square. o unversty funds are avalable (overhead rates are under pressure and the new faclty would have to pay for tself from
More informationA Secure PasswordAuthenticated Key Agreement Using Smart Cards
A Secure PasswordAuthentcated Key Agreement Usng Smart Cards Ka Chan 1, WenChung Kuo 2 and JnChou Cheng 3 1 Department of Computer and Informaton Scence, R.O.C. Mltary Academy, Kaohsung 83059, Tawan,
More informationNew bounds in BalogSzemerédiGowers theorem
New bounds n BalogSzemerédGowers theorem By Tomasz Schoen Abstract We prove, n partcular, that every fnte subset A of an abelan group wth the addtve energy κ A 3 contans a set A such that A κ A and A
More informationToday s class. Chapter 13. Sources of uncertainty. Decision making with uncertainty
Today s class Probablty theory Bayesan nference From the ont dstrbuton Usng ndependence/factorng From sources of evdence Chapter 13 1 2 Sources of uncertanty Uncertan nputs Mssng data Nosy data Uncertan
More informationWe are now ready to answer the question: What are the possible cardinalities for finite fields?
Chapter 3 Fnte felds We have seen, n the prevous chapters, some examples of fnte felds. For example, the resdue class rng Z/pZ (when p s a prme) forms a feld wth p elements whch may be dentfed wth the
More informationOn the Optimal Control of a Cascade of HydroElectric Power Stations
On the Optmal Control of a Cascade of HydroElectrc Power Statons M.C.M. Guedes a, A.F. Rbero a, G.V. Smrnov b and S. Vlela c a Department of Mathematcs, School of Scences, Unversty of Porto, Portugal;
More informationRESEARCH DISCUSSION PAPER
Reserve Bank of Australa RESEARCH DISCUSSION PAPER Competton Between Payment Systems George Gardner and Andrew Stone RDP 200902 COMPETITION BETWEEN PAYMENT SYSTEMS George Gardner and Andrew Stone Research
More informationNonlinear data mapping by neural networks
Nonlnear data mappng by neural networks R.P.W. Dun Delft Unversty of Technology, Netherlands Abstract A revew s gven of the use of neural networks for nonlnear mappng of hgh dmensonal data on lower dmensonal
More informationBandwdth Packng E. G. Coman, Jr. and A. L. Stolyar Bell Labs, Lucent Technologes Murray Hll, NJ 07974 fegc,stolyarg@research.belllabs.com Abstract We model a server that allocates varyng amounts of bandwdth
More informationInstitute of Informatics, Faculty of Business and Management, Brno University of Technology,Czech Republic
Lagrange Multplers as Quanttatve Indcators n Economcs Ivan Mezník Insttute of Informatcs, Faculty of Busness and Management, Brno Unversty of TechnologCzech Republc Abstract The quanttatve role of Lagrange
More informationLogistic Regression. Lecture 4: More classifiers and classes. Logistic regression. Adaboost. Optimization. Multiple class classification
Lecture 4: More classfers and classes C4B Machne Learnng Hlary 20 A. Zsserman Logstc regresson Loss functons revsted Adaboost Loss functons revsted Optmzaton Multple class classfcaton Logstc Regresson
More informationPowerofTwo Policies for Single Warehouse MultiRetailer Inventory Systems with Order Frequency Discounts
Powerofwo Polces for Sngle Warehouse MultRetaler Inventory Systems wth Order Frequency Dscounts José A. Ventura Pennsylvana State Unversty (USA) Yale. Herer echnon Israel Insttute of echnology (Israel)
More informationControl Charts for Means (Simulation)
Chapter 290 Control Charts for Means (Smulaton) Introducton Ths procedure allows you to study the run length dstrbuton of Shewhart (Xbar), Cusum, FIR Cusum, and EWMA process control charts for means usng
More informationABSTRACT. Categories and Subject Descriptors. General Terms. Keywords
On Desgnng IncentveCompatble Routng and Forwardng Protocols n Wreless AdHoc Networks An Integrated Approach Usng Game Theoretcal and Cryptographc Technques Sheng Zhong L (Erran) L Yanbn Grace Lu Yang
More informationAn Enhanced SuperResolution System with Improved Image Registration, Automatic Image Selection, and Image Enhancement
An Enhanced SuperResoluton System wth Improved Image Regstraton, Automatc Image Selecton, and Image Enhancement YuChuan Kuo ( ), ChenYu Chen ( ), and ChouShann Fuh ( ) Department of Computer Scence
More informationLatent Class Regression. Statistics for Psychosocial Research II: Structural Models December 4 and 6, 2006
Latent Class Regresson Statstcs for Psychosocal Research II: Structural Models December 4 and 6, 2006 Latent Class Regresson (LCR) What s t and when do we use t? Recall the standard latent class model
More informationL10: Linear discriminants analysis
L0: Lnear dscrmnants analyss Lnear dscrmnant analyss, two classes Lnear dscrmnant analyss, C classes LDA vs. PCA Lmtatons of LDA Varants of LDA Other dmensonalty reducton methods CSCE 666 Pattern Analyss
More informationTracker: Security and Privacy for RFIDbased Supply Chains
Tracker: Securty and Prvacy for RFIDbased Supply Chans ErkOlver Blass Kaoutar Elkhyaou Refk Molva EURECOM Sopha Antpols, France {blass elkhyao molva}@eurecom.fr Abstract The counterfetng of pharmaceutcs
More informationDiVA Digitala Vetenskapliga Arkivet
DVA Dgtala Vetenskaplga Arkvet http://umudvaportalorg Ths s a book chapter publshed n Hghperformance scentfc computng: algorthms and applcatons (ed Berry, MW; Gallvan, KA; Gallopoulos, E; Grama, A; Phlppe,
More informationStability, observer design and control of networks using Lyapunov methods
Stablty, observer desgn and control of networks usng Lyapunov methods von Lars Naujok Dssertaton zur Erlangung des Grades enes Doktors der Naturwssenschaften  Dr. rer. nat.  Vorgelegt m Fachberech 3
More informationRelay Secrecy in Wireless Networks with Eavesdropper
Relay Secrecy n Wreless Networks wth Eavesdropper Parvathnathan Venktasubramanam, Tng He and Lang Tong School of Electrcal and Computer Engneerng Cornell Unversty, Ithaca, NY 14853 Emal : {pv45, th255,
More informationPeriod and Deadline Selection for Schedulability in RealTime Systems
Perod and Deadlne Selecton for Schedulablty n RealTme Systems Thdapat Chantem, Xaofeng Wang, M.D. Lemmon, and X. Sharon Hu Department of Computer Scence and Engneerng, Department of Electrcal Engneerng
More information