On-Line/Off-Line Digital Signatures
(non-final version from 1994)

Shimon Even†   Oded Goldreich‡   Silvio Micali§

Abstract

A new type of signature scheme is proposed. It consists of two phases. The first phase is performed off-line, before the message to be signed is even known. The second on-line phase is performed once the message to be signed is known, and is supposed to be very fast. A method for constructing such on-line/off-line signature schemes is presented. The method uses one-time signature schemes, which are very fast, for the on-line signing. An ordinary signature scheme is used for the off-line stage.

In a practical implementation of our scheme, we use a variant of Rabin's signature scheme (based on factoring) and DES. In the on-line phase, all we use is a moderate amount of DES computation and a single modular multiplication. We stress that the costly modular exponentiation operation is performed off-line. This implementation is ideally suited for electronic wallets or smart cards.

A preliminary version appeared in the proceedings of Crypto89. On-Line/Off-Line Digital Signing has obtained patent protection under U.S. Patent No. 5,016,274. A final version of this work will appear in Journal of Cryptology. © Copyright 1996 by International Association for Cryptographic Research.
† Computer Science Department, Technion - Israel Institute of Technology, Haifa 32000, Israel. E-address:
‡ Computer Science Department, Technion - Israel Institute of Technology, Haifa 32000, Israel. E-address:
§ Laboratory for Computer Science, MIT - Massachusetts Institute of Technology, 545 Technology Square, Cam-
1 Introduction

Informally, in a digital signature scheme, each user U publishes a public key while keeping secret a secret key. U's signature of a message M is a value, depending on M and his secret key, such that U can (quickly) generate and anyone can (quickly) verify the validity of, using U's public key. However, it is hard to forge U's signatures without knowledge of his secret key. We stress that signing is a non-interactive process involving only the signer, and that one can sign arbitrarily many messages, with one pair of keys.

Many signature schemes are known by now. Based on various intractability assumptions, several schemes have been proved secure even against chosen message attack [8,1,12,19]. Unfortunately, in these schemes, the signing process is not sufficiently fast for some practical purposes. Furthermore, even more efficient schemes like RSA [16] and Rabin's scheme of [15], are considered too slow for many practical applications (e.g., electronic wallets [5,4]). In particular, these signature schemes require to perform modular exponentiation with large moduli as part of the signing process, and these in turn require many modular multiplications. Furthermore, these costly operations can start only once the message to be signed becomes known. Consequently, these signature schemes will become much more attractive if only a few (say, two or three) modular multiplications need to be performed after the message becomes known, while the more costly operations can be preprocessed. This leads to the notion of an on-line/off-line signature scheme.

A New Notion

To summarize, in many applications signatures have to be produced very fast once the message is presented. However, one can tolerate slower precomputations, provided that they do not have to be performed on-line (i.e., once the message to be signed is handed to the signer and while the verifier is waiting for the signature). This suggests the notion of an on-line/off-line signature scheme, in which the signing process can be broken into two phases. The first phase, performed off-line, is independent of the particular message to be signed; while the second phase is performed on-line, once the message is presented. We will be interested in on-line/off-line signature schemes in which the off-line stage is feasible (though relatively slow) and both on-line signing and verification are fast.

A General Construction

We present a general construction transforming an ordinary, digital signature scheme to an on-line/off-line one. This is done by properly combining three main ingredients:

1. An (ordinary) signature scheme;
2. A fast one-time signature scheme (i.e., a signature scheme known to be unforgeable, provided it is used to sign a single message);
3. A fast collision-free hashing scheme (i.e., a hashing scheme for which it is infeasible to find two strings which hash to the same value).

The essence of the construction is to use the ordinary signature scheme to sign (off-line) a randomly constructed instance of the information which enables one-time signature, and later to sign (on-line) the message using the one-time signature scheme which is typically very fast. The hashing scheme is most likely to be used in practice for compressing long messages into shorter tags, but it is not essential for the basic construction.

We present several practical implementations of the general scheme. In these implementations, we use a modification of Rabin's signature scheme [15] in the role of the ordinary signature scheme, and DES as a basis for a one-time signature scheme. The security of these implementations is based on the intractability of factoring large integers and the assumption that DES behaves like a random cipher. The only computations (possibly) required, in the on-line phase of the signing process, are applications of DES. Verification requires some DES computations (yet not too many) and a single modular multiplication. The costly modular computation, of extracting square roots modulo a large (e.g. 512-bit) composite integer with known factorization, is performed off-line. A reasonable choice of parameters allows to sign 100-bit tags using only 200 on-line DES computations (which can be performed much faster than exponentiation).

One-time Signature Schemes

One-time signature schemes play a central role in our construction of on-line/off-line signature schemes. This is due to the fact that they seem to offer a much faster signing process than ordinary signature schemes. The disadvantage of one-time signature schemes, namely the fact that the signing-key can only be used once, turns out to be irrelevant for our purposes.
A general method for constructing one-time signatures was proposed in the late 70's by Rabin [14] and several variants of it have appeared since (cf. [11]). Yet, a rigorous analysis of their security has never appeared. Furthermore, the known constructions can be improved in several respects. In particular, the length of the signatures can be decreased and the security of the schemes can be enhanced. We describe several techniques for achieving these goals. In particular, we observe that signing error-corrected encoding of messages requires the forger to come up with signatures of strings which are very different from the strings for which it has obtained signatures via a chosen message attack. This translates to enhanced security especially when the signature scheme in use is the one described in [14,11].

Security

To discuss, even informally, the issue of security, we need some terminology. A chosen message attack is an attempt of an adversary to forge a signature of a user after getting from him signatures to messages of the adversary's choice; in this scenario, the user behaves like an oracle which answers the adversary's queries. The adversary's choice of (message) queries may depend on the user's public key and the previous signatures the adversary has received. A known message attack
is an attempt of an adversary to forge a signature of a user after getting from him signatures to messages which are randomly selected in the message space. (These messages are selected independently of the adversary's actions.) In both cases (chosen and known message attacks), security means the infeasibility of forging a signature to any message for which the user has not supplied the signature (i.e., existential forgery in the terminology of [8]).

A sufficient condition for the resulting signature scheme to withstand chosen message attack is that both signature schemes used in the construction (i.e., (1) and (2)) do withstand such attacks. However, in particular implementations it suffices to require that these underlying schemes only withstand known message attack. This is demonstrated in the following theoretical result, where we use a signature scheme, secure against known message attack, both in the role of the ordinary signature scheme and in order to implement a one-time signature scheme. One-way hashing is not used at all. The resulting scheme is secure against chosen message attack. Hence we get

Theorem: Digital signature schemes that are secure against chosen message attack exist if and only if signature schemes secure against known message attack exist.

We remark that the above Theorem can be derived from Rompel's work by observing that the existence of a signature scheme secure against known message attack implies the existence of one-way functions, while the latter imply the existence of signature schemes which are secure against a chosen message attack [19]. However, this alternative proof is much more complex and is obtained via an impractical construction. Furthermore, the preliminary version of our work [6] (which includes a proof of the above theorem), predates Rompel's work [19].

Organization

Basic definitions concerning signature schemes are presented in Section 2. In Section 3, the general construction of on-line/off-line signature scheme is presented. The construction of one-time signature scheme is addressed in Section 4. Concrete implementations of the general scheme, which utilize different constructions of one-time signature schemes, are presented in Section 5. We conclude with a proof of the Theorem stated above (Sec. 6).

2 Some Basic Definitions

Following the informal presentation in the introduction, we recall the following definitions due to Goldwasser et. al. [8].

Signature schemes

Definition 1 (signature schemes): A signature scheme is a triplet, $(G,S,V)$, of probabilistic polynomial-time algorithms satisfying the following conventions:

Algorithm $G$ is called the key generator. There exists a polynomial, $k()$, called the key length, so that on input $1^n$, algorithm $G$ outputs a pair $(sk,vk)$ so that $sk,vk \in \{0,1\}^{k(n)}$.
The first element, $sk$, is called the signing key and the second element is the (corresponding) verification key.

Algorithm $S$ is called the signing algorithm. There exists a polynomial, $m()$, called the message length, so that on input a pair $(sk,M)$, where $sk \in \{0,1\}^{k(n)}$ and $M \in \{0,1\}^{m(n)}$, algorithm $S$ outputs a string called a signature (of message $M$ with signing-key $sk$). The random variable $S(sk,M)$ is sometimes written as $S_{sk}(M)$.

Algorithm $V$ is called the verification algorithm. For every $n$, every $(sk,vk)$ in the range of $G(1^n)$, every $M \in \{0,1\}^{m(n)}$ and every in the range of $S_{sk}(M)$, it holds that

(One may also require that V(M, vk, ) = 1 implies that is in the range of $S_{sk}(M)$ for a signing-key $sk$ corresponding to the verification-key $vk$. However, this intuitively appealing requirement is irrelevant to the real issues - in view of the security definitions which follow.)

Note that $n$ is a parameter which determines the lengths of the keys and the messages as well as the security of the scheme as defined below. We emphasize that the above definition does not say anything about the security of the signature scheme which is the focus of the subsequent definitions. We remark that signature schemes are defined to deal with messages of fixed and predetermined length (i.e., $m(n)$). Messages of different lengths are dealt with by one of the standard conventions. For example, shorter messages can always be padded to the desired length, and longer messages can be broken into many pieces each bearing an id relating the piece to the original message (e.g., the $i$th piece will contain a header reading that it is the $i$th piece out of $t$ pieces of message with a specific (randomly chosen) id number). Alternatively, longer messages can be hashed into the desired length by use of a collision-free hashing function. For more details see Section 3.3.

Types of attacks

Goldwasser et. al. discuss several types of attacks ranging in severeness from a totally non-adaptive one (in which the attacker only has access to the verification key) up to the most severe attack ever considered (i.e., chosen message attack, in which the attacker gets the verification-key and may get signatures to many messages of its choice). In this paper we discuss the chosen message attack as well as a special (and hence weak) form of known message attack (which we call random message attack).
Definition 2 (types of attacks):

A chosen message attack on a signature scheme $(G,S,V)$ is a probabilistic oracle machine that on input (a parameter) $1^n$ and (a verification-key) $vk$ also gets oracle access to $S_{sk}()$, where $(sk,vk)$ is in the range of $G(1^n)$. The (randomized) oracle $S_{sk}$ answers a query
$q \in \{0,1\}^{m(n)}$ with the random variable $S_{sk}(q) = S(sk,q)$. (For simplicity we assume that the same query is not asked twice.)

A random message attack on a signature scheme $(G,S,V)$ is a probabilistic oracle machine that on input $1^n$ and $vk$ also gets access to a random oracle that on query $i$ returns a pair $(r_i, S_{sk}(r_i))$, where $(sk,vk)$ is in the range of $G(1^n)$ and each of the $r_i$'s is uniformly and independently selected from $\{0,1\}^{m(n)}$.

The above definition does not refer to the complexity of the attacking machines. In our results we will explicitly specify the running-time of the attackers as well as the number of queries that they make (resp., number of signatures that they receive).

Success of attacks

Goldwasser et. al. also discuss several levels of successfulness of the (various) attacks, ranging from total forgery/breaking (i.e., ability to forge a signature for every message) up to existential forgery/breaking (i.e., ability to forge a signature for some message).

Definition 3 (success of attacks): Consider an attack on input parameter $1^n$ and a verification-key $vk$.

We say that an attack has resulted in existential forgery if it outputs a pair (M, ), so that $M \in \{0,1\}^{m(n)}$ and V(M, vk, ) = 1, and $M$ is different from all messages for which a signature has been handed over (by the signing oracle) during the attack.

We say that an attack has resulted in total forgery if it outputs a program for a time bounded¹ universal machine, $U$, so that V(M, vk, U( , M)) = 1 holds, for every $M \in \{0,1\}^{m(n)}$.

The above definition does not refer to the success probability of the attacking machines. In our results we will explicitly specify the success probability of the attackers. The probability will be taken over all possible $(sk,vk)$ pairs according to the distribution defined by $G(1^n)$, and over all internal coin flips of the attacking machines and the answering oracles.

Security definitions for signature schemes are derived from the above by combining a type of an attack with a type of forgery and requiring that such attacks, restricted to specified time bounds, fail to produce the specified forgery, except for with a specified probability. For example, consider the following standard definition.

¹ The time bound can be fixed to be a specific polynomial. Using padding arguments, one can show that the choice of the polynomial, as long as it is greater than - say - $n^2$, is immaterial (cf., [9]).
Definition 4 (standard definition of secure signature schemes): A signature scheme is said to be secure if every probabilistic polynomial-time chosen message attack succeeds in existential forgery with negligible probability.

(A function $f: \mathbb{N} \to \mathbb{N}$ is called negligible if for every polynomial $p()$ and all sufficiently large $n$'s it holds that $f(n) < 1/p(n)$.)

Notice that there is nothing sacred in the choice of polynomials as specification for the time-bound or success-probability. This choice is justified and convenient for a theoretical treatment of the various notions, but for deriving results concerning practical schemes one should prefer the more cumbersome alternative of specifying feasible time-bounds and noticeable success-probabilities.

3 The General Construction

Let us first define digital signature schemes with less stringent security properties. Namely,

Definition 5 A one-time signature scheme is a digital signature scheme which can be used to legitimately sign a single message. A one-time signature scheme is secure against known (resp., chosen) message attack (of certain time-complexity and success-probability) if it is secure against such attacks which are restricted to a single query.

Notice the analogy with a one-time pad, which allows one to send private messages securely as long as one does not use the secret pad twice. An early version of one-time signature was suggested by Rabin [14]. It required an exchange of messages between the signer and signee. Schemes which avoid such an exchange were suggested by Lamport, Diffie, Winternitz and Merkle; see [11]. In particular, a one-time signature scheme can be easily constructed using any one-way function. For further details see Section 4.

We believe that the importance of one-time signature schemes stems from their simplicity and the fact that they can be implemented very efficiently. Our construction demonstrates that one-time signatures can play an important role in the design of very powerful and useful signature schemes.

3.1 The Basic Scheme

Let $(G,S,V)$ denote an ordinary signature scheme and $(g,s,v)$ denote a one-time signature scheme. Below we describe our general on-line/off-line signature scheme. In our description we assume that the security parameter is $n$.

As our construction uses both a one-time signature scheme and an ordinary signature scheme, we will always attach the term "one-time" to terms such as "signing-key" and "verification-key" associated with the one-time signature scheme. Hopefully, this will help to avoid confusion.
Key Generation

The key generation for our on-line/off-line scheme coincides with the one of the ordinary scheme. Namely, the signer runs $G$ on input $1^n$ to generate a pair of matching verification and signing keys $(VK,SK)$. He announces his verification-key, $VK$, while keeping in secret the corresponding signing key, $SK$.

Off-Line Computation

The off-line phase consists of generating a pair of one-time signing/verifying keys, and producing an ordinary signature of the one-time verification key. Both one-time keys and the signature are stored for future use in the on-line phase. We stress that the off-line phase is performed independently of the message (to be later signed). Furthermore, the message may even not be determined at this stage. Following is a detailed description of the off-line phase. The signer runs algorithm $g$ on input $1^n$ to randomly select a one-time verification-key $vk$ and its associated one-time signing-key $sk$. (This pair of one-time keys is unlikely to be used again.) He then computes the signature of $vk$, using the ordinary signing algorithm $S$ with the key $SK$. Namely,

    $\stackrel{\rm def}{=} S_{SK}(vk)$

The signer stores the pair of one-time keys, $(vk,sk)$, as well as the "precomputed signature", .

On-Line Signing

The on-line phase is performed once a message to be signed is presented. It consists of retrieving a precomputed unused pair of one-time keys, and using the one-time signing-key to sign the message. The corresponding one-time verification key and the precomputed signature to the one-time verification key are attached to produce the final signature. Namely, to sign message $M$, the signer retrieves from memory the precomputed signature, and the pair $(vk,sk)$. He then computes a one-time signature

    $\stackrel{\rm def}{=} s_{sk}(M)$

The signature of $M$ consists of the triplet (vk, , ).

Verification

To verify that the triple (vk, , ) is indeed a signature of $M$ with respect to the verification-key $VK$, the verifier acts as follows. First, he uses algorithm $V$ to check that is indeed a signature of (the one-time verification-key) $vk$ with respect to the verification-key $VK$. Next, he checks, by running $v$, that is indeed a signature of $M$ with respect to the one-time verification-key $vk$. Namely, verification procedure amounts to evaluating the following predicate

    V_VK(vk, ) ∧ v_vk(M, )
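The three phases above, as an added example in Python that is not code from the paper. Assumptions: SHA-256 stands in for the one-way function, the one-time scheme is the basic two-strings-per-bit construction of Section 4.1, the ordinary scheme is a toy textbook RSA over constructed Mersenne primes (for illustration only, not secure), and all names such as `pre_sig`, `ots_sig` and `OnlineOfflineSigner` are hypothetical.

```python
import hashlib
import secrets

N_BYTES = 32   # n: length of each one-time secret string (assumed value)
M_BITS = 256   # one-time message length: a SHA-256 tag of the real message


def f(x: bytes) -> bytes:
    """One-way function stand-in. Assumption: SHA-256 (the paper uses DES)."""
    return hashlib.sha256(x).digest()


def tag_bits(message: bytes) -> list:
    """Hash the message to a fixed-length tag and return its bits."""
    d = hashlib.sha256(b"msg:" + message).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(M_BITS)]


# One-time scheme (g, s, v): basic construction, two secret strings per bit.
def g():
    sk = [(secrets.token_bytes(N_BYTES), secrets.token_bytes(N_BYTES))
          for _ in range(M_BITS)]
    vk = [(f(x0), f(x1)) for x0, x1 in sk]
    return sk, vk


def s(sk, message):
    # Signing only reveals stored strings: no modular arithmetic on-line.
    return [sk[i][bit] for i, bit in enumerate(tag_bits(message))]


def v(vk, message, ots_sig):
    bits = tag_bits(message)
    if len(vk) != M_BITS or len(ots_sig) != M_BITS:
        return False
    return all(f(z) == vk[i][bit]
               for i, (z, bit) in enumerate(zip(ots_sig, bits)))


# Ordinary scheme (G, S, V): toy RSA hash-and-sign. The primes are constructed
# (two Mersenne primes) so the block runs offline; never use them for real keys.
TOY_P, TOY_Q, TOY_E = 2**521 - 1, 2**607 - 1, 65537


def G():
    n = TOY_P * TOY_Q
    d = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))
    return (n, d), (n, TOY_E)                      # (SK, VK)


def vk_to_int(vk) -> int:
    """Hash the one-time verification-key before signing it (Section 3.3)."""
    h = hashlib.sha512(b"vk:" + b"".join(y0 + y1 for y0, y1 in vk))
    return int.from_bytes(h.digest(), "big")


def S(SK, vk):
    n, d = SK
    return pow(vk_to_int(vk), d, n)


def V(VK, vk, pre_sig):
    n, e = VK
    return (isinstance(pre_sig, int) and 0 <= pre_sig < n
            and pow(pre_sig, e, n) == vk_to_int(vk))


class OnlineOfflineSigner:
    def __init__(self):
        self.SK, self.VK = G()          # key generation = ordinary scheme's
        self.pool = []                  # precomputed (sk, vk, pre_sig) triples

    def offline(self, count=1):
        """Message-independent, slow part: run g and sign vk with S_SK."""
        for _ in range(count):
            sk, vk = g()
            self.pool.append((sk, vk, S(self.SK, vk)))

    def sign(self, message: bytes):
        """Fast part: consume one unused one-time key pair, never reuse it."""
        if not self.pool:
            raise RuntimeError("no precomputed one-time keys left")
        sk, vk, pre_sig = self.pool.pop()
        return vk, pre_sig, s(sk, message)


def verify(VK, message: bytes, signature) -> bool:
    """The predicate V_VK(vk, pre_sig) AND v_vk(M, ots_sig)."""
    vk, pre_sig, ots_sig = signature
    return V(VK, vk, pre_sig) and v(vk, message, ots_sig)


if __name__ == "__main__":
    signer = OnlineOfflineSigner()
    signer.offline(count=3)
    sig = signer.sign(b"transfer 10 units")
    print(verify(signer.VK, b"transfer 10 units", sig))
```

Popping the triple from the pool is what enforces the one-time property: signing a second message under the same one-time key would reveal further secret strings.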
Key, Message and Signature Lengths

Let us denote by $k()$ and $m()$ the key and message length functions for the ordinary signature scheme. Let $l: \mathbb{N} \to \mathbb{N}$ be a function bounding the length of the signature in the ordinary signature scheme, as a function of the parameter $n$ (rather than as function of the message length, $m(n)$). Similarly, we denote the corresponding functions for the one-time signature scheme by $k_1()$, $m_1()$ and $l_1()$, and the functions for the resulting on-line/off-line scheme by k(), m() and l(). Then, the following equalities hold

    k(n) = k(n)
    m(n) = k_1(n)
    m(n) = m_1(n)

Namely, the key-length of the on-line/off-line scheme equals the one of the ordinary scheme, whereas the message-length for the on-line/off-line scheme equals the one of the one-time scheme. In addition, the ordinary scheme must allow signatures to messages of length equal to the key-length of the one-time scheme. Efficiency improvements can be obtained by using collision-free hashing functions. This may allow setting $m(n) = n$ and dealing with longer messages by hashing, as well as allow m(n) k_1(n) and signing the one-time verification-key by hashing it first. For details see Subsection 3.3.

Finally, we remark that the length of the signatures produced by the resulting scheme grows linearly with the key-length of the one-time scheme, even in case hashing is used! Namely,

    l(n) = k_1(n) + l(n) + l_1(n)

3.2 Security

The basic on-line/off-line signature scheme can be proven secure against adaptive chosen message attacks provided that both the original schemes (i.e., the ordinary scheme $(G,S,V)$ and the one-time scheme $(g,s,v)$) are secure against chosen message attack. As usual in complexity-based cryptography, the above statement is not only valid in asymptotic terms but also has a concrete interpretation which is applicable to specific key lengths. Due to the practical nature of the current work, we take the uncommon approach of making this concrete interpretation explicit². Namely,

Lemma 1 Suppose that $Q,T: \mathbb{N} \to \mathbb{N}$ and : $\mathbb{N} \to \mathbb{R}$ are functions so that the resulting on-line/off-line signature scheme can be existentially broken, via a chosen Q()-message attack, in time T() and probability (). Then, for every $n \in \mathbb{N}$ at least one of the following holds:

The underlying one-time signature scheme can be existentially broken, via a chosen (single) message attack, with probability at least (n)/(2Q(n)) and within time $t_G(n) + T(n) + (t_g(n) + t_S(n) + t_s(n))\,Q(n)$, where $t_A(n)$ is a bound on the time complexity of algorithm $A$.

² This clearly results in a more cumbersome statement, but we believe that in the context of the current paper the price is worth paying.
The underlying ordinary signature scheme can be existentially broken, via a chosen $Q(n)$-message attack, with probability at least (n)/2 and within time $T(n) + (t_g(n) + t_s(n))\,Q(n)$.

The lemma is to be understood in the counter-positive. Namely, if both the underlying (ordinary and one-time) signature schemes cannot be broken within the parameters specified in the conclusion of the lemma then the on-line/off-line scheme cannot be broken within the parameters specified in the hypothesis.

Proof: Let us denote the resulting on-line/off-line signature scheme by $(G,S,V)$. Suppose that $F$ is a probabilistic algorithm which in time T() forges signatures of $(G,S,V)$, with success probability (n), via a chosen $Q(n)$-message attack. In the rest of the discussion we fix $n$ and consider the forged signature output by $F$ (at the end of its attack). This forged signature either uses a one-time verification-key, $vk$, which has appeared in a previous signature (supplied by the signer under the chosen message attack), or uses a one-time verification-key $vk$ which has not appeared previously. Thus, one of the following two cases occurs.

Case 1: With probability at least (n)/2, algorithm $F$ forms a new signature using a one-time verification-key used in a previous signature. In this case we use algorithm $F$ to construct an algorithm, $F_1$, forging signatures of the one-time signature scheme $(g,s,v)$. Loosely speaking, algorithm $F_1$ operates as follows. It creates an instance of the ordinary signature scheme and many additional instances of the one-time signature scheme. For all these instances, algorithm $F_1$ will be able to produce signatures. Algorithm $F_1$ will use the attacked instance of the one-time signature scheme in one of its responses to $F$. In case $F$ halts with a forged signature in which the attacked instance of the one-time scheme appears, then algorithm $F_1$ has succeeded in its attack. Details follow.

On input $vk$ and access to a chosen (single) message attack on the corresponding signing operator $s_{sk}$, algorithm $F_1$ proceeds as follows. Algorithm $F_1$ runs $G$ to obtain a pair of corresponding keys $(SK,VK)$ for the ordinary signature scheme. Without loss of generality, assume that $F$ always asks $Q(n)$ queries (i.e., messages to be signed). Algorithm $F_1$ uniformly selects an integer $i \in \{1,2,\ldots,Q(n)\}$, and invokes algorithm $F$ on input $VK$. (Motivating remark: algorithm $F_1$ will use the very instance it attacks in the $i$th message to be signed for $F$.)

In the sequel, $F_1$ supplies $F$ with signatures to messages of $F$'s choice. The signature to the $j$th message, denoted $M_j$, is produced as follows. If $j \neq i$, algorithm $F_1$ runs $g$ to generate a pair of one-time keys³, denoted $(sk_j,vk_j)$, and answers with the triplet $(vk_j, S_{SK}(vk_j), s_{sk_j}(M_j))$. Note that $F_1$ has no difficulty doing so since, having produced $SK$ and $sk_j$, it knows the required signing keys. In case $j = i$, algorithm $F_1$ uses the single message attack, which it is allowed, to obtain a signature to the message $M_i$ (relative to the verification-key $vk$). Using and the ordinary signing-key $SK$, algorithm $F_1$ supplies the required signature (vk, S_SK(vk), ).

³ We remark that it is very unlikely that $vk_j$ equals $vk$. Yet, if this happens then algorithm $F_1$ can use $sk_j$ (which it knows) in order to forge signatures, relative to $vk$ ($= vk_j$), to any message.
Eventually, with probability at least (n)/2, algorithm $F$ halts yielding a signature to a new message, denoted $M$, in which the one-time verification-key is identical to one of the one-time verification-keys which has appeared before. With probability $1/Q(n)$, conditioned on the event that such a forged signature is output by $F$, the forged signature output by $F$ uses the same one-time verification-key used in the $i$th signature, namely the one-time verification-key $vk$. Since $M \neq M_i$, algorithm $F_1$ obtains (and indeed outputs) a signature to a new message relative to the one-time verification-key $vk$. Hence, the attack on the one-time signature scheme succeeds with probability at least (n)/(2Q(n)). We observe that the time complexity of algorithm $F_1$ can be bounded by $t_G(n) + T(n) + Q(n)\,(t_g(n) + t_S(n) + t_s(n))$.

Case 2: With probability at least (n)/2, algorithm $F$ forms a new signature using a one-time verification-key not used in previous signatures. In this case we use algorithm $F$ to construct an algorithm, $F_2$, forging signatures of the ordinary signature scheme $(G,S,V)$. Loosely speaking, algorithm $F_2$ operates as follows. It creates many instances of the one-time signature scheme. For each of these instances, algorithm $F_2$ will be able to produce signatures. Algorithm $F_2$ will use the chosen message attack on the ordinary signature scheme to obtain signatures to these one-time verification-keys and using the corresponding one-time signing-keys $F_2$ will be able to supply $F$ with signatures to messages of its choice. In case $F$ halts with a forged signature in which a new instance of the one-time scheme appears, then algorithm $F_2$ has succeeded in its attack. Details follow.

On input $VK$ (and access to chosen message attack on the corresponding signing operator $S_{SK}$), algorithm $F_2$ invokes $F$ on input $VK$ and supplies $F$ with signatures to messages of $F$'s choice as follows. To supply a signature to the $j$th message, denoted $M_j$, algorithm $F_2$ starts by running $g$ to generate a pair of one-time keys, denoted $(sk_j,vk_j)$. Algorithm $F_2$ then uses the chosen message attack to obtain an ordinary signature, denoted ${}_j$, to $vk_j$ (relative to the ordinary verification-key $VK$) and replies with the triplet $(vk_j, {}_j, s_{sk_j}(M_j))$. (Note that $F_2$ has no difficulty producing $s_{sk_j}(M_j)$ since it knows the required signing key.)

Eventually, with probability at least (n)/2, algorithm $F$ yields a signature to a new message which contains an $S_{SK}$-signature of a one-time verification-key which has not appeared so far. In this case, algorithm $F_2$ obtains (and indeed outputs) a signature to a new message relative to the ordinary verification-key $VK$. Hence, the attack on the ordinary signature scheme succeeds with probability at least (n)/2. We observe that the time complexity of algorithm $F_2$ can be bounded by $T(n) + Q(n)\,(t_g(n) + t_s(n))$ and that it asks $Q(n)$ queries. The lemma follows. □

Remark: The chosen message attacks described in the above proof, both in Case 1 and Case 2, are oblivious of the corresponding verification-key. Hence, the resulting on-line/off-line signature scheme resists general chosen message attacks (which may depend on the corresponding verification-key), even if the underlying ordinary and one-time signature schemes only resist chosen message attacks which are oblivious of the corresponding verification-key.

Recalling the standard definition of security (i.e., Def. 4), we get
Theorem 1 The resulting on-line/off-line signature scheme is secure (in the standard sense) provided that the underlying ordinary and one-time signature schemes are secure.

3.3 Efficiency Considerations

The off-line computation, in our scheme, reduces to generating an instance of the one-time signature scheme and computing the signature of a single string (specifically, the one-time verification key) in the ordinary scheme. The on-line phase of the signing process merely requires applying the signing process of the one-time signature scheme. Hence, our on-line/off-line scheme is advantageous for the signer only if the signing algorithms of one-time signature schemes are much faster than signing algorithms of ordinary schemes. Indeed this seems to be the case if one uses the one-time signature schemes based on one-way functions, described in Section 4, and especially if DES is used as a one-way function.

In case the verification procedure in the ordinary signature scheme (and in the one-time signature scheme) is much faster than signing in the ordinary scheme, the entire on-line (signing and verification) process is sped-up. The condition (i.e., much faster verification) is satisfied in Rabin's scheme as well as in RSA when used with small verification exponent (e.g., 3). Hence, attractive implementation of the general scheme can be presented - see Section 5.

A major factor affecting the efficiency of the above scheme is the length of the strings to which the ordinary and one-time signing algorithms are applied. A standard practice used to reduce the time required for signing (as well as verification) is to use very fast hashing functions which map long strings into much shorter ones. These hashing functions have to be secure in the sense that it is hard to form collisions; namely, find two strings which are mapped by the function to the same image.⁴ Assuming the intractability of factoring (alternatively of extracting Discrete Logarithms), such functions can be constructed [3,8]. Yet, in practical implementations, one may use much faster hashing schemes. A typical example is the MD5 recently suggested by Rivest [17,18].

The security of a scheme which uses hashing can be proven in a way analogous to the proof of Lemma 1. Namely, one considers two cases: the case that a forged signature is formed using a hashed value which has appeared in previous signatures, and the case that such a hashed value does not appear in the forged signature. In the first case, we derive an algorithm which contradicts the collision-free property of the hashing function, whereas in the second case we proceed as in the proof of Lemma 1.

⁴ Actually, a lower level of security suffices for our purposes. Specifically, it suffices that the function is one-way hashing; namely, given a preimage to the function it is infeasible to find a different preimage which is mapped, under the hashing function, to the same image [12]. It is known that one-way hashing functions can be constructed using any one-way function [12,19], but this construction is very far from being practical.
3.4 A Remark

Most ordinary signing algorithms are based on the computational difficulty of integer factorization. Should some moderately faster factoring algorithm come about, then longer ordinary verification and secret keys will be necessary. This will cause a slowdown in the off-line stage, but not in the on-line one. Thus, our construction may become even more useful if ordinary signature schemes will become slower due to increasing security requirements.

4 One-Time Signature Schemes Based on One-Way Function

One-time signature schemes play a central role in our construction of on-line/off-line signature schemes. A general method for constructing one-time signatures has been known for a relatively long time; cf., [14,11]. Yet, a rigorous analysis of their security has never appeared. Furthermore, the known constructions can be improved - as shown below.

4.1 The Basic Construction

We start with the basic construction (of one-time signature schemes based on one-way functions). Let $f$ be a one-way function; namely, we assume that $f$ is polynomial-time computable but it is infeasible to invert $f$ with noticeable success probability (taken over the distribution resulting from applying $f$ to a uniformly chosen preimage). The signing-key consists of a sequence of $m$ pairs of $n$-bit long strings, $(x_1^0,x_1^1),\ldots,(x_m^0,x_m^1)$, and the verification-key consists of the result of applying the one-way function $f$ to each of the $2m$ strings (i.e., the verification-key consists of the sequence $(f(x_1^0),f(x_1^1)),\ldots,(f(x_m^0),f(x_m^1))$, where $f$ is the one-way function). To sign the message ${}_1 \cdots {}_m$, the signer reveals $x_1^{{}_1},\ldots,x_m^{{}_m}$, and the signee applies $f$ to the revealed strings and checks whether they match the corresponding strings in the verification-key. Loosely speaking, this scheme is secure since otherwise we get a way to invert the one-way function $f$. Further details will become obvious later.

4.2 Shortening the lengths of keys and signatures

A somewhat repelling property of the basic construction is that it uses very long keys and signatures. Additional ideas can be used to reduce these lengths. We start with an idea which is attributed in [11] to Winternitz. The idea is to use only $m+1$ strings, each of length $n$, instead of the $2m$ strings used above. The signing-key consists of a sequence of $m+1$ ($n$-bit long) strings, $x_0,x_1,\ldots,x_m$, and the verification-key consists of the sequence $f^m(x_0),f(x_1),\ldots,f(x_m)$, where $f^t(x)$ denotes the string resulting from $x$ by applying $f$ successively $t$ times. To sign the message ${}_1 \cdots {}_m$, the signer reveals the $x_i$'s for which ${}_i = 1$ as well as $y \stackrel{\rm def}{=} f^{\sum {}_i}(x_0)$. Verification is done in the obvious manner (i.e., applying $f$ to the supplied $x_i$'s and applying $f^{m - \sum {}_i}$ to $y$). Intuitively, the zero-component serves as an "accumulator" for the rest. To prove that the
signature scheme is secure we need to assume that $f$ is one-way also on the distribution obtained by iterating it up to $m$ times (cf., [9]). Details follow.

Another idea is to break the message to be signed into blocks and to use each block as an indicator determining how many times $f$ has to be applied to each of the individual strings in the signing-key so to form the signature. Note that in the previous construction, depending on the bits of the message to be signed, the function $f$ is applied between $m$ and $0$ times to $x_0$, and either once or not at all to each $x_i$, for $i \neq 0$. A precise description, which combines both ideas, follows.

Construction 1 (based on accumulator and block partition): Let $t: \mathbb{N} \to \mathbb{N}$ be an integer function so that 1 t(n) = poly(n) and $f: \{0,1\} \to \{0,1\}$ be a function, both computable in polynomial-time. We consider the following one-time signature scheme for message length function $m()$.

key generation: On input $1^n$, the key-generator uniformly selects $x_0,x_1,\ldots,x_{m/t} \in \{0,1\}^n$, where $m \stackrel{\rm def}{=} m(n)$ and $t \stackrel{\rm def}{=} t(n)$. The signing-key consists of these $x_i$'s, whereas the verification-key is

    $y \stackrel{\rm def}{=} f^{(2^t-1)(m/t)}(x_0),\ f^{2^t-1}(x_1),\ \ldots,\ f^{2^t-1}(x_{m/t})$.

signing: To sign a message $M \in \{0,1\}^m$, its $t$-bit long blocks, ${}_1,\ldots,{}_{m/t}$, are interpreted as integers⁵ and the signature

    $f^{\sum {}_i}(x_0),\ f^{2^t-1-{}_1}(x_1),\ \ldots,\ f^{2^t-1-{}_{m/t}}(x_{m/t})$

is computed.

verification: The components of the signature vector are subjected to the corresponding number of applications of $f$ and the result is compared to the verification-key. Namely, to verify that $(z_0,z_1,\ldots,z_{m/t})$ constitutes a signature to $M = ({}_1,\ldots,{}_{m/t})$ relative to the verification-key $y = (y_0,y_1,\ldots,y_{m/t})$, one computes

    $f^{(2^t-1)(m/t) - \sum {}_i}(z_0),\ f^{{}_1}(z_1),\ \ldots,\ f^{{}_{m/t}}(z_{m/t})$

and compares the resulting vector to the vector $y$.

Lemma 2 Suppose that $T: \mathbb{N} \to \mathbb{N}$ and : $\mathbb{N} \to \mathbb{R}$ are functions so that the above one-time signature scheme can be existentially broken, via a chosen (single) message attack, in time T() and probability (). Then, for every $n \in \mathbb{N}$ and some i (m/t)(2^t - 1) the function $f$ can be inverted on distribution $f^i(U_n)$ in time $T(n)$ and success probability (n)/((m/t) 2^{t+1}), where $U_n$ denotes a random variable uniformly distributed over $\{0,1\}^n$.

⁵ i.e., the string $0^t$ is interpreted as 0, the string $0^{t-1}1$ as 1, etc.
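Construction 1 as an added Python example, not code from the paper. Assumptions: SHA-256 stands in for the one-way function f (the paper uses DES), n = 256, m = 256 (the message is first hashed to a 256-bit tag), t = 4, and every function name is hypothetical. `check_blocks` reports the accumulator test and the per-block tests separately, which shows what the zero-component is for.

```python
import hashlib
import secrets

N_BYTES = 32               # n = 256 bits per secret string (assumed value)
M_BITS = 256               # m: message length after hashing to a tag
T = 4                      # t: bits per block (assumed value)
BLOCKS = M_BITS // T       # m/t blocks
TOP = 2**T - 1             # 2^t - 1, the largest block value


def f(x: bytes) -> bytes:
    """One-way function stand-in. Assumption: SHA-256 (the paper uses DES)."""
    return hashlib.sha256(x).digest()


def f_iter(x: bytes, times: int) -> bytes:
    """f applied successively `times` times."""
    for _ in range(times):
        x = f(x)
    return x


def blocks_of(message: bytes) -> list:
    """Hash to an m-bit tag and split it into m/t integers in 0..2^t-1."""
    tag = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return [(tag >> (M_BITS - T * (i + 1))) & TOP for i in range(BLOCKS)]


def keygen():
    sk = [secrets.token_bytes(N_BYTES) for _ in range(BLOCKS + 1)]
    vk = [f_iter(sk[0], TOP * BLOCKS)] + [f_iter(x, TOP) for x in sk[1:]]
    return sk, vk


def sign_blocks(sk, blocks):
    # z_0 accumulates the sum of the blocks; z_i sits 2^t-1-block_i steps
    # along the chain that starts at x_i.
    acc = f_iter(sk[0], sum(blocks))
    return [acc] + [f_iter(x, TOP - b) for x, b in zip(sk[1:], blocks)]


def check_blocks(vk, blocks, sig):
    """Return (accumulator_ok, components_ok) for a block vector."""
    if len(sig) != BLOCKS + 1 or len(blocks) != BLOCKS:
        return (False, False)
    if not all(0 <= b <= TOP for b in blocks):
        return (False, False)
    acc_ok = f_iter(sig[0], TOP * BLOCKS - sum(blocks)) == vk[0]
    comps_ok = all(f_iter(z, b) == y
                   for z, b, y in zip(sig[1:], blocks, vk[1:]))
    return (acc_ok, comps_ok)


def sign(sk, message: bytes):
    return sign_blocks(sk, blocks_of(message))


def verify(vk, message: bytes, sig) -> bool:
    return all(check_blocks(vk, blocks_of(message), sig))


def advance_component(sig, blocks, j, steps):
    """Anyone can apply f forward to a revealed z_j; that matches a block
    value lowered by `steps`. Only the accumulator z_0 rules this out,
    because a smaller block sum needs an earlier point on the x_0 chain."""
    new_blocks = list(blocks)
    new_blocks[j] -= steps
    new_sig = list(sig)
    new_sig[j + 1] = f_iter(sig[j + 1], steps)
    return new_blocks, new_sig


if __name__ == "__main__":
    sk, vk = keygen()
    sig = sign(sk, b"transfer 10 units")
    print(verify(vk, b"transfer 10 units", sig), len(sig) * N_BYTES, "bytes")
```

With these parameters a signature is 65 strings of 32 bytes, against 256 strings for the basic construction on the same 256-bit tag.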
In the statement of Lemma 2, as well as in all other lemmata in this section, we ignore the time required to compute the function $f$ (in the forward direction!). Namely, the inverting algorithm (of the conclusion) actually runs in time $T(n) + 2^t (m/t) T_f(n)$ (rather than $T(n)$), where $T_f$ denotes the complexity of computing $f$. This omission is justified since the additive term is negligible in all reasonable applications of such lemmata.

proof: Let $F$ be a probabilistic algorithm that existentially breaks the one-time scheme, via a chosen (single) message attack, in time $T()$ and probability $()$. Hence, for every $n \in \mathbb{N}$, with probability $(n)$, algorithm $F$ first asks for a signature of $M \in \{0,1\}^m$ and then produces a signature to $M' \neq M$. Let $M = b_1 \cdots b_{m/t}$ and $M' = c_1 \cdots c_{m/t}$. Then, one of the following two cases occurs.

Case 1: there exists an $j$ so that $b_j < c_j$. In this case we can use $F$ to invert $f$ on the $(2^t - 1 - b_j)$th iterate of $f$.

Case 2: $\sum_{j=1}^{m} b_j > \sum_{j=1}^{m} c_j$. In this case we can use $F$ to invert $f$ on the $(\sum b_j)$th iterate of $f$.

The actual inverting algorithm is similar in the two cases. On input $y$, the inverting algorithm selects $j = 0$ with probability $\frac{1}{2}$ and $j$ uniformly in $\{1, \ldots, (m/t)\}$ otherwise. In case $j = 0$, the algorithm selects $b$ uniformly in $\{1, \ldots, (m/t)2^t\}$, and otherwise $b$ is selected uniformly in $\{1, \ldots, 2^t\}$. Set $b \stackrel{\rm def}{=} (m/t)(2^t - 1) - b$ if $j = 0$ and $b \stackrel{\rm def}{=} 2^t - 1 - b$ otherwise. The verification-key is formed as in the key-generation, except that the $j$th component is $f^b(y)$. We invoke $F$ with this verification-key. With probability at least $\frac{(n)}{(m/t)\,2^{t+1}}$, algorithm $F$ asks for the signature that we can supply (i.e., the $j$th component is not smaller than $b$) and returns a signature of a message in which the $j$th component is smaller than $b$. This yields an inverse of $y$ under $f$, and the lemma follows. □

Remark: For $t = 1$, the statement of Lemma 2 is tight in the following sense. Any algorithm inverting $f$ with probability $(n)$ (in time $T(n)$) yields a ($mT(n)$-time) chosen message attack on the one-time signature scheme which existentially forges a signature with probability $1 - (1 - (n))^m$ $m(n)$ (for $(n)$ $1/m$). Hence, in case $t = 1$, the security loss of a factor $m$ is inevitable. Similarly, for general $t$ $1$, we get an inevitable loss of security by a $\frac{m}{t}$ factor.

4.3 Enhancing security by use of error-correcting codes

As just remarked, the security loss of a factor of $m/t$ in the above construction is inevitable. To avoid this loss, we need a new idea. Loosely speaking, the idea is to encode messages via a good error-correcting code and sign the encoded message rather than the original one. This idea stands in contrast to the common practice of trying to shorten the message to be signed. Yet, the moderate increase in the length of the message to be signed will provide a substantial benefit. The reason being that in order to forge a signature the adversary needs to invert the one-way function on many points rather than on a single one. For sake of simplicity, let us apply the idea first to the basic construction (of subsection 4.1).
Background on error-correcting codes

Definition 6 (error-correcting code [10]): A $(m(), m'(), d())$-code is an (efficiently computable) mapping, , of $m()$-bit long strings to $m'()$-bit long strings so that, for every two $x \neq y \in \{0,1\}^{m(n)}$,

$\mathrm{dist}((x), (y))$ $d(n)$

where $\mathrm{dist}(,)$ denotes the Hamming distance (i.e., number of mismatches) between and .

For our purposes, we don't require the code to have an efficient decoding algorithm. Hence, for our purposes, we can use random linear codes (i.e., a mapping defined by multiplication by a random $m$-by-$m'$ Boolean matrix). By the Gilbert-Varshamov bound [10, 20] a uniformly chosen $m$-by-$m'$ matrix defines a $(m, m', d)$-code with probability $1 - p$ provided that

$\sum_{i=1}^{d-1} \binom{\ }{i} < p \cdot 2^{m'-m+1}$

For example, we can set $m' = 2m$, $p = 2^{-m/2}$ and $d = m'$ where $H_2()$ $\frac{1}{4}$ ( $= \frac{1}{20}$ will do). (6) Alternatively, $m' = 3m$, $p = 2^{-m/2}$ and $d = m'$ where $H_2()$ $\frac{1}{2}$ ( $= \frac{1}{8}$ will do). For small values of $m'$ and $m$ larger values of are attainable by specially designed codes. For example, for $m = 79$ and $m' = 128$ there exists a code with distance $d = 15$ ( $> 0.117$), whereas for $m = 80$ and $m' = 160$ one gets $d = 23$ ( $> 0.143$) [10, Appendix A.1]. For $m = 128$, we use a code with distance $d = 13$ and codewords of length $m' = 185$, yielding $> 0.07$.

Basic scheme with error-correcting codes

Loosely speaking, to sign a message $M$ one first computes the codeword $C \stackrel{\rm def}{=} (M)$ and then signs $C$. In addition to verifying, as usual, that $C$ is properly signed, the verification procedure checks that $C$ indeed equals $(M)$. Hence, a chosen message attack needs to produce a signature to a string $C'$ that is not only different from $C$, but is also at distance at least $d$ from $C$.

Construction 2 (using error-correcting codes): Let $f: \{0,1\} \mapsto \{0,1\}$ be a one-way function and $: \{0,1\} \mapsto \{0,1\}$ be a $(m(), m'(), d())$-code. We consider the following one-time signature scheme for message length function $m()$.

key generation: On input $1^n$, the key-generator uniformly selects $x_1^0, x_1^1, \ldots, x_{m'}^0, x_{m'}^1 \in \{0,1\}^n$, where $m' \stackrel{\rm def}{=} m'(n)$. The signing-key consists of these $x_i^j$'s, whereas the verification-key is $f(x_1^0), f(x_1^1), \ldots, f(x_{m'}^0), f(x_{m'}^1)$.

signing: To sign a message $M \in \{0,1\}^m$, one computes ${}_1 \cdots {}_{m'} \stackrel{\rm def}{=} (M)$ and reveals $x_1^{{}_1}, \ldots, x_{m'}$ as the signature to $M$.

6 As usual, $H_2(x) \stackrel{\rm def}{=} -(x \log_2 x + (1-x) \log_2 (1-x))$ denotes the binary entropy function.
verification: The codeword $C = (M)$ is computed and the function $f$ is applied to the revealed strings. The result is checked against the corresponding strings in the verification-key.

Lemma 3 Suppose that $T: \mathbb{N} \mapsto \mathbb{N}$ and $: \mathbb{N} \mapsto \mathbb{R}$ are functions so that the above one-time signature scheme can be existentially broken, via a chosen (single) message attack, in time $T()$ and probability $()$. Then, for every $n \in \mathbb{N}$, the function $f$ can be inverted in time $T(n)$ and success probability $\frac{1}{2}\,(n)$, where $(n) \stackrel{\rm def}{=} \frac{d(n)}{m'(n)}$.

As a special case, we derive a bound for the security of the basic construction. Namely,

Corollary 4 Suppose that $T: \mathbb{N} \mapsto \mathbb{N}$ and $: \mathbb{N} \mapsto \mathbb{R}$ are functions so that the basic construction (of subsection 4.1) can be existentially broken, via a chosen (single) message attack, in time $T()$ and probability $()$. Then, for every $n \in \mathbb{N}$, the function $f$ can be inverted in time $T(n)$ and success probability $\frac{(n)}{2m(n)}$.

proof of Lemma 3: Let $F$ be a probabilistic algorithm that existentially breaks the one-time scheme, via a chosen (single) message attack, in time $T()$ and probability $()$. Hence, for every $n \in \mathbb{N}$, with probability $(n)$, algorithm $F$ first asks for a signature of $M \in \{0,1\}^m$ and then produces a signature to $M' \neq M$. Let $(M) = b_1 \cdots b_{m'}$ and $(M') = c_1 \cdots c_{m'}$. By definition of the code, $b_i \neq c_i$ for at least a fraction of the $i \in \{1, \ldots, m'\}$.

The inverting algorithm, $A$, operates as follows. On input $y$, algorithm $A$ uniformly selects $i \in \{1, \ldots, m'\}$ and $j \in \{0,1\}$. Next, $A$ forms a verification-key as in the key-generation, except that the $(2(i-1)+j)$st component is $y$, and invokes $F$ with this verification-key. With probability $\frac{1}{2}$, algorithm $F$ asks for the signature, to a message denoted $M$, that $A$ can supply. In this case, with probability $(n)$, algorithm $F$ returns a signature of a message $M'$ and with probability at least the $i$th bit of $(M')$ is different from the $i$th bit of $(M)$. This yields an inverse of $y$ under $f$, and the lemma follows. □

Scheme with block coding

We now combine the shortening ideas of subsection 4.2 with the coding idea just presented. In fact, we only use one of the shortening ideas; specifically, the partition of the binary string into $t$-bit long blocks. Each block is assigned a pair of strings in the signing-key (resp., verification-key). The partition into blocks fits very nicely with error-correcting codes, provided $m'$ $t2^t$. Namely, we partition the $m$-bit long message into $m/t$ blocks (each of length $t$) and encode these $m/t$ blocks using $m'/t$ blocks (each of length $t$). Our encoding scheme views the $m/t$ blocks as elements in $GF(2^t)$ specifying a polynomial of degree $(m/t) - 1$ over this field, and the codeword is the sequence of values this polynomial yields on $(m'/t)$ different elements of the field (hence the requirement $m'$ $t2^t$). This encoding, known as block-coding and specifically as BCH code, has the property that different messages (viewed as polynomials) are mapped to codewords that
agree on at most $(m/t) - 1$ values. Hence, the `block distance' between codewords corresponds to $(m' - m)/t$.

Construction 3 (based on block partition and coding): Let $t: \mathbb{N} \mapsto \mathbb{N}$ be an integer function so that $1$ $t(n) = \mathrm{poly}(n)$ and $m'(n)$ $t(n)2^{t(n)}$, and $f: \{0,1\} \mapsto \{0,1\}$ be a function, both computable in polynomial-time. We consider the following one-time signature scheme for message length function $m() < m'()$.

key generation: On input $1^n$, the key-generator uniformly selects $x_1^0, x_1^1, \ldots, x_{m'/t}^0, x_{m'/t}^1 \in \{0,1\}^n$, where $m' \stackrel{\rm def}{=} m'(n)$ and $t \stackrel{\rm def}{=} t(n)$. The signing-key consists of these $x_i^j$'s, whereas the verification-key is $f^{2^t-1}(x_1^0), f^{2^t-1}(x_1^1), \ldots, f^{2^t-1}(x_{m'/t}^0), f^{2^t-1}(x_{m'/t}^1)$.

signing: To sign a message $M \in \{0,1\}^m$, its $t$-bit long blocks, ${}_1, \ldots, {}_{m/t}$, are interpreted as elements in $GF(2^t)$ specifying a polynomial of degree $t - 1$ over the field (i.e., ${}_i$ is interpreted as the $i-1$st coefficient of the polynomial). The values of the polynomial at some $m'/t$ field elements are now interpreted as integers, denoted ${}_1, \ldots, {}_{m'/t} \in \{0, 1, \ldots, 2^t - 1\}$, and the signature $f^{{}_1}(x_1^0), f^{2^t-1-{}_1}(x_1^1), \ldots, f^{{}_{m'/t}}(x_{m'/t}^0), f^{2^t-1-{}_{m'/t}}(x_{m/t}^1)$ is computed.

verification: The polynomial and its values at the $m'/t$ points is constructed as above, the components of the signature vector are subjected to the corresponding number of applications of $f$ and the result is compared to the verification-key.

Lemma 5 Let $m'(n) = (1+)m(n)$, for some constant $> 0$. Suppose that $T: \mathbb{N} \mapsto \mathbb{N}$ and $: \mathbb{N} \mapsto \mathbb{R}$ are functions so that the above one-time signature scheme can be existentially broken, via a chosen (single) message attack, in time $T()$ and probability $()$. Then, for every $n \in \mathbb{N}$ and some $i$ $(2^t - 1)$ the function $f$ can be inverted on distribution $f^i(U_n)$ in time $T(n)$ and success probability (1+)2t(n), where $U_n$ denotes a random variable uniformly distributed over $\{0,1\}^n$.

proof: Using the same ideas as in the proofs of the last two lemmata. □

Remark: We can set $2^t = \frac{m'}{t}$ and $= 1$. Then, for $t$ $4$, we get security at least as in the basic construction while using keys and signatures which are only 4 times as large as those used in Construction 1. In general, the bound on success probability of attacks in the new construction is related to the bound in the basic construction by a factor of (1+)2 t, which is typically smaller than 1.
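Construction 2 and the distance argument of this subsection, as an added example (not code from the paper). It assumes truncated SHA-256 in place of $f$ and, instead of the long codes quoted above, the small [8,4,4] extended Hamming code as a $(4, 8, 4)$-code; the identity map gives the basic construction for comparison, and all function names are hypothetical.

```python
import hashlib
import secrets
from itertools import product

N_BYTES = 16  # n = 128-bit strings (demo size, an assumption)

# Generator matrix of the [8,4,4] extended Hamming code (assumed demo code):
# row i is the codeword of the message with only bit i set.
G = [
    [1, 0, 0, 0, 0, 1, 1, 1],
    [0, 1, 0, 0, 1, 0, 1, 1],
    [0, 0, 1, 0, 1, 1, 0, 1],
    [0, 0, 0, 1, 1, 1, 1, 0],
]
M_LEN, CODE_LEN = len(G), len(G[0])


def f(x):
    """Stand-in one-way function (assumption): SHA-256 truncated to n bits."""
    return hashlib.sha256(x).digest()[:N_BYTES]


def encode(bits):
    """Codeword = message row-vector times G over GF(2)."""
    if len(bits) != M_LEN:
        raise ValueError("message must have m bits")
    return [sum(b & g for b, g in zip(bits, col)) % 2 for col in zip(*G)]


def identity(bits):
    """No coding at all: signing these bits is the basic construction."""
    return list(bits)


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def min_distance(code):
    """Smallest distance between codewords of two distinct messages."""
    msgs = list(product([0, 1], repeat=M_LEN))
    return min(hamming(code(a), code(b)) for a in msgs for b in msgs if a != b)


def keygen(length):
    """One pair (x_i^0, x_i^1) per signed bit; verification key is f of each."""
    sk = [(secrets.token_bytes(N_BYTES), secrets.token_bytes(N_BYTES))
          for _ in range(length)]
    vk = [(f(x0), f(x1)) for x0, x1 in sk]
    return sk, vk


def sign(sk, bits, code=encode):
    """Reveal, for every codeword position, the string selected by its bit."""
    return [sk[i][c] for i, c in enumerate(code(bits))]


def verify(vk, bits, sig, code=encode):
    """The verifier recomputes the codeword itself, then checks each string."""
    word = code(bits)
    return len(sig) == len(word) and all(
        f(s) == vk[i][c] for i, (s, c) in enumerate(zip(sig, word)))


def preimages_missing(old_bits, new_bits, code=encode):
    """Strings still unrevealed after one signature that a signature on
    new_bits would need, i.e. points where f would have to be inverted."""
    return hamming(code(old_bits), code(new_bits))


if __name__ == "__main__":
    sk, vk = keygen(CODE_LEN)
    msg, other = [1, 0, 1, 1], [1, 0, 1, 0]   # constructed sample messages
    sig = sign(sk, msg)
    print("valid:", verify(vk, msg, sig), "reused:", verify(vk, other, sig))
    print("d with code:", min_distance(encode),
          "d without:", min_distance(identity))
    print("missing with code:", preimages_missing(msg, other),
          "without:", preimages_missing(msg, other, code=identity))
```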
4.4 Further enhancing security

The reader may note that in the enhanced security asserted in the previous subsection stems from the fact that when using a forging algorithm we have a better chance that it inverts the function on the desired component (provided that we choose the desired component at random). We did not take advantage of the fact that this forging algorithm inverts the function on many components. To do so we have to consider the problem of simultaneously inverting a one-way function on many images, and to show how this problem reduces to forging signatures in Constructions 2 and 3. Once this is done, the security of the signature scheme is based on the difficulty of inverting the function on many images, a task that may be more difficult than inverting the function on a single image. For example, time-probability trade-offs in exhaustive search for inverting a function are less favorable when one needs to invert the function on several instances (see Assumption 2 in the subsequent section).

Lemma 6 Suppose that $T: \mathbb{N} \mapsto \mathbb{N}$ and $: \mathbb{N} \mapsto \mathbb{R}$ are functions so that Construction 2 can be existentially broken, via a chosen (single) message attack, in time $T()$ and probability $()$. Let $k: \mathbb{N} \mapsto \mathbb{N}$ so that $k(n)$ $d(n)$. Then, for every $n \in \mathbb{N}$, the function $f$ can be simultaneously inverted on $k(n)$ images, in time $T(n)$ and success probability

$\left( \prod_{l=0}^{k(n)-1} \frac{d(n) - l}{2(m'(n) - l)} \right) (n)$

proof: Similar to the proof of Lemma 3. Fixing any $n \in \mathbb{N}$, the inverting algorithm, $A$, operates as follows. On input $y_1, \ldots, y_k$, algorithm $A$ uniformly selects $k$ different elements, denoted $i_1, i_2, \ldots, i_k$, in $\{1, \ldots, m'\}$ and $j_1, \ldots, j_k \in \{0,1\}$. Next, $A$ forms a verification-key as in the key generation, except that for every $l$ $k$ the $(2(i_l - 1) + j_l)$st component is $y_l$, and invokes the forging algorithm, $F$, with this verification-key. With probability $\frac{1}{2^k}$, algorithm $F$ asks for the signature, to a message denoted $M$, that $A$ can supply. In this case, with probability $(n)$, algorithm $F$ returns a signature of a message $M'$. With probability at least $\frac{d}{m'} \cdot \frac{d-1}{m'-1} \cdots \frac{d-k+1}{m'-k+1}$, the bit locations $i_1$ through $i_k$ of $(M')$ and $(M)$ are all in disagreement. This yields inverse of $y_1$ through $y_k$ under $f$, and the lemma follows. □

Using similar ideas, we get

Lemma 7 Let $m'(n) = (1+)m(n)$, for some constant $> 0$. Suppose that $T: \mathbb{N} \mapsto \mathbb{N}$ and
$: \mathbb{N} \mapsto \mathbb{R}$ are functions so that Construction 3 can be existentially broken, via a chosen (single) message attack, in time $T()$ and probability $()$. Let $k: \mathbb{N} \mapsto \mathbb{N}$ so that $k(n)$ $m(n)$ and $U_n$ denote a random variable uniformly distributed over $\{0,1\}^n$. Then, for every $n \in \mathbb{N}$ and some $i_1, \ldots, i_{k(n)}$ $(2^{t(n)} - 1)$ the function $f$ can be simultaneously inverted on $k(n)$ images, taken from the distributions $f^{i_1}(U_n)$ through $f^{i_{k(n)}}(U_n)$, in time $T(n)$ and success probability

1 Yl=0(1+ (l=m))2t(n)1ak(n)(n)

5 Concrete Implementations

We now suggest concrete implementations of our general on-line/off-line signature scheme offering fast on-line computations (both for signer and verifier). All the concrete implementation use Rabin's scheme [15] in role of the ordinary signature scheme and the DES as a one-way function used to construct a one-time signature scheme. The implementations differ by the construction they use for a one-time signature scheme. The constructions of one-time signature scheme used are those presented in the previous section.

5.1 The Ingredients

The ordinary signature scheme

In the role of the ordinary signature scheme we use a modification of Rabin's scheme [15]. In this modification, we use integers which are the product of two large (say 256 bits long) primes, one congruent to 3 modulo 8 and the other congruent to 7 modulo 8. For such an integer $N$ and for every integer $v \in Z_N$ (the multiplicative group modulo $N$) exactly one of the elements in the set $S_v \stackrel{\rm def}{=} \{v, -v, 2v, -2v\}$ is a square modulo $N$ (see [21, 8]). Moreover, each square modulo $N$ has exactly 4 distinct square roots mod $N$. Let us define the extended square root of $v$ modulo $N$, denoted $\mathrm{ext}\sqrt{v} \bmod N$, to be a distinguished square root modulo $N$ (say, the smallest one) of the appropriate member of $S_v$. Computing $\mathrm{ext}\sqrt{v} \bmod N$ is feasible if the factorization of $N$ is known, and is considered intractable otherwise.

The message space is associated with the elements of the above multiplicative group. Larger messages are first hashed into such an element. It is assumed that the message space satisfies the following condition: if $v \neq u$ then $S_v \cap S_u = \emptyset$. This can be enforced by using only values of the 2nd eighth of $Z_N$ (i.e., $\{v \in Z_N : \frac{N}{8} < v < \frac{N}{4}\}$).

Consider a user $A$, whose public-key is a modulo $N_A$. User $A$ alone knows the factorization of $N_A$. Signing message $M$, in the modified Rabin scheme, amounts to extracting an extended square root of $M$, modulo $N_A$. Anyone can verify that is a legitimate signature of $M$ by computing ${}^2 \bmod N_A$ and checking that it indeed belongs to the set $S_M$.

The scheme described so far is not secure against existential forgery. It is not clear whether this problem is really important to our application, nevertheless padding by a random suffix (cf., [15]) overcomes the obvious attack.
We assume that it is infeasible to break the modified Rabin scheme, even after a chosen message attack, when the integers which are used are the product of two large (say 256 bits long) primes.

The one-time signature scheme

For the one-time signature scheme, we use any of the constructions presented in Section 4. These constructions exhibit a trade-off between key and signature size, on one hand, and computation time and security on the other hand. In particular, we propose to use the DES algorithm as a one-way function $f(x) \stackrel{\rm def}{=} DES_x(M)$; that is, the value obtained by encrypting a standard message, $M$, using DES with key $x$.

The collision-free hashing scheme

In role of the collision-free hashing function we use any standard way of using DES in a hashing mode. (See, for example, [14].) Alternatively, one may use the recently suggested MD4 or MD5 (cf., [17, 18]). We recommend that $H$ maps arbitrarily long strings to 128-bit long strings (i.e., $m = 128$). For some applications, one may be content with $m = 64$.

5.2 Four Implementations

We now describe four versions of the concrete implementation. We start with a straightforward implementation of the general scheme with the modified Rabin scheme playing the role of the ordinary signature scheme and the DES as a one-way function used for a one-time signature scheme (as in the basic construction of Section 4). The other three implementations, differ from the first one only in the way in which the one-way function is used to construct a one-time signature scheme.

Implementation 1 The modified Rabin scheme, with primes of length 256, is used as the ordinary signature scheme. As one-time signature scheme, for message length $m = 128$, we use the basic construction of Section 4 with DES in role of the one-way function. Finally, fast collision-free hashing functions are used to hash arbitrarily long strings to $m$-bit strings.

The key-length for the one-time signature scheme is $2mn$, where in case of DES-based one-way function $n = 56$. The total length of the signature in the resulting on-line/off-line scheme is $3mn + 512$, which for our choice of parameters (i.e., $m = 128$ and $n = 56$) yields 22,016. The most time-consuming operation in the off-line signing phase is the computation of an ordinary signature in the modified Rabin scheme, which amount to extracting square roots modulo 256-bit primes. On-line signing only involves retrieving relevant information from memory. Verification amounts to $m$ DES computations, that may be performed in parallel, and a single multiplication modulo a 512-bit integer (i.e., verification in the modified Rabin scheme). The signatures and keys can be shortened by a factor of $t$ if we are willing to increase the number of DES computations by a factor of $2^t - 1$. For $t = 4$ this tradeoff seems worthwhile. Namely,
Implementation 2 The ordinary signature scheme and the collision-free hashing function are as in the previous implementation. As one-time signature scheme, for message length $m = 128$, we use Construction 1 (of Section 4), with $t = 4$. Again, DES is used in role of the one-way function.

Now, the key-length for the one-time signature scheme is $(1 + \frac{m}{t})n$, and total length of the signature in the resulting on-line/off-line scheme is thus $2(1 + \frac{m}{t})n + 512$. For our choice of parameters (i.e., $m = 128$, $t = 4$ and $n = 56$) we get signature length of 4,208. The number of DES operations increases by a factor of $2^t - 1 = 15$. However, the security of the current implementation is decreased by a factor of $\frac{2^t - 1}{t} = 3.75$. Improved security can be obtained by using Construction 3 as a basis for the one-time signature scheme. Namely,

Implementation 3 The ordinary signature scheme and the collision-free hashing function are as in the previous implementations. As one-time signature scheme, for message length $m = 120$, we use Construction 3 (of Section 4), with $m' = 160$ and $t = 5$. Again, DES is used in role of the one-way function.

Now, the key-length for the one-time signature scheme is $2\frac{m'}{t}n$, and the total length of the signature in the resulting on-line/off-line scheme is $4\frac{m'}{t}n + 512$. For our choice of parameters (i.e., $m = 120$, $m' = 160$, $t = 5$ and $n = 56$) we get signature length of 7,680. The number of DES operations is about three times as much as in the previous implementation. However, the security of the current implementation is even better than in Implementation 1. To get even better security we used Construction 2

Implementation 4 The ordinary signature scheme and the collision-free hashing function are as in the previous implementations. As one-time signature scheme, for message length $m = 120$, we use Construction 2 (of Section 4), with $m' = 185$ and $d = 13$. Again, DES is used in role of the one-way function.

Now, the key-length for the one-time signature scheme is $2m'n$, and total length of the signature in the resulting on-line/off-line scheme is thus $3m'n + 512$. For our choice of parameters (i.e., $m = 128$, $m' = 185$ and $n = 56$) we get signature length of 31,592. The number of DES operations is 185 (instead of 128 in Implementation 1).

The complexity bounds for the four implementations are tabulated below (for the choice of parameters specified above). For the reader's convenience we also present the relative security of these implementations. The security figures are upper bound on the success probability of some reasonably restricted attacks fully described and analyzed below. (Hence, the lower the
security-figures are - the better.)

[Table: message len., key len., signature len., DES operations and security, for implem. 1, implem. 2, implem. 3 and implem. 4]

Security

Our analysis is based on two assumptions. The first is that it in practically infeasible to existentially forge signatures to the modified Rabin scheme, even after a chosen message attack. In other words, we assume that the probability that such a practical attack succeeds is negligible and hence we ignore it all together. Our second assumptions is that the DES-based one-way function cannot be inverted better than by exhaustive search (in the $\{0,1\}^{56}$ key space), and, furthermore, that it behaves as a random function over a domain with $2^{56}$ elements. A more accurate statement follows. We stress that this assumption is not in contradiction with the current knowledge concerning the cryptanalysis of DES [2].

By the proof of Lemma 1, a breach of security in the on-line/off-line scheme yields either a breach of security in the modified Rabin scheme or a breach of security in the one-time scheme. We stress that this lemma asserts that if the on-line/off-line scheme is broken with probability $(n)$ then either Rabin's scheme is broken with probability $(n)/2$ (within the same time and query complexities) or, with probability $(n)/2$, one of the instances of the one-time scheme is broken. Assuming that a breach of security in the modified Rabin scheme is infeasible, we ignore the first possibility and are left with the second. Before continuing, we now explicitly state our assumption concerning the security of the DES-based one-way function.

Assumption 1 Let $D \stackrel{\rm def}{=} 2^{56}$ denote the number of elements in the domain of the DES-based one-way function. Then, a randomized algorithm running in time that allows making only $T$ DES evaluations, succeeds in inverting the DES-based function on a given image, with probability at most $\frac{T}{D}$.

We start by evaluating the security of the first implementation presented above (i.e., Implementation 1). Combining Assumption 1, Lemma 1 and Corollary 4, we conclude that a chosen $Q$-message attack of time $T$ succeeds in existential forgery with probability at most $\frac{T(2mQ)}{D}$. In realistic implementations at most $Q = 10{,}000$ messages are likely to be signed and each is of length $m = 128$. Let $R \stackrel{\rm def}{=} Qm$ $1.3 \cdot 10^6$. Thus, the success probability of an attack which asks for $Q$ messages to be signed and runs in time allowing $T$ DES computations is bounded by 2TR D22
SOME PROPERTIES OF FIBER PRODUCT PRESERVING BUNDLE FUNCTORS Ivan Kolář Abstract. Let F be a fiber product preserving bundle functor on the category FM m of the proper base order r. We deduce that the r-th
More informationNEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES
NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES Ounasser Abid 1, Jaouad Ettanfouhi 2 and Omar Khadir 3 1,2,3 Laboratory of Mathematics, Cryptography and Mechanics, Department of Mathematics, Fstm,
More informationSponsorship opportunities
Sponsorship opportunities 1. Show bags - $9,500+GST 2. Lanyards - $9,500+GST 3. Central Bar - $15,000+GST 4. Registration & Badge - $12,000+GST 5. Digital Signage - $1,000+GST 6. Speaker Series Partner
More informationPay and Conditions Circular (M&D) 1/2015
20 March 2015 Pay and Conditions Circular (M&D) 1/2015 Pay award for hospital medical and dental staff, doctors and dentists in public health, the community health service and salaried primary dental care
More informationESNV. Runways: Runway 10 Takeoff length: 1502, Landing length: 1502 Runway 28 Takeoff length: 1502, Landing length: 1260
ESNV irport information: ountry: Sweden ity: oordinates: N 64 34.7', E016 50.4 Elevation: 1140 ustoms: Fuel: 100LL, Jet 1 RFF: T 4 during SKE TF, other times O/R hours: See NOTM Runways: Runway 10 Takeoff
More informationCapital Expenditure Reporting Requirements For Major Spending Commitments
Capital Expenditures A Guide to Minnesota Capital Expenditure Reporting Minnesota Statute 62J.17 Health care providers in Minnesota are required to report all major capital spending commitments of one
More information226 ежглеяис тгс йубеямгсеыс (теувос деутеяо) 80 90 : 3 CxHy CO2 H2O. CxHy + (x+y/4) O2 xco2 + y/2 H2O + Q () CO ( ).
226 ежглеяис тгс йубеямгсеыс (теувос деутеяо) I 80 90 1 / / 1 (C) ( 2 ) CO 2 2 21 % 79 % 3 CxHy CO2 H2O CxHy + (x+y/4) O2 xco2 + y/2 H2O + Q () 4 CO2 ( ) 5 CO2 ( ) CO ( ) 6 1atm 100C 7 8 ( ) 9 10 11 12
More informationFactoring Algorithms
Factoring Algorithms The p 1 Method and Quadratic Sieve November 17, 2008 () Factoring Algorithms November 17, 2008 1 / 12 Fermat s factoring method Fermat made the observation that if n has two factors
More informationDesign Strategies for High Availability: Accommodating In-Vessel Piping Services and Auxiliary Systems
3 rd IAEA-DEMO Program workshop 11-14 May 2015 Design Strategies for High Availability: Accommodating In-Vessel Piping Services and Auxiliary Systems Tom Brown Princeton Plasma Physics Laboratory All fusion
More informationAn Introductory Course in Elementary Number Theory. Wissam Raji
An Introductory Course in Elementary Number Theory Wissam Raji 2 Preface These notes serve as course notes for an undergraduate course in number theory. Most if not all universities worldwide offer introductory
More informationthe recursion-tree method
the recursion- method recurrence into a 1 recurrence into a 2 MCS 360 Lecture 39 Introduction to Data Structures Jan Verschelde, 22 November 2010 recurrence into a The for consists of two steps: 1 Guess
More informationGREEN CHICKEN EXAM - NOVEMBER 2012
GREEN CHICKEN EXAM - NOVEMBER 2012 GREEN CHICKEN AND STEVEN J. MILLER Question 1: The Green Chicken is planning a surprise party for his grandfather and grandmother. The sum of the ages of the grandmother
More informationTHE TIME VALUE OF MONEY
QUANTITATIVE METHODS THE TIME VALUE OF MONEY Reading 5 http://proschool.imsindia.com/ 1 Learning Objective Statements (LOS) a. Interest Rates as Required rate of return, Discount Rate and Opportunity Cost
More informationfun www.sausalitos.de
O ily i f www.lit. Ctt. Cy... 4 5 Rtt... 6 7 B... 8 11 Tt... 12 13 Pt... 14 15. 2 Ctt. Cy. Rtt. B. Tt. Pt Ctt. Cy. Rtt. B. Tt. Pt. 3 Ti t f vyy lif, ity viti. AUALITO i l t t fi, t ty, t t, jy ktil jt
More information5.1 Simple and Compound Interest
5.1 Simple and Compound Interest Question 1: What is simple interest? Question 2: What is compound interest? Question 3: What is an effective interest rate? Question 4: What is continuous compound interest?
More informationwww.ms-biotech.wisc.edu
S M A T - S TR ATEGY T MS I k W - k T S Y C 2005 P M H I INNOVAT ION T MS T - z k k k M F-S C 2008 S P D S C D I T M S k - z q k S - x M S U W- M D D MS k I / Y k Y x z x T MS N A qk R T MS 30 T k x x
More informationSales and operations planning (SOP) Demand forecasting
ing, introduction Sales and operations planning (SOP) forecasting To balance supply with demand and synchronize all operational plans Capture demand data forecasting Balancing of supply, demand, and budgets.
More informationVEHICLE IDENTIFICATION, SERIAL NUMBER FRAME STAMP AND VEHICLE DATA PLATE LOCATIONS
TAYLOR-DUNN 2114 WEST BALL ROAD ANAHEIM, CA 92804 DOCUMENT #: BUL-08-02-004 DATE: 2/14/2008 REVISION: A VEHICLE IDENTIFICATION, SERIAL NUMBER FRAME STAMP AND VEHICLE DATA PLATE LOCATIONS This document
More informationSS7 Protocol Stack. SS7 Level 1: Physical Connection. SS7 Level 2: Data Link CHAPTER
CHATER 3 This chapter describes the components of the SS7 protocol stack. A stack is a set of data storage locations that are accessed in a fixed sequence. The SS7 stack is compared against the Open Systems
More informationDie ganzen zahlen hat Gott gemacht
Die ganzen zahlen hat Gott gemacht Polynomials with integer values B.Sury A quote attributed to the famous mathematician L.Kronecker is Die Ganzen Zahlen hat Gott gemacht, alles andere ist Menschenwerk.
More informationExecutive Head (Governance & Logistics) Spot Salary 3. Strategic Procurement Project Manager Spot Salary 4
Governance and Logistics Executive Director (Spot Salary 2) Tom Horwood Executive Head (Governance & Logistics) Spot Salary 3 (Property) () (Revenues and Benefits) (Human Resources) (Customer and Support
More informationGULF COAST COOPERATIVE ECOSYSTEM STUDIES UNIT
GULF COAST COOPERATIVE ECOSYSTEM STUDIES UNIT AMENDMENT FOUR to COOPERATIVE and JOINT VENTURE AGREEMENT between U.S. DEPARTMENT OF THE INTERIOR Bureau of Land Management U.S. Geological Survey National
More informationChapter Two. Determinants of Interest Rates. McGraw-Hill /Irwin. Copyright 2001 by The McGraw-Hill Companies, Inc. All rights reserved.
Chapter Two Determinants of Interest Rates Interest Rate Fundamentals Nominal interest rates - the interest rate actually observed in financial markets directly affect the value (price) of most securities
More informationPay and Conditions Circular (M&D) 1/2016
30 March 2016 Pay and Conditions Circular (M&D) 1/2016 Pay award for hospital medical and dental staff, doctors and dentists in public health, the community health service and salaried primary dental care
More informationBy reversing the rules for multiplication of binomials from Section 4.6, we get rules for factoring polynomials in certain forms.
SECTION 5.4 Special Factoring Techniques 317 5.4 Special Factoring Techniques OBJECTIVES 1 Factor a difference of squares. 2 Factor a perfect square trinomial. 3 Factor a difference of cubes. 4 Factor
More informationDesigning public private crop insurance in Finland
Designing public private crop insurance in Finland Liesivaara 1, P., Meuwissen 2, M.P.M. and Myyrä 1, S 1 MTT Agrifood Research Finland 2 Business Economics, Wageningen University, the Netherlands Abstract
More informationRSA Encryption. Tom Davis tomrdavis@earthlink.net http://www.geometer.org/mathcircles October 10, 2003
RSA Encryption Tom Davis tomrdavis@earthlink.net http://www.geometer.org/mathcircles October 10, 2003 1 Public Key Cryptography One of the biggest problems in cryptography is the distribution of keys.
More informationRosemount 1199 Submersible Seal
Product Data Sheet July 2013 00813-0400-4016, Rev AA The Rosemount Submersible Seal design uses innovative DP level technology to measure level for top-down applications. For this design, the seal and
More informationCryptography and Network Security
Cryptography and Network Security Fifth Edition by William Stallings Chapter 9 Public Key Cryptography and RSA Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared
More informationGRUNDFOS INDUSTRY. Grundfos Immersible Pumps
GRUNDFOS INDUSTRY Grundfos immersible pumps a complete and versatile range Universal flange connctions DIN JEM ANSI JIS Plug connector (Harting) () () Suitable for a variety of industrial applications
More informationEducators Workshop in Solar Energy, Energy Auditing and Lighting Technologies
Educators Workshop in Solar Energy, Energy Auditing and Lighting Technologies V1.1 I. PROJECT BACKGROUND As part of the Inter-American Development Bank (IDB) sponsored BRIDGE (Building capacity and Regional
More informationImproved Online/Offline Signature Schemes
Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion
More informationLesson 3.1 Factors and Multiples of Whole Numbers Exercises (pages 140 141)
Lesson 3.1 Factors and Multiples of Whole Numbers Exercises (pages 140 141) A 3. Multiply each number by 1, 2, 3, 4, 5, and 6. a) 6 1 = 6 6 2 = 12 6 3 = 18 6 4 = 24 6 5 = 30 6 6 = 36 So, the first 6 multiples
More informationChapter 6 Interest Rates and Bond Valuation
Chapter 6 Interest Rates and Bond Valuation Solutions to Problems P6-1. P6-2. LG 1: Interest Rate Fundamentals: The Real Rate of Return Basic Real rate of return = 5.5% 2.0% = 3.5% LG 1: Real Rate of Interest
More informationMemristor-Based Reactance-Less Oscillator
Memristor-Based Reactance-Less Oscillator M. Affan Zidan, Hesham Omran, A. G. Radwan and K. N. Salama In this letter, the first reactance-less oscillator is introduced. By using memristor, the oscillator
More informationChapter 5 Time Value of Money 2: Analyzing Annuity Cash Flows
1. Future Value of Multiple Cash Flows 2. Future Value of an Annuity 3. Present Value of an Annuity 4. Perpetuities 5. Other Compounding Periods 6. Effective Annual Rates (EAR) 7. Amortized Loans Chapter
More informationME 111: Engineering Drawing
ME 111: Engineering Drawing Lecture 4 08-08-2011 Engineering Curves and Theory of Projection Indian Institute of Technology Guwahati Guwahati 781039 Eccentrici ty = Distance of the point from the focus
More informationHIGH CREDIT OR LIMIT BALANCE $230000 MTG $120000 360 $975 $28626 069 $533 $31206 AUTO $4000 REV $228 MIN $10
32065 TL URT UIT 300, VRGRN, 80439 Phone: 3036707993 Fax: 3036708067 MRGD INFIL RDIT RPRT Reporting ureau certifies compliance contractual requirements governing check of public records with these results.
More informationissuitableforexecutiononasynchronous,tightly-coupledparallelmachine,suchasasuper-scalaror 1Introduction
UniversityofCalifornia,Berkeley email:aiken@cs.berkeley.edu ComputerScienceDivision Berkeley,CA94720-1776 AlexanderAiken Resource-ConstrainedSoftwarePipelining DepartmentofInformationandComputerScience
More informationValue of Money Concept$
Value of Money Concept$ Time, not timing is the key to investing 2 Introduction Time Value of Money Application of TVM in financial planning : - determine capital needs for retirement plan - determine
More informationKhair Eddin Sabri and Ridha Khedri
Khair Eddin Sabri and Ridha Foundations & Practice of Security Symposium (Oct. 2012) CRYPTO Presentation Outline 1 Introduction 2 3 4 Order Semiring 5 keystructure 6 7 8 Technique 9 Verification of secrecy
More informationprime space acres accessible 24 hr security start-ups game-changers flexible space pioneers
24 hr security start-s 97 prime space acres accessible game-changers flexible space pioneers start-s 97 prime space acres accessible BKLYN Army Terminal is 97 acres of prime business opportunity. BKLYN
More informationTRAINING BULLETIN Fire Apparatus Pump Test
TOPIC: TRAINING BULLETIN Fire Apparatus Pump Test EFFECTIVE DATE: 05/06 DOC NO: TB081 CROSS REF: INTRODUCTION District Fire Apparatus Pump Testing is completed on an annual basis. Currently, pump testing
More informationSolid State Timers Type F
Solid State Timers Type F Class 9050 CATALOG CONTENTS Description.....................................................Page Product Descriptions............................................. 3 Application
More informationFaculty of Engineering
5 November 10:30 AM 5 November 3:00 PM Title COMP 61025 BACHELOR OF ARTS IN COMPUTING Bachelor of Arts (Blue) COMP 61032- AMM BACHELOR OF BUSINESS ADMINISTRATION WITH A MAJOR IN Bachelor of Business MANAGEMENT
More informationWHO ARE THE GEORGIA REVOLUTION FC?
WHO ARE THE GEORGIA REVOLUTION FC? The Georgia Revolution FC is a semi-professional soccer team that began play in the National Premier Soccer League (NPSL) in 2011. The NPSL is regionally based with over
More informationMean value theorems for long Dirichlet polynomials and tails of Dirichlet series
ACA ARIHMEICA LXXXIV.2 998 Mean value theorems for long Dirichlet polynomials and tails of Dirichlet series by D. A. Goldston San Jose, Calif. and S. M. Gonek Rochester, N.Y. We obtain formulas for computing
More informationMaximum growth rate of sugar beet as a result of nutrient supply, ph and other environmental factors. Olof Hellgren
Maximum growth rate of sugar beet as a result of nutrient supply, ph and other environmental factors Olof Hellgren Nutrient addition and uptake traditional and static concept TRADITIONAL CONCEPT is based
More informationStronger Security Bounds for OMAC, TMAC and XCBC
Stronger Security Bounds for OMAC, MAC and XCBC etsu Iwata Kaoru Kurosawa Department of Computer and Information Sciences, Ibaraki University 4 1 1 Nakanarusawa, Hitachi, Ibaraki 316-8511, Japan {iwata,
More informationA3 Unit To Let Building 103, Wales 1 Business Park, Monmouthshire Junction 23A M4 Motorway - Magor A development by www.charnwoodgroup.
Occupiers Secured On Site A3 Unit To Let Building, Wales 1 Business Park, Monmouthshire Junction 23A M4 Motorway - Magor A development by www.charnwoodgroup.com The location of Wales 1 has unparalled communications
More information