How to Encrypt Properly with RSA


RSA Laboratories' CryptoBytes, Volume 5, No. 1, Winter/Spring 2002.

David Pointcheval
Dépt d'Informatique, ENS - CNRS, 45 rue d'Ulm, Paris Cedex 05, France

Abstract. In 1993, Bellare and Rogaway formalized the concept of a random oracle, imported from complexity theory for cryptographic purposes. This new tool allowed them to present several asymmetric encryption and signature schemes that are both efficient and provably secure (in the random oracle model). The Optimal Asymmetric Encryption Padding (OAEP) is the most significant application of the random oracle model to date. It gives an efficient RSA encryption scheme with a strong security guarantee (semantic security against chosen-ciphertext attacks). After Bleichenbacher's devastating attack on RSA-PKCS #1 v1.5 in 1998, RSA-OAEP became the natural successor (RSA-PKCS #1 v2.0) and thus a de facto international standard. Surprisingly, Shoup recently showed that the original proof of security for OAEP is incorrect. Without a proof, RSA-OAEP cannot be trusted to provide an adequate level of security. Luckily, shortly after Shoup's discovery a formal and complete proof was found in joint work by the author and others that reaffirmed the strong level of security provided by RSA-OAEP. However, this new security proof still does not guarantee security for key sizes used in practice, due to the inefficiency of the security reduction (the reduction to inverting RSA takes quadratic time). Recent alternatives to OAEP, such as OAEP+, SAEP+, and REACT, admit more efficient proofs and thus provide adequate security for key sizes used in practice.

1 Asymmetric Encryption

In 1978, Rivest, Shamir, and Adleman proposed the first candidate trapdoor permutation [30]. A trapdoor permutation primitive is a function f that anyone can compute efficiently; however, inverting f is hard unless we are also given some trapdoor information. Given the trapdoor information, inverting f becomes easy.
Naively, a trapdoor permutation defines a simple public key encryption scheme: the description of f is the public key and the trapdoor is the secret key. Unfortunately, encryption in this naive public key system is deterministic and hence cannot be secure, as discussed below. Before we can claim that a cryptosystem is secure (or insecure) we must precisely define what security actually means. The formalization of security notions started around the time when RSA was proposed and took several years to converge (see [18] for a survey on this topic). Today, the accepted security requirement for an encryption scheme is called semantic security against an adaptive chosen-ciphertext attack [29], or IND-CCA for short. To understand this concept we point out that security is always defined in terms of two parameters: (1) the attacker's capabilities, namely what the attacker can do during the attack, and (2) the attacker's goals, namely what the attacker is trying to do.

1. Attacker's capabilities: The strongest attacker capability in the standard model is called adaptive chosen-ciphertext attack and is denoted by (CCA) [29]. This means that the adversary has the ability to decrypt any ciphertext of his choice except for some challenge ciphertext (imagine the attacker is able to exploit a decryption box that will decrypt anything except for some known challenge ciphertext).

© RSA Security Inc.
2. Attacker's goal: The standard security goal is called semantic security [19] (also known as indistinguishability of ciphertexts), and is denoted by (IND). Roughly speaking, the attacker's goal is to deduce just one bit of information about the decryption of some given ciphertext. We say that a system is semantically secure if no efficient attacker can achieve this goal. We note that a deterministic encryption algorithm can never give semantic security.

An encryption scheme that is semantically secure under an adaptive chosen-ciphertext attack is said to be IND-CCA secure. IND-CCA security implies that even with full access to the decryption oracle, the attacker is not able to deduce one bit of information about the decryption of a given challenge ciphertext. IND-CCA may seem very strong, but such attacks are possible in some real world scenarios. In fact, CCA-like attacks have been used to break practical implementations, as we will see later. Furthermore, semantic security is required for high confidentiality, namely when the message space is limited (such as "yes" or "no", "buy" or "sell"). As a consequence, IND-CCA is accepted as the required security level for practical encryption schemes.

One can obtain many other security notions by combining different attacker goals with various attacker capabilities. For example, another security goal is called non-malleability [15, 7]. Here the attacker is given some ciphertext and his goal is to build another ciphertext such that the plaintexts are meaningfully related. Non-malleability is known to be equivalent to semantic security under an adaptive chosen-ciphertext attack [3]. For this reason, IND-CCA security is sometimes called non-malleability. Similarly, one can also consider different attacker capabilities based on the oracles given to the attacker [25, 29, 9, 20, 26]. As mentioned above, the most powerful attacker capability in the classical model is the decryption oracle itself, which decrypts any ciphertext (except the challenge ciphertext).
This classical model gives the cryptographic engine to the adversary as a black box to which he can make queries and receive correct answers in constant time. It thus excludes timing attacks [21], simple and differential power analyses [22], and differential fault analyses [8, 12].

2 The RSA-based Cryptosystems

2.1 The Plain RSA

The RSA permutation, proposed by Rivest, Shamir and Adleman [30], is the most well known trapdoor permutation. Its one-wayness is believed to be as strong as integer factorization. The RSA setup consists of choosing two large prime numbers p and q, and computing the RSA modulus $n = pq$. The public key is n together with an exponent e (relatively prime to $\varphi(n) = (p-1)(q-1)$). The secret key d is defined to be the inverse of e modulo $\varphi(n)$. Encryption and decryption are defined as follows:

$E_{n,e}(m) = m^e \bmod n, \qquad D_{n,d}(c) = c^d \bmod n.$

This primitive does not provide by itself an IND-CCA secure encryption scheme. Under a slightly stronger assumption than the intractability of integer factorization, it gives a cryptosystem that is only one-way under chosen-plaintext attacks, a very weak level of security. Semantic security fails because encryption is deterministic. Even worse, under a CCA attack, the attacker can fully decrypt a challenge ciphertext $C = m^e \bmod n$ using the homomorphic property of RSA:

$E_{n,e}(m_1) \cdot E_{n,e}(m_2) = E_{n,e}(m_1 m_2 \bmod n) \pmod n.$
To decrypt $C = m^e \bmod n$ using a CCA attack do: (1) compute $C' = C \cdot 2^e \bmod n$, (2) give $C'$ ($\neq C$) to the decryption oracle, and (3) the oracle returns $2m \bmod n$, from which the adversary can deduce m. To overcome this simple CCA attack on RSA, practical RSA-based cryptosystems randomly pad the plaintext prior to encryption. This randomizes the ciphertext and eliminates the homomorphic property.

2.2 The RSA-PKCS #1 v1.5 Encryption

A widely deployed padding for RSA-based encryption is defined in the PKCS #1 v1.5 standard: for any modulus $2^{8(k-1)} \le n < 2^{8k}$, in order to encrypt an l-byte-long message m (for $l \le k - 11$), one randomly chooses a $(k - 3 - l)$-byte-long random string r (with only non-zero bytes). Then, one defines the k-byte-long string $M = 02 \| r \| 0 \| m$ (see Figure 1) which is thereafter encrypted with the RSA permutation, $C = M^e \bmod n$. When decrypting a ciphertext C, the decryptor applies RSA inversion by computing $M = C^d \bmod n$ and then checks that the result M matches the expected format $02 \| * \| 0 \| *$. If so, the decryptor outputs the last part as the plaintext. Otherwise, the ciphertext is rejected.

Fig. 1. PKCS #1 v1.5 format: 00 | 02 | non-zero random bytes (at least 8) | 00 | m

Intuitively, this padding seems sufficient to rule out the above weaknesses of the plain RSA system, but without any formal proof or guarantee. Surprisingly, in 1998, Bleichenbacher [9] showed that a simple active attack can completely break RSA-PKCS #1. This attack applies to real systems such as a Web server using SSL v3.0. These servers often output a specific failure message in case of an invalid ciphertext. This enables an attacker to test whether the two most significant bytes of a challenge ciphertext C are equal to 00 02. If so, the attacker learns the following bound on the decryption of C:

$2 \cdot 2^{8(k-2)} \le C^d \bmod n < 3 \cdot 2^{8(k-2)}.$

Due to the random self-reducibility of the RSA permutation, in particular the homomorphism $C s^e = M^e s^e = (Ms)^e \bmod n$, the complete decryption of C can be recovered after a relatively small number of queries. Only a few million queries are needed with a 1024-bit modulus.
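The two attacks just described, as an added worked example (this code is not from the paper; it is constructed for this page). It uses a toy 234-bit RSA key built from two hardcoded Mersenne primes, an assumption made only so that the example runs in well under a second; such a key is far too small for any real use. `plain_rsa_cca` is the three-step attack on plain RSA from Section 2.1, and `bleichenbacher` recovers a PKCS #1 v1.5 plaintext from an oracle that, as in the text, reveals only whether $C^d \bmod n$ starts with the bytes 00 02. The search strategy follows Bleichenbacher's published algorithm [9] (steps 2a, 2b, 2c and 3 of his paper); `demo` reports whether the plaintext was recovered and how many oracle queries it took.

```python
"""Constructed example (not the paper's code): a toy RSA key, the plain-RSA
homomorphic CCA attack of Section 2.1, PKCS #1 v1.5 padding, and Bleichenbacher's
attack of Section 2.2 against an oracle that only reveals the '00 02' prefix."""
import random

# Assumption: toy key built from the Mersenne primes 2^107-1 and 2^127-1.
# A 234-bit modulus is hopelessly small for real use; it only keeps this fast.
P = (1 << 107) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8        # modulus length in bytes (k in the text)
B = 1 << (8 * (K - 2))               # 2^{8(k-2)}: prefix 00 02 <=> 2B <= M < 3B


def rsa_enc(m):
    return pow(m, E, N)


def rsa_dec(c):
    return pow(c, D, N)


def plain_rsa_cca(c, decrypt_oracle):
    """Section 2.1: recover m from c = m^e mod n with one query on c' != c."""
    c2 = (c * pow(2, E, N)) % N       # E(2m) = E(2) * E(m): homomorphic property
    two_m = decrypt_oracle(c2)        # the oracle refuses only c itself
    return (two_m * pow(2, -1, N)) % N


def pkcs1_v15_pad(msg, rng):
    """00 02 || at least 8 non-zero random bytes || 00 || msg, as a k-byte integer."""
    assert len(msg) <= K - 11
    pad = bytes(rng.randrange(1, 256) for _ in range(K - 3 - len(msg)))
    return int.from_bytes(b"\x00\x02" + pad + b"\x00" + msg, "big")


def pkcs1_v15_unpad(m_int):
    m = m_int.to_bytes(K, "big")
    sep = m.find(b"\x00", 10)        # separator must follow >= 8 padding bytes
    if m[:2] != b"\x00\x02" or sep < 0:
        raise ValueError("bad padding")
    return m[sep + 1:]


def prefix_oracle(c):
    """The leak described in the text: do the top two bytes of C^d mod n equal 00 02?"""
    return rsa_dec(c).to_bytes(K, "big")[:2] == b"\x00\x02"


def bleichenbacher(c, oracle):
    """Recover M = C^d mod n using only the prefix oracle.  A query on c * s^e
    tells whether 2B <= M*s mod n < 3B (random self-reducibility of RSA)."""
    def ceil_div(a, b):
        return -(-a // b)

    queries = 0

    def conforming(s):
        nonlocal queries
        queries += 1
        return oracle((c * pow(s, E, N)) % N)

    intervals = [(2 * B, 3 * B - 1)]     # c itself is conforming: 2B <= M < 3B
    s = ceil_div(N, 3 * B)               # step 2a: smallest conforming s >= n/(3B)
    while not conforming(s):
        s += 1
    while True:
        # step 3: for every r with 2B <= M*s - r*n < 3B, narrow the intervals
        narrowed = set()
        for a, b in intervals:
            for r in range(ceil_div(a * s - 3 * B + 1, N), (b * s - 2 * B) // N + 1):
                lo = max(a, ceil_div(2 * B + r * N, s))
                hi = min(b, (3 * B - 1 + r * N) // s)
                if lo <= hi:
                    narrowed.add((lo, hi))
        intervals = sorted(narrowed)
        if len(intervals) == 1 and intervals[0][0] == intervals[0][1]:
            return intervals[0][0], queries
        if len(intervals) > 1:               # step 2b: linear search for the next s
            s += 1
            while not conforming(s):
                s += 1
        else:                                # step 2c: pick s so the interval halves
            a, b = intervals[0]
            r = ceil_div(2 * (b * s - 2 * B), N)
            while True:
                cands = range(ceil_div(2 * B + r * N, b), (3 * B - 1 + r * N) // a + 1)
                s_next = next((x for x in cands if conforming(x)), None)
                if s_next is not None:
                    s = s_next
                    break
                r += 1


def demo(msg=b"buy", seed=7):
    """Pad and encrypt msg, then recover it through the oracle; returns (ok, queries)."""
    m_int = pkcs1_v15_pad(msg, random.Random(seed))
    recovered, queries = bleichenbacher(rsa_enc(m_int), prefix_oracle)
    return pkcs1_v15_unpad(recovered) == msg, queries
```

On this toy key roughly one blinded ciphertext in a few hundred is conforming, so the whole attack finishes quickly; with a 1024-bit modulus the same loop is what needs the few million queries mentioned above. The practical lesson for a decryptor is that a padding failure must be indistinguishable from every other failure, both in the error returned and in timing; the oracle here is nothing more than that distinction.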
Bleichenbacher's attack had an impact on many practical systems and standards bodies, which suddenly became aware of the importance of formal security arguments. Nevertheless, the weak PKCS #1 v1.5 padding is still used in the TLS protocol [33]. The TLS specification now appears to defend against Bleichenbacher's attack using a technique for which no proof of security has yet been published. Certain simple attacks are still possible (for example, plaintext-checking attacks [26] can be easily run, even if they seem ineffective). The lesson here is that standards should rely as much as possible on fully analyzed constructions and avoid ad-hoc techniques.
3 The Optimal Asymmetric Encryption Padding

For some time, people have tried to provide security proofs for cryptographic protocols in the reductionist sense [10]. To do so, one presents an algorithm that uses an effective adversary as a subprogram to break some underlying hardness assumption (such as the RSA assumption, or the intractability of integer factorization). Such an algorithm is called a reduction. This reduction is said to be efficient, roughly speaking, if it does not require too many calls to the subprogram.

3.1 The Random Oracle Model

A few years ago, a new line of research started with the goal of combining provable security with efficiency, still in the reductionist sense. To achieve this goal, Bellare and Rogaway [4] formalized a heuristic suggested by Fiat and Shamir [16]. This heuristic consisted in making an idealized assumption about some objects, such as hash functions, according to which they were assumed to behave like truly random functions. This assumption, known as the random oracle model, may seem strong, and lacking in practical embodiments. In fact, Canetti et al. [13] gave an example of a signature scheme which is secure in the random oracle model, but insecure under any instantiation of the random oracle. However, one can also consider random-oracle-based proofs under the assumption that the adversary is generic, whatever the actual implementation of the hash function or other idealized algorithms may be. In other words, we may assume that the adversary does not, or cannot, use any specific weakness of the hash functions used in practice. Thanks to this ideal assumption, several efficient encryption and signature schemes have been analyzed [5, 6, 27]. We emphasize that even formal analyses in the random oracle model are not strong security proofs, because of the underlying ideal assumption. They do, however, provide strong evidence for security and can furthermore serve as the basis for quite efficient schemes.
Since people do not often want to pay more than a negligible price for security, such an argument for practical schemes is more useful than formal security proofs for inefficient schemes.

Fig. 2. OAEP padding. The input is $m \| 0^{k_1}$ together with a random string r; the output is the pair $(s, t)$ with $s = (m \| 0^{k_1}) \oplus G(r)$ and $t = r \oplus H(s)$, where G and H are hash functions.
3.2 Description of OAEP

At the time Bleichenbacher published his attack on RSA-PKCS #1 v1.5, the only efficient and provably secure encryption scheme based on RSA was the Optimal Asymmetric Encryption Padding (OAEP) proposed by Bellare and Rogaway [5]. OAEP can be used with any trapdoor permutation f. To encrypt a message m using the encryption scheme f-OAEP, first apply the OAEP procedure described in Figure 2. Here r is a random string and G, H are hash functions. The resulting values $[s \| t]$ are then encrypted using f, namely $C = f(s, t)$. Bellare and Rogaway proved that OAEP padding used with any trapdoor permutation f provides a semantically secure encryption scheme. By adding some redundancy (the constant value $0^{k_1}$ at the end of the message, as shown in Figure 2), they furthermore proved it to be weakly plaintext-aware. Plaintext-awareness is a property of encryption schemes in the random oracle model which means that there exists a plaintext-extractor able to simulate the decryption oracle on any ciphertext (valid or not) designed by the adversary. The weak part in the definition proposed by Bellare and Rogaway was that the plaintext-extraction was just required to work while the adversary had not received any valid ciphertext from any source. Unfortunately, the adaptive chosen-ciphertext attack model gives the adversary full-time access to the decryption oracle, even after receiving the challenge ciphertext about which the adversary wants to learn information. This challenge is a valid ciphertext. Therefore, semantic security together with weak plaintext-awareness only implies semantic security against non-adaptive chosen-ciphertext attacks (a.k.a. lunchtime attacks [25], or indifferent chosen-ciphertext attacks), where the decryption oracle access is limited to the period before the adversary has received the challenge ciphertext.
In 1998, Bellare, Desai, Rogaway and the author [3] corrected this initial definition of plaintext-awareness, requiring the existence of a plaintext-extractor able to simulate the decryption oracle on any ciphertext submitted by the adversary, even after seeing some valid ciphertexts not encrypted by the adversary himself. This stronger definition is a more accurate model of the real world, where the adversary may have access to ciphertexts via eavesdropping. We furthermore proved that this new property (which can only be defined in the random oracle model) actually provides the encryption scheme with the strongest security level, namely semantic security against (adaptive) chosen-ciphertext attacks (IND-CCA). However, no one ever provided OAEP with such a new plaintext-extractor. Therefore, even if everybody believed in the strong security level of OAEP, it had never been proven IND-CCA under the one-wayness of the permutation alone.

3.3 The OAEP Security Analyses

In fact, the only formally proven security result about OAEP was its semantic security against lunchtime attacks, assuming the one-wayness of the underlying permutation. Until very recently OAEP was widely believed to also be IND-CCA.

Shoup's Result. Shoup [32] recently showed that it was quite unlikely that OAEP is IND-CCA assuming only the one-wayness of the underlying trapdoor permutation. In fact, he showed that if there exists a trapdoor one-way permutation g for which it is easy to compute $g(x \oplus a)$ from $g(x)$ and a, then OAEP cannot be IND-CCA secure for an arbitrary trapdoor permutation f. Referring to this special property of g as XOR-malleability, let us briefly present Shoup's counterexample. Let $s \| t$ denote the output of the OAEP transformation on a plaintext message m. Define the one-way permutation f as $f(s \| t) = s \| g(t)$. Then encrypting m using f-OAEP gives the ciphertext $C = [s \| g(t)]$. What Shoup showed is that under these conditions the adversary can use C to construct a ciphertext $C'$ of a plaintext message $m'$ that is closely related to the message m. In particular, for any string $\delta$, the adversary can construct $C'$ which is the encryption of $m' = m \oplus \delta$. Thus, the scheme is malleable and hence not IND-CCA: giving $C'$ to the decryption oracle will reveal $m' = m \oplus \delta$, from which the adversary can obtain m.

Fig. 3. Shoup's attack: the padded values $m \| 0^{k_1}$ and $m' \| 0^{k_1}$, the pairs $(s, t)$ and $(s', t')$, and the hash values $H(s)$ and $H(s')$.

To construct $C'$, the idea is for the adversary to exploit the explicit appearance of s in the ciphertext C. The adversary first computes $s' = s \oplus \Delta$, where $\Delta = \delta \| 0^{k_1}$; essentially, $\Delta$ is simply a padded rendering of $\delta$. The adversary then computes $D = H(s) \oplus H(s')$ using explicit knowledge of s and $s'$ and access to the random oracle for H. Finally, by exploiting the XOR-malleability of g, the adversary computes $g(t')$, where $t' = t \oplus D$. It is easy to see now that $C' = s' \| g(t')$ is a valid encryption of the message $m'$. Hence, the non-malleability of f-OAEP is broken. This observation shows that it is unlikely that one can prove that f-OAEP is IND-CCA secure for arbitrary trapdoor permutations f by assuming only the one-wayness of f.

Repairing the OAEP Proof of Security. To construct a valid ciphertext $C'$ in the above attack it seems that the adversary has to query the hash function H at s. But this seems to imply that given C the adversary can figure out the value s used to create C (recall that s is the left hand side of $f^{-1}(C)$). Thus, it appears that in order to mount Shoup's attack the adversary must be able to partly invert f: given $f(s, t)$, the adversary must be able to expose s. We say f is partial-domain one-way if no efficient algorithm can deduce s from $C = f(s, t)$. For such trapdoor permutations f, one could hope that Shoup's attack will fail and that f-OAEP is IND-CCA secure.
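An added example of the OAEP transformation of Figure 2 and of Shoup's counterexample; this is constructed code, not the paper's. G and H are instantiated with truncated SHA-256 (an assumption; the paper only models them as random oracles), on the same toy 234-bit key as before. Two choices of f are shown side by side: RSA, where s stays hidden inside $(s \| t)^e \bmod n$, and Shoup's $f(s \| t) = s \| g(t)$, where the XOR-malleable g is a stand-in fixed XOR mask (this g is obviously not one-way; the attack uses only the property $g(t \oplus a) = g(t) \oplus a$, which is all that Shoup's argument needs). `shoup_malleate` carries out exactly the computation of $s'$, D and $g(t')$ described above, without any trapdoor.

```python
"""Constructed example (not the paper's code): OAEP as in Figure 2 under two
trapdoor permutations, RSA and Shoup's XOR-malleable f(s||t) = s||g(t)."""
import hashlib

# Assumption: the same toy key as in the earlier example, far too small for use.
P = (1 << 107) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8   # 30 bytes
K0 = 8                          # length of the random string r
K1 = 8                          # length of the 0^{k1} redundancy
S_LEN = K - 1 - K0              # |s| = 21: a leading zero byte keeps s||t below n
MSG_LEN = S_LEN - K1            # 13-byte messages in this toy instance


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def G(r):   # random oracle G, stretched to |s| (assumption: truncated SHA-256)
    return hashlib.sha256(b"G" + r).digest()[:S_LEN]


def H(s):   # random oracle H, output length |r|
    return hashlib.sha256(b"H" + s).digest()[:K0]


def oaep_pad(m, r):
    assert len(m) == MSG_LEN and len(r) == K0
    s = xor(m + b"\x00" * K1, G(r))   # s = (m || 0^{k1}) xor G(r)
    t = xor(r, H(s))                   # t = r xor H(s)
    return s, t


def oaep_unpad(s, t):
    r = xor(t, H(s))
    padded = xor(s, G(r))
    if padded[-K1:] != b"\x00" * K1:  # the redundancy check rejects bad ciphertexts
        raise ValueError("invalid ciphertext")
    return padded[:-K1]


# f = RSA: C = (s||t)^e mod n.  s is not exposed, so Shoup's attack does not apply.
def rsa_oaep_enc(m, r):
    s, t = oaep_pad(m, r)
    return pow(int.from_bytes(b"\x00" + s + t, "big"), E, N)


def rsa_oaep_dec(c):
    st = pow(c, D, N).to_bytes(K, "big")
    if st[0] != 0:
        raise ValueError("invalid ciphertext")
    return oaep_unpad(st[1:1 + S_LEN], st[1 + S_LEN:])


def rsa_oaep_accepts(c):
    """What a decryption oracle leaks about c: whether the 0^{k1} check passes."""
    try:
        rsa_oaep_dec(c)
        return True
    except ValueError:
        return False


# Shoup's counterexample: f(s||t) = s || g(t) with g XOR-malleable.
# Stand-in g: a fixed secret XOR mask (assumption: not one-way at all; only the
# property g(t xor a) = g(t) xor a is used by the attack).
G_MASK = hashlib.sha256(b"toy secret for g").digest()[:K0]


def g(t):
    return xor(t, G_MASK)


def g_inv(u):
    return xor(u, G_MASK)


def g_xor_malleate(gt, a):
    """Compute g(t xor a) from g(t) and a, without knowing t."""
    return xor(gt, a)


def shoup_enc(m, r):
    s, t = oaep_pad(m, r)
    return s + g(t)


def shoup_dec(c):
    s, gt = c[:S_LEN], c[S_LEN:]
    return oaep_unpad(s, g_inv(gt))


def shoup_malleate(c, delta):
    """From C = s||g(t) build C' encrypting m xor delta, using only H and XOR-malleability."""
    s, gt = c[:S_LEN], c[S_LEN:]
    s2 = xor(s, delta + b"\x00" * K1)        # s' = s xor (delta || 0^{k1})
    d = xor(H(s), H(s2))                     # D = H(s) xor H(s')
    return s2 + g_xor_malleate(gt, d)        # g(t') with t' = t xor D
```

Note that the malleated ciphertext passes the $0^{k_1}$ redundancy check, which is exactly why the original proof's plaintext-extractor cannot exist for every f: the check is satisfied by a ciphertext whose creator never queried G at the random string r.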
Fujisaki, Okamoto, Stern and the author [17] formally proved this fact: if f is partial-domain one-way, then f-OAEP is IND-CCA secure. We note that partial-domain one-wayness is a stronger property than one-wayness: a function might be one-way but still not partial-domain one-way. Fortunately, the homomorphic properties of RSA enable us to prove that the RSA permutation is partial-domain one-way if and only if RSA is one-way. More precisely, an algorithm that can expose half of $\mathrm{RSA}^{-1}(C)$ given C can be used to completely invert the RSA permutation. Altogether, this proves the widely believed IND-CCA security of RSA-OAEP assuming that RSA is a trapdoor permutation. For security parameters $\varepsilon$ and t (whose formal definitions are omitted here), we obtain the following result [17]:

Let A be a CCA-adversary against the semantic security of RSA-OAEP with running time bounded by t and advantage $\varepsilon$. Then, the RSA function can be inverted with probability greater than approximately $\varepsilon^2/4$ within time bound $2t$.

Unfortunately, the security reduction from an RSA-inversion into an attack is quite inefficient for practical sizes (more precisely, it is quadratic in the number of oracle queries). Hence, this reduction is meaningless unless one uses a modulus large enough that the RSA-inversion (or the factorization) requires far more computational effort than the reduction itself consumes. With current factorization techniques [23, 14], one needs to use a modulus of length more than 4096 bits to make the reduction meaningful (see [24] for complexity estimates of the most efficient factoring algorithms). Viewed another way, this reduction shows that a 1024-bit modulus just provides a provable security level of $2^{40}$, which is clearly inadequate given currently prevalent levels of computing power. (We note, however, that this does not mean that there is an attack with this low complexity, only that one cannot be ruled out by the available proofs of security.)

4 OAEP Alternatives

4.1 The OAEP+ Padding

Shoup also proposed a formal security proof of RSA-OAEP with a much more efficient security reduction, but in the particular case where the encryption exponent e is equal to 3. However, many people believe that the RSA trapdoor permutation with exponent 3 may be weaker than with greater exponents. Therefore, he also proposed a slightly modified version of OAEP, called OAEP+ (see Figure 4), which can be proven secure under the one-wayness of the permutation alone. It uses the variable redundancy $R(m, r)$ instead of the constant $0^{k_1}$.
It is thus a bit more intricate than the original OAEP. The security reduction for OAEP+ is efficient, but still runs in quadratic time.

Fig. 4. OAEP+ and SAEP+ paddings: both take m, the random string r and the redundancy $R(m, r)$; OAEP+ outputs the pair $(s, t)$, SAEP+ outputs s.
4.2 SAEP+ Padding

Boneh [11] recently proposed a new padding scheme, SAEP+, to be used with the Rabin primitive [28] or RSA. It is simpler than OAEP, hence the name Simplified Asymmetric Encryption Padding: whereas OAEP is a two-round Feistel network, SAEP+ is a single round. SAEP+ has a linear time reduction for the Rabin system (i.e., e = 2). For larger exponents, SAEP+ has a quadratic time reduction. Hence, for larger exponents (e > 2), SAEP+ does not guarantee security for practical parameters (less than two thousand bits).

4.3 The REACT Construction

Another alternative to OAEP is the REACT construction, proposed by Okamoto and the author [26] (see Figure 5). It provides an IND-CCA encryption scheme from any weakly secure one (more precisely, a primitive that is one-way against plaintext-checking attacks), such as the RSA primitive. Therefore, the RSA-REACT scheme is IND-CCA secure under the RSA assumption. Furthermore, the security reduction is very efficient, since it is in linear time without any loss in the success probability, whatever the exponent. Consequently, it guarantees perfect equivalence with RSA inversion for moduli which require just a bit more than $2^{70}$ effort to be factored. This is the case for 1024-bit-long moduli, the minimal currently advised key size. In comparison to previous proposals, REACT is a full scheme and not just a pure padding applied to the message before the RSA function. Consequently, the ciphertext is a bit longer. However, even when used for key transport, it allows integration of a symmetric encryption scheme (SymE) to achieve very high encryption rates, as shown in the hybrid construction. In the specific case of RSA, REACT can be optimized, as explained below.

Fig. 5. REACT: basic encryption (left) and hybrid encryption with a symmetric scheme SymE (right). In both variants the ciphertext is the triple $C_1, C_2, C_3$, and RSA is applied only to a random value, never to m itself.

4.4 Simple RSA

In an ISO report [31], Shoup suggested a possible alternative, based on ideas from Bellare and Rogaway [4] that provide a secure encryption scheme from any trapdoor one-way permutation f.
Roughly speaking, simple RSA, as it is called, consists of first encrypting a random string r using f to obtain $C_0$ (thus $C_0 = r^e \bmod n$), and then parsing $H(r)$ as $k_0 \| k_1$, where H is some hash function (modeled by a random oracle). Thereafter, one encrypts the message m using a symmetric encryption scheme with the key $k_0$ to get $C_1$ (e.g., $C_1 = m \oplus k_0$), and authenticates the ciphertext with a MAC function using the key $k_1$ to get a tag $T = \mathrm{MAC}(k_1, C_1)$. The ciphertext is the triple $(C_0, C_1, T)$. This construction is a special case of REACT, optimized for RSA, and hence is IND-CCA under the RSA assumption. It provides a very efficient linear time reduction. Moreover, thanks to the random self-reducibility of RSA (which can be used with this latter construction, but not with the OAEP and SAEP variants), this construction provides a high security level even when encrypting many plaintexts [1, 2].

5 Conclusion

RSA-OAEP is a practical RSA encryption scheme with provable security in the random oracle model. For practical security, the cost of the reductions cannot simply be shown to be polynomial time (as in asymptotic analyses), since the reduction efficiency directly impacts the security parameters needed for the scheme. Hence, when evaluating cryptographic constructions, one must take into account the efficiency of the security proof. Inefficient proofs of security do not give security guarantees for real world parameters. Only OAEP with exponents 2 or 3, SAEP+ with exponent 2, and RSA-REACT (or the optimization "simple RSA") with any exponent, admit formal proofs with linear time reductions in the random oracle model. Hence only these schemes guarantee semantic security against chosen-ciphertext attacks for practical modulus sizes (even less than 1024 bits). The provable security for other padding schemes is meaningful only for much larger moduli (more than 4096 bits).

Acknowledgments

I warmly thank my co-authors, Mihir Bellare, Anand Desai, Eiichiro Fujisaki, Tatsuaki Okamoto, Phil Rogaway and Jacques Stern for the interesting works we did on asymmetric encryption, as well as Dan Boneh, Pierre-Alain Fouque, Victor Shoup and Yves Verhoeven for the fruitful discussions we had.

References
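The simple RSA construction of Section 4.4, as an added example (constructed for this page; not the paper's or Shoup's code), on the same toy 234-bit key as the earlier examples. H is instantiated as SHA-512 and the MAC as HMAC-SHA-256, both assumptions standing in for the random oracle and the unspecified MAC of the text. The point to see is in `simple_rsa_dec`: the tag is verified before $k_0$ is used at all, so both a modified $C_1$ and a homomorphically blinded $C_0$ (the Section 2.1 trick that breaks plain RSA) are rejected without leaking anything about m.

```python
"""Constructed example (not the paper's code): Shoup's 'simple RSA' from
Section 4.4, i.e. RSA-REACT optimized for RSA, on a toy key."""
import hashlib
import hmac

# Assumption: the same toy key as in the earlier examples, far too small for use.
P = (1 << 107) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8

# Constructed fixed randomness so the example is reproducible; a real encryptor
# draws a fresh uniform r in [1, n) for every message.  29 bytes keeps r < n.
SAMPLE_R = int.from_bytes(hashlib.sha256(b"constructed nonce").digest()[:29], "big")


def derive_keys(r):
    """Parse H(r) as k0 || k1: a 32-byte encryption key and a 32-byte MAC key."""
    h = hashlib.sha512(r.to_bytes(K, "big")).digest()   # assumption: H = SHA-512
    return h[:32], h[32:]


def simple_rsa_enc(m, r):
    """C0 = r^e mod n, C1 = m xor k0, T = MAC(k1, C1); returns (C0, C1, T)."""
    assert 1 <= r < N and len(m) <= 32
    k0, k1 = derive_keys(r)
    c0 = pow(r, E, N)
    c1 = bytes(x ^ y for x, y in zip(m, k0))         # one-time pad under k0
    tag = hmac.new(k1, c1, hashlib.sha256).digest()  # assumption: HMAC-SHA-256
    return c0, c1, tag


def simple_rsa_dec(ct):
    """Return m, or None if the tag does not verify (the chosen-ciphertext check)."""
    c0, c1, tag = ct
    r = pow(c0, D, N)
    k0, k1 = derive_keys(r)
    expected = hmac.new(k1, c1, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        return None                                  # reject before touching k0
    return bytes(x ^ y for x, y in zip(c1, k0))


def blind_c0(ct):
    """The Section 2.1 attack applied to C0: C0 * 2^e decrypts to 2r, so the
    derived k1 differs and the MAC check fails."""
    c0, c1, tag = ct
    return (c0 * pow(2, E, N)) % N, c1, tag


def flip_c1(ct):
    """Tamper with one bit of the symmetric part; the MAC check fails."""
    c0, c1, tag = ct
    return c0, bytes([c1[0] ^ 1]) + c1[1:], tag
```

Because every bit of $(C_0, C_1)$ is bound by the tag under a key that only the holder of d can derive, the decryption oracle of the IND-CCA game gives the adversary nothing but "reject" on any ciphertext other than one it could have produced itself; that is what the plaintext-checking reduction mentioned in Section 4.3 formalizes.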
1. O. Baudron, D. Pointcheval, and J. Stern. Extended Notions of Security for Multicast Public Key Cryptosystems. In Proc. of the 27th ICALP, LNCS 1853. Springer-Verlag, Berlin.
2. M. Bellare, A. Boldyreva, and S. Micali. Public-key Encryption in a Multi-User Setting: Security Proofs and Improvements. In Eurocrypt '00, LNCS 1807. Springer-Verlag, Berlin.
3. M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway. Relations among Notions of Security for Public-Key Encryption Schemes. In Crypto '98, LNCS 1462. Springer-Verlag, Berlin.
4. M. Bellare and P. Rogaway. Random Oracles Are Practical: a Paradigm for Designing Efficient Protocols. In Proc. of the 1st CCS. ACM Press, New York.
5. M. Bellare and P. Rogaway. Optimal Asymmetric Encryption: How to Encrypt with RSA. In Eurocrypt '94, LNCS 950. Springer-Verlag, Berlin.
6. M. Bellare and P. Rogaway. The Exact Security of Digital Signatures: How to Sign with RSA and Rabin. In Eurocrypt '96, LNCS 1070. Springer-Verlag, Berlin.
7. M. Bellare and A. Sahai. Non-Malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization. In Crypto '99, LNCS 1666. Springer-Verlag, Berlin, 1999.
8. E. Biham and A. Shamir. Differential Fault Analysis of Secret Key Cryptosystems. In Crypto '97, LNCS 1294. Springer-Verlag, Berlin.
9. D. Bleichenbacher. A Chosen Ciphertext Attack against Protocols based on the RSA Encryption Standard PKCS #1. In Crypto '98, LNCS 1462. Springer-Verlag, Berlin.
10. M. Blum and S. Micali. How to Generate Cryptographically Strong Sequences of Pseudorandom Bits. SIAM Journal on Computing, 13.
11. D. Boneh. Simplified OAEP for the RSA and Rabin Functions. In Crypto '01, LNCS 2139. Springer-Verlag, Berlin.
12. D. Boneh, R. DeMillo, and R. Lipton. On the Importance of Checking Cryptographic Protocols for Faults. In Eurocrypt '97, LNCS 1233. Springer-Verlag, Berlin.
13. R. Canetti, O. Goldreich, and S. Halevi. The Random Oracle Methodology, Revisited. In Proc. of the 30th STOC. ACM Press, New York.
14. S. Cavallar, B. Dodson, A. K. Lenstra, W. Lioen, P. L. Montgomery, B. Murphy, H. te Riele, K. Aardal, J. Gilchrist, G. Guillerm, P. Leyland, J. Marchand, F. Morain, A. Muffett, Ch. Putnam, C. Putnam, and P. Zimmermann. Factorization of a 512-bit RSA Modulus. In Eurocrypt '00, LNCS 1807. Springer-Verlag, Berlin.
15. D. Dolev, C. Dwork, and M. Naor. Non-Malleable Cryptography. SIAM Journal on Computing, 30(2).
16. A. Fiat and A. Shamir. How to Prove Yourself: Practical Solutions of Identification and Signature Problems. In Crypto '86, LNCS 263. Springer-Verlag, Berlin.
17. E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is Secure under the RSA Assumption. In Crypto '01, LNCS 2139. Springer-Verlag, Berlin.
18. O. Goldreich. On the Foundations of Modern Cryptography. In Crypto '97, LNCS 1294. Springer-Verlag, Berlin.
19. S. Goldwasser and S. Micali. Probabilistic Encryption. Journal of Computer and System Sciences, 28.
20. C. Hall, I. Goldberg, and B. Schneier. Reaction Attacks Against Several Public-Key Cryptosystems. In Proc. of ICICS '99, LNCS. Springer-Verlag.
21. P. C. Kocher. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In Crypto '96, LNCS 1109. Springer-Verlag, Berlin.
22. P. C. Kocher, J. Jaffe, and B. Jun. Differential Power Analysis. In Crypto '99, LNCS 1666. Springer-Verlag, Berlin.
23. A. Lenstra and H. Lenstra. The Development of the Number Field Sieve, volume 1554 of Lecture Notes in Mathematics. Springer-Verlag.
24. A. Lenstra and E. Verheul. Selecting Cryptographic Key Sizes. In PKC '00, LNCS 1751. Springer-Verlag, Berlin.
25. M. Naor and M. Yung. Universal One-Way Hash Functions and Their Cryptographic Applications. In Proc. of the 21st STOC. ACM Press, New York.
26. T. Okamoto and D. Pointcheval. REACT: Rapid Enhanced-security Asymmetric Cryptosystem Transform. In CT-RSA '01, LNCS 2020. Springer-Verlag, Berlin.
27. D. Pointcheval and J. Stern. Security Arguments for Digital Signatures and Blind Signatures. Journal of Cryptology, 13(3).
28. M. O. Rabin. Digitalized Signatures. In R. Lipton and R. De Millo, editors, Foundations of Secure Computation. Academic Press, New York.
29. C. Rackoff and D. R. Simon. Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack. In Crypto '91, LNCS 576. Springer-Verlag, Berlin.
30. R. Rivest, A. Shamir, and L. Adleman. A Method for Obtaining Digital Signatures and Public Key Cryptosystems. Communications of the ACM, 21(2), February.
31. V. Shoup. A Proposal for an ISO Standard for Public-Key Encryption, December. ISO/IEC JTC 1/SC.
32. V. Shoup. OAEP Reconsidered. In Crypto '01, LNCS 2139. Springer-Verlag, Berlin.
33. T. Dierks and C. Allen. The TLS Protocol, January. RFC 2246.
More informationAdaptive Oneway Functions and Applications
Adaptive Oneway Functions and Applications Omkant Pandey 1, Rafael Pass 2, and Vinod Vaikuntanathan 3 1 UCLA (omkant@cs.ucla.edu) 2 Cornell University (rafael@cs.cornell.edu) 3 MIT (vinodv@mit.edu) Abstract.
More informationScalable Protocols for Authenticated Group Key Exchange
Scalable Protocols for Authenticated Group Key Exchange Jonathan Katz Moti Yung Abstract We consider the problem of authenticated group key exchange among n parties communicating over an insecure public
More informationInstituto Superior Técnico Av. Rovisco Pais, 1 1049001 Lisboa Email: virginia.infante@ist.utl.pt
FATIGUE LIFE TIME PREDICTIO OF POAF EPSILO TB30 AIRCRAFT  PART I: IMPLEMETATIO OF DIFERET CYCLE COUTIG METHODS TO PREDICT THE ACCUMULATED DAMAGE B. A. S. Seano 1, V. I. M.. Infante 2, B. S. D. Maado
More informationHow to Encipher Messages on a Small Domain
Appears in Advances in Cryptology CRYPTO 2009 How to Encipher Messages on a Small Domain Deterministic Encryption and the Thorp Shuffle Ben Morris 1, Phillip Rogaway 2, and Till Stegers 2 1 Dept. of Mathematics,
More informationCoin Flipping of Any Constant Bias Implies OneWay Functions
Coin Flipping of Any Constant Bias Implies OneWay Functions Extended Abstract] Itay Berman School of Computer Science Tel Aviv University Israel itayberm@post.tau.ac.il Iftach Haitner School of Computer
More informationCorrecting Privacy Violations in BlindCarbonCopy (BCC) Encrypted Email
Correcting Privacy Violations in BlindCarbonCopy (BCC) Encrypted Email Adam Barth abarth@cs.stanford.edu Dan Boneh dabo@cs.stanford.edu Abstract We show that many widely deployed email encryption systems
More informationOn Cryptographic Properties of LFSRbased Pseudorandom Generators
On Cryptographic Properties of LFSRbased Pseudorandom Generators InauguralDissertation zur Erlangung des akademischen Grades eines Doktors der Naturwissenschaften der Universität Mannheim vorgelegt von
More informationEfficient Private Matching and Set Intersection
Efficient Private Matching and Set Intersection Michael J. Freedman 1, Kobbi Nissim 2, and Benny Pinkas 3 1 New York University (mfreed@cs.nyu.edu) 2 Microsoft Research SVC (kobbi@microsoft.com) 3 HP Labs
More information