Analysis of Privacy-Preserving Element Reduction of Multiset

Save this PDF as:

Size: px
Start display at page:

Transcription

1 Analysis of Privacy-Preserving Element Reduction of Multiset Jae Hong Seo 1, HyoJin Yoon 2, Seongan Lim 3, Jung Hee Cheon 4 and Dowon Hong 5 1,4 Department of Mathematical Sciences and ISaC-RIM, Seoul National University, Seoul, , Korea. (jhsbhs, 2 School of Electrical Engineering and Computer Sciences, Seoul National University, Seoul, , Korea. 3 Department of Mathematics, INHA University, Incheon, , Korea 5 Electronics and Telecommunications Research Institute, Taejon, , Korea Abstract. Among private set operations, the privacy preserving element reduction of a multiset can be an important tool for privacy enhancing technology as itself or in the combination with other private set operations. Recently, a protocol, over-threshold-set-union-protocol, for a privacy preserving element reduction method of a multiset was proposed by Kissner and Song in Crypto In this paper, we point out that there is a mathematical flaw in their polynomial representation of element reduction of a multiset and the resulting protocol error from the flaw in the polynomial representation of a multiset. We correct their polynomial representation of a multiset and propose an over-threshold-set-operation-protocol based on the corrected representation. Our over-threshold-set-operation-protocol can be combined with a privacy preserving set operation and outputs those elements appears over the predetermined threshold number times in the resulting multiset of set operation. Key words : Privacy-Preserving Operations, Set Operations, Element Reduction, Multi-party Computations 1 Introduction Private set operations, such as set intersection, set union and element reduction of multisets, are important tools for privacy preserving of many applications. The element reduction(by d) method for a multiset S, a set allows a repetition of elements, is a method to get a multiset, denoted by Rd d (S), after reducing the repetition number of each element by d from the multiset S. Whenever one sees an element a in Rd d (S), then he/she knows that a appears more than d times in S. A private element reduction method of a multiset enables

2 controlled disclosure of private information and it can be combined with other private set operations to support controlled privacy level of the output of the private set operation. The element reduction of a multiset also can be used to develop privacy preserving techniques for distributed network monitoring. In distributed network monitoring service, each node monitors anomalous local traffic, and a distributed nodes collectively identify behaviors that are identified by at least a threshold t number of monitors. Monitoring individuals network usage requires appropriate privacy preserving of network users. In some cases, monitoring of individuals network behaviors generates records subject to a system of protections under Privacy Act (e.g, FERPA). The privacy framework includes notification of policies; minimization of collection of data; limits on secondary use; nondisclosure and consent; a need to know before granting third parties access to data. On the other hand, in order to run normal network flow, it is necessary to control anomalous behaviors which could threat the normal flow of the network system. By using private element reduction method with respect to a threshold t on a multiset, one can identify just those elements appeared at least t times in the multiset but cannot obtain any information of the elements appeared less than t times. Hence the private element reduction supports an appropriate privacy preserving in monitoring network system within Privacy Act. In Crypto 2005, Kissner and Song studied privacy-preserving set operations, such as set intersection, set union and element reduction of multisets ([6]). By using the polynomial representation of set operations and public key encryption scheme with homomorphic property, they proposed protocols for privacy preserving set intersection and set union. They also proposed a protocol, Over-Threshold Set-Union protocol, by using their polynomial representation of element reduction of a multiset. In this paper, we point out that there is a mathematical flaw in their polynomial representation of element reduction of a multiset. Due to this mathematical flaw, it may happen to identify elements appeared in the multiset less than the threshold t as elements appeared at least t times in the multiset in their proposed Over-Threshold Set-Union protocol. Hence when we apply Over-Threshold Set-Union protocol to network monitoring system, it may happen to identify user with normal behavior as an user with an anomalous behavior and this leads privacy threat to normal user. Hence it could be a serious problem in privacy preserving techniques and it is necessary to correct the protocol. We give a correction in Kissner 2

5 3. The encryption scheme should support (n, n)-threshold decryption, i.e. the corresponding private key is shared by a group of n players and decryption must be performed by all n players acting together. The Paillier s cryptosystem [9] satisfies these requirements. 2.3 Multiset and its Polynomial Representation We consider the concept of multiset. Differently from an ordinary set, a multiset permits duplication of its elements. For example, in a multiset, an element is represented more than once like {a, a, b} and the multiset is different from {a, b}. Now, we define set intersection, and set union of multisets and the element reduction of a multiset as follows: Definition 1 The union of multisets A and B, A B, is the multiset composed of the elements which are in A or B. If an element a appears l A times in A and l B times in B, then a appears l A + l B times in A B. Definition 2 The intersection of multisets A and B, A B, is the multiset composed of the elements which are in both A and B. If an element a appears l A times in A and l B times in B, then a appears min{l A, l B } times in A B. Definition 3 The element reduction by d, Rd d (A), of a multiset A is the multiset composed of the elements of A such that for every element a that appears d times in A, a is included max{0, d d} times in Rd d (A). Polynomial Representation of a Multiset Kissner and Song use a homomorphic encryption scheme to achieve the property of privacy-preserving in set operation. Let a ring R be the domain of the homomorphic encryption function and P a subset of the ring R, where the elements in P are uniformly distributed in R and the probability that randomly chosen element of R is an element in P is negligible. Kissner and Song consider the multiset S whose elements belong to P and define the polynomial representation of the multiset as follows: From a multiset S to a polynomial f S R[x]: 5

6 Given a multiset S = {S j } 1 j k, S j P, the polynomial f S R[x] represents the multiset S can be constructed as f S (x) = (x S j ). 1 j k From a polynomial f R[x] to a multiset S: Given a polynomial f R[x], the multiset S represented by f can be defined as follows: a S and a appears t times in S (x a) t f, (x a) t+1 f and a is an element in P Feasible Homomorphic Operations of Encrypted Polynomials We define an encryption E(f(x)) of a polynomial f(x) = deg(f) i=0 f[i]x i as a tuple of each encryption of coefficient f[i], where 0 i deg(f). That is, E(f(x)) := (E(f[0]),, E(f[deg(f)])). If the public key encryption scheme satisfies the additive homomorphic property, we can perform the following computations without its decryption key. 1. The addition of encrypted polynomials: Given E(f 1 ) and E(f 2 ), we can compute E(f 1 +f 2 ) as follows: E((f 1 + f 2 )[i]) := E(f 1 [i]) + h E(f 2 [i]) (0 i max{deg(f 1 ), deg(f 2 )}). 2. The addition of encrypted polynomial and unencrypted polynomial: Given E(f 1 ) and f 2, we can compute E(f 1 f 2 ) as follows: E((f 1 f 2 )[i]) := (f 2 [0] h E(f 1 [i])) + h + h (f 2 [i] h E(f 1 [0])) (0 i max{deg(f 1 ) + deg(f 2 )}). 3. The differentiation of encrypted polynomial: Given E(f), we can compute E( df dx ) as follows: ( ) df E dx [i] := (i + 1) h E(f 1 [i + 1]) (0 i deg(f 1 ) 1). 4. The value of encrypted polynomial at plain point: Given a R and E(f), we can compute E(f(a)) as follows: E(f(a)) := (a 0 h E(f[0])) + h + h (a deg(f) h E(f[deg(f)])). 6

7 3 Analysis of Kissner and Song s Element Reduction Methods In this section, we review the results of Kissner and Song [6, 7] and point out a flaw in their polynomial representation of element reduction of a multiset. Furthermore we show that their over-threshold set-union protocol has critical errors since they used the incorrect polynomial representation of element reduction of a multiset. 3.1 Errors of Kissner and Song s Polynomial Representation for Element Reduction Kissner and Song use polynomials to represent multisets and propose probabilistic polynomial representations corresponding to set union, set intersection, and element reduction of a multiset. Kissner and Song s polynomial representations of the set union, set intersection and incorrect element reduction (by d) of a multiset are given as follows: Union Let f and g be polynomial representations of multisets S and T, respectively. The polynomial f g is the polynomial representation of multiset S T. Intersection Let f and g be polynomial representations of multisets S and T, respectively. For random polynomials r, s of higher to or same degree with deg(f), f r+g s is equal to gcd(f, g) u, where u is a uniformly distributed in R α [x], R α [x] is the set of all polynomials whose coefficients are in R and degrees are lower to or same with α = 2 deg(f) S T. The polynomial f r +g s is a polynomial representation of multiset S T with overwhelming probability. (Incorrect) Element Reduction (by d) Let f be the polynomial representation of a multiset S. For random polynomials r, s of degree deg(f) or more and a random polynomial F with degree d whose solutions are not in P, f (d) F r + f s is equal to gcd(f, f (d) ) u, where f (d) is the d-th derivative of f, u is a uniformly distributed in R α [x], R α [x] is the set of all polynomials whose coefficients are in R and degrees are lower to or same with α = 2 deg(f) Rd d (S). The polynomial f (d) F r + f s is a polynomial representation of multiset Rd d (S) with overwhelming probability. In the above, since u is uniformly distributed in R α [x], the probability that u has a root in P is negligible. Thus f r + g s = gcd(f, g) u is the polynomial representation of the 7

8 multiset S T and f (d) F r + f s = gcd(f, f (d) ) u is the polynomial representation of the multiset Rd d (S) with overwhelming probability. The polynomial representation of element reduction proposed in [6, 7] uses following lemma. Lemma 1 (Lemma 2 in [6]) Let R be a ring and f(x) R[x]. For (d 1), (1) if (x a) d+1 f(x), then (x a) f (d) (x). (2) if (x a) f(x) and (x a) d+1 f(x), then (x a) f (d) (x). By using Lemma 1, Kissner and Song showed that gcd(f, f (d) ) is a polynomial representation of Rd d (S), where f is the polynomial representation of the multiset S. But, in general, Lemma 1 is incorrect when d > 1. We can make a counter-example of Lemma 1 as follows. Example 1 Let a,b and c be distinct elements of ring R. Let f(x) = (x a)(x b)(x c). If the Lemma 1 is correct then the following relation: (x a) f (2) (x) holds since (x a) f and (x a) 3 f(x). But f (2) (x) = 6x 2(a+b+c) and (x (a+b+c) 3 ) f (2) (x) i.e. This contradicts Lemma 1. (x a) f (2) (x), when c = 2a b. Thus we see that Lemma 1 is incorrect. The mathematical flaw in Lemma 1 results errors in their polynomial representation of element reduction. In the same example as in Example 1, we consider the element reduction by 2 for the set S = {a, b, c} of distinct elements with c = 2a b. Clearly, we see that Rd 2 (S) = φ. But as we have in the above example, gcd(f, f (2) ) = (x a), which cannot be a polynomial representation of Rd 2 (S) = φ. 3.2 Analysis of the Kissner and Song s Protocol Now, we analyze the Over-Threshold Set-Union protocol proposed in [6, 7]. The Over-Threshold Set-Union protocol is a multiparty protocol with n users under the assumption that at most c(< n) players can dishonestly collude. A user i (where 1 i n) generates a multiset S i 8

9 whose elements represent private information and they are in P. Assume that each individual multiset should have the same cardinality. That is, for all i such 1 i n, S i = k for some k. The j-th element of a multiset S i is represented by (S i ) j. At the end of the protocol, all users wants to get a multiset which consists of the over-threshold elements in the set union S = S 1 S n of each user s multiset. The goal of the protocol is to solve the Over-Threshold Set-Union problem which is defined in [6, 7] as follows: Definition 4 1 All players know elements in the union of the each players private multisets that appears more than a threshold number d times, and the frequency of these elements in the union without gaining any other information. We call the elements of resulting set as over-threshold elements in the union of private sets of all players. In their Over-Threshold Set-Union protocol, Kissner and Song use the element reduction method to obtain over-threshold elements in set union. Let a fixed threshold number be t and a polynomial p be the corresponding to the multiset S of union of private sets of all players. As shown in the previous section, Kissner and Song computed gcd(p, p (t 1) ) as the polynomial representation of Rd t 1 (S) thus gcd(p, p (t 1) ) doesn t give the correct representation of Rd t 1 (S) in some cases. Now, we show that their protocol outputs wrong results in the case of Example 1. We apply their Over-Threshold Set-Union protocol to the set union S = {a, b, 2a b} with the threshold 3. Then, the protocol outputs the corresponding set {a} as the set of the overthreshold 3 in set union. But a appears only once in the set S, hence Kissner and Song s protocol is not a correct threshold 3 protocol. Suppose we consider the above example in the distributed network monitoring system with a privacy policy that says the monitoring system identify only the users with anomalous behavior over threshold 3. Then the user a will be identified in the monitoring system, but it appears only once and should not be identified in the monitoring system. This conflicts the privacy policy they adopt. Hence a correction in Kissner and Song s polynomial representation of element reduction is required. 1 This definition can be extended to a Over-Threshold Set-Operation problem by exchanging the union for general set operation. 9

10 4 A Correct Polynomial Representation and an Over-Threshold Set-Operation Protocol In this section, we suggest a correct polynomial representation of element reduction and propose a new over-threshold set-operation protocol using the corrected polynomial representation. 4.1 A Correct Polynomial Representation of Element Reduction We propose new method of element reduction by correcting Lemma 1. Particularly, we prove gcd(f, f,, f (d) ) is a polynomial representation of Rd d (S). By correcting Lemma 1, we have following lemma. Lemma 2 Let f(x) R[x]. The followings are equivalent. (1) (x a) d+1 f(x). (2) f(a) = f (a) = = f (d) (a) = 0, i.e. (x a) f, (x a) f,, (x a) f (d). Proof. ((1) (2)) Suppose (x a) d+1 f(x). Then f(x) = (x a) d+1 g(x) for some g(x), and clearly we have f(a) = 0. We also have f (x) = (d + 1)(x a) d g(x) + (x a) d+1 g (x) and it gives f (a) = 0. For 1 n d, we get f (n) (x) = (d + 1) (d n + 2)(x a) d n+1 g(x) + (x a) d n+2 h n (x) for some h n (x). Hence f(a) = = f (d) (a) = 0. ((2) (1)) First we will show that if f (n) (a) = 0 and (x a) n f(x) then (x a) n+1 f(x). Since (x a) n f(x), we have f(x) = (x a) n g(x) for some g(x). f (n) (x) = n!g(x)+(x a)h n (x) for some h n (x). Since f (n) (a) = 0, we have g(a) = 0, which implies that g(x) = (x a)g 1 (x) for some g 1 (x). Therefore f(x) = (x a) n+1 g 1 (x). Because f (1) (a) = 0 and (x a) f(x) by hypothesis, we have (x a) 2 f(x). And again together (x a) 2 f(x) with f (2) (a) = 0, we have (x a) 3 f(x). By repeating the same procedure with f (3) (a) = 0,, f (d) (a) = 0, eventually we get (x a) d+1 f(x). We obtain the following Corollary from the Lemma 2. Corollary 3 (x a) d+1 f(x) (x a) d f (x). 10

11 Proof. By Lemma 2, (x a) d+1 f(x) f(a) = f (a) = = f (d) (a) = 0 f (a) = f (a) = = f (d 1) (a) = 0 (x a) d f (x) by applying Lemma 2 to f. Therefore Corollary 3 is proved. Now, we will prove gcd(f, f,, f (d) ) is a correct polynomial representation of Rd d (S). Theorem 4 Let a polynomial f be a polynomial representation of a multiset S. For a S and positive integer l a, (x a) la gcd(f, f,, f (d) ), (x a) la+1 gcd(f, f,, f (d) ) a appears l a times in Rd d (S). i.e. gcd(f, f,, f (d) ) is a polynomial representation of Rd d (S). Proof. ( ) Suppose that l a is a positive integer satisfying (x a) la gcd(f,, f (d) ), and (x a) la+1 gcd(f,, f (d) ). Then since (x a) la gcd(f,, f (d) ), we have (x a) la f, (x a) la f,, (x a) la f (d). By Corollary 3, we have (x a) la 1 f (d+1),, (x a) 1 f (d+la 1). Thus we have (x a) d+la f by Lemma 2. If (x a) la+d+1 f, then f(a) = = f (la+d) (a) = 0. The part f(a) = = f (la) (a) = 0 implies that (x a) la+1 f by Lemma 2. Similarly, f (i) (a) = = f (la+i) (a) = 0 implies that (x a) la+1 f (i) for all i with 1 i d and it means that (x a) la+1 gcd(f,, f (d) ). This contradicts to the hypothesis. Therefore, we have (x a) la+d+1 f. Hence l a satisfies (x a) la+d f and (x a) la+d+1 f. 11

12 And we know that a appears l a + d times in multiset S since f is a polynomial representation of S. In conclusion, a appears l a times in Rd d (S). ( ) Suppose that a appears l a times in Rd d (S), then we have (x a) la+d f and (x a) la+d+1 f. By Corollary 3, we have (x a) la+d 1 f,, (x a) la f (d),, (x a) f (la+d 1), (x a) f (la+d), which implies that (x a) la f, (x a) la f,, (x a) la f (d), but (x a) la+1 f (d). Thus l a is a positive integer satisfying (x a) la gcd(f,, f (d) ) and (x a) la+1 gcd(f,, f (d) ). By Theorem 4, we can correct the Kissner and Song s polynomial representation of element reduction as follows: Correct Element Reduction (by d) Let f be the polynomial representation of a multiset S. For random polynomial r i s of degree deg(f) or more and random polynomial F i s with degree i whose solutions are not in P, d i=0 f (i) F i r i is equal to gcd(f, f,..., f (d) ) u(x)). Thus the polynomial d i=0 f (i) F i r i is a polynomial representation of multiset Rd d (S) with overwhelming probability. 4.2 An Over-Threshold Set-Operation Protocol Now, we propose an Over-Threshold Set-Operation protocol using our correct polynomial representation of element reduction of a multiset. As described above, the goal of this protocol is for all players to obtain the multiset of elements which appear in the result of set operation of each private multiset more than a predetermined threshold number without gaining any other information. There are n( 2) honest-but-curious players with a private input set S i such that S i = k. We assume that at most c(< n) players can dishonestly collude. The players share the secret 12

13 key sk corresponding to the public key pk for a homomorphic cryptosystem which supports threshold group decryption. Let the threshold number be d and F j be an arbitrary polynomial of degree j which has no roots representing elements of the set P. Protocol : Over Threshold Set Operation HBC 1. Set-Operation Each player i = 1,, n computes f i (x) = (x (S i ) 1 ) (x (S i ) k ). Players perform the predetermined set operation protocol and player 1 obtain the encryption of polynomial p, corresponding to the result of set operation, E pk (p). Player 1 distributes E pk (p) to players 2,, c Element-Reduction Each player i = 1,, c + 1 (a) Computes E pk (p ),, E pk (p (d) ) from E pk (p). (b) Chooses randomly d + 1 polynomials t i,0,, t i,d R k [x]. (c) Sends E pk (p t i,0 + F 1 p t i,1 + + F d p (d) t i,d ) to all other player. 3. Group-Decryption All players perform a group decryption to obtain Φ = F d p (d) ( c+1 i=1 t i,d)+ +F 1 p ( c+1 i=1 t i,1)+p ( c+1 i=1 t i,0). 4. Recovering-Set Each player i = 1,, n determines the resulting set depending on a kind of set operation. We use the modified element reduction method of the multiset in the step 2 and fix the flaw of the original one proposed by Kissner and Song. The step 1 and 4 of the above protocol can be varied according to a kind of set operation. In [6, 7], protocols for privacy preserving set operations, set union and set intersection, were proposed. In step 1, if we apply Kissner and Song s privacy-preserving (set union/set intersection) then we obtain (Over-Threshold Set-Union protocol /Over-Threshold Set-Intersection protocol), respectively. Because the difference of Over Threshold Set Union protocol proposed in [6, 7] from our protocol is only the polynomial representation method of element reduction of multiset, it does not affect the security of the protocol. Thus, the our protocol has the same security with that of [6, 7] in the set intersection and set union cases when we follow their set operation protocol. 13

14 5 Conclusion A privacy preserving element reduction method can be an important tool to identify badly behaved internet users while it preserves privacy for normal users. In Crypto 2005, Kissner and Song introduced a method of polynomial representation of element reduction of a multiset and proposed an Over-Threshold-Set-Union protocol using the polynomial representation and homomorphic public key encryption scheme. In this paper, we have shown that their polynomial representation is not correct and its impact to their protocol can be somewhat critical for privacy preserving techniques. We present a correction for the polynomial representation of element reduction of a multiset in this paper. We also modified their Over- Threshold Set-Union protocol and proposed an Over-Threshold Set Operation protocol based on the corrected polynomial representation. Our Over-threshold-set-operation-protocol can be combined with a privacy preserving set operation and outputs those elements appears over the predetermined threshold number times in the resulting multiset of set operation. References 1. D. Boneh, E-J. Goh, and K. Nissim. Evaluating 2-DNF formulas on ciphertexts. In TCC2005, LNCS Vol. 3378, pp Springer-Verlag, R. Agrawal, A. Evfimievski, and R. Srikant. Information sharing across private databases. In SIGMOD 2003, Proceedings of the 2003 ACM SIGMOD international conference on Management of data, pp , ACM Press, M. Freedman, K. Nissim, and B. Pinkas. Efficient private matching and set intersection. In Advances in Cryptology - Eurocrypt 2004, LNCS Vol. 3027, pp. 1 19, Springer-Verlag, P-A. Fouque and D. Pointcheval. Threshold cryptosystems secure against chosenciphertext attacks. In Advances in Cryptology - Asiacrypt 2000, LNCS Vol. 1976, pp , Springer-Verlag, O. Goldreich, The Foundations of Cryptography - Vol. 2, Cambridge University Press, L. Kissner and D. Song. Privacy-preserving set operations. In Advances in Cryptology - Crypto 2005, LNCS Vol. 3621, pp , Springer-Verlag, L. Kissner and D. Song. Private and threshold set-intersection. Technical Report CMU-CS , Carnegie Mellon University, T. Okamoto and S. Uchiyama. A new public-key cryptosystem as secure as factoring. In Advances in Cryptology - Eurocrypt 1998, LNCS Vol. 1403, pp Springer-Verlag, P. Pallier. Public-key cryptosystems based on composite degree residuosity classes. In Advances in Cryptology - Eurocrypt 1999, LNCS Vol. 1592, pp , Springer-Verlag,

Privacy-Preserving Set Operations

Privacy-Preserving Set Operations Lea Kissner and Dawn Song Carnegie Mellon University Abstract In many important applications, a collection of mutually distrustful parties must perform private computation

Privacy-Preserving Set Operations

Privacy-Preserving Set Operations Lea Kissner Dawn Song February 2005 Last modified June 2005 CMU-CS-05-113 School of Computer Science Carnegie Mellon University Pittsburgh, PA 15213 Abstract In many important

3-6 Toward Realizing Privacy-Preserving IP-Traceback

3-6 Toward Realizing Privacy-Preserving IP-Traceback The IP-traceback technology enables us to trace widely spread illegal users on Internet. However, to deploy this attractive technology, some problems

Privacy-Preserving Network Aggregation

Privacy-Preserving Network Aggregation Troy Raeder 1,2, Marina Blanton 2, Nitesh V. Chawla 1,2, and Keith Frikken 3 1 Interdisciplinary Center for Network Science and Applications University of Notre Dame,

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca,

Experimental Analysis of Privacy-Preserving Statistics Computation

Experimental Analysis of Privacy-Preserving Statistics Computation Hiranmayee Subramaniam 1, Rebecca N. Wright 2, and Zhiqiang Yang 2 1 Stevens Institute of Technology graduate, hiran@polypaths.com. 2

New Efficient Searchable Encryption Schemes from Bilinear Pairings

International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang

Efficient and Robust Secure Aggregation of Encrypted Data in Wireless Sensor Networks

Efficient and Robust Secure Aggregation of Encrypted Data in Wireless Sensor Networks J. M. BAHI, C. GUYEUX, and A. MAKHOUL Computer Science Laboratory LIFC University of Franche-Comté Journée thématique

Private Inference Control For Aggregate Database Queries

Private Inference Control For Aggregate Database Queries Geetha Jagannathan geetha@cs.rutgers.edu Rebecca N. Wright Rebecca.Wright@rutgers.edu Department of Computer Science Rutgers, State University of

Batch Decryption of Encrypted Short Messages and Its Application on Concurrent SSL Handshakes

Batch Decryption of ncrypted Short Messages and Its Application on Concurrent SSL Handshakes Yongdong Wu and Feng Bao System and Security Department Institute for Infocomm Research 21, Heng Mui Keng Terrace,

FACTORING POLYNOMIALS IN THE RING OF FORMAL POWER SERIES OVER Z

FACTORING POLYNOMIALS IN THE RING OF FORMAL POWER SERIES OVER Z DANIEL BIRMAJER, JUAN B GIL, AND MICHAEL WEINER Abstract We consider polynomials with integer coefficients and discuss their factorization

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

H/wk 13, Solutions to selected problems

H/wk 13, Solutions to selected problems Ch. 4.1, Problem 5 (a) Find the number of roots of x x in Z 4, Z Z, any integral domain, Z 6. (b) Find a commutative ring in which x x has infinitely many roots.

An Application of the Goldwasser-Micali Cryptosystem to Biometric Authentication

The 12th Australasian Conference on Information Security and Privacy (ACISP 07). (2 4 july 2007, Townsville, Queensland, Australia) J. Pieprzyk Ed. Springer-Verlag, LNCS????, pages??????. An Application

Private Searching On Streaming Data

Journal of Cryptology, Volume 20:4, pp. 397-430, October 2007. 1 Private Searching On Streaming Data Rafail Ostrovsky William E. Skeith III Abstract In this paper, we consider the problem of private searching

Chapter 4, Arithmetic in F [x] Polynomial arithmetic and the division algorithm.

Chapter 4, Arithmetic in F [x] Polynomial arithmetic and the division algorithm. We begin by defining the ring of polynomials with coefficients in a ring R. After some preliminary results, we specialize

Elementary Number Theory

Elementary Number Theory Ahto Buldas December 3, 2016 Ahto Buldas Elementary Number Theory December 3, 2016 1 / 1 Division For any m > 0, we define Z m = {0, 1,... m 1} For any n, m Z (m > 0), there are

Introduction. Digital Signature

Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

On the representability of the bi-uniform matroid

On the representability of the bi-uniform matroid Simeon Ball, Carles Padró, Zsuzsa Weiner and Chaoping Xing August 3, 2012 Abstract Every bi-uniform matroid is representable over all sufficiently large

A Secure Model for Medical Data Sharing

International Journal of Database Theory and Application 45 A Secure Model for Medical Data Sharing Wong Kok Seng 1,1,Myung Ho Kim 1, Rosli Besar 2, Fazly Salleh 2 1 Department of Computer, Soongsil University,

Boosting Linearly-Homomorphic Encryption to Evaluate Degree-2 Functions on Encrypted Data

Boosting Linearly-Homomorphic Encryption to Evaluate Degree-2 Functions on Encrypted Data Dario Catalano 1 and Dario Fiore 2 1 Dipartimento di Matematica e Informatica, Università di Catania, Italy. catalano@dmi.unict.it

Key Privacy for Identity Based Encryption

Key Privacy for Identity Based Encryption Internet Security Research Lab Technical Report 2006-2 Jason E. Holt Internet Security Research Lab Brigham Young University c 2006 Brigham Young University March

Paillier Threshold Encryption Toolbox

Paillier Threshold Encryption Toolbox October 23, 2010 1 Introduction Following a desire for secure (encrypted) multiparty computation, the University of Texas at Dallas Data Security and Privacy Lab created

Lecture 2: Complexity Theory Review and Interactive Proofs

600.641 Special Topics in Theoretical Cryptography January 23, 2007 Lecture 2: Complexity Theory Review and Interactive Proofs Instructor: Susan Hohenberger Scribe: Karyn Benson 1 Introduction to Cryptography

On the Limits of Anonymous Password Authentication

On the Limits of Anonymous Password Authentication Yan-Jiang Yang a Jian Weng b Feng Bao a a Institute for Infocomm Research, Singapore, Email: {yyang,baofeng}@i2r.a-star.edu.sg. b School of Computer Science,

Techniques for Policy Enforcement on Encrypted Network Traffic

Techniques for Policy Enforcement on Encrypted Network Traffic Y.SinanHanayandTilmanWolf Department of Electrical and Computer Engineering University of Massachusetts, Amherst, MA, USA {hanay,wolf}@ecs.umass.edu

Privacy-Preserving Television Audience Measurement Using Smart TVs

Privacy-Preserving Television Audience Measurement Using Smart TVs George Drosatos, Aimilia Tasidou, and Pavlos S. Efraimidis Dept. of Electrical and Computer Engineering, Democritus University of Thrace,

Secure Group Oriented Data Access Model with Keyword Search Property in Cloud Computing Environment

Secure Group Oriented Data Access Model with Keyword Search Property in Cloud Computing Environment Chih Hung Wang Computer Science and Information Engineering National Chiayi University Chiayi City 60004,

it is easy to see that α = a

21. Polynomial rings Let us now turn out attention to determining the prime elements of a polynomial ring, where the coefficient ring is a field. We already know that such a polynomial ring is a UF. Therefore

Dealing Cards in Poker Games

1 Dealing Cards in Poker Games Philippe Golle Palo Alto Research Center pgolle@parc.com Abstract This paper proposes a new protocol for shuffling and dealing cards, that is designed specifically for games

Modern Algebra Lecture Notes: Rings and fields set 4 (Revision 2)

Modern Algebra Lecture Notes: Rings and fields set 4 (Revision 2) Kevin Broughan University of Waikato, Hamilton, New Zealand May 13, 2010 Remainder and Factor Theorem 15 Definition of factor If f (x)

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

Threshold Identity Based Encryption Scheme without Random Oracles

WCAN 2006 Threshold Identity Based Encryption Scheme without Random Oracles Jin Li School of Mathematics and Computational Science Sun Yat-sen University Guangzhou, P.R. China Yanming Wang Lingnan College

CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

A Survey on Optimistic Fair Digital Signature Exchange Protocols

A Survey on Optimistic Fair Digital Signature Exchange s Alfin Abraham Vinodh Ewards Harlay Maria Mathew Abstract Security services become crucial to many applications such as e-commerce payment protocols,

Legally Enforceable Fairness in Secure Two-Party Computation

Legally Enforceable Fairness in Secure Two-Party Computation Yehuda Lindell Department of Computer Science Bar-Ilan University, Israel. lindell@cs.biu.ac.il Abstract In the setting of secure multiparty

Math 345-60 Abstract Algebra I Questions for Section 23: Factoring Polynomials over a Field

Math 345-60 Abstract Algebra I Questions for Section 23: Factoring Polynomials over a Field 1. Throughout this section, F is a field and F [x] is the ring of polynomials with coefficients in F. We will

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2

Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak

Non-Black-Box Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a

Identity-Based Encryption from the Weil Pairing

Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages

Information Sciences

Information Sciences 180 (2010) 3059 3064 Contents lists available at ScienceDirect Information Sciences journal homepage: www.elsevier.com/locate/ins Strong (n, t, n) verifiable secret sharing scheme

COMPARING ENCRYPTED DATA. Thijs Veugen

COMPARING ENCRYPTED DATA Thijs Veugen Multimedia Signal Processing Group, Delft University of Technology, The Netherlands, and TNO Information and Communication Technology, Delft, The Netherlands ABSTRACT

Introduction to Finite Fields (cont.)

Chapter 6 Introduction to Finite Fields (cont.) 6.1 Recall Theorem. Z m is a field m is a prime number. Theorem (Subfield Isomorphic to Z p ). Every finite field has the order of a power of a prime number

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis

Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

A NOVEL APPROACH FOR VERIFIABLE SECRET SHARING BY USING A ONE WAY HASH FUNCTION

A NOVEL APPROACH FOR VERIFIABLE SECRET SHARING BY Abstract USING A ONE WAY HASH FUNCTION Keyur Parmar & Devesh Jinwala Sardar Vallabhbhai National Institute of Technology, Surat Email : keyur.beit@gmail.com

Efficient General-Adversary Multi-Party Computation Martin Hirt, Daniel Tschudi ETH Zurich {hirt,tschudid}@inf.ethz.ch Abstract. Secure multi-party computation (MPC) allows a set P of n players to evaluate

Electronic Contract Signing without Using Trusted Third Party

Electronic Contract Signing without Using Trusted Third Party Zhiguo Wan 1, Robert H. Deng 2 and David Lee 1 Sim Kim Boon Institute for Financial Economics 1, School of Information Science 2, Singapore

Security Analysis for Order Preserving Encryption Schemes

Security Analysis for Order Preserving Encryption Schemes Liangliang Xiao University of Texas at Dallas Email: xll052000@utdallas.edu Osbert Bastani Harvard University Email: obastani@fas.harvard.edu I-Ling

On Combining Privacy with Guaranteed Output Delivery in Secure Multiparty Computation

On Combining Privacy with Guaranteed Output Delivery in Secure Multiparty Computation Yuval Ishai 1, Eyal Kushilevitz 1, Yehuda Lindell 2, and Erez Petrank 1 1 Technion ({yuvali,eyalk,erez}@cs.technion.ac.il)

Programmable Order-Preserving Secure Index for Encrypted Database Query

2012 IEEE Fifth International Conference on Cloud Computing Programmable Order-Preserving Secure Index for Encrypted Database Query Dongxi Liu Shenlu Wang CSIRO ICT Centre, Marsfield, NSW 2122, Australia

Privacy-Preserving Social Network Analysis for Criminal Investigations

Privacy-Preserving Social Network Analysis for Criminal Investigations Florian Kerschbaum SAP Research Karlsruhe, Germany florian.kerschbaum@sap.com Andreas Schaad SAP Research Karlsruhe, Germany andreas.schaad@sap.com

PARTICIPATORY sensing and data surveillance are gradually

1 A Comprehensive Comparison of Multiparty Secure Additions with Differential Privacy Slawomir Goryczka and Li Xiong Abstract This paper considers the problem of secure data aggregation (mainly summation)

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key

RSA Attacks. By Abdulaziz Alrasheed and Fatima

RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.

Public Key Encryption that Allows PIR Queries

Public Key Encryption that Allows PIR Queries Dan Boneh Eyal Kushilevitz Rafail Ostrovsky William E Skeith III Appeared at CRYPTO 2007: 50-67 Abstract Consider the following problem: Alice wishes to maintain

Polynomials can be added or subtracted simply by adding or subtracting the corresponding terms, e.g., if

1. Polynomials 1.1. Definitions A polynomial in x is an expression obtained by taking powers of x, multiplying them by constants, and adding them. It can be written in the form c 0 x n + c 1 x n 1 + c

Factoring Cubic Polynomials

Factoring Cubic Polynomials Robert G. Underwood 1. Introduction There are at least two ways in which using the famous Cardano formulas (1545) to factor cubic polynomials present more difficulties than

EFFICIENT AND SECURE ATTRIBUTE REVOCATION OF DATA IN MULTI-AUTHORITY CLOUD STORAGE

EFFICIENT AND SECURE ATTRIBUTE REVOCATION OF DATA IN MULTI-AUTHORITY CLOUD STORAGE Reshma Mary Abraham and P. Sriramya Computer Science Engineering, Saveetha University, Chennai, India E-Mail: reshmamaryabraham@gmail.com

Quotient Rings and Field Extensions

Chapter 5 Quotient Rings and Field Extensions In this chapter we describe a method for producing field extension of a given field. If F is a field, then a field extension is a field K that contains F.

POLYNOMIAL RINGS AND UNIQUE FACTORIZATION DOMAINS

POLYNOMIAL RINGS AND UNIQUE FACTORIZATION DOMAINS RUSS WOODROOFE 1. Unique Factorization Domains Throughout the following, we think of R as sitting inside R[x] as the constant polynomials (of degree 0).

Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database

More Mathematical Induction. October 27, 2016

More Mathematical Induction October 7, 016 In these slides... Review of ordinary induction. Remark about exponential and polynomial growth. Example a second proof that P(A) = A. Strong induction. Least

Lecture 5 - CPA security, Pseudorandom functions

Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.

Reusable Anonymous Return Channels

Reusable Anonymous Return Channels Philippe Golle Stanford University Stanford, CA 94305, USA pgolle@cs.stanford.edu Markus Jakobsson RSA Laboratories Bedford, MA 01730, USA mjakobsson@rsasecurity.com

Collusion-Resistant Outsourcing of Private Set Intersection

Collusion-Resistant Outsourcing of Private Set Intersection Florian Kerschbaum SAP Research Karlsruhe, Germany florian.kerschbaum@sap.com ABSTRACT Set intersection is a building block for many data analysis

A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem

A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem Jintai Ding, Xiang Xie, Xiaodong Lin University of Cincinnati Chinese Academy of Sciences Rutgers University Abstract.

Secure Computation Martin Beck

Institute of Systems Architecture, Chair of Privacy and Data Security Secure Computation Martin Beck Dresden, 05.02.2015 Index Homomorphic Encryption The Cloud problem (overview & example) System properties

Encoding Rational Numbers for FHE-based Applications

Encoding Rational Numbers for FHE-based Applications HeeWon Chung 1 and Myungsun Kim 1 Department of Mathematical Sciences Seoul National University, Seoul 0886, South Korea runghyun@snu.ac.kr Department

5. Convergence of sequences of random variables

5. Convergence of sequences of random variables Throughout this chapter we assume that {X, X 2,...} is a sequence of r.v. and X is a r.v., and all of them are defined on the same probability space (Ω,

Hey! Cross Check on Computation in Cloud

Hey! Cross Check on Computation in Cloud Ajeet Singh Rajput Computer Science and Engineering Department S.D.B.C.T, Mhow Road,Indore,(M.P), India ajeetsinghrajput@gmail.com M.E.(CSE), S.D.B.C.T, Indore

Factorization Algorithms for Polynomials over Finite Fields

Degree Project Factorization Algorithms for Polynomials over Finite Fields Sajid Hanif, Muhammad Imran 2011-05-03 Subject: Mathematics Level: Master Course code: 4MA11E Abstract Integer factorization is

The Division Algorithm for Polynomials Handout Monday March 5, 2012

The Division Algorithm for Polynomials Handout Monday March 5, 0 Let F be a field (such as R, Q, C, or F p for some prime p. This will allow us to divide by any nonzero scalar. (For some of the following,

Share conversion, pseudorandom secret-sharing and applications to secure distributed computing

Share conversion, pseudorandom secret-sharing and applications to secure distributed computing Ronald Cramer 1, Ivan Damgård 2, and Yuval Ishai 3 1 CWI, Amsterdam and Mathematical Institute, Leiden University

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

Winter Camp 2011 Polynomials Alexander Remorov. Polynomials. Alexander Remorov alexanderrem@gmail.com

Polynomials Alexander Remorov alexanderrem@gmail.com Warm-up Problem 1: Let f(x) be a quadratic polynomial. Prove that there exist quadratic polynomials g(x) and h(x) such that f(x)f(x + 1) = g(h(x)).

A New, Publicly Veriable, Secret Sharing Scheme

Scientia Iranica, Vol. 15, No. 2, pp 246{251 c Sharif University of Technology, April 2008 A New, Publicly Veriable, Secret Sharing Scheme A. Behnad 1 and T. Eghlidos A Publicly Veriable Secret Sharing

Factoring Polynomials

Factoring Polynomials Sue Geller June 19, 2006 Factoring polynomials over the rational numbers, real numbers, and complex numbers has long been a standard topic of high school algebra. With the advent

New Techniques for Private Stream Searching

New Techniques for Private Stream Searching John Bethencourt Dawn Song Brent Waters February 2006 CMU-CS-06-106 School of Computer Science Carnegie Mellon University Pittsburgh, PA 15213 Carnegie Mellon

Secure and privacy-preserving DRM scheme using homomorphic encryption in cloud computing

December 2013, 20(6): 88 95 www.sciencedirect.com/science/journal/10058885 The Journal of China Universities of Posts and Telecommunications http://jcupt.xsw.bupt.cn Secure and privacy-preserving DRM scheme

A Factoring and Discrete Logarithm based Cryptosystem

Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511-517 HIKARI Ltd, www.m-hikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques

Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

Secure Large-Scale Bingo

Secure Large-Scale Bingo Antoni Martínez-Ballesté, Francesc Sebé and Josep Domingo-Ferrer Universitat Rovira i Virgili, Dept. of Computer Engineering and Maths, Av. Països Catalans 26, E-43007 Tarragona,

Security Analysis of DRBG Using HMAC in NIST SP 800-90

Security Analysis of DRBG Using MAC in NIST SP 800-90 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@u-fukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator

Math 421, Homework #5 Solutions

Math 421, Homework #5 Solutions (1) (8.3.6) Suppose that E R n and C is a subset of E. (a) Prove that if E is closed, then C is relatively closed in E if and only if C is a closed set (as defined in Definition

Oblivious Transfer. Sven Laur University of Tartu

Oblivious Transfer Sven Laur swen@math.ut.ee University of Tartu Ideal implementation b x 0, x 1 b x 0, x 1 x b Ideal ( 2 1) -OT The protocol is always carried out between a client P 1 and a sender P 2.

The Mean Value Theorem

The Mean Value Theorem THEOREM (The Extreme Value Theorem): If f is continuous on a closed interval [a, b], then f attains an absolute maximum value f(c) and an absolute minimum value f(d) at some numbers

Information Security in Big Data using Encryption and Decryption

International Research Journal of Computer Science (IRJCS) ISSN: 2393-9842 Information Security in Big Data using Encryption and Decryption SHASHANK -PG Student II year MCA S.K.Saravanan, Assistant Professor

Universal Padding Schemes for RSA Jean-Sébastien Coron, Marc Joye, David Naccache, and Pascal Paillier Gemplus Card International, France {jean-sebastien.coron, marc.joye, david.naccache, pascal.paillier}@gemplus.com

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

Ciphertext-Auditable Identity-based Encryption

International Journal of Network Security, Vol.17, No.1, PP.23 28, Jan. 2015 23 Ciphertext-Auditable Identity-based Encryption Changlu Lin 1, Yong Li 2, Kewei Lv 3, and Chin-Chen Chang 4,5 (Corresponding

Irreducibility criteria for compositions and multiplicative convolutions of polynomials with integer coefficients

DOI: 10.2478/auom-2014-0007 An. Şt. Univ. Ovidius Constanţa Vol. 221),2014, 73 84 Irreducibility criteria for compositions and multiplicative convolutions of polynomials with integer coefficients Anca

The application of prime numbers to RSA encryption

The application of prime numbers to RSA encryption Prime number definition: Let us begin with the definition of a prime number p The number p, which is a member of the set of natural numbers N, is considered

Comments on "public integrity auditing for dynamic data sharing with multi-user modification"

University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers Faculty of Engineering and Information Sciences 2016 Comments on "public integrity auditing for dynamic

1 Public-Key Encryption in Practice

CS 120/CSCI E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 16, 2006 Lecture Notes 15: Public-Key Encryption in Practice Recommended Reading. KatzLindell, Sections 9.4, 9.5.3 1 Public-Key

Security System in Cloud Computing for Medical Data Usage

, pp.27-31 http://dx.doi.org/10.14257/astl.2013.38.06 Security System in Cloud Computing for Medical Data Usage Maya Louk 1, Hyotaek Lim 2, Hoon Jae Lee 3 1 Department of Ubiquitous IT, Graduate School

Note on some explicit formulae for twin prime counting function

Notes on Number Theory and Discrete Mathematics Vol. 9, 03, No., 43 48 Note on some explicit formulae for twin prime counting function Mladen Vassilev-Missana 5 V. Hugo Str., 4 Sofia, Bulgaria e-mail:

On Generating the Initial Key in the Bounded-Storage Model

On Generating the Initial Key in the Bounded-Storage Model Stefan Dziembowski Institute of Informatics, Warsaw University Banacha 2, PL-02-097 Warsaw, Poland, std@mimuw.edu.pl Ueli Maurer Department of

Secure Computation Without Authentication

Secure Computation Without Authentication Boaz Barak 1, Ran Canetti 2, Yehuda Lindell 3, Rafael Pass 4, and Tal Rabin 2 1 IAS. E:mail: boaz@ias.edu 2 IBM Research. E-mail: {canetti,talr}@watson.ibm.com