Compact CCA2-secure Hierarchical Identity-Based Broadcast Encryption for Fuzzy-entity Data Sharing
Weiran Liu (1), Jianwei Liu (1), Qianhong Wu (1), Bo Qin (2), David Naccache (3), and Houda Ferradi (4)

(1) School of Electronic and Information Engineering, Beihang University, XueYuan Road No.37, Haidian District, Beijing, China. liuweiran900217@gmail.com, liujianwei@buaa.edu.cn, qianhong.wu@buaa.edu.cn
(2) School of Information, Renmin University of China, ZhongGuanCun Street No. 59, Haidian District, Beijing, China. bo.qin@ruc.edu.cn
(3) Département d'Informatique, 45 rue d'Ulm, École normale supérieure, Paris cedex 05, F-75230, France. david.naccache@ens.fr, Houda.Ferradi@ens.fr

Abstract. With the advances of cloud computing, data sharing becomes easier for large-scale enterprises. When deploying privacy and security schemes in data sharing systems, fuzzy-entity data sharing, entity management, and efficiency must be taken into account, especially when the system is asked to share data with a large number of users in a tree-like structure. Hierarchical Identity-Based Encryption is a promising candidate to ensure fuzzy-entity data sharing functionalities while meeting the security requirement, but encounters efficiency difficulties in multi-user settings. This paper proposes a new primitive called Hierarchical Identity-Based Broadcast Encryption (HIBBE) to support a multi-user data sharing mechanism. Similar to HIBE, HIBBE organizes users in a tree-like structure and users can delegate their decryption capability to their subordinates. Unlike HIBE, which merely allows a single decryption path, HIBBE enables encryption to any subset of the users, and only the intended users and their supervisors can decrypt. We define Ciphertext Indistinguishability against Adaptively Chosen-Identity-Vector-Set and Chosen-Ciphertext Attack (IND-CIVS-CCA2) for HIBBE, which captures the most powerful attacks in the real world. We achieve this goal in the standard model in two steps.
We first construct an efficient HIBBE Scheme (HIBBES) against Adaptively Chosen-Identity-Vector-Set and Chosen-Plaintext Attack (IND-CIVS-CPA), in which the attacker is not allowed to query the decryption oracle. Then we convert it into an IND-CIVS-CCA2 scheme at only a marginal cost, i.e., merely adding one on-the-fly dummy user at the first depth of the hierarchy in the basic scheme, without requiring any other cryptographic primitives. Our CCA2-secure scheme natively allows a public ciphertext validity test, which is a useful property when a CCA2-secure HIBBES is used to design advanced protocols and auditing mechanisms for HIBBE-based data sharing.

Keywords: Hierarchical Identity-Based Broadcast Encryption; Adaptive Security; Chosen-ciphertext Security; Fuzzy-entity Data Sharing

1 Introduction

The rapid development of Cloud Computing has brought great convenience for on-demand data sharing. Nowadays, large-scale enterprises choose to acquire cloud storage services from a cloud service provider, or to establish their own cloud data center for cost-effective data sharing. In this paradigm, individual staff in such an enterprise can easily acquire useful data, while sharing data with superiors, colleagues, and subordinates in an on-demand manner. This significantly improves communication efficiency and lowers data sharing expenses, and thus brings benefits to the enterprise.

Due to its openness, a data sharing system is always deployed in a hostile environment and is vulnerable to a number of security threats [25]. Among all, data privacy, legal access, and data authenticity are the main security concerns in data sharing systems [12]. These security issues can be respectively addressed with the help of traditional cryptographic tools, e.g., encryption, message authentication codes (MAC), and digital signatures. However, bringing these cryptographic tools into large-scale data sharing systems may raise additional difficulties when taking into account other issues, such as fuzzy-entity data sharing, effective entity management, and efficiency.

Traditional cryptographic tools allow data encryption and data authentication after explicitly knowing the receivers' public yet random information, i.e., public keys. When the personnel structure of the company changes, which happens rapidly in a large-scale enterprise, fuzzy-entity data sharing is needed so that staff can share data without knowing the receivers' public keys, only their recognizable identities. Identity-Based Encryption (IBE), introduced by Shamir [37], allows one to securely communicate with others if he/she knows their public identities. In IBE, users' recognizable identities, such as their social security numbers, IPs or email addresses, are used as their public keys. A Private Key Generator (PKG) is used to generate secret keys associated with the users' public identities. One can encrypt to any user by specifying its recognizable identity, and only the intended user can decrypt.

While IBE supports fuzzy-entity data sharing in the enterprise, it faces the difficulty of inefficient entity management. In IBE systems, every entity should ask the PKG for a secret key associated with its own identity. However, the number of users in a data sharing system could be huge [25]. As the number of users in the system increases, the PKG may be kept busy generating secret keys in reply to the users' key requests. A method of sharing the PKG's burden is required. Hierarchical IBE (HIBE) extends IBE to endow a large number of users with a delegation mechanism. HIBE [20] organizes users in a tree-like structure, which is consistent with the structure of large-scale enterprises and organizations [16, 42]. The PKG's burden is shared by upper-level users, who can delegate secret keys to their subordinates. In the encryption process, the sender associates the ciphertext with an identity vector instead of a single identity. Then only the users whose identities appear in the specified identity vector can decrypt.

When applying HIBE in an enterprise or an organization for data sharing, one should also consider efficiency aspects, that is, the computation and communication costs in different data sharing situations. In such an application scenario, individual staff may have to simultaneously communicate and share data with multiple users in hierarchical organizations. For example, the enterprise may cooperate with a number of professors from different laboratories in a university to develop a new software system. The enterprise can separately encrypt to these professors by specifying their respective decryption paths. However, this trivial solution incurs a heavy encryption burden and long ciphertexts. Another example comes from the cloud-based electronic health record system, where medical staff should share patients' electronic health records with chief/assistant doctors in distinct departments [33]. Applying existing HIBE schemes in such systems is a reasonable solution. However, HIBE gradually becomes inefficient when the number of involved departments increases. We are interested in more practical solutions to such applications.

1.1 Our Contributions

We propose a new cryptographic primitive called Hierarchical Identity-Based Broadcast Encryption (HIBBE). Users in a tree-like structure can delegate their decryption capabilities to their subordinates, so that the burden of the PKG can be shared when the system hosts a large number of users. One can encrypt to any subset of the users, and only the intended ones and their supervisors can decrypt.

We define the security notion for HIBBE, named Ciphertext Indistinguishability against Adaptively Chosen-Identity-Vector-Set and Chosen-Ciphertext Attack (IND-CIVS-CCA2). In this notion, the attacker is simultaneously allowed to adaptively query for the secret keys of users recognized by identity vectors of its choice and to issue decryption queries for receiver identity vector sets at will. Even such an attacker cannot distinguish the encrypted messages, provided that the attacker does not query for the secret keys of the target users or their supervisors.
Clearly, this definition captures the most powerful attacks on HIBBE in the real world.

We obtain an IND-CIVS-CCA2 scheme in the standard model, without using random oracles, in two steps. We first construct an HIBBE Scheme (HIBBES) against Adaptively Chosen-Identity-Vector-Set and Chosen-Plaintext Attack (IND-CIVS-CPA) in the standard model, in which the attacker is not allowed to issue decryption queries. Then, at merely marginal cost, we convert the basic scheme into an IND-CIVS-CCA2 scheme by adding only one on-the-fly dummy user, rather than adding one hierarchy of users as in existing conversions from a CPA-secure hierarchical encryption scheme to a CCA2-secure one. Both schemes have constant size ciphertexts and are efficient in terms of communications and data sharing in multi-receiver situations. This novel cryptographic scheme suitably meets the security and efficiency requirements of large-scale enterprises, including fuzzy-entity data sharing, entity management, and efficiency.

Compared with the preliminary version [31] of the paper, in this extended work we give the formal security proof of the CPA security of the basic scheme; we further convert the CPA-secure HIBBES into a CCA2-secure HIBBES with a compact design, in the sense that the conversion does not require any other cryptographic primitives; and we formally prove that the resulting scheme is CCA2-secure in the standard model. Our CCA2-secure HIBBES allows a public ciphertext validity test, which is useful for a third party, e.g., a firewall, to filter invalid spam, and for system designers to design advanced protocols from HIBBE, e.g., publicly verifiable HIBBE allowing auditing for cloud data centers [13, 38], and data authentication of HIBBE-encrypted digital contents [26].

1.2 Related Work

Identity-Based Encryption. Since the concept of Identity-Based Encryption (IBE) was introduced by Shamir [37], it took a long time for researchers to construct a practical and fully functional IBE Scheme (IBES). In 2001, Boneh and Franklin [3, 4] precisely defined the security model of IBE and proposed the first practical IBES by using bilinear pairings. In the Boneh-Franklin security model, the adversary can adaptively request secret keys for the identities of its choice and can choose the challenge identity it wants to attack at any point during the key-requesting process, provided that the secret key for the challenge identity is not queried. The security of their IBES [3, 4] requires cryptographic hash functions to be modeled as random oracles. Canetti et al. [10, 11] formalized a slightly weaker security notion, called selective-ID security, in which the adversary must disclose the challenge identity before the public parameters are generated. They exhibited a selective-ID secure IBES without using random oracles. Since then, more practical IBES have been proposed that are shown to be secure without random oracles in the selective-ID security model [1] or in the standard security model [39]. These schemes are secure against CPA.
Interestingly, some recent works [8, 9, 11] showed that CPA-secure IBES can be used to construct regular Public-Key Encryption systems with CCA2 security. Canetti, Halevi and Katz [11] exhibited a generic conversion by adding a one-time signature scheme and hashing the signature parameters as a special identity in encryption. Boneh and Katz [8] later presented a more efficient construction using a MAC to replace the one-time signature. More recently, Boyen et al. [9] introduced a new technique that can directly obtain CCA2 security from some particular IBES without extra cryptographic primitives. Park et al. [34] proposed a concrete CCA2-secure IBES with a tight security reduction in the random oracle model.

Broadcast Encryption. In Broadcast Encryption (BE) [18], a dealer is employed to generate and distribute decryption keys for users. A sender can encrypt to a subset of the users, and only the privileged users can decrypt. This functionality models flexible secure one-to-many communication scenarios [35]. Since the BE concept was introduced in 1994 [18], many BE Schemes have been proposed to gain more preferable properties. We mention just a few of those properties, such as Stateless Receivers (after getting the broadcast secret keys, users do not need to update them) [17, 22], Fully Collusion Resistant (even if all users except the receiver set collude, they can obtain no information about the plaintext) [5], Dynamic (the dealer can dynamically recruit new members while the other members will not be affected) [15], Anonymity (a receiver does not need to know who the other receivers are when decrypting ciphertexts) [30], and Contributory Broadcast (anyone can send messages to any subset of the group members without a trusted key server) [41].

Identity-Based Broadcast Encryption. Identity-Based Broadcast Encryption (IBBE) incorporates the idea of BE into IBE and recognizes the users in a BES by their identities, instead of indexes assigned by the system.
When one needs to send confidential messages to multiple users, the sender in IBBE can efficiently encrypt the message once to multiple users and simply broadcast the resulting ciphertext. Fully functional IBBE was formalized and realized by Delerablée with constant size ciphertexts and secret keys [14], although it is only selective-ID secure in the random oracle model. The up-to-date IBBE Schemes [21, 36, 27] are shown to be secure in the standard security model.

Hierarchical Identity-Based Encryption. Horwitz and Lynn [23] first proposed the concept of HIBE and presented a two-level HIBES in the same article. The first fully functional HIBE construction was proposed by Gentry and Silverberg [20]. Its security relies on the Bilinear Diffie-Hellman assumption in the random oracle model. Subsequently, Boneh and Boyen [1] introduced HIBES in the selective-ID model without using random oracles. Boneh, Boyen and Goh [2] presented a selective-ID secure HIBE with constant size ciphertext. Gentry and Halevi [19] constructed a fully secure HIBES supporting polynomial hierarchy depth. In 2009, Waters [40] proposed a new framework, called Dual System Encryption, for constructing fully secure IBES and HIBES. This approach has become a powerful tool for obtaining fully secure encryption schemes [28, 29]. These plain HIBES are CPA-secure. The techniques in the previously reviewed conversions [8, 9, 11] can be extended to achieve CCA2-secure HIBES from CPA-secure ones by adding one extra hierarchy to the underlying CPA-secure HIBES.

Generalized Identity-Based Encryption. Boneh and Hamburg [7] proposed a general framework for constructing IBES, named Generalized Identity-Based Encryption (GIBE), to incorporate different properties in IBE via a product rule. They also introduced an important instance of GIBE called Spatial Encryption (SE), showing that many GIBES are embedded in it, e.g., HIBE, inclusive IBE, and co-inclusive IBE, in identity-based-like settings. HIBBE can also be derived from SE. However, the HIBBE derived from their SE only has selective and chosen-plaintext security. Very recently, Zhang et al. [43] suggested two fully secure and anonymous SE schemes, which not only obtain full security, but further protect the recipient identity privacy. Their constructions achieve CPA security and can be extended to CCA2 security, but also with the help of one-time signature schemes.

1.3 Paper Organization

The rest of the paper is organized as follows. In Section 2, we review composite order bilinear groups and the assumptions used in our constructions. Section 3 formalizes HIBBE and its security definitions. We propose a secure HIBBES against Adaptively Chosen-Identity-Vector-Set and Chosen-Plaintext Attack in Section 4. We then introduce a compact transformation that converts our CPA-secure HIBBES into a CCA2-secure one in Section 5. We conclude the paper in Section 6.

2 Preliminaries

2.1 Composite Order Bilinear Groups

Composite order bilinear groups were first introduced in [6].
Let $\mathcal{G}$ be an algorithm which takes a security parameter $\lambda$ as input and outputs the description of a bilinear group $(N, G, G_T, e)$, where $N = p_1 p_2 p_3$ is a composite integer with three distinct large prime factors $p_1$, $p_2$ and $p_3$, $G$ and $G_T$ are cyclic groups of order $N$, and $e : G \times G \to G_T$ is a bilinear map satisfying the following properties:

1. Bilinearity: for all $g, h \in G$ and $a, b \in \mathbb{Z}_N$, $e(g^a, h^b) = e(g, h)^{ab}$;
2. Non-degeneracy: there exists at least one element $g \in G$ such that $e(g, g)$ has order $N$ in $G_T$;
3. Computability: there exists an efficient algorithm, polynomial time with respect to $\lambda$, computing the bilinear pairing $e(u, v)$ for all $u, v \in G$.

In addition to these properties, the three subgroups of order $p_1$, $p_2$ and $p_3$ in $G$ (we respectively denote them by $G_{p_1}$, $G_{p_2}$ and $G_{p_3}$) satisfy the orthogonality property: for all $h_i \in G_{p_i}$ and $h_j \in G_{p_j}$, $e(h_i, h_j) = 1$ for $i \neq j$. This special property will be an essential tool in our constructions and the security proofs.

2.2 Assumptions in Composite Order Bilinear Groups

We will use three static assumptions to prove the security of our HIBBES. These three assumptions, which were first introduced by Lewko and Waters [28], hold if it is hard to find a nontrivial factor of $N$. Let $\mathcal{G}$ be a group generating algorithm that outputs a composite order bilinear group $(N = p_1 p_2 p_3, G, G_T, e)$. For ease of description, we let $G_{p_i p_j}$ denote the subgroup of order $p_i p_j$ in $G$.

Let $g \in G_{p_1}$ be a random generator of $G_{p_1}$ and $X_3 \in G_{p_3}$ be a random element in $G_{p_3}$. Assumption 1 is that it is hard to determine whether $T$ is a random element in $G_{p_1 p_2}$ or a random element in $G_{p_1}$, given $D_1 = (g, X_3)$ as an input. We define the advantage of an algorithm $\mathcal{A}$ that outputs $b \in \{0, 1\}$ in solving the first assumption in $G$ to be

$$\mathrm{Adv1}_{\mathcal{A}}(\lambda) = \left| \Pr\left[\mathcal{A}(D_1, T \in G_{p_1 p_2}) = 1\right] - \Pr\left[\mathcal{A}(D_1, T \in G_{p_1}) = 1\right] \right|$$

Definition 1. Assumption 1 states that $\mathrm{Adv1}_{\mathcal{A}}(\lambda)$ is negligible for all polynomial time algorithms $\mathcal{A}$.

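Let $g \in G_{p_1}$ be a random generator of $G_{p_1}$. Choose random elements $X_1 \in G_{p_1}$, $X_2, Y_2 \in G_{p_2}$ and $X_3, Y_3 \in G_{p_3}$. Assumption 2 is that, given the input $D_2 = (g, X_1 X_2, X_3, Y_2 Y_3)$, it is hard to determine whether $T$ is a random element in $G$ or a random element in $G_{p_1 p_3}$. We define the advantage of an algorithm $\mathcal{A}$ that outputs $b \in \{0, 1\}$ in solving the second assumption in $G$ to be

$$\mathrm{Adv2}_{\mathcal{A}}(\lambda) = \left| \Pr\left[\mathcal{A}(D_2, T \in G) = 1\right] - \Pr\left[\mathcal{A}(D_2, T \in G_{p_1 p_3}) = 1\right] \right|$$

Definition 2. Assumption 2 states that $\mathrm{Adv2}_{\mathcal{A}}(\lambda)$ is negligible for all polynomial time algorithms $\mathcal{A}$.

Similarly, let $g \in G_{p_1}$ be a random generator of $G_{p_1}$, $X_2, Y_2, Z_2 \in G_{p_2}$ be random elements in $G_{p_2}$, $X_3 \in G_{p_3}$ be a random element in $G_{p_3}$, and $\alpha, s \in \mathbb{Z}_N$ be random exponents chosen in $\mathbb{Z}_N$. Assumption 3 states that, given $D_3 = (g, g^{\alpha} X_2, X_3, g^{s} Y_2, Z_2)$ as an input, it is hard to determine whether $T$ is $e(g, g)^{\alpha s}$ or a random element in $G_T$. We define the advantage of an algorithm $\mathcal{A}$ that outputs $b \in \{0, 1\}$ in solving the third assumption in $G$ to be

$$\mathrm{Adv3}_{\mathcal{A}}(\lambda) = \left| \Pr\left[\mathcal{A}(D_3, T \leftarrow e(g, g)^{\alpha s}) = 1\right] - \Pr\left[\mathcal{A}(D_3, T \in G_T) = 1\right] \right|$$

Definition 3. Assumption 3 states that $\mathrm{Adv3}_{\mathcal{A}}(\lambda)$ is negligible for all polynomial time algorithms $\mathcal{A}$.

3 Syntax

3.1 Terminology and Notations

We introduce several notations to simplify the description of HIBBES. Table 1 summarizes these notations and their corresponding meanings.

Table 1. Notations

| Notation | Description |
| --- | --- |
| $\lambda$ | Security Parameter |
| $PK$ | Public Key |
| $MSK$ | Master Key |
| $CT$ | Ciphertext |
| $ID$ | Identity |
| $\mathbf{ID}$ | Identity Vector |
| $I_{\mathbf{ID}}$ | Identity Vector Position |
| $SK_{\mathbf{ID}}$ | Secret Key for Identity Vector |
| $\|\mathbf{ID}\|$ | Depth of $\mathbf{ID}$ |
| $S_{\mathbf{ID}}$ | Identity Set Associated with $\mathbf{ID}$ |
| $\mathbf{V}$ | Identity Vector Set |
| $I_{\mathbf{V}}$ | Identity Vector Set Position |
| $\|\mathbf{V}\|$ | Depth of $\mathbf{V}$ |
| $S_{\mathbf{V}}$ | Identity Set Associated with $\mathbf{V}$ |

We use $[a, b]$ to denote the integer set $\{a, a + 1, \ldots, b\}$. $|S|$ denotes the cardinality of the set $S$. For an identity vector $\mathbf{ID} = (ID_1, ID_2, \ldots, ID_d)$, we define $\|\mathbf{ID}\| = d$ as the depth of $\mathbf{ID}$ and $S_{\mathbf{ID}} = \{ID_1, \ldots, ID_d\}$ as the identity set associated with $\mathbf{ID}$. The identity vector position of $\mathbf{ID}$ is defined by $I_{\mathbf{ID}} = \{i : ID_i \in S_{\mathbf{ID}}\}$. Similarly, we define the maximal depth of an identity vector set as $\|\mathbf{V}\| = \max\{\|\mathbf{ID}\| : \mathbf{ID} \in \mathbf{V}\}$.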
The associated identity set $S_{\mathbf{V}}$ of $\mathbf{V}$ and the identity vector set position $I_{\mathbf{V}}$ of $\mathbf{V}$ can be defined accordingly.

We slightly abuse the term prefix and define the prefix of an identity vector $\mathbf{ID} = (ID_1, \ldots, ID_d)$ as an identity vector set, $\mathrm{Pref}(\mathbf{ID}) = \{(ID_1, \ldots, ID_{d'}) : d' \le d\}$. Clearly, $|\mathrm{Pref}(\mathbf{ID})| = \|\mathbf{ID}\| = d$. We similarly define the prefix of an identity vector set $\mathbf{V}$ as $\mathrm{Pref}(\mathbf{V}) = \bigcup_{\mathbf{ID} \in \mathbf{V}} \mathrm{Pref}(\mathbf{ID})$.

In practice, a user may have more than one identity or parent node. In this case, we treat these users as different users with the same identity. Hence, without loss of generality, we assume that each user has a unique identity vector and can have at most one parent node.

For example, assume that the users are organized as in Figure 1. For the user whose identity vector is $\mathbf{ID} = (ID_1, ID_3)$, we have that $\|\mathbf{ID}\| = 2$, $S_{\mathbf{ID}} = \{ID_1, ID_3\}$, and $I_{\mathbf{ID}} = \{1, 3\}$. The prefix of $\mathbf{ID}$ is $\mathrm{Pref}(\mathbf{ID}) = \{(ID_1), (ID_1, ID_3)\}$. Similarly, for the broadcast identity vector set $\mathbf{V} = \{(ID_1, ID_3), (ID_2, ID_6, ID_7)\}$, we have that $\|\mathbf{V}\| = \max\{2, 3\} = 3$, the identity set associated with $\mathbf{V}$ is $S_{\mathbf{V}} = \{ID_1, ID_3, ID_2, ID_6, ID_7\}$, and $I_{\mathbf{V}} = \{1, 3, 2, 6, 7\}$. The prefix of $\mathbf{V}$ is

$$\mathrm{Pref}(\mathbf{V}) = \{(ID_1), (ID_1, ID_3), (ID_2), (ID_2, ID_6), (ID_2, ID_6, ID_7)\}$$

Fig. 1. A Typical Example of an HIBBES.

3.2 Hierarchical Identity-Based Broadcast Encryption

A $(D, n)$-HIBBES consists of five polynomial time algorithms: Setup, KeyGen, Delegate, Encrypt and Decrypt, defined as follows:

- Setup$(D, n, \lambda)$. Takes as inputs the maximal depth $D$ of the hierarchy, the maximal number $n$ of users, and the security parameter $\lambda$. It outputs a master key $MSK$ and a public key $PK$.
- Encrypt$(PK, M, \mathbf{V})$. Takes as inputs the public key $PK$, a message $M$ in the message space $\mathcal{M}$, and a receiver identity vector set $\mathbf{V}$. It outputs the ciphertext $CT$ of the message $M$.
- KeyGen$(MSK, \mathbf{ID})$. Takes as inputs the master key $MSK$ and an identity vector $\mathbf{ID}$. It outputs a secret key $SK_{\mathbf{ID}}$ for the user whose identity vector is $\mathbf{ID}$.
- Delegate$(SK_{\mathbf{ID}'}, ID)$. Takes as inputs a secret key of a user whose identity vector is $\mathbf{ID}'$ of depth $d$ and an identity $ID$. It returns a secret key $SK_{\mathbf{ID}}$ for the user whose identity vector is $\mathbf{ID} = (\mathbf{ID}', ID)$.
- Decrypt$(\mathbf{V}, CT, SK_{\mathbf{ID}})$. Takes as inputs a receiver identity vector set $\mathbf{V}$, a ciphertext $CT$ of a message $M$, and a secret key $SK_{\mathbf{ID}}$ of a user whose identity vector is $\mathbf{ID}$. If $\mathbf{ID} \in \mathrm{Pref}(\mathbf{V})$, it returns $M$.

An HIBBES must satisfy the standard consistency constraint, namely for all $D \le n \in \mathbb{N}$, all $(PP, MSK) \leftarrow \mathrm{Setup}(D, n, \lambda)$, all $SK_{\mathbf{ID}} \leftarrow \mathrm{KeyGen}(MSK, \mathbf{ID})$ or $SK_{\mathbf{ID}} \leftarrow \mathrm{Delegate}(SK_{\mathbf{ID}'}, ID)$ with $\|\mathbf{ID}\| \le D$, all $M \in \mathcal{M}$, and all $CT \leftarrow \mathrm{Encrypt}(PP, M, \mathbf{V})$ with $\|\mathbf{V}\| \le D$ and $|S_{\mathbf{V}}| \le n$, if $\mathbf{ID} \in \mathrm{Pref}(\mathbf{V})$, then $\mathrm{Decrypt}(\mathbf{V}, CT, SK_{\mathbf{ID}}) = M$.

We define the security notion, named Ciphertext Indistinguishability against Adaptively Chosen-Identity-Vector-Set and Chosen-Ciphertext Attack (IND-CIVS-CCA2), for HIBBE. In this security model, the adversary is allowed to obtain the secret keys associated with any identity vectors $\mathbf{ID}$ of its choice and to issue decryption queries for its chosen ciphertexts, provided that the adversary does not query for the secret keys of its chosen receivers or their supervisors, or for the challenge ciphertext as one of its chosen messages. We require that even such an adversary cannot distinguish the encrypted messages of its choice.

IND-CIVS-CCA2 security is defined through a game played by an adversary $\mathcal{A}$ and a challenger $\mathcal{C}$. Both of them are given the parameters $D$, $n$ and $\lambda$ as inputs.

Setup. $\mathcal{C}$ runs the Setup algorithm to obtain the public key $PK$ and gives it to $\mathcal{A}$.

Phase 1. $\mathcal{A}$ adaptively issues two kinds of queries:

- Secret key query for an identity vector $\mathbf{ID}$. $\mathcal{C}$ generates a secret key for $\mathbf{ID}$ and gives it to $\mathcal{A}$.
- Decryption query for the ciphertext $CT$ with a receiver identity vector set $\mathbf{V}$. $\mathcal{C}$ responds by running algorithm KeyGen to generate a secret key $SK_{\mathbf{ID}}$ for an identity vector $\mathbf{ID}$ satisfying $\mathbf{ID} \in \mathrm{Pref}(\mathbf{V})$. It then decrypts the ciphertext $CT$ and returns the resulting message to $\mathcal{A}$.

Challenge. When $\mathcal{A}$ decides that Phase 1 is over, it outputs two equal-length messages $M_0$ and $M_1$ on which $\mathcal{A}$ wishes to be challenged. Also, $\mathcal{A}$ outputs a challenge identity vector set $\mathbf{V}^*$ which contains all the users that $\mathcal{A}$ wishes to attack. The identity vector set $\mathbf{V}^*$ should be such that for all the secret key queries for $\mathbf{ID}$ issued in Phase 1, $\mathbf{ID} \notin \mathrm{Pref}(\mathbf{V}^*)$. $\mathcal{C}$ flips a random coin $b \in \{0, 1\}$ and encrypts $M_b$ under the challenge identity vector set $\mathbf{V}^*$. $\mathcal{C}$ returns the challenge ciphertext $CT^*$ to $\mathcal{A}$.

Phase 2. $\mathcal{A}$ further adaptively issues two kinds of queries:
- Secret key queries for identity vectors $\mathbf{ID}$ such that $\mathbf{ID} \notin \mathrm{Pref}(\mathbf{V}^*)$.
- Decryption queries for ciphertexts $CT$ such that $CT \neq CT^*$.

$\mathcal{C}$ responds the same as in Phase 1.

Guess. Finally, $\mathcal{A}$ outputs a guess $b' \in \{0, 1\}$ and wins the game if $b = b'$.

The advantage of such an $\mathcal{A}$ in attacking the $(D, n)$-HIBBES with security parameter $\lambda$ is defined as

$$\mathrm{Adv}^{\text{IND-CIVS-CCA2}}_{\mathcal{A},D,n}(\lambda) = \left| \Pr[b = b'] - \frac{1}{2} \right|$$

Definition 4. A $(D, n)$-HIBBES is $(\tau, q, q_d, \epsilon)$-secure if for any $\tau$-time IND-CIVS-CCA2 adversary $\mathcal{A}$ that makes at most $q$ secret key queries and $q_d$ decryption queries, $\mathrm{Adv}^{\text{IND-CIVS-CCA2}}_{\mathcal{A},D,n}(\lambda) < \epsilon$.

As usual, we define Ciphertext Indistinguishability against Adaptively Chosen-Identity-Vector-Set and Chosen-Plaintext Attack (IND-CIVS-CPA) for HIBBE as in the preceding game, with the constraint that $\mathcal{A}$ is not allowed to issue any decryption query. $\mathcal{A}$ is still able to adaptively issue secret key queries.

Definition 5. A $(D, n)$-HIBBES is $(\tau, q, \epsilon)$-secure if for any $\tau$-time IND-CIVS-CPA adversary $\mathcal{A}$ that makes at most $q$ secret key queries, we have that $\mathrm{Adv}^{\text{IND-CIVS-CPA}}_{\mathcal{A},D,n}(\lambda) < \epsilon$.

Because it is challenging to achieve full identity/identity-vector security in BE and HIBE, some weaker security notions have been proposed to bridge security proofs or to cater for special applications which require only moderate security levels. One useful security notion, called selective security, was first proposed by Canetti, Halevi, and Katz [10, 11] in IBES. In this notion, $\mathcal{A}$ should commit ahead of time to the challenge identity it will attack. Similar security notions can also be found in HIBES [1] and IBBES [14]. A counterpart security notion can be naturally defined in HIBBES, by requiring the adversary in HIBBE to submit a challenge identity vector set before seeing the public parameters.

Another useful security notion, named semi-static security, can also be extended to HIBBES. This security notion was first defined by Gentry and Waters [21] in BES. In this notion, $\mathcal{A}$ must first commit to a set $S$ before the Setup phase. $\mathcal{A}$ cannot query for the secret key of any user in $S$, but it can attack any target set $S^* \subseteq S$.
This security notion is weaker than full security but stronger than selective security, since $\mathcal{A}$ can partly decide which set is allowed to be queried adaptively. In HIBBES, a similar security notion can be defined by requiring $\mathcal{A}$ to submit an identity vector set $\mathbf{V}$ before the Setup phase and later allowing $\mathcal{A}$ to challenge any identity vector set $\mathbf{V}^* \subseteq \mathrm{Pref}(\mathbf{V})$. Recently, a practical HIBBES with a moderate security result was proposed to meet this security notion [32].

4 IND-CIVS-CPA Secure HIBBE with Constant Size Ciphertext

In this section, we propose an IND-CIVS-CPA secure HIBBE with constant size ciphertext over composite order bilinear groups of order $N = p_1 p_2 p_3$. Our starting point is the Lewko-Waters fully secure HIBES [28], which was inspired by the Boneh-Boyen-Goh selectively secure HIBES [2]. To support broadcast, every user in our system, instead of every depth of hierarchy as in [2, 28], is associated with a random element for blinding its own identity vector in its secret key. Since users' identities have been randomized by different elements, users cannot reveal any information about other users' secret keys from their own ones. We realize the functionalities in $G_{p_1}$, while randomizing secret keys in $G_{p_3}$. The $G_{p_2}$ space, called the semi-functional space, is only used in security proofs.

4.1 Basic Construction

We first assume that the identity vectors at depth $k$ are vector elements in $(\mathbb{Z}_N)^k$. We later extend the construction to identity vectors over $(\{0, 1\}^*)^k$ by first hashing each component $ID_j \in S_{\mathbf{ID}}$ using a collision resistant hash function $H : \{0, 1\}^* \to \mathbb{Z}_N$. We also assume that plaintexts are elements of $G_T$. Similar to HIBES, we assume that users' positions in HIBBE are publicly known with the processing of KeyGen, Delegate, Encrypt and Decrypt. Our $(D, n)$-HIBBES works as follows.

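Setup$(D, n, \lambda)$. Run $(N, G, G_T, e) \leftarrow \mathcal{G}(1^{\lambda})$ to generate a composite integer $N = p_1 p_2 p_3$, two groups $G$, $G_T$ of order $N$, and a bilinear map $e : G \times G \to G_T$. Then, select a random generator $g \in G_{p_1}$, two random elements $h \in G_{p_1}$, $X_3 \in G_{p_3}$, and a random exponent $\alpha \in \mathbb{Z}_N$. Next, pick random elements $u_i \in G_{p_1}$ for all $i \in [1, n]$. The public key $PK$ includes the description of $(N, G, G_T, e)$, as well as

$$\left(g, h, u_1, \ldots, u_n, X_3, e(g, g)^{\alpha}\right)$$

The master key is $MSK \leftarrow g^{\alpha}$.

KeyGen$(MSK, \mathbf{ID})$. For an identity vector $\mathbf{ID}$ of depth $d \le D$, the key generation algorithm picks a random exponent $r \in \mathbb{Z}_N$ and two random elements $A_0, A_1 \in G_{p_3}$. It then chooses random elements $U_j \in G_{p_3}$ for all $j \in [1, n] \setminus I_{\mathbf{ID}}$ and outputs

$$SK_{\mathbf{ID}} \leftarrow \left( g^{\alpha} \Big( h \prod_{i \in I_{\mathbf{ID}}} u_i^{ID_i} \Big)^{r} A_0,\; g^{r} A_1,\; \left\{ u_j^{r} U_j \right\}_{j \in [1,n] \setminus I_{\mathbf{ID}}} \right)$$

Delegate$(SK_{\mathbf{ID}'}, ID)$. Given a secret key

$$SK_{\mathbf{ID}'} = \left( g^{\alpha} \Big( h \prod_{i \in I_{\mathbf{ID}'}} u_i^{ID_i} \Big)^{r'} A_0',\; g^{r'} A_1',\; \left\{ u_j^{r'} U_j' \right\}_{j \in [1,n] \setminus I_{\mathbf{ID}'}} \right) = \left( a_0, a_1, \{b_j\}_{j \in [1,n] \setminus I_{\mathbf{ID}'}} \right)$$

the delegation algorithm generates a secret key for $\mathbf{ID} = (\mathbf{ID}', ID)$ as follows. It picks a random exponent $t \in \mathbb{Z}_N$, and also chooses two random elements $R_0, R_1 \in G_{p_3}$. Next, for all $j \in [1, n] \setminus I_{\mathbf{ID}}$, it chooses random elements $T_j \in G_{p_3}$. The algorithm outputs

$$SK_{\mathbf{ID}} = \left( a_0 \left( b_i^{ID} \right)_{i \in I_{\mathbf{ID}} \setminus I_{\mathbf{ID}'}} \Big( h \prod_{i \in I_{\mathbf{ID}}} u_i^{ID_i} \Big)^{t} R_0,\; a_1 g^{t} R_1,\; \left\{ b_j u_j^{t} T_j \right\}_{j \in [1,n] \setminus I_{\mathbf{ID}}} \right)$$

Note that by implicitly setting $r = r' + t \in \mathbb{Z}_N$, $A_0 = A_0' U_i' R_0 \in G_{p_3}$ with $i \in I_{\mathbf{ID}} \setminus I_{\mathbf{ID}'}$, $A_1 = A_1' R_1 \in G_{p_3}$, and $U_j = U_j' T_j \in G_{p_3}$ for all $j \in [1, n] \setminus I_{\mathbf{ID}}$, this secret key can be written under the form

$$SK_{\mathbf{ID}} \leftarrow \left( g^{\alpha} \Big( h \prod_{i \in I_{\mathbf{ID}}} u_i^{ID_i} \Big)^{r} A_0,\; g^{r} A_1,\; \left\{ u_j^{r} U_j \right\}_{j \in [1,n] \setminus I_{\mathbf{ID}}} \right)$$

which is well-formed as if it were generated by the KeyGen algorithm. Hence $SK_{\mathbf{ID}}$ is a properly distributed secret key for $\mathbf{ID} = (\mathbf{ID}', ID)$.

Encrypt$(PP, M, \mathbf{V})$. For the receiver identity vector set $\mathbf{V}$, the encryption algorithm picks a random exponent $\beta \in \mathbb{Z}_N$ and outputs the ciphertext

$$CT = (C_0, C_1, C_2) = \left( g^{\beta},\; \Big( h \prod_{i \in I_{\mathbf{V}}} u_i^{ID_i} \Big)^{\beta},\; e(g, g)^{\alpha\beta} \cdot M \right)$$

Decrypt$(\mathbf{V}, CT, SK_{\mathbf{ID}})$. Given the ciphertext $CT = (C_0, C_1, C_2)$, any user whose identity vector satisfies $\mathbf{ID} \in \mathrm{Pref}(\mathbf{V})$ can use its corresponding secret key $SK_{\mathbf{ID}} = (a_0, a_1, \{b_j\}_{j \in [1,n] \setminus I_{\mathbf{ID}}})$ to compute

$$K = a_0 \prod_{j \in I_{\mathbf{V}} \setminus I_{\mathbf{ID}}} b_j^{ID_j}$$

Then it outputs the message by calculating $M = C_2 \cdot e(C_1, a_1) / e(K, C_0)$.
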
Soundness. If the ciphertext $CT = (C_0, C_1, C_2)$ is well-formed, then we have

$$K = a_0 \prod_{j \in I_{\mathbf{V}} \setminus I_{\mathbf{ID}}} b_j^{ID_j} = g^{\alpha} \Big( h \prod_{i \in I_{\mathbf{V}}} u_i^{ID_i} \Big)^{r} \Big( A_0 \prod_{j \in I_{\mathbf{V}} \setminus I_{\mathbf{ID}}} U_j^{ID_j} \Big)$$

Note that all random elements in $G_{p_3}$ can be cancelled in the pairing operations due to the orthogonality property. Therefore, for the blinding factor in $C_2$, the following equalities hold:

$$\frac{e(C_1, a_1)}{e(K, C_0)} = \frac{e\Big( \big( h \prod_{i \in I_{\mathbf{V}}} u_i^{ID_i} \big)^{\beta},\; g^{r} A_1 \Big)}{e\Big( g^{\alpha} \big( h \prod_{i \in I_{\mathbf{V}}} u_i^{ID_i} \big)^{r} A_0 \prod_{j \in I_{\mathbf{V}} \setminus I_{\mathbf{ID}}} U_j^{ID_j},\; g^{\beta} \Big)} = \frac{e\Big( \big( h \prod_{i \in I_{\mathbf{V}}} u_i^{ID_i} \big)^{\beta},\; g^{r} \Big)}{e\left( g^{\alpha}, g^{\beta} \right) \cdot e\Big( \big( h \prod_{i \in I_{\mathbf{V}}} u_i^{ID_i} \big)^{r},\; g^{\beta} \Big)} = \frac{1}{e(g, g)^{\alpha\beta}}$$

It follows that

$$C_2 \cdot \frac{e(C_1, a_1)}{e(K, C_0)} = M \cdot \frac{e(g, g)^{\alpha\beta}}{e(g, g)^{\alpha\beta}} = M$$

4.2 Security Analysis

The security of our scheme is guaranteed by the following theorem. At a high level, the proof of our HIBBES follows the proof framework of the Lewko-Waters HIBES [28], with an extra effort to generate ciphertexts for supporting broadcast.

Theorem 1. Let $G$ be a group of composite order $N$ endowed with an efficient bilinear map. Our HIBBES is IND-CIVS-CPA secure if all the three assumptions defined in Definition 1, Definition 2 and Definition 3 hold in $G$.

To prove the IND-CIVS-CPA security of our scheme, we apply the Dual System Encryption technique introduced by Waters [40] for obtaining adaptively secure IBES and HIBES. This technique has been shown to be a powerful tool for security proofs [28, 29]. In a Dual System Encryption system, the ciphertexts and keys can take one of two indistinguishable forms: normal form and semi-functional form. Normal keys can decrypt normal or semi-functional ciphertexts, and semi-functional ciphertexts can be decrypted by normal or semi-functional keys. Decryption will fail when one uses a semi-functional key to decrypt a semi-functional ciphertext. Since these two kinds of keys and ciphertexts are indistinguishable, the simulator can replace all normal ciphertexts and keys with semi-functional ones in the security game. When all ciphertexts and keys are semi-functional, $\mathcal{A}$ obtains no information about the challenge ciphertext, as none of the given keys are useful to decrypt the challenge ciphertext.

We first need to define the semi-functional key and the semi-functional ciphertext.
They will only be used in the security proof. Let $g_2 \in G_{p_2}$ be a random generator of $G_{p_2}$; the semi-functional ciphertext and the semi-functional key are defined as follows:

Semi-Functional Ciphertext. Run Encrypt to construct a normal ciphertext $CT' = (C_0', C_1', C_2')$. Then, choose random exponents $x, y_c \in \mathbb{Z}_N$ and set

$$C_0 = C_0', \quad C_1 = C_1' g_2^{x y_c}, \quad C_2 = C_2' g_2^{x}$$

Semi-Functional Key. For an identity vector $\mathbf{ID}$, run KeyGen to generate its normal secret key

$$SK' = \left( a_0', a_1', \{b_j'\}_{j \in [1,n] \setminus I_{\mathbf{ID}}} \right)$$
Then, choose random exponents $\gamma, y_k \in G_N$, $z_j \in G_N$ for all $j \in [1, n] \setminus I_{\mathbf{ID}}$ and set

$$a_0 = a_0' g_2^{\gamma}, \quad a_1 = a_1' g_2^{\gamma y_k}, \quad \left\{ b_j = b_j' g_2^{\gamma z_j} \right\}_{j \in [1,n] \setminus I_{\mathbf{ID}}}$$

Decrypt will correctly output the message $M$ when decrypting a semi-functional ciphertext using a normal key, or a normal ciphertext using a semi-functional key, since the added elements in $G_{p_2}$ will be cancelled due to the orthogonality property. However, the blinding factor will be multiplied by the additional term $e(g_2, g_2)^{x\gamma(y_k - y_c)}$ when trying to decrypt the semi-functional ciphertext using a semi-functional key, unless $y_k = y_c$, which happens with probability $1/N$. In this case, we call the key a nominally semi-functional key. In the semi-functional secret key, the exponent $y_k$ used for blinding the second component $a_1$ and the exponents $z_j$ used for blinding the third component $a_2$ are chosen randomly and only appear at most twice in the security game. Therefore, from $\mathcal{A}$'s view the components in $G_{p_2}$ of the semi-functional secret keys look random, so they do not help $\mathcal{A}$ to distinguish a semi-functional secret key from a normal one, except with negligible probability $1/N$ when a nominally semi-functional secret key is coincidentally generated.

We prove security by using a sequence of games:

- $\mathrm{Game}_{\mathrm{Real}}$. It is the real security game.
- $\mathrm{Game}_{\mathrm{Restricted}}$. It is identical with $\mathrm{Game}_{\mathrm{Real}}$, except that in Phase 2, $\mathcal{A}$ cannot ask for identity vectors $\mathbf{ID} = (ID_1, \ldots, ID_d)$ satisfying $\exists\, \mathbf{ID}^* = (ID_1^*, \ldots, ID_{d'}^*) \in \mathrm{Pref}(\mathbf{V}^*)$ with $d' \le d$, s.t. $\forall i \in [1, d']$, $ID_i = ID_i^* \bmod p_2$, where $\mathbf{V}^*$ is the challenge identity vector set.
- $\mathrm{Game}_{k}$. Suppose that $\mathcal{A}$ can make $q$ secret key queries in Phase 1 and Phase 2. This game is identical with $\mathrm{Game}_{\mathrm{Restricted}}$, except that the challenge ciphertext is semi-functional and the first $k$ keys are semi-functional, while the rest of the keys are normal. We note that in $\mathrm{Game}_{0}$, only the challenge ciphertext is semi-functional; in $\mathrm{Game}_{q}$, the challenge ciphertext and all secret keys are semi-functional.
- $\mathrm{Game}_{\mathrm{Final}}$. It is the same as $\mathrm{Game}_{q}$, except that the challenge ciphertext is a semi-functional encryption of a random message in $G_T$, not one of the messages given by $\mathcal{A}$.

Given a security parameter $\lambda$, we respectively represent the advantages of winning in the games Game_Real, Game_Restricted, Game_k and Game_Final by $\mathrm{Adv}^{CPA}_{Real}(\lambda)$, $\mathrm{Adv}^{CPA}_{Restricted}(\lambda)$, $\mathrm{Adv}^{CPA}_{k}(\lambda)$ and $\mathrm{Adv}^{CPA}_{Final}(\lambda)$. We show that these games are indistinguishable in the following four lemmas.

Lemma 1. Suppose Assumption 2 defined in Definition 2 holds. Then there is no polynomial time algorithm that can distinguish Game_Real from Game_Restricted with non-negligible advantage.

Proof. If there exists an adversary A that can distinguish Game_Real from Game_Restricted with advantage $\epsilon$, then by the definition of Game_Restricted, A can issue a secret key query for an identity vector $ID = (ID_1, \ldots, ID_d)$ satisfying that $\exists\, ID^* = (ID_1^*, \ldots, ID_{d'}^*) \in \mathrm{Pref}(V^*)$ with $d' \le d$, s.t. $\forall i \in [1, d']$, $ID_i = ID_i^* \bmod p_2$. Then a factor of $N$ can be extracted by computing $\gcd(ID_i - ID_i^*, N)$, from which we can build an algorithm similar to the one described in the proof of Lemma 5 in [28] that can refute the second assumption with advantage $\mathrm{Adv2}_B(\lambda) \ge \epsilon/2$. We omit the details here to avoid repetition.

Compared with Game_Restricted, in Game_0 the challenge ciphertext is replaced with a semi-functional one. Since A does not know the factors of $N = p_1 p_2 p_3$, it cannot determine whether the components of the challenge ciphertext are in $G_{p_1}$ or in $G_{p_1 p_2}$. Hence A is unable to know of which form the given challenge ciphertext is. This implies indistinguishability between Game_Restricted and Game_0. Formally, we have the following lemma.

Lemma 2. Suppose Assumption 1 defined in Definition 1 holds. Then there is no polynomial time algorithm that can distinguish Game_Restricted from Game_0 with non-negligible advantage.

Proof. Suppose that there exists an adversary A that can distinguish Game_Restricted from Game_0 with advantage $\epsilon_0$. Then we can construct an algorithm B that can refute Assumption 1 with advantage $\mathrm{Adv1}_B(\lambda) \ge \epsilon_0$. The input of B is the challenge tuple $(g, X_3, T)$ of Assumption 1. B needs to determine whether $T$ is in $G_{p_1}$ or in $G_{p_1 p_2}$.

B sets the public key as follows. It randomly chooses $\alpha \in \mathbb{Z}_N$ and $\gamma_i \in \mathbb{Z}_N$ for all $i \in [0, n]$. Then, it sets $h \leftarrow g^{\gamma_0}$ and $u_i \leftarrow g^{\gamma_i}$ for all $i \in [1, n]$. Finally, B gives the public key $PK \leftarrow (g, h, u_1, \ldots, u_n, X_3, e(g,g)^{\alpha})$ to A. It keeps the master key $MSK \leftarrow g^{\alpha}$ to itself.

Assume that A issues a secret key query for the identity vector $ID = (ID_1, \ldots, ID_d)$. B chooses random elements $r, w_0, w_1 \in \mathbb{Z}_N$ and $v_j \in \mathbb{Z}_N$ for all $j \in [1, n] \setminus I$, where $I = \{i : ID_i \in S_{ID}\}$. Then B returns a normal key

$$SK_{ID} \leftarrow \left(g^{\alpha}\Big(h \prod_{i \in I} u_i^{ID_i}\Big)^{r} X_3^{w_0},\ \ g^{r} X_3^{w_1},\ \ \{u_j^{r} X_3^{v_j}\}_{j \in [1,n] \setminus I}\right)$$

When A decides that the Challenge phase starts, it outputs two equal-length messages $M_0, M_1 \in G_T$, together with a challenge identity vector set $V^*$. B flips a random coin $b \in \{0, 1\}$, and returns the challenge ciphertext

$$CT^* = (C_0^*, C_1^*, C_2^*) \leftarrow \left(T,\ \ T^{\gamma_0 + \sum_{i \in I^*} ID_i \gamma_i},\ \ M_b \cdot e(g, T)^{\alpha}\right)$$

where $I^* = \{i : ID_i \in S_{V^*}\}$.

A outputs a guess of whether it is in Game_Restricted or in Game_0. B guesses $T \in G_{p_1}$ if A decides it is in Game_Restricted. Otherwise, B outputs $T \in G_{p_1 p_2}$.

If $T \in G_{p_1}$, this is a normal ciphertext by implicitly setting $T \leftarrow g^{\beta}$. Hence, B is simulating Game_Restricted. Otherwise, if $T \in G_{p_1 p_2}$, all components in this ciphertext contain elements in the subgroup $G_{p_2}$, thus it is a semi-functional ciphertext. In this case, B is simulating Game_0. If A has advantage $\epsilon_0$ in distinguishing Game_Restricted from Game_0, B can distinguish the distribution of $T$ with advantage $\mathrm{Adv1}_B(\lambda) \ge \epsilon_0$.

Similarly, Game_{k-1} and Game_k are two indistinguishable games. The way to determine whether the $k$-th queried key is normal or semi-functional is to determine whether the key components are in $G_{p_1 p_3}$ or in $G_N$. This is computationally difficult without factoring $N = p_1 p_2 p_3$. Hence, we have the following lemma.

Lemma 3. Suppose Assumption 2 defined in Definition 2 holds. Then there is no polynomial time algorithm that can distinguish Game_{k-1} from Game_k with non-negligible advantage.

Proof. Suppose there exists an adversary A that can distinguish Game_{k-1} from Game_k with advantage $\epsilon_k$. Then we can construct an algorithm B that can refute Assumption 2 with advantage $\mathrm{Adv2}_B(\lambda) \ge \epsilon_k$. The input of B is the challenge tuple $(g, X_1 X_2, X_3, Y_2 Y_3, T)$ of Assumption 2.
B has to answer whether $T$ is in $G_N$ or in $G_{p_1 p_3}$.

B runs exactly the same Setup as in the proof of Lemma 2. The public key can be published as $PK \leftarrow (g, h, u_1, \ldots, u_n, X_3, e(g,g)^{\alpha})$ with $h \leftarrow g^{\gamma_0}$ and $u_i \leftarrow g^{\gamma_i}$ for all $i \in [1, n]$. The master key is $MSK \leftarrow g^{\alpha}$, which B keeps secret.

When receiving the $l$-th secret key query for identity vector $ID = (ID_1, \ldots, ID_d)$ with $l < k$, B creates a semi-functional key to respond to the query. Denote $I = \{i : ID_i \in S_{ID}\}$. B chooses random elements $r, w_0, w_1 \in \mathbb{Z}_N$ and $v_j \in \mathbb{Z}_N$ for all $j \in [1, n] \setminus I$. Then it returns the secret key

$$SK_{ID} \leftarrow \left(g^{\alpha}\Big(h \prod_{i \in I} u_i^{ID_i}\Big)^{r} (Y_2 Y_3)^{w_0},\ \ g^{r} (Y_2 Y_3)^{w_1},\ \ \{u_j^{r} (Y_2 Y_3)^{v_j}\}_{j \in [1,n] \setminus I}\right)$$

This is a well-formed semi-functional key obtained by implicitly setting $g_2^{\gamma} = Y_2^{w_0}$ and $y_k = w_1 / w_0$.

If A issues the $l$-th secret key query for $k < l \le q$, B calls the usual key generation algorithm to generate a normal secret key and returns it to A.

When A issues the $k$-th secret key query for identity vector $ID$ with $I = \{i : ID_i \in S_{ID}\}$, B chooses random exponents $w_0 \in \mathbb{Z}_N$ and $v_j \in \mathbb{Z}_N$ for all $j \in [1, n] \setminus I$. It then outputs

$$SK_{ID} \leftarrow \left(g^{\alpha}\, T^{\gamma_0 + \sum_{i \in I} ID_i \gamma_i} X_3^{w_0},\ \ T,\ \ \{T^{\gamma_j} X_3^{v_j}\}_{j \in [1,n] \setminus I}\right)$$
If $T \in G_{p_1 p_3}$, then all components in this secret key are in $G_{p_1 p_3}$. Hence it is a normal secret key. Otherwise, it is a semi-functional key by implicitly setting $y_k = \gamma_0 + \sum_{i \in I} ID_i \gamma_i$.

In the Challenge phase, B receives two equal-length messages $M_0, M_1 \in G_T$ and a challenge identity vector set $V^*$ from A. It chooses a random bit $b \in \{0, 1\}$ and returns

$$CT^* = (C_0^*, C_1^*, C_2^*) \leftarrow \left(X_1 X_2,\ \ (X_1 X_2)^{\gamma_0 + \sum_{i \in I^*} ID_i \gamma_i},\ \ M_b \cdot e(g, X_1 X_2)^{\alpha}\right)$$

to A, where $I^* = \{i : ID_i \in S_{V^*}\}$.

Note that this ciphertext is semi-functional with $y_c = \gamma_0 + \sum_{i \in I^*} ID_i \gamma_i$. Since, from Game_Restricted, the identity vector associated with the $k$-th secret key is not a prefix of the challenge receiver identity vector set modulo $p_2$, $y_c$ and $y_k$ will seem randomly distributed to A, so that the relationship between $y_c$ and $y_k$ offers no help for A to distinguish the two games.

Although hidden from A, the relationship between $y_c$ and $y_k$ is important: it prevents B from testing whether the $k$-th secret key is semi-functional by generating a semi-functional ciphertext for any identity vector set $V$ with $ID \in \mathrm{Pref}(V)$ and decrypting it using the $k$-th key. Indeed, B can only generate a nominally semi-functional key for the $k$-th key query for $ID$. Note that $y_k + \sum_{i \in I^* \setminus I} ID_i \gamma_i = y_c$, where $I = \{i : ID_i \in S_{ID}\}$ and $I^* = \{i : ID_i \in S_{V^*}\}$. Hence, if B tries to do that, then decryption will always work, even when the $k$-th key is semi-functional. So, using this method, B cannot test whether the $k$-th key for identity vector $ID$ is semi-functional or not without A's help. Note that this is the only case in which the nominally semi-functional secret key is used. For other queried secret keys, the exponents used in the subgroup $G_{p_2}$ are randomly chosen, so that the secret keys are randomly blinded by the elements in $G_{p_2}$ and do not help A to win the security game.

B finally outputs $T \in G_{p_1 p_3}$ if A outputs that it is in Game_{k-1}, or outputs $T \in G_N$ if A answers that it is in Game_k.

If $T \in G_{p_1 p_3}$, all components in the $k$-th secret key generated by B are in $G_{p_1 p_3}$. Hence it is a normal secret key. In this case, B is simulating Game_{k-1}. Otherwise, if $T \in G_N$, then the $k$-th secret key is semi-functional.
In this case, B is simulating Game_k. If A has advantage $\epsilon_k$ in distinguishing these two games, B can also distinguish $T \in G_{p_1 p_3}$ from $T \in G_N$ with advantage $\mathrm{Adv2}_B(\lambda) \ge \epsilon_k$.

Lemma 4. Suppose Assumption 3 defined in Definition 3 holds. Then there is no polynomial time algorithm that can distinguish Game_q from Game_Final with non-negligible advantage.

Proof. Suppose that there exists an adversary A that can distinguish Game_q from Game_Final with advantage $\epsilon_F$. By invoking A as a blackbox, we build an algorithm B refuting the third assumption with advantage $\mathrm{Adv3}_B(\lambda) \ge \epsilon_F$. B is given the challenge tuple $(g, g^{\alpha} X_2, X_3, g^{s} Y_2, Z_2, T)$ and is required to answer whether $T$ is $e(g, g)^{\alpha s}$ or a random element in $G_T$.

B randomly chooses $\gamma_i \in \mathbb{Z}_N$ for all $i \in [0, n]$ and sets the public key

$$PK \leftarrow \left(g,\ h = g^{\gamma_0},\ u_1 = g^{\gamma_1},\ \ldots,\ u_n = g^{\gamma_n},\ X_3,\ e(g,g)^{\alpha} = e(g^{\alpha} X_2, g)\right)$$

When A requests a secret key for an identity vector $ID$, B chooses random exponents $w_0, w_1, t_0, t_1 \in \mathbb{Z}_N$ and $v_j, z_j \in \mathbb{Z}_N$ for all $j \in [1, n] \setminus I$, where $I = \{i : ID_i \in S_{ID}\}$. It outputs

$$SK_{ID} \leftarrow \left(g^{\alpha} X_2 \Big(h \prod_{i \in I} u_i^{ID_i}\Big)^{r} Z_2^{t_0} X_3^{w_0},\ \ g^{r} Z_2^{t_1} X_3^{w_1},\ \ \{u_j^{r} Z_2^{z_j} X_3^{v_j}\}_{j \in [1,n] \setminus I}\right)$$

Note that this secret key is semi-functional with $g_2^{\gamma} = Z_2^{t_0}$ and $y_k = t_1 / t_0$.

In the challenge phase, A outputs two equal-length messages $M_0, M_1 \in G_T$, and a challenge identity vector set $V^*$. Denote $I^* = \{i : ID_i \in S_{V^*}\}$. B chooses a random bit $b \in \{0, 1\}$ and outputs the resulting semi-functional ciphertext

$$CT^* = (C_0^*, C_1^*, C_2^*) \leftarrow \left(g^{s} Y_2,\ \ (g^{s} Y_2)^{\gamma_0 + \sum_{i \in I^*} ID_i \gamma_i},\ \ M_b \cdot T\right)$$
Eventually, if A guesses that it is in Game_q, B outputs $T \leftarrow e(g, g)^{\alpha s}$. Otherwise, B outputs $T \in G_T$ when A answers that it is in Game_Final.

If $T \leftarrow e(g, g)^{\alpha s}$, then B is simulating Game_q since $CT^*$ is a semi-functional ciphertext of the message $M_b$. If $T \in G_T$, then $CT^*$ is a semi-functional ciphertext of a random message that is independent of $M_b$. In this case, B is simulating Game_Final. Hence, if A has advantage $\epsilon_F$ in distinguishing these two games, then B has advantage $\mathrm{Adv3}_B(\lambda) \ge \epsilon_F$ in distinguishing the distribution of $T$.

Since all keys and ciphertexts are semi-functional in Game_q, A can get no information about the challenge ciphertext, since none of the given keys are useful to decrypt it. Therefore, A cannot notice that the challenge ciphertext has been replaced by a random element. This implies the indistinguishability between Game_q and Game_Final.

With the above lemmas, these games are indistinguishable and in the final game the encrypted message is information-theoretically hidden from A. Therefore, the proof of Theorem 1 follows.

Proof. If the three assumptions hold, then for all polynomial time adversaries A, $\mathrm{Adv1}_A(\lambda)$, $\mathrm{Adv2}_A(\lambda)$, and $\mathrm{Adv3}_A(\lambda)$ are all negligible. In Game_Final, the ciphertext has been replaced with a random element of $G_T$. The value of $b$ chosen by the challenger is information-theoretically hidden from A. By applying Lemma 1, Lemma 2, Lemma 3 and Lemma 4, we have that

$$\begin{aligned}
\mathrm{Adv}^{CPA}_{Real}(\lambda) &\le \left|\mathrm{Adv}^{CPA}_{Real}(\lambda) - \mathrm{Adv}^{CPA}_{Restricted}(\lambda)\right| + \left|\mathrm{Adv}^{CPA}_{Restricted}(\lambda) - \mathrm{Adv}^{CPA}_{Final}(\lambda)\right| + \mathrm{Adv}^{CPA}_{Final}(\lambda) \\
&\le \left|\mathrm{Adv}^{CPA}_{Real}(\lambda) - \mathrm{Adv}^{CPA}_{Restricted}(\lambda)\right| + \cdots + \left|\mathrm{Adv}^{CPA}_{q}(\lambda) - \mathrm{Adv}^{CPA}_{Final}(\lambda)\right| + \mathrm{Adv}^{CPA}_{Final}(\lambda) \\
&\le \mathrm{Adv1}_A(\lambda) + (q + 2) \cdot \mathrm{Adv2}_A(\lambda) + \mathrm{Adv3}_A(\lambda)
\end{aligned}$$

Therefore, there is no polynomial time adversary that can break our HIBBES with non-negligible advantage. This completes the proof of Theorem 1.

5 Compact IND-CIVS-CCA2 HIBBE with Short Ciphertexts

5.1 Basic Ideas

In this section, we construct an IND-CIVS-CCA2 secure $(D, n)$-HIBBES from our IND-CIVS-CPA secure $(D, n + 1)$-HIBBES. We first provide an overview of the conversion. We add one dummy user with an on-the-fly identity to the system.
This dummy user is at depth 1, i.e., a child of the PKG. No one is allowed to obtain the secret key for the dummy user. It will be used just for the ciphertext validity test. When encrypting a message $M$, the encryption algorithm first creates the ciphertext components $C_0$ and $C_2$, which are independent of the receiver's identity vector set. Then, the algorithm hashes these two elements using a collision resistant hash function, and assigns the result as the on-the-fly identity of the dummy user. Finally, we compute the ciphertext component $C_1$, as in the encryption algorithm of the CPA-secure scheme. We show that there is an efficient algorithm to verify whether the resulting ciphertext is valid or not. In short, the ciphertext validity test can be done publicly, since the test only involves the ciphertext $CT$ and the public key $PK$.

This technique is inspired by the Boyen-Mei-Waters technique [9], which applies to Waters' adaptively secure IBE [39] and Boneh-Boyen selective-ID secure IBE [1] to obtain CCA2-secure public key cryptosystems. Boyen et al. remarked that their technique can be extended to achieve CCA2-secure HIBES from some CPA-secure HIBES by adding one extra hierarchy to the underlying HIBES. Instead of introducing one extra hierarchy of users to our HIBBE, we just add one extra dummy user at the first level by exploiting the broadcasting feature to enforce the ciphertext validation test. In this way, CCA2 security is achieved only at a marginal cost of one extra user.

5.2 The Resulting Construction

For simple description, we label the previous HIBBES as HIBBE_CPA with algorithms Setup_CPA, KeyGen_CPA, Delegate_CPA, Encrypt_CPA, and Decrypt_CPA. Our CCA2-secure HIBBES is denoted by HIBBE_CCA2. Similar to HIBBE_CPA, we assume that the identity vectors $ID = (ID_1, \ldots, ID_k)$ at depth $k$ are vector elements in $(\mathbb{Z}_N)^k$, and messages to be encrypted are elements in $G_T$. Our resulting scheme works as follows:
Setup$(D, n, \lambda)$. The system first runs Setup_CPA$(D, n + 1, \lambda)$ to generate the public key $PK \leftarrow (g, h, u_1, \ldots, u_n, u_{n+1}, X_3, e(g,g)^{\alpha})$ and the master key $MSK \leftarrow g^{\alpha}$. A collision resistant hash function $H : G \times G_T \rightarrow \mathbb{Z}_N$ is also included in the public key. We stress that the dummy user, associated with parameter $u_{n+1}$, is at depth 1 and no one is allowed to obtain its corresponding secret key.

KeyGen and Delegate. These two algorithms are identical to KeyGen_CPA and Delegate_CPA.

Encrypt$(PK, M, V)$. For a receiver identity vector set $V$, denote $I = \{i : ID_i \in S_V\}$. The encryption algorithm first picks a random $\beta \in \mathbb{Z}_N$ and computes

$$(C_0, C_2) \leftarrow \left(g^{\beta},\ e(g,g)^{\alpha\beta} \cdot M\right)$$

Then, the algorithm computes $ID_{n+1} \leftarrow H(C_0, C_2) \in \mathbb{Z}_N$ and constructs $C_1$ as

$$C_1 \leftarrow \Big(h \prod_{i \in I} u_i^{ID_i} \cdot u_{n+1}^{ID_{n+1}}\Big)^{\beta}$$

The algorithm finally outputs the ciphertext as $CT \leftarrow (C_0, C_1, C_2)$. Note that it is a valid HIBBE_CPA ciphertext for the receiver identity vector set $V \cup \{ID_{n+1}\}$.

Decrypt$(V, CT, SK_{ID})$. Suppose the secret key for the user associated with identity vector $ID$ is

$$SK_{ID} = \left(a_0, a_1, \{b_j\}_{j \in [1,n+1] \setminus I}\right)$$

where $I = \{i : ID_i \in S_{ID}\}$. Denote $I' = \{i : ID_i \in S_V\}$. Before decrypting the ciphertext $CT = (C_0, C_1, C_2)$, the decryption algorithm first needs to verify whether the ciphertext is legitimate. It does this by randomly choosing elements $Z_3, Z_3' \in G_{p_3}$, computing $ID_{n+1} = H(C_0, C_2) \in \mathbb{Z}_N$ and testing whether the following equation holds:

$$e(g \cdot Z_3,\ C_1) \stackrel{?}{=} e\Big(C_0,\ h \prod_{i \in I'} u_i^{ID_i} \cdot u_{n+1}^{ID_{n+1}} \cdot Z_3'\Big) \qquad (1)$$

If so, the decryption algorithm simply invokes Decrypt_CPA$(V \cup \{ID_{n+1}\}, CT, SK_{ID})$ to get the message $M$. Otherwise, the ciphertext is invalid and the decryption algorithm simply outputs NULL.

Remark 1. Note that the above ciphertext validity test can be done publicly since it only involves public parameters and ciphertexts. It is useful for our scheme to build advanced protocols, e.g., publicly verifiable HIBBE encryption with CCA2 security [13, 26, 38]. Also, it allows a gateway or firewall to filter spam (i.e., invalid ciphertexts) without requiring the secret keys of the receivers. Similar functionality has been applied to identify dishonest transactions in a mobile e-commerce scenario [24].

Soundness. If the ciphertext is legitimate, then the following tuple

$$\left(g,\ \ C_0 = g^{\beta},\ \ h \prod_{i \in I'} u_i^{ID_i} \cdot u_{n+1}^{ID_{n+1}},\ \ C_1 = \Big(h \prod_{i \in I'} u_i^{ID_i} \cdot u_{n+1}^{ID_{n+1}}\Big)^{\beta}\right)$$

is a valid Diffie-Hellman tuple. The elements $Z_3, Z_3' \in G_{p_3}$ can be eliminated on both sides of Equation 1 with the orthogonality property. Accordingly, Equation 1 holds. Also, this ciphertext is a valid HIBBE_CPA ciphertext for the receiver identity vector set $V \cup \{ID_{n+1}\}$ with $ID_{n+1} = H(C_0, C_2)$. Since $ID \in \mathrm{Pref}(V)$, which is covered by the receiver set $V \cup \{ID_{n+1}\}$, the decryption algorithm can decrypt the ciphertext by invoking the underlying Decrypt_CPA$(V \cup \{ID_{n+1}\}, CT, SK_{ID})$.
5.3 Security Analysis

We now allow decryption queries in all games defined previously in Section 4.2. Our simulation works as follows. When receiving a decryption query from the adversary, the simulator first checks Equation 1 to determine whether the ciphertext is valid. If the equality holds, the simulator generates a secret key for any identity vector $ID$ satisfying $ID \in \mathrm{Pref}(V)$, and then uses this key to decrypt the ciphertext. In the challenge phase, the simulator creates a challenge ciphertext $CT^* = (C_0^*, C_1^*, C_2^*)$ for the challenge identity vector set $V^* \cup \{ID_{n+1}^*\}$, where $ID_{n+1}^* = H(C_0^*, C_2^*)$. Since the hash function $H$ is collision resistant, the adversary is unable to make any valid ciphertext queries that would require the simulator to use an identity vector set $V \cup \{ID_{n+1}\}$ with $ID_{n+1} = ID_{n+1}^*$. Note that the adversary cannot issue a secret key query for the dummy user because it is not available before the simulator produces the challenge ciphertext. Hence, the simulation can be done by invoking the underlying HIBBE_CPA.

Formally, the CCA2 security of the above scheme is guaranteed by the following theorem.

Theorem 2. Let $G$ be a group of composite order $N$ endowed with an efficient bilinear map. Suppose all the three assumptions defined in Definition 1, Definition 2 and Definition 3 hold in $G$. Then our HIBBE_CCA2 is IND-CIVS-CCA2 secure.

Similarly to those in the CPA security proofs, we denote those games respectively by GameCCA2_Real, GameCCA2_Restricted, GameCCA2_k with $k \in [0, q]$ and GameCCA2_Final. For a security parameter $\lambda$, we respectively represent the advantages of winning in these games by $\mathrm{Adv}^{CCA2}_{Real}(\lambda)$, $\mathrm{Adv}^{CCA2}_{Restricted}(\lambda)$, $\mathrm{Adv}^{CCA2}_{k}(\lambda)$ with $k \in [0, q]$, and $\mathrm{Adv}^{CCA2}_{Final}(\lambda)$. The security of our HIBBE_CCA2 follows from the indistinguishability between these games, assuming that the three assumptions defined in Section 2 hold.

Lemma 5. Suppose that Assumption 2 holds. Then there is no polynomial time algorithm that can distinguish GameCCA2_Real from GameCCA2_Restricted with non-negligible advantage.

Proof. The proof of this lemma is identical to the proof of Lemma 1.

Lemma 6. There is no polynomial time algorithm that can distinguish GameCCA2_Restricted from GameCCA2_0 with non-negligible advantage assuming that Assumption 1 holds.

Proof. Assume that there exists an adversary A that can distinguish GameCCA2_Restricted from GameCCA2_0 with advantage $\epsilon_0$. We build an algorithm B that can refute Assumption 1 with advantage $\mathrm{Adv1}_B(\lambda) \ge \epsilon_0$. B takes the challenge tuple $(g, X_3, T)$ as input. The goal of B is to determine whether $T$ is an element in $G_{p_1}$ or an element in $G_{p_1 p_2}$.

In the Setup phase, B randomly chooses exponents $\alpha \in \mathbb{Z}_N$ and $\gamma_i \in \mathbb{Z}_N$ for all $i \in [0, n + 1]$. It sets $h \leftarrow g^{\gamma_0}$ and $u_i \leftarrow g^{\gamma_i}$ for all $i \in [1, n + 1]$. Finally, B gives the public key $PK \leftarrow (g, h, u_1, \ldots, u_n, u_{n+1}, X_3, e(g,g)^{\alpha})$ to A. Note that B knows the master key $MSK \leftarrow g^{\alpha}$.

For a secret key query with identity vector $ID = (ID_1, \ldots, ID_d)$ issued by A, B runs the usual key generation algorithm to return the secret key. When receiving a decryption query from A with a ciphertext $CT = (C_0, C_1, C_2)$ and a receiver identity vector set $V$, B first computes $ID_{n+1} = H(C_0, C_2)$ and determines whether the ciphertext is valid by checking Equation 1 defined in Section 5.2. If the equality does not hold, then the ciphertext is invalid and B returns NULL. Otherwise, B generates a normal key for any user whose identity vector is $ID \in \mathrm{Pref}(V)$ using the master key $g^{\alpha}$. Then, B uses this key to decrypt the ciphertext and returns the extracted message to A.

In the challenge phase, A outputs two equal-length messages $M_0, M_1 \in G_T$, together with a challenge identity vector set $V^*$. Denote $I^* = \{i : ID_i \in S_{V^*}\}$. B flips a random coin $b \in \{0, 1\}$ and returns the challenge ciphertext

$$CT^* = (C_0^*, C_1^*, C_2^*) \leftarrow \left(T,\ \ T^{\gamma_0 + \sum_{i \in I^*} ID_i \gamma_i + ID_{n+1}^* \gamma_{n+1}},\ \ M_b \cdot e(g^{\alpha}, T)\right)$$

where $ID_{n+1}^* = H(C_0^*, C_2^*) = H(T, M_b \cdot e(g^{\alpha}, T))$. Note that the components in the challenge ciphertext do not involve elements in $G_{p_3}$. Therefore, for any randomly chosen elements $Z_3, Z_3' \in G_{p_3}$, the challenge ciphertext is valid due to the following equalities:

$$\frac{e(g \cdot Z_3,\ C_1^*)}{e\Big(C_0^*,\ h \prod_{i \in I^*} u_i^{ID_i} \cdot u_{n+1}^{ID_{n+1}^*} \cdot Z_3'\Big)} = \frac{e\Big(g \cdot Z_3,\ T^{\gamma_0 + \sum_{i \in I^*} ID_i \gamma_i + ID_{n+1}^* \gamma_{n+1}}\Big)}{e\Big(T,\ g^{\gamma_0 + \sum_{i \in I^*} ID_i \gamma_i + ID_{n+1}^* \gamma_{n+1}} \cdot Z_3'\Big)} = 1$$

Finally, A outputs a bit $b'$ as its guess of whether it is in GameCCA2_Restricted or in GameCCA2_0. If A guesses that it is in GameCCA2_Restricted, B outputs $T \in G_{p_1}$. Otherwise, B concludes $T \in G_{p_1 p_2}$.

The decryption queries can be responded to perfectly, since B can generate normal keys for arbitrary identity vectors using the master key $g^{\alpha}$. With the identical analysis shown in the proof of Lemma 1, if A has advantage $\epsilon_0$ in distinguishing GameCCA2_Restricted and GameCCA2_0, then B can determine the distribution of $T$ with advantage $\mathrm{Adv1}_B(\lambda) \ge \epsilon_0$.

Lemma 7. If Assumption 2 holds, then no polynomial time algorithm can distinguish GameCCA2_{k-1} from GameCCA2_k with non-negligible advantage.

Proof. Assume there is an adversary A that can distinguish GameCCA2_{k-1} from GameCCA2_k with advantage $\epsilon_k$. Then, by invoking A as a blackbox, we can construct an algorithm B that refutes Assumption 2 with advantage $\mathrm{Adv2}_B(\lambda) \ge \epsilon_k$. The input of B is an instance $(g, X_1 X_2, X_3, Y_2 Y_3, T)$ from the second assumption. B has to decide whether $T$ is an element in $G_N$ or an element in $G_{p_1 p_3}$.

B randomly chooses $\alpha \in \mathbb{Z}_N$ and $\gamma_i \in \mathbb{Z}_N$ for all $i \in [1, n + 1]$. It sends A the public key $PK \leftarrow (g, h, u_1, \ldots, u_n, u_{n+1}, X_3, e(g,g)^{\alpha})$ with $h \leftarrow g^{\gamma_0}$ and $u_i \leftarrow g^{\gamma_i}$ for all $i \in [1, n + 1]$. The master key is $MSK \leftarrow g^{\alpha}$ and is kept by B.

When receiving a secret key query with an identity vector $ID = (ID_1, \ldots, ID_d)$, B runs the same procedure as Phase 1 in Lemma 3 to generate the secret key and returns it to A. When A issues a decryption query for a ciphertext $CT = (C_0, C_1, C_2)$ with a receiver identity vector set $V$, B sets $ID_{n+1} = H(C_0, C_2)$ and checks Equation 1 described in Section 5.2.
If the equality holds, B creates a normal key for any identity vector $ID \in \mathrm{Pref}(V)$ and returns the message decrypted from the ciphertext $CT$. Otherwise it returns NULL since the ciphertext is invalid.

In the Challenge phase, A outputs two equal-length messages $M_0, M_1 \in G_T$, together with an identity vector set $V^*$ as the challenge identity vector set. Denote $I^* = \{i : ID_i \in S_{V^*}\}$. B chooses a random bit $b \in \{0, 1\}$ and outputs the resulting ciphertext

$$CT^* = (C_0^*, C_1^*, C_2^*) \leftarrow \left(X_1 X_2,\ \ (X_1 X_2)^{\gamma_0 + \sum_{i \in I^*} ID_i \gamma_i + ID_{n+1}^* \gamma_{n+1}},\ \ M_b \cdot e(g, X_1 X_2)^{\alpha}\right)$$

where $ID_{n+1}^* = H(C_0^*, C_2^*) = H\big(X_1 X_2,\ M_b \cdot e(g, X_1 X_2)^{\alpha}\big)$. Equation 1 holds for this ciphertext since for any $Z_3, Z_3' \in G_{p_3}$,

$$\frac{e(g \cdot Z_3,\ C_1^*)}{e\Big(C_0^*,\ h \prod_{i \in I^*} u_i^{ID_i} \cdot u_{n+1}^{ID_{n+1}^*} \cdot Z_3'\Big)} = \frac{e\Big(g \cdot Z_3,\ (X_1 X_2)^{\gamma_0 + \sum_{i \in I^*} ID_i \gamma_i + ID_{n+1}^* \gamma_{n+1}}\Big)}{e\Big(X_1 X_2,\ g^{\gamma_0 + \sum_{i \in I^*} ID_i \gamma_i + ID_{n+1}^* \gamma_{n+1}} \cdot Z_3'\Big)} = 1$$

Therefore, this ciphertext is valid. Note that this ciphertext is semi-functional by implicitly setting

$$y_c = \gamma_0 + \sum_{i \in I^*} ID_i \gamma_i + ID_{n+1}^* \gamma_{n+1}$$

Since, from GameCCA2_Restricted, A cannot issue a secret key query with an identity vector that is a prefix of the challenge receiver identity vector set modulo $p_2$, $y_c$ and $y_k$ will seem randomly distributed to A. Therefore, the relationship between $y_c$ and $y_k$ does not give any advantage to A for distinguishing between the two games.

Though the relationship between $y_c$ and $y_k$ is hidden from A, this special setting prevents B itself from testing whether the $k$-th key for identity vector $ID$ is semi-functional. The method would be to generate a semi-functional ciphertext for any identity vector set $V$ such that $ID \in \mathrm{Pref}(V)$ and to decrypt it using the $k$-th key. If the $k$-th key is normal, the decryption is correct. However, if the $k$-th key is semi-functional, then by the definition of a semi-functional secret key, the $k$-th key cannot decrypt the semi-functional ciphertext. In this way, B might have advantage 1 in answering $T \in G_N$ or $T \in G_{p_1 p_3}$ without A's help. In fact, the well-designed secret key generated in the $k$-th key query prevents B from using this method. If B tries to do that, then no matter whether the $k$-th key is normal or semi-functional, decryption will always work, because $y_k + \sum_{i \in I^* \setminus I} ID_i \gamma_i + ID_{n+1}^* \gamma_{n+1} = y_c$, where $I = \{i : ID_i \in S_{ID}\}$ and $I^* = \{i : ID_i \in S_{V^*}\}$. In other words, for the $k$-th secret key query, B can only generate a nominally semi-functional key. Hence decryption is always correct by the definition of a nominally semi-functional key given in Section 4.2.

If A outputs the guess that it is in GameCCA2_{k-1}, B answers $T \in G_{p_1 p_3}$. Otherwise, A outputs that it is in GameCCA2_k, and B decides $T \in G_N$. For a reason similar to that in the proof of Lemma 3, if A has advantage $\epsilon_k$ in distinguishing the game GameCCA2_{k-1} from the game GameCCA2_k, B can distinguish $T \in G_{p_1 p_3}$ from $T \in G_N$ with advantage $\mathrm{Adv2}_B(\lambda) \ge \epsilon_k$.

Lemma 8. Suppose that Assumption 3 holds. Then no polynomial time algorithm can distinguish GameCCA2_q from GameCCA2_Final with non-negligible advantage.

Proof. Assume A can distinguish GameCCA2_q from GameCCA2_Final with advantage $\epsilon_F$. By invoking A as a blackbox, we build an algorithm B refuting Assumption 3 with advantage $\mathrm{Adv3}_B(\lambda) \ge \epsilon_F$. The input of B is the challenge tuple $(g, g^{\alpha} X_2, X_3, g^{s} Y_2, Z_2, T)$ of Assumption 3. B has to answer whether $T$ is $e(g, g)^{\alpha s}$ or a random element in $G_T$.
B randomly chooses $\gamma_i \in \mathbb{Z}_N$ for all $i \in [0, n + 1]$ and sets the public key

$$PK \leftarrow \left(g,\ h = g^{\gamma_0},\ u_1 = g^{\gamma_1},\ \ldots,\ u_n = g^{\gamma_n},\ u_{n+1} = g^{\gamma_{n+1}},\ X_3,\ e(g,g)^{\alpha} = e(g^{\alpha} X_2, g)\right)$$

When A requests a secret key for an identity vector $ID$, B chooses random exponents $w_0, w_1, t_0, t_1 \in \mathbb{Z}_N$ and $v_j, z_j \in \mathbb{Z}_N$ for all $j \in [1, n] \setminus I$, where $I = \{i : ID_i \in S_{ID}\}$. Then, B outputs the secret key

$$SK_{ID} \leftarrow \left(g^{\alpha} X_2 \Big(h \prod_{i \in I} u_i^{ID_i}\Big)^{r} Z_2^{t_0} X_3^{w_0},\ \ g^{r} Z_2^{t_1} X_3^{w_1},\ \ \{u_j^{r} Z_2^{z_j} X_3^{v_j}\}_{j \in [1,n] \setminus I}\right)$$

Note that the resulting key is semi-functional.

When B receives a decryption query for a ciphertext $CT = (C_0, C_1, C_2)$ associated with a receiver identity vector set $V$, it first sets $ID_{n+1} = H(C_0, C_2)$. Then, B checks Equation 1 to verify the validity of $CT$. If the equality does not hold, B simply returns NULL. Otherwise, since B knows a random generator $g$ of $G_{p_1}$ and a random element $X_3 \in G_{p_3}$, it can run the same algorithm described in Phase 1 to generate a semi-functional secret key for $ID \in \mathrm{Pref}(V)$ and use it to decrypt $CT$.

Although the generated secret keys are all semi-functional, B can use them to correctly respond to the decryption queries. The reason is that A can only issue valid normal ciphertexts for decryption queries. On one hand, A cannot generate semi-functional ciphertexts for any identity vector set $V$ without the knowledge of the subgroup $G_{p_2}$, except for the challenge identity vector set. Otherwise A could distinguish the preceding security games by issuing a secret key query for an identity vector $ID \in \mathrm{Pref}(V)$ and trying to decrypt by itself. This has been prevented in the CPA security proof. On the other hand, the only semi-functional ciphertexts that can be obtained by A are the ones modified from the challenge ciphertext. However, any modifications of the challenge ciphertext made by A without the knowledge of the subgroup $G_{p_2}$ can be detected by Equation 1. Therefore, any decryption queries for semi-functional ciphertexts would be prevented. The secret keys would only be used to decrypt normal ciphertexts and the decryption queries can be responded to correctly.
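When suitable, A outputs two equal-length messages $M_0, M_1 \in G_T$, and a challenge identity vector set $V^*$. Denote $I^* = \{i : ID_i \in S_{V^*}\}$. B chooses a random bit $b \in \{0, 1\}$ and outputs

$$CT^* = (C_0^*, C_1^*, C_2^*) \leftarrow \left(g^{s} Y_2,\ \ (g^{s} Y_2)^{\gamma_0 + \sum_{i \in I^*} ID_i \gamma_i + ID_{n+1}^* \gamma_{n+1}},\ \ M_b \cdot T\right)$$

where $ID_{n+1}^* = H(C_0^*, C_2^*) = H(g^{s} Y_2, M_b \cdot T)$. Note that for any $Z_3, Z_3' \in G_{p_3}$,

$$\frac{e(g \cdot Z_3,\ C_1^*)}{e\Big(C_0^*,\ h \prod_{i \in I^*} u_i^{ID_i} \cdot u_{n+1}^{ID_{n+1}^*} \cdot Z_3'\Big)} = \frac{e\Big(g \cdot Z_3,\ (g^{s} Y_2)^{\gamma_0 + \sum_{i \in I^*} ID_i \gamma_i + ID_{n+1}^* \gamma_{n+1}}\Big)}{e\Big(g^{s} Y_2,\ g^{\gamma_0 + \sum_{i \in I^*} ID_i \gamma_i + ID_{n+1}^* \gamma_{n+1}} \cdot Z_3'\Big)} = 1$$

Hence $CT^*$ is a valid ciphertext.

B answers $T \leftarrow e(g, g)^{\alpha s}$ if A outputs the guess that it is in GameCCA2_q. Otherwise, B determines $T \in G_T$ if A guesses that it is in GameCCA2_Final. Similar to the analysis of Lemma 4, B can distinguish $T \leftarrow e(g, g)^{\alpha s}$ from a random element in $G_T$ with advantage $\mathrm{Adv3}_B(\lambda) \ge \epsilon_F$ if A has advantage $\epsilon_F$ in distinguishing GameCCA2_q from GameCCA2_Final.

With the four lemmas described above, the security proof of Theorem 2 follows.

Proof. Since in GameCCA2_Final the ciphertext has been replaced with a random element in $G_T$, the value of $b$ chosen by the challenger is information-theoretically hidden from A. Hence A can obtain no advantage in breaking our HIBBES. By combining the four lemmas shown previously, we have that

$$\begin{aligned}
\mathrm{Adv}^{CCA2}_{Real}(\lambda) &\le \left|\mathrm{Adv}^{CCA2}_{Real}(\lambda) - \mathrm{Adv}^{CCA2}_{Restricted}(\lambda)\right| + \left|\mathrm{Adv}^{CCA2}_{Restricted}(\lambda) - \mathrm{Adv}^{CCA2}_{Final}(\lambda)\right| + \mathrm{Adv}^{CCA2}_{Final}(\lambda) \\
&\le \left|\mathrm{Adv}^{CCA2}_{Real}(\lambda) - \mathrm{Adv}^{CCA2}_{Restricted}(\lambda)\right| + \cdots + \left|\mathrm{Adv}^{CCA2}_{q}(\lambda) - \mathrm{Adv}^{CCA2}_{Final}(\lambda)\right| + \mathrm{Adv}^{CCA2}_{Final}(\lambda) \\
&\le 2 \cdot \mathrm{Adv2}_A(\lambda) + \mathrm{Adv1}_A(\lambda) + q \cdot \mathrm{Adv2}_A(\lambda) + \mathrm{Adv3}_A(\lambda)
\end{aligned}$$

If the three assumptions hold, then for all polynomial time A, $\mathrm{Adv1}_A(\lambda)$, $\mathrm{Adv2}_A(\lambda)$, and $\mathrm{Adv3}_A(\lambda)$ are all negligible. Hence for all polynomial time algorithms, the advantage of breaking our HIBBE_CCA2 is negligible.

5.4 Efficient Tradeoff Between Ciphertext Size and Key Size

The public/secret key size and ciphertext size in $(D, n)$-HIBBE_CCA2 remain the same as those of the underlying $(D, n + 1)$-HIBBE_CPA system. The encryption algorithm needs only one more hash operation. The decryption algorithm does one more hash operation and one extra test of Equation 1, in which a two-base pairing is required and can be pre-computed for $i \in [1, n]$.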
Table 2 shows comparisons between our CPA-secure $(D, n + 1)$-HIBBE and our CCA2-secure $(D, n)$-HIBBE in detail. In Table 2, the secret key $SK_{ID}$ is associated with the identity vector $ID$, and the ciphertext $CT$ is associated with the receiver identity vector set $V$. We denote $\tau_e$ as one exponent operation time in $G$, $\tau_m$ as one multiplication operation time in $G$, $\tau_p$ as one pairing operation time in $G$, and $\tau_h$ as one hash operation time for the hash function $H$. From Table 2, it can be seen that the additional overheads are marginal.

HIBBE with Shorter Secret Keys. In our HIBBES, while the ciphertext contains only three group elements, the secret key for a user at depth $d$ contains $n - d + 2$ elements. In some scenarios, e.g., when the storage capacities of the receivers are limited, one may expect an efficient tradeoff between key size and ciphertext size. Note that users in an HIBBES are organized as a tree $\mathcal{T}$ with $n$ nodes (the PKG as the sink is not counted). We divide $\mathcal{T}$ into $T$ subtrees with $n_i$ nodes, where $i \in [1, T]$. To achieve better balance, as shown in Figure 3, all the subtrees may be obtained in a way satisfying:

1. The number of nodes for each subtree is approximately equal. That is, for the $i$-th subtree with $i \in [1, T]$, we have $n_i \approx n/T$;
2. If possible, all subtrees share the minimum number of higher-level nodes.
Table 2. Comparison Between CPA-secure $(D, n + 1)$-HIBBE and CCA2-secure $(D, n)$-HIBBE

| | $(D, n + 1)$-HIBBE_CPA | $(D, n)$-HIBBE_CCA2 |
|---|---|---|
| Active Users | $n + 1$ | $n$ |
| $PK$ Size | $n + 5$ | $n + 5$ |
| $SK_{ID}$ Size | $n - \|ID\| + 2$ | $n - \|ID\| + 2$ |
| $CT$ Size | 3 | 3 |
| Encryption Time | $(2 + \lvert S_V \rvert) \cdot (\tau_e + \tau_m)$ | $(2 + \lvert S_V \rvert) \cdot (\tau_e + \tau_m) + \tau_h$ |
| Decryption Time | $(1 + \lvert S_V \rvert) \cdot (\tau_e + \tau_m) + 2\tau_p$ | $(1 + \lvert S_V \rvert) \cdot (\tau_e + \tau_m) + 4\tau_p + \tau_h$ |

We then implement independent HIBBE instances in each subtree. When broadcasting, one encrypts the messages with each instance, where the broadcast subsets are the intersection of the original broadcast set and the subtrees. Each receiver can decrypt the ciphertext component corresponding to its subtree. It is clear that, by using this subtree method, the key size is $O(n/T)$ and the ciphertext size is $O(T)$. By setting $T = \sqrt{n}$, both the key size and the ciphertext size are $O(\sqrt{n})$.

Fig. 2. Constant Size Ciphertext HIBBE.

Fig. 3. Shorter Secret Keys HIBBE.

6 Conclusion

This paper extended the functionality of HIBE to HIBBE, allowing users to encrypt to multiple receivers organized in hierarchy, while supporting delegation of secret keys to relieve the private key generator from heavy key management burden. The new cryptographic primitive offers a novel avenue to establish secure data sharing systems, or suitable distributed computation and communication applications. We constructed a CPA-secure HIBBES with short ciphertexts. We then proposed a transformation technique to convert our basic scheme to obtain CCA2-security. Both schemes are efficient and proven to be fully secure under three static assumptions in the standard model.

Acknowledgment

This paper is partially supported by the National Key Basic Research Program (973 program) through project 2012CB315905, by the Natural Science Foundation of China through projects , , , , , and , by the Beijing Natural Science Foundation through project , by the Guangxi natural science foundation through project 2013GXNSFBB053005, by the Fundamental Research Funds for the Central Universities, the Research Funds No. 14XNLF02 of Renmin University of China, the Innovation Fund of China Aerospace Science and Technology Corporation, Satellite Application Research Institute through project CXJJ-TX-10, the Open Project of Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University and the Open Research Fund of Beijing Key Laboratory of Trusted Computing.

References

1. Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: EUROCRYPT. Volume 3027 of LNCS., Springer Berlin Heidelberg
2. Boneh, D., Boyen, X., Goh, E.J.: Hierarchical identity based encryption with constant size ciphertext. In: EUROCRYPT. Volume 3494 of LNCS., Springer Berlin Heidelberg
3. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: CRYPTO. Volume 2139 of LNCS., Springer Berlin Heidelberg
4. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. SIAM Journal on Computing
5. Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: CRYPTO. Volume 3621 of LNCS., Springer Berlin Heidelberg
6. Boneh, D., Goh, E.J., Nissim, K.: Evaluating 2-DNF formulas on ciphertexts. In: TCC. Volume 3378 of LNCS., Springer Berlin Heidelberg
7. Boneh, D., Hamburg, M.: Generalized identity based and broadcast encryption schemes. In: ASIACRYPT. Volume 5350 of LNCS., Springer Berlin Heidelberg
8. Boneh, D., Katz, J.: Improved efficiency for CCA-secure cryptosystems built using identity-based encryption. In: CT-RSA. Volume 3376 of LNCS., Springer Berlin Heidelberg
9. Boyen, X., Mei, Q., Waters, B.: Direct chosen ciphertext security from identity-based techniques. In: CCS 2005, ACM
10. Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. In: EUROCRYPT. Volume 2656 of LNCS., Springer Berlin Heidelberg
11. Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. In: EUROCRYPT. Volume 3027 of LNCS., Springer Berlin Heidelberg
12. Chen, H.C.: A trusted user-to-role and role-to-key access control scheme. Soft Computing
13. Chen, X., Li, J., Huang, X., Ma, J., Lou, W.: New publicly verifiable databases with efficient updates. IEEE Transactions on Dependable and Secure Computing
14. Delerablée, C.: Identity-based broadcast encryption with constant size ciphertexts and private keys. In: ASIACRYPT. Volume 4833 of LNCS., Springer Berlin Heidelberg
15. Delerablée, C., Paillier, P., Pointcheval, D.: Fully collusion secure dynamic broadcast encryption with constant-size ciphertexts or decryption keys. In: Pairing. Volume 4575 of LNCS., Springer Berlin Heidelberg
16. Deng, H., Wu, Q., Qin, B., Domingo-Ferrer, J., Zhang, L., Liu, J., Shi, W.: Ciphertext-policy hierarchical attribute-based encryption with short ciphertexts. Information Sciences
17. Dodis, Y., Fazio, N.: Public key broadcast encryption for stateless receivers. In: Digital Rights Management. Volume 2696 of LNCS., Springer Berlin Heidelberg
18. Fiat, A., Naor, M.: Broadcast encryption. In: CRYPTO. Volume 773 of LNCS., Springer Berlin Heidelberg
19. Gentry, C., Halevi, S.: Hierarchical identity based encryption with polynomially many levels. In: TCC. Volume 5444 of LNCS., Springer Berlin Heidelberg
20. Gentry, C., Silverberg, A.: Hierarchical ID-based cryptography. In: ASIACRYPT. Volume 2501 of LNCS., Springer Berlin Heidelberg
21. Gentry, C., Waters, B.: Adaptive security in broadcast encryption systems with short ciphertexts. In: EUROCRYPT. Volume 5479 of LNCS., Springer Berlin Heidelberg
22. Halevy, D., Shamir, A.: The LSD broadcast encryption scheme. In: CRYPTO. Volume 2442 of LNCS., Springer Berlin Heidelberg
23. Horwitz, J., Lynn, B.: Toward hierarchical identity-based encryption. In: EUROCRYPT. Volume 2332 of LNCS., Springer Berlin Heidelberg
24. Huan, J., Yang, Y., Huang, X., Yuen, T.H., Li, J., Cao, J.: Accountable mobile e-commerce scheme via identity-based plaintext-checkable encryption. Information Sciences