Tracker: Security and Privacy for RFID-based Supply Chains

Erik-Oliver Blass, Kaoutar Elkhiyaoui, Refik Molva
EURECOM, Sophia Antipolis, France
{blass elkhiyao

Abstract

The counterfeiting of pharmaceutics or luxury objects is a major threat to supply chains today. As different facilities of a supply chain are distributed and difficult to monitor, malicious adversaries can inject fake objects into the supply chain. This paper presents TRACKER, a protocol for object genuineness verification in RFID-based supply chains. More precisely, TRACKER allows to securely identify which (legitimate) path an object/tag has taken through a supply chain. TRACKER provides privacy: an adversary can neither learn details about an object's path, nor can it trace and link objects in the supply chain. TRACKER's security and privacy is based on an extension of polynomial signature techniques for run-time fault detection using homomorphic encryption. Contrary to related work, RFID tags in this paper are not required to perform any computation, but only feature a few bytes of storage such as ordinary EPC Class 1 Gen 2 tags.

1. Introduction

Supply chain management is one of the major applications of RFID tags today. The tags are physically attached to objects, therewith enabling tracking of objects on their way through the steps of a supply chain. Today, RFID-based supply chain applications range from simple barcode replacements in supermarkets to more sensitive application scenarios, where tags are used for product genuineness verification, anti-counterfeiting, anti-cloning, and replica-prevention of luxury products or pharmaceutics [12, 15, 22, 29, 32]. All these scenarios, and the latter in particular, raise new security and privacy challenges. First, with respect to security, it must be verifiable whether an object has taken one of the valid paths through the supply chain, i.e., whether the object went through a certain valid sequence of steps in the supply chain. The goal is to allow the operator or manager of the supply chain to check the genuineness of an object by simply scanning the object's RFID tag.

The problem is, though, that supply chains are physically distributed and the parties involved in a supply chain (the "steps") may reside in different locations, even in different countries. The manager has neither full control over the interconnections between steps of the supply chain, nor full control over some of the steps themselves. Also, for simple feasibility reasons, it cannot be assumed that facilities of the supply chain are permanently online or synchronized with a back-end database. Consequently, supply chains today are prone to injection of faked, counterfeit or manipulated products. For example, the World Health Organization (WHO) has estimated that 10% of U.S. pharmaceutical products were already counterfeit in 2005 [9]. Today, the International Chamber of Commerce estimates that counterfeiting accounts for 5-7% of world trade, relating to $600 billion per year [14]. Hence, there is a stringent requirement for a security solution that prevents an adversary from tampering with tags in order to forge faked traces through the steps of the supply chain. Some supply chains today protect products by using additional tamper-proof hardware, for example the familiar holograms sticking to products. However, massive deployment of any tamper-proof hardware implies additional costs. To the best of our knowledge, there is no security solution available that is solely based on cheap, non tamper-proof RFID tags.

The second problem regards the privacy of objects in the supply chain. Typically, the manager of the supply chain does not want to reveal any information about internal details, strategic relationships and processes within the supply chain to adversaries, e.g., competitors or customers. An adversary should not be able to trace and recognize tags and objects through subsequent steps in the supply chain and therewith learn something about the internal processes of the supply chain. Similarly, by scanning an RFID tag attached to an object, the adversary should not be able to gain any knowledge about the history of that tag and the object it is attached to.

Solutions addressing these security and privacy requirements are, however, governed by the challenges of the RFID setting: RFID tags have to be cheap for massive deployments and therefore can only afford lightweight computational capabilities. Traditional security and privacy solutions would overburden tiny tags and therefore are ineligible. Moreover, the manager of the supply chain uses a handheld RFID reader, which is typically an embedded device. Consequently, the path verification at the manager should require few cryptographic operations. Note that the security and privacy requirements for RFID-based supply chain management call for more than just privacy-preserving authentication as already extensively covered in the literature, cf., Avoine [3]. As a new requirement raised by supply chain management, the soundness of the history kept in the tags must be assured throughout the steps of the supply chain.

This paper presents TRACKER, a protocol for secure, privacy-preserving supply chain management with RFID tags. The main idea behind TRACKER is to encode paths in a supply chain using polynomial signature techniques similar to software run-time fault detection. These polynomials are evaluated using homomorphic encryption, thereby providing security and privacy. TRACKER's major contributions are:

- TRACKER allows to determine the exact path that each tag(1) went through in the supply chain.
- TRACKER provides provable security: an adversary cannot create new tags or modify existing ones and fake that a tag went properly through the supply chain.
- TRACKER is privacy-preserving: only the manager of the supply chain, but no adversary, can find out a tag's path. Also, TRACKER achieves unlinkability: an adversary cannot link tags it observes on subsequent occasions.
- To perform path verification, the manager is required to perform O(1) computations per tag, i.e., the computational complexity of path verification depends neither on the number of tags n in the supply chain, nor on the number of valid paths ν. Memory requirements scale with O(n + ν) for the manager.
- Contrary to related work such as Ouafi and Vaudenay [25] or Li and Ding [21], TRACKER does not require tags to perform any computation. Instead, TRACKER relies on passive tags with limited storage, such as standard EPC Class 1 Generation 2 tags. Due to lower hardware complexity, this implies lower production costs and cheaper (or cheapest) tags in comparison to related work.
- RFID readers do not need to be permanently online or synchronized with a central database. In the same manner, the manager is offline.
- TRACKER detects, but does not prevent, malicious tampering with tags' internal states by any adversary.

(1) Assuming that a tag is physically connected to an object and thereby represents it, this paper uses "tag" and "object" interchangeably.

The rest of this paper is structured as follows: after presenting a formal model for a supply chain as used throughout this paper in Section 2, we state the problem addressed by TRACKER and the adversary model in Section 3. This also includes the security and privacy goals within TRACKER. In Sections 4 and 5, we describe TRACKER's details and formally analyze and prove TRACKER's security and privacy properties.

2. Background

We use terms and expressions similar to the ones used by Ouafi and Vaudenay [25] and Vaudenay [31]. A supply chain in this paper simply denotes a series of consecutive steps that a product has to pass through. The exact meaning or semantics of such a step in the supply chain depends on the particular application and will not be discussed here; one could imagine a step being a warehouse or a manufacturing unit. The actual business or manufacturing process that takes place during each step of a supply chain is out of the scope of this paper. From the point of view of this paper, each step of the supply chain is equipped with an RFID reader, and when a product moves to the subsequent step of a supply chain, an interaction takes place between the product's RFID tag and the reader associated with the step. Finally, a manager wants to know whether a product went through the correct sequence of steps in the supply chain.

2.1. Entities

The following entities exist in TRACKER:

Tags T: Each tag is attached to and therewith stands for a single product or object. A tag T features re-writable memory representing T's current state, denoted s^j_T. The set of all possible states is denoted by S, s^j_T ∈ S, and |S| is a sufficiently large security parameter of TRACKER, e.g., |S| =

Issuer I: The issuer I prepares tags for deployment. While attaching a tag T to a product, I writes an initial state s^0_T into T.

Readers R_k: Representing a single step in the supply chain, a reader R_k can interact with a product's tag T: R_k reads out T's current state s^j_T and writes an updated state s^{j+1}_T into T. Here, R_k uses some function f_{R_k} to generate s^{j+1}_T out of s^j_T, i.e., f_{R_k}(s^j_T) = s^{j+1}_T. Each reader is assumed to be offline, i.e., not permanently connected to the issuer, manager, other readers, or some kind of back-end database. Only during initial system preparation do we assume that issuer I can connect to readers, e.g., to send some secrets to the reader using some secure channel.

Manager M: Eventually, a tag arrives at a special step in the supply chain called a checkpoint. At a checkpoint, manager M wants to check a tag's genuineness or validity. M checks whether tag T, and therewith the tagged object, has passed through a valid ("correct") sequence of steps in the supply chain. To do so, M simply reads out the current state s^j_T of T. Solely based on s^j_T, M decides whether T went through a valid sequence of steps. We assume that M knows which paths in a supply chain are valid or not. As with readers, M is assumed to be offline and not synchronized with the rest of the system besides during an initial setup.

2.2. Supply Chain

Formally, a supply chain is represented by a digraph G = (V, E) consisting of vertices V and edges E. Each vertex v_i ∈ V is equivalent to one step in the supply chain. A vertex/step v_i in the supply chain is uniquely associated with a reader R_i. Each directed edge e ∈ E, e := v_i → v_j, from vertex v_i to vertex v_j, expresses that v_j is a possible next step to step v_i in the supply chain. This simply means that, according to the organization of the supply chain, a product might proceed to step v_j after being at step v_i. If products must not advance from step v_i to v_j, then v_i → v_j ∉ E. Note that a supply chain can include loops and reflexive edges. Whenever a product in the supply chain proceeds from step v_i to step v_j, reader R_j interacts with the product's tag. Issuer I is represented in G by the only vertex without incoming edges, v_0. A path P is a finite sequence of steps P = {v_0, ..., v_l}, where ∀i ∈ {0, ..., l−1}: v_i → v_{i+1} ∈ E, and l is the length of path P. Clearly, different paths can have different path lengths. A valid path P_valid is a special path which manager M will eventually check products for. A valid path represents a particular legitimate sequence of steps in the supply chain that M is interested in. There may be up to ν multiple different valid paths {P_valid_1, ..., P_valid_ν} in a supply chain. The last step v_l of a valid path P_valid = {v_0, ..., v_l} represents a checkpoint. After tag T has passed through such a checkpoint, M will check T's path validity. While manager M might not know all possible paths in G, we assume in the following that M knows the valid paths, i.e., the sequences of steps, that he is willing to accept as valid.

Figure 1 depicts a sample supply chain. Checkpoints, where manager M verifies tags/objects, are encircled. So, after their deployment at issuer I, tags can either start in step a or in step b. Valid paths in Figure 1 are, for example, {I, a, d}, {I, a, d, e} or {I, a, c, c, e}. Other sequences such as {I, a, e} are not valid according to the supply chain.

[Figure 1. Simple supply chain with steps I, a, b, c, d and e; checkpoints are encircled.]

2.3. A Tracker System

Using the above definitions, a complete TRACKER system consists of:

- a supply chain G = (V, E)
- a set 𝒯 of n different tags
- a set of possible states S
- a total of η different readers, η = |E|
- issuer I and manager M
- a set of η state transition functions f_i: S → S
- a set of ν valid paths
- a set of valid states S_valid
- a database DB_clone, stored at manager M to protect against cloned tags (see next section)
- a function READ: 𝒯 → S that reads out tag T and returns T's current state s^j_T
- a function WRITE: 𝒯 × S → S that writes a new state s^{j+1}_T into tag T
- a function CHECK: S → {P_valid, ⊥} that, based on T's current state s^j_T, decides which valid path in the supply chain tag T has taken: CHECK returns P_valid if tag T went through P_valid, and ⊥ if there is no P_valid that T went through.

3. Problem Statement and Adversary Model

In TRACKER, we assume that the readers in the supply chain are independent. We assume as well that a reader R_i is semi-honest ("honest-but-curious"). That is, a reader R_i at step v_i behaves correctly when it comes to the operations it has to perform on tags going through v_i. For instance, a reader R_i at step v_i that corresponds to quality control does not update the state of T unless the product attached to T satisfies the quality requirements. Within TRACKER, we identify the following security and privacy challenges and derive a formal adversary model accordingly. Our formal definitions are direct adaptations of well-established RFID adversary models to the challenges of supply chain management. In summary, our adversary corresponds to the adversary proposed by Juels and Weis [17] and the Non-Narrow Destructive adversary by Vaudenay [31].

3.1. Security

The main security goal of TRACKER is to prevent an adversary from forging a tag's internal state with a valid path that was not actually taken by the tag in the supply chain. Using the components of the TRACKER system, this goal is stated as follows: if the verification of tag T's internal state s^j_T by manager M using CHECK returns a valid path P_valid, then T must have gone through the steps of P_valid in the supply chain. Only the soundness of the CHECK function is required with respect to identification of a valid path, since the completeness of the CHECK function cannot always be assumed. As shown below, the adversary might write any content, for example just garbage, into T at any time to spoil detection of valid paths. Even if a tag T has been through P_valid in the supply chain, the adversary might replace and invalidate the state of T, leading to a CHECK output of ⊥.

We formalize this security property and our adversary model using game-based definitions in accordance with Juels and Weis [17]. An adversary A(ρ, r, ε), or just A, has access to a TRACKER system in two phases. First, in a learning phase, A can query an oracle O_pick, cf., Algorithm 1. When queried, O_pick randomly selects a tag from all the n tags 𝒯 in the supply chain and gives it to A. During learning, A is allowed to read from and write into the tags provided by O_pick. For the sake of simplicity, we assume that products and tags go through a supply chain in a clocked, synchronous way. At each clock cycle, all tags are read and then re-written by the readers in their vicinity and then proceed to the subsequent step in the supply chain. More precisely, the ITERATESUPPLYCHAIN command in Algorithm 1 enables A to iterate or execute the supply chain by one clock cycle, i.e., all tags advance by one step and they are read out and re-written by readers. A can iterate the supply chain a total of ρ times. Now, per iteration and per clock cycle, A gets access to a set of r arbitrary tags, reads out their internal state, and re-writes their state with some arbitrary data. Also, A has access to an oracle-like construction O_M: queried with a tag T_{i,j}, O_M returns the output of the CHECK function. The above definition of A reflects an adversary in the real world having full control over the network and knowledge about the validity of tags' states. After the learning phase of Algorithm 1, A enters the (simple) challenge phase, cf., Algorithm 2.

Algorithm 1: Security learning phase of adversary A
    for i := 0 to (ρ − 1) do
        ITERATESUPPLYCHAIN;
        for j := 1 to r do
            T_{i,j} ← O_pick;
            s^i_{T_{i,j}} := READ(T_{i,j});
            WRITE(T_{i,j}, s^{i+1}_{T_{i,j}});
            CHECK(s^{i+1}_{T_{i,j}}) ← O_M(T_{i,j});

Algorithm 2: Security challenge phase of adversary A
    T ← O_pick; s^j_T := READ(T); WRITE(T, s^{j+1}_T);
      or
    T' := CREATETAG; WRITE(T', s^{j+1}_{T'});
    A → M: T;
    M evaluates CHECK on T's state;

A can either arbitrarily choose one tag T ∈ 𝒯, read and re-write it, or A can create his own tag T' ∉ 𝒯 and write some state s_{T'} into it. Finally, A sends T to M. Manager M now evaluates CHECK on T's state.

Definition 1 (False positives). If M's evaluation of CHECK on tag T's state outputs one of the ν valid paths P_valid = {v_0, ..., v_l}, and if T has not been through the exact sequence of steps {v_0, ..., v_l} in the supply chain, then this is called a false positive in TRACKER. The probability of a false positive is denoted by Pr[False Positive].

Now, adversary A must not be able to generate a state corresponding to a valid path with higher probability than simple guessing:

Definition 2 (Security). TRACKER provides security iff for adversary A the inequality

$$\Pr[\text{False Positive}] \le \frac{|S_{valid}|}{|S|} + \epsilon$$

holds, where ε is negligible.

Discussion: Cloning

As we assume cheap re-writeable tags without any computational abilities, no reader authentication is possible on the tag side. Any adversary can read from and write into a tag. Trivially, an adversary might clone a tag. This is impossible to prevent in our setup with only re-writeable tags and offline, unsynchronized readers. To mitigate this problem, manager M utilizes a database DB_clone. Initially empty, this database will contain the identifiers of tags that went through a valid path of a supply chain and were checked by M. Each time M verifies a tag's path, M also checks whether this tag's identifier is already in DB_clone, to detect cloning. Details about identifiers and the handling of DB_clone will be given later in the protocol description of Section 4. Therefore, an adversary cannot clone a tag more than once, and thus cloning cannot be performed on a large scale. On the other hand, if the tag is attached to a luxury product, cloning is critical even if a tag is cloned only once. However, to get a malicious tag accepted by the manager, the adversary has to break into the supply chain, clone a tag, inject this tag, and overtake the legitimate tag in the supply chain to reach the manager before the legitimate tag. We conjecture that this is not easy for an adversary to do.

Limitations

The adversary model above does not capture an adversary hijacking tags and performing extra steps with tags. One might envision an adversary controlling a set of steps with readers that do not behave protocol-compliant. For example, if the extra steps do not change the tags' state (but modify products), this will go unnoticed by the manager. We claim that these attacks, as well as physical attacks, e.g., removing one tag from one product and attaching it to another product, are out of scope. Also, there is no notion of multiple managers in the supply chain checking tags for genuineness; we focus on only one manager. While in the real world multiple managers are probably more realistic, this is left for future work. Additionally, we do not target managers proving (non-)genuineness to a third party in a privacy-preserving way. Also, we focus only on detecting counterfeits, not on preventing them; that is, it remains unclear what happens once a counterfeit has been detected. All this is left for future research.

3.2. Privacy

An adversary in TRACKER is an active adversary who, besides being able to eavesdrop on tags' communication, can as well tamper with tags' internal states. Along these lines, we identify two notions of privacy in TRACKER. The first one is commonly known as tag anonymity: an adversary A should not be able to disclose the (unique) identity of tags he reads from or writes into. The second notion of privacy that we are interested in is what we call step privacy: an adversary A should not be able to find out the steps v_i a tag went through. While A can eavesdrop on tags' communication and re-write tags' internal states, it should be infeasible for A to break tag anonymity or step privacy. Along these lines, another notion of privacy that could be derived as well is path privacy: A should not be able to tell which path P a given tag T took. Note, however, that step privacy is stronger than path privacy. If A is able to disclose the path a tag T went through, then A automatically knows each of T's steps. So, if TRACKER preserves step privacy, then A cannot find out the path P a tag has taken.

Moreover, TRACKER should prevent A from binding ("linking") the data he reads to the tag storing it. This differs from tag anonymity, as the latter can be achieved, for example, through encryption. However, simple encryption cannot achieve tag unlinkability: A may always be able to recognize the tag through the ciphertext it stores. Thus, there is a need to regularly change the data stored on tags to prevent such a threat. In the real world, tag unlinkability is the property that prevents an eavesdropper from tracking, following, and distinguishing items and goods based on the data tags store. Furthermore, A may as well aim at linking tags based on the steps they went through in the supply chain. Roughly speaking, step unlinkability should prevent an adversary A from telling whether the paths that two different tags T_i and T_j took have a step in common. In practice, step unlinkability prevents an adversary A from binding a tag T to a pallet of tags in the supply chain.

In this paper, we focus on tag unlinkability and step unlinkability, for which we give formal definitions in the following section. It is sufficient to focus only on the unlinkability properties, as they represent stronger requirements than tag anonymity and step privacy. As mentioned earlier, tag unlinkability grasps the ability of an adversary A to distinguish between tags based on the content they store. This notion of unlinkability is stronger than tag anonymity: if an adversary is able to undermine tag anonymity and to uniquely identify a tag, he is automatically able to distinguish tags, therewith undermining tag unlinkability. Just as well, step unlinkability ensures that it is infeasible for an adversary A to tell whether the paths of two tags have a step in common or not. This notion is stronger than step privacy: if A is able to disclose the steps any tag went through, he can always tell whether two tags have a step in common. Therefore, if TRACKER provides tag and step unlinkability, it provides as well tag anonymity and step privacy. So in conclusion, it is sufficient to investigate the unlinkability properties. These will be presented in the following section in detail.

6 3.3. Unlnkablty For our formal defntons of tag and path unlnkablty, we assume A has access to the followng oracles: O choose s an oracle that, when quered, returns a random tag T enterng the supply chan. O select s an oracle that, when quered, returns a par (T, S). T s a tag selected randomly from the set of tags T and S s the set of steps that T went through so far. O draw s an oracle that, when quered wth a step v, returns a par (T, S). T s a random tag that wll go through v n the next supply chan teraton, and S s the set of steps that T went through so far. O step s an oracle that, when quered wth a tag T, returns the next step that T wll go through n the next supply chan teraton. O flp s an oracle that, when quered wth two tags T 1, T 2, randomly chooses b {1, 2} and returns T b. Tag Unlnkablty: We llustrate tag unlnkablty by a formal experment smlar to the experment by Juels and Wes [17]. In ths experment, A has access to tags n two phases. In the learnng phase, cf., Algorthm 3, O select provdes A wth two challenge tags T 1 and T 2, and r other tags along wth the steps they went through so far. A terates the supply chan ρ tmes. At each teraton, A reads from and wrtes nto tags. He s as well provded wth the step that T 1 and T 2 wll go through n the next supply chan teraton. Ths unlnkablty game reflects an adversary A n the real world that can follow tags n the supply chan along the steps they are gong through. 
(T 1, S 1 ) O select ; (T 2, S 2 ) O select ; for := 1 to ρ do ITERATESUPPLYCHAIN; T 1 O step ; v T1,(+1) O step ; s T 1 :=READ(T 1 WRITE(T 1, s T 1 T 2 O step ; v T2,(+1) O step ; s T 2 :=READ(T 2 WRITE(T 2, s T 2 for j := 1 to r do (T,j, S,j ) O select ; s T,j :=READ(T,j WRITE(T,j, s T,j Algorthm 3: A s tag unlnkablty learnng phase ITERATESUPPLYCHAIN; T b O flp {T 1, T 2 }; s Tb :=READ(T b for := 1 to s do (T, S ) O select; s T :=READ(T OUTPUT b; Algorthm 4: A s tag unlnkablty challenge phase In the challenge phase, cf., Algorthm 4, the supply chan s terated frst. Then, A s provded wth tag T b, b {1, 2} through oracle O flp. A s goal s to output the value of b. O select provdes A wth s other tags that he can read from and wrte nto. Gven the data stored on T b and the result of the dfferent readngs, A outputs hs guess for the value of b {1, 2}. A s successful, f hs guess of b s correct. Defnton 3 (Tag Unlnkablty). TRACKER provdes tag unlnkablty For adversary A, nequalty P r(a outputs a correct guess) ɛ holds, where ɛ s neglgble. Dscusson: Unlnkablty n between reader nteractons Ths paper targets passve tags that only feature storage capabltes and therewth cannot perform any (cryptographc) computaton. Consequently, tags cannot update ther state after an nteracton wth a reader on ther own, and tags cannot perform any knd of access control. Hence, the tag state does not change n between two protocol executons, and an adversary can easly access a tag s state. Under such crcumstances, t s therefore mpossble to provde tag unlnkablty aganst a powerful adversary who tres to lnk tags n between two subsequent reader nteractons (cf., formal proof by Vaudenay [31]). However, we conjecture that, n a real world scenaro, an adversary cannot permanently access tags or eavesdrop tags communcatons, but there s at least one unobserved nteracton between a tag and a reader. Ths s also n accordance wth related work, such as Atenese et al. [2], Dmtrou [11], Sadegh et al. [27]. 
We mplement ths n our defnton of adversary A n Algorthm 4 by teratng the supply chan before callng oracle O flp and gvng tag T b to A. Step unlnkablty: TRACKER should prevent an adversary A from beng able to tell, whether the paths of two dfferent tags T and T j have a step n common. Ths s formalzed as follows: n the learnng phase, cf., Algorthm 5, A(ρ, r, s, ɛ) calls O choose whch provdes hm wth a random tag that just entered the supply chan at step v 0. A then terates the supply chan for a maxmum of ρ tmes. At each teraton, A reads out T s state and wrtes nto T. Also, O step provdes A wth the step v T,(+1) that

7 T wll go through n the next supply chan teraton. A then queres the oracle O draw wth step v T,(+1). O draw provdes A wth r tags T,j that wll go through v T,(+1) n the next supply chan teraton that he can read and wrte nto. Also, O select provdes A wth s tags T,j from T along wth the steps they went through so far. A s also provded wth the next step of tags T,j by callng the oracle O step. A then terates the supply chan and reads the updated states of the r tags provded by O draw and the s tags provded by O select. As n the tag unlnkablty game, ths step unlnkablty game reflects the capabltes of an actve adversary who, besdes eavesdroppng on tags communcaton, can as well follow tags and tamper wth ther nternal states along dfferent steps of the supply chan. T O choose ; for := 0 to ρ 1 do T O step ; v T,(+1) O step ; s T :=READ(T WRITE(T, s T for j := 1 to r do v T,(+1) O draw ; (T,j, S,j ) O draw ; s T,j :=READ(T,j WRITE(T,j, s T,j for j := 1 to s do (T,j, S,j ) O select; T,j O step; v T,j O step ; s T,j :=READ(T,j WRITE(T,j, s T,j ITERATESUPPLYCHAIN; for j := 1 to r do READ(T,j for j := 1 to s do READ(T,j Algorthm 5: A s step unlnkablty learnng phase In the challenge phase, cf., Algorthm 6, A s provded wth a challenge tag T c whch just entered the supply chan. A s goal s to tell whether the paths that tag T and tag T c took have a step n common trvally, besdes the ntal step v 0. A terates the supply chan for a maxmum of ρ tmes. At each teraton, A reads out and wrtes nto T c. A calls as well the oracle O select that provdes hm wth s tags T,j whch he can read and wrte nto. He s also T c O choose ; for := 0 to ρ 1 do s T c :=READ(T c WRITE(T c, s T c for j := 1 to s do (T,j, S,j ) O select ; s T,j :=READ(T,j WRITE(T,j, s T,j T,j O step ; v T,j O step ; ITERATESUPPLYCHAIN; for j := 1 to s do READ(T,j READ(T c OUTPUT b; Algorthm 6: A s step unlnkablty challenge phase provded wth the step v T,j that T,j wll go through n the next teraton. 
A then terates the supply chan and reads the updated state of the s tags. At the of the challenge phase, A reads the current state of tag T c and outputs b = 1, f T c and T have a step n common (besdes v 0 ), and b = 2 f they do not have a step n common (besdes v 0 ). The adversary s successful, f hs guess s correct. Defnton 4 (Step Unlnkablty). TRACKER provdes step unlnkablty For adversary A, nequalty P r(a outputs a correct guess) ɛ holds, where ɛ s neglgble. The above defnton covers unlnkablty of ndvdual steps n the supply chan. Note that step unlnkablty s stronger than unlnkablty of paths that prevents an adversary A from tellng whether two tags went through the same path or not. If A s able to tell whether two tags went through the same path then he automatcally knows that the paths of these two tags have steps n common. So, f TRACKER provdes step unlnkablty, t wll as well provde path unlnkablty. Step unlnkablty also mples step and path prvacy. 4. Tracker Protocol Protocol overvew: In TRACKER, a tag T s state s l T represents the sequence of steps n the supply chan that T went through. The man concept s to represent dfferent paths n the supply chan usng dfferent polynomals. More precsely, at the of a supply chan s vald path P vald, a tag s state s l T wll match the evaluaton of a unque polynomal Q Pvald (x) n a fxed value x 0. Therefore, a path n the

8 supply chan s represented by Q Pvald (x 0 ) F q provdng a compact and effcent representaton of paths. Now, TRACKER reles on the property that for any two dfferent paths P P, vald or not, the equaton Q P (x 0 ) = Q P (x 0 ) holds only wth neglgble probablty. Two dfferent paths wll result n two dfferent polynomal evaluatons. As a result, the state of a tag T at the of the supply chan can be unquely related to one sngle (vald) path. However, the path representaton as presented above does not suffce to prevent path clonng,.e., copyng the path of a vald tag nto a fake tag and then njectng the fake tag n the supply chan. To tackle ths problem, tags wll store Q Pvald (x 0 ) multpled by a keyed HMAC of ther unque IDs. HMAC serves two purposes: frst, t proves that tags are ssued by a legtmate authorty and prevents an adversary from njectng ts own tags. Second, t allows to map the tag s ID to a random number that cannot be predcted by the adversary. A tag s state therefore conssts of three elements that are: a unque ID, HMAC k (ID) and HMAC k (ID) Q Pvald (x 0 ). TRACKER can be structured nto three parts: 1.) Issuer I wrtes an ntal state s 0 T nto a new tag T. 2.) Readers successvely compute the evaluaton of a polynomal: to acheve the evaluaton of the entre polynomal Q Pvald (x 0 ) at the of a vald path, each reader vsted by tag T computes T s new state s T by applyng smple arthmetc operatons represented by the functon f on the T s current state s 1 T. Eventually, ths results n the evaluaton of the entre polynomal Q Pvald (x 0 ). 3.) Fnally, manager M checks a tag s state s l T. M knows a set of ν evaluatons of vald polynomals Q Pvald (x 0 ). M checks whether one of these polynomals corresponds to s l T, and f so, M knows the path the tag has taken. 
Privacy and security overview: On the one hand, to protect privacy (more precisely unlinkability) in TRACKER, tags store only probabilistic elliptic curve Elgamal encryptions of their states, and readers use homomorphic (re-)encryption techniques for the arithmetic operations on encrypted path encodings. At the end of the supply chain, the manager can then decrypt and identify the path. On the other hand, the security of TRACKER relies on both the security of Elgamal and the security of HMAC. A tag stores an encrypted state of the three elements ID, $\mathrm{HMAC}_k(ID)$ and $\mathrm{HMAC}_k(ID) \cdot Q_{P_{valid}}(x_0)$. Although an adversary can always have access to encryptions of $\mathrm{HMAC}_k(ID)$ and encryptions of $Q_{P_{valid}}(x_0)$, he cannot come up with an encryption that corresponds to the product of the underlying plaintexts, that is, $\mathrm{HMAC}_k(ID) \cdot Q_{P_{valid}}(x_0)$. We show in Section 5.2 that if an adversary A is able to come up with an encryption of $\mathrm{HMAC}_k(ID) \cdot Q_{P_{valid}}(x_0)$, he will be able to break either the computational Diffie-Hellman (CDH) assumption or HMAC security. Before the detailed protocol description in Section 4.3, we first provide an overview of TRACKER's polynomial path encoding and of the elliptic curve encryption used in this paper.

4.1 Path Encoding in Tracker

TRACKER's polynomial path encoding is based on techniques for software fault detection. Noubir et al. [23] propose to encode a software's state machine using polynomials such that the exact sequence of states visited during run-time generates a unique mark. Therewith, run-time faults can be detected. TRACKER's path encoding is based on the one by Noubir et al. [23] and will be described in the following.

For each step $v_i$, $1 \le i \le \eta$, in the supply chain, $v_i$ is associated with a unique random number $a_i \in \mathbb{F}_q$, where q is a large prime. Accordingly, the issuer's step $v_0$ is associated with a random number $a_0 \in \mathbb{F}_q$. As mentioned above, a path in the supply chain is represented as a polynomial in $\mathbb{F}_q$. The polynomial corresponding to a path $P = v_0 v_1 \ldots v_l$ is defined in Equation (1). All operations are in $\mathbb{F}_q$.

$$Q_P(x) := a_0 x^l + \sum_{i=1}^{l} a_i x^{l-i}. \qquad (1)$$

To have a more compact representation of paths, a path P is represented as the evaluation of $Q_P(x)$ in $x_0$, where $x_0$ is a generator of $\mathbb{F}_q$. We denote $\phi(P) = Q_P(x_0)$. The above path encoding using polynomials with random coefficients $a_i \in \mathbb{F}_q$ has the desired property that any two different paths result in distinct polynomial evaluations with high probability. That is, for $P, P'$ with $P \neq P'$, the equation $\phi(P) = \phi(P')$ holds with probability $\frac{1}{q}$, cf., Noubir et al. [23].

Let T be a tag with a unique ID that took path P. We define T's path mark as $\phi_{ID}(P) := \mathrm{HMAC}_k(ID) \cdot \phi(P)$. As defined above, the path mark depends on the tag's ID to prevent an adversary from copying the path mark of a tag into another one. Although the path mark depends on ID, knowledge of $\phi_{ID}(P)$ and $\mathrm{HMAC}_k(ID)$ allows M to always derive $\phi(P)$ and identify P.

Readers: The path mark $\phi_{ID}(P)$ is stored on the tag. A reader that is visited by a tag T reads T's current path mark, updates it, and writes the updated path mark back into T. To eventually achieve the evaluation of the path mark $\phi_{ID}(P)$ of path $P = v_0 v_1 \ldots v_{i-1} v_i \ldots v_l$, the per-reader effort is quite low. Assume that T arrives at reader $R_i$, i.e., step $v_i$ in the supply chain. So far, T went through (sub-)path $P_{i-1} = v_0 v_1 \ldots v_{i-1}$, and stores ID, $\mathrm{HMAC}_k(ID)$, and path mark $\phi_{ID}(P_{i-1})$. To get $\phi_{ID}(P_i)$, reader $R_i$ simply computes its state transition function $f_{R_i}$ defined as $f_{R_i}(x) := x_0 \cdot x + \mathrm{HMAC}_k(ID) \cdot a_i$. So, $\phi_{ID}(P_i) := f_{R_i}(\phi_{ID}(P_{i-1})) = x_0 \cdot \phi_{ID}(P_{i-1}) + \mathrm{HMAC}_k(ID) \cdot a_i$. $R_i$ writes $\phi_{ID}(P_i)$ into T. By construction, this will eventually result in $\phi_{ID}(P_l) = \mathrm{HMAC}_k(ID) \cdot (a_0 x_0^l + \sum_{j=1}^{l} a_j x_0^{l-j}) = \mathrm{HMAC}_k(ID) \cdot \phi(P_l)$.

Tag state decoding: This operation corresponds to the CHECK function of the TRACKER protocol. The state $s^l_T$ of a valid tag T in the supply chain that went through a valid path $P_{valid}$ consists of a tuple of three elements $s^l_T := (ID, \mathrm{HMAC}_k(ID), \phi_{ID}(P_{valid}))$. Before decoding $\phi_{ID}(P_{valid})$, M, provided with the secret key k and ID, computes $\mathrm{HMAC}_k(ID)$ and verifies the second element of T's state. If T passes the verification, M multiplies $\phi_{ID}(P_{valid})$ by $\mathrm{HMAC}_k(ID)^{-1}$ to get $\phi(P_{valid})$. M stores a list of all possible $\phi(P_{valid})$ along with their corresponding valid paths. Given $\phi(P_{valid})$, M is able to check and identify the path $P_{valid}$. As we will see in the following paragraphs, tags in TRACKER store encrypted versions of ID, $\mathrm{HMAC}_k(ID)$ and $\phi_{ID}(P_{valid})$. So in conclusion, a tag stores the tuple $s^l_T = (E(ID), E(\mathrm{HMAC}_k(ID)), E(\phi_{ID}(P_{valid})))$.

4.2 Elliptic Curve Elgamal Cryptosystem

An elliptic curve Elgamal cryptosystem provides the following usual set of operations:
Setup: The system outputs an elliptic curve E over a finite field $\mathbb{F}_p$. Let P be a point on $E(\mathbb{F}_p)$ of a large prime order q such that the discrete logarithm problem is intractable for $G = \langle P \rangle$. Here, p and q are TRACKER security parameters, e.g., $|p| = |q| = 160$ bit.
Key generation: The secret key is $sk \in \mathbb{F}_q$. The corresponding public key pk is the pair of points $(P, Y = sk \cdot P)$.
Encryption: To encrypt a point $M \in E$, one randomly selects $r \in \mathbb{F}_q$ and computes $E(M) := (U, V) = (r \cdot P, M + r \cdot Y)$. The ciphertext is $c = (U, V)$.
Decryption: To decrypt a ciphertext $c = (U, V)$, one computes $D(c) := -sk \cdot U + V = M$.
In TRACKER, a tag in the supply chain stores the elliptic curve Elgamal encryption of its unique ID, of $\mathrm{HMAC}_k(ID)$, and of a path mark $\phi_{ID}(P)$.
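Before moving on to the encrypted variant, the plaintext path encoding of Section 4.1 as a runnable example (added here; this is not code from the paper or its authors): the closed form of Equation (1), the per-reader transition $f_{R_i}$, the ID-keyed path mark, and the manager's decoding with $\mathrm{HMAC}_k(ID)^{-1}$. Everything concrete is an assumption made for the example: $q = 2^{31}-1$ replaces the paper's 160-bit prime, $x_0$ is the smallest generator of $\mathbb{F}_q^*$ found by a primitive-root test, HMAC-SHA256 reduced mod q stands in for $\mathrm{HMAC}_k$, and the step secrets $a_i$, the tag IDs and the two valid paths are made-up values.

```python
import hashlib
import hmac

# Constructed parameters for a toy instance of Section 4.1. The paper uses a 160-bit prime q;
# here q = 2^31 - 1 is prime and q - 1 = 2 * 3^2 * 7 * 11 * 31 * 151 * 331.
Q = 2**31 - 1
Q_MINUS_ONE_PRIME_FACTORS = (2, 3, 7, 11, 31, 151, 331)


def is_generator(x, q=Q, factors=Q_MINUS_ONE_PRIME_FACTORS):
    """x generates F_q^* iff x != 0 and x^((q-1)/p) != 1 for every prime p dividing q - 1."""
    return x % q != 0 and all(pow(x, (q - 1) // p, q) != 1 for p in factors)


# x0 stands in for the paper's generator x_0: the smallest generator of F_q^*.
X0 = next(x for x in range(2, Q) if is_generator(x))


def hmac_k(key, tag_id, q=Q):
    """HMAC_k(ID) as an element of F_q. Assumption: HMAC-SHA256 output reduced mod q."""
    digest = hmac.new(key, tag_id, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % q


def phi(coeffs, x0=X0, q=Q):
    """phi(P) = Q_P(x0) from Equation (1): a_0 x0^l + sum_{i=1..l} a_i x0^(l-i) in F_q.
    coeffs = [a_0, a_1, ..., a_l] lists the step secrets along the path, in order."""
    l = len(coeffs) - 1
    return sum(a * pow(x0, l - i, q) for i, a in enumerate(coeffs)) % q


def reader_update(mark, a_i, h, x0=X0, q=Q):
    """Reader R_i's transition f_{R_i}(x) = x0 * x + HMAC_k(ID) * a_i on the stored path mark."""
    return (x0 * mark + h * a_i) % q


def run_path(tag_id, key, coeffs):
    """Issuer writes phi_ID(v_0) = HMAC_k(ID) * a_0; each reader on the path applies f_{R_i}.
    Returns the plaintext tag state (ID, HMAC_k(ID), phi_ID(P))."""
    h = hmac_k(key, tag_id)
    mark = (h * coeffs[0]) % Q
    for a_i in coeffs[1:]:
        mark = reader_update(mark, a_i, h)
    return (tag_id, h, mark)


def manager_check(state, key, valid_table):
    """CHECK: recompute HMAC_k(ID), verify the stored HMAC, strip it with HMAC_k(ID)^-1,
    then look phi(P) up in the table of valid paths. Returns the path name or None."""
    tag_id, h_stored, mark = state
    h = hmac_k(key, tag_id)
    if h == 0 or h != h_stored:
        return None                          # not issued under key k (or no inverse exists)
    phi_p = (mark * pow(h, -1, Q)) % Q       # phi(P) = phi_ID(P) * HMAC_k(ID)^-1
    return valid_table.get(phi_p)            # None: no valid path evaluates to this value


# Constructed step secrets a_i (the issuer holds a_0) and the manager's table of valid paths.
KEY = b"constructed issuer key k"
STEP_SECRET = {"v0": 123456789, "v1": 987654321, "v2": 192837465, "v3": 564738291}
VALID_PATHS = [("v0", "v1", "v2", "v3"), ("v0", "v1", "v3")]
VALID_TABLE = {phi([STEP_SECRET[v] for v in p]): " ".join(p) for p in VALID_PATHS}


def demo():
    """An honest tag on a valid path, a tag that visited v1 and v2 in the wrong order,
    and a path mark copied from the honest tag onto a tag with a different ID."""
    honest = run_path(b"tag-A", KEY, [STEP_SECRET[v] for v in ("v0", "v1", "v2", "v3")])
    wrong_order = run_path(b"tag-A", KEY, [STEP_SECRET[v] for v in ("v0", "v2", "v1", "v3")])
    cloned = (b"tag-B", hmac_k(KEY, b"tag-B"), honest[2])   # tag-B carries tag-A's mark
    return {
        "honest": manager_check(honest, KEY, VALID_TABLE),
        "wrong_order": manager_check(wrong_order, KEY, VALID_TABLE),
        "cloned": manager_check(cloned, KEY, VALID_TABLE),
    }


if __name__ == "__main__":
    print(demo())
```

The reader recurrence never sees the whole path, yet after the last reader the mark equals $\mathrm{HMAC}_k(ID) \cdot \phi(P)$ computed from Equation (1) directly. Swapping $v_1$ and $v_2$ changes the evaluation by $(a_1 - a_2)(x_0^2 - x_0)$, which is non-zero in a field whenever $a_1 \neq a_2$ and $x_0 \notin \{0, 1\}$, so the ordering of steps is detected with certainty rather than merely with high probability in this case. The cloned mark fails because stripping it with the wrong tag's $\mathrm{HMAC}_k(ID)^{-1}$ yields $\phi(P) \cdot \mathrm{HMAC}_k(ID_A) / \mathrm{HMAC}_k(ID_B)$, which matches no table entry.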
Without loss of generality, we assume that the ID of a tag is a random point on the elliptic curve E and that $\mathrm{HMAC}_k(ID)$ is an element of $\mathbb{F}_q$ with $|q| = 160$ bits. To encrypt $\mathrm{HMAC}_k(ID)$ and $\phi_{ID}(P)$ in $\mathbb{F}_q$ using Elgamal over elliptic curves, we need a point mapping which transforms a message $m \in \mathbb{F}_q$ into a point on the elliptic curve E.

Point mapping: We use a simple additively homomorphic mapping $\mathcal{M}: \mathbb{F}_q \to E$ that preserves the properties of our polynomial path encoding with respect to the probability of path collisions. A message $m \in \mathbb{F}_q$ is mapped to a point on E by $\mathcal{M}(m) = m \cdot P$, where P is a point on E of large prime order q. This mapping is a one-to-one mapping from $\mathbb{F}_q$ to $G = \langle P \rangle$: if $m_1, m_2 \in \mathbb{F}_q$ are such that $\mathcal{M}(m_1) = \mathcal{M}(m_2)$, then $m_1 = m_2 \bmod q$. Therefore, the probability that the mappings of two path marks collide in E, i.e., $\mathcal{M}(\phi_{ID}(P_1)) = \mathcal{M}(\phi_{ID}(P_2))$, is the same as the probability that two path marks collide in $\mathbb{F}_q$. This mapping is not reversible, which means that we cannot deduce $\phi_{ID}(P)$ from $\mathcal{M}(\phi_{ID}(P))$. However, this is not an issue in TRACKER: as mentioned above, the manager knows the valid paths in advance. So he computes and stores the mappings $\mathcal{M}(\phi(P_{valid})) \in E$ instead of computing and storing $\phi(P_{valid}) \in \mathbb{F}_q$. Given ID, the manager computes $\mathrm{HMAC}_k(ID)$, derives the mapping $\mathcal{M}(\phi(P)) \in E$ from $\mathcal{M}(\phi_{ID}(P))$, and then checks whether P is a valid path by comparing $\mathcal{M}(\phi(P))$ with the list of valid mappings.

4.3 Detailed Protocol Description

TRACKER consists of an initial setup phase, the preparation of new tags entering the supply chain, reader and tag interaction as part of the supply chain, and finally a path verification conducted by manager M.

Tracker initialization: Issuer I sets up an elliptic curve Elgamal cryptosystem and generates the secret key sk and the public key $pk = (P, Y = sk \cdot P)$ such that the order of P is a large prime q, $|q| = 160$ bit. Then, I selects $x_0$, a generator of the finite field $\mathbb{F}_q$, and randomly selects a value $a_0 \in \mathbb{F}_q$. I generates a random bit string k, $|k| = 160$ bit. The initial step $v_0$, representing the issuer in the supply chain, is associated with $(a_0, k)$. Similarly, I generates $\eta$ random numbers $a_i \in \mathbb{F}_q$, $1 \le i \le \eta$. I sends to each reader $R_i$, representing step $v_i$, the tuple $(x_0, a_i)$ over a secure channel. Also over a secure channel, I provides manager M with secret key sk, generator $x_0$, key k and the tuples $(i, a_i)$. Therewith, M is informed which reader $R_i$ at step $v_i$ knows which $a_i$. As M knows which paths in the supply chain will be valid, he now computes all the $\nu$ valid $\phi(P_{valid})$ using Equation (1). Finally, M computes and stores pairs $(\mathcal{M}(\phi(P_{valid})), steps)$, where steps is the sequence of steps $v_0 v_{P_{valid},1} v_{P_{valid},2} \ldots v_{P_{valid},l}$ of $P_{valid}$. That is, M knows for each mapping the sequence of steps. Therefore, the manager verifies the validity of the path and, if the path is valid, he can identify it. In conclusion, $x_0$ is public, the $a_i$ are secret and only known by reader $R_i$ and M. Also, only M and I know sk and k.

Tag preparation: For each new tag T entering the supply chain, I draws a random point $ID \in E$ which is T's unique identifier. Now, let $\mathrm{HMAC}_k$ be a (secure) HMAC algorithm [6], $\mathrm{HMAC}_k(m): \mathbb{F}_q \times E \to \mathbb{F}_q$. Provided with key k, I computes $\mathrm{HMAC}_k(ID)$. I then selects three random numbers $r^0_{ID}, r^0_\sigma, r^0_\phi \in \mathbb{F}_q$ to compute the following ciphertexts:

$$c^0_{ID} = E(ID) = (U^0_{ID}, V^0_{ID}) = (r^0_{ID} \cdot P,\ ID + r^0_{ID} \cdot Y)$$
$$c^0_\sigma = E(\mathrm{HMAC}_k(ID)) = (U^0_\sigma, V^0_\sigma) = (r^0_\sigma \cdot P,\ \mathrm{HMAC}_k(ID) \cdot P + r^0_\sigma \cdot Y)$$
$$c^0_\phi = E(\phi_{ID}(v_0)) = (U^0_\phi, V^0_\phi) = (r^0_\phi \cdot P,\ \mathrm{HMAC}_k(ID) \cdot a_0 \cdot P + r^0_\phi \cdot Y)$$

Finally, I writes the state $s^0_T = (c^0_{ID}, c^0_\sigma, c^0_\phi)$ into T, which can then enter the supply chain.

Tag and reader interaction in the supply chain: Assume a tag T arrives at step $v_i$ and reader $R_i$ in the supply chain. Without loss of generality, assume that the path that tag T took so far is $P_{i-1} = v_0 v_1 \ldots v_{i-1}$ and let $P_i = v_0 v_1 \ldots v_i$. $R_i$ reads out T's current state $s^{i-1}_T = (c^{i-1}_{ID}, c^{i-1}_\sigma, c^{i-1}_\phi)$. Given the ciphertexts $c^{i-1}_\phi = (U^{i-1}_\phi, V^{i-1}_\phi)$ and $c^{i-1}_\sigma = (U^{i-1}_\sigma, V^{i-1}_\sigma)$, the generator $x_0$, and $a_i$, $R_i$ computes $c^i_\phi = (U^i_\phi, V^i_\phi)$:

$$U^i_\phi = x_0 \cdot U^{i-1}_\phi + a_i \cdot U^{i-1}_\sigma = (x_0 r^{i-1}_\phi + a_i r^{i-1}_\sigma) \cdot P$$

$$\begin{aligned}
V^i_\phi &= x_0 \cdot V^{i-1}_\phi + a_i \cdot V^{i-1}_\sigma \\
&= x_0 \cdot \Big(\mathrm{HMAC}_k(ID) \sum_{j=0}^{i-1} a_j x_0^{\,i-1-j} \cdot P + r^{i-1}_\phi \cdot Y\Big) + a_i \cdot \big(\mathrm{HMAC}_k(ID) \cdot P + r^{i-1}_\sigma \cdot Y\big) \\
&= \mathrm{HMAC}_k(ID) \sum_{j=0}^{i-1} a_j x_0^{\,i-j} \cdot P + \mathrm{HMAC}_k(ID) \cdot a_i \cdot P + x_0 r^{i-1}_\phi \cdot Y + a_i r^{i-1}_\sigma \cdot Y \\
&= \mathrm{HMAC}_k(ID) \sum_{j=0}^{i} a_j x_0^{\,i-j} \cdot P + (x_0 r^{i-1}_\phi + a_i r^{i-1}_\sigma) \cdot Y \\
&= \mathcal{M}(\mathrm{HMAC}_k(ID) \cdot \phi(P_i)) + (x_0 r^{i-1}_\phi + a_i r^{i-1}_\sigma) \cdot Y \\
&= \mathcal{M}(\phi_{ID}(P_i)) + (x_0 r^{i-1}_\phi + a_i r^{i-1}_\sigma) \cdot Y
\end{aligned}$$

In conclusion, the above is the homomorphic encryption variant of the reader computation of Section 4.1. To get $c^i_{ID}$ and $c^i_\sigma$, reader $R_i$ re-encrypts $c^{i-1}_{ID}$ and $c^{i-1}_\sigma$, respectively: it randomly picks two numbers $r_{ID}, r_\sigma \in \mathbb{F}_q$ and outputs two new ciphertexts $c^i_{ID} = (U^i_{ID}, V^i_{ID}) = (r_{ID} \cdot P + U^{i-1}_{ID},\ r_{ID} \cdot Y + V^{i-1}_{ID})$ and $c^i_\sigma = (U^i_\sigma, V^i_\sigma) = (r_\sigma \cdot P + U^{i-1}_\sigma,\ r_\sigma \cdot Y + V^{i-1}_\sigma)$. The reader also re-encrypts $c^i_\phi$: it randomly picks $r_\phi \in \mathbb{F}_q$ and outputs $c^i_\phi = (U^i_\phi, V^i_\phi) = (r_\phi \cdot P + U^i_\phi,\ r_\phi \cdot Y + V^i_\phi)$. Finally, $R_i$ writes the new state $s^i_T = (c^i_{ID}, c^i_\sigma, c^i_\phi)$ into T.

Path verification by M: This operation corresponds to TRACKER's realization of the CHECK function. Upon reading a tag's state $s^l_T = (c^l_{ID}, c^l_\sigma, c^l_\phi)$, M decrypts $c^l_{ID}$ and gets $ID \in E$. M then checks for cloning by looking up ID in M's database $DB_{clone}$. If $ID \in DB_{clone}$, then M outputs $\bot$ and rejects T.
Otherwise, M decrypts $c^l_\sigma$ to get a point $Q \in E$. M computes $\mathrm{HMAC}_k(ID)$ and $\mathcal{M}(\mathrm{HMAC}_k(ID))$, and verifies whether the equation $Q = \mathcal{M}(\mathrm{HMAC}_k(ID))$ holds. If it does not, M outputs $\bot$ and rejects T. If $Q = \mathcal{M}(\mathrm{HMAC}_k(ID))$, M decrypts $c^l_\phi$, which results in a point $Q'$. Given $\mathrm{HMAC}_k(ID)$, M computes the inverse $\mathrm{HMAC}_k(ID)^{-1} \in \mathbb{F}_q$, and then computes $\pi = \mathrm{HMAC}_k(ID)^{-1} \cdot Q' = \mathcal{M}(\phi(P))$. M checks whether $\pi$ is in his list of valid mappings $\mathcal{M}(\phi(P_{valid}))$. If there is no match, M outputs $\bot$ and rejects the tag. Otherwise, manager M outputs $P_{valid}$ and adds ID to $DB_{clone}$.

5. Security and Privacy Analysis

Before giving the security and the privacy analysis, we introduce the security properties of HMAC.

5.1 HMAC Security

An HMAC with key k, a message m, and a cryptographic hash function h is defined as $\mathrm{HMAC}_k(m) := h((k \oplus opad) \| h((k \oplus ipad) \| m))$, where $\|$ denotes concatenation. For more details about opad and ipad see Krawczyk et al. [20]. If the output of h and the secret key k are indistinguishable from random data for an adversary, then $\mathrm{HMAC}_k$ has the following two properties [5, 6]:
1.) Resistance to existential forgery: Let $O^{forge}_{\mathrm{HMAC}_k}$ be an HMAC oracle that, when provided with a message m, returns $\mathrm{HMAC}_k(m)$. An adversary A can choose N messages $m_1, \ldots, m_N$ and provide them to the oracle $O^{forge}_{\mathrm{HMAC}_k}$ to get the corresponding $\mathrm{HMAC}_k(m_i)$. Still, the advantage $\epsilon$ of A to come up with a new pair $(m, \mathrm{HMAC}_k(m))$, where $m \neq m_i$ for $1 \le i \le N$, is negligible.
2.) Indistinguishability: Let $O^{distinguish}_{\mathrm{HMAC}_k}$ be an HMAC oracle that, when provided with a message m, flips a coin $b \in \{0, 1\}$ and returns a message $m'$ such that: if $b = 0$, it returns a random number; if $b = 1$, it returns $\mathrm{HMAC}_k(m)$. Even knowing m, A cannot tell whether $m'$ is a random number or $m' = \mathrm{HMAC}_k(m)$. That is, $\mathrm{HMAC}_k$ is a pseudo-random function.
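The full protocol of Section 4.3 run end to end, as an added example that is not the authors' implementation: issuer initialization and tag preparation, the reader's homomorphic update $c^i_\phi = x_0 \cdot c^{i-1}_\phi + a_i \cdot c^{i-1}_\sigma$ followed by re-encryption of all three ciphertexts, and the manager's CHECK with $DB_{clone}$. Assumptions made for the example: secp256k1 replaces the paper's 160-bit curve (the generator P below is the curve's standard base point), HMAC-SHA256 over the ID point's coordinates reduced mod q stands in for $\mathrm{HMAC}_k$, the mapping is $\mathcal{M}(m) = m \cdot P$ as in Section 4.2, and $x_0$, the step secrets $a_i$ and the two valid paths are constructed constants ($x_0$ is simply a non-zero element here; the paper requires a generator of $\mathbb{F}_q$).

```python
import hashlib
import hmac
import secrets

# secp256k1 (published parameters). The paper uses a 160-bit curve; any prime-order group works.
# Points are affine (x, y) tuples and None is the point at infinity.
FP = 2**256 - 2**32 - 977
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # prime order of P
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(A, B):  # group law on y^2 = x^3 + 7 over F_p
    if A is None or B is None:
        return B if A is None else A
    if A[0] == B[0] and (A[1] + B[1]) % FP == 0:
        return None  # A + (-A)
    if A == B:
        lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, FP) % FP
    else:
        lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, FP) % FP
    x = (lam * lam - A[0] - B[0]) % FP
    return (x, (lam * (A[0] - x) - A[1]) % FP)


def ec_mul(k, A):  # double-and-add; scalars live in F_q, so reduce mod q first
    R, k = None, k % Q
    while k:
        if k & 1:
            R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R


def rand_scalar():
    return secrets.randbelow(Q - 1) + 1


def encrypt(Y, M):  # E(M) = (r*P, M + r*Y)
    r = rand_scalar()
    return (ec_mul(r, P), ec_add(M, ec_mul(r, Y)))


def decrypt(sk, c):  # D(c) = -sk*U + V, with -sk*U computed as (q - sk)*U
    return ec_add(c[1], ec_mul(Q - sk, c[0]))


def reencrypt(Y, c):  # fresh r' on an existing ciphertext: (r'*P + U, r'*Y + V)
    r = rand_scalar()
    return (ec_add(ec_mul(r, P), c[0]), ec_add(ec_mul(r, Y), c[1]))


def hmac_k(key, ID):  # assumption: HMAC-SHA256 over the ID point's coordinates, reduced mod q
    msg = ID[0].to_bytes(32, "big") + ID[1].to_bytes(32, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big") % Q


def phi(coeffs, x0):  # Equation (1) at x0: a_0 x0^l + sum_{i>=1} a_i x0^(l-i) in F_q
    l = len(coeffs) - 1
    return sum(a * pow(x0, l - i, Q) for i, a in enumerate(coeffs)) % Q


def issue_tag(Y, key, a0):  # s^0_T = (E(ID), E(HMAC_k(ID)*P), E(HMAC_k(ID)*a_0*P)), ID a random point
    ID = ec_mul(rand_scalar(), P)
    h = hmac_k(key, ID)
    return (encrypt(Y, ID), encrypt(Y, ec_mul(h, P)), encrypt(Y, ec_mul(h * a0, P)))


def reader_update(Y, x0, a_i, state):  # reader R_i: c_phi^i = x0*c_phi^{i-1} + a_i*c_sigma^{i-1}
    c_id, c_sigma, c_phi = state
    U = ec_add(ec_mul(x0, c_phi[0]), ec_mul(a_i, c_sigma[0]))
    V = ec_add(ec_mul(x0, c_phi[1]), ec_mul(a_i, c_sigma[1]))
    return (reencrypt(Y, c_id), reencrypt(Y, c_sigma), reencrypt(Y, (U, V)))  # fresh randomness


def manager_check(sk, key, valid_table, db_clone, state):  # CHECK; returns the path or None (reject)
    c_id, c_sigma, c_phi = state
    ID = decrypt(sk, c_id)
    if ID is None or ID in db_clone:
        return None  # cloned (or malformed) ID
    h = hmac_k(key, ID)
    if h == 0 or decrypt(sk, c_sigma) != ec_mul(h, P):
        return None  # stored HMAC does not match: not issued under k
    pi = ec_mul(pow(h, -1, Q), decrypt(sk, c_phi))  # M(phi(P)) = HMAC_k(ID)^-1 * M(phi_ID(P))
    path = valid_table.get(pi)
    if path is not None:
        db_clone.add(ID)
    return path


def simulate(taken, valid_paths, step_secret, x0):  # I, readers and M for one tag
    sk, key = rand_scalar(), secrets.token_bytes(32)
    Y = ec_mul(sk, P)
    valid_table = {ec_mul(phi([step_secret[v] for v in p], x0), P): p for p in valid_paths}
    state = issue_tag(Y, key, step_secret["v0"])
    for v in taken[1:]:
        state = reader_update(Y, x0, step_secret[v], state)
    return (sk, key, valid_table, set()), state  # (manager's secrets and tables, tag state)


# Constructed x0 and step secrets a_i (the paper draws them at random, x0 a generator of F_q^*).
X0, STEP_SECRET = 0x1F3D5B79, {"v0": 0x1111, "v1": 0x2222, "v2": 0x3333}
VALID = [("v0", "v1", "v2"), ("v0", "v1")]


def demo():
    m, state = simulate(("v0", "v1", "v2"), VALID, STEP_SECRET, X0)
    first = manager_check(*m, state)   # valid path: ("v0", "v1", "v2"), ID enters DB_clone
    second = manager_check(*m, state)  # same state presented again: None (clone detected)
    m2, bad = simulate(("v0", "v2", "v1"), VALID, STEP_SECRET, X0)
    return first, second, manager_check(*m2, bad)  # steps in the wrong order: None
```

The reader never decrypts anything: the scalar multiplications by $x_0$ and $a_i$ act on both halves of the ciphertexts, so the randomness is combined as $(x_0 r^{i-1}_\phi + a_i r^{i-1}_\sigma)$ exactly as in the derivation above, and the subsequent re-encryption makes the tag's state after the step unlinkable to its state before it. The second read of the same tag is rejected purely by $DB_{clone}$, which is the mechanism Section 5.2 relies on against plain state copying.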

As an aside, instead of HMAC one could use any MAC providing the same provable properties as HMAC. In TRACKER, we use HMAC, as it can be implemented efficiently in software [6].

5.2 Security

First, an adversary A winning the security game of Algorithm 2 implies that A writes into a tag T a valid state $s_T = (c_{ID}, c_\sigma, c_\phi)$. This implies that the pair $(c_{ID}, c_\sigma)$ is a valid pair, i.e., $c_{ID} = E(ID)$ and $c_\sigma = E(\mathrm{HMAC}_k(ID) \cdot P)$. Producing a new valid pair $(c_{ID}, c_\sigma)$ entails that A is breaking the security of HMAC, as sketched in Lemma 1.

Note. We say that A produces a new valid pair $(c_{ID} = E(ID), c_\sigma = E(\mathrm{HMAC}_k(ID) \cdot P))$ if $(c_{ID}, c_\sigma)$ is not (a re-encryption of) a pair $(c'_{ID}, c'_\sigma)$ that A read during the learning phase.

Lemma 1. Producing a new valid pair $(c_{ID}, c_\sigma)$ contradicts the indistinguishability property of HMAC.

Sketch. More precisely, we can build an adversary A' that uses A to break the indistinguishability property of $\mathrm{HMAC}_k$. When A provides A' with a new pair $(c_{ID}, c_\sigma)$, A' decrypts $c_{ID}$ and $c_\sigma$ and gets ID and a point Q, respectively. A' gives ID to $O^{distinguish}_{\mathrm{HMAC}_k}$, which returns a message m. Finally, to break the indistinguishability of $\mathrm{HMAC}_k$, A' checks whether $Q = m \cdot P$. If so, A' outputs 1, meaning that $m = \mathrm{HMAC}_k(ID)$. Otherwise, A' outputs 0, implying that m is a random number.

Theorem 1. TRACKER is secure under the security of HMAC and the computational Diffie-Hellman (CDH) assumption.

Proof. By Lemma 1, A cannot compute a new valid pair $(c_{ID}, c_\sigma)$. If A re-uses a valid pair $(c_{ID}, c_\sigma)$ read in the learning phase, then providing a valid tuple $(c_{ID}, c_\sigma, c_\phi)$ implies that A is able to solve an instance of the computational Diffie-Hellman problem, as shown below. Assume there were an adversary $A(\rho, r, \epsilon)$ that breaks the security of TRACKER by arbitrarily choosing a tag $T \in \mathcal{T}$ and then re-writing it with a valid state $(c_{ID}, c_\sigma, c_\phi)$. If this is the case, and if the output of HMAC is indistinguishable from a random number, we show that there is an adversary A' that breaks the CDH assumption with non-negligible advantage $\epsilon'$.
Note that we do not cover simple cloning here, as an adversary can always succeed in copying the state of a tag that went through a valid path. As discussed before, anti-cloning protection is provided by $DB_{clone}$.

Let $O_{CDH}$ be an oracle that, when queried, randomly selects two elements a and b in $\mathbb{F}_q$ and returns the tuple $(P, a \cdot P, b \cdot P)$. An adversary A' breaks CDH if, given $(P, a \cdot P, b \cdot P)$, he outputs $ab \cdot P$.

Overview: In a nutshell, an adversary A is able to break TRACKER if he outputs an encryption of ID, $\mathrm{HMAC}_k(ID) \cdot P$, and $\mathrm{HMAC}_k(ID) \cdot \phi(P_{valid}) \cdot P$ from an encryption of ID, $\mathrm{HMAC}_k(ID) \cdot P$, and $\phi(P_{valid}) \cdot P$. So to break CDH, A' uses A as a subroutine as follows: firstly, A' creates a TRACKER system with a valid path $P_{valid} = v_0 v_1 \ldots v_l$. He randomly generates $(l-1)$ elements $a_i \in \mathbb{F}_q$ such that $a_i$ corresponds to step $v_i$. The step $v_l$, however, will be associated with a point $R = b \cdot P - x_0 \sum_{i=0}^{l-1} a_i x_0^{\,l-1-i} \cdot P$. Therefore, $\mathcal{M}(\phi(P_{valid})) = b \cdot P$. Secondly, A' writes into a challenge tag $T_n$ a state $s_{T_n} = (c_{ID_n}, c_{\sigma_n}, c_{\phi_n})$ such that $c_{\sigma_n} = E(a \cdot P)$. If in the challenge phase of the security game A is able to write a valid state $(c'_{ID_n}, c'_{\sigma_n}, c'_{\phi_n})$ into $T_n$ which corresponds to the path $P_{valid}$, then A' will be able to break CDH by decrypting $c'_{\phi_n}$. By construction, the path mark stored on $T_n$ will correspond to $ab \cdot P$.

Details: For ease of understanding, we assume that the supply chain consists of only one valid path $P_{valid} = v_0 v_1 \ldots v_l$ such that $\mathcal{M}(\phi(P_{valid})) = b \cdot P$. A' creates a TRACKER system with one valid path $P_{valid} = v_0 v_1 \ldots v_l$: he randomly generates l elements $a_i$, $0 \le i \le l-1$, such that $a_i$ corresponds to $v_i$; the step $v_l$, however, is associated with a point $R = b \cdot P - x_0 \sum_{i=0}^{l-1} a_i x_0^{\,l-1-i} \cdot P$. Finally, A' generates a valid pair of keys (sk, pk) for Elgamal encryption and a key k for the HMAC. A' initializes $(n-1)$ tags $T_i$ in TRACKER. To create the n-th tag $T_n$, A' randomly picks $ID_n \in E$ and encrypts it into $c_{ID_n}$. Then, to compute $c_{\sigma_n}$, A' encrypts $a \cdot P$ instead of encrypting $\mathrm{HMAC}_k(ID_n) \cdot P$. Given the indistinguishability property of HMAC, A cannot tell whether A' computes the HMAC correctly or not. Finally, A' computes $c_{\phi_n} = E(a a_0 \cdot P)$.

A' calls $A(\rho, r, \epsilon)$, which enters the learning phase. A' iterates the supply chain $\rho$ times. At each iteration of the supply chain:
1. A' updates the state of the tags in the supply chain as follows: first, if a tag T is at a step $v_i \neq v_l$, the tag is updated according to the TRACKER protocol. Second, if a tag T is at step $v_l$, A' decrypts the state $s_T = (c_{ID}, c_\sigma, c_\phi)$ and gets three points $(ID', Q, Q')$. A' checks whether $(ID', Q, Q')$ corresponds to a valid state of a tag going through the sub-path $v_0 v_1 \ldots v_{l-1}$, i.e., $Q = \mathrm{HMAC}_k(ID') \cdot P$ and $Q' = \mathrm{HMAC}_k(ID') \sum_{i=0}^{l-1} a_i x_0^{\,l-1-i} \cdot P$. If this is the case, A' writes into T a state $s'_T = (c'_{ID}, c'_\sigma, c'_\phi)$ such that $c'_\phi = E(\mathrm{HMAC}_k(ID') \cdot b \cdot P)$. Otherwise, A' writes into T a state $s'_T = (c'_{ID}, c'_\sigma, c'_\phi)$ such that $c'_\phi$ is an encryption of a random number.

Note. Writing the encryption of a random number into an invalid tag T does not affect the output of the CHECK function. An invalid tag T either did not go through the valid sub-path $v_0 v_1 \ldots v_{l-1}$ or it stores an invalid HMAC. When A calls the CHECK function on T, CHECK will always output $\bot$. Moreover, a valid tag T that went through $P_{valid}$ will always store a valid path mark corresponding to $\mathrm{HMAC}_k(ID) \cdot b \cdot P$.
2. Simulating $O_{pick}$, A' provides A with r tags that A is allowed to read from and write into.
3. A gives the r tags back to A'. A' simulates $O_M$ as follows: upon reading the state $s_T = (c_{ID}, c_\sigma, c_\phi)$ of a tag T, A' decrypts $c_{ID}$ to get $ID'$. First, A' verifies whether $ID' = ID_n$. If this is the case, A' aborts and restarts the game. Otherwise, A' decrypts $c_\sigma$ and gets a point Q. Then, A' verifies whether the equation $Q = \mathrm{HMAC}_k(ID') \cdot P$ holds. If it does not hold, A' rejects the tag T. If $Q = \mathrm{HMAC}_k(ID') \cdot P$, A' decrypts $c_\phi$ and gets a point $Q'$. A' then computes $\pi = \mathrm{HMAC}_k(ID')^{-1} \cdot Q'$. If $\pi = b \cdot P$, i.e., $\pi$ is valid, A' outputs $P_{valid}$. Otherwise, A' rejects the tag T and outputs $\bot$.

After the learning phase, A' puts A into the challenge phase. A then returns a tag $T \in \mathcal{T}$ which stores the state $(c_{ID}, c_\sigma, c_\phi)$ to A'. Once A' receives $(c_{ID}, c_\sigma, c_\phi)$, he decrypts $c_{ID}$ using the Elgamal secret key sk and gets ID. He checks whether $ID = ID_n$, i.e., $T = T_n$. If this is not the case, A' restarts the game. Otherwise, A' decrypts $c_\phi$. Since A' computed the HMAC of $ID_n$ as if it were a, the decryption of $c_\phi$ results in a point $Q = a \cdot \phi(P_{valid}) \cdot P = ab \cdot P$. To solve the CDH problem, A' outputs Q.

A' succeeds in its attack if: 1.) the game does not abort, i.e., A is not provided with tag $T_n$ in the learning phase; 2.) in the challenge phase, A picks $T_n$. In the learning phase, A is provided with $r\rho$ tags. Since tags are selected randomly among n tags, the probability that A is not provided with $T_n$ in the learning phase is $(1 - \frac{1}{n})^{r\rho}$. Moreover, the probability that A picks $T_n$ in the challenge phase is $\frac{1}{n}$. Therefore, if $A(\rho, r, \epsilon)$ breaks TRACKER's security, then A' breaks CDH with advantage $\epsilon' = \frac{1}{n}\left(1 - \frac{1}{n}\right)^{r\rho} \epsilon$.
Above, we have shown that if there is an adversary A who breaks the security of TRACKER with one valid path, then there is an adversary who breaks the CDH assumption. Note, however, that the security of TRACKER with one valid path can be extended to the security of TRACKER with multiple valid paths.

Lemma 2. If there is an adversary $A(\rho, r, \epsilon)$ who breaks TRACKER's security with $\nu$ valid paths, then there is an adversary $A'(\rho, r, \epsilon')$ who breaks TRACKER's security with one valid path.

Sketch. In order to break TRACKER with one valid path $P_{valid}$, A' creates a supply chain of $\nu$ valid paths such that $P_{valid}$ is one of the valid paths. Since $A(\rho, r, \epsilon)$ breaks TRACKER with $\nu$ valid paths, he may output a tuple $(c_{ID}, c_\sigma, c_\phi)$ that corresponds to the path $P_{valid}$ with probability $\frac{1}{\nu}\epsilon$. Therefore, the advantage of A' is $\epsilon' = \frac{\epsilon}{\nu}$.

In conclusion, if there is an adversary $A(\rho, r, \epsilon)$ that breaks the security of TRACKER with $\nu$ valid paths, then there is an adversary A' who breaks CDH with advantage $\epsilon' = \frac{1}{\nu n}\left(1 - \frac{1}{n}\right)^{r\rho} \epsilon$.

5.3 Privacy Analysis

For the privacy analysis, we use the semantic security property of Elgamal under re-encryption, cf., Golle et al. [13], to prove both tag unlinkability and step unlinkability. Let $O_{re\text{-}encrypt}$ be the oracle that, provided with two ciphertexts $c_1, c_2$, randomly chooses $b \in \{1, 2\}$, re-encrypts $c_b$ using Elgamal and the public key pk, and returns the resulting ciphertext $c'_b$. As this re-encryption is based on Elgamal, the semantic security property of Elgamal encryption extends to semantic security under re-encryption. Let A be an adversary that selects two ciphertexts $c_1, c_2$ and provides oracle $O_{re\text{-}encrypt}$ with $c_1$ and $c_2$. $O_{re\text{-}encrypt}$ randomly chooses b, re-encrypts $c_b$ to $c'_b$, and returns $c'_b$ to A. The semantic security of Elgamal under re-encryption implies that guessing the value of b is as difficult for A as the decisional Diffie-Hellman (DDH) problem [13].

Theorem 2 (Tag Unlinkability). TRACKER provides tag unlinkability under the DDH assumption.

Proof. Assume there is an adversary A whose advantage $\epsilon$ to break the tag unlinkability experiment is non-negligible. We now construct a new adversary A' that executes A and breaks the semantic security of Elgamal under re-encryption, which is ensured under the DDH assumption: A' creates a supply chain for the TRACKER protocol. A' calls the adversary A. Simulating $O_{select}$, A' provides A with two pairs $(T_1, S_1)$ and $(T_2, S_2)$ such that $T_1$ and $T_2$ are selected randomly among the n tags in the supply chain, and $S_1$ (respectively $S_2$) is the set of steps that $T_1$ (respectively $T_2$) went through so far.

A' iterates the supply chain $\rho$ times. At each iteration of the supply chain:
1. A reads from and writes into $T_1$ and $T_2$.
2. Simulating $O_{step}$, A' provides A with the next step that $T_1$ (respectively $T_2$) will go through in the next supply chain iteration.
3. A' simulates $O_{select}$ and provides A with r pairs $(T_{i,j}, S_{i,j})$, $1 \le j \le r$, where $T_{i,j}$ is selected randomly, and $S_{i,j}$ is the set of steps that $T_{i,j}$ went through so far. A is allowed to read from and write into these r tags.

After the learning phase, A submits $T_1$ and $T_2$ to A', which simulates $O_{flip}$. $T_1$ contains the state $s_{T_1} = (c_{ID_1}, c_{\sigma_1}, c_{\phi_1})$, and $T_2$ contains the state $s_{T_2} = (c_{ID_2}, c_{\sigma_2}, c_{\phi_2})$. A' transmits $c_{ID_1}$ and $c_{ID_2}$ to oracle $O_{re\text{-}encrypt}$. $O_{re\text{-}encrypt}$ randomly chooses b and returns the result $c'_{ID_b}$ of re-encrypting one of the ciphertexts $c_{ID_1}, c_{ID_2}$ to A'. A' prepares the challenge tag $T_c$:
1. A' iterates the supply chain one more time.
2. A' randomly selects $b' \in \{1, 2\}$ and stores the state $s_{T_c} = (c'_{ID_b}, c'_{\sigma_{b'}}, c'_{\phi_{b'}})$ in $T_c$.

Simulating $O_{flip}$, A' provides A with the challenge tag $T_c$. A' simulates $O_{select}$ and provides A with s pairs $(T_i, S_i)$, $1 \le i \le s$, where $T_i$ is selected randomly, and $S_i$ is the set of steps that $T_i$ went through so far. A is allowed to read from and write into these s tags.

In general, given two events $E_1, E_2$, the probability that event $E_1$ occurs is always $Pr(E_1) = Pr(E_1 \mid E_2)\,Pr(E_2) + Pr(E_1 \mid \overline{E_2})\,Pr(\overline{E_2})$. Now let $E_1$ be the event that A' can break the semantic security of Elgamal under re-encryption, and $E_2$ the event that $b = b'$ holds. If $b = b'$, the state $s_{T_c} = (c'_{ID_b}, c'_{\sigma_b}, c'_{\phi_b})$ stored on $T_c$ corresponds to a well-formed tuple. Therefore, A outputs his guess for the tag corresponding to the challenge tag $T_c$ with non-negligible advantage $\epsilon$. If A outputs $T_1$, this means that $T_c$ stores a re-encryption of $c_{ID_1}$, and A' outputs 1. If A outputs $T_2$, this means that $T_c$ stores a re-encryption of $c_{ID_2}$, and A' outputs 2. If $b \neq b'$, the probability that A' breaks the semantic security of Elgamal under re-encryption is at worst that of a random guess, i.e., $\frac{1}{2}$.
Since $b'$ is selected randomly, the probability that $b = b'$ holds is $\frac{1}{2}$. Therefore,

$$\begin{aligned}
Pr(E_1) &= Pr(E_1 \cap E_2) + Pr(E_1 \cap \overline{E_2}) \\
&= Pr(E_2)\,Pr(E_1 \mid E_2) + Pr(\overline{E_2})\,Pr(E_1 \mid \overline{E_2}) \\
&= \tfrac{1}{2}\,Pr(E_1 \mid E_2) + \tfrac{1}{2}\,Pr(E_1 \mid \overline{E_2}) \\
&= \tfrac{1}{2}\left(\tfrac{1}{2} + \epsilon\right) + \tfrac{1}{2}\,Pr(E_1 \mid \overline{E_2}) \\
&\ge \tfrac{1}{2}\left(\tfrac{1}{2} + \epsilon\right) + \tfrac{1}{2} \cdot \tfrac{1}{2} = \tfrac{1}{2} + \tfrac{\epsilon}{2}
\end{aligned}$$

Consequently, the advantage of A' to break the semantic security of Elgamal under re-encryption is at least $\frac{\epsilon}{2}$. As a conclusion, if A has a non-negligible advantage $\epsilon$ to break TRACKER, A' as well has a non-negligible advantage $\frac{\epsilon}{2}$ to break the semantic security of Elgamal under re-encryption.

Theorem 3 (Step Unlinkability). TRACKER provides step unlinkability under the DDH assumption.

Proof. Assume there is an adversary A whose advantage $\epsilon$ to break the step unlinkability experiment is non-negligible. We now construct a new adversary A' that executes A and breaks the semantic security of Elgamal under re-encryption: A' creates a supply chain for the TRACKER protocol with n tags, $\eta + 1$ steps, and $\nu$ valid paths. A' calls the adversary A. Simulating $O_{choose}$, A' provides A with a tag T entering the supply chain. A' iterates the supply chain $\rho$ times. At each iteration i of the supply chain:
1. A reads from and writes into T.
2. Simulating $O_{step}$, A' provides A with the next step $v_{T,(i+1)}$ that T will go through in the next supply chain iteration.
3. A' simulates $O_{draw}$ and provides A with r pairs $(T_{i,j}, S_{i,j})$, $1 \le j \le r$, where $T_{i,j}$ is a tag that will go through $v_{T,(i+1)}$ in the next iteration, and $S_{i,j}$ is the set of steps that $T_{i,j}$ went through so far. A is allowed to read from and write into these r tags.
4. A' simulates $O_{select}$ and provides A with s pairs $(T'_{i,j}, S'_{i,j})$, $1 \le j \le s$, where $T'_{i,j}$ is a tag selected randomly, and $S'_{i,j}$ is the set of steps that $T'_{i,j}$ went through so far. A is allowed to read from and write into these s tags.
5. A provides the oracle $O_{step}$ with the tags $T'_{i,j}$. A' simulates $O_{step}$ and provides A with the next step of the tags $T'_{i,j}$.
6. When A' iterates the supply chain, A will again receive the tags $T_{i,j}$ and $T'_{i,j}$, which he can read from.

Without loss of generality, we assume that T went through the path $P = v_0 v_1 \ldots v_\rho$. Let $P' = v_0 v'_1 \ldots v'_\rho$ be a path such that P and P' have no step in common except for $v_0$. In the challenge phase, A' provides A with a challenge tag $T_c$ that just entered the supply chain. A is allowed to iterate the supply chain $\rho$ times. Before each iteration i:
1. A can read from and write into $T_c$.
2. A' simulates $O_{select}$ and provides A with s pairs $(T_{i,j}, S_{i,j})$, $1 \le j \le s$, where $T_{i,j}$ is a tag selected randomly, and $S_{i,j}$ is the set of steps that $T_{i,j}$ went through so far. A is allowed to read from and write into these s tags.
3. A provides the oracle $O_{step}$ with the tags $T_{i,j}$. A' simulates $O_{step}$ and provides A with the next step of the tags $T_{i,j}$.

To update the state of $T_c$ in the challenge phase, A' proceeds as follows. During the first iteration:
1. A' computes two states. He computes $s^1_{T_c,1} = (c^1_{ID}, c^1_\sigma, c^1_{\phi,1})$ as if $T_c$ will go through $v_1$ in the first iteration. He computes $s^1_{T_c,2} = (c^1_{ID}, c^1_\sigma, c^1_{\phi,2})$ as if $T_c$ will go through $v'_1$ in the first iteration.
2. A' then transmits $c^1_{\phi,1}$ and $c^1_{\phi,2}$ to the oracle $O_{re\text{-}encrypt}$.
3. $O_{re\text{-}encrypt}$ returns the result $c'_b$ of re-encrypting one of the two ciphertexts $c^1_{\phi,1}, c^1_{\phi,2}$ to A'.
4. A' writes the state $s^1_{T_c} = (c^1_{ID}, c^1_\sigma, c'_b)$ into $T_c$.

In the next iterations, A' updates the state of $T_c$ as if $T_c$ will go through the sub-path $v'_2 v'_3 \ldots v'_\rho$. At the end of the challenge phase, A reads the state of tag $T_c$ and outputs $b'$. Note that the path stored in $T_c$ is now either $P_{T_c} = v_0 v_1 v'_2 \ldots v'_\rho$ or $P'_{T_c} = P' = v_0 v'_1 v'_2 \ldots v'_\rho$. If A outputs $b' = 1$, this means that $T_c$ and T have a step in common that is different from $v_0$. Since $P_{T_c} \cap P = \{v_0, v_1\}$ and $P'_{T_c} \cap P = \{v_0\}$, outputting 1 implies that $T_c$ went through $P_{T_c}$ and hence through $v_1$.
Therefore, the state that $T_c$ stored at the first iteration corresponds to $v_0 v_1$, and $c'_b$ is a re-encryption of $c^1_{\phi,1}$. A' outputs 1. If A outputs $b' = 2$, this means that $T_c$ and T do not have a step in common except for $v_0$. This implies as well that $T_c$ went through $P'_{T_c} = P'$ and hence through $v'_1$. Therefore, the state that $T_c$ stored at the first iteration corresponds to $v_0 v'_1$, and $c'_b$ is a re-encryption of $c^1_{\phi,2}$. A' outputs 2. Therefore, if A has a non-negligible advantage $\epsilon$ in breaking TRACKER, A' as well has a non-negligible advantage $\epsilon$ in breaking the semantic security of Elgamal under re-encryption, leading to a contradiction.

6. Evaluation

TRACKER can be implemented using today's available RFID tags. It requires tags to only store data, i.e., the encrypted ID, the encrypted HMAC and the encrypted path mark. Consequently, the tag stores three Elgamal ciphertexts $c_{ID} = (r_{ID} \cdot P, ID + r_{ID} \cdot Y)$, $c_\sigma = (r_\sigma \cdot P, \mathcal{M}(\mathrm{HMAC}_k(ID)) + r_\sigma \cdot Y)$ and $c_\phi = (r_\phi \cdot P, \mathcal{M}(\phi_{ID}(P_{valid})) + r_\phi \cdot Y)$, which results in an overall storage of $3 \cdot 2 \cdot 160 = 960$ bits. Storing only 1 Kbit of data is feasible for today's EPC Class 1 Gen 2 UHF tags, for example Alien Technology's Higgs 3 tags [1].

Complexity for readers is also low in TRACKER. A reader $R_i$ at step $v_i$ is required to store an element $a_i \in \mathbb{F}_q$ and the Elgamal public key pk. So, the total storage per reader is less than 80 bytes. Regarding computation, $R_i$ is required to update the path mark of the tags passing by and to re-encrypt three ciphertexts: this sums up to a total of three elliptic curve Elgamal encryptions. Based on previous research [7], we conjecture this to be feasible even for lightweight embedded readers.

The manager M is the entity verifying the path that a tag T went through. Therefore, M is required to decrypt the ciphertexts stored on the tag using the secret key sk. M maintains two hash tables: the first table stores the list of valid paths in the supply chain. The second table is $DB_{clone}$, a hash table containing the IDs that M has read.
So, while the storage required for M is linear in the number of valid paths and the number of tags in the supply chain, $O(\nu + n)$, the path verification cost has constant complexity: when M reads a tag T, M is required to decrypt three elliptic curve ciphertexts to get ID, $\mathcal{M}(\mathrm{HMAC}_k(ID))$ and $\mathcal{M}(\phi_{ID}(P))$. Therewith, he computes a single HMAC and compares the output. To detect cloning, M checks whether $DB_{clone}$ contains ID. This operation is a hash look-up of cost $O(1)$. If no cloning is detected, M uses $\mathcal{M}(\phi_{ID}(P))$ and $\mathrm{HMAC}_k(ID)$ to derive $\mathcal{M}(\phi(P))$. Finally, M traces the tag's path by looking up $\mathcal{M}(\phi(P))$ in the table of valid paths. In total, M performs three elliptic curve Elgamal decryptions, one HMAC verification, and two hash look-up operations per tag verification, which is cheap. As a conclusion, the complexity of TRACKER on the manager side is $O(n + \nu)$ storage and $O(1)$ computation.

Assume the size of an ID to be 96 bit, as specified for EPC Class 1 Generation 2 tags, and each entry $\mathcal{M}(\phi(P_{valid}))$ to be 160 bit. A large sample TRACKER system supporting $n = 10^9$ different tags, $\eta = 10^3$ readers, and $\nu = 10^6$ different valid paths with a maximum length of 10 would consume only around 11 GByte of storage for manager M. We conjecture this storage to be available to the manager of such a supply chain.

7. Related Work

Although historically one of the major applications for RFID tags, secure and privacy-preserving supply chain management has not received much attention in research. Instead, research focuses more on privacy-preserving authentication protocols and their cryptographic primitives [4, 8, 16, 24, 30]; see Avoine [3] for an overview. Ouafi and Vaudenay [25] address counterfeiting of products using strong cryptography on RFID tags. To protect against malicious state updates, tags authenticate readers at every step in the supply chain. Only if readers are successfully authenticated will tags update their internal state. Ouafi and Vaudenay [25] require tags to evaluate a cryptographic hash function twice: for reader authentication and for the state update. A similar approach with tags evaluating cryptographic hash functions is proposed by Li and Ding [21]. While such setups using cryptography-enabled tags might lead to a secure and privacy-preserving solution of the counterfeiting problem, such tags will always be more expensive than the read/write-only tags used in TRACKER. Chawla et al. [10] check whether covert channels exist in a supply chain that leak information about a supply chain's internal details to an adversary.
Therefore, tags' states are frequently synchronized with a back-end database. If a tag's state contains extra data not in the database, the tag is rejected. TRACKER's focus, however, is on the secure, privacy-preserving detection of which path a tag has taken. Shuhua and Chu [28] detect malicious tampering of a tag's state in a supply chain using watermarks. However, there is neither a way to identify a tag's path, nor to protect its privacy in the supply chain. Kerschbaum and Oertel [19] detect counterfeits in the supply chain using pattern matching for anomaly detection. When a tag is read, this information is stored in a central database along with the ID of the tag. Unlike TRACKER, the focus of this paper is privacy preservation of the readers participating in the supply chain. There is no privacy for the tags in the supply chain. Regarding simple product genuineness verification, solutions exist that rely on physical properties of a tag. For example, TAGSYS produces holographic tags that are expensive to clone [29]. Verayo produces tags with Physically Unclonable Functions (PUF) [32]. While these approaches solve product genuineness verification, they support neither identification of tags' paths nor any kind of privacy property. Our construction based on polynomial path encoding might resemble other (cryptographic) constructions based on, e.g., Rabin fingerprints [26], aggregated message authentication codes [18] or any kind of aggregated signatures. However, we stress that our design focuses on 1.) preserving both the order or sequence of steps in the supply chain and the privacy of paths and tags, 2.) at the same time putting only minimal computational burden on the manager ($O(1)$ complexity with low overhead), and 3.) being provable. While alternative constructions might be envisioned, this is far from being straightforward. Finally, while Golle et al. [13] and Ateniese et al. [2] use re-encryption techniques similar to the re-encryption used in this work, both target only simple tag identification.
TRACKER, however, targets privacy-preserving identification of the different paths that tags can take in the supply chain.

8. Conclusion

In this paper, we presented TRACKER to address security and privacy challenges in RFID-based supply chain management. TRACKER's main idea is to encode valid paths in a supply chain using polynomials. Readers representing steps in the supply chain evaluate polynomials successively, such that eventually the manager of the supply chain can uniquely identify the exact path a tag has taken. TRACKER's security, privacy, and unlinkability properties against adversaries rely on the semantic security of Elgamal and the security of HMAC, and we prove these properties. Contrary to related work, TRACKER does not require any computational capability on the tag, but only 80 bytes of storage. This shows TRACKER's feasibility for today's cheap EPC Class 1 Gen 2 RFID tags.

Acknowledgment: This work has been funded by L'Agence Nationale de la Recherche (ANR), grant reference ANR-07-SESU-009, project RFID-AP.



More information

Ensuring Data Storage Security in Cloud Computing

Ensuring Data Storage Security in Cloud Computing Ensurng Data Storage Securty n Cloud Computng Cong Wang, Qan Wang, and Ku Ren Department of ECE Illnos Insttute of Technology Emal: {cwang, qwang, kren}@ece.t.edu Wenjng Lou Department of ECE Worcester

More information

APPLICATION OF PROBE DATA COLLECTED VIA INFRARED BEACONS TO TRAFFIC MANEGEMENT

APPLICATION OF PROBE DATA COLLECTED VIA INFRARED BEACONS TO TRAFFIC MANEGEMENT APPLICATION OF PROBE DATA COLLECTED VIA INFRARED BEACONS TO TRAFFIC MANEGEMENT Toshhko Oda (1), Kochro Iwaoka (2) (1), (2) Infrastructure Systems Busness Unt, Panasonc System Networks Co., Ltd. Saedo-cho

More information

Loop Parallelization

Loop Parallelization - - Loop Parallelzaton C-52 Complaton steps: nested loops operatng on arrays, sequentell executon of teraton space DECLARE B[..,..+] FOR I :=.. FOR J :=.. I B[I,J] := B[I-,J]+B[I-,J-] ED FOR ED FOR analyze

More information

A Verifiable Secret Shuffle of Homomorphic. encryptions.

A Verifiable Secret Shuffle of Homomorphic. encryptions. A Verfable Secret Shuffle of Homomorphc Encryptons Jens Groth 1 Department of Computer Scence, UCLA 3531A Boelter Hall Los Angeles, CA 90095-1596 USA jg@cs.ucla.edu Abstract. A shuffle conssts of a permutaton

More information

Project Networks With Mixed-Time Constraints

Project Networks With Mixed-Time Constraints Project Networs Wth Mxed-Tme Constrants L Caccetta and B Wattananon Western Australan Centre of Excellence n Industral Optmsaton (WACEIO) Curtn Unversty of Technology GPO Box U1987 Perth Western Australa

More information

Fault tolerance in cloud technologies presented as a service

Fault tolerance in cloud technologies presented as a service Internatonal Scentfc Conference Computer Scence 2015 Pavel Dzhunev, PhD student Fault tolerance n cloud technologes presented as a servce INTRODUCTION Improvements n technques for vrtualzaton and performance

More information

Institute of Informatics, Faculty of Business and Management, Brno University of Technology,Czech Republic

Institute of Informatics, Faculty of Business and Management, Brno University of Technology,Czech Republic Lagrange Multplers as Quanttatve Indcators n Economcs Ivan Mezník Insttute of Informatcs, Faculty of Busness and Management, Brno Unversty of TechnologCzech Republc Abstract The quanttatve role of Lagrange

More information

Managing Resource and Servent Reputation in P2P Networks

Managing Resource and Servent Reputation in P2P Networks Managng Resource and Servent Reputaton n P2P Networks Makoto Iguch NTT Informaton Sharng Platform Laboratores guch@sl.ntt.co.jp Masayuk Terada NTT DoCoMo Multmeda Laboratores te@mml.yrp.nttdocomo.co.jp

More information

FORMAL ANALYSIS FOR REAL-TIME SCHEDULING

FORMAL ANALYSIS FOR REAL-TIME SCHEDULING FORMAL ANALYSIS FOR REAL-TIME SCHEDULING Bruno Dutertre and Vctora Stavrdou, SRI Internatonal, Menlo Park, CA Introducton In modern avoncs archtectures, applcaton software ncreasngly reles on servces provded

More information

Simple Interest Loans (Section 5.1) :

Simple Interest Loans (Section 5.1) : Chapter 5 Fnance The frst part of ths revew wll explan the dfferent nterest and nvestment equatons you learned n secton 5.1 through 5.4 of your textbook and go through several examples. The second part

More information

Brigid Mullany, Ph.D University of North Carolina, Charlotte

Brigid Mullany, Ph.D University of North Carolina, Charlotte Evaluaton And Comparson Of The Dfferent Standards Used To Defne The Postonal Accuracy And Repeatablty Of Numercally Controlled Machnng Center Axes Brgd Mullany, Ph.D Unversty of North Carolna, Charlotte

More information