On Distributed Key Distribution Centers and Unconditionally Secure Proactive Verifiable Secret Sharing Schemes Based on General Access Structure


On Distributed Key Distribution Centers and Unconditionally Secure Proactive Verifiable Secret Sharing Schemes Based on General Access Structure (Corrected Version)

Ventzislav Nikov 1, Svetla Nikova 2, Bart Preneel 2, and Joos Vandewalle 2

1 Department of Mathematics and Computing Science, Eindhoven University of Technology, P.O. Box 513, 5600 MB, Eindhoven, the Netherlands
2 Department Electrical Engineering, ESAT/COSIC, Katholieke Universiteit Leuven, Kasteelpark Arenberg 10, B-3001 Heverlee-Leuven, Belgium
svetla.nikova, bart.preneel,

The author was partially supported by NATO research fellowship and Concerted Research Action GOA-MEFISTO-666 of the Flemish Government.

Changes. S. Fehr [14] pointed out that denoting the complement Γ A = c A [20, 13] as honest (or good) players structure appears to be a misleading term. Actually its dual access structure ΓA should be called the honest (or good) players structure, since for any set G of good players the complement G c is the set of corrupted players from A. This is reflected in some changes of the notations in Theorem 2 and Theorem 4 from [20] as well as in changes of the notations for good players structure in some protocols.

Abstract. A Key Distribution Center of a network is a server enabling private communications within groups of users. A Distributed Key Distribution Center is a set of servers that jointly realizes a Key Distribution Center. In this paper we build a robust Distributed Key Distribution Center Scheme secure against an active and mobile adversary. We consider a general access structure for the set of servers and for the adversary access structure. We also revise the unconditionally secure Verifiable Secret Sharing Schemes from [11, 10, 20, 23], proposing a modified version which is proactively secure.

1 Introduction

A new approach to key distribution was introduced by Naor et al. in [19]. A Distributed Key Distribution Center (DKDC) is a set of n servers of a network that jointly realize the function of a Key Distribution Center. A user who needs to participate in a conference sends a key-request to a subset of his own choosing of the n servers, and the contacted servers answer with some information enabling the user to compute the conference key. In such a model, a single server by itself does not know the secret keys, since they are shared between the n servers. In subsequent papers [3, 4, 8] the notion of the DKDC has been studied from an information theoretic point of view. Recently in [11, 10] a robust verifiable DKDC based on unconditionally secure proactive threshold VSS was proposed. In [19] Naor et al. gave some specific proposals both in the unconditional and in the computational security framework. Their computationally secure scheme is based on the Decisional Diffie-Hellman Assumption. Recently in [9] Naor's computational security model was modified and a scheme based on the ElGamal cryptosystem was proposed.

Verifiable secret sharing schemes (VSSs) are secret sharing schemes (SSSs) dealing with possible cheating by the participants. The concept of proactive security was introduced by Ostrovsky and Yung in [21] and applied to secret sharing schemes by Herzberg et al. in [16]. Basically the idea is that, if the information stored by the servers in order to share a given secret stays the same for the whole lifetime of the system, then an adversary can eventually break into a sufficient number of servers to learn and destroy the secret. On the other hand, let the time be divided into periods. At the beginning of each period the information stored by the servers changes, while the shared secret stays the same. Then the adversary probably does not have enough time to break into the necessary number of servers. Moreover, the information he learns during the period p is useless during the period p+i, for i = 1, 2,.... So, he has to start a new attack from scratch during each time period.

The first unconditionally secure proactive VSS was proposed by Stinson and Wei [23], where proactivity is added to the basic VSS described in the same paper. A generalization of the scheme has subsequently been given in [20]. Recently D'Arco and Stinson [11, 10] showed that some existing proactive schemes [20, 23] can be broken. They proposed two new variations of the schemes to add proactive security to VSS, based on two different approaches, one using symmetric polynomials and another one using non-symmetric polynomials.

In this paper we present a Robust Unconditional Proactive Verifiable DKDS, enabling a set of servers to jointly realize a Key Distribution Center. The basic building block will be an unconditionally secure proactive VSS based on a general access structure. We will use the scheme proposed by D'Arco and Stinson [11, 10], whose round complexity has been improved by applying the technique described by Gennaro et al. in [15]. We also show an attack on the unconditionally secure proactive SSS with symmetric polynomials from [10] and propose a slightly modified scheme that solves the problem (see also [11]).
2 Background

2.1 Notations

Let K be a finite field. For an arbitrary matrix M over K, with m rows labelled by 1,..., m let M A denote the matrix obtained by keeping only those rows i with i A, where A is an arbitrary nonempty subset of {1,..., m}. If {i} = A we write M i. Consider the set of row-vectors v i1,..., v ik and let A = {i 1,..., i k } be the set of indices, then we denote by v A the matrix consisting of rows v i1,..., v ik. Instead of ε, v i for i A we will write ε, v A. Let MA T denote the transpose of M A, and let Im(MA T ) denote the K-linear span of the rows of M A. We use Ker(M A ) to denote the kernel of M A, i.e. all linear combinations of the columns of M A, leading to 0. Let us define the standard inner product x, y and x y, when x, y = 0. For a K-linear subspace V of K t, V denotes the collection of elements of K t that are orthogonal to all of V (the orthogonal complement), which is again a K-linear subspace. For all subspaces V of K t we have V = (V ), (Im(MN T )) = Ker(M N ) or Im(MN T ) = (Ker(M N)), x, MN T y = M Nx, y.

A matrix whose i-th row is of the form (1, α i,..., α t 1 i ), where α 1,..., α n K, is called an (n, t)-Vandermonde matrix (over K) with t < n. It is well known that any square Vandermonde matrix has nonzero determinant. If M is an (n, t) Vandermonde matrix over K and A is a nonempty subset of {1,..., n}, then the rank of M A is maximal (i.e. is equal to t, or equivalently, Im(M T A ) = Kt ) if and only if A t. Moreover let ε denote the column vector (1, 0,..., 0) K t. If A < t, then ε / Im(M T A ), i.e. there is no λ K A such that M T A λ = ε.

2.2 General Access Structure, Monotone Span Program and LSSS

We call the groups who are allowed to reconstruct the secret qualified, and the groups who should not be able to obtain any information about it forbidden. The collection of all qualified groups is denoted by Γ, and the collection of all forbidden groups is denoted by. In fact Γ is monotone increasing and is monotone decreasing. The tuple (Γ, ) is called access structure if Γ =. If Γ = 2 P, where P is the set of participants, then we say that (Γ, ) is complete and we denote it by Γ. Otherwise we say that (Γ, ) is incomplete. By Γ we denote the collection of the minimal sets of Γ and by + the collection of the maximal sets of. It is obvious that (Γ, + ) generates (Γ, ). We will consider a general monotone access structure (Γ, ), which describes subsets of participants that are qualified to recover the secret s K in the set of possible secret values.

There exists an adversary A which can corrupt a set of servers during any time period. Corrupting a server means learning the secret information in the server, modifying its data, sending out wrong messages, and so on. Since the server can be rebooted, the adversary is a mobile one. We call the collection of all possible corrupted servers for a fixed time period bad and denote it by A. We call the collection of all possible uncorrupted servers for the same period of time good and we denote it by Γ A. So, we can consider a second complete access structure Γ A, which is called an adversary access structure [17]. The simplest example of an adversary access structure is to set a number b to be the maximum number of servers broken (corrupted) by the adversary in a fixed time frame (i.e. the threshold case) [11, 10, 23]. A new operation for the access structure, which generalizes the notion of Q 2 (Q 3 ) adversary structure introduced by Hirt and Maurer [17], is given in [20].

Definition 1. [20] For the access structure (Γ, ) the operation can be defined as follows: n = {A = A 1 A 2 ; A 1 (n 1), A 2 }, for n = 2, 3,....

Definition 2. [20] For the complete access structure Γ the operation can be defined as follows: First we set = 2 P \ Γ and (as in Definition 1) calculate n. Then we define n Γ = 2 P \ n, for n = 2, 3,...

The same operation for monotone structures is defined by Fehr and Maurer in [13], which they call element-wise union, in order to give necessary and sufficient conditions for robust VSS and Distributed Commitments.

Brickell [5] pointed out how the linear algebraic view leads to a natural extension to a wider class of secret sharing schemes that are not necessarily of the threshold type. This has later been generalized to all possible so-called monotone access structures by Karchmer and Wigderson [18] based on a linear algebraic computational device called monotone span program (MSP).

Definition 3. [18] The quadruple M = (K, M, ε, ψ) is called a monotone span program, where K is a finite field, M is a matrix (with m rows and d m columns) over K, ψ : {1,..., m} {1,..., n} is a surjective function and ε is a fixed vector, called target vector, e.g. column vector (1, 0,..., 0) K d. The size of M is the number of rows m.

Here ψ labels each row with a number from [1,..., m] corresponding to a fixed player, so we can think of each player as being the owner of one or more rows. And for every player we consider a function ϕ which gives the set of rows owned by the player. In some sense ϕ is the inverse of ψ.

Theorem 1. [2, 12, 18] MSP is said to compute an access structure (Γ, ) if the following holds: ε Im(MN T ) if and only if N is a member of Γ.

Lemma 1. [7] The vector ε / ImMN T if and only if there exists k Kd such that M N k = 0 and k 1 = 1.

A SSS is linear if the dealer and the participants use only linear operations to compute the shares and the secret. Each linear SSS (LSSS) can be viewed as derived from a monotone span program computing its access structure. On the other hand, each monotone span program gives rise to an LSSS. Hence, one can identify an LSSS with its underlying monotone span program. Note that the size of M is also the size of the corresponding LSSS. Now we will consider any access structure, as long as it admits a linear secret sharing scheme.
2.3 The Model of DKDC

From now on we will follow the settings in [10, 11]. Let U = {U 1,..., U m } be a set of m users and let S = {S 1,..., S n } be a set of n servers. Each user has a private channel connecting him or her to all the servers. Each pair of servers is connected by a private channel and all of them share a broadcast channel. Servers can be good or bad (i.e., they are controlled by an adversary and can deviate from the protocol in arbitrary ways). Let C 2 U be the family of conferences, i.e. the family of groups of users which want to communicate privately. And let F be the family of tolerated coalitions, i.e. the family of coalitions of users who can try to break the scheme in some way. We consider a general access structure (Γ, ) for the set of servers, and we also consider the adversary access structure ΓA.

A verifiable distributed key distribution scheme (VDKDS) is divided in three phases: an initialization phase, which involves only the servers; a key-request phase, in which users ask servers for keys; and a key-computation phase, in which users construct keys from the messages received from the servers who were contacted during the key-request phase.

Initialization phase: We assume that the initialization phase is performed by a joint computation of all the servers. As a primitive for this phase we use a VSS (proactive VSS), so each server S i is able to verify the information received. Moreover, each server constructs a list G of good servers present across the network at the end of this phase. (Note that the lists held by the good servers contain the same identifiers.)

Key-request: Let C C be a conference. Each user U j in C contacts a subset G of good servers belonging to ΓA, requesting a key for the conference C. We denote such key k. Each good server S i, contacted by a user U j, checks for membership of U j in C ; if U j C, then S i computes a value yi,j, using a publicly known function. Otherwise, S i sets yi,j = (a special value which does not convey any information about k ). Finally, S i sends the value yi,j to U j. Note that a bad server can either refuse to reply or it may send some incorrect value.

Key-computation phase: Having received the values from the servers, each user U j in C computes k from a certain majority of the values received.

Roughly speaking, a Verifiable DKDC must satisfy the following properties:

Correct and Verifiable Initialization Phase. When the initialization phase successfully terminates, any good server S i must be able to identify the subsets of good servers and to compute his private information.

Consistent Key Computation. Each user in a conference C U must be able to compute the same conference key, after interacting with a subset of good servers.

Conference Key Security. A conference key must be secure against attacks performed by a coalition of bad servers, a coalition of users, and a coalition of both.

Or in a more precise way:

Definition 4. [11, 10] Let U = {U 1,..., U m } be a set of users and let S = {S 1,..., S n } be a set of servers. Let C be the family of conferences and let F be the family of tolerated coalitions. A verifiable ((Γ, ), ΓA, m, n, C)-Distributed Key Distribution Scheme is a protocol which enables each user of C C to compute a common key k interacting with a set of servers of the network. More precisely, the following properties are satisfied:

After the initialization phase, each good server computes his private information and verifies its consistency with the information received and stored by other good servers. At least a set of servers successfully completes this phase and each of them constructs the same (public) list G containing the identities of the good servers.

After the initialization phase, each good server is able to answer the key-request messages. Each user in C C can compute the common key k by contacting the servers in G. At least one subset of the good servers G from (3 Γ A ) gives good answers, from which the user reconstructs the key.

Each conference key is completely secure against coalitions of users in F ; coalitions of sets of servers (/ ΓA ); and joint coalitions of users and servers.

3 A VSS

The main component of our ((Γ, ), ΓA, m, n, C)-VDKDS is a VSS. Since secret sharing was proposed initially by Shamir [24] and Blakley [1], research on this topic has been extensive. In the classic secret sharing schemes, there are assumed to be no faults in the system. Chor et al. [6] first defined the complete notion of VSS. In this section we provide a slightly modified version of the unconditionally secure VSS proposed by Stinson and Wei in [23], with improved round complexity by applying the technique described in [15], but for the general access structure. For the precise definition of the VSS one can see [11, 10, 20, 23].

3.1 Distribution (Share) Phase

Let s K be a secret.

1. The dealer D chooses a random symmetric matrix R K d,d, subject to s in its upper left corner. He sends v ϕ(k) = M ϕ(k) R (the row-vectors) to P k.
2. Then each P i generates and sends to every P k random values r ϕ(i),ϕ(k) K ϕ(i), ϕ(k) through a private channel.
3. After receiving r ϕ(i),ϕ(k), each P k broadcasts the values M ϕ(i) v T ϕ(k) +r ϕ(i),ϕ(k)+ r T ϕ(k),ϕ(i) for each i k.
4. Each P i computes the minimum subset G {P 1,..., P n }, such that any ordered pair (e, k) G G is consistent, i.e. such that M ϕ(e) v T ϕ(k) +r ϕ(e),ϕ(k)+ r T ϕ(k),ϕ(e) = (M ϕ(k)v T ϕ(e) +r ϕ(k),ϕ(e) +r T ϕ(e),ϕ(k) )T = v ϕ(e) M T ϕ(k) +rt ϕ(k),ϕ(e) + r ϕ(e),ϕ(k). If G Γ A, then P i outputs ver i = 1, otherwise P i outputs ver i = 0.

It is obvious that every good participant computes the same subset G at the end of Share. Next we consider the reconstruction phase. Note that although the adversary is static, he could provide correct information in the Share phase but wrong information in the Reconstruction phase. It means that the adversary access structure in the reconstruction phase is (2 Γ A ).

3.2 Reconstruction Phase

1. Each player P i sends ε T, v ϕ(i) to P k, where i, k G, the set of good participants after the distribution phase.
2. After receiving the information, P k computes λ, such that M T λ = ε, for ϕ( G) some group G G and G (2 Γ A ).
3. Denote by R 1 the first column in R, hence s = R 1, ε = R 1, M T λ = ϕ( G) M ϕ( G) R 1, λ = (M ϕ( G) R) 1, λ = (v ϕ( G) ) 1, λ, where (v ϕ( G) ) 1 is the column-vector of the first coordinates of each share, i.e. ε T, v ϕ( G).

Note that the joint information held by the players in G is v ϕ(g) = M ϕ(g) R. It can be shown that the security of the protocol remains the same, see [11, 10, 15, 20, 23]. The following theorem, proved in [20], gives sufficient conditions for the existence of an unconditionally secure verifiable secret sharing scheme.

Theorem 2. [20] The scheme is an unconditionally secure verifiable secret sharing scheme if the following condition is satisfied: i) (2 Γ A ) Γ.

The following result of Fehr and Maurer [13] proves that the conditions are also necessary.

Theorem 3. The very strong robustness property for VSS is fulfilled if and only if P / (2 A ) = A A.

4 Proactivity

Proactive security for secret sharing was first suggested by Ostrovsky and Yung in [21], where they presented, among other things, a proactive polynomial secret sharing scheme. The polynomial proactive secret sharing scheme proposed in [21] uses the verifiable secret sharing scheme from [22]. Proactive security refers to security and availability in the presence of a mobile adversary. Herzberg et al. [16] further specialized this notion to robust secret sharing schemes and gave a detailed efficient proactive secret sharing scheme.
Robust means that in any time period, the shareholders can reconstruct the secret value correctly. There are also many papers that discuss proactive security, see e.g. the references in [16, 21 23].

The secret value needs to be maintained for a long period of time. The lifetime is then divided into time periods which are determined by the global clock. At the beginning of each time period the servers engage in an interactive update protocol. The update protocol will not reveal the value of the secret. At the end of the period the servers hold new shares of the secret. We distinguish the following phases in each time period [16]. At the beginning we have Distribution or Recovery, during the period Renewal and at the end Reconstruct or Detection followed by Recovery for the beginning of the next period.

The first information theoretic unconditionally secure proactive VSS was proposed by Stinson and Wei in [23], where proactivity was added to the basic VSS described above. A generalization of that scheme to general access structure has subsequently been given in [20]. In [11, 10] D'Arco and Stinson found an attack that breaks the Renewal procedure given in [20, 23]. They also proposed a new variation of the scheme based on two different approaches for adding proactive security to VSS. The first technique uses a symmetric polynomial and the second relies on the use of a generic non-symmetric polynomial.

The purpose of this section is to show an attack on the unconditionally secure proactive SSS with symmetric polynomials from [10] and to propose a slightly modified scheme that resists the attack and has a better information rate (see also [11]).

First, we make the following remarks on the solutions proposed in [10]. In the non-symmetric scheme of D'Arco and Stinson, besides the share (of length t) the servers should also keep the verification share of length t. So, the information which is kept by them is doubled, hence the information rate of the new scheme is reduced twice. In the symmetric scheme the servers should keep the share (of length t) and the verification share of length n, where n > t + 3b. Thus the information which is kept by them increases more than twice, hence the information rate of the new scheme is reduced more than twice.

4.1 Attack against proactivity

Now we start with the analysis of the Renewal phase in [10], which is as follows:

Renewal phase

1. Each server P l selects a random symmetric polynomial (i.e. r i,j = r j,i ). t 2 t 2 r (l) (x, y) = r i,j x i y j. i=0 j=0
2. P l sends (l) k (x) = r(l) (x, ω k ) to P k for k = 1, 2,..., n by a private channel.
3. After receiving (l) k (x), each P k sends (l) k (ωm ) to P m for k = 1, 2,..., n.
4. P m checks whether (l) k (ωm ) = (l) m (ω k ) for k = 1, 2,..., n and k m. If P m finds that the equality is not true, then he broadcasts an accusation of P l.
5. If P l is accused by at most b servers, then he can defend himself as follows. For those P i he is accused by, P l broadcasts (l) i (x). Then, the server P k checks whether (l) k (ωi ) = (l) i (ω k ) and broadcasts yes or no. If there are at least n b 2 servers broadcasting yes, then P l is not a bad server.
6. P m updates the list of good servers G (i.e., the values l for which P l is accused by at least b + 1 servers, or found bad in the previous step are not in G). Then, P m updates its shares as m (x) m (x) + ω m m(x), where m(x) = l G (l) m (x). Moreover, P m updates a verification vector V m by computing V m [j] V m [j] + m(ω j ).

First, note that instead of the verification share V m [j] for j = 1, 2,..., n one can use a polynomial V m (x) of degree t 2, such that V m (ω j ) = V m [j]. In fact we can change in step 6. V m (x) V m (x) + m(x). In this way the size of the verification share becomes t 1.

Unfortunately the information from the share and verification share of server P i allows the attacker to calculate the initial share of P i, obtained from the Dealer during the Distribution (Share) phase. Indeed, after q executions of Renewal P i possesses and i (x) = 0 i (x) + ω i V i (x) = q p=1 q p=1,p i (x).,p i (x) Subtracting ω i V i (x) from i (x) the attacker obtains the initial share 0 i (x). The consequence is that if a passive adversary breaks into t servers once, even in different periods, he collects t initial shares and hence he can recover the secret.

4.2 Modification of the Scheme

First we will consider the threshold case. Basically, the problem in the above procedure is due to the asymmetry in the renewal polynomial. Indeed, we have r(x, y) r(x, y) + yr (x, y) where r (x, y) = l G r(l) (x, y). Note that r(0, 0) is not changed, so the secret stays the same. Also r(0, y) is changed randomly so the adversary is not able to calculate the new values. To be able to perform a pairwise check one needs symmetry, which is why the servers keep two shares: one is the actual share and the other is the verification share, which collects the asymmetry in the protocol from [10]. We propose to keep the symmetry in the renewal polynomial: r(x, y) r(x, y) + (x + y)r (x, y).
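The attack of Section 4.1 and the symmetric renewal proposed above can be replayed over a small instance. The following Python sketch is an added example, not code from the paper: it assumes the threshold case with every server honest, takes the share of server k to be the polynomial r(x, ω^k), and uses a constructed field, threshold, server count and random seed.

```python
import random

P = 2**61 - 1                 # prime field modulus (assumed for this demo)
T, N, OMEGA = 3, 5, 3         # threshold t, servers n, element omega (constructed)
PTS = [pow(OMEGA, k, P) for k in range(1, N + 1)]   # server k evaluates at omega^k
rng = random.Random(2002)     # seeded so the run is reproducible; use a CSPRNG in practice

def rand_sym(deg, const=None):
    """Symmetric coefficient matrix of r(x, y), degree <= deg in each variable."""
    m = [[0] * (deg + 1) for _ in range(deg + 1)]
    for i in range(deg + 1):
        for j in range(i, deg + 1):
            m[i][j] = m[j][i] = rng.randrange(P)
    if const is not None:
        m[0][0] = const % P   # the shared secret is r(0, 0)
    return m

def share(m, y):
    """Coefficients (in x) of r(x, y) for a fixed y."""
    return [sum(c * pow(y, j, P) for j, c in enumerate(row)) % P for row in m]

def padd(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(u + v) % P for u, v in zip(a, b)]

def pscale(a, c):
    return [(c * u) % P for u in a]

def pmul_lin(a, c):
    """(x + c) * a(x)."""
    return padd([0] + a, pscale(a, c))

def peval(a, x):
    acc = 0
    for coef in reversed(a):
        acc = (acc * x + coef) % P
    return acc

def secret_from(points):
    """Interpolate r(0, y) through (omega^k, share_k(0)) and evaluate at y = 0."""
    s = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num, den = num * (-xj) % P, den * (xi - xj) % P
        s = (s + yi * num * pow(den, -1, P)) % P
    return s

def deltas():
    """One Renewal round: every server deals a random symmetric polynomial of
    degree t-2; entry m is the sum of what server m receives."""
    polys = [rand_sym(T - 2) for _ in range(N)]
    out = []
    for y in PTS:
        d = [0] * (T - 1)
        for m in polys:
            d = padd(d, share(m, y))
        out.append(d)
    return out

def renew_original(h, v):
    """Step 6 as in [10]: share += omega^m * delta, verification share += delta."""
    d = deltas()
    return ([padd(h[m], pscale(d[m], PTS[m])) for m in range(N)],
            [padd(v[m], d[m]) for m in range(N)])

def renew_symmetric(h):
    """Modified step 6: share += (x + omega^m) * delta, no verification share."""
    d = deltas()
    return [padd(h[m], pmul_lin(d[m], PTS[m])) for m in range(N)]

def attack_on_original(secret):
    """Passive adversary reads one server per period, t periods in total."""
    h0 = [share(rand_sym(T - 1, secret), y) for y in [0]]  # placeholder, replaced below
    r0 = rand_sym(T - 1, secret)
    h0 = [share(r0, y) for y in PTS]
    h, v, stolen, stripped = h0, [[0] * (T - 1) for _ in range(N)], [], True
    for m in range(T):
        h, v = renew_original(h, v)
        initial = padd(h[m], pscale(v[m], -PTS[m]))   # share - omega^m * V
        stripped = stripped and initial == h0[m]
        stolen.append((PTS[m], peval(initial, 0)))
    return secret_from(stolen), stripped

def mixed_periods_on_symmetric(secret):
    """Same adversary against the modified renewal."""
    r0 = rand_sym(T - 1, secret)
    h, stolen = [share(r0, y) for y in PTS], []
    for m in range(T):
        h = renew_symmetric(h)
        stolen.append((PTS[m], peval(h[m], 0)))
    fresh = secret_from([(PTS[k], peval(h[k], 0)) for k in range(T)])
    pairwise = all(peval(h[a], PTS[b]) == peval(h[b], PTS[a])
                   for a in range(N) for b in range(N))
    return secret_from(stolen), fresh, pairwise

if __name__ == "__main__":
    print(attack_on_original(123456789))
    print(mixed_periods_on_symmetric(123456789))
```

With the original renewal the adversary's three reads from three different periods interpolate to the secret; with the symmetric renewal, shares of one period still reconstruct it and still pass the pairwise check, while shares mixed across periods do not.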
Hence in the Renewal phase for the threshold case we need to modify only step 6:

P m updates the list of good servers G (i.e., the values l for which P l is accused by at least b + 1 servers, or found bad in the previous step are not in G). Then, P m updates its shares as m (x) m (x) + (x + ω m ) m(x), where m(x) = l G (l) m (x).

Now we do not need the verification share any more. For general access structure the modification of the Renewal phase of the proactive SSS in [20] will be as follows:

Renewal phase

1. Each server P e G selects a random (d 1) (d 1) symmetric matrix R (e) and using it constructs two symmetric d d matrices R (e,1), R (e,2). R (e,1) is constructed by adding a zero column and zero row as last row and column and R (e,2) is constructed by adding a zero column and zero row as first row and column.
2. After that P e sends v (e,1) ϕ(k) = M ϕ(k)R (e,1) and v (e,2) ϕ(k) = M ϕ(k)R (e,2) to all P k by a private channel.
3. Each P k checks whether the last column of v (e,1) ϕ(k) is a zero-column and whether the first column of v (e,2) ϕ(k) is a zero-column too. If these conditions are not satisfied P k broadcasts an accusation to P e, otherwise P k computes v (e) ϕ(k) as the sum of the right shift of the coordinates of v (e,1) ϕ(k) coordinates of v (e,2) ϕ(k). i.e. if we denote v(e,2) and v (e,1) (v (e,1) = ((v (e,1) ) 1,..., (v (e,2) = (0, (v (e,2) ) 1,..., (v (e,1) ) d 1, 0) then v (e) ) d 1 + (v (e,1) ) d 2, (v (e,1) and the left shift of the ) 1,..., (v (e,2) ) d 1 ) = ((v (e,2) ) 1, (v (e,2) ) 2 + ) d 1 ), where ϕ(k). Finally, P k computes and sends to P j the values M ϕ(j) (v (e,1) ϕ(k) )T, M ϕ(j) (v (e,2) ϕ(k) )T and M ϕ(j) (v (e) ϕ(k) )T.
4. P j checks whether M ϕ(j) (v (e) ϕ(k) )T = v (e) ϕ(j) M ϕ(k) T, M ϕ(j)(v (e,1) ϕ(k) )T = v (e,1) ϕ(j) M ϕ(k) T and M ϕ(j) (v (e,2) ϕ(k) )T = v (e,2) ϕ(j) M ϕ(k) T for the values of e not accused by some set of servers from (2 Γ A ) (in step 3). If the set of values of k, for which the equations are not true, belongs to (2 Γ A ), then P j broadcasts an accusation of P e.
5. If P e is accused by some set of servers from (2 Γ A ) (from steps 3 and 4), then he can defend himself as follows. For those P i that P e is accused by, P e broadcasts v (e,1) ϕ(i) v (e) ϕ(i) M T ϕ(k), M ϕ(i)(v (e,1) ϕ(k) )T and v(e,2) ϕ(i). Then all servers P k check whether M ϕ(i) (v (e) = v (e,1) ϕ(i) M T ϕ(k) and M ϕ(i)(v (e,2) ϕ(k) )T ϕ(k) )T = = v (e,2) ϕ(i) M T ϕ(k) and broadcast yes or no. If the set of servers broadcasting yes is from (2 Γ A ), then P e is not a bad server.
6. P j updates the list of bad servers L by including all values e for which P e is accused by at least one set from (2 Γ A ) or found bad in the previous step. Then P j updates its shares as v ϕ(j) v ϕ(j) + e / L v(e) ϕ(j).

Because of the symmetry all other procedures are the same as in [23] for the threshold case and as in [20] for the general access structure. Note that the information rate of the new scheme is optimal and equal to the rates in [20, 23]. The following theorem, which is proved in [20], gives sufficient conditions for the existence of an unconditionally secure proactive secret sharing scheme.

Theorem 4. [20] The scheme is an unconditionally secure proactive secret sharing scheme if the following conditions are satisfied: ii) (3 Γ A ) Γ. iii) For each group N Γ the number of rows ϕ(n) for the group is equal to the number of columns of matrix M.

5 A Proactive Verifiable DKDS

Using LSSS as a primitive and based on the linearity of the system we can build a DKDS. If we use a VSS instead of LSSS we can set up a Verifiable DKDS. Finally, if as primitive we use a proactive VSS we can build a Proactive VDKDS. The only difference between LSSS and VSS appears in the Set up phase. A straightforward solution to gain proactive security could be to apply directly, at the beginning of each time period, the procedures Detection, Recovery and Renewal for each of the secrets. We assume that a Dealer D initializes the system, but as it is noted in [11, 10], it is also possible for the system to be initialized without the Dealer. The scheme proposed in this section provides l-wise independent conference keys (as in [11, 10]), i.e. the l-th conference key is uniformly distributed over the set of possible values, even if an adversary already knows l 1 conference keys. The Set up phase is as follows.

5.1 Set up Phase

1. Let l F be the maximum number of conference keys that a group F can compute. Assume that l > max{l F ; F F }. The Dealer D chooses a random secret column vector k = (k 1,..., k l ) and publishes an l l matrix N, consisting of linearly independent row vectors, i.e. rank(n) = l. The conference key for C s is then defined by k s = k T, N s.
2. Then for each coordinate of the vector k the Dealer runs l independent copies of the proactive VSS Σ z described before, where the secret that each proactive VSS Σ z distributes among the servers is k z for z = 1,..., l.
3. Each server S i stores l packets of shares v ϕ(i),kz sent by the Dealer during the executions of the Share Phase of the Σ z s, and publishes the list of good servers G ΓA he has found.
In a VSS the reconstruction of the secret is done by the participants (i.e. the servers in our settings) while in DKDS each user of a given conference contacts the servers, receives some information and computes the common key by applying a public function to the values received. Basically, the values sent by the servers must enable them to compute a single key, namely, the one the user is asking for.

5.2 Key Request and Key Computation Phase

1. User U j C s asks a subset of good servers from (2 Γ A ) for the key k s.
2. Each server S i computes temporary shares v ϕ(i),s = l (N s) z v ϕ(i),kz and sends the first column of v ϕ(i),s to U j C s i.e. (v ϕ(i),s ) 1 = v ϕ(i),s, ε T.
3. U j computes λ, such that M T ϕ( G) λ = ε, for some group G G and G (3 Γ A ). Finally, he recovers k s = λ, (v ϕ( G),s ) 1.

Correctness. The correctness of the construction can be shown as follows: According to step 1. in the Set up Phase k s = k T, N s = l (N s) z k z but from the Reconstruct Phase of VSS we have that Hence k s = λ, (v ϕ( G),kz ) 1 = λ, (M ϕ( G) R kz ) 1 = λ, M ϕ( G) (R kz ) 1 = (R kz ) 1, M T ϕ( G) λ = (Rkz ) 1, ε = k z. (N s ) z λ, M ϕ( G) (R kz ) 1 = λ, (N s ) z M ϕ( G) (R kz ) 1 = λ, M ϕ( G) (N s ) z (R kz ) 1 = M T ϕ( G) λ, (N s ) z (R kz ) 1 = ε, (N s ) z (R kz ) 1 = ε, (R s ) 1.

So, we can think of the secret conference key k s as a secret distributed with VSS using the temporary random symmetric matrix R s = l (N s) z R kz. That is why in step 2. of the Key Request phase the server S i needs to compute the temporary shares v ϕ(i),s. On the other hand we have: k s = = (N s ) z λ, M ϕ( G) (R kz ) 1 = (N s ) z λ, (v ϕ( ) G),kz 1 = λ, (N s ) z λ, (M ϕ( G) R kz ) 1 (N s ) z (v ϕ( ) G),kz 1 = λ, ( (N s ) z v ϕ( ) G),kz 1 = λ, (v ϕ( G),s ) 1.

Thus the user U j is able to restore the secret conference key in step 3. of the Key Computation Phase.

6 Conclusions

In this paper we have shown how to set up a Robust Unconditional Proactive Verifiable DKDS, enabling a set of servers to jointly realize a Key Distribution Center. We have used unconditionally secure proactive VSS based on a general access structure as a building block. Basically, we can use only the VSS based on a general access structure (as a building block) and the structure of the DKDS will stay the same. We have also revised the unconditionally secure VSSs from [10, 20, 23], proposing a modified version which is proactively secure. Since proactivity, considered as a security property, can be useful in several settings in which the adversary is mobile, the applicability of such schemes is of interest independent of the specific application to key distribution that has been addressed in this paper.

It is clear that using the linear unconditional Proactive Verifiable DKDC as a base and the homomorphic properties of the Diffie-Hellman or ElGamal cryptosystem one can build a computationally secure Proactive Verifiable DKDC. Using the ideas in [9] they can be made more efficient.

7 Acknowledgements

The authors would like to thank Paolo D'Arco and Doug Stinson for the fruitful discussions and comments.

References

1. G. R. Blakley, Safeguarding cryptographic keys, AFIPS Conference Proc. 48, 1979, pp
2. G. R. Blakley, G. A. Kabatianskii, Linear Algebra Approach to Secret Sharing Schemes, Springer Verlag LNCS 829, 1994, pp
3. C. Blundo, P. D'Arco, V. Daza, C. Padro, Bounds and Constructions for Unconditionally Secure Distributed Key Distribution Schemes for General Access Structures, Proc. of the Information Security Conference (ISC 2001), LNCS 2200, 2001, pp
4. C. Blundo, P. D'Arco, C. Padro, A ramp model for distributed key distribution schemes, WCC 2001, pp
5. E. F. Brickell, Some ideal secret sharing schemes, J. of Comb. Math. and Comb. Computing 9, 1989, pp
6. B. Chor, S. Goldwasser, S. Micali, B. Awerbuch, Verifiable secret sharing and achieving simultaneity in the presence of faults, Proc. of the IEEE 26th Annual Symp. on Foundations of Computer Science 1985, pp
7. R. Cramer, Introduction to Secure Computation. In Lectures on Data Security - Modern Cryptology in Theory and Practice, LNCS 1561, 1999, pp
8. P. D'Arco, On the Distribution of a Key Distribution Center, Proc. of ICTCS 2001, LNCS 2202, 2001, pp
9. V. Daza, J. Herranz, C. Padro, G. Saez, A distributed and computationally secure key distribution scheme, Cryptology ePrint Archive, Report 2002/069,
10. P. D'Arco, D. Stinson, On Unconditionally Secure Proactive Secret Sharing Scheme and Distributed Key Distribution Centers, unpublished manuscript, May
11. P. D'Arco, D. Stinson, On Unconditionally Secure Robust Distributed Key Distribution Centers, to appear in ASIACRYPT
12. M. van Dijk, A Linear Construction of Secret Sharing Schemes, DCC 12, 1997, pp
13. S. Fehr, U. Maurer, Linear VSS and Distributed Commitments Based on Secret Sharing and Pairwise Checks, Proc. CRYPTO 2002, Springer Verlag LNCS 2442, pp
14. S. Fehr, V. Nikov, S. Nikova, private communication.
15. R. Gennaro, Y. Ishai, E. Kushilevitz, T. Rabin, The round complexity of Verifiable Secret Sharing and Secure Multicasting, Proc. STOC
16. A. Herzberg, S. Jarecki, H. Krawczyk, M. Yung, Proactive secret sharing or: How to cope with perpetual leakage, Proc. CRYPTO 1995, Springer Verlag LNCS 963, pp
17. M. Hirt, U. Maurer, Player Simulation and General Adversary Structures in Perfect Multiparty Computation, J. of Cryptology 13, 2000, pp
18. M. Karchmer, A. Wigderson, On Span Programs, Proc. of 8th Annual Structure in Complexity Theory Conference, San Diego, California, May IEEE Computer Society Press, pp
19. M. Naor, B. Pinkas and O. Reingold, Distributed Pseudo-random Functions and KDCs, EuroCrypt 99, LNCS 1592, 1999, pp
20. V. Nikov, S. Nikova, B. Preneel, J. Vandewalle, Applying General Access Structure to Proactive Secret Sharing Schemes, Proc. of the 23rd Symposium on Information Theory in the Benelux, May 29-31, 2002, Université Catholique de Louvain (UCL), Louvain-la-Neuve, Belgium, pp , Cryptology ePrint Archive: Report 2002/
21. R. Ostrovsky, M. Yung, How to withstand mobile virus attack, ACM Symposium on principles of distributed computing, 1991, pp
22. T. Rabin, M. Ben-Or, Verifiable secret sharing and multiparty protocols with honest majority, Proc. of the 21st Annual ACM Symp. on Theory of Computing 1989, pp
23. D.R. Stinson, R. Wei, Unconditionally Secure Proactive Secret Sharing Scheme with combinatorial Structures, SAC 99, Springer Verlag LNCS 1758, pp
24. A. Shamir, How to share a secret, Communications of the ACM 22, 1979, pp