On Distributed Key Distribution Centers and Unconditionally Secure Proactive Verifiable Secret Sharing Schemes Based on General Access Structure


On Distributed Key Distribution Centers and Unconditionally Secure Proactive Verifiable Secret Sharing Schemes Based on General Access Structure (Corrected Version)

Ventzislav Nikov (1), Svetla Nikova (2), Bart Preneel (2), and Joos Vandewalle (2)

(1) Department of Mathematics and Computing Science, Eindhoven University of Technology, P.O. Box 513, 5600 MB Eindhoven, the Netherlands
(2) Department Electrical Engineering, ESAT/COSIC, Katholieke Universiteit Leuven, Kasteelpark Arenberg 10, B-3001 Heverlee-Leuven, Belgium
svetla.nikova, bart.preneel,

The author was partially supported by a NATO research fellowship and by the Concerted Research Action GOA-MEFISTO-666 of the Flemish Government.

Changes. S. Fehr [14] pointed out that denoting the complement $\Gamma_A = \Delta_A^c$ [20, 13] as the honest (or good) players structure appears to be a misleading term. Actually its dual access structure $\Gamma_A^\perp$ should be called the honest (or good) players structure, since for any set $G$ of good players the complement $G^c$ is the set of corrupted players from $\Delta_A$. This is reflected in some changes of the notation in Theorem 2 and Theorem 4 from [20], as well as in changes of the notation for the good players structure in some protocols.

Abstract. A Key Distribution Center of a network is a server enabling private communications within groups of users. A Distributed Key Distribution Center is a set of servers that jointly realizes a Key Distribution Center. In this paper we build a robust Distributed Key Distribution Center Scheme secure against an active and mobile adversary. We consider a general access structure for the set of servers and for the adversary access structure. We also revise the unconditionally secure Verifiable Secret Sharing Schemes from [11, 10, 20, 23], proposing a modified version which is proactively secure.

1 Introduction

A new approach to key distribution was introduced by Naor et al. in [19]. A Distributed Key Distribution Center (DKDC) is a set of $n$ servers of a network

that jointly realize the function of a Key Distribution Center. A user who needs to participate in a conference sends a key-request to a subset of his own choosing of the $n$ servers, and the contacted servers answer with some information enabling the user to compute the conference key. In such a model, a single server by itself does not know the secret keys, since they are shared between the $n$ servers. In subsequent papers [3, 4, 8] the notion of the DKDC has been studied from an information theoretic point of view. Recently in [11, 10] a robust verifiable DKDC based on unconditionally secure proactive threshold VSS was proposed. In [19] Naor et al. gave some specific proposals both in the unconditional and in the computational security framework. Their computationally secure scheme is based on the Decisional Diffie-Hellman Assumption. Recently in [9] Naor's computational security model was modified and a scheme based on the ElGamal cryptosystem was proposed.

Verifiable secret sharing schemes (VSSs) are secret sharing schemes (SSSs) dealing with possible cheating by the participants. The concept of proactive security was introduced by Ostrovsky and Yung in [21] and applied to secret sharing schemes by Herzberg et al. in [16]. Basically the idea is that, if the information stored by the servers in order to share a given secret stays the same for the whole lifetime of the system, then an adversary can eventually break into a sufficient number of servers to learn and destroy the secret. On the other hand, let the time be divided into periods. At the beginning of each period the information stored by the servers changes, while the shared secret stays the same. Then the adversary probably does not have enough time to break into the necessary number of servers. Moreover, the information he learns during period $p$ is useless during period $p+i$, for $i = 1, 2, \dots$. So he has to start a new attack from scratch during each time period.

The first unconditionally secure proactive VSS was proposed by Stinson and Wei [23], where proactivity is added to the basic VSS described in the same paper. A generalization of the scheme has subsequently been given in [20]. Recently D'Arco and Stinson [11, 10] showed that some existing proactive schemes [20, 23] can be broken. They proposed two new variations of the schemes to add proactive security to VSS, based on two different approaches, one using symmetric polynomials and another one using non-symmetric polynomials. In this paper we present a Robust Unconditional Proactive Verifiable DKDS, enabling a set of servers to jointly realize a Key Distribution Center. The basic building block will be an unconditionally secure proactive VSS based on a general access structure. We will use the scheme proposed by D'Arco and Stinson [11, 10], whose round complexity has been improved by applying the technique described by Gennaro et al. in [15]. We also show an attack on the unconditionally secure proactive SSS with symmetric polynomials from [10] and propose a slightly modified scheme that solves the problem (see also [11]).

2 Background

2.1 Notations

Let $K$ be a finite field. For an arbitrary matrix $M$ over $K$, with $m$ rows labelled by $1, \dots, m$, let $M_A$ denote the matrix obtained by keeping only those rows $i$ with $i \in A$, where $A$ is an arbitrary non-empty subset of $\{1, \dots, m\}$. If $\{i\} = A$ we write $M_i$. Consider the set of row-vectors $v_{i_1}, \dots, v_{i_k}$ and let $A = \{i_1, \dots, i_k\}$ be the set of indices; then we denote by $v_A$ the matrix consisting of the rows $v_{i_1}, \dots, v_{i_k}$. Instead of $\langle \varepsilon, v_i \rangle$ for $i \in A$ we will write $\langle \varepsilon, v_A \rangle$. Let $M_A^T$ denote the transpose of $M_A$, and let $\mathrm{Im}(M_A^T)$ denote the $K$-linear span of the rows of $M_A$. We use $\mathrm{Ker}(M_A)$ to denote the kernel of $M_A$, i.e. all linear combinations of the columns of $M_A$ leading to $0$. Let us define the standard inner product $\langle x, y \rangle$, and write $x \perp y$ when $\langle x, y \rangle = 0$. For a $K$-linear subspace $V$ of $K^t$, $V^\perp$ denotes the collection of elements of $K^t$ that are orthogonal to all of $V$ (the orthogonal complement), which is again a $K$-linear subspace. For all subspaces $V$ of $K^t$ we have $V = (V^\perp)^\perp$, $(\mathrm{Im}(M_N^T))^\perp = \mathrm{Ker}(M_N)$ or equivalently $\mathrm{Im}(M_N^T) = (\mathrm{Ker}(M_N))^\perp$, and $\langle x, M_N^T y \rangle = \langle M_N x, y \rangle$.

A matrix whose $i$-th row is of the form $(1, \alpha_i, \dots, \alpha_i^{t-1})$, where $\alpha_1, \dots, \alpha_n \in K$, is called an $(n, t)$-Vandermonde matrix (over $K$) with $t < n$. It is well known that any square Vandermonde matrix has non-zero determinant. If $M$ is an $(n, t)$-Vandermonde matrix over $K$ and $A$ is a non-empty subset of $\{1, \dots, n\}$, then the rank of $M_A$ is maximal (i.e. equal to $t$, or equivalently $\mathrm{Im}(M_A^T) = K^t$) if and only if $|A| \ge t$. Moreover, let $\varepsilon$ denote the column vector $(1, 0, \dots, 0) \in K^t$. If $|A| < t$, then $\varepsilon \notin \mathrm{Im}(M_A^T)$, i.e. there is no $\lambda \in K^{|A|}$ such that $M_A^T \lambda = \varepsilon$.

2.2 General Access Structure, Monotone Span Program and LSSS

We call the groups who are allowed to reconstruct the secret qualified, and the groups who should not be able to obtain any information about it forbidden. The collection of all qualified groups is denoted by $\Gamma$, and the collection of all forbidden groups is denoted by $\Delta$. In fact $\Gamma$ is monotone increasing and $\Delta$ is monotone decreasing. The tuple $(\Gamma, \Delta)$ is called an access structure if $\Gamma \cap \Delta = \emptyset$. If $\Gamma \cup \Delta = 2^P$, where $P$ is the set of participants, then we say that $(\Gamma, \Delta)$ is complete and we denote it by $\Gamma$. Otherwise we say that $(\Gamma, \Delta)$ is incomplete. By $\Gamma^-$ we denote the collection of the minimal sets of $\Gamma$ and by $\Delta^+$ the collection of the maximal sets of $\Delta$. It is obvious that $(\Gamma^-, \Delta^+)$ generates $(\Gamma, \Delta)$. We will consider a general monotone access structure $(\Gamma, \Delta)$, which describes the subsets of participants that are qualified to recover the secret $s \in K$ in the set of possible secret values.

There exists an adversary $A$ which can corrupt a set of servers during any time period. Corrupting a server means learning the secret information in the server, modifying its data, sending out wrong messages, and so on. Since the server can be rebooted, the adversary is a mobile one. The collection of all possible corrupted servers for a fixed time period we call bad and denote by $\Delta_A$. The collection of all possible uncorrupted servers for the same period of time we call good and

we denote it by $\Gamma_A$. So, we can consider a second complete access structure $\Gamma_A$, which is called an adversary access structure [17]. The simplest example of an adversary access structure is to set a number $b$ to be the maximum number of servers broken (corrupted) by the adversary within a fixed time frame (i.e. the threshold case) [11, 10, 23]. A new operation for access structures, which generalizes the notion of $Q^2$ ($Q^3$) adversary structures introduced by Hirt and Maurer [17], is given in [20].

Definition 1. [20] For the access structure $(\Gamma, \Delta)$ the operation $\uplus$ can be defined as follows: $\uplus_n \Delta = \{A = A_1 \cup A_2 ;\ A_1 \in \uplus_{n-1} \Delta,\ A_2 \in \Delta\}$, for $n = 2, 3, \dots$.

Definition 2. [20] For the complete access structure $\Gamma$ the operation $\uplus$ can be defined as follows: first we set $\Delta = 2^P \setminus \Gamma$ and (as in Definition 1) calculate $\uplus_n \Delta$. Then we define $\uplus_n \Gamma = 2^P \setminus \uplus_n \Delta$, for $n = 2, 3, \dots$.

The same operation for monotone structures is defined by Fehr and Maurer in [13], who call it element-wise union, in order to give necessary and sufficient conditions for robust VSS and Distributed Commitments. Brickell [5] pointed out how the linear algebraic view leads to a natural extension to a wider class of secret sharing schemes that are not necessarily of the threshold type. This has later been generalized to all possible so-called monotone access structures by Karchmer and Wigderson [18], based on a linear algebraic computational device called a monotone span program (MSP).

Definition 3. [18] The quadruple $\mathcal{M} = (K, M, \varepsilon, \psi)$ is called a monotone span program, where $K$ is a finite field, $M$ is a matrix (with $m$ rows and $d \le m$ columns) over $K$, $\psi : \{1, \dots, m\} \to \{1, \dots, n\}$ is a surjective function and $\varepsilon$ is a fixed vector, called the target vector, e.g. the column vector $(1, 0, \dots, 0) \in K^d$. The size of $\mathcal{M}$ is the number of rows $m$.

Here $\psi$ labels each row with a number from $[1, \dots, m]$ corresponding to a fixed player, so we can think of each player as being the owner of one or more rows. And for every player we consider a function $\phi$ which gives the set of rows owned by the player. In some sense $\phi$ is the inverse of $\psi$.

Theorem 1. [2, 12, 18] An MSP $\mathcal{M}$ is said to compute an access structure $(\Gamma, \Delta)$ if the following holds: $\varepsilon \in \mathrm{Im}(M_N^T)$ if and only if $N$ is a member of $\Gamma$.

Lemma 1. [7] The vector $\varepsilon \notin \mathrm{Im}(M_N^T)$ if and only if there exists $k \in K^d$ such that $M_N k = 0$ and $k_1 = 1$.

A SSS is linear if the dealer and the participants use only linear operations to compute the shares and the secret. Each linear SSS (LSSS) can be viewed as derived from a monotone span program computing its access structure. On the other hand, each monotone span program gives rise to an LSSS. Hence, one can identify an LSSS with its underlying monotone span program. Note that the size of $\mathcal{M}$ is also the size of the corresponding LSSS. Now we will consider any access structure, as long as it admits a linear secret sharing scheme.

2.3 The Model of DKDC

From now on we will follow the settings in [10, 11]. Let $U = \{U_1, \dots, U_m\}$ be a set of $m$ users and let $S = \{S_1, \dots, S_n\}$ be a set of $n$ servers. Each user has a private channel connecting him or her to all the servers. Each pair of servers is connected by a private channel and all of them share a broadcast channel. Servers can be good or bad (i.e., they are controlled by an adversary and can deviate from the protocol in arbitrary ways). Let $\mathcal{C} \subseteq 2^U$ be the family of conferences, i.e. the family of groups of users which want to communicate privately. And let $\mathcal{F}$ be the family of tolerated coalitions, i.e. the family of coalitions of users who can try to break the scheme in some way. We consider a general access structure $(\Gamma, \Delta)$ for the set of servers; we also consider the adversary access structure $\Gamma_A^\perp$. A verifiable distributed key distribution scheme (VDKDS) is divided in three phases: an initialization phase, which involves only the servers; a key-request phase, in which users ask servers for keys; and a key-computation phase, in which users construct keys from the messages received from the servers who were contacted during the key-request phase.

Initialization phase: We assume that the initialization phase is performed by a joint computation of all the servers. As a primitive for this phase we use a VSS (proactive VSS), so each server $S_i$ is able to verify the information received. Moreover, each server constructs a list $G$ of the good servers present across the network at the end of this phase. (Note that the lists held by the good servers contain the same identifiers.)

Key-request: Let $C \in \mathcal{C}$ be a conference. Each user $U_j$ in $C$ contacts a subset $G$ of good servers belonging to $\Gamma_A^\perp$, requesting a key for the conference $C$. We denote such a key by $k$. Each good server $S_i$, contacted by a user $U_j$, checks for membership of $U_j$ in $C$; if $U_j \in C$, then $S_i$ computes a value $y_{i,j}$, using a publicly known function. Otherwise, $S_i$ sets $y_{i,j}$ to a special value which conveys no information about $k$. Finally, $S_i$ sends the value $y_{i,j}$ to $U_j$. Note that a bad server can either refuse to reply or it may send some incorrect value.

Key-computation phase: Having received the values from the servers, each user $U_j$ in $C$ computes $k$ from a certain majority of the values received.

Roughly speaking, a Verifiable DKDC must satisfy the following properties:

Correct and Verifiable Initialization Phase. When the initialization phase successfully terminates, any good server $S_i$ must be able to identify the subsets of good servers and to compute his private information.

Consistent Key Computation. Each user in a conference $C \subseteq U$ must be able to compute the same conference key, after interacting with a subset of good servers.

Conference Key Security. A conference key must be secure against attacks performed by a coalition of bad servers, a coalition of users, and a coalition of both. Or, in a more precise way:

Definition 4. [11, 10] Let $U = \{U_1, \dots, U_m\}$ be a set of users and let $S = \{S_1, \dots, S_n\}$ be a set of servers. Let $\mathcal{C}$ be the family of conferences and let $\mathcal{F}$ be

the family of tolerated coalitions. A verifiable $((\Gamma, \Delta), \Gamma_A^\perp, m, n, \mathcal{C})$-Distributed Key Distribution Scheme is a protocol which enables each user of $C \in \mathcal{C}$ to compute a common key $k$ by interacting with a set of servers of the network. More precisely, the following properties are satisfied:

- After the initialization phase, each good server computes his private information and verifies its consistency with the information received and stored by the other good servers. At least a set of servers successfully completes this phase and each of them constructs the same (public) list $G$ containing the identities of the good servers.
- After the initialization phase, each good server is able to answer the key-request messages.
- Each user in $C \in \mathcal{C}$ can compute the common key $k$ by contacting the servers in $G$. At least one subset $\tilde{G}$ of the good servers from $\uplus_3 \Gamma_A$ gives good answers, from which the user reconstructs the key.
- Each conference key is completely secure against coalitions of users in $\mathcal{F}$; coalitions of sets of servers (not in $\Gamma_A^\perp$); and joint coalitions of users and servers.

3 A VSS

The main component of our $((\Gamma, \Delta), \Gamma_A^\perp, m, n, \mathcal{C})$-VDKDS is a VSS. Since secret sharing was proposed initially by Shamir [24] and Blakley [1], research on this topic has been extensive. In the classic secret sharing schemes there are assumed to be no faults in the system. Chor et al. [6] first defined the complete notion of VSS. In this section we provide a slightly modified version of the unconditionally secure VSS proposed by Stinson and Wei in [23], with improved round complexity obtained by applying the technique described in [15], but for a general access structure. For the precise definition of VSS one can see [11, 10, 20, 23].

3.1 Distribution (Share) Phase

Let $s \in K$ be a secret.

1. The dealer $D$ chooses a random symmetric matrix $R \in K^{d,d}$, subject to $s$ being in its upper left corner. He sends $v_{\phi(k)} = M_{\phi(k)} R$ (the row-vectors) to $P_k$.
2. Then each $P_i$ generates and sends to every $P_k$ random values $r_{\phi(i),\phi(k)} \in K^{|\phi(i)|, |\phi(k)|}$ through a private channel.
3. After receiving $r_{\phi(i),\phi(k)}$, each $P_k$ broadcasts the values $M_{\phi(i)} v_{\phi(k)}^T + r_{\phi(i),\phi(k)} + r_{\phi(k),\phi(i)}^T$ for each $i \ne k$.
4. Each $P_i$ computes the minimum subset $G \subseteq \{P_1, \dots, P_n\}$ such that any ordered pair $(e, k) \in G \times G$ is consistent, i.e. such that
$$M_{\phi(e)} v_{\phi(k)}^T + r_{\phi(e),\phi(k)} + r_{\phi(k),\phi(e)}^T = \left(M_{\phi(k)} v_{\phi(e)}^T + r_{\phi(k),\phi(e)} + r_{\phi(e),\phi(k)}^T\right)^T = v_{\phi(e)} M_{\phi(k)}^T + r_{\phi(k),\phi(e)}^T + r_{\phi(e),\phi(k)}.$$
If $G \in \Gamma_A$, then $P_i$ outputs $ver_i = 1$, otherwise $P_i$ outputs $ver_i = 0$.

It is obvious that every good participant computes the same subset $G$ at the end of Share. Next we consider the reconstruction phase. Note that although the adversary is static, he could provide correct information in the Share phase but wrong information in the Reconstruction phase. It means that the adversary access structure in the reconstruction phase is $\uplus_2 \Gamma_A$.

3.2 Reconstruction Phase

1. Each player $P_i$ sends $\langle \varepsilon^T, v_{\phi(i)} \rangle$ to $P_k$, where $i, k \in G$, the set of good participants after the distribution phase.
2. After receiving the information, $P_k$ computes $\lambda$ such that $M_{\phi(\tilde{G})}^T \lambda = \varepsilon$, for some group $\tilde{G} \subseteq G$ with $\tilde{G} \in \uplus_2 \Gamma_A$.
3. Denote by $R_1$ the first column of $R$; hence
$$s = \langle R_1, \varepsilon \rangle = \langle R_1, M_{\phi(\tilde{G})}^T \lambda \rangle = \langle M_{\phi(\tilde{G})} R_1, \lambda \rangle = \langle (M_{\phi(\tilde{G})} R)_1, \lambda \rangle = \langle (v_{\phi(\tilde{G})})_1, \lambda \rangle,$$
where $(v_{\phi(\tilde{G})})_1$ is the column vector of the first coordinates of each share, i.e. $\langle \varepsilon^T, v_{\phi(\tilde{G})} \rangle$.

Note that the joint information held by the players in $G$ is $v_{\phi(G)} = M_{\phi(G)} R$. It can be shown that the security of the protocol remains the same, see [11, 10, 15, 20, 23]. The following theorem, proved in [20], gives sufficient conditions for the existence of an unconditionally secure verifiable secret sharing scheme.

Theorem 2. [20] The scheme is an unconditionally secure verifiable secret sharing scheme if the following condition is satisfied: i) $\uplus_2 \Gamma_A \subseteq \Gamma$.

The following result of Fehr and Maurer [13] proves that the conditions are also necessary.

Theorem 3. The very strong robustness property for VSS is fulfilled if and only if $P \notin \uplus_2 \Delta_A = \Delta_A \uplus \Delta_A$.

4 Proactivity

Proactive security for secret sharing was first suggested by Ostrovsky and Yung in [21], where they presented, among other things, a proactive polynomial secret sharing scheme. The polynomial proactive secret sharing scheme proposed in [21] uses the verifiable secret sharing scheme from [22]. Proactive security refers to security and availability in the presence of a mobile adversary. Herzberg et al. [16] further specialized this notion to robust secret sharing schemes and gave a detailed efficient proactive secret sharing scheme. Robust means that in any time period the shareholders can reconstruct the secret value correctly. There are also many papers that discuss proactive security, see e.g. the references in [16, 21-23]. The secret value needs to be maintained for a long period of time. Then the lifetime is divided into time periods which are determined by the global clock.

At the beginning of each time period the servers engage in an interactive update protocol. The update protocol will not reveal the value of the secret. At the end of the period the servers hold new shares of the secret. We distinguish the following phases in each time period [16]. At the beginning we have Distribution or Recovery, during the period Renewal, and at the end Reconstruct or Detection followed by Recovery for the beginning of the next period. The first information theoretic unconditionally secure proactive VSS was proposed by Stinson and Wei in [23], where proactivity was added to the basic VSS described above. A generalization of that scheme to general access structures has subsequently been given in [20]. In [11, 10] D'Arco and Stinson found an attack to break the Renewal procedure given in [20, 23]. They also proposed a new variation of the scheme based on two different approaches for adding proactive security to VSS. The first technique uses symmetric polynomials and the second relies on the use of generic non-symmetric polynomials. The purpose of this section is to show an attack on the unconditionally secure proactive SSS with symmetric polynomials from [10] and to propose a slightly modified scheme that resists the attack and has a better information rate (see also [11]).

First, we make the following remarks on the solutions proposed in [10]. In the non-symmetric scheme of D'Arco and Stinson, besides the share (of length $t$) the servers should also keep a verification share of length $t$. So, the information kept by them is doubled, hence the information rate of the new scheme is reduced twice. In the symmetric scheme the servers should keep the share (of length $t$) and a verification share of length $n$, where $n > t + 3b$. Thus the information kept by them increases more than twice, hence the information rate of the new scheme is reduced more than twice.

4.1 Attack against proactivity

Now we start with the analysis of the Renewal phase in [10], which is as follows:

Renewal phase

1. Each server $P_l$ selects a random symmetric polynomial (i.e. $r_{i,j} = r_{j,i}$)
$$r^{(l)}(x, y) = \sum_{i=0}^{t-2} \sum_{j=0}^{t-2} r_{i,j}\, x^i y^j.$$
2. $P_l$ sends $h_k^{(l)}(x) = r^{(l)}(x, \omega_k)$ to $P_k$ for $k = 1, 2, \dots, n$ by a private channel.
3. After receiving $h_k^{(l)}(x)$, each $P_k$ sends $h_k^{(l)}(\omega_m)$ to $P_m$ for $k = 1, 2, \dots, n$.
4. $P_m$ checks whether $h_k^{(l)}(\omega_m) = h_m^{(l)}(\omega_k)$ for $k = 1, 2, \dots, n$ and $k \ne m$. If $P_m$ finds that the equality does not hold, then he broadcasts an accusation of $P_l$.
5. If $P_l$ is accused by at most $b$ servers, then he can defend himself as follows. For those $P_i$ he is accused by, $P_l$ broadcasts $h_i^{(l)}(x)$. Then the server $P_k$ checks whether $h_k^{(l)}(\omega_i) = h_i^{(l)}(\omega_k)$ and broadcasts yes or no. If there are at least $n - b - 2$ servers broadcasting yes, then $P_l$ is not a bad server.

6. $P_m$ updates the list of good servers $G$ (i.e., the values $l$ for which $P_l$ is accused by at least $b + 1$ servers, or found bad in the previous step, are not in $G$). Then $P_m$ updates its share as $h_m(x) \leftarrow h_m(x) + \omega_m h'_m(x)$, where $h'_m(x) = \sum_{l \in G} h_m^{(l)}(x)$. Moreover, $P_m$ updates a verification vector $V_m$ by computing $V_m[j] \leftarrow V_m[j] + h'_m(\omega_j)$.

First, note that instead of the verification share $V_m[j]$ for $j = 1, 2, \dots, n$ one can use a polynomial $V_m(x)$ of degree $t - 2$, such that $V_m(\omega_j) = V_m[j]$. In fact we can change step 6 to $V_m(x) \leftarrow V_m(x) + h'_m(x)$. In this way the size of the verification share becomes $t - 1$. Unfortunately, the information from the share and the verification share of server $P_i$ allows the attacker to calculate the initial share of $P_i$, obtained from the Dealer during the Distribution (Share) phase. Indeed, after $q$ executions of Renewal $P_i$ possesses
$$h_i(x) = h_i^0(x) + \omega_i \sum_{p=1}^{q} h_i^{\prime,p}(x) \quad \text{and} \quad V_i(x) = \sum_{p=1}^{q} h_i^{\prime,p}(x).$$
Subtracting $\omega_i V_i(x)$ from $h_i(x)$ the attacker obtains the initial share $h_i^0(x)$. The consequence is that if a passive adversary breaks into $t$ servers once, even in different periods, he collects $t$ initial shares and hence he can recover the secret.

4.2 Modification of the Scheme

First we will consider the threshold case. Basically, the problem in the above procedure is due to the asymmetry in the renewal polynomial. Indeed, we have $r(x, y) \leftarrow r(x, y) + y\, r'(x, y)$ where $r'(x, y) = \sum_{l \in G} r^{(l)}(x, y)$. Note that $r(0, 0)$ is not changed, so the secret stays the same. Also $r(0, y)$ is changed randomly, so the adversary is not able to calculate the new values. To be able to perform a pair-wise check one needs symmetry; that is why the servers keep two shares: one is the actual share and the other is the verification share, which collects the asymmetry in the protocol from [10]. We propose to keep the symmetry in the renewal polynomial: $r(x, y) \leftarrow r(x, y) + (x + y)\, r'(x, y)$.
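The following Python script is an added example and not code from the paper or from [10]. It runs the threshold Renewal of Section 4.1 for several periods and carries out the subtraction attack described there, side by side with the symmetric renewal $r(x, y) \leftarrow r(x, y) + (x + y)\, r'(x, y)$ proposed above. The prime field $GF(P)$ with $P = 2^{31} - 1$, the public points $\omega_k = k$, the parameters $n = 5$, $t = 3$ and the random seed are assumptions of the example; polynomials in $x$ are coefficient lists with the lowest degree first.

```python
# Added example (not from the paper or [10]): asymmetric renewal of [10] with
# the attack of Section 4.1 next to the symmetric renewal of Section 4.2.
# Assumed: field GF(P), public points w_k = k, shares h_k(x) = r(x, w_k).
import random

P = 2_147_483_647  # assumed field modulus (2^31 - 1, prime)

def poly_eval(c, x):
    return sum(ck * pow(x, i, P) for i, ck in enumerate(c)) % P

def poly_add(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(u + v) % P for u, v in zip(a, b)]

def poly_scale(a, s):
    return [x * s % P for x in a]

def poly_mul_x_plus(a, w):
    """(x + w) * a(x): a shift for the x factor plus a scaling for w."""
    return poly_add([0] + a, poly_scale(a, w))

def random_symmetric(deg, rng):
    """Coefficients r_{i,j} = r_{j,i} of a symmetric bivariate polynomial
    of degree deg in each variable."""
    r = [[0] * (deg + 1) for _ in range(deg + 1)]
    for i in range(deg + 1):
        for j in range(i, deg + 1):
            r[i][j] = r[j][i] = rng.randrange(P)
    return r

def row_poly(r, w):
    """r(x, w) as a polynomial in x: coefficient of x^i is sum_j r_{i,j} w^j."""
    return [sum(r[i][j] * pow(w, j, P) for j in range(len(r))) % P
            for i in range(len(r))]

def lagrange_at_zero(points):
    """f(0) from t points of a polynomial of degree < t (reconstruction)."""
    total = 0
    for k, (xk, yk) in enumerate(points):
        num = den = 1
        for m, (xm, _) in enumerate(points):
            if m != k:
                num = num * (-xm) % P
                den = den * (xk - xm) % P
        total = (total + yk * num * pow(den, P - 2, P)) % P
    return total

def pairwise_consistent(shares, omegas):
    """The check of Renewal step 4: h_k(w_m) == h_m(w_k) for every k != m."""
    n = len(shares)
    return all(poly_eval(shares[k], omegas[m]) == poly_eval(shares[m], omegas[k])
               for k in range(n) for m in range(n) if k != m)

def run(seed=3, n=5, t=3, periods=4):
    rng = random.Random(seed)
    omegas = list(range(1, n + 1))
    r0 = random_symmetric(t - 1, rng)             # dealer's polynomial, secret r0(0,0)
    initial = [row_poly(r0, w) for w in omegas]   # h_k^0(x) = r0(x, w_k)
    asym = [list(h) for h in initial]             # shares under the renewal of [10]
    verif = [[0] * (t - 1) for _ in omegas]       # verification shares V_m(x) of [10]
    sym = [list(h) for h in initial]              # shares under the symmetric renewal
    for _ in range(periods):
        # every P_l contributes r^(l) of degree t-2; h'_m(x) = sum_l r^(l)(x, w_m)
        hp = [[0] * (t - 1) for _ in omegas]
        for _l in range(n):
            rl = random_symmetric(t - 2, rng)
            for m, w in enumerate(omegas):
                hp[m] = poly_add(hp[m], row_poly(rl, w))
        for m, w in enumerate(omegas):
            asym[m] = poly_add(asym[m], poly_scale(hp[m], w))    # h_m += w_m h'_m
            verif[m] = poly_add(verif[m], hp[m])                  # V_m += h'_m
            sym[m] = poly_add(sym[m], poly_mul_x_plus(hp[m], w))  # h_m += (x+w_m) h'_m
    # Attack of Section 4.1: h_i(x) - w_i V_i(x) is the dealer's initial share.
    leaked = [poly_add(asym[i], poly_scale(verif[i], P - w)) for i, w in enumerate(omegas)]
    pts = lambda sh: [(omegas[k], poly_eval(sh[k], 0)) for k in range(t)]
    return {
        "secret": r0[0][0],
        "leaked_equals_initial": leaked == initial,
        "asym_consistent": pairwise_consistent(asym, omegas),
        "sym_consistent": pairwise_consistent(sym, omegas),
        "sym_shares_changed": all(sym[i] != initial[i] for i in range(n)),
        "asym_secret": lagrange_at_zero(pts(asym)),
        "sym_secret": lagrange_at_zero(pts(sym)),
    }
```

Running `run()` shows the two points made in the text: under the renewal of [10] the shares are no longer pairwise consistent (which is why a separate verification share is needed) and `h_i(x) - w_i V_i(x)` returns exactly the dealer's share, while under the symmetric renewal every share changes, the pairwise check still passes, and both variants keep the secret $r(0, 0)$ reconstructible from any $t$ shares.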

Hence in the Renewal phase for the threshold case we need to modify only step 6:

6. $P_m$ updates the list of good servers $G$ (i.e., the values $l$ for which $P_l$ is accused by at least $b + 1$ servers, or found bad in the previous step, are not in $G$). Then $P_m$ updates its share as $h_m(x) \leftarrow h_m(x) + (x + \omega_m)\, h'_m(x)$, where $h'_m(x) = \sum_{l \in G} h_m^{(l)}(x)$.

Now we do not need the verification share any more.

For a general access structure the modification of the Renewal phase of the proactive SSS in [20] will be as follows:

Renewal phase

1. Each server $P_e \in G$ selects a random $(d-1) \times (d-1)$ symmetric matrix $R^{(e)}$ and using it constructs two symmetric $d \times d$ matrices $R^{(e,1)}$, $R^{(e,2)}$. $R^{(e,1)}$ is constructed by adding a zero column and a zero row as last column and row, and $R^{(e,2)}$ is constructed by adding a zero column and a zero row as first column and row.
2. After that $P_e$ sends $v_{\phi(k)}^{(e,1)} = M_{\phi(k)} R^{(e,1)}$ and $v_{\phi(k)}^{(e,2)} = M_{\phi(k)} R^{(e,2)}$ to all $P_k$ by a private channel.
3. Each $P_k$ checks whether the last column of $v_{\phi(k)}^{(e,1)}$ is a zero column and whether the first column of $v_{\phi(k)}^{(e,2)}$ is a zero column too. If these conditions are not satisfied $P_k$ broadcasts an accusation of $P_e$; otherwise $P_k$ computes $v_{\phi(k)}^{(e)}$ as the sum of the right shift of the coordinates of $v_{\phi(k)}^{(e,1)}$ and the left shift of the coordinates of $v_{\phi(k)}^{(e,2)}$, i.e. if we denote $v^{(e,1)} = ((v^{(e,1)})_1, \dots, (v^{(e,1)})_{d-1}, 0)$ and $v^{(e,2)} = (0, (v^{(e,2)})_1, \dots, (v^{(e,2)})_{d-1})$ then
$$v^{(e)} = \left((v^{(e,2)})_1,\ (v^{(e,2)})_2 + (v^{(e,1)})_1,\ \dots,\ (v^{(e,2)})_{d-1} + (v^{(e,1)})_{d-2},\ (v^{(e,1)})_{d-1}\right),$$
where the subscript $\phi(k)$ has been omitted. Finally, $P_k$ computes and sends to $P_j$ the values $M_{\phi(j)} (v_{\phi(k)}^{(e,1)})^T$, $M_{\phi(j)} (v_{\phi(k)}^{(e,2)})^T$ and $M_{\phi(j)} (v_{\phi(k)}^{(e)})^T$.
4. $P_j$ checks whether $M_{\phi(j)} (v_{\phi(k)}^{(e)})^T = v_{\phi(j)}^{(e)} M_{\phi(k)}^T$, $M_{\phi(j)} (v_{\phi(k)}^{(e,1)})^T = v_{\phi(j)}^{(e,1)} M_{\phi(k)}^T$ and $M_{\phi(j)} (v_{\phi(k)}^{(e,2)})^T = v_{\phi(j)}^{(e,2)} M_{\phi(k)}^T$ for the values of $e$ not accused by some set of servers from $\uplus_2 \Gamma_A$ (in step 3). If the set of values $k$ for which the equations do not hold belongs to $\uplus_2 \Gamma_A$, then $P_j$ broadcasts an accusation of $P_e$.
5. If $P_e$ is accused by some set of servers from $\uplus_2 \Gamma_A$ (from steps 3 and 4), then he can defend himself as follows. For those $P_i$ that $P_e$ is accused by, $P_e$ broadcasts $v_{\phi(i)}^{(e,1)}$, $v_{\phi(i)}^{(e)}$ and $v_{\phi(i)}^{(e,2)}$. Then all servers $P_k$ check whether $M_{\phi(i)} (v_{\phi(k)}^{(e)})^T = v_{\phi(i)}^{(e)} M_{\phi(k)}^T$, $M_{\phi(i)} (v_{\phi(k)}^{(e,1)})^T = v_{\phi(i)}^{(e,1)} M_{\phi(k)}^T$ and $M_{\phi(i)} (v_{\phi(k)}^{(e,2)})^T = v_{\phi(i)}^{(e,2)} M_{\phi(k)}^T$, and broadcast yes or no. If the set of servers broadcasting yes is from $\uplus_2 \Gamma_A$, then $P_e$ is not a bad server.

6. $P_j$ updates the list of bad servers $L$ by including all values $e$ for which $P_e$ is accused by at least one set from $\uplus_2 \Gamma_A$ or found bad in the previous step. Then $P_j$ updates its shares as $v_{\phi(j)} \leftarrow v_{\phi(j)} + \sum_{e \notin L} v_{\phi(j)}^{(e)}$.

Because of the symmetry all other procedures are the same as in [23] for the threshold case and as in [20] for the general access structure. Note that the information rate of the new scheme is optimal and equal to the rates in [20, 23]. The following theorem, which is proved in [20], gives sufficient conditions for the existence of an unconditionally secure proactive secret sharing scheme.

Theorem 4. [20] The scheme is an unconditionally secure proactive secret sharing scheme if the following conditions are satisfied: ii) $\uplus_3 \Gamma_A \subseteq \Gamma$. iii) For each group $N \in \Gamma$ the number of rows $\phi(N)$ of the group is equal to the number of columns of the matrix $M$.

5 A Proactive Verifiable DKDS

Using an LSSS as a primitive and based on the linearity of the system we can build a DKDS. If we use a VSS instead of an LSSS we can set up a Verifiable DKDS. Finally, if as primitive we use a proactive VSS we can build a Proactive VDKDS. The only difference between LSSS and VSS appears in the Set up phase. A straightforward solution to gain proactive security could be to apply directly, at the beginning of each time period, the procedures Detection, Recovery and Renewal for each of the secrets. We assume that a Dealer $D$ initializes the system, but as noted in [11, 10], it is also possible for the system to be initialized without the Dealer. The scheme proposed in this section provides $l$-wise independent conference keys (as in [11, 10]), i.e. the $l$-th conference key is uniformly distributed over the set of possible values, even if an adversary already knows $l - 1$ conference keys. The Set up phase is as follows.

5.1 Set up Phase

1. Let $l_F$ be the maximum number of conference keys that a group $F$ can compute. Assume that $l > \max\{l_F ;\ F \in \mathcal{F}\}$. The Dealer $D$ chooses a random secret column vector $k = (k_1, \dots, k_l)$ and publishes an $l \times l$ matrix $N$ consisting of linearly independent row vectors, i.e. $\mathrm{rank}(N) = l$. The conference key for $C_s$ is then defined by $k_s = \langle k^T, N_s \rangle$.
2. Then for each coordinate of the vector $k$ the Dealer runs $l$ independent copies of the proactive VSS $\Sigma_z$ described before, where the secret that each proactive VSS $\Sigma_z$ distributes among the servers is $k_z$, for $z = 1, \dots, l$.
3. Each server $S_i$ stores the $l$ packets of shares $v_{\phi(i),k_z}$ sent by the Dealer during the executions of the Share Phase of the $\Sigma_z$'s, and publishes the list of good servers $G \in \Gamma_A^\perp$ he has found.
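As an added illustration (not code from the paper), the following Python script runs a toy instance of the LSSS view of Section 2.2, of the Share and Reconstruction phases of the VSS of Section 3, and of the Set up phase above together with the key request and key computation of Section 5.2, for the threshold access structure realised by an $(n, t)$-Vandermonde MSP in which server $P_k$ owns row $k$. The field $GF(P)$ with $P = 2^{31} - 1$, the points $\alpha_i = i$, the public matrix $N = [[1, 2], [3, 5]]$, the parameters $n = 5$, $t = 3$ and the random seed are assumptions of the example; one server is made to tamper with its share so that the blinded pairwise check of the Share phase excludes it from $G$.

```python
# Added example (not code from the paper): VSS of Section 3 and DKDS key
# derivation of Section 5 for a threshold access structure.  Assumed: K = GF(P)
# with P = 2^31 - 1, M the (n, t)-Vandermonde matrix with alpha_i = i,
# server P_k owns row k (phi(k) = {k}), target vector eps = (1, 0, ..., 0).
import random

P = 2_147_483_647  # assumed field modulus (prime)

def inv(a):
    return pow(a % P, P - 2, P)

def dot(x, y):
    return sum(a * b for a, b in zip(x, y)) % P

def vandermonde(alphas, t):
    """Row i is (1, alpha_i, ..., alpha_i^(t-1))."""
    return [[pow(a, j, P) for j in range(t)] for a in alphas]

def row_times_matrix(row, R):
    """M_k R for a single row M_k: the share vector v_k of length d."""
    d = len(R)
    return [dot(row, [R[i][j] for i in range(d)]) for j in range(d)]

def solve_lambda(M_A):
    """Solve M_A^T lambda = eps over GF(P) by Gaussian elimination.  Returns
    None when eps is not in Im(M_A^T); for a Vandermonde M this is exactly the
    case |A| < t from Section 2.1."""
    m, d = len(M_A), len(M_A[0])
    aug = [[M_A[i][j] for i in range(m)] + [int(j == 0)] for j in range(d)]
    pivots, r = [], 0
    for c in range(m):
        piv = next((i for i in range(r, d) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        f = inv(aug[r][c])
        aug[r] = [x * f % P for x in aug[r]]
        for i in range(d):
            if i != r and aug[i][c]:
                g = aug[i][c]
                aug[i] = [(x - g * y) % P for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
    if any(aug[i][m] for i in range(r, d)):  # eps outside the row span
        return None
    lam = [0] * m
    for i, c in enumerate(pivots):
        lam[c] = aug[i][m]
    return lam

def vss_share(s, M, rng):
    """Share phase, step 1: random symmetric R with s in the upper-left
    corner; P_k receives v_k = M_k R."""
    d = len(M[0])
    R = [[0] * d for _ in range(d)]
    for i in range(d):
        for j in range(i, d):
            R[i][j] = R[j][i] = rng.randrange(P)
    R[0][0] = s % P
    return [row_times_matrix(M[k], R) for k in range(len(M))]

def vss_verify(M, shares, rng):
    """Share phase, steps 2-4.  P_k broadcasts M_i v_k^T + r_{i,k} + r_{k,i};
    the pair (e, k) is consistent when the two broadcasts about it agree.
    Servers in the most inconsistent pairs are dropped until G agrees."""
    n = len(M)
    r = [[rng.randrange(P) for _ in range(n)] for _ in range(n)]  # r[i][k]: P_i -> P_k
    bcast = [[(dot(M[i], shares[k]) + r[i][k] + r[k][i]) % P for i in range(n)]
             for k in range(n)]
    good = set(range(n))
    while True:
        bad = {k: sum(bcast[k][e] != bcast[e][k] for e in good if e != k) for k in good}
        worst = max(good, key=bad.get)
        if bad[worst] == 0:
            return sorted(good)
        good.remove(worst)

def vss_reconstruct(M, G, first_coords):
    """Reconstruction: lambda with M_G^T lambda = eps, then s = <lambda, (v_G)_1>."""
    lam = solve_lambda([M[k] for k in G])
    return None if lam is None else dot(lam, first_coords)

def server_temp_share(key_shares, N_s, i):
    """Key request, step 2 on server S_i: v_{i,s} = sum_z (N_s)_z v_{i,k_z}."""
    d = len(key_shares[0][i])
    return [sum(N_s[z] * key_shares[z][i][j] for z in range(len(N_s))) % P
            for j in range(d)]

def demo(seed=7, n=5, t=3, cheater=2):
    rng = random.Random(seed)
    M = vandermonde(range(1, n + 1), t)
    secret = 123456789
    shares = vss_share(secret, M, rng)
    shares[cheater] = [rng.randrange(P) for _ in range(t)]  # corrupted server lies
    G = vss_verify(M, shares, rng)
    recovered = vss_reconstruct(M, G, [shares[k][0] for k in G])
    too_few = solve_lambda([M[k] for k in G[:t - 1]])       # fewer than t rows
    # DKDS set up: secret vector k, public full-rank N, conference key k_s = <k, N_s>.
    keys = [rng.randrange(P) for _ in range(2)]
    N = [[1, 2], [3, 5]]
    key_shares = [vss_share(kz, M, rng) for kz in keys]      # one VSS per k_z
    answered = G[:t]                                          # good servers the user contacts
    firsts = [server_temp_share(key_shares, N[1], i)[0] for i in answered]
    return {"secret": secret, "recovered": recovered, "good": G, "too_few": too_few,
            "conference_key": dot(keys, N[1]),
            "user_key": vss_reconstruct(M, answered, firsts)}
```

In `demo()` the tampering server ends up in every inconsistent pair and is the one removed, the remaining servers reconstruct the secret from first coordinates alone, `solve_lambda` returns `None` for fewer than $t$ rows as Section 2.1 predicts, and the user's key computed from the servers' temporary shares equals $\langle k, N_s \rangle$, which is the linearity argument of Section 5.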

In a VSS the reconstruction of the secret is done by the participants (i.e. the servers in our setting), while in a DKDS each user of a given conference contacts the servers, receives some information and computes the common key by applying a public function to the values received. Basically, the values sent by the servers must enable him to compute a single key, namely the one the user is asking for.

5.2 Key Request and Key Computation Phase

1. User $U_j \in C_s$ asks a subset of good servers from $\uplus_2 \Gamma_A$ for the key $k_s$.
2. Each server $S_i$ computes the temporary share $v_{\phi(i),s} = \sum_{z=1}^{l} (N_s)_z\, v_{\phi(i),k_z}$ and sends the first column of $v_{\phi(i),s}$ to $U_j \in C_s$, i.e. $(v_{\phi(i),s})_1 = \langle v_{\phi(i),s}, \varepsilon^T \rangle$.
3. $U_j$ computes $\lambda$ such that $M_{\phi(\tilde{G})}^T \lambda = \varepsilon$, for some group $\tilde{G} \subseteq G$ with $\tilde{G} \in \uplus_3 \Gamma_A$. Finally, he recovers $k_s = \langle \lambda, (v_{\phi(\tilde{G}),s})_1 \rangle$.

Correctness. The correctness of the construction can be shown as follows. According to step 1 of the Set up Phase, $k_s = \langle k^T, N_s \rangle = \sum_{z=1}^{l} (N_s)_z\, k_z$, but from the Reconstruction Phase of the VSS we have that
$$\langle \lambda, (v_{\phi(\tilde{G}),k_z})_1 \rangle = \langle \lambda, (M_{\phi(\tilde{G})} R_{k_z})_1 \rangle = \langle \lambda, M_{\phi(\tilde{G})} (R_{k_z})_1 \rangle = \langle (R_{k_z})_1, M_{\phi(\tilde{G})}^T \lambda \rangle = \langle (R_{k_z})_1, \varepsilon \rangle = k_z.$$
Hence
$$k_s = \sum_z (N_s)_z \langle \lambda, M_{\phi(\tilde{G})} (R_{k_z})_1 \rangle = \langle \lambda, \sum_z (N_s)_z M_{\phi(\tilde{G})} (R_{k_z})_1 \rangle = \langle \lambda, M_{\phi(\tilde{G})} \sum_z (N_s)_z (R_{k_z})_1 \rangle = \langle M_{\phi(\tilde{G})}^T \lambda, \sum_z (N_s)_z (R_{k_z})_1 \rangle = \langle \varepsilon, \sum_z (N_s)_z (R_{k_z})_1 \rangle = \langle \varepsilon, (R_s)_1 \rangle.$$
So, we can think of the secret conference key $k_s$ as a secret distributed with the VSS using the temporary random symmetric matrix $R_s = \sum_{z=1}^{l} (N_s)_z R_{k_z}$. That is why in step 2 of the Key Request phase the server $S_i$ needs to compute the temporary share $v_{\phi(i),s}$. On the other hand we have:
$$k_s = \sum_z (N_s)_z \langle \lambda, M_{\phi(\tilde{G})} (R_{k_z})_1 \rangle = \sum_z (N_s)_z \langle \lambda, (M_{\phi(\tilde{G})} R_{k_z})_1 \rangle = \sum_z (N_s)_z \langle \lambda, (v_{\phi(\tilde{G}),k_z})_1 \rangle = \langle \lambda, \sum_z (N_s)_z (v_{\phi(\tilde{G}),k_z})_1 \rangle$$

$$= \langle \lambda, \big(\sum_z (N_s)_z\, v_{\phi(\tilde{G}),k_z}\big)_1 \rangle = \langle \lambda, (v_{\phi(\tilde{G}),s})_1 \rangle.$$
Thus the user $U_j$ is able to restore the secret conference key in step 3 of the Key Computation Phase.

6 Conclusions

In this paper we have shown how to set up a Robust Unconditional Proactive Verifiable DKDS, enabling a set of servers to jointly realize a Key Distribution Center. We have used an unconditionally secure proactive VSS based on a general access structure as a building block. Basically, we can use only the VSS based on a general access structure (as a building block) and the structure of the DKDS will stay the same. We have also revised the unconditionally secure VSSs from [10, 20, 23], proposing a modified version which is proactively secure. Since proactivity, considered as a security property, can be useful in several settings in which the adversary is mobile, the applicability of such schemes has independent interest beyond the specific application to key distribution that has been addressed in this paper. It is clear that using the linear unconditional Proactive Verifiable DKDC as a base and the homomorphic properties of the Diffie-Hellman or ElGamal cryptosystem one can build a computationally secure Proactive Verifiable DKDC. Using the ideas in [9] they can be made more efficient.

7 Acknowledgements

The authors would like to thank Paolo D'Arco and Doug Stinson for the fruitful discussions and comments.

References

1. G. R. Blakley, Safeguarding cryptographic keys, AFIPS Conference Proc. 48, 1979, pp.
2. G. R. Blakley, G. A. Kabatianskii, Linear Algebra Approach to Secret Sharing Schemes, Springer Verlag LNCS 829, 1994, pp.
3. C. Blundo, P. D'Arco, V. Daza, C. Padro, Bounds and Constructions for Unconditionally Secure Distributed Key Distribution Schemes for General Access Structures, Proc. of the Information Security Conference (ISC 2001), LNCS 2200, 2001, pp.
4. C. Blundo, P. D'Arco, C. Padro, A ramp model for distributed key distribution schemes, WCC 2001, pp.
5. E. F. Brickell, Some ideal secret sharing schemes, J. of Comb. Math. and Comb. Computing 9, 1989, pp.
6. B. Chor, S. Goldwasser, S. Micali, B. Awerbuch, Verifiable secret sharing and achieving simultaneity in the presence of faults, Proc. of the IEEE 26th Annual Symp. on Foundations of Computer Science, 1985, pp.

14 7. R. Cramer, Introduction to Secure Computation. In Lectures on Data Security - Modern Cryptology in Teory and Practice, LNCS 1561, 1999, pp P. D Arco, On te Distribution of a Key Distribution Center, Proc. of ICTCS 2001, LNCS 2202, 2001, pp V. Daza, J. Herranz, C. Padro, G. Saez A distributed and computationally secure key distribution sceme, Cryptology eprint Arcive, Report 2002/069, 10. P. D Arco, D. Stinson, On Unconditionally Secure Proactive Secret Saring Sceme and Distributed Key Distribution Centers, unpublised manuscript, May P. D Arco, D. Stinson, On Unconditionally Secure Robust Distributed Key Distribution Centers, to appear in ASIACRYPT M. van Dijk, A Linear Construction of Secret Saring Scemes, DCC 12, 1997, pp S. Fer, U. Maurer, Linear VSS and Distributed Commitments Based on Secret Saring and Pirwise Cecks, Proc. CRYPTO 2002, Springer Verlag LNCS 2442, pp S. Fer, V. Nikov, S. Nikova, private communication. 15. R. Gennaro, Y. Isai, E. Kuslevitz, T. Rabin, Te round complexity of Verifiable Secret Saring and Secure Multicasting, Proc. STOC A. Herzberg, S. Jarecki, H. Krawczyk, M. Yung, Proactive secret saring or: How to cope wit perpetual leakage, Proc. CRYPTO 1995, Springer Verlag LNCS 963, pp M. Hirt, U. Maurer, Player Simulation and General Adversary Structures in Perfect Multiparty Computation, J. of Cryptology 13, 2000, pp M. Karcmer, A. Wigderson, On Span Programs, Proc. of 8-t Annual Structure in Complexity Teory Conference, San Diego, California, May IEEE Computer Society Press, pp M. Naor, B. Pinkas and O. Reingold, Distributed Pseudo-random Functions and KDCs, EuroCrypt 99, LNCS 1592, 1999, pp V. Nikov, S. Nikova, B. Preneel, J. Vandewalle, Applying General Access Structure to Proactive Secret Saring Scemes, Proc. of te 23rd Symposium on Information Teory in te Benelux, May 29-31, 2002, Universite Catolique de Lovain (UCL), Lovain-la-Neuve, Belgium, pp , Cryptology eprint Arcive: Report 2002/ R. Ostrovsky, M. 
Yung, How to witstand mobile virus attack, ACM Symposium on principles of distributed computing, 1991, pp T. Rabin, M. Ben-Or, Verifiable secret saring and multiparty protocols wit onest majority, Proc. of te 21st Annual ACM Symp. on Teory of Computing 1989, pp D.R. Stinson, R. Wei, Unconditionally Secure Proactive Secret Saring Sceme wit combinatorial Structures, SAC 99, Springer Verlag LNCS 1758, pp A. Samir, How to sare a secret, Communications of te ACM 22, 1979, pp

More information

OPTIMAL FLEET SELECTION FOR EARTHMOVING OPERATIONS

OPTIMAL FLEET SELECTION FOR EARTHMOVING OPERATIONS New Developments in Structural Engineering and Construction Yazdani, S. and Sing, A. (eds.) ISEC-7, Honolulu, June 18-23, 2013 OPTIMAL FLEET SELECTION FOR EARTHMOVING OPERATIONS JIALI FU 1, ERIK JENELIUS

More information

Theoretical calculation of the heat capacity

Theoretical calculation of the heat capacity eoretical calculation of te eat capacity Principle of equipartition of energy Heat capacity of ideal and real gases Heat capacity of solids: Dulong-Petit, Einstein, Debye models Heat capacity of metals

More information

To motivate the notion of a variogram for a covariance stationary process, { Ys ( ): s R}

To motivate the notion of a variogram for a covariance stationary process, { Ys ( ): s R} 4. Variograms Te covariogram and its normalized form, te correlogram, are by far te most intuitive metods for summarizing te structure of spatial dependencies in a covariance stationary process. However,

More information

Background Facts on Economic Statistics

Background Facts on Economic Statistics Background Facts on Economic Statistics 2003:3 SAMU Te system for co-ordination of frame populations and samples from te Business Register at Statistics Sweden epartment of Economic Statistics Te series

More information

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013 FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca,

More information

Writing Mathematics Papers

Writing Mathematics Papers Writing Matematics Papers Tis essay is intended to elp your senior conference paper. It is a somewat astily produced amalgam of advice I ave given to students in my PDCs (Mat 4 and Mat 9), so it s not

More information

Recall that two vectors in are perpendicular or orthogonal provided that their dot

Recall that two vectors in are perpendicular or orthogonal provided that their dot Orthogonal Complements and Projections Recall that two vectors in are perpendicular or orthogonal provided that their dot product vanishes That is, if and only if Example 1 The vectors in are orthogonal

More information