Practical and Secure Solutions for Integer Comparison
|
|
- Diane Parker
- 8 years ago
- Views:
Transcription
1 In Publc Key Cryptography PKC 07, Vol of Lecture Notes n Computer Scence, Sprnger-Verlag, pp Practcal and Secure Solutons for Integer Comparson Juan Garay 1, erry Schoenmakers 2, and José Vllegas 2 1 ell Labs Alcatel-Lucent, 600 Mountan Ave., Murray Hll, NJ garay@research.bell-labs.com 2 Dept. of Mathematcs and Computng Scence, TU Endhoven, P.O. ox 513, 5600 M Endhoven, The Netherlands berry@wn.tue.nl, j.a.vllegas@tue.nl Abstract. Yao s classcal mllonares problem s about securely determnng whether x > y, gven two nput values x, y, whch are held as prvate nputs by two partes, respectvely. The output x > y becomes known to both partes. In ths paper, we consder a varant of Yao s problem n whch the nputs x, y as well as the output bt x > y are encrypted. Referrng to the framework of secure n-party computaton based on threshold homomorphc cryptosystems as put forth by Cramer, Damgård, and Nelsen at Eurocrypt 2001, we develop solutons for nteger comparson, whch take as nput two lsts of encrypted bts representng x and y, respectvely, and produce an encrypted bt ndcatng whether x > y as output. Secure nteger comparson s an mportant buldng block for applcatons such as secure auctons. In ths paper, our focus s on the two-party case, although most of our results extend to the mult-party case. We propose new logarthmc-round and constant-round protocols for ths settng, whch acheve smultaneously very low communcaton and computatonal complextes. We analyze the protocols n detal and show that our solutons compare favorably to other known solutons. Key words: Mllonares problem; secure mult-party computaton; homomorphc encrypton. 1 Introducton The mllonares problem, ntroduced by Yao [Yao82], nvolves two partes who want to compare ther rches: they wsh to know who s rcher but do not want to dsclose any other nformaton about ther rches to each other. More formally, the problem s to fnd a two-party protocol for the secure evaluaton of the functon f(x, y) = [x > y] where the bracket notaton [], for a condton, s defned by [] = 1 f holds and [] = 0 otherwse (ths s called Iverson s conventon; see [Knu97]). Rather than requrng that the nputs x and y are actually known as prvate nputs to the partes, we wll work n the more general settng where the
2 nputs are not necessarly known to the partes runnng the protocol. Instead, the nputs to the protocol may be gven as encrypted values only, and the output wll also be made avalable n encrypted form. Note that the nputs to our protocols wll actually be encryptons of the ndvdual bts, representng the ntegers to be compared. For these encryptons we wll use a threshold homomorphc cryptosystem, as n the framework of secure n-party computaton based on threshold homomorphc cryptosystems put forth by Cramer, Damgård, and Nelsen [CDN01]. In lne wth ths, we consder the case of an actve, statc adversary 3,.e., we consder the malcous case. Requrng () that the nputs are gven n encrypted form (wthout anyone knowng these nputs) and () that the output bt [x > y] also be encrypted (wthout anyone learnng ts value) sets our problem settng apart from the settng of Yao s paper [Yao82] and much of the follow-up lterature. Indeed, consder computng [x = y] n the case of encrypted nputs but publc output, where the followng well-known soluton works. Let [M ] denote a (probablstc) encrypton of a message M n a threshold homomorphc cryptosystem. Gven encryptons [[x] and [y ], the encrypton [[x y ] s publcly computed. Furthermore, the partes jontly compute an encrypton [r ] for a (jontly) random r. Usng one nvocaton of a secure multplcaton protocol, the partes then produce encrypton [(x y)r ], whch s jontly decrypted. If the result s 0, then x = y; otherwse, x y, and the result s a random number. In contrast, when the output s requred n encrypted form, such smple solutons are not known and typcally protocols (ncludng ours) work over the encrypted values of the bnary representaton of the nputs x and y. Furthermore, unlke many publcatons on the mllonares problem, we consder the malcous case rather than the sem-honest (or honest-but-curous) case. 1.1 Our contrbutons The contrbutons of ths paper are as follows: A logarthmc-round protocol for secure nteger comparson, whch s based on an elegant oolean crcut for nteger comparson of depth log 2 m for m-bt ntegers. In addton, the sze of the crcut s only 3m (countng the number of secure multplcaton gates). The crcut can be readly used as a drop-n replacement for the O(1)-depth crcut for nteger comparson n [DFK + 06], whch s only of theoretcal nterest as t uses 19 rounds and 22m secure multplcatons. Note that the depth of our log-depth crcut exceeds ther constant-depth crcut for nteger comparson only f the nputs consst of ntegers of bt length m = 2 20 or longer.) A constant-round protocol for secure nteger comparson for whch the number of rounds s a small constant and the number of secure multplcatons s 3 In prncple, the case of adaptve adversares could be handled at the expense of addtonal tools (e.g., [DN00,DN03,GMY03]); n ths paper we focus on the statc (and stand-alone) case.
3 a small multple of m. Our constant-round soluton s restrcted to the case of two partes (or, rather, any constant number of partes). Our protocol bulds on a protocol by lake and Kolesnkov [K04] for nteger comparson for a dfferent settng. In partcular, we provde an effcent technque for securely returnng the output bt n an encrypted form. We lke to stress that applcaton of our log-depth crcut s not restrcted to the framework of [CDN01]: the crcut can be used n any framework for secure n-party computaton that assumes that the functon to be computed s gven as a crcut. In partcular, the log-depth crcut can be used for secure computaton based on verfable secret sharng, thus yeldng solutons whch are uncondtonally secure rather than computatonally secure, as descrbed n ths paper. Furthermore, the proof of securty of our constant-round protocol s nterestng n ts own rght. Theorem 1, as explaned below, essentally captures the securty of the protocol n a modular way. Here, we have adopted the approach suggested recently n [ST06], and we show how the requred smulator can be bult even though our protocol s of a much dfferent nature than the ones n [ST06]. 1.2 Related work There appear to be only a few publcatons n the lterature whch consder encrypted nputs and outputs for nteger comparson. Above we have already mentoned the work of Damgård et al. [DFK + 06]. The man dfference s that they work n an uncondtonal settng, reflected by the use of sharngs for an underlyng lnear secret sharng scheme, whle we work n the cryptographc model where we use encryptons for an underlyng threshold homomorphc cryptosystem. Together wth a secure multplcaton protocol for a homomorphc threshold ElGamal scheme, Schoenmakers and Tuyls [ST04] also present a soluton for secure nteger comparson for encrypted nputs and outputs. Ther soluton, however, requres a lnear (O(m)) number of rounds and secure multplcaton gates. Wth more relaxed requrements than ours, randt [ra06] presents a soluton where the nputs are encrypted but the output s n the clear for both partcpants, and furthermore, t s not 0 or 1 but nstead 0 or random, whch lmts ts applcablty. A dfferent approach to solve the nteger comparson problem s when one of the partes acts as a server. In ths settng, say, Alce knows the prvate keys to open encryptons and ob works over hs nput bts and Alce s encrypted nput bts to produce some nformaton that allows Alce to know the output of the functon beng evaluated. Examples of these approaches to nteger comparson are presented n [DC00,Fs01,K04,LT05]. In contrast to our solutons, these solutons do not provde encrypted output and the actual encrypted nputs are known to the partes runnng the protocols.
4 1.3 Organzaton of the paper The rest of the paper s organzed as follows. In Secton 2 we ntroduce the man buldng blocks used by our protocols and we gve some background on threshold homomorphc cryptosystems. In Secton 3 we present our two new protocols for nteger comparson, together wth ther proof of securty (specfcally, of the second protocol, as the proof of the frst protocol follows drectly from the securty guarantees provded by the [CDN01] settng). We conclude n Secton 4 wth a bref performance analyss and comparson to exstng results. 2 Prelmnares Our results apply to any threshold homomorphc cryptosystem, such as those based on ElGamal or Paller. It s assumed that a secure multplcaton protocol s avalable, as n [CDN01,ST04]. Snce we only need secure multplcaton of bnary values, we use the condtonal gate of [ST04], whch allows for an effcent mplementaton based on threshold homomorphc ElGamal whch n turn allows for the use of ellptc curves, hence yeldng compact and effcent mplementatons. We wrte [x] for a (probablstc) encrypton of the value x, usng the publc key of the underlyng threshold homomorphc ElGamal cryptosystem. Further, let Z q denote the message space, for a large prme q (of, say, sze 160 bts). The cyclc group G used for ElGamal s also of order q, and we assume that elements of G are represented usng q bts only (whch s the case for ellptc curves). Thus, an ElGamal encrypton consstng of two group elements s of sze 2 q. In order to wthstand actve attacks, we use Σ-protocols [CDS94], a standard type of zero-knowledge proofs/arguments. Assumng the random oracle model, all proofs can be converted nto non-nteractve ones and can be smulated easly. As mentoned above, we make use of secure multplcaton gates whch on nput [x] and [y ] allows two or more partes (who share the prvate key of the underlyng threshold homomorphc cryptosystem) to jontly compute an encrypton [[xy ]. Secure multplcaton gates can be mplemented n a constant number of rounds [CDN01], usng the Paller cryptosystem. Usng a number of rounds lnear n the number of partes (whch s constant n case of two-party computaton), the condtonal gate [ST04] can be used nstead, n case one of the multplcands s from a two-valued doman (e.g., f x {0, 1}). Furthermore, n case one of nputs, say, x s prvate to one of the partes, a smplfed multplcaton protocol can be used wth no nteracton between the partes. The protocol conssts n lettng the party knowng the prvate value x broadcast a re-encrypton of [xy ] = [y ] x usng the homomorphc propertes of the scheme, and generate a Σ-proof showng that [xy ] was correctly computed wth respect to [x] and [y ]. Followng [ST04], we wll refer to ths protocol as the prvate-multpler gate. For the performance comparsons presented at the end of ths paper, we wll assume a setup usng a (2,2)-threshold homomorphc ElGamal cryptosystem.
5 We note that n ths case a condtonal gate requres about 50 exponentatons and 34 q bts of communcaton, per nvocaton. Smlarly, a prvate-multpler gate requres about 10 exponentatons and 6 q bts of communcaton, per nvocaton. In the same settng, a threshold decrypton requres 6 exponentatons and 6 q bts of communcaton. A fnal tool that we wll use are verfable mxes [SK95], a tool for verfably mxng lsts of cphertexts. More formally, a verfable mx takes as nput a lst of encryptons [x 1 ],..., [x m ], and produces another lst of encryptons [x 1 ],..., [x m ] as output such that [[x π(1) ] = [x 1 ] [0],..., [x π(m) ] = [x m ] [0] for some random permutaton π of {1,..., m}. Here, each occurrence of [0]] denotes a probablstc encrypton of 0. A verfable mx also outputs a non-nteractve zero-knowledge proof (for whch we assume the random-oracle model throughout). For concreteness, we assume Groth s effcent proof [Gro03], whch for our settng requres about 14m exponentatons and s of sze 6m q bts. We are now ready to descrbe our protocols for nteger comparson. 3 New Solutons to the Integer Comparson Problem In ths secton we present two new protocols for nteger comparson followng dfferent approaches. In both cases, the nputs x and y are gven as sequences of encrypted bts, [x m 1 ],..., [x 0 ] and [y m 1 ],..., [y 0 ], wth x = m 1 =0 x 2, y = m 1 =0 y 2. The output s [[x > y]]. Hence, both nputs and output are avalable n encrypted form only. As a startng pont and for later comparson, we frst the lnear-depth crcut of [ST04] for computng x > y, usng smple arthmetc gates only (addton, subtracton, condtonal gates). The crcut (or, oblvous program) s fully descrbed by the followng recurrence: t 0 = 0, t +1 = (1 (x y ) 2 )t + x (1 y ), where t m s the output bt (hence t m = [x > y]). Rather than startng from the most sgnfcant bt, ths crcut computes [x > y] startng from the least sgnfcant bt. Although somewhat counterntutve, the advantage of ths approach s that the crcut contans 2m 1 condtonal gates only (compared to about 3m condtonal gates when startng from the most sgnfcant bt, see [ST04]). A dsadvantage s that the depth of the crcut s m, hence nducng a crtcal path of m sequental secure multplcatons (the terms [x 1 y 1 ],...,[x m y m ] can be computed n parallel, but the computaton of t 1,..., t m must be done sequental). The computatonal complexty and communcaton complexty of a protocol for nteger comparson based on ths crcut s thus determned by the work requred for the condtonal gates. For later comparson, n the two-party case, we have about 100m exponentatons and 68m q bts of communcaton and a lnear number of rounds.
6 3.1 Logarthmc round complexty wth low computatonal complexty The result n ths secton shows how to reduce the depth of the crcut to O(log m) wthout ncreasng ts sze beyond O(m). The dea reles on the followng smple but crucal property of nteger comparson. Wrte x = X 1 X 0 and y = Y 1 Y 0 as bt strngs, where 0 X 1 = Y 1 m and 0 X 0 = Y 0 m. Then, { [X1 > Y [x > y] = 1 ], X 1 Y 1 ; [X 0 > Y 0 ], X 1 = Y 1, whch may be arthmetzed as [x > y] = [X 1 > Y 1 ] + [X 1 = Y 1 ][X 0 > Y 0 ]. Ths property suggests a protocol that would frst splt the bt strngs x and y n about equally long parts, compare these parts recursvely, and then combne these to produce the fnal output. To evaluate the expresson for [x > y] usng smple arthmetc gates, we ntroduce the followng auxlary functon: z(x, y) = [x = y] = 1 (x y) 2 Let t,j stand for the value of > when appled to the substrngs x +j 1,..., x +1, x and y +j 1,..., y +1, y. Expressed explctly n terms of the bts of x and y, a full soluton for [x > y] s obtaned by evaluatng t 0,m from (usng l = j/2 ) 4 : { x x t,j = y, j = 1; t +l,j l + z +l,j l t,l, j > 1. { 1 x + 2x z,j = y y, j = 1; z +l,j l z,l, j > 1. Correctness of the computaton should be mmedate, and ts securty follows from the securty guarantees provded by the framework we are consderng [CDN01], assumng secure arthmetc gates. Regardng overhead, the number of condtonal gates requred for z,j s 2j 1. The number of condtonal gates for t,j s j 1, not countng the condtonal gates for z. Thus, the total number of condtonal gates for t 0,m s bounded above by 3m 2. About log 2 m condtonal gates can be saved by observng that some z-values are not needed for the evaluaton of t. The computatonal and communcaton complextes are domnated by the number of condtonal gates. In the worst case, 3m 2 condtonal gates are requred, resultng n about 150m exponentatons and 102m q broadcast bts. 4 Any value l, 0 < l < j, actually works, but only l j/2 gves logarthmc depth. The msb-to-lsb and lsb-to-msb crcuts n [ST04] are specal cases, obtaned respectvely by settng l = 1 and l = j 1.
7 The depth of the crcut s exactly log 2 m, hence O(log m) wth hdden constant equal to 1 for the base-2 logarthm. As a further remark we note that ths log-depth crcut allows for the computaton of sgn(x y) at vrtually no extra cost. Here, sgn(z) s the sgnum functon, whch s equal to the sgn of z (whch s equal to 1 f z < 0, 0 f z = 0, and 1 f z > 0). Ths follows form the fact that the crcut also computes [x = y], next to [x > y], hence one obtans sgn(x y) = 2[x > y] 1 + [x = y] as well. 3.2 Constant round complexty wth low computatonal complexty In ths secton we seek to reduce the round complexty to O(1), adoptng an approach qute dfferent from the one above. We consder the problem of computng [[x > y]] n the two-party case, and we wsh to acheve a low, constant-round complexty whle keepng the sze of the crcut small as well. Frst, we note that the O(1)-depth and O(m)-sze crcut for nteger comparson of [DFK + 06] s only of theoretcal nterest to us: the depth of the crcut s actually 19, and ts sze s 22m (only countng secure multplcaton gates). For a result that possbly competes wth our logarthmc soluton we take the protocol for condtonal oblvous transfer of lake and Kolesnkov [K04] (where the condton s also an nteger comparson) as a startng pont. The man dea n that protocol s to calculate the frst poston where the bts of x and y dffer, startng from the most-sgnfcant bt. Let be that poston; then x y { 1, 1} ndcates whether x > y or not. Jumpng ahead a lttle, the poston wll be determned as the unque ndex satsfyng γ = 1 (whch s guaranteed to exst f we assume x y; see below). Of course, the value of must reman hdden, whch s acheved by the partes randomly permutng (.e., mxng) the relevant sequences. The protocol s descrbed n detal below. As sad above, our startng pont s the protocol n [K04] for the passve adversary settng. New ngredents nclude the fact that we allow for encrypted nputs [x] and [y ], rather than prvate nputs x and y. Accordngly, we use a (2,2)-threshold homomorphc cryptosystem nstead of just a homomorphc cryptosystem, and we use secure multplcaton (condtonal gates). Furthermore, we use a specfc knd of blndng at the end of the protocol n order to extract the outcome of the nteger comparson n encrypted form. Fnally, as an mportant dfference, we can actually use other homomorphc cryptosystems, such as ElGamal, whereas [K04] makes essental use of Paller. Constant-round protocol. The protocol conssts of the followng steps: 1. Usng m condtonal gates, partes A and jontly compute [f ] = [[x y ]]. Then they publcly compute the γ-sequence: [γ m ] = [0]; [γ ] = [2γ +1 + f ], for = m 1,..., For = m 1,..., 0, party A broadcasts [r A ] for random ra R Z q and produces sequence [u A ] = [ra (γ 1)] usng a prvate-multpler gate.
8 3. Party does the same wth [r ] producng sequence [[u ] = [r (γ 1)], where r R Z q. Now they publcly produce sequence [u ] = [u A ][u ][x y ] = [(r A + r )(γ 1) + (x y )]. 4. Party A verfably mxes sequence [u ] producng sequence [u ]. 5. Party verfably mxes sequence [u ] producng sequence [v ]. Now, partes A and take turns to multply ths last sequence by a randomly selected number n { 1, 1}: 6. Party A broadcasts [s A ], s A R { 1, 1}, and uses a prvate-multpler gate to produce sequence [v ] = [s A v ]. A proof that [s A ] s an encrypton of ether 1 or 1 s also gven. 7. Party does the same, broadcastng [s ], s R { 1, 1}, and producng sequence [w ] = [s v ] along wth the requred proofs. 8. Fnally, partes A and proceed to decrypt the sequence [w ] untl they fnd the unque ndex satsfyng w { 1, 1}. The output s defned as [(v + 1)/2]. The value v s ether 1 or 1, hence (v + 1)/2 s ether 0 or 1. Ths lnear transformaton can be done for free because of homomorphc propertes. The above protocol assumes that x y, n order that ndex s well defned. If x = y, then no entry n the w-sequence wll be equal to 1 or 1. One can put sentnels to resolve possble equalty, by settng f 1 = 1 and u 1 = (r 1 A + r 1)(γ 1) + 1. The rest of the protocol s adapted accordngly. In case the output need not be encrypted, steps 6 and 7 are omtted, and the partcpants drectly open the sequence v to fnd the poston where v s n { 1, 1}, where 1 means that x s less than or equal to y, and 1 means x s greater than y. For the complextes, the number of rounds for the protocol s small: at most 9 rounds (two rounds for the condtonal gates n step 1, and one round for each of the subsequent steps). For the number of exponentatons, we have 50m for the condtonal gates (step 1), 40m for the multplcaton gates (steps 2, 3, 6, and 7), 28m for the verfable mxes, and 3m for the decrypton (m/2 expected decryptons), whch amounts to 124m exponentatons n total. Smlarly, 77m q s the number of bts of communcaton. We have omtted further optmzatons for clarty of exposton. The protocol easly extends to the multparty case, but snce the mxng s done sequentally, constant round complexty s not acheved (note that secure multplcaton gates can be constant-round even n the mult-party case f Paller encrypton s used, as n [CDN01]). Proof of securty. For the proof of securty, we want to be able to smulate ths protocol assumng that one of the partcpants s corrupted. The dea s to gve the smulator the nputs [x ] and [y ] n such a way that a consstent vew of the protocol can be constructed wthout makng use of the prvate nformaton of the honest partcpant. We frst revew the smulaton requrements for the buldng blocks. In order to smulate a condtonal gate, encryptons [[x] and [y ] are requred, as well
9 as one encrypton of [xy ] wth the requrement that x { 1, 1} (or, any other two-value doman) and the contents of the encryptons are consstent. The actual values x,y and xy need not be known. The same holds for the prvate multpler gate, where n ths case the proof of knowledge of, say, x s smulated. For a threshold decrypton, we need to provde both [x] and x to the correspondng smulator. We now turn to the overall smulaton strategy. We note that one problem already arses at the frst step of the protocol: n order to smulate the condtonal gate nvocatons n Step 1, the smulator has to produce [x y ] only gven [x ] and [y ], whch s mpossble! We crcumvent such problems by adoptng the approach recently ntroduced n [ST06], n whch t s explaned that smulaton for nput/output pars of a specal form (see Theorem 1 below) suffce to ensure ntegraton wth the framework of [CDN01]. Ths s a consequence of the fact that the securty proof n [CDN01] centers around the constructon of a so-called YAD b dstrbuton, whch s defned as a functon of an encrypted bt [b]. The structure of the securty proof [CDN01] follows an deal-model/realmodel approach. The YAD 0 dstrbuton s dentcal to the dstrbuton of the deal case, whereas the YAD 1 dstrbuton s statstcally ndstngushable from the dstrbuton n the real case. Therefore, f an adversary can dstngush between the deal/real cases, t mples that the adversary can dstngush the YAD 0 dstrbuton from the YAD 1 dstrbuton. ut as the choce between these two dstrbutons s determned by the value of the encrypted bt b, t follows that the dstngusher for the deal/real cases s a dstngusher for the underlyng encrypton scheme. And ths s done n tght way,.e., wthout loss n the success probablty for the dstngusher. (See [CDN01,ST06] for more detals.) Thus, t s suffcent to show a smulaton for nputs of a specal form, namely, [ x] = [(1 b)x (0) + bx (1) ], where x (0) and x (1) are gven n the clear to the smulator, but b s only gven n encrypted form [b]. The values x (0) and x (1) correspond to the values arsng n the YAD 0 and YAD 1 cases, respectvely. Theorem 1. Gven nput values x (0), y (0), x (1) and y (1) and an encrypton [b] wth b {0, 1} the above protocol can be smulated statstcally ndstngushably for nputs [ x ] = [(1 b)x (0) + bx (1) ] and [ỹ ] = [(1 b)y (0) + by (1) ]. Proof. Let x (0), y (0), x (1) and y (1) and encrypton [b] wth b {0, 1} be gven. Assumng that party A s corrupted, the smulaton works as follows: 1. For Step 1, we rely on the smulator for the condtonal gates, whch we need to provde wth the nputs [ x ] and [ỹ ] and the correspondng output [ f ] = [ x ỹ ]. The latter values are computed as [(1 b)x (0) y (0) + bx (1) y (1) ], usng [b] and the homomorphc propertes of the cryptosystem. Smlarly, the smulator also computes [ γ ] = [(1 b)γ (0) +bγ (1) ]. Let and 1 denote the ndces such that γ (0) = γ (1) 1 = 1 as these values are known to the smulator. 2. Next, we let party A do her work. She wll broadcast [ r A ] and [ũa ], for all. The values r A can be extracted by rewndng the proof of knowledge of the prvate-multpler nvocaton.
10 3. The dea of ths step s to generate values r (j) such that the smulator may put equal values (up to sgn) n the u-sequences, whch wll later decrypt to the same value ndependently of b. For ths the smulator does the followng. Frst, he selects s (0) R { 1, 1}. The value of s (1) depends on the result of the comparson of x (0) aganst y (0), and x (1) aganst y (1). If both comparsons have the same result, then s (1) = s(0), otherwse s(1) = s(0). Now the smulator selects r (0) the followng: (a) u (0) s (0) = u(1) s (1) (b) u (1) s (1) = u(0) 1 s (0), for {, 1 }; ; (c) u (0) s (0) = u(1) 1 s (1). Frst, we note that, for j = 0, 1: u (j) = ( r A + r (j), r (1) n such a way that u (0) and u (1) )(γ (j) 1) + (x (j) y (j) ). satsfy For case (a) we essentally need that s (0) s(1) u(0) = u (1), whch means that s (0) ( s(1) ( r A +r (0) )(γ (0) 1)+(x (0) y (0) ) ) =( r A +r (1) )(γ (1) 1)+(x (1) y (1) ), where {, 1 }. Ths can be acheved by frst selectng r (0) at random, and then solatng and obtanng r (1) (whch n turn s random n each selecton of b). Smlarly, n case (b), we requre that s (1) s(0) u(1) = u (0) 1, whch s equvalent to s (1) s(0) ( ( r A 0 +r (1) )(γ (1) 1)+(x (1) y (1) ) ) =( r A 1 +r (0) 1 )(γ (0) 1 1)+(x (0) 1 y (0) 1 ), and t s solved as n case (a). For case (c), just takng r (0) and r (1) 1 at random s enough: n those postons the γ-sequences take the value 1 and the randomzaton s lost when consderng u-sequences. The smulator now prepares [ r ] as [(1 b)r(0) + br (1) ] and [ũ ] as [ r ( γ 1)], for all. These encrypted values are broadcast, and the smulator for the prvate-multpler gate s nvoked, wth multplcands [ r ] and [ γ ], and result [(1 b)r (0) γ (0) + br (1) γ (1) ]. The sequence [ũ ] s constructed as n the protocol: [ũ ] = [ũ A ][ũ ][ x ỹ ]. y constructon, t follows that [ũ ] = [(1 b)u (0) + bu (1) ], for all. 4. The smulator lets party A mx the sequence [ũ ], producng a new sequence [ũ ]. The smulator can also extract the permutaton π A that lnks both sequences. 5. Now the smulator randomly selects two ndces, call them ĩ and ĩ, and constructs two permutatons π (0) and π(1) as follows:
11 π (0) (π A( )) = π (1) (π A( 1 )) = ĩ ; π (0) (π A( 1 )) = π (1) (π A( )) = ĩ ; for the remanng postons the permutatons are randomly defned under the condton that π (0) (π A()) = π (1) (π A()), {, 1 }. The next step s to call the smulator of the mx proof dependng on [b], because the smulator wll never know whch permutaton, π (0) actually used. For ths, he constructs the sequences v (j) = u (j) π 1 A (π(j) or π(1), s 1, for ()) j = 0, 1, and then defnes the sequence [ṽ ] = [(1 b)v (0) + bv (1) ], for all. Wth the mxed sequence broadcast by party A n the prevous step and ths last sequence, the smulator now calls the smulator for the mx proof. 6. Party A multples the entre sequence [ṽ ] by a number s A (whch s extracted from the correspondng prvate-multpler proof for [ s A ]), resultng n sequence [ṽ ]. 7. Now the smulator has almost all the work already done. At ths stage he constructs [ s ] = [(1 b)s (0) + bs(1) ], and broadcasts t. Then he constructs the sequence [ w ] = [(1 b)v (0) s A s (0) + bv(1) s A s (1) ]. Note that ṽ = ṽ s A. The prvate-multpler smulator s now nvoked on nputs [ s ] and [ṽ ], and output [ w ]. 8. To smulate the last step, the smulator can lnk back the plantext of encryptons [ w ] by usng permutaton π A π (j), for j = 0, 1; note that the sgn of these values s affected by the factor s A. Thus, w (j) = s A s (j) u(j) π 1 A (π(j) 1, ()) for all, due to the constructon at step 5. Moreover, the plantexts n [w (0) ] and [w (1) ] are equal, as a result of the work of the smulator at step 3. It also follows that w (0) = w (1) = w, ndependently of [b]. Hence, the smulator for the threshold decrypton s called, for nstance, over nputs [ w ] and s A s (0) u(0) π 1 A (π(0) 1. ()) The values generated n ths way by the smulator are consstent, and therefore an adversary cannot statstcally dstngush them from the ones resultng n a real executon. The case when party s corrupted s smlar wth some mnor dfferences, due to the order n whch tasks are executed. Ths completes the proof. 4 Conclusons In ths paper we have presented two new solutons to the nteger comparson problem. Our frst soluton acheves a logarthmc round complexty of exactly log 2 m rounds for m-bt ntegers, whereas the second soluton acheves a constant number of rounds (n the two-party case). In Table 1 we show a comparson
12 Integer Comparson Soluton No. Exponentatons roadcast ts Lnear-depth crcut [ST04] 100m 68m q Logarthmc-depth crcut 150m 102m q Constant-round protocol (two-party) 124m 77m q Table 1. Comparson of dfferent secure solutons for [x > y] between the dfferent solutons presented n ths paper and the lnear-depth crcut of [ST04]. Evdently, gong below O(m) rounds comes at the cost of an ncrease n computatonal and communcaton complexty. For the constant round soluton, the addtonal costs are smaller than for the logarthmc round soluton; however, the logarthmc round soluton also apples to the mult-party case. From a practcal pont of vew, our mult-party logarthmc-depth soluton s very good compared to the known results so far: communcaton and computaton are are only 50% worse than for a lnear-depth soluton. Even though O(1)-round s not acheved ths way, the number of rounds s very low when consderng ntegers x and y of practcal sze, e.g., m = 32 or m = 64, n whch cases the depth s only 5 and 6, respectvely. References [K04] I. lake and V. Kolesnkov. Strong condtonal oblvous transfer and computng on ntervals. In Advances n Cryptology ASIACRYPT 04, volume 3329 of Lecture Notes n Computer Scence, pages , erln, Sprnger-Verlag. [ra06] F. randt. Effcent cryptographc protocol desgn based on dstrbuted El Gamal encrypton. In Informaton Securty and Cryptology - ICISC 2005, volume 3935 of Lecture Notes n Computer Scence, pages Sprnger- Verlag, [CDN01] R. Cramer, I. Damgård, and J.. Nelsen. Multparty computaton from threshold homomorphc encrypton. In Advances n Cryptology EUROCRYPT 01, volume 2045 of Lecture Notes n Computer Scence, pages , erln, Sprnger-Verlag. Full verson eprnt.acr.org/2000/055, October 27, [CDS94] R. Cramer, I. Damgård, and. Schoenmakers. Proofs of partal knowledge and smplfed desgn of wtness hdng protocols. In Advances n Cryptology CRYPTO 94, volume 839 of Lecture Notes n Computer Scence, pages , erln, Sprnger-Verlag. [DFK + 06] I. Damgård, M. Ftz, E. Kltz, J.. Nelsen, and T. Toft. Uncondtonally secure constant-rounds mult-party computaton for equalty, comparson, bts and exponentaton. In Proc. 3rd Theory of Cryptography Conference, TCC 2006, volume 3876 of Lecture Notes n Computer Scence, pages , erln, Sprnger-Verlag. [DN00] I. Damgård and J. Nelsen. Improved non-commttng encrypton schemes based on a general complexty assumpton. In Advances n Cryptology
13 Crypto 2000, volume 1880 of Lecture Notes n Computer Scence, pages Sprnger, [DN03] I. Damgård and J.. Nelsen. Unversally composable effcent multparty computaton from threshold homomorphc encrypton. In Advances n Cryptology CRYPTO 03, volume 2729 of Lecture Notes n Computer Scence, pages , erln, Sprnger-Verlag. [DC00] G. D Crescenzo. Prvate Selectve Payment Protocols. In FC 00: Proc. 4th Internatonal Conference on Fnancal Cryptography, Lecture Notes n Computer Scence, pages 72 89, London, 2001, Sprnger-Verlag. [Fs01] M. Fschln. A cost-effectve pay-per-multplcaton comparson method for mllonares. In Progress n Cryptology CT-RSA 2001, volume 2020 of Lecture Notes n Computer Scence, pages , erln, Sprnger- Verlag. [GMY03] J. Garay, P. MacKenze, and K. Yang. Strengthenng zero-knowledge protocols usng sgnatures. In Advances n Cryptology Eurocrypt 2003, volume 2656, pages Sprnger, [Gro03] J. Groth. A verfable secret shuffle of homomorphc encryptons. In Publc Key Cryptography PKC 03, volume 2567 of Lecture Notes n Computer Scence, pages , erln, Sprnger-Verlag. [Knu97] D. E. Knuth. The Art of Computer Programmng (Vol. 1: Fundamental Algorthms). Addson Wesley, Readng (MA), 3rd edton, [LT05] H. Ln and W. Tzeng. An effcent soluton to the mllonares problem based on homomorphc encrypton. In ACNS 2005, volume 3531 of Lecture Notes n Computer Scence, pages Sprnger-Verlag, [SK95] K. Sako and J. Klan. Recept-free mx-type votng scheme a practcal soluton to the mplementaton of a votng booth. In Advances n Cryptology EUROCRYPT 95, volume 921 of Lecture Notes n Computer Scence, pages , erln, Sprnger-Verlag. [ST04]. Schoenmakers and P. Tuyls. Practcal two-party computaton based on the condtonal gate. In Advances n Cryptology ASIACRYPT 04, volume 3329 of Lecture Notes n Computer Scence, pages , erln, Sprnger-Verlag. [ST06]. Schoenmakers and P. Tuyls. Effcent bnary converson for Paller encryptons. In Advances n Cryptology EUROCRYPT 06, volume 4004 of Lecture Notes n Computer Scence, pages , erln, Sprnger- Verlag. [Yao82] A. Yao. Protocols for secure computatons. In Proc. 23rd IEEE Symposum on Foundatons of Computer Scence (FOCS 82), pages IEEE Computer Socety, 1982.
Luby s Alg. for Maximal Independent Sets using Pairwise Independence
Lecture Notes for Randomzed Algorthms Luby s Alg. for Maxmal Independent Sets usng Parwse Independence Last Updated by Erc Vgoda on February, 006 8. Maxmal Independent Sets For a graph G = (V, E), an ndependent
More informationRecurrence. 1 Definitions and main statements
Recurrence 1 Defntons and man statements Let X n, n = 0, 1, 2,... be a MC wth the state space S = (1, 2,...), transton probabltes p j = P {X n+1 = j X n = }, and the transton matrx P = (p j ),j S def.
More informationAn Interest-Oriented Network Evolution Mechanism for Online Communities
An Interest-Orented Network Evoluton Mechansm for Onlne Communtes Cahong Sun and Xaopng Yang School of Informaton, Renmn Unversty of Chna, Bejng 100872, P.R. Chna {chsun,yang}@ruc.edu.cn Abstract. Onlne
More informationWhat is Candidate Sampling
What s Canddate Samplng Say we have a multclass or mult label problem where each tranng example ( x, T ) conssts of a context x a small (mult)set of target classes T out of a large unverse L of possble
More informationProactive Secret Sharing Or: How to Cope With Perpetual Leakage
Proactve Secret Sharng Or: How to Cope Wth Perpetual Leakage Paper by Amr Herzberg Stanslaw Jareck Hugo Krawczyk Mot Yung Presentaton by Davd Zage What s Secret Sharng Basc Idea ((2, 2)-threshold scheme):
More informationbenefit is 2, paid if the policyholder dies within the year, and probability of death within the year is ).
REVIEW OF RISK MANAGEMENT CONCEPTS LOSS DISTRIBUTIONS AND INSURANCE Loss and nsurance: When someone s subject to the rsk of ncurrng a fnancal loss, the loss s generally modeled usng a random varable or
More informationModule 2 LOSSLESS IMAGE COMPRESSION SYSTEMS. Version 2 ECE IIT, Kharagpur
Module LOSSLESS IMAGE COMPRESSION SYSTEMS Lesson 3 Lossless Compresson: Huffman Codng Instructonal Objectves At the end of ths lesson, the students should be able to:. Defne and measure source entropy..
More informationComplete Fairness in Secure Two-Party Computation
Complete Farness n Secure Two-Party Computaton S. Dov Gordon Carmt Hazay Jonathan Katz Yehuda Lndell Abstract In the settng of secure two-party computaton, two mutually dstrustng partes wsh to compute
More informationA Secure Password-Authenticated Key Agreement Using Smart Cards
A Secure Password-Authentcated Key Agreement Usng Smart Cards Ka Chan 1, Wen-Chung Kuo 2 and Jn-Chou Cheng 3 1 Department of Computer and Informaton Scence, R.O.C. Mltary Academy, Kaohsung 83059, Tawan,
More informationAn Optimally Robust Hybrid Mix Network (Extended Abstract)
An Optmally Robust Hybrd Mx Network (Extended Abstract) Markus Jakobsson and Ar Juels RSA Laboratores Bedford, MA, USA {mjakobsson,ajuels}@rsasecurty.com Abstract We present a mx network that acheves effcent
More informationSupport Vector Machines
Support Vector Machnes Max Wellng Department of Computer Scence Unversty of Toronto 10 Kng s College Road Toronto, M5S 3G5 Canada wellng@cs.toronto.edu Abstract Ths s a note to explan support vector machnes.
More informationExtending Probabilistic Dynamic Epistemic Logic
Extendng Probablstc Dynamc Epstemc Logc Joshua Sack May 29, 2008 Probablty Space Defnton A probablty space s a tuple (S, A, µ), where 1 S s a set called the sample space. 2 A P(S) s a σ-algebra: a set
More informationLogistic Regression. Lecture 4: More classifiers and classes. Logistic regression. Adaboost. Optimization. Multiple class classification
Lecture 4: More classfers and classes C4B Machne Learnng Hlary 20 A. Zsserman Logstc regresson Loss functons revsted Adaboost Loss functons revsted Optmzaton Multple class classfcaton Logstc Regresson
More informationPSYCHOLOGICAL RESEARCH (PYC 304-C) Lecture 12
14 The Ch-squared dstrbuton PSYCHOLOGICAL RESEARCH (PYC 304-C) Lecture 1 If a normal varable X, havng mean µ and varance σ, s standardsed, the new varable Z has a mean 0 and varance 1. When ths standardsed
More informationThe Development of Web Log Mining Based on Improve-K-Means Clustering Analysis
The Development of Web Log Mnng Based on Improve-K-Means Clusterng Analyss TngZhong Wang * College of Informaton Technology, Luoyang Normal Unversty, Luoyang, 471022, Chna wangtngzhong2@sna.cn Abstract.
More informationThe OC Curve of Attribute Acceptance Plans
The OC Curve of Attrbute Acceptance Plans The Operatng Characterstc (OC) curve descrbes the probablty of acceptng a lot as a functon of the lot s qualty. Fgure 1 shows a typcal OC Curve. 10 8 6 4 1 3 4
More informationCompact CCA2-secure Hierarchical Identity-Based Broadcast Encryption for Fuzzy-entity Data Sharing
Compact CCA2-secure Herarchcal Identty-Based Broadcast Encrypton for Fuzzy-entty Data Sharng Weran Lu 1, Janwe Lu 1, Qanhong Wu 1, Bo Qn 2, Davd Naccache 3, and Houda Ferrad 4 1 School of Electronc and
More informationTHE DISTRIBUTION OF LOAN PORTFOLIO VALUE * Oldrich Alfons Vasicek
HE DISRIBUION OF LOAN PORFOLIO VALUE * Oldrch Alfons Vascek he amount of captal necessary to support a portfolo of debt securtes depends on the probablty dstrbuton of the portfolo loss. Consder a portfolo
More information8.5 UNITARY AND HERMITIAN MATRICES. The conjugate transpose of a complex matrix A, denoted by A*, is given by
6 CHAPTER 8 COMPLEX VECTOR SPACES 5. Fnd the kernel of the lnear transformaton gven n Exercse 5. In Exercses 55 and 56, fnd the mage of v, for the ndcated composton, where and are gven by the followng
More informationFrom Selective to Full Security: Semi-Generic Transformations in the Standard Model
An extended abstract of ths work appears n the proceedngs of PKC 2012 From Selectve to Full Securty: Sem-Generc Transformatons n the Standard Model Mchel Abdalla 1 Daro Fore 2 Vadm Lyubashevsky 1 1 Département
More informationProject Networks With Mixed-Time Constraints
Project Networs Wth Mxed-Tme Constrants L Caccetta and B Wattananon Western Australan Centre of Excellence n Industral Optmsaton (WACEIO) Curtn Unversty of Technology GPO Box U1987 Perth Western Australa
More information8 Algorithm for Binary Searching in Trees
8 Algorthm for Bnary Searchng n Trees In ths secton we present our algorthm for bnary searchng n trees. A crucal observaton employed by the algorthm s that ths problem can be effcently solved when the
More informationTracker: Security and Privacy for RFID-based Supply Chains
Tracker: Securty and Prvacy for RFID-based Supply Chans Erk-Olver Blass Kaoutar Elkhyaou Refk Molva EURECOM Sopha Antpols, France {blass elkhyao molva}@eurecom.fr Abstract The counterfetng of pharmaceutcs
More informationA Verifiable Secret Shuffle of Homomorphic. encryptions.
A Verfable Secret Shuffle of Homomorphc Encryptons Jens Groth 1 Department of Computer Scence, UCLA 3531A Boelter Hall Los Angeles, CA 90095-1596 USA jg@cs.ucla.edu Abstract. A shuffle conssts of a permutaton
More informationFully Homomorphic Encryption Scheme with Symmetric Keys
Fully Homomorphc Encrypton Scheme wth Symmetrc Keys A Dssertaton submtted n partal fulfllment for the award of the Degree of Master of Technology n Department of Computer Scence & Engneerng (wth specalzaton
More information1. Fundamentals of probability theory 2. Emergence of communication traffic 3. Stochastic & Markovian Processes (SP & MP)
6.3 / -- Communcaton Networks II (Görg) SS20 -- www.comnets.un-bremen.de Communcaton Networks II Contents. Fundamentals of probablty theory 2. Emergence of communcaton traffc 3. Stochastc & Markovan Processes
More information1 Example 1: Axis-aligned rectangles
COS 511: Theoretcal Machne Learnng Lecturer: Rob Schapre Lecture # 6 Scrbe: Aaron Schld February 21, 2013 Last class, we dscussed an analogue for Occam s Razor for nfnte hypothess spaces that, n conjuncton
More informationInstitute of Informatics, Faculty of Business and Management, Brno University of Technology,Czech Republic
Lagrange Multplers as Quanttatve Indcators n Economcs Ivan Mezník Insttute of Informatcs, Faculty of Busness and Management, Brno Unversty of TechnologCzech Republc Abstract The quanttatve role of Lagrange
More informationRUHR-UNIVERSITÄT BOCHUM
RUHR-UNIVERSITÄT BOCHUM Horst Görtz Insttute for IT Securty Techncal Report TR-HGI-2006-002 Survey on Securty Requrements and Models for Group Key Exchange Mark Manuls Char for Network and Data Securty
More informationHow Sets of Coherent Probabilities May Serve as Models for Degrees of Incoherence
1 st Internatonal Symposum on Imprecse Probabltes and Ther Applcatons, Ghent, Belgum, 29 June 2 July 1999 How Sets of Coherent Probabltes May Serve as Models for Degrees of Incoherence Mar J. Schervsh
More informationMultiplication Algorithms for Radix-2 RN-Codings and Two s Complement Numbers
Multplcaton Algorthms for Radx- RN-Codngs and Two s Complement Numbers Jean-Luc Beuchat Projet Arénare, LIP, ENS Lyon 46, Allée d Itale F 69364 Lyon Cedex 07 jean-luc.beuchat@ens-lyon.fr Jean-Mchel Muller
More informationAn Alternative Way to Measure Private Equity Performance
An Alternatve Way to Measure Prvate Equty Performance Peter Todd Parlux Investment Technology LLC Summary Internal Rate of Return (IRR) s probably the most common way to measure the performance of prvate
More informationFast Variants of RSA
Fast Varants of RSA Dan Boneh dabo@cs.stanford.edu Hovav Shacham hovav@cs.stanford.edu Abstract We survey three varants of RSA desgned to speed up RSA decrypton. These varants are backwards compatble n
More informationv a 1 b 1 i, a 2 b 2 i,..., a n b n i.
SECTION 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS 455 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS All the vector spaces we have studed thus far n the text are real vector spaces snce the scalars are
More informationAN EFFICIENT GROUP AUTHENTICATION FOR GROUP COMMUNICATIONS
Internatonal Journal of Network Securty & Its Applcatons (IJNSA), Vol.5, No.3, May 2013 AN EFFICIENT GROUP AUTHENTICATION FOR GROUP COMMUNICATIONS Len Harn 1 and Changlu Ln 2 1 Department of Computer Scence
More informationUsage of LCG/CLCG numbers for electronic gambling applications
Usage of LCG/CLCG numbers for electronc gamblng applcatons Anders Knutsson Smovts Consultng, Wenner-Gren Center, Sveavägen 166, 113 46 Stockholm, Sweden anders.knutsson@smovts.com Abstract. Several attacks
More informationSecure Network Coding Over the Integers
Secure Network Codng Over the Integers Rosaro Gennaro Jonathan Katz Hugo Krawczyk Tal Rabn Abstract Network codng has receved sgnfcant attenton n the networkng communty for ts potental to ncrease throughput
More informationFeature selection for intrusion detection. Slobodan Petrović NISlab, Gjøvik University College
Feature selecton for ntruson detecton Slobodan Petrovć NISlab, Gjøvk Unversty College Contents The feature selecton problem Intruson detecton Traffc features relevant for IDS The CFS measure The mrmr measure
More informationLecture 2: Single Layer Perceptrons Kevin Swingler
Lecture 2: Sngle Layer Perceptrons Kevn Sngler kms@cs.str.ac.uk Recap: McCulloch-Ptts Neuron Ths vastly smplfed model of real neurons s also knon as a Threshold Logc Unt: W 2 A Y 3 n W n. A set of synapses
More informationEfficient Project Portfolio as a tool for Enterprise Risk Management
Effcent Proect Portfolo as a tool for Enterprse Rsk Management Valentn O. Nkonov Ural State Techncal Unversty Growth Traectory Consultng Company January 5, 27 Effcent Proect Portfolo as a tool for Enterprse
More informationMultiple-Period Attribution: Residuals and Compounding
Multple-Perod Attrbuton: Resduals and Compoundng Our revewer gave these authors full marks for dealng wth an ssue that performance measurers and vendors often regard as propretary nformaton. In 1994, Dens
More informationImplementation of Deutsch's Algorithm Using Mathcad
Implementaton of Deutsch's Algorthm Usng Mathcad Frank Roux The followng s a Mathcad mplementaton of Davd Deutsch's quantum computer prototype as presented on pages - n "Machnes, Logc and Quantum Physcs"
More informationLinear Circuits Analysis. Superposition, Thevenin /Norton Equivalent circuits
Lnear Crcuts Analyss. Superposton, Theenn /Norton Equalent crcuts So far we hae explored tmendependent (resste) elements that are also lnear. A tmendependent elements s one for whch we can plot an / cure.
More informationActivity Scheduling for Cost-Time Investment Optimization in Project Management
PROJECT MANAGEMENT 4 th Internatonal Conference on Industral Engneerng and Industral Management XIV Congreso de Ingenería de Organzacón Donosta- San Sebastán, September 8 th -10 th 010 Actvty Schedulng
More informationComputing Arbitrary Functions of Encrypted Data March 2010 Communications of the ACM
Home» Magazne Archve» 2010» No. 3» Computng Arbtrary Functons of Encrypted Data» Full Text RESEARCH HIGHLIGHTS Computng Arbtrary Functons of Encrypted Data Crag Gentry Communcatons of the ACM Vol. 53 No.
More informationJ. Parallel Distrib. Comput.
J. Parallel Dstrb. Comput. 71 (2011) 62 76 Contents lsts avalable at ScenceDrect J. Parallel Dstrb. Comput. journal homepage: www.elsever.com/locate/jpdc Optmzng server placement n dstrbuted systems n
More informationForecasting the Direction and Strength of Stock Market Movement
Forecastng the Drecton and Strength of Stock Market Movement Jngwe Chen Mng Chen Nan Ye cjngwe@stanford.edu mchen5@stanford.edu nanye@stanford.edu Abstract - Stock market s one of the most complcated systems
More informationCHOLESTEROL REFERENCE METHOD LABORATORY NETWORK. Sample Stability Protocol
CHOLESTEROL REFERENCE METHOD LABORATORY NETWORK Sample Stablty Protocol Background The Cholesterol Reference Method Laboratory Network (CRMLN) developed certfcaton protocols for total cholesterol, HDL
More informationPKIS: practical keyword index search on cloud datacenter
Park et al. EURASIP Journal on Wreless Communcatons and Networkng 20, 20:64 http://jwcn.euraspjournals.com/content/20//64 RESEARCH Open Access PKIS: practcal keyword ndex search on cloud datacenter Hyun-A
More informationFault tolerance in cloud technologies presented as a service
Internatonal Scentfc Conference Computer Scence 2015 Pavel Dzhunev, PhD student Fault tolerance n cloud technologes presented as a servce INTRODUCTION Improvements n technques for vrtualzaton and performance
More information+ + + - - This circuit than can be reduced to a planar circuit
MeshCurrent Method The meshcurrent s analog of the nodeoltage method. We sole for a new set of arables, mesh currents, that automatcally satsfy KCLs. As such, meshcurrent method reduces crcut soluton to
More informationDEFINING %COMPLETE IN MICROSOFT PROJECT
CelersSystems DEFINING %COMPLETE IN MICROSOFT PROJECT PREPARED BY James E Aksel, PMP, PMI-SP, MVP For Addtonal Informaton about Earned Value Management Systems and reportng, please contact: CelersSystems,
More informationOn the Optimal Control of a Cascade of Hydro-Electric Power Stations
On the Optmal Control of a Cascade of Hydro-Electrc Power Statons M.C.M. Guedes a, A.F. Rbero a, G.V. Smrnov b and S. Vlela c a Department of Mathematcs, School of Scences, Unversty of Porto, Portugal;
More informationStatistical Methods to Develop Rating Models
Statstcal Methods to Develop Ratng Models [Evelyn Hayden and Danel Porath, Österrechsche Natonalbank and Unversty of Appled Scences at Manz] Source: The Basel II Rsk Parameters Estmaton, Valdaton, and
More informationConversion between the vector and raster data structures using Fuzzy Geographical Entities
Converson between the vector and raster data structures usng Fuzzy Geographcal Enttes Cdála Fonte Department of Mathematcs Faculty of Scences and Technology Unversty of Combra, Apartado 38, 3 454 Combra,
More information"Research Note" APPLICATION OF CHARGE SIMULATION METHOD TO ELECTRIC FIELD CALCULATION IN THE POWER CABLES *
Iranan Journal of Scence & Technology, Transacton B, Engneerng, ol. 30, No. B6, 789-794 rnted n The Islamc Republc of Iran, 006 Shraz Unversty "Research Note" ALICATION OF CHARGE SIMULATION METHOD TO ELECTRIC
More informationPractical PIR for Electronic Commerce
Practcal PIR for Electronc Commerce Ryan Henry Cherton School of Computer Scence Unversty of Waterloo Waterloo ON Canada N2L 3G1 rhenry@cs.uwaterloo.ca Fem Olumofn Cherton School of Computer Scence Unversty
More informationRequIn, a tool for fast web traffic inference
RequIn, a tool for fast web traffc nference Olver aul, Jean Etenne Kba GET/INT, LOR Department 9 rue Charles Fourer 90 Evry, France Olver.aul@nt-evry.fr, Jean-Etenne.Kba@nt-evry.fr Abstract As networked
More informationLIFETIME INCOME OPTIONS
LIFETIME INCOME OPTIONS May 2011 by: Marca S. Wagner, Esq. The Wagner Law Group A Professonal Corporaton 99 Summer Street, 13 th Floor Boston, MA 02110 Tel: (617) 357-5200 Fax: (617) 357-5250 www.ersa-lawyers.com
More informationBERNSTEIN POLYNOMIALS
On-Lne Geometrc Modelng Notes BERNSTEIN POLYNOMIALS Kenneth I. Joy Vsualzaton and Graphcs Research Group Department of Computer Scence Unversty of Calforna, Davs Overvew Polynomals are ncredbly useful
More informationJoint Scheduling of Processing and Shuffle Phases in MapReduce Systems
Jont Schedulng of Processng and Shuffle Phases n MapReduce Systems Fangfe Chen, Mural Kodalam, T. V. Lakshman Department of Computer Scence and Engneerng, The Penn State Unversty Bell Laboratores, Alcatel-Lucent
More informationA Novel Methodology of Working Capital Management for Large. Public Constructions by Using Fuzzy S-curve Regression
Novel Methodology of Workng Captal Management for Large Publc Constructons by Usng Fuzzy S-curve Regresson Cheng-Wu Chen, Morrs H. L. Wang and Tng-Ya Hseh Department of Cvl Engneerng, Natonal Central Unversty,
More informationBrigid Mullany, Ph.D University of North Carolina, Charlotte
Evaluaton And Comparson Of The Dfferent Standards Used To Defne The Postonal Accuracy And Repeatablty Of Numercally Controlled Machnng Center Axes Brgd Mullany, Ph.D Unversty of North Carolna, Charlotte
More informationTools for Privacy Preserving Distributed Data Mining
Tools for Prvacy Preservng Dstrbuted Data Mnng hrs lfton, Murat Kantarcoglu, Jadeep Vadya Purdue Unversty Department of omputer Scences 250 N Unversty St West Lafayette, IN 47907-2066 USA (clfton, kanmurat,
More informationLoop Parallelization
- - Loop Parallelzaton C-52 Complaton steps: nested loops operatng on arrays, sequentell executon of teraton space DECLARE B[..,..+] FOR I :=.. FOR J :=.. I B[I,J] := B[I-,J]+B[I-,J-] ED FOR ED FOR analyze
More informationCan Auto Liability Insurance Purchases Signal Risk Attitude?
Internatonal Journal of Busness and Economcs, 2011, Vol. 10, No. 2, 159-164 Can Auto Lablty Insurance Purchases Sgnal Rsk Atttude? Chu-Shu L Department of Internatonal Busness, Asa Unversty, Tawan Sheng-Chang
More informationMinimal Coding Network With Combinatorial Structure For Instantaneous Recovery From Edge Failures
Mnmal Codng Network Wth Combnatoral Structure For Instantaneous Recovery From Edge Falures Ashly Joseph 1, Mr.M.Sadsh Sendl 2, Dr.S.Karthk 3 1 Fnal Year ME CSE Student Department of Computer Scence Engneerng
More informationWatermark-based Provable Data Possession for Multimedia File in Cloud Storage
Vol.48 (CIA 014), pp.103-107 http://dx.do.org/10.1457/astl.014.48.18 Watermar-based Provable Data Possesson for Multmeda Fle n Cloud Storage Yongjun Ren 1,, Jang Xu 1,, Jn Wang 1,, Lmng Fang 3, Jeong-U
More informationPOLYSA: A Polynomial Algorithm for Non-binary Constraint Satisfaction Problems with and
POLYSA: A Polynomal Algorthm for Non-bnary Constrant Satsfacton Problems wth and Mguel A. Saldo, Federco Barber Dpto. Sstemas Informátcos y Computacón Unversdad Poltécnca de Valenca, Camno de Vera s/n
More informationHow To Calculate The Accountng Perod Of Nequalty
Inequalty and The Accountng Perod Quentn Wodon and Shlomo Ytzha World Ban and Hebrew Unversty September Abstract Income nequalty typcally declnes wth the length of tme taen nto account for measurement.
More informationForecasting the Demand of Emergency Supplies: Based on the CBR Theory and BP Neural Network
700 Proceedngs of the 8th Internatonal Conference on Innovaton & Management Forecastng the Demand of Emergency Supples: Based on the CBR Theory and BP Neural Network Fu Deqang, Lu Yun, L Changbng School
More informationIdentity-Based Encryption Gone Wild
An extended abstract of ths paper appeared n Mchele Bugles, Bart Preneel, Vladmro Sassone, and Ingo Wegener, edtors, 33rd Internatonal Colloquum on Automata, Languages and Programmng ICALP 2006, volume
More informationCalculation of Sampling Weights
Perre Foy Statstcs Canada 4 Calculaton of Samplng Weghts 4.1 OVERVIEW The basc sample desgn used n TIMSS Populatons 1 and 2 was a two-stage stratfed cluster desgn. 1 The frst stage conssted of a sample
More informationRiposte: An Anonymous Messaging System Handling Millions of Users
Rposte: An Anonymous Messagng System Handlng Mllons of Users Henry Corrgan-Gbbs, Dan Boneh, and Davd Mazères Stanford Unversty Abstract Ths paper presents Rposte, a new system for anonymous broadcast messagng.
More informationSingle and multiple stage classifiers implementing logistic discrimination
Sngle and multple stage classfers mplementng logstc dscrmnaton Hélo Radke Bttencourt 1 Dens Alter de Olvera Moraes 2 Vctor Haertel 2 1 Pontfíca Unversdade Católca do Ro Grande do Sul - PUCRS Av. Ipranga,
More informationSUPPLIER FINANCING AND STOCK MANAGEMENT. A JOINT VIEW.
SUPPLIER FINANCING AND STOCK MANAGEMENT. A JOINT VIEW. Lucía Isabel García Cebrán Departamento de Economía y Dreccón de Empresas Unversdad de Zaragoza Gran Vía, 2 50.005 Zaragoza (Span) Phone: 976-76-10-00
More informationA Novel Multi-factor Authenticated Key Exchange Scheme With Privacy Preserving
A Novel Mult-factor Authentcated Key Exchange Scheme Wth Prvacy Preservng Dexn Yang Guangzhou Cty Polytechnc Guangzhou, Chna, 510405 yangdexn@21cn.com Bo Yang South Chna Agrcultural Unversty Guangzhou,
More informationNordea G10 Alpha Carry Index
Nordea G10 Alpha Carry Index Index Rules v1.1 Verson as of 10/10/2013 1 (6) Page 1 Index Descrpton The G10 Alpha Carry Index, the Index, follows the development of a rule based strategy whch nvests and
More informationCourse outline. Financial Time Series Analysis. Overview. Data analysis. Predictive signal. Trading strategy
Fnancal Tme Seres Analyss Patrck McSharry patrck@mcsharry.net www.mcsharry.net Trnty Term 2014 Mathematcal Insttute Unversty of Oxford Course outlne 1. Data analyss, probablty, correlatons, vsualsaton
More informationAn Analysis of Central Processor Scheduling in Multiprogrammed Computer Systems
STAN-CS-73-355 I SU-SE-73-013 An Analyss of Central Processor Schedulng n Multprogrammed Computer Systems (Dgest Edton) by Thomas G. Prce October 1972 Techncal Report No. 57 Reproducton n whole or n part
More informationA hybrid global optimization algorithm based on parallel chaos optimization and outlook algorithm
Avalable onlne www.ocpr.com Journal of Chemcal and Pharmaceutcal Research, 2014, 6(7):1884-1889 Research Artcle ISSN : 0975-7384 CODEN(USA) : JCPRC5 A hybrd global optmzaton algorthm based on parallel
More information) of the Cell class is created containing information about events associated with the cell. Events are added to the Cell instance
Calbraton Method Instances of the Cell class (one nstance for each FMS cell) contan ADC raw data and methods assocated wth each partcular FMS cell. The calbraton method ncludes event selecton (Class Cell
More informationTraffic State Estimation in the Traffic Management Center of Berlin
Traffc State Estmaton n the Traffc Management Center of Berln Authors: Peter Vortsch, PTV AG, Stumpfstrasse, D-763 Karlsruhe, Germany phone ++49/72/965/35, emal peter.vortsch@ptv.de Peter Möhl, PTV AG,
More informationA DYNAMIC CRASHING METHOD FOR PROJECT MANAGEMENT USING SIMULATION-BASED OPTIMIZATION. Michael E. Kuhl Radhamés A. Tolentino-Peña
Proceedngs of the 2008 Wnter Smulaton Conference S. J. Mason, R. R. Hll, L. Mönch, O. Rose, T. Jefferson, J. W. Fowler eds. A DYNAMIC CRASHING METHOD FOR PROJECT MANAGEMENT USING SIMULATION-BASED OPTIMIZATION
More informationRate Monotonic (RM) Disadvantages of cyclic. TDDB47 Real Time Systems. Lecture 2: RM & EDF. Priority-based scheduling. States of a process
Dsadvantages of cyclc TDDB47 Real Tme Systems Manual scheduler constructon Cannot deal wth any runtme changes What happens f we add a task to the set? Real-Tme Systems Laboratory Department of Computer
More informationA Lyapunov Optimization Approach to Repeated Stochastic Games
PROC. ALLERTON CONFERENCE ON COMMUNICATION, CONTROL, AND COMPUTING, OCT. 2013 1 A Lyapunov Optmzaton Approach to Repeated Stochastc Games Mchael J. Neely Unversty of Southern Calforna http://www-bcf.usc.edu/
More informationA Performance Analysis of View Maintenance Techniques for Data Warehouses
A Performance Analyss of Vew Mantenance Technques for Data Warehouses Xng Wang Dell Computer Corporaton Round Roc, Texas Le Gruenwald The nversty of Olahoma School of Computer Scence orman, OK 739 Guangtao
More informationTexas Instruments 30X IIS Calculator
Texas Instruments 30X IIS Calculator Keystrokes for the TI-30X IIS are shown for a few topcs n whch keystrokes are unque. Start by readng the Quk Start secton. Then, before begnnng a specfc unt of the
More informationProvably Secure Single Sign-on Scheme in Distributed Systems and Networks
0 IEEE th Internatonal Conference on Trust, Securty and Prvacy n Computng and Communcatons Provably Secure Sngle Sgn-on Scheme n Dstrbuted Systems and Networks Jangshan Yu, Guln Wang, and Y Mu Center for
More informationEnterprise Master Patient Index
Enterprse Master Patent Index Healthcare data are captured n many dfferent settngs such as hosptals, clncs, labs, and physcan offces. Accordng to a report by the CDC, patents n the Unted States made an
More informationPeriod and Deadline Selection for Schedulability in Real-Time Systems
Perod and Deadlne Selecton for Schedulablty n Real-Tme Systems Thdapat Chantem, Xaofeng Wang, M.D. Lemmon, and X. Sharon Hu Department of Computer Scence and Engneerng, Department of Electrcal Engneerng
More informationHow To Understand The Results Of The German Meris Cloud And Water Vapour Product
Ttel: Project: Doc. No.: MERIS level 3 cloud and water vapour products MAPP MAPP-ATBD-ClWVL3 Issue: 1 Revson: 0 Date: 9.12.1998 Functon Name Organsaton Sgnature Date Author: Bennartz FUB Preusker FUB Schüller
More informationOpen Access A Load Balancing Strategy with Bandwidth Constraint in Cloud Computing. Jing Deng 1,*, Ping Guo 2, Qi Li 3, Haizhu Chen 1
Send Orders for Reprnts to reprnts@benthamscence.ae The Open Cybernetcs & Systemcs Journal, 2014, 8, 115-121 115 Open Access A Load Balancng Strategy wth Bandwdth Constrant n Cloud Computng Jng Deng 1,*,
More informationProduct-Form Stationary Distributions for Deficiency Zero Chemical Reaction Networks
Bulletn of Mathematcal Bology (21 DOI 1.17/s11538-1-9517-4 ORIGINAL ARTICLE Product-Form Statonary Dstrbutons for Defcency Zero Chemcal Reacton Networks Davd F. Anderson, Gheorghe Cracun, Thomas G. Kurtz
More informationFrequency Selective IQ Phase and IQ Amplitude Imbalance Adjustments for OFDM Direct Conversion Transmitters
Frequency Selectve IQ Phase and IQ Ampltude Imbalance Adjustments for OFDM Drect Converson ransmtters Edmund Coersmeer, Ernst Zelnsk Noka, Meesmannstrasse 103, 44807 Bochum, Germany edmund.coersmeer@noka.com,
More informationData Broadcast on a Multi-System Heterogeneous Overlayed Wireless Network *
JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 24, 819-840 (2008) Data Broadcast on a Mult-System Heterogeneous Overlayed Wreless Network * Department of Computer Scence Natonal Chao Tung Unversty Hsnchu,
More informationBinomial Link Functions. Lori Murray, Phil Munz
Bnomal Lnk Functons Lor Murray, Phl Munz Bnomal Lnk Functons Logt Lnk functon: ( p) p ln 1 p Probt Lnk functon: ( p) 1 ( p) Complentary Log Log functon: ( p) ln( ln(1 p)) Motvatng Example A researcher
More informationHow To Know The Components Of Mean Squared Error Of Herarchcal Estmator S
S C H E D A E I N F O R M A T I C A E VOLUME 0 0 On Mean Squared Error of Herarchcal Estmator Stans law Brodowsk Faculty of Physcs, Astronomy, and Appled Computer Scence, Jagellonan Unversty, Reymonta
More informationA Replication-Based and Fault Tolerant Allocation Algorithm for Cloud Computing
A Replcaton-Based and Fault Tolerant Allocaton Algorthm for Cloud Computng Tork Altameem Dept of Computer Scence, RCC, Kng Saud Unversty, PO Box: 28095 11437 Ryadh-Saud Araba Abstract The very large nfrastructure
More informationCHAPTER 14 MORE ABOUT REGRESSION
CHAPTER 14 MORE ABOUT REGRESSION We learned n Chapter 5 that often a straght lne descrbes the pattern of a relatonshp between two quanttatve varables. For nstance, n Example 5.1 we explored the relatonshp
More information