Ciphers with Arbitrary Finite Domains

John Black (Dept. of Computer Science, University of Nevada, Reno NV 89557, USA) and Phillip Rogaway (Dept. of Computer Science, University of California at Davis, Davis, CA 95616, USA)

Abstract. We explore the problem of enciphering members of a finite set $M$ where $k = |M|$ is arbitrary (in particular, it need not be a power of two). We want to achieve this goal starting from a block cipher (which requires a message space of size $N = 2^n$, for some $n$). We look at a few solutions to this problem, focusing on the case when $M = [0, k-1]$. We see ciphers with arbitrary domains as a worthwhile primitive in its own right, and as a potentially useful one for making higher-level protocols.

Keywords: Ciphers, Modes of Operation, Provable security, Symmetric Encryption.

1 Introduction

A Motivating Example. Consider the following problem: a company wishes to generate distinct and unpredictable ten-digit credit-card numbers. One way to accomplish this involves keeping a history of all previously-issued numbers. But the company wishes to avoid storing a large amount of sensitive information. Another approach is to use some block cipher $E$ under a randomly-selected key $K$ and then issue credit-card numbers $E_K(0), E_K(1), \ldots$. But the domains of contemporary block ciphers are inconvenient for this problem: this company needs distinct numbers in $[0, 10^{10}-1]$ but block ciphers have a domain $[0, 2^n-1]$ for some $n$ such as 64 or 128. Is there an elegant solution to this problem?

Enciphering with Arbitrary Domains. More generally now, we have good tools (block ciphers) to encipher points when the message space $M$ is strings of some particular length, $M = \{0,1\}^n$. But what if you want to encipher a number between one and a million? Or a point in $\mathbb{Z}_N$ or $\mathbb{Z}_N^*$, where $N$ is a 1024-bit number? Or a point from some elliptic-curve group? This paper looks at the question of how to construct ciphers whose domain is not $\{0,1\}^n$.
That is, we are interested in how to make a cipher which has some desired but weird domain: $F : \mathcal{K} \times M \to M$ where $\mathcal{K}$ is the key space and $M$ is the finite message space that we have in mind. A tool from which we may start our construction is a block cipher: a map $E : \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ where $\mathcal{K}$ is the key space and $n$ is the block length. A solution to this problem immediately solves the credit-card problem: for a block cipher $F : \mathcal{K} \times [0, 10^{10}-1] \to [0, 10^{10}-1]$, the company chooses a random $K \in \mathcal{K}$ and issues the (distinct) credit-card numbers $F_K(0), F_K(1), F_K(2), \ldots$, and has only to remember the last value used.

Measuring Success. We would like to make clear right away what is the security goal that we are after. Let's do this by way of an example. Suppose that you want to encipher numbers between one and a million: $M = [1, 10^6]$. Following [2, 7], we imagine two games. In the first game one chooses a random key $K$ from $\mathcal{K}$ and hands to an adversary an oracle $E_K(\cdot)$. In the second game one chooses a random permutation $\pi$ on $[1, 10^6]$ and hands the adversary an oracle for $\pi(\cdot)$. The adversary should be unable to distinguish these two types of oracles without spending a huge amount of time. Note that the domain is so small that the adversary might well ask for the value of the oracle $f(\cdot) \in \{E_K(\cdot), \pi(\cdot)\}$ at every point in the domain. This shouldn't help the adversary win. So, for example, if the adversary asks the value of $E_K(\cdot)$ at all points except 1 and 2 (a total of $10^6 - 2$ points), then the adversary will know what are the two missing numbers, $c_1$ and $c_2$, but the adversary won't be able to ascertain if $E_K(1) = c_1$ and $E_K(2) = c_2$, or if $E_K(1) = c_2$ and $E_K(2) = c_1$, instead.

Our Contributions. Though the problem of enciphering on an arbitrary domain has been considered before [13], here we draw attention to this problem and give the first rigorous treatment, providing a few solutions together with their analyses. Our solutions focus on the case in which the message space is $M = [0, k-1]$, though we sketch extensions to some other message spaces, like $\mathbb{Z}_{pq}$ and common elliptic-curve groups. Our first method assumes that we have a block cipher $E$ that acts on $N = 2^n$ points, where $N \ge k$. To encipher $M = [0, k-1]$ one just enciphers these points with block cipher $E$ and uses the ordering of $E_K(0), E_K(1)$, up to $E_K(k-1)$ to name the desired permutation on $[0, k-1]$. This method is computationally reasonable only for small $k$, such as $k < 2^{30}$.
A second method, similar to known techniques used in other settings, enciphers a message $m \in M$ by repeatedly applying the block cipher, starting at $m$, until one gets back to a point in $M$. (Assume once again that $N \ge k$.) This method is good if $M$ is dense in the domain of the block cipher, $\{0,1\}^n$. So, for example, one can use this method to encipher a string in $\mathbb{Z}_N$, where $N$ is a 1024-bit number, using a block cipher with block length of 1024 bits. (A block cipher with a long block length, like this, can be constructed from a standard block cipher by following works like [3, 9, 11].) This construction has been suggested before [13]; our main contribution here is the analysis of the construction.

A final method which we look at chooses an $a, b$ where $ab \ge k$ and performs a Feistel construction on the message $m$, but uses a left-hand side in $\mathbb{Z}_a$ and a right-hand side in $\mathbb{Z}_b$. Our analysis of this is an adaptation of Luby and Rackoff's [9]. This method can be quite efficient, though the proven bounds are weak when the message space is small (e.g., $k < 2^{128}$). With each of our ciphers we provide a deciphering algorithm, though this may not be required in all domains (e.g., in our credit-card example above).

Note that the three methods above solve our problem for small and large domains, but there is a gap which remains: intermediate-sized values where our first method requires too much space and time, our second method requires too many block-cipher invocations, and our third method may work but the bound is too weak. This gap occurs roughly from $k = 2^{30}$ up to about $k = 2^{60}$, depending on your point of view. Our credit-card example ($k = 10^{10}$) falls into this gap. This problem remains open.

Why Ciphers on Non-Standard Sets? Popular books on cryptography speak of enciphering the points in the message space $M$, whatever that message space may be, but few seem to have thought much about how to actually do this when the message space is something other than a set of bit strings, often of one particular length. This omission is no doubt due to the fact that it is usually fine to embed the desired message space into a larger one, using some padding method, and then apply a standard construction to encipher in the larger space. For example, suppose you want to encipher a random number $m$ between one and a million. Your tool is a 128-bit block cipher $E$. You could encode $m$ as a 128-bit string $M$ by writing $m$ using 20 bits, prepending 108 zero-bits, and computing $C = E_K(M)$. Ignoring the fact that the ciphertext $C$ wastes 108 bits, this method is usually fine. But not always. One problem with the method above is that it allows one to tell if a candidate key $K$ might have been used to produce $C$. To illustrate the issue, suppose that the key space is small, say $|\mathcal{K}| = 2^{30}$. Suppose the adversary sees a point $C = E_K(M)$. Then the adversary has everything she needs to decrypt ciphertext $C = E_K(M)$: she just tries all keys $K \in \mathcal{K}$ until she finds one for which $E^{-1}_K(C)$ begins with 108 zeros. This is almost certainly the right key. The objection that we shouldn't have used a small key space is not a productive one if the point of our efforts was to make do with a small key space. If we had used a cipher with message space $M = [1, 10^6]$ we would not have had this problem.
Every ciphertext $C$, under every possible key $K$, would correspond to a valid message $M$. The ciphertext would reveal nothing about which key had been used. Of course there are several other solutions to the problem we have described, but many of them have difficulties of their own. Suppose, for example, that one pads with random bits instead of zero bits. This is better, but still not perfect: in particular, an adversary can tell that a candidate key $K$ could not have been used to encipher $M$ if decrypting $C$ under $K$ yields a final 20 bits whose decimal value exceeds 1,000,000. If one had 1,000 ciphertexts of random plaintexts enciphered in the manner we have described, the adversary could, once again, usually determine the correct key.

As a more realistic example related to that above, consider the Bellovin-Merritt EKE protocol [4]. This entity-authentication protocol is designed to defeat password-guessing attacks. The protocol involves encrypting, under a possibly weak password $K$, a string $g^x \bmod p$, where $p$ is a large prime number and $g$ is a generator of $\mathbb{Z}_p^*$. In this context it is crucial that from the resulting ciphertext $C$ one cannot ascertain if a candidate password $K$ could possibly have produced the ciphertext $C$. This can be easily and efficiently done by enciphering with message space $M = \mathbb{Z}_p^*$. Ordinary encryption methods won't work.

Another problem with ciphertext expansion occurs when we are constrained by an existing record format: suppose we wish to encrypt a set of fields in a database, but the cost of changing the record size is prohibitive. Using a cipher whose domain is the set of values for the existing fields allows some measure of added security without requiring a complete restructuring of the database. And if the data have additional restrictions beyond size (e.g., the fields must contain printable characters), we can further restrict the domain as needed.

In addition to these (modest) applications, the question is interesting from a theoretical standpoint: how can we construct new ciphers from existing ones? In particular, can we construct ciphers with arbitrary domains without resorting to creating new ciphers from scratch? It certainly feels like there should be a good way to construct a block cipher on 32 bits given a block cipher on 64 bits, but, even for this case, no one knows how to do this in a practical manner with good security bounds.

Related Work. We assume that one has in hand a good block cipher for any desired block length. Since standard block ciphers come only in convenient block lengths, such as $n = 128$, here are some ways that one might create a block cipher for some non-standard block length. First, one could construct the block cipher from scratch. But it is probably better to start with a well-studied primitive like SHA-1 or AES. These could then be used within a balanced Feistel network [14], which creates a block cipher for any (even) block length $2n$, starting with something that behaves as a pseudorandom function (PRF) from $n$ bits to $n$ bits. Luby and Rackoff [9] give quantitative bounds on the efficacy of this construction (when using three and four rounds), and their work has spawned much related analysis, too.
Naor and Reingold [11] provide a different construction which extends a block cipher on $n$ bits to a block cipher on any multiple of $2n$ bits. A variation on their construction due to Patel, Ramzan and Sundaram [12] yields a cipher on any multiple of $n$ bits. Lucks [10] generalizes Luby-Rackoff to consider a three-round unbalanced Feistel network, using hash functions for round functions. This yields a block cipher for any given length $N$ starting with a PRF from $r$ bits to $l$ bits and another from $l$ bits to $r$ bits, where $l + r = N$. Starting from an $n$-bit block cipher, Bellare and Rogaway [3] construct and analyze a length-preserving cipher with domain $\{0,1\}^{\ge n}$. This is something more than making a block cipher on arbitrary $N \ge n$ bits. Anderson and Biham [1] provide two constructions for a block cipher (BEAR and LION) which use a hash function and a stream cipher. This again uses an unbalanced Feistel network. It is unclear how to make any of the constructions above apply to message spaces which are not sets of strings. Probably several of the constructions can be modified, and in multiple ways, to deal with a message space $M = [0, k-1]$, or with other message spaces.

The Hasty Pudding Cipher of Schroeppel and Orman [13] is a block cipher which works on any domain $[0, k-1]$. They use what is essentially Method 2, internally iterating the cipher until a proper domain point is reached. Schroeppel believes that the idea underlying this method dates back to the rotor machines used in the early 1900's. Our notion of a pseudorandom function is due to Goldreich, Goldwasser and Micali [6]. Pseudorandom permutations are defined and constructed by Luby and Rackoff [9]. We use the adaptation of these notions to deal with finite objects, which first appears in Bellare, Kilian and Rogaway [2].

2 Preliminaries

Notation. If $A$ and $B$ are sets then $\mathrm{Rand}(A, B)$ is the set of all functions from $A$ to $B$. If $A$ or $B$ is a positive number, $n$, then the corresponding set is $[0, n-1]$. We write $\mathrm{Perm}(A)$ to denote the set of all permutations on the set $A$, and if $n$ is a positive number then the set is assumed to be $[0, n-1]$. By $x \xleftarrow{R} A$ we denote the experiment of choosing a random element from $A$. A function family is a multiset $F = \{f : A \to B\}$, where $A, B \subseteq \{0,1\}^*$. Each element $f \in F$ has a name $K$, where $K \in \mathrm{Key}$. So, equivalently, a function family $F$ is a function $F : \mathrm{Key} \times A \to B$. We call $A$ the domain of $F$ and $B$ the range of $F$. The first argument to $F$ will be written as a subscript. A cipher is a function family $F : \mathrm{Key} \times A \to A$ where $F_K(\cdot)$ is always a permutation; a block cipher is a function family $F : \mathrm{Key} \times \{0,1\}^n \to \{0,1\}^n$ where $F_K(\cdot)$ is always a permutation. An ideal block cipher is a block cipher in which each permutation on $\{0,1\}^n$ is realized by exactly one $K \in \mathrm{Key}$. An adversary is an algorithm with an oracle. The oracle computes some function. We write $A^{f(\cdot)}$ to indicate an adversary $A$ with oracle $f(\cdot)$. Adversaries are assumed to never ask a query outside the domain of the oracle, and to never repeat a query. Let $F : \mathrm{Key} \times A \to B$ be a function family and let $A$ be an adversary.
In this paper, we measure security as the maximum advantage obtainable by some adversary; we use the following statistical measures:

$$\mathrm{Adv}^{\mathrm{prf}}_F(A) \stackrel{\mathrm{def}}{=} \Pr[f \xleftarrow{R} F : A^{f(\cdot)} = 1] - \Pr[R \xleftarrow{R} \mathrm{Rand}(A, B) : A^{R(\cdot)} = 1],$$

and when $A = B$,

$$\mathrm{Adv}^{\mathrm{prp}}_F(A) \stackrel{\mathrm{def}}{=} \Pr[f \xleftarrow{R} F : A^{f(\cdot)} = 1] - \Pr[\pi \xleftarrow{R} \mathrm{Perm}(A) : A^{\pi(\cdot)} = 1].$$

Useful Facts. It is often convenient to replace random permutations with random functions, or vice versa. The following proposition lets us easily do this. For a proof see Proposition 2.5 in [2].

Lemma 1. [PRF/PRP Switching] Fix $n \ge 1$. Let $A$ be an adversary that asks at most $p$ queries. Then

$$\left|\Pr[\pi \xleftarrow{R} \mathrm{Perm}(n) : A^{\pi(\cdot)} = 1] - \Pr[\rho \xleftarrow{R} \mathrm{Rand}(n, n) : A^{\rho(\cdot)} = 1]\right| \le \frac{p^2}{2^{n+1}}.$$

Algorithm Init Pix_K
  for j ← 0 to k−1 do I_j ← E_K(j)
  for j ← 0 to k−1 do J_j ← Ord(I_j, {I_j}_{j ∈ [0,k−1]})
  for j ← 0 to k−1 do L_{J_j} ← j
Algorithm Pix_K(m)
  return J_m
Algorithm Pix^{-1}_K(m)
  return L_m

Fig. 1. Algorithms for the Prefix Cipher. First the initialization algorithm Init Pix_K is run. Then encipher with Pix_K(m) and decipher with Pix^{-1}_K(m).

3 Method 1: Prefix Cipher

Fix some integer $k$ and let $M$ be the set $[0, k-1]$. Our goal is to build a cipher with domain $M$. Our first approach is a simple, practical method for small values of $k$. We name this cipher Pix. Our cipher will use some existing block cipher $E$ with keyspace $\mathcal{K}$ and whose domain is a superset of $M$. The key space for Pix will also be $\mathcal{K}$. To compute $\mathrm{Pix}_K(m)$ for some $m \in M$ and $K \in \mathcal{K}$ we first compute the tuple $I = (E_K(0), E_K(1), \ldots, E_K(k-1))$. Since each element of $I$ is a distinct string, we may replace each element in $I$ with its ordinal position (starting from zero) to produce tuple $J$. And now to encipher any $m \in M$ we compute $\mathrm{Pix}_K(m)$ as simply the $m$-th component of $J$ (again counting from zero). The enciphering and deciphering algorithms are given in Figure 1.

Example. Suppose we wish to encipher $M = \{0, 1, 2, 3, 4\}$. We choose some random key $K$ for some block cipher $E$. Let's assume $E$ is an 8-bit ideal block cipher; therefore $E_K$ is a uniformly chosen random permutation on $[0, 255]$. Next we encipher each element of $M$. Let's say $E_K(0) = 166$, $E_K(1) = 6$, $E_K(2) = 130$, $E_K(3) = 201$, and $E_K(4) = 78$. So our tuple $I$ is $(166, 6, 130, 201, 78)$ and $J$ is $(3, 0, 2, 4, 1)$. We are now ready to encipher any $m \in M$: we return the $m$-th element from $J$, counting from zero. For example we encipher 0 as 3, and 1 as 0, etc.

Analysis. Under the assumption that our underlying block cipher $E$ is ideal, the ordering of $I$ is equally likely to be any of the permutations on $M$. The proof of this fact is trivial and is omitted. The method remains good when $E$ is secure in the sense of a PRP. The argument is standard and is omitted.

Practical Considerations. Enciphering and deciphering are constant-time operations. The cost here is $O(k)$ time and space used in the initialization step. This clearly means that this method is practical only for small values of $k$. A further practical consideration is that, although this initialization is a one-time cost, it results in a table of sensitive data which must be stored somewhere.

Algorithm Cy_K(m)
  c ← E_K(m)
  if c ∈ M return c else return Cy_K(c)
Algorithm Cy^{-1}_K(m)
  c ← E^{-1}_K(m)
  if c ∈ M return c else return Cy^{-1}_K(c)

Fig. 2. Algorithms for the Cycle-Walking Cipher. We encipher with Cy_K(·) and decipher with Cy^{-1}_K(·).

4 Method 2: Cycle-Walking Cipher

This next method uses a block cipher whose domain is larger than $M$, and then handles those cases where a point is out of range. Again we fix an integer $k$, let $M$ be the set $[0, k-1]$, and devise a method to encipher $M$. Let $N$ be the smallest power of 2 larger than or equal to $k$, let $n$ be $\lg N$, and let $E_K(\cdot)$ be an $n$-bit block cipher. We construct the block cipher $\mathrm{Cy}_K$ on the set $M$ by computing $c = E_K(m)$ and iterating if $c \notin M$. The enciphering and deciphering algorithms are shown in Figure 2.

Example. Let $M = [0, 10^6]$. Then $N = 2^{20}$ and so $n = 20$. We use some known method to build a 20-bit block cipher $E_K(\cdot)$ on the set $T = [0, 2^{20}-1]$. Now suppose we wish to encipher the point $m = 314159$; we compute $c_1 = E_K(314159)$, which yields some number $c_1$ in $T$. Suppose $c_1 \notin M$; we then iterate by computing $c_2 = E_K(c_1)$, which is, say, 1729. Since $c_2 \in M$, we output 1729 as $\mathrm{Cy}_K(314159)$. Decipherment is simply the reverse of this procedure.

Analysis. Let's view the permutation $E_K(\cdot)$ as a family of cycles: any point $m \in M$ lies on some cycle, and repeated applications of $E_K(\cdot)$ can be viewed as a particle walking along the cycle, starting at $m$. In fact, we can now think of our construction as follows: to encipher any point $m \in M$, walk along the cycle containing $m$ until you encounter some point $c \in M$. Then $c = \mathrm{Cy}_K(m)$. Of course this method assumes that one can efficiently test for membership in $M$. This is trivial for our case when $M = [0, k-1]$, but might not be for other sets. Now we may easily see that $\mathrm{Cy}_K(\cdot)$ is well-defined: given any point $m \in M$, if we apply $E_K(\cdot)$ enough times, we will arrive at a point in $M$. This is because walking on $m$'s cycle must eventually arrive back at some point in $M$, even if that point is $m$ itself.

We can also see that $\mathrm{Cy}_K(\cdot)$ is invertible since inverting $\mathrm{Cy}_K(m)$ is equivalent to walking backwards on $m$'s cycle until finding some element in $M$. Therefore, we know $\mathrm{Cy}_K(\cdot)$ is a permutation on $M$. However the question arises, how much security do we lose in deriving this permutation? The fortunate answer is, nothing.

Theorem 1. [Security of Cycle-Walking Cipher] Fix $k \ge 1$ and let $M = [0, k-1]$. Let $E_K(\cdot)$ be an ideal block cipher on the set $T$ where $M \subseteq T$. Choose a key $K$ uniformly at random and then construct $\mathrm{Cy}_K(\cdot)$ using $E_K(\cdot)$. Then $\mathrm{Cy}_K(\cdot)$ is a uniform random permutation on $M$.
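Methods 1 and 2 above, worked as one runnable Python example added here (not code from the paper): a toy $n$-bit block cipher built as a four-round balanced Feistel network with HMAC-SHA256 round functions stands in for the paper's ideal block cipher $E_K$ (that construction, the key bytes and the sample values are assumptions of this example), and on top of it sit the Prefix Cipher Pix of Figure 1 and the Cycle-Walking Cipher Cy of Figure 2 with their deciphering directions; the block cipher counts its invocations so the "expected two calls" remark following Theorem 1 can be observed.

```python
import hashlib
import hmac


def _prf(key: bytes, round_no: int, x: int, bits: int) -> int:
    """Keyed PRF from bits-bit integers to bits-bit integers (HMAC-SHA256, truncated)."""
    msg = bytes([round_no]) + x.to_bytes((bits + 7) // 8, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") & ((1 << bits) - 1)


class ToyBlockCipher:
    """Stand-in for the paper's n-bit block cipher E_K: a 4-round balanced Feistel network
    on two n/2-bit halves (n even). Counts invocations so cycle-walking cost is visible."""

    ROUNDS = 4

    def __init__(self, key: bytes, n: int):
        if n % 2:
            raise ValueError("balanced Feistel needs an even block length")
        self.key, self.n, self.half = key, n, n // 2
        self.mask = (1 << self.half) - 1
        self.calls = 0

    def encrypt(self, m: int) -> int:
        self.calls += 1
        L, R = m >> self.half, m & self.mask
        for j in range(self.ROUNDS):
            L, R = R, L ^ _prf(self.key, j, R, self.half)
        return (L << self.half) | R

    def decrypt(self, c: int) -> int:
        self.calls += 1
        L, R = c >> self.half, c & self.mask
        for j in reversed(range(self.ROUNDS)):
            L, R = R ^ _prf(self.key, j, L, self.half), L
        return (L << self.half) | R


def block_length_for(k: int) -> int:
    """n = lg N for the smallest power of two N >= k, rounded up to even for the toy cipher."""
    n = max(1, (k - 1).bit_length())
    return n + (n % 2)


class PrefixCipher:
    """Method 1 (Pix): rank the values E_K(0), ..., E_K(k-1); Pix_K(m) is the rank of E_K(m)."""

    def __init__(self, E: ToyBlockCipher, k: int):
        if k > (1 << E.n):
            raise ValueError("the block cipher's domain must be a superset of M")
        I = [E.encrypt(j) for j in range(k)]           # the tuple I of Section 3
        order = sorted(range(k), key=I.__getitem__)     # indices sorted by their I value
        self.J = [0] * k                                # J[j] = ordinal position of I[j]
        self.L = [0] * k                                # inverse table, L[J[j]] = j
        for rank, j in enumerate(order):
            self.J[j], self.L[rank] = rank, j

    def encipher(self, m: int) -> int:
        return self.J[m]

    def decipher(self, c: int) -> int:
        return self.L[c]


class CycleWalkingCipher:
    """Method 2 (Cy): apply E_K until the walk lands back in M = [0, k-1]."""

    def __init__(self, E: ToyBlockCipher, k: int):
        if k > (1 << E.n):
            raise ValueError("the block cipher's domain must be a superset of M")
        self.E, self.k = E, k

    def encipher(self, m: int) -> int:
        c = self.E.encrypt(m)
        while c >= self.k:              # out of range: keep walking m's cycle forwards
            c = self.E.encrypt(c)
        return c

    def decipher(self, c: int) -> int:
        m = self.E.decrypt(c)
        while m >= self.k:              # walk the cycle backwards
            m = self.E.decrypt(m)
        return m


def is_permutation(cipher, k: int) -> bool:
    """Exhaustive check: cipher is a bijection on [0, k-1] and decipher is its inverse."""
    images = [cipher.encipher(m) for m in range(k)]
    return (sorted(images) == list(range(k))
            and all(cipher.decipher(images[m]) == m for m in range(k)))


if __name__ == "__main__":
    key = b"constructed demo key"                         # constructed, not from the paper
    pix = PrefixCipher(ToyBlockCipher(key, 8), 5)         # the paper's 8-bit, k = 5 example
    cy = CycleWalkingCipher(ToyBlockCipher(key, 20), 10**6 + 1)   # M = [0, 10^6], n = 20
    print("Pix J table:", pix.J, "| Cy(314159) =", cy.encipher(314159),
          "| E calls used:", cy.E.calls)
```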

Proof. Fix some permutation $\pi$ on the set $M$. We will show that an equal number of keys $K$ will give rise to $\pi$; this will imply the theorem. We proceed by induction, showing that the number of permutations on $\{0, \ldots, k-1, x\}$ which give rise under our construction to $\pi$ is constant. Since $M \subseteq T$ we can repeatedly add all elements $x \in T - M$ while maintaining that the number of permutations which give rise to $\pi$ is constant. Decompose $\pi$ into $r$ cycles of lengths $l_1, l_2, \ldots, l_r$. We count the number of ways to insert the new element $x$. There are $l_i$ ways to insert $x$ into the $i$-th orbit corresponding to the $i$-th cycle, and one way to insert $x$ into a new orbit of its own (i.e., the permutation which fixes $x$). Therefore there are $\sum_{i=1}^r l_i + 1 = k + 1$ ways to add element $x$ to $\pi$ yielding a permutation which will give rise to $\pi$ by repeated iterations. This holds no matter what $\pi$ we choose. Let $|T| = t$. Then by induction we see that there are exactly $t!/k!$ keys $K$ under which our construction reduces $E_K(\cdot)$ to $\pi$.

Similar to the Prefix Cipher, our construction has retained all of the security of the underlying block cipher. Theorem 1 is an information-theoretic result. Passing to the corresponding complexity-theoretic result is standard. Because no security is lost in the information-theoretic setting, and because we apply $E$ an expected two times (or fewer), an adversary's maximal advantage to distinguish $E_K(\cdot)$ from a random permutation of $\mathbb{Z}_{2^n}$ in expected time $2t$ approximately upper bounds an adversary's maximal advantage to distinguish $\mathrm{Cy}_K(\cdot)$ from a random permutation on $M$ in time $t$.

5 Method 3: Generalized-Feistel Cipher

Our final method works as follows: we decompose all the numbers in $M$ into pairs of similarly sized numbers and then apply the well-known Feistel construction [14] to produce a cipher. Again we fix an integer $k$, let $M$ be the set $[0, k-1]$, and devise a method to encipher $M$. We call our cipher $\mathrm{Fe}[r, a, b]$ where $r$ is the number of rounds we use in our Feistel network and $a$ and $b$ are positive numbers such that $ab \ge k$. We use $a$ and $b$ to decompose any $m \in M$ into two numbers for use as the inputs into the network.
Within the network we use $r$ random functions $F_1, \ldots, F_r$ whose ranges contain $M$. The algorithms to encipher and decipher are given in Figure 3. Notice that if using the Feistel construction results in a number not in $M$, we iterate just as we did for the Cycle-Walking Cipher.

Algorithm Fe[r, a, b]_K(m)
  c ← fe[r, a, b]_K(m)
  if c ∈ M return c else return Fe[r, a, b]_K(c)
Algorithm fe[r, a, b]_K(m)
  L ← m mod a; R ← ⌊m/a⌋
  for j ← 1 to r do
    if (j is odd) then tmp ← (L + F_j(R)) mod a
    else tmp ← (L + F_j(R)) mod b
    L ← R; R ← tmp
  if (r is odd) then return aL + R else return aR + L
Algorithm Fe[r, a, b]^{-1}_K(m)
  c ← fe[r, a, b]^{-1}_K(m)
  if c ∈ M return c else return Fe[r, a, b]^{-1}_K(c)
Algorithm fe[r, a, b]^{-1}_K(m)
  if (r is odd) then R ← m mod a; L ← ⌊m/a⌋
  else L ← m mod a; R ← ⌊m/a⌋
  for j ← r down to 1 do
    if (j is odd) then tmp ← (R − F_j(L)) mod a
    else tmp ← (R − F_j(L)) mod b
    R ← L; L ← tmp
  return aR + L

Fig. 3. Algorithms for the Generalized-Feistel Cipher. We encipher with Fe[r, a, b]_K(·) and decipher with Fe[r, a, b]^{-1}_K(·). Here a and b are the numbers used to bijectively map all m ∈ M into L and R, and r is the number of rounds of Feistel we will apply. The key K is implicitly used to select the r functions F_1, ..., F_r.

Example. In order to specify some particular $\mathrm{Fe}[r, a, b]_K(\cdot)$ we must specify the numbers $a$ and $b$, the number of Feistel rounds $r$, and the choice of underlying functions $F_1, \ldots, F_r$ we will use. As a concrete example, let's take $k = 2^{35}$, $r = 3$, and $a = 185360$ and $b =$ (methods for finding $a$ and $b$ will be discussed later). Note that $ab \ge k$ as required. Since $ab$ is larger than $k$, our Feistel construction will be on the set $M' = [0, (2^{35}-1) + (ab-k)] = [0, ab-1]$, meaning there are $ab - k$ values which are in $M' - M$ for which we will have to iterate (just as we did for the Cycle-Walking Cipher). Let's use DES with independent keys as our underlying PRFs. DES is a 64-bit cipher which uses a 56-bit key; we will regard the 64-bit strings on which DES operates as integers in the range $[0, 2^{64}-1]$ in the natural way. We need three PRFs so our key $K = K_1 K_2 K_3$ will be $3 \cdot 56 = 168$ bits. Now to compute $\mathrm{Fe}[3, a, b](m)$ we compute $L = m \bmod 185360$, and $R = \lfloor m/185360 \rfloor$, and then perform three rounds of Feistel using $\mathrm{DES}_{K_1}(\cdot)$, $\mathrm{DES}_{K_2}(\cdot)$, and $\mathrm{DES}_{K_3}(\cdot)$ as our underlying PRFs. The first round results in $L \leftarrow \lfloor m/185360 \rfloor$ and $R \leftarrow (m \bmod 185360 + \mathrm{DES}_{K_1}(\lfloor m/185360 \rfloor)) \bmod 185360$, and so on.

Analysis. First we note that $\mathrm{Fe}[r, a, b](\cdot)$ is a permutation: it is well-known that the Feistel construction produces a permutation, and we showed previously that iterating any permutation is a permutation. We now analyze how good this Generalized-Feistel Cipher is for the three-round case. Assuming the underlying functions $F_1$, $F_2$, and $F_3$ used in our construction are truly random functions, we will compare how close $\mathrm{Fe}[3, a, b](\cdot)$ is to a truly random permutation. Passing to the complexity-theoretic setting is then standard, and therefore omitted.

Theorem 2. [Security of Generalized-Feistel Cipher] Fix $k \ge 1$ and let $M = [0, k-1]$. Fix two numbers $a, b > 0$ such that $ab \ge k$, and call $ab - k$ the slack. Fix an $n$ such that $2^n > a$ and $2^n > b$. Let $D$ be an adversary which asks $q$ queries of her oracle. Then

$$\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{Fe}}(D) = \Pr[F_1, F_2, F_3 \xleftarrow{R} \mathrm{Rand}(2^n, 2^n) : D^{\mathrm{Fe}[3,a,b](\cdot)} = 1] - \Pr[\rho \xleftarrow{R} \mathrm{Rand}(k, k) : D^{\rho(\cdot)} = 1] \le \frac{(q + ab - k)^2}{2^{n+1}} \left( \lceil 2^n/a \rceil + \lceil 2^n/b \rceil \right).$$

The proof is an adaptation of Luby's analysis from Lecture 13 of [8], which is in turn based on [9]. It can be found in Appendix A. Finally, we must adjust this bound to account for the fact that we have compared $\mathrm{Fe}[3, a, b]_K(\cdot)$ with a random function instead of a random permutation. We can invoke Lemma 1 which gives us a final bound quantifying the quality of our construction:

$$\mathrm{Adv}^{\mathrm{prp}}_{\mathrm{Fe}}(D) = \Pr[F_1, F_2, F_3 \xleftarrow{R} \mathrm{Rand}(2^n, 2^n) : D^{\mathrm{Fe}[3,a,b](\cdot)} = 1] - \Pr[\pi \xleftarrow{R} \mathrm{Perm}(k) : D^{\pi(\cdot)} = 1] \le \frac{(q + ab - k)^2 + q^2}{2^{n+1}} \left( \lceil 2^n/a \rceil + \lceil 2^n/b \rceil \right).$$

6 Discussion

Prefix Cipher. Our first method, the Prefix Cipher, is useful only for suitably small $k$. Since enciphering one point requires enciphering all $k$ points in $[0, k-1]$, many applications would find this prohibitively expensive for all but fairly small values of $k$.

Cycle-Walking Cipher. Our second method, the Cycle-Walking Cipher, can be quite practical. If $k$ is just smaller than some power of 2, the number of points we have to walk through during any given encipherment is correspondingly small. In the worst case, however, $k$ is one larger than a power of 2, and (with extremely bad luck) might require $k$ calls to the underlying block cipher to encipher just one point. But if the underlying block cipher is good we require, in the worst case, an expected two calls to it in order to encipher and decipher any point.

Generalized-Feistel Cipher. To get the best bound we should select $a$ and $b$ such that these numbers are somewhat close together and such that $ab - k$ is small. One obvious technique is to try numbers near $\sqrt{k}$; for example, taking $a = b = \lceil \sqrt{k} \rceil$ means that $ab - k$ will never be more than $2\sqrt{k} + 1$. But often one can do better. Another way to improve the bound is to ensure $n$ is suitably large. The tail effects spoken of in the proof are diminished as $n$ grows (because as $2^n$ gets larger, $\lceil 2^n/a \rceil / 2^n$ gets closer to $1/a$).

The One-Off Construction. Another method, not mentioned above, works well for domains which are one element larger than a domain we can accommodate efficiently. Say we have a cipher $E$ with domain $[0, k-1]$ and we wish to construct a cipher $E'$ with domain $[0, k]$. We choose a key $K' = \{K, r\}$ for $E'$ by choosing a key $K$ for $E$ and a random number $r \in [0, k]$. We then compute $E'_{K'}(X)$ as follows:

$$E'_{K'}(X) = \begin{cases} r & \text{if } X = k \\ k & \text{if } X = E^{-1}_K(r) \\ E_K(X) & \text{otherwise} \end{cases}$$

The security of this construction is tightly related to the security of $E$ and the method for selecting $r$. The analysis is omitted. Of course we can use this method to repeatedly extend the domain of any cipher to the size of choice, but for most settings it is impractical to do this more than a few times. A typical method for generating $r$ would be to take $r = E_{K''}(0) \bmod (k+1)$ where $K''$ is a new randomly-selected key. The tail effect here is not too bad, but will cause a rapid deterioration of the security bound when used too often. Also, the scheme begins to become quite inefficient when we extend the domain in this way too many times.

Other Domains. Though we have spoken in terms of the domain $[0, k-1]$, the same methods work for other domains, too. For example, to encipher in $\mathbb{Z}_N^*$, where $N = pq$ is a 1024-bit product of two primes, one can use either cycle-walking or the generalized-Feistel construction, iterating in the highly unlikely event that a point is in $\mathbb{Z}_N$ but not in $\mathbb{Z}_N^*$. We may also use our methods to encipher points from an elliptic curve group (EC group).
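$\mathrm{Fe}[r, a, b]$ of Figure 3 together with the One-Off Construction above, as one added Python example that is not the paper's code: HMAC-SHA256 under the key replaces the round functions $F_j$ (the paper's example uses DES under independent keys; that substitution, the key bytes and the sample points are assumptions here), the Discussion's choice $a = b = \lceil \sqrt{k} \rceil$ is implemented for the $k = 2^{35}$ example, and $E'$ is built on top of the resulting cipher so both constructions can be checked to be permutations.

```python
import hashlib
import hmac
import math


class GeneralizedFeistelCipher:
    """Fe[r, a, b] of Section 5: a Feistel network whose left half lives in Z_a and right half
    in Z_b, followed by cycle-walking over [0, ab-1]. HMAC-SHA256 under the key stands in for
    the random functions F_1..F_r (an assumption; the paper's example uses DES)."""

    def __init__(self, key: bytes, k: int, a: int, b: int, rounds: int = 3):
        if a * b < k:
            raise ValueError("need ab >= k")
        self.key, self.k, self.a, self.b, self.r = key, k, a, b, rounds

    def _F(self, j: int, x: int) -> int:
        """Round function F_j; its range (2^256 values) exceeds both a and b."""
        msg = bytes([j]) + x.to_bytes(16, "big")            # assumes a, b < 2^128
        return int.from_bytes(hmac.new(self.key, msg, hashlib.sha256).digest(), "big")

    def _fe(self, m: int) -> int:
        """One pass of the network (Figure 3, fe): a permutation on [0, ab-1]."""
        L, R = m % self.a, m // self.a
        for j in range(1, self.r + 1):
            tmp = (L + self._F(j, R)) % (self.a if j % 2 else self.b)  # odd rounds mod a
            L, R = R, tmp
        return self.a * L + R if self.r % 2 else self.a * R + L

    def _fe_inv(self, c: int) -> int:
        """Inverse pass (Figure 3, fe^-1): undo rounds r, r-1, ..., 1."""
        if self.r % 2:
            R, L = c % self.a, c // self.a
        else:
            L, R = c % self.a, c // self.a
        for j in range(self.r, 0, -1):
            tmp = (R - self._F(j, L)) % (self.a if j % 2 else self.b)
            R, L = L, tmp
        return self.a * R + L

    def encipher(self, m: int) -> int:
        c = self._fe(m)
        while c >= self.k:          # landed in [k, ab-1]: iterate as in the Cycle-Walking Cipher
            c = self._fe(c)
        return c

    def decipher(self, c: int) -> int:
        m = self._fe_inv(c)
        while m >= self.k:
            m = self._fe_inv(m)
        return m


def balanced_split(k: int) -> tuple:
    """The Discussion's choice a = b = ceil(sqrt(k)), so that ab - k <= 2*sqrt(k) + 1."""
    a = math.isqrt(k - 1) + 1
    return a, a


class OneOffCipher:
    """The One-Off Construction: from a cipher E on [0, k-1] and r in [0, k], a cipher E'
    on [0, k] with E'(k) = r, E'(E^-1(r)) = k, and E'(X) = E(X) otherwise."""

    def __init__(self, E, k: int, r: int):
        if not 0 <= r <= k:
            raise ValueError("r must lie in [0, k]")
        self.E, self.k, self.r = E, k, r
        self.redirected = E.decipher(r) if r < k else None  # no point of E maps to r when r == k

    def encipher(self, X: int) -> int:
        if X == self.k:
            return self.r
        if X == self.redirected:
            return self.k
        return self.E.encipher(X)

    def decipher(self, Y: int) -> int:
        if Y == self.r:
            return self.k
        if Y == self.k:
            return self.redirected
        return self.E.decipher(Y)


def is_permutation(cipher, size: int) -> bool:
    """Exhaustive check: cipher is a bijection on [0, size-1] and decipher is its inverse."""
    images = [cipher.encipher(m) for m in range(size)]
    return (sorted(images) == list(range(size))
            and all(cipher.decipher(images[m]) == m for m in range(size)))


if __name__ == "__main__":
    key = b"constructed demo key"                      # constructed, not from the paper
    a, b = balanced_split(2**35)                       # a = b = 185364, slack ab - k = 74128
    fe = GeneralizedFeistelCipher(key, 2**35, a, b)
    c = fe.encipher(314159)
    print(f"Fe[3, {a}, {b}](314159) = {c}; inverts: {fe.decipher(c) == 314159}")
    small = OneOffCipher(GeneralizedFeistelCipher(key, 1000, 25, 40), 1000, r=7)
    print("one-off cipher is a permutation on [0, 1000]:", is_permutation(small, 1001))
```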
There are well-known compact representations of the points in EC groups, and these representations form our starting point. For example, one finds in [5] simple algorithms to compress the representation of a point in an EC group. Consider the EC group $G$ over the field $\mathbb{F}_q$ where $q$ is either a power of two or a prime. Then any point $(x, y) \in G$ may be represented as a member of $\mathbb{F}_q$ together with a single bit. Let's consider first the case where $q = 2^m$ with $m > 0$. The Hasse theorem (see [5], page 8) guarantees at least $d(r) = r + 1 - 2\sqrt{r}$ points in $G$. Since it is possible to represent any point in $G$ with $m+1$ bits and it is also possible to efficiently test for membership in $G$, we could use the cycle-walking construction over a cipher on $2^{m+1}$ points, i.e. an $(m+1)$-bit cipher. The expected number of invocations of this cipher to encipher a point in $G$ is then $2^{m+1}/d(2^m) \approx 2$.

If $q$ is instead a prime $p$, we can represent any point in $G$ as a number $x \in [0, p-1]$ and a single bit $y$. We may again use any of our methods to encipher these $2p$ points. Here the Hasse theorem ([5], page 7) guarantees at least $d(p)$ points in $G$ and once again an efficient test for membership in $G$ exists. Therefore we may use the cycle-walking construction over some $\lceil \lg 2p \rceil$-bit cipher. However if $2p$ is not close to a power of 2, we may wish to instead use the generalized-Feistel construction.

Open Problems. As mentioned already, we have not provided any construction which works well (and provably so) for intermediate-sized values of $k$. For example, suppose you are given an ideal block cipher $\Pi$ on 128-bit strings, and you want to approximate a random permutation $\pi$ on, say, 40-bit strings. Probably enough rounds of Feistel work, but remember that our security goal is that even if an adversary inquires about all $2^{40}$ points, still she should be unable to distinguish $\pi$ from a random permutation on 40 bits. Known bounds are not nearly so strong. Of course the prefix method works, but spending $2^{40}$ time and space to encipher the first point is not practical.

Acknowledgments

Special thanks to Richard Schroeppel who made many useful comments on an earlier draft. Thanks also to Mihir Bellare, David McGrew, and Silvio Micali for their helpful comments. This paper was written while Rogaway was on leave of absence from UC Davis, visiting the Department of Computer Science, Faculty of Science, Chiang Mai University. This work was supported under NSF CAREER award CCR, and by a generous gift from Cisco Systems.

References

1. Anderson, R., and Biham, E. Two practical and provably secure block ciphers: BEAR and LION. In Fast Software Encryption (1996), Lecture Notes in Computer Science, Springer-Verlag.
2. Bellare, M., Kilian, J., and Rogaway, P. The security of the cipher block chaining message authentication code. Journal of Computer and System Sciences 61, 3 (2000). Earlier version in CRYPTO '94. See rogaway.
3. Bellare, M., and Rogaway, P. On the construction of variable-input-length ciphers. In Fast Software Encryption (1999), Lecture Notes in Computer Science, Springer-Verlag. See rogaway.
4. Bellovin, S., and Merritt, M. Encrypted key exchange: password-based protocols secure against dictionary attacks. In 1992 IEEE Computer Society Symposium on Research in Security and Privacy (1992), IEEE Computer Society Press.
5. Certicom Research. Standards for efficient cryptography, SEC1: Elliptic curve cryptography, version 1, Sept. Available on-line.
6. Goldreich, O., Goldwasser, S., and Micali, S. How to construct random functions. Journal of the ACM 33, 4 (1986).


More information

The OC Curve of Attribute Acceptance Plans

The OC Curve of Attribute Acceptance Plans The OC Curve of Attrbute Acceptance Plans The Operatng Characterstc (OC) curve descrbes the probablty of acceptng a lot as a functon of the lot s qualty. Fgure 1 shows a typcal OC Curve. 10 8 6 4 1 3 4

More information

How Sets of Coherent Probabilities May Serve as Models for Degrees of Incoherence

How Sets of Coherent Probabilities May Serve as Models for Degrees of Incoherence 1 st Internatonal Symposum on Imprecse Probabltes and Ther Applcatons, Ghent, Belgum, 29 June 2 July 1999 How Sets of Coherent Probabltes May Serve as Models for Degrees of Incoherence Mar J. Schervsh

More information

greatest common divisor

greatest common divisor 4. GCD 1 The greatest common dvsor of two ntegers a and b (not both zero) s the largest nteger whch s a common factor of both a and b. We denote ths number by gcd(a, b), or smply (a, b) when there s no

More information

1 Approximation Algorithms

1 Approximation Algorithms CME 305: Dscrete Mathematcs and Algorthms 1 Approxmaton Algorthms In lght of the apparent ntractablty of the problems we beleve not to le n P, t makes sense to pursue deas other than complete solutons

More information

Proactive Secret Sharing Or: How to Cope With Perpetual Leakage

Proactive Secret Sharing Or: How to Cope With Perpetual Leakage Proactve Secret Sharng Or: How to Cope Wth Perpetual Leakage Paper by Amr Herzberg Stanslaw Jareck Hugo Krawczyk Mot Yung Presentaton by Davd Zage What s Secret Sharng Basc Idea ((2, 2)-threshold scheme):

More information

6. EIGENVALUES AND EIGENVECTORS 3 = 3 2

6. EIGENVALUES AND EIGENVECTORS 3 = 3 2 EIGENVALUES AND EIGENVECTORS The Characterstc Polynomal If A s a square matrx and v s a non-zero vector such that Av v we say that v s an egenvector of A and s the correspondng egenvalue Av v Example :

More information

Compact CCA2-secure Hierarchical Identity-Based Broadcast Encryption for Fuzzy-entity Data Sharing

Compact CCA2-secure Hierarchical Identity-Based Broadcast Encryption for Fuzzy-entity Data Sharing Compact CCA2-secure Herarchcal Identty-Based Broadcast Encrypton for Fuzzy-entty Data Sharng Weran Lu 1, Janwe Lu 1, Qanhong Wu 1, Bo Qn 2, Davd Naccache 3, and Houda Ferrad 4 1 School of Electronc and

More information

1. Math 210 Finite Mathematics

1. Math 210 Finite Mathematics 1. ath 210 Fnte athematcs Chapter 5.2 and 5.3 Annutes ortgages Amortzaton Professor Rchard Blecksmth Dept. of athematcal Scences Northern Illnos Unversty ath 210 Webste: http://math.nu.edu/courses/math210

More information

PSYCHOLOGICAL RESEARCH (PYC 304-C) Lecture 12

PSYCHOLOGICAL RESEARCH (PYC 304-C) Lecture 12 14 The Ch-squared dstrbuton PSYCHOLOGICAL RESEARCH (PYC 304-C) Lecture 1 If a normal varable X, havng mean µ and varance σ, s standardsed, the new varable Z has a mean 0 and varance 1. When ths standardsed

More information

Complete Fairness in Secure Two-Party Computation

Complete Fairness in Secure Two-Party Computation Complete Farness n Secure Two-Party Computaton S. Dov Gordon Carmt Hazay Jonathan Katz Yehuda Lndell Abstract In the settng of secure two-party computaton, two mutually dstrustng partes wsh to compute

More information

Thursday, December 10, 2009 Noon - 1:50 pm Faraday 143

Thursday, December 10, 2009 Noon - 1:50 pm Faraday 143 1. ath 210 Fnte athematcs Chapter 5.2 and 4.3 Annutes ortgages Amortzaton Professor Rchard Blecksmth Dept. of athematcal Scences Northern Illnos Unversty ath 210 Webste: http://math.nu.edu/courses/math210

More information

A Probabilistic Theory of Coherence

A Probabilistic Theory of Coherence A Probablstc Theory of Coherence BRANDEN FITELSON. The Coherence Measure C Let E be a set of n propostons E,..., E n. We seek a probablstc measure C(E) of the degree of coherence of E. Intutvely, we want

More information

8.5 UNITARY AND HERMITIAN MATRICES. The conjugate transpose of a complex matrix A, denoted by A*, is given by

8.5 UNITARY AND HERMITIAN MATRICES. The conjugate transpose of a complex matrix A, denoted by A*, is given by 6 CHAPTER 8 COMPLEX VECTOR SPACES 5. Fnd the kernel of the lnear transformaton gven n Exercse 5. In Exercses 55 and 56, fnd the mage of v, for the ndcated composton, where and are gven by the followng

More information

+ + + - - This circuit than can be reduced to a planar circuit

+ + + - - This circuit than can be reduced to a planar circuit MeshCurrent Method The meshcurrent s analog of the nodeoltage method. We sole for a new set of arables, mesh currents, that automatcally satsfy KCLs. As such, meshcurrent method reduces crcut soluton to

More information

1. Fundamentals of probability theory 2. Emergence of communication traffic 3. Stochastic & Markovian Processes (SP & MP)

1. Fundamentals of probability theory 2. Emergence of communication traffic 3. Stochastic & Markovian Processes (SP & MP) 6.3 / -- Communcaton Networks II (Görg) SS20 -- www.comnets.un-bremen.de Communcaton Networks II Contents. Fundamentals of probablty theory 2. Emergence of communcaton traffc 3. Stochastc & Markovan Processes

More information

Using Series to Analyze Financial Situations: Present Value

Using Series to Analyze Financial Situations: Present Value 2.8 Usng Seres to Analyze Fnancal Stuatons: Present Value In the prevous secton, you learned how to calculate the amount, or future value, of an ordnary smple annuty. The amount s the sum of the accumulated

More information

DEFINING %COMPLETE IN MICROSOFT PROJECT

DEFINING %COMPLETE IN MICROSOFT PROJECT CelersSystems DEFINING %COMPLETE IN MICROSOFT PROJECT PREPARED BY James E Aksel, PMP, PMI-SP, MVP For Addtonal Informaton about Earned Value Management Systems and reportng, please contact: CelersSystems,

More information

Support Vector Machines

Support Vector Machines Support Vector Machnes Max Wellng Department of Computer Scence Unversty of Toronto 10 Kng s College Road Toronto, M5S 3G5 Canada wellng@cs.toronto.edu Abstract Ths s a note to explan support vector machnes.

More information

Linear Circuits Analysis. Superposition, Thevenin /Norton Equivalent circuits

Linear Circuits Analysis. Superposition, Thevenin /Norton Equivalent circuits Lnear Crcuts Analyss. Superposton, Theenn /Norton Equalent crcuts So far we hae explored tmendependent (resste) elements that are also lnear. A tmendependent elements s one for whch we can plot an / cure.

More information

Fast Variants of RSA

Fast Variants of RSA Fast Varants of RSA Dan Boneh dabo@cs.stanford.edu Hovav Shacham hovav@cs.stanford.edu Abstract We survey three varants of RSA desgned to speed up RSA decrypton. These varants are backwards compatble n

More information

Section 5.3 Annuities, Future Value, and Sinking Funds

Section 5.3 Annuities, Future Value, and Sinking Funds Secton 5.3 Annutes, Future Value, and Snkng Funds Ordnary Annutes A sequence of equal payments made at equal perods of tme s called an annuty. The tme between payments s the payment perod, and the tme

More information

Project Networks With Mixed-Time Constraints

Project Networks With Mixed-Time Constraints Project Networs Wth Mxed-Tme Constrants L Caccetta and B Wattananon Western Australan Centre of Excellence n Industral Optmsaton (WACEIO) Curtn Unversty of Technology GPO Box U1987 Perth Western Australa

More information

Section 5.4 Annuities, Present Value, and Amortization

Section 5.4 Annuities, Present Value, and Amortization Secton 5.4 Annutes, Present Value, and Amortzaton Present Value In Secton 5.2, we saw that the present value of A dollars at nterest rate per perod for n perods s the amount that must be deposted today

More information

QUESTIONS, How can quantum computers do the amazing things that they are able to do, such. cryptography quantum computers

QUESTIONS, How can quantum computers do the amazing things that they are able to do, such. cryptography quantum computers 2O cryptography quantum computers cryptography quantum computers QUESTIONS, Quantum Computers, and Cryptography A mathematcal metaphor for the power of quantum algorthms Mark Ettnger How can quantum computers

More information

RUHR-UNIVERSITÄT BOCHUM

RUHR-UNIVERSITÄT BOCHUM RUHR-UNIVERSITÄT BOCHUM Horst Görtz Insttute for IT Securty Techncal Report TR-HGI-2006-002 Survey on Securty Requrements and Models for Group Key Exchange Mark Manuls Char for Network and Data Securty

More information

An Interest-Oriented Network Evolution Mechanism for Online Communities

An Interest-Oriented Network Evolution Mechanism for Online Communities An Interest-Orented Network Evoluton Mechansm for Onlne Communtes Cahong Sun and Xaopng Yang School of Informaton, Renmn Unversty of Chna, Bejng 100872, P.R. Chna {chsun,yang}@ruc.edu.cn Abstract. Onlne

More information

Lecture 3: Annuity. Study annuities whose payments form a geometric progression or a arithmetic progression.

Lecture 3: Annuity. Study annuities whose payments form a geometric progression or a arithmetic progression. Lecture 3: Annuty Goals: Learn contnuous annuty and perpetuty. Study annutes whose payments form a geometrc progresson or a arthmetc progresson. Dscuss yeld rates. Introduce Amortzaton Suggested Textbook

More information

Implementation of Deutsch's Algorithm Using Mathcad

Implementation of Deutsch's Algorithm Using Mathcad Implementaton of Deutsch's Algorthm Usng Mathcad Frank Roux The followng s a Mathcad mplementaton of Davd Deutsch's quantum computer prototype as presented on pages - n "Machnes, Logc and Quantum Physcs"

More information

Practical and Secure Solutions for Integer Comparison

Practical and Secure Solutions for Integer Comparison In Publc Key Cryptography PKC 07, Vol. 4450 of Lecture Notes n Computer Scence, Sprnger-Verlag, 2007. pp. 330-342. Practcal and Secure Solutons for Integer Comparson Juan Garay 1, erry Schoenmakers 2,

More information

7.5. Present Value of an Annuity. Investigate

7.5. Present Value of an Annuity. Investigate 7.5 Present Value of an Annuty Owen and Anna are approachng retrement and are puttng ther fnances n order. They have worked hard and nvested ther earnngs so that they now have a large amount of money on

More information

Identity-Based Encryption Gone Wild

Identity-Based Encryption Gone Wild An extended abstract of ths paper appeared n Mchele Bugles, Bart Preneel, Vladmro Sassone, and Ingo Wegener, edtors, 33rd Internatonal Colloquum on Automata, Languages and Programmng ICALP 2006, volume

More information

ErrorPropagation.nb 1. Error Propagation

ErrorPropagation.nb 1. Error Propagation ErrorPropagaton.nb Error Propagaton Suppose that we make observatons of a quantty x that s subject to random fluctuatons or measurement errors. Our best estmate of the true value for ths quantty s then

More information

The Development of Web Log Mining Based on Improve-K-Means Clustering Analysis

The Development of Web Log Mining Based on Improve-K-Means Clustering Analysis The Development of Web Log Mnng Based on Improve-K-Means Clusterng Analyss TngZhong Wang * College of Informaton Technology, Luoyang Normal Unversty, Luoyang, 471022, Chna wangtngzhong2@sna.cn Abstract.

More information

Number of Levels Cumulative Annual operating Income per year construction costs costs ($) ($) ($) 1 600,000 35,000 100,000 2 2,200,000 60,000 350,000

Number of Levels Cumulative Annual operating Income per year construction costs costs ($) ($) ($) 1 600,000 35,000 100,000 2 2,200,000 60,000 350,000 Problem Set 5 Solutons 1 MIT s consderng buldng a new car park near Kendall Square. o unversty funds are avalable (overhead rates are under pressure and the new faclty would have to pay for tself from

More information

x f(x) 1 0.25 1 0.75 x 1 0 1 1 0.04 0.01 0.20 1 0.12 0.03 0.60

x f(x) 1 0.25 1 0.75 x 1 0 1 1 0.04 0.01 0.20 1 0.12 0.03 0.60 BIVARIATE DISTRIBUTIONS Let be a varable that assumes the values { 1,,..., n }. Then, a functon that epresses the relatve frequenc of these values s called a unvarate frequenc functon. It must be true

More information

Calculating the high frequency transmission line parameters of power cables

Calculating the high frequency transmission line parameters of power cables < ' Calculatng the hgh frequency transmsson lne parameters of power cables Authors: Dr. John Dcknson, Laboratory Servces Manager, N 0 RW E B Communcatons Mr. Peter J. Ncholson, Project Assgnment Manager,

More information

PKIS: practical keyword index search on cloud datacenter

PKIS: practical keyword index search on cloud datacenter Park et al. EURASIP Journal on Wreless Communcatons and Networkng 20, 20:64 http://jwcn.euraspjournals.com/content/20//64 RESEARCH Open Access PKIS: practcal keyword ndex search on cloud datacenter Hyun-A

More information

Quantization Effects in Digital Filters

Quantization Effects in Digital Filters Quantzaton Effects n Dgtal Flters Dstrbuton of Truncaton Errors In two's complement representaton an exact number would have nfntely many bts (n general). When we lmt the number of bts to some fnte value

More information

J. Parallel Distrib. Comput.

J. Parallel Distrib. Comput. J. Parallel Dstrb. Comput. 71 (2011) 62 76 Contents lsts avalable at ScenceDrect J. Parallel Dstrb. Comput. journal homepage: www.elsever.com/locate/jpdc Optmzng server placement n dstrbuted systems n

More information

CHOLESTEROL REFERENCE METHOD LABORATORY NETWORK. Sample Stability Protocol

CHOLESTEROL REFERENCE METHOD LABORATORY NETWORK. Sample Stability Protocol CHOLESTEROL REFERENCE METHOD LABORATORY NETWORK Sample Stablty Protocol Background The Cholesterol Reference Method Laboratory Network (CRMLN) developed certfcaton protocols for total cholesterol, HDL

More information

Inequality and The Accounting Period. Quentin Wodon and Shlomo Yitzhaki. World Bank and Hebrew University. September 2001.

Inequality and The Accounting Period. Quentin Wodon and Shlomo Yitzhaki. World Bank and Hebrew University. September 2001. Inequalty and The Accountng Perod Quentn Wodon and Shlomo Ytzha World Ban and Hebrew Unversty September Abstract Income nequalty typcally declnes wth the length of tme taen nto account for measurement.

More information

Inter-Ing 2007. INTERDISCIPLINARITY IN ENGINEERING SCIENTIFIC INTERNATIONAL CONFERENCE, TG. MUREŞ ROMÂNIA, 15-16 November 2007.

Inter-Ing 2007. INTERDISCIPLINARITY IN ENGINEERING SCIENTIFIC INTERNATIONAL CONFERENCE, TG. MUREŞ ROMÂNIA, 15-16 November 2007. Inter-Ing 2007 INTERDISCIPLINARITY IN ENGINEERING SCIENTIFIC INTERNATIONAL CONFERENCE, TG. MUREŞ ROMÂNIA, 15-16 November 2007. UNCERTAINTY REGION SIMULATION FOR A SERIAL ROBOT STRUCTURE MARIUS SEBASTIAN

More information

Secure Network Coding Over the Integers

Secure Network Coding Over the Integers Secure Network Codng Over the Integers Rosaro Gennaro Jonathan Katz Hugo Krawczyk Tal Rabn Abstract Network codng has receved sgnfcant attenton n the networkng communty for ts potental to ncrease throughput

More information

Vembu StoreGrid Windows Client Installation Guide

Vembu StoreGrid Windows Client Installation Guide Ser v cepr ov dered t on Cl enti nst al l at ongu de W ndows Vembu StoreGrd Wndows Clent Installaton Gude Download the Wndows nstaller, VembuStoreGrd_4_2_0_SP_Clent_Only.exe To nstall StoreGrd clent on

More information

A Performance Analysis of View Maintenance Techniques for Data Warehouses

A Performance Analysis of View Maintenance Techniques for Data Warehouses A Performance Analyss of Vew Mantenance Technques for Data Warehouses Xng Wang Dell Computer Corporaton Round Roc, Texas Le Gruenwald The nversty of Olahoma School of Computer Scence orman, OK 739 Guangtao

More information

On Mean Squared Error of Hierarchical Estimator

On Mean Squared Error of Hierarchical Estimator S C H E D A E I N F O R M A T I C A E VOLUME 0 0 On Mean Squared Error of Herarchcal Estmator Stans law Brodowsk Faculty of Physcs, Astronomy, and Appled Computer Scence, Jagellonan Unversty, Reymonta

More information

Joe Pimbley, unpublished, 2005. Yield Curve Calculations

Joe Pimbley, unpublished, 2005. Yield Curve Calculations Joe Pmbley, unpublshed, 005. Yeld Curve Calculatons Background: Everythng s dscount factors Yeld curve calculatons nclude valuaton of forward rate agreements (FRAs), swaps, nterest rate optons, and forward

More information

2.4 Bivariate distributions

2.4 Bivariate distributions page 28 2.4 Bvarate dstrbutons 2.4.1 Defntons Let X and Y be dscrete r.v.s defned on the same probablty space (S, F, P). Instead of treatng them separately, t s often necessary to thnk of them actng together

More information

AN EFFICIENT GROUP AUTHENTICATION FOR GROUP COMMUNICATIONS

AN EFFICIENT GROUP AUTHENTICATION FOR GROUP COMMUNICATIONS Internatonal Journal of Network Securty & Its Applcatons (IJNSA), Vol.5, No.3, May 2013 AN EFFICIENT GROUP AUTHENTICATION FOR GROUP COMMUNICATIONS Len Harn 1 and Changlu Ln 2 1 Department of Computer Scence

More information

Logistic Regression. Lecture 4: More classifiers and classes. Logistic regression. Adaboost. Optimization. Multiple class classification

Logistic Regression. Lecture 4: More classifiers and classes. Logistic regression. Adaboost. Optimization. Multiple class classification Lecture 4: More classfers and classes C4B Machne Learnng Hlary 20 A. Zsserman Logstc regresson Loss functons revsted Adaboost Loss functons revsted Optmzaton Multple class classfcaton Logstc Regresson

More information

Power-of-Two Policies for Single- Warehouse Multi-Retailer Inventory Systems with Order Frequency Discounts

Power-of-Two Policies for Single- Warehouse Multi-Retailer Inventory Systems with Order Frequency Discounts Power-of-wo Polces for Sngle- Warehouse Mult-Retaler Inventory Systems wth Order Frequency Dscounts José A. Ventura Pennsylvana State Unversty (USA) Yale. Herer echnon Israel Insttute of echnology (Israel)

More information

Lecture 3: Force of Interest, Real Interest Rate, Annuity

Lecture 3: Force of Interest, Real Interest Rate, Annuity Lecture 3: Force of Interest, Real Interest Rate, Annuty Goals: Study contnuous compoundng and force of nterest Dscuss real nterest rate Learn annuty-mmedate, and ts present value Study annuty-due, and

More information

How Much to Bet on Video Poker

How Much to Bet on Video Poker How Much to Bet on Vdeo Poker Trstan Barnett A queston that arses whenever a gae s favorable to the player s how uch to wager on each event? Whle conservatve play (or nu bet nzes large fluctuatons, t lacks

More information

Data Broadcast on a Multi-System Heterogeneous Overlayed Wireless Network *

Data Broadcast on a Multi-System Heterogeneous Overlayed Wireless Network * JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 24, 819-840 (2008) Data Broadcast on a Mult-System Heterogeneous Overlayed Wreless Network * Department of Computer Scence Natonal Chao Tung Unversty Hsnchu,

More information

Tracker: Security and Privacy for RFID-based Supply Chains

Tracker: Security and Privacy for RFID-based Supply Chains Tracker: Securty and Prvacy for RFID-based Supply Chans Erk-Olver Blass Kaoutar Elkhyaou Refk Molva EURECOM Sopha Antpols, France {blass elkhyao molva}@eurecom.fr Abstract The counterfetng of pharmaceutcs

More information

A hybrid global optimization algorithm based on parallel chaos optimization and outlook algorithm

A hybrid global optimization algorithm based on parallel chaos optimization and outlook algorithm Avalable onlne www.ocpr.com Journal of Chemcal and Pharmaceutcal Research, 2014, 6(7):1884-1889 Research Artcle ISSN : 0975-7384 CODEN(USA) : JCPRC5 A hybrd global optmzaton algorthm based on parallel

More information

Ring structure of splines on triangulations

Ring structure of splines on triangulations www.oeaw.ac.at Rng structure of splnes on trangulatons N. Vllamzar RICAM-Report 2014-48 www.rcam.oeaw.ac.at RING STRUCTURE OF SPLINES ON TRIANGULATIONS NELLY VILLAMIZAR Introducton For a trangulated regon

More information

Generalizing the degree sequence problem

Generalizing the degree sequence problem Mddlebury College March 2009 Arzona State Unversty Dscrete Mathematcs Semnar The degree sequence problem Problem: Gven an nteger sequence d = (d 1,...,d n ) determne f there exsts a graph G wth d as ts

More information

Traffic-light a stress test for life insurance provisions

Traffic-light a stress test for life insurance provisions MEMORANDUM Date 006-09-7 Authors Bengt von Bahr, Göran Ronge Traffc-lght a stress test for lfe nsurance provsons Fnansnspetonen P.O. Box 6750 SE-113 85 Stocholm [Sveavägen 167] Tel +46 8 787 80 00 Fax

More information

Calculation of Sampling Weights

Calculation of Sampling Weights Perre Foy Statstcs Canada 4 Calculaton of Samplng Weghts 4.1 OVERVIEW The basc sample desgn used n TIMSS Populatons 1 and 2 was a two-stage stratfed cluster desgn. 1 The frst stage conssted of a sample

More information

Activity Scheduling for Cost-Time Investment Optimization in Project Management

Activity Scheduling for Cost-Time Investment Optimization in Project Management PROJECT MANAGEMENT 4 th Internatonal Conference on Industral Engneerng and Industral Management XIV Congreso de Ingenería de Organzacón Donosta- San Sebastán, September 8 th -10 th 010 Actvty Schedulng

More information

21 Vectors: The Cross Product & Torque

21 Vectors: The Cross Product & Torque 21 Vectors: The Cross Product & Torque Do not use our left hand when applng ether the rght-hand rule for the cross product of two vectors dscussed n ths chapter or the rght-hand rule for somethng curl

More information

To Fill or not to Fill: The Gas Station Problem

To Fill or not to Fill: The Gas Station Problem To Fll or not to Fll: The Gas Staton Problem Samr Khuller Azarakhsh Malekan Julán Mestre Abstract In ths paper we study several routng problems that generalze shortest paths and the Travelng Salesman Problem.

More information

Vision Mouse. Saurabh Sarkar a* University of Cincinnati, Cincinnati, USA ABSTRACT 1. INTRODUCTION

Vision Mouse. Saurabh Sarkar a* University of Cincinnati, Cincinnati, USA ABSTRACT 1. INTRODUCTION Vson Mouse Saurabh Sarkar a* a Unversty of Cncnnat, Cncnnat, USA ABSTRACT The report dscusses a vson based approach towards trackng of eyes and fngers. The report descrbes the process of locatng the possble

More information

We are now ready to answer the question: What are the possible cardinalities for finite fields?

We are now ready to answer the question: What are the possible cardinalities for finite fields? Chapter 3 Fnte felds We have seen, n the prevous chapters, some examples of fnte felds. For example, the resdue class rng Z/pZ (when p s a prme) forms a feld wth p elements whch may be dentfed wth the

More information

1.1 The University may award Higher Doctorate degrees as specified from time-to-time in UPR AS11 1.

1.1 The University may award Higher Doctorate degrees as specified from time-to-time in UPR AS11 1. HIGHER DOCTORATE DEGREES SUMMARY OF PRINCIPAL CHANGES General changes None Secton 3.2 Refer to text (Amendments to verson 03.0, UPR AS02 are shown n talcs.) 1 INTRODUCTION 1.1 The Unversty may award Hgher

More information

Finite Math Chapter 10: Study Guide and Solution to Problems

Finite Math Chapter 10: Study Guide and Solution to Problems Fnte Math Chapter 10: Study Gude and Soluton to Problems Basc Formulas and Concepts 10.1 Interest Basc Concepts Interest A fee a bank pays you for money you depost nto a savngs account. Prncpal P The amount

More information

Sketching Sampled Data Streams

Sketching Sampled Data Streams Sketchng Sampled Data Streams Florn Rusu, Aln Dobra CISE Department Unversty of Florda Ganesvlle, FL, USA frusu@cse.ufl.edu adobra@cse.ufl.edu Abstract Samplng s used as a unversal method to reduce the

More information

THE METHOD OF LEAST SQUARES THE METHOD OF LEAST SQUARES

THE METHOD OF LEAST SQUARES THE METHOD OF LEAST SQUARES The goal: to measure (determne) an unknown quantty x (the value of a RV X) Realsaton: n results: y 1, y 2,..., y j,..., y n, (the measured values of Y 1, Y 2,..., Y j,..., Y n ) every result s encumbered

More information

Provably Secure Single Sign-on Scheme in Distributed Systems and Networks

Provably Secure Single Sign-on Scheme in Distributed Systems and Networks 0 IEEE th Internatonal Conference on Trust, Securty and Prvacy n Computng and Communcatons Provably Secure Sngle Sgn-on Scheme n Dstrbuted Systems and Networks Jangshan Yu, Guln Wang, and Y Mu Center for

More information

General Auction Mechanism for Search Advertising

General Auction Mechanism for Search Advertising General Aucton Mechansm for Search Advertsng Gagan Aggarwal S. Muthukrshnan Dávd Pál Martn Pál Keywords game theory, onlne auctons, stable matchngs ABSTRACT Internet search advertsng s often sold by an

More information

From Selective to Full Security: Semi-Generic Transformations in the Standard Model

From Selective to Full Security: Semi-Generic Transformations in the Standard Model An extended abstract of ths work appears n the proceedngs of PKC 2012 From Selectve to Full Securty: Sem-Generc Transformatons n the Standard Model Mchel Abdalla 1 Daro Fore 2 Vadm Lyubashevsky 1 1 Département

More information

Multiple-Period Attribution: Residuals and Compounding

Multiple-Period Attribution: Residuals and Compounding Multple-Perod Attrbuton: Resduals and Compoundng Our revewer gave these authors full marks for dealng wth an ssue that performance measurers and vendors often regard as propretary nformaton. In 1994, Dens

More information

The University of Texas at Austin. Austin, Texas 78712. December 1987. Abstract. programs in which operations of dierent processes mayoverlap.

The University of Texas at Austin. Austin, Texas 78712. December 1987. Abstract. programs in which operations of dierent processes mayoverlap. Atomc Semantcs of Nonatomc Programs James H. Anderson Mohamed G. Gouda Department of Computer Scences The Unversty of Texas at Austn Austn, Texas 78712 December 1987 Abstract We argue that t s possble,

More information

n + d + q = 24 and.05n +.1d +.25q = 2 { n + d + q = 24 (3) n + 2d + 5q = 40 (2)

n + d + q = 24 and.05n +.1d +.25q = 2 { n + d + q = 24 (3) n + 2d + 5q = 40 (2) MATH 16T Exam 1 : Part I (In-Class) Solutons 1. (0 pts) A pggy bank contans 4 cons, all of whch are nckels (5 ), dmes (10 ) or quarters (5 ). The pggy bank also contans a con of each denomnaton. The total

More information

Logical Development Of Vogel s Approximation Method (LD-VAM): An Approach To Find Basic Feasible Solution Of Transportation Problem

Logical Development Of Vogel s Approximation Method (LD-VAM): An Approach To Find Basic Feasible Solution Of Transportation Problem INTERNATIONAL JOURNAL OF SCIENTIFIC & TECHNOLOGY RESEARCH VOLUME, ISSUE, FEBRUARY ISSN 77-866 Logcal Development Of Vogel s Approxmaton Method (LD- An Approach To Fnd Basc Feasble Soluton Of Transportaton

More information

Hollinger Canadian Publishing Holdings Co. ( HCPH ) proceeding under the Companies Creditors Arrangement Act ( CCAA )

Hollinger Canadian Publishing Holdings Co. ( HCPH ) proceeding under the Companies Creditors Arrangement Act ( CCAA ) February 17, 2011 Andrew J. Hatnay ahatnay@kmlaw.ca Dear Sr/Madam: Re: Re: Hollnger Canadan Publshng Holdngs Co. ( HCPH ) proceedng under the Companes Credtors Arrangement Act ( CCAA ) Update on CCAA Proceedngs

More information

Multiplication Algorithms for Radix-2 RN-Codings and Two s Complement Numbers

Multiplication Algorithms for Radix-2 RN-Codings and Two s Complement Numbers Multplcaton Algorthms for Radx- RN-Codngs and Two s Complement Numbers Jean-Luc Beuchat Projet Arénare, LIP, ENS Lyon 46, Allée d Itale F 69364 Lyon Cedex 07 jean-luc.beuchat@ens-lyon.fr Jean-Mchel Muller

More information

NON-CONSTANT SUM RED-AND-BLACK GAMES WITH BET-DEPENDENT WIN PROBABILITY FUNCTION LAURA PONTIGGIA, University of the Sciences in Philadelphia

NON-CONSTANT SUM RED-AND-BLACK GAMES WITH BET-DEPENDENT WIN PROBABILITY FUNCTION LAURA PONTIGGIA, University of the Sciences in Philadelphia To appear n Journal o Appled Probablty June 2007 O-COSTAT SUM RED-AD-BLACK GAMES WITH BET-DEPEDET WI PROBABILITY FUCTIO LAURA POTIGGIA, Unversty o the Scences n Phladelpha Abstract In ths paper we nvestgate

More information

Week 6 Market Failure due to Externalities

Week 6 Market Failure due to Externalities Week 6 Market Falure due to Externaltes 1. Externaltes n externalty exsts when the acton of one agent unavodably affects the welfare of another agent. The affected agent may be a consumer, gvng rse to

More information

An Optimally Robust Hybrid Mix Network (Extended Abstract)

An Optimally Robust Hybrid Mix Network (Extended Abstract) An Optmally Robust Hybrd Mx Network (Extended Abstract) Markus Jakobsson and Ar Juels RSA Laboratores Bedford, MA, USA {mjakobsson,ajuels}@rsasecurty.com Abstract We present a mx network that acheves effcent

More information

Computing Arbitrary Functions of Encrypted Data March 2010 Communications of the ACM

Computing Arbitrary Functions of Encrypted Data March 2010 Communications of the ACM Home» Magazne Archve» 2010» No. 3» Computng Arbtrary Functons of Encrypted Data» Full Text RESEARCH HIGHLIGHTS Computng Arbtrary Functons of Encrypted Data Crag Gentry Communcatons of the ACM Vol. 53 No.

More information

Chapter 4 ECONOMIC DISPATCH AND UNIT COMMITMENT

Chapter 4 ECONOMIC DISPATCH AND UNIT COMMITMENT Chapter 4 ECOOMIC DISATCH AD UIT COMMITMET ITRODUCTIO A power system has several power plants. Each power plant has several generatng unts. At any pont of tme, the total load n the system s met by the

More information

where the coordinates are related to those in the old frame as follows.

where the coordinates are related to those in the old frame as follows. Chapter 2 - Cartesan Vectors and Tensors: Ther Algebra Defnton of a vector Examples of vectors Scalar multplcaton Addton of vectors coplanar vectors Unt vectors A bass of non-coplanar vectors Scalar product

More information

Implied (risk neutral) probabilities, betting odds and prediction markets

Implied (risk neutral) probabilities, betting odds and prediction markets Impled (rsk neutral) probabltes, bettng odds and predcton markets Fabrzo Caccafesta (Unversty of Rome "Tor Vergata") ABSTRACT - We show that the well known euvalence between the "fundamental theorem of

More information

Trivial lump sum R5.0

Trivial lump sum R5.0 Optons form Once you have flled n ths form, please return t wth your orgnal brth certfcate to: Premer PO Box 2067 Croydon CR90 9ND. Fll n ths form usng BLOCK CAPITALS and black nk. Mark all answers wth

More information

An Analysis of Central Processor Scheduling in Multiprogrammed Computer Systems

An Analysis of Central Processor Scheduling in Multiprogrammed Computer Systems STAN-CS-73-355 I SU-SE-73-013 An Analyss of Central Processor Schedulng n Multprogrammed Computer Systems (Dgest Edton) by Thomas G. Prce October 1972 Techncal Report No. 57 Reproducton n whole or n part

More information

We assume your students are learning about self-regulation (how to change how alert they feel) through the Alert Program with its three stages:

We assume your students are learning about self-regulation (how to change how alert they feel) through the Alert Program with its three stages: Welcome to ALERT BINGO, a fun-flled and educatonal way to learn the fve ways to change engnes levels (Put somethng n your Mouth, Move, Touch, Look, and Lsten) as descrbed n the How Does Your Engne Run?

More information