Ciphers with Arbitrary Finite Domains


John Black (1) and Phillip Rogaway (2)

(1) Dept. of Computer Science, University of Nevada, Reno NV 89557, USA, WWW home page:
(2) Dept. of Computer Science, University of California at Davis, Davis, CA 95616, USA, WWW home page:

Abstract. We explore the problem of enciphering members of a finite set $\mathcal{M}$ where $k = |\mathcal{M}|$ is arbitrary (in particular, it need not be a power of two). We want to achieve this goal starting from a block cipher (which requires a message space of size $N = 2^n$, for some $n$). We look at a few solutions to this problem, focusing on the case when $\mathcal{M} = [0, k-1]$. We see ciphers with arbitrary domains as a worthwhile primitive in its own right, and as a potentially useful one for making higher-level protocols.

Keywords: Ciphers, Modes of Operation, Provable security, Symmetric Encryption.

1 Introduction

A Motivating Example. Consider the following problem: a company wishes to generate distinct and unpredictable ten-digit credit-card numbers. One way to accomplish this involves keeping a history of all previously-issued numbers. But the company wishes to avoid storing a large amount of sensitive information. Another approach is to use some block cipher $E$ under a randomly-selected key $K$ and then issue credit-card numbers $E_K(0), E_K(1), \ldots$ But the domains of contemporary block ciphers are inconvenient for this problem: this company needs distinct numbers in [0, ] but block ciphers have a domain $[0, 2^n - 1]$ for some $n$ such as 64 or 128. Is there an elegant solution to this problem?

Enciphering with Arbitrary Domains. More generally now, we have good tools, block ciphers, to encipher points when the message space $\mathcal{M}$ is strings of some particular length, $\mathcal{M} = \{0,1\}^n$. But what if you want to encipher a number between one and a million? Or a point in $\mathbb{Z}_N$ or $\mathbb{Z}_N^*$, where $N$ is a 1024-bit number? Or a point from some elliptic-curve group? This paper looks at the question of how to construct ciphers whose domain is not $\{0,1\}^n$.
That is, we are interested in how to make a cipher which has some desired but weird domain: $F : \mathcal{K} \times \mathcal{M} \to \mathcal{M}$ where $\mathcal{K}$ is the key space and $\mathcal{M}$ is the finite message space that we have in mind. A tool from which we may start our construction is a block cipher: a map $E : \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ where $\mathcal{K}$ is the key space and $n$ is the block length. A solution to this problem immediately solves
the credit-card problem: for a block cipher $F : \mathcal{K} \times$ [0, ] $\to$ [0, ], the company chooses a random $K \in \mathcal{K}$ and issues the (distinct) credit-card numbers $F_K(0), F_K(1), F_K(2), \ldots, F_K(i)$, and has only to remember the last value used.

Measuring Success. We would like to make clear right away what is the security goal that we are after. Let's do this by way of an example. Suppose that you want to encipher numbers between one and a million: $\mathcal{M} = [1, 10^6]$. Following [2, 7], we imagine two games. In the first game one chooses a random key $K$ from $\mathcal{K}$ and hands to an adversary an oracle $E_K(\cdot)$. In the second game one chooses a random permutation $\pi$ on $[1, 10^6]$ and hands the adversary an oracle for $\pi(\cdot)$. The adversary should be unable to distinguish these two types of oracles without spending a huge amount of time. Note that the domain is so small that the adversary might well ask for the value of the oracle $f(\cdot) \in \{E_K(\cdot), \pi(\cdot)\}$ at every point in the domain. This shouldn't help the adversary win. So, for example, if the adversary asks the value of $E_K(\cdot)$ at all points except 1 and 2 (a total of  points), then the adversary will know what are the two missing numbers, $c_1$ and $c_2$, but the adversary won't be able to ascertain if $E_K(1) = c_1$ and $E_K(2) = c_2$, or if $E_K(1) = c_2$ and $E_K(2) = c_1$, instead.

Our Contributions. Though the problem of enciphering on an arbitrary domain has been considered before [13], here we draw attention to this problem and give the first rigorous treatment, providing a few solutions together with their analyses. Our solutions focus on the case in which the message space is $\mathcal{M} = [0, k-1]$, though we sketch extensions to some other message spaces, like $\mathbb{Z}_{pq}$ and common elliptic-curve groups.

Our first method assumes that we have a block cipher $E$ that acts on $N = 2^n$ points, where $N \ge k$. To encipher $\mathcal{M} = [0, k-1]$ one just enciphers these points with block cipher $E$ and uses the ordering of $E_K(0)$, $E_K(1)$, up to $E_K(k-1)$ to name the desired permutation on $[0, k-1]$. This method is computationally reasonable only for small $k$, such as $k < 2^{30}$.
A second method, similar to known techniques used in other settings, enciphers a message $m \in \mathcal{M}$ by repeatedly applying the block cipher, starting at $m$, until one gets back to a point in $\mathcal{M}$. (Assume once again that $N \ge k$.) This method is good if $\mathcal{M}$ is dense in the domain of the block cipher, $\{0,1\}^n$. So, for example, one can use this method to encipher a string in $\mathbb{Z}_N$, where $N$ is a 1024-bit number, using a block cipher with block length of 1024 bits. (A block cipher with a long block length, like this, can be constructed from a standard block cipher by following works like [3, 9, 11].) This construction has been suggested before [13]; our main contribution here is the analysis of the construction.

A final method which we look at chooses an $a, b$ where $ab \ge k$ and performs a Feistel construction on the message $m$, but uses a left-hand side in $\mathbb{Z}_a$ and a right-hand side in $\mathbb{Z}_b$. Our analysis of this is an adaptation of Luby and Rackoff's [9]. This method can be quite efficient, though the proven bounds are weak when the message space is small (e.g., $k < 2^{128}$).

With each of our ciphers we provide a deciphering algorithm, though this may not be required in all domains (e.g., in our credit-card example above).
Note that the three methods above solve our problem for small and large domains, but there is a gap which remains: intermediate-sized values where our first method requires too much space and time, and our second method requires too many block-cipher invocations, and our third method may work but the bound is too weak. This gap occurs roughly from $k = 2^{30}$ up to about $k = 2^{60}$, depending on your point of view. Our credit-card example (k = ) falls into this gap. This problem remains open.

Why Ciphers on Non-Standard Sets? Popular books on cryptography speak of enciphering the points in the message space $\mathcal{M}$, whatever that message space may be, but few seem to have thought much about how to actually do this when the message space is something other than a set of bit strings, often of one particular length. This omission is no doubt due to the fact that it is usually fine to embed the desired message space into a larger one, using some padding method, and then apply a standard construction to encipher in the larger space. For example, suppose you want to encipher a random number $m$ between one and a million. Your tool is a 128-bit block cipher $E$. You could encode $m$ as a 128-bit string $M$ by writing $m$ using 20 bits, prepending 108 zero-bits, and computing $C = E_K(M)$. Ignoring the fact that the ciphertext $C$ wastes 108 bits, this method is usually fine. But not always.

One problem with the method above is that it allows one to tell if a candidate key $K$ might have been used to produce $C$. To illustrate the issue, suppose that the key space is small, say $|\mathcal{K}| = 2^{30}$. Suppose the adversary sees a point $C = E_K(M)$. Then the adversary has everything she needs to decrypt ciphertext $C = E_K(M)$: she just tries all keys $K \in \mathcal{K}$ until she finds one for which $E_K^{-1}(C)$ begins with 108 zeros. This is almost certainly the right key. The objection that we shouldn't have used a small key space is not a productive one if the point of our efforts was to make do with a small key space. If we had used a cipher with message space $\mathcal{M} = [1, 10^6]$ we would not have had this problem.
Every ciphertext $C$, under every possible key $K$, would correspond to a valid message $M$. The ciphertext would reveal nothing about which key had been used.

Of course there are several other solutions to the problem we have described, but many of them have difficulties of their own. Suppose, for example, that one pads with random bits instead of zero bits. This is better, but still not perfect: in particular, an adversary can tell that a candidate key $K$ could not have been used to encipher $M$ if decrypting $C$ under $K$ yields a final 20 bits whose decimal value exceeds 1,000,000. If one had 1,000 ciphertexts of random plaintexts enciphered in the manner we have described, the adversary could, once again, usually determine the correct key.

As a more realistic example related to that above, consider the Bellovin-Merritt EKE protocol [4]. This entity-authentication protocol is designed to defeat password-guessing attacks. The protocol involves encrypting, under a possibly weak password $K$, a string $g^x \bmod p$, where $p$ is a large prime number and $g$ is a generator of $\mathbb{Z}_p^*$. In this context it is crucial that from the resulting ciphertext $C$ one can not ascertain if a candidate password $K$ could possibly have
produced the ciphertext $C$. This can be easily and efficiently done by enciphering with message space $\mathcal{M} = \mathbb{Z}_p^*$. Ordinary encryption methods won't work.

Another problem with ciphertext-expansion occurs when we are constrained by an existing record format: suppose we wish to encrypt a set of fields in a database, but the cost of changing the record size is prohibitive. Using a cipher whose domain is the set of values for the existing fields allows some measure of added security without requiring a complete restructuring of the database. And if the data have additional restrictions beyond size (e.g., the fields must contain printable characters), we can further restrict the domain as needed.

In addition to these (modest) applications, the question is interesting from a theoretical standpoint: how can we construct new ciphers from existing ones? In particular, can we construct ciphers with arbitrary domains without resorting to creating new ciphers from scratch? It certainly feels like there should be a good way to construct a block cipher on 32 bits given a block cipher on 64 bits, but, even for this case, no one knows how to do this in a practical manner with good security bounds.

Related Work. We assume that one has in hand a good block cipher for any desired block length. Since standard block ciphers come only in convenient block lengths, such as $n = 128$, here are some ways that one might create a block cipher for some non-standard block length. First, one could construct the block cipher from scratch. But it is probably better to start with a well-studied primitive like SHA-1 or AES. These could then be used within a balanced Feistel network [14], which creates a block cipher for any (even) block length $2n$, starting with something that behaves as a pseudorandom function (PRF) from $n$ bits to $n$ bits. Luby and Rackoff [9] give quantitative bounds on the efficacy of this construction (when using three and four rounds), and their work has spawned much related analysis, too.
Naor and Reingold [11] provide a different construction which extends a block cipher on $n$ bits to a block cipher on $2ni$ bits, for any $i \ge 1$. A variation on their construction due to Patel, Ramzan and Sundaram [12] yields a cipher on $ni$ bits for any $i \ge 1$. Lucks [10] generalizes Luby-Rackoff to consider a three-round unbalanced Feistel network, using hash functions for round functions. This yields a block cipher for any given length $N$ starting with a PRF from $r$ bits to $l$ bits and another from $l$ bits to $r$ bits, where $l + r = N$. Starting from an $n$-bit block cipher, Bellare and Rogaway [3] construct and analyze a length-preserving cipher with domain $\{0,1\}^{\ge n}$. This is something more than making a block cipher on arbitrary $N \ge n$ bits. Anderson and Biham [1] provide two constructions for a block cipher (BEAR and LION) which use a hash function and a stream cipher. This again uses an unbalanced Feistel network.

It is unclear how to make any of the constructions above apply to message spaces which are not sets of strings. Probably several of the constructions can be modified, and in multiple ways, to deal with a message space $\mathcal{M} = [0, k-1]$, or with other message spaces.
The Hasty Pudding Cipher of Schroeppel and Orman [13] is a block cipher which works on any domain $[0, k-1]$. They use what is essentially Method 2, internally iterating the cipher until a proper domain point is reached. Schroeppel believes that the idea underlying this method dates back to the rotor machines used in the early 1900's.

Our notion of a pseudorandom function is due to Goldreich, Goldwasser and Micali [6]. Pseudorandom permutations are defined and constructed by Luby and Rackoff [9]. We use the adaptation of these notions to deal with finite objects, which first appears in Bellare, Kilian and Rogaway [2].

2 Preliminaries

Notation. If $A$ and $B$ are sets then $\mathrm{Rand}(A, B)$ is the set of all functions from $A$ to $B$. If $A$ or $B$ is a positive number, $n$, then the corresponding set is $[0, n-1]$. We write $\mathrm{Perm}(A)$ to denote the set of all permutations on the set $A$ and if $n$ is a positive number then the set is assumed to be $[0, n-1]$. By $x \stackrel{R}{\leftarrow} A$ we denote the experiment of choosing a random element from $A$.

A function family is a multiset $F = \{f : A \to B\}$, where $A, B \subseteq \{0,1\}^*$. Each element $f \in F$ has a name $K$, where $K \in \mathrm{Key}$. So, equivalently, a function family $F$ is a function $F : \mathrm{Key} \times A \to B$. We call $A$ the domain of $F$ and $B$ the range of $F$. The first argument to $F$ will be written as a subscript. A cipher is a function family $F : \mathrm{Key} \times A \to A$ where $F_K(\cdot)$ is always a permutation; a block cipher is a function family $F : \mathrm{Key} \times \{0,1\}^n \to \{0,1\}^n$ where $F_K(\cdot)$ is always a permutation. An ideal block cipher is a block cipher in which each permutation on $\{0,1\}^n$ is realized by exactly one $K \in \mathrm{Key}$.

An adversary is an algorithm with an oracle. The oracle computes some function. We write $A^{f(\cdot)}$ to indicate an adversary $A$ with oracle $f(\cdot)$. Adversaries are assumed to never ask a query outside the domain of the oracle, and to never repeat a query. Let $F : \mathrm{Key} \times A \to B$ be a function family and let $A$ be an adversary.
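In this paper, we measure security as the maximum advantage obtainable by some adversary; we use the following statistical measures:

$$\mathrm{Adv}^{\mathrm{prf}}_F(A) \stackrel{\mathrm{def}}{=} \Pr[f \stackrel{R}{\leftarrow} F : A^{f(\cdot)} = 1] - \Pr[R \stackrel{R}{\leftarrow} \mathrm{Rand}(A, B) : A^{R(\cdot)} = 1],$$

and when $A = B$

$$\mathrm{Adv}^{\mathrm{prp}}_F(A) \stackrel{\mathrm{def}}{=} \Pr[f \stackrel{R}{\leftarrow} F : A^{f(\cdot)} = 1] - \Pr[\pi \stackrel{R}{\leftarrow} \mathrm{Perm}(A) : A^{\pi(\cdot)} = 1].$$

Useful Facts. It is often convenient to replace random permutations with random functions, or vice versa. The following proposition lets us easily do this. For a proof see Proposition 2.5 in [2].

Lemma 1. [PRF/PRP Switching] Fix $n \ge 1$. Let $A$ be an adversary that asks at most $p$ queries. Then

$$\Pr[\pi \stackrel{R}{\leftarrow} \mathrm{Perm}(n) : A^{\pi(\cdot)} = 1] - \Pr[\rho \stackrel{R}{\leftarrow} \mathrm{Rand}(n, n) : A^{\rho(\cdot)} = 1] \le p^2/2^{n+1}.$$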
Algorithm Init_Px_K
    for j ← 0 to k − 1 do I_j ← E_K(j)
    for j ← 0 to k − 1 do J_j ← Ord(I_j, {I_j}_{j ∈ [0,k−1]})
    for j ← 0 to k − 1 do L_{J_j} ← j

Algorithm Px_K(m)
    return J_m

Algorithm Px_K^{-1}(m)
    return L_m

Fig. 1. Algorithms for the Prefix Cipher. First the initialization algorithm Init_Px_K is run. Then encipher with Px_K(m) and decipher with Px_K^{-1}(m).

3 Method 1: Prefix Cipher

Fix some integer $k$ and let $\mathcal{M}$ be the set $[0, k-1]$. Our goal is to build a cipher with domain $\mathcal{M}$. Our first approach is a simple, practical method for small values of $k$. We name this cipher Px. Our cipher will use some existing block cipher $E$ with key space $\mathcal{K}$ and whose domain is a superset of $\mathcal{M}$. The key space for Px will also be $\mathcal{K}$. To compute $\mathrm{Px}_K(m)$ for some $m \in \mathcal{M}$ and $K \in \mathcal{K}$ we first compute the tuple $I = (E_K(0)\ E_K(1)\ \cdots\ E_K(k-1))$. Since each element of $I$ is a distinct string, we may replace each element in $I$ with its ordinal position (starting from zero) to produce tuple $J$. And now to encipher any $m \in \mathcal{M}$ we compute $\mathrm{Px}_K(m)$ as simply the $m$-th component of $J$ (again counting from zero). The enciphering and deciphering algorithms are given in Figure 1.

Example. Suppose we wish to encipher $\mathcal{M} = \{0, 1, 2, 3, 4\}$. We choose some random key $K$ for some block cipher $E$. Let's assume $E$ is an 8-bit ideal block cipher; therefore $E_K$ is a uniformly chosen random permutation on $[0, 255]$. Next we encipher each element of $\mathcal{M}$. Let's say $E_K(0) = 166$, $E_K(1) = 6$, $E_K(2) = 130$, $E_K(3) = 201$, and $E_K(4) = 78$. So our tuple $I$ is (166 6 130 201 78) and $J$ is (3 0 2 4 1). We are now ready to encipher any $m \in \mathcal{M}$: we return the $m$-th element from $J$, counting from zero. For example we encipher 0 as 3, and 1 as 0, etc.

Analysis. Under the assumption that our underlying block cipher $E$ is ideal, $I$ is equally likely to be any of the permutations on $\mathcal{M}$. The proof of this fact is trivial and is omitted. The method remains good when $E$ is secure in the sense of a PRP. The argument is standard and is omitted.

Practical Considerations. Enciphering and deciphering are constant-time operations. The cost here is $O(k)$ time and space used in the initialization step.
This clearly means that this method is practical only for small values of $k$. A further practical consideration is that, although this initialization is a one-time cost, it results in a table of sensitive data which must be stored somewhere.
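The initialization and lookup steps of Figure 1, as an added Python example (not code from the paper). The name `build_prefix_tables` is chosen here; the first input is the paper's own five-point example, and the second uses HMAC-SHA256 under a constructed key as an assumed stand-in for $E_K$, since only distinct, orderable outputs are needed.

```python
import hashlib
import hmac


def build_prefix_tables(E, k):
    """Init_Px: return (J, L) with J[m] = Px_K(m) and L[c] = Px_K^{-1}(c).

    E is any callable giving distinct, comparable values on 0..k-1
    (in the paper: the block cipher E_K).
    """
    I = [E(j) for j in range(k)]
    if len(set(I)) != k:
        raise ValueError("E must be injective on [0, k-1]")
    # Ord(I_j, {I_j}): rank of I_j among all k values, counting from zero.
    by_value = sorted(range(k), key=lambda j: I[j])
    J = [0] * k
    for rank, j in enumerate(by_value):
        J[j] = rank
    # Inverse table: L[J[j]] = j.
    L = [0] * k
    for j, c in enumerate(J):
        L[c] = j
    return J, L


def hmac_stand_in(key):
    """Assumed stand-in for E_K: HMAC-SHA256 of the point (not a block cipher)."""
    def E(j):
        return hmac.new(key, j.to_bytes(8, "big"), hashlib.sha256).digest()
    return E


# The paper's example: E_K(0..4) = 166, 6, 130, 201, 78 for an 8-bit ideal cipher.
PAPER_E = {0: 166, 1: 6, 2: 130, 3: 201, 4: 78}
PAPER_J, PAPER_L = build_prefix_tables(PAPER_E.__getitem__, 5)

# A ten-thousand-point domain under a constructed demo key.
DEMO_J, DEMO_L = build_prefix_tables(hmac_stand_in(b"constructed demo key"), 10_000)

if __name__ == "__main__":
    print("J =", PAPER_J)
    print("L =", PAPER_L)
    c = DEMO_J[1234]
    print("Px(1234) =", c, "and Px^-1 of that =", DEMO_L[c])
```

Both tables hold one entry per domain point, which is the O(k) sensitive state the section refers to.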
Algorithm Cy_K(m)
    c ← E_K(m)
    if c ∈ M return c
    else return Cy_K(c)

Algorithm Cy_K^{-1}(m)
    c ← E_K^{-1}(m)
    if c ∈ M return c
    else return Cy_K^{-1}(c)

Fig. 2. Algorithms for the Cycle-Walking Cipher. We encipher with Cy_K(·) and decipher with Cy_K^{-1}(·).

4 Method 2: Cycle-Walking Cipher

This next method uses a block cipher whose domain is larger than $\mathcal{M}$, and then handles those cases where a point is out of range. Again we fix an integer $k$, let $\mathcal{M}$ be the set $[0, k-1]$, and devise a method to encipher $\mathcal{M}$. Let $N$ be the smallest power of 2 larger or equal to $k$, let $n$ be $\lg N$, and let $E_K(\cdot)$ be an $n$-bit block cipher. We construct the block cipher $\mathrm{Cy}_K$ on the set $\mathcal{M}$ by computing $c = E_K(m)$ and iterating if $c \notin \mathcal{M}$. The enciphering and deciphering algorithms are shown in Figure 2.

Example. Let $\mathcal{M} = [0, 10^6]$. Then $N = 2^{20}$ and so $n = 20$. We use some known method to build a 20-bit block cipher $E_K(\cdot)$ on the set $T$ = [0, ]. Now suppose we wish to encipher the point $m = 314159$; we compute $c_1 = E_K(314159)$ which yields some number in $T$, say . Since $c_1 \notin \mathcal{M}$, we iterate by computing $c_2 = E_K( )$ which is, say, 1729. Since $c_2 \in \mathcal{M}$, we output 1729 as $\mathrm{Cy}_K(314159)$. Decipherment is simply the reverse of this procedure.

Analysis. Let's view the permutation $E_K(\cdot)$ as a family of cycles: any point $m \in \mathcal{M}$ lies on some cycle and repeated applications of $E_K(\cdot)$ can be viewed as a particle walking along the cycle, starting at $m$. In fact, we can now think of our construction as follows: to encipher any point $m \in \mathcal{M}$ walk along the cycle containing $m$ until you encounter some point $c \in \mathcal{M}$. Then $c = \mathrm{Cy}_K(m)$. Of course this method assumes that one can efficiently test for membership in $\mathcal{M}$. This is trivial for our case when $\mathcal{M} = [0, k-1]$, but might not be for other sets.

Now we may easily see that $\mathrm{Cy}_K(\cdot)$ is well-defined: given any point $m \in \mathcal{M}$ if we apply $E_K(\cdot)$ enough times, we will arrive at a point in $\mathcal{M}$. This is because walking on $m$'s cycle must eventually arrive back at some point in $\mathcal{M}$, even if that point is $m$ itself. We can also see that $\mathrm{Cy}_K(\cdot)$ is invertible since inverting $\mathrm{Cy}_K(m)$ is equivalent to walking backwards on $m$'s cycle until finding some element in $\mathcal{M}$.
Therefore, we know $\mathrm{Cy}_K(\cdot)$ is a permutation on $\mathcal{M}$. However the question arises, how much security do we lose in deriving this permutation? The fortunate answer is, nothing.

Theorem 1. [Security of Cycle-Walking Cipher] Fix $k \ge 1$ and let $\mathcal{M} = [0, k-1]$. Let $E_K(\cdot)$ be an ideal block cipher on the set $T$ where $\mathcal{M} \subseteq T$. Choose a key $K$ uniformly at random and then construct $\mathrm{Cy}_K(\cdot)$ using $E_K(\cdot)$. Then $\mathrm{Cy}_K(\cdot)$ is a uniform random permutation on $\mathcal{M}$.
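Theorem 1 can be checked by brute force on a small domain. This added Python example (not from the paper) treats every permutation of $T = [0, t-1]$ as one key of an ideal cipher, applies the cycle-walking rule of Figure 2, and tallies which permutation of $\mathcal{M} = [0, k-1]$ results; the function names and the sizes t = 8, k = 5 are choices made here.

```python
from collections import Counter
from fractions import Fraction
from itertools import permutations


def cycle_walk(perm, m, k):
    """Cy_K(m): follow m's cycle in perm until landing back in [0, k-1].

    Returns (ciphertext, number of applications of the permutation).
    """
    c, calls = perm[m], 1
    while c >= k:  # c is outside M, keep walking
        c, calls = perm[c], calls + 1
    return c, calls


def survey(t, k):
    """Enumerate all t! 'keys' and tally the induced permutations of M.

    Returns (Counter mapping induced permutation -> number of keys,
             exact mean number of cipher calls per encipherment).
    """
    induced = Counter()
    total_calls = 0
    keys = 0
    for perm in permutations(range(t)):
        keys += 1
        image = []
        for m in range(k):
            c, calls = cycle_walk(perm, m, k)
            image.append(c)
            total_calls += calls
        induced[tuple(image)] += 1
    return induced, Fraction(total_calls, keys * k)


if __name__ == "__main__":
    induced, mean_calls = survey(8, 5)
    print(len(induced), "distinct permutations of M")
    print("keys per permutation:", sorted(set(induced.values())))
    print("mean cipher calls per encipherment:", mean_calls)
```

Every permutation of $\mathcal{M}$ is produced by the same number of keys, and the mean number of cipher calls stays below two, as the section's "expected two times (or fewer)" remark says.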
Proof. Fix some permutation $\pi$ on the set $\mathcal{M}$. We will show that an equal number of keys $K$ will give rise to $\pi$; this will imply the theorem. We proceed by induction, showing that the number of permutations on $\{0, \ldots, k-1, x\}$ which give rise under our construction to $\pi$ is constant. Since $\mathcal{M} \subseteq T$ we can repeatedly add all elements $x \in T - \mathcal{M}$ while maintaining that the number of permutations which give rise to $\pi$ is constant.

Decompose $\pi$ into $r$ cycles of lengths $l_1, l_2, \ldots, l_r$. We count the number of ways to insert the new element $x$. There are $l_i$ ways to insert $x$ into the $i$-th orbit corresponding to the $i$-th cycle, and one way to insert $x$ into a new orbit of its own (i.e., the permutation which fixes $x$). Therefore there are $\sum_{i=1}^{r} l_i + 1 = k$ ways to add element $x$ to $\pi$ yielding a permutation which will give rise to $\pi$ by repeated iterations. This holds no matter what $\pi$ we choose. Let $|T| = t$. Then by induction we see that there are exactly $\prod_{i=k}^{t} i$ keys $K$ under which our construction reduces $E_K(\cdot)$ to $\pi$.

Similar to the Prefix Cipher, our construction has retained all of the security of the underlying block cipher. Theorem 1 is an information-theoretic result. Passing to the corresponding complexity-theoretic result is standard. Because no security is lost in the information-theoretic setting, and because we apply $E$ an expected two times (or fewer), an adversary's maximal advantage to distinguish $E_K(\cdot)$ from a random permutation of $\mathbb{Z}_{2^n}$ in expected time $2t$ approximately upper bounds an adversary's maximal advantage to distinguish $\mathrm{Cy}_K(\cdot)$ from a random permutation on $\mathcal{M}$ in time $t$.

5 Method 3: Generalized-Feistel Cipher

Our final method works as follows: we decompose all the numbers in $\mathcal{M}$ into pairs of similarly sized numbers and then apply the well-known Feistel construction [14] to produce a cipher. Again we fix an integer $k$, let $\mathcal{M}$ be the set $[0, k-1]$, and devise a method to encipher $\mathcal{M}$. We call our cipher $\mathrm{Fe}[r, a, b]$ where $r$ is the number of rounds we use in our Feistel network and $a$ and $b$ are positive numbers such that $ab \ge k$. We use $a$ and $b$ to decompose any $m \in \mathcal{M}$ into two numbers for use as the inputs into the network.
Within the network we use $r$ random functions $F_1, \ldots, F_r$ whose ranges contain $\mathcal{M}$. The algorithms to encipher and decipher are given in Figure 3. Notice that if using the Feistel construction results in a number not in $\mathcal{M}$, we iterate just as we did for the Cycle-Walking Cipher.

Example. In order to specify some particular $\mathrm{Fe}[r, a, b]_K(\cdot)$ we must specify the numbers $a$ and $b$, the number of Feistel rounds $r$, and the choice of underlying functions $F_1, \ldots, F_r$ we will use. As a concrete example, let's take $k = 2^{35}$, $r = 3$, and a =  and b =  (methods for finding $a$ and $b$ will be discussed later). Note that $ab \ge k$ as required. Since $ab$ is larger than $k$, our Feistel construction will be on the set $\mathcal{M}'$ = [0, ($2^{35} - 1$) ], meaning there are  values
Algorithm Fe[r, a, b]_K(m)
    c ← fe[r, a, b]_K(m)
    if c ∈ M return c
    else return Fe[r, a, b]_K(c)

Algorithm fe[r, a, b]_K(m)
    L ← m mod a; R ← ⌊m/a⌋
    for j ← 1 to r do
        if (j is odd) then tmp ← (L + F_j(R)) mod a
        else tmp ← (L + F_j(R)) mod b
        L ← R; R ← tmp
    if (r is odd) then return aL + R
    else return aR + L

Algorithm Fe[r, a, b]_K^{-1}(m)
    c ← fe[r, a, b]_K^{-1}(m)
    if c ∈ M return c
    else return Fe[r, a, b]_K^{-1}(c)

Algorithm fe[r, a, b]_K^{-1}(m)
    if (r is odd) then R ← m mod a; L ← ⌊m/a⌋
    else L ← m mod a; R ← ⌊m/a⌋
    for j ← r to 1 do
        if (j is odd) then tmp ← (R − F_j(L)) mod a
        else tmp ← (R − F_j(L)) mod b
        R ← L; L ← tmp
    return aR + L

Fig. 3. Algorithms for the Generalized-Feistel Cipher. We encipher with Fe[r, a, b]_K(·) and decipher with Fe[r, a, b]_K^{-1}(·). Here a and b are the numbers used to bijectively map all m ∈ M into L, and R, and r is the number of rounds of Feistel we will apply. The key K is implicitly used to select the r functions F_1, ..., F_r.

which are in $\mathcal{M}' - \mathcal{M}$ for which we will have to iterate (just as we did for the Cycle-Walking Cipher). Let's use DES with independent keys as our underlying PRFs. DES is a 64-bit cipher which uses a 56-bit key; we will regard the 64-bit strings on which DES operates as integers in the range [0, ] in the natural way. We need three PRFs so our key $K = K_1 K_2 K_3$ will be $3 \times 56 = 168$ bits. Now to compute Fe[3, , ](m) we compute L = m mod , and $R = \lfloor m/185360 \rfloor$, and then perform three rounds of Feistel using $\mathrm{DES}_{K_1}(\cdot)$, $\mathrm{DES}_{K_2}(\cdot)$, and $\mathrm{DES}_{K_3}(\cdot)$ as our underlying PRFs. The first round results in L ← ⌊m/ ⌋ and R ← ((m mod ) + DES_{K_1}(⌊m/ ⌋)) mod , and so on.

Analysis. First we note that $\mathrm{Fe}[r, a, b](\cdot)$ is a permutation: it is well-known that the Feistel construction produces a permutation, and we showed previously that
iterating any permutation is a permutation. We now analyze how good this Generalized-Feistel Cipher is for the three-round case. Assuming the underlying functions $F_1$, $F_2$, and $F_3$ used in our construction are truly random functions, we will compare how close $\mathrm{Fe}[3, a, b](\cdot)$ is to a truly random permutation. Passing to the complexity-theoretic setting is then standard, and therefore omitted.

Theorem 2. [Security of Generalized-Feistel Cipher] Fix $k \ge 1$ and let $\mathcal{M} = [0, k-1]$. Fix two numbers $a, b > 0$ such that $ab \ge k$. Let  = $ab - k$. Fix an $n$ such that $2^n > a$ and $2^n > b$. Let $D$ be an adversary which asks $q$ queries of her oracle. Then

$\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{Fe}}(D) = \Pr[F_1, F_2, F_3 \stackrel{R}{\leftarrow} \mathrm{Rand}(2^n, 2^n) : D^{\mathrm{Fe}[3,a,b](\cdot)} = 1] - \Pr[\rho \stackrel{R}{\leftarrow} \mathrm{Rand}(k, k) : D^{\rho(\cdot)} = 1] \le$ (q + )2 2 n+1 ( 2 n /a + 2 n /b ).

The proof is an adaptation of Luby's analysis from Lecture 13 of [8], which is in turn based on [9]. It can be found in Appendix A.

Finally, we must adjust this bound to account for the fact that we have compared $\mathrm{Fe}[3, a, b]_K(\cdot)$ with a random function instead of a random permutation. We can invoke Lemma 1 which gives us a final bound quantifying the quality of our construction:

$\mathrm{Adv}^{\mathrm{prp}}_{\mathrm{Fe}}(D) = \Pr[F_1, F_2, F_3 \stackrel{R}{\leftarrow} \mathrm{Rand}(2^n, 2^n) : D^{\mathrm{Fe}[3,a,b](\cdot)} = 1] - \Pr[\pi \stackrel{R}{\leftarrow} \mathrm{Perm}(k) : D^{\pi(\cdot)} = 1] \le$ (q + )2 + q 2 2 n+1 ( 2 n /a + 2 n /b ).

6 Discussion

Prefix Cipher. Our first method, the Prefix Cipher, is useful only for suitably small $k$. Since enciphering one point requires enciphering all $k$ points in $[0, k-1]$, many applications would find this prohibitively expensive for all but fairly small values of $k$.

Cycle-Walking Cipher. Our second method, the Cycle-Walking Cipher, can be quite practical. If $k$ is just smaller than some power of 2, the number of points we have to walk through during any given encipherment is correspondingly small. In the worst case, however, $k$ is one larger than a power of 2, and (with extremely bad luck) might require $k$ calls to the underlying block cipher to encipher just one point. But if the underlying block cipher is good we require, in the worst case, an expected two calls to it in order to encipher and decipher any point.
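Figure 3 in runnable form, as an added Python example rather than the paper's code: HMAC-SHA256 under per-round keys stands in for the PRFs $F_1, \ldots, F_r$ (the paper's example uses DES), and the class name, the round-key derivation and the demo parameters are assumptions made here. The same block also exercises the cycle-walking step of Method 2, since Fe iterates fe until the result lies in $\mathcal{M}$.

```python
import hashlib
import hmac


class GeneralizedFeistel:
    """Fe[r, a, b] on M = [0, k-1]: Feistel over Z_a x Z_b plus cycle-walking."""

    def __init__(self, key, k, a, b, rounds=3):
        if a <= 0 or b <= 0 or a * b < k:
            raise ValueError("need a, b > 0 and a*b >= k")
        self.k, self.a, self.b, self.r = k, a, b, rounds
        # Assumption: one round key per F_j, derived from a master key.
        self.round_keys = [
            hmac.new(key, b"Fe round %d" % j, hashlib.sha256).digest()
            for j in range(1, rounds + 1)
        ]
        self.width = (max(a, b).bit_length() + 7) // 8

    def _F(self, j, x):
        """Round function F_j, read as an integer in [0, 2^256 - 1]."""
        msg = x.to_bytes(self.width, "big")
        mac = hmac.new(self.round_keys[j - 1], msg, hashlib.sha256)
        return int.from_bytes(mac.digest(), "big")

    def _fe(self, m):
        """One pass of the r-round network on [0, ab - 1]."""
        a, b = self.a, self.b
        L, R = m % a, m // a
        for j in range(1, self.r + 1):
            modulus = a if j % 2 == 1 else b
            L, R = R, (L + self._F(j, R)) % modulus
        return a * L + R if self.r % 2 == 1 else a * R + L

    def _fe_inv(self, c):
        """Inverse pass: undo the rounds from r down to 1."""
        a, b = self.a, self.b
        if self.r % 2 == 1:
            R, L = c % a, c // a
        else:
            L, R = c % a, c // a
        for j in range(self.r, 0, -1):
            modulus = a if j % 2 == 1 else b
            L, R = (R - self._F(j, L)) % modulus, L
        return a * R + L

    def _walk(self, step, x):
        if not 0 <= x < self.k:
            raise ValueError("point outside [0, k-1]")
        y = step(x)
        while y >= self.k:  # landed in [k, ab - 1]: iterate, as in Method 2
            y = step(y)
        return y

    def encipher(self, m):
        return self._walk(self._fe, m)

    def decipher(self, c):
        return self._walk(self._fe_inv, c)


def is_permutation_with_inverse(cipher):
    """Exhaustively check that encipher is a bijection on M and decipher inverts it."""
    images = [cipher.encipher(m) for m in range(cipher.k)]
    return (sorted(images) == list(range(cipher.k))
            and all(cipher.decipher(c) == m for m, c in enumerate(images)))


# Constructed demo parameters: k = 1000 with a = 30, b = 34 (ab = 1020 >= k).
SMALL = GeneralizedFeistel(b"constructed demo key", k=1000, a=30, b=34)

# k = 2^35 with the divisor 185360 that appears in the paper's example;
# b is computed here as the smallest integer with ab >= k.
K35, A35 = 2 ** 35, 185360
LARGE = GeneralizedFeistel(b"constructed demo key", K35, A35, -(-K35 // A35))

if __name__ == "__main__":
    print("small domain is a permutation:", is_permutation_with_inverse(SMALL))
    c = LARGE.encipher(314159)
    print("Fe(314159) =", c, "and back:", LARGE.decipher(c))
```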
Generalized-Feistel Cipher. To get the best bound we should select $a$ and $b$ such that these numbers are somewhat close together and such that  = $ab - k$ is small. One obvious technique is to try numbers near $\sqrt{k}$; for example, taking $a = b = \lceil \sqrt{k} \rceil$ means that $ab - k$ will never be more than $2\sqrt{k} + 1$. But often one can do better. Another way to improve the bound is to ensure $n$ is suitably large. The tail effects spoken of in the proof are diminished as $n$ grows (because as $2^n$ gets larger 2 n /a /2 n gets closer to $1/a$).

The One-Off Construction. Another method, not mentioned above, works well for domains which are one element larger than a domain we can accommodate efficiently. Say we have a cipher $E$ with domain $[0, k-1]$ and we wish to construct a cipher $E'$ with domain $[0, k]$. We choose a key $K' = \{K, r\}$ for $E'$ by choosing a key $K$ for $E$ and a random number $r \in [0, k]$. We then compute $E'_{K'}(X)$ as follows:

$$E'_{K'}(X) = \begin{cases} r & \text{if } X = k \\ k & \text{if } X = E_K^{-1}(r) \\ E_K(X) & \text{otherwise} \end{cases}$$

The security of this construction is tightly related to the security of $E$ and the method for selecting $r$. The analysis is omitted. Of course we can use this method to repeatedly extend the domain of any cipher to the size of choice, but for most settings it is impractical to do this more than a few times. A typical method for generating $r$ would be to take $r = E_K(0) \bmod (k + 1)$ where $K$ is a new randomly-selected key. The tail effect here is not too bad, but will cause a rapid deterioration of the security bound when used too often. Also, the scheme begins to become quite inefficient when we extend the domain in this way too many times.

Other Domains. Though we have spoken in terms of the domain $[0, k-1]$ the same methods work for other domains, too. For example, to encipher in $\mathbb{Z}_N^*$, where $N = pq$ is a 1024-bit product of two primes, one can use either cycle-walking or the generalized-Feistel construction, iterating in the highly unlikely event that a point is in $\mathbb{Z}_N$ but not in $\mathbb{Z}_N^*$.

We may also use our methods to encipher points from an elliptic curve group (EC group).
There are well-known compact representations of the points in EC groups, and these representations form our starting point. For example, one finds in [5] simple algorithms to compress the representation of a point in an EC group. Consider the EC group $G$ over the field $F_q$ where $q$ is either a power of two or a prime. Then any point $(x, y) \in G$ may be represented as a member of $F_q$ together with a single bit. Let's consider first the case where $q = 2^m$ with $m > 0$. The Hasse theorem (see [5], page 8) guarantees at least $d(r) = r + 1 - 2\sqrt{r}$ points in $G$. Since it is possible to represent any point in $G$ with $m + 1$ bits and it is also possible to efficiently test for membership in $G$, we could use the cycle-walking construction over a $2^{m+1}$-bit cipher. The expected number of invocations of this cipher to encipher a point in $G$ is then $2^{m+1}/d(2^m) \approx 2$.
If $q$ is instead a prime $p$, we can represent any point in $G$ as a number $x \in [0, p-1]$ and a single bit $y$. We may again use any of our methods to encipher these $2p$ points. Here the Hasse theorem ([5], page 7) guarantees at least $d(p)$ points in $G$ and once again an efficient test for membership in $G$ exists. Therefore we may use the cycle-walking construction over some $\lg 2p$-bit cipher. However if $2p$ is not close to a power of 2, we may wish to instead use the generalized-Feistel construction.

Open Problems. As mentioned already, we have not provided any construction which works well (and provably so) for intermediate-sized values of $k$. For example, suppose you are given an ideal block cipher $\Pi$ on 128-bit strings, and you want to approximate a random permutation $\pi$ on, say, 40-bit strings. Probably enough rounds of Feistel work, but remember that our security goal is that even if an adversary inquires about all $2^{40}$ points, still she should be unable to distinguish $\pi$ from a random permutation on 40 bits. Known bounds are not nearly so strong. Of course the prefix method works, but spending $2^{40}$ time and space to encipher the first point is not practical.

Acknowledgments

Special thanks to Richard Schroeppel who made many useful comments on an earlier draft. Thanks also to Mihir Bellare, David McGrew, and Silvio Micali for their helpful comments. This paper was written while Rogaway was on leave of absence from UC Davis, visiting the Department of Computer Science, Faculty of Science, Chiang Mai University. This work was supported under NSF CAREER award CCR , and by a generous gift from Cisco Systems.

References

1. Anderson, R., and Biham, E. Two practical and provably secure block ciphers: BEAR and LION. In Fast Software Encryption (1996), vol. of Lecture Notes in Computer Science, Springer-Verlag, pp.
2. Bellare, M., Kilian, J., and Rogaway, P. The security of the cipher block chaining message authentication code. Journal of Computer and System Sciences 61, 3 (2000), Earlier version in CRYPTO '94. See rogaway.
3. Bellare, M., and Rogaway, P. On the construction of variable-input-length ciphers.
In Fast Software Encryption (1999), vol. of Lecture Notes in Computer Science, Springer-Verlag. See rogaway.
4. Bellovin, S., and Merritt, M. Encrypted key exchange: password-based protocols secure against dictionary attacks. In 1992 IEEE Computer Society Symposium on Research in Security and Privacy (1992), IEEE Computer Society Press, pp.
5. Certicom Research. Standards for efficient cryptography, SEC1: Elliptic curve cryptography, version 1, Sept Available online at
6. Goldreich, O., Goldwasser, S., and Micali, S. How to construct random functions. Journal of the ACM 33, 4 (1986),
More information1 Approximation Algorithms
CME 305: Dscrete Mathematcs and Algorthms 1 Approxmaton Algorthms In lght of the apparent ntractablty of the problems we beleve not to le n P, t makes sense to pursue deas other than complete solutons
More informationProactive Secret Sharing Or: How to Cope With Perpetual Leakage
Proactve Secret Sharng Or: How to Cope Wth Perpetual Leakage Paper by Amr Herzberg Stanslaw Jareck Hugo Krawczyk Mot Yung Presentaton by Davd Zage What s Secret Sharng Basc Idea ((2, 2)threshold scheme):
More informationInstitute of Informatics, Faculty of Business and Management, Brno University of Technology,Czech Republic
Lagrange Multplers as Quanttatve Indcators n Economcs Ivan Mezník Insttute of Informatcs, Faculty of Busness and Management, Brno Unversty of TechnologCzech Republc Abstract The quanttatve role of Lagrange
More informationPSYCHOLOGICAL RESEARCH (PYC 304C) Lecture 12
14 The Chsquared dstrbuton PSYCHOLOGICAL RESEARCH (PYC 304C) Lecture 1 If a normal varable X, havng mean µ and varance σ, s standardsed, the new varable Z has a mean 0 and varance 1. When ths standardsed
More informationCompact CCA2secure Hierarchical IdentityBased Broadcast Encryption for Fuzzyentity Data Sharing
Compact CCA2secure Herarchcal IdenttyBased Broadcast Encrypton for Fuzzyentty Data Sharng Weran Lu 1, Janwe Lu 1, Qanhong Wu 1, Bo Qn 2, Davd Naccache 3, and Houda Ferrad 4 1 School of Electronc and
More information1. Math 210 Finite Mathematics
1. ath 210 Fnte athematcs Chapter 5.2 and 5.3 Annutes ortgages Amortzaton Professor Rchard Blecksmth Dept. of athematcal Scences Northern Illnos Unversty ath 210 Webste: http://math.nu.edu/courses/math210
More informationFormula of Total Probability, Bayes Rule, and Applications
1 Formula of Total Probablty, Bayes Rule, and Applcatons Recall that for any event A, the par of events A and A has an ntersecton that s empty, whereas the unon A A represents the total populaton of nterest.
More informationComplete Fairness in Secure TwoParty Computation
Complete Farness n Secure TwoParty Computaton S. Dov Gordon Carmt Hazay Jonathan Katz Yehuda Lndell Abstract In the settng of secure twoparty computaton, two mutually dstrustng partes wsh to compute
More informationA Probabilistic Theory of Coherence
A Probablstc Theory of Coherence BRANDEN FITELSON. The Coherence Measure C Let E be a set of n propostons E,..., E n. We seek a probablstc measure C(E) of the degree of coherence of E. Intutvely, we want
More informationThursday, December 10, 2009 Noon  1:50 pm Faraday 143
1. ath 210 Fnte athematcs Chapter 5.2 and 4.3 Annutes ortgages Amortzaton Professor Rchard Blecksmth Dept. of athematcal Scences Northern Illnos Unversty ath 210 Webste: http://math.nu.edu/courses/math210
More information8.5 UNITARY AND HERMITIAN MATRICES. The conjugate transpose of a complex matrix A, denoted by A*, is given by
6 CHAPTER 8 COMPLEX VECTOR SPACES 5. Fnd the kernel of the lnear transformaton gven n Exercse 5. In Exercses 55 and 56, fnd the mage of v, for the ndcated composton, where and are gven by the followng
More information+ + +   This circuit than can be reduced to a planar circuit
MeshCurrent Method The meshcurrent s analog of the nodeoltage method. We sole for a new set of arables, mesh currents, that automatcally satsfy KCLs. As such, meshcurrent method reduces crcut soluton to
More information1. Fundamentals of probability theory 2. Emergence of communication traffic 3. Stochastic & Markovian Processes (SP & MP)
6.3 /  Communcaton Networks II (Görg) SS20  www.comnets.unbremen.de Communcaton Networks II Contents. Fundamentals of probablty theory 2. Emergence of communcaton traffc 3. Stochastc & Markovan Processes
More informationUsing Series to Analyze Financial Situations: Present Value
2.8 Usng Seres to Analyze Fnancal Stuatons: Present Value In the prevous secton, you learned how to calculate the amount, or future value, of an ordnary smple annuty. The amount s the sum of the accumulated
More informationNew bounds in BalogSzemerédiGowers theorem
New bounds n BalogSzemerédGowers theorem By Tomasz Schoen Abstract We prove, n partcular, that every fnte subset A of an abelan group wth the addtve energy κ A 3 contans a set A such that A κ A and A
More informationDEFINING %COMPLETE IN MICROSOFT PROJECT
CelersSystems DEFINING %COMPLETE IN MICROSOFT PROJECT PREPARED BY James E Aksel, PMP, PMISP, MVP For Addtonal Informaton about Earned Value Management Systems and reportng, please contact: CelersSystems,
More informationLinear Circuits Analysis. Superposition, Thevenin /Norton Equivalent circuits
Lnear Crcuts Analyss. Superposton, Theenn /Norton Equalent crcuts So far we hae explored tmendependent (resste) elements that are also lnear. A tmendependent elements s one for whch we can plot an / cure.
More informationSupport Vector Machines
Support Vector Machnes Max Wellng Department of Computer Scence Unversty of Toronto 10 Kng s College Road Toronto, M5S 3G5 Canada wellng@cs.toronto.edu Abstract Ths s a note to explan support vector machnes.
More informationFast Variants of RSA
Fast Varants of RSA Dan Boneh dabo@cs.stanford.edu Hovav Shacham hovav@cs.stanford.edu Abstract We survey three varants of RSA desgned to speed up RSA decrypton. These varants are backwards compatble n
More informationProject Networks With MixedTime Constraints
Project Networs Wth MxedTme Constrants L Caccetta and B Wattananon Western Australan Centre of Excellence n Industral Optmsaton (WACEIO) Curtn Unversty of Technology GPO Box U1987 Perth Western Australa
More informationSection 5.4 Annuities, Present Value, and Amortization
Secton 5.4 Annutes, Present Value, and Amortzaton Present Value In Secton 5.2, we saw that the present value of A dollars at nterest rate per perod for n perods s the amount that must be deposted today
More informationSection 5.3 Annuities, Future Value, and Sinking Funds
Secton 5.3 Annutes, Future Value, and Snkng Funds Ordnary Annutes A sequence of equal payments made at equal perods of tme s called an annuty. The tme between payments s the payment perod, and the tme
More informationQUESTIONS, How can quantum computers do the amazing things that they are able to do, such. cryptography quantum computers
2O cryptography quantum computers cryptography quantum computers QUESTIONS, Quantum Computers, and Cryptography A mathematcal metaphor for the power of quantum algorthms Mark Ettnger How can quantum computers
More informationRUHRUNIVERSITÄT BOCHUM
RUHRUNIVERSITÄT BOCHUM Horst Görtz Insttute for IT Securty Techncal Report TRHGI2006002 Survey on Securty Requrements and Models for Group Key Exchange Mark Manuls Char for Network and Data Securty
More informationAn InterestOriented Network Evolution Mechanism for Online Communities
An InterestOrented Network Evoluton Mechansm for Onlne Communtes Cahong Sun and Xaopng Yang School of Informaton, Renmn Unversty of Chna, Bejng 100872, P.R. Chna {chsun,yang}@ruc.edu.cn Abstract. Onlne
More informationLecture 3: Annuity. Study annuities whose payments form a geometric progression or a arithmetic progression.
Lecture 3: Annuty Goals: Learn contnuous annuty and perpetuty. Study annutes whose payments form a geometrc progresson or a arthmetc progresson. Dscuss yeld rates. Introduce Amortzaton Suggested Textbook
More informationCommunication Networks II Contents
8 / 1  Communcaton Networs II (Görg)  www.comnets.unbremen.de Communcaton Networs II Contents 1 Fundamentals of probablty theory 2 Traffc n communcaton networs 3 Stochastc & Marovan Processes (SP
More informationImplementation of Deutsch's Algorithm Using Mathcad
Implementaton of Deutsch's Algorthm Usng Mathcad Frank Roux The followng s a Mathcad mplementaton of Davd Deutsch's quantum computer prototype as presented on pages  n "Machnes, Logc and Quantum Physcs"
More informationPractical and Secure Solutions for Integer Comparison
In Publc Key Cryptography PKC 07, Vol. 4450 of Lecture Notes n Computer Scence, SprngerVerlag, 2007. pp. 330342. Practcal and Secure Solutons for Integer Comparson Juan Garay 1, erry Schoenmakers 2,
More information7.5. Present Value of an Annuity. Investigate
7.5 Present Value of an Annuty Owen and Anna are approachng retrement and are puttng ther fnances n order. They have worked hard and nvested ther earnngs so that they now have a large amount of money on
More informationIdentityBased Encryption Gone Wild
An extended abstract of ths paper appeared n Mchele Bugles, Bart Preneel, Vladmro Sassone, and Ingo Wegener, edtors, 33rd Internatonal Colloquum on Automata, Languages and Programmng ICALP 2006, volume
More informationErrorPropagation.nb 1. Error Propagation
ErrorPropagaton.nb Error Propagaton Suppose that we make observatons of a quantty x that s subject to random fluctuatons or measurement errors. Our best estmate of the true value for ths quantty s then
More informationThe Development of Web Log Mining Based on ImproveKMeans Clustering Analysis
The Development of Web Log Mnng Based on ImproveKMeans Clusterng Analyss TngZhong Wang * College of Informaton Technology, Luoyang Normal Unversty, Luoyang, 471022, Chna wangtngzhong2@sna.cn Abstract.
More informationx f(x) 1 0.25 1 0.75 x 1 0 1 1 0.04 0.01 0.20 1 0.12 0.03 0.60
BIVARIATE DISTRIBUTIONS Let be a varable that assumes the values { 1,,..., n }. Then, a functon that epresses the relatve frequenc of these values s called a unvarate frequenc functon. It must be true
More informationNumber of Levels Cumulative Annual operating Income per year construction costs costs ($) ($) ($) 1 600,000 35,000 100,000 2 2,200,000 60,000 350,000
Problem Set 5 Solutons 1 MIT s consderng buldng a new car park near Kendall Square. o unversty funds are avalable (overhead rates are under pressure and the new faclty would have to pay for tself from
More informationJ. Parallel Distrib. Comput.
J. Parallel Dstrb. Comput. 71 (2011) 62 76 Contents lsts avalable at ScenceDrect J. Parallel Dstrb. Comput. journal homepage: www.elsever.com/locate/jpdc Optmzng server placement n dstrbuted systems n
More informationCalculating the high frequency transmission line parameters of power cables
< ' Calculatng the hgh frequency transmsson lne parameters of power cables Authors: Dr. John Dcknson, Laboratory Servces Manager, N 0 RW E B Communcatons Mr. Peter J. Ncholson, Project Assgnment Manager,
More informationQuantization Effects in Digital Filters
Quantzaton Effects n Dgtal Flters Dstrbuton of Truncaton Errors In two's complement representaton an exact number would have nfntely many bts (n general). When we lmt the number of bts to some fnte value
More informationPKIS: practical keyword index search on cloud datacenter
Park et al. EURASIP Journal on Wreless Communcatons and Networkng 20, 20:64 http://jwcn.euraspjournals.com/content/20//64 RESEARCH Open Access PKIS: practcal keyword ndex search on cloud datacenter HyunA
More informationCHOLESTEROL REFERENCE METHOD LABORATORY NETWORK. Sample Stability Protocol
CHOLESTEROL REFERENCE METHOD LABORATORY NETWORK Sample Stablty Protocol Background The Cholesterol Reference Method Laboratory Network (CRMLN) developed certfcaton protocols for total cholesterol, HDL
More informationInequality and The Accounting Period. Quentin Wodon and Shlomo Yitzhaki. World Bank and Hebrew University. September 2001.
Inequalty and The Accountng Perod Quentn Wodon and Shlomo Ytzha World Ban and Hebrew Unversty September Abstract Income nequalty typcally declnes wth the length of tme taen nto account for measurement.
More informationInterIng 2007. INTERDISCIPLINARITY IN ENGINEERING SCIENTIFIC INTERNATIONAL CONFERENCE, TG. MUREŞ ROMÂNIA, 1516 November 2007.
InterIng 2007 INTERDISCIPLINARITY IN ENGINEERING SCIENTIFIC INTERNATIONAL CONFERENCE, TG. MUREŞ ROMÂNIA, 1516 November 2007. UNCERTAINTY REGION SIMULATION FOR A SERIAL ROBOT STRUCTURE MARIUS SEBASTIAN
More informationSecure Network Coding Over the Integers
Secure Network Codng Over the Integers Rosaro Gennaro Jonathan Katz Hugo Krawczyk Tal Rabn Abstract Network codng has receved sgnfcant attenton n the networkng communty for ts potental to ncrease throughput
More informationThe Magnetic Field. Concepts and Principles. Moving Charges. Permanent Magnets
. The Magnetc Feld Concepts and Prncples Movng Charges All charged partcles create electrc felds, and these felds can be detected by other charged partcles resultng n electrc force. However, a completely
More informationVembu StoreGrid Windows Client Installation Guide
Ser v cepr ov dered t on Cl enti nst al l at ongu de W ndows Vembu StoreGrd Wndows Clent Installaton Gude Download the Wndows nstaller, VembuStoreGrd_4_2_0_SP_Clent_Only.exe To nstall StoreGrd clent on
More informationA Performance Analysis of View Maintenance Techniques for Data Warehouses
A Performance Analyss of Vew Mantenance Technques for Data Warehouses Xng Wang Dell Computer Corporaton Round Roc, Texas Le Gruenwald The nversty of Olahoma School of Computer Scence orman, OK 739 Guangtao
More informationJoe Pimbley, unpublished, 2005. Yield Curve Calculations
Joe Pmbley, unpublshed, 005. Yeld Curve Calculatons Background: Everythng s dscount factors Yeld curve calculatons nclude valuaton of forward rate agreements (FRAs), swaps, nterest rate optons, and forward
More informationOn Mean Squared Error of Hierarchical Estimator
S C H E D A E I N F O R M A T I C A E VOLUME 0 0 On Mean Squared Error of Herarchcal Estmator Stans law Brodowsk Faculty of Physcs, Astronomy, and Appled Computer Scence, Jagellonan Unversty, Reymonta
More information21 Vectors: The Cross Product & Torque
21 Vectors: The Cross Product & Torque Do not use our left hand when applng ether the rghthand rule for the cross product of two vectors dscussed n ths chapter or the rghthand rule for somethng curl
More informationLogistic Regression. Lecture 4: More classifiers and classes. Logistic regression. Adaboost. Optimization. Multiple class classification
Lecture 4: More classfers and classes C4B Machne Learnng Hlary 20 A. Zsserman Logstc regresson Loss functons revsted Adaboost Loss functons revsted Optmzaton Multple class classfcaton Logstc Regresson
More informationPowerofTwo Policies for Single Warehouse MultiRetailer Inventory Systems with Order Frequency Discounts
Powerofwo Polces for Sngle Warehouse MultRetaler Inventory Systems wth Order Frequency Dscounts José A. Ventura Pennsylvana State Unversty (USA) Yale. Herer echnon Israel Insttute of echnology (Israel)
More information2.4 Bivariate distributions
page 28 2.4 Bvarate dstrbutons 2.4.1 Defntons Let X and Y be dscrete r.v.s defned on the same probablty space (S, F, P). Instead of treatng them separately, t s often necessary to thnk of them actng together
More informationAN EFFICIENT GROUP AUTHENTICATION FOR GROUP COMMUNICATIONS
Internatonal Journal of Network Securty & Its Applcatons (IJNSA), Vol.5, No.3, May 2013 AN EFFICIENT GROUP AUTHENTICATION FOR GROUP COMMUNICATIONS Len Harn 1 and Changlu Ln 2 1 Department of Computer Scence
More informationTo Fill or not to Fill: The Gas Station Problem
To Fll or not to Fll: The Gas Staton Problem Samr Khuller Azarakhsh Malekan Julán Mestre Abstract In ths paper we study several routng problems that generalze shortest paths and the Travelng Salesman Problem.
More informationHow Much to Bet on Video Poker
How Much to Bet on Vdeo Poker Trstan Barnett A queston that arses whenever a gae s favorable to the player s how uch to wager on each event? Whle conservatve play (or nu bet nzes large fluctuatons, t lacks
More informationLecture 3: Force of Interest, Real Interest Rate, Annuity
Lecture 3: Force of Interest, Real Interest Rate, Annuty Goals: Study contnuous compoundng and force of nterest Dscuss real nterest rate Learn annutymmedate, and ts present value Study annutydue, and
More informationA hybrid global optimization algorithm based on parallel chaos optimization and outlook algorithm
Avalable onlne www.ocpr.com Journal of Chemcal and Pharmaceutcal Research, 2014, 6(7):18841889 Research Artcle ISSN : 09757384 CODEN(USA) : JCPRC5 A hybrd global optmzaton algorthm based on parallel
More informationRing structure of splines on triangulations
www.oeaw.ac.at Rng structure of splnes on trangulatons N. Vllamzar RICAMReport 201448 www.rcam.oeaw.ac.at RING STRUCTURE OF SPLINES ON TRIANGULATIONS NELLY VILLAMIZAR Introducton For a trangulated regon
More informationGeneralizing the degree sequence problem
Mddlebury College March 2009 Arzona State Unversty Dscrete Mathematcs Semnar The degree sequence problem Problem: Gven an nteger sequence d = (d 1,...,d n ) determne f there exsts a graph G wth d as ts
More informationTrafficlight a stress test for life insurance provisions
MEMORANDUM Date 006097 Authors Bengt von Bahr, Göran Ronge Traffclght a stress test for lfe nsurance provsons Fnansnspetonen P.O. Box 6750 SE113 85 Stocholm [Sveavägen 167] Tel +46 8 787 80 00 Fax
More informationCalculation of Sampling Weights
Perre Foy Statstcs Canada 4 Calculaton of Samplng Weghts 4.1 OVERVIEW The basc sample desgn used n TIMSS Populatons 1 and 2 was a twostage stratfed cluster desgn. 1 The frst stage conssted of a sample
More informationActivity Scheduling for CostTime Investment Optimization in Project Management
PROJECT MANAGEMENT 4 th Internatonal Conference on Industral Engneerng and Industral Management XIV Congreso de Ingenería de Organzacón Donosta San Sebastán, September 8 th 10 th 010 Actvty Schedulng
More informationVision Mouse. Saurabh Sarkar a* University of Cincinnati, Cincinnati, USA ABSTRACT 1. INTRODUCTION
Vson Mouse Saurabh Sarkar a* a Unversty of Cncnnat, Cncnnat, USA ABSTRACT The report dscusses a vson based approach towards trackng of eyes and fngers. The report descrbes the process of locatng the possble
More informationWe are now ready to answer the question: What are the possible cardinalities for finite fields?
Chapter 3 Fnte felds We have seen, n the prevous chapters, some examples of fnte felds. For example, the resdue class rng Z/pZ (when p s a prme) forms a feld wth p elements whch may be dentfed wth the
More information1.1 The University may award Higher Doctorate degrees as specified from timetotime in UPR AS11 1.
HIGHER DOCTORATE DEGREES SUMMARY OF PRINCIPAL CHANGES General changes None Secton 3.2 Refer to text (Amendments to verson 03.0, UPR AS02 are shown n talcs.) 1 INTRODUCTION 1.1 The Unversty may award Hgher
More informationTracker: Security and Privacy for RFIDbased Supply Chains
Tracker: Securty and Prvacy for RFIDbased Supply Chans ErkOlver Blass Kaoutar Elkhyaou Refk Molva EURECOM Sopha Antpols, France {blass elkhyao molva}@eurecom.fr Abstract The counterfetng of pharmaceutcs
More informationTHE METHOD OF LEAST SQUARES THE METHOD OF LEAST SQUARES
The goal: to measure (determne) an unknown quantty x (the value of a RV X) Realsaton: n results: y 1, y 2,..., y j,..., y n, (the measured values of Y 1, Y 2,..., Y j,..., Y n ) every result s encumbered
More informationData Broadcast on a MultiSystem Heterogeneous Overlayed Wireless Network *
JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 24, 819840 (2008) Data Broadcast on a MultSystem Heterogeneous Overlayed Wreless Network * Department of Computer Scence Natonal Chao Tung Unversty Hsnchu,
More informationFinite Math Chapter 10: Study Guide and Solution to Problems
Fnte Math Chapter 10: Study Gude and Soluton to Problems Basc Formulas and Concepts 10.1 Interest Basc Concepts Interest A fee a bank pays you for money you depost nto a savngs account. Prncpal P The amount
More informationProvably Secure Single Signon Scheme in Distributed Systems and Networks
0 IEEE th Internatonal Conference on Trust, Securty and Prvacy n Computng and Communcatons Provably Secure Sngle Sgnon Scheme n Dstrbuted Systems and Networks Jangshan Yu, Guln Wang, and Y Mu Center for
More informationMultiplePeriod Attribution: Residuals and Compounding
MultplePerod Attrbuton: Resduals and Compoundng Our revewer gave these authors full marks for dealng wth an ssue that performance measurers and vendors often regard as propretary nformaton. In 1994, Dens
More informationFrom Selective to Full Security: SemiGeneric Transformations in the Standard Model
An extended abstract of ths work appears n the proceedngs of PKC 2012 From Selectve to Full Securty: SemGenerc Transformatons n the Standard Model Mchel Abdalla 1 Daro Fore 2 Vadm Lyubashevsky 1 1 Département
More informationn + d + q = 24 and.05n +.1d +.25q = 2 { n + d + q = 24 (3) n + 2d + 5q = 40 (2)
MATH 16T Exam 1 : Part I (InClass) Solutons 1. (0 pts) A pggy bank contans 4 cons, all of whch are nckels (5 ), dmes (10 ) or quarters (5 ). The pggy bank also contans a con of each denomnaton. The total
More informationThe University of Texas at Austin. Austin, Texas 78712. December 1987. Abstract. programs in which operations of dierent processes mayoverlap.
Atomc Semantcs of Nonatomc Programs James H. Anderson Mohamed G. Gouda Department of Computer Scences The Unversty of Texas at Austn Austn, Texas 78712 December 1987 Abstract We argue that t s possble,
More informationGeneral Auction Mechanism for Search Advertising
General Aucton Mechansm for Search Advertsng Gagan Aggarwal S. Muthukrshnan Dávd Pál Martn Pál Keywords game theory, onlne auctons, stable matchngs ABSTRACT Internet search advertsng s often sold by an
More information) of the Cell class is created containing information about events associated with the cell. Events are added to the Cell instance
Calbraton Method Instances of the Cell class (one nstance for each FMS cell) contan ADC raw data and methods assocated wth each partcular FMS cell. The calbraton method ncludes event selecton (Class Cell
More informationLogical Development Of Vogel s Approximation Method (LDVAM): An Approach To Find Basic Feasible Solution Of Transportation Problem
INTERNATIONAL JOURNAL OF SCIENTIFIC & TECHNOLOGY RESEARCH VOLUME, ISSUE, FEBRUARY ISSN 77866 Logcal Development Of Vogel s Approxmaton Method (LD An Approach To Fnd Basc Feasble Soluton Of Transportaton
More informationHollinger Canadian Publishing Holdings Co. ( HCPH ) proceeding under the Companies Creditors Arrangement Act ( CCAA )
February 17, 2011 Andrew J. Hatnay ahatnay@kmlaw.ca Dear Sr/Madam: Re: Re: Hollnger Canadan Publshng Holdngs Co. ( HCPH ) proceedng under the Companes Credtors Arrangement Act ( CCAA ) Update on CCAA Proceedngs
More informationMultiplication Algorithms for Radix2 RNCodings and Two s Complement Numbers
Multplcaton Algorthms for Radx RNCodngs and Two s Complement Numbers JeanLuc Beuchat Projet Arénare, LIP, ENS Lyon 46, Allée d Itale F 69364 Lyon Cedex 07 jeanluc.beuchat@enslyon.fr JeanMchel Muller
More informationWeek 6 Market Failure due to Externalities
Week 6 Market Falure due to Externaltes 1. Externaltes n externalty exsts when the acton of one agent unavodably affects the welfare of another agent. The affected agent may be a consumer, gvng rse to
More informationNONCONSTANT SUM REDANDBLACK GAMES WITH BETDEPENDENT WIN PROBABILITY FUNCTION LAURA PONTIGGIA, University of the Sciences in Philadelphia
To appear n Journal o Appled Probablty June 2007 OCOSTAT SUM REDADBLACK GAMES WITH BETDEPEDET WI PROBABILITY FUCTIO LAURA POTIGGIA, Unversty o the Scences n Phladelpha Abstract In ths paper we nvestgate
More informationSketching Sampled Data Streams
Sketchng Sampled Data Streams Florn Rusu, Aln Dobra CISE Department Unversty of Florda Ganesvlle, FL, USA frusu@cse.ufl.edu adobra@cse.ufl.edu Abstract Samplng s used as a unversal method to reduce the
More informationAn Optimally Robust Hybrid Mix Network (Extended Abstract)
An Optmally Robust Hybrd Mx Network (Extended Abstract) Markus Jakobsson and Ar Juels RSA Laboratores Bedford, MA, USA {mjakobsson,ajuels}@rsasecurty.com Abstract We present a mx network that acheves effcent
More informationRiposte: An Anonymous Messaging System Handling Millions of Users
Rposte: An Anonymous Messagng System Handlng Mllons of Users Henry CorrganGbbs, Dan Boneh, and Davd Mazères Stanford Unversty Abstract Ths paper presents Rposte, a new system for anonymous broadcast messagng.
More informationComputing Arbitrary Functions of Encrypted Data March 2010 Communications of the ACM
Home» Magazne Archve» 2010» No. 3» Computng Arbtrary Functons of Encrypted Data» Full Text RESEARCH HIGHLIGHTS Computng Arbtrary Functons of Encrypted Data Crag Gentry Communcatons of the ACM Vol. 53 No.
More information