# Cryptography Lecture 8. Digital signatures, hash functions

Save this PDF as:

Size: px
Start display at page:

## Transcription

1 Cryptography Lecture 8 Digital signatures, hash functions

2 A Message Authentication Code is what you get from symmetric cryptography A MAC is used to prevent Eve from creating a new message and inserting it instead of Alice s message Key Key Alice Create MAC Verify MAC Bob Eve

3 Signature vs MAC A MAC, Message Authentication Code, preserves data integrity, i.e., it ensures that creation and any changes of the message have been made by authorised entities Only the authorised entities can check a MAC, and all who can check can also change the data In most legally interesting cases, you want to be able to verify that one single individual wrote something Also, in many situations it is good if everyone is able to check the signature

4 Digital signatures In asymmetric ciphers, one single individual holds the private key, while everyone can get the public key So if you encrypt with the private key, and send both cryptogram and message, anyone can check that decryption with the public key does indeed create the message Note that some public key systems do not allow encryption with the private key Most systems can be modified to generate and verify signatures

5 A digital signature can be created using asymmetric cryptography Used to prevent Eve from creating messages and present them as written by of Alice Private signing key Alice Create signature Verify signature Public verification key Anyone Eve

6 Digital signatures A digital signature should not only be tied to the signing user, but also to the message The example of encrypting with the private key does this: only Alice can create it, and it is valid only if the decryption and the plaintext coincide No attempt is made to hide the information (unless it is encrypted using another method)

7 RSA signatures Alice sets up RSA as usual In order to sign a message m, Alice uses her private key d (and not Bob s public key) to create the signature s = m d mod n Alice now gives both m and s to Bob He uses Alice s public key to verify the signature by comparing m and s e mod n

8 Attacks on RSA signatures Eve wants to sign another message m E so that it seems to be from Alice Eve cannot generate a signature directly because she does not have the secret key d She could try to choose signature s E first and calculate m E = s e E mod n but it is unlikely that se e is a meaningful message Note that two message-signature pairs gives away a third since (m 1 m 2 ) d = m1 d m2 d mod n

9 Variation: Blind RSA signatures Bob wants to prove that he has created a document at a certain time, but keep it secret, and Alice agrees to help him. She sets up standard RSA, keeping d for herself. Bob chooses a random integer k, and gives Alice the message t = k e m mod n The number t is random to Alice, but she signs the message and gives the signature to Bob s = t d = k ed m d = km d mod n Bob can now divide by k (why is this possible?) and retrieve m d, Alice s signature for m.

10 Do not use the same key pairs for signing and encryption! If Alice allows using the same e for encryption and verification, Eve can intercept c = m e mod n. To decrypt c, Eve should create x = r e c mod n for some r which yields a reasonable message x, where reasonable means that Eve can get Alice to sign x If Alice does this, the return value is s = x d = (r e c) d = rm mod n Eve can now divide by r (why is this possible?) and find m = sr 1 mod n

11 ElGamal signatures Choose a large prime p, and a primitive root α mod p. Also, take a random integer a and calculate β = α a mod p The public key is the values of p, α, and β, while the secret key is the value a Signing uses a random integer k with gcd(k, p 1) = 1, and the signature is the pair (r, s) where { r = α k mod p (encryption: (α k, β k m)) s = k 1 (m ar) mod (p 1) Verification is done comparing β r r s and α m mod p, since β r r s = α ar α k(m ar)/k = α m mod p

12 The need for hashing Unfortunately, all known signature algorithms (RSA, ElGamal,... ) are slow Also, all known signature algorithms generate output with the same size as the input Therefore, it is much better to shorten (hash) the message first, and sign the short hash: (m, sig(m)) becomes (m, sig(h(m))) A typical hash function has bit output (giving bits of security)

13 Digital Signature Algorithm ( ElGamal) This is a modification to the ElGamal signature scheme adopted as standard by NIST in 1994 Some debate followed, comparing DSA and RSA signatures The most serious problem was parameter size, which is better in later versions The main change from ElGamal is to choose p so that p 1 has a 160-bit prime factor q, and exponents are mod q

14 DSA signatures Choose a 160-bit prime q, a large prime p so that q is a factor in p 1, and a primitive root g mod p. Set α = g (p 1)/q mod p so that α q = 1 mod p, take a random integer a < q 1 and calculate β = α a mod p The public key is the values of p, q, α, and β, while the secret key is the value a Signing uses a random integer k < q 1, and the signature is the pair (r, s) where { r = (α k mod p) mod q s = k 1 (m ar) mod q To verify, compute t = s 1 m mod q and u = s 1 r mod q. Verification is done comparing (α t β u mod p) and r mod q, since (α t β u mod p) = (α km/(m+ar) α ar/(m+ar) mod p) = (α k mod p) = r mod q

15 ElGamal signatures Choose a large prime p, and a primitive root α mod p. Also, take a random integer a and calculate β = α a mod p The public key is the values of p, α, and β, while the secret key is the value a Signing uses a random integer k with gcd(k, p 1) = 1, and the signature is the pair (r, s) where { r = α k mod p (encryption: (α k, β k m)) s = k 1 (m ar) mod (p 1) Verification is done comparing β r r s and α m mod p, since β r r s = α ar α k(m ar)/k = α m mod p

16 DSA signatures Choose a 160-bit prime q, a large prime p so that q is a factor in p 1, and a primitive root g mod p. Set α = g (p 1)/q mod p so that α q = 1 mod p, take a random integer a < q 1 and calculate β = α a mod p The public key is the values of p, q, α, and β, while the secret key is the value a Signing uses a random integer k < q 1, and the signature is the pair (r, s) where { r = (α k mod p) mod q s = k 1 (m ar) mod q To verify, compute t = s 1 m mod q and u = s 1 r mod q. Verification is done comparing (α t β u mod p) and r mod q, since (α t β u mod p) = (α km/(m+ar) α ar/(m+ar) mod p) = (α k mod p) = r mod q

17 DSA (and ElGamal) security requirement The parameter k must be chosen completely at random for every signature Otherwise, the first half of a DSA signature r = (α k mod p) mod q will tell Eve that k is reused The second halfs are s 1 = k 1 (m 1 + ar) and s 2 = k 1 (m 2 + ar), both mod q k = m 1 + ar = m 2 + ar s 1 s 2 s 2 (m 1 + ar) = s 1 (m 2 + ar) a = s 1m 2 s 2 m 1 (s 2 s 1 )r

18 Why does DSA use arithmetic mod q? There are advantages when using α = g (p 1)/q mod p (so that α q = 1 mod p) instead of the primitive root directly One advantage is that the signatures can be generated mod q instead of mod p, which reduces calculation and increases speed Security is still based on the difficulty of discrete log mod p (and discrete log algorithms have problems with large factors in p 1) Finally, the verification uses two exponentiations rather than ElGamal s three, this speeds things up

19 Key length From ECRYPT II Yearly Report on Algorithms and Keysizes ( )

20 Key length Table 7.4: Security levels (symmetric equivalent) Security Protection Comment (bits) 32 Real-time, individuals Only auth. tag size 64 Very short-term, small org Not for confidentiality in new systems 72 Short-term, medium org Medium-term, small org 80 Very short-term, agencies Smallest general-purpose Long-term, small org < 4 years protection (E.g., use of 2-key 3DES, < 2 40 plaintext/ciphertexts) 96 Legacy standard level 2-key 3DES restricted to 10 6 plaintext/ciphertexts, 10 years protection 112 Medium-term protection 20 years protection (E.g., 3-key 3DES) 128 Long-term protection Good, generic application-indep. Recommendation, 30 years 256 Foreseeable future Good protection against quantum computers unless Shor s algorithm applies. From ECRYPT II Yearly Report on Algorithms and Keysizes ( )

21 Hash functions are not quite the previously mentioned one-way functions A one-way function is a function that is easy to compute but computationally hard to reverse Easy to calculate f (x) from x Hard to invert: to calculate x from f (x) There is no proof that one-way functions exist, or even real evidence that they can be constructed Even so, there are examples that seem one-way: they are easy to compute but we know of no easy way to reverse them, for example x 2 is easy to compute in a finite field but x 1/2 is not

22 Hash functions are not quite the previously mentioned one-way functions A one-way hash function is a function that is easy to compute but computationally hard to find a preimage for (there is no inverse function, there are many preimages) Easy to calculate h(x) from x Hard to find a preimage: to calculate x from h(x) so that h(x ) = h(x) There is no proof that one-way functions exist, or even real evidence that they can be constructed Even so, there are examples that seem one-way: they are easy to compute but we know of no easy way to find a preimage, and examples will follow

23 Security of signing a message hash Suppose that Eve has seen the pair (m,sig(h(m))) and wants to sign her own message m E. This is easy if h(m E ) = h(m) Therefore, good hash functions should make it difficult to find messages m E so that h(m E ) = h(m) This is the reason to use a one-way hash function It should be difficult to find m that under h returns the value h(m); this is sometimes called preimage resistance

24 One-way hash functions A one-way hash function is a function that is easy to compute but computationally hard to find a preimage for (there is no inverse function, there are many preimages) Easy to calculate h(x) from x Hard to find a preimage: to calculate x from h(x) so that h(x ) = h(x) There is no proof that one-way hash functions exist, or even real evidence that they can be constructed Even so, there are examples that seem to be one-way hash functions: they are easy to compute but we know of no easy way to find a preimage

25 Weakly collision-free hash functions A weakly collision-free hash function is a function that is easy to compute but computationally hard to find a second preimage for Easy to calculate h(x) from x Hard to find a preimage: to calculate x from h(x) so that h(x ) = h(x) Hard to find a second preimage: to calculate x from x so that h(x ) = h(x) There is no proof that weakly collision-free hash functions exist, or even real evidence that they can be constructed Even so, there are examples that seem weakly collision-free: they are easy to compute but we know of no easy way to find a second preimage

26 Security of signing a message hash Suppose that Eve has seen the pair (m,sig(h(m))) and wants to sign her own message m E. This is easy if h(m E ) = h(m) Therefore, good hash functions should make it difficult to, given m, find messages m E so that h(m E ) = h(m) This is the reason to use a weakly collision-free hash function It should be difficult to, given m, find m that under h returns the value h(m); this is sometimes called second preimage resistance

27 Weakly collision-free hash functions A weakly collision-free hash function is a function that is easy to compute but computationally hard to find a second preimage for Easy to calculate h(x) from x Hard to find a preimage: to calculate x from h(x) so that h(x ) = h(x) Hard to find a second preimage: to calculate x from x so that h(x ) = h(x) There is no proof that weakly collision-free hash functions exist, or even real evidence that they can be constructed Even so, there are examples that seem weakly collision-free: they are easy to compute but we know of no easy way to find a second preimage This is of course important when signing hash values

28 Strongly collision-free hash functions A strongly collision-free hash function is a function that is easy to compute but computationally hard to find a collision for Easy to calculate h(x) from x Hard to find a preimage: to calculate x from h(x) so that h(x ) = h(x) Hard to find a second preimage: to calculate x from x so that h(x ) = h(x) Hard to find a collision: to find x and x (x x) such that h(x ) = h(x) There is no proof that strongly collision-free hash functions exist, or even real evidence that they can be constructed Even so, there are examples that seem strongly collision-free: they are easy to compute but we know of no easy way to find a collision

29 Birthday attacks on message hash signatures Fred (the Fraudster) knows that Alice will sign a contract. His goal is to get a signature from Alice on a different contract. Fred takes the original contract and produces small variations in it. He can add spaces at the line ends, change the wording slightly, add nonprinting data, and so on. Thirty changes will give 2 30 different documents. He now does the same with the fraudulent contract, and attempts to find a match for the hash values of the two lists. The same signature will be valid for those two contracts If the hash values are shorter than 60 bits, the probability of a match is very high.

30 In practice, weakly collision-free hash functions are used A weakly collision-free hash function is a function that is easy to compute but computationally hard to find a second preimage for Easy to calculate h(x) from x Hard to find a preimage: to calculate x from h(x) so that h(x ) = h(x) Hard to find a second preimage: to calculate x from x so that h(x ) = h(x) There is no proof that weakly collision-free hash functions exist, or even real evidence that they can be constructed Even so, there are examples that seem weakly collision-free: they are easy to compute but we know of no easy way to find a second preimage The birthday attack is included in the security estimate

31 Key length Table 7.4: Security levels (symmetric equivalent) Security Protection Comment (bits) 32 Real-time, individuals Only auth. tag size 64 Very short-term, small org Not for confidentiality in new systems 72 Short-term, medium org Medium-term, small org 80 Very short-term, agencies Smallest general-purpose Long-term, small org < 4 years protection (E.g., use of 2-key 3DES, < 2 40 plaintext/ciphertexts) 96 Legacy standard level 2-key 3DES restricted to 10 6 plaintext/ciphertexts, 10 years protection 112 Medium-term protection 20 years protection (E.g., 3-key 3DES) 128 Long-term protection Good, generic application-indep. Recommendation, 30 years 256 Foreseeable future Good protection against quantum computers unless Shor s algorithm applies. From ECRYPT II Yearly Report on Algorithms and Keysizes ( )

32 Example: the discrete log hash function Choose prime p so that q = (p 1)/2 also is prime, and α and β primitive roots mod p Messages are numbers m mod q 2, let x = m mod q, and y = (m/q) mod q so that m = x + qy mod q 2. Define h(m) = α x β y mod p This value is approximately half the size of m Theorem: If we efficiently can find messages m m with h(m) = h(m ), we can also calculate L α (β) efficiently

33 Example: the discrete log hash function Theorem: If we efficiently can find messages m m with h(m) = h(m ), we can also calculate a = L α (β) efficiently Proof: We have m = x + qy x + qy = m mod q 2, so x x or y y mod q (or both). Now α x β y = α x β y mod p α x+ay = α x +ay mod p x + ay = x + ay mod p 1 x x = a(y y) mod p 1 = 2q { x x = a(y y) mod 2 x x = a(y y) mod q There are at most two solutions (this occurs when x x = 0 mod 2), but it is easy to check which solution a that gives β = α a

34 Example: the discrete log hash function Choose prime p so that q = (p 1)/2 also is prime, and α and β primitive roots mod p Messages are numbers m mod q 2, let x = m mod q, and y = (m/q) mod q so that m = x + qy mod q 2. Define h(m) = α x β y mod p This value is approximately half the size of m Theorem: If we efficiently can find messages m m with h(m) = h(m ), we can also calculate L α (β) efficiently

35 Example: the discrete log hash function Choose prime p so that q = (p 1)/2 also is prime, and α and β primitive roots mod p Messages are numbers m mod q 2, let x = m mod q, and y = (m/q) mod q so that m = x + qy mod q 2. Define h(m) = α x β y mod p This value is approximately half the size of m Theorem: If the discrete log hash function is not strongly collision resistant, we can calculate L α (β) efficiently

36 Theoretical security: The Random Oracle Model A Random Oracle is a function that gives fixed length output. If it is the first time that it receives a particular input, it gives random output. If it already has received the input, it will repeat the corresponding output This is the ideal strongly collision resistant function It can be used to prove security of encryption/signing under the assumption that the functions used behave like a random oracle This is usually treated as strong evidence rather than a real proof. The evidence falls if weaknesses are found in the functions used

37 Desirable properties of a practical hash function Transformation of messages of any length to a fixed length block Dependence on every bit of message Everyone should be able to check the validity of a hash of a message You could still use a secret parameter, but this means you restrict the group of people that can verify to the group that knows the secret

38 Iterative hash functions Mapping any-length input into fixed-length output is complicated A simple way is to use an iterative hash function, to divide the message into blocks, and use the following setup: IV Block 1 Block 2 h h. Block t. h

39 Iterative hash functions with length padding Mapping any-length input into fixed-length output is complicated A simple way is to use an iterative hash function, to divide the message into blocks, and use the following setup: IV Block 1 Block 2 h h.. Block t t h

40 Iterative hash functions and multicollisions IV Block 1 h Block 2 h.. Block t t h In each iteration, there is a good chance of a collision when we have searched 2 n/2 messages Overall, we need to search t2 n/2 = 2 log t+n/2 messages to generate 2 t collisions But for a proper hash function, to get a good chance of a Multi -birthday event (k collisions), one should need to search 2 n(k 1)/k messages

41 Constructing cryptographic hash functions Be wary of inventing a new hash function double hashing concatenating hashes XORing the results... Adding a few operations to a hash function or combining existing functions is a tempting do-it-yourself fix, but usually adds only an insignificant amount of complexity to the attack, and can easily reduce the complexity of attack It was long thought that H(M) = H 1 (M) H 2 (M) would be much stronger than either component no such luck it is only slightly better than the best component There is a reason for the counters in MD1-5, SHA0-3,...

42 MD5 128-bit hash Very widespread (SSL/TLS, IPsec,... ) but not secure (X.509 collisions, rouge CA,...) Uses addition mod 2 32, message blocks M i constant blocks K i, (B C) ( B D) (round 1 16) (B D) (C D) (round 17 32) F (B, C, D) = B C D (round 33 48) C (B D) (round 49 64)

43 SHA bit hash Very widespread Weaknesses found in 2005, current attacks need operations to find collisions Uses add mod 2 32, 80 rounds, message dependent W t, constant K t (B C) ( B D) (round 1 20) B C D (round 21 40) F (B, C, D) = (B C) (B D) (C D) (round 41 60) B C D (round 61 80)

44 SHA-2 224, 256, 384, 512-bit hash Widespread? ( Likely to be... ) The two longer ones are 10% slower Uses add mod 2 32 or 2 64, 64 or 80 rounds, message dependent W t, constant K t Ch(E, F, G) = (E F ) ( E G) Ma(A, B, C) = (A B) (A C) (B C) Σ0(A) = (A 2) (A 13) (A 22) Σ1(E) = (E 6) (E 11) (E 25)

45 SHA-3 contest NIST started a contest 2007 to find (future) replacements for SHA-1 and SHA-2 Finalists were chosen for reasons of speed, security, available analysis, and diversity NIST selected five SHA-3 candidates for the final evaluation: BLAKE, Grøstl, JH, Keccak, and Skein The decision was made Oct , and the winner is Keccak

46 SHA-3 a 0,0 a 0,1 a 0,2 224, 256, 384, 512-bit hash 12.5 cycles per byte 1600-bit internal state, in 25 registers of 2 l (= 64) bits, l iterations of: a 1,0 a 1,1.... θ: Add bitwise column parity to adjacent column, a i,j = i (a i,j+1 a i,j 1 ) ρ: Rotate registers different triangular-number steps, a i,j << t i,j π: Permute words in fixed pattern, a 3i+2j,i = a i,j χ: Combine bits nonlinearly in rows, a i,j = a i,j+1 a i,j+2 ι: Break symmetry, in round n (0 m l), a 0,0[2 m 1] = b m+7n, with b n from a degree-8 LFSR

47 The sponge construction Mapping any-length input into fixed-length output is complicated The sponge construction is used to absorbe r bits in each iteration The unused capacity c should be twice the desired resistance to collision or preimage attacks Still needs secure padding of the last block

48 Other uses of cryptographic hash functions They hide what input to use in order to get a specific output, which is needed in for example password storage Cryptographic hash functions can be used to encrypt, basically running it as a block cipher in OFB mode Other applications of hash functions in computer science (hash tables, file integrity,... ) often has weaker requirements than the ones used here It is therefore important to remember that hash functions as used in computer science often do not fulfil the requirements of a cryptographic hash function

49 Example: Unix passwords Passwords are assumed to be 8 character 7-bit ASCII In total 56 bits Encrypt the message 0 using this DES key Weaknesses Dictionary attacks DES is fast, and there is dedicated hardware

50 Example: Unix password weaknesses Dictionary attacks Use a salt to make dictionary attacks more difficult the book mentions 12-bit salts DES is fast, and there is dedicated hardware Don t have the salt in the message Instead use it to change the DES algorithm (see the book) This makes hardware attacks more difficult... and slows down an attack

51 Example: Modern unixes Stronger algorithms (proper hash functions) Whole password significant Longer salts (up to 16 characters) Use key stretching : many many rounds Only root can read the passwd file mkpasswd -m SHA-512 test \$6\$EUEoZKNThDNKmfdb\$3g5AuZFmWHCaDJDJq2GVPdLQ8CAO ID Method 1 MD5 2a Blowfish (not in mainline glibc; in some Linuxes, NetBSD) 5 SHA-256 (since glibc 2.7) 6 SHA-512 (since glibc 2.7)

52 Hash function life cycles Historically, popular cryptographic hash functions have a useful lifetime of around 10 years

### : : : : : ISBN / C53:H : 19.50

: : : : 2002 1 1 2002 1 1 : ISBN 7-224-06364-9 / C53:H059-53 : 19.50 50,,,,,,, ; 50,,,,,,,, 1 ,,,,,,,,,,,,,, ;,,,,,,,,, 2 ,,,, 2002 8 3 ( 1 ) ( 1 ) Deduction One Way of Deriving the Meaning of U nfamiliar

### BC04 Module_antenna__ doc

http://www.infobluetooth.com TEL:+86-23-68798999 Fax: +86-23-68889515 Page 1 of 10 http://www.infobluetooth.com TEL:+86-23-68798999 Fax: +86-23-68889515 Page 2 of 10 http://www.infobluetooth.com TEL:+86-23-68798999

### 2005 5,,,,,,,,,,,,,,,,, , , 2174, 7014 %, % 4, 1961, ,30, 30,, 4,1976,627,,,,, 3 (1993,12 ),, 2

3,,,,,, 1872,,,, 3 2004 ( 04BZS030),, 1 2005 5,,,,,,,,,,,,,,,,, 1928 716,1935 6 2682 1928 2 1935 6 1966, 2174, 7014 %, 94137 % 4, 1961, 59 1929,30, 30,, 4,1976,627,,,,, 3 (1993,12 ),, 2 , :,,,, :,,,,,,

### Microsoft Word - 第四組心得.doc

A A A A A i A A A A A A A ii Introduction to the Chinese Editions of Great Ideas Penguin s Great Ideas series began publication in 2004. A somewhat smaller list is published in the USA and a related, even

### Microsoft PowerPoint - ryz_030708_pwo.ppt

Long Term Recovery of Seven PWO Crystals Ren-yuan Zhu California Institute of Technology CMS ECAL Week, CERN Introduction 20 endcap and 5 barrel PWO crystals went through (1) thermal annealing at 200 o

### 參 加 第 二 次 pesta 的 我, 在 是 次 交 流 營 上 除 了, 與 兩 年 沒 有 見 面 的 朋 友 再 次 相 聚, 加 深 友 誼 外, 更 獲 得 與 上 屆 不 同 的 體 驗 和 經 歴 比 較 起 香 港 和 馬 來 西 亞 的 活 動 模 式, 確 是 有 不 同 特

WE ARE BOY S BRIGADE 參 加 第 二 次 pesta 的 我, 在 是 次 交 流 營 上 除 了, 與 兩 年 沒 有 見 面 的 朋 友 再 次 相 聚, 加 深 友 誼 外, 更 獲 得 與 上 屆 不 同 的 體 驗 和 經 歴 比 較 起 香 港 和 馬 來 西 亞 的 活 動 模 式, 確 是 有 不 同 特 別 之 處 如 控 制 時 間 及 人 流 方 面, 香

### 2009.05

2009 05 2009.05 2009.05 璆 2009.05 1 亿 平 方 米 6 万 套 10 名 20 亿 元 5 个 月 30 万 亿 60 万 平 方 米 Data 围 观 CCDI 公 司 内 刊 企 业 版 P08 围 观 CCDI 管 理 学 上 有 句 名 言 : 做 正 确 的 事, 比 正 确 地 做 事 更 重 要 方 向 的 对 错 于 大 局 的 意 义 而 言,

### 4. 每 组 学 生 将 写 有 习 语 和 含 义 的 两 组 卡 片 分 别 洗 牌, 将 顺 序 打 乱, 然 后 将 两 组 卡 片 反 面 朝 上 置 于 课 桌 上 5. 学 生 依 次 从 两 组 卡 片 中 各 抽 取 一 张, 展 示 给 小 组 成 员, 并 大 声 朗 读 卡

Tips of the Week 课 堂 上 的 英 语 习 语 教 学 ( 二 ) 2015-04-19 吴 倩 MarriottCHEI 大 家 好! 欢 迎 来 到 Tips of the Week! 这 周 我 想 和 老 师 们 分 享 另 外 两 个 课 堂 上 可 以 开 展 的 英 语 习 语 教 学 活 动 其 中 一 个 活 动 是 一 个 充 满 趣 味 的 游 戏, 另 外

A Study on the Relationships of the Co-construction Contract A Study on the Relationships of the Co-Construction Contract ( ) ABSTRACT Co-constructio in the real estate development, holds the quite

### untitled

Co-integration and VECM Yi-Nung Yang CYCU, Taiwan May, 2012 不 列 1 Learning objectives Integrated variables Co-integration Vector Error correction model (VECM) Engle-Granger 2-step co-integration test Johansen

### Improved Preimage Attacks on AES-like Hash Functions: Applications to Whirlpool and Grøstl

SKLOIS (Pseudo) Preimage Attack on Reduced-Round Grøstl Hash Function and Others Shuang Wu, Dengguo Feng, Wenling Wu, Jian Guo, Le Dong, Jian Zou March 20, 2012 Institute. of Software, Chinese Academy

### <4D6963726F736F667420576F7264202D2032303130C4EAC0EDB9A4C0E04142BCB6D4C4B6C1C5D0B6CFC0FDCCE2BEABD1A15F325F2E646F63>

2010 年 理 工 类 AB 级 阅 读 判 断 例 题 精 选 (2) Computer mouse How does the mouse work? We have to start at the bottom, so think upside down for now. It all starts with mouse ball. As the mouse ball in the bottom

### Microsoft Word - 武術合併

11/13 醫 學 系 一 年 級 張 雲 筑 武 術 課 開 始, 老 師 並 不 急 著 帶 我 們 舞 弄 起 來, 而 是 解 說 著 支 配 氣 的 流 動 為 何 構 成 中 國 武 術 的 追 求 目 標 武 術, 名 之 為 武 恐 怕 與 其 原 本 的 精 義 有 所 偏 差 其 實 武 術 是 為 了 讓 學 習 者 能 夠 掌 握 身 體, 保 養 身 體 而 發 展, 並

### 穨control.PDF

TCP congestion control yhmiu Outline Congestion control algorithms Purpose of RFC2581 Purpose of RFC2582 TCP SS-DR 1998 TCP Extensions RFC1072 1988 SACK RFC2018 1996 FACK 1996 Rate-Halving 1997 OldTahoe

### Lorem ipsum dolor sit amet, consectetuer adipiscing elit

English for Study in Australia 留 学 澳 洲 英 语 讲 座 Lesson 3: Make yourself at home 第 三 课 : 宾 至 如 归 L1 Male: 各 位 朋 友 好, 欢 迎 您 收 听 留 学 澳 洲 英 语 讲 座 节 目, 我 是 澳 大 利 亚 澳 洲 广 播 电 台 的 节 目 主 持 人 陈 昊 L1 Female: 各 位

### Microsoft Word - template.doc

HGC efax Service User Guide I. Getting Started Page 1 II. Fax Forward Page 2 4 III. Web Viewing Page 5 7 IV. General Management Page 8 12 V. Help Desk Page 13 VI. Logout Page 13 Page 0 I. Getting Started

### Windows XP

Windows XP What is Windows XP Windows is an Operating System An Operating System is the program that controls the hardware of your computer, and gives you an interface that allows you and other programs

### Microsoft Word - Final Exam Review Packet.docx

Do you know these words?... 3.1 3.5 Can you do the following?... Ask for and say the date. Use the adverbial of time correctly. Use Use to ask a tag question. Form a yes/no question with the verb / not

### 從詩歌的鑒賞談生命價值的建構

Viktor E. Frankl (logotherapy) (will-to-meaning) (creative values) Ture (Good) (Beauty) (experiential values) (attitudinal values) 1 2 (logotherapy) (biological) (2) (psychological) (3) (noölogical) (4)

### [ 13 年 12 月 06 日, 下 午 6 点 24 分 ] Intel Hosts 新 加 入 的 同 学 们, 快 去 听 听 在 线 宣 讲 会 哦, 同 时 完 成 页 面 下 方 有 奖 调 查, 就 有 资 格 参 与 大 奖 抽 取 啦! [ 13 年 12 月 06 日, 下 午

China Career Fair: To Know a Different Intel Time Participants Chat Transcript [ 13 年 12 月 06 日, 下 午 6 点 00 分 ] Participant Hi [ 13 年 12 月 06 日, 下 午 6 点 00 分 ] Intel Hosts 大 家 好! [ 13 年 12 月 06 日, 下 午

### C/C++ - 字符输入输出和字符确认

C/C++ Table of contents 1. 2. getchar() putchar() 3. (Buffer) 4. 5. 6. 7. 8. 1 2 3 1 // pseudo code 2 read a character 3 while there is more input 4 increment character count 5 if a line has been read,

### 南華大學數位論文

-------------------------------------------------------------------------------- Pekinger in NewYork -------------------------------------------------------------------------------- 1011 121314 151617

### C o n t e n t s...7... 15 1. Acceptance... 17 2. Allow Love... 19 3. Apologize... 21 4. Archangel Metatron... 23 5. Archangel Michael... 25 6. Ask for

Doreen Virtue, Ph.D. Charles Virtue C o n t e n t s...7... 15 1. Acceptance... 17 2. Allow Love... 19 3. Apologize... 21 4. Archangel Metatron... 23 5. Archangel Michael... 25 6. Ask for a Sign... 27 7.

### TX-NR3030_BAS_Cs_ indd

TX-NR3030 http://www.onkyo.com/manual/txnr3030/adv/cs.html Cs 1 2 3 Speaker Cable 2 HDMI OUT HDMI IN HDMI OUT HDMI OUT HDMI OUT HDMI OUT 1 DIGITAL OPTICAL OUT AUDIO OUT TV 3 1 5 4 6 1 2 3 3 2 2 4 3 2 5

### 蔡 氏 族 譜 序 2

1 蔡 氏 族 譜 Highlights with characters are Uncle Mike s corrections. Missing or corrected characters are found on pages 9, 19, 28, 34, 44. 蔡 氏 族 譜 序 2 3 福 建 仙 遊 赤 湖 蔡 氏 宗 譜 序 蔡 氏 之 先 出 自 姬 姓 周 文 王 第 五 子

### 南華大學數位論文

-- Managing Traditional Temples A Case Study of Representative Temples in CHIA-YI i Abstract This research used the methodology of field study historical comparative research, and qualitative interview

### untitled

數 Quadratic Equations 數 Contents 錄 : Quadratic Equations Distinction between identities and equations. Linear equation in one unknown 3 ways to solve quadratic equations 3 Equations transformed to quadratic

### 2011年高职语文考试大纲

2016 年 湖 北 省 普 通 高 等 学 校 招 收 中 职 毕 业 生 技 能 高 考 文 化 综 合 考 试 大 纲 2016 年 普 通 高 等 学 校 招 收 中 职 毕 业 生 技 能 高 考, 是 由 中 等 职 业 学 校 ( 含 普 通 中 专 职 业 高 中 技 工 学 校 和 成 人 中 专 ) 机 械 类 电 子 类 计 算 机 类 会 计 专 业 护 理 专 业 建 筑

### Rebar Couplers. Heng Xiang Rebar Connection Equipment Factory

Rebar Couplers Heng Xiang Rebar Connection Equipment Factory Attn: Mr. Leo Hao Tel: 86-0318-6662348 E-mail: sales@hshxtaotong.com Add: The north industrial park, Hengshui City, Hebei Province, China 053000

### Rebar Couplers. Heng Xiang Rebar Connection Equipment Factory

Rebar Couplers Heng Xiang Rebar Connection Equipment Factory Attn: Mrs. Lucy Sun Tel: 86-13231837867 E-mail: sales2@hshxtaotong.com Add: The north industrial park, Hengshui City, Hebei Province, China

### Microsoft PowerPoint - AWOL - Acrobat Windows Outlook.ppt [Compatibility Mode]

AWOL Windows - Tips & Tricks Resolution, color depth & refresh rate Background color Service packs Disk cleanup (cleanmgr) Disk defragmentation AWOL Windows Resolution, Color Depth & Refresh Rate The main

### ENGG1410-F Tutorial 6

Jianwen Zhao Department of Computer Science and Engineering The Chinese University of Hong Kong 1/16 Problem 1. Matrix Diagonalization Diagonalize the following matrix: A = [ ] 1 2 4 3 2/16 Solution The

### PowerPoint Presentation

Decision analysis 量化決策分析方法專論 2011/5/26 1 Problem formulation- states of nature In the decision analysis, decision alternatives are referred to as chance events. The possible outcomes for a chance event

### \\Lhh\07-02\黑白\内页黑白1-16.p

Abstract: Urban Grid Management Mode (UGMM) is born against the background of the fast development of digital city. It is a set of urban management ideas, tools, organizations and flow, which is on the

### 國立中山大學學位論文典藏.PDF

I II III The Study of Factors to the Failure or Success of Applying to Holding International Sport Games Abstract For years, holding international sport games has been Taiwan s goal and we are on the way

### (baking powder) 1 ( ) ( ) 1 10g g (two level design, D-optimal) 32 1/2 fraction Two Level Fractional Factorial Design D-Optimal D

( ) 4 1 1 1 145 1 110 1 (baking powder) 1 ( ) ( ) 1 10g 1 1 2.5g 1 1 1 1 60 10 (two level design, D-optimal) 32 1/2 fraction Two Level Fractional Factorial Design D-Optimal Design 1. 60 120 2. 3. 40 10

### 99 學年度班群總介紹 第 370 期 班群總導 陳怡靜 G45 班群總導 陳怡靜(河馬) A 家 惠如 家浩 T 格 宜蓁 小 霖 怡 家 M 璇 均 蓁 雴 家 數學領域 珈玲 國燈 370-2 英領域 Kent

2010 年 8 月 27 日 出 刊 精 緻 教 育 宜 蘭 縣 公 辦 民 營 人 國 民 中 小 學 財 團 法 人 人 適 性 教 育 基 金 會 承 辦 地 址 : 宜 蘭 縣 26141 頭 城 鎮 雅 路 150 號 (03)977-3396 http://www.jwps.ilc.edu.tw 健 康 VS. 學 習 各 位 合 夥 人 其 實 都 知 道, 我 是 個 胖 子, 而

### 101 年 全 國 高 職 學 生 實 務 專 題 製 作 競 賽 暨 成 果 展 報 告 書 題 目 :Beat CNN`s Report, 驚 艷 外 國 人 的 嘴 - 皮 蛋 之 大 改 造 指 導 老 師 : 林 佩 怡 參 賽 學 生 : 胡 雅 吟 楊 椀 惇 張 毓 津 許 巧 文

12. 1. 2. 3. 4. 5. 6. 101 年 全 國 高 職 學 生 實 務 專 題 製 作 競 賽 暨 成 果 展 報 告 書 題 目 :Beat CNN`s Report, 驚 艷 外 國 人 的 嘴 - 皮 蛋 之 大 改 造 指 導 老 師 : 林 佩 怡 參 賽 學 生 : 胡 雅 吟 楊 椀 惇 張 毓 津 許 巧 文 陳 玫 錚 學 校 名 稱 : 國 立 台 南 家 齊 女

### 國立中山大學學位論文典藏.PDF

I II III IV V VI In recent years, the Taiwan s TV talk shows about the political topic have a bias in favour of party. In Taiwan, there are two property of party, one is called Blue property of party,

### 096STUT DOC

i YouTube was established in 2005 until now only more than 3 years. Although it was established just more than 3 years, it has already become the one of multitudinous video shares website that most people

### K7VT2_QIG_v3

............ 1 2 3 4 5 [R] : Enter Raid setup utility 6 Press[A]keytocreateRAID RAID Type: JBOD RAID 0 RAID 1: 2 7 RAID 0 Auto Create Manual Create: 2 RAID 0 Block Size: 16K 32K

### 東莞工商總會劉百樂中學

/2015/ 頁 (2015 年 版 ) 目 錄 : 中 文 1 English Language 2-3 數 學 4-5 通 識 教 育 6 物 理 7 化 學 8 生 物 9 組 合 科 學 ( 化 學 ) 10 組 合 科 學 ( 生 物 ) 11 企 業 會 計 及 財 務 概 論 12 中 國 歷 史 13 歷 史 14 地 理 15 經 濟 16 資 訊 及 通 訊 科 技 17 視 覺

### PowerPoint Presentation

TOEFL Practice Online User Guide Revised September 2009 In This Guide General Tips for Using TOEFL Practice Online Directions for New Users Directions for Returning Users 2 General Tips To use TOEFL Practice

### 神 学 家 陶 恕 博 士 曾 经 相 当 感 叹 的 说, 数 以 百 万 计 的 我 们 生 活 在 福 音 既 得 之 地, 各 自 都 有 所 属 的 教 会, 也 努 力 去 传 基 督 教 的 信 仰, 但 可 悲 的 是, 或 许 终 其 一 生, 都 未 曾 认 真 思 想 过 神

Series: Sermon Series Title: 救 赎 历 史 第 四 章 : 耶 和 华 Part: 1 Speaker: 大 卫 普 莱 特 Date: Text: 各 位 亲 爱 的 弟 兄 姊 妹, 欢 迎 你 收 听 救 赎 历 史 系 列 第 五 讲 我 是 大 卫 普 莱 特 博 士 我 要 带 领 你 更 深 入 地 认 识, 那 昔 在 今 在 以 后 永 远 与 我 们

### 東吳大學

律 律 論 論 療 行 The Study on Medical Practice and Coercion 林 年 律 律 論 論 療 行 The Study on Medical Practice and Coercion 林 年 i 讀 臨 療 留 館 讀 臨 律 六 礪 讀 不 冷 療 臨 年 裡 歷 練 禮 更 老 林 了 更 臨 不 吝 麗 老 劉 老 論 諸 見 了 年 金 歷 了 年

### Liao Mei-Yu Professor, Department of Chinese Literature, National Cheng Kung University Abstract Yao Ying was a government official in Taiwan for more

2006 12 137-178 The Various Viewpoints of Yao Ying s Jail-period Poems 137 Liao Mei-Yu Professor, Department of Chinese Literature, National Cheng Kung University Abstract Yao Ying was a government official

### 2/80 2

2/80 2 3/80 3 DSP2400 is a high performance Digital Signal Processor (DSP) designed and developed by author s laboratory. It is designed for multimedia and wireless application. To develop application

### 中山大學學位論文典藏.pdf

1999 1992 11 7 1999 8811218 800 150.456 1387 1392 1680 The Research on the Faith in Cheng Hwang Yeh in Kinmen This research is written by a native kinmenese who does a long period of field research and

### Microsoft Word - 24217010311110028谢雯雯.doc

HUAZHONG AGRICULTURAL UNIVERSITY 硕 士 学 位 论 文 MASTER S DEGREE DISSERTATION 80 后 女 硕 士 生 择 偶 现 状 以 武 汉 市 七 所 高 校 为 例 POST-80S FEMALE POSTGRADUATE MATE SELECTION STATUS STUDY TAKE WUHAN SEVEN UNIVERSITIES

### A Community Guide to Environmental Health

102 7 建 造 厕 所 本 章 内 容 宣 传 推 广 卫 生 设 施 104 人 们 需 要 什 么 样 的 厕 所 105 规 划 厕 所 106 男 女 对 厕 所 的 不 同 需 求 108 活 动 : 给 妇 女 带 来 方 便 110 让 厕 所 更 便 于 使 用 111 儿 童 厕 所 112 应 急 厕 所 113 城 镇 公 共 卫 生 设 施 114 故 事 : 城 市 社

### Important Notice SUNPLUS TECHNOLOGY CO. reserves the right to change this documentation without prior notice. Information provided by SUNPLUS TECHNOLO

Car DVD New GUI IR Flow User Manual V0.1 Jan 25, 2008 19, Innovation First Road Science Park Hsin-Chu Taiwan 300 R.O.C. Tel: 886-3-578-6005 Fax: 886-3-578-4418 Web: www.sunplus.com Important Notice SUNPLUS

### 100學年度大學推甄申請面試題庫

101 學 年 度 大 學 推 甄 申 請 面 試 題 庫 政 治 大 學 斯 拉 夫 語 文 學 系 5 阿 拉 伯 語 文 學 系 6 國 防 大 學 管 理 學 院 資 訊 管 理 學 系 7 運 籌 管 理 學 系 9 中 央 大 學 中 文 系 10 台 灣 師 範 大 學 歷 史 系 11 特 教 系 12 彰 化 師 範 大 學 中 文 系 13 國 防 理 工 學 院 14 國 立

### The Development of Color Constancy and Calibration System

The Development of Color Constancy and Calibration System The Development of Color Constancy and Calibration System LabVIEW CCD BMP ii Abstract The modern technologies develop more and more faster, and

### 我的野蛮女友（网络小说）中文版

01-2002-1996 CIP /. 2002.6 ISBN 7801155424/I77 I. II.. IV. I312.645 CIP 2002 033396 20002001 by KimHoSik All rights reserved. This Chinese Edition Published by arrangement with Poem and Society. Through

### 2015年下半年全国教师资格笔试《地理学科知识与教学能力》备考指导

2016 年 上 半 年 全 国 教 师 资 格 统 考 英 语 学 科 知 识 与 教 学 能 力 高 分 攻 略 中 公 教 育 教 师 考 试 研 究 院 制 初 级 中 学 一 考 情 综 述 通 过 分 析 真 题, 可 以 发 现 在 英 语 学 科 知 识 和 教 学 能 力 ( 初 中 英 语 ) 笔 试 中, 英 语 教 学 知 识 和 教 学... 设 计 能 力... 所 占

### 壹、前言

DOH93-DC-1116 93 3 1 93 12 31 ... 1... 4... 6... 7... 8... 9... 13... 13 ()... 13 ()... 14 ()... 14... 16... 16... 16... 17... 18 1 ... 19... 24... 27... 29... 31... 31... 33... 34... 35... 36... 36 ()...

### 穨6街舞對抗中正紀念堂_林伯勳張金鶚_.PDF

( ) 115 115140 Journal of City and Planning(2002) Vol.29, No.1, pp.115140 90 10 26 91 05 20 2 3 --- ( ) 1. 2. mag.ryan@msa.hinet.net 3. jachang@nccu.edu.tw 1018-1067/02 2002 Chinese Institute of Urban

### OA-253_H1～H4_OL.ai

WARNINGS Note: Read ALL the following BEFORE using this product. Follow all Guidelines at all times while using this product. CAUTION This warning indicates possibility of personal injury and material

### :

A Study of Huangtao : I Abstract Abstract This text focuses on the special contribution of Huangtao in the history of literature and culture of Fukien, by analyzing the features of Huangtao s thought,

### Chinese oil import policies and reforms 随 着 经 济 的 发 展, 目 前 中 国 石 油 消 费 总 量 已 经 跃 居 世 界 第 二 作 为 一 个 负 责 任 的 大 国, 中 国 正 在 积 极 推 进 能 源 进 口 多 元 化, 鼓 励 替 代

Chinese oil import policies and reforms SINOPEC EDRI 2014.8 Chinese oil import policies and reforms 随 着 经 济 的 发 展, 目 前 中 国 石 油 消 费 总 量 已 经 跃 居 世 界 第 二 作 为 一 个 负 责 任 的 大 国, 中 国 正 在 积 极 推 进 能 源 进 口 多 元 化,

### * RRB *

*9000000000RRB0010040* *9000000000RRB0020040* *9000000000RRB0030040* *9000000000RRB0040040* *9000000000RRC0010050* *9000000000RRC0020050* *9000000000RRC0030050* *9000000000RRC0040050* *9000000000RRC0050050*