Least absolute deviations: Difference between revisions

en>Duoduoduo
Variations, extensions, specializations: fixing, defining, and rendering standard the notation
 
en>Monkbot
The '''forking lemma''' is any of a number of related [[lemma (mathematics)|lemmas]] in [[cryptography]] research. The lemma states that if an adversary (typically a [[probabilistic Turing machine]]), on inputs drawn from some [[Probability distribution|distribution]], produces an output that has some property with [[negligible function|non-negligible]] [[probability]], then with non-negligible probability, if the adversary is re-run on new inputs but with the same [[random tape]], its second output will also have the property.
 
This concept was first used by [[David Pointcheval]] and [[Jacques Stern]] in "Security proofs for signature schemes," published in the proceedings of [[Eurocrypt]] 1996.<ref>[[Ernest Brickell]], [[David Pointcheval]], [[Serge Vaudenay]], and [[Moti Yung]], "[http://www.springerlink.com/content/8v8btpfkat5qp3da/?p=2ad4ec3d6e8447a28d44bd3922e75ef8&pi=18 Design Validations for Discrete Logarithm Based Signature Schemes]", Third International Workshop on Practice and Theory in Public Key Cryptosystems, PKC 2000, [[Melbourne]], [[Australia]], January 18&ndash;20, 2000, pp. 276&ndash;292.</ref><ref name="YoungYung">Adam Young and Moti Yung, "Malicious Cryptography: Exposing Cryptovirology", Wiley press, 2004, pp. 344.</ref>  In their paper, the forking lemma is specified in terms of an adversary that attacks a [[digital signature]] scheme instantiated in the [[random oracle]] model. They show that if an adversary can forge a signature with non-negligible probability, then there is a non-negligible probability that the same adversary with the same random tape can create a second forgery in an attack with a different random oracle.<ref>David Pointcheval and [[Jacques Stern]], "[http://www.springerlink.com/content/k0xj74fcvnaj202t/?p=f5b8f4cb35e149ceb402fb89549556f1&pi=32 Security Proofs for Signature Schemes]", Advances in Cryptology &mdash; EUROCRYPT '96, [[Saragossa]], [[Spain]], May 12&ndash;16, 1996, pp. 387&ndash;398.</ref> The forking lemma was later generalized by [[Mihir Bellare]] and Gregory Neven.<ref name="BellareNeven">[[Mihir Bellare]] and Gregory Neven, "[http://portal.acm.org/citation.cfm?id=1180453 Multi-Signatures in the Plain Public-Key Model and a General Forking Lemma]", Proceedings of the 13th [[Association for Computing Machinery]] (ACM) Conference on Computer and
Communications Security (CCS), [[Alexandria, Virginia]], 2006, pp. 390&ndash;399.</ref>  The forking lemma has been used to prove the security of a variety of digital signature schemes and other random-oracle based cryptographic constructions.<ref name="YoungYung" />
 
==Statement of the lemma==
 
The generalized version of the lemma is stated as follows.<ref name="BellareNeven" />  Let ''A'' be a probabilistic algorithm, with inputs (''x'', ''h''<sub>1</sub>, ..., ''h''<sub>''q''</sub>; ''r'') that outputs a pair (''J'', ''y''), where ''r'' refers to the random tape of ''A'' (that is, the random choices A will make). Suppose '''further''' that ''IG'' is a probability distribution from which ''x'' is drawn, and that ''H'' is a set of size ''h'' from which each of the ''h<sub>i</sub>'' values are drawn according to the [[Uniform distribution (discrete)|uniform distribution]]. Let acc be the probability that on inputs distributed as described, the ''J'' output by ''A'' is greater than or equal to 1.
 
We can then define a "forking algorithm" ''F<sub>A</sub>'' that proceeds as follows, on input ''x'':
# Pick a random tape ''r'' for ''A''.
# Pick ''h''<sub>1</sub>, ..., ''h''<sub>''q''</sub> uniformly from ''H''.
# Run ''A'' on input (''x'', ''h''<sub>1</sub>, ..., ''h''<sub>''q''</sub>; ''r'') to produce (''J'', ''y'').
# If ''J'' = 0, then return (0, 0, 0).
# Pick ''h'<sub>J</sub>, ..., h'<sub>q</sub>'' uniformly from ''H''.
# Run ''A'' on input (''x'', ''h''<sub>1</sub>, ..., ''h''<sub>''J''&minus;1</sub>, ''h''<nowiki>'</nowiki><sub>''J''</sub>, ..., ''h''<nowiki>'</nowiki><sub>''q''</sub>; ''r'') to produce (''J''<nowiki>'</nowiki>, ''y''<nowiki>'</nowiki>).
# If ''J' '' = ''J'' and ''h<sub>J</sub>'' ≠ ''h'<sub>J</sub>'' then return (1, ''y'', ''y''<nowiki>'</nowiki>), otherwise, return (0, 0, 0).
 
Let frk be the probability that ''F<sub>A</sub>'' outputs a triple starting with 1, given an input ''x'' chosen randomly from ''IG''. Then
 
: <math>\text{frk} \geq \text{acc} \cdot \left( \frac{\text{acc}}{q} - \frac{1}{h} \right).</math>
 
===Intuition===
 
The idea here is to think of ''A'' as running two times in related executions, where the process "[[Fork (software development)|forks]]" at a certain point, when some but not all of the input has been examined. In the alternate version, the remaining inputs are re-generated but are generated in the normal way.  The point at which the process forks may be something we only want to decide later, possibly based on the behavior of ''A'' the first time around: this is why the lemma statement chooses the branching point (''J'') based on the output of ''A''.   The requirement that ''h<sub>J</sub>'' ≠ ''h'<sub>J</sub>'' is a technical one required by many uses of the lemma. (Note that since both ''h<sub>J</sub>'' and ''h'<sub>J</sub>'' are chosen randomly from ''H'', then if ''h'' is large, which would be normal, the probability of the two values not being distinct is extremely small.)
 
===Example===
 
For example, let ''A'' be an algorithm for breaking a [[digital signature]] scheme in the [[random oracle]] model.  Then ''x'' would be the public parameters (including the public key) ''A'' is attacking, and ''h<sub>i</sub>'' would be the output of the random oracle on its ''i''th distinct input.  The forking lemma is of use when it would be possible, given two different random signatures of the same message, to solve some underlying hard problem.  An adversary that forges once, however, gives rise to one that forges twice on the same message with non-negligible probability through the forking lemma.  When ''A'' attempts to forge on a message ''m'', we consider the output of ''A'' to be (''J'', ''y'') where ''y'' is the forgery, and ''J'' is such that ''m'' was the ''J''th unique query to the random oracle (it may be assumed that ''A'' will query ''m'' at some point, if ''A'' is to be successful with non-negligible probability). (If ''A'' outputs an incorrect forgery, we consider the output to be (0, ''y'').)
 
By the forking lemma, the probability (''frk'') of obtaining two good forgeries ''y'' and ''y' '' on  the same message but with different random oracle outputs (that is, with ''h<sub>J</sub> ≠ h'<sub>J</sub>'') is non-negligible when ''acc'' is also non-negligible.  This allows us to prove that if the underlying hard problem is indeed hard, then no adversary can forge signatures.
 
This is the essence of the proof given by Pointcheval and Stern for a modified [[ElGamal signature scheme]] against an adaptive adversary.
 
==Known issues with application of forking lemma==
The reduction provided by the forking lemma is not a tight reduction. Pointcheval and Stern proposed security arguments for digital signatures and blind signatures using the forking lemma.<ref>David Pointcheval and Jacques Stern, "Security Arguments for Digital Signatures and Blind Signatures," ''JOURNAL OF CRYPTOLOGY'', Volume 13, pp 361--396, 2000. [http://www.di.ens.fr/~pointche/pub.php Available on Internet].</ref> [[Claus P. Schnorr]] provided an attack on blind Schnorr signature schemes,<ref>C.P.Schnorr, "Security of Blind Discrete Log Signatures Against Interactive Attacks," ''Proceedings of ICICS 2001,'' [http://www.springerlink.com/content/wtykch59xl2r/ LNCS Vol. 2229], pp 1-13, 2001. [http://www.mi.informatik.uni-frankfurt.de/research/papers.html Available on Internet].</ref> which were argued to be secure by Pointcheval and Stern. Schnorr also suggested enhancements for securing blind signature schemes based on the [[discrete logarithm]] problem.<ref>C.P. Schnorr, "Enhancing the security of perfect blind DL-signatures," Information Sciences, Elsevier, Vol. 176, pp 1305--1320, 2006. [http://www.mi.informatik.uni-frankfurt.de/research/papers.html Available on Internet]</ref>
 
==References==
{{reflist}}
 
{{DEFAULTSORT:Forking Lemma}}
[[Category:Cryptography]]

Revision as of 13:13, 24 January 2014

The forking lemma is any of a number of related lemmas in cryptography research. The lemma states that if an adversary (typically a probabilistic Turing machine), on inputs drawn from some distribution, produces an output that has some property with non-negligible probability, then with non-negligible probability, if the adversary is re-run on new inputs but with the same random tape, its second output will also have the property.

This concept was first used by David Pointcheval and Jacques Stern in "Security proofs for signature schemes," published in the proceedings of Eurocrypt 1996.[1][2] In their paper, the forking lemma is specified in terms of an adversary that attacks a digital signature scheme instantiated in the random oracle model. They show that if an adversary can forge a signature with non-negligible probability, then there is a non-negligible probability that the same adversary with the same random tape can create a second forgery in an attack with a different random oracle.[3] The forking lemma was later generalized by Mihir Bellare and Gregory Neven.[4] The forking lemma has been used to prove the security of a variety of digital signature schemes and other random-oracle based cryptographic constructions.[2]

Statement of the lemma

The generalized version of the lemma is stated as follows.[4] Let A be a probabilistic algorithm, with inputs (x, h1, ..., hq; r) that outputs a pair (J, y), where r refers to the random tape of A (that is, the random choices A will make). Suppose further that IG is a probability distribution from which x is drawn, and that H is a set of size h from which each of the hi values are drawn according to the uniform distribution. Let acc be the probability that on inputs distributed as described, the J output by A is greater than or equal to 1.

We can then define a "forking algorithm" FA that proceeds as follows, on input x:

  1. Pick a random tape r for A.
  2. Pick h1, ..., hq uniformly from H.
  3. Run A on input (x, h1, ..., hq; r) to produce (J, y).
  4. If J = 0, then return (0, 0, 0).
  5. Pick h'J, ..., h'q uniformly from H.
  6. Run A on input (x, h1, ..., hJ−1, h'J, ..., h'q; r) to produce (J', y').
  7. If J' = J and hJ ≠ h'J then return (1, y, y'), otherwise, return (0, 0, 0).

Let frk be the probability that FA outputs a triple starting with 1, given an input x chosen randomly from IG. Then

frk ≥ acc · (acc/q − 1/h).
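An added example, not part of the original article: a Python sketch of the forking algorithm F_A run against a constructed toy algorithm, estimating acc and frk empirically and comparing frk with the bound acc · (acc/q − 1/h). The names toy_A, fork and estimate, the choice q = 5, |H| = 2^16, and the uniform distribution used for x are all assumptions made for illustration.

```python
import random

Q = 5             # q: number of values h_1..h_q handed to A
H_SIZE = 2 ** 16  # h = |H|; H is modelled as range(H_SIZE)

def toy_A(x, hs, r):
    """Constructed stand-in for A, deterministic given (x, hs, r).

    Reads h_1, h_2, ... in order and stops at the first index i whose
    value, masked with randomness from the tape, passes a fixed test.
    Returns (J, y); J = 0 means A failed."""
    tape = random.Random(r)            # r is the random tape (a seed here)
    for i, h in enumerate(hs, start=1):
        mask = tape.randrange(H_SIZE)
        if ((h ^ mask) + x) % 3 == 0:
            return i, (i, h)           # y records which h_i the output used
    return 0, 0

def fork(A, x, rng):
    """The forking algorithm F_A, following the seven steps."""
    r = rng.getrandbits(64)                                    # step 1
    hs = [rng.randrange(H_SIZE) for _ in range(Q)]             # step 2
    J, y = A(x, hs, r)                                         # step 3
    if J == 0:                                                 # step 4
        return (0, 0, 0)
    fresh = [rng.randrange(H_SIZE) for _ in range(Q - J + 1)]  # step 5
    hs2 = hs[:J - 1] + fresh        # h_1..h_{J-1} kept, h'_J..h'_q new
    J2, y2 = A(x, hs2, r)                                      # step 6
    if J2 == J and hs[J - 1] != hs2[J - 1]:                    # step 7
        return (1, y, y2)
    return (0, 0, 0)

def estimate(trials=20000, seed=1):
    """Monte Carlo estimates of acc and frk, plus the lemma's lower bound."""
    rng = random.Random(seed)
    accepted = forked = 0
    for _ in range(trials):
        x = rng.randrange(3)           # x drawn from IG (constructed: uniform)
        hs = [rng.randrange(H_SIZE) for _ in range(Q)]
        accepted += toy_A(x, hs, rng.getrandbits(64))[0] >= 1
        forked += fork(toy_A, x, rng)[0]
    acc, frk = accepted / trials, forked / trials
    return acc, frk, acc * (acc / Q - 1 / H_SIZE)

if __name__ == "__main__":
    acc, frk, bound = estimate()
    print(f"acc={acc:.3f} frk={frk:.3f} bound={bound:.3f}")
```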

Intuition

The idea here is to think of A as running two times in related executions, where the process "forks" at a certain point, when some but not all of the input has been examined. In the alternate version, the remaining inputs are re-generated but are generated in the normal way. The point at which the process forks may be something we only want to decide later, possibly based on the behavior of A the first time around: this is why the lemma statement chooses the branching point (J) based on the output of A. The requirement that hJ ≠ h'J is a technical one required by many uses of the lemma. (Note that since both hJ and h'J are chosen randomly from H, then if h is large, which would be normal, the probability of the two values not being distinct is extremely small.)

Example

For example, let A be an algorithm for breaking a digital signature scheme in the random oracle model. Then x would be the public parameters (including the public key) A is attacking, and hi would be the output of the random oracle on its ith distinct input. The forking lemma is of use when it would be possible, given two different random signatures of the same message, to solve some underlying hard problem. An adversary that forges once, however, gives rise to one that forges twice on the same message with non-negligible probability through the forking lemma. When A attempts to forge on a message m, we consider the output of A to be (J, y) where y is the forgery, and J is such that m was the Jth unique query to the random oracle (it may be assumed that A will query m at some point, if A is to be successful with non-negligible probability). (If A outputs an incorrect forgery, we consider the output to be (0, y).)

By the forking lemma, the probability (frk) of obtaining two good forgeries y and y' on the same message but with different random oracle outputs (that is, with hJ ≠ h'J) is non-negligible when acc is also non-negligible. This allows us to prove that if the underlying hard problem is indeed hard, then no adversary can forge signatures.

This is the essence of the proof given by Pointcheval and Stern for a modified ElGamal signature scheme against an adaptive adversary.

Known issues with application of forking lemma

The reduction provided by the forking lemma is not a tight reduction. Pointcheval and Stern proposed security arguments for digital signatures and blind signatures using the forking lemma.[5] Claus P. Schnorr provided an attack on blind Schnorr signature schemes,[6] which were argued to be secure by Pointcheval and Stern. Schnorr also suggested enhancements for securing blind signature schemes based on the discrete logarithm problem.[7]

References


  1. Ernest Brickell, David Pointcheval, Serge Vaudenay, and Moti Yung, "Design Validations for Discrete Logarithm Based Signature Schemes", Third International Workshop on Practice and Theory in Public Key Cryptosystems, PKC 2000, Melbourne, Australia, January 18–20, 2000, pp. 276–292.
  2. Adam Young and Moti Yung, "Malicious Cryptography: Exposing Cryptovirology", Wiley press, 2004, pp. 344.
  3. David Pointcheval and Jacques Stern, "Security Proofs for Signature Schemes", Advances in Cryptology — EUROCRYPT '96, Saragossa, Spain, May 12–16, 1996, pp. 387–398.
  4. Mihir Bellare and Gregory Neven, "Multi-Signatures in the Plain Public-Key Model and a General Forking Lemma", Proceedings of the 13th Association for Computing Machinery (ACM) Conference on Computer and Communications Security (CCS), Alexandria, Virginia, 2006, pp. 390–399.
  5. David Pointcheval and Jacques Stern, "Security Arguments for Digital Signatures and Blind Signatures," JOURNAL OF CRYPTOLOGY, Volume 13, pp 361--396, 2000. Available on Internet.
  6. C.P.Schnorr, "Security of Blind Discrete Log Signatures Against Interactive Attacks," Proceedings of ICICS 2001, LNCS Vol. 2229, pp 1-13, 2001. Available on Internet.
  7. C.P. Schnorr, "Enhancing the security of perfect blind DL-signatures," Information Sciences, Elsevier, Vol. 176, pp 1305--1320, 2006. Available on Internet