Computational Complexity in Non-Turing Models of Computation

名词解释中英文对比<using_information_sources> social networks 社会网络abductive reasoning 溯因推理action recognition(行为识别)active learning(主动学习)adaptive systems 自适应系统adverse drugs reactions(药物不良反应)algorithm design and analysis(算法设计与分析) algorithm(算法)artificial intelligence 人工智能association rule(关联规则)attribute value taxonomy 属性分类规范automomous agent 自动代理automomous systems 自动系统background knowledge 背景知识bayes methods(贝叶斯方法)bayesian inference(贝叶斯推断)bayesian methods(bayes 方法)belief propagation(置信传播)better understanding 内涵理解big data 大数据big data(大数据)biological network(生物网络)biological sciences(生物科学)biomedical domain 生物医学领域biomedical research(生物医学研究)biomedical text(生物医学文本)boltzmann machine(玻尔兹曼机)bootstrapping method 拔靴法case based reasoning 实例推理causual models 因果模型citation matching (引文匹配)classification (分类)classification algorithms(分类算法)clistering algorithms 聚类算法cloud computing(云计算)cluster-based retrieval (聚类检索)clustering (聚类)clustering algorithms(聚类算法)clustering 聚类cognitive science 认知科学collaborative filtering (协同过滤)collaborative filtering(协同过滤)collabrative ontology development 联合本体开发collabrative ontology engineering 联合本体工程commonsense knowledge 常识communication networks(通讯网络)community detection(社区发现)complex data(复杂数据)complex dynamical networks(复杂动态网络)complex network(复杂网络)complex network(复杂网络)computational biology 计算生物学computational biology(计算生物学)computational complexity(计算复杂性) computational intelligence 智能计算computational modeling(计算模型)computer animation(计算机动画)computer networks(计算机网络)computer science 计算机科学concept clustering 概念聚类concept formation 概念形成concept learning 概念学习concept map 概念图concept model 概念模型concept modelling 概念模型conceptual model 概念模型conditional random field(条件随机场模型) conjunctive quries 合取查询constrained least squares (约束最小二乘) convex programming(凸规划)convolutional neural networks(卷积神经网络) customer relationship management(客户关系管理) data analysis(数据分析)data analysis(数据分析)data center(数据中心)data clustering (数据聚类)data compression(数据压缩)data envelopment analysis (数据包络分析)data fusion 数据融合data generation(数据生成)data handling(数据处理)data hierarchy (数据层次)data integration(数据整合)data integrity 数据完整性data intensive computing(数据密集型计算)data management 数据管理data management(数据管理)data management(数据管理)data miningdata mining 数据挖掘data model 数据模型data models(数据模型)data partitioning 数据划分data point(数据点)data privacy(数据隐私)data security(数据安全)data stream(数据流)data streams(数据流)data structure( 数据结构)data structure(数据结构)data visualisation(数据可视化)data visualization 数据可视化data visualization(数据可视化)data warehouse(数据仓库)data warehouses(数据仓库)data warehousing(数据仓库)database management systems(数据库管理系统)database management(数据库管理)date interlinking 日期互联date linking 日期链接Decision analysis(决策分析)decision maker 决策者decision making (决策)decision models 决策模型decision models 决策模型decision rule 决策规则decision support system 决策支持系统decision support systems (决策支持系统) decision tree(决策树)decission tree 决策树deep belief network(深度信念网络)deep learning(深度学习)defult reasoning 默认推理density estimation(密度估计)design methodology 设计方法论dimension reduction(降维) dimensionality reduction(降维)directed graph(有向图)disaster management 灾害管理disastrous event(灾难性事件)discovery(知识发现)dissimilarity (相异性)distributed databases 分布式数据库distributed databases(分布式数据库) distributed query 分布式查询document clustering (文档聚类)domain experts 领域专家domain knowledge 领域知识domain specific language 领域专用语言dynamic databases(动态数据库)dynamic logic 动态逻辑dynamic network(动态网络)dynamic system(动态系统)earth mover's distance(EMD 距离) education 教育efficient algorithm(有效算法)electric commerce 电子商务electronic health records(电子健康档案) entity disambiguation 实体消歧entity recognition 实体识别entity recognition(实体识别)entity resolution 实体解析event detection 事件检测event detection(事件检测)event extraction 事件抽取event identificaton 事件识别exhaustive indexing 完整索引expert system 专家系统expert systems(专家系统)explanation based learning 解释学习factor graph(因子图)feature extraction 特征提取feature extraction(特征提取)feature extraction(特征提取)feature selection (特征选择)feature selection 特征选择feature selection(特征选择)feature space 特征空间first order logic 一阶逻辑formal logic 形式逻辑formal meaning prepresentation 形式意义表示formal semantics 形式语义formal specification 形式描述frame based system 框为本的系统frequent itemsets(频繁项目集)frequent pattern(频繁模式)fuzzy clustering (模糊聚类)fuzzy clustering (模糊聚类)fuzzy clustering (模糊聚类)fuzzy data mining(模糊数据挖掘)fuzzy logic 模糊逻辑fuzzy set theory(模糊集合论)fuzzy set(模糊集)fuzzy sets 模糊集合fuzzy systems 模糊系统gaussian processes(高斯过程)gene expression data 基因表达数据gene expression(基因表达)generative model(生成模型)generative model(生成模型)genetic algorithm 遗传算法genome wide association study(全基因组关联分析) graph classification(图分类)graph classification(图分类)graph clustering(图聚类)graph data(图数据)graph data(图形数据)graph database 图数据库graph database(图数据库)graph mining(图挖掘)graph mining(图挖掘)graph partitioning 图划分graph query 图查询graph structure(图结构)graph theory(图论)graph theory(图论)graph theory(图论)graph theroy 图论graph visualization(图形可视化)graphical user interface 图形用户界面graphical user interfaces(图形用户界面)health care 卫生保健health care(卫生保健)heterogeneous data source 异构数据源heterogeneous data(异构数据)heterogeneous database 异构数据库heterogeneous information network(异构信息网络) heterogeneous network(异构网络)heterogenous ontology 异构本体heuristic rule 启发式规则hidden markov model(隐马尔可夫模型)hidden markov model(隐马尔可夫模型)hidden markov models(隐马尔可夫模型) hierarchical clustering (层次聚类) homogeneous network(同构网络)human centered computing 人机交互技术human computer interaction 人机交互human interaction 人机交互human robot interaction 人机交互image classification(图像分类)image clustering (图像聚类)image mining( 图像挖掘)image reconstruction(图像重建)image retrieval (图像检索)image segmentation(图像分割)inconsistent ontology 本体不一致incremental learning(增量学习)inductive learning (归纳学习)inference mechanisms 推理机制inference mechanisms(推理机制)inference rule 推理规则information cascades(信息追随)information diffusion(信息扩散)information extraction 信息提取information filtering(信息过滤)information filtering(信息过滤)information integration(信息集成)information network analysis(信息网络分析) information network mining(信息网络挖掘) information network(信息网络)information processing 信息处理information processing 信息处理information resource management (信息资源管理) information retrieval models(信息检索模型) information retrieval 信息检索information retrieval(信息检索)information retrieval(信息检索)information science 情报科学information sources 信息源information system( 信息系统)information system(信息系统)information technology(信息技术)information visualization(信息可视化)instance matching 实例匹配intelligent assistant 智能辅助intelligent systems 智能系统interaction network(交互网络)interactive visualization(交互式可视化)kernel function(核函数)kernel operator (核算子)keyword search(关键字检索)knowledege reuse 知识再利用knowledgeknowledgeknowledge acquisitionknowledge base 知识库knowledge based system 知识系统knowledge building 知识建构knowledge capture 知识获取knowledge construction 知识建构knowledge discovery(知识发现)knowledge extraction 知识提取knowledge fusion 知识融合knowledge integrationknowledge management systems 知识管理系统knowledge management 知识管理knowledge management(知识管理)knowledge model 知识模型knowledge reasoningknowledge representationknowledge representation(知识表达) knowledge sharing 知识共享knowledge storageknowledge technology 知识技术knowledge verification 知识验证language model(语言模型)language modeling approach(语言模型方法) large graph(大图)large graph(大图)learning(无监督学习)life science 生命科学linear programming(线性规划)link analysis (链接分析)link prediction(链接预测)link prediction(链接预测)link prediction(链接预测)linked data(关联数据)location based service(基于位置的服务) loclation based services(基于位置的服务) logic programming 逻辑编程logical implication 逻辑蕴涵logistic regression(logistic 回归)machine learning 机器学习machine translation(机器翻译)management system(管理系统)management( 知识管理)manifold learning(流形学习)markov chains 马尔可夫链markov processes(马尔可夫过程)matching function 匹配函数matrix decomposition(矩阵分解)matrix decomposition(矩阵分解)maximum likelihood estimation(最大似然估计)medical research(医学研究)mixture of gaussians(混合高斯模型)mobile computing(移动计算)multi agnet systems 多智能体系统multiagent systems 多智能体系统multimedia 多媒体natural language processing 自然语言处理natural language processing(自然语言处理) nearest neighbor (近邻)network analysis( 网络分析)network analysis(网络分析)network analysis(网络分析)network formation(组网)network structure(网络结构)network theory(网络理论)network topology(网络拓扑)network visualization(网络可视化)neural network(神经网络)neural networks (神经网络)neural networks(神经网络)nonlinear dynamics(非线性动力学)nonmonotonic reasoning 非单调推理nonnegative matrix factorization (非负矩阵分解) nonnegative matrix factorization(非负矩阵分解) object detection(目标检测)object oriented 面向对象object recognition(目标识别)object recognition(目标识别)online community(网络社区)online social network(在线社交网络)online social networks(在线社交网络)ontology alignment 本体映射ontology development 本体开发ontology engineering 本体工程ontology evolution 本体演化ontology extraction 本体抽取ontology interoperablity 互用性本体ontology language 本体语言ontology mapping 本体映射ontology matching 本体匹配ontology versioning 本体版本ontology 本体论open government data 政府公开数据opinion analysis(舆情分析)opinion mining(意见挖掘)opinion mining(意见挖掘)outlier detection(孤立点检测)parallel processing(并行处理)patient care(病人医疗护理)pattern classification(模式分类)pattern matching(模式匹配)pattern mining(模式挖掘)pattern recognition 模式识别pattern recognition(模式识别)pattern recognition(模式识别)personal data(个人数据)prediction algorithms(预测算法)predictive model 预测模型predictive models(预测模型)privacy preservation(隐私保护)probabilistic logic(概率逻辑)probabilistic logic(概率逻辑)probabilistic model(概率模型)probabilistic model(概率模型)probability distribution(概率分布)probability distribution(概率分布)project management(项目管理)pruning technique(修剪技术)quality management 质量管理query expansion(查询扩展)query language 查询语言query language(查询语言)query processing(查询处理)query rewrite 查询重写question answering system 问答系统random forest(随机森林)random graph(随机图)random processes(随机过程)random walk(随机游走)range query(范围查询)RDF database 资源描述框架数据库RDF query 资源描述框架查询RDF repository 资源描述框架存储库RDF storge 资源描述框架存储real time(实时)recommender system(推荐系统)recommender system(推荐系统)recommender systems 推荐系统recommender systems(推荐系统)record linkage 记录链接recurrent neural network(递归神经网络) regression(回归)reinforcement learning 强化学习reinforcement learning(强化学习)relation extraction 关系抽取relational database 关系数据库relational learning 关系学习relevance feedback (相关反馈)resource description framework 资源描述框架restricted boltzmann machines(受限玻尔兹曼机) retrieval models(检索模型)rough set theroy 粗糙集理论rough set 粗糙集rule based system 基于规则系统rule based 基于规则rule induction (规则归纳)rule learning (规则学习)rule learning 规则学习schema mapping 模式映射schema matching 模式匹配scientific domain 科学域search problems(搜索问题)semantic (web) technology 语义技术semantic analysis 语义分析semantic annotation 语义标注semantic computing 语义计算semantic integration 语义集成semantic interpretation 语义解释semantic model 语义模型semantic network 语义网络semantic relatedness 语义相关性semantic relation learning 语义关系学习semantic search 语义检索semantic similarity 语义相似度semantic similarity(语义相似度)semantic web rule language 语义网规则语言semantic web 语义网semantic web(语义网)semantic workflow 语义工作流semi supervised learning(半监督学习)sensor data(传感器数据)sensor networks(传感器网络)sentiment analysis(情感分析)sentiment analysis(情感分析)sequential pattern(序列模式)service oriented architecture 面向服务的体系结构shortest path(最短路径)similar kernel function(相似核函数)similarity measure(相似性度量)similarity relationship (相似关系)similarity search(相似搜索)similarity(相似性)situation aware 情境感知social behavior(社交行为)social influence(社会影响)social interaction(社交互动)social interaction(社交互动)social learning(社会学习)social life networks(社交生活网络)social machine 社交机器social media(社交媒体)social media(社交媒体)social media(社交媒体)social network analysis 社会网络分析social network analysis(社交网络分析)social network(社交网络)social network(社交网络)social science(社会科学)social tagging system(社交标签系统)social tagging(社交标签)social web(社交网页)sparse coding(稀疏编码)sparse matrices(稀疏矩阵)sparse representation(稀疏表示)spatial database(空间数据库)spatial reasoning 空间推理statistical analysis(统计分析)statistical model 统计模型string matching(串匹配)structural risk minimization (结构风险最小化) structured data 结构化数据subgraph matching 子图匹配subspace clustering(子空间聚类)supervised learning( 有support vector machine 支持向量机support vector machines(支持向量机)system dynamics(系统动力学)tag recommendation(标签推荐)taxonmy induction 感应规范temporal logic 时态逻辑temporal reasoning 时序推理text analysis(文本分析)text anaylsis 文本分析text classification (文本分类)text data(文本数据)text mining technique(文本挖掘技术)text mining 文本挖掘text mining(文本挖掘)text summarization(文本摘要)thesaurus alignment 同义对齐time frequency analysis(时频分析)time series analysis( 时time series data(时间序列数据)time series data(时间序列数据)time series(时间序列)topic model(主题模型)topic modeling(主题模型)transfer learning 迁移学习triple store 三元组存储uncertainty reasoning 不精确推理undirected graph(无向图)unified modeling language 统一建模语言unsupervisedupper bound(上界)user behavior(用户行为)user generated content(用户生成内容)utility mining(效用挖掘)visual analytics(可视化分析)visual content(视觉内容)visual representation(视觉表征)visualisation(可视化)visualization technique(可视化技术) visualization tool(可视化工具)web 2.0(网络2.0)web forum(web 论坛)web mining(网络挖掘)web of data 数据网web ontology lanuage 网络本体语言web pages(web 页面)web resource 网络资源web science 万维科学web search (网络检索)web usage mining(web 使用挖掘)wireless networks 无线网络world knowledge 世界知识world wide web 万维网world wide web(万维网)xml database 可扩展标志语言数据库附录 2 Data Mining 知识图谱（共包含二级节点15 个，三级节点93 个）间序列分析)监督学习)领域 二级分类 三级分类。

ON THE COMPUTATIONALCOMPLEXITY OF ALGORITHMSBYJ. HARTMANIS AND R. E. STEARNSI. Introduction. In his celebrated paper [1], A. M. Turing investigated the computability of sequences (functions) by mechanical procedures and showed that the setofsequencescanbe partitioned into computable and noncomputable sequences. One finds, however, that some computable sequences are very easy to compute whereas other computable sequences seem to have an inherent complexity that makes them difficult to compute. In this paper, we investigate a scheme of classifying sequences according to how hard they are to compute. This scheme puts a rich structure on the computable sequences and a variety of theorems are established. Furthermore, this scheme can be generalized to classify numbers, functions, or recognition problems according to their compu-tational complexity.The computational complexity of a sequence is to be measured by how fast a multitape Turing machine can print out the terms of the sequence. This particular abstract model of a computing device is chosen because much of the work in this area is stimulated by the rapidly growing importance of computation through the use of digital computers, and all digital computers in a slightly idealized form belong to the class of multitape Turing machines. More specifically, if Tin) is a computable, monotone increasing function of positive integers into positive integers and if a is a (binary) sequence, then we say that a is in complexity class ST or that a is T-computable if and only if there is a multitape Turing machine 3~ such that 3~ computes the nth term of a. within Tin) operations. Each set ST is recursively enumerable and so no class ST contains all computable sequences. On the other hand, every computable a is contained in some com-plexity class ST. Thus a hierarchy of complexity classes is assured. Furthermore, the classes are independent of time scale or of the speed of the components from which the machines could be built, as there is a "speed-up" theorem which states that ST = SkT f or positive numbers k.As corollaries to the speed-up theorem, there are several limit conditions which establish containment between two complexity classes. This is contrasted later with the theorem which gives a limit condition for noncontainment. One form of this result states that if (with minor restrictions)Received by the editors April 2, 1963 and, in revised form, August 30, 1963.285286J. HARTMANIS AND R. E. STEARNS[May»*«, U(n)then S,; properly contains ST. The intersection of two classes is again a class. The general containment problem, however, is recursively unsolvable.One section is devoted to an investigation as to how a change in the abstract machine model might affect the complexity classes. Some of these are related by a "square law," including the one-tape-multitape relationship: that is if a is T-computable by a multitape Turing machine, then it is T2-computable by a single tape Turing machine. It is gratifying, however, that some of the more obvious variations do not change the classes.The complexity of rational, algebraic, and transcendental numbers is studied in another section. There seems to be a good agreement with our intuitive notions, but there are several questions still to be settled.There is a section in which generalizations to recognition problems and functions are discussed. This section also provides the first explicit "impossibility" proof, by describing a language whose "words" cannot be recognized in real-time [T(n) = n] .The final section is devoted to open questions and problem areas. It is our conviction that numbers and functions have an intrinsic computational nature according to which they can be classified, as shown in this paper, and that there is a good opportunity here for further research.For background information about Turing machines, computability and related topics, the reader should consult [2]. "Real-time" computations (i.e., T(n) = n) were first defined and studied in [3]. Other ways of classifying the complexity of a computation have been studied in [4] and [5], where the complexity is defined in terms of the amount of tape used.II. Time limited computations. In this section, we define our version of a multitape Turing machine, define our complexity classes with respect to this type of machine, and then work out some fundamental properties of these classes.First, we give an English description of our machine (Figure 1) since one must have a firm picture of the device in order to follow our paper. We imagine a computing device that has a finite automaton as a control unit. Attached to this control unit is a fixed number of tapes which are linear, unbounded at both ends, and ruled into an infinite sequence of squares. The control unit has one reading head assigned to each tape, and each head rests on a single square of the assigned tape. There are a finite number of distinct symbols which can appear on the tape squares. Each combination of symbols under the reading heads together with the state of the control unit determines a unique machine operation. A machine operation consists of overprinting a symbol on each tape square under the heads, shifting the tapes independently either one square left, one square1965]ON THE COMPUTATIONAL COMPLEXITY OF ALGORITHMS287ti 1111 i n cm U I I i I I I ID mm.Tn T| in i i i i i i i m-m Î2II I I I I I I I I m II I I I I I I IIP TnTAPESFINITE STATECOMPUTEROUTPUT TAPEFigure 1. An «-tape Turing machineright, or no squares, and then changing the state of the control unit. The machine is then ready to perform its next operation as determined by the tapes and control state. The machine operation is our basic unit of time. One tape is signaled out and called the output tape. The motion of this tape is restricted to one way move-ment, it moves either one or no squares right. What is printed on the output tape and moved from under the head is therefore irrevocable, and is divorced from further calculations.As Turing defined his machine, it had one tape and if someone put k successive ones on the tape and started the machine, it would print some f(k) ones on the tape and stop. Our machine is expected to print successively /(l),/(2), ••• on its output tape. Turing showed that such innovations as adding tapes or tape symbols does not increase the set of functions that can be computed by machines. Since the techniques for establishing such equivalences are common knowledge, we take it as obvious that the functions computable by Turing's model are the same as those computable by our version of a Turing machine. The reason we have chosen this particular model is that it closely resembles the operation of a present day computer; and being interested in how fast a machine can compute, the extra tapes make a difference.To clear up any misconceptions about our model, we now give a formal definition.Definition 1. An n-tape Turing machine, &~, is a set of (3n + 4)-tuples, {(q¡; Stl, Sh, — , Sin ; Sjo, Sjl, — , Sh ; m0, mx, —, m… ; qf)},where each component can take on a finite set of values, and such that for every possible combination of the first n + 1 entries, there exists a unique (3zi-t-4)-tupIe in this set. The first entry, q¡, designates the present state; the next n entries, S(l,-",S,B, designate the present symbols scanned on tapes Tx, •■•, T…,respectively; the next n + 1 symbols SJa, ••-, Sjn, designate the new symbols to be printed on288J. HARTMANIS AND R. E. STEARNS[May tapes T0, •■», T…, respectively; the next n entries describe the tape motions (left, right, no move) of the n + 1 tapes with the restriction m0 # left ; and the last entry gives the new internal state. Tape T0 is called the output tape. One tuple with S¡. = blank symbol for 1 = j = n is designated as starting symbol.Note that we are not counting the output tape when we figure n. Thus a zero-tape machine is a finite automaton whose outputs are written on a tape. We assume without loss of generality that our machine starts with blank tapes.For brevity and clarity, our proofs will usually appeal to the English description and will technically be only sketches of proofs. Indeed, we will not even give a formal definition of a machine operation. A formal definition of this concept can be found in [2].For the sake of simplicity, we shall talk about binary sequences, the general-ization being obvious. We use the notation a = axa2 ••• .Definition 2. Let Tin) be a computable function from integers into integers such that Tin) ^ Tin + 1) and, for some integer k, Tin) ^ n/ k for all n. Then we shall say that the sequence a is T-computable if and only if there exists a multitape Turing machine, 3~, which prints the first n digits of the sequence a on its output tape in no more than Tin) operations, n = 1,2, ••», allowing for the possibility of printing a bounded number of digits on one square. The class of all T-computable binary sequences shall be denoted by ST, and we shall refer to T(n) as a time-function. Sr will be called a complexity class.When several symbols are printed on one square, we regard them as components of a single symbol. Since these are bounded, we are dealing with a finite set of output symbols. As long as the output comes pouring out of the machine in a readily understood form, we do not regard it as unnatural that the output not be strictly binary. Furthermore, we shall see in Corollaries 2.5, 2.7, and 2.8 that if we insist that Tin) ^ n and that only (single) binary outputs be used, then the theory would be within an e of the theory we are adopting.The reason for the condition Tin) ^ n/fc is that we do not wish to regard the empty set as a complexity class. For if a is in ST and F is the machine which prints it, there is a bound k on the number of digits per square of output tape and T can print at most fcn0 d igits in n0 operations. By assumption, Tikn0) ^ n0 or (substituting n0 = n/ k) Tin) à n/ k . On the other hand, Tin) ^ n/ k implies that the sequence of all zeros is in ST because we can print k zeros in each operation and thus ST is not void.Next we shall derive some fundamental properties of our classes.Theorem 1. TAe set of all T-computable binary sequences, ST, is recursively enumerable.Proof. By methods similar to the enumeration of all Turing machines [2] one can first enumerate all multitape Turing machines which print binary sequences. This is just a matter of enumerating all the sets satisfying Definition 1 with the1965] ON THE COMPUTATIONAL C OMPLEXITY O F ALGORITHMS 289 added requirement that Sjo is always a finite sequence of binary digits (regarded as one symbol). Let such an enumeration be &~x, 3~2, ••• . Because T(n) is comput-able, it is possible to systematically modify each ^"¡ to a machine &"'t w ith the following properties : As long as y¡ prints its nth digit within T(n) operations (and this can be verified by first computing T(n) and then looking at the first T(n) operations of ^"¡), then the nth digit of &~'t will be the nth output of &~¡. If &~¡ s hould ever fail to print the nth digit after T(n) operations, then ^"¡'will print out a zero for each successive operation. Thus we can derive a new enumeration •^"'u &~2> "•• If' &\ operates within time T(n), then ^", and ^"¡'compute the same T-computable sequence <x¡. O therwise, &~{ c omputes an ultimately constant sequence a¡ and this can be printed, k bits at a time [where T(n) — n / fc] by a zero tape machine. In either case, a¡ is T-computable and we conclude that {«,} = ST.Corollary 1.1. There does not exist a time-function T such that ST is the set of all computable binary sequences.Proof. Since ST is recursively enumerable, we can design a machine !T which, in order to compute its ith output, computes the z'th bit of sequence a, and prints out its complement. Clearly 3~ produces a sequence a different from all <Xj in ST.Corollary 1.2. For any time-function T, there exists a time-function U such that ST is strictly contained in Sv. Therefore, there are infinitely long chainsSTl cr STl cz •••of distinct complexity classes.Proof. Let &" compute a sequence a not in ST (Corollary 1.1). Let V(n) equal the number of operations required by ^"to compute the nth digit of a. Clearly V is computable and a e Sr. Lett/(n) = max [Tin), V(n)] ,then Vin) is a time-function and clearlyOrí ^3 Oj1 *Since a in Sv and a not in ST, we haveCorollary 1.3. The set of all complexity classes is countable.Proof. The set of enumerable sets is countable.Our next theorem asserts that linear changes in a time-function do not change the complexity class. // r is a real number, we write [r] to represent the smallest integer m such that m = r.290J. HARTMANIS AND R. E. STEARNS[MayTheorem 2. If the sequence cc is T-computable and k is a computable, positive real number, then a is [kT~\-computable; that is,ST = S[kTX.Proof. We shall show that the theorem is true for k = 1/2 and it will be true for fc = 1/ 2m b y induction, and hence for all other computable k since, given k, k ^ 1 /2'" for some m. (Note that if k is computable, then \kT~\ is a computable function satisfying Definition 2.)Let ¡F be a machine which computes a in time T. If the control state, the tape symbols read, and the tape symbols adjacent to those read are all known, then the state and tape changes resulting from the next two operations of &~ are determined and can therefore be computed in a single operation. If we can devise a scheme so that this information is always available to a machine 5~', then &' can perform in one operation what ST does in two operations. We shall next show how, by combining pairs of tape symbols into single symbols and adding extra memory to the control, we can make the information available.In Figure 2(a), we show a typical tape of S" with its head on the square marked 0. In Figure 2(b), we show the two ways we store this information in &~'. Each square of the ^"'-tape contains the information in two squares of the ^-tape. Two of the ^"-tape symbols are stored internally in 3r' and 3~' must also remember which piece of information is being read by 9~. In our figures, this is indicated by an arrow pointed to the storage spot. In two operations of &~, t he heads must move to one of the five squares labeled 2, 1,0, — l,or —2. The corresponding next position of our ^"'-tape is indicated in Figures 2(c)-(g). It is easily verified that in each case, &"' can print or store the necessary changes. In the event that the present symbol read by IT is stored on the right in ¡T' as in Figure 2(f), then the analogous changes are made. Thus we know that ST' can do in one operation what 9~ does in two and the theorem is proved.Corollary 2.1. If U and T are time-functions such that«-.«> Vin)then Svçz ST.Proof. Because the limit is greater than zero, Win) ^ Tin) for some k > 0, and thus Sv = SlkVj çz sT.Corollary 2.2. If U and T are time-functions such thatTin)sup-TTT-r- < 00 ,n-»a> O(n)then SV^ST.Proof. This is the reciprocal of Corollary 2.1.1965] ON THE COMPUTATIONAL COMPLEXITY OF ALGORITHMSE37291/HO W2|3l4[5l(/ZEEI33OÏÏT2Ï31/L-2_-iJ(c]¿m W\2I3I4I5K/(b)ZBE o2|3|4l5|\r2Vi!¿En on2l3l4l5|/l-T-i](d)¿BE2 34[5|6|7ir\10 l|(f)¿m2 34|5l6l7l /L<Dj(g)Figure 2. (a) Tape of ^" with head on 0. (b) Corresponding configurations of 9"'. (c) 9~' if F moves two left, (d) 9~> i f amoves to -1. (e) 9~' if ^~ moves to 0. (f)^"' if amoves to 1.(g) 9~' if 3~ moves two rightCorollary 2.3. If U and T are time-functions such thatTin)0 < hm ) ; < oo ,H-.« Uin)then Srj = ST .Proof. This follows from Corollaries 2.1 and 2.2.Corollary 2.4. // Tin) is a time-function, then Sn^ST . Therefore, Tin) = n is the most severe time restriction.Proof. Because T is a time-function, Tin) = n/ k for some positive k by Definition 2; hence292j. hartmanis and r. e. stearns[Maymf m à 1 > O…-»o, n kand S… çz s T by Corollary 2.1.Corollary 2.5. For any time-function T, Sr=Sv where t/(n)=max \T(n),n\. Therefore, any complexity class may be defined by a function U(n) ^ n. Proof. Clearly inf (T/ Í7) > min (1,1/ k) and sup (T/ U) < 1 .Corollary 2.6. If T is a time-function satisfyingTin) > n and inf -^ > 1 ,…-co nthen for any a in ST, there is a multitape Turing machined with a binary (i.e., two symbol) output which prints the nth digit of a in Tin) or fewer operations. Proof. The inf condition implies that, for some rational e > 0, and integer N, (1 - e) Tin) > n or Tin) > eTin) + n for all n > N. By the theorem, there is a machine 9' which prints a in time \zT(ri)\. 9' can be modified to a machine 9" which behaves like 9' except that it suspends its calculation while it prints the output one digit per square. Obviously, 9" computes within time \i.T(ri)\ + n (which is less than Tin) for n > N). $~" can be modified to the desired machine9~ by adding enough memory to the control of 9~" to print out the nth digit of a on the nth operation for n ^ N.Corollary 2.7. IfT(n)^nandoieST,thenforanys >0, there exists a binary output multitape Turing machine 9 which prints out the nth digit of a in [(1 + e) T(n)J or fewer operations.Proof. Observe that. [(1 + e) T(n)]inf —--——■— — 1 + enand apply Corollary 2.6.Corollary 2.8. // T(n)^n is a time-function and oteST, then for any real numbers r and e, r > e > 0, /Aere is a binary output multitape Turing machine ¡F which, if run at one operation per r—e seconds, prints out the nth digit of a within rT(n) seconds. Ifcc$ ST, there are no such r and e. Thus, when considering time-functions greater or equal to n, the slightest increase in operation speed wipes out the distinction between binary and nonbinary output machines.Proof. This is a consequence of the theorem and Corollary 2.7.Theorem 3. // Tx and T2 are time-functions, then T(n) = min [T^n), T2(n)~] is a time-function and STí O ST2 = ST.1965] ON THE COMPUTATIONAL COMPLEXITY OF ALGORITHMS 293 Proof. T is obviously a time-function. If 9~x is a machine that computes a in time T, and 9~2 computes a in time T2, then it is an easy matter to construct a third device &~ i ncorporating both y, and 3T2 which computes a both ways simul-taneously and prints the nth digit of a as soon as it is computed by either J~x or 9~2. Clearly this machine operates inTin) = min \Txin), T2(n)] .Theorem 4. If sequences a and ß differ in at most a finite number of places, then for any time-function T, cceST if and only if ße ST.Proof. Let ,T print a in time T. Then by adding some finite memory to the control unit of 3", we can obviously build a machine 3~' which computes ß in time T.Theorem 5. Given a time-function T, there is no decision procedure to decide whether a sequence a is in ST.Proof. Let 9~ be any Turing machine in the classical sense and let 3Tx be a multitape Turing machine which prints a sequence ß not in ST. Such a 9~x exists by Theorem 1. Let 9~2 be a multitape Turing machine which prints a zero for each operation $~ makes before stopping. If $~ should stop after k operations, then 3~2 prints the /cth and all subsequent output digits of &x. Let a be the sequence printed by 9"2, Because of Theorem 4, a.eST if and only if 9~ does not stop. Therefore, a decision procedure for oceST would solve the stopping problem which is known to be unsolvable (see [2]).Corollary 5.1. There is no decision procedure to determine if SV=ST or Sv c STfor arbitrary time-functions U and T.Proof. Similar methods to those used in the previous proof link this with the stopping problem.It should be pointed out that these unsolvability aspects are not peculiar to our classification scheme but hold for any nontrivial classification satisfying Theorem 4.III. Other devices. The purpose of this section is to compare the speed of our multitape Turing machine with the speed of other variants of a Turing machine. Most important is the first result because it has an application in a later section.Theorem 6. If the sequence a is T-computable by multitape Turing machine, !T, then a is T2-computable by a one-tape Turing machine 3~x .Proof. Assume that an n-tape Turing machine, 3~, is given. We shall now describe a one-tape Turing machine Px that simulates 9~, and show that if &" is a T-computer, then S~x is at most a T2-computer.294j. hartmanis and r. e. stearns[May The S~ computation is simulated on S'y as follows : On the tape of & y will be stored in n consecutive squares the n symbols read by S on its n tapes. The symbols on the squares to the right of those symbols which are read by S~ on its n tapes are stored in the next section to the right on the S'y tape, etc., as indicated in Figure 3, where the corresponding position places are shown. The1 TAPE T|A 1 TAPE T2I?TAPE Tn(a)J-"lo(b)Figure 3. (a) The n tapes of S. (b) The tape of S~\machine Tx operates as follows: Internally is stored the behavioral description of the machine S", so that after scanning the n squares [J], [o], ■■■, [5]»-^"îdetermines to what new state S~ will go, what new symbols will be printed by it on its n tapes and in which direction each of these tapes will be shifted. First,¡Fy prints the new symbols in the corresponding entries of the 0 block. Then it shifts the tape to the right until the end of printed symbols is reached. (We can print a special symbol indicating the end of printed symbols.) Now the machine shifts the tape back, erases all those entries in each block of n squares which correspond to tapes of S~ which are shifted to the left, and prints them in the corresponding places in the next block. Thus all those entries whose corresponding S~ tapes are shifted left are moved one block to the left. At the other end of the tape, the process is reversed and returning on the tape 9y transfers all those entries whose corresponding S~ tapes are shifted to the right one block to the right on the S'y tape. When the machine S', reaches the rigAz most printed symbol on its tape, it returns to the specially marked (0) block which now contains1965] ON THE COMPUTATIONAL COMPLEXITY OF ALGORITHMS 295 the n symbols which are read by &~ o n its next operation, and #", has completed the simulation of one operation of 9~. It can be seen that the number of operations of Tx is proportional to s, the number of symbols printed on the tape of &"¡. This number increases at most by 2(n + 1) squares during each operation of &. Thus, after T(fc) operations of the machine J~, the one-tape machine S"t will perform at most7(*)T,(fc) =C0+ T Cxii = loperations, where C0 and C, are constants. But thenr,(fe) g C2 £ i^C [T(fc)]2 .¡ =iSince C is a constant, using Theorem 2, we conclude that there exists a one tape machine printing its fcth output symbol in less than T(fc)2 tape shifts as was to be shown.Corollary 6.1. The best computation time improvement that can be gained in going from n-tape machines to in + l)-tape machines is the square root of the computation time.Next we investigate what happens if we allow the possibility of having several heads on each tape with some appropriate rule to prevent two heads from occupy-ing the same square and giving conflicting instructions. We call such a device a multihead Turing machine. Our next result states that the use of such a model would not change the complexity classes.Theorem 7. Let a. be computable by a multihead Turing machine 3T which prints the nth digit in Tin) or less operations where T is a time-function; then a is in ST .Proof. We shall show it for a one-tape two-head machine, the other cases following by induction. Our object is to build a multitape machine Jr' which computes a within time 4T which will establish our result by Theorem 2. The one tape of !T will be replaced by three tapes in 9"'. Tape a contains the left-hand information from 9", tape b contains the right-hand information of 9~, and tape c keeps count, two at a time, of the number of tape squares of ST which are stored on both tapes a and b_. A check mark is always on some square of tape a to indicate the rightmost square not stored on tape b_ and tape b has a check to indicate the leftmost square not stored on tape a.When all the information between the heads is on both tapes a and b. then we have a "clean" position as shown in Figure 4(a). As &" operates, then tape296j. hartmanis and r. e. stearns [May7/Fio TTzTTR" 5 "6Ï7M I 4T5T6" 7 8TT77' ^f(a) rT-Tô:TT2l3l4l?l \J ¿Kh.1y(b) J I l?IM2!3|4 5.6T7 /I |?|4,|5|6 7 8TT7(c) f\7~ /\V\/\A7\7M J M/l/yTITTTTTTJ(a) (b)Figure 4. (a) .^"' in clean position, (b) S' in dirty positiona performs like the left head of S~, tape A behaves like the right head, and tape c reduces the count each time a check mark is moved. Head a must carry the check right whenever it moves right from a checked square, since the new symbol it prints will not be stored on tape A; and similarly head A moves its check left.After some m operations of S~' corresponding to m operations of S~, a "dirty"position such as Figure 4(b) is reached where there is no overlapping information.The information (if any) between the heads of S~ must be on only one tape of S~',say tape A as in Figure 4(b). Head A then moves to the check mark, the between head information is copied over onto tape a, and head amoves back into position.A clean position has been achieved and S~' is ready to resume imitating S~. The time lost is 3/ where I is the distance between the heads. But / ^ m since headA has moved / squares from the check mark it left. Therefore 4m is enough time to imitate m operations of S~ and restore a clean position. Thusas was to be shown.This theorem suggests that our model can tolerate some large deviations without changing the complexity classes. The same techniques can be applied to other changes in the model. For example, consider multitape Turing ma-chines which have a fixed number of special tape symbols such that each symbol can appear in at most one square at any given time and such that the reading head can be shifted in one operation to the place where the special symbol is printed, no matter how far it is on the tape. Turing machines with such "jump instructions^ are similarly shown to leave the classes unchanged.Changes in the structure of the tape tend to lead to "square laws." For example,consider the following :Definition 3. A two-dimensional tape is an unbounded plane which is sub-divided into squares by equidistant sets of vertical and horizontal lines as shown in Figure 5. The reading head of the Turing machine with this two-dimensional tape can move either one square up or down, or one square left or right on each operation. This definition extends naturally to higher-dimensional tapes.。

Table of ContentsModern Cryptography: Theory and PracticeBy Wenbo Mao Hewlett-Packard CompanyPublisher: Prentice Hall PTRPub Date: July 25, 2003ISBN: 0-13-066943-1Pages: 648Many cryptographic schemes and protocols, especially those based onpublic-keycryptography,have basic or so-called "textbook crypto" versions, as these versionsare usually the subjects formany textbooks on cryptography. This book takes adifferent approach to introducingcryptography: it pays much more attention tofit-for-application aspects of cryptography. Itexplains why "textbook crypto" isonly good in an ideal world where data are random and badguys behave nicely.It reveals the general unfitness of "textbook crypto" for the real world bydemonstratingnumerous attacks on such schemes, protocols and systems under variousrealworldapplication scenarios. This book chooses to introduce a set of practicalcryptographic schemes, protocols and systems, many of them standards or de factoones, studies them closely,explains their working principles, discusses their practicalusages, and examines their strong(i.e., fit-for-application) security properties, oftenwith security evidence formally established.The book also includes self-containedtheoretical background material that is the foundation formodern cryptography.Table of ContentsModern Cryptography: Theory and PracticeBy Wenbo Mao Hewlett-Packard CompanyPublisher: Prentice Hall PTRPub Date: July 25, 2003ISBN: 0-13-066943-1Pages: 648CopyrightHewlett-Packard® Professional BooksA Short Description of the BookPrefaceScopeAcknowledgementsList of FiguresList of Algorithms, Protocols and AttacksPart I: IntroductionChapter 1. Beginning with a Simple Communication GameSection 1.1. A Communication GameSection 1.2. Criteria for Desirable Cryptographic Systems and Protocols Section 1.3. Chapter SummaryExercisesChapter 2. Wrestling Between Safeguard and AttackSection 2.1. IntroductionSection 2.2. EncryptionSection 2.3. Vulnerable Environment (the Dolev-Yao Threat Model)Section 2.4. Authentication ServersSection 2.5. Security Properties for Authenticated Key Establishment Section 2.6. Protocols for Authenticated Key Establishment Using Encryption Section 2.7. Chapter SummaryExercisesPart II: Mathematical Foundations: Standard NotationChapter 3. Probability and Information TheorySection 3.1. IntroductionSection 3.2. Basic Concept of ProbabilitySection 3.3. PropertiesSection 3.4. Basic CalculationSection 3.5. Random Variables and their Probability DistributionsSection 3.6. Birthday ParadoxSection 3.7. Information TheorySection 3.8. Redundancy in Natural LanguagesSection 3.9. Chapter SummaryExercisesChapter 4. Computational ComplexitySection 4.1. IntroductionSection 4.2. Turing MachinesSection 4.3. Deterministic Polynomial TimeSection 4.4. Probabilistic Polynomial TimeSection 4.5. Non-deterministic Polynomial TimeSection 4.6. Non-Polynomial BoundsSection 4.7. Polynomial-time IndistinguishabilitySection 4.8. Theory of Computational Complexity and Modern Cryptography Section 4.9. Chapter SummaryExercisesChapter 5. Algebraic FoundationsSection 5.1. IntroductionSection 5.2. GroupsSection 5.3. Rings and FieldsSection 5.4. The Structure of Finite FieldsSection 5.5. Group Constructed Using Points on an Elliptic CurveSection 5.6. Chapter SummaryExercisesChapter 6. Number TheorySection 6.1. IntroductionSection 6.2. Congruences and Residue ClassesSection 6.3. Euler's Phi FunctionSection 6.4. The Theorems of Fermat, Euler and LagrangeSection 6.5. Quadratic ResiduesSection 6.6. Square Roots Modulo IntegerSection 6.7. Blum IntegersSection 6.8. Chapter SummaryExercisesPart III: Basic Cryptographic TechniquesChapter 7. Encryption — Symmetric TechniquesSection 7.1. IntroductionSection 7.2. DefinitionSection 7.3. Substitution CiphersSection 7.4. Transposition CiphersSection 7.5. Classical Ciphers: Usefulness and SecuritySection 7.6. The Data Encryption Standard (DES)Section 7.7. The Advanced Encryption Standard (AES)Section 7.8. Confidentiality Modes of OperationSection 7.9. Key Channel Establishment for Symmetric Cryptosystems Section 7.10. Chapter SummaryExercisesChapter 8. Encryption — Asymmetric TechniquesSection 8.1. IntroductionSection 8.2. Insecurity of "Textbook Encryption Algorithms"Section 8.3. The Diffie-Hellman Key Exchange ProtocolSection 8.4. The Diffie-Hellman Problem and the Discrete Logarithm Problem Section 8.5. The RSA Cryptosystem (Textbook Version)Section 8.6. Cryptanalysis Against Public-key CryptosystemsSection 8.7. The RSA ProblemSection 8.8. The Integer Factorization ProblemSection 8.9. Insecurity of the Textbook RSA EncryptionSection 8.10. The Rabin Cryptosystem (Textbook Version)Section 8.11. Insecurity of the Textbook Rabin EncryptionSection 8.12. The ElGamal Cryptosystem (Textbook Version)Section 8.13. Insecurity of the Textbook ElGamal EncryptionSection 8.14. Need for Stronger Security Notions for Public-key CryptosystemsSection 8.15. Combination of Asymmetric and Symmetric CryptographySection 8.16. Key Channel Establishment for Public-key CryptosystemsSection 8.17. Chapter SummaryExercisesChapter 9. In An Ideal World: Bit Security of The Basic Public-Key Cryptographic Functions Section 9.1. IntroductionSection 9.2. The RSA BitSection 9.3. The Rabin BitSection 9.4. The ElGamal BitSection 9.5. The Discrete Logarithm BitSection 9.6. Chapter SummaryExercisesChapter 10. Data Integrity TechniquesSection 10.1. IntroductionSection 10.2. DefinitionSection 10.3. Symmetric TechniquesSection 10.4. Asymmetric Techniques I: Digital SignaturesSection 10.5. Asymmetric Techniques II: Data Integrity Without Source Identification Section 10.6. Chapter SummaryExercisesPart IV: AuthenticationChapter 11. Authentication Protocols — PrinciplesSection 11.1. IntroductionSection 11.2. Authentication and Refined NotionsSection 11.3. ConventionSection 11.4. Basic Authentication TechniquesSection 11.5. Password-based AuthenticationSection 11.6. Authenticated Key Exchange Based on Asymmetric CryptographySection 11.7. Typical Attacks on Authentication ProtocolsSection 11.8. A Brief Literature NoteSection 11.9. Chapter SummaryExercisesChapter 12. Authentication Protocols — The Real WorldSection 12.1. IntroductionSection 12.2. Authentication Protocols for Internet SecuritySection 12.3. The Secure Shell (SSH) Remote Login ProtocolSection 12.4. The Kerberos Protocol and its Realization in Windows 2000Section 12.5. SSL and TLSSection 12.6. Chapter SummaryExercisesChapter 13. Authentication Framework for Public-Key CryptographySection 13.1. IntroductionSection 13.2. Directory-Based Authentication FrameworkSection 13.3. Non-Directory Based Public-key Authentication FrameworkSection 13.4. Chapter SummaryExercisesPart V: Formal Approaches to Security EstablishmentChapter 14. Formal and Strong Security Definitions for Public-Key Cryptosystems Section 14.1. IntroductionSection 14.2. A Formal Treatment for SecuritySection 14.3. Semantic Security — the Debut of Provable SecuritySection 14.4. Inadequacy of Semantic SecuritySection 14.5. Beyond Semantic SecuritySection 14.6. Chapter SummaryExercisesChapter 15. Provably Secure and Efficient Public-Key CryptosystemsSection 15.1. IntroductionSection 15.2. The Optimal Asymmetric Encryption PaddingSection 15.3. The Cramer-Shoup Public-key CryptosystemSection 15.4. An Overview of Provably Secure Hybrid CryptosystemsSection 15.5. Literature Notes on Practical and Provably Secure Public-key Cryptosystems Section 15.6. Chapter SummarySection 15.7. ExercisesChapter 16. Strong and Provable Security for Digital SignaturesSection 16.1. IntroductionSection 16.2. Strong Security Notion for Digital SignaturesSection 16.3. Strong and Provable Security for ElGamal-family SignaturesSection 16.4. Fit-for-application Ways for Signing in RSA and RabinSection 16.5. SigncryptionSection 16.6. Chapter SummarySection 16.7. ExercisesChapter 17. Formal Methods for Authentication Protocols AnalysisSection 17.1. IntroductionSection 17.2. Toward Formal Specification of Authentication ProtocolsSection 17.3. A Computational View of Correct Protocols — the Bellare-Rogaway Model Section 17.4. A Symbolic Manipulation View of Correct ProtocolsSection 17.5. Formal Analysis Techniques: State System ExplorationSection 17.6. Reconciling Two Views of Formal Techniques for SecuritySection 17.7. Chapter SummaryExercisesPart VI: Cryptographic ProtocolsChapter 18. Zero-Knowledge ProtocolsSection 18.1. IntroductionSection 18.2. Basic DefinitionsSection 18.3. Zero-knowledge PropertiesSection 18.4. Proof or Argument?Section 18.5. Protocols with Two-sided-errorSection 18.6. Round EfficiencySection 18.7. Non-interactive Zero-knowledgeSection 18.8. Chapter SummaryExercisesChapter 19. Returning to "Coin Flipping Over Telephone"Section 19.1. Blum's "Coin-Flipping-By-Telephone" ProtocolSection 19.2. Security AnalysisSection 19.3. EfficiencySection 19.4. Chapter SummaryChapter 20. AfterremarkBibliographyCopyrightLibrary of Congress Cataloging-in-Publication DataA CIP catalog record for this book can be obtained from the Library of Congress. Editorial/production supervision: Mary SudulCover design director: Jerry VottaCover design: Talar BoorujyManufacturing manager: Maura ZaldivarAcquisitions editor: Jill HarryMarketing manager: Dan DePasqualePublisher, Hewlett-Packard Books: Walter BruceA Short Description of the BookMany cryptographic schemes and protocols, especially those based on public-key cryptography,have basic or so-called "textbook crypto" versions, as these versions are usually the subjects formany textbooks on cryptography. This book takes a different approach to introducingcryptography: it pays much more attention to fit-for-application aspects of cryptography. Itexplains why "textbook crypto" is only good in an ideal world where data are random and badguys behave nicely. It reveals the general unfitness of "textbook crypto" for the real world bydemonstrating numerous attacks on such schemes, protocols and systems under various realworldapplication scenarios. This book chooses to introduce a set of practical cryptographicschemes, protocols and systems, many of them standards or de facto ones, studies them closely,explains their working principles, discusses their practical usages, and examines their strong(i.e., fit-for-application) security properties, often with security evidence formally established.The book also includes self-contained theoretical background material that is the foundation formodern cryptography.PrefaceOur society has entered an era where commerce activities, business transactions andgovernment services have been, and more and more of them will be, conducted and offered overopen computer and communications networks such as the Internet, in particular, viaWorldWideWeb-based tools. Doing things online has a great advantage of an always-onavailability to people in any corner of the world. Here are a few examples of things that havebeen, can or will be done online:Banking, bill payment, home shopping, stock trading, auctions, taxation, gambling, micropayment(e.g., pay-per-downloading), electronic identity, online access to medical records, virtual private networking, secure data archival and retrieval, certified delivery of documents, fair exchange of sensitive documents, fair signing of contracts,time-stamping,notarization, voting, advertising, licensing, ticket booking, interactive games, digitallibraries, digital rights management, pirate tracing, …And more can be imagined.Many cryptographic schemes and protocols, especially those based onpublic-keycryptography,have basic or so-called "textbook crypto" versions, as these versionsare usually the subjects formany textbooks on cryptography. This book takes adifferent approach to introducingcryptography: it pays much more attention tofit-for-application aspects of cryptography. Itexplains why "textbook crypto" isonly good in an ideal world where data are random and badguys behave nicely.It reveals the general unfitness of "textbook crypto" for the real world bydemonstratingnumerous attacks on such schemes, protocols and systems under variousrealworldapplication scenarios. This book chooses to introduce a set of practicalcryptographic schemes, protocols and systems, many of them standards or de factoones, studies them closely,explains their working principles, discusses their practicalusages, and examines their strong(i.e., fit-for-application) security properties, oftenwith security evidence formally established.The book also includes self-containedtheoretical background material that is the foundation formodern cryptography.PrefaceOur society has entered an era where commerce activities, business transactions andgovernment services have been, and more and more of them will be, conducted and offered overopen computer and communications networks such as the Internet, in particular, viaWorldWideWeb-based tools. Doing things online has a great advantage of an always-onavailability to people in any corner of the world. Here are a few examples of things that havebeen, can or will be done online:Banking, bill payment, home shopping, stock trading, auctions, taxation, gambling, micropayment(e.g., pay-per-downloading), electronic identity, online access to medical records, virtual private networking, secure data archival and retrieval, certified delivery of documents, fair exchange of sensitive documents, fair signing of contracts,time-stamping,notarization, voting, advertising, licensing, ticket booking, interactive games, digitallibraries, digital rights management, pirate tracing, …And more can be imagined.Fascinating commerce activities, transactions and services like these are only possible ifcommunications over open networks can be conducted in a secure manner. An effective solutionto securing communications over open networks is to apply cryptography. Encryption, digitalsignatures, password-based user authentication, are some of the most basic cryptographictechniques for securing communications. However, as we shall witness many times in this book,there are surprising subtleties and serious security consequences in the applicationsof even themost basic cryptographic techniques. Moreover, for many "fancier" applications, such as manylisted in the preceding paragraph, the basic cryptographic techniques are no longer adequate.With an increasingly large demand for safeguarding communications over open networks formore and more sophisticated forms of electronic commerce, business and services[a], anincreasingly large number of information security professionals will be needed for designing,developing, analyzing and maintaining information security systems and cryptographicprotocols. These professionals may range from IT systems administrators, information securityengineers and software/hardware systems developers whose products have securityrequirements, to cryptographers.[a] Gartner Group forecasts that total electronic business revenues for business to business (B2B) andbusiness to consumer (B2C) in the European Union will reach a projected US $2.6 trillion in 2004 (withprobability 0.7) which is a 28-fold increase from the level of 2000 [5]. Also, eMarketer [104] (page 41) reportsthat the cost to financial institutions (in USA) due to electronic identity theft was US $1.4 billion in 2002, andforecasts to grow by a compound annual growth rate of 29%.In the past few years, the author, a technical consultant on information security and cryptographic systems at Hewlett-Packard Laboratories in Bristol, has witnessed the phenomenon of a progressively increased demand for information security professionalsunmatched by an evident shortage of them. As a result, many engineers, who are oriented toapplication problems and may have little proper training in cryptography and informationsecurity have become "roll-up-sleeves" designers and developers for information securitysystems or cryptographic protocols. This is in spite of the fact that designing cryptographicsystems and protocols is a difficult job even for an expert cryptographer.The author's job has granted him privileged opportunities to review many information securitysystems and cryptographic protocols, some of them proposed and designed by "roll-up-sleeves"engineers and are for uses in serious applications. In several occasions, the author observed socalled"textbook crypto" features in such systems, which are the result of applications of cryptographic algorithms and schemes in ways they are usually introduced in many cryptographic textbooks. Direct encryption of a password (a secret number of a smallmagnitude) under a basic public-key encryption algorithm (e.g., "RSA") is a typical example oftextbook crypto. The appearances of textbook crypto in serious applications with a "nonnegligibleprobability" have caused a concern for the author to realize that the general danger oftextbook crypto is not widely known to many people who design and develop informationsecurity systems for serious real-world applications.Motivated by an increasing demand for information security professionals and a belief that theirknowledge in cryptography should not be limited to textbook crypto, the author has written thisbook as a textbook on non-textbook cryptography. This book endeavors to: Introduce a wide range of cryptographic algorithms, schemes and protocols with a particular emphasis on their non-textbook versions.Reveal general insecurity of textbook crypto by demonstrating a large number of attacks onand summarizing typical attacking techniques for such systems.Provide principles and guidelines for the design, analysis and implementation of cryptographic systems and protocols with a focus on standards.Study formalism techniques and methodologies for a rigorous establishment of strong andfit-for-application security notions for cryptographic systems and protocols. Include self-contained and elaborated material as theoretical foundations of modern cryptography for readers who desire a systematic understanding of the subject.ScopeModern cryptography is a vast area of study as a result of fast advances made in the past thirtyyears. This book focuses on one aspect: introducing fit-for-application cryptographic schemesand protocols with their strong security properties evidently established.The book is organized into the following six parts:Part I This part contains two chapters (1—2) and serves an elementary-level introductionfor the book and the areas of cryptography and information security. Chapter 1 begins witha demonstration on the effectiveness of cryptography in solving a subtle communicationproblem. A simple cryptographic protocol (first protocol of the book) for achieving "fair cointossing over telephone" will be presented and discussed. This chapter then carries on toconduct a cultural and "trade" introduction to the areas of study. Chapter 2 uses a series ofsimple authentication protocols to manifest an unfortunate fact in the areas: pitfalls areeverywhere.As an elementary-level introduction, this part is intended for newcomers to the areas.Part II This part contains four chapters (3—6) as a set of mathematical background knowledge, facts and basis to serve as a self-contained mathematical reference guide forthe book. Readers who only intend to "knowhow," i.e., know how to use thefit-forapplicationcrypto schemes and protocols, may skip this part yet still be able to follow most contents of the rest of the book. Readers who also want to "know-why," i.e., know whythese schemes and protocols have strong security properties, may find that this selfcontainedmathematical part is a sufficient reference material. When we present working principles of cryptographic schemes and protocols, reveal insecurity for some of them andreason about security for the rest, it will always be possible for us to refer to a precise pointin this part of the book for supporting mathematical foundations.This part can also be used to conduct a systematic background study of the theoreticalfoundations for modern cryptography.Part III This part contains four chapters (7—10) introducing the most basic cryptographicalgorithms and techniques for providing privacy and data integrity protections. Chapter 7 isfor symmetric encryption schemes, Chapter 8, asymmetric techniques. Chapter 9 considersan important security quality possessed by the basic and popular asymmetric cryptographicfunctions when they are used in an ideal world in which data are random. Finally, Chapter10 covers data integrity techniques.Since the schemes and techniques introduced here are the most basic ones, manyof themare in fact in the textbook crypto category and are consequently insecure. While the schemes are introduced, abundant attacks on many schemes will be demonstrated withwarning remarks explicitly stated. For practitioners who do not plan to proceed with an indepthstudy of fit-for-application crypto and their strong security notions, this textbook crypto part will still provide these readers with explicit early warning signals on the generalinsecurity of textbook crypto.Part IV This part contains three chapters (11—13) introducing an important notion inapplied cryptography and information security: authentication. These chapters provide awide coverage of the topic. Chapter 11 includes technical background, principles, a series ofbasic protocols and standards, common attacking tricks and prevention measures. Chapter12 is a case study for four well-known authentication protocol systems for real world applications. Chapter 13 introduces techniques which are particularly suitable for openfor-application) security properties, oftenwith security evidence formally established.The book also includes self-containedtheoretical background material that is the foundation formodern cryptography.systems which cover up-to-date and novel techniques.Practitioners, such as information security systems administration staff in an enterprise andsoftware/hardware developers whose products have security consequences may find thispart helpful.Part V This part contains four chapters (14—17) which provide formalism and rigoroustreatments for strong (i.e., fit-for-application) security notions for public-key cryptographictechniques (encryption, signature and signcryption) and formal methodologies for theanalysis of authentication protocols. Chapter 14 introduces formal definitions of strongsecurity notions. The next two chapters are fit-for-application counterparts to textbookcrypto schemes introduced in Part III, with strong security properties formally established(i.e., evidently reasoned). Finally, Chapter 17 introduces formal analysismethodologiesand techniques for the analysis of authentication protocols, which we have not been able todeal with in Part IV.Part VI This is the final part of the book. It contains two technical chapters (18—19) and ashort final remark (Chapter 20). The main technical content of this part, Chapter 18, introduces a class of cryptographic protocols called zero-knowledge protocols. Theseprotocols provide an important security service which is needed in various "fancy" electronic commerce and business applications: verification of a claimed property of secretdata (e.g., in conforming with a business requirement) while preserving a strict privacyquality for the claimant. Zero-knowledge protocols to be introduced in this part exemplifythe diversity of special security needs in various real world applications, which are beyondconfidentiality, integrity, authentication and non-repudiation. In the final technical chapterof the book (Chapter 19) we will complete our job which has been left over from the firstprotocol of the book: to realize "fair coin tossing over telephone." That final realization willachieve a protocol which has evidently-established strong security properties yet with anefficiency suitable for practical applications.Needless to say, a description for each fit-for-application crypto scheme or protocol has to beginwith a reason why the textbook crypto counterpart is unfit for application. Invariably, thesereasons are demonstrated by attacks on these schemes or protocols, which, by the nature ofattacks, often contain a certain degree of subtleties. In addition, a description of a fit-forapplicationscheme or protocol must also end at an analysis that the strong (i.e.,fit-forapplication)security properties do hold as claimed. Consequently, some parts of this book inevitably contain mathematical and logical reasonings, deductions and transformations in orderto manifest attacks and fixes.While admittedly fit-for-application cryptography is not a topic for quick mastery or that can bemastered via light reading, this book, nonetheless, is not one for in-depth researchtopics whichwill only be of interest to specialist cryptographers. The things reported and explained in it arewell-known and quite elementary to cryptographers. The author believes that they can also becomprehended by non-specialists if the introduction to the subject is provided with plenty ofexplanations and examples and is supported by self-contained mathematical background andreference material.The book is aimed at the following readers.Students who have completed, or are near to completion of, first degree courses in computer, information science or applied mathematics, and plan to pursue a career ininformation security. For them, this book may serve as an advanced course in appliedcryptography.Security engineers in high-tech companies who are responsible for the design and development of information security systems. If we say that the consequence of textbookcrypto appearing in an academic research proposal may not be too harmful since the worstcase of the consequence would be an embarrassment, then the use of textbook crypto in aninformation security product may lead to a serious loss. Therefore, knowing the unfitness oftextbook crypto for real world applications is necessary for these readers. Moreover, thesereaders should have a good understanding of the security principles behind thefit-forapplicationschemes and protocols and so they can apply the schemes and the principles correctly. The self-contained mathematical foundations material in Part II makes the book asuitable self-teaching text for these readers.Information security systems administration staff in an enterprise andsoftware/hardwaresystems developers whose products have security consequences. For these readers, Part Iis a simple and essential course for cultural and "trade" training; Parts III and IV form asuitable cut-down set of knowledge in cryptography and information security. These threeparts contain many basic crypto schemes and protocols accompanied with plenty of attacking tricks and prevention measures which should be known to and can be grasped by。