Introduction to Secure Multi-Party Computation
PNOZ m EF Multi Link Operating Manual

PNOZ m EF Multi Link
Configurable control systems PNOZmulti 2

This document is a translation of the original document.

All rights to this documentation are reserved by Pilz GmbH & Co. KG. Copies may be made for internal purposes. Suggestions and comments for improving this documentation will be gratefully received.

Pilz®, PIT®, PMI®, PNOZ®, Primo®, PSEN®, PSS®, PVIS®, SafetyBUS p®, SafetyEYE®, SafetyNET p®, the spirit of safety® are registered and protected trademarks of Pilz GmbH & Co. KG in some countries.

SD means Secure Digital.

Contents
1.2 Using the documentation
1.3 Definition of symbols
2.2 Unit features
2.3 Front view
3.2 System requirements
3.3 Safety regulations
3.3.1 Safety assessment
3.3.2 Use of qualified personnel
3.3.3 Warranty and liability
3.3.4 Disposal
3.3.5 For your safety
4.2 Functions
4.3 System reaction time
4.4 Block diagram
5.2 Dimensions in mm
5.3 Connect the base unit and expansion modules
6.2 Connection
6.3 Download modified project to the PNOZmulti system
7.2 Fault detection
9.2 Accessories

1 Introduction

1.1 Validity of documentation
This documentation is valid for the product PNOZ m EF Multi Link. It is valid until new documentation is published.
This operating manual explains the function and operation, describes the installation and provides guidelines on how to connect the product.

1.2 Using the documentation
This document is intended for instruction. Only install and commission the product if you have read and understood this document. The document should be retained for future reference.

1.3 Definition of symbols
Information that is particularly important is identified as follows:

NOTICE
This describes a situation in which the product or devices could be damaged and also provides information on preventive measures that can be taken. It also highlights areas within the text that are of particular importance.

INFORMATION
This gives advice on applications and provides information on special features.

2 Overview

2.1 Scope of supply

2.2 Unit features
Using the product PNOZ m EF Multi Link: link module to safely connect two configurable control systems PNOZmulti 2.
The product has the following features:
- Connection options: two base units PNOZmulti 2
- Can be configured in the PNOZmulti Configurator
- Point-to-point connection via 4-core shielded and twisted-pair cable
- 32 virtual inputs and 32 virtual outputs
- Status indicators
- Max. 4 PNOZ m EF Multi Link can be connected to the base unit
- LEDs for: operating state, error, connection status
- Plug-in connection terminals: either spring-loaded terminal or screw terminal, available as an accessory (see order reference)

2.3 Front view
LEDs: Power, Ready, Link, Fault
Legend:
- X2: 0 V, 24 V: supply connections; FE: functional earth
- Link: connection
- LEDs: Power, Ready, Link, Fault

3 Safety

3.1 Intended use
The expansion module is used for the point-to-point connection of safe virtual inputs and outputs between two base units.
The expansion module may only be connected to a base unit from the configurable system PNOZmulti 2 (please refer to the document "PNOZmulti System Expansion" for details of the base units that can be connected).
The configurable system PNOZmulti is used for the safety-related interruption of safety circuits and is designed for use on:
- Emergency stop equipment
- Safety circuits in accordance with VDE 0113 Part 1 and EN 60204-1
The following is deemed improper use in particular:
- Any component, technical or electrical modification to the product
- Use of the product outside the areas described in this manual
- Use of the product outside the technical details (see chapter 8, Technical details)

NOTICE
EMC-compliant electrical installation
The product is designed for use in an industrial environment. The product may cause interference if installed in other environments.
If installed in other environments, measures should be taken to comply with the applicable standards and directives for the respective installation site with regard to interference.

3.2 System requirements
Please refer to the "Product Modifications PNOZmulti" document in the "Version overview" section for details of which versions of the base unit and PNOZmulti Configurator can be used for this product.

3.3 Safety regulations

3.3.1 Safety assessment
Before using a unit it is necessary to perform a safety assessment in accordance with the Machinery Directive.
Functional safety is guaranteed for the product as a single component. However, this does not guarantee the functional safety of the overall plant/machine. In order to achieve the required safety level for the overall plant/machine, define the safety requirements for the plant/machine and then define how these must be implemented from a technical and organisational standpoint.

3.3.2 Use of qualified personnel
The products may only be assembled, installed, programmed, commissioned, operated, maintained and decommissioned by competent persons.
A competent person is someone who, because of their training, experience and current professional activity, has the specialist knowledge required to test, assess and operate the work equipment, devices, systems, plant and machinery in accordance with the general standards and guidelines for safety technology.
It is the company's responsibility only to employ personnel who:
- Are familiar with the basic regulations concerning health and safety / accident prevention
- Have read and understood the information provided in this description under "Safety"
- Have a good knowledge of the generic and specialist standards applicable to the specific application

3.3.3 Warranty and liability
All claims to warranty and liability will be rendered invalid if:
- The product was used contrary to the purpose for which it is intended
- Damage can be attributed to not having followed the guidelines in the manual
- Operating personnel are not suitably qualified
- Any type of modification has been made (e.g. exchanging components on the PCB boards, soldering work etc.)

3.3.4 Disposal
- In safety-related applications, please comply with the mission time TM in the safety-related characteristic data.
- When decommissioning, please comply with local regulations regarding the disposal of electronic devices (e.g. Electrical and Electronic Equipment Act).

3.3.5 For your safety
The unit meets all the necessary conditions for safe operation. However, you should always ensure that the following safety requirements are met:
- This operating manual only describes the basic functions of the unit. The expanded functions are described in the PNOZmulti Configurator's online help. Only use these functions once you have read and understood the documentation.
- Do not open the housing or make any unauthorised modifications.
- Please make sure you shut down the supply voltage when performing maintenance work (e.g. exchanging contactors).

4 Function Description

4.1 Integrated protection mechanisms
The relay conforms to the following safety criteria:
- The circuit is redundant with built-in self-monitoring.
- The safety function remains effective in the case of a component failure.

4.2 Functions
The link module PNOZ m EF Multi Link is used to safely transfer the input information from 32 virtual inputs and 32 virtual outputs between two PNOZmulti systems. One link module is assigned to each base unit. Data is exchanged cyclically.
The function of the inputs and outputs on the control system depends on the safety circuit created using the PNOZmulti Configurator. A chip card is used to download the safety circuit to the base unit. The base unit has 2 microcontrollers that monitor each other.
They evaluate the input circuits on the base unit and expansion modules and switch the outputs on the base unit and expansion modules accordingly.
The LEDs on the base unit and expansion modules indicate the status of the configurable control system PNOZmulti.
The online help on the PNOZmulti Configurator contains descriptions of the operating modes and all the functions of the control system, plus connection examples.

Data exchange:
- Data is exchanged cyclically.
- After the end of a PNOZmulti cycle, each base unit sends its output data to its link module. This output data is immediately sent to the link module on the other base unit.
- At the same time, the base unit reads the input data from the link module.

Connection of multiple base units:
Any number of base units can be connected via link modules. Two link modules are required for a connection between two base units. However, only a maximum of 4 link modules may be connected to any one base unit.

Virtual inputs and outputs:
Inputs and outputs for both PNOZmulti systems are assigned in the PNOZmulti Configurator. Inputs and outputs with the same number are assigned to each other, e.g. output o5 on one PNOZmulti system to input i5 on the other PNOZmulti system.

(Figure: Base unit 1, virtual outputs o0...o31 and virtual inputs i0...i31, linked to Base unit 2, virtual inputs i0...i31 and virtual outputs o0...o31.)

4.3 System reaction time
Calculation of the maximum reaction time between an input switching off and a linked output in the system switching off is described in the document "System Expansion".

4.4 Block diagram

5 Installation

5.1 General installation guidelines
- The unit should be installed in a control cabinet with a protection type of at least IP54.
- Fit the safety system to a horizontal mounting rail. The venting slots must face upward and downward. Other mounting positions could damage the safety system.
- Use the locking elements on the rear of the unit to attach it to a mounting rail.
- In environments exposed to heavy vibration, the unit should be secured using a fixing element (e.g. retaining bracket or end angle).
- Open the locking slide before lifting the unit from the mounting rail.
- To comply with EMC requirements, the mounting rail must have a low impedance connection to the control cabinet housing.
- The ambient temperature of the PNOZmulti units in the control cabinet must not exceed the figure stated in the technical details, otherwise air conditioning will be required.

NOTICE
Damage due to electrostatic discharge!
Electrostatic discharge can damage components. Ensure against discharge before touching the product, e.g. by touching an earthed, conductive surface or by wearing an earthed armband.

5.2 Dimensions in mm

5.3 Connect the base unit and expansion modules
Connect the base unit and the expansion module as described in the operating instructions for the base units.
- Connect the black/yellow terminator to the expansion module.
- Install the expansion module in the position in which it is configured in the PNOZmulti Configurator.
The position of the expansion modules is defined in the PNOZmulti Configurator. The expansion modules are connected to the left or right of the base unit, depending on the type.
Please refer to the document "PNOZmulti System Expansion" for details of the number of modules that can be connected to the base unit and the module types.

6 Commissioning

6.1 Wiring
The wiring is defined in the circuit diagram of the PNOZmulti Configurator.
Please note:
- Information given in the Technical details (chapter 8) must be followed.
- Use copper wire that can withstand 75 °C.
- The power supply must meet the regulations for extra low voltages with protective separation.
- 2 connection terminals are available for each of the supply connections 24 V and 0 V. This means that the supply voltage can be looped through several connections. The current at each terminal may not exceed 3 A.
- The max. cable length between two link modules on a connection with one link module:
  - PNOZ ml1p < V2.0: 100 m
  - PNOZ ml1p from V2.0, PNOZ mml1p, PNOZ m EF Multi Link: 1000 m
- Connect the inputs and outputs from two link modules with 4-core shielded cable. The cables must be twisted in pairs (see "Preparing for operation").
- Note the crossover cabling, e.g. CA+ with CB+.
- The cables must be classified into a minimum of Category 5 in accordance with ISO/IEC 11801.

6.2 Connection

6.3 Download modified project to the PNOZmulti system
As soon as an additional expansion module has been connected to the system, the project must be amended using the PNOZmulti Configurator.
Proceed as described in the operating instructions for the base unit.

NOTICE
For the commissioning and after every program change, you must check whether the safety devices are functioning correctly.

7 Operation
When the supply voltage is switched on, the PNOZmulti safety system copies the configuration from the chip card. The LEDs "POWER", "DIAG", "FAULT", "IFAULT" and "OFAULT" light up on the base unit.
The PNOZmulti safety system is ready for operation when the "POWER" and "RUN" LEDs on the base unit and the "READY" LED on the PNOZ m EF Multi Link are lit continuously.

7.1 Messages
Legend:

7.2 Fault detection
Each base unit contains information about:
- its own link module (in order, defective, no supply voltage)
- the status of the connection (yes, no)
- the operating status of the connected base unit (RUN, STOP)
When the connection is interrupted, the base units switch the virtual inputs to zero. The base units remain in a RUN condition.
Defective link module:
- The corresponding base unit switches to a STOP condition. The virtual outputs on the link module are set to zero.
- The connected base unit remains in a RUN condition.

8 Technical details

Approvals: BG, CCC, CE, EAC (Eurasian), TÜV, cULus Listed

Module supply
  Voltage: 24 V
  Kind: DC
  Voltage tolerance: -15 % / +20 %
  Output of external power supply (DC): 2,5 W
  Potential isolation: yes

Ambient temperature
  In accordance with the standard: EN 60068-2-14
  Temperature range: 0 - 60 °C

Storage temperature
  In accordance with the standard: EN 60068-2-1/-2
  Temperature range: -25 - 70 °C

Climatic suitability
  In accordance with the standard: EN 60068-2-30, EN 60068-2-78
  Condensation during operation: not permitted

EMC: EN 61131-2

Vibration
  In accordance with the standard: EN 60068-2-6
  Frequency: 5 - 55 Hz
  Acceleration: 1g

Shock stress
  In accordance with the standard: EN 60068-2-27
  Acceleration: 15g
  Duration: 11 ms

Max. operating height above sea level: 2000 m

Airgap creepage
  In accordance with the standard: EN 61131-2
  Overvoltage category: II
  Pollution degree: 2
  Rated insulation voltage: 30 V

Protection type
  In accordance with the standard: EN 60529
  Mounting area (e.g. control cabinet): IP54
  Housing: IP20

Potential isolation
  Type of potential isolation: functional insulation
  Rated surge voltage: 2500 V
  Potential isolation between module and system voltage, type of potential isolation: functional insulation

DIN rail
  Top hat rail: 35 x 7,5 EN 50022
  Recess width: 27 mm

Material
  Bottom: PC
  Front: PC
  Top: PC

Connection type: spring-loaded terminal, screw terminal
Mounting type: plug-in

Conductor cross section with screw terminals
  1 core flexible: 0,25 - 2,5 mm², 24 - 12 AWG
  2 core with the same cross section, flexible without crimp connectors or with TWIN crimp connectors: 0,2 - 1,5 mm², 24 - 16 AWG
  Rigid single-core, flexible multi-core or multi-core with crimp connector: 0,5 - 1,5 mm²
  Torque setting with screw terminals: 0,5 Nm

Conductor cross section with spring-loaded terminals
  Flexible with/without crimp connector: 0,2 - 2,5 mm², 24 - 12 AWG
  Terminal points per connection: 2
  Stripping length with spring-loaded terminals: 9 mm

Dimensions
  Height: 101,4 mm
  Width: 22,5 mm
  Depth: 120 mm
  Weight: 91 g

Where standards are undated, the 2013-01 latest editions shall apply.

8.1 Safety characteristic data

NOTICE
You must comply with the safety-related characteristic data in order to achieve the required safety level for your plant/machine.

Operating mode: 2-channel
  PL: e
  Cat.: 4
  SIL CL: 3
  PFH [1/h]: 8,82E-09
  SIL: 3
  PFD: 3,86E-05
  TM [years]: 20

All the units used within a safety function must be considered when calculating the safety characteristic data.

INFORMATION
A safety function's SIL/PL values are not identical to the SIL/PL values of the units that are used and may be different.
We recommend that you use the PAScal software tool to calculate the safety function's SIL/PL values.

Operating Manual PNOZ m EF Multi Link 1003018-EN-04

9 Order reference

9.1 Product

9.2 Accessories
Connection terminals
Terminator, jumper

Support
Technical support is available from Pilz round the clock. You can reach our international hotline on: +49 711 3409-444

CMSE®, InduraNET p®, PAS4000®, PAScal®, PASconfig®, Pilz®, PIT®, PLID®, PMCprimo®, PMCprotego®, PMCtendo®, PMD®, PMI®, PNOZ®, Primo®, PSEN®, PSS®, PVIS®, SafetyBUS p®, SafetyEYE®, SafetyNET p®, THE SPIRIT OF SAFETY® are registered and protected trademarks of Pilz GmbH & Co. KG in some countries. We would point out that product features may vary from the details stated in this document, depending on the status at the time of publication and the scope of the equipment. We accept no responsibility for the validity, accuracy and entirety of the text and graphics presented in this information. Please contact our Technical Support if you have any questions.

Pilz develops environmentally-friendly products using ecological materials and energy-saving technologies. Offices and production facilities are ecologically designed, environmentally-aware and energy-saving. So Pilz offers sustainability, plus the security of using energy-efficient products and environmentally-friendly solutions.

Pilz GmbH & Co. KG, Felix-Wankel-Straße 2, 73760 Ostfildern, Germany
Tel.: +49 711 3409-0, Fax: +49 711 3409-133

1003018-EN-04, 2015-11, Printed in Germany, © Pilz GmbH & Co. KG, 2015

Lower Bounds and Impossibility Results for Concurrent Self Composition*

Yehuda Lindell
IBM T.J. Watson Research, 19 Skyline Drive, Hawthorne, New York 10532, USA
lindell@

April 4, 2005

Abstract

In the setting of concurrent self composition, a single protocol is executed many times concurrently by a single set of parties. In this paper, we prove lower bounds and impossibility results for secure protocols in this setting. First and foremost, we prove that there exist large classes of functionalities that cannot be securely computed under concurrent self composition, by any protocol. We also prove a communication complexity lower bound on protocols that securely compute a large class of functionalities in this setting. Specifically, we show that any protocol that computes a functionality from this class and remains secure for m concurrent executions must have bandwidth of at least m bits. The above results are unconditional and hold for any type of simulation (i.e., even for non-black-box simulation). In addition, we prove a severe lower bound on protocols that are proven secure using black-box simulation. Specifically, we show that any protocol that computes the blind signature or oblivious transfer functionalities and remains secure for m concurrent executions, where security is proven via black-box simulation, must have at least m rounds of communication. Our results hold for the plain model, where no trusted setup phase is assumed. While proving our impossibility results, we also show that for many functionalities, security under concurrent self composition (where a single secure protocol is run many times) is actually equivalent to the seemingly more stringent requirement of security under concurrent general composition (where a secure protocol is run concurrently with other arbitrary protocols). This observation has significance beyond the impossibility results that are derived by it for concurrent self composition.

Keywords: secure computation, protocol composition, self and general composition, impossibility results, lower bounds, non-black-box and black-box simulation.

* This paper combines results that appeared in extended abstracts in [25] and [28].

Contents

1 Introduction
2 Definitions
  2.1 Concurrent Self Composition of Secure Two-Party Protocols
  2.2 Concurrent General Composition of Secure Two-Party Protocols
  2.3 Functionalities With Fixed Versus Interchangeable Roles
  2.4 Functionalities That Enable Bit Transmission
3 Self Composition Versus General Composition
  3.1 Equivalence for Functionalities That Enable Bit Transmission
  3.2 Equivalence for Functionalities with Interchangeable Roles
  3.3 Separation for Other Functionalities
4 Impossibility Results for Concurrent Self Composition
5 Communication Complexity Lower Bound
  5.1 The Lower Bound
  5.2 Concurrent General Composition With Independent Inputs
6 Black-Box Lower Bounds on Round Complexity
  6.1 The Main Result
  6.2 Impossibility for Concurrent Oblivious Transfer
  6.3 Extensions of the Black-Box Lower Bounds
References

1 Introduction

In the setting of two-party computation, two parties with respective private inputs $x$ and $y$ wish to jointly compute a functionality $f(x,y) = (f_1(x,y), f_2(x,y))$, such that the first party receives $f_1(x,y)$ and the second party receives $f_2(x,y)$. This functionality may be probabilistic, in which case $f(x,y)$ is a random variable. Loosely speaking, the security requirements are that nothing is learned from the protocol other than the output (privacy), and that the output is distributed according to the prescribed functionality (correctness). These security requirements must hold in the face of an adversary who controls one of the parties and can arbitrarily deviate from the protocol instructions (i.e., in this work we consider malicious, static adversaries). Powerful feasibility results have been shown for this problem, demonstrating that any two-party probabilistic polynomial-time functionality can be securely computed, assuming the existence of trapdoor permutations [36, 19].
Security under concurrent composition. The feasibility results of [36, 19] relate only to the stand-alone setting, where a single pair of parties run a single execution. A more general (and realistic) setting relates to the case that many protocol executions are run concurrently within a network. Unfortunately, the security of a protocol in the stand-alone setting does not necessarily imply its security under concurrent composition. Therefore, it is important to re-establish the feasibility results of the stand-alone setting for the setting of concurrent composition, or alternatively, to demonstrate that this cannot be done.

The notion of protocol composition can be interpreted in many ways. A very important distinction to be made relates to the context in which the protocol is executed. This refers to the question of which protocols are run together in the network, or in other words, with which protocols should the protocol in question compose. There are two contexts that have been considered, defining two classes of composition:

1. Self composition: A protocol is said to be secure under self composition if it remains secure when it alone is executed many times in a network. We stress that in this setting, there is only one protocol that is being run many times. This is the type of composition considered, for example, in the entire body of work on concurrent zero-knowledge (e.g., [11, 34]).

2. General composition: In this type of composition, many different protocols are run together in the network. Furthermore, these protocols may have been designed independently of one another. A protocol is said to maintain security under general composition if its security is maintained even when it is run along with other arbitrary protocols. This is the type of composition that was considered, for example, in the framework of universal composability [5].
We stress a crucial difference between self and general composition. In self composition, the protocol designer has control over everything that is being run in the network. However, in general composition, the other protocols being run may even have been designed maliciously after the secure protocol is fixed. This additional adversarial capability has been shown to yield practical attacks against real protocols [23].^1

Another distinction that we will make relates to the number of times a secure protocol is run. Typically, a protocol is expected to remain secure for any polynomial number of sessions. This is the "default" notion, and we sometimes refer to it as unbounded concurrency. A more restricted notion, first considered by [1], is that of bounded concurrency. In this case, a fixed bound on the number of concurrent executions is given, and the protocol only needs to remain secure when the number of concurrent executions does not exceed this bound. (When the bound is m, we call this m-bounded concurrency.) We note that the protocol design may depend on this bound.

Finally, we will distinguish between a setting where parties have fixed roles versus a setting where they may have interchangeable roles. For the sake of this distinction, note that protocols typically involve different roles. In general, in a two-party protocol, one role may be the protocol initiator while the other is the protocol responder. More notable examples of roles arise in specific cases. For example, in zero-knowledge, there are two different roles: the prover role and the verifier role. Now, in the setting of composition with fixed roles, each party assumes the same role in all of the executions. In contrast, in the setting of composition with interchangeable roles, parties may assume different roles in different executions. The latter setting, of interchangeable roles, is more general and in many cases is what is needed. However, there are some cases where fixed roles also make sense (for example, when one party is a server and the other a client).

^1 Although the attacks shown in [23] are due to key reuse, they demonstrate the point that the setting of general composition poses a real security threat. Specifically, [23] show how the adversary can construct new protocols whose entire aim is to compromise the security of existing protocols.

Feasibility of secure computation under composition. The first definition and composition theorem for security under concurrent general composition was provided by [31], who considered the case that a secure protocol is executed once concurrently with another arbitrary protocol.^2 The unbounded case, where a secure protocol can be run any polynomial number of times in an arbitrary network, was then considered in the framework of universal composability [5]. Informally speaking, a protocol that is proven secure under the definition of universal composability is guaranteed to remain secure when run any polynomial number of times in the setting of concurrent general composition. This setting realistically models the security requirements in modern networks. Therefore, the construction of protocols that are secure by this definition is of great importance. On the positive side, it has been shown that in the case of an honest majority, essentially any functionality can be securely computed in this framework [5]. Furthermore, even when there is no honest majority, it is possible to securely compute any functionality in the common reference string (CRS) model [9].
(In the CRS model,all parties have access to a common string that is chosen according to some distribution.Thus,this assumes some trusted setup phase.)However,it is desirable to obtain protocols in a setting where no trusted setup phase is assumed.Unfortunately,in the case of no honest majority and no trusted setup,broad impossibility results for universal composability have been demonstrated[6,5,8].Recently,it was shown in[27]that these impossibility results extend to any security definition that guarantees security under concurrent general composition(including the definition of[31]).Thus,it seems that in order to obtain security without an honest majority or a trusted setup phase,we must turn to self composition.Indeed,as afirst positive step,it has been shown that any functionality can be securely computed under m-bounded concurrent self composition[25,30]. Unfortunately,however,these protocols are highly inefficient:The protocol of[25]has many rounds of communication and both the protocols of[25]and[30]have high bandwidth.(That is,in order to obtain security for m executions,the protocol of[25]has more than m rounds and communication complexity of at least mn2.In contrast,the protocol of[30]has only a constant number of rounds, but still suffers from communication complexity of at least mn2.)These works still leave open the following important questions:1.Is it possible to obtain protocols that remain secure under unbounded concurrent self compo-sition,and if yes,for which functionalities?2.Is it possible to obtain highly efficient protocols that remain secure under m-bounded con-2An earlier reference to this problem with general ideas about how to define security appeared in[3,Appendix A].2current self composition?(By highly efficient,we mean that the dependence on the bound m is either additive(e.g.,m+poly(n)or poly(m)+poly(n)),or sublinear(e.g.,mǫ·poly(n)for some small constant0<ǫ<1).3)As we have mentioned,these questions are open for the case that no 
trusted setup phase is assumed and when there is no honest majority,as in the important two party case.Our results.In this paper,we provide negative answers to the above two questions.More precisely,we show that there exist large classes of functionalities that cannot be securely computed under unbounded concurrent self composition,by any protocol.We also prove a communication complexity lower bound for protocols that are secure under m-bounded concurrent self composition (by communication complexity,we mean the bandwidth or total number of bits sent by the parties during the execution).This is thefirst lower bound of this type,connecting the communication complexity of a protocol with the bound on the number of executions for which it remains secure. We begin with our impossibility result.Theorem1.1(impossibility for unbounded concurrency–informal):There exist large classes of two-party functionalities that cannot be securely computed under unbounded concurrent self compo-sition,by any protocol.In order to prove this result,in Section3we show that for many functionalities,obtaining security under unbounded concurrent self composition is actually equivalent to obtaining security under concurrent general composition(that is,a protocol is secure under one notion if and only if it is secure under the other).This may seem counter-intuitive because in the setting of self composition, the protocol designer has full control over the network.Specifically,the only protocol that is run in the network is the specified secure protocol.In contrast,in the setting of general composition,a protocol must remain secure even when run concurrently with arbitrary other protocols.Further-more,these protocols may be designed maliciously in order to attack the secure protocol.Despite this apparent difference,we show that equivalence actually holds.We now briefly describe how this is proven.The above-described equivalence between concurrent self and general composition is proven for all 
functionalities that“enable bit transmission”.Loosely speaking,such a functionality can be used by each party to send any arbitrary bit to the other party.In the setting of interchangeable roles(described above),essentially any functionality that depends on the parties’inputs(and so is non-trivial)enables bit transmission.In the setting offixed roles,it is also required that both parties receive non-trivial output;see Section2.4.Now,many executions of a protocol that securely computes a functionality that enables bit transmission can be used by the parties to send arbitrary messages to each other.Essentially, this means that many executions of one secure protocol can be used to emulate the execution of any arbitrary protocol.Thus,the setting of general composition,where a secure protocol runs concurrently with other arbitrary protocols,can be emulated(using the bit transmission property) by many executions of a single secure protocol.We therefore obtain that security under concurrent self composition implies security under concurrent general composition.Since,trivially,security under general composition implies security under self composition,we obtain equivalence between these two notions.We conclude that although general composition considers a very difficult scenario 3Notice that a protocol whose complexity has no dependence on m can be used to achieve unbounded concurrency by setting m=n log n.Therefore,given that unbounded concurrency cannot be achieved,some dependence on m is necessary.3(in which arbitrary network activity must be considered),for many functionalities it is actually equivalent to the seemingly more restricted setting of self composition.That is,we have the following theorem:Theorem1.2(equivalence of self and general composition–informal):Let f be any two-party functionality.Then,in the setting of interchangeable roles,f can be securely computed under unbounded concurrent self composition if and only if it can be securely computed under 
concurrent general composition. If f is a functionality that enables bit transmission, then equivalence also holds in a setting with fixed roles.

As stated in Theorem 1.2, in the setting of interchangeable roles, we obtain full equivalence between concurrent self and general composition (without any additional requirement regarding bit transmission). This is the case because when interchangeable roles are allowed, all functionalities are either trivial (to the extent that they can be computed without any interaction) or enable bit transmission. A natural question to ask is whether or not in the setting of fixed roles, equivalence also holds for functionalities that do not enable bit transmission. In Section 3.3, we show that in the setting of fixed roles, there exists a functionality that can be securely computed under concurrent self composition but cannot be securely computed under concurrent general composition (specifically, this is the zero-knowledge proof of knowledge functionality). Thus, when there is no bit transmission, it can be “easier” to obtain security under self composition than under general composition.

Returning to the proof of Theorem 1.1, impossibility is derived by combining the equivalence between concurrent self and general composition as stated in Theorem 1.2 with the impossibility results for concurrent general composition that were demonstrated in [27]. The actual impossibility results obtained are described in Section 4. This answers the first question above, at least in that it demonstrates impossibility for large classes of functionalities. (It is still far, however, from a full characterization of feasibility.)

Regarding the second question, in Section 5, we prove the following theorem that rules out the possibility of obtaining “efficient” protocols that remain secure under m-bounded concurrent self composition.

Theorem 1.3 (communication complexity lower bound – informal): There exists a large class of two-party functionalities with the property that any protocol that
securely computes a functionality in this class under m-bounded concurrent self composition must have communication complexity of at least m.

Theorem 1.3 is essentially proven by directly combining the proof of Theorem 1.2 with proofs of impossibility from [27] and [8]; see Section 5.

We remark that our definition of security under concurrent self composition is such that honest parties may choose their inputs adaptively, based on previously obtained outputs. This is a seemingly harder definition to achieve than one where the inputs to all the executions are fixed ahead of time. We stress that allowing the inputs to be chosen adaptively is crucial to the proof of Theorems 1.1 to 1.3. Nevertheless, we believe that this is also the desired definition (since in real settings, outputs from previous executions may indeed influence the inputs of later executions).

Black-box lower bound. The above lower bounds and impossibility results are unconditional. That is, they hold without any complexity assumptions and assume nothing about the simulation; in particular it is not assumed that the simulator is “black-box”.⁴ In addition to the above, in Section 6, we prove a severe lower bound on the round complexity of protocols that can be proven secure using black-box simulation. This lower bound is proven specifically for the functionalities of blind signatures [10] and 1-out-of-2 oblivious transfer [33, 12].

Theorem 1.4 (black-box lower bound – informal): Any protocol that securely computes the blind signature or oblivious transfer functionalities under m-bounded concurrent self composition, and can be proven using black-box simulation, must have more than m rounds of communication.

⁴ A black-box simulator uses only oracle access to the real adversary A; see the paragraph that follows Definition 1.
Black-box lower bounds do not imply infeasibility in general. In fact, constant-round protocols for m-bounded concurrent self composition have been demonstrated [30]. Nevertheless, Theorem 1.4 shows that any such protocol must use non-black-box simulation techniques. Note also that all known highly efficient protocols are proven via black-box simulation; therefore, Theorem 1.4 may indicate a certain difficulty in obtaining very efficient protocols in this setting.

The idea behind the proof of Theorem 1.4 is to show that when concurrent self composition is considered, the “rewinding capability” of the simulator is severely limited. In fact, for a protocol of m rounds that is run m times concurrently, there exists a scheduling of messages so that in one of the executions, the simulator is unable to carry out any rewinding of the adversary. However, informally speaking, a black-box simulator must rewind in order to successfully simulate. Therefore, any protocol that remains secure for m concurrent executions must have more than m rounds of communication.

Theorem 1.4 stands in stark contrast with concurrent zero-knowledge, where black-box simulation does suffice for obtaining unbounded concurrent composition [34]. In fact, a logarithmic number of rounds suffices for obtaining security for any polynomial number of executions [32]. Thus, in the “black-box world” and in the setting of concurrent self composition, zero-knowledge is strictly easier to achieve than blind signatures and oblivious transfer.

We remark that Theorems 1.1, 1.3 and 1.4 hold even if at any given time, at most two executions are running simultaneously. (Loosely speaking, in such a case the m-bounded concurrency means that m different protocol executions may overlap.) This shows that our lower bounds do not stem from deep protocol nesting (in contrast to [7], for example). Indeed, a nesting depth of at most two is needed.

Extensions to multi-party computation. We note that although Theorems 1.1 and 1.3 are stated for two-party functionalities, they
immediately imply impossibility results for multi-party functionalities as well. This is because secure protocols for multi-party functionalities can be used to solve two-party tasks as well. Likewise, by appropriately defining “bit transmission” for multi-party functionalities, it is possible to prove Theorem 1.2 for this setting as well.

A new result for concurrent general composition. While proving Theorem 1.3, we also obtain a new impossibility result for concurrent general composition. Specifically, we show that even if the inputs used by an honest party in a secure protocol are independent of the inputs used in the other arbitrary protocols, then impossibility still holds. See Section 5.2 for more details. (Interestingly, as shown in [14] and discussed in Section 6.2, oblivious transfer under concurrent self composition and with fixed roles can be achieved in the case that all inputs are independently chosen. This does not contradict the above result for general composition because oblivious transfer does not enable bit transmission. Therefore, the equivalence between self and general composition of Theorem 1.2 does not hold.)

Other related work. The focus of this work is the ability to obtain secure protocols for solving general tasks. However, security under concurrent composition has also been studied for specific tasks of interest. Indeed, the study of security under concurrent composition was initiated in the context of concurrent zero knowledge [13, 11], where a prover runs many copies of a protocol with many verifiers. Thus, concurrent zero-knowledge is cast in the setting of concurrent self composition. This problem has received much attention; see [34, 7, 1] for just a few examples. Other specific problems have also been considered, but are not directly related to this paper.
One work that requires mentioning is the (black-box) protocol for unbounded concurrent oblivious transfer of [14]. This construction seems to be in direct contradiction to Theorem 1.4. However, in the model of [14], all the inputs in all the executions are assumed to be independent of each other. In contrast, we consider a more standard model where quantification is over all inputs, and in particular, over possibly correlated inputs.

Open questions. As we have mentioned, the constant-round protocol of [30] has very high communication complexity. Specifically, the number of bits sent in the protocol is Ω(m(n² + |Π|)), where Π is a protocol that remains secure under concurrent self composition when given access to an ideal zero-knowledge functionality. Thus, the factor of m is multiplicative in the communication complexity. In contrast, Theorem 1.3 only shows that a linear dependence on m (or an additive factor) is necessary. This gap is very significant because a bandwidth of m + |Π| may be acceptable in practice, in contrast to the very high communication complexity of the protocol of [30].

Another interesting question relates to the feasibility of obtaining security under concurrent self composition and with fixed roles, for functionalities that do not enable bit transmission. As we have mentioned, the zero-knowledge functionality does not enable bit transmission and can be securely computed under concurrent self composition. However, it is not known which other functionalities can also be securely computed. The oblivious transfer functionality would be of specific interest here; both because of its importance as a cryptographic primitive, and because by Theorem 1.4, it cannot be securely computed using black-box simulation. Thus, the question remains whether or not non-black-box simulation can be used to achieve oblivious transfer under unbounded concurrent self composition.

2 Definitions

In this section, we present definitions of security under concurrent self composition and concurrent general composition. In
addition, we define functionalities with “interchangeable roles” and functionalities that “enable bit transmission”. Our definitions are presented for the special case of two-party protocols. The extension to the multi-party case is straightforward.

Preliminaries. We denote the security parameter by $n$. A function $\mu(\cdot)$ is negligible in $n$ (or just negligible) if for every polynomial $p(\cdot)$ there exists a value $N$ such that for all $n > N$ it holds that $\mu(n) < 1/p(n)$. Let $X = \{X(n,a)\}_{n \in \mathbb{N}, a \in \{0,1\}^*}$ and $Y = \{Y(n,a)\}_{n \in \mathbb{N}, a \in \{0,1\}^*}$ be distribution ensembles. Then, we say that $X$ and $Y$ are computationally indistinguishable, denoted $X \stackrel{c}{\equiv} Y$, if for every probabilistic polynomial-time distinguisher $D$ there exists a function $\mu(\cdot)$ that is negligible in $n$, such that for every $a \in \{0,1\}^*$,

$$\bigl|\Pr[D(X(n,a)) = 1] - \Pr[D(Y(n,a)) = 1]\bigr| < \mu(n).$$

When $X$ and $Y$ are equivalent distributions, we write $X \equiv Y$.

We adopt a convention whereby a machine is said to run in polynomial-time if its number of steps is polynomial in the security parameter, irrespective of the length of its input. (Formally, each machine has a security-parameter tape upon which $1^n$ is written. The machine is then polynomial in the contents of this tape.)

2.1 Concurrent Self Composition of Secure Two-Party Protocols

We begin by presenting the definition for security under concurrent self composition. The basic description and definition of secure computation follows [20, 2, 29, 4].

Two-party computation. A two-party protocol problem is cast by specifying a random process that maps pairs of inputs to pairs of outputs (one for each party).⁵ We refer to such a process as a functionality and denote it $f : \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^* \times \{0,1\}^*$, where $f = (f_1, f_2)$. That is, for every pair of inputs $(x, y)$, the output pair is a random variable $(f_1(x,y), f_2(x,y))$ ranging over pairs of strings. The first party (with input $x$) wishes to obtain $f_1(x,y)$ and the second party (with input $y$) wishes to obtain $f_2(x,y)$. We often denote such a functionality by $(x, y) \to (f_1(x,y), f_2(x,y))$. Thus, for example, the zero-knowledge proof of knowledge functionality
for a relation $R$ is denoted by $((x, w), \lambda) \to (\lambda, (x, R(x, w)))$. In the context of concurrent composition, each party actually uses many inputs (one for each execution), and these may be chosen adaptively based on previous outputs. We consider both concurrent self composition (where the number of executions is unbounded) and m-bounded concurrent self composition (where the number of simultaneously concurrent executions is a priori bounded by m and the protocol design can depend on this bound).

Adversarial behavior. In this work we consider a malicious, static adversary that runs in polynomial time (recall that this means that it is polynomial in the security parameter, irrespective of the length of its input). Such an adversary controls one of the parties (who is called corrupted) and may then interact with the honest party while arbitrarily deviating from the specified protocol. Our definition does not guarantee any fairness. That is, the adversary always receives its own output and can then decide when (if at all) the honest party will receive its output. The scheduling of message delivery is decided by the adversary.

Security of protocols (informal). The security of a protocol is analyzed by comparing what an adversary can do in the protocol to what it can do in an ideal scenario that is clearly secure. This is formalized by considering an ideal computation involving an incorruptible trusted third party to whom the parties send their inputs. The trusted party computes the functionality on the inputs and sends each party its designated output. Unlike in the stand-alone model, here the trusted party computes the functionality many times, each time upon different inputs. Loosely speaking, a protocol is secure if any adversary interacting in the real protocol (where no trusted third party exists) can do no more harm than if it was involved in the above-described ideal computation.
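The “enables bit transmission” property that drives Theorem 1.2, and the zero-knowledge functionality just defined, as an added Python example (not code from the paper). Section 2.4's formal definition is not reproduced on this page, so the criterion implemented here is the introduction's loose description for fixed roles: P1 can send a bit to P2 if choosing between two P1-inputs changes P2's output against some fixed P2-input, and symmetrically for P2 to P1. Each ideal-model session then carries one bit, and many sessions emulate a channel. The functionalities (`greater_than`, `oblivious_transfer`, `zk_pok`), their finite domains, and all function names are constructed for this example; `None` stands in for the empty output λ.

```python
"""'Enables bit transmission' checked by brute force over small finite domains
(added example; not the paper's code). Functionalities are deterministic Python
callables f(x, y) -> (f1, f2); None plays the role of the empty output lambda."""
from itertools import product


def transmission_inputs(f, dom1, dom2, sender):
    """Return ((s0, s1), r): the sender's choice of s0 or s1, against the receiver's
    fixed input r, flips the receiver's output. None if f carries no bit in that
    direction, i.e. the receiver's output never depends on the sender's input."""
    if sender == 1:
        for (x0, x1), y in product(product(dom1, repeat=2), dom2):
            if x0 != x1 and f(x0, y)[1] != f(x1, y)[1]:
                return (x0, x1), y
    else:
        for (y0, y1), x in product(product(dom2, repeat=2), dom1):
            if y0 != y1 and f(x, y0)[0] != f(x, y1)[0]:
                return (y0, y1), x
    return None


def enables_bit_transmission(f, dom1, dom2):
    """Fixed roles: both directions, P1 -> P2 and P2 -> P1, must be possible."""
    return all(transmission_inputs(f, dom1, dom2, s) is not None for s in (1, 2))


def send_bits(f, dom1, dom2, sender, bits):
    """Emulate a channel with one ideal session per bit. The receiver decodes by
    comparing its output with what it would see if the sender had encoded 0."""
    plan = transmission_inputs(f, dom1, dom2, sender)
    if plan is None:
        raise ValueError(f"f does not let P{sender} transmit bits")
    (s0, s1), r = plan
    session = (lambda s: f(s, r)[1]) if sender == 1 else (lambda s: f(r, s)[0])
    zero = session(s0)
    return [0 if session(s1 if bit else s0) == zero else 1 for bit in bits]


# Sample functionalities (constructed for this example).
def greater_than(x, y):              # both parties learn whether x > y
    return (x > y, x > y)


def oblivious_transfer(strings, b):  # ((g0, g1), b) -> (lambda, g_b)
    return (None, strings[b])


def zk_pok(xw, _):                   # ((x, w), lambda) -> (lambda, (x, R(x, w))), R: w^2 = x mod 7
    x, w = xw
    return (None, (x, w * w % 7 == x))


GT_DOM = (range(4), range(4))
OT_DOM = ([(a, c) for a in (0, 1) for c in (0, 1)], [0, 1])
ZK_DOM = ([(x, w) for x in range(7) for w in range(7)], [None])
```

`greater_than` lets either party encode a bit, so it enables bit transmission; `oblivious_transfer` and `zk_pok` give P1 no output at all, so P2 can never signal back and neither enables it, matching the paper's remarks on oblivious transfer and zero knowledge.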
Concurrent executions in the ideal model. An ideal execution with an adversary who controls $P_2$ proceeds as follows (when the adversary controls $P_1$ the roles are simply reversed):

Inputs: Party $P_1$ and $P_2$'s inputs are respectively determined by probabilistic polynomial-time Turing machines $M_1$ and $M_2$, and initial inputs $x$ and $y$ to these machines. As we will see below, these Turing machines determine the values that the parties use as inputs in the protocol executions. These input values are computed from the initial input, the current session number and outputs that were obtained from executions that have already concluded. Note that the number of previous outputs ranges from zero (for the case that no previous outputs have yet been obtained) to some polynomial in $n$ that depends on the number of sessions initiated by the adversary.⁶

⁵ Thus, our specific definition is for “secure function evaluation” only. However, it can be generalized to reactive functionalities in a straightforward way.

⁶ Notice that we place no restriction on the lengths of the input values output by $M_1$ and $M_2$. It is known that
Microsoft Azure Multi-Factor Authentication Adoption Guide

Microsoft Azure Multi-Factor Authentication - Adoption Kit
Version: 3.0
For the latest version, please check https://aka.ms/aadadoptionkits

Contents
Microsoft Azure Multi-Factor Authentication - Adoption Kit
  Awareness
    Business overview
    Key benefits
    Pricing and licensing requirements
    Announcements/blogs
  Training/learning resources
    Level 100 concepts
    Training resources
    Videos
    Books
    Online courses
    Whitepaper
  Plan and change management
    Deployment plan
    Quickstarts
    End-user readiness and communication
    Combined registration with Self-Service Password Reset
  Customer stories/case studies
  Support and feedback
  Next steps

Awareness
This section helps you to analyze the benefits of Microsoft Azure Multi-Factor Authentication. You will learn about the ease of use, benefits, pricing, and licensing model. You can also access up-to-date announcements and blogs that discuss ongoing improvements.

Business overview
The following adoption kit is specific to Microsoft Azure Multi-Factor Authentication and does not cover the Multi-Factor Authentication Server. For information on the Multi-Factor Authentication Server, see Getting started with Multi-Factor Authentication Server.

Multi-Factor Authentication helps safeguard access to data and applications while meeting user demand for a simple sign-on process. It delivers strong authentication via a range of easy verification options (phone call, text message, mobile app notification, or one-time passwords), allowing users to choose the method they prefer.
It can be used both on-premises and in the cloud to add security for accessing Microsoft online services, Azure AD-connected SaaS applications, line-of-business applications, and remote access applications.

Key benefits
Using Multi-Factor Authentication gives you the following benefits:

Easy to set up
Your applications or services do not need to make any changes to use Multi-Factor Authentication. The verification prompts are part of the Azure AD sign-in event, which automatically requests and processes the Multi-Factor Authentication challenge when required. It is designed for administrators to easily set up, use, and monitor.

Scalable
Basic Multi-Factor Authentication features are available at no extra cost. You can upgrade to scale for a greater number of users or groups. You can integrate with Active Directory and on-premises applications as well as cloud-based applications.

Always protected
To enable protection for specific sign-in events, you can configure Conditional Access policies. Coupling Conditional Access with Azure AD Identity Protection, which detects anomalies and suspicious events, allows you to require Multi-Factor Authentication when sign-in risk is medium or high.

Reliable
Microsoft guarantees 99.9% availability of Multi-Factor Authentication. This feature is especially dependable for accounts with privileged access to resources.

Intuitive user experience
Users likely already use Multi-Factor Authentication with personal and other accounts, and their experience is that it is simple to activate and use. The extra protection that comes with Multi-Factor Authentication allows users to manage their own devices.

Pricing and licensing requirements
For information on pricing and billing, see Azure AD pricing.

Announcements/blogs
Azure AD receives improvements on an ongoing basis.
To stay up to date with the most recent developments, refer to What's new in Azure AD?

Training/learning resources
The following resources are a good start to learn about Multi-Factor Authentication. They include level 100 concepts, videos by our experts, books, links to online courses, and useful whitepapers for reference.

Level 100 concepts
Microsoft understands that some organizations have unique environment requirements or complexities. If yours is one of these organizations, use these recommendations as a starting point. However, most organizations can implement these recommendations as suggested.
• Find out what the identity secure score in Azure AD is.
• Understand identity and device access configurations.

Refer to the following links to get started with Multi-Factor Authentication:
• Read the Azure Multi-Factor Authentication overview
• Learn about authentication and verification methods available in Azure AD
• Learn how Azure Multi-Factor Authentication works
• Understand Conditional Access policies and security defaults
• Frequently asked questions (FAQs) about Azure Multi-Factor Authentication

For more information, deep-dive into the Authentication documentation.

Training resources

Videos
How to register your security information in Azure Active Directory: Learn how to register the security information through Azure AD for security features like Multi-Factor Authentication and Self-Service Password Reset. End users will also learn how to view and manage their security methods in Azure AD.

Books
Source: Microsoft Press - Modern Authentication with Azure Active Directory for Web Applications (Developer Reference), 1st Edition. Learn the essentials of authentication protocols and get started with Azure AD.
Refer to examples of applications that use Azure AD for their authentication and authorization, including how they work in hybrid scenarios with Active Directory Federation Services (ADFS).

Online courses
Refer to the following courses on Multi-Factor Authentication at:

Whitepaper

Plan and change management
In this section, you deep-dive into planning and deploying Multi-Factor Authentication in your organization.

Deployment plan
Planning your Multi-Factor Authentication deployment is critical to make sure you achieve the required authentication strategy for your organization.

Quickstarts
Follow the step-by-step guidance to:
• Set up Multi-Factor Authentication
• Enable security defaults
• Secure user sign-in events with Azure Multi-Factor Authentication
• Use risk detections for user sign-ins to trigger Azure Multi-Factor Authentication or password changes

End-user readiness and communication
Download Multi-Factor Authentication rollout materials and customize them with your organization's branding. You can distribute the readiness material to your users during the Multi-Factor Authentication rollout, educate them about the feature, and remind them to register.

Combined registration with Self-Service Password Reset
We recommend that you enable combined security information registration in Azure AD for SSPR and Multi-Factor Authentication, and that you understand the functionality and effects of this feature. In case of issues, refer to Troubleshooting combined security information registration.

Customer stories/case studies
Discover how most organizations have come to understand the need for securing cloud identities with a second layer of authentication like Multi-Factor Authentication. The following featured stories demonstrate these needs:

Wipro Limited - Wipro drives mobile productivity with Microsoft cloud security tools to improve customer engagements.
The IT team uses a combination of single sign-on capabilities and Multi-Factor Authentication to support conditional access, including device-state conditional access.

Orica - Explosives provider simplifies business and improves data access with SAP S/4HANA on Azure. Orica uses Azure services for additional protection, such as automatically requiring anyone seeking access to the software and service applications to verify their identity through Multi-Factor Authentication.

Aramex Delivery Limited - Global logistics and transportation company creates a cloud-connected office with an identity and access management solution. Ensuring secure access was especially difficult with Aramex's remote employees. The company is now applying conditional access to let these remote employees access their SaaS applications from outside the network. The conditional access rule decides whether to enforce Multi-Factor Authentication, giving only the right people the right access.

Support and feedback
How can we improve Multi-Factor Authentication? This section provides links to discussion forums and technical community support email IDs.

We encourage you to join our Technical Community, a platform for Microsoft Azure AD users and Microsoft to interact. It is a central destination for education and thought leadership on best practices, product news, live events, and the roadmap. If you have technical questions or need help with Azure, please try StackOverflow or visit the MSDN Azure AD forums. Tell us what you think of Azure and what you want to see in the future. If you have suggestions, please submit an idea or contact a support professional through Multi-Factor Authentication Server (PhoneFactor) support.

Next steps
Cryptography: An Introduction to Secure Communication

Introduction
In today's digital age, the security of sensitive information has become a major concern for individuals, organizations, and governments alike. The practice of cryptography plays a crucial role in safeguarding this information from unauthorized access, manipulation, and theft. In this document, we will explore the fundamentals of cryptography, its history, different types of cryptographic algorithms, and its applications in various fields.

1. History of Cryptography
Cryptography can be traced back to ancient times when it was used to send secret messages during wars and conflicts. The early methods of cryptography involved simple substitution ciphers, where each letter in a message was replaced by another letter following a fixed pattern. Over the years, cryptography evolved, and more complex algorithms were developed to ensure stronger security.

2. Symmetric Cryptography
Symmetric cryptography, also known as secret-key cryptography, is a fundamental technique in which the same key is used for both encryption and decryption of messages. The sender and receiver share this secret key, which must be kept confidential to ensure secure communication. The Advanced Encryption Standard (AES) is the symmetric algorithm in wide use today; its predecessor, the Data Encryption Standard (DES), is no longer considered secure because its 56-bit key can be recovered by brute force.

3. Asymmetric Cryptography
Asymmetric cryptography, also known as public-key cryptography, uses two keys: a private key and a public key. The private key is kept secret by the owner, while the public key is shared with others. Messages encrypted with the public key can only be decrypted using the corresponding private key, so the two parties do not need to share a secret in advance. The most widely used asymmetric algorithm is RSA (Rivest-Shamir-Adleman).

4. Hash Functions
Hash functions are an essential component of cryptography.
They are algorithms that convert data of any size into a fixed-size hash value. A hash function always produces the same hash value for the same input data and is designed to be computationally irreversible, so that it is infeasible to recover the original data from the hash value, and collision resistant, so that it is infeasible to find two different inputs with the same hash value. Hash functions are extensively used in data integrity checks and digital signatures.

5. Cryptographic Applications
Cryptography finds applications in various fields, ensuring the security of sensitive information and enabling secure communication. Some of the common applications include:

a. Internet Security: Cryptography is used in the Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), to secure data transmitted over the internet, thereby protecting online transactions and sensitive information.

b. Digital Signatures: Cryptography enables the creation of digital signatures, which provide authentication, integrity, and non-repudiation for electronic documents and messages.

c. Password Protection: Cryptographic techniques are used in password hashing algorithms to protect user passwords. This ensures that even if the stored password hashes are compromised, the passwords themselves cannot be easily recovered.

d. Virtual Private Networks (VPNs): Cryptography plays a critical role in securing VPNs, providing a secure tunnel for remote users to access corporate networks over the internet.

e. Blockchain Technology: Cryptography forms the backbone of blockchain technology, securing transactions and ensuring the immutability of data stored in a decentralized network.

6. Challenges and Future Trends
While cryptography has significantly advanced over the years, it still faces challenges and opportunities for growth. With the rise of quantum computing and the potential threat it poses to traditional encryption algorithms, researchers are exploring post-quantum cryptography techniques.
Additionally, advancements in homomorphic encryption and secure multi-party computation hold the potential for secure computation on encrypted data without revealing the underlying information.

Conclusion
Cryptography is a fundamental tool in securing communication and protecting sensitive information in today's digital world. With its rich history and continuous advancements, cryptography continues to play a vital role in ensuring privacy, integrity, and authenticity. Understanding the different types of cryptographic algorithms and their applications will empower individuals and organizations to make informed decisions when it comes to secure communication.
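The password-protection application listed in Section 5 (item c), as an added Python example that is not part of the original page: a stored verifier must be salted, slow to compute, and compared in constant time, and the weak alternative (a fast, unsalted hash) is shown beside it so the difference is visible. Only the standard library is used; the iteration count, the verifier string format, and the sample users are assumptions of the example.

```python
"""Salted, slow password hashing with constant-time verification (added example;
not code from the page). Standard library only."""
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumption; tune to your hardware)
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Self-describing verifier: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>.
    Storing the parameters lets you raise the work factor later without breaking logins."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)   # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, verifier):
    """Recompute with the stored salt and work factor; compare in constant time so the
    comparison itself does not leak how many leading bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = verifier.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected, iterations = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex), int(iterations)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def unsalted_sha256(password):
    """The weak scheme for contrast: fast and unsalted, so two users with the same
    password get the same hash and one precomputed table cracks all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def demo():
    """Constructed sample: two users who chose the same passphrase."""
    pw = "correct horse battery staple"
    weak = {u: unsalted_sha256(pw) for u in ("alice", "bob")}
    strong = {u: hash_password(pw) for u in ("alice", "bob")}
    return {
        "weak_hashes_collide": weak["alice"] == weak["bob"],
        "strong_verifiers_differ": strong["alice"] != strong["bob"],
        "login_ok": verify_password(pw, strong["alice"]),
        "login_wrong_case": verify_password(pw.capitalize(), strong["alice"]),
    }
```

A memory-hard function such as scrypt or Argon2 is the better choice where available; PBKDF2 is used here because it ships with the standard library, and the same salt-plus-work-factor-plus-constant-time-compare pattern applies unchanged.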
Smooth Projective Hashing and Two-Message Oblivious Transfer

Yael Tauman Kalai
Massachusetts Institute of Technology
tauman@, /∼tauman

Abstract. We present a general framework for constructing two-message oblivious transfer protocols using a modification of Cramer and Shoup's notion of smooth projective hashing (2002). Our framework is actually an abstraction of the two-message oblivious transfer protocols of Naor and Pinkas (2001) and Aiello et al. (2001), whose security is based on the Decisional Diffie-Hellman Assumption. In particular, this framework gives rise to two new oblivious transfer protocols. The security of one is based on the N'th-Residuosity Assumption, and the security of the other is based on both the Quadratic Residuosity Assumption and the Extended Riemann Hypothesis.

When using smooth projective hashing in this context, we must deal with maliciously chosen smooth projective hash families. This raises new technical difficulties that did not arise in previous applications, and in particular it is here that the Extended Riemann Hypothesis comes into play.

Similar to the previous two-message protocols for oblivious transfer, our constructions give a security guarantee which is weaker than the traditional, simulation based, definition of security. Nevertheless, the security notion that we consider is nontrivial and seems to be meaningful for some applications in which oblivious transfer is used in the presence of malicious adversaries.

1 Introduction

In [CS98], Cramer and Shoup introduced the first CCA2 secure encryption scheme, whose security is based on the Decisional Diffie-Hellman (DDH) Assumption. They later presented an abstraction of this scheme based on a new notion which they called “smooth projective hashing” [CS02]. This abstraction yielded new CCA2 secure encryption schemes whose security is based on the Quadratic Residuosity Assumption or on the N'th Residuosity Assumption [Pa99].¹ This notion of smooth projective hashing was then used by Gennaro and Lindell [GL03] in the context of key generation from humanly memorizable passwords. Analogously, their work generalizes an earlier protocol for this problem [KOY01], whose security is also based on the DDH Assumption.

* Supported in part by NSF CyberTrust grant CNS-0430450.
¹ The N'th Residuosity Assumption is also referred to in the literature as the Decisional Composite Residuosity Assumption and as Paillier's Assumption.

In this paper, we use smooth projective hashing to construct efficient two-message oblivious transfer protocols. Our work follows the above pattern, in that it generalizes earlier protocols for this problem [NP01, AIR01] whose security is based on the DDH assumption. Interestingly, using smooth projective hashing in this context raises a new issue. Specifically, we must deal with maliciously chosen smooth projective hash families. This issue did not arise in the previous two applications because these were either in the public key model or in the common reference string model.

1.1 Oblivious Transfer

Oblivious transfer is a protocol between a sender, holding two strings $\gamma_0$ and $\gamma_1$, and a receiver holding a choice bit $b$. At the end of the protocol the receiver should learn the string of his choice (i.e., $\gamma_b$) but learn nothing about the other string. The sender, on the other hand, should learn nothing about the receiver's choice $b$. Oblivious transfer, first introduced by Rabin [Rab81], is a central primitive in modern cryptography. It serves as the basis of a wide range of cryptographic tasks. Most notably, any secure multi-party computation can be based on a secure oblivious transfer protocol [Y86, GMW87, Kil88]. Oblivious transfer has been studied in several variants, all of which have been shown to be equivalent.
The variant considered in this paper is the one by Even, Goldreich and Lempel [EGL85] (a.k.a. 1-out-of-2 oblivious transfer), shown to be equivalent to Rabin's original definition by Crépeau [Cre87].

The study of oblivious transfer has been motivated by both theoretical and practical considerations. On the theoretical side, much work has been devoted to the understanding of the hardness assumptions required to guarantee oblivious transfer. In this context, it is important to note that known constructions for oblivious transfer are based on relatively strong computational assumptions, either specific assumptions such as factoring or Diffie-Hellman (cf. [Rab81, BM89, NP01, AIR01]) or generic assumptions such as the existence of enhanced trapdoor permutations (cf. [EGL85, Gol04, Hai04]). Unfortunately, oblivious transfer cannot be reduced in a black-box manner to presumably weaker primitives such as one-way functions [IR89]. On the practical side, research has been motivated by the fact that oblivious transfer is considered to be the main bottleneck with respect to the amount of computation required by secure multiparty protocols. This makes the construction of efficient protocols for oblivious transfer a well-motivated task. In particular, constructing round-efficient oblivious transfer protocols is an important task. Indeed, [NP01] (in Protocol 4.1) and [AIR01] independently constructed a two-message (1-round) oblivious transfer protocol based on the DDH Assumption (with weaker security guarantees than the simulation based security). Their work was the starting point of our work.

1.2 Smooth Projective Hashing

Smooth projective hashing is a beautiful notion introduced by Cramer and Shoup [CS02]. To define this notion they rely on the existence of a set $X$ (actually a distribution on sets), and an underlying NP-language $L \subseteq X$ (with an associated NP-relation $R$). The basic hardness assumption is that it is infeasible to distinguish between a random element in $L$ and a random element in $X \setminus L$. This is called a hard
subset membership problem.A smooth projective hash family is a family of hash functions that operate on the set X.Each function in the family has two keys associated with it:a hash key k,and a projection keyα(k).Thefirst requirement(which is the standard requirement of a hash family)is that given a hash key k and an element x in the domain X,one can compute H k(x).There are two additional requirements: the“projection requirement”and the“smoothness requirement.”The“projection requirement”is that given a projection keyα(k)and an element in x∈L,the value of H k(x)is uniquely determined.Moreover,com-puting H k(x)can be done efficiently,given the projection keyα(k)and a pair (x,w)∈R.The“smoothness requirement,”on the other hand,is that given a random projection key s=α(k)and any element in x∈X\L,the value H k(x) is statistically indistinguishable from random.1.3Our resultsWe present a methodology for constructing a two-message oblivious transfer pro-tocol from any(modification of a)smooth projective hash family.In particular, we show how the previously known(DDH based)protocols of[NP01,AIR01]can be viewed as a special case of this methodology.Moreover,we show that this methodology gives rise to two new oblivious transfer protocols;one based on the N’th Residuosity Assumption,and the other based on the Quadratic Residuosity Assumption along with the Extended Riemann Hypothesis.Our protocols,similarly to the protocols of[NP01,AIR01],are not known to be secure according to the traditional simulation based definition.Yet,they have the advantage of providing a certain level of security even against malicious adversaries without having to compromise on efficiency(see Section3for further discussion on the guaranteed level of security).The basic idea.Given a smooth projective hash family for a hard subset mem-bership problem(which generates pairs X,L according to some distribution), consider the following two-message protocol for semi-honest oblivious transfer. 
Recall that the sender's input is a pair of strings $\gamma_0, \gamma_1$ and the receiver's input is a choice bit $b$.

R → S: Choose a pair $X, L$ (with an associated NP-relation $R_L$) according to the specified distribution. Randomly generate a triplet $(x_0, x_1, w_b)$ where $x_b \in_R L$, $(x_b, w_b) \in R_L$, and $x_{1-b} \in_R X \setminus L$. Send $(X, x_0, x_1)$.

S → R: Choose independently two random keys $k_0, k_1$ for $H$ and send $\alpha(k_0)$ and $\alpha(k_1)$ along with $y_0 = \gamma_0 \oplus H_{k_0}(x_0)$ and $y_1 = \gamma_1 \oplus H_{k_1}(x_1)$.

R: Retrieve $\gamma_b$ by computing $y_b \oplus H_{k_b}(x_b)$, using the witness $w_b$ and the projection key $\alpha(k_b)$.

The security of the receiver is implied by the hardness of the subset membership problem on $X$. Specifically, guessing the value of $b$ is equivalent to distinguishing between a random element in $L$ and a random element in $X \setminus L$. The security of the sender is implied by the smoothness property of the hash family $H$. Specifically, given a random projection key $\alpha(k)$ and any element $x \in X \setminus L$, the value $H_k(x)$ is statistically indistinguishable from random. Thus, the message $y_{1-b}$ gives no information about $\gamma_{1-b}$ (since $x_{1-b} \in X \setminus L$). Note that the functionality of the protocol is implied by the projection property.
Technical difficulty. Notice that when considering malicious receivers, the security of the sender is no longer guaranteed. The reason is that there is no guarantee that the receiver will choose $x_{1-b} \in X \setminus L$. A malicious receiver might choose $x_0, x_1 \in L$ and learn both values. To overcome this problem, we extend the notion of a hard subset membership problem so that it is possible to verify that at least one of $x_0, x_1$ belongs to $X \setminus L$. This should work even if the set $X$ is maliciously chosen by the receiver.

It turns out that implementing this extended notion in the context of the DDH assumption is straightforward [NP01, AIR01]. Loosely speaking, in this case $X$ is generated by choosing a random prime $p$, and choosing two random elements $g_0, g_1$ in $\mathbb{Z}_p^*$ of some prime order $q$. The resulting set $X$ is defined by $X = \{(g_0^{r_0}, g_1^{r_1}) : r_0, r_1 \in \mathbb{Z}_q\}$, the corresponding language $L$ is defined by $L = \{(g_0^{r}, g_1^{r}) : r \in \mathbb{Z}_q\}$, and the witness of each element $(g_0^{r}, g_1^{r}) \in L$ is its discrete logarithm $r$. In order to enable the sender to verify that two elements $x_0, x_1$ are not both in $L$, we instruct the receiver to generate $x_0, x_1$ by choosing at random two distinct elements $r_0, r_1 \in \mathbb{Z}_q$, setting $x_b = (g_0^{r_0}, g_1^{r_0})$, $w_b = r_0$, and $x_{1-b} = (g_0^{r_0}, g_1^{r_1})$. Notice that $x_b$ is uniformly distributed in $L$, $x_{1-b}$ is uniformly distributed in $X \setminus L$, and the sender can easily check that it is not the case that both $x_0$ and $x_1$ are in $L$ by merely checking that they agree on their first coordinate and differ on their second coordinate.

Implementing this verifiability property in the context of the N'th Residuosity Assumption and the Quadratic Residuosity Assumption is not as easy. This part contains the bulk of technical difficulties of this work. In particular, this is where the Extended Riemann Hypothesis comes into play in the context of Quadratic Residuosity.

2 Smooth Projective Hash Functions

Our definition of smooth projective hashing differs from its original definition in [CS02]. The main difference (from both [CS02] and [GL03]) is in the definition of the smoothness
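The DDH instantiation just described, as an added worked example (this is not code from the paper or from [NP01, AIR01]): it implements the Cramer-Shoup style DDH hash family $H_k(u, v) = u^{a_0} v^{a_1}$ with hash key $k = (a_0, a_1) \in \mathbb{Z}_q^2$ and projection key $\alpha(k) = g_0^{a_0} g_1^{a_1}$, the receiver's construction of $(x_0, x_1)$ sharing a first coordinate, the sender's check that the two elements are not both in $L$ (the algorithm $B$ of the general protocol in Section 4), and the two-message exchange of Section 1.3. The group parameters are constructed toy values (a 12-bit safe prime), nowhere near a secure size, and the SHA-256 key-derivation step that turns a group element into the bits XORed with $\gamma_i$ is an assumption of this example, since the paper takes $G(\Lambda)$ to be $\{0,1\}^{\ell(n)}$ directly. All function names are this example's own.

```python
import hashlib
import random
from typing import Optional, Tuple

# Constructed toy parameters (NOT a secure size): safe prime p = 2q + 1 and the
# order-q subgroup of Z_p^*. Both generators are squares mod p, hence of order q.
P = 2039
Q = 1019
G0 = 4   # 2^2
G1 = 9   # 3^2

Elem = Tuple[int, int]          # an element (u, v) of X = {(g0^r0, g1^r1)}
Key = Tuple[int, int]           # a hash key k = (a0, a1) in Z_q^2


def hash_key(rng: random.Random) -> Key:
    return rng.randrange(Q), rng.randrange(Q)


def projection(k: Key) -> int:
    """alpha(k) = g0^a0 * g1^a1."""
    a0, a1 = k
    return pow(G0, a0, P) * pow(G1, a1, P) % P


def hash_with_key(k: Key, x: Elem) -> int:
    """H_k(u, v) = u^a0 * v^a1, computable for any x in X when k is known."""
    a0, a1 = k
    u, v = x
    return pow(u, a0, P) * pow(v, a1, P) % P


def hash_with_projection(s: int, w: int) -> int:
    """Projection property: for x = (g0^w, g1^w) in L, H_k(x) = alpha(k)^w."""
    return pow(s, w, P)


def kdf(h: int, length: int) -> bytes:
    # Assumed step: map the group element to a pad of the message length.
    return hashlib.sha256(h.to_bytes((P.bit_length() + 7) // 8, "big")).digest()[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def receiver_msg1(b: int, rng: random.Random) -> Tuple[Tuple[Elem, Elem], int]:
    """R -> S: x_b = (g0^r0, g1^r0) in L with witness r0; x_{1-b} = (g0^r0, g1^r1), r1 != r0."""
    r0 = rng.randrange(1, Q)
    r1 = rng.randrange(1, Q)
    while r1 == r0:
        r1 = rng.randrange(1, Q)
    x_b = (pow(G0, r0, P), pow(G1, r0, P))
    x_nb = (pow(G0, r0, P), pow(G1, r1, P))
    xs = [None, None]
    xs[b], xs[1 - b] = x_b, x_nb
    return (xs[0], xs[1]), r0


def sender_check(x0: Elem, x1: Elem) -> bool:
    """Algorithm B for DDH: accept iff first coordinates agree and second differ.
    The subgroup-membership test is an added defensive check: it rejects coordinates
    that are not order-q elements, which the coordinate comparison alone does not cover."""
    in_group = all(1 <= c < P and pow(c, Q, P) == 1 for c in (*x0, *x1))
    return in_group and x0[0] == x1[0] and x0[1] != x1[1]


def sender_msg2(gamma0: bytes, gamma1: bytes, x0: Elem, x1: Elem,
                rng: random.Random) -> Optional[Tuple[int, int, bytes, bytes]]:
    """S -> R: abort (None) if B rejects; else alpha(k0), alpha(k1), y0, y1."""
    if not sender_check(x0, x1):
        return None
    k0, k1 = hash_key(rng), hash_key(rng)
    y0 = xor(gamma0, kdf(hash_with_key(k0, x0), len(gamma0)))
    y1 = xor(gamma1, kdf(hash_with_key(k1, x1), len(gamma1)))
    return projection(k0), projection(k1), y0, y1


def receiver_output(b: int, w_b: int, msg2: Tuple[int, int, bytes, bytes]) -> bytes:
    """R recovers gamma_b from y_b using alpha(k_b) and the witness w_b."""
    s0, s1, y0, y1 = msg2
    s_b, y_b = (s0, y0) if b == 0 else (s1, y1)
    return xor(y_b, kdf(hash_with_projection(s_b, w_b), len(y_b)))


def run_ot(gamma0: bytes, gamma1: bytes, b: int, seed: int = 0) -> bytes:
    """Full two-message exchange with an honest sender and receiver (strings <= 32 bytes, equal length)."""
    rng = random.Random(seed)
    (x0, x1), w_b = receiver_msg1(b, rng)
    msg2 = sender_msg2(gamma0, gamma1, x0, x1, rng)
    if msg2 is None:
        raise RuntimeError("sender aborted: verification failed")
    return receiver_output(b, w_b, msg2)
```

For $x_{1-b} = (g_0^{r_0}, g_1^{r_1})$ with $r_1 \neq r_0$, the pair $(\alpha(k), H_k(x_{1-b}))$ fixes two independent linear constraints on $(a_0, a_1)$, so the receiver's knowledge of $r_0$ and $r_1$ does not determine $H_k(x_{1-b})$; that is the smoothness the sender relies on. A receiver who submits two elements of $L$ with the same $r$ fails the second-coordinate test, and one who submits two elements of $L$ with different $r$ fails the first-coordinate test.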
requirement,which we relax to Y-smoothness,and in the definition of a subset membership problem,where we incorporate an additional requirement called Y-verifiability.Notation.The security parameter is denoted by n .For a distribution D ,x ←D denotes the action of choosing x according to D ,and x ∈support (D )means that the distribution D samples the value x with positive probability.We denote by x ∈R S the action of uniformly choosing an element from the set S .For any two random variables X,Y ,we say that X and Y are -close if Dist (X,Y )≤ ,where Dist (X,Y )denotes the statistical difference between X and Y .2We say that the ensembles {X n }n ∈N and {Y n }n ∈N are statistically indistinguishable if there exists a negligible function (·)such that for every n ∈N ,the random variables X n and Y n are (n )-close.3Recall that a function ν:N →N is said to be negligible if for every polynomial p (·)and for every large enough n ,ν(n )<1/p (n ).Hard subset membership problems.A subset membership problem M spec-ifies a collection {I n }n ∈N of distributions,where for every n ,I n is a probability distribution over instance descriptions .Each instance description Λspecifies two finite non-empty sets X,W ⊆{0,1}poly (n ),and an NP-relation R ⊂X ×W ,such that the corresponding language L {x :∃w s.t.(x,w )∈R }is non-empty.For every x ∈X and w ∈W ,if (x,w )∈R ,we say that w is a witness for x .We use the following notation throughout the paper:for any instance description Λwe let X (Λ),W (Λ),R (Λ)and L (Λ)denote the sets specified by Λ.Loosely speaking,subset membership problem M ={I n }n ∈N is said to be hard if for a random instance description Λ←I n ,it is hard to distinguish random members of L (Λ)from random non-members.Definition 1(Hard subset membership problem).Let M ={I n }n ∈N be a subset membership problem as above.We say that M is hard if the ensembles{Λn ,x 0n }n ∈N and {Λn ,x 1n }n ∈N are computationally indistinguishable,where Λn ←I n ,x 0n ∈R L (Λn ),and x 1n ∈R X 
(Λn )\L (Λn ).4Projective hash family.We next present the notion of a projective hash family with respect to a hard subset membership problem M ={I n }n ∈N .Let H ={H k }k ∈K be a collection of hash functions.K ,referred to as the key space,consists of a set of keys such that for each instance description Λ∈M ,5there is a subset of keys K (Λ)⊆K corresponding to Λ.For every Λand for every k ∈K (Λ),H k is a hash function from X (Λ)to G (Λ),where G (Λ)is some finite non-empty set.We denote by G = Λ∈M G (Λ).We define a projection key function α:K →S ,where S is the space of projection rmally,2Recall that Dist (X,Y ) 1 s ∈S |P r [X =s ]−P r [Y =s ]|,or equivalently,Dist (X,Y ) max S ⊂S |P r [X ∈S ]−P r [Y ∈S ]|,where S is any set that con-tains the support of both X and Y .3For simplicity,throughout this paper we say that two random variables X n and Y n are statistically indistinguishable,meaning that the corresponding distribution ensembles {X n }n ∈N and {Y n }n ∈N are statistically indistinguishable.4Note that this hardness requirement also implies that it is hard to distinguish be-tween a random element x ∈R L (Λ)and a random element x ∈R X (Λ).We will use this fact in the proof of Theorem 1.5We abuse notation and let Λ∈M denote the fact that Λ∈support (I n )for some n .a family(H,K,S,α,G)is a projective hash family for M if for every instance descriptionΛ∈M and for every x∈L(Λ),the projection key s=α(k)uniquely determines H k(x).(We stress that the projection key s=α(k)is only guaranteed to determine H k(x)for x∈L(Λ),and nothing is guaranteed for x∈X(Λ)\L(Λ).) 
Definition2(Projective hash family).(H,K,S,α,G)is a projective hash family for a subset membership problem M if for every instance description Λ∈M there is a well defined(not necessarily efficient)function f such that for every x∈L(Λ)and every k∈K(Λ),f(x,α(k))=H k(x).Efficient projective hash family.We say that a projective hash family is efficient if there exist polynomial time algorithms for:(1)Sampling a key k∈R K(Λ)givenΛ;(2)Computing a projectionα(k)fromΛand k∈K(Λ);(3) Computing H k(x)fromΛ,k∈K(Λ)and x∈X(Λ);and(4)Computing H k(x) fromΛ,(x,w)∈R(Λ)andα(k),where k∈K(Λ).Notice that this gives two ways to compute H k(x):either by knowing the hash key k,or by knowing the projection keyα(k)and a witness w for x.Y-smooth projective hash family.Let Y be any function from instance de-scriptionsΛ∈M to subsets Y(Λ)⊆X(Λ)\L(Λ).Loosely speaking,a projective hash family for M is Y-smooth if for every instance descriptionΛ=(X,W,R), for every x∈Y(Λ),and for a random k∈R K(Λ),the projection keyα(k) reveals(almost)nothing about H k(x).Definition3(Y-smooth projective hash family).A projective hash family (H,K,S,α,G)for a subset membership problem M is said to be Y-smooth if for every(even maliciously chosen)instance descriptionΛ=(X,W,R)and every x∈Y(Λ),the random variables(α(k),H k(x))and(α(k),g)are statistically indistinguishable,where k∈R K(Λ)and g∈R G(Λ).6A Y-smooth projective hash family thus has the property that a projection of a (random)key enables the computation of H k(x)for x∈L,but gives almost no information about the value of H k(x)for x∈Y(Λ).Remark.This definition of Y-smooth projective hash family differs from the original definition proposed in[CS02]in two ways.First,it requires the smooth-ness property to hold against maliciously chosen instance descriptionsΛ,whereas in[CS02]the smoothness is only with respect toΛ∈M.Second,it requires the smoothness property to hold with respect to every x∈Y,whereas in[CS02]the smoothness condition is required to hold for randomly 
chosen x∈R X\L.The main reason for our divergence from the original definition in[CS02] is that we need to cope with maliciously chosenΛ.We would like to set Y= X\L(as in[CS02]),and construct a(X\L)-smooth projective hash fam-ily.However,we do not know how to construct such a family,for which the 6We assume throughout this paper,without loss of generality,that a(maliciously chosen)Λhas the same structure as an honestly chosenΛ.smoothness condition holds for every(even maliciously chosen)Λ.7Therefore, we relax our smoothness requirement and require only Y-smoothness,for some Y⊆X\L.In both our constructions of Y-smooth projective hash families, Y(Λ)⊂X(Λ)\L(Λ)for maliciously chosenΛ∈M,and Y(Λ)=X(Λ)\L(Λ)for every honestly chosenΛ∈M.Jumping ahead,the latter will enable the(honest) receiver to choose x b∈R L(Λ),x1−b∈R X(Λ)\L(Λ)such that x1−b is also in Y(Λ).This will enable the(honest)sender to be convinced of its security by checking that either x0or x1is in Y(Λ),and it will enable the(honest)receiver to be convinced that a(dishonest)sender cannot guess the bit b,assuming the underlying subset membership problem is hard.(From now on the reader should think of Y(Λ)as equal to X(Λ)\L(Λ)for everyΛ∈M.)Thus,we need a subset membership problem M such that for every honestly chosenΛ∈M it is easy to sample uniformly from both L(Λ)and X(Λ)\L(Λ). 
On the other hand, for every (even maliciously chosen) $(\Lambda, x_0, x_1)$ it is easy to verify that either $x_0 \in Y(\Lambda)$ or $x_1 \in Y(\Lambda)$. To this end we define the notion of a "$Y$-verifiably samplable" subset membership problem.

Definition 4 ($Y$-verifiably samplable subset membership problem). A subset membership problem $M = \{I_n\}_{n \in \mathbb{N}}$ is said to be $Y$-verifiably samplable if the following conditions hold.

1. Problem samplability: There exists a probabilistic polynomial-time algorithm that on input $1^n$, samples an instance $\Lambda = (X, W, R)$ according to $I_n$.

2. Member samplability: There exists a probabilistic polynomial-time algorithm that on input an instance description $\Lambda = (X, W, R) \in M$, outputs an element $x \in L$ together with its witness $w \in W$, such that the distribution of $x$ is statistically close to uniform on $L$.

3. Non-member samplability: There exists a probabilistic polynomial-time algorithm $A$ that given an instance description $\Lambda = (X, W, R) \in M$ and an element $x_0 \in X$, outputs an element $x_1 = A(\Lambda, x_0)$, such that if $x_0 \in_R L$ then the distribution of $x_1$ is statistically close to uniform on $X \setminus L$, and if $x_0 \in_R X$ then the distribution of $x_1$ is statistically close to uniform on $X$.

4. $Y$-Verifiability: There exists a probabilistic polynomial-time algorithm $B$, that given any triplet $(\Lambda, x_0, x_1)$, verifies that there exists a bit $b$ such that $x_b \in Y(\Lambda)$. This should hold even if $\Lambda$ is maliciously chosen. Specifically:
– For every $\Lambda$ and every $x_0, x_1$, if both $x_0 \notin Y(\Lambda)$ and $x_1 \notin Y(\Lambda)$ then $B(\Lambda, x_0, x_1) = 0$.
– For every honestly chosen $\Lambda \in M$ and every $x_0, x_1$, if there exists $b$ such that $x_b \in L(\Lambda)$ and $x_{1-b} \in \mathrm{support}(A(\Lambda, x_b))$, then $B(\Lambda, x_0, x_1) = 1$.

For simplicity, throughout the paper we do not distinguish between uniform and statistically close to uniform distributions. This is inconsequential.

7 We note that [CS02, GL03] did not deal with maliciously chosen $\Lambda$'s, and indeed the smoothness property of their constructions does not hold for maliciously chosen $\Lambda$'s.

3 Security of Oblivious Transfer

Our definition of oblivious transfer is similar to the ones considered in previous works on oblivious transfer in the Bounded Storage
Model[DHRS04,CCM98].A similar(somewhat weaker)definition was also used in[NP01]in the context of their DDH based two message oblivious transfer protocol.In what follows we let viewˆS (ˆS(z),R(b))denote the view of a cheating senderˆS(z)after interacting with R(b).This view consists of its input z,its random coin tosses,and the messages that it received from R(b)during the interaction.Similarly,we let viewˆR (S(γ0,γ1),ˆR(z))denote the view of a cheating ReceiverˆR(z)after interacting with S(γ,γ1).Definition5(Secure implementation of Oblivious Transfer).A two party protocol(S,R)is said to securely implement oblivious transfer if it is a protocol in which both the sender and the receiver are probabilistic polynomial time machines that get as input a security parameter n in unary representation.Moreover,the sender gets as input two stringsγ0,γ1∈{0,1} (n),the receiver gets as input a choice bit b∈{0,1},and the following conditions are satisfied:–Functionality:If the sender and the receiver follow the protocol then for any security parameter n,any two input stringsγ0,γ1∈{0,1} (n),and any bit b,the receiver outputsγb whereas the sender outputs nothing.8–Receiver’s security:For any probabilistic polynomial-time adversaryˆS,exe-cuting the sender’s part,for any security parameter n,and for any auxiliary input z of size polynomial in n,the view thatˆS(z)sees when the receiver tries to obtain thefirst message is computationally indistinguishable from the view it sees when the receiver tries to obtain the second message.That is,{viewˆS (ˆS(z),R(1n,0))}n,z c≡{viewˆS(ˆS(z),R(1n,1))}n,z–Sender’s security:For any deterministic(not necessarily polynomial-time) adversaryˆR,executing the receiver’s part,for any security parameter n,for any auxiliary input z of size polynomial in n,and for anyγ0,γ1∈{0,1} (n), there exists a bit b such that for everyψ∈{0,1} (n),the view ofˆR(z)when interacting with S(1n,γb,ψ),and the view ofˆR(z)when interacting with S(1n,γ0,γ1),are statistically 
indistinguishable.9That is,{viewˆR (S(1n,γ0,γ1),ˆR(z))}n,γ,γ1,zs≡{viewˆR(S(1n,γb,ψ),ˆR(z))}n,γb,ψ,zNote that Definition5(similarly to the definitions in[DHRS04,NP01])de-parts from the traditional,simulation based,definition in that it handles the security of the sender and of the receiver separately.This results in a some-what weaker security guarantee,with the main drawback being that neither the 8This condition is also referred to as the completeness condition.9We abuse notation by letting S(1n,γb,ψ)denote S(1n,γ0,ψ)if b=0,and letting it denote S(1n,ψ,γ1)if b=1.sender nor the receiver are actually guaranteed to“know”their own input.(This is unavoidable in two message protocols using“standard”techniques).It is easy to show that Definition5implies simulatability for semi honest adversaries(the proof is omitted due to lack of space).More importantly,Defini-tion5also gives meaningful security guarantees in face of malicious participants. In the case of a malicious sender,the guarantee is that the damage incurred by malicious participation is limited to“replacing”the input stringsγ0,γ1with a pair of strings that are somewhat“related”to the receiver’sfirst message(with-out actually learning anything about the receiver’s choice).In the case of a mali-cious receiver,Definition5can be shown to provide exponential time simulation of the receiver’s view of the interaction(similarly to the definition of[NP01]).In particular,the interaction gives no information to an unbounded receiver beyond the value ofγb.(Again,the proof is omitted due to lack of space.)4Constructing2-Round OT ProtocolsLet M={I n}n∈N be a hard subset membership problem which is Y-verifiably samplable,and let(H,K,S,α,G)be a an efficient Y-smooth projective hash family for M.Recall that the Y-verifiably samplable condition of M implies the existence of algorithms A and B as described in Section2.We assume for simplicity that for any n and for anyΛ∈I n,G(Λ)={0,1} (n), and that the two messagesγ0,γ1,to be 
transferred in the OT protocol, are binary strings of length at most $\ell(n)$. Let $n$ be the security parameter. Let $(\gamma_0, \gamma_1)$ be the input of the sender and let $b \in \{0,1\}$ be the input of the receiver.

R → S: The receiver chooses a random instance description $\Lambda = (X, W, R) \leftarrow I_n$. It then samples a random element $x_b \in_R L$ together with its corresponding witness $w_b$, using the member samplability algorithm, and invokes Algorithm $A$ on input $(\Lambda, x_b)$ to obtain a random element $x_{1-b} \in X \setminus L$. It sends $(\Lambda, x_0, x_1)$.

S → R: The sender invokes algorithm $B$ on input $(\Lambda, x_0, x_1)$ to verify that there exists a bit $b$ such that $x_{1-b} \in Y(\Lambda)$. If $B$ outputs 0 then it aborts, and if $B$ outputs 1 then it chooses independently at random $k_0, k_1 \in_R K(\Lambda)$, and sends $\alpha(k_0)$ and $\alpha(k_1)$ along with $y_0 = \gamma_0 \oplus H_{k_0}(x_0)$ and $y_1 = \gamma_1 \oplus H_{k_1}(x_1)$.

R: The receiver retrieves $\gamma_b$ by computing $y_b \oplus H_{k_b}(x_b)$ using the projection key $\alpha(k_b)$ and the pair $(x_b, w_b)$.

We next prove that the above protocol is secure according to Definition 5. Intuitively, the receiver's security follows from the fact that $x_b$ is uniformly distributed in $L$, $x_{1-b}$ is uniformly distributed in $X \setminus L$, and from the assumption that it is hard to distinguish random $L$ elements from random $X \setminus L$ elements.
The sender's security follows from the assumption that $(H, K, S, \alpha, G)$ is a $Y$-smooth projective hash family for $M$, and from the assumption that one of $x_0$ or $x_1$ is in $Y(\Lambda)$ (otherwise, it will be detected by $B$ and the sender will abort).

Theorem 1. The above 2-round OT protocol is secure according to Definition 5, assuming $M$ is a $Y$-verifiably samplable hard subset membership problem, and assuming $(H, K, S, \alpha, G)$ is a $Y$-smooth projective hash family for $M$.

Proof. We start by proving the receiver's security. Assume for the sake of contradiction that there exists a (malicious) probabilistic polynomial-time sender $\hat S$ such that for infinitely many $n$'s there exists a polynomial size auxiliary input $z_n$ such that $\hat S(z_n)$ can predict (with non-negligible advantage) the choice bit $b$ when interacting with $R(1^n, b)$. In what follows, we use $\hat S(z_n)$ to break the hardness of $M$, by distinguishing between $x \in_R L$ and $x \in_R X$. Given an instance description $\Lambda = (X, W, R) \leftarrow I_n$ and an element $x \in X$:

1. Choose at random a bit $b$ and let $x_b = x$.
2. Apply algorithm $A$ on input $(\Lambda, x_b)$ to obtain an element $x_{1-b}$.
3. Feed $\hat S(z_n)$ the message $(\Lambda, x_0, x_1)$, and obtain its prediction bit $b'$.
4. If $b' = b$ then predict "$x \in_R L$" and if $b' \neq b$ then predict "$x \in_R X$."

Notice that if $x_b \in_R L$ then $\hat S(z_n)$ will predict the bit $b$ with non-negligible advantage (follows from our contradiction assumption). On the other hand, if $x_b \in_R X$ then $x_{1-b}$ is also uniformly distributed in $X$. In this case it is impossible (information theoretically) to predict $b$.

We now turn to prove the sender's security. Let $\hat R$ be any (not necessarily polynomial time) malicious receiver, and for any $n \in \mathbb{N}$, let $z_n$ be any polynomial size auxiliary information given to $\hat R$. Let $(\Lambda_n, x_0, x_1)$ be the first message sent by $\hat R(z_n)$. Our goal is to show that for every $n \in \mathbb{N}$ and for every $\gamma_0, \gamma_1 \in \{0,1\}^{\ell(n)}$, there exists $b \in \{0,1\}$ such that the random variables $\mathrm{view}_{\hat R}(S(1^n, \gamma_0, \gamma_1), \hat R(z_n))$ and $\mathrm{view}_{\hat R}(S(1^n, \gamma_b, \psi), \hat R(z_n))$ are statistically indistinguishable. We assume without loss of generality that either $x_0 \in Y(\Lambda_n)$ or $x_1 \in Y(\Lambda_n)$.
If this is not the case,the sender aborts the execution and b can be set to either0 or1.Let b be the bit satisfying x1−b∈Y(Λn).By the Y-smoothness property of the hash family,the random variables(α(k),H k(x1−b))and(α(k),g)are statis-tically indistinguishable,for a random k∈R K(Λn)and a random g∈R G(Λn). This implies that the random variables(α(k),γ1−b⊕H k(x1−b))and(α(k),g) are statistically indistinguishable,which implies that viewˆR(S(1n,γ0,γ1),ˆR(z))and viewˆR(S(1n,γb,ψ),ˆR(z))are statistically indistinguishable.5Constructing Smooth Projective Hash FamiliesWe next present two constructions of Y-smooth projective hash families for hard subset membership problems which are Y-verifiably samplable.One based on the N’th Residuosity Assumption,and the other based on the Quadratic-Residuosity Assumption together with the Extended Reimann Hypothesis.A key vehicle in both constructions is the notion of an( ,Y)-universal projective hash family. Definition6(Universal projective hash families).Let M={I n}n∈N be any hard subset membership problem.A projective hash family(H,K,S,α,G)。
Homomorphic Evaluation of the AES Circuit

Craig Gentry (IBM Research), Shai Halevi (IBM Research), Nigel P. Smart (University of Bristol)

February 16, 2012

Abstract

We describe a working implementation of leveled homomorphic encryption (without bootstrapping) that can evaluate the AES-128 circuit. Our current implementation takes about a week to evaluate an entire AES encryption operation, using NTL (over GMP) as our underlying software platform, and running on a large-memory machine. Using SIMD techniques, we can process close to 100 blocks in each evaluation, yielding an amortized rate of roughly 2 hours per block.

For this implementation we developed both AES-specific optimizations as well as several "generic" tools for FHE evaluation. These last tools include (among others) a different variant of the Brakerski-Vaikuntanathan key-switching technique that does not require reducing the norm of the ciphertext vector, and a method of implementing the Brakerski-Gentry-Vaikuntanathan modulus-switching transformation on ciphertexts in CRT representation.

Keywords. AES, Fully Homomorphic Encryption, Implementation

The first and second authors are sponsored by DARPA under agreement number FA8750-11-C-0096. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of DARPA or the U.S. Government. Distribution Statement "A" (Approved for Public Release, Distribution Unlimited). The third author is sponsored by DARPA and AFRL under agreement number FA8750-11-2-0079. The same disclaimers as above apply. He is also supported by the European Commission through the ICT Programme under Contract ICT-2007-216676 ECRYPT II and via an ERC Advanced Grant ERC-2010-AdG-267188-CRIPTO, by EPSRC via grant COED–EP/I03126X, and by a Royal Society Wolfson Merit Award. The views and conclusions
contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements,either expressed or implied,of the European Commission or EPSRC.Contents1Introduction1 2Background22.1Notations and Mathematical Background (2)2.2BGV-type Cryptosystems (3)2.3Computing on Packed Ciphertexts (5)3General-Purpose Optimizations63.1A New Variant of Key Switching (6)3.2Modulus Switching in Evaluation Representation (7)3.3Dynamic Noise Management (8)3.4Randomized Multiplication by Constants (8)4Homomorphic Evaluation of AES94.1Homomorphic Evaluation of the Basic Operations (9)4.2Implementing The Permutations (11)4.3Performance Details (12)References12 A More Details13A.1Plaintext Slots (14)A.2Canonical Embedding Norm (14)A.3Double CRT Representation (15)A.4Sampling From A q (15)A.5Canonical embedding norm of random polynomials (16)B The Basic Scheme16B.1Our Moduli Chain (16)B.2Modulus Switching (17)B.3Key Switching (18)B.4Key-Generation,Encryption,and Decryption (19)B.5Homomorphic Operations (20)C Security Analysis and Parameter Settings21C.1Lower-Bounding the Dimension (22)C.1.1LWE with Sparse Key (23)C.2The Modulus Size (24)C.3Putting It Together (26)D Further AES Implementation Methods27E Scale(c,q t,q t−1)in dble-CRT Representation281IntroductionIn his breakthrough result[11],Gentry demonstrated that fully-homomorphic encryption was theoretically possible,assuming the hardness of some problems in integer lattices.Since then,many different improve-ments have been made,proposing new variants,improving efficiency,suggesting other hardness assump-tions,etc.Some of these works were accompanied by implementation[20,12,7,21,16],but all the imple-mentations so far were either“proofs of concept”that can compute only one basic operation at a time(at great cost),or special-purpose implementations limited to evaluating very simple functions.In this work we report on thefirst implementation powerful enough to support 
an“interesting real world circuit”.Specifi-cally,we implemented a variant of the leveled FHE-without-bootstrapping scheme of Brakerski,Gentry,and Vaikuntanathan[4](BGV),with support for deep enough circuits so that we can evaluate an entire AES-128 encryption operation.Why AES?We chose to shoot for an evaluation of AES since it seems like a natural benchmark:AES is widely deployed and used extensively in security-aware applications(so it is“practically relevant”to imple-ment it),and the AES circuit is nontrivial on one hand,but on the other hand not astronomical.Moreover the AES circuit has a regular(and quite“algebraic”)structure,which is amenable to parallelism and optimiza-tions.Indeed,for these same reasons AES is often used as a benchmark for implementations of protocols for secure multi-party computation(MPC),for example[19,8,14,15].Using the same yardstick to measure FHE and MPC protocols is quite natural,since these techniques target similar application domains and in some cases both techniques can be used to solve the same problem.Beyond being a natural benchmark,homomorphic evaluation of AES decryption also has interesting applications:When data is encrypted under AES and we want to compute on that data,then homomorphic AES decryption would transform this AES-encrypted data into an FHE-encrypted data,and then we could perform whatever computation we wanted.(Such applications were alluded to in[16,21]).Our Contributions.Our implementation is based on a variant of the ring-LWE scheme of BGV[4,6,5], using the techniques of Smart and Vercauteren(SV)[21]and Gentry,Halevi and Smart(GHS)[13],and we introduce many new optimizations.Some of our optimizations are specific to AES,these are described in Section4.Most of our optimization,however,are more general-purpose and can be used for homomorphic evaluation of other circuits,these are described in Section3.Many of our general-purpose optimizations are aimed at reducing the number of FFTs and CRTs that we need to 
perform,by reducing the number of times that we need to convert polynomials between coef-ficient and evaluation representations.Since the cryptosystem is defined over a polynomial ring,many of the operations involve various manipulation of integer polynomials,such as modular multiplications and additions and Frobenius maps.Most of these operations can be performed more efficiently in evaluation representation,when a polynomial is represented by the vector of values that it assumes in all the roots of the ring polynomial(for example polynomial multiplication is just point-wise multiplication of the evalu-ation values).On the other hand some operations in BGV-type cryptosystems(such as key switching and modulus switching)seem to require coefficient representation,where a polynomial is represented by listing all its coefficients.1Hence a“naive implementation”of FHE would need to convert the polynomials back and forth between the two representations,and these conversions turn out to be the most time-consuming part of the execution.In our implementation we keep ciphertexts in evaluation representation at all times, converting to coefficient representation only when needed for some operation,and then converting back.1The need for coefficient representation ultimately stems from the fact that the noise in the ciphertexts is small in coefficient representation but not in evaluation representation.1We describe variants of key switching and modulus switching that can be implemented while keeping almost all the polynomials in evaluation representation.Our key-switching variant has another advantage, in that it significantly reduces the size of the key-switching matrices in the public key.This is particularly important since the main limiting factor for evaluating deep circuits turns out to be the ability to keep the key-switching matrices in memory.Other optimizations that we present are meant to reduce the number of modulus switching and key switching operations that we need 
to do. This is done by tweaking some operations (such as multiplication by a constant) to get a slower noise increase, by "batching" some operations before applying key switching, and by attaching to each ciphertext an estimate of the "noisiness" of this ciphertext, in order to support better noise bookkeeping.

Our Implementation. Our implementation was based on the NTL C++ library running over GMP. We utilized a machine consisting of Intel Xeon CPUs running at 2.0 GHz with 18 MB cache and, most importantly, 256 GB of RAM (footnote 2). Memory was our main limiting factor in the implementation. With this machine it took us just under eight days to compute a single-block AES encryption using an implementation choice which minimizes the amount of memory required; this is roughly two orders of magnitude faster than what could be done with the Gentry-Halevi implementation [12]. The computation was performed on ciphertexts that could hold 1512 plaintext slots each, where each slot holds an element of $\mathbb{F}_{2^8}$. This means that we can compute $\lfloor 1512/16 \rfloor = 94$ AES operations in parallel, which gives an amortized time per block of roughly two hours.

We note that there are a multitude of optimizations that one can perform on our basic implementation. Most importantly, we believe that by using the "bootstrapping as optimization" technique from BGV [4] we can speed up the AES performance by an additional order of magnitude. Also, there are great gains to be had by making better use of parallelism: unfortunately, the NTL library (which serves as our underlying software platform) is not thread safe, which severely limits our ability to utilize the multi-core functionality of modern processors (our test machine has 24 cores). We expect that by utilizing many threads we can speed up some of our (higher memory) AES variants by as much as a 16x factor, just by letting each thread compute a different S-box lookup.

Footnote 2: This machine was BlueCrystal Phase 2; the authors would like to thank the University of Bristol's Advanced Computing Research Centre (https:///) for access to this facility.

Organization. In Section 2 we review the main features of BGV-type cryptosystems [5, 4], and briefly survey the techniques for homomorphic computation on packed ciphertexts from SV and GHS [21, 13]. Then in Section 3 we describe our "general-purpose" optimizations on a high level, with additional details provided in Appendices A and B. A brief overview of AES and a high-level description (and performance numbers) of one of our AES-specific implementations is provided in Section 4, with details of alternative implementations being provided in Appendix D.

2 Background

2.1 Notations and Mathematical Background

For an integer $q$ we identify the ring $\mathbb{Z}/q\mathbb{Z}$ with the interval $(-q/2, q/2] \cap \mathbb{Z}$, and we use $[z]_q$ to denote the reduction of the integer $z$ modulo $q$ into that interval. Our implementation utilizes polynomial rings defined by cyclotomic polynomials, $\mathbb{A} = \mathbb{Z}[X]/\Phi_m(X)$. The ring $\mathbb{A}$ is the ring of integers of the $m$-th cyclotomic number field $\mathbb{Q}(\zeta_m)$. We let $\mathbb{A}_q \stackrel{\text{def}}{=} \mathbb{A}/q\mathbb{A} = \mathbb{Z}[X]/(\Phi_m(X), q)$ for the (possibly composite) integer $q$, and we identify $\mathbb{A}_q$ with the set of integer polynomials of degree up to $\phi(m) - 1$ reduced modulo $q$.

Coefficient vs. Evaluation Representation. Let $m, q$ be two integers such that $\mathbb{Z}/q\mathbb{Z}$ contains a primitive $m$-th root of unity, and denote one such primitive $m$-th root of unity by $\zeta \in \mathbb{Z}/q\mathbb{Z}$. Recall that the $m$-th cyclotomic polynomial splits into linear terms modulo $q$,
$$\Phi_m(X) = \prod_{i \in (\mathbb{Z}/m\mathbb{Z})^*} (X - \zeta^i) \pmod q.$$
For an element $a \in \mathbb{A}_q$, we consider two ways of representing it. Viewing $a$ as a degree-$(\phi(m)-1)$ polynomial, $a(X) = \sum_{i < \phi(m)} a_i X^i$, we can just list all the coefficients in order, $\mathbf{a} = \langle a_0, a_1, \ldots, a_{\phi(m)-1} \rangle \in (\mathbb{Z}/q\mathbb{Z})^{\phi(m)}$. We call $\mathbf{a}$ the coefficient representation of $a$. For the other representation we consider the values that the polynomial $a(X)$ assumes on all primitive $m$-th roots of unity modulo $q$, $b_i = a(\zeta^i) \bmod q$ for $i \in (\mathbb{Z}/m\mathbb{Z})^*$. The $b_i$'s in order also yield a vector $\mathbf{b} \in (\mathbb{Z}/q\mathbb{Z})^{\phi(m)}$, which we call the evaluation representation of $a$. Clearly these two representations are related via $\mathbf{b} = V_m \cdot \mathbf{a}$, where $V_m$ is the Vandermonde matrix over the primitive $m$-th roots of unity modulo $q$. We remark that for all $i$ we have the equality $(a \bmod (X - \zeta^i)) = a(\zeta^i) = b_i$, hence the evaluation representation of $a$ is just a polynomial Chinese-Remaindering representation.

In both evaluation and coefficient representations, an element $a \in \mathbb{A}_q$ is represented by a $\phi(m)$-vector of integers in $\mathbb{Z}/q\mathbb{Z}$. If $q$ is composite then each of these integers can itself be represented either using the standard binary encoding of integers or using Chinese-Remaindering relative to the factors of $q$. We usually use the standard binary encoding for the coefficient representation and Chinese-Remaindering for the evaluation representation. (Hence the latter representation is really a double-CRT representation, relative to both the polynomial factors of $\Phi_m(X)$ and the integer factors of $q$.)

2.2 BGV-type Cryptosystems

Our implementation uses a variant of the BGV cryptosystem due to Gentry, Halevi and Smart, specifically the one described in [13, Appendix D] (in the full version). In this cryptosystem both ciphertexts and secret keys are vectors over the polynomial ring $\mathbb{A}$, and the native plaintext space is the space of binary polynomials $\mathbb{A}_2$. (More generally it could be $\mathbb{A}_p$ for some fixed $p \ge 2$, but in our case we will always use $\mathbb{A}_2$.) At any point during the homomorphic evaluation there is some "current integer modulus $q$" and "current secret key $\mathbf{s}$", which change from time to time. A ciphertext $\mathbf{c}$ is decrypted using the current secret key $\mathbf{s}$ by taking the inner product over $\mathbb{A}_q$ (with $q$ the current modulus) and then reducing the result modulo 2 in coefficient representation. Namely, the decryption formula is
$$a \leftarrow \Big[\underbrace{[\langle \mathbf{c}, \mathbf{s} \rangle \bmod \Phi_m(X)]_q}_{\text{noise}}\Big]_2. \qquad (1)$$
The polynomial $[\langle \mathbf{c}, \mathbf{s} \rangle \bmod \Phi_m(X)]_q$ is called the "noise" in the ciphertext $\mathbf{c}$. Informally, $\mathbf{c}$ is a valid ciphertext with respect to secret key $\mathbf{s}$ and modulus $q$ if this noise has "sufficiently small norm" relative to $q$. The meaning of "sufficiently small norm" is whatever is needed to ensure that the noise does not wrap around $q$ when performing homomorphic operations; in our implementation we keep the norm of the noise always below some pre-set bound (which is determined in Appendix C.2).

The specific norm that we use to evaluate the magnitude of the noise is the "canonical embedding norm reduced mod $q$", as described in [13, Appendix D] (in the full version). This is useful to get smaller parameters, but for the purpose of presentation the reader can think of the norm as the Euclidean norm of the noise in coefficient representation. More details are given in the Appendices. We refer to the norm of the noise as the noise magnitude.

The central feature of BGV-type cryptosystems is that the current secret key and modulus evolve as we apply operations to ciphertexts. We apply five different operations to ciphertexts during homomorphic evaluation. Three of them (addition, multiplication, and automorphism) are "semantic operations" that we use to evolve the plaintext data which is encrypted under those ciphertexts. The other two operations (key-switching and modulus-switching) are used for "maintenance": these operations do not change the plaintext at all, they only change the current key or modulus (respectively), and they are mainly used to control the complexity of the evaluation. Below we briefly describe each of these five operations on a high level. For the sake of self-containment, we also describe key generation and encryption in Appendix B. A more detailed description can be found in [13, Appendix D].

Addition. Homomorphic addition of two ciphertext vectors with respect to the same secret key and modulus $q$ is done just by adding the vectors over $\mathbb{A}_q$. If the two arguments were encrypting the plaintext polynomials $a_1, a_2 \in \mathbb{A}_2$ then the sum will be an encryption of $a_1 + a_2 \in \mathbb{A}_2$. This operation has no effect on the current modulus or key, and the norm of the noise is at most the sum of the norms of the noise in the two arguments.

Multiplication. Homomorphic multiplication is done via tensor product over $\mathbb{A}_q$. In principle, if the two arguments have dimension $n$ over $\mathbb{A}_q$ then the product ciphertext has dimension $n^2$, each entry in the output computed as the product of one entry from the first argument and one entry from the second (footnote 3). This operation does not change the current modulus, but it changes the current key: if the two input ciphertexts are valid with respect to the dimension-$n$ secret key vector $\mathbf{s}$, encrypting the plaintext polynomials $a_1, a_2 \in \mathbb{A}_2$, then the output is valid with respect to the dimension-$n^2$ secret key $\mathbf{s}'$ which is the tensor product of $\mathbf{s}$ with itself, and it encrypts the polynomial $a_1 \cdot a_2 \in \mathbb{A}_2$. The norm of the noise in the product ciphertext can be bounded in terms of the product of the norms of the noise in the two arguments. The specific bound depends on the norm in use; for our choice of norm function the norm of the product is no larger than the product of the norms of the two arguments.

Footnote 3: It was shown in [6] that over polynomial rings this operation can be implemented while increasing the dimension only to $2n - 1$ rather than to $n^2$.

Key Switching. The public key of BGV-type cryptosystems includes additional components to enable converting a valid ciphertext with respect to one key into a valid ciphertext encrypting the same plaintext with respect to another key. For example, this is used to convert the product ciphertext, which is valid with respect to a high-dimension key, back to a ciphertext with respect to the original low-dimension key. To allow conversion from the dimension-$n'$ key $\mathbf{s}'$ to the dimension-$n$ key $\mathbf{s}$ (both with respect to the same modulus $q$), we include in the public key a matrix $W = W[\mathbf{s}' \to \mathbf{s}]$ over $\mathbb{A}_q$, where the $i$-th column of $W$ is roughly an encryption of the $i$-th entry of $\mathbf{s}'$ with respect to $\mathbf{s}$ (and the current modulus). Then, given a valid ciphertext $\mathbf{c}'$ with respect to $\mathbf{s}'$, we roughly compute $\mathbf{c} = W \cdot \mathbf{c}'$ to get a valid ciphertext with respect to $\mathbf{s}$.

In some more detail, the BGV key switching transformation first ensures that the norm of the ciphertext $\mathbf{c}'$ itself is sufficiently low with respect to $q$. In [4] this was done by working with the binary encoding of $\mathbf{c}'$, and one of our main optimizations in this work is a different method for achieving the same goal (cf. Section 3.1). Then, if the $i$-th entry in $\mathbf{s}'$ is $s'_i \in \mathbb{A}$ (with norm smaller than $q$), the $i$-th column of $W[\mathbf{s}' \to \mathbf{s}]$ is an $n$-vector $\mathbf{w}_i$ such that $[\langle \mathbf{w}_i, \mathbf{s} \rangle \bmod \Phi_m(X)]_q = 2e_i + s'_i$ for a low-norm polynomial $e_i \in \mathbb{A}$. Denoting $\mathbf{e} = (e_1, \ldots, e_{n'})$, this means that we have $\mathbf{s} W = \mathbf{s}' + 2\mathbf{e}$ over $\mathbb{A}_q$. For any ciphertext vector $\mathbf{c}'$, setting $\mathbf{c} = W \cdot \mathbf{c}' \in \mathbb{A}_q$ we get the equation
$$[\langle \mathbf{c}, \mathbf{s} \rangle \bmod \Phi_m(X)]_q = [\mathbf{s} W \mathbf{c}' \bmod \Phi_m(X)]_q = [\langle \mathbf{c}', \mathbf{s}' \rangle + 2\langle \mathbf{c}', \mathbf{e} \rangle \bmod \Phi_m(X)]_q.$$
Since $\mathbf{c}'$, $\mathbf{e}$, and $[\langle \mathbf{c}', \mathbf{s}' \rangle \bmod \Phi_m(X)]_q$ all have low norm relative to $q$, the addition on the right-hand side does not cause a wrap-around $q$, hence we get $[[\langle \mathbf{c}, \mathbf{s} \rangle \bmod \Phi_m(X)]_q]_2 = [[\langle \mathbf{c}', \mathbf{s}' \rangle \bmod \Phi_m(X)]_q]_2$, as needed. The key-switching operation changes the current secret key from $\mathbf{s}'$ to $\mathbf{s}$, and does not change the current modulus. The norm of the noise is increased by at most an additive factor of $2\|\langle \mathbf{c}', \mathbf{e} \rangle\|$.

Modulus Switching. The modulus switching operation is intended to reduce the norm of the noise, to compensate for the noise increase that results from all the other operations. To convert a ciphertext $\mathbf{c}$ with respect to secret key $\mathbf{s}$ and modulus $q$ into a ciphertext $\mathbf{c}'$ encrypting the same thing with respect to the same secret key but modulus $q'$, we roughly just scale $\mathbf{c}$ by a factor $q'/q$ (thus getting a fractional ciphertext), then round appropriately to get back an integer ciphertext. Specifically $\mathbf{c}'$ is a ciphertext vector satisfying (a) $\mathbf{c}' = \mathbf{c} \pmod 2$, and (b) the "rounding error term" $\tau \stackrel{\text{def}}{=} \mathbf{c}' - (q'/q)\mathbf{c}$ has low norm. Converting $\mathbf{c}$ to $\mathbf{c}'$ is easy in coefficient representation, and one of our optimizations is a method for doing the same in evaluation representation (cf. Section 3.2). This operation leaves the current key $\mathbf{s}$ unchanged, changes the current modulus from $q$ to $q'$, and the norm of the noise is changed as $\|n'\| \le (q'/q)\|n\| + \|\tau \cdot \mathbf{s}\|$. Note that if the key $\mathbf{s}$ has low norm and $q'$ is sufficiently smaller than $q$, then the noise magnitude decreases by this operation.

A BGV-type cryptosystem has a chain of moduli, $q_0 < q_1 < \cdots < q_{L-1}$, where fresh ciphertexts are with respect to the largest modulus $q_{L-1}$. During homomorphic evaluation, every time the (estimated) noise grows too large we apply modulus switching from $q_i$ to $q_{i-1}$ in order to decrease it back. Eventually we get ciphertexts with respect to the smallest modulus $q_0$, and we cannot compute on them anymore (except by using bootstrapping).

Automorphisms. In addition to adding and multiplying polynomials, another useful operation is converting the polynomial $a(X) \in \mathbb{A}$ to $a^{(i)}(X) \stackrel{\text{def}}{=} a(X^i) \bmod \Phi_m(X)$. Denoting by $\kappa_i$ the transformation $\kappa_i: a \mapsto a^{(i)}$, it is a standard fact that the set of transformations $\{\kappa_i : i \in (\mathbb{Z}/m\mathbb{Z})^*\}$ forms a group under composition (which is the Galois group $\mathrm{Gal}(\mathbb{Q}(\zeta_m)/\mathbb{Q})$), and this group is isomorphic to $(\mathbb{Z}/m\mathbb{Z})^*$. In [4, 13] it was shown that applying the transformations $\kappa_i$ to the plaintext polynomials is very useful; some more examples of its use can be found in our Section 4. Denoting by $\mathbf{c}^{(i)}, \mathbf{s}^{(i)}$ the vectors obtained by applying $\kappa_i$ to each entry in $\mathbf{c}, \mathbf{s}$, respectively, it was shown in [4, 13] that if $\mathbf{c}$ is a valid ciphertext encrypting $a$ with respect to key $\mathbf{s}$ and modulus $q$, then $\mathbf{c}^{(i)}$ is a valid ciphertext encrypting $a^{(i)}$ with respect to key $\mathbf{s}^{(i)}$ and the same modulus $q$. Moreover the norm of the noise remains the same under this operation. We remark that we can apply key-switching to $\mathbf{c}^{(i)}$ in order to get an encryption of $a^{(i)}$ with respect to the original key $\mathbf{s}$.

2.3 Computing on Packed Ciphertexts

Smart and Vercauteren observed [20, 21] that the plaintext space $\mathbb{A}_2$ can be viewed as a vector of "plaintext slots", by an application of the polynomial Chinese Remainder Theorem. Specifically, if the ring polynomial $\Phi_m(X)$ factors modulo 2 into a product of irreducible factors $\Phi_m(X) = \prod_{j=0}^{\ell-1} F_j(X) \pmod 2$, then a plaintext polynomial $a(X) \in \mathbb{A}_2$ can be viewed as encoding $\ell$ different small polynomials, $a_j = a \bmod F_j$. Just like for integer Chinese Remaindering, addition and multiplication in $\mathbb{A}_2$ correspond to element-wise addition and multiplication of the vectors of slots. The effect of the automorphisms is a little more involved. When $i$ is a power of two then the transformation $\kappa_i: a \mapsto a^{(i)}$ is just applied to each slot separately. When $i$ is not a power of two the transformation $\kappa_i$ has the effect of roughly shifting the values between the different slots. For example, for some parameters we could get a cyclic shift of the vector of slots: if $a$ encodes the vector $(a_0, a_1, \ldots, a_{\ell-1})$, then $\kappa_i(a)$ (for some $i$) could encode the vector $(a_{\ell-1}, a_0, \ldots, a_{\ell-2})$. This was used in [13] to devise efficient procedures for applying arbitrary permutations to the plaintext slots.

We note that the values in the plaintext slots are not just bits; rather they are polynomials modulo the irreducible $F_j$'s, so they can be used to represent elements in extension fields $GF(2^d)$. In particular, in some of our AES implementations we used the plaintext slots to hold elements of $GF(2^8)$, and encrypt one byte of the AES state in each slot. Then we can use an adaptation of the techniques from [13] to permute the slots when performing the AES row-shift and column-mix.

3 General-Purpose Optimizations

Below we summarize our optimizations that are not tied directly to the AES circuit and can be used also in homomorphic evaluation of other circuits. Underlying many of these optimizations is our choice of keeping ciphertext and key-switching matrices in evaluation (double-CRT) representation.

Our chain of moduli is defined via a set of primes of roughly the same size, $p_0, \ldots, p_{L-1}$, all chosen such that $\mathbb{Z}/p_i\mathbb{Z}$ has $m$-th roots of unity. (In other words, $m \mid p_i - 1$ for all $i$.) For $i = 0, \ldots, L-1$ we then define our $i$-th modulus as $q_i = \prod_{j=0}^{i} p_j$. The primes $p_0$ and $p_{L-1}$ are special ($p_0$ is chosen to ensure decryption works, and $p_{L-1}$ is chosen to control noise immediately after encryption); however all other primes $p_i$ are of size $2^{17} \le p_i \le 2^{20}$ if $L < 100$, see Appendix C.

In the $t$-th level of the scheme we have ciphertexts consisting of elements in $\mathbb{A}_{q_t}$ (i.e., polynomials modulo $(\Phi_m(X), q_t)$). We represent an element $c \in \mathbb{A}_{q_t}$ by a $\phi(m) \times (t+1)$ "matrix" of its evaluations at the primitive $m$-th roots of unity modulo the primes $p_0, \ldots, p_t$. Computing this representation from the coefficient representation of $c$ involves reducing $c$ modulo the $p_i$'s and then $t+1$ invocations of the FFT algorithm, modulo each of the $p_i$ (picking only the FFT coefficients corresponding to $(\mathbb{Z}/m\mathbb{Z})^*$). To convert back to coefficient representation we invoke the inverse FFT algorithm $t+1$ times, each time padding the $\phi(m)$-vector of evaluation points with $m - \phi(m)$ zeros (for the evaluations at the non-primitive roots of unity). This yields the coefficients of $t+1$ polynomials modulo $(X^m - 1, p_i)$ for $i = 0, \ldots, t$; we then reduce each of these polynomials modulo $(\Phi_m(X), p_i)$ and apply Chinese Remainder interpolation. We stress that we try to perform these transformations as rarely as we can.

3.1 A New Variant of Key Switching

As described in Section 2, the key-switching transformation introduces an additive factor of $2\langle \mathbf{c}', \mathbf{e} \rangle$ in the noise, where $\mathbf{c}'$ is the input ciphertext and $\mathbf{e}$ is the noise component in the key-switching matrix. To keep the noise magnitude below the modulus $q$, it seems that we need to ensure that the ciphertext $\mathbf{c}'$ itself has low norm. In BGV [4] this was done by representing $\mathbf{c}'$ as a fixed linear combination of small vectors, i.e. $\mathbf{c}' = \sum_i 2^i \mathbf{c}_i$ with $\mathbf{c}_i$ the vector of $i$-th bits in $\mathbf{c}'$. Considering the high-dimension ciphertext $\mathbf{c}^* = (\mathbf{c}_0 \mid \mathbf{c}_1 \mid \mathbf{c}_2 \mid \cdots)$ and secret key $\mathbf{s}^* = (\mathbf{s}' \mid 2\mathbf{s}' \mid 4\mathbf{s}' \mid \cdots)$, we note that we have $\langle \mathbf{c}^*, \mathbf{s}^* \rangle = \langle \mathbf{c}', \mathbf{s}' \rangle$, and $\mathbf{c}^*$ has low norm (since it consists of 0-1 polynomials). BGV therefore included in the public key the matrix $W = W[\mathbf{s}^* \to \mathbf{s}]$ (rather than $W[\mathbf{s}' \to \mathbf{s}]$), and had the key-switching transformation compute $\mathbf{c}^*$ from $\mathbf{c}'$ and set $\mathbf{c} = W \cdot \mathbf{c}^*$.

When implementing key-switching, there are two drawbacks to the above approach. First, this increases the dimension (and hence the size) of the key switching matrix. This drawback is fatal when evaluating deep circuits, since having enough memory to keep the key-switching matrices turns out to be the limiting factor in our ability to evaluate these deep circuits. Another drawback is that this key-switching procedure seems to require that we first convert $\mathbf{c}'$ to coefficient representation in order to compute the $\mathbf{c}_i$'s, then convert each of the $\mathbf{c}_i$'s back to evaluation representation before multiplying by the key-switching matrix. In level $t$ of the circuit, this seems to require $\Omega(t \log q_t)$ FFTs.

In this work we propose a different variant: rather than manipulating $\mathbf{c}'$ to decrease its norm, we instead temporarily increase the modulus $q$. To that end we recall that for a valid ciphertext $\mathbf{c}'$, encrypting plaintext $a$ with respect to $\mathbf{s}'$ and $q$, we have the equality $\langle \mathbf{c}', \mathbf{s}' \rangle = 2e + a$ over $\mathbb{A}_q$, for a low-norm polynomial $e$. This equality, we note, implies that for every odd integer $p$ we have the equality $\langle \mathbf{c}', p\mathbf{s}' \rangle = 2e' + a$, holding over $\mathbb{A}_{pq}$, for the "low-norm" polynomial $e'$ (namely $e' = p \cdot e + \frac{p-1}{2} a$). Clearly, when considered relative to secret key $p\mathbf{s}'$ and modulus $pq$, the noise in $\mathbf{c}'$ is $p$ times larger than it was relative to $\mathbf{s}'$ and $q$. However, since the modulus is also $p$ times larger, we maintain that the noise has norm sufficiently smaller than the modulus. In other words, $\mathbf{c}'$ is still a valid ciphertext that encrypts the same plaintext $a$ with respect to secret key $p\mathbf{s}'$ and modulus $pq$. By taking $p$ large enough, we can ensure that the norm of $\mathbf{c}'$ (which is independent of $p$) is sufficiently small relative to the modulus $pq$.

We therefore include in the public key a matrix $W = W[p\mathbf{s}' \to \mathbf{s}]$ modulo $pq$ for a large enough odd integer $p$. (Specifically we need $p \approx q\sqrt{m}$.) Given a ciphertext $\mathbf{c}'$, valid with respect to $\mathbf{s}'$ and $q$, we apply the key-switching transformation simply by setting $\mathbf{c} = W \cdot \mathbf{c}'$ over $\mathbb{A}_{pq}$. The additive noise term $\langle \mathbf{c}', \mathbf{e} \rangle$ that we get is now small enough relative to our large modulus $pq$, thus the resulting ciphertext $\mathbf{c}$ is valid with respect to $\mathbf{s}$ and $pq$. We can now switch the modulus back to $q$ (using our modulus switching routine), hence getting a valid ciphertext with respect to $\mathbf{s}$ and $q$.

We note that even though we no longer break $\mathbf{c}'$ into its binary encoding, it seems that we still need to recover it in coefficient representation in order to compute the evaluations of $\mathbf{c}' \bmod p$. However, since we do not increase the dimension of the ciphertext vector, this procedure requires only $O(t)$ FFTs in level $t$ (vs. $O(t \log q_t) = O(t^2)$ for the original BGV variant). Also, the size of the key-switching matrix is reduced by roughly the same factor of $\log q_t$.

Our new variant comes with a price tag, however: we use key-switching matrices relative to a larger modulus, but still need the noise term in this matrix to be small. This means that the LWE problem underlying this key-switching matrix has a larger ratio of modulus/noise, implying that we need a larger dimension to get the same level of security than with the original BGV variant. In fact, since our modulus is more than squared (from $q$ to $pq$ with $p > q$), the dimension is increased by more than a factor of two. This translates to more than doubling of the key-switching matrix, partly negating the size and running time advantage that we get from this variant. We comment that a hybrid of the two approaches could also be used: we can decrease the norm of $\mathbf{c}'$ only somewhat by breaking it into digits (as opposed to binary bits as in [4]), and then increase the modulus somewhat until it is large enough relative to the smaller norm of $\mathbf{c}'$. We speculate that the optimal setting in terms of runtime is found around $p \approx \sqrt{q}$, but so far did not try to explore this tradeoff.

3.2 Modulus Switching in Evaluation Representation

Given an element $c \in \mathbb{A}_{q_t}$ in evaluation (double-CRT) representation relative to $q_t = \prod_{j=0}^{t} p_j$, we want to modulus-switch to $q_{t-1}$, i.e., scale down by a factor of $p_t$; we call this operation $\mathrm{Scale}(c, q_t, q_{t-1})$. The output should be $c' \in \mathbb{A}$, represented via the same double-CRT format (with respect to $p_0, \ldots, p_{t-1}$), such that (a) $c' \equiv c \pmod 2$, and (b) the "rounding error term" $\tau = c' - (c/p_t)$ has a very low norm. As $p_t$ is odd, we can equivalently require that the element $c^\dagger \stackrel{\text{def}}{=} p_t \cdot c'$ satisfy (i) $c^\dagger$ is divisible by $p_t$, (ii) $c^\dagger \equiv c \pmod 2$, and (iii) $c^\dagger - c$ (which is equal to $p_t \cdot \tau$) has low norm.

Rather than computing $c'$ directly, we will first compute $c^\dagger$ and then set $c' \leftarrow c^\dagger / p_t$. Observe that once we compute $c^\dagger$ in double-CRT format, it is easy to output also $c'$ in double-CRT format: given the evaluations for $c^\dagger$ modulo $p_j$ ($j < t$), simply multiply them by $p_t^{-1} \bmod p_j$. The algorithm to output $c^\dagger$ in double-CRT format is as follows:
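The representation of Section 2.1 and the start of Section 3 (evaluations at the primitive $m$-th roots of unity modulo each prime of the chain, i.e. double-CRT), worked through as an added Python example; this is not the paper's NTL implementation. The value $m = 8$, the two chain primes 17 and 41 (chosen only to satisfy the text's requirement $m \mid p - 1$) and the sample polynomials are constructed toy values. The point it makes: once both operands are in double-CRT form, a ring multiplication in $\mathbb{A}_q$ is one modular multiplication per matrix entry, and the schoolbook product modulo $(\Phi_m(X), q)$ is used as the reference to confirm the result.

```python
"""Coefficient vs. evaluation (double-CRT) representation of A_q = Z[X]/(Phi_m(X), q).
Added example (not the paper's NTL code); m and the primes are small constructed values."""
from functools import reduce
from math import gcd


def poly_div_exact(num, den):
    """Exact long division of integer polynomials (coefficient lists, lowest degree first)."""
    num = num[:]
    quot = [0] * (len(num) - len(den) + 1)
    for i in range(len(quot) - 1, -1, -1):
        coef = num[i + len(den) - 1] // den[-1]
        quot[i] = coef
        for j, d in enumerate(den):
            num[i + j] -= coef * d
    assert all(x == 0 for x in num), "division not exact"
    return quot


def cyclotomic(m):
    """Phi_m(X) over Z, via Phi_m = (X^m - 1) / prod_{d | m, d < m} Phi_d."""
    poly = [-1] + [0] * (m - 1) + [1]
    for d in range(1, m):
        if m % d == 0:
            poly = poly_div_exact(poly, cyclotomic(d))
    return poly


def poly_mul(a, b, p):
    """Plain product of two polynomials, coefficients reduced mod p."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return out


def poly_mulmod(a, b, phi, q):
    """a*b in A_q: schoolbook product reduced modulo the monic Phi_m(X) and modulo q."""
    n = len(phi) - 1
    prod = poly_mul(a, b, q) + [0] * n
    for k in range(len(prod) - 1, n - 1, -1):
        c = prod[k]
        if c:
            for j in range(n + 1):           # subtract c * X^(k-n) * Phi_m(X)
                prod[k - n + j] = (prod[k - n + j] - c * phi[j]) % q
    return prod[:n]


def units(m):
    """(Z/mZ)^*: the exponents i for which zeta^i is a primitive m-th root of unity."""
    return [i for i in range(1, m) if gcd(i, m) == 1]


def primitive_root_of_unity(m, p):
    """A primitive m-th root of unity in Z/pZ; requires m | p - 1 so that Phi_m splits mod p."""
    assert (p - 1) % m == 0, "need m | p-1"
    for g in range(2, p):
        z = pow(g, (p - 1) // m, p)
        if all(pow(z, k, p) != 1 for k in range(1, m)):
            return z
    raise ValueError("no primitive root found")


def to_eval(a, m, p):
    """Coefficient -> evaluation representation: b_i = a(zeta^i) mod p for i in (Z/mZ)^*."""
    zeta = primitive_root_of_unity(m, p)
    return [sum(ak * pow(zeta, i * k, p) for k, ak in enumerate(a)) % p for i in units(m)]


def from_eval(b, m, p):
    """Evaluation -> coefficient representation by Lagrange interpolation mod p: the unique
    polynomial of degree < phi(m) through the phi(m) points is a itself."""
    zeta = primitive_root_of_unity(m, p)
    xs = [pow(zeta, i, p) for i in units(m)]
    coeffs = [0] * len(xs)
    for j, xj in enumerate(xs):
        basis, denom = [1], 1                # L_j(X) = prod_{k != j} (X - x_k) / (x_j - x_k)
        for k, xk in enumerate(xs):
            if k != j:
                basis = poly_mul(basis, [(-xk) % p, 1], p)
                denom = denom * (xj - xk) % p
        scale = b[j] * pow(denom, -1, p) % p
        for idx, c in enumerate(basis):
            coeffs[idx] = (coeffs[idx] + scale * c) % p
    return coeffs


def to_double_crt(a, m, primes):
    """Double-CRT form: one column per chain prime p_j, holding the evaluations of a mod p_j."""
    return [to_eval([c % p for c in a], m, p) for p in primes]


def crt(residues, moduli):
    """Integer Chinese remaindering for pairwise coprime moduli."""
    q = reduce(lambda x, y: x * y, moduli)
    total = 0
    for r, p in zip(residues, moduli):
        qi = q // p
        total += r * qi * pow(qi, -1, p)
    return total % q


def from_double_crt(cols, m, primes):
    """Back to coefficients: interpolate per prime, then integer CRT coefficient by coefficient."""
    per_prime = [from_eval(col, m, p) for col, p in zip(cols, primes)]
    return [crt([pp[k] for pp in per_prime], primes) for k in range(len(per_prime[0]))]


def double_crt_mul(A, B, primes):
    """Ring multiplication in A_q is entrywise in double-CRT form."""
    return [[x * y % p for x, y in zip(ca, cb)] for ca, cb, p in zip(A, B, primes)]


def check_product(a, b, m, primes):
    """Multiply both ways; returns (schoolbook mod (Phi_m, q), via double-CRT)."""
    q = reduce(lambda x, y: x * y, primes)
    schoolbook = poly_mulmod(a, b, cyclotomic(m), q)
    via_dcrt = from_double_crt(
        double_crt_mul(to_double_crt(a, m, primes), to_double_crt(b, m, primes), primes), m, primes)
    return schoolbook, via_dcrt


if __name__ == "__main__":
    # Constructed sample: m = 8 (phi(m) = 4, Phi_8 = X^4 + 1), chain primes 17 and 41 (both 1 mod 8).
    print(check_product([3, 100, 250, 600], [5, 7, 11, 13], 8, (17, 41)))
```

The conversions `to_eval`/`from_eval` stand in for the forward and inverse FFT of the text (Lagrange interpolation is quadratic, which is fine at this size); the cost the paper tries to avoid is exactly these conversions, so a real implementation keeps operands in the column form returned by `to_double_crt` and only falls back to coefficients where the operation demands it.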
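A toy walk-through of the BGV operations of Section 2.2 as an added Python example: decryption formula (1), the noise polynomial and its magnitude, tensor multiplication with the key evolving to $(1, s, s^2)$ (the $2n - 1$ entry form of footnote 3), and modulus switching done the easy way, in coefficient representation, rather than the double-CRT $\mathrm{Scale}$ routine of Section 3.2. This is not the paper's code. $N = \phi(m) = 4$, the two odd moduli and the fresh error bound are constructed, deliberately insecure values, and the noise is measured in the infinity norm instead of the paper's canonical embedding norm; the error bound is set large on purpose so that the drop in noise magnitude after the switch is visible.

```python
"""Toy symmetric-key BGV over A_q = Z[X]/(X^4 + 1, q). Added example with tiny, insecure
parameters; the moduli below are constructed values, not the paper's prime chain."""
import random

N = 4                   # phi(m) for m = 8, so Phi_m(X) = X^4 + 1
Q = 2**60 + 1           # current modulus q (odd)
Q_NEXT = 2**30 + 1      # smaller modulus q' to switch down to (odd)
ERR = 2**10             # fresh error magnitude, large so the noise drop is visible


def centered(x, q):
    """[x]_q: representative of x mod q in the interval (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def poly_add(a, b, q=None):
    out = [x + y for x, y in zip(a, b)]
    return [x % q for x in out] if q else out


def poly_mul(a, b, q=None):
    """Product modulo X^N + 1 (X^N = -1), optionally reduced mod q."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                out[i + j] += ai * bj
            else:
                out[i + j - N] -= ai * bj
    return [x % q for x in out] if q else out


def noise(c, s, q):
    """The noise polynomial [<c, s> mod Phi_m(X)]_q of formula (1), coefficient representation."""
    acc = [0] * N
    for ci, si in zip(c, s):
        acc = poly_add(acc, poly_mul(ci, si), q)
    return [centered(x, q) for x in acc]


def noise_magnitude(c, s, q):
    return max(abs(x) for x in noise(c, s, q))   # infinity norm, simpler than the paper's norm


def decrypt(c, s, q):
    """Formula (1): a <- [[<c, s> mod Phi_m(X)]_q]_2."""
    return [x % 2 for x in noise(c, s, q)]


def keygen(rng):
    """Secret key vector (1, s) with s a ternary polynomial."""
    return [[1] + [0] * (N - 1), [rng.choice((-1, 0, 1)) for _ in range(N)]]


def encrypt(a, key, rng, q=Q):
    """c = (c0, c1) with c0 + c1*s = a + 2e (mod q); a is a binary polynomial."""
    s = key[1]
    c1 = [rng.randrange(q) for _ in range(N)]
    e = [rng.randint(-ERR, ERR) for _ in range(N)]
    c0 = poly_add(poly_add(a, [2 * x for x in e]), [-x for x in poly_mul(c1, s)], q)
    return [c0, c1]


def tensor(c, d, q=Q):
    """Homomorphic multiplication: 3-entry product ciphertext, valid w.r.t. key (1, s, s^2)."""
    (c0, c1), (d0, d1) = c, d
    return [poly_mul(c0, d0, q), poly_add(poly_mul(c0, d1), poly_mul(c1, d0), q), poly_mul(c1, d1, q)]


def tensor_key(key):
    s = key[1]
    return [key[0], s, poly_mul(s, s)]


def scale_poly(poly, q, q_next):
    """Entrywise: the integer nearest to (q'/q) x with the same parity as x, so |tau_i| <= 1.
    Reducing the result mod the odd q' afterwards does not change [<c', s>]_{q'}."""
    out = []
    for x in poly:
        x = centered(x, q)
        y = (2 * x * q_next + q) // (2 * q)        # round(x * q'/q)
        if (y - x) % 2:                            # fix parity, stepping toward the true value
            y += 1 if y * q < x * q_next else -1
        out.append(y % q_next)
    return out


def mod_switch(c, q, q_next):
    """Modulus switching q -> q' with the key unchanged: conditions (a) and (b) of the text."""
    return [scale_poly(p, q, q_next) for p in c]


def run_demo(seed=1):
    """Encrypt two bit-polynomials, multiply, switch modulus; report noise and decryptions."""
    rng = random.Random(seed)
    key = keygen(rng)
    a = [rng.randrange(2) for _ in range(N)]
    b = [rng.randrange(2) for _ in range(N)]
    ca, cb = encrypt(a, key, rng), encrypt(b, key, rng)
    prod, key2 = tensor(ca, cb), tensor_key(key)   # key evolved to (1, s, s^2), modulus still Q
    switched = mod_switch(prod, Q, Q_NEXT)         # key unchanged, modulus now Q_NEXT
    expected = poly_mul(a, b, 2)
    return {
        "fresh_noise": noise_magnitude(ca, key, Q),
        "product_noise": noise_magnitude(prod, key2, Q),
        "switched_noise": noise_magnitude(switched, key2, Q_NEXT),
        "decrypts_before_switch": decrypt(prod, key2, Q) == expected,
        "decrypts_after_switch": decrypt(switched, key2, Q_NEXT) == expected,
    }


if __name__ == "__main__":
    print(run_demo())
```

The numbers illustrate the bound $\|n'\| \le (q'/q)\|n\| + \|\tau \cdot \mathbf{s}\|$ from the text: the product noise is in the millions, $(q'/q)$ shrinks it by $2^{-30}$, and what remains is the rounding term, which for $|\tau_i| \le 1$ and this ternary key is at most $1 + 4 + 16 = 21$ in the infinity norm. The key switching step that would bring the product back to the two-entry key $(1, s)$ is deliberately left out; the ciphertext stays valid under $(1, s, s^2)$, which is enough to show how the current key and modulus evolve.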
Network Security in Bullets

1. Introduction
- In today's digital age, network security has become a critical concern for individuals and organizations alike.
- Network security refers to the measures taken to protect computer networks and the data they transmit from unauthorized access, misuse, or damage.

2. Importance of Network Security
- Network security safeguards sensitive information, such as personal data, financial information, or confidential business data, from falling into the wrong hands.
- It helps protect against cyber threats such as malware, hacking, phishing, or ransomware attacks.
- Network security preserves the integrity and availability of network resources, preventing unauthorized access and keeping operations running.

3. Types of Network Security Measures
- Firewalls: Firewalls act as a barrier between internal and external networks, permitting or denying traffic based on predefined security rules. They filter incoming and outgoing traffic, blocking connection attempts to or from disallowed addresses, ports, or protocols.
- Encryption: Encryption transforms data into an unreadable form so that it stays confidential in transit or at rest. An attacker who intercepts or steals encrypted data cannot read it without the key; encryption does not by itself stop the interception, it makes the intercepted data useless.
- Intrusion Detection Systems (IDS) / Intrusion Prevention Systems (IPS): Both monitor network traffic and host activity for suspicious behavior. An IDS raises alerts for analysts to act on; an IPS sits inline and can also block the offending traffic immediately.
- Virtual Private Network (VPN): A VPN provides an encrypted tunnel between remote users or sites over the internet. It protects the confidentiality and integrity of traffic on untrusted networks, such as public Wi-Fi.
- Anti-Malware Software: Anti-malware software protects against malicious software such as viruses, worms, or Trojans. It scans regularly and removes detected threats to preserve the integrity of network systems.

4. Best Practices for Network Security
- Regularly update software and firmware: Keep operating systems, applications, and network devices up to date to patch known vulnerabilities.
- Use strong, unique passwords: Weak, reused, or easily guessable passwords are a common entry point for attackers. Prefer long passphrases, never reuse a password across services, and use a password manager to generate and store them.
- Implement multi-factor authentication (MFA): MFA adds a layer of security by requiring additional verification, such as a one-time code, a hardware token, or biometric data, in addition to a password.
- Conduct regular backups: Regularly back up important data and keep the backups isolated from the production network (offline or otherwise unreachable from it), so that they survive and can be restored after data loss or a ransomware attack.
- Educate users: Train employees or individuals on network security best practices, such as avoiding suspicious emails or links, not sharing sensitive information, and being cautious when connecting to unknown Wi-Fi networks.

In conclusion, network security is crucial in today's interconnected world. By implementing suitable network security measures and following best practices, individuals and organizations can protect their networks, data, and privacy from potential cyber threats.
Regional Differences in China's Gaokao Admissions (English essay)

Three sample essays are given for reference.

Essay 1

Regional Disparities in China's College Admission

Introduction

China's college entrance exam, known as the Gaokao, is a high-stakes test that determines students' access to higher education. It is a fiercely competitive process that can shape the future of millions of young people. However, the system also reveals significant regional disparities in terms of admission rates and academic performance. This essay will delve into the reasons behind these regional differences and suggest potential solutions to address them.

Regional Disparities in Admission Rates

One of the most glaring issues in China's college admission process is the vast disparity in admission rates between different regions. In general, students in urban areas and developed provinces have a higher chance of being admitted to top-tier universities compared to their rural counterparts in less affluent regions. This is largely due to differences in the quality of education, access to resources, and family background.

For instance, students in cities like Beijing and Shanghai benefit from superior educational facilities, well-trained teachers, and a wealth of extracurricular opportunities. They also have access to expensive tutoring services, which can significantly boost their test scores. On the other hand, students in rural areas often attend underfunded schools with limited resources and lackluster teaching staff. As a result, they are at a disadvantage when competing against their urban peers in the Gaokao.

Furthermore, family background plays a crucial role in determining students' success in the Gaokao. Wealthier families can afford to send their children to private schools, hire private tutors, and provide them with a conducive learning environment. In contrast, students from low-income households may struggle to afford basic school supplies, let alone expensive test prep courses. As a result, they are less likely to perform well in the exam and secure a spot in a prestigious university.

Regional Disparities in Academic Performance

In addition to admission rates, academic performance also varies significantly across different regions in China. According to a report by the Chinese Ministry of Education, students in coastal provinces like Guangdong and Zhejiang consistently outperform their peers in inland provinces such as Guizhou and Yunnan. This is reflected in the average test scores, college enrollment rates, and graduation rates of students from different regions.

Several factors contribute to these disparities in academic performance. Firstly, the quality of education varies widely between urban and rural areas. Urban schools tend to have better facilities, more experienced teachers, and a more rigorous curriculum. In contrast, rural schools often lack basic amenities, such as libraries, laboratories, and computers. This hampers students' ability to acquire the knowledge and skills needed to excel in the Gaokao.

Secondly, cultural attitudes towards education also play a role in shaping students' academic performance. In some regions, there is a stronger emphasis on academic success and a greater willingness to invest time and resources in education. This results in higher motivation levels and better study habits among students in these areas. Conversely, in regions where education is not highly valued, students may lack the drive and ambition to excel academically.

Solutions to Address Regional Disparities

To address the regional disparities in China's college admission system, several measures can be taken at the policy level. Firstly, the government should allocate more resources to improve the quality of education in rural areas. This includes increasing funding for schools, providing professional development opportunities for teachers, and expanding access to educational materials and technology. By narrowing the gap in educational resources between urban and rural areas, the government can create a more level playing field for students from different regions.

Secondly, the government should implement targeted support programs for students from disadvantaged backgrounds. This could involve providing financial aid, mentorship programs, and academic support services to help these students succeed in the Gaokao. By addressing the socio-economic barriers that prevent students from reaching their full potential, the government can promote greater equity and inclusivity in the college admission process.

Conclusion

In conclusion, the regional disparities in China's college admission system are a pressing issue that needs to be addressed. By tackling the root causes of these disparities, such as unequal access to resources and educational opportunities, the government can create a more equitable and meritocratic system that rewards talent and hard work regardless of students' background or geographic location. Ultimately, a fair and transparent college admission process is essential for promoting social mobility and ensuring equal opportunities for all young people in China.

Essay 2

Title: Regional Disparities in College Admission in China

Introduction

In China, the National College Entrance Examination, commonly known as the Gaokao, is the most important standardized test for high school students. The results of this exam determine which universities and colleges students can attend. However, regional disparities in Gaokao scores and college admission rates have long been a topic of controversy and discussion.

Regional Disparities in Gaokao Sc
ores

One of the key factors contributing to regional disparities in college admission in China is the variation in Gaokao scores across different provinces. Students in more developed regions, such as Beijing, Shanghai, and Guangdong, tend to score higher on the Gaokao compared to students in less developed provinces in central and western China. This difference can be attributed to various factors, including differences in the quality of education, availability of resources, and socio-economic conditions.

For example, students in urban areas with better-funded schools and access to quality teaching resources may have an advantage over students in rural areas with limited educational opportunities. Additionally, the Gaokao syllabus may vary across regions, with some provinces focusing more on rote memorization and test-taking skills, while others prioritize critical thinking and problem-solving abilities.

Impact on College Admission Rates

As a result of these regional disparities in Gaokao scores, college admission rates also vary significantly across different provinces. Students from more developed regions with higher average scores have a higher chance of gaining admission to top-tier universities and colleges, while students from less developed regions may struggle to secure a spot in prestigious institutions.

This disparity in college admission rates can perpetuate existing inequalities and widen the gap between urban and rural students. Students from disadvantaged backgrounds may face barriers to higher education, limiting their opportunities for social mobility and economic advancement. This issue has sparked calls for reforms to the Gaokao system to address regional disparities and promote equal access to education.

Policy Recommendations

To address the regional disparities in college admission in China, policymakers should consider implementing measures to level the playing field for all students. This could involve standardizing the Gaokao syllabus across provinces, providing additional support and resources to students in underprivileged areas, and promoting equitable access to quality education for all.

Furthermore, universities and colleges should adopt holistic admissions criteria that take into account students' socio-economic background, extracurricular activities, and personal achievements, in addition to their Gaokao scores. This would help to create a more inclusive and diverse student body, reflecting the rich cultural and social diversity of China.

Conclusion

In conclusion, regional disparities in college admission in China are a complex issue that requires a multi-faceted approach to address. By addressing the root causes of regional disparities and promoting equal access to education for all students, China can create a more inclusive and equitable higher education system that benefits society as a whole.

Essay 3

The Differences in College Admissions in China

Introduction

In China, the college admissions process, particularly the national college entrance examination, known as the Gaokao, is a crucial aspect of every student's life. The Gaokao is the sole criterion that determines a student's future in terms of higher education. However, there are significant regional disparities in terms of admission standards and quotas, which have sparked debates and discussions on the fairness of the system.

Regional Disparities in Admission Standards

One of the key issues in Chinese college admissions is the variation in admission standards across different provinces and regions. Historically, colleges and universities in developed regions such as Beijing, Shanghai, and Guangdong tend to have higher admission standards compared to those in less developed regions. This means that students in more competitive regions face tougher competition and higher cutoff scores compared to their counterparts in less competitive regions.

For example, a student in Beijing may need to score 600 points in the Gaokao to secure a spot in a prestigious university, while a student in a less competitive region may only need 500 points to be admitted to the same university. This creates a significant disadvantage for students in highly competitive regions and raises questions about the fairness and equality of the Gaokao system.

Regional Disparities in Admission Quotas

Another major issue in Chinese college admissions is the difference in admission quotas allocated to different regions. Each province in China has a certain number of quotas allocated for its students in national universities. However, these quotas are not distributed evenly, leading to disparities in admission rates for students from different regions.

For example, students from Beijing, Shanghai, and Guangdong, which are considered more developed regions, often have higher chances of securing a spot in top universities due to the larger number of quotas allocated to their provinces. On the other hand, students from less developed regions may face fierce competition for a limited number of quotas, making it harder for them to gain admission to prestigious universities.

Implications of Regional Disparities in College Admissions

The regional disparities in college admissions in China have far-reaching implications for students, parents, and the education system as a whole. For students in highly competitive regions, the pressure to excel in the Gaokao and secure a spot in a top university is immense, leading to high levels of stress and anxiety. This can have negative impacts on students' mental health and well-being, as well as their overall development.

Moreover, the regional disparities in admission standards and quotas contribute to the widening gap between students from different regions in terms of access to quality education and opportunities for social mobility. Students from less developed regions often find themselves at a disadvantage when competing for limited spots in prestigious universities, which can perpetuate existing inequalities in society.

Conclusion

In conclusion, the regional disparities in college admissions in China highlight the need for a more equitable and transparent system that provides equal opportunities for all students, regardless of their geographical location. Addressing the issues of admission standards and quotas is crucial to ensuring a fair and inclusive higher education system that promotes meritocracy and social mobility. By recognizing and addressing the regional disparities in college admissions, China can create a more just and equitable education system that benefits all students and contributes to the overall development of the country.
CS 380S
Introduction to Secure Multi-Party Computation
Vitaly Shmatikov
slide 1

Motivation
General framework for describing computation between parties who do not trust each other
Example: elections
• N parties, each one has a "Yes" or "No" vote
• Goal: determine whether the majority voted "Yes", but no voter should learn how other people voted
Example: auctions
• Each bidder makes an offer
– Offer should be committing! (can't change it later)
• Goal: determine whose offer won without revealing losing offers
slide 2

More Examples
Example: distributed data mining
• Two companies want to compare their datasets without revealing them
– For example, compute the intersection of two lists of names
Example: database privacy
• Evaluate a query on the database without revealing the query to the database owner
• Evaluate a statistical query on the database without revealing the values of individual entries
• Many variations

All of these tasks can be computed by a trusted third party
• The goal of secure multi-party computation is to achieve the same result without involving a trusted third party
slide 4

How to Define Security?
Must be mathematically rigorous
Must capture all realistic attacks that a malicious participant may try to stage
Should be "abstract"
• Based on the desired "functionality" of the protocol, not a specific protocol
• Goal: define security for an entire class of protocols
slide 5

Functionality
K mutually distrustful parties want to jointly carry out some task
Model this task as a function f: ({0,1}*)^K → ({0,1}*)^K
K inputs (one per party); each input is a bitstring
K outputs

[Figure: party A holds input x1 and receives f1(x1,x2); party B holds input x2 and receives f2(x1,x2)]
slide 7

Slightly More Formally
A protocol is secure if it emulates an ideal setting where the parties hand their inputs to a "trusted party," who locally computes the desired outputs and hands them back to the parties

Malicious
• Deviates from the protocol in arbitrary ways, lies about his inputs, may quit at any point
For now, we will focus on semi-honest adversaries and two-party protocols
slide 9

Correctness and Security
How do we argue that the real protocol "emulates" the ideal protocol?
Correctness
• All honest participants should receive the correct result of evaluating function f
– Because a trusted third party would compute f correctly
Security
• All corrupt participants should learn no more from the protocol than what they would learn in ideal model
• What does corrupt participant learn in ideal model?
– His input (obviously) and the result of evaluating f
slide 10

Simulation
Corrupt participant's view of the protocol = record of messages sent and received
• In the ideal world, view consists simply of his input and the result of evaluating f
• If real-world view (i.e., messages received in the real protocol) can be simulated with access only to the ideal-world view, then real-world protocol is secure
• Simulation must be indistinguishable from real view
slide 11

Technicalities
Distance between probability distributions A and B over a common set X is ½ · Σ_{x∈X} |Pr(A=x) – Pr(B=x)|
Probability ensemble A_i is a set of discrete probability distributions
• Index i ranges over some set I
Function f(n) is negligible if it is asymptotically smaller than the inverse of any polynomial: ∀ constant c ∃ m such that |f(n)| < 1/n^c ∀ n > m
slide 12

Notions of Indistinguishability
Simplest: ensembles A_i and B_i are equal
Distribution ensembles A_i and B_i are statistically close if dist(A_i,B_i) is a negligible function of i
Distribution ensembles A_i and B_i are computationally indistinguishable (A_i ≈ B_i) if, for any probabilistic polynomial-time algorithm D, |Pr(D(A_i)=1) – Pr(D(B_i)=1)| is a negligible function of i
• No efficient algorithm can tell the difference between A_i and B_i except with a negligible probability
slide 13

SMC Definition (First Attempt)
Protocol for computing f(X_A,X_B) betw. A and B is secure if there exist efficient simulator algorithms S_A and S_B such that for all input pairs (x_A,x_B) …
Correctness: (y_A,y_B) ≈ f(x_A,x_B)
• Intuition: outputs received by honest parties are indistinguishable from the correct result of evaluating f
Security: view_A(real protocol) ≈ S_A(x_A,y_A)
view_B(real protocol) ≈ S_B(x_B,y_B)
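The simulation argument from the Simulation, Technicalities and SMC Definition slides, worked through on a concrete semi-honest protocol as an added example (this code is not from the slides or the course). It assumes a standard three-party additive-secret-sharing sum, a tiny constructed modulus P = 5 so that every random tape can be enumerated exactly, and hypothetical function names of its own. It builds the real view of party 1, a simulator S_1(x1, y) that sees only the ideal-world information, and checks with the slides' statistical distance that the two view distributions coincide; beside it, a leaky "announce your input" protocol shows what failure looks like: two input vectors with the same ideal view (x1, y) give real views at distance 1, so no simulator can match both.

```python
# Added example (not from the slides): three-party secure sum in the semi-honest model,
# with the simulator-based security argument checked exhaustively over a tiny modulus.
import itertools
from collections import Counter
from fractions import Fraction

P = 5  # constructed choice: a tiny prime so every random tape can be enumerated exactly


def distribution(outcomes):
    """Exact probability table of a list of equally likely outcomes."""
    counts = Counter(outcomes)
    return {k: Fraction(v, len(outcomes)) for k, v in counts.items()}


def statistical_distance(dist_a, dist_b):
    """dist(A,B) = ½ · Σ_x |Pr(A=x) − Pr(B=x)|, as defined on the Technicalities slide."""
    support = set(dist_a) | set(dist_b)
    return Fraction(1, 2) * sum(abs(dist_a.get(k, 0) - dist_b.get(k, 0)) for k in support)


def secure_sum_view_party1(x, tape):
    """Party 1's real view of the share-based sum for inputs x = (x1, x2, x3).

    Party i splits x_i into three additive shares mod P: a_ij for j != i is a
    uniform coin from its tape, a_ii is fixed so the three shares sum to x_i.
    Share a_ij is sent to party j. Party j then broadcasts t_j, the sum of the
    shares it holds; every party outputs y = t_1 + t_2 + t_3 = x_1 + x_2 + x_3.
    The view is what party 1 saw: its input, its own coins, the shares it
    received, and the broadcast partial sums (t_1 is computable from these).
    """
    x1, x2, x3 = x
    a12, a13, a21, a23, a31, a32 = tape        # six uniform coins in total
    a22 = (x2 - a21 - a23) % P
    a33 = (x3 - a31 - a32) % P
    t2 = (a12 + a22 + a32) % P
    t3 = (a13 + a23 + a33) % P
    return (x1, a12, a13, a21, a31, t2, t3)


def simulator_party1(x1, y, tape):
    """S_1(x1, y): builds a view from the ideal-world information only.

    Party 1's own coins and the shares it receives are uniform in the real
    protocol, so the simulator draws them fresh; t2 is uniform too because the
    other parties' unseen coins mask it; t3 is then forced by y = t1 + t2 + t3.
    """
    a12, a13, a21, a31, t2 = tape              # five uniform coins
    t1 = ((x1 - a12 - a13) + a21 + a31) % P
    t3 = (y - t1 - t2) % P
    return (x1, a12, a13, a21, a31, t2, t3)


def leaky_sum_view_party1(x, tape):
    """Insecure comparison protocol: every party just announces its input (no coins)."""
    return tuple(x)


def view_distribution(view_fn, n_coins, x):
    """Distribution of party 1's view over all uniform random tapes of n_coins coins."""
    tapes = itertools.product(range(P), repeat=n_coins)
    return distribution([view_fn(x, t) for t in tapes])


def simulation_gap(x):
    """dist(view_1(real protocol), S_1(x1, y)) for the share-based sum; 0 means perfect simulation."""
    y = sum(x) % P
    real = view_distribution(secure_sum_view_party1, 6, x)
    tapes = itertools.product(range(P), repeat=5)
    simulated = distribution([simulator_party1(x[0], y, t) for t in tapes])
    return statistical_distance(real, simulated)


def ideal_view_party1(x):
    """What a corrupt party 1 learns in the ideal model: its own input and the output."""
    return (x[0], sum(x) % P)


def real_view_gap(view_fn, n_coins, x_a, x_b):
    """Distance between party 1's real views on two input vectors.

    If ideal_view_party1(x_a) == ideal_view_party1(x_b), any simulator (a function
    of that ideal view alone) outputs the same distribution for both, so by the
    triangle inequality it is at least half this distance away from one of them.
    """
    return statistical_distance(view_distribution(view_fn, n_coins, x_a),
                                view_distribution(view_fn, n_coins, x_b))


if __name__ == "__main__":
    x_a, x_b = (1, 2, 0), (1, 0, 2)            # same x1 and same output y = 3, different x2, x3
    assert ideal_view_party1(x_a) == ideal_view_party1(x_b)
    print("share-based sum, simulation gap:", simulation_gap(x_a))
    print("share-based sum, view gap:", real_view_gap(secure_sum_view_party1, 6, x_a, x_b))
    print("leaky sum, view gap:", real_view_gap(leaky_sum_view_party1, 0, x_a, x_b))
```

The exhaustive enumeration is what makes the distance exact rather than estimated: with a cryptographic-size modulus one would sample instead, and the slides' negligible-function language takes over from the equality shown here. Note also that the argument is only semi-honest: a malicious party that sends inconsistent shares breaks correctness, which this check does not cover.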