On the Selection of Random Numbers in the EIGamal Algorithm

The EIGamal algorithm, which can be used for both signature and encryption, is of importance in public-key cryptosystems. However, there has arisen an issue that different criteria of selecting a random number are used for the same algorithm. In the aspects of the sufficiency, necessity, security and computational overhead of parameter selection, this paper analyzes these criteria in a comparative manner and points out the insecurities in some textbook cryptographic schemes. Meanwhile, in order to enhance security a novel generalization of the EIGamal signature scheme is made by expanding the range of selecting random numbers at an acceptable cost of additional computation, and its feasibility is demonstrated.     

The feasibility and outcome of clinic plus Internet delivery of cognitive-behavior therapy for childhood anxiety.

Seventy-two clinically anxious children, aged 7 to 14 years, were randomly allocated to clinic-based, cognitive-behavior therapy, the same treatment partially delivered via the Internet, or a wait-list control (WL). Children in the clinic and clinic-plus-Internet conditions showed significantly greater reductions in anxiety from pre- to posttreatment and were more likely to be free of their anxiety diagnoses, compared with the WL group. Improvements were maintained at 12-month follow-up for both therapy conditions, with minimal difference in outcomes between interventions. The Internet treatment content was highly acceptable to families, with minimal dropout and a high level of therapy compliance. (PsycINFO Database Record (c) 2010 APA, all rights reserved)     

A linear quadtree compression scheme for image encryption

A private key encryption scheme for a two-dimensional image data is proposed in this work. This scheme is designed on the basis of lossless data compression principle. The proposed scheme is developed to have both data encryption and compression performed simultaneously. For the lossless data compression effect, the quadtree data structure is used to represent the image; for the encryption purpose, various scanning sequences of image data are provided. The scanning sequences comprise a private key for encryption. Twenty four possible combinations of scanning sequences are defined for accessing four quadrants, thereby making available 24ⁿ × 4^{n(n − 1)/2} possibilities to encode an image of resolution 2ⁿ × 2ⁿ. The security of the proposed encryption scheme therefore relies on the computational infeasibility of an exhaustive search approach. Three images of 512 × 512 pixels are used to verify the feasibility of the proposed scheme. The testing results and analysis demonstrate the characteristics of the proposed scheme. This scheme can be applied for problems of data storage or transmission in a public network.     

关于具有恢复消息功能的认证方案的一点注记

简述了基本的Nyberg-Rueppel认证方案和HMP认证方案,指出了LC认证方案是HMP认证方案的一个特例。     

广义GM概率公开钥密码体制的多项式安全性证明

基于Ｚｎ＊中二次剩余问题，Ｇｏｌｄｗａｓｓｅｒ与Ｍｉｃａｌｉ［１］首先提出了一种具有多项式安全的概率公开钥密码体制。由此几种基于Ｚｎ＊中γ—次剩余问题的概率加密体制也被建立起来（本文称之为广义ＧＭ体制）。概率公开钥密码体制只有是多项式安全的，才能体现它作为一种概率加密体制所特有的特点，但广义ＧＭ体制的多项式安全性并没有得到证明。本文用较独特的方法证明了广义ＧＭ体制是多项式安全的。     

The Full Cost of Cryptanalytic Attacks

An open question about the asymptotic cost of connecting many processors to a large memory using three dimensions for wiring is answered, and this result is used to find the full cost of several cryptanalytic attacks. In many cases this full cost is higher than the accepted complexity of a given algorithm based on the number of processor steps. The full costs of several cryptanalytic attacks are determined, including Shanks method for computing discrete logarithms in cyclic groups of prime order n, which requires n^1/2+o(1) processor steps, but, when all factors are taken into account, has full cost n^2/3+o(1). Other attacks analyzed are factoring with the number field sieve, generic attacks on block ciphers, attacks on double and triple encryption, and finding hash collisions. In many cases parallel collision search gives a significant asymptotic advantage over well-known generic attacks.     

RSA-OAEP Is Secure under the RSA Assumption

Recently Victor Shoup noted that there is a gap in the widely believed security result of OAEP against adaptive chosen-ciphertext attacks. Moreover, he showed that, presumably, OAEP cannot be proven secure from the one-wayness of the underlying trapdoor permutation. This paper establishes another result on the security of OAEP. It proves that OAEP offers semantic security against adaptive chosen-ciphertext attacks, in the random oracle model, under the partial-domain one-wayness of the underlying permutation. Therefore, this uses a formally stronger assumption. Nevertheless, since partial-domain one-wayness of the RSA function is equivalent to its (full-domain) onewayness, it follows that the security of RSA-OAEP can actually be proven under the sole RSA assumption, although the reduction is not tight.     

On the uniformity of distribution of the decryption exponent in fixed encryption exponent RSA

Let us fix a security parameter n and a sufficiently large encryption exponent e. We show that for a random choice of the RSA modulus m=pq, where p and q are n-bit primes, the decryption exponent d, defined by is uniformly distributed modulo φ(m). It is known, due to recent work of Boneh, Durfee and Frankel, that additional information about some bits of d may turn out to be dramatic for the security of the whole cryptosystem. Our uniformity of distribution result implies that sufficiently long strings of the most and the least significant bits of d, which are vulnerable to such attacks, behave as random binary vectors.     

How to Better Use Expert Advice

This work is concerned with online learning from expert advice. Extensive work on this problem generated numerous expert advice algorithms whose total loss is provably bounded above in terms of the loss incurred by the best expert in hindsight. Such algorithms were devised for various problem variants corresponding to various loss functions. For some loss functions, such as the square, Hellinger and entropy losses, optimal algorithms are known. However, for two of the most widely used loss functions, namely the 0/1 and absolute loss, there are still gaps between the known lower and upper bounds.In this paper we present two new expert advice algorithms and prove for them the best known 0/1 and absolute loss bounds. Given an expert advice algorithm ALG, the goal is to form an upper bound on the regret L _ALG – L* of ALG, where L _ALG is the loss of ALG and L* is the loss of the best expert in hindsight. Typically, regret bounds of a canonical form C · are sought where N is the number of experts and C is a constant. So far, the best known constant for the absolute loss function is C = 2.83, which is achieved by the recent IAWM algorithm of Auer et al. (2002). For the 0/1 loss function no bounds of this canonical form are known and the best known regret bound is , where C ₁ = e – 2 and C ₂ = 2 . This bound is achieved by a P-norm algorithm of Gentile and Littlestone (1999). Our first algorithm is a randomized extension of the guess and double algorithm of Cesa-Bianchi et al. (1997). While the guess and double algorithm achieves a canonical regret bound with C = 3.32, the expected regret of our randomized algorithm is canonically bounded with C = 2.49 for the absolute loss function. The algorithm utilizes one random choice at the start of the game. Like the deterministic guess and double algorithm, a deficiency of our algorithm is that it occasionally restarts itself and therefore forgets what it learned. Our second algorithm does not forget and enjoys the best known asymptotic performance guarantees for both the absolute and 0/1 loss functions. Specifically, in the case of the absolute loss, our algorithm is canonically bounded with C approaching and in the case of the 0/1 loss, with C approaching 3/ . In the 0/1 loss case the algorithm is randomized and the bound is on the expected regret.     

Verifying functions in online stock trading systems

Temporal colored Petri nets, an extension of temporal Petri nets, are introduced in this paper. It can distinguish the personality of individuals (tokens), describe clearly the causal and temporal relationships betwee nevents in concurrent systems, and represent elegantly certain fundamental properties of concurrent systems, such as eventuality and fairness. The use of this method is illustrated with an example of modeling and formal verification of an online stock trading system. The functional correctness of the modeled system is formally verified based on the temporal colored Petri net model and temporal assertions. Also, some main properties of the system are analyzed. It has been demonstrated sufficiently that temporal colored Petri nets can verify efficiently some time-related properties of concurrent systems, and provide both the power of dynamic representation graphically and the function of logical inference formally. Finally. future work is described.