Multidivisible Online/Offline Cryptography and Its ...downloads.hindawi.com/journals/scn/2019/1042649.pdf · Online/oˆine cryptography, a fundamental concept for many cryptographic

Research ArticleMultidivisible OnlineOffline Cryptography and ItsApplication to Signcryptions

Dan Yamamoto 1 and Wakaha Ogata 2

1Hitachi Ltd Yokohama Japan2Tokyo Institute of Technology Tokyo Japan

Correspondence should be addressed to Dan Yamamoto danyamamotovxhitachicom

Received 17 January 2019 Accepted 17 July 2019 Published 8 October 2019

Academic Editor Bruce M Kapron

Copyright copy 2019 Dan Yamamoto and Wakaha Ogata is is an open access article distributed under the Creative CommonsAttribution License which permits unrestricted use distribution and reproduction in anymedium provided the original work isproperly cited

We introduce a general concept of multidivisible onlineoine (MDO) cryptography which covers the previous works includingonlineoine cryptographic schemes divisible onlineoine signatures incrementally executable signcryptions and multi-divisible onlineoine encryptions We then present the notion of multidivisible onlineoine signcryptions (MDOSCs) as novelapplication of MDO cryptography We dene several security notions for MDOSCs and show implications and separationsbetween these security notions We also present a generic construction of MDOSC that achieves the strongest security notionswith regard to condentiality and unforgeability Using MDOSC schemes the computationally restricted andor bandwidth-restricted devices can transmit messages in both condential and authenticated way with low computational overhead andor low-bandwidth network

1 Introduction

In the emerging network environment eg Internet ofings (IoT) more and more computationally restricteddevices as well as bandwidth-restricted devices are con-nected to each other at any time in any place Securing theircommunication is urgently required to make these envi-ronments sustainable and scalable We can use crypto-graphic schemes as building blocks to achieve security forthem only if it is taken into account that the devices herehave restricted resources

Onlineoine cryptography a fundamental concept formany cryptographic systems (eg signatures [1ndash4] en-cryptions [5ndash8] signcryptions [9ndash13] and so forth) is a keyto reduce computational costs of the devices sending theirmessages in condential andor authenticated way

e history of onlineoine cryptography began withonlineoine signatures proposed by Even et al [2 3] esigning procedure of onlineoine signature scheme is splitinto the oine phase and the online phase e signer canperform all the computationally expensive operations in the

oine phase ie in any idle time before the sender decidesthe message to be signeden in the online phase ie afterthe message is determined only lightweight operations arerequired to sign the message so that even low-power devicescan handle the signing process

As an extension of onlineoine signature scheme in thecontext of signcryption the notion of incrementally exe-cutable signcryptions (IESCs) was proposed in [12] Here asigncryption process is split into three subprocesses wherethe sender can activate each subprocess incrementally by itsgiven sequential input the senderrsquos own key pair a recipientrsquospublic key and a plaintext message to be sent to the recipientWe can utilize signicant intervals between these threesubprocesses to perform as much precomputation as possible

To save the transmission bandwidth as well as compu-tational cost Gao et al [4] proposed the notion of divisibleonlineoine signatures (DOSs) Using DOS intermediateoutputs can be securely sent to the receiver in the oinephase so that the senders can save not only computationalresources but also transmission bandwidths in the onlinephase

HindawiSecurity and Communication NetworksVolume 2019 Article ID 1042649 21 pageshttpsdoiorg10115520191042649

Applying the above attractive features of DOS as well asIESC to public-key encryption schemes the notion ofmultidivisible onlineoffline encryptions (MDOEs) wasproposed in [14] In MDOEs encryption process can beexecuted in at most three steps and at most three partialciphertexts can be transmitted one-by-one

Our contributions in this paper we propose a generalconcept of multidivisible onlineoffline cryptography (MDOcryptography for short) which covers the onlineofflinecryptography divisible onlineoffline signatures in-crementally executable signcryptions and multidivisibleonlineoffline encryptions

In general MDO cryptographic schemes have the fol-lowing features

Incremental processing a senderrsquos process can be di-vided into two or more subprocessesIncremental sending outputs of intermediate sub-processes can be sent prior to all the subsequentsubprocesses

ese features enable us to save both computationaloverhead and transmission bandwidth on which we canconstruct secure communication platform for IoT-likeenvironment

As instances taking full advantage of these two featuresof MDO cryptography we introduce notions of multi-divisible onlineoffline signcryptions (MDOSCs) and di-visible onlineoffline tag-based KEMs

We define parameterized security notions of MDOSCsdenoted as (k n q)-dM-IND-iCCA for confidentiality and(k n)-dM-UF-iCMA for unforgeability with regard to threeparameters the level of divisibility k the number of users nand the number of queries per user q en we analyze allthe relationships ie the implications and separationsamong these security notions

We also present a generic construction of MDOSC thatachieves the strongest security notions of both confidenti-ality and unforgeability

Expected application scenario Figure 1 shows a usageexample of our MDOSCs where a signcryption algorithm issplit into three subalgorithms ie sc1 sc2 and sc3 each ofwhich can be processed incrementally and can send outputsto recipient incrementally e sender in our examplesystem consists of the following three components acomputationally powerful cloud with sc1 an energy-re-stricted mobile device with sc2 and the most computa-tionally restricted as well as bandwidth-restricted IoTdevice such as a sensor node with sc3 Both the sender andthe receiver in our system can access a shared storage Weassume the receiver has enough computational resource todecrypt signcrypted messages received from the senderFirstly the sender uses cloud computing to execute themost computationally expensive algorithm sc1 with thesenderrsquos own key pair (skS pkS) to generate partial ci-phertext Σ1 store it into the shared storage and also storestate information φ1 to the storage of the mobile deviceese procedures can be repeatedly executed depending onthe storage capacity of the mobile device and the costs for

using cloud computing as well as shared storage Nextwhen the sender recognizes the target recipient to whomshe might send some messages and obtains the receiverrsquospublic key pkR the senderrsquos mobile device executes less-expensive algorithm sc2 with φ1 and pkR to generate partialciphertext Σ2 transmit it to the receiver and store stateinformation φ2 to the storage of the IoT device eseprocedures can also be repeatedly executed depending onthe storage capacities of the IoT device and the receiverAfter that when the IoTdevice is ready to send a messagem(eg typically very short numeric value sensed by sensor)it executes the least expensive algorithm sc3 with φ2 and mto generate partial ciphertext Σ3 transmit it to the receiverNote that Σ3 is reasonably short since the cryptographicinformation for decryption (unsigncryption) has been al-ready transmitted as Σ1 and Σ2 Finally the receiver se-curely obtains the message m by unsigncrypting Σ2 and Σ3with separately downloaded Σ1 from the shared storage aswell as pkS and skR using the unsc algorithm

Organization of this paper this paper is organized asfollows Section 2 introduces basic notations used in thispaper In Section 3 we introduce the concept of MDOcryptography and discuss its instances including MDOsignatures MDO encryptions and MDO signcryptionsSection 4 formally defines the notion of MDO signcryptionsand its security notions e relations between the securitynotions of MDOSC are discussed in Section 5 Section 6shows a generic construction of MDOSC and comparisonwith previous signcryption schemes as well as usage exampleof our MDOSC construction Concluding remarks are givenin Section 7

2 Notations

For n isin N [n] denotes the set 1 2 n We write x⟵y

or y⟶ x to indicate that x is the output from a function oran algorithm y or the assignment of the value y to xx⟵ $X denotes the operation of selecting a random el-ement x from a setX We write Ax to indicate explicitly thatthe algorithm x belongs to the scheme A We writez⟵A(x y oracle1 oracle2 ) to indicate the op-eration of a turing machine A with inputs x y andaccess to oracles oracle1 oracle2 and letting z be theoutput Unless otherwise indicated algorithms are ran-domized ie it takes a source of randomness to makerandom choices during execution In all the experiments(games) every number set and bit string is implicitlyinitialized by 0 empty setempty and empty string ε respectivelyWe write Pr[GY

X(A) b] to indicate the probability of theevent that adversary A outputs b in attack game GY

X

3 Multidivisible OnlineOffline Cryptography

In this section we propose a concept of (multi)-divisibleonlineoffline (MDO) cryptography as a generalization ofonlineoffline cryptography is concept can be applied tovarious cryptographic primitives such as encryptionschemes and signature schemes MDO cryptographic

2 Security and Communication Networks

schemes have the two features incremental processing andincremental sending

Incremental Processing In a cryptographic primitive a list ofseveral inputs (x1 x2 xk) is processed by an algorithmALG to compute y ALG(x1 x2 xk) which is sent viaa (insecure) channel

In contrast ALG in MDO cryptography is split intok(ge1) subalgorithms ALG1 ALGk and

φ1 y1( 1113857⟵ALG1 x1( 1113857

φ2 y2( 1113857⟵ALG2 x2φ1( 1113857

⋮

yk⟵ALGk xkφk-1( 1113857

(1)

are computed instead of y ALG(x1 x2 xk) y

(y1 yk) is treated as the output of ALGφi(i 1 k-1) state information is assumed to be se-cretly stored and will be consumed only once by sub-algorithm ALGi+1

For a more general model k inputs are grouped intokprime(lek) input groups (x1prime xkprimeprime ) In this case ALG is splitinto kprime subalgorithms By this definition our concept en-ables us to model wide variety of systems in a unified wayFor example an onlineoffline scheme is a special case whereinputs are divided into two groups a message and the othersMoreover an ordinary cryptographic scheme can be treatedas a special case where all inputs are grouped into only oneinput group ie kprime 1

Grouping of inputs should depend on the timing wheneach input is given to the sender

Incremental Sending To save transmission bandwidth it isdesired to send each partial output yi one-by-one

However it is known that a scheme could be insecure ifeach yi is allowed to be sent one-by-one even when thescheme is secure if all the yirsquos are sent at the same time [14]erefore we need extended security notions that capturenew types of adversary exploiting partial output yirsquos forattacks

In the following we show several MDO cryptographicprimitives including signatures public-key encryptions keyencapsulation mechanisms (KEMs) tag-based key encap-sulation mechanisms (TBKEMs) and signcryptions

31 Signatures We recall the notion of divisible onlineoffline signatures (DOSs) [4] A divisible onlineoffline sig-nature scheme DOS consists of the following algorithms

init( )⟶ λ (the public parameter generation algo-rithm) it outputs public parameters λ to be used by allpartiesgen(λ)⟶ (sk pk) (the key generation algorithm) itgenerates a key pair (sk pk) for signing and verificationsign1(λ sk)⟶ (φ σ1) (the offline signing algorithm)given public parameters λ and a secret key sk it outputsstate information φ and an offline signature token σ1We require that σ1 ne εsign2(φ m)⟶ σ2 (the online signing algorithm)given state information φ and a message m it outputsonline signature token σ2ver(λ pk m σ1 σ2)⟶ v (the deterministic verifica-tion algorithm) given a public key pk a messagem andsignature tokens (C1 C2) it outputs 1 (accept) or 0(reject)

We require the correctness for DOS namely for anyλ⟵DOSinit( ) any (sk pk)⟵DOSgen(λ) any m isin

Cloud

skS pkS

skR pkR

skRpkS

pkS

pks

pkR

Server

unsc m or ⟂Σ1 Σ2 Σ3

SC1

SC2

SC3

Σ1Σ1

Σ2

Σ3

Σ1

Sharedstorage

Mobile

IoT device

genR

ReceiverSender

φ1

φ2

φ1

Σ2

φ2pkR

φ1

mφ2 Σ3

λλ

Figure 1 Usage example of our proposed signcryption construction MDOSC

Security and Communication Networks 3

0 1 lowast any (φ σ1)⟵DOSsign1(λ sk) and any σ2⟵DOSsign2 (φ m) we have DOSver(λ pk m σ1 σ2) 1

As an attempt we might try to extend DOS to MDOSmultidivisible onlineoffline signatures based on ourframework More specifically we could further splitsign1(λ sk) into sign1-(λ) and sign1+(sk) While this split-ting is possible theoretically it does not provide significantbenefits to senders in practical is is because public pa-rameters λ and secret key sk are obtained by senders almost atthe same time in most applications so that senders cannottake advantage of the precomputation of sign1minus We thereforedo not try to formalize the syntax of multidivisible onlineoffline signatures in this paper Nevertheless we can providethe security notions for it based on multidivisible onlineoffline style to capture the unforgeability notion for ordinarysignatures [15] as well as the notion for divisible onlineoffline signatures [4] in a unified way

We define the security notion of (strong) unforgeabilityagainst adaptive chosen message attacks ((k n)-UF-CMAand (k n)-sUF-CMA) as follows

Definition 1 Let k isin 1 2 and n isin N Let X isin UF sUF Let DOS be a DOS scheme and let A be an adversary e(k n)-X-CMA-advantage of A against DOS is defined as

Adv(kn)-X-CMADOS (A) Pr G

(kn)-X-CMADOS (A) 11113960 1113961 (2)

where the attack game G(kn)-X-CMADOS is defined in Figure 2

We say that DOS is (t q ϵ)-(k n)-X-CMA-secure ifAdv(kn)-X-CMA

DOS (A)le ϵ holds for any adversary A that runsin time t and makes at most q queries to oracle sign

Note that the notion of (1 1)-UF-CMA is equivalent tothe standard unforgeability notion for ordinary signatures[15] whereas (2 1)-UF-CMA is identical to the notion fordivisible onlineoffline signatures [4]

We also define the notion of smooth divisible onlineoffline signature scheme in a similar fashion with a smoothKEM [16]

Definition 2 Smoothness SmthDOS for DOS is defined asfollows

SmthDOS E maxσ1isin 01 lowast

Prφσ1prime( )⟵DOSsign1(λsk)

σ1prime σ11113858 1113859⎡⎣ ⎤⎦ (3)

where the expected value is taken over λ⟵DOSinit( ) (sk pk)⟵DOSgen(λ) We say DOS isϵ-smooth if SmthDOS le ϵ holds

32 Public-Key Encryptions and KEMs e notion ofmultidivisible onlineoffline encryptions (MDOEs) wasproposed in [14] It captures both the desirable features ofidentity-based onlineoffline encryptions [5ndash8] and divisibleonlineoffline signatures [4] that is a part of encryption canbe executed even when the public key to the receiver isunknown and partial ciphertexts can be sent to the receivereven when the senderrsquos inputs (eg a public key or aplaintext) are not fully determined Concrete constructions

are also proposed in [14] which allow the computationallyrestricted andor bandwidth-restricted devices to transmitciphertexts with low computational overhead andor low-bandwidth network

eir concrete constructions are built on partitionedKEM which can be regarded as an instance of divisibleonlineoffline KEM As with DOS and MDOE partitionedKEMs have divided encapsulation algorithms enc1(λ) andenc2(pk) both of which output partial encapsulations C1and C2

33 Tag-BasedKey EncapsulationMechanism We introducethe notion of divisible onlineoffline tag-based KEM (DOTK)which is a tag-based analogue of divisible onlineofflineKEM ie partitioned KEM

A divisible onlineoffline tag-based key encapsulationmechanism DOTK consists of the following algorithms

init( )⟶ λ (the public parameter generation algo-rithm) it outputs public parameters λ to be used by allparties Public parameters λ contains a description ofthe session key space DOTKKgen(λ)⟶ (sk pk) (the key generation algorithm) itgenerates a key pair (sk pk) for decapsulation andencapsulationenc1(λ τ)⟶ (φ C1) (the first key encapsulation al-gorithm) given public parameters λ and a tagτ isin 0 1 lowast it outputs state information φ and a partialencapsulation C1 We require that C1 ne εenc2(φ pk)⟶ (K C2) (the second key encapsulationalgorithm) given state information φ and a public keypk it outputs a pair (K C2) where K isin DOTKK is agenerated session key and C2 is a partial encapsulationof Kdec(λ sk τ C1 C2)⟶ K (the deterministic decap-sulation algorithm) given a secret key sk a tag τ andencapsulations (C1 C2) it outputs either a session keyK or an error symbol perp

We require the correctness for DOTK namely for anyλ⟵DOTKinit( ) any (sk pk)⟵DOTKgen(λ) anyτ isin 0 1 lowast any (φ C1)⟵DOTKenc1(λ τ) and any(K C2) ⟵DOTKenc2(φ pk) we have DOTKdec(λ sk

τ C1 C2) KWe define the security notion of indistinguishability

against adaptive tag and adaptive chosen ciphertext attacks((k n q)-IND-tag-CCA)

Definition 3 Let k isin 1 2 and n q isin N Let DOTK be aDOTK scheme and let A be an adversary e(k n q)-IND-tag-CCA-advantage of A against DOTK isdefined as

Adv(knq)-IND-tag-CCADOTK (A) 2Pr G

(knq)-IND-tag-CCADOTK (A) 11113876 1113877 minus 1

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868

(4)

where the attack game G(knq)-IND-tag-CCADOTK is defined in

Figure 3


We say that DOTK is (t qd ϵ)-(k n q)-IND-tag-CCA-secure if Adv(knq)-IND-tag-CCA

DOTK (A)le ϵ holds for anyadversaryA that runs in time t andmakes at most qd queriesto the oracle dec

Construction Here we give a concrete example of (1 1)-IND-tag-CCA-secure divisible onlineoffline tag-basedKEM scheme with lightweight enc2 algorithm that requiresonly one regular exponentiation in GT of bilinear groups

Figure 2 Attack game defining (k n)-X-CMA security Boxed parts are evaluated only in sUF game

Figure 3 Attack game defining (k n q)-IND-tag-CCA security


e construction of our tag-based KEM is similar to the oneof partitioned KEM [14] that is based on the IBE-based KEMfrom Boyen et al [17 18] e concrete scheme DOTKBMWis described in Figure 4 where (G 1113954GGT) is a bilinear groupie G 1113954G and GT are cyclic groups of prime order pequipped with a bilinear map e G times 1113954G⟶ GT (a bilinearmap e G times 1113954G⟶ GT satisfies the following properties (1)bilinearity e(ga hb) e(g h)ab for any g isin G any h isin 1113954Gand any a b isin Z (2) efficient computability for any inputpair (3) nondegeneracy e(g h)ne 1GT

for any g isin G1G andany h isin 1113954G11113954G) H G⟶ Zp is a target collision resistanthash function and CH is a secure chameleon hash functionAs with the partitioned KEM in [14] our scheme has nosecond partial ciphertext ie C2 ε which is desirablewhen algorithm enc2 is executed in the bandwidth-restrictedenvironment We can verify that the scheme is(1 1)-IND-tag-CCA-secure if the DBDH (Decisional Bi-linear DiffiendashHellman) assumption on (G 1113954GGT) holds eproof is similar with the original proof in [17]

34 Signcryptions e two features of MDO cryptographyie incremental processing and sending can show their fulladvantages when applying to signcryptions where thesender-side algorithm has multiple input arguments that canbe given incrementally in most caseserefore in the rest ofthis paper we focus on the notion of multidivisible onlineoffline signcryption (MDOSC)

In MDOSC schemes a signcryption algorithm is splitinto three subalgorithms each of which can be processedincrementally and their output can be transmitted in-crementally A formal definition security notions and ageneric construction of MDOSC are described in the fol-lowing sections

4 Multidivisible OnlineOffline Signcryptions

We first introduce multidivisible onlineoffline signcryption(MDOSC) en we formally define its security models interms of confidentiality and unforgeability

41 Syntax Definition 4 A multidivisible onlineofflinesigncryption scheme MDOSC consists of the followingalgorithms

init( )⟶ λ (the public parameter generation algo-rithm) it outputs public parameters λ to be used by allpartiesgenS(λ)⟶ (skS pkS) (the sender key generation al-gorithm) it generates a privatepublic key pair(skS pkS) for a sendergenR(λ)⟶ (skR pkR) (the receiver key generationalgorithm) it generates a privatepublic key pair(skR pkR) for a receiversc1(λ skS pkS)⟶ (φ1Σ1) (the first signcryption al-gorithm) given public parameter λ and senderrsquos keypair (skS pkS) it outputs state information φ1 andpartial ciphertext Σ1

sc2(φ1 pkR)⟶ (φ2Σ2) (the second signcryptionalgorithm) given state information φ1 and recipientrsquospublic key pkR it outputs new state information φ2 andpartial ciphertext Σ2sc3(φ2 m)⟶Σ3 (the third signcryption algorithm)given state information φ2 and plaintext m it outputspartial ciphertext Σ3unsc(λ skR pkR pkSΣ1Σ2Σ3)⟶ m (the determin-istic unsigncryption algorithm) given public parametersλ recipientrsquos key pair (skR pkR) senderrsquos public key pkSand partial ciphertexts Σ1 Σ2 and Σ3 it outputs eitherplaintext m or error symbol perp

We require the correctness for MDOSC namely for anyλ⟵ init( ) any (skS pkS)⟵ genS(λ) any (skR pkR)⟵genR(λ) any m any (φ1Σ1)⟵ sc1(λ skS pkS) and any(φ2Σ2)⟵ sc2(φ1 pkR) we have unsc(λ skR pkR pkSΣ1Σ2 sc3(φ2 m)) m

We say that a MDOSC scheme is a 2-divisible onlineoffline signcryption (2-DOSC for short) scheme if Σ2 is notnull Similarly if Σ1 is not null we call it as 3-DOSC scheme

42 Confidentiality As for confidentiality we define theindistinguishability against insider-chosen ciphertext attacks(or insider-chosen plaintext attacks) in the dynamic mul-tiuser model based on the same notion for standard (ienondivisible) signcryption [19] As with the in-distinguishability of MDO encryption [14] we introduce thelevel of ciphertext divisibility k to express the followingthree distinct situations (k 1) all the ciphertext Σ1 Σ2 andΣ3 are made public at the same time (k 2) Σ1 and Σ2 aremade public at the same time then Σ3 is published (k 3)Σ1 Σ2 and Σ3 are made public one by one Notice that thecase of k 1 is covered by the standard dM-IND-iCCAnotion for signcryptions [19] whereas the case of k 2 3corresponds to the incremental sending situation of MDOcryptography Adversaries in the latter situations have morecapabilities for example the adversary in the case of k 3can choose the target recipient after observing Σ1 and canchoose challenge messages (m0 m1) after knowing Σ2 as wellas Σ1 Our definition captures these types of adversariesusing three signcryption oracles

Definition 5 Let k isin 1 2 3 and n q isin N Let DOSC be aMDOSC scheme and let A be an adversary e(k n q)-dM-IND-iCCA-advantage of A against DOSC isdefined as

Adv(knq)-dM-IND-iCCADOSC (A) 2Pr G

(knq)-dM-IND-iCCADOSC (A) 11113960 1113961 minus 1

11138681113868111386811138681113868

11138681113868111386811138681113868

(5)

where attack game G(knq)-dM-IND-iCCADOSC is defined in Figure 5

We say that DOSC is (t qd ϵ)-(k n q)-dM-IND-iCCA-secure if Adv(knq)-dM-IND-iCCA

DOSC (A)le ϵ holds for any ad-versaryA that runs in time t andmakes at most qd queries tothe oracle unsc


Figure 4 Construction of DOTKBMW

Figure 5 Attack game defining (k n q)-dM-IND-iCCA security


In addition the (k n q)-dM-IND-iCPA-advantage ofAagainst DOSC is defined in a similar fashion with(k n q)-dM-IND-iCCA-advantage except that the adver-sary has no access to oracle unsc ie qd 0 in gameG

(knq)-dM-IND-iCPADOSC

43 Unforgeability As for unforgeability we define the(strong) unforgeability against insider chosen-message at-tacks in the dynamic multiuser model Similar to the con-fidentiality notion we use the level k of divisibility to expressthe three distinct situations Note that the case of k 1 isequivalent to the standard dM-sUF-iCMA for signcryptions[19]e adversary in the case of k 3 can take more flexiblestrategy it can decide the target recipient key pkR afterobserving Σ1 and can query the signcryption oracle with amessage m after knowing Σ2 as well as Σ1

Definition 6 Let k isin 1 2 3 and n q isin N Let X isin UF

sUF Let DOSC be a MDOSC scheme and let A be anadversary e (k n)-dM-X-iCMA-advantage of A againstDOSC is defined as

Adv(kn)-dM-X-iCMADOSC (A) Pr G

(kn)-dM-X-iCMADOSC (A) 11113960 1113961

(6)

where the attack game G(kn)-dM-X-iCMADOSC is defined in

Figure 6We say that DOSC is (t qs ϵ)-(k n)-dM-X-iCMA-

secure if Adv(kn)-dM-X-iCMADOSC (A)le ϵ holds for any adversary

A that runs in time t

5 Relations between SecurityNotions for MDOSCs

In this section we clarify the relations between the securitynotions defined in the previous section in terms of confi-dentiality and unforgeability e result is summarized inFigure 7 where (k n q) denotes the notion of (k n q)

-dM-IND-iCCA-security in the left-hand side whereas(k n) denotes the notion of (k n)-dM-sUF-iCMA-securityin the right-hand side Note that for any k kprime isin 1 2 3 n nprime isin N and q qprime isin N such that kge kprime nge nprime and qge qprimeour (k n q)-dM-IND-iCCA trivially implies (kprime nprime qprime)-dM-IND-iCCA and (k n q)-dM- IND-iCPA Similarly (k n)-dM-sUF-iCMA trivially implies (kprime nprime)-dM-sUF-iCMA and(k n)-dM-UF-iCMA

51 Confidentiality e following two theorems say that forany k isin 1 2 3 (k 1 1)-dM-IND-iCCA-security implies(k n q)-dM-IND-iCCA-security with reduction loss poly-nomial in the number n of receivers as well as the number qof challenge queries

Theorem 1 (( 1 2 1 1)-iCCA⟶ ( 1 2 n q)-iCCA)For k isin 1 2 assume a k-DOSC scheme DOSC is(tprime qd ϵ)-(k 1 1)-dM-IND-iCCA-secure en DOSC is

also (t qd nqϵ)-(k n q)-dM-IND-iCCA-secure where t

tprime minus O(nq)

Using the hybrid argument in a similar fashion with [20]we can easily obtain the proof of eorem 1

As for the case of k 3 the hybrid argument cannot betrivially applied due to the difficulty of the simulation oforacle sc1 in (3 n q)-dM-IND-iCCA which is called nq

times using oracle sc1lowast in (3 1 1)-dM-IND-iCCA whichcan be called only once Responding to the adversaryrsquos queryto sc1 with Σ(j)

1 the simulator for (3 n q)-dM-IND-iCCAfirst chooses (ilowast qlowast) isin [n] times [q] and uses its given singlepublic key pklowast as a key pkilowast of the user ilowast en the sim-ulator uses its given oracle access to sc1lowast in(3 1 1)-dM-IND-iCCA if Σ(j)

1 will be used for the qlowast-thquery related to the target user ilowast whereas it computes Σ(j)

1by the simulator itself otherwise Here the simulator has toguess whether Σ(j)

1 will be used for the qlowast-th challenge queryto ilowast before a subsequent invocation of sc2 To overcome thisissue we use a naive guessing approach and obtain thefollowing reduction

Theorem 2 ((3 1 1)-iCCA⟶ (3 n q)-iCCA) Assume a3-DOSC scheme DOSC is (tprime qd ϵ)-(3 1 1)-dM-IND-iCCA-secure en DOSC is also (t qd n2q2ϵ)-(3 n q)

-dM-IND-iCCA-secure where t tprime minus O(nq)

e proof is given in Appendix B1

Remark 1 We can apply the above argument to themultidivisible onlineoffline encryptions (MDOEs) to get asame polynomial reduction from (3 1 1)-CCA to(3 n q)-CCA for MDOEs e obtained reduction is sig-nificantly tighter than the previous one shown in [14] whereonly superpolynomial one was provided

Next we show that (2 1 1)-dM-IND-iCCA-securityimplies (3 1 1)-dM-IND-iCCA-security as follows

Theorem 3 ((2 1 1)-iCCA⟹ (3 1 1)-iCCA) Assume a3-DOSC scheme DOSC is (t qd ϵ)-(2 1 1)-dM-IND-iCCA-secure en DOSC is also (t qd ϵ)-(3 1 1)-dM-IND-iCCA-secure

Proof In the single-user setting ie n 1 the adversaryhas no choice of the recipient i when it invokes oraclesc2(j i) Hence the successive invocations of sc1(skS pkS)and sc2(j i) in (3 1 1)-dM-IND-iCCA game is essentiallyequivalent to the invocation of the oracle sc12(skS pkS i) in(2 1 1)-dM-IND-iCCA

Finally we show the separation between (1 middot middot)

-dM-IND-iCCA and (2 middot middot)-dM-IND-iCCA Specifically weprovide a (1 1 1)-dM-IND-iCCA-secure but not (2 1 1)

-dM-IND-iCCA-secure 3-DOSC scheme 3DOSCR as anevidence of the separation Scheme 3DOSCR is described inFigure 8

Theorem 4 ((1 1 1)-iCCA↛(2 1 1)-iCPA) Assume thereexists a (divisible) onlineoffline tag-based KEMDOTK that is(1 1 1)-IND-tag-CCA-secure a smooth divisible online


Figure 6 Attack game defining (k n)-dM-X-iCMA security Boxed parts are evaluated only in sUF game

(3 1 1) n2q2Th 2

(3 n q)

(2 1 1) nqTh 1

Th 3

(2 n q)

(1 1 1) nqTh 1

minusTh 4

(1 n q)

(k n q)-dM-IND-iCCA

(3 1) nTh 5

(3 n)

(2 1) nTh 5

minusTh 6

(2 n)

(1 1) nTh 5

minusTh 6

(1 n)

(k n)-dM-sUF-iCMA

Figure 7 Implications and separations between the security notions for MDOSCs In the left-hand side ldquo(k n q)⟶ (kprime 3nprime qprime)rdquo withoverlapped X denotes that (k n q)-dM-IND-iCCA-security implies (kprime nprime qprime)-dM-IND-iCCA-security with reductionrsquos loss X while the dottedarrow denotes that (k n q)-dM-IND-iCCA-security does not necessarily imply (kprime nprime qprime)-dM-IND-iCCA-security e ones for(k n)-dM-sUF-iCMA are similarly represented in the right-hand side


offline signature scheme DOS and a IND-OTCCA-secureDEM DEM where KEMK DEMK en there exists a3-DOSC scheme 3DOSCR which is secure in the sense of(1 1 1)-dM-IND-iCCA but which is not secure in the sense of(2 1 1)-dM-IND-iCCA


52 Unforgeability First we show the following implica-tions with regard to the number of senders

Theorem 5 (( 1 2 3 1)-sUF⟶ ( 1 2 3 n)-sUF) Fork isin 1 2 3 if a k-DOSC scheme DOSC is (tprime q ϵ)-(k 1)-dM-sUF-iCMA-secure then DOSC is also (t q nϵ)-(k n)-dM-sUF-iCMA-secure where t tprime minus O(nq)

Proof e adversary attacking (k 1)-dM-sUF-iCMA cansimulate signcryption oracles for the adversary attacking(k n)-dM-sUF-iCMA using its given oracles (for the singletarget sender) as well as its generating n-1 sender key pairsContrary to the confidentiality notions note that the firstsigncryption oracle sc1 has the sender index i as its input sothat its simulation can be done without any guessing

Next we show separations among (k middot)-dM-sUF-iCMAfor k isin 1 2 3

Theorem 6 ((1 1)-sUF↛ (2 1)-sUF⟶ (3 1)-sUF) As-sume there exists a (2 1)-sUF-CMA-secure and smooth DOSen there exists 3-DOSC schemes 3DOSCS1 and 3DOSCS2such that the former is secure in the sense of(1 1)-dM-sUF-iCMA but which is not secure in the sense of

Figure 8 Constructions of 3DOSCR 3DOSCS1 and 3DOSCS2 used to proveeorem 4 andeorem 6 Boxed parts with superscript X areevaluated only in 3DOSCX


(2 1)-dM-UF-iCMA whereas the latter is secure in the senseof (2 1)-dM-sUF-iCMA but which is not secure in the sense of(3 1)-dM-UF-iCMA

Proof (sketch) 3DOSCS1 and 3DOSCS2 are described inFigure 8 In order to show that 3DOSCS1 (or 3DOSCS2) isnot (2 1)-dM-UF-iCMA-secure (or (3 1)-dM-UF-iCMA-secure) we construct adversary A1 (or A2) shown in Fig-ure 9 Note that oracle sc3 (or sc2) always generates dlowastS skSas an answer to the query m σlowast1 so that A can output anyforgery using skS

On the other hand we can show that 3DOSCS1 (or3DOSCS2) is (1 1)-dM-sUF-iCMA-secure (or (2 1)-dM-sUF-iCMA-secure) in a similar fashion with the proof ofeorem 8 shown later

6 MDOSC Construction

In this section we provide a generic construction ofMDOSCwith security proofs and compare it with previous sign-cryption schemes

Using a (divisible) onlineoffline tag-based KEM a di-visible onlineoffline signature scheme and a DEM asbuilding blocks we can derive 3-DOSC scheme 3DOSC3DOSC is described in Figure 8 without all boxed parts

61 Security e following theorems guarantee the securityof our construction

Theorem 7 (3DOSC is (2 1 1)-iCCA-secure) If DOTK is(tprime qdprime ϵDOTK)-(1 1 1)-IND-tag-CCA-secure and DEM is

(tprime qdprime ϵDEM)-IND-P0-C2-secure then 3DOSC is (t qd ϵ)-

(2 1 1)-dM-IND-iCCA-secure where t tprime minus O(qd) qd

qdprime and ϵ 2ϵDOTK + ϵDEM

We can prove this theorem in a similar fashion with theproof of Lemma B2 described in Appendix B2

Theorem 8 (3DOSC is (3 1)-sUF-secure) If DOS is(tprime qprime ϵprime)-(2 1)-sUF-CMA-secure and DEM is one-to-onethen 3DOSC is (t q ϵ)-(3 1)-dM-sUF- iCMA-secure wheret tprime minus O(q) q qprime and ϵ ϵprime

Proof Assume we have a t-time adversary A that makes atmost q queries to oracles sc1 sc2 and sc3 in order to break(3 1)-dM-sUF-iCMA security of 3DOSC We will constructadversary B exploiting A as a black box to attack(2 1)-sUF-CMA security of DOS For any A we will showthe following relation holds

Adv(31)-dM-sUF-iCMA3DOSC (A)leAdv(21)-sUF-CMA

DOS (B) (7)

In order to prove equation (1) we use G0 and G1 de-scribed in Figure 10 As with the proof of Lemma B2 wesimplify the game description by omitting or modifying thestatements and the variables that play no role when n 1

Game G0 is equivalent to the original attack game playedby A against 3DOSC Hence we have

Pr G(31)-dM-sUF-iCMA3DOSC (A) 11113960 1113961 Pr G0(A) 11113858 1113859 (8)

Game G1 is identical to G0 except the following com-putations of DOSsign1 and DOSsign2 are replaced byoracle invocations of sign1 and sign2 respectively one of thewinning condition v2 is replaced by v2prime Note that sign1sign2 and v2prime are exactly the ones in G

(21)-sUF-CMADOS described

in Figure 2Oracles sign1 and sign2 here can be used to simulate the

original behavior of G0 so thatArsquos views in these two gamesare equivalent

In addition we claim that v2 1 implies v2prime 1 Let usassume v2prime 0 ie there exists some jlowast such that(pk(jlowast)

R C(jlowast)1 C

(jlowast)2 m(jlowast) σ(jlowast)

1 σ(jlowast)2 ) equals to (pklowastR Clowast1 Clowast2

mlowast σlowast1 σlowast2 ) en K(jlowast) Klowast also holds because of thecorrectness property of DOTK Furthermore C

(jlowast)3 Clowast3

also holds because

Cjlowast( )

3 DEMenc λ D Kjlowast( ) σ jlowast( )

2 mjlowast( )1113874 11138751113874 1113875

DEMenc λ D Klowast σlowast2 m

lowast( 1113857( 1113857

Clowast3

(9)

where the second equality follows from one-to-one propertyof DEM Hence v2 0 holds since we now have jprime such that(pk(jlowast)

R m(jlowast) (C(jlowast)1 σ(jlowast)

1 ) C(jlowast)2 C

(jlowast)3 ) equals to (pklowastR mlowast

(Clowast1 σlowast1 ) Clowast2 Clowast3 )erefore it follows that

Pr G0(A) 11113858 1113859le Pr G1(A) 11113858 1113859 (10)

We now construct adversary B satisfies the followingrelation

Pr G1(A) 11113858 1113859 Adv(21)-sUF-CMADOS (B) (11)

e description of adversary B is shown in Figure 11We can see adversaryBmakes at most q queries to sign1 aswell as sign2 and its running time tprime t + O(q) It is easy toverify thatArsquos view in G

(21)-sUF-CMADOS (B) is equivalent to the

one in G1 so that the above relation holdsIn summary we now have equation (1) Combining it

with the assumptions that DOS is (tprime qprime ϵprime)-(2 1)-sUF-CMA-secure we have Adv(31)-dM-sUF-iCMA

3DOSC (A)le ϵprime whichimplies that 3DOSC is (t q ϵ)-(3 1)-dM-sUF-iCMA-securefor ϵ ϵprime as desired

From eorems 2 3 and 5 it follows that 3DOSC hasthe strongest security in the sense of both confidentiality andunforgeability

Corollary 1 (3DOSC is (3 n q)-iCCA-secure) SupposeDOTK is (tprime qd

prime ϵDOTK)(1 1 1)-IND-tag-CCA-secure andDEM is (tprime qd

prime ϵDEM)-IND-P0-C2-secure en 3DOSC is(t qd ϵ)-(3 n q)-dM-IND-iCCA-secure where t tprime minus O

(qd) qd qdprime and ϵ 2n2q2ϵDOTK +n2q2ϵDEM


Figure 9 Description of adversary A1 (or A2) attacking (2 1)-dM-sUF-iCMA (or (3 1)-dM-sUF-iCMA) security of 3DOSCS1 (or3DOSCS2)

Figure 10 Games G0 and G1 for proving (3 1)-dM-sUF-iCMA security of 3DOSC Codes in boxes with superscript X are evaluated only ingame GX


Corollary 2 (3DOSC is (3 n)-sUF-secure) Suppose DOS is(tprime qprime ϵprime)(2 1)-sUF-CMA-secure and DEM is one-to-oneen 3DOSC is (t q ϵ)(3 n)-dM-sUF-iCMA-secure wheret tprime minus O(q) q qprime and ϵ nϵprime

62Comparison In Tables 1 and 2 we present a comparisonof our 3DOSC construction with previous signcryptionconstructions in various viewpoints Here we consider thefollowing three signcryption schemes (including ours) thatsatisfy the strongest notions of insider security in themultiuser setting without relying on random oracles

CMSM the standard (ie not onlineoffline) sign-cryption scheme proposed by Chiba et al [21] thatconsists of TBKEM digital signature and DEM Herewe instantiate it with TBKEMtBMW1 TBKEM obtainedfrom the PKE scheme by Boyen et al [18] and Boneh-Boyen signature scheme DSBB [22]GIESC the incrementally executable signcryptionscheme [12] that consists of TBKEM digital signatureone-time signature and DEM Here we instantiate itwith TBKEMtBMW1 DSBB and the specific DL-basedone-time signature scheme OTSM [23]3DOSC our proposed MDOSC described in Figure 8without all boxed parts which consists of DOTK DOSand DEM Here we instantiate it with DOTKBMW aconcrete (1 1)-IND-tag-CCA-secure DOTK describedin Section 33 and the concrete DOS DOSGWXT pro-posed by Gao et al [4]

Note that we do not specify any instance of DEM sincethe selection of DEM does not cause the efficiency differencein the comparison

Computational costs are measured in the same way as[21] that is [a b c] denotes a exponentiations b multi-exponentiations and c pairing computations andW denotescomputation of the Waters hash [24] Other computationaloverhead caused by multiplications hash functions andsymmetric key primitives are ignored

In terms of storage and ciphertext size |G| and |GT|

denote the size of a bilinear group element from G and GTrespectively Similarly |Zp| denotes the size of a group el-ement of Zp whereas |H| denotes the output length oftarget-collision resistant hash function e appended nu-merical values are instance bit-length of storage and ci-phertext when we assume |G| |Zp| |H| 160 bits and|GT| 1024 bits to achieve 80-bit security We also assume|m| 80 to capture typical IoTuse cases where messages sentby IoT devices are significantly shorter than other cases

Our construction exploits the multidivisible feature ef-fectively to achieve both the shortest ciphertext size and theleast computational cost in the phase 3 (ie online phase)With our DOSC the expensive encryption processDOTKenc1 can also be performed in the phase 1 (ie beforebeing given the recipientrsquos public key) whereas it can be onlyin the phase 2 (ie after being given the recipientrsquos publickey) with GIESC All the advantages enable lightweight IoTdevices to transmit confidential as well as authenticatedmessages to the recipient devices in IoTapplication scenariosas described in Section 1

Figure 11 Description of adversary B attacking (2 1)-sUF-CMA security of DOS

Table 1 Comparison regarding computational cost

CMSM [21] GIESC [12] Ours 3DOSC

Phase 1 sc1 with skS and pkSOperation mdash DSBBsign DOSGWXTsign1

OTSMgen DOTKBMWenc1Computational cost mdash [3 2 0] [2 2 0]

Phase 2 sc2 with pkROperation mdash TBKEMtBMW1enc DOTKBMWenc2Computational cost mdash [3 0 0] + W [1 0 0]

Phase 3 sc3 with m

OperationTBKEMtBMW1enc OTSMsign DOSGWXTsign2

DSBBsign DEMenc DEMencDEMenc

Computational cost [4 0 0] + W [0 0 0] [0 0 0]


7 Conclusions

We presented a general concept of multidivisible onlineoffline cryptography (MDO cryptography) which covers theprevious works including onlineoffline cryptographicschemes divisible onlineoffline signatures incrementallyexecutable signcryptions and multidivisible onlineofflineencryptions We then presented the notion of multidivisibleonlineoffline signcryptions (MDOSCs) as novel applicationof MDO cryptography We defined several security notionsfor MDOSCs and show implications and separations be-tween these security notions We also presented a genericconstruction of MDOSC that achieves the strongest securitynotions with regard to confidentiality and unforgeabilityMDOSC schemes allow the computationally restricted andor bandwidth-restricted devices to transmit signed cipher-texts with low computational overhead andor low-band-width network

Appendix

A Data Encapsulation Mechanism

A data encapsulation mechanism (DEM) consists of thefollowing algorithms

init( )⟶ λ (the public parameter generation algo-rithm) it outputs public parameters λ to be used byall parties Public parameters λ contains a de-scription of the key space DEMK which is usually

identical to KEMK We will generally assume thatall algorithms take λ as an implicit input even if it isnot explicitly statedenc(λ K m)⟶ C (the encryption algorithm) it takesas input the private key K isin DEMK and a messagemfrom the associated message space and outputs a ci-phertext Cdec(λ K C)⟶ m (the deterministic decryption al-gorithm) it takes as input the private key K isin DEMKand a ciphertext C and outputs either a message m oran error symbol perp

We require the correctness for DEM namely for anyλ⟵DEMinit( ) any K isin DEMK and any m we haveDEMdec(λ KDEMenc(λ K m)) m

A DEMDEM is said to be one-to-one if for any K C andCprime DEMdec(K C) DEMdec(K Cprime)neperp implies C CprimeIn other words for any given K and m there is at most oneciphertext C such that DEMdec(K C) m As described in[25] this property is quite natural for a large number ofDEMs

We recall the security notion of indistinguishabilityagainst one-time chosen ciphertext attacks IND-OTCCAand its stronger variant IND-P0-C2 e former is definedin [26] whereas the latter is defined in [27] e decryptionoracle in IND-OTCCA game can be accessed only after theadversary obtains the challenge ciphertext whereas the onein IND-P0-C2 does not have such restriction

Let X isin IND-OTCCA IND-P0-C2 e X-advantageof A against DEM is defined as

Table 2 Comparison regarding storage and ciphertext size

CMSM [21] GIESC [12] Ours 3DOSCPhase 1 sc1 with skS and pkSCiphertext size |Σ1| mdash mdash 3|G| + |Zp| 640Phase 2 sc2 with pkRStorage size |φ1| mdash 4|G| + 5|Zp| + 2|H| 1760 2|Zp| 320Ciphertext size |Σ2| mdash mdash mdashPhase 3 sc3 with mStorage size |φ2| mdash 6|G| + 5|Zp| + 2|H| + |GT| 3104 |GT| + |Zp| 1184Ciphertext size |Σ3| 3|G| + |Zp| + |m| 720 6|G| + 3|Zp| + |H| + |m| 1680 2|Zp| + |m| 400

Figure 12 Attack game for defining IND-OTCCA and IND-P0-C2 security for DEM Note that X isin IND-OTCCA IND-P0-C2 Boxedparts are evaluated only in IND-OTCCA


AdvXDEM(A) Pr G

XDEM(A 0) 11113960 1113961 minus Pr G

XDEM(A 1) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

(A1)

where the attack game GXDEM is defined in Figure 12 We say

that DEM is (t q ϵ)-X-secure if AdvXDEM(A)le ε holds for

any adversary A that runs in time t and makes at most qqueries to the oracle DEM_dec

B Proofs of Theorems

B1 Proof of eorem 2 Assume we have a t-time adversaryA that takes n receiversrsquo public keys makes at most nq

queries to sc1 makes at most q queries per receiver to sc2makes at most nq queries to sc3 and makes at most q d

queries to unsc in order to break (3 n q)-dM-IND-iCCAsecurity of DOSCen we will construct a tprime-time adversaryB that takes a single receiverrsquos public key makes only onequery to sc1 makes only one query to sc2 makes only onequery to sc3 makes at most qd queries to unsc and exploitsAas a black box to attack the (3 1 1)-dM-IND-iCCA securityof DOSC For any A we will show the following relationholds

Adv(3nq)-dM-IND-iCCADOSC (A)le n

2q2Adv(311)-dM-IND-iCCA

DOSC (B)

(B2)

In order to prove equation (B2) we use the gamesequence Gu

l where l isin [0 nq] and u isin [0 1] shown inFigure 13 Our proof is via a hybrid argument in a similarfashion with [20] We can see that theArsquos view in game G0

0

is equivalent to the one in G(3nq)-dM-IND-iCCADOSC (A) with

b 0 while the one in game G0nq is equivalent to the one in

G(3nq)-dM-IND-iCCADOSC (A) with b 1 us we have

Adv(3nq)-dM-IND-iCCADOSC (A)

Pr G00(A) 11113960 1113961 minus Pr G

0nq(A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

1113944lisin[nq]

Pr G0l-1(A) 11113960 1113961 minus Pr G

0l (A) 11113960 11139611113872 1113873

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

(B3)

Let GD ul denote the event that game Gu

l does not set badto true Similarly we let BD u

l denote the event that game Gul

sets bad to true We can see that GD 0l is independent ofArsquos

output Hence for any l isin [0 nq] it follows that

Pr G0l (A) 11113960 1113961 Pr G

0l (A) 1andGD

0l1113960 1113961Pr GD

0l1113960 1113961

nqPr G0l (A) 1andGD

0l1113960 1113961

(B4)

e second equality holds because GD 0l is equivalent to

the event that (i(jprime) ctr(jprime)) (ilowast qlowast) where the choice ofjprime⟵ $[nq] is independent of Arsquos view

Game G1l is the same as G0

l except that when bad is set totrue game G1

l outputs a random bit blowast and halts in themiddle of sc2 invocation Game G0

l and G1l are identical-

until-bad so that for any l isin [0 nq] we have

Pr G0l (A) 1andGD

0l1113960 1113961

Pr G1l (A) 1andGD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus Pr G

1l (A) 1andBD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus

12Pr BD

1l1113960 1113961

(B5)

e last equality holds because if BD occurs then theoutput of game G1

l is a random bitWe now show how to construct adversaryB e attack

game defining (3 1 1)-dM-IND-iCCA of DOSC and thedescription of adversary B against it are described in Fig-ure 14 Note that oracle sc1lowast sc2lowast sc3lowast and unsclowast inG

(311)-dM-IND-iCCADOSC (B b) are simplified but equivalent

versions of sc1 sc2 sc3 and unsc respectively We can seeadversaryBmakes one query to sc1lowast one query to sc2lowast onequery to sc3lowast and at most qd queries to unsclowast and its runningtime tprime t + O(nq) In addition for any l isin [nq] we can seethat theArsquos view in game G

(311)-dM-IND-iCCADOSC (B) with lprime l

as well as b 0 (or b 1) is identical to the one in gameG1

l-1(A) (or G1l (A)) erefore for any l isin [nq] it follows

that

Pr G1l minus 1(A) 11113960 1113961 minus Pr G

1l (A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

2Pr G(311)-dM-IND-iCCADOSC (B) 1 lprime

1113868111386811138681113868 l1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868

(B6)

Combining equation (B3) with the above equationequation (B2) holds as follows


le nq 1113944lisin[nq]


1113868111386811138681113868 l1113960 1113961 minus 1

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

le n2q2 2Pr G

(311)-dM-IND-iCCADOSC (B) 11113960 1113961 minus 1

11138681113868111386811138681113868

11138681113868111386811138681113868

le n2q2Adv(311)-dM-IND-iCCA

DOSC (B)

(B7)

Combining equation (B2) with the assumptions thatDOSC is (tprime qd ϵ)-(3 1 1)-dM-IND-iCCA-secure we haveAdv(3nq)-dM-IND-iCCA

DOSC (A)le n2q2ϵprime which implies thatDOSC is (t qd n2q2ϵ)-(3 1 1)-dM-IND-iCCA-secure asdesired is completes the proof of eorem 2

B2 Proof of eorem 4 We first show that 3DOSCR is not(2 1 1)-dM-IND-iCCA-secure as the following lemma

Lemma B1 (3DOSCR is not (2 1 1)-iCPA-secure) İereexists an adversary against (2 1 1)-dM-IND-iCPA securityof 3DOSCR which has advantage one

Proof We show the description of adversaryA against it inFigure 15


Figure 13 Game sequence for proving (3 n q)-dM-IND-iCCA security of DOSC Codes in boxes with superscript X are evaluated only ingame GX

l or adversary X


In game G(211)-dM-IND-iCPA3DOSCR

(A) when b 1 oracle sc3always generates dlowastR 1 as an answer to the querym1 σlowast1 sothat A outputs 1 with probability one On the other handwhen b 0 oracle sc3 always generates dlowastR 1 as an answerto the query m0 ne σlowast1 so that A outputs 0 with probabilityone Hence advantage Adv(211)-dM-IND-iCPA

3DOSCR(A) equals to 1

Note that this attack is CPA because adversary A does notneed the unsigncryption oracle at all

Next we show that 3DOSCR is (1 1 1)-dM-IND-iCCA-secure as the following lemma

Lemma B2 (3DOSCR is (1 1 1)-iCCA-secure) SupposeDOTK is (tprime q d

prime ϵDOTK)-(1 1 1)-IND-tag-CCA-secure DOS

is ϵSMTH-smooth and DEM is (tprime qdprime ϵDEM)-IND-

OTCCA-secure en 3DOSCR is (t qd ϵ)-(1 1 1)-dM-IND-iCCA-secure where t tprime-O(qd) qd qd

prime and ϵ 2ϵDOTK + 4ϵSMTH + ϵDEM

Proof Assume we have a t-time adversary A that makes atmost q d queries to unsc in order to break (1 1 1)-dM-IND-iCCA security of 3DOSCR We will construct twoadversariesB andC that exploitA as a black box whereBattacks the (1 1 1)-IND-tag-CCA security of DOTK and C

attacks the IND-OTCCA security of DEM For any A wewill show the following relation holds

Adv(111)-dM-IND-iCCA3DOSCR

(A)le 2Adv(111)-IND-tag-CCADOTK (B) + 4SmthDOS + AdvIND-OTCCADEM (C) (B8)

Figure 14 Attack game for defining (3 1 1)-dM-IND-iCCA security of DOSC and description of adversary B against it

Figure 15 Description of adversary A attacking (2 1 1)-dM-IND-iCPA-security of 3DOSCR


In order to prove equation (B8) we describe a gamesequence in Figure 16 Note that we simplify the gamedescription by omitting or modifying the statements and thevariables that play no role when n q 1 In particular we

replace the superscript middot(j) by middotlowast since j is fixed in the gamewhen n q 1 Similarly the public key pkRi is fixed to pk

lowastR

Game G0 is equivalent to the original attack game playedby A against 3DOSCR Hence we have

Figure 16 Game sequence for proving (1 1 1)-dM-IND-iCCA security of 3DOSCR Codes in boxes with superscript X are evaluated onlyin game GX or adversary X whereas ones in a box with X are not evaluated in game GX nor adversary X


Pr G(111)-dM-IND-iCCA3DOSCR

(A) 11113960 1113961 Pr G0(A) 11113858 1113859 (B9)

Game G1 behaves just like G0 except that unsc skips thedecryption process of DOTKdec and directly decrypts(C1 C2) using Klowast when (pkS σ1 C1 C2) (pklowastS σlowast1 Clowast1 Clowast2 )

holds is modification does not change the view of Abecause when (φlowastR1 Clowast1 )⟵DOTKenc1(λK (pklowastS σlowast1 )) and(Klowast Clowast2 )⟵DOTKenc2(φlowastR1 pk

lowastR) it follows that

DOTKdec(λK sklowastR (pklowastS σlowast1 ) Clowast1 Clowast2 ) Klowast from the cor-rectness property of DOTK erefore we have

Pr G0(A) 11113858 1113859 Pr G1(A) 11113858 1113859 (B10)

Game G2 is the same as G1 except that Klowast is replaced byKlowast0 which is uniformly chosen from DOTKK DEMK

rather than generated by DOTKenc2 We now constructadversary B satisfies the following relation

Pr G1(A) 11113858 1113859-Pr G2(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868leAdv(111)-IND-tag-CCADOTK (B)

(B11)

We show the attack game defining (1 1 1)-IND-tag-CCA of DOTK and the description of adversaryBagainst it in Figure 17 We can see adversary B makes atmost qd queries to DOTK_dec and its running timetprime t + O(qd) It is easy to verify that Arsquos view inG

(111)-IND-tag-CCADOTK (B) is equivalent to the one in G1 (or G2)

with 1113954b 1 (or 1113954b 0) Hence we have

Pr G1(A) 11113858 1113859 minus Pr G2(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868

Pr blowast

b | 1113954b 11113960 1113961 minus 1 minus Pr blowast ne b | 1113954b 01113960 11139611113872 1113873

11138681113868111386811138681113868

11138681113868111386811138681113868

11138681113868111386811138681113868

2Pr blowast

b( 1113857 1113954b1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868

2Pr G(111)-IND-tag-CCADOTK (B) 11113876 1113877 minus 1

1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868

Adv(111)-IND-tag-CCADOTK (B)

(B12)

where the underlying probability spaces in the second andthe third equalities are defined as G

(111)-IND-tag-CCADO TK (B)

Note that adversary B can replace all executions ofDOTK_dec by the oracle invocation of DOTK_dec since((pklowastS σlowast1 ) Clowast1 Clowast2 ) is never queried to DOTK_dec in gameG2

Game G3 is identical to G2 except that we omit theconditional assignment of dlowastR⟵ 1 if mlowastb σlowast1 Note thatadversary A cannot see σlowast1 before she determines (mlowast0 mlowast1 )

so that the probability of the event mlowastb σlowast1 only depends onthe distribution of σlowast1 Because of the smoothness of DOSthe following relation holds

Pr G2(A) 11113858 1113859 minus Pr G3(A) 11113858 11138591113868111386811138681113868

11138681113868111386811138681113868111386811138681113868le Pr m

lowastb σlowast11113858 1113859

le SmthDOS(B13)

Game G4 is identical to G3 except for omitting theconditional return statement in unsc As with the aboveargument we have

Pr G3(A) 11113858 1113859 minus Pr G4(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868le SmthDOS (B14)

We now construct adversary C satisfies the followingrelation

Pr G4(A) 11113858 1113859 Pr GIND-OTCCADEM (C) 11113960 1113961 (B15)

We show the attack game defining IND-OTCCA ofDEM and the description of adversary C against it inFigure 18 We can see adversaryCmakes at most qd queriesto DEM_dec and its running time tprime t + O(qd) It is nothard to verify that GIND-OTCCA

DEM (C) is equivalent to G4(A)which implies the above equation Note that if(pkS σ1 C1) (pklowastS σlowast1 Clowast1 ) holds in unsc then C2 neClowast2always holds Hence Clowast2 is never queried to DEM_dec ingame G3 so that adversary C can replace all executions ofDEMdec by the invocations of oracle DEM_dec

In summary equation (B8) holds as follows

Figure 17 Attack game defining (1 1 1)-IND-tag-CCA security of DOTK and description of adversary B against it



(A)

2 Pr G(111)-dM-IND-iCCA3DOSCR

(A) 11113960 1113961 minus 1211138681113868111386811138681113868

11138681113868111386811138681113868

2 Pr G0(A) 11113858 1113859 minus 121113868111386811138681113868

1113868111386811138681113868

le 2 11139440leile3

Pr Gi(A) 11113858 1113859 minus Pr Gi+1(A) 11113858 11138591113868111386811138681113868

11138681113868111386811138681113868111386811138681113868 + 2 Pr G3(A) 11113858 1113859 minus 12

11138681113868111386811138681113868111386811138681113868

le 2Adv(111)-IND-tag-CCADOTK (B) + 4SmthDOS + AdvIND-OTCCADEM (C)

(B16)

Combining equation (B8) with the assumptions thatDOTK is (tprime qd

prime ϵDOTK)-(1 1 1)-IND-tag-CCA-secureDOS is ϵSMTH-smooth and DEM is (tprime qd

prime ϵDEM)

-IND-OTCCA-secure we have Adv(111)-dM-IND-iCCA3DOSCR

(A)le2ϵDOTK + 4ϵSMTH + ϵDEM which implies that 3DOSCR is(t qd ϵ)-(1 1 1)-dM-IND-iCCA-secure for ϵ 2ϵDOTK+ 4ϵSMTH + ϵDEM as desired is completes the proof ofLemma B2

Combined with Lemma B1 and Lemma B2 the proof ofeorem 4 is completed

Data Availability

All the pseudocodes used to support the findings of thisstudy are included within the article

Conflicts of Interest

e authors declare that there are no conflicts of interestregarding the publication of this article

References

[1] D Catalano M Di Raimondo D Fiore and R GennaroldquoOff-lineon-line signatures theoretical aspects and experi-mental resultsrdquo in Public Key CryptographymdashPKC 2008(LNCS) R Cramer Ed vol 4939 pp 101ndash120 SpringerHeidelberg Germany 2008

[2] S Even O Goldreich and S Micali ldquoOn-lineoff-line digitalschemesrdquo in Advances in CryptologymdashCRYPTO rsquo89 Pro-ceedings (LNCS) G Brassard Ed vol 435 pp 263ndash275Springer Heidelberg Germany 1990

[3] S Even O Goldreich and S Micali ldquoOn-lineoff-line digitalsignaturesrdquo Journal of Cryptology vol 9 no 1 pp 35ndash671996

[4] C Gao BWei D Xie and C Tang ldquoDivisible on-lineoff-linesignaturesrdquo in Topics in CryptologymdashCT-RSA 2009 (LNCS)M Fischlin Ed vol 5473 pp 148ndash163 Springer HeidelbergGermany 2009

[5] S S M Chow J K Liu and J Zhou ldquoIdentity-based onlineoffline key encapsulation and encryptionrdquo in Proceedings ofthe 6th ACM Symposium on Information Computer andCommunications SecuritymdashASIACCS rsquo11 B S N CheungL C K Hui R S Sandhu and D S Wong Eds pp 52ndash60ACM Press Hong Kong China March 2011

[6] F Guo Y Mu and Z Chen ldquoIdentity-based onlineofflineencryptionrdquo in Financial Cryptography and Data SecurityG Tsudik Ed vol 5143 pp 247ndash261 Springer HeidelbergGermany 2008

[7] J Lai Y Mu F Guo andW Susilo ldquoImproved identity-basedonlineoffline encryptionrdquo in Information Security and Pri-vacy E Foo and D Stebila Eds vol 9144 pp 160ndash173Springer Heidelberg Germany 2015

[8] J K Liu and J Zhou ldquoAn efficient identity-based onlineoffline encryption schemerdquo in Applied Cryptography andNetwork Security (LNCS) M Abdalla D PointchevalP A Fouque and D Vergnaud Eds vol 5536 pp 156ndash167SpringerHeidelberg Germany 2009

[9] J K Liu J Baek and J Zhou ldquoOnlineoffline identity-basedsigncryption revisitedrdquo in Information Security and Cryptolo-gymdashInscrypt 2010 pp 36ndash51 Springer Heidelberg Germany2011

[10] D Sun Y Mu and W Susilo ldquoA generic construction ofidentity-based onlineoffline signcryptionrdquo in Proceedings ofthe 2008 IEEE International Symposium on Parallel andDistributed Processing with Applications pp 707ndash712 IEEESydney NSW Australia December 2008

Figure 18 Attack game defining IND minus OTCCA security of DEM and description of the adversary C against it


[11] Z Xu G Dai and D Yang ldquoAn efficient onlineofflinesigncryption scheme for MANETrdquo in Proceedings of the 21stInternational Conference on Advanced Information Net-working and Applications Workshops (AINAWrsquo07) vol 2pp 171ndash176 IEEE Niagara Falls Canada March 2007

[12] D Yamamoto H Sato and Y Fukuzawa ldquoIncrementallyexecutable signcryptionsrdquo in Information Security and Privacy(LNCS) W Susilo and Y Mu Eds vol 8544 pp 226ndash241Springer Heidelberg Germany 2014

[13] F Zhang Y Mu and W Susilo ldquoReducing security overheadfor mobile networksrdquo in Proceedings of the 19th InternationalConference on Advanced Information Networking and Ap-plications (AINArsquo05) vol 1 pp 398ndash403 IEEE Taipei Tai-wan March 2005

[14] D Yamamoto and W Ogata ldquoMulti-divisible on-lineoff-lineencryptionsrdquo IEICE Transactions on Fundamentals of Elec-tronics Communications and Computer Sciences vol E100Ano 1 pp 91ndash102 2017

[15] S Goldwasser S Micali and R L Rivest ldquoA digital signaturescheme secure against adaptive chosen-message attacksrdquoSIAM Journal on Computing vol 17 no 2 pp 281ndash308 Apr1988

[16] M Bellare D Hofheinz and E Kiltz ldquoSubtleties in thedefinition of IND-CCA when and how should challengedecryption be disallowedrdquo Journal of Cryptology vol 28no 1 pp 29ndash48 2015

[17] X Boyen Q Mei and B Waters ldquoDirect chosen ciphertextsecurity from identity-based techniquesrdquo Cryptology ePrintArchive Report 2005288 New York NY USA 2005 httpeprintiacrorg2005288

[18] X Boyen Q Mei and B Waters ldquoDirect chosen ciphertextsecurity from identity-based techniquesrdquo in Proceedings of the12th ACM Conference on Computer and CommunicationssecuritymdashCCSrsquo05 V Atluri C Meadows and A Juels Edspp 320ndash329 ACM Press Alexandria VA USA November2005

[19] T Matsuda K Matsuura and J C N Schuldt ldquoEfficientconstructions of signcryption schemes and signcryptioncomposabilityrdquo in Progress in CryptologymdashINDOCRYPT 2009(LNCS) B K Roy and N Sendrier Eds vol 5922 pp 321ndash342 Springer Heidelberg Germany 2009

[20] M Bellare A Boldyreva and S Micali ldquoPublic-key en-cryption in a multi-user setting security proofs and im-provementsrdquo in Advances in CryptologymdashEUROCRYPT 2000(LNCS) B Preneel Ed vol 1807 pp 259ndash274 SpringerHeidelberg Germany 2000

[21] D Chiba T Matsuda J C Schuldt and K Matsuura ldquoEf-ficient generic constructions of signcryption with insidersecurity in the multi-user settingrdquo in Proceedings of the Ap-plied Cryptography and Network SecuritymdashACNS 2011pp 220ndash237 Springer Nerja Spain June 2011

[22] D Boneh and X Boyen ldquoSecure identity based encryptionwithout random oraclesrdquo in Advances in CryptologymdashCRYPTO 2004 (LNCS) M Franklin Ed vol 3152 pp 443ndash459 Springer Heidelberg Germany 2004

[23] P Mohassel ldquoOne-time signatures and chameleon hashfunctionsrdquo in Selected Areas in CryptographymdashSAC 2010(LNCS) A Biryukov G Gong and D R Stinson Eds vol6544 pp 302ndash319 Springer Heidelberg Germany 2011

[24] B R Waters ldquoEfficient identity-based encryption withoutrandom oraclesrdquo in Lecture Notes in Computer Science(LNCS) R Cramer Ed vol 3494 pp 114ndash127 SpringerHeidelberg Germany 2005

[25] D Chiba T Matsuda J C N Schuldt and K MatsuuraldquoEfficient generic constructions of signcryption with insidersecurity in the multi-user settingrdquo in Applied Cryptographyand Network Security (LNCS) J Lopez and G Tsudik Edsvol 6715 pp 220ndash237 Springer Heidelberg Germany 2011

[26] J Herranz D Hofheinz and E Kiltz ldquoSome (in)sufficientconditions for secure hybrid encryptionrdquo Information andComputation vol 208 no 11 pp 1243ndash1257 2010

[27] J Katz and M Yung ldquoCharacterization of security notions forprobabilistic private-key encryptionrdquo Journal of Cryptologyvol 19 no 1 pp 67ndash95 2006


International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018


Active and Passive Electronic Components

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of



Journal ofEngineeringVolume 2018

SensorsJournal of



RotatingMachinery


Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation


Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom

Applying the above attractive features of DOS as well asIESC to public-key encryption schemes the notion ofmultidivisible onlineoffline encryptions (MDOEs) wasproposed in [14] In MDOEs encryption process can beexecuted in at most three steps and at most three partialciphertexts can be transmitted one-by-one

Our contributions in this paper we propose a generalconcept of multidivisible onlineoffline cryptography (MDOcryptography for short) which covers the onlineofflinecryptography divisible onlineoffline signatures in-crementally executable signcryptions and multidivisibleonlineoffline encryptions

In general MDO cryptographic schemes have the fol-lowing features

Incremental processing a senderrsquos process can be di-vided into two or more subprocessesIncremental sending outputs of intermediate sub-processes can be sent prior to all the subsequentsubprocesses

ese features enable us to save both computationaloverhead and transmission bandwidth on which we canconstruct secure communication platform for IoT-likeenvironment

As instances taking full advantage of these two featuresof MDO cryptography we introduce notions of multi-divisible onlineoffline signcryptions (MDOSCs) and di-visible onlineoffline tag-based KEMs

We define parameterized security notions of MDOSCsdenoted as (k n q)-dM-IND-iCCA for confidentiality and(k n)-dM-UF-iCMA for unforgeability with regard to threeparameters the level of divisibility k the number of users nand the number of queries per user q en we analyze allthe relationships ie the implications and separationsamong these security notions

We also present a generic construction of MDOSC thatachieves the strongest security notions of both confidenti-ality and unforgeability

Expected application scenario Figure 1 shows a usageexample of our MDOSCs where a signcryption algorithm issplit into three subalgorithms ie sc1 sc2 and sc3 each ofwhich can be processed incrementally and can send outputsto recipient incrementally e sender in our examplesystem consists of the following three components acomputationally powerful cloud with sc1 an energy-re-stricted mobile device with sc2 and the most computa-tionally restricted as well as bandwidth-restricted IoTdevice such as a sensor node with sc3 Both the sender andthe receiver in our system can access a shared storage Weassume the receiver has enough computational resource todecrypt signcrypted messages received from the senderFirstly the sender uses cloud computing to execute themost computationally expensive algorithm sc1 with thesenderrsquos own key pair (skS pkS) to generate partial ci-phertext Σ1 store it into the shared storage and also storestate information φ1 to the storage of the mobile deviceese procedures can be repeatedly executed depending onthe storage capacity of the mobile device and the costs for

using cloud computing as well as shared storage Nextwhen the sender recognizes the target recipient to whomshe might send some messages and obtains the receiverrsquospublic key pkR the senderrsquos mobile device executes less-expensive algorithm sc2 with φ1 and pkR to generate partialciphertext Σ2 transmit it to the receiver and store stateinformation φ2 to the storage of the IoT device eseprocedures can also be repeatedly executed depending onthe storage capacities of the IoT device and the receiverAfter that when the IoTdevice is ready to send a messagem(eg typically very short numeric value sensed by sensor)it executes the least expensive algorithm sc3 with φ2 and mto generate partial ciphertext Σ3 transmit it to the receiverNote that Σ3 is reasonably short since the cryptographicinformation for decryption (unsigncryption) has been al-ready transmitted as Σ1 and Σ2 Finally the receiver se-curely obtains the message m by unsigncrypting Σ2 and Σ3with separately downloaded Σ1 from the shared storage aswell as pkS and skR using the unsc algorithm

Organization of this paper this paper is organized asfollows Section 2 introduces basic notations used in thispaper In Section 3 we introduce the concept of MDOcryptography and discuss its instances including MDOsignatures MDO encryptions and MDO signcryptionsSection 4 formally defines the notion of MDO signcryptionsand its security notions e relations between the securitynotions of MDOSC are discussed in Section 5 Section 6shows a generic construction of MDOSC and comparisonwith previous signcryption schemes as well as usage exampleof our MDOSC construction Concluding remarks are givenin Section 7

2 Notations

For n isin N [n] denotes the set 1 2 n We write x⟵y

or y⟶ x to indicate that x is the output from a function oran algorithm y or the assignment of the value y to xx⟵ $X denotes the operation of selecting a random el-ement x from a setX We write Ax to indicate explicitly thatthe algorithm x belongs to the scheme A We writez⟵A(x y oracle1 oracle2 ) to indicate the op-eration of a turing machine A with inputs x y andaccess to oracles oracle1 oracle2 and letting z be theoutput Unless otherwise indicated algorithms are ran-domized ie it takes a source of randomness to makerandom choices during execution In all the experiments(games) every number set and bit string is implicitlyinitialized by 0 empty setempty and empty string ε respectivelyWe write Pr[GY

X(A) b] to indicate the probability of theevent that adversary A outputs b in attack game GY

X

3 Multidivisible OnlineOffline Cryptography

In this section we propose a concept of (multi)-divisibleonlineoffline (MDO) cryptography as a generalization ofonlineoffline cryptography is concept can be applied tovarious cryptographic primitives such as encryptionschemes and signature schemes MDO cryptographic





φ1 y1( 1113857⟵ALG1 x1( 1113857

φ2 y2( 1113857⟵ALG2 x2φ1( 1113857

⋮


(1)











Cloud

skS pkS

skR pkR

skRpkS

pkS

pks

pkR

Server


SC1

SC2

SC3

Σ1Σ1

Σ2

Σ3

Σ1

Sharedstorage

Mobile

IoT device

genR

ReceiverSender

φ1

φ2

φ1

Σ2

φ2pkR

φ1

mφ2 Σ3

λλ








(kn)-X-CMADOS (A) 11113960 1113961 (2)









σ1prime σ11113858 1113859⎡⎣ ⎤⎦ (3)














1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868

(4)


Figure 3























11138681113868111386811138681113868

11138681113868111386811138681113868

(5)














(kn)-dM-X-iCMADOSC (A) 11113960 1113961

(6)











tprime minus O(nq)





















(3 1 1) n2q2Th 2

(3 n q)

(2 1 1) nqTh 1

Th 3

(2 n q)

(1 1 1) nqTh 1

minusTh 4

(1 n q)

(k n q)-dM-IND-iCCA

(3 1) nTh 5

(3 n)

(2 1) nTh 5

minusTh 6

(2 n)

(1 1) nTh 5

minusTh 6

(1 n)

(k n)-dM-sUF-iCMA



























DOS (B) (7)









R C(jlowast)1 C




(jlowast)3 Clowast3

also holds because

Cjlowast( )


2 mjlowast( )1113874 11138751113874 1113875


lowast( 1113857( 1113857

Clowast3

(9)



1 ) C(jlowast)2 C



Pr G0(A) 11113858 1113859le Pr G1(A) 11113858 1113859 (10)































Phase 3 sc3 with m





7 Conclusions


Appendix













AdvXDEM(A) Pr G

XDEM(A 0) 11113960 1113961 minus Pr G

XDEM(A 1) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

(A1)










DOSC (B)

(B2)



0





Pr G00(A) 11113960 1113961 minus Pr G

0nq(A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

1113944lisin[nq]

Pr G0l-1(A) 11113960 1113961 minus Pr G

0l (A) 11113960 11139611113872 1113873

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

(B3)






Pr G0l (A) 11113960 1113961 Pr G

0l (A) 1andGD

0l1113960 1113961Pr GD

0l1113960 1113961

nqPr G0l (A) 1andGD

0l1113960 1113961

(B4)








Pr G0l (A) 1andGD

0l1113960 1113961

Pr G1l (A) 1andGD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus Pr G

1l (A) 1andBD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus

12Pr BD

1l1113960 1113961

(B5)









that


1l (A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868 l1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868

(B6)





1113868111386811138681113868 l1113960 1113961 minus 1

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

le n2q2 2Pr G


11138681113868111386811138681113868

11138681113868111386811138681113868


DOSC (B)

(B7)








l or adversary X





















lowastR





(A) 11113960 1113961 Pr G0(A) 11113858 1113859 (B9)





Pr G0(A) 11113858 1113859 Pr G1(A) 11113858 1113859 (B10)



Pr G1(A) 11113858 1113859-Pr G2(A) 11113858 11138591113868111386811138681113868


(B11)




Pr G1(A) 11113858 1113859 minus Pr G2(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868

Pr blowast


11138681113868111386811138681113868

11138681113868111386811138681113868

11138681113868111386811138681113868

2Pr blowast

b( 1113857 1113954b1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868


(B12)






Pr G2(A) 11113858 1113859 minus Pr G3(A) 11113858 11138591113868111386811138681113868

11138681113868111386811138681113868111386811138681113868le Pr m


le SmthDOS(B13)


Pr G3(A) 11113858 1113859 minus Pr G4(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868le SmthDOS (B14)









(A)


(A) 11113960 1113961 minus 1211138681113868111386811138681113868

11138681113868111386811138681113868

2 Pr G0(A) 11113858 1113859 minus 121113868111386811138681113868

1113868111386811138681113868

le 2 11139440leile3


11138681113868111386811138681113868111386811138681113868 + 2 Pr G3(A) 11113858 1113859 minus 12

11138681113868111386811138681113868111386811138681113868


(B16)



prime ϵDEM)




Data Availability




References

































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia





φ1 y1( 1113857⟵ALG1 x1( 1113857

φ2 y2( 1113857⟵ALG2 x2φ1( 1113857

⋮


(1)











Cloud

skS pkS

skR pkR

skRpkS

pkS

pks

pkR

Server


SC1

SC2

SC3

Σ1Σ1

Σ2

Σ3

Σ1

Sharedstorage

Mobile

IoT device

genR

ReceiverSender

φ1

φ2

φ1

Σ2

φ2pkR

φ1

mφ2 Σ3

λλ








(kn)-X-CMADOS (A) 11113960 1113961 (2)









σ1prime σ11113858 1113859⎡⎣ ⎤⎦ (3)














1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868

(4)


Figure 3























11138681113868111386811138681113868

11138681113868111386811138681113868

(5)














(kn)-dM-X-iCMADOSC (A) 11113960 1113961

(6)











tprime minus O(nq)





















(3 1 1) n2q2Th 2

(3 n q)

(2 1 1) nqTh 1

Th 3

(2 n q)

(1 1 1) nqTh 1

minusTh 4

(1 n q)

(k n q)-dM-IND-iCCA

(3 1) nTh 5

(3 n)

(2 1) nTh 5

minusTh 6

(2 n)

(1 1) nTh 5

minusTh 6

(1 n)

(k n)-dM-sUF-iCMA



























DOS (B) (7)









R C(jlowast)1 C




(jlowast)3 Clowast3

also holds because

Cjlowast( )


2 mjlowast( )1113874 11138751113874 1113875


lowast( 1113857( 1113857

Clowast3

(9)



1 ) C(jlowast)2 C



Pr G0(A) 11113858 1113859le Pr G1(A) 11113858 1113859 (10)































Phase 3 sc3 with m





7 Conclusions


Appendix













AdvXDEM(A) Pr G

XDEM(A 0) 11113960 1113961 minus Pr G

XDEM(A 1) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

(A1)










DOSC (B)

(B2)



0





Pr G00(A) 11113960 1113961 minus Pr G

0nq(A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

1113944lisin[nq]

Pr G0l-1(A) 11113960 1113961 minus Pr G

0l (A) 11113960 11139611113872 1113873

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

(B3)






Pr G0l (A) 11113960 1113961 Pr G

0l (A) 1andGD

0l1113960 1113961Pr GD

0l1113960 1113961

nqPr G0l (A) 1andGD

0l1113960 1113961

(B4)








Pr G0l (A) 1andGD

0l1113960 1113961

Pr G1l (A) 1andGD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus Pr G

1l (A) 1andBD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus

12Pr BD

1l1113960 1113961

(B5)









that


1l (A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868 l1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868

(B6)





1113868111386811138681113868 l1113960 1113961 minus 1

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

le n2q2 2Pr G


11138681113868111386811138681113868

11138681113868111386811138681113868


DOSC (B)

(B7)








l or adversary X





















lowastR





(A) 11113960 1113961 Pr G0(A) 11113858 1113859 (B9)





Pr G0(A) 11113858 1113859 Pr G1(A) 11113858 1113859 (B10)



Pr G1(A) 11113858 1113859-Pr G2(A) 11113858 11138591113868111386811138681113868


(B11)




Pr G1(A) 11113858 1113859 minus Pr G2(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868

Pr blowast


11138681113868111386811138681113868

11138681113868111386811138681113868

11138681113868111386811138681113868

2Pr blowast

b( 1113857 1113954b1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868


(B12)






Pr G2(A) 11113858 1113859 minus Pr G3(A) 11113858 11138591113868111386811138681113868

11138681113868111386811138681113868111386811138681113868le Pr m


le SmthDOS(B13)


Pr G3(A) 11113858 1113859 minus Pr G4(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868le SmthDOS (B14)









(A)


(A) 11113960 1113961 minus 1211138681113868111386811138681113868

11138681113868111386811138681113868

2 Pr G0(A) 11113858 1113859 minus 121113868111386811138681113868

1113868111386811138681113868

le 2 11139440leile3


11138681113868111386811138681113868111386811138681113868 + 2 Pr G3(A) 11113858 1113859 minus 12

11138681113868111386811138681113868111386811138681113868


(B16)



prime ϵDEM)




Data Availability




References

































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia







(kn)-X-CMADOS (A) 11113960 1113961 (2)









σ1prime σ11113858 1113859⎡⎣ ⎤⎦ (3)














1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868

(4)


Figure 3























11138681113868111386811138681113868

11138681113868111386811138681113868

(5)














(kn)-dM-X-iCMADOSC (A) 11113960 1113961

(6)











tprime minus O(nq)





















(3 1 1) n2q2Th 2

(3 n q)

(2 1 1) nqTh 1

Th 3

(2 n q)

(1 1 1) nqTh 1

minusTh 4

(1 n q)

(k n q)-dM-IND-iCCA

(3 1) nTh 5

(3 n)

(2 1) nTh 5

minusTh 6

(2 n)

(1 1) nTh 5

minusTh 6

(1 n)

(k n)-dM-sUF-iCMA



























DOS (B) (7)









R C(jlowast)1 C




(jlowast)3 Clowast3

also holds because

Cjlowast( )


2 mjlowast( )1113874 11138751113874 1113875


lowast( 1113857( 1113857

Clowast3

(9)



1 ) C(jlowast)2 C



Pr G0(A) 11113858 1113859le Pr G1(A) 11113858 1113859 (10)































Phase 3 sc3 with m





7 Conclusions


Appendix













AdvXDEM(A) Pr G

XDEM(A 0) 11113960 1113961 minus Pr G

XDEM(A 1) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

(A1)










DOSC (B)

(B2)



0





Pr G00(A) 11113960 1113961 minus Pr G

0nq(A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

1113944lisin[nq]

Pr G0l-1(A) 11113960 1113961 minus Pr G

0l (A) 11113960 11139611113872 1113873

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

(B3)






Pr G0l (A) 11113960 1113961 Pr G

0l (A) 1andGD

0l1113960 1113961Pr GD

0l1113960 1113961

nqPr G0l (A) 1andGD

0l1113960 1113961

(B4)








Pr G0l (A) 1andGD

0l1113960 1113961

Pr G1l (A) 1andGD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus Pr G

1l (A) 1andBD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus

12Pr BD

1l1113960 1113961

(B5)









that


1l (A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868 l1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868

(B6)





1113868111386811138681113868 l1113960 1113961 minus 1

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

le n2q2 2Pr G


11138681113868111386811138681113868

11138681113868111386811138681113868


DOSC (B)

(B7)








l or adversary X





















lowastR





(A) 11113960 1113961 Pr G0(A) 11113858 1113859 (B9)





Pr G0(A) 11113858 1113859 Pr G1(A) 11113858 1113859 (B10)



Pr G1(A) 11113858 1113859-Pr G2(A) 11113858 11138591113868111386811138681113868


(B11)




Pr G1(A) 11113858 1113859 minus Pr G2(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868

Pr blowast


11138681113868111386811138681113868

11138681113868111386811138681113868

11138681113868111386811138681113868

2Pr blowast

b( 1113857 1113954b1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868


(B12)






Pr G2(A) 11113858 1113859 minus Pr G3(A) 11113858 11138591113868111386811138681113868

11138681113868111386811138681113868111386811138681113868le Pr m


le SmthDOS(B13)


Pr G3(A) 11113858 1113859 minus Pr G4(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868le SmthDOS (B14)









(A)


(A) 11113960 1113961 minus 1211138681113868111386811138681113868

11138681113868111386811138681113868

2 Pr G0(A) 11113858 1113859 minus 121113868111386811138681113868

1113868111386811138681113868

le 2 11139440leile3


11138681113868111386811138681113868111386811138681113868 + 2 Pr G3(A) 11113858 1113859 minus 12

11138681113868111386811138681113868111386811138681113868


(B16)



prime ϵDEM)




Data Availability




References

































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia























11138681113868111386811138681113868

11138681113868111386811138681113868

(5)














(kn)-dM-X-iCMADOSC (A) 11113960 1113961

(6)











tprime minus O(nq)





















(3 1 1) n2q2Th 2

(3 n q)

(2 1 1) nqTh 1

Th 3

(2 n q)

(1 1 1) nqTh 1

minusTh 4

(1 n q)

(k n q)-dM-IND-iCCA

(3 1) nTh 5

(3 n)

(2 1) nTh 5

minusTh 6

(2 n)

(1 1) nTh 5

minusTh 6

(1 n)

(k n)-dM-sUF-iCMA



























DOS (B) (7)









R C(jlowast)1 C




(jlowast)3 Clowast3

also holds because

Cjlowast( )


2 mjlowast( )1113874 11138751113874 1113875


lowast( 1113857( 1113857

Clowast3

(9)



1 ) C(jlowast)2 C



Pr G0(A) 11113858 1113859le Pr G1(A) 11113858 1113859 (10)































Phase 3 sc3 with m





7 Conclusions


Appendix













AdvXDEM(A) Pr G

XDEM(A 0) 11113960 1113961 minus Pr G

XDEM(A 1) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

(A1)










DOSC (B)

(B2)



0





Pr G00(A) 11113960 1113961 minus Pr G

0nq(A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

1113944lisin[nq]

Pr G0l-1(A) 11113960 1113961 minus Pr G

0l (A) 11113960 11139611113872 1113873

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

(B3)






Pr G0l (A) 11113960 1113961 Pr G

0l (A) 1andGD

0l1113960 1113961Pr GD

0l1113960 1113961

nqPr G0l (A) 1andGD

0l1113960 1113961

(B4)








Pr G0l (A) 1andGD

0l1113960 1113961

Pr G1l (A) 1andGD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus Pr G

1l (A) 1andBD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus

12Pr BD

1l1113960 1113961

(B5)









that


1l (A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868 l1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868

(B6)





1113868111386811138681113868 l1113960 1113961 minus 1

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

le n2q2 2Pr G


11138681113868111386811138681113868

11138681113868111386811138681113868


DOSC (B)

(B7)








l or adversary X





















lowastR





(A) 11113960 1113961 Pr G0(A) 11113858 1113859 (B9)





Pr G0(A) 11113858 1113859 Pr G1(A) 11113858 1113859 (B10)



Pr G1(A) 11113858 1113859-Pr G2(A) 11113858 11138591113868111386811138681113868


(B11)




Pr G1(A) 11113858 1113859 minus Pr G2(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868

Pr blowast


11138681113868111386811138681113868

11138681113868111386811138681113868

11138681113868111386811138681113868

2Pr blowast

b( 1113857 1113954b1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868


(B12)






Pr G2(A) 11113858 1113859 minus Pr G3(A) 11113858 11138591113868111386811138681113868

11138681113868111386811138681113868111386811138681113868le Pr m


le SmthDOS(B13)


Pr G3(A) 11113858 1113859 minus Pr G4(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868le SmthDOS (B14)









(A)


(A) 11113960 1113961 minus 1211138681113868111386811138681113868

11138681113868111386811138681113868

2 Pr G0(A) 11113858 1113859 minus 121113868111386811138681113868

1113868111386811138681113868

le 2 11139440leile3


11138681113868111386811138681113868111386811138681113868 + 2 Pr G3(A) 11113858 1113859 minus 12

11138681113868111386811138681113868111386811138681113868


(B16)



prime ϵDEM)




Data Availability




References

































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia

















11138681113868111386811138681113868

11138681113868111386811138681113868

(5)














(kn)-dM-X-iCMADOSC (A) 11113960 1113961

(6)











tprime minus O(nq)





















(3 1 1) n2q2Th 2

(3 n q)

(2 1 1) nqTh 1

Th 3

(2 n q)

(1 1 1) nqTh 1

minusTh 4

(1 n q)

(k n q)-dM-IND-iCCA

(3 1) nTh 5

(3 n)

(2 1) nTh 5

minusTh 6

(2 n)

(1 1) nTh 5

minusTh 6

(1 n)

(k n)-dM-sUF-iCMA



























DOS (B) (7)









R C(jlowast)1 C




(jlowast)3 Clowast3

also holds because

Cjlowast( )


2 mjlowast( )1113874 11138751113874 1113875


lowast( 1113857( 1113857

Clowast3

(9)



1 ) C(jlowast)2 C



Pr G0(A) 11113858 1113859le Pr G1(A) 11113858 1113859 (10)































Phase 3 sc3 with m





7 Conclusions


Appendix













AdvXDEM(A) Pr G

XDEM(A 0) 11113960 1113961 minus Pr G

XDEM(A 1) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

(A1)










DOSC (B)

(B2)



0





Pr G00(A) 11113960 1113961 minus Pr G

0nq(A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

1113944lisin[nq]

Pr G0l-1(A) 11113960 1113961 minus Pr G

0l (A) 11113960 11139611113872 1113873

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

(B3)






Pr G0l (A) 11113960 1113961 Pr G

0l (A) 1andGD

0l1113960 1113961Pr GD

0l1113960 1113961

nqPr G0l (A) 1andGD

0l1113960 1113961

(B4)








Pr G0l (A) 1andGD

0l1113960 1113961

Pr G1l (A) 1andGD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus Pr G

1l (A) 1andBD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus

12Pr BD

1l1113960 1113961

(B5)









that


1l (A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868 l1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868

(B6)





1113868111386811138681113868 l1113960 1113961 minus 1

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

le n2q2 2Pr G


11138681113868111386811138681113868

11138681113868111386811138681113868


DOSC (B)

(B7)








l or adversary X





















lowastR





(A) 11113960 1113961 Pr G0(A) 11113858 1113859 (B9)





Pr G0(A) 11113858 1113859 Pr G1(A) 11113858 1113859 (B10)



Pr G1(A) 11113858 1113859-Pr G2(A) 11113858 11138591113868111386811138681113868


(B11)




Pr G1(A) 11113858 1113859 minus Pr G2(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868

Pr blowast


11138681113868111386811138681113868

11138681113868111386811138681113868

11138681113868111386811138681113868

2Pr blowast

b( 1113857 1113954b1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868


(B12)






Pr G2(A) 11113858 1113859 minus Pr G3(A) 11113858 11138591113868111386811138681113868

11138681113868111386811138681113868111386811138681113868le Pr m


le SmthDOS(B13)


Pr G3(A) 11113858 1113859 minus Pr G4(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868le SmthDOS (B14)









(A)


(A) 11113960 1113961 minus 1211138681113868111386811138681113868

11138681113868111386811138681113868

2 Pr G0(A) 11113858 1113859 minus 121113868111386811138681113868

1113868111386811138681113868

le 2 11139440leile3


11138681113868111386811138681113868111386811138681113868 + 2 Pr G3(A) 11113858 1113859 minus 12

11138681113868111386811138681113868111386811138681113868


(B16)



prime ϵDEM)




Data Availability




References

































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia











(kn)-dM-X-iCMADOSC (A) 11113960 1113961

(6)











tprime minus O(nq)





















(3 1 1) n2q2Th 2

(3 n q)

(2 1 1) nqTh 1

Th 3

(2 n q)

(1 1 1) nqTh 1

minusTh 4

(1 n q)

(k n q)-dM-IND-iCCA

(3 1) nTh 5

(3 n)

(2 1) nTh 5

minusTh 6

(2 n)

(1 1) nTh 5

minusTh 6

(1 n)

(k n)-dM-sUF-iCMA



























DOS (B) (7)









R C(jlowast)1 C




(jlowast)3 Clowast3

also holds because

Cjlowast( )


2 mjlowast( )1113874 11138751113874 1113875


lowast( 1113857( 1113857

Clowast3

(9)



1 ) C(jlowast)2 C



Pr G0(A) 11113858 1113859le Pr G1(A) 11113858 1113859 (10)































Phase 3 sc3 with m





7 Conclusions


Appendix













AdvXDEM(A) Pr G

XDEM(A 0) 11113960 1113961 minus Pr G

XDEM(A 1) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

(A1)










DOSC (B)

(B2)



0





Pr G00(A) 11113960 1113961 minus Pr G

0nq(A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

1113944lisin[nq]

Pr G0l-1(A) 11113960 1113961 minus Pr G

0l (A) 11113960 11139611113872 1113873

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

(B3)






Pr G0l (A) 11113960 1113961 Pr G

0l (A) 1andGD

0l1113960 1113961Pr GD

0l1113960 1113961

nqPr G0l (A) 1andGD

0l1113960 1113961

(B4)








Pr G0l (A) 1andGD

0l1113960 1113961

Pr G1l (A) 1andGD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus Pr G

1l (A) 1andBD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus

12Pr BD

1l1113960 1113961

(B5)









that


1l (A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868 l1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868

(B6)





1113868111386811138681113868 l1113960 1113961 minus 1

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

le n2q2 2Pr G


11138681113868111386811138681113868

11138681113868111386811138681113868


DOSC (B)

(B7)








l or adversary X





















lowastR





(A) 11113960 1113961 Pr G0(A) 11113858 1113859 (B9)





Pr G0(A) 11113858 1113859 Pr G1(A) 11113858 1113859 (B10)



Pr G1(A) 11113858 1113859-Pr G2(A) 11113858 11138591113868111386811138681113868


(B11)




Pr G1(A) 11113858 1113859 minus Pr G2(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868

Pr blowast


11138681113868111386811138681113868

11138681113868111386811138681113868

11138681113868111386811138681113868

2Pr blowast

b( 1113857 1113954b1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868


(B12)






Pr G2(A) 11113858 1113859 minus Pr G3(A) 11113858 11138591113868111386811138681113868

11138681113868111386811138681113868111386811138681113868le Pr m


le SmthDOS(B13)


Pr G3(A) 11113858 1113859 minus Pr G4(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868le SmthDOS (B14)









(A)


(A) 11113960 1113961 minus 1211138681113868111386811138681113868

11138681113868111386811138681113868

2 Pr G0(A) 11113858 1113859 minus 121113868111386811138681113868

1113868111386811138681113868

le 2 11139440leile3


11138681113868111386811138681113868111386811138681113868 + 2 Pr G3(A) 11113858 1113859 minus 12

11138681113868111386811138681113868111386811138681113868


(B16)



prime ϵDEM)




Data Availability




References

































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia








(kn)-dM-X-iCMADOSC (A) 11113960 1113961

(6)











tprime minus O(nq)





















(3 1 1) n2q2Th 2

(3 n q)

(2 1 1) nqTh 1

Th 3

(2 n q)

(1 1 1) nqTh 1

minusTh 4

(1 n q)

(k n q)-dM-IND-iCCA

(3 1) nTh 5

(3 n)

(2 1) nTh 5

minusTh 6

(2 n)

(1 1) nTh 5

minusTh 6

(1 n)

(k n)-dM-sUF-iCMA



























DOS (B) (7)









R C(jlowast)1 C




(jlowast)3 Clowast3

also holds because

Cjlowast( )


2 mjlowast( )1113874 11138751113874 1113875


lowast( 1113857( 1113857

Clowast3

(9)



1 ) C(jlowast)2 C



Pr G0(A) 11113858 1113859le Pr G1(A) 11113858 1113859 (10)































Phase 3 sc3 with m





7 Conclusions


Appendix













AdvXDEM(A) Pr G

XDEM(A 0) 11113960 1113961 minus Pr G

XDEM(A 1) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

(A1)










DOSC (B)

(B2)



0





Pr G00(A) 11113960 1113961 minus Pr G

0nq(A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

1113944lisin[nq]

Pr G0l-1(A) 11113960 1113961 minus Pr G

0l (A) 11113960 11139611113872 1113873

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

(B3)






Pr G0l (A) 11113960 1113961 Pr G

0l (A) 1andGD

0l1113960 1113961Pr GD

0l1113960 1113961

nqPr G0l (A) 1andGD

0l1113960 1113961

(B4)








Pr G0l (A) 1andGD

0l1113960 1113961

Pr G1l (A) 1andGD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus Pr G

1l (A) 1andBD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus

12Pr BD

1l1113960 1113961

(B5)









that


1l (A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868 l1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868

(B6)





1113868111386811138681113868 l1113960 1113961 minus 1

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

le n2q2 2Pr G


11138681113868111386811138681113868

11138681113868111386811138681113868


DOSC (B)

(B7)








l or adversary X





















lowastR





(A) 11113960 1113961 Pr G0(A) 11113858 1113859 (B9)





Pr G0(A) 11113858 1113859 Pr G1(A) 11113858 1113859 (B10)



Pr G1(A) 11113858 1113859-Pr G2(A) 11113858 11138591113868111386811138681113868


(B11)




Pr G1(A) 11113858 1113859 minus Pr G2(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868

Pr blowast


11138681113868111386811138681113868

11138681113868111386811138681113868

11138681113868111386811138681113868

2Pr blowast

b( 1113857 1113954b1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868


(B12)






Pr G2(A) 11113858 1113859 minus Pr G3(A) 11113858 11138591113868111386811138681113868

11138681113868111386811138681113868111386811138681113868le Pr m


le SmthDOS(B13)


Pr G3(A) 11113858 1113859 minus Pr G4(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868le SmthDOS (B14)









(A)


(A) 11113960 1113961 minus 1211138681113868111386811138681113868

11138681113868111386811138681113868

2 Pr G0(A) 11113858 1113859 minus 121113868111386811138681113868

1113868111386811138681113868

le 2 11139440leile3


11138681113868111386811138681113868111386811138681113868 + 2 Pr G3(A) 11113858 1113859 minus 12

11138681113868111386811138681113868111386811138681113868


(B16)



prime ϵDEM)




Data Availability




References

































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



(3 1 1) n2q2Th 2

(3 n q)

(2 1 1) nqTh 1

Th 3

(2 n q)

(1 1 1) nqTh 1

minusTh 4

(1 n q)

(k n q)-dM-IND-iCCA

(3 1) nTh 5

(3 n)

(2 1) nTh 5

minusTh 6

(2 n)

(1 1) nTh 5

minusTh 6

(1 n)

(k n)-dM-sUF-iCMA



























DOS (B) (7)









R C(jlowast)1 C




(jlowast)3 Clowast3

also holds because

Cjlowast( )


2 mjlowast( )1113874 11138751113874 1113875


lowast( 1113857( 1113857

Clowast3

(9)



1 ) C(jlowast)2 C



Pr G0(A) 11113858 1113859le Pr G1(A) 11113858 1113859 (10)































Phase 3 sc3 with m





7 Conclusions


Appendix













AdvXDEM(A) Pr G

XDEM(A 0) 11113960 1113961 minus Pr G

XDEM(A 1) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

(A1)










DOSC (B)

(B2)



0





Pr G00(A) 11113960 1113961 minus Pr G

0nq(A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

1113944lisin[nq]

Pr G0l-1(A) 11113960 1113961 minus Pr G

0l (A) 11113960 11139611113872 1113873

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

(B3)






Pr G0l (A) 11113960 1113961 Pr G

0l (A) 1andGD

0l1113960 1113961Pr GD

0l1113960 1113961

nqPr G0l (A) 1andGD

0l1113960 1113961

(B4)








Pr G0l (A) 1andGD

0l1113960 1113961

Pr G1l (A) 1andGD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus Pr G

1l (A) 1andBD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus

12Pr BD

1l1113960 1113961

(B5)









that


1l (A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868 l1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868

(B6)





1113868111386811138681113868 l1113960 1113961 minus 1

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

le n2q2 2Pr G


11138681113868111386811138681113868

11138681113868111386811138681113868


DOSC (B)

(B7)








l or adversary X





















lowastR





(A) 11113960 1113961 Pr G0(A) 11113858 1113859 (B9)





Pr G0(A) 11113858 1113859 Pr G1(A) 11113858 1113859 (B10)



Pr G1(A) 11113858 1113859-Pr G2(A) 11113858 11138591113868111386811138681113868


(B11)




Pr G1(A) 11113858 1113859 minus Pr G2(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868

Pr blowast


11138681113868111386811138681113868

11138681113868111386811138681113868

11138681113868111386811138681113868

2Pr blowast

b( 1113857 1113954b1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868


(B12)






Pr G2(A) 11113858 1113859 minus Pr G3(A) 11113858 11138591113868111386811138681113868

11138681113868111386811138681113868111386811138681113868le Pr m


le SmthDOS(B13)


Pr G3(A) 11113858 1113859 minus Pr G4(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868le SmthDOS (B14)









(A)


(A) 11113960 1113961 minus 1211138681113868111386811138681113868

11138681113868111386811138681113868

2 Pr G0(A) 11113858 1113859 minus 121113868111386811138681113868

1113868111386811138681113868

le 2 11139440leile3


11138681113868111386811138681113868111386811138681113868 + 2 Pr G3(A) 11113858 1113859 minus 12

11138681113868111386811138681113868111386811138681113868


(B16)



prime ϵDEM)




Data Availability




References

































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


























DOS (B) (7)









R C(jlowast)1 C




(jlowast)3 Clowast3

also holds because

Cjlowast( )


2 mjlowast( )1113874 11138751113874 1113875


lowast( 1113857( 1113857

Clowast3

(9)



1 ) C(jlowast)2 C



Pr G0(A) 11113858 1113859le Pr G1(A) 11113858 1113859 (10)































Phase 3 sc3 with m





7 Conclusions


Appendix













AdvXDEM(A) Pr G

XDEM(A 0) 11113960 1113961 minus Pr G

XDEM(A 1) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

(A1)










DOSC (B)

(B2)



0





Pr G00(A) 11113960 1113961 minus Pr G

0nq(A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

1113944lisin[nq]

Pr G0l-1(A) 11113960 1113961 minus Pr G

0l (A) 11113960 11139611113872 1113873

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

(B3)






Pr G0l (A) 11113960 1113961 Pr G

0l (A) 1andGD

0l1113960 1113961Pr GD

0l1113960 1113961

nqPr G0l (A) 1andGD

0l1113960 1113961

(B4)








Pr G0l (A) 1andGD

0l1113960 1113961

Pr G1l (A) 1andGD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus Pr G

1l (A) 1andBD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus

12Pr BD

1l1113960 1113961

(B5)









that


1l (A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868 l1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868

(B6)





1113868111386811138681113868 l1113960 1113961 minus 1

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

le n2q2 2Pr G


11138681113868111386811138681113868

11138681113868111386811138681113868


DOSC (B)

(B7)








l or adversary X





















lowastR





(A) 11113960 1113961 Pr G0(A) 11113858 1113859 (B9)





Pr G0(A) 11113858 1113859 Pr G1(A) 11113858 1113859 (B10)



Pr G1(A) 11113858 1113859-Pr G2(A) 11113858 11138591113868111386811138681113868


(B11)




Pr G1(A) 11113858 1113859 minus Pr G2(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868

Pr blowast


11138681113868111386811138681113868

11138681113868111386811138681113868

11138681113868111386811138681113868

2Pr blowast

b( 1113857 1113954b1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868


(B12)






Pr G2(A) 11113858 1113859 minus Pr G3(A) 11113858 11138591113868111386811138681113868

11138681113868111386811138681113868111386811138681113868le Pr m


le SmthDOS(B13)


Pr G3(A) 11113858 1113859 minus Pr G4(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868le SmthDOS (B14)









(A)


(A) 11113960 1113961 minus 1211138681113868111386811138681113868

11138681113868111386811138681113868

2 Pr G0(A) 11113858 1113859 minus 121113868111386811138681113868

1113868111386811138681113868

le 2 11139440leile3


11138681113868111386811138681113868111386811138681113868 + 2 Pr G3(A) 11113858 1113859 minus 12

11138681113868111386811138681113868111386811138681113868


(B16)



prime ϵDEM)




Data Availability




References

































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia

















DOS (B) (7)









R C(jlowast)1 C




(jlowast)3 Clowast3

also holds because

Cjlowast( )


2 mjlowast( )1113874 11138751113874 1113875


lowast( 1113857( 1113857

Clowast3

(9)



1 ) C(jlowast)2 C



Pr G0(A) 11113858 1113859le Pr G1(A) 11113858 1113859 (10)































Phase 3 sc3 with m





7 Conclusions


Appendix













AdvXDEM(A) Pr G

XDEM(A 0) 11113960 1113961 minus Pr G

XDEM(A 1) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

(A1)










DOSC (B)

(B2)



0





Pr G00(A) 11113960 1113961 minus Pr G

0nq(A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

1113944lisin[nq]

Pr G0l-1(A) 11113960 1113961 minus Pr G

0l (A) 11113960 11139611113872 1113873

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

(B3)






Pr G0l (A) 11113960 1113961 Pr G

0l (A) 1andGD

0l1113960 1113961Pr GD

0l1113960 1113961

nqPr G0l (A) 1andGD

0l1113960 1113961

(B4)








Pr G0l (A) 1andGD

0l1113960 1113961

Pr G1l (A) 1andGD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus Pr G

1l (A) 1andBD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus

12Pr BD

1l1113960 1113961

(B5)









that


1l (A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868 l1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868

(B6)





1113868111386811138681113868 l1113960 1113961 minus 1

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

le n2q2 2Pr G


11138681113868111386811138681113868

11138681113868111386811138681113868


DOSC (B)

(B7)








l or adversary X





















lowastR





(A) 11113960 1113961 Pr G0(A) 11113858 1113859 (B9)





Pr G0(A) 11113858 1113859 Pr G1(A) 11113858 1113859 (B10)



Pr G1(A) 11113858 1113859-Pr G2(A) 11113858 11138591113868111386811138681113868


(B11)




Pr G1(A) 11113858 1113859 minus Pr G2(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868

Pr blowast


11138681113868111386811138681113868

11138681113868111386811138681113868

11138681113868111386811138681113868

2Pr blowast

b( 1113857 1113954b1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868


(B12)






Pr G2(A) 11113858 1113859 minus Pr G3(A) 11113858 11138591113868111386811138681113868

11138681113868111386811138681113868111386811138681113868le Pr m


le SmthDOS(B13)


Pr G3(A) 11113858 1113859 minus Pr G4(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868le SmthDOS (B14)









(A)


(A) 11113960 1113961 minus 1211138681113868111386811138681113868

11138681113868111386811138681113868

2 Pr G0(A) 11113858 1113859 minus 121113868111386811138681113868

1113868111386811138681113868

le 2 11139440leile3


11138681113868111386811138681113868111386811138681113868 + 2 Pr G3(A) 11113858 1113859 minus 12

11138681113868111386811138681113868111386811138681113868


(B16)



prime ϵDEM)




Data Availability




References

































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



















Phase 3 sc3 with m





7 Conclusions


Appendix













AdvXDEM(A) Pr G

XDEM(A 0) 11113960 1113961 minus Pr G

XDEM(A 1) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

(A1)










DOSC (B)

(B2)



0





Pr G00(A) 11113960 1113961 minus Pr G

0nq(A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

1113944lisin[nq]

Pr G0l-1(A) 11113960 1113961 minus Pr G

0l (A) 11113960 11139611113872 1113873

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

(B3)






Pr G0l (A) 11113960 1113961 Pr G

0l (A) 1andGD

0l1113960 1113961Pr GD

0l1113960 1113961

nqPr G0l (A) 1andGD

0l1113960 1113961

(B4)








Pr G0l (A) 1andGD

0l1113960 1113961

Pr G1l (A) 1andGD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus Pr G

1l (A) 1andBD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus

12Pr BD

1l1113960 1113961

(B5)









that


1l (A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868 l1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868

(B6)





1113868111386811138681113868 l1113960 1113961 minus 1

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

le n2q2 2Pr G


11138681113868111386811138681113868

11138681113868111386811138681113868


DOSC (B)

(B7)








l or adversary X





















lowastR





(A) 11113960 1113961 Pr G0(A) 11113858 1113859 (B9)





Pr G0(A) 11113858 1113859 Pr G1(A) 11113858 1113859 (B10)



Pr G1(A) 11113858 1113859-Pr G2(A) 11113858 11138591113868111386811138681113868


(B11)




Pr G1(A) 11113858 1113859 minus Pr G2(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868

Pr blowast


11138681113868111386811138681113868

11138681113868111386811138681113868

11138681113868111386811138681113868

2Pr blowast

b( 1113857 1113954b1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868


(B12)






Pr G2(A) 11113858 1113859 minus Pr G3(A) 11113858 11138591113868111386811138681113868

11138681113868111386811138681113868111386811138681113868le Pr m


le SmthDOS(B13)


Pr G3(A) 11113858 1113859 minus Pr G4(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868le SmthDOS (B14)









(A)


(A) 11113960 1113961 minus 1211138681113868111386811138681113868

11138681113868111386811138681113868

2 Pr G0(A) 11113858 1113859 minus 121113868111386811138681113868

1113868111386811138681113868

le 2 11139440leile3


11138681113868111386811138681113868111386811138681113868 + 2 Pr G3(A) 11113858 1113859 minus 12

11138681113868111386811138681113868111386811138681113868


(B16)



prime ϵDEM)




Data Availability




References

































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia
















Phase 3 sc3 with m





7 Conclusions


Appendix













AdvXDEM(A) Pr G

XDEM(A 0) 11113960 1113961 minus Pr G

XDEM(A 1) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

(A1)










DOSC (B)

(B2)



0





Pr G00(A) 11113960 1113961 minus Pr G

0nq(A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

1113944lisin[nq]

Pr G0l-1(A) 11113960 1113961 minus Pr G

0l (A) 11113960 11139611113872 1113873

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

(B3)






Pr G0l (A) 11113960 1113961 Pr G

0l (A) 1andGD

0l1113960 1113961Pr GD

0l1113960 1113961

nqPr G0l (A) 1andGD

0l1113960 1113961

(B4)








Pr G0l (A) 1andGD

0l1113960 1113961

Pr G1l (A) 1andGD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus Pr G

1l (A) 1andBD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus

12Pr BD

1l1113960 1113961

(B5)









that


1l (A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868 l1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868

(B6)





1113868111386811138681113868 l1113960 1113961 minus 1

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

le n2q2 2Pr G


11138681113868111386811138681113868

11138681113868111386811138681113868


DOSC (B)

(B7)








l or adversary X





















lowastR





(A) 11113960 1113961 Pr G0(A) 11113858 1113859 (B9)





Pr G0(A) 11113858 1113859 Pr G1(A) 11113858 1113859 (B10)



Pr G1(A) 11113858 1113859-Pr G2(A) 11113858 11138591113868111386811138681113868


(B11)




Pr G1(A) 11113858 1113859 minus Pr G2(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868

Pr blowast


11138681113868111386811138681113868

11138681113868111386811138681113868

11138681113868111386811138681113868

2Pr blowast

b( 1113857 1113954b1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868


(B12)






Pr G2(A) 11113858 1113859 minus Pr G3(A) 11113858 11138591113868111386811138681113868

11138681113868111386811138681113868111386811138681113868le Pr m


le SmthDOS(B13)


Pr G3(A) 11113858 1113859 minus Pr G4(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868le SmthDOS (B14)









(A)


(A) 11113960 1113961 minus 1211138681113868111386811138681113868

11138681113868111386811138681113868

2 Pr G0(A) 11113858 1113859 minus 121113868111386811138681113868

1113868111386811138681113868

le 2 11139440leile3


11138681113868111386811138681113868111386811138681113868 + 2 Pr G3(A) 11113858 1113859 minus 12

11138681113868111386811138681113868111386811138681113868


(B16)



prime ϵDEM)




Data Availability




References

































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


7 Conclusions


Appendix













AdvXDEM(A) Pr G

XDEM(A 0) 11113960 1113961 minus Pr G

XDEM(A 1) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

(A1)










DOSC (B)

(B2)



0





Pr G00(A) 11113960 1113961 minus Pr G

0nq(A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

1113944lisin[nq]

Pr G0l-1(A) 11113960 1113961 minus Pr G

0l (A) 11113960 11139611113872 1113873

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

(B3)






Pr G0l (A) 11113960 1113961 Pr G

0l (A) 1andGD

0l1113960 1113961Pr GD

0l1113960 1113961

nqPr G0l (A) 1andGD

0l1113960 1113961

(B4)








Pr G0l (A) 1andGD

0l1113960 1113961

Pr G1l (A) 1andGD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus Pr G

1l (A) 1andBD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus

12Pr BD

1l1113960 1113961

(B5)









that


1l (A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868 l1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868

(B6)





1113868111386811138681113868 l1113960 1113961 minus 1

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

le n2q2 2Pr G


11138681113868111386811138681113868

11138681113868111386811138681113868


DOSC (B)

(B7)








l or adversary X





















lowastR





(A) 11113960 1113961 Pr G0(A) 11113858 1113859 (B9)





Pr G0(A) 11113858 1113859 Pr G1(A) 11113858 1113859 (B10)



Pr G1(A) 11113858 1113859-Pr G2(A) 11113858 11138591113868111386811138681113868


(B11)




Pr G1(A) 11113858 1113859 minus Pr G2(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868

Pr blowast


11138681113868111386811138681113868

11138681113868111386811138681113868

11138681113868111386811138681113868

2Pr blowast

b( 1113857 1113954b1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868


(B12)






Pr G2(A) 11113858 1113859 minus Pr G3(A) 11113858 11138591113868111386811138681113868

11138681113868111386811138681113868111386811138681113868le Pr m


le SmthDOS(B13)


Pr G3(A) 11113858 1113859 minus Pr G4(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868le SmthDOS (B14)









(A)


(A) 11113960 1113961 minus 1211138681113868111386811138681113868

11138681113868111386811138681113868

2 Pr G0(A) 11113858 1113859 minus 121113868111386811138681113868

1113868111386811138681113868

le 2 11139440leile3


11138681113868111386811138681113868111386811138681113868 + 2 Pr G3(A) 11113858 1113859 minus 12

11138681113868111386811138681113868111386811138681113868


(B16)



prime ϵDEM)




Data Availability




References

































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


AdvXDEM(A) Pr G

XDEM(A 0) 11113960 1113961 minus Pr G

XDEM(A 1) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

(A1)










DOSC (B)

(B2)



0





Pr G00(A) 11113960 1113961 minus Pr G

0nq(A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868

1113944lisin[nq]

Pr G0l-1(A) 11113960 1113961 minus Pr G

0l (A) 11113960 11139611113872 1113873

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

(B3)






Pr G0l (A) 11113960 1113961 Pr G

0l (A) 1andGD

0l1113960 1113961Pr GD

0l1113960 1113961

nqPr G0l (A) 1andGD

0l1113960 1113961

(B4)








Pr G0l (A) 1andGD

0l1113960 1113961

Pr G1l (A) 1andGD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus Pr G

1l (A) 1andBD

1l1113960 1113961

Pr G1l (A) 11113960 1113961 minus

12Pr BD

1l1113960 1113961

(B5)









that


1l (A) 11113960 1113961

11138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868 l1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868

(B6)





1113868111386811138681113868 l1113960 1113961 minus 1

11138681113868111386811138681113868111386811138681113868111386811138681113868

11138681113868111386811138681113868111386811138681113868111386811138681113868

le n2q2 2Pr G


11138681113868111386811138681113868

11138681113868111386811138681113868


DOSC (B)

(B7)








l or adversary X





















lowastR





(A) 11113960 1113961 Pr G0(A) 11113858 1113859 (B9)





Pr G0(A) 11113858 1113859 Pr G1(A) 11113858 1113859 (B10)



Pr G1(A) 11113858 1113859-Pr G2(A) 11113858 11138591113868111386811138681113868


(B11)




Pr G1(A) 11113858 1113859 minus Pr G2(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868

Pr blowast


11138681113868111386811138681113868

11138681113868111386811138681113868

11138681113868111386811138681113868

2Pr blowast

b( 1113857 1113954b1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868


(B12)






Pr G2(A) 11113858 1113859 minus Pr G3(A) 11113858 11138591113868111386811138681113868

11138681113868111386811138681113868111386811138681113868le Pr m


le SmthDOS(B13)


Pr G3(A) 11113858 1113859 minus Pr G4(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868le SmthDOS (B14)









(A)


(A) 11113960 1113961 minus 1211138681113868111386811138681113868

11138681113868111386811138681113868

2 Pr G0(A) 11113858 1113859 minus 121113868111386811138681113868

1113868111386811138681113868

le 2 11139440leile3


11138681113868111386811138681113868111386811138681113868 + 2 Pr G3(A) 11113858 1113859 minus 12

11138681113868111386811138681113868111386811138681113868


(B16)



prime ϵDEM)




Data Availability




References

































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



l or adversary X





















lowastR





(A) 11113960 1113961 Pr G0(A) 11113858 1113859 (B9)





Pr G0(A) 11113858 1113859 Pr G1(A) 11113858 1113859 (B10)



Pr G1(A) 11113858 1113859-Pr G2(A) 11113858 11138591113868111386811138681113868


(B11)




Pr G1(A) 11113858 1113859 minus Pr G2(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868

Pr blowast


11138681113868111386811138681113868

11138681113868111386811138681113868

11138681113868111386811138681113868

2Pr blowast

b( 1113857 1113954b1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868


(B12)






Pr G2(A) 11113858 1113859 minus Pr G3(A) 11113858 11138591113868111386811138681113868

11138681113868111386811138681113868111386811138681113868le Pr m


le SmthDOS(B13)


Pr G3(A) 11113858 1113859 minus Pr G4(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868le SmthDOS (B14)









(A)


(A) 11113960 1113961 minus 1211138681113868111386811138681113868

11138681113868111386811138681113868

2 Pr G0(A) 11113858 1113859 minus 121113868111386811138681113868

1113868111386811138681113868

le 2 11139440leile3


11138681113868111386811138681113868111386811138681113868 + 2 Pr G3(A) 11113858 1113859 minus 12

11138681113868111386811138681113868111386811138681113868


(B16)



prime ϵDEM)




Data Availability




References

































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia





















lowastR





(A) 11113960 1113961 Pr G0(A) 11113858 1113859 (B9)





Pr G0(A) 11113858 1113859 Pr G1(A) 11113858 1113859 (B10)



Pr G1(A) 11113858 1113859-Pr G2(A) 11113858 11138591113868111386811138681113868


(B11)




Pr G1(A) 11113858 1113859 minus Pr G2(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868

Pr blowast


11138681113868111386811138681113868

11138681113868111386811138681113868

11138681113868111386811138681113868

2Pr blowast

b( 1113857 1113954b1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868


(B12)






Pr G2(A) 11113858 1113859 minus Pr G3(A) 11113858 11138591113868111386811138681113868

11138681113868111386811138681113868111386811138681113868le Pr m


le SmthDOS(B13)


Pr G3(A) 11113858 1113859 minus Pr G4(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868le SmthDOS (B14)









(A)


(A) 11113960 1113961 minus 1211138681113868111386811138681113868

11138681113868111386811138681113868

2 Pr G0(A) 11113858 1113859 minus 121113868111386811138681113868

1113868111386811138681113868

le 2 11139440leile3


11138681113868111386811138681113868111386811138681113868 + 2 Pr G3(A) 11113858 1113859 minus 12

11138681113868111386811138681113868111386811138681113868


(B16)



prime ϵDEM)




Data Availability




References

































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




lowastR





(A) 11113960 1113961 Pr G0(A) 11113858 1113859 (B9)





Pr G0(A) 11113858 1113859 Pr G1(A) 11113858 1113859 (B10)



Pr G1(A) 11113858 1113859-Pr G2(A) 11113858 11138591113868111386811138681113868


(B11)




Pr G1(A) 11113858 1113859 minus Pr G2(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868

Pr blowast


11138681113868111386811138681113868

11138681113868111386811138681113868

11138681113868111386811138681113868

2Pr blowast

b( 1113857 1113954b1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868


(B12)






Pr G2(A) 11113858 1113859 minus Pr G3(A) 11113858 11138591113868111386811138681113868

11138681113868111386811138681113868111386811138681113868le Pr m


le SmthDOS(B13)


Pr G3(A) 11113858 1113859 minus Pr G4(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868le SmthDOS (B14)









(A)


(A) 11113960 1113961 minus 1211138681113868111386811138681113868

11138681113868111386811138681113868

2 Pr G0(A) 11113858 1113859 minus 121113868111386811138681113868

1113868111386811138681113868

le 2 11139440leile3


11138681113868111386811138681113868111386811138681113868 + 2 Pr G3(A) 11113858 1113859 minus 12

11138681113868111386811138681113868111386811138681113868


(B16)



prime ϵDEM)




Data Availability




References

































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



(A) 11113960 1113961 Pr G0(A) 11113858 1113859 (B9)





Pr G0(A) 11113858 1113859 Pr G1(A) 11113858 1113859 (B10)



Pr G1(A) 11113858 1113859-Pr G2(A) 11113858 11138591113868111386811138681113868


(B11)




Pr G1(A) 11113858 1113859 minus Pr G2(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868

Pr blowast


11138681113868111386811138681113868

11138681113868111386811138681113868

11138681113868111386811138681113868

2Pr blowast

b( 1113857 1113954b1113960 1113961 minus 111138681113868111386811138681113868

11138681113868111386811138681113868


1113868111386811138681113868111386811138681113868

1113868111386811138681113868111386811138681113868


(B12)






Pr G2(A) 11113858 1113859 minus Pr G3(A) 11113858 11138591113868111386811138681113868

11138681113868111386811138681113868111386811138681113868le Pr m


le SmthDOS(B13)


Pr G3(A) 11113858 1113859 minus Pr G4(A) 11113858 11138591113868111386811138681113868

1113868111386811138681113868le SmthDOS (B14)









(A)


(A) 11113960 1113961 minus 1211138681113868111386811138681113868

11138681113868111386811138681113868

2 Pr G0(A) 11113858 1113859 minus 121113868111386811138681113868

1113868111386811138681113868

le 2 11139440leile3


11138681113868111386811138681113868111386811138681113868 + 2 Pr G3(A) 11113858 1113859 minus 12

11138681113868111386811138681113868111386811138681113868


(B16)



prime ϵDEM)




Data Availability




References

































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



(A)


(A) 11113960 1113961 minus 1211138681113868111386811138681113868

11138681113868111386811138681113868

2 Pr G0(A) 11113858 1113859 minus 121113868111386811138681113868

1113868111386811138681113868

le 2 11139440leile3


11138681113868111386811138681113868111386811138681113868 + 2 Pr G3(A) 11113858 1113859 minus 12

11138681113868111386811138681113868111386811138681113868


(B16)



prime ϵDEM)




Data Availability




References

































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia






















RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


Documents

Multidivisible Online/Offline Cryptography and Its ...downloads.hindawi.com/journals/scn/2019/1042649.pdf · Online/oˆine cryptography, a fundamental concept for many cryptographic