Professional Documents
Culture Documents
PDF Public Key Infrastructures Services and Applications 9Th European Workshop Europki 2012 Pisa Italy September 13 14 2012 Revised Selected Papers 1St Edition Masaya Yasuda Ebook Full Chapter
PDF Public Key Infrastructures Services and Applications 9Th European Workshop Europki 2012 Pisa Italy September 13 14 2012 Revised Selected Papers 1St Edition Masaya Yasuda Ebook Full Chapter
PDF Public Key Infrastructures Services and Applications 9Th European Workshop Europki 2012 Pisa Italy September 13 14 2012 Revised Selected Papers 1St Edition Masaya Yasuda Ebook Full Chapter
https://textbookfull.com/product/complex-sciences-second-
international-conference-complex-2012-santa-fe-nm-usa-
december-5-7-2012-revised-selected-papers-1st-edition-matthew-
antognoli/
https://textbookfull.com/product/graphical-models-for-security-
second-international-workshop-gramsec-2015-verona-italy-
july-13-2015-revised-selected-papers-1st-edition-sjouke-mauw/
https://textbookfull.com/product/image-and-graphics-9th-
international-conference-icig-2017-shanghai-china-
september-13-15-2017-revised-selected-papers-part-iii-1st-
edition-yao-zhao/
https://textbookfull.com/product/artificial-life-and-
evolutionary-computation-13th-italian-workshop-wivace-2018-parma-
italy-september-10-12-2018-revised-selected-papers-stefano-
cagnoni/
https://textbookfull.com/product/artificial-life-and-
evolutionary-computation-14th-italian-workshop-wivace-2019-rende-
italy-september-18-20-2019-revised-selected-papers-franco-
cicirelli/
https://textbookfull.com/product/advances-in-service-oriented-
and-cloud-computing-workshops-of-esocc-2018-como-italy-
september-12-14-2018-revised-selected-papers-maria-fazio/
Sabrina De Capitani di Vimercati
Chris Mitchell (Eds.)
Public Key
Infrastructures,
LNCS 7868
Services
and Applications
9th European Workshop, EuroPKI 2012
Pisa, Italy, September 2012
Revised Selected Papers
123
Lecture Notes in Computer Science 7868
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen
Editorial Board
David Hutchison
Lancaster University, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Alfred Kobsa
University of California, Irvine, CA, USA
Friedemann Mattern
ETH Zurich, Switzerland
John C. Mitchell
Stanford University, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz
University of Bern, Switzerland
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
TU Dortmund University, Germany
Madhu Sudan
Microsoft Research, Cambridge, MA, USA
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbruecken, Germany
Sabrina De Capitani di Vimercati
Chris Mitchell (Eds.)
Public Key
Infrastructures,
Services
and Applications
9th European Workshop, EuroPKI 2012
Pisa, Italy, September 13-14, 2012
Revised Selected Papers
13
Volume Editors
Sabrina De Capitani di Vimercati
Università degli Studi di Milano
Dipartimento de Informatica
26013 Crema, Italy
E-mail: sabrina.decapitani@unimi.it
Chris Mitchell
University of London, Royal Holloway
Egham, Surrey TW20 0EX, UK
E-mail: c.mitchell@rhul.ac.uk
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of
the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology
now known or hereafter developed. Exempted from this legal reservation are brief excerpts in connection
with reviews or scholarly analysis or material supplied specifically for the purpose of being entered and
executed on a computer system, for exclusive use by the purchaser of the work. Duplication of this publication
or parts thereof is permitted only under the provisions of the Copyright Law of the Publisher’s location,
in its current version, and permission for use must always be obtained from Springer. Permissions for use
may be obtained through RightsLink at the Copyright Clearance Center. Violations are liable to prosecution
under the respective Copyright Law.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
While the advice and information in this book are believed to be true and accurate at the date of publication,
neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or
omissions that may be made. The publisher makes no warranty, express or implied, with respect to the
material contained herein.
Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper
Springer is part of Springer Science+Business Media (www.springer.com)
Preface
These proceedings contain the papers selected for presentation at the 9th Euro-
pean PKI Workshop: Research and Applications, held September 13–14, 2012,
in conjunction with ESORICS 2012, in Pisa, Italy.
In response to the call for papers, 30 papers were submitted to the workshop.
These papers were evaluated on the basis of their significance, novelty, and tech-
nical quality. Each paper was reviewed by at least three members of the Program
committee. Reviewing was double-blind meaning that the Program committee
was not able to see the names and affiliations of the authors, and the authors
were not told which committee members reviewed which papers. The Program
Committee meeting was held electronically, with intensive discussion over a pe-
riod of two weeks. Of the papers submitted, 12 were selected for presentation at
the workshop, giving an acceptance rate of 40%.
There is a long list of people who volunteered their time and energy to put
together the workshop and who deserve acknowledgment. Thanks to all the
members of the Program Committee, and the external reviewers, for all their
hard work in evaluating and discussing papers. We would like to thank Fabio
Martinelli for overall organization as General Chair of ESORICS 2012, Giovanni
Livraga, for taking care of publicity and of the workshop website, Sara Foresti
for collating this volume, and the invited speakers Kenny Paterson and Roberto
Di Pietro. We are also very grateful to all other ESORICS 2012 organizers whose
work ensured a smooth organizational process.
Last, but certainly not least, our thanks go to all the authors who submitted
papers and all the attendees. We hope you find the program stimulating.
General Chair
Fabio Martinelli National Research Council - CNR, Italy
Program Chairs
Sabrina De Capitani Università degli Studi di Milano, Italy
di Vimercati
Chris Mitchell Royal Holloway, University of London, UK
Publicity Chair
Giovanni Livraga Università degli Studi di Milano, Italy
Program Committee
Lejla Batina Radboud University Nijmegen,
The Netherlands
Carlos Blanco Bueno University of Cantabria, Spain
David Chadwick University of Kent, UK
Sherman S.M. Chow University of Waterloo, Canada
Paolo D’Arco University of Salerno, Italy
Bao Feng Institute for Infocomm Research, Singapore
Simone Fischer-Huebner Karlstad University, Sweden
Sara Foresti Università degli Studi di Milano, Italy
Steven Furnell Plymouth University, UK
Peter Gutmann University of Auckland, New Zealand
Ravi Jhawar Università degli Studi di Milano, Italy
Sokratis Katsikas University of Piraeus, Greece
Dogan Kesdogan University of Siegen, Germany
Elisavet Konstantinou University of the Aegean, Greece
Costas Lambrinoudakis University of Piraeus, Greece
Herbert Leitold A-SIT, Austria
Javier Lopez University of Malaga, Spain
Fabio Martinelli National Research Council - CNR, Italy
Catherine Meadows NRL, USA
Stig Mjølsnes NTNU, Norway
Yi Mu University of Wollongong, Australia
Shishir Nagaraja University of Birmingham, UK
VIII Organization
External Reviewers
Au, Man Ho Netter, Michael
Coisel, Iwen Peters, Thomas
Drogkaris, Prokopios Rea, Scott
Fan, Junfeng Riesner, Moritz
Feltz, Michele Seys, Stefaan
Fischer, Lars Slamanig, Daniel
Hassan, Sabri Stengel, Ingo
Heupel, Marcel Vercauteren, Frederik
Karatas, Fatih Vrakas, Nikos
Krautsevich, Leanid Zhao, Jianjie
Table of Contents
Digital Signatures
Cross-Unlinkable Hierarchical Group Signatures . . . . . . . . . . . . . . . . . . . . . . 161
Julien Bringer, Hervé Chabanne, and Alain Patey
1 Introduction
C. Mitchell and S. De Capitani di Vimercati (Eds.): EuroPKI 2012, LNCS 7868, pp. 1–16, 2013.
c Springer-Verlag Berlin Heidelberg 2013
2 M. Yasuda et al.
Related Work: In [6,20], Chen and Nguyen analyzed the security of the FHE
scheme based on ideal lattices (They in [5] also analyzed the security of the
FHE scheme based on integers). In particular, they examined the security of
the Gentry and Halevi’s challenges [13], which are public problems for the FHE
scheme based on ideal lattices. The hardness of lattice problems is essentially
related to the Hermite constant, and lattice problems are easier as the Hermite
constant grows. There are four problems in the Gentry and Halevi’s challenges,
and each problem has Hermite constant 1.67, 1.14, 1.03 and 1.0081 [6, Table
5], respectively (corresponding lattice dimension is 512, 2048, 8192 and 32768,
respectively). They reported on an attack on the toy example with Hermite
constant 1.67 and estimated that the challenge problem with Hermite constant
1.14 should take at most 45 core years. For the challenge problem with Hermite
constant 1.03, they also estimated that it takes at most 68,582 core years. They
suggest that it needs at least 10,000 lattice dimension to guarantee the security
of the FHE scheme based on ideal lattices with an enough margin.
Our Results: In lower dimensions, the FHE scheme based on ideal lattices has
relatively high Hermite constant due to making the scheme to support arbitrary
operations on encrypted data (see [12, Section 10.1] for BDD-hardness parameter
Analysis of Lattice Reduction Attack against the SHE Scheme 3
μ). On the other hand, the Hermite constant of the SHE scheme depends on key
parameters (n, t) mainly determining the possible operations on encrypted data,
where n is the lattice dimension and t is the bit length of coefficients in the secret
key matrix (see §2.3 below for the construction of the SHE scheme). Hence the
SHE scheme of lower dimensions may have both safety and functionality. Our
experimental results show that almost key parameters of dimension 512 or less
are solved by the BKZ algorithm at realistic time. Hence, we conclude that it
needs at least 1024 lattice dimension to apply the SHE scheme to scenarios in
which it needs more than one multiplication on encrypted data. By analysis
based on our experimental results, we show that it needs at least 2048 (resp.
4096) lattice dimension to make the SHE scheme to support 5 (resp. 10) times
multiplication on encrypted data.
denote its associated half-open parallelepiped. We note that the volume of P(B)
is precisely equal to det(L). Furthermore, every lattice L has a unique Hermite
normal form basis HNF(L) = (bij ), where bij = 0 for all i < j, bjj > 0 for all j,
and bij ∈ [−bjj /2, +bjj /2) for all i > j. Given any basis of L, we can compute the
basis HNF(L) by Gaussian elimination. Note that the basis HNF(L) typically
serves as the public key representation of the lattice (see [18] for example).
A lattice reduction algorithm is an algorithm that takes a basis of L as input,
and outputs a basis B = [b1 , . . . , bn ]t of L with short and nearly orthogonal
4 M. Yasuda et al.
Encrypt: To encrypt a bit b ∈ {0, 1} with the public key matrix B, we first choose
a random noise vector u = (u0 , u1 , . . . , un−1 ) with each entry ui ∈ {0, 1}.
Note that the number of nonzero entries in the noise vector u is always
between 15 and 20 in the setting of Gentry and Halevi [12, Section 5.2]. We
set a = 2u + b · e = (2u0 + b, 2u1 , . . . , 2un−1 ) with e = (1, 0, . . . , 0). Then a
ciphertext is given by the vector
c = a mod B := a − a × B −1 × B ∈ P(B),
a = c mod V = c − c × V −1 × V (3)
Note that we can recover the masked plaintext a if the vector a is included
in the set P(V ) (see [12, Section 6] for details). We then output a0 mod 2 as
the decryption result, where a0 denotes the first entry of the vector a.
Evaluate: Let c1 = (c1 , 0, . . . , 0), c2 = (c2 , 0, . . . , 0) be two ciphertexts. The op-
eration on encrypted data for the addition circuit Add is defined by
Note that the right-hand side of the above equation is equal to c1 +c2 mod B,
where c1 + c2 denotes the addition of the corresponding polynomials in
the ring R. Similarly, we define the operation on encrypted data for the
multiplication circuit Mul.
a1 + a2 = (b1 + b2 ) · e + 2(u1 + u2 ) ∈ R,
noise vector
a1 × a2 = (b1 · b2 ) · e + 2(b1 · u2 + b2 · u1 ) + 4u1 × u2 ∈ R.
noise vector
We note that the above two vectors are the masked plaintexts corresponding to the
operated ciphertexts Evaluate(c1 , c2 , Add, B) and Evaluate(c1 , c2 , Mul, B), re-
spectively. Since we can decrypt a ciphertext if the corresponding masked plain-
text is included in the set P(V ), it is possible to add and multiply ciphertexts
Analysis of Lattice Reduction Attack against the SHE Scheme 7
plaintext b .............................................................................................
masked plaintext a .................................................................................
ciphertext c
.. . ..
......... ........ ..
... mod2 ..
.. modV ....
......
........... ..
..
............
.
. .
.......................................................................................................................................................................................................................................................................................................................................................... .
.. ..
... .
Decryption (V : the secret key matrix) .... ...
........ .....
...................................................................................................................................
Attack to get a without V
Fig. 1. The construction of the SHE scheme (§2.3) and the attack (§3.1)
before the size of the noise vector grows in the corresponding masked plaintext
beyond the decryption radius 2t of the secret key matrix V (see [12, Section 2.4]
for details). We see from the above two equations that multiplication on encrypted
data makes the size of the noise vector in the masked plaintext to grow quite larger
than addition.
From their experiments, Gentry and Halevi evaluate the possible operations
of the SHE scheme as follows [12, Section 7]: To handle the operation represented
by a polynomial of degree d with m variables, we roughly need to set the bit
length t so that
m
2 t ≥ cd × , (4)
d
where c is close to the minimal Euclidean norm of masked plaintexts (note that
c is not really
√ a constant). Since the minimal Euclidean norm is approximately
equal to 2 20 ≈ 9 from Encrypt of §2.3, we here assume c = 9 for the sake of
simplicity (assume that the number of the nonzero entries of the noise vectors
u is always between 15 and 20). Note that the possible operations on encrypted
data decrease as the number of the nonzero entries of the noise vectors increases.
By the inequality (4), we need to set t ≥ 20 (resp. t ≥ 35) in making the SHE
scheme to support 5 (resp. 10) times multiplication on encrypted data.
and let L = L(C) denote the lattice generated by C. Note that C is generated
only by (B, c). Let a be the masked plaintext corresponding to c. Since we have
c = a + v for some v ∈ L, the vector v := (c − v, 1) = (a, 1) is an element of L .
Note that we have ||v || ≈ 9 from Encrypt of §2.3. Since the size of v is very small,
we may assume that v is a non-zero shortest vector of L . We next reduce the
matrix C by a lattice reduction algorithm, and let red(C) = [b1 , . . . , bn+1 ]t be the
reduced basis of L such that b1 is the smallest vector among b1 , . . . , bn+1 ∈ L .
Then we have b1 = kv with k ∈ Z if the lattice reduction algorithm has enough
quality to output very small lattice vector b1 . Since we see the constant k from
the last coefficient of b1 , we can get the vector v from b1 and hence find the
masked plaintext a corresponding to the ciphertext c. Hence we get the plaintext
b = a mod 2 only from (B, c) (without the secret key).
We get the masked plaintext a = (3, 0, 2, 2) from the first row of the reduced
matrix. Therefore we get b = 3 mod 2 = 1 only from (B, c) in this example.
Algorithm 1. The attack against the SHE scheme by lattice reduction algorithm
Input: (n, t, ), where n is the lattice dimension which must be a power of two, t is
the bit length of coefficients in the secret key matrix, and is the frequency of the
attack.
Output: The success probability p of the attack.
1: Generate key pair (V, B):
2: for i = 1 to do
3: Generate a ciphertext c:
– For a randomly chosen plaintext b ∈ {0, 1}, choose a random noise vector
u such that the number of nonzero entries in u is always 15 (cf. Encrypt
of §2.3). Set a = 2u + b · e and compute a ciphertext c = a mod B. Note
that we have ||a|| ≈ 8 in our setting. Furthermore, reduce the ciphertext c
module LLL(B): c = c mod LLL(B).
4: Attack to get a without the secret key matrix V (see §3.1 for the method of the
attack):
LLL(B) t 0
– Consider an (n + 1) × (n + 1)-matrix C given by C = as the
c 1
equation (5).
– We reduce the matrix C by lattice reduction algorithm (use either the LLL
or the BKZ algorithm in our experiments). In the case where the first row of
the reduced matrix is proportional to the vector v = (a, 1), let m ← m + 1.
This case means that it succeeded to get a without V , and hence to get b.
5: end for
6: Output the success probability p = m/ × 100 (%) of the attack.
vector u. Assume that the number of the nonzero entries of u is always 15 in our
experiments. In Step 4, we attack to get the masked plaintext a corresponding to
c without the secret key matrix V (see §3.1 for the method of the attack). Note
that we need to select either the LLL or the BKZ algorithm for the attack in
this step (see Table 1 for the selection). We repeat Step 3 and 4 for times (see
Step 2-5). In Step 6, we output the success probability p of the attack defined
by p = m/ × 100 (%), where m is the success frequency of the attack. Note that
we compute the reduced public key matrix LLL(B) in Step 1 and use it in Step
4 for speeding up the computation. Note that this speed-up does not influence
the success probability of the attack.
We implemented Algorithm 1 by using the NTL library [25], in which both the
LLL and the BKZ algorithms are implemented. We also used the GMP library
10 M. Yasuda et al.
Table 2. Average running time of Step 4 of Algorithm 1 in the case n = 512 (Ex-
periment was conducted in a CPU Intel Xeon X3460 running at 2.80GHz with 8GB
memory)
as the primary long integer package (see [25, A Tour of NTL: Using NTL with
GMP]). In the NTL library, there are exact-arithmetic variants and a number
of floating point variants for the LLL algorithm. Since the floating point variant
G LLL XD is faster than the exact-arithmetic variant LLL, we used G LLL XD in
the cases n = 128 and 256. However, we used the exact-arithmetic variant LLL
in the case n = 512 because of precision problems [25]. We took δ = 0.99 as
the reduction parameter of the LLL algorithm in all cases. Similarly to the LLL
algorithm, there are a number of variants for the BKZ algorithm. In our exper-
iments, we used the arbitrary precision floating point variant BKZ RR, which
is useful for large precision and magnitudes. We took the default parameters in
the NTL library as input of BKZ RR (the blocksize β = 10 and the reduction
parameter δ = 0.99 etc., see [25] for details). Since the Hermite factor of the
BKZ algorithm with β = 10 is very close to that with β = 20 [9, Fig. 5], we
expect that our experiments with β = 10 are applied for estimating the attack
of the BKZ algorithm with β ≈ 20.
) 80 ) 80
% 79.65 %
( (
y 70
ty 70
itil iil
b 60 b 60
a a
b b
o
r 50 o
r 50
p p
s 40 s 40
s s
e e
c c 30 31.8
c 30 c
u u
s s 20
20
LLL 10
LLL
10
4.62 Av. of LLL Av. of LLL
0 0 0 0 0
4 5 6 7 8 11 12 13 14 15
bit length t of coefficients in the secret key matrix bit length t of coefficients in the secret key matrix
Fig. 2. Experimental results on the success probability by the LLL algorithm in the
cases n = 256 and 512
Furthermore, for each pair (n, t) of key parameters of the SHE scheme, we also
give the average success probability of the attack for 10 key patterns in Fig. 2
and 3. Table 2 shows average running time of Step 4 of Algorithm 1 in the case
n = 512. Note that once we precompute the reduced public key matrix LLL(B),
we only have to compute Step 4 of Algorithm 1 to get the plaintext b without
the secret key matrix. Our experimental results show the followings:
– We see from Fig. 2 and 3 that the success probability of the attack increases
as the bit length t grows. This implies by the inequality (4) that the more
plentiful the possible operations of the SHE scheme over encrypted data, the
higher the success probability of the attack becomes.
– We see from Fig. 2 that almost all key parameters (n, t) were solved by the
LLL algorithm in the case n = 256. Furthermore, we see from Fig. 3 that key
parameters (n, t) with n = 512 and t ≥ 7 were solved by the BKZ algorithm
with β = 10 at realistic time (see Table 2). Therefore, to make the SHE
scheme to support more than one multiplication over encrypted data, we
need to set n ≥ 1024 by the inequality (4).
In this section, we study the hardness of the lattice problem ensuring the security
of the SHE scheme based on our experimental results, and estimate the key
parameters (n, t) which can be solved by the LLL and the BKZ algorithms. The
lattice problem ensuring the security of the SHE scheme is as follows (BDDP =
Bounded Distance Decoding Problem, see also [12, Section 2.1]):
) 80 ) 80
%
(% (
70
y 70 y
tli tli
i i
b 60 b 60
a a
b b
o
ro 50 r
p
50
p
ss s 40
40 s
e e
c c 30
c 30 c
u
s u
s
20 20
BKZ 10 10
BKZ 10
10
Av. of BKZ 10 0.5 Av. of BKZ 10
0 0 0
4 5 6 7 8 6 7 8 9 10
bit length t of coefficients in the secret key matrix bit length t of coefficients in the secret key matrix
To study the hardness of γ-BDDP, we give the following lattice problem (uSVP
= unique Shortest Vector Problem, see also [9, Section 2.2]):
Definition 2 (δ-uSVP). Given a lattice L of dimension n and a gap δ > 1
such that λ2 (L)/λ1 (L) ≥ δ, find a non-zero shortest vector of L, where λi (L)
denotes the i-th minimum of L defined by the minimum of max1≤j≤i ||v j || over
all i linearly independent lattice vectors v 1 , . . . , v i ∈ L.
Table 3. The uSVP gap δ(n, t) and the average success probability of the attack by
the LLL algorithm (see Fig. 2 for the average success probability of the attack)
Table 4. Same as Table 3, but by the BKZ algorithm with β = 10 (see Fig. 3 for the
average success probability of the attack)
λ1 (L) n det(L)1/n n
δ ≤ ≈ · ≈γ· =: δ(n, t) (7)
μ2 + 1 2πe min ||a|| 2πe
by the assumption that v is a shortest vector of L . We here assume that the
lattice L generated by the public key matrix B has the property same as random
lattices. Note that uSVP becomes easier as the gap grows. To evaluate the SHE
scheme more safely, we here consider δ(n, t) defined in (7) as the uSVP gap
instead of δ .
δLLL = cLLL · 1.018n and δBKZ = cBKZ · 1.01n (∃cLLL , cBKZ > 0)
as the minimum gap for which we can solve uSVP by the LLL algorithm and
the BKZ algorithm with β ≈ 20, respectively (see §2.1 for the Hermite factor of
14 M. Yasuda et al.
the LLL and the BKZ algorithms). In our experiments, we set min ||a|| ≈ 8 (see
Step 3 of Algorithm 1). Therefore we can reduce the lattice problem ensuring
the security of the SHE scheme to uSVP with the gap
n
δ(n, t) = 2t−3 · (8)
2πe
by (6) and (7). Table 3 and 4 show the uSVP gap δ(n, t) and the average success
probability of the attack in our experiments. Since the value δLLL = cLLL ·
1.018n must be close to the minimum gap δ(n, t) for which the average success
probability of the attack by the LLL algorithm is greater than 0%, we have
from Table 3. Note that we choose not (n, t) = (512, 13) but (256, 5) to evaluate
the SHE scheme more safely. By a similar argument, we have
from Table 4. Therefore we roughly estimate that we can solve the lattice problem
ensuring the security of the SHE scheme by the LLL algorithm (resp. the BKZ
algorithm with β ≈ 20) if δLLL ≤ δ(n, t) with cLLL = 0.16 (resp. δBKZ ≤ δ(n, t)
with cBKZ = 0.54). From the above arguments, we can consider
as the set of key parameters (n, t) which are feasible to be solved by the LLL
algorithm and the BKZ algorithm with β ≈ 20, respectively. In Fig. 4, we show
the area of TLLL and TBKZ with n = 1024, 2048, 4096 and 8192.
250
LLL
206.75
200 BKZ with block size around 20
t
150
th
gn
e
l 115.26
ti 100 101.82
b
56.96
50 49.61
23.76 28.06
13.86
0
1024 2048 4096 8192
lattice dimension n
Fig. 4. The area of TLLL and TBKZ (the key parameters (n, t) in the upper left area
are feasible to be solved by the LLL algorithm and the BKZ algorithm with β ≈ 20,
respectively)
References
1. Ajtai, M.: Generating random lattices according to the invariant distribution. Draft
of March 2006 (2006)
2. Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic en-
cryption without bootstrapping. In: Proceedings of the 3rd Innovations in Theo-
retical Computer Science Conference, ITCS 2012, pp. 309–325. ACM (2012)
3. Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from ring-LWE
and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011.
LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011)
4. Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from
(standard) LWE. In: Symposium on Foundations of Computer Science, FOCS 2011,
pp. 97–106. IEEE (2011)
5. Chen, Y., Nguyen, P.Q.: Faster Algorithms for Approximate Common Divi-
sors: Breaking Fully-Homomorphic-Encryption Challenges over the Integers. In:
Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp.
502–519. Springer, Heidelberg (2012)
6. Chen, Y., Nguyen, P.Q.: BKZ 2.0: Better lattice security estimates. In: Lee, D.H.,
Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidel-
berg (2011)
7. Coron, J.-S., Mandal, A., Naccache, D., Tibouchi, M.: Fully homomorphic encryp-
tion over the integers with shorter public keys. In: Rogaway, P. (ed.) CRYPTO
2011. LNCS, vol. 6841, pp. 487–504. Springer, Heidelberg (2011)
16 M. Yasuda et al.
8. van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully homomorphic
encryption over the integers. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS,
vol. 6110, pp. 24–43. Springer, Heidelberg (2010)
9. Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N.P. (ed.) EU-
ROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008)
10. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Symposium on
Theory of Computing, STOC 2009, pp. 169–178. ACM (2009)
11. Gentry, C.: A fully homomorphic encryption scheme (2009) (manuscript)
12. Gentry, C., Halevi, S.: Implementing Gentry’s fully-homomorphic encryption
scheme. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp.
129–148. Springer, Heidelberg (2011)
13. Gentry, C., Halevi, S.: Public Challenges for Fully-Homomorphic Encryption,
http://researcher.ibm.com/view_project.php?id=1548
14. IBM Press release,
http://www-03.ibm.com/press/us/en/pressrelease/27840.wss
15. Kannan, R.: Improved algorithms for integer programming and related lattice prob-
lems. In: Symposium on Theory of Computing, STOC 1983, pp. 193–206. ACM
(1983)
16. Lauter, K., Naehrig, M., Vaikuntanathan, V.: Can Homomorphic Encryption be
Practical? In: Proceedings of the 3rd ACM Workshop on Cloud Computing Security
Workshop, CCSW 2011, pp. 113–124. ACM (2011)
17. Lenstra, A.K., Lenstra, H.W., Lovasz, L.: Factoring polynomials with rational co-
efficients. Math. Ann. 261, 515–534 (1982)
18. Micciancio, D.: Improving lattice based cryptosystems using the hermite normal
form. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 126–145. Springer,
Heidelberg (2001)
19. Nguyen, P.Q.: Cryptanalysis of the Goldreich-Goldwasser-Halevi Cryptosystem
from Crypto’97. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp.
288–304. Springer, Heidelberg (1999)
20. Nguyen, P.Q.: Lattice reduction algorithms: Theory and practice. In: Paterson,
K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 2–6. Springer, Heidelberg
(2011)
21. Paillier, P.: Public-key cryptosystems based on composite degree residuosity
classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238.
Springer, Heidelberg (1999)
22. Rivest, R., Shamir, A., Adelman, L.: A method for obtaining digital signatures and
public-key cryptosystems. Communications of the ACM 21, 120–126 (1978)
23. Schnorr, C.-P., Euchner, M.: Lattice basis reduction: improved practical algorithms
and solving subset sum problems. Math. Programming 66, 181–199 (1994)
24. Schnorr, C.-P., Hörner, H.H.: Attacking the Chor-Rivest cryptosystem by improved
lattice reduction. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995.
LNCS, vol. 921, pp. 1–12. Springer, Heidelberg (1995)
25. Shoup, V.: Number Theory C++ Library (NTL) version 5.5.2,
http://www.shoup.net/ntl/
26. Smart, N.P., Vercauteren, F.: Fully homomorphic encryption with relatively small
key and ciphertext sizes. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS,
vol. 6056, pp. 420–443. Springer, Heidelberg (2010)
Group Key Exchange Resilient to Leakage
of Ephemeral Secret Keys with Strong
Contributiveness
1 Introduction
A group key exchange (GKE) protocol enables users to set up a common secret
key. It is useful in applications with multiple users, such as video conferences,
secure multicast, etc. Historically, there are three security goals considered for
GKE, which we briefly explain below.
A basic security requirement for group key exchange is authenticated key
exchange security (AKE-security) [2,3,13,11], which concerns the privacy of the
session key. Another security requirement is called mutual authentication (MA-
security) [12,6,5,9], which states that each honest user should agree on the same
Contact author. Supported by the Fund of the National Science Foundation of
China (No. 61100225), IIEs Cryptography Research Project (No. Y2Z0011102),
the Strategic Priority Research Program of the Chinese Academy of Sciences (No.
XDA06010701) and the One Hundred Person Project of the Chinese Academy of
Sciences.
C. Mitchell and S. De Capitani di Vimercati (Eds.): EuroPKI 2012, LNCS 7868, pp. 17–36, 2013.
c Springer-Verlag Berlin Heidelberg 2013
18 C. Chen, Y. Guo, and R. Zhang
key, even in the presence of malicious insiders. Apart from that for a two-party
counterpart, usually AKE-security cannot guarantee MA-security in the group
GKE setting.
A third security notion is contributiveness against malicious insiders which
we want to explain a little more. A GKE protocol with contributiveness ensures
that a proper subset of insiders cannot predetermine the session key. Since GKE
is different from key distribution protocol: in a key distribution protocol, the
session key is chosen by a single trusted party and transmitted to the other par-
ties, and in a GKE protocol parties interact with each other in order to compute
the key. In addition, none of the GKE protocol participants is trusted to choose
the group key on behalf of other participants. This trust relationship implies the
main difference between group key exchange and group key distribution proto-
cols. Obviously, some misbehaving participants in a GKE protocol may try to
influence the resulting group key, thereby disrupting this trust relationship, and
also causing further security threats. For example, lack of contributiveness may
allow malicious insiders to establish “covert channels” by fixing the probability
distribution of the session key agreed with a collaborating outsider beforehand
[18,8]. If the session key is to be used for the purpose of achieving confidentiality
or authentication of future communication, this will allow a misbehaving insider
to leak the sensitive information without communicating with the outsider after
the protocol session begins.
Another security related to contributiveness, key control, was defined in [17] in
the context of two-party key exchange against malicious insiders, requiring that
an adversary should not influence the group key computation significantly. Later,
Ateniese et al. introduced a notion called contributory group key agreement,
saying each player in a GKE protocol equally contributes to the session key thus
guarantees its freshness. Bohli et al. [6] and Bresson and Manulis [4] unified these
definitions into their own model, called contributiveness. A GKE protocol with
contributiveness ensures that a proper subset of insiders cannot predetermine
the session key. Recently Gorantla et al. [10] extended contributiveness to the
UC framework.
We note that the definitions of contributiveness [6,4,5] still allow some ma-
licious insiders predetermine partial (or several bits) of the session key. Some
misbehaving participants can still influence the distribution of the session key
thus key freshness can never be guaranteed in a real sense. Even worse, if the
session key is used in conjunction with other cryptographic constructions like
encryption schemes or message authentication codes (MACs), one cannot guar-
antee whether those schemes are secure, since the session keys are not chosen
from the correct distributions.
Another importance issue in GKE is session information leakage. Most previ-
ous GKE works [2,3,13,11] allow the adversary to learn session state through a
single query but restricting the leakage of ephemeral secrets to sessions for which
the adversary does not need to distinguish the key. [15] present a GKE model
to accommodate leakage of ephemeral secrets against the target session. How-
ever, the model restricts the adversary making queries on session state. Their
Group Key Exchange Resilient to Leakage of Ephemeral Secret Keys 19
Inspired by Manulis et al.’s work [15], we propose a stronger model for GKE pro-
tocols that considers stronger adversary model and security goals in the presence
of malicious participants.
Protocol Sessions and Instances. Any subset of U can decide at any time to
execute a new protocol session and establish a common group key. Participation
of some U ∈ U in multiple sessions is modeled through a number of instances
{ΠUs |s ∈ [1, . . . , n], U ∈ U}, i.e. the ΠUs is the s-th session of U .
Each instance is invoked via a message to U with a unique session identifier.
We assume that the session identifier is derived during the run of the protocol.
The session identifier of an instance ΠUs is denoted by sidsU . This value is known
to all oracles participating in the same session. We assume that each party knows
the other participants for each protocol instance. Similarly, the partner identifier
of an instance ΠUs denotes pidsU , which contains the identities of participating
users (including U ). In the invoked session ΠUs accepts if the protocol execution
is successful, in particular ΠUs holds then the computed group key SKUs .
Session state. Every ΠUs maintains an internal state information statesU which is
composed of all private, ephemeral information used during the protocol execu-
tion excluding the long-lived key skU (moreover the long-lived key is specific to
Another random document with
no related content on Scribd:
“Origami”—free form. Danree Productions. 12 min., sd., color, 16
mm. © Danree Productions; 1Mar74 (in notice: 1973); MP25724.
MP25725.
Interpersonal process recall. A Media Associates production. 25
min., sd., color, 16 mm. Appl. au.: Norman I. Kagan. © Norman I.
Kagan; 15Dec73; MP25725.
MP25726.
Busch Gardens West. Gardner Advertising Company. 14 min., sd.,
color, 16 mm. © Anheuser-Busch, Inc.; 1Apr74; MP25726.
MP25727.
The Emerging woman. Women’s Film Project. 40 min., sd., b&w,
16 mm. NM: compilation & additions. © The Women’s Film Project;
1Apr74; MP25727.
MP25728.
Safety for the new employee. A Marshall Maintenance production.
23 min., sd., color, 16 mm. © Marshall Maintenance; 30Dec73;
MP25728.
MP25729.
Heart attack. National Broadcasting Company, Inc. 51 min., sd.,
color, 16 mm. © National Broadcasting Company, Inc.; 18Jul74;
MP25729.
MP25730.
Tools for cutting: stone axes to lasers. Coronet Instructional
Media, a division of Esquire, Inc. 22 min., sd., color, 16 mm. ©
Coronet Instructional Media, a division of Esquire, Inc.; 10Jun74;
MP25730.
MP25731.
Building better paragraphs. Coronet Instructional Media, a
division of Esquire, Inc. 2nd ed. 12 min., sd., color, 16 mm. ©
Coronet Instructional Media, a division of Esquire, Inc.; 12Jun74;
MP25731.
MP25732.
Listen well, learn well. Coronet Instructional Media, a division of
Esquire, Inc. 2nd ed. 12 min., sd., color, 16 mm. © Coronet
Instructional Media, a division of Esquire, Inc.; 31May74; MP25732.
MP25733.
Pankin and child, day of tournament. Colgate Palmolive Company.
Made by William Esty Company, Inc. 30 sec., sd., color, 16 mm. ©
Colgate Palmolive Company; 20Apr74; MP25733.
MP25734.
Christ’s church through the ages. Motion Picture Department,
Brigham Young University. 18 min., sd., color, 16 mm. © Brigham
Young University; 25Apr74; MP25734.
MP25735.
Volunteer. Pfizer, Inc. 30 sec., sd., color, 16 mm. © Pfizer, Inc.;
1Jan73 (in notice: 1972); MP25735.
MP25736.
A Place for Aunt Lois. Wombat Productions, Inc. 17 min., sd.,
color, 16 mm. © Wombat Productions, Inc.; 17Jan74; MP25736.
MP25737.
Programming in a VS environment. Pt. 2. Edutronics Systems
International. 9 min., sd., color, 16 mm. (Virtual storage concepts) ©
Edutronics Systems International, Inc.; 13Aug74; MP25737.
MP25738.
The Shakers. Tom Davenport Films. 29 min., sd., color, 16 mm.
Appl. au.: Tom Davenport. © Tom Davenport Films; 1Jul74;
MP25738.
MP25739.
The Combination set. Visual Instruction Productions, a
department of Victor Kayfetz Productions, Inc. 13 min., sd., color, 16
mm. Prev. pub. 15Oct73, MP24550–24553. NM: compilation,
abridgement & editorial revision. © Victor Kayfetz Productions, Inc.;
15Jun74; MP25739.
MP25740.
The Combination square. L. S. Stannett Company. Made by Visual
Instruction Productions, a department of Victor Kayfetz Productions.
13 min., sd., color, 16 mm. Prev. pub. 15Oct73, MP24554–24557.
NM: compilation, abridgement & editorial revision. © Victor Kayfetz
Productions, Inc.; 15Jun74; MP25740.
MP25741.
The Bevel protractor. L. S. Stannett Company. Made by Visual
Instruction Productions, a department of Victor Kayfetz Productions.
13 min., sd., color, 16 mm. Prev. pub. 15Oct73, MP24558–24562.
NM: compilation, abridgement & editorial revision. © Victor Kayfetz
Productions, Inc.; 15Jun74; MP25741.
MP25742.
Evolution of the red star. Adam K. Beckett. 7 min., sd., color, 16
mm. © Adam K. Beckett; 28Nov73; MP25742.
MP25743.
Heavy-light. Adam K. Beckett. 7 min., sd., color, 16 mm. © Adam
K. Beckett; 18Oct73; MP25743.
MP25744.
Sausage City. Adam K. Beckett. 6 min., sd., color, 16 mm. © Adam
K. Beckett; 25Mar74; MP25744.
MP25745.
Flesh flows. Adam K. Beckett. 7 min., sd., color, 16 mm. © Adam
K. Beckett; 25Mar74; MP25745.
MP25746.
Friend. Avon Products. Made by UniWorld Group, Inc. 30 sec., sd.,
color, 16 mm. © Avon Products, Inc.; 13Aug74; MP25746.
MP25747.
Report on Greece. Time, Inc. 18 min., sd., b&w, 16 mm. (The
March of time, vol. 12, no. 7) © Time, Inc.; 22Feb46; MP25747.
MP25748.
Freedom. Corridor Productions, Inc. 3 min., sd., color, 16 mm.
(Contemporary values series) © Corridor Productions, Inc.;
23Aug74; MP25748.
MP25749.
Truth. Corridor Productions, Inc. 3 min., sd., color, 16 mm.
(Contemporary values series) © Corridor Productions, Inc.;
23Aug74; MP25749.
MP25750.
Peace child. Prairie Bible Institute in cooperation with Regions
Beyond Missionary Union. 28 min., sd., color, 16 mm. Appl. au.:
Edward G. Tizzard. © Edward G. Tizzard; 25Mar74; MP25750.
MP25751.
The Missed period. Population Dynamics. 12 min., sd., color, 16
mm. © Population Dynamics; 30Apr74; MP25751.
MP25752.
Nutrition and black Americans. Lee Creative Communications,
Inc. 28 min., sd., color, 16 mm. © Lee Creative Communications,
Inc.; 4May74; MP25752.
MP25753.
Poisonous plants. The Arnold Arboretum of Harvard University.
26 min., sd., color, 16 mm. © The President and Fellows of Harvard
College; 1Apr74; MP25753.
MP25754.
Indian conversation. Lucyann Kerry. 13 min., sd., color, 16 mm. ©
Lucyann Kerry; 1Jun74; MP25754.
MP25755.
Basket builder. Lucyann Kerry. 12 min., sd., color, 16 mm. ©
Lucyann Kerry; 15Jan74; MP25755.
MP25756.
Hot on the job. Diverse Industries, Inc. 12 min., si., b&w, Super 8
mm. © Diverse Industries, Inc.; 15Dec73; MP25756.
MP25757.
Patrol procedures 5: Nondomestic field problems. Woroner Films,
Inc. 22 min., sd., color, 16 mm. (Officer training) Add. ti.: Patrol
procedures 5: Field problems. © Woroner Films, Inc.; 24Aug73;
MP25757.
MP25758.
Pursuit driving, Defensive driving 4. Woroner Films, Inc. 25 min.,
sd., color, 16 mm. (Officer training) Add. ti.: Defensive driving 4:
Pursuit driving. © Woroner Films, Inc.; 21Sep73; MP25758.
MP25759.
Patrol procedures 4: Special situations. Woroner Films, Inc. 25
min., sd., color, 16 mm. (Officer training) © Woroner Films, Inc.;
18May73; MP25759.
MP25760.
Mountain family in Europe. Institut fuer Film und Bild.
Distributed by Films, Inc. 9 min., sd., color, 16 mm. (Man and his
world series) Appl. au.: Public Media, Inc. NM: abridgment. ©
Public Media, Inc.; 7Jun71; MP25760.
MP25761.
Measuring blood pressure, an introduction for paramedical
personnel. Merck, Sharp and Dohme. 10 min., sd., color, 16 mm.
Add. ti.: Measuring blood pressure, a guide for paramedical
personnel. © Merck, Sharp and Dohme, division of Merck and
Company, Inc. (in notice: Merck and Company, Inc.); 1May74;
MP25761.
MP25762.
Hans/Woodcrafter. William Esty Company, Inc. 30 sec., sd., color,
16 mm. © Colgate Palmolive Company; 6Oct73; MP25762.
MP25763.
Hans/Woodcrafter. William Esty Company, Inc. 1 min., sd., color,
16 mm. NM: additions. © Colgate Palmolive Company; 28Oct73;
MP25763.
MP25764.
Garner Ted Armstrong. Program 584. Worldwide Church of God.
29 min., sd., color, videotape (3/4 inch) © Worldwide Church of
God; 22Apr74; MP25764.
MP25765.
Garner Ted Armstrong. Program 545. Ambassador College. 29
min., sd., color, videotape (3/4 inch) in cassette. © Ambassador
College; 22Jan74; MP25765.
MP25766.
Garner Ted Armstrong. Program 458. Ambassador College. 28
min., sd., color, videotape (3/4 inch) in cassette. © Ambassador
College; 24Aug73; MP25766.
MP25767.
Birds of Bharatpur. A Don Meier production. 23 min., sd., color, 16
mm. (Mutual of Omaha’s Wild kingdom) Appl. author: Mutual of
Omaha. © Mutual of Omaha; 13Sep74; MP25767.
MP25768.
Brink of extinction. A Don Meier production. 23 min., sd., color, 16
mm. (Mutual of Omaha’s Wild kingdom) Appl. author: Mutual of
Omaha. © Mutual of Omaha; 4Oct74; MP25768.
MP25769.
Control and extinguishment of LNG spills and spill fires at high
LNG boil-off rates. American Gas Association. 15 min., si., color, 16
mm. © American Gas Association; 8May74; MP25769.
MP25770.
Concepts of data control. Edutronics Systems International, Inc. 8
min., sd., color, 16 mm. © Edutronics Systems International, Inc.;
2Aug74; MP25770.
MP25771.
The Data control function. Edutronics Systems International, Inc.
10 min., sd., color, 16 mm. (Data control) © Edutronics Systems
International, Inc.; 24Jun74; MP25771.
MP25772.
Debugging techniques. Edutronics Systems International, Inc. 11
min., sd., color, 16 mm. (Data communications) © Edutronics
Systems International, Inc.; 2Aug74; MP25772.
MP25773.
The 129 card data recorder. Edutronics Systems International, Inc.
12 min., sd., color, 16 mm. (Keypunch I/O) Add. ti.: The 129 data
recorder. © Edutronics Systems International, Inc.; 14Aug74;
MP25773.
MP25774.
The 029 data transcribing device. Edutronics Systems
International, Inc. 13 min., sd., color, 16 mm. (Keypunch I/O) ©
Edutronics Systems International, Inc.; 10Jul74; MP25774.
MP25775.
Mechanical models of psychotherapy. Division of Instructional
Aids, University of Oregon Medical School. 33 min., sd., color,
videotape (3/4 inch) in cassette. Appl. author: Paul H. Blachly. ©
Paul H. Blachly; 23Sep74; MP25775.
MP25776.
Handi Wipes 1001 uses with bowling tag. Colgate Palmolive
Company. 30 sec., sd., color, 16 mm. © Colgate Palmolive Company;
15Jul74; MP25776.
MP25777.
Handi Wipes 1001 uses, revised. Colgate Palmolive Company. 30
sec., sd., color, 16 mm. © Colgate Palmolive Company; 15Jul74;
MP25777.
MP25778.
VSAM macro coding and debugging. International Business
Machines Corporation. 58 min., sd., color, videotape (1/2 inch) in
cassette. (IBM independent study program) © International
Business Machines Corporation, accepted alternative: IBM
Corporation; 25Mar74; MP25778.
MP25779.
VSAM concepts and access method services usage (DOS/VS)
International Business Machines Corporation. 34 min., sd., color,
videotape (1/2 inch) in cassette. (IBM independent study program)
© International Business Machines Corporation, alternative
designation: IBM Corporation; 25Mar74; MP25779.
MP25780.
Basic shooting techniques. Sports Instruction Aids. 6 min., sd.,
color, 16 mm. © Sports Instruction Aids; 15Nov73; MP25780.
MP25781.
Fakes and drives. Sports Instruction Aids. 6 min., sd., color, 16
mm. © Sports Instruction Aids; 15Nov73; MP25781.
MP25782.
Jump shot from the dribble. Sports Instruction Aids. 5 min., sd.,
color, 16 mm. Add. ti.: Jump from the dribble. © Sports Instruction
Aids; 15Nov73; MP25782.
MP25783.
Close to the basket moves. Sports Instruction Aids. 6 min., sd.,
color, 16 mm. © Sports Instruction Aids; 15Nov73; MP25783.
MP25784.
Free throws. Sports Instruction Aids. 6 min., sd., color, 16 mm. ©
Sports Instruction Aids; 15Nov73; MP25784.
MP25785.
Alpen satisfied revised. Colgate Palmolive Company. 30 sec., sd.,
color, 16 mm. Add. ti.: I’m satisfied revised. © Colgate Palmolive
Company; 1Sep74; MP25785.
MP25786.
Dominion. Stan Brakhage. 5 min., si., color, 16 mm. © Stan
Brakhage; 24Sep74; MP25786.
MP25787.
The Nature and control of canine hookworm disease. Jensen-
Salsbery Laboratories Division, division of Richardson-Merrell, Inc.
17 min., sd., color, 16 mm. © Jensen-Salsbery Laboratories Division,
division of Richardson-Merrell, Inc.; 22Jul74 (in notice: 1973);
MP25787.
MP25788.
Pinocchio’s birthday party. Family Entertainment Corporation
presentation. Made by Intercom Films, Ltd. Released by K-tel
Motion Pictures. 85 min., sd., color, 35 mm. © Family
Entertainment Corporation; 10Aug74 (in notice: 1973); MP25788.
MP25789.
Food: more for your money. Alfred Higgins Productions, Inc. 14
min., sd., color, 16 mm. © Alfred Higgins Productions, Inc.; 1Oct74;
MP25789.
MP25790.
Examination of the foot. The American Humane Association. 11
min., sd., color, videotape (3/4 inch) in cassette. (Introduction to
horse care) © The American Humane Association; 1Jun74 (in notice:
1973); MP25790.
MP25791.
Loading and transportation. The American Humane Association.
13 min., sd., color, videotape (3/4 inch) in cassette. (Introduction to
horse care) © The American Humane Association; 1Jun74 (in notice:
1973); MP25791.
MP25792.
Haltering and restraint. The American Humane Association. 14
min., sd., color, videotape (3/4 inch) in cassette. (Introduction to
horse care) © The American Humane Association; 1Jun74 (in notice:
1973); MP25792.
MP25793.
Flight. Stan Brakhage. 5 min., si., color, 16 mm. © Stan Brakhage;
13Aug74; MP25793.
MP25794.
Kaybolt Wrecking Company. Division of Archives, History and
Records Management, Florida Department of State. Made by Joyous
Lake, Inc. 28 min., sd., color, 16 mm. © Division of Archives, History
and Records Management, Florida Department of State; 21Mar74;
MP25794.
MP25795.
Respect. Corridor Productions, Inc. 3 min., sd., color, 16 mm.
(Contemporary values series) © Corridor Productions, Inc.;
23Aug74; MP25795.
MP25796.
Shorin ryu kata, goju-shiho. Kenjer Martial Arts Productions. 17
min., si., color, Super 8 mm. Add. ti.: Shorin ryu, goju-shiho kata. ©
Kenjer Martial Arts Productions; 6Jun74; MP25796.
MP25797.
Bookkeeping and accounting: how do you figure in? Coronet
Instructional Media, a division of Esquire, Inc. 11 min., sd., color, 16
mm. (Bookkeeping and you, 2nd ed.) © Coronet Instructional
Media, a division of Esquire, Inc.; 21Feb74; MP25797.
MP25798.
Gliding motility in the algae. Ryan W. Drum & Robert Day Allen. 6
min., si., color, Super 8 mm. in cartridge. (Cells and cell processes)
© Harper and Row, Publishers, Inc.; 8Oct73; MP25798.
MP25799.
Albert Camus: a self portrait. Learning Company of America, a
division of Columbia Pictures Industries, Inc. 20 min., sd., color, 16
mm. NM: a new film incorporating some prev. pub. material. ©
Learning Company of America, a division of Columbia Pictures
Industries, Inc.; 18May72 (in notice: 1971); MP25799.
MP25800.
Selling to women. Chrysler Corporation. 18 min., sd., color, Super
8 mm. in cartridge. Appl. au.: Ross Roy, Inc. © Chrysler
Corporation; 25Jul74; MP25800.
MP25801.
Play—is trying out. Allegra May, Kathy Sylva & Jerome S. Bruner.
Distributed by John Wiley and Sons, Inc. 25 min., sd., color, 16 mm.
(Bruner series—cognitive development) © Allegra May, Kathy Sylva
& Jerome S. Bruner; 1Dec73; MP25801.
MP25802.
One, two, many: early object handling. Karlen Lyons, Allegra May
& Jerome Bruner. Distributed by John Wiley and Sons, Inc. 15 min.,
sd., color, 16 mm. (Bruner series—cognitive development) © Karlen
Lyons, Allegra May & Jerome Bruner; 1Dec73 (in notice: 1972);
MP25802.
MP25803.
Garner Ted Armstrong. Program 559. Ambassador College. 30
min., sd., color, videotape (3/4 inch) in cassette. © World Wide
Church of God; 21Feb74; MP25803.
MP25804.
Auto-body sheet metal man’s helper: removing a dent and pulling
out a simple dent (basic hand skills) Robert Heller Productions, Inc.
6 motion pictures (4 min. each), si., color, Super 8 mm. in cartridges.
(Automotive damage correction series, set 1) © Robert Heller
Productions, Inc. & McGraw-Hill, Inc.; 12Sep73; MP25804.
MF25805.
Auto-body sheet metal man: applying a patch and repairing a torn
section (basic hand skills) Robert Heller Productions, Inc. 8 motion
pictures (4 min. each), si., color, Super 8 mm. in cartridges.
(Automotive damage correction series, set 2) © Robert Heller
Productions, Inc. & McGraw-Hill, Inc.; 12Sep73; MP25805.
MP25806.
Auto painter’s helper; removing a scratch (basic hand skills)
Robert Heller Productions, Inc. 7 motion pictures (4 min. each), si.,
color, Super 8 mm. in cartridges. (Automotive damage correction
series, set 3) © Robert Heller Productions, Inc. & McGraw-Hill, Inc.;
12Sep73; MP25806.
MP25807.
Auto painter: refinishing a panel (basic hand skills) Robert Heller
Productions, Inc. 7 motion pictures (4 min. each), si., color, Super 8
mm. in cartridges. (Automotive damage correction series, set 4) ©
Robert Heller Productions, Inc. & McGraw-Hill, Inc.; 12Sep73;
MP25807.
MP25808.
Gillette Street. A production of KERA-TV newsroom. 29 min., sd.,
color, 16 mm. (Urban design issues in Texas) Appl. au.: Public
Communication Foundation for North Texas. © Public
Communication Foundation for North Texas; 16Oct74; MP25808.
MP25809.
ABBA presents. ABBA Productions. 3 min., sd., b&w, 16 mm. ©
ABBA Productions; 23Sep74; MP25809.
MP25810.
Not a sparrow falls. Sparrow Productions. 28 min., sd., color, 16
mm. Appl. au.: The Salvation Army. © The Salvation Army; 1Jun74;
MP25810.
MP25811.
Growth of cassava (Manihot utilissima) Film Production Unit,
Iowa State University of Science and Technology. Produced in
cooperation with Escuela Agricola Pan Americana & the
Organization for Tropical Studies. 3 min., si., color, 16 mm. (Tropical
biology) © Iowa State University a.a.d.o. Iowa State University of
Science and Technology; 1Oct74 (in notice: 1973); MP25811.
MP25812.
Before it’s too late. Woroner Films, Inc. Produced in cooperation
with National Crime Prevention Institute, University of Louisville. 28
min., sd., color, 16 mm. © Woroner Films, Inc.; 26Sep74; MP25812.
MP25813.
Basic security surveys. Woroner Films, Inc. 25 min., sd., color, 16
mm. (Crime prevention) © Texas Criminal Justice Division, State of
Texas; 16Oct74; MP25813.
MP25814.
Introduction and theory of crime prevention. Woroner Films, Inc.
23 min., sd., color, 16 mm. (Crime prevention) Add. ti.: Introduction
to crime prevention. © Texas Criminal Justice Division, State of
Texas; 16Oct74; MP25814.
MP25815.
Penny Lane. Albert Davidson. Produced in association with the
Mechanical Bank Collectors of America. A film created by Arnold L.
Leibovit. 10 min., sd., color, 16 mm. © Albert Davidson (in notice: Al
Davidson); 24Aug74; MP25815.
MP25816.
The Text of light. Stan Brakhage. 75 min., si., color, 16 mm. © Stan
Brakhage; 2Oct74; MP25816.
MP25817.
The Struggle for Vicksburg. Centron Educational Films. 19 min.,
sd., color, 16 mm. Appl. au.: Centron Corporation, Inc. © Centron
Corporation, Inc.; 12Jul74; MP23817.
MP25818.
In the year of the pig. The Monday Film Production Company.
Released by New Yorker Films. 97 min., sd., b&w, 16 mm. NM: 60%
new footage. © The Monday Film Production Company; 25Oct68;
MP25818.
MP25819.
The View from the crib. The American Institutes for Research. 15
min., sd., color, 16 mm. (Early childhood education series) ©
American Institutes for Research; 16Apr74; MP25819.
MP25820.
Science of survival. The Virginia Tech Film Unit & Department of
Food Science and Technology, College of Agriculture and Life
Sciences, Virginia Polytechnic Institute and State University. 21 min.,
sd., color, 16 mm. © Virginia Polytechnic Institute and State
University; 30Mar74; MP25820.
MP25821.
El Camino—a beautiful value. General Motors Corporation. 8 min.,
sd., color, Super 8 mm. in cartridge. Add. ti.: 1975 Chevrolet El
Camino. © General Motors Corporation; 13Aug74; MP25821.
MP25822.
1975 Chevrolet Camaro. General Motors Corporation. 5 min., sd.,
color, Super 8 mm. in cartridge. Add. ti.: Camaro ’75. © General
Motors Corporation (in notice: Chevrolet Motor Division, General
Motors Corporation); 23Aug74; MP25822.
MP25823.
Bearcat Baker’s Filmed boxing course. George Williams known as
Bearcat Baker. 5 min., sd., color, 16 mm. Add. ti.: Bearcat Baker’s
Filmed basic boxing course. © George Williams known as Bearcat
Baker; 2Oct74; MP25823.
MP25824.
Back to school. Colgate Palmolive Company. 30 seconds, sd., color,
16 mm. Add. ti.: A Neat glue for neat people—back to school. ©
Colgate Palmolive Company; 13Aug74; MP25824.
MP25825.
Use of art therapy in a vocational milieu. ICD Rehabilitation and
Research Center. 22 min., sd., b&w, videotape (1/2 inch) in reel. ©
ICD, a.a.d.o. ICD Rehabilitation and Research Center; 30Jul74;
MP25825.
MP25826.
Manual positive pressure ventilation (bag and mask) American
College of Physicians. 7 min., sd., color, Super 8 mm. in cassette.
(American College of Physicians medical skills library) Add. ti.:
Manual positive pressure measurement (bag and mask) © American
College of Physicians; 1Aug74; MP25826.
MP25827.
Meet Lynd Ward and May McNeer. Jaqueline Shachter. 30 min.,
sd., b&w, videotape (1/2 inch) (Profiles in literature) © Jaqueline
Shachter; 26Feb74; MP25827.
MP25828.
Meet Jean Fritz. Jaqueline Shachter. 30 min., sd., b&w, videotape
(1/2 inch) (Profiles in literature) © Jaqueline Shachter; 28Mar74;
MP25828.
MP25829.
Meet Letta Schatz. Jaqueline Shachter. 60 min., sd., b&w,
videotape (1/2 inch) (Profiles in literature) © Jaqueline Shachter;
28Mar74; MP25829.
MP25830.
Meet Kristin Hunter. Jaqueline Shachter. 30 min., sd., b&w,
videotape (1/2 inch) (Profiles in literature) © Jaqueline Shachter;
28Mar74; MP25830.
MP25831.
Meet Judy Blume. Jaqueline Shachter. 30 min., sd., b&w,
videotape (1/2 inch) (Profiles in literature) © Jaqueline Shachter;
28Mar74; MP25831.
MP25832.
Meet Keith Robertson. Jaqueline Shachter. 30 min., sd., b&w,
videotape (1/2 inch) (Profiles in literature) © Jaqueline Shachter;
28Mar74; MP25832.
MP25833.
Meet Eve Merriam. Jaqueline Shachter. 30 min., sd., b&w,
videotape (1/2 inch) (Profiles in literature) © Jaqueline Shachter;
28Mar74; MP25833.
MP25834.
Meet Arnold Lobel. Jaqueline Shachter. 30 min., sd., b&w,
videotape (1/2 inch) (Profiles in literature) © Jaqueline Shachter;
28Mar74; MP25034.
MP25835.
Meet Pura Belpre. Jaqueline Shachter. 30 min., sd., b&w,
videotape (1/2 inch) (Profiles in literature) © Jaqueline Shachter;
28Mar74; MP25835.
MP25836.
Meet Richard Lewis. Jaqueline Shachter. 30 min., sd., b&w,
videotape (1/2 inch) (Profiles in literature) © Jaqueline Shachter;
28Mar74; MP25836.
MP25837.
Meet Marguerite de Angeli. Jaqueline Shachter. 30 min., sd., b&w,
videotape (1/2 inch) (Profiles in literature) © Jaqueline Shachter;
28Mar74; MP25837.
MP25838.
Meet Joe and Beth Krush. Jaqueline Shachter. 30 min., sd., b&w,
videotape (1/2 inch) (Profiles in literature) © Jaqueline Shachter;
28Mar74; MP25838.
MP25839.
Meet Elizabeth Gray Vining. Jaqueline Shachter. 30 min., sd.,
b&w, videotape (1/2 inch) (Profiles in literature) © Jaqueline
Shachter; 28Mar74; MP25839.
MP25840.
Meet Joan Lexau. Jaqueline Shachter. 30 min., sd., b&w,
videotape (1/2 inch) (Profiles in literature) © Jaqueline Shachter;
28Mar74; MP25840.
MP25841.
Meet Tom and Muriel Feelings. Jaqueline Shachter. 30 min., sd.,
b&w, videotape (1/2 inch) (Profiles in literature) © Jaqueline
Shachter; 28Mar74; MP25841.
MP25842.
Meet Madeleine L’Engle. Jaqueline Shachter. 30 min., sd., b&w,
videotape (1/2 inch) (Profiles in literature) © Jaqueline Shachter;
28Mar74; MP25842.
MP25843.
Meet Lloyd Alexander, Evaline Ness, Ann Durrell. Jaqueline
Shachter. 30 min., sd., b&w, videotape (1/2 inch) (Profiles in
literature) © Jaqueline Shachter; 28Mar74; MP25843.
MP25844.
Meet Jeanne and Robert Bendick. Jaqueline Shachter. 30 min.,
sd., b&w, videotape (1/2 inch) (Profiles in literature) © Jaqueline
Shachter; 28Mar74; MP2584.
MP25845.
Meet Joseph Krumgold. Jaqueline Shachter. 30 min., sd., b&w,
videotape (1/2 inch) (Profiles in literature) © Jaqueline Shachter;
28Mar74; MP25845.
MP25846.
Meet Eleanor Cameron. Jaqueline Shachter. 30 min., sd., b&w,
videotape (1/2 inch) (Profiles in literature) © Jaqueline Shachter;
28Mar74; MP25846.
MP25847.