Evolutions and researches on group key agreement (GKA) protocols
Yuh-Min Tseng
Information Security Lab. (ISL), Department of Mathematics, NCUE
E-mail: ymtseng@cc.ncue.edu.tw
http://ymtseng.math.ncue.edu.tw
Outline
• 1. Finding Problems
• 2. Definitions and evolutions of problems
• 3. Research approaches and related works
• 4. Problem 1: GKA protocol resistant to insider attacks
• 5. Problem 2: GKA protocol for imbalanced networks
• 6. Problem 3: Pairing-based (ID-based) GKA protocol
• 7. Conclusions
1. Finding problems
• Assigned by your advisor
• Research trend for some problems or applications
• Referee of manuscripts submitted to conferences or journals
• Open / unsolved problems (famous problems)
• Self-finding problems (Important!)
• Seminars
• Conferences: New
• Journals: Complete
• Some experts' web sites
• Livelihood problems (to solve some practical problems)
Periodically download papers from related conferences and journals
1. Finding problems => Famous problems
• Pythagoras (-572 ~ -492): $x^2 + y^2 = z^2$, right triangle
• Fermat (1601-1665): Fermat's conjectures?
• Fermat's Little Theorem? For all primes p and $1 \le a \le p-1$, $a^{p-1} \equiv 1 \pmod{p}$
• Fermat's Last Theorem? "I have obtained a perfect proof, but no space to write it"? $x^n + y^n = z^n$, $n > 2$: no positive integer solutions
1. Finding problems => Famous problems
• Fermat's Little Theorem: for all primes p and $1 \le a \le p-1$, $a^{p-1} \equiv 1 \pmod{p}$
• Proof: a corollary of Euler's theorem (Euler Theorem; Euler, 1707-1783)
• Fermat's Last Theorem: $x^n + y^n = z^n$, $n > 2$: no positive integer solutions
• Wiles' proof: 370 years; based on many previous theorems and conjectures
• Wiles (1993), Taylor (1995, complete)
1. Finding problems => Fermat's Little Theorem
Public-key primitives in cryptography
• Euler's Theorem: for all $a \in Z_n^*$, $a^{\phi(n)} \equiv 1 \pmod{n}$
• Euler's Totient Function: $\phi(n) = |Z_n^*|$ = the number of positive integers less than n and relatively prime to n
• Fermat's Little Theorem: for all primes p and $1 \le a \le p-1$, $a^{p-1} \equiv 1 \pmod{p}$
• Proof: a corollary of Euler's theorem, since $\phi(p) = p-1$ and $\gcd(a, p) = 1$ for $1 \le a \le p-1$.
• Both theorems are useful in public key systems (RSA, DSA, and ElGamal) and primality testing.
1. Finding problems => Fermat's Last Theorem
One conjecture => Fermat's Last Theorem
• History
• Fermat (n=4), Euler (n=3), Gauss (n=3, complete)
• Legendre (n=5) => Legendre Symbol (Primality test)
• Dirichlet (n=14), Lamé (n=7), Kummer (1810 - 1893) (n<100)
• ...
• Wolfskehl (1908, offering a bonus of 100000 Marks)
• Taniyama-Shimura theorem/conjecture (1960): Relationships => Fermat's Last Theorem, elliptic curves and modular forms
• Wiles (1993, 1995): a proof of Fermat's Last Theorem
• Based on the Taniyama-Shimura theorem/conjecture
Elliptic Curve Cryptography (ECC, Secure and Efficient)
1. Finding problems => Fermat's Last Theorem
• A. Wiles: Modular elliptic curves and Fermat's Last Theorem, Annals of Mathematics 141 (1995), pp. 443-551 => 1998 Fields Medal (Specific Award, 44 years old)
• R. Taylor and A. Wiles: Ring theoretic properties of certain Hecke algebras, Annals of Mathematics 141 (1995), pp. 553-572
1. Finding problems => Famous problems
• Another conjecture of Fermat: $F_n = 2^{2^n} + 1$ is prime
• $F_1 = 5$, $F_2 = 17$, $F_3 = 257$, $F_4 = 65537$
• Error => $F_5 = 641 \times 6700417$
• Mersenne prime (1588-1648): $2^p - 1$ is prime => p is prime
• $2^2 - 1 = 3$, $2^3 - 1 = 7$, $2^5 - 1 = 31$, $2^7 - 1 = 127$
• Error => $2^{11} - 1 = 23 \times 89$
• GIMPS: The Great Internet Mersenne Prime Search
• 44th Mersenne prime (2006, September 4)
• $2^{32582757} - 1$ = known large prime (9,808,358 decimal digits)
• 10,000,000 decimal digits => US$100,000
1. Finding problems => Personal experiences
Group key agreement protocols
• Deep: Focusing on one issue deeply
• Broad: Understanding related issues
• Two-party key agreement protocols
• Group (Conference, multi-party) key establishment
• Conference key distribution protocols
• Group key agreement (GKA) protocols
• Resource-limited devices: Elliptic Curve
• Imbalanced network (WLAN, Cellular network)
• Mobile Ad Hoc networks
• Sensor networks
• Based on various cryptographic systems (ID-based, Pairing)
Co-assistive
2. Definitions and evolutions of problems => Diffie-Hellman key exchange (1976)
• Alice: (1) Randomly select a, compute $Y_a = g^a \bmod p$; (2) send $Y_a$ to Bob; (3) compute $Y_{ab} = (Y_b)^a \bmod p$
• Bob: (1) Randomly select b, compute $Y_b = g^b \bmod p$; (2*) send $Y_b$ to Alice; (3*) compute $Y_{ba} = (Y_a)^b \bmod p$
• $K = Y_{ab} = Y_{ba} = g^{ab} \bmod p$
• DH scheme provides two-party key agreement
• Global parameters: (g, p)
• p: a large prime, say, 1024-bit long
• g: a generator for group $Z_p^*$
• Discrete logarithm problem
2. Definitions and evolutions of problems
• A group key establishment protocol allows users to construct a group key that is used to encrypt/decrypt transmitted messages among the users over an open communication channel.
• Categories:
• Group key distribution: there is a chairman who is responsible for generating a common key and then securely distributing this group key to the other users.
• Group key agreement: involves all users cooperatively constructing a group key.
2. Definitions and evolutions of problems => Categories
[Figure: two diagrams of users U1, U2, ..., Un. Group key distribution: a chair holding the key sits among the users (easy issue). Group key agreement: the users share the key with no chair (challenging issue).]
2. Definitions and evolutions of problems => Group key agreement
Four research approaches
• Concurrent Ring (1982, Ingemarsson et al.): first group key agreement
• Linear Ring + 1 Broadcast (many protocols)
• Binary Tree (many protocols)
• Broadcast (many protocols)
Parallel processors
2. Definitions and evolutions of problems => (1) Concurrent Ring (1982, Ingemarsson et al.)
First group key agreement
[Figure: three users U1, U2, U3 on a ring with secrets $x_1$, $x_2$, $x_3$. Values passed along the ring: first $g^{x_1}$, $g^{x_2}$, $g^{x_3}$; then $g^{x_1x_2}$, $g^{x_2x_3}$, $g^{x_1x_3}$; finally each user holds $g^{x_1x_2x_3}$.]
Note: n participants
1. It requires (n-1) rounds
2. Concurrent
Easy? How to devise?
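The concurrent ring above, simulated for n users, as an added Python example (not from the slides or from Ingemarsson et al.'s paper). The toy modulus 2^127 - 1, the base 3 and the function name `ring_gka` are assumptions of this example.

```python
import secrets

# Toy group constructed for this example: P is the Mersenne prime 2^127 - 1.
# It is far too small for real use and G = 3 is an arbitrary base.
P = 2**127 - 1
G = 3

def ring_gka(exponents, p=P, g=G):
    """Simulate the concurrent ring for users U_1..U_n holding secret exponents.

    Returns (keys, rounds, transcript): the key each user derives, the number
    of message rounds, and the values sent on the ring in each round.
    """
    n = len(exponents)
    if n < 2:
        raise ValueError("need at least two participants")
    # Round 1: every U_i sends g^{x_i} to its successor at the same time.
    in_flight = [pow(g, x, p) for x in exponents]
    transcript = [list(in_flight)]
    # Rounds 2..n-1: raise what arrived from the predecessor to the own
    # secret and pass it on.
    for _ in range(n - 2):
        received = [in_flight[(i - 1) % n] for i in range(n)]
        in_flight = [pow(received[i], exponents[i], p) for i in range(n)]
        transcript.append(list(in_flight))
    # After n-1 rounds U_i holds g^(product of all secrets except x_i);
    # one local exponentiation, which is never sent, yields the group key.
    keys = [pow(in_flight[(i - 1) % n], exponents[i], p) for i in range(n)]
    return keys, len(transcript), transcript

if __name__ == "__main__":
    secrets_x = [secrets.randbelow(P - 2) + 1 for _ in range(4)]
    keys, rounds, _ = ring_gka(secrets_x)
    print("rounds:", rounds, "all users agree:", len(set(keys)) == 1)
```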
2. Definitions and evolutions of problems => (2) Linear Ring + 1 Broadcast
• Concept: (many protocols, 2002)
[Figure: users U1, U2, ..., Un-1, Un in a line, with a broadcast step]
Note: n participants
1. It requires (n-1) rounds
2. $U_i$ must send i messages
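2. Definitions and evolutions of problems => (3) Binary Tree
• Concept: Bottom-up (many protocols, 2005)
[Figure: binary tree with leaves U1, U2, U3, U4 holding $x_1$, $x_2$, $x_3$, $x_4$. Leaf values: $g^{x_1}$, $g^{x_2}$, $g^{x_3}$, $g^{x_4}$; intermediate values: $g^{x_1x_2}$, $g^{x_3x_4}$, $g^{g^{x_1x_2}}$, $g^{g^{x_3x_4}}$; root: $g^{g^{x_1x_2} g^{x_3x_4}}$.]
Note: n participants
1. It requires log n rounds
2. Semi-concurrent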
2. Definitions and evolutions of problems => (4) Broadcast
• Burmester and Desmedt (1994, 2005)
• Step 1 (Round 1): $U_i$ ($1 \le i \le n$) keeps $x_i$ secret and broadcasts $y_i = g^{x_i} \bmod p$
• Step 2 (Round 2): $U_i$ ($1 \le i \le n$) broadcasts $z_i = (y_{i+1} / y_{i-1})^{x_i} \bmod p$
• Step 3: Each $U_i$ computes the common key K
[Figure: users U1, ..., Un attached to a broadcast channel]
3. Research approaches and related works => Burmester and Desmedt scheme
• Burmester and Desmedt (1994)
• Non-authenticated: requires a secure authenticated broadcast channel
• (2005, IPL) They provide a complete proof.
• Research approaches based on BD scheme
• Authenticated
• Performance
• Security properties
3. Research approaches and related works => Three approaches
• Authenticated: based on different cryptographic systems
• General public-key system (RSA, DSA, or ElGamal)
• Password-based
• ID-based (Weil pairing and Elliptic curve)
• Performance:
• Number of rounds
• Message size sent by each participant
• Computational cost required for each participant
• Security properties:
• Withstanding impersonator attacks
• Providing forward secrecy
• Resisting malicious participant (Insider) attacks (New)
3. Research approaches and related works => History and remarks
• [1] Diffie-Hellman – 1976 (Two-party): first key agreement
• [2] Ingemarsson – 1982: first group key agreement
• [3, 4] BD – 1994 and 2005: efficient and proof
• Performance [5, 15]
• Authenticated [6, 8, 9, 10, 16-19]
• Transformation to authenticated [7, 11]
• Malicious participant [12, 13, 14]
3. Research approaches and related works => History and remarks
Categories: Performance [5, 15]; Transformation to authenticated [7, 11]; Malicious participant [12, 13, 14]; Authenticated [6, 8, 9, 10, 16-19]
• [5] Horng – 2001: Comp. efficient
• [6, 8] 2002, 2003: Round efficient
• [7] Katz – 2003: First transformation
• [12] Tang – 2005: Attack it. Insider attack
• [15] Jung – 2006: Dynamic case (Join/leave)
• [16] Abdalla – 2006: Password-based
• [11] Tang – 2005: Round efficient
• [9, 17, 18] 2004, 2005: ?????? ID-based (Pairing)
• [10] Tan – 2005: Batch-verification
• [14] Tseng – 2005: Insider attack
• [13] Katz – 2005: Insider attack
• [19] Tseng – 2007: Insider attack
3. Research approaches and related works => Related papers
• [1] Diffie, W. and Hellman, M.E. (1976) New directions in cryptography. IEEE Trans. on Inform. Theory, 22, 644-654.
• [2] Ingemarsson, I., Tang, T.D. and Wong, C.K. (1982) A conference key distribution system. IEEE Trans. Inform. Theory, 28, 714-720.
• [3] Burmester, M. and Desmedt, Y. (1994) A secure and efficient conference key distribution system. Advances in Cryptology - Proceedings of Eurocrypt'94, Perugia, Italy, 9-12 May, LNCS 950, pp. 275-286, Springer-Verlag, Berlin.
• [4] M. Burmester and Y. Desmedt (2005) A secure and scalable group key exchange system, Information Processing Letters, vol. 94, pp. 137-143, 2005.
• [5] G. Horng (2001) An efficient and secure protocol for multi-party key establishment, The Computer Journal 44 (5) (2001) 463-470.
• [6] W. G. Tzeng (2002) A secure fault-tolerant conference-key agreement protocol, IEEE Trans. on Computers 51 (4) (2002) 373-379.
• [7] Katz, J. and Yung, M. (2003) Scalable Protocols for Authenticated Group Key Exchange. Advances in Cryptology - Proceedings of Crypto'03, Santa Barbara, CA, 17-21 August, LNCS 2729, pp. 110-125, Springer-Verlag, Berlin.
• [8] Boyd, C. and Nieto, G. (2003) Round-Optimal Contributory Conference Key Agreement. Proc. Public-Key Cryptography'03, Miami, USA, 6-8 January, LNCS 2567, pp. 161-174, Springer-Verlag, Berlin.
3. Research approaches and related works => Related papers
• [9] X. Yi (2004) Identity-Based Fault-Tolerant Conference Key Agreement, IEEE Trans. on Dependable and Secure Computing, Vol. 1, No. 3, pp. 170-178, July-September 2004.
• [10] C. Tan and J. Teo (2005) An Authenticated Group Key Agreement for Wireless Networks, IEEE Communications Society, WCNC 2005, pp. 2100-2105.
• [11] Q. Tang and C. J. Mitchell (2005) Efficient Compilers for Authenticated Group Key Exchange, Computational Intelligence and Security: International Conference, CIS 2005, Xi'an, China, December 15-19 2005, Proceedings, Part II, Springer-Verlag LNCS 3802, Berlin (2005), pp. 192-197.
• [12] Q. Tang and C. J. Mitchell (2005) Security properties of two authenticated conference key agreement protocols, in: S. Qing, W. Mao, J. Lopez, and G. Wang (eds.), Information and Communications Security: 7th International Conference, ICICS 2005, Beijing, China, December 10-13, 2005. Proceedings, Springer-Verlag LNCS 3783, Berlin (2005), pp. 304-314.
• [13] J. Katz, J. S. Shin (2005) Modeling Insider Attacks on Group Key Exchange Protocols. ACM Conference on Computer and Communications Security 2005, pp. 180-189.
• [14] Tseng, Y.M. (2005) A robust multi-party key agreement protocol resistant to malicious participants. The Computer Journal, 48, 480-487.
3. Research approaches and related works => Related papers
• [15] B. E. Jung (2006) An Efficient Group Key Agreement Protocol, IEEE Communications Letters, vol. 10, no. 2, pp. 106-107, Feb. 2006.
• [16] M. Abdalla, E. Bresson, O. Chevassut, D. Pointcheval (2006) Password-based Group Key Exchange in a Constant Number of Rounds, PKC2006, LNCS 3958, pp. 427-442.
• [17] K. Y. Choi, J. Y. Hwang and D. H. Lee, "Efficient ID-based Group Key Agreement with Bilinear Maps", 2004 International Workshop on Practice and Theory in Public Key Cryptography (PKC2004).
• [18] Y. Shi, G. Chen, and J. Li, "ID-Based One Round authenticated Group Key Agreement Protocol with Bilinear Pairings", Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC'05), 2005.
• [19] Y.M. Tseng, "A communication-efficient and fault-tolerant conference-key agreement protocol with forward secrecy", Journal of Systems and Software, 2006, Accepted and to appear.
• [20] Y.M. Tseng, "A secure authenticated group key agreement protocol for resource-limited mobile devices", The Computer Journal, Vol. 50, No. 1, pp. 41-52, 2007.
3. Research approaches and related works => Finding worth-to-work problems
Keep cranky and thinking continuously!!!
• Finding solutions:
• Writing a research paper or patent
• Developing application systems
• Keeping a research record (Important!!)
• Finding new problems => solutions
• It could be a good approach/technique.
• In the future, it is possible to adopt it for other applications or problems.
3. Research approaches and related works => Finding worth-to-work problems
• Problem 1: Malicious participant (Insider) attack
• The malicious legal participant broadcasts a wrong message to disrupt the conference key establishment
• The proposed protocol must identify the malicious participants
• Problem 2: Imbalanced wireless networks
• Resource-limited PDA, Smart phone, or UMD (Ultra mobile device)
• It is a flexible approach to shift the computational burden to the powerful node and reduce the computational cost of mobile nodes
• Problem 3: Pairing-based (ID-based) public-key system
• Practical ID-based public-key system (Elliptic Curve), 2001, New
4. Problem 1: GKA protocol resistant to insider attacks
• Motivation and finding a solution
• All related GKA protocols based on the BD scheme suffer from insider attacks.
• Some secure conferences must be held prior to a special time, such as military applications, rescue missions and emergency negotiations.
• Related papers: (2005)
• [14] Y.M. Tseng (2005) A robust multi-party key agreement protocol resistant to malicious participants. The Computer Journal, 48, 480-487. (2006, Wilkes Award)
• [12] Q. Tang and C. J. Mitchell (2005) Security properties of two authenticated conference key agreement protocols, in: S. Qing, W. Mao, J. Lopez, and G. Wang (eds.), Information and Communications Security: 7th International Conference, ICICS 2005, Beijing, China, December 10-13, 2005. Proceedings, Springer-Verlag LNCS 3783, Berlin (2005), pp. 304-314.
• [13] J. Katz, J. S. Shin (2005) Modeling Insider Attacks on Group Key Exchange Protocols. ACM Conference on Computer and Communications Security 2005, pp. 180-189.
4. Problem 1: GKA protocol resistant to insider attacks
• Insider attacks (Malicious participants) on BD scheme
• Step 1 (Round 1): $U_i$ ($1 \le i \le n$) keeps $x_i$ secret and broadcasts $y_i = g^{x_i} \bmod p$
• Step 2 (Round 2): $U_i$ ($1 \le i \le n$, $i \ne j$) broadcasts $z_i = (y_{i+1} / y_{i-1})^{x_i} \bmod p$; $U_j$ broadcasts a random value $z_j$
• Step 3: Each $U_i$ computes a different key K
[Figure: users U1, ..., Un attached to a broadcast channel]
Who is the malicious participant?
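The Burmester-Desmedt rounds from the Broadcast slide and the insider attack above, as an added Python example (not from the slides or the cited papers). The key formula in `derive_key` is the standard BD key computation, which the slides do not spell out; the toy modulus 2^127 - 1, the base 3, the function names and the product-of-z consistency check are assumptions of this example.

```python
import secrets

# Toy group constructed for this example: P is the Mersenne prime 2^127 - 1.
# It is far too small for real use and G = 3 is an arbitrary base.
P = 2**127 - 1
G = 3

def round1(xs, p=P, g=G):
    """Round 1: every U_i broadcasts y_i = g^{x_i} mod p."""
    return [pow(g, x, p) for x in xs]

def round2(xs, ys, p=P):
    """Round 2: every U_i broadcasts z_i = (y_{i+1} / y_{i-1})^{x_i} mod p."""
    n = len(xs)
    zs = []
    for i in range(n):
        ratio = ys[(i + 1) % n] * pow(ys[(i - 1) % n], -1, p) % p
        zs.append(pow(ratio, xs[i], p))
    return zs

def derive_key(i, x_i, ys, zs, p=P):
    """K_i = y_{i-1}^{n*x_i} * z_i^{n-1} * z_{i+1}^{n-2} * ... * z_{i-2}^1 mod p."""
    n = len(ys)
    key = pow(ys[(i - 1) % n], n * x_i, p)
    for k in range(n - 1):
        key = key * pow(zs[(i + k) % n], n - 1 - k, p) % p
    return key

def run_bd(xs, forged=None, p=P, g=G):
    """Run the protocol. `forged` maps a user index j to the z_j that the
    insider U_j broadcasts in place of the correctly computed value."""
    ys = round1(xs, p, g)
    zs = round2(xs, ys, p)
    for j, value in (forged or {}).items():
        zs[j] = value % p
    keys = [derive_key(i, xs[i], ys, zs, p) for i in range(len(xs))]
    return ys, zs, keys

def z_product_is_one(zs, p=P):
    """Consistency check added for this example: honest z_i telescope, so their
    product is 1 mod p. A failure shows that some z_i is wrong, not whose."""
    product = 1
    for z in zs:
        product = product * z % p
    return product == 1

if __name__ == "__main__":
    n, j = 5, 2  # five users; U_j (0-based index) is the insider
    xs = [secrets.randbelow(P - 2) + 1 for _ in range(n)]
    _, zs, keys = run_bd(xs)
    print("honest run: one key:", len(set(keys)) == 1, "check:", z_product_is_one(zs))
    _, zs_bad, keys_bad = run_bd(xs, forged={j: secrets.randbelow(P - 1) + 1})
    honest = [k for i, k in enumerate(keys_bad) if i != j]
    print("forged z_j: distinct honest keys:", len(set(honest)),
          "check:", z_product_is_one(zs_bad))
```

Because K_i never uses z_{i-1}, the user immediately after the insider still derives the original key while every other honest user derives a different one, so the group cannot tell from the keys alone who broadcast the wrong value.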
4. Problem 1: Solution, GKA protocol resistant to insider attacks
• Step 1 (Round 1): $U_i$ ($1 \le i \le n$) keeps $x_i$ secret and broadcasts $y_i = g^{x_i} \bmod p$
• Step 2 (Round 2)
• Step 3: $U_i$ ($1 \le i \le n$) checks and computes K
• $Z_i$ is computed correctly”
4. Problem 1: GKA protocol resistant to insider attacks
• Security Proofs
• Assumption 1: Decision Diffie-Hellman Problem
• Theorem 1: The proposed GKA protocol is secure against passive attacks
• Theorem 2: The proposed GKA protocol is secure against insider attacks
• Discussions
• Based on the BD scheme, the first protocol that resists insider attacks
• In fact, the proposed GKA protocol can be applied to other group key agreement protocols with t rounds (t>1) to withstand insider attacks. (Reviewer comments)
• Expanding to authenticated (Tseng, 2007, JSS)
5. Problem 2: GKA protocol for imbalanced wireless networks
• Motivation and finding a solution
• Resource-limited devices: PDA, Cellular phone, or UMD (Ultra mobile device)
• It is a flexible approach to shift the computational burden to the powerful node and reduce the computational cost of mobile nodes
• Related papers:
• Bresson, E., Chevassut, O., Essiari, A. and Pointcheval, D. (2004) Mutual authentication and group key agreement for low-power mobile devices. Computer Communications, 27, 1730-1737.
• Nam, J., Kim, S., and Won, D. (2005) A weakness in the Bresson-Chevassut-Essiari-Pointcheval's group key agreement scheme for low-power mobile devices. IEEE Communications Letters, 9, 429-431.
• Nam, J., Kim, S., and Won, D. (2005) DDH-based group key agreement in a mobile environment. The Journal of Systems and Software, 78, 73-83.
• Y.M. Tseng (2007) "A secure authenticated group key agreement protocol for resource-limited mobile devices", The Computer Journal, Vol. 50, No. 1, pp. 41-52.
5. Problem 2: GKA protocol for imbalanced wireless networks
• Weaknesses of Bresson et al.'s Protocol (2004)
• Without forward secrecy
• Without key authentication
• Not a contributory key agreement
• Weaknesses of Nam et al.'s Protocol (2005)
• It provides an authenticated protocol based on the Katz-Yung transformation [7] (2003). (Time-consuming)
• In this case, the computational cost is expensive for mobile devices
• Not a contributory key agreement
5. Problem 2: GKA protocol for imbalanced wireless networks
• Goal:
• A real contributory key agreement protocol (Proof)
• Authenticated GKA protocol
• The proposed protocol must be well suited for mobile devices with limited computing capability.
• Some related issues and knowledge
• Give an example to prove that both Bresson et al.'s and Nam et al.'s protocols are not contributory key agreement.
• Give a complete proof to show our proposed protocol is a real contributory key agreement.
• Understanding the computing capability of mobile devices such as PDA.
5. Problem 2: GKA protocol for imbalanced wireless networks
• Security Proofs
• Theorem 1: It is a contributory group key agreement protocol
• Theorem 2: Against passive adversary
• Lemma 1, Lemma 2, and Theorem 3: Against impersonator's attack
• Theorem 4: Implicit key authentication
• Theorem 5: Forward secrecy
• Discussions
• Comparisons: Computational cost and security properties
• This is the first protocol which provides the proof of contributory group key agreement
• A simulation result shows that the proposed protocol is well suited for mobile devices with limited computing capability.
5. Problem 2: GKA protocol for imbalanced wireless networks
• Some other possible problems and future works
• Possible inherent problems of a powerful node
• Communication bottleneck
• Single point of failure
• Trust
• Lower bound of the communication cost in a contributory group key agreement for imbalanced networks => Optimal solution.
6. Problem 3: Pairing-based (ID-based) GKA protocol
• Motivation and finding a problem
• Based on Factoring problem
• Shamir (1984)
• ID => Name, ymtseng@cc.ncue.edu.tw and some other information.
• The motivation is to simplify certificate management
• However, it is not practical.
• Based on Bilinear Diffie-Hellman assumption
• In 2001, D. Boneh and M. Franklin presented the first ID-based encryption scheme.
• Afterwards, it is an important issue for cryptography research.
• Question: If you focus on this topic, what knowledge should you prepare and own?
6. Problem 3: Pairing-based (ID-based) GKA protocol
• Related knowledge:
• Elliptic curve
• Bilinear Pairing (Weil pairing and Tate pairing)
• Few books focus on these cryptographic systems
• ID-based cryptographic protocols
• ID-based signature (batch, threshold, blind, ...)
• ID-based encryption (Broadcast, authenticated)
• ID-based two-party key agreement/authentication
• Fast pairing computation
• ID-based authenticated group key agreement
6. Problem 3: Pairing-based (ID-based) GKA protocol
• Related papers of ID-based signature/encryption
• D. Boneh and M. Franklin, "Identity based encryption from the Weil pairing," Crypto 2001, LNCS 2139, pp. 213-229, Springer-Verlag, 2001.
• D. Boneh and M. Franklin, "Identity based encryption from the Weil pairing," SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
• D. Boneh, B. Lynn and H. Shacham, "Short signature from Weil pairing," Asiacrypt 2001, LNCS 2248, pp. 514-532, Springer-Verlag, 2001.
• K. Paterson, "ID-based Signatures from Pairings on Elliptic Curves," Electronics Letters, Vol. 38, No. 18, pp. 1025-1026, 2002.
• F. Hess, "Efficient identity based signature schemes based on pairings," SAC 2002, LNCS 2595, pp. 310-324, Springer-Verlag, 2003.
• J. C. Cha and J. H. Cheon, "An identity-based signature from gap Diffie-Hellman groups," PKC 2003, LNCS 2567, pp. 18-30, Springer-Verlag, 2003.
• H. J. Yoon, J. H. Cheon, Y. Kim, "Batch verifications with ID-based signatures," Proc. ICISC 2004, December 2-3, Seoul, Korea, Berlin, Springer-Verlag, pp. 233-248, LNCS 3506, 2005.
• N. Koblitz and A. Menezes, "Pairing-based cryptography at high security levels," Cryptography and Coding: 10th IMA International Conference, LNCS 3796, pp. 13-36, Springer-Verlag, 2005.
• S. Cui, P. Duan, C. W. Chan, "An efficient identity-based signature scheme with batch verifications," Proceedings of the 1st International Conference on Scalable Information Systems, Article No. 22, May 30 - June 01, 2006.
6. Problem 3: Pairing-based (ID-based) GKA protocol
• Related papers of ID-based key agreement/authentication
• N. P. Smart, "An identity based authenticated key agreement protocol based on the Weil pairing," Electronics Letters, Vol. 38 (13), pp. 630-632, June 2002.
• L. Chen and C. Kudla, "Identity Based Authenticated Key Agreement Protocols from Pairings," 16th IEEE Computer Security Foundations Workshop (CSFW'03), 2003, p. 219.
• Y. Wang, "Efficient identity-based and authenticated key agreement protocol," Cryptology ePrint Archive, Report 2005/108.
• G. Xie, "An ID-based key agreement scheme from pairing," Cryptology ePrint Archive, Report 2005/093.
• Q. Yuan and S. Li, "A new efficient ID-based authenticated key agreement protocol," Cryptology ePrint Archive, Report 2005/309.
• L. Chen, Z. Cheng, and N. P. Smart, "Identity-based Key Agreement Protocols From Pairings," http://grouper.ieee.org/groups/1363/IBC/submissions/Chen-IBE.pdf (Good survey), 2006.
• X. Yi, "Identity-Based Fault-Tolerant Conference Key Agreement," IEEE Trans. on Dependable and Secure Computing, Vol. 1, No. 3, pp. 170-178, July-September 2004.
• M. Das, A. Saxena, A. Gulati, and D. Phatak, "A novel remote user authentication scheme using bilinear pairings," Computers & Security, Vol. 25, Issue 3, May 2006, pp. 184-189.
6. Problem 3: Pairing-based (ID-based) GKA protocol
• Goal: Pairing-based (ID-based) GKA protocol
• Finding some possible solutions => No concrete publication
• Extra results: by surveying pairing-based systems
• Reviewer of an ID-based partially blind signature (2006)
• Improving the performance of Sherman et al.'s scheme (2005)
• I presented that their scheme suffers from a forgery attack, reject it!
• Try to propose an efficient scheme.
• Until now, no concrete result.
• Seminar => a two-party key agreement protocol (2006, C&S)
• Finding some drawbacks
• We have obtained concrete results
Conferences
7. Conclusions
Based on the previous knowledge and new applications/environments
Thinking other problems
7. Conclusions => Thinking other problems
• Wireless environments (Resource-limited devices)
• Imbalanced networks (WLAN, Cellular network)
• Mobile Ad Hoc networks
• Distributed architectures
• No on-line certificate authority
• Sensor networks
• Specific architectures (Pre-distributed secret keys, or passwords)
• Energy-aware (Computation vs. Communication)
7. Conclusions => Other Problems => Energy consuming
• Sensor networks (2005, Wander et al.)
• Specific architecture (Pre-distributed secret keys)
• Energy-aware (Computation vs. Communication)
Mica2dot sensor platform, 2002, ...
7. Conclusions => Other Problems=> Energy consuming Energy cost of digital signature and key exchange computations [mJ]
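7. Conclusions
Research
"When you enter the first room of the mansion, it is very dark inside, so dark that you cannot see your own hand. You stumble around among the furniture, but gradually you learn where each piece of furniture is. Finally... you find the light switch and turn it on. Suddenly... you can see exactly where you are." ------ Wiles
Opening the Ren and Du meridians (achieving a breakthrough)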
7. Conclusions Thanks for your participation ! Questions and Answers !