%!PS
%%Title: Pareto-Secure
%%Creator: html2ps version 1.0 beta4
%%EndComments
save
2000 dict begin
/d {bind def} bind def
/D {def} d
/t true D
/f false D
/FL [/Times-Roman
/Times-Italic
/Times-Bold
/Times-BoldItalic
/Courier
/Courier-Oblique
/Courier-Bold
/Courier-BoldOblique
/Helvetica
/Helvetica-Oblique
/Helvetica-Bold
/Helvetica-BoldOblique] D
/WF t D
/WI 0 D
/F 1 D
/IW 454 F div D
/IL 672 F div D
/PS 842 D
/EF [0 1 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 2 2] D
/EZ [11 9 19 17 15 13 12 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 8 8] D
/Ey [0 0 2 2 2 2 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0] D
/EG [-1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1] D
/Tm [1 1 0.8 0.8 0.8 0.8 0.8 0.8 0 0 0 0 0 0 0.5 1 1 1 1 0 0 1.3 0 0] D
/Bm [1 1 0.5 0.5 0.5 0.5 0.5 0.5 0 0 0 0 0 0 0.5 1 1 1 1 0 0 1 0 0] D
/Lm [0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3 3 3 0 0 3 0 0 0] D
/Rm [0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3 0 0 0 0 0 0 0 0] D
/EU [-1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 0 0] D
/NO t D
/YY [[{()}1][{()}0][{()}2]] D
/ZZ [[{()}1][{()}0][{()}2]] D
/Ts EZ 0 get D
/TU f D
/Xp t D
/AU f D
/SN 0 D
/Cf f D
/Tp f D
/Fe f D
/TI 1 Ts mul D
/Fm 14 D
/xL 71 D
/xR 71 D
/yL 757 D
/yR 757 D
/Wl 454 F div D
/Wr 454 F div D
/hL 672 F div D
/hR 672 F div D
/FE {newpath Fm neg Fm M CP BB IW Fm add Fm L IW Fm add IL Fm add neg L CP BB
Fm neg IL Fm add neg L closepath} D
/LA {PM 0 eq{/IW Wl D /IL hL D}{/IW Wr D /IL hR D}ie /W IW D /LL W D /LS W D
TU PM 0 eq and{IW 56 F div add SA{Sf div}if 0 translate}
{PM 0 eq{xL yL}{xR yR}ie translate F SA{Sf mul}if dup scale
CS CF FS Cf{CA CL get VC}if /Bb f D}ie 0 0 M
TF not Tc or {Cf{gsave SA{1 Sf div dup scale}if Cb VC FE fill grestore}if}if}D
/Pi 0 Ts mul D
/SG [0.8 1 1] D
/Ab 15 D
/J 0 D
/Tc f D
/NH 6 D
/Nf f D
/Pa f D
/LH 1.2 D
/XR f D
/Xr {/pN E D ( [p ) WB pN WB (] )WB} D
/Db [16#FF 16#FF 16#FF] D
/Dt [16#00 16#00 16#00] D
/eA f D
/Fi f D
/bT f D
/Lc t D
/Dl [16#00 16#00 16#00] D
/LX f D
/Br 0.25 D
/IA ([IMAGE]) D
/DS {/PF f D()WB NL NP()pop RC ZF} D
/Gb f D
/Mb t D
/Hc [16#00 16#00 16#00] D
/Bl 3 D
/MI -15.2 D
/DX (DRAFT) D
/Di 0 D
/Tt 113.385826771654 D
/Th {()2 Al()BR (
) 0 1 -1 H()4 FZ Ti ES()EH (
) 0 2 -1 H() ME 0 get join EH()Ea()BR()} D
/tH {()0 1 -1 H (Table of Contents) EH()} D
/FD 2 D
/Dy 2 D
/cD [16#F0 16#F0 16#F0] D
/FW 0.6 D
/FU [16#00 16#00 16#00] D
/ET {/RM f D /A0 0 D /PN SN D /OU t D /Ou t D /W IW D /LL W D D1
Ms not TP and{Ip}if /TF f D} D
%-- End of variable part --
/MySymbol 10 dict dup begin
/FontType 3 D /FontMatrix [.001 0 0 .001 0 0 ] D /FontBBox [25 -10 600 600] D
/Encoding 256 array D 0 1 255{Encoding exch /.notdef put}for
Encoding (e) 0 get /euro put
/Metrics 2 dict D Metrics begin
/.notdef 0 D
/euro 651 D
end
/BBox 2 dict D BBox begin
/.notdef [0 0 0 0] D
/euro [25 -10 600 600] D
end
/CharacterDefs 2 dict D CharacterDefs begin
/.notdef {} D
/euro{newpath 114 600 moveto 631 600 lineto 464 200 lineto 573 200 lineto
573 0 lineto -94 0 lineto 31 300 lineto -10 300 lineto closepath clip
50 setlinewidth newpath 656 300 moveto 381 300 275 0 360 arc stroke
-19 350 moveto 600 0 rlineto -19 250 moveto 600 0 rlineto stroke}d
end
/BuildChar{0 begin
/char E D /fontdict E D /charname fontdict /Encoding get char get D
fontdict begin
Metrics charname get 0 BBox charname get aload pop setcachedevice
CharacterDefs charname get exec
end
end}D
/BuildChar load 0 3 dict put /UniqueID 1 D
end
definefont pop
/Cd {aload length 2 idiv dup dict begin {D} repeat currentdict end} D
/EX {EC cvx exec} D
/DU {} d
/BB {pop pop}d
/ie {ifelse} d
/E {exch} d
/M {moveto} d
/R {rmoveto} d
/L {lineto} d
/RL {rlineto} d
/CP {currentpoint} d
/SW {stringwidth} d
/GI {getinterval} d
/PI {putinterval} d
/Sg {setgray} d
/LW {setlinewidth} d
/S {dup () ne OU and{0 Co R AT 3 eq LB and HF not and A1 0 ne A2 0 ne or and
{A2 0 32 A1 0 6 -1 roll awidthshow}{show}ie 0 Co neg R}{pop}ie
OU PH 3 eq or{/Ms t D}if} D
/U {OU{gsave CP currentfont /FontInfo get /UnderlinePosition get
0 E currentfont /FontMatrix get dtransform E pop add newpath M dup SW pop
CJ 0 RL stroke grestore}if} D
/B {OU Br 0 gt and{CP Ts neg Ts .33 mul R gsave 0 Sg
CP newpath Ts Br mul 0 360 arc closepath UI 2 mod 0 eq{stroke}{fill}ie
grestore M CP E Ts Br 1 add mul sub E BB /Ms t D}if}D
/NP {Ms TP not or PA and OU and{TP{OR}if f1{mF k2 /mF E D /YC 0 D}if
TP TU not PM 0 eq or and{showpage}if DU Ip TE not{LA}if 0.6 LW
/CI 0 D /TP t D /Hs f D /hl 6 D /Hv 6 D /HI hi D /Ms f D}if Bs XO BO M} D
/Np {LE sub CP E pop gt PL 0 eq and{NP}if}D
/Ip {/PN PN 1 add D /Pn RM{1}{4}ie PN Ns D /PM PN SN sub 2 mod D} D
/GP {E dup 3 -1 roll get PN 1 add 2 mod get dup type /integertype eq
{get 0 get}{E pop}ie}d
/Fc {dup 2 GP exec SW pop /S1 E D dup 1 GP exec SW pop /S2 E D 0 GP exec SW
pop /S3 E D S1 0 gt{S2 2 mul S1 add S3 2 mul S1 add 2 copy lt{E}if pop}{0}ie
S2 S3 add 2 copy lt{E}if pop IW .9 mul div dup 1 gt{1 E div}{pop 1}ie}D
/OR {Df{Sd}if tp not{gsave SA{1 Sf div dup scale}if Fe{Cf{FU VC}if FW LW
1 setlinejoin FE stroke}if /YO {60 F div dup 40 gt{pop 40}if}D /cs CS D
/cf CF D /CF 0 D /pf PF D /PF f D /Fn FN D /At AT D /AT 0 D /FN EF Hf 1 add
get D Fz Fs FS ZZ Fc Fz mul Fs FS EU Hf 1 add get dup type /arraytype eq
Cf and{VC}{pop 0 Sg}ie IW IL neg YO sub M ZZ 1 GP exec dup SW pop neg 0 R Sh
0 IL neg YO sub M ZZ 0 GP exec Sh ZZ 2 GP exec dup SW pop IW E sub 2 div
IL neg YO sub M Sh Fz Fs FS NO{/AW IW Pn SW pop sub D AW 2 div IL neg YO sub
S1 0 gt S2 AW .45 mul gt or S3 AW .45 mul gt or{Fz 2 mul sub}if M Pn Sh}if
EU Hf get dup type /arraytype eq Cf and{VC}{pop 0 Sg}ie YY Fc /FN EF Hf get D
Hz mul HS FS IW YO M YY 1 GP exec dup SW pop neg 0 R Sh 0 YO M YY 0 GP exec Sh
YY 2 GP exec dup SW pop IW E sub 2 div YO M Sh /FN Fn D /AT At D t Pb XO SZ
SL get neg R /PF pf D grestore /CF 0 D cs cf FS}if}D
/Sh {dup () ne{CP Hz 4 div sub BB show CP CS add BB}{pop}ie}D
/Pb {/OU E D /Ou OU D /PB t D 0 0 M Ba{/Sa save D /BP t D /Fl t D RC /PL 0 D
/PH 0 D /W IW D /LE IL .7 mul D /EO 0 D SI ZF /YA 0 D /BO 0 D /C1 () D
BA 0 Ts neg R Bb{Xl Yl Xh Yh}if Bb CP Sa restore M
{/Yh E D /Xh E D /Yl E D /Xl E D}if /Fl t D}if
BL /OU t D /HM f D /Ou t D /PB f D} D
/Bs {/BP Ba not D}D
/reencodeISO {
dup dup findfont dup length dict begin{1 index /FID ne{D}{pop pop}ie}forall
/Encoding ISOLatin1Encoding D currentdict end definefont} D
/ISOLatin1Encoding [
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quoteright
/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash
/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon
/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N
/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright
/asciicircum/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m
/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/space/exclamdown/cent/sterling/currency/yen/brokenbar
/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot
/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior
/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine
/guillemotright/onequarter/onehalf/threequarters/questiondown
/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla
/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex
/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis
/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute
/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis
/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave
/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex
/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis
/yacute/thorn/ydieresis
] D
[128/backslash 129/parenleft 130/parenright 141/circumflex 142/tilde
143/perthousand 144/dagger 145/daggerdbl 146/Ydieresis 147/scaron 148/Scaron
149/oe 150/OE 151/guilsinglleft 152/guilsinglright 153/quotesinglbase
154/quotedblbase 155/quotedblleft 156/quotedblright 157/endash 158/emdash
159/trademark]
aload length 2 idiv 1 1 3 -1 roll{pop ISOLatin1Encoding 3 1 roll put}for
/colorimage where{pop}{
/colorimage {
pop pop /Pr E D {/Cv Pr D /Gr Cv length 3 idiv string D 0 1 Gr length 1 sub
{Gr E dup /i E 3 mul D Cv i get 0.299 mul Cv i 1 add get 0.587 mul add
Cv i 2 add get 0.114 mul add cvi put}for Gr} image} D
}ie
/pdfmark where{pop}{userdict /pdfmark /cleartomark load put}ie
WF{FL{reencodeISO D}forall}{4 1 FL length 1 sub{FL E get reencodeISO D}for}ie
/Symbol dup dup findfont dup length dict begin
{1 index /FID ne{D}{pop pop}ie}forall /Encoding [Encoding aload pop]
dup 128 /therefore put D currentdict end definefont D
/SF {/CS E D SZ SL CS put FO SL FN put /YI CS LH neg mul D dup ST cvs ( ) join
CS ST cvs join C1 E join ( NF ) join /C1 E D CS NF /Wf WF FN 0 gt or D
/BW Wf{( ) SW pop}{0}ie D}D
/NF {/cS E D /cF E D cF 0 ge{FL cF get}{cF -1 eq{/Symbol}{/MySymbol}ie}ie
findfont cS scalefont setfont} D
/FS {CF or /CF E D FR SL CF put CF CF 0 ge{FN 4 mul add}if E SF} D
/PC {SH /BP f D fin not GL not and{NL}if /HM t D /LL LS D} D
/BS {/TX E D Wf{/fin f D /CW 0 D /LK 0 D /SC 0 D
/RT TX D {RT ( ) search{/NW E D pop /RT E D /WH NW SW pop D CW WH add LL gt
{TX SC LK SC sub 1 sub NN GI GL{SH cF cS OC
2 copy cS ne E cF ne or{NF}{pop pop}ie}{PC /CW WH BW add D}ie
/SC LK D}
{GL{JC}if
/CW CW WH add BW add D /HM t D}ie /GL f D /Ph f D
/LK LK NW length 1 add add D}{pop exit}ie}loop
/fin t D TX SC LK SC sub GI SH RT () ne{GL not{CC}if}if
/LC TX length D /WH RT SW pop D CW WH add Hy{HC SW pop add}if LL gt
{RT GL{SH cF cS OC 2 copy cS ne E cF ne or{NF}{pop pop}ie
Hy{/Ph t D}if /LL LS D}{NL /LL LS D SH}ie}
{RT PC Hy{CC}if /Ph Ph Hy or D}ie RT () ne{/GL t D /HM t D}if}
{TX SW pop LL le{TX SH}{/NW () D 0 2 TX length 1 sub
{/CW E D TX 0 CW GI dup SW pop LL gt{pop NW SH /HM t D NL/LL W XO sub MR sub D
/CW CW 2 sub NN D /TX TX CW TX length CW sub GI D TX BS exit}
{/NW E D}ie}for}ie}ie /HM t D}D
/CC {C0 length 0 gt{JC}if /C0 [C1 L1 YA YB Mf NS NB TB AF Bw] D
/C1 () D /L0 L1 D /YA 0 D /YB 0 D /Mf 0 D /NS 0 D /NB 0 D}D
/JC {C0 aload length 0 gt{pop pop pop NB add /NB E D NS add /NS E D
dup Mf gt{/Mf E D}{pop}ie dup YB gt{/YB E D}{pop}ie
dup YA gt{/YA E D}{pop}ie pop C1 join /C1 E D /C0 [] D}if}D
/OC {C0 length 0 gt{C1 L1 L0 sub YA YB Mf NS NB TB AF Bw GL C0 aload pop
/Bw E D /AF E D /TB E D /NB E D /NS E D /Mf E D /YB E D /YA E D /C0 [] D
/L1 E D /C1 E D Ph{HC SH}if NL /GL E D /Bw E D /AF E D /TB E D /NB E D /NS E D
/Mf E D /YB E D /YA E D /L1 E D /LL W L1 sub XO sub MR sub WH sub D /CW 0 D
C1 E join /C1 E D}if}D
/BT {/LB t D dup length string copy RS dup dup () ne E ( ) ne and
{/CI 0 D /LS LL D /LL W L1 sub XO sub MR sub D BS}
{dup ( ) eq{/GL f D}if dup () eq L1 0 eq or{pop}{SH /BP f D /Ph f D}ie}ie
/LB f D} D
/BL {CP E pop XO E M} D
/NL {JC /GL f D /SK W XO sub MR sub L1 sub TB{Bw add}if D
/YA LF{Mf HM Fl not and PF or{LH mul}if}{0 /LF t D}ie YA 2 copy lt{E}if pop D
C1 () ne{/FB YB Mf SA{Sf mul}if 4 div 2 copy lt{E}if pop D}if Fl{/Ya YA D}if
CP E pop YA sub YB sub LE neg lt Fl not and PB not and{NP}if NT TL BL
OU PF not and PB or{/RE L1 TB{Bw sub}if
W XO sub MR sub div YA YB add LE BO add div 2 copy lt{E}if pop D
RE 1 gt{BL 1 RE div dup scale}if}if
AT 2 le{SK AT mul 2 div YA neg R}if
AT 3 eq{0 YA neg R TB{/NB NB 1 sub D /NS NS 1 sub D}if /NB NB 1 sub NN D
/A3 NS 6 mul NB add D NS NB add 0 eq
{/A1 0 D /A2 0 D}
{NS 0 eq{/A1 SK NB div dup J gt{pop 0}if D /A2 0 D}{J A3 mul SK lt
{/A1 J D /A2 SK J NB mul sub NS div dup Ab gt{/A1 0 D pop 0}if D}
{/A1 SK A3 div D /A2 A1 6 mul D}ie}ie}ie /A1 A1 NN D /A2 A2 NN D}if
AT 4 eq{0 YA neg R PH 2 le{PD 0 lt{/PD L1 D}if PD M1 gt{/M1 PD D}if
L1 PD sub M2 gt{/M2 L1 PD sub D}if}{DV ID 1 sub get 0 ge{Lo 0 R}if}ie}if
F0 cF ne Cs cS ne or{F0 Cs NF}if
/ms Ms D /Ms f D CP FB sub
C1 cvx exec XO EO sub L1 add TB{BW sub}if dup LM gt{/LM E D}{pop}ie
PH 0 eq PH 4 eq or Ms and{HF not{/PO t D /AH t D}if
BB CP YA add E AT 3 eq LB and{A1 sub}if TB{BW sub}if E BB}
{pop pop}ie Ms HM PH 3 eq and or{/BP f D /Fl f D}if
/Lo 0 D /L1 0 D /F0 cF D /Cs cS D BP not{0 YB NN neg R}if
OU f1 and mF not and{k2 /f1 f D}if
OU PF not and PB or{RE 1 gt{RE dup scale}if}if /Ms ms Ms or D
/C1 AF{(Cp )}{()}ie D /YA 0 D /YB 0 D BL
AT 4 eq LB not and PH 3 ge and
{ID DV length lt{DV ID get dup 0 ge{DO E sub /Lo E D /L1 Lo D}{pop}ie
/ID ID 1 add D}if}if /T t D CD{/LN LN 1 add D PD}if
/PD -1 D /NS 0 D /NB 0 D /TB f D /Ph f D /Mf 0 D /HM f D} D
/RS {/TM E D /CN 0 D TM{10 eq{TM CN ( ) PI}if /CN CN 1 add D}forall
/CN 0 D /BK HM EN and{0}{1}ie D TM
{dup 32 ne{TM CN 3 2 roll put /CN CN 1 add D /BK 0 D}
{pop BK 0 eq{TM CN 32 put /CN CN 1 add D}if /BK 1 D}ie}forall
TM 0 CN GI dup dup () ne E ( ) ne and
{dup CN 1 sub get 32 eq{/EN f D}{/EN t D}ie}if} D
/join {2 copy length E length add string dup 4 2 roll 2 index 0 3 index
PI E length E PI}d
/WR {(\n) search{dup () ne BP not or
{Li 4 le CP E pop YI Li mul add LE add 0 lt and PL 0 eq and{NP}if
SH NL pop /Li Li 1 sub D WR}{pop pop WR}ie}{SH}ie /CI 0 D /BP f D} D
/SH {dup dup () ne E ( ) ne and PF or CS Mf gt and{/Mf CS D}if
T not Wf and{( ) E join /T t D}if dup BP{/MF CS D}if
AT 3 eq{2 copy length dup 0 gt{/NB E NB add D
{( ) search{/NS NS 1 add D pop pop}{pop exit}ie}loop}{pop pop}ie}if
CD PD 0 lt and{dup DC search{SW pop /PD E L1 add D pop pop}{pop}ie}if
0 Np dup SW pop L1 add /L1 E D dup () ne
{C1 (\() join E join (\)) join AU AF and UF or Wf and{( U ) join}if
sF{( s ) join}if ( S ) join
/C1 E D dup length 1 sub get 32 eq /TB E D /Bw BW D}{pop pop}ie} D
/BG {AI LG BC add add 0 eq} D
/ON {OU{Ty AR AI NN get dup 1 add Ln Ns Ty 2 mod 0 eq{(. )}{(\) )}ie join
dup SW pop neg 0 R CP E 0 lt{0 E M}{pop}ie CP BB show /Ms t D}if} D
/Ln {AR AI 3 -1 roll put}D
/SP {dup CI lt BP not and{dup CI sub 0 E R /CI E D}{pop}ie} D
/BN {PF{WR /HM f D}{BT NL}ie} D
/NN {dup 0 lt{pop 0}if} D
/h {(h) HI ST cvs join cvx exec dup 1 get E Nf{0 get E join}{pop}ie} D
/H {/fn FN D /Hi E 1 add D 1 sub /HL E D /H2 HL 2 add D /GS EZ H2 get D
E Tm H2 get GS mul BE dup 0 gt{1 sub}{pop EG H2 get dup 0 lt{pop AT}if}ie NA
WW Np /SL SL 1 add D /FN EF H2 get D GS Ey H2 get FS
EU H2 get Sc Hs not HL Hl lt and Hs HL hl lt and or Hi 0 eq or
{/HI Hi D /Hs t D /hl HL D /Hv HL D}if HL Hl lt{/hi Hi D}if
Nf HI 0 gt and{(h) Hi ST cvs join cvx exec 0 get WB}if
/HF t D /AH f D /PO f D} D
/EH {Bm H2 get GS mul BE OA /SL SL 1 sub NN D /CF 0 D /FN fn D
SZ SL get FR SL get FS /HF f D /GS Ts D ()Ec} D
/P {E PF{WR}{PO{EP}{BN}ie Ts 4 mul Np AE not{Tm 0 get Ts mul neg SP}if
dup 0 ge AH and{Pi Pd}if}ie 1 sub dup 0 lt{pop AV AL get}if /AT E D /PO t D} D
/EP {PF{WR}{BN Ts 4 mul Np}ie AE not{Bm 0 get Ts mul neg SP}if
/AT AV AL get D /PO f D} D
/BE {E PO{EP}{BN}ie Ts 4 mul Np neg SP} D
/HR {/Aw W EO sub D /RW E dup 0 gt{Aw mul}{neg}ie dup Aw gt{pop Aw}if D /RZ E D
E BN Ts neg SP 1 sub 2 div Aw RW sub mul EO add CP E pop M PF{0 Ps neg R}if
0 Np OU{gsave RZ LW Cf{Hc VC}{0 Sg}ie CP BB RW 0 RL CP BB stroke grestore}if
/CI 0 D /BP f D PF not{Ts neg SP}if /Ms t D} D
/AD {I NL EG 14 get dup 0 lt{pop AT}if NA /AE t D Tm 14 get Ts mul neg SP
Cf{EU 14 get dup -1 eq{pop CA CL get}if Sc}if} D
/DA {BN ()ES OA /AE f D ()Ec Bm 14 get Ts mul neg SP} D
/PR {/MW E D /Li E D Tm 1 get Ps mul BE 0 NA /FN Fp D /PF t D SI /SL SL 1 add D
/CF 0 D Ps CS mul Ts div MW WC mul CS mul Ts div dup LL gt PL 0 eq and
{LL div div}{pop}ie Ey 1 get FS CP E pop LE add YI neg div cvi dup Li lt
AH and{4 lt YI Li mul 5 mul LE add 0 gt or PL 0 eq and{NP}if}{pop}ie
EU 1 get Sc /GS Ps D}D
/RP {WR NL () /PF f D SI /FN 0 D ES Bm 1 get Ps mul neg SP OA /GS Ts D} D
/SI {/XO Lm 15 get BC NN mul Lm 16 get AI UI sub NN mul add
Lm 17 get UI NN mul add Lm 20 get LG NN mul add Ts mul
PF{Lm 1 get Ps mul add}if EO add D
/MR Rm 15 get BC NN mul Rm 16 get AI UI sub NN mul add
Rm 17 get UI NN mul add Rm 20 get LG NN mul add Ts mul
PF{Rm 1 get Ps mul add}if D /LL W XO sub MR sub D} D
/DT {/cC E D BN /LG LG 1 sub D SI /LG LG 1 add D WW 2 div Np BL} D
/DD {WB Cc 0 eq cC 0 eq and L1 0 eq or Lm 20 get Ts mul L1 sub TB{BW add}if
Ts 2 div lt or NL /LF E D SI BL /cC 0 D} D
/DL {Dc LG Cc put /Cc E D BG{Tm 18 get Ts mul BE}{BN}ie /LG LG 1 add D BL} D
/LD {BN LG 0 gt{/LG LG 1 sub D}if /Cc Dc LG get D SI
BG{()Bm 18 get Ts mul BE}if BL} D
/UL {BG{Tm 17 get Ts mul BE}{BN}ie NR AI NN 0 put /UI UI 1 add D
/AI AI 1 add D SI BL} D
/LU {BN /UI UI 1 sub D /AI AI 1 sub D SI BG{()Bm 17 get Ts mul BE}if BL} D
/OL {E BG{Tm 16 get Ts mul BE}{BN}ie TR AI NN Ty put /Ty E D NR AI NN 1 put
/AI AI 1 add D SI BL 1 Ln} D
/LO {BN /AI AI 1 sub D /Ty TR AI get D SI BG{()Bm 16 get Ts mul BE}if BL} D
/LI {E BN -1 SP /BP f D /CI 0 D 0 Np NR AI 1 sub NN get 1 eq
{dup dup 0 gt E 4 le and{/Ty E D}{pop}ie
/L1 L1 Ty AR AI NN get Ns SW pop XO sub dup 0 lt{pop 0}if add D ( ON )}
{pop ( B )}ie C1 E join /C1 E D CS Mf gt{/Mf CS D}if BL} D
/BQ {Tm 15 get Ts mul BE /BC BC 1 add D SI BL} D
/QB {Bm 15 get Ts mul BE /BC BC 1 sub D SI BL} D
/Al {E EP 1 sub dup 0 lt{pop AV AL get}if NA} D
/Ea {EP OA} D
/WB {PF{WR}{BT}ie} D
/F1 {WB /FN 0 D CS 0 FS} D
/F2 {WB /FN WI D CS 0 FS} D
/HY {/Hy t D WB /Hy f D} D
/YH {WB} D
/A {/LT E D LT 1 eq{/RN E D}if /Lh E D WB /C1 C1 ( Cp ) join D
Lc AF not and{Cl Sc}if /AF t D} D
/EA {Lc AF and{Ec}{WB}ie TL Pa AF and Lh 0 ne and
{( \() Lh join (\)) join /AF f D WB}if /AF f D} D
/TL {C1 ( Tl ) apa /C1 E D} d
/apa {AF OU and Lh 0 ne LT 1 eq or and{LT 1 eq{RN ( /) E ST cvs join}
{(\() Lh join (\)) join}ie E join join}{pop}ie} d
/Cp {/Xc CP /Yc E D D} D
/SS {Cf{dup 0 ge{EU E get dup -1 eq{pop CA CL get}if}{pop CA CL get}ie Sc}
{pop}ie SZ SL get /SL SL 1 add D} D
/I {WB 8 SS 1 FS} D
/EM {WB 8 SS /CF CF 1 xor D 0 FS} D
/BD {WB 9 SS 2 FS} D
/TT {WB 10 SS /FN Fp D 0 FS} D
/KB {WB 11 SS /FN Fp D 2 FS} D
/CT {WB 12 SS 1 FS} D
/SM {WB 13 SS /FN Fp D 0 FS} D
/Q {/QL QL 1 add D QO QL 2 mod get La get join WB} D
/EQ {QC QL 2 mod get La get join WB /QL QL 1 sub D} D
/RO {WB -1 SS /CF 0 D 0 FS} D
/SY {WB -1 SS -1 FS} D
/MY {WB -1 SS -2 FS} D
/ES {WB /SL SL 1 sub NN D /CF 0 D /FN FO SL get D SZ SL get FR SL get FS ()Ec}D
/FZ {3 sub 1.2 E exp GS mul E WB TL /C1 C1 ( Cp ) join D /SL SL 1 add D 0 FS} D
/Ef {WB TL ()ES /C1 C1 ( Cp ) join D} D
/BZ {dup /Bf E D FZ}D
/Sc {dup -1 ne Cf and{/CL CL 1 add D dup 0 eq{pop [0 0 0]}if
dup CA E CL E put VS ( VC ) join C1 E join /C1 E D}{pop}ie} D
/Ec {WB Cf{/CL CL 1 sub NN D CA CL get VS ( VC ) join C1 E join /C1 E D}if} D
/VS {dup type /arraytype eq{([) E {ST cvs join ( ) join}forall (]) join}if} D
/VC {{255 div}forall setrgbcolor} D
/Sl {dup type /integertype ne{Ds}if /La E D WB}d
/UN {WB /UF t D} D
/NU {WB /UF f D} D
/SE {WB /sF t D} D
/XE {WB /sF f D} D
/sM {/C1 C1 ( k1 ) join D}d
/eM {/C1 C1 ( k2 ) join D}d
/k1 {/YC CP E pop Ts add D /mF t D /f1 t D}d
/k2 {gsave 3 LW -9 CP E pop Ts 0.2 mul sub M -9 YC L stroke grestore /mF f D}d
/Ac {/AC E D WB}d
/Ca {eA{( \()join AC join(\) )join}if WB}d
/s {OU{gsave 0 CS .25 mul R dup SW pop CJ 0 RL stroke grestore}if}D
/CJ {AT 3 eq LB and{E dup dup length 1 sub A1 mul E
{( ) search{pop pop E A2 add E}{pop exit}ie}loop 3 -1 roll add
W CP pop sub 2 copy gt{E}if pop}if}D
/So {/Co E D} D
/SO {C1 Yo ST cvs join ( So ) join /C1 E D (j) SW pop 2 div Pd} D
/Se {E WB CS E div Pd}D
/Pd {dup type /stringtype eq{SW pop}if dup /L1 E L1 add D
ST cvs ( 0 R ) join C1 E join /C1 E D} D
/Sp {0.35 CO} D
/Sb {-0.2 CO} D
/CO {OV Io Yo put /Yo E CS mul Yo add D /Io Io 1 add D -1.5 Io mul 3 add FZ SO
CS Yo add dup YA gt{/YA E D}{pop}ie
Yo neg dup YB gt{/YB E D}{pop}ie} D
/Es {ES /Io Io 1 sub NN D /Yo OV Io get D SO} D
/SB {/N2 0 D 0 1 NI{/N E D{IX N2 get 0 lt{/N2 N2 1 add D}{exit}ie}loop
/K WS N get FC N get mul D /NY AY N2 get D /BV NY array D
0 1 NY 1 sub{/TM K string D currentfile TM readhexstring pop pop BV E TM put}
for BM N BV put /N2 N2 1 add D}for} D
/IC [{/MA E D /MB 0 D}{2 div /MA E D /MB MA D}{/MB E CS sub D /MA CS D}
{pop /MA YS AB mul D /MB 1 AB sub YS mul D}{pop /MA 0 D /MB 0 D}] D
/IP {BV N get /N N 1 add D} D
/II {/K E D IX K get 0 lt{/EC E D}if /TY E D
TY 4 eq{/Y E D /X E D}if TY 3 eq{/AB E D}if
/XW AX K get D /YW AY K get D /IS SG IT K get get D /XS XW IS mul D
/YS YW IS mul D YS IC TY get exec /MA MA Fl not{3 add}if D} D
/IM {II /ty TY D /xs XS D /ys YS D /ya YA D /yb YB D /ma MA D /mb MB D /k K D
/ec EC D /BP f D /CI 0 D WB TL L1 xs add dup XO add MR add W gt
{pop /ma ma Fl{3 add}if D NL /YA ma D /YB mb D /YS ys D /L1 xs D}
{/L1 E D ma YA gt{/YA ma D}if mb YB gt{/YB mb D}if}ie /TB f D
OU{CP E pop YS sub LE neg lt Fl not and PB not and{NP /YA ma D /YB mb D}if
/BP f D ty ST cvs ( ) join IX k get 0 lt{(\() join ec join (\) ) join}if
k ST cvs join ty 3 eq{AB ST cvs ( ) join E join}if
ty 4 eq{X ST cvs ( ) join Y ST cvs join ( ) join E join}if C1 E join
( DI ) join FP 2 eq FP 1 eq AF and or{( FM ) join}if
( Il Cp ) apa /C1 E D /EN f D}if /HM t D /T f D} D
/DI {II /Xc CP /Yc E D D /YN YW neg D /HM t D /CI 0 D /K2 IX K get D gsave
TY 4 eq{OX X IS mul add OY FY add YS sub Y IS mul sub}
{/FY YS D CP MB sub 2 copy /OY E D /OX E D}ie
translate K2 0 ge{/DP AZ K2 get D /BV BM K2 get D XS YS scale /N 0 D XW YW DP
[XW 0 0 YN 0 YW] {IP} FC K2 get 1 eq{image}{f 3 colorimage}ie}
{EX}ie grestore XS 0 R /Ms t D} D
/FM {gsave 0 Sg CP MB sub translate XS neg 0 M 0 YS RL XS 0 RL 0 YS neg RL
XS neg 0 RL stroke grestore} D
/NA {/AT E D /AL AL 1 add D AV AL AT put} D
/OA {AL 0 gt{/AL AL 1 sub D /AT AV AL get D}if} D
/D1 {/BR {CP E pop E BN Mb{CP E pop eq{0 YI R}if}{pop}ie} D
/Sn {OU{C1 E ST cvs join ( Ld ) join /C1 E D}{pop}ie} D} D
/D1 {/BR {BN} D /Sn {OU {C1 E ST cvs join ( Ld ) join /C1 E D} {pop} ie} D} D
/TC {/TF t D /ML 0 D HN{SW pop dup ML gt{/ML E D}{pop}ie}forall NP /RM RM not D
RC /OU Tc D Ep /PN 0 D Ms not TP and{Ip}if /W IW ML sub Ts sub D
/A0 0 D TH{/BR {( ) join BT} D /Sn {pop} D /Au () D}if} D
/TN {0 eq{E EA PF HF or not XR and{HN E get Xr}{pop}ie}
{OU{Tn 0 ge{() BN}if /Tn E D}{pop}ie WB}ie} D
/NT {OU LB not and Tn 0 ge and{PL 0 eq{Ms not{CS CF FS}if CP dup
/y E YA sub D W 9 sub CS -1.8 mul XO L1 add 2 add{y M (.) show}for
HN Tn get dup SW pop IW E sub y M show CP BB M}if /Tn -1 D}if} D
/Ld {/DN E D HN DN Pn put [/View [/XYZ -4 Fl{PS}{CP YA add US E pop}ie null]
/Dest DN ST cvs cvn /DEST pdfmark} D
/C {ND 1 eq{1 sub}if TI mul /XO E D NL Nf not{pop()}if 0 3 -1 roll 1 A} D
/OP {BP not{NP}if PN 2 mod 0 eq{/Ms t D NP}if}D
/Ep {Xp PN 2 mod 0 eq and OU and{/Pn (-) D showpage /PM 1 D LA}if}D
/Dg [73 86 88 76 67 68 77] D
/Rd [0 [1 1 0][2 1 0][3 1 0][2 1 1][1 1 1][2 2 1][3 3 1][4 4 1][2 1 2]] D
/Ns {/m E D /c E 32 mul D /j m 1000 idiv D /p j 12 add string D
c 96 le m 0 gt and{c 32 le {/i 0 D /d 77 D /l 100 D /m m j 1000 mul sub D
j -1 1 {pop p i d c add put /i i 1 add D}for
4 -2 0 {/j E D /n m l idiv D /m m n l mul sub D /d Dg j get D
n 0 gt {/x Rd n get D x 0 get -1 1 {pop p i d c add put /i i 1 add D}for
p i x 1 get sub Dg x 2 get j add get c add put}if /l l 10 idiv D
}for p 0 i GI}
{/i ST length 1 sub D m {1 sub dup 0 ge{dup 26 mod c add 1 add
ST i 3 -1 roll put 26 idiv dup 0 eq{pop exit}if}if /i i 1 sub D}loop
ST i ST length i sub GI}ie}
{m p cvs}ie} D
/US {matrix currentmatrix matrix defaultmatrix matrix invertmatrix
matrix concatmatrix transform} D
/GB {Gb{US}if}D
/Tl {/Rn E D Xc CP pop ne{
[/Rect [Xc 1 sub Yc cS 0.25 mul sub GB CP E 1 add E cS 0.85 mul add GB]
/Subtype /Link /Border [0 0 Cf Lc and LX and AU or{0}{1}ie] Rn type
/nametype eq {/Dest Rn}{/Action [/Subtype /URI /URI Rn] Cd}ie
/ANN pdfmark}if} D
/Il {/Rn E D [/Rect [Xc Yc GB Xc XS add Yc YS add GB] /Subtype /Link
/Border [0 0 0] Rn type /nametype eq{/Dest Rn}
{/Action [/Subtype /URI /URI Rn] Cd}ie /ANN pdfmark} D
/XP {[{/Z Bz 2 div D Z 0 R Z Z RL Z neg Z RL Z neg Z neg RL Z Z neg RL
Fi cH 1 eq and{fill}if} {Bz 0 RL 0 Bz RL Bz neg 0 RL 0 Bz neg RL
Fi cH 1 eq and{fill}if} {0 -5 R Bz 0 RL 0 21 RL Bz neg 0 RL 0 -21 RL}]} D
/MS {/Sm E D WB}D
/O {BN()Sm BX} D
/O {BN()0 Sm BX} D
/BX {/Bt E D Bt 2 lt{/Ch E D CS 0.8 mul}{11 mul}ie W XO sub MR sub
2 copy gt{E}if pop /HZ E D Bt 2 eq{Fi not{pop()}if ( )E join /Ft E D TT
/PF t D /MW 1 D /Li 1 D /Fw Ft SW pop D Fw HZ gt{/HZ Fw 8 add D}if
HZ ST cvs( )join}{WB Ch ST cvs( )join}ie L1 HZ add XO add MR add W gt{NL}if
Bt 2 eq{Ft ES Fw neg HM{CS sub}if Pd}if Bt ST cvs join( Bx )join
Bt 2 eq HM and{CS Pd}if C1 E join /C1 E D /L1 L1 HZ add D /T f D
( ) Pd /PF f D Bt 2 lt{YA CS .8 mul lt{/YA CS .8 mul D}if}
{YB 5 lt{/YB 5 D}if YA 21 lt{/YA 21 D}if}ie /CI 0 D} D
/Bx {dup 2 eq{E /Bz E D}{E /cH E D /Bz CS .8 mul D}ie
OU {gsave 0 Sg XP E get exec stroke grestore}{pop}ie Bz 0 R /Ms t D}D
/SD {FD 4 mul Dy add DZ NF newpath 0 0 M DX t charpath pathbbox
3 -1 roll sub /DY E D E dup /X1 E D sub WM mul WX DY mul add WM DG mul E div
/DF E D /DR WX DF mul DY mul WM div 2 div D} d
/Sd {gsave 0 IL Di mul neg translate IL IW atan Di 0 eq{neg}if rotate
FD 4 mul Dy add DZ NF DR X1 sub DY 2 div neg M cD VC DX show grestore} d
/Pt {/tp t D Tp{NP /Pn (TP) D 0 Tt neg R Th BN NP Ep ET RC ZF}if /tp f D} D
/RC {/AI 0 D /LG 0 D /BC 0 D /UI 0 D /PF f D /Cc 0 D /cC 0 D /Dc 10 array D
/NR [0 1 9{pop 0}for] D /La Ds D /AR 10 array D /TR 10 array D /AV 30 array D
SI /AL -1 D /AT A0 D AT NA /OV 9 array D /Yo 0 D /Co 0 D /Io 0 D /Hy f D
/Ph f D /CL -1 D Ct Sc}D
/ZF {/FR [0 1 30{pop 0}for] D /SZ [0 1 30{pop 0}for] D /FO [0 1 30{pop 0}for] D
/SL 0 D /CF 0 D /FN 0 D 0 Ts SF}D
/QO [[(\234)(\233)(\253\240)(\232)(\273)(\253)][(')(`)(\253\240)(\231)(\273)(\253)]] D
/QC [[(\234)(\234)(\240\273)(\233)(\253)(\273)][(')(')(\240\273)(`)(\253)(\273)]] D
/Hf EF length 2 sub D
/Hz EZ Hf get D
/HS Ey Hf get D
/Fz EZ Hf 1 add get D
/Fs Ey Hf 1 add get D
/LE IL D
/Ps EZ 1 get D
/Fp EF 1 get D
/XO 0 D
/YI 0 D
/CI 0 D
/FP 0 D
/WW Ts 7 mul D
/Mf 0 D
/YA 0 D
/YB 0 D
/Cs Ts D
/GS Ts D
/F0 0 D
/NS 0 D
/NB 0 D
/N 0 D
/C0 [] D
/C1 () D
/Lo 0 D
/L1 0 D
/LM 0 D
/PH 0 D
/EC 0 D
/Lh 0 D
/LT 0 D
/CH 1 string D
/ST 16 string D
/CA 9 array D
/HC (\255) D
/HM f D
/PF f D
/EN f D
/TB f D
/UF f D
/sF f D
/AE f D
/AF f D
/BP t D
/CD f D
/PA t D
/GL f D
/T t D
/HF f D
/AH f D
/SA f D
/PB f D
/f1 f D
/mF f D
/OX 0 D
/OY 0 D
/FY 0 D
/EO 0 D
/FB 0 D
/PL 0 D
/Bw 0 D
/PD -1 D
/TP f D
/tp f D
/TH t D
/Ty 4 D
/Tn -1 D
/Fl t D
/LB t D
/PM 1 D
/Ms f D
/Ba f D
/Bb f D
/Hl 3 D
/hl 6 D
/Hv 6 D
/Hs f D
/HI 0 D
/hi 0 D
/PO t D
/TE f D
/LF t D
/BO 0 D
/Sm 1 D
/Bf 3 D
/A1 0 D
/A2 0 D
/Ds 1 D
/QL -1 D
/Cb Db D
/Ct Dt D
/Cl Dl D
[/Creator (html2ps version 1.0 beta4) /Author () /Keywords () /Subject ()
/Title (Pareto-Secure) /DOCINFO pdfmark
/ND 1 D
/HN [1 1 85{pop (??)}for] D
/h0 [()(Table of Contents)] D
/h1 [(0.1\240\240)( Preamble )] D
/h2 [(0.1.1\240\240)(On the Nature of Security)] D
/h3 [(0.1.2\240\240)(Acknowledgments)] D
/h4 [(0.2\240\240)( Prior Work )] D
/h5 [(0.2.1\240\240)(Measuring Strength in Cryptography Components)] D
/h6 [(0.2.2\240\240)(The 1st Law)] D
/h7 [(0.2.3\240\240)(Relative Security and Components)] D
/h8 [(0.2.4\240\240)(Components and Systems)] D
/h9 [(0.3\240\240)( Pareto-Secure )] D
/h10 [(0.3.1\240\240)(The theory of Pareto efficiency)] D
/h11 [(0.3.2\240\240)(Introducing Pareto-secure)] D
/h12 [(0.3.3\240\240)(Components within a Security System)] D
/h13 [(0.3.4\240\240)(Introducing Pareto-Complete)] D
/h14 [(0.3.5\240\240)(Combining Components)] D
/h15 [(0.4\240\240)( Conclusions )] D
/h16 [(0.4.1\240\240)(Summary)] D
/h17 [(0.4.2\240\240)(Choice)] D
/h18 [(0.4.3\240\240)(Applicability)] D
/h19 [(0.4.4\240\240)(Limitations)] D
/h20 [(0.4.4.1\240\240)(The full system)] D
/h21 [(0.4.4.2\240\240)(Time)] D
/h22 [(0.4.4.3\240\240)(Kaldor-Hicks)] D
/h23 [(0.5\240\240)( References )] D
/Hr [-62 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82
83 84]D
/HV [1 2 3 3 2 3 3 3 3 2 3 3 3 3 3 2 3 3 3 3 4 4 4 2]D
/Cn [5 2 0 0 4 0 0 0 0 5 0 0 0 0 0 4 0 0 0 3 0 0 0 0]D
Hr length 0 gt{[/PageMode /UseOutlines /DOCVIEW pdfmark}if
/Hn 1 D
0 1 Hr length 1 sub{
/Bn E D [Cn Bn get dup 0 gt{/Count E HV Bn get Bl ge{neg}if}{pop}ie
/Dest Hr Bn get dup abs ST cvs cvn E 0 ge{(h)Hn ST cvs join cvx exec
dup 1 get E Nf{0 get E join}{pop}ie /Hn Hn 1 add D}{()}ie
/Title E dup length 255 gt{0 255 getinterval}if /OUT pdfmark}for
ZF /FN Fp D Ps 0 FS /WC Wf{( )}{}ie SW pop D
ET RC ZF
/Df f D
/R1 (https://www.financialcryptography.com/mt/archives/000457.html) D
/R2 (http://www.acm.org/awards/turing_lectures_project/turing/S/s-pp/shamir_1files_files/TextOnly/index.html) D
/R3 (http://www.financialcryptography.com/mt/archives/000147.html) D
/R4 (http://en.wikipedia.org/wiki/Pareto_efficiency) D
/R5 (http://www.keylength.com/) D
/R6 (http://en.wikipedia.org/wiki/Kaldor-Hicks_efficiency) D
/R7 (http://cm.bell-labs.com/who/akl/index.html) D
/R8 (http://citeseer.ist.psu.edu/287428.html) D
/R9 (http://www.cacr.math.uwaterloo.ca/conferences/1999/ecc99/lenstra.doc) D
/R10 (http://csrc.nist.gov/policies/ombencryption-guidance.pdf) D
/R11 (http://www.faqs.org/rfcs/rfc2246.html) D
/R12 (http://www.ietf.org/html.charters/secsh-charter.html) D
/R13 (http://iang.org/ssl/) D
/R14 (http://news.zdnet.com/2100-1009_22-5564288.html) D
/R15 (http://www.iacr.org/conferences/crypto2004/) D
/R16 (http://www.financialcryptography.com/mt/archives/000199.html) D
/R17 (http://informationsecurity.techtarget.com/magPrintFriendly/0,293813,sid42_gci1052390,00.html) D
/TS {
tables E get /table E D
table aload pop /rdesc E D /cdesc E D /tdesc E D
tdesc aload pop /capalg E D /caption E D /rules E D /frame E D /nfoot E D
/nhead E D /ncol E D /nrow E D /border E D /twid E D /units E D /talign E D
/flow E D /clear E D /tclass E D pop pop
/w W D /eps 0.1 D /OU f D /PL 1 D
/FN EF 21 get D EZ 21 get Ey 21 get FS
0 1 1{
/pass E D
0 1 nrow{
/irow E D
/cells rdesc irow get 6 get D
0 1 ncol{
/icol E D
/cell cells icol get D
cell 0 ne{
cell aload pop /ang E D /CB E D pop pop pop
/DV E D /bot E D /top E D /right E D /left E D /nowrap E D /valign E D
/dp E D /align E D /rspan E D /cspan E D /cclass E D /ctype E D /cmax E D
/cmin E D /proc E D
rspan 0 eq{/rspan nrow irow sub 1 add D}if
cspan 0 eq{/cspan ncol icol sub 1 add D}if
pass 0 eq cspan 1 eq and pass 1 eq cspan 1 gt and or{
/W 1e5 D /LL W D /PH 1 D
ctype 1 eq{() BD}if
RC align NA
AT 4 eq{/CD t D /DC dp D /LN 0 D /M1 0 D /M2 0 D}{/CD f D}ie
0 0 M /LM 0 D proc exec BN
AT 4 eq{
LN array astore cell 15 3 -1 roll put
cdesc icol get dup dup 5 get M1 lt{5 M1 put}{5 get /M1 E D}ie
dup 6 get M2 lt{6 M2 put}{6 get /M2 E D}ie
/LM M1 M2 add D
}if
/CD f D
ang 0 ne{/LM CP E pop neg D}if
/thiswid LM left add right add eps add D
/oldmin 0 D /oldmax 0 D
0 1 cspan 1 sub{
icol add cdesc E get dup 2 get /oldmax E oldmax add D
1 get /oldmin E oldmin add D
}for
thiswid oldmax ge{
0 1 cspan 1 sub{
icol add cdesc E get dup 2 E 2 get oldmax 0 eq
{pop thiswid cspan div}{thiswid mul oldmax div}ie
put
}for
}if
nowrap 1 eq{
thiswid oldmin ge{
0 1 cspan 1 sub{
icol add cdesc E get dup 1 E 1 get oldmin 0 eq
{pop thiswid cspan div}{thiswid mul oldmin div}ie
put
}for
}if
}{
/W 0 D /LL W D /PH 2 D
ctype 1 eq{() ES () BD}if
0 0 M /LM 0 D RC proc exec BN
/thiswid LM left add right add eps add D
thiswid oldmin ge{
0 1 cspan 1 sub{
icol add cdesc E get dup 1 E 1 get oldmin 0 eq
{pop thiswid cspan div}{thiswid mul oldmin div}ie
put
}for
}if
}ie
ctype 1 eq{() ES}if
}if
}if
}for
}for
}for
/tmin 0 D /tmax 0 D
0 1 ncol{
cdesc E get dup 1 get E 2 get 2 copy gt{pop dup}if
tmax add /tmax E D tmin add /tmin E D
}for
twid 0 lt{twid neg IW gt{IW neg}{twid}ie /twid E D}if
tdesc 0 twid neg tmin 2 copy lt{E}if pop put
tdesc 1 twid neg tmax 2 copy lt{E}if pop put
/W w D /LL W D /OU t D /PH 0 D /PL 0 D
} D
/PT {
/PL PL 1 add D
tables E get /table E D Tm 21 get Ts mul BE
PL 2 ge{save}if
/SL SL 1 add D /FN EF 21 get D EZ 21 get Ey 21 get FS
table aload pop /rdesc E D /cdesc E D /tdesc E D
tdesc aload pop /capalg E D /caption E D /rules E D /frame E D /nfoot E D
/nhead E D /ncol E D /nrow E D /border E D /twid E D /units E D /talign E D
/flow E D /clear E D /tclass E D /tmax E D /tmin E D
/w W D /xo XO D /mr MR D /ll LL D /lg LG D /ai AI D /bc BC D /nr NR D /ar AR D
/tr TR D /ui UI D /ph PH D /a0 A0 D /pf PF D /at AT D /av AV D /al AL D
/Le LE D /la La D
talign 0 lt{/talign AL 0 gt{AV AL get}{A0 2 le{A0}{0}ie}ie D}if
ph 1 eq ph 2 eq or{
NL ph 1 eq{tmax}{tmin}ie dup XO add LM gt{/LM E XO add D}{pop}ie LM E
}{
/PH 3 D /LE 1e5 D RC %ZF
border 0 gt{/border 1 D}if
/twidth 0 D /avail W xo sub D
twid 0 eq{0 1 ncol{cdesc E get dup 2 get E 3 get dup 0 gt{div neg dup twid lt
{/twid E D}{pop}ie}{pop pop}ie}for}if
/twid twid dup 0 lt{neg avail 2 copy gt{E}if pop}{avail mul}ie D
/OK t D 0 1 ncol{cdesc E get dup 1 get E 3 get twid mul gt{/OK f D}if}for
0 1 ncol{
cdesc E get dup 1 get /colmin E D dup 3 get /cwid E twid mul D dup
tmax avail le{2 get}if
tmin avail le tmax avail gt and{
dup 2 get E 1 get dup 3 1 roll sub avail tmin sub mul tmax tmin sub div add
}if
tmin avail gt{1 get}if
0 E colmin cwid lt OK and{pop cwid}if dup /twidth E twidth add D put
}for
/OU f D CP
tmin twid le{
0 1 ncol{cdesc E get dup 0 get twidth div twid mul 0 E put}for
/twidth twid D
}if
CP printcap CP E pop sub /caphig E D pop
0 1 1{
/pass E D
0 1 nrow{
/irow E D
/cells rdesc irow get 6 get D
0 1 ncol{
/icol E D
/cell cells icol get D
cell 0 ne{
cell aload pop /ang E D /CB E D pop pop pop
/DV E D /bot E D /top E D /right E D /left E D /nowrap E D /valign E D
/dp E D /align E D /rspan E D /cspan E D /cclass E D /ctype E D /cmax E D
/cmin E D /proc E D
rspan 0 eq{/rspan nrow irow sub 1 add D}if
cspan 0 eq{/cspan ncol icol sub 1 add D}if
/W 0 D
0 1 cspan 1 sub{icol add cdesc E get 0 get /W E W add D}for
pass 0 eq rspan 1 eq and pass 1 eq rspan 1 gt and or{
ctype 1 eq{() BD}if
/W W left sub right sub D /XO 0 D /EO 0 D SI
/A0 align D RC align NA
AT 4 eq{
/DC dp D /DO 0 D /ID 1 D
0 1 DV length 1 sub{DV E get dup DO gt{/DO E D}{pop}ie}for
/Lo DO DV 0 get sub D /L1 Lo D
}if
0 0 M /BP t D /Fl t D /MF 0 D /FB 0 D
proc exec T not{/CI 0 D}if BN 0 FB neg R MF 0 eq{/MF CS D}if
CP /thishig E neg bot add top add CI add D pop
ang 0 ne{/thishig LM bot add top add D}if
cell 16 MF put cell 17 Ya put cell 18 thishig put
valign 4 eq{
/below thishig Ya sub D
rdesc irow get dup dup 4 get Ya lt
{4 Ya put}{4 get /Ya E D}ie
dup 5 get below lt{5 below put}{5 get /below E D}ie
/thishig Ya below add D
}if
ctype 1 eq{()ES}if
/oldhig 0 D
0 1 rspan 1 sub{
irow add rdesc E get 0 get /oldhig E oldhig add D
}for
thishig oldhig ge{
0 1 rspan 1 sub{
irow add rdesc E get dup 0 E 0 get oldhig 0 eq
{pop thishig rspan div}{thishig mul oldhig div}ie
put
}for
}if
}if
}if
}for
}for
}for M RC %ZF
/thight 0 D /racc 0 D /maxh 0 D /brk 0 D /rbeg nhead nfoot add D
0 1 nrow{
rdesc E get dup 0 get dup /thight E thight add D
brk 0 eq{/racc E D}{/racc E racc add D}ie
racc maxh gt{/maxh racc D}if 2 get /brk E D
}for
ph 3 ge{thight caphig add E}if
ph 0 eq ph 4 eq or{
/PH 4 D /LE Le D /OU Ou D /yoff 0 D /headsz 0 D
0 1 nhead 1 sub{rdesc E get 0 get headsz add /headsz E D}for
/footsz 0 D
0 1 nfoot 1 sub{rdesc E nhead add get 0 get footsz add /footsz E D}for
/ahig LE BO add MI add D /maxh maxh headsz add footsz add D
/thight thight headsz add footsz add D
tmin avail gt maxh ahig gt or
{/Sf avail tmin div dup ahig maxh div gt{pop ahig maxh div}if D /SA t D}
{/Sf 1 D}ie
tclass 1 eq thight LE 15 sub gt and
{/SA t D LE 15 sub thight div dup Sf lt{/Sf E D}{pop}ie}if
SA{Sf Sf scale /ll ll Sf div D /xo xo Sf div D /LE LE Sf div D
/mr mr Sf div D /BO BO Sf div D /ahig ahig Sf div D}if
nhead nfoot add getwid
LE CP E pop add capalg 0 eq{caphig sub}if
bT{f}{dup thight lt thight ahig lt and}ie
E headsz sub footsz sub rwid lt or{NP}if
capalg 0 eq{printcap -8 SP}if
CP /ycur E D pop
printhead
rbeg 1 nrow{/row E D row
getwid
ycur yoff add rwid sub footsz sub LE add 0 lt
{nfoot 0 gt{printfoot}if Tf NP /rbeg irow1 D
Ba{MI /MI MI SA{Sf div}if D MI SP /MI E D}if
CP /ycur E D pop /yoff 0 D printhead}if
irow1 printrow
}for
printfoot /row row 1 add D Tf
0 ycur yoff add M
capalg 1 eq{/EO 0 D SI -3 SP printcap}if
Sf 1 lt{1 Sf div dup scale /ll ll Sf mul D /xo xo Sf mul D /LE LE Sf mul D
/mr mr Sf mul D /BO BO Sf mul D /SA f D}if
/EO 0 D
}if
}ie
/W w D /XO xo D /MR mr D /LL ll D /LG lg D /AI ai D /BC bc D /NR nr D /AR ar D
/TR tr D /UI ui D /PH ph D /A0 a0 D /PF pf D /AT at D /AV av D /AL al D
/La la D
/SL SL 1 sub NN D /CF 0 D /FN 0 D SZ SL get FR SL get FS Wf not{()F2}if
PL 2 ge{Ms E restore Ms or /Ms E D PH 1 eq PH 2 eq or
{/LM E D}if PH 3 ge{/CI 0 D NL 0 E neg R}if
}if
/PL PL 1 sub D /CI 0 D /BP f D /PO f D () Bm 21 get Ts mul BE BL %CF CS SF
} D
/printcap{
capalg 0 ge{
SA{/W w Sf div D}
{talign 1 eq{/XO xo ll twidth sub 2 div add D}if
talign 2 eq{/XO xo ll twidth sub add D}if
/W XO twidth add D
}ie /XO xo D /LL W XO sub MR sub D
/PA f D /Fl capalg 0 eq D
1 NA BL caption exec BN OA /PA t D
}if
} D
/getwid{
/irow1 E D
/irow2 irow1 D
/rwid 0 D
{rdesc irow2 get dup 0 get rwid add /rwid E D 2 get 0 eq
{exit}{/irow2 irow2 1 add D}ie
}loop
} D
/printrow{
/xoff ll twidth PL 2 ge{Sf div}if sub talign mul 2 div D
/xleft xoff xo add D
/irow E D
/cells rdesc irow get 6 get D
0 1 ncol{
/icol E D
/cell cells icol get D
cell 0 ne{
cell aload pop /ang E D /CB E D /cvsize E D /above E D /fontsz E D
/DV E D /bot E D /top E D /right E D /left E D /nowrap E D /valign E D
/dp E D /align E D /rspan E D /cspan E D /cclass E D /ctype E D /cmax E D
/cmin E D /proc E D
rspan 0 eq{/rspan nrow irow sub 1 add D}if
cspan 0 eq{/cspan ncol icol sub 1 add D}if
/width 0 D
0 1 cspan 1 sub{icol add cdesc E get 0 get /width E width add D}for
/rhight rdesc irow get 0 get D
/hight rhight D
1 1 rspan 1 sub{irow add rdesc E get 0 get /hight E hight add D}for
/W xo xoff add width add right sub D
ang 0 ne{/W xo xoff add hight add right sub D}if
/EO xo xoff add left add D SI
Cf{
gsave CB VC xo xoff add ycur yoff add M
0 hight neg RL width 0 RL 0 hight RL width neg 0 RL fill
grestore
}if
ctype 1 eq{() BD}if
/A0 align D RC
AT 4 eq{
/DC dp D /ID 1 D /DO cdesc icol get 5 get D /Lo DO DV 0 get sub D /L1 Lo D
}if
ang 0 ne{
gsave ang 90 eq
{xoff ycur add hight cvsize sub 2 div sub ycur hight sub xoff sub}
{xoff ycur sub width add hight cvsize sub 2 div add ycur xoff add}ie
translate ang rotate
}if
valign 3 le{0 ycur yoff add top sub
hight cvsize sub valign 1 sub mul 2 div sub M}
{0 ycur yoff add top sub above add rdesc irow get 4 get sub M}ie
/PA f D /BP t D /Fl t D
BL proc exec BN
ang 0 ne{grestore}if
/PA t D
ctype 1 eq{() ES}if
}if
/xoff xoff cdesc icol get 0 get add D
}for
/yoff yoff rhight sub D
} D
/printhead {0 1 nhead 1 sub{printrow}for} D
/printfoot {nhead 1 nhead nfoot add 1 sub{printrow}for} D
/Tf {
OU{rules 2 ge{/yoff 0 D
gsave 0 Sg
[0 1 nhead 1 sub{}for rbeg 1 row 1 sub{}for nhead 1 nhead nfoot add 1 sub{}for]{
/irow E D
/xoff ll twidth PL 2 ge{Sf div}if sub talign mul 2 div D
/cells rdesc irow get 6 get D
0 1 ncol{
/icol E D
/cell cells icol get D
cell 0 ne{
/rspan cell 6 get D
/cspan cell 5 get D
rspan 0 eq{/rspan nrow irow sub 1 add D}if
cspan 0 eq{/cspan ncol icol sub 1 add D}if
/width 0 D
0 1 cspan 1 sub{icol add cdesc E get 0 get /width E width add D}for
/rhight rdesc irow get 0 get D
/hight rhight D
1 1 rspan 1 sub{irow add rdesc E get 0 get /hight E hight add D}for
xo xoff add width add ycur yoff add M
0 hight neg icol cspan add 1 sub ncol lt
{cdesc icol 1 add get 4 get dup rules 3 le{1 eq}{pop t}ie
{1 eq{0.8}{0.3}ie
LW RL CP stroke M}{pop R}ie}{R}ie
irow nhead nfoot add 1 sub ne nfoot 0 eq or
{irow rspan add 1 sub nrow lt
{rdesc irow rspan add get 3 get}{nfoot 0 eq{0}{1}ie}ie
dup rules 2 mod 0 eq{1 eq}{pop t}ie
{1 eq irow rspan add nhead eq or irow rspan add row eq nfoot 0 gt and or
{0.8}{0.3}ie LW width neg 0 RL CP stroke M}{pop}ie}if
}if
/xoff xoff cdesc icol get 0 get add D
}for
/yoff yoff rhight sub D
}forall
grestore
/Ms t D
}if
frame 1 gt{
gsave
1 LW 0 Sg
xleft ycur M CP BB
0 yoff frame 5 eq frame 7 ge or{RL}{R}ie
twidth 0 frame 3 eq frame 4 eq or frame 8 ge or{RL}{R}ie CP BB
0 yoff neg frame 6 ge{RL}{R}ie
twidth neg 0 frame 2 eq frame 4 eq or frame 8 ge or{RL}{R}ie
closepath stroke
grestore
/Ms t D
}if
}if
} D
/tables [[[0 0 0 0 0 -1 0 0 1 0 0 0 0 9 5 {()} -1]
[[0 0 0 0 0 0 0]]
[[0 0 0 0 0 0 [[{()1 Sl()WB( )2 P()I(S1 - 3 laws of security)ES()EP(
)UL()BR()-1 LI(Absolutely secure systems do not exist)BR()-1 LI(To halve your vulnerability, you have to double your expenditure)BR()-1 LI(Cryptography is typically bypassed, not penetrated)BR()LU(
)BQ(Adi Shamir,
)R2 2 A(Turing Award lecture)EA(,
2004.)QB(
)} 0 0 0 0 1 1 0 (.) 2 0 10 10 10 10 0 0 0 0 [16#F0 16#F0 16#F0] 0 ]
]]
]]
[[0 0 0 0 0 2 0 0.5 0 0 0 0 0 1 1 {()} -1]
[[0 0 0 0 0 0 0]]
[[0 0 0 0 0 0 [[{()1 Sl()WB( )0 PT()} 0 0 0 0 1 1 0 (.) 2 0 15 15 15 15 0 0 0 0 Db 0 ]
]]
]]
[[0 0 0 0 0 -1 0 0 1 0 0 0 0 9 5 {()} -1]
[[0 0 0 0 0 0 0]]
[[0 0 0 0 0 0 [[{()1 Sl()WB( )2 P()I(S2 - Is AES absolutely secure?)ES()EP(
)0 P(Consider the AES algorithm,
the current day standard in secure
secret key encryption systems.
There are no known attacks on this algorithm
that are better than brute force, and current
calculations put brute force attacks outside
our capabilities
)2 FZ([)0 36 1 A(NIST1)WB 6 Sn()36 0 TN TL()Ec /AF f D(])ES(.
Thus to all intents and
purposes, AES is secure,
and it is recommended without
caveat by many experts.)EP(
)0 P(Yet this rides on a simple assumption that
the secret key is kept secret. Within a
real world cryptosystem, if an attacker
adjusts the security framework and reveals
the key, then the cryptosystem is broken,
and AES is "no longer secure" by some measure.)EP(
)0 P(It is in the challenge of the assumptions
that the algorithm is rendered defeated,
which is, according to the 1st law, acceptable.
Because there are no absolute assumptions,
there are no absolutely secure security
systems.)EP(
)} 0 0 0 0 1 1 0 (.) 2 0 10 10 10 10 0 0 0 0 [16#F0 16#F0 16#F0] 0 ]
]]
]]
[[0 0 0 0 0 2 0 0.5 0 0 0 0 0 1 1 {()} -1]
[[0 0 0 0 0 0 0]]
[[0 0 0 0 0 0 [[{()1 Sl()WB( )2 PT()} 0 0 0 0 1 1 0 (.) 2 0 15 15 15 15 0 0 0 0 Db 0 ]
]]
]]
[[0 0 0 0 0 -1 0 0 1 0 0 0 0 9 5 {()} -1]
[[0 0 0 0 0 0 0]]
[[0 0 0 0 0 0 [[{()1 Sl()WB( )2 P()I(S3 - Wikipedia on Pareto)ES()EP(
)I("Pareto efficiency, or Pareto optimality,
is a central concept in game theory with
broad applications in economics, engineering
and the social sciences.
A change that can make at least one
individual better off, without making
any other individual worse off is called
a Pareto improvement:
an allocation of resources is
Pareto efficient when no further
Pareto improvements can be made.")ES(
)} 0 0 0 0 1 1 0 (.) 2 0 10 10 10 10 0 0 0 0 [16#F0 16#F0 16#F0] 0 ]
]]
]]
[[0 0 0 0 0 2 0 0.5 0 0 0 0 0 1 1 {()} -1]
[[0 0 0 0 0 0 0]]
[[0 0 0 0 0 0 [[{()1 Sl()WB( )4 PT()} 0 0 0 0 1 1 0 (.) 2 0 15 15 15 15 0 0 0 0 Db 0 ]
]]
]]
[[0 0 0 0 0 -1 0 0 1 0 0 0 0 9 5 {()} -1]
[[0 0 0 0 0 0 0]]
[[0 0 0 0 0 0 [[{()1 Sl()WB( )2 P()I(S4 - A Simple Unbalanced Cryptosystem)ES()EP(
)0 P(Consider a system with a 4 digit PIN
encrypting with a strong encryption algorithm.
Attackers can take any number, encrypt with it
and test it against an oracle that confirms,
correct or not. Or they can attack the algorithm.)EP(
)0 P(In this simple cryptosystem, the PIN dominates
as the weak link. Assuming the encryption algorithm
is even remotely strong, the dominating attack
is to try all of the 10,000 possibilities.
Attacking the algorithm would be inefficient.)EP(
)0 P(If chosen for such a cryptosystem,
DES would be Pareto-secure.
Putting in AES would not result
in a Pareto improvement.
Any Pareto improvements would
come from adding digits to the PIN,
and many more digits would be needed
to match and stress the strength of DES.)EP(
)} 0 0 0 0 1 1 0 (.) 2 0 10 10 10 10 0 0 0 0 [16#F0 16#F0 16#F0] 0 ]
]]
]]
[[0 0 0 0 0 2 0 0.5 0 0 0 0 0 1 1 {()} -1]
[[0 0 0 0 0 0 0]]
[[0 0 0 0 0 0 [[{()1 Sl()WB( )6 PT()} 0 0 0 0 1 1 0 (.) 2 0 15 15 15 15 0 0 0 0 Db 0 ]
]]
]]
[[0 0 0 0 0 -1 0 0 1 0 0 0 0 9 5 {()} -1]
[[0 0 0 0 0 0 0]]
[[0 0 0 0 0 0 [[{()1 Sl()WB( )2 P()I(S5 - Is AES Pareto-complete?)ES()EP(
)0 P(AES is both secure against all
practical attacks, and there is no improvement
we can make that will offer a better security
choice in a cryptosystem,
regardless of the cryptosystem.
Of course this rests dangerously on our choice
of what exactly are reasonable assumptions in
all security systems.)EP(
)0 P()BD(1. The key.)ES(
As the key
represents such an asymmetrical threat to
the algorithm, it is common security practice
to model the key breach as a breach
in another component or layer of the system,
rather than as a breach in the algorithm.)EP(
)0 P()BD(2. Time.)ES(
The second assumption to challenge would be
the march of time. NIST states that AES is
"secure for at least 20-30 years
)2 FZ([)0 44 1 A(NIST)WB 14 Sn()44 0 TN TL()Ec /AF f D(])ES(."
The )R5 2 A(Key Length Calculator)EA(
places 128 bit key lengths as secure until 2088,
using Lenstra and Verheul's framework
)2 FZ([)0 45 1 A(UCL)WB 15 Sn()45 0 TN TL()Ec /AF f D(])ES(
)2 FZ([)0 46 1 A(LV3)WB 16 Sn()46 0 TN TL()Ec /AF f D(])ES(.
We know of no generally fielded cryptosystems
that require even 20 years.)EP(
)0 P()BD(3. Esoterica.)ES(
It may be that AES is Pareto-secure for
all commercial security systems, but there
may also be esoteric 'national security'
systems where the assumptions are not so robust.
Our attitude to those exceptions is to
excuse them from being reasonable;
such systems designers know that they
are pushing the envelope, and they have
the budget for that.)EP(
)0 P(Thus, we suggest as our working hypothesis
that AES is Pareto-complete.)EP(
)} 0 0 0 0 1 1 0 (.) 2 0 10 10 10 10 0 0 0 0 [16#F0 16#F0 16#F0] 0 ]
]]
]]
[[0 0 0 0 0 2 0 0.5 0 0 0 0 0 1 1 {()} -1]
[[0 0 0 0 0 0 0]]
[[0 0 0 0 0 0 [[{()1 Sl()WB( )8 PT()} 0 0 0 0 1 1 0 (.) 2 0 15 15 15 15 0 0 0 0 Db 0 ]
]]
]]
[[0 0 0 0 0 -1 0 0 0 6 4 0 0 1 1 {()} -1]
[[0 0 0 0 0 0 0][0 0 0 0 0 0 0][0 0 0 0 0 0 0][0 0 0 0 0 0 0][0 0 0 0 0 0 0]]
[[0 0 0 0 0 0 [[{()1 Sl()WB()} 0 0 0 0 1 1 0 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
[{()1 Sl()WB()I(Before Crypto 2004)ES()} 0 0 1 0 2 1 1 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
0
[{()1 Sl()WB()I(After Crypto 2004)ES(
)} 0 0 1 0 2 1 1 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
0
]]
[0 0 0 0 0 0 [[{()1 Sl()WB()} 0 0 0 0 1 1 0 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
[{()1 Sl()WB( Pareto-secure)BR(\201signatures\202 )} 0 0 1 0 1 1 1 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
[{()1 Sl()WB( Pareto-complete )} 0 0 1 0 1 1 1 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
[{()1 Sl()WB( Pareto-secure)BR(\201signatures\202 )} 0 0 1 0 1 1 1 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
[{()1 Sl()WB( Pareto-complete
)} 0 0 1 0 1 1 1 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
]]
[0 0 0 0 0 0 [[{()1 Sl()WB(MD5)} 0 0 0 0 1 1 0 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
[{()1 Sl()WB( ? )} 0 0 0 0 1 1 0 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
[{()1 Sl()WB( No )} 0 0 0 0 1 1 0 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
[{()1 Sl()WB( No )} 0 0 0 0 1 1 0 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
[{()1 Sl()WB( No
)} 0 0 0 0 1 1 0 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
]]
[0 0 0 0 0 0 [[{()1 Sl()WB(SHA0)} 0 0 0 0 1 1 0 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
[{()1 Sl()WB( Yes )} 0 0 0 0 1 1 0 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
[{()1 Sl()WB( ? )} 0 0 0 0 1 1 0 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
[{()1 Sl()WB( No )} 0 0 0 0 1 1 0 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
[{()1 Sl()WB( No
)} 0 0 0 0 1 1 0 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
]]
[0 0 0 0 0 0 [[{()1 Sl()WB(SHA1)} 0 0 0 0 1 1 0 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
[{()1 Sl()WB( Yes )} 0 0 0 0 1 1 0 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
[{()1 Sl()WB( Yes )} 0 0 0 0 1 1 0 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
[{()1 Sl()WB( ? )} 0 0 0 0 1 1 0 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
[{()1 Sl()WB( No
)} 0 0 0 0 1 1 0 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
]]
[0 0 0 0 0 0 [[{()1 Sl()WB(SHA256)} 0 0 0 0 1 1 0 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
[{()1 Sl()WB( Yes )} 0 0 0 0 1 1 0 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
[{()1 Sl()WB( Yes )} 0 0 0 0 1 1 0 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
[{()1 Sl()WB( Yes )} 0 0 0 0 1 1 0 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
[{()1 Sl()WB( ?
)} 0 0 0 0 1 1 0 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
]]
[0 0 0 0 0 0 [[{()1 Sl()WB(T1 - Pareto-secure status of Message Digests
)} 0 0 1 0 5 1 1 (.) 2 0 5 5 5 5 0 0 0 0 Db 0 ]
0
0
0
0
]]
]]
] D
0 1 10{TS}for RC ZF
/Ba f D /BO 0 D Bs
/UR (/tmp/page2ps2) D
/Ti (Pareto-Secure) D
/Au () D
/Df f D
/ME [()] D
/Cb Db D /Ct [16#00 16#00 16#00] D /Cl [16#00 16#00 16#00] D /CL -1 D Ct Sc
Pt
/Ba f D /BO 0 D Bs
/UR (/tmp/page2ps2) D
/Ti (Pareto-Secure) D
/Au () D
/Df f D
/ME [()] D
NP RC ZF
()1 Sl()WB 0 Sn(
)BR()2 Al(
)UN()I(Work - in - Progress)ES()NU(
)BR( )+2 Bf add FZ()BD( Pareto-Secure
)ES()Ef(
)BR( A definition of security using the theory of Pareto Efficiency
)BR( )+1 Bf add FZ( Ian Grigg)BR( )I(Systemics, Inc.)ES()BR( )Ef(
)BR( 2004 - 2005
)BR()Ea(
)2 Al(
)BD()4 FZ($Revision: 1.16 $)ES()ES()BR()2 FZ($Date: 2005/12/25 23:04:21 $)ES()BR()2 FZ()R1 2 A(Comments on FC++)EA()ES(
)Ea(
)BR()BR()BQ( )0 P( )BD(Abstract: )ES(
What do people mean when they say something is secure?
)EP()0 P( Shamir's 1st law says absolute security does
not exist, yet the popular press and the security
buying process is inundated in secure product.
For some of these products, there may be merit in the term,
but for many it is more debatable.
Such differences of meaning and applicability
suggest low efficiency in the market for
security, as well as a blackspot on the claim for
security as a robust science.
)EP()0 P( One way to define 'secure' is to apply the economics theory and
terminology of )I(Pareto efficiency)ES(. This simple structure
gives an easy way to categorise and choose among alternates,
and identifies when an optimum has been reached.
We suggest that this meaning may already be in wide
spread usage, intuitively, among security practitioners
and the popular press.
)EP(
)QB()BR()BR(
)0 2 0 H()WB 62 Sn( )0 61 1 A()WB 1 Sn( Preamble )61 0 TN TL()Ec /AF f D()EH(
)0 3 1 H()WB 63 Sn( On the Nature of Security )EH(
)0 P(Pareto-efficiency is an economics concept dating
from the early 20th Century
)2 FZ([)0 33 1 A(VP)WB 2 Sn()33 0 TN TL()Ec /AF f D(])ES(:
)BQ()I(A change that can make at least one individual
better off, without making any other individual
worse off is called a Pareto improvement:
an allocation of resources is Pareto efficient
when no further Pareto improvements can be made.)ES()QB(
)0 P(This essay applies this framework to the field of
security, especially that of cryptographic systems.)EP(
)0 P(Security is substantially complex. In constructing
security systems, we build from strong components.
A most common reductionist technique of
security professionals is to create every
link in the chain as strong as possible,
and hope that no link becomes too weak.
At the component level, this is well understood,
and indeed in cryptography we have many strong
components.)EP(
)0 P(Strong cryptographic components might be a mixed blessing.
Much effort is undertaken to deal with the
inherent complexities in interaction between
these components,
yet the framework for reducing these complexities
is not well founded.
At the systems level, our
concentration on strong components
has sometimes distracted us from the
difficulty of combining them.
The result is that we often
do not challenge our system assumptions,
sometimes holding on to these assumptions
beyond their scope and lifetimes.)EP(
)0 P(This is seen in its extreme form in
the popular press and the purchasing process.
For example,
in cryptosystems, it is almost not a caricature
to say that as long as a cryptosystem uses
AES, triple DES, RSA with key lengths of 1024 bits
or more, and so forth and so on,
not only are these considered secure choices,
but the entire system is considered secure.
Such a leap from components to systems is
unwarranted, yet the signal of an over-strong
algorithm remains strong.)EP(
)0 P(Can economics add anything to these questions?
This essay introduces Pareto efficiency to
security. We suggest
that this framework is already in use at an
intuitive level; when a component is claimed
to be secure, it is meant that it is Pareto-secure.
Using Pareto-security provides at least one view
on how we can rate components within a subsystem,
and gives us limits in statements about systems
security.)EP(
)1 PT(
)0 3 2 H()WB 64 Sn( Acknowledgments )EH(
)0 P(I received valuable feedback from
Twan van der Schoot,
Bryce Wilcox,
Daniel Nagy,
Graeme Burnett
and Nick Szabo.
The original idea to apply the analogue of Pareto-efficiency
came out of discussions with Adam Shostack.)EP(
)0 2 3 H()WB 65 Sn( )0 61 1 A()WB 3 Sn( Prior Work )61 0 TN TL()Ec /AF f D()EH(
)0 3 4 H()WB 66 Sn( Measuring Strength in Cryptography Components )EH(
)0 P(Lenstra and Verheul created a framework to
analyse key strengths based on the life span
of security
)2 FZ([)0 34 1 A(LV1)WB 4 Sn()34 0 TN TL()Ec /AF f D(])ES(.
This approach was suggested by
their observations that it was understandable
to the external user community, and they
explicitly caveated that they offered no
rational founding for it other than user
comprehension
)2 FZ([)0 35 1 A(LV2)WB 5 Sn()35 0 TN TL()Ec /AF f D(])ES(.)EP(
)0 3 5 H()WB 67 Sn( The 1st Law )EH(
)0 P(In his
)R2 2 A(Turing Award lecture)EA(,
Adi Shamir introduced
)R3 2 A(three laws of security)EA(,
see Sidebox 1.
The 1st law states that)EP(
)BQ()I("Absolutely secure systems do not exist.")ES()QB(
)0 P(We can show this by a simple contradiction argument.
A secure system must be secure according
to a frame of reference.
Within the context of the frame of
reference, it is possible to analyse
and prove all component statements
and system assumptions, and to construct
an absolute security statement for the
system.)EP(
)0 P(Yet security, unlike many other sciences,
suffers from the drawback that the attacker
is aggressive.
Within the real world, it is impossible to
reliably create a frame of reference
that is absolute. It is always possible for
an attacker to challenge convenient assumptions
and to redraw the framework in order
to break the system.)EP(
)0 P(As there can be no reliable frame of reference,
there can be no absolute in security.)EP(
)0 3 6 H()WB 68 Sn( Relative Security and Components )EH(
)0 P(Notwithstanding the absence of
absolute security, we can make some
relative judgments about security
components and we can make statements
of practical utility
based on those relative judgments.
We can make comparative judgments between
two components bound by a common set
of assumptions, and we can make judgments
about how differing components interact
within an encompassing system.)EP(
)3 PT(
)0 P(Consider two algorithms, DES and AES.
These are interchangeable at some level of software
engineering, and most cryptosystems envisage some
level of selection of these or similar algorithms.
\201From here on in, we assume that the key is part
of the wider cryptosystem.\202)EP(
)0 P(As seen in Sidebox 2, we know of no practical attack
against AES.
In contrast we do know of practical attacks against DES
)2 FZ([)0 37 1 A(DT)WB 7 Sn()37 0 TN TL()Ec /AF f D(])ES(
)2 FZ([)0 38 1 A(NIST2)WB 8 Sn()38 0 TN TL()Ec /AF f D(])ES(.
One algorithm was designed in the 1970s, the
other was designed in the late 1990s, and these
differences are telling.)EP(
)0 P(Hence, we can state with some degree of confidence
that replacing DES with AES results in an improvement
of security: it eliminates the class of attacks
that now afflict DES.
Furthermore, it does so at a cost that is low
or trivial.
The only cost appears to be that AES is
slower than DES and we ignore that here
)2 FZ([)0 39 1 A(TDES)WB 9 Sn()39 0 TN TL()Ec /AF f D(])ES(.)EP(
)0 P(This improvement then is a decided win, at no cost.
Now consider two variants of AES, being 128 bit key
length and 256 bit key length.
Both are strong, but AES256 is many orders of magnitude
stronger. As it is relatively much stronger, it might
be thought that swapping AES256 for AES128 would be an
improvement.)EP(
)0 P(Yet, in terms of results, even though one is stronger
than the other, both are so strong that there is no
practical attack.
Thus, there is no improvement
in resultant security possible in either choice,
even though one has a stronger theoretical envelope.)EP(
)0 P(Note however that the claimed improvements are only
as robust as our assumptions, for example there being
relevant attacks against DES. Later, we challenge
these assumptions, and modify our approach.)EP(
)0 3 7 H()WB 69 Sn( Components and Systems )EH(
)0 P(As Sidebox 2 suggests, AES is secure, unless we have to
consider the key. Normally, a design would consider
the algorithm to be a secure component, and the key's
security would be punted up to the next layer.
Often, such issues as key security get punted from layer
to layer until they end up as assumptions in the highest
layer, being the security system.)EP(
)0 P(This then indicates the relationship between components and
systems. Components can refer their weaknesses as
assumptions out
and upwards, but this only goes so far as the system.
The system then must take these assumptions and live
with their consequences; "the buck stops here.")EP(
)0 P(And this is why the 1st law states that there are no
absolutely secure )I(systems)ES(. Each system
inherits the assumptions of the components.
Hence a corollary to the 1st law might be that
in a security system,
)I(all assumptions are subject to challenge)ES(,
and the same corollary bridges to the 3rd law,
)I(cryptography is typically bypassed, not penetrated)ES(.)EP(
)0 2 8 H()WB 70 Sn( )0 61 1 A()WB 1 Sn( Pareto-Secure )61 0 TN TL()Ec /AF f D()EH(
)0 3 9 H()WB 71 Sn( The theory of Pareto efficiency )EH(
)5 PT(
)0 P(Economics describes such improvements within an
allocation of resources under the theory of
)R4 2 A()I(Pareto efficiency)ES()EA(
)2 FZ([)0 40 1 A(VP2)WB 10 Sn()40 0 TN TL()Ec /AF f D(])ES(.
An improvement is a
)I(Pareto improvement)ES(
if a change
made results in an improvement in efficiency at no
commensurate cost elsewhere in the equation.
And a solution is )I(Pareto efficient)ES(
if there is no further )I(Pareto improvement)ES(
that can be made.)EP(
)0 3 10 H()WB 72 Sn( Introducing )I(Pareto-secure)ES( )EH(
)0 P(Economists use the metric of economic efficiency
of allocations between competing agents.
Applying this framework to our security metrics,
we introduce the analogous terms
)I(Pareto-secure)ES(
and
)I(Pareto-secure improvement)ES(
to refer to security metrics resulting from
allocations of competing choices in an
overall design.)EP(
)0 P(A change is a Pareto-secure improvement if
a measurable and useful improvement in security
results, at no commensurate loss of security
elsewhere.
A choice of algorithm could be a Pareto-secure improvement
if we could measure the result as being more secure,
and it would not be a Pareto improvement if either
some other cost in security is incurred,
or no improvement is measured.
\201Where there is no need to distinguish the term,
Pareto improvement should be sufficient.\202)EP(
)0 P(Then, a choice of AES over DES
is a Pareto-secure improvement
)2 FZ([)0 41 1 A(K)WB 11 Sn()41 0 TN TL()Ec /AF f D(])ES(.
But using AES256 over AES128 is not a Pareto-secure
improvement
)2 FZ([)0 42 1 A(AES5)WB 12 Sn()42 0 TN TL()Ec /AF f D(])ES(.)EP(
)0 P(In economics, if we were to show
that there was no algorithm that
delivered a Pareto improvement in
economics efficiency over AES,
we would conclude that AES is
Pareto-efficient.
Likewise,
a component is Pareto-secure within a system if)EP(
)4 OL()0 P()-1 LI( It is secure against all practical attacks, and
)EP()0 P()-1 LI( there is no Pareto-secure improvement that can
be made)EP()LO(
)0 P(As AES is both secure against all
practical attacks, and there is no improvement
we can make that will offer better realised
security in an algorithm, we suggest that
AES is Pareto-secure.
All of the AES family of algorithms are
by this logic Pareto-secure,
according to our assumptions.
However, none of them represent a
Pareto-improvement over any of the others.)EP(
)0 3 11 H()WB 73 Sn( Components within a Security System )EH(
)0 P(We have to this point been quite loose on
the environment of the component.
Note that the above requirements were limited to a
single system
\201and that the first requirement implies the second\202.
Now consider a security system of two cooperating
asymmetric parts, )I(Yin)ES( and )I(Yang)ES(.
The two parts work together to make a
complete system, where each part does
a different job and they link together well.)EP(
)7 PT(
)0 P(Let us assume that the first part, )I(Yin)ES(,
reaches a particular strength,
with known weaknesses.
Let us further assume that
the second part, )I(Yang)ES(, well exceeds
that strength, and there thus
results an imbalance between the
two in contribution to the security of the system.
If the imbalance is severe, the weaker component
becomes the dominating factor
- the )I(weak link)ES( - and it will always
be attacked in preference.)EP(
)0 P(The strength of this system
can not be improved by substituting in
a yet stronger alternate for the second component,
)I(Yang)ES(.
This means that there is no Pareto-secure improvement
to be made with )I(Yang)ES(, and therefore
)I(within the confines of the security system)ES(
we can assert that
)I(Yang)ES( is Pareto-secure.)EP(
)0 3 12 H()WB 74 Sn( Introducing )I(Pareto-Complete)ES( )EH(
)0 P(Note how narrowing our context to a specific
cryptosystem enables us to identify a context-dependent
security statement.
Within this narrowed context, we declare
components to be Pareto-secure,
but they may not be so secure elsewhere.
This is very useful within the context of that
security system, but it does add the cost of
needing to be always aware of our specific
set of assumptions.)EP(
)0 P(In the construction of practical security systems,
we need to analyse and design according to a
set of requirements, and within the
limitations of a set of assumptions.
This saves costs in the design phase,
but incurs costs in the long term.
The original designers of a system often
know well their requirements and assumptions,
but later participants will not.
Engineers, implementers and operators
that follow in the footsteps of the
original designers may make changes that
challenge the security of the system.)EP(
)0 P(There is then a use for a definition
of security that survives regardless of the
limitations of a chosen security system.
For this, we introduce
)I(Pareto-complete)ES(.)EP(
)0 P(If we can show that )I(for all reasonable sets of
assumptions and all reasonable security systems)ES(,
there is no choice that offers a Pareto-secure
improvement over our initial choice,
then we can say that this component is
not only Pareto-secure, but also
)I(Pareto-complete)ES(.
That is, choosing this component is
a reliable security choice, no matter
what other weaknesses exist in the
rest of the system and no matter how
those assumptions are changed
)2 FZ([)0 43 1 A(PC)WB 13 Sn()43 0 TN TL()Ec /AF f D(])ES(.)EP(
)9 PT(
)0 3 13 H()WB 75 Sn( Combining Components )EH(
)0 P(It is possible to combine components, and apply
a similar logic. Consider the following stylised
example based on the commonly accepted models of
TLS and SSH. Note however that real world
implementations can markedly differ, and can
indeed reverse many of the following assumptions.)EP(
)0 P(The popular TLS protocol
is built out of algorithms such
as AES and other components
)2 FZ([)0 47 1 A(TLS)WB 17 Sn()47 0 TN TL()Ec /AF f D(])ES(
)2 FZ([)0 48 1 A(SSL)WB 18 Sn()48 0 TN TL()Ec /AF f D(])ES(.
It is mature, well studied, and widely implemented.
Researchers have been finding minor flaws for some time,
yet the discoveries of major flaws have dried up.)EP(
)0 P(In terms of the deliverables as a
public key connection-oriented
transport layer protocol,
we do not know of one that delivers more
measurable security, as long as a Pareto-secure
set of algorithms is chosen.
For comparative example,
the underlying protocol behind SSH is
thought to be highly similar
)2 FZ([)0 49 1 A(SSH)WB 19 Sn()49 0 TN TL()Ec /AF f D(])ES(
)2 FZ([)0 50 1 A(SecSh)WB 20 Sn()50 0 TN TL()Ec /AF f D(])ES(.
We could then suggest that both TLS )I(and)ES( SSH
are Pareto-secure protocols,
and may even be Pareto-complete.)EP(
)0 P(Yet, if we go wider and higher, and bring in their
respective
regimes for public key exchange, as additional
components, the differences become more marked.
TLS applications commonly punt key authentication
to a trusted third party \201TTP\202,
while SSH applications commonly ask the
user to confirm a newly discovered key
)2 FZ([)0 51 1 A(Options)WB 21 Sn()51 0 TN TL()Ec /AF f D(])ES(.
In order to overcome the weakness
inherent in adding another party to TLS,
we could switch to the SSH key exchange model,
but that brings in the weakness of
the user's first confirmation
leaving open a potential
)I(man-in-the-middle)ES( attack.
Likewise, switching SSH over to TTP authentication
adds the weakness of the TTP.)EP(
)0 P(Hence, we cannot suggest that either of TLS+TTP,
or SSH+user-confirm are Pareto-secure. Substitution
of either key exchange regime results in
benefits but more importantly, costs.
In order to achieve a Pareto improvement,
we would need to do one or both of:)EP(
)UL()0 P()-1 LI( limit our assessment to a particular security
system where we could overcome the weaknesses, or
)EP()0 P()-1 LI( expand the key exchange regimes
to include the benefits of
both, and incur no costs over either
alone.)EP()LU(
)0 P(By way of example, consider secure browsing.
We could hypothesize
that TLS+TTP was Pareto-secure within
that framework, a framework that includes
the user, her browser, the net, the site server
and the TTP.
Consider however
the unfortunate weakness of external links
being presented by pseudo-authoritive means
such as emails. That is, phishing, which
at its minimum is a breach in the spoofing
protection of the secure browser.)EP(
)0 P(Several parties have proposed a fix to the browser
security model to address phishing links
)2 FZ([)0 52 1 A(IG)WB 22 Sn()52 0 TN TL()Ec /AF f D(])ES(
)2 FZ([)0 53 1 A(AA)WB 23 Sn()53 0 TN TL()Ec /AF f D(])ES(
)2 FZ([)0 54 1 A(TC)WB 24 Sn()54 0 TN TL()Ec /AF f D(])ES(.
Each certificate would
be augmented by additional information known
only to the user
\201such as a petname or an individual logo\202
and this would be displayed to her to assist
her in discovering fraudulent links.
As this addition to the certificate improves
security, and does not result in any security
costs \201the TTP authentication is augmented
rather than replaced\202,
it identifies a Pareto-secure improvement.
Thus, TLS+TTP is not Pareto-secure,
within the context of
the secure browsing application.)EP(
)0 P(Until these Pareto-secure improvements are made,
TLS+TTP would remain short of Pareto-secure.
Likewise, a component built of SSH and
its key system would not be Pareto-secure,
as improvements are needed in
how keys are distributed and authorised
in the initial instance.)EP(
)0 2 14 H()WB 76 Sn( )0 61 1 A()WB 25 Sn( Conclusions )61 0 TN TL()Ec /AF f D()EH(
)0 3 15 H()WB 77 Sn( Summary )EH(
)0 P(A Pareto-secure improvement is made to a security
system when a substituted component results
firstly in an improvement in security, and
secondly with no cost to security elsewhere.)EP(
)0 P(We say that a component is Pareto-secure
if within the confines of its security
system, there is no Pareto improvement
to security in changing it for another
component, and it is secure against known
threats.
Further, we say that a component is
Pareto-complete if within any
reasonable security model, there is
no Pareto improvement.)EP(
)0 3 16 H()WB 78 Sn( Choice )EH(
)0 P(Using a Pareto-complete component is always sufficient.
Designers prefer and select Pareto-complete components
in order to reduce local calculation costs,
risks of incomplete calculations,
external costs of verification,
and risks of future changes weakening
the system.)EP(
)0 P(If unavailable, a Pareto-secure component is also
sufficient, but it carries risks that the security
system may face unpredictable changes in the future
that are dramatic enough to challenge the security.
It also carries external costs of analysis, in that
verifiers of security need to confirm that a
component is indeed Pareto-secure within that
system.)EP(
)0 P(With more resistance, designers will choose components
that trade costs and benefits in security and other
non-security variables, both internally and against
other components.
A resistance to trade reflects a valid desire
to reduce the above costs, and is sometimes referred to
as )I(conservatism)ES(.
In cryptography especially, conservatism may indicate a
bias introduced by the mixed blessing of so many
good and strong cryptographic algorithms.
It is an open question as to
whether an economics model of interests,
risks and rewards can be constructed to explain
such preferences.)EP(
)0 3 17 H()WB 79 Sn( Applicability )EH(
)0 P(Especially, in discussing a cryptographic
system, we believe that we can now put
a firmer meaning to the statement that a
component is secure.
A system using AES could be considered to
be using a Pareto-complete algorithm,
yet the wider cryptosystem has other
components that also need some degree
of attention.
A system using DES may still be using an
algorithm that is Pareto-secure, within
its assumptions and limitations, as long
as substituting another algorithm does not
improve security.)EP(
)0 P(This essay presents cryptographic examples,
but we suggest the idea may apply to all
fields of security, especially where choices
and interactions are complex.
Further, at least in cryptology, it would
seem that Pareto-secure as a meaning is already
applied in less formal settings such as product
sales and the general media.)EP(
)BQ()I( "Security is a chain;
it's only as strong as the weakest link.
Currently encryption is the strongest link we have.
Everything else is worse: software, networks, people.
There's absolutely no value in taking the
strongest link and making it even stronger
)2 FZ([)0 55 1 A(MK-BS)WB 26 Sn()55 0 TN TL()Ec /AF f D(])ES(.")ES()QB(
)0 P(By refining the meaning of the term,
we have the opportunity to reduce insecurity
based on poorly understood product characteristics.)EP(
)0 3 18 H()WB 80 Sn( Limitations )EH(
)0 4 19 H()WB 81 Sn( The full system )EH(
)0 P(Within each system, there are other
components to consider, and even if
all were Pareto-secure, we lack a
meaningful language and theory for linking
components into systems. Further, we fall
short of offering a meaningful definition
for security of the entire system.
The first law stops us from totally eliminating
all assumptions of weakness from a system;
and it seems that combining components into a
system simply means that at this point we can
no longer pass the buck on assumptions. As a
corollary to the law of no absolutely secure
systems, we propose that at the systems level,
all assumptions are challengeable.)EP(
)0 4 20 H()WB 82 Sn( Time )EH(
)0 P(Nothing is forever. Even though we assert that
a status of Pareto-secure means that analysis
is good, this is still not an absolute.)EP(
)BQ()10 PT()QB(
)0 P(This status can change overnight.
In fact, at )CT(Crypto 2004)ES(
the status of many message digest
functions was shaken up overnight
)2 FZ([)0 56 1 A(Crypto)WB 27 Sn()56 0 TN TL()Ec /AF f D(])ES(
)2 FZ([)0 57 1 A(FC)WB 28 Sn()57 0 TN TL()Ec /AF f D(])ES(.
See Table 1.
We leave as an exercise the before
and after Pareto-security of
the various message digests.)EP(
)0 4 21 H()WB 83 Sn( Kaldor-Hicks )EH(
)0 P(The economic theory of Pareto efficiency is limited to the
assumption of )I(no commensurate cost)ES(.
Yet, much of security is based on
risk analysis that leads to cost-benefits
tradeoffs. That is, many systems
explicitly impose costs in some areas to
acquire benefits in other areas,
which in economic terms would be an
allocation closer to
)R6 2 A(Kaldor-Hicks efficiency)EA(
)2 FZ([)0 58 1 A(KH)WB 29 Sn()58 0 TN TL()Ec /AF f D(])ES(.)EP(
)0 P(Such choices are not compatible with the
simple and direct assumptions of
Pareto efficiency, and this means
that the application of the Pareto
theory is by no means universally
applicable.
Still, there are many security systems
where the complexities of interaction
give rise to a tendency to Pareto analysis.
That is, designers try to make
Pareto secure choices, even when
they could achieve better risk / cost-benefit
tradeoffs with superior information.)EP(
)0 P(A future suggested line may be to apply a
Kaldor-Hicks analogy. This would require
a method of valuation of the comparative
costs and benefits of alternate choices,
which is beyond the easy scope of this note
)2 FZ([)0 59 1 A(LV4)WB 30 Sn()59 0 TN TL()Ec /AF f D(])ES(
)2 FZ([)0 60 1 A(PL)WB 31 Sn()60 0 TN TL()Ec /AF f D(])ES(.)EP(
)0 2 22 H()WB 84 Sn( )0 61 1 A()WB 32 Sn( References )61 0 TN TL()Ec /AF f D()EH(
)-1 Bf add FZ()Ef(
)-1 Bf add FZ(
)0 P()BD([VP])WB 33 Sn()EA()ES(
Vilfredo Pareto,
)R4 2 A( Pareto efficiency)EA(,
)CT(Wikipedia)ES(.
)EP(
)0 P()BD([LV1])WB 34 Sn()EA()ES(
)R7 2 A(Arjen K. Lenstra)EA(
and Eric R. Verheul,
)R8 2 A( Selecting Cryptographic Key Sizes)EA(.
)CT(Journal of Cryptology)ES(,
14\2014\202:255-293, August 2001.
Also see
)R9 2 A( DOC slides)EA(.
)EP(
)0 P()BD([LV2])WB 35 Sn()EA()ES(
Ibid., DOC slides.
)EP(
)0 P()BD([NIST1])WB 36 Sn()EA()ES(
Elaine Barker
)R10 2 A( Cryptographic Standards and Guidelines:
a Status Report
)EA(
NIST, 2002.
)EP(
)0 P()BD([DT])WB 37 Sn()EA()ES(
Electronic Frontier Foundation,
)CT(Cracking DES)ES(
O'Reilly, 1998
)EP(
)0 P()BD([NIST2])WB 38 Sn()EA()ES(
DES is to be withdrawn as a US-government
approved algorithm in 2004.
NIST, Op cit.
)EP(
)0 P()BD([TDES])WB 39 Sn()EA()ES(
Note that a closer argument can be made for 3DES versus
AES, which both run at the same speed. 3DES suffers
from a birthday attack as a consequence of its small
block size, which AES does not suffer.
)EP(
)0 P()BD([VP2])WB 40 Sn()EA()ES(
)R4 2 A( Pareto efficiency)EA(, op cit.
)EP(
)0 P()BD([K])WB 41 Sn()EA()ES(
The issue of the key secret can be ignored
for two reasons; being that
both algorithms have the same assumptions,
and the key secret could be
considered part of the wider cryptosystem.
)EP(
)0 P()BD([AES5])WB 42 Sn()EA()ES(
Similarly to the above,
an argument can be made that AES256 is more expensive
in cycle time than AES128. If this marginal argument
is accepted, AES256 is no longer Pareto-efficient,
as swapping to AES128 will save cycles at no cost
to security. We could make a case that AES128 is
both Pareto-secure and Pareto-efficient, whereas
AES256 is Pareto-secure but not Pareto-efficient.
)EP(
)0 P()BD([PC])WB 43 Sn()EA()ES(
This may not accord with the economics term of art
\201)I(B\201Z\202W)ES(\202.
)EP(
)0 P()BD([NIST])WB 44 Sn()EA()ES(
NIST,
)R10 2 A( OMB Guidance to Federal Agencies on
Data Availability and Encryption)EA(.
)EP(
)0 P()BD([UCL])WB 45 Sn()EA()ES(
Bulens Philippe and Giry Damien
)R5 2 A(Key Length Calculator)EA(,
UCL Crypto Group.
)EP(
)0 P()BD([LV3])WB 46 Sn()EA()ES(
Lenstra and Verheul, op cit.
)EP(
)0 P()BD([TLS])WB 47 Sn()EA()ES(
T. Dierks and C. Allen,
)R11 2 A( RFC 2246 - The TLS Protocol Version 1.0)EA(
Network Working Group
)EP(
)0 P()BD([SSL])WB 48 Sn()EA()ES(
Eric Rescorla,
)CT(SSL and TLS: Designing and Building Secure Systems)ES(,
Addison-Wesley, 2000.
)EP(
)0 P()BD([SSH])WB 49 Sn()EA()ES(
Tatu Yl\366nen,
)CT(The SSH \201Secure Shell\202 Remote Login Protocol)ES(
15 November 1995.
)EP(
)0 P()BD([SecSh])WB 50 Sn()EA()ES(
See
)R12 2 A( SecSh Working Group)EA(
for modern )I(Internet Draft)ES( standards.
)EP(
)0 P()BD([Options])WB 51 Sn()EA()ES(
Both of these cryptoprotocols can be
configured for other behaviors, but
we stick here with the canonical examples.
)EP(
)0 P()BD([IG])WB 52 Sn()EA()ES(
Ian Grigg,
)R13 2 A( Collected rants on SSL)EA(,
2003 - 2005.
)EP(
)0 P()BD([AA])WB 53 Sn()EA()ES(
Amir Herzberg and Ahmad Gbara,
)R13 2 A( TrustBar: Protecting \201even Na\357ve\202
Web Users from Spoofing and Phishing Attacks)EA(,
draft paper, forthcoming.
)EP(
)0 P()BD([TC])WB 54 Sn()EA()ES(
Tyler Close,
)R13 2 A( YURL - Trust Management for Humans)EA(,
web article, July 2003 - July 2004.
Actually, the YURL / petname proposal
disposes of the certificate altogether,
so that may not be appropriate in this
example.
)EP(
)0 P()BD([MK-BS])WB 55 Sn()EA()ES(
Michael Kanellos quoting Bruce Schneier,
")R14 2 A( Quantum crypto firm charts way to mainstream)EA(,"
)CT(CNET News.com)ES(, 6th February 2005.
)EP(
)0 P()BD([Crypto])WB 56 Sn()EA()ES(
)R15 2 A( Crypto 2004)EA(
Santa Barbara August 2004,
International Association of Cryptological Research
)EP(
)0 P()BD([FC])WB 57 Sn()EA()ES(
Ian Grigg,
)R16 2 A( SHA0 is Cracked)EA(
Financial Cryptography blog entry,
15th August 2004
)EP(
)0 P()BD([KH])WB 58 Sn()EA()ES(
Nicholas Kaldor and John Hicks,
)R6 2 A( Kaldor-Hicks efficiency)EA(,
)CT(Wikipedia)ES(.
)EP(
)0 P()BD([LV4])WB 59 Sn()EA()ES(
Lenstra and Verheul
go some way in that direction with
calculation costs,
Op Cit.
)EP(
)0 P()BD([PL])WB 60 Sn()EA()ES(
Pete Lindstrom, quoting Bruce Schneier,
")R17 2 A( Security: Measuring Up)EA(,"
)CT(Information Security)ES(,
Feb 2005
)EP()Ef(
)WB NL /BO 0 D TC /Ba f D Bs /AU f D /UR () D RC ZF
tH WB
ND 1 gt{Ts 3 mul Np 0()0 C()BD(Pareto-Secure)ES()0 1 TN()EA()BN}if
2 NH le{62(0.1\240\240)2 C( )0 61 1 A()WB 1 Sn( Preamble )61 0 TN TL()Ec /AF f D()62 1 TN()EA()BN}if
3 NH le{63(0.1.1\240\240)3 C( On the Nature of Security )63 1 TN()EA()BN}if
3 NH le{64(0.1.2\240\240)3 C( Acknowledgments )64 1 TN()EA()BN}if
2 NH le{65(0.2\240\240)2 C( )0 61 1 A()WB 3 Sn( Prior Work )61 0 TN TL()Ec /AF f D()65 1 TN()EA()BN}if
3 NH le{66(0.2.1\240\240)3 C( Measuring Strength in Cryptography Components )66 1 TN()EA()BN}if
3 NH le{67(0.2.2\240\240)3 C( The 1st Law )67 1 TN()EA()BN}if
3 NH le{68(0.2.3\240\240)3 C( Relative Security and Components )68 1 TN()EA()BN}if
3 NH le{69(0.2.4\240\240)3 C( Components and Systems )69 1 TN()EA()BN}if
2 NH le{70(0.3\240\240)2 C( )0 61 1 A()WB 1 Sn( Pareto-Secure )61 0 TN TL()Ec /AF f D()70 1 TN()EA()BN}if
3 NH le{71(0.3.1\240\240)3 C( The theory of Pareto efficiency )71 1 TN()EA()BN}if
3 NH le{72(0.3.2\240\240)3 C( Introducing )I(Pareto-secure)ES( )72 1 TN()EA()BN}if
3 NH le{73(0.3.3\240\240)3 C( Components within a Security System )73 1 TN()EA()BN}if
3 NH le{74(0.3.4\240\240)3 C( Introducing )I(Pareto-Complete)ES( )74 1 TN()EA()BN}if
3 NH le{75(0.3.5\240\240)3 C( Combining Components )75 1 TN()EA()BN}if
2 NH le{76(0.4\240\240)2 C( )0 61 1 A()WB 25 Sn( Conclusions )61 0 TN TL()Ec /AF f D()76 1 TN()EA()BN}if
3 NH le{77(0.4.1\240\240)3 C( Summary )77 1 TN()EA()BN}if
3 NH le{78(0.4.2\240\240)3 C( Choice )78 1 TN()EA()BN}if
3 NH le{79(0.4.3\240\240)3 C( Applicability )79 1 TN()EA()BN}if
3 NH le{80(0.4.4\240\240)3 C( Limitations )80 1 TN()EA()BN}if
4 NH le{81(0.4.4.1\240\240)4 C( The full system )81 1 TN()EA()BN}if
4 NH le{82(0.4.4.2\240\240)4 C( Time )82 1 TN()EA()BN}if
4 NH le{83(0.4.4.3\240\240)4 C( Kaldor-Hicks )83 1 TN()EA()BN}if
2 NH le{84(0.5\240\240)2 C( )0 61 1 A()WB 32 Sn( References )61 0 TN TL()Ec /AF f D()84 1 TN()EA()BN}if
/TE t D NP TU PM 0 eq and{/Pn () D showpage}if end restore